Technical Response To The Johns Hopkins Study On Voting Systems
Diebold is in the process of performing a complete
review of the lengthy research article about one of Diebold’s election products,
dated Wednesday, July 23.
A prior version of Diebold’s touch screen software was
analyzed while it was running on a device on which it was never intended to run,
on an operating system for which it was not designed, and with minimal knowledge
of the overall structures and processes in which the terminal software is
embedded. In addition, many of the weaknesses attributed to the operating
system on which the software was tested are inapplicable to the embedded
operating system actually used by Diebold. As a result, many of the conclusions
drawn by the researchers are inaccurate or incomplete with respect to the
security of this particular element of Diebold’s voting system.
The researchers installed and analyzed a prior
version of the AccuVote-TS software on a typical personal computer, on which a
generally available Microsoft®
operating system was installed. This personal computer on which the software
was analyzed also had an internet or continuous modem connection, a keyboard,
and disk drives. The exploitation of many weaknesses attributed to
Diebold’s software resulted from this configuration, which does not exist when
the software is used in a Diebold voting terminal.
A continuous or unmonitored internet or modem connection
would be necessary in order for last minute or stealth changes to be downloaded
to a voting terminal. As installed by Diebold, this voting terminal contains
neither. Diebold does not connect its voting terminals to the internet. All
downloads to the terminals for purposes of programming take place over a secure
connection to an isolated server, to which the voting terminal is generally only
briefly connected. Once the changes have been made, the terminal is
disconnected, the software tested, the terminal is locked and a
tamper-indicating device affixed.
Unlike the personal computer on which the analysis
was performed, the voting terminal does not have a standard keyboard or disk
drives, and the redundant memory is physically locked into the machine. This
eliminates the easy access that would be required to accomplish some of the other
security breaches that have been suggested.
Similarly, unlike the personal computer on which the
analysis was performed, the card reader is an integrated portion of the
terminal. This prevents the signal monitoring which, it was suggested, could
easily be used to capture the data needed to create a “homebrew” voting card.
Further, because actual voting booths are not the enclosed structures the
researchers may be accustomed to, the suggestion that a readily available device
could easily be used to capture the data without detection is inaccurate. The
data that would be needed to create voting cards varies from election to
election, so creating voting cards would be difficult without access to such
captured data.
Similarly, the suggestion that election results
would be intercepted and modified during uploading is unrealistic. First, any
results transmitted via modem are always considered unofficial results; the
official results are transported solely by means of a memory card, which is
locked into the system during voting. Any modified unofficial results would not
match the official results and would immediately be rejected. In addition, it
is very unlikely that any individual would have all the information required to
implement such an attack.
Beyond the code analysis, the researchers suggested that
Diebold lacked an adequate change control process. Systemic control is in
place, both internally and externally. Diebold’s extensive change control
process is not embedded in its source code, nor would it be expected to be. In
addition to the internal programming group and quality control, the software is
tested externally by independent testing authorities. Once delivered to the
customer, the software is tested for logic and accuracy both before and after
each election. An individual intent on inserting malevolent code would
require the cooperation of the programmers, the quality assurance group,
the independent testing authorities, the multiparty observers, and poll workers.
In addition, programmers draft code to deal with
party IDs, candidate IDs, precinct IDs, and other generic object identifiers,
not individual identified candidates or parties. The actual information
associated with these identifiers is entered by individuals in a particular
election jurisdiction. Because the specific association between a generic
identifier and a particular candidate is not predictable in advance, it would be
nearly impossible for a programmer to craft programming to favor a particular
candidate or political party without the active cooperation of the individual in
the election jurisdiction who formats the ballots. It is extremely unlikely
that this kind of cooperation would occur in the first place or, if it did
occur, would go unnoticed by the quality assurance group, the independent
testing authority, the multiparty observers, and poll workers.
The democratic process is a fiercely held right in the
United States, and election officials have long been on guard against
mishap and fraud. They have implemented a comprehensive list of safeguards,
which protect the integrity of the election process. These safeguards did not
end when electronic voting entered the picture, and in fact have been
increased. Electronic voting offers an opportunity to make voting more
accessible and independent than ever before, particularly to individuals who are
sight impaired or who speak another language. To require that each portion of
the system be impervious to security breaches ignores security features in place
in each other element of the physical system, and the systemic protections in
place that extend far beyond the devices on which the votes are cast and
tallied.