E-vote vendors submit software for safekeeping

Computerworld - WASHINGTON -- With less than a week to go before the presidential election and concerns still lingering about the integrity and security of the software used by tens of thousands of electronic voting machines, five voting machine makers agreed to submit their software to the National Software Reference Library (NSRL) for safekeeping, federal officials said yesterday.
While the move to store the software for comparison in the event of questions about the integrity of e-voting systems has been positively received, the decision comes more than three months after the U.S. Election Assistance Commission officially called on the vendors to submit their software to the NSRL.
In a July 13 advisory letter, EAC Chairman DeForest Soaries said that doing so would "facilitate the tracking of software version usage," a critical concern for some observers who say vendors have in the past installed patches and upgrades prior to and during elections without those pieces of software having been inspected.
The NSRL is designed to collect software and incorporate file profiles computed from the software into a reference data set (RDS) of information. The RDS can be used by law enforcement, government and industry organizations to review files on a computer by matching the profiles in the RDS. The National Institute of Standards and Technology will maintain the voting software library.
According to the NSRL's Web site, the five vendors that have submitted software are: Diebold Inc., Election Systems & Software Inc., Hart InterCivic, Sequoia Voting Systems and VoteHere.
Soaries also said that the EAC will solicit information about suspicious electronic voting system activity, including software programming, and, if necessary, will request aggressive investigation from the U.S. Department of Justice Elections Crimes Branch. The EAC will also document incidents and record data concerning e-voting equipment malfunctions during the election.
Alfie Charles, a spokesman for Sequoia Voting Systems, said the NSRL will store "pristine copies" of vendor software "to help prepare for the inevitable challenges that take place whenever there are close elections." He also said that "this election is likely to be the most litigated and challenged contest we have ever seen."
Security experts and grass-roots voter advocacy groups, however, are skeptical of the vendor move.
Avi Rubin, a professor at Johns Hopkins University and a leading critic of the security controls put in place by e-voting system vendors, called the reference library "smoke and mirrors." The real threat to the election, he said, is that if "the code is already rigged, storing the hashes only guarantees the malicious code will be there