Thursday, September 15, 2005

Is your vote at risk?


In exclusive, stunning admissions to The BRAD BLOG some 11 months after the 2004 Presidential Election, a "Diebold Insider" is now finally speaking out for the first time about the alarming security flaws within Diebold, Inc.'s electronic voting systems, software and machinery. The source is acknowledging that the company's "upper management" -- as well as "top government officials" -- were keenly aware of the "undocumented backdoor" in Diebold's main "GEM Central Tabulator" software well prior to the 2004 election. A branch of the Federal Government even posted a security warning on the Internet.

Pointing to a little-noticed "Cyber Security Alert" issued by the United States Computer Emergency Readiness Team (US-CERT), a division of the U.S. Department of Homeland Security, the source inside Diebold -- who "for the time being" is requesting anonymity due to a continuing sensitive relationship with the company -- is charging that Diebold's technicians, including at least one of its lead programmers, knew about the security flaw and that the company instructed them to keep quiet about it.

"Diebold threatened violators with immediate dismissal," the insider, who we'll call DIEB-THROAT, explained recently to The BRAD BLOG via email. "In 2005, after one newly hired member of Diebold's technical staff pointed out the security flaw, he was criticized and isolated."

In phone interviews, DIEB-THROAT confirmed that the matters were well known within the company, but that a "culture of fear" had been developed to ensure that employees, including technicians, vendors and programmers, kept those issues to themselves.

The "Cyber Security Alert" from US-CERT was issued in late August of 2004 and is still available online via the US-CERT website. The alert warns that "A vulnerability exists due to an undocumented backdoor account, which could a [sic: allow] local or remote authenticated malicious user [sic: to] modify votes."

The alert, assessed to be of "MEDIUM" risk on the US-CERT security bulletin, goes on to add that there is "No workaround or patch available at time of publishing."



Read the rest at The Brad Blog
