November 22, 2024

Post-Election Review

How did e-voting technologies hold up in Tuesday’s election? It’s too early to tell for sure, but it looks as if there weren’t any major disasters.

We saw the usual list of crashing, misbehaving, and non-functional machines. Some of these are just routine glitches or procedural problems. If somebody forgets to deliver power cords to the polling place, that’s just an isolated mistake. If a machine just won’t turn on in the morning, that’s probably just a maintenance issue.

But other kinds of “glitches” can indicate deeper problems. Experienced engineers know that certain behaviors, especially complex ones that are supposed to be impossible, are clues that something has gone badly wrong in the system’s internals. If the inside of your fridge is at room temperature, you probably have a simple problem. If the liquids in your fridge are boiling, you have an Engineering Issue.

The most alarming error report I saw from Tuesday’s election came from Avi Rubin, a respected computer scientist and e-voting expert who is a precinct worker in Maryland, where they use the Diebold AccuVote-TS, the same machine my colleagues and I recently studied. Here is Avi’s story:

So, while we were watching the last handful of voters cast their ballots … one of the chief judges came up to me and said that there was a “situation”. I was called over where a voter was explaining to one of the judges what had happened, and he repeated his story to me. The voter had made his selections and pressed the “cast ballot” button on the machine. The machine spit out his smartcard, as it is supposed to do, but his summary screen remained, and it did not appear that his vote had been cast. So, he pushed the smartcard back in, and it came out saying that he had already voted. But, he was still in the screen that showed he was in the process of voting. The voter then pressed the “cast ballot” again, and an error message appeared on the screen that said that he needs to call a judge for assistance. The voter was very patient, but was clearly taking this very seriously, as one would expect. After discussing the details about what happened with him very carefully, I believed that there was a glitch with his machine, and that it was in an unexpected state after it spit out the smartcard.

This is supposed to be impossible. Having examined a similar version of Diebold’s software, I know that when the Cast Vote button is pressed, the system is supposed to (1) invalidate the smartcard, then (2) record the vote, then (3) kill the voting screens, then (4) eject the smartcard. This voter saw Steps 1 and 4 happen, but not Step 3. (We don’t know whether Step 2, recording the vote, happened.) At least one voting screen was still there, and that screen was active: something happened when the Cast Vote button on that screen was pressed, but it wasn’t the something that would normally happen.

It’s hard to see how this can happen, absent a subtle, serious bug in this part of Diebold’s software. And by “this part” I mean the part that carries out the four-step procedure that includes recording the vote. Could this bug have affected vote recording for other voters? What other problems could it have caused? We don’t know. We could probably tell, given access to a Maryland voting machine.

Another thing we don’t know is how many times this bug showed up in Maryland on Tuesday. It’s hard to believe that the problem didn’t happen elsewhere too. If it were going to happen only once, what are the odds that that one occurrence would be in a precinct with an evoting-savvy computer scientist blogger election judge? Pretty slim.

Fortunately, Avi was there and was able to recognize the relevance of this particular machine misbehavior. How many other poll workers, not being experts in computer science, saw a similar problem and just shrugged it off as a routine glitch?

Comments

  1. These days, cents are worth more.

  2. My county offers two choices:

    1. Vote early on an AccuVote TS. No waiting, but you must provide a government-issued photo ID, as the poll workers do not have the hard copy rosters and must look you up online. This is to prevent fraud, not to keep one from voting as has been suggested certain states do by requiring photo ID on election day.

    2. Vote on election day on a good, old-fashioned optical scan machine. No ID required as the rosters are available in your precinct. However, lines can be long, etc.

    The Elections Commissioner of this county was recently censured for destroying fairly recent electronic elections data because “he didn’t know how long to keep it”. (I beg to differ.)

    I belong to an organization that does pollwatching on election day. Extensive instructions are provided on what to do if anomalies are witnessed, phone numbers of organizations to call if certain conditions are seen, etc.

    My biggest gripes with the AccuVote TS:
    1. No receipt for the voter.
    2. Known software flaws with no assurances that there have been any remediation for these flaws.
    3. No assurance that the voting machine I may have used has been patched for the bugs mentioned in item 2.
    3. The infamous “I’ll deliver Ohio” statement made by the Diebold executive. Makes me wonder who might be delivered in my county, despite the ‘voter verified paper trail’.
    4. This machine meets verifiedvoting.org specs, but I would prefer a system based on open-source software. If all touch screen voting machine vendors used the same operating system, for example some Linux variant, and put their own front-end on it, then security researchers (and miscreants) everywhere would know the innermost secrets. On top of that, you could do harden the operating system by using Bastille Linux, for example.

    Just my two cents…or might that be my two votes?

  3. Funny you should mention against monopoly. I read there as regularly as here. Gifs look fine on my 1024×768. All I can suggest is use the audio option (where available) or a screen magnifier. 🙂

  4. Auto-whitelisting sounds like a good idea – I wouldn’t worry about ratios (until necessary).

    The best captcha I’ve come across is that used by AgainstMonopoly – a concatenation of a 4 digit number spelt phonetically in Spanglish.

    unotwoquatrocinco (from 1245)

    http://www.againstmonopoly.org

    The gif based ones all assume everyone has an 800×600 display (unlike my 2000×1800)

  5. Oops, neglected to mention another option — put a captcha on the post-comments form. Some captcha systems now include an audio option for the visually impaired (blogger.com uses one of those). You can then relax the filtering. Anyone posting spams that get by the captcha is most likely a human rather than a bot, and holding them all for human review is no longer infeasible as there can’t be very many of them anymore.

    Another antibot trick, invisible to human users and perhaps even more effective, is to simply generate a key from the time of day to encrypt with a secret of the server and put into a hidden field in the comment form. Submitted forms have this field decrypted and compared to the system clock. If the key is forged, it’s overwhelmingly likely to decode to a time that’s invalid, more than a day old, or from the future. If so the submission can be rejected (with a polite error message and a filled-in resubmission form, which a bot will probably ignore). Most bots don’t retrieve a copy of the form or check the responses, but rather just spam out HTTP GET application/x-www-form-urlencodeds.

    Which brings me to another suggestion: in light of

    form action=”http://www.freedom-to-tinker.com/wp-comments-post.php”
    method=”post”

    you can safely configure the server to reject HTTP GET application/x-www-form-urlencoded submissions and accept only HTTP POST submissions. The only submissions in the former format that your server receives will be bot spam.

  6. Well, the only comments coming from my IP address ought to be legit. What are those 800 spams that pass the moderation filter anyway? If they don’t contain many links? Just “Buy new Foo brand foobars” and similar exhortations without any followup info, or with phone numbers or snail-mail addresses for ordering?

