BRAD BLOG EXCLUSIVE DOCUMENTS: 'THE PENTAGON PAPERS OF E-VOTING' — THE LONG-SOUGHT 2003 STATE OF MARYLAND'S 'SAIC
REPORT' ON DIEBOLD SECURITY VULNERABILITIES — NOW RELEASED IN FULL!
BLOGGED BY Brad ON 11/5/2006 7:02PM
***********
The complete SAIC Report documents follow in full below. The 200 or so pages have been converted into five separate PDF
files for easier downloading…
SAIC's Maryland Diebold Report, September 2, 2003
(Complete, never released, unredacted version, 197 pages including suggested edits and changes as made by unknown
party.)
SAIC's Maryland Diebold Report, as Publicly Released September 2, 2003
(Edited and redacted down to 40 pages)
– Redacted Version [PDF, appx 700k]
***********
Previously Unreleased 200-Page Report Said to Document Some 180 Security Flaws and Recommendations Made to Diebold and
the State
Still Unclear as to Who Made Changes, Additions, Redactions to Publicly Released 40-Page Version of Report…
On Friday night, we broke Rebecca Abrahams's exclusive story concerning the long-sought yet never-released complete "Risk Assessment Report" of Diebold's electronic voting systems
as commissioned by the state of Maryland from the Scientific Applications International Corporation (SAIC) in 2003.
Tonight, The BRAD BLOG is releasing that report exclusively in full as given to us by Abrahams, who says she obtained it from a source
described to us as "a patriotic high-level state official." She says the source is "someone very close to this
situation" in the Maryland government.
The original, never-before-released SAIC report was nearly 200 pages in all, and details a number of extraordinary
security vulnerabilities found in Diebold's AccuVote-TS (touch-screen) voting systems as deployed by the state of
Maryland initially in 2002. The version of the SAIC report that was eventually released to the public, after extreme
redaction, was a mere 38 pages long.
It was reported by Abrahams that neither the full MD State Board of Elections, nor even the Governor himself, was ever
allowed to see the full report.
Regarded by many in the computer science, security, and election integrity community as "The Pentagon Papers of
E-Voting," the report as released by MD's State Election Administrator, Linda Lamone, was edited, changed, and, of
course, highly redacted by someone.
To this date, it remains unclear whether or not Diebold itself was responsible for the changes, edits, and redactions,
but according to several computer scientists and security experts with whom we discussed the matter today, the company
currently seems to be the leading candidate responsible for changing and removing information from the independently
commissioned SAIC report. Those with whom we spoke questioned the propriety of Diebold having such final control over an
independent report concerning its own systems. Systems, we might add, that will be used across the state and indeed
across the entire country this November 7th, despite the information withheld from the public in this 2003 report.
Also unclear — since the state and virtually the entire computer science and security community have been unable to
review the complete, original report until now — is whether or not any of the various 180 or so recommendations for
changes contained in the report have ever been addressed and corrected by either Diebold or the state of Maryland.
Myriad independent reports on Diebold systems have shown, over the last several months and years since the SAIC report
was completed, that scores of serious security vulnerabilities still remain on Diebold's voting systems — including
their paper-based optical-scan voting machines, touch-screen voting machines, and even their central tabulator software.
Reports of these serious vulnerabilities have now been documented by Finnish computer scientist Harri Hursti, the
computer security firm Security Innovation, and BlackBoxVoting.org in both Leon County, FL and then in Emery County, UT;
by a team of scientists at UC Berkeley commissioned by the CA Sec. of State; by Princeton University; and even by the
U.S. Department of Homeland Security's Computer Emergency Readiness Team (as The BRAD BLOG originally reported in September of 2005 after a tip from a Diebold insider).
Whether or not the vulnerabilities revealed in those subsequent studies — made mostly over the last year or so, but
some, such as the Dept. of Homeland Security's CERT alert came even prior to the 2004 Presidential Election — were
discovered previously in the full 2003 SAIC report has been widely questioned until now.
If, in fact, such vulnerabilities were indeed found in 2003 by SAIC but subsequently kept covered up by Diebold or their
allies within the MD State Elections division, such as longtime booster Lamone, the question of accountability — and
even the specter of malicious out-and-out fraud — has been raised.
