Re: Shamos Rebuttal, Draft 3

From: Edward Cherlin <cherlin_at_pacbell_dot_net>
Date: Sun May 08 2005 - 16:11:20 CDT

It is proverbial in the computer business (unlike politics) that
incompetence is to be suspected before malice. An example from
on-line poker is
http://www.developer.com/tech/article.php/10923_616221_1?o=0
How We Learned to Cheat at Online Poker: A Study in Software
Security
By Brad Arkin, Frank Hill, Scott Marks, Matt Schmid, and Thomas John
Walls
September 28, 1999
where an on-line poker establishment used a dud shuffling
algorithm and an even dudder random-number-generator-seed
selection method in a system for Texas Hold'em where a player's
computer could determine the current seed in real time, and thus
know the entire deal (every player's hand and the shared cards)
in advance. They say they got a lot of media coverage.

So we should not focus only on the malicious vendor. The known
incompetent vendors together with the known malicious/corrupt
politicians with the money to hire corrupt programmers and other
technical people are here.

On Saturday 07 May 2005 14:30, Ron Crane wrote:

> I would like to describe instances of gambling machine
> cheating, but not the one about Ron Harris. The reason is that
> §3.5.1 advocates requiring intrusive inspection of voting
> machines along the same lines as gambling machines, which are
> thus inspected by the Nevada Gaming Control Board. But Harris
> did his cheating while working for the Board, and using its
> inspection equipment to insert his cheating code. This
> introduces a difficult rhetorical issue that would make us
> look like we're talking out of both sides of our mouths.

I thought the idea was to advocate a completely open process,
i.e. publishing source code, at a minimum, and Open Source
licensing, for preference. Harris is the perfect example of why
*nobody* in the voting business should be trusted *without
verification*. So if it looks like we are talking out of both
sides of our mouth, nix the idea of relying on intrusive
government inspection, and emphasize even more the need for
vigilance by citizens, and therefore the need for an opportunity
for vigilance.

I just looked up Harris. He was supposed to verify EPROMS in slot
machines in Nevada, but he reprogrammed some of them. This is
precisely the sort of thing we are trying to prevent. Sure,
Harris did it on his own, but his technique demonstrates how a
crooked vendor or election official could do it. Or how a
political operative could get a job as a Trusted Person in order
to have the opportunity to mess with the machines in a close
election. Harris also read the dud random number generation code
for some of the machines, and figured out how to predict Keno
results.

> If
> you know of other instances of gambling machine cheating that
> involve vendors, please bring them up.

It didn't take me long to find these through Google.
http://www.casinogaming.com/features/blackbook/
"After a slot machine maker rigged electronic poker machines ten
years ago to limit the number of jackpots, Nevada regulators set
technical standards for gaming machines."

http://www.americancasinoguide.com/Tips/Slots-Honest.shtml
...ABC News show PrimeTime Live about slot machines. The segment
was titled "Against All Odds" and featured their chief
investigative reporter Brian Ross.

The story focused on the computer chips in slot machines and
began with parts of an interview with Frank Romano who, Ross
said, was banned from the industry because a company he owned
with two partners was charged with rigging its video poker
machines to avoid giving out royal flush jackpots.

Larry Volk, the person at his company who programmed the chips to
avoid giving the winning hands, had been murdered: Volk was shot
to death at his house in Las Vegas shortly before he was
scheduled to begin giving testimony about how he programmed the
chips to cheat.

American Coin was the company that Frank Romano had been
associated with, and it was involved in the biggest cheating
scandal in Nevada gaming history. In July 1989 the Nevada Gaming
Control Board seized about 1,000 of the company’s gaming
machines in 93 southern Nevada locations (mostly bars and
taverns) after it discovered that they contained unapproved
computer chips. The company’s video poker machines had been
altered to avoid giving a royal flush and their keno machines
had also been programmed to avoid giving out the top jackpots.

There is lots more of this sort of stuff on this site.

> Some of the other changes tend to defocus the argument, such
> as the comments about the Founders

The comment about the Founders was a replacement for a far less
focussed clause about relegating the issue to academic
discussion. No, this was a real live issue back then, discussed
in the Federalist Papers, in its analysis of how each branch of
the Federal government could and should act to keep the others
from becoming tyrannical and oppressive, and elsewhere in public
discussion. Jefferson, in particular, went on about the problem
(not vote fraud, specifically, but any usurpation of power) for
the rest of his life. Something about fertilizing the tree of
Liberty with the blood of tyrants, IIRC.

> and 'Reflections on Trusting Trust'.

Not mine. In fact, I don't see it in the paper. What are you
referring to?

> Generally I want to keep the focus on dishonest vendors (as
> opposed to politicians and voting officials), since Shamos's
> main argument is that, with a few tweaks, vendors can be
> trusted. They must not be, and their global reach implies a
> global reach for potential vendor fraud.

We must also be vigilant against vendor incompetence that allows
others to cheat, a known phenomenon since the invention of the
first mechanical voting machine.

> I disagree with some other edits. For example, on average, the
> incentive to verify votes is substantially weaker than the
> incentive to verify financial transactions. Almost everyone
> cares about her money, while many (a majority, in most cases)
> don't care enough about voting even to cast a ballot.

I wrote, "similarly, while some highly-motivated voters always
will wish to verify whether their votes properly are counted,
many others will not." Also, "Designing a system that will
uncover fraud with the likely rather small fraction of voters
checking is highly desirable and definitely possible." Doesn't
that agree with what you say?

> I don't
> want explicitly to raise "the possibility of an alliance
> between vendors and political parties or even administrations,
> as in disputed elections in Central Asia...."; it will sound
> too much like "conspiracy theories" to many readers.

Even if you're paranoid, there may still be somebody out to get
you. ^_^

Part of our point is that much of the public and most of those
with technical knowledge and understanding are already highly
suspicious (with good reason), not only of the machines, but of
the vendors, the politicians, and voting officials (many of whom
belong in jail right now, including substantial parts of the
Florida and Ohio administrations). But I was willing to be
distant and polite in the paper, and stick with undisputed
facts.

Chicago, IL, Newark NJ, New York NY, Louisiana,...Don't tell me
it hasn't happened. There may not have been an overt alliance,
but the vendors certainly knew that their machines were being
compromised and did nothing effective about it. (To continue
selling to corrupt jurisdictions, I suppose, regardless of their
party. But that still amounts to collusion.)

Are you saying that reference to actual conspiracies disqualifies
this as a technical paper? That the readers of the journal where
this paper appears will jump to such conclusions? That the
current US administration will attempt to discredit us based on
such references? What?

> The
> qualification about one-party districts is an oxymoron: the
> voting system knows the parties involved in each election, so
> it's not going to shift votes between parties if there isn't
> more than one party involved (e.g., during a primary
> election).

You mean single-district elections for legislators? That isn't
what I was talking about. I meant one party districts
(registration of actual population) in multi-party elections
over larger areas. Well, if you can't understand what I wrote,
it must need clarification.

> I strongly disagree with your deletion of the
> argument about vendors distributing Trojan Horses along with
> regular updates; it is a perfect subterfuge.

Regular updates without testing are illegal. It is a strawman
waiting to be knocked down.

> "Cheating with
> triggers" requires vendor-provided malware,

Malware provided by somebody, not necessarily a vendor.

> so it's already
> implicitly covered elsewhere.

I wanted to make it explicit, and now I want to bring in Ron
Harris, a non-vendor inserter of malware.

> Also it will read like
> conspiracy theories to many, since it requires many
> individuals to cooperate to produce any significant effect.

CREEP, the Plumbers, the whole Nixon White House, Donald
Segretti's distributed dirty tricks in particular..."Landslide"
Lyndon Johnson and his pet shyster, Abe Fortas...The Kingfish,
Boss Tweed...Don't tell me it hasn't happened, and don't tell me
it isn't still happening.

> I am deleting the last item in §5. It's a minor point, and I
> refuse to cite any improperly-conducted poll (such as the
> ACM's poll on paper trails) in any formal paper.

You refuse to *mention* it with appropriate qualifications? I
wrote, "Although no strong statistical inference of confidence
within a few percent can be drawn from such data, it certainly
has the appearance of contradicting Shamos's assertion that most
of this population are undecided." What's wrong with that?

> The qualifications you added to the conclusion weaken it
> substantially, and introduce terms not elsewhere defined
> ("auditable dual data paths", "Best Practices").

Well, let's define them, then. I want to be able to make an
explicit comparison of dual data paths with double-entry
bookkeeping. Having two sets of data is the essence of
auditability. Best Practices is a standard term in matters of
government regulation.

Or you are welcome to suggest other language that we have defined
for the same concepts.

> Finally, I am a little confused by your edit in §3.3. Earlier
> you blasted [1] my comparison between software and bridges,
> saying that, "among historians of bridge engineering it fails
> the laugh test--in fact the guffaw, hoot, and holler, pounding
> on the floor with tears in your eyes test." But your edit
> leaves the comparison intact, with a general qualification
> "normally" (which, BTW, is already implied by the footnote),
> and the addition of a description of the Tacoma Narrows bridge
> – and its mechanism of failure – that only confuses the
> argument.

Well, you can take out Galloping Gertie, but we need at least one
example, unless we take bridges out completely. The Nimitz
collapse would do.

The story about bridges falling down doesn't belong in the paper,
but here it is in outline.

In the 19th century, the only bridge-building firm in the US
whose bridges routinely stayed up was John Roebling & Sons. See
Ken Burns on the Brooklyn Bridge for a popular account. The
Roebling method was reportedly to calculate every possible
stress on a bridge, and then make it six times stronger than
that. (Roebling was also fighting Boss Tweed's minions and
buddies the whole way on the Brooklyn Bridge, including a
purveyor of substandard iron wire that required major redesign
and reinforcement of the bridge cables at the vendor's expense.)
However, the Roeblings fell down on the job [ha ha] when they
designed the Tacoma Narrows Bridge. They did not realize that it
would behave like a clarinet reed in a crosswise wind, and that
the stresses at the resonance point would be many times greater
than normal. Gertie bounced up and down off and on for years,
exciting initial alarm which then faded away, until the day
when it cracked clean across and snapped like a whip, throwing
cars high into the air.

Isambard Kingdom Brunel took a completely different tack. He
redesigned bridges completely, abandoning the Victorian Gothic
look of the Brooklyn Bridge and others of the time, and using
forms of sufficient mathematical simplicity so that the stresses
could be modelled accurately. His bridges stayed up, but
traditionalists hated them passionately.

Nowadays, bridges *normally* do not collapse, but there are still
exceptions. The Nimitz Freeway in Oakland in the Loma Prieta
earthquake, for example (and one small section of the Bay
Bridge). Stories are told about the engineering staff begging
the head of the Highway Department to let them make the
double-decker section of 880 earthquake-proof, and being ordered
not to.

The same sort of problem as with Frank Lloyd Wright's
Fallingwater house, where he made a mistake in the calculations
on the cable reinforcing in the concrete, and refused to allow
his staff to correct it. The retrofit to counter the seven
inches and counting of sag over the waterfall has a price tag of
$11.5 million.

There are a number of bridges around Manhattan that are getting
toward the danger area because maintenance has been put off so
long.

> I'll kick out another draft tomorrow.
>
> -R
>
> [1] I (and probably others) would be happier at OVC if our
> discussions contained rather less dragon-fire.

Marry, say not so, good sir. The very thought woundeth me. ;->

-- 
Edward Cherlin
Generalist & activist--Linux, languages, literacy and more
"A knot! Oh, do let me help to undo it!"
--Alice in Wonderland
http://cherlin.blogspot.com
_______________________________________________
OVC discuss mailing lists
Send requests to subscribe or unsubscribe to arthur@openvotingconsortium.org
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
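
Added example, not part of the original message and not code from the
cited article or any vendor: the on-line poker case mentioned at the top
of the message, reduced to a seed audit. It assumes the shuffle seed is
the server clock in milliseconds since midnight and that one seat sees
five cards; the function names and the table layout are hypothetical.

```python
import random
import secrets

DECK = [rank + suit for suit in "cdhs" for rank in "23456789TJQKA"]

def weak_deal(seed_ms):
    # Flawed dealer (constructed): the entire deck order is a pure function of
    # one small integer. ASSUMPTION: the seed is milliseconds since midnight,
    # so there are at most 86,400,000 possible decks (about 2**26.4), while a
    # fair shuffle has 52! orderings (about 2**225.6).
    deck = DECK[:]
    random.Random(seed_ms).shuffle(deck)
    return deck

def strong_deal():
    # Corrected dealer: shuffle driven by the operating system's CSPRNG, so
    # there is no seed for an observer to search for.
    deck = DECK[:]
    secrets.SystemRandom().shuffle(deck)
    return deck

def seeds_consistent_with(visible, clock_estimate_ms, window_ms):
    # Audit check: how many seeds near the estimated server clock reproduce the
    # cards one seat legitimately sees? `visible` maps deck position -> card.
    hits = []
    for seed in range(clock_estimate_ms - window_ms, clock_estimate_ms + window_ms + 1):
        deck = weak_deal(seed)
        if all(deck[pos] == card for pos, card in visible.items()):
            hits.append(seed)
    return hits

def audit_weak_dealer(true_seed_ms, clock_error_ms=1500, window_ms=5000):
    # Constructed table layout: positions 0-1 are this seat's hole cards and
    # positions 2-4 are the flop, i.e. five cards known to the observer.
    deck = weak_deal(true_seed_ms)
    visible = {pos: deck[pos] for pos in range(5)}
    hits = seeds_consistent_with(visible, true_seed_ms + clock_error_ms, window_ms)
    return hits, deck

if __name__ == "__main__":
    hits, deck = audit_weak_dealer(true_seed_ms=43_200_000)  # constructed: noon
    print("seeds matching five visible cards:", hits)
    print("rest of deck fixed by that seed:", weak_deal(hits[0])[5:12], "...")
    print("CSPRNG deal for comparison:", strong_deal()[:7], "...")
```

Five known cards have over 300 million possible ordered values, so a
search window of a few thousand seeds almost always leaves exactly one
candidate, and that candidate fixes every other card in the deck.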
Received on Tue May 31 23:17:25 2005
