[Fsfe-ie] perspective on e-voting
s_fsfeurope2 at nedprod.com
Mon Mar 1 03:07:20 CET 2004
-----BEGIN PGP SIGNED MESSAGE-----
On 1 Mar 2004 at 0:46, Fergal Daly wrote:
> > Data signing techniques could fix this and all software has bugs.
> > Also, you don't need a perfect voting system, just one which is
> > better (more accurate) than the current system - and I'm personally
> > not too bothered about a flawed system which has in place an active
> > method of improvement over time.
> Data signing only works for the person who checks the signature and
> since I'm not going to be let near a machine in order to check the ROM
> signature, it's no good for me. It's also no good for people who have
> no idea what a "ROM signature" is. They shouldn't have to know.
I was more thinking of the data signing mechanisms used to ensure CIA
wire tap boxes haven't been compromised. These boxes get stuck in the
wild so there's a chance they could be interfered with by an outside
party. Basically it's a loopy state machine whereby the software is
encrypted with a key and that key is derived from the signature of
the encrypted image. Basically if you alter the image you must alter
its signature thus losing the ability to run it - and it can't be
There's loads of this kind of tech used in the security services. I
had a contract in this arena once. It's a bit more pricey but these
are one off purchase machines.
> How do I check the signature of a PCI controller or a chip that's
> labelled as a Motorola 68000 anyway?
You'd use one of the military spec processors. They are hardened to
EMP and are very hard to hack into. This is a good thing, given they
control the world's nuclear arsenal.
> And so far I've only been talking about intentional alterations and
> software bugs, there's radiation induced bit-flipping to consider too.
> It happened in Belgium, some guy got 4096 more votes than his own
> party's total, so they spotted it and the expert conclusion was a
> bit-flip. It's probably happened lots more in non-spectacular ways but
> it's never spotted because there's no paper trail.
If people will insist on using off the shelf components, they will
have this problem. When I was working for EuroFighter, I was appalled
to discover they use x86 kit and Windows which is totally unsuitable.
Commercial off the shelf kit is mass produced cheaply. It's not of
high quality and certainly not of high security. As an example, DEC
VMS didn't have a single root exploit in 17 years.
> There's also the possibility of hardware glitches where all the day's
> votes get wiped etc etc. There's a zillion things that can go wrong. A
> backup record that's not susceptible to microscopic influences is the
> only remedy.
Even the current system loses a small percentage of votes. I'm far
more worried about them getting changed without anyone realising -
destroyed is fine by me so long as we know there's some lost.
> We actually have a very secure system at moment. It's secure because
> people from all sides of the election are keeping one-another honest.
> There is no single point of failure. The ballot boxes are watched by
> multiple people (who don't trust each other) from the time they're
> opened to the time they're emptied.
I think it's less secure than you might think. I have no Irish
examples, but vote rigging is as old as time and it never completely
goes away even with the very best of systems.
> > BTW when I said "open", I meant it being able to be altered by
> > volunteers a bit like a sourceforge project - not just publishing
> > the source. This brings the formidable security & debuggability
> > advantages of free software to bear. By far and away free software
> > is *ideal* for these kinds of software as they don't need to be
> > innovative.
> That would be great but it doesn't address the trust problem. The
> citizens still have to take the word of an elite. It's a bigger more
> varied elite but still.
No I must disagree with this. The nature of free software is that
it's totally anarchic - more than likely you'd get people crying wolf
more often than genuine illustration of problems. Remember it's also
transnational - an Irish person reporting a substantial flaw just
before the Americans vote indicates strongly to everyone there's no
party political agenda at work.
Think about the other areas where public access is granted to ensure
public confidence - most government meetings e.g. trials, Dail
debates, public archives - even FOIA. All these are too technical for
the lay person. Voting software is an identical issue - the lay
person won't and can't understand, but it's having the free access is
> A system like this would be much cheaper to implement than the
> proposed one and it wouldn't need an army of operators to control and
> monitor all the machines - if the machine isn't controlling the
> recording of votes then there's nothing to gain from tampering with
I completely agree - this government's attempt is a complete balls up
and rather than break a reasonably working system, better to draw a
line under it and end the project.
However, I really do think if people could vote say by mobile phone,
you'd get a lot more people voting (even better if the phone asked
you for a vote on polling day). So to me, any substantially improved
voting system must have this feature. Just replacing paper ballots
with an electronic system seems pointless to me - one is spending
money for zero gain. Of course, current mobile phones aren't secure
enough and neither will be the next generation. But maybe thereafter
given how much they want us to buy stuff using them e.g. a distributed
self-repairing peer to peer voting network based on all mobiles
reaching a consensus (and attacking every mobile phone in the country
is a tad hard).
-----BEGIN PGP SIGNATURE-----
Version: idw's PGP-Frontend 184.108.40.206 / 9-2003 + PGP 8.0.2
-----END PGP SIGNATURE-----
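The self-checking software image sketched in the reply above (the decryption key is derived from a measurement of the image, so an altered image can no longer be decrypted and run) is given only in outline in the mail. The following is an added worked example, not code from the original post or from any system the author worked on. It uses one concrete, non-circular reading of the mechanism: the loader measures the cleartext image header, seals encryption and MAC keys to that measurement together with a secret held by the device, and refuses to run anything whose authentication tag does not verify. The device secret, the blob layout, the HMAC-SHA256 counter-mode keystream (chosen so the example needs only the standard library) and all sample data are assumptions of this example.

```python
"""Sealed software image: keys are derived from a measurement of the image plus
a device-held secret, so any change to the image (tampering or a bit flip)
leaves the loader unable to decrypt and run it.
Constructed demonstration only; stdlib primitives, not a production format."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

HEADER_LEN_FMT = ">H"  # 2-byte big-endian header length prefix
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(device_secret: bytes, header: bytes) -> Tuple[bytes, bytes]:
    """Seal an encryption key and a MAC key to the SHA-256 measurement of the
    cleartext header. device_secret stands in for a key kept in loader hardware
    (assumption: it never leaves the device)."""
    measurement = hashlib.sha256(header).digest()
    enc_key = hmac.new(device_secret, b"enc" + measurement, hashlib.sha256).digest()
    mac_key = hmac.new(device_secret, b"mac" + measurement, hashlib.sha256).digest()
    return enc_key, mac_key


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a keystream; XOR is its own inverse,
    so the same call encrypts and decrypts."""
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_image(device_secret: bytes, header: bytes, body: bytes,
               nonce: Optional[bytes] = None) -> bytes:
    """Build blob = len(header) || header || nonce || ciphertext || tag
    (encrypt-then-MAC; the tag covers everything before it)."""
    enc_key, mac_key = derive_keys(device_secret, header)
    nonce = nonce or os.urandom(NONCE_LEN)
    ciphertext = keystream_xor(enc_key, nonce, body)
    authed = struct.pack(HEADER_LEN_FMT, len(header)) + header + nonce + ciphertext
    tag = hmac.new(mac_key, authed, hashlib.sha256).digest()
    return authed + tag


def load_image(device_secret: bytes, blob: bytes) -> Optional[bytes]:
    """Loader side: re-derive the keys from the measured header and verify the
    tag before decrypting. Returns the plaintext body, or None to refuse."""
    if len(blob) < struct.calcsize(HEADER_LEN_FMT) + NONCE_LEN + TAG_LEN:
        return None
    (hlen,) = struct.unpack(HEADER_LEN_FMT, blob[:2])
    header = blob[2:2 + hlen]
    if len(header) != hlen:
        return None
    authed, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(device_secret, header)
    expected = hmac.new(mac_key, authed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    nonce = authed[2 + hlen:2 + hlen + NONCE_LEN]
    ciphertext = authed[2 + hlen + NONCE_LEN:]
    return keystream_xor(enc_key, nonce, ciphertext)


def flip_bit(blob: bytes, index: int) -> bytes:
    """Simulate tampering, or the radiation-induced bit flip mentioned in the
    thread, at one byte of the stored image."""
    b = bytearray(blob)
    b[index] ^= 0x01
    return bytes(b)


# Constructed sample data: not a real device secret or real firmware.
DEVICE_SECRET = hashlib.sha256(b"example-device-secret").digest()
SAMPLE_HEADER = b"VOTE-FW v1.0 region=IE"
SAMPLE_BODY = b"count_ballots(); sign_tally();"


def demo() -> Dict[str, bool]:
    """Intact image runs; any modified image, or the same image on another
    device, is refused."""
    blob = seal_image(DEVICE_SECRET, SAMPLE_HEADER, SAMPLE_BODY)
    return {
        "intact_runs": load_image(DEVICE_SECRET, blob) == SAMPLE_BODY,
        "header_flip_rejected": load_image(DEVICE_SECRET, flip_bit(blob, 5)) is None,
        "body_flip_rejected": load_image(
            DEVICE_SECRET, flip_bit(blob, len(blob) - TAG_LEN - 1)) is None,
        "other_device_rejected": load_image(b"\x00" * 32, blob) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Note what this does and does not buy you: the loader can detect that an image was altered and refuse to run it, which is the property the mail is after, but it says nothing about whether the unaltered image is correct in the first place, and a verifier with no access to the device (the point made earlier in the thread) still cannot check it. Sealing to a header measurement also means a legitimate update must be re-sealed for every device that holds a different secret.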