Internet Voting Hack Alters PDF Ballots In Transmission

← Back to Stories (view on slashdot.org)

Internet Voting Hack Alters PDF Ballots In Transmission

Posted by timothy on Thursday November 13, 2014 @08:34AM from the don't-let-the-nice-man-borrow-your-router dept.

msm1267 (2804139) writes Threats to the integrity of Internet voting have been a major factor in keeping the practice to a bare minimum in the United States. On the heels of the recent midterm elections, researchers at Galois, a computer science research and development firm in Portland, Ore., sent another reminder to decision makers and voters that things still aren't where they should be. Researchers Daniel M. Zimmerman and Joseph R. Kiniry published a paper called 'Modifying an Off-the-Shelf Wireless Router for PDF Ballot Tampering' that explains an attack against common home routers that would allow a hacker to intercept a PDF ballot and use another technique to modify a ballot before sending it along to an election authority. The attack relies on a hacker first replacing the embedded Linux firmware running on a home router. Once a hacker is able to sit in the traffic stream, they will be able to intercept a ballot in traffic and modify code strings representing votes and candidates within the PDF to change the submitted votes.

148 comments

Min score:

Reason:

Sort:

Pedantic by Anonymous Coward · 2014-11-13 08:36 · Score: 0, Troll

Clearly, this would never happen outside of an academic setting. Who would bother?
1. Re:Pedantic by Bob_Who · 2014-11-13 08:42 · Score: 3, Insightful
  
  Clearly, this would never happen outside of an academic setting. Who would bother?
  Does it matter, who?
2. Re:Pedantic by bhcompy · 2014-11-13 08:42 · Score: 1
  
  Obama, duh
3. Re:Pedantic by Anonymous Coward · 2014-11-13 09:07 · Score: 0
  
  Does it matter, who?
  It does;
  Every true slashdotter who has any involvement in election software should make sure that Mr Spock gets at least 120% of the vote (compared to potential electorate). We gotta find every single one who has the opportunity and isn't doing that. Wanna be safe? Make sure Spock gets the ticket. We need some logical politicians at last. Don't do that, we need a list of who you are posted up here on Slashdot to shame. Handing in your geek cards will be by far the least paninful bit of it.
4. Re:Pedantic by Anonymous Coward · 2014-11-13 09:10 · Score: 0
  
  N.B. pnain is much much worse than mere pain. Watch out.
  CAPTCHA: "extreme" - Slashcode is watching you. We know where you live.
5. Re:Pedantic by ShanghaiBill · 2014-11-13 09:23 · Score: 4, Insightful
  
  Clearly, this would never happen outside of an academic setting. Who would bother?
  Does it matter, who?
  The outcome of elections are worth billions to vested interest groups. $4 billion was donated to candidates and PACs in the months preceding the election on November 4th. Many, many, people would "bother".
6. Re:Pedantic by wonkey_monkey · 2014-11-13 10:01 · Score: 1
  
  Whoever it is - if there is anyone - they'll be relying on people having exactly that attitude to get away with it.
  
  --
  systemd is Roko's Basilisk.
7. Re:Pedantic by Anonymous Coward · 2014-11-13 10:22 · Score: 0
  
  You are actually making the opposite point. It it far more cost effective to spend millions on advertising than on obscure computer hacking techniques especially given the likelihood of discovery.
8. Re:Pedantic by FatdogHaiku · 2014-11-13 11:08 · Score: 1
  
  Why, you want to cause Leonard Nimoy to off himself or what?
  
  --
  You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
9. Re:Pedantic by LinuxIsGarbage · 2014-11-13 12:12 · Score: 1
  
  Why, you want to cause Leonard Nimoy to off himself or what?
  Don't worry, Sheldon still has Leonard Nimoy's DNA on a napkin Penny gave him. He can always clone more.
10. Re:Pedantic by I'm+New+Around+Here · 2014-11-13 12:52 · Score: 1
  
  He just needs a healthy ovum.
  
  --
  If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
11. Re:Pedantic by Anonymous Coward · 2014-11-14 02:36 · Score: 0
  
  Clearly, this would never happen outside of an academic setting. Who would bother?
  Does it matter, who?
  The outcome of elections are worth billions to vested interest groups. $4 billion was donated to candidates and PACs in the months preceding the election on November 4th. Many, many, people would "bother".
  The point of the question "Does it matter who?" is to point out that the outcomes of elections are worth billions to vested interest groups, and that $4 billion was donated to candidates and PACs in the months preceding the election.
  So from here, it looks as if you think you disagree with someone with whom you actually agree.
12. Re:Pedantic by MiSaunaSnob · 2014-11-14 07:17 · Score: 1
  
  I actually think this is a really good idea, instead of letting one of the parties, or someone else with a vested interest get there guy elected, elected a fictitious person. It would really open up everyone's eyes on how serious the security issues with voting are.
13. Re:Pedantic by Bob_Who · 2014-11-24 17:21 · Score: 1
  
  Clearly, this would never happen outside of an academic setting. Who would bother?
  Does it matter, who?
  The outcome of elections are worth billions to vested interest groups. $4 billion was donated to candidates and PACs in the months preceding the election on November 4th. Many, many, people would "bother".
  The point of the question "Does it matter who?" is to point out that the outcomes of elections are worth billions to vested interest groups, and that $4 billion was donated to candidates and PACs in the months preceding the election.
  So from here, it looks as if you think you disagree with someone with whom you actually agree.
  Mod Parent Up !
Umm, encryption? by thebes · 2014-11-13 08:39 · Score: 2, Informative

Why isn't that referenced? E2E encryption eliminates this, assuming the user is not an idiot.
1. Re:Umm, encryption? by Anonymous Coward · 2014-11-13 08:44 · Score: 1
  
  That's the problem, the users ARE idiots (technically). The most powerful voting block in the country can't tell a PC from a microwave.
2. Re:Umm, encryption? by Anonymous Coward · 2014-11-13 08:45 · Score: 1
  
  assuming the user is not an idiot.
  Well see, there's your problem.
3. Re:Umm, encryption? by mlts · 2014-11-13 08:47 · Score: 2
  
  I might be wrong, but the last time I checked, the forms feature in Acrobat would allow the stuff in the PDF to be submitted via SSL. It didn't submit the PDF as a file... just the stuff in the forms.
4. Re:Umm, encryption? by fustakrakich · 2014-11-13 08:52 · Score: 5, Funny
  
  Well, both do run at 2.4GHz, at least in my house... They have a clock, and they beep when they're finished. And the computer keeps my coffee warm. Is there really that much difference?
  
  --
  “He’s not deformed, he’s just drunk!”
5. Re:Umm, encryption? by sunderland56 · 2014-11-13 08:55 · Score: 2
  
  Maybe you missed the story from tuesday where ISPs can and do turn off the encryption for you?
  Plus, if you've replaced the router's firmware, it can make it *appear* as if you have e2e when you do not.
6. Re:Umm, encryption? by DanielHenneberger · 2014-11-13 09:06 · Score: 2
  
  ISPs can't just turn off all encryption. They can only denial of service connections to downgrade encryption for services that offer it.
7. Re:Umm, encryption? by Anonymous Coward · 2014-11-13 09:13 · Score: 0
  
  Maybe you missed the story from tuesday where ISPs can and do turn off the encryption for you?
  That's a misinterpretation of Tuesday's story, which refers to the optional omission of transport layer encryption (basically, routers did us the 'favor' of encrypting data without being asked, and some ISP's are simply disabling that feature of their routers). End-to-end encryption is not affected by this in the least.
8. Re: Umm, encryption? by Anonymous Coward · 2014-11-13 09:28 · Score: 2, Funny
  
  One has a cup holder
9. Re:Umm, encryption? by DaHat · 2014-11-13 11:37 · Score: 1
  
  They can easily man in the middle it.
  Remember that ISP crapware they installed on your parents PC in order to connect them... did they or you make sure there wasn't a rouge CA in there?
  
  --
  Help Brendan pay off his student loans
10. Re:Umm, encryption? by blueg3 · 2014-11-13 12:36 · Score: 1
  
  No and no. There are other problems with end-to-end encryption, but you have not identified any of them.
11. Re: Umm, encryption? by I'm+New+Around+Here · 2014-11-13 12:56 · Score: 1
  
  Hey, how did you know my pc came with that option?
  Are you the NSA? Spying on me or something?
  
  --
  If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
12. Re:Umm, encryption? by gstoddart · 2014-11-14 05:16 · Score: 1
  
  there wasn't a rouge CA in there?
  Not sure about the rouge, but there could have been some guy-liner.
  Perhaps you meant rogue?
  
