Slashdot Mirror

The objections you rise are valid. Thankfully the smartcard industry knows how to handle them.

Yeah, because they've been doing a great job so far...

The objections you rise are valid. Thankfully the smartcard industry knows how to handle them.

Yeah, because they've been doing a great job so far...

I find your claim that Sarah Palin might become President is a sign of idiocy laughable on its face. Aren't the dems the ones who keep saying that no experience can prepare you for president (since Obama has no experience)? And yet, they keep saying that Palin is inexperienced? Pot? Kettle?

I think you are missing the larger stupidity.

You have to consider that Palin is not running for prez, it's Obama vs. McCain. That makes this argument (and campaign tactic) even more stupid (or shrewd?) than it appears on the surface. It's a classic fallacious red herring argument.

About the OP:
>The academics and computer scientists who said they were unreliable "have won that battle."'"

No they have not won the battle. They believe that electronic voting can work, but it needs to be done right. Here's a great link to Avi Rubin's (who more or less started the whole voting machine security/traceability debate) site that explains what the academics want and how Diebold etc can fix their machines.

http://avirubin.com/vote/

None want paper, they want the electronic systems to be designed and implemented properly. Paper voting is a PITA and also inaccurate. Avi etc have told Diebold etc how to fix their machines, til they were blue in the face, and were categorically ignored.

This development in MD and VA is a step backwards. What we (I'm a MD resident) should do is let Avi and Accurate( http://accurate-voting.org/ ) write the requirements for the machines and put the contract up for bid to have them built properly to spec.

-Viz

b) I think working as a poll worker would be a great way to contribute to the community, and having more slashdot types with direct experience with the polls helps make us all smarter and more credible critics. (See, e.g., Avi Rubin's blog entries on his experience

As I said earlier, you can find impartial experts to review impartial software. There is no such thing, however, as an impartial ballot, since somebody has already used it to vote one way or the other.

"Impartial software?" "Impartial ballot?" That doesn't make sense. The issue is the partiality of people, not of inanimate objects.

If impartial people (or teams of people with balanced biases) can be found to review software, then impartial people (or teams of people) can be found to review ballots.

you have two candidates, and representatives for one side raise objections on a ballot that the other side thinks should count as a vote for them... That's way harder to resolve than the similar dispute over a voting machine.

You need three reviewers for contested ballots. One from Party A, one from Party B, one from a pool of people approved by both parties (unaffiliated voters, or community leaders of unimpeccable honesty).

Regardless, you could have checks from all the interested parties to at least get consensus [on voting machines]

You can also get consensus on methods and rules for counting paper ballots ahead of time.

Multiple recounts typically return an array of unique values.

Only if there's ambiguity in the ballot marking, or errors in counting. The latter can be eliminated by multiple rounds and by improved methodology - if Las Vegas casinos can count all that cash, we can find ways to count unambiguous ballots. The former problem should be very very rare in machine-printed voter receipts, or indeed in any sensible ballot design.

They trust ATMs and Credit Card processing machines...

Which give paper receipts, and whose results I can review and challenge. I've had erroneous or fraudulent charges against ATM cards and credit cards, but I could catch them because the bank sends me statements. I don't get a paper from Baltimore County saying "Here's how we recorded your vote. Call 1-800-SCREWUP if you wish to contest it."

a "back-door that effects all electronic machines by a manufacturer"...is still exactly equivalent to a mechanical voting machine.

Not at all. A mechanical voting machine can't do logic like "if (candidate.party == 'GREEN') then (candidate.votes += 100)". (Not unless your mechanical voting machine was designed by Charles Babbage...)

something like that should be caught in the independent review of the code

Bugs get through reviewed code. Deliberately obfuscated backdoors could too. Then there's the problem of trusting trust. If Ken Thompson says "You can't trust code that you did not totally create yourself...No amount of source-level verification or scrutiny will protect you from using untrusted code," maybe we ought to listen to him, instead of call him a Luddite.

Writing trusted systems is much harder than you seem to understand it to be.

You are taking the traditional luddite position, because you seem to be incapable of understanding how electronic voting could work securely.

My position is pretty much that of the ACM: "voting systems should enable each voter to inspect a physical (e.g., paper) record to verify that his or her vote has been accurately cast, and to serve as an independent check on the result produced and stored by the system." It's also pretty much the position of computer security experts like Avi Rubin and

It doesn't matter so much, it's not like MS WLID, formerly known as MS Passport can ever be made secure. It's fundamentally flawed from the design.

However, all the bad press was about MS Passport, so a simple name change and, Voila, no bad press about the product. Palladium was sanitize the same way.

