
That XKCD on voting machine software security is wrong - Terretta
https://blog.erratasec.com/2018/08/that-xkcd-on-voting-machine-software-is.html#.W27f5IopCfA
======
gumby
I'm not sure who the two authors of this piece are but they are distressingly
naïve and their sweeping statements ignore the real issues.

> The reason we have electronic voting machines in the first place was due to
> the "hanging chad" problem in the Bush v. Gore election of the year 2000.

The reason electronic voting machines are now so common in the US is indeed a
result of the 2000 presidential election, but it was at the time a panicked
reaction that also ignored the advice of computer security professionals (and
followed the wishes and claims of voting machine vendors).

> After that election, a wave of new, software-based, voting machines replaced
> the older inaccurate paper machines.

A nice statement, characterizing paper-based machines as "inaccurate" and
implying software is not. But there has been no serious study of this issue,
which implies that people don't care either way.

> ...If [accidents vs. intentional attack is the] measure, then voting machine
> software is fine and perfectly trustworthy. Such machines are no more likely
> to accidentally record a wrong vote than the paper voting systems they
> replaced -- indeed less likely.

Again, a sweeping, unsupported statement. When I work on software that people
actually care about (e.g. system control for power plants, trains, aircraft
and other vehicles; medical devices) there's a huge amount of attention paid
not just to classical security but also reliability, resilience, correctness
etc. Audits of voting software have never shown concern for these matters --
everything I've seen has been written with the same level of care as for an
e-commerce website.

> To repeat: software is better than the mechanical machines they replaced,
> which is why there are so many software-based machines in the United States.

I could assert, and repeat, that the moon is 90% made of quartz, and for all I
know that could be true, but I have no real data on the question.

~~~
specialist
As a recovering election integrity activist, I agree with gumby.

------
ncmncm
Missed the point, so badly.

There is nothing smug about the comic. It expresses horror at democracy
subject to haphazard, ill-informed choices and malicious negligence.

Hanging chads were a result of a previous rush to faulty technology.

The fact is that voting machines are thrown together from faulty components
with faulty design choices by badly managed companies with no evident care for
their responsibility to the public.

~~~
specialist
_"Hanging chads were a result of a previous rush to faulty technology."_

Not quite.

The hanging chads happened because those election administrators didn't follow
procedures and simply clean out the machines (turn over, shake vigorously),
allowing the wells to fill up with chads, preventing new votes.

Otherwise punch card ballot tabulation is rather robust and reliable.

------
MiddleEndian
The real question is "Why?" Manually counting votes is easily verified. What
do computers add here? Speed? Who cares? It's not that kind of race.

There are absolutely conflicts of interest involved in voting. I assume anyone
who tries to implement computerized voting is malicious, trying to cash in on
voting, or both.

~~~
UncleMeat
I disagree with a lot of the article, but they do bring up the "hanging chad"
debacle. Digital voting helps prevent these cases.

~~~
CM30
Wouldn't a simple pen/pencil also solve that problem? I mean, over here in the
UK we don't use hole punches for voting, we just write a cross in the relevant
box.

Seems to work well enough without any sort of voting machine involved.

~~~
Atheros
Problems off the top of my head:

- cross is too light

- shape drawn is not a cross

- more than one cross

- one cross drawn, erased, and redrawn elsewhere

- one cross drawn, crossed off, word "nevermind" written next to it, and then
a new cross drawn somewhere else

~~~
rikkus
These are handled by the vote counting humans. There are rules about what
counts as a valid marking of the paper. Anything else gets discarded. I don’t
see a problem with this.

------
dradtke
True, software works just dandy these days if you remove the "attack" factor,
but software isn't deployed into an attack-free space the same way a plane
flies through safe air.

As anyone who has ever logged into a Linux server to be greeted with the
number of failed logins since the last successful one knows, _everything_ is
under constant attack when it comes to digital technology. That's a large part
of the problem, but the other part is that most people don't take security
seriously enough. I would be more likely to trust a voting machine that isn't
networked at all, with votes periodically extracted manually onto an encrypted
USB drive or something, but good luck getting these manufacturers to not put
wi-fi and bluetooth in everything.

I'll just end on this note: [https://www.engadget.com/2017/10/10/defcon-event-reveals-ease-of-hacking-voting-systems/](https://www.engadget.com/2017/10/10/defcon-event-reveals-ease-of-hacking-voting-systems/)

~~~
dredmorbius
Military aircraft frequently operate in a non-attack-free environment.

Attacks are not entirely stochastic.

Oddly, this has been known in military circles for several years. Check with
Sun Tzu.

------
dogma1138
Threat actors are threat actors no matter if they are “conscious” or not.

Now, are current electronic voting machines sufficiently resilient against
modern threat actors? Probably not.

Especially not in the US, where mandating government-issued IDs is seen as
taboo (I understand why, but as a non-American it just seems odd to me), which
means that much of modern cryptography backed by “something you have/are” is
out of the question.

But the argument that machines are only intended to be resilient against
“accidental” attacks is simply incorrect.

The airline industry is a good benchmark of how to manage threats against
automated systems; if anything, a good argument would be that launching an
attack against an airline is simply not cost effective, while launching an
attack against a nation state to sway an election is a completely different
ballgame.

And the most important factor is that, unlike, say, causing an airplane to
crash, you don't actually need to launch a technically successful attack
against an election; the allegation and doubt alone can cause long-lasting
political damage and chaos.

So even if you manage to hack a single machine in a single district and
nullify only a single vote, the doubt that would be cast on the entire
election process, not to mention the candidates and the political parties
behind them, can last for years.

------
yifanl
I think the wording in Randall's comic was very deliberate.

"Nothing is ever foolproof", "Nearly incapable". Software engineers can
absolutely reach those standards.

But we also understand the threat model well enough that to us, "almost
foolproof" is equivalent to "totally broken".

We understand that there are smart saboteurs looking to attack our systems, we
understand that our software is only one link in a very susceptible chain, and
we understand that they know our almost foolproof system is totally broken.

------
Analemma_
> Confusing the two, accidents vs. attack, is used here because it makes the
> reader feel superior. We get to mock and feel superior to those stupid
> software engineers for not living up to what's essentially a fictional
> standard of reliability.

For what it's worth, every single person I saw retweeting and agreeing with
that comic was a software engineer, usually with some comment to the effect of
"This is the truest thing ever written about programming". The article makes a
good point that the comic elided over the distinction between hardening
against accidents and attacks, but let's not pretend like software doesn't
have hilariously low standards compared to more mature engineering
disciplines.

------
gmuslera
The problem goes down to Hanlon's Razor.

In elevators or airplanes it applies: we try to make them as safe as possible,
we have ironed out most of the bugs (over which the maker would lose big), and
if they ever fail, it is far more likely to be because of human stupidity than
malice.

On the other hand, with voting it is human malice that matters. The holy grail
for that is to paint it as safe and failproof as possible while still rigging
things for the intended party at some point of the circuit. And there is big
money to ensure that it happens, so the for-profit manufacturers of such
machines (or their for-profit workers/managers) will be very motivated to
slip a subtle/obfuscated bug or backdoor in somewhere (remember the Apple SSL
bug due to a duplicated goto fail line?).

Making software safe from its own makers is complicated. The software itself
may be complicated, which makes auditing it non-trivial, and with enough
resources you can still play with lower layers like the compiler or chipset
(for all of the machines, or a significant enough portion of them).

And blockchain is a tool that can be misused too; we have already seen a lot
of frauds, scams, majority attacks and so on over it. "It is safe because it
uses blockchain" is a good intro by someone who has something to win there.

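As an added illustration of the duplicated "goto fail" pattern the comment above refers to (this is example code written for this page, not Apple's code and not anything from the Errata Security post): `hash_update`, `hash_final` and `raw_verify` are stand-ins, with a toy 32-bit checksum in place of the real hash and the expected digest playing the role of the signature, and the sample inputs are constructed. The point a reviewer or auditor cares about is that the buggy version skips the final comparison while still reporting success, so a forged signature is accepted with no error anywhere in the logs, whereas the hardened version braces every conditional and keeps the result fail-closed, so a stray jump can only produce a failure, never a success.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy hash context: a 32-bit multiplicative checksum stands in for SHA-1.
 * Everything in this file is illustrative, not the real TLS code. */
typedef struct { uint32_t acc; } hash_ctx;

static int hash_update(hash_ctx *ctx, const uint8_t *buf, size_t len) {
    if (ctx == NULL || (buf == NULL && len > 0)) return -1;
    for (size_t i = 0; i < len; i++) ctx->acc = ctx->acc * 31u + buf[i];
    return 0;
}

static int hash_final(hash_ctx *ctx, uint32_t *out) {
    if (ctx == NULL || out == NULL) return -1;
    *out = ctx->acc;
    return 0;
}

/* "Signature check": the expected digest plays the role of the signature.
 * Returns 0 on match, -2 on mismatch. */
static int raw_verify(uint32_t digest, uint32_t signature) {
    return digest == signature ? 0 : -2;
}

/* Buggy version: the duplicated goto on the marked line is always taken.
 * At that point err == 0 from the successful update, so hash_final and
 * raw_verify are skipped and the caller is told the signature verified. */
int verify_buggy(const uint8_t *a, size_t alen,
                 const uint8_t *b, size_t blen, uint32_t signature) {
    hash_ctx ctx = {0};
    uint32_t digest = 0;
    int err;
    if ((err = hash_update(&ctx, a, alen)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, b, blen)) != 0)
        goto fail;
        goto fail;   /* the duplicated line: unconditional, err is still 0 */
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    err = raw_verify(digest, signature);
fail:
    return err;
}

/* Hardened version: every conditional is braced, so an extra line cannot
 * silently change control flow, and intermediate codes live in rc so that
 * err is only ever 0 if raw_verify actually ran and succeeded. A stray
 * jump to fail now yields -1 (failure) instead of success. */
int verify_fixed(const uint8_t *a, size_t alen,
                 const uint8_t *b, size_t blen, uint32_t signature) {
    hash_ctx ctx = {0};
    uint32_t digest = 0;
    int err = -1;   /* fail closed */
    int rc;
    if ((rc = hash_update(&ctx, a, alen)) != 0) { err = rc; goto fail; }
    if ((rc = hash_update(&ctx, b, blen)) != 0) { err = rc; goto fail; }
    if ((rc = hash_final(&ctx, &digest)) != 0)  { err = rc; goto fail; }
    err = raw_verify(digest, signature);
fail:
    return err;
}

/* Constructed sample inputs standing in for the handshake's random value and
 * signed parameters. */
static const uint8_t SAMPLE_A[] = "constructed-server-random";
static const uint8_t SAMPLE_B[] = "constructed-signed-params";
#define SAMPLE_A_LEN (sizeof(SAMPLE_A) - 1)
#define SAMPLE_B_LEN (sizeof(SAMPLE_B) - 1)

/* The digest a genuine signer would have produced for the sample inputs. */
uint32_t sample_good_signature(void) {
    hash_ctx ctx = {0};
    uint32_t d = 0;
    hash_update(&ctx, SAMPLE_A, SAMPLE_A_LEN);
    hash_update(&ctx, SAMPLE_B, SAMPLE_B_LEN);
    hash_final(&ctx, &d);
    return d;
}

int buggy_result(uint32_t signature) {
    return verify_buggy(SAMPLE_A, SAMPLE_A_LEN, SAMPLE_B, SAMPLE_B_LEN, signature);
}

int fixed_result(uint32_t signature) {
    return verify_fixed(SAMPLE_A, SAMPLE_A_LEN, SAMPLE_B, SAMPLE_B_LEN, signature);
}

int main(void) {
    uint32_t good = sample_good_signature();
    uint32_t bad = good ^ 0xFFFFFFFFu;   /* a corrupted or forged signature */
    printf("buggy: good=%d bad=%d\n", buggy_result(good), buggy_result(bad));
    printf("fixed: good=%d bad=%d\n", fixed_result(good), fixed_result(bad));
    return 0;
}
```

The buggy function returns 0 for both the good and the forged signature, which is exactly why such a defect is indistinguishable from deliberate sabotage after the fact: nothing fails, nothing is logged. The two cheap defences shown here, mandatory braces and a fail-closed result variable, are the kind of thing a coding standard and a negative-path test (a forged signature must be rejected) would have caught in review; a compiler's unreachable-code warning treated as an error would have flagged the duplicated line as well.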
------
johnklos
Utter bullshit. Who even wrote this? This seems horribly naively written from
people who can't think beyond simple concepts. Voting machine company shills,
perhaps?

This has next to nothing to do with attacks. This has everything to do with
choosing who gets to choose the software. If the software and system design
came from academia, it'd be vastly different than anything that comes from
Diebold or any other evil company that's excellent at selling crap to the
government but willfully and intentionally ignorant of actual security.

As Douglas Adams wrote, "Anyone who is capable of getting themselves made
President should on no account be allowed to do the job." Likewise, any voting
software which can be sold to politicians should on no account be allowed
anywhere near the voting process.

------
dredmorbius
Counterpoint:

[https://threadreaderapp.com/thread/1027539289750429696.html](https://threadreaderapp.com/thread/1027539289750429696.html)

------
UncleEntity
IDK, hacking elections _is_ a standard use case and not some "accident" that
needs little attention because "extraordinary circumstances".

Be like a bank saying their vault is super secure but online security isn't
important because that's an external threat outside of their control.

------
dasil003
This article is needlessly harsh in pointing out a hole in the analogy. All
analogies have holes—that doesn’t mean they can’t still be informative (and
funny).

------
bluejekyll
> software voting machines are actually better against accidents than the
> paper machines they replace. ... It ignores the solution, which isn't to fix
> software bugs, but to provide an independent, auditable paper trail.

XKCD is not an essay; while this may in fact be the ultimate belief of the
comic, there’s only so much space in a comic.

The comic is right that this implementation is bad, and the quote above
agrees: it’s the paper audit trail that’s the fix.

I actually agree that software could, emphasis on could, make the voting
system better by simplifying the interface to the ballot. For example, in San
Francisco we have ranked choice voting, which creates a complex ballot; I
think it’s a better system than winner-take-all balloting. This creates a
complex voter form, though. A good UI/UX on a computer _could_ make this
simpler and less error prone, but it should be backed up by a paper ballot.

Paper ballots can’t be as easily hacked, and require larger orders of
corruption to pull off. Not just a single hacker getting in and changing some
numbers, but a group of people working together to change the paper record.
This makes them important for auditing an election's results.

That being said, whether computers in this context are worth the cost can
probably be determined by the error rate of paper ballots.

~~~
specialist
_"...provide an independent, auditable paper trail."_

I trust that you're advocating the Australian Ballot, aka private voting,
public counting.

And not VVPAT, which has been an utter failure. Most USA election
administrators have abandoned touchscreens and are either reverting to
precinct-based opscans or moving to postal ballots.

~~~
bluejekyll
In San Francisco we have a decent system in place: a paper ballot with a
scanner that immediately tallies the vote and secures the ballot in a
tamper-evident box.

I’m not advocating for anything more than that.

------
triplee
OMG Becky, really?!

First off, yes this piece raises some important ideas, but also misses the
point of the comic, which isn't about smugness. It's boiling down the
importance of something complicated to point out AT LEAST one reason to shut
it down.

Second, this is the kind of thing I could pull up and show any of my non-tech
relatives. Nitpicking does not help anyone.

------
101011
I don't think the XKCD comic is wrong. It's a commentary on 'computerized
voting.' Not a commentary on 'computerized voting with a paper trail,' which
is what the writer of the article presents as a solution.

~~~
specialist
VVPAT has been tried. It failed. It's irredeemable.

------
specialist
Errata Security wrote:

_"Such machines are no more likely to accidentally record a wrong vote than
the paper voting systems they replaced -- indeed less likely."_

Wrong. The gear is unreliable.

_"Confusing the two, accidents vs. attack, is used here because it makes the
reader feel superior."_

Wrong. Fraud, incompetence, and silent failure are indistinguishable.

I stopped reading at that point.

Errata Security may know something about cybersecurity, but knows nothing
about election administration.

XKCD's assessment is (mostly) correct.

