<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: News for Nerds?  Some of it matters</title>
	<atom:link href="http://crookedtimber.org/2003/10/21/news-for-nerds-some-of-it-matters/feed/" rel="self" type="application/rss+xml" />
	<link>http://crookedtimber.org/2003/10/21/news-for-nerds-some-of-it-matters/</link>
	<description>Out of the crooked timber of humanity, no straight thing was ever made</description>
	<lastBuildDate>Thu, 24 May 2012 18:53:29 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
	<item>
		<title>By: Tripp</title>
		<link>http://crookedtimber.org/2003/10/21/news-for-nerds-some-of-it-matters/comment-page-1/#comment-6453</link>
		<dc:creator>Tripp</dc:creator>
		<pubDate>Fri, 24 Oct 2003 18:49:46 +0000</pubDate>
		<guid isPermaLink="false">http://crookedtimber.org/wp/?p=457#comment-6453</guid>
		<description>I&#039;m a programmer, and I don&#039;t scare easily.  I thought the millennium bug was blown way out of proportion. But I second what Jonathan Goldberg said.  You must have the source reviewed and agreed on, as well as any code involved in creating the executable code.  Then that code must be object-signed, and verification made at each polling place that the signed code is what is actually run. Then you better take a close look at all the back doors.  Are patches allowed on the computers?  Is there any non-reviewed software running on the computers such as bios, or the operating system?  What about activity logs and traces? The whole thing gets so tough so fast, I can&#039;t imagine why any knowledgeable person would ever want paperless voting. There absolutely must be a paper trail, and auditing of all results. </description>
		<content:encoded><![CDATA[	<p>I&#8217;m a programmer, and I don&#8217;t scare easily.  I thought the millennium bug was blown way out of proportion.</p>
	<p>But I second what Jonathan Goldberg said.  You must have the source reviewed and agreed on, as well as any code involved in creating the executable code.  Then that code must be object-signed, and verification made at each polling place that the signed code is what is actually run.</p>
	<p>Then you better take a close look at all the back doors.  Are patches allowed on the computers?  Is there any non-reviewed software running on the computers such as bios, or the operating system?  What about activity logs and traces?</p>
	<p>The whole thing gets so tough so fast, I can&#8217;t imagine why any knowledgeable person would ever want paperless voting.</p>
	<p>There absolutely must be a paper trail, and auditing of all results.</p>
 ]]></content:encoded>
	</item>
	<item>
		<title>By: Neel Krishnaswami</title>
		<link>http://crookedtimber.org/2003/10/21/news-for-nerds-some-of-it-matters/comment-page-1/#comment-6452</link>
		<dc:creator>Neel Krishnaswami</dc:creator>
		<pubDate>Thu, 23 Oct 2003 05:11:20 +0000</pubDate>
		<guid isPermaLink="false">http://crookedtimber.org/wp/?p=457#comment-6452</guid>
		<description>It&#039;s possible to use computers to make voting more fraud-resistant, and the Diebold system is a textbook example of how not to do it, but open source is a red herring here. In order to design a more secure model of voting, you need to have a threat model. The threat model I use imagines that voting works like this: the voter arrives at the polling station, and then marks a ballot (which might be real or virtual). The ballots are delivered to a voting center, which counts them up and announces the outcome. There are, in my scheme, three main attacks: 1. Ballot fraud, in which real ballots are modified to be something other than what the voter intended and delivered to the counting center. 2. Ballot stuffing, in which fake votes are generated and delivered to the counting center. 3. Ballot destruction, in which some real votes never reach the voting center. Note that my threat model assumes that the voting center is both honest and secure. You can ensure this by having witnesses from all parties at the counting center, so this isn&#039;t a hugely optimistic assumption for a first-world country. So, let&#039;s look at the possible attacks. #1 instantly rules out all purely electronic voting schemes, because modified software can show the voter what he thought he did, and secretly make some other choice. The ballot has to be auditable by the voter, and what the voter audits has to be exactly what the voting center uses to count the votes. So our electronic voting machine has to print out a ballot that lists the voter&#039;s choices, so that he or she can look at it and verify that his or her vote was accurate. (This is why open source is irrelevant in a decent system -- the voter can audit his or her vote.) #2. You can make your voting system resistant to ballot stuffing by making each voting machine tamper-resistant, and having it print out a digital signature onto each ballot which indicates which machine it came from. 
