Hackers at convention to ferret out election system bugs (reuters.com)
115 points by rbanffy 7 months ago | 113 comments

Some useful information about paper ballot process, based on my experience as a Minnesota election judge. Minnesota has excellent election law and process, which is how we've survived two high-profile statewide recounts in the recent past without incident.

First and foremost, paper ballots everywhere. No touchscreens.

Second, from printing time onward, all handling of ballots, whether marked or unmarked, must be done in the presence of representatives of at least two political parties. At no point are ballots left alone with individuals or only one party (this is something a lot of states could learn from us!). This eliminates many avenues for cheating by adding or removing ballots from the count.

The ballots themselves are Scantron, fill in the dots with ink. The state provides standardized pens for this.

All registered voters in a precinct are tracked in a paper roll. In order to get a ballot, voters must either be in the registration book, or apply for a provisional ballot (which requires identification). Names are marked off the registration roll as they get their ballots, and a count is kept. At the end of voting, the total count of the voting machines must match the total count of voters exactly. Any difference triggers a manual count.

Scantron machines are randomly spot-checked - some percentage of them will be hand-counted, and those counts checked against the machine results. Multiple mismatches across the district/state would trigger an election-wide hand count. This ensures against cheating by altering the behavior of the machines. (This is also where touch-screen machines fall down, imho, and should be flatly banned! There is no manual guarantee of the integrity of the results in a touch-screen machine.)

Initial counts on election day are provisional, and need to be certified via additional checks before being finalized (including the possibility of recounts).

There's more, but these are the big ones, and you get the idea. This entire system depends on protecting the integrity of physical ballots, which as you can see, is pretty straightforward.
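The reconciliation and spot-check steps described in the post above, written out as an added example (not code from any election authority or from the commenter). The precinct data, the 10% default sample rate and the "two mismatched machines escalate to a full hand count" threshold are constructed assumptions for the illustration:

```python
"""Precinct reconciliation and random spot-check audit (added example).

Checks modelled: (a) roll check-offs must equal the scanner's total exactly,
any gap triggers a manual count; (b) a random sample of scanners is hand-
counted; (c) several machine/hand mismatches escalate to a full hand count.
All sample values below are constructed.
"""
import math
import random
from collections import Counter
from dataclasses import dataclass


@dataclass
class Precinct:
    name: str
    roll_checkoffs: int   # voters marked off the paper registration roll
    machine_tally: dict   # what the scanner reported, per candidate
    paper_ballots: list   # the physical ballots (candidate marked on each)

    @property
    def machine_total(self) -> int:
        return sum(self.machine_tally.values())

    def hand_count(self) -> dict:
        """Count the paper ballots directly, as a bipartisan team would."""
        return dict(Counter(self.paper_ballots))


def needs_manual_count(p: Precinct) -> bool:
    """Any difference between roll check-offs and the machine total escalates."""
    return p.machine_total != p.roll_checkoffs


def spot_check(precincts, sample_rate: float, rng: random.Random):
    """Hand-count a random sample of scanners.

    Returns (names sampled, names whose machine tally disagrees with the
    hand count). Tallies that reconcile in total can still disagree per
    candidate, which is exactly what this step is meant to catch.
    """
    k = max(1, math.ceil(sample_rate * len(precincts)))
    sample = rng.sample(precincts, k)
    mismatched = [p.name for p in sample if p.hand_count() != p.machine_tally]
    return [p.name for p in sample], mismatched


def run_audit(precincts, sample_rate=0.1, escalate_at=2, rng=None):
    """Run both checks and decide whether an election-wide hand count is due."""
    rng = rng or random.Random(0)  # seeded only so the demo is repeatable
    manual = [p.name for p in precincts if needs_manual_count(p)]
    checked, mismatched = spot_check(precincts, sample_rate, rng)
    return {
        "manual_count": manual,
        "spot_checked": checked,
        "mismatched": mismatched,
        "full_hand_count": len(mismatched) >= escalate_at,
    }


# Constructed sample: five precincts, two of them with problems.
SAMPLE = [
    Precinct("P1", 100, {"A": 60, "B": 40}, ["A"] * 60 + ["B"] * 40),
    Precinct("P2", 80, {"A": 30, "B": 50}, ["A"] * 30 + ["B"] * 50),
    # P3: scanner reports one more ballot than voters were checked off the roll
    Precinct("P3", 90, {"A": 46, "B": 45}, ["A"] * 45 + ["B"] * 45),
    # P4: totals reconcile, but the scanner shifted ten ballots from B to A
    Precinct("P4", 120, {"A": 70, "B": 50}, ["A"] * 60 + ["B"] * 60),
    Precinct("P5", 50, {"A": 25, "B": 25}, ["A"] * 25 + ["B"] * 25),
]

if __name__ == "__main__":
    # Sampling every precinct makes the demo deterministic.
    print(run_audit(SAMPLE, sample_rate=1.0))
```

P3 is caught twice: first by the roll-versus-machine reconciliation, then again by the spot check. P4 is the interesting case, since its totals reconcile perfectly and only a hand count of the paper reveals that the machine's per-candidate tally is wrong. With the default 10% sample P4 is caught only if it happens to be drawn, which is why the post describes escalation to a wider hand count once mismatches start appearing.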

> First and foremost, paper ballots everywhere. No touchscreens.

> Second, from printing time onward, all handling of ballots, whether marked or unmarked, must be done in the presence of representatives of at least two political parties.

Australia does this at all levels of government, up to national elections. The people nominated by candidates are called "scrutineers" and every candidate may nominate at least one for every polling station and several for every counting room.

The count is done manually, thrice, again with scrutineer oversight.

Here's a photo of a close count occurring under scrutiny: http://www.abc.net.au/news/2016-07-06/counting-resumes-in-se...

At the last Federal election, 3 boxes of Senate ballots in Western Australia were lost. The matter wound up in the High Court. Because there was a very slight but non-zero mathematical possibility that those ballots could have changed the outcome, the election was voided and run again from scratch.

This stuff isn't rocket science. You just have to pretend that it's important.

They call those "poll watchers" in Minnesota. And yes, every party is allowed to place poll watchers at any/all precincts. Poll watchers are also allowed to challenge the registrations of any individuals coming to vote. I don't remember the exact details around it, but they aren't powerless.

I remember one election in particular where I was working a mixed-race, poor neighborhood precinct in Minneapolis. The Democratic poll-watcher was convinced the Republican one was going to challenge every single voter and paralyze the precinct, preventing hundreds from voting. The Republican poll watcher was convinced that Democrats were going to bus in thousands of paid illegal black voters from Wisconsin. Of course, neither of these things happened.

One important consequence of this is that, as long as you can control the integrity of the paper ballots, then cheating the software of the voting machines does not matter. It will simply get caught, and replaced with a manual count.

Such incredibly simple steps.

Who thought it was a good idea to "disrupt" voting by going electronic?

It's not just electronic voting. Let's look at a real attempt to subvert elections - Voter ID laws. Voter ID is presented as a solution to a problem that actually does not exist, given this system.

In Minnesota, you show up at the polling place, say your name and address, they find you on the registration list, check you off, and hand you a ballot. No need to prove you are who you say you are. If someone pretends to be you before you vote, then it's immediately and obviously brought to the attention of the judges (and we aren't seeing a massive wave of fakery now). If someone pretended to be you after you vote, they'd get caught.

Of course, someone could fake it, with someone's registration that they know won't vote. But if they repeated it at a single precinct, the odds of being recognized as a repeat voter by the election judges goes up. So they would have to move from precinct to precinct, with a list of viable registered non-voters to use.

Now, consider scale. A statewide Minnesota election is about 1.5M voters. To move the outcome 1% requires 15,000 votes. If one person can manage to vote illegally ten times in a day, it would require 1500 people in a conspiracy. Plus data management, tight enough for no errors. And NO leaks while these 1500 people are trained (and probably paid, if you want that many).

With that in mind, the idea of actually manipulating the election with votes that could be prevented with Voter ID is absurd. But! If we put ID laws in place, we could well reduce the number of voters by 1%, and that result would be biased toward people who are poor or otherwise not fully integrated into mainstream society.

Election manipulation, completely legal, and more effective than the mechanism it purports to prevent. Ugh.

And hey, if voters are dumb enough to fall for that, maybe we can get them excited for touchscreen machines!

This comment has put me firmly in the anti-Voter-ID column. I've always been on the fence regarding Voter ID.

On one hand, I can see the effect that it would have on the makeup of the voters: older, richer, more established.

On the other hand, I couldn't shake the idea that voting is too sacred to not enforce some level of identity verification.

You just swept away my "on the other hand". Thanks.

So I still think we should have Voter-ID, but I don't think we're ready for it yet.

My arguments for:

First, don't people have to register to vote in most places? I don't see how bundling your Voter-ID acquisition with registering to vote would be bad.

Second, a valid state ID should be enough to vote even with Voter-ID. This DRASTICALLY reduces the number of IDs we need to handle.

My main argument against not doing it right now:

We'd need proper funding that we're not going to get in the current political climate. A half-assed solution would be BAD.

> I don't see how bundling your Voter-ID acquisition with registering to vote would be bad.

How many times have you forgotten to bring some random item you need for something you're doing? Why stop someone from voting because of a mistake virtually anyone could make?

I don't think forgetfulness has a political bias.

It has a time-based pro-wealth bias that becomes much larger when you combine it with your second argument, as you're less likely to forget something you take every day.

It's not about whether we can. It's about whether we should.

This is a freedom-based problem. First, what problem is voter id supposed to solve? Well, people cheating by voting illegally. Is this an actual, demonstrable problem? No. Despite grandiose claims by FOX News and Donald Trump, there is no evidence of widespread voting fraud. So we've established that this is a solution to a problem that does not actually exist.

Second, does it impact our freedom? Voting is both our right and responsibility as citizens. Should we be required to carry and show id just to prove that we are citizens? "Do you have your papers, citizen?" used to be a joke we made about the shortcomings of totalitarian communist dictatorships. So yes, it does impact our freedom, as we should be free to go about our day without carrying government id at all times, and I believe that would include the act of voting.

Limiting our freedom to solve fake problems sounds un-American to me.

We're already not free to walk around without papers for certain activities. Entering a bar, buying restricted substances (including some medication!), driving a car, leaving and entering the country, etc. None of that means we're in some totalitarian dictatorship.

I've seen plenty of elections come down to 100s of votes. To me this seems like an attack vector we shouldn't ignore.

Besides, we already have the concept of provisional ballots if people end up not having or forgetting their ID.

But again, I don't think we're ready for all this. A half-assed solution would be very bad, and I don't trust the current system to handle this in a partisan way.

Rather than these attempts at selling electronic voting systems - couldn't there just be a company that establishes 'tried and true' paper ballot voting based on the best existing systems for fairness/anti-cheating.

It seems like you should be able to do things more easily, less expensively, and with lower risk in a repeatable way in every state.

Yes but why pay more for it if not technology?

>And hey, if voters are dumb enough to fall for that, maybe we can get them excited for touchscreen machines!

People are partisan and will buy any story that explains why they lose. A non-trivial portion of Democrats think the Russian advertisements on Facebook changed the election to Trump's favor.

The same kind of guys who scrapped William Binney's working multimillion-dollar ThinThread project for a multibillion-dollar project that didn't work...

E.g., the oligarchs and good ole boys

In Seattle (which has mail-in voting) all ballot envelopes and ballots are digitally photographed as they enter the elections facility. This sets a baseline count before any ballots are tallied making the process of adding/removing ballots as well as changing votes much more difficult.

This sounds like an outstanding model. Other states have complained that such process would be too expensive. How has Minnesota resisted being "too cheap" on election?

And in general I'm impressed by Minnesota's governance. Maybe the answer is a deeper look at Minnesota's government structure.

It's not any more expensive than any other state. Minnesota doesn't use an unusually high number of election judges - the usual collection of old ladies who do election judge work can handle this.

States that let individuals handle ballots and stuff are either incompetent or malicious. There's no excuse for not solving easily solved problems with simple, proven solutions, when our democracy is at stake.

In King County in Washington state, they stream on the internet the entire processing of the ballots, and there is a tracker that tells you if your vote has been officially counted.


> The ballots themselves are Scantron, fill in the dots with ink. The state provides standardized pens for this.

I wonder if they have considered augmenting that. Add this [1] to it and it would still work pretty much the same as far as voters are concerned when they are in the voting booth--the ballots would be printed a little differently and the pens would be different, but it would still be rub the dot with the pen.

Afterwards, though, when the results are released individual voters can verify that their vote was counted and that it went toward the correct candidate. There are other advantages discussed in the link below.

[1] https://en.wikipedia.org/wiki/Scantegrity

I think several states do it this way. Oregon is much the same way. Boxes, not scantron bubbles, but conceptually the same. And vote-by-mail, not in-person. But as you say, always representatives from both large political parties, etc.

I don't think the goal here is to secure the electronic voting systems; that's impossible, and everyone knows it. The goal is to provide ammunition for getting them decertified.

Well, decertifying them might not be in the best interests of those potentially benefitting from the current situation. The US is pretty unique in the world in the sense that you can effectively have a minority party hold on to power because of gerrymandering and, well, hacked voting machines.

If outside hackers can influence the midterms in a way that is beneficial to the GOP - why would they do anything about it?

Is it really impossible though? I feel like we could eventually figure it out.

The threat model is corrupt election workers, who have unmonitored access to the machines.

And if you find problems after the winner is declared? “Only the losing side cares, and they’re just sore losers”

Or an adversary could not commit fraud, just trip the fraud alarms in areas their opponent is strong.

So it’s very, very difficult to secure.

Another threat model is the people who build the software and hardware. How do you ensure:

(1) The software is not doing anything nefarious

(2) The software toolchain is not modifying the software in (1) to cause it to do something nefarious

(3) The software loaded onto the machines is actually the software verified in (1) and compiled by the verified toolchain in (2)

(4) The machine doesn't have any kind of hardware/firmware-based defeat device to trick you into falsely confirming (3)

This is essentially the same problem as is outlined in Ken Thompson's Reflections on Trusting Trust [1].

[1] https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p7...
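Checks (2) and (3) from the list above, as an added example (not code from any voting-system vendor or from the commenter): several independent parties rebuild the same source, their per-file digests must agree, and the image read back from a machine must match that agreed manifest. The builder names, file contents and the "every builder must agree" rule are constructed assumptions. Check (4) is deliberately outside its reach: if the firmware lies about what it reads back, this comparison cannot tell.

```python
"""Reproducible-build comparison and deployed-image verification (added example).

Idea: if party A, party B and the press each build the open-source image from
the same source and get byte-identical files, a compromised toolchain on any
one of them shows up as a digest disagreement (check 2). The image read back
from a machine must then match the agreed digests (check 3).
"""
from __future__ import annotations

import hashlib


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Per-file SHA-256 manifest of one builder's output."""
    return {name: digest(blob) for name, blob in sorted(files.items())}


def compare_builds(builds: dict[str, dict[str, bytes]]) -> dict[str, list[str]]:
    """Return the files on which independent builders disagree.

    An empty result means the build reproduced identically everywhere.
    Each disputed entry lists 'builder:digest' so the odd one out is visible.
    """
    manifests = {b: manifest(f) for b, f in builds.items()}
    names = set().union(*(m.keys() for m in manifests.values()))
    disputed = {}
    for n in sorted(names):
        seen = {m.get(n) for m in manifests.values()}  # None = file missing
        if len(seen) != 1:
            disputed[n] = [f"{b}:{m.get(n)}" for b, m in manifests.items()]
    return disputed


def verify_deployed(builds: dict[str, dict[str, bytes]],
                    deployed: dict[str, bytes]) -> tuple[bool, list[str]]:
    """Check (3): the image read back from the machine must match the
    manifest that every builder agreed on. Returns (ok, list of problems).
    Refuses to verify at all if the builders themselves disagree."""
    problems = [f"builders disagree on {n}" for n in compare_builds(builds)]
    if problems:
        return False, problems
    reference = manifest(next(iter(builds.values())))
    actual = manifest(deployed)
    for n in sorted(set(reference) | set(actual)):
        if reference.get(n) != actual.get(n):
            problems.append(f"deployed image differs on {n}")
    return not problems, problems


# Constructed sample: three builders reproduce the same two files...
SOURCE_OUTPUT = {
    "tally.bin": b"\x7fELF...tally v1",   # stand-in bytes, not a real binary
    "ui.bin": b"\x7fELF...ui v1",
}
BUILDS = {
    "party_a": dict(SOURCE_OUTPUT),
    "party_b": dict(SOURCE_OUTPUT),
    "press": dict(SOURCE_OUTPUT),
}
# ...and the image read back from one machine carries an altered tally binary.
TAMPERED = {
    "tally.bin": b"\x7fELF...tally v1 + patch",
    "ui.bin": SOURCE_OUTPUT["ui.bin"],
}

if __name__ == "__main__":
    print(verify_deployed(BUILDS, dict(SOURCE_OUTPUT)))  # (True, [])
    print(verify_deployed(BUILDS, TAMPERED))             # (False, [...tally.bin])
```

The two checks are kept separate on purpose: a builder disagreement is a toolchain or source problem and has to be resolved before any machine is examined, whereas a deployed-image mismatch with an agreed manifest points at the machine itself.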

> (1) The software is not doing anything nefarious

Open source

> (2) The software toolchain is not modifying the software in (1) to cause it to do something nefarious

Use open source toolchains and hash the result.

> (3) The software loaded onto the machines is actually the software verified in (1) and compiled by the verified toolchain in (2)

Maybe some kind of cryptographic puzzle, question/response, you need to make a hash with the program, and make the HDD not large enough to contain more than that. Or maybe read only storage. Even a combination.

> (4) The machine doesn't have any kind of hardware/firmware-based defeat device to trick you into falsely confirming (3)

Your voting results are confirmable on the blockchain, but not specific, you can check that your vote hasn't been changed, but not the vote itself.

For people to have trust in their vote being counted, the voting machine needs to be understandable by everyone, not just software engineers specializing in cryptography.

A counting room full of people counting paper ballots is a machine, and it's a transparent machine where everyone inside it and outside of it can understand how it works, and trust that it's working properly.

But the biggest argument against electronic voting is that you're not solving any problems, you're just adding problems and decreasing the trust in the elections massively. And for what? To get election results a few hours faster? That's ridiculous.

If the only question left is whether or not it's easy enough, I think we're good and can find a solution for that problem too.

> A counting room full of people counting paper ballots is a machine, and it's a transparent machine where everyone inside it and outside of it can understand how it works, and trust that it's working properly.

I agree with this 100%

Electronic voting must be cryptographically secure, and increase trust and security. I think this should be the first rule.

> must be cryptographically secure, and increase trust and security.

Those two goals are mutually exclusive.

Everyone understands how a room full of people counting paper ballots works, without having to explain it. Everyone understands that the process is transparent, and that by having people of different political persuasions working together, you ensure that the result is fair.

There is also immense value in having the voting "machine" being made up of actual humans, so that everyone in society can take part if they want to, and feel like they're doing their part to defend democracy.

And none of that can be replicated in software. You and I might be able to understand and trust the software, but everyone? Not gonna happen.

I personally don't understand how hashes work, I know _what_ they do, but not really how, just that they are not mathematically reversible. I should probably learn how exactly it works, since they're extremely common.

I think most people know their passwords are encrypted, but they don't know about hashes at all, they just assume the domain experts have figured it out.

Security in e-voting would probably look similar. You would know there are smart people somewhere who understand the complexity, and ideally you would have ample opportunity to learn.

If you want to know what the general public thinks of "smart people" doing stuff they don't understand, just look at the reaction to scientific consensus on global warming.

I find it hard to imagine a plausible scenario where a complex, blockchain-driven election model is met with trust and comfort by a broad cross section of voters. It practically begs for anti-science paranoia.

I trust hashes and I wouldn't trust a vote carried out On The Blockchain either. How many billion dollar Ethereum contracts have had bugs again? How many people have had their money stolen because their endpoints were pwned, thereby avoiding the entire crypto stuff and just keylogging?

> How many billion dollar Ethereum contracts have had bugs again?

Is that rhetorical? I can't think of any major bug on a billion dollar ETH contract. The largest "heists" appear to have ranged in the mid 10's M$ (DAO, Parity), with one bug that froze a sum in the low 100s M$.

The public already has placed trust in bitcoin, which has a fair bit of complexity.

And there are people that don't have a lot of trust in our current voting methods. Can't stop conspiracy theorists really. I think with global warming there is a degree of uncertainty due to the varying environmental factors. This will be something where you can pretty simply explain what's going on, or at least say this part is encrypted with X algorithm and people are happy. The public is willing to trust encryption, specifically there have been cases where the government's efforts were thwarted by strong encryption.

The blockchain voting idea, among its numerous flaws, is philosophically grounded in hyperindividualism. I care about the integrity of my ballot, and mine alone.

But elections are not about my vote. They're about everyone's vote. I care about not just the integrity of my own ballot, but the integrity of every other voter's ballot as well. And, given a system where most people will never do a complex blockchain verification of their ballot, or have a mechanism to be certain that no additional machine-generated ballots were added to the results... blockchain isn't solving the actual problem.

Don't be in love with technology when looking for actual solutions to actual problems.

> people will never do a complex blockchain verification

People don't verify their vote now, so this is unimportant.

> have a mechanism to be certain that no additional machine-generated ballots were added to the results

This should only require a handful of people to check.

Theoretically correct and practically correct are two different things... Kind of like cryptography. Is it reasonable to expect best practices to happen? Especially when observable things like Gerrymandering are so blatantly done?

Consider the apocryphal story: "NASA spent millions of dollars developing an 'astronaut pen' that would work in outer space, while the Soviets solved the same problem by simply using pencils."

Why go for the complicated solution when the simple one works?

I think that's setting a very unreasonable standard as the exact same could be said of election workers in e.g. a paper balloting system. Votes get miscounted, votes go missing, a new box of 'votes' is added into the mix, etc.

Electronic systems can provide a much better level of security than this through not only all the regular security techniques you'd apply to regular workers (no individual access, surveillance, etc) but also a wide array of electronic means including logging, 'ballot' validation, and much more. And you can also burn everything including the operating system and election software onto a non-flashable ROM meaning software modifications become all but impossible, and even if somehow achieved, would be trivial to detect.

I am also not optimistic, but all of those are also failings of traditional voting methods. So one could offer the standard defense of self-driving cars, "it doesn't need to be perfect, as long as it's better" (but it may never be better...)

> but all of those are also failings of traditional voting methods

This isn't true at all. There is no way to tamper with paper to make it change its properties that isn't obvious and easily detectable. And once votes are cast the ballots are handled with significantly more care.

Collusion of multiple parties meant to verify each other.

Not just collusion, but collusion at scale. See my description of the Minnesota process. Voting and counting are done at the precinct level, and there are thousands of precincts. It might be possible to subvert a single precinct, in order to manipulate its outcome. But how many precincts would need to be subverted in order to affect the outcome in a statistically meaningful way?

Additionally, can the precinct be subverted in a manner that can withstand outside auditing by non-corrupt district/state-wide election officials? Keep in mind that if one party in the election has substantial reason to suspect the results were broadly rigged, they could demand a recount (even at their own cost, as happened with the Dayton/Emmer recount in MN), thus triggering all those downstream audit controls.

Aren’t many of these problems amenable to solutions with asymmetric cryptography? I.e. people signing their votes with a key and the vote only being decryptable by a multi-part key, with the various parts being distributed between the major parties and media.

Of course this has its own set of tradeoffs, but so does our current system.
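The "multi-part key" mechanism in the comment above, as an added example of how it would be built (not the commenter's code and not a voting-system implementation): Shamir's secret sharing splits a decryption key into shares, one per holder, so that any threshold-sized subset of holders can reconstruct it and any smaller subset learns nothing about it. The holder names, the 3-of-5 threshold and the sample key are constructed assumptions; the field modulus is the Mersenne prime 2^127 - 1, chosen for convenience.

```python
"""Threshold key-splitting with Shamir's secret sharing (added example).

A random polynomial of degree t-1 over GF(p) is chosen with the secret as
its constant term; each holder receives one point on it. Any t points fix
the polynomial uniquely (Lagrange interpolation at x = 0 yields the
secret); t-1 points are consistent with every possible secret.
"""
from __future__ import annotations

import random

PRIME = 2**127 - 1  # field modulus; the secret must be smaller than this


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Horner evaluation of a polynomial over GF(PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, threshold: int, holders: list[str],
                 rng: random.Random | None = None) -> dict[str, tuple[int, int]]:
    """Give each named holder one share (x, y). Any `threshold` shares recover
    the secret. Uses a CSPRNG unless a seeded rng is supplied for testing."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must lie in the field")
    if not 1 <= threshold <= len(holders):
        raise ValueError("threshold must be between 1 and the number of holders")
    rng = rng or random.SystemRandom()
    # Non-zero coefficients keep the degree exactly threshold-1.
    coeffs = [secret] + [rng.randrange(1, PRIME) for _ in range(threshold - 1)]
    return {name: (i, _eval_poly(coeffs, i))
            for i, name in enumerate(holders, start=1)}


def recover_secret(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 over GF(PRIME).

    With fewer than `threshold` shares this still returns a number, but an
    unrelated one; the caller cannot tell from the value alone.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


# Constructed holders: two parties, a third party, the press and a court.
HOLDERS = ["party_a", "party_b", "party_c", "press", "court"]

if __name__ == "__main__":
    key = random.SystemRandom().randrange(PRIME)  # stand-in for a decryption key
    shares = split_secret(key, 3, HOLDERS)
    print(recover_secret([shares["party_a"], shares["press"], shares["court"]]) == key)
    print(recover_secret([shares["party_a"], shares["party_b"]]) == key)  # False
```

Note what this does and does not give you: it answers "who can open the box" (no single party can; any three holders can), which is the multi-party custody property the comment is after. It says nothing about what is inside the box, which is the objection raised in the reply: if the decrypted record links a signed ballot to a voter, opening it for a recount reveals how that voter voted.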

First, why? What problem does this actually solve, other than the technical derring-do of it all? This can all be done easily with paper (see my post about Minnesota's process).

Second, it violates the principle of a secret ballot. Repudiation would require voters to reveal who they voted for, to match ballot to (digital) signature. So it's not viable as a mechanism for a global recount.

The ideal e-voting program/platform would increase security and verifiability. Right now I don't know if my vote has been tampered with.

The secret ballot could be reproduced a number of ways, but I'm particularly fond of the idea you have an extra password that makes it look like your vote was different, and only your password shows you who you really voted for.

The solution to every security problem is more complexity.

And, in a well designed paper voting system, you do know your vote was not tampered with, because nobody's votes were tampered with.

There are only three mechanisms for tampering with the actual vote count - adding ballots, removing ballots, or altering the content of ballots. (Replacing ballots is a combined add/remove.) The blockchain mechanism only checks for alteration/removal, and only for a single vote. One individual can verify their own ballot, but repudiation requires breaking secrecy. It's simply not a very good solution.

And the reason it's not a good solution is philosophical - it's focused on the individual, when the election is about the collective. Any effective election validation system must validate the collective, not just the individual. The collective is validated by ensuring that no tampering happened anywhere. And if we can demonstrate that, then verification/repudiation of individual ballots is irrelevant. If A is true for all B, and C is a B, then A is true for C.

But when you really love your hammer, every problem looks like a nail. Blockchain is basically useless for elections, but people obsess over it anyway.

How do you know nobody's vote was tampered with?

Because the process is well designed. No single person or single party was left alone with ballots, marked or unmarked, at any point. Any counting machines get spot-checked. Any count discrepancies from voter rolls to ballots cast trigger manual counts. Packages of blank ballots are sealed. Voting machines are locked, so no one can easily get into them to add/remove/replace ballots without the key(s). Used ballots are sealed at the end of the election. Signed chains of custody for everything. Etc.

Collusion among multiple persons would break that, whereas a verifiable distributed system would be unaffected.

Multiple people in both parties, more or less constantly observed by completely unrelated election observers? That is probably the single hardest scenario possible to execute a conspiracy. Conspiracies are hard enough when there are back rooms and hidden corners. Ballot counts are designed to have none.

Somehow we manage to secure electronic banking despite possibly corrupt bank tellers having unmonitored access to the ATMs. I’m sure if the money were there we could secure voting the same way.

We also accept entirely different transparency for ATM transactions, can easily correct issues afterwards and given that it's about monetary damage, it can be insured. ATMs are regularly modified to steal information, and it is primarily fixed by insurance and chargeback mechanisms, the voting-equivalents of which are difficult.

>manage to secure electronic banking

Quite a bold statement. Electronic banking is primarily secured by the means of insurance.

Which detects problems and fixes them. That’s all we really need. A reliable way to detect problems and fix them.

It takes a long time to detect and fix problems. That's OK with ATM machines, because if you catch the insider who tampered with them months or years later, you can put them in jail and probably get most of the money back. But reversing election results more than a day or two after the first announcement is really bad for the stability of the country.

In fact, people are still digging into whether voting machine fraud happened in some states in the 2016 election. Any result now is too late.

Also, the nature of hacks is that you can often detect that one occurred, but not exactly what was changed. How would you take the news, "It looks like the Russians had root on every voting machine. But we've reconstructed the correct vote counts from analyzing deleted database files found in the free block list, and the winner is..." Not too convincing.

One of the vital sections of any election system would be the vote counting.

If you could have a third party verify the count within your system as accurate/inaccurate, then you wouldn't need that system in the first place.

Somehow, we manage to drive cars! I'm sure we could ride a horse the same way.

Electronic banking is defrauded on a regular basis, including at the endpoint using jackpot schemes and more. It’s acceptable for banking given the amounts stolen are ultimately trivial, but not for voting.

Why isn’t that acceptable? Those things get detected and fixed and that’s all that really matters in voting.

Sometimes they get detected and fixed, and sometimes they just get written off because they are small amounts.

Besides, an important part of banks fixing issues like this (when they do fix them) is that someone (often the bank itself) must lose money, which they inevitably notice. In the case of an election, no one would ever know if their vote was stolen because they have no way of tracking it once they cast it. You seem to be blindly assuming that every problem will get detected and fixed, which is mindbogglingly naive.

What happens when there are election irregularities detected after a winner has been declared?

2000 presidential election. Bush declared victor, but a Florida state law called for a recount as the margin was close. Recount was stopped, original election result stands. [1]

2016 brexit referendum. Leave campaign wins - and is later found to have broken campaign finance laws [2]. Original election result stands.

2016 presidential election. Trump declared victor, but evidence emerges of Russian interference [3]. Original election result stands.

There's no point in detecting irregularities after an election is over if they aren't going to be fixed - and history shows they won't be fixed. I'll stick with pencil-and-paper ballots thanks very much.

[1] https://en.wikipedia.org/wiki/2000_United_States_presidentia...

[2] https://www.standard.co.uk/news/politics/brexit-news-latest-...

[3] https://en.wikipedia.org/wiki/Russian_interference_in_the_20...

It's impossible to secure without giving up the secrecy of the ballot or having a fully redundant paper system with on-premise checks by humans with observers: In which case, why bother?

Why is it impossible without doing those things?

Because you need to both know the value of an action (i.e., which politician the vote is counted for) and you need to hide who did the action (to keep the ballot private) and you need to ensure every voter only does the action at most once and you need to ensure that if the machine is replaced or subverted physically that the vote can't be silently switched.

No matter how you dice it, one of those things gives with electronic voting, even if you had electronic voting machines with no state (all pure circuits, say), but especially with votes on machines like personal computers, where a myriad of systems need to be trusted for the vote to register.

It isn't worth it. Paper ballots are intelligible to everyone, and even when we vote by mail there is such a paper trail it is hard to fake.

How is vote by mail secured?

Generally, by sealed envelopes, and by having groups of people inspect mail votes at counting time to ensure the envelopes haven't been tampered with. There's also usually a paper trail from the post office that receives the votes so you can't just show up with a couple of thousand "mail votes" and send them in.

It is obviously less secure than voting in person, but it's good enough, and your in-person vote supersedes your mail-in vote.

Here's a link to King County (Seattle) elections and how they work. Ballots come in by mail and can be dropped off at county owned lockboxes. This video shows how ballots are secured and counted.


In my piece of Floriduh a non-expert franks the signature on the envelope. It's still more secure than voting in person as state law prohibits inspection of paper ballots in a recount; The only regular ballots recounted are the machine-generated totals.

How do you verify the output has any relationship whatsoever to what voters input in it?

You will need to encrypt your vote, but they make forms of encryption that can be unlocked with multiple keys.

The encryption would need to be written so there is a fail safe password that identifies the opposite party was voted for, to stop voting coercion.

What encrypts the vote? The machine I don't (and should not) trust?

> Is it really impossible though?

Yes, it really is:


I'd love actual proof/research instead of a YouTube video, plus it doesn't differentiate between e-voting (with machines mentioned in the video) and i-voting (with public key crypto, like in Estonia), which further reduces the video's trustworthiness.

I feel like it's possible to write secure voting software to the same level as NASA's software is bug free [1] following a similar rigorous development and testing process. It's just not worth it for any commercial profit-driven company.

[1] https://news.ycombinator.com/item?id=421555

In which case, a strong argument could be made for an investment in the standardization of election voting machines?

Is it purely a fear of federal vs state control that this hasn't already happened?

> It's just not worth it for any commercial profit-driven company.

I don't think that conclusion follows. Rather, I think that conclusion is too narrow.

In this situation, the astronomic overall cost of such software would overshadow any other impediments, such as profit motive.

Why would anyone task even a public entity with this, if using paper ballots and manual counting is vastly cheaper?

There are several conflicting requirements.

Generally we want only those eligible to cast one vote each and yet the votes must be secret, anonymous and repudiable. But we also want the counting to be auditable by the public and traceable by the individual voter.

It is absolutely impossible. There is no conceivable way to secure an electronic voting machine, especially one wired to a network. These machines solve a problem that does not exist with methods that are not necessary or well suited to the task.

Technically possible, politically impossible in large part because there are just too many local jurisdictions with final say over the selection of vendors and their ballot machinery.

Governments, credit bureaus, and banks haven't figured it out. You want to trust some random third party nobody the State contracts?

There's no such thing as a fully secure system.

That's never the goal with securing a system, though. The goal is to mitigate risk to a level acceptable to the various stakeholders involved based on what said stakeholders value.

Including paper ballots?

Some systems that use paper ballots photograph each ballot before it is counted. This helps with auditing counts later on since every count must exactly match.

Paper can easily get 'lost' or 'replaced.'

The advantage of paper is it's bulky so it's hard to swap out if people from multiple parties and observers etc are paying attention.

PS: Remember the oldies, "Vote early, Vote Often" and "It's Not the People Who Vote That Count, it's the people that count the Vote"

Preventing "lost or replaced" with paper ballots is a straightforward exercise in good human process. There are states that do not have good human process to manage their ballots, despite the example of other states that do have good process. Those states are incompetent/malicious.

Are the people at this convention privy to classified information about actual hacks attempted? [1]

[1] https://www.nbcnews.com/politics/elections/russians-penetrat...

I don't think anyone in the attendance who knows that would come forward.

What I'm getting at is, if not, then wouldn't it become just a thought experiment? Granted one conducted by very intelligent individuals.

Voting machine security had a presence at Defcon before the 2016 election. The 2016 election interference might increase its activity, but it's never been just about that.

Considering some in attendance are FBI and CIA, certainly someone knows something. But like others said, they aren't likely to discuss that in a forum open to the public.

The key property we need to be looking for is software independence.


That doesn't mean that securing the software isn't important. But it does mean that, in any evaluation of a voting system, we should be evaluating the whole-system design (including the critical parts of the software) in terms of how software independence is achieved.

Being one who delves into the conspiracy corners of the Internet I got to thinking on a theory about all this. I am just spitballing here, but what if the bad guys who put all the bugs in these voting machines at one Intelligence Agency are in a hacker war with the good guys at some other Intelligence Agency on election night and the vote total is just the final score of the hacker battle. Neither side wants to call the other side out, because they don't want to air all their dirty laundry in public.

You're being worried about the wrong things. The problem is companies that make these products care about making money, not making safe votes. As long as their marketing is good enough, they can hire sub-par programmers to do a shoddy job. No conspiracy is necessary to end up in the situation at hand.

Consider seeking out a medical professional to help with your delusions.

I said I'm spitballing[1] which means purely speculating for fun and not saying that I'm sure that that's the truth. It's really weird how these days you can't even throw out ideas for fun without some guy bringing out the heavy duty personal attacks.

Anyway, if you looked at the Wikileaks Vault 7 leak, the CIA stockpiles zero days that they use to remotely hack all kinds of different platforms. Other intelligence agencies do the same. One of the voting machine companies had pcAnywhere installed on their machines, which is even known to be full of holes[2]. Whether this is negligence or malice is really up to a jury to look into, but certainly the possibility is there.



Let's be clear, your theory is that "bad guys" put the security holes in the voting machines (not incompetent underpaid workers) and that they are having a hacker fight with the good guys. Watch less tv, and stop reading those conspiracy theories sites. You are losing your grip on reality.

Security bugs are real. Hacking is real. What you are talking about is not spitballing. That's just fantasy.

Wow, I must have hit a nerve cause this kind of ad hominem arguing that you're doing is unusual for HN.

People saying the NSA was working with hardware vendors to purposefully insert backdoors in routers were called crazy too before the Snowden leaks. I guess you haven't been keeping up with the news or do you think the Snowden leaks qualify as baseless conspiracy theories?

"A 2012 TAO budget document claims that these companies, on TAO's behest, 'insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets'."[1]


I'd like to call attention to what I consider the most informative comment in either of those discussions:


Interesting that you think that, because I was actually fairly unimpressed with that comment. He leads off by saying the algorithms to do it have already been created without actually mentioning what algorithms he is talking about. He also claims that they somehow don't require that they run on trusted hardware, which is pretty hard to believe (of course this assertion is completely unsupported in the rest of his comment).

The rest of his comment falls back to a fairly common computer security fallacy: We used it once and nothing terrible happened, so it is probably secure.

Linked arXiv seems pretty straightforward?

It is straightforward, yes, but it doesn't allay any of my concerns. It doesn't describe the algorithms used, and it doesn't have a threat model or anything resembling security analysis. It is more about gauging the reactions and social implications of the work than a hard technical paper.

This is a very important part of the process, but it doesn't address the issues I raised.

Yeah I agree they should release their source, but it's silly to hold that against the comment that didn't impress you.

> but it's silly to hold that against the comment that didn't impress you.

I don't see why. I am still convinced there are security issues. The comment under discussion made all sorts of grandiose yet completely unsupported claims. If the paper he linked had backed up his assertions, I'd be inclined to give him the benefit of the doubt, but it doesn't. Therefore I don't believe him.

That's a pretty good comment.

I helped write the software for the Brazilian voting machines (state issued, standardized, made to spec by competing companies) and we had a long list of scenarios we had to guard against. The people who wrote the spec were field experts who studied attempted and successful (but caught) voting fraud every election. The resulting combination of hardware, software (the application itself is ridiculously simple), analysis and (and this is most important) procedures surrounding the physical devices (never left alone or unguarded, clear chain of custody) created layers of protection and, in the end, a reasonably secure device. Is it possible to make it absolutely secure? I'm not sure. Would that be usable? I doubt it.

It's foolish to make a flawless voting system when we can't guard against propaganda and other forms of manipulation through social media, or even the most traditional one: paying voters (either explicitly or through promises) to vote a certain way.

The degree of complexity and amount of unknown variables (e.g. backdoored CPUs, 0-day exploits) make digital mass voting a not-so-good option.

Paper, on the other hand, is fairly easy to comprehend and secure by all participants.

I agree. The main advantage of electronic voting (if properly secured) is speed and logistics.

I must offer my congratulations to you and your colleagues. I am broadly opposed to electronic voting, but the Brazilian implementation seems to be the most sophisticated, elegant and well-engineered.

Thank you. It was an interesting experience and I'm proud of what we accomplished.
