Researchers Demo Hardware Attacks Against India's E-Voting Machines 179
An anonymous reader writes "India, the world's largest democracy, votes entirely on government-made electronic voting machines that authorities claim are 'tamperproof,' 'infallible,' and 'perfect,' but last week security researchers proved that they can be manipulated to steal elections. A team led by Hari Prasad, Professor J. Alex Halderman, and Rop Gonggrijp released an awesome video that shows off hardware hacks they built. These machines are much simpler than e-voting designs used in the US, but as the research paper explains, this makes attacking the hardware even easier. Halderman's students at the University of Michigan took only about a week to build a replacement display board that lies about the vote totals, and the team also built a pocket-sized device that clips onto the memory chips, with the machine powered on, and rewrites the votes. Clippy says, 'It looks like you're trying to rig an election ...'"
Looks like Diebold has some new competition! (Score:2)
Oh, sorry, "Premier Election Solutions"...
Re: (Score:2, Offtopic)
You know, the ATM I use nearly every day is made by Diebold.
It's an awesome little ATM. I'm nowhere near rich or even financially secure, and the ability to be able to withdraw money by an exact dollar amount ($6 for breakfast? I can take out exactly six bucks FUCK YEAH) is very appealing. The machine has been down exactly once in the three years I've been using my bank and there has never been any problems with it (save for the time it ate my card while I took to long counting the money - my fault, not the
Re: (Score:3, Insightful)
There's a much simpler reason.
The people ordering ATMs, care a great deal more about their correct and secure operation, than the people ordering voting-machines.
Re: (Score:2)
Maybe.
Or maybe they just notice quicker when they get cheated on a daily basis than when it happens once every four years. The fact that the user can verify the ATM transaction probably speeds awareness, as well.
I think ignorance is more plausible than apathy in this case.
Re: (Score:3, Insightful)
Yeah. That too. They care, AND they notice.
The ATM is supposed to withdraw money from your account, and dispense cash, and ideally do the same amount of both.
If it withdraws -more- from the account than it dispenses, odds are plenty of account-holders will notice in quick order (not everyone checks, but ENOUGH people do), whereas if it does the oposite, odds are the bank will notice real quickly. (plenty of those who get too much cash from the ATM will talk about it too)
I'm not convinced politicians univers
Diebold - Good ATM machines, bad voting machines. (Score:3, Informative)
You also have to figure that e-machines, being used only a couple times a year on average, have to be competitive with paper based systems as far as cost goes, while a ATM Machine has to be competitive with a teller(or three)'s salary spread over most of a decade.
Oh, and for whatever reason, Diebold didn't use the same people in the effort.
Re: (Score:2)
Re: (Score:2)
// to do: insert joke about outsourcing here.
A real hacker... (Score:5, Funny)
...would register a one-issue party against the use of insecure voting machines. Then win the election. Then fix the problem.
Re: (Score:2)
Security (Score:5, Insightful)
Any security professional, IT or otherwise, who ever says "impossible to break" in any of its forms, should be directly fired.
No discussion. No explanations. You blabber idiocies about your supposed area of expertise, you're fired.
Re:Security (Score:5, Insightful)
I doubt any IT professional would say that. Usually politicians and managers are the ones responsible for this kind of nonsense because they have no clue or just want to sell their product.
Politicians are generally untouchable, no matter what they say or how bad they screw up. And managers make sure the contract contains some fineprint along the lines of "we guarantee nothing" and "not really impossible to break".
So yea, nothing you can do about it.
Re: (Score:2)
Not strictly true. There is such a thing as a 100% secure computer system.
Of course you have to grind it to dust, embed that dust in concrete then throw the concrete off a ship somewhere over the Marianas Trench, by which time it's not a terribly useful computer. But I bet you anything you like you couldn't hack it.
That's not how it works (Score:2)
Usually, it's being trotten out by poor security professionals to justify not bothering because "as no system can be secure, why bother attempting to secure one?"
Re: (Score:2)
Australia is about to install an infallible content filter.
I doubt it, the way things are going for the Government [abc.net.au] right now.
