On Mon, Mar 01, 2004 at 02:07:20AM -0000, Niall Douglas wrote:
> > Data signing only works for the person who checks the signature and since I'm not going to be let near a machine in order to check the ROM signature, it's no good for me. It's also no good for people who have no idea what a "ROM signature" is. They shouldn't have to know.
> I was more thinking of the data signing mechanisms used to ensure CIA wire tap boxes haven't been compromised. These boxes get stuck in the wild so there's a chance they could be interfered with by an outside party. Basically it's a loopy state machine whereby the software is encrypted with a key and that key is derived from the signature of the encrypted image. Basically if you alter the image you must alter its signature thus losing the ability to run it - and it can't be faked.
Unless you take out the bit that actually cares about the signature. Maybe not possible in a single chip custom listening device but quite possible in a machine built from off the shelf chips and building voting machines from anything except off the shelf chips is not going to change any time soon.
Something(s) on the board must be the key to the trust system, usually the processor but maybe there are multiple chips that check the signatures. You only need to replace these with look-alikes that will also trust your switched image. No one can discover this without examining the chip layout under an electron microscope, rather impractical.
> > How do I check the signature of a PCI controller or a chip that's labelled as a Motorola 68000 anyway?
> You'd use one of the military spec processors. They are hardened to EMP and are very hard to hack into. This is a good thing, given they control the world's nuclear arsenal.
They don't need to be hacked, they just need to be replaced with something that looks the same and appears to function the same until it gets the "switch to vote stealing mode" signal. There's no way of calculating a signature from an IC, you have to break the packaging and examine the circuits.
> If people will insist on using off the shelf components, they will have this problem. When I was working for EuroFighter, I was appalled to discover they use x86 kit and Windows which is totally unsuitable.
> Commercial off the shelf kit is mass produced cheaply. It's not of high quality and certainly not of high security. As an example, DEC VMS didn't have a single root exploit in 17 years.
The voting machines are using m68k and a very small custom OS which is little more than a loader. It's probably very secure as it had almost no functionality. It's also got ECC RAM.
The counting machine however is Win 98 + Access on a non-ECC PC! Then again it only has a quick job to do that can be verified in other ways.
> > We actually have a very secure system at the moment. It's secure because people from all sides of the election are keeping one another honest. There is no single point of failure. The ballot boxes are watched by multiple people (who don't trust each other) from the time they're opened to the time they're emptied.
> I think it's less secure than you might think. I have no Irish examples, but vote rigging is as old as time and it never completely goes away even with the very best of systems.
> Nice example is "the shuffle". Send 1 punter in with a blank piece of paper, he puts that in the box and comes back with a stamped ballot. Fill that out, send the next punter in with that and he comes back with another blank. Repeat until no punters left, then go in yourself with the last ballot. Everyone gets a tenner.
> Computers will eliminate that.
> Think about the other areas where public access is granted to ensure public confidence - most government meetings e.g. trials, Dail debates, public archives - even FOIA. All these are too technical for the lay person. Voting software is an identical issue - the lay person won't and can't understand, but having the free access is what's important.
Dail debates are not beyond the layman, in fact the Dail has several men who are as lay as it gets. The other examples can occasionally get very complicated but I'd imagine there are very few people who get convicted without actually understanding why.
> However, I really do think if people could vote say by mobile phone, you'd get a lot more people voting (even better if the phone asked you for a vote on polling day). So to me, any substantially improved voting system must have this feature. Just replacing paper ballots with an electronic system seems pointless to me - one is spending money for zero gain. Of course, current mobile phones aren't secure enough and neither will be the next generation. But maybe thereafter given how much they want us to buy stuff using them, e.g. a distributed self-repairing peer to peer voting network based on all mobiles reaching a consensus (and attacking every mobile phone in the country is a tad hard).
I don't think technological security is the issue here, personal security is much more important. Mobile phone voting in the North would be a good laugh, where the bloke looking over your shoulder, watching you vote, wears a balaclava for a bit of petrol bombing fun at the weekend. Even taking threats and violence out of the mix, remote voting allows vote selling.
The tests done in the UK showed very small increases in turnout,
F