Need a WinCE expert - voting machine related - Windows CE

  1. Need a WinCE expert - voting machine related

    Folks,

    My name is Jim March. I'm an activist in the area of electronic voting
    reform and I need to find a credible expert in Windows CE *fast*.

    There is a serious flaw in the certification of the Diebold touchscreen
    voting machine product line. To complete the documentation trail on
    this issue, we need a "declaration" from a reasonably qualified
    individual who deals with Windows CE.

    Google my name in quotes with the word "Diebold" if you want to confirm
    I'm for real.

    The short form:

    Diebold's entire touchscreen voting machine product line is based on
    Windows CE (3.xx series). These things are scattered across California
    and a slew of other states and are the sole voting system for the
    entire states of Georgia and Maryland.

    In 37 states, the state can't begin the state approval/certification
    process until the Federal certification is done. The Federal process
    involves a source code review at an "independent testing authority"
    paid for by the vendor - in Diebold's case, Wyle labs in Huntsville AL.

    According to the Federal Election Commission rulebook on certification,
    any code that is "commercial off the shelf" ("COTS") and is not
    modified in ANY way for the voting machine doesn't need to go through
    source code review. The test lab is supposed to check to make sure
    it's really "unmodified COTS".

    The issues:

    1) The lab is on record saying that they don't know how to make sure
    something described as "COTS" really is. They have apparently never
    heard of hashes, checksums or binary compares. Source: a California
    legislative hearing dated 3-27-06; we have a short 6 page summary of it
    with key quotes at:

    http://www.bbvforums.org/cgi-bin/for...197/27598.html

    At the end of the six-page "showdown in california" PDF you'll find
    links to the entire 154-page transcript if you can stand that much
    Dilbert's-boss-grade stupidity in one sitting...

    2) Wyle claims (in that same hearing) that Diebold didn't release the
    CE code to them, and hence they just assumed it was COTS. This is
    backed up by a Diebold internal EMail released as one of the two major
    "dumps" of Diebold internal data in 2003, in which the head of R&D for
    Global Election System (now bought by Diebold) ordered underlings not
    to release CE source code to Wyle labs or any other:

    http://www.sims.berkeley.edu/~ping/d.../msg00055.html

    3) We even have the Wyle certification report for the latest Diebold
    touchscreen variant showing what source code they DID review - nothing
    even remotely looking like CE stuff is in there:

    http://www.bbvforums.org/forums/mess...0001-32747.pdf

    ...particularly not NK.BIN or anything close - my understanding is that
    the kernel needs to be compiled custom for each build?

    4) The FEC definition of "COTS" as it applies to voting machines can be
    found at:

    http://www.eac.gov/election_resources/vss.html

    Look in Appendix A: Glossary, Volume 1 (filename v1aa.doc). The
    definition reads:

    -----
    Commercial, readily-available hardware devices (such as card readers,
    printers, or personal computers) or software products (such as
    operating systems, programming language compilers, or database
    management systems). These devices and software are exempted from
    certain portions of the qualification testing process so long as such
    products are not modified in any manner for use in the voting system.
    -----

    Note the words "any manner"...

    ===

    What all this means is simple: my understanding is that since CE is
    more of a "kit" than a finished product such as other versions of
    Windows, and since MS makes the source code available to vendors such
    as Diebold who can modify any part of it they want, and some bits HAVE
    to be custom for the hardware, there is no way to possibly describe CE
    as "COTS".

    If that's the case, and somebody with at least basic credentials (as in
    a degree plus some work experience building CE systems) will testify to
    that on paper, we can get Diebold thrown out of 37 states. That in
    turn will throw these jokers out of the elections biz (we haven't even
    gotten into how the central tabulator is an MS-Access database and
    laughably hackable yet).

    Is anybody willing to state on the record what's going on with CE?

    If so, please drop me EMail: jmarch@prodigy.net - I'll get you a blank
    declaration template in your choice of MS-Word or OpenOffice formats,
    with instructions.

    Note that there's a lawsuit in Georgia going on right now that won't
    survive an initial motion to dismiss unless they have such a
    declaration in hand stat. They may have as little as three weeks.
    Georgia is one of the 37 "Federal cert required" states...if the
    Federal cert was obtained via fraud, then it's not worth its weight in
    spit and we win in GA.

    It ain't a lot of work to do a declaration and hey, it's your vote at
    risk too.

    Thanks for listening.

    Jim


  2. Re: Need a WinCE expert - voting machine related

    Sigh, it's auto-chopping my EMail addy.

    Try:

    jmarch -at- prodigy.net

    Thanks,

    Jim




  3. Re: Need a WinCE expert - voting machine related

    This is hardly the forum for dealing with such things. No one experienced
    enough to be considered an expert on the subject would consider responding
    with any kind of authoritative response in a public forum such as this. That
    would require a significant payment since serious legal counsel would need
    to be involved. It is a serious legal matter requiring significant
    consideration and proper legal advice. Ultimately it *sounds like* there is a
    discrepancy over the definition of COTS and on the means and/or plausibility
    of verifying that it is unmodified. There is no simple answer to that as it
    depends on definitions (legal and government mandated ones in this case).

    --
    Steve Maillet
    EmbeddedFusion
    www.EmbeddedFusion.com
    smaillet at EmbeddedFusion dot com




  4. Re: Need a WinCE expert - voting machine related


    Steve Maillet (eMVP) wrote:
    > This is hardly the forum for dealing with such things. No one experienced
    > enough to be considered an expert on the subject would consider responding
    > with any kind of authoritative response in a public forum such as this. That
    > would require a significant payment since serious legal counsel would need
    > to be involved. It is a serious legal matter requiring significant
    > consideration and proper legal advice. Ultimately it *sounds like* there is a
    > discrepancy over the definition of COTS and on the means and/or plausibility
    > of verifying that it is unmodified. There is no simple answer to that as it
    > depends on definitions (legal and government mandated ones in this case).
    >
    > --
    > Steve Maillet
    > EmbeddedFusion
    > www.EmbeddedFusion.com
    > smaillet at EmbeddedFusion dot com


    Steve,

    Actually, such a declaration is simple (legally and practically) so
    long as the person testifying does NOT make conclusions about how the
    facts stated connect with the Diebold product line.

    To do THAT, a detailed study of the Diebold products would be necessary
    and various people at the federal, state and local levels of gov't
    (plus Diebold) have made that difficult.

    However, to make statements as to how CE works (esp. the 3.xx family)
    and whether or not a "COTS build" is even possible is much simpler.
    Thankfully, telling the honest truth in America doesn't tend to get one
    in hot water.

    It's not like the facts of the matter are hidden. This diagram on the
    Microsoft CE pages shows in blue elements of the "OEM layer" that need
    to get customized or built outright:

    http://msdn.microsoft.com/library/de...tWindowsCE.asp

    The problem is that the courts are way behind the curve on
    understanding "geekiness". Part of the issue is that the legal mind
    and the geek mind operate at complete opposites. With one exception,
    all of the nine lawyers I know fairly well are technoturnips barely
    chugging along on old gear and struggling every so often to recover
    from the latest phish attack "because it looked so real!". Sigh. This
    crosses over into how judges look at this stuff. We SHOULD be able to
    go into court, say "here's the manual" and go from there. Fat chance.

    So instead, somebody with credentials needs to tell the simple truth in
    language as simple as possible. And then good stuff happens...or bad
    stuff happens to bad people, which is even more fun.

    Anyways. Telling the truth doesn't hurt. Making unwarranted
    conclusions does, no question!

    Fortunately, somebody interested in telling the truth did read this
    thread. In public? Nope. Hence I got my EMail addy in there...

    Jim March


  5. Re: Need a WinCE expert - voting machine related

    >It's not like the facts of the matter are hidden. This diagram on the
    >Microsoft CE pages shows in blue elements of the "OEM layer" that need
    >to get customized or built outright:
    >
    >http://msdn.microsoft.com/library/de...tWindowsCE.asp



    It's not that simple. The picture is nice and pretty, sort of, but it's a
    theoretical abstraction of reality. Actual reality is much more complex. As
    the saying goes, the devil is in the details. Certainly one can create a
    device that does not alter any of the actual OS bits provided by Microsoft.
    But again the challenge of being able to verify that is the case is rather
    significant. It is also possible to completely alter the BEHAVIOR of the
    system without altering any of the MS bits. (This is true on the desktop as
    well, search Google for "root filter kit" to see some possibilities.) So
    would that still be considered unmodified COTS? As I said it all comes down
    to definitions of "modification" and "COTS". And in this case the law isn't
    particularly precise in its definitions of that. (Imagine my surprise ;-) )

    --
    Steve Maillet
    EmbeddedFusion
    www.EmbeddedFusion.com
    smaillet at EmbeddedFusion dot com
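
The thread's two technical points, as an added example that is not part of the original posts: a hash comparison of a delivered file tree against a reference manifest, which also lists files that appear in no reference at all, since matching hashes only show that the reference files are unchanged and say nothing about what was added around them. The manifest format, the `audit_cots` function and the sample file names and contents are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_cots(root: Path, reference: dict[str, str]) -> dict[str, list[str]]:
    """Compare every file under root with a reference manifest (name -> SHA-256)."""
    ref = {name.lower(): h.lower() for name, h in reference.items()}
    found = {p.relative_to(root).as_posix().lower(): sha256_file(p)
             for p in root.rglob("*") if p.is_file()}
    return {
        "unmodified": sorted(n for n in found if ref.get(n) == found[n]),
        "modified": sorted(n for n in found if n in ref and ref[n] != found[n]),
        "missing": sorted(n for n in ref if n not in found),
        # Present on the device but in no reference: not covered by a COTS claim.
        "unlisted": sorted(n for n in found if n not in ref),
    }


def demo() -> dict[str, list[str]]:
    # Constructed sample data: file names and contents are illustrative only.
    vendor = {"coredll.dll": b"vendor build A", "filesys.exe": b"vendor build B",
              "gwes.exe": b"vendor build C"}
    reference = {n: hashlib.sha256(d).hexdigest() for n, d in vendor.items()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "coredll.dll").write_bytes(vendor["coredll.dll"])        # untouched
        (root / "filesys.exe").write_bytes(b"vendor build B, patched")   # altered
        (root / "oemdriver.dll").write_bytes(b"device-specific code")    # added
        return audit_cots(root, reference)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status}: {names}")
```

Only the "unmodified" list supports an exemption from source review; anything reported as modified or unlisted is code that no reference hash vouches for.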