  --
  Lost at C:>. Found at C.
13. Re: Umm, encryption? by cwsumner · 2014-11-14 10:21 · Score: 1
  
  One has a cup holder
  Um... not any more. At least, some new PC's don't.
  But the Microwave doesn't have a "computer" (i.e.monitor and keyboard) connected to it.
  They do both look sort of like a "Harddrive", though. (As some businesses use the word...)
14. Re:Umm, encryption? by cwsumner · 2014-11-14 10:25 · Score: 1
  
  assuming the user is not an idiot.
  Well see, there's your problem.
  Don't assume the user is an idiot.
  If you worked a day at their job, you would probably appear just as much an idiot, as they do talking about your job.
  Besides, if they were really idiots, it would cause less problems!
ssh / scp / https maybe? by roman_mir · 2014-11-13 08:42 · Score: 2

so how about not running an http server but instead using an https connection? Here, solved this one for you.

--
You can't handle the truth.
1. Re:ssh / scp / https maybe? by Shakrai · 2014-11-13 08:49 · Score: 4, Insightful
  
  Snide answer: How about getting off your ass and actually going to the polling place to vote?
  More contemplative answer: How do you actually prove the person behind the keyboard is the registered voter in question, even if your system is totally secure from threats in transit? How do you prove they're not being unduly influenced, perhaps by an employer or other person with a financial sword to hold over their head? This can be precluded in the polling place with a secret ballot; it can not be prevented if people are voting via computer or absentee. (*)
  (*) Obviously allowances need to be made for people who are disabled or otherwise unable to make it to the polls, but I fail to see why an otherwise able bodied adult should regard a trip to the polling place as onerous.
  
  --
  I want peace on earth and goodwill toward man.
  We are the United States Government! We don't do that sort of thing.
2. Re:ssh / scp / https maybe? by DoofusOfDeath · 2014-11-13 08:59 · Score: 1
  
  Snide answer: How about getting off your ass and actually going to the polling place to vote?
  How do you know the person at the polling place is actually legally allowed to vote?
3. Re:ssh / scp / https maybe? by CRCulver · 2014-11-13 09:07 · Score: 1
  
  Snide answer: How about getting off your ass and actually going to the polling place to vote?
  
  We are in the 21st century. I work from home (or from wherever country I care to travel to and work from there). I can order online virtually any good I need delivered, even food. My finances have also mainly moved online and very rarely would I need to visit a bank branch. Special-interest clubs are dying across the West, as nowadays people often go online to community with people that share their hobbies.
  When all the rest of human activity is moving to virtual spaces, why should the practice of representative government not do the same? Granted, secure online voting is a hard problem, and as long as security is not taken seriously, then it's best to avoid such platforms. But I see no reason why voting must forver remain an exception to the general tendency of location-independent life. Postal voting has already been a thing in many countries for decades now.
4. Re:ssh / scp / https maybe? by DaHat · 2014-11-13 09:08 · Score: 1
  
  but I fail to see why an otherwise able bodied adult should regard a trip to the polling place as onerous.
  But... but... but... your toilet might overflow!
  
  --
  Help Brendan pay off his student loans
5. Re:ssh / scp / https maybe? by Anonymous Coward · 2014-11-13 09:08 · Score: 0
  
  Because democrats think any work or requirement to vote is too much or too hard. In fact they will implement a new program where everyone that does not vote will be put down as a full democrat ticket because they obviously there was some evil circumstance put in place by evil rich people to prevent those from voting all democrat. Democrat officials have also indicated they will add a few extra votes to their side because even though illegals aren't eligible to vote, they should be represented.
  Proof of Identity? Too onerous
  Required to Physically present? Too onerous
  Required to be alive? Too onerous
  Required to be a citizen? Too onerous
6. Re:ssh / scp / https maybe? by myth24601 · 2014-11-13 09:09 · Score: 1
  
  Snide answer: How about getting off your ass and actually going to the polling place to vote?
  How do you know the person at the polling place is actually legally allowed to vote?
  We could implement some sort of credentialing system.
  
  --
  No matter where you go, there you are.
7. Re:ssh / scp / https maybe? by DoofusOfDeath · 2014-11-13 09:10 · Score: 1
  
  Snide answer: How about getting off your ass and actually going to the polling place to vote?
  How do you know the person at the polling place is actually legally allowed to vote?
  We could implement some sort of credentialing system.
  I don't think Democrats would allow that. It's apparently racist.
8. Re:ssh / scp / https maybe? by roman_mir · 2014-11-13 09:12 · Score: 1
  
  I was under impression we are talking about a technical problem here, however if you want to take it to the next level of /. conversation, Ok, let's do that. My answer: most people shouldn't be voting anyway, a vote of one informed intelligent person is cancelled by thousands of uninformed idiots, so what's the difference? AFAIC democracy killed the Republic, the only correct answer is stop playing the game and remove the government judiciously.
  
  --
  You can't handle the truth.
9. Re:ssh / scp / https maybe? by Anonymous Coward · 2014-11-13 09:20 · Score: 0
  
  No one but the Republicans who want to win elections despite their toxic policies is for disenfranchising the poor with ID requirements. it addresses a problem that only exists in the minds of ignorant conservatives. We can't let the least intelligent people take the lead like the Republicans do with their reverse meritocracy.
10. Re:ssh / scp / https maybe? by Anonymous Coward · 2014-11-13 09:28 · Score: 1
  
  Really freaking simple reason: Ability to sell, coerce or otherwise influence a vote.
  Physical presence at a polling location makes it impossible to do these things, at least on a large enough scale to change an election. No one knows your vote so you can't sell it and no one can "check" to make sure you voted a certain way.
  Pure online voting could / would lead to massive fraud, "voting parties" where peer pressure will rule, and otherwise socialize voting. It is one thing to tell someone who you voted for and an entirely different thing to be able to prove it. Just the ABILITY to provide proof will cause problems. Imagine a fraternity, church or other strong social institution. Do you think you are strong enough to say in the group when they question your loyalty and demand proof of who you voted for. Will you give up your status/membership in that group to preserve your voting integrity? Most won't be strong enough.
11. Re:ssh / scp / https maybe? by mythosaz · 2014-11-13 09:37 · Score: 1
  
  The problem is solved on all sides by announcing ID restrictions that go into effect at the next major election, and providing state ID services at this one.
  I mean, if you wanted to solve the problem, and not just keep poor voters from the polls.
12. Re:ssh / scp / https maybe? by Obfuscant · 2014-11-13 09:51 · Score: 1
  
  When all the rest of human activity is moving to virtual spaces, why should the practice of representative government not do the same?
  
  You can have all the virtual-space representative government you want, just as long as it doesn't intrude on the meat-space real government we all have to live with.
  
  But I see no reason why voting must forver remain an exception to the general tendency of location-independent life.
  If you care so little about a place that you cannot bother to live there, why should you be allowed to vote there? Voting on location-dependent laws has been and should be done by location-dependent people who are subject to them. I think there was a war or something about one group of people who thought the proper location for voting on laws wasn't the place where the laws were being applied, wasn't there? Something about tea, IIRC
13. Re:ssh / scp / https maybe? by riverat1 · 2014-11-13 10:03 · Score: 1
  
  We could implement some sort of credentialing system.
  You mean like registering to vote?
14. Re:ssh / scp / https maybe? by riverat1 · 2014-11-13 10:06 · Score: 1
  
  Why not instead just vet a persons right to vote when they register to vote? Why should you need anything other than your registration card on election day?
15. Re:ssh / scp / https maybe? by hamburger+lady · 2014-11-13 10:19 · Score: 1
  
  uh, their name is on the voter rolls at the polling place?
  you make it sound like voter fraud is an actual thing.
  
  --
  
  ---
  Is this the MPAA? Is this the RIAA? Is this the DMCA? I thought it was the USA!
16. Re:ssh / scp / https maybe? by CRCulver · 2014-11-13 10:20 · Score: 1
  
  You can have all the virtual-space representative government you want, just as long as it doesn't intrude on the meat-space real government we all have to live with.
  
  One's relationship with "meat-space real government" has already been carried out through the post, or increasingly online, for a long time now, from filing and payment of taxes to various license applications. People who want to bring something to their local representatives's attention typically send a letter or e-mail or make a phone call, they don't drive down to his office. Again, I don't see why voting can't proceed that way, especially when voting by post is so accepted.
  
  Voting on location-dependent laws has been and should be done by location-dependent people who are subject to them.
  