During an interview with Abrahams and Stephen Spoonamore, the CEO of computer security firm Cyberinth LCC, on a radio program we co-hosted yesterday , they suggested that an FBI investigation may currently be under way in Maryland concerning several events surrounding
the use of Diebold machines in the state.
We've not yet had time to review the entire unredacted report as posted below. However, given the importance of this
never-before-released information — and after close consultation with Abrahams and several others — The BRAD BLOG feels
the national public interest in the information contained in this report requires full and immediate release and
disclosure.
The report, therefore, is released here for the first time…
Please note that the version of the report released here has several additional cover pages describing the report as
"State of Maryland - Electronic Voting System Security: Department of Budget and Management, Annapolis, Maryland,
September 17, 2003."
Nonetheless, the header on each page describes the document with a SAIC tracking number, with a date of September 2,
2003, and contains the title "Diebold AccuVote-TS Voting System and Processes Risk Assessment." The publicly released
redacted version ( also linked below for comparison) has the same date and tracking number. The title for that version
is the same, but with "Redacted Final"added to the header.
As well, this version contains many unexplained strike-throughs, additions, and rewrites. As Abrahams detailed in her Friday exclusive, some of those edits were included in the final redacted release version of the report, while other sections were
simply removed entirely. It is unclear as to who made the suggested edits and additions seen in the version of the
report we are making available here.
Note also that there are several handwritten comments and marginalia which were apparently made by Abrahams and others
during their review of the document and comparisons with the publicly released redacted version.
We discussed the issues of both the dates and the various edits with Spoonamore this afternoon. He told us that he
previously reviewed this document "in great detail" in conjuction with Abrahams's initial report.
As to its authenticity, since we are unable to get comment from the state of Maryland, SAIC, or Diebold at this time,
Spoonamore told us, "The report is certainly a Diebold risk assessment for the state of Maryland." He says that he
"would give a 99% assessment that this document is the real thing."
Spoonamore adds that the SAIC tracking number is an "authentic tracking number for the state of Maryland and matches the
sequence for mid-2003 assignment by SAIC."
With regard to the content of the report, Spoonamore, a Republican of 22 years, explained in our conversation late this
afternoon, "There is no one on that public commission [in Maryland] that has the skills to use that document." After his
review of the report, he says that "the real value in this document is what it's not saying. It's clear that even SAIC
was not allowed to review the source code or the computer interfaces" for the complete Diebold AccuVote-TS voting
system.
Nonetheless, he says that the report clearly reveals that the security in place in these systems is wholly inadequate
for the threats faced when used during an election. That danger is one described this week to the LA Times as "a matter of national security," by computer scientist David Jefferson of the Lawrence Livermore National
Laboratory. He added, "The legitimacy of government depends on getting elections right."
Jefferson served on the UC Berkeley panel convened by California Sec. of State Bruce McPherson to study several aspects
of the Diebold voting system. That panel found more than 16 "serious vulnerabilities"in the system last February before
McPherson certified the systems for use in California anyway. Jefferson continues to serve as one of the top technical
voting systems advisors to McPherson.
"Microsoft has admitted that the Windows operating system in use in Maryland's Diebold voting systems is subject to at
least 75,000 known exploits," Spoonamore told us. "The unredacted version [of the SAIC report] reveals that none of them
have been defended against in these Diebold machines."
Finally, as Abrahams reported last Friday, there is yet another report commissioned by the State of Maryland to examine
whether the items in the SAIC report were adequately addressed. That report, completed by the firm Freeman, Craft and
McGregor — a group which has come under fire from Election Integrity advocates for its close relationship with the voting machine companies such as Diebold — has
also never been released to the public. We are told that we may soon be able to release that report in full as well.
Stay tuned.
***********
The complete SAIC Report documents follow in full below. The 200 or so pages have been converted into five separate PDF
files for easier downloading…
SAIC's Maryland Diebold Report, September 2, 2003
(Complete, never released, unredacted version, 197 pages including suggested edits and changes as made by unknown
party.)
SAIC's Maryland Diebold Report, as Publicly Released September 2, 2003
(Edited and redacted down to 40 pages)
– Redacted Version [PDF, appx 700k]
****ENDS****