    I’d suggest a couple of ways to tune the process:
    1. Whitelist the IP ranges of past contributors of multiple legit comments. Delist those ranges only if they start generating loads of spam; until then anything suspicious is held for moderation but never just disappears that comes from those ranges.
    2. Save the most aggressive spam filtering for comments to blog posts that have dropped off the front page of the blog. Few legitimate comments will be posted there, and fewer will be found and read, so the damage risked is least there.

    I’ve seen worse, mind you — architectures of control has a bot that a) took offense to one posting I made, one that was somewhat long but didn’t use any links; b) silently ate it; c) proceeded thereupon to locate and delete everything else I’d posted there, ever; and d) to top it off put my IP address in a .htaccess deny(!) — all without any human supervision whatsoever. I think it may have been tamed somewhat since then, but just to let you know that there’s overzealous and then there’s overzealous.

    Crosbie finds that the same link I used doesn’t produce such a drastic consequence if he uses it, which implies that your current system does differentiate among users, perhaps based on legitimate post count. If so, the threshold is apparently set way too high — I have easily enough non-spam comments here to be whitelisted too, in my opinion. 🙂 Ten comments that didn’t get deleted should qualify you, or a ratio of ten times as many accepted as rejected, or something. Spammers won’t be able to spam without actually contributing that way and thus paying us for the privilege. (And even then, the spam just gets a little exposure before being deleted instead of none at all, and the guy lands in a blacklist.)

  7. Guys,

    Let me explain how comment filtering works. There are two stages. The first is done by the WordPress blogging software, which will automatically hold for moderation any comments with certain properties (very long, or containing several hyperlinks, or containing certain words typically associated with spam (such as names of certain drugs)). In a typical day one comment might be held for moderation. I deal with held-for-moderation comments once a day or so.

    Comments that make it through that screen are submitted to Akismet (see akismet.com). Comments identified by akismet as probable spam are silently put into a “spam box”. Once a day or so I visit the spam box and quickly scan it for legitimate comments. Any legitimate comments are rescued from the spam box and appear on the site; the rest are deleted. About 800 comments per day go into the spam box; I rescue about one comment per week. I scan the spam box quickly (and it shows me only one comment per source IP address, so I don’t have to look at all 800), so I might miss legitimate comments occasionally.

    With 800 spam comments per day, manual moderation or manual spam-removal isn’t really an option. I’ve tried various antispam methods and the current one is by far the best.

    I don’t know what criteria akismet uses. I know they take input from lots of blogs and I assume they use a combination of machine learning and hand-tuning to program their filters.

  8. http://www.wikipedia.org

    http://en.wikipedia.org/wiki/Main_Page

    Got any more URLs you want tested?

    NB I just type these in literally – I don’t put in the HTML tags myself.

  9. Crosbie Fitch: Well, that is disturbing.

    My post contained a link to the Wikipedia main page. Removing it made the post succeed.

    Yours contains a link to a Wikipedia article but not the main page; including it didn’t prevent the post succeeding.

    Either it specifically hates linking to the main page at Wikipedia, or it has a more stringent antispam policy for my posts than for yours. The latter possibility is particularly disturbing.

  10. Ronald Crane says

    Quote:
    ——
    Actually, the solution is pretty simple. Make a board with an 8032 or equivalent (ROMless), some standard SRAM chips, and standard glue logic chips. Two-layer through-hole board, easily inspectable, nothing fancy. All the code is stored on a removable cartridge which the Z80 is physically incapable of writing to. The Z80 board would have no storage media that could possibly hide a trojan horse because it would have no storage media that could run any sort of code whatsoever.
    ——

    Such systems still would have to be subject to random forensic inspections, since any gap in manufacturing security or in physical security afterward could allow an attacker to replace the innocent Z80 board with a mimic board. Such a board looks identical to the official board but contains an embedded ASIC that mimics it and adds some “extra features.” The amount of silicon required to create such a mimic is tiny, and the mimic chip easily could be placed in a hollowed-out section of the board’s ground plane.

    Hard to do? Yes. Worth it to obtain political power? Absolutely.

    Quote:
    ——
    Before use, the cartridges would be programmed with the proper software and, write-protected, and marked with seals supplied with both parties. Both parties could then use a simple reading device to confirm that the cartridge contained the proper code before the election and use the same device again to ensure that it contained the proper code after.
    ——

    An attacker could instrument the programming device to write code and/or data into the cartridges’ “unused” areas, which the mimic board could then use to direct its operations. The “simple reading device” could minimize this danger by verifying the contents of the unused areas. Note, however, that an attacker could engineer special-purpose cartridges containing hidden memories that the reading device wouldn’t know about, but that the mimic board would understand. The best approach here probably is to burn CD-Rs. Though that means the voting machine needs a CD-ROM drive and associated driver software, which provides another attack vector.

    Quote:
    ——
    Votes should be stored on a different cartridge. That one would be write-protected immediately after the election, whereupon people from both parties would immediately read the contents and record a cryptographic checksum. Both parties’ people should get the same checksum; if they both sign off that they got the same checksum, then the cartridge contents will be effectively protected against future alteration.
    ——

    An attacker could also use this writable cartridge to transfer code and/or data to a mimic board. The write-protect feature would need to be foolproof so that the parties’ checksum programs couldn’t possibly modify the cartridge’s contents.

    All of this requires careful engineering and rigorous supervision, and the vast majority of the public wouldn’t have a clue if an attacker slipped something right beneath its nose.

  11. //First, there’s the issue of verifying that the executables used on election day actually were honestly produced from the publicly-reviewed sources. Assuming you solve that problem (and ignoring “Trusting Trust” attacks), a malicious operating system or device driver can simply replace critical portions of an honest executable with dishonest code, as can firmware and even hardware. Reducing the risk of these attacks involves not only use of open operating systems, firmware, and hardware, but also random forensic hardware inspections.//

    Actually, the solution is pretty simple. Make a board with an 8032 or equivalent (ROMless), some standard SRAM chips, and standard glue logic chips. Two-layer through-hole board, easily inspectable, nothing fancy. All the code is stored on a removable cartridge which the Z80 is physically incapable of writing to. The Z80 board would have no storage media that could possibly hide a trojan horse because it would have no storage media that could run any sort of code whatsoever.

    Before use, the cartridges would be programmed with the proper software and, write-protected, and marked with seals supplied with both parties. Both parties could then use a simple reading device to confirm that the cartridge contained the proper code before the election and use the same device again to ensure that it contained the proper code after.

    Votes should be stored on a different cartridge. That one would be write-protected immediately after the election, whereupon people from both parties would immediately read the contents and record a cryptographic checksum. Both parties’ people should get the same checksum; if they both sign off that they got the same checksum, then the cartridge contents will be effectively protected against future alteration.

  12. Yup, postpone it.

    However, say it was a referendum under quarantine as to whether an expensive vaccination for the contagious disease should be compulsory?

    Delay only increases contagion…

    Another scenario is that there was radioactive debris everywhere – with a long half-life (dirty-bomb).

