Learn about Linux
Download Linux
Get Linux helpSpecial Offers
Feature
Proprietary voting computers: Threat or menace?
Share
Print
CommentsThere has been a great deal of noise recently about the evils of closed-source voting computers and how easy it might be to rig elections with them because their proprietary code hides miscounts from public view. It's a little shocking that government agencies like the Federal Election Commission and mainstream news media haven't paid more attention to this problem. But do voting machines in common use today really contain nefarious code that can change your vote after it is cast? And if they do, what are we going to do about it?
The loudest current voice on the voting machine fraud front right now is a Washington state publicity consultant, Bev Harris, who has let her PR business lay fallow for more than a year while working on a book called Black Box Voting - Ballot-tampering in the 21st Century.
During a telephone interview, Harris spoke most heavily about ES&S (Election Systems and Software), an Omaha, Nebraska company that uses the motto "Better Elections Every Day" and claims to be "the world's largest and most experienced provider of total election management solutions with over 74,000 systems installed worldwide."
ES&S has gotten a bit of journalistic attention in the past, and we're not talking about happy talk on the company's Web site but the fact that Nebraska Senator Charles Hagel owns an interest in the company, had failed to report that interest, which is not direct but is because of his stake in Omaha-based McCarthy Group Inc., a major ES&S investor, on financial disclosure forms, and -- this is the fun part -- was elected through the use of ES&S machines, which are in service in almost every Nebraska jurisdiction.
Not only that, Hagel was apparently chairman of an ES&S predecessor company, American Information Systems Inc., and has also served as president of McCarthy Group Inc.
(One news outlet that is unlikely to pry deeply into the Hagel/ES&S connection is Nebraska's dominant newspaper, the Omaha World-Herald; its parent company is another ES&S co-owner.)
| A bogus case of voting machine fraud |
|---|
|
It was the 1994 Maryland gubernatorial election. Democrat Parris Glendening beat Republican Ellen Sauerbrey by less than half of one percent. Sauerbrey screamed "fraud," claiming that thousands of ineligible voters -- all Democrats, of course -- had been allowed to vote, and also claimed that voting machines in (heavily Democratic) West Baltimore had been rigged by the (Democratic) election board to give extra votes to Glendening. The voting machine accusation centered on a particular polling place that turned in its results hours after others all over the state had completed their election day business. Sauerbrey and her supporters believed the reason results from that polling place were so slow in coming was that voting machine technicians were changing the ballots. These were mechanical voting machines, nothing computerized about them. Voters moved little levers next to their choice, and their vote was made final when they opened the privacy curtain. After the polls closed, election workers -- half-trained people from the community who got far less than minimum wage -- were supposed to open the machines, remove the (paper) rolls on which the votes were recorded, check the paper counts against the machine's reckoning, then fill out a stack of forms and transport the results by car to election headquarters downtown. To prevent fraud at the precinct level, it took two keys to open each voting machine; one in the hands of a Democratic election worker, the other held by a Republican. That night, in the precinct Sauerbrey claimed was the center of the fraud because it turned in its returns so late, the Republican election judge broke his key off in the machine. It took the voting machine technician several hours to dig out the twisted keystub, and that was the reason the results were so late. There was no Vast Left-Wing Conspiracy or evil Democratic plot at all, just a simple screwup -- and a screwup by a Republican, at that. I know all this because I was there, in person, watching the voting machine technician work. The next day I wrote an article for the Baltimore Sun about this non-fraudulent voting machine problem that led Ellen Sauerbrey to say nasty things both to and about me for many months afterwards. She took her 1994 loss with far less grace than Al Gore took his in 2000, to the point where many local commentators started calling her "Ellen Sour Grapes." Many voting fraud accusations turn out to be false alarms. This doesn't mean voting fraud doesn't exist -- especially in Baltimore, where one theory about famous resident Edgar Allan Poe's death (on an election day) claims he was given copious quantities of alcohol and possibly opium while he was taken from polling place to polling place and forced to vote over and over again, which hastened the poor, sick poet's demise. Unfortunately, we have no computerized voting records from Poe's time, so this story cannot be verified. - Robin 'Roblimo' Miller
|
Proving negatives
Perhaps Charles Hagel was twice elected Senator (by large margins) honestly. Perhaps his interest in the company that made the machines used to elect him has nothing to do with anything. But the suspicion is there and will always be there. And since the ES&S machines used to count the votes that elected Hagel are 100% proprietary, both software and hardware, and leave no 'paper trail' human auditors can use to verify their accuracy, Hagel will always have a cloud over him.
