Conformity Magazine - October 2008 - (Page 26)

with historical trends, polls or the expectations of a candidate, calls for an investigation are common. As a trigger for an investigation, this body of information forms a pretty good safeguard. After all, it would be pretty hard to rig an election without the vote totals looking odd, and triggering a call for an investigation from the losing candidate. Although far from perfect, it is an important safeguard. The increasing use of computer forensic techniques is creating even more interesting benefits. An array of techniques are available, and state and local officials are starting to employ them. One growing trend is the use of digital file signatures, commonly called HASH codes, to assure that voting system software has not been modified or tampered with. The Georgia Election Center at Kennesaw State has created a self-booting CD for the state of Georgia. When a system is booted from the CD, every file used by the voting system, including those files the voting applications use in the operating system, is examined and its digital signature is compared to the certified version of the software. The check takes 1.5 to 2 minutes and gives a GO/NO GO result. The check can be made before, after, and even during an election. Parallel monitor testing is another growing tool being used. In a parallel monitor test, sample voting devices are pulled out of service and brought to a test location. The machines are then voted by people using scripts. Typically cameras record every keystroke made during the test. At the end of the election day, the totals are compared to what is expected from the scripts that were voted. The machines don’t know that they are part of a test. If there is any malicious or malfunctioning software, the monitored test will reveal a difference in the total, leading to an investigation of the source of the discrepancy, and how widespread it is in the machines used in the actual election. Other forensic tools are available but have not yet been applied in elections. One technique that security experts use in other areas is to run a separate monitor program simultaneously with an application. The monitor program, as an example, can monitor all reads and writes to election data files. Because all voting software is source code reviewed as part of national certification, the routines that will legitimately read or write election data are well known. The software that legitimately does this is both source code reviewed and extensively tested to assure it is secure and accurate. A monitor program could then simply confirm that only the expected software read and wrote to the election data files. If any other software accessed these files, a record and trigger for an investigation would be created. If the monitor program is provided by an organization separate from the voting software vendor, they become independent actors. Situation Specific Security The security requirements developed so far have taken something of a “one-size-fits-all” approach, and have failed to 2 Conformity oCtober 2008 Figure 3: Voter Privacy Domain http://www.citelprotection.com http://www.citelprotection.com

Table of Contents Feed for the Digital Edition of Conformity Magazine - October 2008

Conformity Magazine - October 2008 Contents Editor's Note FCC Releases Annual Report on National Do-Not-Call Registry Commission Cracks Down (for the Fourth Time!) On Junk Fax Marketer FCC Releases Quarterly Reports on Consumer Inquiries and Complaints Greenpeace Ranks Electronics Manufacturers Standards List For The EU’s Energy Consumption Directive Published EU Commission Publishes Standards List for Directives on Pressure Equipment, Pressure Vessels Standards List for the EU’s Medical Devices Directive Available The IEEE Product Safety Engineering Society: The First Five Years ESD Open Forum Improving Election Security and Accuracy: The Future of Voting System Certification Conformity Assessment and Accreditation: Their Role in the Global Market Design Issues in Extreme EMC Environment Focus On... Test Equipment Buyers Guide Product News Updated Standards List for EU Directive on Active Implantable Medical Devices FDA Warns of Effects from CT Scans on Electronic Medical Devices FDA Provides Report Card on Its PMA Review Process CPSC Releases Import Safety Strategy Other CPSC Actions in the News IEC Standards Update Product Reviews UL Standards Update Telcordia Standards Update From Our “You Can’t Make This Stuff Up” Department Looking Back: Items from Past Issues of Conformity Advertisers

Conformity Magazine - October 2008

For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.