Is anyone at IFSO doing anything on the e-voting campaign at the moment?
I realize there are at least two other campaigns opposing the rapid introduction of electronic voting in Ireland.[1] Is there still a desire for us to give the free software angle on this, maybe along the lines of 'Electronic voting must not use secret software'.
Whom would we be targeting? I get the impression we'd have more luck giving choice arguments to the opposition than in attempting to convince the government to see reason. If the arguments are good enough, Pat Rabbitte and the like would do the hard work of bringing it to the mainstream media.
- Cathal.
[1] * Irish Citizens for Trustworthy E-voting http://evoting.cs.may.ie/
    * At What Cost? http://www.atwhatcost.info/
Cathal Mc Ginley cathalmcginley@eircom.net writes:
Is anyone at IFSO doing anything on the e-voting campaign at the moment?
Aidan Delaney is(?) working on this.
Is there still a desire for us to give the free software angle [...] 'Electronic voting must not use secret software'.
1. Voting *must* be verifiable (paper audit trail)
2. The totaling system *should* be transparent
(Both are missing from the planned system. Lesser issues exist too.)
Without #1, we don't know if we live in a democracy or not.
On #2, the source code *should* be viewable. There is no legitimate reason for an honest government to hide the instructions that will be used to total the votes - but this is not fundamental to democracy.
As a liberty-in-software group, I think we're in a good position to comment on #2 - but I think we'd have to be careful not to push #1 out of politicians' heads.
"Dear Ms. Politician, Regarding the use of electronic voting equipment, IFSO seconds the proposal of [the good e-voting group], but we would also like to comment on the non-transparency of the voting software .. yakkity yakkity...."
If you can work on this, you could talk to Aidan or write your own letter (which could be sent personally or as IFSO (after committee review (or something))).
Don't worry about who the target is. That can be figured out during or after the letter writing process - if you put off writing the letter it may never happen. The target will be someone non-technical, a mail to the e-voting list (@stdlib.net I think) will probably get the answer.
I'm surprised no-one's mentioned this so far, I watched it from start to finish the other day and it was fascinating. And before anyone starts complaining about the video being in Real Media format, be advised that a proprietary *nix player is available from the Real Media website (see foot of page), and a pre-release open source player is available from https://player.helixcommunity.org/.
adam
Moglen on Free Software as a Way of Life posted by mpawlo on Friday February 27, @08:40AM from the interesting-people dept.
Mary Bridges is back. This time good Mary has summarized a presentation professor and free-software guru Eben Moglen http://moglen.law.columbia.edu/ gave at Harvard Law School, February 23, 2004. Moglen is the general counsel of the Free Software Foundation http://www.gnu.org/. Among other things, Moglen discussed the SCO ./. IBM law suit. Professor Moglen stated:
'I feel somewhat overwhelmed at the prospect of trying to talk for any substantial length of time about a lawsuit that isn't going anywhere,' professor Eben Moglen told the audience.
Read Mary Bridges' recollection of the event http://cyber.law.harvard.edu/briefings/moglen.
Watch a streaming video http://media.law.harvard.edu:8888/ramgen/jolt/spring_04/2004-02-23_ae_0630-0830.rm (Real Media) of professor Moglen's presentation.
Also, Greplaw's coverage of Bridges' summary of Lessig's presentation at Radcliffe http://grep.law.harvard.edu/article.pl?sid=04/02/24/0318248&mode=flat.
[ about RealPlayer format]
and a pre-release open source player is available from https://player.helixcommunity.org/.
You've been tricked. That software is not open source or free software. It's an easy scam to fall for though, since they've made press releases which claim that the whole player is "open source" - a new low for RealNetworks IMHO.
The software at that site is released under a combination of 4 licenses, all quite long and newly written by RealNetworks. Both FSF and Debian have rejected all four.
The OpenSource team have certified *one* of those licenses as OpenSource - but that license only applies to parts of the interface, not the codec, so to use that player to view RealPlayer format videos, you must install the proprietary codec software too.
I mailed the JOLT@harvard people about a week before Eben's talk and asked that they make it available in a format which has a free software player - and they said they would. They made a previous talk (by Darl McBride) available in Speex format, but it took a few days extra so maybe if you check back to their speakers page in a few days, there will be a playable version.
In the mean time, a transcript of Eben's Harvard talk is at: http://www.groklaw.net/article.php?story=20040226003735733
And here's an Ogg of a previous (better, IMO) talk by Moglen: http://courses.durhamtech.edu/~jeremy/moglen/eben_moglen.ogg
You've been tricked.
Nah, I haven't. I use the "official" Real Player on Linux, because I don't really object to proprietary software, just the practices of proprietary software companies; and (personally) I accept source code that's open to /me/ as a form of open source software. My concern is that I've seen it reported both here and on the ICTE mailing list that there's no Real Player for Linux. There is, in fact there's (at least) two.
adam
<?php $s=array(74,65,112,104,112,72,32,59,45,41); for($i=0;$i<count($s);$i++){echo'&#'.$s[$i].';';} ?>
You've been tricked.
Nah, I haven't. [...] I accept source code that's open to /me/ as a form of open source software.
Ahh, but the source code is not open to you.
RealNetworks have been careful to create confusion about this. While they have made *some* of the interface source code viewable (but none free), the codec module that is needed to actually play the RealPlayer audio/video is completely proprietary/closed/hidden/etc.
Sigh. To avoid a(nother) wasteful flame war occurring on Monday morning, let me state for the record that I had no intention (or interest) in discussing the "open source-edness" of the Helix Player here. I was simply pointing out that players for Linux are available. Whether people choose to use them or not is their own decision.
adam
-----Original Message----- From: fsfe-ie-bounces@fsfeurope.org [mailto:fsfe-ie-bounces@fsfeurope.org]On Behalf Of adam beecher Sent: 28 February 2004 17:03 To: fsfe-ie@fsfeurope.org Subject: RE: [Fsfe-ie] Eben Moglen in Harvard
Ahh, but the source code is not open to you.
I don't need the codec. I wouldn't know what to do with it if I had it. *shrug*
adam
A recording playable with FS is now available: http://jolt.law.harvard.edu/images/jolt-moglen.spx
Cathal Mc Ginley wrote:
Is there still a desire for us to give the free software angle on this, maybe along the lines of 'Electronic voting must not use secret software'.
I think we need to acknowledge that by far the most important and most easily justifiable requirement is the verifiable paper audit.
My concern is that any additional demands (such as opening the sourcecode) which IMHO is justifiable, but far less justifiable than the paper trail, may detract from our ability to achieve the primary goal.
Ian.
On 28 Feb 2004 at 11:28, Ian Clarke wrote:
I think we need to acknowledge that by far the most important and most easily justifiable requirement is the verifiable paper audit.
My concern is that any additional demands (such as opening the sourcecode) which IMHO is justifiable, but far less justifiable than the paper trail, may detract from our ability to achieve the primary goal.
Personally I can't see much use for a paper trail if the source is fully open. However since it's unlikely the source would be made open (breach of contract or an expensive renegotiation), a paper trail is better than nothing.
At least they're better than Diebold machines anyway! ;) - though why we didn't just buy the Australian ones is beyond me (I'm guessing EU tariffs).
Cheers, Niall
On Sunday 29 February 2004 02:40, Niall Douglas wrote:
I think we need to acknowledge that by far the most important and most easily justifiable requirement is the verifiable paper audit.
My concern is that any additional demands (such as opening the sourcecode) which IMHO is justifiable, but far less justifiable than the paper trail, may detract from our ability to achieve the primary goal.
Personally I can't see much use for a paper trail if the source is fully open. However since it's unlikely the source would be made open (breach of contract or an expensive renegotiation), a paper trail is better than nothing.
The problem is that you don't know that the source code you saw is actually running on the machine and no matter how much you study it, you'll never really know that it's actually 100% bug free.
Open source is desirable but an independent paper audit trail, verified by each voter before it drops into the box is the only thing that can give an acceptable level of security and confidence.
http://lists.stdlib.net/mailman/listinfo/e-voting
is the place for an extended debate,
F
On 29 Feb 2004 at 14:01, Fergal Daly wrote:
Personally I can't see much use for a paper trail if the source is fully open. However since it's unlikely the source would be made open (breach of contract or an expensive renegotiation), a paper trail is better than nothing.
The problem is that you don't know that the source code you saw is actually running on the machine and no matter how much you study it, you'll never really know that it's actually 100% bug free.
Data signing techniques could fix this and all software has bugs. Also, you don't need a perfect voting system, just one which is better (more accurate) than the current system - and I'm personally not too bothered about a flawed system which has in place an active method of improvement over time.
BTW when I said "open", I meant it being able to be altered by volunteers a bit like a sourceforge project - not just publishing the source. This brings the formidable security & debuggability advantages of free software to bear. By far and away free software is *ideal* for these kinds of software as they don't need to be innovative.
The worst thing in my mind is to make these boxes and use them unchanged - this gives time for special interests to discover how to compromise them with no opportunity for the holes to be found and sealed. A paper trail is only useful if what is printed out is identical to the vote recorded electronically and if humans continue to manually count the paper copies (and the latter is precisely what the government is trying to save costs upon).
Cheers, Niall
On Sun, Feb 29, 2004 at 08:08:43PM -0000, Niall Douglas wrote:
The problem is that you don't know that the source code you saw is actually running on the machine and no matter how much you study it, you'll never really know that it's actually 100% bug free.
Data signing techniques could fix this and all software has bugs. Also, you don't need a perfect voting system, just one which is better (more accurate) than the current system - and I'm personally not too bothered about a flawed system which has in place an active method of improvement over time.
Data signing only works for the person who checks the signature and since I'm not going to be let near a machine in order to check the ROM signature, it's no good for me. It's also no good for people who have no idea what a "ROM signature" is. They shouldn't have to know.
How do I check the signature of a PCI controller or a chip that's labelled as a Motorola 68000 anyway?
A "well funded adversary" could very easily make a ROM chip containing 2 images, switchable in some way (possibly by radio). This is all a bit much but in 10 years how much will it cost to do this? These machines will be used for 20 years.
And so far I've only been talking about intentional alterations and software bugs, there's radiation induced bit-flipping to consider too. It happened in Belgium, some guy got 4096 more votes than his own party's total, so they spotted it and the expert conclusion was a bit-flip. It's probably happened lots more in non-spectacular ways but it's never spotted because there's no paper trail.
There's also the possibility of hardware glitches where all the day's votes get wiped etc etc. There's a zillion things that can go wrong. A backup record that's not susceptible to microscopic influences is the only remedy.
We actually have a very secure system at the moment. It's secure because people from all sides of the election are keeping one-another honest. There is no single point of failure. The ballot boxes are watched by multiple people (who don't trust each other) from the time they're opened to the time they're emptied.
BTW when I said "open", I meant it being able to be altered by volunteers a bit like a sourceforge project - not just publishing the source. This brings the formidable security & debuggability advantages of free software to bear. By far and away free software is *ideal* for these kinds of software as they don't need to be innovative.
That would be great but it doesn't address the trust problem. The citizens still have to take the word of an elite. It's a bigger more varied elite but still.
The worst thing in my mind is to make these boxes and use them unchanged - this gives time for special interests to discover how to compromise them with no opportunity for the holes to be found and sealed.
Haven't several studies shown that open source and security by obscurity are about equal? Open source beats SBO for fix time but in this case, you only need to fix the hole for polling day, so it's not a huge matter. In fact recently several exploits have been found and fixed after first being used by blackhats (Debian's recent compromise was a case I think). This would be disastrous for democracy as the people who just stole the election are now in power and unlikely to look too hard for the security hole they used to get there.
I actually think that SBO could be better for voting machines than open source security. Many holes in MS software (for example) are found through repeated probing of interfaces looking for buffer overruns etc. This is only possible if you have unrestricted access to a copy of the software to play with. If you have no voting machine, you'll have to wait a few years between attempts to compromise it. So finding the holes will be difficult.
That said, I believe it should be open source because a paper trail makes software security a relative non-issue.
A paper trail is only useful if what is printed out is identical to the vote recorded electronically and if humans continue to manually count the paper copies (and the latter is precisely what the government is trying to save costs upon).
The paper trail is most useful when what is printed out _differs_ from what's recorded electronically. In fact its whole raison d'etre is to catch this problem. When there's no difference, its only job is simply to reassure people that the system is working ok (also important).
As for manual counting, the proposed system (and any other system that puts computers in control) has massive staff overheads. Each of the 6,300 machines needs an operator and polling stations are open for 14 hours. The government will be training 15,000 people in the operation of these machines. The number of counting staff used to be about 2,300.
Also the machines need to be stored in a secure and controlled environment whereas ballot boxes were stored in any old cowshed. The budget for Waterford's storage for this year is 50,000. That means about 1 million per year just to store the things. Then there's transport - they're heavy. There's also batteries.
The supposed big problem with the current system is accidental vote spoiling. For me, the best solution to that is computer assisted voting. The computers help a voter produce an unspoiled ballot paper. The computers can also help the counters to classify and count the papers. At no stage is a computer responsible or in control.
A system like this would be much cheaper to implement than the proposed one and it wouldn't need an army of operators to control and monitor all the machines - if the machine isn't controlling the recording of votes then there's nothing to gain from tampering with it.
F
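The reconciliation described in the message above, as an added example that is not part of the original thread: a single flipped bit in a stored counter is only caught by a plausibility check when the result is spectacular, while a hand count of the paper record catches it either way. Only the 4096-vote figure comes from the thread; the candidate names, counts and party total are constructed for illustration.

```python
from dataclasses import dataclass


def flip_bit(count, bit):
    """Model one upset memory cell: invert a single bit of a stored counter."""
    return count ^ (1 << bit)


def differing_bits(a, b):
    """Bit positions at which two counters disagree."""
    x = a ^ b
    return [i for i in range(x.bit_length()) if (x >> i) & 1]


@dataclass
class Discrepancy:
    candidate: str
    electronic: int
    paper: int

    @property
    def difference(self):
        return self.electronic - self.paper

    @property
    def bits(self):
        return differing_bits(self.electronic, self.paper)

    @property
    def single_bit_flip(self):
        # Exactly one differing bit is what one upset memory cell looks like.
        return len(self.bits) == 1


def implausible(electronic, party_total):
    """The only check available without paper: a candidate cannot hold
    more votes than the whole party list (assumed rule for this example)."""
    return sorted(c for c, n in electronic.items() if n > party_total)


def reconcile(electronic, paper):
    """Compare machine totals with the hand count of the paper record."""
    found = []
    for name in sorted(set(electronic) | set(paper)):
        e, p = electronic.get(name, 0), paper.get(name, 0)
        if e != p:
            found.append(Discrepancy(name, e, p))
    return found


# Constructed sample data: hand count of the paper record and the party total.
PAPER = {"Candidate A1": 1200, "Candidate A2": 800}
PARTY_TOTAL = 5000


def scenario(bit):
    """Machine totals after one bit of Candidate A1's counter has flipped."""
    electronic = dict(PAPER)
    electronic["Candidate A1"] = flip_bit(PAPER["Candidate A1"], bit)
    return electronic


if __name__ == "__main__":
    for bit in (12, 6):  # bit 12 adds 4096 votes, bit 6 adds only 64
        machine = scenario(bit)
        print(f"bit {bit}: plausibility check flags {implausible(machine, PARTY_TOTAL)}")
        for d in reconcile(machine, PAPER):
            print(f"  paper audit: {d.candidate} off by {d.difference:+d}, "
                  f"bits {d.bits}, single-bit flip: {d.single_bit_flip}")
```
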
On 1 Mar 2004 at 0:46, Fergal Daly wrote:
Data signing techniques could fix this and all software has bugs. Also, you don't need a perfect voting system, just one which is better (more accurate) than the current system - and I'm personally not too bothered about a flawed system which has in place an active method of improvement over time.
Data signing only works for the person who checks the signature and since I'm not going to be let near a machine in order to check the ROM signature, it's no good for me. It's also no good for people who have no idea what a "ROM signature" is. They shouldn't have to know.
I was more thinking of the data signing mechanisms used to ensure CIA wire tap boxes haven't been compromised. These boxes get stuck in the wild so there's a chance they could be interfered with by an outside party. Basically it's a loopy state machine whereby the software is encrypted with a key and that key is derived from the signature of the encrypted image. Basically if you alter the image you must alter its signature thus losing the ability to run it - and it can't be faked.
There's loads of this kind of tech used in the security services. I had a contract in this arena once. It's a bit more pricey but these are one off purchase machines.
How do I check the signature of a PCI controller or a chip that's labelled as a Motorola 68000 anyway?
You'd use one of the military spec processors. They are hardened to EMP and are very hard to hack into. This is a good thing, given they control the world's nuclear arsenal.
And so far I've only been talking about intentional alterations and software bugs, there's radiation induced bit-flipping to consider too. It happened in Belgium, some guy got 4096 more votes than his own party's total, so they spotted it and the expert conclusion was a bit-flip. It's probably happened lots more in non-spectacular ways but it's never spotted because there's no paper trail.
If people will insist on using off the shelf components, they will have this problem. When I was working for EuroFighter, I was appalled to discover they use x86 kit and Windows which is totally unsuitable.
Commercial off the shelf kit is mass produced cheaply. It's not of high quality and certainly not of high security. As an example, DEC VMS didn't have a single root exploit in 17 years.
There's also the possibility of hardware glitches where all the day's votes get wiped etc etc. There's a zillion things that can go wrong. A backup record that's not susceptible to microscopic influences is the only remedy.
Even the current system loses a small percentage of votes. I'm far more worried about them getting changed without anyone realising - destroyed is fine by me so long as we know there's some lost.
We actually have a very secure system at the moment. It's secure because people from all sides of the election are keeping one-another honest. There is no single point of failure. The ballot boxes are watched by multiple people (who don't trust each other) from the time they're opened to the time they're emptied.
I think it's less secure than you might think. I have no Irish examples, but vote rigging is as old as time and it never completely goes away even with the very best of systems.
BTW when I said "open", I meant it being able to be altered by volunteers a bit like a sourceforge project - not just publishing the source. This brings the formidable security & debuggability advantages of free software to bear. By far and away free software is *ideal* for these kinds of software as they don't need to be innovative.
That would be great but it doesn't address the trust problem. The citizens still have to take the word of an elite. It's a bigger more varied elite but still.
No I must disagree with this. The nature of free software is that it's totally anarchic - more than likely you'd get people crying wolf more often than genuine illustration of problems. Remember it's also transnational - an Irish person reporting a substantial flaw just before the Americans vote indicates strongly to everyone there's no party political agenda at work.
Think about the other areas where public access is granted to ensure public confidence - most government meetings eg; trials, Dail debates, public archives - even FOIA. All these are too technical for the lay person. Voting software is an identical issue - the lay person won't and can't understand, but having the free access is what's important.
A system like this would be much cheaper to implement than the proposed one and it wouldn't need an army of operators to control and monitor all the machines - if the machine isn't controlling the recording of votes then there's nothing to gain from tampering with it.
I completely agree - this government's attempt is a complete balls up and rather than break a reasonably working system, better to draw a line under it and end the project.
However, I really do think if people could vote say by mobile phone, you'd get a lot more people voting (even better if the phone asked you for a vote on polling day). So to me, any substantially improved voting system must have this feature. Just replacing paper ballots with an electronic system seems pointless to me - one is spending money for zero gain. Of course, current mobile phones aren't secure enough and neither will be the next generation. But maybe thereafter given how much they want us to buy stuff using them eg; a distributed self-repairing peer to peer voting network based on all mobiles reaching a consensus (and attacking every mobile phone in the country is a tad hard).
Cheers, Niall
On Monday, 2004-03-01 at 02:07, Niall Douglas wrote:
However, I really do think if people could vote say by mobile phone, you'd get a lot more people voting (even better if the phone asked you for a vote on polling day). So to me, any substantially improved voting system must have this feature. Just replacing paper ballots with an electronic system seems pointless to me - one is spending money for zero gain.
Do you have evidence that mobile phone polls would increase turnout? A recent study in the UK found that the only measure to increase turnout was traditional postal voting. I'll see if I can dig up a reference later...
Of course, current mobile phones aren't secure enough and neither will be the next generation. But maybe thereafter given how much they want us to buy stuff using them eg; a distributed self-repairing peer to peer voting network based on all mobiles reaching a consensus (and attacking every mobile phone in the country is a tad hard).
The trust we need to do ecommerce is fundamentally different to the trust we have in elections. Trustworthy ecommerce transactions *must* identify the parties involved so that the buyer can get his purchase and the seller can get his money. Trustworthy evoting transactions *must not* identify the voter, but still allow the voter to verify that his vote has been recorded and the election supervisor to verify that each voter only has one vote. So it's quite possible for a system to be trustworthy for ecommerce (as you seem to suggest 5G phones will be) but not suitable for evoting.
David
On 1 Mar 2004 at 10:20, David O'Callaghan wrote:
Do you have evidence that mobile phone polls would increase turnout? A recent study in the UK found that the only measure to increase turnout was traditional postal voting. I'll see if I can dig up a reference later...
None. It's pure personal opinion.
The trust we need to do ecommerce is fundamentally different to the trust we have in elections. Trustworthy ecommerce transactions *must* identify the parties involved so that the buyer can get his purchase and the seller can get his money. Trustworthy evoting transactions *must not* identify the voter, but still allow the voter to verify that his vote has been recorded and the election supervisor to verify that each voter only has one vote. So it's quite possible for a system to be trustworthy for ecommerce (as you seem to suggest 5G phones will be) but not suitable for evoting.
I had more been thinking that a phone appealing for commercial transactions will have enough onboard processing power and memory to implement any secure application eg; evoting. Put it this way - penetration of PCs into the population at best is no more than 25%. Mobile phones blew that away within their first decade and thus are the future platform for delivering computing to the masses.
I should add that I've never voted and won't be voting next election. I view it as pointless given that the media exercise a far greater control over politicians than the ballot box. Furthermore I know no one of my age group or of my younger sister's group who have ever voted, nor have any intention to ever do so.
Let's face it - rich people don't vote. Ireland is rich now, therefore only old people vote like only old people go to mass regularly. OTOH if they shut down the country on election day like in Australia, I might consider it - otherwise I have more important things to do.
Cheers, Niall
Niall Douglas wrote:
| Personally I can't see much use for a paper trail if the source is
| fully open.
I disagree, I suggest you read:
http://www.acm.org/classics/sep95/
Basically it explains that if the compiler contains the trojan, then even auditing source code will never catch it. Such a trojan could only be caught by auditing the binaries after compilation.
Only a voter verified paper audit trail could prevent this kind of attack on an election process.
Ian.