Install PAC-MAN on Sequoia voting machine w/o breaking tamper-evident seals (umich.edu)
129 points by finin 2644 days ago | 51 comments

It is one of the curious facts of modern culture that the people who love technology the most also seem to be the most opposed to electronic voting.

I think it's because the people who most understand how computers work also understand that no data can be considered trustworthy if somebody else has been in possession of the hardware. Yet governments continue to trust the impossible promises of the people who make voting machines that their machines are secure, despite a continuous stream of demonstrations to the contrary, both intentional and accidental.

I don't know that we're opposed to it in theory, it's just that every single implementation thus far has been terrifically bad. Making the code open source would go a long way, I think, as would establishing open working groups to establish security standards. I may be an optimist, but I do believe that theoretically (at least information-theoretically[1]), it can be done well.

[1] http://scholar.google.com/scholar?q=Information-theoreticall...

It's also fairly easy for us techies to grasp the hacking of computer systems. But we often forget how insecure and error prone paper systems can also be:
Massive voter fraud could be happening every election - it's pretty easy to vote fraudulently and there is almost no way to find out after the fact (I've done it unintentionally). For whatever reason, we are insanely afraid of hackers pushing an election over the edge, and yet we don't even ask for photo ID at the voting booth.

We're more concerned about electronic voting because it lowers the effort and manpower needed to defraud immensely.

And more likely, in a close election the election can be stolen by a minimal change, which will probably go undetected.

I voted on Saturday (Australian election). No id required, 100% paper votes, all counted by hand (as far as I'm aware) and we normally have a result within a few hours of polls in the West closing.

Seems to work very well, but I guess one advantage we have is that none of the parties here are worth cheating for.

Might also help that Australia's population is about 22M. The USA are at 308M and India is 1180M - hand-counting ballots might just be a bigger problem with those kinds of numbers involved.

Can't see why it would be. That kind of thing parallelizes really well.

Granted, oversight would likely thin a bit.

Germany has 80 m, and hand-counting works well. It does seem to be easy to parallelize.

I do not. As long as the hardware has been in possession of untrusted parties (and polling place workers do not count as trusted) any software solution can be compromised.

I'm not convinced that any method will ever be 100% foolproof, but I think it can be improved immensely, and if we could limit the inaccuracies/fraud to always be less than those incurred by a traditional paper ballot[1], I think I'd approve.

In regards to your comment regarding untrusted parties handling the hardware, here are a few counterpoints:

- We already trust polling place workers with paper ballots, the possibility for fraud already exists.

- The potential for fraud from any one polling place can be limited by implementing a system which makes it impossible (or very very difficult) to spoof the location from which a vote was cast, and ensuring that the number of votes cast per polling place is within an expected range.

- Such a system could also include a paper receipt with an ID number on it. A voter could plug this "tracking number" in on a trusted website (i.e. vote.gov) and confirm that their name is associated with their preferred candidates, but not allow them to change these choices. This would go a long way towards identifying fraudulent activity when/if it occurs.

[1] Though figuring out how to quantify this is anybody's guess.

"We already trust polling place workers with paper ballots, the possibility for fraud already exists."

I don't know about the US, but here in Germany _anyone_ can watch the whole process including the counting of the votes.

So it is possible for me to check up on my polling place.

With the current paper ballot system you need a lot of people to cheat significantly. With voting computers you need only a really tiny number of people to steal an election.

Is it not the case in the US that representatives of each party supervise the counting of the ballots? Pretty sure that's how it works locally; though elections are state-governed so I guess there could be some variation.

Having representatives of each party overseeing the process should serve to keep any monkey business in check. Though when people are involved, there's always a chance for corruption.

You can't let people look up their vote, or their employers, spouses, etc., could force them to vote for preferred candidates. Ron Rivest has a system to make it verifiable and deniable (Three Ballot system). There are others.

Rivest has the right idea in terms of thinking about this cryptographically... But the Three Ballot system would be an absolute mess :-P Remember hanging chads? Try telling people that to vote against a candidate, they have to mark them on one of three ballots...

Usability is a big problem with election systems. Making something anonymous, auditable, fraud resistant, affordable, etc and simultaneously make it usable more or less by everyone is tough.

They recently used a system called Scantegrity in Takoma Park, MD (Rivest also collaborated here). I've been meaning to look up the usability conclusions on this one, but I don't remember seeing much in the way of problems at the time.

Certainly we trust the polling workers with paper ballots, and fraud exists there, but IMHO the ease of electronic fraud is much greater than the ease of paper ballot fraud. I'm thinking of the work involved with ballot stuffing - you basically can turn it into a "one click" operation.

(Speaking only of the US voting system)

I don't think that is necessarily true. Perhaps a public key scheme could be derived that would enable everybody to verify the votes on their home PC.

The challenge is to allow for anonymous voting. I don't think it is necessarily a problem that is impossible to solve. Practical solutions are also a challenge.

I think the issue is the difficulty of auditing electronic votes. Computers and databases have made it so easy to forge data--just look at Bernie Madoff.

The best way to ameliorate these discomforts is to ensure that a list of eligible voters is made available every year (already available under the current system), as well as a list and sum total of those eligible that voted. We would need to assign every voter a UUID every time he votes, and provide the voter a printed receipt of the UUID and selected choices (if desired) on security paper (controlled stock of security paper with its own unique identifier to be accounted for), and publish all election results with the selected choices matched to a UUID on a website every year in CSV and HTML formats.

I'm sure there will always be ways to tamper with the system. The key is that if everyone is able to watch the system (like open source code auditing), the risk of discrepancies or error is minimized. The UUID will allow the voter to confirm that his choices match the recorded results.

If this system were implemented, it would be better than the status quo. The current system may seem better, but it's prone to human error (Scantrons not being scanned by an optical reader; hanging chads; etc).

At least two obvious ways to hack your proposed system. Hackers could just add phony UUID/vote pairs to the totals. Activists could claim their vote was stolen if their preferred candidate loses.

(We already saw a variant of the latter in 2000. Remember "I couldn't follow the arrow and accidentally voted buchanan"?).

Further, if a person's vote is verifiable, it also opens the door to paying people for their votes.

I can't think of a fix for paying people for their votes since that problem still exists today (albeit to a lesser extent than if a voter's vote were verifiable), but I imagine they wouldn't be able to keep it under wraps for very long. Anyone offering to pay money will definitely risk drawing attention to themselves, and I believe ethical people will report suspicious people to voting investigators.

As far as the UUID/pair frauds, we could mail a confirmation letter to the voters stating that they voted. Since I don't think we could tie the UUID to the actual voter, we could tell them they participated in this year's election and to verify the results to the receipt. This part is compounded in difficulty partly due to federal voting regulations that don't allow us to tie a voter to his votes, so I think the only real way is to verify videotapes verifying that said voters appeared in person to vote.

Again there are flaws and it will take more people to resolve the issues with electronic voting.
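The two checks argued over in this sub-thread, that a voter can confirm a receipt UUID against the published results, and that phony UUID/vote pairs can be caught by reconciling per-polling-place totals against the number of voters who signed in, can both be expressed as simple audits over the proposed CSV publication. The following is an added example, not code from the thread or any election system; the CSV rows, polling place ids, candidate names and poll-book counts are constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of the "published results" CSV the comment proposes:
# one row per recorded ballot with the receipt UUID, the polling place
# where it was cast, and the recorded choice. Hypothetical data.
PUBLISHED_CSV = """uuid,polling_place,choice
u-0001,PP-01,Alice
u-0002,PP-01,Bob
u-0003,PP-01,Alice
u-0004,PP-01,Alice
u-0005,PP-02,Bob
u-0005,PP-02,Bob
"""

# Constructed poll-book counts: how many voters signed in at each polling
# place. PP-01 has one more published ballot than sign-ins; PP-02 matches
# on count but carries a duplicated UUID.
POLL_BOOK_CHECKINS = {"PP-01": 3, "PP-02": 2}


def parse_results(text):
    """Parse the published CSV into a list of dicts (uuid, polling_place, choice)."""
    return list(csv.DictReader(io.StringIO(text)))


def find_duplicate_uuids(rows):
    """A receipt UUID must appear exactly once; repeats indicate stuffing or a publication error."""
    counts = Counter(row["uuid"] for row in rows)
    return sorted(uuid for uuid, n in counts.items() if n > 1)


def find_overcounted_places(rows, checkins):
    """Flag polling places that published more ballots than voters who signed in.

    Returns {polling_place: (published, signed_in)} for every place where the
    published count exceeds the poll book. Places missing from the poll book
    are treated as zero sign-ins, so any ballot there is flagged.
    """
    published = defaultdict(int)
    for row in rows:
        published[row["polling_place"]] += 1
    return {
        place: (n, checkins.get(place, 0))
        for place, n in published.items()
        if n > checkins.get(place, 0)
    }


def verify_receipt(rows, uuid, expected_choice):
    """What a voter would do with the printed receipt: look up the UUID and compare.

    Returns "match", "mismatch", "missing" (UUID never published) or
    "duplicate" (UUID published more than once, so the lookup is ambiguous).
    """
    matches = [row for row in rows if row["uuid"] == uuid]
    if not matches:
        return "missing"
    if len(matches) > 1:
        return "duplicate"
    return "match" if matches[0]["choice"] == expected_choice else "mismatch"


def audit(text=PUBLISHED_CSV, checkins=POLL_BOOK_CHECKINS):
    """Run both reconciliation checks and return the findings as a dict."""
    rows = parse_results(text)
    return {
        "duplicate_uuids": find_duplicate_uuids(rows),
        "overcounted_places": find_overcounted_places(rows, checkins),
    }


if __name__ == "__main__":
    findings = audit()
    print("duplicate UUIDs:", findings["duplicate_uuids"])
    for place, (n, signed_in) in findings["overcounted_places"].items():
        print(f"{place}: {n} ballots published, {signed_in} voters signed in")
    rows = parse_results(PUBLISHED_CSV)
    print("receipt u-0002 for Bob:", verify_receipt(rows, "u-0002", "Bob"))
```

Note that the per-place reconciliation only catches a stuffer who adds rows without also inflating the sign-in count, and the receipt check only helps if voters actually look; the thread's point that a verifiable receipt also enables vote buying is untouched by either check.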

Secret voting was brought in pretty much as a direct response to widespread coercion and purchasing of votes in many different places.

It reduced the problem significantly by making it impossible (or at least significantly harder) to verify that you vote the way you promised.

The UUID suggestion is worse than the way it used to be, as in the past you generally required people at the polling place to oversee the voting to ensure your people voted the way they were told/paid to do, while with a receipt available, you can monitor more people with fewer people of your own.

Well, firstly, these machines should have been riveted shut, so that the only way to access the machine is by breaking the tamper-seals. (This at least eliminates everyone in the country without corresponding replacement tamper-seals from screwing around inside the machines.)

Secondly, the OS on these devices should have been stored into ROM; not only is this a bastard way of ensuring people have to use the manufacturer to upgrade the systems, but it also makes tampering that much more of a pain in the ass.

Thirdly a proprietary data storage should have been used. Preferably one designed so that the voting machines only ever contain a write-only drive, in that it either cannot edit the data, or preferably doesn't even have the necessary hardware to read the data it writes (this would be complicated to get working right, but would be well worth it). This means only the manufacturer would have access to the edit/read connections.

I mean come on, compact flash, seriously. My phone can read flash drives, what were the designers thinking!

Proprietary storage? I'm skeptical. This is contrary to the open-source mentality: let the details of how the system works be known to everyone. Like PGP encryption: nobody's hiding how it works - in fact, more scrutiny helps prove it's safe. You don't hide the mechanism, you just hide your personal key.

Otherwise, you start feeling secure based on your assumptions, like "only we can read these drives" - when maybe your assumption is wrong. Maybe somebody has hacked one machine somewhere and reverse-engineered the connector.

Now you've got an unknown danger out there. Whereas if you're constantly submitting your system to public scrutiny, you'll probably only have known dangers. Which you can fix.

>no data can be considered trustworthy if somebody else has been in possession of the hardware

Actually, this isn't true, given properly-implemented crypto. Or, I suppose I should say, it's true only with very low probability.

So here in Australia we use plain old paper and pencil ballots (it is the same in every state - it's Federal). How does electronic security compare to pencil on (anonymous) paper? I am sure paper fraud happens - as would manual counting fraud (it is manual but overseen of course). Is it perhaps that with electronic both the scale can be increased and the chance of detection decreased?

How much of the drive for electronic voting is driven by big media? The MSM really covers elections like horse races, and at the finish they want to be able to wrap it before people drift off to sleep for another workday.

I wouldn't mind if election results weren't available for a day or two. The ancient Greeks had a completely tamper-proof voting method (and voting was theoretically obligatory). We should likewise be seeking a tamper-proof voting method, whatever that may be. I would also support obligatory voting (with "abstain" as a choice), and media outlets that cover elections like entertainment should be ridiculed.

As a counterpoint, cryptographers (including Rivest of _R_SA fame) are quite interested in voting. Of course, they generally don't trust the machines at all...

I've often considered open source voting software and hardware as a possible startup idea, but frankly I don't have the balls to go through with it. I'm not an entrepreneur, and it is a legal minefield besides, so I stay away. Still, I have some neat (IMHO) ideas, so maybe I should find a venue in which to express them.

"We received the machine with the original tamper-evident seals intact. The software can be replaced without breaking any of these seals, simply by removing screws and opening the case."
Incompetence doesn't even begin to describe it. Or is this by design?

"What's inside the AVC Edge? It has a 486 SLE processor and 32 MB of RAM—similar specs to a 20-year-old PC. The election software is stored on an internal CompactFlash memory card. Modifying it is as simple as removing the card and inserting it into a PC."

Seems to be a history of dubious competence for this machine and company:
I'm not too shocked by the use of the processor, that may very well have something to do with reliability. You'd be surprised how demanding industry is in this respect, and it's not rare at all to find what you'd class as 'ancient' hardware when it comes to doing jobs where you have to make the results reliable. Not saying that was the case here, but it could be, also I'm imagining these boards might be run from a battery backed-up power supply so they may want to have them consume as little power as possible (that's a guess though, but I can imagine that if your election is in an area where there is a power failure you don't want to lose the results).

Compare for instance with avionics and stuff on space flights. If crashing is not an option the rules about hardware change dramatically. It's a pity the article does not say whether the ram was ECC ram or not, that would be a hint that this is not just a way to be 'cheap'.

Mind you, this could be because they were

- spending years on certification and legal compliance of hardware to many jurisdictions

- already had an old and tried platform that is powerful enough to do the job

Before anyone cries "obsolete", be aware that e.g. your Canon digital cameras run a DOS clone (ROM-DOS) on similar CPUs. You don't really have to have quad core everywhere just because you can.

But of course it doesn't address the whole seals fiasco.

A good design would have riveted the machine shut, ensuring the only way in was through the tamper-evident seals.

At work today (I work in construction) I managed to remove a latch & lock system from a door without damaging either part. I manipulated the door hook with the padlock on and loosened the top screws, which gave me enough room to remove the top two screws on the door frame latch, which gave me enough room to remove the two screws on the door hook. I then removed the bottom two on latch by using the new upward-slack. I forced the latch section around until the middle screw became loose, angled the latch and slowly removed the centre screw. I essentially just broke into the customer's garage with no signs of forced entry.

Had the lock been installed properly (i.e. no slack in the system) it wouldn't have been easy to remove it with no signs of tampering. However, it wasn't installed properly. Incidentally, one of the easiest ways to solve this problem is to take a drill bit and strip the heads of the screws. This leaves manually forcing the lock as the only way to open it, which takes a lot of effort if you're using 3 inch screws through a proper stud.

Could very well be security theater. Or maybe the researchers missed another layer of seals that protected the screws.

I suspect the only way to get the public's attention on voting machine security would be for a group (Anonymous?) to hack a major election in favor of a joke write-in candidate (Mickey Mouse, "None of the Above", Bill Murray).

Definitely 'None of the Above' - I ran for student union president on a None of the Above ticket.

The irony was lost (magnified?) when I drew top of the ballot paper, but ultimately my preferences (was a preferential style not first-past-the-post ballot) tipped the victorious president over in a cliffhanger election.

The Open Voting Consortium is working on an open-source solution that uses everyday PCs and printers instead of these ridiculously expensive voting machines. Their solution[1] is actually paper-based, allowing for increased accountability and transparency. The source is available here[2] although the project hasn't seen activity in quite some time, so I am not sure of the status of the code base.

[1]: http://www.openvotingconsortium.org/our_solution

[2]: http://sourceforge.net/projects/evm2003/

Now make it so you have to eat the ghost labeled as the candidate you want to vote for, and it records the vote.

I might actually go to the polls.

Alternatively, a 1 minute quiz on the constitution and/or your country's system of governance. Get all the answers right and you can vote!

Half a century ago, literacy tests and trick questions were widely used to keep blacks from voting. That's why it's illegal to do so now.

I should point out that it wasn't a serious suggestion! I was just trying to think of practical uses for the hack. I didn't think my other idea of networked Street Fighter, where the victor was able to cast the vote on behalf of the loser, would hold much water on HN.

Nowadays, the US repeals voting rights from those who have committed a felony, have a similar name to someone who's committed a felony, or live in the same neighborhood as people who commit felonies. And who "just happen" to be black.

Civilization has advanced - this is no longer widely accepted - but that doesn't mean it doesn't happen in, say, Florida.

> have a similar name to someone who's committed a felony

Really? How is that justified?

To the best of my knowledge, not at all.

See e.g. http://en.wikipedia.org/wiki/Florida_Central_Voter_File for details.

I don't even need knowledge, just basic reasoning skills--I would prefer to have anybody who can answer a question about, say, the base rate fallacy[1] voting, even if they don't know the constitution. Hell, even if they're illiterate.

[1] http://languagelog.ldc.upenn.edu/nll/?p=12

That would require improving public education first.

They should have hacked it to play Pole Position, where the winner of the race was the candidate who gets the vote.

Support verified voting if you are concerned about electronic voting: http://verifiedvoting.org/

I can't imagine the horror of battling lobby groups and corporate interests to fix this on a federal scale.

Well, it works perfectly if what you want is to steal an election...
