| Author |
Message |
   
Bruce Sims Frequent Voting Rights Forum Participant Username: Ubetchaiam
Post Number: 390 Registered: 06-2005
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Wednesday, August 31, 2005 - 7:53 pm: |
|
This applies to Windows CE, which is used in many new voting machines. But Windows CE isn't really an off-the-shelf product. Microsoft distributes it in the form of source code that is compiled for each target hardware device. So here is software that can be supremely compromised, yet the certification officials never even take a look at it.
 |
   
Ami Silberman Voting Rights Forum Participant Username: Jol
Post Number: 88 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Thursday, September 1, 2005 - 12:21 am: |
|
Slight amplification: It is compiled for each hardware device design. It isn't separately compiled for, say, each individual cellphone. It should be possible, therefore, to have a different entity (possibly even a governmental branch) perform the final integration between the voting software and Windows CE, and then be responsible for loading it onto the machines, or producing an install disk. |
   
James Zukowski Frequent Voting Rights Forum Participant Username: Jimz
Post Number: 120 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Thursday, September 1, 2005 - 1:03 am: |
|
Do you think the companies would really go for this...? Unfortunately, I don't think so. Peace! JimZ The people who cast the votes decide nothing. The people who count the votes decide everything.
|
   
Ami Silberman Voting Rights Forum Participant Username: Jol
Post Number: 90 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Thursday, September 1, 2005 - 7:52 am: |
|
They do in the defense industry. Final integration of software components and installation of software on hardware is often performed by non-vendor contractors at DoD facilities. |
   
Catherine Ansbro Frequent Voting Rights Forum Participant Username: Catherine_a
Post Number: 697 Registered: 12-2004
Best of Black Box?  Votes: 139 (A keeper?) | | Posted on Thursday, September 1, 2005 - 8:05 am: |
|
I'd say the DoD is "bigger" than the vendors. I'm sure vendors know they can't dictate to the DoD. DoD would also have plenty of in-house expertise. In the case of state or county officials, the vendors may feel that they can call the shots. Since election officials would likely have far less understanding of the technology they'd probably gladly accept if a vendor offered or insisted to do the installation. |
   
Ami Silberman Voting Rights Forum Participant Username: Jol
Post Number: 91 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Thursday, September 1, 2005 - 8:10 am: |
|
So maybe we need a system with national level officials specifying and integrating the voting machines. The machines would have to be designed so that setting them up for an election would be within the capacity of local election officials. |
   
Roger Fox Voting Rights Forum Participant Username: Fogerrox
Post Number: 54 Registered: 06-2005
Best of Black Box?  Votes: 1 (A keeper?) | | Posted on Friday, September 2, 2005 - 11:27 am: |
|
There seem to be many DRE vendors using Windows 2000, maybe XP. DANAHer still uses Windows 98 2nd edition. Hart uses 2000, as does Truvote. Accupoll uses XP pro 2002, 2000 and Redhat in the DRE. http://www.nased.org/ITA%20Information/NASEDQualifiedVotingSystems12.03to7.05.pdf |
   
John Washburn Voting Rights Forum Participant Username: Johnwashburn
Post Number: 73 Registered: 04-2005
Best of Black Box?  Votes: 1 (A keeper?) | | Posted on Friday, September 2, 2005 - 2:21 pm: |
|
Now how can DANAHer use an operating system which is no longer available for sale? I would love to know how a system I buy new today from DANAHer has Windows 98 loaded on it without violating the license agreement with Microsoft. If Windows 98 is NOT the operating system delivered, what is the certification number which covers the certification of this non-'98 system? Both the DANAHer numbers on the list in your NASED link are for certification to the 1990 standards. I think the requirements are if you want the HAVA money, any electronic system you may optionally adopt has got to have a 2002 certification number. In Liberty, John Washburn
|
   
John Washburn Voting Rights Forum Participant Username: Johnwashburn
Post Number: 74 Registered: 04-2005
Best of Black Box?  Votes: 1 (A keeper?) | | Posted on Friday, September 2, 2005 - 2:30 pm: |
|
Here is a link to a later list of NASED certification numbers. http://www.nased.org/ITA%20Information/NASEDQualifiedVotingSystems12.03to8.05.pdf In Liberty, John Washburn
|
   