  US citizens abroad, or voters registered to vote in one state but currently in another state, have been able to vote by post since time immemorial.
17. Re:ssh / scp / https maybe? by DoofusOfDeath · 2014-11-13 10:21 · Score: 1
  
  uh, their name is on the voter rolls at the polling place?
  you make it sound like voter fraud is an actual thing.
  You make it sound like it's not.
18. Re:ssh / scp / https maybe? by garote · 2014-11-13 10:33 · Score: 1
  
  Really freaking simple reason: Ability to sell, coerce or otherwise influence a vote.
  Physical presence at a polling location makes it impossible to do these things, at least on a large enough scale to change an election. No one knows your vote so you can't sell it and no one can "check" to make sure you voted a certain way.
  1. It is possible to design an electronic system where no one but you knows your vote. That is, where no one but you can uniquely verify that a given vote is yours, and that it is set the way you chose.
  2. The ability to sell, coerce, or otherwise influence a vote is a complex problem, and could just as well be _decreased_ by electronic voting. In general, for every abuse you dream up on the electronic side, there is an equivalent abuse on the physical side. For example, nefarious vote organizers can close polling stations in areas they don't like - or, they can attempt to disrupt internet services to those areas. Want to make the system better? How about offering both?
  
  Pure online voting could / would lead to massive fraud,
  Care to provide a reference? Here are some working models you can investigate.
  
  "voting parties" where peer pressure will rule, and otherwise socialize voting.
  Have you ever been to a church in Texas?
  
  It is one thing to tell someone who you voted for and an entirely different thing to be able to prove it. Just the ABILITY to provide proof will cause problems. Imagine a fraternity, church or other strong social institution. Do you think you are strong enough to say in the group when they question your loyalty and demand proof of who you voted for. Will you give up your status/membership in that group to preserve your voting integrity? Most won't be strong enough.
  You're pretty far behind the times if you think these are new problems - for paper OR electronic voting.
19. Re:ssh / scp / https maybe? by Anonymous Coward · 2014-11-13 11:07 · Score: 0
  
  I am not sure what you are saying regarding he vote? I am talking about video taping, taking screen captures, or voting in front of people to prove you voted a certain way. A physical polling station prevents this by ensuring a) the voter is not documenting the vote and b) no one else is documenting the vote. Neither a) nor b) can be guaranteed with online voting. It is extremely hard to provide PROOF to someone you voted a certain way in a physical voting situation. It is easy to SAY you voted a certain way, but that doesn't have to be true.
  All these things you are talking about are meant to *influence* the vote but then when you return to church, the frat, or to family you can SAY you voted "with them" but in reality you did not. This is NOT the case with online voting, where your family, friends, and social groups can demand that you take video evidence of your vote if you wish to remain a part of the social circle. You are missing the point, which is the PROOF.
  A Texas church can influence people all it wants - but those people should be able to go into a polling location, vote against the churches wishes, and have no repercussions. With online voting the church can get everyone together at the church and watch them vote. You could refuse to attend the "voting party" but that would mark you as a potential outcast - someone who doesn't belong.
20. Re:ssh / scp / https maybe? by DaHat · 2014-11-13 11:40 · Score: 1
  
  How many polling places do you know that ask for a registration card on election day?
  More so, unfortunately plenty of people are accidently registered to vote (as one example): http://jacksonville.com/news/f...
  
  --
  Help Brendan pay off his student loans
21. Re:ssh / scp / https maybe? by riverat1 · 2014-11-13 12:00 · Score: 1
  
  That's a problem with the registration process. Maybe we need to improve that.
22. Re:ssh / scp / https maybe? by mythosaz · 2014-11-13 12:16 · Score: 1
  
  It's sort of like asking why I need something other than your credit card to make purchases. It's no problem for small purchases, but voting for our elected officials is (or should be) a big deal.
  There's no problem with making sure that people don't fraudulently vote. I don't think that voter fraud is a big problem, mind you, and I think "voter fraud' are just scare words mostly used to drive republican voters out to the polls to make sure their voice isn't drowned out by all the terrible "fraud" being perpetuated by the evil, evil, democrats and their zombie army of illegal aliens.
  Presenting a valid state or federally recognized ID when voting should be the only thing you need. Compare to list of registered voters (or those automatically registered by having current valid ID) and done. But if you're going to do that, put simple services in to allow people to get or update their IDs.
23. Re:ssh / scp / https maybe? by Immerman · 2014-11-13 12:20 · Score: 1
  
  Yes, let's solve the problem. First we should probably look at the evidence of the problem to ensure we're actually solving it: so where is it again? It's not like this is an issue of electronic voting machines secretly switching your vote with no papaer trail for confirmation. Every polling place I've ever gone to has some sort of voting roster to ensure that you don't spend all day voting at different places, so if there's voter fraud going on there's going to be a paper trail. And yet, aside from a few corrupt-to-the-core districts (Chicago springs to mind), there's precious little evidence of a problem. And where there is a problem it could mostly be easily fixed by not letting dead people vote - except of course for the fact that most of those dead people voted for the people in power, so there's precious little political will to "disenfranchise" them.
  
  --
  --- Most topics have many sides worth arguing, allow me to take one opposite you.
24. Re:ssh / scp / https maybe? by Immerman · 2014-11-13 12:23 · Score: 1
  
  Give me a single solid example - voter validation leaves a paper trail, so the evidence should be easy to come by. And yet the only evidence seems to be in areas that let the dead vote - a avenue of fraud that could easily be fixed by cross-referencing the voter registry with the orbituaries, if only the dead didn't so consistently vote for the people making the rules.
  
  --
  --- Most topics have many sides worth arguing, allow me to take one opposite you.
25. Re:ssh / scp / https maybe? by Obfuscant · 2014-11-13 12:42 · Score: 1
  
  US citizens abroad, or voters registered to vote in one state but currently in another state,
  Neither are an example of location-independent people, especially not the latter. "Currently" is a dead giveaway.
26. Re:ssh / scp / https maybe? by CRCulver · 2014-11-13 12:52 · Score: 1
  
  Neither are an example of location-independent people
  
  You think that having US citizenship makes one somehow bound to the US? Not only are there people who have left the US for good but still vote (often so that they can try to make the US more like the country they currently enjoy living in). but there are also many thousands of people who hold US citizenship but have never lived a day in their life in the US. And with regard to out of state voting, it's entirely possible to be registered to vote in one state, and then spend the rest of one's life in another state.
27. Re:ssh / scp / https maybe? by DaHat · 2014-11-13 13:12 · Score: 1
  
  Why not an all of the above solution?
  Validate that the person registering is who they say they are and eligible to vote... and again at the polling place to ensure that someone isn't trying to vote in the name of another?
  
  --
  Help Brendan pay off his student loans
28. Re:ssh / scp / https maybe? by Obfuscant · 2014-11-13 13:26 · Score: 1
  
  You think that having US citizenship makes one somehow bound to the US?
  Where did I say that?
  
  Not only are there people who have left the US for good but still vote (often so that they can try to make the US more like the country they currently enjoy living in).
  And you can explain why they should have any say in any election in a country they've chosen not to live in? I don't particularly care about those who think they should change where I live to be more like where they live.
  
  And with regard to out of state voting, it's entirely possible to be registered to vote in one state, and then spend the rest of one's life in another state.
  Not legally. It's hard to claim residency in one state when you don't live there anymore.
29. Re:ssh / scp / https maybe? by DaHat · 2014-11-13 13:31 · Score: 1
  
  Give me a single solid example - voter validation leaves a paper trail, so the evidence should be easy to come by.
  Utter BS!
  What paper trail? You walk in, say you are Joe Blow, live at a given street, make your mark and you get a ballot... the only way you know that this was done fraudulently is if the real Joe Blow comes in later to vote and told that he already did... which mathematically wouldn't always happen depending on how well a fraudulent voter picked their targets.
  Want cases of people who were told they already voted? Here are a couple:
  http://www.nbc12.com/story/199...
  http://www.examiner.com/articl...
  And even from Scotland: http://www.itv.com/news/update...
  At the end of the day, so long as you keep your mouth shut (unlike this woman: https://www.youtube.com/watch?... ) you probably aren't going to get caught: http://www.wcpo.com/news/local... as you don't exactly see many cameras in polling stations synced up to when given names are scratches off as having voted.
  This all assumes it's hard to get someone else's ballot, (spoiler: it isn't): https://www.youtube.com/watch?...
  
