DC Internet Voting Trial Attacked 2 Different Ways

mtrachtenberg writes "University of Michigan Professor J. Alex Halderman and his team actually had two completely separate successful attacks on Washington, DC's internet voting experiment. The second path in was revealed by Halderman during testimony before the District of Columbia's Board of Elections and Ethics on Friday. Apparently, a router's master password had been left at the default setting, enabling Halderman to access the system by a completely different method than SQL injection. He presented photographs of a video stream from the voting offices. In addition, he found a file that had apparently been left on the test system contained the PINs of the 900+ voters who would have used the system in November. Others on the panel joined Halderman in pointing out that it was not just this specific implementation of internet voting that was insecure, but the entire concept of using today's internet for voting at all. When a DC official asked why internet voting could not be made secure when top government secrets were secure on the internet, Halderman responded that a big part of keeping government secrets secret was not allowing them to be stored on internet-connected computers. When a DC official asked the panel whether public key infrastructure couldn't allow secure internet voting, a panel member pointed out that the inventor of public key cryptography, MIT professor Ronald Rivest, was a signatory to the letter that had been sent to DC, urging officials there not to proceed with internet voting. Clips from the testimony are available on YouTube." Update: 10/09 19:24 GMT by T : Reader Cwix points out two newspaper stories noting these hearings: one in the Washington Post, the other at the Chicago Tribune. Thanks!

Please use internet voting

to mod me up to +5 informative, to show it does work perfectly!

Re:Please use internet voting

[TheP4st]

Troll or not, Anomynous Coward do have a valid point.

Re:Please use internet voting

[WrongSizeGlass]

I vote we continue with Internet voting.

Re:Please use internet voting

[Miseph]

Question: if we use internet voting, will that impede voter intimidation, ballot stuffing, creative counting or any of the other traditional methods of rigging elections proudly used in this country since the 18th century? Because if so, I've been informed it doesn't matter what I vote, and if not then I've been informed it still doesn't.

Re:Please use internet voting

[flimflammer]

Why are people wasting mod points to mod these troll?

Facts don't matter

[webnut77]

When a DC official asked the panel whether public key infrastructure couldn't allow secure internet voting, a panel member pointed out that the inventor of public key cryptography, MIT professor Ronald Rivest, was a signatory to the letter that had been sent to DC, urging officials there not to proceed with internet voting.

Just another example of our government ignoring the facts in favor of doing whatever they want.

Re:Facts don't matter

[Xaositecte]

What I've never understood;

Many of the companies famous for building voting machines also built their reputations building ATMs and such.

ATMs are, to the best of my knowledge, tremendously secure, even when you have physical access to the machine. Basically, when people money is on the line, they do not fuck around at all.

Why then are they making voting machines less secure than ATMs? The expertise clearly exists to do it properly, the only explanation I can see is intentional sabotage of the voting process.

Re:Facts don't matter

[_Sharp'r_]

Why then are they making voting machines less secure than ATMs?

You clearly don't understand enough about ATMs if you think they are more secure than voting machines.

Most ATMs are just barely secure enough to keep the cash from walking away as long as someone can keep a physical eye on the machine (something somewhat inhibited for voting machines by private voting requirements). ATMs generally do a decent job of recording and reporting transactions to a remote server so that when money invariably is stolen (physically or electronically) it can eventually be taken from the correct legally accountable bank account.

A variety of ATMs suffer from default passwords that aren't changed, physical cabinet keys that aren't unique, eavesdropping attacks in the form of card skimmers and cameras, unencrypted transmissions, insecure operating systems, administrative backdoors, etc...

ATMs and voting machines suffer from what are essentially illusions of security that rely on no one smart enough to bypass them having the real desire and resources to do so. When voting machines determine how real power in large amounts is distributed (say, in national elections), they can't hope to stand up to what's at stake unless they are simple enough to be essentially transparent in function to the public.

Re:Facts don't matter

With ATM's, it's much easier to see if something has been tampered with. Historical data is being saved, and people on both sides of the transaction are keeping records and correlating things (at least in theory).

With votes, keeping a significant historical log with detailed correlations between what 'client' made what input into the system is something that actually can't be kept, due to the anonymity of the voting process.

So, from a strictly 'what is being done' context, there is definitely an additional wrinkle and difficulty in the design of a voting system.

Add in the highly cynical analysis of the real world situation and the fact that the ones in charge of ATM's are the banks, who will lose money either directly or indirectly for the lack of security, but with voting, you've got elected officials who would benefit from being able to game the system are the ones in charge of setting up the voting system...

It's a tougher problem, paired with less motivation to do it right (combined with a possible motivation to do it wrong...) Makes sense when seen from that perspective.

Re:Facts don't matter

[mean+pun]

The expertise clearly exists to do it properly, the only explanation I can see is intentional sabotage of the voting process.

How about plain old money? You need a lot of voting machines to handle the entire voting population, and purpose-designed machines are expensive, even if they are modified PCs (as some of them seem to be). Not that all vendors are saints...

Considering the costs, I can see the great attraction of internet voting for the organizers: you only need central servers (that you may even hire from Amazon or something), all other hardware is owned by the voter, and you don't even need personnel. I therefore have some sympathy for government people that tried anyway despite the opposition of experts, and their questions to the experts were also understandable, but I hope they have learned their lesson now.

Re:Facts don't matter

[vadim_t]

IMO, things that work in the ATM's favour:

1. There's strict accounting of whose account is being accessed.
2. If you're going to hack an ATM, you have to have physical access to it.
3. If you manage to steal money from an ATM, it'll be obvious. They just have to compare the amount of money there was inside with how much there should have been.

This doesn't hold with voting machines. The voter doesn't have an account, so detecting something was manipulated is much harder. Also, the money is at the physical ATM. If you're hacking it remotely, then you're not where the money is, and if you're hacking it in person then you can be quite certain you were filmed by a camera. Also there's a lot of money in it, so the bank has a lot of incentives to try to catch you if you manage to steal some.

Re:Facts don't matter

[Securityemo]

2. If you're going to hack an ATM, you have to have physical access to it.

You should never just assume things like that, even if it seems obvious. Assumption leads to complacency. Complacency leads to UFO theorists in your workstations.

Re:Facts don't matter

[AJWM]

When user votes, for his vote a checksum is created using one-way algo (digest) which is formed from:
    Session ID, Voter name, Vote result, a unique key given only to voter and known only by voter and govt, date.

Now crack that one ;)

It doesn't need to be cracked, it's already broken; that unique key known to the govt breaks voter anonymity.

Re:Facts don't matter

[vadim_t]

I understand that an ATM can be potentially messed with remotely.

But what people want from the ATM is money. If making a withdrawal even if you do something remotely you must eventually collect the money in person. And if you were to fake a deposit, eventually the bank will realize that the ATM has a record of money being deposited, but no physical money to match it.

Re:Facts don't matter

[HungryHobo]

ATM's are fairly hardened, at least in comparison to most voting machines.
If anything they should learn more from gaming machines. many states have extremely strict rules for how gaming machines have to be auditable(to make sure the casino is following state regulations), hardened in very specific ways and in general vastly more secure than any voting machine I've ever heard of.

and yet when it comes time to buy voting machines do they think to apply roughly the same regulations?
god no.
Instead they get a 100 buck POS wraped in a neat but insecure case which the company charges a few grand for.

it should be perfectly possible with proper crypto, hardened terminals and proper security to make electronic voting(in person, not over the net, but on that count you're only contending with mail votes) at least as secure as voting on a piece of dead tree if not slightly better and a lot more efficient/accurate.
you decrease the risk of some of the more traditional forms of tampering(like ballot boxes mysteriously appearing in the counting room) and if done properly get only a slightly increased risk of computerized shenanigans.

