[Fwd: Re: [E-voting] About Estonian e-voting]

Craig Burton caburt at alphalink.com.au
Mon Oct 24 12:10:35 IST 2005

> The mobile code is only one link in the chain. What about the code on 
> the server
> side, which is not seen by the voters? There would be no signature to 
> check then.

The point of the mobile code, the signing etc is to make it so that the 
server code cannot affect votes.  If it can't affect votes, then it need 
not be trusted as much. The same is true for the data centre operators, 
sysadmins etc.

> Auditing and compiling code by a third party doesn't seem practical to 
> me.
> First, auditing is not gauaranteed to find all bugs. 

The real threat is not bugs, its malware.  The Linux kernel hack of a 
missing "=" sign is typical of a bug but it was very unusual as a piece 
of malware.  With a very small piece of software of  few thousand lines, 
one that has no external dependencies (except compiled-in signed 
libraries), I think it would be hard to hide malware, especially malware 
we know is going to try to perform some very specific actions on vote data.

> Second, the process of
> auditing, building and signing a piece of software is too complicated,
> too hard to observe, and too easy to be interfered with.

Agree.  We have to trust someone somewhere.  Even in a paper election no 
one observer can be everywhere at once.   We have to trust other people 
didn't see something bad.   For the software,  the best way to do this 
is to give out the source codes (signed by us) to several groups for 
inspection.  If no people complain, one group compiles the code on a 
known clean compiler and they and others then sign the compiled object.  
I concede that, unlike making ballot box seals, someone who wants to 
watch software signing will actually see very little but we should rely 
on several groups' satisfaction with the code.

I got a quote from CSC.com to perform this audit-compile-sign task for 
an election.  They said it would take a person week.  We've had this 
done before by another software firm in 2003, it took 4 days.   For a 
major election, this seems like an reasonable task.

>> Only one voter needs to spot this signature not being intact and the 
>> game's up.  Probably 1% of the voters might do this, that's plenty.   
>> Other parts of the system need to be audited and signed as well.  
>> These are any parts that can make or modify votes.  
> Who is going to know which parts can modify votes or not? Ultimately,
> you end up having to trust the developers of the system.

There are three reasons this can be done
1. developers have to "out" the system (to certification authorities, 
academics, media whomever).  Just saying it's proprietary doesn't cut 
it.  It has to be an open system.
2.  examining the mobile code confirms it encrypts and signs votes.  
Only the private key and the voter credential lists matter now.  No 
other software can intervene.
3. developers of voting software had better make a demonstrably strong 
system lest they get their kneecaps broken by those who still think the 
operators can be coerced. 

I have  a young family, why would I provide a system I couldn't 
demonstrate was very hard to game?  Bev Harris found 15 Diebold techo's 
home addresses...  its a lot cheaper to threaten and coerce than it is 
to bribe someone.


More information about the E-voting mailing list