Fwd: Ms. Tobi's overheated rhetoric

From: David Jefferson <d_jefferson_at_yahoo_dot_com>
Date: Sat Nov 03 2007 - 13:52:10 CDT

On Nov 3, 2007, at 4:40 AM, Jim March wrote:

> David,
>
> There have been a boatload of academics over the years of the Brit
> Williams/Merle King ilk. People who have supported the "dominant
> paradigm" at NASED, EAC and various state certification processes.
> Rotten certification systems have had academic apologists for years.
>
> And when they're not apologizing, they're simply ignoring data that
> comes from non-academic sources.

Most of these people are not "elite technologists" about whom Ms. Tobi
was writing. The bona fide technologists who support the Williams/Merle
paradigms are a dying breed. I do not think there have been any new
ones in the U.S. since 2006 or so, although Europe is a few years
behind. There have never been more than a handful. What has changed is
that there are now at least a hundred active technologists on the other
side.

> Let's take one example. You must be aware by now that Windows CE in
> the Diebold touchscreen product line hasn't been examined by anybody
> outside of Diebold. Documents filed by Diebold with the California
> SecState's office list WinCE as "COTS", which is flat-out impossible
> as CE has to have been customized in order to work at all. It's a
> "kit", not a "product".

Correct.

> How can you ignore that? I'm quite serious here: there is NO possible
> way the legality of the Diebold CE-based products can be supported.

The COTS exemption is indefensible from any security standpoint.

But there is nothing illegal about Diebold CE-based products. The VVSG
standards are voluntary guidelines. Many states do not recognize them,
as you know. But of course many states do require in law or regulation
or custom that their voting systems be federally certified. They do not
require that the VVSG standards actually be adhered to. What they
require is federal certification. Well, Diebold's systems were and
still are federally certified. Perhaps they should not have been, but
they were. So their state certification was not illegal. We can argue
on lots of grounds that it should have been illegal, but I argue it was
not.

> Worse, since CE is at the core of the Sequoia and Hart touchscreens,
> it's quite possible they pulled the same stunt. After all, there were
> only three labs. If one examined CE in code-review detail while
> another treated it as COTS, you'd think somebody would ask questions
> over drinks at the hotel bar wherever the next NASED meet was held?

You would think. But the people at NASED do not understand these
issues. I know. I spoke at NASED in 2003 and said that ever that
Diebold systems should be "considered" for decertification as a result
of the Hopkins/Rice report. I have never had a hostile audience before
but that audience turned hostile, led by Doug Lewis. They practically
threw tomatoes at me and ran me out of the place.

> So at least one vendor's product line is verifiably
> illegal...something I told you in person around Oct. 2003. Did you
> ever check up on that? Ever ask any questions?

Jim, I am sure you have told me a lot of things in person. I do not
agree that these systems are "illegal". I wish they were.

> It's 2007 and the
> junk is still in use all over the country. Never mind that both the TS
> and TSx have drop-in flash memory module support allowing wholesale
> code addition with a standard Phillips screwdriver and less than five
> minutes.

Everyone knows this now.

> As to Dill. Problem one is that the way he treats non-academics is
> completely different from how he treats his "fellow ivory tower folk"
> with names followed by lots of funny initials. The difference is
> night and day. Go have a chat with his first (volunteer) webmaster
> some time.

You may not like or get along with Dill. If he treats some people
badly, which I have never seen, I won't try to defend it. You treat
people badly also. But we were talking about whether Dill fits Ms.
Tobi's bombastic characterization of "elite technologists" who are
"drowning in their own self created illusion that a high tech,
complexified, opaque, and expertified election system can meet the
standards for a free and open democracy". Dill stands for the exact
opposite of that. He does not want to fix DREs for example, he wants to
get rid of them. He does not want to "secure" voting systems, he wants
to audit them. I suspect that you probably even agree with that.

> Problem two, he hasn't complained about what's going on to anywhere near
> the degree the situation merits. He's like a guy watching a riot
> saying "excuse me, this isn't polite at all" in a squeaky voice. It
> doesn't do a lot of good. Think I'm exaggerating? Go over his
> testimony before the Carter-Baker commission.
>
> Three, and worst of all, he's an enabler. I don't expect you to
> understand that right away because you are too - a worse one,
> actually.

