June 10, 2004

Functionality vs. Security

Avi Rubin's May 5th testimony on the reliability of voting machines [pdf] is an interesting read. Especially this section:

Id like to stress one important point. Security and functionality are completely different things. Functionality is whether or not something works when it is used as planned. Functionality can be tested, and the tests can be used to make predictions about the future behavior of a system. Security, on the other hand, has to do with how a system behaves under unanticipated circumstances with an active, dynamic adversary trying to subvert it. By definition, you cannot test a system for security the way you test for functionality. It is inappropriate and incorrect to draw conclusions about the security of a system based on its past performance. The fact that this argument is consistently put forward in defense of the security of the DREs [electronic voting machines] demonstrates just how much real security expertise is needed in this process. You would not design a heart implant without feedback from cardiologists. You would not design defense systems for the physical security of this country without consulting military experts, and you should not design systems for computerized elections in this country without consulting computer security experts. I can assure you from my analysis of the Diebold machines that no such expertise was utilized.

The bottom line? After the debacle of the 2000 election in Florida our election officials spent wildly in the hope of avoiding a repeat. The problem is the election officials had no clue what they were buying, traditional tests were insufficient, and the technology vendors were happy to rush an immature product to market to chase election reform dollars.

Posted by Abner on June 10, 2004 10:51 PM
Comments ARE BROKEN Send email instead - Thanks!


Recent Entries
iPhone's SIM Locks: Hardware vs. Software vs. Lawyers
Even (or especially) contests could use a security review
Vendors Responses: Voting Machines and the Pwnie Awards
Dude "Security Rocks"
iPhone Wi-Fi Vulnerability
Harry Potter Security
iPhone Hacking & Fustrations
Let the iPhone Hacking Begin
Geer heads to Washington, Again
This Just In: DRM still doesn't work
L0pht
Phishing meets Internet Advertising
How long to unlock the iPhone Operating System?
Predictive Markets For Politics
The Irony of Phone Security Google Ads
Why Biometric Fingerprint Readers Are A Waste
How to Blag an Interview
Yet another Boston marketing flub
MAC vs. Vista Security
The latest in physical security
Data Loss Archive
Guerrilla Marketing Backfires in Boston
Hackistan
NY Times on the "Market" For Software Vulnerabilities
Not marketing security, marketing *during* security