  --
  Help Brendan pay off his student loans
30. Re:ssh / scp / https maybe? by Immerman · 2014-11-13 13:34 · Score: 1
  
  1)Possible, but difficult - any system which lets you verify your vote also makes it possible for you to provide that verification to a third party. Which probably means the sytem also has to allow you to produce airtight false verification. You still have the problem though that someone, somewhere needs to be able to discard the false votes to get the final tally - and the system breaks down if they are comprmised.
  2) Your examples are all of disenfranchisement - which is a problem, but one independent of voter coercion. Conflating such wildly different problems doesn't help the discussion. I agree with your basic argument though - any ability to decisively *prove* how you voted opens the door to massive abuse.
  One possible solution: allow people to change their votes retroactively and/or secretly "lock in" a vote ahead of time - they can then provide "proof" or "vote" at a last-minute voting party, while casting their real ballot in secret. Of course either option opens the door to new kinds of voter fraud, as well as new avenues for vote monitoring, which would have to be addressed.
  
  --
  --- Most topics have many sides worth arguing, allow me to take one opposite you.
31. Re:ssh / scp / https maybe? by Shakrai · 2014-11-13 13:39 · Score: 1
  
  You think that having US citizenship makes one somehow bound to the US?
  Yes, it does.
  
  And with regard to out of state voting, it's entirely possible to be registered to vote in one state, and then spend the rest of one's life in another state.
  Possible but not legal; one is required to vote in the state they're resident in. Residency is defined differently in each of the 50 States you're generally required to actually maintain a residence there (i.e., own or rent some piece of property) and may further be required to spend a plurality or even a majority of your time at that residence.
  
  --
  I want peace on earth and goodwill toward man.
  We are the United States Government! We don't do that sort of thing.
32. Re:ssh / scp / https maybe? by CRCulver · 2014-11-13 13:43 · Score: 1
  
  And you can explain why they should have any say in any election in a country they've chosen not to live in? I don't particularly care about those who think they should change where I live to be more like where they live.
  
  I don't really feel the need to explain why. It's simply how things are and have been since well before I was born. It's you who is arguing for a change to a very old tradition in America (and many other developed nations) of absentee voting.
  "If you care so little about a place that you cannot bother to live there, why should you be allowed to vote there?" Really, you remind me of those tiresome Slashbots in the early millennium who read a little too much Heinlein and urged a requirement of military service before one could have voting rights. They were so out of touch with reality they thought such a demand should be taken seriously.
  
  Not legally. It's hard to claim residency in one state when you don't live there anymore.
  
  Some states have very lax requirements for maintaining residence and voting rights there.
33. Re:ssh / scp / https maybe? by Shakrai · 2014-11-13 13:45 · Score: 1
  
  I was under impression we are talking about a technical problem here
  You can't solve the problem of voter intimidation under any system that allows for off-site voting. It doesn't matter if the vote is conducted via paper or electronic means. I can shoulder surf while holding the proverbial gun to your head in order to ensure that you vote as I wish. The only way to preclude intimidation is to require an in-person secret ballot with rules that preclude others from going into the voting booth with you.
  I can accept the need for absentee ballots for those people who are physically disabled or whom can document that they will be out of town on election day but that's as far as I'm willing to go. Everybody else should get down to the polls and vote in person. People died to secure that right for us but we're going to complain that it's burdensome to make an annual the trip to the polls? Seriously?
  
  --
  I want peace on earth and goodwill toward man.
  We are the United States Government! We don't do that sort of thing.
34. Re:ssh / scp / https maybe? by Immerman · 2014-11-13 13:45 · Score: 1
  
  >It is extremely hard to provide PROOF to someone you voted a certain way in a physical voting situation
  Back when a video camera was the size of a loaf of bread that may have been true, but I've never even been asked to leave my phone outside the voting both - which means I could easily have filmed the final ballot sheet and my submission of it. The only way to avoid making such proof possible is to strip-search incoming voters. Which I don't see going over well, nor being terribly effective as miniaturization makes it ever easier to hide a camera.
  
  --
  --- Most topics have many sides worth arguing, allow me to take one opposite you.
35. Re:ssh / scp / https maybe? by CRCulver · 2014-11-13 13:50 · Score: 1
  
  I am aware that US citizens abroad can be subject to US taxes, and states may demand ownership of property for one to legally maintain voting rights there. However, I'm not sure that simply filing income taxes and keeping a property around would satisfy Obfuscant's demand that one be able to vote in a place only if one is subject to the overall laws there. The US simply has too old a tradition of people who have permanently left, and whose sole encounter with US authorities is income tax filing (on which most don't even pay anything anyway), but who still vote in US elections.
36. Re:ssh / scp / https maybe? by Immerman · 2014-11-13 13:50 · Score: 1
  
  Every place I've ever voted required a valid state ID matched against the voter roster in order to gain access to the polling booth. Proof of identity. The problem is when additional proof such as a voter ID card is required - as the process of acquiring said proof is typically compromised in short order.
  
  --
  --- Most topics have many sides worth arguing, allow me to take one opposite you.
37. Re:ssh / scp / https maybe? by Shakrai · 2014-11-13 13:56 · Score: 2
  
  Give me a single solid example - voter validation leaves a paper trail
  I worked elections for eight years in the State of New York. All we had to go on was your signature and address. The process in NYS goes like this:
  Me: What's your name?
  You: I'm Mr. Immerman.
  Me: *Flipping through poll book, finds you* What's your address Mr. Immerman? (many poll workers omit the address verification, but we are supposed to ask, and I always followed procedure)
  You: 123 Main St.
  Me: Sounds good, sign here please.
  In theory I can challenge you if the signature doesn't match what I have in the book but in reality we're not handwriting experts and such challenges were never made. Heck, even if I was a handwriting expert I wouldn't issue such a challenge; signatures change over time and the one in the poll book is from your original registration card and may be decades old. The only way I would catch you trying to cast a ballot under another name would if the voter you were trying to impersonate was personally known to me.
  Why is an ID requirement regarded as so burdensome by Democrats? Most European countries have two factor authentication; they mail a registration card to your address, which you're required to bring, along with your photo ID. In this manner they verify both your address and your identity. Nobody is accusing the EU of being racist with such requirements. What's the problem with having something similar in the States?
  
  --
  I want peace on earth and goodwill toward man.
  We are the United States Government! We don't do that sort of thing.
38. Re:ssh / scp / https maybe? by Immerman · 2014-11-13 13:56 · Score: 1
  
  Ah yes, a meritocracy is definitely superior. And I can only assume you'll be wanting a place on the committee that decides the standards by which such merit is measured?
  It doesn't matter how incompetent the populace is, if you deprive them of a voice in government then you are consigning them to be slaves to that government in short order. And to quote C.S. Lewis: "Aristotle said that some people were only fit to be slaves. I do not contradict him. But I reject slavery because I see no men fit to be masters."
  
  --
  --- Most topics have many sides worth arguing, allow me to take one opposite you.
39. Re:ssh / scp / https maybe? by DaHat · 2014-11-13 14:53 · Score: 1
  
  The powers that be like to tout how background checks have prevented some untold number of bad guys from getting guns... often left out is the woefully small # of prosecutions of said people for their illegal attempts to acquire a firearm.
  When the penalty on the books is rarely enforced, it quite easy to look for other ways to do what you want to do and know that you probably aren't going to get caught... a problem that has existed in the voting world for years: http://www.washingtonpost.com/...
  
  --
  Help Brendan pay off his student loans
40. Re:ssh / scp / https maybe? by Immerman · 2014-11-13 15:33 · Score: 1
  
  I believe the problem is that the US has a long history of organized interference in the acquisition of voting-specific ID. I've heard far fewer complaints against the usage of a state-issued photo-ID (aka drivers license, assuming you drive) Even those though can often cost upwards of $50 or so, and have limited usage outside of driving and banking, thus imposing a substantial financial burden on the poorest members of society who still wish to vote.
  Keep in mind - the social safety net in the US is mostly restricted to critical medical care and food-specific financial assistance of less than $6/day. And there are substantial gaps that are easy to fall through even for the meager assistance available. For example to receive food assistance you need to have an income of at least 50% of the poverty line or provide documented evidence of at least 20 attempts per month to find a qualifying job, and benefits are suspended for a minimum of 3 months if you fail to provide your monthly evidence in a timely fashion. Not always an easy thing for someone struggling to survive to comply with. And since the Republicans can be pretty much counted on to try to reduce the safety net even further, those who can least afford to comply with voter identification laws are also disproportionately likely to vote Democrat.
  
