Slashdot Mirror


User: reiisi

reiisi's activity in the archive.

Stories: 0 · Comments: 1,487

Comments · 1,487

  1. OT: loading Linux/dual boot on Eee Is 1st Windows Laptop To Support Multi-Touch · · Score: 1

    The two-fingered scroll may be interesting, but what I want to know is whether anyone has bought the XP version and loaded, say, Ubuntu or Fedora on it, either single- or dual-boot.

    When I asked at the Yodobashi Camera and Sofmap in Umeda, I was told that no stores in Japan are carrying the Linux version of any of the eeePCs.

  2. statistically speaking on Your Identity Is Worth Less Than $15 · · Score: 1

    I'm guessing that a single identity really is not that easy to profit from.

    One issue is culling the identities that are potentially profitable from a large catch of identities of people with no money and low credit limits and high levels of paranoia.

    Another is possibly using several identities to enhance the profitability of attacking one, think sock puppet.

  3. Fraud against the bank. on Your Identity Is Worth Less Than $15 · · Score: 1

    (Sorry to be sensible.)

  4. Re:Knoppix on New Botnet Dwarfs Storm · · Score: 1

    How much more difficult is it to get to the BIOS flash than to the boot sector?

  5. Re:Not just diebold on The Cost of Electronic Voting · · Score: 1

    Failure in a voting system is acceptable?

    That's why you should have a backup voting method. I think the benefits of e-voting are enough that it is worth it.

    Backup method?

    But I don't think we have the same things in mind when we say failure.

    To me, failure is not in failing to elect the most popular candidate (by whatever measure of popularity). To me, failure is when the elections process puts someone in office who is more interested in using the system to his or her own purposes than in being a public servant. That means that the system should discourage gaming at any level. (Yes, the current US system is a dismal failure.)

    Voting is a statistical process. If the vote is so close that a 1% error could affect the outcome, you can't really say that the voters have chosen one or the other. That's the reason some places have runoff elections when no candidate is a clear winner, and runoff elections are the better solution here.

    I agree. Unfortunately, I'm pretty sure almost nowhere in the US does actually have runoff elections.

    Have you checked wikipedia on the subject? Or are you only thinking of the popular vote in the presidential elections?

    I would *love* to see an instant runoff system, or other modified voting system, in place throughout the country for all elections. (Not just when it's close, unless it's so far apart that the outcome can't change.) However, I'm not holding my breath for this to happen.

    What do you mean by so far apart that the outcome can't change? 10% difference? 30%? Change by means of what?

    Besides, what happens if it reaches two candidates and there is still a virtual tie? Declare both of them winners and have two presidents?

    I'd have to think about that two presidents idea. Might not be a bad idea. Can you see, in 2001, Gore and Bush trading places every day or every week as president and vice-president?

    In case you're curious, I'm inclined to believe that putting the president and vice president on a single ticket was a mistake.

    Of course, I'm not particularly enthusiastic about a government that actually "accomplishes" things. I think it's better when the government helps the people themselves to do most of the things they come running to the government for.

    If you only have one seat, you have to have a winner. So I think e-voting would be good even with instant runoff.

    I'm more inclined against instant run-off. I'd rather run a separate election. But, then, I don't think the country would fall apart if we had no president for a few weeks. Shoot, without a president to not veto, it would automatically require Congress to pass every item of legislation by two-thirds majority. (Of course, if we change the laws, there would always be the danger that Congress would decide that lack of a president would become lack of veto instead of lack of review.)

    I kid. Sort of. The former vice president, of course, remains as acting president until something can be done, according to current law.

    Anyway, the electoral college provides a way to get around statistically insignificant differences just fine.

    So the city runs temporary cables between the county offices and all the polling places just before every election?

    You really think that man-in-the-middle is just a theoretical problem?

    1) You don't need temporary cables, the standard phone system would work fine.
    2) As I said, the "call-in" count would be preliminary anyway; you would audit the systems later anyway.
    3) Network people in CS figured out ways of preventing man-in-the-middle attacks long ago (see SSL), and intelligence people long before that.

