A system that can't be compromised

From: Marc Baber <marc_at_botworks_dot_com>
Date: Wed Dec 06 2006 - 17:16:11 CST

Apparently attachments don't work on this list, so here's a cut and paste:

Hi Ron,

Let's say you have a digital image scanner that you bought a couple
years ago for your office computer and you now plan to use to scan
ballots this year. Because you're concerned about it being hacked, you
unplug it and the notebook computer you're planning to use with it and
put them in an empty locked room the day before the Secretary of State
publishes how the ballots will be formatted and ordered for the upcoming
election. The scanner and computer had no knowledge of the ballot
images before you put them in the room, obviously, because that
knowledge didn't exist yet. The scanner and computer cannot gain that
knowledge while they're in your locked room because they can't function
without electricity, are not connected to any network, have no wireless
interfaces and aren't telepathic.

On election day, you take your scanner and computer out of the locked
room, and down to county elections facilities where precinct ballot
stacks have been placed in a locked glass case after being bused in from
the precincts handcuffed to bipartisan teams of couriers in plain view
of citizen observers from each precinct. You go up to a glassed-in
counter and the election worker slides the "teller" window up so you can
slide your scanner inside the counting room. Then the election worker
slides the window down and locks it in place leaving just enough room
for the cable running from your scanner to your laptop PC. She plugs in
your scanner and turns it on. You boot up your notebook computer which,
by the way, has no internet connection, wireless or otherwise.

Next you request a stack of ballots from a certain precinct. The
election worker places the stack on your scanner and you initiate a
digital image scan of the entire stack, saving a tiff file for each
ballot page. After saving the image files, you run a dumb scanner
program to interpret the positions of colored-in ovals on each page and
write this data to a disk file. You use a common utility program to
produce checksum numbers for each file so that any tampering with the
files will be detectable. You print out the file names and checksums.
You save the image files, raw ballot data and checksum numbers to a
write-once CD.

Other individuals, representing other campaigns, do much the same, except
they're using their own computers, probably different brands and maybe
even different operating systems, different scanners and so on. You
don't know for sure that they kept their equipment in a locked room like
you did. You don't know that their notebooks don't have wireless
devices. You notice that one of the parties is using a power filter to
prevent even the possibility of data travelling through the power
cords. He plugs both his scanner and his computer into the power filter
on his side of the window. Another party keeps glancing at a small
keychain device he carries that has a blinking red light. He's
complaining to the election worker that he detected a WiFi signal in the
room and wants it shut down immediately. The election worker brings out
a directional detector and announces that anyone operating WiFi equipment
will be expelled from the counting facility. One gentleman quickly
apologizes and removes the wireless PCMCIA card in his notebook. The
red light stops blinking.

Using a different computer, someone else on your team uploads the CD to
your party's website where everyone can download it and the BDF (ballot
definition file) for that precinct and begin tabulation using open
source software program(s) that were certified, published and downloaded
long before this election's candidates were even announced. You can
check the BDF against an actual ballot to make sure the filled-in ovals
are assigned the correct significance.

Your team also compares your raw ballot data files with files created by
the opponent's scanners and notes which ballots have different data, if
any. On the ballots that appear different, you refer first to your own
scanned images and correct your raw data file where it appears your
scanner made a mistake. When it appears that your scanner got it right
and someone else's didn't, you let them know about it. If they agree
and correct their file, all's well. If not, the election workers refer to
the original paper ballot to reconcile.

My question to you, Ron, is: In this scenario, how do you imagine
someone might be able to compromise your scanner or computer so it
produced results favoring your opponent?

And, if you have any plausible answer to that, then I would ask how
would this someone compromise not only your scanner, but those of every
other participating scanning party so that they would all cheat (falsify
ballot images and data) in exactly the same way to avoid detection.
Note that any random vote-flipping would be detected because the systems
would almost certainly generate different random number sequences to
control the misvotes. Note that any flip-every-nth-ballot scheme would
be detected the instant any scanner fed two pages through at the same
time and got out of step or if someone changed the order of the ballots
even slightly. Note that any consistent, deterministic vote-flipping
scheme would require huge amounts of data in order to be prepared to
mis-read votes consistently with other mis-readers.

And, if you have any plausible answer to that, then I would ask how
would the malicious party compromise all the scanners beforehand when
he or she doesn't even know how many people are going to participate in
scanning, who is going to represent each participating campaign, who is
going to show up to participate in scanning, what equipment they're
going to use, whether they'll opt to hand count ballot images or which
precincts and/or counties they'll choose to scan.

I challenge anyone to find a reputable computer scientist or data
security expert anywhere in the world willing to stake their reputation
on a claim that it's possible such a system could be compromised to
produce a predetermined result and explaining how, exactly, it would be
done without being detected by one or more of the scanning and
tabulating parties.

No fair claiming the whole system is just too complex. It's not.
There's nothing here that is significantly more complex than most other
IT systems used today in business and government on a daily basis. I
know it's difficult to imagine starting with the status quo as a base or
not having much background in computer systems. I'm sorry this is such
a long scenario, but I wanted to try to convey, in detail, a seamless
vision of how I imagine this system working. I may have been asking
people to fill in too many of the blanks themselves with my previous
posts. But such a system could easily be implemented and there are
plenty of local computer buffs and/or consultants to perform
party/campaign sponsored counting in each county (CBOS = county-based
optical scan) in addition to PBOS done by pollworkers.

Thanks for reading and considering,


Ronald Crane wrote:
> A dishonest tabulator can produce dishonest ballot images to match its
> dishonest count. You need sampling hand recounts of the original
> ballots to detect this kind of fraud. To speak of "hand recounts" of
> electronic ballot images is really to propagate a non-sequitur.
> -R


EILeg mailing list

 Marc Baber           marc@botworks.com
 The Bot Works, Inc.  http://www.botworks.com 
 P.O. Box 5008        Phone: 541-485-8446
 Eugene, OR 97405     FAX:   541-485-8446

OVC-discuss mailing list

= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Sun Dec 31 23:17:06 2006

This archive was generated by hypermail 2.1.8 : Sun Dec 31 2006 - 23:17:16 CST
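
The checksum and cross-party comparison steps described in the message above, as an added example that is not part of the original post or of any election system's code. It assumes SHA-256 as the checksum, a ballot identifier on each page, and a made-up raw-data line format; the party names, file name and sample records are constructed.

```python
import hashlib

def manifest(files):
    """Checksum list for one party's CD: file name -> SHA-256 hex digest."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def tampered(files, published):
    """Names whose contents are missing or no longer match the printed checksums."""
    current = manifest(files)
    return sorted(n for n, digest in published.items() if current.get(n) != digest)

def parse_raw(text):
    """Parse raw ballot data lines of the assumed form 'ballot_id:contest=choice,...'."""
    ballots = {}
    for line in text.strip().splitlines():
        ballot_id, _, marks = line.partition(":")
        ballots[ballot_id.strip()] = dict(m.split("=") for m in marks.split(",") if m)
    return ballots

def disagreements(parties):
    """Ballots not read identically by every party; None marks a missing record."""
    all_ids = set().union(*(b.keys() for b in parties.values()))
    out = {}
    for ballot_id in sorted(all_ids):
        readings = {p: b.get(ballot_id) for p, b in parties.items()}
        forms = {None if r is None else tuple(sorted(r.items())) for r in readings.values()}
        if len(forms) > 1:
            out[ballot_id] = readings
    return out

# Constructed sample data for one precinct, as read by three independent parties.
RAW = {
    "party_a": "0001:gov=Smith,prop1=yes\n0002:gov=Jones,prop1=no\n0003:gov=Smith,prop1=no",
    "party_b": "0001:gov=Smith,prop1=yes\n0002:gov=Jones,prop1=no\n0003:gov=Jones,prop1=no",
    "party_c": "0001:gov=Smith,prop1=yes\n0003:gov=Smith,prop1=no",
}
FILES_A = {"precinct12.raw": RAW["party_a"].encode()}
PUBLISHED_A = manifest(FILES_A)

if __name__ == "__main__":
    parsed = {party: parse_raw(text) for party, text in RAW.items()}
    for ballot_id, readings in disagreements(parsed).items():
        print(ballot_id, readings)  # referred to the images, then the paper ballot
    altered = {"precinct12.raw": FILES_A["precinct12.raw"].replace(b"Jones", b"Smith")}
    print("altered files:", tampered(altered, PUBLISHED_A))
```

A ballot missing from one party's file (here 0002 for party_c, as after a double feed) is reported alongside ballots that were read differently, so both go to reconciliation.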