Last year Harris wrote a seminal article about the relationship between Hagel, ES&S, the ultra-right wing (and ultra-rich) Ahmanson family, and posted it on her talion.com Web site. Attorneys for ES&S sent her a letter demanding its removal, plus a retraction. Harris has neither removed nor retracted anything, and this material is now almost certain to find its way into her book.
Well-documented voting computer errors
Harris gave NewsForge three well-known instances of voting computer mistakes made in recent years that have drawn surprisingly little national media attention:
- A 100% error rate in an April, 1998 Orange County, California school bond election she says was reported by NewsBytes. According to Harris, "yes" and "no" votes were flip-flopped because of software errors, so every "yes" vote was recorded as a "no" and vice versa.
- In the Allamakee County, Iowa 2000 general election about 300 votes were fed into an optical scanner -- but it tallied 3.9 million. Harris says local election officials never found what the error was, but computer supplier ES&S replaced the machine.
- Baldwin County Alabama, November 2002: Harris says that in the Governor's race 6300 votes changed overnight, after the polls closed. She says, "the race had already been called for Democrat Don Seigelman, but in the morning suddenly it went the other way and Republican Bob Riley was governor. Don Seigelman took it to court, but there was no provision in the law for a recount..."
She also told us that if she wanted to rig a vote herself, she'd "go after the primaries" instead of general election results.
Not only that, she says the best -- and hardest to detect -- way to alter the results of a general election would be "to rig a heavily Republican district to go more Republican rather than to rig a Democratic district to go Republican."
And on the subject of government agencies in other countries buying voting computers from U.S. companies, she is adamant: "If I was in another country I would not buy voting machines from the U.S. unless they were open source."
Echoing this sentiment, James Love, director of the Ralph Nader-founded Consumer Project on Technology, had exactly two words to say when asked the best way to guard against voting computer fraud: "Open source."
Pernicious code?
Harris's publisher supplied NewsForge with several examples of code they say is used in ES&S touchscreen voting computers. The first snippet was unattributed Wine, and they thought it was being used in proprietary equipment against its licensing terms.
We turned to ace Wine coder Jeremy White, of CodeWeavers, for an opinion. He said it was perfectly okay for ES&S or anyone else to use that code, with or without attribution; that it was from 2001, when Wine still carried a BSD-style license, although there might be trouble if they updated to a 2002 or later version, since it would be under the GNU LGPL.
No smoking gun there.
Later Harris handed us more code to look at, this time code that perhaps allowed vote changes to be made. If so, this would be a real negative find. We showed this code (which you can inspect for yourself here) to several expert programmers. Here is what some of them had to say about these code samples:
- "From a quick 10-15 minute analysis of this code I can't see anything that would make me feel uneasy. I'm not sure why they decided to write their own registry editor when "regedit"/"reged32" comes standard on all windows platforms, even NT Embedded and I would guess XP embedded."
- "Aside from the code being ugly, poorly documented, and steeped in
Windows APIs, it seems fine. The code particularly in question (case
REG_MULTI_SZ in CRegistryEditor::DisplayKeyData in registryeditor.cpp)
is only for reading and displaying keys from the Windows registry - it
does not write to the registry, and it does not look like the coders
have left an opening for a buffer overflow. They count the number of
strings in the registry item, then allocate the total length of
strings plus 4 characters per string for padding. The only real way
to exploit this code would be to insert a nonstandard entry into the
registry, e.g. a non-null-terminated string (not sure if/how this is
possible, but it seems like the registry code in the MS APIs would
make damn sure things were valid before putting them in the
system-wide registry), spoof the software into thinking the key type
was REG_MULTI_SZ (not sure how/if this is possible either), and then
attempt to display that registry key.
"If this code is really in use at voter kiosks, I find it highly unlikely that it could be used to modify voter data."
- "The important stuff where the risks and dangers are present is the code
that stores, authenticates & audits the voting data. Code related to
these issues doesn't seem to be present on the above page.
"Regardless, you wouldn't catch me dead voting with any of these machines until somebody like Bruce Schneier takes one to bits & exhibits the strong crypto. If my precinct switches to them, I'll show up, sign off that I showed and leave without voting.
("Given the current dangerous political climate, I'd prefer if you would keep my identity in confidence- and if you use anything I said, I'd appreciate it if you'd also mention this as well.")
scoop.co.nz
The scoop.co.nz Web site is riding this whole story hard, with pieces by Bev Harris and a stack of links to other stories about potential voting computer problems, not to mention a study of Diebold voting computer system insecurities (PDF) unearthed by a team from Johns Hopkins University.
Naturally, one of the lead Scoop stories on the topic is by Bev Harris. In fact, a large percentage of the stories listed on the Scoop site's AMERICAN COUP "voting machine roundup" page were either written by Harris or contain material attributed to her.