Then, an attacker can&#039;t forge ballots without sitting at the voting machine pumping out votes, and the poll workers there would presumably notice that something was up and call the cops. (You can continue to do what people do today, which is to mark the voter registration rolls with who voted, which sets an upper bound on the amount of fraud per polling place.) #3. So we have paper ballots. What&#039;s to stop a malicious vote-rigger from simply destroying the votes that don&#039;t favor his side? This can be handled by having the voting machine simply count the number of votes that it processed, and have the poll workers phone that information in to the voting center. Then the center can count the number of ballots from each machine and double-check that everything adds up. Note that none of this makes vote fraud &lt;i&gt;impossible&lt;/i&gt; -- it just makes it harder than it is today. You can make it even harder by planning for a more elaborate threat model, but a post on a weblog comment board doesn&#039;t require it, I think.</description>
		<content:encoded><![CDATA[	<p>It&#8217;s possible to use computers to make voting more fraud-resistant, and the Diebold system is a textbook example of how not to do it, but open source is a red herring here. In order to design a more secure model of voting, you need to have a threat model. The threat model I use imagines that voting works like this: the voter arrives at the polling station, and then marks a ballot (which might be real or virtual). The ballots are delivered to a voting center, which counts them up and announces the outcome. There are, in my scheme, three main attacks:</p>
	<p>1. Ballot fraud, in which real ballots are modified to be something other than what the voter intended and delivered to the counting center.</p>
	<p>2. Ballot stuffing, in which fake votes are generated and delivered to the counting center.</p>
	<p>3. Ballot destruction, in which some real votes never reach the voting center.</p>
	<p>Note that my threat model assumes that the voting center is both honest and secure. You can ensure this by having witnesses from all parties at the counting center, so this isn&#8217;t a hugely optimistic assumption for a first-world country. So, let&#8217;s look at the possible attacks. #1 instantly rules out all purely electronic voting schemes, because modified software can show the voter what he thought he did, and secretly make some other choice. The ballot has to be auditable by the voter, and what the voter audits has to be exactly what the voting center uses to count the votes. So our electronic voting machine has to print out a ballot that lists the voter&#8217;s choices, so that he or she can look at it and verify that his or her vote was accurate. (This is why open source is irrelevant in a decent system&#8212;the voter can audit his or her vote.)</p>
	<p>#2. You can make your voting system resistant to ballot stuffing by making each voting machine tamper-resistant, and having it print out a digital signature onto each ballot which indicates which machine it came from. 
Then, an attacker can&#8217;t forge ballots without sitting at the voting machine pumping out votes, and the poll workers there would presumably notice that something was up and call the cops. (You can continue to do what people do today, which is to mark the voter registration rolls with who voted, which sets an upper bound on the amount of fraud per polling place.)</p>
	<p>#3. So we have paper ballots. What&#8217;s to stop a malicious vote-rigger from simply destroying the votes that don&#8217;t favor his side? This can be handled by having the voting machine simply count the number of votes that it processed, and have the poll workers phone that information in to the voting center. Then the center can count the number of ballots from each machine and double-check that everything adds up. Note that none of this makes vote fraud <i>impossible</i>&#8212;it just makes it harder than it is today. You can make it even harder by planning for a more elaborate threat model, but a post on a weblog comment board doesn&#8217;t require it, I think.</p>
 ]]></content:encoded>
	</item>
	<item>
		<title>By: Tom Runnacles</title>
		<link>http://crookedtimber.org/2003/10/21/news-for-nerds-some-of-it-matters/comment-page-1/#comment-6451</link>
		<dc:creator>Tom Runnacles</dc:creator>
		<pubDate>Wed, 22 Oct 2003 20:40:34 +0000</pubDate>
		<guid isPermaLink="false">http://crookedtimber.org/wp/?p=457#comment-6451</guid>
		<description>Philip - you&#039;ve done better in tracking down the full detail of the controversial memos than I did.  Sheesh, that stuff&#039;s terrifying. I try hard to suppress my inner conspiracy theorist most of the time, but given the depth of talent available to US software shops, this level of fubar is beginning to look intentional. Alternatively, it&#039;d be interesting to know how Diebold&#039;s compensation packages for (say) developers or architects compare to the rest of the industry. Anyone?</description>
		<content:encoded><![CDATA[	<p>Philip &#8211; you&#8217;ve done better in tracking down the full detail of the controversial memos than I did.  Sheesh, that stuff&#8217;s terrifying.</p>