    1) The phone system works (present tense) ju

  6. Re:OCR on The Cost of Electronic Voting · · Score: 1

    Filled in completely is not nearly the problem it sounds like, in practice. The warning is to get people to recognize that a dot is not enough and that a mark that drags across the next ballot is too much.

    Some suggest a machine to check the ballot, but that opens (more) potential holes for eavesdropping. It's not that hard to get a bubble chart filled in right, especially when you use special felt tip pens. If the voter has doubts about stray marks, he can always surrender the spoiled ballot (current standard process for spoiled ballots) and get a new one. Some voters may need assistance, that's just not going to be avoidable, whether we use machines or paper.

    Even ignoring whether a validating machine could have a custom wireless com card (or even "poorly designed" noisy circuitry), the advantage of a checksum has to be balanced with the possibility of steganography. If you have a monotonic counter feeding into the checksum, you can extract the order. Besides, checksumming is always going to be opaque to a large portion of the voting population. Someone who claimed to be from Canada claimed they are using anti-counterfeiting tech like used on currency there. But I worry about the yellow dot problems we have recently (well, a couple of years ago) become aware of with color printers.

    A pre-printed, sparse, pseudo-random serial number on loose cards, with instructions to shuffle each pack when it is opened, might be workable, to prevent counterfeiting.

  7. You weren't doing your job. on The Cost of Electronic Voting · · Score: 1

    Unless you quietly warned the granddaughter to keep her voice down. (And you would have been doing the wrong job if you had said or done anything else.)

    Although, you might suppose it was staged, that the grandmother had asked the granddaughter to say that while she actually voted for someone else.

    If you could see what buttons were being pushed, you should have moved the machines.

    I was a judge once when we handed out ballots with serial numbers, in non-random order. As I recall, we had a sign-in book and everyone signed in, in order. I didn't raise a fuss on election day because I knew there was nothing to be done that wouldn't require just postponing the election, and I hadn't realized the problems during the training. One thing that helped, we had three sign-in books, so the record of order wasn't perfect. I arranged with the other judges to pull the ballots off the pads in somewhat random order, as well.

    The next election I judged (same place) had the voters signing-in on the voter list itself, so that no record of order remained. We had three copies of the list, to avoid a bottleneck. I think, also, the ballots were loose, so we could shuffle them, so that order was broken within the ballot pack.

    No system can correct for improper training of election judges, or for their failure to understand or do their duty.

    In small precincts, where everyone is friendly and no one is going to fire someone for voting wrong, sure, it doesn't matter. Until someone gets fired right after an election and doesn't like the stated reason.

    Sure, you can make the vote iron-clad accurate if you are willing to sacrifice anonymity, but it doesn't take a computer to do it. It just takes everyone being brave enough to vote their conscience even though everyone can see their vote. Well, not just brave enough, but conscious enough of his or her reactions to peer pressure to be able to cancel the effects of what other people will think while they mull over the decisions.

  8. anonymity on The Cost of Electronic Voting · · Score: 1

    There are two apparently conflicting principles here.

    One is that there needs to be a significant, if not majority, section of the population who are brave enough to vote their conscience even if they are killed, beat up, or fired for it. (You do need more who are brave during civil war.)

    The other is that, unless the problems are really, really bad, it's usually better to work through the system than go to the revolution mode. In such times, people need room and time to think without others being able to criticize every thought. That's what the anonymous vote is really necessary for.

  9. Knoppix on New Botnet Dwarfs Storm · · Score: 1

    Even live CDs will not be very effective if the malware writers find their way to the boot sectors (which is quite possible with a lot of unsupported but in-use previous versions of MSWindows).

    Yes, MSWindows is, in part, a victim of its own popularity. But Bill & Steve have been far too reluctant to give up the market share.

