
Microsoft -- No security bulletins for December

Daniel Fleshbourne   on 09 December 2003 - 18:24 · 42 comments & 9958 views

From Technet webcast event email update
Thank you for your interest in tomorrow’s December 10, 2003, Technet Security Webcast: “Information about Microsoft’s December Security Bulletins” – THIS EVENT HAS BEEN CANCELLED due to the fact that Microsoft currently has no security bulletins to release as part of the monthly release cycle for the month of December.

In Microsoft's own words:
"In response to extensive customer feedback, Microsoft is implementing changes in the way security bulletins are released. These changes will help enhance the manageability and predictability of the patch management process for customers. Security bulletins will normally be released on the second calendar Tuesday of every month. However, the first monthly bulletins will be released on Wednesday, October 15, 2003."

That would be fine if there were no outstanding issues...

...but there are - A CHINESE RESEARCHER has discovered 7 new security holes in Internet Explorer and Microsoft is looking into them, or perhaps through them. According to Russ Cooper of TruSecure, two of the holes are critical vulnerabilities which could permit an attacker to remotely execute malicious programs.

So, taking those issues into account, Microsoft's new strategy seems to be: don't release any updates. As usual, we will investigate further to see what Microsoft has to say about the matter.

Update: You can give your response to this situation directly to Microsoft. Mike Nash, Vice President of Microsoft's Security Business Unit (SBU), invites you to join him for a one-hour discussion on security issues with Microsoft products. Come and let Mike know the issues you are facing and ask questions about what Microsoft is doing to improve security in its products on December 11, 2003 at 10:00 A.M. Pacific time.

Download: Chat: Trustworthy Computing with Mike Nash Event Reminder
View: Windows takes seven spots in Symantec's top 10 November flaws
View: Neowin Security Forum
News source: In-house


Ongoing concerns over the security and reporting features of e-voting machines have cast a cloud of uncertainty over the upcoming election season, forcing ballot machine vendors to address a host of complaints over their products amid signs of an escalating voter backlash.

The affected companies say the weaknesses that have been identified to date aren't insurmountable, and most said they expect to fix them on time to meet the HAVA deadlines. But the biggest problem facing e-voting machine vendors may turn out to be political rather than technical, as belated resistance to e-voting systems mounts.

Individual counties in the United States have used electronic voting machines for years, but many voters have only learned about the potential hazards of e-voting recently, through the missteps of one company: Diebold Election Systems of North Canton, Ohio. The company has become a lightning rod for criticism following partisan political statements by its chief executive and revelations of security flaws within its flagship product.

"I think it's been a year of widespread awakening among the American public about the risks of computerized voting," said Kim Alexander, founder and president of the California Voter Foundation. "A huge movement has developed across the nation, with citizen activists joining computer scientists, academics, lawyers, and nonprofits to demand verifiable voting systems."

Get it on paper

Renewed uneasiness over e-voting technology is manifesting itself in new security audits and demands for paper-based recount safeguards. In recent weeks, four states representing nearly a fifth of the U.S. population--California, Maryland, Nevada and Ohio--have taken official steps to re-evaluate the systems or require paper trails.

California enacted a rule that will require the use of a voter-verified paper copy. Ohio commissioned reports detailing security risks of major e-voting machine vendors.

Maryland ordered new reviews of voting machines scheduled for use in its March primary as state senators called for the implementation of paper verification systems. And Nevada awaits the analysis by its gambling auditors of e-voting machines while the secretary of state brings the e-vote debate to the voters in the form of town-hall meetings.

This week, Ohio's secretary of state demanded security fixes from electronic voting machine vendors, and released two reports that detail their shortcomings.

Diebold Election Systems representative David Bear said the surge in scrutiny of e-voting issues was the result of HAVA.

"I would say I think there's heightened awareness as a result of HAVA," Bear said. "All the states are addressing the issue of how they're going to come into HAVA compliance and, doing the right thing, they're involving the general public in that process. Most people did not think about elections except for the dedicated folks who work on election day or day in and day out as elections officers. But the Florida (2000) vote and the subsequent HAVA act put a spotlight on this as an issue."

But others, including Alexander, said the current hand-wringing may have as much to do with high-profile gaffes by Diebold as it does with deadline jitters.

Diebold, which has deployed 33,000 touch-screen voting machines in the United States, first gained notoriety after its chief executive wrote in an August fund-raising letter that he was "committed to helping Ohio deliver its electoral votes to (President Bush) next year."

Asked about the August fund-raising letter, Bear referred a reporter to a news report posted to the company's Web site, in which Diebold CEO Walden O'Dell pledged to curtail his political activities as a result of the controversy.

"I'm not doing anything wrong or complicated, but it obviously did leave me open to the criticism I've received," O'Dell told the Cleveland Plain Dealer. "I've taken it personally; it's very painful, it may have injured our company, and I feel really badly about that."

A month earlier, university researchers failed Diebold machines in a security audit. And last month California launched an investigation after it was alleged that state-uncertified software had been inserted into Diebold machines in Alameda County--a violation, if true, of California election law.

The company earned another sustained round of bad press after it threatened copyright infringement lawsuits against Internet service providers whose subscribers had posted damaging internal e-mail correspondence that called into question the company's security practices.

Faced with a lawsuit by an ISP and subscribers it had threatened, along with a barrage of news reports that further publicized the e-mails' internal gripes about Diebold security, the company backed off the copyright threats--but not before Ohio Congressman Dennis Kucinich, who is seeking the Democratic Party's presidential nomination, called for a congressional investigation of Diebold.

Assessing the risks

Diebold is not alone in fending off criticism of e-voting's alleged shortfalls in advance of the HAVA deadlines.

Ohio Secretary of State J. Kenneth Blackwell on Tuesday published two previously confidential reports: the DRE (direct recording electronic) Security Assessment report commissioned from Raleigh, N.C.-based InfoSentry, and a Technical Security Assessment Report the state commissioned from Detroit, Mich.-based Compuware.

The Compuware report identified 57 potential security risks of varying severity in four different systems.

Blackwell said he would request a deadline extension to comply with the federal Help America Vote Act (HAVA) so that vendors would have time to fix problems with their machines.

"I will not place these voting devices before Ohio's voters until identified risks are corrected and system security is bolstered," Blackwell said in a statement. "Fortunately, all of the documented risks will be expeditiously corrected by each of our voting machine manufacturers."

Ohio had intended to start using electronic voting machines in March, but Blackwell now wants to wait until August special elections.

Meanwhile, the four vendors surveyed in both reports will have to prepare for another round of inspections by the consultants. In some cases, the secretary of state said, changes in the software will require new certification by the state and federal governments.

The Ohio studies examined three voting systems in addition to Diebold's AccuVote-TS: Election Systems and Software's iVotronic, Hart InterCivic's eSlate 3000, and Sequoia Voting Systems' AVC Edge. All four passed a summer evaluation process by the state that examined the companies and their products, with the caveat that they would have to undergo subsequent security evaluations.

Provided that the system vendors pass another security audit, Ohio counties will be able to consider them.

In response to the publication of Ohio's reports, Diebold said it had already fixed the problems in response to similar complaints by the state of Maryland.

"The areas identified by the secretary of state are the same types of items that were identified and addressed by Diebold Election Systems in Maryland," Mark Radke, director of voting industry for Diebold, said in a statement. "We are confident that the mitigation actions we will take--which have already been used in municipal Maryland elections--will achieve the secretary of state's goals and provide accurate and reliable election results."

Sequoia also said it was well on its way to satisfying Ohio's demands.

"We've already made a number of the recommended changes," Sequoia spokesman Alfie Charles said in an interview. "And we'll be making the balance of them and welcome the secretary's leadership in conducting that type of review so that the entire industry can give voters the confidence they need in their voting technology."

ES&S issued a statement that said it was still analyzing the reports but was confident it could resolve the problems they identified before Ohio's special elections in August 2004. A representative of Hart InterCivic said the company was "pleased to address" risks identified in the reports, while noting that the bulk of problems reported about its systems were deemed "low risk."

"We're working on plans to address them, and it's our intention to be substantially more aggressive in this area than the reports would require," company representative Bill Stotesbery said.

In Carson City, Nev., Secretary of State Heller was preparing on Thursday to conduct a Washoe County town hall meeting with elections officials to address voters' concerns about the machines. In the coming week the state will choose between Sequoia and Diebold machines. Counties that prefer Diebold are wrangling with Clark County--home to Las Vegas and 70 percent of Nevada's population--which has been using Sequoia machines for 10 years.

To help sort through the security analysis, Heller has asked the state's Gaming Control Board to offer its opinion of the machines and expects to get the results of that survey in the next few days.

"There's not a whole lot of people smarter at stopping hacking than in the gaming industry," observed Steve George, a representative for the secretary of state.

In California, Secretary of State Kevin Shelley set a July 2006 deadline for all counties and cities to provide touch-screen voting systems that provide what is known as a voter verified paper audit trail. The paper receipt is meant as a safeguard in case questions are raised about the validity of an electronic vote. Under the policy, counties and cities will be prohibited from buying systems without the paper audit trail starting July 1, 2005.

Paper verification has become a rallying cry for technology watchdog groups and voting rights advocates, who cheered Shelley's decision.

"The recent decision by our secretary of state to require voter-verified paper trails no later than 2006 is a sign we've turned a corner," said CalVoter's Alexander. "And I think and hope that other states will look at California's decision as a sign of where the technology is going, and will follow our lead."

#1 vetMr magoo on 09 Dec 2003 - 18:30
For all people interested in finding out about this stuff - I suggest you sign up for the Full-Disclosure mailing list.

http://lists.netsys.com/mailman/listinfo/full-disclosure
(1 reply) #2 Thalid on 09 Dec 2003 - 18:32
Maybe not security related, but what about the bug where Windows can take 3-5 min to shut down (I mean the bug where they were going to put the Longhorn files)?
#2.1 Mike Dimmick on 09 Dec 2003 - 22:06
Known problem: if a program has a registry key open, Windows cannot unload your profile. It keeps trying for quite some time. It normally means that a service program has done this, because user processes are either closed gracefully or terminated before the session is ended.

If this is Windows 2000, it might be due to changing printer settings - upgrade to SP4 if you haven't already done so.
(1 reply) #3 OptiPlex on 09 Dec 2003 - 20:30
WTF????
#3.1 leebobs on 10 Dec 2003 - 22:03
Maybe, this means everyone is working on SP2 and not on patches??? Maybe they have skipped a month to close the Patches contained in SP2???
#4 brew crew on 09 Dec 2003 - 20:46
figures
(1 reply) #5 xStainDx on 09 Dec 2003 - 20:48
No Security Issues. wow.
#5.1 Voodoo on 09 Dec 2003 - 20:51
you're out of a job now
(3 replies) #6 VikingStorm on 09 Dec 2003 - 20:51
Bravo Microsoft... Bravo...
#6.1 roadwarrior on 10 Dec 2003 - 01:26
Bravo?? You are cheering them for NOT releasing any security updates when there are KNOWN security problems?
#6.2 memodude on 10 Dec 2003 - 02:25
...sarcasm?
#6.3 Godzilla on 10 Dec 2003 - 10:36
...idiocy
#7 xGarrett on 09 Dec 2003 - 21:00
Hurry! Someone! Make a virus!
#8 chadknight on 09 Dec 2003 - 21:06
Okay, so let me get this straight: if I have done all my security updates and so on and so forth, then I have nothing to fear from the internet at large? I really cannot believe that. So is Bill going to upload a super virus into all our computers on Christmas? Oh wait, Longhorn does not come out till 2005!
(10 replies) #9 ChefJoe on 09 Dec 2003 - 22:15
Great, I've been waiting for a fix to this annoying bug introduced by their bugfix.

http://forums.winxpcentral.com/showthread.php?t=7807&foo=New%20Microsoft%20Patches%20Causing%20Problems.%2011--17

http://www.eweek.com/article2/0,4149,1382912,00.asp

The Cumulative Security Update for Internet Explorer, which addresses numerous security flaws in Internet Explorer 6, introduces bugs involving the scrollbar. After the patch is applied, the page scrolls up or down twice when the user clicks once in the empty areas of the scrollbar. Clicking on the scrollbar arrows or dragging the scrollbar thumb works correctly.
#9.1 gameguy on 09 Dec 2003 - 23:15
I just tried this, and indeed it does happen the way you say. But I happen to like it and find it more of a feature than a bug. It's more like a "scroll to here" click than a "scroll down" click...
#9.2 WishX on 10 Dec 2003 - 00:01
Microsoft is touting this as a "revamped undocumented feature", not a bug. That is, they meant to do it. Yes, I know it's annoying... but they wanted it that way so they changed it.
#9.3 rseiler on 10 Dec 2003 - 01:28
Exactly where did MS "tout" this? The only comment I've seen on the matter is in the support newsgroups, where all they say is that they're aware of it and looking into it. There is absolutely no way MS is silently going to refine the way scrollbars have worked since the 1980's in a security update. It couldn't have been intentional, and logic dictates it will be fixed.
#9.4 gameguy on 10 Dec 2003 - 06:16
No, I actually like this.
#9.5 rseiler on 10 Dec 2003 - 06:32
It doesn't matter. It's inherently confusing (waaaaaay too subtle to be blindsided by) and a support nightmare to make a change like this. They might make it optional, but not mandatory.
#9.6 Jon on 10 Dec 2003 - 11:04
If that is confusing your users, then I suggest training is required. A scroll bar isn't a tricky thing to use.
#9.7 roadwarrior on 10 Dec 2003 - 12:32
QUOTE (#9.6)
If that is confusing your users, then I suggest training is required. A scroll bar isn't a tricky thing to use.


But when the way it works CHANGES after working the same way for years, that can easily confuse people.
#9.8 Jon on 10 Dec 2003 - 15:53
I honestly think if a user can't adapt to something so simple then maybe they should be working at McDonalds, but I see your point.
#9.9 ChefJoe on 10 Dec 2003 - 20:14
If they redesigned it to be a "scroll to here" feature, fine... I'd accept that. The trick is that if you have a really long page (this one for example) and you click in a blank scroll area far below the scroll bar (draggable part), it used to jump just far enough that you could continue reading (a la "page down"). Now, it doesn't scroll as far as where you clicked, it just scrolls as if you did two of the previous operations (2 "page downs").

From the eweek site's links to additional issues :

QUOTE
Ok, I've got one to add to the known scroll bar / double scroll problem, that's nearly as annoying. Now, when you have selected (say, for copying) some text on a web page with the mouse, and then use the mouse to move the scrollbar, the selected text becomes unselected! Used to be that you could scroll twelve pages down and back up, and the text would still be "blue".


ALSO
QUOTE
After installing IE update Q824145 I get an 'Access Denied' error message when using the window resizeBy, resizeTo, moveBy or moveTo functions. Before this update they worked fine. To recreate load the following HTML page in your browser, put focus in the text object, and then click on the button. No error occurs if you tab onto the button first and then click it.
#9.10 rseiler on 10 Dec 2003 - 20:55
Agreed: It's not what people think what it is, and when factoring in the couple other side-effects of the update (which can't possibly be construed as intentional), we have more evidence of it simply being a bug. Not to mention that this new behavior doesn't even apply to all Windows applications. That cinches it.
(1 reply) #10 Mike Dimmick on 09 Dec 2003 - 22:18
Did anyone actually try the Chinese researcher's seven exploits?

If they're the ones Secunia are reporting, note that this page hasn't been updated since early October. I just tried it now with last month's patch [824145] applied (IE 6.0 on XP SP1) and none of the exploits work.

Maybe they do work in other versions, but not this one.
#10.1 Mike Dimmick on 09 Dec 2003 - 22:55
Replying to my own comment: there were more vulnerabilities that I missed before. Some of these exploits still work.
#11 Mr. Black on 10 Dec 2003 - 01:55
With all the holes you have to be kidding...
(4 replies) #12 Dwarden on 10 Dec 2003 - 06:31
Nah, someone should make a virus through these holes which does something useful (like calculating seti@home, primes, folding, ud or similar)... just imagine millions of infected computers DOING something useful for humanity... instead of just crashing them all day...
#12.1 Jon on 10 Dec 2003 - 11:05
As I keep telling people, MSBlast wasn't written to reboot PCs, that was an unwanted side effect.
#12.2 werejag on 10 Dec 2003 - 11:24
Just imagine millions of infected computers DOING something useful for humanity, like maybe cataloguing all our porn, or finding travel info to Starbucks.
#12.3 roadwarrior on 10 Dec 2003 - 12:30
QUOTE (#12.1)
As I keep telling people, MSBlast wasn't written to reboot PCs, that was an unwanted side effect.


How would you know what the intentions of the MSBlast writers were? Did you write it? Even so, just because one virus wasn't intended to crash (note, no one said "reboot") computers, doesn't mean others weren't.
#12.4 Jon on 10 Dec 2003 - 13:42
QUOTE
How would you know what the intentions of the MSBlast writers were? Did you write it?


Common sense and research.
(1 reply) #13 cork1958 on 10 Dec 2003 - 14:03
No security fixes? Why am I seeing this "Security Update for Windows XP KB810217" on 2 of my systems that I've been on since yesterday? And then there is NO page found referencing the KB number? I think I'm seeing right?!!
I have Windows XP Pro and there is a Microsoft FrontPage folder in my Programs folder. Have never even looked at it, until just now. Granted, not much of an update, but............

Last edited by 17953 on 10 Dec 2003 - 14:46
#13.1 Thalid on 10 Dec 2003 - 17:01
Searched MS and nothing on 810217.
#14 forster on 10 Dec 2003 - 14:51
AAARR ME HARTIES...

Microsoft should walk the plank !!!
(1 reply) #15 Midnight Mick on 10 Dec 2003 - 17:58
I HATE STICKY NEWS!!!
I thought Neowin hadn't posted anything else for the last day... !
#15.1 oggiethefroggie on 10 Dec 2003 - 23:05
same...
(2 replies) #16 mtnsteve on 10 Dec 2003 - 18:55
I just got a Security Update for Windows XP (vanilla version) KB810217

Seems to be FrontPage Server Extensions thingy


#16.1 HoriZon-UK on 10 Dec 2003 - 20:01
I too have this now showing on "Windows Update". What is it? I don't use FrontPage Server Extensions.

I also had a WI-FI update as well but it wasn't critical and I don't have WI-Fi.
#16.2 RickFriedman on 10 Dec 2003 - 20:59
Apparently, it's a legitimate update. The same questions were raised about it today on the microsoft.public.windowsupdate newsgroup. A rep from Microsoft answered the questions saying:

"Yesterday we made changes to the detection for this update and that's why Windows Update is offering the update today."

If you have the file:

C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin\fp4autl.dll

then you need the update.

Before I ran the update, I had version 4.0.2.6513 of this file. After running the update, I had version 4.0.2.7523.

Rick
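As an added example (not from Rick's post or from Microsoft), a PowerShell check for the file and version Rick describes: the path and the two version numbers 4.0.2.6513 / 4.0.2.7523 come from his comment; the function name, the parameter layout and the Program Files (x86) fallback for 64-bit hosts are assumptions.

```powershell
function Test-Fp4autlUpdate {
    # Hypothetical helper name. Returns a small object describing whether the
    # FrontPage Server Extensions DLL is present and whether it is still at a
    # pre-KB810217 version (anything below 4.0.2.7523, per Rick's comment).
    param(
        [string]$Path = 'C:\Program Files\Common Files\Microsoft Shared\web server extensions\40\bin\fp4autl.dll',
        [System.Version]$PatchedVersion = [System.Version]'4.0.2.7523'
    )

    # Assumption: on 64-bit Windows the 32-bit extensions live under Program Files (x86).
    $candidates = @($Path, ($Path -replace '^C:\\Program Files\\', 'C:\Program Files (x86)\'))
    $found = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1

    if (-not $found) {
        # No DLL means FrontPage Server Extensions are not installed, so the
        # update does not apply (Rick: "If you have the file ... then you need the update").
        return [pscustomobject]@{ Present = $false; Path = $null; Version = $null; NeedsUpdate = $false }
    }

    # Build the version from the numeric parts rather than the free-text
    # FileVersion string, which vendors sometimes pad with extra text.
    $vi = (Get-Item -LiteralPath $found).VersionInfo
    $fileVersion = New-Object System.Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    return [pscustomobject]@{
        Present     = $true
        Path        = $found
        Version     = $fileVersion
        NeedsUpdate = ($fileVersion -lt $PatchedVersion)
    }
}

# Usage: report in plain words so the result can be pasted into a thread like this one.
$result = Test-Fp4autlUpdate
if (-not $result.Present) {
    Write-Output 'fp4autl.dll not found: FrontPage Server Extensions not installed, KB810217 not needed.'
} elseif ($result.NeedsUpdate) {
    Write-Output "fp4autl.dll is $($result.Version) at $($result.Path): older than 4.0.2.7523, apply KB810217."
} else {
    Write-Output "fp4autl.dll is $($result.Version): update already applied."
}
```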
#17 Darken on 10 Dec 2003 - 23:50
QUOTE
A CHINESE RESEARCHER has discovered 7 new security holes in Internet Explorer


Solution: Mozilla
