Re: voting by m of n digital signature?

2008-11-14 Thread Florian Weimer
* James A. Donald:

> Is there a way of constructing a digital signature so
> that the signature proves that at least m possessors of
> secret keys corresponding to n public keys signed, for n
> a dozen or less, without revealing how many more than m,
> or which ones signed?

What about this?

  Christian Cachin, Asad Samar
  Secure Distributed DNS
  

Or do you require that potential signers must not be able to prove
that they signed?

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: voting by m of n digital signature?

2008-11-10 Thread dan

"James A. Donald" writes:
-+---
 | Is there a way of constructing a digital signature so
 | that the signature proves that at least m possessors of
 | secret keys corresponding to n public keys signed, for n
 | a dozen or less, without revealing how many more than m,
 | or which ones signed?
 | 

quorum threshold crypto; if Avishai Wool or Moti Yung
or Yvo Desmedt or Yair Frankel or...  are here on this
list, they should answer

a *tiny* contribution on my part

  http://geer.tinho.net/geer.yung.pdf

humbly,

--dan



Re: voting by m of n digital signature?

2008-11-09 Thread Richard Salz
> Is there a way of constructing a digital signature so
> that the signature proves that at least m possessors of
> secret keys corresponding to n public keys signed, for n
> a dozen or less, without revealing how many more than m,
> or which ones signed?

Yes there are a number of ways.  Usually they involve splitting the 
private key so that when a quorum of fragment signatures are done, they 
can be combined and the result verified by the public key.   Look for 
multi-step signing or threshold signatures, for example.

Disclaimer: I worked at CertCo who had the "best" technology in this area. 
It was created for SET.
/r$


--
STSM, DataPower Chief Programmer
WebSphere DataPower SOA Appliances
http://www.ibm.com/software/integration/datapower/
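
The key-splitting approach described in the reply above, as an added example that is not part of the original thread and is not CertCo's design: a Shoup-style threshold RSA scheme in Python, where any k of n signers produce fragment signatures that combine into one ordinary RSA signature. The primes, the function names and the SHA-256 reduction are assumptions chosen for illustration, and the modulus is a toy built from public Mersenne primes.

```python
import hashlib
import math
import secrets
from itertools import combinations

# Toy parameters, constructed for this example: two Mersenne primes. A real
# dealer would generate large secret safe primes; these are public and tiny.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                       # public RSA modulus
M = (P - 1) * (Q - 1) // 4      # order of the subgroup of squares mod N
E = 65537                       # public exponent: prime and larger than n


def egcd(a, b):
    """Return (g, u, v) such that u*a + v*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v


def digest(msg):
    """Map a message into Z_N (stand-in for a full-domain hash)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def deal(n, k):
    """Dealer: Shamir-share d = E^-1 mod M among signers 1..n, threshold k."""
    d = pow(E, -1, M)
    coeffs = [d] + [secrets.randbelow(M) for _ in range(k - 1)]
    return {i: sum(c * i**t for t, c in enumerate(coeffs)) % M
            for i in range(1, n + 1)}


def sign_share(msg, share, n):
    """One signer's fragment signature: x^(2 * n! * s_i) mod N."""
    return pow(digest(msg), 2 * math.factorial(n) * share, N)


def verify(msg, sig):
    """Ordinary RSA verification against the single public key (N, E)."""
    return pow(sig, E, N) == digest(msg)


def combine(msg, partials, n, k):
    """Combine k fragment signatures {signer_id: value} into one RSA signature."""
    if len(partials) < k:
        raise ValueError("quorum not reached")
    delta = math.factorial(n)
    ids = sorted(partials)[:k]          # any k fragments are enough
    w = 1
    for j in ids:
        # Integer Lagrange coefficient at 0, scaled by n! so it divides exactly.
        num, den = delta, 1
        for other in ids:
            if other != j:
                num *= -other
                den *= j - other
        w = w * pow(partials[j], 2 * (num // den), N) % N
    # Now w^E == x^(4*delta^2); remove that exponent with Bezout coefficients.
    _, a, b = egcd(4 * delta**2, E)
    sig = pow(w, a, N) * pow(digest(msg), b, N) % N
    if not verify(msg, sig):
        raise ValueError("a fragment signature in the quorum is invalid")
    return sig


def all_quorum_signatures(msg, shares, n, k):
    """Sign with every possible k-subset and collect the distinct results."""
    results = set()
    for quorum in combinations(sorted(shares), k):
        partials = {i: sign_share(msg, shares[i], n) for i in quorum}
        results.add(combine(msg, partials, n, k))
    return results


if __name__ == "__main__":
    shares = deal(5, 3)
    sigs = all_quorum_signatures(b"constructed motion text", shares, 5, 3)
    print(len(sigs), "distinct signature(s) from 10 different quorums")
```

Every quorum yields the same signature value, so a verifier holding only the public key cannot tell which signers took part or whether more than k did; the party that combines the fragments does see who contributed.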



voting by m of n digital signature?

2008-11-09 Thread James A. Donald

Is there a way of constructing a digital signature so
that the signature proves that at least m possessors of
secret keys corresponding to n public keys signed, for n
a dozen or less, without revealing how many more than m,
or which ones signed?



Re: Voting machine security

2008-08-19 Thread Adam Fields
On Mon, Aug 18, 2008 at 09:24:33AM -0700, Eric Rescorla wrote:
[...]
> Without directly addressing the question of the quality of Diebold's
> offerings, I actually don't think the criticism implied here is
> entirely fair. If you're going to have voting machines, even precinct
> count optical scanners (and because of the complexity of US elections,
> hand counting is quite expensive), you likely want to machine
> tabulate, and that means an EMS. Though you certainly should make
> serious attempts to keep the EMS from coming in contact with outside
> data (see [HRS+08] for some discussion of how difficult this actually
> is), there is always some chance that there will be some
> contact. Generic AV probably isn't that great at detecting or stopping
> this, but it may well be better than nothing, and it's certainly an
> arguable point.
[...]

This raises the very real question of what exactly went wrong that
caused the AV software to freak out and "lose" votes. Did the vote
data have a virus signature pattern and get quarantined?!?

-- 
- Adam

** Expert Technical Project and Business Management
 System Performance Analysis and Architecture
** [ http://www.adamfields.com ]

[ http://www.morningside-analytics.com ] .. Latest Venture
[ http://www.confabb.com ]  Founder
[ http://www.aquick.org/blog ]  Blog
[ http://www.adamfields.com/resume.html ].. Experience
[ http://www.flickr.com/photos/fields ] ... Photos
[ http://www.aquicki.com/wiki ].Wiki



Re: Voting machine security

2008-08-19 Thread Adam Fields
On Mon, Aug 18, 2008 at 10:16:02AM -0700, Paul Hoffman wrote:
[...]
> Essentially no one would argue that is "quite expensive". I 
> suspect that nearly everyone in the country would be happy to pay an 
> additional $1/election for more reliable results.

Without seeing all of the expense (and likely inability) of securing
and ensuring the proper count from the machine, people look at the
problem and go "computers are good at counting things fast and people
aren't, so it must therefore be massively cheaper to have a computer
do the count".

If you're >just< talking about summing a few lists, that's true. But
of course, no one who doesn't work for a voting machine company is
just talking about summing a few lists.

The idea that after you factor in everything, it might actually be
cheaper to have people do it after all, is a very difficult one for
many people to even conceptualize. "Progress" demands that computers
do all menial tasks.

-- 
- Adam

** Expert Technical Project and Business Management
 System Performance Analysis and Architecture
** [ http://www.adamfields.com ]

[ http://www.morningside-analytics.com ] .. Latest Venture
[ http://www.confabb.com ]  Founder
[ http://www.aquick.org/blog ]  Blog
[ http://www.adamfields.com/resume.html ].. Experience
[ http://www.flickr.com/photos/fields ] ... Photos
[ http://www.aquicki.com/wiki ].Wiki



Re: Voting machine security

2008-08-18 Thread dan

Paul Hoffman writes:
-+--
 | At 9:24 AM -0700 8/18/08, Eric Rescorla wrote:
 | >(and because of the complexity of US elections,
 | >hand counting is quite expensive)
 | 
 | This is quite disputable. Further, hand vs. machine counting is core 
 | to the way we think about the security of the voting system.
 | 




The keynote talk for the USENIX Security Symposium was 

  Dr. Strangevote or: How I Learned to Stop Worrying
  and Love the Paper Ballot

  Debra Bowen, California Secretary of State 


and her talk had one slide only.  I do not have the
slide, but I can reproduce it.  It was a photo of
the tail end of her car and on it a bumper sticker.
That bumper sticker read

  
  PREVENT UNWANTED PRESIDENCIES
  MAKE VOTE COUNTING A HAND JOB


In no other state could a Constitutional Officer
get away with such a bumper sticker, but...

--dan




Re: Voting machine security

2008-08-18 Thread Paul Hoffman

At 9:24 AM -0700 8/18/08, Eric Rescorla wrote:
>(and because of the complexity of US elections,
>hand counting is quite expensive)


This is quite disputable. Further, hand vs. machine counting is core 
to the way we think about the security of the voting system.


On a "complex" ballot, there are maybe 20 races or propositions, some 
of which may allow multiple votes per race. The pre-electronic method 
for hand-counting these was to start with race #1, have one person 
reading each vote out loud from a large stack of ballots, and another 
person tabulating. In most districts, this is done twice with 
different people doing the counting and, often, those people coming 
from the "opposite party" in our wonderful two-party system.


The numbers I saw in the late 1970's said that each vote took 2.5 
seconds per ballot per race when done slowly; so that's 5 seconds 
when run twice. Per "complex" ballot, that's about 100 seconds, or 
roughly 2 minutes, or roughly 1/30 of an hour. At current labor rates 
of $12/hour for this type of work (that's high, but we want qualified 
people to count), that means it costs about US$0.40 per ballot for a 
complex ballot.


Essentially no one would argue that is "quite expensive". I 
suspect that nearly everyone in the country would be happy to pay an 
additional $1/election for more reliable results.


--Paul Hoffman, Director
--VPN Consortium



Re: Voting machine security

2008-08-18 Thread Eric Rescorla
At Fri, 15 Aug 2008 11:57:38 -0400,
John Ioannidis wrote:
> 
> This just about sums it up: http://xkcd.com/463/

Without directly addressing the question of the quality of Diebold's
offerings, I actually don't think the criticism implied here is
entirely fair. If you're going to have voting machines, even precinct
count optical scanners (and because of the complexity of US elections,
hand counting is quite expensive), you likely want to machine
tabulate, and that means an EMS. Though you certainly should make
serious attempts to keep the EMS from coming in contact with outside
data (see [HRS+08] for some discussion of how difficult this actually
is), there is always some chance that there will be some
contact. Generic AV probably isn't that great at detecting or stopping
this, but it may well be better than nothing, and it's certainly an
arguable point.

More discussion at:
http://www.educatedguesswork.org/2008/08/should_voting_systems_have_av.html

-Ekr


[HRS+08] J.A. Halderman, E. Rescorla, H. Shacham, and D. Wagner. "You
Go to Elections with the Voting System You Have: Stop-Gap Mitigations
for Deployed Voting Systems." In D. Dill and T. Kohno, eds.,
Proceedings of EVT 2008. USENIX/ACCURATE, July 2008. 
http://www.cse.ucsd.edu/~hovav/papers/hrsw08.html



Re: Voting machine security

2008-08-18 Thread [EMAIL PROTECTED]
On Fri, Aug 15, 2008 at 11:57 AM, John Ioannidis <[EMAIL PROTECTED]> wrote:
> This just about sums it up: http://xkcd.com/463/
>
Only slightly better than suggested by the comic. McAfee anti-virus
software was on the servers, not the DRE voting machines themselves.

From
<http://www.middletownjournal.com/n/content/oh/story/news/local/2008/08/06/ddn080608votingweb.html>

  Premier spokesman Chris Riggall had not seen the
  counterclaim [breach-of-contract lawsuit counterclaim
  filed by the Ohio Secretary of State] and declined
  comment on it. But he blamed the vote tabulation
  problems on McAfee anti-virus software on computer
  servers.

-Michael Heyman



Voting machine security

2008-08-15 Thread John Ioannidis

This just about sums it up: http://xkcd.com/463/

/ji



Voting machines make mistake in Arkansas

2008-06-07 Thread Perry E. Metzger

Excerpt:

   Bruce Haggard, an election commissioner in Faulkner County,
   Arkansas, is baffled by a problem that occurred with two voting
   machines in this month's state primary elections. The machines
   allocated votes cast in one race to an entirely different race that
   wasn't even on the electronic ballot. The problem resulted in the
   wrong candidate being declared victor in a state House nomination
   race.

http://blog.wired.com/27bstroke6/2008/05/arkansas-voting.html


-- 
Perry E. Metzger[EMAIL PROTECTED]



Call for presentations: Cryptographic e-voting systems for the IACR

2008-05-22 Thread james hughes


The International Association for Cryptologic Research (http://www.iacr.org/)
is seeking presentations and demos of e-voting systems. For its next
meeting in August-17, 2008 (in Santa-Barbara, CA, USA), the IACR board
would like to invite presentations and demos of cryptographic e-voting
systems that are open source and freely available for all.


For more information see http://www.iacr.org/elections/cfp.html



Electronic Voting: Danger and Opportunity

2007-12-24 Thread Ali, Saqib
University of Illinois will hold a talk on "Electronic Voting: Danger
and Opportunity". Professor Edward W. Felten of Princeton University
will be speaking. See:
http://webtools.uiuc.edu/calendar/Calendar?calId=504&eventId=78090&ACTION=VIEW_EVENT


saqib
http://www.quantumcrypto.de/dante/



Fwd: Fwd: Fwd: PunchScan voting protocol

2007-12-18 Thread Taral
I've attached below Rick's reply to this thread. Rick Carback is a member of
the PunchScan team.

- Taral

-- Forwarded message --
From: Rick Carback
Date: Dec 16, 2007 12:01 PM
Subject: Re: Fwd: Fwd: PunchScan voting protocol

 I think there are some misconceptions/assumptions in play here about the
privacy available in current systems. Punchscan was designed to provide an
unconditional level of integrity into the voting process, not to improve
privacy over the status quo. Election officials, ultimately, are still
responsible for protecting the privacy of voters. The cryptography is meant
as a tool to be used by election officials that prevents anyone from
arbitrarily changing vote totals without getting caught. I do not think that
Punchscan is noticeably worse than current systems in terms of privacy
protection and it is still unclear to me if there is any real difference at
all.

As for specific responses:

 "Well, that's the right question.  That's the sort of question
the punchscan team should be asking themselves, and answering
in more detail than I have heretofore seen.  What threats does
punchscan claim to defend against?  What threats does it leave
to be mitigated by other (non-punchscan) means?"

 We have talked about this stuff and published it -- we're still talking
about it, see:

http://punchscan.org/papers/ibs_carback.pdf
http://punchscan.org/papers/receipts_clark.pdf
http://punchscan.org/papers/patterns_popoveniuc
http://punchscan.org/papers/pip_essex.pdf

There will be more publications in the future. Also, you might want to check
out our VoComp submission:

http://punchscan.org/vocomp.php

Unlike any other team at the competition, we were more careful with our
claims and our analysis of our system. Part of that is the reason why we
won.

 "As an example: Let's look at the plant where the ballots are
printed.  Suppose somebody attaches a tiny "spy camera" to
the frame of one of the printing presses, so as to obtain an
image of both parts of the two-part ballot (for some subset
of the ballots)."

 In a traditional system, you can put the spy cameras in the polling place
so you can watch each voter vote. That will allow you to *directly* target
and identify each voter in a location where election authorities exert *less
* control over the surrounding environment. By contrast, attacking the
printer provides you with a decryption of the ballots but not who used them
-- you still have to go out and find each voter, and the only reliable way
to do that is to catch them in the act of voting, because they could have
got rid of the receipt or swapped it (Alternatively, receipts could be given
to third parties, e.g. LWV, this is what EPIC suggests). In that sense, this
example is unrealistic. This is especially true when you include machines in
polling places that know how voters vote (in punchscan, they don't), and the
myriad of ways a voter could expose their choices to a coercer. See:

http://punchscan.org/blog/?p=6
http://punchscan.org/blog/?p=7

The comment about "partial exposure risk" looks like a misunderstanding, so
I'll ignore it

 "Ah yes, but what is being assumed about the /properties/ of
this Election Authority?  Is the EA omnipresent and omnipotent,
like the FSM, or does it have boundaries and limitations?
For example, does it ever need to rely on employees or
subcontractors?"

 This information is in the original papers, but the EA is responsible for
generating the data, supervising the printing and packaging (which should
include tamper-evident protections), and coordinating the shipment of
ballots to polling places. Essentially, all the things a central authority
would be responsible for in a current optical scan system. It would also be
responsible for generating keys for the scanning equipment and controlling
authentication to the bulletin board, but that is all part of the bulletin
board component that could be generic to any E2E system.

I might post this to the blog, but I am sort of busy. I will let you know
when/if I do.

-R



Re: PunchScan voting protocol

2007-12-15 Thread John Denker
On 12/13/2007 08:23 PM, Taral wrote:
> On 12/12/07, John Denker <[EMAIL PROTECTED]> wrote:
>> Several important steps in the process must be carried out in
>> secret, and if there is any leakage, there is unbounded potential
>> for vote-buying and voter coercion.
> 
> I've done quite a bit of work with this protocol. The protocol assumes
> the existence of an Election Authority. The Authority has the master
> keys required to generate certain data sets, and these keys give the
> Authority the ability to associate ballot numbers with votes. Note
> that this doesn't necessarily give the Authority the ability to
> associate people with votes.
> 
> There are no per-ballot keys, so there is no partial exposure risk.
> It's all-or-nothing.
> 
>> 1) It would be nice to see some serious cryptological protection
>> of election processes and results.
> 
>> 2b) In particular I don't think PunchScan really solves "the"
>> whole problem.
> 
> What is "the" whole problem? Please provide an attack model.

Well, that's the right question.  That's the sort of question
the punchscan team should be asking themselves, and answering
in more detail than I have heretofore seen.  What threats does
punchscan claim to defend against?  What threats does it leave
to be mitigated by other (non-punchscan) means?

As an example: Let's look at the plant where the ballots are
printed.  Suppose somebody attaches a tiny "spy camera" to
the frame of one of the printing presses, so as to obtain an
image of both parts of the two-part ballot (for some subset
of the ballots).

Obviously anybody who gets this information can defeat all the
cryptologic protections that the protocol is supposed to provide
(for that subset of the ballots).

  Note that the spy camera can be hiding in plain sight, in
  the guise of a "security camera".  Many election-related
  facilities are /required/ to have security cameras.

  There's a difference between mathematical cryptology and real-
  world security.

> There are no per-ballot keys, so there is no partial exposure risk.
> It's all-or-nothing.

It's bad luck to prove things that aren't true.  I just gave an
example of a "partial exposure risk", since some of the ballots
were seen by the spy camera and some weren't.

> The protocol assumes
> the existence of an Election Authority. 

Ah yes, but what is being assumed about the /properties/ of
this Election Authority?  Is the EA omnipresent and omnipotent,
like the FSM, or does it have boundaries and limitations?
For example, does it ever need to rely on employees or
subcontractors?



Re: PunchScan voting protocol

2007-12-14 Thread Taral
On 12/12/07, John Denker <[EMAIL PROTECTED]> wrote:
> Several important steps in the process must be carried out in
> secret, and if there is any leakage, there is unbounded potential
> for vote-buying and voter coercion.

I've done quite a bit of work with this protocol. The protocol assumes
the existence of an Election Authority. The Authority has the master
keys required to generate certain data sets, and these keys give the
Authority the ability to associate ballot numbers with votes. Note
that this doesn't necessarily give the Authority the ability to
associate people with votes.

There are no per-ballot keys, so there is no partial exposure risk.
It's all-or-nothing.

> 1) It would be nice to see some serious cryptological protection
> of election processes and results.

> 2b) In particular I don't think PunchScan really solves "the"
> whole problem.

What is "the" whole problem? Please provide an attack model.

-- 
Taral <[EMAIL PROTECTED]>
"Please let me know if there's any further trouble I can give you."
-- Unknown



PunchScan voting protocol

2007-12-13 Thread John Denker
Hi Folks --

I was wondering to what extent the folks on this list have taken
a look at the PunchScan voting scheme:

  http://punchscan.org/

The site makes the following claims:

>> End-to-end cryptographic independent verification, or E2E, is a
>>  mechanism built into an election that allows voters to take a 
>> piece of the ballot home with them as a receipt. This receipt 
>> does not allow voters to prove to others how they voted, but it
>>  does permit them to:
>>
>> * Verify that they have properly indicated their votes to 
>> election officials (cast-as-intended).
>> * Verify with extremely high assurance that all votes were
>> counted properly (counted-as-cast).
>>
>> Voters can check that their vote actually made it to the tally,
>> and that the election was conducted fairly.


Those seem at first glance to be a decent set of claims, from
a public-policy point of view.  If somebody would prefer a
different set of claims, please explain.


PunchScan contains some nifty crypto, but IMHO this looks like
a classic case of too much crypto and not enough real security.

I am particularly skeptical of one of the FAQ-answers
 http://punchscan.org/faq-protections.php#5

Several important steps in the process must be carried out in
secret, and if there is any leakage, there is unbounded potential
for vote-buying and voter coercion.
  The Boss can go to each voter and make the usual silver-or-lead
  proposition:  Vote as I say, and then show me your voting receipt.
  I'll give you ten dollars.  But if I find out you voted against
  me, I'll kill you.

The voter cannot afford to take the chance that even a small
percentage of the ballot-keys leak out.

1) It would be nice to see some serious cryptological protection
of election processes and results.

2a) I don't think we're there yet.

2b) In particular I don't think PunchScan really solves "the"
whole problem.

3) I'd love to be wrong about item (2).  Does anybody see a way
to close the gaps?



Phd thesis on voting

2006-11-06 Thread Mads Rasmussen


I haven't seen this mentioned here:

Ben Adida did a PhD thesis on voting at MIT (ended this August)

http://ben.adida.net/research/phd-thesis.pdf

At his blog there is more material available such as conference slides, 
paper etc.


http://benlog.com/  (end of page)

--
Mads Rasmussen
LEA - Laboratório de Ensaios e Auditoria
ICP-Brasil   
(Brazilian PKI Cryptographic Certification Laboratory)

Office: +55 11 4208 3873
Mobile: +55 11 9655 8885
Skype: mads_work
http://www.lea.gov.br
   





Re: free e-voting software available?!

2006-06-19 Thread Andrea Pasquinucci
I am working on the implementation of a system which should fit your 
requirements based on some work of mine and on

  "A Protocol for Anonymous and Accurate E-Polling",
  Danilo Bruschi, Igor Nai Fovino, Andrea Lanzi,
  E-Government: Towards Electronic Democracy, International Conference, 
  TCGOV 2005, Bolzano, Italy, March 2-4, 2005, Proceedings. Lecture 
  Notes in Computer Science 3416 Springer 2005, ISBN 3-540-25016-6

I am planning to release the first version together with docs etc, in 
September (the system is already working, but I prefer not to release 
preliminary test versions). 

Andrea

PS. In case for the moment contact me in private for more infos.

--
Andrea Pasquinucci [EMAIL PROTECTED]
PGP key: http://www.ucci.it/ucci_pub_key.asc
fingerprint = 569B 37F6 45A4 1A17 E06F  CCBB CB51 2983 6494 0DA2



Re: free e-voting software available?!

2006-06-16 Thread Ed Gerck

For non-commercial use, ZMAIL offers free voting software
and service. The secure ballot may have a Release Time (cannot
be read before) and an Expiration Time (cannot be read after),
defining when voting begins and ends. Verified voter
registration is included. Candidates and voters know that the
votes will remain secret until the election closes, and can be
verified, without the need to trust a third-party or proxy service.
For small elections, the received ballots can be printed and
manually tallied, with or without identifying voter information,
as desired. The printed ballots can be audited and stored.

For large elections, or for commercial use, the entire election work
can be automated and third-party audited.

More info at:
  http://zvote.zsentry.com/zelection.htm
Election Manager and Voter registration at:
  https://zsentry.com/mail/premiumsecurity.html

Cheers,
Ed Gerck



Re: free e-voting software available?!

2006-06-15 Thread Thierry Moreau



John R. Black wrote:

> My department would like to conduct departmental votes in some automated way.
> We're looking for free software, (or modestly-priced software) to do this.
>
> Anyone know of such a thing?  I've done some searching without any luck.



Query your search engine for Punchscan, a design led by the 
distinguished cryptographer David Chaum, e.g. 
http://vote.cs.gwu.edu/vsrw2006/papers/9.pdf.


Apparently, their development project is aimed at educational votations 
as an operational proof-of-concept.


Interesting project, cryptography application to voting system without 
number theory or secret key cipher design.


Have fun.


--

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]




free e-voting software available?!

2006-06-15 Thread John R. Black

My department would like to conduct departmental votes in some automated way.
We're looking for free software, (or modestly-priced software) to do this.

Anyone know of such a thing?  I've done some searching without any luck.

We don't have the usual requirements of a full-blown voting package
(for example, we don't need to ensure that Alice cannot prove whom she
voted for later on; this is a typical requirement of voting schemes).

We are not voting on earth-shattering events, so it doesn't have to be
perfect.  We just want to improve on the "email your votes to the secretary"
approach.

If nothing suitable is out there, I'll likely get a student to write something
and put it into the public domain.

john//



Surprise! Another serious hole in Diebold voting machines...

2006-05-15 Thread Bill Squier

...okay, not so much surprise.

  [...]

  Scientists said Diebold appeared to have opened the hole by making it as
  easy as possible to upgrade the software inside its machines. The result,
  said Iowa's Jones, is a violation of federal voting system rules.

  "All of us who have heard the technical details of this are really shocked.
  It defies reason that anyone who works with security would tolerate this
  design," he said.

  [...]

http://www.schneier.com/blog/archives/2006/05/election_machin_1.html

(http://tinyurl.com/rqw23)




Ireland faces €50m e-voting write-off

2005-02-07 Thread R.A. Hettinga
<http://www.theregister.co.uk/2005/02/04/ireland_evoting_bill/print.html>

The Register



 Original URL: http://www.theregister.co.uk/2005/02/04/ireland_evoting_bill/

Ireland faces €50m e-voting write-off
By electricnews.net (feedback at theregister.co.uk)
Published Friday 4th February 2005 12:16 GMT

A lack of public confidence in e-voting means that Ireland may be forced
into writing off its €50m investment in electronic ballot systems.

Michael Noonan, chairman of the Dail Public Accounts Committee, expressed
doubts that the current system will ever be introduced, after last year's
debacle where plans to initiate e-voting were scrapped over security
concerns, the Irish Times reports. Even if the system is found to be safe,
few ministers would give it the go-ahead because the public would have
little trust in it, he told the newspaper.

Noonan made his comments ahead of an inquiry into expenditure on the
e-voting initiative. Officials from the Department of Environment are due
before the committee today to answer criticisms over the scheme.

The civil servants are likely to be subjected to a serious grilling on why
security concerns were not addressed before €50m was spent on e-voting
systems. The storage of the unused e-voting machines is estimated to cost
Irish taxpayers up to €2m per annum.

Fine Gael, Ireland's biggest opposition party, has attacked the Government
over the fiasco. "The criticisms contained in the report of the Independent
Commission on Electronic Voting make it clear that this was a fiasco of the
highest order," Fergus O'Dowd TD, Fine Gael spokesman on the Environment,
said. "Considering all the information that is available to him, Minister
Roche needs to fully explain the findings of these inquiries."

"Is it now the case, as feared, that the government will have to write-off
the €50m spend on electronic voting because of the botched handling of the
project? I will be raising the issue through Fine Gael's priority questions
in the Dail early next week. The Minister must give some definite answers."

The Irish government had planned to introduce e-voting at local and
European elections on 11 June 2004. But it abandoned the idea, following a
report of the Independent Commission on Electronic Voting (ICEV) which
raised doubts over the accuracy of the software used in the system.

According to the Irish Citizens for Trustworthy Evoting (ICTE) submission
to the commission, the Nedap/Powervote electronic voting system had a
fundamental design flaw because it had no mechanism to verify that votes
would be recorded accurately in an actual election. Consequently, results
obtained from the system could not be said to be accurate, ICTE said.

Other flaws identified included possible software errors and the use of the
graphical user interface programming language Object Pascal for a
safety-critical system.

Although ICEV's remit was advisory, the government accepted its
recommendation that the system should not be used until further testing had
established the effectiveness of its security.


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Diebold completes e-voting printer prototype

2005-01-31 Thread R.A. Hettinga
Wherein Diebold remembers, hey, presto, they're a cash-register company
after all...

Cheers,
RAH
---


<http://www.usatoday.com/tech/news/techpolicy/evoting/2005-01-28-diebold-printout_x.htm>

USA Today




Diebold completes e-voting printer prototype


NORTH CANTON, Ohio (AP) - Diebold said Thursday it has completed a
prototype printer designed for use with touch-screen electronic voting
machines, allowing voters to print, review and verify ballot selections.

 "Voter verified paper receipts are something new," said David Bear, a
spokesman for subsidiary Diebold Election Systems in McKinney, Texas.

 "No other type of voting provides a receipt for voters. But some states
are asking for it, so we needed to develop a product that meets standards
for functionality," he said.

 Voters can view their selections, but will not be able to remove the
printout. The voter's printed selections would be placed into a secure
enclosure, stored and numbered with a security tag. The printer weighs less
than three pounds.

 The printer will be submitted to independent testing authorities to ensure
that it meets federal standards as a prerequisite to certification in
states, Bear said.

 The printer would be an optional component to any new or existing Diebold
AccuVote TSx touch-screen voting machine. Bear said a per-unit cost and a
time frame for possible sale are not yet determined.

-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Calif. settles electronic voting suit against Diebold for $2.6M

2004-11-18 Thread R.A. Hettinga
<http://sfgate.com/cgi-bin/article.cgi?f=/news/archive/2004/11/10/financial1831EST0118.DTL>

The San Francisco Chronicle

Calif. settles electronic voting suit against Diebold for $2.6M

RACHEL KONRAD, AP Technology Writer

Wednesday, November 10, 2004

(11-10) 15:31 PST SAN FRANCISCO (AP) --

 California Attorney General Bill Lockyer announced Wednesday a $2.6
million settlement with Diebold Inc., resolving a lawsuit alleging that the
company sold the state and several counties shoddy voting equipment.

 Although critics characterized the settlement as a slap on the wrist,
Diebold also agreed to pay an undisclosed sum to partially reimburse
Alameda, San Diego and other counties for the cost of paper backup ballots,
ink and other supplies in last week's election. California's secretary of
state banned the use of one type of Diebold machine in May, after problems
with the machines disenfranchised an unknown number of voters in the March
primary.

 Faulty equipment forced at least 6,000 of 316,000 voters in Alameda
County, just east of San Francisco, to use backup paper ballots instead of
the paperless voting terminals. In San Diego County, a power surge resulted
in hundreds of touch-screens that wouldn't start when the polls opened,
forcing election officials to turn voters away from the polls.

 According to the settlement, the North Canton, Ohio-based company must
also upgrade ballot tabulation software that Los Angeles County and others
used Nov. 2. Diebold must also strengthen the security of its paperless
voting machines and computer servers and promise never to connect voting
systems to outside networks.

 "There is no more fundamental right in our democracy than the right to
vote and have your vote counted," Lockyer said in a statement. "In making
false claims about its equipment, Diebold treated that right, and the
taxpayers who bought its machines, cavalierly. This settlement holds
Diebold accountable and helps ensure the future quality and security of its
voting systems."

 The tentative settlement could be approved as soon as Dec. 10.

 The original lawsuit was filed a year ago by Seattle-based electronic
voting critic Bev Harris and Sacramento-based activist Jim March, who
characterized the $2.6 million settlement as "peanuts."

 March, a whistle blower who filed suit on behalf of California taxpayers,
could receive as much as $75,000 because of the settlement. But he said the
terms don't require Diebold to overhaul its election servers -- which have
had problems in Washington's King County and elsewhere -- to guard them
from hackers, software bugs or other failures.

 The former computer system administrator was also upset that the state
announced the deal so quickly. Several activist groups, computer scientists
and federal researchers are analyzing Nov. 2 election data, looking for
evidence of vote rigging or unintentional miscounts in hundreds of counties
nationwide that used touch-screen terminals. Results are expected by early
December.

 "This settlement will shut down a major avenue of investigation before
evidence starts trickling in," March said. "It's very premature."

 A Diebold executive said the settlement would allow the company to spend
more money on improving software and avoid "the distraction and cost of
prolonged litigation." Diebold earnings plunged 5 cents per share in the
third quarter because of the California litigation, which could cost an
additional 1 cent per share in the current quarter.

 Diebold shares closed Wednesday at $53.20, up 1.22 percent from Tuesday in
trading on the New York Stock Exchange.

 "We've worked closely with California officials to come to an agreement
that allows us to continue to move forward," Diebold senior vice president
Thomas W. Swidarski said in a statement. "While we believe Diebold has
strong responses to the claims raised in the suit, we are primarily
interested in building an effective and trusting relationship with
California election officials."


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



No mandate for e-voting, computer scientist says

2004-11-18 Thread R.A. Hettinga
<http://gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=27861>

No mandate for e-voting, computer scientist says
11/09/04
By William Jackson,
GCN Staff

Despite wide use in last week's presidential election, direct-recording
electronic voting still is a faulty method of casting ballots, one computer
scientist says.
"Paperless electronic-voting systems are completely unacceptable," said Dan
Wallach, assistant professor of computer science at Rice University.
Assurances about the machines' accuracy and reliability are not based on
verifiable data, Wallach said today at the Computer Security Institute's
annual conference in Washington.
Wallach was one of a team of computer scientists who in 2003 examined
source code for voting machines from Diebold Election Systems Inc. of North
Canton, Ohio, and reported numerous security flaws.
Cryptography implementation and access controls showed an "astonishingly
naive design," he said. "As far as we know, these flaws are still there
today."
Diebold has defended its technology and said the computer scientists
examined an outdated version of the code.
Wallach countered that without access to current code for any voting
machines, it's impossible to verify manufacturers' claims. The proprietary
nature of the code and a lack of government standards for voting technology
also make certification of the hardware and software meaningless, he said.
The IT Association of America hailed the Nov. 2 election as a validation of
direct-recording technology. But Wallach said sporadic problems with the
systems have been reported, and a thorough analysis of Election Day
procedures and results is under way.
Plus, a paper ballot that can be recounted is essential to a reliable
system, he said.
"Probably the best voting system we have today is the optical scan system,
with a precinct-based scanner," Wallach said. "It is very simple, it is
accurate, and it is auditable."
He suggested that a hybrid voting system that produces a verifiable paper
ballot would be as reliable as optical systems and would offer convenience
and accessibility for disabled voters.
A number of states, including California and Nevada, have laws or
legislation pending to require that voting machines produce paper ballots.
Wallach said technical standards that demand transparent certification
processes would go a long way toward increasing voting reliability.
"I think the Common Criteria would be a good place to start," he said,
referring to the set of internationally recognized standards for evaluating
security technology, either against vendor claims or against a set of needs
specified by a user.

-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Electronic Voting

2004-11-06 Thread Udhay Shankar N
Very timely.
Udhay
http://www.infosecwriters.com/hhworld/hh9/voting.txt
 Hitchhiker's World (Issue #9)
 http://www.infosecwriters.com/hhworld/
Observable Elections

Vipul Ved Prakash 
November 2004
This is an interesting time for electronic voting. India,
the largest democracy in the world, went completely paper-
free for its general elections earlier this year. For the
first time, some 387 million people expressed their
electoral right electronically. Despite initial concerns
about security and correctness of the system, the election
process was a smashing success. Over a million electronic
voting machines (EVMs) were deployed, 8000 metric tonnes of
paper saved[1] and the results made public within a few hours
of the final vote. Given the quarrelsome and heavily
litigated nature of Indian democracy, a lot of us were
expecting post-election drama, but only a few, if any,
fingers were found pointing.
Things didn't fare so well in the United States.

--
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))


On the Voting Machine Makers' Tab

2004-09-13 Thread R. A. Hettinga
<http://www.nytimes.com/2004/09/12/opinion/12sun2.html?th=&pagewanted=print&position=>

The New York Times
September 12, 2004

On the Voting Machine Makers' Tab

As doubts have grown about the reliability of electronic voting, some of
its loudest defenders have been state and local election officials. Many of
those same officials have financial ties to voting machine companies. While
they may sincerely think that electronic voting machines are so trustworthy
that there is no need for a paper record of votes, their views have to be
regarded with suspicion until their conflicts are addressed.

Computer scientists, who understand the technology better than anyone else,
have been outspoken about the perils of electronic voting. Good government
groups, like Common Cause, are increasingly mobilizing grass-roots
opposition. And state governments in a growing number of states, including
California and Ohio, have pushed through much-needed laws that require
electronic voting machines to produce paper records.

 But these groups have faced intense opposition from election officials. At
a hearing this spring, officials from Georgia, California and Texas
dismissed concerns about electronic voting, and argued that
voter-verifiable paper trails, which voters can check to ensure their vote
was correctly recorded, are impractical. The Election Center, which does
election training and policy work, and whose board is dominated by state
and local election officials, says the real problem is people who "scare
voters and public officials with claims that the voting equipment and/or
its software can be manipulated to change the outcome of elections."

What election officials do not mention, however, are the close ties they
have to the voting machine industry. A disturbing number end up working for
voting machine companies. When Bill Jones left office as California's
secretary of state in 2003, he quickly became a consultant to Sequoia
Voting Systems. His assistant secretary of state took a full-time job
there. Former secretaries of state from Florida and Georgia have signed on
as lobbyists for Election Systems and Software and Diebold Election
Systems. The list goes on.

Even while in office, many election officials are happy to accept voting
machine companies' largess. The Election Center takes money from Diebold
and other machine companies, though it will not say how much. At the
center's national conference last month, the companies underwrote meals and
a dinner cruise.

 Forty-three percent of the budget of the National Association of
Secretaries of State comes from voting machine companies and other vendors,
and at its conference this summer in New Orleans, Accenture, which compiles
voter registration databases for states, sponsored a dinner at the Old
State Capitol in Baton Rouge.

 There are also reports of election officials being directly offered gifts.
Last year, the Columbus Dispatch reported that a voting machine company was
offering concert tickets and limousine rides while competing for a contract
worth as much as $100 million, if not more.

When electronic voting was first rolled out, election officials and voting
machine companies generally acted with little or no public participation.
But now the public is quite rightly insisting on greater transparency and
more say in the decisions. If election officials want credibility in this
national discussion, they must do more to demonstrate that their only
loyalty is to the voter.

Making Votes Count: Editorials in this series remain online at
nytimes.com/makingvotescount.


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



States Continue to Debate Merits of Paper Trail For E-Voting Machines

2004-09-06 Thread R. A. Hettinga
<http://online.wsj.com/article_print/0,,SB109407788036007336,00.html>

The Wall Street Journal


 September 2, 2004

 DIGITS



States Continue to Debate
 Merits of Paper Trail
 For E-Voting Machines
September 2, 2004; Page B4

Paper or Plastic?

In the race to use electronic-voting machines that produce a paper copy of
the ballots cast, Nevada has become the front-runner in this presidential
election year. For the past two weeks, new touch-screen machines with
printers attached have been used by more than 50,000 Nevadans in early
voting for the state's Sept. 7 primary for in-state offices. Come November,
the state will be the first to roll out such a system for a presidential
election. "A lot of people didn't think we could pull it off in time," says
Steve George, spokesman for Secretary of State Dean Heller, who in December
mandated the new systems from Sequoia Voting Systems, a unit of De La Rue
PLC. "It certainly seems like a very wise choice when you look at some of
the problems the electronic systems have had."

Those problems -- faulty software, security glitches and human errors --
are certain to get even more scrutiny as the latest presidential contest
goes down to the wire. Several swing states, including Pennsylvania,
Florida, New Mexico and Tennessee, will use electronic systems with no
paper trail. But Ohio's secretary of state has barred the purchase of new
electronic-voting machines beyond the five counties where they are already
installed. New regulations in California mandate that every voter have an
option to use a paper ballot, providing the so-called paper-or-plastic
choice.

Such moves have hampered the adoption of touch-screen voting machines.
After the 2000 presidential election imbroglio, experts predicted 50% of
voters would use them this year. Now it appears less than 30% will do so. "We've
slowed the train down," says Kim Alexander, president of the California
Voter Foundation, an election watchdog.

The existence of a paper trail raises as many questions as it answers. In
Nevada, many voters in Clark County, which includes Las Vegas, will cast
ballots on older electronic machines without printers, meaning there won't
be a complete paper record of the state's votes. And the paper read-outs
don't yet conform to the state's legal format, meaning they can't be used
in an official recount without court approval. Mr. George says that won't
be a problem if a dispute arises over Nevada's five electoral votes.

"If it's a choice between hitting the button again for the electronic total
and the paper record, it stands to reason the court would choose to go with
the paper record," he says.

Vintage 6.0

No wine is fine before its time. And the same could be true for Wine.com,
an online wine site that certainly has had a long shelf life.

Since its launch in the late 1990s, the online retailer has morphed from an
earlier version of the Wine.com site, as well as from start-up enterprises
called WineShopper and eVineyard. Together the start-ups have raised about
$150 million in venture capital, according to President and Chief Executive
George Garrick. This week the company is announcing it has raised more: Its
sixth, "Series F" financing to the tune of $20 million. The money comes
from a syndicate led by Baker Capital in New York. The company said it will
use it to retire debt, to upgrade the Web site and for marketing.

So what's new this time? The latest vintage basically is the eVineyard
enterprise that was restarted in 2002, after the company bought the
Wine.com name and customer list. But, says Mr. Garrick, "We've taken a very
by-the-numbers, conservative approach" -- much more sensible and lean. He
adds that the company goes to great effort to comply with the complex,
interstate laws that regulate the shipping of alcohol. The San
Francisco-based retailer can legally ship to 26 states. Those states
"account for 75% of wine consumption," Mr. Garrick says.

Tech Tracker?

If the Webby Awards are a barometer for the tech industry, the bust may
officially be over.

The Webbys, which honor outstanding Web sites run by reviewers, cultural
institutions and schools, among others, is more than doubling the number of
its prize categories, to 65 from 30. The reason: to include categories for
new online phenomena such as blogs and social networking. Other new prize
categories include sites devoted to getting a job or finding real estate
and those run by nonprofits.

The expansion of the award categories parallels the growth of the Internet,
says Tiffany Shlain, founder of the online awards. "The Web has changed
dramatically since we started it," she says.

The Webbys, usually held in San Francisco, were dubbed the Oscars of the
Internet industry when they started in 1996. But during the past two years,
organizers opted against holding a live awards s

He Pushed the Hot Button of Touch-Screen Voting

2004-06-15 Thread R. A. Hettinga
<http://www.nytimes.com/2004/06/15/politics/15vote.html?pagewanted=print&position=>

The New York Times

June 15, 2004

He Pushed the Hot Button of Touch-Screen Voting
By KATHARINE Q. SEELYE

Kevin Shelley is a big and voluble Irish politician, the son of a former
San Francisco mayor, and not the sort you would figure for the heretofore
semi-obscure job of California secretary of state. But Mr. Shelley, who was
elected to the post in November 2002 after a career as a state legislator,
has adapted the job to suit his style, taking the arcane matter of voting
machines and turning it into a hobbyhorse that some predict he could ride
to the governor's office.

Mr. Shelley, a Democrat, has gained national notice for his skepticism
toward touch-screen voting and his insistence that voters be able to look
at a paper record inside the voting booth to verify their ballots. He says
such paper trails are crucial if government wants voters to have confidence
that their ballots are being counted correctly.

As a result, he has ordered that after July 1, 2005, no county in
California can buy a touch-screen system without a paper record that is
verifiable by the voter, and as of July 2006, all touch-screen systems here
must be equipped with paper trails, regardless of when they were bought.
Until the machines have that capability, he wants people who do not trust
them to have the option of voting by a traditional paper ballot.

Then, on April 30, he banned the use of certain touch screens in 4 counties
and decertified them in 10 other counties until additional security
measures could be put in place.

 "Someone said to me, 'The problem with Kevin Shelley is, he's an
activist,' " Mr. Shelley recalled in an interview earlier this month in his
office here overlooking the black-and-gold dome of City Hall in San
Francisco. "I plead guilty. But, oh my God, never has it been more
important to be an activist."

His directive has national implications because 40 percent of all
touch-screen voting machines in use are in California. If vendors start
making equipment to the specifications of the huge California market, that
market is likely to dictate what is available to the rest of the country.

But Mr. Shelley's advocacy of paper trails has set off a fierce and
emotional reaction among local election officials in California and
elsewhere and has brought the purchase of such systems to a near
standstill. Nearly one third of voters nationwide this November will vote
on touch screens.

 Local officials say that despite demonstrations from computer experts that
hackers can break into the machines, there is no evidence that anyone has
done so. Moreover, voters may expect an actual, individual receipt after
they vote; what happens instead is that a paper record, visible to the
voter, is created in the machine. Officials have also expressed concern
about paper jams.

Mr. Shelley's insistence on paper trails has prompted officials in four
California counties to sue him. The clash is being repeated in other states
and courtrooms and has even roiled the venerable League of Women Voters,
where advocates of paper trails tried to overthrow the league's
establishment, which has been against them. They settled yesterday on a
compromise resolution to support "secure, accurate, recountable and
accessible" systems, all code words for paper trails.

Conny B. McCormack, the respected registrar of Los Angeles County, the
biggest voting jurisdiction in the country, has emerged as one of Mr.
Shelley's chief critics. Ms. McCormack said that Mr. Shelley had confounded
local officials by handing down directives that require a technology that
does not yet exist. Rather than inspire voter confidence, she said, Mr.
Shelley has undermined it.

 (Manufacturers have said that if the technology were required, they could
supply it, but not in time for the November elections.)

"He put out a report on April 20 saying that touch screens were 100 percent
accurate," Ms. McCormack said. "And then two days later he decertified
them." She said such actions had "destabilized the entire election process
in California and potentially nationwide."

In random testing during the March 2 California primary, Mr. Shelley's
office found that the machines "recorded the votes as cast with 100 percent
accuracy."

In an effort to prod the industry, Mr. Shelley yesterday issued standards
for the manufacturers in developing paper trails, the first in the country.
They include requirements that voters who are disabled be able to vote and
verify their vote without assistance, that voters be able to verify their
votes before casting them and that the paper records be printed in both
English and the voter's preferred language.

 "I'm insisting, quite unapologetically, on the need to have these
appropriate security measures in place to protect the vot

Who Tests Voting Machines?

2004-05-30 Thread R. A. Hettinga
<http://www.nytimes.com/2004/05/30/opinion/30SUN1.html?th=&pagewanted=print&position=>

The New York Times

May 30, 2004
MAKING VOTES COUNT

Who Tests Voting Machines?
Whenever questions are raised about the reliability of electronic voting
machines, election officials have a ready response: independent testing.
There is nothing to worry about, they insist, because the software has been
painstakingly reviewed by independent testing authorities to make sure it
is accurate and honest, and then certified by state election officials. But
this process is riddled with problems, including conflicts of interest and
a disturbing lack of transparency. Voters should demand reform, and they
should also keep demanding, as a growing number of Americans are, a
voter-verified paper record of their vote.

Experts have been warning that electronic voting in its current form cannot
be trusted. There is a real danger that elections could be stolen by
nefarious computer code, or that accidental errors could change an
election's outcome. But state officials invariably say that the machines
are tested by federally selected laboratories. The League of Women Voters,
in a paper dismissing calls for voter-verified paper trails, puts its faith
in "the certification and standards process."

But there is, to begin with, a stunning lack of transparency surrounding
this process. Voters have a right to know how voting machine testing is
done. Testing companies disagree, routinely denying government officials
and the public basic information. Kevin Shelley, the California secretary
of state, could not get two companies testing his state's machines to
answer even basic questions. One of them, Wyle Laboratories, refused to
tell us anything about how it tests, or about its testers' credentials. "We
don't discuss our voting machine work," said Dan Reeder, a Wyle spokesman.

 Although they are called independent, these labs are selected and paid by
the voting machine companies, not by the government. They can come under
enormous pressure to do reviews quickly, and not to find problems, which
slow things down and create additional costs. Brian Phillips, president of
SysTest Labs, one of three companies that review voting machines, conceded,
"There's going to be the risk of a conflict of interest when you are being
paid by the vendor that you are qualifying product for."

It is difficult to determine what, precisely, the labs do. To ensure there
are no flaws in the software, every line should be scrutinized, but it is
hard to believe this is being done for voting software, which can contain
more than a million lines. Dr. David Dill, a professor of computer science
at Stanford University, calls it "basically an impossible task," and doubts
it is occurring. In any case, he says, "there is no technology that can
find all of the bugs and malicious things in software."

 The testing authorities are currently working off 2002 standards that
computer experts say are inadequate. One glaring flaw, notes Rebecca
Mercuri, a Harvard-affiliated computer scientist, is that the standards do
not require examination of any commercial, off-the-shelf software used in
voting machines, even though it can contain flaws that put the integrity of
the whole system in doubt. A study of Maryland's voting machines earlier
this year found that they used Microsoft software that lacked critical
security updates, including one to stop remote attackers from taking over
the machine.

If so-called independent testing were as effective as its supporters claim,
the certified software should work flawlessly. But there have been
disturbing malfunctions. Software that will be used in Miami-Dade County,
Fla., this year was found to have a troubling error: when it performed an
audit of all of the votes cast, it failed to correctly match voting
machines to their corresponding vote totals.

If independent testing were taken seriously, there would be an absolute bar
on using untested and uncertified software. But when it is expedient,
manufacturers and election officials toss aside the rules without telling
the voters. In California, a state audit found that voters in 17 counties
cast votes last fall on machines with uncertified software. When Georgia's
new voting machines were not working weeks before the 2002 election,
uncertified software that was not approved by any laboratory was added to
every machine in the state.

The system requires a complete overhaul. The Election Assistance
Commission, a newly created federal body, has begun a review, but it has
been slow to start, and it is hamstrung by inadequate finances. The
commission should move rapidly to require a system that includes:

Truly independent laboratories. Government, not the voting machine
companies, must pay for the testing and oversee it.

Transparency. Voters should be told how testing is being done, and the
testers' q

[Publicity-list] DIMACS Workshop on Electronic Voting -- Theory and Practice

2004-05-25 Thread Linda Casals


 
DIMACS Workshop on Electronic Voting -- Theory and Practice
  
   May 26 - 27, 2004 
   DIMACS Center, Rutgers University, Piscataway, NJ

Organizers: 
   
   Markus Jakobsson, RSA Laboratories, [EMAIL PROTECTED]  
   Ari Juels, RSA Laboratories, [EMAIL PROTECTED] 
   
Presented under the auspices of the Special Focus on Communication
Security and Information Privacy and the Special Focus on Computation 
and the Socio-Economic Sciences.



To many technologists, electronic voting represents a seemingly simple
exercise in system design. In reality, the many requirements it
imposes with regard to correctness, anonymity, and availability pose
an unusually thorny collection of problems, and the security risks
associated with electronic voting, especially remotely over the
Internet, are numerous and complex, posing major technological
challenges for computer scientists. (For a few examples, see
references below.) The problems range from the threat of
denial-of-service-attacks to the need for careful selection of
techniques to enforce private and correct tallying of ballots. Other
possible requirements for electronic voting schemes are resistance to
vote buying, defenses against malfunctioning software, viruses, and
related problems, auditability, and the development of user-friendly
and universally accessible interfaces.

The goal of the workshop is to bring together and foster an interplay
of ideas among researchers and practitioners in different areas of
relevance to voting. For example, the workshop will investigate
prevention of penetration attacks that involve the use of a delivery
mechanism to transport a malicious payload to the target host. This
could be in the form of a ``Trojan horse'' or remote control
program. It will also investigate vulnerabilities of the communication
path between the voting client (the devices where a voter votes) and
the server (where votes are tallied). Especially in the case of remote
voting, the path must be ``trusted'' and a challenge is to maintain an
authenticated communications linkage. Although not specifically a
security issue, reliability issues are closely related and will also
be considered. The workshop will consider issues dealing with random
hardware and software failures (as opposed to deliberate, intelligent
attack). A key difference between voting and electronic commerce is
that in the former, one wants to irreversibly sever the link between
the ballot and the voter. The workshop will discuss audit trails as a
way of ensuring this. The workshop will also investigate methods for
minimizing coercion and fraud, e.g., schemes to allow a voter to vote
more than once and only having the last vote count.

This workshop is part of the Special Focus on Communication Security
and Information Privacy and will be coordinated with the Special Focus
on Computation and the Socio-Economic Sciences.

This workshop follows a successful first WOTE event, organized by
David Chaum and Ron Rivest in 2001 at Marconi Conference Center in
Tomales Bay, California (http://www.vote.caltech.edu/wote01/). Since
that time, a flurry of voting bills has been enacted at the federal
and state levels, including most notably the Help America Vote Act
(HAVA). Standards development has represented another avenue of reform
(e.g., the IEEE Voting Equipment Standards Project 1583), while a
grassroots movement (http://www.verifiedvoting.org) has arisen to
promote the importance of audit trails as enhancements to
trustworthiness.

**
Program:

This is a preliminary program.

Wednesday, May 26, 2004

 7:45 -  8:20  Breakfast and Registration

 8:20 -  8:30  Welcome and Opening Remarks
   Fred Roberts, DIMACS Director

 8:30 -  9:15  Ron Rivest, MIT (tentative) 

 9:15 - 10:15  Rebecca Mercuri

10:15 - 10:45  Break

10:45 - 11:30  David Chaum  

11:30 - 12:15  Michael Shamos, Carnegie Mellon University   

12:15 -  1:30  Lunch

 1:30 -  1:50  European online voting experiences
   Andreu Riera i Jorba, Universitat Autònoma de Barcelona, Spain

 1:50 -  2:10  Providing Trusted Paths Using Untrusted Components
   Andre Dos Santos, Georgia Institute of Technology

 2:10 -  2:30  Internet voting based on PKI: the TruE-vote system
   Emilia Rosti, Università degli Studi di Milano, Italy

 2:30 -  2:50  Andy Neff, VoteHere, Inc. 

 2:50 -  3:10  E-voting with Vector Ballots: Homomorphic
   Encryption with Writeins and Shrink-and-Mix networks
   Aggelos Kiayias, University of Connecticut

 3:10 -  3:30  How hard is it to manipulate voting?
   Edith Elkind, Princeton University and
   Helger Lipmaa, Helsinki University of Technology

 3:30 -  3:50  Towards a dependability case for the Chaum e-voting scheme
 

E-Voting Commission Gets Earful

2004-05-08 Thread R. A. Hettinga
<http://www.wired.com/news/print/0,1294,63349,00.html>

Wired News

E-Voting Commission Gets Earful 
By Michael Grebb

Story location: http://www.wired.com/news/evote/0,2645,63349,00.html

02:00 AM May. 06, 2004 PT

WASHINGTON -- Passions ran high Wednesday at the first public hearing of
the Election Assistance Commission, where activists and manufacturers of
electronic voting machines clashed over whether new e-voting systems should
include a voter-verifiable paper trail that auditors could use to recount
votes if necessary.

 The newly formed commission, which is just beginning to oversee the
certification of voting systems and the standardization of elections across
the country, held its first meeting to examine the state of elections and
voting systems. The commissioners were collecting testimony from
special-interest groups, election officials, computer scientists and
voting-machine makers.


 But the commission's chairman said he didn't expect the bipartisan panel
would issue national standards requiring paper receipts when it makes
preliminary recommendations next week, followed by more detailed guidelines
next month.

 "We will not decide on what machines people will buy," said the chairman,
Republican DeForest B. Soaries Jr., saying it wasn't the panel's role to
tell states what to do. "We will say, if California wants to have a backup
paper system, what national standards it should follow."

 At least 20 states are considering legislation to require a paper record
of every vote cast after rushing to get ATM-like voting machines to replace
paper ballots in the wake of Florida's fiasco with hanging chads in the
2000 presidential election. About 50 million people, or 29 percent of
voters, are expected to vote electronically in November's election.

 Representatives from the machine makers tried to convince commissioners
that paperless e-voting systems are not only safe and accurate, but more so
than paper-based systems.

 Mark Radke, director of marketing at Diebold Election Systems, said
Diebold's touch-screen voting systems experienced "zero security problems"
during the November 2002 elections, pointing out that its "voice guidance"
audio feature allowed blind voters "to vote in private for the very first
time." (With paper-only systems, blind voters historically have needed to
recite their ballot choices to a poll worker or friend, who would then mark
the ballot for them.)

 Radke also said Diebold's machines outperformed other systems during the
California recall elections in October. He claimed that under-counted votes
were the lowest on Diebold touch screens, at 0.73 percent, compared with
2.86 percent for optical-scan systems, 4.6 percent for other electronic
systems and 6.32 percent for paper-only systems.

 Alfie Charles, spokesman for Sequoia Voting Systems, said the
"sensationalized concerns" of paper-trail advocates aren't grounded in
reality.

 "The evidence is pretty clear," he said. "Electronic systems help prevent
disenfranchisement."

 Several panelists also pointed out that the pool of people able to hack
into an e-voting system is far smaller than those able to steal ballots,
stuff the ballot box or punch holes in voting cards to change or nullify
votes. Under that theory, electronic systems would increase security.

 "We would reduce the number of people capable of committing fraud,"
Charles said.

 But Avi Rubin, a Johns Hopkins University computer scientist who helped
author a report last July about security vulnerabilities in Diebold's
touch-screen voting system, warned that paperless systems could allow savvy
intruders to rig an election. He said corporations supporting a particular
presidential candidate who is friendly to their needs would have billions
at stake to make sure their candidate won.

 "We've got very well-funded and bad-intentioned adversaries to worry
about," he said.

 Rubin said while paper trails are needed for the November election, "in
the long, long term we should explore other cryptographic options and other
electronic techniques" to someday run secure, paperless elections.

 At a press conference and rally outside the hearing, a crowd of supporters
cheered when California Secretary of State Kevin Shelley took the podium.

 On Friday, Shelley banned the use of one model of Diebold's voting
machines in four California counties, and decertified all touch-screen
systems unless counties that own them implement 23 security requirements.
At least one county is filing suit against Shelley for his actions, and
others may follow.

 Supervisors in Riverside County voted unanimously Tuesday to sue Shelley,
California's top election official, to remove the ban on their machines,
saying his ruling would harm disabled and visually impaired voters who have
been able to vote unassisted f

Tiny new agency ill-equipped for e-voting oversight

2004-05-08 Thread R. A. Hettinga
<http://www.siliconvalley.com/mld/siliconvalley/8580743.htm?template=contentModules/printstory.jsp>

The San Jose Mercury News

Posted on Mon, May. 03, 2004

Tiny new agency ill-equipped for e-voting oversight




SAN JOSE, Calif. (AP) - As alarm mounts over the integrity of the ATM-like
voting machines 50 million Americans will use in the November election, a
new federal agency has begun scrutinizing how to safeguard electronic
polling from fraud, hackers and faulty software.

But the tiny U.S. Election Assistance Commission says it is so woefully
underfunded that it can't be expected to forestall widespread voting
machine problems, which would cast doubt on the election's integrity.

The commission -- which on Wednesday conducts the first federal hearing on
the security and reliability of electronic voting -- laments its
predicament in a new report.

``We've found some deeply troubling concerns, and the country wants to know
the solution,'' said DeForest B. Soaries, Jr., a Republican and former New
Jersey secretary of state named by President Bush in December to lead the
agency.

The Washington, D.C. hearing will focus on the security risks of
touchscreen machines, which computer scientists say cannot be trusted
because they do not produce paper records, making proper recounts
impossible. Despite reassurances from the machines' makers, at least 20
states are considering legislation to require a paper trail.

After hearing from academics, elections officials and voting equipment
company executives, the Soaries commission will issue recommendations --
for example, that poll workers should keep a stack of paper ballots handy
in case machines fail to start. Machines in more than half the precincts in
California's San Diego County malfunctioned during the March 2 presidential
primary, and a lack of paper ballots may have disenfranchised hundreds of
voters.

Created nearly a year after a congressional deadline, the Soaries-led
agency took over the Federal Elections Commission's job of setting
standards for ensuring the voting process is sound.

But the EAC lacks the authority to enforce any such standards and the
agency's first annual report, released Friday, is apt to disappoint anyone
who had high expectations.

Created under the 2002 Help America Vote Act that began funneling $3.9
billion to states to upgrade voting systems after Florida's hanging chad
debacle, the agency's two Republican and two Democratic commissioners
weren't appointed until December. Their first public meeting was in March.
A bare-bones Web site only went live on Friday.

With only $1.2 million of its $10 million budget appropriated, the
commission has so far been able to hire seven full-time staffers, borrowing
some part-timers from other federal agencies.

The lack of funding has forced the EAC to abandon or delay much of its
intended mission. For example, it won't be able to develop a national
system for testing voting machines, according to the report.

Soaries intends to use his bully pulpit as chairman to highlight problems
to state and local elections officials. But he said in a telephone
interview that the EAC will need $2 million more this year and its full $10
million in 2005 to tackle its mission of restoring public faith in
electronic voting.

``If you look at the evolution of voting in America, only in last four
months has there been a federal agency whose exclusive focus is to deal
with voting. It's the foundation of our democratic structure on one hand,
but on the other we've really left it to the states to manage completely,''
Soaries said.

Most states have relied on guidance from the National Association of State
Election Directors, a volunteer organization of retired and active election
officials around the country. NASED, in turn, has certified three
little-known testing companies to verify the integrity of every machine and
every line of code in e-voting equipment nationwide, and it's up to
elections officials in each state to get the equipment tested.

NASED plans to transfer its certification authority to the National
Institute of Standards and Technology, which is supposed to update the
decade-old standards the labs use to make sure voting equipment is secure
and reliable.

But that also is on hold because NIST ``did not receive funding to support
the work,'' the commission report says.

``I wish the EAC luck, but oversight of these systems is illusory,'' said
Kim Alexander, president of the California Voter Foundation. ``As long as
federal voting system standards are voluntary, voters across the country
will not have the peace of mind they need to feel confident in their voting
systems.''

Currently certified by NASED to test all voting hardware for U.S. elections
is a Huntsville, Ala.-based division of Wyle Laboratories Inc. All software
is tested by two other entities -- a Huntsville,

Calif. Official Bans Some Voting Machines

2004-05-08 Thread R. A. Hettinga
<http://news.yahoo.com/news?tmpl=story&cid=519&u=/ap/20040501/ap_on_re_us/electronic_voting&printer=1>

Yahoo!

Yahoo! News   Sat, May 01, 2004


Calif. Official Bans Some Voting Machines

 Fri Apr 30, 8:56 PM ET

By JIM WASSERMAN, Associated Press Writer

SACRAMENTO, Calif. -  The state's top elections official called for a
criminal investigation of Diebold Election Systems Inc. as he banned use of
the company's newest model touchscreen voting machine, citing concerns
about its security and reliability.




 Friday's ban will force up to 2 million voters in four counties, including
San Diego, to use paper ballots in November, marking their choices in ovals
read by optical scanners.

 Secretary of State Kevin Shelley asked the attorney general's office to
investigate allegations of fraud, saying Diebold had lied to state
officials. A spokesman for Attorney General Bill Lockyer said prosecutors
would review Shelley's claims.

 Diebold issued a statement saying it was confident in its systems and
planned to work with election officials in California and throughout the
nation to run a smooth election this fall.

 The ban immediately affects more than 14,000 AccuVote-TSx machines made by
Diebold, the leading touchscreen provider. Many were used for the first
time in the March primaries and suffered failures.

 In 10 other counties, Shelley decertified touchscreen machines but set 23
conditions under which they still could be used. That order involved 4,000
older machines from Diebold and 24,000 from its three rivals.

 The decision follows the recommendations of a state advisory panel, which
conducted hearings earlier this month.

 Made just six months before a presidential election, the decision reflects
growing concern about paperless electronic voting.

 A number of failures involving touchscreen machines in Georgia, Maryland
and California have spurred serious questioning of the technology. As
currently configured, the machines lack paper records, making recounts
impossible.

 "I anticipate his decision will have an immediate and widespread impact,"
said Kim Alexander, president of the California Voter Foundation and a
frequent critic of the machines. "California is turning away from e-voting
equipment, and other states are sure to follow."

 Activists have been demanding paper printouts - required in California by
2006 - to guard against fraud, hacking and malfunction.

 Diebold has been a frequent target of such groups, though most California
county election officials say that problems have been overstated and that
voters like the touchscreen systems first installed four years ago.

 At least 50 million voters nationally were expected to use the ATM-like
machines from Diebold and other companies in November.

 California counties with 6.5 million registered voters have been at the
forefront of touchscreen voting, installing more than 40 percent of the
more than 100,000 machines believed to be in use nationally.

 A state investigation released this month said Diebold jeopardized the
outcome of the March election in California with computer glitches,
last-minute changes to its systems and installations of uncertified
software in its machines in 17 counties.

 It specifically cited San Diego County, where 573 of 1,611 polling places
failed to open on time because low battery power caused machines to
malfunction.

 Registrars in counties that made the switch to paperless voting said
Shelley's decision to return to paper ballots would result in chaos.

 "There just isn't time to bring this system up before November," Kern
County Registrar Ann Barnett said. "It's absurd."

 Diebold officials, in a 28-page report rebutting many of the accusations
about its performance, said the company had been singled out unfairly for
problems with electronic voting and maintained its machines are safe,
secure and demonstrated 100 percent accuracy in the March election.

 The company, a subsidiary of automatic teller machine maker Diebold, Inc.,
acknowledged it had "alienated" the secretary of state's office and
promised to redouble efforts to improve relations with counties and the
state.

 ___

 On the Net:

 California Secretary of State: http://www.ss.ca.gov

Diebold Election Systems: http://www.diebold.com/dieboldes/

-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: voting

2004-04-20 Thread Matt Crawford
On Apr 15, 2004, at 8:58 PM, Ed Gerck wrote:

> Currently, voter privacy is absolute in the US and does not depend
> even on the will of the courts. For example, there is no way for a
> judge to assure that a voter under oath is telling the truth about how
> they voted, or not.

For many years in the 90's there was (maybe still is) a resident of 
Cook County, Illinois, who refused to vote because she was the only 
voter in her precinct, and the precinct totals would consist purely of 
her vote.  (She lived in a forest preserve.  There's probably some 
latter-day Brothers Grimm tale in this.)

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: voting

2004-04-19 Thread Ed Gerck


Yeoh Yiu wrote:
> 
> Ed Gerck <[EMAIL PROTECTED]> writes:
> 
> > The 'second law' also takes precedence: ballots are always secret, only
> > vote totals are known and are known only after the election ends.
> 
> You get totals per nation, per state, per county, per riding,
> per precinct, per polling station and maybe per ballot box.

The lowest possible totals are per race, per ballot box. The 
'second law' allows you to have such totals -- which are 
the election results for that race in that ballot box. For 
example, if there are two candidates (X and Y) in race A,
two candidates (Z and W) in race B, and only one vote per 
candidate is allowed in each race, the election results for 
ballot box K might be:

Vote totals for race A in ballot box K:
  Votes for candidate X:  5
  Votes for candidate Y: 60
  Blank votes:   50

Vote totals for race B in ballot box K:
  Votes for candidate Z: 45
  Votes for candidate W: 50
  Blank votes:   20

Total ballots in ballot box K:  115

Because only the vote totals are known for each race, a 
voter cannot be identified by recognizing a pre-defined, 
unlikely voting pattern in each race of a ballot. This 
exemplifies one reason why we need the 'second law' -- to 
preserve unlinkability between ballots and voters.

> So there's a need to design the system to have more voters
> than ballot boxes to conform to your second law.

No. All you need is that there should be more than one voter
per ballot box. This is a rather trivial requirement to meet.

Cheers,
Ed Gerck

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
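
The ballot box K example above, worked through as an added illustration (not code from the thread): two constructed sets of 115 ballots that differ in whether one agreed-upon pattern was cast, yet give identical per-race totals. The pairing of choices across races and all function names are assumptions; the totals are the ones given in the message.

```python
from collections import Counter

RACES = ("A", "B")   # a blank vote is recorded as None


def make_box(pattern_counts):
    """Expand {(choice_in_A, choice_in_B): how_many} into a list of ballots."""
    return [dict(zip(RACES, pattern))
            for pattern, n in pattern_counts.items() for _ in range(n)]


# Two constructed boxes. Both reproduce the totals given for ballot box K;
# only the first contains a ballot marked "X in race A, blank in race B".
BOX_K = make_box({("X", "Z"): 4, ("X", None): 1, ("Y", "Z"): 31,
                  ("Y", "W"): 20, ("Y", None): 9, (None, "Z"): 10,
                  (None, "W"): 30, (None, None): 10})
BOX_K_ALT = make_box({("X", "Z"): 5, ("Y", "Z"): 30, ("Y", "W"): 20,
                      ("Y", None): 10, (None, "Z"): 10, (None, "W"): 30,
                      (None, None): 10})


def race_totals(ballots):
    """What the 'second law' allows to be published: one tally per race."""
    return {race: Counter(b[race] for b in ballots) for race in RACES}


def full_patterns(ballots):
    """What is kept secret: each ballot's choices held together."""
    return Counter(tuple(b[race] for race in RACES) for b in ballots)


def smallest_crowd(ballots):
    """Size of the smallest group of ballots sharing one complete pattern."""
    return min(full_patterns(ballots).values())


def pattern_was_cast(ballots, pattern):
    """Answerable from whole ballots, but not from race_totals()."""
    return full_patterns(ballots)[tuple(pattern)] > 0


def totals_expose_a_ballot(ballots):
    """The condition from the reply: a box needs more than one voter."""
    return len(ballots) <= 1


if __name__ == "__main__":
    for name, box in (("K", BOX_K), ("K (alternative)", BOX_K_ALT)):
        print(name, race_totals(box), "smallest crowd:", smallest_crowd(box))
```

Anyone holding only `race_totals()` sees the same numbers for both boxes, so the totals cannot confirm or refute that the marked pattern was cast.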


Re: voting

2004-04-19 Thread Yeoh Yiu
Ed Gerck <[EMAIL PROTECTED]> writes:

> David Jablon wrote:
> > 

> The 'second law' also takes precedence: ballots are always secret, only
> vote totals are known and are known only after the election ends.
> 
> > What I see in serious
> > voting system research efforts are attempts to build systems that
> > provide both accountability and privacy, with minimal tradeoffs.
> 
> There is no tradeoff possible for voter privacy and ballot secrecy.
> Take away one of them and the voting process is no longer a valid
> measure. Serious voting system research efforts do not begin by
> denying the requirements.

You get totals per nation, per state, per county, per riding,
per precinct, per polling station and maybe per ballot box.
So there's a need to design the system to have more voters
than ballot boxes to conform to your second law.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: voting

2004-04-19 Thread Ed Gerck


David Jablon wrote:
> 
> I think Ed's criticism is off-target.  Where is the "privacy problem" with
> Chaum receipts when Ed and others still have the freedom to refuse
> theirs or throw them away?

The privacy, coercion, intimidation, vote selling and election integrity
problems begin with giving away a receipt that is linkable to a ballot. 

It is not relevant to the security problem whether a voter may destroy 
his receipt, so that some receipts may disappear. What is relevant is 
that voters may HAVE to keep their receipt or... suffer retaliation...
not get paid... lose their jobs... not get a promotion... etc. Also
relevant is that voters may WANT to keep their receipts, for the same
reasons.

> It seems a legitimate priority for a voting system to be designed to
> assure voters that the system is working. 

As long as this does not go against the 'first law' for public voting 
systems: voters must not be linkable to ballots.

The 'second law' also takes precedence: ballots are always secret, only
vote totals are known and are known only after the election ends.

> What I see in serious
> voting system research efforts are attempts to build systems that
> provide both accountability and privacy, with minimal tradeoffs.

There is no tradeoff possible for voter privacy and ballot secrecy.
Take away one of them and the voting process is no longer a valid
measure. Serious voting system research efforts do not begin by
denying the requirements.

> If some kind of tradeoff between accountability and privacy is inevitable,

There is no such principle.

> in an extreme scenario, I'd still prefer the option to make the tradeoff for
> myself, rather than have the system automatically choose for me.

You don't have this option when the public at large is considered, for
a public election. You can do it in a private election for a club,
for example, but even then only if the bylaws allow it.

Cheers,
Ed Gerck

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: voting

2004-04-19 Thread David Jablon
I think Ed's criticism is off-target.  Where is the "privacy problem" with
Chaum receipts when Ed and others still have the freedom to refuse
theirs or throw them away?

It seems a legitimate priority for a voting system to be designed to
assure voters that the system is working.  What I see in serious
voting system research efforts are attempts to build systems that
provide both accountability and privacy, with minimal tradeoffs.

If some kind of tradeoff between accountability and privacy is inevitable,
in an extreme scenario, I'd still prefer the option to make the tradeoff for
myself, rather than have the system automatically choose for me.

-- David


>> At 11:05 AM 4/9/04 -0400, Trei, Peter wrote:
>> 
>> >1. The use of receipts which a voter takes from the voting place to 'verify'
>> >that their vote was correctly included in the total opens the way for voter
>> >coercion.

>John Kelsey wrote:
>> I think the VoteHere scheme and David Chaum's scheme both claim to solve
>> this problem.  The voting machine gives you a receipt that convinces you
>> (based on other information you get) that your vote was counted as cast,
>> but which doesn't leak any information at all about who you voted for to
>> anyone else.  Anyone can take that receipt, and prove to themselves that
>> your vote was counted (if it was) or was not counted (if it wasn't). 

At 06:58 PM 4/15/04 -0700, Ed Gerck wrote:
>The flaw in *both* cases is that it reduces the level of privacy protection
>currently provided by paper ballots.
>
>Currently, voter privacy is absolute in the US and does not depend
>even on the will of the courts. For example,  there is no way for a
>judge to assure that a voter under oath is telling the truth about how
>they voted, or not. This effectively protects the secrecy of the ballot
>and prevents coercion and intimidation in all cases.



-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


RE: voting

2004-04-16 Thread Trei, Peter
> Ed Gerck[SMTP:[EMAIL PROTECTED]
> 
> John Kelsey wrote:
> > 
> > At 11:05 AM 4/9/04 -0400, Trei, Peter wrote:
> > 
> > >1. The use of receipts which a voter takes from the voting place to 'verify'
> > >that their vote was correctly included in the total opens the way for voter
> > >coercion.
> > 
> > I think the VoteHere scheme and David Chaum's scheme both claim to solve
> > this problem.  The voting machine gives you a receipt that convinces you
> > (based on other information you get) that your vote was counted as cast,
> > but which doesn't leak any information at all about who you voted for to
> > anyone else.  Anyone can take that receipt, and prove to themselves that
> > your vote was counted (if it was) or was not counted (if it wasn't). 
> 
> The flaw in *both* cases is that it reduces the level of privacy protection
> currently provided by paper ballots.
> 
> Currently, voter privacy is absolute in the US and does not depend
> even on the will of the courts. For example,  there is no way for a
> judge to assure that a voter under oath is telling the truth about how
> they voted, or not. This effectively protects the secrecy of the ballot
> and prevents coercion and intimidation in all cases.
> 
> 
I'd pretty much dropped this topic after it became clear that Mr. Leichter's
only response to the problems that people pointed out in VoteHere's
scheme (in particular, its vulnerability to vote coercion, and lack of
recountability) was to attempt to redefine them as non-problems. 
However, since the topic has arisen again.

Ed's got a very good point. I always prefer security which relies for
its integrity on the laws of nature, rather than on people behaving
with integrity.

Peter Trei






-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


Re: voting

2004-04-16 Thread Ed Gerck


John Kelsey wrote:
> 
> At 11:05 AM 4/9/04 -0400, Trei, Peter wrote:
> 
> >1. The use of receipts which a voter takes from the voting place to 'verify'
> >that their vote was correctly included in the total opens the way for voter
> >coercion.
> 
> I think the VoteHere scheme and David Chaum's scheme both claim to solve
> this problem.  The voting machine gives you a receipt that convinces you
> (based on other information you get) that your vote was counted as cast,
> but which doesn't leak any information at all about who you voted for to
> anyone else.  Anyone can take that receipt, and prove to themselves that
> your vote was counted (if it was) or was not counted (if it wasn't). 

The flaw in *both* cases is that it reduces the level of privacy protection
currently provided by paper ballots.

Currently, voter privacy is absolute in the US and does not depend
even on the will of the courts. For example,  there is no way for a
judge to assure that a voter under oath is telling the truth about how
they voted, or not. This effectively protects the secrecy of the ballot
and prevents coercion and intimidation in all cases.

Thus, while the assertion that "Only if all the trustees collude can
the election be defrauded" may seem to be reasonable at first glance, it
fails to protect the system in the case of a court order -- when all the
trustees are ordered to disclose whatever they know and control.

Also, the assertion that "All of this is possible while still
maintaining voter secrecy and privacy essential to all public elections"
is incorrect, for the same reason.

Moreover, the assertion that "Vote receipts cannot be used for vote 
selling or to coerce your vote" is also incorrect, for the same reason.

These shortcomings do not depend on any specific flaw of a shuffling
process, a TTP, or any other component of either system. Rather, it is 
a design flaw. A new election system should do "no harm" -- reducing the 
level of voter privacy and ballot secrecy should not be an acceptable 
trade-off for changing from paper to electronic records, or even
electronic verification.

Court challenges are a real scenario that election officials talk about 
and want to avoid. Without making voter privacy inherently safe from court
orders, voter privacy and ballot secrecy are at the mercy of casuistic, 
political and corruption influences -- either real or potential. When the 
stakes are high, we need fail-safe procedures.

Now, you may ask, is there any realistic possibility of a court order 
for all trustees to reveal their keys?

Yes, especially in a hot and contested election -- and not only Bush vs.
Gore. Many local elections are very close and last year an election
in California was decided by *one* vote. 

For example, the California Secretary of State asked this as an 
evaluation question, when they were testing voting systems for the 2000 
Shadow Election Project.

The question was whether and to what extent the voting system could be 
broken under court order  – for example, if some unqualified voters 
were wrongly allowed to vote in a tight election and there would be a 
court order to seek out and disqualify their votes under best efforts.

Perhaps a trustee could be chosen who would be immune even from a US
court order?

Well, not for a US election, which is 100% under state and/or federal 
jurisdiction.

But there are additional scenarios -- a bug, Trojan horse, worm and/or 
virus that infects the systems used by all trustees would also 
compromise voter secrecy and, thereby, election integrity.

Cheers,
Ed Gerck

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
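
The scenario raised above, in which every trustee discloses what it holds, can be made concrete on a toy ElGamal decryption mix. This is an added example, not code from the thread and not VoteHere's or Chaum's protocol; the group parameters, the three trustees, the sample votes and all function names are assumptions, and the shuffle proofs a real scheme publishes are left out.

```python
import hashlib
import random

# Toy group (assumed, far too small for real use): P = 2Q + 1, G of order Q.
P, Q, G = 2039, 1019, 4
CANDIDATES = ["X", "Y", "blank"]
ENCODE = {c: pow(G, i + 1, P) for i, c in enumerate(CANDIDATES)}
DECODE = {v: c for c, v in ENCODE.items()}
rng = random.Random(2004)  # fixed seed for a repeatable demo, not a CSPRNG


def product(values):
    out = 1
    for v in values:
        out = out * v % P
    return out


def keygen(n):
    """Trustee i holds secret x_i; the election key is the product of G^x_i."""
    keys = [rng.randrange(1, Q) for _ in range(n)]
    return keys, [pow(G, x, P) for x in keys]


def encrypt(choice, joint_key):
    r = rng.randrange(1, Q)
    return pow(G, r, P), ENCODE[choice] * pow(joint_key, r, P) % P


def receipt(ciphertext):
    """What the voter takes home: a digest of the posted ciphertext."""
    return hashlib.sha256(repr(ciphertext).encode()).hexdigest()[:16]


def mix_round(batch, key, rest_key):
    """One trustee: strip its layer, re-randomise under rest_key, shuffle."""
    processed = []
    for a, b in batch:
        b = b * pow(a, -key, P) % P            # remove this trustee's layer
        s = rng.randrange(1, Q)                # fresh randomness hides the link
        processed.append((a * pow(G, s, P) % P, b * pow(rest_key, s, P) % P))
    perm = list(range(len(batch)))
    rng.shuffle(perm)
    return [processed[i] for i in perm], perm  # perm is the trustee's secret


def run_mix(board, keys, publics):
    batch, perms = board, []
    for i, key in enumerate(keys):
        batch, perm = mix_round(batch, key, product(publics[i + 1:]))
        perms.append(perm)
    return [DECODE[b] for _, b in batch], perms


def open_with_all_keys(ciphertext, keys):
    """If every trustee hands over x_i, any posted ballot decrypts directly."""
    a, b = ciphertext
    return DECODE[b * pow(a, -sum(keys), P) % P]


def trace_output(j, perms):
    """If every trustee hands over its permutation, output j maps to a board row."""
    for perm in reversed(perms):
        j = perm[j]
    return j


def run_election(votes, n_trustees=3):
    keys, publics = keygen(n_trustees)
    board = [encrypt(v, product(publics)) for v in votes]
    receipts = [receipt(ct) for ct in board]
    outputs, perms = run_mix(board, keys, publics)
    return board, receipts, outputs, perms, keys


if __name__ == "__main__":
    votes = ["Y", "X", "blank", "Y", "Y", "X"]   # constructed sample, in voter order
    board, receipts, outputs, perms, keys = run_election(votes)
    print("published tally input:", sorted(outputs))
    for ct, rcpt in zip(board, receipts):
        print("receipt", rcpt, "opens to", open_with_all_keys(ct, keys))
```

The receipt alone carries no vote, and one withheld key or permutation breaks the chain. The secrecy therefore rests on at least one trustee not disclosing, which is the dependence the message objects to.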


RE: voting

2004-04-16 Thread Bill Frantz
One area we are not addressing in voting security is absentee ballots.  The
use of absentee ballots is rising in US elections, and is even being
advocated as a way for individuals to get a printed ballot in jurisdictions
which use electronic-only voting machines.  Political parties are
encouraging their supporters to vote absentee.  I believe that one election
in Oregon was recently held entirely with absentee ballots.

For classic polling place elections, one strength of an electronic system
which prints paper ballots is that there are two separate paths for the
counts.  The machine can keep its own totals and report them at the end of
the election.  These totals can then be compared with the totals generated
for that precinct by counting the paper ballots.  This redundancy seems to
me to provide higher security than either system alone.

Cheers - Bill


-
Bill Frantz| "There's nothing so clear as a | Periwinkle
(408)356-8506  | vague idea you haven't written | 16345 Englewood Ave
www.pwpconsult.com | down yet." -- Dean Tribble | Los Gatos, CA 95032


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]


RE: voting

2004-04-15 Thread John Kelsey
At 11:05 AM 4/9/04 -0400, Trei, Peter wrote:
...
> 1. The use of receipts which a voter takes from the voting place to 'verify'
> that their vote was correctly included in the total opens the way for voter
> coercion.

I think the VoteHere scheme and David Chaum's scheme both claim to solve 
this problem.  The voting machine gives you a receipt that convinces you 
(based on other information you get) that your vote was counted as cast, 
but which doesn't leak any information at all about who you voted for to 
anyone else.  Anyone can take that receipt, and prove to themselves that 
your vote was counted (if it was) or was not counted (if it wasn't).  (This 
is based on attending a presentation of David's scheme at George Washington 
a few months ago, a conversation I had with a VoteHere guy, and some 
conversations and documents given to me by each.  I haven't tried to verify 
the protocols or proofs, but I'm convinced that all this is possible, 
modulo various assumptions.  There may be a dozen other people doing 
similar things, that I've simply not heard of.)

...
> 1. How does this system prevent voter coercion, while still allowing receipt
> based recounts? Or do you have some mechanism by which I can
> personally verify every vote which went into the total, to make sure they
> are correct?

The way I understood these schemes, you can see the initial encrypted
ballots (they're published), and then there are several rounds of
publicly verifiable shuffling and decryption by different TTPs.  After
the last round of shuffling and decryption, you have raw votes.  So anyone 
can verify the count, assuming the set of initial encrypted ballots are 
legitimate.  And anyone can produce a receipt that can be shown to be one 
of those encrypted ballots, if it was counted.  That doesn't keep someone 
from stuffing the ballot box, but it does mean that anyone who throws away 
unfavorable votes is going to leave behind evidence, which can potentially 
call the whole vote into question.  The way I saw these schemes described, 
there was no recount capability, but the count was done in a completely 
public way.

It seems to me that this kind of scheme has a lot of potential for 
disruption attacks, since one compromised voting machine can be used to 
call any election into question.  But I could be missing something, as this 
is really not something I've spent a lot of time on.

> 2. On what basis do you think the average voter should trust this system,
> seeing as it's based on mechanisms he or she can't personally verify?

I see your point, but there's an awful lot of any voting system that isn't 
being closely observed by the voters, or that isn't really well-understood 
by most of them.  It's not so clear to me that the average voter is going 
to walk away convinced that a voter-verified paper ballot, or a mark-sense 
ballot, or whatever other thing isn't going to somehow be subject to 
attack.  Or that if they do walk away convinced, that this has much to do 
with whether they *should* walk away convinced.

> 3. What chain of events do I have to believe to trust that the code which
> is running in the machine is actually and correctly derived from the
> source code I've audited? I refer you to Ken Thompson's classic paper
> "Reflections on trusting trust", as well as the recent Diebold debacle
> with uncertified patches being loaded into the machine at the
> last moment.

Yep, this is a big issue.  Which is why I think everyone with any sense 
agrees that we need some kind of independent audit trail, regardless of 
whether we're doing voting with computers, or with pens for punching out 
holes.  There are a bunch of ways to do this, one obvious and pretty 
easy-to-field choice being voter-verified paper ballots.

> This last is an important point - there is no way you can eliminate the
> requirement of election officials to behave legitimately. Since that
> requirement can't be done away with by technology, adding technology
> only adds more places the system can be compromised.

Huh?  Do you think the same is true of payment systems?  Those also 
ultimately require some humans to play by the rules, but it sure seems like 
a well-designed payment system can remove a lot of the ambiguity about who 
has violated the rules, and can outright prevent other kinds of rule 
violations.  And it seems to me that this is very similar to the situation 
with voting.

Touch screen voting (with the audio extensions) has at least one huge 
advantage over pen-and-paper schemes, because blind people can vote with 
them.  The VoteHere and Chaum schemes provide other benefits (a lot of 
kinds of misbehavior by the authorities are prevented by the design, though 
of course, not *all* possible misbehavior), at various costs in system 
complexity, dependence on lots of interacting systems that might not be all 
that reliable, ability to recover from some 

DIMACS Workshop on Electronic Voting -- Theory and Practice

2004-04-15 Thread Linda Casals

DIMACS Workshop on Electronic Voting -- Theory and Practice
  
   May 26 - 27, 2004 
   DIMACS Center, Rutgers University, Piscataway, NJ

Organizers: 
   
   Markus Jakobsson, RSA Laboratories, [EMAIL PROTECTED]  
   Ari Juels, RSA Laboratories, [EMAIL PROTECTED] 
   
Presented under the auspices of the Special Focus on Communication
Security and Information Privacy and the Special Focus on Computation 
and the Socio-Economic Sciences.



To many technologists, electronic voting represents a seemingly simple
exercise in system design. In reality, the many requirements it
imposes with regard to correctness, anonymity, and availability pose
an unusually thorny collection of problems, and the security risks
associated with electronic voting, especially remotely over the
Internet, are numerous and complex, posing major technological
challenges for computer scientists. (For a few examples, see
references below.) The problems range from the threat of
denial-of-service-attacks to the need for careful selection of
techniques to enforce private and correct tallying of ballots. Other
possible requirements for electronic voting schemes are resistance to
vote buying, defenses against malfunctioning software, viruses, and
related problems, auditability, and the development of user-friendly
and universally accessible interfaces.

The goal of the workshop is to bring together and foster an interplay
of ideas among researchers and practitioners in different areas of
relevance to voting. For example, the workshop will investigate
prevention of penetration attacks that involve the use of a delivery
mechanism to transport a malicious payload to the target host. This
could be in the form of a ``Trojan horse'' or remote control
program. It will also investigate vulnerabilities of the communication
path between the voting client (the devices where a voter votes) and
the server (where votes are tallied). Especially in the case of remote
voting, the path must be ``trusted'' and a challenge is to maintain an
authenticated communications linkage. Although not specifically a
security issue, reliability issues are closely related and will also
be considered. The workshop will consider issues dealing with random
hardware and software failures (as opposed to deliberate, intelligent
attack). A key difference between voting and electronic commerce is
that in the former, one wants to irreversibly sever the link between
the ballot and the voter. The workshop will discuss audit trails as a
way of ensuring this. The workshop will also investigate methods for
minimizing coercion and fraud, e.g., schemes to allow a voter to vote
more than once and only having the last vote count.

This workshop is part of the Special Focus on Communication Security
and Information Privacy and will be coordinated with the Special Focus
on Computation and the Socio-Economic Sciences.

This workshop follows a successful first WOTE event, organized by
David Chaum and Ron Rivest in 2001 at Marconi Conference Center in
Tomales Bay, California (http://www.vote.caltech.edu/wote01/). Since
that time, a flurry of voting bills has been enacted at the federal
and state levels, including most notably the Help America Vote Act
(HAVA). Standards development has represented another avenue of reform
(e.g., the IEEE Voting Equipment Standards Project 1583), while a
grassroots movement (http://www.verifiedvoting.org) has arisen to
promote the importance of audit trails as enhancements to
trustworthiness.

Program:

This is a preliminary program.

Wednesday, May 26, 2004

 7:45 -  8:20  Breakfast and Registration

 8:20 -  8:30  Welcome and Opening Remarks
   Fred Roberts, DIMACS Director

 8:30 -  9:15  Ron Rivest (tentative) 

 9:15 - 10:15  Rebecca Mercuri

10:15 - 10:45  Break

10:45 - 11:30  David Chaum  

11:30 - 12:15  Michael Shamos   

12:15 -  1:30  Lunch

 1:30 -  1:50  European online voting experiences
   Andreu Riera i Jorba

 1:50 -  2:10  Providing Trusted Paths Using Untrusted Components
   Andre Dos Santos

 2:10 -  2:30  Internet voting based on PKI: the TruE-vote system
   Emilia Rosti

 2:30 -  2:50  Andy Neff 

 2:50 -  3:10  Aggelos Kiayas

 3:10 -  3:30  How hard is it to manipulate voting?
   Edith Elkind and Helger Lipmaa 

 3:30 -  3:50  Towards a dependability case for the Chaum e-voting scheme
   Peter Ryan 

 3:50 -  4:20  Break

 4:20 -  4:40  Secure practical voting systems: A Cautionary Note
   Quisquater

 4:40 -  5:25  Rob Ritchie

 5:25 -  6:10  Panel (moderator: David Chaum)
 
 6:10 -  7:30  Buffet Dinner - Reception - DIMACS Lounge

Thursday, May 27, 2004

 7:45 -  8:30  Breakfast and Registration

 8:30 -  9:15  Rice University "hack - a - vote&qu

Re: voting

2004-04-09 Thread Florian Weimer
Perry E. Metzger wrote:

> Complicated systems are the bane of security. Systems like this are
> simple to understand, simple to audit, simple to guard.

I fully agree, but there is a wide variety of voting schemes out there,
of varying complexity.  In a ballot with only very few options, your
proposal makes sense.  But in some cases, the complete description of a
vote doesn't necessarily fit onto an A4 paper sheet.  Our own municipal
elections are so complicated that you fill in your votes at home and
bring the paperwork to the election office.  In the U.S., some of the
simple votes are linked to dozens of plebiscites, and you'll have a hard
time to print that onto a small piece of paper, too.

But I can't see why computerized voting is so important.  Here in
Germany, the pencil-and-paper method is doing just fine.  Volunteers do
the counting, so there is no monetary incentive to automate this
process.  It means that we have to wait a few hours (or even days, in
case of the municipal elections) before preliminary official results are
available, but this doesn't seem to be a significant problem, IMHO.

However, I'm sure our own paper-based voting system would fall apart if
subjected to the same scrutiny as Diebold's voting machines.  It's just
a different kind of insecurity.

-- 
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: postino.it, tiscali.co.uk, tiscali.cz, tiscali.it,
voila.fr.



RE: voting

2004-04-09 Thread Jerrold Leichter
|   "privacy" wrote:
|   [good points about weaknesses in adversarial system deleted]
|
| > It's baffling that security experts today are clinging to the outmoded
| > and insecure paper voting systems of the past, where evidence of fraud,
| > error and incompetence is overwhelming.  Cryptographic voting protocols
| > have been in development for 20 years, and there are dozens of proposals
| > in the literature with various characteristics in terms of scalability,
| > security and privacy.  The votehere.net scheme uses advanced cryptographic
| > techniques including zero knowledge proofs and verifiable remixing,
| > the same method that might be used in next generation anonymous remailers.
| >
| Our anonymous correspondent has not addressed the issues I raised in my
| initial post on the 7th:
|
| 1. The use of receipts which a voter takes from the voting place to 'verify'
| that their vote was correctly included in the total opens the way for voter
| coercion.
|
| 2. The proposed fix - a blizzard of decoy receipts - makes recounts based
| on the receipts impossible.
The VoteHere system is really quite clever, and you're attacking it for not
being the same as everything that went before.

Current systems - whether paper, machine, or whatever - provide no inherent
assurance that the vote you cast is the one that got counted.  Ballot boxes
can be lost, their contents can be replaced; machines can be rigged.  We
use procedural mechanisms to try to prevent such attacks.  It's impossible to
know how effective they are:  We have no real way to measure the effectiveness,
since there is no independent check on what they are controlling.  There are
regular allegations of all kinds of abuses, poll watchers or no.  And there
are plenty of suspect results.

| Answer this:
|
| 1. How does this system prevent voter coercion, while still allowing receipt
| based recounts?
a)  Receipts in the VoteHere system are *not* used for recounts.  No receipt
that a user takes away can possibly be used for that - the chances of you being
able to recover even half the receipts a day after the election are probably
about nil.  Receipts play exactly one role:  They allow a voter who wishes to
to confirm that his vote actually was tallied.

b)  We've raised "prevention of voter coercion" on some kind of pedestal.
The fact is, I doubt it plays much of a real role.  If someone wants to coerce
voters, they'll use the kind of goons who collect on gambling debts to do it.
The vast majority of people who they try to coerce will be too frightened to
even think about trying to fool them - and if they do try, will lie so
unconvincingly that they'll get beaten up anyway.  Political parties that want
to play games regularly bring busloads of people to polling places.  They
don't check how the people they bus in vote - they don't need to.  They know
who to pick.

However, if this really bothers you, a system like this lets you trade off
non-coercion and checkability:  When you enter the polling place, you draw a
random ball - say, using one of those machines they use for lotteries.  If the
ball is red, you get a receipt; if it's blue, the receipt is retained in a
sealed box (where it's useless to anyone except as some kind of cross-check of
number of votes cast, etc.)  No one but you gets to see the color of the ball.
Now, even if you are being coerced and get a red ball, you can simply discard
the receipt - the polling place should have a secure, private receptacle; or
maybe you can even push a button on the machine that says "Pretend I got a
blue ball" - and claim you got a blue ball.  The fraction of red and blue
balls is adjustable, depending on how you choose to value checkability vs.
non-coercion.

| Or do you have some mechanism by which I can
| personally verify every vote which went into the total, to make sure they
| are correct?
In VoteHere's system, you can't possibly verify that every vote that went into
the total was correctly handled.  You can verify that the votes *that the
system claims were recorded* are actually counted correctly.  And you can
verify that *your* vote was actually recorded as you cast it - something you
can't do today.  The point of the system is that any manipulation is likely to
hit someone who chooses to verify their vote, sooner or later - and it only
takes one such detected manipulation to start an inquiry.

Whether in practice people want this enough to take the trouble ... we'll have
to wait and see.

| 2. On what basis do you think the average voter should trust this system,
| seeing as it's based on mechanisms he or she can't personally verify?
On what basis should an average voter trust today's systems?  How many people
have any idea what safeguards are currently used?  How many have any personal
contact with the poll watchers on whom th

Re: voting, KISS, etc.

2004-04-09 Thread Adam Fields
On Fri, Apr 09, 2004 at 12:46:47PM -0400, Perry E. Metzger wrote:
> I think that those that advocate cryptographic protocols to ensure
> voting security miss the point entirely.
[...]
> I'm a technophile. I've loved technology all my life. I'm also a
> security professional, and I love a good cryptographic
> algorithm. Please keep technology as far away as possible from the
> voting booth -- it will make everyone a lot safer.

Hear, hear!

As the supposed experts, how do we get the idea out of people's heads
that making everything electronic and automated is somehow
intrinsically better, regardless of the actual risks and benefits of
doing so?

-- 
- Adam

-
http://www.adamfields.com



voting, KISS, etc.

2004-04-09 Thread Perry E. Metzger

I think that those that advocate cryptographic protocols to ensure
voting security miss the point entirely.

They start with the assumption that something is "broken" about the
current voting system. I contend it is just fine.

For example, it takes a long time to count pieces of papers compared
with bits. However, there is no actual need for speed in reporting
election results. This is not a stock exchange -- another election
will not be held the next day, and the number of elections being held
will not rise 8% per quarter. If it takes a day or even several days
to get an accurate count, no one will be hurt. The desires of
television networks to report the results in ten minutes is not
connected to the need for a democracy to have widespread confidence in
the election results. Speed is not a requirement. As it is, however,
automated counts of paper ballots are plenty fast enough already.

It also is seemingly "behind the times" to use paper and such to hold
an election when computers are available -- but the goal is not to seem
"modern" -- it is to hold a fair election with accurately reported
results that can be easily audited both before, during and after the
fact.

It seems to some to be "easier" to vote using an electronic
screen. Perhaps, perhaps not. My mother would not find an electronic
screen "easier" at all, but let's ignore that issue. Whether or not the
vote is entered on a screen, the fact that paper ballots can be
counted both mechanically (for speed) and by hand (as an audit
measure), where purely electronic systems lack any mechanism for
after-the-fact audit or recount, leads one to conclude that old
fashioned paper seems like a good idea, and if it is not to be marked
by hand, then at least let it be marked by the computer entry device.

It is also seemingly "better" to have a system where a complex
cryptographic protocol "secures" the results -- but the truth is that
it is more important that a system be obvious, simple and secure even
to relatively uneducated members of society, and the marginal security
produced by such systems over one in which physical paper ballots are
generated is not obvious or significant.

(The marginal security issue is significant. Consider that simple
mechanisms can render the amount of fraud possible in the "old
fashioned" system significantly smaller than the number of miscast
votes caused by voter mistakes, but that no technology can eliminate
voter mistakes. Then ask why a fully electronic "fraudless" system
understandable to a minuscule fraction of the population but where
miscast votes continue to occur -- and possibly to be inaccurately
perceived as evidence of fraud -- would be superior.)

To those that don't understand the "understandable to even those who
are not especially educated" problem, consider for a moment that many
people will not care what your claims are about the safety of the
system if they think fraud occurred, even if you hand them a
mathematical proof of the system. I suspect, by the way, that they'll
be right, because the proofs don't cover all the mechanisms by which
fraud can occur, including "graveyard" voting.

We tamper with the current system at our peril. Most security
mechanisms evolve over time to adjust to the threats that happen in
the real world.  The "protocols" embedded in modern election laws,
like having poll watchers from opposing sides, etc., come from
hundreds of years of experience with voting fraud. Over centuries,
lots of tricks were tried, and the system evolved to cope with
them. Simple measures like counting the number of people voting and
making sure the number of ballots cast essentially corresponds,
physically guarding ballot boxes and having members of opposing
parties watch them, etc., serve very well and work just fine.

Someone mentioned that in some elections it is impractical for the
people running to have representatives at all polling places. It is,
in fact, not necessary for them to -- the threat of their doing so and
having enough poll watchers from enough organizations in a reasonably
random assortment of polling places is enough to prevent significant
fraud.

I'm especially scared about mechanisms that let people "vote at home"
and such. Lots of people seem to think that the five minute trip to
the polling place is what is preventing people from voting, and they
want to let people vote from their computers. Let's ignore the question
of whether it is important that the people who can't be bothered to
spend ten minutes going to the polling place care enough about the
election to be voting anyway. Let's also ignore the totally unimportant
question of vote buying -- vote buying has happened plenty of times
over the centuries without any need for the purchaser to verify that
the vote was cast as promised. Tammany Hall did not need to watch
people&#

RE: voting

2004-04-09 Thread Trei, Peter
"privacy" wrote:
[good points about weaknesses in adversarial system deleted]

> It's baffling that security experts today are clinging to the outmoded
> and insecure paper voting systems of the past, where evidence of fraud,
> error and incompetence is overwhelming.  Cryptographic voting protocols
> have been in development for 20 years, and there are dozens of proposals
> in the literature with various characteristics in terms of scalability,
> security and privacy.  The votehere.net scheme uses advanced cryptographic
> techniques including zero knowledge proofs and verifiable remixing,
> the same method that might be used in next generation anonymous remailers.
> 
Our anonymous correspondent has not addressed the issues I raised in my
initial post on the 7th:

1. The use of receipts which a voter takes from the voting place to 'verify'
that their vote was correctly included in the total opens the way for voter
coercion.

2. The proposed fix - a blizzard of decoy receipts - makes recounts based
on the receipts impossible.

> Given that so many jurisdictions are moving towards electronic voting
> machines, this is a perfect opportunity to introduce mathematical
> protections instead of relying so heavily on human beings.  I would
> encourage observers on these lists to familiarize themselves with the
> cryptographic literature and the heavily technical protocol details
> at http://www.votehere.com/documents.html before passing judgement on
> these technologies.
> 
Asking the readers of this list to 'familiarize themselves with the
cryptographic literature', is, in many cases, a little like telling Tiger
Woods that he needs to familiarize himself with the rules of golf. We know
the 'advanced cryptographic techniques' you refer to. We also know their
limitations - what they can and cannot do. This is not the appropriate forum
to try to say "trust me".

Answer this:

1. How does this system prevent voter coercion, while still allowing receipt
based recounts? Or do you have some mechanism by which I can
personally verify every vote which went into the total, to make sure they
are correct?

2. On what basis do you think the average voter should trust this system,
seeing as it's based on mechanisms he or she can't personally verify?

3. What chain of events do I have to believe to trust that the code which
is running in the machine is actually and correctly derived from the
source code I've audited? I refer you to Ken Thompson's classic paper
"Reflections on trusting trust", as well as the recent Diebold debacle
with uncertified patches being loaded into the machine at the 
last moment.

This last is an important point - there is no way you can eliminate the
requirement of election officials to behave legitimately. Since that
requirement can't be done away with by technology, adding technology
only adds more places the system can be compromised.

Based on the tone of this letter, I'd hazard a guess that 'privacy' has a
vested interest in VoteHere. If this is true, it's a little odd that they are
willing to expose their source code, but not their name. We don't
bite, unless the victim deserves it :-) Opening your source is an
admirable first step - why not step out of the shadows so we can
help you make your system better?

I fear a system which does not have a backup mechanism that the
average voter can understand. While it's true that non-electronic
systems are subject to compromise, so are electronic ones, 
regardless of their use of ZK proofs, or 'advanced cryptographic
techniques'.

I do think electronic voting machines are coming, and a good
thing. But they should be promoted on the basis that they 
are easier to use, and fairer in presentation, than are manual
methods. Promoting them on the basis that they are more
secure, and less subject to vote tampering is simply false.

Peter Trei
Cryptoengineer
RSA Security

Disclaimer: The above represents my personal opinions only.








Re: voting

2004-04-09 Thread Major Variola (ret)
At 11:16 PM 4/8/04 +0200, privacy.at Anonymous Remailer wrote:
>In the second place, it fails for elections with more than two parties
>running.  The casual reference above to representatives "on each
>side" betrays this error.  Poorly funded third parties cannot provide
>representatives as easily as the Republicans and Democrats.  We already
>know that the major parties fight to keep third party candidates off
>the ballots.  Can we expect them to be vigilant in making sure that
>Libertarian and Green votes are counted?

Your points about the weaknesses of adversarial observers are stimulating,
valid points, but the Reps and Dems *can* count on those votes *not* being
moved into their de facto adversary's (Dems, Reps, respectively) bin.  And
in practice the fringe votes usually don't matter.  (I vote Lib..)
It's not uncommon for elections to be upheld *even when votes are known
lost* if the margins are sufficient. (It happened in California last
election, human error plus tech.)

Ultimately the adversarial parties are the ones who have to check the
whole process, including any tech that gets used.  And that process
is open to the Libs, etc.

As to your other point, the clever protocols, Perry and other
KISS advocates have a very strong (albeit social) point.  Joe
Sixpack can understand *and test* levers or Hollerith cards
or their optical counterparts.  Good luck getting him to understand
number theory.  It would be better in many estimations to have
even coercible voting than to have "Trust Me" apply to electing a
government.
(Not that the govt will avoid using that phrase once elected :-)







Re: voting

2004-04-09 Thread l . crypto
Having a paper ballot printed by machine (and checked by the voter) before
being dropped in a box may permit some additional cross-checks:

* Put serial numbers or something like them, on each ballot, so that
missing or added ballots can be detected.

* Put check digits on each ballot, so that alterations can be detected.
In order to avoid a big key management problem, perhaps each machine
could generate its own key-pair, and print the public half on each
ballot.  Perhaps the check digits could be chained through the whole
sequence of ballots so that adversaries have to modify the whole
tail sequence to change one. Perhaps at the end of the sequence, the
machine could generate a known set of void ballots, making changing the
tail after the fact impossible.

* Print a receipt for the actual voter that can be used by the voter
to check that her vote was actually recorded.  Ideally, the receipt
should also be able to confirm that the actual intended votes were recorded.
It should not be possible to compute the votes from the receipt.
It should not be possible for an inquiry about a vote from the receipt
holder to tie the identity of the voter to the votes.

This last item would help my degree of confidence - I'd like to be able
to independently confirm, myself, that my vote was accurately recorded.


Naturally, the sequence information must not be traceable to an individual -
this is usually the case in manual sign-in systems that match voters to
registration books.  I would be skeptical about automated sign-in.

-Larry
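
The serial-number and chained-check-digit idea from the message above, as an added sketch that is not part of the original post. HMAC-SHA256 under a per-machine secret stands in for the key pair the post proposes, so the auditor here needs the machine key rather than a public half printed on the ballot; `CLOSING_VOIDS`, the sample votes and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

VOID = "VOID"
CLOSING_VOIDS = 3      # assumed size of the closing run of void ballots
GENESIS = bytes(32)    # chain value before the first ballot


@dataclass(frozen=True)
class Ballot:
    serial: int
    choices: str
    check: bytes       # printed on the paper, e.g. as hex or a barcode


def chain_check(key, prev_check, serial, choices):
    """Check value binding this ballot to the one printed before it."""
    # Fixed-width fields come first so the encoding is unambiguous.
    msg = prev_check + serial.to_bytes(4, "big") + choices.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


class BallotPrinter:
    """Stand-in for the voting machine's printer (hypothetical class)."""

    def __init__(self, key):
        self._key = key
        self._prev = GENESIS
        self._serial = 0
        self._closed = False

    def print_ballot(self, choices):
        if self._closed:
            raise RuntimeError("ballot sequence already closed")
        self._serial += 1
        self._prev = chain_check(self._key, self._prev, self._serial, choices)
        return Ballot(self._serial, choices, self._prev)

    def close(self):
        """Print the closing void ballots, then refuse further printing."""
        voids = [self.print_ballot(VOID) for _ in range(CLOSING_VOIDS)]
        self._closed = True
        return voids


def audit(key, box):
    """Return (serial, problem) pairs; an empty list means a consistent box."""
    problems = []
    ordered = sorted(box, key=lambda b: b.serial)
    prev, expected = GENESIS, 1
    for b in ordered:
        if b.serial != expected:
            problems.append((b.serial, "serial out of sequence"))
        good = chain_check(key, prev, b.serial, b.choices)
        if not hmac.compare_digest(good, b.check):
            problems.append((b.serial, "check value mismatch"))
        # Continue from the printed value so one bad ballot is flagged once,
        # not once for every ballot after it.
        prev, expected = b.check, b.serial + 1
    tail = ordered[-CLOSING_VOIDS:]
    if len(tail) < CLOSING_VOIDS or any(b.choices != VOID for b in tail):
        problems.append((None, "closing void ballots missing"))
    return problems


def sample_box(key):
    """Constructed sample: four votes followed by the closing voids."""
    printer = BallotPrinter(key)
    box = [printer.print_ballot(c) for c in ("A", "B", "A", "C")]
    return box + printer.close()


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    box = sample_box(key)
    print("intact box:      ", audit(key, box))
    altered = box[:1] + [Ballot(2, "A", box[1].check)] + box[2:]
    print("ballot 2 altered:", audit(key, altered))
    print("ballot 3 removed:", audit(key, box[:2] + box[3:]))
    print("tail cut off:    ", audit(key, box[:4]))
```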




Re: voting

2004-04-09 Thread Arnold G. Reinhold
At 8:24 AM -0400 4/8/04, Perry E. Metzger wrote:
> "Trei, Peter" <[EMAIL PROTECTED]> writes:
>>  I think Perry has hit it on the head, with the one exception that
>>  the voter should never have the receipt in his hand - that opens
>>  the way for serial voting fraud.
>>  The receipt should be exposed to the voter behind glass, and
>>  when he/she presses the 'accept' button, it visibly drops into
>>  the sealed, opaque ballot box.
> Seems fine by me, except I'd make the ballot box only lightly frosted
> -- enough that you can't read the contents, but light enough that poll
> inspectors can visually assure themselves that the contents aren't
> mysteriously altered during the course of the day.

I can see one potential problem with having the machine produce the 
receipts. Let's say the system is well designed and completely fair. 
There will be a certain percentage of voters who will complain that 
the receipt recorded the wrong vote because they in fact 
inadvertently pressed the wrong button.  Over time, that percentage 
and its variance will become well known.  Call that rate "r." A party
with the ability to make surreptitious changes to the voting software
can then have it occasionally record a vote and print a receipt
contrary to what the voter chose as long as the number of such bogus
votes is small enough relative to r and its variance to escape notice.
They can then determine what fraction, f, of voters who get wrong 
receipts  report them. They can then increase the fraction of bogus 
votes by 1/f.  Over the course of several elections they can slowly 
grow the fraction of bogus votes, claiming that voters are getting 
sloppy. Since major elections are often decided by less than one 
percent of the vote, this attack can be significant.

We have a system now in Cambridge, Massachusetts where we are given a 
paper mark sense ballot and fill in little ovals, like those on 
standardized tests. We then carry our ballot to a machine that sucks 
it in and reads it. The totals are reported after the polls close, 
but the mark sense ballots are saved inside the machine (which I
assume is inspected before the voting starts and then locked) and can
easily be recounted at any time. This system seems ideal to me.

> By the way, I should mention that an important part of such a system
> is the principle that representatives from the candidates on each side
> get to oversee the entire process, assuring that the ballot boxes
> start empty and stay untampered with all day, and that no one tampers
> with the ballots as they're read. The inspectors also serve to assure
> that the clerks are properly checking who can and can't vote, and can
> do things like hand-recording the final counts from the readers,
> providing a check against the totals reported centrally.
> The adversarial method does wonders for assuring that tampering is
> difficult at all stages of a voting system.

An important thing to remember is that these poll watchers, along with
the workers running the voting for the election authorities are often 
retired people who have very little computer skills. It is much 
easier for them to understand and safeguard systems based on paper 
and mechanical locks.

Arnold Reinhold


Re: voting

2004-04-09 Thread Ed Gerck
a counterpoint...

"Perry E. Metzger" wrote:
> 
> I'm a believer in the KISS principle.

:-) that's one S too many. For true believers, KIS is enough.
 
> A ballot that is both machine and human readable and is constructed by
> machine seems ideal. You enter your votes, a card drops down, you
> verify it and drop it in a slot. Ideally, the cards would be marked
> with something like OCR-B so that the correspondence between machine
> marking and human marking is trivial.

If the real vote (the thing that gets counted) is machine-read
from the OCR-B, and the voter is verifying the human-readable 
OCR-B text on the ballot, then how can one say the vote is really 
verified?

You end up trusting the machines after all, both for scanning as 
well as for tallying. In addition, the paper ballots could also be 
falsified and the totals would be wrong even if someone would have us 
believe that their machines are infallible.

> You can't have "hanging chads" or mismarks on optical cards because a
> machine marks it for you. You can always do a recount, just by running
> the cards through the reader again. 

Machines are not 100% efficient when counting paper ballots. There
are misreads, rejections, jamming, etc. The usual procedure is to feed
the ballots twice in the machine, for verification. What happens
if the result differs? Since you don't know which paper ballots were 
misread, you MUST end up having to count them ALL manually. Florida law,
for example, unequivocally requires a manual recount in a close election
-- even if no one complains. This is the same scenario, btw, as the
November 2000 election.

> You can prevent ballot stuffing by
> having representatives of several parties physically present during
> the handling of the ballot boxes -- just like now. 

Just like now, ballot boxes are "lost", some ballots are not counted,
some ballots can be changed.

For 200 years, fraud has been endemic in paper ballots in the
US. This is exactly one of the reasons that is driving this society 
to develop better solutions. 

Better solutions, IMO, should include independent representations of 
the ballot data, witnesses of the ballot as cast by the voter. When 
these witnesses exist, they must all be audited for consistency. 
This can be done efficiently with a proper random sampling. Further, 
as it is already legal today in the U.S., I think that voters should 
be able to cast their ballots at a poll precinct as well as at home, 
at work, and abroad. 

Moreover, election systems need to eliminate all physical connections 
between production system (the election) and development (the vendor).
This is a lesson from the banking sector. Vendors must not be allowed 
to operate their machines during an election, as it is routinely done 
today in the US. This current (bad) practice also contains a conflict of 
interest, as the vendor has an interest in selling a machine that is hard
to operate.

> You can verify that
> the counting mechanisms are working right by manually counting if
> needed.

There are at least three problems with this statement.

Manually counting? If someone even suggests that a city like Los 
Angeles (1.9M voters) is going to HAND COUNT all of its ballots, 
they won't go very far. It is humanly impossible to do this without 
mistakes creeping in, in addition to time and costs. 

Working right? Contrary to banking, a ballot (ie, a transaction in bank 
terms) must not be linkable to whoever did it. A voter should not be 
able to prove, not even to himself, how he voted.  Nonetheless, voters 
are not anonymous (they have to be well-identified). Compare this with 
"working right" in banking: if there is a debit of $10,000.00 in our 
account, how would you feel if no one (not even you) could prove that 
the debit is not yours?

Counting mechanisms? There is no way to know with current paper ballots 
if they are in fact "counted right" from an auditing viewpoint, which
depends on whether what is counted is what was cast by a voter or just 
stuffed in, or changed. 

> Complicated systems are the bane of security. Systems like this are
> simple to understand, simple to audit, simple to guard.

Simple to defraud too, as has been done here for 200 years.

Cheers,
Ed Gerck
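
A sketch of the random-sampling consistency audit mentioned above, as an added example that is not part of the original message: it computes how many ballots must be drawn so that a given number of disagreements between two independent records of the vote is caught with a chosen confidence, then runs a seeded draw. The function names, the record layout and all figures are assumptions for illustration.

```python
import math
import random


def miss_probability(total, bad, sample):
    """Chance that `sample` ballots drawn without replacement include none
    of the `bad` ballots whose two records disagree (hypergeometric)."""
    if sample > total - bad:
        return 0.0  # more draws than consistent ballots: a hit is certain
    # C(total-bad, sample) / C(total, sample), in log space to avoid overflow
    log_p = (math.lgamma(total - bad + 1) - math.lgamma(total - bad - sample + 1)
             - math.lgamma(total + 1) + math.lgamma(total - sample + 1))
    return math.exp(log_p)


def sample_size(total, bad, confidence):
    """Smallest draw that contains at least one disagreeing ballot with
    probability >= confidence, if `bad` ballots disagree."""
    if bad < 1:
        raise ValueError("bad must be at least 1")
    lo, hi = 0, total - bad + 1   # total-bad+1 draws always include a bad one
    while lo < hi:                # detection probability grows with the draw
        mid = (lo + hi) // 2
        if 1.0 - miss_probability(total, bad, mid) >= confidence:
            hi = mid
        else:
            lo = mid + 1
    return lo


def constructed_records(total, altered, seed=1):
    """Constructed sample data: a paper record and an electronic record
    that disagrees with it on `altered` ballots."""
    rng = random.Random(seed)
    paper = {i: rng.choice("AB") for i in range(total)}
    electronic = dict(paper)
    for i in rng.sample(range(total), altered):
        electronic[i] = "B" if paper[i] == "A" else "A"
    return electronic, paper


def audit(electronic, paper, sample, seed):
    """Draw `sample` ballot ids from a seed (assumed here to be chosen in
    public after the records are frozen) and return the ids whose two
    records disagree. A ballot missing from one record counts as a mismatch."""
    rng = random.Random(seed)
    drawn = rng.sample(sorted(electronic), sample)
    return [b for b in drawn if electronic[b] != paper.get(b)]


if __name__ == "__main__":
    electronic, paper = constructed_records(total=20000, altered=200)
    n = sample_size(20000, 200, 0.99)
    print("ballots to draw:", n)
    print("disagreements found:", audit(electronic, paper, n, seed=2004))
```

The required draw depends almost entirely on the fraction of disagreeing ballots rather than on the size of the election, which is why sampling stays practical for a large city.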


See-Through Voting Software

2004-04-09 Thread R. A. Hettinga
<http://www.wired.com/news/print/0,1294,62983,00.html>

Wired News


See-Through Voting Software 
By Kim Zetter


02:00 AM Apr. 08, 2004 PT

VoteHere, an electronic voting systems company, released its source code
this week in a bid to let others examine how the machines work and help
people gain confidence in the e-voting process.

 In addition, the Bellevue, Washington, company revealed a novel
alternative to paper trails to verify the accuracy of the vote count:
Voters would get an encrypted code on a receipt that corresponds to their
vote, and at the end of the election voters could check through the
Internet to see that their vote was tallied correctly.


 Other voting-system makers have resisted calls for scrutiny of the inner
workings of their machines. In contrast, VoteHere released its source code
on its website this week after spending the past few months submitting
details of its machines to conferences and journals to solicit feedback
from security experts.

 "We went into this business to make voting better," said VoteHere founder
and chief executive Jim Adler. "We're doing everything we can to move the
ball in that direction."

 VoteHere doesn't manufacture voting machines. Instead, the company
patented a technology called VoteHere Technology inside, or VHTi, that it
hopes to license to voting-machine manufacturers. It can even be integrated
into current electronic touch-screen voting machines, adding auditing
capability to help verify that the machines record votes accurately.

 So far, only one of dozens of voting companies has partnered with
VoteHere. Sequoia Voting Systems of Oakland, California, will install the
software in its touch-screen machines, though Sequoia hasn't said by when.
The Sequoia system would need to undergo federal and state certification
testing once the VoteHere software is installed.

 Activists have criticized paperless electronic touch-screen voting
machines because they don't produce an audit trail that voters can use to
verify that the machines counted votes correctly and that the results
weren't altered. Some have called for machines to produce a voter-verified
paper trail. But Adler said, "The call to go back to paper ballots has
drowned out any other solution."

 He said the VoteHere method ensures the accuracy of the machines in a way
that is more secure than a simple paper receipt. Here's how it works: Next
to each candidate's name on the ballot, a random code appears that changes
for each voter. After making their selections, voters receive a printed
receipt containing their unique codes, along with encrypted information
that assures that the codes match the correct candidates. Once the voters
verify their votes, they cast their ballots on the machine. After the
election, voting codes appear on the county website so voters can see that
the codes on their receipts translated to a counted vote. While the county
tallies the votes, the public can tally them independently as well.

 Adler said nonpartisan watchdog groups and computer scientists also could
verify the results independently in this way to ensure that no votes were
lost or changed.

 "Since all of the ballots are published, there's an entire election
transcript," he said. "So the voters can do their bit to verify their own
vote and then anyone can verify the backend. I think that's what's
important. This verifies that the count was right."

 Adler said that with so much transparency and with so many people
monitoring the results, somebody is bound to catch any anomalies.

 "If someone comes through your yard, there is a dog barking to tell you
it's happening. We're trying to make sure that there is a dog barking if
someone touches those ballots," he said.

 Some critics pointed out that the VoteHere procedure might be too
complicated for some voters. But Adler said not all voters would have to
check their votes at the end of the election to ensure the vote count was
correct. It would take only a small percentage to verify the election.

 In December, a hacker broke into VoteHere's internal computer network and
copied its source code. Adler said his company's decision to release the
source code didn't have anything to do with the hack. VoteHere had been
planning to release the code before the break-in, but was waiting to obtain
sufficient feedback.

 "We felt the source code was finally at a sufficient state of maturity to
release it," Adler said.

 Josh Benaloh, a cryptographer and researcher with Microsoft, has examined
VoteHere's research papers and methodology. He said the VoteHere paper
receipt is a nicety but not a necessity. What matters is the cryptography
and the public counting afterward.

 "If you use cryptography and use it properly, you can build an electronic
system that is much safer than a paper system and has a much highe

Re: voting

2004-04-08 Thread Perry E. Metzger

"Trei, Peter" <[EMAIL PROTECTED]> writes:
> I think Perry has hit it on the head, with the one exception that
> the voter should never have the receipt in his hand - that opens
> the way for serial voting fraud.
>
> The receipt should be exposed to the voter behind glass, and
> when he/she presses the 'accept' button, it visibly drops into 
> the sealed, opaque ballot box.

Seems fine by me, except I'd make the ballot box only lightly frosted
-- enough that you can't read the contents, but light enough that poll
inspectors can visually assure themselves that the contents aren't
mysteriously altered during the course of the day.

By the way, I should mention that an important part of such a system
is the principle that representatives from the candidates on each side
get to oversee the entire process, assuring that the ballot boxes
start empty and stay untampered with all day, and that no one tampers
with the ballots as they're read. The inspectors also serve to assure
that the clerks are properly checking who can and can't vote, and can
do things like hand-recording the final counts from the readers,
providing a check against the totals reported centrally.

The adversarial method does wonders for assuring that tampering is
difficult at all stages of a voting system.

-- 
Perry E. Metzger  [EMAIL PROTECTED]


RE: voting

2004-04-08 Thread Trei, Peter
> Perry E. Metzger wrote:
> 
> I'm a believer in the KISS principle.
> 
> A ballot that is both machine and human readable and is constructed by
> machine seems ideal. You enter your votes, a card drops down, you
> verify it and drop it in a slot. Ideally, the cards would be marked
> with something like OCR-B so that the correspondence between machine
> marking and human marking is trivial.
> 
> You can't have "hanging chads" or mismarks on optical cards because a
> machine marks it for you. You can always do a recount, just by running
> the cards through the reader again. You can prevent ballot stuffing by
> having representatives of several parties physically present during
> the handling of the ballot boxes -- just like now. You can verify that
> the counting mechanisms are working right by manually counting if
> needed.
> 
> Complicated systems are the bane of security. Systems like this are
> simple to understand, simple to audit, simple to guard.
> 
> Perry E. Metzger  [EMAIL PROTECTED]
> 
I think Perry has hit it on the head, with the one exception that
the voter should never have the receipt in his hand - that opens
the way for serial voting fraud.

The receipt should be exposed to the voter behind glass, and
when he/she presses the 'accept' button, it visibly drops into 
the sealed, opaque ballot box.

Peter


voting

2004-04-07 Thread Perry E. Metzger

I'm a believer in the KISS principle.

A ballot that is both machine and human readable and is constructed by
machine seems ideal. You enter your votes, a card drops down, you
verify it and drop it in a slot. Ideally, the cards would be marked
with something like OCR-B so that the correspondence between machine
marking and human marking is trivial.

You can't have "hanging chads" or mismarks on optical cards because a
machine marks it for you. You can always do a recount, just by running
the cards through the reader again. You can prevent ballot stuffing by
having representatives of several parties physically present during
the handling of the ballot boxes -- just like now. You can verify that
the counting mechanisms are working right by manually counting if
needed.

Complicated systems are the bane of security. Systems like this are
simple to understand, simple to audit, simple to guard.


-- 
Perry E. Metzger  [EMAIL PROTECTED]


All Internet voting is insecure: report

2004-04-01 Thread Ian Grigg
http://www.theregister.co.uk/content/6/35078.html
http://www.eetimes.com/at/news/OEG20040123S0036

All Internet voting is insecure: report
By electricnews.net
Posted: 23/01/2004 at 11:37 GMT


Online voting is fundamentally insecure due to the architecture of the
Internet, according to leading cyber-security experts.

Using a voting system based upon the Internet poses a "serious and
unacceptable risk" for election fraud and is not secure enough for
something as serious as the election of government officials, according to
the four members of the Security Peer Review Group, an advisory group
formed by the US Department of Defense to evaluate a new on-line voting
system.

The review group's members, and the authors of the damning report, include
David Wagner, Avi Rubin and David Jefferson from the University of
California, Berkeley, Johns Hopkins University and the Lawrence Livermore
National Laboratory, respectively, and Barbara Simons, a computer
scientist and technology policy consultant.

The federally-funded Secure Electronic Registration and Voting Experiment
(SERVE) system is currently slated for use in the US in this year's
primary and general elections. It will allow eligible voters to register
to vote at home and then to vote via the Internet from anywhere in the
world. The first tryout of SERVE is early in February for South Carolina's
presidential primary and its eventual goal is to provide voting services
to all eligible US citizens overseas and to US military personnel and
their dependents, a population estimated at six million.

After studying the prototype system the four researchers said that from
anywhere in the world a hacker could disrupt an election or influence its
outcome by employing any of several common types of cyber-attacks.
"Attacks could occur on a large scale and could be launched by anyone from
a disaffected lone individual to a well-financed enemy agency outside the
reach of US law," state the three computer science professors and a former
IBM researcher in the report.

A denial-of-service attack would delay or prevent a voter from casting a
ballot through a Web site. A "man in the middle" or "spoofing" attack
would involve the insertion of a phoney Web page between the voter and the
authentic server to prevent the vote from being counted or to alter the
voter's choice. What is particularly problematic, the authors say, is that
victims of "spoofing" may never know that their votes were not counted.

A third type of attack involves the use of a virus or other malicious
software on the voter's computer to allow an outside party to monitor or
modify a voter's choices. The malicious software might then erase itself
and never be detected, according to the report.

While acknowledging the difficulties facing absentee voters, the authors
of the security analysis conclude that Internet voting presents far too
many opportunities fo


DIMACS Workshop on Electronic Voting -- Theory and Practice

2004-03-31 Thread Linda Casals
 
DIMACS Workshop on Electronic Voting -- Theory and Practice
  
   May 26 - 27, 2004 
   DIMACS Center, Rutgers University, Piscataway, NJ

Organizers: 
   
   Markus Jakobsson, RSA Laboratories, [EMAIL PROTECTED]  
   Ari Juels, RSA Laboratories, [EMAIL PROTECTED] 
   
Presented under the auspices of the Special Focus on Communication
Security and Information Privacy and the Special Focus on Computation 
and the Socio-Economic Sciences.



To many technologists, electronic voting represents a seemingly simple
exercise in system design. In reality, the many requirements it
imposes with regard to correctness, anonymity, and availability pose
an unusually thorny collection of problems, and the security risks
associated with electronic voting, especially remotely over the
Internet, are numerous and complex, posing major technological
challenges for computer scientists. (For a few examples, see
references below.) The problems range from the threat of
denial-of-service-attacks to the need for careful selection of
techniques to enforce private and correct tallying of ballots. Other
possible requirements for electronic voting schemes are resistance to
vote buying, defenses against malfunctioning software, viruses, and
related problems, auditability, and the development of user-friendly
and universally accessible interfaces.

The goal of the workshop is to bring together and foster an interplay
of ideas among researchers and practitioners in different areas of
relevance to voting. For example, the workshop will investigate
prevention of penetration attacks that involve the use of a delivery
mechanism to transport a malicious payload to the target host. This
could be in the form of a ``Trojan horse'' or remote control
program. It will also investigate vulnerabilities of the communication
path between the voting client (the devices where a voter votes) and
the server (where votes are tallied). Especially in the case of remote
voting, the path must be ``trusted'' and a challenge is to maintain an
authenticated communications linkage. Although not specifically a
security issue, reliability issues are closely related and will also
be considered. The workshop will consider issues dealing with random
hardware and software failures (as opposed to deliberate, intelligent
attack). A key difference between voting and electronic commerce is
that in the former, one wants to irreversibly sever the link between
the ballot and the voter. The workshop will discuss audit trails as a
way of ensuring this. The workshop will also investigate methods for
minimizing coercion and fraud, e.g., schemes to allow a voter to vote
more than once and only having the last vote count.

This workshop is part of the Special Focus on Communication Security
and Information Privacy and will be coordinated with the Special Focus
on Computation and the Socio-Economic Sciences.

This workshop follows a successful first WOTE event, organized by
David Chaum and Ron Rivest in 2001 at Marconi Conference Center in
Tomales Bay, California (http://www.vote.caltech.edu/wote01/). Since
that time, a flurry of voting bills has been enacted at the federal
and state levels, including most notably the Help America Vote Act
(HAVA). Standards development has represented another avenue of reform
(e.g., the IEEE Voting Equipment Standards Project 1583), while a
grassroots movement (http://www.verifiedvoting.org) has arisen to
promote the importance of audit trails as enhancements to
trustworthiness.

Participation:

Interested participants may contact the organizers.

Registration Fees:

(Pre-registration deadline: May 20, 2004)

Regular Rate 
Preregister before deadline $120/day 
After preregistration deadline  $140/day

Reduced Rate*
Preregister before deadline $60/day
After preregistration deadline $70/day

Postdocs 
Preregister before deadline $10/day 
After preregistration deadline $15/day

DIMACS Postdocs $0 

Non-Local Graduate & Undergraduate students 
Preregister before deadline $5/day 
After preregistration deadline $10/day

Local Graduate & Undergraduate students $0
(Rutgers & Princeton) 

DIMACS partner institution employees** $0 

DIMACS long-term visitors*** $0 

Registration fee to be collected on site, cash, check, VISA/Mastercard
accepted.

Our funding agencies require that we charge a registration fee during
the course of the workshop. Registration fees include participation in
the workshop, all workshop materials, breakfast, lunch, breaks and any
scheduled social events (if applicable).

* College/University faculty and employees of nonprofit and government
organizations will automatically receive the reduced rate. Other
participants may apply for a reduction of fees. They sh

Electronic-voting firm reveals hacker break-in

2003-12-30 Thread R. A. Hettinga
<http://seattletimes.nwsource.com/cgi-bin/PrintStory.pl?document_id=2001825724&zsection_id=268448455&slug=votehere300&date=20031230>

Tuesday, December 30, 2003, 12:00 A.M. Pacific

The Seattle Times:
Electronic-voting firm reveals hacker break-in

By Monica Soto Ouchi
Seattle Times technology reporter

Bellevue-based VoteHere, which sells software designed to make electronic
voting more secure, said yesterday a hacker it thinks was politically
motivated broke into its computer system and stole nonsensitive internal
documents.

The break-in occurred in October but was only publicly acknowledged
yesterday by Chief Executive Jim Adler.

The incident occurred after the hacker exploited a vulnerability in the
company's corporate software. VoteHere was "a couple days behind" updating
a security patch, spokeswoman Stacey Fields said.

VoteHere said it identified the hacker within 24 hours of the break-in and
that it believes the person is affiliated with anti-electronic voting
organizations.

The Washington Cyber Crime Task Force - an affiliation of FBI, U.S. Secret
Service and local law enforcement - is investigating.

No one has been arrested, Fields said.

The breach comes amid growing concern about the security and reliability of
electronic voting.

Bev Harris, who runs a small Renton public-relations firm, helped energize
citizens and computer scientists concerned with the potential for election
fraud after earlier this year discovering an open, unprotected Web site
that revealed source code for Diebold voting machines.

The most vocal opponents have called for electronic-voting systems to be
backed up by voter-verifiable paper audit trails, a move adopted by
California's secretary of state.

VoteHere sells two electronic-voting products. One, encryption-security
software for electronic-voting machines, detects when ballots are
compromised by adding, deleting or changing a vote.

The other is Internet voting software for private and public elections.

Adler said the hacker didn't access sensitive materials because the
company's business model rests upon releasing its source code for all to
see.

VoteHere deploys the same encryption technology used to keep credit-card
data private during online transactions. The secret is the "key data," a
10-digit number that unlocks the information.

"We're a bunch of cryptographers that decided all the algorithms must be
public for the system to be trustworthy," Adler said.

"There's no secret in any of this."

VoteHere released some of its source code earlier this year to be
scrutinized by VerifiedVoting.org, a grass-roots organization pressing for
accountability in election systems.

David Dill, the group's founder and a Stanford University computer-science
professor, said he has yet to find a volunteer with the expertise to verify
the company's systems.

"What I think we need, before I'm confident in a system like VoteHere, is a
near consensus among experts in cryptography and election administration
that the system is trustworthy," Dill said.

"At this point, people haven't looked at it enough to gain a consensus."


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'


Re: ANDOS-based secure voting system

2003-12-14 Thread Sidney Markowitz
Joel Takvorian wrote:

> how can we prevent a single person from voting multiple 
> times???

A clear summary of some voting protocols including the use of ANDOS for 
voting with one central facility can be found at

http://csci.mrs.umn.edu/twiki/view/CSci4554f02/SethMattPresentation

If you compare the protocol that uses ANDOS with the one that uses two 
central facilities and avoids the complications of ANDOS, it may become 
clear just what is the point of the identification number I which is 
distributed using ANDOS. That number is linked to the identity of the 
voter. The problem being addressed is how to allow someone to vote while 
preserving the anonymity of their vote, i.e., without recording their 
real-world ID with the vote. ANDOS allows a central facility to 
distribute unique ID numbers without knowing who gets what ID. The 
second protocol simplifies the problem by allowing one central facility 
to know who got what ID and the second facility to know the vote cast by 
each ID, but anonymity depends on trusting the two facilities not to 
collude.

Where this relates to your question is that nothing in the protocols has 
anything to do with the problem of physically identifying the voter and 
certifying that individual's right to vote. That is outside the 
cryptographic protocol. Step 1 of the ANDOS version is publishing a list 
of eligible voters. That implies that there are individual identities, 
that some are eligible to vote, and that they can be identified. In Step 
2 each voter submits an intention to vote. This step implies some way 
for each voter to authenticate as being one of the identities on the 
list. Whether it is through biometrics or fear of legal sanctions or 
naive trust of all the voters is up to the people setting up the voting 
procedures. It is only after the identity has been verified and an ID 
number assigned that the rest of the protocol comes into play to allow 
exactly one vote per ID and to preserve the privacy of the voter.

 -- sidney
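
The two-facility protocol described above, as an added example that is not part of the original message: one facility authenticates voters and hands out random IDs, the other accepts exactly one vote per valid ID. The class names, the `secrets`-based ID format and the sample voters are assumptions; how a voter proves identity lies outside the protocol, as the message says, and is reduced here to a lookup in the eligible list.

```python
import secrets


class IdFacility:
    """Knows who received which ID; never sees a vote."""

    def __init__(self, eligible):
        self.eligible = set(eligible)
        self.issued = {}            # voter name -> ID

    def request_id(self, voter):
        # Identity verification itself is outside the protocol (assumed done).
        if voter not in self.eligible:
            raise PermissionError(f"{voter} is not on the eligible list")
        if voter in self.issued:
            raise PermissionError(f"{voter} already holds an ID")
        voter_id = secrets.token_hex(8)
        self.issued[voter] = voter_id
        return voter_id

    def valid_ids(self):
        """What is handed to the tally facility: IDs only, no names."""
        return set(self.issued.values())


class TallyFacility:
    """Knows which ID cast which vote; never sees a name."""

    def __init__(self, valid_ids):
        self.unused = set(valid_ids)
        self.ballots = {}           # ID -> vote

    def cast(self, voter_id, vote):
        if voter_id not in self.unused:
            raise PermissionError("unknown or already used ID")
        self.unused.remove(voter_id)
        self.ballots[voter_id] = vote

    def tally(self):
        counts = {}
        for vote in self.ballots.values():
            counts[vote] = counts.get(vote, 0) + 1
        return counts

    def published_list(self):
        """ID -> vote list, so each voter can check the line for their ID."""
        return dict(self.ballots)


def collude(id_facility, tally_facility):
    """What the facilities learn if they pool their records: name -> vote.
    Anonymity holds only as long as this join is never made."""
    return {name: tally_facility.ballots[i]
            for name, i in id_facility.issued.items()
            if i in tally_facility.ballots}


def run_election():
    voters = ["alice", "bob", "carol"]            # constructed voter list
    ids = IdFacility(voters)
    tokens = {name: ids.request_id(name) for name in voters}
    tally = TallyFacility(ids.valid_ids())
    tally.cast(tokens["alice"], "yes")
    tally.cast(tokens["bob"], "no")
    tally.cast(tokens["carol"], "yes")
    rejected = []
    for attempt in (lambda: ids.request_id("alice"),           # second ID, same person
                    lambda: ids.request_id("mallory"),         # not on the list
                    lambda: tally.cast(tokens["bob"], "yes"),  # ID already used
                    lambda: tally.cast("0" * 16, "yes")):      # ID never issued
        try:
            attempt()
        except PermissionError as exc:
            rejected.append(str(exc))
    return ids, tally, rejected


if __name__ == "__main__":
    ids, tally, rejected = run_election()
    print(tally.tally())
    print(rejected)
```

The one-vote-per-person guarantee rests on `request_id`, which is exactly the identity check that the message places outside the cryptographic protocol.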


ANDOS-based secure voting system

2003-12-11 Thread Joel Takvorian
Hello,

This is my first post on this mailing-list since I'm new with 
cryptographic problems. I also apologize in advance for any language mistake I'll 
make.

I am currently interested in programming a secured voting system using 
ANDOS (All-or-Nothing Disclosure of Secrets) protocol.
I've found many documents describing this kind of voting protocol like 
this :

1) "Ivan" publishes the list of eligible candidates
2) Each voter informs "Ivan" of his intention to vote
3) "Ivan" publishes the list of all voters
4) Each voter receives a unique identifier using ANDOS protocol
5) bla bla bla...
the identifier will be used for every transfer between "Ivan" and the 
corresponding voter.
I know ANDOS is a quite hard and complex algorithm, but it's not a 
problem for now.

My question is : how can we prevent a single person from voting multiple 
times???
In other words, although an ANDOS-generated number can be used by only 
one single person, I can't see anything preventing a single person from 
using multiple ANDOS-generated identifiers, if this person asks "Ivan" 
several times - hiding his real identity - for an identifier.

Of course, a solution would be to separate the attribution of 
identifiers and the vote itself, assuming identifier attribution is a 
physical process where "Ivan" gives identifiers and marks on a list the 
future voters as having got their identifier. This process must be 
physical in order to really identify the voter (for instance with his 
identity card). First, a corrupted "Ivan" could mark on his list anyone. 
Then, even if we try to secure it, one may be quite disappointed to use 
a physical process for e-vote.

Thank you in advance for answers!

Joel Takvorian


Re: VeriSign tapped to secure Internet voting

2003-10-02 Thread Anton Stiglic
> Schu stressed that several layers of security will prevent hackers from
> accessing the system. VeriSign will house the security servers in its own
> hosting centers. The company will ask military personnel to use their
> Common Access Cards--the latest form of ID for the military--to access
> the system and cast a vote. Civilians will use digital signatures.

So how will these civilians get a certified public key, and how will the
private key be protected?  Is there a special policy for the issuance of
these kind of certificates?

--Anton


Re: VeriSign tapped to secure Internet voting

2003-10-01 Thread Roy M. Silvernail
On Wednesday 01 October 2003 19:53, Ian Grigg wrote:
> "Roy M. Silvernail" wrote:
> > On Wednesday 01 October 2003 17:33, R. A. Hettinga forwarded:
> > > VeriSign tapped to secure Internet voting
> > >
> > > "The solution we are building will enable absentee voters to exercise
> > > their right to vote," said George Schu, a vice president at VeriSign.
> > > "The sanctity of the vote can't be compromised nor can the integrity of
> > > the system be compromised--it's security at all levels."
> >
> > One would wish that were a design constraint.  Sadly, I'm afraid it's
> > just a bullet point from the brochure.
>
> It's actually quite cunning.  The reason that this
> is going to work is because the voters are service
> men & women, and if they attack the system, they'll
> get their backsides tanned.  

Good observation.  I missed that one.

> Basically, it should
> be relatively easy to put together a secure voting
> application under the limitations, control structures
> and security infrastructure found within the US military.
>
> It would be a mistake to apply the solution to wider
> circumstances, and indeed another mistake to assume
> that Verisign had anything to do with any purported
> "success" in "solving" the voting problem.

Definitely, but I can see Verisign doing both.  The rabbit hole gets ever 
deeper.


Re: VeriSign tapped to secure Internet voting

2003-10-01 Thread Ian Grigg
"Roy M. Silvernail" wrote:
> 
> On Wednesday 01 October 2003 17:33, R. A. Hettinga forwarded:
> 
> > VeriSign tapped to secure Internet voting
> 
> > "The solution we are building will enable absentee voters to exercise
> > their right to vote," said George Schu, a vice president at VeriSign. "The
> > sanctity of the vote can't be compromised nor can the integrity of the
> > system be compromised--it's security at all levels."
> 
> One would wish that were a design constraint.  Sadly, I'm afraid it's just a
> bullet point from the brochure.

It's actually quite cunning.  The reason that this
is going to work is because the voters are service
men & women, and if they attack the system, they'll
get their backsides tanned.  Basically, it should
be relatively easy to put together a secure voting
application under the limitations, control structures
and security infrastructure found within the US military.

It would be a mistake to apply the solution to wider
circumstances, and indeed another mistake to assume
that Verisign had anything to do with any purported
"success" in "solving" the voting problem.

iang



Re: VeriSign tapped to secure Internet voting

2003-10-01 Thread Roy M. Silvernail
On Wednesday 01 October 2003 17:33, R. A. Hettinga forwarded:

> VeriSign tapped to secure Internet voting

> "The solution we are building will enable absentee voters to exercise
> their right to vote," said George Schu, a vice president at VeriSign. "The
> sanctity of the vote can't be compromised nor can the integrity of the
> system be compromised--it's security at all levels."

One would wish that were a design constraint.  Sadly, I'm afraid it's just a 
bullet point from the brochure.



VeriSign tapped to secure Internet voting

2003-10-01 Thread R. A. Hettinga
<http://msnbc-cnet.com.com/2102-1029_3-5083772.html?tag=ni_print>

VeriSign tapped to secure Internet voting
By Robert Lemos
Staff Writer, CNET News.com
http://news.com.com/2100-1029-5083772.html

VeriSign announced Monday that it will provide key components of a system
designed to let Americans abroad cast absentee votes over the Internet.

The contract was granted by consulting firm Accenture, which is working
with the U.S. Department of Defense on a voting system known as the Secure
Electronic Registration and Voting Experiment. When completed, the system
will allow absentee military personnel and overseas Americans from eight
participating states to cast their votes in the 2004 general election.

"The solution we are building will enable absentee voters to exercise their
right to vote," said George Schu, a vice president at VeriSign. "The
sanctity of the vote can't be compromised nor can the integrity of the
system be compromised--it's security at all levels."

VeriSign has been selected to host the servers and information needed to
authenticate voters and ensure that they cast only one vote.  Internet and
electronic voting systems are notoriously hard to secure. In July,
researchers at Johns Hopkins University raised extensive security issues
with a leading electronic voting system manufactured by Diebold Election
Systems.

Schu stressed that several layers of security will prevent hackers from
accessing the system. VeriSign will house the security servers in its own
hosting centers. The company will ask military personnel to use their
Common Access Cards--the latest form of ID for the military--to access the
system and cast a vote. Civilians will use digital signatures.

Overseas U.S. citizens from Arkansas, Florida, Hawaii, Minnesota, North
Carolina, South Carolina, Utah and Washington will be able to use the
system to cast votes.

Related News
Voting machine fails inspection - July 24, 2003
http://news.com.com/2100-1009-5054088.html

Tech glitches don't mar Florida vote - November 6, 2002
http://news.com.com/2100-1023-964609.html

Tech makes its mark at the ballot box - November 6, 2002
http://news.com.com/2009-1023-964723.html

U.K. puts online voting to the test - April 26, 2002
http://news.com.com/2110-1023-893093.html

Toward digital democracy - November 6, 2001
http://news.com.com/2009-1023-275348.html

Get this story's "Big Picture"
http://news.com.com/2104-1029-5083772.html


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Re: DC Security Geeks Talk: Analysis of an Electronic Voting System

2003-09-25 Thread Major Variola (ret)
At 02:48 PM 9/24/03 -0400, R. A. Hettinga wrote:
><http://www.cryptonomicon.net/modules.php?name=News&file=print&sid=463>

>
>Cryptonomicon.Net -
>
>Talk: Analysis of an Electronic Voting System

Someone needs to inject a story about e-voting fraud into the popular
imagination.  Is Tom Clancy available?  Maybe an anonymous, detailed,
plausible, (but secretly fictional) blog describing how someone did this
in their podunk county... then "leak" this to a news reporter..
Failure to be *able* to assure that this *didn't* happen in that podunk
county would make an important point.


"On two occasions, I have been asked [by members of Parliament],
 'Pray, Mr. Babbage, if you put into the machine wrong figures,
 will the right answers come out?' I am not able to rightly apprehend
 the kind of confusion of ideas that could provoke such a question."
  -- Charles Babbage




DC Security Geeks Talk: Analysis of an Electronic Voting System

2003-09-24 Thread R. A. Hettinga
<http://www.cryptonomicon.net/modules.php?name=News&file=print&sid=463>

Cryptonomicon.Net - 

DC Security Geeks Talk on September 24th 
Date: Wednesday, September 24 @ 08:10:00 EDT 
Topic: Events / Special Interest Groups 


Talk: Analysis of an Electronic Voting System
Speaker: Tadayoshi Kohno (JHU and UCSD)
Date: Wed, Sept. 24 @ 7:30PM
Location: Virginia Tech Falls Church Campus 

Abstract:  Recent election problems have sparked great interest in managing the 
election process through the use of electronic voting systems. While computer 
scientists, for the most part, have been warning of the perils of such action, vendors 
have forged ahead with their products, claiming increased security and reliability. 
Many municipalities have adopted electronic systems, and the number of deployed 
systems is rising. For these new computerized voting systems, neither source code nor 
the results of any third-party certification analyses have been available for the 
general population to study, because vendors claim that secrecy is a necessary 
requirement to keep their systems secure. Recently, however, the source code 
purporting to be the software for a voting system from a major manufacturer appeared 
on the Internet. This manufacturer's systems were used in Georgia's state-wide 
elections in 2002, and the company just announced that the state of Maryland awarded 
them an order valued at up to $55.6 million to deliver touch screen voting systems. 



This unique opportunity for independent scientific analysis of voting system source 
code demonstrates the fallacy of the closed-source argument for such a critical 
system. Our analysis shows that this voting system is far below even the most minimal 
security standards applicable in other contexts. We highlight several issues including 
unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to 
network threats, and poor software development processes. For example, common voters, 
without any insider privileges, can cast unlimited votes without being detected by any 
mechanisms within the voting terminal. Furthermore, we show that even the most serious 
of our outsider attacks could have been discovered without the source code. In the 
face of such attacks, the usual worries about insider threats are not the only 
concerns; outsiders can do the damage. That said, we demonstrate that the insider 
threat is also quite considerable. We conclude that, as a society, we must 
carefully consider the risks inherent in electronic voting, as it places 
our very democracy at risk. 

This was joint work with Adam Stubblefield, Avi Rubin, and Dan Wallach. 

Bio: 

Tadayoshi (Yoshi) Kohno is a doctoral student at the University of California at San 
Diego Cryptography and Security Laboratory. He is also affiliated with the Johns 
Hopkins University Information Security Institute. Prior to entering graduate school, 
Yoshi worked as a cryptography and computer security consultant with Counterpane 
Systems (now Counterpane Internet Security) and with Cigital. 






This article comes from Cryptonomicon.Net 
http://www.cryptonomicon.net/ 

The URL for this story is: 
http://www.cryptonomicon.net//modules.php?name=News&file=article&sid=463 

-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Concerns Over 'Serious Flaws' in Electronic Voting Prompt New Examination by Members of Congress

2003-08-26 Thread R. A. Hettinga
<http://www.americanfreepress.net/08_25_03/Concerns_Over/concerns_over.html>

American Free Press

Concerns Over 'Serious Flaws' in Electronic Voting Prompt New Examination by Members 
of Congress 

 

A recently published study documenting a host of security flaws in a leading 
touch-screen voting system has caused elections officials across the United States to 
question the use of electronic voting machines. 

 

Exclusive to American Free Press 

By Christopher Bollyn 

 

A published report from a team of computer experts exposing a wide range of security 
flaws in a leading touch screen voting system has sent "shock waves across the 
country" and caused elections officials to question the use of electronic voting 
machines. 

"The story is only beginning," Douglas W. Jones, associate professor of computer 
science at the University of Iowa, told American Free Press. Jones is key to 
understanding the security flaws a team of computer experts from Johns Hopkins and 
Rice University found when they examined the "source code," the software that runs the 
Diebold AccuVote-TS voting system. 

Aviel D. Rubin, associate professor of computer science and technical director of the 
Information Security Institute (ISI) at Johns Hopkins, led the study. The group's 
24-page report, Analysis of an Electronic Voting System, was published July 23. 

Diebold voting machines are used in 37 states. Nearly one in five Americans votes on 
touch-screen voting machines. 

Although voting machines were not on the agenda for the National Association of 
Secretaries of State (NASS), the release of the Hopkins report prior to their late 
July conference in Portland, Me., forced a change. The conference discussed whether 
the National Institute of Standards and Technology should be asked to establish new 
standards for computerized voting machines. 

"There is a sense that in the past [critics of computer voting machines] were part of 
the black box crowd and conspiracy theorists," Kay Albowicz, a representative for NASS 
said. "No one is saying that now." 

Albowicz could only have been referring to the numerous stories about computer voting 
fraud carried in The Spotlight, a newspaper shut down by the federal government in 
2001. 

"The Johns Hopkins study is the first piece of evidence that current touch-screen 
technology could be seriously flawed," the Internet-based Wired News (WN) reported. 

"As the computer scientists at Johns Hopkins recently reported, these new machines are 
vulnerable to massive fraud," Rep. Rush Holt (D-N.J.) said. "Unless Congress acts to 
pass legislation that would make sure that all computer voting machines have a paper 
record that voters can verify when they cast their ballots, voters and election 
officials will have no way of knowing whether the computers are counting votes 
properly." 

Holt has introduced a bill, H.R. 2239, which would require computerized voting 
machines to provide voter-verified audit trails, something first advocated by The 
Spotlight.

Computer scientists have said for years that voting machines should provide a 
voter-verifiable paper trail to prevent vote fraud. "In the absence of any significant 
audit trails, you have no knowledge whatsoever as to what goes on inside the systems," 
Peter Neumann of Stanford Research Institute said in 2002. 

The ISI researchers examined code from Diebold Elections Systems Inc. voting machines 
and found serious flaws. Thousands of computer files, including program files, were 
discovered on an unprotected company file transfer protocol (ftp) site on the 
Internet. Diebold "field representatives used the site to fix the company's voting 
machines," WN reported. 

"They claim they keep everything secure, but this shows the lax nature of their 
[Diebold] procedures," said Rebecca Mercuri, a computer science professor at Bryn Mawr 
College. "This just blatantly flies in the face of good security." 

Diebold spokesman John Kristoff said it was "an oversight" that source code had been 
available to the public over the Internet. 

Computer experts say the ftp files indicate that security flaws exist also in 
Diebold's optical scan machines. 

Experts discovered an oddly named folder on the ftp site named "rob-georgia." This 
folder contained program "patch" files, which instruct the computerized voting system 
to replace the existing program with another. Georgia, which experienced a historic 
Republican upset, was the first state to exclusively use Diebold touch-screen machines 
in November 2002. 

Rubin had published an earlier paper speculating on different ways an electronic 
voting machine could be compromised. "Looking at the actual code," he said, "it 
appears a lot worse than I predicted." Among the "stunning flaws"

Dare accepted on electronic voting machines

2003-08-26 Thread R. A. Hettinga
<http://ajc.printthis.clickability.com/pt/cpt?action=cpt&expire=&urlID=7300348&fb=Y&partnerID=553>

 
[ The Atlanta Journal-Constitution: 8/23/03 ] 

Dare accepted on electronic voting machines 
Programmer says she can crack system 

By JIM GALLOWAY 
The Atlanta Journal-Constitution 

In the end, Friday's two-hour discussion of whether computers should be the sole 
tabulators of Georgia voters' ballots came down to a challenge. 

Roxanne Jekot, a 51-year-old computer program developer from Cumming, said she and a 
few expert friends could crack Georgia's $54 million touch-screen voting system in a 
matter of minutes. 

Bring it on, said state election officials. 

"If something can beat the machine, we need to know that," said Brit Williams, a 
retired Kennesaw State University professor who helped design the state's touch-screen 
security system. He put the odds of corrupting the software undetected at 1 billion to 
one. 

The dare was made and accepted at the first of a series of seminars at Kennesaw State 
sponsored by Secretary of State Cathy Cox to defuse questions about the vulnerability 
of the statewide system she installed last year. 

Jekot said she could be ready as soon as next week. She said all she wants to do is 
point out weaknesses so that they can be fixed -- and declares she can put an 
unauthorized vote anywhere she wants. 

Election officials promised to provide a voting machine, and a computer server into 
which votes from the machine are fed. 

The November 2002 vote in Georgia went smoothly. But with a federally imposed deadline 
to revamp the voting systems in all other states now approaching, concern over the 
corruptibility of computer-based voting has spread across the nation. 

Last month, an associate professor of computer science at Johns Hopkins University 
released a study billed as the first independent review of electronic voting. It found 
the Diebold Election Systems used by Georgia to be vulnerable to tampering by 
unscrupulous voters, poll workers and software developers. 

Election officials in Georgia and other states dismissed it, saying it exaggerated the 
machines' exposure to hackers. 

Furor over the report was partly defused when the lead researcher acknowledged this 
week that he failed to disclose that he had stock options in VoteHere, a company that 
competes with Diebold in the voting-software market, and was a member of VoteHere's 
technical advisory board. 

But there remains a bill in Congress, introduced by U.S. Rep. Rush Holt (D-N.J.), to 
require that all voting machines produce a paper ballot that would be used as a 
back-up system in all elections. In any dispute, paper ballots would become the final 
arbiter. 

The seminar at KSU was a two-hour argument against the bill. Election officials argued 
that giving paper ballots the final say in an election would quickly render computer 
voting useless. 

Moreover, they said, paper ballots can be tampered with more easily than electronic 
ones, and they're harder to tabulate. 

Representatives from two U.S. senators and three members of Congress attended the 
seminar, but most of the questions were posed by Jekot, who describes herself as a 
political independent, and Hugh Esco, political coordinator of the Green Party of 
Georgia. 

"It's our position that machines are capable of showing whatever machines are 
programmed to show," Esco said. "I'm not a Luddite. I have a couple computers in the 
trunk and I know how to use them. But I know that I can't trust them with everything." 

Asked Williams, the computer security expert: "Are you saying there's no such thing as 
a secure and accurate computer? Do you fly on airplanes?" 

"Actually, I don't," Esco replied. 


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'



Voting Machine Study Divides Md. Officials, Experts

2003-08-21 Thread R. A. Hettinga
<http://www.washingtonpost.com/ac2/wp-dyn/A48092-2003Jul25?language=printer>

washingtonpost.com 

Voting Machine Study Divides Md. Officials, Experts 

By Brigid Schulte 
Washington Post Staff Writer 
Saturday, July 26, 2003; Page B01 

For some in Maryland, the report yesterday by Johns Hopkins University computer 
security experts that electronic voting machines could easily be hacked into set off 
alarm bells. But for others, including the state officials who recently signed a $55.6 
million agreement to put the units in every voting precinct by March, the report is 
one more example of "technological hysteria." 

"The study should be setting off alarm bells," said Del. William A. Bronrott 
(D-Montgomery). "We need to be 100 percent sure that there is no chance that our 
machines can be tampered with." 

"Even if it was completely impossible that [hacking] would ever happen, the reality that 
it could happen should be enough to concern us," said Cheryl C. Kagan, a former 
delegate who opposed using electronic voting machines. "If the system can't be used 
with confidence, it shouldn't be used at all." 

On Thursday, researchers with Johns Hopkins' Information Security Institute released 
their analysis of a Diebold Election Systems Inc. software code that they obtained in 
a fluke from an Internet site. They concluded that the system was so flawed that 
voters could vote multiple times, that ATM-like "Smart Cards" such as those used in 
Maryland could easily be copied and that an insider could program the machine to 
register votes incorrectly. 

Diebold officials dispute that report. On Friday, they released their own technical 
analysis and concluded that many of the weaknesses the Hopkins experts found could be 
attributed to the fact that the researchers used a personal computer to analyze the 
code, and that such weaknesses would not occur in a voting machine. 

Still, officials in Baltimore County say the flaws raised in the Hopkins report 
vindicate their caution. They were the only county in the state to ask for a waiver 
from using the machines. The state refused. 

"From the beginning, we have always felt that that state's timetable on this was 
cavalier and overly aggressive," said Damian O'Doherty, spokesman for County Executive 
James T. Smith Jr. "We think that there's too much evidence that the machines are 
error-prone." 

State officials maintain that the touch-screen machines make voting easier and more 
accurate and insist that the machines are ready for use, despite the report. 

"I don't think you're going to see the governor's office request additional studies," 
spokesman Henry Fawell said. "We believe that this system has gone through a very 
tough certification process and was very successful in the most recent election." 

Margaret A. Jurgensen, director of elections in Montgomery County, said that voters 
loved the machines. "The general election went off perfectly," she said. 

And in Prince George's, Alisha Alexander, an administrator at the county board of 
elections, said voters felt that they were finally entering the 21st century after 
more than three decades of using antiquated lever machines. "The feedback we received 
was overwhelmingly positive," Alexander said. 

Maryland's recent agreement with Diebold is worth as much as $55.6 million for 11,000 
voting machines and optional services -- the largest systemwide contract in the nation 
to date. It represents the second phase of an effort to modernize the state's voting 
machines. In 2001, the state spent $17 million to put 5,000 machines in four counties, 
including Montgomery and Prince George's. 

The debacle of the 2000 presidential election, when the future of the country hung in 
thousands of hanging chads in Florida, prompted many states to reevaluate their voting 
systems. And Maryland became one of the first to embrace the idea of touch-screen 
voting. 

The push was championed by then-Secretary of State John T. Willis, who dismissed the 
Hopkins report as "technological hysteria." 

"To say I can duplicate a Smart Card, sure, you can postulate all kinds of things, but 
there are so many checks and balances," he said. "I have 100 years of election data. 
If someone would try to monkey around precinct by precinct with the vote results, I'd 
know." 

But not everyone is so sure. In 2001, four out of the five members of the technical 
group that was asked to recommend to the state which electronic voting system to buy 
instead recommended against buying any at all. The state ignored the advice. 

"They didn't take us very seriously then," said Tom Iler, director of Information 
Technology for Baltimore County who served on the group. "I suppose it's not very 
sur

Re: Computer Voting Expert, Dr. Rebecca Mercuri, Ousted From Elections Confer...

2003-08-21 Thread Freematt357
Some effort should be made to communicate the danger of e-ballots to the 
various grassroots, political organizations interested in voting issues. We really 
have to get a wider audience made aware of the tremendous danger.

And somebody should work on producing an alternative hybrid voting machine 
that is hard copy paper verifiable. I think we have to give these local 
governments a viable alternative, a machine that can't be used for
Machiavellian machinations.


Regards,  Matt Gaylor


Re: Computer Voting Expert, Dr. Rebecca Mercuri, Ousted From Elections Conference

2003-08-21 Thread Adam Shostack
Well, if you can't win on the truth, win on the procedures.

At least Dr. Mercuri is in fine company there, ranging all the way
back to Socrates and Galileo.  Little consolation, I know, as our
democracy gets replaced by a kleptocracy, but what can you do?

Maybe she should set up stealdemocracy.com, a new voting machine
company.  Sell machines that explicitly let you steal elections.  Get
some press.

Adam


On Wed, Aug 06, 2003 at 11:08:38AM -0400, R. A. Hettinga wrote:
| Notice they did this to Chaum, too...
| 
| Cheers,
| RAH
| 
| --- begin forwarded text
| 
| 
| Status:  U
| To: "johnmac's living room" <[EMAIL PROTECTED]>
| Cc: Dave Farber <[EMAIL PROTECTED]>
| From: "John F. McMullen" <[EMAIL PROTECTED]>
| Mailing-List: list [EMAIL PROTECTED]; contact [EMAIL PROTECTED]
| Delivered-To: mailing list [EMAIL PROTECTED]
| Date: Mon, 4 Aug 2003 23:31:49 -0400 (EDT)
| Subject: [johnmacsgroup] Computer Voting Expert, Dr. Rebecca Mercuri, Ousted From
|  Elections Conference
| 
| Computer Voting Expert Ousted From Elections Conference
| 
| Lynn Landes
| freelance journalist
| www.EcoTalk.org
| 
| Denver CO Aug 1 - Dr. Rebecca Mercuri, a leading expert in voting machine
| security, had her conference credentials revoked by the president of the
| International Association of Clerks, Records, Election Officials, and
| Treasurers (IACREOT), Marianne Rickenbach. The annual IACREOT Conference
| and Trade Show, which showcases election systems to elections officials,
| is being held at the Adam's Mark Hotel in Denver all this week.
| 
| Mercuri believes that her credentials were revoked because of her position
| in favor of voter-verified paper ballots for computerized election
| systems. "I guess in a very troubling way it makes sense that an
| organization like IACREOT, that supports paperless computerized voting
| systems, which are secret by their very design, would not want computer
| experts who disagree with that position at their meetings."
| 
| Dr. Mercuri said that her credentials were approved for the first three
| days of the conference. She attended meetings of other groups and visited
| the exhibitors hall. But it was only on Thursday as she sat down to attend
| her first meeting at the IACREOT that President Marianne Rickenbach took
| Mercuri out of the room and told her that her credentials were being
| revoked. Rickenbach said that Mercuri had not filled out the forms
| correctly. Mercuri protested, but was refused reinstatement.
| 
| David Chaum, the inventor of eCash and a member of Mercuri's
| 'voter-verified paper ballot' group, had his credentials revoked on the
| first day of the conference. On the second day his credentials were
| partially restored. Chaum was allowed to visit the exhibitors hall, but
| not attend the IACREOT meetings.
| 
| Rickenbach was unavailable for comment as of this report. Mercuri can be
| reached at the Adam's Mark Hotel through Saturday.
| 
| ---
| 
| 
|   "When you come to the fork in the road, take it" - L.P. Berra
|   "Always make new mistakes" -- Esther Dyson
|   "Be precise in the use of words and expect precision from others" -
|Pierre Abelard
|   "Any sufficiently advanced technology is indistinguishable from magic"
|-- Arthur C. Clarke
|   "Bobby Layne never lost a game. Time just ran out." -- Doak Walker
| 
|  John F. McMullen
|   [EMAIL PROTECTED] ICQ: 4368412 Fax: (603) 288-8440 [EMAIL PROTECTED]
|  http://www.westnet.com/~observer
|  NOYFB,P
| 
| --- end forwarded text
| 
| 
| -- 
| -
| R. A. Hettinga 
| The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
| 44 Farquhar Street, Boston, MA 02131 USA
| "... however it may deserve respect for its usefulness and antiquity,
| [predicting the end of the world] has not been found agreeable to
| experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

-- 
"It is seldom that liberty of any kind is lost all at once."
   -Hume





Computer Voting Expert, Dr. Rebecca Mercuri, Ousted From Elections Conference

2003-08-21 Thread R. A. Hettinga
Notice they did this to Chaum, too...

Cheers,
RAH

--- begin forwarded text


Status:  U
To: "johnmac's living room" <[EMAIL PROTECTED]>
Cc: Dave Farber <[EMAIL PROTECTED]>
From: "John F. McMullen" <[EMAIL PROTECTED]>
Mailing-List: list [EMAIL PROTECTED]; contact [EMAIL PROTECTED]
Date: Mon, 4 Aug 2003 23:31:49 -0400 (EDT)
Subject: [johnmacsgroup] Computer Voting Expert, Dr. Rebecca Mercuri, Ousted From
 Elections Conference
Reply-To: [EMAIL PROTECTED]

Computer Voting Expert Ousted From Elections Conference

Lynn Landes
freelance journalist
www.EcoTalk.org

Denver CO Aug 1 - Dr. Rebecca Mercuri, a leading expert in voting machine
security, had her conference credentials revoked by the president of the
International Association of Clerks, Records, Election Officials, and
Treasurers (IACREOT), Marianne Rickenbach. The annual IACREOT Conference
and Trade Show, which showcases election systems to elections officials,
is being held at the Adam's Mark Hotel in Denver all this week.

Mercuri believes that her credentials were revoked because of her position
in favor of voter-verified paper ballots for computerized election
systems. "I guess in a very troubling way it makes sense that an
organization like IACREOT, that supports paperless computerized voting
systems, which are secret by their very design, would not want computer
experts who disagree with that position at their meetings."

Dr. Mercuri said that her credentials were approved for the first three
days of the conference. She attended meetings of other groups and visited
the exhibitors hall. But it was only on Thursday as she sat down to attend
her first meeting at the IACREOT that President Marianne Rickenbach took
Mercuri out of the room and told her that her credentials were being
revoked. Rickenbach said that Mercuri had not filled out the forms
correctly. Mercuri protested, but was refused reinstatement.

David Chaum, the inventor of eCash and a member of Mercuri's
'voter-verified paper ballot' group, had his credentials revoked on the
first day of the conference. On the second day his credentials were
partially restored. Chaum was allowed to visit the exhibitors hall, but
not attend the IACREOT meetings.

Rickenbach was unavailable for comment as of this report. Mercuri can be
reached at the Adam's Mark Hotel through Saturday.

---


  "When you come to the fork in the road, take it" - L.P. Berra
  "Always make new mistakes" -- Esther Dyson
  "Be precise in the use of words and expect precision from others" -
   Pierre Abelard
  "Any sufficiently advanced technology is indistinguishable from magic"
   -- Arthur C. Clarke
  "Bobby Layne never lost a game. Time just ran out." -- Doak Walker

 John F. McMullen
  [EMAIL PROTECTED] ICQ: 4368412 Fax: (603) 288-8440 [EMAIL PROTECTED]
 http://www.westnet.com/~observer
 NOYFB,P







--- end forwarded text


-- 
-
R. A. Hettinga 
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
