[Cryptography] Used election machinery?
John Denker
jsd at av8n.com
Sat Jul 24 22:14:40 EDT 2021
On 7/23/21 9:56 PM, Ray Dillinger wrote:
> equipment that has already been decertified. So that
> equipment is likely to be sold on the secondary market to private
> citizens, or outright scrapped.
>
> I am of the opinion that this machinery should be acquired by security
> researchers who can do a real audit, not of any election in particular,
> but of the machinery itself. To investigate its function and security,
> entirely without involving any real ballots that have been cast or real
> elections that have been decided and/or challenged.

1a) This is well worth doing. Similar investigations have been conducted
in the past, generally with innnnteresting results.

1b) I am quite confident there are bugs waiting to be found. With my own
eyes I have seen ballot marking devices screw up. Here is some background
reading: Tip of the iceberg:
https://www.washingtonpost.com/business/2019/08/12/def-con-hackers-lawmakers-came-together-tackle-holes-election-security/

1c) There is tremendous good that can come of this. For starters, consider
the 2018 litigation that compelled Georgia to replace its election
equipment in time for the 2020 election ... which meant that they had
auditable paper ballots ... just in time to avert a really bad outcome.

2a) There are some nasty non-technical hurdles to overcome before the
interesting work can begin. The vendors engage in quite a bit of
security-by-obscurity. Everybody on this list thinks they shouldn't,
but in fact they do. That is, all the machines they sell are subject
to strict non-disclosure agreements. There are also *laws* in many
jurisdictions that forbid hacking -- even white-hat hacking -- of
voting machines.

2b) The "cyber ninjas" obviously don't consider themselves bound by
confidentiality agreements, or even by laws. This may help with the
hurdles. Cats out of bags frolicking with horses out of barns.

3) Item (2) does not outweigh item (3). It's still a good idea. I'm just
suggesting that before we get too far into it, we should line up resources
sufficient for doing the job properly.

It might be worth calling the Brennan Center to see if they would be
interested in sponsoring such an exercise, and/or know anybody who might
be interested in co-sponsoring.