NHNE News List
Current Members: 925
Subscribe/unsubscribe/archive info at the bottom of this message.
MARYLAND: E-VOTING PASSES MUSTER
By Kim Zetter
September 25, 2003
Maryland election officials released a highly anticipated report Wednesday
that examines the security of Diebold Election Systems' touch-screen voting
Despite a summary in the report that states the Diebold system used in
several state elections is "at high risk of compromise," the election
officials and representatives of the company that wrote the report said they
now have confidence in the Diebold system, and the state will proceed with
its $55.6 million contract to purchase the machines.
votingsystemreportfinal.pdf), prepared by Science Applications International
(SAIC), offered an "action list" of 23 items for securing the machines.
Six of those items have already been implemented, according to David Heller,
project manager for Maryland's board of elections. These include applying
encryption to the process of transferring votes from voting machines to
state servers via modem and altering Diebold's software so that votes in the
system could not be matched to the names of voters.
The remaining items on the list include policies and procedures that the
state must implement, such as training for election workers. Assuming those
changes are made, officials said the Diebold systems will be ready to use in
next year's primary in March.
Gilles Burger, chairman of the board of elections, called the report "the
most robust information-system risk assessment ever conducted in the nation
for election systems."
"We remain very comfortable with the voting system, and that the state board
of elections is developing and will fully implement proper procedures safely
that will allow Marylanders to have complete and total confidence in the
integrity of the system," said Jim Pettit, spokesman for the board of
But Avi Rubin, who detailed security problems with the Diebold software in
an earlier report (http://avirubin.com/vote.pdf)
, said the audit itself
paints a more disturbing picture than what state officials and SAIC were
saying about it in public comments.
It was Rubin's report, written with colleagues at Johns Hopkins and Rice
University, that prompted Maryland's governor to call for the SAIC audit of
the Diebold software.
Rubin, who read the redacted version of the report, said, "I'm very happy to
see this report, and I think it validates our work. But my concern remains
that Maryland, instead of responding with a sense of urgency, seems to be
looking for ways to move ahead with Diebold despite this report.
"The Maryland plan of action is seriously out of whack with the SAIC risk
assessment," he added. "This is a system with serious problems. I would
expect them to suspend plans to use the Diebold machines until SAIC releases
a report that says the system is safe to use."
Rubin said elections in states that have already used these systems were
open to compromise. These include Georgia, which used more than 20,000 of
the Diebold machines in its gubernatorial election last November, as well as
counties in Maryland and California.
SAIC officials took into consideration the issues raised in Rubin's report
but said that most of his concerns could be satisfied simply by
disconnecting servers in the voting system from the Internet.
The report also said Rubin's research didn't take into account other
security measures used by election officials to prevent unauthorized access
to voting machines.
"While many of the statements made by Mr. Rubin were technically correct,"
SAIC auditors wrote, "the State of Maryland's procedural controls and
general voting environment reduce or eliminate many of the vulnerabilities
identified in the Rubin report."
The report added, however, that even taking into consideration voting
controls and procedures, the Diebold system did not "meet the standard of
best practice or the State of Maryland Security Policy."
Pamela Woodside, chief information officer for Maryland's board of
elections, said the Diebold technology must now be recertified before it can
be used in an election. That process is already underway. Wyle Laboratories
and Ciber, the independent authorities that originally tested the Diebold
system, are doing the certification.
But Rubin questioned the wisdom of returning a system to the same
authorities that originally certified it. "If the certification process
didn't catch these security problems, why should we believe that the same
certification process will work to ensure that these problems are
The certification process itself has long raised questions among security
professionals about the voting system standards.
Heller said the Federal Election Commission standards, by which
certification agencies judge voting systems, have never required systems to
be secure, he said. "They've only addressed issues about the reliability of
the systems to count votes accurately."
He said this has not been changed because state and local authorities, who
run elections -- including presidential elections -- don't have the
authority to demand security standards from the federal government.
Woodside said that while Wyle and Ciber are certifying the system, SAIC is
reviewing the revised code to ensure that Diebold's changes to the software
solve the security problems.
Rubin remains skeptical. He said encryption problems in the system would
have required Diebold to rewrite the software from start. "They clearly have
a very naive concept of how long it takes to fix software and to replace
it," he said.
Although the SAIC audit was completed only two weeks ago, Heller said the
company began working on fixes back in July when Rubin's report first
appeared. "They've had two months to accomplish it."
"I don't think they could fix these problems in five months," said Rubin.
"You cannot fix these kinds of software problems that quickly."
PREVIOUS NHNE NEWS LIST ARTICLES:
MORE NEWS ON VOTING MACHINE CONTROVERSY (8/31/2003):
ELECTRONIC VOTING MACHINES FACE AUDIT (8/12/2003):
VOTING SOFTWARE COULD ALLOW BALLOT FRAUD ON A MASSIVE SCALE (7/26/2003):
HOW TO RIG AN ELECTION IN THE UNITED STATES (7/10/2003):
LEGISLATION INTRODUCED TO REQUIRE ALL VOTING MACHINES TO PRODUCE PAPER TRAIL
VOTING MACHINES THAT LEAVES PAPER TRAILS (5/10/2003):
CONTROLLING ELECTIONS THROUGH VOTING MACHINES (5/7/2003):
NHNE News List:
To subscribe, send a message to:
To unsubscribe, send a message to:
To review current posts:
Published by NewHeavenNewEarth (NHNE)
NHNE Website: http://www.nhne.com/
Phone: (928) 282-6120
Fax: (815) 346-1492
Appreciate what we are doing?
You can say so with a tax-deductible donation:
P.O. Box 2242
Sedona, AZ 86339