U.S. To Certify Labs For Testing E-Voting Machines

InternetVoting writes "In a clear counter to the recent criticisms of secrecy involving Ciber labs the National Institute of Standards and Technology (NIST) has issued recommendations (pdf) to the Election Assistance Commission (EAC). NIST recommends the accreditation of two labs, iBeta Quality Assurance and SysTest Labs. The recommendation, emphasizing the need for transparency, includes on-site assessment reports, lab responses, and on-site reviews for each lab. These reports shed much needed light into the process of voting machine certification. Learn more from the Q&As About NIST Evaluation of Laboratories that Test Voting Systems."

Doesn't matter if the standards are the same...

[RyanFenton]

Are these new testers truly being paid to examine these machines completely and exhaustively, or are they being paid to run a script, and sign a document?

If it's the latter, then as long as the standards anywhere close to where they have been, we'll continue working with virtually whatever the voting machine companies assert is good.

Ryan Fenton

Re:Once that's done....

[smooth wombat]

how about an effort to screen the certifiable morons who keep getting onto the ballot?

I know you're trying to be funny but every state has requirements for people who want to run for office. So long as they meet those requirements, anyone can get on the ballot.

However, some states, such as Pennsylvania, have stacked the odds against third party candidates by requiring those candidates to meet higher standards. In Pennsylvania, if you are third party candidate and want to be on the ballot in November (you can't be on the ballot in May), you would need to gather signatures equal to or greater than 2% of the ballots cast for the largest vote-getter in the last statewide election race.

In the most recent election, third party candidates would have needed 67,070 valid signatures to be on the ballot as the highest vote count in the last statewide election was 3.4 million.

Contrast that with the 2,000 signatures that either a Democratic or Republican candidate must gather.

Obviously the answer is to have the legislature change the reqirement but the vast majority of the unwashed masses don't know about the requirement, don't care about the requirement, and are happy enough simply voting straight ticket.

Besides, can you imagine what would happen if it were easier for third party candidates to get on the ballot? Why, there would be competition and choice during an election! We can't have that, now can we?

More crap like NIAP?

[bug]

Another one of NIST's big security certification schemes is NIAP. It's difficult to see it as anything but a failure. The "protection profiles" that systems are tested against sometimes explicitly assume a benign environment with no hackers. Hello, what's the point then? Also, the most common certifications don't involve source code verification or any other kind of strenuous testing. Just take a look at the list of crap [bahialab.com] that they have validated, including some products with absurd levels of vulnerabilities. Apparently, Microsoft Windows is very secure, according to NIST's NIAP. Note also that, because this is pay to play, many of the best security tools are completely missing from the list. If I had to bet money, I'd say that well-heeled companies like Diebold will make it through the testing despite a lot of vulnerabilities, and the public will be no better off.