11/22/2004

Subject: Reviewing Diebold's software - A letter from Chuck Herrin

Subject: Reviewing Diebold's software


Hey lawnorder,

I saw some of your posts cautioning against examination of Diebold's
software, and I just wanted to let you know that it is something that
Bev Harris, Jim Clark, and I have given a lot of thought to. I
appreciate your caution, but I don't think our voting systems should
be hidden. Anyway - they said it so well, I'll just let them do the
talking.

Bev: (http://www.blackboxvoting.org/bbv_chapter-12.pdf)

"Here is what I came to believe, after much thought: I think
that examining our voting machine software is not only a legitimate
activity, but it is also our civic duty. For queasier souls, I offer
these statements in defense of this endeavor:

1) These files were publicly available.
2) Examining them is in the public interest.
3) Our objective is study and review, not copying and selling voting
systems.
4) In a democracy, vote-counting should not be secret in the first
place."

And Jim: (http://www.equalccw.com/dieboldtestnotes#appendixC)

"First, let me explain that I fully "confess" that I am distributing
Diebold copyrighted product on my website. And I was (and am)
involved in the effort to strip the encryption from some of the ZIP
archives downloaded from Diebold's FTP site.

So why am I not worried?

a) I believe all this falls under "fair use". I have a history of
using the Public Records Act to expose government-related misconduct,
corruption and general stupidity. See also:

http://www.equalccw.com/commiemommies.html (the first time my
reporting made Matt Drudge's site)

http://www.equalccw.com/donperata.gif (the second time Drudge picked
my stuff up - note that Perata is a well-known rabidly anti-gun
politician)

http://www.equalccw.com/oaklandzen.html

http://www.equalccw.com/sactoletter.html

...and other examples.

b) Voting is a highly "public" function, and public scrutiny over the
election process is a VERY well established area of law. There have
been two lower court decisions in favor of the secrecy of electronic
voting systems but first, I believe those decisions were wrong and
second, in those cases no specific allegations of misconduct were
presented - only theoretical issues.

c) In Diebold's case, misconduct is very, VERY well established. Good
God, where do we start?

- Diebold is supposed to be supplying security with their
system - it's part of the contract for services, either implied,
specific or in some cases, mandated by law. So they leave their FTP
site totally wide open, only encrypt some files, and the ones they do
encrypt, they do so with ZIP encryption, which is known to be flawed?

- Diebold grabbed elections data from 3:31pm on the DAY OF THE
RACE in SLO County. If the data isn't public record, then what the
hell were they doing with it?!

- California Penal Code 19205(c) says that the Secretary of
State shall not approve voting systems that are "subject to
tampering". GEMS doesn't even begin to qualify, once you know that
MS-Access is a "hack tool". By withholding the info on grotesque
security flaws via MS-Access, Diebold violated God only knows how
many contracts plus that element of state law.

- Diebold's own internal memos show that they fully understood
the issues Bev Harris discovered years later, knew they were in
violation of a slew of laws, and lied to the Federal testing labs. It
doesn't get any worse - this is an "Enron grade" corporate ethics
failure.

d) The elements of "c" above lead to an "unclean hands" problem on
Diebold's part. In court, the term "unclean hands" applies to somebody
who tries to get "justice" when they themselves are law-breakers. This
is why a crack dealer can't sue his customers over failure to pay.

e) I hope they do sue me in civil court. The discovery process will
be an absolute blast. Depositions will be even more fun.

f) They might convince the Feds to prosecute me criminally. Riiight.
Let's see - will they be able to convince a jury that hey, this whole
"democracy" thing is over-rated? Basically, prosecuting me for
copyright issues and/or hacking under the DMCA would be much the same
as the guy who sees a robber in a ski mask and packin' a shotgun rush
into a bank, so he slashes the crook's tires - and gets prosecuted
for vandalism. There's such a thing as a "necessity defense" in
criminal law. It applies in this case, in spades.

g) Yo Diebold: before you take me on, you should know what you're up
against. Go here:

http://www.keepandbeararms.com/information/Item.asp?ID=3601

Pay particular attention to the downloadable video linked in that
article. That's what you'll be facing in court.

h) I have friends with law degrees. Lots of 'em. Scads. And they're
gun-rights lawyers, which in California means "battle hardened
sumbiches fighting behind enemy lines".

i) Special message to Diebold: you are cordially invited to bite me.
Bring it on. Make my day."

Sorry for the length, but I just thought I'd add that to the debate.

Chuck

Chuck Herrin, CISSP, CISA, MCSE, CEH
