On 1 Mar 2004 at 0:46, Fergal Daly wrote:
Data signing techniques could fix this and all software has bugs. Also, you don't need a perfect voting system, just one which is better (more accurate) than the current system - and I'm personally not too bothered about a flawed system which has in place an active method of improvement over time.
Data signing only works for the person who checks the signature and since I'm not going to be let near a machine in order to check the ROM signature, it's no good for me. It's also no good for people who have no idea what a "ROM signature" is. They shouldn't have to know.
I was more thinking of the data signing mechanisms used to ensure CIA wire tap boxes haven't been compromised. These boxes get stuck in the wild so there's a chance they could be interfered with by an outside party. Basically it's a loopy state machine whereby the software is encrypted with a key and that key is derived from the signature of the encrypted image. Basically if you alter the image you must alter its signature thus losing the ability to run it - and it can't be faked.
There's loads of this kind of tech used in the security services. I had a contract in this arena once. It's a bit more pricey but these are one off purchase machines.
How do I check the signature of a PCI controller or a chip that's labelled as a Motorola 68000 anyway?
You'd use one of the military spec processors. They are hardened to EMP and are very hard to hack into. This is a good thing, given they control the world's nuclear arsenal.
And so far I've only been talking about intentional alterations and software bugs, there's radiation induced bit-flipping to consider too. It happened in Belgium, some guy got 4096 more votes than his own party's total, so they spotted it and the expert conclusion was a bit-flip. It's probably happened lots more in non-spectacular ways but it's never spotted because there's no paper trail.
If people will insist on using off the shelf components, they will have this problem. When I was working for EuroFighter, I was appalled to discover they use x86 kit and Windows which is totally unsuitable.
Commercial off the shelf kit is mass produced cheaply. It's not of high quality and certainly not of high security. As an example, DEC VMS didn't have a single root exploit in 17 years.
There's also the possibility of hardware glitches where all the day's votes get wiped etc etc. There's a zillion things that can go wrong. A backup record that's not susceptible to microscopic influences is the only remedy.
Even the current system loses a small percentage of votes. I'm far more worried about them getting changed without anyone realising - destroyed is fine by me so long as we know there's some lost.
We actually have a very secure system at the moment. It's secure because people from all sides of the election are keeping one another honest. There is no single point of failure. The ballot boxes are watched by multiple people (who don't trust each other) from the time they're opened to the time they're emptied.
I think it's less secure than you might think. I have no Irish examples, but vote rigging is as old as time and it never completely goes away even with the very best of systems.
BTW when I said "open", I meant it being able to be altered by volunteers a bit like a sourceforge project - not just publishing the source. This brings the formidable security & debuggability advantages of free software to bear. By far and away free software is *ideal* for these kinds of software as they don't need to be innovative.
That would be great but it doesn't address the trust problem. The citizens still have to take the word of an elite. It's a bigger more varied elite but still.
No, I must disagree with this. The nature of free software is that it's totally anarchic - more than likely you'd get people crying wolf more often than genuine illustration of problems. Remember it's also transnational - an Irish person reporting a substantial flaw just before the Americans vote indicates strongly to everyone there's no party political agenda at work.
Think about the other areas where public access is granted to ensure public confidence - most government meetings, e.g. trials, Dail debates, public archives - even FOIA. All these are too technical for the lay person. Voting software is an identical issue - the lay person won't and can't understand, but it's having free access that's important.
A system like this would be much cheaper to implement than the proposed one and it wouldn't need an army of operators to control and monitor all the machines - if the machine isn't controlling the recording of votes then there's nothing to gain from tampering with it.
I completely agree - this government's attempt is a complete balls up and rather than break a reasonably working system, better to draw a line under it and end the project.
However, I really do think if people could vote, say, by mobile phone, you'd get a lot more people voting (even better if the phone asked you for a vote on polling day). So to me, any substantially improved voting system must have this feature. Just replacing paper ballots with an electronic system seems pointless to me - one is spending money for zero gain. Of course, current mobile phones aren't secure enough and neither will be the next generation. But maybe thereafter, given how much they want us to buy stuff using them, e.g. a distributed self-repairing peer to peer voting network based on all mobiles reaching a consensus (and attacking every mobile phone in the country is a tad hard).
Cheers, Niall
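The tamper-evident image loading Niall sketches above (a decryption key that depends on the image itself, so an altered image can no longer be run) can be shown with a short added example that is not part of the thread. It is my own illustration: a random master key is wrapped under the SHA-256 digest of the encrypted image at provisioning time, and the loader re-derives it from whatever image is actually present, so any change to the image, whether an edit or a single radiation-induced bit-flip, unwraps the wrong key and the integrity tag fails. HMAC-SHA256 in counter mode stands in for a real cipher such as AES-GCM, and the wrapped key is assumed to sit in write-once storage the image cannot rewrite.

```python
import hashlib
import hmac
import os

def _keystream(key: bytes, length: int) -> bytes:
    # Illustrative stream cipher: HMAC-SHA256 over a counter (use AES-GCM in practice).
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _split(master: bytes):
    # Derive separate encryption and MAC keys from the master key.
    return (hashlib.sha256(b"enc" + master).digest(),
            hashlib.sha256(b"mac" + master).digest())

def provision(plaintext: bytes):
    """Manufacturer side: encrypt-then-MAC the software, then wrap the random
    master key under the digest of the finished image. Returns (image, wrapped_key);
    wrapped_key is assumed to go into write-once storage (ROM/fuses)."""
    master = os.urandom(32)
    enc, mac = _split(master)
    ct = _xor(plaintext, _keystream(enc, len(plaintext)))
    image = ct + hmac.new(mac, ct, hashlib.sha256).digest()
    wrapped = _xor(master, hashlib.sha256(image).digest())  # key now depends on the image
    return image, wrapped

def load(image: bytes, wrapped: bytes):
    """Device side: unwrap the key using the image actually present. A tampered
    image yields a different digest, hence a wrong key, and the tag check fails."""
    master = _xor(wrapped, hashlib.sha256(image).digest())
    enc, mac = _split(master)
    ct, tag = image[:-32], image[-32:]
    expected = hmac.new(mac, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # refuse to run: image does not match what was provisioned
    return _xor(ct, _keystream(enc, len(ct)))

def flip_bit(image: bytes, offset: int) -> bytes:
    """Defender's self-test: simulate a one-bit corruption (edit or cosmic-ray flip)."""
    b = bytearray(image)
    b[offset] ^= 0x01
    return bytes(b)

if __name__ == "__main__":
    img, w = provision(b"tally ballots; print paper trail")  # constructed sample software
    print(load(img, w))                 # original image runs
    print(load(flip_bit(img, 5), w))    # corrupted image is refused (None)
```

Because the wrapped key is derived from public data, anyone holding both the image and the wrapped key can recover the master key; what the construction buys is tamper-evidence for the image, not secrecy of the software, and only while the wrapped key lives in storage the image cannot modify.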