
Douglas Jones: wise counsel



Below is a link to a really excellent memo, submitted to the NIST
meeting by one of the most qualified commentators I've seen.  Doug has
served for nearly 10 years on the Iowa Board of Examiners for Voting
Machines, and has served as its chair.  He has appeared before
Congress, the Federal Election Commission and elsewhere.  He is
also a professor of Computer Science at the University of Iowa and has
taught a course on Computers in Voting.

 Douglas Jones: Why trustworthy voting systems require
 institutionalized distrust:
 http://www.cs.uiowa.edu/~jones/voting/nist2003.html

Below is an excerpt, which underscores my arguments that the current
system of limited disclosure of code to "third parties" is
demonstrably not enough.  See the full article for the footnotes and
much more well-thought-out information.  He advocates a voter-verified
paper ballot.

Neal McBurnett                 http://bcn.boulder.co.us/~neal/
Signed and/or sealed mail encouraged.  GPG/PGP Keyid: 2C9EBA60


One line of defense, code audit and version control

The primary defense we currently employ, at least to some extent, is to require a strict audit of the code that goes into each voting machine. This involves not only the source code audit originally introduced in Section 7.4.2 of the 1990 voting system standards [11], but issues of configuration control that are a matter of state law and administrative rules.

Unfortunately, in the past 6 months, two major stories have dashed any hope that we can rely on these measures. First, the security weaknesses revealed by the Hopkins Report [12], confirmed by the SAIC study [13], and re-confirmed by the Compuware study [14] make it clear that the current source code audit process has failed to catch extremely serious flaws in the security of voting systems. The first two of these studies only focused on one voting system, but the last focused on and found serious security defects in 4 of the most widely used systems. I have only read the source code audit reports for two of these 4 systems, but those reports (not available to the public) did not point out any of these defects! It is clear, therefore, that we cannot trust the current source code audit process to provide a meaningful assurance that our machines are secure.

Even if we assume perfect source code audits, we must also assume that the software in the voting system as used in the polling place is the version that was subject to the source code audit. This is a matter of state administrative rules, and as was pointed out immediately after the Hopkins Report made it into the news, proper administrative procedures at the state level should mask many potential security loopholes in the voting application [15].

Unfortunately in the months that followed, there were two clear test cases for this argument. In both Georgia and California, the applicable rules for voting systems require fairly strict standards of version control. While these standards look good on paper, field investigation reveals that they have not been carried out in practice. In an interview, Rob Behler discussed his work at Georgia's voting machine testing lab at Kennesaw State University; he said: "... one of the engineers used my laptop ... [to get the patch] from the FTP, put it on a card, make copies of the cards and then we used them to update the machines." He went on to clarify that this was his personal laptop, an unsecure machine, and that the patches were downloaded from a public FTP server [16].

Even more damning is the quote from Connie McCormack of Los Angeles; when asked by a reporter from the Los Angeles Times about a state audit of voting system software, her response was: "All of us have made changes to our software - even major changes - and none of us have gone back to the secretary of state. But it was no secret we've been doing this all along" [17]. Between these two stories, it is clear that even the best administrative rules, if unmonitored by routine audits and therefore, effectively unenforced, do nothing to ensure the security of our voting systems and protect against insider fraud, whether it originates from a vendor or from any of the technicians who maintain the machines at more local levels. 

-------------

His "Brief Illustrated History of Voting" is scary and illuminating:
 http://www.cs.uiowa.edu/~jones/voting/pictures/

One tidbit:

   The word ballot comes from the diminutive form of the word ball in
   Italian, ballota, so originally, a ballot was a small ball. In
   ancient Athens, votes were taken by issuing little clay balls to
   each voter, and the voter would vote by depositing the appropriate
   ball in the appropriate ballot box, or rather, in a clay pot that
   served as a ballot box.