Re: (Score:2)
seals and stickers, and trusted people that inspect the seals before and after make it a lot harder than low tech solutions - like getting the printer to print a few million extra voting forms.
Are you suggesting that the machine can't be hacked as long as they use seals and stickers? That it's impossible to devise a way of touching a machine's hardware as long as it's protected by seals and stickers?
Or maybe you're saying that that method of tampering with the machine, that we don't even know of, will be more complex to implement than replacing the paper votes inside a closed box with new ones.
Comment removed (Score:4, Informative)
Re: (Score:2)
So how was this better than if they had just given you the paper and had you draw the arrows yourself? Sounds to me like the best thing about this system was the sheet of paper. Remove the computer, and it would be even better.
Ultimate accountability (Score:2, Interesting)
Maybe it is time for a new law: You cheat, you die.
Imagine that a party leader becomes responsible for the actions of the members of his party. Some lowly member cheats, the leader gets a bullet in the head.
Open for abuse to be sure but all our leaders claim we should trust the system so surely they trust it?
It would motivate leaders to motivate their followers not to break the rules. Right now the system does exactly the reverse. As long as the leader isn't proven to have given the direct order in writ
Re: (Score:2, Insightful)
Re:Ultimate accountability (Score:4, Insightful)
Please understand that I think the undermining of the democratic process is a crime which should carry a special sentence, but more along the lines that you can't run for office for X years (like any felon I believe). But the problem is always the same: the cheater won and is now in charge.
I think the only way to guarantee a cheater free process is by completely making every step of the process transparent. Coincidentally it's the technology currently used to cheat that can be put to use to prevent it. The only problem is there is always one or more black-box-systems between the voter and the results, so there is no way to guarantee it unless we remove every black-box step. Here is my solution to make the process as open as possible:
- Generate a unique key per voter and store on a single offline drive.
- Print voter registration cards with each key used once (we know every voter can vote exactly once).
- Generate a strong encryption certificate that is only valid around election day for HTTPS use.
- Voters can choose to vote at home (but they need a separate online ID) or at a registered voting location (and show their ID), but the process is the same.
- To vote at home you can use the supplied voting live-CD or use your own (it's recommended instead of your default OS), or use the kiosks supplied at voting locations.
- The voting consists of going to the voting website, verifying the origin of the site and after that select a candidate and enter the key to store the vote.
- These votes are stored on the same 'offline' drive that is currently online only with a serial cable connected to the webserver.
- The drive containing the votes as well as the server(s) that serves the website are on public display and the code is all opened to public scrutiny.
- The server should be behind a firewall that specifically looks for any and all attacks (it should be fairly easy if you tightly define only the packets that may get trough), if there is any reason to doubt the results because of a possible breach we will know.
- The results as well as the timeline of the votes is made public from the start, when the voting closes the results are known *immediately*.
Before talking about how insecure the web is please note that this problem is known and well understood, so we have know what to harden the system against attacks... The current voting solutions are much worse in my opinion since there are attack vectors too, but we do not know how many and how bad, and even worse: we have no idea how often these are already exploited. But we do know for a fact that paper elections have been rigged (despite the rules), electronic voting machines have been tampered with and even something as simple as denying people the right to vote (sending people away who stand in line for hours). These non-tech exploits are used regularly and should not be forgotten... I'd say a web-voting is the lesser of two possible evils. Especially since the technical requirements of such a system are known. If fucking soda companies can print unique codes on the inside of the bottles and phone operators use codes for prepaid cards i'd say we should be able to make it work for something important.
I posit that for every argument against such a system slashdot's finest geeks will come up with a solution...
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Interesting)
There are plenty of techniques to create a one-time code that isn't linked to you personally and can't be traced back
Except all the proposals I have seen call for the unique key being generated by the government (and generally snail mailed to you). So you have no proof that such techniques have been used by the government.
But you can't honestly tell me you're so paranoid about this that you now vote with gloves on because they might trace the fingerprints on the ballot?
I don't wear gloves because I help count the votes so my fingerprints are on all the ballots!
