Re: [Fwd: Re: Secure logging - explained]

From: Michael Hay <michael_dot_hay_at_gmail_dot_com>
Date: Tue Nov 16 2004 - 07:37:35 CST

You could turn the question around and show that having standalone
machines makes it easier for people to mess with them. That's why thin
clients are popular with IT folk and kiosk makers. Basically you take
away everything that people can tweak either intentionally or
accidentally--this is also possible on a standalone system.

Additionally, while a web-based thin client might be technically more
complex, consider the administration headaches you have now introduced
when having pure standalone systems. For example, how are we planning
on updating the software on standalone systems? Will there be a CD
image which is pressed for every machine that must be installed on
every node? Will they be connected to a network while the software
updates are going on, but later be disconnected?

As far as being harder, IMHO arguments can be made either way. If all
of the logging and tracking is consolidated in a single place then the
contortions of having to burn CDs, change FLASH memory, etc. are no
longer needed. Additionally, if there are fewer machines to upgrade
you've reduced the administration headaches I mentioned above.
However, I'm sure anyone can provide a counter point to all of the
ones that I brought up.

The one thing which we have not addressed though is Internet voting.
And all of the complexities of using a browser over the Internet need
to be solved for that to be a viable voting paradigm. So my question
here is: is there a way to align a voting system in a polling place
and Internet voting?

Cheers,
Michael

On Mon, 15 Nov 2004 09:59:35 -0500, laird popkin <lairdp@gmail.com> wrote:
> One of the real attractions for me about the OVC system is that it
> consists of simple, stand-alone voting stations that have very
> simple, physically limited interactions with a stand-alone tabulation
> station. My concern about a thin client + server architecture is that
> it is technically more complex, making it harder to prove correctness
> and security.
>
> - LP
>
>
>
> On Mon, 15 Nov 2004 06:28:56 -0800, Michael Hay <michael.hay@gmail.com> wrote:
> > Question. If the OVC software morphed into an online version of a
> > voting system how would we perform secure logging? Would something
> > like the Secure Syslog stuff at UCSD be applicable? If not what
> > changes would be needed to make Secure Syslog robust enough?
> >
> > Link: http://security.sdsc.edu/software/sdsc-syslog/
> >
> > Being in storage and all, all the talk of WORM media is rather
> > interesting to see. Some interesting background is that most
> > companies who are after Sarbanes-Oxley SEC regulatory compliance are
> > more interested in the ability to lock things at a file level. The
> > big key here is that the content management systems and the storage
> > media are both required to keep logs of what has happened to the data
> > since it was locked. The validation comes from checking multiple
> > independent sources and comparing them against one another. If the
> > audit trails line up then a sense of "truth" is apparent.
> >
> > Back to the online thing again, is there any chance we could have a
> > system that used a single server at a polling place with multiple thin
> > clients? This kind of architecture might be a variant of one required
> > for on-line voting, thoughts?
> >
> > Michael
> >
> >
> >
> >
> > On Thu, 11 Nov 2004 20:55:52 -0800, Fred McLain <mclain@zipcon.net> wrote:
> > > Thanks for saying this much more clearly, Robert. Well said.
> > >
> > > Another thought I had this evening was the clearly larger capacity of
> > > CD-Rs. A singular failure of a CD-R would certainly wipe out the entire
> > > audit log. This isn't a fault of a paper audit log. Since the log just
> > > records events during the tally process, not individual votes, it's
> > > unlikely we would use even a small fraction of a CD. I'll also bring
> > > into question the idea that we'd have to use a lot of register tape to
> > > record a tally log. At about 8 entries per inch, a typical 220' roll
> > > could record over 21,000 'events' that occurred during the vote count.
> > > That sounds like a reasonable number to me.
> > >
> > > On airplanes we often use wire-based recorders for the black box
> > > systems. A magnetic recording on wire spools. Although this is
> > > changing to hardened digital systems, the wire recorders lasted well
> > > into the fly-by-wire control systems and digital "dashboards" for
> > > airliners. It even outlasted replacing copper with optical cables in
> > > the 747-400. The reason? They are very, very durable. The same can be
> > > said for paper trails vs digital ones. At the very least, let's have a
> > > paper backup for audit trails, even if we record them on CD.
> > >
> > > -Fred-
> > >
> > >
> > >
> > > On Thu, 2004-11-11 at 08:07, Robert Rapplean wrote:
> > > > Now that Fred mentions the archival quality and reliability of CD media,
> > > > I have to agree. Your typical CD has a shelf life of five to ten years,
> > > > and this drops to about six months to two years if you put any kind of
> > > > adhesive label on them.
> > > >
> > > > Also, in the experience of myself and my friends, the typical CD has
> > > > roughly a 20-50% failure to burn rate. I'm very much in the habit of
> > > > throwing away every other CD because they don't burn correctly. This is
> > > > partially because of borderline shoddy CD production, and partially
> > > > because of the inherent inaccuracy of the typical mass-market $50 CD
> > > > burner. The price you quote for DVD burners is for the low-end,
> > > > low-quality DVD burner. I haven't purchased an extensive collection of
> > > > DVD burners, but if they're anything like CD burners then the low end
> > > > will not be a reliable solution. I had to spend four to five times the
> > > > base CD burner price in order to purchase a CD burner which didn't waste
> > > > every other CD I tried to burn, or need to be replaced after about a
> > > > year of occasional use.
> > > >
> > > > In order to get production quality (and reliably auditable) CD burning,
> > > > you would have to spend something like $150 per burner, and purchase
> > > > archive quality CD's at roughly $1.60/pop, and even then you'd run into
> > > > the issue of a temperature sensitive process. Any CD burner that is
> > > > sitting near a door that opens a lot on a cold day WILL fail its burn.
> > > >
> > > > All things said and done, I think that we should more seriously consider
> > > > good old fashioned ink-on-continuous-tape, maybe with a running vertical
> > > > barcode if we can manage it. A machine readable paper tape would
> > > > significantly reduce wear and tear from human handling.
> > > >
> > > > -R
> > > >
> > > > Fred McLain wrote:
> > > >
> > > > >Hi Jim,
> > > > >
> > > > >I'd strongly call into question your belief that CDR would be more
> > > > >reliable than a register tape. I believe that some (most?) bank
> > > > >machines also use these sorts of tapes for their audit logs. Thermal
> > > > >printers should not be used because they are susceptible to erasure
> > > > >through heat but ink based printer output can last for decades and even
> > > > >longer with the right type of paper.
> > > > >
> > > > >CDs have recently been shown to have a far shorter shelf life than
> > > > >originally imagined due to oxidation of the underlying aluminum foil.
> > > > >They start pitting after time and can be quickly made entirely
> > > > >unreadable. A small scratch on the top side of a CD (where the foil is)
> > > > >will kill the entire CD whereas a mark on a strip of paper only obscures
> > > > >what is under the mark. Recordable multi session CDs are usually only
> > > > >"reliable" on the drive that recorded them, another issue. Also think
> > > > >about the number of recordable CDs that turn out to be "spoiled" -
> > > > >hardly the medium for a real time log.
> > > > >
> > > > > -Fred-
> > > > >
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
> > --
> > ----------------------------------------------------------------------
> > Michael C. Hay
> >
>
>
> --
> - Laird Popkin, cell: 917/453-0700
>

-- 
----------------------------------------------------------------------
Michael C. Hay
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
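The thread asks two technical questions without answering them: how a tally log could be made "secure" in the Secure Syslog sense (a later compromise of the logging host must not let anyone rewrite earlier records), and why Michael's compliance note insists on checking "multiple independent sources" against one another. The block below is an added illustration written for this archive page; it is not OVC code, not the SDSC Secure Syslog implementation, and not a description of either. It assumes a hash-chained, forward-secure log: every record carries an HMAC (SHA-256) over its sequence number, its text and the previous record's MAC, and the MAC key is replaced by a one-way hash of itself after every write, so the key that signed record i no longer exists on the machine once record i+1 is written. The auditor keeps the initial key K_0 offline and recomputes the chain. All names, the key-derivation label and the sample "ballot scanned" events are constructed for the example.

```python
import hashlib
import hmac
import json


def evolve(key: bytes) -> bytes:
    """One-way step to the next epoch key (label is an arbitrary constant)."""
    return hashlib.sha256(b"ovc-log-evolve|" + key).digest()


def _payload(seq: int, msg: str, prev_mac: bytes) -> bytes:
    # Canonical serialisation so writer and verifier MAC identical bytes.
    return json.dumps({"seq": seq, "msg": msg, "prev": prev_mac.hex()},
                      sort_keys=True).encode()


class ForwardSecureLog:
    """Append-only tally log: each record is chained to its predecessor and
    MACed under a key that is thrown away after the write."""

    def __init__(self, key0: bytes):
        self._key = key0             # K_0 is also held offline by the auditor
        self._prev_mac = b"\x00" * 32
        self.entries = []            # the records that go to tape, CD or server

    def append(self, msg: str) -> dict:
        seq = len(self.entries)
        mac = hmac.new(self._key, _payload(seq, msg, self._prev_mac),
                       hashlib.sha256).digest()
        rec = {"seq": seq, "msg": msg, "mac": mac.hex()}
        self.entries.append(rec)
        self._prev_mac = mac
        self._key = evolve(self._key)  # the key that signed this record is gone
        return rec


def verify(key0: bytes, entries: list) -> tuple:
    """Recompute the chain from K_0. Returns (ok, index of first bad record)."""
    key, prev = key0, b"\x00" * 32
    for i, rec in enumerate(entries):
        if rec.get("seq") != i:
            return False, i
        expect = hmac.new(key, _payload(i, rec["msg"], prev),
                          hashlib.sha256).digest()
        if not hmac.compare_digest(expect, bytes.fromhex(rec["mac"])):
            return False, i
        prev, key = expect, evolve(key)
    return True, None


def cross_check(a: list, b: list) -> list:
    """Compare two independently held copies of the log; returns the indices
    where they disagree (a shorter copy shows up as missing indices)."""
    common = min(len(a), len(b))
    diffs = [i for i in range(common) if a[i] != b[i]]
    return diffs + list(range(common, max(len(a), len(b))))


def demo() -> dict:
    key0 = hashlib.sha256(b"constructed demo key, not a real secret").digest()
    log = ForwardSecureLog(key0)
    # Constructed sample events of the kind a tally log would carry.
    for ev in ["polls opened", "ballot 0001 scanned", "ballot 0002 scanned",
               "ballot 0003 scanned", "polls closed", "tally: A=2 B=1"]:
        log.append(ev)
    local = log.entries
    remote = json.loads(json.dumps(local))  # copy held by the tabulation station

    # 1. Untouched log verifies end to end.
    intact = verify(key0, local)

    # 2. Rewriting an old record is caught: the key needed to re-MAC it and
    #    every later record was destroyed at write time.
    tampered = json.loads(json.dumps(local))
    tampered[2]["msg"] = "ballot 0002 spoiled"
    tamper_result = verify(key0, tampered)

    # 3. Deleting the tail leaves a chain that still verifies; only comparing
    #    against an independent copy reveals the missing records.
    truncated = local[:4]
    trunc_result = verify(key0, truncated)

    return {
        "intact": intact,
        "tampered": tamper_result,
        "truncated": trunc_result,
        "truncated_vs_remote": cross_check(truncated, remote),
        "tampered_vs_remote": cross_check(tampered, remote),
    }
```

The third case is the point behind the "multiple independent sources" remark: a MAC chain proves that nothing inside the log was altered, but it cannot by itself prove that the log is complete, so truncation is caught only by a second copy (paper tape, WORM media, or the tabulation station's own record) that the attacker could not also shorten. The same applies to Internet voting: forward security limits what a compromised web front end can rewrite, and the independent copy limits what it can silently drop.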
Received on Tue Nov 30 23:17:33 2004

This archive was generated by hypermail 2.1.8 : Tue Nov 30 2004 - 23:17:44 CST