Online Voting In 2004 To Require Windows
letxa2000 writes "According to this article at CBS, a trial Internet voting system will be made available to 100,000 voters in 2004--particularly military and overseas U.S. citizens. As an American living overseas I think this is a step in the right direction. But the article also says 'Voters using SERVE can register to vote and cast their ballots from any computer using Microsoft Windows with Internet access.' Why the Windows requirement? Is that really going to make online voting secure?"
They are concerned about building something that works solidly and since Microsoft dominates the desktop market, it is a no brainer to target Windows IE as the single allowable browser to vote with.
Many of us know what a bitch it is to develop a code and feature intensive site that works correctly for all browsers.
It also cuts down on support issues. I have met people who are unsure of what platform they are running. "What kind of computer am I using? It says 'power' here near a button. Is that right?"
Why the Windows requirement?
Maybe because the VAST majority of individuals use MS Windows. You ASSume that it is just a HTTP connection with SSL so any OS should suffice. Look at the F.A.Q. It says that "required software is downloaded automatically as needed when you access various parts of the SERVE website." Possibly, the voting software uses their own encryption and will be delivered as an ActiveX or some other format. Could they have written the software so it could work on other OS? Sure, but it's a trial run! There is no right to Vote from a Linux box.
Security through obscurity is worthless
You and I know that, but what about the lawmakers, do they know and/or understand that? How are you going to get them to understand that? We are not dealing with computer people here; we are dealing with people who for the best part know how to use Word, and at worst don't even know how to turn on a computer.
eh? Or they could just use standard html and not I.E. specific HTML, and then you wouldn't need to do any porting to any other operating systems at all!
Relying on IE-specific JavaScript or whatever they are doing that is IE-specific is just asking for trouble--and not because it locks our small minority out of it.
The fact that they are using ANY sort of client-side JavaScript, let alone IE-specific JavaScript, for checking values or what not for a voting system is not a good idea. What if they are using IE and have JavaScript disabled, or whatever?
Bottom line is, it should be standard HTML, not just so everyone can use it, but so that it is more robust!!
Well, I dare take the position that the internet can be made a lot more secure than a regular hole-puncher voting-machine ever will.
... suffice to say that Gore and Bush quarreled over these machines quite a bit.
... paper-based, internet based, the issue here is of course with trust. Whether you or my mom would trust internet voting more than paper voting is another matter entirely and lends itself to a much larger discussion about referendum validity, but mathematically it is indeed harder to fake a Diffie key-exchange than it is to throw in a few extra paper votes in the bag when counting.
In some countries/referendums you tick a box; with more than one tick the vote is void. What's to prevent someone from ticking an already ticked vote when counting them up? Redundancy, of course, but Mr. Smith walking around, making sure that 15 other Mr. Smiths don't void the votes they have been given is hardly what I would call a secure system.
In other countries/referendums you use a hole puncher. I mean, I hardly even need to comment on a hole puncher.
In Denmark, where I've lived, you need to bring ID to the voting booths (often a passport). You go down, get counted (yes, Mr. So'n'So has voted) and tick your box. Nothing prevents me from giving my passport (or whatever other means of ID that is deemed fitting) to someone else and let them vote in my name.
Contrast to internet voting, where a full ID check can be done once (i.e. you go down to your city hall, you bring ID, they check your ID, they double-check your ID, they check your picture etc.) and then, once, they issue you a voting key (say, an inexpensive USB dongle) with a private-public keyset. With this dongle there's a mathematically much smaller chance of fraud than there ever will be with paper-based referendums.
Sure, everything can be hacked
Secondly, (not that I'm advocating this) but isn't it easy to fake the http Browser/OS tag header?
Great... so they're securing the hell out of the server which accepts the vote. No problem there. How about the client machines? What if I were to write a worm program which spread innocuously through emails with the sole purpose of modifying the user's web browser.
Once the protocol is understood, this shouldn't be too difficult to do. Likely it'll be on a secure site, maybe password protected. Doesn't matter. The modified web browser waits until the user visits http://vote.us.gov or wherever, watches the variables being passed, and simply modifies them. Instead of:
name=John+Smith
secretcode=K38DJSH38
password=a
vote=Al+Gore
It changes it to:
name=John+Smith
secretcode=K38DJSH38
password=a
vote=George+W.+Bush
Securing the server is all well and good, but they'll need to think really hard about securing the client side as well. Hint: the choice of who to vote for should also be encoded and (preferably) signed against the user's information. So the vote shouldn't be for "Al Gore" but for a signed and encrypted string which represents Al Gore, making it impossible to derive the signed and encrypted string for "George W. Bush".
Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
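The hint in the comment above (bind the choice to the voter's information so that a rewritten vote field is rejected), sketched as an added example that is not part of the original thread. It substitutes an HMAC for the signature the post mentions; the key store, the `sig` field and the function names are assumptions, and it presumes the tag is computed somewhere the browser cannot reach the key, such as the USB dongle suggested earlier in the thread.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed sample data: a per-voter key issued at registration, indexed by
# the "secretcode" field from the post. Key store and key are hypothetical.
VOTER_KEYS = {"K38DJSH38": b"constructed-demo-key"}

# Fields covered by the tag: the choice is bound to the voter's identity.
SIGNED_FIELDS = ("name", "secretcode", "vote")


def canonical(fields):
    """Length-prefixed encoding so values cannot bleed across field boundaries."""
    out = []
    for name in SIGNED_FIELDS:
        value = fields[name].encode("utf-8")
        out.append(b"%s=%d:%s" % (name.encode("ascii"), len(value), value))
    return b"&".join(out)


def sign_ballot(fields, key):
    """Voter side (e.g. inside a hardware token): append an HMAC-SHA256 tag."""
    tag = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return urlencode({**fields, "sig": tag})


def verify_ballot(body):
    """Server side: return the vote if the tag checks out, otherwise None."""
    try:
        pairs = parse_qsl(body, keep_blank_values=True, strict_parsing=True)
    except ValueError:
        return None
    fields = dict(pairs)
    if len(fields) != len(pairs):  # reject duplicated parameters
        return None
    if any(k not in fields for k in SIGNED_FIELDS + ("sig",)):
        return None
    key = VOTER_KEYS.get(fields["secretcode"])
    if key is None:  # unknown voter code
        return None
    expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    # Constant-time comparison of the expected and supplied tags.
    if not hmac.compare_digest(expected.encode(), fields["sig"].encode("utf-8")):
        return None
    return fields["vote"]


def demo():
    """Sign the form from the post, then rewrite the vote field in transit."""
    form = {"name": "John Smith", "secretcode": "K38DJSH38",
            "password": "a", "vote": "Al Gore"}
    body = sign_ballot(form, VOTER_KEYS["K38DJSH38"])
    tampered = body.replace("vote=Al+Gore", "vote=George+W.+Bush")
    return verify_ballot(body), verify_ballot(tampered)


if __name__ == "__main__":
    print(demo())
```

The server accepts the untouched form and rejects the one whose vote field was rewritten after tagging; it offers no protection if the tampering happens before the tag is computed.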
Maybe of some relevance: How To Rig An Election In The United States; Inside A U.S. Election Vote Counting Program; Bald-Faced Lies About Black Box Voting Machines
Interesting, but I think they're making a little too big a hoopla of it. Or?
Belief is the currency of delusion.
Other operating systems not supported because they make up only a small percentage of the users?
What percentage of voters are handicapped and require wheelchair access to physical polls? Are they turned away because they can't walk in on Microsoft Legs(TM)? No, polling places are chosen to be wheelchair accessible.
Likewise, online voting should be accessible to all, and to that end, the specs of the voting interface should be published, so anyone with a C64 and a modem should be able to write their own voting program. As long as the specs are met, there should be no requirement for any proprietary software.
Also look at This story and the related pages at The Scoop. The most widely deployed system in the US is based on MS Access (!?!), with NO controls for cryptographic storage, transport, data integrity and/or non-repudiation.
Baaaa, Baaaa! Computers Better! Paper Worse! It's mere superstition by the Sheep-people.
"Flyin' in just a sweet place,
Never been known to fail..."
That's the standard pat answer but it's still not the right answer.
If it's over the Web it should be cross-platform.
Period.
It's the same as if there were highways that didn't allow German cars, or Fords on them.
Percentages don't mean a thing when every professional HTML editor will validate for Mac OS, Netscape, Windows, IE.
If the Federal Government has anything to do with it, then it should have to work across the major platforms (Windows 9x/NT/2K/XP, Mac OS 9/X, Netscape, KDE browser, Opera).
Volkswagen accounts for less than 2% of the cars sold in North America, so it is acceptable to keep them off the Interstate?
Exclusively, in fact, to all other OS's.
I'm going to play "Devil's Advocate" here and note that the article says "Windows users *can*..." not "Windows users *must*..."
So where is the "requirement" here? I've yet to see any protocol (on a public network at least) that can't be used (reverse-engineered?) by anyone so inclined.
Granted, the wording underlies a basic assumption that computer usage equals Windows usage; at best this is an accurate reflection of market conditions. At worst, it is a blatant plug for somebody's sales Dept. Either way, it's an obvious bias and should be taken with a grain of salt. I can only *hope* that the relevant security is up to par.
Of course, I'm just playing "Devil's Advocate". And the devil is in the details.
C|N>K
what are you talking about? Lots of people know what it means.
Unfortunately, many coders don't bother implementing true security because they assume that compiling the login is sufficient.
Having an open source version of the code eliminates that option, requiring true security to be implemented.
Face it. Coders and designers are lazy. I am one, and I know what I'm talking about.
We had a pocketpc project that a third party contractor implemented. He wanted to install it on our system using a web server gateway to our databases.
He was convinced, because https is "secure", that having the client piece do the database updates to our server was fine. He couldn't understand my point that if the client piece was reverse engineered, anyone could then update rows on our database. He kept claiming that Microsoft says it's ok.
The posted requirements in this type of system are more often the words of the legal or marketing teams than any kind of true technical specification. Plenty of sites (I know because I've worked on them) specify requirements like these because:
I routinely use Mozilla or Opera on Linux to access sites that are labelled "Windows/IE only". Sure, there are some that don't work because of fancy plug-ins, extensions and such, but the vast majority pose no problems. I suspect this is all a tempest in a teapot...
Trouble making decisions? Just flip for it.
...will quite probably never be removed from power
SERVE, a rewrite by Database Technology, Florida?
One must never forget that even before the 2000 U.S. election took place, tens of thousands of legal voters were illegally purged from the voting rolls by the Florida State Department, run by Katherine Harris under the aegis of Jeb Bush's government.
A Database Technologies/Choicepoint Vice President has testified under oath TWICE that his company informed the State of Florida of the extent to which legal voters would be purged from the voting rolls, yet the Florida State Department decided to go ahead in any case.
Further, exonerated felons who had served their time and had their citizenship rights restored in other states were illegally required to apply for clemency in Florida, to Jeb Bush's Clemency office.
This was not the standard practice and was illegal, as several court cases made clear, cases of which Jeb Bush could not have been ignorant as they happened in his own state and ruled on his practice. Much of this can be found in Gregory Palast's great investigative journalistic work, and we've compiled a complete list here.
If you don't like to read, I suggest you at least view Palast's BBC Newsnight broadcast, which ran nationally in Britain. While the national mainstream news carried this story in England, U.S. news consumers are, in the case of the vast majority, completely in the dark.
The story was reiterated in the Nation by the Pulitzer Prize Winning journalist John Lantigua here.
I am afraid that sentiments like yours mask a great deal of indifference and intellectual laziness by the pretense of a realistic and 'no-nonsense' attitude.
It is a far-cry from the blanket assertion:
to the validation for implementing systems which have a documentable history of being the worst possible of implementations. Those so far in evidence actually invite abuses! http://www.blackboxvoting.com/
Inside A U.S. Election Vote Counting Program
Bald-Faced Lies About Black Box Voting Machines
It is irresponsible, derelict and probably mendacious of anyone advocating the adoption of newer vote collection technologies not to insist on addressing these specific allegations and their evidence. Any proposal which is advanced without a specific redress of these concerns should be considered suspect in motive. Ignorance of the basic issue - and its gravity - is not a possibility.
"Flyin' in just a sweet place,
Never been known to fail..."
Apparently, there is a scientifically sound way of doing e-voting, although it would require someone much better versed in math than I, to confirm this. I once heard Vince Rijmen (of AES "Rijndael" fame) describe ways to ensure some essential, and apparently contradictory, guarantees in e-voting (it was in an EU country, so pls forgive the EU-centricity - I have a history, you insensitive clod.. :-) ):
Authentication: Assuring that one votes oneself, that one's vote is not falsified, and that one has voted, at all. (some EU countries have mandatory voting)
Anonymity: Assuring that it is impossible for a third party to determine who I've voted for.
Correctability: assuring that I can modify my vote for a certain period after it has been cast (because there is no oversight in voting at home, I could have been coerced to vote a certain way, e.g. by someone coming into my home and holding a gun against my head, and should be able to correct this).
Vince described how he and his fellows at Cryptomathic found ways to project some basic mathematical techniques onto PKI, to ensure all of the above, and therefore allow for mathematically provable e-voting. Essentially making the voting process much more certain and transparent than was ever possible using conventional techniques.
I was solemnly impressed. It sounded too good to be true. I sincerely hope some of you mathematically unchallenged /.ers will draw Vince into an online discussion about this, so we can all find out whether he really has this magical solution, or he was just advertising his new company. Make it an "Ask /.", for example.
for the virus/spyware/worm/... that infects Windows machines and patches the election program to vote for the candidate of the spyware author's choice. Remember the 2000 election 100,000 overseas votes could make the difference ....
I think letting people vote online is stupid; too many people (everyone) have access from uncontrolled locations (everywhere). If voting is to be done electronically it should be done on a private network where you would still be required to go to the polls and instead of a silly punch card there is a computer for you to vote on. This way if anyone wanted to mount an attack they would have to launch it from the polling place (assuming the physical layer is secure) and the PCs there could be dumbed down enough (no cd/floppy drive, touch screen only) to make it next to impossible for a person to hack without drawing attention to themselves.
Is it a good idea for them to be using client software? By doing so, you are giving hackers a large amount of bitcode to play with and find exploitations with. It seems to me that it would make a lot more sense to use SSL over HTTP as this has been highly tested for security all over the internet for years. Any program that they develop will be very green and unpredictable.
It will be much more convenient for wealthy computer owners to point and click on their favorite candidate. It is more fair for everyone to have to vote in the same place in the same way at the same time.
P.S. - Please disregard this post if the online voting will never be applied to more than absentee voting as the article discusses.
In this case, security from script kiddies is neither here nor there. The best way to keep your system secure is have as many white hats as possible try and find holes in it, and the best way to do that is to publish the details of the system. That way, you can be confident that the system is secure, even if the source code is leaked. As to your comment about OpenBSD, that is almost completely irrelevant. It doesn't matter how secure the base OS is if the software it's running is insecure.
Which do you trust more? A system where the proponents say, "Trust Us" or a system where you can look for yourself. I know which I prefer.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
There's a cost-benefit curve there. If you keep it secret from everyone, that's bad. If you keep it secret only from those who might attack it, and no one else, that's good. For each given scenario there's a point somewhere in between that's best. Unfortunately, it's almost never possible to tell who'll be attacking it, and the costs of not getting peer review are higher than the benefits of making your enemies attack it blind, for basically secure systems. But recall that replicating the Purple cipher nearly drove Friedman mad, while Turing et al. were able to crack a captured Enigma relatively sanely... So the successful Japanese obscurity efforts cost America a great cryptanalyst.
The basic technologies behind security certainly shouldn't be secure. But some obscurity, like blocking people from figuring out what sort of server software you are running (or fooling them into thinking it's something else) is certainly a good idea.
If someone is trying to crack a Linux box running Apache they think is a Windows box running IIS, they won't get very far. At the least, they will waste time figuring out what you are really running; that's time you can detect the intrusion in and gather information for any relevant response before he actually gets through. In a setup like this, using an open platform as a base but obscuring the deployment details, obscurity helps immensely.
How many troops in Iraq or Afghanistan are using *NIX?
Slightly OT but...
That video wall used in Doha, Qatar where the big briefings by Franks and others was run by an SGI Irix box and there is a large amount of Sun hardware/software in the comms, image processing (recon), and weather forecasting departments. I have no clue as to the availability of *nix laptops/PC's for grunts though.
The OICS/Project 21/New century soldier palmtops have been running everything from Newton OS through PalmOS and WinCE. I've never seen a hardened, Linux-running Zaurus, but there is no reason Sharp shouldn't try to get in on that contract.
09f911029d74e35bd84156c5635688c0
whoops, my bad- I was looking for the simpleton bold letters.
I agree with you tho- it'll be hard to prove who you are without tying your identity to a vote. I don't trust the current/any politicians to say "here is our closed source voting system. all you do is put all of your personal info in here, and we promise not to check and see who you voted for. Promise."
Funny story I have to go along with that, rather long but it's on topic and quite interesting.
My college tried doing something similar for student senate. They hired an art major who used FrontPage to write a form. It included inputting your student ID (SSN), your name, your birthdate (for confirmation), and everyone you voted for on the ballot.
Of course, no one bothered to think that perhaps the data should be stored somewhere safe. Instead, it was stored in a flat file that was web accessible. A friend of mine who shall remain nameless was bored and decided to trace through the html.... 20 seconds later, he asked if anyone in the lab had voted online. A couple of people raised their hands. He then said, "hey Chris, is your SSN 123-23-1234?"
The demonstration was complete. There were about 700k of text in the file, over 900 names, SSN's and votes by 11am (half an hour after we found it.)
We had of course gone and told everyone we could find that was in any position of power to kill the page and move the file offline.
Around noon, the file was removed, but the voting page was still up. We looked into the code to find that they had changed the name of the file from /results.dat to /secret/results1.dat.
I looked at the list as it grew larger, noticing more and more of my non-geek friends showing up on the list. We even went so far as to have Beavis vote, and then watched as he was added to the text file.
We reported it again, and by 2pm, they finally "stopped" the online elections.
Some of the people in the lab were less than impressed by that point. One individual who I've only seen once in that lab and never again, printed out the list. He then went and stapled 5 pages to each door in the Computer Science building. That prompted more of an investigation than anything else.
The funny part was that the people who counted the votes were the ones who were currently in office. Not only that, but one of the guys, the student senate president, had voted over 50 times for himself and his fellow incumbents.
Of course they blew over it in the school paper with a crap apology. I think one new person was elected that year.
Of course, no one would touch that story with a 10 foot pole- not slashdot, not the local newspapers, not the local tv stations.
Moral of the story: my voter apathy prevented me from getting my identity stolen. Remember to be apathetic towards the voting process.
Anyways, my point is this was one example of a horrific abuse of online voting, and I whole-heartedly agree that it's not ready. Not yet.
Looking for Book Reviews? Check out Literary Escapism.
Nice racket! When is some country going to liberate us?
No encryption system is perfect, all can be cracked given enough time. All security systems can be defeated given enough time. The art of security is to choose measures which protect data for a 'critical' time. Even state secrets are revealed after 50 years. You can lengthen the secured time by adding more bits to the key. Any unflawed algorithm can be made arbitrarily difficult to crack. So even if the whole world knows you're using AES, it will still take them X years (per $ of computer hardware) to crack. For elections the encryption only needs to protect against fraud until the results are announced - so 1 year's protection would be sufficient.
So whilst revealing the algorithm may weaken security, this can be countered by increasing key length. For something as important as voting the system must be unriggable, but more important it must be seen to be unriggable. The only way this can be done is if the code is open, otherwise the box could ignore the vote cast and record a different vote.
People have to trust the system - and this is much more important than any loss of security due to opening the code.
Any questions?
The whole key infrastructure for this should be FIPS-140 compliant for hardware-based key modules, and require the coordinated actions of two or more actors in managing/engaging keys. There should be strict operational guidelines for the separation of roles in the management, deployment and retrieval of these devices, and a separate role with an auditory function. The Auditory role needs a key that can reveal and validate any information on the system, yet create or modify nothing.
These controls are the only justifiable reason to implement 'electronic voting'. Cost? Give me a break! If free and fair voting is not worth paying premium prices for, what is? Do we have to pinch pennies for the land mines we drop on Afghan soil?
Without attempting to reach this benchmark, electronic voting is a fraud. It is a humbug of technophilic superstition used by sellers of snake-oil to dazzle the onlooker, while trusty assistants rob the crowd.
"Flyin' in just a sweet place,
Never been known to fail..."
And if Libertarians had their way, we'd be driving on toll roads owned by and going to state parks owned and operated by Georgia-Pacific lumber company. Plus we'd all be out of jobs, because the major corporations would move everything overseas due to the lack of gov't interference in business.
Liberalism, Conservatism, and Libertarianism all have their strengths and weaknesses. Give me a party that believes in protecting the environment, promotes competition amongst businesses by not allowing them to buy each other up, stays out of my personal life, and puts the rights and liberties of citizens ahead of big business. One that believes children are this country's most valuable asset and that all citizens have a right to medical coverage.