Re:Facts don't matter

[nelsonal]

No one cares if the bank can tie your transaction at the ATM directly to you, also banks only care that fraud stays low enough that it doesn't kill profitability, not the 0% standard that elections require.

Re:Facts don't matter

[Sique]

Electronic voting still can't solve a simple thing:

To make each vote proven unique and untrackable at the same time.

With paper it's easy. Each piece of paper is unique by virtue of being a real object. Electronic votes are data, and data is limitless copyable, so the only way to warrant a piece of data is unique is giving it a unique ID, at which moment it becomes trackable.

Re:Facts don't matter

[HungryHobo]

With paper it's easy.

what universe are you from?
the dead rise to vote, ballot boxes appear in the counting room stuffed with "legitimate" ballots, people vote early and often and ballots are simply miscounted or lost.
Most of the problems people raise with electronic voting are equally a problem in normal paper voting(but they pretend it it isn't) and the other claimed problems are down to stupid things like connecting all the voting machines to the net and shitty security (in all it's forms). Crappy physical security is a problem for paper ballots as well.

You have a ridiculously romantic view of paper ballots.
They are none of those things.
They are not hard to duplicate/forge, they are not proven or trackable while at the same time are theoretically open to many forms of abuse, hell if you could get hold of the ballots after and election you could even lift fingerprints of the ballots to identify who voted for who.(just to apply the same kind of silly worst case scenario people apply for electronic voting)
Proper crypto should be better at providing both uniqueness and anonymity .

But it's different so it's scary.

Re:Facts don't matter

[MalcolmT]

It also doesn't have plausible deniability any longer. A union leader or employer or gangster who has some hold over somebody can force them to prove their vote was cast in the pre-agreed fashion: the person has to show that their session id, name, result and what they claim is their key matches up with the hash. They can't fake the key, since creating a hash collision on demand for a pre-specified hash is still a hard mathematical problem. They have to know the session id, otherwise there's no verifiability even for the voter.

There have been schemes created that allow verifiability along with deniability , but they are complex and expensive (in physical equipment terms) and I don't think I can recall one that allows over-the-internet voting (i.e. not being present at a specially constructed voting machine).

Re:Facts don't matter

[Machtyn]

There could be a way. It requires two transactions. This would be similar to proving you are a citizen and resident of the community and registered to vote in that community and then taking the paper to vote on. The first transaction is the user logon using the unique key they were given when they registered to vote. Then, when they vote, create a hash using the datetime with the vote selections (and a random number) to prove uniqueness of the vote.

I'm still not convinced Internet voting is a good thing. But as others have mentioned, the old pencil and paper method is also fraught with mischief (vote early, vote often).

Re:Facts don't matter

[Joce640k]

We're talking about internet voting, not voting machines. ie. People voting from their botnet-ridden home PCs.

What's to stop a party from releasing a virus which triggers once on election day then deletes itself from disk? Such a virus could subvert the entire process, regardless of public keys, SSL, whatever.

Re:Facts don't matter

[moosesocks]

Just another example of our government ignoring the facts in favor of doing whatever they want.

Ronald Rivest might be an incredibly intelligent person, but he's still just one guy. Just because he thinks that internet voting is currently a bad idea does not make it a "fact"

(Also, the summary is light on details: The system was only being used for DC's ~900 registered overseas voters. Overseas voting is already notoriously insecure, as it's impossible to establish a legally-liable chain of custody of the ballot as it proceeds through the international postal system in a big fluorescent-yellow envelope marked "ELECTION MAIL" . Having done it once, I can also say that it's an incredible hassle.

The fact that DC put the system online a week before the election to test for flaws, openly acknowledged a successful attack, and took the system down suggests that they did the right thing. We should be cheering them, and helping to make sure that the thing is secure the next time they put it up.)

Re:Facts don't matter

[ShadowFalls]

I suppose you could have the system print out the vote and only allow one print per ID. That can lead to some technical concerns. Also the question of whether or not that vote submitted, was altered in any way before it was print out due to the system already being compromised. I don't really see how you can have perfect voting system, whether it is electronic or not. They all have their own sort of failures.

Re:Facts don't matter

[Karljohan]

An electronic voting system can NEVER be transparent enough for maintaining democracy. It is the people that need to be able to audit the voting procedure and the lowest common denominator for the people is the ability to count notes one by one.

Any electronics will hide what's happening and then we leave the future of democracy to the trust in experts. Then it would be more fair to openly leave our democratic system and enter an era of a pure elitocratic system.

Re:Facts don't matter

[edumacator]

Just another example of our government ignoring the facts in favor of doing whatever they want.

Actually, after watching the YouTube video, I was impressed with the government official. She seemed to genuinely want a secure system that helped voters.

Even after one of the scientists presenting said that ballot distribution would have far fewer problems, she pressed him on it, and even asked several questions that led the panel to explain how even ballot distribution could be manipulated.

Re:Facts don't matter

[DavidTC]

And while paper ballots are not trackable at the vote level, you can physically keep track of them and know where they are at all times. You can sit there and watch the box, you can watch people add and remove things to the box. You can see the 'vote container' without actually seeing the votes, and know that no one can actually change the votes without adding or replacing or removing them from the container, which you could see.

There's no way to do that with electronic voting. The votes can be tampered with without detection, because you're handing the entire ballot box to people every time they vote, where upon they take it into the booth with them and do whatever to it.

Moreover, the people voting can't actually see their vote to start with.

It's just insecure in so many ways, the entire concept is insecure. It's a lot like DRM, in fact...the fact they currently get broken by stupid security issues is sorta masking the fact the entire idea is stupid and unworkable.

Electronic voting, incidentally, is a form of DRM. Except it's DRM where the programmers and system designers have motive to break it also, stopped only by a third party that doesn't understand any of this. So yeah.

To quote Douglas Adams, 'their fundamental design flaws are completely hidden by their superficial design flaws.' The problem isn't any specific security flaws discovered at any specific time, the problem is the idea of non-physical voting, period, full stop, because all the methods we have to stop fraud are via paying attention to physical objects.

Re:Facts don't matter

[mpe]

Many of the companies famous for building voting machines also built their reputations building ATMs and such.
ATMs are, to the best of my knowledge, tremendously secure, even when you have physical access to the machine.

Thing is that they are not that secure, especially against bank employees. "Phantom withdrawls" being the most well known of these problems.

Re:Facts don't matter

[DavidTC]

the dead rise to vote,

That is not a ballot problem, that is a voter roll problem. It can happen just as easy with electronic voting.

ballot boxes appear in the counting room stuffed with "legitimate" ballots,

Yes, in 1920s Chicago. Not in the actual modern world, where ballot boxes are kept fairly careful track of.

people vote early and often

That is not a ballot problem, that is a voter roll problem. It can happen just as easy with electronic voting.

and ballots are simply miscounted

Uh, no. Ballots are not miscounted.

or lost.

Except they aren't.

Incidentally, your 'dead voting' and 'people voting multiple times' and 'ballot box stuffing' happen with the consent of the people working the voting site, and the system is often so observed it actually requires third parties to come in and actually cast those votes. I.e, they can't just add votes.

Whereas with electronic voting, they could just stick the card in a machine and put on as many votes as they want if they were corrupt, you moron.

Proper crypto should be better at providing both uniqueness and anonymity .

You are a fucking idiot, because absolutely none of the 'electronic voting' systems out there provide any sort of crypto at all, much less the hypothetical crypto that would allow people to confirm their vote was counted.

Which, incidentally, would only stop the problem in one direction. If the voting workers are corrupt (As they seem to be in your universe with their manipulation of paper ballots), all they have to do is put in a bunch more votes and mark some voters off as having voted.

