On Wed, Mar 03, 2004 at 03:28:52AM -0000, Niall Douglas wrote:
Fair enough. I assumed they'd be more expensive. Still doesn't change the fact that when you look at the circuit board all you can see is a plastic package and that there's no non-destructive way of finding out if you've really, really got a genuine xyz military hardened processor or just something pretending to be one.
x86 processors are /vastly/ more complex than they need to be because of the legacy requirements. Really they're a RISC CPU nowadays with a translation front-end converting the x86 into RISC ops. However that said, there is a huge scale of economy in x86 chips only ARM could probably come close to - hence me suggesting the Atmel.
Thank you, I know what modern x86s do and why they're cheap, hence my impression that it would be cheaper than a specialised processor.
Again, it doesn't matter in the slightest whether the chip is hardened or commodity, cheap or expensive or anything else, it will still be easy to replace it with a rigged look-a-like.
I think you're thinking too much in how it could be compromised on a technical level whilst ignoring the feedback effects of a compromise. Voting is not like a bank vault where if you break it you win outright - at best, you get four years or so of power. In reality, many factors can play to make your term much shorter and certainly if it emerged that an election was tampered with, any sitting government would have to call another election. The media simply wouldn't permit otherwise.
If you look at the US 2000 presidential elections which were almost certainly rigged, nevertheless Congress allocated quite a lot of money to replace the voting equipment despite the major spending cutbacks of the Bush administration. Unfortunately that's gone on Diebold voting machines which make the Irish voting machines look fantastic, but it's a good example of the feedback system working.
This current government has a slim majority and they have gutted the Freedom of Information Act despite public and media outcry. They are probably about to pass fundamentally change our voting system a completely united opposition and massive media and public discomfort. Once you have a majority in the Dail you can do what you like as long as it's constitutional and in 5 years that covers a hell of a lot of bad stuff. There is no "congress" which will come to the rescue. The closest thing is the Seanad which can only delay legislation, it cannot stop it.
You've gone way outside the requirements for a voting machine here. I agree with you that a practically tamper proof machine is possible, however we are talking about machines which will spend 364 days a year switched off in a warehouse in the back of beyond and then they'll spend a full day in an unfriendly environment being used in private by punters.
What's important is not that the machines are tamper proof - it's that they're *fairly* tamper proof, enough that people trust them and the process. If they emerge to not be so (and there's plenty of journalists sniffing around here never mind whistleblowers), there will be substantial feedback from the public to improve the system. Which means politicians get to give more wads of cash to their friends and thus everyone is happy.
"Fairly" is not enough. The stakes are very high, high enough that someone could decide to invest quite a chunk of money into winning. Finding tampering after the fact is a disaster, it's possible that laws would be unmade, tax "uncollected" and criminals "unconvicted" and it totally undermines the credibility of any future system.
There is only 1 improvement needed and it makes tamper proofing, open source and everything else nice to have but not essential. Add paper. Once you have paper, it doesn't matter how badly the machines perform whether through tampering or through other errors the paper will not change. Paper is not perfect of course but it's a hell of a lot harder to fiddle and the attacks are well known and well understood by the people who are keeping guard.
Everything else is doing things the hard way.
One problem is that it greatly complicates vote storage and anonymity. I can't see it ever being accepted because most people want to know that when they cast their vote it's done and nothing can undo it.
I did say peer to peer and distributed - therefore there is no central server apart from the trust delegator (which says which phones can vote and which can't). Anonymity is easy to implement in a massively distributed system. And what I really like about such a system is that anyone can ask their mobile what votes were cast for the country and get precisely the same figures as the TV or anyone else gets - obviously if they don't, one can kick up a fuss. My mobile is equal to Bertie's mobile in every way in such a configuration.
I don't see how distributed and peer to peer makes vote revocation and recasting any easier. If anything it makes it harder because you could have multiple copies of both your new and your old vote(s) floating around the system.
The requirements for voting are unusual. In this system you must retain anonymity without allowing multiple voting which is quite different to Freenet for example. In the system you favour, you must combine anonymity with the ability to cancel your old vote and vote again. Also, anonymity and audit trails do not go well together.
While it may be theoretically possible to design this system correctly, it would be complex, it would still require that you trust the central server (which could wrongly deny you your right to vote or could be DOSed) and most importantly, it would be totally incomprehensible to the vast majority of voters, including many IT professionals.
F