Security

Voting machine integrity through transparency

By Jake Edge
March 26, 2008

It is hard to believe that governments would spend money on voting equipment that they are not allowed to test, but that is exactly what multiple counties in New Jersey appear to have done. They are certainly not alone; many other places are likely to have the same restrictions on "their" voting machines. This raises the question: where are the free software voting systems?

Union County wanted to ask Ed Felten to look at the voting machines it purchased from Sequoia Voting Systems because of several anomalies—less charitably known as miscounts—observed when using them in the primary elections. Once Sequoia got wind of the plan, it emailed Felten a nastygram because he might engage in "non-compliant analysis" of the machines in violation of the Sequoia license. It seems quite likely that is exactly what Felten and the county clerk had in mind, as a third-party analysis is the only sensible way to evaluate voting machines.

Other jurisdictions have done better of late, with Felten's Freedom to Tinker weblog noting that California has denied certification for two voting machines from Election Systems & Software (ES&S). California Secretary of State Debra Bowen has been at the forefront of trying to ensure that voting machines work correctly. LWN's home state of Colorado also decertified a number of voting machines, but, like the earlier California study, it was done after those machines were purchased. As in California, it seems likely that Colorado will be using those machines in November.

Things are getting a little better, perhaps, but no one has, as yet, tried to take on the four major voting machine makers with a system that is built with security in mind. There is no reason that the source code for a voting machine could not be made available for study. The voting machine vendors claim all sorts of proprietary secret sauce in their code, but that isn't the real reason they hide it. Covering up their shoddy code is much more likely.

Every independent review of voting machines has found numerous, fundamental security flaws that should make anyone with an interest in the integrity of the election process cringe. Many of those analyses were done without the source code, so there is little doubt that even uglier problems would have been found in the code itself. It just cannot be that difficult to produce something vastly more secure than what is made available today.

One could speculate about the motives of these companies, but it is more fruitful to look at what could be built, mostly from off-the-shelf software. The place to start is by hiring a few good security-minded developers while lining up an independent review team; one might guess that Felten and his associates would be a good choice for that team.

A stripped-down Linux system could very easily be the basis for a voting machine, but other free software choices would serve just as well. Some user interface code for touchscreens and alternative input methods for those with disabilities would need to be written. Some kind of printing output device would need to be made a part of the system so that voter-verifiable audit trails—better yet, ballots that can be put into a locked box—can be created.

Source code availability does not, in and of itself, ensure vote security. That code needs to be reviewed by as many experts as can be found. In addition, there needs to be some mechanism to show that the source code being reviewed is the same as that being run.

For that reason, the system itself might be built around some kind of Trusted Platform Module (TPM) chip so that interested parties can verify that the published code is the same as that running on the system. If the system runs Linux, it might use the integrity management patches for that purpose. Most importantly, the outside interfaces (network, USB, PCMCIA, etc.) to the device would either not be present or be very tightly controlled. Any kind of removable vote recording memory would need adequate cryptographic safeguards to eliminate tampering between vote taking and vote tabulating machines.
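The cryptographic safeguard for removable vote memory described above, as an added example that is not code from the article or from any voting machine vendor. It assumes a per-machine secret key provisioned to both the voting machine and the tabulator (a design choice made here for illustration); the election id, machine id and key bytes are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed sample values (assumptions for this example, not from the article):
# each voting machine has a per-machine key that is also provisioned to the tabulator.
ELECTION_ID = "example-election-2008"
MACHINE_KEYS = {"VM-0042": bytes.fromhex("11" * 32)}  # placeholder key material


def _canonical(body: dict) -> bytes:
    """Serialise deterministically so both machines MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal_record(machine_id: str, key: bytes, tallies: dict, seq: int) -> dict:
    """Voting machine side: bind the tallies to machine, election and sequence
    number, then attach an HMAC-SHA256 tag before writing to the cartridge."""
    body = {"machine": machine_id, "election": ELECTION_ID, "seq": seq, "tallies": tallies}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_record(sealed: dict, keys: dict, seen: set) -> tuple:
    """Tabulator side. Returns ("ok", tallies) or ("rejected", reason).
    `seen` holds (machine, seq) pairs already counted, so a cartridge that is
    copied and presented twice is rejected instead of being double-counted."""
    body = sealed.get("body", {})
    key = keys.get(body.get("machine"))
    if key is None:
        return ("rejected", "unknown machine id")
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # Constant-time comparison; verify the tag before trusting any field of body.
    if not hmac.compare_digest(expected, sealed.get("tag", "")):
        return ("rejected", "tag mismatch: record altered or forged")
    if body.get("election") != ELECTION_ID:
        return ("rejected", "record belongs to a different election")
    ident = (body["machine"], body["seq"])
    if ident in seen:
        return ("rejected", "duplicate record: already counted")
    seen.add(ident)
    return ("ok", body["tallies"])


def demo() -> list:
    """Run an honest cartridge, a tampered copy and a replayed copy through the tabulator."""
    key = MACHINE_KEYS["VM-0042"]
    record = seal_record("VM-0042", key, {"A": 120, "B": 98}, seq=1)
    tampered = {"body": dict(record["body"], tallies={"A": 220, "B": 98}), "tag": record["tag"]}
    seen = set()
    return [verify_record(record, MACHINE_KEYS, seen)[0],
            verify_record(tampered, MACHINE_KEYS, seen)[0],
            verify_record(record, MACHINE_KEYS, seen)[0]]
```

A digital signature (public key held by the tabulator) would remove the need to share the secret key; HMAC is used here only because it needs nothing outside the standard library.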

Instead of an emphasis on PR, schmoozing, and bamboozling non-technical folks, the focus of a free software voting system would be on transparency. The number one goal would be to give everyone, from the least technical voter to the Bruce Schneiers of the world, confidence in the machines and the process. It is hard to fathom how anyone could want anything less.

The last updated vulnerabilities section

It would seem that the majority of the readers of this page are willing to part with the updated vulnerabilities section. Based on the comments we got over the last two weeks, we have decided to remove it from future editions. So, this is the last week you will find one on the security page. You can always visit http://lwn.net/Vulnerabilities/ to get a look at the most recent vulnerabilities in our database.

New vulnerabilities

asterisk: multiple vulnerabilities

Package(s): asterisk
CVE #(s): CVE-2007-6430 CVE-2008-1332 CVE-2008-1333
Created: March 20, 2008
Updated: April 25, 2008
Description: From the Debian alert:

CVE-2007-6430: Tilghman Lesher discovered that database-based registrations are insufficiently validated. This only affects setups which are configured to run without a password and with only host-based authentication.

CVE-2008-1332: Jason Parker discovered that insufficient validation of From: headers inside the SIP channel driver may lead to authentication bypass and the potential external initiation of calls.

Alerts:
SuSE SUSE-SR:2008:010 licq, libpng, asterisk, openldap2, audit, blender 2008-04-25
Gentoo 200804-13 asterisk 2008-04-14
Fedora FEDORA-2008-2554 asterisk 2008-03-21
Fedora FEDORA-2008-2620 asterisk 2008-03-21
Debian DSA-1525-1 asterisk 2008-03-20

asterisk: multiple vulnerabilities

Package(s): asterisk
CVE #(s): CVE-2008-1289 CVE-2008-1390
Created: March 24, 2008
Updated: March 26, 2008
Description:

From the Red Hat bugzilla:

CVE-2008-1289: Two buffer overflows exist in the RTP payload handling code of Asterisk. Both overflows can be caused by an INVITE or any other SIP packet with SDP. The request may need to be authenticated depending on configuration of the Asterisk installation.

The first overflow is caused by sending a payload number that surpasses the programmed maximum payload number of 256. This causes an invalid memory write outside of the buffer. While this does not allow the attacker to write arbitrary data it does allow the attacker to write a 0 to other memory locations.

The second overflow is caused by sending more than 32 RTP payloads. This causes a buffer on the stack to overflow allowing the attacker to write values between 0 and 256 (the maximum payload number) to memory locations after the buffer.

CVE-2008-1390: Due to the way that manager IDs are calculated, this 32-bit integer is likely to have a much larger than average number of 1s, which greatly reduces the number of guesses an attacker would have to make to successfully predict the manager ID, which is used across multiple HTTP queries to hold manager state.

Alerts:
Fedora FEDORA-2008-2554 asterisk 2008-03-21
Fedora FEDORA-2008-2620 asterisk 2008-03-21

bzip2: denial of service

Package(s): bzip2
CVE #(s): CVE-2008-1372
Created: March 24, 2008
Updated: March 30, 2009
Description:

From the CVE entry:

bzlib.c in bzip2 before 1.0.5 allows user-assisted remote attackers to cause a denial of service (crash) via a crafted file that triggers a buffer over-read, as demonstrated by the PROTOS GENOME test suite.

Alerts:
Gentoo 200903-40 analog 2009-03-29
CentOS CESA-2008:0893 bzip2 2008-09-16
Red Hat RHSA-2008:0893-01 bzip2 2008-09-16
SuSE SUSE-SR:2008:011 rsync, MozillaFirefox, poppler, nagios, lighttpd, sarg, squid, bzip2, kdelibs3, texlive-bin, kdelibs4, Sun Java 2008-05-09
Fedora FEDORA-2008-2970 bzip2 2008-04-08
Fedora FEDORA-2008-3037 bzip2 2008-04-08
Slackware SSA:2008-098-02 bzip2 2008-04-08
Gentoo 200804-02 bzip2 2008-04-02
Ubuntu USN-590-1 bzip2 2008-03-24
rPath rPSA-2008-0118-1 bzip2 2008-03-21
Mandriva MDVSA-2008:075 bzip2 2007-03-23

Firefox: multiple vulnerabilities

Package(s): firefox
CVE #(s): CVE-2007-4879 CVE-2008-1233 CVE-2008-1234 CVE-2008-1235 CVE-2008-1236 CVE-2008-1237 CVE-2008-1238 CVE-2008-1240 CVE-2008-1241
Created: March 26, 2008
Updated: July 28, 2008
Description: The Firefox 2.0.0.13 release contains fixes for several vulnerabilities; see this list for details.
Alerts:
openSUSE openSUSE-SU-2014:1100-1 Firefox 2014-09-09
Mandriva MDVSA-2008:155 mozilla-thunderbird 2008-07-25
Mandriva MDVSA-2008:155-1 mozilla-thunderbird 2008-07-27
Gentoo 200805-18 mozilla-firefox 2008-05-20
Fedora FEDORA-2008-3557 thunderbird 2008-05-09
Fedora FEDORA-2008-3519 thunderbird 2008-05-09
Debian DSA-1574-1 icedove 2008-05-12
SuSE SUSE-SR:2008:011 rsync, MozillaFirefox, poppler, nagios, lighttpd, sarg, squid, bzip2, kdelibs3, texlive-bin, kdelibs4, Sun Java 2008-05-09
Slackware SSA:2008-128-02 mozilla 2008-05-08
Debian DSA-1534-2 iceape 2008-04-24
Ubuntu USN-605-1 mozilla-thunderbird, thunderbird 2008-05-06
rPath rPSA-2008-0128-2 firefox 2008-03-27
SuSE SUSE-SA:2008:019 MozillaFirefox 2008-04-04
Red Hat RHSA-2008:0209-01 thunderbird 2008-04-03
Slackware SSA:2008-089-02 seamonkey 2008-03-31
Slackware SSA:2008-089-01 mozilla-firefox 2008-03-31
Mandriva MDVSA-2008:080 mozilla-firefox 2007-03-28
Debian DSA-1535-1 iceweasel 2008-03-30
rPath rPSA-2008-0128-1 firefox 2008-03-27
Red Hat RHSA-2008:0208-01 seamonkey 2008-03-27
Debian DSA-1534-1 iceape 2008-03-28
Red Hat RHSA-2008:0207-01 firefox 2008-03-26
Debian DSA-1532-1 xulrunner 2008-03-27
Fedora FEDORA-2008-2682 blam 2008-03-26
Fedora FEDORA-2008-2682 firefox 2008-03-26
Fedora FEDORA-2008-2682 kazehakase 2008-03-26
Fedora FEDORA-2008-2682 chmsee 2008-03-26
Fedora FEDORA-2008-2682 openvrml 2008-03-26
Fedora FEDORA-2008-2682 gnome-web-photo 2008-03-26
Fedora FEDORA-2008-2682 devhelp 2008-03-26
Fedora FEDORA-2008-2682 galeon 2008-03-26
Fedora FEDORA-2008-2682 liferea 2008-03-26
Fedora FEDORA-2008-2682 epiphany-extensions 2008-03-26
Fedora FEDORA-2008-2682 gnome-python2-extras 2008-03-26
Fedora FEDORA-2008-2682 ruby-gnome2 2008-03-26
Fedora FEDORA-2008-2682 gtkmozembedmm 2008-03-26
Fedora FEDORA-2008-2682 epiphany 2008-03-26
Fedora FEDORA-2008-2682 yelp 2008-03-26
Fedora FEDORA-2008-2682 Miro 2008-03-26
Fedora FEDORA-2008-2662 yelp 2008-03-26
Fedora FEDORA-2008-2662 ruby-gnome2 2008-03-26
Fedora FEDORA-2008-2662 openvrml 2008-03-26
Fedora FEDORA-2008-2662 liferea 2008-03-26
Fedora FEDORA-2008-2662 kazehakase 2008-03-26
Fedora FEDORA-2008-2662 Miro 2008-03-26
Fedora FEDORA-2008-2662 gtkmozembedmm 2008-03-26
Fedora FEDORA-2008-2662 galeon 2008-03-26
Fedora FEDORA-2008-2662 firefox 2008-03-26
Fedora FEDORA-2008-2662 epiphany-extensions 2008-03-26
Fedora FEDORA-2008-2662 epiphany 2008-03-26
Fedora FEDORA-2008-2662 devhelp 2008-03-26
Fedora FEDORA-2008-2662 chmsee 2008-03-26
Ubuntu USN-592-1 firefox 2008-03-26

JBoss: inject and execute arbitrary commands

Package(s): JBoss
CVE #(s): CVE-2007-6306 CVE-2007-6433
Created: March 25, 2008
Updated: March 26, 2008
Description: The JFreeChart component was vulnerable to multiple cross-site scripting (XSS) vulnerabilities. An attacker could misuse the image map feature to inject arbitrary web script or HTML via several attributes of the chart area. The setOrder method in the org.jboss.seam.framework.Query class did not properly validate user-supplied parameters. This vulnerability allowed remote attackers to inject and execute arbitrary EJBQL commands via the order parameter.
Alerts:
Red Hat RHSA-2008:0158-01 JBoss 2008-03-24

krb5: memory use after free

Package(s): krb5
CVE #(s): CVE-2007-5901
Created: March 24, 2008
Updated: April 7, 2010
Description:

From the CVE entry:

Use-after-free vulnerability in the gss_indicate_mechs function in lib/gssapi/mechglue/g_initialize.c in MIT Kerberos 5 (krb5) has unknown impact and attack vectors. NOTE: this might be the result of a typo in the source code.

Alerts:
Ubuntu USN-924-1 krb5 2010-04-07
Fedora FEDORA-2008-2637 krb5 2008-03-21
Fedora FEDORA-2008-2647 krb5 2008-03-21
Gentoo 200803-31 mit-krb5 2008-03-24

libsilc: buffer overflow

Package(s): libsilc
CVE #(s):
Created: March 24, 2008
Updated: March 26, 2008
Description:

From the Red Hat bugzilla:

SILC Toolkit contains a possible buffer overflow from PKCS#1 message decoding in versions earlier than 1.1.7. A specially crafted digital signature can be used to crash the program.

Alerts:
Fedora FEDORA-2008-2641 libsilc 2008-03-21
Fedora FEDORA-2008-2616 libsilc 2008-03-21

namazu: cross-site scripting

Package(s): namazu
CVE #(s): CVE-2008-1468
Created: March 26, 2008
Updated: August 29, 2008
Description: The sanitizing of input to namazu does not work properly with certain encodings, allowing HTML directives and script code to be injected into content.
Alerts:
SuSE SUSE-SR:2008:017 powerdns, dnsmasq, python, mailman, ruby, Opera, neon, rxvt-unicode, perl, wireshark, namazu, gnome-screensaver, mysql 2008-08-29
Fedora FEDORA-2008-2767 namazu 2008-03-26
Fedora FEDORA-2008-2678 namazu 2008-03-26

openssh: hijacking of forwarded X connections

Package(s): openssh
CVE #(s): CVE-2008-1483
Created: March 25, 2008
Updated: May 14, 2008
Description: OpenSSH 4.3p2, and probably other versions, allows local users to hijack forwarded X connections by causing ssh to set DISPLAY to :10, even when another process is listening on the associated port, as demonstrated by opening TCP port 6010 (IPv4) and sniffing a cookie sent by Emacs.
Alerts:
Debian DSA-1576-1 openssh 2008-05-14
SuSE SUSE-SR:2008:009 openssh, opera 2008-04-11
Slackware SSA:2008-095-01 openssh 2008-04-07
Gentoo 200804-03 openssh 2008-04-05
Ubuntu USN-597-1 openssh 2008-04-01
Mandriva MDVSA-2008:078 openssh 2007-03-26
rPath rPSA-2008-0120-1 openssh 2008-03-25

ruby: directory traversal

Package(s): ruby
CVE #(s): CVE-2008-1145
Created: March 25, 2008
Updated: August 29, 2008
Description: Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.
Alerts:
SuSE SUSE-SR:2008:017 powerdns, dnsmasq, python, mailman, ruby, Opera, neon, rxvt-unicode, perl, wireshark, namazu, gnome-screensaver, mysql 2008-08-29
Mandriva MDVSA-2008:142 ruby 2008-07-09
Mandriva MDVSA-2008:141 ruby 2007-07-09
Fedora FEDORA-2008-6094 ruby 2008-07-04
rPath rPSA-2008-0123-1 ruby 2008-03-25

serendipity: insufficient input sanitizing

Package(s): serendipity
CVE #(s): CVE-2007-6205 CVE-2008-0124
Created: March 25, 2008
Updated: March 26, 2008
Description: Serendipity, a weblog manager, did not properly sanitize input to several scripts which allowed for cross site scripting.
Alerts:
Debian DSA-1528-1 serendipity 2008-03-24

ssl-cert: certificate disclosure

Package(s): ssl-cert
CVE #(s): CVE-2008-1383
Created: March 20, 2008
Updated: March 26, 2008
Description: From the Gentoo alert:

Robin Johnson reported that the docert() function provided by ssl-cert.eclass can be called by source building stages of an ebuild, such as src_compile() or src_install(), which will result in the generated SSL keys being included inside binary packages (binpkgs). A local attacker could recover the SSL keys from publicly readable binary packages when "emerge" is called with the "--buildpkg (-b)" or "--buildpkgonly (-B)" option. Remote attackers can recover these keys if the packages are served to a network.

Alerts:
Gentoo 200803-30 ssl-cert 2008-03-20

viewvc: multiple vulnerabilities

Package(s): viewvc
CVE #(s): CVE-2008-1290 CVE-2008-1291 CVE-2008-1292
Created: March 20, 2008
Updated: March 26, 2008
Description: From the Gentoo alert:

Multiple unspecified errors were reportedly fixed by the ViewVC development team. A remote attacker could send a specially crafted URL to the server to list CVS or SVN commits on "all-forbidden" files, access hidden CVSROOT folders, and view restricted content via the revision view, the log history, or the diff view.

Alerts:
Gentoo 200803-29 viewvc 2008-03-19

xine-lib: arbitrary code execution

Package(s): xine-lib
CVE #(s): CVE-2008-0073
Created: March 24, 2008
Updated: October 30, 2008
Description:

From the Red Hat bugzilla:

Secunia Research has discovered a vulnerability in xine-lib, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the "sdpplin_parse()" function in input/libreal/sdpplin.c. This can be exploited to overwrite arbitrary memory regions via an overly large "streamid" SDP parameter included in a malicious RTSP stream.

Successful exploitation allows execution of arbitrary code.

Alerts:
Mandriva MDVSA-2008:219 mplayer 2008-10-29
Fedora FEDORA-2008-7572 xine-lib 2008-09-05
Mandriva MDVSA-2008:178 xine-lib 2008-08-20
Ubuntu USN-635-1 xine-lib 2008-08-06
Gentoo 200808-01 xine-lib 2008-08-06
SuSE SUSE-SR:2008:012 xine, xemacs, emacs, opensuse-updater, libvorbis, vorbis-tools, pdns-recursor, openwsman 2008-06-06
Gentoo 200804-25 vlc 2008-04-23
Debian DSA-1543-1 vlc 2008-04-09
Fedora FEDORA-2008-2945 xine-lib 2008-04-08
Debian DSA-1536-1 xine-lib 2008-03-31
Slackware SSA:2008-089-03 xine-lib 2008-03-31
SuSE SUSE-SR:2008:007 unzip, tomcat, moodle, xine 2008-03-28
Fedora FEDORA-2008-2569 xine-lib 2008-03-21

xwine: several vulnerabilities

Package(s): xwine
CVE #(s): CVE-2008-0930 CVE-2008-0931
Created: March 21, 2008
Updated: March 26, 2008
Description: The xwine command makes unsafe use of local temporary files when printing. This could allow the removal of arbitrary files belonging to users who invoke the program. The xwine command changes the permissions of the global WINE configuration file such that it is world-writable. This could allow local users to edit it such that arbitrary commands could be executed whenever any local user executed a program under WINE.
Alerts:
Debian DSA-1526-1 xwine 2008-03-20

Page editor: Jake Edge

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds