[Fsfe-ie] perspective on e-voting

Fergal Daly fergal at esatclear.ie
Mon Mar 1 11:51:33 CET 2004


On Mon, Mar 01, 2004 at 02:07:20AM -0000, Niall Douglas wrote:
> > Data signing only works for the person who checks the signature and
> > since I'm not going to be let near a machine in order to check the ROM
> > signature, it's no good for me. It's also no good for people who have
> > no idea what a "ROM signature" is. They shouldn't have to know.
> 
> I was more thinking of the data signing mechanisms used to ensure CIA 
> wire tap boxes haven't been compromised. These boxes get stuck in the 
> wild so there's a chance they could be interfered with by an outside 
> party. Basically it's a loopy state machine whereby the software is 
> encrypted with a key and that key is derived from the signature of 
> the encrypted image. Basically if you alter the image you must alter 
> its signature thus losing the ability to run it - and it can't be 
> faked.

Unless you take out the bit that actually cares about the signature. Maybe
not possible in a single chip custom listening device but quite possible in
a machine built from off the shelf chips and building voting machines from
anything except off the shelf chips is not going to change any time soon.

Something(s) on the board must be the key to the trust system, usually the
processor but maybe there are multiple chips that check the signatures. You
only need to replace these with look-alikes that will also trust your
switched image. No one can discover this without examining the chip layout
under an electron microscope, rather impractical.

> > How do I check the signature of a PCI controller or a chip that's
> > labelled as a Motorola 68000 anyway?
> 
> You'd use one of the military spec processors. They are hardened to 
> EMP and are very hard to hack into. This is a good thing, given they 
> control the world's nuclear arsenal.

They don't need to be hacked, they just need to be replaced with something
that looks the same and appears to function the same until it gets the
"switch to vote stealing mode" signal. There's no way of calculating a
signature from an IC, you have to break the packaging and examine the
circuits.

> If people will insist on using off the shelf components, they will 
> have this problem. When I was working for EuroFighter, I was appalled 
> to discover they use x86 kit and Windows which is totally unsuitable.
> 
> Commercial off the shelf kit is mass produced cheaply. It's not of 
> high quality and certainly not of high security. As an example, DEC 
> VMS didn't have a single root exploit in 17 years.

The voting machines are using m68k and a very small custom OS which is
little more than a loader. It's probably very secure as it had almost no
functionality. It's also got ECC RAM.

The counting machine however is Win 98 + Access on a non-ECC PC! Then again
it only has a quick job to do that can be verified in other ways.

> > We actually have a very secure system at the moment. It's secure because
> > people from all sides of the election are keeping one-another honest.
> > There is no single point of failure. The ballot boxes are watched by
> > multiple people (who don't trust each other) from the time they're
> > opened to the time they're emptied.
> 
> I think it's less secure than you might think. I have no Irish 
> examples, but vote rigging is as old as time and it never completely 
> goes away even with the very best of systems.

Nice example is "the shuffle". Send 1 punter in with a blank piece of paper,
he puts that in the box and comes back with a stamped ballot. Fill that out,
send the next punter in with that and he comes back with another blank.
Repeat until no punters left, then go in yourself with the last ballot.
Everyone gets a tenner.

Computers will eliminate that.

> Think about the other areas where public access is granted to ensure 
> public confidence - most government meetings eg; trials, Dail 
> debates, public archives - even FOIA. All these are too technical to 
> the lay person. Voting software is an identical issue - the lay 
> person won't and can't understand, but it's having the free access 
> that's important.

Dail debates are not beyond the layman, in fact the Dail has several men who
are as lay as it gets. The other examples can occasionally get very
complicated but I'd imagine there are very few people who get convicted
without actually understanding why.

> However, I really do think if people could vote say by mobile phone, 
> you'd get a lot more people voting (even better if the phone asked 
> you for a vote on polling day). So to me, any substantially improved 
> voting system must have this feature. Just replacing paper ballots 
> with an electronic system seems pointless to me - one is spending 
> money for zero gain. Of course, current mobile phones aren't secure 
> enough and neither will be the next generation. But maybe thereafter 
> given how much they want us to buy stuff using them eg; a distributed 
> self-repairing peer to peer voting network based on all mobiles 
> reaching a consensus (and attacking every mobile phone in the country 
> is a tad hard).

I don't think technological security is the issue here, personal security is
much more important. Mobile phone voting in the North would be a good laugh,
where the bloke looking over your shoulder, watching you vote, wears a
balaclava for a bit of petrol bombing fun at the weekend. Even taking
threats and violence out of the mix, remote voting allows vote selling.

The tests done in the UK showed very small increases in turnout,

F
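The self-keyed image scheme Niall describes, worked through as an added example (not code from either poster): the decryption key is bound to the digest of the encrypted image, so a changed image yields a different key and the loader refuses to run it. The loader secret, the MAGIC marker, the firmware bytes and the SHA-256 counter-mode stream cipher are all constructed stand-ins; note that everything still rests on the loader that does the checking, which is the point of the reply above.

```python
import hashlib
import os

MAGIC = b"ROMIMG01"                               # constructed marker the loader expects after decryption
LOADER_SECRET = b"constructed-per-device-secret"  # stands in for a secret held by the checking chip


def keystream(key, n):
    """SHA-256 in counter mode as a toy stream cipher (illustration only, not for real firmware)."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def bind_key(ciphertext, key):
    # The image key is wrapped under a value derived from the digest of the encrypted image
    # as it sits in ROM: change the image, change the digest, and the unwrapped key is wrong.
    digest = hashlib.sha256(ciphertext).digest()
    return xor(key, hashlib.sha256(LOADER_SECRET + digest).digest())


def build_image(firmware):
    """Producer side: encrypt under a fresh key, then bind that key to the ciphertext digest."""
    key = os.urandom(32)
    plaintext = MAGIC + firmware
    ciphertext = xor(plaintext, keystream(key, len(plaintext)))
    return ciphertext, bind_key(ciphertext, key)


def loader(ciphertext, wrapped):
    """Device side: recover the key from the image itself, decrypt, and run nothing without MAGIC."""
    key = bind_key(ciphertext, wrapped)  # unwrapping is the same XOR as wrapping
    plaintext = xor(ciphertext, keystream(key, len(ciphertext)))
    if not plaintext.startswith(MAGIC):
        return None                      # altered image: derived key is wrong, refuse to run
    return plaintext[len(MAGIC):]


FIRMWARE = b"count votes honestly"       # constructed stand-in for the ROM contents
CT, WRAP = build_image(FIRMWARE)


def tampered_copy():
    # flip a single bit of the encrypted image; the loader should now reject it
    buf = bytearray(CT)
    buf[len(MAGIC) + 3] ^= 0x01
    return bytes(buf)
```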