Animesh Pathak: Oops for Indian Voting Machines.
S.R. Darapuri IPS (Retired) at Counter Currents: Who Is Afraid Of Caste Census And Why?
Laura Miller at Salon: Bad Writing: What Is It Good For?
About the EVMs: my opinion is, if you can take a screwdriver to the device, all bets are off. No device is tamper-proof. Physical security of a device cannot be ensured theoretically and is a task for the election commission, not for security researchers. The question for security researchers is whether a physically intact device can be tampered with: the answer has proved to be yes for several Western machines (Diebold etc), but nobody seems to have demonstrated such insecurity for the Indian EVMs.
@Abi: Thanks for the link. I had begun to wonder why the traffic was suddenly spiking on my humble blog :).@Rahul: I wrote this in reply to you on my post, but re-posting here for Abi's readers:+++Not sure I get your point about Diebold. The exploit I know of used a key from a hotel minibar to open the box and replace the SD card. Does that not count as tampering the device? Links to other types of non-invasive attacks on Diebold will be much appreciated. +++Thanks,-A
Animesh: Here you go.(Quote: " Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts. We identify several problems including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes. We show that voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal software. Furthermore, we show that even the most serious of our outsider attacks could have been discovered and executed without access to the source code. In the face of such attacks, the usual worries about insider threats are not the only concerns; outsiders can do the damage. That said, we demonstrate that the insider threat is also quite considerable...")
ps - the key point, from the paper, seems to be that the Diebold system requires a smartcard to be inserted by the voter. So a voter trivially has hardware access. Worse, they show that the voter can use this to escalate privileges (become a administrator). There is no such thing in India's machines.
Post a Comment