1977, Rome:
G. Forsen, M. Nelson, and R. Staron, "Personal Attributes Authentication Techniques," Rome Air Development Center Report RADC-TR-77-1033, Air Force Base Griffis (New York, 1977).

1980, Rand:
R. Gaines, W. Lisowski, S. Press, and N. Shapiro, "Authentication by Keystroke Timing: Some Preliminary Results," Technical Report Rand report R-256-NSF, Rand Corporation (1980).

1990, Gupta:
R. Joyce and G. Gupta, "Identity Authentication Based on Keystroke Latencies," Communications of the ACM 33:2 (1990), 168-176.

1995, IBM:
http://ieeexplore.ieee.org/Xplore/login.jsp?url=/i el3/3531/10615/00491588.pdf?tp=&arnumber=491588&is number=10615

1999, ATT:
http://avirubin.com/fgcs.pdf

2005, MIMOS:
http://digital.ni.com/worldwide/singapore.nsf/web/ all/ACCD272C9FEF487D8625703D005562A0

Nope. It is impossible to create any physical system that exists outside the boundaries of probability. Which means that there is always a margin of error. Always. Thermodynamics and all that.

However, there are specific reasons why the US system is particularly prone to error. Especially when dealing with large state and national races where differing regional elections laws, differing voting systems, and tabulation rules, make *extremely* accurate counting absolutely impossible. Which is why elections officials care more about outcomes than individual vote counts.

IIRC, Avi Rubin talked about the probability issue during his interview on C-SPAN. Here is his web page, there are links to .mov files of that interview available there.

Why not have the machine print out a human/machine readable ballot (names with bubbles filled next to your choices) and then have an optical scanner read the votes? This gives you a stack of ballots that can be hand counted if necessary. It eliminates people accidentally spoiling ballots (no hanging chads etc.). You don't have to worry about a bunch of votes getting digitally corrupted and being completely unrecoverable. You don't have privacy issues that can occur where an observer keeps track of who goes into the booth and then reviews the printed paper trail (assuming the trail is generated as people vote, it is trivial if tedious to figure out who voted for what/who).

This isn't my idea BTW. I first heard this suggestion on Science Friday interview with Avi Rubin:
http://avirubin.com/
http://www.sciencefriday.com/pages/2006/Oct/hour1_ 102706.html

Good arguments enumerated... http://avirubin.com/vote.pdf#search=%22Diebold's%2 0AccuVote-TS%20voting%20system%22

There are at least three reasons why we shouldn't trust their dirty, nasty, evil b0xen:
http://www.democraticunderground.com/discuss/duboa rd.php?az=show_mesg&forum=203&topic_id=11874&mesg_ id=19911/
http://www.dailykos.com/story/2004/11/10/1172/9052 /
http://avirubin.com/vote.pdf/
Violation of warranty? Sure. I can see that.
Still, nobody is answering the question: "why on earth are computers the best answer to solving the handicaped voter problem?"
I could hire some little old ladies for minimum wage and get them to help disadvantaged people cast their ballots for less than $27 million!
Or, at the very least, if these machines are supposed to be SO easy to use, just get one or two of them for each precinct. You don't need every parking stall to be handicap accessible, and you don't need all of your voting booths to be, either.
In my mind, Bruce Funk is the only sane election official in the whole state.

TRANSPARANCY is the key

Quote:

All of the data on [the Diebold] storage device is encrypted using a single, hardcoded DES key:

#define DESKEY ((des_key*)"F2654hD4")

Note that this value is not a hex representation of a key, nor does it appear to be randomly generated. Instead, the bytes in the string "F2654hD4 " are fed directly into the DES key scheduler... from the CVS logs, we see this particular key has been used without change since December 1998 ...

(Support Guide - Review) (pdf):

4.4 Key management and other cryptographic issues with the vote and audit records [...] the audit logs are encrypted and checksummed before being written to the storage device. Unfortunately, neither the encrypting nor the checksumming is done with established, secure techniques. [...] (Recall that we have already discussed the lack of cryptography in other potions of the system.) [...] All of the data on a storage device is encrypted using a single, hardcoded DES [22] key: #define DESKEY ((des_key*)"F2654hD4"). Note that this value is not a hex representation of a key, nor does it appear to be randomly generated. Instead, the bytes in the string "F2654hD4 " are fed directly into the DES key scheduler. [...] from the CVS logs, we see this particular key has been used without change since December 1998 [...] ...

In June 2005, [Kevin Shelley, the California Secretary of State], reported that when given access to Diebold vote-counting computers, Bev Harris- a critic of Diebold's voting machines - was able to make 65,000 votes disappear simply by changing the memory card that stores voting results for one that had been altered. Although the machines are supposed to record changes to data stored in the system, they showed no record of tampering after the memory cards were swapped. In response, a spokesperson for the Department of State said that, "Information on a blog site is not viable or credible."

