http://www.wired.com/news/technology/0,1282,59976,00.html

By Kim Zetter
Aug. 12, 2003

After weeks of defending itself against charges of bad programming and lax security, Diebold Election Systems is facing an independent, third-party audit of the software for its touch-screen voting machines.

Maryland Gov. Robert L. Ehrlich Jr. ordered the review after researchers at Johns Hopkins University and Rice University released a report (PDF) last month revealing numerous programming flaws and security vulnerabilities in the source code for Diebold's AccuVote-TS voting machines.

In March 2002, Maryland purchased more than 5,000 Diebold touch-screen terminals at a cost of $17 million. The machines were used in four counties in the state election that year.

Then last month, just days before the university report came out, Maryland awarded Diebold a $55.6 million contract to provide and service 11,000 additional Diebold machines to be used throughout the state for next spring's presidential primary. But publicity about security flaws has caused the state to seek a thorough review of the software before proceeding with the order.

"Government has no more fundamental obligation than to ensure the integrity of the democratic election process," Ehrlich said in a statement released from his office. "In an effort to strengthen public confidence in Maryland's election process, I have ordered a thorough, fully independent review of the Diebold system by a third party leader in information security."

Maryland is the first state to adopt a unified electronic voting system statewide. The success of electronic voting machines there likely will result in additional lucrative contracts for Diebold around the country.

The audit is the first to be conducted on the entire range of AccuVote-TS software -- the Johns Hopkins report focused only on software for the touch-screen terminal and not on backend software that tabulates, compiles and prints final votes.
Science Applications International Corp., or SAIC, will conduct the audit. The San Diego-based company has a standing contract to vet new software purchased by the state of Maryland, so its role in the audit is not a surprise.

According to Diebold spokesman Mike Jacobsen, the company granted SAIC access to the source code after the group signed a nondisclosure agreement. The report is expected to be completed in about three weeks but likely will remain closed to the public.

Critics of electronic voting will watch closely to see if Maryland goes through with its purchase of Diebold's equipment.

Jacobsen said, "We're confident that no problems will arise from the review. But should the third-party audit require action on our part, we're going to work very closely with the state of Maryland to make sure that their needs are met."

When asked whether any alterations made to the software used by Maryland will also be made to electronic machines already purchased by other states, Jacobsen replied: "This review is for Maryland. No other state has found the need to enact that kind of review at this time." He added, "We're going to work very hard with all of the states to make sure that their needs are met, that they're as comfortable with the security of our system as we are."

Cindy Cohn, legal director at the Electronic Frontier Foundation, said the audit is a good first step but wants the report made public.

"I would like the review to be more open so that ordinary people can see what testing was done and what the results were," she said. "There's a list of things that the university teams found and I'd like to see a point-by-point response to it from SAIC."

She also said that other states need to take a cue from the Maryland audit.

"The average vending machine is more secure than the Diebold code," she said. "Given this backdrop it's irresponsible for public officials not to go give the public a better explanation of the security of our voting machines."
Professor Avi Rubin, technical director of the Information Security Institute at Johns Hopkins and one of the authors of the critical report on Diebold's code, said SAIC is a top-notch company and he's glad it will be conducting the audit. "It shows that Maryland really is serious about this," he said.

The initial report concluded that the AccuVote-TS machines would allow a voter to cast multiple votes and were vulnerable to someone hacking into the system to switch votes. The researchers also found that cryptography was absent from the code in some places where it should have been used, and where it was present, it was used poorly and incorrectly.

"We were looking at code that would not get a C-minus grade in an undergraduate computer-programming course," Rubin said. "It's so full of mistakes and misunderstandings and improper use of cryptography that it was obvious to us that the person who wrote this code had no training."

Diebold reports that during the state elections of Nov. 5, 2002, approximately 33,000 of its voting machines were used throughout the United States, including more than 22,000 in Georgia and 4,000 in a county in California.

States that have used the touch-screen terminals so far have reported that voters were happy with them and liked their design and ease of use. But these comments were elicited before anyone made public the security risks involved in using the systems.

Rubin said he's worried that states are taking an attitude that assumes electronic voting systems are secure until proven otherwise.

"People will use it unless someone can show it's insecure," he said. "I don't know if that's the right model we should be taking for elections."

Diebold responded to the accusations laid out in the report with a 27-page rebuttal (PDF) defending its product. The company claimed the version of software the researchers viewed was from last year and had since been revised.
"Only parts of that code may have been used in an actual election," Jacobsen said. "It was not the total code that you have to take into account when you consider everything that's involved in a real-world election."

But Rubin said it's highly unlikely Diebold could have fixed problems in the software within a year because fundamental security design flaws would have required a complete revamping of the program rather than simple corrections.

"I don't think anybody has the capability to develop a whole new system from scratch in a year, and I don't think Diebold had any incentive to do so because none of this news broke until recently," he said. "The only alternative is that they fixed it, and I don't think it was fixable."

Diebold said the code viewed was "less than 5 percent" of the whole application, which includes backend servers and other hardware as well as election protocols designed to prevent vote tampering.

But Rubin said security standards call for "defense in depth," a term used by security professionals that means defenses must be built into every layer of a system, so that no single layer is relied on to hold. That includes software, hardware and implementation.

"We looked at the software and it was poorly written. I don't think claiming that the other components are secure is a good enough argument," Rubin said.

Diebold's rebuttal also takes issue with the fact that researchers tested the program on a Windows 2000 machine rather than on a modified Windows CE device, the intended operating system for it.

Rubin calls this a non-issue because the researchers' conclusions are based on reading the code, not on observing its performance on a machine. They ran it on a machine only to verify that it was workable code rather than a nonworking draft. Regardless of the type of machine used, the security problems remain the same.

Rubin's group has posted a response to the Diebold rebuttal.
It includes this damning statement: "We have claimed that, in the Diebold code we examined, 'cryptography, when used at all, is used incorrectly.' We stand by this claim. Every use of cryptography in the Diebold code is flawed."

Rubin said for the SAIC review to be successful, it should audit the code carefully and look at software engineering processes to see that they follow industry standards, particularly for cryptography. In addition, the auditing group should examine a host of attack scenarios to see if the voting system would survive them.

According to a press release on Gov. Ehrlich's website, SAIC intends to build a test bed on which to run the Diebold system. "The test will be built as dictated by State Board of Elections regulations, standards and procedures developed for polling places.... Once adapted to a simulated Maryland election environment, SAIC will evaluate the claims of voting security and integrity vulnerabilities."

"I think SAIC has competent people," Rubin said. "But if SAIC passes the software, then I'll be very suspicious of how good they did the review.

"But I obviously don't think this thing is going to pass the tests," Rubin said. "It took us a couple of hours to identify very serious problems and two weeks to complete our project, including writing the paper. Diebold called the research we did a 'homework assignment.' But if a homework assignment can find these problems, then how much is a real serious audit going to find?

"The main thing is, it would have been very easy for them to do this right, but they didn't," Rubin said.