Video and photos show Linux booting on the Brazilian voting machines (BR-Linux.org) [LWN.net]

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 0:47 UTC (Wed) by drag (subscriber, #31333) [Link]

> And that requirement is only met by pen&paper and counting.

You have to be joking. Have you ever participated in counting ballots by hand? That's the most inaccurate, bug-ridden, and fraud-filled way to count ballots. You'll have error rates approaching several percentage points.. sure if your lucky all the mistakes will even themselves out, but that's just dumb chance.. a statistical likelihood, probably, but still not good-enough odds.

What is required is proven, simple methods to count ballots statistically, with paper trails. Openness and transparency at all levels combined with a voting base that is intelligent enough to give a shit and pay attention.

Oh, and voting machine companies that are not almost completely incompetent. (which they all are, currently)

And, no, over regulation from government (these are the people your trying to replace, remember?) and pie-in-the-sky security requirements from academia are no substitute for voter vigilance and education. Far from it.. these regulations are usually bullshit and cause people to get a false sense in security and trust wayyy too much in the process.

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 2:23 UTC (Wed) by dskoll (subscriber, #1630) [Link]

What is required is proven, simple methods to count ballots statistically

Nonsense. Such methods don't exist, or are not "simple" enough for the average voter to understand.

with paper trails.

If you have the paper trails (ie, ballots), then why not just count the ballots and be done with it? Quicker, cheaper, more accurate, and much easier to understand. And is "provable". And "simple".

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 2:44 UTC (Wed) by drag (subscriber, #31333) [Link]

> If you have the paper trails (ie, ballots), then why not just count the ballots and be done with it? Quicker, cheaper, more accurate, and much easier to understand. And is "provable". And "simple".

Because it's not Quicker, Cheaper, or More accurate.

It's vastly more expensive, inaccurate, and slower to count paper ballots. And much much more complicated to coordinate. And, believe it or not; prone to fraud.

The reason you have paper trails is for auditing purposes. Just like you have log files on your servers.

For a modern society you need to have electronic counting machines that are open, auditable, and simple.

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 2:58 UTC (Wed) by dskoll (subscriber, #1630) [Link]

It's vastly more expensive, inaccurate, and slower to count paper ballots.

No, it's NOT. We have our election results in Canada within hours. We already know who will form the government with about an hour of polls closing. 6-10 hours later, all results will be in and finalized.

The 2000 election in Canada cost about $200 million, or around $6 per Canadian citizen. Most of that cost was not related to the count, but to enumerating voters and reimbursing political parties for costs.

And much much more complicated to coordinate.

No, it is NOT. Elections Canada has been doing this successfully and efficiently for over 140 years. There has never been a federal election that was even remotely suspect in Canada, and certainly nothing like the fiasco in the United States in 2000.

And, believe it or not; prone to fraud.

You said that before. I asked for evidence. Well?

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 3:15 UTC (Wed) by drag (subscriber, #31333) [Link]

> You said that before. I asked for evidence. Well?

Every time there is a ballot recount the results come out different.

Organizations like Acorn are perpetrators of massive amounts of voter fraud involving fake people, dead people, moving people from different regions. This do it 'the hard way'.. that is getting and organizing people to commit multiple counts of fraud on a individual basis.

If your depending on individuals to do hand counts then how do you know that those people are trustworthy? It wouldn't take much orginization at all to get a few dozen people to nullify the results of many many thousands.

If you examine the sort of fraud the electronic machines are vulnerable too you'd realize that it's a game of percentages with them also. You won't be able to defraud a election more then a percent or two and get away with it. So election fraud from voting machines is only really something you have to pay attention to in very close elections. Which is the same thing from hand-counted ballots.

If you want to have the best 'proof' then you have to use both methods together.

> The 2000 election in Canada cost about $200 million, or around $6 per Canadian citizen. Most of that cost was not related to the count, but to enumerating voters and reimbursing political parties for costs.

Well in the USA we are much more hard-core about our politics. Also people are very paranoid and blow things far out of proportion. The Florida election issue from years ago is a HUGE example of normally intellegent people not understanding how election process works and problems being blown out of proportion for the purposes of bad politics.

(Hint: The president was never, ever, meant to be elected by popular vote. I'm convinced that politicians make a big big deal of the president to distract people from the elections that really matter; Senate and House of Representatives)

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 6:55 UTC (Wed) by anselm (subscriber, #2796) [Link]

The big advantage is that concerned citizens can come in and actually watch the ballots being counted. This is very different from an election official hitting a button and reading the counts off a little strip of paper that the voting machine spits out.

Counting paper ballots is something that people understand intuitively. Nobody can vouch for sure that the voting machine does what it is supposed to be doing - well, maybe under ideal conditions they can, but there are lots of incidents where voting machines are basically left sitting out in somebody's garage overnight before the actual election etc., and of course nobody knows for sure that the correct software was on the machine when it was put in the garage, let alone taken out the morning after.

Having said that, the paper ballot method seems to work very well for us here in Germany, thank you very much. But then again we tend to keep things simple; we don't elect the President and the municipal dog-catcher and everybody in between at the same time.

