Saturday, September 16, 2006

Diebold should let us analyze the "new" system

As most of you who read this blog know, Ed Felten and his students at Princeton have implemented the attacks that we described in our paper back in 2003 and some new attacks as well. I was aware of this work and was an early peer reviewer of their paper. I have watched Diebold's reaction to the Princeton paper, and they are reacting as expected based on their track record. Doug Jones has posted a very good commentary about the Diebold response.

Here's what I recommend. Diebold's defense against our paper and against Princeton's paper is that we looked at an old version of the system. Well, my response to that is, let us look at the new one! Every election administrator in the country who uses the Diebold machines should want Ed's team and mine to perform a security assessment of their voting technology. If Diebold's system is not vulnerable to Princeton's virus, then wouldn't they welcome such a public analysis? If they fear that the new version is vulnerable, then isn't that a question that needs to be answered publicly?

Diebold maintains that they now use AES for encryption, and that for this reason, they are immune to the Princeton "hack". Their responses always demonstrate to me how little they understand about security. The Princeton malicious code is running on the machine with access to all of the data and memory. There is nothing in this system preventing malicious code from accessing the AES keys on the machine, and Diebold has never used any kind of key management. They always use the same key in all of the machines.

Why is it that in this country, vendors can get away with this? Shouldn't it be part of the process to have competent and independent security reviews? I think that vendors should have to post their security mechanisms, algorithms and protocols publicly, and let the security community evaluate them. The computer security community eschews security by obscurity. If the voting machines have good security, we'll say so, and if they don't, we'll point out the flaws so that they can be fixed. Secrecy creates legitimate doubts and suspicion. Diebold is not acting like a company that wants to get it right. They act instead like a company that is afraid to have their weaknesses exposed.