Onderwerp: Re: Diebold Global Election Management System (GEMS) Backdoor Acc

On Tue, 28 Sep 2004, Adam Jacob Muller wrote:

> At a recent family gathering I spent about an hour trying to explain to
> various people why "open source" voting machines are more secure.

But security of voting machines is not (or should not be) the issue.

The issue is that we live in a democracy, and unless the average person
is able to satisfy for him/herself that the voting machinery is fair,
then it makes no difference whether it's open- or closed-source.

I'm an open-source advocate, but I think *any* kind of computerized
voting machine is disastrous. Maybe a select few among us can verify
that the circuitry of the machine is OK, analyze the source code to verify
that it's OK, analyze the cryptography to verify that it's based on sound
principles, and analyze the binary code to verify that it came fom the
purported source code.

But that's not good enough. Anyone capable of voting is capable of
understanding how to mark an X on a ballot, and the process of
securing, counting and validating the votes. (This is the system we
use in Canada.) And I direct complaints from anyone who says it will
take forever to count millions of votes to /dev/null. People in a
vote-counting tree can count N votes in O(log N) time.

*Any* use of advanced "voting technology" is a step back for
democracy, because not only does it open the system up to fraud, but
it also disenfranchises the majority of the population who are now
unable to understand how their votes are counted and secured, and how
the counts are verified.

> I simply don't understand why a company doesn't do open source voting
> machines...

Because it's a non-solution to a non-problem: Electronic voting machines
are not only unneccessary, they're harmful.

--
David.

> -----Original Message-----
> From: Claudius Li [mailto:aprentic@sectae.net]

> So my question is, given that this seems to be a solved
> problem why is there so much debate on finding the solution?
> Surely I am missing something obvious.

You're missing the social dynamics around it. There are several parties
involved:

- State officials who actually pick the voting equipment. They generally
are politicians, with a background in law or business. They don't
understand the complicated technical issues behind electronic voting.

- Companies who build the voting equipment. Their motive is profit. They
want to get a marketable product out quickly and cheaply. They perceive
(correctly) that the audience they're selling to does not understand or care
about complicated security issues, and can be easily impressed by trivial
but sophisticated-looking features.

- The public. They don't understand these issues either, and they have a
short attention span.

- The news media. They don't push security issues because they lack good
visuals and don't fit into a 15-second news spot. Anything longer and
they'll lose their audience (see above.)

- Computer scientists and voting activists. They *do* understand the
issues, but are unable to explain them in a way the news media, the public,
and state officials find compelling and understandable. The companies who
build the equipment can easily label them as alarmists or conspiracy
theorists.

Adam Jacob Muller wrote:

> At a recent family gathering I spent about an hour trying to explain
> to various people why "open source" voting machines are more secure.
> Everyone perceived "open" as being able to go in and change votes...
> The fact that I was trying to explain the open source model for the
> first time did not help...


Therein lies the issue. Understanding the (possible) benefits of
open-source voting machines, and how computerized voting systems might
or might not be reliable and verifiable has two big problems:

i) it's obscure
ii) it's boring

It's obscure because at the least you need a grasp of various concepts
of computers and software to understand the terminology, let alone
decide on the relative merits of different approaches. It's boring
because people who don't know those things on the whole really don't
want to, especially given faith that "someone else is checking" and that
elections "don't get tampered with in the West" (etc.)

Paper votes are slow to count and may be spoiled. Ballot boxes may be
lost. But the basics can be grasped by just about anyone, and from there
much of the detail understood. It's a piece of paper, somehow marked to
indicate preference. Those pieces of paper are counted, and that count
decides who won (whether it's first past the post, STV, ATV or
whatever). Even the complicated stuff is understandable. That's why the
obvious compromise is a paper audit trail: the machines can count the
votes very quickly, but if there's a problem you can do it the
old-fashioned way, and everyone can understand the old-fashioned way.

Craig.

That's a very interesting viewpoint, but one that's directly at odds with
the trend in America today (and probably other countries too). In the US,
corporations build nearly all the military equipment, do a lot of the
military work, transport the mail (most US mail goes on jets run by private
companies), run some of the jails, provide social services, deliver nearly
all the healthcare (e.g., for Medicare and Medicaid), etc. In short, the US
government can't run today without substantial work by private industry.

