Argentina's voting machine system leaked? (github.com)
97 points by necessity on June 20, 2015 | 76 comments

I've never seen the need for voting machines, even if they were open source and not plagued by scandals constantly. Counting votes can be done mostly in parallel. If you can't get enough volunteers and auditors to watch them then you have other problems a machine would likely make worse. In Australia we rarely have to wait long for the result and our Senate voting is fairly complex. It's even crazier when people try to push the speed benefits for things like the US presidential election where those elected don't even take office for weeks after the polling day.

Although the ancient Athenians were not Luddites - they had an elegant machine to randomise a large stratified sample of the population for jury duty and water clocks to time speeches - for the actual votes they just used pebbles or pieces of metal. That's because counting something up is simply not that complex and shouldn't be made complex unnecessarily just to pad the CV of some electoral commissioner or pad the wallet of the company making the machines.

Depends on the threat model.

In India, the threats were things like the ability to print enough forms without leaks to counterfeiters, transport them on Indian roads, store them until polling day in villages where no doors have locks, and so on. And while the counting was highly parallel and scrutinised by auditors, it was also painful, because there was a rule along the lines of "both vote forms and counters' hands must remain visible from when votes are unsealed until counting is complete". Sometimes the counters went for more than 24h without a bathroom break, so would you volunteer to count?

I wrote a blog posting about it, http://rant.gulbrandsen.priv.no/indian-election-machines, but the most relevant point here is:

When you consider security issues, START WITH THE THREAT MODEL. Always. And it's not the same threat model everywhere.

You forgot Booth Capturing, the most blatant threat of all [1].

[1] https://en.wikipedia.org/wiki/Booth_capturing

I didn't mention it here. I did in the blog post, which can be a bit longer than a HN comment.

There simply are no valid arguments for voting machines.

Speed is irrelevant, there's no reason why tallying the votes desperately needs to take a few hours less.

There are only two motives for voting machines: commercial interests and the desire to obscure the voting process. Neither of these should be trusted with foundations of the democratic vote.

On the latter subject: because the transparency of the voting process is so fundamental to democracy, most countries had laws in place that first needed to be scrapped or mutilated to allow voting machines in the first place. The people who wrote these laws were neither stupid nor Luddites.

Ironically, we've always sent observers to third world countries and former dictatorships to judge whether their elections are truly free and democratic, using criteria that would never allow for voting machines to obfuscate the process. For starters, it would make such neutral observation pointless.

I'm lucky I live in a country (Netherlands) that has abolished voting machines years ago. (After a campaign against them led by old school hackers.)

(There's one movement in the Netherlands that openly advocates a return to voting machines. This movement is led by Dutch mayors. The Netherlands is rather unique in the fact that mayors are not elected but appointed by political manoeuvring, which has been subject of debate for a long time. I do not believe these things to be a coincidence.)

I think for places like Aus, NZ - with small populations and a handful of population centers, what you are saying makes a lot of sense.

For a place like India, the problems pretty much require electronic voting. I am old enough to still remember paper ballots in India. Imagine having to count of the order of 600 million(!) votes. Each with potential challenge from a partisan, validation, security. The costs and logistics were a nightmare. After polling, it used to take days just to get all the ballot boxes to centralized counting arenas. The machinery for the counting alone ended up involving about a million people!

India has very strict election codes - how many voters to a booth (few hundreds), how far a voter can be required from his place of residence to polling station (3 miles max), etc. We also do not require "registration" before polling like in the US for example. Once you are 18 and have obtained a voter ID, you can simply walk into a polling booth on the day and vote.

Indian Election Commission took a pioneering lead in using technology for polling - We have had near-universal electronic polling for 25+ years now. The trouble with the "modern" voting machines is that they are way too complex and try to do too much. Indian design went the other way. Security of paper ballots was already an understood and mostly solved problem. The machines are simple - more in the league of an 8-bit microcontroller with 16 push buttons and 4x7 segment LED display. Very old school. The machines rely on physical security. They cannot be opened without breakage, physical seals can be applied to their "reset" and "count" buttons, and access to them is controlled the same way as access to paper ballots and boxes would have been controlled. This allows even a poor country to deploy the order of half a million voting machines!

There are of course issues - there is no paper trail for example, which as a concept has never even arisen in Indian electoral design debates. I am not sure I am myself sold on the need for them - I do see the importance, but it's not an absolute.

EVMs built on top for high end PCs, with Windows and millions of lines of custom code, manufactured by people who also build Slot machines (in the US at least) is at least to my mind - simply another case of overdesign and overspending - typical of defence and government contracts. When security, reliability, are concerned, simplicity and even non-technical solutions combined with technology work better than complicated technology.

"I think for places like Aus, NZ - with small populations and a handful of population centers, what you are saying makes a lot of sense. For a place like India, the problems pretty much require electronic voting. I am old enough to still remember paper ballots in India. Imagine having to count of the order of 600 million(!) votes."

This scale argument is totally spurious. Australia is one of the older continuous democracies so we have had a lot of population growth since federation, vote counting hasn't slowed down each time the population has doubled (indeed I'd suspect it's gotten faster as people have telephones and over 100 years of institutional experience at the federal level). Counting votes scales because as the population scales you have more money and more people to count votes. Let's say you have two paid electoral officials and 100 volunteers for each 10,000 voters. A country with 20,000 people would have four paid electoral officials and 200 volunteers, a country with 1 million people would have 200 paid officials and 10,000 volunteers.

Australia also has some of the most spread out and remote polling stations in the world due to our being much larger geographically than India so there goes that argument as well. Additionally it's far easier to get a cardboard ballot booth and paper ballots to various remote places than it is to get machines there. Not only do you have to lug machines around they need electricity and maintenance personnel. The Indian machines run on batteries, but how long until they need replacing if they are in storage for 5 years between each use? A more complex machine would need a lot more power than batteries could provide as well, and more complex machines would be needed. The Indian voting machines are having to add a printed validation, at great cost and adding complexity, so they are acknowledged as being flawed in their current state.

I am not making any arguments - I am not sure what has offended you so much. I am simply unaware of the AU/NZ electoral systems. The parent post was making a point that paper balloting seems to work well in Australia, and I took the poster at their word.

If you are insisting paper ballots worked well in India and machines don't, I can only imagine you don't know what you are talking about.

The scaling you speak of doesn't work - complexities scale superlinearly and so do costs. We know this in our daily lives, in our networking architectures, when we argue scaleup/scaleout, etc.

The economic scaling - money available per capita for spending on elections - also doesn't scale linearly like you seem to be implying. Even if, for the sake of argument, it did - I would prefer not to spend it like that if I can save money using EVMs. That money has better uses out here.

Even with one of the largest paramilitary forces in the world, India needs to stagger its elections across a couple of weeks as the security apparatus moves around. That also doesn't scale. Paramilitaries are not maintained as a proportion of the population, but as per the security needs of the country. Local police should scale as per population, but India is significantly underpoliced. Also the Election commission tends to not trust local police with election security as by definition the police reports to and is allied to the incumbents.

Elections don't happen once every five years - India has a central Election authority and the machines are constantly in use, shuttled all around the country as needed. I also don't understand what the trouble is with replacing batteries every few years? You have to remake cardboard booths and reprint ballots as well, don't you? No one said EVMs are cost free.

"_so there goes that argument as well_"

Where are you "sending" these arguments? They don't seem to have gone anywhere at all. If you think polling 16 million people in a rich country is more complex than polling 815 million people in a poor one, please sit down and have a rethink. It is very very hard to fathom that difference in scale.

"If you think polling 16 million people in a rich country is more complex than polling 815 million people in a poor one, please sit down and have a rethink. It is very very hard to fathom that difference in scale."

I think you have misunderstood my argument. I totally agree that the Indian election is more complex. But I argue that complexity comes from places other than the counting itself, and returning to the subject at hand that means India's size and complexity in no way leads to the conclusion that its elections or anyone else's elections "pretty much require electronic voting". So in what follows I will examine the "ideal" case and then the rest of the issues.

In the ideal case, if we imagine a theoretical Westminster system with first past the post voting, we can pay 10 people to organise 250 volunteers per electorate of a theoretical 200,000 voters. They all start counting at the same time when polls close. In this system there are always 800 votes per volunteer to count. It doesn't matter how big the population gets there are always 800 votes to count for each volunteer. Population of 1 million? 800 votes per volunteer. Population of 8 billion? There is still only 800 votes per volunteer. So the system is scaling with the population. Thus India having 51 times (using your figures) as many voters as Australia does not mean it's 51 times more complex to count up the votes. Similarly, nobody would claim that counting the votes in the UK election is somehow magically 3 times as complex as the Australian one or that elections in Australia now are many times more complex than elections in Australia 100 years ago.

Of course, leaving the ideal case somewhat, due to natural human variability a larger system will have more electorates that return their results slightly later. Indeed in an infinitely large imaginary system there might be an electorate where all 10 officials in one electorate die of a heart attack and it takes two days to get officials from other electorates to show up and do the count. In the real world with real humans, but still presuming they were operating on the exact same rules, the larger system (say the UK or the USA versus Australia) would likely have later returning results, but not by much. It's also worth remembering at this point that in many elections the last electorate to return a result is often irrelevant to "the ultimate result" as someone already will have a majority much earlier, many elections are conceded by the loser well before the final tally comes in.

That there, in the ideal case or the "same system" with real people, is the basis of my objection to your comment that "for a place like India, the problems pretty much require electronic voting. I am old enough to still remember paper ballots in India. Imagine having to count of the order of 600 million(!) votes". I am not saying there aren't other sources of complexity: many languages, poverty, illiteracy of some voters, poor transport and corruption will all take their toll. But those problems are not solved by voting machines either. I continue to maintain that 600 million votes does not in any way shape or form "pretty much require electronic voting".

You are thinking of complexity _per_ agent. That is not where the complexity comes from.

If you have to evacuate an area using 4-seater cars - do you really not see the difference in complexity:

A - a village with 200 people, each household has their own car. You need 50 cars, maybe need to requisition/rent a few, the rest people bring by themselves. You don't need a police escort or barricade for orderly movement of 50 cars. People self organize, and you are good to go.

B - a town with 10000 people, 20% households have their own car. Now the administrator needs to arrange for 1000s of vehicles, make sure fuel is available for all of them. You will need to appoint "marshalls" for each block cause you won't be able to handle everything yourself. You also can't expect anyone to self organize at that scale.

Let's say you appointed 50 marshalls. You probably can't even manage all those by yourself. So you appoint 5 "chiefs" - 10 to a marshall.

You need additional staff to manage and track each vehicle. You also need enough police on hand to provide escort. You need to define "assembly points" so that people know where to show up.

Do you seriously not see the complexity that arises when you have 20,000 counters vs a million?

The difference between running a startup with 20 employees - you can do that in your house. No need for HR, building services etc.

Versus a 1000-employee company?

And vote counters at least in India are not volunteers - that would be a disaster. They are govt employees on deputation. Similarly after polling you don't simply take the ballot boxes to the corner and count. There are a handful of counting arenas - heavy security, representatives of all candidates present etc. Senior "notaries" have to remain present, inspect every box for tampering and certify, with agreement from the candidate reps. When you are thinking of a million counters, do you seriously think there can be a say 10,000 notaries present to certify, and a million representatives of candidates keeping their eye on each vote counter? That's not how the real world scales man.

Stop thinking in terms of 800 votes/counter - there's a MUCH MUCH larger structure there, you keep missing that.

The reason EVMs help is they are smaller and faster. A set of notary, election officer, candidate reps can process a machine in about 10 minutes when counting. An average machine may have 400-500 votes on it. So that means that one set of people can now count about 3000 votes an hour or 25000 votes per day. To count 600 million votes, you need 25,000 sets country wide.

With paper ballots, counting 500 votes would take half a day. So one set would count 1000 votes a day. Now you either need 625,000 sets of counters or more days.

There's also the issue of securely printing, transporting, storing, issuing 600 million ballots, vs 1.2 million machines.

In any case - the biggest flaw in your argument is you are arguing theory - 800/counter, so no complexity - and simply ignoring the real world 25 year long experience.

Things simply don't scale like you think they do. 100 page views/ web server doesn't mean you can simply install a million servers and serve out google.com. Saying this added complexity is "not from web serving" makes no sense.

Australia has a population of 25 million people.

India has a population of 1.25 billion.

And? This is like MapReduce, which scales well for certain problems, particularly those involving counting. If I am counting up the words in 25 TB of text in one case and counting up the words in 1250 TB of text in another, but in the first case I have 25 servers available to me and in the second case I have 1250 servers. How long does it take given in both problems each server is counting up the words in 1TB of text? Does it take 50 times longer to count up the words in the second problem? No, because there are 50 times as many servers. There are other issues which make the Indian elections complex, but counting the votes isn't one of them, and neither the counting nor the other issues mean that voting machines are "pretty much required" as was claimed.

The batteries in the Indian machines are replaced often. They're a kind you can buy cheaply in random shops, not like laptop batteries. (They look like the ones in smoke alarms.)

I am from Brazil...

Here voting machines don't print the votes, only the machines can "count", and the source and hardware are not open to inspection.

Also, recently the government started to roll out a system where you can only vote by using a biometric fingerprint scanner on the machine.

To me the machine has a very clear purpose: do nefarious stuff, and NOT help the elections (Brazil electoral court always makes a point of expending money to PR about how great it is that we can count 99% of presidential election votes in 40 minutes after the end of the elections... but that is useless, here the elections, for all elected positions, happen MONTHS before anyone takes office).

Worth remembering that although Athens was a large city, only 30-50k people had the right to vote (out of a total of 300k). Your other example of Australia has only 24 million people and I'm sure it suits the country's needs well. However, in larger countries like India (1200m), America (322m) and Brazil (202m) an electronic solution might be better.

If implemented correctly (ie without fraud), there are huge potential benefits

* Cost savings. India's general election cost the taxpayer $600m and state elections will cost a similar amount. If there are early elections, the cost is repeated.

* Turnout. Right now certain sections of society in any country are more likely to turn out, to the detriment of democracy. A large part of election campaigning is getting people to turn up to the booths. This is so hard that rarely are the turnout percentages higher than 60%, which is a pitiful number. If we could make it simpler and quicker to vote, this would be less of an issue.

To be honest I don't know how we would implement such a system. Certainly today's machines that rely on secrecy for security are a joke and should be replaced.

Putting the Athenians aside, because their system is significantly different and different throughout the 500BC~338BC period as well, counting happens in parallel so there is no substantial difference between Australia's 24 million and India's 1.2 billion. The resources of the nation for counting, volunteers and money, scale with the population as well remember. The only difference is the final step, which is fairly trivial. Even if you had an election with a population equal to everyone on Earth it wouldn't be that different, there isn't any meaningful scaling problem.

I don't think there will be cost savings, and these machines will need to be replaced regularly as well so it won't be a one-off cost. And the present system isn't really expensive as elections aren't held every year, so that $600m price tag for the Indian election has to be weighed against the GDP of an entire electoral cycle of five years. We are talking about a price tag of around $120m a year for India then, against a GDP per annum of almost two trillion (if not higher, I am just going by 1.87 trillion for 2013). Per capita that's something like just under 10 cents a year from each Indian. I somehow doubt an IT project, which also has to accommodate all of India's many languages and scripts, is going to make a significant saving on that.

I am not aware of any research linking voting machines to turnout, have you got a source for that? I imagine some older people might even get frustrated and stay away. Australia has something like ~95% turnout through implementing a small fine for not voting (the tasty BBQs at many polling stations may also have an effect). There are also limited polling booths open before the election for those that expect to not be able to vote on the day.

So the benefits just aren't there, and as you say yourself "I don't know how we would implement such a system".

I wasn't really defending electronic voting machines. They're notoriously unreliable and as you point out are expensive and need replacement with time.

I was thinking something along the lines of voting online. There is significant research to support the idea that more people vote when it requires less time and effort to do so. Not just research, there are many political parties in America and elsewhere that try to improve their chances at the polls by making it more difficult to vote and keeping turnout low.

Voting online would improve the situation greatly, but it isn't easy to implement. To wit, the problems are

1. How to authenticate a user

2. How to map each voter to a vote, without keeping a record of whom he voted for

3. How to prevent fraudulent votes

I've thought about it but I couldn't come up with good solutions to these.

Cost savings? Really? I don't know about other rich countries, but the country where I live spends about €1 per vote cast. All votes are counted twice, once on the night of the election and then a slow recount during office hours, both times manually, and it costs €1.

If there are many people to vote, there are many people to count. Summing up those votes is just on logarithmic order of complexity. Therefore sheer numbers are no argument.

As a fellow Australian I would love voting machines to encourage below the line senate voting and to allow even faster tabulation of results.

I'd argue that we're stretching the limits of paper ballots with the current senate situation. There are significant chances for it to go wrong, like when the Western Australian senate election had to be rerun after the High Court voided the previous result due to lost ballots[1].

Even if machines had the same problems as paper it could be faster and cheaper to recover from them.

[1] https://en.wikipedia.org/wiki/Australian_Senate_special_elec...

"There are significant chances for it to go wrong"

If you read that link you posted you would realise this is the first time it has happened on this scale. Ever.

The implementation of electronic voting in NSW has had its own problems[1]. Candidates missing from the screen, hacks allowing anonymity or votes to be compromised. Representative democracy voting shouldn't be fast or cheap. It should be careful and methodical.

Also, there is a fix proposed to the senate paper situation, allowing optional preferencing above the line, and optional preferencing below the line of 6 or more. Of course, both major parties have since all but rejected this as being too democratic.

So in this context, what is the point of electronic voting?

[1] https://theconversation.com/thousands-of-nsw-election-online...

Except voting machines have a huge collection of their own problems like being much easier to compromise and much lower security

I'd say that they have different security problems rather than more.

They have unmanageable security problems rather than manageable ones.

When I look at a ballot paper, I can see that it is what it is. When I stand in front of a voting machine, there is no way to validate that it's running the software that it's supposed to run. No way to validate it hasn't been tampered with, no way for the election scrutineers to validate it hasn't been tampered with before counting.

With a paper ballot, the scrutineers can lock the ballot box, and ensure it remains unopened and untampered with, aside from depositing ballots in it, simply by watching it.

As a fellow Australian, the only voting machine I'd like to see would be one that prepared a more easily machine-readable paper vote.

I'm also a Spanish national, where the voting system is admittedly much simpler (closed party lists with provincial constituencies), but you can take the paper system from my democracy's cold, dead hands. Meaning the temptation for fraud would be too high for a country used to shortcuts.

To thin the herd on the Senate ballots they could just up the number of people required to register. They could also up the deposit a bit, although doing that by too much would be undemocratic. I personally don't have a problem with a large ballot, and nobody I've spoken to has one either. I understand Antony Green has a bee in his bonnet about it, but is there actual evidence that the large ballots are a problem? I haven't seen any.

A machine approach to the Senate ballot would also be problematic as you'd also have to display the candidates across multiple views on an app. Should said app have a "next" button or should we swipe to the next "card"? Should it scroll? Will older people know how to scroll it? Is some "GUI rockstar" going to inflict a drag-and-drop candidate ordering on us? Which OS are we going to use? Is the nation where the hardware is made democratic or does it have to be made here? I can see it ballooning in complexity as many government run IT projects do. The paper ballot, perhaps with fewer parties via the mechanisms I highlight above, is solid and proven.

Existing electronic voting systems provide a guide for what to expect. There have been US cases where the touch screen was so poorly calibrated it was selecting the wrong candidate, cases of election officials taking machines home (machines later proven to be hackable with that kind of access), in some places there weren't enough machines provisioned. The security question extends to the machines for weeks before the election, they have to be protected for all that time. And now you need the equivalent of IT support services at every polling booth, or a significant increase in the costs of training the volunteers. I can't see how all of that, on top of R&D and the cost of the machines, is going to cost less. Also how do you handle a power outage on polling day? Or do we need to add more complexity, and fork out even more money, to have batteries sufficient to handle a whole day power outage? What happens when someone pours some water into a machine with 10,000 votes in it near the end of the day?

You can't say, as you did in your reply to someone else, voting machines have “different security problems rather than more”. They are more complex, more complex things can indeed have more security problems. A computer has more potential security problems than a piece of paper. That's why the Russian FSO, who know a thing or two about security, are buying typewriters.[1]

Most times these arguments boil down to the machines having to print out a paper ballot or receipt to be credible, anyone who has dealt with computers and printing knows what a barrel of laughs it's going to be to have people dealing with jammed machines or machines that are out of paper. I can picture an irate voter having their ballot secrecy violated as their crumpled ballot is pulled out of the slot by some highly paid technician. And given the spacing of elections, the machines would become outdated quickly so we'd have to go through the whole rigmarole of designing or commissioning new ones every three or four electoral cycles.

Finally, I don't think we should underestimate the benefits of getting large numbers of people involved in the counting. There is a social good in getting those volunteers to become knowledgeable about the process. They carry that civic knowledge around with them so it's available when someone needs the Senate voting explained to them at a weekend BBQ or someone wants to run an election for a role in a non-profit or a club.

[1] http://www.bbc.com/news/world-europe-23282308

Note that in Australia, we do use electronic counting in the Senate. (cf http://easycount.mjec.net)

I voted online in the last NSW election as I had moved states and forgotten to update my details. To implement my civic duty while in underpants truly made me feel like I was living in the future.

We think/hope we can make a system that is impervious to fraud (or perhaps reduces the attack surface to easily manageable levels). Paper & human counting systems are always imperfect. I think that's the root of it, the combined desires to "solve it with technology" and the "strive for perfection".

Whether we can actually do that, is not certain.

Accuracy is one reason. Would voting machines have solved Florida in 2000?

You could (in theory) also get better accounting of votes and detect oddities.

Didn't (mechanical) voting machines cause the Florida 2000 debacle?

I can't think of a worse idea than electronic voting machines in Argentina or Brazil.

Corruption is chronic there. I traveled to Brazil with a friend, he made a mistake (not using common sense) and his camera and the bag we used with several electronic tools were stolen. He went to the police, and was beaten by the police!!

We are from Spain and he simply expected a behavior in institutions that does not exist there. In Brazil you are either rich or poor, and the police protect the rich (or the highest bidder) with an iron fist. They are rude and you better not resist.

Argentina by the way has Spanish and Italian "picaresca" in their veins. "Ser un vivo" and fool other people is not only ok, but something to brag about.

Electronic voting could work in Switzerland or Denmark, and even there I will only trust it for menial tasks, like what they do in Switzerland asking people's opinion on the new street lights (they do it using mail!!) and so on, but never with serious things like who gets in power.

Last time I was in Argentina, there were elections, and the politicians were literally buying the vote of poor people with crumbs even renting buses for them.

India has been successfully using EVMs for elections since the turn of the century [1].

And an Indian General Election is no menial task. In the latest election of 2014, 814.5 million people were eligible to vote, making it the largest-ever election in the world. A total of 8,251 candidates contested for 543 seats in the Indian parliament. The average election turnout was around 66.38% [2].

[1] https://en.wikipedia.org/wiki/Indian_voting_machines

[2] https://en.wikipedia.org/wiki/Indian_general_election,_2014

Electronic voting has been discussed in Denmark and both experts and most politicians are against it. I suspect there's some correlation between how eager countries are to introduce electronic voting and how likely it is to be abused.

As an Argentine citizen, I can vouch for everything said above.

Indeed, some political parties give buses and free food to people as "motivation" to vote (even though voting is mandatory).

Since being a child I've known that on a long distance bus, or airplane, you never put anything remotely valuable in your luggage, and carry those things with you. Otherwise they'll be stolen. It's not "they might be stolen", it's very much a hard rule.

I'm from Brazil. What you are describing is the "Brazilian way" (jeitinho brasileiro), which indeed happens. Many people are against electronic voting machines, but the problem is that we don't have good politicians that represent us to make opposition. And some part of the population even know what is happening with the country.

au contraire. it's a great idea.

corruption and vote manipulation will happen either way. but that way it's at least a little more ecological and economical for the tax payers. not to mention two days earlier to get results so you know alpha corrupt du jour (and two less days for the former one to screw things even more for the new one during the murky transition period)

Security guys in Argentina are working hard on Friday. Shell command injection in the code: http://pastebin.com/KNNjAyzP

It is important to note that the computer security and bitcoin scene are very strong in Argentina. See http://www.ekoparty.org/eng/index.php

Slightly off-topic but as I stop to think about it, I think this is one of the only times I have ever seen code in non-English. I'm confident enough in Python that I know the only difference is in reference names, and that has nothing to do with the computational logic or structure...but I'm taken aback by how non-trivial -- even with the syntax highlighting -- it is to tell my brain that it's just Python, and to treat it like any other code with strange naming conventions. I don't know what the takeaway is here...that proper naming conventions and self-documenting code is even more important than I realized...and/or that not having familiar context (i.e., what are these variables referring to) is a substantial mental drain...even though it's not particularly important to debugging the code.

It definitely makes me respect all non-English coders even more, for happily putting up with the ASCII status quo...especially those from non-Latin languages, such as Matz.

You should try your hand at deobfuscation of a VM bytecode like actionscript (flash), CLR, or JVM. I suspect that will give you good practice with dealing with "strange naming conventions" ;)

You should try to read Cyrillic code comments...

Wow. I find it stunning that in 2015, there are still engineers who execute user inputs without any kind of sanitization.

The input is sanitized: https://github.com/prometheus-ar/vot.ar/blob/master/msa/voto...

It's just that people are too eager to scream "vulnerability!" without properly checking it before.

Correct me if I am wrong but client side sanitization does not really count. It is really easy to bypass that check (send packets directly to the backend or use dev tools for example)

No, because it's not a website with a network between the backend and frontend. It's a desktop app, with no network connection, just using html for the gui. Nobody can send packages to it.
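The exchange above turns on where the check lives. As an added example (not code from vot.ar or from any commenter; the allow-list pattern, the helper command and all names are assumptions), this Python sketch validates at the point where an external program is started, independent of anything the GUI layer filtered, and passes the value as a single argv element so that no shell ever parses it:

```python
import re
import subprocess
import sys

# Assumed allow-list for this example: short identifiers, no spaces, no
# shell metacharacters, no leading "-" (so no option injection either).
ALLOWED = re.compile(r"[A-Za-z0-9_.]{1,64}")

# Stand-in for an external helper program: writes its first argument back out.
ECHO_HELPER = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]

# Constructed sample inputs, not taken from the leaked code.
SAMPLES = ["mesa_0042", "acta.2015", "mesa 0042", "x; echo INJECTED",
           "$(hostname)", "mesa_0042\n", "", "a" * 65]


def validate_at_sink(value):
    """Reject anything outside the allow-list, whatever the GUI already did."""
    # fullmatch() is deliberate: match() with "$" would accept a trailing newline.
    if not isinstance(value, str) or not ALLOWED.fullmatch(value):
        raise ValueError("rejected value: %r" % (value,))
    return value


def run_helper(value, validate=True):
    """Start the helper with `value` as one argv element and return its output."""
    if validate:
        value = validate_at_sink(value)
    result = subprocess.run(ECHO_HELPER + [value], shell=False,
                            capture_output=True, text=True,
                            check=True, timeout=10)
    return result.stdout


def classify(samples):
    """Map each sample to 'accepted' or 'rejected' under the sink-side check."""
    verdicts = {}
    for sample in samples:
        try:
            validate_at_sink(sample)
            verdicts[sample] = "accepted"
        except ValueError:
            verdicts[sample] = "rejected"
    return verdicts


if __name__ == "__main__":
    for sample, verdict in classify(SAMPLES).items():
        print("%-22r %s" % (sample, verdict))
    # Second layer: even with validation skipped, argv passing keeps the
    # metacharacters literal because no shell is involved.
    print(repr(run_helper("x; echo INJECTED", validate=False)))
```

Either layer alone stops the metacharacters from being interpreted; having both means a missed filter in the GUI code does not become command execution.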

Argentinian here. The bitcoin is not that big around here, there are some enthusiasts but it's not something you see every day.

No. I was talking about the people, not the use.

In Argentina we have the top development team of BitPay, developing cutting edge stuff like Copay, Bitcore Wallet Service, etc. People like Matias Alejo Garcia, and Manuel Araoz (now a BitPay alumnus). Look at: https://github.com/bitpay/bitcore-wallet-service and other projects.

We have Sergio Lerner, one of the top security researchers and the official Bitcoin Core security reviewer. Look at his blog: https://bitslog.wordpress.com/

We have also projects like Xapo.

And many many others like https://streamium.io/

Not mainstream by any stretch of the imagination, but we still have the strongest Bitcoin userbase in the region, with Brazil in close second.

That exploit won't work.

If Alfredo says it, I am sure he is right and he can find other bugs.

Lol yes, there are many more bugs ;)

Analyzing your second paragraph, it only makes perfect sense for you to note "that the computer security and bitcoin scene are very strong" if bitcoin means "untraceable criminal currency". Because then you are making a valuable comment that election fraud through purchasing hacks of the voting system are especially possible in Argentina, due to a strong computer security scene, and a strong criminal untraceable currency scheme.

Otherwise, why would you juxtapose the irrelevant mention of bitcoins? It's not hard to pay someone (i.e. this is completely irrelevant) except if the payment is for criminal activity - then it's hard.

This is sad, as bitcoin and other blockchain technology is cool. Your comment is just a data point (I won't list other ones, just keep an eye out for them in the future) that shows that a functional society requires a legal layer baked into the peer to peer currency protocol (at a minimum self-reporting regarding identities involved). Nobody wants to live in a world where people can anonymously purchase election counting source code from an employee of that company, using the online equivalent of a suitcase full of cash, (except probably without anyone knowing and nothing else being involved except network traffic) then the same night turn around and purchase the untraceable services of a security firm located in a totally different city (or who knows where), again using the online equivalent of a suitcase full of cash. I am positive nobody wants that.

That means that there is a huge, huge market opportunity for a non-criminal distributed online currency. I bet half the people I know would prefer to use that over bitcoin. Yes, because they have nothing to hide: but also, because they do not trust that criminals who are able to buy elections have nothing to hide.

I realize that technical solutions are preferable to legal solutions; but there are some things technology can't solve, and "untraceably buying elections from the people tasked with computer counting them, by untraceably bribing employees for source code and then surreptitiously supplying it to blackhat security firms and purchasing an attack vector, without any connection to the former" is one of these.

Bitcoin is absolutely great. It will be better when it comes with a social contract.

This page - https://bitcoin.org/en/download

should have 2 versions "[ ] With social contract", "[ ] Client only", where the one with the social contract lets governments trace your transactions the same as they can with bank transfers. (Not sure of the mechanism.) I don't mind making bank transfers, or the government seeing this, and I don't prefer cash to using my card etc etc etc. An online currency is supremely cool, far more convenient, and I would have no problems downloading the version with the social contract. (I think governments should have the same level of access as they do to bank transfers.)

I consider it a genuine problem that I don't even have this choice.

It's not about having a currency for criminal activities but to have a currency at all that is widely accepted in outside countries. Only in tourist areas of Brazil, Chile, Uruguay and other bordering countries you can change your pesos into something else but definitely not at the official exchange rate.

Also with an annual inflation rate of 25% - 35% you don't want to have your savings in pesos. That's why many people buy dollars on the street if they can't get it in legal ways. Also BitCoin is usable as it can change in any kind of currency without too much red tape.

If you read my other comment you can understand that I mentioned the bitcoin scene as part of the security scene and I was not talking about the bitcoin use but the excellence of people working on cryptocurrency projects. People who can do state of the art security reviews and provide good feedback about electronic voting systems.

Ex-developer of that system here (not working in MSA anymore since 3 years ago). Can answer questions if there aren't hundreds of them.

Hi, have a couple...

1) First, I found the complete lack of security puzzling. I mean, they don't even use SSL in their site logins. You use md5 to check firmware...and the coders are obviously capable of using proper cryptography, but they won't. It's like they completely gave up on any kind of security whatsoever. Is this something deliberate?

2) Why the RFID to store the vote? why not a qr-code? it's hard to read? RFID tags are hundreds of times more expensive, they can be unlocked, re-written, must be protected with a weird faraday cage that do not work correctly (Faraday cages must be grounded!) they are a nightmare. I'm sure there must be a good reason.

1) Here you make a lot of false statements, and then conclude on the lack of security based on them. So let me answer to each of them:

> they don't even use SSL in their site logins.

Which sites? The only one I can think of having a login is the transmission site, and it not only uses SSL, it even has two way certs validation, so even the client has to have valid SSL certs which the server validates.

> You use md5 to check firmware

No. They use SHA256, not MD5, and to check the CD software, not firmware (there is no way you can checksum a firmware securely if the firmware wants to lie to you).

> and the coders are obviously capable of using proper cryptography, but they won't

Yes, they use encryption, where it makes sense, like the double SSL in transmission.

But I guess you are referring to the unencrypted chip data. It would be useless to encrypt that. Think for a second: the machine needs to be able to read that chip on the counting step. So you are distributing the unencryption keys in hundreds of public CDs that very same day. Having the data on the chips encrypted would accomplish nothing, the keys to unencrypt them would be public. It's like putting a padlock on your bike, but leaving the key along the padlock.

So no, nobody has given up on security, you just probably have read misleading things.

2) Again, several wrong things, will answer separately:

> why not a qr-code? it's hard to read?

This is the only one I can't answer with full knowledge, but I think it had something to do with them being hard to read because of the quality of the print (thermal fast printing)

> they can be unlocked, re-written

No, they can't. It's a physical process that burns and cuts connections on the chip, you can't "rebuild" them to unlock it again.

The thing you probably saw was people rewriting demo ballots, which are created with the machine configured in demo mode, in which it doesn't burn the chips, to be able to reuse the same in several demos. The people claiming that even published photos of the supposed "real" ballots they where rewriting, and the ballots had in really big letters crossing all the print, the text "DEMOSTRACION USO NO OFICIAL". So, no, they weren't rewriting real ballots, it's obvious those where demo ones.

> with a weird faraday cage that do not work correctly

Reality doesn't agree with you, hehe. Even people opposing the system had tried and weren't able to read the chips through the shield. It's simply a shield which has enough mass to absorb the signal that the chip emits.

>Which sites?

The tech login sites.

>They use SHA256, not MD5


>double SSL

Come on...

>hard to read because of the quality of the print

print them bigger? change the printer? this makes no sense, unless you want to have the ability to change the vote. It's the only logical explanation.

>I guess you are referring to the unencrypted chip data.

No, I'm referring, for example, to software package signatures.

>No, they can't. It's a physical process

This is simply not true. Even if you had the power to physically burn something in the chip (you do not), many RFID chips allow unblocking with a special password, because they do not really burn anything. You don't know how the rfid chip works internally because the design is not public, and there are no ways to check the model of chip used.

> Even people opposing the system had tried

Who? were they qualified RF engineers or just some dudes with a commercial RFID reader? No signal can be "absorbed" completely.

s/where/were/g :)

There has been a lot of discussion over the past few months about this. The voting machines were created by a private company (MSA). The code was supposedly "open" but it was nowhere to be seen.

The machines basically print an electronic voting bill, that has an RFID chip which is reportedly vulnerable.

Still, this can be considered better than Brazil's system: The code cannot be read by the population, the machine itself has secret proprietary components, testing its security is not truly allowed (the government claims to allow testing, but the test has rules to make true testing impossible, and the allowed tests pointless), and... the machine prints nothing, you are supposed to trust whatever it says the vote count is, without even being able to see if there are bugs or not in the vote counter (what if it has a loop with a > instead of >= for example, that causes 1 less vote per machine?)

That's not a voting machine - that's a secret coup d'état.

Here in San Mateo County, we have a good voting machine system, although the knob-based UI is strange. After you've selected all your votes, you press the "done" button, and, behind a transparent window, a printer prints your votes on paper, with the chosen candidates names spelled out fully, followed by a big 2D bar code. You can then accept or cancel your vote. If you reject the printed version, it prints CANCELED and you start over. If you accept, it prints VOTED, and the paper roll winds past the window.

The paper is a backup. The votes are also recorded by the software. But the paper can be read by hand if necessary, or by a scanner which reads the bar codes. So recounts are possible and checkable by all parties.

If the paper can be read, political thugs will use bullying and intimidating tactics to get votes. Secret ballot is essential.

It's possible to make verifiable secret systems. Some have even been tested in real elections in the US as part of projects by NIST (for arcane reasons, NIST controls voting technology in the US :P). For example, Takoma Park in Maryland has used Scantegrity a few times (2009, 2011).

The paper is behind a window, it is not a receipt and you don't take it with you. It is secret.

The title can stop being a question. MSA has confirmed that this is their code, but they say it's a copy from earlier this year, and that they have been working on it, so it's already old:


New code can share the same bugs and add new ones.

The point here is that voting machines must be open source and their hardware completely public to analyze it. This can't be the weakest link in a democracy.

Open source software is certainly preferable to closed, but it's not sufficient for a voting machine, because there is logically no way for the user to verify that the software on the machine is what it is supposed to be.

Nor is there a way for the voter to verify that the machine itself is what it's supposed to be.

Now, if the hardware instead

1) could be provided by the voters themselves,

2) was easily auditable

3) was used in their daily lives providing a ubiquitous understanding of the technology involved

only THEN would it be appropriate for use in elections. So far, only pen and paper fulfils all of those criteria.

It also needs to be anonymous to prevent people buying or coercing other people's votes.

and if you satisfy all those requirements, and others, congratulations, you've probably just invented the world's most expensive printer.

This is a terrible idea. I lived in Argentina for two years and studied the country. It's a cesspool of corruption, with scant separation of powers (see Nisman, Alberto).

Even in less corrupt countries, electronic voting is a terrible idea: it's vulnerable to hacking and, because the system is opaque to the average citizen, erodes trust.

Richard Stallman has been emphatic on this point: https://stallman.org/evoting.html

The more at stake, the greater the temptation, the greater the likelihood of fraud. Leave online decisions to scheduling problems a la doodle.com

People should recognize that sometimes paper is superior to bits.

if(citizen.isDead && !citizen.hasVoted){ FPV++; citizen.hasVoted=true }


No, in general developers in Argentina also comment in English.

If only we had the perfect voting system, and if only the deck chairs on the Titanic were aligned just so...
