
The voting machine industry looks at open source

Here is a report from the Election Technology Council [PDF] giving the voting machine industry's view of open source software. It's ... interesting. "The level of accountability present within an open source product offering is weakened due to its diffuse contributor base and lack of clear liability. Public oversight is arguably just as diminished in an open source environment since the layperson is unable to read and understand software source code adequately enough to ensure total access and comprehension. If a third party is charged with this oversight function to remedy this situation, this would be no different than any other regulatory process that institutionalizes an oversight function." (Seen on Freedom To Tinker, where Dan Wallach adds several comments of his own).

The voting machine industry looks at open source

Posted Apr 16, 2009 16:46 UTC (Thu) by dbruce (subscriber, #57948) [Link]

I see at least two mischaracterizations that seem significant and deliberate.

First, the article argues that open/free licensing does not lead to sufficient public oversight because the layperson is unable to understand the source. Well, the idea is not for laypeople to be able to do code review. The idea is that interested reviewers who do have the needed expertise should have access to review these programs that are in public use. As it stands now, no one is allowed to do an independent review, irrespective of level of expertise.

Second, the article says that if the code of existing proprietary voting systems is made public, "all existing security would be ripped away" until the open code review takes effect. One would hope this is not the case - if so, it is an admission that the proprietary code is intrinsically insecure, with vulnerabilities that are just not yet known by potential attackers.

The voting machine industry looks at open source

Posted Apr 16, 2009 19:15 UTC (Thu) by flewellyn (subscriber, #5047) [Link]

Of course we know this is true, but the average person doesn't understand that "security through obscurity" doesn't work: it's an attractive and commonly-made mistake precisely because it seems to the uneducated person that it should work. Getting it through the public's collective heads that "security through obscurity" is snake oil is, I think, the most important and hardest challenge in computer (or any other) security today.

It's a matter of finding the right analogy

Posted Apr 17, 2009 8:01 UTC (Fri) by khim (subscriber, #9252) [Link]

When I explain "security through obscurity" to my non-IT friends, I'm not trying to "go deep" and explain how obscure software is not hard to crack but hard to "secure right". I often present a single fact and ask just one question.
1. Fact: PlayStation3 is the first game console with an open, peer-reviewed security architecture at its core (see here).
2. Question: how many game consoles can you name which were uncracked a year after release?

The answer is that, of course, the PS3 is the only console which can claim such an achievement, and this answer says it all. "Security through obscurity" works for some time - but not for long if the attacker is determined enough. If game console developers cannot do anything about this fact with billions of dollars, how come a small company which produces voting machines can do better?

The voting machine industry looks at open source

Posted Apr 17, 2009 13:26 UTC (Fri) by marcH (subscriber, #57642) [Link]

> Getting it through the public's collective heads that "security through
> obscurity" is snake oil is, I think, the most important and hardest
> challenge in computer (or any other) security today.

As usual, some real world analogies can help. Which lock model would you buy to protect your house? The secretly designed model that the manufacturer "forbids" you to study? (ha ha ha). Or the model designed and reviewed by a large committee of locksmith experts?
People are not so clueless, they are just confused by the lack of tangible objects.

Concerning voting machines more specifically, the root cause of the problem is just the American fascination for useless technology gadgets. I have participated in manual vote counting sessions and can attest that they are both efficient and as transparent as a real ballot box.

The voting machine industry looks at open source

Posted Apr 17, 2009 15:37 UTC (Fri) by drag (subscriber, #31333) [Link]

But security through secrecy does work.

If you don't believe me.. then post right here your username, password, and ip address to your main server or desktop.

As you're at it, why not post your ssh keys or any other encryption keys you may use?

People are smart enough to know that it is critical to keep the detailed shape of their keys secret. They can obscure the fact that they are keeping something valuable in their car in the parking lot at the mall. They don't go posting their tax returns to internet forums and try to shred documents.

Hell, even door locks can be easily circumvented by a skilled locksmith, but just not by the average person.

They do all sorts of things on a daily basis that keep things hidden or obfuscated that do a decent enough job of improving their personal security, the security of people around them, and the security of their belongings.

Hell, even software that people consider secure uses obscurity all the time... Like if you create a hash using the SHA256 function to store a password in a secure manner. You're depending on the fact that there are billions of possible combinations and that nobody has made a list that happens to have your hash's number yet.

---------------

Software is unusual in the fact that it's fundamentally math and math can be made to have absolutes... which is very rare in the real world. And because it can be absolute it can be made to be secure as long as you follow lots of rules and constraints.

How easy is it to explain to people that technologically enforced DRM schemes are fundamentally flawed designs, but SSL can be made to be secure against aggressive attackers?

How easy is it to understand that there are dozens of things on people's computers that should be kept secret, but that there are lots of things that should NOT be kept secret?

---------------------------------------

Think about this...

The people that you have most to worry about in terms of security in a voting situation are not some nation-wide secret organization set up to subvert voting machines, nor the voting machine companies themselves.. the people you have to worry most about are the people administrating the local precinct or parish at which you vote.

Just think about it.

There was just recently a case where people were getting their votes changed on ESS iVotronic devices.

Sure, the attackers exploited a flaw in the UI of the machines, because the 'vote' button did not cast their ballots but finished the voting session and put the machines into the review session, in which the user was presented with a gigantic screen that said that they needed to review the vote and confirm it before the vote would be counted.

There were locks on the machines to prevent access to sensitive parts and generally there is a paper audit record printed out in real time that records each and every event or key press on those devices.

The attackers were the actual administrative people setting up the voting situation in the first place. They instructed people to turn around and leave as soon as the vote button was pressed. As soon as the voter left, the attackers then had to go into the booth and respond to the prompt before the machine started beeping to alert the voter that the vote was not complete. Since the attackers tricked the voters into leaving before the vote completed, they stepped in and impersonated the voter, and thus no alerts or bad activities showed up on the paper audit logs.

The attackers also set up a situation in early voting where they monitored a person voting and paid them cash based on that vote. Completely evil and it required the cooperation of the voter.

With paper ballots this sort of situation is even worse... What is going to stop voting officials from substituting paper ballots with ones that they prepared prior to the election? Just one trip through a back room with the lock box and the votes of thousands of people can be eliminated and replaced in seconds.

------------------

Banks and such can keep their stuff secure much easier because every transaction is tracked from one endpoint to another. Everybody from the end user to the shop owner is tracked and actions are recorded.

Therefore banks depend on users to monitor and keep track of their own money in their own self-interest to help secure the bank...

But with voting, at least in America, everything has very high requirements for anonymity. This means that votes cannot be tracked and users cannot go back and double-check to see if things are recorded correctly. This is an entirely higher challenge.

------------------

The thing here is that everything is much more complicated than it seems at first glance.

I think that electronic voting has the potential to make democracy more secure against fraud than it ever was before, but for that things need to change drastically.

Completely open hardware. From the schematics on the board, to the firmware, to everything. Very easy auditing that can be carried out by individual voters and third parties with court orders. Completely open software. Complete transparency from the top to the bottom.

Very simple software stacks using proven and widely used and understood open source code.

Once we get that then things can be improved. Short of that then the whole thing is just one huge mess...

The voting machine industry looks at open source

Posted Apr 17, 2009 16:15 UTC (Fri) by adj (subscriber, #7401) [Link]

If you don't believe me.. then post right here your username, password, and ip address to your main server or desktop.

Well, it's not mine. But the root password and IP address (DNS entry, actually) for an Internet connected Linux system are available at http://www.coker.com.au/selinux/play.html. Connecting using the instructions provided gets you a working shell process running with uid 0.

The voting machine industry looks at open source

Posted Apr 17, 2009 18:18 UTC (Fri) by marcH (subscriber, #57642) [Link]

> As you're at it, why not post your ssh keys or any other encryption keys you may use?

I suggest you do some research on Kerckhoffs' principle.

> How easy is it to explain to people that technologically enforced DRM schemes are fundamentally flawed designs, but SSL can be made to be secure against aggressive attackers?

Encryption is about hiding things. So DRM is about hiding things... that you want to show! The flaw is hard to conceal.

> What is going to stop voting officials from substituting paper ballots with ones that they prepared prior to the election? Just one trip through a back room with the lock box and the votes of thousands of people can be eliminated and replaced in seconds.

You have apparently never attended a transparent election: the ballot box obviously never leaves the public room until it is emptied and (re-)counted. This is the very first, basic rule that never, ever gets violated.

> But with voting, at least in America, everything has very high requirements for anonymity. This means that votes cannot be tracked and users cannot go back and double-check to see if things are recorded correctly. This is an entirely higher challenge.

Paper ballots give you anonymity for free. With computers it becomes quite a challenge indeed.

> The thing here is that everything is much more complicated than it seems at first glance.

Paper ballots are one of the simplest systems ever invented. That is why it works. Computers are probably the most complex human invention. We all know how they work.

> I think that electronic voting has the potential to make democracy more secure against fraud than it ever was before

I think the only potential electronic voting has is to decrease security. Open source hardware and software is just a first requirement, but by no means sufficient. The cost of a hypothetical electronic voting system that would be as secure as paper ballots is a joke.

The voting machine industry looks at open source

Posted Apr 17, 2009 23:41 UTC (Fri) by i3839 (guest, #31386) [Link]

I thought long and hard (three months or so) about e-voting.

Summary: The best you can do is giving a partial solution for the whole voting procedure, namely the counting part. And when doing that everything becomes more complicated than it was before. It's just not worth it.

The biggest problem in general is keeping track of people and where votes came from. That's easy to do with e-voting if you forget about anonymity and everyone has a special electronic passport or something like that. But you can't have both anonymity and a guaranteed valid vote count. Mind that this is also not possible with paper ballots, but cheating there is a lot more physical, making it much harder to do widespread, because it can't be automated.

The voting machine industry looks at open source

Posted Apr 18, 2009 22:12 UTC (Sat) by jlokier (guest, #52227) [Link]

Electronic passports do have a role in anonymous voting.
Just like paper ballots, you need two things:

- Some way to certify each voter has exactly one vote.
This can use electronic passports or whatever you like.

- Some way for the voter to give the _value_ of their vote anonymously.

The fact they have voted should not be anonymous. In fact it must be tracked, to make sure each person has one vote.

It's the vote value which must be kept separate, while tracking the number of votes cast.

This is what paper ballots and the ballot process do. Anonymity of the vote values is achieved by making sure the paper has no identifying information. Tracking that everyone has one vote is achieved by ticking people off a big list when they come in the door, and giving them one ballot paper, and hoping they don't slip a second paper into the box (that they brought themselves) in with the first one.

By analogy, it's not hard to imagine giving each person a random, anonymous signing key which is itself signed (but not recorded) by the election authority, letting them choose their vote value and sign it, and storing the signed value in the database of results.

To ensure a secret ballot, no injection of false votes, and no removal of votes, the process has to be scrutinised by enough interested people to ensure trust. This part can involve open source to check the software is good in principle, but the working system needs to be scrutinised after building it and when it's installed and running too, to ensure no additional back doors.

To ensure that votes are _counted_ properly, the entire list of signed values can be made available to whoever wants to check the count. That, plus scrutiny of the processes to ensure no duplicate or lost keys or violating the secrecy of the ballot, should be enough.

The paper ballot has the advantage that most people can understand it, so it's much easier to scrutinise including by local election officials and opposing party agents to ensure it is fair. This may be beyond the abilities of the available local officials and party agents with a computerised system, and therefore trust cannot be established.

However, there are weaknesses in the paper system too. The only one which comes to mind is that people could bring their own ballot paper and slip it into the box at the same time as the supplied one with sleight of hand. This is much harder with a sufficiently good electronic system.

The voting machine industry looks at open source

Posted Apr 19, 2009 0:23 UTC (Sun) by i3839 (guest, #31386) [Link]

It's not that simple.

You need some way to know that all votes are legitimate votes. This implies that votes of people who don't vote aren't stolen and that there are no virtual voters. No vote stealing nor vote injection.

This is very hard with electronic voting. Overseeing correct distribution of keys is as hard as paper voting. That won't happen, so it will be easy to circumvent. Any leaked key can be used to make fake votes. If it can't, then you have no anonymity (per definition, just think about it).

Now the fun question is how you're going to use that key or whatever you use to sign your vote. Let me guess: You use a machine. Now after an election one party has won easily and has an absolute majority. Geez, now what? Let's assume people go check if their vote is what it should be, and see that somehow it isn't. Have fun proving it.

You only look at one part of the problem. Voters aren't the only ones who can't be trusted; the same is true for the manufacturer of the machines, the government and the polling committee. You want each party to be able to supervise the others, and the system to be secure if one of the three is rotten.

Another thing you forget is that you don't want voters to be extortable into casting a certain vote. If you give voters a way to check their vote, someone else can check it as well.

Complying with all requirements is theoretically impossible. You can push the problems around in circles as much as you want, but it is never watertight. The same is true for paper ballots, but that can't be automated and needs a lot of effort to do widespread.

> However, there are weaknesses in the paper system too. The only one which
> comes to mind is that people could bring their own ballot paper and slip
> it into the box at the same time as the supplied one with sleight of
> hand. This is much harder with a sufficiently good electronic system.

Sure, if they fake the signature well enough. Of course then the ballot count doesn't match with the number of voters, so they know something went wrong.

But the danger isn't in individual voters trying to cheat, it's by other parties trying to cheat massively.

I don't say that electronic systems don't have a place at all, they're not too bad in certain circumstances.
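The scheme sketched two posts up (a random voter key signed but not recorded by the election authority, the vote value signed with that key, the signed list published so anyone can recount) and the failure modes raised in this reply (leaked or reused credentials, fake votes, a ballot count that does not match the voter count), as an added Go example that is not code from this thread or from any real voting system. The Ed25519 keys, the Ballot/Authority/Tally names and the three-voter sample are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Ballot is one entry of the published results list: the voter's ephemeral
// key, the authority's signature over that key (the anonymous credential),
// the vote value and the voter's signature over the vote value.
type Ballot struct {
	VoterPub   ed25519.PublicKey
	Credential []byte // authority signature over VoterPub; tied to no identity
	Vote       string
	VoteSig    []byte // voter's signature over Vote
}

// Authority signs ephemeral keys without recording them; all it keeps is
// how many credentials it handed out (the "ticked off the list" count).
type Authority struct {
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	Issued int
}

func NewAuthority() (*Authority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authority{Pub: pub, priv: priv}, nil
}

// IssueCredential is the eligibility step: the voter presents a fresh public
// key and gets it signed. Which key went to which person is not stored.
func (a *Authority) IssueCredential(voterPub ed25519.PublicKey) []byte {
	a.Issued++
	return ed25519.Sign(a.priv, voterPub)
}

// CastBallot signs the chosen vote value with the voter's ephemeral key.
func CastBallot(pub ed25519.PublicKey, priv ed25519.PrivateKey, cred []byte, vote string) Ballot {
	return Ballot{VoterPub: pub, Credential: cred, Vote: vote,
		VoteSig: ed25519.Sign(priv, []byte(vote))}
}

// TallyResult is what any scrutineer recomputes from the published list.
type TallyResult struct {
	Counts        map[string]int
	Accepted      int
	Rejected      []string // one reason per discarded ballot
	ExceedsIssued bool     // more valid ballots than credentials issued
}

// Tally verifies every published ballot against the authority's public key
// and counts each credential at most once, so everyone holding the public
// list arrives at the same numbers.
func Tally(authPub ed25519.PublicKey, ballots []Ballot, issued int) TallyResult {
	res := TallyResult{Counts: map[string]int{}}
	seen := map[string]bool{}
	for i, b := range ballots {
		key := hex.EncodeToString(b.VoterPub)
		switch {
		case len(b.VoterPub) != ed25519.PublicKeySize ||
			!ed25519.Verify(authPub, b.VoterPub, b.Credential):
			res.Rejected = append(res.Rejected, fmt.Sprintf("ballot %d: credential not issued by authority", i))
		case !ed25519.Verify(b.VoterPub, []byte(b.Vote), b.VoteSig):
			res.Rejected = append(res.Rejected, fmt.Sprintf("ballot %d: vote signature invalid", i))
		case seen[key]:
			res.Rejected = append(res.Rejected, fmt.Sprintf("ballot %d: credential already used", i))
		default:
			seen[key] = true
			res.Counts[b.Vote]++
			res.Accepted++
		}
	}
	// A leaked credential used in place of a voter who stayed home passes all
	// checks above and keeps Accepted <= issued, so it is invisible here; the
	// count check only catches forged or over-issued credentials.
	res.ExceedsIssued = res.Accepted > issued
	return res
}

func main() {
	auth, _ := NewAuthority() // constructed demo: three voters, two choices
	var ballots []Ballot
	for _, v := range []string{"A", "A", "B"} {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		ballots = append(ballots, CastBallot(pub, priv, auth.IssueCredential(pub), v))
	}
	fmt.Printf("%+v\n", Tally(auth.Pub, ballots, auth.Issued))
}
```

The point the reply makes survives the code: a credential stolen from someone who never votes is accepted like any other, and only a mismatch between accepted ballots and issued credentials is visible from the published list.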

The voting machine industry looks at open source

Posted Apr 19, 2009 0:35 UTC (Sun) by i3839 (guest, #31386) [Link]

Before you scavenge half the internet and discover pret-a-voter systems:

The idea is good, but rubbish. This is because the system is only theoretically correct when ignoring reality. Reality is that there can be information exchange between the virtual and physical parts of the system, and once that is the case the whole thing falls apart. (When looking only at the virtual domain it's complicated enough to get right though.)

Another practical problem is that most mobile phones have a little camera and that people can be forced to use it to prove what they have voted. This doesn't work with paper ballots because you can ask for a new ballot after taking the picture.

The voting machine industry looks at open source

Posted Apr 19, 2009 2:47 UTC (Sun) by jlokier (guest, #52227) [Link]

> The idea is good, but rubbish. This is because the system is only
> theoretically correct when ignoring reality. Reality is that there can be
> information exchange between the virtual and physical parts of the system,
> and once that is the case the whole thing falls apart. (When looking only
> at the virtual domain it's complicated enough to get right though.)

That's why you must have oversight of the process by competent and motivated inspectors while it's happening, until the whole set of ballots are signed and sealed and cannot be changed.

If there is information exchange in the process where there shouldn't be, the process is not being monitored with enough care.

I agree it's difficult, perhaps too difficult.

> Another practical problem is that most mobile phones have a little camera
> and that people can be forced to use it to prove what they have voted.
> This doesn't work with paper ballots because you can ask for a new ballot
> after taking the picture.

It doesn't work with electronic ballots if you can ask to restart the ballot after pressing ENTER.

However, just like paper ballots, people can be forced to video themselves filling it in then leaving the voting booth. To ensure it's secret you need the ability to go back in after leaving...

The voting machine industry looks at open source

Posted Apr 19, 2009 10:50 UTC (Sun) by i3839 (guest, #31386) [Link]

You can't expect people to watch for things the experts didn't think about. Securing a pret-a-voter system is complicated and arcane enough, with the promise that if all steps are followed it's guaranteed secure. Why would people go and look for other things as well? The biggest danger isn't a wrong outcome, that's pretty well secured (though not watertight either), it's voters' anonymity, with all the accompanying problems like extortion, bribing and selectively dropping votes at the next polls.

> It doesn't work with electronic ballots if you can ask to restart the ballot after pressing ENTER.

Typo "doesn't" -> "does"? In general, yes, but not if you want the voter to be able to check if the vote made it and is correct afterwards, like with pret-a-voter systems. And that is the sad part, obviously if all voting happens in the open everyone can check if the outcome is correct or not, barring virtual people. But being able to do that and have guaranteed anonymity is sadly not possible.

On the other hand, if they want to know what people vote they can install hidden cameras in the booths and keep track of who went where (and/or use face recognition). Or mark the ballots subtly, have them in a known order and log the order of people getting a ballot. So paper voting isn't perfect either, but finding something that is substantially better without being overly complicated and expensive is near impossible.

Videoing yourself is a lot harder to do covertly, hence easier to spot by the poll-committee or inspectors.

The voting machine industry looks at open source

Posted Apr 17, 2009 23:27 UTC (Fri) by i3839 (guest, #31386) [Link]

> But security through secrecy does work.

Security is something other than obscurity. It's the difference between burying your fortune somewhere in the woods without anyone knowing and burying it under a heap of leaves and giving everyone the GPS coordinates to the spot.

The voting machine industry looks at open source

Posted Apr 19, 2009 7:00 UTC (Sun) by maco (guest, #53641) [Link]

Actually, the reason the US is using electronic voting machines now is so that blind folks can plug in headphones and have the computer read the ballot to them, tell them to touch on the left or right, audibly confirm the vote, etc. The old way, you needed to have a person come in with you, then you tell them who you want to vote for, and hopefully they pulled the right lever or checked the right box. That creates both trust issues (which I'm not saying electronic voting got rid of) and anonymity issues.

The voting machine industry looks at open source

Posted Apr 30, 2009 15:34 UTC (Thu) by shmget (subscriber, #58347) [Link]

"Actually, the reason the US is using electronic voting machines now is so that blind folks can plug in..."

That is a very, very poor excuse. It is much more effective and cheaper to print a few ballots in braille....
Spending such a massive amount of money to get an inherently unsecured system for all, just for 1 in 300 potential voters... The remedy is worse than the problem.

The voting machine industry looks at open source

Posted Apr 16, 2009 23:11 UTC (Thu) by cpeterso (guest, #305) [Link]

A good analogy might be that laypeople might not understand legalese, but they're glad lawyers understand legalese and have access to (non-secret) law books!

The voting machine industry looks at open source

Posted Apr 16, 2009 17:10 UTC (Thu) by Xanadu (guest, #1215) [Link]

I loved this part:

"Public oversight is arguably just as diminished in an open source environment since the layperson is unable to read and understand software source code adequately[...]"

First, the "lay person" would have no interest in reading the source code. *HOWEVER*, I think they'd have a better chance of reading C (or whatever) than reading assembly's funky characters in a text editor like with closed source, binary-only apps!

/me shakes his head.

M.

The voting machine industry looks at open source

Posted Apr 19, 2009 7:03 UTC (Sun) by maco (guest, #53641) [Link]

Those "funky characters" are what happens when you try to interpret binary as ASCII. It (obviously) doesn't work. However, that is *not* assembly. Assembly is human-readable, while binary...not so much.

The voting machine industry looks at open source

Posted Apr 17, 2009 10:27 UTC (Fri) by tnoo (subscriber, #20427) [Link]

It always makes me wonder how a big supplier of voting machines like Diebold is not able to provide a secure environment and an accountable paper track record plus paper receipts.

The same company (Diebold) is one of the biggest manufacturers of ATMs (Bancomats) where security, paper track records and receipts, plus an intuitive user interface, are commonly assumed standards.

Is that not the same technology, or is banking not as secure as one would assume?

Different scopes

Posted Apr 19, 2009 0:13 UTC (Sun) by man_ls (subscriber, #15091) [Link]

The problem of dispensing money is solvable; the problem of securely keeping track of anonymous, secret votes is not (at least right now). Similarly, the algorithm for dispensing money can be kept secret; while the algorithm for public voting should be public. In public polls transparency and simplicity are as important as accountability; not so in banking where your algorithms can be as complex as you want.

Counter-intuitively, dispensing money is orders of magnitude easier than public voting. Our intuition is probably based in the old world of paper and pencil, where voting is much easier than dispensing money.

Different scopes

Posted Apr 21, 2009 4:41 UTC (Tue) by jordanb (guest, #45668) [Link]

Diebold was caught insisting that paper trails on the voting machines were impossible because they couldn't make reliable systems to manage and print the paper. One could see how absurd the argument was simply by going to any one of the thousands of Diebold ATM machines and having it happily and reliably print out a paper receipt.

At any rate, I think people here are over-thinking the problem.

The problems in Florida 2000 came from the fact that the punch card system isn't user-friendly. Not only can ballots be mis-designed but they also can't provide any real-time feedback if the user makes a mistake. Voting machine and optical scan machines can both provide feedback to the voter, and they both avail themselves to more straightforward ballot design.

The problem with those machines is that it is a much smaller logistical problem to steal an election by manipulating electronic vote tallies than it is to falsify thousands of paper records. In addition, the makers of the machines are not particularly trustworthy and they have been very hostile to open auditing of their technology.

I think optical scan machines resolve all the issues except the one about trustworthiness of the manufacturers, and I think that could be resolved by mandatory open-sourcing of the device. I think electronic machines that print a readable paper record that can be reviewed by the voter and surrendered to the judge for safekeeping should a recount be ordered would also resolve the issue -- with the minor proviso that many voters won't bother to look at the paper closely.

I don't think we have a big problem with voter fraud in this country. I think the elections generally go off very well. I think it's unfortunate that Florida 2000 happened because it made everyone decide to change everything and that let the profiteers like Diebold get their foot in the door.

The fact is that there will always be a margin of uncertainty in an election (as in any measurement). Most elections fall outside that margin and are resolved quickly. When they're not -- currently -- they're resolved with long, expensive court battles. But in general, running an orderly and clean election is not some terrifically complicated engineering problem.

With a little more openness the machines that came along after 2000 -- particularly the optical scan machines -- can provide an easier and more robust voting process. The main issue for me is I don't think the cost is worth it.

Missing the point

Posted Apr 17, 2009 13:39 UTC (Fri) by dskoll (subscriber, #1630) [Link]

The point is, no-one has ever made a secure, affordable networked operating system. Never. In the entire history of computing.

So open-source vs. closed-source is a bit of a red herring. Without physical ballots as evidence of vote-casting, I would not trust any voting system. And if you have the physical ballots, the arguments in favour of any kind of e-voting are substantially weakened.

Another nail in e-voting's coffin is that to understand if an e-voting system is secure or not requires considerable background in computer science. To understand the security of (and possible attacks against) hand-counted paper ballots requires basic intelligence and common sense. Any voting system that isn't understood by a large proportion of the population essentially disenfranchises them.

Open-source advocates should NOT be advocating for open-source e-voting systems. We should be advocating against e-voting, period.

Missing the point

Posted Apr 18, 2009 13:34 UTC (Sat) by marcH (subscriber, #57642) [Link]

> Open-source advocates should NOT be advocating for open-source e-voting systems. We should be advocating against e-voting, period.

Agreed. Open-source e-voting systems would encourage more elaborate and harder-to-discover cheating techniques, thus maintaining an illusion of security for a longer time. The more e-voting scandals, the sooner average people realize the flaw.

Missing the point

Posted May 4, 2009 19:36 UTC (Mon) by job (guest, #670) [Link]

There's also the problem of voter identity authentication together with voting secrecy. The two must be handled by separate and completely transparent entities. It must also be impossible to prove what you voted to a third party, otherwise you open up the possibility of buying votes, which would ruin confidence in the system, rendering it useless.

All in all, it's a tricky problem. Not impossible for an e-voting scheme to solve, but tricky. Transparency in the voting systems is just a small part of it. The regular paper scheme with independent inspectors is a neat solution with no apparent drawbacks.

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds