Diebold Documentation – CA Top-To-Bottom Review

Debra Bowen has recently released the “Documentation Assessment of the Diebold Voting Systems”. Having served as a software buyer and as a product manager, I can attest that software documentation is almost always an afterthought, usually poor, hard to keep up to date, and expensive to do well. It's also a very boring and mundane topic for the average software developer and nontechnical user.

Yet, don’t overlook this report. There are Gems (no pun intended) and very valuable insights in it. Below are several excerpts that will hopefully entice some to read at least a few pages of the report:

conscientious local election officials attempting to master the Diebold system will find the documentation presents numerous impediments to their managing the voting system correctly, in a manner that achieves high accuracy, security, and other core objectives…

Pursuant to the federal standards, Diebold submitted to CIBER [Independent Testing Authority] a set of voting system security policies…A comparative analysis shows that the security policies Diebold filed with CIBER were considerably more stringent and extensive than those it ultimately documented in Diebold’s product manuals..

configuration discrepancies involve an uncertified component, and unapproved and largely disabled security settings, raising serious questions about the voting system’s accuracy, security, and reliability

This approach tends to minimize serious security risks and sidestep mitigation strategies…

The Diebold documentation review team never received all of the expected…documentation, despite the team’s follow-up with detailed lists of omissions…

the security policy presented in the Diebold customer documentation differed significantly with the mandatory client security policy submitted to the ITA [Independent Testing Authority]…

we found that Diebold systems were deployed with a range of different COTS [Commercial Off-The-Shelf (like the Windows operating system)] software components other than those that were tested and those that appear in Diebold’s internal and customer documentation…

we found several significant problems, including:

  • Inconsistent security policies in different documentation sets
  • Problematic statements in the documentation distributed to customers
  • Failure to implement reasonable and consistent security configurations for systems delivered to customers

Read the whole report.

