Another Stolen ElectionFollow

I am not against voting machines in general my point is this.

1. We must have transparency. This means that we should be able to see the source code and verify that all machines work properly immediately before they are put to use to know how exactly how the machines work before we use them.

2. We must have accountability. This means that we should be able to somehow verify our vote. A printout of your vote on the machine as you confirm your ballot is fine, as long as we can verify the integrity of the machine beforehand.

The other points that are made I do not necessarily disagree with, it just depends on how each particular state handles the vote. Both paper ballot and electronic voting can be transparent and accountable, or not.

States with absolutely no way to verify the electronic vote:

Florida
Pennsylvania
Virginia
Indiana
Texas
Louisiana
Georgia
South Carolina
Kentucky
New Jersey
Delaware
Maryland
Colorado (partial)
Kansas (partial)
Mississippi (partial)
Arkansas (partial)

http://www.verifiedvoting.org/verifier/

Erm.... did you click on those counties? To grab a random example from the dark green "paper only" counties...

 
Champaign County Equipment Detail 
Accessible Polling Place Equipment	Accessible Ballot Marking Device 
 Vendor	                                Election Systems & Software 
 Model	                                AutoMARK 
 Tabulation	                        Counted at polling place 
Standard Polling Place Equipment	Optical Scan 
 Vendor	                                Election Systems & Software 
 Model	                                Model 100 
 Tabulation	                        Counted at polling place 
Source	http://www.elections.il.gov/VotingInformation/VotingEquip.aspx 
Date information obtained	        2008-01-25

It's not a "purely paper" system, ya dip. It's a paper ballot fed into an electronic scanner. The other counties have a touch-screen or keypad system which takes your vote and, by law, has to produce a paper trail for verification and later audit. A few use that system nearly exclusively; most have a combination of the touch system & paper ballots. No one in the Prairie State is dumping piles of paper onto a card table for counting on election night.

This just blew my mind, you obviously have no idea what you're talking about.

The vast majority of corporate and government servers as well as security devices such as router/firewalls run on unix based kernels, which is open-source. The fact is that these systems are more secure because everyone has had a chance to validate them and find vulnerabilities and add their own security measures. If we can't see the code and there is no paper printout we have no idea what is happening behind the GUI, period.




No. That is not essentially what I was saying. I articulated my point very clearly is subsequent posts. You are trying to pin me to some position that I do not hold and argue against that and it just isn't making any sense.

As to my list, over 1/3 of the United States electoral college vote comes from unverifiable electronic voting machines.

Lol...



No. Unix != linux. Most Unix operating systems (Solaris, HPUX, Irix, etc) are *not* open source. Some (like BSD) are... sorta. And the most secure applications are run on non-open-source systems. We use a remote file access encryption system from a company called Decru. Guess what? It's completely black box, right down to the damn chips on the board. Then they encase it in a polymer to prevent tampering and put sensors on that to cause the encryption chips to fry if there's even an attempt to "look under the hood".

Open source is great for producing useful and mostly reliable software that is "cheap". It's not good for anything you really want "secure".


The stock linux kernel is open source. Many stock linux utilities are open source. But the distributions are not. Ask the Redhat and Suse folks if their entire product is open source. But then I already know the answer...




No. This allows them to be developed more quickly and debugged more quickly. Open source really doesn't make anything more secure. That's a common misconception, but security is really not a core benefit of open source systems.

Linux systems happen to be more secure than windows, but that's because they're based on a base design that is simply inherently more secure. I don't know anyone who would argue that a stock redhat box is more secure than a stock solaris box. Well. Not anyone who actually knows what they're talking about.




And yet you linked and presumably agreed with a blogger who was bashing electronic voting systems which do have verification (paper printouts).


Maybe if you switched your crusade from blindly attacking any and all electronic voting systems to perhaps arguing that we should implement them all with paper printouts you might have a more salient and reasonable position. Just a thought...




[/quote]

No, it didn't. It was developed independently as a MINIX workalike.

No, it wasn't. Unix was developed and owned by Bell Laboratories. It was not ever an open-source project.

No, if anything it's a descendant of the MINIX kernel, but it was developed independently. And again, Unix was never and open-source project.

No. Just no.

Yay, something accurate!

From the standpoint of commercial enterprise deployment, I would say that Solaris is more secure. Solaris and RHEL are pretty close, though.

Solaris is based on Unix SVR4, which was owned by AT&T.

This is like beating up a small child, so I'll be gentle.




This is correct. Figured I'd give you an easy one.



False. Just totally false.



False. Kernels were proprietary. They were developed by companies like IBM, HP, and Sun. "people" did not add on and modify them much at all.



