Security and Transparency Teleconference Meeting
Wednesday, August 23, 2006
10:30 a.m.
Participants:
Alicia Clay, Allen Eustis, Angela, David Flater, Helen Purcell, Nelson
Hastings, Patrick Gannon, Philip Pearce, Ron Rivest, Sharon Laskowski,
Thelma Allen, Wendy Haven
The meeting was called to order at 10:33 a.m.
Administrative Updates:
- Allan Eustis is in Wyoming observing their post-election certification process and receiving an education about canvassing procedures after an election. Laramie County has a secure routine and backup process. Trip report forthcoming upon Allen's return.
- Allen forwarded a note about CNN's Lou Dobbs Tonight, which featured an interview with Verified Voting's founder, Stanford computer science Professor David Dill, concerning the failed pre-election Logic & Accuracy (L&A) tests of voting machines in Pinellas County, Florida last week.
- There will be several NIST employees attending upcoming logic and accuracy tests in WA, DC, and MD. Follow-up notes will be sent out.
- Helen Purcell mentioned that they were conducting L&A tests on August 29th. They are having problems with their DREs because of their size. Not everything is able to fit on one computer; it takes more like 12, as they have over 7,000 ballot styles. They have new legislation in place and must count certain counties (approx 2%).
- John Wack and Nelson Hastings will be traveling to DC on Friday to observe Q&A tests.
- Nelson introduced Stephen Quinn from the Computer Security Division (CSD).
- Alternative dates of Tuesday or Thursday were suggested for the teleconferences. Nelson has sent out an email with new dates.
Basic Assumptions:
- Steve gave a quick introduction regarding CSD's plans to provide various security input to the group. Sections will be introduced into the group for vetting. A schedule of deliverables will be posted on the web. For the August 23rd meeting, the discussion will center around Basic Assumptions, for which a bulletized package was forwarded before the meeting.
- General comments about the section's organization were discussed, including the context of the bullets. The bullets are being provided as background material and as the framework for writing the security section.
- Page 1:
Bullet 1: This bullet discussing voting systems should be replaced with David Flater's definition of voting systems and voting process.
Bullet 2: Voter registration systems are not part of the voting system.
Bullet 3: Clarify that the polling place is part of the voting system.
Bullet 4: Procedures for running elections are a part of the voting process but not a part of the voting system and are therefore outside of scope.
- Page 2:
Bullet 1: Regarding "changes should be inexpensive": what kind of changes are we talking about? It was decided to remove this bullet; it would be given as a verbal guide.
- Page 3:
Bullet 6: Discussion about "possible" adversaries.
- Page 4:
Add a bullet about certification testing not guaranteeing 100% against vulnerabilities.
- Page 5:
Methods regarding the voter registration system will eventually appear in the VVSG, not immediately.
Last Bullet: Needs adjustment. How much tampering is possible? The degree of effect needs to be accounted for as well as the risk of detection.
- Page 6:
Bullet 1: Not broad enough. Needs to include the states' view.
Last Bullet: Intention of this bullet? Needs to have procedures specified and the operational impact of the VVSG.
- Page 7:
Bullet 1: Vulnerabilities during the life cycle need to be addressed. This bullet needs to be rewritten to make the context larger.
- Page 8:
Bullet 1: This bullet sounds like an "absolute". It should be rewritten to change the wording to "shall minimize".
* Add a bullet about transparency and documentation.
- Page 9:
Small changes.
- Document Overview:
Some organization would be helpful. Is this comprehensive enough? Steve welcomes comments offline.
- Transparency and documentation are not covered; voter confidence is a part of transparency.
- Question: If a voter system uses a Cox product, are we going to deal with compliance issues? The answer is yes.
- This is a good starting point for a white paper that needs to be done to address these bullets in more detail. Ron will work on a draft. Steve would like comments by next Wednesday, August 30, 2006, including next steps.
Meeting adjourned at 11:45 a.m.
Next teleconference: Thursday, September 7 at 10:30.
Last updated: July 25, 2007