
Election security, e-voting, and voter registration systems


  • Clipse, Registered User regular
    Feral wrote: »
    Clipse wrote: »
    I feel obligated to also say fuck anyone who is concerned with cost-reduction when it comes to running elections, we spend shitloads of money on the stupidest shit imaginable and elections are the absolute core of any government that wants to call itself a democracy. Our elections cost very little in the grand scheme of things, and attempts to reduce cost that also reduce security should be roundly rejected.

    A properly implemented paper+electronic system would both reduce costs and improve security from what we have now.

    But, as I said above, IT systems are rarely properly implemented.

    Which is precisely why I don't think cost should be something we seriously consider: it isn't like the cost of paper ballot elections is burdensome, reducing it should be the absolute last priority.

  • Feral, MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ, Registered User regular
    Clipse wrote: »
    Feral wrote: »
    Clipse wrote: »
    I feel obligated to also say fuck anyone who is concerned with cost-reduction when it comes to running elections, we spend shitloads of money on the stupidest shit imaginable and elections are the absolute core of any government that wants to call itself a democracy. Our elections cost very little in the grand scheme of things, and attempts to reduce cost that also reduce security should be roundly rejected.

    A properly implemented paper+electronic system would both reduce costs and improve security from what we have now.

    But, as I said above, IT systems are rarely properly implemented.

    Which is precisely why I don't think cost should be something we seriously consider: it isn't like the cost of paper ballot elections is burdensome, reducing it should be the absolute last priority.

    It's a low priority to me, too.

    It's only a priority to me at all because I think our country was severely fucked in the ass by the decision in the 2000 election to do the weakest possible recount.

    I can't guarantee that, had recounts been cheaper and faster, we would have done a statewide recount considering the rightward lean of SCOTUS at the time. But it would have been easier to justify.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Orca, Also known as Espressosaurus Wrex, Registered User regular
    edited July 2018
    Feral wrote: »
    Orca wrote: »
    I still have yet to see anyone articulate both an electronic system and a means of securing said system such that it's superior to what is already possible with paper + machine counted + human verification.

    I maintain that it's solving the wrong problem. Speed is not critical in this domain. Money is not critical in this domain. Security is, as is accessibility.

    Use the electronic goodies to secure the physical ballots. Store them in bank vaults if you like. Chain of custody for physical artifacts has well-known ways of being secured since it requires local actors and you can't strike from halfway across the globe.

    Paper ballots routinely go missing. You can get ample examples from just googling "lost election ballots." Here's just one example from my region that I found from a lazy Google search.

    This happens across multiple precincts in every election.

    I'm randomly searching high-population states, and either I'm using the wrong keywords, or it's not that frequent (edit: or not that reported). Much more frequent seems to be people getting taken off the voter rolls, or less frequently but still more often, mail-in ballots getting lost due to various snafus at the post office.

    I don't object to an electronic record being a cross-check (in fact that's a good idea), but the ground truth to me is the physical ballot. And if we're not properly securing them, that can be solved via changes in procedures (as in what occurred following the incident you pointed out).

  • tbloxham, Registered User regular
    Feral wrote: »
    Orca wrote: »
    I still have yet to see anyone articulate both an electronic system and a means of securing said system such that it's superior to what is already possible with paper + machine counted + human verification.

    I maintain that it's solving the wrong problem. Speed is not critical in this domain. Money is not critical in this domain. Security is, as is accessibility.

    Use the electronic goodies to secure the physical ballots. Store them in bank vaults if you like. Chain of custody for physical artifacts has well-known ways of being secured since it requires local actors and you can't strike from halfway across the globe.

    Paper ballots routinely go missing. You can get ample examples from just googling "lost election ballots." Here's just one example from my region that I found from a lazy Google search.

    This happens across multiple precincts in every election.

    Paper ballots routinely go missing in small numbers, at random. Which is utterly meaningless in a large population of votes. If 99% of the votes are counted, and votes are lost at random, then the odds of the lost votes affecting the total result are minuscule. The lost ballot effect is likely far smaller than the 'wrote wrong candidate on ballot' total AND the 'just didn't care and chose at random' total, so losing, or not losing ballots adds no additional randomness to the result of the election.

    Destroying specific ballot groups is possible, but far more rare in modern US voting, because we are actually VERY good at tracking malicious direct assaults on the ballot boxes.

    I'm pretty sure that it is IMPOSSIBLE for an electronic system with distributed access (IE, vote from home) to be more secure than a physical system simply due to the ENORMOUS cost and risk of interfering with a physical system in a significant way. Whereas all electronic systems, due to their complexity, will always have points of failure. And with an election, if you get an election day failure, then there is nothing which can be done about it.

    "That is cool" - Abraham Lincoln
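tbloxham's argument above, worked through as an added example (not part of any post in the thread): the exact hypergeometric probability that ballots lost uniformly at random erase a lead, beside the worst-case bound that applies when the loss is not random. The vote counts are constructed; the 1% loss rate is the one from the post.

```python
from fractions import Fraction
from math import comb


def p_random_loss_erases_lead(votes_a, votes_b, lost):
    """Exact probability that losing `lost` ballots uniformly at random
    turns A's lead into a tie or a loss (two-candidate race, A ahead)."""
    if votes_a <= votes_b:
        raise ValueError("votes_a must be the leading candidate's count")
    total = votes_a + votes_b
    if not 0 <= lost <= total:
        raise ValueError("lost must be between 0 and the number of ballots")
    margin = votes_a - votes_b
    favourable = 0
    # lost_a of the missing ballots were A's, the remaining lost_b were B's.
    for lost_a in range(max(0, lost - votes_b), min(lost, votes_a) + 1):
        lost_b = lost - lost_a
        # The lead is erased only if A loses at least `margin` more ballots than B.
        if lost_a - lost_b >= margin:
            favourable += comb(votes_a, lost_a) * comb(votes_b, lost_b)
    return Fraction(favourable, comb(total, lost))


def worst_case_loss_can_erase_lead(votes_a, votes_b, lost):
    """Bound for non-random loss: if every missing ballot belonged to the
    leader, the lead is erased once the loss reaches the margin."""
    return lost >= votes_a - votes_b


if __name__ == "__main__":
    # Constructed races of 10,000 ballots with 1% (100 ballots) missing.
    for a, b in [(5100, 4900), (5010, 4990)]:
        p = p_random_loss_erases_lead(a, b, 100)
        print(f"A={a} B={b} margin={a - b}: "
              f"random loss erases lead with p={float(p):.4f}; "
              f"worst case possible: {worst_case_loss_can_erase_lead(a, b, 100)}")
```

With a 200-vote margin the 100 missing ballots cannot change the winner under any assumption; with a 20-vote margin random loss rarely does, while the worst-case bound is exceeded, which is the distinction the post draws between random loss and destroyed ballot groups.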
  • Clipse, Registered User regular
    Feral wrote: »
    Clipse wrote: »
    Feral wrote: »
    Clipse wrote: »
    I feel obligated to also say fuck anyone who is concerned with cost-reduction when it comes to running elections, we spend shitloads of money on the stupidest shit imaginable and elections are the absolute core of any government that wants to call itself a democracy. Our elections cost very little in the grand scheme of things, and attempts to reduce cost that also reduce security should be roundly rejected.

    A properly implemented paper+electronic system would both reduce costs and improve security from what we have now.

    But, as I said above, IT systems are rarely properly implemented.

    Which is precisely why I don't think cost should be something we seriously consider: it isn't like the cost of paper ballot elections is burdensome, reducing it should be the absolute last priority.

    It's a low priority to me, too.

    It's only a priority to me at all because I think our country was severely fucked in the ass by the decision in the 2000 election to do the weakest possible recount.

    I can't guarantee that, had recounts been cheaper and faster, we would have done a statewide recount considering the rightward lean of SCOTUS at the time. But it would have been easier to justify.

    I guess my question still boils down to: what is the point of ever having machines do a recount? Why should we expect it to have different results? I could, at most, maybe get on board with some sort of hybrid where we have humans re-running ballots through a scantron, because the humans involved might pull out contentious ballots for (human) review -- but any sort of system where we've stored some representation of ballots in a database is ultimately just going to be summing entries in a database, which will (should) reliably produce the same result. It can be as cheap and fast as you want -- you can measure it in megarecounts per second! -- but it won't meaningfully address concerns about mishandled ballots, &c. unless humans are significantly involved. At least as far as I can reason. Do you have a specific example case in mind where machine recounting -- even just partial machine recounting -- would substantially improve the process?

  • Jebus314, Registered User regular
    Clipse wrote: »
    Jebus314 wrote: »
    discrider wrote: »
    I mean, yes, I would want that.
    So depending on what we want electronic voting for, this could be completely out of the question.

    So what do we want electronic voting for anyway?

    - To vote from home!
    No, you do not want this.
    You can't have people voting from their home PCs without also having other attackers voting from their home PCs.
    Postal votes aren't necessarily great either, but at least they're somewhat easier to control.
    Best thing would be to keep the voting booth open for more than a day.

    - To ensure someone can only vote once!
    If you have a central electoral roll that's updated by every voting station, then it's likely that the roll could be updated by other attackers to prevent people from voting at all.
    You could potentially have a separate electoral roll per voting station, and then cross-check them after the election, but that's not much different to having a phonebook of all the residents and checking them off. It might be quicker, but it might be easier to corrupt.

    - Quicker vote counting!
    I assume that's what a scantron is? It counts physical votes by scanning them?
    Either way, having a physical copy of the count allows cross-checking, even if there's an electronic copy.

    - Quicker result reporting!
    So supposing that the people manning the voting station can't be trusted to pick up the phone and give the result, then having encrypted channels set up before the day could ensure the correct result makes it back to the central voting authority.
    Otherwise if you can trust the people manning the vote station, a phone is easier.

    Disagree about voting from home. All you need is a password/pin. Shift the authentication of your citizenship/residency to when you register. That is when you prove you are you, and at the end of it you select a 6 digit pin or a password. Then when you go to vote you just authenticate with your password.

    This is a staggeringly naive view of cybersecurity. First: even if a small percentage of the population pick terrible passwords/PINs (eg "password", 1234, etc.) it opens the door for rampant hijacking of election accounts very easily -- you can try to allow fixes to this, but I don't see any way that wouldn't basically result in potentially millions of people needing to have their vote invalidated because of "hacking" every election cycle, which is a fucking disaster. Second: even people who use competent or semi-competent passwords (let's not even address PINs, because what the fuck were you even thinking there?) can fall for phishing attacks and so on, leaking their credentials to attackers. Third: compromised computers could easily MITM this and alter your vote choices before submission without you knowing -- again, there are ways you could remediate this issue, but the cost would be (eg) keeping a database of who everyone voted for, which is fucking disastrous.

    Seriously, any "vote from your home PC!" type system needs to be secured against fucking state level actors! The shit you've proposed isn't secured against the teenager next door who's good with computers. Jesus Christ.

    If you're worried about bad passwords then auto generate good random ones for people instead of letting them pick.

    You control the number of times an account can be wrongly password entered before it’s locked and in person voting is required, so brute force attacks aren’t possible.

    No vote is invalidated because you can always vote in person and it supersedes any mistake in your previous vote/gives an option if the electronic version is having problems.

    If you’re worried about MITM then create a web app or something with built in VPN. Have part of voter registration be generating a private key that you scan in to access your private voting terminal online.

    There is so much already digitized that we desperately want to keep secret. Military information. Government secrets. Bank information. Federal reserve information about security details for our money, or current monetary policy.

    I don’t buy the doom and gloom that there is just no way it’s possible. It would need to be tightly regulated and have lots of backups/accountability, but so does the paper method! How much more secure is it if all a state actor needs to do is buy off a high ranking election official or two to fudge the numbers. We don’t do full recounts, pretty much ever.

    The only real argument for paper seems that it necessitates more people being involved. So I can’t just target a server somewhere I have to target a bunch of people. To some extent I suppose that can be better, but I don’t buy that it’s inherently infallible, or that you can’t build a secure system without it.

    As to what it gains you, it’s quite obviously convenience. How many people don’t vote because they don’t have the time? Or can’t be bothered to wait in line? How many more would vote if all it took was logging in at home or at your local library with no wait? How easy is it to disenfranchise entire communities by reducing voting locations or hours? All of that is solved by more convenient voting methods.

    "The world is a mess, and I just need to rule it" - Dr Horrible
  • Polaritie, Sleepy, Registered User regular
    edited July 2018
    Jebus314 wrote: »
    Clipse wrote: »
    Jebus314 wrote: »
    discrider wrote: »
    I mean, yes, I would want that.
    So depending on what we want electronic voting for, this could be completely out of the question.

    So what do we want electronic voting for anyway?

    - To vote from home!
    No, you do not want this.
    You can't have people voting from their home PCs without also having other attackers voting from their home PCs.
    Postal votes aren't necessarily great either, but at least they're somewhat easier to control.
    Best thing would be to keep the voting booth open for more than a day.

    - To ensure someone can only vote once!
    If you have a central electoral roll that's updated by every voting station, then it's likely that the roll could be updated by other attackers to prevent people from voting at all.
    You could potentially have a separate electoral roll per voting station, and then cross-check them after the election, but that's not much different to having a phonebook of all the residents and checking them off. It might be quicker, but it might be easier to corrupt.

    - Quicker vote counting!
    I assume that's what a scantron is? It counts physical votes by scanning them?
    Either way, having a physical copy of the count allows cross-checking, even if there's an electronic copy.

    - Quicker result reporting!
    So supposing that the people manning the voting station can't be trusted to pick up the phone and give the result, then having encrypted channels set up before the day could ensure the correct result makes it back to the central voting authority.
    Otherwise if you can trust the people manning the vote station, a phone is easier.

    Disagree about voting from home. All you need is a password/pin. Shift the authentication of your citizenship/residency to when you register. That is when you prove you are you, and at the end of it you select a 6 digit pin or a password. Then when you go to vote you just authenticate with your password.

    This is a staggeringly naive view of cybersecurity. First: even if a small percentage of the population pick terrible passwords/PINs (eg "password", 1234, etc.) it opens the door for rampant hijacking of election accounts very easily -- you can try to allow fixes to this, but I don't see any way that wouldn't basically result in potentially millions of people needing to have their vote invalidated because of "hacking" every election cycle, which is a fucking disaster. Second: even people who use competent or semi-competent passwords (let's not even address PINs, because what the fuck were you even thinking there?) can fall for phishing attacks and so on, leaking their credentials to attackers. Third: compromised computers could easily MITM this and alter your vote choices before submission without you knowing -- again, there are ways you could remediate this issue, but the cost would be (eg) keeping a database of who everyone voted for, which is fucking disastrous.

    Seriously, any "vote from your home PC!" type system needs to be secured against fucking state level actors! The shit you've proposed isn't secured against the teenager next door who's good with computers. Jesus Christ.

    ...

    You control the number of times an account can be wrongly password entered before it’s locked and in person voting is required, so brute force attacks aren’t possible.

    ...

    Okay look, no. This means I just fire "haha" 10 times at every voter, or a selection of voters who probably support people I don't want to win, and now they can't vote remotely. Denial of service is an attack, and you're touting the possibility of it as a good thing. Security is hard, there's a reason basically every security expert on the planet looks at electronic voting and just says "don't". They don't say "do it this way", they say "don't do it".

    Steam: Polaritie
    3DS: 0473-8507-2652
    Switch: SW-5185-4991-5118
    PSN: AbEntropy
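The lockout objection in Polaritie's post above, as an added example that is not part of the thread: constructed login events replayed through a per-account lockout rule, plus a log check that flags a source driving many accounts to the threshold. The addresses, account names and the 5-account alert threshold are assumptions; the 10-failure lockout follows the post.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 10   # failed logins before remote voting is disabled (the post's "10 times")
SWEEP_MIN_ACCOUNTS = 5   # assumed alert threshold: accounts one source pushed to lockout


def build_sample_events():
    """Constructed (source, account, password_correct) events in arrival order."""
    events = []
    # One source sends exactly LOCKOUT_THRESHOLD wrong passwords to 40 accounts.
    for n in range(1, 41):
        events += [("198.51.100.7", f"voter{n:03d}", False)] * LOCKOUT_THRESHOLD
    # An ordinary voter mistypes twice, then logs in.
    events += [("203.0.113.5", "voter041", False)] * 2
    events.append(("203.0.113.5", "voter041", True))
    # A voter from the swept range arrives later with the correct password.
    events.append(("203.0.113.9", "voter007", True))
    return events


def replay_lockout(events, threshold=LOCKOUT_THRESHOLD):
    """Apply the per-account rule; return (locked accounts, rejected valid logins)."""
    failures = defaultdict(int)
    locked, rejected_valid = set(), []
    for _source, account, password_correct in events:
        if account in locked:
            # Locked accounts refuse every attempt, including the real voter's.
            if password_correct:
                rejected_valid.append(account)
            continue
        if password_correct:
            failures[account] = 0
        else:
            failures[account] += 1
            if failures[account] >= threshold:
                locked.add(account)
    return locked, rejected_valid


def flag_lockout_sweeps(events, threshold=LOCKOUT_THRESHOLD,
                        min_accounts=SWEEP_MIN_ACCOUNTS):
    """Return {source: [accounts]} for sources that alone drove many accounts to lockout."""
    per_source = defaultdict(lambda: defaultdict(int))
    for source, account, password_correct in events:
        if not password_correct:
            per_source[source][account] += 1
    flagged = {}
    for source, counts in per_source.items():
        hit = sorted(a for a, n in counts.items() if n >= threshold)
        if len(hit) >= min_accounts:
            flagged[source] = hit
    return flagged


if __name__ == "__main__":
    events = build_sample_events()
    locked, rejected = replay_lockout(events)
    print(f"{len(locked)} accounts locked without one password being guessed")
    print(f"valid logins rejected because of the lock: {rejected}")
    for source, accounts in flag_lockout_sweeps(events).items():
        print(f"review {source}: drove {len(accounts)} accounts to lockout")
```

The replay shows the lockout stopping password guessing and locking out the real voter in the same step; the per-source count is what an operator would have to watch to tell the two apart.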
  • Clipse, Registered User regular
    Jebus314 wrote: »
    Clipse wrote: »
    Jebus314 wrote: »
    discrider wrote: »
    I mean, yes, I would want that.
    So depending on what we want electronic voting for, this could be completely out of the question.

    So what do we want electronic voting for anyway?

    - To vote from home!
    No, you do not want this.
    You can't have people voting from their home PCs without also having other attackers voting from their home PCs.
    Postal votes aren't necessarily great either, but at least they're somewhat easier to control.
    Best thing would be to keep the voting booth open for more than a day.

    - To ensure someone can only vote once!
    If you have a central electoral roll that's updated by every voting station, then it's likely that the roll could be updated by other attackers to prevent people from voting at all.
    You could potentially have a separate electoral roll per voting station, and then cross-check them after the election, but that's not much different to having a phonebook of all the residents and checking them off. It might be quicker, but it might be easier to corrupt.

    - Quicker vote counting!
    I assume that's what a scantron is? It counts physical votes by scanning them?
    Either way, having a physical copy of the count allows cross-checking, even if there's an electronic copy.

    - Quicker result reporting!
    So supposing that the people manning the voting station can't be trusted to pick up the phone and give the result, then having encrypted channels set up before the day could ensure the correct result makes it back to the central voting authority.
    Otherwise if you can trust the people manning the vote station, a phone is easier.

    Disagree about voting from home. All you need is a password/pin. Shift the authentication of your citizenship/residency to when you register. That is when you prove you are you, and at the end of it you select a 6 digit pin or a password. Then when you go to vote you just authenticate with your password.

    This is a staggeringly naive view of cybersecurity. First: even if a small percentage of the population pick terrible passwords/PINs (eg "password", 1234, etc.) it opens the door for rampant hijacking of election accounts very easily -- you can try to allow fixes to this, but I don't see any way that wouldn't basically result in potentially millions of people needing to have their vote invalidated because of "hacking" every election cycle, which is a fucking disaster. Second: even people who use competent or semi-competent passwords (let's not even address PINs, because what the fuck were you even thinking there?) can fall for phishing attacks and so on, leaking their credentials to attackers. Third: compromised computers could easily MITM this and alter your vote choices before submission without you knowing -- again, there are ways you could remediate this issue, but the cost would be (eg) keeping a database of who everyone voted for, which is fucking disastrous.

    Seriously, any "vote from your home PC!" type system needs to be secured against fucking state level actors! The shit you've proposed isn't secured against the teenager next door who's good with computers. Jesus Christ.

    If you're worried about bad passwords then auto generate good random ones for people instead of letting them pick.

    You control the number of times an account can be wrongly password entered before it’s locked and in person voting is required, so brute force attacks aren’t possible.

    No vote is invalidated because you can always vote in person and it supersedes any mistake in your previous vote/gives an option if the electronic version is having problems.

    If you’re worried about MITM then create a web app or something with built in VPN. Have part of voter registration be generating a private key that you scan in to access your private voting terminal online.

    There is so much already digitized that we desperately want to keep secret. Military information. Government secrets. Bank information. Federal reserve information about security details for our money, or current monetary policy.

    I don’t buy the doom and gloom that there is just no way it’s possible. It would need to be tightly regulated and have lots of backups/accountability, but so does the paper method! How much more secure is it if all a state actor needs to do is buy off a high ranking election official or two to fudge the numbers. We don’t do full recounts, pretty much ever.

    The only real argument for paper seems that it necessitates more people being involved. So I can’t just target a server somewhere I have to target a bunch of people. To some extent I suppose that can be better, but I don’t buy that it’s inherently infallible, or that you can’t build a secure system without it.

    As to what it gains you, it’s quite obviously convenience. How many people don’t vote because they don’t have the time? Or can’t be bothered to wait in line? How many more would vote if all it took was logging in at home or at your local library with no wait? How easy is it to disenfranchise entire communities by reducing voting locations or hours? All of that is solved by more convenient voting methods.

    Autogenerated passwords: Only addresses my first point, not my second or third. Adds to disenfranchisement concerns.

    Limiting number of attempted logons: Helps (but doesn't entirely solve) my first concern, massively adds to disenfranchisement concerns.

    Voting in person supersedes online votes: Helps mitigate disenfranchisement, but doesn't address any of my concerns unless they're *aware* that their account has been compromised in some fashion, which they may well not be.

    "Built in VPN": If the computer the person is voting from is compromised, this accomplishes nothing.

    So, no, that does nothing meaningful to improve the security. You might at least defeat the neighbor's kid now, though, so I suppose that's an improvement.

    We keep classified military information secret -- to the extent that we do, which isn't great (see: NSA hacking tool leaks, the leak of literally every clearance application from a couple years back, etc.) -- by having way, way, way more rigorous security than pretty much any home user does or can be reasonably expected to.

    Sorry my dude, I'm sure you mean well, but you're about on par with someone showing up in a global warming thread and saying everyone should just run their air conditioners full blast in terms of knowledge.

  • Jebus314, Registered User regular
    I mean yeah you guys we can spitball all day here about ideas and issues. Same goes for paper ballots. They can get lost. Douche bag counters could falsify data. High ranking election officials could fudge numbers. Hanging chads. Miscounts just from human error. Mail fraud (as I pick up a copy of one ballot. Print out a shit tonne of duplicates and fill them out as if I was a bunch of residents, then falsify return addresses).

    Somehow we deal with issues and have elections anyway. I’m not buying that paper ballots are somehow so inherently secure that moving away from them would be instant doom in terms of faked elections.

    "The world is a mess, and I just need to rule it" - Dr Horrible
  • VoodooV, Registered User regular
    Polaritie wrote: »
    Here's my proposed ideal analog election system:

    1) Early/absentee ballots up to a month prior to election. Available to anyone who asks for it.
    2) Voting at the polls uses machine-readable paper ballots.
    3) Voter registration can be done at the polls
    4) The physical polls are open for a few days minimum

    Now, if you want to propose an electronic voting system, go for it, but I expect you to be able to argue why it improves upon this system for cost or convenience without sacrificing security.

    As an election worker since 2008, I'm of the opinion that traditional "voting in person at your precinct" needs to die, or at a minimum, leave it at one day like it is now, but make sure the early voting is available, not just up to a month, but extended hours to accommodate workers who work long/crazy shifts. Early/absentee voting needs to be the primary means of voting and the traditional "in person, at your precinct" needs to become an anachronistic/generational thing that eventually dies out until the day comes that e-voting matures enough to be reliable and more trustworthy. Making physical polls open multiple days increases the costs quite a bit because you have to pay all of us election workers to be there at all the precincts and there are already shortages in staff and it's already a 13 hour day for us election workers. (8am-8pm + setup/teardown time + counting the votes and sealing them up)

    The average election worker, at least in my county, is in their sixties, and many of them have some sort of deficiency, either they skirt the rules or ignore new rules because "they've always done it this way", or they have a hard time doing at least one aspect of the job, which means mistakes are made. Just as an example, the first time I worked an election, in the 2008 general election, one of my fellow coworkers was probably in her late 80s and was pretty much a shut-in and her working the election was pretty much the most social contact she had with other people, so in one of the busiest elections, she stopped voters to chit chat with them endlessly, holding up the line many times. In the most recent election I worked, we had another worker who had a hard time with people's names. Guess what, his sole job was to write down the voter's name in the register. He slowed things down a bit. Thankfully it was just a city primary election which doesn't get many voters. Almost every election I've been in I've experienced some geriatric-related issue. Additionally we had a bit of an issue with non-partisan voters in primaries. Many of the election workers believed that non-partisan voters didn't get to vote at all (they could) and were turned away. To be fair, the training we received was vague. Yet the manual itself, which very few people read, was quite clear. Unless we start treating election work like jury duty and force younger people to help out, it's just going to continue. Of course we're probably just trading one problem for another (people who don't want to be there), but that just goes back to my notion that "in-person voting at your precinct" needs to die.

    And on the other end of it, the typical person who even shows up to vote in person as opposed to early/absentee is also older and also in the "they've always done it this way" camp. Few people who show up in person are younger as the younger generations are already doing early/absentee.

    Despite how annoying it can be, I do recommend doing election work though. It makes you more aware of what the process is. Democracy doesn't just happen on its own. It takes effort.

  • Orca, Also known as Espressosaurus Wrex, Registered User regular
    edited July 2018
    The problem is that electronic voting systems present both a large attack surface (1) and a centralized point of failure (2) that can be exploited remotely and it is much harder to ensure a good audit trail for them (3).

    (1) To be truly secure you need to be able to prove that every chip and bit of software running on your electronics are secure. Your phone alone has dozens of chips, each of them running firmware of greater or lesser complexity. The chips alone would need to be audited to ensure there are no vulnerabilities--I have myself run into and debugged clock-level bugs in ASICs that could cause problems. Improperly securing those chips can lead to problems like Intel's recent AMT bug which is 80 different kinds of not acceptable for this purpose!
    (2) Electronic records that are used as the ground truth represent centralized points that can be attacked remotely unless the machines are air-gapped. And even air-gapping is not necessarily enough against state-level actors. See also: Stuxnet. edit: physical ballots are not as vulnerable since they take up space and you can have neutral observers watching things. That's not to say accidents can't happen, or even malicious things can't happen (see up-thread), but the scope is more localized unless there is an extremely broad physical attack involving hundreds or thousands of people.
    (3) Audit trails have the same problems in that you are either having a verified hardcopy you're using for ground truth, or you are vulnerable to (2) and (1) above. And if you are using the hardcopy as your ground truth, why are you bothering with the electronic copy as anything other than a crosscheck anyway?

  • Jebus314, Registered User regular
    Clipse wrote: »
    Jebus314 wrote: »
    Clipse wrote: »
    Jebus314 wrote: »
    discrider wrote: »
    I mean, yes, I would want that.
    So depending on what we want electronic voting for, this could be completely out of the question.

    So what do we want electronic voting for anyway?

    - To vote from home!
    No, you do not want this.
    You can't have people voting from their home PCs without also having other attackers voting from their home PCs.
    Postal votes aren't necessarily great either, but at least they're somewhat easier to control.
    Best thing would be to keep the voting booth open for more than a day.

    - To ensure someone can only vote once!
    If you have a central electoral roll that's updated by every voting station, then it's likely that the roll could be updated by other attackers to prevent people from voting at all.
    You could potentially have a separate electoral roll per voting station, and then cross-check them after the election, but that's not much different to having a phonebook of all the residents and checking them off. It might be quicker, but it might be easier to corrupt.

    - Quicker vote counting!
    I assume that's what a scantron is? It counts physical votes by scanning them?
    Either way, having a physical copy of the count allows cross-checking, even if there's an electronic copy.

    - Quicker result reporting!
    So supposing that the people manning the voting station can't be trusted to pick up the phone and give the result, then having encrypted channels set up before the day could ensure the correct result makes it back to the central voting authority.
    Otherwise if you can trust the people manning the vote station, a phone is easier.

    Disagree about voting from home. All you need is a password/pin. Shift the authentication of your citizenship/residency to when you register. That is when you prove you are you, and at the end of it you select a 6 digit pin or a password. Then when you go to vote you just authenticate with your password.

    This is a staggeringly naive view of cybersecurity. First: even if a small percentage of the population pick terrible passwords/PINs (eg "password", 1234, etc.) it opens the door for rampant hijacking of election accounts very easily -- you can try to allow fixes to this, but I don't see any way that wouldn't basically result in potentially millions of people needing to have their vote invalidated because of "hacking" every election cycle, which is a fucking disaster. Second: even people who use competent or semi-competent passwords (let's not even address PINs, because what the fuck were you even thinking there?) can fall for phishing attacks and so on, leaking their credentials to attackers. Third: compromised computers could easily MITM this and alter your vote choices before submission without you knowing -- again, there are ways you could remediate this issue, but the cost would be (eg) keeping a database of who everyone voted for, which is fucking disastrous.

    Seriously, any "vote from your home PC!" type system needs to be secured against fucking state level actors! The shit you've proposed isn't secured against the teenager next door who's good with computers. Jesus Christ.

    If you're worried about bad passwords then auto generate good random ones for people instead of letting them pick.

    You control the number of times an account can be wrongly password entered before it’s locked and in person voting is required, so brute force attacks aren’t possible.

    No vote is invalidated because you can always vote in person and it supersedes any mistake in your previous vote/gives an option if the electronic version is having problems.

    If you’re worried about MITM then create a web app or something with built in VPN. Have part of voter registration be generating a private key that you scan in to access your private voting terminal online.

    There is so much already digitized that we desperately want to keep secret. Military information. Government secrets. Bank information. Federal reserve information about security details for our money, or current monetary policy.

    I don’t buy the doom and gloom that there is just no way it’s possible. It would need to be tightly regulated and have lots of backups/accountability, but so does the paper method! How much more secure is it if all a state actor needs to do is buy off a high ranking election official or two to fudge the numbers. We don’t do full recounts, pretty much ever.

    The only real argument for paper seems that it necessitates more people being involved. So I can’t just target a server somewhere I have to target a bunch of people. To some extent I suppose that can be better, but I don’t buy that it’s inherently infallible, or that you can’t build a secure system without it.

    As to what it gains you, it’s quite obviously convenience. How many people don’t vote because they don’t have the time? Or can’t be bothered to wait in line? How many more would vote if all it took was logging in at home or at your local library with no wait? How easy is it to disenfranchise entire communities by reducing voting locations or hours? All of that is solved by more convenient voting methods.

    Autogenerated passwords: Only addresses my first point, not my second or third. Adds to disenfranchisement concerns.

    Limiting number of attempted logons: Helps (but doesn't entirely solve) my first concern, massively adds to disenfranchisement concerns.

    Voting in person supersedes online votes: Helps mitigate disenfranchisement, but doesn't address any of my concerns unless they're *aware* that their account has been compromised in some fashion, which they may well not be.

    "Built in VPN": If the computer the person is voting from is compromised, this accomplishes nothing.

    So, no, that does nothing meaningful to improve the security. You might at least defeat the neighbor's kid now, though, so I suppose that's an improvement.

    We keep classified military information secret -- to the extent that we do, which isn't great (see: NSA hacking tool leaks, the leak of literally every clearance application from a couple years back, etc.) -- by having way, way, way more rigorous security than pretty much any home user does or can be reasonably expected to.

    Sorry my dude, I'm sure you mean well, but you're about on par with someone showing up in a global warming thread and saying everyone should just run their air conditioners full blast in terms of knowledge.

    You’re just some guy on the internet, I’m just some guy on the internet. I don’t believe that you are so knowledgeable that you somehow understand something that totally invalidates my points.

    But please feel free to explain to me how you are actually the foremost security expert in America.

    "The world is a mess, and I just need to rule it" - Dr Horrible
  • Options
    ClipseClipse Registered User regular
    Jebus314 wrote: »
    I mean yeah you guys we can spit ball all day here about ideas and issues. Same goes for paper ballots. They can get lost. Douche bag counters could falsify data. High ranking election officials could fudge numbers. Hanging chads. Miscounts just from human error. Mail fraud (as I pick up a copy of one ballot. Print out a shit tonne of duplicates and fill them out as if I was a bunch of residents, then falsify return addresses).

    Somehow we deal with issues and have elections anyway. I’m not buying that paper ballots are somehow so inherently secure that moving away from them would be instant doom in terms of faked elections.

    The difference is that literally any of the issues I've brought up can easily be exploited to swing entire elections, while the issues with paper ballots (lost ballots, human error, falsified counts from individual polling locations, etc) are enormously less likely to do so. Additionally, many forms of trying to deliberately abuse the paper ballot system involve people with little to gain exposing themselves to serious criminal punishment (eg, your mail fraud example) -- some hackers working with plausible deniability for a foreign government are never going to face (negative) consequences for attacking our elections even on a massive scale, while American citizens attacking the election even on a small scale can face significant jail time.

    To put it bluntly: paper ballots with reasonable handling are, in fact, that much more secure than any "vote from your home PC" style system we can conjure at this moment. In particular, it's essentially impossible to vote safely from a compromised computer, and I believe the best estimate is that something in the vicinity of 30% of all home computers are compromised (tbh: I would suspect higher, but that's just me). Obviously there's no guarantee that they would all be abused to interfere with their users' voting, but if even one in ten of them did it could easily have a massive effect on our elections.

    When it comes down to it, we have a very good system for letting people vote from home: mail-in ballots. They're cheap, easy, friendly to those who aren't tech savvy, and subject to none of the systemic issues present with electronic voting from home.

  • Options
    ClipseClipse Registered User regular
    Jebus314 wrote: »
    Clipse wrote: »
    Jebus314 wrote: »
    Clipse wrote: »
    Jebus314 wrote: »
    discrider wrote: »
    I mean, yes, I would want that.
    So depending on what we want electronic voting for, this could be completely out of the question.

    So What do we want electronic voting for anyway?

    - To vote from home!
    No, you do not want this.
    You can't have people voting from their home PCs without also having other attackers voting from their home PCs.
    Postal votes aren't necessarily great either, but at least they're somewhat easier to control.
    Best thing would be to keep the voting booth open for more than a day.

    - To ensure someone can only vote once!
    If you have a central electoral roll that's updated by every voting station, then it's likely that the roll could be updated by other attackers to prevent people from voting at all.
    You could potentially have a separate electoral roll per voting station, and then cross-check them after the election, but that's not much different to having a phonebook of all the residents and checking them off. It might be quicker, but it might be easier to corrupt.

    - Quicker vote counting!
    I assume that's what a scantron is? It counts physical votes by scanning them?
    Either way, having a physical copy of the count allows cross-checking, even if there's an electronic copy.

    - Quicker result reporting!
    So supposing that the people manning the voting station can't be trusted to pick up the phone and give the result, then having encrypted channels set up before the day could ensure the correct result makes it back to the central voting authority.
    Otherwise if you can trust the people manning the vote station, a phone is easier.

    Disagree about voting from home. All you need is a password/pin. Shift the authentication of your citizenship/residency to when you register. That is when you prove you are you, and at the end of it you select a 6 digit pin or a password. Then when you go to vote you just authenticate with your password.

    This is a staggeringly naive view of cybersecurity. First: even if a small percentage of the population pick terrible passwords/PINs (eg "password", 1234, etc.) it opens the door for rampant hijacking of election accounts very easily -- you can try to allow fixes to this, but I don't see any way that wouldn't basically result in potentially millions of people needing to have their vote invalidated because of "hacking" every election cycle, which is a fucking disaster. Second: even people who use competent or semi-competent passwords (let's not even address PINs, because what the fuck were you even thinking there?) can fall for phishing attacks and so on, leaking their credentials to attackers. Third: compromised computers could easily MITM this and alter your vote choices before submission without you knowing -- again, there are ways you could remediate this issue, but the cost would be (eg) keeping a database of who everyone voted for, which is fucking disastrous.

    Seriously, any "vote from your home PC!" type system needs to be secured against fucking state level actors! The shit you've proposed isn't secured against the teenager next door who's good with computers. Jesus Christ.

    If you're worried about bad passwords then auto generate good random ones for people instead of letting them pick.

    You control the number of times an account can be wrongly password entered before it’s locked and in person voting is required, so brute force attacks aren’t possible.

    No vote is invalidated because you can always vote in person and it supersedes any mistake in your previous vote/gives an option if the electronic version is having problems.

    If you’re worried about MITM then create a web app or something with built in VPN. Have part of voter registration be generating a private key that you scan in to access your private voting terminal online.

    There is so much already digitized that we desperately want to keep secret. Military information. Government secrets. Bank information. Federal reserve information about security details for our money, or current monetary policy.

    I don’t buy the doom and gloom that there is just no way it’s possible. It would need to be tightly regulated and have lots of backups/accountability, but so does the paper method! How much more secure is it if all a state actor needs to do is buy off a high ranking election official or two to fudge the numbers. We don’t do full recounts, pretty much ever.

    The only real argument for paper seems that it necessitates more people being involved. So I can’t just target a server somewhere I have to target a bunch of people. To some extent I suppose that can be better, but I don’t buy that it’s inherently infallible, or that you can’t build a secure system without it.

    As to what it gains you, it’s quite obviously convenience. How many people don’t vote because they don’t have the time? Or can’t be bothered to wait in line? How many more would vote if all it took was logging in at home or at your local library with no wait? How easy is it to disenfranchise entire communities by reducing voting locations or hours? All of that is solved by more convenient voting methods.

    Autogenerated passwords: Only addresses my first point, not my second or third. Adds to disenfranchisement concerns.

    Limiting number of attempted logons: Helps (but doesn't entirely solve) my first concern, massively adds to disenfranchisement concerns.

    Voting in person supersedes online votes: Helps mitigate disenfranchisement, but doesn't address any of my concerns unless they're *aware* that their account has been compromised in some fashion, which they may well not be.

    "Built in VPN": If the computer the person is voting from is compromised, this accomplishes nothing.

    So, no, that does nothing meaningful to improve the security. You might at least defeat the neighbor's kid now, though, so I suppose that's an improvement.

    We keep classified military information secret -- to the extent that we do, which isn't great (see: NSA hacking tool leaks, the leak of literally every clearance application from a couple years back, etc.) -- by having way, way, way more rigorous security than pretty much any home user does or can be reasonably expected to.

    Sorry my dude, I'm sure you mean well, but you're about on par with someone showing up in a global warming thread and saying everyone should just run their air conditioners full blast in terms of knowledge.

    You’re just some guy on the internet, I’m just some guy on the internet. I don’t believe that you are so knowledgeable that you somehow understand something that totally invalidates my points.

    But please feel free to explain to me how you are actually the foremost security expert in America.

    I'm flattered you think so highly of me, but I'm certainly not the foremost security expert in America. However, I do understand some things that invalidate your points:

    * Any simple password system is woefully vulnerable to phishing on a scale large enough to alter the outcome of reasonably close elections. And a state actor could easily have enough data (thanks, Facebook!) to engage in spearphishing targeting important districts, etc.
    * * The approach best suited to actually preventing this is two-factor authentication. Unfortunately, for that to be deployed on a nationwide scale for elections would be very difficult without imposing serious voter disenfranchisement (or serious cost if the gov't takes on the duty of providing a second factor to all registered voters).
    * It is fundamentally not possible to vote securely from a compromised computer, and far, far too many home computers are compromised.
    * * Worse, there is no reasonable way to let people check if their vote was registered correctly -- to even attempt to do so would entail storing a database of how everyone voted (which is disastrous for reasons elaborated upon elsewhere in the thread), and even then you can only guarantee it would show how they (or "they" if they were compromised) actually voted if they check from an uncompromised computer.
    * * As noted in my previous post, the best estimates I could find by googling for about ten seconds show that ~30% of home computers are compromised -- and those are the ones we can detect, which would certainly not necessarily be the case if state actors are involved.

    I hope that helps clarify my position. Sorry if I was insulting in the post you're responding to, my desire here is to make it clear just how much of a folly it is to try and make electronic voting from home a thing because I've seen how badly we've failed to establish reasonable security surrounding electronic voting at polling stations and dread what any sort of from-home electronic voting solution would look like.

  • Options
    OrcaOrca Also known as Espressosaurus WrexRegistered User regular
    Take for example, the Gigabyte Z370 motherboard. This was simply the first motherboard that came up when I searched "intel motherboard". This motherboard has at least 9 processors on it PLUS the Intel x86 processor. This I determined by simply looking at the user manual. There may well be more processors it doesn't call out or others I didn't recognize as such. Every single one of those processors needs to be either securely shut down (e.g. USB, ethernet, audio and video codecs, unused PCIE, M2, and DDR slots) or secured (e.g. Z370, iTE Super I/O). PCIE and USB are particularly pernicious since they have direct access to system memory. They are security vulnerabilities just sitting there.

    And then there's the potential for vulnerabilities in the x86 processor--and there are plenty of them.

    Let's say we've gone through the work and we're confident the hardware has been secured since we locked it in a concrete box and the only way in is a keyboard with its cable wrapped in wire and the only ways out are a VGA monitor (I don't think that has bidirectional communication), and a printer.

    Guess we better make sure the processors in the keyboard (and there are several) are secure, as are whatever is in the printer because like I said, USB is a nice easy route on in.

    Okay, we've secured the I/O. Excellent.

    Now all we need to do is secure the software stack. That means the BIOS, the operating system, the hypervisor (if applicable), the driver stack (take a look how many devices are on a modern computer), oh, and also by the way the application that is running the voting software.

    You are talking a staggeringly large task that will have to be repeated every time a particular set of hardware gets end-of-lifed or a new driver comes out that fixes some exploit or a new version of your OS of choice comes out that does the same.

    And now you want to do the same thing for every single person who has a personal computer? How many times have your parents or siblings called you up because they got a virus? Recognize that each of those undermines their ability to vote and compromises the election system if we allowed people to use personal computers to vote.

    And the thing is, I'm not a security guy. I'm just a dude who writes firmware for embedded processors like those you might find on that motherboard. I'm sure I'm glossing over great swathes of vulnerabilities here.

  • Options
    OrcaOrca Also known as Espressosaurus WrexRegistered User regular
    I've also seen what typical USB driver code looks like.

    I'll give you a hint: it ain't pretty. And nobody was happy by the time some of those code reviews were done, including me, since I got overruled on a number of points!

  • Options
    PolaritiePolaritie Sleepy Registered User regular
    Orca wrote: »
    Take for example, the Gigabyte Z370 motherboard. This was simply the first motherboard that came up when I searched "intel motherboard". This motherboard has at least 9 processors on it PLUS the Intel x86 processor. This I determined by simply looking at the user manual. There may well be more processors it doesn't call out or others I didn't recognize as such. Every single one of those processors needs to be either securely shut down (e.g. USB, ethernet, audio and video codecs, unused PCIE, M2, and DDR slots) or secured (e.g. Z370, iTE Super I/O). PCIE and USB are particularly pernicious since they have direct access to system memory. They are security vulnerabilities just sitting there.

    And then there's the potential for vulnerabilities in the x86 processor--and there are plenty of them.

    Let's say we've gone through the work and we're confident the hardware has been secured since we locked it in a concrete box and the only way in is a keyboard with its cable wrapped in wire and the only ways out are a VGA monitor (I don't think that has bidirectional communication), and a printer.

    Guess we better make sure the processors in the keyboard (and there are several) are secure, as are whatever is in the printer because like I said, USB is a nice easy route on in.

    Okay, we've secured the I/O. Excellent.

    Now all we need to do is secure the software stack. That means the BIOS, the operating system, the hypervisor (if applicable), the driver stack (take a look how many devices are on a modern computer), oh, and also by the way the application that is running the voting software.

    You are talking a staggeringly large task that will have to be repeated every time a particular set of hardware gets end-of-lifed or a new driver comes out that fixes some exploit or a new version of your OS of choice comes out that does the same.

    And now you want to do the same thing for every single person who has a personal computer? How many times have your parents or siblings called you up because they got a virus? Recognize that each of those undermines their ability to vote and compromises the election system if we allowed people to use personal computers to vote.

    And the thing is, I'm not a security guy. I'm just a dude who writes firmware for embedded processors like those you might find on that motherboard. I'm sure I'm glossing over great swathes of vulnerabilities here.

    Eh, most of those aren't a viable attack surface because they're not easily hijacked. You basically have to be a state actor to steal an election by replacing a chip in the motherboards of all the election machines.

    On the other hand, the software... well. The first thing you should know is that all the companies who make electronic voting machines refuse to publish the source code, or subject it to a third-party audit.

    Which reminds me - no software should ever be allowed to be used for electronic voting that isn't open source. Period. It needs to be both (a) open for anyone to inspect and audit and (b) be secure even when adversaries know exactly how it works.

    Steam: Polaritie
    3DS: 0473-8507-2652
    Switch: SW-5185-4991-5118
    PSN: AbEntropy
  • Options
    OrcaOrca Also known as Espressosaurus WrexRegistered User regular
    Polaritie wrote: »
    Eh, most of those aren't a viable attack surface because they're not easily hijacked. You basically have to be a state actor to steal an election by replacing a chip in the motherboards of all the election machines.

    On the other hand, the software... well. The first thing you should know is that all the companies who make electronic voting machines refuse to publish the source code, or subject it to a third-party audit.

    Which reminds me - no software should ever be allowed to be used for electronic voting that isn't open source. Period. It needs to be both (a) open for anyone to inspect and audit and (b) be secure even when adversaries know exactly how it works.

    I'm more worried that a foreign (or domestic!) company producing one of the USB chips inserts a little something extra in their Verilog. At that point it's not the case of replacing all the chips, it's the case of all the chips come pre-compromised if they can end up in the canonical design for your voting machine.

    Again, single point of failure, massive possible consequences.

  • Options
    FeralFeral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉRegistered User regular
    Clipse wrote: »
    I guess my question still boils down to: what is the point of ever having machines do a recount?
    Feral wrote: »
    Ballot counting isn't done all at once, even in an electronic system, as long as paper mail-in ballots are a thing. So you could, for example, do an election night electronic count to see if there's a clear victor, then do spot audits of the paper receipts plus counts of mail in ballots as they come in. You'd have better accuracy and faster results across the whole process. It isn't technically a "recount" but it serves the same purpose: verification of the electoral process over time.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
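
Added example, not part of any post in this thread: the "spot audits of the paper receipts" idea above can be made statistically rigorous with a ballot-polling risk-limiting audit. The sketch below uses the BRAVO sequential test for a two-candidate contest; the vote shares, ballot counts and function names are constructed for illustration.

```python
import random


def bravo_audit(sample, reported_winner_share, risk_limit=0.05):
    """Sequential ballot-polling test (BRAVO) for a two-candidate contest.

    sample: iterable of hand-read paper ballots drawn at random with
            replacement; 'W' = vote for the reported winner, 'L' = vote
            for the reported loser.
    reported_winner_share: winner's share of valid votes according to the
            electronic count (must be above 0.5).
    risk_limit: maximum chance of confirming an outcome that is wrong.

    Returns (confirmed, ballots_examined). confirmed=False means the sample
    ran out without enough evidence, so the audit escalates (larger sample
    or a full hand count); it does not by itself prove tampering.
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner needs more than half the valid votes")
    if not 0.0 < risk_limit < 1.0:
        raise ValueError("risk_limit must be between 0 and 1")

    threshold = 1.0 / risk_limit
    ratio = 1.0  # likelihood ratio: reported share vs. an exact tie
    examined = 0
    for ballot in sample:
        examined += 1
        if ballot == "W":
            ratio *= reported_winner_share / 0.5
        elif ballot == "L":
            ratio *= (1.0 - reported_winner_share) / 0.5
        else:
            raise ValueError(f"unexpected ballot value: {ballot!r}")
        if ratio >= threshold:
            return True, examined
    return False, examined


def draw_paper_sample(paper_ballots, max_draws, seed):
    """Yield up to max_draws ballots chosen uniformly with replacement.

    A real audit derives the seed from a public ceremony (for example dice
    rolls) so that nobody can predict which ballots will be pulled.
    """
    rng = random.Random(seed)
    for _ in range(max_draws):
        yield rng.choice(paper_ballots)


def demo():
    # Constructed scenario: election-night electronic count says 60% / 40%.
    reported = 0.60

    # Case 1: the paper trail agrees with the electronic count.
    paper_matches = ["W"] * 6000 + ["L"] * 4000
    # Case 2: the paper trail says the other candidate actually won.
    paper_disagrees = ["W"] * 4000 + ["L"] * 6000

    agree = bravo_audit(draw_paper_sample(paper_matches, 5000, seed=1), reported)
    disagree = bravo_audit(draw_paper_sample(paper_disagrees, 5000, seed=1), reported)
    return agree, disagree


if __name__ == "__main__":
    agree, disagree = demo()
    print("paper matches electronic count :", agree)
    print("paper contradicts electronic   :", disagree)
```

When the paper agrees with a 60/40 electronic result, the audit typically stops after a couple of hundred ballots; when it disagrees, the test does not confirm and the paper has to be counted by hand.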
  • Options
    FeralFeral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉRegistered User regular
    tbloxham wrote: »
    Feral wrote: »
    Orca wrote: »
    I still have yet to see anyone articulate both an electronic system and a means of securing said system such that it's superior to what is already possible with paper + machine counted + human verification.

    I maintain that it's solving the wrong problem. Speed is not critical in this domain. Money is not critical in this domain. Security is, as is accessibility.

    Use the electronic goodies to secure the physical ballots. Store them in bank vaults if you like. Chain of custody for physical artifacts has well-known ways of being secured since it requires local actors and you can't strike from halfway across the globe.

    Paper ballots routinely go missing. You can get ample examples from just googling "lost election ballots." Here's just one example from my region that I found from a lazy Google search.

    This happens across multiple precincts in every election.

    Paper ballots routinely go missing in small numbers, at random. Which is utterly meaningless in a large population of votes. If 99% of the votes are counted, and votes are lost at random, then the odds of the lost votes affecting the total result is minuscule. The lost ballot effect is likely far smaller than the 'wrote wrong candidate on ballot' total AND the 'just didn't care and chose at random' total, so losing, or not losing ballots adds no additional randomness to the result of the election.

    You don't know that it's random or meaningless. You guess that it's random and meaningless. Frankly, I think that's a bad guess. There may be geographic or socioeconomic correlates to lost ballots that we're unaware of - for example, perhaps lost ballots are more common in places with underfunded elections, which would correlate to lower income precincts.

    But that's part of the problem. Once paper ballots go missing, we can only conjecture about their contents. We have no verification. Building redundancies into the system would not only improve the system's integrity, but allow us to more accurately study the situations in which one half of the system fails.

    It is also a bad look. On this forum, we routinely mock people who refuse to vote with arguments to the tune that every vote counts. Turning around on another topic and saying, effectively, "Eh, who cares about 150 votes? That's utterly meaningless," demonstrates intellectual laziness at best.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
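
Added example, not part of any post in this thread: the disagreement above turns on whether lost ballots are a uniform random sample of all ballots or are concentrated somewhere. The calculation below gives the exact (hypergeometric) probability that 150 lost ballots leave the true winner without a lead in the count, under each assumption; all vote totals and the precinct split are constructed for illustration.

```python
from math import comb


def p_outcome_changes(pool_a, pool_b, lost, true_margin):
    """Exact probability that lost ballots erase the true winner's lead.

    pool_a, pool_b: ballots for true winner A and for B in the pool the
                    lost ballots come from (whole election, or one precinct).
    lost:           number of ballots lost, drawn uniformly without
                    replacement from that pool.
    true_margin:    A's lead over B across ALL ballots cast.

    If x of the lost ballots were for A, the counted margin becomes
    true_margin + lost - 2*x, so A no longer leads once
    x >= (true_margin + lost) / 2.
    """
    if lost > pool_a + pool_b:
        raise ValueError("cannot lose more ballots than the pool contains")
    x_min = (true_margin + lost + 1) // 2      # ceiling of (margin + lost) / 2
    lo = max(x_min, lost - pool_b, 0)          # smallest feasible harmful x
    hi = min(lost, pool_a)                     # largest feasible x
    harmful = sum(comb(pool_a, x) * comb(pool_b, lost - x)
                  for x in range(lo, hi + 1))
    return harmful / comb(pool_a + pool_b, lost)


def demo():
    # Constructed contest: 20,000 ballots, A wins by 80 votes.
    votes_a, votes_b = 10_040, 9_960
    margin = votes_a - votes_b
    lost = 150

    # Assumption 1: the 150 lost ballots are a uniform sample of all ballots.
    uniform = p_outcome_changes(votes_a, votes_b, lost, margin)

    # Assumption 2: all 150 come from one 1,000-ballot precinct that went
    # 80% for A (loss correlated with geography).
    concentrated = p_outcome_changes(800, 200, lost, margin)

    # Fewer lost ballots than the margin can never change the outcome.
    below_margin = p_outcome_changes(votes_a, votes_b, 70, margin)
    return uniform, concentrated, below_margin


if __name__ == "__main__":
    uniform, concentrated, below_margin = demo()
    print(f"uniform loss of 150      : {uniform:.3e}")
    print(f"loss from one precinct   : {concentrated:.3f}")
    print(f"70 lost, margin of 80    : {below_margin}")
```

The same 150 ballots are statistically harmless under uniform loss and more likely than not to erase the lead when they all come from one lopsided precinct, which is why the distribution of the loss matters as much as its size.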
  • Options
    FeralFeral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉRegistered User regular
    Jebus314 wrote: »
    Clipse wrote: »
    Jebus314 wrote: »
    Clipse wrote: »
    Jebus314 wrote: »
    discrider wrote: »
    I mean, yes, I would want that.
    So depending on what we want electronic voting for, this could be completely out of the question.

    So What do we want electronic voting for anyway?

    - To vote from home!
    No, you do not want this.
    You can't have people voting from their home PCs without also having other attackers voting from their home PCs.
    Postal votes aren't necessarily great either, but at least they're somewhat easier to control.
    Best thing would be to keep the voting booth open for more than a day.

    - To ensure someone can only vote once!
    If you have a central electoral roll that's updated by every voting station, then it's likely that the roll could be updated by other attackers to prevent people from voting at all.
    You could potentially have a separate electoral roll per voting station, and then cross-check them after the election, but that's not much different to having a phonebook of all the residents and checking them off. It might be quicker, but it might be easier to corrupt.

    - Quicker vote counting!
    I assume that's what a scantron is? It counts physical votes by scanning them?
    Either way, having a physical copy of the count allows cross-checking, even if there's an electronic copy.

    - Quicker result reporting!
    So supposing that the people manning the voting station can't be trusted to pick up the phone and give the result, then having encrypted channels set up before the day could ensure the correct result makes it back to the central voting authority.
    Otherwise if you can trust the people manning the vote station, a phone is easier.

    Disagree about voting from home. All you need is a password/pin. Shift the authentication of your citizenship/residency to when you register. That is when you prove you are you, and at the end of it you select a 6 digit pin or a password. Then when you go to vote you just authenticate with your password.

    This is a staggeringly naive view of cybersecurity. First: even if a small percentage of the population pick terrible passwords/PINs (eg "password", 1234, etc.) it opens the door for rampant hijacking of election accounts very easily -- you can try to allow fixes to this, but I don't see any way that wouldn't basically result in potentially millions of people needing to have their vote invalidated because of "hacking" every election cycle, which is a fucking disaster. Second: even people who use competent or semi-competent passwords (let's not even address PINs, because what the fuck were you even thinking there?) can fall for phishing attacks and so on, leaking their credentials to attackers. Third: compromised computers could easily MITM this and alter your vote choices before submission without you knowing -- again, there are ways you could remediate this issue, but the cost would be (eg) keeping a database of who everyone voted for, which is fucking disastrous.

    Seriously, any "vote from your home PC!" type system needs to be secured against fucking state level actors! The shit you've proposed isn't secured against the teenager next door who's good with computers. Jesus Christ.

    If you're worried about bad passwords then auto generate good random ones for people instead of letting them pick.

    You control the number of times an account can be wrongly password entered before it’s locked and in person voting is required, so brute force attacks aren’t possible.

    No vote is invalidated because you can always vote in person and it supersedes any mistake in your previous vote/gives an option if the electronic version is having problems.

    If you’re worried about MITM then create a web app or something with built in VPN. Have part of voter registration be generating a private key that you scan in to access your private voting terminal online.

    There is so much already digitized that we desperately want to keep secret. Military information. Government secrets. Bank information. Federal reserve information about security details for our money, or current monetary policy.

    I don’t buy the doom and gloom that there is just no way it’s possible. It would need to be tightly regulated and have lots of backups/accountability, but so does the paper method! How much more secure is it if all a state actor needs to do is buy off a high ranking election official or two to fudge the numbers. We don’t do full recounts, pretty much ever.

    The only real argument for paper seems that it necessitates more people being involved. So I can’t just target a server somewhere I have to target a bunch of people. To some extent I suppose that can be better, but I don’t buy that it’s inherently infallible, or that you can’t build a secure system without it.

    As to what it gains you, it’s quite obviously convenience. How many people don’t vote because they don’t have the time? Or can’t be bothered to wait in line? How many more would vote if all it took was logging in at home or at your local library with no wait? How easy is it to disenfranchise entire communities by reducing voting locations or hours? All of that is solved by more convenient voting methods.

    Autogenerated passwords: Only addresses my first point, not my second or third. Adds to disenfranchisement concerns.

    Limiting number of attempted logons: Helps (but doesn't entirely solve) my first concern, massively adds to disenfranchisement concerns.

    Voting in person supersedes online votes: Helps mitigate disenfranchisement, but doesn't address any of my concerns unless they're *aware* that their account has been compromised in some fashion, which they may well not be.

    "Built in VPN": If the computer the person is voting from is compromised, this accomplishes nothing.

    So, no, that does nothing meaningful to improve the security. You might at least defeat the neighbor's kid now, though, so I suppose that's an improvement.

    We keep classified military information secret -- to the extent that we do, which isn't great (see: NSA hacking tool leaks, the leak of literally every clearance application from a couple years back, etc.) -- by having way, way, way more rigorous security than pretty much any home user does or can be reasonably expected to.

    Sorry my dude, I'm sure you mean well, but you're about on par with someone showing up in a global warming thread and saying everyone should just run their air conditioners full blast in terms of knowledge.

    You’re just some guy on the internet, I’m just some guy on the internet. I don’t believe that you are so knowledgeable that you somehow understand something that totally invalidates my points.

    But please feel free to explain to me how you are actually the foremost security expert in America.

    I've been trying to find a way to say this nicely but all of your ideas on how to secure the process so far have demonstrated some pretty severe misconceptions about cybersecurity.

    If you give people random passwords, most people will just write them down on paper. Ideally, everybody would use a password manager, but very few people do.

    Passwords suck in general, which is why so many services are moving to two-factor or even three-factor authentication.

    Aggressive password-lockout systems just transform a brute force attack into a denial of service attack.

    No matter how much you'd like to believe that voters would simply roll on down to their polling place on election day in the event of a denial of service attack, I can guarantee that a significant portion of voters will not. Most people who are not technologists do not contingency plan around potential technology failures.

    Regarding your earlier post about adding a PIN to your SSN, consider that if you give that PIN to companies who need to do verification checks on you (credit card companies, credit check companies, your employer, your landlord, etc) then its secrecy is severely undermined. Consider for a moment that in your scenario, millions of people would have given Equifax their SSN PINs.

    MitM is a pretty low-likelihood attack here; that's only a legitimate concern for people using untrustworthy networks like public wifi hotspots. If it were a legitimate concern, a web app "with a built in VPN" would be no better at stopping it than the current SSL certificate trust system and HTTPS.

    Consider that a motivated attacker is interested in creating a plausible copy of the election site and is in a position to hijack requests from the victim's network. There is nothing in this scenario to stop the attacker from mimicking the "built in VPN" as well. The VPN doesn't have to even encrypt traffic; it just has to be plausible enough to convince the victim that they're on the correct site.

    Meanwhile, web-based VPNs are finicky. A lot of products call themselves web VPNs or SSL-VPNs that aren't really VPNs; they aren't necessarily bad products but the VPN label is more of a marketing decision and a technical one. The ones that are actually VPNs always have to install a component on the end-user's device; this installation process fails frequently for a multitude of reasons. On top of that, asking the public to install software from a national website further increases the incentive for the bad guys to phish. Maybe some foreign scammers aren't interested in undermining the election, but they are interested in tricking people into installing their botnet agents.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • shryke Member of the Beast Registered User regular
    Feral wrote: »
    Clipse wrote: »
    I guess my question still boils down to: what is the point of ever having machines do a recount?
    Feral wrote: »
    Ballot counting isn't done all at once, even in an electronic system, as long as paper mail-in ballots are a thing. So you could, for example, do an election night electronic count to see if there's a clear victor, then do spot audits of the paper receipts plus counts of mail in ballots as they come in. You'd have better accuracy and faster results across the whole process. It isn't technically a "recount" but it serves the same purpose: verification of the electoral process over time.

    The provincial election we had a month or so back had a system where you filled out the normal ballot and then handed it (folded) to a guy who put it in this little device attached to a big box. The device verifies the ballot is valid, counts it and then spits the ballot out into the box it's attached to.

    Something like that is probably the best idea. You get a computer record for fast counting with a physical record for recounting and verification. You throw in a ton of random and asked-for-by-any-party audits to ensure both records match and you get a pretty solid system.

  • Harry Dresden Registered User regular
    Jebus314 wrote: »
    Somehow we deal with issues and have elections anyway. I’m not buying that paper ballots are somehow so inherently secure that moving away from them would be instant doom in terms of faked elections.

    Instant doom, likely not - more prone to tampering, definitely. After Diebold I'm never trusting electronic voting again.

    https://www.politico.com/magazine/story/2016/08/2016-elections-russia-hack-how-to-hack-an-election-in-seven-minutes-214144

    Especially after the revelations with Russia in the 2016 election.

  • VoodooV Registered User regular
    What I remember about Diebold was...I think the 2004 election, where the CEO of Diebold at the time was quoted that he was committed to helping deliver Ohio's electoral votes to Bush. Fortunately he resigned in 2005, but how much more of a conflict of interest can you get? And that's in addition to any known or unknown vulnerabilities.

  • wazilla Having a late dinner Registered User regular
    I do wonder if we aren't already screwed insofar as voter rolls seem to be digital at least in part.

    Psn:wazukki
  • Polaritie Sleepy Registered User regular
    wazilla wrote: »
    I do wonder if we aren't already screwed insofar as voter rolls seem to be digital at least in part.

    Doesn't matter much in MN, because you can register at the polls with a very low bar for identification (a neighbor vouching for you is enough).

    Focusing on voter rolls is pointless because 99.9% of people are going to be honest anyways and only vote once at the location they think is correct.

    Steam: Polaritie
    3DS: 0473-8507-2652
    Switch: SW-5185-4991-5118
    PSN: AbEntropy
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    shryke wrote: »
    Feral wrote: »
    Clipse wrote: »
    I guess my question still boils down to: what is the point of ever having machines do a recount?
    Feral wrote: »
    Ballot counting isn't done all at once, even in an electronic system, as long as paper mail-in ballots are a thing. So you could, for example, do an election night electronic count to see if there's a clear victor, then do spot audits of the paper receipts plus counts of mail in ballots as they come in. You'd have better accuracy and faster results across the whole process. It isn't technically a "recount" but it serves the same purpose: verification of the electoral process over time.

    The provincial election we had a month or so back had a system where you filled out the normal ballot and then handed it (folded) to a guy who put it in this little device attached to a big box. The device verifies the ballot is valid, counts it and then spits the ballot out into the box it's attached to.

    Something like that is probably the best idea. You get a computer record for fast counting with a physical record for recounting and verification. You throw in a ton of random and asked-for-by-any-party audits to ensure both records match and you get a pretty solid system.

    That strikes me as pretty good at first glance, yeah.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • wazilla Having a late dinner Registered User regular
    Polaritie wrote: »
    wazilla wrote: »
    I do wonder if we aren't already screwed insofar as voter rolls seem to be digital at least in part.

    Doesn't matter much in MN, because you can register at the polls with a very low bar for identification (a neighbor vouching for you is enough).

    Focusing on voter rolls is pointless because 99.9% of people are going to be honest anyways and only vote once at the location they think is correct.

    This is not the case everywhere though.

    There are always stories each cycle of people being turned away at the polls. Sometimes even when they could legally vote or cast a provisional ballot.

    I do contend that modifying voter rolls would represent a serious issue for suffrage.

    Psn:wazukki
  • Polaritie Sleepy Registered User regular
    wazilla wrote: »
    Polaritie wrote: »
    wazilla wrote: »
    I do wonder if we aren't already screwed insofar as voter rolls seem to be digital at least in part.

    Doesn't matter much in MN, because you can register at the polls with a very low bar for identification (a neighbor vouching for you is enough).

    Focusing on voter rolls is pointless because 99.9% of people are going to be honest anyways and only vote once at the location they think is correct.

    This is not the case everywhere though.

    There are always stories each cycle of people being turned away at the polls. Sometimes even when they could legally vote or cast a provisional ballot.

    I do contend that modifying voter rolls would represent a serious issue for suffrage.

    Right, I mean the entire idea of having to be registered ahead of time is dumb.

    Steam: Polaritie
    3DS: 0473-8507-2652
    Switch: SW-5185-4991-5118
    PSN: AbEntropy
  • Mayabird Pecking at the keyboard Registered User regular
    Jebus314 wrote: »
    Somehow we deal with issues and have elections anyway. I’m not buying that paper ballots are somehow so inherently secure that moving away from them would be instant doom in terms of faked elections.

    Instant doom, likely not - more prone to tampering, definitely. After Diebold I'm never trusting electronic voting again.

    https://www.politico.com/magazine/story/2016/08/2016-elections-russia-hack-how-to-hack-an-election-in-seven-minutes-214144

    Especially after the revelations with Russia in the 2016 election.

    Ossoff may actually have won the Georgia special House election instead of that lunatic Handel but there's no way to know if the numbers were tampered with. Georgia is one of those states that doesn't have paper trails, just the electronic machines, and in particular when regarding Ossoff, the machines were wiped right before there could be an investigation. Handel was secretary of state of Georgia, which means she was in charge of the elections. She very well could have had it stolen for herself and destroyed the evidence.

    Even if she didn't (which I strongly suspect but she destroyed all the evidence, which makes me suspect it more strongly) there is this possibility, and it's very easy to exploit by people in power. This possibility should not exist.

  • EvilOtaku Registered User regular
    I believe that this is 100% a technologically solvable problem. Though it's probably not feasible in reality as it requires a complete overhaul of the voting infrastructure. That would require a literal act of congress and while we're at it we should get rid of First Past the Post. But I don't want this congress anywhere near the Constitution with a sharpie and some white out.

    I know I'll get laughed off these forums but https://followmyvote.com/ is a blockchain solution (Don't roll your eyes too hard). I think it's a clever solution to a very very hard problem.

  • Sleep Registered User regular
    edited July 2018
    With 15 years of working in tech I'd just like to say that making a distributed networked voting system on which we base our government with literally no means by which to recall an election (even in the case of obvious misdeeds) would pretty much make the whole system a joke.

    The only secure system is one that's not connected to a network... and is unplugged. Other than that it's all vulnerable, it basically just creates the biggest hill to take in international and domestic cyberwarfare. Especially since it's been proven out that discovery of tampering in the voting system triggers literally no comeuppance or change in the results of a tampered election. Folks completely unconnected to anyone could just fuck up the whole country for lols by crackin the system and giving all the votes to the trix rabbit, and there'd be no way to fix the problem.

    Sometimes tech isn't the answer.

  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    EvilOtaku wrote: »
    I believe that this is 100% a technologically solvable problem. Though it's probably not feasible in reality as it requires a complete overhaul of the voting infrastructure. That would require a literal act of congress and while we're at it we should get rid of First Past the Post. But I don't want this congress anywhere near the Constitution with a sharpie and some white out.

    I know I'll get laughed off these forums but https://followmyvote.com/ is a blockchain solution (Don't roll your eyes too hard). I think it's a clever solution to a very very hard problem.

    You're right. Voting records are a reasonable application of blockchain technology, despite this forum's cultural hostility towards it.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    Sleep wrote: »
    With 15 years of working in tech I'd just like to say that making a distributed networked voting system on which we base our government with literally no means by which to recall an election (even in the case of obvious misdeeds) would pretty much make the whole system a joke.

    The only secure system is one that's not connected to a network... and is unplugged. Other than that it's all vulnerable, it basically just creates the biggest hill to take in international and domestic cyberwarfare. Especially since it's been proven out that discovery of tampering in the voting system triggers literally no comeuppance or change in the results of a tampered election. Folks completely unconnected to anyone could just fuck up the whole country for lols by crackin the system and giving all the votes to the trix rabbit, and there'd be no way to fix the problem.

    Sometimes tech isn't the answer.

    Like you said, vote rigging isn't punished.

    That said, an election recall is a legal process, not a technological one. There's nothing about e-voting that makes recalls impossible.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • shryke Member of the Beast Registered User regular
    Feral wrote: »
    EvilOtaku wrote: »
    I believe that this is 100% a technologically solvable problem. Though it's probably not feasible in reality as it requires a complete overhaul of the voting infrastructure. That would require a literal act of congress and while we're at it we should get rid of First Past the Post. But I don't want this congress anywhere near the Constitution with a sharpie and some white out.

    I know I'll get laughed off these forums but https://followmyvote.com/ is a blockchain solution (Don't roll your eyes too hard). I think it's a clever solution to a very very hard problem.

    You're right. Voting records are a reasonable application of blockchain technology, despite this forum's cultural hostility towards it.

    "Cultural hostility" is a hell of a swipe that isn't even accurate.

  • discrider Registered User regular
    edited July 2018
    EvilOtaku wrote: »
    I believe that this is 100% a technologically solvable problem. Though it's probably not feasible in reality as it requires a complete overhaul of the voting infrastructure. That would require a literal act of congress and while we're at it we should get rid of First Past the Post. But I don't want this congress anywhere near the Constitution with a sharpie and some white out.

    I know I'll get laughed off these forums but https://followmyvote.com/ is a blockchain solution (Don't roll your eyes too hard). I think it's a clever solution to a very very hard problem.

    Well, for a start, that doesn't appear to be a blockchain.

    But second, it requires the Voter ID authority to recognise your id and then agree with the Voting authority to issue your ballot.
    Aside from just hijacking the voter's computer, the obvious attack vector would be to compromise the Voter ID authority, issue a bunch of false requests to the Voting authority, and then add these verified votes to the database.
    The false requests would need to match people who exist in the Voting authority's records, but you're inside the Voter ID authority already so pulling the relevant data from the shouldn't be an issue.

    Not to mention you still have the problem with disenfranchising people who don't have government IDs.
    And a webcam.

  • Jebus314 Registered User regular
    edited July 2018
    Feral wrote: »
    Jebus314 wrote: »
    Clipse wrote: »
    Jebus314 wrote: »
    Clipse wrote: »
    Jebus314 wrote: »
    discrider wrote: »
    I mean, yes, I would want that.
    So depending on what we want electronic voting for, this could be completely out of the question.

    So What do we want electronic voting for anyway?

    - To vote from home!
    No, you do not want this.
    You can't have people voting from their home PCs without also having other attackers voting from their home PCs.
    Postal votes aren't necessarily great either, but at least they're somewhat easier to control.
    Best thing would be to keep the voting booth open for more than a day.

    - To ensure someone can only vote once!
    If you have a central electoral roll that's updated by every voting station, then it's likely that the roll could be updated by other attackers to prevent people from voting at all.
    You could potentially have a separate electoral roll per voting station, and then cross-check them after the election, but that's not much different to having a phonebook of all the residents and checking them off. It might be quicker, but it might be easier to corrupt.

    - Quicker vote counting!
    I assume that's what a scantron is? It counts physical votes by scanning them?
    Either way, having a physical copy of the count allows cross-checking, even if there's an electronic copy.

    - Quicker result reporting!
    So supposing that the people manning the voting station can't be trusted to pick up the phone and give the result, then having encrypted channels set up before the day could ensure the correct result makes it back to the central voting authority.
    Otherwise if you can trust the people manning the vote station, a phone is easier.

    Disagree about voting from home. All you need is a password/pin. Shift the authentication of your citizenship/residency to when you register. That is when you prove you are you, and at the end of it you select a 6 digit pin or a password. Then when you go to vote you just authenticate with your password.

    This is a staggeringly naive view of cybersecurity. First: even if a small percentage of the population pick terrible passwords/PINs (eg "password", 1234, etc.) it opens the door for rampant hijacking of election accounts very easily -- you can try to allow fixes to this, but I don't see any way that wouldn't basically result in potentially millions of people needing to have their vote invalidated because of "hacking" every election cycle, which is a fucking disaster. Second: even people who use competent or semi-competent passwords (let's not even address PINs, because what the fuck were you even thinking there?) can fall for phishing attacks and so on, leaking their credentials to attackers. Third: compromised computers could easily MITM this and alter your vote choices before submission without you knowing -- again, there are ways you could remediate this issue, but the cost would be (eg) keeping a database of who everyone voted for, which is fucking disastrous.

    Seriously, any "vote from your home PC!" type system needs to be secured against fucking state level actors! The shit you've proposed isn't secured against the teenager next door who's good with computers. Jesus Christ.

    If you're worried about bad passwords then auto generate good random ones for people instead of letting them pick.

    You control the number of times an account can be wrongly password entered before it’s locked and in person voting is required, so brute force attacks aren’t possible.

    No vote is invalidated because you can always vote in person and it supersedes any mistake in your previous vote/gives an option if the electronic version is having problems.

    If you’re worried about MITM then create a web app or something with built in VPN. Have part of voter registration be generating a private key that you scan in to access your private voting terminal online.

    There is so much already digitized that we desperately want to keep secret. Military information. Government secrets. Bank information. Federal reserve information about security details for our money, or current monetary policy.

    I don’t buy the doom and gloom that there is just no way it’s possible. It would need to be tightly regulated and have lots of backups/accountability, but so does the paper method! How much more secure is it if all a state actor needs to do is buy off a high ranking election official or two to fudge the numbers. We don’t do full recounts, pretty much ever.

    The only real argument for paper seems that it necessitates more people being involved. So I can’t just target a server somewhere I have to target a bunch of people. To some extent I suppose that can be better, but I don’t buy that it’s inherently infallible, or that you can’t build a secure system without it.

    As to what it gains you, it’s quite obviously convenience. How many people don’t vote because they don’t have the time? Or can’t be bothered to wait in line? How many more would vote if all it took was logging in at home or at your local library with no wait? How easy is it to disenfranchise entire communities by reducing voting locations or hours? All of that is solved by more convenient voting methods.

    Autogenerated passwords: Only addresses my first point, not my second or third. Adds to disenfranchisement concerns.

    Limiting number of attempted logons: Helps (but doesn't entirely solve) my first concern, massively adds to disenfranchisement concerns.

    Voting in person supersedes online votes: Helps mitigate disenfranchisement, but doesn't address any of my concerns unless they're *aware* that their account has been compromised in some fashion, which they may well not be.

    "Built in VPN": If the computer the person is voting from is compromised, this accomplishes nothing.

    So, no, that does nothing meaningful to improve the security. You might at least defeat the neighbor's kid now, though, so I suppose that's an improvement.

    We keep classified military information secret -- to the extent that we do, which isn't great (see: NSA hacking tool leaks, the leak of literally every clearance application from a couple years back, etc.) -- by having way, way, way more rigorous security than pretty much any home user does or can be reasonably expected to.

    Sorry my dude, I'm sure you mean well, but you're about on par with someone showing up in a global warming thread and saying everyone should just run their air conditioners full blast in terms of knowledge.

    You’re just some guy on the internet, I’m just some guy on the internet. I don’t believe that you are so knowledgeable that you somehow understand something that totally invalidates my points.

    But please feel free to explain to me how you are actually the foremost security expert in America.

    I've been trying to find a way to say this nicely but all of your ideas on how to secure the process so far have demonstrated some pretty severe misconceptions about cybersecurity.

    If you give people random passwords, most people will just write them down on paper. Ideally, everybody would use a password manager, but very few people do.

    Passwords suck in general, which is why so many services are moving to two-factor or even three-factor authentication.

    Aggressive password-lockout systems just transform a brute force attack into a denial of service attack.

    No matter how much you'd like to believe that voters would simply roll on down to their polling place on election day in the event of a denial of service attack, I can guarantee that a significant portion of voters will not. Most people who are not technologists do not contingency plan around potential technology failures.

    Regarding your earlier post about adding a PIN to your SSN, consider that if you give that PIN to companies who need to do verification checks on you (credit card companies, credit check companies, your employer, your landlord, etc) then its secrecy is severely undermined. Consider for a moment that in your scenario, millions of people would have given Equifax their SSN PINs.

    MitM is a pretty low-likelihood attack here; that's only a legitimate concern for people using untrustworthy networks like public wifi hotspots. If it were a legitimate concern, a web app "with a built in VPN" would be no better at stopping it than the current SSL certificate trust system and HTTPS.

    Consider that a motivated attacker is interested in creating a plausible copy of the election site and is in a position to hijack requests from the victim's network. There is nothing in this scenario to stop the attacker from mimicking the "built in VPN" as well. The VPN doesn't have to even encrypt traffic; it just has to be plausible enough to convince the victim that they're on the correct site.

    Meanwhile, web-based VPNs are finicky. A lot of products call themselves web VPNs or SSL-VPNs that aren't really VPNs; they aren't necessarily bad products but the VPN label is more of a marketing decision and a technical one. The ones that are actually VPNs always have to install a component on the end-user's device; this installation process fails frequently for a multitude of reasons. On top of that, asking the public to install software from a national website further increases the incentive for the bad guys to phish. Maybe some foreign scammers aren't interested in undermining the election, but they are interested in tricking people into installing their botnet agents.

    I don't really want to continue down the road of attacking individual points because it is a lot of work, but I feel like there is a disconnect here. Many of the responses I am getting are acting as if there is some fundamental issue with cyber-security that can not be overcome, and that by poking holes in my suggestions you have illustrated this fundamental flaw. I just don't see it that way. I am not a cyber security expert and I'm willing to admit that I have underestimated how close we are to having a workable system, but just because I don't have a foolproof plan doesn't mean that it's not possible.

    I mean just as an example (and again I am not trying to defend or discount all of your points), look at the bolded. You are insinuating that PINs are fundamentally flawed. And yet we use them all the time. For bank passwords (debit cards, account access from phones), for identity theft purposes (loan applications, tax forms), security systems in sensitive government (or private) areas use them for access. And somehow that system is workable. Not perfect, and there are other security measures in place most of the time, but nobody goes around talking about debit PINs as if it is a joke and you might as well just not even try to have electronic banking.

    So you say banking is totes different, but why? How would hackers not be just as incentivized to fuck with money, or do any of the other terrible things they could do to our country with information that is digitized? I don't see how elections rise above FED security/policy decisions, or military secrets, or infrastructure details in terms of the one thing that state hackers would actually dedicate their time to.

    Jebus314 on
    "The world is a mess, and I just need to rule it" - Dr Horrible
    PantsBPantsB Fake Thomas Jefferson Registered User regular
    Orca wrote: »
    Or you could just use paper ballots and randomly spot-check the votes compared to what is read by your scantron readers.

    This is already done, except not randomly spot-checked, in competitive races.

    QEDMF xbl: PantsB G+
    PolaritiePolaritie Sleepy Registered User regular
    PantsB wrote: »
    Orca wrote: »
    Or you could just use paper ballots and randomly spot-check the votes compared to what is read by your scantron readers.

    This is already done, except not randomly spot-checked, in competitive races.

    Counting all ballots by hand is completely feasible, and what I think of for those automatic recounts. The usual enhancement I see proposed is to audit the process by taking statistical samples of paper ballots to compare to the final result, and adding a full recount if it varies too much.

    Steam: Polaritie
    3DS: 0473-8507-2652
    Switch: SW-5185-4991-5118
    PSN: AbEntropy
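The sample-then-escalate audit described in the post above can be made concrete as a ballot-polling risk-limiting audit. This is an added example, not part of the original post: it uses the BRAVO sequential test for a two-candidate contest as one known way to do it, and the function name, the 'W'/'L' ballot labels and the sample pile are constructed for illustration.

```python
import random

def bravo_audit(drawn_ballots, reported_winner_share, risk_limit=0.05):
    """Ballot-polling audit of a two-candidate contest (BRAVO sequential test).

    drawn_ballots: iterable of 'W' (paper ballot shows the reported winner)
    or 'L' (paper ballot shows the loser), in the order they were drawn.
    Returns (outcome, ballots_examined).
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner share must be in (0.5, 1.0)")
    if not 0.0 < risk_limit < 1.0:
        raise ValueError("risk limit must be in (0, 1)")
    # Likelihood ratio: reported result versus an exact tie.
    ratio = 1.0
    examined = 0
    for ballot in drawn_ballots:
        examined += 1
        if ballot == "W":
            ratio *= reported_winner_share / 0.5
        elif ballot == "L":
            ratio *= (1.0 - reported_winner_share) / 0.5
        else:
            raise ValueError("ballot must be 'W' or 'L'")
        # Strong enough evidence: the chance of confirming a wrong
        # outcome is at most risk_limit.
        if ratio >= 1.0 / risk_limit:
            return "outcome_confirmed", examined
    # Sample exhausted without enough evidence: escalate to a full recount.
    return "full_hand_count", examined

if __name__ == "__main__":
    # Constructed pile: 5,500 ballots for the reported winner, 4,500 against.
    pile = ["W"] * 5500 + ["L"] * 4500
    rng = random.Random(2024)  # fixed seed so the demo run is repeatable
    # BRAVO assumes draws with replacement from the full set of ballots.
    sample = (rng.choice(pile) for _ in range(2000))
    print(bravo_audit(sample, reported_winner_share=0.55))
```

The wider the reported margin, the fewer paper ballots the audit needs before it can stop; a reported result that the paper does not support never reaches the threshold and falls through to the full hand count.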
    PantsBPantsB Fake Thomas Jefferson Registered User regular
    Feral wrote: »
    Orca wrote: »
    I still have yet to see anyone articulate both an electronic system and a means of securing said system such that it's superior to what is already possible with paper + machine counted + human verification.

    I maintain that it's solving the wrong problem. Speed is not critical in this domain. Money is not critical in this domain. Security is, as is accessibility.

    Use the electronic goodies to secure the physical ballots. Store them in bank vaults if you like. Chain of custody for physical artifacts has well-known ways of being secured since it requires local actors and you can't strike from halfway across the globe.

    Paper ballots routinely go missing. You can get ample examples from just googling "lost election ballots." Here's just one example from my region that I found from a lazy Google search.

    This happens across multiple precincts in every election.

    Right, and when it happens it's notable enough to get in the news and cause a big to-do. In the linked article, a total of 0.1% of ballots were lost and people were aghast and could verify that the results were not altered. Every election, digital voting systems go down and often have no paper trail with no recourse. That's on top of being subject to the exact same kinds of screw-ups that paper ballots are.

    Mail-in ballots are also far less secure than in-person voting, which is its primary downside.

    QEDMF xbl: PantsB G+