
Argentina's voting machine system leaked? - necessity
https://github.com/prometheus-ar/vot.ar
======
jkldotio
I've never seen the need for voting machines, even if they were open source
and not plagued by scandals constantly. Counting votes can be done mostly in
parallel. If you can't get enough volunteers and auditors to watch them then
you have other problems a machine would likely make worse. In Australia we
rarely have to wait long for the result and our Senate voting is fairly
complex. It's even crazier when people try to push the speed benefits for
things like the US presidential election where those elected don't even take
office for weeks after the polling day.

Although the ancient Athenians were not Luddites - they had an elegant machine
to randomise a large stratified sample of the population for jury duty and
water clocks to time speeches - for the actual votes they just used pebbles or
pieces of metal. That's because counting something up is simply not that
complex and shouldn't be made complex unnecessarily just to pad the CV of some
electoral commissioner or pad the wallet of the company making the machines.

~~~
arkem
As a fellow Australian I would love voting machines to encourage below the
line senate voting and to allow even faster tabulation of results.

I'd argue that we're stretching the limits of paper ballots with the current
senate situation. There are significant chances for it to go wrong, like when
the Western Australian senate election had to be rerun after the High Court
voided the previous result due to lost ballots[1].

Even if machines had the same problems as paper it could be faster and
cheaper to recover from them.

[1]
[https://en.wikipedia.org/wiki/Australian_Senate_special_elec...](https://en.wikipedia.org/wiki/Australian_Senate_special_election_in_Western_Australia,_2014)

~~~
tacticus
Except voting machines have a huge collection of their own problems like being
much easier to compromise and much lower security

~~~
arkem
I'd say that they have different security problems rather than more.

~~~
NickNameNick
They have unmanageable security problems rather than manageable ones.

When I look at a ballot paper, I can see that it is what it is. When I stand
in front of a voting machine, there is no way to validate that it's running
the software that it's supposed to run. No way to validate it hasn't been
tampered with, no way for the election scrutineers to validate it hasn't been
tampered with before counting.

With a paper ballot, the scrutineers can lock the ballot box, and ensure it
remains unopened and untampered with, aside from depositing ballots in it,
simply by watching it.

------
Htsthbjig
I can't think of a worse idea than electronic voting machines in Argentina or
Brazil.

Corruption is chronic there. I traveled to Brazil with a friend, he made a
mistake (not using common sense) and his camera and the bag we used with several
electronic tools was stolen. He went to the police, and was beaten by the
police!!

We are from Spain and he simply expected a behavior in institutions that does
not exist there. In Brazil you are either rich or poor, and police protects
the rich (or the highest bidder) with iron fist. They are rude and you better
not resist.

Argentina by the way has Spanish and Italian "picaresca" in their veins. "Ser
un vivo" and fool other people is not only ok, but something to brag about.

Electronic voting could work in Switzerland or Denmark, and even there I will
only trust it for menial tasks, like what they do in Switzerland asking people's
opinion on the new street lights (they do it using mail!!) and so on, but never
with serious things like who gets in power.

Last time I was in Argentina, there were elections, and the politicians were
literally buying the vote of poor people with crumbs even renting buses for
them.

~~~
gphilip
India has been successfully using EVMs for elections since the turn of the
century [1].

And an Indian General Election is no menial task. In the latest election of
2014, 814.5 million people were eligible to vote, making it the largest-ever
election in the world. A total of 8,251 candidates contested for 543 seats in
the Indian parliament. The average election turnout was around 66.38% [2].

[1]
[https://en.wikipedia.org/wiki/Indian_voting_machines](https://en.wikipedia.org/wiki/Indian_voting_machines)

[2]
[https://en.wikipedia.org/wiki/Indian_general_election,_2014](https://en.wikipedia.org/wiki/Indian_general_election,_2014)

------
wslh
Security guys in Argentina are working hard on Friday. Shell command injection
in the code: [http://pastebin.com/KNNjAyzP](http://pastebin.com/KNNjAyzP)

It is important to note that the computer security and bitcoin scene are very
strong in Argentina. See
[http://www.ekoparty.org/eng/index.php](http://www.ekoparty.org/eng/index.php)

~~~
danso
Slightly off-topic but as I stop to think about it, I think this is one of the
only times I have ever seen code in non-English. I'm confident enough in
Python that I _know_ the only difference is in reference names, and that has
nothing to do with the computational logic or structure...but I'm taken aback
by how non-trivial -- even with the syntax highlighting -- it is to tell my
brain that it's just Python, and to treat it like any other code with strange
naming conventions. I don't know what the takeaway is here...that proper
naming conventions and self-documenting code is even more important than I
realized...and/or that not having familiar context (i.e., what are these
variables referring to) is a substantial mental drain...even though it's not
particularly important to debugging the code.