You're comparing the absolute worse paper ballot problems, the sort of problems we don't have any more and show up only in extremely corrupt systems where the process itself is being run by corrupt people, with some hypothetical electronic voting that doesn't exist and no electronic voting has ever been attempted as.

That's a bit like arguing lions are safer than cars, because lions could be implanted with auto-traq devices that triggered when they got close to people, whereas the Model T is entirely unsafe.

Hey, imbecile, try arguing in the actual real world.

Re:Facts don't matter

[mpe]

the dead rise to vote, ballot boxes appear in the counting room stuffed with "legitimate" ballots, people vote early and often and ballots are simply miscounted or lost.

All of these appear to be due to a lack of transparency and scrutiny. How do dead people get recorded as able to vote without there being massive fraud in the first place? In which case things are broken before any "election" takes place. If you are concerned about people trying to vote more than once you mark them with fluorescent ink. It's also very hard to count ballots incorrectly if scrutineers are present at the count and the transport of ballot boxes.

Re:Facts don't matter

[mpe]

Any electronics will hide what's happening and then we leave the future of democracy to the trust in experts.

Assuming these experts would be able to do anything anyway. e.g. Would they be allowed to randomly take a voting machine, drop it in liquid nitrogen, chop it up and examine the pieces with an electron microscope? Which is about the only way to find out what such a machine is actually doing.

Re:Facts don't matter

[mpe]

Overseas voting is already notoriously insecure, as it's impossible to establish a legally-liable chain of custody of the ballot as it proceeds through the international postal system in a big fluorescent-yellow envelope marked "ELECTION MAIL"

It might be a better idea to use a plain brown envelope addressed to a random PO box. Also to send plenty of decoys...

Re:Facts don't matter

[HungryHobo]

wow, you have a chip on your shoulder that's more of a boulder don't you.

"That is not a ballot problem, that is a voter roll problem. It can happen just as easy with electronic voting."

it's a problem with the system as a whole.

"Yes, in 1920s Chicago. Not in the actual modern world, where ballot boxes are kept fairly careful track of."

really? You think that kind of fraud never happens any more?

"That is not a ballot problem, that is a voter roll problem. It can happen just as easy with electronic voting."

Absolutely yet when listing problems with electronic voting people will full out electronic variants of all these things as if they have no paper equivalent.

"Uh, no. Ballots are not miscounted."

wow. i mean wow. You really are deluded.
I guess all re-counts turn up the exact same numbers as the first count then.

"Except they aren't."

except they are.

"Hey, imbecile, try arguing in the actual real world."

on a related note there's no point trying these lightbulb things, they're obviously worse than good old lanterns and those noisy smelly automobiles are no match for a good horse.
"Whereas with electronic voting, they could just stick the card in a machine and put on as many votes as they want if they were corrupt, you moron."

not if the system is properly designed you moron.

Re:Facts don't matter

[DavidTC]

Here's the actual fact:

No system even vaguely close to what you pretend is ideal is even close to existing in the real world.

Meanwhile, your support of some sort of perfect electronic election has resulted in goddamn voting machines running MS Access that anyone can walk up to and tamper with.

Yes, I have a fucking chip on my shoulder about sophisticates who yammer about how something could, in some hypothetical universe, work magically and perfectly. Something that is actually being done, in the real world, in such a horrible and treasonous way.

If we hadn't invented circuit breakers and fuses, or required them to be installed in building, yes I'd damn well object to light bulbs, because they'd cause more fires then well-understood lanterns.

The fact that we could hypothetically stop them from catching fire wouldn't change that fact that anyone advocating light bulbs in that world is a fool at best, and in the business of repairing fire damage at worse.

I swear to god, you people are worse than communists, yammering about how things work in some magical ideal world that nothing is even vaguely close to, and meanwhile all practical implementations happily destroy any semblance of the democratic process.

A better analogy: You're standing there arguing that the unpopular group X have the free speech right to march down the street, which is a fine thing to argue, and I'd normally agree with you...but right now the Xs are running around burning down houses and calling it a 'march'. You should perhaps, you know, shut the fuck up about some idealized thing and actually look at the reality of what's happening, and at least stop being part of the problem by defending something that sounds identical, from the POV of the general public, to some very bad thing.

Incidentally, as I've explained in other posts, the 'ideal' implementations are no such thing, either. All of the 'crypto' solutions offload security from a single physical box to hundreds of voter registration sites where any minimum wage employee can steal thousands of your precious magical encryption keys, and use them to make perfectly valid votes, which they can easily slip into the rather insecure vote. Which makes things less secure than physical ballots, as many many people have pointed out. It's more secure than what we use now electronically, but that's damning with faint praise.

But that's really an issue for another time, because, right now, you are arguing for shitty MS Access databases storing voting records, with no security at all. You don't intend to be arguing that, but you are.

Re:Facts don't matter

[HungryHobo]

bullshit

You're a fucking idiot.
But feel free to set up the worlds biggest and most absurd strawman.
Ya, I'm not supporting setting up a fucking decent electronic system and requiring audited hardware and proven code.

No, I'm calling for MS access databases storing voting records and whatever POS diabold can pull out of it's arse!
Great, now we've established that rather than advocating a sane system I'm actually advocating whatever your diseased little brain can imagine as the worst possible system feel free to make up an infinity of additional strawmen.

If you want you could claim I want to give the voting machines barbed penises with which to rape orphans to death.

That'd make your inane rants sound even better wouldn't it.

You sound as intelligent and reasonable as the homeless man who preaches from the corner downtown so I won't be expecting this to get through to you.

Inventor?

> the inventor of public key cryptography, MIT professor Ronald Rivest,

Rivest is a brilliant, very accomplished man, and was one of the inventors of one of the earliest and best-known public-key cryptosystems. But it's misleading to refer to him as "the" inventor of public-key cryptography in general. He co-invented RSA with Shamir and Adleman (several years after Cocks came up with it and kept it secret). But the concept of public-key cryptography was described before RSA, by such luminaries as Diffie, Hellman, and Merkle. He is certainly one of the pioneers of public-key crypto, and deserves acclaim for that, but is not "the" inventor of the concept.

Incidentally, much of Rivest's recent work is in the area of electronic voting (how to make it simultaneously accurate/auditable, privacy-preserving, and usable by non-technical people)--so he's not just speaking as a luminary in the field, but as someone who has studied this specific problem.

Re:Inventor?

[aug24]

Who invents something? The person who comes up with an idea, or the person who comes up with the first working implementation?

Diffie et al said, given a trapdoor function, we could make an encryption system. Rivest and Shamir made an effective trapdoor function.

Actual article

[Cwix]

The youtube videos are all well and good.. heres a few links to written articles about this though

http://voices.washingtonpost.com/debonis/2010/10/prof_explains_how_dc_online_vo.html

http://www.chicagotribune.com/news/chi-ap-dc-dcelections-heari,0,541741.story

Re:Actual article

[mtrachtenberg]

Thanks for posting links to the articles. Given the state of the news media today, though, I'd encourage people to check out the actual words of Halderman and his fellow panelists. And regarding a separate comment... if I was in error about router vs. terminal server, and SQL vs shell injection, my apology.

Corrrections to post text

[EvilSporkMan]

It was a terminal server, not a router, and the previously-published attack was shell injection, not SQL injection.

A solution to a problem that doesn't exist

Electronic voting always seemed to me like a solution looking for a problem.

What, exactly, is it about paper ballots that makes electronic voting systems seem like such a better idea? Obviously it's easier to rig elections with electronic systems, which is a good reason to like electronic voting if you're a scumbag. Aside from the that, what reasons are there to replace a tried and true system that everybody already likes and prefers?

