by gregmac 2876 days ago
Another threat model is the people who build the software and hardware. How do you ensure:

(1) The software is not doing anything nefarious

(2) The software toolchain is not modifying the software in (1) to cause it to do something nefarious

(3) The software loaded onto the machines is actually the software verified in (1) and compiled by the verified toolchain in (2)

(4) The machine doesn't have any kind of hardware/firmware-based defeat device to trick you into falsely confirming (3)

This is essentially the same problem as is outlined in Ken Thompson's Reflections on Trusting Trust [1].

[1] https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p7...


> (1) The software is not doing anything nefarious

Open source

> (2) The software toolchain is not modifying the software in (1) to cause it to do something nefarious

Use open source toolchains and hash the result.

> (3) The software loaded onto the machines is actually the software verified in (1) and compiled by the verified toolchain in (2)

Maybe some kind of cryptographic puzzle, question/response: you need to make a hash with the program, and make the HDD not large enough to contain more than that. Or maybe read-only storage. Even a combination.

> (4) The machine doesn't have any kind of hardware/firmware-based defeat device to trick you into falsely confirming (3)

Your voting results are confirmable on the blockchain, but not specific: you can check that your vote hasn't been changed, but not the vote itself.

For people to have trust in their vote being counted, the voting machine needs to be understandable by everyone, not just software engineers specializing in cryptography.

A counting room full of people counting paper ballots is a machine, and it's a transparent machine where everyone inside it and outside of it can understand how it works, and trust that it's working properly.

But the biggest argument against electronic voting is that you're not solving any problems, you're just adding problems and decreasing the trust in the elections massively. And for what? To get election results a few hours faster? That's ridiculous.

If the only question left is whether or not it's easy enough, I think we're good and can find a solution for that problem too.

> A counting room full of people counting paper ballots is a machine, and it's a transparent machine where everyone inside it and outside of it can understand how it works, and trust that it's working properly.

I agree with this 100%.

Electronic voting must be cryptographically secure, and increase trust and security. I think this should be the first rule.

> must be cryptographically secure, and increase trust and security.

Those two goals are mutually exclusive.

Everyone understands how a room full of people counting paper ballots works, without having to explain it. Everyone understands that the process is transparent, and that by having people of different political persuasions working together, you ensure that the result is fair.

There is also immense value in having the voting "machine" being made up of actual humans, so that everyone in society can take part if they want to, and feel like they're doing their part to defend democracy.

And none of that can be replicated in software. You and I might be able to understand and trust the software, but everyone? Not gonna happen.

I personally don't understand how hashes work. I know _what_ they do, but not really how, just that they are not mathematically reversible. I should probably learn how exactly it works, since they're extremely common.

I think most people know their passwords are encrypted, but they don't know about hashes at all; they just assume the domain experts have figured it out.

Security in e-voting would probably look similar. You would know there are smart people somewhere who understand the complexity, and ideally you would have ample opportunity to learn.

If you want to know what the general public thinks of "smart people" doing stuff they don't understand, just look at the reaction to scientific consensus on global warming.

I find it hard to imagine a plausible scenario where a complex, blockchain-driven election model is met with trust and comfort by a broad cross section of voters. It practically begs for anti-science paranoia.

The blockchain voting idea, among its numerous flaws, is philosophically grounded in hyperindividualism. I care about the integrity of my ballot, and mine alone.

But elections are not about my vote. They're about everyone's vote. I care about not just the integrity of my own ballot, but the integrity of every other voter's ballot as well. And, given a system where most people will never do a complex blockchain verification of their ballot, or have a mechanism to be certain that no additional machine-generated ballots were added to the results... blockchain isn't solving the actual problem.

Don't be in love with technology when looking for actual solutions to actual problems.

> people will never do a complex blockchain verification

People don't verify their vote now, so this is unimportant.

> have a mechanism to be certain that no additional machine-generated ballots were added to the results

This should only require a handful of people to check.

Theoretically correct and practically correct are two different things... Kind of like cryptography. Is it reasonable to expect best practices to happen? Especially when observable things like gerrymandering are so blatantly done?

Consider the apocryphal story: "NASA spent millions of dollars developing an 'astronaut pen' that would work in outer space, while the Soviets solved the same problem by simply using pencils."

Why go for the complicated solution when the simple one works?