All jokes aside, they don't know which ballot is yours. So they would have to scan the fingerprints on a substantial percentage of the ballots to find out and they would have a hard time doing that in secret. I
Re: (Score:2)
Before talking about how insecure the web is ...
The problems with "voting at home" (or "at work") do have nothing to do with the lack of security of the web, but more with the lack of guaranteed privacy.
If you allow voting from work, who guarantees that the manager is not standing behind his employees, making sure that they vote the "right way". Or, at home, that the spouse isn't making similar enforcement. Or at the pub, that a buddy isn't promising a beer in exchange for the "good" vote...
As long as you allow voting away from designated polling stati
Re: (Score:2)
Re: (Score:3, Insightful)
What stops people from selling their vote and going to the polling booth to vote?
Easy: the buyer has no way of verifying that the seller did indeed vote how he promised to vote.
it makes it *very* easy for people to disrupt, influence or plainly destroy votes there. Someone in this thread already pointed out practices like this: http://en.wikipedia.org/wiki/Booth_capturing [wikipedia.org] [wikipedia.org].
Such practices are ...hmmm... rather obvious. Meaning, that in a really democratic country, they would lead to instant cancellation of the election, and punishment of the perps.
If such brute force disruptions are commonplace in India, then security of electronic elections is indeed the least of their worries. Without punishment of obvious abuse, the crooks could just wheel a supercomputer into the polling statio
Re: (Score:2)
And here are some examples to the contrary:
Netherlands - last election there were people instructing others how to vote in the booth (which was strangely allowed by officials present) and they counted over 100 mystery extra votes (this w
Re: (Score:2)
Rather obvious yeah, so because it's not obvious to you immediately it does not happen in western countries?
No matter how many times I read that sentence, it doesn't make sense. I suppose it's meant to be a miffed reaction at my astonishment about the non-subtlety of electoral fraud in India? If so, I'm sorry to have offended you.
Look at the following list of the many means of fraud and tell me they are not used in so called 'true democracies': http://en.wikipedia.org/wiki/Election_fraud [wikipedia.org] [wikipedia.org]
Why should I tell you something like that? Yes, this is a list of frauds for people who are concerned about stealth and/or plausible deniability. That's why brute force approaches such as just invading the polling station is not included there.
The sentence that I liked most was: Harsh p
Re: (Score:2)
What stops people from selling their vote and going to the polling booth to vote?
What stops them is the lack of a buyer: the potential buyer knows he will have no way to verify you really voted the way he wanted so he won't waste 'money' on trying to outright buy votes (he will instead resort to propaganda).
And how do you think it's a good idea to just have a few points where people go to vote, it makes it *very* easy for people to disrupt, influence or plainly destroy votes there.
And centralizing all the votes on one server in one place solves this problem? Sure if you have massive safety and order problems then you will get voter suppression [wikipedia.org]. Note though that such in countries people would typically be lacking the means to vote from home anyway.
To my knowledge polling stations are responsible for all irregularities with voting up until now
Irregularitie
Re: (Score:2)
I claim it is possible, and any issue can be addressed. No solution will ever be perfect, but if it works good enough that you can verify that the will of the people has been represented with
Re: (Score:3, Informative)
Here is my solution to make the process as open as possible:
[...]
- To vote at home you can use the supplied voting live-CD or use your own (it's recommended instead of your default OS), or use the kiosks supplied at voting locations.
Make it possible to vote at home and a lot of people will be coerced to vote a certain way by their spouse / parent (or you're out of this house) / children (elderly people). Make it possible to vote from any computer and companies will nicely provide computers for you, will even help you. You would be free vote the way you wanted and they would not even put you on top of the list for the next round our layoffs if you voted wrong. Vote at the kiosk against the wishes of the above parties and be assured they
Re: (Score:2)
Now examine the new system which relies on tech
Re: (Score:2)
We currently have a flawed system which relies on perfect cooperation of thousands of individuals each one of which can influence the voting process without us knowing it.
This has lead to voting fraud not only in third world countries with 'broken election laws'
but in all western nations (at least on some local level).
