Re: Fwd: ITA testing would detect Hursti attack, ballot programming errors, etc.

From: Douglas W. Jones <jones_at_cs_dot_uiowa_dot_edu>
Date: Sat Sep 02 2006 - 21:26:20 CDT

On Sep 1, 2006, at 9:26 PM, Kathy Dopp wrote:

> Can anyone please help me to verify or refute these claims ... ?

>> From: Joan Krawitz VTUSA <>
>> Date: Sep 1, 2006 7:56 PM
>> Federal testing if conducted decently can and should find
>> the kind of problems that have been reported with the Hursti
>> hack, the ES&S ballot programming and similar system design
>> defects.

This is basically true. The VSTAAB review of the AccuBasic
interpreter reveals numerous flat-out violations of the FEC
2002 guidelines. If the California VSTAAB could do it, the
ITAs could have done it. The basic problem exposed by Hursti
I and II is also very obvious -- the ability to inject
executable code into a voting system is clearly covered under
the intent of the FEC 2002 guidelines concerning protection
against viruses and malware.

However, I see no evidence that the ITAs have been effective in
detecting these problems. I've read the current ITA reports,
and they're no better than the ones I used to read when I was
an examiner for Iowa. My confidence is not raised by anything
I've seen recently. Just because the ITA process has the
potential to do better should not be taken as evidence that
it is doing better.

As an aside, I've read ITA source code review reports from
Wyle, Ciber and SysTest. Ciber reports are, overall, the
least informative. SysTest reports contain enough text that
I can get into the head of the source code examiner and see
what they're looking for and how they're going about it.
Wyle is in between.

                Doug Jones

OVC-discuss mailing list
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Sat Sep 30 23:17:02 2006

This archive was generated by hypermail 2.1.8 : Sat Sep 30 2006 - 23:17:08 CDT