Nothing but winning.
-
@mattblaze @dalfen @violetmadder @mkb @Bandersnatch @DemocracyMattersALot My view on open source code and voting is that while open source is useful in many cases it is not necessarily so in voting code.
Why? One of the argument of O-source code is inspection. It is a good argument, if it were done (may AI tools can do good work here - but what is the criteria they would use to tell good from bad?)
In our effort we concluded that while inspection is good, testing is better - and that anyone ought to be able to test (and that vendors ought to supply test gear), *and* that test results be published to all.
There is a side effect - we want to encourage vendors to build good voting systems (software+hardware+procedures). So we ought to leave some incentives, like not requiring publication of the code (or parts of the code) and limit open copying/use - leaving some room for innovation and profit.
We also tend to forget toolchains - which are often a significant overlooked vulnerability.
@karlauerbach @dalfen @violetmadder @mkb @Bandersnatch @DemocracyMattersALot There are two major attack vectors for automation in voting systems: (1) Exploitation of bugs to induce malicious behavior, and (2) replacement of the legitimate software with malware.
Open source attempts to address (1), but the "many eyes make all bugs shallow" maxim breaks down as systems become as complex as they are today. And (2) is an inherent problem for precinct equipment, which is vulnerable to tampering.
-
@karlauerbach @dalfen @violetmadder @mkb @Bandersnatch @DemocracyMattersALot There are two major attack vectors for automation in voting systems: (1) Exploitation of bugs to induce malicious behavior, and (2) replacement of the legitimate software with malware.
Open source attempts to address (1), but the "many eyes make all bugs shallow" maxim breaks down as systems become as complex as they are today. And (2) is an inherent problem for precinct equipment, which is vulnerable to tampering.
@karlauerbach @dalfen @violetmadder @mkb @Bandersnatch @DemocracyMattersALot So the approach of trying to completely secure election software is ultimately a fool's errand. That's why modern techniques like risk-limiting audits are so critical.
-
@dalfen @violetmadder @mkb @Bandersnatch @DemocracyMattersALot While there might be good public policy reasons to use open source software and designs for election systems, there's probably very little security benefit to be gained by doing so. Open source software is just as subject to malicious tampering and bugs as closed source.
The approach favored by experts involves *assuming* the software is compromised, and conducting routine post-election audits on the ballots to verify the tally.
@mattblaze @dalfen @violetmadder @mkb @Bandersnatch @DemocracyMattersALot Commercial software comes with a support model, and competent support is expensive. Competent support with massive demand for a few days a year is even more expensive.
You might want source availability, verifiable builds and more, but the economics of “anyone can use it” that comes with Open Source (tm) is a very very hard tradeoff.
-
@violetmadder @mkb @Bandersnatch @DemocracyMattersALot @mattblaze How would you do it better?
@dalfen @violetmadder @mkb @Bandersnatch @DemocracyMattersALot @mattblaze
I wonder why electronic voting machines and voting software are necessary at all.
I mean, some software is necessary for summarizing results etc; but as for actual counting, other democracies count votes manually, give (semi) final tallies in just a few hours, and the entire process is extensively audited and leaves detailed trails of every step. -
@mattblaze @dalfen @violetmadder @mkb @Bandersnatch @DemocracyMattersALot My view on open source code and voting is that while open source is useful in many cases it is not necessarily so in voting code.
Why? One of the argument of O-source code is inspection. It is a good argument, if it were done (may AI tools can do good work here - but what is the criteria they would use to tell good from bad?)
In our effort we concluded that while inspection is good, testing is better - and that anyone ought to be able to test (and that vendors ought to supply test gear), *and* that test results be published to all.
There is a side effect - we want to encourage vendors to build good voting systems (software+hardware+procedures). So we ought to leave some incentives, like not requiring publication of the code (or parts of the code) and limit open copying/use - leaving some room for innovation and profit.
We also tend to forget toolchains - which are often a significant overlooked vulnerability.
@karlauerbach @mattblaze @violetmadder @mkb @Bandersnatch @DemocracyMattersALot I hear you all.
Very interesting points and ideas from different perspectives.Our federal election-voting procedures are also largely governed by individual state laws, as directed by the US Constitution, though efforts have been made to enact overarching standards, guidelines, and testing.
https://www.congress.gov/crs_external_products/R/PDF/R47592/R47592.3.pdf
--
https://www.eac.gov/
--
https://en.wikipedia.org/wiki/Election_Assistance_Commission -
@dalfen @violetmadder @mkb @Bandersnatch @DemocracyMattersALot @mattblaze
I wonder why electronic voting machines and voting software are necessary at all.
I mean, some software is necessary for summarizing results etc; but as for actual counting, other democracies count votes manually, give (semi) final tallies in just a few hours, and the entire process is extensively audited and leaves detailed trails of every step.@mbpaz @dalfen @violetmadder @mkb @Bandersnatch @DemocracyMattersALot US elections are - by far- the most complex in the world. We vote on more things, in more ways, than any other democracy. Automation is essential in practice in US election, in ways that it isn't almost everywhere else.
-
@mattblaze @dalfen @violetmadder @mkb @Bandersnatch @DemocracyMattersALot My view on open source code and voting is that while open source is useful in many cases it is not necessarily so in voting code.
Why? One of the argument of O-source code is inspection. It is a good argument, if it were done (may AI tools can do good work here - but what is the criteria they would use to tell good from bad?)
In our effort we concluded that while inspection is good, testing is better - and that anyone ought to be able to test (and that vendors ought to supply test gear), *and* that test results be published to all.