This is not a knock: Harris and Scoop may be a tad alarmist at times, but they have certainly managed to get other media outlets (including the New York Times) interested in the idea of proprietary voting computers becoming fraud machines, so hopefully more journalists and even -- just maybe -- a government agency or two may start looking into the matter.
Is there a solution to the problem?
Voting fraud has been a problem since the first time a leader was chosen by putting colored pebbles in a box. Paper ballots can be miscounted, and there's always the old standby vote-rigging method of having a group of people cast multiple ballots at multiple polling locations.
Computers make vote tallying easier, which means they can make voting fraud easier, too. They also have the disadvantage that they are not transparent to everyone. A reasonable amount of honesty can be brought to a paper ballot counting process simply by allowing representatives from all interested parties to participate or observe. Security also enters the picture with computer voting in a way it doesn't with paper ballots, which can be moved under the eyes of many people to prevent theft or substitution instead of as nebulous bits and bytes through phone lines or other electronic communications channels.
Secrecy itself causes many of these concerns. If we all voted openly instead of casting secret ballots, everyone's vote would be obvious to everyone else. But there are many advantages to secret ballots, the primary one being lack of coercion; if the government doesn't know how an individual voted, it is hard to retaliate against that individual for casting a dissenting ballot.
The trick is to maintain the privacy of the individual voter while keeping the vote tallying process itself as open and transparent as possible. And no matter mow transparent that process is, there will always be ways to 'rig' it, including the infamous Florida Republicans' method of preventing unqualified voters (AKA "Democrats") from casting a vote in the first place.
(However, not all Florida jurisdictions are totally corrupt on the voting front. Manatee County, for example, uses an optical scan system that, even if it is flawed, still leaves a 'paper trail' that can easily be read by humans without computer help, which means fraudulent computer counts are relatively easy to detect and trace.)
But this article is about the voting process itself, not about voter registration decisions. And it's obvious that when it comes to counting votes, the more open the process, the more likely it is that the process is honest. When you look at vote counting from this perspective, it's obvious that James Love's "open source" solution is the only way to go. For all we know, Nebraska Senator Charles Hagel really was the popular choice there, and is not in office only because he is connected with the (proprietary software) voting machine company whose products were used to put him there.
Wouldn't an honest politician (like, presumably, Sen. Hagel) want the public to know he or she got into office fair and square? That there was no question of fraud in the vote tallying? If so, shouldn't all honest politicians be working hard to make sure all voting computers are 100% open on both the hardware and software sides?
Profiting from open source voting systems
Ideally, voting machine vendors sell a complete package including hardware, software, and service. None of the machine functions are exotic; everything from optical scanning to touch-screen kiosks are available on the open market and are used in many commercial applications. The software can be extraordinarily simple. All voting machines need to do is count votes, and the rest of the system only needs to be able to add the counts from a number of voting machines together and display the results in human-readable format.
These functions don't require Microsoft Access or Word or any other proprietary software whatsoever. They don't even require much of an operating system at the polling place level, where nothing happens beyond basic counting followed by (hopefully secure) transmittal of that polling place's results to a central location either electronically or physically via some sort of removable storage medium.
And don't forget production of a physical paper record of some sort. Many voting machine companies and the jurisdictions that buy voting machines claim that adding paper and printers to the system increases the chance of mechanical breakdowns and therefore can lead to counting delays, not to mention the added cost of having skilled repair technicians standing by on election day to correct inevitable (mechanical) printer problems. But that "paper trail" is the ultimate in accountability, and one would think someone like Sen. Hagel would want one available so that no one could ever question the legitimacy of his election.
So why can't voting machine companies produce simple, reliable packages that run on open source software? It's being done in Australia, by a government agency, no less. Surely American entrepreneurs can operate more efficiently than a bunch of government flogs! We hear over and over again in the U.S. about the superiority of private companies over governments, so all these American voting machine companies certainly ought to be able to come up with open source, transparent, easy-to-use, easily maintained voting systems without turning a hair, and each company should be able to find a way to differentiate itself from its competitors without resorting to 'secret sauce' nonsense as if they were all selling low-nutrition snacks instead of acting as the guardians of the republic's most necessary political function.
And if current voting machine companies can't handle the basic task of producing simple, honest, and open vote-counting systems, the American way is to start new companies that can do it. We can expect all honest election supervisors to choose the best, most open, most honest systems, of course, because they are the people specifically responsible for making sure we have fair and honest elections.
Does anyone really care?
Only about 51% of the eligible U.S. population bothered to cast a ballot in the last presidential election, and this was not an extraordinarily poor showing by historical standards, as this chart shows.
A look at this more detailed chart shows that more eligible voters stayed home than voted for Al Bush and George W. Gore (or whatever their names were) put together.
