[Cryptography] securing the ballot scanners

John Denker jsd at av8n.com
Sat Nov 12 14:46:27 EST 2016

I wrote:
>> I reckon there is a role for cut-and-choose at some point: pick
>> some subset of the machines and tear them down to bare metal and
>> bare silicon.

Then on 11/11/2016 12:12 PM, Arnold Reinhold asked:

> Is that even possible today? We’ve had discussions on this list of
> subverting processors by changing the dopant level at certain
> transistors. Isn’t hand counting ballots from a sample of scanners,
> as you suggest below, just as effective, cheaper, and doable by
> people without (very) advanced training in computer security?

Taking the last point first:  In each jurisdiction there are millions
of voters ... but you don't need millions of computer security
experts.  Each political party needs to find just one expert,
literally one in a million, to oversee the cut-and-choose and
other validation procedures.

As for redundancy, we all agree that is a good way to detect a
machine that is miscounting ballots.  However, alas, that is not
the only threat.

The following example is hypothetical, but it makes the point that
there are many possible threats, and you might not know what you're
looking for until you find it:

  Suppose we have paper ballots (as we should) and optical scanners
  in each precinct (as we should).  Now suppose the bad guys have
  hacked into the scanner in a way that doesn't change the count,
  but merely broadcasts (via WiFi or whatever) the results for each
  ballot as it comes in, and/or a running total.

  *) This causes a near-total breach of voter privacy.  It opens
  the door to voter coercion.

  The breach is even worse than you might think, because typically
  there are records showing who voted and the *order* in which they
  showed up at the polling place.  By law these records are routinely
  provided to the parties.  So the bad guys don't even need to watch
  the voters coming and going.

  *) Furthermore, the transmission provides real-time information
  as to which precincts are underperforming or overperforming.

    The least-intrusive consequence is that the underperforming party
    could redouble its GOTV efforts in that predinct.

    Or they could send observers and challengers to disrupt operations
    at that precinct, essentially mounting a denial-of-service attack.

    Or about ten other more brazen and/or more violent things they
    could do (which I'd rather not discuss).

More information about the cryptography mailing list