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 7:16 UTC (Wed) by njs (guest, #40338) [Link]

>Organizations like Acorn are perpetrators of massive amounts of voter fraud involving fake people, dead people, moving people from different regions. This do it 'the hard way'.. that is getting and organizing people to commit multiple counts of fraud on a individual basis.

Err, you just demonstrated a huge amount of ignorance on this subject, FYI. The conversation is about voting fraud, not voter registration fraud, and the two are totally different. If you don't even distinguish between them then it rather throws the rest of your thoughts into doubt.

(Quick catchup: ACORN is a voter registration organization who pays people to bring them filled-out voter registration forms; sometimes people bring them ones full of nonsense, but they are *required by law* to file those nonsense forms anyway; invalid forms being submitted to election officials just creates more work for them screening out the nonsense, it doesn't result in any extra votes being cast; in principle clever fakes could be created and people could vote multiple times using them, but in fact no-one can find any evidence of this occurring in the US recently, despite a lot of people worrying about it very publicly and using it to justify things like voter roll purges that do, empirically, disenfranchise people. HTH. I suspect our politics differ, but that's no reason not to work from the same set of facts.)

>If your depending on individuals to do hand counts then how do you know that those people are trustworthy? It wouldn't take much orginization at all to get a few dozen people to nullify the results of many many thousands.

Which is why such counts have always been open to the public and attended by representatives of the opposing sides.

Voting is an interesting problem, with lots of tricky aspects; it's a fun literature to read up on.

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 7:31 UTC (Wed) by drag (subscriber, #31333) [Link]

> Err, you just demonstrated a huge amount of ignorance on this subject, FYI. The conversation is about voting fraud, not voter registration fraud, and the two are totally different. If you don't even distinguish between them then it rather throws the rest of your thoughts into doubt.

Voter registration fraud _is_ voter fraud.

My point is that it's possible for people to orchestrate among relatively large amounts of people to defraud the voting system. In the case of Acorn it was on the voters side, not the counters side, but it's certainly possible both ways. Now they didn't get away with it in this instance, but they are not the only people doing very funny business.

It would be quite easy, if a voter official was not ethical, to 'stack' a group of counters to sway a local election. A unethical mayor or other powerful lower-level politician could sway the vote of a entire state in a closely contested area by putting like-minded people in charge and corrupting 10% or so of the counters in their county race.

And it's not something unique or new either. Some places, especially in Chicago, has been long notorious about people trying to get away with silliness on both sides. Going back many decades.

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 8:32 UTC (Wed) by njs (guest, #40338) [Link]

>Voter registration fraud _is_ voter fraud.

The examples of registration fraud that have been cited regarding ACORN have been multiple registration forms filed by the same person (i.e., putting their own name on multiple forms), or people filling in forms with nonsense like "Mickey Mouse".

Neither of these leads to fraudulent votes on election day. (Though I'd love to see the news clips of Mickey arriving to do his patriotic duty. --on second thought he'd probably vote for someone like Rep. Berman, so never mind.) Both are screened out by the registrar of voters before election day even arrives.

Even given the level of competence we've come to expect from some Democratic-leaning political groups, as a clever conspiracy this lacks a certain something.

We know how to do voting. Computers are not necessary or even useful, except in limited cases for accessibility. Still nice to see the ideas of openness gaining currency among election officials, though.

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 7:36 UTC (Wed) by nix (subscriber, #2304) [Link]

That's true only if you have dozens and dozens of 'elections' all rolled
into one, so the ballots are so complex nobody could dream of counting
them fast.

Hand counting *demonstrably works*. *Every* major industrialized democracy
uses it other than the US. Even the Swiss use it, and they're vote fiends.
It has failure modes, but they're known and everyone understands them. The
system is simple and comprehensible. Extra fraud methods are rare and very
difficult to think up. The system is not amenable to silent corruption by
remote parties without physical access to the ballot, which means
(assuming a sane system where the counts are conducted in situ) a huge
organizational problem that is highly likely to be detected.

You can't say that *any* of that is true of voting machines.

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 8:56 UTC (Wed) by kragil (subscriber, #34373) [Link]

In germany we get very accurate projections of the vote a few seconds afer voting stopped. And we get final results the same night. And so far each test run with voting machines turned out to be vastly more expensive than paper.
The only real problem there is is having enough citizens helping with the election.

All your imaginary claims are just proven wrong by nearly every proper democracy there is.

Paper ballots then!

Posted Oct 15, 2008 13:26 UTC (Wed) by freemars (subscriber, #4235) [Link]

It's vastly more expensive, inaccurate, and slower to count paper ballots. And much much more complicated to coordinate. And, believe it or not; prone to fraud.

Optical scan paper ballots work well. A counting (not a voting) machine tabulates the ballots at the most local level. After the polls close election judges look at and sign off on the totals, and can call them in to HQ for the unofficial count. The machine, the tally sheet and the original/official ballots go back to election HQ for any recounts.

Fairly fast, not too expensive, and easy to audit.

machine counting can still be a problem

Posted Oct 15, 2008 20:05 UTC (Wed) by dlang (✭ supporter ✭, #313) [Link]

remember the florida fiasco? those were machine counted ballots.

a perfectly filled out ballot isn't the problem, the imperfectly filled out ballots are the problem

in Florida the ballots were pre-perferated to make it easier to punch out the vote that you wanted. the problem was that punching out the tab sometimes didn't completely remove it, combined with the pieces sometimes comeing loos with lots of handling of the ballot.

with optical scan ballots you have the problem of incomplely filled out circles, smudges causing non-filled out circles to be read as being filled out, etc.