OK, I'm an "enabler". I guess your case for that is below, so I will
respond there.

> It's not my words that should "unnerve" you, nor were they meant to.
>
> What *should* unnerve you is a serious examination of what you've been
> doing for years: by acting as an "insider" to "reform things from
> within" including during the McPherson years when it was obvious
> reform wasn't going to happen, you didn't just fail to do reforms.
> Much worse, you enabled the ongoing bullshit. You lent your name,
> your credibility and your academic credentials to a visibly broken
> process. You propped up an ongoing disaster.

The McPherson administration was a lost cause once Susan Lapsley was
appointed in about Jan., 2004. But you have no idea what happened in
that administration, or how much we (me and the VSTAAB members) tried
to move them in a favorable direction.

I assume you are upset because of the VSTAAB report we submitted in
February 2006 that led to the Diebold certification. I will give you
(or other readers of this) my story of what happened.

1) The Diebold system was going to be certified no matter what we said
or wrote. If you don't know that, you just don't understand. It was
already mid February and there was a special election scheduled for
early April in San Diego (a Diebold county) and a statewide primary in
June. Many counties had Diebold equipment in place, and they were
pressuring the SoS that there was no time to get another system, and
the SoS agency was in complete agreement. Furthermore, the January 1
federal deadline for HAVA compliance had already passed, and the SoS
believed that DREs were important for HAVA compliance. So certification
was going to happen. The only real issue then was what technical
qualifications and mitigations would be required as part of
certification.

2) The VSTAAB charter did not allow us to make policy recommendations.
We were required to confine ourselves to technical statements of fact
and possibly outline options for dealing with those facts. But not
recommendations. Policy makers do not want to be boxed in by their
technical advisors and they make that clear.

3) The issue at hand was the Hursti I vulnerability--the one
demonstrated in Leon County Florida done by Harri Hursti and set up by
Bev Harris. We were not authorized to do a full study of Diebold, nor
would that have been possible in the time allotted. Our
recommendations, and we did in effect make some in spite of the fact
that we were not supposed to, were all directed toward doing something
to mitigate them. I might add that the Hursti I vulnerability was
easily fixed, and even if not fixed was, we believed, "manageable" (as
we wrote) for a special Congressional election 6 weeks away.

4) We intended, and expected, most of those mitigations to be targeted
primarily at the April special election. We figured that there was
barely enough time by the June primary for Diebold to make the code
changes to fix the security vulnerabilities that we were able to
identify (which we estimated would take a day) and get them federally
certified and back to the state for certification for June. We pointed
out in our nonpublic appendix to the report the exact lines of code
that were faulty and needed to be fixed. We never imagined that neither
Diebold nor the SoS had that intention, and that we would go through
the general election in November and another year as well with no fix
at all even attempted! That was inconceivable to us. I am still stunned
at the dereliction of duty that represents, especially in the light of
subsequent events (Hursti II).

5) After certification of the Diebold Systems on Feb. 17, 2006, it was
made clear to me that the agency was not happy with the report we
submitted. Their biggest complaint was that we stated flatly that Harri
Hursti was exactly right--everything he had said was correct, and his
demonstration was real. They hated that, I think because it gave
legitimacy to Hursti, whose work had embarrassed Florida officials,
officials who had visited Sacramento to play a role in--and
manipulate--the Hursti/AccuBasic investigation.

6) After that report the McPherson administration basically never dealt
with us again. Barely a month later (March 15) I learned of the Hursti
II vulnerabilities and the threat of viral attacks on Diebold voting
systems, and I repeatedly tried to get the attention of the SoS agency
to warn them of these vulnerabilities that were 100 times worse than
Hursti I, and here it was an election year with a primary less than 3
months away. They would not listen, and would not even give us an
appointment. Eventually I got another state to act (PA, with the help
of Mike Shamos) and only then did CA officials even agree to hear us
out. When they did, it was with Diebold people on the phone, and in the
end they did essentially nothing. And they basically never spoke to us
again, through the primary and general election, when McPherson was
voted out of office.

So, far from "enabling" the McPherson administration, I think it is
fair to say that I (or we, the VSTAAB) slightly influenced them as best
we could before the Diebold certification (Feb, 2006), and had no
influence at all after.

David

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Fri Nov 30 23:17:08 2007
