The Johns Hopkins University computer scientist who identified security lapses in the voting system Maryland is adopting took his warnings to Annapolis yesterday, telling legislators he has no confidence the flaws are being fixed.
Aviel D. Rubin, technical director of Hopkins' Information Security Institute, criticized the Ehrlich administration's decision to withhold two-thirds of a consultant's report on problems with the Diebold voting system from public view. Rubin said that if the flaws have been fixed there's no justification for secrecy.
"We need to apply pressure on them to release that report," Rubin said in an interview after his presentation to the House Ways and Means Committee.
Rubin helped kick off in July what has become a national controversy when he released a study alleging that an election system produced by Ohio-based Diebold Election Systems was fraught with security flaws that could allow manipulation of election results.
The report was attacked by Diebold, which had been awarded the contract to supply a statewide touch-screen system for Maryland, but received support from many other computer scientists. "Our work is not just some lunatics from Johns Hopkins making some wild statements," Rubin told the committee.
Rubin's allegations prompted Gov. Robert L. Ehrlich Jr. to call for an independent review of the security of the system. The consultant that reviewed the Diebold system - Science Applications International Corp. - found there was a "high risk of compromise" but said the system could be fixed.
Rubin told the lawmakers that Diebold's problems have continued since he issued his report, noting that California election officials have refused to certify the system.
Rubin said the Diebold software he examined was vulnerable to an attack by someone wanting to tamper with an election.
"The skill level needed to hide malicious code is much easier than the skills needed to find it," he said. "I don't believe there's a computer scientist or a team in the world that could find it."
Linda Lamone, director of the state elections board, largely dismissed Rubin's concerns and insisted Diebold had completed all the recommended changes in its software. She accused computer scientists of trying to undermine confidence in elections officials.
"I think they're doing a great disservice to democracy," she said. "They're telling the public: Don't trust them, don't trust the voting equipment."
Russell Doupnick, the state's deputy chief information officer, rejected Rubin's call for full disclosure of the SAIC report. He said officials did not want to provide "a road map to intrude into the system."
Frank Schugar, SAIC's project manager on the election system, conceded that Rubin - whom he described as "extraordinarily qualified and more qualified than I am" - had some valid points.
"Is it easy to hide malicious code in a great big code package? Absolutely," he said - putting the chance it would go undetected at 99.9 percent.
Schugar said his company does not know whether all 26 vulnerabilities it found in the Diebold system had been fixed. He said SAIC had verified three changes had been completed successfully but does not expect to do a final examination of the system as suggested by Rubin.
Election board officials said another company, BSC Systems of Churchton, will conduct such a review.
Rubin said yesterday that the original code showed such a lack of competence that he doubted Diebold had the capability required to fix the software. However, he said he would be happy to lend his expertise in determining whether the revised code was secure.
Lamone said the elections board wouldn't take him up on the offer.
"I don't think Diebold would allow it," she said. "It's their proprietary code."
Del. Jean Cryor, a Montgomery County Republican, said she came to the briefing thinking Rubin would be a "smart aleck."
"I thought he was far more credible than I thought," she said. "I was disappointed the [election] administration didn't come forward with stronger and more focused responses to what his complaints had been since day one."