Speaking of full disclosure, I am interested in manufacturing hardware, so keep that in mind when I talk about how to implement security requirements. :)
What state are you in?
Goombah99, I don't agree with you that all necessary security characteristics can be met without some hardware requirements, but I agree with your approach to transparency and want to talk with folks on your team. I'll be in touch through your site.
Maryland Attorney General's report on voting system irregularities: press release at http://tinyurl.com/6ahena links to the report. Granted, it was written to address specific 2006 difficulties, but the security of the equipment was not even mentioned, nor was there a security expert on the panel.
Instead of a keyed hash verified by a human, I would prefer a digital signature verified by the equipment.
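An added Go example, not from this thread, contrasting the two approaches: with a keyed hash (HMAC) the verifying machine must hold the same key as whoever produced the tag, so verifying and forging are the same capability, whereas with an Ed25519 signature the machine is provisioned with only a public key. The ballot-definition string and the keys are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed sample payload: the ballot definition loaded onto a machine.
var ballotDef = []byte("election=2008-11-04;contest=governor;candidates=A,B,C")

// keyedTag is the keyed-hash approach (HMAC-SHA256). Whoever can verify the tag
// holds the same key as whoever created it, so verifying and forging are the
// same capability.
func keyedTag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

func keyedVerify(key, data, tag []byte) bool {
	return hmac.Equal(keyedTag(key, data), tag)
}

// signedVerify is the digital-signature approach. The machine holds only the
// public key, which cannot produce a valid signature over altered data.
func signedVerify(pub ed25519.PublicKey, data, sig []byte) bool {
	return ed25519.Verify(pub, data, sig)
}

func main() {
	altered := []byte("election=2008-11-04;contest=governor;candidates=A,B")

	// Keyed hash: the verifying machine must hold the shared key ...
	shared := []byte("constructed-shared-key")
	fmt.Println("HMAC, genuine file:", keyedVerify(shared, ballotDef, keyedTag(shared, ballotDef)))
	// ... so any machine that can verify can also produce a valid tag for an altered file.
	fmt.Println("HMAC, altered file re-tagged with machine key:",
		keyedVerify(shared, altered, keyedTag(shared, altered)))

	// Signature: the private key stays with the election authority, off the
	// machine; machines are provisioned with the public key only.
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader uses crypto/rand
	sig := ed25519.Sign(priv, ballotDef)
	fmt.Println("signature, genuine file:", signedVerify(pub, ballotDef, sig))
	fmt.Println("same signature, altered file:", signedVerify(pub, altered, sig))
}
```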
Good points, but who do you trust to load the machine's flash drive the morning of election day? How do you convince me to trust the person who loaded the flash drive? How do you and I convince the crazy guy down the street who thinks the government is listening to him through his drains? Obviously the last guy is a lost cause, but my point is that a well designed system should minimize the number of roles that can only be filled by trusted agents, since trusted agents are hard to come by in a domain as fraught with conflicts of interest as public voting.
Voting machines are publicly visible during an election, but before and after they are not. Also, tamper seals do not help when the machines are vulnerable through their data ports. Ed Felten and Avi Rubin demonstrated an attack using a virus propagated via memory card: http://tinyurl.com/kven7
Quoting from the abstract of their article: "For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities—a voting-machine virus. We have constructed working demonstrations of these attacks in our lab."
Gaming machines also use TPM to verify the integrity of the BIOS, OS and all applications. A good voting machine will do the same.
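An added Go example, not from this thread, modelling how a TPM's measured boot checks the BIOS, OS and applications: each component's hash is folded into a platform configuration register (PCR) with an extend operation, and the final value is compared against a golden value recorded for the certified build. The component images are constructed stand-ins, and the model is simplified to one SHA-256 register (real TPMs have many PCRs and several hash banks).

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// PCR models one TPM platform configuration register (SHA-256 bank).
type PCR [sha256.Size]byte

// Extend folds a component into the register. A TPM offers no "set" operation,
// only PCR' = H(PCR || H(component)), so the value depends on every component
// measured so far and on the order in which they were measured.
func (p PCR) Extend(component []byte) PCR {
	m := sha256.Sum256(component)
	return PCR(sha256.Sum256(append(p[:], m[:]...)))
}

// MeasureChain replays a boot chain (firmware, then OS, then applications)
// starting from the all-zero value a PCR holds after reset.
func MeasureChain(chain [][]byte) PCR {
	var pcr PCR
	for _, c := range chain {
		pcr = pcr.Extend(c)
	}
	return pcr
}

// Intact reports whether the measured value equals the golden value recorded
// for the certified build; release of keys or reports should hinge on this.
func Intact(golden, measured PCR) bool {
	return golden == measured
}

func main() {
	// Constructed stand-ins for the BIOS, OS and voting application images.
	bios, osImg, app := []byte("bios-v1"), []byte("os-v1"), []byte("vote-app-v1")
	golden := MeasureChain([][]byte{bios, osImg, app})
	fmt.Println("golden PCR:", hex.EncodeToString(golden[:]))

	// Same components in the same order reproduce the golden value.
	fmt.Println("certified build:", Intact(golden, MeasureChain([][]byte{bios, osImg, app})))
	// A modified application yields a different value, however small the change.
	fmt.Println("patched app:", Intact(golden, MeasureChain([][]byte{bios, osImg, []byte("vote-app-v2")})))
	// The same components loaded in a different order also differ: the chain
	// records sequence, not merely contents.
	fmt.Println("reordered chain:", Intact(golden, MeasureChain([][]byte{osImg, bios, app})))
}
```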
Absolutely. At a forum on the Voluntary Voting System Guidelines (http://tinyurl.com/5a9ju7) last fall, a voting equipment industry lobbyist said to a room of security researchers (with a straight face) that the security problems have been solved by the military and the financial industry. Both the military and banks have trusted agents (else why give them guns and/or money) and can and do link all auditing to authenticated identities. The principle of the secret ballot is in direct conflict with the latter approach, and the integrity of the voting process should not be dependent on trusting elections administrators.
They have inherently different security requirements. As QuoteMstr mentioned, ballot anonymity is in direct conflict with the detailed logging required for financial transactions. In addition, bank employees are trusted agents (else why did you give them your money) where a voting system should be designed such that elections administrators have role separation and accountability and need not be fully trusted. I wrote about this last month: http://tinyurl.com/5l3vc8