Re: The case for open-source software in elections

From: Hamilton Richards <hrichrds_at_swbell_dot_net>
Date: Fri Feb 09 2007 - 16:37:27 CST

Ron, thanks for your thoughtful critique of my attempt to disentangle
the issues of open-source software and security.

Presentation attacks look like a problem, especially when a polling
place presents numerous different ballots to different voters
depending on their language or place of residence (so it wouldn't
help to have a wall poster saying "Your ballot should look like
this"). As ever, complexity provides hiding places for skullduggery.
The touch-screen sensitivity modulation attack could be countered by
not using touch screens (their tendency to lose calibration is
already enough reason to prefer interfaces like Hart Intercivic's
rotary indexing knob). Otherwise, aside from depending on voter
vigilance, I don't see an obvious solution.

Ballot spoofing attacks are a weakness of the OVC's prototype design
[1], which encodes the voter's choices in a bar code; this feature
makes for easy reading by a scanner, but not by humans. Perhaps it
would be better for the bar code to be dispensed with, and for the
scanner to read the the same text as the humans.

On the other hand, one of the OVC design's strengths is that it has
the voter manually deposit the printed ballot. This feature provides
immunity to the attack (Paper Trail Manipulation II) described in the
NIST Threats paper to which you provided a link.




>Date: Wed, 07 Feb 2007 22:24:02 -0800
>From: Ron Crane <>
>Subject: Re: [OVC-discuss] The case for open-source software in
> elections
>To: Open Voting Consortium discussion list
> <>
>Message-ID: <>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>I agree with most of what you've written, and especially the Thompson
>cite. But ballot printers are susceptible to more than just DoS attacks.
>There are also presentation attacks (e.g., dropping candidates from the
>ballot, rearranging the ballot, modulating the sensitivity of the
>touch-screen depending upon the candidate being selected...), plain-old
>misprinting attacks (depends on the voter not verifying her ballot, like
>lots of voters won't), and ballot spoofing attacks, where the machine
>produces a ballot that looks correct to humans, but that is printed so
>that the scanner reads something other than what the voter intended (can
>be detected by hand audits, but who does those?).
>And VVPAT machines are susceptible to worse attacks, like
> .

Hamilton Richards, PhD           Department of Computer Sciences
Senior Lecturer (retired)        The University of Texas at Austin      
OVC-discuss mailing list
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
Received on Wed Feb 28 23:17:14 2007

This archive was generated by hypermail 2.1.8 : Wed Feb 28 2007 - 23:17:27 CST