	<p>I try hard to suppress my inner conspiracy theorist most of the time, but given the depth of talent available to US software shops, this level of fubar is beginning to look intentional.</p>
	<p>Alternatively, it&#8217;d be interesting to know how Diebold&#8217;s compensation packages for (say) developers or architects compare to the rest of the industry.</p>
	<p>Anyone?</p>
 ]]></content:encoded>
	</item>
	<item>
		<title>By: Tom Runnacles</title>
		<link>http://crookedtimber.org/2003/10/21/news-for-nerds-some-of-it-matters/comment-page-1/#comment-6450</link>
		<dc:creator>Tom Runnacles</dc:creator>
		<pubDate>Wed, 22 Oct 2003 20:15:53 +0000</pubDate>
		<guid isPermaLink="false">http://crookedtimber.org/wp/?p=457#comment-6450</guid>
		<description>Dick,Heh - the ODBC bit was a hedge :)I figured that some smartarse was going to say that you could have some super-sophisticated scheme whereby Access was in effect a client for a proper DBMS, in which case my whole rant would look a bit less savvy.  I&#039;m surprised, actually, that nobody took up my offer to grass up their employer (and look clever-clever into the bargain) by pointing out that out-of-the-box, Exchange Server relies on the Access database engine (Jet, is it?).  I&#039;d pre-emptively constructed my defence on this point, since I hear MS have responded to client pressure by making it possible to use SQLServer as a backend instead.Personally, I&#039;m a Unix/J2EE guy; I wouldn&#039;t touch ODBC with a bargepole.</description>
		<content:encoded><![CDATA[	<p>Dick,Heh &#8211; the <span class="caps">ODBC</span> bit was a hedge :)I figured that some smartarse was going to say that you could have some super-sophisticated scheme whereby Access was in effect a client for a proper <span class="caps">DBMS</span>, in which case my whole rant would look a bit less savvy.  I&#8217;m surprised, actually, that nobody took up my offer to grass up their employer (and look clever-clever into the bargain) by pointing out that out-of-the-box, Exchange Server relies on the Access database engine (Jet, is it?).  I&#8217;d pre-emptively constructed my defence on this point, since I hear MS have responded to client pressure by making it possible to use <span class="caps">SQL</span>Server as a backend instead.Personally, I&#8217;m a Unix/J2EE guy; I wouldn&#8217;t touch <span class="caps">ODBC</span> with a bargepole.</p>
 ]]></content:encoded>
	</item>
	<item>
		<title>By: Tom Runnacles</title>
		<link>http://crookedtimber.org/2003/10/21/news-for-nerds-some-of-it-matters/comment-page-1/#comment-6449</link>
		<dc:creator>Tom Runnacles</dc:creator>
		<pubDate>Wed, 22 Oct 2003 20:08:41 +0000</pubDate>
		<guid isPermaLink="false">http://crookedtimber.org/wp/?p=457#comment-6449</guid>
		<description>Jonathan - In some ways I wish I hadn&#039;t mentioned Open Source at all, since my point was certainly not that I think that as a matter of principle, election software should be non-commercial, still less that it needs to be GPL&#039;d.  None of the software-licensing theology that ends up provoking so much &#039;IANAL but...&#039; stuff on Slashdot matters here.  I just care that we can all &lt;em&gt;see&lt;/em&gt; the code if we want to.  Not necessarily modify it or redistribute it or make it the basis of a religious crusade, just look at it, poke it about a bit and see where the developers fell on their arses - since we know that they certainly will have. Coder &amp; Jonathan: Agreed about the need for all that other stuff too, especially a paper audit-trail.  Publicly-visible source is a necessary, but not sufficient condition of this whole thing being remotely worth trying.  Personally, I think paper and pencil work just fine.  The most committed defenders of &#039;e-voting&#039;, if we must call it that, seem to be people who know little about technology, or are vendors, or (in the apparent case of Diebold), are both.</description>
		<content:encoded><![CDATA[	<p>Jonathan &#8211; In some ways I wish I hadn&#8217;t mentioned Open Source at all, since my point was certainly not that I think that as a matter of principle, election software should be non-commercial, still less that it needs to be <span class="caps">GPL</span>&#8217;d.  None of the software-licensing theology that ends up provoking so much &#8216;IANAL but&#8230;&#8217; stuff on Slashdot matters here.  I just care that we can all <em>see</em> the code if we want to.  Not necessarily modify it or redistribute it or make it the basis of a religious crusade, just look at it, poke it about a bit and see where the developers fell on their arses &#8211; since we know that they certainly will have.</p>
	<p>Coder &#038; Jonathan: Agreed about the need for all that other stuff too, especially a paper audit-trail.  Publicly-visible source is a necessary, but not sufficient condition of this whole thing being remotely worth trying.  Personally, I think paper and pencil work just fine.  The most committed defenders of &#8216;e-voting&#8217;, if we must call it that, seem to be people who know little about technology, or are vendors, or (in the apparent case of Diebold), are both.</p>
 ]]></content:encoded>