I happen to agree that optically scanned ballots are probably the best bet right now for rapid and (reasonably) accurate counts. but I don't believe that they are completely reliable and error free.

Paper ballots then!

Posted Oct 16, 2008 9:41 UTC (Thu) by forthy (guest, #1525) [Link]

The "counting machines" have again been found to count wrong. These machines are broken by design, anyway. Counting votes starts with sorting votes - you look at the paper, and put it on an appropriate stack. You can identify dubious votes (e.g. cross not in the circle, but at the side, candidates stroked through, handwritten explanations on the paper like "I promised to vote for Osama to my grandchilds, but because he's a black terrorist, I vote for McSame", inappropriate pens causing marks elsewhere, etc.), and after a debate decide on which stack they go. You can recheck the stacks again and again, and by nature, your result will stabilize.

The result of a counting machine which doesn't sort however will never stabilize. Each time, it will interpret dubious votes differently, and therefore it looks like a Rübezahl effort. It's just because the machine is broken by design, because the designers never saw a real ballot counting procedure. The only risk of fraud is when votes are replaced during the counting process.

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 19:56 UTC (Wed) by man_ls (subscriber, #15091) [Link]

A "me too" from Spain: simple paper ballots, manual count and recount, complete results in about 5 hours after polls close. Cheap and well coordinated. Since all political parties audit the results, fraud is unheard of.

For a modern society you need to have electronic counting machines that are open, auditable, and simple.

No, what you need to have is an election mechanism which is open, auditable and simple. Counting can be done by drunken donkeys as far as the system is concerned -- but in fact is done by randomly selected officials, for efficiency.

Why don't you think about simplifying your 18th century election systems instead of making it even more complex? In those days you had to carry the results by horse across vast expanses, so it probably made sense to ask a lot of things at a time. Not now.

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 16, 2008 13:14 UTC (Thu) by Hanno (guest, #41730) [Link]

Hi,

you may want to read this

http://www.wijvertrouwenstemcomputersniet.nl/other/es3b-e...
(in English)

It is an instructing read an worth every page

> it's Quicker

True.

> Cheaper

False. All in all, a human ballot count is cheaper than a machine count.

Voting machines are prohibitively expensive. Buying _and_ maintaining voting machines costs a lot of money.

A machine count is only cheaper if (!) the machine is used with little change or maintenance for several votes over several years or decades. The widely used Nedap voting computers are based on technology that was "modern" 25 years ago.

People who opt for voting machines usually argue with the cost and then forget maintenance. This includes servicing outdated technology (see above) as well as exploring and patching security issues of voting machines once they are known.

Just two quick examples.

The ultra-modern "voting pen", a counting assistant device with a paper trail, was designed for the Hamburg elections of 2008. It has cost the city 4.5 million euros.

This money has been spent - and then the CCC demonstrated several simple hacks on how its vote can be rigged. One hack used a simple manipulation invisible to human vote ballot observers and voters.

The hack was demonstrated shortly before the vote and the digital pen was mothballed. Much ado was made by the city officials that they now have to find the needed volunteer ballot counters in a very short time and that the new voting rules may make the human count weeks to complete. However, enough volunteers signed up instantly and the count took a few hours for the party results and 1.5 more days for the regional candidate results. The regional press claims that the regional count was stretched by officials who wanted to discredit the human counting process.

The city of Hamburg has been widely criticized in German media a few days ago for flushing away this much taxpayers' money down the toilet.

http://www.abendblatt.de/daten/2008/10/10/950382.html?cmf=1

According to critics, the digital vote machine used in Amsterdam made a ballot more than 1 million Euro more expensive _per_ vote - the vote costs rose from 1.6 to 2.7 million. 0.9 million Euro of this went directly to the maintenance service parter for the digital vote machine - 3 Euro per voter.

http://www.heise.de/ct/06/23/036/

> more accurate

No. As others pointed out, the problem with vote counting is not those that can be counted easily. Human counters are better in this regard, as I can attest from my own experience as a ballot counter.

> [paper ballots are]
> much much more complicated to coordinate.

I have been a human ballot counter and will sign up to help for the next vote, again. It was not a complicated process, it was well coordinated and the count was fast enough.

> And, believe it or not; prone to fraud.

To rig a manual vote count, you have to conspire with several dozen people. All of them have to remain quiet after your candidate won.

To rig an electronic vote, you have to conspire with one or two specialists for software and electronics. (The Nedap hack and the Hamburg digital vote pen crack were done by small teams of volunteers.)

Which conspiracy is more likely?

> For a modern society you need to have electronic
> counting machines that are open, auditable, and simple.

Using "modern" as a reason for voting machines is a fallacy. As one critic puts it, voting machines are a solution to a problem we do not have. "Slow result count" is not a problem in votes.

Human ballot counts usually take a few hours or (max) days. There is no need to press a "result" button a minute after the vote ended. The sensationalist media should have no problem waiting for this result before they crown the new mayor, chancellor, prime-minister or president.

