[E-voting] details about ClearVoting

Patrick J Kobly patrick at kobly.com
Fri Aug 31 22:56:37 IST 2007


Once again...  From http://www.clearvoting.com/detail_software_en.php

> ClearSoftware is a method of _writing, producing, publishing,
> distributing, installing and running software_ that ensures the easy
> detection of any computing tricks that could produce unwanted results.

The use of the word "ensure" here is unsupported hyperbole.

> ClearSoftware is not only applicative software but also the whole
> operating environment in which applications are executed.

Okay...  One step forward.  You're starting to try to look at the full 
(technical) context.  You do, however, ignore firmware and hardware in 
this situation.  Certainly, BIOS, drive firmware and bus firmware have the 
capacity to modify contents of data read into memory.  Whether or not we 
have observed malware in the wild doing this is thoroughly irrelevant.  
Thought experiment.  Consider installing your solution in a VMWare 
virtual machine?  Could the VM be subverted to subvert your 
application?  If so, why could hardware / firmware not be subverted in 
the same way?

> We could trust results of an applicative software if we could:
> * trust the applicative software
> * trust the operating system in which the applicative software runs
> * trust that nothing else runs in the computer
> * test ourselves all the software on our computers

Indeed, I would concur with this.  Your proposed solution does not 
satisfactorily address any of these.

goal: trust the applicative software
how ClearSoftware fulfils the goal:

    * applicative software is 100% Open Source coded in human-readable
      text files that, without any need of compilation,

[PK] Sheer and utter nonsense.  The reason Thompson focusses on 
compilation is solely because interpreted languages were not as 
important when he wrote the Turing award lecture as they are now.  From 
an information perspective, the challenge with code is not compilation 
per se, but translation.  Just as with compiled code, something is 
needed to interpret the "human-readable text" and implement it in terms 
of machine operations.  In many cases, interpreted languages are much 
_less_ safe than compiled languages.  (Google "phpbb vulnerability" if 
you don't believe me)

    * are executed by some of the base services of the operating system
      (database, browser, server httpd...)

[PK] Heh.  If you believe a DBMS, browser and web server are base 
services of the operating system...  Again, search CERT/CC for vulns in 
MySQL/PostgreSQL/PHP/FF/Apache.  Further, how do you verify that the 
httpd running is the one publicly available?  That's right, you can't.

goal: trust the operating system

    * the operating system is an Open Source operating system downloaded
      from the Internet

[PK] Which cannot be verified

    * customizations of the operating system are only well-documented
      human-readable text files

[PK] Which customizations still need to be interpreted through something 
in a machine language.

goal: trust that nothing else runs in the computer

    * the software is distributed in the form of read-only media

[PK]  Define read-only.  Is a CD-R read-only?  a pressed CD?  A USB 
drive with the read-only switched locked on?  All of these can be 
modified.  None of this even matters if you can't trust that the system 
reads the media accurately anyway.

    * the installation of the media automatically
          o formats all disks of the computer
      [PK] Define "format"
          o installs the Open Source operating system
      [PK] Sourced from where?  How is its integrity verified?
          o installs the Open Source applicative software
          o boots the newly installed system
          o runs the Open Source applicative software

goal: test ourselves the software on our computers

    * the ISO file of the self-installable media is distributed on the
      Internet
      [PK] And again, how do we verify this is what's running on the
      actual systems used in the election?

Please watch the ClearSoftware animation 
<http://www.clearvoting.com/flash_en.php#clearsoftware>


    Details

To be ClearSoftware compliant, any software must adhere to the following 
points:

<Snip bunch of stuff reiterating the above table>

   1. the text file ClearSoftware.txt that must contain the full
      identification of the original operating system and all the
      info about its customization, as follows:
          o identity of the original operating system (name,
            version and release)
          o URL from which the ISO of the original operating system
            has been downloaded
          o date and time when the original operating system has
            been downloaded
          o MD5 or similar check of the original operating system
          o full path of the "A" and "B" folders
          o full path of all the files of the original operating
            system that have been customized but could not be
            placed in folder "A"

[PK] And what happens if this text file is modified or intercepted?  How 
do you verify its integrity?

   1. the final distro must be published on the Internet in the form of
      an ISO file together with its MD5 (or similar) checksum so that
      anybody can download the final distro and install it on his/her
      computer to analyse and test it

[PK] Again, MD5 only verifies something about the data on a particular 
media.  Nothing about the data actually being used.


    Notes

   1. since the latest release of any operating system may have problems
      still to be discovered, it is

Better to have an older version with problems already discovered?

   1. wise to download from the Internet an older release. It doesn't
      matter if it has known bugs, as long as they don't impact our
      application (like bugs related to devices we don't have or related
      to base services we don't use).

It doesn't matter if there's a bug in the installed sendmail daemon, 
because this machine doesn't use a mail server.   Riiiiiight.  Come on!

   1. Using an old release also ensures that nobody may have hacked it
      long ago to alter the behaviour of our today's ClearSoftware
      application

Only if you can verify that what's being run is actually the old 
version.  Which you can't.

   1. As an example, the applicative software can be a WEB application
      that is written in PHP <http://www.php.net> and it uses a MYSQL
      <http://www.mysql.com> database.

http://search.cert.org/query.html?rq=0&ht=0&qp=&qs=&qc=&pw=100%25&ws=1&la=&qm=0&st=1&nh=25&lk=1&rf=2&oq=&rq=0&si=1&col=xtracert&col=trandedu&col=vulnotes&col=techtips&col=research&col=certadv&col=incnotes&qt=mysql&x=0&y=0
http://search.cert.org/query.html?col=general&col=history&col=orgsec&col=response&col=secsys&col=sftassur&col=training&qt=PHP&charset=iso-8859-1

In addition, it is _very_ bad form to specify specific implementation 
technologies in a methodology specification.

   1. the final distro can undergo a process of mass duplication or
      replication. A logo may be impressed on each CD (or DVD) to
      certify it's original.

And you can start a process of mass-fabrication of the hardware / 
firmware and all of its components too...  Chip fabs aren't that 
expensive ;-)

   1. anybody can verify the content of each CD (or DVD) simply by computing
      its MD5 (or similar) checksum and comparing it with the one
      published on the Internet


    Steps to create a ClearSoftware distro

   1. code the applicative software
   2. choose the Open Source operating system to be used to run the
      applicative software
   3. download from the Internet the ISO file of the chosen Open Source
      operating system
   4. create the file structure of the final distro adding to the
      operating system the folders "A" and "B" and the text file
      ClearSoftware.txt
   5. burn the master CD (or DVD) of the final distro
   6. publish on the Internet the ISO file of the final distro and its
      MD5 checksum (or similar)


   1. Collect Underpants
   2. ?
   3. Profit



    What for ?

Most of the time we don't need to know in detail the software we use 
because we simply compare its output with the expected one (e.g. we move 
the mouse and we check if the pointer actually goes where it should). 
But sometimes we deal with unverifiable input data or with events that 
must follow a given law (usually the law of equal chance) over a term that 
is too long for us to verify it. For example:

    * voting. Nobody can ask voters whom they voted for, so nobody can
      verify if the vote recorded on each elector's behalf is true or
      not. Electors must trust the way their votes are collected and counted
    * gambling. To be fair, gambling must be based on truly random
      events, but no single gambler can verify it, unless he gambles for
      days and days without a rest. Thus gamblers must trust the way
      such events are generated

[PK] Gambling is a much simpler problem.  The characteristics of the 
game are much better understood and verifiable (we know how often 
triple-7's should come up on a slot machine), audit trails need not be 
anonymized or disassociated from time.  Yet, still, there are huge 
vulnerabilities discovered from hidden code in electronic gaming 
machines.  Conflating these two problems is thoroughly inappropriate.


Thus fairness of elections and gambling can be ensured only by means of 
public and verifiable procedures. It is not by chance that fairness of 
elections has been based upon ballot papers publicly managed and counted 
and that fairness of gambling has been based upon cards publicly 
shuffled and dice publicly thrown.

I'm not aware of people complaining about the undisclosed software 
running on gambling machines, but it's quite obvious that for voting no 
undisclosed software should ever be used.

[PK] Then you haven't been following media coverage of gaming 
machines...  bzzzzt.

Open Software is often proposed as a safe way to use computers in 
voting. But Open Software by itself is not enough because:

    * it's practically impossible to verify that the program being run
      in all polling stations is really the one originating from the
      compilation of the verified Open Source sources
    * rigged alterations to the results could also derive from
      fraudulent modifications of compilers, operating systems, system
      libraries, interfaces and other high level applications

ClearSoftware addresses all the above points in a simple, cheap and 
verifiable way.

[PK] ClearSoftware addresses neither of these two points.


    An example of ClearSoftware application

Here follows an example of a ClearSoftware application.
It uses a web browser to interact with users and a mysql database to 
access data. Both are part of the Open Source operating system 
downloaded from the Internet, thus only the applicative software 
(yellow) must be really coded. Applicative software is written in any 
interpreted language that doesn't need any compilation (PHP 
<http://www.php.net> in the example), thus it's easy to review it for 
bugs or hacking.

[PK] Okay, you _clearly_ have not been involved in _any_ serious 
maintenance of PHP applications.

No other part of the system (light blue) needs to be reviewed since they 
all come from the Linux distribution downloaded from the Internet.

[PK] *cough* Are you ^*&%ing serious?  Are you insane?

[Figure: an example of ClearSoftware application]

------------------------------------------------------------------------
As you can see on my site www.electronic-vote.org 
<http://www.electronic-vote.org> I'm one of the most heated and radical 
opposers to electronic voting as it is presently intended and proposed.

[PK] Seriously, go read Jason Kitcat's writing on why he shut down the 
GNU.FREE open source voting software project that he started up.

Recently this deep-seated aversion, together with over twenty years' 
experience as a computer technician, has led me to work out 
ClearSoftware <http://www.clearvoting.com/intro_software_en.php> and 
ClearVoting <http://www.clearvoting.com/intro_voting_en.php> that 
overcome all the limitations of current electronic voting systems.

[PK] When you consistently use hyperbole like "overcome all the 
limitations of current electronic voting systems," you will certainly 
invoke the ridicule of a large number of serious security folks.  You 
don't know what you're talking about and you don't provide sufficient 
support for your arguments.  Your snake oil is getting tiresome.

I'm looking for companies willing to invest in the new voting system, 
thus interested companies please send me a message 
<http://www.clearvoting.com/contatti_en.php>.

[PK] Advice to prospective investors - Do your own due diligence.  
Besides which, there's nothing to invest in.  No working system 
protected by copyright.  Nothing patentable.  Just a trademark with no 
reputation.  Good luck.

PK
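Added example, not from the post or from ClearVoting: a Python sketch of the two checks PK keeps apart above, the ClearSoftware.txt manifest and ISO MD5 described in the Details and Steps sections, and a digest of the installed folder "A" that has to be rerun on the deployed system itself. The manifest's key: value syntax, the file names and the image bytes are constructed assumptions; the page gives no syntax for the file.

```python
import hashlib
import tempfile
from pathlib import Path
# Constructed stand-in for the downloaded image; not a real ISO.
ISO_IMAGE = b"constructed-iso-image-bytes\n" * 64
# Constructed ClearSoftware.txt with fields the page lists; the
# 'key: value' line layout is an assumption, the page gives no syntax.
MANIFEST = (
    "os: ExampleLinux 1.0\n"
    "url: http://example.invalid/ExampleLinux-1.0.iso\n"
    "md5: " + hashlib.md5(ISO_IMAGE).hexdigest() + "\n"
    "folder_a: /opt/clear/A\n"
)

def parse_manifest(text):
    """Read 'key: value' lines into a dict; keys are lower-cased."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def verify_media(manifest, iso_bytes):
    """The page's check: published MD5 versus the bytes on the media (MD5 kept
    only because the page names it; it is not collision-resistant)."""
    return hashlib.md5(iso_bytes).hexdigest() == manifest.get("md5")

def tree_digest(root):
    """Deterministic SHA-256 over relative paths and contents of a folder tree."""
    h = hashlib.sha256()
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        h.update(path.relative_to(root).as_posix().encode() + b"\0")
        h.update(path.read_bytes() + b"\0")
    return h.hexdigest()

def demo():
    """Install a constructed folder 'A', alter it, then rerun both checks."""
    manifest = parse_manifest(MANIFEST)
    with tempfile.TemporaryDirectory() as tmp:
        a = Path(tmp) / "A"
        (a / "lib").mkdir(parents=True)
        (a / "vote.php").write_bytes(b"<?php echo 'count votes'; ?>\n")
        (a / "lib" / "db.php").write_bytes(b"<?php // db access ?>\n")
        before = tree_digest(a)
        # Alter only the installed copy; the media image is untouched.
        (a / "lib" / "db.php").write_bytes(b"<?php // altered after install ?>\n")
        after = tree_digest(a)
    # The media check still passes while the installed tree has changed.
    return {"media_ok": verify_media(manifest, ISO_IMAGE),
            "installed_changed": before != after}
```

The published checksum matches the image even after the installed copy is altered, which is the gap PK points at: media verification says nothing about what is actually running, and the tree digest only helps if it is computed on the machine in use and compared against a value whose own integrity is protected.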