BBV: Chart: 12 vulnerabilities identified by Rubin, 4 addressed by SAIC

Great work!

they can make it easy to understand. I'm routing people to this.

Where would we be without you! :evilgrin:

:kick:

hopefully they'll report it...

http://www.electionline.org/electionlinetoday.jsp

feedback@electionline.org

I'll be having another go at Kathy Rogers of the GA Elections Division plus probably other reprentatives again tomorrow afternoon. 2 copies of this go with me. Hmmm, probably ought to take more, as handouts.

Well done!!

Eloriel

I would really like to be there. Find out who's car trunk is safely storing those securely stored machines while you're there.

very easy to read and understand.

This is inaccurate and suspiciously self-serving.

First of all, the SAIC report states very clearly:

The State of Maryland procedural controls and general voting environment reduce or eliminate many of the vulnerabilities identified in the Rubin report.

There is simply no way to spin that statement. Rubin got it substantially wrong. There's an entire appendix devoted to debunking most of his claims, several of which are driven by his stated anti-DRE bias. You've simply ignored all of that material entirely. Why?

Moreover, you intentionally leave out specific things that are reported in the Maryland press release to have been specifically addressed by Diebold, to wit:

"Diebold has incorporated three new security features in response to the independent review. The enhancements include 1.) implementing a dynamic assignment of security keys to enable the State to determine the pass codes used by smart cards to access the system, 2.) incorporating encryption into the electronic transmission of election results, 3.) providing personal identification numbers for when election officials access the system."


Furthermore, the Maryland press release appears to be missing additional salient details. Yesterday's Wired story includes the following bit of additional interesting detail:

The report (PDF), prepared by Science Applications International (SAIC), offered an "action list" of 23 items for securing the machines. Six of those items have already been implemented, according to David Heller, project manager for Maryland's board of elections. These include applying encryption to the process of transferring votes from voting machines to state servers via modem and altering Diebold's software so that votes in the system could not be matched to the names of voters.


Let us for the sake of convenience refer to the items in the MD press release above as items (1) to (3), and the item in the Wired article about system alterations to prevent votes being matched to voters as item (4). Why is this last item not mentioned in the MD press release? The reasons are unclear (and probably unimportant) at this time, but let's assume for the sake of argument that Wired didn't simply invent the item. It's equally unclear whether any other security-related modifications were made to the system -- neither Wired nor the MD press release represents a complete functional specification document -- but for the sake of argument let us assume that these four items constitute all of the code changes implemented by Diebold and that no other "fixes" were implemented in the system. Additional information about the details pertaining to items (1), (3) and (4) would be highly desirable. Item (2) seems fairly self-explanatory. Assuming that items (1) and (3) address smart card authentication issues and/or administrative access (I interpret "for when election officials access the system" as pertaining to administrative functionality) then it's quite plausible that you can "green dot" the following (already debunked) issues from the Rubin report:


(R-1) Vote multiple times using forged smartcard
The Rubin claim is based on the authentication methodology used, and the hard-coding of security keys into the system. This is addressed by item (1) above - updating the smart card authentication mechanism and security keys, and by (S-12). Details would be nice, but that sort of thing sounds like something they wouldn't (intentionally) publish.

(R-2) Access administrative functions or close polling station
This is addressed by item (1) above - revising the smart card authentication mechanism and security keys, and possibly by item (3) above - providing personal identification numbers for when election officials access the system (clarification would be helpful).

(R-4) Impersonate legitimate voting machine to tallying authority
Resolved by (S-5)/item (2) - encryption of result transmission. Rubin's stated claim (section 4.3) is based on the fact that communication between the voting terminal and the server is not encrypted/checksummed. Also addressed by item (S-6) - separate, individual count of the PCMCIA cards (eliminating direct communication between the voting terminal and the server entirely).

(R-5) Modify ballot definition
Eliminated by (S-5)/item (2) - encryption of data transfer (if applied to download of election/ballot data as well as result transmission), and additionally addressed by (S-16) as indicated in your matrix (also note: S-16 is a procedural issue, not a flaw in the software). Rubin's stated argument (sections 4.3 and 5.1) is based on the fact that data transfer is not encrypted/checksummed, and that it's performed over the Internet (incorrect assumption) or via removable media such as floppy disk (also incorrect).

(R-6} Cause votes to be miscounted by tampering with configuration
Eliminated by (S-5)/item (2) - encryption of data transfer (if applied to download of election/ballot data as well as result transmission). Rubin's stated argument is based on the fact that data is not encrypted/checksummed, and the additional (incorrect) presumption that data is transferred over the Internet or by removable media such as floppy disk (also incorrect).

(R-9) Link votes to voters
Appears to be addressed very specifically by item (4) above.

(R-10) Delay the start of an election
This is a straw man based entirely (according to Rubin's paper, section 5.2) on the presumption that the voting terminals are connected to the Internet and subject to a denial of service attack. This claim (often espoused by the BBV crew) has been sufficiently debunked by now, as you well know, and requires no special mitigation.