In the US you are right, votes can be tampered during transport, probably by a single individual (blame the 'broken election laws'). In France (where we have transparent ballot boxes and where ballots are counted on the spot when the election closes) no single individual can tamper with the voting process. But yes, tell me how to commit fraud in France and not get caught.
There is a single point of failure, and if that fails you should to be able to detect it.
How will you know that there has been fraud if candidate A wins with 52% of the
Re: (Score:2)
But the problem is always the same: the cheater won and is now in charge.
Bush hadn't won, and wasn't in charge. But it's easier to give a party of professional crybabies special treatment instead of recounting fucking ballots.
A recount is never the wrong thing to do - you'll know the liars by who refuses the recount. But instead we listen to their lawyering instead of just threatening to shoot (yes, death penalty - applied by the courts, a mob, or a revolutionary army - appearance of correctness is VERY important here) them until they agree to a recount.
You promote the death penalty in a situation where it is even more despicable then usual, especially since anyone can see the clear option to cheat by getting your opponent eliminated. Each election has some irregularities (and I assume most are not sanctioned by the candidates themselves) so it would be far too easy to cheat for the other guy while collecting 'evidence'.
Then don't call yoursel
Re: (Score:2)
Re: (Score:2)
But do you really think there aren't millions of voters that vote what someone told them to vote already?
I think the point is that while you can bribe voters all you like, they're still untrusted. Heck, bribery is less of a concern than blackmail/threats. With unverified voting, if you bribe me with $100, while I'm pretty likely to vote your way, I can still vote for the other party(How are you going to make that $100 back?). On the other hand, you can't really say 'If you don't vote for X you're fired/finding a new apartment/being beaten bloody/etc...'
Re: (Score:2)
Re: (Score:3, Insightful)
I agree, vote rigging should be treated as seriously as a crime can be.
I'd add to that- politicians taking bribes should attract similar penalties.
Re: (Score:2)
This is as it should be, the problem is today most politicians just use their power for their own gains, do not accept any responsibility, and sure as hell are never punished... I do not advocate punishing politicians for mistakes otherwise you would never become a politician anymore, but I would like to see strict rules regarding corruption and that anyone ever caught betraying the
Amazing findings (Score:2, Insightful)
Amazing work they've done here. They've proven that if you have intrusive access to the hardware, you can screw it up and do deviant shit. How about you post an article when someone can walk into a polling place, hack a machine, and walk out without take a screwdriver or some large, obvious device to a voting machine?
This article, like most of the front page needs "-1, Irrelevant".
Re: (Score:2, Insightful)
Your analysis neglects the basis of comparison, in which case is traditional voting methods on paper.
If you can walk in with a screwdriver to mess up an election with the electronic system but can't do the same to the paper method, then clearly there is some impact to security.
Re: (Score:2)
Hardware based attacks that rely on invasive access are stupid in terms of demonstrating 'how vulnerable' an e-voting system is. The assumptions you have to make are stupid; You assume no one will notice someone taking 10 minutes to vote , that they're carrying tools, that they get down on their knees to open the case,
Re: (Score:3, Insightful)
the point here is that polling places can rig the machines just fine.
clever in key areas where a specific political party needs more votes to win.
kinda like how with diebold, republicans got overwhelming victories in predominantly democratic voting districts.
Re: (Score:3, Insightful)
How about you post an article when someone can walk into a polling place, hack a machine, and walk out without take a screwdriver or some large, obvious device to a voting machine?
So the possibility of bypassing democracy isn't worrying, as long as you put a full body scanner in front of each voting cabin?
Or you could limit the time that can be spent voting, and pray nobody finds a faster hacking method.
1...2...3... BAM! You're out. Vote faster next time.
Re: (Score:2)
Ask yourself what stops people from opening ballot boxes to mess with the votes? The answer (in the UK at least) is four uniquely serial-numbered ties which have their numbers noted when the box is sent out, and verified when it's opened. Just put all the innards in an epoxy resin, put them in a toughened metal cabinet, lock the door with a key and attach aforementioned ties. A screwdriver won't help you.
Re: (Score:2)
That was my first thought do. Physical access is needed to break the hardware.
The Researchers just say that the security measures used are low tech and easy to break, but show no demonstration about breaking it in a simulation/real polling situation.