Re:A solution to a problem that doesn't exist

[NiteMair]

Obviously it's easier to rig elections with electronic systems, which is a good reason to like electronic voting if you're a scumbag.

I think you answered your own question there...

Re:A solution to a problem that doesn't exist

[iris-n]

Obviously it's easier to rig elections with electronic systems

[citation needed]

Actually there's quite a long history of election rigging in the US with paper ballots.

Re:A solution to a problem that doesn't exist

[WrongSizeGlass]

The press needs to report on the results as soon as possible to stay relevant. If the results come out the next day at noon then no one is going to be watching CNN, et al, all night waiting for the results. BTW, does anyone really think it's a coincidence that elections happen in the middle of November sweeps? (it is a just a coincidence but that wouldn't help make my point, now would it?)

Re:A solution to a problem that doesn't exist

[MachDelta]

They mention it in one of the videos, but basically e-voting would be excellent for US citizens abroad, specifically those deployed in the military.

One would also hope that, if internet voting were to ever be successful, there would be a substantial increase in voter turnout. Imagine casting your vote from a candidates Facebook page, for instance.

In any case, teh intertubes is far too cluttered with evil things that go bump in the night for this to be a sane idea in 2010.

Re:A solution to a problem that doesn't exist

[GrumblyStuff]

He said "easier", not "suddenly possible".

With paper, you have to hand count it and there's observers from each party there. Then there's simply the paper itself. You need to bring in extra ballots and/or dispose of many.

With an insecure electronic system, it might be as easy as typing in a new count number. Observers may not understand the tech so swapping programs or hardware could be done right under their nose. Programs aren't open source and are not available to scrutinize. They could give different results on different dates or show voters they voted correctly when they tallied another for the opposing party. If they're connected to the internet, the voting machine could be hacked or the offsite tallying system could be.

Re:A solution to a problem that doesn't exist

[AJWM]

What, exactly, is it about paper ballots that makes electronic voting systems seem like such a better idea?

At a guess, I'd say the anon poster above is familiar with voting in countries other than the US.

For various arcane reasons, the US has regularly scheduled election days where just about every government position, from President down to county coroner (or even dogcatcher) is voted on on the same day. That would require a paper ballot (or collection thereof) on the order of a phone book. It's even worse when you consider the strange and bizarre overlaps in various federal, state, county, municipal and other districts. Basically, electronic systems are (theoretically) cheaper for the jurisdictions responsible for actually running the elections.

Note, though, that electronic systems are not incompatible with paper ballots. Several voting system vendors make systems (originally in response to Federal regulations in the wake of the 2000 Florida fiasco, and Federal disability act regulations) that provide a variety of ways for a user to interact (touch screen, audio response, sip/puff switches, etc) and then generate a marked-up paper ballot. These ballots are also much more amenable to machine reading. No more hanging chads.

Re:A solution to a problem that doesn't exist

[jd]

Obviously it's easier to rig elections with electronic systems

Extraordinary claims require extraordinary proofs.

Let us say you have an electronic ballot system, where the voter's registration card has a public encryption key. The ballot is then encrypted using that key. The corresponding private key is in a central computer, with no record linking it to the public key (thus preserving anonymity). This allows the central computer to verify that any one encryption key is used once and only once (one person cannot cast more than one vote), and that no vote that is counted comes from a person without a valid encryption key (so all votes are from people). Let us also say that observers and election officials are supplied with crytographic hashes of the unencrypted ballots at the time of the vote being cast. The total number of votes tallied at the end must equal the total number of cryptographic hashes if no fraud was perpetrated. Since the hash will uniquely identify the cast vote (without identifying what any individual voted), stolen votes (votes injected into the system by an attacker) would be readily identifiable as they would not match a hash. Fraudulent votes could then be eliminated and replaced with the real ones in a semi-automated recount.

We now have three things that cannot be tested with any paper ballot and one corrective action that cannot be achieved by paper ballot.

If you want to show that it is easier to rig an electronic election, find a way you could rig the above system that would be easier than an election official substituting a real ballot box with a pre-stuffed one (something that actually happened in the 2000 election) or that would be easier than an election official "losing" thousands of votes behind office furnishings (something that actually happened in the 2004 election).

The above system is not perfect, but show me that it isn't better. It may be that paper ballots are better, but that doesn't mean it is "obvious". Oh, and as for dodgy software (as happened with Diebold), let's say the election system used a CC EAL7 (Orange Book A1) rated platform, that the software AND submitted proof was open to independent scrutiny, that all networking was encrypted and run over a virtual circuit (so it can't be tampered with and can't be DDoSed) and that both NIST scrutiny and independent scrutiny had certified the systems as secure, politically agnostic, reliable, fault-tolerant and robust.

Again, these are all criteria you can look for in an electronic system, but not a single one of them applies to a manual system. The current system is run by party stooges, for a start. That automatically creates means, motive and opportunity for electoral fraud. Independent international observers have tried to monitor US elections but were blocked from doing so, so independent scrutiny is impossible. Reliability is obviously false, given that electoral fraud has happened on a fairly substantial scale in the past (hence the interest by international observers).

Now, if you meant "the proposed electronic system is open to fraud", then I'd agree with you. It's the generic that I'm not happy with, as it's possible to show that there's examples of superior electronic systems even if they're not ones that would likely be deployed in practice.

Re:A solution to a problem that doesn't exist

[AJWM]

Programs aren't open source and are not available to scrutinize.

Yes and no. The EAC (Election Assistance Commission, formerly the Federal Elections Commission) has a very fat book full of regulations and specifications to which voting systems should be certified. (Technically certification is voluntary, in practice many states and counties will only approve certified systems for purchase.) The testing and certification is done by independent Voting System Testing Laboratories (VSTLs). Testing covers everything from hardware (security of locking mechanisms and seals, resistance to ESD and power glitches, etc) to software (line-by-line inspection of source code, independent builds of the source using independently acquired or verified compilers, etc) to running simulated elections and verifying counts, etc. A lot of the validation data for certified systems is available on the EAC web site.

Not that any of this is 100% foolproof, the standards don't cover everything conceivable.

(I worked for a VSTL mostly doing source code review, also security analysis of the system design,both as documented and checking that implementation matched documentation. I rejected a lot of code, although much of that was for commenting that wasn't up to standard rather than potential security holes -- although there was a lot of failing to check for null pointers. If the logic really looked squirrelly, but met coding standards, I had to okay the code but could write up a test case to check it out during system testing. The code itself of course was all under NDA and security in the labs was pretty tight -- although not quite as tight as for the game testing lab next door.)

Re:A solution to a problem that doesn't exist

[iris-n]

With paper, you have to hand count it

AFAIK the US use some bizarre system of optical counting; never hand counts. Actually you tried to hand count it in Florida 2000, but the Supreme Court stopped it.

Again, how is that more secure?

Observers may not understand the tech

They already don't understand the tech to do optical counting. Electronic voting is simpler. And if you never use, of course no one is going to understand it.

Programs aren't open source and are not available to scrutinize

That is unacceptable, but evidently not a required part of electronic voting. Brasil uses open-source software in the voting machines.

If they're connected to the internet

Even the government knows how stupid and dangerous that would be. Fortunately no one has ever done this.

Re:A solution to a problem that doesn't exist

[feenberg]

Maybe sweeps are in November because that is when the elections are? Anyway the problem with electronic voting is not only that it is hard to do right, but also that it is impossible to show the average voter that it has been done right. With paper ballots and each party having a representative at the polling place and at the counting, voters are willing to believe the count is accurate. The offer to examine the source code is less convincing. Saying that the source code has been examined by someone paid for by the company that wrote the code is nothing at all.