John Washburn Voting Rights Forum Participant Username: Johnwashburn
Post Number: 75 Registered: 04-2005
Best of Black Box?  Votes: 1 (A keeper?) | | Posted on Friday, September 2, 2005 - 2:45 pm: |
|
Here is the latest URL for NASED certified equipment: As of August, 2005 Your NASED list was As of July, 2005 Here are past lists: As of May, 2005 As of June, 2005 I could not find lists: As of January, 2005 As of February, 2005 As of March, 2005 As of April, 2005 Does this mean a URL As of September, 2005 will be available soon? With As of October, 2005, As of November, 2005, As of December, 2005, As of January, 2006, etc. to follow? I love the fact the report does not list the end date, just current, on all of these. But, at least the URL indicates the month the report was run. In Liberty, John Washburn
|
   
Catherine Ansbro Frequent Voting Rights Forum Participant Username: Catherine_a
Post Number: 753 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Friday, September 2, 2005 - 3:15 pm: |
|
Maybe the missing months are when they are on vacation (or perhaps testing voting machines in the Ukraine or elsewhere). |
   
Roger Fox Voting Rights Forum Participant Username: Fogerrox
Post Number: 60 Registered: 06-2005
Best of Black Box?  Votes: 1 (A keeper?) | | Posted on Friday, September 2, 2005 - 6:15 pm: |
|
John -- excellent -- I have been waiting for them to get back from vacation -- I haven't been to the NASED site in about a week or so. I have IIRC June 05 and July 05 -- but they take the prior lists off the server -- I tried to use the July link and NUTIN. There are items on the July list that were deleted from my older June or May list. And John -- you are right about the 1990 certified equipment, it is not HAVA compliant and not eligible for HAVA money and cannot be used in a federal election as per Title III, section 301, of HAVA |
   
Ami Silberman Voting Rights Forum Participant Username: Jol
Post Number: 98 Registered: 12-2004
Best of Black Box?  Votes: 1 (A keeper?) | | Posted on Saturday, September 3, 2005 - 8:45 am: |
|
"Now how can DANAHer use an operating system which is no longer available for sale? I would love to know how a system I buy new today from DANAHer has Windows 98 loaded on it without violating the license agreement with Microsoft." Microsoft allows you to "downgrade" the OS delivered with a new system. I'm not sure on the details, but I know that it is possible. However, I would be pretty concerned about any voting system using anything prior to XP just from a system stability angle. |
   
Bruce Sims Frequent Voting Rights Forum Participant Username: Ubetchaiam
Post Number: 413 Registered: 06-2005
Best of Black Box?  Votes: 1 (A keeper?) | | Posted on Saturday, September 3, 2005 - 11:24 am: |
|
No matter what, if a State has the phrase 'safe from fraud and manipulation' in their standards for certifying voting machines, they have violated such requirements because there isn't a Windows version (except -perhaps- Windows CE because the source code is given and can be altered to address security) that is 'safe from fraud and manipulation'. The evidence is the myriad and ongoing security 'hotfixes'. |
   
Roger Fox Voting Rights Forum Participant Username: Fogerrox
Post Number: 65 Registered: 06-2005
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Saturday, September 3, 2005 - 1:16 pm: |
|
Yes Ami, I'm not all that conversant on these matters -- but even I have heard that XP is far more stable -- compared to 2000 -- |
   
Catherine Ansbro Frequent Voting Rights Forum Participant Username: Catherine_a
Post Number: 779 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Saturday, September 3, 2005 - 3:11 pm: |
|
Really? I heard there were problems with XP, at least when it first came out, and also with one of the SPs. Guess I'm out of date. I thought 2000 had some security advantages. (I've heard bad things about XP & spyware, so I wouldn't have thought XP would be at the top of the list for a voting machine OS. I'll admit I'm biased vs MS for a number of reasons, including the fact that it's proprietary making it impossible for anyone to check the code for their legendary backdoors.) |
   
Bruce Sims Frequent Voting Rights Forum Participant Username: Ubetchaiam
Post Number: 422 Registered: 06-2005
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Sunday, September 4, 2005 - 11:59 am: |
|
Having worked with both XP and Win2K my experience is there is no discernible difference in 'stability'; BUT there is a world of difference between the 'pro' and 'home' editions when it comes to 'stability'. Just my experience; someone may have a different experience; doesn't matter, both have ongoing and numerous 'security hotfixes'. |
   
Roger Fox Voting Rights Forum Participant Username: Fogerrox
Post Number: 71 Registered: 06-2005
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Monday, September 5, 2005 - 7:13 pm: |
|
Bruce -- I'm guessing Office is more stable than Home? Same for 2k & XP? How would pro fit in? Catherine -- I only saw Diebold using MS CE in the TSx DRE @ the NASED link. Avante uses 2k pro |
   
