[ISN] Ehrlich Orders Voting System Security Study

From: InfoSec News (isnat_private)
Date: Thu Aug 07 2003 - 00:35:05 PDT

    Forwarded from: William Knowles <wkat_private>
    
    http://www.washingtonpost.com/wp-dyn/articles/A25673-2003Aug6.html
    
    By Brigid Schulte
    Washington Post Staff Writer
    Thursday, August 7, 2003; Page B01 
    
    Maryland Gov. Robert L. Ehrlich Jr. (R) yesterday asked a contractor 
    with expertise in computer security to review the electronic voting 
    machines that the state recently agreed to purchase for up to $55 
    million and plans to put in every precinct before the 2004 election. 
    
    The review comes two weeks after computer scientists at Johns Hopkins 
    University said the voting system was so flawed that a 15-year-old 
    hacker could tap into the software and tamper with election results. 
    
    Based on Ehrlich's request, Science Applications International Corp. 
    will write a risk assessment of the possibility of election fraud 
    after examining the hardware and software of the touch-screen machines 
    manufactured by Ohio-based Diebold Election Systems Inc. SAIC also 
    will review state and local election procedures to evaluate the 
    security of the entire voting system, state officials said. 
    
    "Government has no more fundamental obligation than to ensure the 
    integrity of the democratic election process," Ehrlich said in a 
    statement. 
    
    The governor's spokeswoman, Shareese N. DeLeaver, said: "The state 
    will take whatever steps are necessary to ensure that these machines 
    are checked, remedied, and any errors found are minimized to ensure 
    voter confidence on Election Day. If [SAIC researchers] find there are 
    no concerns, the sale will go forward. If not, then we'll go back to 
    the drawing board and renegotiate." 
    
    In the two weeks since its release, the Johns Hopkins report has hit 
    like a bomb, with some state and local jurisdictions putting off plans 
    to buy electronic equipment. Diebold spokesman Mike Jacobsen said 
    company officials have been flying across the country, reassuring 
    nervous election officials that all is well. 
    
    "I hope that this independent study will help put some people's fears 
    to rest," said Gilles W. Burger, chairman of the Maryland State 
    Election Board. 
    
    SAIC is an internationally known scientific engineering and technology 
    company based in San Diego. It and its subsidiaries have 
    multimillion-dollar contracts with, to name a few, NASA and the 
    Department of Defense, and even with the government of Greece to 
    provide computer security for the 2004 Olympic Games. Since June 2002, 
    SAIC has been working under a $2.6 million consulting contract with 
    Maryland to review its information technology systems, DeLeaver said. 
    Reviewing the Diebold machines will be covered by the existing 
    contract. 
    
    While some election officials dismiss the Hopkins report as 
    "technological hysteria," saying it did not take into account all the 
    human security that election workers provide, others voice concern 
    that it will undermine faith in elections and further depress voter 
    turnout. 
    
    Montgomery County Council member Howard A. Denis (R-Potomac-Bethesda) 
    is so upset that he is calling for a meeting of the Hopkins 
    scientists, state election officials and the council. If he's not 
    satisfied, he said he will consider asking the state for a waiver, to 
    take the Diebold machines that were used in the county's 2002 election 
    out of circulation. "I don't want a situation where some 15-year-old 
    kid could elect Ben Affleck to county executive," Denis said. "I'm 
    very concerned about this. It goes to the heart of the integrity of 
    our elections." 
    
    In their report, Avi Rubin, technical director of Johns Hopkins's 
    Information Security Institute, and his colleagues analyzed a Diebold 
    software "sourcecode" that had been mistakenly stored on a public 
    Internet site. The security flaws, they said, were "stunning," from 
    hard-wiring one password into the code that would work on all machines 
    -- making the system vulnerable to sabotage -- to relying on smart 
    cards that could be easily duplicated in "homebrew" cards and used to 
    vote multiple times. 
    
    Diebold, with 55,000 such machines throughout the country, maintains 
    that the code Rubin analyzed is old and that much of it has never been 
    used in elections. In a 27-page point-by-point rebuttal, Diebold has 
    challenged many of the findings and has called the Hopkins report 
    faulty and erroneous. 
    
    Rubin and Diebold officials said they welcomed the SAIC review. 
    
    "If the result of our study is that SAIC examines this, then that's an 
    excellent outcome," Rubin said. 
    
    "We've got confidence in our system," Diebold's Jacobsen said. "We 
    take these concerns seriously. And we're willing to take the 
    appropriate steps with the right folks so that voters have a comfort 
    level that things are done right." 
    
    
     