    So, even though it seems unfair to say so, when no system could (in theory) prevent the stupidity of the user from causing the user pain, it is still Microsoft to blame for how bad things have become. Microsoft and us, because we drank the kool-aid. We bought their bill of goods.

    If we lived in a world where people were surfing the web on Amigas, Macs, MSWhatever boxen, Ataris, Acorns, Apple ][32, TRS 80 level VIIs, Tandy Color Computer 32s, C64x64s, Sinclair128s, etc., the malware business would be a lot harder to make a profit in. There would, of course, be more platform-specific exploits, but not nearly the minefield we have now.

    Okay, when I wake up from the fantasy, I'll admit that not all the cool kludges would/should have survived, but the current homogenized web is just way too easy to attack.

  10. privilege escalation on New Botnet Dwarfs Storm · · Score: 1

    Well, we should say, don't use sudo except as an admin user that you never surf the web with.

    The solution is to prompt the user to make, not one, but two non-root accounts when they start the system up the first time or install the OS. Spell it out like this:

    "This one is for admin. It will have no general purpose web browsers, e-mail, etc., in the doc/start menu unless the user him/herself puts them there, only stuff useful for admin. DON'T USE IT FOR ORDINARY STUFF! Give it a really hard password that you write down and keep in the safe or whatever."

    "And this next one is for ordinary, day-to-day use. DON'T USE IT TO INSTALL THINGS OR DO OTHER ADMIN STUFF. Give it a hard password that you can remember."

    And you don't let the ordinary GUI agent for sudo run for an ordinary user unless the admin goes into the user setup and selectively allows the ordinary user to run it. And there is a warning there, short and to the point: "Checking this box may allow evil things to happen while the user is surfing the web or reading e-mail or doing other work."

    And the same warning should be prominently displayed in the GUI agent for sudo anytime it runs.

  11. educating the user? on New Botnet Dwarfs Storm · · Score: 1

    That's something Microsoft has been notoriously lax on. Unless it makes them a little money, in which case they give the bare minimum required to make the money, then leave the user to fend for himself in a hostile environment that is oriented to discouraging him from thinking for himself.

    Apple has been an order of magnitude better, but that is not enough. And they've been slowly backing off of that, and are not so now.

    These days, seems like everyone wants you to pay them for thinking for you.

    (Linux, of course, well, shoot, even Linux is getting its share of wizards. Visual access to the settings, human readable help, verification of the settings, and a human language explanation of the settings set, that's okay. But the current setup assistants try to think for the user, try to tell the user what he wants based on incomplete criteria. They give visual partial access, human readable partial help, partial constraints instead of verification, and precious little human readable explanation of the results.)

  12. featuritis on New Botnet Dwarfs Storm · · Score: 1

    It has much less to do with popularity than with featuritis. More features means more cracks to (intentionally) fall through.

    Well, the feature creep is part of what is driving the popularity, but that's reversing the causality.

    ps: fanboys are a misfeature of any popular OS

    pps: 10% is not exorbitant. Don't confuse lack of a stripped-down model for high prices. Complain about the lack of a stripped-down model, instead.

    ppps: insane (sparse) memory usage is also a misfeature of any modern OS. Solve the hard computation problems with processor speed and sparse memory organization. Let the user upgrade to 512M+ (AppleMac) or 1G+ (MSVista), and depend on better memory management to avoid swapping.

    This will be the year the AppleMac catches up with MSWindows in being vulnerable. Maybe.

  13. java? javascript? on New Botnet Dwarfs Storm · · Score: 1

    I find it par for the course that the commentator on zdnet says java and sun, but Macaulay, per theregister, says javascript.

  14. some people don't like plastic money on Researchers Create an Automatic Backup Band for Singers · · Score: 1

    Or maybe they don't like to put the number into a web site. Or maybe they have credit problems (ergo, where they live).

  15. Re:end-to-end verification by expert on The Cost of Electronic Voting · · Score: 1

    Anyone with competence to go to a website, and enter their receipt and remember the text they entered would verify the entire route of their vote was in place.

