Saturday, June 17, 2006

The fear of an audit

These are the kinds of things that happen when electronic voting machines that go unaudited, on the grounds of "protecting the company's innovative technology", receive some kind of evaluation by third-party experts. It becomes a little easier to understand why Smartmatic has never wanted its machines audited by third parties. It is a real slap in the face to those of us critically minded and responsible Venezuelans who watch this regrettable situation with anguish.

This article says, among other things, that ways were found to "hack" Sequoia's machines. That company was bought by Smartmatic some time ago. I wonder whether the machines that were hacked are already Smartmatic's "wonderful machines". But its technology was definitely shown to be incapable of holding up against a simple audit carried out by people outside the company. So how do many Smartmatic employees expect to tell us that these machines are SO secure that they are not willing to allow them to be evaluated by the country's real computer security experts?

I know many of the developers of the software behind Smartmatic's machines. Many were students at the Universidad Central and the Universidad Simón Bolívar. None of them was trained with even the slightest awareness of computer security. It is true that many stood out for their excellent grades and performance in class. Sadly, they do not have the slightest idea of, or experience in, building secure software.

Hence the fear Smartmatic's executives have of a third-party audit, and they hide behind the claim that they are protecting trade secrets. Please. Who are they fooling?

The most incredible thing is that even those employees, excellent students, for some incredible reason, overnight believe themselves qualified to state that the software they created is "secure" and "effectively protects" the will of Venezuelans. They really make me ashamed. If I did not know them, it would not make me so angry. But I know how incapable they are, and the reckless claims they dare to make bother me enormously! However, they have never been able to answer this question: if the software is so secure, why was SUMATE never given a machine so that it could run security tests on it? I am almost certain it is because they FEAR results similar to those described below:

Sequoia E-Vote Systems Found 'Hackable' in PA, Testing Shut Down After Machine Failures

By Brad Friedman, The Brad Blog
March 30, 2006

'Software Clearly Unstable,' Says Testing Official Who 'Transformed Handful of Votes into an Instant'

This article was published on The Brad Blog.

Ten-Year Old E-Voting Systems from Nevada Planned for First Time Use in Pennsylvania This Year

Pennsylvania's Allegheny County, where plans to use Diebold's hackable Electronic Voting Equipment have recently been nixed, Plan B seems to be failing too. The machines they'd hope to use instead, as made by Sequoia Voting Systems, have now been shown to be hackable as well.

Pittsburgh's Post-Gazette picked up on the story yesterday, and followed up today on the testing being run in Allegheny County by Dr. Michael Shamos, a Carnegie Mellon University professor, on the "new" Sequoia Voting Machines. The county had hoped to use these systems -- ten-year old Sequoia "Advantage" machines as purchased from Clark County, Nevada who is moving to a different Sequoia system -- in their upcoming Primary Elections in May. That plan now may be in grave doubt.

The testing of the machines has found so many problems -- including Shamos' findings during "tampering tests" that he was able to instantly "transform a handful of votes into thousands" -- that he has now simply shut down the entire process described as "pointless" due to all of the errors in the software.

According to today's report...

HARRISBURG -- A state voting-machine examiner yesterday halted testing of the machine Allegheny County intends to use in the May primary, saying it was pointless to continue until a critical software problem is resolved.

"It's not useful to continue because [the software] clearly is not stable," said Michael Shamos, a Carnegie Mellon University professor.

Sequoia Voting Systems, the Oakland, Calif.-based manufacturer of AVC Advantage voting machines, will have a chance to fix the software and have it retested in a week or two. Otherwise, it's unlikely the machines will be certified for use in Pennsylvania.

As you may recall, it was machines made by Sequoia which failed so miserably across the state in Illinois just last week during the Primary Elections there. Just a handful of the many mainstream reports covering the meltdown are here, here and here.

Now pay attention...because this can be confusing...

Illinois' Cook County (Chicago) had used new Sequoia "Edge" machines in the recent primary that had been purchased by Clark County, Nevada. Since Illinois' primaries were first, and Sequoia didn't have time or inventory to fill both orders, Cook used Clark's machines for last week's contest only.

Those "Edge" machines, which failed so disastrously in Cook County, IL, are now to be shipped to Clark County, NV who is selling their own ten-year old Sequoia "Advantage" machines to Allegheny County, PA. It is those ten-year old machines which are now being tested in Allegheny and failing so horrendously.

All of which begs the questions: How well were those "Advantage" machines tested in Nevada in the last ten years? How much is Nevada now looking forward to using the new and failed "Edge" machines that they had loaned for a single use to Cook County, IL? And finally, will Clark County, NV bother to test them to find out if they too are hackable like the ones -- modified a bit by Sequoia on the way, apparently -- that they've just unloaded on Allegheny County, PA?

But back to the halted tests in Allegheny...and the claims by Sequoia officials that the problems found were "no big deal". Shamos doesn't see them as "no big deal" and is concerned that a malicious hacker could do precisely what he was able to do in these tests...

Dr. Shamos encountered yesterday's problem during a test for vote tampering. In an instant, he said, he was able to transform a handful of votes into thousands.

Developers quickly fixed the problem by replacing a file in the tabulation software, but that didn't alleviate Dr. Shamos' concerns. A malicious hacker could easily make the same switch, allowing votes to be changed, he said.

"What control is there over the software package if different files can be swapped in and out?" he asked.

As mentioned, Sequoia officials were predictably quick to dive into spin-control/crisis-management mode claiming they can simply continue to fix the software problems right on up "until just before the election." Said Larry Tonelli, Sequoia's state manager for Pennsylvania and New York:

"We know the hardware is fine. It's been out there for eight or nine years so we're moving ahead with training and shipping machines [to Allegheny County]. The software doesn't need to work until just before the election so we've got time. It's no big deal," he said.

Not sure how such software changes could be testified and certified if they are made "just before the election" -- so we fail to see how this is "no big deal."

Neither do we understand, with the hardware "out there for eight or nine years" how Sequoia failed to find and fix these problems on their own previously. With that in mind, why should they be trusted to get it right just days before an election???

But that didn't stop another Sequoia spokes from blaming everyone else for problems with their own shitty machines, dredging up last week's (literally) excuse from Illinois and, apparently, trying to apply it here:

"The problems are not necessarily inherent in the equipment itself, but in the initial intersection of the new technology and the people who use it," said Sequoia spokeswoman Michelle Shafer.

It's unclear whether Shafer was referring to the problems in Illinois where Sequoia has been blaming poll workers for the fact their machines failed, or whether she's suggesting that the problems Shamos has found have something to do...somehow or another...with "the people who use it." Those "people", in this case, being Shamos who knows how to both use and test -- and now, apparently hack -- Sequoia's Electronic Voting Systems.

