Quote of the Day

We’ve been assured again and again that RFID passports are secure. When researcher Lukas Grunwald successfully cloned one last year at DefCon, industry experts told us there was little risk. This year, Grunwald revealed that he could use a cloned passport chip to sabotage passport readers. Government officials are again downplaying the significance of this result, although Grunwald speculates that this or another similar vulnerability could be used to take over passport readers and force them to accept fraudulent passports. Anyone care to guess who’s more likely to be right?
 
It’s all backward. Insecurity is the norm. If any system — whether a voting machine, operating system, database, badge-entry system, RFID passport system, etc. — is ever built completely vulnerability-free, it’ll be the first time in the history of mankind. It’s not a good bet.
 
Once you stop thinking about security backward, you immediately understand why the current software security paradigm of patching doesn’t make us any more secure. If vulnerabilities are so common, finding a few doesn’t materially reduce the quantity remaining. A system with 100 patched vulnerabilities isn’t more secure than a system with 10, nor is it less secure. A patched buffer overflow doesn’t mean that there’s one less way attackers can get into your system; it means that your design process was so lousy that it permitted buffer overflows, and there are probably thousands more lurking in your code.
 
Diebold Election Systems has patched a certain vulnerability in its voting-machine software twice, and each patch contained another vulnerability. Don’t tell me it’s my job to find another vulnerability in the third patch; it’s Diebold’s job to convince me it has finally learned how to patch vulnerabilities properly.

Bruce Schneier

3 thoughts on “Quote of the Day”

  1. Diebold Election Systems has patched a certain vulnerability in its voting-machine software twice, and each patch contained another vulnerability.

    It is commonly thought among programmers that they introduce one new bug for every four bugs they patch. In theory, one can asymptotically approach a secure system but truly never reach it.

    However, I would point out that companies like Diebold have been creating secure systems for banking and other financial institutions for over 30 years and, despite what one sees in the movies, no major penetration of these systems has ever occurred. In fact, very few of the hackers who penetrated major systems anywhere used actual exploits in the computers themselves. Far more often, hackers used “social engineering,” i.e., the age-old techniques of con artists, to obtain the information needed to access the system in the guise of a legitimate user.

  2. If I have to get an RFID passport, I plan first thing to zap whatever electronics are within, easy to do with a high-voltage discharge.

  3. Voting machines are different from ATMs.

    Diebold produced its electronic voting system based on poorly thought-through specifications created hastily by politicians who didn’t understand the technical issues. Some bugs have been found, and the design of the system is inherently bad. In particular, there’s no paper trail for voters, so it’s conceivable that votes can be changed or manufactured fraudulently without anyone detecting it. I’ve voted on Diebold machines and dislike them — you press a button to register your vote, and there is no feedback mechanism to tell you that your vote was recorded correctly or at all.

    This is all much different from an ATM, where there are multiple sources of feedback for the customer (paper receipts, bank statements), as well as a supply of physical cash in the machine that the bank can count. Also, ATMs have been around for decades. They are by now thoroughly tested, since any serious problem very quickly leads to an accounting imbalance that costs someone money. By contrast, electronic voting machines are relatively new and their lack of audit-trail feedback makes only gross errors or fraud detectable. It’s conceivable that these machines have already been hacked.

    A lot of the problems with electronic voting result from having the wrong people design the systems, and from designing the systems hastily, after the 2000 election. However, Diebold has exacerbated these problems greatly by refusing to acknowledge bugs in the system, by taking an adversarial position toward critics and by being secretive about source code.