    (Insert sarcastic comment of your choosing here.)

    Only expert verification would be of the validity of the algorithms used to encrypt it. Which shouldn't be more than a page or 2 of code, I would think. (couldn't be touch screen, but something simple)

    Aren't you forgetting something?

    A few hundred tests prior to the actual vote to certify things, and only enough memory/hardware to accomplish the single encryption in the machines.

    Yeah. If they're going to program it to do something funny, they'll always program it to happen during the first hundred tests.

    Sure. You and I could look at the ROM to make sure what Ken Thompson pointed out many years ago hasn't been slipped in. But then your mother has to trust me, or my father-in-law has to trust you.

    Since none of this level of security is available now, with paper ballots.

    What is available is at least visible to the ordinary voter.

    I personally wouldn't want to live in a country full of people who had been trained to trust machines to check their votes for them, but maybe that's just me.

  16. verification on The Cost of Electronic Voting · · Score: 1

    is a different problem when it comes to voting.

    I posted above about the serial number problem. See if you can figure it out without peeking.

    That should get you started. Then take a fresh look at the theoretical advantages, look for implementation issues and the like.

    (And you might want to consider, for example, whether a person in the voting booth wants the machine to pop up a dialog:

    "It looks like you forgot to vote for your county commissioner: Are you sure you want to skip that?"

    Heh. We would hope, anyway, that the programmer wouldn't use "Accept/Retry/Deny?")

  17. fud? on The Cost of Electronic Voting · · Score: 1

    Do you understand the serial number problem?

    Watch who goes in the booth when.

    Compare that to the votes on the spool.

    Now, if there is a particular person that you want to be able to intimidate about his vote, you can find out what he voted.

    Of course, you say that I'm being paranoid. Working in a large county maybe hides the issue from you, but many polling places where I have been a voting judge have had so few voters that I could probably have memorized their names and the order they voted, had I been inclined to do so.

    (And I get modded tin-foil-hat when I remind people that electronic equipment leaks radio, and that there are known ways to monitor both keyboards and screens via the radio noise. No, that's black helicopter stuff, no use bringing that up.)

  18. OCR on The Cost of Electronic Voting · · Score: 1

    Print the ballots using a font that can be scanned optically. Eliminate the bar code.

    Several years ago, I was thinking basically the same thing, but then I remembered how checks have those funny numbers at the bottom. OCR can be really accurate if you can specify a good font in advance.

    I have also considered that encrypted barcode could provide a check against someone trying to forge ballots, but then I remember the serial number problem. Serial numbers open a back door to determining who voted how if someone can record who voted when. (Randomized serial numbers can close the backdoor to a large extent, but I'm not sure it helps.) Anything a human can't read on a ballot is a potential place to hide a serial number. We want as little fancy printed stuff on the ballot as possible.

    Anyway, the bubble chart ballot is easily verified by humans, machines, and manual counting judge. It takes more ink and more paper than just printing the voter's choice at the time of the vote, but it also doesn't require printers to be serviced during the vote.

  19. All mail? on The Cost of Electronic Voting · · Score: 1

    That's crazy, if not illegal.

    I mean, talk about man-in-the-middle and what-have-you.

    Absentee balloting is one thing, but you need people present as much as possible, when the votes are cast.

  20. arguing with sock puppets on The Cost of Electronic Voting · · Score: 1

    I assume you're overstating your case to be emphatic. However, ...

    A single post is not what we call a conversation.

    A second account, well, sometimes you don't want to put your employer at too much risk for what you say, even if you are posting from home, after hours. More than two accounts seems like going to a lot of trouble, I'll admit.

    Batting ideas back and forth can be a game, but I find the ideas themselves to be just as important as the players (or the play).

    If one guy wants to try to play all the bases and the outfield against me while I play with a full team, ...

    hmm. I guess he'd have to be pretty good to make it an interesting game.

