Re: Ballot Reconciliation Procedure

From: Karl Auerbach <karl_at_cavebear_dot_com>
Date: Fri Nov 28 2003 - 04:10:51 CST

On Wed, 26 Nov 2003, Alan Dechert wrote:

> This is not, of course, proposed as "all we need in terms of ballot
> security" but it is an important part of how we ensure one person one vote
> and one matching xml file for tabulation (previous descriptions of this
> procedure may have referred to records or rows in a table... now we're
> talking about an XML file for each ballot instead).

Having just dealt with a number of damaged file system problems, I'd
suggest that, procedurally, the following be verified frequently:

        1. That the file system is valid (fsck)
        2. That there is lots of available space and inodes available
           (it is embarrassing to have space but no inodes.)
        3. That the access permissions are valid.

As an aside - a solid file system structure (I don't know which are best,
but probably one of the journaling file systems) would be useful
protection against file system damage due to system restarts [think
lightning storm and power failures].

(As an audit trail issue, it seems to me that there also ought to be a
journal - perhaps on a separate non-volatile physical medium [e.g. USB
flash memory drive] in addition to the files. The journal could be used
for reconstruction [I see legal questions on that horizon] or might merely
be used as a tool to cross-check for tampering.)

...

> The barcode on each ballot is scanned and an XML ballot image is created
> with the same format and file naming scheme as on the voting machine.

Having the same name bothers me because it makes it more difficult to do a
forensic review/audit of a failure. My gut tells me that the file names,
and the data itself, should indicate the source.

Yes, the directory already identifies the source, but in systems like this
I believe that it's best if there is lots of information redundancy.

> The list of 30 unmatched ballot numbers...

Has anyone considered whether it would be useful, feasible (or a source of
attack) if the number of sheets of paper in the printer were known before
the polling station opened and when it closed?

                --karl--

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Sun Nov 30 23:17:11 2003

This archive was generated by hypermail 2.1.8 : Sun Nov 30 2003 - 23:17:13 CST
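Added example (not from Karl's message, and not code from any voting-system project) illustrating two of the points above: the pre-open checks on free space, free inodes and permissions, and a hash-chained journal kept on a separate medium that is cross-checked against the per-ballot XML files to spot missing, extra or altered files. Everything in it is assumed for illustration: the file naming scheme (the file name carries the source machine, as suggested above), the tab-separated journal format, the `fsck -n` dry run against a hypothetical device, and the constructed sample ballots written to a temporary directory standing in for the real ballot store and USB medium.

```python
"""Added example: pre-open file system checks plus a tamper cross-check journal."""
import hashlib
import os
import stat
import subprocess
import tempfile

GENESIS = "0" * 64  # prev-hash of the first journal entry (assumed convention)


def check_space(path, min_free_bytes, min_free_inodes):
    """Return (ok, free_bytes, free_inodes) for the file system holding path."""
    st = os.statvfs(path)
    free_bytes = st.f_bavail * st.f_frsize   # space usable by unprivileged processes
    free_inodes = st.f_favail                # "space but no inodes" is caught here
    return free_bytes >= min_free_bytes and free_inodes >= min_free_inodes, free_bytes, free_inodes


def check_perms(path, expected_mode, expected_uid=None):
    """True if path has exactly the permission bits expected_mode (and owner, if given)."""
    st = os.stat(path)
    return stat.S_IMODE(st.st_mode) == expected_mode and (expected_uid is None or st.st_uid == expected_uid)


def fsck_dry_run(device):
    """Run fsck in no-change mode (fsck -n) on a hypothetical device; run it unmounted for a trustworthy answer."""
    proc = subprocess.run(["fsck", "-n", device], capture_output=True, text=True)
    return proc.returncode == 0, proc.stdout + proc.stderr


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def journal_append(journal_path, source, name, digest):
    """Append one record: prev_hash, source, name, digest, entry_hash (tab-separated, hash-chained)."""
    prev = GENESIS
    if os.path.exists(journal_path):
        with open(journal_path) as f:
            lines = f.read().splitlines()
        if lines:
            prev = lines[-1].split("\t")[-1]
    body = "\t".join([prev, source, name, digest])
    entry_hash = hashlib.sha256(body.encode()).hexdigest()
    with open(journal_path, "a") as f:
        f.write(body + "\t" + entry_hash + "\n")
        f.flush()
        os.fsync(f.fileno())  # make sure the record reaches the separate medium before we return
    return entry_hash


def journal_verify_chain(journal_path):
    """Return (chain_ok, records); chain_ok is False on any broken link or bad entry hash."""
    records, prev = [], GENESIS
    with open(journal_path) as f:
        for line in f:
            fields = line.rstrip("\n").split("\t")
            if len(fields) != 5 or fields[0] != prev:
                return False, records
            if hashlib.sha256("\t".join(fields[:4]).encode()).hexdigest() != fields[4]:
                return False, records
            records.append({"source": fields[1], "name": fields[2], "digest": fields[3]})
            prev = fields[4]
    return True, records


def cross_check(ballot_dir, journal_path):
    """Reconcile XML files on disk against the journal: missing, unjournaled, modified."""
    chain_ok, records = journal_verify_chain(journal_path)
    expected = {r["name"]: r["digest"] for r in records}
    on_disk = {n for n in os.listdir(ballot_dir) if n.endswith(".xml")}
    modified = sorted(n for n in on_disk & set(expected)
                      if sha256_file(os.path.join(ballot_dir, n)) != expected[n])
    return {"chain_ok": chain_ok, "missing": sorted(set(expected) - on_disk),
            "unjournaled": sorted(on_disk - set(expected)), "modified": modified}


def demo(workdir=None):
    """Constructed sample: journal three ballots, then tamper with one, delete one, add one."""
    workdir = workdir or tempfile.mkdtemp()
    ballots = os.path.join(workdir, "ballots")
    journal = os.path.join(workdir, "journal.tsv")  # stands in for the USB flash medium
    os.makedirs(ballots, exist_ok=True)
    os.chmod(ballots, 0o700)
    for i in range(1, 4):
        name = f"vm01-ballot-{i:04d}.xml"  # source machine is part of the name (assumed scheme)
        path = os.path.join(ballots, name)
        with open(path, "w") as f:
            f.write(f"<ballot id='{i}' source='vm01'/>\n")
        journal_append(journal, "vm01", name, sha256_file(path))
    before = cross_check(ballots, journal)
    with open(os.path.join(ballots, "vm01-ballot-0002.xml"), "a") as f:
        f.write("<!-- edited -->\n")                               # tampering
    os.remove(os.path.join(ballots, "vm01-ballot-0003.xml"))      # loss
    with open(os.path.join(ballots, "vm01-ballot-0099.xml"), "w") as f:
        f.write("<ballot id='99' source='vm01'/>\n")              # unrecorded extra
    return {"before": before, "after": cross_check(ballots, journal),
            "perms_ok": check_perms(ballots, 0o700), "space_ok": check_space(ballots, 0, 0)[0]}


if __name__ == "__main__":
    print(demo())
```

The journal only detects tampering on the ballot store; an attacker with write access to both the store and the medium can rewrite both, which is why the medium should be physically separate and, ideally, write-once or signed. The `fsck_dry_run` helper is deliberately not invoked in the demo, since a no-change fsck on a mounted, busy file system reports spurious errors.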