  --
  --- Most topics have many sides worth arguing, allow me to take one opposite you.
41. Re:ssh / scp / https maybe? by riverat1 · 2014-11-13 17:21 · Score: 2
  
  Out of the hundreds of millions of votes cast over that past 14 years they've found less than 30 cases if in-person voting fraud which is a fraud rate of less than 0.00001%. Voter ID is just a solution looking for a problem. Before Oregon switched to vote-by-mail I would go to the polling place, they'd find my name and address in the poll book, I'd sign the line next to it and get my ballot. Now with vote-by-mail I sign the outside of the envelope (which has an inner secrecy envelope so it can be separated without identifying my ballot) which is compared with the signature on file from my voter registration. That system has worked just find for a century. Why make voting any more complicated than it has to be?
42. Re:ssh / scp / https maybe? by roman_mir · 2014-11-13 18:23 · Score: 1
  
  If you are actually concerned with people not being slaves, then you have to reject democracy, because it is mobocracy, where the majority turn minorities into slaves. That's why there are so called 'progressive income taxes' in the first place, the majority votes to steal more money from a minority and that is also slavery and if you are as against it as you say, then you can't be for democracy at all.
  I am against democracy of-course and I am against slavery, which is not a contradiction once you realise that it is what a constitutional republic supposed to be, but it devolved from that into a mobocracy and slavery due to human element. So the answer is to remove the power from government. The problem is government, its very existence leads to slavery one way or another. Voting for something always means using violence against some people to get something from them (to steal from them, to use them), there is no difference between voting and dictatorship if the dictator was always on the side of majority, which is what happens in democratic politics anyway. So the actual answer is anarchy as a political system and capitalism as an economic one.
  
  --
  You can't handle the truth.
43. Re:ssh / scp / https maybe? by znrt · 2014-11-13 19:57 · Score: 1
  
  Why make voting any more complicated than it has to be?
  because there's big money to be made?
44. Re:ssh / scp / https maybe? by Anonymous Coward · 2014-11-13 20:12 · Score: 0
  
  In theory, when the *real* Mr. Immerman shows up to vote, and someone's already signed in that box, you AND Mr. Immerman know there's vote fraud taking place.
  At which time the fact needs to be recorded, and the police notified, etc. etc.
  Handwriting recognition isn't required -- pretty much you're just looking for a mark to be made in the correct location. If nearly everyone votes, in person, then fraud is very likely to be detected, and the criminals caught, prosecuted, and penalized.
  Keeping the rolls cleaned up is a separate issue, but even if they aren't, there's only a limited amount of damage any one criminal can do. Voting at the same polling place vastly increases the chances of being caught. Voting at multiple polling places increases the amount of effort, and also increases the risk ("Hey, I know Mr. Immerman, and you're not Mr. Immerman!") of being caught.
  Now, with mail-in votes, or all-electronic voting, the risk of getting caught goes way, way, way down. And we all know what happens when the cost/risk of some action drops and the payoff stays the same.
  Having an all-electronic voting system is already broken. Not building in data-integrity checks (e.g., bidirectional public-key message signing) is just icing on the fail cake.
  As for ID being regarded as burdensome, the best argument I have found is made here - http://www.weeklystorybook.com...
  As for the poor having difficulty taking a day off of work to acquire an ID, well, that's a simple solution. Raise the taxes to keep more government-ID offices open longer hours and on weekends (MORE JOBS) as part of the voter-ID laws. I agree that one shouldn't have to go far to get to an ID if, in fact, an ID is going to be required. And likewise, I agree taking time off of work shouldn't be required to acquire an ID -- do it before or after work, by appointment if necessary, and have the people in that state pay the damn taxes to fund the offices, 24/7/365 if necessary.
  As I see it, people can whine about their taxes, or whine about voters not having IDs, pick one and only one.
  (Hm. Don't feel like logging in. AC it is.)
45. Re:ssh / scp / https maybe? by Immerman · 2014-11-13 21:32 · Score: 1
  
  Well, if you're going to pull up taxes as a form of theft then we'd better go back a little further and point out a much, much bigger one: private property rights. The law of the jungle is you can only accumulate as much wealth as they can personally defend - anything that someone can take from you by force or trickery becomes theirs by right of possession. It's only in the presence of "civilized" private property rights that you can get the current situation where a tiny minority can accumulate many orders of magnitude more wealth than the majority.
  
  --
  --- Most topics have many sides worth arguing, allow me to take one opposite you.
46. Re:ssh / scp / https maybe? by Anonymous Coward · 2014-11-14 01:14 · Score: 0
  
  With a paper-based system:
  1. Go into booth.
  2. Check the one you were paid to vote for.
  3. Snap picture.
  4. Leave booth.
  5. Go back to the voting officials and explain that you misread the name of the guy you were going to vote for, and get your ballot replaced.
  6. Go back into booth.
  7. Check the guy you want to vote for.
  8. Put ballot into the voting bin.
  9. Deliver picture of ballot.
  10. Profit.
47. Re:ssh / scp / https maybe? by cellocgw · 2014-11-14 03:47 · Score: 1
  
  Out of the hundreds of millions of votes cast over that past 14 years they've found less than 30 cases if in-person voting fraud which is a fraud rate of less than 0.00001%. Voter ID is just a solution looking for a problem.
  
  If only that last sentence were true. VoterID is a solution to a major problem: getting rid of people who don't vote Republican. If you think the whole megillah was set up with actual fraud-protection in mind, you're seriously naive.
  
  --
  https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
48. Re:ssh / scp / https maybe? by Obfuscant · 2014-11-14 06:44 · Score: 1
  
  It's you who is arguing for a change to a very old tradition in America (and many other developed nations) of absentee voting.
  I'm WHAT? I'm arguing for a change? Now I know you're replying to someone else.
  
  Really, you remind me of those tiresome Slashbots in the early millennium who read a little too much Heinlein and urged a requirement of military service before one could have voting rights.
  I've already commented on the events that came about based on people in one place voting on laws to be followed elsewhere. That you equate a fictional requirement for some public service to earn the right to vote, and a logical and existing requirement that you be a resident of the jurisdiction in which that right exists, is the tiresome part here.
  
  Some states have very lax requirements for maintaining residence and voting rights there.
  'Lax' is not 'none', and maintaining a residence is creating a less than location-independent lifestyle. Your use of the term "currently" when referring to the ex-pats implies a short-term nature of the ex-pat status, which also makes them less than location-independent.
49. Re:ssh / scp / https maybe? by Obfuscant · 2014-11-14 06:53 · Score: 1
  
  would satisfy Obfuscant's demand
  
  If you cannot make your own arguments, at least stop making them up in my name. I made no demand. I stated my opinion.
  
  The US simply has too old a tradition of people who have permanently left,
  
  Yeah, there are a lot of old traditions that the sole reason they can't be changed is because they are old traditions. The Democrat voting machine in Chicago being one. Using paper ballots at a physical polling place would be another. Oh, wait, That 'old tradition' is one you think should change. Hmmm. Seems like 'old tradition' is only an argument against change when you don't want something to change.
  Since you seem unwilling to defend that "old tradition" of people who don't live someplace getting to set the rules for those who do live there, I'll assume you have no reason other than it is "old tradition", similar to the "old tradition" where the British Parliament and His/Her Majesty set the rules for their colonies.
50. Re:ssh / scp / https maybe? by garote · 2014-11-14 07:42 · Score: 1
  
  A physical polling station prevents this by ensuring a) the voter is not documenting the vote and b) no one else is documenting the vote. Neither a) nor b) can be guaranteed with online voting. It is extremely hard to provide PROOF to someone you voted a certain way in a physical voting situation. It is easy to SAY you voted a certain way, but that doesn't have to be true.
  A physical polling station does nothing to ensure that the voter is not documenting their own vote, nor was it designed for this purpose. It's trivial in the modern era to take out your phone and film yourself voting, from beginning to end, inside the booth. Whether you throw some tantrum and manage to get your vote changed, or edit the video footage later, is your own business of course. Your peers pressuring you into demanding "proof" is just as much a problem with paper voting as it is with any other form.
  The more important point, though, is this: If you don't want anyone else to see you voting on your smartphone, you can go hide in a closet and vote. If you do, you can always register your vote "in public" and then change it later. If you think someone is going to hold you at gunpoint and stare directly at your phone for the entire duration of the voting period - which can be as long as a WHOLE MONTH, considering how vote-my-mail ballots already work in this country - then you have much, much bigger problems than your ability to vote being tampered with. You are the victim of a kidnapping and the police should be out looking for you.
  If you're especially paranoid I suppose the voting software could implement a "no take-backs" feature where you can lock in your vote, so even if you're kidnapped near the end of the voting period, you can't be forced to change it. Then the kidnapper has to simultaneously abduct enough people to sway an entire election the SECOND the polls open, then have enough coercive power with them - threat of imminent death for example - so that they don't just refuse to vote altogether. Again, if you live in a city where this can happen, you have bigger problems.
  Same deal with the hypothetical Texas church: If your church locks you in and compels you to vote a certain way on pain of excommunication or whatever, you have much bigger problems at hand. You should be videotaping that and going to the feds with it. Sadly, if you're a member of such a church, you probably think the feds are an agent of Satan anyway. Properly implemented encrypted online voting is not going to influence this, since this sort of ugly fraud is just as possible with absentee ballots and voting-by-mail already.
  (Note that this scenario is pretty damn out-of-wack. In many towns, the church is trusted as non-political enough to double as an official polling place.)
51. Re:ssh / scp / https maybe? by cwsumner · 2014-11-14 10:33 · Score: 1
  