This is for the general election in a presidential year!
In primaries, off-year congressional races, and strictly local elections, turnouts in the sub-30% range are depressingly common, and in some jurisdictions we see fewer than 10% of eligible voters exercising their franchise in these 'minor' elections.
Perhaps this is why there hasn't been more care and attention paid to the mechanisms we use to tally our votes: That most people simply don't care enough about voting to make the process itself an important issue.
And this, sadly, is not a problem that can be corrected merely by making sure all voting computers run honest, open source software, even though this is certainly a worthy goal in a purely ethical sense even if a majority of the electorate doesn't care one way or the other.
Comments
on Proprietary voting computers: Threat or menace?Note: Comments are owned by the poster. We are not responsible for their content.
Either way, the guy casting his vote will have doubts as to the legitimacy of the process.
A voting machine is not a general-purpose machine that can be re-programmed easily. (Or, it shouldn't be; that's a disaster regardless of the software:)
You're perfectly correct that there must be some way for precinct officials to verify the integrity of the software (the actual binaries loaded into the machine at poll time), but your concern -- that open-sourcing those binaries makes the process easier to subvert -- doesn't seem well-founded to me. In any case, binaries can be decompiled easily, so I don't see that closed-sourcing would provide any safety over open-sourcing, given your tacit assumption that users (precinct officials) can modify the actual binaries in a voting machine.
Again, it's insane to deploy computerized voting machines where the software isn't rigorously protected by the hardware -- read only (for verification), locked inside a strong metal box, etc. But in combination with hardware security measures, open-sourced operating code provides important evidence of trustworthiness and reliability, rather than being a back door to election fraud.
Regards,
TCP/IP Freely
here's some arguments about your "not be able to easily modify" comment:
-slapper
-code red
-every IIS vulnerability ever found
-latest IE buffer overflow
the fact is, having the source closed is more of a security threat because of the limited number of eyeballs to find the holes.
also, note that all ATM machines are easily programmed, but not from the keypad. if there's no keyboard, there's no re-programming anything, period.
whether it's open or closed source, one can assume that reasonable physical security measures would be taken with voting machines.
The right way to do computerized voting would go something like this:
Certified hardware that can only run "signed" code. The Signer must be a non-profit that is completely open in process and will only sign "open source" code. The process of compiling that code must be spelled out and the hash of the resultant binary must be available, both from the signer and at the voting booth from the certified hardware (available to all voters in a predetermined way). This would allow anyone so inclined to audit a voting booth and know with certainty that the software running there exactly matches a particular open-source software distribution.
But this is not enough. Voters need digital identities if this is to work correctly. They need to be issued digital certificates from a government agency. Each and every vote should be signed by the key associated with these government issued certificates. Signing a vote does not compromise anonymity - but it does allow for auditing by the voter. Here is the scenario:
John Smith goes to the local department of motor vehicles and gets his new drivers license which contains a smartcard signing chip (private key and signing logic + digital certificate issued by state).
later that year, John goes to vote in the presedential election. John is a computer consultant and being curious about such things, he had printed out the hash of the current voting software, downloaded the open source software, compiled and generated the same hash. Satisfied that he knew the correct hash, at the poll, before casting his vote, John goes and sits down at the terminal of the voting computer. John had read that this certified hardware can only run signed code and the terminal allows a limited set of interactions to interrogate the system. He quickly verifies that the hardware is running the software that matches his printed out hash.
Satisfied, John goes into the pollbooth and inserts his drivers license (smartcard). Each issue and individual that he votes on is signed and associated with a unique number, which is both stored on his smartcard and printed out for John. At the end of the session, the unique numeric identifiers for John's votes are printed out for John, along with a URL where all signed votes can be found by those identifiers. John goes home.
Later that week, John goes to the election website. Through this website, every vote cast can be interrogated. Each vote is associated with a unique identifier and is signed. The signatures, however, do not include signing certificates (they are simply encrypted hashes of the votes), this makes it impossible for anyone to trace backwards from a vote to an individual. However, John can verify that his vote is there and that it is exactly as he cast it by verifying that his signature on that vote is correct.
In fact, if John is really curious, he can download the entire election database and do a recount himself. While he cannot verify all the signatures, he can examine such things as district computers signing batches of votes, ensure that every vote came from a certified hardware device with the correct hash, etc..
This type of system is not perfect, but it is close. The three weaknesses are (1) Certified hardware [ can certified hardware be compromised? probably, but it is an issue of making it too expensive and difficult to get away with ], (2) Smart-card issuance (how to ensure that an extra million of these buggers aren't printed, or one super-card created with a million keys). This can probably be resolved by having an independant auditing body keep CRLs or equivilent., (3) Identity theft<nobr> <wbr></nobr>.. Cannot be protected from, reasonably... But should not be a big enough issue to cause problems.
