Re: Fw: Meet the $499 Mac.

From: Ron Crane <voting_at_lastland_dot_net>
Date: Sat Aug 27 2005 - 13:23:35 CDT
Richard C. Johnson wrote:
The procedure for retiring bad machines is as follows:
1. The voter compares his vote on the screen to the printed ballot he holds in his hand
2. The voter is asked to verify that these two are the same and that they agree with the voter's intention
3. If yes, the voter completes the electronic voting by hitting YES and, leaving the polling station, deposits a printed ballot (as in the old days) in a locked ballot box.
4. If no, the voter leaves the booth without hitting YES and voids the paper ballot with an unmistakable mark in return for a new voting card, assuming that the voting screen still shows pending status.
5. The voter goes to another machine and votes.
6. The election official, observed by the pollwatchers, takes the offending machine out of service after verifying that the pending vote has not registered.
7. A sample of all paper ballots and, in defined circumstances, a 100% sample will be subject to hand count.  Any error will cause an investigation. The digital ballot is (1) quick and (2) can cause the paper ballot process to be investigated. 
Taking "an" offending machine out of service fixes that machine -- from the point at which it is turned off forward. It does not fix a vendor-installed cheat potentially affecting many or all of the machines, and it does not correct fraudulent ballots cast using "the" offending machine before it was turned off. The sampling hand recounts will catch only cheats in which the machine records the voter's choice in one place (e.g., the voter-readable portion of a VVPB) and its (fraudulent) choice in another (e.g., the corresponding bar code on the VVPB). If the machine instead records its (fraudulent) choice everywhere (relying upon most voters not verifying their ballots), no amount of cross-checking will catch it. Also your approach does not catch presentation frauds, where the machine makes it more difficult to select disfavored candidates, or just occasionally omits them from the ballot entirely.
The digital path makes the paper voting path more secure.
Note that the entire process is understandable by anyone observing it.  The machine failed, was detected by the voter, and that is not rocket science.  The machine can be taken out of service, publicly, and in the view of observers (observe the official pull the plug)....
It may be "understandable" in some sense, but it is not effectively supervisable. Yes, an individual (conscientious) voter can more or less determine whether her vote has made it properly onto the human-readable portion of her VVPB -- though not whether her ballot was tallied correctly. But voters at large cannot determine whether other voters' votes are properly recorded and tallied. And the digital path *creates the necessity* for the doubtful enterprise of voter verification (have you found a study verifying its efficacy yet?) and for the sampling (or 100%) hand recounts.
As for denying COTS any meaning, well, I suppose that one's phone could easily be designed by Bell Labs to have an automatic connection to the FBI that would make bugs unnecessary, but I have yet to understand that such has happened. 
Did you know that routers now support wiretapping as just another administrative feature, e.g. ? I have no doubt that digital telephone switches also support this, as required by 47 U.S.C. 1001 et seq. ("Communications Assistance for Law Enforcement Act"). .
Many bad things could happen, and we can't ward off all of them.  Such is life.  But I think that at least today, the composition of most off the shelf devices is knowable and does not include voting specific features.  I think that software vendors' products (even Microsoft XP) are free of voting specific malware. 
"Today" and "are" are key words here. Further, nothing prevents a malicious vendor from adding malware to its "COTS" hardware -- and doing so will only become easier as systems become more advanced (see below).
My point is simply that our ability to imagine dangers should not make us all haters of machines in general.
I don't "hate" machines. I do, however, see that computers' flexibility (which makes them so useful for so many things) is anathema to secure voting. And that flexibility increases every day. Very little prevents a malicious vendor from embedding a malware loader in a "COTS" machine. And as communications devices and system management functions become standard equipment, it will only become easier to inject malicious software.
I do believe that the major features of common sense voting security can be made understandable to the vast majority, whether digital or paper ballots are used.  I also believe in a role for those with technical expertise to investigate attempts to subvert the voting process and to investigate occasions where officials proceed in spite of error.
This is but to say that it's sufficient for the general public to understand the process's outlines, but not the details. That works for most things, but I don't think it works for voting. It still permits a small elite to determine how votes are counted -- and thus who wields the State's power.
Oh, yes.  Paper can be bent to any end you like.  One doesn't, in fact, know most of them.  Paper, done alone, is hardly secure.  Observers are barred in many states for the counting, tabulating, and administrative processes. 
That, of course, must change. But equivalent (actually more extensive) procedural changes are required to open up e-voting to any kind of public scrutiny.
Counterfeiters, for another paper-based example, have caused the feds to go to extreme measures to protect the currency (paper), most lately by adding high tech features that deter by making counterfeiting more expensive.  Why should we not assist our paper voting by extending twin data paths of both paper and digital ballots?  I think we should.  IMHO.
Please. Money's chain of custody cannot practically be monitored, therefore it must be self-validating. Paper ballots' chain of custody *can* practically be monitored, so self-validation is unnecessary (and creates other problems, like what to do when the self-validation fails). The entire process, from casting at the precinct, to placement in the ballot box, to the box remaining locked until the close of polls, to the opening of the box, to the removal and hand counting of the ballots, to the compilation of the totals, to their posting at the precinct and via the media, can be understood and monitored by any person of ordinary intelligence. Absentee ballots are, admittedly, another story that requires careful consideration -- but e-voting does nothing to change that.