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 8:01 UTC (Wed) by kragil (subscriber, #34373) [Link]

I am not joking. I am dead serious.

Electronic voting is inherently insecure and undemocratic PERIOD If you think otherwise you have to educate yourself.

In germany we vote with pen&paper and it just works.
No inaccuracy, no fraud or no bugs, thank you very much.
Can you prove your claims?

The german CCC did a lot of research on voting machines. Firstly they were able to hack every machine so far and secondly the vendors of those machines are almost always very shady companys.

Most information is in german though ;(
Exception: http://www.ccc.de/updates/2007/wahlcomputer-spenden?langu...

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 19:27 UTC (Wed) by clugstj (subscriber, #4020) [Link]

"No inaccuracy, no fraud or no bugs"?!? How do you know?

Internet Voting systems are not secure

Posted Oct 15, 2008 10:14 UTC (Wed) by davi (guest, #18853) [Link]

Creating an Internet Voting system sufficiently secure, reliable and anonymous is extremely difficult, if not impossible. As Bruce Schneier points out "a secure Internet voting system is theoretically possible, but it would be the first secure networked application ever created in the history of computers."

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 16, 2008 11:30 UTC (Thu) by Hanno (guest, #41730) [Link]

Hi,

> Have you ever participated in counting ballots by hand?

Yes.

I joined the manual ballot count at the last regional vote and had a very close look at the process.

http://www.hanno.de/blog/2008/wahlhelfer/
http://www.hanno.de/blog/2008/wahlbeteiligung/

Your claims about the disadvantages of a manual count do not match my observations. In fact, I have seen your username in LWN discussions often associated with loud claims that are not backed by evidence or actual experience. This here seems to be no exception.

> That's the most inaccurate, bug-ridden, and
> fraud-filled way to count ballots.

It is not.

> You'll have error rates approaching several percentage points..

No.

> What is required is proven, simple methods to count
> ballots statistically, with paper trails.

This is not enough. Users (ballot counters) trust the machine too much and even with paper trail counting machines, voting fraud by an insider is possible and a cost-effective way to rig an election.

This is a report of a paper trail ballot count in Bavaria, Germany. The observer reports that the human ballot counter soon only listened to the "beep" of the machine to believe that it counted. The counter didn't double check the paper vote with the machine count and after all, even then the vote can easily be rigged by modifying the sums by a few percent.

http://www.hessi.net/?p=17

> pie-in-the-sky security requirements from academia
> are no substitute for voter vigilance and education

You have a false trust in education and what you call "voter vigilance". Even those who should know better say: "The computer counted it, so it must be right." - This is the usual argument by /ballot counters/ when addressed by computer hackers observing computerized votes.

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 1:44 UTC (Wed) by bdanilko (subscriber, #14872) [Link]

Well they seem to have transparency covered:

From the article:
>All political parties have access to the source code, and digitally sign the executable code, and thus can confirm, at any individual machine, that the running software is the official one

As for understandable to _anyone_, the idea of counting is pretty easy. The actual way that most electoral systems work though tends to be pretty complex. At least voting machines should help reduce the big delays between voting and having the results announced.

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 2:07 UTC (Wed) by dskoll (subscriber, #1630) [Link]

All political parties have access to the source code, and digitally sign the executable code, and thus can confirm, at any individual machine, that the running software is the official one.

SNAKE-OIL ALERT! SNAKE-OIL ALERT!

How do you verify that the executable code matches the source code you saw? Has everyone forgotten "Reflections on Trusting Trust"? (Google it...)

How do you verify that the running image is the official image? Sure, there may be some official-looking files on the disk. (That part of the disk you can see, that is.) Maybe you can even poke around in memory and see chunks of what looks like official software. But confirming that the currently-running software is official? Bollocks!

The Xbox only accepted signed executables. We all know how successful that was at preventing an Xbox Linux port (ie, subverting the entire Xbox security mechanism.)

Linux and associated applications weigh in at several million lines of source code. That's several thousand bugs, probably. And dozens to hundreds of security vulnerabilities, probably. Can these political parties audit the source code for all these bugs? Not a chance.

E-voting is snake-oil. Open-source e-voting is open-source snake-oil.

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 2:26 UTC (Wed) by drag (subscriber, #31333) [Link]

The U.S. government requires 'trusted builds'.

These are builds in which you give election or cert representatives access to your source code and build environments.

They install the OS, install the compilers, and everything else that is required to build and install the software. Then they go and build the software and create a image or whatever.

Those 'trusted builds' are then hashed using SHA2-style encryption and records of these hashes are made publicly available. Then those 'trusted builds' are what is used in actual elections.

Then the voting machine manufacturers have to establish protocols for independently validating the firmware or OS or applications or whatever that is installed on the machines matches the trusted builds. They can't use any vendor-supplied tools to do this, and they can't write their own software to validate the items. They can only use FIPS 104-2 approved tools from third parties if they choose to use cryptographic analysis.

This, I believe, is all part of the 2005 guidelines. Most, pretty much all, voting machines don't meet those requirements yet. There is a bunch of things far far beyond what I just outlined, but this is the stuff for confirming the software on those systems.