Well. You skipped free-BSD and about 25 years, but whatever. Linux was an attempt to make a "free" unix-like kernel to run on PC hardware. Up to that point, most unix operating systems were designed to run on specific hardware. And the hardware and the software was proprietary.

Several of the unix OS vendors had versions of their OS designed to run on PC hardware, but none of them really ran that well. Linux was designed to do just that, and it worked reasonably well. The primary point of Linux was to compete with windows and to give hobbyists at home the ability to use the superior features of unix without having to purchase the very very expensive hardware that most unix systems ran on (and without having to deal with the relatively chunk-blowing BSD).

I've literally forgotten more about this than you know.



No. And no. If the first were true, Linus Torvalds would have been sued. He wrote a new kernel from scratch. It uses the unix conceptual approach to hardware messaging, but that's been more or less out in the wild since the mid 70s. The second is just plain false.



There was no "original open-source Unix kernel". Free-BSD was the closest, but even then it wasn't really the same thing. It was a stripped down version of the full commercial BSD kernel, which was handed out "free" for people to use, but if you wanted to modify it or make changes, you had to coordinate with the folks on the Berkeley Design whatsit.

All your false assumptions lead from this.



No. They've been able to make something that is "unix-like" and free (sorta). While there are some very good aspects to linux development, you really have to not have been involved or aware of the process to think that it magically works so well. That's a fairy tale told to those outside the circle.

And it's not about security. You hear that because many of those involved in various linux development projects came from a windows background. To them, linux was about building a more secure home system. To those of us coming from a true unix background, most of those idiot developers either wasted tons of time re-inventing the wheel, or decided to do something "their way" and actually produced a less secure and less useful product as a result.

I have lots of problems with many of the silly assumptions made by the linux developers. It really isn't all unicorns and rainbows. And no one thinks that linux is more secure than just about any flavor of unix.



Oh please. I'm dying here!

Edited, Oct 31st 2008 3:16pm by gbaji

Some of us don't have to.


You're confusing an "open system" with an "open source kernel". The core design concepts of unix are "open" in the sense that anyone can use them to build their own OS (and many did). They're too simplistic to actually attempt to copyright and control anyway. There were a whole set of attempts to standardize what made an OS a "unix" OS, and some people and groups still disagree.

"Open Source" literally means that the source code of a program is available for anyone to see, download, modify, and use as they wish. Even most open source organizations restrict who and where "official" versions of their code can come from though (although that does not prevent anyone from going "off the farm" if they wish). Linux was the first successful true "open source" kernel for unix-like operating systems. That's what differentiates it from all others before it. It's absurd to then say that all unix systems were open source as well. If that were the case, no one would have ever had a reason to use linux.


Um... Which still misses the core point. Open software is not more secure overall. The most secure systems are those in which the operating mechanisms are "black box", meaning that no-one outside of the vendor knows what's going on. This is true for multi-purpose systems (although a bit harder to see), and very much true for any sort of encryption or key-exchange system.




Edited, Oct 31st 2008 3:46pm by gbaji

Ok. I think you're not getting something. I've been working with unix systems since before Linux was invented. I don't need to research this. I already know that unix kernels were not open source. Period. I also know that most of the distributions were not open source either. It's not like you'd run into a bug with the HP-UX automounter, log onto their site and just download the source code to see if you could identify the problem.

Virtually no vendors work that way. Not the ones who want to actually make money. And guess what? Even most linux distributions don't work that way either. They're a bit closer, but not much. Take it from someone who's actually been involved in testing and debugging kernels and utility software for unix and unix-like systems for nearly 20 years, the idea that Unix is more secure than Windows is because it's "open source" is laughable. Linux inherits much of it's security from the superior design of unix, but there's nothing about open source itself that makes it more secure in any way.


I don't know how many different ways I can explain that. Allowing anyone to see the source code does make it easier to find and fix bugs (but has some negative effect on development direction if you're not really careful). It allows you to build a competitive product cheaply (cause a bunch of people are giving their time to the product for "free"). But it absolutely has no positive effect on the security of the resulting product. If anything, it makes it less secure because anyone who might want to try to hack it will be able to figure out how to do it.


It's always easier to find holes in software than it is to fix them. If for no other reason then you can't fix a hole until you find it. Thus, fixing already requires finding, making fixing harder to do (or at least more time consuming) than fixing. When it comes to finding and fixing bugs, the open source methodology works quite well. When it comes to finding and fixing security flaws? Not so much...




Well. Transparency can mean a lot of things. Usually, it's about transparency in the "process", not necessarily the nuts and bolts. I want to know how my data is secured by a vendor, but I don't really expect him to tell me exactly which encryption system he's using much less what hash keys he's using.

