[Fsfe-ie] perspective on e-voting

Tue Mar 2 10:54:43 CET 2004

On Tue, Mar 02, 2004 at 12:56:18AM -0000, Niall Douglas wrote:
> > voting machines from anything except off the shelf chips is not going
> > to change any time soon.
> 
> Why? You can get a military hardened CPU from Atmel or even Intel for 
> less than a x86 CPU. It just won't run Windows.

Fair enough. I assumed they'd be more expensive. Still doesn't change the
fact that when you look at the circuit board all you can see is a plastic
package and that there's no non-destructive way of finding out if you've
really, really got an genuine xyz military hardened processor or just
something pretending to be one.

> > Something(s) on the board must be the key to the trust system, usually
> > the processor but maybe there are multiple chips that check the
> > signatures. You only need to replace these with look-a-likes that will
> > also trust your switched image. No one can discover this without
> > examining the chip layout under an electron microscope, rather
> > impractical.
> 
> You're wrong on this. There are these key generating boxes which spit 
> out encryption keys for use in X509 certs and such and they usually 
> live inside a fire proof safe. They're very very tamper proof, you 
> can't even let them get too hot or cold or else they reset themselves 
> and you lose the key sequence. You could have something similar for 
> voting machines.
> 
> I know them from having to go through the rigmarole of accessing one. 
> You had to sign this log book and two people had to be present at all 
> times to make sure you didn't drop it etc.

You've gone way outside the requirements for a voting machine here. I agree
with you that a practically tamper proof machine is possible, however we are
talking about machines which will spend 364 days a year switched off in a
warehouse in the back of beyond and then they'll spend a full day in an
unfriendly environment being used in private by punters.

If a machine is not running continuously then I can swap chips on it so that
it behaves perfectly correctly until it gets my signal and there is nothing
anyone can do to discover this, short of cracking open all the chips.

> > I don't think technological security is the issue here, personal
> > security is much more important. Mobile phone voting in the North
> > would be a good laugh, where the bloke looking over your shoulder,
> > watching you vote, wears a balaclava for a bit of petrol bombing fun
> > at the weekend. Even taking threats and violence out of the mix,
> > remote voting allows vote selling.
> 
> No more so than a fellow paying you a tenner to vote a certain way. 
> Of course you could vote differently anyway - however under a mobile 
> phone voting system, I see no problem with being able to change your 
> vote later.

One problem is that it greatly complicates vote storage and anonymnity. I
can't see it ever being accepted because most people want to know that when
they cast their vote it's done and nothing can undo it.

F