Political strategy of today is to use the more-active primary voters to control the nomination, then excite the loyal voter base and tilt the swing vote to select the electee. It's ripe for abuse by propaganda: you only need to tilt a few minds.
We can solve this with better voting rules.
For any party with 25% or more of the registered voter base, the party should be allowed to nominate two candidates by Single Transferable Vote. Single Transferable Vote converges ballots onto the plurality-strongest candidate first, and then removes voting power proportional to the win: if they have barely enough votes to win, they retain barely any voting power. Ballots keep moving down to find the next candidate who hits quota.
This means you split the voting base: the strongest majority preference gets the first seat, and those voters lose part of their voting power; the next chunk (in this case, the other half) retain full voting power, and so tend to strongly influence the next seat. You get the left and right half of the parties nominating two different candidates.
Exciting the more-extreme voting base doesn't net you a simple nomination of a candidate with a strong base; it elects one of two such candidates, giving the party loyalists some choice. For a large party, you need that choice.
For single-seat elections, use Tideman's Alternative method. That means smaller-party primary elections and single-seat general elections. Tideman's Alternative restricts to the Smith or Schwartz set, then eliminates the weakest candidate and starts over. The Smith Set is the smallest set of candidates who each have a majority vote preference above each non-Smith candidate.
If the Smith Set is one candidate, that candidate would defeat any and every other candidate in a one-on-one race by majority vote. Everyone agrees this candidate is better than any single other candidate.
Tideman's Alternative throws out the non-Smith candidates and, if there is more than one candidate left, eliminates whichever has the fewest votes. The process repeats until there is only one candidate.
If 52% vote A and 48% vote B, why do we get A? Half the country hates A. The other half hates B.
If 48% vote A and 45% vote B, we still get A; yet those other 7% voted C. If 80% of the nation voted C as their second choice, maybe we should elect C. It looks like 55% prefer C to A and 52% prefer C to B.
In a three-candidate race where everyone votes the two extremes, your nation is ill. The winning candidate can't be absolutely horrific for the losers when a compromise candidate exists unless everyone is totally absorbed in extreme polarization. That's why any party larger than 1/4 should get two nominations: if the extremes are in that party, they'll control its primary; that party must then behave as two parties to avoid the illness of polarization being thrust upon a people who have not polarized.
These voting rules prevent hijacking of an election by exciting 5% of voters to move. Your nation's core electorate suddenly controls the election, instead of just a few on the edges.
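Tideman's Alternative as described above, written out as an added example (not from the original thread): the Smith set is computed as the candidates that reach every other candidate along beat-or-tie edges, the weakest remaining candidate is dropped by first-preference count, and the two constructed electorates match the thread's 48/45/7 split and a Condorcet cycle. Ties in the elimination step are broken by candidate name, an assumption of this code.

```python
from collections import Counter


def pairwise_wins(ballots, candidates):
    """wins[a][b] = number of ballots ranking a above b.
    A candidate missing from a ballot is ranked below every listed one."""
    wins = {a: {b: 0 for b in candidates if b != a} for a in candidates}
    for ranking in ballots:
        pos = {c: i for i, c in enumerate(ranking)}
        for a in candidates:
            for b in candidates:
                if a != b and pos.get(a, len(ranking)) < pos.get(b, len(ranking)):
                    wins[a][b] += 1
    return wins


def smith_set(ballots, candidates):
    """Smallest set whose members each beat every outsider head-to-head.
    Computed as the candidates that reach everyone through beat-or-tie
    edges (Floyd-Warshall transitive closure of the majority graph)."""
    cands = list(candidates)
    wins = pairwise_wins(ballots, cands)
    reach = {a: {b: a == b or wins[a][b] >= wins[b][a] for b in cands} for a in cands}
    for k in cands:
        for i in cands:
            for j in cands:
                if reach[i][k] and reach[k][j]:
                    reach[i][j] = True
    return {a for a in cands if all(reach[a][b] for b in cands)}


def first_preferences(ballots, remaining):
    """Each ballot counts for its highest-ranked candidate still in the race."""
    counts = Counter({c: 0 for c in remaining})
    for ranking in ballots:
        for c in ranking:
            if c in remaining:
                counts[c] += 1
                break
    return counts


def plurality_winner(ballots, candidates):
    """Plain first-past-the-post, for contrast with the method below."""
    return first_preferences(ballots, set(candidates)).most_common(1)[0][0]


def tideman_alternative(ballots, candidates):
    """Restrict to the Smith set, eliminate the fewest-votes candidate, repeat."""
    remaining = set(candidates)
    while len(remaining) > 1:
        remaining = smith_set(ballots, remaining)   # drop everyone outside the Smith set
        if len(remaining) == 1:
            break
        counts = first_preferences(ballots, remaining)
        loser = min(remaining, key=lambda c: (counts[c], c))  # fewest votes; name breaks ties
        remaining.discard(loser)
    return next(iter(remaining))


def expand(weighted):
    """Turn [(count, ranking), ...] into a flat list of ballots."""
    return [list(r) for n, r in weighted for _ in range(n)]


# Constructed electorates. The first mirrors the thread's 48/45/7 split with C
# as the common second choice; the second is a rock-paper-scissors cycle.
THREAD_EXAMPLE = expand([(48, "ACB"), (45, "BCA"), (7, "CAB")])
CYCLE_EXAMPLE = expand([(40, "ABC"), (35, "BCA"), (25, "CAB")])

if __name__ == "__main__":
    print("plurality:", plurality_winner(THREAD_EXAMPLE, "ABC"))
    print("tideman:  ", tideman_alternative(THREAD_EXAMPLE, "ABC"))
```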
Seems like you agree there's a ballot-stuffing risk, so how do you address it? I gave you one example that would be very effective and minimally cumbersome, which you don't like. So what's your solution?
The only way to control ballot stuffing is public observation. Paper ballots allow collusion to evade this.
In an electronic system, you can use a handling chain of HMACs and digital signatures. That means the election judge has to put a card into the electronic ballot box during initial configuration after imaging, and carry the card to each voting machine to do the same, then back to the EBB. A card for each of the election staff also must be inserted into each EVM at imaging, that one being the type that contains an encryption routine for digital signatures.
Election staff would insert their card into a voter roll machine, and insert a blank ballot card (a smart card that only stores a few KB of data and doesn't do anything fancy) into the same machine. They select the voter, and it puts the voter ID, location ID, and ballot ID on the card. This information is first sent to the smart card for digital signing, then encrypted (with the EVM's keys), then HMAC'd (using the smart card).
The whole thing looks pretty boring: insert card, click name, remove card, take card to voting station. Magic is happening behind the scenes.
HMAC is an SHA256 or SHA512 with a secret key for fast verification of authenticity (only election staff can HMAC and sign). Passing that, the EVM will decrypt and interpret the information. The EVM presents the correct ballot if the Location ID matches the current location configured (and yeah, it has to decrypt first, so the wrong machines can't even read it); it lets you vote; and then it writes Voter ID and votes to the ballot card.
Of course the EVM would write more than that. A random salt value, the voter ID, the ballot ID, the location ID, the votes, and a digital signature, encrypted for the EBB to read (you can't copy and reveal your card), and HMAC authenticated so the EBB can skip decryption if someone spoofs a card. EBB validates your Voter ID hasn't already voted, records a vote, and wipes the card.
Ballot salt is for logging. You need a one-way serial output from the EVM and EBB to write logs to a separate collector. The EVM would log Voter ID and salted hash of the ballot (which doesn't reveal ballot contents because it's basically a random number); EBB would log Voter ID and compute the same salted hash for what it pulled off the card; and then the EBB would store, retrieve, display, and log Voter ID and the computed salted hash for the retrieved ballot. These three hashes should be the same; if not, the EBB can self-detect an error.
In any case, you can't alter the card (it's encrypted, signed, and HMAC), duplicate it (VoterID is logged so we know you've voted), or read it (it's encrypted). As with paper ballots, the election staff can pick up a bunch of ballots off the desk if nobody is in the polling center and begin filling them out; they can't pass a bunch of blank ballots to someone outside before polling begins because each blank ballot must be brought to a single visible desk and operated upon in view of the public.
I've juggled a few black swan defenses in case you find a way to covertly create initialized ballot cards.
Everything I've read says that the restriction is enforced at the driver level for almost all SD card readers
Damn, you're right. I thought it was enforced at the IO level.
Purpose-built hardware is more viable than you'd think. With 2,160 polling places, EVM/EBB image, and candidate data load image, you need 4,320 cards for just Maryland. The customization is a write-protect switch that breaks the write line, leaving it grounded out--the extra production cost is zero, and you have some up-front R&D. If your driver misbehaves when told the FS is RO, that's your own problem.
An order that size is a trivial customization. You'd end up with the bulk discount saving you more than the customization cost.
By the by, the EVMs are under $200 per voting station with UPS and lexan cases and all; states pay $3,500+ these days.
Why? You're thinking like a Windows programmer who's grown accustomed to writing code for a general-purpose OS. What do you need interrupts for that couldn't be handled with polling?
Well, the touch-screen device, keyboard, or what have you raise interrupts when there is data. You can't poll everything, you know.
Your system/software storage can be EEPROM, or similarly configured flash, easily accessed via mapping into memory space (many embedded systems do it that way).
Oh, yes, and we can swap the EEPROM chip out before and after the election so nobody knows we used a tampered system.
And what is this complex, graphical software you're talking about? You're recording ballots, not simulating physics or playing video games. And graphical? You're planning to include photos of the candidates?
You're drawing buttons and inputs on-screen. It's actually not a trivial process.
And, yes, you have photos of the candidates, along with clips of their voice. It's necessary for impaired voters: we allow the illiterate, the deaf, and the blind to vote.
No, it's insurance against ballot stuffing. Without that, if someone manages to post even one extra vote (slips in an extra SD card or whatever), how do you invalidate those votes?
That's a good question. This is also a question not addressed today with paper: once the ballot is cast, it cannot be found. We have a way to invalidate the immediate prior ballot, but not go two steps back.
There is, of course, this requirement:
Protect the secrecy of the vote such that the system cannot reveal any information about how a particular voter voted, except as otherwise required by individual state law
And what makes you think the requisite handling of electronic voting systems by techno-incompetents is going to do any better?
Well despite the fact that a lot of folks--you, for example--think computers are mystical and not-computers are simple, you can actually make everything simple and direct. By contrast, as you yourself acknowledge, people still can't figure out paper ballot security--which of course is several pages of procedures requiring understanding of complex concepts like zero-information proofs.
Do they make those? I've never heard of such a thing - certainly the write protection tab on a normal SD card is only a suggestion that the controlling device is free to ignore.
The write-protection tab can disable writing to the card by the host device. It's an... okay method, and no your computer can't simply ignore it: writing simply doesn't work.
You could make such a device by putting an eFuse on the write line of the NAND array and burning it if power is applied while write protect is set. No matter what you do after that, it is electrically-impossible to raise the write line and thus to alter the contents of NAND. Needless to say I want one.
No, all you need is one unsupervised moment, when you bring down the fresh safely-booted voting kiosk and reboot it with your compromised kiosk software, allowing you to silently bias all future votes.
Won't work. The EVM and the ballot box are separate; the ballot box displays votes as read from the ballot card, so you have to actually alter the ballot box. The EVMs establish trust and accept encryption keys for the EBB on start, but not afterwards, so you have to carry out this long 10-15 minute process to get everything set up again. Election staff also have a trust with the EVMs so people can actually vote, which means everybody involved in running the election at that location needs to get involved with replacing all of this.
It's simple, but it takes some time.
Or a few moments alone with the ballot-box storage when you plug it into your
If the computer is accurate but the people are cheating, the discrepancy will be noticed. If the computer is hacked but the people are honest and accurate, the discrepancy will be noticed.
How do you tell who is cheating? Did you introduce fake paper ballots, or did the computer drop some ballots? Did you manage to "lose" some ballots, or did the computer? Did the computer record votes but not print ballots for them so that people would discard those votes as computer error/tampering when they were real votes?
You might notice the discrepancy, but how will you correct the errors?
Paper ballot verification is security theater. Language is weird: an electronic paper trail is stronger than a paper paper trail; somebody decided "paper" means "audit". The fun comes when the human auditing in the days that follow leads to amended precinct reports and nobody questions it.
if you say it's not feasible for carefully crafted data to invoke unintended behavior in the data-reading routines and take control of the software, then you have no business even attempting to build such a product.
Let's see.
    if (dataFile.Length < GuidSize*3) throw new InvalidDataException();
    Guid pollingLocation = new Guid(dataFile.PopBytes(GuidSize));
    if (pollingLocation != this.PollingLocation) throw new LocationAuthorizationException();
    Guid voter = new Guid(dataFile.PopBytes(GuidSize));
    if (this.Election.Voters.Contains(voter)) throw new AlreadyVotedException();
    // Get empty BallotSheet containing correct races. Throws an exception if invalid ballot sheet.
    BallotSheet ballotSheet = this.Election.CreateBallotSheet(new Guid(dataFile.PopBytes(GuidSize)));
    while (dataFile.Length >= GuidSize*2 + 1) {
        // Get the Ballot for the race with a given GUID
        Ballot b = ballotSheet.GetBallot(new Race(new Guid(dataFile.PopBytes(GuidSize))));
        if (b is null) throw new InvalidRaceOnBallotSheetException();
        while (dataFile.Length >= GuidSize + 1) {
            Guid candidateId = new Guid(dataFile.PopBytes(GuidSize));
            // Get the next 8 bits as the vote
            int value = dataFile.PopBytes(1).ToInt();
            // If the candidate GUID is all zeros, this ballot is done
            if (candidateId == Guid.Empty) break;
            Candidacy c = b.GetCandidate(candidateId);
            // This throws an exception if the candidate is not in the Race, already has a ranking, etc.
            Vote v = new Vote(c, value);
            // Casts directly to the Ballot on the BallotSheet.
            b.Cast(v);
        }
    }
    // Must be a complete, non-truncated file
    if (dataFile.Length != 0) throw new InvalidDataException();
So that's way crude and you wouldn't do it that way if you were sane; however, let's examine the attributes.
First: it checks how many bytes are available to pop from the stream before popping them. It also checks that an expected available valid chunk of data follows.
Second, it throws an exception if an incorrect polling location, ballot sheet, etc. are encountered. You load the ballot sheet or you catch an exception that says something strange has happened.
Third, if the data file isn't terminated by valid data, it throws an exception.
Now you've loaded blunt data (it's not interpreted: it's just the file stream) into this dataFile object, so no processing happened and literally any data will load into that without causing a program error. You have this rigid set of things which must be internally (to the data file format) and externally (to the expectations of the voting system for what is valid data) consistent.
Take control of the software through a specially-crafted data file.
Yes, this is crude and allows some funky things (like gaps in ranks for ranked voting). Production code would do some sanity checking about that, after loading the objects into memory safely. You'll get a valid ballot out no matter what you throw at it, so long as it validates the above checks; you won't hijack the program flow.
Your argument is essentially "a super-cool hacker could even hack Hello World!", to which I say that's only believable if Hello World were written in Perl.
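A stripped-down version of the card flow from the earlier design (the EVM writes the card, the EBB authenticates before it interprets a byte, both sides log a salted hash of the ballot), as an added example rather than the thread's own code. It assumes a symmetric HMAC key shared at poll open and a fixed-width card layout of its own; the Ed25519 signature and the per-EBB encryption described above are left out so it runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

# Constructed card layout (an assumption of this example, not the thread's format):
#   salt(16) | voter_id(16) | ballot_id(16) | location_id(16)
#   | zero or more vote records: candidate_id(16) | rank(1)
#   | terminator: 16 zero bytes | 0x00
#   | HMAC-SHA256 tag(32) over every byte before it
ID, TAG = 16, 32
TERMINATOR = bytes(ID) + b"\x00"
MIN_CARD = 4 * ID + len(TERMINATOR) + TAG


class InvalidCard(Exception):
    pass


def ballot_digest(salt, votes):
    """Salted hash both machines log; without the salt it says nothing about the votes."""
    h = hashlib.sha256(salt)
    for cand, rank in votes:
        h.update(cand + bytes([rank]))
    return h.hexdigest()


def evm_write_card(key, voter_id, ballot_id, location_id, votes):
    """EVM side: serialize the ballot, append the HMAC tag, return card and log digest."""
    salt = os.urandom(ID)
    body = salt + voter_id + ballot_id + location_id
    for cand, rank in votes:
        body += cand + bytes([rank])
    body += TERMINATOR
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag, ballot_digest(salt, votes)


def ebb_parse_card(key, card, my_location):
    """EBB side: authenticate before interpreting anything, then parse with rigid length checks."""
    if len(card) < MIN_CARD:
        raise InvalidCard("card too short")
    body, tag = card[:-TAG], card[-TAG:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise InvalidCard("bad HMAC: not written by a trusted EVM")
    salt, voter_id, ballot_id, location_id = [body[i * ID:(i + 1) * ID] for i in range(4)]
    if location_id != my_location:
        raise InvalidCard("card initialized for another polling location")
    pos, votes = 4 * ID, []
    while True:
        if len(body) - pos < ID + 1:
            raise InvalidCard("truncated vote record")
        cand, rank = body[pos:pos + ID], body[pos + ID]
        pos += ID + 1
        if cand == bytes(ID):          # all-zero candidate id ends the vote list
            break
        votes.append((cand, rank))
    if pos != len(body):               # nothing may follow the terminator
        raise InvalidCard("trailing bytes after terminator")
    return voter_id, ballot_id, salt, votes


class BallotBox:
    """EBB state: who has voted, the stored ballots, and the integrity log."""

    def __init__(self, key, location_id):
        self.key, self.location = key, location_id
        self.voted, self.stored, self.log = set(), {}, []

    def cast(self, card, evm_logged_digest):
        voter_id, ballot_id, salt, votes = ebb_parse_card(self.key, card, self.location)
        if voter_id in self.voted:
            raise InvalidCard("voter already voted")
        card_digest = ballot_digest(salt, votes)
        self.voted.add(voter_id)
        self.stored[ballot_id] = (salt, votes)
        stored_digest = ballot_digest(*self.stored[ballot_id])   # recall and re-hash the stored copy
        ok = evm_logged_digest == card_digest == stored_digest    # the three logged hashes must agree
        self.log.append((voter_id.hex(), card_digest, ok))
        return ok


def alter(card):
    """Flip the first vote's rank byte after the EVM wrote the card; the tag no longer matches."""
    c = bytearray(card)
    c[4 * ID + ID] ^= 0x01
    return bytes(c)


def demo():
    """Constructed run: one honest cast, the same card replayed, and a card altered after writing."""
    key = os.urandom(32)        # stands in for the key the EVM and EBB exchange at poll open
    loc = b"L" * ID
    box = BallotBox(key, loc)
    votes = [(b"\x01" * ID, 1), (b"\x02" * ID, 2)]
    card, evm_digest = evm_write_card(key, b"V" * ID, b"B" * ID, loc, votes)
    results = {"honest": box.cast(card, evm_digest)}
    for name, bad in (("replay", card), ("altered", alter(card))):
        try:
            box.cast(bad, evm_digest)
            results[name] = "accepted"
        except InvalidCard as e:
            results[name] = str(e)
    return results
```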
Process scheduling? What the hell sort of bloated attack-friendly voting system are you trying to create? It's a voting machine - single-threaded single-tasking is completely sufficient for the job. A voting machine only needs to read setup data, display very simple data, recognize very simple inputs, do a bit of tallying, and output the results - again onto a raw device.
It has to handle software interrupts, display systems, storage routines, and the like. You also have to have a way to write this complex, graphical software in a manner which is human-maintainable and as little prone to software flaws as possible--and we all know software alwa
Well I have $10,000 and can buy votes for around $5 each. You can prove you voted for the candidate for whom I paid you to vote, correct? Show me your vote.
E2E systems don't provide election security. It's possible to verify a voter's individual vote as valid while stuffing votes for people who didn't vote. Further, the system has to be able to track and identify each voter's vote--and allow proof of vote--to function, which allows vote-buying, coercion, and the like. Scratch-and-vote and three-vote have been demonstrably-attacked.
By making the actual system image of each EVM and electronic ballot box public, you obtain permanent auditability of the vote-recording process. You can confirm ballots by reading them from the smart card, displaying them, then storing and recalling them to display the stored ballot next to the ballot cast to show they are not different (a sort of integrity check). A separate log collector (over a one-wire, one-direction serial link) can receive a log when a ballot cast is recalled invalidly, as well, to provide record of an internal integrity check. At close, the machine generates a 1:1 tally which proves the ballot set later published is the same ballot set.
The problem is trusting anyone at any level. You can check your vote; can you check the stuffed ballots? Do you know if someone along the way inserted additional votes? All of your ballots must be traceable to a polling process and must not be traceable to an individual voter; that a voter can trace a ballot to themselves is actually a bug.
or secret knowledge, or collusion on the part of vendors
I've removed the possibility of collusion. That's the problem I'm actually attacking.
Computers can be hacked, all computers are insecure
Hacking requires attack surface. That means you need to accept complex, user-controlled input. Wireless and wired networks immediately create an uncontrolled source of attack surface, and so are impossible to secure.
The required surface exposure is actually fully-auditable in reasonable human time. The biggest part is access: a voter has to be identified to a voting machine to vote. You can use an EVM to cast votes to a smart card and then cast the smart card ballot to an electronic ballot box. The election staff initialize the smart card to identify the voter to the EVM; the EVM signs and encrypts the data it places on the smart card to cast to the EBB. EVM and ballot box generate their key pairs at poll open and you exchange them via smart card as part of the opening process, so this is done in an observably non-tampered environment.
That means a voter can't copy, view, or alter a ballot card (because the EBB is tracking who voted, but not which ballot they cast, so you'd need to break the encryption). Your EBB's decryption and signature verification implementations need to reject any invalid input and handle all input correctly (small and complex code base: auditable). Your EVM needs to accept a Voter ID, polling center ID, and ballot ID (extremely-small, simple: auditable).
This opens an obvious weak point: manufacturing ballot cards to allow voting at the EVM.
To avoid that, you need to use a signature device like a FIDO U2F or smart card with Ed25519 code built in. These devices generate their own key pairs on themselves. At poll open, you have to associate them with an EVM, and then transfer that key to each EVM in turn. Each election staffer then can use their device to sign any ballot card they activate, giving it one-time voting use for one voter.
The only way through this is to chain an attack first compromising the signature verification code on the EVM, then injecting code to manufacture bad signatures that won't verify on the EBB, plus include code to inject into the EBB to tamper with votes and display false votes.
The data operations in Ed25519 signature verification operate on fixed-length fields. There is no copying of strings; there is only mathematical operation on bytes in a declared-length byte stream.
So you can do things like %LEN your offsets "just in case" your code somehow tries to write to buffer[out_of_bounds_index]. If you somehow read extraneous data when verifying the signature, you'll get a signature mismatch (unless someone has magically figured out how to break SHA256 and Ed25519). More to the point, however, this is a few hundred lines of direct, step-by-step arithmetic mostly made up of small arithmetic functions: there are few operations concerning buffers, and they're all auditable for correctness.
You either reduce the attack surface to something a few hundred instructions wide, or you don't have security.
In theory (and hopefully in practice) there are electronic voting systems that are nothing more than a print-on-demand ballot-printer for a paper ballot or a computer-assisted vote-marker of a paper ballot.
Paper ballots create a route for spoofing. Print-on-demand paper ballots imply easy ballot forgery.
because the actual ballot is seen and cast by the voter and is inherently audit-able, it is no more or less "hack-able" than a pure paper-ballot system would be
Paper ballots are lost, found, altered, and simply ignored all the time. They're ripe for electoral fraud; the trick is they're generally ripe for fraud by the election staff, not the voters. Paper ballots are made with all kinds of security against forgery so the voter can't sneak in counterfeit ballots to stuff ballot boxes.
You can make an electronic voting system that's far more secure (and provably secure) than paper ballots, but it requires adherence to protocol. Deviation from proper handling protocol destroys integrity. With paper ballots, you can't even count them without undiscoverable sleight-of-hand risk: once you've manipulated the count, nobody will ever discover it. Proper electronic voting protocol can make tampering discoverable 100% of the time, and never hideable.
What if your smart card is corrupted in such a manner as to exploit a flaw in your data-reading routines to corrupt the software itself?
Not feasible. Either the driver would fail to read or the software would receive data which fails to validate. Computers aren't physical things: you don't rust a pipe to break through, but rather feed it something that triggers bad logic in a wholly-functional subroutine.
we're *still* finding new ways to compromise data loading routines for common formats that are decades old, though you could hopefully simplify the format to
Rigid validation. Many data formats are incredibly-complex, and a simplistic and predictable format would be used for ballot data.
the smart-card formatting itself could be corrupted, attacking through the OS instead of the voting software.
Smart cards have a sort of protocol where you get raw data. It's not a 2GB SD card with a file system; it holds a few kB at best. That passes directly through without being processed by the OS; and if there are packet length specifiers and the like, you can follow the code path in the driver and ensure you have predicted the length of each data packet, allocated a buffer that size, and only copy that many bytes.
Though I find it unconscionable that any voting machine would incorporate the huge attack surface of an OS in the first place
You'd have to. An OS handles inputs and outputs, along with process scheduling. If you didn't use an OS, you'd have to write a lot of extremely-complex stuff from scratch to control the system. You're then introducing the same kind of attack surface, but with less vetting, thus more risk.
Just because an acceptable solution isn't readily apparent is no reason to avoid exposing the fact that your system has been compromised
Whenever you take an action to intervene--if you step in and un-stuff ballots when someone sneaks extra smart cards in--you have a chance to pull some sleight-of-hand and tamper with votes. Prevention preserves integrity.
here's a possibility: the oversight officials have to push a "commit" button periodically to commit the last N temporarily recorded votes to the permanent record - or a cancel button to invalidate them.
Creates bottlenecks and people who leave won't necessarily know their votes were confirmed. You're opening for official intervention, which opens up for tampering.
why are you trying to do electronic voting at all? What _exactly_ is the point?
Reduces the number of attack points and allows us to retain election integrity.
Paper ballots are unhackable,
Paper ballots are routinely altered, thrown out, lost, found, manufactured, and otherwise tampered. Thousands of votes go uncounted or appear somewhere along the way all the time. Election judges get to decide if a ballot is valid based on if it has a smudge, scratch, stray mark, or anything else.
It's *far* easier to secure a physical ballot box, and doesn't take that long to count - especially since the volunteer pool for vote counters is directly proportional to the number of voters
A pool from which you can find a few volunteers, maneuver them into the counting, and have them manipulate the error rate. It's done all the time.
Just like that we've solved almost all the existing problems with paper ballots
Not at all. We have undervote and overvote problems, spoiled ballots, manipulation of the ballots, and of course the complexities introduced by ranked systems which resist tactical manipulation (and can be hard to follow during the count, thus allowing for further manipulation of the vote).
you've not once trusted a computer without verifying its wo
Yes. It's the kind of confused ideal you get out of a lunatic with a large ego.
I've been working on electronic voting machines and high-integrity elections. Do you know what that takes? You publish the image ahead of time; you image the machines at poll open while people observe, and then let them copy the read-only media to verify no tampering; you generate vote count statistics on the machines before copying the votes off to send them up to the board, ensuring we can all verify that the ballots observed are the ballots reported.
That narrows the window of attack to the time between poll-open and poll-close. As long as you have public observers during that time, nobody can tamper with the machines. You have non-repudiation of the software, the machine's initial state, and the ballots as cast.
If you have no public observers, then bought-off election staff can enter the machines when nobody's around and modify the vote counts or the software loaded.
I'm building on a model of using EVMs to encode ballot sheets onto smart cards, then take the smart card to an electronic ballot box which displays the ballots and allows you to cast them.
The touch interface exposes approximately zero attack surface. You're putting boxes in order (ranked votes) or checking boxes. Besides that, separating the ballot box ties the entire attack surface to clicking "Accept" or "Reject" and to reading the data on the smart card.
The ballot box itself has to deal with the smart card.
That's tricky. On one hand, I can definitely validate input data and protect from smart card attacks: there will be no hacking by using a tampered smart card. On the other, someone could load a smart card with forged data and just stuff votes--which the vote count display overhead is supposed to prevent (one person goes in, count increases several times), but then what? Election judge comes in and voids the prior X ballots cast? We now have a method to edit votes during the election?
We could have each EVM create a Curve25519 key pair and put the certificate onto a smart card, which we then copy into the ballot box. Once we confirm all machines are set up, that's it: no more keys added, no more EVMs can send votes. The small strip of data on the smart card has a cryptographic signature.
Now: is your Ed25519 signature verification library vulnerable to attack by giving a bad encrypted signature?
Fortunately, we can audit these code paths heavily. They're small. They can perform strong validation. It's possible to guarantee you can't hack the ballot box by tampering with a smart card because only the EVMs have the encryption keys generated that morning (on the EVMs themselves) to sign the smart cards.
So long as you don't have a wireless chip (bluetooth/wifi), don't plug it into any kind of network, and don't let anyone physically tamper with the machine during voting, it's unhackable.
You have to remove the attacker to make it unhackable. If someone can attack it, you have no way to guarantee they can't successfully attack it.
Why do you think I worry about the signature verification code path? That's the single uncontrolled attack vector. The defense there is to "make sure that 30 lines of code is correct". Cringe.
People with incredible hubris declare they have made an unhackable Network server or keychain device; then they get swarmed by gremlins prying into every seam they can find.
What gets me is the car stopped suddenly during a right turn and another driver complained they almost hit it. Well shit, your 8-year-old ran out into the street in front of my car and I had to stop suddenly; I almost hit it!
Maybe you should be in control of your vehicle in case you have to stop suddenly.
Second, because the security model is harder for a full, uncontrolled VM. An application is also a difficult security model, as it's uncontrolled and can be taken apart; .NET is mostly managed code and individual applications can have their own restricted permissions and containers.
Third, because .NET integration with ChromeOS is reasonably-achievable such that the applications all seem native. It would be like Paint.NET or Visual Studio was built for ChromeOS.
A full VM is an interesting feature, but not an everyday feature without a major technology step forward. We'd need a way to swap the main head from ChromeOS to Linux to really do it well. .NET with a Python and Java runtime (as in: AOT the Python or Java to .NET, run that) is a pretty big step forward, and can look and feel like it's just a part of the ecosystem and not a special kind of environment wedged in for compatibility and expert users.
Comey never leaked anything classified. Hillary mishandled a bunch of things because of incompetence. I don't have much familiarity with Clapper and Brennan.
We can compare Mark Felt and Daniel Ellsberg to some of these people--notably Snowden. "Criminal" doesn't much mean anything; the question is: is what they did right?
The justice system and the application of law should be for the benefit of society. It should be to redress and rehabilitate, not to inflict procedural matters of punishment.
I've extended some of the basics to achieve stronger economic stability and growth with lower taxes. The Nordics use huge social welfare systems as an economic support and a household support; I split those two duties between two specifically-designed systems, with the main economic support being a foundation and the rest built on top. We should be able to provide stronger welfare and social insurances at half the tax rate of the Nordic nations.
That actually sounds like a good strategy: let them have rope enough to hang themselves, then blame Epic for the sudden rush of malware-laden Android phones after their sideload software gets everything hacked to hell. Frighten the world into running as far away as possible from anything you haven't blessed.
It's pathetic to see people justify abuse under the law, but it's even more pathetic to see people justify abuse under corporate policy.
It looks more like you said they shouldn't have published a vulnerability before the patch was ready, and GP pointed out Google published the vulnerability after the patch was already released and being installed by users for a week.
Most of us get the advisory that a patch fixes a critical vulnerability the second the patch is released. It's right there in the release notes, right up front.
Google did more than they were obligated: they kept quiet a week longer than required to let Epic make the announcement and let users catch up. They only had an obligation to go 90 days without a patch or one second after the patch was released.
The fact remains, though, that there are enough statistics that show that the availability of guns alone isn't the factor that determines violent crime.
Of course it isn't. We need a better criminal justice system targeting redress and rehabilitation instead of punishment and dehumanization.
Do you think there will be fewer robberies or murders?
Murders. Empirical evidence shows removing uncontrolled guns and removing access to firearms by people who are at-risk reduces the number of murders and suicides.
Domestic violence convicts and those who are suicidal tend to more-frequently commit domestic murder or suicide if they have access to firearms. Removal of the firearms reduces the number of both.
More-generally, the amount of homicide due to civil disagreement decreases with lower firearms ownership (this is more cultural than legal: you can't prohibit all firearms, although you can restrict their carry in schools and such). The amount of criminal firearms carry reduces when firearms are harder to obtain: criminals with high risk (e.g. drug gangs) will take high risks to get a firearm, while low-risk criminals (burglars, etc.) with no occupational hazard of being gunned down by other criminals in turf wars generally don't bother unless firearms are easy to come by.
Gun control policies have boundaries and diminishing returns. You get large returns for the basics, and thereafter you don't gain much ground by removing firearms.
We've found that many people who are armed are simply more belligerent because if you don't stfu you're going to get shot in the face.
The basic premise of an armed society being "polite" suggests a fear of repercussions. An armed society is a fearful society; thus an armed society will tend to raise arms frequently against constant perception of danger. This means more attacks and more homicides.
Actual data suggests RTC increases the homicide growth rate by 14%.
I'm curious as to why you think mandatory military service is a terrible idea.
A voluntary military is more reliable.
A voluntary military doesn't develop resentment for their forced enslavement into military service.
A voluntary military is less of a waste of money.
A voluntary military experiences fewer incidents of dead drill sergeants and hijacked military bases.
Our nation is built on popular sovereignty and the right to life, liberty, and property; it's not a dictatorial oligarchy where we decide your job is "soldier" and send Politburo to fetch you for duty.
You can probably translate C++. Native code won't run on a different CPU IL, hence the use of .NET.
The big IDEs—Eclipse, Monodevelop, and Visual Studio—are Java and C#. Python is a common language. I had hoped to get Monodevelop 7 and Visual Studio native on Chromebook, as well as perhaps Unity3D or something like it (Unity3D is huge). Imagine if Chromebooks were a development platform for Android, iOS, webapps, games, and cross-platform applications.
I'm not thinking so much about native applications because web browsers, e-mail clients, and the like come on Chromebooks. LibreOffice, Gimp, and Krita would be good applications to port to Chromebook, and are unfortunately not CIL: more work would be needed to port them as native applications. Pinta or Paint.NET can take the place of Gimp. LibreOffice is a large pile of garbage anyway; AbiWord always worked better, but is now defunct.
Containers generally provide security by segmenting the outside OS from the container. They're typically unbreakable.
If you make a container by mounting your host libraries as writable into the container, you can of course modify code that runs as root on the host. Anyone with access to create a container generally is considered a root-level user because they can make a container with root as the user internally and with / as the / volume, and then they have root access.
There's a sort of advanced setting where you map users so e.g. UID 0 is really UID 90,000. The user ID of the process creating the user namespace has all capabilities within the namespace, but none outside: it becomes root inside the container, and can't do root things outside the container. Generally, the process can only switch to another namespace if it has CAP_SYS_ADMIN in that namespace as well.
That means a process can't leave the container and see your system; if it does leave the container (somehow), it's UID 90,000 and has regular user permissions instead of root permissions.
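The UID remapping described in the two posts above, as an added example that is not the commenter's code: it applies the three-column format of the kernel's /proc/<pid>/uid_map (inside-start, outside-start, count) to show that a process which is UID 0 inside the namespace is an ordinary UID on the host, and that host root is unmapped (the overflow UID, "nobody") inside. The sample mappings are constructed; 65534 is the kernel's default overflow UID.

```python
OVERFLOW_UID = 65534  # kernel default /proc/sys/kernel/overflowuid ("nobody")


class MapEntry:
    """One line of /proc/<pid>/uid_map: <inside-start> <outside-start> <count>."""

    def __init__(self, inside_start, outside_start, count):
        self.inside_start, self.outside_start, self.count = inside_start, outside_start, count

    def contains_inside(self, uid):
        return self.inside_start <= uid < self.inside_start + self.count

    def contains_outside(self, uid):
        return self.outside_start <= uid < self.outside_start + self.count


def parse_uid_map(text):
    """Parse uid_map text into MapEntry objects, rejecting malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 3 or not all(f.isdigit() for f in fields):
            raise ValueError("malformed uid_map line: %r" % line)
        inside, outside, count = (int(f) for f in fields)
        if count < 1:
            raise ValueError("uid_map range must cover at least one ID")
        entries.append(MapEntry(inside, outside, count))
    return entries


def inside_to_outside(entries, uid):
    """Host-side identity of a UID as seen in the container; unmapped IDs become the overflow UID."""
    for e in entries:
        if e.contains_inside(uid):
            return e.outside_start + (uid - e.inside_start)
    return OVERFLOW_UID


def outside_to_inside(entries, uid):
    """How a host UID appears inside the container (host root shows up as 'nobody')."""
    for e in entries:
        if e.contains_outside(uid):
            return e.inside_start + (uid - e.outside_start)
    return OVERFLOW_UID


def container_root_is_host_root(entries):
    """True only when the mapping makes in-container UID 0 the real root on the host."""
    return inside_to_outside(entries, 0) == 0


# Constructed sample: container UIDs 0..65535 are host UIDs 90000..155535.
CONSTRUCTED_UID_MAP = "         0      90000      65536\n"
# Constructed sample of the no-remapping case (what the initial namespace shows).
IDENTITY_UID_MAP = "         0          0 4294967295\n"
```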
I had suggested they use containers to add .NET support instead of straight Linux apps. Linux needs a whole underlying support system in a VM; .NET can inherit that from the local system and the .NET runtime.
Stuff .NET Core or Mono in there and provide a /home/$USER directory. Mount /home/$USER, mount local Documents to /home/$USER/Documents, and mount the Google Drive folder to /home/$USER/Drive.
When you install a .NET application, it would mount all of those things, as well as a .NET runtime for the app. The runtime could include a modification to call for additional libraries: if it tries to load an assembly, it calls through a socket to tell ChromeOS to add that library to the container (additional mount), and ChromeOS may fetch the library via nuget.
The container would expose a Chrome browser stub which also calls on ChromeOS to open the browser. It could do the same for opening various files. A ChromeOS file dialogue would display the mounted paths the same way ChromeOS exposes them, unifying the UI.
Now you have native .NET applications. You can get a Python and Java VM running on .NET, which may allow extending this to other types of native applications using the same runtime. You can isolate those applications from the system so they only have access to their own configuration and specific paths, rather than the whole of your files.
It's less reach than a whole Linux VM; it's also less overhead and tighter integration.
If you drink X amount of alcohol in Y time, you die.
If you're rich, X amount of alcohol costs a small percentage of your income.
If you're poor, X amount of alcohol costs a large percentage of your income.
A tax on alcohol thus reflects less of a rich person's income than a poor person's income at a given level of intake; and the level of intake is bounded by death.
Alcohol taxes are on alcohol, generally, and so cheap 40% vodka faces the same tax as expensive 40% whiskey. In some states, the alcohol tax is a sales tax, so the expensive whiskey actually carries a higher tax.
Pro-White-Supremacy isn't "white people are great". Pro-White-Supremacy is "white people are functionally greater than not-whites."
If 52% vote A and 48% vote B, why do we get A? Half the country hates A. The other half hates B.
If 48% vote A and 45% vote B, we still get A; yet those other 7% voted C. If 80% of the nation voted C as their second choice, maybe we should elect C. It looks like 55% prefer C to A and 52% prefer C to B.
In a three-candidate race where everyone votes the two extremes, your nation is ill. The winning candidate can't be absolutely horrific for the losers when a compromise candidate exists unless everyone is totally absorbed in extreme polarization. That's why any party larger than 1/4 should get two nominations: if the extremes are in that party, they'll control its primary; that party must then behave as two parties to avoid the illness of polarization being thrust upon a people who have not polarized.
These voting rules prevent hijacking of an election by exciting 5% of voters to move. Your nation's core electorate suddenly controls the election, instead of just a few on the edges.
Seems like you agree there's a ballot-stuffing risk, so how do you address it? I gave you one example that would be very effective and minimally cumbersome, which you don't like. So what's your solution?
The only way to control ballot stuffing is public observation. Paper ballots allow collusion to evade this.
In an electronic system, you can use a handling chain of HMACs and digital signatures. That means the election judge has to put a card into the electronic ballot box during initial configuration after imaging, and carry the card to each voting machine to do the same, then back to the EBB. A card for each of the election staff also must be inserted into each EVM at imaging, that one being the type that contains an encryption routine for digital signatures.
Election staff would insert their card into a voter roll machine, and insert a blank ballot card (a smart card that only stores a few KB of data and doesn't do anything fancy) into the same machine. They select the voter, and it puts the voter ID, location ID, and ballot ID on the card. This information is first sent to the smart card for digital signing, then encrypted (with the EVM's keys), then HMAC'd (using the smart card).
The whole thing looks pretty boring: insert card, click name, remove card, take card to voting station. Magic is happening behind the scenes.
HMAC is an SHA256 or SHA512 with a secret key for fast verification of authenticity (only election staff can HMAC and sign). Passing that, the EVM will decrypt and interpret the information. The EVM presents the correct ballot if the Location ID matches the current location configured (and yeah, it has to decrypt first, so the wrong machines can't even read it); it lets you vote; and then it writes Voter ID and votes to the ballot card.
Of course the EVM would write more than that. A random salt value, the voter ID, the ballot ID, the location ID, the votes, and a digital signature, encrypted for the EBB to read (you can't copy and reveal your card), and HMAC authenticated so the EBB can skip decryption if someone spoofs a card. EBB validates your Voter ID hasn't already voted, records a vote, and wipes the card.
Ballot salt is for logging. You need a one-way serial output from the EVM and EBB to write logs to a separate collector. The EVM would log Voter ID and salted hash of the ballot (which doesn't reveal ballot contents because it's basically a random number); EBB would log Voter ID and compute the same salted hash for what it pulled off the card; and then the EBB would store, retrieve, display, and log Voter ID and the computed salted hash for the retrieved ballot. These three hashes should be the same; if not, the EBB can self-detect an error.
In any case, you can't alter the card (it's encrypted, signed, and HMAC), duplicate it (VoterID is logged so we know you've voted), or read it (it's encrypted). As with paper ballots, the election staff can pick up a bunch of ballots off the desk if nobody is in the polling center and begin filling them out; they can't pass a bunch of blank ballots to someone outside before polling begins because each blank ballot must be brought to a single visible desk and operated upon in view of the public.
I've juggled a few black swan defenses in case you find a way to covertly create initialized ballot cards.
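The card hand-off in the posts above, as an added example that is not the commenter's design or code. The staff digital signature and the card encryption are left out here (a shared HMAC key stands in for the key carried around on the judge's card), so what it shows is the HMAC check before the EBB interprets anything, the Voter ID double-vote check, and the three-way salted-hash comparison between the EVM log, the EBB's read log, and the EBB's stored-ballot log. Voter IDs, ballot IDs and votes are constructed.

```python
import hashlib
import hmac
import json
import secrets


class InvalidCard(Exception):
    """Raised by the EBB for any card that fails a check; nothing is recorded."""


def canonical(obj):
    # One byte-exact serialisation so EVM and EBB always hash the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def ballot_log_hash(salt, votes):
    # Salted SHA-256 of the votes: safe to log because the per-ballot salt is random.
    return hashlib.sha256(salt.encode() + canonical(votes)).hexdigest()


class EVM:
    def __init__(self, hmac_key, location_id, log):
        self.key, self.location_id, self.log = hmac_key, location_id, log

    def write_card(self, voter_id, ballot_id, votes):
        record = {"salt": secrets.token_hex(16), "voter": voter_id, "ballot": ballot_id,
                  "location": self.location_id, "votes": votes}
        payload = canonical(record)
        tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        self.log.append(("EVM", voter_id, ballot_log_hash(record["salt"], votes)))
        return {"payload": payload, "tag": tag}  # what goes onto the smart card


class EBB:
    def __init__(self, hmac_key, location_id, log):
        self.key, self.location_id, self.log = hmac_key, location_id, log
        self.voted = set()   # Voter IDs already cast at this box
        self.stored = {}     # Voter ID -> stored ballot record

    def cast(self, card):
        # 1. Authenticate first: a spoofed or altered card is dropped before the
        #    EBB parses a single attacker-chosen byte.
        expected = hmac.new(self.key, card["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, card["tag"]):
            raise InvalidCard("HMAC mismatch")
        record = json.loads(card["payload"])
        if record["location"] != self.location_id:
            raise InvalidCard("card initialised for another polling location")
        if record["voter"] in self.voted:
            raise InvalidCard("voter has already cast a ballot")
        # 2. Log what was read off the card, store it, then log what was stored.
        self.log.append(("EBB-read", record["voter"],
                         ballot_log_hash(record["salt"], record["votes"])))
        self.voted.add(record["voter"])
        self.stored[record["voter"]] = record
        kept = self.stored[record["voter"]]
        self.log.append(("EBB-stored", kept["voter"],
                         ballot_log_hash(kept["salt"], kept["votes"])))
        return record["votes"]


def log_hashes_consistent(log, voter_id):
    # The EVM, EBB-read and EBB-stored hashes for one voter must all agree;
    # a disagreement is the self-detected integrity error described above.
    hashes = [h for (_src, v, h) in log if v == voter_id]
    return len(hashes) == 3 and len(set(hashes)) == 1


def run_demo():
    """Constructed run: one honest ballot, one tampered card, one replayed card."""
    key = secrets.token_bytes(32)  # stands in for the key delivered on the judge's card
    log = []
    evm, ebb = EVM(key, "LOC-1", log), EBB(key, "LOC-1", log)
    card = evm.write_card("VOTER-42", "BALLOT-7", {"mayor": ["alice", "bob"]})
    outcome = {"honest": ebb.cast(card)}
    tampered = dict(card, payload=card["payload"].replace(b"alice", b"mallory"))
    try:
        ebb.cast(tampered)
        outcome["tampered"] = "accepted"
    except InvalidCard as e:
        outcome["tampered"] = str(e)
    try:
        ebb.cast(card)
        outcome["replay"] = "accepted"
    except InvalidCard as e:
        outcome["replay"] = str(e)
    outcome["log_consistent"] = log_hashes_consistent(log, "VOTER-42")
    return outcome
```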
Everything I've read says that the restriction is enforced at the driver level for almost all SD card readers
Damn, you're right. I thought it was enforced at the IO level.
Purpose-built hardware is more viable than you'd think. With 2,160 polling places, EVM/EBB image, and candidate data load image, you need 4,320 cards for just Maryland. The customization is a write-protect switch that breaks the write line, leaving it grounded out--the extra production cost is zero, and you have some up-front R&D. If your driver misbehaves when told the FS is RO, that's your own problem.
An order that size is a trivial customization. You'd end up with the bulk discount saving you more than the customization cost.
By the by, the EVMs are under $200 per voting station with UPS and lexan cases and all; states pay $3,500+ these days.
Why? You're thinking like a Windows programmer who's grown accustomed to writing code for a general-purpose OS. What do you need interrupts for that couldn't be handled with polling?
Well, the touch-screen device, keyboard, or what have you raise interrupts when there is data. You can't poll everything, you know.
Your system/software storage can be EEPROM, or similarly configured flash, easily accessed via mapping into memory space (many embedded systems do it that way).
Oh, yes, and we can swap the EEPROM chip out before and after the election so nobody knows we used a tampered system.
And what is this complex, graphical software you're talking about? You're recording ballots, not simulating physics or playing video games. And graphical? You're planning to include photos of the candidates?
You're drawing buttons and inputs on-screen. It's actually not a trivial process.
And, yes, you have photos of the candidates, along with clips of their voice. It's necessary for impaired voters: we allow the illiterate, the deaf, and the blind to vote.
No, it's insurance against ballot stuffing. Without that, if someone manages to post even one extra vote (slips in an extra SD card or whatever), how do you invalidate those votes?
That's a good question. This is also a question not addressed today with paper: once the ballot is cast, it cannot be found. We have a way to invalidate the immediate prior ballot, but not go two steps back.
There is, of course, this requirement:
Protect the secrecy of the vote such that the system cannot reveal any information about how a particular voter voted, except as otherwise required by individual state law
And what makes you think the requisite handling of electronic voting systems by techno-incompetents is going to do any better?
Well despite the fact that a lot of folks--you, for example--think computers are mystical and not-computers are simple, you can actually make everything simple and direct. By contrast, as you yourself acknowledge, people still can't figure out paper ballot security--which of course is several pages of procedures requiring understanding of complex concepts like zero-information proofs.
Do they make those? I've never heard of such a thing - certainly the write protection tab on a normal SD card is only a suggestion that the controlling device is free to ignore.
The write-protection tab can disable writing to the card by the host device. It's an... okay method, and no your computer can't simply ignore it: writing simply doesn't work.
You could make such a device by putting an eFuse on the write line of the NAND array and burning it if power is applied while write protect is set. No matter what you do after that, it is electrically-impossible to raise the write line and thus to alter the contents of NAND. Needless to say I want one.
No, all you need is one unsupervised moment, when you bring down the fresh safely-booted voting kiosk and reboot it with your compromised kiosk software, allowing you to silently bias all future votes.
Won't work. The EVM and the ballot box are separate; the ballot box displays votes as read from the ballot card, so you have to actually alter the ballot box. The EVMs establish trust and accept encryption keys for the EBB on start, but not afterwards, so you have to carry out this long 10-15 minute process to get everything set up again. Election staff also have a trust with the EVMs so people can actually vote, which means everybody involved in running the election at that location needs to get involved with replacing all of this.
It's simple, but it takes some time.
Or a few moments alone with the ballot-box storage when you plug it into your
If the computer is accurate but the people are cheating, the discrepancy will be noticed. If the computer is hacked but the people are honest and accurate, the discrepancy will be noticed.
How do you tell who is cheating? Did you introduce fake paper ballots, or did the computer drop some ballots? Did you manage to "lose" some ballots, or did the computer? Did the computer record votes but not print ballots for them so that people would discard those votes as computer error/tampering when they were real votes?
You might notice the discrepancy, but how will you correct the errors?
Paper ballot verification is security theater. Language is weird: an electronic paper trail is stronger than a paper paper trail; somebody decided "paper" means "audit". The fun comes when the human auditing in the days that follow leads to amended precinct reports and nobody questions it.
if you say it's not feasible for carefully crafted data to invoke unintended behavior in the data-reading routines and take control of the software, then you have no business even attempting to build such a product.
Let's see.
    // Must be a complete, non-truncated file
    if (dataFile.Length < GuidSize*3) throw new InvalidDataException();
    Guid pollingLocation = new Guid(dataFile.PopBytes(GuidSize));
    if (pollingLocation != this.PollingLocation) throw new LocationAuthorizationException();
    Guid voter = new Guid(dataFile.PopBytes(GuidSize));
    if (this.Election.Voters.Contains(voter)) throw new AlreadyVotedException();
    // Get empty BallotSheet containing correct races. Throws an exception if invalid ballot sheet.
    BallotSheet ballotSheet = this.Election.CreateBallotSheet(new Guid(dataFile.PopBytes(GuidSize)));
    while (dataFile.Length >= GuidSize*2 + 1) {
        // Get the Ballot for race with a given GUID
        Ballot b = ballotSheet.GetBallot(new Race(new Guid(dataFile.PopBytes(GuidSize))));
        if (b is null) throw new InvalidRaceOnBallotSheetException();
        while (dataFile.Length >= GuidSize + 1) {
            Guid candidateId = new Guid(dataFile.PopBytes(GuidSize));
            // Get the next 8 bits as the vote
            int value = dataFile.PopBytes(1).ToInt();
            // if Candidate is 0, this ballot is done
            if (candidateId == Guid.Empty) break;
            // This throws an exception if the candidate is not in the Race, already has a ranking, etc.
            Candidacy c = b.GetCandidate(candidateId);
            Vote v = new Vote(c, value);
            // Casts directly to the Ballot on the BallotSheet.
            b.Cast(v);
        }
    }
    if (dataFile.Length != 0) throw new InvalidDataException();
So that's way crude and you wouldn't do it that way if you were sane; however, let's examine the attributes.
First: it checks how many bytes are available to pop from the stream before popping them. It also checks that an expected available valid chunk of data follows.
Second, it throws an exception if an incorrect polling location, ballot sheet, etc. are encountered. You load the ballot sheet or you catch an exception that says something strange has happened.
Third, if the data file isn't terminated by valid data, it throws an exception.
Now you've loaded blunt data (it's not interpreted: it's just the file stream) into this dataFile object, so no processing happened and literally any data will load into that without causing a program error. You have this rigid set of things which must be internally (to the data file format) and externally (to the expectations of the voting system for what is valid data) consistent.
Take control of the software through a specially-crafted data file.
Yes, this is crude and allows some funky things (like gaps in ranks for ranked voting). Production code would do some sanity checking about that, after loading the objects into memory safely. You'll get a valid ballot out no matter what you throw at it, so long as it validates the above checks; you won't hijack the program flow.
Your argument is essentially "a super-cool hacker could even hack Hello World!", to which I say that's only believable if Hello World were written in Perl.
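A parser for the same fixed-layout ballot file, written here as an added example in Python (not the commenter's C#) to show the property the post argues for: every read is length-checked first, every identifier is checked against the election configuration, and a random-blob run confirms that malformed input ends in a caught InvalidData rather than any other failure. It tightens one point relative to the sketch above (a race must be explicitly terminated); the election configuration, GUIDs and inputs are constructed.

```python
import random
import uuid

GUID_SIZE = 16
RACE_TERMINATOR = bytes(GUID_SIZE)  # an all-zero candidate GUID ends a race's vote list


class InvalidData(Exception):
    """Any structural or semantic problem; the caller never gets a partial ballot."""


class LocationMismatch(InvalidData): pass
class AlreadyVoted(InvalidData): pass
class UnknownRace(InvalidData): pass
class UnknownCandidate(InvalidData): pass
class DuplicateRank(InvalidData): pass


class ByteStream:
    """Pop-from-front reader that refuses to read past the end of the data."""

    def __init__(self, data):
        self.data, self.pos = bytes(data), 0

    def remaining(self):
        return len(self.data) - self.pos

    def pop(self, n):
        if n > self.remaining():
            raise InvalidData("truncated file")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk


def parse_ballot_file(data, polling_location, voters_already_voted, ballot_sheets):
    """Layout: location GUID, voter GUID, sheet GUID, then per race a race GUID
    followed by (candidate GUID, rank byte) pairs ending in the zero GUID + 1 byte.
    ballot_sheets maps sheet id -> {race id: set of candidate ids}."""
    s = ByteStream(data)
    if s.remaining() < GUID_SIZE * 3:
        raise InvalidData("header too short")
    if uuid.UUID(bytes=s.pop(GUID_SIZE)) != polling_location:
        raise LocationMismatch()
    voter = uuid.UUID(bytes=s.pop(GUID_SIZE))
    if voter in voters_already_voted:
        raise AlreadyVoted()
    sheet_id = uuid.UUID(bytes=s.pop(GUID_SIZE))
    if sheet_id not in ballot_sheets:
        raise InvalidData("unknown ballot sheet")
    sheet, result = ballot_sheets[sheet_id], {}
    while s.remaining() >= GUID_SIZE * 2 + 1:
        race_id = uuid.UUID(bytes=s.pop(GUID_SIZE))
        if race_id not in sheet or race_id in result:
            raise UnknownRace()
        votes = {}
        while s.remaining() >= GUID_SIZE + 1:
            candidate_bytes = s.pop(GUID_SIZE)
            rank = s.pop(1)[0]  # the next 8 bits are the vote/rank
            if candidate_bytes == RACE_TERMINATOR:
                break
            candidate = uuid.UUID(bytes=candidate_bytes)
            if candidate not in sheet[race_id]:
                raise UnknownCandidate()
            if candidate in votes:
                raise DuplicateRank()
            votes[candidate] = rank
        else:  # ran out of bytes without seeing the terminator
            raise InvalidData("race not terminated")
        result[race_id] = votes
    if s.remaining() != 0:
        raise InvalidData("trailing bytes after last race")
    return result


def encode_ballot_file(location, voter, sheet_id, races):
    """Inverse of the parser; used here only to build constructed input."""
    out = location.bytes + voter.bytes + sheet_id.bytes
    for race_id, votes in races.items():
        out += race_id.bytes
        for candidate, rank in votes.items():
            out += candidate.bytes + bytes([rank])
        out += RACE_TERMINATOR + b"\x00"
    return out


# Constructed election configuration for the demo and tests.
LOCATION, VOTER, SHEET = uuid.UUID(int=1), uuid.UUID(int=2), uuid.UUID(int=3)
RACE, ALICE, BOB = uuid.UUID(int=4), uuid.UUID(int=5), uuid.UUID(int=6)
SHEETS = {SHEET: {RACE: {ALICE, BOB}}}


def parser_is_contained(rounds=2000, seed=1):
    """Feed random blobs to the parser: each must yield a ballot or an InvalidData,
    never any other exception (that would mean a path the format checks missed)."""
    rng = random.Random(seed)
    for _ in range(rounds):
        blob = bytes(rng.getrandbits(8) for _ in range(rng.randint(0, 120)))
        try:
            parse_ballot_file(blob, LOCATION, set(), SHEETS)
        except InvalidData:
            pass
    return True
```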
Process scheduling? What the hell sort of bloated attack-friendly voting system are you trying to create? It's a voting machine - single-threaded single-tasking is completely sufficient for the job. A voting machine only needs to read setup data, display very simple data, recognize very simple inputs, do a bit of tallying, and output the results - again onto a raw device.
It has to handle software interrupts, display systems, storage routines, and the like. You also have to have a way to write this complex, graphical software in a manner which is human-maintainable and as little prone to software flaws as possible--and we all know software alwa
Well I have $10,000 and can buy votes for around $5 each. You can prove you voted for the candidate for whom I paid you to vote, correct? Show me your vote.
E2E systems don't provide election security. It's possible to verify a voter's individual vote as valid while stuffing votes for people who didn't vote. Further, the system has to be able to track and identify each voter's vote--and allow proof of vote--to function, which allows vote-buying, coercion, and the like. Scratch-and-vote and three-vote have been demonstrably-attacked.
By making the actual system image of each EVM and electronic ballot box public, you obtain permanent auditability of the vote-recording process. You can confirm ballots by reading them from the smart card, displaying them, then storing and recalling them to display the stored ballot next to the ballot cast to show they are not different (a sort of integrity check). A separate log collector (over a one-wire, one-direction serial link) can receive a log when a ballot cast is recalled invalidly, as well, to provide record of an internal integrity check. At close, the machine generates a 1:1 tally which proves the ballot set later published is the same ballot set.
The problem is trusting anyone at any level. You can check your vote; can you check the stuffed ballots? Do you know if someone along the way inserted additional votes? All of your ballots must be traceable to a polling process and must not be traceable to an individual voter; that a voter can trace a ballot to themselves is actually a bug.
or secret knowledge, or collusion on the part of vendors
I've removed the possibility of collusion. That's the problem I'm actually attacking.
Computers can be hacked, all computers are insecure
Hacking requires attack surface. That means you need to accept complex, user-controlled input. Wireless and wired networks immediately create an uncontrolled source of attack surface, and so are impossible to secure.
The required surface exposure is actually fully-auditable in reasonable human time. The biggest part is access: a voter has to be identified to a voting machine to vote. You can use an EVM to cast votes to a smart card and then cast the smart card ballot to an electronic ballot box. The election staff initialize the smart card to identify the voter to the EVM; the EVM signs and encrypts the data it places on the smart card to cast to the EBB. EVM and ballot box generate their key pairs at poll open and you exchange them via smart card as part of the opening process, so this is done in an observably non-tampered environment.
That means a voter can't copy, view, or alter a ballot card (because the EBB is tracking who voted, but not which ballot they cast, so you'd need to break the encryption). Your EBB's decryption and signature verification implementations need to reject any invalid input and handle all input correctly (small and complex code base: auditable). Your EVM needs to accept a Voter ID, polling center ID, and ballot ID (extremely-small, simple: auditable).
This opens an obvious weak point: manufacturing ballot cards to allow voting at the EVM.
To avoid that, you need to use a signature device like a FIDO U2F or smart card with Ed25519 code built in. These devices generate their own key pairs on themselves. At poll open, you have to associate them with an EVM, and then transfer that key to each EVM in turn. Each election staffer then can use their device to sign any ballot card they activate, giving it one-time voting use for one voter.
The only way through this is to chain an attack first compromising the signature verification code on the EVM, then injecting code to manufacture bad signatures that won't verify on the EBB, plus include code to inject into the EBB to tamper with votes and display false votes.
The data operations in Ed25519 signature verification operate on fixed-length fields. There is no copying of strings; there is only mathematical operation on bytes in a declared-length byte stream.
So you can do things like %LEN your offsets "just in case" your code somehow tries to write to buffer[out_of_bounds_index]. If you somehow read extraneous data when verifying the signature, you'll get a signature mismatch (unless someone has magically figured out how to break SHA256 and Ed25519). More to the point, however, this is a few hundred lines of direct, step-by-step arithmetic mostly made up of small arithmetic functions: there are few operations concerning buffers, and they're all auditable for correctness.
You either reduce the attack surface to something a few hundred instructions wide, or you don't have security.
There are elections that are not secret ballot
EVMs must not expose who cast what ballot.
In theory (and hopefully in practice) there are electronic voting systems that are nothing more than a print-on-demand ballot-printer for a paper ballot or a computer-assisted vote-marker of a paper ballot.
Paper ballots create a route for spoofing. Print-on-demand paper ballots imply easy ballot forgery.
because the actual ballot is seen and cast by the voter and is inherently audit-able, it is no more or less "hack-able" than a pure paper-ballot system would be
Paper ballots are lost, found, altered, and simply ignored all the time. They're ripe for electoral fraud; the trick is they're generally ripe for fraud by the election staff, not the voters. Paper ballots are made with all kinds of security against forgery so the voter can't sneak in counterfeit ballots to stuff ballot boxes.
You can make an electronic voting system that's far more secure (and provably secure) than paper ballots, but it requires adherence to protocol. Deviation from proper handling protocol destroys integrity. With paper ballots, you can't even count them without undiscoverable sleight-of-hand risk: once you've manipulated the count, nobody will ever discover it. Proper electronic voting protocol can make tampering discoverable 100% of the time, and never hideable.
What if your smart card is corrupted in such a manner as to exploit a flaw in your data-reading routines to corrupt the software itself?
Not feasible. Either the driver would fail to read or the software would receive data which fails to validate. Computers aren't physical things: you don't rust a pipe to break through, but rather feed it something that triggers bad logic in a wholly-functional subroutine.
we're *still* finding new ways to compromise data loading routines for common formats that are decades old, though you could hopefully simplify the format to
Rigid validation. Many data formats are incredibly-complex, and a simplistic and predictable format would be used for ballot data.
the smart-card formatting itself could be corrupted, attacking through the OS instead of the voting software.
Smart cards have a sort of protocol where you get raw data. It's not a 2GB SD card with a file system; it holds a few kB at best. That passes directly through without being processed by the OS; and if there are packet length specifiers and the like, you can follow the code path in the driver and ensure you have predicted the length of each data packet, allocated a buffer that size, and only copy that many bytes.
Though I find it unconscionable that any voting machine would incorporate the huge attack surface of an OS in the first place
You'd have to. An OS handles inputs and outputs, along with process scheduling. If you didn't use an OS, you'd have to write a lot of extremely-complex stuff from scratch to control the system. You're then introducing the same kind of attack surface, but with less vetting, thus more risk.
Just because an acceptable solution isn't readily apparent is no reason to avoid exposing the fact that your system has been compromised
Whenever you take an action to intervene--if you step in and un-stuff ballots when someone sneaks extra smart cards in--you have a chance to pull some sleight-of-hand and tamper with votes. Prevention preserves integrity.
here's a possibility: the oversight officials have to push a "commit" button periodically to commit the last N temporarily recorded votes to the permanent record - or a cancel button to invalidate them.
Creates bottlenecks and people who leave won't necessarily know their votes were confirmed. You're opening for official intervention, which opens up for tampering.
why are you trying to do electronic voting at all? What _exactly_ is the point?
Reduces the number of attack points and allows us to retain election integrity.
Paper ballots are unhackable,
Paper ballots are routinely altered, thrown out, lost, found, manufactured, and otherwise tampered with. Thousands of votes go uncounted or appear somewhere along the way all the time. Election judges get to decide if a ballot is valid based on if it has a smudge, scratch, stray mark, or anything else.
It's *far* easier to secure a physical ballot box, and doesn't take that long to count - especially since the volunteer pool for vote counters is directly proportional to the number of voters
A pool from which you can find a few volunteers, maneuver them into the counting, and have them manipulate the error rate. It's done all the time.
Just like that we've solved almost all the existing problems with paper ballots
Not at all. We have undervote and overvote problems, spoiled ballots, manipulation of the ballots, and of course the complexities introduced by ranked systems which resist tactical manipulation (and can be hard to follow during the count, thus allowing for further manipulation of the vote).
you've not once trusted a computer without verifying its wo
Yes. It's the kind of confused ideal you get out of a lunatic with a large ego.
I've been working on electronic voting machines and high-integrity elections. Do you know what that takes? You publish the image ahead of time; you image the machines at poll open while people observe, and then let them copy the read-only media to verify no tampering; you generate vote count statistics on the machines before copying the votes off to send them up to the board, ensuring we can all verify that the ballots observed are the ballots reported.
That narrows the window of attack to the time between poll-open and poll-close. As long as you have public observers during that time, nobody can tamper with the machines. You have non-repudiation of the software, the machine's initial state, and the ballots as cast.
If you have no public observers, then bought-off election staff can enter the machines when nobody's around and modify the vote counts or the software loaded.
I'm building on a model of using EVMs to encode ballot sheets onto smart cards, then take the smart card to an electronic ballot box which displays the ballots and allows you to cast them.
The touch interface exposes approximately zero attack surface. You're putting boxes in order (ranked votes) or checking boxes. Besides that, separating the ballot box ties the entire attack surface to clicking "Accept" or "Reject" and to reading the data on the smart card.
The ballot box itself has to deal with the smart card.
That's tricky. On one hand, I can definitely validate input data and protect from smart card attacks: there will be no hacking by using a tampered smart card. On the other, someone could load a smart card with forged data and just stuff votes--which the vote count display overhead is supposed to prevent (one person goes in, count increases several times), but then what? Election judge comes in and voids the prior X ballots cast? We now have a method to edit votes during the election?
We could have each EVM create a Curve25519 key pair and put the certificate onto a smart card, which we then copy into the ballot box. Once we confirm all machines are set up, that's it: no more keys added, no more EVMs can send votes. The small strip of data on the smart card has a cryptographic signature.
Now: is your Ed25519 signature verification library vulnerable to attack by giving a bad encrypted signature?
Fortunately, we can audit these code paths heavily. They're small. They can perform strong validation. It's possible to guarantee you can't hack the ballot box by tampering with a smart card because only the EVMs have the encryption keys generated that morning (on the EVMs themselves) to sign the smart cards.
So long as you don't have a wireless chip (bluetooth/wifi), don't plug it into any kind of network, and don't let anyone physically tamper with the machine during voting, it's unhackable.
You have to remove the attacker to make it unhackable. If someone can attack it, you have no way to guarantee they can't successfully attack it.
Why do you think I worry about the signature verification code path? That's the single uncontrolled attack vector. The defense there is to "make sure that 30 lines of code is correct". Cringe.
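The EVM-to-ballot-box scheme sketched in the comments above (per-EVM Ed25519 key pair generated at setup, public keys copied into the ballot box, registry frozen before polls open, every smart card strip carrying a signature, the card reader as the single untrusted input path) as a worked example. This is added illustration code, not the commenter's software: the record layout, the domain tag, the names (EVM, SmartCard, BallotBox) and the per-card random serial that blocks feeding one genuine card to the box twice are this example's own assumptions. Go is used because its standard library ships Ed25519.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Domain tag prefixed to every signed message so an EVM signature cannot be
// replayed as a signature over some other kind of data (example's assumption).
const cardDomain = "evm-ballot-card-v1:"

// EVM encodes ballots. Its key pair is created at poll open; the private key never leaves it.
type EVM struct {
	ID   uint16
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewEVM(id uint16) (*EVM, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &EVM{ID: id, Pub: pub, priv: priv}, nil
}

// SmartCard is the "small strip of data": random serial (example's addition, so one card
// cannot be cast twice), issuing EVM id, encoded ranked ballot, signature over all of it.
type SmartCard struct {
	Serial [16]byte
	EVMID  uint16
	Ballot []byte // candidate indices in rank order, e.g. {2,0,1}
	Sig    []byte
}

// signedBytes is the exact byte string both sides sign and verify.
func signedBytes(c *SmartCard) []byte {
	msg := append([]byte(cardDomain), c.Serial[:]...)
	var id [2]byte
	binary.BigEndian.PutUint16(id[:], c.EVMID)
	msg = append(msg, id[:]...)
	return append(msg, c.Ballot...)
}

// Encode writes a voter's ballot onto a fresh card and signs it.
func (e *EVM) Encode(ballot []byte) (SmartCard, error) {
	c := SmartCard{EVMID: e.ID, Ballot: append([]byte(nil), ballot...)}
	if _, err := rand.Read(c.Serial[:]); err != nil {
		return SmartCard{}, err
	}
	c.Sig = ed25519.Sign(e.priv, signedBytes(&c))
	return c, nil
}

var (
	ErrFrozen     = errors.New("registry frozen: no more EVM keys accepted")
	ErrNotFrozen  = errors.New("polls not open: registry not yet frozen")
	ErrUnknownEVM = errors.New("card signed by an unregistered EVM")
	ErrBadSig     = errors.New("signature does not verify")
	ErrReplay     = errors.New("card serial already cast")
	ErrMalformed  = errors.New("malformed card")
)

// BallotBox holds the EVM public keys copied in at setup plus the ballots cast.
type BallotBox struct {
	keys   map[uint16]ed25519.PublicKey
	seen   map[[16]byte]bool
	frozen bool
	Cast   [][]byte
}

func NewBallotBox() *BallotBox {
	return &BallotBox{keys: map[uint16]ed25519.PublicKey{}, seen: map[[16]byte]bool{}}
}

// Register copies one EVM's public key in; refused once the box is frozen.
func (b *BallotBox) Register(id uint16, pub ed25519.PublicKey) error {
	if b.frozen {
		return ErrFrozen
	}
	if len(pub) != ed25519.PublicKeySize {
		return ErrMalformed
	}
	if _, dup := b.keys[id]; dup {
		return errors.New("duplicate EVM id")
	}
	b.keys[id] = append(ed25519.PublicKey(nil), pub...)
	return nil
}

// Freeze ends setup: afterwards no key can be added, so no new machine can sign cards.
func (b *BallotBox) Freeze() { b.frozen = true }

// Accept is the one untrusted input path. Every field is attacker-controlled,
// so lengths are checked before any crypto runs; only registered keys verify.
func (b *BallotBox) Accept(c SmartCard) error {
	if !b.frozen {
		return ErrNotFrozen
	}
	if len(c.Sig) != ed25519.SignatureSize || len(c.Ballot) == 0 || len(c.Ballot) > 64 {
		return ErrMalformed
	}
	pub, ok := b.keys[c.EVMID]
	if !ok {
		return ErrUnknownEVM
	}
	if !ed25519.Verify(pub, signedBytes(&c), c.Sig) {
		return ErrBadSig
	}
	if b.seen[c.Serial] {
		return ErrReplay
	}
	b.seen[c.Serial] = true
	b.Cast = append(b.Cast, append([]byte(nil), c.Ballot...))
	return nil
}

func main() {
	evm, _ := NewEVM(1)
	box := NewBallotBox()
	_ = box.Register(evm.ID, evm.Pub)
	box.Freeze()
	card, _ := evm.Encode([]byte{2, 0, 1})
	fmt.Println("genuine card:", box.Accept(card))
	fmt.Println("same card again:", box.Accept(card))
	rogue, _ := NewEVM(2) // attacker's own machine, never registered
	forged, _ := rogue.Encode([]byte{1})
	fmt.Println("forged card:", box.Accept(forged))
	fmt.Println("late key:", box.Register(rogue.ID, rogue.Pub))
	fmt.Println("ballots cast:", len(box.Cast))
}
```

The point the comments make survives here: a forged strip fails on the registry lookup or the signature, a key presented after Freeze is refused, and the whole attacker-reachable surface is the length checks plus ed25519.Verify. The serial-plus-seen-set check is this example's own mitigation for feeding a genuine card in repeatedly, the stuffing case the comment leaves to the overhead vote count display.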
People with incredible hubris declare they have made an unhackable network server or keychain device; then they get swarmed by gremlins prying into every seam they can find.
What gets me is that the car stopped suddenly during a right turn and another driver complained they almost hit it. Well shit, your 8-year-old ran out into the street in front of my car and I had to stop suddenly; I almost hit it!
Maybe you should be in control of your vehicle in case you have to stop suddenly.
Firstly, because you have to support both.
Second, because the security model is harder for a full, uncontrolled VM. An application is also a difficult security model, as it's uncontrolled and can be taken apart; .NET is mostly managed code and individual applications can have their own restricted permissions and containers.
Third, because .NET integration with ChromeOS is reasonably-achievable such that the applications all seem native. It would be like Paint.NET or Visual Studio was built for ChromeOS.
A full VM is an interesting feature, but not an everyday feature without a major technology step forward. We'd need a way to swap the main head from ChromeOS to Linux to really do it well. .NET with a Python and Java runtime (as in: AOT the Python or Java to .NET, run that) is a pretty big step forward, and can look and feel like it's just a part of the ecosystem and not a special kind of environment wedged in for compatibility and expert users.
Comey never leaked anything classified. Hillary mishandled a bunch of things because of incompetence. I don't have much familiarity with Clapper and Brennan.
We can compare Mark Felt and Daniel Ellsberg to some of these people--notably Snowden. "Criminal" doesn't much mean anything; the question is: is what they did right?
The justice system and the application of law should be for the benefit of society. It should be to redress and rehabilitate, not to inflict procedural matters of punishment.
Nordic capitalism works pretty well. It's called Social Democracy; people today want to run to Democratic Socialism.
I've extended some of the basics to achieve stronger economic stability and growth with lower taxes. The Nordics use huge social welfare systems as an economic support and a household support; I split those two duties between two specifically-designed systems, with the main economic support being a foundation and the rest built on top. We should be able to provide stronger welfare and social insurances at half the tax rate of the Nordic nations.
That actually sounds like a good strategy: let them have rope enough to hang themselves, then blame Epic for the sudden rush of malware-laden Android phones after their sideload software gets everything hacked to hell. Frighten the world into running as far away as possible from anything you haven't blessed.
It's pathetic to see people justify abuse under the law, but it's even more pathetic to see people justify abuse under corporate policy.
It looks more like you said they shouldn't have published a vulnerability before the patch was ready, and GP pointed out Google published the vulnerability after the patch was already released and being installed by users for a week.
Most of us get the advisory that a patch fixes a critical vulnerability the second the patch is released. It's right there in the release notes, right up front.
Google did more than they were obligated: they kept quiet a week longer than required to let Epic make the announcement and let users catch up. They only had an obligation to go 90 days without a patch or one second after the patch was released.
Heart disease is solvable with a little tampering.
The fact remains, though, that there are enough statistics that show that the availability of guns alone isn't the factor that determines violent crime.
Of course it isn't. We need a better criminal justice system targeting redress and rehabilitation instead of punishment and dehumanization.
Do you think there will be fewer robberies or murders?
Murders. Empirical evidence shows removing uncontrolled guns and removing access to firearms by people who are at-risk reduces the number of murders and suicides.
Domestic violence convicts and those who are suicidal tend to more-frequently commit domestic murder or suicide if they have access to firearms. Removal of the firearms reduces the number of both.
More-generally, the amount of homicide due to civil disagreement decreases with lower firearms ownership (this is more cultural than legal: you can't prohibit all firearms, although you can restrict their carry in schools and such). The amount of criminal firearms carry reduces when firearms are harder to obtain: criminals with high risk (e.g. drug gangs) will take high risks to get a firearm, while low-risk criminals (burglars, etc.) with no occupational hazard of being gunned down by other criminals in turf wars generally don't bother unless firearms are easy to come by.
Gun control policies have boundaries and diminishing returns. You get large returns for the basics, and thereafter you don't gain much ground by removing firearms.
We've found that many people who are armed are simply more belligerent because if you don't stfu you're going to get shot in the face.
The basic premise of an armed society being "polite" suggests a fear of repercussions. An armed society is a fearful society; thus an armed society will tend to raise arms frequently against constant perception of danger. This means more attacks and more homicides.
Actual data suggests RTC increases the homicide growth rate by 14%.
I'm curious as to why you think mandatory military service is a terrible idea.
A voluntary military is more reliable.
A voluntary military doesn't develop resentment for their forced enslavement into military service.
A voluntary military is less of a waste of money.
A voluntary military experiences fewer incidents of dead drill sergeants and hijacked military bases.
Our nation is built on popular sovereignty and the right to life, liberty, and property; it's not a dictatorial oligarchy where we decide your job is "soldier" and send the Politburo to fetch you for duty.
You can probably translate C++. Native code won't run on a different CPU IL, hence the use of .NET.
The big IDEs—Eclipse, Monodevelop, and Visual Studio—are Java and C#. Python is a common language. I had hoped to get Monodevelop 7 and Visual Studio native on Chromebook, as well as perhaps Unity3D or something like it (Unity3D is huge). Imagine if Chromebooks were a development platform for Android, iOS, Webapps, games, and cross-platform applications.
I'm not thinking so much about native applications because web browsers, e-mail clients, and the like come on Chromebooks. LibreOffice, Gimp, and Krita would be good applications to port to Chromebook, and are unfortunately not CIL: more work would be needed to port them as native applications. Pinta or Paint.NET can take the place of Gimp. LibreOffice is a large pile of garbage anyway; AbiWord always worked better, but is now defunct.
Containers generally provide security by segmenting the outside OS from the container. They're typically unbreakable.
If you make a container by mounting your host libraries as writable into the container, you can of course modify code that runs as root on the host. Anyone with access to create a container generally is considered a root-level user because they can make a container with root as the user internally and with / as the / volume, and then they have root access.
There's a sort of advanced setting where you map users so e.g. UID 0 is really UID 90,000. The user ID of the process creating the user namespace has all capabilities within the namespace, but none outside: it becomes root inside the container, and can't do root things outside the container. Generally, the process can only switch to another namespace if it has CAP_SYS_ADMIN in that namespace as well.
That means a process can't leave the container and see your system; if it does leave the container (somehow), it's UID 90,000 and has regular user permissions instead of root permissions.
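The UID mapping the two comments above describe (container UID 0 is really host UID 90,000, and a process that somehow gets out is a plain unprivileged user on the host) is governed by the `inside outside length` lines of /proc/<pid>/uid_map. The following is an added example, not code from the commenter or from any container runtime: it parses that file format and translates ids in both directions, returning the kernel's overflow id (65534, "nobody") for anything with no mapping, which is what the host's root or an unmapped file owner looks like from inside. The sample map is constructed for the example and uses a second line so multi-range maps are exercised too.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// OverflowUID is what the kernel reports for an id with no mapping in the
// namespace (/proc/sys/kernel/overflowuid; 65534 = "nobody" by default).
const OverflowUID uint32 = 65534

// Range is one line of /proc/<pid>/uid_map: `ID-inside-ns ID-outside-ns length`.
type Range struct{ Inside, Outside, Length uint32 }

type UIDMap []Range

// ParseUIDMap parses uid_map / gid_map text (whitespace-separated, three fields per line).
func ParseUIDMap(text string) (UIDMap, error) {
	var m UIDMap
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue
		}
		if len(f) != 3 {
			return nil, fmt.Errorf("bad uid_map line %q", sc.Text())
		}
		var v [3]uint32
		for i, s := range f {
			n, err := strconv.ParseUint(s, 10, 32)
			if err != nil {
				return nil, err
			}
			v[i] = uint32(n)
		}
		if v[2] == 0 {
			return nil, errors.New("zero-length range")
		}
		m = append(m, Range{Inside: v[0], Outside: v[1], Length: v[2]})
	}
	return m, sc.Err()
}

func inRange(id, start, length uint32) bool {
	return id >= start && id-start < length
}

// ToHost translates a uid as seen inside the namespace into the host's view.
func (m UIDMap) ToHost(inside uint32) uint32 {
	for _, r := range m {
		if inRange(inside, r.Inside, r.Length) {
			return r.Outside + (inside - r.Inside)
		}
	}
	return OverflowUID
}

// ToContainer translates a host uid into the namespace's view.
func (m UIDMap) ToContainer(outside uint32) uint32 {
	for _, r := range m {
		if inRange(outside, r.Outside, r.Length) {
			return r.Inside + (outside - r.Outside)
		}
	}
	return OverflowUID
}

// SampleUIDMap is a constructed map like the one in the comment: container root
// is host uid 90000 with 65536 ids following, plus host user 1000 mapped to
// container id 70000 (the padded columns mimic how the kernel prints the file).
const SampleUIDMap = "         0      90000      65536\n     70000       1000          1\n"

func main() {
	m, err := ParseUIDMap(SampleUIDMap)
	if err != nil {
		panic(err)
	}
	for _, inside := range []uint32{0, 1000, 70000, 70001} {
		fmt.Printf("container uid %5d -> host uid %d\n", inside, m.ToHost(inside))
	}
	for _, outside := range []uint32{0, 1000, 90000} {
		fmt.Printf("host uid %5d -> container uid %d\n", outside, m.ToContainer(outside))
	}
}
```

Two things worth noticing when debugging a mapped container: host uid 0 has no line in the map, so from inside it shows up as 65534 and root-owned host files are untouchable, and a process escaping with inside uid 0 carries host uid 90000, which owns nothing on the host unless you mounted something writable as that id.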
I had suggested they use containers to add .NET support instead of straight Linux apps. Linux needs a whole underlying support system in a VM; .NET can inherit that from the local system and the .NET runtime.
Stuff .NET Core or Mono in there and provide a /home/$USER directory. Mount /home/$USER, mount local Documents to /home/$USER/Documents, and mount the Google Drive folder to /home/$USER/Drive.
When you install a .NET application, it would mount all of those things, as well as a .NET runtime for the app. The runtime could include a modification to call for additional libraries: if it tries to load an assembly, it calls through a socket to tell ChromeOS to add that library to the container (additional mount), and ChromeOS may fetch the library via nuget.
The container would expose a Chrome browser stub which also calls on ChromeOS to open the browser. It could do the same for opening various files. A ChromeOS file dialogue would display the mounted paths the same way ChromeOS exposes them, unifying the UI.
Now you have native .NET applications. You can get a Python and Java VM running on .NET, which may allow extending this to other types of native applications using the same runtime. You can isolate those applications from the system so they only have access to their own configuration and specific paths, rather than the whole of your files.
It's less reach than a whole Linux VM; it's also less overhead and tighter integration.
If you drink X amount of alcohol in Y time, you die.
If you're rich, X amount of alcohol costs a small percentage of your income.
If you're poor, X amount of alcohol costs a large percentage of your income.
A tax on alcohol thus reflects less of a rich person's income than a poor person's income at a given level of intake; and the level of intake is bounded by death.
Alcohol taxes are on alcohol, generally, and so cheap 40% vodka faces the same tax as expensive 40% whiskey. In some states, the alcohol tax is a sales tax, so the expensive whiskey actually carries a higher tax.