"A national technology consulting firm he hired to review the system in 2003 found security flaws, but state officials said they could be fixed quickly"

Luckily we live in the NY Metro area within driving distance of a large number of universities. We found a few online lists of programs (
here and here) via a post in the sci.crypto newsgroup.

I happen to agree that in this instance Diebold is more than likely hiding behind the shield of the OS to avoid going down the road of opening their own code up to scrutiny. They have seen where that leads.

However...

As another poster pointed out, from a line count perspective, the Windows OS probably makes up 99% of the OS + Dieblold code stack. Further, I believe they use additional MS libraries like Access DB File DLLs. So the percentage of MS code is even higher.

So we come to an interesting point: Could the state of North Carolina require Diebold to exhaustively black-box test the voting application including the underlying Microsoft components and document that the software functions as expected and specified by both a requirements and design specification document?

Theoretically yes. IF the requirements and design specification documents were executed perfectly, AND IF all possible variables and test cases were known AND IF the testing was conducted in a perfect manner. This would "verify" that the software functions as advertised.

But... We already do that. Sort of. Take a look at section 1.6, 1.6.1-.3

Does looking at those two pages give you the warm fuzzies? Me neither... Also notice this gem:

Some voting systems use one or more readily available commercial off-the-shelf (COTS) devices (such as card readers, printers, or personal computers) or software products (such as operating systems, programming language compilers, or database management systems). COTS devices and software are exempted from certain portions of the qualification testing process as defined herein, as long as such products are not modified for use in a voting system.

So I think that you are technically correct in that the submission of the OS source code is not absolutely necessary to reach a relative comfort level (comparable to say: testing of FDA certified devices).

But... That doesn't mean that I think that there are any practical alternatives. And from what I can tell the state of North Carolina rather fairly or unfairly to closed source solutions, is looking out for the its citizens as best it can.

There are many systems that provide strong anonymity in a public network. These include Herbivore, Crowds, Tarzan, Tor, P5 and many others. Some have even been deployed and used in practice.

And when it does, Diebold and ES&S vote for you anyway, so it doesn't matter.

Prove It.

Analysis of Diebold voting machines

"[Diebold's] committed to helping Ohio deliver its electoral votes to the president next year."

- Walden O'Dell, chief executive of Diebold Inc., August 14 2004

DailyKos

Of course, the burden of proof is really on Diebold to prove their machines are secure against intentional tampering.

"Why am I always being asked to prove these systems aren't secure? The burden of proof ought to be on the vendor. You ask about the hardware. 'Secret.' The software? 'Secret.' What's the cryptography? 'Can't tell you because that'll compromise the secrecy of the machines.'... Federal testing procedures? 'Secret'! Results of the tests? 'Secret'! Basically we are required to have blind faith."

- Dr. David Dill, Stanford

However, we weren't listened to. And when we were listened to, we were treated in a "fair and balanced" way.

The problem is, of course, that fair and balanced only applies well to perfectly political questions. Essentially, it is an axiom designed to preserve all views in a purely abstract argument (i.e. "is abortion wrong?"). It has no bearing in an argument of fact. In science, even computer science, there are people who are incorrect. Disproving an algorithm mathematically is a proof that the algorithm is flawed, and its author is incorrect. Showing that there are vulnerabilities in an electronic voting machine is a statement of fact, a proof that it is true, not an opinion.

Now, those of us who understand the scientific method know there's more to it than that--methodologies can render an inductive/statistical proof meaningless, unconscious biases on the experimenter's part can affect outcomes, and simple mistakes can happen. However, this sort of thing is usually very rapidly caught. That's what peer review is about. You get people who understand the topic to sign off on what you've said, correct your mistakes, poke holes in your arguments. After a thing has been through peer review, it can be considered not-incorrect.

This is the source media should be tapping from: peer reviewed journals. Not the manufacturer, not politicians. In the former case, there is a conflict of interests. In the latter case, there is a lack of knowledge. It's like asking a fox and a field mouse to evaluate the security of a chicken coop.

So, listen up media! If 95% of the field is screaming "NO!", and you have to go to the manufacturer or dig around to find someone saying "YES", it's not because we're opressing them. It's because they're INCORRECT!

danheskett wrote:
>
> It was one CEO making a fundrasing pitch in a letter!

When a rabidly Republican CEO of one of the largest voting machine pledges he is " committed to helping Ohio deliver its electoral votes to the President next year " you don't smell election fraud?

The fact that he made the pledge in a letter asking for money is all the more suspicious.

> And, oh, the company in question makes about 1% of
> its profit from voting machines, is very transparent and publically traded

Being publically traded didn't stop Enron from commiting massive fraud. And what does how little money this company makes from voting machines have to do with its capacity for fraud?

