June 17, 2004

Voting Machine Challenge = Good Threat Model

I noticed I have a few posts here on all the hand-wringing over voting machines. I believe the issue of voting machine reliability is a leading indicator for customer perception and analysis of the reliability and security of many devices.

One thing missing from this debate has been a clear explanation of the threat model all the computer security types are up in arms about. Simply bumbling about yelling "the security is broken" gets attention from the techie community, but leaves the rest of the market scratching their heads wondering what should be done next. (Other than send a PR person into the fray to deny everything.)

Writing down and debating the threat model is a good start. Writing a threat model and proposing to turn it into a public challenge is one of the best ideas in a while. Avi Rubin has done just that.

The announcement. (Somebody please get Avi a real PR person)
The challenge [PDF].

Additionally, (via Farber's IP list) the NY Times today has an article on Kevin Shelley, California's Secretary of State, who has effectively stalled the market for electronic voting machines by demanding paper back-ups of all California elections. The voting machine vendors need to snap out of denial and start publicly proving the validity of meaningless words on the quality of their products.

Posted by Abner at 06:40 AM | Comments (0)

June 14, 2004

Voting Machines VS. Slot Machines

The NY Times posted a fantastic comparison between the government requirements for the security, reliability, and fraud testing of voting machines vs. slot machines.

Posted by Abner at 11:19 AM | Comments (0)

June 10, 2004

Functionality vs. Security

Avi Rubin's May 5th testimony on the reliability of voting machines [pdf] is an interesting read. Especially this section:

I'd like to stress one important point. Security and functionality are completely different things. Functionality is whether or not something works when it is used as planned. Functionality can be tested, and the tests can be used to make predictions about the future behavior of a system. Security, on the other hand, has to do with how a system behaves under unanticipated circumstances with an active, dynamic adversary trying to subvert it. By definition, you cannot test a system for security the way you test for functionality. It is inappropriate and incorrect to draw conclusions about the security of a system based on its past performance. The fact that this argument is consistently put forward in defense of the security of the DREs [electronic voting machines] demonstrates just how much real security expertise is needed in this process. You would not design a heart implant without feedback from cardiologists. You would not design defense systems for the physical security of this country without consulting military experts, and you should not design systems for computerized elections in this country without consulting computer security experts. I can assure you from my analysis of the Diebold machines that no such expertise was utilized.

The bottom line? After the debacle of the 2000 election in Florida, our election officials spent wildly in the hope of avoiding a repeat. The problem is the election officials had no clue what they were buying, traditional tests were insufficient, and the technology vendors were happy to rush an immature product to market to chase election reform dollars.

Posted by Abner at 10:51 PM | Comments (0)