  Actually, it's the Democrats that assume the poor voters are too dumb to have ID. The Republicans know quite well that poor people have ID, because they use it to buy things from stores. The laws are just to keep "foreign spies" out. And to irritate the Dems... 8-P
52. Re:ssh / scp / https maybe? by Anonymous Coward · 2014-11-14 15:34 · Score: 0
  
  That's why there are so called 'progressive income taxes' in the first place, the majority votes to steal more money from a minority and that is also slavery
  Taxation is neither stealing nor slavery. To get the benefits of civilization you have to pay for it and taxation is where you get the money from. The G20 agrees with me and is wisely moving to end corporate tax dodging.
53. Re:ssh / scp / https maybe? by CRCulver · 2014-11-14 19:46 · Score: 1
  
  I'm WHAT? I'm arguing for a change?
  
  Is claiming that a status quo is unjust not wishing for change?
  
  Your use of the term "currently" when referring to the ex-pats implies a short-term nature of the ex-pat status, which also makes them less than location-independent.
  
  I don't see where you get that from. Merriam-Webster defines "currently" as simply " happening or existing now" with no connotation that it's a temporary thing. Many US citizens abroad have left the US for good (or have never lived there, but simply received US citizenship through ius sanguinis), and they now, as they vote, are living somewhere else.
  With regard to the American Revolution, the colonists who pushed for a break with England supposedly wanted no taxation without representation. US citizens abroad must file US taxes, and denying them the right to vote would mean being taxed without representation.
PDF by BradleyUffner · 2014-11-13 08:44 · Score: 1

Do any electronic voting systems actually work by sending around PDFs? If so I don't recall hearing about them.
1. Re:PDF by DaHat · 2014-11-13 08:59 · Score: 1
  
  From TFA:
  
  PDF ballots have been used in Internet voting trials in Alaska, and in New Jersey as an voting alternative for those displaced by Hurricane Sandy.
  
  --
  Help Brendan pay off his student loans
2. Re:PDF by Anonymous Coward · 2014-11-13 09:09 · Score: 0
  
  Weren't the post-Sandy e-voting efforts in NJ a one-off effort that are widely regarded as a cluster-fuck? Would anyone really try that solution again?
3. Re:PDF by Immerman · 2014-11-13 13:58 · Score: 1
  
  Becasue wherever there's a clusterfuck, there's an opportunity for massive fraud in your favor?
  
  --
  --- Most topics have many sides worth arguing, allow me to take one opposite you.
Re:Open Vulnerability by fustakrakich · 2014-11-13 08:47 · Score: 4, Insightful

No computer is suited for elections. They need constant verification, which they are not getting.
And I sure do hear a lot of people saying, *I didn't vote for that!*, more than usual, but I don't expect anything to come of it. Everybody is just too conditioned to write off such talk as crazy.

--
“He’s not deformed, he’s just drunk!”
My two cents by Anonymous Coward · 2014-11-13 08:48 · Score: 0

Here in Washington state, we have paper ballots counted by machines. Even so, I think it'd be best to hand-verify all votes that matter most even if it's time consuming.
I could save money on my server costs by JohnnyDoesLinux · 2014-11-13 08:53 · Score: 3, Interesting

I do PDF processing using a server class rack mount machine. Damn, if I could have known that I could have used a cheap off-the-shelf router to do this, I could have had a raise..
Oh, is that all by smooth+wombat · 2014-11-13 08:56 · Score: 1

The attack relies on a hacker first replacing the embedded Linux firmware running on a home router.

Well then, the obvious answer is to not have embedded Linux firmware on the home router. There, problem solved.

We know voting from home is fraught with dangers, but this is another one of those situations where you would have to spend inordinate amounts of time tracking down each router, finding a way to get into it, change the firmware, then wait until you're sure the person is in the process of voting before you could even consider changing their vote.

You could accomplish the same thing by getting a fake driver's license and showing up at the polls in their stead.

--
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
1. Re:Oh, is that all by DaHat · 2014-11-13 09:01 · Score: 1
  
  You don't need to know the specifics of each and every router... just one or two which there are enough of that you can identify and exploit remotely.
  Coming up with a single fake drivers license and voting gets you only a single vote... exploiting say... the standard ISP provided router may be a bit harder... it will get you far more votes and less visibility.
  
  --
  Help Brendan pay off his student loans
Internet voting defeats the purpose. by Anonymous Coward · 2014-11-13 08:56 · Score: 0

For elections to be truly free and democratic, the process has to be simple enough that everybody can vote and anybody can participate in the tallying of results (i.e. it is TRANSPARENT)
The second you introduce any kind of mildly advanced technology, you lose the transparency. If everybody who voted cannot also verify by themselves that the process follows the rules and that the votes are properly counted, then the experts become the gatekeepers.
It's a slippery slope.
I don't care how "cumbersome" the old paper ballots are. Freedom takes precedence over convenience.
1. Re:Internet voting defeats the purpose. by DaHat · 2014-11-13 09:04 · Score: 1
  
  We have a system today where we are told it's just too hard to come up with a photo id and show up to the polling station on election day.
  Given the degree of laziness and helplessness that the electorate is told it has... is it no wonder that some think that voting from the comfort of your home and on your own PC might be a good thing?
  Gimme a old school paper ballot and an oval to fill in after showing my id any day.
  
  --
  Help Brendan pay off his student loans
2. Re:Internet voting defeats the purpose. by Anonymous Coward · 2014-11-13 09:29 · Score: 0
  
  >We have a system today where we are told it's just too hard to come up with a photo id and show up to the polling station on election day.
  
  Not just that it's too hard, but that it's pointless since voter fraud only happens in significant numbers in the minds of ignorant, regressive Republicans. Why should we cater to terrible, delusional people who want to marginalize the citizens who would vote the wingnuts out of office? Isn't the gerrymandering bad enough? You need to deny people the right to vote as well?
3. Re:Internet voting defeats the purpose. by Anonymous Coward · 2014-11-13 23:39 · Score: 0
  
  I don't care how "cumbersome" the old paper ballots are. Freedom takes precedence over convenience.
  If machines can count physical currency notes, why can't they do the same with paper ballots? I think the cumbersomeness is just an excuse to introduce a technology where computers (and the people running them) decide the winner of an election, instead of voters.
  What proof is there that if I vote for candidate A, that vote is not going to be added to candidate B? With paper ballots, there can be multiple counts by different humans counters to verify that the vote count is accurate. With paperless computer-voting, no physical evidence exists of what happens to a vote. We have to entirely trust the computer to do the right thing and that's just stupid.
all your voting system are belong to us by Cardoor · 2014-11-13 09:10 · Score: 1

love,

your pals @ diebold
easyer to just a list of dead people and vote unde by Anonymous Coward · 2014-11-13 09:10 · Score: 0

easyer to just a list of dead people and vote under there names.
Paper? by xtal · 2014-11-13 09:28 · Score: 4, Insightful

Seriously?
Whats wrong with paper?
Lots of systems for automatically dealing with it. Unique and irrefutable record. Easy to recount. Don't like one machine? Design a better one to scan and count. People really pissed off? Count those SOBs one at a time in front of a crowd on a big-screen TV.
Ballot boxes are easily placed out in the open; they're easily observed and tracked by as many people as would like to. The entire way through the process.
Lots of very large, modern democracies just use paper. Including your neighbours up north. X marks the spot.
Crazy.

