[ISN] Elections hacks don't guard us against hackers

From: InfoSec News (isn@private)
Date: Wed Jun 14 2006 - 01:03:21 PDT


http://www.miami.com/mld/miamiherald/14803773.htm

By FRED GRIMM
fgrimm at MiamiHerald.com
Jun. 13, 2006

For a county supervisor of elections needing someone to test the
vulnerabilities of his voting system, Dan Wallach's the man.

Wallach, who runs the security computer lab at Rice University, is a
nationally regarded expert on computer network security and voting
system vulnerabilities. He's associate director of ACCURATE (A Center
for Correct, Usable, Reliable, Auditable and Transparent Elections).  
Besides, his parents live in Lauderdale-by-the-Sea.

He is a perfect choice. But not in Florida.

Wallach and his associates at ACCURATE may represent academia's
leading experts on voting system security, but under the new rules
promulgated by the Florida Secretary of State, they don't qualify.

Any security test, the secretary of state's office insists, must be
performed by someone certified by the American Software Testing
Qualifications Board, the American Society for Quality or the EC
(E-Commerce) Council.

Not only is Wallach not certified by the three organizations, ''I've
never heard of them,'' he says.


TRAINING COURSE

Actually, the first two organizations are concerned with the overall
quality of manufactured software, not security. The EC Council website
offers a five-day training course into something called ''ethical
hacking.'' Five days of training, under the new rules, would trump the
most sophisticated résumés in computer science.

Computer professor David Dill, of Stanford University, who served on
California's Ad Hoc Task Force on Touch Screen Voting, and whose
degree -- not the five-day kind -- comes from MIT, added his
apprehensions to the comments on the proposed rules the Florida
Secretary of State's office collected Monday. He said they would
``would exclude the most competent evaluators, such as those who have
found most of the reported security holes in existing voting systems.

''I have checked with several computer security experts, who not only
do not have these qualifications, but, like me, have never heard of
them. A little research on the Web reveals these certifications to be
of dubious relevance to voting system evaluation,'' Dill wrote.

Other rules would require that the voting-machine vendors and the
secretary's office get advance notice of any security test. And a
supervisor of elections contemplating a security test must first take
special pains to protect the machine manufacturer's secret operating
code.


CERTIFIED HACKERS

Wallach and Dill seemed puzzled. Wallach noted that a voting machine
ought to be secure no matter who tries to hack the system. The notion
that a would-be hacker must first be properly certified and possess
special qualifications (like a five-day online course), and the
vendors need advance notice becomes utterly irrelevant in cyberspace.

''If someone is malicious and his goal is to throw the election,
they're not going to ask permission.'' Wallach said.

Of course, the new rules aren't really about protecting the integrity
of elections. Only one Florida supervisor of elections allowed outside
experts to test his voting system security. And when Ion Sancho's
hackers discovered they could alter the outcome of an election and
wipe out all trace of the tampering last year, it was a huge
embarrassment to the Secretary of State's office. Instead of trying to
fix the flaws, state officials and Diebold -- a maker of voting
machines -- went after Sancho, disparaging his findings and suggested
that he ought to be tossed from office.

Then California -- not Florida -- directed a panel of computer science
experts to look into the Leon County findings. The panel found the
same flaws and more. Florida election bureaucrats were humiliated.

''The new rules are designed to make sure that they're never
embarrassed again, '' Sancho said Monday.

Florida first priority is to protect the vendors. We'll let California
worry about the damn voters.



_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com



This archive was generated by hypermail 2.1.3 : Wed Jun 14 2006 - 01:12:35 PDT