Wednesday, November 10, 2004

smoking gun = #define DESKEY ((des_key*)"F2654hd4")

Here's a few snips:

Posting unprotected source codes for a commercial product on the Web is rare and considered unspeakably stupid in the computer world, so word spread quickly, and a computer scientist at Stanford University told Dr. Rubin. Dr. Rubin, in turn, called in Adam Stubblefield, a doctoral student at Hopkins, and Tadayoshi Kohno, a summer graduate student, telling them they needed to drop everything and come see what was on his computer. What they were looking at, they concluded, was a program compiled in 2000 and its April 2002 update, apparently posted so programmers could work on it. It was nothing less than the programming that made the voting machines voting machines.

The students pored over 49,609 lines of "code," computer language commands that look like hieroglyphics to anyone not trained as a programmer. One line blew them away. It means nothing to laymen, but it was enough to make Dr. Rubin's hair stand on end.

#define DESKEY ((des_key*)"F2654hd4")

All commercial programs have provisions to be encrypted, protected by secret code so that no one could read or change the contents without the encryption key. That is particularly true of programs that require transmission by telephone or wireless networks. The line that staggered the Hopkins team told them first, that the method used to encrypt the Diebold machines was a method called Digital Encryption Standard (DES), a code that was broken in 1997 and is no longer used by anyone to secure programs. F2654hd4 was the key to the encryption.

The programmers had done the equivalent of putting the family jewels in a safe, putting up a blinking neon sign reading "Jewels in Here!" and taping the lock's combination to the safe door. Moreover, because the key was in the source code, all Diebold machines responded to the same key. Unlock one, you can unlock them all.


"I continue to believe that the Diebold voting machines represent a huge threat to our democracy. I fundamentally believe that we have thrown our trust in the outcome of our elections in the hands of a few companies who are in a position to control the final outcomes of our elections.

"The more e-voting is viewed as successful, the more it will be adopted," he said, "and the greater the risk when someone decides to actually exploit the weaknesses in these systems.

"I am not against technology. I drive a car, get on airplanes and ride elevators. However, if the code in any of these was as bad as Diebold's software, I wouldn't. I think that the real difference is the adversary model. If there were trillions of dollars worth of incentives for people to rig elevators so that they crashed, I would be advocating for only using stairs."
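The hard-coded key described in the snips above is the kind of thing a source review can catch mechanically. The following is an added example, not part of the quoted article or of Diebold's code: a small Python check that flags `#define` macros casting a string literal to a key pointer type. The sample header, the function name `find_hardcoded_keys` and the "name or type mentions key" heuristic are assumptions made for the illustration.

```python
import re

# Constructed sample header: the macro quoted in the post plus lines
# that must not be flagged.
SAMPLE_SOURCE = '''\
#define APP_NAME "ExampleApp"
#define GREETING ((char*)"hello")
#define DESKEY ((des_key*)"F2654hd4")
#define MAX_RETRIES 3
'''

# A #define whose body casts a string literal to a pointer type,
# e.g.  #define NAME ((some_type*)"literal")
MACRO = re.compile(
    r'^\s*#\s*define\s+(?P<name>\w+)\s+\(*\s*\(\s*(?P<type>[\w\s]+?)\s*\*\s*\)\s*'
    r'"(?P<lit>(?:[^"\\]|\\.)*)"'
)

def find_hardcoded_keys(source):
    """Return one finding per macro that embeds key material as a literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = MACRO.match(line)
        if not m:
            continue
        # Heuristic (assumption): the macro name or cast type mentions "key".
        if "key" not in (m["name"] + m["type"]).lower():
            continue
        size = len(m["lit"])
        findings.append({
            "line": lineno,
            "macro": m["name"],
            "type": m["type"],
            "key_bytes": size,
            # A DES key is 8 bytes, of which only 56 bits are used.
            "des_sized": size == 8,
        })
    return findings

if __name__ == "__main__":
    for f in find_hardcoded_keys(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['macro']} embeds a {f['key_bytes']}-byte "
              f"key literal (DES-sized: {f['des_sized']})")
```

Any hit means every build of the program ships the same key, so the fix is to provision keys per device outside the source tree rather than to change the literal.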
