Free Republic

Princeton prof hacks e-vote machine
Associated Press via Yahoo News ^ | September 13, 2006 | Chris Newmarker

Posted on 09/14/2006 1:47:32 PM PDT by WmShirerAdmirer

To: antiRepublicrat
Good question. But the article isn't about all voting machines, just Diebold's extremely lax security in theirs.

Does anyone use non-rewritable media for electronic voting? If not, some of the same issues are just as applicable to other systems as to Diebold's. To be sure, the susceptibility to outsider cheating may not be as bad on other systems as on Diebold's, but any system with rewritable code will be subject to undetectable insider cheating.

By contrast, putting code and votes on non-rewritable media would mean the only way to cheat would be physical substitution of the media in question. Use of well-designed serialized holographic seals could make such substitution sufficiently difficult as to no longer be the easiest method of fraud.

81 posted on 09/17/2006 5:14:21 PM PDT by supercat (Sony delenda est.)
[ Post Reply | Private Reply | To 80 | View Replies]

To: DouglasKC
Well yeah, given a specific set of circumstances, having a high degree of technical knowledge AND outdated software, then yeah, it's possible. It's much easier for some dem hack to falsify thousands of paper ballots. They've been doing it in Wayne County (Detroit) Michigan for years and it's pretty much down to a sloppy science.

Actually, as demonstrated in Washington state, it isn't even necessary to be subtle and try to make books balance. Many precincts had more ballots than voters; the total number of excess ballots far exceeded Gregoire's "victory" margin.

I wish someone would explain to me how there could possibly not be thousands of fraudulent ballots in that election. It seems to me pretty straightforward:

  1. Before getting a ballot, a voter is required to first sign his name in a poll book.
  2. Once a name is signed in the poll book, it's unlikely that it's "going anywhere" unless entire pages are ripped out or the whole book is replaced with a new one.
  3. There will thus be a signature (or witnessed X-mark) in the poll book for every legitimate voter.
  4. The number of ballots cast exceeds the number of signatures.
  5. By the pigeonhole principle, if there are more ballots cast than legitimate voters, either there must necessarily be some ballots that were not cast by legitimate voters, there must be some "legitimate" voters who voted more than once, or both.

Can anyone explain how the number of fraudulent votes could possibly not exceed Gregoire's margin of victory?

82 posted on 09/17/2006 6:47:48 PM PDT by supercat (Sony delenda est.)
[ Post Reply | Private Reply | To 76 | View Replies]

To: supercat
Does anyone use non-rewritable media for electronic voting? If not, some of the same issues are just as applicable to other systems as to Diebold's.

Non-rewritable would be safer, but not absolutely necessary. You could still transmit a virus with it, and the best safety it gives is the inability to change votes, but in this case the votes put on the media are already bad if the machine is infected.

And we could achieve the same thing with flash cards if the machine would just cryptographically sign the vote file.

83 posted on 09/18/2006 6:14:09 AM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 81 | View Replies]

To: antiRepublicrat
Non-rewritable would be safer, but not absolutely necessary. You could still transmit a virus with it, and the best safety it gives is the inability to change votes, but in this case the votes put on the media are already bad if the machine is infected.

My proposal would be to have OTP carts with a conspicuous write-protect switch. Before the election, the code cart is set to "write protect", and then both Republicans and Democrats ensure that it matches what it's supposed to contain. The cart is then marked with numbered seals and inserted into the voting machine. Next, a second cartridge is set to "write protect" and verified by members of both parties to be blank. The cart is then set to "write enable" and inserted into the machine.

Both parties then use serialized tamper-resistant tape to seal both carts into the machine and a transparent cover is locked down over them. The numbers of all relevant seals are then copied onto a sign which is visible within the voting booth but also outside (so election judges can ensure nobody tampers with it).

How is a virus going to get into such a system? If the code is open source, and both parties have a bit-for-bit copy of exactly what it's supposed to contain, how's it going to get infected?

Further, it's easy to include in an OTP an unalterable checksum, i.e. a checksum which is designed so that changing any bit in the main array from a "1" to a "0" will require changing at least one checksum bit from a "0" to a "1". Such a change would be impossible in an OTP.

On the ballot memory card, each ballot record would be tagged with an unalterable checksum. If each ballot record is 30 bytes + 2 bytes checksum, a 27C256 (fairly small by modern standards) could hold 1000 ballots plus 768 bytes of other data. If 600 people cast votes, there should be 400 blank ballot spots and 600 ballot spots with valid checksums. There will be no way to change the contents of the memory chip without either reducing the number of blank ballot spots or producing an invalid ballot spot.

Without counterfeiting seals, how could one tamper with a system like that and not have such tampering detected?

And we could achieve the same thing with flash cards if the machine would just cryptographically sign the vote file.

What does that accomplish? You haven't eliminated the possibility that the machine might be running altered software that will "un-alter" itself just before the end of the election. Publishing a cryptographic hash of a vote file immediately upon close of election may be good to prevent the file from being modified post-election, but if something is modified it would be quite useless at showing what. By contrast, if for some reason a memory card which is supposed to have 600 valid records and 400 blank ones is found to have 598 valid records, 397 blank ones, and 5 invalid records, one could be assured that there were at least 595 true records, at most five had been destroyed, and at most 3 new ones were added.

84 posted on 09/18/2006 5:02:12 PM PDT by supercat (Sony delenda est.)
[ Post Reply | Private Reply | To 83 | View Replies]
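
An added illustration, not part of the original post and not any vendor's code, of the "unalterable checksum" and the audit arithmetic described in post 84. It assumes the checksum is the count of zero bits in the 30 data bytes (a Berger-style code; the post does not name a construction) and models OTP programming as a bitwise AND; the function names and sample ballots are constructed.

```python
RECORD_DATA, RECORD_SIZE = 30, 32   # 30 data bytes + 2 checksum bytes, as in the post
BLANK = b"\xff" * RECORD_SIZE       # unprogrammed OTP cells read as all ones

def zero_count(data: bytes) -> int:
    """Number of 0 bits in data; clearing more bits can only raise this."""
    return sum(8 - bin(b).count("1") for b in data)

def make_record(ballot: bytes) -> bytes:
    """Append the zero count as a 2-byte checksum (assumed construction)."""
    if len(ballot) != RECORD_DATA:
        raise ValueError("ballot must be 30 bytes")
    return ballot + zero_count(ballot).to_bytes(2, "big")

def otp_program(cell: bytes, new: bytes) -> bytes:
    """Model of OTP programming: bits may go 1 -> 0, never 0 -> 1."""
    return bytes(c & n for c, n in zip(cell, new))

def classify(rec: bytes) -> str:
    if rec == BLANK:
        return "blank"
    stored = int.from_bytes(rec[RECORD_DATA:], "big")
    return "valid" if stored == zero_count(rec[:RECORD_DATA]) else "invalid"

def audit(image: bytes) -> dict:
    """Count blank, valid and invalid 32-byte slots in a memory image."""
    counts = {"blank": 0, "valid": 0, "invalid": 0}
    for off in range(0, len(image), RECORD_SIZE):
        counts[classify(image[off:off + RECORD_SIZE])] += 1
    return counts

def tamper_bounds(counts: dict, expected_valid: int, expected_blank: int) -> dict:
    """The post's arithmetic: bound what could have been added or destroyed."""
    added_max = expected_blank - counts["blank"]
    return {"added_max": added_max, "destroyed_max": counts["invalid"],
            "true_min": counts["valid"] - added_max}

def demo() -> dict:
    # Constructed sample: 10 slots, 6 ballots cast (ballot contents are made up).
    slots = [BLANK] * 10
    for i in range(6):
        slots[i] = otp_program(slots[i], make_record(bytes([i + 1]) * RECORD_DATA))
    # After the poll: an overwrite attempt on slot 0 and an extra record in blank slot 6.
    slots[0] = otp_program(slots[0], make_record(bytes([0x70]) * RECORD_DATA))
    slots[6] = otp_program(slots[6], make_record(bytes([0x55]) * RECORD_DATA))
    return audit(b"".join(slots))
```

Overwriting a written slot leaves it invalid because the merged data has more zero bits than either record while the merged checksum can only be smaller; writing into a blank slot succeeds but reduces the blank count, which is what the audit picks up.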

To: supercat
My proposal would be

Any of us can make decent proposals that have better security than the Diebold machines and the processes to run them. That's the problem. This is a big company that has spent years developing these machines that have been and will be used to take our votes, and we can come up with something better off the top of our heads.

Personally though, I don't think one time write media is necessary. Plus physical access to any one machine still spoils the vote for it, it just can't propagate.

Here's my "off the top of my head" but doing it in a way that's closer to how my polling station does it with paper and a scanner:

Hardware: Steel box in iMac shape, everything inside. Security lock to open the whole box, keys held by state election officials. Smart card slot in front.

Behind the lock, the BIOS EEPROM has crypto certificate and algorithms. Cannot be flashed in-situ, must be removed and reprogrammed using an EPROM writer. This EPROM also controls the tamper switch on the box, authorized reset required for further function. There is of course also a serialized holo seal.

OS and all software is on fixed flash, signed and must authenticate with the EEPROM or it will not run (TiVO-like). The flash can only be programmed by attaching a cable physically to the inside connector. Reprogramming requires current-dated certificate revocation list to be downloaded to system, or the EEPROM won't allow it. Programming computer first uploads the CRL, and must also have valid certificate for software updates and when it inputs election data. Election data is on another fixed flash. These three chips (EEPROM and flashes) have serialized holo seals. Machines are programmed, sealed and locked at state level with Republican, Dim and independent observers.

Now we have an idiot-proof box that unobserved locals can't touch.

At the local level, all box seals are verified. A poll official has another box like the first, but it has different software loaded with voter registration info and abilities. Voter comes up, shows his ID, poll worker finds his name on the system and inserts a blank smart card, voter signs on the touch screen, card is programmed with a certificate for the voter. That it has been done is stored.

Voter takes the card to a voting machine, inserts it, it's authenticated, he votes, removes the card. Voter takes the card to the exit poll box like the other, but with a differently-designed bottom section. This one sucks in cards, reads them, erases them, and drops them in the base for re-use. It also has a printer slot with a roll of paper behind that also acts like a stand for the system. His card is sucked in and he gets a paper receipt for his vote. His receipt has readable info, plus coded on it in bar code a hash of his votes, the machine used to give him his card, the machine voted on, and the tally machine.

At the end of the polling a local poll worker can insert his smart card in the tally machine to get an unofficial count. The registration and tally machines are sent to state for an official count. Seals are verified under observation, count is read directly off the data flashes after removing the holographic seals, authenticated and compared.

There's an overview for hardware, software and procedure that I think would be hard to hack. Also, this whole thing would run on an open operating system, with the code openly available. Under independent observation at the company, the open, unaltered codebase is compiled, signed, packaged into programming/votecount machines (another box with a flash programming cable sticking out) with the latest certificates, and sent to the states.

How is a virus going to get into such a system? I

They don't follow the procedure, forgetting a step. It's easier to control complicated processes at the state level.

85 posted on 09/19/2006 8:44:08 AM PDT by antiRepublicrat
[ Post Reply | Private Reply | To 84 | View Replies]

To: antiRepublicrat
This is a big company that has spent years developing these machines

Bzzzzt!

Diebold bought a smaller company to obtain access to this 'market':

... In 1979, Mr. Urosevich founded American Information Systems. He served as the President of AIS now known as Election Systems & Software, Inc. (ES&S) from 1979 through 1992.

Bob's brother, Todd Urosevich, is Vice President, Aftermarket Sales with ES&S, DES's chief competitor.

In 1995, Bob Urosevich started I-Mark Systems, whose product was a touch screen voting system utilizing a smart card and biometric encryption authorization technology.

Global Election Systems, Inc. (GES) acquired I-Mark in 1997, and on July 31, 2000 Mr. Urosevich was promoted from Vice President of Sales and Marketing and New Business Development to President and Chief Operating Officer.

On January 22, 2002, Diebold announced the acquisition of GES, then a manufacturer and supplier of electronic voting terminals and solutions. The total purchase price, in stock and cash, was $24.7 million. Global Election Systems subsequently changed its name to Diebold Election Systems, Inc.

Seems to me that a smaller company actually developed this technology and was acquired by a larger company; but, as I determined this on the Internet and the Internet uses a plethora of computers I suspect this was a 'planted' story as a result of a number of planted viruses that effected a desired outcome ...

86 posted on 11/23/2006 12:09:33 PM PST by _Jim (Highly recommended book on the Kennedy assassination - Posner: "Case Closed")
[ Post Reply | Private Reply | To 85 | View Replies]

