
Serious design flaw in ESS ExpressVote touchscreen: “permission to cheat” - lainon
https://freedom-to-tinker.com/2018/09/14/serious-design-flaw-in-ess-expressvote-touchscreen-permission-to-cheat/
======
hotsauceror
Seems like I recall similar security issues being found years and years ago,
back when ESS was still called Diebold and their CEO was getting in hot water
for saying at a GOP political fundraiser that he would “deliver Ohio to the
GOP.” What’s old is new again.

I ask myself time and again why voting systems aren’t federally regulated
“critical infrastructure,” with source code available for public review.

~~~
hannasanarion
Who cares if the source code is public or not? There is never going to be a
way to verify that it is running on the machine when you are standing in front
of it.

~~~
Digital-Citizen
There isn't a way to vet that software by using it, but there are other
problems which are easily solved with software freedom (the freedom to run,
inspect, share, and modify published computer software for which complete
source code and build instructions are a prerequisite): the ballot layout
could require changes that were unanticipated by the program's developer. A
new ballot layout could require changes in every computer that deals with the
ballot in any capacity (producing the page description for printing, scanning
ballots for voter verification and over/under counts for example).

We can't predict all of the problems that come up and that alone tells us we
need to be in the best position to anticipate changes, hence respecting
software freedom for all computer owners. Therefore not being able to inspect
that the running voting machine is running trusted software is no reason to
deny any computer owner their software freedom. That's no justification for
pushing voting districts into buying new voting equipment which ostensibly
supports the needed change.

So in the end the solution remains the same: anyone who cares about software
freedom (as we all should) would care that their voting machines run on free
software.

~~~
TylerE
Totally electronic balloting is bad news, period.

Paper ballots, electronic tabulation. Can be recounted by hand if necessary.

~~~
Digital-Citizen
Totally electronic balloting is bad news but not what the article dismisses
without evidence. I'm not for electronic tabulation by default nor do I see
the need. Optically scanned voter-verifiable paper ballots will involve
electronics but the tradeoff is that this arrangement conveys considerable
advantages to certain voters.

------
ArtWomb
The risks in electronic vote tampering are two-fold. Not just in election
hijacking by changing vote tallies. Particularly in light of state-sponsored
capabilities. But also in the distrust and possible erosion of the democratic
institutions and process itself. Which may constitute an existential threat.
Power vested in the people. Not in machines.

~~~
darawk
https://en.wikipedia.org/wiki/End-to-end_auditable_voting_systems

------
s_m_t
What problem are electronic voting machines supposed to solve?

~~~
rtkwe
In theory they're much better because votes are tallied pretty much instantly
with very little effort. Running hand counts is very expensive and it's way
easier to quantify the value of the cheaper counting than the cost of insecure
elections.

~~~
sverige
What need is there for instant tallies? Elections are usually in November,
winners take office in January. Plenty of time to sort it out if there's a
question. It has worked mostly pretty well for a long time.

And I have yet to see the expense directly compared. How much do the machines
cost to purchase and maintain? How much does the overtime for election
officials to count the ballots?

~~~
setr
Well, it's also meant to eliminate the issue of recounts, can be better
audited as a process, and minimizes human error in what is a very manual and
repetitive task. TBH if computers should be used anywhere, it's in something
like this. It's literally counting, and a lot of it.

but alas

~~~
nightcracker
> can be better audited as a process

What could possibly be better audited than a public count that any concerned
citizen can visit to oversee? Digital machines are as opaque as it gets for
auditing.

~~~
XorNot
And single points of compromise. The biggest problem with all conspiracy
theories is that they require an implausibly large number of people to stay
silent.

Whereas computers stay silent by default, and let one person in the right
place potentially control everything.

------
on_and_off
I have said dozens of times and I will say it again.

I am a technophile, but the only sane way to vote is with pen and paper with
manual counting.

~~~
darawk
I disagree strongly. There are cryptographically secure algorithms for voting,
that allow you to ensure that your vote has been counted in the final tally
(and counted correctly), by returning to you a token that will be incorporated
into the final count. You can also securely determine the precise number of
votes cast. All of this without sacrificing anonymity.

https://en.wikipedia.org/wiki/End-to-end_auditable_voting_systems

For more. We absolutely should be using these systems and the fact that we
have allowed electronic voting machines to be used that _do not_ conform to
these protocols is an absolute travesty of democracy, considering how easy it
would be.

~~~
MichaelApproved
Even if the _concept_ is secure, _implementation_ of any electronic voting
system will never be secure.

All voting is vulnerable to hacks, even paper and pen. The key is to make it
as expensive as possible to hack a vote. In-person paper voting is pretty much
as expensive as it gets.

Never mind that the general public will never understand what you said or ever
implement anything like it.

~~~
darawk
No...it's much more expensive to hack an E2E auditable cryptographic voting
scheme. Infinitely expensive.

> Never mind that the general public will never understand what you said or
> ever implement anything like it.

They don't need to understand it. It just needs to be in place, so that we can
audit votes properly.

~~~
michaelmrose
It's not "infinitely" expensive to find an exploit and one person having
discovered such a flaw can compromise the election.

In reality land what we actually build IT wise is normally hot garbage.

We know how to hold honest paper elections. Let's do that instead of hoping
that 10 years from now and 10 billion later we can have a secure election.

~~~
darawk
_Sigh_ , listen man. Just learn about how it works or stop commenting. You're
wrong.

~~~
michaelmrose
Feel free to educate me regarding how "it" works if you feel my opinion is in
error. It seems unlikely that any system will be constructed any time soon which
doesn't involve onerous secret key distribution, is provably correct, doesn't
allow someone to prove after the fact to a third party that they voted a
certain way, is secure against insider and outside manipulation, can be
verified in a way that an average person could understand. All properties of
presently available paper voting solutions.

~~~
darawk
> Feel free to educate me regarding how "it" works if you feel my opinion is
> in error.

https://eprint.iacr.org/2016/670.pdf

> It seems unlikely that any system will be constructed any time soon which
> doesn't involve onerous secret key distribution, is provably correct,
> doesn't allow someone to prove after the fact to a third party that they
> voted a certain way, is secure against insider and outside manipulation,

Paper ballots aren't secure against insider or outsider manipulation and they
definitely aren't provably correct. I don't see any reason why it should be
necessary for the average person to understand how the system works. It should
be sufficient that they _can_ verify it, given sufficient knowledge.

~~~
grzm
> _"I don't see any reason why it should be necessary for the average person
> to understand how the system works"_

It’s important so people have faith in the system. Yes, verifiability can help
with that, but trust in math that few can really understand is a barrier. This
can be exacerbated as distrust in algorithmic feed generation and social media
manipulation grows. You’re savvy enough to see beyond this, but that’s not the
point: that trust needs to be solid and widespread for people to have faith in
the process. This is a human issue, not a technical one.

~~~
darawk
I simply disagree. Yes, the transition will be difficult due to the issue of
comprehension. But I think there is a fundamental difference between these
things. Of course, there will be a handful of people that never believe it's
legitimate, and insist that it's not. But you can simply direct them to the
papers - which they won't read, but it's hard for an ecosystem to form around
something that is _provably_ false. E.g. sure, there are flat-earthers, but
they don't make up a sizable political bloc.

------
shakna
I love technology... But voting machines are a bad idea, especially in their
current implementations.

Paper voting, with manual counting, scales well, and has far fewer attack
vectors than electronic voting.

~~~
fooker
"Manual banking, with humans counting cash, scales well, and has far fewer
attack vectors than electronic banking."

~~~
mikeash
Banking has to be done daily, can reverse bad transactions, and has no
requirement to keep the customer's activity so secret that even the bank
doesn't know what they're doing.

Elections, on the other hand, happen once or twice a year, can’t be reversed
in the event of fraud, and need to protect the voter’s privacy to such an
extent that even giving them, and only them, confirmation of how they voted is
considered far too dangerous.

~~~
fooker
Banking has to be done daily only because we are used to modern banking
systems. Banking was not done daily 100 years ago.

~~~
mikeash
And the other major differences I pointed out?

~~~
fooker
Here you go.

> can’t be reversed in the event of fraud

Counterexamples from one country:
https://en.wikipedia.org/wiki/List_of_UK_Parliamentary_election_petitions

> need to protect the voter’s privacy

And you are convinced that there are no algorithmic solutions? Here is an
attempt from a famous computer scientist whose algorithms book most of us have
read.
https://en.wikipedia.org/wiki/ThreeBallot
(This one turned out to be cumbersome to implement because of bad UX, but
worked rather well.)
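
The ThreeBallot scheme linked in the comment above, and the receipt-based verification darawk describes earlier in the thread ("a token that will be incorporated into the final count"), simulated as an added example. This is not code from the article, from anyone in the thread, or from Rivest's paper; the race, the voter choices and the ballot IDs are constructed here, and the "checker" is reduced to a well-formedness function. Each voter fills three ballots: the chosen candidate's row gets exactly two marks across the three, every other row exactly one. The voter keeps a copy of one ballot as a receipt; all three are published. The tally is the mark count per row minus the number of voters, and a receipt that no longer appears on the board exposes tampering.

```python
"""ThreeBallot simulation (added example; constructed data, not the page's code)."""
import random
import secrets
from dataclasses import dataclass

CANDIDATES = ["Alice", "Bob", "Carol"]  # constructed sample race


@dataclass(frozen=True)
class Ballot:
    ballot_id: str
    marks: tuple  # one bool per candidate, in CANDIDATES order


def fill_multiballot(choice, rng):
    """Fill three ballots recording a vote for `choice`.

    The chosen row gets two marks spread over the three ballots, every other
    row gets one. Which ballot carries each mark is random, so any single
    ballot's pattern is consistent with a vote for any candidate.
    """
    if choice not in CANDIDATES:
        raise ValueError(f"unknown candidate {choice!r}")
    columns = [[False] * len(CANDIDATES) for _ in range(3)]
    for row, cand in enumerate(CANDIDATES):
        k = 2 if cand == choice else 1
        for col in rng.sample(range(3), k):
            columns[col][row] = True
    return [Ballot(secrets.token_hex(4), tuple(col)) for col in columns]


def check_multiballot(ballots):
    """The checker machine: accept only well-formed multi-ballots.

    Every row must carry one or two marks, and exactly one row (the chosen
    candidate) may carry two. A rejected multi-ballot is refilled, not cast.
    """
    if len(ballots) != 3 or len({b.ballot_id for b in ballots}) != 3:
        return False
    two_mark_rows = 0
    for row in range(len(CANDIDATES)):
        marks = sum(b.marks[row] for b in ballots)
        if marks not in (1, 2):
            return False
        two_mark_rows += marks == 2
    return two_mark_rows == 1


def tally(board, n_voters):
    """Count marks per row on the public board and subtract one per voter.

    Each voter puts one mark in every row they did not vote for and two in
    the row they did, so (marks - n_voters) is that candidate's vote count.
    """
    if len(board) != 3 * n_voters:
        raise ValueError("board size does not match number of voters")
    return {cand: sum(b.marks[row] for b in board) - n_voters
            for row, cand in enumerate(CANDIDATES)}


def verify_receipt(receipt, board):
    """A voter checks that their receipt appears on the board, marks intact."""
    return any(b == receipt for b in board)


def missing_receipts(receipts, board):
    """IDs of receipts whose ballot is absent or altered on the board."""
    return [r.ballot_id for r in receipts if not verify_receipt(r, board)]


def run_election(votes, seed=None):
    """Cast the given votes; return (published board, voters' receipts)."""
    rng = random.Random(seed)  # seeded only so the simulation is repeatable
    board, receipts = [], []
    for choice in votes:
        mb = fill_multiballot(choice, rng)
        if not check_multiballot(mb):
            raise RuntimeError("checker rejected a multi-ballot")
        receipts.append(rng.choice(mb))  # voter keeps a copy of one ballot
        board.extend(mb)
    rng.shuffle(board)  # publication order must not pair up ballots
    return board, receipts


if __name__ == "__main__":
    votes = ["Alice"] * 5 + ["Bob"] * 3 + ["Carol"] * 2  # constructed turnout
    board, receipts = run_election(votes, seed=7)
    print(tally(board, len(votes)))
    print("missing receipts:", missing_receipts(receipts, board))
```

The receipt proves presence on the board without revealing the vote: one ballot out of three does not determine the choice, although, as the ThreeBallot literature notes, it does leak statistically (a mark in a row is more likely to come from that row's voter). Because every published ballot is someone's receipt with probability 1/3, altering k ballots undetected succeeds with probability (2/3)^k when voters actually check; the toy omits the real scheme's concerns about ballot-ID forgery, the trustworthiness of the checker machine, and coercion via receipts.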

~~~
mikeash
You can potentially reverse an entire election and do it again, but you can’t
reverse one vote.

I’m sure there are solutions. My point isn’t that it’s impossible, it’s that
banking and voting are so different that the existence of solutions for one
tells us nothing at all about the other.

------
panopticon
Maybe I'm getting old, but using 12px font size on an article is evil.

~~~
jancsika
Evil in the same way your cat stalking your foot is evil.

Zoom in.

~~~
panopticon
Then you balloon the whole page content, navigation and all. I maintain that
12px font is silly for long-form content.

~~~
jancsika
I'm zoomed in at 200% on an 11" at 1366x768 and still all the text wraps
cleanly within the viewport.

If I want to zoom in further I can click the little book icon for reader view
in Firefox, and the content will wrap without scrollbars to my heart's
content.

So again, evil in the same way a BDFL maintainer is a tyrant.

