Voting Machines: Diebold Security Vulnerabilities
BRAD BLOG EXCLUSIVE DOCUMENTS: ‘THE PENTAGON PAPERS OF E-VOTING’ —
THE LONG-SOUGHT 2003 STATE OF MARYLAND’S ‘SAIC REPORT’ ON DIEBOLD SECURITY VULNERABILITIES — NOW RELEASED IN FULL!
Previously Unreleased 200-Page Report Said to Document Some 180 Security Flaws and Recommendations Made to Diebold and the State
Still Unclear as to Who Made Changes, Additions, Redactions to Publicly Released 40-Page Version of Report…
On Friday night, we broke Rebecca Abrahams’s exclusive story concerning the long-sought yet never-released complete “Risk Assessment Report” of Diebold’s electronic voting systems as commissioned by the state of Maryland from the Scientific Applications International Corporation (SAIC) in 2003.
Tonight, The BRAD BLOG is releasing that report exclusively in full as given to us by Abrahams, who says she obtained it from a source described to us as “a patriotic high-level state official.” She says the source is “someone very close to this situation” in the Maryland government.
The original, never-before-released SAIC report was nearly 200 pages in all, and details a number of extraordinary security vulnerabilities found in Diebold’s AccuVote-TS (touch-screen) voting systems as deployed by the state of Maryland initially in 2002. The version of the SAIC report that was eventually released to the public, after extreme redaction, was a mere 38 pages long.
It was reported by Abrahams that neither the full MD State Board of Elections, nor even the Governor himself, was ever allowed to see the full report.
Regarded by many in the computer science, security, and election integrity community as “The Pentagon Papers of E-Voting,” the report as released by MD’s State Election Administrator, Linda Lamone, was edited, changed, and, of course, highly redacted by someone.
To this date, it remains unclear whether or not Diebold itself was responsible for the changes, edits, and redactions, but according to several computer scientists and security experts with whom we discussed the matter today, the company currently seems to be the leading candidate responsible for changing and removing information from the independently commissioned SAIC report. Those with whom we spoke questioned the propriety of Diebold having such final control over an independent report concerning its own systems. Systems, we might add, that will be used across the state and indeed across the entire country this November 7th, despite the information withheld from the public in this 2003 report.
Also unclear — since the state and virtually the entire computer science and security community have been unable to review the complete, original report until now — is whether or not any of the various 180 or so recommendations for changes contained in the report have ever been addressed and corrected by either Diebold or the state of Maryland.
Myriad independent reports on Diebold systems have shown, over the last several months and years since the SAIC report was completed, that scores of serious security vulnerabilities still remain on Diebold’s voting systems — including their paper-based optical-scan voting machines, touch-screen voting machines, and even their central tabulator software.
Reports of these serious vulnerabilities have now been documented by Finnish computer scientist Harri Hursti, the computer security firm Security Innovation, and BlackBoxVoting.org in both Leon County, FL and then in Emery County, UT; by a team of scientists at UC Berkeley commissioned by the CA Sec. of State; by Princeton University; and even by the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (as The BRAD BLOG originally reported in September of 2005 after a tip from a Diebold insider).
Whether or not the vulnerabilities revealed in those subsequent studies — made mostly over the last year or so, but some, such as the Dept. of Homeland Security’s CERT alert came even prior to the 2004 Presidential Election — were discovered previously in the full 2003 SAIC report has been widely questioned until now.
If, in fact, such vulnerabilities were indeed found in 2003 by SAIC but subsequently kept covered up by Diebold or their allies within the MD State Elections division, such as longtime booster Lamone, the question of accountability — and even the specter of malicious out-and-out fraud — has been raised.
During an interview with Abrahams and Stephen Spoonamore, the CEO of computer security firm Cyberinth LCC, on a radio program we co-hosted yesterday, they suggested that an FBI investigation may currently be under way in Maryland concerning several events surrounding the use of Diebold machines in the state.
