by nickparker 3627 days ago
Does anyone else find it extremely discomforting that the voting machines even have a full fledged OS?

It's a throwback to this xkcd https://xkcd.com/463/

In my mind, the ideal electronic voting machine:

- Has mechanical buttons which simultaneously punch a paper ballot in a manner observable to the voter

- Runs on a small (open source) microcontroller that's been audited for backdoors.

- Runs (open source) crypto directly on the metal

- Publishes the results in a cryptographically verifiable way.

IMO, anything else is evidence of at least government/contractor ineptitude, and potentially malfeasance.

2 comments

In terms of security, that is probably exactly correct (I'm a complete security novice FWIW). Way too high of an attack surface area. That being said, as soon as you get into microcontroller territory, you turn it into a niche thing that makes it inaccessible to most. What are the chances of finding talent that can write user-facing code that runs bug free on microcontrollers while simultaneously writing/proving the crypto? Maybe that talent is more common than I suspect, but I certainly haven't seen it. I would be happy with rust/ocaml on a unikernel or rump kernel though :)
Why does dropping the OS mean you have to run on microcontrollers and write everything from scratch? All it means is your software needs to incorporate the OS functions that it needs for interacting with the hardware. You can still use any hardware platform you want and any third-party libraries available for said platform.
Which is exactly what microcontroller programming is.

I worked and still do some work in embedded programming. If you've never done it before: an OS makes life super, super easy. Really.

Well, yeah, most microcontrollers require bare-metal programming. That's not my point. My point is any device can be developed for that way, and that going OS-less does not mean having to write everything from scratch. After all, that's what the OS is: a bare-metal application that functions as middleware (amongst other things) for the hardware platform.

Also, I know having an OS makes it easy. If you have full control over the hardware platform and environment, and user interaction with the system is limited to a relatively small set of UI objects, you shouldn't need a full OS. Something bare-bones like DOS or FreeRTOS should be fine. Even on the box I worked on that used RHEL we stripped almost everything out. I'm still not sure why they decided to go with RHEL as the base, considering the amount of work that went into customizing it.

Microcontroller stuff isn't necessarily inaccessible. You can target extremely barebones platforms with Rust, and it goes without saying that C runs almost anywhere.

The point is to have absolute bare-minimum technology. There's no user-facing code to write, it should really be as simple as:

- A function that encrypts an int between 0 and N, perhaps in homomorphic fashion

- N-1 buttons (as in, mechanical contacts) that each trigger a subroutine "Encrypt the number X and broadcast it to whoever is tabulating and/or auditing the vote"
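As an added illustration of the two ideas in this thread (the original post's "publishes the results in a cryptographically verifiable way" and the comment above's "encrypt an int between 0 and N, perhaps in homomorphic fashion"), here is a small Python sketch that is not from the post or any real voting product. It uses exponential ElGamal, an additively homomorphic scheme: each ballot is a vector of ciphertexts, one per candidate, and multiplying the published ciphertexts slot-wise yields an encryption of each candidate's total, so any observer can recompute the encrypted tally from the published ballots without holding the key. The group parameters are toy-sized and chosen only so the code runs; a real deployment also needs proofs that each ballot is well-formed and threshold decryption so no single party holds the key, neither of which is shown here.

```python
import secrets

# Toy group parameters, constructed for illustration only (far too small for real use).
P = 2039  # safe prime, P = 2*Q + 1
Q = 1019  # prime order of the subgroup we work in
G = 4     # generator of the order-Q subgroup (a quadratic residue mod P)
assert pow(G, Q, P) == 1 and G != 1


def keygen():
    """Return (private key, public key) for the tallying authority."""
    sk = secrets.randbelow(Q - 1) + 1  # uniform in [1, Q-1]
    return sk, pow(G, sk, P)


def encrypt(pk, m):
    """Exponential ElGamal: encrypt G^m so that ciphertexts add under multiplication."""
    r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), (pow(G, m, P) * pow(pk, r, P)) % P)


def add(c1, c2):
    """Homomorphic addition: Enc(m1) * Enc(m2) = Enc(m1 + m2)."""
    return ((c1[0] * c2[0]) % P, (c1[1] * c2[1]) % P)


def decrypt(sk, c, max_m):
    """Recover m from Enc(m) by stripping the mask and solving a small discrete log."""
    a, b = c
    gm = (b * pow(pow(a, sk, P), -1, P)) % P  # b / a^sk == G^m
    for m in range(max_m + 1):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("plaintext outside expected range")


def cast_ballot(pk, choice, n_candidates):
    """One-hot ballot: slot `choice` encrypts 1, every other slot encrypts 0."""
    return [encrypt(pk, 1 if i == choice else 0) for i in range(n_candidates)]


def homomorphic_tally(ballots, n_candidates):
    """Slot-wise product of all ballots: an encryption of each candidate's count."""
    totals = [(1, 1)] * n_candidates  # (1, 1) is the identity for add()
    for ballot in ballots:
        totals = [add(t, c) for t, c in zip(totals, ballot)]
    return totals


def verify_tally(published_ballots, published_totals, n_candidates):
    """Public check: recompute the encrypted totals from the published ballots (no key needed)."""
    return homomorphic_tally(published_ballots, n_candidates) == published_totals


def run_election(votes, n_candidates):
    """End to end: cast, publish, verify, and decrypt only the totals, never a single ballot."""
    sk, pk = keygen()
    ballots = [cast_ballot(pk, v, n_candidates) for v in votes]
    totals = homomorphic_tally(ballots, n_candidates)
    if not verify_tally(ballots, totals, n_candidates):
        raise RuntimeError("published totals do not match published ballots")
    counts = [decrypt(sk, t, len(votes)) for t in totals]
    if sum(counts) != len(votes):
        raise RuntimeError("counts do not add up to the number of ballots")
    return counts


if __name__ == "__main__":
    # Constructed sample: five voters, three candidates.
    print(run_election([0, 2, 2, 1, 2], 3))  # [1, 1, 3]
```

The auditing step is `verify_tally`: because the tally is a public function of the published ciphertexts, anyone can rerun it, and an authority that publishes a tally ciphertext it did not derive from the ballots is caught without anyone decrypting an individual vote.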

This is my reaction too. There are systems with no security flaws, but they tend to be small-surface devoted hardware. Something the size of Windows will consistently turn up zero-day flaws that could be used against voting, whereas plenty of on-metal microcontroller programs have no holes at all.

Frankly, a really reassuring voting system would be the exact opposite of what we have: it would be open to all security researchers and consist of minimal, verifiably-safe code to count vote totals.