Re: draft of text for new OVC-sponsored bill

From: Ronald Crane <voting_at_lastland_dot_net>
Date: Thu Jan 22 2009 - 15:10:49 CST
In that approach, the public has to trust the officials to download the correct code, to maintain a continuous chain of custody over the CDs thus created, to use those CDs to load the machines on election day, and to make honest copies of them for post-election audits (instead of using hacked CDs and giving out correct CDs for post-election audits). The only things the public gets directly to audit are, apparently, the source, the downloaded ISO images, and the (possibly-hacked) copies of the discs supposedly used on election day. This isn't very solid.

On hashes, verification is a little tricky, particularly for code downloaded from websites. A raw hash, published on the same website that provides the code downloads, can be attacked by replacing both the code and the hash on that website. A GPG signature is better, but it requires more-complex verification, and non-techie officials might not catch techniques in which an attacker falsifies the relevant signature "trust web". Also, an attacker might mount a DoS attack by attacking the "trust web" (e.g., key servers) to make it appear that a valid GPG signature is invalid.

On verifying firmware, that's even more difficult. Modern computers' firmware often resides in flash memory instead of in ROM, so it's not really safe to let an auditor examine the machine, nor is there a good way of determining whether a "copy" of such firmware (made, presumably, by some machine operated by an official) is identical to what's loaded on the machine.


Edward Cherlin wrote:
Unfortunately, many of us do not entirely understand how our own
proposal works. This condition is sometimes described as "knowing
enough to be dangerous, but not enough to be helpful." I say this
having been in that state myself. As I understand it, the objections
raised here have previously been answered on this list and the answers
added to our Web site.

These questions also make assumptions about the workings of state and
local governments that simply turn out not to be the case, and cannot
be the case.

On Mon, Jan 19, 2009 at 4:23 PM, cls <> wrote:
Date: Mon, 19 Jan 2009 16:56:34 -0700
From: "Jim March" <>
To: "Open Voting Consortium discussion list" <>
Subject: Re: [OVC-discuss] draft of text for new OVC-sponsored bill
On Mon, Jan 19, 2009 at 4:29 PM, Alan Dechert <> wrote:
----- Original Message ----- From: "Ronald Crane" <>

No CD-R or CD-RW.  The disks will be made with duplicators appropriate for
the purpose.  Did you come to LinuxWorld?  We had one there.  Disk labels
will be serialized.
Great.  So there should be NO problem at all with somebody who does
outside oversight briefly borrowing the county's CD at the precinct
during polls close and ripping an ISO of it for later study.

No, that's not how it works. The student downloads an ISO from the
development site or from the election site. Nobody has a legitimate
reason to mess around with the chain of custody of physical CDs used
in elections.

I've got a small problem with that.  The county's CD at the precinct
needs to be preserved for future audit and inspection along with the
paper ballots themselves.  I need a guarantee that "somebody who does
outside oversight" returns the same CD in the same condition.

There is no reason to give an auditor physical custody of the CD. Any
needed copy is made and validated in the election office or the

Does the county get to inspect and certify his disk copier?
Or does he get to inspect and certify the county's disk copier?

He gets to validate the disk image. No disk copier can make an
incorrect copy without detection.

How does the chain of custody work?

Again, this has nothing to do with proper procedure. Disks that are
used in elections do not get let out without proper certification of
custody and validation of the identity of the disk. The test for the
identity of a CD image is a cryptographic signature. When this is done
correctly, it is computationally infeasible for any one to change the
contents of a CD and get the same signature within the known age of
the universe.

I can imagine a saboteur skilled in sleight of hand replacing the
county's CD with a faulty counterfeit that deteriorates in a few weeks.

This is nonsense. CDs of common quality are good for decades as
archival storage. How do you propose to make one degrade?

His goal isn't to throw the current election, but to discredit the
current voting process.  His accomplices challenge the election and
demand our much-ballyhooed end-to-end audit after enough time has
passed for his fake disk to develop errors while in the County's custody.

Audits must be done within a reasonable time after an election, and
preferably before certification of the results, in the same way that
financial audits must be done and certified within a set time after
the end of the fiscal year. When is any form of audit done at some
arbitrary later time?


That needs to be part of the procedures manual - remember, in Cali you
certify both the system and procedures for use of same...



OVC-discuss mailing list
By sending email to the OVC-discuss list, you thereby agree to release the content of your posts to the Public Domain--with the exception of copyrighted material quoted according to fair use, including publicly archiving at
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Thu Jan 7 00:09:49 2010

This archive was generated by hypermail 2.1.8 : Thu Jan 07 2010 - 00:09:57 CST