    Never mind, I don't think I had anything important to say here, anyway.

  21. end-to-end verification by expert on The Cost of Electronic Voting · · Score: 1

    End-to-end verification by an expert means that we are at the mercy of the expert. What is so hard to see about that?

  22. voter assistance on The Cost of Electronic Voting · · Score: 1

    We can have electronic voter assistance for voters who need assistance and find electronics less scary than human assistance without the need for trying to shoe-horn electronics into the whole system.

  23. Even simple drivers are drivers on The Cost of Electronic Voting · · Score: 1

    You don't need the complexity of a game video card or a momentum sensing input device to hide back doors and other bad stuff, although, yes, the more complex the driver the more places to hide things.

    (Cue Ken Thompson's little games with libraries used by the compilers.)

  24. Re:Not just diebold on The Cost of Electronic Voting · · Score: 1

    It's more expensive, more prone to failure, and doesn't actually provide better, faster, or more verifiable results. Really? I agree that it's more expensive and probably more prone to failure,

    Failure in a voting system is acceptable?

    but I would argue that a system should provide better, faster, AND more verifiable results. Better: If you have a "voter marks a ballot, machine counts ballot" system, that will have recognition errors. These can be upwards of 99%, but there are important elections where the margin is smaller than that.

    Sigh.

    Voting is a statistical process. If the vote is so close that a 1% error could affect the outcome, you can't really say that the voters have chosen one or the other. That's the reason some places have runoff elections when no candidate is a clear winner, and runoff elections are the better solution here.

    A computer voting system should have NO error. The computer won't occasionally add 257 + 1 and get 258. (Bizarre quantum effects and energetic particles hitting the RAM notwithstanding; and you could always have it do every calculation twice

    Three times, really, although you would prefer to restart a count, rather than have automatic error correction, partly because you would want a technician to check that the error really was just RAM errors.

    if you really want to worry about those.) There are still other sources of inaccuracy and fraud in election, but why not remove one part?

    Any time you add complexity, you add more points of failure. (One thing that worries me here is adding more potential points for eavesdropping, but let's not distract you too much.)

    Faster: It should be virtually instant.

    Why is instantaneous such a big deal? I mean, seriously, I don't mind waiting even a couple of days to discover that, even if the candidate I voted for won, we really didn't have a very good pool to pick from in the first place.

    I think the problems that need most to be worked on come way before the count. And I suspect that computer technology has just made us less willing to deal with problems that are inherently not handled very well by automata.

    Even assuming that the machines aren't connected to an outside network (which is how it should be),

    So the city runs temporary cables between the county offices and all the polling places just before every election?

    You really think that man-in-the-middle is just a theoretical problem?

    precincts should be able to report almost instant vote totals. For instance, at election close, someone at each precinct calls the statewide election office and reports the total for each machine (perhaps in encrypted form). Mutual authentication ensures that the person calling is the designated representative. I can imagine several other schemes where perfectly accurate (assuming subsequent audits are clean) statewide results can be available within 5 or 10 minutes of the close of elections. None of this waiting several hours for Cleveland to count their ballots to even get the first number.

    What does calling in have to do with anything here? If you're willing to trust the net, there is no reason to even bother with voice.

    Verifiable: A paper trail provides essentially as much verification as any other system. Because it would be printed by the computer, quality control could ensure that the paper ballots are clear in their intention and all valid. It would be impossible to create a paper ballot that had two votes for the same office, and squabbles about voter intention should all but disappear.

    But what are we going to do when a voter claims that the printer messed up? (Okay, seems like not such a big deal, but it will happen.)

    I think a much better argument would be that the "better" result is a tiny part of voter inequi

  25. trained watchers? on The Cost of Electronic Voting · · Score: 1

    You do realize that watching people code is significantly harder than watching people count?

    (I'm not talking just orders of magnitude.)

    Code, compile, link, burn ROMs, assemble hardware, etc. Coding is probably the most intractable problem, though.