Comments on: Some e-voting observations

By: Didier Stevens

Didier Stevens — Thu, 25 Oct 2007 16:27:07 +0000

So you have done a) here in Belgium? How long did it take you?

And BTW, shrub was put into power by Corporate America, not by dubious voting machines. See? I can also write oversimplifications.

By: Charles

Charles — Thu, 25 Oct 2007 15:47:03 +0000

So coercion is the latest pro for elo voting?
a) You can do paper voting twice (foto-ing the 1st trial), by devalidating the 1st paper after the foto and ask for a 2nd one. So coercion can be ruled out as well in paper.
b) Bush (jr.) was elected twice by dubious voting machines on Florida and then Ohio (more Bush votes than legal participants in some Ohio districts etc.). So this WAS fraud.
c) Let it be DOS, or Unix or whatever. Nobody will be able to verify the whole package, in all districts.
Who could possibly check multiplying/exponentiating 512-bit numbers modulo the RSA modulus or whatever is behind the voting algorithm. Plainly 8almost) nobody.
d) After the fact, the is no paper trail, no electronic trail, nothing. Neither the voter, nor the party members present in the stands, nor anybody else can do anything with the result than believe. I am computer scientist and catholic, but my belief in God is somewhat firmer than that in those voting machines.
e) What good is elo voting anyway? (potential harm we have already seen) Faster? Yeah, knowing the Prime Minister 5 min after closing instead of after 30 min… No coercion? Also fightable in paper … so what???

By: Curt Sampson

Curt Sampson — Thu, 12 Jul 2007 10:25:02 +0000

For a voting machine, DOS sounds good to me. It’s much smaller and simpler to audit than something like Unix or Windows.

cjs@cynic.net

By: Joske

Joske — Sat, 23 Jun 2007 17:03:30 +0000

No, it won’t allow you to change your vote. It just shows the voted names in a gray background color.

By: Didier Stevens

Didier Stevens — Sat, 23 Jun 2007 15:04:23 +0000

This is interesting. And does the screen that shows your vote, after reinserting the card, allow you to change your vote?

By: Joske

Joske — Sat, 23 Jun 2007 14:01:14 +0000

It’s still possible: if you feed the voting machine a magnetic card already carrying a vote (the one you just cast), it will clearly show you who you’ve voted for.

By: Koen Dreelinck

Koen Dreelinck — Wed, 13 Jun 2007 12:00:06 +0000

In some parts of Belgium, we still use paper and pencil to vote, and to be honest I still find it the best way … Bruce Schneier has some very interesting articles in his monthly Crypto-Gram indicating the pro’s and con’s of the electronic voting. Also the SANS weekly newsletter has already published a few articles and comments on the electronic voting system.

Independent of the Source Code Review, there will always be items for discussion with the current system of electronic voting. As a user of the system, you can never be assured that the vote you entered on the screen is really captured on the card, even ignoring the fact that this card also have to be read correctly by the card reader. If I vote on a paper ballot, I see literally that I have elected party X and nothing or nobody can change this if correct procedures are in place (which is still the case in Belgium with a lot of people involved in voting, counting and controlling the system).

If there is a problem or an issue with the counting, one can ask a recount. With paper ballots this is rather straight-forward and everybody can testify the correctness. The current way of electronic voting has no such possibility.

And no, I’m really not against the electronic voting system but I think it’s time to rethink the way this is done. There are some examples that also provide a paper trail of your vote

By: Luke

Luke — Tue, 12 Jun 2007 20:57:27 +0000

Oh boy… DOS? That might be nasty. No user permissions, funky memory model, archaic kernel. Definitely doesn’t sound like a modern, robust tamper-proof voting system.

By: Didier Stevens

Didier Stevens — Tue, 12 Jun 2007 16:57:39 +0000

I don’t know if it’s open source, but the source code is available on an official site (I just found this out yesterday): http://www.ibz.rrn.fgov.be/index.php?id=627&L=0

I’ve read about all the issues with Diebold machines a while back, and I started to ask myself the same questions you’re asking. But until know, I was not very actively looking for answers. This will probably change now that I’ve the source code. But of course, the source code is only one part of the voting system. For example, it appears to be running on DOS, and DOS is not the first thing I think about when you ask me for a secure OS.

By: Luke

Luke — Tue, 12 Jun 2007 15:24:53 +0000

Interesting… I must ask - is Belgian e-voting software open sourced? If no, who reviews the software to ensure that it is fair? And is that verification process public, and are the test results easily available to the general public?

Here in US the e-voting machines are running proprietary software and hardware, and are tested by licensed private companies in a secretive, non-public process. The company that makes them goes to great lengths to prohibit any independent entities not affiliated with them to test or examine their machines.

It has been shown that their hardware uses insecure, cheap locks, and that their software can be easily altered by simply plugging a modified memory card into it, and rebooting.

It’s a fucking mess around here. With such insecure, easily hackable machines, produced by private companies, running closed code, voter coercion is really a secondary concern here.

I’m just wondering if you guys came up with a better system than we did.