    Incidentally, perhaps we need a buzzword for the system I suggest as the only comparably secure alternative to paper voting?

    Proprietary voter assistance machines, and proprietary, privately networked ATM/voting machines, or even proprietary client/server web based voting systems are all democratically untenable.

    However, open and distributed/de-centralised e-voting (assuming it passes all acceptance tests with flying colours) perhaps should be called ‘p2p-voting’ for short?

    Back to the point…

    Not only is there ‘ease’ in terms of immediacy, there’s also ‘ease’ in terms of achievability.

    Consider that referenda in Iraq might be a tad easier if everyone had a web terminal, than that everyone had to queue outside polling stations.

    A referendum in China may even be possible. The state will likely ignore it, but the people may be curious to know what the people think.

    You probably wouldn’t get very far trying to set up a paper vote in China, eh?

  13. Ned Ulbricht says

    Could there be a situation when the ease of conducting a credible Internet e-vote over a paper based one, is such an advantage that it could become the only viable alternative?

    Consider a general quarantine as a counter-measure against an acute epidemic or pandemic. If the quarantine period extended for more than a few days, there would have to be some provision for continuity of basic services: water, food, electricity, medicine. These services would require some person-to-person contact—so the quarantine would not effect complete isolation. Nevertheless, presume that it’s desirable to restrict population mobility for a lengthy period.

    Would it be best to simply postpone a scheduled election under these circumstances?

  14. Here’s a link to Wikipedia just to test your theory…

    http://en.wikipedia.org/wiki/Chili_pepper

  15. “I simply pointed out that the spam filters were the reason behind what was happening, that this was a known factor when posting here, that the filters were a neccessity and not a “problem”, and how to locate the triggering events within your posts.”

    What I pointed out, that you haven’t addressed, includes:

    * That the postings in question didn’t get held for moderation (I would have just waited) but rather simply disappeared without any explanation (such as an error message). This is incorrect behavior. Postings from a known spammer IP should cause 403 errors, and postings from anyone else should at worst be held for moderation. In the past, that has been the actual behavior. For some reason, it changed yesterday to start silently rejecting legitimate posts without even holding them for moderation first.

    * Legitimate posts not producing an error, appearing promptly, or being held for moderation, but doing something that isn’t one of those three things, is ipso facto a problem.

    * Nothing in the post in question was anything but innocuous. No likely trigger words (such as certain pharmaceuticals’ names) were present and the only link present was to wikipedia. I’ve posted links before and the results have merely been held for moderation. Ditto HTML.

    * I’ve since proved that it specifically didn’t like the link to Wikipedia. I removed that (but not the anchor text or the italics HTML tags used elsewhere) and added a paragraph of other stuff and it posted normally. Apparently, it will hold for moderation posts containing links, unless the links are to Wikipedia, in which case it will silently eat them.

    * Silently eating posts from any source other than a blacklisted IP range is totally unacceptable! Catastrophic data loss can result. Imagine a legitimate contributor writes a long, legitimate comment containing a Wikipedia link in Internet Exploder or some other shoddier browser than Firefox. The post fails to appear, they hit “back” to try again, and the form is now blank again. So much for their long, legitimate comment. They’ll have to rewrite it from scratch.

    * I hate, hate, HATE any software behavior that can cause catastrophic loss of unsaved data. This is an especially common problem with Web stuff because you can’t just tap ctrl+S now and again to save your progress when typing in one of these cramped little boxes on a Web page the way you can in a Real Editor(tm). That is why it is ABSOLUTELY CRITICAL that Web forms do all of the following:
    – NEVER silently reject any submission except from blacklisted IP ranges. Preferably, send a 403 to those and also send a 403 to any such IP requesting the page with the input form. The latter ensures no human will type a lengthy posting into the form and have it eaten; only bots go directly to posting a form submission without requesting the page with the form on it first.
    – ANYTHING ELSE that succeeds (here, either “held for moderation” or simply posted) gives clear evidence that it succeeded and never incorrectly claims to have failed.
    – ANYTHING ELSE that fails goes to an error page with a filled-in copy of the form, perhaps with red labels near the fields that didn’t validate. The error page has a PROMINENT NOTICE at the top of what went wrong, so it doesn’t look to the user like they hit “submit” and nothing happened or the page merely reloaded without anything else happening. The error is self-explanatory and easy for a typical person without extensive technical know-how to correct, modulo the exact expected user base demographic of course. The error page’s form can be used to make corrections and resubmit. Error pages NEVER result from submissions that actually succeeded, or you’re guaranteeing duplicate submissions. Error pages ALWAYS result from submissions that failed, with resubmission forms, except for blocked IPs who get a plain 403.

    Despite this Web form implementation wisdom being widely documented, it’s amazingly common for me to encounter a Web site that breaks that contract with its users and risks data loss, duplicate submissions, user confusion, user frustration, and even user hostility.

    Oh, and did I mention that:

    * I hate, hate, HATE WITH A PASSION software behavior that is GRATUITOUS and can cause catastrophic data loss? In this case, it’s not merely a bug — it actually seems to behave in an actively malicious, data-destroying way towards anybody who it *suspects* of being a spammer. Apparently, there are two levels of suspicion — posting links gets the posting held for moderation, which is fine, but posting *Wikipedia* links causes it to silently disappear the posting and risk catastrophic loss of your data for no possible justification whatsoever!

  16. the_zapkitty says

    Neo Ranted Further:

    “I did NOT try to post SPAM. To suggest otherwise is extraordinarily insulting and borders on a libelous false accusation of criminal intent.”

    Dude, take a big blue chill pill.

    I simply pointed out that the spam filters were the reason behind what was happening, that this was a known factor when posting here, that the filters were a neccessity and not a “problem”, and how to locate the triggering events within your posts.

    Anything you might construe further than that is in your own head, not mine 🙂

  17. Thanks for the clarification Neo. I am not quite so scrupulous in checking the accuracy of my statements concerning cuisine as I am concerning other things.

    My brain must have melded the following:
    “An American laboratory found the chilli to be almost 60 per cent hotter than the one listed in the Guinness Book of Records. The Naga registered a Scoville heat unit of 876,000. The record holder is a Red Savina Habanero with a rating of 577,000. ”
    http://www.thechileman.org/naga_morich.php

    I got my chillies from Peppers by Post.

    I mixed two packets (of about 6 chillies each) into 1Kg minced beef plus kidney beans, chopped tomatoes, etc.

    Even soured cream couldn’t bring the heat down.

  18. “Joe’s Chili sounds interesting. Incidentally, did I ever tell you I’ve recently
    cooked a chilli con carne using the Dorset Naga (Guinness book of records for the hottest chilli pepper)? I can only manage about 70% of my usual serving. And if you’ve ever had a Bangalore Phall, or a Naga curry, and I tell you my CcC recipe is hotter, then that should give you an idea of how bloody hot it is.”