I simply don't see the real value to demanding this. It's one of those things that sounds great when people who don't really understand security and proprietary systems repeat them, but don't really buy you anything. Look at it another way: You drive a car, right? Do you have open access to ever single bit of design material involved in the construction of that car? Or do you just have an operating manual?

Do you feel your car is less safe because you don't have access to the details of it's design? The point I'm getting at here, is that over time any product becomes better because of feedback from the market. In the case of electronic voting machines, the same thing occurs. Companies that make good products get their product purchased by the states who want/need them. Those who make crappy ones get dropped for a competitor. The people can apply pressure to the purchasers (the state governments typically) based on those choices.

The only real flaw with using this same mechanism is that there are many people who for some political reason or another don't want electronic voting systems to be put in place. They then convince other people that electronic voting systems aren't safe and aren't secure and insist that ludicrous requirements be placed on their use. The net result isn't to create a better election system, but a worse one. We can speculate as to what the motivations are behind that, but it is the end result.


And no amount of opening of source code prevents it. If history is any indicator it'll just open the issue up to more argument, and further confuse and delay the adoption of good quality and "secure" electronic voting systems in this country. Again. We can speculate as to why anyone would want that, but it is what ends up happening.



Or we can focus on the end result. Just as with a car, we measure it's safety features based on how it performs in the real world, we should do the same with electronic voting systems. We don't need to know what's going on under the hood. We just need to demand specific security features that work. So a good paper trail is important obviously. More reliable input systems are important. We can push for those improvements without demanding that the vendors open up their source code to us (and should).

The code vault type idea you propose doesn't buy us anything either. At the end of the day, the vast majority of the people simply have to trust that whatever experts are looking at and designing the code that runs these things have done their job properly. And honestly, the last people I'd trust to do that would be a political organization. Let each company design their own systems and then compete with them in an open market. That's how you get the best results.

Opening the code would only result in "dueling experts", with the manipulation of the public perception being the goal. If I can convince enough people that my competitors system is crap, maybe they'll buy my system instead, right? It's a really really bad approach, since negative feedback is all that's going to be effective and that tends to result in adoption of worse technology over time, not necessarily better.



Yup. But you're ****-blocking your own issue, aren't you? If you believe that all electronic voting systems should have paper trails (and just about everyone agrees with that), then just push for that one thing. By lumping in a bunch of other arguments and claims and demands, you increase the likelihood that nothing at all will get done, and absolutely decrease the likelihood that a good change will occur, much less the specific one you care the most about.


That's the problem with the blog you linked to originally. It wasn't about proposing solutions, but simply blasting electronic voting devices for being insecure or inaccurate. It's goal is simply to spread FUD (Fear, Uncertainty, and Doubt) about e-voting. Period. By linking to it, you're supporting that approach. My whole point is that this is the wrong way to do it. If you want to make elections more secure, then instead of focusing on a laundry list of things you think are wrong or may be wrong, focus instead on just the areas you think need improvement and the specific improvements that need to be made.


So you want paper trails on all voting machines? I agree 100% with you. And if you'd restricted your original post to just that, you'd likely have gotten nothing but a chorus of "I agrees" from everyone.

You already stated that you forgot more than I knew about this, perhaps you do need to research this a bit more.

History of Unix, Linux, and Open Source / Free Software

http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/history.html





So yes, Unix is open source (the BSD versions, not Sun Microsystems Solaris or any other proprietary variant) and the Linux kernel was inspired by and actually used some of the components of open source BSD Unix.



No, but I feel less safe about my car if I don't know what's going on "under the hood." Why would I just blindly trust something, especially when there is evidence it is unreliable?



So you're advocating that we all remain ignorant?



Are you not familiar with the story of Cliff Curtis, the computer programmer who came forward and admitted to taking part in conspiracy to create a computer program to flip the vote? Here is his testimony to Congress.

http://www.youtube.com/watch?v=z3hUPP_bdOo



My statement in the original OP was that we should not have private corporations conduct our elections with no transparency and accountability. I then explained what I meant by transparency and accountability. You're confusing me with BradBlog. First of all notice that I linked to the main page which chages its story everyday. Just because I link to a site doesn't mean I agree with all of the verbiage on the page, especially one that changes daily. Its a good reference to identify various voting issues, and on that particular day it was identifying problems with machines that were either not calibrated correctly or ones that were flipping the vote. If a machine is not calibrated correctly that is a incompetence. If it is flipping the vote that is criminal. Either way it needs to be investigated and changed.



Absolutely, this would satisfy my concerns, assuming that the paper trail was actually compared to the electronic tabulation at the end of the day by reliable sources.

On what point. How is BSD Unix not open source?? Did you not read about the court ruling in 2007? Do you deny that AT&T gave away their source code to collaborate with academics which developed the BSD Unix?

It's fun, regardless of who agrees with what.