[Fwd: Re: [E-voting] About Estonian e-voting]
caburt at alphalink.com.au
Mon Oct 24 12:10:35 IST 2005
> The mobile code is only one link in the chain. What about the code on
> the server
> side, which is not seen by the voters? There would be no signature to
> check then.
The point of the mobile code, the signing etc is to make it so that the
server code cannot affect votes. If it can't affect votes, then it need
not be trusted as much. The same is true for the data centre operators,
> Auditing and compiling code by a third party doesn't seem practical to
> First, auditing is not guaranteed to find all bugs.
The real threat is not bugs, it's malware. The Linux kernel hack of a
missing "=" sign is typical of a bug but it was very unusual as a piece
of malware. With a very small piece of software of a few thousand lines,
one that has no external dependencies (except compiled-in signed
libraries), I think it would be hard to hide malware, especially malware
we know is going to try to perform some very specific actions on vote data.
> Second, the process of
> auditing, building and signing a piece of software is too complicated,
> too hard to observe, and too easy to be interfered with.
Agree. We have to trust someone somewhere. Even in a paper election no
one observer can be everywhere at once. We have to trust other people
didn't see something bad. For the software, the best way to do this
is to give out the source code (signed by us) to several groups for
inspection. If no one complains, one group compiles the code on a
known clean compiler and they and others then sign the compiled object.
I concede that, unlike making ballot box seals, someone who wants to
watch software signing will actually see very little but we should rely
on several groups' satisfaction with the code.
I got a quote from CSC.com to perform this audit-compile-sign task for
an election. They said it would take a person-week. We've had this
done before by another software firm in 2003; it took 4 days. For a
major election, this seems like a reasonable task.
>> Only one voter needs to spot this signature not being intact and the
>> game's up. Probably 1% of the voters might do this, that's plenty.
>> Other parts of the system need to be audited and signed as well.
>> These are any parts that can make or modify votes.
> Who is going to know which parts can modify votes or not? Ultimately,
> you end up having to trust the developers of the system.
There are three reasons this can be done:
1. developers have to "out" the system (to certification authorities,
academics, media, whomever). Just saying it's proprietary doesn't cut
it. It has to be an open system.
2. examining the mobile code confirms it encrypts and signs votes.
Only the private key and the voter credential lists matter now. No
other software can intervene.
3. developers of voting software had better make a demonstrably strong
system lest they get their kneecaps broken by those who still think the
operators can be coerced.
I have a young family, why would I provide a system I couldn't
demonstrate was very hard to game? Bev Harris found 15 Diebold techos'
home addresses... it's a lot cheaper to threaten and coerce than it is
to bribe someone.
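The two checks this message leans on, several independent groups signing the compiled object before voters run it, and the voter's own client signing the vote so the server code "cannot affect votes", as an added example in Go. It is not part of the original thread or of any actual e-voting system: it assumes Ed25519 keys for each reviewing group and for the voter, uses constructed byte strings in place of real compiled code and real ciphertext, and the names Reviewer, ArtifactTrusted, CastBallot and BallotIntact are assumed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Reviewer models one of the independent groups that inspects the source and
// then signs the compiled object (assumed structure, not from the thread).
type Reviewer struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewReviewer generates a fresh Ed25519 keypair for a reviewing group.
func NewReviewer(name string) (*Reviewer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Reviewer{Name: name, pub: pub, priv: priv}, nil
}

// Public returns the key voters would have on hand to check the group's signature.
func (r *Reviewer) Public() ed25519.PublicKey { return r.pub }

// SignArtifact signs the SHA-256 digest of the compiled object. Signing the
// digest lets each group sign the same published hash of the build.
func (r *Reviewer) SignArtifact(artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(r.priv, digest[:])
}

// ArtifactTrusted is the voter-side check: every expected group's signature
// must verify over the code actually received. Requiring all of them means a
// single group that was fooled or coerced cannot vouch for altered code alone,
// and any voter running this check would spot a swapped binary.
func ArtifactTrusted(artifact []byte, groups []ed25519.PublicKey, sigs [][]byte) bool {
	if len(groups) == 0 || len(sigs) != len(groups) {
		return false
	}
	digest := sha256.Sum256(artifact)
	for i, pub := range groups {
		if !ed25519.Verify(pub, digest[:], sigs[i]) {
			return false
		}
	}
	return true
}

// SignedBallot is what the server stores: an encrypted vote it cannot read,
// bound to the voter by a signature it cannot forge.
type SignedBallot struct {
	Payload []byte // ciphertext of the vote, opaque to the server
	Sig     []byte
}

// CastBallot is the client-side step: sign the already-encrypted vote with the
// voter's credential key. The server only transports and stores the result.
func CastBallot(voterPriv ed25519.PrivateKey, encryptedVote []byte) SignedBallot {
	return SignedBallot{Payload: encryptedVote, Sig: ed25519.Sign(voterPriv, encryptedVote)}
}

// BallotIntact is run by the counting side (or an auditor): if the server
// changed even one byte of the payload, the voter's signature no longer verifies.
func BallotIntact(voterPub ed25519.PublicKey, b SignedBallot) bool {
	return ed25519.Verify(voterPub, b.Payload, b.Sig)
}

func main() {
	artifact := []byte("constructed stand-in for the compiled mobile code")
	var pubs []ed25519.PublicKey
	var sigs [][]byte
	for _, name := range []string{"group-A", "group-B", "group-C"} { // constructed names
		r, err := NewReviewer(name)
		if err != nil {
			panic(err)
		}
		pubs = append(pubs, r.Public())
		sigs = append(sigs, r.SignArtifact(artifact))
	}
	fmt.Println("genuine code trusted:", ArtifactTrusted(artifact, pubs, sigs))
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 1
	fmt.Println("altered code trusted:", ArtifactTrusted(tampered, pubs, sigs))

	voterPub, voterPriv, _ := ed25519.GenerateKey(rand.Reader)
	ballot := CastBallot(voterPriv, []byte("constructed ciphertext"))
	fmt.Println("ballot intact:", BallotIntact(voterPub, ballot))
	ballot.Payload[0] ^= 1 // a server-side modification
	fmt.Println("modified ballot intact:", BallotIntact(voterPub, ballot))
}
```

The two halves are deliberately separate checks: the artifact signatures tell a voter the code they are about to run is the code the groups inspected, and the ballot signature tells the counting side that nothing between the voter's device and the count rewrote the vote. Neither check helps if the keys the voter uses to verify are themselves distributed by the same untrusted server, which is why the message has the reviewing groups, not the operators, publish them.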