Re:A solution to a problem that doesn't exist

[mrosgood]

Extraordinary claims require extraordinary proofs.

Yea? How's a court of law sit with you? The election results in New Mexico 2004 were fraudulent. Here's the link to Voter Action's lawsuit.

Were the machines actually hacked, as in malicious intent? Well, that's the rub, isn't it? Kind of hard to prove when there's no physical evidence. Either way, wrong is wrong. Whether be default or by design. Kerry still got more votes than Bush in New Mexico. Yet Bush was awarded the electoral votes.

it's possible to show that there's examples of superior electronic systems

Both incorrect and impossible. As this comment upstream notes:

Electronic voting still can't solve a simple thing: To make each vote proven unique and untrackable at the same time.

It's really very simple.

Private voting and public counting.

Secret ballots and transparent elections.

That is only possible with paper ballots. (The ballot box is the secure one way hash.)

Any electronic voting system eliminates both voter privacy and the ability to inspect the results.

Let us say you have an electronic ballot system...

Let us say you shut your air scoop until you learn something about voting systems.

Re:A solution to a problem that doesn't exist

[Joce640k]

the voter's registration card has a public encryption key...yada yada

...and their swiss-cheese-security PC has a specially released vote changing virus on it.

Oh, dear. All your maths and cryptographic theory was just defeated by a $5 wrench.

Re:A solution to a problem that doesn't exist

[Mathinker]

> private key is in a central computer, with no record linking it to the public key (thus preserving anonymity).

Interesting. How is the encrypted ballot going to get to the correct person, then? I think you meant to say that the public key isn't linked to the identity of the person to whom it was issued.

BTW, one presumes that these keys will be reused, since otherwise there is no extra convenience to the voter. And if the keys are reused, it is possible that a previous voting pattern could be correlated with a voter's disclosing information about his past votes. Another problem is that it is impossible to immediately revoke the voting privileges of felons, you'd have to wait until they need to be reissued new public keys (some people might find this a feature rather than a problem). Another, much much more significant problem is that it is possible to buy a voter's vote using money or intimidation (well, that could possibly be "fixed" if the central computer just doesn't complain about trying to vote more than once --- which has its own problem in that the rightful voter can never be sure if his vote actually was counted or someone else somehow used his key before him).

Another problem which you are overlooking is that, on the voter side, most voters would be using unsecured computers to contact this central computer (and in addition, most voters are incapable of securing their own computers). One suspects that it will just become a big competition as to who can infect as many as possible computers of the opposing candidate with their custom Trojan designed to undermine the results of the election.

There's tons of academic papers about remote electronic voting, and the conclusion of most people (including Rivest, it seems) is that yes, it can theoretically be done securely but in practice it is no better than the current system, and probably worse.

Re:A solution to a problem that doesn't exist

[DavidTC]

Yes, there are a lot of rules and regulations...

...none of which actually get followed. See blackboxvoting.org for more information about uncertified 'patches' applied during elections, spare memory card lying around that non one can explain what they're for or what's one them, and obviously faked tallies to match reported tallies, and databases that don't match each other, etc, etc, etc.

Re:A solution to a problem that doesn't exist

[DavidTC]

We now have three things that cannot be tested with any paper ballot and one corrective action that cannot be achieved by paper ballot.

Uh, no.

The problem here is that if election officials are corrupt, they're corrupt. Changing to a new system that stops specific behavior is just idiotic.

In this example, you've traded off having to physical secure election sites with having to physical secure and electronically voter registration offices and having to electronically secure election sites.

Please note by 'secure', I mean election level security. That means having observer watch a voter registration location. All the time. 24 hours a day. With people peering over worker's shoulders to make sure they're only adding one person for each person in.

Otherwise, people can just, you know, add new people to the rolls, or steal existing people's public keys. And then, with a tiny amount of software or a card reader or just ten minutes 'fixing' a 'broken' machine, electronically add entirely valid votes. In a manner much much easier, and much less detectable, than adding paper ballots.

The voting process requires security. Any idiot can set up a process that works if you've already verified every single person in advance and know there's no issue there, but that's patently impossible. and if you can do that, you should have just had them vote there.

The only way to make voting secure is to make the part that requires security as small as possible, and to make it observable to all. In a paper election, the part that requires security is a ballot box, which can be kept track of easily (Let's note that most of the manipulation comes from moving the box, and simply not move boxes anymore.), and an ID check at the start, which can also be kept track of easily.

You've invented some entirely different location, namely, all the places where keys get added, and some giant database, that also must be watched, and you've changed the level of security needed at actual voting locations from 'watching a box and license check', which any idiot can do, to 'watching all machines at all times to make sure that someone isn't doing something'.

You've functionally moved the 'voting' process off the voting site, which is all well and good for 'secure elections', but as you've now made 'adding valid votes' much much easier (a few milliseconds if you can hack a computer, an extra memory card brought in or one with a few votes on it to start if not.) now you have to 'secure the voter roll', too. To the election level security.

Re:A solution to a problem that doesn't exist

[DavidTC]

Ultimately, whether your proposal is better than paper ballots depends on the ease being able to make fraudulent registrations. Under a decentralized registration process as we have now, it would be just as easy.

Not really. Right now, it would be a zillion times easier to make fraudulent registrations. Voting precincts are watched to an amazing level.

The voter registration roll is a giant state-wide database with hundreds of access points, and probably ten thousand people a state who could alter it.

It's not even vaguely comparable, security-wise, to a ballot box. Ballot boxes have one location, and are inspected, sealed, watch, and unsealed. Voter registration computers are just sitting in offices.

And once you've added five thousand voters, all it takes is a rogue voting machine, just like now. His system is basically exactly the same, security-wise, as current electronic voting. (Except he apparently wants to network it.)

And a 'more centralized system' would be akin to barring poor people from voting. They already have enough trouble getting to their voter registration office.

Re:A solution to a problem that doesn't exist

[AJWM]

It's hardly the case that "none" of them get followed.

Yes, uncertified patches and extraneous memory cards happen -- at the point where the systems are under the control of the county election officials. Those same folks who could -- if they'd a mind to -- tamper with plain old paper balloting too. Nobody said the system was perfect. There's a mechanism (the independent VSTLs and certification) for making reasonably sure the machines aren't compromised by the vendor, but that still needs to be supplemented by local vigilance to make sure the counts are kept reasonably honest.

The upside is that uncertified patches and stray memory cards, like lost ballot boxes and mispunched cards, usually will only screw up a close local election and not something national (vs a systemic problem with all machines from a given vendor.) But yeah, exceptions like Florida in 2000 happen.

Re:A solution to a problem that doesn't exist

[DavidTC]

Those same folks who could -- if they'd a mind to -- tamper with plain old paper balloting too.

Which is why we make them do it in PUBLIC. Where we can SEE it.

You know, what we can't do with electronic ballots.

Color Me Paranoid

[Cylix]

It seems like the entire ordeal was designed to fail.

These were all fairly common attack vectors and not nearly as lavish as the PS3 stack smash. (Seriously, who thinks of that attack vector). Even basic precautions and awareness of current threat models would have enabled them to harden their system from these things. To add insult to injury the left over data on the host and default passwords to expose it.

I wholly agree that internet voting is fucking scary, but it seems like this test setup was created just to make the idea shine.

Re:Color Me Paranoid

[iris-n]

Never ascribe to malice what can be explained by incompetence.

Sadly, I think that this is the case.

Re:Color Me Paranoid

[Sir_Lewk]

Sufficiently advanced incompetence is indistinguishable from malice.

And really, why does it matter which one it was? In either case these people shouldn't be in the positions they are.

