On 03/18/2016 09:07 PM, Jim Jagielski wrote:
> One thing that the previous STV code had was that if
> the code running the election itself was changed, it
> invalidated the running election. This was to prevent
> someone from changing the software (say, by silently
> dropping 'AC' from the counts) during the election
> in order to change the election.

But couldn't that in itself be circumvented by overriding that check?

> 
> Again, there is some limit to how much we can really
> do things: even the previous could be circumvented if
> one was root after all. But it is Good to do what we can,
> imho.
> 

The current system revolves around the base assumption that whoever has
access as a 'vote admin' does not generally have access as a 'sys admin'
to the actual system on the machine (iow shell/disk access) and thus
can't change anything without the alarms going off (if you change
election data during an election, big red letters appear and you get
very afraid ;)).

Having said that, I'd love for us to work more on the credibility
aspects of this and especially document best-practice for people that
might not know how this is supposed to be set up. I don't know that we
can create a fully tamper-proof system, but we can try :)

With regards,
Daniel.
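
The check discussed in this thread, sketched as an added example (not code from the STV tool or from either poster): a digest over the tallying code and the election data is taken when the election opens and compared again later. File names, contents and function names are constructed for illustration, and the opening seal is assumed to be recorded somewhere the election machine cannot rewrite, since a seal stored beside the code it guards can be edited along with it.

```python
import hashlib
import hmac


def seal_election(code_files: dict, election_data: dict) -> str:
    """SHA-256 over the tallying code and the election definition (name -> bytes)."""
    h = hashlib.sha256()
    for label, items in (("code", code_files), ("election", election_data)):
        for name in sorted(items):
            # Length-prefix every field so moving bytes between fields changes the digest.
            for part in (label.encode(), name.encode(), items[name]):
                h.update(len(part).to_bytes(8, "big"))
                h.update(part)
    return h.hexdigest()


def is_intact(opening_seal: str, code_files: dict, election_data: dict) -> bool:
    """True only if code and election data still match the seal taken at opening."""
    return hmac.compare_digest(opening_seal, seal_election(code_files, election_data))


# Constructed sample input, not taken from any real election or code base.
CODE = {"tally.py": b"def count(ballots):\n    return tally(ballots)\n"}
ELECTION = {"candidates": b"AA,AB,AC", "title": b"board-2016"}
OPENING_SEAL = seal_election(CODE, ELECTION)  # assumed to be recorded off the machine

# Code changed mid-election, e.g. to drop 'AC' from the counts.
TAMPERED_CODE = {
    "tally.py": b"def count(ballots):\n    return tally(b for b in ballots if b != 'AC')\n"
}
# Election data changed mid-election.
TAMPERED_ELECTION = dict(ELECTION, candidates=b"AA,AB")

if __name__ == "__main__":
    print("untouched:   ", is_intact(OPENING_SEAL, CODE, ELECTION))
    print("code changed:", is_intact(OPENING_SEAL, TAMPERED_CODE, ELECTION))
    print("data changed:", is_intact(OPENING_SEAL, CODE, TAMPERED_ELECTION))
```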