We’ve not yet had time to review the entire unredacted report as posted below. However, given the importance of this never-before-released information — and after close consultation with Abrahams and several others — The BRAD BLOG feels the national public interest in the information contained in this report requires full and immediate release and disclosure.
The report, therefore, is released here for the first time…
Please note that the version of the report released here has several additional cover pages describing the report as “State of Maryland – Electronic Voting System Security: Department of Budget and Management, Annapolis, Maryland, September 17, 2003.”
Nonetheless, the header on each page describes the document with a SAIC tracking number, with a date of September 2, 2003, and contains the title “Diebold AccuVote-TS Voting System and Processes Risk Assessment.” The publicly released redacted version (also linked below for comparison) has the same date and tracking number. The title for that version is the same, but with “Redacted Final” added to the header.
As well, this version contains many unexplained strike-throughs, additions, and rewrites. As Abrahams detailed in her Friday exclusive, some of those edits were included in the final redacted release version of the report, while other sections were simply removed entirely. It is unclear as to who made the suggested edits and additions seen in the version of the report we are making available here.
Note also that there are several handwritten comments and marginalia which were apparently made by Abrahams and others during their review of the document and comparisons with the publicly released redacted version.
We discussed the issues of both the dates and the various edits with Spoonamore this afternoon. He told us that he previously reviewed this document “in great detail” in conjuction with Abrahams’s initial report.
As to its authenticity, since we are unable to get comment from the state of Maryland, SAIC, or Diebold at this time, Spoonamore told us, “The report is certainly a Diebold risk assessment for the state of Maryland.” He says that he “would give a 99% assessment that this document is the real thing.”
Spoonamore adds that the SAIC tracking number is an “authentic tracking number for the state of Maryland and matches the sequence for mid-2003 assignment by SAIC.”
With regard to the content of the report, Spoonamore, a Republican of 22 years, explained in our conversation late this afternoon, “There is no one on that public commission [in Maryland] that has the skills to use that document.” After his review of the report, he says that “the real value in this document is what it’s not saying. It’s clear that even SAIC was not allowed to review the source code or the computer interfaces” for the complete Diebold AccuVote-TS voting system.
Nonetheless, he says that the report clearly reveals that the security in place in these systems is wholly inadequate for the threats faced when used during an election. That danger is one described this week to the LA Times as “a matter of national security,” by computer scientist David Jefferson of the Lawrence Livermore National Laboratory. He added, “The legitimacy of government depends on getting elections right.”
Jefferson served on the UC Berkeley panel convened by California Sec. of State Bruce McPherson to study several aspects of the Diebold voting system. That panel found more than 16 “serious vulnerabilities” in the system last February before McPherson certified the systems for use in California anyway. Jefferson continues to serve as one of the top technical voting systems advisors to McPherson.
“Microsoft has admitted that the Windows operating system in use in Maryland’s Diebold voting systems is subject to at least 75,000 known exploits,” Spoonamore told us. “The unredacted version [of the SAIC report] reveals that none of them have been defended against in these Diebold machines.”
Finally, as Abrahams reported last Friday, there is yet another report commissioned by the State of Maryland to examine whether the items in the SAIC report were adequately addressed. That report, completed by the firm Freeman, Craft and McGregor — a group which has come under fire from Election Integrity advocates for its close relationship with the voting machine companies such as Diebold — has also never been released to the public. We are told that we may soon be able to release that report in full as well. Stay tuned.
The complete SAIC Report documents follow in full below. The 200 or so pages have been converted into five separate PDF files for easier downloading…
SAIC’s Maryland Diebold Report, September 2, 2003
(Complete, never released, unredacted version, 197 pages including suggested edits and changes as made by unknown party.)
SAIC’s Maryland Diebold Report, as Publicly Released September 2, 2003
(Edited and redacted down to 40 pages)
– Redacted Version [PDF, appx 700k]