Name: Stanley A. Klein | Organization: N/A | Post Date: 9/30/2005
Comment:

If the voting software is not seriously tested for security, the "validated" distribution will only serve to ensure that the flawed, vulnerable software is being distributed without change. It can then be attacked by exploiting its vulnerabilities.

The setup validation is dependent on hash code testing. There are already a variety of means for defeating this kind of defense, especially if the attack is conducted by insiders. There is already a case in which a hash code checker was modified by an insider to install malicious code on a system (a slot machine). The perpetrator was caught only after an investigation that started when an accomplice in a completely different form of gambling fraud raised the suspicions of authorities in another state. Also, the election day installation of self-deleting malicious code using an existing vulnerability would completely bypass any hash checking.

The requirement in Volume I, Section 6.4.6.2, that the vendor provide a means for verifying the integrity of the software on the voting machine, is highly problematic. It essentially adds the issue of integrity of the verification software to the issue of integrity of the voting machine software. Any function that can be performed by software can be compromised, exploited, or falsified by software. The verification software must be tested to ensure it works properly and that it has not been altered or replaced with a malicious version prior to use. Then the question expands to how the verification software can itself be verified, how the software for verifying the verification can be verified, and so on. A success at attacking any level will collapse this entire structure like a house of cards.
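The two failure modes the comment above describes, a checker that has itself been tampered with and malicious code that arrives after the check and removes itself before the next one, can be shown concretely with a small hash-manifest verifier. The code below is an added illustration written for this page; it is not part of the comment, the VVSG, or any vendor's validation tool. The file names, file contents and the `honest_verify`, `trojaned_verify` and `election_day_timeline` functions are all hypothetical, and the "installation" is an in-memory dictionary standing in for files on disk so the example runs offline.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample "installation": file name -> contents. Hypothetical data
# standing in for a certified voting-machine software load.
CERTIFIED_BUILD: Dict[str, bytes] = {
    "ballot_tally.bin": b"certified tally logic v1",
    "ui_layout.cfg": b"ballot layout for precinct 12",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """The 'hash code' list a setup validation compares the machine against."""
    return {name: sha256_hex(content) for name, content in sorted(files.items())}


def honest_verify(live: Dict[str, bytes], manifest: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Hash every live file and compare with the manifest.

    Returns (ok, problems); problems lists modified, missing and unexpected files.
    """
    problems: List[str] = []
    for name, expected in manifest.items():
        if name not in live:
            problems.append(f"missing:{name}")
        elif sha256_hex(live[name]) != expected:
            problems.append(f"modified:{name}")
    for name in live:
        if name not in manifest:
            problems.append(f"unexpected:{name}")
    return (not problems, problems)


def trojaned_verify(live: Dict[str, bytes], manifest: Dict[str, str],
                    shadow: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """A checker an insider has altered (hypothetical): it hashes a pristine
    shadow copy instead of the live files, so it reports 'OK' no matter what is
    actually installed. The hash arithmetic is correct; the input is a lie."""
    return honest_verify(shadow, manifest)


def election_day_timeline(manifest: Dict[str, str]) -> Tuple[bool, bool, bool]:
    """Self-deleting payload planted after the pre-election check.

    Returns the verdict of an honest check at three moments:
    (at setup, while the payload is present, after it has cleaned up).
    """
    live = dict(CERTIFIED_BUILD)
    setup_ok, _ = honest_verify(live, manifest)

    # Payload dropped through some unrelated vulnerability (hypothetical).
    live["payload.bin"] = b"alter tally while polls are open"
    live["ballot_tally.bin"] = CERTIFIED_BUILD["ballot_tally.bin"] + b"\x00patched"
    during_ok, _ = honest_verify(live, manifest)  # only fails if someone checks right now

    # Payload restores the original binary and deletes itself before polls close.
    live["ballot_tally.bin"] = CERTIFIED_BUILD["ballot_tally.bin"]
    del live["payload.bin"]
    post_ok, _ = honest_verify(live, manifest)
    return (setup_ok, during_ok, post_ok)


if __name__ == "__main__":
    manifest = build_manifest(CERTIFIED_BUILD)
    tampered = dict(CERTIFIED_BUILD)
    tampered["ballot_tally.bin"] = b"tally logic with a back door"
    print("honest check on tampered build:", honest_verify(tampered, manifest))
    print("trojaned check on tampered build:", trojaned_verify(tampered, manifest, CERTIFIED_BUILD))
    print("(setup, during, after) for self-deleting payload:", election_day_timeline(manifest))
```

The hash comparison only attests to the state of the files at the instant it runs and only if the code doing the comparing is itself untouched; neither condition is established by the check, which is the regress the comment points out.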