Re: Secure logging - explained

From: Edmund R. Kennedy <ekennedyx_at_yahoo_dot_com>
Date: Wed Nov 10 2004 - 10:25:26 CST

Hello Jim:
OK, you're talking about the canvassing process at what I've been calling election central. I know that in the EVM this is handled by having vote data and images written to duplicate USB mounted memory chips to random memory locations thereon and then burned to the CD when the polls close. This would also be the CD that the software would run from. The CD and the memory sticks from each EVM would be placed in the ballot box right before it's sealed as secondary records for audit purposes.
I've found CDs to be basically WORM devices (Write once/read many) personally but I've never pretended to fully understand them. I'm aware that you can completely erase them if they are the proper type, but appending to them is something I've never found out how to do. I wish I had a better knowledge of the ins and outs of this, but life is short. I know we have discussed this in the past but I'm none the wiser for the discussion.
I know that we didn't 'balance the register' at the close of voting in the polling place I worked. It left a bad taste in my mouth especially when I was assured by the inspector that this was par for the course. I spent a while working as a cashier and had a little financial training so I clearly understand the need for a good audit trail. While I'm a little surprised that this isn't a norm for vote counting I think this has to do, in part, with basic fear and loathing of numeric rigor among the general population. I know this isn't a subject we've addressed much in the past as a group as we've been focused on the EVM.
Thanks, Ed Kennedy

Jim March <> wrote:
Ed Kennedy wrote:

> Hello Fred and Charlie:
> Just in case you weren't aware of this, there is a Searchable
> correspondence archive
> . If OVC has
> previously discussed a subject like this, that is where you will find
> it. BTW, I don't understand the issue. Could you please clarify it
> for this simple minded civil engineer?
> Thanks, Ed Kennedy

Ed, the issue is that every time votes move into the central tabulator
computer (one big PC per county that adds up the vote) there needs to be
an audit log entry performed. Every time those votes are "processed" in
any way, there needs to be an entry. That means reports created, data
added, data deleted because it was accidentally entered twice, a new
precinct's worth of stuff brought in, and MANY other operations each
need an "audit trail item" created.

These audit trail items track what was done, WHEN it was done (date/time
stamp), who did it (by username), etc.

The audit trail concept is borrowed from professional bookkeeping
practice (more or less) and is analogous to how a bank tracks taking in
and processing money. The principles of tracking such money flow have
been understood for more than 300 years, were perfected by Wells Fargo
back when they were still famous for stage coaches as a sideline and
have been extensively codified - it's part of what a CPA knows how to do
in his/her/its sleep. Bev Harris' position (and mine) is that we
should directly borrow from that CPA "playbook" and treat votes as
directly analogous to money. This is a minority opinion in the
electronic voting community so far but one that I think can be supported
- it's not expensive and the "R&D" is all basically done and long since
public domain.

Diebold's simplistic audit trail (nowhere near CPA best practices to
start with) has each audit trail item added to an MS-Access database
table(!). This table can be edited by...well, by anybody. With
MS-Access (full copy, not runtime) it's dead simple. Failing that being
available, you can write Visual Basic scripts to do it (controlling the
MS-Access "runtime" (a sort of brainless "mini-Access") included with
the Diebold software package) or with a regular text editor like Windows
NT/2000/XP Notepad(!) if you know what you're doing. It's ridiculous.
Hell, it's so simple Bev Harris hired some dude to teach Baxter to do
it. Baxter was paid in Mentos, dunno what flavor - he's a freakin'

The resulting video is hilarious:

(Errr...we're having an ISP problem as I write this...try tomorrow.
Quicktime required.)


What's not funny is that we now have proof this "audit trail editing"
happened in a live election...King County WA, this year's primaries,
three hours missing on election night. Not funny AT ALL.

We're trying to sort out how to create an audit log that CANNOT be
edited for the OVC system.

One option is to print it on a continuous cash register tape. Low tech,
but hey, not a crazy idea. Another is to burn it to CD-ROM or DVD-ROM,
some physical media that cannot be erased under computer control.
Slightly more expensive BUT I believe a bit more reliable. A third is
to go ahead and write it to a hard disk sorta like what Diebold does
(shudder) except use hardcore encryption and redundant copies to make
sure it doesn't go away. And an auto-backup to CD-write-once mebbe?

Come to think...there are companies selling USB2.0 external memory chip
"hard disks" of 512meg - 1gig or more range that have onboard hardware
heavy-duty encryption that can be set to prevent erasure. Might have
potential as an audit trail encoding that should survive
the computer having a fairly major crash?

Point is, we can do one HELL of a lot better than Diebold with any of
several options...but then again, so can a trained Chimpanzee so that
ain't saying much...


10777 Bendigo Cove
San Diego, CA 92126-2510
"We must all cultivate our gardens."  Candide-Voltaire
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
Received on Tue Nov 30 23:17:24 2004
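
Added example, not part of the original message and not OVC or Diebold code: one way to make the audit trail items described above (what, when, who) tamper-evident when they are kept on a hard disk. It swaps in an HMAC-SHA256 hash chain for the "hardcore encryption" mentioned; the function names, the key and the sample items are constructed for illustration.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # "prev" value for the first entry

def _mac(key, body):
    # Canonical JSON so identical fields always yield the same MAC.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def append(log, key, when, user, action):
    """Add one audit trail item chained to the previous item's MAC."""
    body = {"seq": len(log), "when": when, "user": user, "action": action,
            "prev": log[-1]["mac"] if log else GENESIS}
    log.append({**body, "mac": _mac(key, body)})
    return log[-1]["mac"]  # head value, to be copied to write-once media

def verify(log, key, expected_head=None):
    """Return (position, problem) findings; an empty list means intact."""
    findings, prev = [], GENESIS
    for pos, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(_mac(key, body), entry["mac"]):
            findings.append((pos, "entry altered"))
        if entry["prev"] != prev:
            findings.append((pos, "chain broken: items removed or reordered"))
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        findings.append((len(log), "head mismatch: log truncated or replaced"))
    return findings

def demo():
    key = b"constructed-demo-key"  # assumption: kept off the tabulator PC
    log, head = [], None
    sample = [  # constructed sample items, not real election data
        ("2004-11-02T20:05", "operator1", "import precinct 12"),
        ("2004-11-02T20:40", "operator1", "import precinct 13"),
        ("2004-11-02T21:10", "operator2", "delete duplicate precinct 13"),
        ("2004-11-02T23:30", "operator1", "print summary report"),
    ]
    for when, user, action in sample:
        head = append(log, key, when, user, action)
    edited = [dict(e) for e in log]
    edited[2]["action"] = "print summary report"  # in-place edit of one item
    gap = log[:1] + log[3:]  # items 1 and 2 removed, leaving a time gap
    return {"intact": verify(log, key, head), "edited": verify(edited, key, head),
            "gap": verify(gap, key, head), "truncated": verify(log[:3], key, head)}

if __name__ == "__main__":
    print(demo())
```

Cutting items off the end of the log is only caught by comparing against a head value stored somewhere the tabulator cannot rewrite, which is where the cash register tape or write-once CD options come in. Anyone holding the key can recompute the whole chain, so the key belongs off the machine as well.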