Re:Color Me Paranoid

[marcansoft]

the PS3 stack smash. (Seriously, who thinks of that attack vector)

Stack smashes are easy. The PS3 exploit is a complex interaction with multiple noncompliant USB devices and is still not fully understood. All we know is a pointer to a function pointer gets overwritten with attacker-controlled data (the end of a USB descriptor) and the rest is history, but the circumstances leading to that overwrite are much more complicated than your average exploit. And none of it has anything to do with the stack (as far as we know anyway!). Phiren claims it's a heap overflow overwriting a malloc boundary tag, but I'm not convinced.

They Should Handle it Like Reality Shows

[Greyfox]

You can vote as many times as you want by texting a number, but each time costs you $1.99! Then you could have "fair" elections, AND raise much needed revenue for the Government!

Re:They Should Handle it Like Reality Shows

[istartedi]

In the long run, the number of votes cast would tend to be based on prevailing interest rates. If the winner's salary + bribes is $1 million, and the prevailing rate of interest is 2%, then spending $50 million would only get you prevailing interest. You should spend less, because there are risks to being an office holder, and you might also lose.

Ultimately, an options market should be built around the candidates, and we should dispense with voting and simply sell shares in each candidate. Insted of pork, they could just pay dividends.

Of course, on the way to this perfection there might be some problems with candidate derivatives being sold over the counter, and banks over-leveraging on a particular candidate that nobody thought would lose or get sick and die.

Nevertheless, we should proceed. I'll get in touch with the Grand Negis shortly...

Re:They Should Handle it Like Reality Shows

[Lanteran]

that just made me loose a little bit more faith in humanity. Thanks.

shakes head

[Type44Q]

When a DC official asked why internet voting could not be made secure when top government secrets were secure on the internet, Halderman responded that a big part of keeping government secrets secret was not allowing them to be stored on internet-connected computers. When a DC official asked the panel whether public key infrastructure couldn't allow secure internet voting, a panel member pointed out that the inventor of public key cryptography, MIT professor Ronald Rivest, was a signatory to the letter that had been sent to DC, urging officials there not to proceed with internet voting.

Don't worry; they still won't get it.

Votes simply don't matter...

[blahplusplus]

... I don't understand why people are so up and up about the voting system given that

1) The vast majority of the public is too stupid to make any kind of sound decision about many issues
2) Most candidates can only get anywhere by money
3) You can never get rid of or mitigate the influence of money on politics since corporations are what makes the world go round.
4) Until their is something of a mass movement/revolt so that the power of corporations are reigned in, voting is irrelevant.

Re:Votes simply don't matter...

[copponex]

Yeah. Fuck democracy. It's not like keeping the voting system accessible by the public has any meaning. What's the difference between North Korea and America? Why, just a little cuisine and weather, right?

1) The vast majority of the public is too stupid to make any kind of sound decision about many issues

Go fuck yourself. Seriously.

2) Most candidates can only get anywhere by money

Martin Luther King? Desmond Tutu? Ghandi? There have been many political leaders, who didn't necessarily enter politics, who were able to force the state to change because the truth was no longer concealable. You cannot govern a population that does not want to be governed by you. Their desire to hold on to their positions of power is both a blessing and a curse. Even in communist China popular will has given way to reforms because the ruling party didn't want to be overthrown. There are some examples of states supported by outside powers, or in power because that state is under threat from other states, but especially in the developed Western world, the citizens of a nation determine their destiny.

3) You can never get rid of or mitigate the influence of money on politics since corporations are what makes the world go round.

Bullshit. People are what make the world go around. Do you really think life would stop tomorrow of AT&T and Exxon didn't exist? Civilization existed for thousands of years before the corporation. They are a human invention, not some magical organization that's any better or worse than any other hierarchy. But keep swallowing that line like an obedient intellectual prostitute.

4) Until their is something of a mass movement/revolt so that the power of corporations are reigned in, voting is irrelevant.

Bullshit. Countries around the world have voted to kick corporations out. Unfortunately, when they do, the United States often assassinates their leader or overthrows their democratic government through coups or terror campaigns. If you are an American citizen, you are one of the most powerful people on earth, because you have a vote that can change the way the world operates. But you've accepted the reality they sold to you, not out of struggle or just giving up because you don't have the strength to continue fighting, but because accepting that belief enables you to act immorally and pretend that it doesn't matter. You're nothing more than a sell out.

Democracy is a device that ensures we shall be governed no better than we deserve. -George Bernard Shaw

Re:Votes simply don't matter...

[Mikkeles]

'I don't understand why people are so up and up about the voting system...'

Because letting a bad system become worse is not a good way to improve it.

Re:Votes simply don't matter...

[circletimessquare]

1) The vast majority of the public is too stupid to make any kind of sound decision about many issues

the people do not deserve to be told they are stupid. according to who? according to someone who is angry that the "smartest" agenda is not being implemented? on what basis is your agenda better and smarter? in china, they think as you do: the average man is too dumb to determine his own destiny. in other words, your thinking is the essence of anti-democratic fascism: "the common man can not think for himself, i must think for him". this is how every despot, dictator, and authoritarian system thinks: like you

2) Most candidates can only get anywhere by money

yes, and this is why we need to improve democracy, not make it even more flawed with internet voting

3) You can never get rid of or mitigate the influence of money on politics since corporations are what makes the world go round.

money is an influence. its not ALL the influence. unless you are a hopelessly negative cynic. in which case, butt out: us who are trying to make a positive difference don't need to be told our fight for what is good is hopeless. we know it isn't hopeless, and we also know you believe that out of a personality defect you have, rather than any better knowledge of reality. what you have is called "learned helplessness". it is a psychological flaw that defines a downward trajectory to YOUR life, not my life, and not our reality

4) Until their is something of a mass movement/revolt so that the power of corporations are reigned in, voting is irrelevant.

so you want a bloody revolution. after which, who knows who will be in power (no one controls a revolution). it could (it will) be a lot worse than the system we have now

how about we use the issue you and i care about: get money out of our government, to vote for **gasp** candidates who want money out of government? what an amazing fucking concept. as opposed to your mindless cynicism that believes in things WORSE than what we currently have

Re:Votes simply don't matter...

[wesgray]

I wish that I could have said it myself ! Thanks copponex for a truly "insightful" comment.

Re:Votes simply don't matter...

[mpe]

The fact that it is far easier for the average American to vote on the American Idol winner than our government shows that we have not applied our knowledge to the appropriate priorities.

Most likely it means that the "American Idol" voting system should be applied to electing politicians. If nothing else this method would appear less likely to create career politicians.

stunning ...

[Skal+Tura]

What stuns me is that they are basicly saying that nothing in internet is secure, and everything is hackable.

One way digests, strong cryptography, public key cryptography(SSL) etc etc etc.

Which would mean that US govt has, and these individuals know they have, means to hack any current cryptographic method available, and what is to be available within near term. Which sounds just pure bullshit.

Re:stunning ...

[BungaDunga]

No, that's not what they're saying. It's not about breaking RSA or whatever- strong cryptography is a requirement of, but not sufficient for, an unhackable voting system.

Re:stunning ...

[Rakishi]

It's called trojans and to a seller extent fake websites (you seriously think most people check for ssl?). It doesn't matter what the encryption in the middle is if someone controls the end point you're using.

The only secure approaches involve bypassing the whole internet part for authentication and verification. RSA tokens, one time password pads and so on only minimize the problem since a Trojan can still hijack your session. Pretty much need interactive tokens that generate verification hashes on a per transaction basis (ie: you enter the amount, etc.) to be remotely secure.

It doesn't generally matter mind you. Your house isn't secure either. Your wallet isn't secure. Paper elections aren't secure. Shit happens and it gets cleaned up later.

