[E-voting] details about ClearVoting
cansbro at eircom.net
Thu Aug 30 11:43:44 IST 2007
I think this discussion is fundamentally important. Policy issues only
make sense when informed by technological realities.
Emanuele, there are still gaping holes. Similar issues have been
discussed at some length on the website blackboxvoting.org and perhaps
you would benefit from posting there. I mention some key points below,
as they are also relevant to other voting systems that might be proposed
in the future. In many cases my own view on these things has changed
over time as I have become better informed. (See below regarding
proofreading, for example.)
1) Research has shown that only a small percentage of voters bother to
verify their vote. Knowing this fact alone has serious implications for
any system that adds an extra step of requiring voters to check
something against something else.
2) Research into proof-reading also shows that only some errors are
caught, even when people are trying to catch errors. The mental
processes involved have nothing to do with software development--yet
voting system software developers persist in developing systems that
involve other capabilities/problems/issues about which they have zero
3) You are still requiring unacceptable trust (e.g., that the downloaded
version of the software is correct) rather than the eyes and ears of
regular citizens. This takes control of elections away from people and
puts it in the hands of "experts". This is unwise and unacceptable when
dealing with systems on which democracy depends. It is different to
"trust" the observation of parties who have competing interests (e.g.,
observers representing opposing candidates or parties).
4) Your point 5) below shows lack of awareness of numerous other
vulnerabilities that have been well documented in relation to existing
electronic voting equipment in use in the USA. Blackboxvoting.org has
extensive documentation as do many other sites. They include not just
the various Harri Hursti attacks, but many others (e.g. boot-loader
attacks that can permanently compromise a counting system yet are
undetectable afterwards--e.g., they can change software, and after they
have run they can change the software back again and erase evidence of
what occurred). Such exploits have been demonstrated and documented by
multiple red-teams and various research institutions; they are not
5) What defenses do you propose regarding social engineering? These
methods are the most likely methods. E.g., a trusted insider is talked
into revealing a key password because of a plausible-sounding emergency
or misrepresenting oneself as a vendor technician; a person in a key
role is bought off or threatened into assisting; physical access is
obtained to a key piece of equipment using a plausible pretense,
allowing vulnerabilities to be exploited.
emanuele lombardi wrote:
> Dear Paul,
> thank you for your reply.
> I would like to counter your points.
> 1) My system does print VVBP and those pieces of paper are the ONLY legal
> 2) Voters don't need to verify nor to trust the software that prints their
> votes as they simply verify the VVBP has printed on it the name of voted
> candidate (or party).
> 3) Voters need to trust the software that counts their votes. Of course
> voters may have no competence to verify the software, but parties and
> organizations have it. I'm sure we agree that party representatives must
> carefully watch voting operations whichever the media and the technology.
> Thus they will be present in any polling room even at the opening of
> election when the software is installed booting kiosks from the media that
> has been officially distributed by the Authority (central or local).
> [ Anyway voters need to trust something or somebody whichever is the media
> used for voting. In traditional paper elections, as a voter, I trust that
> votes will be properly counted and also that poll workers will properly
> write the results onto the official statements. Voters, unless they stay in
> the polling room all the time, also need to trust party representatives.]
> 4) I know Ken Thompson's "Reflections on Trusting Trust", in fact I linked
> it from my web site http://www.electronic-vote.org. Such reflections are the
> reason why I decided ClearVoting to use any of the Open Source operating
> systems available on the Internet. In fact nobody can think they are hacked
> just to make fraud in my voting application.
> The use of a Linux distribution downloaded from the Internet and the use of
> software written in an interpreted language give a very high level of
> confidence that nothing bad will happen. Please note that the use of an
> interpreted language means that no compilation is involved.
> Even if we think that RedHat, Suse, Ubuntu, Debian, Mandriva, Fedora, Gentoo
> all distribute some hacked version of their software, I can't imagine how such
> hacked versions could ever make fraud in our Open Source voting software
> that is not compiled and that accomplishes extremely simple operations like
> the counting by one.
> Anyway, to increase security the Linux to be used is chosen among the many
> by the bipartisan commission that also chooses a release/version that is not
> the latest. Do we really think that (for example) version 5.0 of Ubuntu
> contained such hackings or errors that will make our PHP software give wrong
> results of additions by one?
> 5) How can any software running "under" the Operating System alter the
> results of our high level software that simply adds integers? I don't see
> what BIOS or disk firmware could ever do to alter the results of the "n=n+1"
> computations done by our software. In any case voting kiosks are standard PCs
> that, when not used for voting, can be used for other purposes by the
> local administrations. If they work properly it means that their low level
> software also works properly.
> Dear Paul,
> I hope I made clear my points. I agree that any further mail can be direct
> not to bore all the list.