[Fsfe-ie] perspective on e-voting

[Niall Douglas]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 1 Mar 2004 at 0:46, Fergal Daly wrote:

> > Data signing techniques could fix this and all software has bugs.
> > Also, you don't need a perfect voting system, just one which is
> > better (more accurate) than the current system - and I'm personally
> > not too bothered about a flawed system which has in place an active
> > method of improvement over time.
> 
> Data signing only works for the person who checks the signature and
> since I'm not going to be let near a machine in order to check the ROM
> signature, it's no good for me. It's also no good for people who have
> no idea what a "ROM signature" is. They shouldn't have to know.

I was more thinking of the data signing mechanisms used to ensure CIA 
wire tap boxes haven't been compromised. These boxes get stuck in the 
wild so there's a chance they could be interfered with by an outside 
party. Basically it's a loopy state machine whereby the software is 
encrypted with a key and that key is derived from the signature of 
the encrypted image. Basically if you alter the image you must alter 
its signature thus losing the ability to run it - and it can't be 
faked.

There's loads of this kind of tech used in the security services. I 
had a contract in this arena once. It's a bit more pricey but these 
are one off purchase machines.

> How do I check the signature of a PCI controller or a chip that's
> labelled as a Motorola 68000 anyway?

You'd use one of the military spec processors. They are hardened to 
EMP and are very hard to hack into. This is a good thing, given they 
control the world's nuclear arsenel.

> And so far I've only been talking about intentional alterations and
> software bugs, there's radiation induced bit-flipping to consider too.
> It happened in Belgium, some guy got 4096 more votes than his own
> party's total, so they spotted it and the expert conclusion was a
> bit-flip. It's probably happened lots more in non-spectacular ways but
> it's never spotted because there's no paper trail.

If people will insist on using off the shelf components, they will 
have this problem. When I was working for EuroFighter, I was appalled 
to discover they use x86 kit and Windows which is totally unsuitable.

Commercial off the shelf kit is mass produced cheaply. It's not of 
high quality and certainly not of high security. As an example, DEC 
VMS didn't have a single root exploit in 17 years.

> There's also the possibility of hardware glitches where all the days
> votes get wiped etc etc. There's a zillion things that can go wrong. A
> backup record that's not susceptible to microscopic influences is the
> only remedy.

Even the current system loses a small percentage of votes. I'm far 
more worried about them getting changed without anyone realising - 
destroyed is fine by me so long as we know there's some lost.

> We actually have a very secure system at moment. It's secure because
> people from all sides of the election are keeping one-another honest.
> There is no single point of failure. The ballot boxes are watched by
> multiple people (who don't trust each other) from the time they're
> opened to the time they're emptied.

I think it's less secure than you might think. I have no Irish 
examples, but vote rigging is as old as time and it never completely 
goes away even with the very best of systems.

> > BTW when I said "open", I meant it being able to be altered by
> > volunteers a bit like a sourceforge project - not just publishing
> > the source. This brings the formidable security & debuggability
> > advantages of free software to bear. By far and away free software
> > is *ideal* for these kinds of software as they don't need to be
> > innovative.
> 
> That would be great but it doesn't address the trust problem. The
> citizens still have to take the word of an elite. It's a bigger more
> varied elite but still.

No I must disagree with this. The nature of free software is that 
it's totally anarchic - more than likely you'd get people crying wolf 
more often than genuine illustration of problems. Remember it's also 
transnational - an Irish person reporting a substantial flaw just 
before the Americans vote indicates strongly to everyone there's no 
party political agenda at work.

Think about the other areas where public access is granted to ensure 
public confidence - most government meetings eg; trials, Dail 
debates, public archives - even FOIA. All these are too technical to 
the the lay person. Voting software is an identical issue - the lay 
person won't and can't understand, but it's having the free access is 
what's important.

> A system like this would be much cheaper to implement than the
> proposed one and it wouldn't need an army of operators to control and
> monitor all the machines - if the machine isn't controlling the
> recording of votes then there's nothing to gain from tampering with
> it.

I completely agree - this government's attempt is a complete balls up 
and rather than break a reasonably working system, better to draw a 
line under it and end the project.

However, I really do think if people could vote say by mobile phone, 
you'd get a lot more people voting (even better if the phone asked 
you for a vote on polling day). So to me, any substantially improved 
voting system must have this feature. Just replacing paper ballots 
with an electronic system seems pointless to me - one is spending 
money for zero gain. Of course, current mobile phones aren't secure 
enough and neither will be the next generation. But maybe thereafter 
given how much they want us to buy stuff using them eg; a distributed 
self-repairing peer to peer voting network based on all mobiles 
reaching a consensus (and attacking every mobile phone in the country 
is a tad hard).

Cheers,
Niall





-----BEGIN PGP SIGNATURE-----
Version: idw's PGP-Frontend 4.9.6.1 / 9-2003 + PGP 8.0.2

iQA/AwUBQEKa2cEcvDLFGKbPEQKOsQCePkDbIYKTWWJKdSI//iEUMuci1lUAoJWw
iWEqruruncUNSBx2GomVhBU6
=8dC6
-----END PGP SIGNATURE-----