My translation: Concern over the integrity of computerized voting machines is a paranoid conspiracy theory. (Apologies if I mis-paraphrased, but it's the natural interpretation of your glib post.)
There's a big difference between skepticism (which is falsifiable) and a conspiracy theory (which isn't). Openness in the design and implementation of computerized voting machines allows the public to falsify concerns of fraud perpetrated by politicians, the manufacturers of said machines, and the alliances between said parties.
It doesn't help to blur the distinction between skepticism and conspiracy theories; you're suggesting that anyone who doesn't accept the status quo is intellectually unreliable.
Cheerio,
TCP/IP Freely
the fact that we don't have computerized voting machine ALREADY is one that boggles the mind. it is only due to paranoid theories that we don't have them.
we have computers managing the national treasuries, social security, and airline safety...after the last presidential election...can we afford NOT to have computers running the voting ? come on.
The article was meant to point out the key problems -- I don't understand why you call the facts theories. Risk is high-stakes here next to social security, which is why higher verifiability and security in the process is important.
"The price of freedom is eternal vigilance."
Our nation was founded by conspirators, just like every other country that was started via revolution.
Guess what? The Trilateral Commission and the Council on Foriegn Relations are perfectly real organizations, not creations of the inflamed imaginations of the Religious Right. www.trilateral.org and www.cfr.org will tell you in mind-numbing detail what they'd like you to know about them. Real agendas? Good luck if you pursue that question and it was nice knowing you.
Adam Smith (Economist and Philosopher 1723 - 1790) said "People in the same trade seldom meet together even for merriment or diversion, but the
conversation ends in a conspiracy against the public and in some contrivance to raise prices."
Voting without a visible audit trail is an invitation to fraud. Good story, and one I want to keep an eye on.
imagine if the 'audit trail' can not only give you a vote tally, but the date/timestamp of every authorized person who accessed the internals, moved the system geographically, and had failsafe electronic locks.
Simple matter to change that law to include voting machines, and the voting software? Why can't we vote electronically, via internet, from any computer, (and, telephone?) like they do in India?
I don't find it shocking at all. The Feds seem to like the system just fine, thankyouverymuch, and the media is too busy following Kobe Bryant's penis around. And as you say, half the population didn't even bother to voice their preference for the POTUS.
I'm afraid the ugly truth is that nobody gives a rat's ass who the president is, or how he gets into office.
Roblimo, I mean to tell you this with the utmost respect, but for heaven's sake please, get a clue.
Any government administration, regardless of political party, will see this as an opportunity. The idea that the FEC is immune from partisan politics is beyond absurd. The media swings left, and the left is probably already calculating ways to steal elections. This would be a lot easier than registering dead voters.
As opposed to the right, which has already accomplished that feat in the last Presidential election, and is doing their best to gerrymander districts in Texas right now for good measure.
Did you actually read the Supreme Court decision of Bush v. Gore (it's a boring, long pdf available at the scotus website), or are you a sheep who believed the tv media that Bush "stole" the election?
As much as I dislike Bush, at least I can say he's legitimately elected, instead of some sheep.
I heard your sheepish "baaaaah" when I read your response.
www.harrybrowne.org
Auditory hallucinations are a troublesome thing, sorry that you suffer from them. But I am glad to see that you are willing to treat the subject in a "fair and balanced" manner.
Sort of like Fox News.
http://www.doonesbury.com/strip/dailydose/index.h<nobr>t<wbr></nobr> ml?uc_full_date=20030727
GORE *VIDAL* in '04!!!!
congratulations, you've exposed your ignorance
Posted by: Anonymous Coward on July 30, 2003 04:45 PMThe complaint I've read about the "liberal" media at left-wing sites is that they uncritically repeat the GOP Administration party line. How many mass media outlets were raising serious questions about the evidence the neocon loonies were using to build public support for the war in Iraq?
The media is frequently perceived as liberal because whether they want to or not, because they are frequently forced to report the ugly results of GOP activities in order to retain their public credibility.
Anyone who talks about the "liberal" media is automatically suspected of using Rush Limbaugh as a substitute for critical thinking. But being that kind of person, you won't check for yourself, you'll just keep whining about a phenomenon that only exists in the imaginations of knee-jerk Republicans.
What's the REAL "liberal media agenda"?
That secret got out generations ago.
"Fascism should more properly be called corporatism because it is the merger of state and corporate power." - Benito Mussolini. (from Encyclopedia Italiana, Giovanni Gentile, editor).
Re:congratulations, you've exposed your ignorance
Posted by: Anonymous Coward on July 30, 2003 10:47 PMWhat a clod. At least the libertarians are honest.
