Re: Fw: Meet the $499 Mac.

From: Richard C. Johnson <dick_at_iwwco_dot_com>
Date: Sat Aug 27 2005 - 10:18:41 CDT

Ron,
 
The procedure for retiring bad machines is as follows:
 
1. The voter compares his vote on the screen to the printed ballot he holds in his hand
2. The voter is asked to verify that these two are the same and that they agree with the voter's intention
3. If yes, the voter completes the electronic voting by hitting YES and, leaving the polling station, deposits a printed ballot (as in the old days) in a locked ballot box.
4. If no, the voter leaves the booth without hitting YES and voids the paper ballot with an unmistakable mark in return for a new voting card, assuming that the voting screen still shows pending status.
5. The voter goes to another machine and votes.
6. The election official, observed by the pollwatchers, takes the offending machine out of service after verifying that the pending vote has not registered.
7. A sample of all paper ballots and, in defined circumstances, a 100% sample will be subject to hand count. Any error will cause an investigation. The digital ballot is (1) quick and (2) can cause the paper ballot process to be investigated. The digital path makes the paper voting path more secure.
 
Note that the entire process is understandable by anyone observing it. The machine failed, was detected by the voter, and that is not rocket science. The machine can be taken out of service, publicly, and in the view of observers (observe the official pull the plug).
 
If this does not inspire total trust (and it should not), at least it should allow for the useful co-existence of paper and digital ballots. And it substantially raises the cost of corrupting the system, all any security measure can hope to do.
 
As for denying COTS any meaning, well, I suppose that one's phone could easily be designed by Bell Labs to have an automatic connection to the FBI that would make bugs unnecessary, but I have yet to understand that such has happened. Many bad things could happen, and we can't ward off all of them. Such is life. But I think that at least today, the composition of most off-the-shelf devices is knowable and does not include voting-specific features. I think that software vendors' products (even Microsoft XP) are free of voting-specific malware. My point is simply that our ability to imagine dangers should not make us all haters of machines in general.
 
I do believe that the major features of common sense voting security can be made understandable to the vast majority, whether digital or paper ballots are used. I also believe in a role for those with technical expertise to investigate attempts to subvert the voting process and to investigate occasions where officials proceed in spite of error.
 
Oh, yes. Paper can be bent to any end you like. One doesn't, in fact, know most of them. Paper, done alone, is hardly secure. Observers are barred in many states for the counting, tabulating, and administrative processes.
 
Counterfeiters, for another paper-based example, have caused the feds to go to extreme measures to protect the currency (paper), most lately by adding high tech features that deter by making counterfeiting more expensive. Why should we not assist our paper voting by extending twin data paths of both paper and digital ballots? I think we should. IMHO.
 
-- Dick

Ron Crane <voting@lastland.net> wrote:
Paper is certainly susceptible of various kinds of fraud. We also know most of them, because we've used paper for a long time, and (unlike computers) it is not infinitely malleable. The mechanisms for ensuring chains of custody are well-known, and an ordinary member of the public effectively can supervise every one -- given appropriate official cooperation.

Voter verification, as I have pointed out many times, is a half-measure of doubtful efficacy. I have asked, and asked, and asked again for a cite to a study confirming its efficacy, and every time my request has been met with booming silence. But even assuming some voters "catch" a cheating voting station by verifying their ballots, what then? Will they bother to report it? Or will they just leave in disgust? If they report it, what will the pollworkers do? Cancel their ballot and let them re-vote -- because it's a "glitch", right? But even if the pollworkers want to take it seriously, what do they do? Report it to their superiors, right? And what do the superiors do? Ignore the problem? Conclude that the voters don't know what they're talking about? Call the vendor? Turn off the machines and break out the paper ballots, leaving an unknown amount of fraud uncorrected? Cancel the election and reschedule it? It's hard even to determine an appropriate response, let alone to implement one.

But even were someone magically to solve every e-voting security issue once and for all, an average member of the public cannot, and never will be able to, competently supervise a voting process that uses it. That, in and of itself, makes its use contrary to the checks-and-balances-by-citizens principle at our republic's core. I suspect that Jefferson and Madison (and possibly even the anti-democrat Hamilton) would scream if they knew we were using a voting system that average citizens cannot effectively supervise.

-R

Richard C. Johnson wrote: Ron,
 
Paper ballots, like digital ones, sometimes get lost, strayed, or stolen, or even generated from the legions of the dead. Neither will ever generate trust by mere existence. Both require you, even if you trust, to verify through cross checking, procedural safeguards, poll watchers, locked ballot boxes, encrypted data lines, and so forth.
 
I believe firmly that there is no necessary safety in paper ballots, that such ballots need to be subject to security procedures. And I believe that there is no necessary lack of security in digital votes, just a crying need for cross-checking with voter-verified paper ballots and for the procedures and checks and observers that make it very difficult to cheat or to propagate error.
 
I trust no one with my ballot, suspect everyone, and want all the checks and balances and security procedures I can get. Paper alone, however, does not inspire trust. A securely engineered combination of digital and paper voting, however, comes closer to earning my trust than anything else I know.
 
Trust little, verify much.
 
-- Dick

Ron Crane <voting@lastland.net> wrote:
charlie strauss wrote:

>...It's possible, likely I guess, that when macs go to Intel they will also go to trusted platform computing. While that's a controversial topic for some people, I think it's something the voting community should embrace as one more layer of security that begins to address the one topic we have left uncovered. How do you know the binary you are running is the one you think you are running...
>
If "you" is an average voter, you don't: you have to trust the "experts"
-- elections officials, vendors, and (if you're lucky) a savvy activist
or two. That, in itself, is an excellent reason to abandon e-voting for
precinct-based hand-counted paper. The voting system is our republic's
basis, and must therefore be effectively supervised by ordinary
citizens. And ordinary citizens understand squat about software in
general, let alone about computer security.

>And how do you establish a secure connection to the video screen that can't have a man in the middle? Trusted platform computing along with the new HD video screens address these issues. Not necessarily perfectly, but with a very solid layer we lack right now.
>
>
What's "solid" about it? Why should I trust it? What prevents the vendor
from installing a malware loader in its firmware? What prevents the
vendor from hiding a wireless or BPL device (getting smaller all the
time) somewhere in the system, then using it to convey triggers and/or
cheating code on election day? How would I ever detect the presence of
such malicious firmware? And when the computers are recycled into the
general school population (and then back for voting machines in the next
election -- yikes!) what prevents whoever uses them (or the vendor via
regular "updates" or "service") from installing malicious code in their
firmware, and malicious devices in their hardware?

>Also I'd like to point out that there is a LINUX BIOS available. Developed I believe at Los Alamos National Lab. Use that instead of the regular BIOS and you can scrap the boot loader. It's open source.
>
>
That might solve one problem. Maybe. Quite aside from the "Reflections
on Trusting Trust" problem, it'll be difficult enough getting
pollworkers properly to check that the correct voting application is
loaded (i.e. to check the cryptographic signature with a piece of
software not provided by the vendor or a vendor's associate). I'm sure
getting them to flash the firmware properly'll be a blast. In any case
the "Linux BIOS" addresses only mainboard BIOS issues, not those in the
video BIOS, nor in any system-management firmware, nor in any hidden
trap-door firmware, nor in malicious hardware.

There are just too many ways to cheat with computers, and the number
(and deviousness) of cheats increases daily.

-R
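The quoted exchange above turns on one concrete check: confirming that the binary on a voting machine is the one the vendor released, using "a piece of software not provided by the vendor or a vendor's associate". The following is an added example, not code from this thread or from any voting vendor, showing what that independent check looks like under an assumed scheme: the vendor publishes a manifest of SHA-256 hashes for every installed file and an Ed25519 signature over it, and the verifier holds the vendor's public key obtained out of band (printed in the certification record, say). Names such as `bin/ballot-ui` and the file contents are constructed stand-ins. It catches a modified binary, an extra unlisted file, and a manifest rewritten to match the tampering; it does nothing about the "Reflections on Trusting Trust" problem the reply raises, since the verifier itself and the machine it runs on still have to be trusted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps an installed file name to the hex SHA-256 of its contents.
type Manifest map[string]string

// BuildManifest hashes every file; the vendor runs this at release time.
func BuildManifest(files map[string][]byte) Manifest {
	m := make(Manifest, len(files))
	for name, content := range files {
		sum := sha256.Sum256(content)
		m[name] = hex.EncodeToString(sum[:])
	}
	return m
}

// Canonical serialises the manifest in sorted order so the signature
// covers one fixed byte string regardless of map iteration order.
func (m Manifest) Canonical() []byte {
	names := make([]string, 0, len(m))
	for name := range m {
		names = append(names, name)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, name := range names {
		fmt.Fprintf(&b, "%s  %s\n", m[name], name)
	}
	return []byte(b.String())
}

// GenerateVendorKey stands in for the vendor's release key ceremony.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is the vendor side: an Ed25519 signature over the canonical manifest.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Canonical())
}

// Verify is the independent check. It validates the signature with a public
// key obtained out of band, recomputes every hash from the files actually
// present, and flags files the manifest never listed. An empty result means
// the install matches the signed release; otherwise each problem is named.
func Verify(pub ed25519.PublicKey, m Manifest, sig []byte, files map[string][]byte) []string {
	var problems []string
	if !ed25519.Verify(pub, m.Canonical(), sig) {
		problems = append(problems, "manifest signature invalid")
	}
	for name, want := range m {
		content, ok := files[name]
		if !ok {
			problems = append(problems, "missing file: "+name)
			continue
		}
		sum := sha256.Sum256(content)
		if hex.EncodeToString(sum[:]) != want {
			problems = append(problems, "hash mismatch: "+name)
		}
	}
	for name := range files {
		if _, listed := m[name]; !listed {
			problems = append(problems, "unlisted file: "+name)
		}
	}
	sort.Strings(problems)
	return problems
}

func main() {
	// Constructed stand-in for the installed voting application.
	files := map[string][]byte{
		"bin/ballot-ui":    []byte("ballot user interface v1"),
		"etc/contests.xml": []byte("<contests/>"),
	}
	pub, priv := GenerateVendorKey()
	manifest := BuildManifest(files)
	sig := Sign(priv, manifest)
	fmt.Println("clean install:", Verify(pub, manifest, sig, files))

	// One binary altered after signing, plus a library nobody listed.
	tampered := map[string][]byte{
		"bin/ballot-ui":    []byte("ballot user interface v1 plus vote shaving"),
		"etc/contests.xml": files["etc/contests.xml"],
		"lib/helper.so":    []byte("unlisted"),
	}
	fmt.Println("tampered install:", Verify(pub, manifest, sig, tampered))

	// Attacker also rewrites the manifest to match: the signature now fails.
	forged := BuildManifest(tampered)
	fmt.Println("forged manifest:", Verify(pub, forged, sig, tampered))
}
```

The point of the design is that the pollworker's tool needs only the public key and the manifest; it never runs anything the vendor shipped, and it reports a named list of discrepancies rather than a bare yes/no, so an observer can see which file failed.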

_______________________________________________
OVC discuss mailing lists
Send requests to subscribe or unsubscribe to arthur@openvotingconsortium.org

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Wed Aug 31 23:17:33 2005

This archive was generated by hypermail 2.1.8 : Thu Sep 15 2005 - 11:44:12 CDT