[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
spare memory cards; election vs. test modes
- To: "Al Kolwicz" <alkolwicz@xxxxxxxxx>, "neal McBurnett" <neal@xxxxxxxxxxxxxxxxx>
- Subject: spare memory cards; election vs. test modes
- From: Harvie Branscomb <harvie@xxxxxxxxxxxxx>
- Date: Fri, 06 Oct 2006 08:43:40 -0600
- Cc: ken@xxxxxxxxxxxxx,"Tom Morris" <tmmco1@xxxxxxx>, "Carolyn Bninski" <carolynbn@xxxxxxxxxxxxx>, "Geof Cahoon" <gcahoon@xxxxxxxxx>,"Ivan C. Meek" <ivan.meek@xxxxxxxxx>, "Joe Pezzillo" <jpezzillo@xxxxxxxxx>, "Kellen Carey" <kcarey636@xxxxxxxxx>, "Margit Johansson" <margitjo@xxxxxxxxx>, "Mary Eberle" <m.eberle@xxxxxxxxxxxx>, "Myriah Conway" <myriah_conroy@xxxxxxxxx>, "Neal McBurnett" <neal@xxxxxxxxxxxxxxxxx>, "Paul Walmsley" <paul@xxxxxxxxxxx>, "Peter Richards" <aprichards@xxxxxxxx>, "Ralph Shnelvar" <ralphs@xxxxxxxxx>, "Scott A. Morris" <samorris@xxxxxxxxxx>, "Stith Bennett" <stith@xxxxxxxxxxxxxx>, "Claudia Kuhns" <claudiakuhns@xxxxxxxxxxx>, cvv-discuss@xxxxxxxxxxxxxxxxx,cfvi@xxxxxxx
- Delivered-to: mailing list cvv-discuss@coloradovoter.net
- Delivered-to: moderator for cvv-discuss@coloradovoter.net
- Disposition-notification-to: <harvie@media.mit.edu>
- List-help: <mailto:cvv-discuss-help@coloradovoter.net>
- List-post: <mailto:cvv-discuss@coloradovoter.net>
- List-subscribe: <mailto:cvv-discuss-subscribe@coloradovoter.net>
- List-unsubscribe: <mailto:cvv-discuss-unsubscribe@coloradovoter.net>
- Mailing-list: contact cvv-discuss-help@coloradovoter.net; run by ezmlm
Al and Neal and other election evangelists:
I did not receive any comments on
this important email- does anyone have any?
I need some backup to make this important argument to the Clerk in Eagle
County.
(Green and black
are from harvie,
blue
is from Teak Simonton)
FYI this morning I found at least one "white hat
hacker" to take on the recent challenge by Jefferson
County to try to crack the security on their iVotronics machinery. There
is an association of "white hat hackers" called the Hackers
Conference. "White hat hackers" are not dangerous
like "black hat" but probably as close as we can get in
"laboratory" instead of field conditions.
Today you may be able to help me get a handle on how to clarify this
discussion I am having regarding choice of memory cards and method of
programming for the LAT and election with Teak, the Clerk of Eagle
County.
I am looking for your comments.
This discussion of test mode vs election mode is crucial to testing
effectiveness and I think a requirement not to use test mode is either in
the statute or in the rules or both. Do either of you know the
exact location of this?
Al, I did not get a reply from you on
this... did you find the provision? I have also asked Ken Gordon -
mainly to see if he is paying attention.
Then there is the point of whether the individual
memory cards get tested. So far they
have never all been tested and apparently are not required to be tested
individually. They are swapped during the election without concern for
their individual condition. Is this a safe assumption?
Probably not since they are flash memory and flash memory actually fails
over time. I am not aware of a test for the performance of the flash
memory cards. In future rules there should be a provision for this
testing.
Teak says that it is the contents of the memory card which gets
tested. If so, then that same
tested contents in any memory card will have been considered to have been
tested, presumably. I think this is the status quo.
And therefore it would not be a problem to test a subset of identical
memory cards while saving others for the election.
All memory cards for test and
election could be programmed in the same operation to be sure they are
identically programmed. This seems likely to the best procedure insuring
that we are testing under election conditions (ideally the date would
also be programmed for the election date during the test).
It is the manufacturer who poses the extra levels of
security which impose the difference between election and test mode, such
that in election mode the cards may be used only once, and so
forth. This is not a reason to
use test mode for the test.
In my observations, the Clerk is frequently required
to work-around this security restriction to accomplish the election by
either reprogramming the cards or using pre-programmed spares, therefore
the security measure of making the cards work "only in the
election" and "only once in the election" is actually moot
in common
practice.
On the other hand the added security of separating a special "test
mode" which is more flexible actually increases the potential for
fraud, substantially, by injuring the effectiveness of the tests if they
are being performed in "test mode" rather than under the
conditions of "election". This is, simply put, because
all of the bugs in the software, and intentional fraud, if any, will
therefore be found only in "election
mode" which is unfortunately not
tested.
In view of the ease and nonchalance and frequency
with which memory cards are supplemented with spares during the
election, it seems to me that there is no point in giving any
attention to the "security measures" which would have prevented
them from being supplemented and swapped or replaced
(because the work-around defeats this
security).
Instead the cards should be kept under effectively maintained
identification and seal and either one of following two procedures
followed (depending on how many
memory cards are available for use).
1) the identical card is used for test and election, with a re-zeroing or
re-downloading of the card done after the LAT and before the election.
This is not the preferred method, but required if there are an
insufficient number of cards available to accomplish #2.
2) a duplicate set of cards is prepared in advance, enough for test and
for election. The cards are chosen at random for the test so that
the identity as the one for the election is determined by chance just
prior to testing. During the test these specific cards are clearly marked
as dedicated to the test so these cards will never be tallied in an
election. I think this is the best solution.
where? In this case, the cards chosen at random for tests are sealed and
separated so that they can not be included in the election tally (along
with any other memory cards in inventory).
Has this been worked out in election rules elsewhere?
But Teak says :
[Teak Simonton] It is my understanding that we are not required
to test each memory card used, but to test the programming of the
election that the cards hold ? and testing some of the cards
suffices. I am definitely uncomfortable programming extra Diebold
cards and using some for test and some for election mode ? this would
make the security people go crazy. Any of these test cards could
conceivably be uploaded on election night in replacement of the real
cards ? we can?t do this.
Teak, what you are describing as
"we can't do this", is exactly what you have regularly been
doing... creating extra memory cards as spares for use in
emergencies. This is just as dangerous or more dangerous than
programming extra memory cards for the test. And it might indeed make the
security people go crazy. Are you going to stop programming spare
memory cards? You must be consistent on this point. Either
you adhere to the security restrictions imposed by the manufacturer and
live within those restrictions, or you provide physical security to be
sure that test and spare memory cards are never tallied. In which case it
should be no problem to use extra memory cards for the testing. It is
inconsistent to go both ways on this.
The production of "spare" memory cards must
be addressed by the rules and procedures in the future, particularly in
terms of security. The failure of the manufacturer's own equipment makes
the spares essential. Anyway, it seems to me the existence of the
spares makes the distinction between "test" and
"election" mode meaningless, and therefore the use of any
"test" mode should be abandoned, as I believe Colorado has
already decided.
Looking forward to your comments
Harvie Branscomb