    Funny — according to today’s Wikipedia featured picture entry the record holder is the Red Savina variety of Habanero chili. (Starting Nov. 15 2006 the featured picture will have changed; search Wikipedia for Red Savina then.)

    Actually, the Red Savina article indicates that although it is still the official record holder, there are two contenders to usurp the record and maybe some controversy. One of the contenders (apparently the weaker of the two) is the Dorset Naga.

    If you are reading this, it means that the *only* thing that was causing it to mysteriously disappear before was a single link to wikipedia. Nothing else was removed or changed. Links to wikipedia shouldn’t trigger the spam detector. And if they do, the comment should be held for moderation; it should not just disappear without any error message or other explanation at all.

  19. Hmm — an anti-welfare rant.

    So, you’d deny any political influence to a) the retired (generally society’s most experienced members, including whoever remembered whatever was the most recent truly nasty war in any given era); b) the poor (who need it most); and c) everyone else besides (since everyone, ultimately, is connected to government largesse via the web of economic transactions after some number of hops). Or perhaps you think that the poor are stupid or defective and should be Darwinned out, rather than unlucky sods deserving sympathy and compassion? The elderly are lazy, or past their sell-by date so they should just hurry up and die and make room for another generation? Because you know what will happen if these segments of the population can’t vote; the “cut taxes massively along with all social spending and leave everyone but able-bodied young whites out in the cold act of 2012” will pass by a wide margin shortly thereafter. In December, half the population of the North dies of exposure. By March, California’s seceded and Washington is in flames. By May, the Second Civil War is in full swing … wait, there’s no way you can really want all this to happen.

    You must be pulling my leg, then. 😛

    How about this: we remove the franchise from anyone who either a) owns their own golf clubs, b) owns multiple cars (averaged over adult close family members), c) can name any specific species of wine other than champagne, d) actually has access to champagne, e) has their own personal stock symbol, f) has any ties to a major election equipment manufacturer, or g) has either more than one lawyer, any number of accountants other than zero, or any number of lobbyists other than zero on their payroll.

    That should level the playing field. Those people already have enough political influence without letting them vote! 🙂

  20. The_zapkitty wrote:

    I did NOT try to post SPAM. To suggest otherwise is extraordinarily insulting and borders on a libelous false accusation of criminal intent.

    Perhaps you misunderstand. I know some comments (particularly if you put in links) are held for moderation. The missing ones weren’t; they just disappeared. I can tell the difference, to wit, it doesn’t show up as awaiting moderation but simply disappears. 😛

    In fact, the comment that keeps being eaten is totally innocuous. The only link in it is to Wikipedia for Chrissake, and there’s none of the usual names of pharmaceutical products and the like in there that might also trigger moderation. If that were even what was happening, which, clearly, it isn’t.

    Please read more carefully before you accuse a fellow poster of Something Bad(tm) in the future.

  21. I’m not against any voting – fraudulent or otherwise – I haven’t voted in 20 years and likely won’t again. There is no chance of the only thing that would be worthwhile happening – government is going to keep on growing and becoming even more intrusive, because of the incentives of the crooks that vote – the last estimate I saw (several years ago, I don’t remember exactly where) was that 60% of Americans received at least half of their income – welfare (incl SS), pay checks, or as contractors’ employees – from some branch of government. A vicous, positive feedback spiral. The only way I’d bother voting is if all welfare, Social Security, government employees, and employees of government contractors were not allowed to vote for more – the current SYSTEM is thoroughly corrupt.

  22. the_zapkitty says

    Neo Ranted:

    “Apparently, my comments are being filtered out selectively. Some are posted and others are silently discarded on mysterious criteria.”

    Correct, and nothing new around here. It’s not a “problem”, it’s the spam filters.

    According to numbers posted by Ed we wouldn’t even be able to read this blog for the spam without the filters.

    Check your posts for common elements… then figure out what’s triggering the filter.

    THEN decide if it’s a problem in censorship.

  23. Apparently, my comments are being filtered out selectively. Some are posted and others are silently discarded on mysterious criteria. Let me know when you’ve fixed the problem so I can repost my original comment in the assurance that it will appear for others to read. (Posting a comment here saying you’ve fixed it will suffice for notification.)

  24. Why are my comments no longer being posted? There’s no error message or anything; they just fail to actually appear. Am I being censored?!

  25. Randy Roberts says

    I’ve been in the systems business for 20 years, and i would not trust a machine to do this important task. I’m grateful to live in Oklahoma where we are so backwards that we use paper balots that are machine read and tabulated, but provide the critical ability to be physically verified by the average 75 year old election worker.

    Cost is minimal, the elction is verifiable, and we have the ability to use the machines to do what they do well – count.

    A simple process, with few steps has a better chance of success and an easier ability for audit than a complex process with more steps.

    btw – the majority of this thread reminds me of a recent Dilbert Cartoon

    randy

  26. My point was Ronald, that if they WISHED to procure an open and decentralised system, their heart was obviously in the right place, and consequently they would ultimately do what was best for democracy.

    If they wish to retain and pursue a proprietary system, you’ve got some hard work ahead of you.

  27. Ronald Crane says

    Quote:
    ——
    the_zapkitty, if Diebold and their clients wish to procure a system that would be open and de-centralised, then you have nothing to worry about.
    ——

    Wrong. Every voting system can be gamed, so all are worth citizens’ worries (“The price of Liberty is eternal vigilance.”) Some can be gamed so easily, by so few participants, and on such large scales, that we should not use them.

  28. the_zapkitty, if Diebold and their clients wish to procure a system that would be open and de-centralised, then you have nothing to worry about.

    If I should be paid for my labour, well, that sounds pretty fair to me. However, I’m not putting in my order for a new Ferarri just yet…

    As to conspiracies, the only good thing about them is that if they’re true then at least there’s method to our madness. If they aren’t true then mankind is on a collision course with imminent annihilation. 🙁

    Joe’s Chili sounds interesting. Incidentally, did I ever tell you I’ve recently cooked a chilli con carne using the Dorset Naga (Guinness book of records for the hottest chilli pepper)? I can only manage about 70% of my usual serving. And if you’ve ever had a Bangalore Phall, or a Naga curry, and I tell you my CcC recipe is hotter, then that should give you an idea of how bloody hot it is.

  29. the_zapkitty says

    Great.

    If telling the truth about e-voting machines, outing the lies of the corporations that push them, and double-checking the machine results independent of the government… if any or all of these things might be construed as “sedition” then it’s time for that next revolution Thomas Jefferson recommended.

    Crosby, you’re sure you don’t have a check from Diebold laying around? 🙂

    I mean, if they can go to the trouble to buy off a school for the blind to get testimony for their “enabling those with disabilities” shtick then I’d guess they wouldn’t stop at buying off blogger geeks. But be warned: should that be the case then you will lose your official status as a paranoid terrorist blogger geek conspiracy theorist… and that would mean no more Thursday night meetings at Joe’s Chili for you!