> [Black box voting] is a very old problem for our country

But it just got about a billion times easier and virtually untraceable since the introduction of electronic voting machines, and electronic vote tabulating machines.

> I urge you to find me one article or study that
> can prove that electronic voting machines -
> flawed as they are - are anything short of the
> most accurate and secure voting system we have.

Here's Johns Hopkins Computer Science professor Avi Rubin's study where he states:

"We show that voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal software"

And read about Diebold while you're at it:

http://www.scoop.co.nz/mason/stories/HL0211/S00081 .htm

Finally, I urge you to find me one article or study that can prove that electronic voting machines - flawed as they are - are anything short of the most accurate and secure voting system we have.

Electronic voting, while a neat idea to speed up the vote counting process, seems to have run into a number of glitches (over 1100 nationwide) this November 2nd. In addition to seemingly random problems in Florida [1, 2], Ohio [1], and North Carolina [1], there are allegations of systematic fraud based on statistical comparison of exit polls to final results in precincts with audit trails and those without. It is also interesting that in Florida, the voting patterns do not match the voter registration patterns as they do nationwide. This has attracted the attention of numerous civil rights groups including the Electronic Frontier Foundation that has filed at least two lawsuits since election day, and BlackboxVoting.org that has filed a Freedom of Information Act request to obtain computer logs and documents from 3000 counties and districts across the US. Equally disturbing is the fact that CNN has (since Nov 2) changed its exit polling results to reflect the actual results. This has attracted the attention of Congressmen John Conyers Jr. of Michigan, Jerrold Nadler of New York and Robert Wexler of Florida who have jointly requested that the GAO immediately investigate the efficacy of e-voting machines.

In case you are thinking that this is just sour grapes from Democrats who lost the election, think again. BlackboxVoting.org has been investigating e-voting fraud for years. Likewise, the CEO of Diebold, one of the e-voting machine manufacturers has been quoted as saying "I am committed to helping Ohio deliver its electoral votes to the president." And if that's not conflict of interest enough for you, Republican Senator Chuck Hagel (now resigned) is an owner of the largest e-voting machine company ES&S.

Other numerous problems have been found with the machines from nearly every company in the past [1, 2, 3]. Avi Rubin, a computer science professor at Johns Hopkins University, has been investigating such machines on his own and has found a number of security issues. Swarthmore students stood up to Diebold in November of 2003 after discovering

I believe, however, that these issues, although important, mask much more fundamental problems with how the technology is deployed and the general failure of electoral management to reform itself through the effective use of technology. There are long term solutions but these are immaterial in terms of the present election because it's far too late to change.

Tomorrow's election will, therefore, feature the use of some e-voting technologies within the constraints of traditional electoral management and, in all likelihood, demonstrate some of that combination's weaknesses during this process. In my opinion, however, the total actual impact these security weaknesses have on the final vote counts is likely to be insignificant in the more important contests. What will be far more significant is the leverage these few real problems give conspiracy theorists to allege that much more consequential, but uncaught, frauds also took place. Fundamentally a small, but real, problem can become a national crisis if it lends itself to exploitation by people with agendas - and that's what I'm afraid will happen to e-voting on the day after tomorrow.

In that scenario Democractic losers across the country contest Republican electoral victories by asserting that security weaknesses in electronic voting were illegally exploited to their opponent's benefit and their loss. The resulting firestorm of media protest would then cast a shadow over legitimate electoral victories and discredit the electoral system because the security weaknesses allegedly exploited are real, even if the exploits are generally not.

Suppose, for example, that Mr. Bush wins by a narrow margin - a few percent in the overall popular vote with the issue even closer in one or two key states. In that situation the democrats seem unlikely to simply concede, preferring instead to launch hundreds of lawsuits at least some of which will ultimately be decided by judges balancing the unprejudiced, and genuinely expert, testimony of people like Dr. Rubin to the effect that exploitable weaknesses exist against the accused's assurances that no cheating took place. In this situation electoral management doesn't stand a chance: the traditional media will hold them guilty before the trials start and at least some judges, however well intentioned otherwise, will be forced to conclude that reasonable doubt exists as the legitimacy of the election results.

So what can be done? Absent a landslide Republican victory (or a kerry win) there's probably nothing you can usefully do except refuse to be caught up in the rush - just trust that the system will muddle through.

There may, however, be something the President can do - it's a classic hail Mary pass idea which may be really dumb, but which I'd like to toss out for comment.

Sir Arthur Conan-Doyle told a Sherlock Holmes story in which the big clue was that the dog failed to bark. In the same vein there's a missing "60 Minutes" special you need to think about in terms of that dog not barking.

