Perl Programmers, America Needs Your Help! We Need Secure Voting Machines

[Dave Roberts]

Please forgive me if this isn't entirely a Perl problem. But it could
definitely have an almost immediate Perl solution.

Anyone researching the facts concerning electronic voting will
immediately discover the importance of a paper record of all
transactions.

The fact that Diebold has been building its voting machines (used in
at least 37 states) for years, refuses to include this crucial feature
or publish their computer code, only adds insult to the injury already
created with the numerous reports of their system's verifiable voting
irregularities.

This type of software is easy and fast to develop using proven, secure
techniques with Open Source software, using reliable equipment costing
a fraction of the outrageous fees charged by Diebold, and could easily
employ all the safety features demanded by security experts with
software available for public inspection by anyone concerned.
Diebold's policy insults the intelligence of respectable software and
hardware vendors.

Diebold must be forced to return all the money they have bilked the
public out of and their equipment must not be used.

An acceptable alternative could easily be rapidly created by any one
of thousands of high school students who have all the skills
necessary, as well as no obvious incentive to profit from election
fraud.

The fact that the government sits idly by as this travesty unfolds
speaks for itself.

When you go to the polls to cast your vote, if there is any Diebold
equipment there, the only vote is one of no confidence.

That said (and published) I received replies stating that this was
being handled by programmers in association with SourceForge, but it
turns out that their version won't be done 'till 2005, won't be
entirely open source and uses Python (of all things). A trip to their
site reveals a broken link to the home page of the project manager, a
virtually unused forum, and information available from an AOL address.
Does anything seem wrong here? Visit this link and see for
yourselves. http://sourceforge.net/projects/evm2003/
Then you might want to visit http://www.blackboxvoting.org and
explain to these people that a simple database program isn't exactly
rocket science.

I don't consider myself nearly as skilled as most of you and I think I
could do it with Perl and MySQL in a few days.

The future of America is in your hands!

 

[Robert Wallace]

Please forgive me if this isn't entirely a Perl problem. But it could
definitely have an almost immediate Perl solution.

...........



I don't consider myself nearly as skilled as most of you and I think I
could do it with Perl and MySQL in a few days.

The future of America is in your hands!

You're a clown? Why didn't you say so.
try: http://www.disney.com/

 

[Andy Baxter]

At earth time Tue, 06 Jan 2004 06:34:30 -0800, the following transmission
was received from the entity known as Dave Roberts:

Please forgive me if this isn't entirely a Perl problem. But it could
definitely have an almost immediate Perl solution.

Anyone researching the facts concerning electronic voting will
immediately discover the importance of a paper record of all
transactions.

The fact that Diebold has been building its voting machines (used in
at least 37 states) for years, refuses to include this crucial feature
or publish their computer code, only adds insult to the injury already
created with the numerous reports of their system's verifiable voting
irregularities.

This type of software is easy and fast to develop using proven, secure
techniques with Open Source software, using reliable equipment costing
a fraction of the outrageous fees charged by Diebold, and could easily
employ all the safety features demanded by security experts with
software available for public inspection by anyone concerned.
Diebold's policy insults the intelligence of respectable software and
hardware vendors.

Diebold must be forced to return all the money they have bilked the
public out of and their equipment must not be used.

An acceptable alternative could easily be rapidly created by any one
of thousands of high school students who have all the skills
necessary, as well as no obvious incentive to profit from election
fraud.

The fact that the government sits idly by as this travesty unfolds
speaks for itself.

When you go to the polls to cast your vote, if there is any Diebold
equipment there, the only vote is one of no confidence.

That said (and published) I received replies stating that this was
being handled by programmers in association with SourceForge, but it
turns out that their version won't be done 'till 2005, won't be
entirely open source and uses Python (of all things). A trip to their
site reveals a broken link to the home page of the project manager, a
virtually unused forum, and information available from an AOL address.
Does anything seem wrong here? Visit this link and see for
yourselves. http://sourceforge.net/projects/evm2003/
Then you might want to visit http://www.blackboxvoting.org and
explain to these people that a simple database program isn't exactly
rocket science.

I don't consider myself nearly as skilled as most of you and I think I
could do it with Perl and MySQL in a few days.