  30. You call it ‘fantasizing’, I call it ‘due diligence against a failure of imagination’.

    Let’s hope that those who prefer the comforting confidence that nothing will ever go wrong so severely that it cannot be rectified with impromptu ad hoc solutions (as easily as any contingency) are proven correct.

  31. Ronald Crane says

    Quote:
    ——
    Could there be a situation when the ease of conducting a credible Internet e-vote…
    ——

    Now you’re fantasizing again.

    Quote:
    ——
    …is such an advantage that it could become the only viable alternative?

    Consider a shortage of time and a potential decision by the state that an independent poll fomented civil unrest and/or was a seditious challenge to a democratically elected government.
    ——

    In that kind of situation your e-poll might feed the desire to overthrow the despotic government, but it would be only one among many reasons to do so. A State that must generally invoke “sedition” laws is already teetering on the brink of overthrow.

  32. “It would be unlikely to be as easy, but it would have significantly more credibility — in part because eligibile voters actually would have to show up to participate in a well-conducted paper-based parallel election. In contrast, a bot — or some hacker in Russia — might easily cast votes in an internet election.”

    Ah, so an Internet based e-voting system would likely be easier?

    That is interesting.

    (We’ll agree to disagree about whether an Internet e-voting system can be resistant to bots and hackers, and be credible despite not requiring physical turnout)

    Could there be a situation when the ease of conducting a credible Internet e-vote over a paper based one, is such an advantage that it could become the only viable alternative?

    Consider a shortage of time and a potential decision by the state that an independent poll fomented civil unrest and/or was a seditious challenge to a democratically elected government.

  33. Ronald Crane says

    Quote:
    ——
    Is it a better solution than paper?

    That’s more like the kind of discussion I was hoping for.

    A distributed e-voting system can be a single piece of software and can have frequently been used for other things (opinion polls, unofficial referenda).
    ——

    Then it has no more credibility than those other things, nor should it.

    Quote:
    ——
    In all circumstances would it be at least as easy to permit the populace to conduct an ad hoc paper based vote as it would be to conduct an ad hoc Internet based e-vote?
    ——

    It would be unlikely to be as easy, but it would have significantly more credibility — in part because eligibile voters actually would have to show up to participate in a well-conducted paper-based parallel election. In contrast, a bot — or some hacker in Russia — might easily cast votes in an internet election.

    Quote:
    ——
    If you already have a paper system in place, then presumably you don’t need a parallel one.
    ——

    Assuming you have a well-run, publicly-supervised paper system in place, then I think there’s not much need for a parallel system beyond that provided by exit polls.

    Quote:
    ——
    So the issue is only going to arise if an unsatisfactory e-voting system has been adopted and yet tolerance/apathy permits it because we are always assured “The bugs/irregularities will be fixed by next time/in the new version”
    ——

    I don’t think it helps to use another unsatisfactory e-voting system to check the results of the official unsatisfactory e-voting systems. We’d be much better off forcing our governments to replace e-voting systems with good paper systems, or working on nationwide citizen-conducted exit polls.

  34. Is it a better solution than paper?

    That’s more like the kind of discussion I was hoping for.

    A distributed e-voting system can be a single piece of software and can have frequently been used for other things (opinion polls, unofficial referenda).

    If you already have a paper system in place, then presumably you don’t need a parallel one.

    So the issue is only going to arise if an unsatisfactory e-voting system has been adopted and yet tolerance/apathy permits it because we are always assured “The bugs/irregularities will be fixed by next time/in the new version”

    So, at what point will the sleepwalker awake and challenge the validity of the voting system?

    In all circumstances would it be at least as easy to permit the populace to conduct an ad hoc paper based vote as it would be to conduct an ad hoc Internet based e-vote?

  35. Ronald Crane says

    Quote:
    ——
    I gave my ‘manned flight’ example to illustrate the thermodynamic doom of any attempt on my part to expend sufficient energy and explanation that I could convince every single all-comer to the discussion on this comments page that an open and distributed/de-centralised e-voting system was feasible.
    ——

    And yet you said that is was my job to “prove that it is fundamentally impossible to produce a voting system (transparent, accurate, secret) without involving a central trusted authority.”

    Quote:
    ——
    However, if despite the best attempts of detractors to prevent adoption of proprietary or centrally administered e-voting systems, they are adopted (to an ever greater extent), then I propose the unilateral adoption of an open and distributed/de-centralised e-voting system as a better solution (than revolution).
    ——

    But is it a better solution than conducting parallel elections (or official elections!) using paper? And what *is* your solution, other than a list of platitudes with a smattering of mostly-ineffective technical suggestions?

  36. Ronald, I have no need to insult anyone, nor any such inclination. And even if I did, I’d do it directly rather than by implication.

    I gave my ‘manned flight’ example to illustrate the thermodynamic doom of any attempt on my part to expend sufficient energy and explanation that I could convince every single all-comer to the discussion on this comments page that an open and distributed/de-centralised e-voting system was feasible.

    I could claim offense at your suggestion that I’d implied an insult against you, but somehow I think such an escalation would be an unproductive indulgence. 😉

    I am certainly not here to champion e-voting per se.

    However, if despite the best attempts of detractors to prevent adoption of proprietary or centrally administered e-voting systems, they are adopted (to an ever greater extent), then I propose the unilateral adoption of an open and distributed/de-centralised e-voting system as a better solution (than revolution).

  37. Ronald Crane says

    Quote:
    ——
    Necessity is the mother of invention.
    ——

    And still, despite numerous requests, you have not provided any argument showing that e-voting is necessary. Others, however, have provided good evidence that it is not necessary, and strong evidence that it is (and is likely to remain) insecure, and plausible reasons for why it cannot effectively be supervised by the vast majority of the public, and plausible arguments for why that should disqualify it from use.

    Quote:
    ——
    But, really, to many of those who doubt the feasibility of manned flight, nothing short of an aeroplane is going to make much headway.
    ——

    I’ll let the implied insult slide, and only note that doubt is the heart of science. Indeed, science considers only hypotheses that are susceptible of disproof. Everything else resides, at best, in the realm of speculative philosophy, if not the realm of pure faith.

  38. Why Ned, it would be my pleasure, however it may take me a little while. I’ll get back to you.

    Until that point, here’s a ‘for all intents and purposes’ one-way function:

    Take some DNA, generate a human being, add a bit of “I think therefore I am”, input a number, and the output is a digital snapshot of the neurological state of the brain.

    I think you’ll find it’s pretty tricky retrieving the original number given only that snapshot (not the being from which it was taken).

    While it may not be sufficiently one-way for your purposes. I think it’s sufficiently one-way for e-voting.

