The technical team commissioned by the State of Florida to study the technology used in the ill-fated Sarasota election has released its report. (Background: on the Sarasota election problems; on the study.)
One revelation from the study is that the iVotronic touch-screen voting machines are terribly insecure. The machines are apparently susceptible to viruses, and there are many bugs a virus could exploit to gain entry or spread:
We found many instances of [exploitable buffer overflow bugs]. Misplaced trust in the election definition file can be found throughout the iVotronic software. We found a number of buffer overruns of this type. The software also contains array out-of-bounds errors, integer overflow vulnerabilities, and other security holes. [page 57]
The equation is simple: sloppy software + removable storage = virus vulnerability. We saw the same thing with the Diebold touchscreen voting system.
Another example of poor security is in the passwords that protect crucial operations such as configuring the voting machine and modifying its software. There are separate passwords for different operations, but the system has a single backdoor that allows all of the passwords to be bypassed by an adversary who can learn or guess a one-byte secret, which is easily guessed since there are only 256 possibilities. (p. 67) For example, an attacker who gets private access to the machine for just a few minutes can apparently use the backdoor to install malicious software onto a machine.
Though the machines' security is poor and needs to be fixed before it is used in another election, I agree with the study team that the undervotes were almost certainly not caused by a security attack. The reason is simple: only a brainless attacker would cause undervotes. An attack that switched votes from one candidate to another would be more effective and much harder to detect.
So if it wasn't a security attack, what was the cause of the undervotes?
Experience teaches that systems that are insecure tend to be unreliable as well – they tend to go wrong on their own even if nobody is attacking them. Code that is laced with buffer overruns, array out-of-bounds errors, integer overflow errors, and the like tends to be flaky. Sporadic undervotes are the kind of behavior you would expect to see from a flaky voting technology.
The study claims to have ruled out reliability problems as a cause of the undervotes, but their evidence on this point is weak, and I think the jury is still out on whether voting machine malfunctions could be a significant cause of the undervotes. I'll explain why, in more detail, in the next post.
Front page posts
The 8-bit security of the factory PEB is pretty bad, but it seems like it will take some time to check each of the possibilities though. It doesn't seem like you can easily script it to try each possibility without resorting to some custom hardware or reprogramming the PEB for each value. This raises the bar for a voter who tries to attack it, but it still isn't close to good-enough security.
All of Appendix D is extremely worrying really, with 3 and 5 letter case-insensitive passwords being the norm for "protecting" the election.
[...] Freedom to Tinker … is your freedom to understand, discuss, repair, and modify the technological devices you own. « Sarasota Voting Machines Insecure [...]
It would help if you had more hard data on the SRQ election, that could be supplied and thus it would aid your analysis.
1. There were machine failures not in the study
2. There were procedures not in the study that overcame machine failures
[...] regardless of this information For years, lawyers have been overreacting to the “threat” of online trademarks. While trademark law does require that you police the trademark, or risk losing it, that doesn’t mean you need to go after every use of the market. Trademark, unlike copyrights and patents, don’t give you as much control — and are merely designed as a method of consumer protection against confusion of the authenticity of a product. However, it’s become quite common for lawyers to go after anyone and everyone who use their trademark, even if it’s not in any way confusing of damaging. Where it gets particularly bad is where the lawyers step in and start shutting down fan sites who were only helping to promote the brand. However, the good news is that a few lawyers may finally be coming to terms with all of this. Whether by simply being worn down by the sheer volume of use of the mark, or simply by finally realizing that much of the use helps promote the brand, some lawyers are recognizing that going after every use of a trademark on the web just doesn’t make sense. In fact, some of the lawyers even seem to be grasping the Streisand Effect — that trying to take something offline is likely to get it even more attention. Now if we could only get more lawyers to recognize a moron in a hurry, we might be getting somewhere. I also noted that; cellphone users complain about ‘function fatigue’ (USATODAY.com) USATODAY.com - NEW YORK - Ever get frustrated because you can’t figure out how to use all the features on your cellphone? You’re not alone. Manufacturers have become so enamored of cool features - including cameras, recording devices and video-streaming capabilities - that they have lost sight of the fact that many consumers just want good voice reception, according to a survey by the Forum to Advance the Mobile Experience (FAME). This is worth your time also news Reports May Be A Little Quick To Clear Sarasota E-Voting Machines The Associated Press put out an article late Friday claiming that a study found the e-voting machines used in Florida’s Sarasota County the machines had no problems — despite a large number of missing votes. At least that’s what you’d get from reading the article, with a headline that blares: “Audit: Fla. Voting Machines Didn’t Err.” Of course, that’s not exactly what the study found. First of all, the panel of researchers did not study the e-voting machines at all — but just the source code of the software. There could be plenty of other reasons why the voting machines had problems that couldn’t be uncovered just by looking at the source code of the software. And, in fact, the actual report is hardly as forgiving as the AP report makes out. Ed Felten points out that the report actually highlights all kinds of security problems with the software, including plenty of places where a virus could exploit a buffer overflow. It also discovered incredibly weak security, such as a master password that would be relatively easy to guess (only had 256 possibilities). [...]
[...] Freedom to Tinker » Blog Archive » Sarasota Voting Machines Insecure One revelation from the study is that the iVotronic touch-screen voting machines are terribly insecure. The machines are apparently susceptible to viruses, and there are many bugs a virus could exploit to gain entry or spread (tags: voting computer.voting) [...]
Direct Real Estate Investment
https://estatedeposits.com/?ref=1447