NY Legislature Rejects "Microsoft Amendment"

An anonymous reader writes "Finally, some good news on electronic voting. The New York state legislature rejected an amendment proposed by Microsoft's lobbyists which would have gutted New York's requirements for voting machine vendors to turn over their source code to the state Board of Elections. Assemblywoman Barbara Lifton commented: 'The voting machine vendors have known for two years what our laws said. Now they're saying that those parts of their systems using Microsoft software have to be proprietary? It's just wrong.'"

Nothing to see here. Move along.

Right next to a MS ad, even.

Re:Nothing to see here. Move along.

I click on them all the time.

It's a deliciously satisfying way of transferring cold hard cash from Microsoft's wallet to Slashdot and Google.

Re:Nothing to see here. Move along.

You rock!!

Re:Nothing to see here. Move along.

I click on them all the time. It's a deliciously satisfying way of transferring cold hard cash from Microsoft's wallet to Slashdot and Google.

And you're also diluting the CPA, which is the real measure of ad performance. http://en.wikipedia.org/wiki/Cost_Per_Action [wikipedia.org]

Of course, you by yourself won't have much impact but there would be if 1% of Slashdot's reader base did.

Was I the only one?

Who reacted with a HA! HA! Nelson is my copilot...

no its not

I agree that the voting code should be published.

But platform code that is obtained from a third party vendor should be acceptable provided that it is widely used as a general purpose platform and there is a reliable demonstration that the code has not been modified.

I would rather see voting platforms built on microsoft trustworthy computing platforms without code review of the platform part of the system than built on a platform where I cannot be sure what code is running.

The code reviews are useless unless I am sure that the machines actually run the code that was reviewed.

Of course paper and pencil requires no code review.

Re:no its not

The voting system in old USSR, Current China, Cuba, taliban controlled afghanastan, etc were on systems that were widely used. Personally, I would not trust them. Why settle for a system like MS, when you can insist on having no chance of an illegal election. NY has it right. Insist on all the code up front. Have it compile and then that is installed on the systems. Otherwise, the ppl from other countries have it right; There is NOTHING wrong with a paper vote other than taking so long.

Paper ballots

There is NOTHING wrong with a paper vote other than taking so long.
Oh yeah? What about the honesty of the people who are counting those paper votes.

Ballot-stuffing and outright deliberate miscounts can and still do happen with paper votes. Even right here

Re:Paper ballots

thats why you don't trust them, and make them count in pairs with strict oversight, rotating the pairs and doing random checks. clearly you know nothing of how they count ballots.

Re:no its not

There is NOTHING wrong with a paper vote other than taking so long.

Not that it even takes that long. Most results are in by the 11 O'clock news. In a close race you may need to wait till the morning to get your election results. Who cares?

Electronic voting machines are the solution to a problem that doesn't exist and only result in complicating things immensely and making the results less reliable. I don't see the benefits.

Re:

Most results are in by the 11 O'clock news.

Here in the midwest, we have you beat by an hour. We get it on the 10 o'clock news.

Simplify the hardware

Simplify the hardware; you don't need the latest, fanciest CPU if all you want to do is count.

Buy a batch of Z-80s or even 8080s; they are still being made. The design is so old that it's unlikely to have been compromised; but if you are really paranoid, the circuitry of an 8-bit CPU is simple enough that you could easily verify it by hand. Build a little voting box around one of those chips, and you're done.

The design would take half a year and cost less than a $1 million -- which is peanuts when the goal is to ensure the honesty of a democracy's most important event.

8-bit voting

char voteCount;

...

// FIXME: This won't work if a candidate ever gets more than 255 votes,
// but that'll probably never happen
voteCount++;

Re:no its not

Simplify the architecture as far as possible. Like, 1980s architecture simple. Publish all the code publicly, so as many people as want to can comb over it. Make the 'bootstrapping' of the compiler chain a public event, open to observers. Use a hardware design that's as simple as possible, using parts that are old and widely understood. Make one single, standard reference design, and test/audit the hell out of it. Allow opposing political parties to act as observers during the election and vote-counting process. Keep an audit trail and make that public, too.

Alternately, just use pencils and learn to be slightly more patient than usual. The whole desire for electronic voting is due to a desire for immediate gratification and a pointless requirement to have the votes tallied on the same day as the election. It's stupid; voting is the most important thing in our government, if it takes a week, it takes a week. Democracy functioned without e-voting; we're just making the system more opaque than it needs to be.

Re:no its not

The solution is to create a system where you don't have to trust the source code to begin with

Touchscreen, vote, hit done, the machine prints a paper ballot. You review said ballot and deposit the paper ballot in the ballot box.

What could be simpler and less prone to manipulation or error?

In that scenario, you don't have to know jack shit about the voting machine or its source code. It doesn't matter. The voter reviews the output, not the internals. If people start noticing that a certain machine or certain brand of machines prints incorrect ballots frequently, well then steps can be taken to figure out why.

But the end to end system can't be gamed.

There is no level of code review or "trusted computing platform" specification that will provide anywhere NEAR that level of trust and confidence in the system. Add to that the fact that you have an incontrovertible source of paper ballots for recounts, what more does anyone want? why do we put up with anything less?

Re:

I agree that having the source code offers no assurances as to the legitimacy of the vote. It's too easy to hide stuff.

