Message-ID: <MDEHLPKNGKAHNMBLJOLKIEFKOKAA.davids@webmaster.com>
Date: Wed, 29 Sep 2004 01:05:12 -0700
From: "David Schwartz" <davids@...master.com>
To: "Paul Wouters" <paul@...net.nl>
Cc: "Jeremy Epstein" <jeremy.epstein@...methods.com>,
<bugtraq@...urityfocus.com>
Subject: RE: Diebold Global Election Management System (GEMS) Backdoor
> If a vendor did a proper job of constructing a machine that conformed to
> the VVAT spec, then open source would not be required *at all*. The
> voter gets to verify the paper ballot before it is deposited in the
> ballot box, and external observers can physically inspect the ballot box
> and the discard box to ensure that the right number of ballots are
> deposited into each box.

But surely a paper trail is inferior to a cryptographically secure voting
system? It's easier to verify millions of cryptographic signatures than
millions of pieces of paper.

> OTOH, if the machine does *not* conform to the VVAT spec, then open
> source is nowhere near sufficient to assure fair balloting, because the
> vendor could supply source code all over the place, and then just
> install trojan code at the last moment.

So long as the mathematical scheme by which the votes were entered and
counted was itself secure, it matters not what the machine does. It will
either produce valid results or obviously invalid results. All you have to
do is devise the scheme so that it is computationally infeasible to produce
invalid, but valid looking, results. This is not a difficult mathematical
problem.

> And that is the fundamental problem with all-electronic (no paper trail)
> voting: a human observer on the outside cannot tell what is going on in
> the chips and disks.

Doesn't matter. You can't tell what's going on in the chips and disks when
you connect to 'https://www.amazon.com', but you can tell whether you
reached the Amazon server or not (assuming you trust the certificate
issuers). Similarly, one can develop voting schemes (it isn't even difficult)
where it is not possible for the chips and disks to produce invalid results
that would pass automated inspections that anyone could do.

> You can get all the tripwire/opensource/checksum
> report crap you want, but if a bad guy got access to the machine and
> installed a trojan, then your reports are all a pack of lies, and no
> amount of election observing by anyone will help.

Exactly.

> That is why the VVAT is the one and only answer to fair digital voting.
> Open source is a distraction.

I think the solution is mathematical. Devise schemes such that it's not
possible for a machine to produce valid-looking, but not valid, results.
This is not only not difficult, but already done. Even apparently
contradictory requirements are not really contradictory. For example, there
are schemes in which a person cannot prove how they voted, yet can prove
that their vote was not counted for the correct candidate if it in fact was
not.

DS