Diebold has released a response to the Felten study. It appears to me to be misleading in several important respects, so I thought it merited a quick fisking:
Three people from the Center for Information Technology Policy and Department of Computer Science at Princeton University today released a study of a Diebold Election Systems AccuVote-TS unit they received from an undisclosed source. The unit has security software that was two generations old, and to our knowledge, is not used anywhere in the country.
As I noted yesterday, this response would be a lot more credible if Diebold had a habit of submitting its machines to independent review. It’s hardly Felten’s fault that he had trouble getting access to a newer version of the machine.
Normal security procedures were ignored. Numbered security tape, 18 enclosure screws and numbered security tags were destroyed or missing so that the researchers could get inside the unit.
These precautions make it harder to get malicious software onto a machine, but they are far from foolproof. Tape and numbered seals only show that an enclosure was opened, and only if somebody checks them; they say nothing about what is running inside. Given that installing Felten's software takes about a minute and leaves no external sign once it is in place, even a well-designed procedure will leave an insider some window of unsupervised access to a machine or to a memory card. That is especially true because Felten also built a version of the software that spreads as a virus, so a single such window is enough.
A virus was introduced to a machine that is never attached to a network.
I think they think this is some kind of contradiction in terms, but viruses that spread without a network are in fact quite common. Indeed, the first viruses spread among Macs and PCs on floppy disks in the 1980s, long before the Internet burst onto the scene. And Felten described a perfectly plausible scenario by which the virus could spread: technicians use a single memory card to install software updates on dozens of machines. If the card is placed in an infected machine, the card becomes infected, and the card then infects every machine it is subsequently inserted into. So it's not clear how this sentence is a refutation of anything Felten wrote. Either whoever wrote this press release didn't read the paper, or he's counting on reader ignorance.
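The propagation path in the previous paragraph, as an added example that is not part of the original post or of the Felten paper. It is a deterministic toy model written in Go: the fleet size, machine names and technician routes are constructed, and the infection rule is exactly the one described above (an infected machine writes the payload onto the card; an infected card installs it on every machine it touches afterwards).

```go
package main

import (
	"fmt"
	"sort"
)

// Added example (not from the original post or the Felten paper): a deterministic
// model of the memory-card propagation path. Machine names and technician routes
// are constructed for illustration.

// Machine is a stand-alone voting terminal that is never on a network.
type Machine struct {
	Name     string
	Infected bool
}

// Card is the removable memory card a technician carries between machines.
type Card struct {
	ID       string
	Infected bool
}

// Fleet is every machine in a jurisdiction, keyed by name.
type Fleet map[string]*Machine

// NewFleet builds n clean machines named M1..Mn.
func NewFleet(n int) Fleet {
	f := make(Fleet, n)
	for i := 1; i <= n; i++ {
		name := fmt.Sprintf("M%d", i)
		f[name] = &Machine{Name: name}
	}
	return f
}

// Service models one technician walking a route with one card: the card goes
// into each machine in order. An infected machine writes the payload onto the
// card; an infected card installs the payload on every machine it touches
// afterwards. Nothing on the outside of the enclosure changes, so the tape and
// numbered seals stay intact throughout.
func Service(fleet Fleet, card *Card, route []string) {
	for _, name := range route {
		m := fleet[name]
		if m.Infected {
			card.Infected = true
		}
		if card.Infected {
			m.Infected = true
		}
	}
}

// InfectedMachines returns the sorted names of compromised machines.
func InfectedMachines(fleet Fleet) []string {
	var out []string
	for name, m := range fleet {
		if m.Infected {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// Scenario seeds one machine and runs two update rounds with fresh cards,
// returning the infected set after each round.
func Scenario() (afterRound1, afterRound2 []string) {
	fleet := NewFleet(6)
	fleet["M3"].Infected = true // one insider, one minute, weeks before the election

	// Round 1: card A visits M1..M6 in order. M1 and M2 are touched before the
	// card reaches M3, so they stay clean; M4..M6 are infected by the card.
	Service(fleet, &Card{ID: "A"}, []string{"M1", "M2", "M3", "M4", "M5", "M6"})
	afterRound1 = InfectedMachines(fleet)

	// Round 2: a different technician with a brand-new card runs the route in
	// reverse. The clean card picks up the payload at M6 and carries it to M2 and M1.
	Service(fleet, &Card{ID: "B"}, []string{"M6", "M5", "M4", "M3", "M2", "M1"})
	afterRound2 = InfectedMachines(fleet)
	return afterRound1, afterRound2
}

func main() {
	r1, r2 := Scenario()
	fmt.Println("after round 1:", r1)
	fmt.Println("after round 2:", r2)
}
```

The point of the second round is that the card in a technician's pocket was never near the original insider: it was clean until it met a machine that a previous card had infected. Two ordinary service visits are enough to cover the whole fleet, with every seal still in place.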
By any standard – academic or common sense – the study is unrealistic and inaccurate. The current generation AccuVote-TS software – software that is used today on AccuVote-TS units in the United States – features the most advanced security features, including Advanced Encryption Standard 128 bit data encryption, Digitally Signed memory card data, Secure Sockets Layer (SSL) data encryption for transmitted results, dynamic passwords, and more. These touch screen voting stations are stand-alone units that are never networked together and contain their own individual digitally signed memory cards.
Encryption is not magic pixie dust that can be sprinkled on a computer system to make it secure. Encrypting stored or transmitted results keeps those bytes from being read by someone who intercepts them; it does nothing about the attack Felten demonstrated, which is replacing the software that produces the results in the first place. A compromised machine will happily encrypt and transmit whatever tally the malicious code hands it. So a list of cipher names tells us nothing about whether the machines are secure. What matters is whether the machine refuses to run code that hasn't been authorized, and that claim is nowhere in this paragraph.
Depending on how it's implemented, digitally signing memory cards could improve the security of the system, particularly if the machine verifies the signature on any software it finds on a card, against a key the attacker cannot obtain, before it will install or run that software. But the effectiveness of such a strategy depends entirely on the details: what exactly the signature covers, whether any unsigned path (an update format that isn't checked, for instance) bypasses it, and whether the code doing the checking can itself be replaced. A signature that covers only the vote data, or that is checked by code an earlier attack has already swapped out, buys nothing. Given how poorly the 2002 software was designed, we have little reason to take Diebold at its word that the new software gets these details right.
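To make the last two points concrete, here is an added example for this post, in Go; it is not Diebold's code and not a description of how the AccuVote actually formats or protects its data. It uses a constructed eight-byte results record (two 32-bit tallies), a constructed AES-128 key and a freshly generated Ed25519 key pair. The first path encrypts the record with AES-128 in CTR mode and nothing else; an attacker with no key rewrites the totals anyway. The second path signs the same ciphertext, and the same rewrite is caught by a verifier holding a pinned public key, which is the check a memory-card installer would run before executing anything from the card.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Added example, not Diebold's code and not the AccuVote's real format: a
// constructed results record, AES-128-CTR for "encryption", Ed25519 for the
// signature check. The AES key below is a constructed placeholder.

// Tally is the constructed results record: votes for candidates A and B.
type Tally struct{ A, B uint32 }

func encodeTally(t Tally) []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint32(buf[:4], t.A)
	binary.BigEndian.PutUint32(buf[4:], t.B)
	return buf
}

func decodeTally(b []byte) Tally {
	return Tally{A: binary.BigEndian.Uint32(b[:4]), B: binary.BigEndian.Uint32(b[4:])}
}

// EncryptCTR returns iv || AES-128-CTR(plaintext). CTR gives confidentiality
// only: the ciphertext is plaintext XOR keystream, with no integrity check.
func EncryptCTR(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	return append(iv, ct...)
}

// DecryptCTR is the inverse; it has no way to notice modified ciphertext.
func DecryptCTR(key, msg []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	pt := make([]byte, len(msg)-aes.BlockSize)
	cipher.NewCTR(block, msg[:aes.BlockSize]).XORKeyStream(pt, msg[aes.BlockSize:])
	return pt
}

// RewriteTally is the attacker, who holds no key. Because CTR is an XOR with a
// keystream, XORing (old XOR want) into the ciphertext bytes turns the decrypted
// plaintext from old into want. The attacker needs the record layout and the
// original totals (say, from the precinct's posted results tape), nothing else.
func RewriteTally(msg []byte, old, want Tally) []byte {
	out := append([]byte(nil), msg...)
	o, w := encodeTally(old), encodeTally(want)
	for i := range o {
		out[aes.BlockSize+i] ^= o[i] ^ w[i]
	}
	return out
}

// Sign prepends an Ed25519 signature over the whole encrypted message.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return append(ed25519.Sign(priv, msg), msg...)
}

// Verify checks the signature against a pinned public key before anything
// downstream (a tabulator, or an installer reading a memory card) uses msg.
func Verify(pub ed25519.PublicKey, signed []byte) ([]byte, error) {
	if len(signed) < ed25519.SignatureSize {
		return nil, errors.New("truncated message")
	}
	sig, msg := signed[:ed25519.SignatureSize], signed[ed25519.SignatureSize:]
	if !ed25519.Verify(pub, msg, sig) {
		return nil, errors.New("signature check failed")
	}
	return msg, nil
}

// Demo runs both paths: what the encrypted-only path decrypts to after the
// attacker's rewrite, and whether the signed path accepts the honest and the
// rewritten message.
func Demo() (tampered Tally, honestVerified, forgedVerified bool) {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed AES-128 key
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	honest, swapped := Tally{A: 120, B: 80}, Tally{A: 80, B: 120}

	// Path 1: "AES-128 encrypted" results, nothing more. Decryption succeeds and
	// hands the tabulator the attacker's numbers.
	enc := EncryptCTR(key, encodeTally(honest))
	forged := RewriteTally(enc, honest, swapped)
	tampered = decodeTally(DecryptCTR(key, forged))

	// Path 2: the same ciphertext under a signature. The same bit flips now fail.
	signed := Sign(priv, enc)
	_, err = Verify(pub, signed)
	honestVerified = err == nil
	forgedSigned := append([]byte(nil), signed...)
	copy(forgedSigned[ed25519.SignatureSize:], forged)
	_, err = Verify(pub, forgedSigned)
	forgedVerified = err == nil
	return tampered, honestVerified, forgedVerified
}

func main() {
	tampered, honestOK, forgedOK := Demo()
	fmt.Printf("encrypted-only path decrypts forged record to %+v\n", tampered)
	fmt.Printf("signed path: honest verified=%v, forged verified=%v\n", honestOK, forgedOK)
}
```

The signature here is over the ciphertext and checked against a key built into the verifier; the identical Verify call is what an installer would run on a software image read from a memory card before executing any of it. The caveats above still apply: if the attacker can replace the verifier or its pinned key, or find an input the installer accepts without calling Verify, the signature is decoration.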
In addition to this extensive security, the report all but ignores physical security and election procedures. Every local jurisdiction secures its voting machines – every voting machine, not just electronic machines. Electronic machines are secured with security tape and numbered security seals that would reveal any sign of tampering.
This ignores the fact that machines can be infected at any time–weeks or even months before an election–and the infection can be virtually impossible to detect. This can be done either with direct access to machines, or by infecting memory cards that subsequently infect the machines. Given that infection takes only a minute, and that only one machine or memory card needs to be infected to start the spread of the virus, it strikes me as highly implausible that even the most stringent security procedures could prevent a determined insider from infecting a machine.
Diebold strongly disagrees with the conclusion of the Princeton report. Secure voting equipment, proper procedures and adequate testing assure an accurate voting process that has been confirmed through numerous, stringent accuracy tests and third party security analysis. Every voter in every local jurisdiction that uses the AccuVote-TS should feel secure knowing that their vote will count on Election Day.
I would be interested in more details about the third party security analysis that has been performed. If, as Felten alleges, these analyses have been commissioned by Diebold, that hardly counts as an independent assessment. The first step would be to offer Prof. Felten the opportunity to evaluate the latest version of their machine so that he can verify their claims that the flaws he identified have been fixed.
The bottom line is that “trust us” just doesn’t cut it when it comes to the integrity of our voting system. Diebold may very well be right that the flaws Felten found were fixed in subsequent versions, but the burden of proof is on Diebold, not on Prof. Felten.