[Talk] DIEBOLD VOTING MACHINE KEY COPIED FROM PHOTO AT COMPANY'S OWN ONLINE STORE!

talk@flux.org talk@flux.org
Wed, 24 Jan 2007 14:24:06 -0500 (EST)


Princeton University Computer Scientists Confirm 'Secret' Key For Every
Diebold Voting Machine 'Revealed' on Company Website!

http://www.bradblog.com/?p=4066

BLOGGED BY Brad ON 1/24/2007 6:05AM

Good lord in heaven. How dumb are these guys at Diebold?! Can you believe 
the United States has actually entrusted them to build a security system 
for the original U.S. Constitution, the Declaration of Independence and 
the Bill of Rights?!

After everything else. Now comes this.

It was revealed in the course of last summer's landmark virus hack of a 
Diebold touch-screen voting system at Princeton University that, 
incredibly, the company uses the same key to open every machine. It's also 
an easy key to buy at any office supply store since it's used for filing 
cabinets and hotel mini-bars! That is, if you're not a poll worker who 
already has one from the last time you worked on an election (anybody 
listening down there in San Diego?)

The Princeton Diebold Virus Hack, if you've been living in a cave, found 
that a single person with 60 seconds of unsupervised access to the system 
who either picked the lock (easy in 10 seconds) or had a key, could slip a 
vote-swapping virus onto a single machine which could then undetectably 
affect every other machine in the county to steal an entire election.

But the folks at Princeton who discovered the hack (after our own 
organization, VelvetRevolution.us, gave them the Diebold touch-screen 
machine on which to perform their tests) had resisted showing exactly what 
the key looked like in order to hold on to some semblance of security for 
Diebold's Disposable Touch-Screen Voting Systems.

But guess what? Diebold didn't bother to even have that much common sense.

This idiotic company has had a photograph of the stupid key sitting on 
their own website's online store! (Screenshot at end of this article.)

Of course, they'll only sell such keys to "Diebold account holders" 
apparently --- or so they claim --- but that's hardly a problem. J. Alex 
Halderman, one of the folks who worked on the Princeton Hack, but who had 
tried to keep the design of the key a secret for obvious reasons, revealed 
Tuesday that a friend of his had found the photo of the key on Diebold's 
website and discovered that it was all he needed to create a working copy!

Halderman writes:

  The shape of a key is like a password - it only provides security if you
  keep it secret from the bad guys. ...
  Could an attacker create a working key from the [Diebold website]
  photograph? Ross [Kinard of SploitCast] decided to find out. Here's what
  he did:

    I bought three blank keys from Ace. Then a drill vise and three cabinet
    locks that used a different type of key from Lowes. I hoped that the
    spacing and depths on the cabinet locks' keys would be similar to those
    on the voting machine key. With some files I had I then made three keys
    to look like the key in the picture.

  Ross sent me his three homemade keys, and, amazingly, two of them can
  open the locks on the Diebold machine we used in our study!

Kinard's homemade key --- created only from the photo at Diebold's online 
store --- is seen opening the machine at Princeton in the video on the 
left. Unbelievable.

This is the once-great American security company that helped kick off this 
entire disaster after it was discovered they left their "secure" source 
code for their unsecure voting machines sitting out on the net for anyone 
to download from a public FTP site in 2003. And if you couldn't figure out 
how to hack one of their systems from that alone, now they've given you 
the model to build your own key at home! Have fun, kids!

Anybody seen the U.S. Constitution lately? We know Bush hasn't. But other 
than that, seriously, maybe someone oughta check the National Archives 
just to be sure...

A screenshot of the page from Diebold's online store, featuring a photo of 
the keys to the kingdom, follows below...

http://www.bradblog.com/?p=4066