Matt Blaze's
EXHAUSTIVE SEARCH
Science, Security, Curiosity
The best defense
Ad hominem security engineering.

California Secretary of State Debra Bowen's decision on the fate of her state's voting technology was announced just before midnight last Friday. The certifications of all three reviewed systems (Diebold, Hart, and Sequoia) were revoked and then re-issued subject to a range of conditions intended to make it harder to exploit some of the problems we found in the security review (see previous entry in this blog). The certification of a fourth system, ES&S, was revoked completely because the vendor failed to submit source code in time to be reviewed.

Whether the new conditions are a sufficient security stopgap and whether the problems with these systems can be properly fixed in the long term will be debated in the technical and elections communities in the weeks and months to come. How to build secure systems out of insecure components is a tough problem in general, but of huge practical importance here, since we can't exactly stop holding elections until the technology is ready.

But that's not what this post is about.

The traditional role of the vendors in cases like this, where critical products are found to be embarrassingly or fatally insecure, is to shoot the messengers. The reaction is familiar to most anyone who has ever found a security flaw and tried to do the right thing by reporting it rather than exploiting it: denials, excuses, and threats.

Occasionally, though, a company will try to look "responsible" by employing a different strategy, acknowledging -- and perhaps even actually correcting -- the underlying problems. This should be understood as nothing more than a transparent attempt to pander to customers by wastefully improving the security of otherwise perfectly good products. These naive organizations -- a tipoff is that they're often run by engineers rather than experienced business people -- do enormous damage by shirking their public relations duty to the community as a whole. Fortunately, this kind of unsophistication is rare enough not to have been much of an issue in the past, although in some circles, it is becoming worrisomely commonplace.

To help vendors focus on their obligations here, Jutta Degener and I present Security Problem Excuse Bingo. Usual bingo rules apply, with vendor press releases, news interviews, and legal notices used as source material. Cards can be generated and downloaded from www.crypto.com/bingo/pr

Because we follow all industry standard practices, you can rest assured that there are no bugs in this software. We take security very seriously.