MD Legislators warned of evoting systems, largely unconvinced

[Dave Farber <dave () farber net>]

Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Fri, 14 Nov 2003 08:55:21 -0500
From: tim finin <finin () umbc edu>
Subject: MD Legislators warned of evoting systems, largely unconvinced
To: dave () farber net

Avi Rubin testified at hearings here in Maryland yesterday
on the electronic voting machine controversy.  I'm very
disappointed at how poorly his concerns were received by
state officials and especially disturbed by the reaction
of the director of MD's elections board, who said of
those who raise the issues:

  "I think they're doing a great disservice to democracy.
   They're telling the public: Don't trust them, don't
   trust the voting equipment."

--

Legislators are warned by voting system critic
Expert who found flaws fears they weren't fixed

By Michael Dresser, Sun Staff, November 14, 2003
http://www.sunspot.net/news/local/bal-md.diebold14nov14,0,3307906.story?coll=bal-local-headlines

The Johns Hopkins University computer scientist who identified
security lapses in the voting system Maryland is adopting took his
warnings to Annapolis yesterday, telling legislators he has no
confidence the flaws are being fixed.

Aviel D. Rubin, technical director of Hopkins' Information Security
Institute, criticized the Ehrlich administration's decision to
withhold two-thirds of a consultant's report on problems with the
Diebold voting system from public view. Rubin said that if the flaws
have been fixed there's no justification for secrecy.

"We need to apply pressure on them to release that report," Rubin said
in an interview after his presentation to the House Ways and Means
Committee.

Rubin helped kick off in July what has become a national controversy
when he released a study alleging that an election system produced by
Ohio-based Diebold Elections Systems was fraught with security flaws
that could allow manipulation of election results.

The report was attacked by Diebold, which had been awarded the
contract to supply a statewide touch-screen system for Maryland, but
received support from many other computer scientists. "Our work is not
just some lunatics from Johns Hopkins making some wild statements,"
Rubin told the committee.

Rubin's allegations prompted Gov. Robert L. Ehrlich Jr. to call for an
independent review of the security of the system. The consultant that
reviewed the Diebold system - Science Applications International
Corp. - found there was a "high risk of compromise" but said the
system could be fixed.

Rubin told the lawmakers that Diebold's problems have continued since
he issued his report, noting that California election officials have
refused to certify the system.

Rubin said the Diebold software he examined was vulnerable to an
attack by someone wanting to tamper with an election.

"The skill level needed to hide malicious code is much easier than the
skills needed to find it," he said. "I don't believe there's a
computer scientist or a team in the world that could find it."

Linda Lamone, director of the state elections board, largely dismissed
Rubin's concerns and insisted Diebold had completed all the
recommended changes in its software. She accused computer scientists
of trying to undermine confidence in elections officials.

"I think they're doing a great disservice to democracy," she
said. "They're telling the public: Don't trust them, don't trust the
voting equipment."

Russell Doupnick, the state's deputy chief information officer,
rejected Rubin's call for full disclosure of the SAIC report. He said
officials did not want to provide "a road map to intrude into the
system."

Frank Schugar, SAIC's project manager on the election system, conceded
that Rubin - whom he described as "extraordinarily qualified and more
qualified than I am" - had some valid points.

"Is it easy to hide malicious code in a great big code package?
Absolutely," he said - putting the chance it would go undetected at
99.9 percent.

Schugar said his company does not know whether all 26 vulnerabilities
it found in the Diebold system had been fixed. He said SAIC had
verified three changes had been completed successfully but does not
expect to do a final examination of the system as suggested by Rubin.

Election board officials said another company, BSC Systems of
Churchton, will conduct such a review.

Rubin said yesterday that the original code showed such a lack of
competence that he doubted Diebold had the capability required to fix
the software. However, he said he would be happy to lend his expertise
in determining whether the revised code was secure.

Lamone said the elections board wouldn't take him up on the offer.

"I don't think Diebold would allow it," she said. "It's their
proprietary code."

Del. Jean Cryor, a Montgomery County Republican, said she came to the
briefing thinking Rubin would be a "smart aleck."

"I thought he was far more credible than I thought," she said. "I was
disappointed the [election] administration didn't come forward with
stronger and more focused responses to what his complaints had been
since day one."

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/