[Fwd: Re: [E-voting] About Estonian e-voting]
michael at hexmedia.com
Mon Oct 24 14:02:01 IST 2005
Craig Burton wrote:
>> The mobile code is only one link in the chain. What about the code on
>> the server
>> side, which is not seen by the voters? There would be no signature to
>> check then.
> The point of the mobile code, the signing etc is to make it so that the
> server code cannot affect votes. If it can't affect votes, then it need
> not be trusted as much. The same is true for the data centre operators,
> sysadmins etc.
This doesn't make sense. Suppose there are two components in a system,
say A and B. A is audited and the code is signed by someone. B is not. A does some processing
and passes the data to B. B can do whatever it wants with the data.
The fact that A was signed doesn't help at all.
>> Auditing and compiling code by a third party doesn't seem practical to
>> First, auditing is not guaranteed to find all bugs.
> The real threat is not bugs, it's malware. The Linux kernel hack of a
> missing "=" sign is typical of a bug but it was very unusual as a piece
> of malware. With a very small piece of software of few thousand lines,
> one that has no external dependencies (except compiled-in signed
> libraries), I think it would be hard to hide malware, especially malware
> we know is going to try to perform some very specific actions on vote data.
Malware is another threat. It's not *the* threat.
>> Second, the process of
>> auditing, building and signing a piece of software is too complicated,
>> too hard to observe, and too easy to be interfered with.
> Agree. We have to trust someone somewhere. Even in a paper election no
> one observer can be everywhere at once. We have to trust other people
> didn't see something bad. For the software, the best way to do this
> is to give out the source codes (signed by us) to several groups for
> inspection. If no people complain, one group compiles the code on a
> known clean compiler and they and others then sign the compiled object.
> I concede that, unlike making ballot box seals, someone who wants to
> watch software signing will actually see very little but we should rely
> on several groups' satisfaction with the code.
> I got a quote from CSC.com to perform this audit-compile-sign task for
> an election. They said it would take a person week. We've had this
> done before by another software firm in 2003, it took 4 days. For a
> major election, this seems like a reasonable task.
I'm sure you would find some companies who would do it in an hour or two :)
Unfortunately, code reviews just don't catch very many bugs. Most bugs
are found in testing and actual live use of a system. And if people cannot
verify their votes then there is no way of detecting them.
>>> Only one voter needs to spot this signature not being intact and the
>>> game's up. Probably 1% of the voters might do this, that's plenty.
>>> Other parts of the system need to be audited and signed as well.
>>> These are any parts that can make or modify votes.
>> Who is going to know which parts can modify votes or not? Ultimately,
>> you end up having to trust the developers of the system.
> There are three reasons this can be done:
> 1. developers have to "out" the system (to certification authorities,
> academics, media whomever). Just saying it's proprietary doesn't cut
> it. It has to be an open system.
> 2. examining the mobile code confirms it encrypts and signs votes.
> Only the private key and the voter credential lists matter now. No
> other software can intervene.
> 3. developers of voting software had better make a demonstrably strong
> system lest they get their kneecaps broken by those who still think the
> operators can be coerced.
> I have a young family, why would I provide a system I couldn't
> demonstrate was very hard to game? Bev Harris found 15 Diebold techos'
> home addresses... it's a lot cheaper to threaten and coerce than it is
> to bribe someone.
I'm afraid that doesn't really answer the question. Software running in
a data center (or on a PC) cannot be seen by the voters. If some part of that software
is audited and signed, then that is really a meaningless assurance for
the voters. In fact it's worse than that. It creates an impression
of security, when there is really none.