Re: Fwd: ITA testing would detect Hursti attack, ballot programming errors, etc.

From: Arthur Keller <voting_at_kellers_dot_org>
Date: Sun Sep 03 2006 - 14:56:15 CDT

At 9:26 PM -0500 9/2/06, Douglas W. Jones wrote:
>On Sep 1, 2006, at 9:26 PM, Kathy Dopp wrote:
>> Can anyone please help me to verify or refute these claims ... ?
>>> From: Joan Krawitz VTUSA <>
>>> Date: Sep 1, 2006 7:56 PM
>>> Federal testing if conducted decently can and should find
>>> the kind of problems that have been reported with the Hursti
>>> hack, the ES&S ballot programming and similar system design
>>> defects.
>This is basically true. The VSTAAB review of the AccuBasic
>interpreter reveals numerous flat-out violations of the FEC
>2002 guidelines. If the California VSTAAB could do it, the
>ITAs could have done it. The basic problem exposed by Hursti
>I and II is also very obvious -- the ability to inject
>executable code into a voting system is clearly covered under
>the intent of the FEC 2002 guidelines concerning protection
>against viruses and malware.
>However, I see no evidence that the ITAs have been effective in
>detecting these problems. I've read the current ITA reports,
>and they're no better than the ones I used to read when I was
>an examiner for Iowa. My confidence is not raised by anything
>I've seen recently. Just because the ITA process has the
>potential to do better should not be taken as evidence that
>it is doing better.
>As an aside, I've read ITA source code review reports from
>Wyle, Ciber and SysTest. Ciber reports are, overall, the
>least informative. SysTest reports contain enough text that
>I can get into the head of the source code examiner and see
>what they're looking for and how they're going about it.
>Wyle is in between.

The California CSTAAB is a body chosen by the State of California. I
believe it is problematic for the vendor to choose a particular ITA
to use and to pay the ITA directly. This contracting structure leads
to an inherent conflict of interest for an ITA.

An alternative model is used for Environmental Impact Reports (EIRs)
within California (as required by the California Environmental
Quality Act or CEQA). The developer of a project submits a proposal
to the cognizant jurisdiction. The jurisdiction then chooses a
contractor to perform an Environmental Impact Study. The report
process is managed by the jurisdiction, but paid for by the developer
(with the jurisdiction as the intermediary for payment, I believe).
In the case of EIRs, the Draft Environmental Impact Report (DEIR)
when done is circulated among the public and given to the developer.
The public then has an opportunity to comment and responses to those
comments are then reflected in a Final Environmental Impact Report
(FEIR). Both DEIRs and FEIRs include descriptions of mitigations of
the environmental impact.

Similarly, the ITAs should be under contract with a government agency
not the vendor, although the vendor should pay the cost of the
assessment. The government agency should choose the ITA for a
particular assessment. The assessment should include both
conformance to the relevant standards and a "Security Impact Report,"
which should assess security risks and identify mitigations for these

Best regards,

Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA  94303-4507
tel +1(650)424-0202, fax +1(650)424-0424
OVC-discuss mailing list
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
Received on Sat Sep 30 23:17:03 2006

This archive was generated by hypermail 2.1.8 : Sat Sep 30 2006 - 23:17:08 CDT