It was a nice talk. Most of it was just information to show how truly terrible the problem is — it's probably worse than you think.
There's an IEEE standard being developed for voting machines, and guess who's on the committee? All the voting machine companies. No security experts.
He went to visit a company once and asked about their security. They said they used cryptography. He asked what algorithms they used. After some attempt to avoid the issue, they finally admitted that they had made up their own.
Diebold's software has the cryptographic key hardcoded in the source, as found by investigators at Johns Hopkins. That means that every Diebold machine in an entire election probably has the same key — crack one key and you can hack them all. Worse than that, it almost certainly means that you can find the key in the software binary, which is widely distributed.
David Dill's main proposal is for a "voter-verifiable audit trail". It's very simple: if the voting machines produce a printed record of your vote, you can look at the paper to make sure it's correct and put it in a box. Then you can recount the election by looking at the paper ballots.
One really surprising thing was that there are actually quite a few advocacy groups that oppose this. Groups that represent disabled people oppose it because it increases the cost of deploying electronic voting machines. They fought hard to get voting machines in order to improve accessibility for people who have vision problems, people with motor problems that prevent them from marking a paper ballot, or people that can't read.
So, i have an alternate proposal.
My motivation behind this approach is that we can address the issue of insider fraud in at least two ways: (1) a paper audit trail lets us do random samples and detect after the fact if something was fishy; or (2) using open source software lets us all make sure that nothing is fishy before the election takes place. David argued that (2) did not solve the problem because we don't have a way for people to make sure the software that happens to be running on the machines is really the same software we all decided to audit and trust, so we have to go with (1).
I'm suggesting that we may never be able to satisfy the groups that are demanding accessibility with solution (1), so it may be more effective to argue for (2), if there is a way to solve the verified software problem. Here is how you might do it.
The votes are cast using software that runs on off-the-shelf PCs. The election officials buy the PCs with no hard drives, and on election day any voter is permitted to request that the case be opened so they can see that there is no hard drive.
The election software is open source, and is distributed as a bootable CD image. At some point before the election, the software is reviewed by experts, development on the software is stopped, a distribution is built, and the MD5 hash of the CD image is widely publicized.
Pre-burned CDs are at the election site. The CDs are all verified at the beginning of the day, and voters are also allowed to bring in laptop computers, put in any CD, and verify that the hash is correct. Voters are also allowed to burn their own CDs at home and bring them to the polling place, where they are hashed and verified on a separate computer. At the end of the day we might also allow people to take any CD with them and verify it at home if they wish.
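The polling-place check described above, as an added example that is not part of the original post: a small Python verifier that streams a CD image (a file, or a raw device such as /dev/cdrom) and compares its digests with the widely publicized ones. It computes SHA-256 alongside the MD5 the post proposes, because MD5 collisions are practical today and two different images can be made to share one MD5; the sample image bytes and the digests in the manifest are constructed for this example.

```python
"""Added example (not from the original post): verify a bootable election-CD
image against the publicly announced digests, the check a voter could run on
a laptop at the polling place. Sample image bytes and digests are constructed."""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a full CD image never sits in RAM


def digest_image(path):
    """Return hex MD5 and SHA-256 of the image at `path` (a file or a raw
    device such as /dev/cdrom), streamed in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(path, published):
    """Compare the image's digests with the published manifest.

    `published` maps algorithm name to hex digest, e.g. {"md5": ..., "sha256": ...}.
    Every algorithm in the manifest must match, and an empty or unknown manifest
    fails closed. MD5 alone is not enough today (collision attacks), so the
    manifest should always carry SHA-256 too. Returns (ok, per-algorithm results).
    """
    actual = digest_image(path)
    details = {}
    for alg, expected in published.items():
        got = actual.get(alg)
        # compare_digest avoids leaking where the two strings first differ
        details[alg] = got is not None and hmac.compare_digest(got, expected.lower())
    ok = bool(details) and all(details.values())
    return ok, details


def write_sample_image(data):
    """Write constructed sample bytes to a temp file standing in for the CD."""
    fd, path = tempfile.mkstemp(suffix=".iso")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    path = write_sample_image(b"hello")  # constructed 5-byte "image"
    manifest = {"md5": "5d41402abc4b2a76b9719d911017c592",
                "sha256": "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"}
    print(verify_image(path, manifest))  # (True, {'md5': True, 'sha256': True})
```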
The reason i'm suggesting we use plain PCs is that they're cheap and come from lots of sources. We do have to trust that the hardware isn't tampered with, but we would be no worse off in this scenario than we are now, and because the PCs can come from all over the place, no one vendor can control the election. Similarly i'm suggesting the use of CDs because CD-R drives are so commonplace these days, so we can distribute the cost of verifying the election by letting conscientious voters burn their own CDs or verify existing CDs if they so desire.
How does it sound?