Oh, and the software is periodically audited during development by third parties. The software is always proprietary, except the OS (QNX, WinCE, Linux, and others are all used), but the source code is available to government regulators.

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 2:34 UTC (Wed) by dskoll (subscriber, #1630) [Link]

The U.S. government requires 'trusted builds'.

Do you trust the US government? Do you trust the US government when it comes to security?

Those 'trusted builds' are then hashed using SHA2-style encryption and records of these hashes are made publicly available. Then those 'trusted builds' are what is used in actual elections.

Now go and explain that to the average voter. "SHA2-what? Wasn't SHA1 the leader of Iran until 1979 or somethin'?"

Or the above-average voter: "Hmm... MD5 is provably insecure. What does the NSA know about SHA2 that I don't?"

Voting is undemocratic if the average voter can't even understand the tabulation process or can have reasonable doubts about it. And don't get me started on the uselessness of "trusted builds", etc... I can write essays about this stuff.

E-voting is snake-oil. Open-source e-voting is open-source snake-oil.

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 2:48 UTC (Wed) by drag (subscriber, #31333) [Link]

There is nothing I can do to make the 'average voter' a non-moron. (which I just don't think they are)

And since, yes, the freaking government is IN CHARGE OF THE ELECTIONS, then yes, YOU HAVE TO TRUST THEM.

It doesn't matter if your using paper, electronic, seashells, or farts in the wind to collect votes, if you can't trust the government to run a fair election then your utterly fucked from the outset. You lose. Do not collect 200 dollars, do not pass go.

(and for the record, no, I don't trust the government. It's packed full of moron and fools that can barely run their own lives, much less the lives of hundreds of thousands of other peoples. People like you and me.)

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 3:01 UTC (Wed) by dskoll (subscriber, #1630) [Link]

And since, yes, the freaking government is IN CHARGE OF THE ELECTIONS, then yes, YOU HAVE TO TRUST THEM.

OK, just think about that for a few minutes...

I do not trust the government (any government). What I trust are democratic institutions. The democratic institution of voting in Canada is so transparent, so easily understood, and so difficult to subvert that I trust elections even if I don't trust the government of the day.

An e-voting system is so easy to subvert, and so easy to subvert undetectably, that it's worthless. To trust an e-voting system, I'd have to trust the government, which I already said I don't.

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 3:43 UTC (Wed) by drag (subscriber, #31333) [Link]

> What I trust are democratic institutions

I don't trust those ether. That's the definition of USA government and most European or the Canadian governments. I mean, here we are talking about fraud in democratic elections and your trying to remind me that you trust democratic institutions, but not democratic governments? They are one and the same.

Here is how I look at it:

The average person, every person, is barely able to take care of themselves and their immediate family. If that. We are all somewhat insane and very flawed. Putting one of us, or a few hundred of us, in charge of all of us, is just something that is going to result in badness 9 times out of 10.

But governments are a requirement, it seems, and they are needed for lots of different reasons. A necessary evil.

So you have to keep them as small and open as possible and hope that everybody else is to stupid to really get a very successful conspiracy going.

Sometime it works. The USA is the oldest one so far.. Being a little over 200 years old. It looks like our government is getting very ossified. If your in Europe your essentially witnessing your future politics unfolding in the USA.

Other democratic institutions have melted down in far far shorter time. Liberia is a big example. So is Germany's attempts in the 1930's to get away from the monarchy. But whatever.

It still stands, if you can't trust your government you can't trust elections held by your government. Really, one is dependent on the other.

Trusting Government

Posted Oct 15, 2008 8:25 UTC (Wed) by Felix.Braun (subscriber, #3032) [Link]

It still stands, if you can't trust your government you can't trust elections held by your government. Really, one is dependent on the other.

Sorry. We'll have to agree to disagree here.

The way I see it is, that if the voting process is as transparent and difficult to manipulate as pen and paper votes, then you don't need to trust the party currently in power. Actual people can look at the counting process and verify that it represents the actual voting results.

I agree with you that we are all flawed and limited, and I would add easily defrauded. So a well organised powerful party to the election process could in theory pull off major voting fraud without people noticing anything.

HOWEVER, luckily enough the bad guys are just as flawed and limited as the good guys. So, if they agree to conduct the voting process and the vote counting in the open, under the eyes of everybody who's interested. Then yes, I'm prepared to trust that if there was major organised rigging of elections, it would somehow show up because they would make some stupid mistake, as humans tend to do.

If elections are taken out of the public eye into some room were some priests look at code and attach some very big prime numbers to it to make sure nobody tampers with it, then this trust in the process is hurt.

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 14:53 UTC (Wed) by dskoll (subscriber, #1630) [Link]

Certainly not! Canada has many democratic institutions that are constitutionally guaranteed and essentially impossible for any government to change. I certainly would never trust any government to implement electronic voting securely (since as another poster said, that would be the first secure application ever written.) However, I trust our elections commission, the various election laws, the various physical safeguards, the thousands of volunteers who participate in democracy, and the scrutineers from each political party to keep things honest.

Last night we had an election. I am perfectly satisfied that it was fair. Not a single person in Canada, to my knowledge, has the slightest doubt as to the accuracy of the outcome.