It definitely makes me respect all non-English coders even more, for happily
putting up with the ASCII status quo...especially those from non-Latin
languages, such as Matz.

~~~
cmrx64
You should try your hand at deobfuscation of a VM bytecode like actionscript
(flash), CLR, or JVM. I suspect that will give you good practice with dealing
with "strange naming conventions" ;)

------
fisadev
Ex-developer of that system here (not working in MSA anymore since 3 years
ago). Can answer questions if there aren't hundreds of them.

~~~
aortega
Hi, have a couple...

1) First, I found the complete lack of security puzzling. I mean, they don't
even use SSL in their site logins. You use md5 to check firmware...and the
coders are obviously capable of using proper cryptography, but they won't.
It's like they completely gave up on any kind of security whatsoever. Is this
something deliberate?

2) Why the RFID to store the vote? why not a qr-code? it's hard to read? RFID
tags are hundreds of times more expensive, they can be unlocked, re-written,
must be protected with a weird faraday cage that _do not work correctly_
(Faraday cages must be grounded!) they are a nightmare. I'm sure there must be
a good reason.

~~~
fisadev
1) Here you make a lot of false statements, and then conclude on the lack of
security based on them. So let me answer to each of them:

> they don't even use SSL in their site logins.

Which sites? The only one I can think of having a login is the transmission
site, and it not only uses SSL, it even has two way certs validation, so even
the client has to have valid SSL certs which the server validates.

> You use md5 to check firmware

No. They use SHA256, not MD5, and to check the CD software, not firmware
(there is no way you can checksum a firmware securely if the firmware wants to
lie to you).

> and the coders are obviously capable of using proper cryptography, but they
> won't

Yes, they use encryption, where it makes sense, like the double SSL in
transmission.

But I guess you are referring to the unencrypted chip data. It would be
useless to encrypt that. Think for a second: the machine needs to be able to
read that chip on the counting step. So you are distributing the unencryption
keys in _hundreds_ of _public_ CDs that very same day. Having the data on the
chips encrypted would accomplish nothing, the keys to unencrypt them would be
public. It's like putting a padlock in your bike, but leaving the key along the
padlock.

So no, nobody has given up on security, you just probably have read misleading
things.

2) Again, several wrong things, will answer separately:

> why not a qr-code? it's hard to read?

This is the only one I can't answer with full knowledge, but I think it had
something to do with them being hard to read because of the quality of the
print (thermal fast printing).

> they can be unlocked, re-written

No, they can't. It's a physical process that burns and cuts connections on the
chip, you can't "rebuild" them to unlock it again.

The thing you probably saw was people rewriting _demo_ ballots, which are
created with the machine configured in _demo mode_ , in which it doesn't burn
the chips, to be able to reuse the same in several demos. The people claiming
that even published photos of the supposed "real" ballots they were
rewriting, and the ballots had in really big letters crossing all the print,
the text "DEMOSTRACION USO NO OFICIAL". So, no, they weren't rewriting real
ballots, it's obvious those were demo ones.

> with a weird faraday cage that do not work correctly

Reality doesn't agree with you, hehe. Even people opposing the system had
tried and weren't able to read the chips through the shield. It's simply a
shield which has enough mass to absorb the signal that the chip emits.

~~~
aortega
>Which sites?

The tech login sites.

>They use SHA256, not MD5

[https://github.com/prometheus-ar/vot.ar/blob/master/msa/voto...](https://github.com/prometheus-ar/vot.ar/blob/master/msa/voto/constants.py#L216)

>double SSL

Come on...

>hard to read because of the quality of the print

print them bigger? change the printer? this makes no sense, unless you want to
have the ability to change the vote. It's the only logical explanation.

>I guess you are referring to the unencrypted chip data.

No, I'm referring, for example, to software package signatures.

>No, they can't. It's a physical process

This is simply not true. Even if you had the power to physically burn
something in the chip (you do not), many RFID chips allow unblocking with a
special password, because they do not really burn anything. You don't know how
the rfid chip works internally because the design is not public, and there are
no ways to check the model of chip used.

