Damning Report On Sequoia E-Voting Machine Security

TechDirt notes the publication of the New Jersey voting machine study, the attempted suppression of which we have been discussing for a while now. The paper that the Princeton and Lehigh University researchers are releasing, as permitted by the Court, is "the same as the Court's redacted version, but with a few introductory paragraphs about the court case, Gusciora v. Corzine." What's new is the release of a 90-minute evidentiary video — the researchers have asked the court for permission to release a shorter version that hits the high points, as the high-res video is about 1 GB in size. See TechDirt's article for the report's executive summary listing eight ways the AVC Advantage 9.00 voting machine can be subverted.

Re:"E-Voting Machine Security" like "Microsoft Wor

[entgod]

They could, in addition to printing the paper ballots, count the votes. That way it would be possible for people to see the votes being cast in almost real-time. I would like it. Of course, the official count would be done by hand.

Re:"E-Voting Machine Security" like "Microsoft Wor

[corsec67]

On a side note - how hard can this stuff be? It's not like they aren't making a fortune from these things - it's seeming like they are barely able to break even so they have to hire "below the barrel" talent...

Making a machine that counts or tallies votes shouldn't be very hard, and should be a first year programming assignment.

Making that whole system *secure*, otoh, is almost impossible, especially when it is something as large and distributed as a national voting system. If a company could actually make a completely secure voting system, they could also have a good DRM system. (Yeah, I did say "good DRM system", which shows how possible I think that is)

From Ken Thompson's essay Reflections on Trusting Trust, he says it isn't enough to check the source code, you also have to check the compiler, the output from that compiler, and I would add, in the context of a voting system, everything that is or could be in the system/network.

Why so backwards?

[lord_sarpedon]

Funny I think that people are so cautious to trust computers here, but they're fine for everything else. Just make it open. We can gain some advantages.

-Immediately before voting, you are handed a number. How we generate these numbers is up for debate. Perhaps they are centrally generated and serial. Perhaps a hash of name + DOB + other stuff. Each choice here opens different doors.

-Barcode equivalent to said number must be scanned at the machine. Number must also be entered on an onscreen key pad.

- Number + voting choices + timestamp + voting machine id are stored in a central database. Immediately. Nothing local.

-You get a receipt with your Number + voting choices + timestamp + machine ID. It also has these other handy value on there. A digital signature, created by said central authority with its private key. The public key is well known long in advance.

-After the election, the entire result set is made available for download. Yeah, a recount is a big fucking deal. We have these neat machines that are good at math. The bigger deal here is that if you check the database after you voted and the entry for your number doesn't match, you scream bloody murder. If you don't trust the machine, any party can verify the central authority's signature.

-But in addition to 'any' party, it is critical to have a non-networked verification appliance, which does nothing but verify the central signature for you before you physically leave. If you scream bloody murder at this point, we can consider the plain-text part of the receipt trusted. You obviously couldn't have faked the entire receipt while being watched by everyone. More on this soon.

Nice huh? Let's recap some advantages here:
-You can verify that your vote was counted and correctly
-You can't determine who voted for whom, except yourself.
-The receipt actually means something

Let's elaborate on that third point.
There are several means of lying to you, which can't easily be solved without adding machines into the mix

-What if the receipt says you voted for X but the machine recorded you as voting for Y? This is as good as pressing the wrong button. The signatures will both be valid. But if the plain-text portion shows the wrong candidate, you'll notice and scream. If the plain-text portion doesn't match the the central signature (the one most directly relevant to proper recording) you will catch this at the non-networked verifier. The receipt can still be trusted having not left the polling place, so you will be allowed to vote on another machine, as meanwhile the machine you previously used is marked for a serious investigation...

-What if the central authority records whatever it wants but produces a normal signature? The receipt will be considered entirely valid and endorsed. People will notice quickly as they check the database from home. You have a paper trail that can be trusted. What if the signature is bogus? People notice before they leave the polling place.

Up to this point? Criminal negligence bordering on treason. Open source needs to step up.

Re:LOL

[TheLink]

"... I am getting upset over the fairness of a system that will only let me choose between two criminals for who should be the leader."

Aren't there more than two candidates? Can't you vote for the others instead?

Apparently in the past election 60+ million voted for X and 59+ million voted for Y.

But 80+ million didn't bother to even show up.

Think X and Y might notice if the 80+ million voted for Z?

I bet X and Y might also notice even if the 80+ million walked up to the voting booths and voted "none of the above" and thus "spoilt" their vote.

At least the foreign media would be reminding them of it e.g. "Mr President, how can you say you have support of the people?".