Re: Avante Releases White Papers on AVVPAT...

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Sun Jun 13 2004 - 20:00:34 CDT

> Say I hand you a voting machine, and I assert: This is running
> Scam-A-Vote Version 10.3.2.4. You turn it on, and it prints out
> "Scam-A-Vote 10.3.2.4" on its internal printer.
> What assurance does this give you? Nothing. Do you gain any
> assurance when it prints out "ROM signature = 05F8C4D3"

All true. Which is why the OVC "best practices" procedure is more like
the following:

(1) Elections workers inspect voting stations to see that they are
apparently the specified hardware. This isn't impossible to fool, of
course.

(2) Elections workers inspect machines to make sure that the IS NO
harddisk drive inside the chasis. Probably it takes someone with a bit
of extra training to know what a harddisk looks like; but it ain't
rocket science.

(3) Elections workers open the sealed envelope that says EVMix 10.3.2.4
on it. Again sealing an envelope isn't huge protection, but it can be
part of the procedure; it helps once there's a procedure for
chain-of-custody.

(4) With observers looking over their shoulders, an election worker
takes the CD-R to one machine, say a Windows system, and checks the MD5
of the CD ISO image as a whole. If it isn't reported as, e.g.
3fc57f73b68ed746f99d73707468461e, something bad has happened.

(5) With observers still watching, some other election worker carries
the same CD-R to a different system, say a OpenBSD system, and runs a
different version of 'md5sum' than runs on Windows. We must get the
same fingerprint.

(6) Now, for the first time, the election workers actually *run* the
software on the CD by carrying it over to voting station, and booting
from CD-ROM device. The bootable volume is read-only, and cannot be
changed.

(7) The welcome message on screen displays "Initializing EVMix
10.3.2.4".

We trust this message. Not because it's hard to forge a welcome
screen. But because a bunch of procedures have been followed to assure
the chain-of-custody and cryptographic fingerprint is right; and
because those same procedures make sure the running software is the
stuff on the certified CD.

To follow the above steps, it really doesn't make any difference
whether the EVMix CD has object code, source code, or some combination
of the two. The whole ISO image is what is certified.

Btw. to elaborate on the Palladium thing: it may well be that some part
of the "digital rights management" sham could technically be used to do
what is done much more simply by 'md5sum'. But I really meant my
analogy from before. It's probably also less likely that a poll worker
will try to give a voter a false ballot form if some armed guards are
pointing a gun at the poll worker during her sleight-of-hand. But
putting "vote marshals" in polling places is FUNDAMENTALLY anathema to
democracy, even if it might have some minor "technical" virtue.

Palladium is about instituting a police state. That's not something
OVC should want or endorse. Stallman wrote a nice distopian parable
about a Palladium-enabled society:

        http://www.gnu.org/philosophy/right-to-read.html
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Wed Jun 30 23:17:15 2004

This archive was generated by hypermail 2.1.8 : Wed Jun 30 2004 - 23:17:30 CDT