    Come the day we can nanotechnologically reconstruct human brains given a digital snapshot, we’ll have more to worry about, but by then I may well have arrived at the proof you seek – or proven that such a proof is impossible.

  39. Ned Ulbricht says

    Necessity is the mother of invention.

    Crosbie,

    Would you please give me a construction proof for a one-way function?

  40. Necessity is the mother of invention.

    It is legitimate to discuss whether there’d be mileage in an open and distributed/de-centralised approach to voting without having to provide a demonstrably correct proof that such a system can be implemented.

    Once one can establish that there could be a need for such a system, then one can inspire its invention (if you believe we do not yet possess the necessary technology) or its implementation (- if you do).

    I’m happy to entertain your arguments that there could never be a need for such a system.

    But, really, to many of those who doubt the feasibility of manned flight, nothing short of an aeroplane is going to make much headway.

  41. Ronald Crane says

    Quote:
    ——
    I’m not asking you to trust me, only suggesting that you consider a third alternative (unilaterally adoptable by the public) can provide a solution to preventing the adoption of an inferior e-voting solution (that is a million times worse by your criteria).
    ——

    If we’re into the realm of unilateral public adoption (which is an interesting idea), then we should adopt paper ballot systems. Indeed, the “parallel elections” movement (e.g., http://www.defendersofdemocracy.com/drupal/node/114 ), which aims to audit official elections, has widely (and probably universally) advocated hand-filled paper systems.

  42. Ronald Crane says

    Quote:
    ——
    ZapKitty, a comment stream is not the place to thrash out the design of an open and distributed voting system.

    For others to construct straw systems in order to knock them down as if by vague induction the entire proposition is invalid isn’t really helpful either.
    ——

    A comment stream is exactly the place to thrash out designs. If you cannot or will not provide one, but instead insist, without evidence, that a system satisfying your criteria is possible, you should expect a poor reception — especially from technorati. And if we are not permitted to construct straw systems in an attempt to make your vague ideas more concrete, there really is little to discuss. It would seem that all we might permissibly do is to pour praise upon your ideas and upon the faith that sustains them.

    Quote:
    ——
    I’m simply interested and curious about people’s reaction to considering such a system that has the characteristics I describe.
    ——

    Unless you plausibly describe how such a system might be built, only e-voting enthusiasts will be interested in rhapsodizing on its purely hypothetical characteristics.

    Quote:
    ——
    However, a complete prejudice against any system that involves computers seems to demonstrate a disagreeable lack of understanding, bordering upon the superstitious.
    ——

    It is not “superstitio[n]” to ask one who proposes an idea to flesh it out so that others may tear it to shreds. It’s called “science,” and it’s almost the polar opposite of “superstitio[n].”

    Quote:
    ——
    No-one’s going to participate in an open and distributed e-voting system unless there’s confidence in it. For one thing, you’d need a quorum anyway, i.e. at least 150,000,000 enthusiastic participants.
    ——

    This is just not so. It could be foisted upon us in the same manner as existing e-voting systems.

    Finally, you never did answer my question about the advantages you believe e-voting to confer that you believe to counterbalance its expense, security flaws, and lack of transparency.

  43. the_zapkitty says

    You say “It must be possible.”

    Yet you offer no insight into how this might be made to work, aside from exceedingly vague generalities and cries of “You just don’t get it.”

    The proof of the problems with e-voting machines lies all around us, in the smoking ruins of an electoral process that nevertheless couldn’t obscure the public’s overwhelming disgust with the current state of affairs.

    Yet you offer no clues, but just want others to leave your statement that essentially says “It must be possible!” standing unchallenged.

    Sorry, life doesn’t work like that 🙂

  44. ZapKitty, a comment stream is not the place to thrash out the design of an open and distributed voting system.

    For others to construct straw systems in order to knock them down as if by vague induction the entire proposition is invalid isn’t really helpful either.

    I’m simply interested and curious about people’s reaction to considering such a system that has the characteristics I describe.

    The current strategy in favour appears to be “Prohibit any computer based or assisted system of voting. Pencil, ballot paper/cubicle/box/station, and human counting is all that shall ever be permitted (with some postal votes).

    If that strategy is going to work, you’ve nothing to worry about.

    I’m simply presenting an alternative approach, one that by definition can only possibly work if everyone has confidence in it. No-one’s going to participate in an open and distributed e-voting system unless there’s confidence in it. For one thing, you’d need a quorum anyway, i.e. at least 150,000,000 enthusiastic participants. Remember, this would occur in parallel to the incumbent voting system until, if ever, it was considered superior.

    I think we all agree and understand why a proprietary e-voting solution is a step backwards.

    However, a complete prejudice against any system that involves computers seems to demonstrate a disagreeable lack of understanding, bordering upon the superstitious.

  45. There is no way that non-technical users can use ordinary PCs to vote securely, no matter what software they are running: someone can always produce a perfect copy and subvert the user’s screen and keyboard with it.
    The terminal is not secure and is therefore useless.

    They might be able subsequently to discover that the election has been subverted, but that doesn’t help: you have to run the election again, it will be subverted again, and you still don’t have a sound result.

    Paper ballots aren’t vulnerable to technological tampering, everyone can understand how they work, and they can be recounted. They work in a lot of countries, and are probably not much more expensive to administer (use volunteers) than the expensive e-voting systems.

  46. the_zapkitty says

    Crosbie Fitch Says:

    “At the moment it look’s like you’re going to have to trust Diebold and a few privileged auditors you can count on the fingers of one hand.”

    Actually, they’re not trusted anymore… in case you’ve had your TV turned off.

    In fact the current situation, where races hang in the balance for days and every close vote is questioned… this would have been unthinkable in the days when the Great Television Networks demanded results they could publish within hours of the election… and got them.

    E-voting: not trusted. Paper voting: trusted. “Paper trails” offered as a solution, but are the versions offered really just e-voting sugar coated?

    Unverified e-voting’s death knell has rung… although some are a little slow on the uptake 🙂

    The question asked of you is: why are you treating e-voting as inevitable? Sure, you believe it can be done reliably and securely… although you seem to be a bit fuzzy on the implementation… but he’s not asking about your religion 🙂

    He’s asking “Why e-voting? What has it got that paper can’t do more reliably, faster, and cheaper.”

    In you answer use the current e-voting solutions or practical alternatives as a starting point… not some pie-in-the-sky possible future solution.

    (What? You didn’t know there’d be a test? 🙂 )

    As a potential future dissertation you can try laying out the groundwork for a possible future e-voting plan… just don’t handwave such things around here days after e-voting machines did little tricks like disappearing tens of thousands of votes, flipping voter selections… you know the drill.

  47. At the moment it look’s like you’re going to have to trust Diebold and a few privileged auditors you can count on the fingers of one hand.

    Get back to me when you want an alternative that can be implemented by the public (and that one that involves no officials).