The future of America is in your hands!

I don't live there, so it's not something I want to take on, but I do
think you're talking about something that matters. In the UK we still have
a paper based system where all the boxes are brought back to the town
hall, opened in public, and then counted on rows of tables where anyone
with an interest in the result can watch to make sure it's being done
right. It takes most of the night to do it, but it only happens every four
years or so, so that isn't really a problem, and personally I don't see
the need for electronic voting, when it takes away the kind of
public accountability that you get with a paper system. I.e. you don't
need to be a tecchy to sit at a table a watch ballots being counted, or
sit in the van that's taking them back to the hall to be counted.

So if you are going to have electronic voting, I think it's important that
this accountability is kept somehow, and open source and open hardware
designs would help with that.

All I'm saying really is sorry I can't help, but good on you for thinking
of taking this on, even if it's beyond what you're able to do.

andy.

 

[Walter Roberson]

:Anyone researching the facts concerning electronic voting will
:immediately discover the importance of a paper record of all
:transactions.

For good discussions on this issue, please see RISKS Digest,
available on usenet as comp.risks . Dave's posting might look
like a rant, but at the core the issues he is talking about
are substantial.


iebold must be forced to return all the money they have bilked the
ublic out of and their equipment must not be used.

But that approach is very bad strategy. 'bilked' is an implication
of criminal activity, and *any* firm is going to defend itself
very robustly against accusations of criminal activity, and that
defence would likely draw upon the strong political connections
the firm has. If you don't think that Diebold is doing a good
job, then out-compete them.


:An acceptable alternative could easily be rapidly created by any one
f thousands of high school students who have all the skills
:necessary,

Very few high-school students have ISO9001 experience. For
a project this important, you are going to need transparency
and rigerous quality controls -- there is no way that you are
going to displace a well-established firm on allegations of
"potential" fraud, unless your own QA is beyond reproach.
ISO9001 is not for the faint of heart, though, and not for the
slim of pocketbook.


I would also point out that the technologies required are *not* easy.
It is not enough to produce a paper trail: one must produce the paper
trail in such a way that the paper trail is verifiably the same as the
electronic records, and in which the paper trail itself can be
*reliably* counted quickly (think "hanging chad"), with there being no
way to trace the exact votes of any individual (to prevent
vote-buying); and it all has to work with "Internet voting" [as there
is the perception that low vote turnouts are 'caused' by inconvenience
in reaching a polling station.] And the data collection mechanisms to
report the results has to be secure [doesn't matter about your paper
trail if someone can subvert the tally in transit]], has to scale well
(*lots* of polls close at the same time), and the data results should
be easily segregated from each other at the central counting station so
you can analyze voting patterns and for easy totaling reasons and for
easy submission of results from recounts.

That's a LOT to expect from a "high-school student": even seasoned
professionals often get some of these things wrong. (Look at the
history of air traffic control systems: handling a lot of
data simultaneously is *hard*!)

 

[Dave Roberts]

You're a clown? Why didn't you say so.
try: http://www.disney.com/

You're a newbie, Robert. Nobody expects you to grasp the gravity of
the situation. As for my humility, I wasn't referring to the likes of
you with my comment about the immense talent of this group.

 

[Matt Garrish]

If you seriously think that any group of people-- however talente--
can, using Perl and MySQL, develop a secure, reliable, anonymous &
verifiable electronic voting system in only a few days, then I have a
very inexpensive bridge you might want to take a look at, next time
you're in Brooklyn. I bet you could make millions just by charging
tolls!

Would that make him the troll under the bridge? : )

Matt

 

[Uri Guttman]

ES> If you seriously think that any group of people-- however talente--
ES> can, using Perl and MySQL, develop a secure, reliable, anonymous &
ES> verifiable electronic voting system in only a few days, then I have a
ES> very inexpensive bridge you might want to take a look at, next time
ES> you're in Brooklyn. I bet you could make millions just by charging
ES> tolls!

how dare you try to sell my bridge!! i have the deed and a legal bill of
sale. if you put one foot on the bridge, i will push you off into the
east river so you can sleep with the fishes.

uri

 

[Keith Keller]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

how dare you try to sell my bridge!! i have the deed and a legal bill of
sale. if you put one foot on the bridge, i will push you off into the
east river so you can sleep with the fishes.