Pat A. Vesely Moderator Username: Pat_vesely
Post Number: 1931 Registered: 12-2004
Best of Black Box?  Votes: 1 (A keeper?) | | Posted on Tuesday, September 6, 2005 - 12:51 am: |
|
The real question is how the "service packs" that address the known exploits are factored into the decision as to whether the OS is safe to use for a given purpose. If an operating system is shown to be vulnerable to a given exploit unless a known "service pack" is installed, should the rules make it mandatory that SP number such and such (the latest) be installed to the COTS before it's accepted as secure for use? Seems like a no brainer to me. Why don't our laws demand this? Pat Vesely ;-) |
   
Catherine Ansbro Frequent Voting Rights Forum Participant Username: Catherine_a
Post Number: 825 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Tuesday, September 6, 2005 - 3:28 am: |
|
Don't the SPs sometimes introduce new vulnerabilities of their own? I assume no one is allowed to test for this because of proprietary software. |
   
Ami Silberman Frequent Voting Rights Forum Participant Username: Jol
Post Number: 102 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Tuesday, September 6, 2005 - 9:47 am: |
|
In general, the security problems with Windows XP are exploits of the use of Active X, Internet Explorer, Media Player etc. It is possible to configure XP so that it is pretty darn secure, but you can't use IE, or USB ports, and are pretty much reliant on applications which use the SSL (Secure Socket Layer) directly. |
   
Ami Silberman Frequent Voting Rights Forum Participant Username: Jol
Post Number: 103 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Tuesday, September 6, 2005 - 9:49 am: |
|
Pat, the one reason for remaining with an older SP is to avoid new vulnerabilities and instabilities introduced with a new SP. In the corporate world, a good IT department will evaluate all SPs and fixes to verify that they don't break any of the core business software used, and determine whether they will result in a need to reconfigure anything. For certain applications, later SPs or even some "critical" fixes are unneeded because they fix vulnerabilities which are, by design, not exposed. For example, if your system is configured to just not run Active X, then patches that fix Active X vulnerabilities are not needed. |
   
Bruce Sims Frequent Voting Rights Forum Participant Username: Ubetchaiam
Post Number: 432 Registered: 06-2005
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Tuesday, September 6, 2005 - 10:24 am: |
|
Ami is correct but didn't mention that there are what are called 'co-req's' for 'hot fixes' that often/sometimes (depends, have to evaluate beforehand) require those 'hot fixes' that weren't previously applied to now be applied. In the 'real' world there are programs like SMS and Wise that help out in the determination and distribution of such 'service packs' (which are accumulations of patches, 'hot fixes' etc.). The 'hot fixes' usually come out on their own without an associated 'service pack'. Roger, 'Office' is a 'productivity' suite, not a version of the OS; the OSes carry the 'home' and 'professional' designations with the 'professional' being more 'stable' in my experience. CE addresses the win2k and xp issues Ami mentions by disabling those "features"/capabilities. |
   
Bev Harris Board Administrator Username: Admin
Post Number: 5788 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Saturday, October 14, 2006 - 11:30 am: |
|
Windows CE has just been hit with a massive security alert pertaining to risks through hacking the bootloader. Will publish the information shortly. WHAT TO DO WITH EVIDENCE: "Never put it in a funnel." Always PROPAGATE evidence to at least 5-7 different places: - A reporter - Black Box Voting - Your local elections office (this will seed it into the public record) - Your e-mail list - Your local elections reform group - The EIRS reporting system - A blog - Someplace unexpected EVIDENCE = video, audio, photos, public records (stories and anecdotes are not evidence)
|
   
Catherine Ansbro Frequent Voting Rights Forum Participant Username: Catherine_a
Post Number: 3333 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Saturday, October 14, 2006 - 12:03 pm: |
|
Maybe somebody at Microsoft read the most recent Hursti report. |
   
Bev Harris Board Administrator Username: Admin
Post Number: 5789 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Saturday, October 14, 2006 - 4:04 pm: |
|
Actually, I received notice that upon closer inspection it is two reports -- one on bootloader hacking which is dated Jan 2006, and one on CE vulnerabilities dated yesterday.
|
   
Bev Harris Board Administrator Username: Admin
Post Number: 5801 Registered: 12-2004
Best of Black Box? N/A Votes: 0 (A keeper?) | | Posted on Monday, October 16, 2006 - 12:48 pm: |
|
Windows CE thread closed for admin reasons. Due to news about Windows CE hacking dangers we will be reopening on a new thread.
|