http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9029038&source=NLT_AM&nlid=1
Robert McMillan
August 04, 2007 (IDG News Service) California's Secretary of
State has mandated tough new security standards for the state's e-voting
systems and curtailed their use, following an independent review of the
technology.
"Citizens do not have confidence that elections have
been fairly decided because they don't have faith in the integrity of the
tools," said Secretary of State Debra Bowen during a midnight conference
call, late Friday night.
The state will still allow the use of e-voting systems
manufactured by Diebold Election Systems Inc. and Sequoia Voting Systems Inc.,
but under strict new conditions. Polling stations will not be allowed to have
more than one of the Diebold AccuVote-TSx and Sequoia Edge Model systems in
place, and county registrars will have to do things like reinstall the devices'
software and firmware, reset the machine's encryption keys, and take new
measures to prevent physical access to the systems.
Similar security measures are now mandated for Hart
InterCivic Inc.'s voting systems, but without the single-machine limitation.
Systems from a fourth e-voting system maker, Election
Systems & Software Inc. (ES&S), were decertified after ES&S was
late in providing access to its products. The ES&S InkaVote Plus systems,
which are used in Los Angeles County, are now being evaluated and could be
approved for use in the February 2008 election, the secretary of State said in
a statement released after the conference call.
California's review of e-voting has been a rushed affair,
since it was kicked off in early May. That's because the state subsequently
moved its upcoming presidential primary vote ahead by four months, to Feb. 5,
2008. State law requires that county registrars be given six months notice on
any decertification of voting systems, forcing Bowen to come up with decisions
by Friday, earlier than she had first anticipated.
E-voting systems were used by between a quarter and a third
of California's 8.9 million voters in last November's election, the secretary
of State said.
The order comes just days after the release of a
state-sponsored review of California's e-voting machines. Led by the University
of California, several teams of researchers evaluated the security,
accessibility and usability of voting machines. Part of the review was an
unprecedented study of the source code of the software used by the state's
voting machines.
The researchers' findings were not encouraging for backers
of the current electronic voting systems. A "red team" of penetration
testers found 15 security problems in the devices. For example, researchers
were able to exploit bugs in the Windows operating system used by the Diebold
GEMS election management system to circumvent the system's audit logs and
directly access data on the machine. They were able to get a similar level of
access to Sequoia WinEDS data as well.
Testers were also able to overwrite firmware, bypass locks
on the systems, forge voter cards, and even secretly install a wireless device
on the back of a GEMS server.
A source-code review, released earlier this week, found
problems in all three e-voting systems it evaluated, noting that Diebold's
systems were subject to a virus attack.
Copyright © 2007 Computerworld Inc. All rights reserved.