I'm not sure fishes can survive in the East River. ;-)

- --keith

- --
(e-mail address removed)-francisco.ca.us
(try just my userid to email me)
AOLSFAQ=http://wombat.san-francisco.ca.us/cgi-bin/fom

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/+4NmhVcNCxZ5ID8RAklDAKCToKqoWDINHvVOUTmt3cUpsv0iAACeK+69
wSg2Ded6KhfAcCAoP2Ag97g=
=YLfz
-----END PGP SIGNATURE-----

 

[Dave Roberts]

If you seriously think that any group of people-- however talente--
can, using Perl and MySQL, develop a secure, reliable, anonymous &
verifiable electronic voting system in only a few days, then I have a
very inexpensive bridge you might want to take a look at, next time
you're in Brooklyn. I bet you could make millions just by charging
tolls!

-=Eric

I already have quite a large collection of database applications that
I consider to be much more complicated than a voting system. Most of
the routines are already done and only need slight reconfiguration.

In fact, when I think of all the banking and business applications
that are written in Perl and MySQL, again, there is no comparison
between simply counting votes and to what these elaborate systems are
doing. And again, a simple modification, and your work is done.

Considering that these voting machines won't be on the internet, then
using software from secure applications that are would result in an
application that is more secure than the ones we use every day
transferring millions of dollars. Most people are more concerned with
their banking software than their voting software.

The touch screen terminals could connect to an Apache web server.
Again most everyone already has all the code done for this. The only
other thing is configuring the touch screens through a serial device
(or maybe USB), connecting up printers and figuring out how to hook up
a redundant server.

It might not be ready for prime time in a few days, but it would at
least work and be such that the code could be distributed and anyone
could test it and work on improving various modules.

The sad fact is the people who do have a huge organization consisting
of Python programmers working on this project have at it for months
and still don't expect it to be done before the election.

I just don't see any issues that aren't considerably less complicated
than what I see discussed here every day.

 

[Sam Holden]

I already have quite a large collection of database applications that
I consider to be much more complicated than a voting system. Most of
the routines are already done and only need slight reconfiguration.

So those routines already deal with the hard stuff do they?

You know, somehow making sure that votes are both anonymous and
also that people can only vote once.

You know, making rigging the election at least as difficult as rigging
a pencil and paper system.

You know, making sure the voter can verify that the vote recorded for
them was in fact the vote they wanted to make.

In fact, when I think of all the banking and business applications
that are written in Perl and MySQL, again, there is no comparison
between simply counting votes and to what these elaborate systems are
doing. And again, a simple modification, and your work is done.

Considering that these voting machines won't be on the internet, then
using software from secure applications that are would result in an
application that is more secure than the ones we use every day
transferring millions of dollars. Most people are more concerned with
their banking software than their voting software.

Except that anonymity isn't an issue in banking software, but is
essential to voting. And it just happens to make doing everything
a few orders of magnitude more difficult.

Audit trails are easy until you aren't allowed to store who made which
vote.

People have successfully defended PhD dissertations solely about the
very thing you dismiss as a trivial weekend hack, for example:

http://www.notablesoftware.com/Papers/thesdefabs.html

 

[news]

The fact that Diebold has been building its voting machines (used in
at least 37 states) for years, refuses to include this crucial feature
or publish their computer code, only adds insult to the injury already
created with the numerous reports of their system's verifiable voting
irregularities.

That's your country's problem.

The future of America is in your hands!

No thanks. I rather think it's in /your/ hands.
Chris

 

[Thomas Kratz]

I already have quite a large collection of database applications that
I consider to be much more complicated than a voting system. Most of
the routines are already done and only need slight reconfiguration.

In fact, when I think of all the banking and business applications
that are written in Perl and MySQL, again, there is no comparison
between simply counting votes and to what these elaborate systems are
doing. And again, a simple modification, and your work is done.

I actually work in an IT department of a bank and if you'd really have an
idea about the software quality in terms of security and reliability that
is used there, you wouldn't use it as an example. The system only works
because the customer gets a printout of the transactions and can intervene
if neccessary and a horde of system managers and programmers are nursing
the software day by day.

