[E-voting] Submission latest

Patrick O'Beirne mail2 at sysmod.com
Thu Mar 18 09:09:40 GMT 2004


That reads well.

I like the clear statement of risk avoidance at the start:
"It is not necessary to show that tampering is likely in order to justify
acting to protect against it."

The first time you refer to ACM and ICS, should you spell them out in the 
text rather than a footnote? Footnote is fine for me. May I presume the 
non-academic readers in the Commission will be aware of the convention that 
[XYZ] means it will be referred to in the References Appendix, or should 
they be told that? Sorry if I'm raising really tiny or obvious points!

4 Conclusion References

"When testing a car, " - yes, better than the yardstick analogy

"While concerns over improper testing are incidental to the fatal lack of a 
VVAT, " clear justification of both targets, good.

2.1 ACM authority - good!

2.3 "No electronic commerce system would be deployed without an auditing 
capability;" Yes, you have to tell them that.

2.4 "With suitable auditing, any problem is recoverable because computer 
'errors' can be detected."
Yes. Rather than spend huge amounts in an illusory attempt to design a 
"perfect" system with 100% testing (except to destruction...), 
organisations with a mature security process add checks and balances to 
monitor for error in operation and have contingencies and fallbacks.

P. 7 "If and when it fails due to innocent error,"
Rather than "innocent" maybe "non-intentional" such as hardware failure or 
software malfunction?

in 2.7 Review of consultants' reports
 >>PTB volunteered that "An exchange of the ROM chips including fraudulent 
presentation of the correct checksums cannot be avoided by software but by 
means of sealing only"<<
I found the source for this in "PTB test rpt 2 - sept03.pdf"
Obviously the checksum calculation software can be altered to present a 
given result whatever the contents of the ROM.
If there's a hardware expert here, can they comment on whether a checksum 
can be obtained by an external diagnostic device that reads the ROM on the 
If so, that's an independent check. Of course it means the unit cannot then 
be sealed. So do you trust the sealer or the accuracy and coverage of the 
tester? Rather than have an infinite recursion of testers and verifiers, is 
separation of roles a sufficient protection?  (I don't know the answers 
here, just asking)

P. 8 " there will be no evidence which
might distinguish a vexatious action from a valid one. "
Very well put.

P. 8 "It is strictly an inference that the same software
will work correctly with all other test data;"
Not just test data - just data, including real vote data.

"2.10 Unreviewed machine code"
Maybe "Unreviewed machine and third-party code" ?

That's pretty close, just get a conclusion that echoes the intro and off you go.

  Patrick O'Beirne,     Systems Modelling Ltd.
  Gorey, Co. Wexford, Ireland. +353 55 22294
  www.sysmod.com  I.S. management consulting
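As an added illustration of the checksum point raised above (not part of this post or of the PTB report): a simulated unit whose tampered ROM is paired with a self-check that simply echoes the expected digest, compared with a verifier that hashes an image read from the chip independently of the unit's own software. The ROM images, the certified digest and the `Machine` class are all constructed for this example.

```python
"""Self-reported checksum vs. independently computed checksum.

Everything here is constructed for illustration: the 'ROM' contents, the
certified digest and the behaviour of the simulated unit. It is not code
from any voting system or test report.
"""
import hashlib

# Constructed reference image: what the certified ROM should contain.
CERTIFIED_ROM = b"COUNT-FW v1.0 " + bytes(range(64))
CERTIFIED_DIGEST = hashlib.sha256(CERTIFIED_ROM).hexdigest()

# Constructed tampered image: same length, one region altered.
_tmp = bytearray(CERTIFIED_ROM)
_tmp[20:24] = b"\xff\xff\xff\xff"
TAMPERED_ROM = bytes(_tmp)


class Machine:
    """Simulated unit with a ROM and a built-in self-check routine."""

    def __init__(self, rom: bytes, honest_selfcheck: bool = True):
        self.rom = rom
        self.honest_selfcheck = honest_selfcheck

    def self_reported_checksum(self) -> str:
        # An honest self-check hashes the ROM it actually runs from. A
        # modified self-check just returns the value the tester expects,
        # so its report carries no information about the ROM contents.
        if self.honest_selfcheck:
            return hashlib.sha256(self.rom).hexdigest()
        return CERTIFIED_DIGEST

    def dump_rom(self) -> bytes:
        # Stands in for an external reader imaging the chip directly, which
        # needs physical access (hence the conflict with sealing the unit).
        return self.rom


def verify_by_self_report(m: Machine) -> bool:
    """Trusts whatever the unit's own software reports."""
    return m.self_reported_checksum() == CERTIFIED_DIGEST


def verify_independently(m: Machine) -> bool:
    """Recomputes the digest over an independently read ROM image."""
    return hashlib.sha256(m.dump_rom()).hexdigest() == CERTIFIED_DIGEST
```

Only the independent check distinguishes a genuine ROM from a tampered one whose self-check has been altered; the self-report agrees with the expected value in both cases.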
