From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Fri May 16 2003 - 07:06:55 MDT
Lee Daniel Crocker wrote,
> <http://verify.stanford.edu/evote.html>
>
> a Stanford professor states the obvious: some electronic voting
> machines are not auditable and easily hacked.
This is well known and has been widely discussed in the security industry.
Standard security requirements for double-checks, auditing, logging,
testing, external verification, etc., have been excluded by these machines
and the companies that produce them. They cannot be evaluated as secure
using standard techniques the way they are implemented. Many security
organizations have discussed publishing official statements against these
machines. There also have been some discussions that security professionals
cannot ethically be involved in supporting these elections as accurate given
the current situation with these machines.
> So, is there an attack here I don't see? If so, can you plug the
> hole, or come up with a system with the same safeguards?
The problem is more political than technological. I see no problems with
your solution, but I don't think it addresses the root problems that are
preventing these machines from being auditable. If the state legislatures
would allow security to be part of the voting process, we already have
proven methods for this.
The problem is that these machines are proprietary and the manufacturer's
contracts forbid third-party audits of the machines. They also don't want
anybody looking at their software code, so it can't be verified. There also
is political resistance to having any kind of audit trail, even like the one
you suggest. The idea is to avoid recount fiascos by eliminating the
possibility of a recount. This is quite a hot topic here in Florida, where
Jeb Bush and the Republicans in the state legislature want to destroy all
the ballots from the 2000 presidential election to avoid any possibility of
future counts. They also would like to pre-emptively do this for all future
elections. By eliminating all audit trails, there is no way someone can
demand a recount.
Also, be aware that the system is much larger than the piece you are
addressing. What your system proves is that the newspaper correctly reported
back an encrypted version of each person's vote. How do we know this list
matches what was counted? How do we know the counts add up to what totals
were reported? How do we know a bunch of extra votes weren't added? How do
we know if all the voters were eligible to vote? How do we know that each
person only voted once? There are a lot of audit areas beyond the single
one you excellently solved. But the political problems are bigger than the
technological ones.
-- Harvey Newstrom, CISSP, IAM, GSEC, IBMCP <www.HarveyNewstrom.com> <www.Newstaff.com>