Thus, Greg Woods' statement that we need to be "very clear in stating that
free enterprise (and capitalism) has no place whatsoever at any time in the
creation, formation, and instatement of a government for the people" is a
lovely thought, and totally out of touch with reality. Not saying he's
wrong in his desire; just that it's a much bigger issue than voting
machines.

Arguing that the government shouldn't be relying on private corporations to
provide voting machines misses the point. The government ISN'T going to
build its own voting machines; it's going to rely on the private sector,
using laws and regulations to keep risk at an acceptable level.

Besides, given what most of us know about government efficiency, would you
WANT the government to be designing and building voting machines? Be
careful of what you wish for, as you may get it!

--Jeremy

P.S. Worth noting that Mr. Woods lives in Canada, as judging by his domain
and phone number. The relationship of government and private industry may
be different in Canada from the US; I have no idea and wouldn't hazard a
guess.

> -----Original Message-----
> From: Greg A. Woods [mailto:woods@weird.com]
> Sent: Monday, September 27, 2004 2:26 PM
> To: Jeremy Epstein
> Cc: BUGTRAQ: Full Disclosure Security Mailing List
> Subject: RE: Diebold Global Election Management System (GEMS)
> Backdoor Account Allows Authenticated Users to Modify Votes
>
>
> [ On Thursday, September 23, 2004 at 06:21:03 (-0400), Jeremy
> Epstein wrote: ]
> > Subject: RE: Diebold Global Election Management System
> (GEMS) Backdoor Account Allows Authenticated Users to
> Modify Votes
> >
> > And I'd strongly discourage folks from calling for open
> source, as it
> > plays directly into the hands of folks like Diebold, who claim that
> > the people (like me) who want Voter Verified Paper Audit Trails
> > (VVPATs) are really trying to kill free enterprise. [Yes,
> I know all
> > the examples of businesses based on open source, but that's
> not what
> > this is about.]
>
> Well, that's pretty stupid.
>
> The answer is not to try to show that open source can be used
> in captialistic ventures, but rather to be very clear in
> stating that free enterprise (and capitalism) has no place
> whatsoever at any time in the creation, formation, and
> instatement of a government for the people.
>
> Indeed those involved in creating a government for the people
> need to be very wary of even the support of corporate
> entities since such support can invoke almost infinitely more
> power than any one governed individual can ever hold over his
> or her government or a government representative.
>
> Just as the Church(es) has(have) no place in the halls of
> government, neither do corporations. Corporations, despite
> being legally individuals, don't even need one vote as no
> matter what governments might do to regulate them they still
> have far more power than any human individual.
>
> --
> Greg A. Woods
>
> +1 416 218-0098 VE3TCP RoboHack
> <woods@robohack.ca>
> Planix, Inc. <woods@planix.com> Secrets of the Weird
> <woods@weird.com>
>

Adam Jacob Muller wrote:
> This is very true...
> At a recent family gathering I spent about an hour trying to explain to
> various people why "open source" voting machines are more secure.
> Everyone perceived "open" as being able to go in and change votes...

It comes from the basic misconception almost all people have. Because
if something is "closed", "not known", "secret", than how anybody can go
into it and break it (or change votes in this case)? We call it
"security by obscurity". And we know that system that is based on
"security by obscurity" is inherently less secure than an open system
with well published security principles. But general public doesn't
know that, and general public do not want to find it out. General
public likes "black boxes", and it likes to trust someone with a nice
big smile telling how the black box is great thing. It also likes when
"a man with nice big smile" is proven to be a liar on prime time news.
And the circle is complete (and ready for the new round).

--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7

> -----Original Message-----
> From: Jeremy Epstein [mailto:jeremy.epstein@webmethods.com]

> Besides, given what most of us know about government
> efficiency, would you
> WANT the government to be designing and building voting machines? Be
> careful of what you wish for, as you may get it!

Much of what people "know" about government efficiency is wrong. I'm not
saying that there isn't inefficiency in government, but people underestimate
how inefficient the private sector is. A couple years ago a study was done
that found that in the private U.S. health care system, a lower percentage
of the money going in goes to actual health care than in the Canadian
government-run system. The rest of the money went to bureaucracy and (in
the U.S. case) corporate profits. This is just one example of the private
sector being less efficient than government.