    I’m not asking you to trust me, only suggesting that you consider a third alternative (unilaterally adoptable by the public) can provide a solution to preventing the adoption of an inferior e-voting solution (that is a million times worse by your criteria).

    That you are so antagonistic to this possibility actually lends it credence, i.e. you fear it might actually work. If it is as patently unviable as you contend, then you have nothing to fear.

  48. Ronald Crane says

    Oh yes:

    quote:
    ——
    I’m proposing that one can distribute trust and authentication.
    ——

    Trust has no place in voting systems. They should be subject to audit by any citizen who wants to participate, and any citizen of ordinary intelligence and training should be able to understand and effectively audit every step of the voting process. Any other arrangement deprives citizens of their right (and make impossible the exercise of their duty) to supervise their governments.

  49. Ronald Crane says

    I’m sorry Mr. Fitch, but your task is to present a coherent, detailed description of the system you envision. It is not my job to develop your system for you, nor to debunk every insufficiently-developed e-voting idea that comes along. Still less is it my job to debunk all possible insufficiently-developed e-voting ideas.

    Quote:
    ——
    As to preventing vote sales or compulsion, I addressed that in an earlier comment (a few days ago) by suggesting the optional use of a silent passcode that overrided any existing/subsequent votes (without providing feedback).
    ——

    Then vote coercers and buyers will demand the silent passcode, provided on a medium most voters will be unable to fake (e.g., an official card containing the codes that officials mail to each voter).

    Again, what advantage does e-voting confer that you believe to justify its cost, security shortcomings, and transparency shortcomings?

  50. There is no central server. There are no election officials.

    All that is assured is that N people voted, and a count is provided for each of the options voted on, e.g. 5m voted red, 6m voted blue, 1m voted green.

    As to preventing vote sales or compulsion, I addressed that in an earlier comment (a few days ago) by suggesting the optional use of a silent passcode that overrided any existing/subsequent votes (without providing feedback).

    There are many potential systems and many of them can be flawed. It is not hard to propose flawed systems in order to demonstrated their flaws.

    Your task is to prove that it is fundamentally impossible to produce a voting system (transparent, accurate, secret) without involving a central trusted authority.

    I’m proposing that one can distribute trust and authentication.

  51. Ronald Crane says

    Mr. Fitch:

    Great. Assume I’m an attacker. I download the source, build a new version of the application that signs ballots favoring party A candidates with a bogus digital signature, and widely distribute it as if it were the official application. Many users use my application, which tells voters that the central server accepted their votes. But, in reality, the server didn’t accept them because they were all signed with bogus signatures.

    Later a few voters try to “assure themselves of the system’s veracity by checking their vote.” They complain, are told by elections officials that it’s a “glitch,” and are told to re-vote by downloading the official application. Some do. Most don’t, and party A loses many votes. No investigation is launched, in keeping with standard election practice.

    That’s just one scenario, and it assumes that it’s appropriate to allow voters to “check their vote.” Actually, this isn’t appropriate because it permits a voter to prove her vote to a vote-buyer or vote-coercer. My scenario also assumes that it’s appropriate to allow government to authenticate voters, thus easily tying each one to her ballot. This isn’t appropriate, because it, also, can lead to vote buying and vote coercion. And, in any case, if a voter can authenticate herself to the government, she easily can give her authentication information to a vote buyer or vote coercer, unless it it is obtained through some biometric means.

    Also, you didn’t answer the question about whether e-voting confers advantages sufficient to justify its cost, its transparency shortcomings, and its security shortcomings.

  52. Ronald, let’s assume that every voter has a PC and a piece of GPL software that presents them with a voting screen that let’s them produce a digitally signed/encrypted/certified file representing their vote.

    The non-technical user (99% of users) needs a way to be assured that that the (networked) program is bonafide and not a phishing impostor. The program also needs to enable the user to demonstrate they are who they say they are. 2-way authentication.

    The fact that the s/w is open source simply prevents a temptation to enjoy closed source’s ‘benefit’ of security through obscurity. It also exposes it to public hardening (given public attack & repair).

    This program can be available on all web terminals anywhere, and a user can assure themselves of the system’s veracity to some extent by checking their vote anywhere anytime (given immediate and continuous diffusion of votes).

  53. Ned Ulbricht says

    todd,

    From time to time, I’ve heard otherwise sober, sane and sensible engineers argue that the fault-free implementation of a specification in code is a correct program, i.e. has no bugs.

    Otoh, I happen to think that it’s sometimes useful to separate design fuck-ups into subtle and non-subtle classifications.

  54. Ronald Crane says

    “Open source” e-voting is an improvement over secret-source e-voting, but it is far from adequately secure or supervisible, particularly when conducted over the internet.

    There are several large loopholes in “open source” e-voting. For brevity, I’m going to concentrate on pollplace e-voting. First, there’s the issue of verifying that the executables used on election day actually were honestly produced from the publicly-reviewed sources. Assuming you solve that problem (and ignoring “Trusting Trust” attacks), a malicious operating system or device driver can simply replace critical portions of an honest executable with dishonest code, as can firmware and even hardware. Reducing the risk of these attacks involves not only use of open operating systems, firmware, and hardware, but also random forensic hardware inspections.

    The effective supervision of such a system comes down to the very small number of people who have the ability and the access to verify that the firmware and hardware are not malicious.

    This is a very difficult, expensive, and fragile way to do something that hand-filled paper ballots, poll-watchers, and hand audits accomplish more easily, less expensively, and far more transparently.

    What advantage does e-voting provide that justifies its costs?

  55. The thing is, we really have no way to know if there have been no major disasters. A precinct in Florida has no record of about 10,000 votes for their congressional district, even though votes were cast for governor and other ballot measures on those same ballots. Asking for a recount will get nowhere because there’s no record to recount.

    http://www.eff.org/deeplinks/archives/004993.php

  56. todd johnson says

    Ned, a “subtle bug” isn’t a bug with subtle consequences, it’s a bug whose origin in the source code is non-obvious.

  57. However, Ronald, if a voting system is actually in the hands of all of the people, then there will be sufficient numbers:
    1) To review source code
    2) To verify operation
    3) To attempt to break the system
    4) To detect breakage

    This disparate minority (say 1%) should be sufficient to convince the other 99% that the behaviour of the system, although technically sophisticated, provides them with confidence in its accuracy.

    At the moment we have 0.000001% of the population providing the above services (for obscure e-voting machines).

    Even a fairly transparent paper based system relies on only 0.01% of the population for verification.

  58. We actually have a good basis for a secure e-voting machine that provides a paper audit trail. I wrote this article about e-voting machines and election fraud back in February of 2005. You can read it at http://tinyurl.com/rpdm4

    Also, the error reported above sounds suspiciously like the reason that Diebold replaced a bunch of motherboards earlier this year.