In this case there seems to be reasonably good evidence that some captured North Vietnamese and VietCong papers naming John Kerry and earthed at the Vietnam War Archives held by Texas Tech University in Lubbock, are genuine. So far no third party has authenticated them, but they are said to show that both

Security for E-Voting in Public Elections (Realplayer video 01:23:34) Avi Rubin (AT&T Labs-Research) discusses the security considerations pertaining to remote electronic voting in public elections and examine the feasibility of running national federal elections over the Internet. The focus of this talk is on the limitations of the currently deployed infrastructure in terms of the security of the hosts and the Internet itself.

People should be marching on their state capitols demanding that the current e-voting machines be replaced with verifiable voting methods such as paper ballots until such time as everyone can be satisfied that the e-voting machines are fair and reliable. (Which probably means when they produce a clear paper trail.)

The foundation of our system of government is put at risk by sloppy or malicious coding and we all sit at home and go about our lives as if nothing is truely at risk. The degree of apathy that has been shown on this issue is astonishing.

Avi Rubin, the leading authority on e-voting, gave a great interview in the recent Dr. Dobbs Journel. I think what he says is something that every voter should hear. (His writings on e-voting are here.) The problem is not whether or not a certain political party or company has rigged these machines to fix the election, it's that the very design and nature of these machines makes it possible to do so in a way that is undetectable.

Up until now, if you wanted to steal an election, you had to coordinate the work of a large number of people in across a large number of states unless you could blame it all on a bunch of people voting incorrectly in one county in Florida. Now, you could subtley alter the programming of these machines and shift a small percentage of the results produced by each one. It would be almost impossible to detect.

It's not just the presidential race that is affected, its all the races. Think of the money that is controlled by these politicians and the incentives available to people who want to make sure they get the "right" political climate in the future. If this type of cheating doesn't happen this election, it will happen in another, and soon.

The only way to make sure that these machines can be trusted is to:

• Make the source open to viewing by anyone who wishes to see it. The source should be posted on the Internet and paper copies should be supplied to voters on request.
• Run the software on an operating system that is also open source. It's already been shown that the Diebold machines can be compromised via the Microsoft Windows operating system.
• Produce a paper audit trail and a printed voting receipt that can be used to verify the results the machine reports.

They say we get the government we deserve. If we don't raise hell with out state governments and election boards over the use of these machines, you can be certain of it.

People should be marching on their state capitols demanding that the current e-voting machines be replaced with verifiable voting methods such as paper ballots until such time as everyone can be satisfied that the e-voting machines are fair and reliable. (Which probably means when they produce a clear paper trail.)

The foundation of our system of government is put at risk by sloppy or malicious coding and we all sit at home and go about our lives as if nothing is truely at risk. The degree of apathy that has been shown on this issue is astonishing.

Avi Rubin, the leading authority on e-voting, gave a great interview in the recent Dr. Dobbs Journel. I think what he says is something that every voter should hear. (His writings on e-voting are here.) The problem is not whether or not a certain political party or company has rigged these machines to fix the election, it's that the very design and nature of these machines makes it possible to do so in a way that is undetectable.

Up until now, if you wanted to steal an election, you had to coordinate the work of a large number of people in across a large number of states unless you could blame it all on a bunch of people voting incorrectly in one county in Florida. Now, you could subtley alter the programming of these machines and shift a small percentage of the results produced by each one. It would be almost impossible to detect.

It's not just the presidential race that is affected, its all the races. Think of the money that is controlled by these politicians and the incentives available to people who want to make sure they get the "right" political climate in the future. If this type of cheating doesn't happen this election, it will happen in another, and soon.

The only way to make sure that these machines can be trusted is to:

• Make the source open to viewing by anyone who wishes to see it. The source should be posted on the Internet and paper copies should be supplied to voters on request.
• Run the software on an operating system that is also open source. It's already been shown that the Diebold machines can be compromised via the Microsoft Windows operating system.
• Produce a paper audit trail and a printed voting receipt that can be used to verify the results the machine reports.

They say we get the government we deserve. If we don't raise hell with out state governments and election boards over the use of these machines, you can be certain of it.

This seems to be similar to Dr. Avi Rubin's challenge to the community, which basically states that a team of security specialists and programmers should be given access to the development environment of one of the major DRE machines, by the vendor. The team should then attempt to rig the machine in favor of one candidate, and then submit the machine for approval by the elections board's testing agency. The testing agency doesn't know it's being tested, and doesn't know the machine is rigged. Could they catch the rigged machine as they currently claim? It's the same basic principle as having undercover agents attempt to sneak weapons through airport security.

