
The Return of Software Vulnerabilities in the Brazilian Voting Machine - vitorcoliveira
https://www.researchgate.net/publication/323470546_The_Return_of_Software_Vulnerabilities_in_the_Brazilian_Voting_Machine
======
caiobegotti
Diego Aranha (and his peers) has been presenting strong cases and amazing
proofs over the years why the software stack in those voting machines is
bugged beyond repair (especially considering they never have permanent
uncontrolled access to scrutinize it, because if they did they would uncover
with evidence some very dirty stuff) and it's disgusting to see him being a
target of ad hominem and FUD by many political leaders and electoral judges in
Brazil. Just so you have more context on this.

EDIT: Brazil has over 2 decades of electronic voting "experience", so you see
how important papers like this one are for democracy and electronic voting in
other countries.

~~~
crpatino
I met Diego a few years ago at LatinCrypt, and if half of what he says is
to be believed, it is much worse than that.

It is not just the possibility that "very dirty stuff" might be uncovered. It
is the fact that in spite of all the restrictions the Brazilian government
throws in his way, he still is able to find ugly stuff, and it is not so much
malicious as utterly incompetent.

------
bloomingfractal
I see the authors are hanging out here so I would like to ask a question :)

Do you believe that with the proper audit systems in place (e.g. open-source,
open-hardware, not rolling your own crypto, etc) it would still be possible to
have a secure electronic voting system?

~~~
mulmen
What is the value proposition of electronic voting machines?

I'm not an expert on the technology but I would say that in 2018 and for the
foreseeable future there is no way to make an electronic voting machine that
the public will trust.

Arguably that is far more important than the tech stack.

~~~
bloomingfractal
Assuming they work correctly the benefits are clear.

If they can ever be made secure, it's what I wanted to know from the
researchers.

~~~
mulmen
I'm sorry, what are the benefits? They are not clear to me.

~~~
beisner
Accuracy. If you could somehow prove that every vote could accurately be tied
to a human pulling a lever, confidence in election results would be higher.
Also instantaneous results and no issues of a recount (like in the 2000
election, where the refusal of a recount in a state cost Al Gore the
election).

~~~
dfaranha
Yes, in Brazil we don't even have the possibility of recounts, so reassuring!
:)

~~~
cassianoleal
On the other hand, the way votes were counted back in the days of the paper
ballot was not something to be proud of either.

Anyone who's been involved in counting votes has seen more vote count fraud
than they could possibly try to explain to others. Everybody used to be
involved in that, from the people counting who didn't want to be there and
would do anything just to get it over with, to the party delegates, to the
people in charge of the sections.

I understand all the criticism and I praise your work in pushing for a more
secure and auditable stack but it's hard to argue that the previous system was
better in any way.

~~~
dfaranha
Fortunately that's not what I am arguing. I am pushing for VVPATs instead. :)

~~~
cassianoleal
I don't really see how that's superior to anything. It adds complexity to a
system that's already hard to understand for large slices of the voters, and
provides nearly no actual advantage to either the old paper ballot or the new
electronic system.

A potentially better approach would be to have the systems themselves publicly
auditable and somehow have the live ballot devices verifiable.

~~~
dfaranha
VVPATs do not add complexity, they cheaply allow a layman to verify if a
proper record of his/her vote was produced.

I can't parse your last sentence, sorry.

PS: Yes, I would prefer to redesign the whole thing from scratch and tightly
integrate physical and electronic records, as in an optical scanner, but this
is very unlikely to happen anytime soon.

------
cfontes
The site is dead.

There is no cached version, but using Google Translate still works:

[https://translate.google.nl/translate?hl=pt-BR&sl=en&tl=pt&u...](https://translate.google.nl/translate?hl=pt-BR&sl=en&tl=pt&u=https%3A%2F%2Fwww.researchgate.net%2Fpublication%2F323470546_The_Return_of_Software_Vulnerabilities_in_the_Brazilian_Voting_Machine&anno=2)

~~~
dfaranha
I can't reproduce your issues, but perhaps resolving the DOI works better:
[http://doi.org/10.13140/RG.2.2.16240.97287](http://doi.org/10.13140/RG.2.2.16240.97287)

