Pen-testing Diebold's Voting Software

From: Chuck Herrin (me_at_chuckherrin.com)
Date: 11/13/04

To: <pen-test@securityfocus.com>
Date: Sat, 13 Nov 2004 16:11:34 -0500

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hi All,

    Some of you may have seen the reports that Diebold's vote tabulation
    software was certified to run on a Windows machine without being
    pen-tested by the certifying organization(?!?!). When I read that, I
    took blackboxvoting.org up on their challenge to test it myself, and
    the results are staggering.

    I was able to change over 11,000 votes in my sample election in just
    a few minutes, then review the audit logs to make sure there were no
    traces. The full report, with screenshots and timestamped reports
    and audit logs, is available at my website,
    www.chuckherrin.com/hackthevote.htm. It was so easy, I hate to even
    call it "Hacking".

    Partisan politics aside - we've got to fix this.

    Thanks,

    Chuck Herrin, CISSP, CISA, MCSE, CEH
    All outgoing correspondence is digitally signed. Lack of a valid
    signature indicates possible forgery.

    My public key is available at
    http://www.chuckherrin.com/ChuckHerrin.asc

    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

    iQA/AwUBQZZ4hqbL2AcPBTOlEQKuYQCeOnghpidOET7Ukl4yVPohBls4ssUAn1/n
    qvMPM8cTxxTaMac95hzjeEow
    =nQmg
    -----END PGP SIGNATURE-----
