One bourbon, one scotch, one election

I'm not sure which is more imbecilic -- posting a photo of the key to
your electronic voting system to the Web, or making that key a
universal one designed to access any machine you manufacture and the
hotel mini-bar to boot (see "One bourbon, one scotch, one election").

In the end, it doesn't really matter because our doltish friends at
Diebold have done both. Until yesterday, when Diebold slammed the barn
door shut on a horse that's by now halfway to Katherine Harris' summer
home, the voting machine manufacturer offered for sale on its Web site
replacement keys to its AccuVote-TS.

On the product page sat a photo of the key so detailed it could be
used to create a working copy.

Which is precisely what Ross Kinard of SploitCast did. "I bought three
blank keys from Ace," Kinard told J. Alex Halderman at Princeton's
Center for Information Technology Policy. "Then a drill vise and three
cabinet locks that used a different type of key from Lowes. I hoped
that the spacing and depths on the cabinet locks' keys would be
similar to those on the voting machine key. With some files I had I
then made three keys to look like the key in the picture." Kinard sent
those keys to Halderman, who found that two could be used to open
Diebold machines. Nice, eh? As Halderman notes, the shape of a key is
like a password -- only a fool, or Diebold, would post it to the Web
(see "AccuVote -- that's an oxymoron, right?").

"Security experts advocate designing systems with 'defense in depth,'
multiple layers of barriers against attack," Halderman writes. "The
Diebold electronic voting systems, unfortunately, seem to exhibit
'weakness in depth.' If one mode of attack is blocked or simply too
inconvenient, there always seems to be another waiting to be exposed."

Posted by John Paczkowski on 08:08 AM
Permalink

http://blogs.siliconvalley.com/gmsv/2007/01/im_not_sure_whi.html#comments