Can you say that in the USA? Could you say it in 2000?

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 20:14 UTC (Wed) by nix (subscriber, #2304) [Link]

Sometime it works. The USA is the oldest one so far.. Being a little over 200 years old. It looks like our government is getting very ossified. If your in Europe your essentially witnessing your future politics unfolding in the USA.

Ah, US parochialism, so refreshing. Here's a little hint: the UK has been a continuous democracy for much longer than that, although until 1832 the franchise was rather limited. Certainly a form of mass franchise has been in place since 1688: but even before then some people sometimes got to vote, and Parliament itself (which does, of course, itself involve voting and a sort of mass illusion) has been going so long that some trace its forebears back to the fifth century AD.

(I'd have expected you to realise that, what with the Bill of Rights 1689 being important in all this, and being a major source for the US Bill of Rights.)

So, sorry, the US is not the oldest democracy in the world. It isn't even the oldest continuously functioning one. (And, guess what? We still hand count.)

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 7:38 UTC (Wed) by nix (subscriber, #2304) [Link]

The government is not in charge of elections in the UK. All they can do is
say when voting will start.

Separate non-political institions are in charge of the elections. (You
see, we don't fire our entire civil service and replace it with partisan
hacks every few years.)

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 19, 2008 10:42 UTC (Sun) by gdt (subscriber, #6284) [Link]

Trust of the government isn't required for a paper ballot.

In Australia the major political parties closely observe the paper ballot, since all parties bar the one in government don't trust the government. It is difficult to see how such a close observation can be done with electronic ballots.

That close observation has a large effect on reducing electoral fraud. Less observable ballots, such as the postal ballots, have fraud rates more than 100x higher than traditional paper ballots.

The trust from any citizen being able to inspect the ballot process to their satisfaction leads to a lot less conspiracy theories surrounding voting than exist in the USA. Certainly there's never been events like the Florida machine ballot and claims of "stolen presidencies".

Regarding your initial claims, the results of an Australian federal election are known in broad scope in a few hours (who will form government, etc) and exactly in two to three weeks (one week of the delay simply because the count can't be finalised until all postal ballots have had time to arrive from overseas locations).

How to subvert trusted builds

Posted Oct 15, 2008 2:47 UTC (Wed) by dskoll (subscriber, #1630) [Link]

They install the OS, install the compilers, and everything else that is required to build and install the software. Then they go and build the software and create a image or whatever.

Supply a compromised OS for the build.
Supply a compromised compiler for the build.
Supply a compromised assembler for the build.
Supply a compromised linker for the build.
Compromise the software that transfers the built image into the voting machine.
Compromise the boot-up ROM in the voting machine.
Compromise the firmware in the hard drive on which the image is installed.
Bribe the person transferring the built image to the voting machine to let you hide your code in it in a way that won't appear when you do the hash-verification. (You probably only have to bribe one or a few low-paid employees rather than thousands of motivated scrutineers in a hand-ballot election.)

And those are the difficult ways. The easy way:

Exploit one of the several thousands bugs inevitably present in software with the complexity of Linux or Windows.

That's just off the top of my head. I'm sure a real security person could come up with several hundred ways to subvert a voting machine without even pausing to think.

How to subvert trusted builds

Posted Oct 15, 2008 2:58 UTC (Wed) by drag (subscriber, #31333) [Link]

> * Supply a compromised OS for the build.

No. They can't supply the OS for the build. That's the point.

They don't supply any of the software. They supply directions on how to make a build environment and the source code and any Makefiles or whatnot.

Then election officials produce the binaries.

> * Supply a compromised compiler for the build.

No they can't supply the compiler.

if they require a special compiler then they have to provide the source code for that compiler and that compiler itself needs to have a trusted build.

> * Supply a compromised assembler for the build.

No:
See Above

> * Supply a compromised linker for the build.

No:
See Above

> * Compromise the software that transfers the built image into the voting machine.

No:
See Above.

Also the machines are non-networked, single user-only.

> * Compromise the boot-up ROM in the voting machine.

No:
They have to supply the source code for the ROMs, a trusted build for them, and a method to audit them.

> * Compromise the firmware in the hard drive on which the image is installed.

Well usually the harddrives are going to be COTS. Everything is COTS if they can be.

This can be a problem because election folks are not going to think of that.

> * Bribe the person transferring the built image to the voting machine to let you hide your code in it in a way that won't appear when you do the hash-verification. (You probably only have to bribe one or a few low-paid employees rather than thousands of motivated scrutineers in a hand-ballot election.)

Motivated scrutineers are easy to fool.

Any election requires third parties to independently verify the findings of the voting machine companies and the government.

This can't be regulated, for obvious reasons. Your dependent on independent hackers and folks at universities and whatnot to dissassemble, decompile, and hack the shit out of the voting machines.

This is why they need (as I stated above) to be as simple and open as possible.

Current regulations, unfortunately, are fossilizing the status quo and making devices more complex, more expensive, and harder to hack.

How to subvert trusted builds

Posted Oct 15, 2008 3:04 UTC (Wed) by dskoll (subscriber, #1630) [Link]

No. They can't supply the OS for the build. That's the point.

