Machines à voter : Diebold, 12345678

Hier, le Secrétaire d’État de Californie a rendu public un rapport d’analyse du code source des logiciels utilisés sur les machines à voter de la compagnie Diebold.

On y apprend entre autre que la compagnie utilise des mots de passe “hard-coded” (inscris directement dans le code source). La version actuelle du logiciel utiliserait deux mots de passe imbriqués dans le code : “diebold” et “12345678”. Chapeau !

“It is interesting (at least to me as a computer security guy) to see how often the three companies made similar mistakes. They misuse cryptography in the same ways: using fixed unchangeable keys, using ciphers in ECB mode, using a cyclic redundancy code for data integrity, and so on. Their central tabulators use poorly protected database software. Their code suffers from buffer overflows, integer overflow errors, and format string vulnerabilities. They store votes in a way that compromises the secret ballot.

Some of these are problems that the vendors claimed to have fixed years ago. For example, Diebold claimed (p. 11) in 2003 that its use of hard-coded passwords was “resolved in subsequent versions of the software”. Yet the current version still uses at least two hard-coded passwords — one is “diebold” (report, p. 46) and another is the eight-byte sequence 1,2,3,4,5,6,7,8 (report, p. 45).”

Voilà qui devrait en intéresser certains !

Laisser un commentaire