The paper can be found at:
http://avirubin.com/vote/ita.challenge.pdf

This seems to be similar to Dr. Avi Rubin's challenge to the community, which basically states that a team of security specialists and programmers should be given access to the development environment of one of the major DRE machines, by the vendor. The team should then attempt to rig the machine in favor of one candidate, and then submit the machine for approval by the elections board's testing agency. The testing agency doesn't know it's being tested, and doesn't know the machine is rigged. Could they catch the rigged machine as they currently claim? It's the same basic principle as having undercover agents attempt to sneak weapons through airport security.

The paper can be found at:
http://avirubin.com/vote/ita.challenge.pdf

I agree that it's very difficult to introduce non-technical people to the woes of electronic voting. Surprisingly, however, the Daily Show (from Comedy Central) did a very good spot on e-voting which covers many of the main introductory issues involved. Not only does it make one think, but it's funny and very believable. It has certainly made many people I know stop and think.

The video is available at Avi Rubin's site -- he's a security expert who wrote a report exposing the flaws of voting machines. The video clip is available here.

I agree that it's very difficult to introduce non-technical people to the woes of electronic voting. Surprisingly, however, the Daily Show (from Comedy Central) did a very good spot on e-voting which covers many of the main introductory issues involved. Not only does it make one think, but it's funny and very believable. It has certainly made many people I know stop and think.

The video is available at Avi Rubin's site -- he's a security expert who wrote a report exposing the flaws of voting machines. The video clip is available here.

For many years now Bruce Schneier has been writing on this topic extensively and since I share his views I decided to put together the most relevant excerpts from his excellent Crypto-Gram newsletter and let them speak for themselves. If you really want to get up to speed on this topic, this is what you've been looking for.

Crypto-Gram: September 15, 2003 :: News:

Interesting report on the security of Diebold's voting machines. Scary stuff, especially if you consider that these are already being purchased for use in U.S. elections.
http://avirubin.com/vote.pdf

Crypto-Gram: October 15, 2003 :: News:

Despite admitting that Diebold voting machines have a high risk of compromise, the state of Maryland is going to buy them:
http://www.wired.com/news/business/0,1367,60583,00 .html

Crypto-Gram: December 15, 2003 :: Computerized and Electronic Voting:

There are dozens of stories about computerized voting machines producing erroneous results. Votes mysteriously appear or disappear. Votes cast for one person are credited to another. Here are two from the most recent election: One candidate in Virginia found that the computerized election machines failed to register votes for her, and in fact subtracted a vote for her, in about "one out of a hundred tries." And in Indiana, 5,352 voters in an district of 19,000 managed to cast 144,000 ballots on a computerized machine.

These problems were only caught because their effects were obvious--and obviously wrong. Subtle problems remain undetected, and for every problem we catch--even though their effects often can't be undone--there are probably dozens that escape our notice.

Computers are fallible and software is unreliable; election machines are no different than your home computer.

Even more frightening than software mistakes is the potential for fraud. The companies producing voting machine software use poor computer-security practices. They leave sensitive code unprotected on networks. They install patches and updates without proper security auditing. And they use the law to prohibit public scrutiny of their practices. When damning memos from Diebold became public, the company sued to suppress them. Given these shoddy security practices, what confidence do we have that someone didn't break into the company's network and modify the voting software?

And because elections happen all at once, there would be no means of recovery. Imagine if, in the next presidential election, someone hacked the vote in New York. Would we let New York vote again in a week? Would we redo the entire national election? Would we tell New York that their votes didn't count?

Any discussion of computerized voting necessarily leads to Internet voting. Why not just do away with voting machines entirely, and let everyone vote remotely?

Online voting schemes have even more potential for failure and abuse. Internet systems are extremely difficult to secure, as evidenced by the never-ending stream of computer vulnerabilities and the widespread effect of Internet worms and viruses. It might be convenient to vote from your home computer, but it would also open new opportunities for people to play Hack the Vote.

And any remote voting scheme has its own problems. The voting booth provides security against coercion. I may be bribed or threatened to vote a certain way, but when I enter the privacy of the voting booth I can vote the way I want. Remote voting, whether by

See http://avirubin.com/judge.html:

One thing absolutely amazed me. With very few exceptions, the voters really LOVED the machines. They raved about them to us judges. The most common comment was "That was so easy." I can see why people take so much offense at the notion that the machines are completely insecure. Given my role today, I just smiled and nodded. I was not about to tell voters that the machines they had just voted on were so insecure. I was curious that voters did not seem to question how their votes were recorded. The voter verifiability that I find so precious did not seem to be on the minds of these voters. One woman did come up to Joy and complain that she wanted a paper ballot to verify. But, Joy managed to convince her that these machines were state of the art and that there was nothing to worry about, which was followed by a smile and a wink in my direction. I just kept quiet, given the circumstances. As an election judge, my job is to make the election work as well as possible, and creating doubts in the voters' minds at the polls does not figure into my idea of responsible behavior. Perhaps the lightest moment in the day came when one voter standing at his machine asked in the most deadpan voice, "What do I do if it says it is rebooting?" Head judge Marie turned white, and Joy's mouth dropped. My heart started to beat quickly, when he laughed and said "just kidding." There was about a two second pause of silence followed by roaring laughter from everyone.