Like others have pointed out: the problem is not security alone but also
anonymity *and* auditing. The last two are hard to combine, without being
able to show the voter something substantial that he can count himself if
he'll doubt the result.

Here in Germany we vote with pen on paper, and I am glad for it.

Thomas

 

[Walter Roberson]

:I already have quite a large collection of database applications that
:I consider to be much more complicated than a voting system. Most of
:the routines are already done and only need slight reconfiguration.

And any one of those thousands of high-school students are going
to have access to that code?


:In fact, when I think of all the banking and business applications
:that are written in Perl and MySQL, again, there is no comparison
:between simply counting votes and to what these elaborate systems are
:doing. And again, a simple modification, and your work is done.

What happened when the FTC "Do Not Call" registry opened last
year? Answer: it was swamped for days, and could not keep up
with the volume. And that was just for 1/3 of the US registrering
within the first month. Voting involves data from about 1/2
of the US within a few *hours*.


:Considering that these voting machines won't be on the internet,

Bad assumption. They -will- get put on the Internet, and
there will be demands to be be able to vote from home. Several
states have remote-voting legislation already in place; if your
design does not allow for it, you will not be able to "sell" to
those states, and you risk the existing market leader coming
back the next month and saying "Don't buy from them, -our- new
software supports home voting!"


:then
:using software from secure applications that are would result in an
:application that is more secure than the ones we use every day
:transferring millions of dollars. Most people are more concerned with
:their banking software than their voting software.

You have, I believe, forgotten about cost/benefit analysis. It's not
so easy to break a decent SSL session, and the average transaction
value to capture is only a few hundred dollars; you might get a couple
of thousand by cleaning out an average bank account. Fix an
election, though, and you can draw upon *billions* of dollars in
tax cuts and grants and contracts and tax incentives. The "value"
of a favourable election can be quite high. Even if the value
comes only out of (say) ensuring that the person elected is the
candidate willing to weaken ship inspections in the name of
"reducing bureaucracy" or "reducing the economic burden on
those responsible for making sure little Johnny gets his milk
and little Suzie gets her dolls" -- it's amazing what can slip by
overworked inspectors.



:The touch screen terminals could connect to an Apache web server.
:Again most everyone already has all the code done for this. The only
ther thing is configuring the touch screens through a serial device
or maybe USB), connecting up printers and figuring out how to hook up
:a redundant server.

No, that's not the only other thing. What do you *do* with the
printouts? What do you do when the printer jams, or the ink starts
running out making the printouts less readible? "Just hit print"
and have the last few ballots reprinted, thus allowing one to see
who the previous person voted for? If the ballot printout is just to be
given to the person to read and then throw away, then how does
the person know that the ballot represents what was stored in memory?
What if the recording program is biased (or can be induced
to be biased): what cross-check is in place to ensure that
this would be caught? Suppose someone "stuffs" the physical ballot
box: how does one detect the fake ballots from the real ones?


:It might not be ready for prime time in a few days, but it would at
:least work and be such that the code could be distributed and anyone
:could test it and work on improving various modules.

And the operating system for these machines would be what, exactly?
Think of the number of ways that have been come up with to subvert
Linux.


:The sad fact is the people who do have a huge organization consisting
f Python programmers working on this project have at it for months
:and still don't expect it to be done before the election.

And you believe that ~200,000 of these new devices can be
in place before November, including the time needed to get through
the politics of revoking the near monopoly the existing companies
have? How long were you expecting the code review to take -- should
I bother bringing along a second donut?


:I just don't see any issues that aren't considerably less complicated
:than what I see discussed here every day.

In the time frame you are suggesting the work could be completed
in, we would not even be able to decide which CPAN module to
use for the networking component.

 

[Henry Law]

Except that anonymity isn't an issue in banking software, but is
essential to voting.

In the UK there is no anonymity in our parliamentary and local voting
systems. When you pitch up to the polling booth the attendant takes
your name and writes your voter number on the counterfoil from which
she tears the voting slip; they are both numbered. So when you've
made your cross there is a direct tie-up between your voting paper and
your voter number, and therefore to you. Is "appalling" the word I
want?

Not many people in the UK seem to know that.

