The Misguided Criticism of CA’s Red Team Results

July 31st, 2007 by Richard Carback in: Security

I was sent a story from the Sacramento Bee that effectively tries to discredit the results of the red team study I talked about in a previous post:

Voting technology manufacturers portrayed the study as unfair and unreasonable because they said it was conducted without Election Day security measures. They specifically took issue with the fact that the state gave Bishop’s team access cards with secret codes that are typically kept secure by elections officials.

“This was not a security-risk evaluation but an unrealistic worst-case scenario evaluation limited to malicious tests, studies and analysis performed in a laboratory environment by computer security experts with unfettered access to the machines and software over several weeks,” said Steven Bennett, California sales executive for Sequoia. “This is not a real-world scenario.”

This is a load of FUD (Fear, Uncertainty, and Doubt) without much backing, so let's tackle the issues one by one:

Election Day Security Measures — According to the overview of the reports, each of the 58 counties has its own security procedures. Testing outside any one county's procedures is actually the most useful thing the team could have done: you can take the full list of problems they found, match it against a particular county's procedures, and find out whether that county is protected or not.

What the critics say they would have preferred would simply have let them discredit the study another way. If the team had tested under the procedures of one or two counties, or made up its own model procedures, the critics could say "Well, it doesn't apply to the other 50 or so counties." The critics could also play the D.A.R.E. game, where, when there's a known issue in a certain set of procedures, you say "well, next time the procedures will be different." The **best** way to do this sort of testing is outside the scope of procedures, because then you get the most bang for the buck, and you can build procedures around your infrastructure to help protect you.

Security cards and access codes — This appears to be misleading. The state did give the team smart cards, but the majority of the problems found don't involve the cards at all; just look at page 9 of the overview: election management system problems, operating system problems, static security keys. None of these appear to require a smart card. The overview also mentions that the cards themselves were easy to forge, which rather undercuts the objection. I can't imagine it would be very hard to get hold of one of these cards or create one of your own.

Access to machines — This deliberately confuses the time it took to find the flaws with the time it would take to exploit them. Finding a flaw can be tedious; exploiting a known flaw can take seconds or minutes. And since the machines sit in a back room for months at a time between elections, it wouldn't be hard to borrow one for a few weeks to find flaws, or to steal the source code from a vendor and find them that way.

Worst case scenario — Maybe this is obvious, but isn't the worst case exactly what we should be looking at? In any case, from the overview:

The results presented in this study should be seen as a "lower bound"; all team members felt that they lacked sufficient time to conduct a thorough examination, and consequently may have missed other serious vulnerabilities.

That doesn't sound very "worst-case" to me. It sounds like they had a limited amount of time, on the order of weeks, and could probably have found much more had they been able to examine the systems in depth.

To summarize, trying to discredit these guys by saying this "is not a real world scenario" shows a fundamental lack of understanding of what they were trying to do. I've just scratched the surface here, and I wish I had more time to get into it, but I don't, so I hope this gets the point across.

Good news! That video is available!

2 Responses to “The Misguided Criticism of CA’s Red Team Results”

  1. Aleks Essex Says:

    I used to work with a guy whose motto was “cover your ass.” As he was training me he would repeat it over and over. In this case it sounds like that’s what the vendors are doing.

    Would you really expect anything less?

    The only question that remains is whether you, the reader, buy the rationalization.

  2. Richard Carback Says:

    I am somewhat surprised the writer of the story bought it enough to actually put it in there and not immediately discredit it. I don't really think that this and similar FUD have any place in the public debate.

    What they could say, instead, was that it was possible to build procedures such that it was still safe, but they had to go the easy route…
