Inside The Certification of the Diebold AccuVote Optical Scan System

This topic is archived.

sabra Wed Dec-01-04 10:48 PM
Original message
Inside The Certification of the Diebold AccuVote Optical Scan System
I don't know about you, but I couldn't believe these systems were certified. Check out the Security Access Controls and Other Known Problems sections, they will shock you!

<<SNIP>>

http://www.ss.ca.gov/elections/consultant_report_item_5c.pdf

State certification testing was conducted 19-22 July, 2004, at Diebold offices in Coppell, TX, to certify two versions of the AccuVote Optical Scan (AV-OS), versions 1.94W and 1.96.4, with the new GEMS 1.18.19. The AV-OS, version 1.94W, was previously certified in California under an earlier version of GEMS. This testing was to ensure continued compliance with California election code and rules under the new GEMS 1.18.19 and for the newer AV-OS Version 1.96.4.

The testing for this version configuration showed compliance with the California Election Code but
has broadly published security weaknesses similar to those reported earlier in reports
about the Diebold DREs. In spite of these weaknesses, the tested configuration provides
better security and functional support than the currently certified version and is recommended
for certification in place of the current version, with suitable Technical Security Plan
procedures compatible with those suggested earlier for the Touch Screen DREs.

The following security weaknesses were noted in testing:
Item GEMS TS OS
1. Weak security of the basic server and operating system Yes n/a n/a
2. GEMS database is accessible by DAO-supported programs Yes n/a n/a
3. GEMS passwords are too weak Yes n/a n/a
4. SSL/TLS encryption may be disabled Yes uses n/a
5. Default encryption keys published (but may be changed) Yes uses n/a
6. Default passwords/pins are hardcoded Yes Yes n/a
7. Some passwords/pins restricted to four digits. Yes Yes Yes
8. Key locks on access panels are not secure Yes Yes
a. Memory card not secure Yes Sealable
b. Serial/Parallel ports not secure Yes Yes
9. PS/2 Keyboard port not secure Yes n/a
10. (new) Modem not secure Unused Yes

The election procedures for the AV-TS and AV-OS are being rewritten to address some
of these items but are not finished in time to be included in this report.

<</SNIP>>

sabra Wed Dec-01-04 10:53 PM
Response to Original message
1. Wasn't CA on Madsen's List of Fraud? n/t

rockedthevoteinMA Wed Dec-01-04 10:57 PM
Response to Reply #1
3. yes n/t

sabra Wed Dec-01-04 11:05 PM
Response to Reply #3
5. How were these systems certified?
With so many known security holes? Essentially this report is saying, "hey, at least it's better than the last version".

stella2cat Wed Dec-01-04 10:55 PM
Response to Original message
2. and how did Ohio certify?
I've looked all over for doco on the Ohio certification process and can't find anything anywhere. I found info for some states, but oddly enough, Ohio seems to have done it secretly. I still think this is a true issue -- whether or not the correct software was used, but how can we prove it?

sabra Wed Dec-01-04 10:57 PM
Response to Reply #2
4. I looked too, and couldn't find anything...
but if the CA cert is any indication of what it was like, it just adds to my concerns...

stella2cat Wed Dec-01-04 11:18 PM
Response to Reply #4
6. I think this would be the soundest way to challenge....
but short of checking every machine I don't know how we could establish that they were using either
a) uncertified versions or
b) versions with uncertified patches

Mr Blackhole has done a fine job of keeping Ohio to himself

sabra Thu Dec-02-04 09:23 AM
Response to Reply #6
7. I agree
but in my opinion, going off the CA certification doc, they seem to be OK with the system being unsecure. I am totally baffled how this is allowed.