--
..don't panic
1. Re:Paper? by Anonymous Coward · 2014-11-13 09:35 · Score: 0
  
  Well, actually, one of the flaws in paper is that it's not absolutely irrefutable. Some of this is human error when it comes to marking, but you can even have problems with printing, with delivery, and with storage.
  It's not a perfect solution, not by any means.
2. Re:Paper? by riverat1 · 2014-11-13 10:16 · Score: 1
  
  Nothing is perfect when humans are involved. But I challenge you to find a method that is less potentially subject to manipulation than paper (other than the town hall open voting in some New Hampshire towns).
3. Re:Paper? by Anonymous Coward · 2014-11-13 10:43 · Score: 0
  Authenticated vote via key encryption. The only weakness is that someone can coerce you to prove that you voted for their candidate. However, it can remain otherwise anonymous by setting up one entity to confirm and record your identity, another to register, count, and display your votes to the public and a final one to authenticate your identity (anonymously) with the second agency. To explain in a bit more depth:
  Agency A gives you a key, confirms your identity, gets supporting documentation to prove that you registered.
  Agency B gets a list of valid keys from Agency A.
  Agency C takes your vote, automatically confirms that you have a valid key with agency B, then records your vote onto the public ledger.
  At any time, someone can take the entire vote and confirm their signature and their vote, and tally the result to confirm the result.
  For extra points, legally require everyone to vote (ala Australia) and allow votes for "No confidence" or something to illustrate satisfaction with the state of and process of democracy in the country. Also, make it illegal to share your key with others to help avoid coercion and dissuade vote buying. Though, I should note, if you are being bought or coerced you can provide someone else's public key from the ledger and claim that it is your own, so it's not making it easy for perps either.
4. Re:Paper? by Anonymous Coward · 2014-11-13 10:54 · Score: 0
  
  Sorry, one mistake: Agency C records a one-time key in the public record, NOT your public key. Agency B can then confirm that Agency C didn't add additional votes. Corruption then becomes at least as transparent as paper and much harder, since Agency C would have to lie about the vote and try and guess at who will not confirm their vote based on their ip address or something or Agency A would have to create keys for factitious people which could not surpass the voting population and would be traceable based on the records they are required to keep.
5. Re:Paper? by xtal · 2014-11-13 11:30 · Score: 2
  
  ..or just use a piece of paper.
  
  --
  ..don't panic
6. Re:Paper? by Anonymous Coward · 2014-11-13 11:43 · Score: 0
  
  To which vote counters can then pad with extra slips. Poll supervisors can "lose". People have to go through the hassle of going to vote on one particular day (instead of registering at any time prior to election). You can not confirm that your own vote was counted correctly. There is additional cost in moving things around where that could instead be spent on verification and accountability. etc etc etc. The idea that internet votes are being cast via PDF or sent without end-to-end encryption based on predetermined identities (DISTRIBUTED KEYS NOT HTTPS!!!), on the other hand, is deplorable.
7. Re:Paper? by xtal · 2014-11-13 12:10 · Score: 2
  
  Do you know how this works?
  The box goes out in the open. Everyone can watch things go in.
  The count is done with several people. Observers can watch. That's how it's done in Canada. Really.
  The whole process, if fraud is a concern, can be watched end-to-end. There is no opportunity for "extra slips".
  Paper works and is AFAIK the hardest to game and has the most oversight. I question those who are so quick to get rid of it.
  
  --
  ..don't panic
8. Re:Paper? by riverat1 · 2014-11-13 12:12 · Score: 1
  
  The problem I have with your solution is the complexity. The average voter will never understand what is going on there which doesn't help their confidence in the outcome of the vote. A simple paper ballot is understandable by any one intelligent enough to vote.
9. Re:Paper? by Anonymous Coward · 2014-11-13 12:37 · Score: 0
  
  Granted, though being able to verify your vote with a "key" and being able to count the vote yourself should be easy enough to understand for the younger generation. I think the biggest challenge would persist with compromised machines. People would only notice a tamper after the vote and would have to re-cast, extra labour, and with no trace to who could be responsible for the gaming would leave them free to manipulate no confidence votes from people who would be far less likely to check their vote. It would also kill confidence in the system. Giving identifiers out on bootable flash drives could help if the machine's firmware wasn't compromised, though.
10. Re:Paper? by Immerman · 2014-11-13 14:05 · Score: 1
  
  You forgot:
  Non-Agent D coerces you into giving him your private key so that he can vote in your stead. And if it's illegal for you to do so then you have even more incentive to keep quiet about it.
  
  --
  --- Most topics have many sides worth arguing, allow me to take one opposite you.
11. Re:Paper? by Anonymous Coward · 2014-11-13 14:22 · Score: 0
  
  I should clarify, illegal to share your private key and then fail to revoke it within some time frame.
12. Re:Paper? by DNS-and-BIND · 2014-11-13 16:37 · Score: 1
  
  Paper isn't some magical solution. The PRI in Mexico rigged elections for eighty years using nothing but paper. Did you not know that?
  
  --
  Shutting down free speech with violence isn't fighting fascism. It IS fascism!
13. Re:Paper? by riverat1 · 2014-11-13 17:23 · Score: 1
  
  Yes, the younger generation would understand it better but I doubt even a quarter of them would either. It's mainly computer geeks like us that understand that.
14. Re:Paper? by Anonymous Coward · 2014-11-13 20:30 · Score: 0
  
  Works this way in Australia too.
  You rock up, give your name and address, they cross your name off their list. The person checking names then signs the ballot paper to show that it was given out.
  You go into your booth, number the boxes, fold it up and drop it in the box on the way out. The box has people standing next to it, and everyone can see it.
  After closing the box gets sealed and taken to the counting area.
  Multiple people there to make sure it's done properly.
  Results get sent back to HQ. Ballots get kept in case a recount is needed/required.
  If one electoral area has major problems, they redo the voting in that area. (as happened here http://www.news.com.au/national/breaking-news/palmers-senate-candidates-to-be-revealed/story-e6frfku9-1226840550981)
15. Re:Paper? by cwsumner · 2014-11-14 10:56 · Score: 1
  
  See the phrase "Poll Watcher".
  The US state political parties send people to each polling place to watch what is happening. Both sides are watching all day, with different volunteers trading off shifts. Every step has watchers.
  So how do they "watch" the electronic transfers?? In some states it is required by law, and they are deciding now whether to change the state law or just not use electronic machines.
Re:Open Vulnerability by ShanghaiBill · 2014-11-13 09:30 · Score: 1

And I sure do hear a lot of people saying, *I didn't vote for that!*, more than usual, but I don't expect anything to come of it.
Polling data predicted the outcome in 50 out of 50 states during the 2012 presidential election. During the election this month, there was some gaps with the pre-election polls, but the exit polls were mostly dead-on. There may be some cheating here and there, but comparisons with the polling data suggests it is insignificant.

Everybody is just too conditioned to write off such talk as crazy.
People are just jaded on conspiracy theories unsupported by any evidence whatsoever.
Open Vulnerability by Anonymous Coward · 2014-11-13 09:36 · Score: 0

With proprietary solutions there are just as many bugs and vulnerabilities, except they get ignored shoveled under a rug for very long periods of time within which hackers will exploit them. At least with open source, you can't deny the existence of bugs and they tend to get patched very quickly. Take your pick.
Man in the middle versus E2E by goombah99 · 2014-11-13 09:46 · Score: 2

E2E encryption likely won't work. The router would set it self up as a proxy to allow a man in the middle attack. But you might be able to use encryption of the ballot itself, not it's transmission layer to avoid a problem. However this would be a pain in the ass since now the user has to somehow assign passwords and stuff.

--
Some drink at the fountain of knowledge. Others just gargle.
1. Re:Man in the middle versus E2E by Anonymous Coward · 2014-11-18 20:32 · Score: 0
  
  Using cryptography in the ballot is mandatory, there is no other way.
  Online voting must satisfy two things:
  - confidentiality (otherwise your ISP or compromised router will know for whom you have voted), this is handled by encryption
  - integrity, which is handled by cryptographic signatures. Otherwise it would be very easy to duplicate or create fake votes.
Re:Open Vulnerability by Archangel+Michael · 2014-11-13 09:51 · Score: 1

"Calibration" Issues are not a conspiracy theory. When on screen choices switch to a candidate you don't want, while you're in the booth, there is a problem. I would say, BIG problem. Once an electronic ballot is cast, there is no way to verify it actually gets counted the way it was cast. And there is no backup.

--
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
TLbhtlhblthttt. by garote · 2014-11-13 10:10 · Score: 1

Run the numbers. How much would it cost to
1. convince a voting authority to accept UNENCRYPTED PDFS as a means of voting
2. covertly install functioning hacked firmware on the wireless routers of a significant percentage of the citizenry
Wouldn't the return-on-investment be far better just running a bunch of attack ads?
1. Re:TLbhtlhblthttt. by DaHat · 2014-11-13 11:35 · Score: 1
  
  A bit of upfront coding, a few stolen credit card numbers and spinning up a few hundred instances in AWS to scan for exploitable routers seems rather cheap to me.
  