I don't trust ANY electronic system for voting. If there is an error/bug or nefarious tampering, there is no way to check it, no way to count votes manually. There is no paper trail, no hard record, that can be gone back to and counted/examined to make sure that X many votes did go to candidate A and X many votes to candidate B, etc. All you have is the suspicious tally in bits on a computer. It isn't real and cannot be trusted. A recount is pointless if using all-electronic ballots.
No thanks.
HMMMM Lets keep looking and reading
And as far as why people aren't voting, I think it's not so much that they don't care as they're smart enough to realize that their vote doesn't count for much. It doesn't really matter which party you vote for if you're not a member of one of the special interest groups. Perot discovered just how many desperate voters are out there to his horror when he first jokingly decided to run for president.
The Republicans are for the wealthy - the Enron executives - the copyright thieves (like the RIAA), and the religious members of the American Taliban. The Democrats are no better - if you're not part of big labor or the Israeli lobby, or the black caucus, they're not for you. Remember, it's the Democrats who made the IRS the gestapo that they are.
It's no wonder people don't bother to vote.
I read this web page for software news - not a Republican bashing (and I'm Independent - and this idiot is part of the reason why).
come on. there's no mud-slinging in this article, and you know it. it's hardly bashing Republicans. as for having a sidebar firsthand account, it's hardly narcissictic. take a look at any newspaper....right or left. it's done everywhere. don't bring politics to this discussion.
it's about the merits of computerized voting machines. and if you think that the left are the only ones who think it's a good idea, think again. both the Left and the Right want to make elections an efficient process, not a cumbersome one.
computers can count votes efficiently, be secure, and improve the process, if it's done correctly. that is a fact. how it's done and by whom is the question.
It was done in 6 months for less than $150,000 US too (Australian Software Engineers cost a lot less than US ones).
>Improvements Pty Ltd, not by a Government Agency.
This is not quite the whole truth.
The original tender bid was put together by a
team that consisted of approximately 6 people
from Linuxcare (Australia), approximately
2 people from Software Improvements, and
exactly 2 people from the Australian
National University (ANU). I was one of the
two people from the ANU.
Linuxcare put in a huge amount of effort for this
bid, and much of the initial design was due to
them. My personal opinion is that our team would
not have won the bid without them. This is where
the push for open source originated.
Unfortunately, almost immediately after we won
the bid, Linuxcare Australia disappeared in the
dot com crash and its people went off to work
for other companies.
For practical reasons, the ACT Electoral
Commissioner then made Software Improvements
the main contractor, and the ANU people and
the various Linuxcare people subcontracted
to Software Improvements.
There is no doubt that Software
Improvements did a very professional
job of engineering the software. But
it is not really correct to say
that "eVACS was designed and built by Software
Improvements Pty Ltd". A huge amount of
the design effort from Linuxcare, and some
smaller contributions from the ANU, are
invisible because of circumstances.
That was, until Rebecca Mecuri, an electronic voting researcher from the University of Pensylvania (http://mainline.brynmawr.edu/~rmercuri/ ) contacted us, pointing out that the compiling step is just as vulnerable as the coding process: Reflections on Trusting Trust ( http://www.acm.org/classics/sep95 ).
This revelation has led us to separate the coding and compilation steps in future.
She also posited the indispensibility of a voter-verified audit trail, and I am now swayed to this position. Voters should be under no obligation to trust anyone outside of an independent and accountable Electoral Organisation, especially software developers like myself.
Open Source code is necessary for a transparent Electoral Process, but not sufficient.
In fact, as Mercuri surely pointed out to you (and the Thompson talk demonstrates), the compilation step is in some ways more vulnerable than the coding process, because subversion is so much more difficult to detect. Of course, the specific attack described by Thompson works because the trojan has a straighforward but hardwired way of deciding when to infect the code it's asked to compile, and the attack affects <tt>login</tt>, a widely compiled program. More work is required to craft an attack to subvert code written for voting machines (say), both because the trojan must be more intelligent about deciding when to activate, and because an attacker would have to trojan an entire compiler lineage in order to infect a single program compiled by a single company. A far more present danger is that the voting machine software vendor's development machine gets rooted...<nobr> <wbr></nobr>:)
I'd be very interested to learn more about how the eVACS Project proposes to deal with the possibility of trojaned binary utilities, since it's an issue that (as you say) affects even the free software movement, to say nothing of entities that must create reliable software for banking, trading, voting machines, medical hardware, air traffic control, nuclear power plants, etc. Is there a niche for "pedigreed" compilers, ones that can be guaranteed to have been generated from untrojaned assembly and human-readable sources? Do such things already exist?
