In December last year I wrote twice about the H4X0R friendly e-voting machines produced by Diebold. The Register today (also at SecurityFocus and a whole load of blogs) reports that those previous security holes - the ones that led the flaw discoverer to state "The design of the Diebold Precinct-Based Optical Scan 1.94w system is, in the author's own view, more akin to 'a house with an unlockable revolving door.'" - are actually not the most serious problems with the machines after all. [Note: many of the same security researchers as last time, and BlackBoxVoting, are involved, but I don't see that this invalidates the findings]
Yes, there is an even larger gaping hole in the security scheme. You see, if you insert a PCMCIA card with the right software on it and switch the machine on, the Diebold machine will access the PCMCIA card without running the sorts of checks you would hope it would do to ensure that the code on the card is a genuine certified patch and not some piece of malicious hack. You would expect that sort of check; to put it bluntly, it isn't there - or at least it isn't if the load is approved by someone with poll-worker-level access. In other words, any corrupt (or innocently duped) poll volunteer could approve this if he or she were given the card and a few minutes of undisturbed access. Perhaps worst of all, BBV reports that:
In the worst case scenario, the architectural weaknesses incorporated in these voting terminals allow a sophisticated attacker to develop an "offense in depth" approach in which each compromised layer will also become the guardian against clean-up efforts in the other layers. This kind of deep attack is extremely persistent and it is noteworthy that the layers can conceal the contamination very effectively should the attacker wish that. A quite natural strategy in these types of situations is to penetrate, modify and make everything look normal.
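To make concrete the check the post says is missing, here is an added example (not code from the post, Diebold or BBV): a loader that accepts an update from removable media only when the card's contents verify against a vendor public key held on the device, so operator approval alone is never enough. The names UpdateImage, loadUnchecked, loadVerified and signUpdate are hypothetical, and the image bytes are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateImage: the code on the card plus a vendor signature over its digest (hypothetical layout).
type UpdateImage struct {
	Code      []byte
	Signature []byte
}
var ErrUnsigned = errors.New("update rejected: vendor signature does not verify")

// loadUnchecked mirrors the design the post describes: poll-worker approval is the only gate.
func loadUnchecked(img UpdateImage, operatorApproved bool) ([]byte, error) {
	if !operatorApproved {
		return nil, errors.New("operator approval required")
	}
	return img.Code, nil // nothing checks that this is a certified patch
}

// loadVerified keeps the approval step but also demands a valid signature under a device-held vendor key.
func loadVerified(img UpdateImage, vendorKey ed25519.PublicKey, operatorApproved bool) ([]byte, error) {
	if !operatorApproved {
		return nil, errors.New("operator approval required")
	}
	digest := sha256.Sum256(img.Code)
	if !ed25519.Verify(vendorKey, digest[:], img.Signature) {
		return nil, ErrUnsigned
	}
	return img.Code, nil
}

// signUpdate stands in for the vendor's release process so the example runs alone.
func signUpdate(code []byte, vendorPriv ed25519.PrivateKey) UpdateImage {
	digest := sha256.Sum256(code)
	return UpdateImage{Code: code, Signature: ed25519.Sign(vendorPriv, digest[:])}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := signUpdate([]byte("constructed sample patch image"), priv)
	rogue := UpdateImage{Code: []byte("constructed rogue code"), Signature: genuine.Signature}
	_, okErr := loadVerified(genuine, pub, true)
	_, badErr := loadVerified(rogue, pub, true) // rejected despite operator approval
	fmt.Println("genuine:", okErr, "| rogue:", badErr)
}
```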
David Bear, a spokesman for Diebold Election Systems, said the potential risk existed because the company's technicians had intentionally built the machines in such a way that election officials would be able to update their systems in years ahead.
"For there to be a problem here, you're basically assuming a premise where you have some evil and nefarious election officials who would sneak in and introduce a piece of software," he said. "I don't believe these evil elections people exist."
Still, he said, the company will in the coming months solve the vulnerability, but not before most primary elections occur.
In other words, this is not an accidental security flaw; it is a deliberately designed one, and it is justified by the claim that "there are no evil and nefarious election officials". I'm sure that most (99% plus) election officials are wonderful people, but to say that there are no corrupt ones seems to be more like wishful thinking than anything else, unless US poll workers undergo a screening that is more rigorous than the standard security background checks which let through people like Sandy Burgler. Also recall that in some recent elections (e.g. the Washington State governor's race in 2004) the winner was decided on a mere handful of votes; just two or three e-voting machines that skewed the numbers in that race could have changed the result.
I seem to recall noting this before, and if so I'll repeat it. Diebold appears to work on the principle of "security through obscurity", a concept that no competent security professional subscribes to. Examples proving that "security through obscurity" is not secure are legion (many of the Microsoft vulnerabilities exploited by virus writers are good examples). The fact that the flaws exist is utterly staggering, but it is far, far worse that Diebold apparently designed the system intentionally to have these flaws. I believe (but I am not a lawyer) that the various states and counties who have bought these insecure pieces of junk would have an excellent class action case against Diebold, because the security holes are so gaping that there is no way Diebold's certification program could possibly be correct unless they completely and deliberately reprogram everything from the flash boot code upwards. And even then it's only safe if there are clear tamper-proof/tamper-evident seals attached at appropriate spots.