On Sat, 15 Nov 2003 23:42:21 +0100 David GLAUDE wrote:

I did not reply to your DVD solution...
One reason is that it was technologically confusing. ;-)

But thanks for coming in now. There is a limit to how big the original draft should be (else no one reads it all).

Here are some attempts to define the best option:

* The "booting" media must be read-only.

I do not even want that.
The earliest CDs were made with a reflective surface, such that the shape of the surface would reflect a laser beam to be seen or not seen (zero vs one). Then the whole CD is read-only - meaning ballot definition cannot be added. I want ONE CD for each polling station, office districts may be different for each. Would be possible to make CDs with one or a few copies of each, but I think not affordable and would have to be done before election people had resolved who all the candidates would be.
Writing on a CD requires a layer of material that either reflects or absorbs light (zero vs one), and either:
Fully rewriteable like your floppy - I DO NOT want this - part of this technique is to erase, a capability I do not want in a voting machine.
Write once only. This is what I want, with the vendor loading the program, election officials adding ballot definitions, and the voting machine keeping a diary here.


So, I do want logically read-only so far as the boot content is concerned, for I do not want this changeable.

* This media should be unique to that voting place and activated by a key. The key and the media should take separate paths to the voting place and only be put together on the day of the election. Guessing the key from the media should be as hard as possible.

You lost me on this one, for we are agreed no one should be able to change content of the boot data, and therefore who cares whether it gets seen:
The program came from the vendor, and there are a zillion identical copies.
The ballot definitions are based on public requirements for the election.


Do need protection against substitution by a wrong disc - perhaps this helps on that problem.

* The recording (vote result) should be done on a write-once media.

And I am there - the part of the CD that has not been written on will tolerate EXACTLY write-once.


* Backup copies (of the vote) should be taken and kept safe and separately from the original.

Worth thought. I am ALL FOR copying that CD - as many copies as desired - doable in a PC equipped for this, but I question putting this capability in the voting machine.


Besides official backup copies, I am happy to make copies for anyone who wants one - perhaps to do their own validation - and perhaps charge them a small fee.

Now there is always a technical problem with:

1* Power loss

Voting machines MUST tolerate short term public power loss - and should be buildable with self power included. Doubtful whether this latter is worth general use.


2* Cosmic ray (memory glitch)

Not sure what you mean here. Certainly computers can and do get defended against expectable environmental problems, and the vendors should get told not to cheat on this detail.


3* Tempest (watching remotely a screen using electro magnetic field generated)

Another item in the list of those that designers, builders, and election officials must take defensive action for defense.

1) Your DVD solution assumes it is possible to write at a random position one vote at a time. I am afraid this is not possible. On a recordable DVD or CD, you can only append information at the end. Also writing on the media every time someone votes is not really efficient (maybe not even practical).

Not quite:
Recording ONLY at the end was my assumption.
Each record of votes is required to contain votes in random order - enough to make it impossible to be sure which belongs to a particular voter.
This requires temporary storage, in random order, on a hard disk or floppy or magnetic card ...
Agreed putting single votes on a CD is not practical, for this means more records than should fit, considering required gaps between records.

Also I guess a CD writer (why do you want DVD?) might cost too much when multiplied by the number of voting machines. It is mechanical so the risk of problems is high.


It is too early in this game to be sure whether a CD has enough capacity.
I do not know available reliability - even installing double sets of drives is among the design possibilities.


So solving the power loss is not easy.

Certainly doable - and I believe at least some current vendors are into this.


With Paper Audit Trail, in case of electrical/technical problem we can work in downgraded mode where paper must be counted (as our only backup). This is similar to the Belgian: "Let's recount the magnetic card."

As to paper trail - I am not against this, provided it is done in a way to protect secrecy - I am against over dependence on it, for it has its own problems.

2) Now you also have to fight Cosmic ray


Practically I don't think it is not possible to shield against cosmic ray. So the same solutions that are used in space exploration should be used.

This might mean using "old" and "reliable" technology (like Z80 designed for space). Using ECC or better memory.

Sequoia used to (maybe still does) like Z80s. Good points:
Less chance for vendor to hide something ugly in hardware.
Cannot run Windows (I think) - therefore no need to validate whether there is something funny in a copy of Windows.
Has all the speed voting needs (but I do not know about a Z80 controlling CD or DVD drives).


Anyway, computers can and do get built to survive noisy environments such as you suggest.

Making all the computation in triple might help but if it is processor having one bit value inverting, triple computation does not solve anything.


3) Some screen technology might be better than other...
Otherwise you need to go for Tempest proof equipment that costs a lot.

Agreed this is a concern - need to consider voting environment, which may not have to be as difficult as what Tempest gets involved in.

David GLAUDE


A bit more on our Belgian experience...

In one of the voting systems we use...

We are using floppy disk (3 1/4'').
The president of the voting bureau receives the key and the floppy (two copies).
The voting machines are booted with the master floppy.
The key is used to start the system.
[...]
At the end of the day, the vote results are recorded on ... the same floppy that was used to boot the system.


It means that if the floppy at the beginning of the day was not the official expected floppy but a fake that does record votes different from the intent of the voter...

Then at the end of the day, all traces can be removed by rewriting the official expected content of the floppy with the votes of your choice.

So any verification of the floppy after the election can not reveal anything. The only thing that can be done is to take a copy of the floppy before it is used and after all the voting machines are started... but this is not done!!!

I assume it would have cost too much to have two sets of copies. ;-)

David GLAUDE

Dave Ketchum wrote:

1. MUST enable potential recounts


In my DVD post I specified recording each ballot on the CD or DVD so that they could be recounted if anyone chose. I specified with that that they should be in random order to preserve secrecy.


It is important to know what a recount means. In Belgium we do recount the magnetic cards (in case power is lost in the computerised magnetic card ballot box)... or we get impossible results. But this gives us no guarantee since we have no proof that what is on the magnetic card is the voter intent.


Seems worthwhile to make voting machines immune to power problems. In my DVD post I specify recording the ballots on disc, after which they do not require power to protect them.

-- [EMAIL PROTECTED] people.clarityconnect.com/webpages3/davek Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026 Do to no one what you would not want done to you. If you want peace, work for justice.

----
Election-methods mailing list - see http://electorama.com/em for list info
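
The recording scheme discussed in the thread above (records appended only at the end of the disc, each holding ballots in random order drawn from temporary storage, kept for a possible recount), as an added example that is not part of the original messages or any vendor's code. `BallotBatcher`, the file standing in for the write-once disc, the in-memory pool and the batch size are assumptions made for illustration; the example goes slightly beyond the text by holding back a pool so that the final record is never a single identifiable ballot.

```python
import json, os, secrets, tempfile
from collections import Counter

RNG = secrets.SystemRandom()  # OS-backed randomness, not the seedable default PRNG

def append_record(path, ballots):
    """Append one record; models writing only at the end of a write-once disc."""
    with open(path, "ab") as disc:           # append mode: earlier records untouched
        disc.write(json.dumps(ballots).encode() + b"\n")
        disc.flush()
        os.fsync(disc.fileno())               # force the record out before continuing

class BallotBatcher:
    """Hypothetical temporary store that never holds ballots in arrival order."""
    def __init__(self, path, batch_size):
        self.path, self.batch_size, self.pool = path, batch_size, []

    def cast(self, ballot):
        # Insert at a random position so the pool itself leaks no voting order.
        self.pool.insert(RNG.randrange(len(self.pool) + 1), ballot)
        # Write only when a full batch can leave AND a full batch stays behind.
        if len(self.pool) >= 2 * self.batch_size:
            RNG.shuffle(self.pool)
            record, self.pool = self.pool[:self.batch_size], self.pool[self.batch_size:]
            append_record(self.path, record)

    def close(self):
        # End of day: the remainder goes out as one shuffled record.
        if self.pool:
            RNG.shuffle(self.pool)
            append_record(self.path, self.pool)
            self.pool = []

def read_records(path):
    with open(path, "rb") as disc:
        return [json.loads(line) for line in disc]

def recount(path):
    """Recount straight from the recorded ballots, independent of any running tally."""
    return Counter(b for record in read_records(path) for b in record)

def demo():
    ballots = ["A", "B", "A", "C", "B", "A", "A"]  # constructed sample, arrival order
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "disc.log")
        batcher = BallotBatcher(path, batch_size=3)
        for b in ballots:
            batcher.cast(b)
        batcher.close()
        return recount(path), [len(r) for r in read_records(path)]
```

The batch size bounds how many voters any one recorded ballot could belong to, so it has to be weighed against how many ballots may be lost from the temporary pool if power fails before the next record is written.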