Henry Law <>< Manchester, England

 

[pkent]

systems. When you pitch up to the polling booth the attendant takes
your name and writes your voter number on the counterfoil from which
she tears the voting slip; they are both numbered. So when you've
made your cross there is a direct tie-up between your voting paper and
your voter number, and therefore to you. Is "appalling" the word I
want?

Not many people in the UK seem to know that.

How can people not notice that? I've never examined (never had chance)
those sequences of numbers so I have no idea how often the same number
comes up or if it's a unique identifier, but there's certainly something
there, and some writing down, and some crossing off of name off The
Sheet Of All Names - which of course makes me think "ballot paper number
relates to name on sheet relates to me" which means "given access to all
the relevant bits of paper you can find out how someone voted".

The algorithm for doing so goes something like:
find voter in the Sheet Of Names
find the number of their counterfoil
search through all ballot papers to find the relevant one
Which might take some time.

OTOH maybe the number they write down is only a portion of the whole
counterfoil number, or maybe the number on the counterfoil and on the
ballot paper differ in some way, or... it's been a while.

P

 

[Sam Holden]

In the UK there is no anonymity in our parliamentary and local voting
systems. When you pitch up to the polling booth the attendant takes
your name and writes your voter number on the counterfoil from which
she tears the voting slip; they are both numbered. So when you've
made your cross there is a direct tie-up between your voting paper and
your voter number, and therefore to you. Is "appalling" the word I
want?

Appalling sounds right to me. I'm assumming its a mechanism to deal with
ballot box stuffing, and
http://www.hart.gov.uk/elections/secretballot.htm seems to confirm that
suspicion. The benefit doesn't outweigh the cost in my opinion.

In Australia, there is no such identifying mark on ballot papers, and
there is no place for it on the From describing the ballot paper in the
Electroal Act (though of course it is simply legislation and can be
modified relatively easily).

Not many people in the UK seem to know that.

And those that do probably wish they didn't.

I can't think of any perl content I can sneak in to make this
vaguely on topic, so this will be my last post in this thread
until there is

 

[Mark Jason Dominus]

In the UK there is no anonymity in our parliamentary and local voting
systems. When you pitch up to the polling booth the attendant takes
your name and writes your voter number on the counterfoil from which
she tears the voting slip; they are both numbered. So when you've
made your cross there is a direct tie-up between your voting paper and
your voter number, and therefore to you. Is "appalling" the word I
want?

I'm startled, but I won't be appalled until I hear that the UK has
problems of the type that the anonymity is there to avoid.

If there is a way to match up a person with their votes, then it
becomes possible, at least in principle to force the voter to vote a
particular way through extortion, blackmail, or bribery. With
anonymous voting, these schemes don't work, because there is no way to
verify afterward that the coercion was successful.

But if such coercion never occurs in the UK, then I suppose there's no
problem to solve.

In the better sorts of electronic voting systems in the U.S., the
voting machine produces a receipt listing that candidates for whom the
coter has voted; the voter can then verify that the machine has the
correct ballot before leaving the polling station. But the receipt is
confiscated and destroyed before the voter leaves, to avoid the
possibility of vote selling.

 

[Eric Schwartz]

I have thought about all the scams that are possible, and there is no
way of having honest electronic elections unless a permanent record
of each vote is kept.
Even the printed receipt method can be scammed, by printing out what
the voter wants to see, then registering something else.

If the paper copy is the only legitimate record of the vote, then this
problem can be solved.

The ONLY way to be totally verifiable, is to keep a record of each
voter's votes, associated with his/her social security number.

Wrong. Google for the "Mercuri Method". The only way to be totally
verifiable is to allow the voter to verify their vote visually, and
record that as the legal vote, only generating an electronic tally as
an advisory. Using the SSN is a very bad idea for a number of
reasons, not the least of which is the ease of forgeability for older
cards, and the total lack of any guarantee of uniqueness.

See the addendum to CPSR's SSN FAQ, "Why SSNs Make Bad Keys in
Databases", at:

http://www.cpsr.org/cpsr/privacy/ssn/SSN-addendum.html#NewDBs

That way, if enough people feel that some shenanigans went on, they
could request a recount, and see if their registered votes actually
matched what they did. Then you also could do some random sampling
checking of each precinct, by asking random voters to verify their
votes.