Best regards,
TCP/IP Freely
It would have to be an inside job, and the compiler or PERL or whatever would fail an MD5 check from the distro. Not that anyone does these, but there's a good reason.
As for hacking the microcode of chips, again, this would take significant preparation and would have to act very specifically. I can't see how this could be done given electoral candidates may not be known until a few weeks before the ballot. By this I mean we can't write a Trojan that is to switch votes as we don't know who's up.
I think a possibly more likely one might be to write a virus that hacks the JVM binary on a voters PC. The binary then mis-executes a Java mobile voting client (lets say we are using a Java PKI client).
However, this requires open source Java voting client (so we can see how to mis-execute its byte codes) and the ability to have the java bytecode execution system mis-execute some bytecodes and not totally break the applet. We also need to be sure that we are going to get the bytecodes we are after - that the OSS voting client has been compiled with the right Java compiler. Heck, we might trip up on someone else's Java compiler Trojan!
Can someone please elaborate on Ms. Mercuri's point? It feels like scaremongering.
Tar,
-fvxz
Bruce Schneier in Counterpane crypto-gram says!
Posted by: Anonymous Coward on July 30, 2003 09:56 PMhttp://www.counterpane.com/crypto-gram-0012.html#<nobr>1<wbr></nobr>
see also...
http://www.counterpane.com/crypto-gram-0102.html#<nobr>1<wbr></nobr> 0
"...pundits have called for more accurate voting and vote counting. To most people, this obviously means more technology. But before jumping to conclusions, let's look at the security and reliability issues surrounding voting technology.
The goal of any voting system is to establish the intent of the voter, and transfer that intent to the vote counter. Amongst a circle of friends, a show of hands can easily decide which movie to attend. The vote is open and everyone can monitor it. But what if Alice wants _Charlie's Angels_ and Bob wants _102 Dalmatians_? Will Alice vote in front of his friends? Will Bob? What if the circle of friends is two hundred; how long will it take to count the votes? Will the theater still be showing the movie? Because the scale changes, our voting methods have to change.
Anonymity requires a secret ballot. Scaling and speed requirements lead to mechanical and computerized voting systems. The ideal voting technology would have these five attributes: anonymity, scalability, speed, audit, and accuracy -- direct mapping from intent to counted vote".
---Please read the rest of the url for the real answer to this problem, as discussed by a guy that has more than a few ideas about computer security and how this plays when mixing voting and computer security together.
I'm getting tired of seeing the media tout "voter apathy" as a problem unto itself. Maybe we should be looking at why people don't care enough to vote. If people are disillusioned by the system, we should be asking "what's wrong with the system" instead of "what's wrong with the people". Many people think it doesn't matter who's in office. Many think their vote doesn't matter, for whatever reason. Many think the people in power don't represent them. What's worse, they are probably right. Fix the system, then maybe people will care enough to take part in it. Then you can worry about how the votes are cast and counted.
Except that making sure the votes are cast and counted correctly is part of what needs to be fixed. If people don't think their votes are being counted correctly, they don't have much motivation to vote.
I mean, we're talking about half the eligible voters not taking part in the single most important election in the country. With the sheer number of methods used, I find it hard to believe that all these people are dissatisfied with they way their vote is cast.
I gave it a shot and tried calling around to various state and federal groups and am awaiting a call back from the people who can release these reports from both levels. In my state, Georgia, there is a state body - Center for Election Systems at Kennesaw State University which plays some role in setting up voting systems. The good news is that it is headed by a Professor of Computer Science, however it appears that this body does more to provide operational assistance with the voting machines. I have not found any information that stated that they have done a security analysis of the source code. I have found information that states that they provide some measure of operational security (verifying that the code on the machines is what it should).
On another topic I was also there for that election in MD. I saw evidence of voter fraud myself. I volunteered to verify voting records [disclosure: it was a completely Parisian effort to support the Republican candidate] and found many, many examples of 4-6 people registered to vote from vacant and even destroyed residences as well as commercial buildings, all in areas that voted heavily for the other side.
The point being, there are many paths to election fraud, regardless of what system is in place. Perhaps before us geeks get too worked up about the problems with electronic systems, we should look at what problems existed in the systems they replaced?
Both Diebold and various election officials have pointed to the existing state and federal certification process as justification for their confidence in this system. Has anyone attempted to obtain a copy of the federal and state government reports on this voting system?
Yes, Harris has tried to run down the cerfication process. It leads to a private company called <A HREF="http://www.electioncenter.org/" TITLE="electioncenter.org">Election Center</a electioncenter.org> which sets the certification standards. A company called Ciber Labs actually checks the code. However, Ciber Labs will not answer any questions about the process nor even tell us whether they actually see the source code.
