Re: Avante Releases White Papers on AVVPAT...

From: Joseph Lorenzo Hall <joehall_at_gmail_dot_com>
Date: Sun Jun 13 2004 - 17:36:19 CDT

OK... a follow-up: How are these issues dealt with in gambling?

Joe

PS: I ask after reading today's NY Times editorial which seems to make
a slew of very good points:

http://www.nytimes.com/2004/06/13/opinion/13SUN1.html

June 13, 2004
MAKING VOTES COUNT
Gambling on Voting

If election officials want to convince voters that electronic voting
can be trusted, they should be willing to make it at least as secure
as slot machines. To appreciate how poor the oversight on voting
systems is, it's useful to look at the way Nevada systematically
ensures that electronic gambling machines in Las Vegas operate
honestly and accurately. Electronic voting, by comparison, is rife
with lax procedures, security risks and conflicts of interest.

On a trip last week to the Nevada Gaming Control Board laboratory, in
a state office building off the Las Vegas Strip, we found testing and
enforcement mechanisms that go far beyond what is required for
electronic voting. Among the ways gamblers are more protected than
voters:

1. The state has access to all gambling software. The Gaming Control
Board has copies on file of every piece of gambling device software
currently being used, and an archive going back years. It is illegal
for casinos to use software not on file. Electronic voting machine
makers, by contrast, say their software is a trade secret, and have
resisted sharing it with the states that buy their machines.

2. The software on gambling machines is constantly being spot-checked.
Board inspectors show up unannounced at casinos with devices that let
them compare the computer chip in a slot machine to the one on file.
If there is a discrepancy, the machine is shut down, and investigated.
This sort of spot-checking is not required for electronic voting. A
surreptitious software change on a voting machine would be far less
likely to be detected.

3. There are meticulous, constantly updated standards for gambling
machines. When we arrived at the Gaming Control Board lab, a man was
firing a stun gun at a slot machine. The machine must work when
subjected to a 20,000-volt shock, one of an array of rules intended to
cover anything that can possibly go wrong. Nevada adopted new
standards in May 2003, but to keep pace with fast-changing technology,
it is adding new ones this month.

Voting machine standards are out of date and inadequate. Machines are
still tested with standards from 2002 that have gaping security holes.
Nevertheless, election officials have rushed to spend hundreds of
millions of dollars to buy them.

4. Manufacturers are intensively scrutinized before they are licensed
to sell gambling software or hardware. A company that wants to make
slot machines must submit to a background check of six months or more,
similar to the kind done on casino operators. It must register its
employees with the Gaming Control Board, which investigates their
backgrounds and criminal records.

When it comes to voting machine manufacturers, all a company needs to
do to enter the field is persuade an election official to buy its
equipment. There is no way for voters to know that the software on
their machines was not written by programmers with fraud convictions,
or close ties to political parties or candidates.

5. The lab that certifies gambling equipment has an arms-length
relationship with the manufacturers it polices, and is open to
inquiries from the public. The
Nevada Gaming Control Board lab is a state agency, whose employees are
paid by the taxpayers. The fees the lab takes in go to the state's
general fund. It invites members of the public who have questions
about its work to call or e-mail.

The federal labs that certify voting equipment are profit-making
companies. They are chosen and paid by voting machine companies, a
glaring conflict of interest. The voters and their elected
representatives have no way of knowing how the testing is done, or
that the manufacturers are not applying undue pressure to have flawed
equipment approved. Wyle Laboratories, one of the largest testers of
voting machines, does not answer questions about its voting machine
work.

6. When there is a dispute about a machine, a gambler has a right to
an immediate investigation. When a gambler believes a slot machine has
cheated him, the casino is required to contact the Gaming Control
Board, which has investigators on call around the clock. Investigators
can open up machines to inspect their internal workings, and their
records of recent gambling outcomes. If voters believe a voting
machine has manipulated their votes, in most cases their only recourse
is to call a board of elections number, which may well be busy, to
lodge a complaint that may or may not be investigated.

Election officials say their electronic voting systems are the very
best. But the truth is, gamblers are getting the best technology, and
voters are being given systems that are cheap and untrustworthy by
comparison. There are many questions yet to be resolved about
electronic voting, but one thing is clear: a vote for president should
be at least as secure as a 25-cent bet in Las Vegas.

Copyright 2004 The New York Times Company

On Sun, 13 Jun 2004 16:23:31 -0500, Douglas W. Jones <jones@cs.uiowa.edu> wrote:
>
>
> On Jun 13, 2004, at 11:37 AM, Joseph Lorenzo Hall wrote:
>
> > So was Prof. Jones's comment targeted specifically at object code? That
> > is, checksumming will not work for object code because it is unique
> > for each computer (because it holds things like the name of the
> > computer, or what-have-you)?
>
> Say I hand you a voting machine, and I assert: This is running
> Scam-A-Vote Version 10.3.2.4. You turn it on, and it prints out
> "Scam-A-Vote 10.3.2.4" on its internal printer.
>
> What assurance does this give you? Nothing. Do you gain any
> assurance when it prints out "ROM signature = 05F8C4D3", the
> expected CRC32 for the contents of the resident ROM? No. If,
> in addition, it prints "RO Filesystem signature = 4AC320FE688C"
> did you learn more? Not a thing.
>
> In sum, no self-report from a computer system should convince
> you that that system is authentic. If the system claims to be
> dumping the entire contents of its disk and ROM to the serial port,
> you still don't know that it's telling the truth. It could have
> twice the hard drive capacity internally, using most of it to
> store the correct system images while the code it actually
> executes is in the other half of the drive.
>
> So, you need some way to independently inspect the contents of
> memory.
>
> Either this needs to be a special hardware port that a memory
> inspection device can be attached to, or you need to be able to
> extract the memory from the voting system and attach it to a
> second machine used to inspect the contents. In either case, the
> inspection mechanism needs to be guaranteed to be unable to write
> things, so if you're verifying compact flash cards, your CF
> reader needs to be incapable of writing the card. Verifying
> CD-ROM is easy, but the moment it's stored on CD-RW media, your
> verifier must be certified to be unable to write (easy, use a
> CD-ROM player that doesn't support the write function, but the
> problem here is that covert substitution of a writer would be
> fairly easy.)
>
> In sum, it's tough.
>
> > Is this a place that Trusted Computing (a/k/a NGSCB, a/k/a Palladium)
> > could help specifically in the context of elections systems?
>
> Potentially.
>
> Doug Jones
> jones@cs.uiowa.edu
>
>

-- 
Joseph Lorenzo Hall
UC Berkeley, SIMS PhD Student
http://pobox.com/~joehall/
blog: http://pobox.com/~joehall/nqb/
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
Received on Wed Jun 30 23:17:14 2004
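
Added example, not part of the original message or of any voting system: a toy model of the quoted point that a machine's self-reported signature or self-dump proves nothing, while comparing independently extracted media against the copy on file does. The `Machine` class, the sample byte strings and the use of SHA-256 for the independent comparison are assumptions made for illustration; the post itself only mentions CRC32 self-reports.

```python
import hashlib
import zlib

# Constructed sample images; stand-ins for the filed copy and an altered build.
REFERENCE_IMAGE = b"certified firmware build (constructed sample bytes)"
ROGUE_IMAGE = b"altered firmware build (constructed sample bytes)"


class Machine:
    """Toy machine (hypothetical): 'media' is everything physically stored."""

    def __init__(self, executed: bytes, hidden_copy: bytes = b""):
        self.executed = executed          # code the machine actually runs
        self.hidden_copy = hidden_copy    # pristine image kept only for show
        self.media = executed + hidden_copy

    def self_report_crc32(self) -> str:
        # The software under test chooses what to hash: a rigged build
        # hashes the pristine copy, not the code that is executing.
        shown = self.hidden_copy or self.executed
        return f"{zlib.crc32(shown):08X}"

    def self_dump(self) -> bytes:
        # Same weakness for a "dump everything to the serial port" command.
        return self.hidden_copy or self.executed


def independent_inspect(raw_media: bytes, reference: bytes) -> bool:
    """Runs on a second machine over media read through a write-blocked reader.

    The whole extracted medium is compared, so extra capacity is a mismatch.
    """
    if len(raw_media) != len(reference):
        return False
    return hashlib.sha256(raw_media).digest() == hashlib.sha256(reference).digest()


def audit(machine: Machine) -> dict:
    expected_crc = f"{zlib.crc32(REFERENCE_IMAGE):08X}"
    return {
        "self_report_ok": machine.self_report_crc32() == expected_crc,
        "self_dump_ok": machine.self_dump() == REFERENCE_IMAGE,
        "independent_ok": independent_inspect(machine.media, REFERENCE_IMAGE),
    }


HONEST = Machine(REFERENCE_IMAGE)
RIGGED = Machine(ROGUE_IMAGE, hidden_copy=REFERENCE_IMAGE)

if __name__ == "__main__":
    print("honest:", audit(HONEST))
    print("rigged:", audit(RIGGED))
```

Both machines pass every check they perform on themselves; only the comparison made outside the machine separates them.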