Serious design flaw in ESS ExpressVote touchscreen: “permission to cheat” (freedom-to-tinker.com)
86 points by lainon 67 days ago | 93 comments



Seems like I recall similar security issues being found years and years ago, back when ESS was still called Diebold and their CEO was getting in hot water for saying at a GOP political fundraiser that he would “deliver Ohio to the GOP.” What’s old is new again.

I ask myself time and again why voting systems aren’t federally regulated “critical infrastructure,” with source code available for public review.


Who cares if the source code is public or not? There is never going to be a way to verify that it is running on the machine when you are standing in front of it.


There isn't a way to vet that software by using it, but there are other problems which are easily solved with software freedom (the freedom to run, inspect, share, and modify published computer software for which complete source code and build instructions are a prerequisite): the ballot layout could require changes that were unanticipated by the program's developer. A new ballot layout could require changes in every computer that deals with the ballot in any capacity (producing the page description for printing, scanning ballots for voter verification and over/under counts for example).

We can't predict all of the problems that come up and that alone tells us we need to be in the best position to anticipate changes, hence respecting software freedom for all computer owners. Therefore not being able to inspect that the running voting machine is running trusted software is no reason to deny any computer owner their software freedom. That's no justification for pushing voting districts into buying new voting equipment which ostensibly supports the needed change.

So in the end the solution remains the same: anyone who cares about software freedom (as we all should) would care that their voting machines run on free software.


Totally electronic balloting is bad news, period.

Paper ballots, electronic tabulation. Can be recounted by hand if necessary.


Totally electronic balloting is bad news but not what the article dismisses without evidence. I'm not for electronic tabulation by default nor do I see the need. Optically scanned voter-verifiable paper ballots will involve electronics but the tradeoff is that this arrangement conveys considerable advantages to certain voters.


The firmware images and hardware designs should be public too, with extensive auditing of machines in the field to check for backdoors or supply chain compromise.

Or, pencil and paper ballots.


It could prevent unintended mistakes or rogue employees from compromising the machine. A Diebold-sponsored plot is not the only vector to worry about.


> I ask myself time and again why voting systems aren’t federally regulated “critical infrastructure,” with source code available for public review.

IANAL but the Constitution. States run their own elections.


The risks in electronic vote tampering are two-fold. Not just in election hijacking by changing vote tallies. Particularly in light of state-sponsored capabilities. But also in the distrust and possible erosion of the democratic institutions and process itself. Which may constitute an existential threat. Power vested in the people. Not in machines.



What problem are electronic voting machines supposed to solve?


Optimist: the problem of spending a lot of effort counting ballots.

Cynic: the problem of voters choosing the wrong candidate.


We count all votes manually in the Netherlands. Municipalities generally have no trouble finding sufficiently many volunteers to count all the votes. They fill entire sports halls up with 'em.

The only "problem" voting machines solve (and the only somewhat compelling reason pro-voting-machine voices raise) is that the results could be out faster (it takes about a day with the manual counting).


US voters have probably an order of magnitude more elections than other democracies.

I'm a dual citizen: in my other country, every five years I can vote on two ballots (to choose a party list for national government and one for regional government) and the following year again two ballots (to choose a party list and an individual representative for local government). In the US, I can vote for n state judges, state governor, state lieutenant governor, state treasurer, state secretary of state, state representative, state senator, presidential primary, president, federal senate primary, two senators, federal representative primary, representative, mayor, n members of the school district board, n local referenda, n state referenda. Some of these offices have terms as short as two years (e.g. representatives), or non-aligned terms (e.g., in a six year cycle there are two separate elections for federal senators). While in the other country there are two election days in every five year cycle, in the US I vote once or twice a year, and there are half a dozen to a dozen ballots on each occasion.

It could be done by hand, but the scale is very different to a more typical democracy.


Note however that unofficial results are out usually the same day. Other than not being vetted yet, these unofficial results use (afaik) the same counts the official results use.


Paper ballots and manual counting isn’t that expensive and it’s not where we should be looking to pinch pennies.


That sounds like a far better set of priorities than commonly gets raised in discussions like these.

Another benefit of electronic voting systems that mark and/or verify voter-verified paper ballots with the voter is allowing the blind and illiterate to vote alone and retain their privacy. Sighted literate voters take for granted that they don't have to reveal their vote to anyone else.

This doesn't get any discussion or support in the article (quite the contrary, there's some language about how such machines are second-best to voters marking their own ballots). The paragraph discounting "BMDs" (ballot-marking devices) contains no pointer to evidence to back the assertion that voters don't check their machine-marked voter-verifiable paper ballot. This is solved with voter education -- tell voters to verify their ballots no matter how they're marked. By the logic of this claim, it's worth pointing out that humans make mistakes writing on paper too. So better to have the voter verify their own ballot. There's also no evidence given of "the dispute-resolution mechanism" for a malicious or errant machine mismarking a ballot. This excuse seems particularly reaching to me as all roads lead to the same outcome -- the voter should spoil the ballot and get a new ballot. No proof is needed to justify spoiling the ballot because in the end they're not committing fraud. Even if the voter spoils multiple ballots, that's not a big deal. I'll need evidence to see that this is a serious concern but the article presents none.


Braille cards could easily be printed and mailed out to voters who request them.

A small number could be sent to polling locations each cycle, to account for loss and damage too.

This would be a far better use of resources than trying to make electronic voting not a disaster of security problems.


I have no problem with doing either (so long as pre-arrangement never becomes mandatory), but that doesn't address fairness for illiterate voters at all. Also, it doesn't really tackle how a voter-verified paper ballot processing system that involves electronics is fairly described as "a disaster of security problems".


In theory they're much better because votes are tallied pretty much instantly with very little effort. Running hand counts is very expensive and it's way easier to quantify the value of the cheaper counting than the cost of insecure elections.


What need is there for instant tallies? Elections are usually in November, winners take office in January. Plenty of time to sort it out if there's a question. It has worked mostly pretty well for a long time.

And I have yet to see the expense directly compared. How much do the machines cost to purchase and maintain? How much does the overtime for election officials to count the ballots cost?


People want the news as quickly as possible.

> Elections are usually in November, winners take office in January. Plenty of time to sort it out if there's a question.

This is an issue as you reach larger offices in particular the presidency where there's an entire transition process that has to happen where the incoming president has to pull together the team to run the state and get read into all the various secret programs so that day 1 they're ready to run the country.


well, it's also meant to eliminate the issue of recounts, can be better audited as a process, and minimizes human error in what is a very manual and repetitive task. tbh if computers should be used anywhere, it's in something like this. It's literally counting, and a lot of it

but alas


> can be better audited as a process

What could possibly be better audited than a public count that any concerned citizen can visit to oversee? Digital machines are as opaque as it gets for auditing.


And single points of compromise. The biggest problem with all conspiracy theories is that they require an implausibly large number of people to stay silent.

Whereas computers stay silent by default, and let one person in the right place potentially control everything.


Wouldn't the optical-scan ballots listed as the best option in the article still have that benefit?

To me it seems the benefit of full electronic is avoiding paper both for environmental effects and physical annoyance of moving it around.


Yes personally I think optical scan ballots are probably the best solution for both worlds. They're basically counted as the votes are given by the machine and provide a full paper trail that can be fully audited later. They do have some problems with people incorrectly marking the sheet (eg not filling in the bubble fully). They can break down which is a little troublesome but the votes can still be tallied by alternate means.


Ah yes, very expensive... God forbid you need 10-20 people per district for a couple of hours to count the votes, the costs, someone thinks of the costs!

I'm not even convinced that at face value the development, manufacture, distribution and protection of these voting machines is remotely close to as cheap as just counting votes the good old way.


What can counting cost? A dollar per vote? I think spending a few hundred million every couple of years is not that big of a deal in exchange for much harder tampering.


I have said dozens of times and I will say it again.

I am a technophile, but the only sane way to vote is with pen and paper with manual counting.


Everyone who is in cybersecurity or computer science says no, this is a terrible idea. The primary reason for not having a paper trail is so you or someone else can change results and not be caught. Cf. Georgia clearing its election server and degaussing its backups 3 times each when subpoenaed. [0]

[0]: https://arstechnica.com/tech-policy/2017/10/days-after-activ...


So are you agreeing or disagreeing with OP? Sounds like you're disagreeing at first, but your example seems to agree.


He is corroborating and elaborating. All agreement. The example fits the thesis.


I don’t think your referenced case has anything to do with the technology. That is clear and obvious subversion of the law and destruction of evidence. If it were paper ballots instead, they could put in place “safety” and “privacy” “environmentally friendly” procedures to shred all paper trails just as easily.

Laws aren’t worth a damn if you’re not willing to enforce them.


If I may, I'd like to offer a different perspective.

In my job as a prosecutor, something I see over and over again is juries wanting to believe the defendant, even when their story isn't credible. If you have a likeable defendant and there's any doubt, reasonable or not, juries will acquit.

So when the little old lady government worker who could be your grandmother says that she was just doing what she thought she was supposed to and golly gee she doesn't understand this whiz-bang computer stuff ("They keep talking about digital evidence, and I just feel hopeless putting up my defense... I don't even know what digital evidence is!")... it's very hard to convince a jury it was intentional.

Shredding paper ballots is a lot more of a compelling narrative to put in front of a panel.


Exactly. Destroying those drives was spun as "oops we made a mistake". It's a lot easier to believe that someone accidentally erased a drive, even three times, than that someone accidentally destroyed millions of sheets of paper.


Yet another example of how we've become enslaved by letting people wander around without understanding technology that makes their world run daily.


Shredded paper can't be recycled - at least around the Seattle region. But it makes great compost.


I disagree strongly. There are cryptographically secure algorithms for voting, that allow you to ensure that your vote has been counted in the final tally (and counted correctly), by returning to you a token that will be incorporated into the final count. You can also securely determine the precise number of votes cast. All of this without sacrificing anonymity.

https://en.wikipedia.org/wiki/End-to-end_auditable_voting_sy...

For more. We absolutely should be using these systems and the fact that we have allowed electronic voting machines to be used that do not conform to these protocols is an absolute travesty of democracy, considering how easy it would be.


Even if the concept is secure, implementation of any electronic voting system will never be secure.

All voting is vulnerable to hacks, even paper and pen. The key is to make it as expensive as possible to hack a vote. In-person paper voting is pretty much as expensive as it gets.

Never mind that the general public will never understand what you said or ever implement anything like it.


No...it's much more expensive to hack an E2E auditable cryptographic voting scheme. Infinitely expensive.

> Never mind that the general public will never understand what you said or ever implement anything like it.

They don't need to understand it. It just needs to be in place, so that we can audit votes properly.


It's not "infinitely" expensive to find an exploit and one person having discovered such a flaw can compromise the election.

In reality land what we actually build IT wise is normally hot garbage.

We know how to hold honest paper elections. Let's do that instead of hoping that 10 years from now and 10 billion later we can have a secure election.


Sigh, listen man. Just learn about how it works or stop commenting. You're wrong.


Feel free to educate me regarding how "it" works if you feel my opinion is in error. It seems unlikely that any system will be constructed any time soon which doesn't involve onerous secret key distribution, is provably correct, doesn't allow someone to prove after the fact to a third party that they voted a certain way, is secure against insider and outside manipulation, can be verified in a way that an average person could understand. All properties of presently available paper voting solutions.


> Feel free to educate me regarding how "it" works if you feel my opinion is in error.

https://eprint.iacr.org/2016/670.pdf

> It seems unlikely that any system will be constructed any time soon which doesn't involve onerous secret key distribution, is provably correct, doesn't allow someone to prove after the fact to a third party that they voted a certain way, is secure against insider and outside manipulation,

Paper ballots aren't secure against insider or outsider manipulation and they definitely aren't provably correct. I don't see any reason why it should be necessary for the average person to understand how the system works. It should be sufficient that they can verify it, given sufficient knowledge.


> ”I don't see any reason why it should be necessary for the average person to understand how the system works”

It’s important so people have faith in the system. Yes, verifiability can help with that, but trust in math that few can really understand is a barrier. This can be exacerbated as distrust in algorithmic feed generation and social media manipulation grows. You’re savvy enough to see beyond this, but that’s not the point: that trust needs to be solid and widespread for people to have faith in the process. This is a human issue, not a technical one.


I simply disagree. Yes, the transition will be difficult due to the issue of comprehension. But I think there is a fundamental difference between these things. Of course, there will be a handful of people that never believe it's legitimate, and insist that it's not. But you can simply direct them to the papers - which they won't read, but it's hard for an ecosystem to form around something that is provably false. E.g. sure, there are flat-earthers, but they don't make up a sizable political bloc.


But the payoff is so much higher.

And I never believe someone who says something is unhackable... social engineering is a non-removable threat vector.


This isn't software security it's cryptography. The guarantees are much stronger here.


And yet cryptocurrency theft, scams and bugs are rampant.


This is different. If you'd bothered to understand how the system works, you would understand why that is so.


No, people do need to understand it or they won't believe it's to be trusted. Hacking an election is not even necessary if you can make a large segment of the population believe that it was done.

Eroding all trust in the democratic system is just as bad as actually changing the results.


The current voting systems basically increment a number in a crappy unsecured database.

These systems cost tens of thousands each, are the standard, and probably still too complicated for anybody in your local elections office to actually inspect.

If you think switching this to a cryptographic proof of vote is somehow easy, or easier than moving to slices of dead trees and a pen, then it's time to put down the keyboard and go outside.


Maybe you should like, learn about it first, or something? It's really pretty easy to implement, and it's a LOT more secure than paper ballots ever could be.


What we actually build isn't secure and it isn't going to be.


Yes it is. Learn about how the system works, and you will understand why.


Have you actually read about any real voting machines presently in use? I find it extremely hard to believe you have done so and come to this conclusion.


The systems in use are shit. That isn't what i'm talking about. People have, however, designed secure e-voting protocols, such as: https://eprint.iacr.org/2016/670.pdf

It's just that nobody uses them.


You realize our government is a hostile actor from our perspective? They are as likely to be complicit in any compromise of the system and thus unsuitable to trust to design a system suitable to preserve our democracy. The mouse can't guard the cheese.

We the citizenry can probably resist and discover interference which has to be done in a fashion that is broadly distributed and plainly comprehensible by common people. Digital systems are commonly found to be vulnerable to manipulation that can be done by one or a small number of actors and only discoverable by a tiny portion of the population if and only if the people that compromised our democracy allow you to audit them. It seems like the best case real world system would be an unacceptable risk and astoundingly unlikely that the real world result would be any better than ACTUAL existing government IT projects which as mentioned are hot garbage.

As far as I can tell it's already entirely possible if laborious to prevent malfeasance at scale. The only possible benefit to the system you are describing would be in decreased cost of operating the election after we pay off the billions required to build the system and slightly quicker results. We are short on neither money nor time. This is still one of the wealthier nations and transitions from one group of assholes to the next in practice takes months for reasons that have nothing to do with tabulating votes.

We cannot risk our democracy so that you or others like yourself can work on a neat new IT project. Our fearless leader will just have to find another way to deter millions of imaginary illegals from voting for his opponent next go round.


> You realize our government is a hostile actor from our perspective? They are as likely to be complicit in any compromise of the system and thus unsuitable to trust to design a system suitable to preserve our democracy. The mouse can't guard the cheese.

They aren't designing it. It's already been designed by academics. In the paper that I linked. Please read it.

> We the citizenry can probably resist and discover interference which has to be done in a fashion that is broadly distributed and plainly comprehensible by common people.

No, we can't. Paper ballots are ridiculously insecure. They are just paper. Anyone, anywhere can throw them away, change them, insert thousands of fake ones, etc. I don't even see how you can argue in seriousness that paper ballots are a reasonable solution to the problem of elections. They're a joke.


Maybe you should try and visit a voting office sometime?


jfc, you have no idea what you're talking about. You know that's ok right? You don't have to know about everything. Maybe instead of commenting when you don't know, you should learn first.


I'll join you and take some of the downvotes you got, because I have a pet peeve on this topic to complain about.

Too often this fallacy is used to criticize e-voting:

1) find a flaw with electronic voting,

2) support paper ballots.

Opportunity costs are completely missing. If paper offered perfect security, that would make sense, but it doesn't.

I would have enormous respect for anyone willing to build an honest list of pros and cons on both sides.

Let me take a first naive stab:

- Electronic voting complicates auditing (in the worst cases making it all but impossible).

- Machine manufacturers have a poor record of discovering and correcting vulnerabilities.

- Mechanisms to force corrections of vulnerabilities are weak or unenforceable, or raise impossible policy dilemmas if vulnerabilities are discovered near an election.

But...

- Paper ballots are sometimes ambiguous in ways that skew results.[0][1]

- Paper ballots have no mechanism to guarantee "availability," i.e., ballot boxes have gone missing, switching recount totals, or sometimes aren't counted at all in close races.[1]

- Tabulation is more costly, and often involves separate systems or equipment than recording and storage. "Introduce more unique systems and complexity!" is not usually a good way to guarantee security.

On the pro side for both too:

+ Paper trails improve auditing (but what do you do if there are discrepancies, given the history of both lost paper and flaws in electronics?)

+ Estonia has had some flaws in their system, but also has tried some innovative solutions to guarantee identity (private keys for all citizens) and prevent coercion/vote buying (votes are revocable up to election day)

Everything has flaws, risk mitigation is about shifting those flaws around. Pointing out a flaw in one system isn't a security analysis. Too often that's how people treat it.

[0] https://en.wikipedia.org/wiki/Chad_(paper)#History

[1] https://www.nytimes.com/2017/12/28/us/virginia-election-reco...

[2] https://www.wired.com/2008/10/florida-countys/


Single point of failure. The biggest con of electronic voting that you forgot. It's a single piece of software that can be manipulated or hacked to change the outcome of the entire election by a small group of people. Pretty much every month for the past few years there has been a major security hack that affects millions of people. The same will inevitably happen with an electronic voting system and may go undetected for months/years.

Second, usually in a paper voting system, the ballot box and the counting of the votes is always done in the presence of the election officer, and the representatives of at least two major political parties. All have conflicting aims, and to manipulate an election, you have to corrupt all three of them at many many polling stations.


I don't think that cuts one direction. Electronic doesn't have to have a single point of failure, that's a design decision.

And paper ballots often have moments where they have single points of failure, like the examples I cited of missing ballot boxes. There weren't three corrupt parties involved in those.


> Single-point of failure. The biggest con of electronic voting that you forgot. Its a single-piece of software that can be manipulated or hacked to change the outcome of the entire election by a small group of people

Did you even read my original comment? It is not a single piece of software that can be hacked. It is a deterministic independently, cryptographically verifiable algorithm. You receive a receipt that allows you to personally and independently verify that your vote was counted correctly.


I love technology... But voting machines are a bad idea, especially in their current implementations.

Paper voting, with manual counting, scales well, and has far fewer attack vectors than electronic voting.


"Manual banking, with humans counting cash, scales well, and has far fewer attack vectors than electronic banking."


Banking has to be done daily, can reverse bad transactions, and has no requirement to keep the customer's activity so secret that even the bank doesn't know what they're doing.

Elections, on the other hand, happen once or twice a year, can’t be reversed in the event of fraud, and need to protect the voter’s privacy to such an extent that even giving them, and only them, confirmation of how they voted is considered far too dangerous.


Banking has to be done daily only because we are used to modern banking systems. Banking was not done daily 100 years ago.


And the other major differences I pointed out?


Here you go.

> can’t be reversed in the event of fraud

Counterexamples from one country: https://en.wikipedia.org/wiki/List_of_UK_Parliamentary_elect...

> need to protect the voter’s privacy

And you are convinced that there are no algorithmic solutions? Here is an attempt from a famous computer scientist whose algorithms book most of us have read. https://en.wikipedia.org/wiki/ThreeBallot (This one turned out to be cumbersome to implement because of bad UX, but worked rather well.)
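ThreeBallot, the scheme linked above, worked through as an added simulation (my code, not from the thread, the Wikipedia article or Rivest's paper): it enforces the marking rule, publishes the board, tallies, checks a receipt, and brute-forces the claim that one ballot is consistent with every possible vote. The `demo` function, its candidate names and vote counts are constructed sample input.

```python
"""ThreeBallot simulation: added example, not code from the thread, the
Wikipedia article or Rivest's paper.  Per race the voter fills in three
ballots; every candidate is marked on exactly one of them except the chosen
candidate, marked on two.  Ballots carry random IDs, all are published, and
the voter keeps a copy of one as a receipt.  Tally = marks - number of voters.
"""
import random
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Ballot:
    ballot_id: str
    marks: tuple  # one 0/1 entry per candidate


def is_valid_multiballot(ballots, n_candidates):
    """ThreeBallot checker: three ballots, each candidate marked once or twice
    in total, and exactly one candidate (the voter's choice) marked twice."""
    if len(ballots) != 3:
        return False
    totals = [sum(b.marks[c] for b in ballots) for c in range(n_candidates)]
    return all(t in (1, 2) for t in totals) and totals.count(2) == 1


def make_ballots(candidates, choice, rng=None):
    """Fill in three ballots for a voter choosing `choice`, placing each mark
    on randomly chosen ballots so that no single ballot stands out."""
    rng = rng or random.SystemRandom()
    n = len(candidates)
    chosen = candidates.index(choice)
    grid = [[0] * n for _ in range(3)]  # grid[ballot][candidate]
    for c in range(n):
        for b in rng.sample(range(3), 2 if c == chosen else 1):
            grid[b][c] = 1
    return [Ballot(f"{rng.getrandbits(40):010x}", tuple(row)) for row in grid]


def tally(board, candidates):
    """Every voter adds exactly one extra mark to their chosen candidate."""
    n_voters = len(board) // 3
    return {name: sum(b.marks[c] for b in board) - n_voters
            for c, name in enumerate(candidates)}


def verify_receipt(index, receipt):
    """True if the ballot the voter kept a copy of is on the board unchanged."""
    return index.get(receipt.ballot_id) == receipt.marks


def consistent_choices(ballot, candidates):
    """Brute-force the privacy claim: enumerate every pair of ballots that
    could accompany this one and collect the choices of valid completions."""
    n = len(candidates)
    choices = set()
    for bits in product((0, 1), repeat=2 * n):
        trio = [ballot, Ballot("?", tuple(bits[:n])), Ballot("?", tuple(bits[n:]))]
        if is_valid_multiballot(trio, n):
            totals = [sum(b.marks[c] for b in trio) for c in range(n)]
            choices.add(candidates[totals.index(2)])
    return choices


def run_election(candidates, votes, rng):
    """Cast `votes`, publish a shuffled board, and return each voter's receipt."""
    board, receipts = [], []
    for choice in votes:
        trio = make_ballots(candidates, choice, rng)
        if not is_valid_multiballot(trio, len(candidates)):
            raise ValueError("checker rejected multi-ballot")
        board.extend(trio)
        receipts.append(rng.choice(trio))  # voter picks which copy to keep
    rng.shuffle(board)  # published in no particular order
    return board, receipts


def demo(seed=7):
    """Constructed election: 5 votes for A, 3 for B, 2 for C (sample input)."""
    rng = random.Random(seed)
    candidates = ["A", "B", "C"]
    votes = ["A"] * 5 + ["B"] * 3 + ["C"] * 2
    board, receipts = run_election(candidates, votes, rng)
    index = {b.ballot_id: b.marks for b in board}
    # Tamper with one ballot a voter holds a receipt for: flip all its marks.
    tampered = dict(index)
    tampered[receipts[0].ballot_id] = tuple(1 - m for m in receipts[0].marks)
    return {
        "tally": tally(board, candidates),
        "receipts_ok": all(verify_receipt(index, r) for r in receipts),
        "single_ballot_reveals": consistent_choices(board[0], candidates),
        "tamper_detected": not verify_receipt(tampered, receipts[0]),
    }
```

Note that `consistent_choices` returning every candidate for any ballot is exactly why a receipt cannot be used to prove a vote to a third party, which is the "no proof to a third party" property the thread asks about.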


You can potentially reverse an entire election and do it again, but you can’t reverse one vote.

I’m sure there are solutions. My point isn’t that it’s impossible, it’s that banking and voting are so different that the existence of solutions for one tells us nothing at all about the other.


That metaphor doesn't work, because there is no (obvious) equivalent to double-entry bookkeeping for a vote. There's no counterparty.

As history shows, double-entry bookkeeping does not entirely prevent fraud, but as history also shows, it does significantly raise the bar.

Other people reference other cryptographic possibilities but it's still not clear you get that counterparty advantage or any equivalent as cleanly from any of them.

I try to speak precisely, so I chose not to say that it does not on purpose. Maybe someone could convince me. But I've seen too many games and incredibly subtle backdoors to have too much confidence in such things. Nor am I sure how to convince the general public that they are correct, whereas convincing them paper ballots work is easy, and they intuitively understand the requisite security measures. It is not sufficient for a voting scheme merely to obtain the right number, it must also be trusted by the losers, or it's a waste of time.


>it must also be trusted by the losers, or it's a waste of time.

There is no voting scheme that is trusted by the losers. With paper ballot, you can easily claim ballot stuffing or biased counting.


At least in the UK, independent observers can (and do) follow the paper trail: observe at a polling station, watch the ballot box being sealed, follow it, watch it being unsealed, observe the count.


Why does that not translate to electronic voting? We have had hash functions and digital signatures for a while.


How does one observe the binaries on a voting machine? Nobody seems willing to sign on to that [0].

When you can't audit what is in a voting machine, you can't guarantee if it works.

[0] https://www.austinmonitor.com/stories/2017/10/star-vote-coll...


>How does one observe the binaries on a voting machine?

You can make this argument against literally any programmable machine. Also, checksums of reproducible builds (a feature a lot of compilers in production now support) are a good way to know the software wasn't altered. Securing the hardware is more of a protocol issue than a technical one here.


> Also, checksums of reproducible builds (a feature a lot of compilers in production now support) are a good way to know the software wasn't altered.

Nobody will agree to doing that. I just said that.

> Securing the hardware is more of a protocol issue than a technical one here.

I wouldn't agree. Because the binary being run, isn't being run in isolation, making verifying the database difficult. [0]

If we're not allowed to verify any of the internal workings of the voting machine... How can we say it actually has a copy of a verified binary on it?

Random verification of a voting machine is far more intense, costly, and time-consuming than verifying that a bunch of people at the voting place are doing their jobs correctly.

[0] https://www.engadget.com/2018/07/17/voting-machine-remote-ac...


"There is no voting scheme that is trusted by the losers. With paper ballot, you can easily claim ballot stuffing or biased counting."

Yes, there is. You can tell by the way they don't grab people and guns and start shooting.

The purpose of voting is not to prevent hurt feelings or a bit of grousing. Despite the lies you may have been told, hurt feelings are inevitable. It's to prevent people who think they won, but didn't, from shooting people. And some other things too, like convincing them they'll have a fresh fair chance next time and that loss isn't permanent, but not shooting people is the main one.


But that's not actually true whereas GP's is. I mean how would voting be better if we had the capacity to count billions of votes?


Not just the capacity, the verifiability and redundancy it can support.

I am a little bit surprised that people at Hacker News are so hostile against technology. Sure, there are some attack vectors, but we have 4-5 decades of security research and engineering to mitigate or at least detect that.

Don't throw away the baby with the bathwater.


so we should build machines to tell the truth quicker and then verify the machines told the truth by using methods that do not include using machines... when machines are built to determine the truth but cannot be trusted to do so - it's (more or less) a negative sum game.


Ok well if I see any voting machines like that I might reconsider. In the meantime stick with paper.


Maybe I'm getting old, but using 12px font size on an article is evil.


I'm loving the feature on hn clients like MiniHack that auto-enable readability mode for the browser when you click through to the article. It's like wearing polarized shades.


Evil in the same way your cat stalking your foot is evil.

Zoom in.


Then you balloon the whole page content, navigation and all. I maintain that 12px font is silly for long-form content.


I'm zoomed in at 200% on an 11" at 1366x768 and still all the text wraps cleanly within the viewport.

If I want to zoom in further I can click the little book icon for reader view in Firefox, and the content will wrap without scrollbars to my heart's content.

So again, evil in the same way a BDFL maintainer is a tyrant.


Firefox -> Preferences -> Content -> Fonts & Colors -> Advanced -> Minimum font size

And the problem is cleared right up.


Isn't that the standard size for text?


The default in Chrome and Firefox is 16px.