There is a side effect - we want to encourage vendors to build good voting systems (software+hardware+procedures). So we ought to leave some incentives, like not requiring publication of the code (or parts of the code) and limit open copying/use - leaving some room for innovation and profit.
We also tend to forget toolchains - which are often a significant overlooked vulnerability.
@karlauerbach @mattblaze @violetmadder @mkb @Bandersnatch @DemocracyMattersALot Great points.
I can see all this from a business-perspective. -
@karlauerbach @mattblaze @violetmadder @mkb @Bandersnatch @DemocracyMattersALot I hear you all.
Very interesting points and ideas from different perspectives.Our federal election-voting procedures are also largely governed by individual state laws, as directed by the US Constitution, though efforts have been made to enact overarching standards, guidelines, and testing.
https://www.congress.gov/crs_external_products/R/PDF/R47592/R47592.3.pdf
--
https://www.eac.gov/
--
https://en.wikipedia.org/wiki/Election_Assistance_Commission@dalfen @mattblaze @violetmadder @mkb @Bandersnatch @DemocracyMattersALot We always need to keep in mind that security is best applied in layers.
Many of us are software people and we tend to think in those terms. But hardware is important. I brought a Diebold voting machine to a conference long ago and a person was able to pick the lock in less than ten seconds. Voting hardware is hard - there are a lot of environmental issues, like lack of reliable grounding and angry voters.
Procedures go on top of all of this - how are spoiled ballots declared and handled? How are cross-checks applied to physical media to assure that at the end of the day every piece of paper is accounted for?
And, of course, statistical auditing - it can't prove with absolute God-like authority that bad things happened, but it sure can point a bright light of suggestion.
By-the-way, I had not realized until yesterday that registration was introduced in the 1890s to exclude "undesirable" voters.
-
@violetmadder @mbpaz @dalfen @mkb @Bandersnatch @DemocracyMattersALot Well, some things are actually hard, and benefit from the input of experts.
Election law (especially) is an obstacle course full of Chesteron's Fences.
-
@dalfen @violetmadder @mkb @Bandersnatch @DemocracyMattersALot @mattblaze
I wonder why electronic voting machines and voting software are necessary at all.
I mean, some software is necessary for summarizing results etc; but as for actual counting, other democracies count votes manually, give (semi) final tallies in just a few hours, and the entire process is extensively audited and leaves detailed trails of every step.@mbpaz @violetmadder @mkb @Bandersnatch @DemocracyMattersALot @mattblaze I hear you. My state conducts electronic voting but also prints up each voter's choices (which they verify) as a backup in case a recount is needed.
It seems a bit redundant, but backups are important.
Some of the ideas behind electronic voting are to improve efficiency and accuracy. I suppose there is always room for human error when interpreting other humans' hand written ballots. Fraud can also occur there.
-
@karlauerbach @dalfen @violetmadder @mkb @Bandersnatch @DemocracyMattersALot So the approach of trying to completely secure election software is ultimately a fool's errand. That's why modern techniques like risk-limiting audits are so critical.
@mattblaze @karlauerbach @dalfen @violetmadder @mkb @Bandersnatch @DemocracyMattersALot
The phrase "completely secure election software" assumes you do every part of the election in software.
IMHO, that's guaranteed-fail.Toronto uses hardware to do a first read of the paper ballots as they get dropped into the box. It saves the data, and reports it by cell phone a few minutes after closing the precinct. Instant results.
The ballots are saved for a manual or judicial recount, so hacking the software only lasts until a random sample is recounted manually. AKA, a risk-limiting audit.
Consider it a safety-critical system, not a computing problem.
-
@mattblaze @karlauerbach @dalfen @violetmadder @mkb @Bandersnatch @DemocracyMattersALot
The phrase "completely secure election software" assumes you do every part of the election in software.
IMHO, that's guaranteed-fail.Toronto uses hardware to do a first read of the paper ballots as they get dropped into the box. It saves the data, and reports it by cell phone a few minutes after closing the precinct. Instant results.
The ballots are saved for a manual or judicial recount, so hacking the software only lasts until a random sample is recounted manually. AKA, a risk-limiting audit.
Consider it a safety-critical system, not a computing problem.
@davecb @karlauerbach @dalfen @violetmadder @mkb @Bandersnatch @DemocracyMattersALot No, it does not imply that at all.
But whatever. You all are the experts. I just work here.
-
@davecb @karlauerbach @dalfen @violetmadder @mkb @Bandersnatch @DemocracyMattersALot No, it does not imply that at all.
But whatever. You all are the experts. I just work here.
@mattblaze @davecb @karlauerbach @violetmadder @mkb @Bandersnatch @DemocracyMattersALot I'm not an expert in this.
-
@mattblaze @karlauerbach @dalfen @violetmadder @mkb @Bandersnatch @DemocracyMattersALot
The phrase "completely secure election software" assumes you do every part of the election in software.
IMHO, that's guaranteed-fail.Toronto uses hardware to do a first read of the paper ballots as they get dropped into the box. It saves the data, and reports it by cell phone a few minutes after closing the precinct. Instant results.
The ballots are saved for a manual or judicial recount, so hacking the software only lasts until a random sample is recounted manually. AKA, a risk-limiting audit.
Consider it a safety-critical system, not a computing problem.
@davecb @mattblaze @karlauerbach @violetmadder @mkb @Bandersnatch @DemocracyMattersALot Interesting to know what Toronto does. Thank you for sharing.
-
R relay@relay.infosec.exchange shared this topic
