posted by martyb on Thursday April 16 2015, @04:22PM   Printer-friendly
from the Bzzzt!-Bzzzt! dept.

The Virginia election commission, which is responsible for certifying whether machines are fit to be used in elections, has decertified the Advanced Voting Solutions WINVote, and for good reason. Among the many security flaws found in this product are:

  • Weak administrator passwords such as "admin" or "abcde"
  • Use of an embedded version of Windows XP that has not been patched since 2004
  • Use of WEP, long since broken, for Wi-Fi encryption
  • No firewall at all

Worse still, this machine has been used in actual elections, and its lack of any logging or record-keeping means we will never know whether these weaknesses were used to manipulate the outcome of an election. As a proof of concept, security researchers demonstrated gaining access to the machine and altering the recorded vote counts.

 
  • (Score: 2, Insightful) by Anonymous Coward on Thursday April 16 2015, @08:03PM (#171709)

    No system is immune to rigging, not even hand-counting of paper ballots. But there is a way to do e-voting that minimizes the risk while still maximizing the benefits of e-voting (primarily ease of voting, ease of counting and reduced error rates like hanging chads).

    It's a two-part process:
    part 1: the voting machine
        . has a really good user interface, with different versions for people with different first languages,
                visual disabilities (like extra-large fonts for people who need them), etc.
        . prints the completed ballot on paper in human-friendly form (no barcodes; only shows the minimum
                necessary data for the selected candidates)
        . but also in OCR-friendly form - fonts, layout etc. designed to minimize OCR errors
        . human visually checks paper ballot and inserts it into ballot box

    part 2: the vote counting machine
        . scans each ballot
        . high confidence scans are immediately tabulated
        . low confidence scans go to a human to visually inspect and manually count
        . all ballots marked with an indelible timestamp when tabulated (not necessarily when inserted into the ballot box)
        . all ballots retained for recounts

    No additional automation can improve on the integrity of that process without also significantly increasing the risk of fraud

  • (Score: 0) by Anonymous Coward on Thursday April 16 2015, @09:29PM (#171740)

    I have come to a similar conclusion. My method is slightly different and only uses one machine.

    Each voting machine is an un-networked standalone, and any IO (apart from that required to vote) is inside a physical locked safe (which the returning officer has the key to). The device has a card reader and physical context-sensitive screen-edge buttons (like an ATM).

    1) The voter enters the hall, their ID is checked against a register and they are given a card with a unique code (randomly).
    2) The voter scans their card and the machine assigns them an anonymous unique ID (AUID) (the value on the card). The card is retained but not destroyed.
    3) The voter selects usability (language) choices.
    4) The voter goes through and selects a choice for all ballots currently being run.
    5) A receipt ballot is printed and displayed to the voter through a secure transparent window.
    6) The voter uses a lever to move the ballot either to the "incorrect" bin [goto 7a] or the "correct" bin [goto 7b].
    7a) The ballot is made unreadable by moving the lever and dropped into the "incorrect" bin. The user is taken to step 3.
    7b) The ballot falls into the opaque "correct" bin.
    8) The machine stores in a signed list the voter's AUID and choices, and destroys their card (from step 1).

    At any time before step 5, the voter can press "cancel" and receive back their voting card.

    At the end of the voting session the returning officer downloads information from the machine to a secure device and collates all data from the voting machines.
    The returning officer reports these "initial" values through the same channels as current values are reported.

    Some machines are randomly selected after the voting and a manual count is performed on the printed values. These must tie up to the machine count within an acceptable margin of error (to allow for human error in counting), or a full manual count is triggered.

    Any registered voter can demand a re-count.

    If the counts match within the human error bar the machine count holds.

    For close runs (within the human error bar), a more elaborate counting structure may be used (i.e. triple counting to minimize error).

    Until recounts are completed the machine count holds, people can act as if elected on all matters except the voting procedure.

    The returning officer later confirms or resubmits counts.
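As an added illustration (not code from the commenter or from any real voting product) of two pieces of the scheme above: the signed list of step 8, here built as an HMAC-chained log that the returning officer's secure device can verify after download, and the post-election spot check that picks machines at random and compares the machine tally with a manual count of the printed ballots within a tolerance. The signing key, machine numbers, AUIDs, ballots and manual counts are all constructed for the demonstration, and HMAC-SHA256 stands in for whatever signature scheme a real machine would carry.

```python
import hashlib
import hmac
import json
import random
from collections import Counter

# Constructed per-machine signing key. Under the scheme above it would sit
# inside the locked enclosure with the rest of the machine's I/O.
MACHINE_KEY = b"constructed-demo-key-machine-07"


def sign_record(key: bytes, prev_tag: str, auid: str, choices: dict) -> dict:
    """One entry of the signed list from step 8. The tag also covers the previous
    entry's tag, so deleting, inserting or reordering entries breaks every later tag."""
    body = json.dumps({"prev": prev_tag, "auid": auid, "choices": choices},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"auid": auid, "choices": choices, "prev": prev_tag, "tag": tag}


def build_log(key: bytes, votes) -> list:
    log, prev = [], "genesis"
    for auid, choices in votes:
        rec = sign_record(key, prev, auid, choices)
        log.append(rec)
        prev = rec["tag"]
    return log


def verify_log(key: bytes, log) -> bool:
    """What the returning officer's secure device checks after download."""
    prev = "genesis"
    for rec in log:
        expected = sign_record(key, prev, rec["auid"], rec["choices"])["tag"]
        if rec["prev"] != prev or not hmac.compare_digest(expected, rec["tag"]):
            return False
        prev = rec["tag"]
    return True


def machine_count(log, contest: str) -> Counter:
    return Counter(rec["choices"][contest] for rec in log)


def select_machines(machine_ids, k: int, seed: int) -> list:
    """Random selection for the post-election spot check. The seed should come from
    a public source (dice rolled in front of observers), never from the machines."""
    return sorted(random.Random(seed).sample(list(machine_ids), k))


def spot_check(machine_counts: dict, manual_counts: dict, tolerance: int) -> str:
    """Compare the machine tally with the manual count of the printed ballots;
    any candidate off by more than the tolerance triggers a full manual count."""
    for cand in set(machine_counts) | set(manual_counts):
        if abs(machine_counts.get(cand, 0) - manual_counts.get(cand, 0)) > tolerance:
            return "full manual count"
    return "machine count holds"


# --- constructed demonstration data ---
VOTES = [("auid-4f1c", {"mayor": "A"}), ("auid-9a02", {"mayor": "B"}),
         ("auid-77e3", {"mayor": "A"}), ("auid-b8d1", {"mayor": "A"}),
         ("auid-0c5e", {"mayor": "B"})]
DEMO_LOG = build_log(MACHINE_KEY, VOTES)


def tampered_log() -> list:
    """Copy of the log with one stored choice flipped and no re-signing."""
    log = [dict(r) for r in DEMO_LOG]
    log[1]["choices"] = {"mayor": "A"}
    return log


if __name__ == "__main__":
    print("log verifies:", verify_log(MACHINE_KEY, DEMO_LOG))
    print("tampered log verifies:", verify_log(MACHINE_KEY, tampered_log()))
    print("selected for manual count:", select_machines(range(1, 21), 3, seed=4172))
    tally = machine_count(DEMO_LOG, "mayor")
    print(spot_check(tally, {"A": 3, "B": 2}, tolerance=1))
    print(spot_check(tally, {"A": 1, "B": 4}, tolerance=1))
```

The chain of tags is what makes the list "signed" in a useful way: a single HMAC per entry would let someone with access to the download drop whole records, whereas here each tag commits to everything before it, so the verifier can only accept the log as a whole.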

  • (Score: 2) by c0lo (156) on Thursday April 16 2015, @10:33PM (#171762) Journal

    Missing from your scheme: auditability.

    Is it necessary? Well, at multiple steps in your scheme an attack can be arranged (leaving aside breaking the security of the computers).
    For instance, counting low-confidence scans (phase 2, 3rd bullet): I can buy the sole human you put in charge as decider to swindle the votes my way and arrange for a good proportion of scans to be "low confidence" (just run some slightly greasy ballots through it, nothing a human would consider conspicuous).
    (I can imagine many other ways of attack; the above is only one example)

    Normally, the voter should be able to verify independently that her vote was not altered when it comes to counting. So, the voter would need to get a voting receipt that she can use with a/the central system to validate it. The receipt should contain a hash of her vote - to preserve the "vote secrecy" (she cannot prove how she voted to any 3rd party, to eliminate vote influence by directly buying them or by coercion).

    > No additional automation can improve on the integrity of that process without also significantly increasing the risk of fraud

    For advanced topics, a suggested start for your research: end-to-end auditable voting systems [wikipedia.org]

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0
    • (Score: 0) by Anonymous Coward on Friday April 17 2015, @05:14AM (#171891)

      > Missing from you scheme: auditability.

      That is what manual recounts are for.

      > counting low confidence scans (phase 2, 3rd bullet), I can buy the sole human you put in charge

      I really hate when people try to tear down ideas by playing dumb. Of course ambiguous votes would be inspected by a team with a member from every party.

      > So, the voter would need to get a voting receipt that she can use with a/the central system to validate it.
      > The receipt should contains a hash of her vote

      Not useful. For one thing, we don't currently have an analog equivalent and it's not a major problem, for a second if it were a significant attack vector the attackers would just fake out the hash, which as you've proposed it is nothing more than a serial number. Just because the system says "yes this serial number is in the system" doesn't prove that it was actually counted.

      • (Score: 2) by c0lo (156) on Friday April 17 2015, @12:43PM (#171991) Journal

        > would just fake out the hash, which as you've proposed it is nothing more than a serial number. Just because the system says "yes this serial number is in the system" doesn't prove that it was actually counted.

        You know what a hash of the vote is? You take the serial of the ballot, concat the chosen option on the ballot and the timestamp, and apply a hash function [wikipedia.org]. You print that hash on a piece of paper (transparent plastic would be better) to act as a receipt which you hand to the voter (make it a QR code, if you like). The voter can ask the central system, based on the serial number of the ballot, to regenerate the hash on all the recorded info at any time: if any info was changed, there's no way the hash will be the same (if the hash is printed on transparent plastic, the voter needs just to overlap it over an image on the screen for comparison).

        > Not useful. For one thing, we don't currently have an analog equivalent and it's not a major problem

        But it's still a problem. Since you can use the very technology you proposed to address it, why not take the opportunity?

        --
        https://www.youtube.com/watch?v=aoFiw2jMy-0
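Added example, not part of the comment above or of any real system: the receipt recipe exactly as described (hash of ballot serial, chosen option and timestamp, printed for the voter; the central system regenerates it from its stored record on request), with the tamper check that comparison gives. It also carries one caveat a practitioner would raise that goes beyond the comment: every input to that hash except the choice is known or guessable and the candidate list is short, so whoever holds the receipt together with the serial and timestamp can recover the vote by trying each candidate, which reopens the vote-buying channel the receipt was meant to close. Storing a random nonce alongside the record (an assumed addition, not in the thread) keeps the regeneration check working while removing that guess. Serials, timestamps, candidate names and the record store are constructed.

```python
import hashlib
import hmac
import secrets

CANDIDATES = ("Alice", "Bob", "Carol")        # constructed contest


def receipt_hash(serial: str, choice: str, timestamp: str, nonce: str = "") -> str:
    """hash(serial || choice || timestamp [|| nonce]); the separator keeps the
    concatenation unambiguous, so '12'+'3' and '1'+'23' cannot collide."""
    data = "|".join((serial, choice, timestamp, nonce)).encode()
    return hashlib.sha256(data).hexdigest()


def record_vote(records: dict, serial: str, choice: str, timestamp: str,
                nonce: str = "") -> str:
    """Store the vote centrally and return the receipt string printed for the voter."""
    records[serial] = {"choice": choice, "timestamp": timestamp, "nonce": nonce}
    return receipt_hash(serial, choice, timestamp, nonce)


def voter_verifies(records: dict, serial: str, printed_receipt: str) -> bool:
    """The check described in the comment: the central system regenerates the hash
    from everything it holds under that serial; any altered field changes it."""
    r = records[serial]
    regenerated = receipt_hash(serial, r["choice"], r["timestamp"], r["nonce"])
    return hmac.compare_digest(regenerated, printed_receipt)


def recover_choice(serial: str, timestamp: str, printed_receipt: str,
                   candidates=CANDIDATES):
    """Added caveat (not from the thread): with no secret input, anyone holding the
    receipt plus the serial and timestamp can try each candidate and learn the vote."""
    for c in candidates:
        if hmac.compare_digest(receipt_hash(serial, c, timestamp), printed_receipt):
            return c
    return None


# --- constructed demonstration data ---
PLAIN = {}     # central records, scheme exactly as described (no nonce)
PLAIN_RECEIPT = record_vote(PLAIN, "000117", "Bob", "2015-04-16T10:42:07")

HIDDEN = {}    # assumed variant: a random nonce kept only in the central record
HIDDEN_RECEIPT = record_vote(HIDDEN, "000118", "Bob", "2015-04-16T10:43:19",
                             nonce=secrets.token_hex(16))


def tampered_records() -> dict:
    """Central copy with the stored choice flipped: the receipt no longer regenerates."""
    t = {k: dict(v) for k, v in PLAIN.items()}
    t["000117"]["choice"] = "Alice"
    return t


if __name__ == "__main__":
    print("voter check, intact record:", voter_verifies(PLAIN, "000117", PLAIN_RECEIPT))
    print("voter check, altered record:", voter_verifies(tampered_records(), "000117", PLAIN_RECEIPT))
    print("vote recovered from bare receipt:", recover_choice("000117", "2015-04-16T10:42:07", PLAIN_RECEIPT))
    print("vote recovered with nonce in record:", recover_choice("000118", "2015-04-16T10:43:19", HIDDEN_RECEIPT))
```

The nonce changes nothing about the voter's own check, since the central system still holds every input and can regenerate the hash; what it removes is the ability of a third party to confirm a vote from the receipt alone. A timestamp does not substitute for it: at one-second resolution over a polling day it adds only a few tens of thousands of guesses per candidate.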