1. Theoretically, it is impossible to have anonymous communication on the Internet.
2. In practice it is a balance of resources. The trick is that it is much cheaper to publish contents anonymously, than to trace the origin of an information. Therefore projects like Hacktivismo - Six/Four, Crowds, Freedom-Net, Tarzan, Onion-Routing, etc. make sense.

Furthermore, it is often the content which speaks more about the authorship, than the chain of technical events that leads to the publishing of the information. In Slashdot, for example, I have chosen not to show my e-mail, etc., but by reading my comments even a 10-years old kid can make a deduction about my real identity. Does it make sense for me to use IP-tunneling then?

Finally, I do not understand the author. He just seems pissed. Maybe he will reconsider his opinion and revive the project. Is he sick from the lies (?) about the crypto-protocols used in the software which is written? IMHO the theory proves quite stable and if there is a room for attacks it is more in the implementations than in the protocols themselves. How many broken cryptosystems do you recollect (I know, I know "the knapsack", but it got broken on the conference on which it was presented).

Still, even with this project retreating, the subject remains interesting.

True Geek, right here.

In PDF, and a Google HTML version

I'd be especially wary of sites locked into ASP or .NET, not just for the inherent security problems. PayPal, for example,. is at potential risk, as it is owned by eBay. But read the changes to HotMail or other similarly MS-Passport encumbered services.

There are ways to do secure, platform independent, centralized authentication for web and other services, but MS-Passport isn't one of them. See Kerberos + LDAP instead. If you don't wish to experiment on *BSD or something else, all the major Linux distros include both clients and servers. There are even ways of scaling enourmously. Universities and libraries with electronic subscriptions should be able to get the most mileage out of Kerberos.

Ah, but the interesting thing is that even the current e-voting election process with Diebold systems involves counting the number of votes versus the number of authorization cards (i.e., the number of people that actually voted). As Avi describes, the real risk is at the end of the day, when the "zero machine" is used to tally all the votes and transmit them to HQ, where audit trails cease to exist.

That's an excellent and most obvious point. Yet you would not believe the institutional resistance to this idea among the three e-voting OEMs (Diebold, ES&S, and Sequoia) to the idea of creating some sort of printed record. They insist on doing it all digital, even though their systems are ridiculously, incredibly insecure--probably because, in the event of a recount, a paper trail would provide concrete proof of how poorly their systems perform. There was an excellent overview of all this in Act One of the latest This American Life. You aren't going to believe your ears when you hear how lame these companies are (esp. Diebold), they to whom we are poised to entrust our most important the most important cornerstone of our democracy.

Ok how about just perjury alone. Forged video evidence was also presented in the anti-trust trial in the U.S.

Ok how about the court's decision, upheld on appeal, that the company used illegal methods to maintain a desktop monopoly?

There are also the false and misleading advertising, against palm, novell, and regarding MS-Passport. MS-Passport cannot be secure even in theory, so any claims were clearly known to be falsehoods. And since MS-Office 2003 is tied into that, expect more legal action.

Then there have been a series of fines regarding patent infringements. The most recent being from SPX.

Where I come from, all that's called lying or stealing.

"I don't know what the holdup is," Margaret K. Luca (D), secretary of the county's three-person elections board, said late last night. "I thought we had it covered. We tested all week in the county."

Last January the electronic voting machine maker faced public embarrassment when voting activists revealed the company's insecure FTP server was making its software source code available for everyone to see.

Then researchers and auditors who examined code for the company's touch-screen voting system released two separate reports stating that the software was full of serious security flaws.

Now a former worker in Diebold's Georgia warehouse says the company installed patches on its machines before the state's 2002 gubernatorial election that were never certified by independent testing authorities or cleared with Georgia election officials.
If the charges are true, Diebold could be in violation of federal and state election-certification rules. The charges also raise questions about the integrity of the Georgia election results and any other election that uses patched Diebold systems that have not been re-certified.

This is a decision based upon consumer experiences, child protection and our strategic investment to build up MSN Messenger.[my emphasis]

This would be a good opportunity to turn people on to cross-platform IM clients like GAIM. I doubt anyone in the tech communities is naive enough to take the children argument as more than a red herring to keep IM from joinging the OS/Broswer/Mediaformat/Office format anti-trust action. It does, however, provide a very good cover for pushing people into MS-Passport, despite its reputation, and for locking out non-Microsoft IM clients.

