On Sun, Feb 29, 2004 at 08:08:43PM -0000, Niall Douglas wrote:
The problem is that you don't know that the source code you saw is actually running on the machine and no matter how much you study it, you'll never really know that it's actually 100% bug free.
Data signing techniques could fix this and all software has bugs. Also, you don't need a perfect voting system, just one which is better (more accurate) than the current system - and I'm personally not too bothered about a flawed system which has in place an active method of improvement over time.
Data signing only works for the person who checks the signature and since I'm not going to be let near a machine in order to check the ROM signature, it's no good for me. It's also no good for people who have no idea what a "ROM signature" is. They shouldn't have to know.
How do I check the signature of a PCI controller or a chip that's labelled as a Motorola 68000 anyway?
A "well funded adversary" could very easily make a ROM chip containing 2 images, switchable in some way (possibly by radio). This is all a bit much but in 10 years how much will it cost to do this? These machines will be used for 20 years.
And so far I've only been talking about intentional alterations and software bugs, there's radiation induced bit-flipping to consider too. It happened in Belgium, where some guy got 4096 more votes than his own party's total, so they spotted it and the expert conclusion was a bit-flip. It's probably happened lots more in non-spectacular ways but it's never spotted because there's no paper trail.
There's also the possibility of hardware glitches where all the day's votes get wiped etc etc. There's a zillion things that can go wrong. A backup record that's not susceptible to microscopic influences is the only remedy.
We actually have a very secure system at the moment. It's secure because people from all sides of the election are keeping one another honest. There is no single point of failure. The ballot boxes are watched by multiple people (who don't trust each other) from the time they're opened to the time they're emptied.
BTW when I said "open", I meant it being able to be altered by volunteers a bit like a sourceforge project - not just publishing the source. This brings the formidable security & debuggability advantages of free software to bear. By far and away free software is *ideal* for these kinds of software as they don't need to be innovative.
That would be great but it doesn't address the trust problem. The citizens still have to take the word of an elite. It's a bigger more varied elite but still.
The worst thing in my mind is to make these boxes and use them unchanged - this gives time for special interests to discover how to compromise them with no opportunity for the holes to be found and sealed.
Haven't several studies shown that open source and security by obscurity are about equal? Open source beats SBO for fix time but in this case, you only need to fix the hole for polling day, so it's not a huge matter. In fact recently several exploits have been found and fixed after first being used by blackhats (Debian's recent compromise was a case I think). This would be disastrous for democracy as the people who just stole the election are now in power and unlikely to look too hard for the security hole they used to get there.
I actually think that SBO could be better for voting machines than open source security. Many holes in MS software (for example) are found through repeated probing of interfaces looking for buffer overruns etc. This is only possible if you have unrestricted access to a copy of the software to play with. If you have no voting machine, you'll have to wait a few years between attempts to compromise it. So finding the holes will be difficult.
That said, I believe it should be open source because a paper trail makes software security a relative non-issue.
A paper trail is only useful if what is printed out is identical to the vote recorded electronically and if humans continue to manually count the paper copies (and the latter is precisely what the government is trying to save costs upon).
The paper trail is most useful when what is printed out _differs_ from what's recorded electronically. In fact its whole raison d'être is to catch this problem. When there's no difference, its only job is simply to reassure people that the system is working ok (also important).
As for manual counting, the proposed system (and any other system that puts computers in control) has massive staff overheads. Each of the 6,300 machines needs an operator and polling stations are open for 14 hours. The government will be training 15,000 people in the operation of these machines. The number of counting staff used to be about 2,300.
Also the machines need to be stored in a secure and controlled environment whereas ballot boxes were stored in any old cowshed. The budget for Waterford's storage for this year is 50,000. That means about 1 million per year just to store the things. Then there's transport - they're heavy. There's also batteries.
The supposed big problem with the current system is accidental vote spoiling. For me, the best solution to that is computer assisted voting. The computers help a voter produce an unspoiled ballot paper. The computers can also help the counters to classify and count the papers. At no stage is a computer responsible or in control.
A system like this would be much cheaper to implement than the proposed one and it wouldn't need an army of operators to control and monitor all the machines - if the machine isn't controlling the recording of votes then there's nothing to gain from tampering with it.
F
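As an added illustration that is not part of this thread, the following Python script shows what the reconciliation argued for above looks like in practice: comparing the electronic tally against a manual count of the paper trail, and applying the heuristic behind the Belgian case (a discrepancy of exactly 4096 votes is one bit of a binary counter). All candidate names and vote counts are constructed sample data, not real election figures.

```python
# Reconcile an electronic tally against a manual count of the paper trail.
# Sample data is constructed for this example; "Alice" carries a discrepancy
# of exactly 2**12 = 4096, the same size as the Belgian bit-flip incident.
ELECTRONIC = {"Alice": 4610, "Bob": 1207, "Carol": 880}
PAPER = {"Alice": 514, "Bob": 1207, "Carol": 880}
PARTY_LIST_TOTAL = 3000  # constructed: votes cast for the party list as a whole


def reconcile(electronic, paper):
    """Return {candidate: (electronic, paper)} for every candidate whose
    two totals disagree. Candidates missing from one source count as 0."""
    names = set(electronic) | set(paper)
    return {
        n: (electronic.get(n, 0), paper.get(n, 0))
        for n in sorted(names)
        if electronic.get(n, 0) != paper.get(n, 0)
    }


def single_bit_flip(a, b):
    """If a and b differ in exactly one bit, return that bit's position,
    otherwise None. A difference that is a single power of two is the
    signature of one flipped bit in a binary counter."""
    x = a ^ b
    if x and (x & (x - 1)) == 0:
        return x.bit_length() - 1
    return None


def plausibility_violations(candidate_votes, list_total):
    """Candidates whose preference votes exceed the party list total.
    This is the check that exposed the Belgian 4096-vote anomaly: it needs
    no paper trail, but only catches errors that produce impossible values."""
    return sorted(n for n, v in candidate_votes.items() if v > list_total)


def audit(electronic, paper, list_total):
    """Combine the checks into one report: every mismatch, annotated with
    the bit position if a single bit-flip would explain it."""
    report = {}
    for name, (e, p) in reconcile(electronic, paper).items():
        report[name] = {"electronic": e, "paper": p, "bit_flip": single_bit_flip(e, p)}
    return {"mismatches": report,
            "impossible": plausibility_violations(electronic, list_total)}


if __name__ == "__main__":
    for k, v in audit(ELECTRONIC, PAPER, PARTY_LIST_TOTAL).items():
        print(k, v)
```

The plausibility check alone is what caught the Belgian error, because the corrupted total happened to exceed a known bound; a flip in a lower bit would have produced a perfectly believable number, which is why the comparison against the paper count is the check that actually matters.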