	</item>
	<item>
		<title>By: Philip</title>
		<link>http://crookedtimber.org/2003/10/21/news-for-nerds-some-of-it-matters/comment-page-1/#comment-6448</link>
		<dc:creator>Philip</dc:creator>
		<pubDate>Wed, 22 Oct 2003 20:06:35 +0000</pubDate>
		<guid isPermaLink="false">http://crookedtimber.org/wp/?p=457#comment-6448</guid>
		<description>http://www.equalccw.com/dieboldtestnotes.html Let&#039;s give credit where credit is due. A guide to hacking Diebold databases.</description>
		<content:encoded><![CDATA[	<p><a href="http://www.equalccw.com/dieboldtestnotes.html" rel="nofollow">http://www.equalccw.com/dieboldtestnotes.html</a></p>
	<p>Let&#8217;s give credit where credit is due. A guide to hacking Diebold databases.</p>
 ]]></content:encoded>
	</item>
	<item>
		<title>By: coder</title>
		<link>http://crookedtimber.org/2003/10/21/news-for-nerds-some-of-it-matters/comment-page-1/#comment-6447</link>
		<dc:creator>coder</dc:creator>
		<pubDate>Wed, 22 Oct 2003 17:47:40 +0000</pubDate>
		<guid isPermaLink="false">http://crookedtimber.org/wp/?p=457#comment-6447</guid>
		<description>Without a hard-copy audit trail, electronic voting is inherently unsafe. Open sourcing the software is not sufficient protection. Techies should already be familiar with &lt;a href=&quot;http://www.acm.org/classics/sep95/&quot;&gt;Reflections on Trusting Trust&lt;/a&gt;. Basically, trusting the source is meaningless if you don&#039;t trust the environment it is compiled, linked, and run in. The bottom line: there is simply no way to ensure that a completely electronic voting solution is trustworthy.</description>
		<content:encoded><![CDATA[	<p>Without a hard-copy audit trail, electronic voting is inherently unsafe. Open sourcing the software is not sufficient protection. Techies should already be familiar with <a href="http://www.acm.org/classics/sep95/">Reflections on Trusting Trust</a>. Basically, trusting the source is meaningless if you don&#8217;t trust the environment it is compiled, linked, and run in.</p>
	<p>The bottom line: there is simply no way to ensure that a completely electronic voting solution is trustworthy.</p>
 ]]></content:encoded>
	</item>
	<item>
		<title>By: Jonathan Goldberg</title>
		<link>http://crookedtimber.org/2003/10/21/news-for-nerds-some-of-it-matters/comment-page-1/#comment-6446</link>
		<dc:creator>Jonathan Goldberg</dc:creator>
		<pubDate>Wed, 22 Oct 2003 15:11:32 +0000</pubDate>
		<guid isPermaLink="false">http://crookedtimber.org/wp/?p=457#comment-6446</guid>
		<description>The machines need not be supplied via an open source business model;  the source merely needs to be open to inspection. Although that&#039;s not enough. AT A MINIMUM one must also have the compilation scripts and the exact vendor and model of the (all, if more than one) compilers used, so that the software can be independently compiled.  At that point an MD5 hash must be derived, and it must be verified that it matches the hash of the software on the machines in the field.  No deviation is acceptable. That having been said, a paper trail must still be produced.  Speaking as a programmer, I trust paper.  Not that paper can&#039;t be tampered with; ballot box stuffing certainly long predates computers.  But it&#039;s harder to do it tracelessly and en masse.</description>
		<content:encoded><![CDATA[	<p>The machines need not be supplied via an open source business model;  the source merely needs to be open to inspection.</p>
	<p>Although that&#8217;s not enough. <span class="caps">AT A MINIMUM</span> one must also have the compilation scripts and the exact vendor and model of the (all, if more than one) compilers used, so that the software can be independently compiled.  At that point an <span class="caps">MD5</span> hash must be derived, and it must be verified that it matches the hash of the software on the machines in the field.  No deviation is acceptable.</p>
	<p>That having been said, a paper trail must still be produced.  Speaking as a programmer, I trust paper.  Not that paper can&#8217;t be tampered with; ballot box stuffing certainly long predates computers.  But it&#8217;s harder to do it tracelessly and en masse.</p>
 ]]></content:encoded>
	</item>
	<item>
		<title>By: Dick Thompson</title>
		<link>http://crookedtimber.org/2003/10/21/news-for-nerds-some-of-it-matters/comment-page-1/#comment-6445</link>
		<dc:creator>Dick Thompson</dc:creator>
		<pubDate>Wed, 22 Oct 2003 00:55:52 +0000</pubDate>
		<guid isPermaLink="false">http://crookedtimber.org/wp/?p=457#comment-6445</guid>
		<description>I&#039;ve used ODBC as a link between Access and SQL Server, Microsoft&#039;s database, and it&#039;s neither secure nor very stable.  ODBC is a technology whose time is long-gone.  Funny, that&#039;s what I thought about Access, too.</description>
		<content:encoded><![CDATA[	<p>I&#8217;ve used <span class="caps">ODBC</span> as a link between Access and <span class="caps">SQL </span>Server, Microsoft&#8217;s database, and it&#8217;s neither secure nor very stable.  <span class="caps">ODBC</span> is a technology whose time is long-gone.  Funny, that&#8217;s what I thought about Access, too.</p>
 ]]></content:encoded>
	</item>
</channel>
</rss>