  59. the_zapkitty says

    enigma_foundry inquired:

    “How common is it to have a choice between a touch screen and a paper ballot? Is this approach just limited to Saint Louis, or do other have a choice?”

    Hardly.

    Several jurisdictions have always offered paper, and some offered paper especially for this election.

    Despite the glad-handing the media gave the numerous problem areas, and despite Ed’s current concentration on more serious, innate flaws in the systems… a meltdown is a meltdown and the 7th was a meltdown.

    So not only did many areas hand out paper ballots as an option even with working machines, many more areas had no choice but to hand out or even improvise paper ballots because the machines were just AWOL.

  60. One comment, and a question:

    As a voter in Saint Louis Missouri, I have always had an option of using either a touch screen system, or a paper ballot (of the fill in oval variety)

    I have always chosen the paper ballot. I noticed in Tuesday’s election almost no one at my polling place was using the touch screens. It might have had something to do with the wide spread information about the problems with these machines.

    I doubt very much that the City of Saint Louis Board of elections will buy any more touch screen systems, as they were sitting unused.

    MY QUESTION: How common is it to have a choice between a touch screen and a paper ballot? Is this approach just limited to Saint Louis, or do other have a choice?

  61. Ronald Crane says

    Mr. Fitch, you’re telling us about all the great things your hypothetical internet voting system will do, but you’re not showing us how it will do them. Would you care to share the details of your solution? For example, would you show us how your system preserves voters’ privacy while also preventing large-scale vote selling?

    I would also point out that voting is not merely a computational or technical problem. It is a problem of self-government. If the vast majority of voters are forced to trust a system that they have no hope of understanding, they have thereby delegated their right (and abdicated their responsibility) to supervise the transfer of political power. The usual results of that kind of abdication are all too dismal and well-known.

  62. Wouldn’t the old electoral system be a much better fallback? It’s a lot easier to develop, it’s been tested for hundreds of years, and even in the unlikely event that everything about it is thrown away in the US, there are scores of other countries using it to learn from.

    Compare that to a hypothetical system that requires solving a bunch of extremely difficult, possibly intractable problems (how many man-hours have been unsuccessfully put into solving the spam problem, do you think?), and I personally think the choice is obvious.

  63. Er no, Arachnid. This system would be developed independently and there would be oodles of polls it could be interestingly tested with.

    If I was you I’d worry about the current e-voting system’s integrity and what happens when everyone’s burnt all the old ballot boxes, stationery, and procedural documentation – and then they discover a fault on the magnitude of an ‘election stealing’ event.

    I’m simply proposing a plan-B as a better fall-back.

    Unfortunately, even talking about such a system can be construed as sedition, but now that the Democrats are in power it should be safe eh? 😉

  64. So you propose to use the electoral system as a means of testing some brand new and completely untested technologies for the first time? When it was going to the moon, if something went wrong with your untested technology, a few astronauts, who knew the risks, might die. With this, if something goes wrong, someone can steal an election.

  65. Ronald, your last paragraph demonstrates precisely why Internet voting would be far more secure than a proprietary solution that can evade these problems through obscurity.

    We would also preclude vote selling, identity-theft, and every other possible failure mode.

    The superior skeptic would not itemise umpteen detectable modes of failure, but would demonstrate at least one mode of failure which can be proven undectable. 😉

    We should be able to solve what is essentially an extremely pure computational problem. I acknowledge its apparent intractability, but I can see no show-stoppers (not that that counts for much of course).

    And yes, a solution to phishing would be a spin-off benefit.

    This would be like getting a man to the moon and back again.
    Distributed, resilient systems.
    Decentralised, peer-to-peer accreditation and certification.
    Two-way (phish-resilient) authentication on public terminals.

    Imagine a web app that could provide superior voting accuracy and accountability than a physically ‘secured’ system.

    You’d probably end up solving the e-mail spam problem too.

    Online banking systems could integrate with this system too (once they’d seen it more resilient than their phish susceptible approaches).

  66. Ronald Crane says

    Step 1 in preventing such problems: don’t use e-voting machines. The ease with which they can be subverted (especially by insiders) far outweighs any potential benefits from their use. Instead we should use hand-filled paper ballots counted either by hand, or by machine and accompanied by random and directed hand audits. In either case, citizens should observe the ballots continuously from the opening of polls to the posting of the results outside each precinct and their phoning-in to the media.

    For the disabled who can’t use paper ballots without assistance, we have the Vote-PAD (http://www.vote-pad.us ), a noncomputational assistive device.

    As for internet voting, it only adds to the security problems inherent in poll-place e-voting. It doesn’t take much to imagine the host of voting-related viruses, spyware, and phish-mail messages that internet voting will spawn. And it enables large-scale vote selling, too.

  67. Step 1 in preventing such problems: Don’t use a multithreaded process on your voting machines.

  68. I don’t doubt there’s plenty of knowledge – I imply this in using the term cognoscenti.

    I have a doubt for action.

    Either the cognoscenti sit back smug in the knowledge of how to do better, and enjoy their excuse that action isn’t up to them but the appropriate public officials.

    Or, the cognoscenti take matters into their own hands and produce a better system as a fait accompli.

    Remember you have everything you could possibly need for a more secure system:

    1) 200,000,000 US internet users (66% of US population)

    2) Web terminals in uncountable public places

    3) Continuous stress by hackers to demonstrate security and resilience

    4) Vast computing and storage power

    5) Ample s/w development resources

    6) Assured transparency and public ownership of resulting system and software

    Perhaps this should be done now, so that there is an alternative when the inevitable corruption of the incumbent system leaks out from the panicked cover-up (some time in the not too distant future).

  69. Ned Ulbricht says

    (We don’t know whether Step 2, recording the vote, happened.)
    […]
    It’s hard to see how this can happen, absent a subtle, serious bug in this part of Diebold’s software.

    This is not a “subtle” bug. It is a blatant, neon-sign-waving bug.

    You are correct about the “serious” classification, though.

    It is engineering malfeasance when a voting system—a critical infrastructure—fails to provide the security property of assurance.
    Assurance is a generally-accepted property required in the design of all professionally-engineered critical systems. There is simply no excuse for not knowing whether or not the vote was recorded.

  70. The cognoscenti have suggested many improvements. Our Diebold paper has a long section on mitigation strategies, and there is a big literature on voting system improvements. Indeed, better voting systems are already on the market.

    What is lacking is not suggestisons on how to do better, but action by public officials to put better systems in place.

  71. So, is the ridiculously well tempered human tolerance for frequent computer failure good for democracy or not?

    If this level of failure is likely to continue for the foreseeable future (I bet it will), then is this a problem or not?

    Is there anyone apart from the cognoscenti who are going to do anything about it?

    And if no-one, are the cognoscenti going to be moved to produce a solution or are they just going to get smug on told-you-so credits?

    Or perhaps the Cassandras simply wait for the first hacked election…