Saturday, July 28, 2007

More on California Top to Bottom

I should point out that only the red team reports have been released so far. (As the SoS web site states, "The document review teams and source code review teams submitted their reports on schedule. Their reports will be posted as soon as the Secretary of State ensures the reports do not inadvertently disclose security-sensitive information.") The red teams are groups of talented white hat hackers who approach the system as though they were malicious parties looking to disrupt the election. These reports do not take into account flaws in the source code. The source code analysis reports, which are akin to the study that my research team performed in 2003 about Diebold, will be very revealing because they will shed light on how Diebold responded to the flaws that we found four years ago. Considering that I had two (very talented) graduate students looking at the code for about a week, I fully expect that this team of professionals who spent a month will uncover much more serious problems.

It's important to keep in mind, as the California report states, that any security problems reported by them constitute a lower bound on the problems that exist. The reason is that they were limited both in time and in the information available to them. Some of the material they needed was given to them only a couple of weeks before their final deadline. Furthermore, in a real-world scenario, hackers would not have a month to do the analysis and produce a report. They would probably skip the report and could spend many months developing their attacks.