Martin McKeay

Security Matters

One key to rule them all!

Yesterday fellow CW blogger, Angela Gunn, pointed out the stupidity of Diebold for putting a picture of the key to their DRE voting machines online.  But I think she missed out on the true depth of their ignorance of basic security concepts:  they're using one key to open every e-voting machine they manufacture.  That's right, if you have a key from a voting system in your local district then you can easily open Accuvote machines anywhere.  It makes it much easier if you happen to lose your key, but it also makes it much easier if you want to get access to those oh-so-important memory cards in the machines.  You know, the memory cards that hold every vote the system records.

Publishing the picture of the key is a relatively minor faux pas compared to using a single key for all systems. Especially considering the same key that opens minibars and jukeboxes opens Diebold machines. Apparently the security of our votes is no more important to Diebold than a cold drink at Holiday Inn or the CD library at the local pizza joint (Side question: do these machines still use CDs or are they using MP3s now?). Of course, even if the keys were different, it only takes a couple of seconds to pick the lock anyways, so why even bother having a lock?

Diebold has taken down the picture.  Which is sooo effective, given that there are videos of the hacked keys and copies of the original photograph all over the Internet.  And let's not forget little things like the Wayback Machine, which probably has a copy of the picture if you're willing to dig for it.  So taking down the original photo is worse than useless now.  It's not like Ross Kincaid at Sploitcast didn't give them weeks of notice before the story broke.

If Diebold actually had a clue, each device would have a unique key that was tied to the serial number of the system. Or a combination, again tied to the serial number, so that it would be easier to look up if the key was lost. Even making the districts buy small padlocks themselves would have been better. But by using a single key on all machines, they've once again demonstrated an utter lack of understanding of the basics of security. The folks at the local storage locker company have a better grasp on physical security than Diebold does. And these are the people we're trusting to safeguard our democracy? You may trust them, but I think they're idiots. Rumor has it that Diebold is thinking about getting out of the e-voting business; I'm hoping the rumors are true.

What People Are Saying

Thanks Grammar Guy (or Gal)

That's why I have an editor, to catch basic errors like this, and all my typos too. I know the difference, but sometimes my fingers forget.

Martin McKeay
martin_cw@mckeay.net
http://www.mckeay.net/
Voicemail: 916.231.9479

Don't ask me to use my brain

Don't ask me to use my brain unless your willing to use yours first, and please don't resort to name calling; it just proves that your not thinking, your reacting.

Good grief, you certainly weren't kidding about using your brain there.

Someone who has "written for three years" and is "a professional" should really know the difference between "your" and "you're."

It just makes my head explode to read that coming from a braggart who was trying to insult someone else's intelligence.

* You're is short for "You are:"

"You're not as smart as you'd like to think."

* Your is a possessive:

"Your writing skills need improvement."

Common sense,

I actually took some time to have a good long look at the Sequoia voting machine at my local voting place in November. You'd be surprised the level of social engineering you can do when you have a 7 year old in tow. I didn't do anything to the machine, didn't even touch it, but after watching me for about 30 seconds, the local official got distracted. I had well over 5 minutes of free time with the machine as I explained DRE machines to my son. If you think your officials are any better, you're in for a rude surprise. Heck, if you think you could do better, you might want to think again. Try being vigilant for 8 hours straight some time.

People are people; they're fallible. Every effort has to be made to prevent our failings from leading to a significant compromise. Instead, Diebold has decided to give ease of use a higher priority than security.

I'm not someone who's just 'jumped on the band wagon'. I'm a security professional and have been following the story of Diebold since Avi Rubin first published his papers on the weakness of the systems. I've been writing on this subject for over three years, long before I ever wrote for Computerworld.

Don't ask me to use my brain unless you're willing to use yours first, and please don't resort to name calling; it just proves that you're not thinking, you're reacting.

Martin McKeay
martin_cw@mckeay.net
http://www.mckeay.net/
Voicemail: 916.231.9479

Mr. "Common Sense"'s

Mr. "Common Sense"'s counter-attack is itself STUPID. He is trying to imply that all elections bureaus have great security procedures that make Diebold's locks on the voting machines unnecessary and superfluous. Not so. For most of the year, any county's voting machines are stored in a minimum security warehouse. He also assumes that ALL employees of county elections departments are honest and do not need to be kept out of the machines. Like not one of the underpaid low-level flunkies would think of taking a big bribe for 5 minutes of risky work, shoving a funny card into a slot for a few seconds....

Did an anti-Diebold fanatic

Did an anti-Diebold fanatic pay to have this article written? Use your brain for a couple of minutes and think...PLEASE. While the pic of the key(s) may make in the security's top 10 list of don't do this, no one writing articles like this has a freaking C-L-U-E about the elections business or how departments are run. If they did they'd know this completely mindless jump on the bandwagon to attack is plain STUPID. Just call your local elections office and find out why. By the way, why don't you ask for an appointment so they can show you their security procedures. If they don't have any that could stop anything from what this article describes or the Princeton Report, they should have their a**es thrown out of office.

At a recent election in

At a recent election in which I volunteered to be a "poll watcher" for a candidate for state office, I witnessed a disturbing but apparently above board action by one of the official poll workers. In our city, absentee ballots are distributed back to the voter's precinct to be fed into the ballot boxes, during normal election hours, under the supervision of the precinct warden. This allows the absentee ballots to be part of the automatic tabulation at the end of the day. I noticed one poll worker using a marker pen, and seemingly filling out ballot after ballot before submitting them to the ballot box. I asked her what she was doing, and she explained that the pens used by individuals at home are often not registered by the optical tabulators, so they would overwrite the voters' marks with an official black pen that would be properly tabulated. So what I initially thought was ballot stuffing turned out to be a method to make sure that the voter's intention was carried out -- assuming, of course, that you absolutely trust the integrity of the poll worker. Frankly, I still think that the practice is suspect.

Ahhh, but you missed the

Ahhh, but you missed the spectacle of me having a coronary about the one-key-to-rule-them-all mess back in October! It was spectacular. I turned many colors and said many things that shall not be repeated in a fine family blog such as this.