[Cryptography] securing the ballot scanners
John Denker
jsd at av8n.com
Sat Nov 12 14:46:27 EST 2016
I wrote:
>> I reckon there is a role for cut-and-choose at some point: pick
>> some subset of the machines and tear them down to bare metal and
>> bare silicon.
Then on 11/11/2016 12:12 PM, Arnold Reinhold asked:
> Is that even possible today? We’ve had discussions on this list of
> subverting processors by changing the dopant level at certain
> transistors. Isn’t hand counting ballots from a sample of scanners,
> as you suggest below, just as effective, cheaper, and doable by
> people without (very) advanced training in computer security?
Taking the last point first: In each jurisdiction there are millions
of voters ... but you don't need millions of computer security
experts. Each political party needs to find just one expert,
literally one in a million, to oversee the cut-and-choose and
other validation procedures.
As for redundancy, we all agree that is a good way to detect a
machine that is miscounting ballots. However, alas, that is not
the only threat.
The following example is hypothetical, but it makes the point that
there are many possible threats, and you might not know what you're
looking for until you find it:
Suppose we have paper ballots (as we should) and optical scanners
in each precinct (as we should). Now suppose the bad guys have
hacked into the scanner in a way that doesn't change the count,
but merely broadcasts (via WiFi or whatever) the results for each
ballot as it comes in, and/or a running total.
*) This causes a near-total breach of voter privacy. It opens
the door to voter coercion.
The breach is even worse than you might think, because typically
there are records showing who voted and the *order* in which they
showed up at the polling place. By law these records are routinely
provided to the parties. So the bad guys don't even need to watch
the voters coming and going.
*) Furthermore, the transmission provides real-time information
as to which precincts are underperforming or overperforming.
The least-intrusive consequence is that the underperforming party
could redouble its GOTV efforts in that precinct.
Or they could send observers and challengers to disrupt operations
at that precinct, essentially mounting a denial-of-service attack.
Or about ten other more brazen and/or more violent things they
could do (which I'd rather not discuss).
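As an added illustration of the cut-and-choose idea above (this is example code written for this archive page, not anything from the original message or from any election authority): the machines torn down should be picked by randomness that no single party controls. Each party commits to a secret value, all commitments are published, then everyone reveals; the combined seed picks the audit subset deterministically, so any observer can re-derive it. The machine serial numbers, party names and the SHA-256 commitment scheme are constructed assumptions for the example.

```python
import hashlib
import secrets

# Constructed inventory of scanners in one jurisdiction (assumed serial format).
MACHINES = [f"SCANNER-{i:03d}" for i in range(1, 21)]


def commit(value: bytes) -> bytes:
    """Hash commitment to a party's random contribution (published before reveals)."""
    return hashlib.sha256(b"audit-lottery-commit|" + value).digest()


def verify_reveals(commitments: dict, reveals: dict) -> bool:
    """Every committed party must reveal, and each reveal must hash to its commitment.
    A party that tries to change its value after seeing the others is caught here."""
    for party, digest in commitments.items():
        if party not in reveals or commit(reveals[party]) != digest:
            raise ValueError(f"reveal from {party} does not match its commitment")
    return True


def combined_seed(reveals: dict) -> bytes:
    """Fold all contributions into one seed. Sorting makes the result independent of
    reveal order; the commitments make it independent of who reveals last."""
    h = hashlib.sha256()
    for party in sorted(reveals):
        h.update(party.encode() + b"|" + reveals[party])
    return h.digest()


def select_for_teardown(machines: list, seed: bytes, k: int) -> list:
    """Deterministically draw k distinct machines from the seed (hash-based draws,
    no platform RNG, so every party re-derives the same subset).
    The modulo step has negligible bias because the hash output is 256 bits."""
    pool = sorted(machines)  # canonical order shared by all verifiers
    chosen = []
    for i in range(k):
        draw = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        idx = int.from_bytes(draw, "big") % len(pool)
        chosen.append(pool.pop(idx))
    return chosen


def run_audit_lottery(parties: list, machines: list, k: int):
    """Full commit-reveal-select flow as one party observer would see it."""
    secrets_by_party = {p: secrets.token_bytes(32) for p in parties}
    commitments = {p: commit(v) for p, v in secrets_by_party.items()}  # published first
    reveals = dict(secrets_by_party)                                     # published second
    verify_reveals(commitments, reveals)
    seed = combined_seed(reveals)
    return select_for_teardown(machines, seed, k), seed


if __name__ == "__main__":
    chosen, seed = run_audit_lottery(["PartyA", "PartyB", "PartyC"], MACHINES, 3)
    print("seed:", seed.hex())
    print("tear down:", chosen)
```

The point of the commitment round is that the one expert per party never has to trust the other parties' randomness: if any honest party contributes an unpredictable value, the subset is unpredictable to everyone, including an attacker who knows which machines were tampered with.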
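To make the privacy point in the scenario above concrete, here is an added example (written for this archive page, not part of the original message) that quantifies the leak. It models a scanner that publishes tallies under different reporting policies and joins them with the sign-in order the post mentions, counting how many voters' individual choices become exactly inferable. A per-ballot broadcast and a running total are informationally identical (each differs from the previous one by one ballot), and the example goes a step beyond the post by showing that even small batches leak whenever every ballot in a batch went the same way; only reporting once at close removes the linkage. The voter names and ballots are constructed sample data.

```python
from collections import Counter

# Constructed sample: who signed in, in arrival order, and what each ballot said,
# in scan order (the post's premise is that these two orders coincide).
SIGN_IN_ORDER = [f"voter-{i:02d}" for i in range(1, 9)]
BALLOTS = ["A", "B", "A", "A", "A", "A", "B", "B"]


def scanner_reports(ballots, policy, k=1):
    """Cumulative tally snapshots a scanner would emit under a reporting policy:
      'every_ballot' - a record after each ballot (per-ballot broadcast / running total)
      'batch'        - a tally only after every k ballots
      'at_close'     - a single tally after the last ballot
    Returns a list of (ballots_scanned_so_far, Counter)."""
    tally = Counter()
    snapshots = []
    for n, choice in enumerate(ballots, start=1):
        tally[choice] += 1
        if policy == "every_ballot" or (policy == "batch" and n % k == 0):
            snapshots.append((n, Counter(tally)))
    # The final count is always published, under every policy.
    if not snapshots or snapshots[-1][0] != len(ballots):
        snapshots.append((len(ballots), Counter(tally)))
    return snapshots


def exposed_voters(snapshots, sign_in_order):
    """Voters whose exact choice follows from the published snapshots plus the
    sign-in order: the ballots between two consecutive snapshots belong to a known
    group of voters, and if the tally delta names only one choice, every voter in
    that group is exposed (a group of size 1 is the per-ballot leak)."""
    exposed = set()
    prev_n, prev_tally = 0, Counter()
    for n, tally in snapshots:
        delta = tally - prev_tally            # Counter subtraction keeps positives only
        group = sign_in_order[prev_n:n]
        if len(delta) == 1:                   # all ballots in this group agree
            exposed.update(group)
        prev_n, prev_tally = n, tally
    return exposed


def exposure_count(ballots, sign_in_order, policy, k=1):
    return len(exposed_voters(scanner_reports(ballots, policy, k), sign_in_order))


if __name__ == "__main__":
    for policy, k in [("every_ballot", 1), ("batch", 2), ("batch", 4), ("at_close", 1)]:
        print(f"{policy:>12} k={k}: {exposure_count(BALLOTS, SIGN_IN_ORDER, policy, k)} of "
              f"{len(BALLOTS)} voters exposed")
```

The defensive reading is the usual one: a scanner has no business emitting anything before the polls close, and a radio in a scanner is a finding on its own. The example also shows why "we only send totals" is not an answer, since totals sent often enough are per-ballot records in disguise.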