/. [Voting Isn't Easy, Even if Cheating Is]

Eugen Leitl eugen at leitl.org
Tue Aug 1 23:47:59 PDT 2006


Link: http://slashdot.org/article.pl?sid=06/08/01/191235
Posted by: timothy, on 2006-08-01 20:02:00

   The Open Voting Foundation's disclosure that only one switch need be
   flipped to allow the machine to [1]boot from an unverified external
   flash drive instead of the built-in, verified EEPROM drew more than
   600 comments; some of the most interesting ones are below, in today's
   Backslash story summary.

   Expressing a common sentiment, reader cmd finds nothing innocent about
   the inclusion of such a switch:

   Diebold also builds automated teller machines (ATM), the definitive
   model for reliability and accountability.

   The AccuVote machines are what they are, not due to poor design or
   unintentional mistake. They are the result of a [2]deliberate intent
   to enable fraud on a massive scale. Viewed from this perspective, the
   AccuVote design is very good. The real problem comes when Diebold
   realizes that it needs to become better at obfuscation and makes it
   harder to detect the fraud.

   "Electronic voting machines with no paper trail are an [3]insult to
   democracy," writes pieterh. "That they come with switches to bypass
   even the dubious 'safeguards' provided is hardly a surprise."

   Paper trails, of course, are only as good as the people guarding the
   paper; readers familiar with more recent allegations of vote
   manipulation may be interested in the [4]1946 confrontation in Athens,
   Tennessee (pointed out by reader William J. Poser) between WWII
   veterans and the election officials.

   Reader Soong, though, provides a conspiracy-free explanation for the
   presence of such a switch:

   The ability to boot from different sources is a [5]normal debugging
   feature, not in itself sinister. Should they have cleaned that up on
   the production model? Yeah, sure. But verifiability is ultimately a
   human concern anyway, not a tech one.

   It all comes down to who you trust.

   If you don't trust the polling place, make the voting machine tamper
   proof. But then you have to trust the guy who built the voting
   machine. You have to trust the guy who loaded the software on it at
   the factory or the elections office. You have to trust the guy who
   wrote the code. Even if you inspected the code, you have to trust him
   to give you a binary based on that and not pull a fast one. You have
   to trust his compiler to give him a binary without compiled in back
   doors. I feel like I probably haven't listed all the points where this
   voting machine chain of trust can break down.

   Several readers pointed out that voters might better trust the
   machines as well as the process of electronic voting if regulation
   were more rigorous; as reader Animats puts it, "[6]slot machine
   standards are much tighter":

   The Nevada Gaming Control Board has [7]technical standards for slot
   machines. They've had enough fraud over the years that they know what
   has to be done. Some highlights:
     * ... must resist forced illegal entry and must retain evidence of
       any entry until properly cleared or until a new play is initiated.
       A gaming device must have a protective cover over the circuit
       boards that contain programs and circuitry used in the random
       selection process and control of the gaming device, including any
       electrically alterable program storage media. The cover must be
       designed to permit installation of a security locking mechanism by
       the manufacturer or end user of the gaming device.
     * ... must exhibit total immunity to human body electrostatic
       discharges on all player-exposed areas. ...
     * A gaming device may exhibit temporary disruption when subjected to
       electrostatic discharges of 20,000 to 27,000 volts DC ... but must
       exhibit a capacity to recover and complete an interrupted play
       without loss or corruption of any stored or displayed information
       and without component failure. ...
     * Gaming device power supply filtering must be sufficient to prevent
       disruption of the device by repeated switching on and off of the
       AC power. ... must be impervious to influences from outside the
       device, including, but not limited to, electro-magnetic
       interference, electro-static interference, and radio frequency
       interference.
     * All gaming devices which have control programs residing in one or
       more Conventional ROM Devices must employ a mechanism approved by
       the chairman to verify control programs and data. The mechanism
       used must detect at least 99.99 percent of all possible media
       failures. If these programs and data are to operate out of
       volatile RAM, the program that loads the RAM must reside on and
       operate from a Conventional ROM Device.
     * All gaming devices having control programs or data stored on
       memory devices other than Conventional ROM Devices must:
         1. Employ a mechanism approved by the chairman which verifies
            that all control program components, including data and
            graphic information, are authentic copies of the approved
            components. The chairman may require tests to verify that
            components used by Nevada licensees are approved components.
            The verification mechanism must have an error rate of less
            than 1 in 10 to the 38th power and must prevent the execution
            of any control program component if any component is
            determined to be invalid. Any program component of the
            verification or initialization mechanism must be stored on a
            Conventional ROM Device that must be capable of being
            authenticated using a method approved by the chairman.
         2. Employ a mechanism approved by the chairman which tests
            unused or unallocated areas of any alterable media for
            unintended programs or data and tests the structure of the
            storage media for integrity. The mechanism must prevent
            further play of the gaming device if unexpected data or
            structural inconsistencies are found.
         3. Provide a mechanism for keeping a record, in a form approved
            by the chairman, anytime a control program component is
            added, removed, or altered on any alterable media. The record
            must contain a minimum of the last 10 modifications to the
            media and each record must contain the date and time of the
            action, identification of the component affected, the reason
            for the modification and any pertinent validation
            information.
         4. Provide, as a minimum, a two-stage mechanism for validating
            all program components on demand via a communication port and
            protocol approved by the chairman. The first stage of this
            mechanism must verify all control components. The second
            stage must be capable of completely authenticating all
            program components, including graphics and data components in
            a maximum of 20 minutes. The mechanism for extracting the
            authentication information must be stored on a Conventional
            ROM Device that must be capable of being authenticated by a
            method approved by the chairman.

   Those standards cover the possibility of an "alternate program" in a
   slot machine, and provide a way to check for it, with logs and an
   external program check capability.

   The Gaming Control Board of Nevada was asked to take a look at
   Diebold, and Nevada rejected Diebold equipment as a result.

   Voting machines need tough standards like that. They don't have them.
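   The control-program checks in the Nevada standards quoted above, applied to the boot-from-unverified-flash problem the story opens with, as an added example. This is not code from the Slashdot post, from any of the readers quoted, from Diebold, or from the Gaming Control Board; it is a small model written here to show what those requirements look like in working form: a digest manifest held in ROM, a two-stage check that refuses execution on any control-component mismatch, a scan of unallocated media, and a log that retains the last ten modifications. The component contents, the 0xFF erase pattern, the use of SHA-256 as the integrity function, and every name in the listing are assumptions.

```python
import hashlib
from collections import deque
from datetime import datetime, timezone

# Constructed sample components (not real Diebold or slot-machine firmware).
# "control" components gate execution and are checked first; "data"
# components (graphics, tables) are covered by the slower second stage.
APPROVED_COMPONENTS = {
    "bootloader":  (b"BOOT v1.0 -- loads ballot.bin from the verified EEPROM", "control"),
    "ballot.bin":  (b"BALLOT v1.0 -- tally logic", "control"),
    "screens.img": (b"GRAPHICS -- ballot layout bitmaps", "data"),
}
FILL_BYTE = 0xFF  # assumed erase pattern of unallocated flash

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(components):
    """Digest table produced at approval time. In the quoted standard this
    lives on a Conventional ROM device so the verifier cannot be altered
    by the media it checks."""
    return {name: (sha256_hex(blob), kind) for name, (blob, kind) in components.items()}

ROM_MANIFEST = build_manifest(APPROVED_COMPONENTS)

def verify_stage(media, manifest, kinds):
    """Names of components of the given kinds that are missing from the
    media or whose digest differs from the approved copy."""
    bad = []
    for name, (digest, kind) in manifest.items():
        if kind in kinds:
            blob = media.get(name)
            if blob is None or sha256_hex(blob) != digest:
                bad.append(name)
    return sorted(bad)

def scan_unused_area(unallocated: bytes, fill_byte: int = FILL_BYTE) -> int:
    """Requirement 2: unallocated media must hold only the erase pattern.
    Returns the offset of the first unexpected byte, or -1 if clean."""
    for offset, value in enumerate(unallocated):
        if value != fill_byte:
            return offset
    return -1

class ModificationLog:
    """Requirement 3: retain at least the last 10 modifications, each with
    time, component, action, reason and validation information."""
    def __init__(self, keep: int = 10):
        self.entries = deque(maxlen=keep)

    def record(self, component, action, reason, blob, when=None):
        when = when or datetime.now(timezone.utc)
        self.entries.append({"when": when.isoformat(), "component": component,
                             "action": action, "reason": reason,
                             "sha256": sha256_hex(blob)})

def install_component(media, name, blob, reason, log):
    """Write a component to alterable media and log the change."""
    action = "altered" if name in media else "added"
    media[name] = blob
    log.record(name, action, reason, blob)

def authorize_boot(media, unallocated, manifest=ROM_MANIFEST):
    """Two-stage check (requirement 4). Stage 1 verifies every control
    component and refuses execution on any mismatch (requirement 1), so a
    'boot from external flash' switch gains nothing unless the image is an
    approved copy. Stage 2 verifies data components and unallocated space.
    Returns (ok, list_of_reasons)."""
    reasons = [f"stage1: control component {n!r} is not an approved copy"
               for n in verify_stage(media, manifest, {"control"})]
    if reasons:
        return False, reasons
    reasons += [f"stage2: data component {n!r} is not an approved copy"
                for n in verify_stage(media, manifest, {"data"})]
    offset = scan_unused_area(unallocated)
    if offset >= 0:
        reasons.append(f"stage2: unexpected data in unallocated area at offset {offset}")
    return (not reasons), reasons

def run_scenarios():
    """Exercise the checks on constructed media images."""
    clean_free = bytes([FILL_BYTE]) * 64
    log = ModificationLog()

    approved = {name: blob for name, (blob, _) in APPROVED_COMPONENTS.items()}
    ok_clean, _ = authorize_boot(approved, clean_free)

    # An external flash image whose tally logic differs by one byte.
    external = dict(approved)
    install_component(external, "ballot.bin", b"BALLOT v1.0 -- tally logix",
                      "field update from USB stick", log)
    ok_tampered, why_tampered = authorize_boot(external, clean_free)

    # Approved components, but something left behind in "unused" flash.
    stray_free = clean_free[:20] + b"\x90\x90" + clean_free[22:]
    ok_stray, why_stray = authorize_boot(approved, stray_free)

    # Twelve further modifications: only the last ten are retained.
    for i in range(12):
        install_component(dict(approved), "screens.img", bytes([i]), f"rev {i}", log)

    return {"clean": ok_clean, "tampered": (ok_tampered, why_tampered),
            "stray": (ok_stray, why_stray), "log_entries": len(log.entries)}

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(name, result)
```

   The point of keeping the manifest and the verifier in ROM is that the decision to run an image never depends on the image itself; whether it arrived from the built-in EEPROM or an external drive, it runs only if it matches the approved digests, which is exactly what a switch that selects an unverified boot source defeats.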

   Even if e-voting machines had a spec list that would pass at the
   Gaming Commission, Midnight Thunder is puzzled that [8]tamper-proofing
   techniques aren't more evident on the Diebold machines:

   Given taxi meters and electricity meters both have tamper seals, you
   would have thought that these would have visible tamper seals as well.
   If in doubt you could even have two tamper seals: one from Diebold and
   another from the voting commission, in order to ensure that both
   parties are satisfied with the state of the machine.

   Several readers are for canning electronic voting for U.S. elections
   completely. Reader Iamthefallen wants to know

   Has anyone answered the question regarding [9]need for automated vote
   counting in a satisfactory way?

   Seems to me that manual counting of votes would be vastly more secure
   as it would take a huge conspiracy to affect the result either way.

   Counting a hundred million votes is hard, counting a thousand votes in
   a hundred thousand locations is easy.

   Similarly, slofstra writes

   Sorry, I have [10]never seen the point of these machines. Paper
   ballots are auditable, user friendly, and if electronics is put into
   the reporting system, can be counted in a few minutes and submitted.
   Voting machines are a perfect example of a technology fetish at work.
   It would make an interesting case study to examine the economic and
   sociological reasons why we sometimes buy technology that we don't
   need, don't want and further, serves no useful purpose.

   (Augmenting electronic voting machines with a paper record is a
   frequently raised idea; reader megaditto, for one, asks "Is it that
   hard to put a [11]thermal printer behind a glass shield?" A similar
   system is [12]required in Nevada voting machines already.)
   Paper ballots and electronic ones aren't the only options, though;
   lever-based voting machines have dominated recent American national
   elections. Mark Walling writes

   My district [13]switched to electronic- from lever-based. In 2004, at
   7:15 when I voted on lever machines, there was no line, and just about
   as many signatures in the book. In 2005, the line was out the door and
   around the corner at the same time. The person in front of me took 5
   minutes to use the electronic machine. People knew how to use the old
   machines, and they were reliable. These new things take the old people
   forever to use, and then they complain that they were hard to read ...

   Reader WillAffleckUW suggests skipping in-person voting completely;
   absentee voting is a good idea, he argues, not only in light of the
   flaws (demonstrated or alleged) in electronic voting methods, but
   because

   [14]absentee voters get a paper ballot that is not only delivered by a
   trusted source (the U.S. Post Office) who have a verified date/time
   stamp -- and that the ballots can be audited, traced, and verified --
   now that is a reason to register permanent absentee.

   Not so fast, says reader JDAustin:

   I suggest you take a look at the research into the recent Washington
   state elections done by [15]SoundPolitics.com. They verified [16]close
   to a 20% error rate in absentee balloting. The signature verification
   on absentee balloting is no verification at all due to
   non-verification being done by those who count the ballots.
   Additionally, the USPS is not a trusted source; they are just another
   government bureaucracy. The ballots themselves cannot necessarily be
   traced nor verified -- and even when the signatures are completely
   different, they are still counted. Due to the nature of voter rolls,
   duplicate ballots are sent out all the time due to slight variation in
   a person's name, and the duplicate ballot counts are not caught until
   after the final tally has been done and the election finished.
   Finally, mischievous government officials can always delay sending the
   military their ballots so those serving overseas do not have time to
   get their vote in on time. This actually happened in 2004 in
   Washington state.

   Permanent absentee is not the solution. Neither is electronic voting.

   The true solution takes elements of the recent Mexican election to
   prevent fraud (voter ID cards, thumb inking, precinct-based monitoring
   and tallying) and combine them with the best paper-based voting
   machine.
     _________________________________________________________________

   Many thanks to the readers (especially those quoted above) whose
   comments informed this discussion.

References

   1. http://politics.slashdot.org/article.pl?sid=06/07/31/1646246&tid=172
   2. http://politics.slashdot.org/comments.pl?cid=15818579&sid=192689&tid=172
   3. http://politics.slashdot.org/comments.pl?cid=15818434&sid=192689&tid=172
   4. http://hosted.ap.org/dynamic/stories/B/BATTLE_OF_ATHENS?SITE=FLTAM&SECTION=US
   5. http://politics.slashdot.org/comments.pl?cid=15822092&sid=192689&tid=172
   6. http://politics.slashdot.org/comments.pl?cid=15819725&sid=192689&tid=172
   7. http://gaming.nv.gov/stats_regs/reg14_tech_stnds.pdf
   8. http://politics.slashdot.org/comments.pl?cid=15818707&sid=192689&tid=172
   9. http://politics.slashdot.org/comments.pl?cid=15818594&sid=192689&tid=172
  10. http://politics.slashdot.org/comments.pl?cid=15818593&sid=192689&tid=172
  11. http://politics.slashdot.org/comments.pl?cid=15818877&sid=192689&tid=172
  12. http://it.slashdot.org/article.pl?sid=03/12/04/1443257&tid=172
  13. http://politics.slashdot.org/comments.pl?cid=15818485&sid=192689&tid=172
  14. http://politics.slashdot.org/comments.pl?cid=15819102&sid=192689&tid=172
  15. http://soundpolitics.com/
  16. http://politics.slashdot.org/comments.pl?cid=15819391&sid=192689&tid=172

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