(R-12) Insert backdoors into code
We'll simply have to disagree on whether item (S-13) addresses the issue or not. I believe that if you put procedures in place to guarantee the ITA-certified version of the software is what's installed, then someone aside from the manufacturer has inspected the software and has had every opportunity to discover any back doors. You seem unsatisfied. Impasse. I'm prepared to simply disagree peaceably on this point, although I will cheerfully agree that the certification process should be greatly improved and the existing FEC guidelines should be replaced with something more intelligent and relevant.



It's unclear how you came to the decision to place a red, yellow or green dot in each square of your matrix, but the result is certainly very pretty (if not especially accurate). Pending a few confirmatory details about the code changes implemented by Diebold, it's entirely reasonable to state that 10 of 12 Rubin claims have been addressed to date, and your matrix is either erroneous or intentionally misleading (I will of course give you the benefit of the doubt). Of the remaining two items, (R-10) is a straw man based on fallacious assumptions and can simply be dismissed. (R-3) is already addressed by both existing procedure and hardware design, according to SAIC's evaluation.

I fully expect my observations here to be dismissed by the true believers as per usual, but they're fairly demonstrably irrefutable.

JC

TFHP -

As the bulk of the SAIC "mititation strategies" for "reduction of risk" merely recommend non-specific administrative measures rather than requiring specific software algorithms and hardware configurations, they have to stay yellow or red.

Anyone who's worked on software projects knows that administrators can go around until they're blue in the face recommending better "standard operating procedures" for training users or managing programmers better in order to get the program to run right. This only works if (a) the programmers are willing and able to critically examine where they went wrong in their work, and (b) the programmers are willing and able to rewrite it and get it right this time.

Administrative "hand-waving" has no effect if the programmers "don't get it". How much do you want to bet that Diebold's programmers actually "get it"? Briefly peruse the state of the art in e-voting right now here:

http://www.tcs.hut.fi/~helger/crypto/link/protocols/voting.html

and tell me if you think whether sad, desperate, meaningless "mitigating strategies" such as

"(S-1) Bring the AccuVote-TS voting system into compliance with the State of Maryland Information Security Policy and Standards"

or

"(S-17) Implement an iterative process to ensure that the integrity of the AccuVote-TS voting system is maintained throughout the lifecycle process."

are going to have any real effect on this botched software project.

Truly pathetic. Why doesn't the SAIC just write: "Diebold should try REALLY, REALLY hard this time to get the program right."?

It is doubtful whether any of the Diebold "software engineers" or anybody at the SAIC could make heads or tails of the state-of-the-art stuff on the above-referenced website, or any of the many other contributions to developing secure, distributed, uncoercible, verifiable computer software. And this is what's needed. Not managerial hand-waving. Not "standard operating procedures". We need an algorithm. We need different programmers. The programmers on this project need to be fired, and competent programmers hired. The Diebold programmers are, in the classical sense of the term, mere "hackers" who have no business being involved in developing an e-voting system. Neither the Diebold code, nor the SAIC "mitigation strategies" and "risk reduction" measures have anything to do with the very real problems of secure, private, uncoercible, verifiable e-voting.

One can change a few of the reds to yellow maybe. Give the SAIC the benefit of the doubt. Hiring a new CIO-type could bring enough talent on board so that someone on the project finally understands the technological issues of e-voting. For now, the chart's fine as-is.

- Scott

There is not one statement in your typically wordy reply that addresses anything I wrote.

You make the claim that most of the security issues brought up by Rubin haven't been addressed, and when you are shown irrefutable evidence to the contrary you prattle on with a bunch of sarcasm, rhetoric and misinformation.

Rubin at least based his claims on clear, easy to understand reasoning. Most of his issues appear to have been addressed, as I've demonstrated. You are simply spreading misinformation to further your own agenda.

JC

:hi:

:kick:

How on earth could anyone take this kind of detailed rebuttal as anything but substantive proof of internal Diebold credentials? If there is some independent source of your expertise then the Crusader Rabbit loyalty you have for pro-Diebold logic is a complete turn-off.

Paid traitor to his country is more like it.

I'm not the kind of person who alerts moderators over personal slurs but your comment is way out of line and contributes nothing useful to this thread.

My rebuttal is based entirely on the quoted sources and common sense. You don't need to be a Diebold engineer to expose the glaring inaccuracies in scottxyz's matrix, you just need a lack of bias and the ability to read.

JC

.....being spread to so many politicians! :evilgrin:

Nevertheless I note that there is no response whatsoever to my rebuttal, as per usual. Thanks for your usual useless contribution, Pat.

The technical claims of the BBV crew never stand up to any kind of scrutiny. Ever.

JC

.....read slashdot! :) Gee, for a bunch of 'know nothings', we sure seem to have snowed a lot of intelligent people, huh! :evilgrin:

You contribute nothing to the technical matter at hand.

Also, you misattribute (to me) a quote calling you a bunch of 'know nothings'.

I'll agree that you've tried to snow a lot of people.

JC

:kick: