[E-voting] details about ClearVoting

Catherine Ansbro cansbro at eircom.net
Thu Aug 30 11:43:44 IST 2007


I think this discussion is fundamentally important.  Policy issues only 
make sense when informed by technological realities.

Emanuele, there are still gaping holes.  Similar issues have been 
discussed at some length on the website blackboxvoting.org and perhaps 
you would benefit from posting there.  I mention some key points below, 
as they are also relevant to other voting systems that might be proposed 
in the future.  In many cases my own view on these things has changed 
over time as I have become better informed.  (See below regarding 
proofreading, for example.)

Specific points:
1) Research has shown that only a small percentage of voters bother to 
verify their vote.  Knowing this fact alone has serious implications for 
any system that adds an extra step of requiring voters to check 
something against something else.
2) Research into proof-reading also shows that only some errors are 
caught, even when people are trying to catch errors.  The mental 
processes involved have nothing to do with software development--yet 
voting system software developers persist in developing systems that 
involve other capabilities/problems/issues about which they have zero 
expertise.
3) You are still requiring unacceptable trust (e.g., that the downloaded 
version of the software is correct) rather than the eyes and ears of 
regular citizens.  This takes control of elections away from people and 
puts it in the hands of "experts".  This is unwise and unacceptable when 
dealing with systems on which democracy depends.  It is different to 
"trust" the observation of parties who have competing interests (e.g., 
observers representing opposing candidates or parties).
4) Your point 5) below shows lack of awareness of numerous other 
vulnerabilities that have been well documented in relation to existing 
electronic voting equipment in use in the USA.  Blackboxvoting.org has 
extensive documentation as do many other sites.  They include not just 
the various Harri Hursti attacks, but many others (e.g. boot-loader 
attacks that can permanently compromise a counting system yet are 
undetectable afterwards--e.g., they can change software, and after they 
have run they can change the software back again and erase evidence of 
what occurred).  Such exploits have been demonstrated and documented by 
multiple red-teams and various research institutions; they are not 
hypothetical.
5) What defenses do you propose regarding social engineering?  These 
methods are the most likely methods.  E.g., a trusted insider is talked 
into revealing a key password because of a plausible-sounding emergency 
or misrepresenting oneself as a vendor technician; a person in a key 
role is bought off or threatened into assisting; physical access is 
obtained to a key piece of equipment using a plausible pretense, 
allowing vulnerabilities to be exploited.

Regards,
Catherine

emanuele lombardi wrote:
> Dear Paul,
>
> thank you for your reply.
> I would like to counter your points.
>
> 1) My system does print VVBP and those pieces of paper are the ONLY legal
> votes.
>
> 2) Voters don't need to verify nor to trust the software that prints their
> votes as they simply verify the VVBP has printed on it the name of voted
> candidate (or party).
>
> 3) Voters need to trust the software that counts their votes. Of course
> voters may have no competence to verify the software, but parties and
> organizations have it. I'm sure we agree that party representatives must
> carefully watch voting operations whichever the media and the technology.
> Thus they will be present in any polling room even at the opening of
> election when the software is installed booting kiosks from the media that
> has been officially distributed by the Authority (central or local). 
>
>  [ Anyway voters need to trust something or somebody whichever is the media
> used for voting. In traditional paper elections, as a voter, I trust that
> votes will be properly counted and also that poll workers will properly
> write the results onto the official statements. Voters, unless they stay in
> the polling room all the time, also need to trust parties representatives.]
>
> 4) I know Ken Thompson's "Reflections on Trusting Trust", in fact I linked
> it from my web site http://www.electronic-vote.org. Such reflections are the
> reason why I decided ClearVoting to use any of the Open Source operating
> systems available on the Internet. In fact nobody can think they are hacked
> just to make fraud in my voting application.
>
> The use of a Linux distribution downloaded from the Internet and the use of
> software written in an interpreted language give a very high level of
> confidence that nothing bad will happen. Please note that the use of an
> interpreted language means that no compilation is involved. 
>
> Even if we think that RedHat, Suse, Ubuntu, Debian, Mandriva, Fedora, Gentoo
> all distribute some hacked version of their software, I can't imagine how such
> hacked versions could ever make fraud in our Open Source voting software
> that is not compiled and that accomplishes extremely simple operations like
> the counting by one.
>
> Anyway, to increase security the Linux to be used is chosen among the many
> by the bipartisan commission that also chooses a release/version that is not
> the latest. Do we really think that (for example) version 5.0 of Ubuntu
> contained such hackings or errors that will make our PHP software give wrong
> results of additions by one? 
>
> 5) How can any software running "under" the Operating System alter the
> results of our high level software that simply adds integers? I don't see
> what BIOS or disk firmware could ever do to alter the results of the "n=n+1"
> computations done by our software. In any case voting kiosks are standard PCs
> that when not used for voting can be used for other purposes by the
> local administrations. If they work properly it means that their low level
> software also works properly. 
>
> Dear Paul,
> I hope I made clear my points. I agree that any further mail can be direct
> not to bore all the list.
>
> Ciao,
> Emanuele