Stories
Slash Boxes
Comments

SoylentNews is people

South Carolina's 13k Electronic Voting Machines Vulnerable, Unreliable

posted by martyb on Saturday July 21 2018, @10:31PM   Printer-friendly
from the Replace-or-not-to-replace?-Have-the-people-vote-on-it! dept.

canopic jug writes:

The project Protect Democracy is suing the state of South Carolina because its insecure, unreliable voting systems are effectively denying people the right to vote. The project has filed a 45-page lawsuit pointing out the inherent lack of security and inauditability of these systems and concludes that "by failing to provide S.C. voters with a system that can record their votes reliably," South Carolinians have been deprived of their constitutional right to vote. Late last year, Def Con 25's Voting Village reported on the ongoing, egregious, and fraudulent state of electronic voting in the US, a situation which has been getting steadily worse since at least 2000. The elephant in the room is that these machines are built from the ground up on Microsoft products, which is protected with a cult-like vigor standing in the way of rolling back to the only known secure method, hand counted paper ballots.

Bruce Schneier is an advisor to Protect Democracy

Earlier on SN:
Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States (2018)
Want to Hack a Voting Machine? Hack the Voting Machine Vendor First (2018)
Georgia Election Server Wiped after Lawsuit Filed (2017)
It Took DEF CON Hackers Minutes to Pwn These US Voting Machines (2017)
Russian Hackers [sic] Penetrated US Electoral Systems and Tried to Delete Voter Registration Data (2017)
5 Ways to Improve Voting Security in the U.S. (2016)
FBI Says Foreign Hackers Penetrated State Election Systems (2016)
and so on ...

Original Submission

 
This discussion has been archived. No new comments can be posted.
South Carolina's 13k Electronic Voting Machines Vulnerable, Unreliable | Log In/Create an Account | Top | 24 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by edIII on Saturday July 21 2018, @11:30PM (5 children)

    by edIII (791) on Saturday July 21 2018, @11:30PM (#710607)

    I would say the only way to go is a cryptographically signed vote. All votes are made public. There is a large file for the politician containing all the votes, which can be downloaded anonymously. Anybody curious about their vote only has to search the public database for the vote to see if it is counted to the right politician. If you find your vote in the wrong "pile" you have proof from a cryptographically signed receipt proving you voted for a different politician.

    The most important part is that you leave with the receipt, and yes, that would be on paper. Encode the information is something like a QR code with maximum protection (meaning it can degrade a little without losing data). Even then, that's only going to work as long as the cryptography is strong. That's increasingly doubtful, and quantum cryptanalysis will eventually break all conventional crypto.

    Paper ballots are by far the simpler, and almost foolproof method, to conduct voting. All we really need to do is make them easier, faster, and more verifiable during counting. I've thought of going to thin metal pieces made of aluminum. Your vote is hole punched, with a metal tag per vote. It peels apart into two pieces, one to be counted, one you can walk away with. Counting can be done by machine and verified by "eye". Imagine a stack of them that could only stack if every single vote were the same, with long metal rods through the punched holes. This could be automated by machine, with an entire stack easily seen by all as to be in the same configuration, and a configuration for that politician. Votes could probably be counted by height, and it they would be much easier to rapidly count into a database with a machine. Also worth noting, that there are perforations or risks of hanging chad. The hole punches should be validated by machine before you even leave.

    You could still imprint data onto the metal plates. Bonus, if you used a TRNG and used OTP which is the only 100.00% secure cryptographic method known in existence. Download all the metal plates for the politician, and then safely verify if your OTP key is inside it.

    Anything less than paper ballots is just designed to ultimately bring down democracy. Anybody can say whatever they want, but Orange Anus is illegitimate. We still don't know the extent of the hacking, and anywhere were the race was tight needs to be looked at intently. I sincerely doubt anyone here, on any side of the political arguments, trusts Diebold with jack diddly shit right? How much of the last election was done electronically? None of it can be trusted. Those machines keep getting hacked, but they survive. Like Microsoft POS keeps surviving on everything despite the vulnerabilities and hacking.

