Re: draft of text for new OVC-sponsored bill

From: cls <cls_at_truffula_dot_sj_dot_ca_dot_us>
Date: Mon Jan 19 2009 - 20:45:01 CST

>Date: Mon, 19 Jan 2009 18:14:46 -0700
>From: "Jim March" <1.jim.march@gmail.com>
>To: "Open Voting Consortium discussion list" <ovc-discuss@listman.sonic.net>
>Subject: Re: [OVC-discuss] draft of text for new OVC-sponsored bill

>On Mon, Jan 19, 2009 at 5:23 PM, cls <cls@truffula.sj.ca.us> wrote:
>>>Great. So there should be NO problem at all with somebody who does
>>>outside oversight briefly borrowing the county's CD at the precinct
>>>during polls close and ripping an ISO of it for later study.
>>
>>
>> I've got a small problem with that. The county's CD at the precinct
>> needs to be preserved for future audit and inspection along with the
>> paper ballots themselves. I need a guarantee that "somebody who does
>> outside oversight" returns the same CD in the same condition.
>> Does the county get to inspect and certify his disk copier?
>> Or does he get to inspect and certify the county's disk copier?
>> How does the chain of custody work?
>>
>> I can imagine a sabateur skilled in sleight of hand replacing the
>> county's CD with a faulty counterfeit that deteriorates in a few weeks.
>> His goal isn't to throw the current election, but to discredit the
>> current voting process. His accomplices challenge the election and
>> demand our much-ballyhooed end-to-end audit after enough time has
>> passed for his fake disk to develop errors while in the County's custody.
>>
>> -Cameron

>OK...first off, what exactly are the odds that a COUNTY worker
>inserting the drive into my system, my reading it and then the county
>worker (or pollworker let's say) removing it is going to go south? In
>any way?

It's not a matter of odds. It's a matter of whether this system
is designed to withstand attack by well equipped and well funded adversary
with political connections. Or do we just wave away the class of threats
we haven't addressed? Don't scoff, that describes the organization
that stole the presidential elections in '00 and '04.
"Wishing is not a valid design methodology."

>If you want to bar me as an observer from touching the disk, OK, I can
>go along with that. Put it in my drive, I'll read it, you pull it
>out.

>Even Penn&Teller would have a hard time pulling a funny with that...

Penn and Teller don't have the NSA to build them a laptop with a
"special" CD drive. Never underestimate the bad guy.
(Stage magicians spend lots of money on complex stage pieces.
They've got mirrors and prisms and projectors and remote manipulators
just to pull off the cutting a girl in half trick. Magicians in
P&T's class plausibly *could* have that special laptop prepared.)

I'm playing devil's advocate to some extent here. We can't afford
to oversell this system. That's been one of the biggest mistakes
the whole open source movement keeps making over and over again.
But this isn't just any FOSS project. Integrity and trustworthiness
are everything here. And if we trivialize the threats we don't
know how to address, then we won't design around them and we'll end
up with a weak system, which we'll be overselling as a strong system.

I'm especially alarmed at sweeping that nagging image verification
problem under the rug. It's the Achilles Heel of this whole approach.
Nobody has yet described to me how I can convince an electronic voting
skeptic that the image he just voted on was built from the exact sources
his expert inspected on the Registrar's web site last week.
I'm leaning towards admitting it's intractible during the time frame
of interest, and insisting on a design that *doesn't care* about
any particular software installation. Open source is important, but
not for solving this particular security problem. I want a solution
that can blow the doors off the hand-marked, hand-counted, no-computers-
in-the-whole-chain luddite bandwagon. I can't do that if my solution
depends on being able to verify and authenticate CD images.
The cryptographic strength and verifiability of those paper ballots,
(and the simplicity and verifiability of their custody protocol)
has to do it alone.

Cameron

_______________________________________________
OVC-discuss mailing list
OVC-discuss@listman.sonic.net
http://lists.sonic.net/mailman/listinfo/ovc-discuss
By sending email to the OVC-discuss list, you thereby agree to release the content of your posts to the Public Domain--with the exception of copyrighted material quoted according to fair use, including publicly archiving at http://gnosis.python-hosting.com/voting-project/
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Thu Jan 7 00:09:46 2010

This archive was generated by hypermail 2.1.8 : Thu Jan 07 2010 - 00:09:57 CST