Election Center is run by R. Doug Lewis, and Harris had a very interesting <A HREF="http://blackboxvoting.com/modules.php?name=News&file=article&sid=3" TITLE="blackboxvoting.com">interview with him.</a blackboxvoting.com>
My favorite quote from Mr. Lewis is found in an <A HREF="http://www.salon.com/tech/feature/2003/02/20/voting_machines/index2.html" TITLE="salon.com">article in Salon.</a salon.com>
Lewis says that if you have "malicious code in the system" -- such as a simplistic virus, perhaps, designed to change a vote cast for one candidate into one for his opponent -- the code will be caught in the testing phase of the certification process: "It will not compile right. The testing itself would discover this."
Ever hear of a compiler with a morality module?
In my state, Georgia, there is a state body - Center for Election Systems at Kennesaw State University which plays some role in setting up voting systems. The good news is that it is headed by a Professor of Computer Science, however it appears that this body does more to provide operational assistance with the voting machines.
Ahh, Georgia. Check this <A HREF="http://blackboxvoting.com/modules.php?name=News&file=article&sid=1" TITLE="blackboxvoting.com">interview with Dr. Williams.</a blackboxvoting.com>
A whole question about Georgia can be found <A HREF="http://blackboxvoting.com/modules.php?name=News&file=article&sid=29" TITLE="blackboxvoting.com">here.</a blackboxvoting.com>
The point being, there are many paths to election fraud, regardless of what system is in place. Perhaps before us geeks get too worked up about the problems with electronic systems, we should look at what problems existed in the systems they replaced?
Agreed, but as the new system eliminates paper ballots, i.e. any method to conduct a believable recount, it is much worse than the current system with paper ballots. Like the perfect murder, voter fraud by data alteration is undetectable.
I have been assured that the ITAs do preform a line by line security audit of the code for electronic voting machines. I do find it very very odd that no media source has reported the contents of this certification report or even mentioned attempting to obtain a copy of the report. After a few calls I was able to find someone who told me they would get me a copy of the report, which makes me think the media is being rather lax or there is something even fisher going on.
Here's a thought:
The voter makes their selections on an electronc voting device (open source if you'd like) and inserts a card into a slot to be printed on(much the same way one would validate a pre-purchased ticket at a transit station) and then looks at the card. The would then confirm on the electronic system that the printed selections are correct, and drop the card in a ballot box.
Now you have the validated electronic votes for instantaneous counting, and you have the paper ballots to come back to for audits and recounts.
Are the printers going to periodically break down? Sure. Just make it a small USB device and keep spares on hand. If one breaks down or runs out of ink or whatever you just hot swap it with a spare. No specialized technical knowledge is necessary, any old poll clerk can manage that (provided they can figure out how to plug a cable into a box).
I mean - c'mon, no wonder you've got a trade deficit and debts coming out of your ears...
In January, 2002 the State Elections Board approved two closed source touch screen voting systems, the ES&S Votronic DRE and the GBS Accu-Touch EBS 100 DRE.
This spring I raised the system integrity issues with the Board, and persuaded them to <A HREF="http://elections.state.wi.us/board_materials/26March2003/Rpt%20on%20Voting%20Equipment%20Certification3-26-03.pdf" TITLE="state.wi.us">revoke the certifications.</a state.wi.us>
The source code mentioned in the Johns Hopkins' report, which was found to be completely porous, appears to have passed the certification process.
Also, how do you conduct a recount if the machine screws up the votes without a paper ballot to look at?
David Allen
Publisher, CEO, Janitor
Plan Nine Publishing
1237 Elon Place
High Point, NC 27263
http://www.plan9.org
The problem is not too FEW voting it's too many!
Until we have INFORMED voters at the polls we will continue to get the candidate who "looks good" or isn't "too old" or "is charming" rather than one who is best for the job.
--
<A HREF="http://www.mutley.uklinux.net/" TITLE="uklinux.net">www.mutley.uklinux.net</a uklinux.net>
Baby Ruby says <A HREF="http://www.mutley.uklinux.net/Ruby/Grandma%20&%20Noisey%20Ruby.html" TITLE="uklinux.net">"bwarghhhhh!"</a uklinux.net>
Threat to freedom.
Posted by: Anonymous Coward on July 29, 2003 09:48 PMThere are many motives for subverting elections, and it will happen. It is more difficult, although obviously not impossible, when a paper trail exists. But even though it isn't perfect, because it is more difficult to subvert paper balloting results, paper is the better solution.
Any closed source election software is a risk in this application, and a corporation large enough to influence national policy through conventional means, will be tempted, sooner or later, to decide elections without regard to the will of the electorate.
Paper is the way to go.
#