Well, somebody has to supply the OS. You find that somebody and bribe/blackmail/fool them into supplying a compromised OS. You are not thinking like a sufficiently-motivated criminal.

I'm not going to correspond to most of your points because they all show a refreshing naivete and unfamiliarity with the criminal mindset. But I'll respond to this one:

Motivated scrutineers are easy to fool.

Except, you'd have to fool thousands of them. And each party has a representative watching the counting (they all have to agree on the final tally), so that's a lot of disparate people you'd have to fool. So much easier to compromise one homogeneous computer system...

How to subvert trusted builds

Posted Oct 15, 2008 3:33 UTC (Wed) by drag (subscriber, #31333) [Link]

> Well, somebody has to supply the OS. You find that somebody and bribe/blackmail/fool them into supplying a compromised OS. You are not thinking like a sufficiently-motivated criminal.

Yes. If you don't trust Microsoft or Linux hackers to put secret hide-outs in the source code of their operating systems (their generic off-the-shelf operating systems that anybody can walk down to the source and purchase or download. The same OSes you and I use) to detect when somebody is compiling code for a election and then subtly modify that code at compile time to defraud national elections then you have bigger issues to worry about.

Because if you can't trust GCC or ICC or Borland or whoever not to stick back doors into their commercial off-the-shelf compilers to change election outcomes then you are going to have so many other worries in live that a question of voting fraud isn't going to be high on your priority list.

You'll have much more to worry about from aliens or governments simply lying about election outcomes.

> Except, you'd have to fool thousands of them. And each party has a representative watching the counting (they all have to agree on the final tally), so that's a lot of disparate people you'd have to fool. So much easier to compromise one homogeneous computer system...

You would have to fool a few dozen. Maybe a hundred.

Electronic voter fraud is a game of percentages. Any significant change to how the election turns out, in a properly design voting machine or using hand counting, would be instantly noticable.

Since, in a properly designed voting machine, is going to be open enough and auditable enough that only very subtle changes are going to be missed by folks hacking them and checking them.

So the only changes you could make would be subtle, and small. A few changes here and there. So only elections you could successfully defraud are in situations were you have very slim differences on each side.

It's there are many different methods to try to affect closely contested elections.

-----------------------

That's not to say that election voting machines are properly designed right now.

Voting machine companies, by and large, are borderline incompetent. But the level of government regulation and such is so high that it completely bars any other company from participating in the elections or coming out with rival hardware and software to improve the situation.

In, other words, attempts at controlling companies have insured their continued existence and profitability no matter how badly they do. To the execs of voting machine companies, not ending up in jail is going to be their main goal.. everything else is gravy.

To even get your voting machines close to being able to be used in a modern election costs several million of dollars in just _ATTEMPTING_ to match the certification process. That doesn't mean they are successful and does not include the costs of developing the custom hardware and software required.

Everything is regulated down to the county level, meaning that they are required to support many static versions of the same software and firmware for different regions and elections. Massively expensive.

How to subvert trusted builds

Posted Oct 15, 2008 14:57 UTC (Wed) by dskoll (subscriber, #1630) [Link]

I read somewhere that the latest US presidential election campaigns are going to cost around $1 billion. That is, to become the president of the United States the "honest" way, you have to raise $1 billion.

How much do you think it would cost to subvert a voting machine system? The stakes are so high and the attackers potentially so well-funded that it's simply unthinkable to trust democracy to complex software systems.

Every single software system the complexity of Windows or Linux has security holes. Every single one. There has never in the entire history of computing been systems that complex that are also secure.

How to subvert paper ballot

Posted Oct 15, 2008 5:24 UTC (Wed) by khim (subscriber, #9252) [Link]

1. You can print "sample paper" which explains how to vote and attach it to the wall of cabin. Of course "accidentally" one candidate will be marked there. This candidate will have bigger chance of success.

2. You can estimate number of ill people, take a fill their bulletins (government must control if that does not happen but as you've said you don't trust government).

3. The easiest part: just pay small sum to counters and bulleting with few marks (technically invalid) will be counted in favour of one candidate.

4. Even easier: just pay responsible person to rely wrong information to the next stage.

5. The most expensive but the most trivial: just pair the head to cite results you want.

All such approaches (and many others) were used in real life. If you don't trust the government to some degree then you are already lost. End of story. Paper or no paper.

How to subvert paper ballot

Posted Oct 15, 2008 14:58 UTC (Wed) by juha123 (guest, #52509) [Link]

1. And none of the voters would realize what you did? Also, how is that different from attaching a similar paper to the wall of an electronic voting cabin?

2. Again, is this different from electronic voting?

3. Didn't you just prove the vulnerability of electronic voting here? At least in it the number of people you need to bribe to significantly affect the result is much, MUCH smaller.

4. Doesn't work, at least over here those next stage numbers are public, so the first stage counters would notice that the result is wrong.

5. Doesn't work, see item 4.

Sure, paper voting isn't invulnerable to every kind of subverting, but that's beside the point. It's still the most reliable way to vote if it's better than the alternatives.

How to subvert paper ballot

Posted Oct 15, 2008 15:01 UTC (Wed) by dskoll (subscriber, #1630) [Link]

Except you have to somehow get into thousands of voting places across the entire country and convince the election workers to let you post the paper.

