Florida E-Voting Study

Florida just recently released another study of the Diebold voting machines. They -- and it was real security researchers like the California study, and not posers -- studied v4.6.5 of the Diebold TSx and v1.96.8 of the Diebold Optical Scan. (California studied older versions: v4.6.4 of the TSx and v1.96.6 of the Optical Scan.)

The most interesting issues are (1) Diebold's apparent "find-then-patch" approach to computer security, and (2) Diebold's lousy use of cryptography.

Among the findings:

  • Section 3.5. They use RSA signatures, apparently to address previously documented flaws in the literature. But their signature verification step has a problem. It computes H = signature**3 mod N, and then compares _only 160 bits of H_ with the SHA1 hash of a message. This is a natural way to implement RSA signatures if you just read a security textbook. But this approach is also insecure -- the report demonstrates how to create a 250-line Java program to forge RSA signatures over (basically) arbitrary messages of their choosing.

  • Section 3.10.3. The original Hopkins report talked about the lack of crypto for network (or dialup) communications between a TSX voting machine and the back-end GEMs server. Apparently, Diebold tried to use SSL to fix the problem. The RABA report analyzed Diebold's SSL usage and found a security problem. Diebold then tried to patch their SSL implementation. This new report looks at the patched version, and finds that it is still vulnerable to a man-in-the-middle attack.

  • Section 3.7.1.1. Key management. Avi Rubin has already summarized some of the highlights.

    This is arguably worse than having a fixed static key in all of the machines. Because with knowledge of the machine's serial number, anyone can calculate all of the secret keys. Whereas before, someone would have needed access to the source code or the binary in the machine.

    Other attacks mentioned in the report include swapping two candidate vote counters and many other vote switching attacks. The supervisor PIN is protected with weak cryptography, and once again Diebold has shown that they do not have even a basic understanding of how to apply cryptographic mechanisms.
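Added example, not code from the Florida report or from Diebold: the Section 3.5 check written out in Python beside a strict PKCS #1 v1.5 verification, showing that the 160-bit comparison never looks at the rest of H. The toy key, the choice of the low-order 160 bits, the sample message and all function names are assumptions; the malformed test signature is made with the toy private key only to exercise the two verifiers.

```python
import hashlib
import hmac

# Toy key constructed for this example only: two well-known public primes
# (both are 2 mod 3, so e = 3 is invertible). Never use such a key for real.
P = 2**448 - 2**224 - 1
Q = 2**384 - 2**128 - 2**96 + 2**32 - 1
N, E = P * Q, 3
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)
K = (N.bit_length() + 7) // 8       # modulus length in bytes

# DER prefix of the SHA-1 DigestInfo structure used by PKCS #1 v1.5.
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def encode_pkcs1_v15(msg: bytes) -> bytes:
    """Full K-byte block: 00 01 FF..FF 00 || DigestInfo || SHA-1(msg)."""
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t


def sign(msg: bytes) -> int:
    """Well-formed signature over msg with the toy private key."""
    return pow(int.from_bytes(encode_pkcs1_v15(msg), "big"), D, N)


def verify_weak(msg: bytes, sig: int) -> bool:
    """The flawed check: H = sig**3 mod N, then compare only 160 bits of H.
    Assumption: the 160 bits compared are the low-order ones."""
    h = pow(sig, E, N)
    low160 = (h & ((1 << 160) - 1)).to_bytes(20, "big")
    return low160 == hashlib.sha1(msg).digest()


def verify_strict(msg: bytes, sig: int) -> bool:
    """Rebuild the complete expected block and compare every byte of H."""
    if not 0 < sig < N:
        return False
    recovered = pow(sig, E, N).to_bytes(K, "big")
    return hmac.compare_digest(recovered, encode_pkcs1_v15(msg))


def malformed_signature(msg: bytes) -> int:
    """Constructed test vector: H has junk where the padding and DigestInfo
    belong, and the correct SHA-1 hash only in its last 20 bytes."""
    block = b"\x00" + b"\x42" * (K - 21) + hashlib.sha1(msg).digest()
    return pow(int.from_bytes(block, "big"), D, N)


def demo() -> dict:
    msg = b"constructed ballot definition file"
    good, bad = sign(msg), malformed_signature(msg)
    return {
        "weak accepts well-formed": verify_weak(msg, good),
        "strict accepts well-formed": verify_strict(msg, good),
        "weak accepts malformed H": verify_weak(msg, bad),
        "strict accepts malformed H": verify_strict(msg, bad),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Because the weak check places no constraint on the bytes above the hash, the set of values it accepts is vastly larger than the single block a correct verifier allows, which is the property the report's forgery relies on.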

Avi Rubin has a nice overall summary, too:

So, Diebold is doing some things better than they did before when they had absolutely no security, but they have yet to do them right. Anyone taking any of our cryptography classes at Johns Hopkins, for example, would do a better job applying cryptography. If you read the SAIT report, this theme repeats throughout.

Right. These are classic examples of problems that can arise if (1) you "roll your own" crypto and/or (2) employ "find and patch" rather than a principled approach to security.

It all makes me wonder what new problems will arise from future security patches.

The good news is that Florida has decided not to certify the TSX at this time. They may try to certify a revised version of the OS (optical scan) system.

Posted on August 6, 2007 at 6:34 AM • 42 Comments

Comments

Ulrich Boche • August 6, 2007 7:20 AM

It strikes me funny that a company that arguably has no clue about implementing cryptography securely is also one of the largest manufacturers of ATMs and similar banking equipment.
--
Ulrich

kyb • August 6, 2007 7:36 AM

As long as poorly created voting machines help those in power, then there will be no change.

If these machines are so easy to compromise, then let's see an election using these machines that is so obviously rigged against the vested interests that they will be forced to abandon them.

Perhaps the best option would be simply for a gang of hackers to find a decent way to DOS them all early on voting day.

Alternatively, the surprising election of a libertarian, or technoliterate write-in candidate (perhaps Mr S?) might make people sit up and take notice.

C Gomez • August 6, 2007 8:24 AM

Voters simply have to demand a return to paper ballots... unambiguous paper ballots. Very easy to count and recount, if they are unambiguous.

When you perforate the holes to be punched, this is not ambiguous.

e-voting is a gimmick that Congress and many state legislatures fell for when they suddenly had billions to spend on "fixing voting".

Voters in the U.S. rarely demand anything, however. They continue to vote for candidates who take no real stands and debate no real issues. That's because, largely, what is happening in government doesn't affect daily life and most people are actually doing okay. Sure, they want more, but they are getting by. It's really the only explanation for why there isn't larger political or civil unrest.

Anonymous • August 6, 2007 8:31 AM

Diebold security audits really raise more questions than answers:

If this is the 'quality' of their election equipment, then how does their banking equipment compare?

If their banking equipment is of similar quality, then why haven't we heard of any of the severe breaches that would be expected to occur given an intersection of money and poor security?

If their banking equipment is secure, then why wasn't that security knowhow used to make secure voting machines?

The elephant in the room, however, is if we really want to trust unauditable voting equipment designed by a company with very close ties to a political party which uses voter disenfranchisement as an electoral strategy.

Anonymous • August 6, 2007 8:34 AM

"largely, what is happening in government doesn't affect daily life"

Until a bridge collapses out from underneath you or you get poisoned by processed foods that were never inspected.

Government matters. Those who believe otherwise are invited to move to Somalia.

LBM • August 6, 2007 8:51 AM

Several years ago I talked to someone at Diebold when I was working on the first Brennan Center report and found that they are primarily (if not solely) concerned with marketing and selling. So it's no surprise that they are giving relatively short shrift to technology and security.

It's short-sighted, because the economics of find and fix are much more costly than proper design, but emotionally it's seductive. It seems more attractive because there's the hope that the number of problems found will be low enough to offset the higher cost of fixes. Problem is that there are so many more problems created through sloppy implementation that even if they are not all found there are enough found to be very costly. And then there's the market perception and image!

LBM • August 6, 2007 9:02 AM

@anonymous, "If their banking equipment is secure, then why wasn't that security knowhow used to make secure voting machines?"

follow the money.

The banks will bust their chops if they're insecure - my day job is infosec for a bank, trust me they've got a strong financial incentive to be secure.

Voting machine specs are political, there's no financial incentive to make them secure, because the pols didn't make it so.

When Congress passed the Help America Vote Act that opened this can of worms (in response to the FL 2000 presidential debacle btw) they assigned responsibility for creating standards for voting machines but did not provide any funding.

Congress did however fund states acquisition of those machines, to the tune of something like $4bbn to $6bbn.

The results were predictable, time to market took precedence over secure designs and bug free implementations. Jurisdictions that tried to demand security were swimming against the tide.

Now the money that was on the table has all been grabbed, so it's time for the mid-life product kickers. Replacing the insecure first generation systems with secure upgrades will provide continuing revenue to the manufacturers. Let's hope that money is spent on technical staff domestically and doesn't go off shore, or mostly to H1Bs.

Gerg • August 6, 2007 9:29 AM

"If their banking equipment is of similar quality, then why haven't we heard of any of the severe breaches that would be expected to occur given an intersection of money and poor security?"

In whose interest would publicizing such breaches be?

Anonymous • August 6, 2007 9:54 AM

"In whose interest would publicizing such breaches be?"

If Diebold's financial equipment is as insecure as its voting equipment, the resulting frauds would be on a scale that would be virtually impossible to cover up. There would be a paper trail in the form of criminal charges and court records where information on the existence of vulnerabilities were disclosed as part of the discovery process.

DBH • August 6, 2007 10:21 AM

MAY THE BEST HACKER WIN!

I love it, let's have the Dems and GOPs hire 'security researchers' instead of mudslingers, opres, etc...

In all seriousness, Bruce, can you start an open source voting machine project? Probably linux based on PC hardware, with VVPT, good use of crypto, clean audit trails, etc?

Bruce Schneier • August 6, 2007 10:54 AM

"In all seriousness, Bruce, can you start an open source voting machine project? Probably linux based on PC hardware, with VVPT, good use of crypto, clean audit trails, etc?"

I don't think it would help. The voting machine selection and purchasing process is far too political at this point. And there is a popular belief that secrecy = security and an open-source voting machine can't possibly be secure.

C Gomez • August 6, 2007 10:59 AM

Why is an open source voting machine even needed?

I think it's been postulated many times that unambiguous voting can be reasonably achieved without involving a single computer.

And it can also be achieved using systems, machines, and devices that have now been sent to the dustbin.

MoveForward • August 6, 2007 11:10 AM

There is no reason that voting can't be done via computers/networks and it can be done faster and cheaper over the long run.

The fact that congress/politicians/whomever was involved with this from the get-go didn't factor security into due to "accountability" is a sham and a travesty.

The fact that some are suggesting we go back to writing in paper ballots simply because of the above reasons -- that might be even a larger disgrace.

Carlo Graziani • August 6, 2007 11:38 AM

Non-anonymous re-post (drat!):

It's been pointed out -- here and elsewhere -- that the reason banking equipment is more secure than voting equipment is that losing track of money results in real financial losses, while losing track of votes results in no such losses.

Perhaps a more effective reform would be to monetize votes, instead of (or perhaps in addition to) writing detailed security protocols for voting machines.

For example, suppose that each State's Board of Elections (or Secretary of State) was legally liable to each voter for $100 in case of miscounted ballot, with funds obligated from their budget. I bet accounting standards for voting machines would then demand much more accuracy in a big hurry.

Rob Funk • August 6, 2007 11:48 AM

To those who think that open source software is the solution to the problem, I direct you to: http://www.openvotingconsortium.org/faq

However, I agree with the others saying that the solution here is not better technology, but rather simpler technology, e.g. pencil and paper and manual counting.

Uncle Moneybag's Nephew • August 6, 2007 12:10 PM

I wrote my Congresswoman asking for legislation that provides voters the right to a physical official ballot which provides the voter the opportunity to review their choices before casting the ballot. The methods for review are either a) the ballot is in human readable form or b) a device is provided at the polling place which can read the ballot and present its contents to the voter in a human readable form (this device must be separate from any device used to assist the voter in preparing their ballot).

If you are a US Citizen please write to Congress about this issue.

I think the paper ballot/optical scan systems used by many districts is very good. Voters mark bubbles on the paper next to candidate names and a scanner (validates the ballot? and) record the votes as the ballot is inserted into the ballot box. The only improvement I'd recommend for such a system is a voting booth with an assistive device allowing a blind voter to prepare a ballot by themselves. An additional booth would allow the blind voter to have their ballot read back to them (separate booths to reduce the risk of a compromised device changing the votes of blind voters).

Uncle Moneybag's Nephew • August 6, 2007 12:20 PM

If the State's Board of Elections were liable to each voter for $100 per vote, the voter would need some way of verifying that their vote were miscounted. That would require that some ballot privacy be revoked. In short secret ballot + all-electronic system = impossible to secure.

jdege • August 6, 2007 1:25 PM

The focus of this discussion seems to be entirely on the crypto, but IIRC, the early reports on the Diebold machines showed grave problems in other areas - like lack of an audit trail of administrative actions, etc.

DBH • August 6, 2007 2:23 PM

@ Rob Funk...

Seems a little skewed since they are asking for $1.2mm, but an interesting approach. I think pencil/paper in fact is also pretty prone to error or 're-interpretation', as is manual counting.

I think it should be possible to have a completely computerized system that would 1) have strong encryption on storage and transmission of results, 2) provide vvpt, 3) provide a receipt of vote that possibly could subsequently be used to verify your vote was counted (but not what it was because of vote-buying issues) using strong hashes, 4) would be accessible, 5) would support robust auditing, signing, and verification of results, 6) use software and ballot version signing and online verification, and 7) would run on relatively inexpensive secure hardware with a high degree of system fault tolerance. No system of computers can prevent all possible tampering, but it should be possible to eliminate any large-scale systematic tampering. Optical scan systems offer these features but compromise some of the convenience of vote counting and aggregation. I think there should be an entirely electronic method with paper trail backup.

nedu • August 6, 2007 2:57 PM

@DBH

The fundamental problem is the requirement for voter confidentiality.

If we assume, without loss of generality, that the votes at a polling place are cast sequentially, and that the votes are tallied sequentially, then we need to randomly permute the casting sequence to create the tallying sequence. (Note, btw, that although in some vague sense 'algorithmic', this is not a Turing computation, because generating a random permutation is not a repeatable calculation. This should be well-known to CSci people.)

In order to assure conservation of the total vote count and counts for each candidate, the randomization process must be extremely simple and robust.

If the ballot randomization process is carried out by a complex subsystem, then we do not know how to verify its correctness.

nedu • August 6, 2007 3:04 PM

P.S. I'm aware of the work of Ben Adida and others. Unfortunately, those people have not been working on the part of the problem that needs solving, they've been working on the part of the problem that's solvable.

The Sarasota election failure has some unpleasant implications for their work.

rob • August 6, 2007 3:30 PM

how is it that Canada can count its paper ballots and compile the results on the evening of an election, and the US can't? the system scales easily, and to my knowledge there has never been an issue with tampering on the scale alleged in US elections.

as a Canadian, i have never waited in line to vote. the system scales easily with population because for a given number of voters, there are a proportional number of volunteers and venues.

it seems to me that arguing about the security of the machines is missing the point. maybe there's a reason that electronic voting is being imposed in the first place that needs to be examined. it's completely unnecessary to automate the system when a simple hand-count is perfectly efficient.

the only good reason i could come up with for electronic voting is environmental (paper wastage), but i doubt that's on the minds of many of the people in the voting-machine business.

Matt from CT • August 6, 2007 3:48 PM

@DBH

And others advocating electronic voting machines

Paper ballots can be understood by a "reasonable man" and can be put before a jury without any expert testimony necessary. Yes, there might be judgement calls -- but we have a legal system designed to decide issues of fact like that. Our canvassing systems in place follow very close parallels to the reasonable man standard.

With mechanical voting machines, a fair amount of the population could readily understand them, and most of the population could be plucked from the street and would understand and see how the machines physically work with a brief amount of training about them. So they are easily verifiable.

You can't say the same about computers. I'd postulate most people lack the aptitude, even if you sent them to college level courses for several years, to properly evaluate their function.

Even among experts, how do you assure the kernel was not subverted during the balloting? Never mind a myriad of other issues.

We can't rely on dumb terminals to central servers; the American style of elections demand short of a natural disaster the election will be held at a specific place, date, and time. Networks are not reliable enough to assure that.

Paper receipts are utterly worthless and truest form of "security theater."

Ok, so there's a difference in the totals.

What do you trust as the accurate count? The total the machine reports, or the total on the receipts the machine printed? We can reasonably expect most people will not pay attention to the receipts.

The "black box" issue with punch hole or optical readers isn't there. Doesn't matter if the software is corrupt on them -- audits will show a large problem, and close election will trigger a recount with different machines used to count the same ballots as well as larger audit samples.

You don't need a jury or reasonable citizens sitting to evaluate what happens inside an optical scanner -- a classroom full of 5th graders are competent to count the ballots by hand and tell you if they match the totals made by the machine. Either they do or they don't and that's all you need to know.

When you depend on the machine to mark the (electronic) ballot as well as produce the receipt...then you need to have extremely high levels of education to make an informed decision on its probable accuracy.

Mechanical voting machines, or preferably with the optical scanners available today provide a simple and reliable system that can be used for voting without relying on black boxes operated by wizards.

Matt from CT • August 6, 2007 4:05 PM

@rob

As I understand it, a typical U.S. ballot has far more items on it than a Canadian.

Complexity very rapidly increases the time it takes to count the ballots.

I don't know if this is typical of Canada, but here's a sample Canadian ballot I googled:
http://www.elections.ca/content_youth.asp?...

Here's the one for my State last November:
http://www.easthamptonct.org/pdf/townclerk/...

And that's ONLY 11 positions x up to 7 candidates each. (That's also a historic artifact as it was the last general election to be done on our mechanical machines -- that ballot represents what you saw in the booth. Pull the lever over the candidate of your choice.)

We can have more positions; and we run into "rules" sometimes like allowing vote for 3 of 5 candidates...so the machines could be setup to allow multiple levers to be pulled in one column as long as all columns for that office did not exceed the total number of open positions.

==========
I'm also not sure on your use of "volunteer" -- typically in my area and AFAIK the rest of the states, the "volunteers" are paid, and costs rapidly escalate when paper ballots have to be counted.

jdege • August 6, 2007 4:07 PM

Seems to me that you can get all of the advantages of computerized voting machines - the immediate feedback, error checking, etc. - with computer terminals that don't keep counts, but simply print optical-readable paper ballots.

Carlo Graziani • August 6, 2007 4:11 PM

@rob:
It's a cultural thing. American faith in technology knows no bounds. In the US, "Solution" is synonymous with "Technology". If there's a high-tech way to do something, be it never so stupid and broken, it will trump the low-tech solution every time.

We also have computer-graded college exams that reward broad shallow learning, intravenous drip machines that perform the task that used to be performed by gravity with equal effectiveness and at a tiny fraction of the cost, and computer/video-assisted sports refereeing aids whose only value to supply extra time for beer commercials. We defend against the terrorist suitcase nuke threat by constructing an ABM system. We rely on faith-based "technological" systems such as polygraphs to screen security risks, and phone record data mining to locate terrorists.

It's easy to proliferate examples, but you get the picture. The fact that voting with a pencil in Ghana is more reliable than voting with a sleek touchscreen machine in the US is neither here nor there. The high technology in the machine is its own justification.

Matt from CT • August 6, 2007 4:19 PM

@jdeg

Why the heck would you use a computer to do what a pen can and mark a ballot?

At least for non-handicapped persons?

jdege • August 6, 2007 4:56 PM

@Matt:

"Why the heck would you use a computer to do what a pen can and mark a ballot?"

Pen and paper can't check to see that you haven't marked two choices for President, or that you've forgotten to vote for Water Conservation District #5.

The only real advantage that computer-based voting terminals have is this sort of immediate validation and feedback.

Everything else that they claim to provide is also provided by mark-sense ballots and optical scanners.

If the immediate validation issue is important - and I'm not prepared to make an absolute claim that it is not - using computer terminals to print mark-sense ballots would provide it.

And, of course, people who didn't feel they needed the hand-holding would be free to mark their ballots with a pen. Which would mean you'd only need a couple of computer voting machines, instead of one for every booth.

rob • August 6, 2007 5:42 PM

@Matt from CT

that's something i hadn't considered. we in canada don't have ballot initiatives - i consider them anti-democratic, but that's a whole 'nuther blog - and elections tend to occur at a single level of government, with fewer positions up for grabs.

i still think that where democracy depends on technology that is beyond the ability of the electorate to understand, "accidents" are bound to happen...

rob • August 6, 2007 5:44 PM

also, yes, that's exactly what a typical Canadian ballot looks like. voting is never more than a 30-second affair.

Anton • August 6, 2007 6:06 PM

It seems to me this whole issue is a wider one of using hardware/software to authenticate people and to sign documents and communications. There needs to be a paradigm shift in the way we communicate and do business. Not until we have electronic authentication (both ways, i.e. the little guy authenticating big corporations not just the other way around) and communication that is binding (via digital signatures) in a way that can easily be upheld in a court of law, does talking about e-voting makes sense. I believe such technology should run behind the scene in an uncomplicated manner and without interfering with the right to remain anonymous or with the right to personal expression in the private realm without being held accountable for it.

Ultimately, we need to address the imbalance generated, when big corporations and government use technology against the small person who has no redress and no way of counteracting their strategy using that same technology to his/her advantage.

Matt from CT • August 6, 2007 8:37 PM

>Pen and paper can't check to see that
>you haven't marked two choices for
>President

Valid point.

If that's the criteria, then you use the mechanical voting machines that Connecticut and much of NY / New England used for over 80 years.

Proven, highly reliable technology that is easily understood, and has *no* black box processes. If you doubt what's happening, open up the back and watch what the levers and gears are doing. There's no need for encryption, worrying about kernel processes, losing electricity, static discharges, etc. There is no dependency on highly educated experts to analyze what's going on -- just a mechanic who can physically show people off the street how the thing works and what happens when the levers are pulled.

OTOH, if you can't figure out that you marked two candidates and need to ask for another ballot, should you be voting? Seriously. It's not a problem for those who submit absentee ballots.

Indeed, while I don't support Vote By Mail as a standard practice (it's too open to potential abuse)...VBM is universal in the State of Oregon and heavily accepted in the State of Washington. And those people do not have the advantage of a machine to detect possible mistakes.

While I can think of other options -- say an optical scanner to verify the technical accuracy of a ballot in the booth...how many people will quickly become frustrated when they DIDN'T want or care to vote in the minor races and the machine is squawking at them that the ballot has problems.

Matt from CT • August 6, 2007 8:53 PM

@Anton

>and communication that is binding (via
>digital signatures) in a way that can
>easily be upheld in a court of law, does
>talking about e-voting makes sense

Mutually exclusive, IMHO.

We have the basic paradox of needing authentication simultaneously strong and anonymous and producing a discrete document (ballot) as its output. I didn't major in Computer Science, but I've got to think that ain't a nut that can be cracked.

In the physical world, Vote By Mail ballots are put in an envelope inside another envelope inside the mailing envelope.

After removal from the mailing envelope, the middle envelope is authenticated against the voter registration card. Hopefully no one reviewed those public records with a digital camera in order to pull off the signature.

The inner envelope is then "dropped in the box" for later counting. Hopefully they're shuffled or otherwise made more random so they can't be associated with the order they were authenticated.

That's a process in the physical world would take multiple people colluding to subvert, and any reasonable man could detect fraud going on with their own eyes and life experience.

Can't do that in a computer.

vanilla • August 7, 2007 2:31 AM

Matt ... I spoke with a county elections official after the voting dispute here in Florida because one of the TV "specials" on the recounts said that if you left a vote blank, the reviewers would "decide for you" who you intended to vote for. He confirmed that this did, indeed, happen in the South Florida vote recounts. I was stunned.

I now understand that I am NOT allowed to leave a voting category blank ... unless I am willing to have my vote decided FOR me if there is a recount. It would be in very bad taste for me to express, accurately, how angry I am about this usurpation of my voting rights. I am just glad that I found out about it ... vanilla


Matt said: "While I can think of other options -- say an optical scanner to verify the technical accuracy of a ballot in the booth...how many people will quickly become frustrated when they DIDN'T want or care to vote in the minor races and the machine is squawking at them that the ballot has problems."

Christoph Zurnieden • August 8, 2007 7:17 AM

@Matt
> We have the basic paradox of needing authentication simultaneously strong and anonymous and producing a discrete document (ballot) as its output. I didn't major in Computer Science, but I've got to think that ain't a nut that can be cracked.

Did you try a bigger nutcracker? ;-)

You can do that by randomly assigning every voter a unique and cryptographically signed ID.
This UID may be constructed with a set of natural numbers {1,...,n}, hashed with a cryptographically strong hashing algorithm together with a truly random number. The uniqueness of the members of the resulting set can be easily checked without compromising the anonymity.
The signature of this UID should be based on public key cryptography and the signing key should be able to be signed itself (like PGP's chain of trust).
But that's a high tech solution for a low tech problem. Each voter gets one ballot only. If the voter erred, he has to mark all positions to delete his decision and gets a new ballot for his old one.
This works for Vote-by-Mail too, but to get a new ballot in case of an error might be time consuming.
Get a magnifying instrument for the visually impaired, cut one edge of the ballot in such a manner that the blind voters are able to know how to put which side of the ballot in which direction under the Braille-mask.
You can even help the illiterate by publishing the ballot some days in advance (It will help a lot more people than just the illiterate, especially if the ballot has the size of a kingsize bedsheet, which seems not very uncommon in the USA).

Electronically aided voting (EAV) has the single advantage that the counting of the votes is correct in contrast to the error prone hand counting if and only if the logic of the electronic counter is correct.
That means that any function beyond the counting of the votes is unneeded and therefore an unnecessary risk which must be avoided.
But it is a good idea to cryptographically secure the communication of the sums to the central. This can and should be done with a little electronic help if and only if these electronics are independent from the EAVs, there has to be an air-gap in between. Otherwise use a dedicated phone line (an all-cable landline). I would prefer the latter.

OK, the above has most probably a lot of holes in it and is based on some hard to reach conditions but I'm quite confident that it is a bit better than the current line of EAVs which seem to be products of a hasty trip to the scrap yard.

CZ

Anonymous • August 8, 2007 11:46 AM

@Carlo Graziani, "...banking equipment is more secure than voting equipment is that losing track of money results in real financial losses, while losing track of votes results in no such losses."

It's even stronger than that. The real financial losses are incurred by the owners of the machinery in the financial industry, directly (the money goes out of their pockets to someone else who benefits from the miscount) or indirectly (they get fined if they miscount to benefit themselves).

In voting the real owners of the machinery are the citizens, the public, although too often public officials distort that by believing (a) that means their position and (b) since they hold the position, it really means them personally.

Worse, the incumbents will suffer financial loss by being voted out of office, so they have incentive to perpetrate or at least tolerate miscounts that are to their benefit.

In politics, the definition of a fair election is one that does not favor anyone else. It's even more fair if it does favor our side!

Doug • August 21, 2007 6:47 AM

California's new Democratic Secretary of State Debra Bowen earlier this month DECERTIFIED virtually all Diebold machines in that vote-rich state. Florida's Republican Secretary of State Kurt Browning meanwhile re-certified very quietly the Diebold machines in that state for use in January 2008 in spite of all troubles especially in Florida.

Is there something partisan at work here???

MrMan • April 16, 2008 12:03 AM

@Ulrich

The difference with ATMs is they are required to use a certified hardware crypto module from a third party and a pinpad complying with the very strict PCI/DSS requirements (again most likely sourced from a third party). All the crypto is done by these "black boxes"; they just connect them together.
