cj#350> re: spying trapdoors & voting


Richard Moore

Date: Mon, 18 Dec 1995 11:08:46 -0800
Sender: Ernest Hua <•••@••.•••>
Subject: Re: (resend) cj#341> CIA, drugs and spying trapdoors

> It reminds me of a story I read in the SF press a few months prior to the
> Nicaragua elections in which the Sandinista's supposedly lost.  It seems an
> NSA team raided an East Bay company that writes the vote-counting software
> used almost everywhere.  The NSA was purportedly checking for trapdoors --
> to keep us all safe.  What more perfect opportunity to _emplant_ a
> trapdoor, when you've got the software all taken apart on the auditor's
> table?  Needless to say, no one audited the Nicaragua voting equipment for
> trapdoors.  Word on the street is they're damn difficult to detect anyway,
> if properly installed.

Let's not get way too ahead of ourselves, shall we?  While I would not
trust the NSA (or CIA or FBI) with a 10-foot pole on the issue of
trapdoors, it would be a serious mistake to insist that a detailed audit
is a good time to quickly insert some snippet of code to enable some

Inserting new, unintended code into a program you are not necessarily
familiar with is very difficult to do right.  Even the NSA does not
have super-brilliant and absolutely infallible software engineers.

Then there is the question of source code controls which just about
every serious software developer has in some form or another these days.
It's kind of hard to sneak something in if you know what it looked like
in the previous release, and you did not authorize that change.

There are lots of other reasons and I could go on forever.  Not that I
am advocating that the NSA would NOT try to insert a trapdoor, but
you've got to be more careful about arbitrarily raising suspicions where
it's not that technically plausible.

It is much easier to insert trapdoors with the help of someone on the
inside.  An audit session is just not all that good of an opportunity.



Dear Ern,

The main point really, for me, was simply the realization that systematic
vote-manipulation (with computerized counting) is just a matter of
installing intruder software.

The NSA/CIA or whichever obviously has the access, resources, and
capability to accomplish such an intrusion, by one means or another.  Yes
they would undoubtedly use an inside agent, and the "audit" may have been
incidental -- but it illustrated how wholesale access to a premises (with
the employees locked out?) could be arranged when necessary.  Conceivably,
the "audit" might have provided the opportunity to retro-infect all backup
copies, to be in synch with code developed earlier by the inside agent,
plus the opportunity to clean up any tracks that may have been left lying

I'm not putting this forth as an allegation or even a theory, it's just a
speculative possibility.  But it does give one pause, when you think back
to all the media hype the U.S. created around those elections, the
embarrasment they would have suffered if the Sandinista's had won, and the
unliklihood that a majority of Nicaraguans would really have voted for
CIA-backed candidates.



 Posted by Richard K. Moore (•••@••.•••) Wexford, Ireland
 •••@••.•••  | Cyberlib=http://www.internet-eireann.ie/cyberlib