I personally think its hard to pull off in a polling booth.
Second, With the size of India's population I would rather that India continues to use EVMs and switch to paper trail methods -- Please think of the trees.
Using paper is not only is bad for the environme
Re: (Score:2)
All voting systems are vulnerable... (Score:2)
The only solutions are transparent voting systems (if electronic, software and hardware must be publicly documented so that flaws are found and fixed - yes, I user Firefox!), plus independe
Re: (Score:2)
In the UK in particular you *cannot* issue a receipt - anything which can be used to match a vote to a voter is illegal. Even signing your name instead of putting a cross renders your ballot spoiled.
Re: (Score:3, Interesting)
Re: (Score:2)
Ugh yeah, should have clarified that it's anything which on its own identifies a voter with a vote, which a receipt (I'm guessing) would do much as a signed ballot paper does.
Re: (Score:3, Interesting)
In the UK in particular you *cannot* issue a receipt - anything which can be used to match a vote to a voter is illegal. Even signing your name instead of putting a cross renders your ballot spoiled.
Except, of course, the recording of the ballot paper number next to your name when you vote.
In the past it would have been difficult to automatically match up every vote with a voter but it certainly wouldn't have been difficult to find out who cast a particular vote. "Who voted communist?"
Nowadays I'd expect th
Re: (Score:2)
Maybe, but why not shift the election to a Sunday (or make election day a public holiday) as a first measure? It might help if voting was spread out more evenly over the course of the day.
everyone should stick to paper (Score:2, Insightful)
even the most technologically advanced societies (some nordic countries want to vote by cell phone!?), for two reasons:
1. attack vectors
of course paper voting is subject to cheats, ballot stuffing, getting lost in transit, etc. its just that paper voting is a simpler process than mechanical or electronic voting, so therefore the numnber of attack vectors for paper voting is orders of magnitude less than mechanical voting... which in turn has orders of magnitude less attack vectors than electronic voting
one
Re: (Score:2)
i don't agree with you (Score:2)
if what you say is true, then people can't grasp that sometimes convenience has to be sacrificed. if what you say is true, then X Factor generation is the end of democracy
it is naive to think that technology offers a better way to vote: there is no technological solution to the bribe-able government bureaucrat
therefore, you have to make the voting process as technologically crude as possible, to prevent creative ways to cheat we cannot foresee
its also a matter of trust in the system. i can trust and verify
Re: (Score:2)
direct democracy is a joke (Score:2)
not even in a small town is it possible
you WANT representatives, you really do
in a genuine direct democracy, every little zoning board approval or budgetary line item would require your vote. you would spend all day voting. you wouldn't pay attention to the issues: you wouldn't have TIME to pay attention to the issues. you wouldn't have time to educate yourself on the issues in the amount of time possible before the vote was due. every single vote, in nauseous tedium, would require your research. you wouldn
Re: (Score:2)
its hard (Score:2)
in fact, all of history is a process of perfecting that balance to better and better degrees, raising the bar to even better orders of perfection, and repeating the process, forever, never completely erasing graft and corruption, but getting closer and closer to something resembling acceptability, barely
Re: (Score:2)
Your potential for impersonation stems from the fact that you can't verify with any certainty the identity of people...
Any "inconvenience" with paper voting was due to procedural failings in the UK implementation, not some inherent faults. My (EU) country has also paper voting, and it works extremelly smooth. It's simply scheduled for Sunday, from 8AM to 8PM (and sometimes 10PM), when not only the population has plenty of time to vote but also you have lots of "workforce" available to staff a very dense net
Poll rigging this way is unnecessary in India. (Score:4, Funny)
Perfectly illustrated in http://xkcd.com/538/ [xkcd.com]
Re: (Score:2)
Go to Pot (Score:2)
If they've proved that someone can clip a device over a RAM chip, may I suggest epoxy resin or a potting compound. Pot the entire internals, including the ribbon cable to the display and the display board itself to make the electronics much, much more difficult to reach.
