TinfoilHatProgrammer
(379 posts)
Wed Sep-24-03 09:09 PM
Response to Reply #28
39. for the sake of accuracy
Edited on Wed Sep-24-03 09:10 PM by TinfoilHatProgrammer
Let's talk about "vindication".
Actually, the full section from which you pulled your quote says this:
2.2.2. SBE GEMS server is connected to the SBE intranet
The current security controls employed for the AccuVote-TS voting system require that the system not be connected to any network. The Direct Recording Equipment (DRE) voting terminals themselves are not connected to any network. However, the SBE Global Election Management System (GEMS) server is connected to the SBE intranet, which has access to the Internet. In addition, the server contains some Microsoft Office products not required for the operation of the AccuVote-TS voting system.
We recommend including testing for time-triggered exploits (e.g., Trojans) as a part of the L&A testing. If L&A testing proves to be an inappropriate venue for this testing, we recommend the SBE choose another venue, or introduce into the testing protocol an additional battery of tests including these procedures. We recommend that the SBE GEMS server be immediately removed from any network connections. The server should be rebuilt from trusted media to assure and validate that the system has not been compromised.
Bev has repeatedly, uncategorically, stated that the GEMS computer is "connected to the Internet" and that (either by inference or by direct statement by her) anyone can simply walk right in (metaphorically) and gain access to it through that public network. Moreover, she has repeatedly and vociferously called Diebold and various state officials "liars" for claiming that the GEMS computer was not connected to the Internet. Interestingly this report states clearly and categorically that the GEMS computer is assuredly not connected to the Internet... only to an internal intranet. I hope that Bev will be issuing the appropriate retractions and apologies forthwith.
SAIC recommended that the GEMS computer not be connected even to the private intranet. That recommendation seems reasonable enough... after all, why bother connecting it to anything? The issue, however, is procedural, not a flaw inherent in the software itself.
As for "rebuilding the server from trusted media", the recommendation seems like a reasonable enough security precaution. Break out the CDs. Once again, it doesn't at all suggest there's a flaw inherent in the software.
As for removing all extraneous software from the server, that recommendation seems reasonable as well. Why have software there if it's not used? The state said they would undertake the recommendations in the report... one would think you'd be thrilled about this.
JC
edited to remove rampant accidental bolding of text