
RE: Voting-Machine Makers To Fight Security Criticism



Bob,

 

There are a couple of things going on here about the hacking perception. I think that I can tell from many of the private emails that I’ve been getting that this is a brain cloud for lots of people, so I am pushing it back out to the CVV list. I hope that won’t annoy you. And I hope that people with an interest in clarity will bother to read down this thread, of the off-line conversation that we’ve been having.

 

I was saying that hacking the console, meaning being able to enter the code from a DRE, is a pretty difficult thing to do. It would take special equipment and lots of time. The equipment wouldn’t really be all that special, but don’t you think that it would be sort of odd to have someone come into a polling place with a keyboard in hand?

Diebold, Sequoia, and Avante are all PC based systems and among the final four in the running in Boulder. These three have the standard ports that most Intel based PCs have. So you could plug in a keyboard, a mouse, etc. But could you really? Maybe if no one was watching you and you were somewhere other than a polling location. So breaking into a DRE without someone seeing you would be pretty difficult. Even doing this at the clerk’s office would be suspect.

 

Hacking is not cracking. Hacking is a term used by the uninitiated. Hackers are looky-loos. Crackers are there to change things and do damage. Hackers learn about what goes on and get into things that perhaps they’re not supposed to. Hackers might even download information (steal). Crackers blow stuff up, change code, etc.

In short, crackers are bad people, and hackers are not.

I bother to make this distinction, because it is pretty obvious to me that Diebold has been the target of hackers. They’ve extracted information and code from the company, not necessarily the DREs, and published it.

It could also be an ‘inside job’. Disgruntled employees, whistle blowers, etc.

 

While there is a widely held belief that Diebold systems are hackable, we really don’t have any proof that this has been done. The code that was dissected came from an Internet site, not a DRE. If a hacker had a Diebold DRE and lots of time they could probably hack in. How this could happen in a polling location is beyond me.

 

Dissecting Diebold’s code or any other vendor’s for that matter, doesn’t mean that they got it from a DRE. That would be very difficult for the average hacker. The code exists in places other than the DRE. It might be stored in a system in the clerk’s office on a networked system that would allow them to spend lots of time and go undetected. They could be doing this remotely, and not even be present at the location where the code is stored.

I personally would not be worried about a cracker changing code at a DRE, but I would be worried about them doing this on the computer where the code is stored before it is downloaded into the DRE.

 

Boulder County is pretty careful about not having any elections systems involved with the actual voting or tallying systems from being on a networked computer. When we were posting the results to the internet, I was being given a diskette from the tally system and was ‘sneaker netting’ that back to my computer for publication on the county’s web site. There was no hardwired connection between the tally computer and the county network, and therefore no internet connection. Thus a hacker or cracker would have to have been in the counting room and in full view of half a dozen people. Under scrutiny.

 

Diebold has been raked over the coals on the issue of whether their code was secure. This issue is in a muddle. Is the Diebold code insecure because of where it was stored, or because the code itself is insecure? The thing that Diebold could do to protect the source code is to make sure that it is not stored on a computer that is connected to a private or public network. I think that we are pretty clear that they didn’t take that precaution.

So having the code where it could be gotten is certainly an issue, but we can’t assume that it was taken from a DRE.

 

Now we have the issue that you’ve pointed to. If the policy of a DRE maker allows them to keep the source code on a public system, we might assume that they are also not paying heed to the security of the code itself. My opinion is that one stupidity does not constitute another. A systems administrator is not a code developer. A code developer could make a very secure program, and then pass it to a code librarian who would store it for him. If he stored it on a system that the administrator had not locked down, a hacker would have a field day.

So I don’t think that we are talking about insecure code, but insecure storage of that code. Not fraud, not insecure code, but either stupidity and mistakes, or simply a systems administrator that is not good at his job.

It could also be representative of a company culture. One in which safeguards take a back seat.

 

Now I get to this thing that REALLY BOTHERS me. Every example that we’ve so far seen uses Diebold as the example of a culture of ineffective security. Diebold is the worst-case scenario. Support systems that are hackable; DRE code that is crackable; a company culture that ignores all of this and VPs that make damaging statements in public.

It puts the entire industry in a poor light. All the so-called pros are concentrating on Diebold and talking about all DREs. That’s a bad thing. Now everyone is suspect of all the DRE vendors, which could be good, except that other makers are not using Diebold code, and may have a company culture that supports security.

