
Fraud possible in Brazil's e-voting system - daddy_drank
http://www.zdnet.com/fraud-possible-in-brazils-e-voting-system-7000034341
======
tomjen3
E-voting could be made safe if the machines printed the user's choice on a
little slip of paper which was then put into a box, to be counted once the
election is over.

You could have the machines tally the votes a few seconds after the last poll
location closes, but the election result isn't official until the votes have
been counted.

Any trust in the machines at all and you might as well have the election take
place in NK.

~~~
VLM
An obvious optimization to that process is having voters fill out an optical
"scantron" ballot, then run the ballot through a scanner and lock the paper
ballot away for later spot checking.

You can network the scanners in whatever crude or advanced way you'd like.

This is what Wisconsin has done for about a quarter century.

------
eduardordm
"when the TSE granted access to more than 10 million lines of code for five
hours."

The software itself is very small. They are counting the OS, etc.

The software could be safer. But this whole story about those machines
involves ego and fights for notoriety between government-run universities,
departments and the opposition in place, which changes from time to time. Not
exactly FUD, but an exaggeration of the facts.

~~~
rfonseca
The problem is much bigger than the specific process used or the findings in
the verification. If you look at what they found in the code in the short
inspection, you would shiver. For example, vote secrecy was protected by
storing votes in a shuffled order, where the shuffle was determined with the
random seed srand(time(null)).

But still, the problem is the principle: the system is the only source of
truth, and _if_ there is fraud, or a bug, that changes votes, it is
undetectable and impossible to prove. To have the fate of 200M people depend
on such a premise is absurd.

The electronic system must change, but this will only happen if there is
awareness and sound technical discussion by the population.
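An added example, written for this thread and not code from the comment above or from any real voting system, to illustrate rfonseca's point about the time-seeded shuffle: a libc rand() shuffle is reproduced exactly from its seed, so an auditor who knows roughly when the polls closed can check whether the stored order is recoverable, and the hardened variant draws the permutation from a CSPRNG instead. NVOTES, CLOSING_TIME and all function names are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed example, not code from the thread or any real voting system: a
 * rand()-driven shuffle is a function of its seed alone, so the secrecy it
 * gives is bounded by how guessable the seed is, not by the n! orderings. */
#define NVOTES 8
#define CLOSING_TIME 1412000000u   /* constructed poll-closing timestamp */
/* Fisher-Yates permutation of 0..n-1 driven by rand() after srand(seed). */
static void shuffle_with_seed(int *perm, int n, unsigned int seed) {
    srand(seed);
    for (int i = 0; i < n; i++) perm[i] = i;
    for (int i = n - 1; i > 0; i--) {
        int j = rand() % (i + 1);
        int t = perm[i]; perm[i] = perm[j]; perm[j] = t;
    }
}

/* Auditor's check: if some seed in [lo, hi] (lo > 0) reproduces the stored
 * order, the shuffle hid nothing. Returns that seed, or 0 if none matches. */
static unsigned int seed_window_reproduces(const int *stored, int n, unsigned int lo, unsigned int hi) {
    int trial[NVOTES];
    for (unsigned int s = lo; s <= hi; s++) {
        shuffle_with_seed(trial, n, s);
        if (memcmp(trial, stored, n * sizeof *trial) == 0) return s;
    }
    return 0;
}
/* Mitigation: drive the same loop from a CSPRNG (/dev/urandom), leaving no
 * small seed space to search. Returns 0 on success, -1 on failure. */
static int shuffle_csprng(int *perm, int n) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    for (int i = 0; i < n; i++) perm[i] = i;
    for (int i = n - 1; i > 0; i--) {
        unsigned int r;
        if (fread(&r, sizeof r, 1, f) != 1) { fclose(f); return -1; }
        int j = (int)(r % (unsigned int)(i + 1)); /* bias negligible for small n */
        int t = perm[i]; perm[i] = perm[j]; perm[j] = t;
    }
    fclose(f);
    return 0;
}
/* Store a time-seeded shuffle, then audit it with a one-hour window either side. */
static unsigned int audit_demo(void) {
    int stored[NVOTES];
    shuffle_with_seed(stored, NVOTES, CLOSING_TIME);
    return seed_window_reproduces(stored, NVOTES, CLOSING_TIME - 3600, CLOSING_TIME + 3600);
}
```

The audit returns CLOSING_TIME, i.e. the stored order is fully explained by a seed in a window of a few thousand candidates; the number of candidate seeds, not n!, is the real measure of the secrecy a seeded shuffle provides.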

------
awayand
Voting should never be computerized. The risk of exploits going unnoticed is
too high. Paper and pen seem to me the only safe implementation.

------
olh
Brazilian here.

Possible? Maybe, because computers.

Did this Aranha guy get it right? Probably not, but drama is money.

~~~
marcosdumay
You mean he got what wrong exactly?

In 2012 the TSE did call professors to test the system, he did demonstrate an
attack that recovered the identity of most of the votes registered in the
device's memory, and it was widely published. Since then, there has been no
other test.

It's clearly an unverifiable system, where we don't even have guarantees that
the tested software is the one running on it. And the government is not
responding to requests to improve the overall system.

What part exactly are you saying he got wrong?

------
ddingus
SOAP BOX = 1

For what it's worth, e-voting isn't verifiable directly, unless it's done in a
way linked to voter identities. Even then, it's highly exploitable, but it is
verifiable, depending on the implementation.

A trustworthy election embodies these four ideas to the maximum extent
possible:

1. Anonymity. Votes cast are not linked to voters who cast them.

2. Transparency. The record of the voter intent, election law, means,
methods, processes are visible to all involved and human readable.

3. Oversight. Depends on transparency. The election happens under the public
eye, and we've got clear means and methods to resolve issues in a just and
true manner.

4. Freedom. Voters are free to vote or not as they will.

The basic problem with electronic voting is this:

We don't record the voter intent. We do record what some device or enabling
technology understood the voter intent to be. This is a vote by proxy.

Physical media, such as pencil and paper, present a chain of trust from the
voter intent to the record of the vote, verifiable by the voter.

Electrons and computing systems in general depend on the fact that information
states change easily and transparently. This is a good thing in most cases.

With voting, it's not a good thing because we do not actually record voter
intent! Secondly, a voter cannot ever understand whether or not their vote
record cast reflects their intent. They must trust the proxy.

Touching a screen may set a bit and that bit once set can be displayed back to
the user. This display can be anything!

Physical media, directly used as the record of the vote, does present the user
with a verifiable record they can compare to their intent before their vote is
cast.

Human readable records, fed to machines, work reasonably well. There are
exploits, mistakes, and such possible. However, the entire election can be
litigated, validated as the election process and the people participating in
the election deem necessary. While this is painful, it is necessary, if we are
to trust the election.

Voter records presented in a court of law in electronic form contain very
little other than the interpretation of the voter intent done by the machine
at the time. Worse, it's extremely difficult to understand whether or not the
machine interpretation actually reflects voter intent, and/or if it complies
with election law requirements.

A physical record has another property in that the media is actually changed
in a material way by the voter as they record their voter intent. Further
modifications to this record are very difficult to perform without leaving
evidence of said modification on the media right along with the original,
uncorrupted voter intent.

Electrons, if modified, changed, corrupted... just present different data
states. For an analogy, say the vote count is in your mind, and suddenly you
change that count, or manipulate it in subtle ways. The count is just
different now, a mere information state.

Electronic voting isn't verifiable and trustworthy without extensive auditing
and votes linked to users. For an example of this working reasonably, see
banking and how all the records and accounting can work.

Do we want to link votes to people? If so, then e-voting can make some sense.
I personally am opposed to this, and as a result, am opposed to electronic
voting, but I do believe electronic counting, plus audits, given it's done
from human readable records, can make sense.

Oregon, Washington and Colorado are vote by mail States, where the voter
intent is collected in a human readable way, counted electronically, audited
with appropriate sample sizes to ensure accuracy within reasonable limits, and
the entire election can be verified in court, one vote at a time, if needed.

This is the path forward IMHO. E-votes are a PITA and we can't really trust
them. Votes by mail have a lot of advantages and they cost less than full-on
"go to the polls" elections do.

Finally, voting happens over a period of a week or two, distributing the votes
nicely in time, preventing attacks, surprises and other things that can
corrupt an election when it's all got to happen in one significant day.

I sure hope Brazil figures this out before they suffer too much from it.

SOAP BOX = 0

~~~
oggy
> For what it's worth, e-voting isn't verifiable directly, unless it's done
> in a way linked to voter identities

You're missing out on the last 20 years of crypto research. I'd say we're not
there yet, but people have been thinking hard about things such as
verifiability (with vote confidentiality of course!), coercion resistance etc,
and have come up with really cool ideas. As with his other work, David Chaum
has some stuff that makes you go "WTF?!? oooh", check out things like Prêt à
Voter or Scantegrity.

~~~
lcastillo
Also check Microsoft Research U-Prove
(http://research.microsoft.com/en-us/projects/u-prove/) or IBM Identity Mixer
(http://www.zurich.ibm.com/security/idemix/), both are identity systems that
allow casting electronic votes anonymously.

I wonder if we will ever get to a point where that kind of crypto is explained
enough that we collectively trust it as much as pen and paper.

~~~
ddingus
There still exists a forced trust by the voter in that they must trust the
machine to parse their voter intent and must trust it to use that intent to
contribute to the overall tally.

A machine presents a user with some interface, and they make a selection and
they get told something. They have no identifiable way to see that the record
of their intent is accurate, or even will be used.

With pen and paper, the intent of the voter is what we record and that record
is used to arrive at the tally to determine the election.

With a machine, we do not record the voter intent, only what a machine
determined that intent to be.

Actually recording the voter intent means being able to evaluate that intent
in a court of law, vote by vote, if needed. Given the impact law and
government has on us, it's not too much to ask we actually do record intent.

------
rfonseca
Other comments at https://news.ycombinator.com/item?id=8410586

------
br_smartass
I doubt Brazil is ever going back to paper voting. With that said, human vote
counting is exploitable/error-prone, too, and electronic vote counting instead
of electronic voting seems like it'd have the same issues the voting machine
has.

The solution is clear to me: make it open-source, give bounties for
issue-fixing. If the current software is crap, hire RSA and/or some nice
software shop to refactor and audit it, then open-source it.

~~~
specialist
All systems are fallible. Assess the relative risks by comparing their attack
surface areas.

Paper ballots issued, cast, and counted per precinct, on the night of the
election, is the most robust system in existence. Compared to any other
system, corruption would require more participants, increasing the cost,
difficulty, and risk of detection.

Further, it also enables verifying the physical chain of custody, which is
very, very difficult with electronic systems.

RSA? Why would I trust them?

------
oruam
Fraud? In Brazil anything is possible, because my country is a total mess.
NOTHING works properly here. So, why would e-voting be an exception?

~~~
br_smartass
Are you aware of how infantile you sound?

Behold, readers, the Brazilian inferiority complex.

~~~
oruam
No, it's not. It's just reality. Infantility is not admitting this (e-voting
and other things) as a REAL issue. I love my country, but I have my feet on
the ground.

~~~
br_smartass
Stop being such a wimp. All the places everywhere in the world through all
history have had issues (something you're probably ignorant of, I suppose),
get over it.

PS downvoter: Sorry if it's too aggressive, but the point I'm trying to make
here is that ignorant opinions and defeatism aren't going to take us anywhere;
people really need to get over this IMO. As the quote "a little learning is
a dangerous thing" goes, shallow knowledge intoxicates the mind, but drinking
it largely sobers us again ;)

~~~
oruam
So, let's pretend everything's OK. After all, "ignorance is bliss".

