RE: CRIME Security experts nix Internet voting plan

From: Andrew Plato (aplato@private)
Date: Fri Jan 23 2004 - 14:46:57 PST

    All of the above (except hosting). Anitian was selected to provide
    information security oversight to Oregon's new election system last
    summer. We partnered with the master contractor on the project. 
    
    To my knowledge, Oregon is the first state in the union to have an
    independent security group overseeing the development of a new
    elections/voter registration system. That's us. And other states are, of
    course, now calling us to do the same thing for them. 
    
    ___________________________________
    Andrew Plato, CISSP
    President/Principal Consultant
    Anitian Enterprise Security 
     
    503-644-5656 Office
    503-214-8069 Fax
    503-201-0821 Mobile
    www.anitian.com
    ___________________________________ 
    
    -----Original Message-----
    From: owner-crime@private [mailto:owner-crime@private] On Behalf
    Of Sasha Romanosky
    Sent: January 23, 2004 1:40 PM
    To: 'Crime List'
    Subject: RE: CRIME Security experts nix Internet voting plan
    
    
    
    Andrew, 
    
    What do you mean, "securing Oregon's voting system"? Pen testing
    hardware and software; hosting a site; monitoring activity?
    
    cheers,
    Sasha
    
    > -----Original Message-----
    > From: owner-crime@private [mailto:owner-crime@private]
    > On Behalf Of Andrew Plato
    > Sent: Friday, January 23, 2004 12:06 PM
    > To: Crime List
    > Subject: CRIME Security experts nix Internet voting plan
    > 
    > 
    > Interesting report from an independent group. They are
    > recommending that the federal voting site, SCORE, be shut down 
    > because of security weaknesses. The system was designed by Accenture. 
    > 
    > This is, of course, interesting to us since Anitian is
    > securing Oregon's electronic voting system. 
    > 
    > The report is a good read if you're interested in electronic
    > voting issues. 
    > 
    > ___________________________________
    > Andrew Plato, CISSP
    > President/Principal Consultant
    > Anitian Enterprise Security
    >  
    > 503-644-5656 Office
    > 503-214-8069 Fax
    > 503-201-0821 Mobile
    > www.anitian.com
    > ___________________________________
    > 
    > 
    > Security experts nix Internet voting plan
    > By R. Colin Johnson, EE Times
    > January 23, 2004 (12:45 p.m. EST)
    > URL: http://www.eetimes.com/story/OEG20040123S0036
    > 
    > PORTLAND, Ore. - An Internet voting scheme called Secure
    > Electronic Registration and Voting Experiment may be dead, at 
    > least according to an independent report. 
    > 
    > The report was released by four whistle-blowing security
    > experts hired by the Federal Voting Assistance Program to 
    > evaluate the program, also known as Serve. Serve is scheduled 
    > to become operational in time for 2004 primary elections 
    > beginning in February. 
    > 
    > "We were hired to evaluate the Serve Internet voting system,
    > and to recommend repairs we thought were needed to make the 
    > system secure, but we found that it's based on consumer-level 
    > PCs and operating systems that cannot be made secure. A worm 
    > or virus like the ones we've seen attacking the Internet 
    > lately could easily change your vote without you knowing it. 
    > Serve should be abandoned," said computer scientist David 
    > Wagner. Wagner coauthored the report with computer scientists 
    > Avi Rubin from the University of California at Berkeley, 
    > David Jefferson of Johns Hopkins University and Barbara 
    > Simons of Lawrence Livermore National Laboratory. Their 
    > report represents a minority opinion of the Security Peer 
    > Review Group, an advisory group formed by the Federal Voting 
    > Assistance Program to evaluate Serve. 
    > 
    > Overseas residents and military personnel must use paper
    > absentee ballots, which are often delayed, thereby 
    > invalidating the ballots. The program was created to remedy 
    > the problem, but the cure could be worse than the illness, 
    > according to the security experts. 
    > 
    > The critics said using consumer-grade components already
    > under attack by hackers worldwide makes the online voting 
    > system dead-on-arrival. Program officials nevertheless plan 
    > to begin trial usage soon despite the experts' conclusion 
    > that the system is not secure. 
    > 
    > According to Wagner, the computer security experts tried a
    > range of methods to fix the security holes in the 
    > Internet/PC/Windows environment, but concluded that it could 
    > not be done. Instead, Wagner said secure lines independent of 
    > the Internet and consumer-grade operating systems should be 
    > installed at foreign embassies and military bases. 
    > 
    > "We tried every imaginable method of providing secure voting
    > over the Internet using PCs, but we have concluded that it 
    > can only be done with secure lines. It won't be as convenient 
    > as using the Internet, but it will be secure," said Wagner. 
    > 
    > Serve is being readied for use in 50 counties and in seven
    > U.S. states during this year's primary and general elections, 
    > handling as many as 100,000 votes beginning on Feb. 3 during 
    > South Carolina's presidential primary. The program's stated 
    > goal is to provide 6 million overseas voters with access to 
    > online absentee voting.
    > 
    



    This archive was generated by hypermail 2b30 : Fri Jan 23 2004 - 15:56:01 PST