Washington DC's trial online voting system hacked
Posted 05 October 2010 - 02:38 PM
Posted 09 October 2010 - 11:41 PM
Here's a story I thought binrevers might enjoy.
We're currently discussing this on schneier.com. I post as "Nick P" there. There should be no surprise that the voting system failed. I mention some reasons and issues on this article and others. Voting systems are special, though. As Schneier's Applied Cryptography showed, voting systems have many requirements that are contradictory. No existing voting system meets all of our requirements, even the most necessary ones. I don't mean the implementation: I mean the protocol and high level design. If that is broken, then any implementation is hopeless. The high level design of a voting system must be secure or implementation is pointless. This is because a voting system must meet high assurance security requirements. What is that?
High assurance means that the development provides such confidence in the design that failure is almost inconceivable. Think firewalls to Top Secret data, airplane control systems, critical industrial control systems, medical devices, etc. Systems requiring high assurance usually produce catastrophic loss when they fail and/or are high value targets to well-funded, sophisticated, patient attackers. A voting system is a high value target with enemies willing to spend maybe millions of dollars and many years to rig a national election, maybe hundreds of thousands at state level. Hence, the software should be trustworthy all the way from requirements to design to implementation to operation/maintenance. The best implementation and tamper-resistant hardware in the world doesn't help you if the very voting protocol or high level system is flawed. Hence, secure e-Voting is hopeless until we have a protocol (probably cryptographic) that meets all core, contradictory requirements. We have many that are close, but close isn't good enough.
For now, I say we stick to paper-based methods like optical scanners. Then, if a recount or audit is done, a certain number of the voting populace are picked randomly to audit all or a sizeable sample of the votes. The segments to be audited would be distributed randomly to the auditors. Each one would tally their results and give a sample vote count. If the winners don't match, then they can audit more votes or do a whole recount. If the winners match, they can still choose to do this. The point is that it must be in the people's hands. The votes should also be checked against the registration list, which can be audited separately. I think Ireland switched back to paper last year due to all the software flaws. They are smart for that. And I'm not just saying it because I'm part Irish.
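An added example, not part of the post above, simulating the audit procedure it describes: random segments of paper ballots are handed out randomly to auditors, each auditor's hand tally is combined, the sample winner is compared with the scanner-reported winner, and a mismatch escalates to more auditing or a full recount. The ballot box, candidate names and the "flipped" scanner tally are constructed for illustration.

```python
import random
from collections import Counter

def winner(counts):
    """Candidate with the most votes, or None on a tie (a tie must escalate)."""
    top = Counter(counts).most_common(2)
    if len(top) > 1 and top[0][1] == top[1][1]:
        return None
    return top[0][0] if top else None

def check_registration(ballots_cast, voters_signed_in):
    """Ballots in a box can never exceed voters who signed the registration list."""
    return ballots_cast <= voters_signed_in

def sample_audit(ballots, reported, n_auditors, segment_size, n_segments, seed):
    """Pick random segments of paper ballots, distribute them randomly to auditors,
    tally each auditor's share and compare the sample winner with the reported one."""
    rng = random.Random(seed)
    segments = [ballots[i:i + segment_size] for i in range(0, len(ballots), segment_size)]
    chosen = rng.sample(range(len(segments)), n_segments)
    shares = {a: Counter() for a in range(n_auditors)}
    for idx in chosen:                          # random distribution to auditors
        shares[rng.randrange(n_auditors)].update(segments[idx])
    sample = sum(shares.values(), Counter())    # combine the auditors' hand tallies
    sample_winner, reported_winner = winner(sample), winner(reported)
    match = sample_winner is not None and sample_winner == reported_winner
    return {
        "sample_size": sum(sample.values()),
        "sample_winner": sample_winner,
        "reported_winner": reported_winner,
        "winners_match": match,
        # escalation rule from the post: a mismatch forces more auditing or a recount
        "next_step": "certify (more auditing optional)" if match else "audit more or full recount",
    }

def make_ballots(n_alice, n_bob, seed=1):
    """Constructed paper ballots, shuffled into a fixed pseudo-random box order."""
    ballots = ["Alice"] * n_alice + ["Bob"] * n_bob
    random.Random(seed).shuffle(ballots)
    return ballots

if __name__ == "__main__":
    box = make_ballots(700, 300)
    honest = {"Alice": 700, "Bob": 300}
    flipped = {"Alice": 300, "Bob": 700}     # constructed: scanner swapped the totals
    print(sample_audit(box, honest, n_auditors=5, segment_size=10, n_segments=20, seed=42))
    print(sample_audit(box, flipped, n_auditors=5, segment_size=10, n_segments=20, seed=42))
    print(check_registration(ballots_cast=len(box), voters_signed_in=990))
```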