'tamperproof,' 'infallible,' and 'perfect' (Score:2)
Our project team includes three Centaurs, design was managed by the Minotaur and the UI was put together by a herd of Unicorns. Debugging was handled by a 500 year old wise Chinese dragon.
After all, who better than a team of mythical creatures to design a system with a mythical feature-set ?
Re: (Score:3, Informative)
Our project team includes three Centaurs, design was managed by the Minotaur and the UI was put together by a herd of Unicorns. Debugging was handled by a 500 year old wise Chinese dragon.
We tried that and it didn't work. The minotaur's design was too convoluted, the UI was pink and invisible, and after receiving hundreds of bug notices we discovered that the dragon had spent months farming gold.
Re: (Score:2)
>"UI was pink and invisible"
It was invisible... but it had a colour... oh nervermind, that's actually MORE believable than "it was tamperproof and infallible" !
Scale (Score:3, Interesting)
The size and scale of India's election makes attempts at manipulating the election at the voting machine level very difficult. Any legit attack would have to be done at the back-end altering massive numbers of votes.
you've defined the weakness, not the strength (Score:2)
if you had paper voting, you'd need an army of conspirators (which by nature of its size would be discovered), and an audit would discover statistical perturbations
but with electronic voting, you just bribe the right official or two, and one guy with a few milliseconds of access to the database and some crafty code can alter the votes in statistically invisible ways
Re: (Score:2)
absolutely (Score:2)
you seem to think i'm saying that paper voting won't have cheating. of course paper voting will have cheating. all voting systems will have some (hopefully low grade) cheating all the time, forever. there's no way around that, there's no technological fix for that
what i'm asking you to understand is that electronic voting will have cheating too, and the kind of cheating that can go on in electronic voting is far more subtle and dangerous and far more venomous of a threat to the legitimacy of indian democrac
Re: (Score:2)
Not true. India did have paper voting. The fraud happened before the vote count. Criminals would simply "capture" polling booths and stuff the ballot boxes.
How do the new voting machines help in this regard?
Sorry, I fail to see the difference.
Here's a better solution:
Re: (Score:2)
The problem in Indian elections is not manipulation of voting machines, but the corruption of the voter by purchasing their votes through paying money, especially to the poor and illiterate masses.
The solution to voter coercion is of course not voting computers but secret ballots [wikipedia.org]. Apparently ballots are already supposed to be secret but maybe the polling places need bigger curtains [instablogs.com].
EVM: Simple tech & tamper resistent procedures (Score:2, Informative)
The way EVMs reduce rigging is not by any superior technology. It is based on simple accessible technology and elaborate procedures to ensure that poll rigging is minimized to the maximum extent possible. Check this very detailed FAQ by Election Commission of India, specifically Q24 and Q28.
http://www.indian-elections.com/electionfaqs/electronic-voting-machines.html [indian-elections.com]
How to build a good voting machine (Score:3, Interesting)
For the hardware you need:
Touchscreen with graphics chip and touchscreen controler as an input device
Receipt printer (the kind that has been used in millions of cash registers, ATMs and other devices world wide for a few decades)
Flash memory chip to hold the machine OS and the config file (which candidates are running etc). This should be the kind that when its in the machine, it cannot be written to and has to be removed to write new software or configs. This would have a difficult-to-duplicate-or-remove sticker applied with the voting machines unique serial number to ensure that it hasn't been swapped for another identical chip containing rigged software.
Thumb drive or memory card to hold the counted votes. This would also have a difficult-to-duplicate-or-remove sticker applied with the voting machines unique serial number to ensure it isn't substituted with a fake one containing a different result.
CPU (ARM of some sort would seem to make sense) to control the system with usual support items (power supply, RAM etc)
Tamper-evident case containing the hardware with more difficult-to-duplicate-or-remove stickers with the voting machines serial number covering the screw holes/case edges/etc to ensure you can tell if its been opened.
The receipt printer would be located outside of the tamper-resistant part so the roll can be replaced by poling station officials. Should a machine fail for other reasons (i.e. any reason that would require access to the hardware) that machine would be taken offline and not used for the rest of the election.
