Slashdot Mirror


E-Voting Raises New Questions In Brazil

Zaatxe writes, "Today is election day in Brazil. About 125 million people are expected to vote for president, governor, congressman (for both state and federal levels) and senator. The Washington Post has some interesting details about the electronic voting machines used in Brazil. From the article: 'Elections in Brazil used to be a monumental challenge, with millions of paper ballots to count by hand, many of them delivered by canoe and horseback from remote Amazon villages. Fraud was widespread, and it often took a week or more to determine the winners. Latin America's largest country eliminated many of these hassles by switching to electronic voting a decade ago, long before the United States and other countries... Some computer programmers who have closely examined Brazil's system say... confidence is misguided... Some Brazilians are lobbying... to switch from Windows CE to an open-source operating system for the voting machines, since Microsoft Corp., citing trade secrecy, won't allow independent audits to make sure malicious programmers haven't inserted commands to "flip" votes from one candidate to another.'" Read more below.

As a Brazilian voter, it was a shock for me to see that the voting machines here are made by Diebold. But what makes me confident in the system can also be found in the article: "Given the choice of picking a system where wholesale rigging is easy, versus one where it's impossible, why has Brazil gone with the system where it's easy? Brazil did build in some safeguards during its transition to electronic voting — protections that still don't exist in the US. While the code behind Microsoft's operating system remains secret, independent auditors must approve of the overlying voting software before it is inserted into the nation's 430,000 machines. The software remains open to inspections for three months before election day. And hours before the polls open, randomly chosen voting machines are tested 'to verify that the software inside does what it is supposed to do.'"

4 of 158 comments

  1. Simplicity is important ... by Gopal.V · · Score: 5, Insightful

    India has been using an EVM for a while, it has no operating system and is a bare-bones equivalent of a calculator with a line printer attached. Hook it up to a standard dot-matrix printer and get voting. It is probably as simple as a system can be.

    No government which outsources its technology to vote can remain sovereign. Machiavelli didn't go on and on about mercenaries for nothing. And all said & done, this doesn't actually mean an honest election brings up a good government - we're intelligent individuals, who form dumb mobs, pulled & manipulated by politicians with electoral issues (which are non-issues in the real sense).

  2. MS Ain't So Bad Here by logicnazi · · Score: 3, Insightful

    Frankly I think the concern about using an MS OS rather than an open source OS is misplaced. In fact despite my general dislike for MS I have to say that in this situation MS is probably a better choice than a Linux based OS.

    Sure people are going to claim the 'lots of eyeballs' effect makes Linux more secure. However, there are major sections of the code that are deep voodoo and very very few people understand. An attacker would of course choose to put his code in one of these sections and if you are really running this code atop a full blown OS and you know (because the government has demanded it be published) the software that will run on top of it there are probably tons and tons of innocent looking ways to screw with the results.

    I don't know if this would really work but one might imagine a situation where the ballot will be divided into two pages. Likely whether or not the vote was recorded and sent to permanent memory before the page is flipped or after will have some statistical difference in memory reservations or paging or some subsystem like this. One could code a race condition that scrambles the cast vote which while rare is slightly more statistically likely to happen in these situations than the other ones. Hell in an election often the young have different voting patterns than the old so you could just have some statistical relation to the speed at which options are picked.

    The point is the bad guy is likely to have lots of resources and be able to concentrate them in one very small area of the code in a way that looks valid or if discovered innocent. The eyeballs need to look over all the code. Yet we know from the number of bugs found in the Linux kernel that many bugs do make it past without even being engineered to look innocuous.

    While the MS kernel is likely to be more buggy it is much harder to contribute a patch to the MS kernel making it more difficult for a bad guy to slip the code into the kernel in the first place. So while it would be nice if the kernel was visible to everyone I think not accepting third party patches is a more important security feature than being open source for a situation like this. Getting someone hired as part of MS's OS team or corrupting one of them is way harder than getting a patch accepted to the Linux kernel that deliberately contains a very subtle area.

    Of course what they really should be doing is not using anything complicated like a real OS anyway and instead an EVM.

    --

    If you liked this thought maybe you would find my blog nice too:

    1. Re:MS Ain't So Bad Here by orasio · · Score: 3, Insightful

      That doesn't make sense to me.
      You are saying that in order to hack the Linux kernel, you would need to make a patch to the mainstream kernel, and get it accepted. Someone will review your code, and you need to disguise it as a fix for something. For this step alone, that involves deceiving kernel hackers, you need the knowledge of a top level kernel hacker, and there are few of them, and _some_ of them can't be easily bought for any reasonable amount of money, because they are well known people, and have a reputation to protect.
      Then you need to make sure that the makers of the machines use a recent enough version of Linux. So you need to send the patch at least one year, and more realistically, a couple of years in advance.
      After that, you need to pray that, in the meantime, your code doesn't break anything for any of its millions of users. And some of those millions are actually watching the changelog, and could find some flaw in your patch by chance.

      With any closed kernel, there is no known worldwide development process, so it _could_ be much easier to instill a bad patch, you maybe just need to buy one developer for a ridiculous amount of money, and that would be it. Of course, they could have better safeguards, but we don't know anything about that, so we can safely assume the worst.

      Aside from that, I think these ways of skewing the elections are overkill. You can always buy your votes on-site, and find a way to change the software of the voting machines on delivery, or maybe changing the whole voting machine before it goes to its place. You can buy some auditors, or people at Diebold. That would be much easier, safer and cheaper than changing the OS kernel.

  3. Re:Why Does Diebold Oppose Printers? by bremstrong · · Score: 3, Insightful

    For something as important as voting, it sure seems like the US as a country could afford printers.

    Anything to make it more likely that every vote is accurately tallied sounds like a worthwhile use of taxpayer dollars.

    Electronic voting machines that can't be audited--why again?