| Name | Organization | Post Date |
| --- | --- | --- |
| James C. Johnson III | N/A | 9/9/2005 |

Comment:

Simple measures such as: ensuring that after certification testing, systems are closed and cannot be manipulated; disallowing the use of wireless (optical and RF) communications on Election Day; use of encryption and strong authentication between all communicating components, which was not required; and a written prohibition against allowing software on voting system equipment with which it did not undergo certification testing. These are examples of some of the precautions that were presented to IEEE and the TGDC and rejected by both without justification. I hope that the EAC will have the VVSG specification reviewed by security experts and the language within the specification strengthened in a manner such that compliance can be easily determined and enforced.

It is also a concern that this morning the EAC adopted certification procedures based on a model used by the FCC. The FCC procedures are inappropriate for certifying voting systems, where the threat model is considerably different. A more appropriate starting point would have been the standards used in the gaming and banking industries, where there are similar threats of fraud by making changes to the data being collected and managed by the system. Mr. Berger’s colleague from TEM Consulting even pointed out that the FCC does not conduct performance testing, only testing for RF emissions. It is interesting that the security measures required by these standards are much more stringent than the ones used for voting.

Without access to the vendor’s source code, software escrow at NIST will be extremely limited in value. Counting votes is not rocket science and does not require complex proprietary procedures that require independent discovery by different vendors. Also, submitting source to NIST does not constitute public disclosure, if this is a concern of manufacturers. By submitting binaries, the possibility of an outside check on the logic is all but eliminated.