Software:
Linux kernel with drivers for the memory card reader, touchscreen, receipt printer etc. (the kernel would be specifically built for the voting machine with everything that is not required for the device such as networking removed)
Basic set of libraries (the bare minimum required to make everything work)
Custom voting machine software.
All software would be 100% open source.
Before the election, the machines are prepared by loading the correct OS and kernel along with the config file for the machine (containing the names and info for the candidates) onto the operating system chips. The operating system chip and vote counting memory card are loaded into the machine. Then the machines are verified and tested. Once they have been verified, they are sealed up and the tamper-evident stickers applied before they get shipped off to the poling booths.
When you go to vote, you pick your candidate on the screen by touching their name. Then you have to press "OK" once you are sure you clicked on the right name.
After your vote is complete, it is recorded in the file on the memory card. Also, a receipt is printed containing a machine readable bar-code corresponding to your vote plus a human readable record. This receipt is then inserted into a ballot box as you depart the polling booth. No part of the machine (receipt included) contains any record of who you are as a voter or any way to associate your vote back to you.
To count the votes, the memory cards are removed from the machines (after checking that the machine was not tampered with and that the memory card is genuine) and sent to the relavent counting office to be read and counted. Should there be a dispute, either the machine readable bar-code or the human readable record can be used as a way to count the ballots.
Maybe some of this is overkill (like labeling the chips with stickers to prevent tampering), I dont know. But when you are talking about something as critical to a free society as an election, its important to get it RIGHT.
My idea would work for any system no matter how many items are on the ballot or how many people are voting (a commonly cited downside of paper systems is that there are too many papers to count and/or too many things being voted on)
My idea wont prevent tampering (of the kind described in TFA) but it will be immediately obvious when someone has tampered with the hardware in the machine (if it works for telling Microsoft or Dell when someone has opened their PC or XBOX and voided the warranty, it should work for a voting machine, especially since getting close enough to one for long enough to fiddle with it is hard when inside a polling station.
Aw, bless them (Score:2)
Meaningless (Score:2)
Scale of Indian elections and EVMs (Score:5, Informative)
Folks,
It is important to put the size of elections in India in perspective and how they operate to understand any meaningful amount of fraud or corruption possible.
The EVMs in question are extremely simple. They only have a breakout panel with 32 buttons (expandable upto 64 buttons with an addon breakout button panel). The machine only ever knows the number of enabled buttons. The names and party symbols are affixed as paper "stickers" on the buttons.
---------------------
[B] S First Last Name
---------------------
[B] S First Last Name
------...
The order and placement of stickers on the buttons changes from constituency to constituency. The machines are sealed/unsealed in presence of at least 3 officials, though in practice, it's no less than a dozen or more, as it's a public affair and often media is present.
Some numbers (courtesy http://www.indian-elections.com/facts-figures.html [indian-elections.com]):
Number of EVMs used: 1.023 million
Max candidates per EVM: 64
Max candidates in election from one constituency: 35
Total number of candidates: 5398 (India is a multi-party democracy)
Number of parties: 220
Number of registered voters: 675 million
Cost of '09 elections: Approx $2 billion
Any 'fraud' analysis needs to take the process and numbers into account. EVMs in India solve a LOT of problems with regard to elections and drastically cut down on time, effort and cost involved. There are a number of places where several miles of journey on the back of mule is needed to reach the polling booths. It's much easier to conduct an electronic poll there rather than carrying several large ballot boxes that could be snatched.
Re: (Score:2)
Re:Secure e-voting (Score:5, Interesting)
Or even poker machines. Every machine runs from a PROM. Authorities keep a table of validated PROM image checksums. Operators of the machines have to let inspectors validate the checksums on demand, and if it doesn't match then your gaming license gets revoked and the place closes down.
Now thats no too hard, is it? Validate a small number of images, then make damn sure they don't get changed. Encourage simple, embedded systems as opposed to big operating systems with 30 million lines of code.
Re:Secure e-voting (Score:4, Insightful)
Operators of the machines have to let inspectors validate the checksums on demand, and if it doesn't match then your gaming license gets revoked and the place closes down.
