From: Edward Cherlin <echerlin_at_gmail_dot_com>
Date: Tue Jan 27 2009 - 03:43:10 CST

On Mon, Jan 26, 2009 at 6:24 PM, Ronald Crane <> wrote:

[sigh] I guess I have to break my own rule.

Ron, you are straining at gnats while swallowing camels (in
particular, in your other recent posts, the notions that hand-marked
paper ballots can be made secure, or are in any way preferable to
machine-marked ballots). We have evidently failed to communicate
something essential to you, but I can't imagine where the gap lies.

> Alan Dechert wrote:
>> From: "Ronald Crane" <>
>>> On class certification, if the class is something like "all
>>> PC97-compliant computers",
>> No, of course not. The class spec would spell out a configuration in some
>> detail.

I don't think that great detail is needed. There would be a minimum
standard for processor and memory, and there would be some
prohibitions, but I think that they can be summed up as "no external
access possible during voting" and "verifiable BIOS". Instead of
complicated design requirements, we can use relatively simple methods
for officials and observers to detect any problems, so that
problematic equipment just doesn't get used, or is immediately removed
from service on detection of a problem.

>> It would need to be standard PC architecture so anyone could run it
>> to test, but for use in an election, there would be a number of restrictions
>> on the configuration. For example, the CD drive would need to be out of
>> reach to the voter.

The entire computer needs to be out of reach. Only the touchscreen and
a printer output slot need to be accessed by voters. This question of
physical access has nothing to do with the configuration.

>> I don't think this is necessary to go into detail about
>> at this point. Mostly, it would be a set of dos and don'ts about how these
>> PCs can be set up, configured, and the procedures for how they are handled
>> before and after the election.
> I think it's necessary to ban network interfaces in the statute. They're
> hazardous, there's no good reason ever to have one in a voting machine, and
> we won't always have an SoS as competent as Bowen to write the regulations.
> -R

o It is not necessary or desirable to ban network hardware. It is
necessary for our software to turn off any networking. This is not at
all difficult in Linux, regardless of the network hardware interface.
We have proposed the use of used government computers for voting. It
is extremely unlikely that any such computers will come without
network hardware.

o No network exploit can corrupt a CD.

o The idea is to put the standards into the law, under the supervision
of a competent public standards body (choose from NIST, ANSI, ISO,
IEEE, but not ECMA), not of random SoSs. The law should also specify
public oversight, not control by partisan officials. Public oversight
can only be achieved by designing systems to be auditable, and then
requiring auditable data to be posted to the Internet. When the data
stream (software, ballot layouts, voting data) is public and
verifiable, it doesn't matter what can be done behind closed doors by
the devious and malicious, because it would be immediately detected.

o It will be easy to design systems for observers that can detect and
record any wireless network traffic going on at the polling place.
Forensic experts can then review this data. The software for these
functions already exists (war-driving, packet-sniffing). There should
be no active Wi-Fi access points in any voting facility. When wireless
becomes ubiquitous, we can discuss putting voting computers into
shielded enclosures. Basically these will be boxes with copper foil or
copper mesh sandwiched between layers of plastic or cardboard, or
something like that. Cheap, effective, and verifiable with common
equipment. (I wrote a study of the much more demanding Tempest
shielding issues long ago when it was much harder and more expensive
to accomplish.)
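
The point above about having the software turn off networking regardless of the network hardware can be checked by officials rather than assumed. The script below is an added example, not part of the original message or of any project code. It assumes the Linux sysfs layout `/sys/class/net/<iface>/{type,flags}`; `audit_net` and `make_sample` are hypothetical names, and the interface trees are constructed test data.

```shell
# Added example. Assumes the Linux sysfs layout /sys/class/net/<iface>/{type,flags}:
# type 772 is ARPHRD_LOOPBACK, and bit 0x1 of flags is IFF_UP (administratively up).

# audit_net [DIR]: report every non-loopback interface; return 1 if any is up.
audit_net() {
    netdir=${1:-/sys/class/net}
    bad=0
    for d in "$netdir"/*; do
        [ -r "$d/flags" ] || continue          # skip non-interface entries
        iface=${d##*/}
        iftype=$(cat "$d/type" 2>/dev/null)
        flags=$(cat "$d/flags")
        [ "$iftype" = 772 ] && continue        # loopback never leaves the machine
        if [ $(( $flags & 1 )) -ne 0 ]; then
            echo "FAIL $iface is up (flags=$flags)"
            bad=1
        else
            echo "ok   $iface is down (flags=$flags)"
        fi
    done
    return $bad
}

# make_sample DIR name:type:flags ... : build a constructed sysfs-like tree
# so the check can be exercised offline (hypothetical helper, test data only).
make_sample() {
    root=$1; shift
    for spec in "$@"; do
        name=${spec%%:*}; rest=${spec#*:}
        mkdir -p "$root/$name"
        echo "${rest%%:*}" > "$root/$name/type"
        echo "${rest#*:}"  > "$root/$name/flags"
    done
}

# Constructed samples: one machine with networking off, one with Wi-Fi left up.
tmp=$(mktemp -d)
make_sample "$tmp/locked" lo:772:0x9 eth0:1:0x1002 wlan0:1:0x1002
make_sample "$tmp/leaky"  lo:772:0x9 eth0:1:0x1002 wlan0:1:0x1003
for m in locked leaky; do
    if audit_net "$tmp/$m"; then echo "$m: PASS"; else echo "$m: REJECT"; fi
done
rm -rf "$tmp"
```

Called with no argument, `audit_net` reads the live `/sys/class/net`. It checks only the administrative up flag, so the observers' wireless monitoring described in the message remains a separate check.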