  --
  Help Brendan pay off his student loans
2. Re:TLbhtlhblthttt. by blueg3 · 2014-11-13 12:34 · Score: 2
  
  2. covertly install functioning hacked firmware on the wireless routers of a significant percentage of the citizenry
  That's already been done in the real world. It looks like it was done on a budget that's trivial compared to the value of modifying votes.
3. Re:TLbhtlhblthttt. by sconeu · 2014-11-13 15:49 · Score: 1
  
  Re item 1: What's the going rate for a Senator? I'm sure your local voting authority (I believe in CA it's the local county that decides voting methods) are a hell of a lot cheaper.
  
  --
  General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
Re:Open Vulnerability by fustakrakich · 2014-11-13 10:13 · Score: 3, Insightful

When you keep the divisions within the margin of error, it is very easy to push the results one way or the other without raising suspicion, and any possible evidence is very easy to hide, or destroy, as the case may be. But without that, it is not difficult to trace means and motive, and only one conclusion can be drawn. Why should I ever give the authorities the benefit of the doubt? Isn't 10,000 years of precedence enough?

--
“He’s not deformed, he’s just drunk!”
Code execution privileges allow code execution! by ShadowRangerRIT · 2014-11-13 10:17 · Score: 4, Insightful

How is this even noteworthy technologically? He's assuming he can modify the router firmware. "If I completely replace the software handling my data, I can change the data!" Seriously? That's the dumbest, most obvious thing possible.

--
$_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
1. Re:Code execution privileges allow code execution! by duck_rifted · 2014-11-13 10:25 · Score: 2
  
  It's dumb and obvious to anybody who knows anything about tech. That is, nobody in politics. That is, nobody responsible for deciding whether to use these machines. When policy is drafted by people who just say whatever the highest bidder pays them to say, it helps to point out the obvious.
Re:Open Vulnerability by sycodon · 2014-11-13 10:43 · Score: 1

Amen.
Paper and pencil and optical readers.
Scan the ballots three separate times at the district and compare the results. Report the results over the network...confirm via portable media, confirm again with rescan at central location before certification of the election.
Electronic ballots are slow and stupid.

--
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
Re:Open Vulnerability by tibit · 2014-11-13 11:02 · Score: 1

So, let's see, what's better: a Linux kernel or some barely working "micro" TCP implementation on a microcontroller of some sort? I'll take linux any day, thank you.

--
A successful API design takes a mixture of software design and pedagogy.
Apparently this isn't a problem yet by Anonymous Coward · 2014-11-13 11:39 · Score: 0

Since the republicans are winning so much, hackers obviously aren't doing enough.
Um, SSL? by Craig+Ringer · 2014-11-13 12:38 · Score: 3, Interesting

Otherwise known as the "voting machine company was too stupid to implement SSL" attack?
Or, for email, the "what idiot thinks email is secure without local S/MIME or PGP signatures" attack. Seriously, on-wire tampering is the least if your worries if you're *emailing* ballots around.
1. Re:Um, SSL? by Anonymous Coward · 2014-11-14 12:24 · Score: 0
  
  This demonstration shows policymakers and the general public exactly why they should care about these things. It's not intended for the /. crowd, really.
Re:Open Vulnerability by Anonymous Coward · 2014-11-13 13:13 · Score: 0

Dude, if there were a Nobel Prize for stupidity, you'd be a shoo-in. Fuck.
Re:Open Vulnerability by Anonymous Coward · 2014-11-13 13:19 · Score: 0

Stupid for not being ignorant of history? Huh.
Wrong by Anonymous Coward · 2014-11-13 13:23 · Score: 0

There is no such thing as a "proxy" when it comes to E2EE. You encrypt it, send it, and if a MITM modifies it, then it will be rejected at the other end.
1. Re: Wrong by Anonymous Coward · 2014-11-14 04:43 · Score: 0
  
  If you are frauding for party A, getting votes rejected for likely party B voters is just as helpful.
Re:Tracable to what? by Anonymous Coward · 2014-11-13 13:26 · Score: 0

Traceable only to a signing key that is issued by the gov't. They might know... just like they know your SSN, but they wouldn't make that information public.
Voter surpression by rsilvergun · 2014-11-13 13:41 · Score: 2

is what's wrong with paper. Long lines in poor neighborhoods. Broken machines. Polling places closing hours early when you know people can't take time off to vote

You'll never see voting day a national holiday because the powers that be don't want the lower caste voting. Progressives do though, and we're trying to come up with ways to combat voter suppression. From the progressive standpoint who cares if it gets hacked? The paper vote has already been hacked so to hell by voter suppression that things can't get any worse.

--
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
1. Re:Voter surpression by Anonymous Coward · 2014-11-13 14:33 · Score: 2, Informative
  
  But you can solve that with paper, too. In fact my state does: I live in a 100% vote-by-mail state, so there's no lines and no worries about having election day off or time to votes. It's not a perfect solution, but it does solve those problems. Although you can also print off a ballot if you lose the one mailed to it, which is less secure (all you need is a name and birthdate). Also, voting not in a voting place means there's no controls to prevent coercion and ensure vote privacy.
2. Re:Voter surpression by rsilvergun · 2014-11-13 16:19 · Score: 1
  
  The trouble with just Vote By Paper is it's equally vulnerable. It's not hard to make sure that it's tough to register for it. The mailings can (and have) "gone to the wrong address", etc, etc.
  
  I'm not opposed to vote by paper. Indeed the bottom rung of society will still need it (they can't afford a computer + internet connection). But a two pronged assault on voter suppression is definitely a good thing. If the lower classes could vote more I don't think we'd have lower classes :P
  
  --
  Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
3. Re:Voter surpression by riverat1 · 2014-11-13 17:32 · Score: 1
  
  The problem with making election day a national holiday is that we usually have more than one day of elections in a year. Maybe it's enough just to make the 2nd Tuesday in November a holiday but you've also got the primary elections and special elections that come up from time to time. I can remember having as many as 4 elections in a year. I think it would be better to have more than one day for an election and have it over a weekend, perhaps Saturday to Monday or Friday to Sunday. I like our system here in Oregon with vote-by-mail where I get my ballot at least 14 days before the election and can turn it in anytime before 8:00 PM on election day.
Re:Open Vulnerability by Anonymous Coward · 2014-11-13 13:50 · Score: 0

I'm sure you will be the perfect stand-in to accept the award. Say hi to your mom for me, okay? She has the number...
Thanks
Re:easyer to just a list of dead people and vote u by Immerman · 2014-11-13 14:02 · Score: 1

Only if the election commission failes to purge the dead from the voting roster. And if they fail on such a basic task I can only assume they've already been compromised by the people who want to steal the election.

--
--- Most topics have many sides worth arguing, allow me to take one opposite you.
This is not about router security by misnohmer · 2014-11-13 17:16 · Score: 2

If this can happen at home router level, think what can be done at the ISP. This is not an issue of router security, because your traffic can be intercepted with other techniques, this points to a much larger problem that electronic voting results can be changed in transit and they travel over open internet. Who can change packets in transit, let's see:
* US government (NSA, FBI, or any other agency with full access)
* Government sponsored hackers (Russia, China, etc...)
* Your ISP (Comcast, Verizon, etc)
* Backbone ISP (Level3, Sprint, MCI, etc)
* Non government sponsored hackers (Anonymous,...)
The traffic should be secured end-to-end - both authenticated and encrypted (the latter for privacy reasons).
.pdf? by Anonymous Coward · 2014-11-13 21:03 · Score: 0

Did I read that right? Voting machines use .pdf?, a format which is likely the second most ludicrously large size to send data in? Most elections could run off a single byte, oh, and apparently they weren't smart enough to send a checksum to check for alternations. They aren't even using SSH tunneling-level security. I'm surprised the designers didn't have to call IT to make sure their work computers were actually turned on.
Problem solved by SinisterEVIL · 2014-11-14 07:06 · Score: 1

Blockchain Technology..... Boom
Re:Open Vulnerability by Anonymous Coward · 2014-11-14 12:15 · Score: 0

There are some crpytographic voting schemes that let voters ensure that their votes are registered correctly and included in the final count. but not prove to anyone else how they voted. See systems like Scantegrity or STAR, or for a good intro, read Ben Adida's PhD thesis from MIT.