    The only two times I voted, which the first time I missed, the results were already largely in favor of the person I voted for. If I were in some place where the races were tighter, and there was electronic voting, I would be suspicious as fuck and feel that democracy as probably denied me.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
    Starting Score:    1  point
    Karma-Bonus Modifier   +1  
    Total Score:   2  

  • (Score: 0) by Anonymous Coward on Sunday July 22 2018, @12:02AM (2 children)

    by Anonymous Coward on Sunday July 22 2018, @12:02AM (#710611)

    Blockchain, dude, blockchain.

    • (Score: 1, Touché) by Anonymous Coward on Sunday July 22 2018, @12:32AM

      by Anonymous Coward on Sunday July 22 2018, @12:32AM (#710617)

      Ethereum! Then it can be a series of contracts!

    • (Score: 5, Interesting) by edIII on Sunday July 22 2018, @02:11AM

      by edIII (791) on Sunday July 22 2018, @02:11AM (#710636)

      Actually, no. The benefit of stamping OTP onto both side of the metal tag before splitting it, is that the level of math required to verify it is elementary school simple. Just add up every number, or treat at is if it needs to be equal strings.

      The danger of a blockchain, or conventional cryptography is that we need a very small percentage of our population to verify it. So small, that it wouldn't be possible to verify it all even if that were their full time jobs. It has to be something simple and accessible by the masses, which given the piss poor state of America across the board, necessitates a rather low bar. Addition might be too much, which is why just verifying the first and last 10 digits as the same would probably be LCD for America at this point.

       

      --
      Technically, lunchtime is at any moment. It's just a wave function.

  • (Score: 1, Insightful) by Anonymous Coward on Sunday July 22 2018, @12:18PM

    by Anonymous Coward on Sunday July 22 2018, @12:18PM (#710733)

    If you can verify that your vote was counted correctly you can also prove to someone else what your vote was. That means that someone else can put you under pressure to vote for the candidate of his choice and not yours. A good voting system is designed to prevent that, not to facilitate it.

  • (Score: 3, Insightful) by Thexalon on Sunday July 22 2018, @08:43PM

    by Thexalon (636) Subscriber Badge on Sunday July 22 2018, @08:43PM (#710881)

    I would say the only way to go is a cryptographically signed vote. All votes are made public. ...

    I feel like we need a version of the old-school spam solution checklist [craphound.com] for voting security. Because a wide variety of proposals for "fixing" voting have a small set of common flaws, and it's abundantly clear folks aren't thinking these things through. Without further ado, here's my attempt, with the flaws in your plan highlighted:
    -----------------------------------------------------------

    Your post advocates a

    (X) technical ( ) legislative ( ) market-based ( ) vigilante

    approach to securing voting. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws.)

    ( ) Voters can't be sure their vote was counted
    (X) Politicians can find out how each voter voted and act accordingly
    (X) Individual voters' choices can be verified and/or demonstrated to a third party, allowing coercion and vote-buying
    (X) It is defenseless against insider attacks
    ( ) It is defenseless against brute force attacks
    ( ) Politicians will not put up with it
    ( ) Requires too much cooperation from scammers

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    (X) Lack of centrally controlling authority for elections
    (X) Asshats
    ( ) Jurisdictional problems
    (X) Willingness of under-trained poll workers to install OS patches
    (X) Armies of worm riddled broadband-connected Windows boxes
    (X) Extreme profitability of election hacking
    ( ) Identity theft
    (X) Technically illiterate politicians and bureaucrats
    (X) Failures of poorly-designed encryption methods undetectable to technically illiterate persons

    and the following philosophical objections may also apply:

    (X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
    (X) Any scheme based on a method of verifying any individual's vote is unacceptable
    (X) Why should we have to trust you and your servers?
    ( ) Feel-good measures do nothing to solve the problem
    (X) I don't want the government knowing my votes

    Furthermore, this is what I think about you:

    ( ) Sorry dude, but I don't think it would work.
    (X) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your
    house down!

    --
    The only thing that stops a bad guy with a compiler is a good guy with a compiler.