2. You can estimate number of ill people, take a fill their bulletins (government must control if that does not happen but as you've said you don't trust government).

Except in Canada, you need to supply ID with proof of name and address to vote. This won't block attack (2), but will make it infeasible on a large scale.

3. The easiest part: just pay small sum to counters and bulleting with few marks (technically invalid) will be counted in favour of one candidate.

Except in Canada, each political party sends representatives to watch the counting. Paying off enough of them to affect the outcome is very difficult.

4. Even easier: just pay responsible person to rely wrong information to the next stage.

Again, you'd have to do that thousands of times at the lowest level of the tree. At higher levels, there are fewer people involved, but at every step of the way, there are election officials plus representatives from each political party. A tough attack.

5. The most expensive but the most trivial: just pair the head to cite results you want.

I'm not sure what that means.

All such approaches (and many others) were used in real life. If you don't trust the government to some degree then you are already lost. End of story. Paper or no paper.

If the government is the attacker, then yes, you're in a tough spot. However, the Canadian system makes it pretty obvious that an attack has taken place, whereas e-voting allows attacks to proceed undetectably.

How to subvert paper ballot

Posted Oct 15, 2008 16:10 UTC (Wed) by drag (subscriber, #31333) [Link]

As I pointed out before it's all a game of percentages. Most these issues are not going to be issues unless your dealing with difference in results of 2 percent or less.

The way voting machines work nowadays it's exceptionally difficult to defraud on a national scale. Any sort of violation is going to happen on precinct level. That is individual counties or however a region is divided.

That is when each machine is individually programmed for a specific election and specific area is were you really have to worry about security. Otherwise they are going to be generic machines with no election-specific information programmed into them.

The people involved in that sort of thing is not the 'hundreds' or 'thousands' that all you think that are involved in those sort of situations. People in charge of localities, whether your dealing with paper ballots, electronic machines that produce and consume paper ballots (which is the norm in USA), or fully electronic machines using digital media only, are going to be numbered in the dozens.

--------------------------

I am not saying that I like the current status quo or I think things are done correctly right now. Like I mentioned several times before the current crop of voting machine companies are about as bad as you can get and are dinosaurs lingering from the bad old days of nothing-but-proprietary software from the 1990's.

They CAN be done correctly, however. This is my contention.

There are flaws and holes in everything. If you think that _any_ public institution is not vulnerable to corruption then your just deluding yourself.

How to subvert trusted builds

Posted Oct 15, 2008 3:12 UTC (Wed) by dskoll (subscriber, #1630) [Link]

Well usually the harddrives are going to be COTS. Everything is COTS if they can be. This can be a problem because election folks are not going to think of that.

That's all it takes. Just one little flaw and the system comes tumbling down. I'm not even a security expert. I'm sure a real expert can think of many attacks that "election folks" will never dream of.

Even security people can be shocked. Who would have thought that five box-cutters would bring down two skyscrapers?

What you need are systems that are robust. E-voting is manifestly fragile; just one wrong bit can conceivably render a voting machine vulnerable. In the hand-counting world, one or a few crooked scrutineers can't affect much. And with each party sending representatives to oversee the counting, it's highly unlikely fraud would go unnoticed for long.

Voting is inherently fragile

Posted Oct 15, 2008 5:31 UTC (Wed) by khim (subscriber, #9252) [Link]

What you need are systems that are robust.

Monarchy?

E-voting is manifestly fragile; just one wrong bit can conceivably render a voting machine vulnerable.

Yes, but this bit is buried in millions of other, not-so-important bits. And if you have money to buy 10 people who'll find this bit then why not just buy few persons who are delivering results of vote to public?

And with each party sending representatives to oversee the counting, it's highly unlikely fraud would go unnoticed for long.

If you don't destroy the evidence, that is. But if you had money to unfairly win then to pay some small sum to replace all paper ballots with "correct" ones is a snap.

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 2:25 UTC (Wed) by dskoll (subscriber, #1630) [Link]

At least voting machines should help reduce the big delays between voting and having the results announced.

Oh, you mean the big delays we backward folk in Canada suffer because we use pencil-and-paper ballots? Let's see... the polls closed here about 55 minutes ago. And we already know who will form the government, and I already know fairly reliably who will be elected in my riding. 55 minutes!!! The shame!!! Bring in machines to speed things up!!!

Video and photos show Linux booting on the brazilian voting machines (BR-Linux.org)

Posted Oct 15, 2008 6:30 UTC (Wed) by bdanilko (subscriber, #14872) [Link]

I wasn't commenting on the Canadian election, or the skills of Canadians in general :-)

Some electoral systems around the world are more complicated then others. In Australia, we use a preferential voting system (which I found quite a bit more complicated then the Canadian system I was used to). As the Australian Electoral Commission web site states, determining winners for the senate can take a couple of weeks. Some of this is waiting for postals, but some of it is just the complexity of preferential voting. I'm sure that lots of countries use more complicated systems then Canada and the US's first-past-the-post systems.

In fact if I remember correctly for Canada, senators are appointed instead of elected. That simplifies counting heaps! (here I'm making a joke and not commenting on the merits of different countries' political systems)