Kent Krispin wrote:

> More concretely: The auditors come, examine the code, certify it, and
> leave.  A *different* program starts up the minute they walk out
> the door, a program derived from the certified one, and that, as far
> as the external network connection to the rest of the world can tell, behaves
> identically.  But it actually does a whole lot of other stuff, in
> addition.  When the auditors come back, they find the same certified
> code sitting on Joop's disk, unmodified.  But unless they are logged
> on locally, and monitoring in real time, they can't verify that the
> program that is running, and providing service to the outside world,
> is the one they certified.
> 
> Furthermore, the trojaned version will externally act identically to
> the certified one, so no one, an auditor or a normal voter, could
> ever tell the difference externally.
> 
> In fact, even if you *are* sitting there, monitoring in real time,
> you can't really be sure.  It would be perfectly possible to have a
> trojaned shell that ran "election_code_subverted" whenever you
> specified "election_code_verified" on the command line, for example.
> 
> This may seem far-fetched to the inexperienced, but this kind of
> thing REALLY DOES HAPPEN, ALL THE TIME, IN THE REAL WORLD.  There are
> nicely packaged hacker toolkits, commonly available, that replace the
> system utilities that would normally reveal their presence, and it
> takes no particular intelligence or expertise to run them.

Kent, expertise in network security does not translate into expertise in
political manipulations with real human beings, ballot stuffing, vote
buying and other forms of electoral cheating that generally come from the
top down.
I have told you once on the IDNO list why I am motivated to do all this.
In my eyes your objections that the IDNO polling system is not secure are
a smokescreen. The voting system allows us to take democratic decisions,
online, without expensive f2f meetings. This has enormous value.
The integrity of the system is far less important than the integrity of the
people.

I also think that in case the entity running the election is not trusted by
its voters, there *is* an easy way to verify election results, and it has
nothing to do with system security or detecting Trojan software.

Assuming that there is no question about the authenticity of the voters,
the voting website could be duplicated, or even triplicated, at several
trusted third-party locations.
The voters will be asked to vote at both sites. If there is no difference
in the voting results, you can assume that no tampering has taken place.  In
case there is a significant difference (people may change their vote
or make mistakes, but this should not be significant), then you declare the
election void and let them vote again at yet another site.

Sure, all sites could be tampered with at the same time.  If elections
were repeated every three months, you would wonder whether a tampering
effort would not be mainly directed at sabotage, rather than at gaining office.
You deal in "security" and I tell you that *all* security is an illusion.
Is that an argument against using the Net for cheap and often repeatable
voting?

--Joop Teernstra LL.M.--, bootstrap of
the Cyberspace Association,
the constituency for Individual Domain Name Owners
http://www.idno.org