Another Diebold Source Code Leak
By Avi Rubin, Johns Hopkins University
October 22, 2006
This article was posted on Avi Rubin's Blog. It is reposted here with permission of the author.
This week, three disks containing Diebold source code, that appear to have come from Wyle Labs and Ciber Inc, the independent testing authorities that certify voting machines for federal qualification, were delivered anonymously to a former Maryland state delegate. The story was covered this morning in the Washington Post and the Baltimore Sun. I was asked by a reporter to inspect the disks to verify their contents, and I enlisted Adam Stubblefield and my Ph.D. student Sam Small, and together we examined them.
The disks contained source code for the BallotStation software, which is the software on the voting machine, and what was labeled as GEMS, which is the back end tabulation system. The GEMS disks were password protected, and while I'm certain we could have cracked them, we chose not to. The BallotStation source code was not protected at all. It was the 2004 version, which is newer than the source code we analyzed in 2003, and appears to be slightly later than the version analyzed by the Princeton team. I would love the opportunity to perform a similar analysis on this code, but yesterday, we were only given the opportunity to inspect the code to determine whether it was genuine. As a condition to inspecting the disks, we agreed not to make copies or to perform any other activity with the software. An analysis of this source code would answer many questions that I've been asked about whether Diebold fixed the problems we encountered in our previous analysis. Of course, I don't believe that all of the problems we found back then are even fixable, but some of them are.
I've been getting calls all day asking exactly what the significance is of the new software leak. I'm not really sure. If the software leaked out of Diebold, then they obviously have not learned any lessons about securing their proprietary information. If, as I suspect (due to the labels on the disks), the software leaked out of the testing labs, then that is a serious problem that has to be addressed. Don't get me wrong - I think that voting system software should be available to the public, but that is a different issue from whether or not testing labs are competent at protecting things that they are trusted with and that they believe they are supposed to protect.
link
This software leak brings once more into question the security of electronic voting machines.
With no audit trail available and security breached, will this once again open the door to the Bush Neocons to steal the Mid Terms and keep control over both houses?
This is not the first time that Diebold source code has been leaked. In early 2003, Diebold critic Bev Harris uncovered similar source code while conducting research using Google Inc.'s search engine.
Soon after, researchers at Johns Hopkins University and Rice University published a damning critique of Diebold's products, based on an analysis of the software.
They found, for example, that it would be easy to program a counterfeit voting card to work with the machines and then use it to cast multiple votes inside the voting booth.
Diebold says it has since introduced security enhancements to its products, but the fact that the company's sensitive source code has again leaked out is not a good sign, according to Avi Rubin, a computer science professor with Johns Hopkins and one of the authors of the 2003 report.
link
Conspiracy leaked a few days before it happens ?????