But all this aside, e-voting is just unnecessary. It creates many security problems while conferring significant benefits to only a small subset of the population -- most of whom might be helped just as well by Braille-enhanced paper ballots or similar non-electronic technologies.

-- Dick

Ron Crane <> wrote:
Paper is certainly susceptible of various kinds of fraud. We also know most of them, because we've used paper for a long time, and (unlike computers) it is not infinitely malleable. The mechanisms for ensuring chains of custody are well-known, and an ordinary member of the public effectively can supervise every one -- given appropriate official cooperation.

Voter verification, as I have pointed out many times, is a half-measure of doubtful efficacy. I have asked, and asked, and asked again for a cite to a study confirming its efficacy, and every time my request has been met with booming silence. But even assuming some voters "catch" a cheating voting station by verifying their ballots, what then? Will they bother to report it? Or will they just leave in disgust? If they report it, what will the pollworkers do? Cancel their ballot and let them re-vote -- because it's a "glitch", right? But even if the pollworkers want to take it seriously, what do they do? Report it to their superiors, right? And what do the superiors do? Ignore the problem? Conclude that the voters don't know what they're talking about? Call the vendor? Turn off the machines and break out the paper ballots, leaving an unknown amount of fraud uncorrected? Cancel the election and reschedule it? It's hard even to determine an appropriate response, let alone to implement one.

But even were someone magically to solve every e-voting security issue once and for all, an average member of the public cannot, and never will be able to, competently supervise a voting process that uses it. That, in and of itself, makes its use contrary to the checks-and-balances-by-citizens principle at our republic's core. I suspect that Jefferson and Madison (and possibly even the anti-democrat Hamilton) would scream if they knew we were using a voting system that average citizens cannot effectively supervise.


Richard C. Johnson wrote:
Paper ballots, like digital ones, sometimes get lost, strayed, or stolen, or even generated from the legions of the dead.  Neither will ever generate trust by mere existence.  Both require you, even if you trust, to verify through cross checking, procedural safeguards, poll watchers, locked ballot boxes, encrypted data lines, and so forth. 
I believe firmly that there is no necessary safety in paper ballots, that such ballots need to be subject to security procedures.  And I believe that there is no necessary lack of security in digital votes, just a crying need for cross-checking with voter verified paper ballots and for the procedures and checks and observers that make it very difficult to cheat or to propagate error.
I trust no one with my ballot, suspect everyone, and want all the checks and balances and security procedures I can get.  Paper alone, however, does not inspire trust.  A securely engineered combination of digital and paper voting, however, comes closer to earning my trust than anything else I know.
Trust little, verify much.
-- Dick

Ron Crane <> wrote:
charlie strauss wrote:

>...It's possible, likely I guess, that when macs go to Intel they will also go to trusted platform computing. While that's a controversial topic for some people, I think it's something the voting community should embrace as one more layer of security that begins to address the one topic we have left uncovered. How do you know the binary you are running is the one you think you are running...
If "you" is an average voter, you don't: you have to trust the "experts"
-- elections officials, vendors, and (if you're lucky) a savvy activist
or two. That, in itself, is an excellent reason to abandon e-voting for
precinct-based hand-counted paper. The voting system is our republic's
basis, and must therefore be effectively supervised by ordinary
citizens. And ordinary citizens understand squat about software in general, let alone about computer security.

>And how do you establish a secure connection to the video screen that can't have a man in the middle? Trusted platform computing along with the new HD video screens address these issues. Not necessarily perfectly, but with a very solid layer we lack right now.
What's "solid" about it? Why should I trust it? What prevents the vendor
from installing a malware loader in its firmware? What prevents the
vendor from hiding a wireless or BPL device (getting smaller all the
time) somewhere in the system, then using it to convey triggers and/or
cheating code on election day? How would I ever detect the presence of
such malicious firmware? And when the computers are recycled into the
general school population (and then back for voting machines in the next
election -- yikes!) what prevents whoever uses them (or the vendor via
regular "updates" or "service") from installing malicious code in their
firmware, and malicious devices in their hardware?

>Also I'd like to point out that there is a LINUX BIOS available. Developed I believe at Los Alamos National Lab. Use that instead of the regular bios and you can scrap the boot loader. It's open source.
That might solve one problem. Maybe. Quite aside from the "Reflections
on Trusting Trust" problem, it'll be difficult enough getting
pollworkers properly to check that the correct voting application is
loaded (i.e. to check the cryptographic signature with a piece of
software not provided by the vendor or a vendor's associate). I'm sure
getting them to flash the firmware properly'll be a blast. In any case
the "Linux BIOS" addresses only mainboard BIOS issues, not those in the
video BIOS, nor in any system-management firmware, nor in any hidden
trap-door firmware, nor in malicious hardware.

There are just too many ways to cheat with computers, and the number
(and deviousness) of cheats increases daily.


OVC discuss mailing lists
Send requests to subscribe or unsubscribe to

= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Wed Aug 31 23:17:33 2005

This archive was generated by hypermail 2.1.8 : Thu Sep 15 2005 - 11:44:12 CDT