How about everyone verifies their vote all the time? That's much
safer.

So now-a-days, the only people who benefit from secret ballots, are the
"election-fixers".

Again, wrong.

I'm sure there are numerous variations on this theme, but a verifiable
record has to be kept,

This much is true. And given that we know how to store, count and
read paper votes already, why complicate things unnecessarily with a
melange of USB keychains, PGP, and passwords? (I can't imagine my
84-year-old grandmother even remembering hers unless it's written
down, in which case it's useless as a measure of security.) Adding
complexity solely for the sake of "computerizing" everything is always
a bad idea.

and the social security number is probably a good number to use.

It's an absolutely abominable number to use, not least of which is
because it's not guaranteed to be unique, and also because of the
sheer vast quantity of other information which is misguidedly indexed
by SSN.

-=Eric

 

[Sam Holden]

<2 cents>
I have thought about all the scams that are possible, and there is no
way of having honest electronic elections unless a permanent record
of each vote is kept.
Even the printed receipt method can be scammed, by printing out what
the voter wants to see, then registering something else.

The ONLY way to be totally verifiable, is to keep a record of each
voter's votes, associated with his/her social security number. That way,
if enough people feel that some shenanigans went on, they could request
a recount, and see if their registered votes actually matched what they
did. Then you also could do some random sampling checking of each
precinct, by asking random voters to verify their votes.

There is also something like:

http://www.vreceipt.com/

Which I haven't spent time looking at closely, but on the surface
seems reasonable (of course since it is in the field of cryptography
looking reasonable doesn't mean much...)


Of course nothing can prevent a complete corruption of the system,
if the people running the election, counting the votes, and doing
the checking are corrupt then clearly there is nothing a voting
"system" can do about it.

Of once that happens the time until popular revolution probably isn't
that large. And of course that revolution doesn't have to be violent,
nation wide strikes and and such can have the same effect.

All that is necessary is that the thing that is counted is actually
the thing that the voter saw. Computer tallies with no audit trail are
unacceptable, computer tallies with random counts of real votes (and
hopefully complete counting of real votes - but that would take longer,
and for reasons I don't understand those Americans don't seem willing to
wait a few weeks for votes to be counted). You must assume the system
is honest, with safe guards against corrupt elements - a rogue voting
machine that reports incorrect tallies for example.

Voting secrecy could still be maintained by pgp encryption of the
records. Personally, I think the "secret ballot" no longer serves it's
original purpose, of protecting the voter from reprecussions, if they
"vote wrong". In this day and age of "homeland security surveillance",
the government can learn about your personal ideas by eavesdropping,
which is probably a more reliable indicator than how you vote.
So now-a-days, the only people who benefit from secret ballots, are the
"election-fixers".

The secret ballot works as long as people think it is secret (or secret
enough anyway). People vote differently in secret ballots than they
do in "raise your hand" voting - humans are social animals and modify
their behaviour for social gain. This is easily seen by the large errors
in opinion polls and exit polls when their is a party that holds "popular"
views which are not socially acceptable (of course once the party wins
some votes the polls change as people feel safer being honest).


[snip voting scheme]

Of course, all this should be written in Perl, Because it is
easier to check for validity. There also could be alot of post-election
checks that could be run on these records, which would be done
in a fast electronic manner.

I congratulate your far superior ability than mine in managing to
pretend to be on topic.

 

[Peter Hickman]

How about this. You go into vote, insert your usb memory key with your
public and private pgp keys on it.

This is even worse! You are risking giving your private PGP key away.

ALSO, your private key is copied and
saved under the generated anonymous hash name, with a link to which
saved vote record it pertains to.

No you are deliberately giving your private key away.

You really haven't got a clue about the use of public and private keys
and you have missed the point entirely. You are going to use a machine
and give it access to your public and private keys - if anyone managed
to put a backdoor into the voting machine they could syphon off both and
now nothing you ever do will be safely encrypted.

Whilst you are at it why not give it your bank details, mothers maiden
name and pin number.

Also remember that as the machine has your private key it can encrypt
any vote it feels like with your own key.