Electronic election is different because the value is likely much higher and the damage much worse than in any other case. It's also inherently harder to undo damage, there's no equivalent to checking your bank account and telling the bank something is up. People have nothing invested so they won't be on their guard. Likewise knowing that 10million people will use one website and one form of authentication on a given day can let you tailor your trojans so much better. In the long run, undermining the very foundation of our society would tend to do bad things in the long run.

Re:stunning ...

[Joce640k]

You know all those machines which are affected by things called "botnets" you see in the news...?

Basically there's millions and millions of people who aren't really in control of their home computers.

Strength of cryptographic algorithms would be irrelevant if the balance of power was decided by people visiting a web page using those computers.

not careing

[luther349]

doesn't matter how voters vote anyways. no matter who you vote for it will be the same idiots that are crashing are economy. oboma did some good things but also a ton of bad. and its not the system i lost faith in its people to dammed stupid to see how to really fix are issues and get these retards out of power.

Still better than paper

[metrix007]

Whenever these kinds of stories on the flaws in e-voting come up, most people inevitably advocating going to paper and that there is no advantage to e-voting. Bullshit!

It has been done sloppily as hell so far, but the technology we have allows for much greater convenience and accuracy than is posisble with paper. If we implement a system we trust, which is possible, then all those manhours wasted counting and recounting can be used on something useful, and there are many advantages, not least that it may encourage more people to vote if they can do it without all the hassle of registering and having to turn up and wait in line.

The Rivest bit reminded me of Annie Hall

[hey!]

In Annie Hall, Woody Allen is stuck in line behind an obnoxious guy pontificating about the work of media critic and scholar Marshall McLuhan

MAN: Now, Marshall McLuhan--

WOODY ALLEN: You don't know anything about Marshall McLuhan's work--

MAN: Really? Really? I happen to teach a class at Columbia called TV, Media and Culture, so I think that my insights into Mr. McLuhan, well, have a great deal of validity.

WOODY ALLEN: Oh, do you?

MAN: Yeah.

WOODY ALLEN: Oh, that's funny, because I happen to have Mr. McLuhan right here. Come over here for a second?

[Allen pulls McCluhan out from behind a group of bystanders]

MAN: Oh--

WOODY ALLEN: Tell him.

MARSHALL McLUHAN: -- I heard, I heard what you were saying. You, you know nothing of my work. How you ever got to teach a course in anything is totally amazing.

WOODY ALLEN: Boy, if life were only like this.

Evidently, sometimes it is.

Re:The Rivest bit reminded me of Annie Hall

[harmonise]

Here's the clip: http://www.youtube.com/watch?v=OpIYz8tfGjY

There's an even bigger problem: selling votes

[YA_Python_dev]

There's an even bigger problem: selling votes.

If I'm allowed to vote at home criminals can use threats and/or bribes to convince me to vote in their presence so they can be sure that I voted exactly how they wanted.

That's why vote must always be strictly secret and voters must always have plausible deniability about their choices. E.g. in most modern democracies voters are prohibited from taking photos inside the voting booth for exactly this reason: so anyone else cannot be sure of their votes, and threats and bribes to influence elections become much less effective.

Re:There's an even bigger problem: selling votes

[rufey]

Except for absentee voting, or voting my mail. Where I live (Utah), you can vote absentee by filling out a ballot at home (or abroad if you are not currently in the state) and mailing it in. Whats to prevent someone from paying you to vote a certain way, by having you fill out the ballet, giving it to them, and if you have followed their instructions, they pay you and they put the ballot in the envelope and mail it for you.

Further, in the county where I live, they are providing a "vote by mail permanently" type program, where you can vote by mail every time, even if you are in town on election day.

Re:There's an even bigger problem: selling votes

[makomk]

Whats to prevent someone from paying you to vote a certain way, by having you fill out the ballet, giving it to them, and if you have followed their instructions, they pay you and they put the ballot in the envelope and mail it for you.

Not a lot, which is why the availability of absentee ballots has often been strictly regulated and monitored. A few years ago, the UK tried an experiment in some areas in which all voting was by mail and there were no ballot boxes. There were some fairly impressive issues with fraud - people from the Labour party were going door-to-door, collecting people's blank ballots and filling them in.

Too bad you're clueless.

[copponex]

A democracy means there is a vote to either directly approve laws (direct democracy) or to elect representatives to do the same (representative democracy). Republic literally means ruled by the public, not by a monarch or a non-elected supreme rule. America is a representative democracy that limits government power with a constitution, but since that constitution can be changed by democratic action, you cannot say that it isn't a democracy. We could do away with the constitution in another constitutional convention and replace it with another if we so chose.

Just because you read Atlas Shrugged yesterday doesn't mean shit to anyone else. Crawl back over the Drudge Report, where you can eat up the talking points regurgitation with the rest of the libertarian zombies.

Re:Too bad you're clueless.

[DavidTC]

Technically, monarchies can be republics. Because monarchs can be elected. 'Monarch' just means 'one person is the state'.

Ancient Rome, for example, was an elective monarchy, and a Republic. It eventually devolved into unofficial hereditary monarchy, at roughly the same time it devolved into an official empire, although those were not, strictly speaking, related. Even the emergency powers of 'emperor' still allowed the Senate to vote for the next one...the heredity stuff happened because of the Senate's failures and cowardice, and a trick of leaders getting 'co-elected' with their chosen successor, so the Senate didn't get to vote for the next guy. The Senate still officially picked the leader of Rome until the end.

Granted, in modern times 'monarchy' usually means hereditary, and we use other words to describe other forms of monarchy.

Just because you read Atlas Shrugged yesterday doesn't mean shit to anyone else. Crawl back over the Drudge Report, where you can eat up the talking points regurgitation with the rest of the libertarian zombies.

Indeed. Anyone who thinks saying 'The US isn't a democracy' is a valid political point is probably some glibertarian fresh out of his government-sponsored education.

Auditing ATMs easy, auditing votes hard.

[EmperorOfCanada]

Also ATMs are regularly audited by most customers and banks. If they make any mistakes most people will catch them and complain. If the machines don't tally for the bank then they will look into it. But if your e-vote goes astray then good luck figuring that out.

A paper vote is physical with interested parties scrutinizing their every move. Short of hiring 10,000 tight-lipped magicians for an election it is nearly impossible to steal an election in a western democracy.

Plus if someone cheats and wins an election they now would then be best placed to prevent an investigation.

Re:Auditing ATMs easy, auditing votes hard.

[mpe]

A paper vote is physical with interested parties scrutinizing their every move. Short of hiring 10,000 tight-lipped magicians for an election it is nearly impossible to steal an election in a western democracy.

Whilst scrutineering of elections is common in Europe, Australasia and Canada this does not appear to be the case in the US.

You had me until "stooges"

[davide+marney]

I agree with practically everything you're saying. I am an Officer of Election (poll worker) in Fairfax City, Virginia, and a software architect by trade. A well-designed, well-executed PKI-based voting system running on hardened systems *would* be more reliable than what we have. In fact, it would be overkill.

People would be pleasantly surprised, I think, at how extensive our internal audit controls are. We monitor the count of voters using two separate systems. We call in the running totals every hour, where they are recorded in a third system. At the end of the day, the dozens or so poll workers all inspect the tallies and physically sign the print outs, and one copy gets sealed and sent to the court house.

What this means is that to successfully corrupt the vote, you'd have to corrupt all the poll workers, the registrar, and somehow keep people from reading the court's copies. It would not be easy.

Let me assure you we are not ANYONE'S "stooges" -- especially not the political parties, who we tend to dislike rather strongly because they can be such jerks at election time, which makes our jobs that much harder. We are 100% volunteer, usually retired.