> Even people opposing the system had tried

Who? were they qualified RF engineers or just some dudes with a commercial
RFID reader? No signal can be "absorbed" completely.

------
dysoco
There has been a lot of discussion over the past few months about this. The
voting machines were created by a private company (MSA). The code was
supposedly "open" but it was nowhere to be seen.

The machines basically print an electronic voting bill, that has an RFID chip
which is reportedly vulnerable.

~~~
speeder
Still, this can be considered better than Brazil system: The code cannot be
read by the population, the machine itself has secret proprietary components,
testing its security is not truly allowed (the government claims to allow
testing, but the test has rules to make true testing impossible, and the
allowed tests pointless), and... the machine prints nothing, you are supposed
to trust whatever it says the vote count is, without even being able to see if
there are bugs or not in the vote counter (what if it has a loop with a >
instead of >= for example, that causes 1 less vote per machine?)

~~~
CountSessine
That's not a voting machine - that's a secret coup d'état.

------
Animats
Here in San Mateo County, we have a good voting machine system, although the
knob-based UI is strange. After you've selected all your votes, you press the
"done" button, and, behind a transparent window, a printer prints your votes
on paper, with the chosen candidates names spelled out fully, followed by a
big 2D bar code. You can then accept or cancel your vote. If you reject the
printed version, it prints CANCELED and you start over. If you accept, it
prints VOTED, and the paper roll winds past the window.

The paper is a backup. The votes are also recorded by the software. But the
paper can be read by hand if necessary, or by a scanner which reads the bar
codes. So recounts are possible and checkable by all parties.

~~~
nileshtrivedi
If the paper can be read, political thugs will use bullying and intimidating
tactics to get votes. Secret ballot is essential.

~~~
DannyBee
It's possible to make verifiable secret systems. Some have even been tested in
real elections in the US as part of projects by NIST (for arcane reasons, NIST
controls voting technology in the US :P). For example, Takoma Park in Maryland
has used Scantegrity a few times (2009, 2011).

------
molmalo
The title can stop being a question. MSA has confirmed that this is their
code, but they say it's a copy from earlier this year, and that they have been
working on it, so it's already old:

[https://translate.google.com.ar/translate?sl=es&tl=en&u=http...](https://translate.google.com.ar/translate?sl=es&tl=en&u=http%3A%2F%2Fwww.lanacion.com.ar%2F1803251-filtran-parte-del-codigo-fuente-de-la-boleta-electronica-portena&edit-text=&act=url)

~~~
wslh
New code can share the same bugs and add new ones.

The point here is that voting machines must be open source and its hardware
completely public to analyze it. This can't be the weakest link in a
democracy.

~~~
NickNameNick
Open source software is certainly preferable to closed, but it's not
sufficient for a voting machine, because there is logically no way for the
user to verify that the software on the machine is what it is supposed to be.

~~~
shiggerino
Nor is there a way for the voter to verify that the machine itself is what
it's supposed to be.

Now, if the hardware instead

1) could be provided by the voters themselves,

2) was easily auditable

3) was used in their daily lives providing a ubiquitous understanding of the
technology involved

only THEN would it be appropriate for use in elections. So far, only pen and
paper fulfils all of those criteria.

~~~
NickNameNick
It also needs to be anonymous to prevent people buying or coercing other
people's votes.

And if you satisfy all those requirements, and others, congratulations, you've
probably just invented the world's most expensive printer.

------
embarcadero
This is a terrible idea. I lived in Argentina for two years and studied the
country. It's a cesspool of corruption, with scant separation of powers (see
Nisman, Alberto).

Even in less corrupt countries, electronic voting is a terrible idea: it's
vulnerable to hacking and, because the system is opaque to the average
citizen, erodes trust.

Richard Stallman has been emphatic on this point:
[https://stallman.org/evoting.html](https://stallman.org/evoting.html)

The more at stake, the greater the temptation, the greater the likelihood of
fraud. Leave online decisions to scheduling problems a la doodle.com

People should recognize that sometimes paper is superior to bits.

------
edko
if(citizen.isDead && !citizen.hasVoted){ FPV++; citizen.hasVoted=true }

------
innguest
If only we had the perfect voting system, and if only the deck chairs on the
Titanic were aligned just so...