Alternately, this can be seen as just another product or service being dropped or postponed as the company sheds weight to try to stay afloat.

Lastly, regarding the link. This is being covered by everyone and his dog, even Reuters, so no need to plug poor sources..

Though they only spent three-quarters of a page of copy on this, I found it interesting that U.S. News and World Report did a decent job with this week's coverage of this topic.

Typically, I don't have many kind words for USNWR, often questioning my own subscription tendencies, but I am pleased to see they reference the Johns Hopkins and Rice report regarding the insecurity of the Diebold system.

Now, if only folks would see the same potential flaws in the Hart Intercivic system, then perhaps they would not be shipping 9,000 e-Slate voting machines to California.

Personally, I detest that the last four times I've voted here in Texas I've walked away with a laundry ticket. I demand a paper trail! Or at least an online database where I can review all my past votes cast. (Of course, in a perfect world, the database would be open for peer review - r/o - and the source to the programs that access and tally the votes would be available for peer review.)

Here is another episode where they talk about Electronic Voting. Dan Wallach a professor of computer science at Rice University is the guest. He is the one who wrote a report about Electronic voting

You can read the paper I believe they are making reference to in the article at http://www.avirubin.com/vote/

And that's exactly what's dead wrong about voting machines in general and Diebolds AccuVote in specific.

It's about as plausible like those industry strength, propriatery, uncrackable encryption devices with a secret, secret algorithm (which is certified by the association of creative spooks).

If we (as the voters) allow for such unaccountable, unauditable and error-rigged devices we can give the key to the town right away to he who maintains the devices (or even a few creative script kiddies for that matter)

"iRights" - Voting Machine Analysed, Found Wanting.

From the linked site:

The authors have done a security analysis of Diebold code that was downloaded from an open FTP site earlier this year. While the paper is technical, significant portions of it can be read easily by a non-computer scientist.

From the conclusion of the paper, Analysis of an Electronic Voting System, emphasis mine:

Using publicly available source code, we performed an analysis of a voting machine. This code was apparently developed by a company that sells to states and other municipalities that use them in real elections. We found significant security flaws: voters can trivially cast multiple ballots with no built-in traceability, administrative functions can be performed by regular voters, and the threats posed by insiders such as poll workers, software developers, and even janitors, is even greater. Based on our analysis of the development environment, including change logs and comments, we believe that an appropriate level of programming discipline for a project such as this was not maintained. In fact, there appears to have been little quality control in the process....

The model where individual vendors write proprietary code to run our elections appears to be unreliable, and if we do not change the process of designing our voting systems, we will have no confidence that our election results will reflect the will of the electorate....

And finally, the text of the Voter-Verifiable newsletter I received regarding this issue, which should appear on this page sometime (July 24, 2003):

If these EVM's model the voting machines used in the United States, this is clearly a bad idea. Anyone who read the report released earlier by researchers at Rice and Johns Hopkins about fraud concerning electronic voting machines has ,at least, serious reservations about not using them. If we throw into the mix India's huge populace, then it is safe to say that vote rigging and election stealing is far from over.

What is the solution to India's voting problems? I am far from qualified to present a solution. But, electronic voting systems is certainly not a solution.The reason for this is that it is very, very difficult to ensure that the software that is used for such systems is extremely secure. In other words, it is nearly impossible to ensure that no cheating will be carried out by the voters, the poll workers, the election officials, the software developers, etc.

The only known solution to this problem is to use a voter verifiable audit trail, that is a paper account of the voting. By doing this, we no longer care about the accuracy of the software. The software is simply a blackbox that accepts the input of the user and prints it out to paper, which the voter can verify. The point is that the only possible proper use for an EVM is as a user-interface.The machine can help people who are visually or hearing impaired or it may display voting options in different languages, etc. There are innumerable user interface hacks that can help the population. But no matter what, it is nearly impossible to verify security if the EVM's are used as anything other than exclusive user interfaces.

I suggest that the Indian government reads this study (PDF) about the security of EVMs first and then thinks if they really want to have it.

There really does seem to be no difference between someone who cannot read and someone who does not. Those that can read wouldn't be caught using MS-Passport. Sadly, signal can be drowned out by noise coming from a colossal marketing blitz to last through september.

We'll see if they last that long. Windows2003 seems to be more of a push to get users over to OS X or Linux. Their other (2nd of 2) cash cow, the new MS-Office has already been postponed and seems to be more of an incentive to move to OpenOffice than to upgrade.

Anyone except me that see the irony in the fact that those who wrote the paper Defending against an internet-based attack on the physical world displays their physichal world location on the top of the paper?