What makes pure internet voting problematical is that we don't have nearly the same opportunity to do any of the human-based auditing that makes the system work. The computer systems we are using now are far less secure than what you are proposing, but we don't need them to be that tight. We need them to be auditable.

Re:You had me until "stooges"

[jd]

Apologies to those who are honest election officials - and hopefully that is the majority.

Yes, the system I proposed would be overkill, but to some extent I intended it that way. Because there are doubts over the safety and reliability of an electronic voting system, I wanted to come up with an idea that would be sufficiently stronger than the existing system that it would be hard for anyone to succumb to the very natural and normal fear of things that are very different. You absolutely know that every time there is any problem with a computer in an election system, it can and will be used against electronic voting in any shape or form (be it computers in the ballot booths or voting at home).

It follows that if you want people to have confidence, there needs to be a system that is sufficiently hardened that it can establish confidence. There are going to be many ways of building such a system far less secure than the one I outlined that is still better than the existing one and would still be good enough to inspire confidence rather than inspire cynical headlines.

My fear is that this is not the approach being used. Diebold was a case of cheap-and-easy over secure. Well, cheap for the company. That will damage confidence and, in turn, will delay any improvements to the system.

Re:You had me until "stooges"

[mrosgood]

A software architect would know about Ken Thompson's "Reflections on Trusting Trust" paper.

Re:You had me until "stooges"

[atamido]

You guys have it quite a bit more together than the folks at the elections I've seen. We have a big enough problem just trying to keep them from changing our information displays to whatever TV shows are on. I suspect that doing something dirty in the election other places may be significantly easier than where you are.

Re:You had me until "stooges"

[DavidTC]

Oh, they'll assert that even computers can't fake signing.

When, of course, they could indeed trivially sign a vote different than the one you actually tried to cast, and yet present you the other one.

Of course, all this is made pointless by the fact that anyone with access to the computers in the voter registration office could just add a bunch of voters, and thus get a bunch of valid votes in advance. The poster mentioned 'election officials being supplied with hashes of votes as they're cast', which was presumably a way to try to avoid this, but that's nonsense. For one thing, now you've networked the damn computers together (So they be 'supplied' with this information), making any attacks easier, and for another that's just another database to put more records in, it doesn't actually solve anything at all. If you can add the votes, you can add the damn records that shows the hashes being displayed.

That's really all this 'signing' accomplishes...it spreads the voting, and the security, thinner and thinner:

Under his system, you'll go and get the ability to cast valid ballots at the voter registration office. (Instead of the poll, where they physically won't let you near the box unless you've proved it there.) So it's okay if there's an invisible box that votes end up in that anyone can tamper with, because only valid votes can be counted, and deleted votes get noticed.

This doesn't make things more secure, it makes them less.

Re:You had me until "stooges"

[jd]

You've made claims but not offered any reason for them.

How, precisely, do you propose to attack an IPSec connection to an A1-rated computer? (Remember, these things are mathematically demonstrably secure.)

How, precisely, do you propose that anyone with access to the computer could add false votes to an A1-rated computer?

There is no "signing" in the system in the way you seem to believe.

Networking the computers is the ONLY way to ensure security, as it is the ONLY way to ensure that what is stored after the election in the counting computer is what SHOULD be stored after the election in the counting computer.

No, you will not be able to cast votes at the voter registration office. You would cast votes at the polling station and have the same strict physical requirements as always, BUT there will be the additional verification that what is in the system matches up 1:1 with the population that voted.

No, nobody can tamper with it, that's why I've stipulated so much bloody security. Machines that are input-only (where the voter registration office adds users) have mandatory access control, as do the voting machines themselves (by definition, since that is part of what A1 means). The counting system is essentially output only from the users perspective and therefore has no user account to crack. Input over the network would be via IPSec-utilized certificates with both client and server validating each other. Since the server has a pre-programmed list of acceptable voting machines, additional machines cannot be added in.

Since I stipulated that the code and mathematical proof of the code were to be circulated, the machine cannot alter the vote. If it could, this would be known well in advance, since it's trivial to compare the proof with the code to see if they differ, and trivial to inspect a proof to see if the code could do that.

Re:You had me until "stooges"

[DavidTC]

f it could, this would be known well in advance, since it's trivial to compare the proof with the code to see if they differ, and trivial to inspect a proof to see if the code could do that.

Really? You can somehow walk up to a computer and know the code on it is the same code that other people inspected?

That is...implausible to say the least.

This is because, of course, security certifications don't protect against the people installing the software. At all. Not a single one of them is even slightly designed to let users verify things administrators have done.

Seriously, you sound so knowledgeable, but somehow you think there's a way to walk up and verify that computers have had the software installed on them that you think they've had installed on them, and nothing else. That is so cute.

No, nobody can tamper with it, that's why I've stipulated so much bloody security. Machines that are input-only (where the voter registration office adds users) have mandatory access control, as do the voting machines themselves (by definition, since that is part of what A1 means). The counting system is essentially output only from the users perspective and therefore has no user account to crack. Input over the network would be via IPSec-utilized certificates with both client and server validating each other. Since the server has a pre-programmed list of acceptable voting machines, additional machines cannot be added in.

And, of course, nowhere in the list is there any way, nor can there be any way, to stop someone from sitting down at one of the machines and using a dozen of public keys to vote. (Which, as I pointed out, anyone working in a vote registration office can get.)

Because that is not, in any sense, 'tampering' with the machine.

Now, you'll probably assert they'd have to each vote individually, limiting their effect to a couple of dozen votes before they'd obviously be caught, because of the magical software you're sure will be there.

I will point out that, in no circumstances, would any TCSEC requirement restrict doing thousands of perfectly valid inputs in a few seconds, although obviously that could be an additional requirement of the system. TCSEC systems verify input. Ten thousand votes with public keys attached are correct input.

I will also point out that A1 security ranking is, um, impossible without physical security...and they get tested after being installed. You can't stick a computer in a box, pull it out six months later, and claim it's A1 security, unless you had someone watching the box at all times.

And note you've added at least two other computers to each polling site. And each voting computer needs some way to read the public key, so you've added a barcode reader, at least, to them.

To actually install A1-level security computers, you would spend millions of dollars per site.

Which makes the whole thing rather idiotic to start with, as we could never afford it, on top of the problem that A1 security is not designed to protect against a) programmer/administrative tampering (Which is what we're fucking talking about when we talk about tampering...we're not assuming voters figure it out.), and b) there's a rather obvious hole in the system of assigning public keys, so people can have entirely, utterly, completely 'valid' inputs that rig an election.

Here are the three specific security issues I've pointed out, that do not exist under paper voting. Please explain how your system catches them:

a) The person who loads the software onto a machine alters it before doing so.
b) Someone in the voter registration office adds extra voters to the roles, and takes their public keys, and they and others vote multiple times when they enter the booth. (This actually is fixable.) c) b, but with one poll worker also helping them. Perhaps by, when setting up the computers, they simply set one up in another room, so someone can

Rivest invented public-key cryptography?

[Aardpig]

Pull the other one. And look up Clifford Cocks.

That's the biggest problem you can think of...?

[Joce640k]

What about all those "botnets" you see in the news?

Strength of cryptographic algorithms, etc., is completely irrelevant when people vote by visiting a web page using their home PC.

Re:one way

[DavidTC]

Why would you need to do that? The tabulator is probably being watched carefully.

No, just add a few thousand people to the voter rolls, generate entirely valid votes for them, and put them in there from the outside, like they're entirely normal votes.

who cares

[bussdriver]

Who cares if they get his credentials wrong-- its AMAZING they even remembered what the expert told them at all! Even then, they still attempted to do it when so many experts say its not feasible given the current requirements.