I think this is a good step in the right direction, but secure machines alone won’t increase my confidence in election results. I’ll explain why.
Galois and DARPA are creating basically a proof of concept that other companies can adopt for free. Maybe I missed it, or maybe I’m being pessimistic, but it doesn’t say that the implementations must also remain open source.
A major problem with the current voting paradigm is that the voting machines are privately owned. What kind of sense does it make for our voting infrastructure to be privately owned? This is insane because every time someone wants to inspect voting machines to ensure the results of an election, they’re rejected on the grounds that the software is proprietary [1] [2].
If we want to move to a more transparent process that gives voters confidence in the system (while also allowing watchdog organizations to do their jobs), we need to make it possible to inspect the machines as well. That said, I know basically nothing about security, so maybe I’m blowing things out of proportion here. @nickpsecurity what do you think?
While the OSI-approved license has not been chosen yet, we certainly are knowledgeable about the pros and cons of various licenses and how a choice of license can impact a technology’s adoption in industry. We give DARPA our input, and they make the decision about licensing. Many of the technologies we have created in SSITH are already open source, and so far all are under the BSD license, I think.
Of course, if we base a new technology on an existing project, that project’s license may give us little or no flexibility.
I literally came here to make this comment.
I’m all for OSS software, but the thing is…
a) their implementations probably won’t be OSS (just as zmitchell said)… AND
b) even if the implementations are OSS, how do you know the code you see on github** is what’s actually ON the voting machine you’re using?
github** = whatever location they make it public at, just using github as an example
We have previously developed a formally verified measured boot for RISC-V. It measures the state of the system in a deeper fashion than any existing verified boot insofar as we can measure the SoC, the firmware, and the full software stack, ensuring that every bit there is exactly as it should be before the system begins execution. This work has been presented or published at past RISC-V workshops (the 7th, I think) and last year’s CARRV 2019 conference.
That’s awesome, thanks for sharing. Is that this paper?
Perhaps a hash of the compiled/installed image shown on the screen?
or even better, ability to grab the running firmware off the system you’re using to vote?
Who says the display of the hash or the black box that dumps out the firmware is telling the truth? Both of those are just as easy to fake as they are to really implement.
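As an added illustration (not code from Galois, the SSITH project, or any commenter in this thread), the block below is a small Python simulation of the measured-boot idea described a few comments up, and it also shows why the objection about a displayed hash matters: the verifier trusts a device key and its own replay of the measurement log, not whatever the screen says. Everything in it is constructed: the stage images, the device key, the stage order, and the use of an HMAC as a stand-in for a signature by a hardware-protected attestation key.

```python
import hashlib
import hmac

# Constructed stand-ins for the things a measured boot would hash, in boot
# order: SoC configuration, firmware, kernel, then the voting application.
GOLDEN_IMAGES = {
    "soc_config": b"constructed SoC configuration blob v1",
    "firmware":   b"constructed firmware image v1",
    "os_kernel":  b"constructed kernel image v1",
    "voting_app": b"constructed voting application v1",
}
STAGE_ORDER = ["soc_config", "firmware", "os_kernel", "voting_app"]

# Constructed device key. In real hardware this would be an attestation key
# the software stack cannot read; HMAC here stands in for a signature.
DEVICE_KEY = b"constructed-device-attestation-key"
INITIAL_REGISTER = b"\x00" * 32


def measure(image: bytes) -> bytes:
    """Measurement of one stage: a SHA-256 digest of the image bytes."""
    return hashlib.sha256(image).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """PCR-style extend: new = H(old || measurement). Order matters, and a
    later stage cannot rewrite what an earlier stage recorded."""
    return hashlib.sha256(register + measurement).digest()


def measured_boot(images: dict, device_key: bytes) -> dict:
    """Simulated boot. Each stage is measured into the register before it
    runs. Returns the event log, the final register, and a quote over the
    register made with the device key."""
    register = INITIAL_REGISTER
    log = []
    for stage in STAGE_ORDER:
        m = measure(images[stage])
        log.append((stage, m.hex()))
        register = extend(register, m)
    quote = hmac.new(device_key, register, hashlib.sha256).digest()
    return {"log": log, "register": register, "quote": quote}


def golden_register() -> bytes:
    """Register value an honest boot of the published images must reach."""
    register = INITIAL_REGISTER
    for stage in STAGE_ORDER:
        register = extend(register, measure(GOLDEN_IMAGES[stage]))
    return register


def verify(report: dict, device_key: bytes) -> tuple:
    """Independent verifier. Checks that (1) the quote was made with the
    device key, (2) replaying the log reproduces the quoted register, and
    (3) the register equals the value expected for the published images.
    Returns (ok, reason)."""
    expected = hmac.new(device_key, report["register"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, report["quote"]):
        return False, "quote not produced by device key"
    replay = INITIAL_REGISTER
    for _stage, m_hex in report["log"]:
        replay = extend(replay, bytes.fromhex(m_hex))
    if replay != report["register"]:
        return False, "event log does not reproduce register"
    if report["register"] != golden_register():
        bad = [s for s, m in report["log"]
               if m != measure(GOLDEN_IMAGES[s]).hex()]
        return False, "unexpected measurement for: " + ", ".join(bad)
    return True, "all stages match published images"


def tampered_firmware_report() -> dict:
    """Constructed scenario: the firmware on the machine is not the
    published one. The measurement chain exposes which stage differs."""
    images = dict(GOLDEN_IMAGES)
    images["firmware"] = b"constructed firmware image with a modification"
    return measured_boot(images, DEVICE_KEY)


def forged_display_report() -> dict:
    """Constructed scenario: software on the machine 'displays' the golden
    hash and log but has no access to the device key, so its quote is
    made with some other key."""
    honest = measured_boot(GOLDEN_IMAGES, b"constructed-attacker-key")
    honest["register"] = golden_register()
    return honest


if __name__ == "__main__":
    print(verify(measured_boot(GOLDEN_IMAGES, DEVICE_KEY), DEVICE_KEY))
    print(verify(tampered_firmware_report(), DEVICE_KEY))
    print(verify(forged_display_report(), DEVICE_KEY))
```

The third scenario is the one the comment above is getting at: a fake that shows the right hash on screen is rejected only because the verifier checks a quote bound to a key the machine's software cannot use. If that key, or the hardware protecting it, is not trustworthy, the verifier has nothing better than the screen to go on.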
(Sorry for delay. Work’s been rough. Had to take a nap before a deep response.)
“This is insane because every time someone wants to inspect voting machines to ensure the results of an election, they’re rejected on the grounds that the software is proprietary [1] [2].”
We could make security regulations that force them to be shared source for inspection of hardware, firmware, software, etc. That hasn’t happened largely due to voters being unaware of this option (no push) and corruption (bribes) driving the adoption process of voting machines. These companies couldn’t have kept peddling this garbage without such corruption. They’d be kicked out by higher standards followed by competition. If Galois can open this, it creates the possibility of competition by shared-source, highly-inspectable implementations which can be used to create more pressure on buyers and suppliers. Who knows, though.
“so maybe I’m blowing things out of proportion here.”
I don’t think so. There are quite a few categories of risk I don’t think Galois even has the capability to address, esp. in analog and RF subversions. I only know a few folks that even understand how they work, much less could stop them all. I wrote here about steps to secure in hardware based on applying generic security engineering to the hardware lifecycle (I’m not a hardware guy). The mixed-signal and EMSEC parts of my smartphone teardown apply here, too. If all this sounds like a lot, remember that we’re talking about elections that competing parties spend anywhere from hundreds of thousands to hundreds of millions on winning. The higher the stakes, the more likely someone will pay a few million to some rogue engineers, do interdictions, etc.
I’m with Bruce Schneier on this: we don’t want computers handling voting. He has repeatedly written about the risks of digitized voting on his blog, where we all debated it a lot. He, Clive Robinson (hardware/software high-security guy), and I all seemed to agree on paper of some form with optical scans. The scans are for the “get results in quick!” requirement Americans seem to have. The process security, though, gets three benefits from a paper-based method:
1. Everyone can understand how it works, from children to ambitious youth in college to senior citizens who are cautious about technology. You get more buy-in when they can wrap their heads around something. Crypto, boot attestation, RISC-V, C language or SPARK… yeah, they’re going to see a black box they might or might not trust.
2. Following 1, the audit process is something that anyone can participate in. Votes can be randomly split up by a community with each person recounting piles or several people counting piles. They can add it up every which way. If scanning, they can use a different vendor for the scan machine. It’s a recount they can trust more than some computer telling them “trust us.”
3. Most important: scalability of attack/defense. Computerized voting has a handful of vendors. The attacks were easy to find in the past. An adversary might find remote ones in each. If they do, they might be able to easily compromise all kinds of votes. Whereas, if it’s paper, they need more bodies or insiders to compromise the votes. It’s hard to scale up without detection. The main trick they’ll use there is focusing on swing states or just anywhere where a small number of fake votes can win. So, we have to give them extra scrutiny, maybe even recounts by default. Nonetheless, vast improvement here.
If already doing paper, the best a company such as Galois could do is design a system that makes paper that scanning machines never screw up on and/or a secure system for reporting early results that aren’t final. Americans might like that. The buyers might get it for the convenience. The disturbing thing, though, is they’re already on insecure voting machines. I doubt what we’re discussing will even factor into the decision. So, I’m glad Galois is working on voting machines with more security in case we can’t stop them from buying voting machines. The lesser of two evils with potentially less sabotage. They also mentioned an optical scan system. That’s good, too. :)
This approach seems to work for encryption, sounds reasonable for sanity checking public use software.
Sorry, which approach are you referring to?
Encryption algorithms are transparent, built and vetted in public forums. In fact, privately built encryption is often trivially broken. To me that supports the idea that privately built voting machines are likely to be riddled with vulnerabilities.
So yeah, I’m most likely to put my money towards transparent voting machine implementations where we can all take a crack.
more secure ok, but secure is a lie
Practically speaking, I know that even the most secure system, even one with formally proven algorithms, is sure to have bugs and exploits. I trust this much less than a paper system, because no matter how much I trust the math, I distrust the rest of the infrastructure that would surround such a system.
Maybe a few years ago I would have been falling over myself to support an effort like this, but knowing what I do now, these sorts of schemes scare the living crap out of me.
On the complete opposite end of the spectrum, many technophobes, neo-Luddites, or the uneducated and ignorant would also reject the system, because they don’t understand it.
I imagine the implementation of any electronic voting system would simply be a recipe for irreparable harm to democracy, and serve only to completely erode any remaining trust in already fragile institutions.
In short, I believe this is a recipe for total disaster and would disenfranchise huge swaths of the voting public and erode any legitimacy of voting results. This might be the first step on the path to complete anarchy and civil war.
Doesn’t Australia already have an open-source voting system? Why can’t the US just use and improve upon that? Isn’t that what open source is for?
They do not. Australia has several different computer-based voting systems, none of which are open source. Some have outdated disclosed source snapshots (e.g., the VEC) and others are proprietary (the various incarnations of the notorious iVote system in NSW). All of these systems have been shown to have serious architectural, design, and development flaws.
Authorities have not been kind, to put it lightly, to public employees (i.e., professors with expertise in relevant areas) who point out problems.
Have a look at the excellent work of my colleagues Vanessa Teague, Roland Wen, Rajeev Gore, and others who are excellent scientist-activists in Australia doing important public good work pro bono.
Cuz throwing Galois at a hard problem to see what they come up with is always a good idea. They do high-assurance security. They often open-source things they build. They might produce a better voting system than Australia’s. The components their solution uses might also be reusable in other projects.