Re: A Diebold network connection Question

From: Ron Crane <voting_at_lastland_dot_net>
Date: Wed Aug 17 2005 - 15:25:49 CDT
Yes, it matters what access the state allows Diebold. But also it matters whether this arrangement allows any connections from the voting systems (e.g., GEMS tabulators, "Accuvote" stations) back to Diebold, or to a server controlled by or connected to Diebold. The voting system software could use such a connection to load information about when and how to cheat, or the voting system firmware could use it to replace the voting application with one that cheats.

-R

Richard C. Johnson wrote:
The VPN access described here is certainly a connection via the internet.  VPN (Virtual Private Network) involves sending encrypted communications over the network.  Depending on how it is done, and what other security measures are taken, it can be quite secure.  Another question, however, is just what privileges and authorizations the Diebold people have on the State site once they are logged in over the VPN connection.
 
Nothing much wrong with VPN--the access itself just raises all kinds of other questions.  Most corporations use VPN to allow their employees secure access over the Internet.  Most corporations also employ a host of other controls and audits once a person has entered the corporate net through a VPN connection.  What the person does once is unclear from this passage.
 
Essentially, Diebold's use of the connection is the critical issue.  What security does the state impose on Diebold employees?  It is unlikely that the coupling of the state and Diebold could be overheard by someone who cracks the VPN encryption.  Rather, the most interesting question is, what privileges are to be granted on the state system to Diebold employees?
 
One would like to think that the state has more control over its security than to allow Diebold access without carefully applying limits.  Or, perhaps, the Diebold janitor is just a "hellokitty" password away from online access to the state's voting databases.  The pipe is reasonably sound (VPN), but it matters what happens at either end.
 
Cheers!
 
-- Dick

Kathy Dopp <kathy@uscountvotes.org> wrote:
A Question from Scott in MS scottatyner@yahoo.com
(this may also apply in UT)

The following is a term of the Diebold contract with
the state of Mississippi. It is taken verbatim. This
looks like an internet connection between Diebold and
our (Mississippi's) election equipment and software.

Please give your feedback on this:

Article 41 NETWORK SECURITY

Contractor [Diebold] and MSOS [Mississippi Secretary
of State] understand and agree that the State of
Mississippi's Enterprise Security Policy mandates that
all remote access to and/or from the State network
must be accomplished via a Virtual Private Network
(VPN.) If the parties agree that remote access is
required at any time during the life of this
Agreement, Diebold and MSOS agree to
implement/maintain a VPN for this connectivity. This
required VPN must be IPSec-capable (ESP tunnel mode)
and will terminate on a Cisco VPN-capable device (i.e.
VPN concentrator, PIX firewall, etc.) on the State's
premises. Diebold agrees that it must, at its own
expense, implement/maintain a compatible
hardware/software solution to terminate the specified
VPN on Diebold's premises.
The parties further understand and agree that the
State protocol standard and architecture are based on
industry-standard security protocols and manufacturer
engaged at the time of contract execution. The State
reserves the right to introduce a new protocol and
architecture standard and require Diebold to comply
with same, in the event the industry introduces a more
secure, robust protocol to replace IPSec/ESP and/or
there is a change in the manufacturer engaged.


_______________________________________________
OVC discuss mailing lists
Send requests to subscribe or unsubscribe to arthur@openvotingconsortium.org

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Wed Aug 31 23:17:27 2005

This archive was generated by hypermail 2.1.8 : Thu Sep 15 2005 - 11:44:12 CDT