PA: Verified Voting Reviews Diebold TSx Amended Certification Report

Pennsylvania: Verified Voting Foundation Reviews Diebold TSx Amended Certification Report

by Bob Kibrick, Legislative Analyst, and David Dill, Founder, Verified Voting Foundation

January 22nd, 2006

snip

The Questions

Pennsylvania's recently-issued (January 17, 2006) amended certification report for the Diebold TSx implicitly attempts to address several related questions:

1. Does Diebold's AccuBasic interpreted code (which is present on the memory cards of both their TS and TSx DREs and on the precinct count version of their optical scanners) violate the FEC 2002 Voting Systems Standard's (VSS) prohibition on the use of interpreted code?

2. Is the same security vulnerability that has been documented in Diebold's precinct count optical scanner (i.e., the "Hursti Hack") also present in the TSx?

3. Are there procedural requirements that PA can impose (as a condition for state-level certification) that at least partially address either of these first two questions?

Because the report does not explicitly pose these specific questions, for the most part it fails to give explicit answers to them. However, some answers are implied “between the lines.”

The Short Answers

#1. No, provided one accepts Pennsylvania's interpretation of a rather vague and ambiguous exemption clause (Section 6.4.1(e)) of the FEC 2002 VSS.

#2. No, provided one accepts the assertions made by:
a) Diebold, in their letter responding to PA's queries
b) Michael Shamos, who was apparently permitted to review and analyze the relevant Diebold source code

#3. Yes.

The report implies that the risk of undetected modification of the contents of the removable memory cards employed by the OS and TSx systems can be reduced through procedural means, including “careful handling and storage procedures and the effective use of seals”; such procedures are one of the conditions that Pennsylvania has imposed for certification of the TSx . However, the report implies that such procedures, by themselves, provide insufficient protection against unauthorized access to or modification of the contents of such memory cards. If such procedures did provide sufficient protection, then Pennsylvania would not have had a valid basis for denying certification to Diebold's precinct count optical scan (OS) system.

The report also appears to argue that bogus .abo files (interpreted code that has been tampered with) would not be as harmful on the TSx as on the OS because what the TSx stores on the removable memory card are ballot images rather than counters. The point may be that without counters, it may be impossible to store -N ballots for one candidate and +N ballots for another so that the number of ballots at the end of the election balances out (as Hursti had demonstrated).

It is unknown whether the "digital signatures" on the TSx memory cards prevent modified code from being executed. No details about the digital signatures are given, so it is possible no one other than the vendor knows if they conform to cryptographic best practices or not. Furthermore, the report seems to concede that someone with root privileges on the GEMS server could modify a script and get a legitimate digital signature using GEMS.

snip

http://www.verifiedvotingfoundation.org/article.php?id=6324