Information Security News mailing list archives

Ehrlich Orders Voting System Security Study


From: InfoSec News <isn () c4i org>
Date: Thu, 7 Aug 2003 02:35:05 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://www.washingtonpost.com/wp-dyn/articles/A25673-2003Aug6.html

By Brigid Schulte
Washington Post Staff Writer
Thursday, August 7, 2003; Page B01 

Maryland Gov. Robert L. Ehrlich Jr. (R) yesterday asked a contractor 
with expertise in computer security to review the electronic voting 
machines that the state recently agreed to purchase for up to $55 
million and plans to put in every precinct before the 2004 election. 

The review comes two weeks after computer scientists at Johns Hopkins 
University said the voting system was so flawed that a 15-year-old 
hacker could tap into the software and tamper with election results. 

Based on Ehrlich's request, Science Applications International Corp. 
will write a risk assessment of the possibility of election fraud 
after examining the hardware and software of the touch-screen machines 
manufactured by Ohio-based Diebold Election Systems Inc. SAIC also 
will review state and local election procedures to evaluate the 
security of the entire voting system, state officials said. 

"Government has no more fundamental obligation than to ensure the 
integrity of the democratic election process," Ehrlich said in a 
statement. 

The governor's spokeswoman, Shareese N. DeLeaver, said: "The state 
will take whatever steps are necessary to ensure that these machines 
are checked, remedied, and any errors found are minimized to ensure 
voter confidence on Election Day. If [SAIC researchers] find there are 
no concerns, the sale will go forward. If not, then we'll go back to 
the drawing board and renegotiate." 

In the two weeks since its release, the Johns Hopkins report has hit 
like a bomb, with some state and local jurisdictions putting off plans 
to buy electronic equipment. Diebold spokesman Mike Jacobsen said 
company officials have been flying across the country, reassuring 
nervous election officials that all is well. 

"I hope that this independent study will help put some people's fears 
to rest," said Gilles W. Burger, chairman of the Maryland State 
Election Board. 

SAIC is an internationally known scientific engineering and technology 
company based in San Diego. It and its subsidiaries have 
multimillion-dollar contracts with, to name a few, NASA and the 
Department of Defense, and even with the government of Greece to 
provide computer security for the 2004 Olympic Games. Since June 2002, 
SAIC has been working under a $2.6 million consulting contract with 
Maryland to review its information technology systems, DeLeaver said. 
Reviewing the Diebold machines will be covered by the existing 
contract. 

While some election officials dismiss the Hopkins report as 
"technological hysteria," saying it did not take into account all the 
human security that election workers provide, others voice concern 
that it will undermine faith in elections and further depress voter 
turnout. 

Montgomery County Council member Howard A. Denis (R-Potomac-Bethesda) 
is so upset that he is calling for a meeting of the Hopkins 
scientists, state election officials and the council. If he's not 
satisfied, he said he will consider asking the state for a waiver, to 
take the Diebold machines that were used in the county's 2002 election 
out of circulation. "I don't want a situation where some 15-year-old 
kid could elect Ben Affleck to county executive," Denis said. "I'm 
very concerned about this. It goes to the heart of the integrity of 
our elections." 

In their report, Avi Rubin, technical director of Johns Hopkins's 
Information Security Institute, and his colleagues analyzed a Diebold 
software "sourcecode" that had been mistakenly stored on a public 
Internet site. The security flaws, they said, were "stunning," from 
hard-wiring one password into the code that would work on all machines 
-- making the system vulnerable to sabotage -- to relying on smart 
cards that could be easily duplicated in "homebrew" cards and used to 
vote multiple times. 

Diebold, with 55,000 such machines throughout the country, maintains 
that the code Rubin analyzed is old and that much of it has never been 
used in elections. In a 27-page point-by-point rebuttal, Diebold has 
challenged many of the findings and has called the Hopkins report 
faulty and erroneous. 

Rubin and Diebold officials said they welcomed the SAIC review. 

"If the result of our study is that SAIC examines this, then that's an 
excellent outcome," Rubin said. 

"We've got confidence in our system," Diebold's Jacobsen said. "We 
take these concerns seriously. And we're willing to take the 
appropriate steps with the right folks so that voters have a comfort 
level that things are done right." 


 