 

It’s like what I have been warning about the term ‘touch-screen’. Not all DREs are touch-screen devices. The populist press lives in a world of sound-bites. They are not going to distinguish between touch-screen and non touch-screen. So one bad egg makes them all bad eggs, if you rely upon the reports in the media.

 

By the same token, all hackers are bad. But that is a fallacy. Hackers are the people that got us to pay attention to the security flaws in the first place. It is crackers that we are or should be worried about. The people that want to do damage, change source code, screw up the works.

 

There are computer professionals that are paid to hack to see if things can be broken into. Then their methods of exploits are used to make things more secure. Crackers have no such high ideals. They will break in to where the source code is stored and change it.

If cracking goes undetected, then the DREs can be loaded with exploited software that can do all sorts of things that we would be concerned with. They might even create a way for selected electors to defraud the DREs at the polling location. I mean criminals.

 

It may all sound like semantics to the untrained, but it is the intent of those trying to break in that I am addressing. Do people want to break in just to show that it can be done, and warn us? Or do they want to defraud the systems and not have anyone know?

 

Hackers are not the enemy. The enemy are those with criminal intent, and those that believe that they have secure systems and secure code and ignore the possibility that they are WRONG.

 

Paul Tiger

 

-----Original Message-----
From: Mcgrath, Bob___PI_Mkt [mailto:bob.mcgrath@xxxxxxxxxx]
Sent: Thursday, December 11, 2003 9:01 AM
To: 'paul.tiger@xxxxxxxxxxxx'
Subject: RE: Voting-Machine Makers To Fight Security Criticism

 

So I guess I'm left with the dilemma of whether the ends justify the means.  Does our democracy merit condoning people hacking into these DRE's sites to obtain information with which to fight the fight for transparency?  I don't think that would stand up in a court of law as admissible evidence, but if there is an insider who happens to release this type of info then I see a higher standard of possibly being able to accept this info -- particularly if its source is a mystery and one is simply left to deal with the information itself, as Bev has made her case.

 

As I said, this world is foreign to me, so it's hard for me to comprehend.  Your statements make it appear that hacking occurs; it doesn't tell me if it is a legally accepted practice to which I would lend support.  Your suppositions about the source of Diebold's source code's existence on an FTP site being a point of denial by the company ring true to me, since no company will want to admit that they could have been hacked into -- especially one that touts the security of its systems.

 

 

-----Original Message-----
From: Paul Tiger [mailto:tigerp@xxxxxxxxxxxx]
Sent: Wednesday, December 10, 2003 3:58 PM
To: BCV
Subject: RE: Voting-Machine Makers To Fight Security Criticism

Bob,

 

Many of us are computer security professionals. In order to test the security of a system, you have to break in.

I have worked for companies that hire hackers to test their preventative measures.

Beyond that, hacking is a learning method for programmers. There are many levels of hacking. Simply stealing JavaScript from a web site could be defined as a form of hacking. And that goes on all the time.

Hackers sometimes download files that they have found that they can get to and then post them somewhere on the internet just to prove that the supposedly secured system is not secured. I’ve had thoughts about the Diebold code that was ripped off an FTP site. Thoughts that make me think that someone hacked Diebold and posted their DRE code. Of course Diebold and any smart marketing company would deny this. They would rather say that it was an inside job, disgruntled employee; or that it was simply a mistake. They would never admit to being hacked.

 

Sure, when you are not hired to hack, then hacking is a crime. Okay, so what? Murder is illegal, but the punishment doesn’t seem to be a deterrent.

 

Paul Tiger

 

-----Original Message-----
From: Mcgrath, Bob___PI_Mkt [mailto:bob.mcgrath@xxxxxxxxxx]
Sent: Wednesday, December 10, 2003 3:04 PM
To: 'paul.tiger@xxxxxxxxxxxx'
Subject: RE: Voting-Machine Makers To Fight Security Criticism

 

The concept of hacking just to see if you can get in, but not to do any damage while you are there, is a foreign concept to me.  As a non-computer programmer guy, I simply can't comprehend any sort of rationale for doing this other than the possible vicarious thrill of being able to say you did it.  Am I missing something here?  Breaking the law is breaking the law, in my book.

 

[|>] snip