And how to you suggest to apply that system on an election environment? If the checksum doesn't match, you remove all votes from the voters who used that particular machine? You repeat the elections until no machine was tampered with?
Re: (Score:3, Insightful)
Operators of the machines have to let inspectors validate the checksums on demand, and if it doesn't match then your gaming license gets revoked and the place closes down.
And how to you suggest to apply that system on an election environment? If the checksum doesn't match, you remove all votes from the voters who used that particular machine? You repeat the elections until no machine was tampered with?
Yes, sounds about right.
Re: (Score:3, Interesting)
And how to you suggest to apply that system on an election environment? If the checksum doesn't match, you remove all votes from the voters who used that particular machine? You repeat the elections until no machine was tampered with?
Yes, sounds about right.
Nice system. So once my party governs I can simply block any further election to ever finish, just by touching a single machine.
Re: (Score:2)
Nice system. So once my party governs I can simply block any further election to ever finish, just by touching a single machine.
Even better, tamper with a machine, accuse your main competitor of it thus causing a huge public outcry against them, rerun the election and win by a landslide.
The moral of the story is: you cannot rerun an election without modifying its result.
Re: (Score:2)
And how to you suggest to apply that system on an election environment? If the checksum doesn't match, you remove all votes from the voters who used that particular machine? You repeat the elections until no machine was tampered with?
Yes, sounds about right.
Nice system. So once my party governs I can simply block any further election to ever finish, just by touching a single machine.
Hell, once your party governs you can find all sorts of ways, some sophisticated, some not, of staying in power.
Re: (Score:2, Interesting)
Re: (Score:2, Informative)
Why are there so many stories on slashdot about how awful e-Voting is? Is there a large part of the slashdot audience that seeks a return to pencil and paper solutions, instead of this new-fangled transistorisation? I think your idea makes perfect sense, the situation where a PROM is touched is the same situation as where a ballot box has been broken open.
I don't really get if you are complaining or agreeing...
Thing is, there are many differences between a ballot box and a e-voting system.
In the case of the ballot box, you need to tamper with it after the election, when it is best garded. Each ballot box only contain a limited number of votes, and you need to prepare a large amount of false ballots before hand.
In the case of the e-voting system, you can tamper with it before the election and make 'invisible' tampering (ROM flashing, replacing the display
Re: (Score:3, Interesting)
Re: (Score:3)
Much simpler system. Voting machine prints out a ballot paper that goes into the ballot box. Select a random sample of ballot boxes and check the contents to what the computer says.
Re:Secure e-voting (Score:4, Interesting)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Interesting)
Re: (Score:2)
You simply implement the exact same procedures for dealing with a ballot box that had been tampered with. I do not see what the difficulty is here
1 - They don't have to let you spend some time alone with the box as part of the voting process.
2 - It's harder to tamper with the box in a way that makes it impossible to detect until after the elections are over.
Re: (Score:2)
What about the Estonian e-voting system [wikipedia.org]? Can you point out any insecure parts in that system?
Some of the more common scenarios (man in the middle, vote buying and a few others) are addressed in chapter 4.6 of an analysis of e-voting security [triinu.net](warning: large PDF file).
Re: (Score:2)
The whole Estonian system is based on having secure systems connected to the internet. It's possible to do a mass attack on the voters systems and/or servers on the day of the attack. The study you give simply ignores this possibility by "assuming" that the chance of an attack is low. However, it bases this assumption on total falacies. If you assume that your enemy is well funded (likely in the Estonian case; it may well be the Russian government) then they have a zero day exploit ready to go just befo
Re: (Score:3, Interesting)
More than security is at stake here. Transparency also matters. With paper voting many citizens are perfectly able to go to the polling station and observe (and grasp!) the whole voting process and counting votes; generally check that everything happens according to the procedure. Have such people in every polling station and you can independently confirm the result of elections.
It builds confidence in the results.
There's no transparency with electronic voting. None. Even you are "IT pro" and go to see what
Re: (Score:2)
Can you point out any insecure parts in that system?
Only haven given it a quick look: It sounds like they have given up on anonymity, thus every vote can be traced back to the voter.
Re: (Score:2)