However, if there are general "quality" problems (lost votes, machines crashing, etc.) it will be that much easier to place the blame

Re:no its not

why not just use paper then? hell of a lot simpler and cheaper.

how does that paper assure you the recorded vote is saved in the system is the same as what the paper says? it doesn't.

the only form of electronic voting i can see working is a system of electronic paper, which lets you press directly on the box you want and fills it. you deposit it in the secure box as normal and it's then counted by a machine, advantage being that it's digital so your counter won't run into false positive problems like with pencil, and it's still human verifible like paper.

Re:no its not

There's a better system than that - your vote is stored in a database, but your vote is also printed out for you to review. You then put the paper in a box that is kept under lock and key. For quick results, the database count is the one that is looked at. However, any third party can request to count the paper votes and compare them to the database count. If they do not match, then there is a physical audit trail to show that someone was monkeying with the software. This way, we get fast results, and verification.

Trust, then verify, is the solution in this case.

Just make the database public

Read-only access of course. But given the size of computer storage nowadays, it should be pretty simple to make the whole voting record publicly available on the Internet.

The voting machine has a public/private key pair. It generates a random public/private key pair in between votes which stays resident only in memory (is not written to disk). When you vote, your votes are coded. It's then encrypted with the voter's private key and the voting machine's public key. The voter's plaintext vote, an index number, the encrypted vote, his private key, and the voting machine's public key are then printed on a piece of paper the voter can take home. The voting machine then stores the encrypted vote and the voter's public key. Nothing else.

When tallying the votes, each machine runs through its stored votes, decrypting the record of encrypted votes using each voter's public key and the machine's private key. All this information is then sent to a central vote tallying database. The unencrypted votes are used for the official tally. The encrypted votes are used as proof against tampering. The index is used to allow voters to query the database.

Once home, the voter can log into the vote tally web site. He can query the database to make sure it's recorded his vote right. He asks it to send the vote recorded with his index number. It takes the unencrypted vote, encrypts it with the voting machine's private key and the public key associated with that index and sends it to him. His computer then uses the voting machine's public key and his private key to decrypt it. If all went well, it should match what's on his printout.

• The system does not record who voted which way. The only way to link a vote with the voter is via the index number and private key printed on the voter's slip, which he is free to shred, eat, burn, whatever. I think it may even be possible to validate that the votes match by comparing the encrypted votes, without ever looking at the plaintext vote. It's been a while since I did the RSA key pair stuff.
• Nobody can tamper with the votes in the database because the encrypted version is encrypted with the voter's private key, and only he has a copy of that key. If someone modifies his vote, they need to use a new public/private key pair. The voter's private key will no longer work against the returned result when he queries the vote counting database, tipping him off that something fishy is going on.
• The voter cannot tamper with his printout to fake vote counting fraud. To change it so his plaintext vote and the encrypted vote match, he needs the voting machine's private key.
• By virtue of the previous two bullets, if there is a discrepancy, you can localize where the problem occurred. The voter needs the voting machine's private key to alter his vote. The vote tallying people need the voter's private key to alter his vote (the encoded and unencoded vote on his paper would be encrypted with the voting machine's private key, authenticating that his printout is genuine).
• Don't do anything stupid like seed the RNGs in all the voting machines with the same seed, so they all generate the same key pairs. Include something like the millisecond the vote was cast in the seed.

The only way I can think of to commit vote fraud against this system would be by stuffing the ballot box with false votes. And even there you could do a sanity check by comparing the number of votes cast by the number of voters the precinct operators counted (they mark off your name after you vote, so it's fairly easy to count how many names they've marked off).

That's all I can think of off the top of my head.

Re:

I like it - you're almost there, but you've got some problems. If I'm mistaken, feel free to correct me.

• Bringing a plaintext vote out of the ballot box is bad and should not be done. While it may seem ridiculous, we don't want members of organized crime

Re:Just make the database public

The system does not record who voted which way. The only way to link a vote with the voter is via the index number and private key printed on the voter's slip, which he is free to shred, eat, burn, whatever. I think it may even be possible to validate that the votes match by comparing the encrypted votes, without ever looking at the plaintext vote. It's been a while since I did the RSA key pair stuff.

If you vote for my candidate, then bring me your slip with the private key so I can verify it online, I'll pay you $20.

Re:

But platform code that is obtained from a third party vendor should be acceptable provided that it is widely used as a general purpose platform and there is a reliable demonstration that the code has not been modified.

Widely used as a general purpose plat

Don't stop at the code. Schematics too

Since it is more than just theoretically possible to hijack a voting machine via hardware methods, all aspecs of the design should be held for review.

Re:

> I would rather see voting platforms built on microsoft trustworthy computing platforms

Here you are [fisher-price.com]. Point the arrow at your candidate and pull the handle.

Re:

That's some rigorous requirement you've got there. So how much does Redmond pay you to be the local /. shill?

So the only reason someone would disagree with your point of view is that they are paid to do so? That is some opinion of your abilities you have

Re:no its not

palladium says that the OS that was installed on the OS was not modified from what the controller wants. It does NOTHING to guarantee that the OS was not compromised before being put on there. I will take a locally compiled version of BSD and/or Linux. In fact, better yet, I will take something that is DO-178B compliant in which the feds have already looked over it, and still looked over. BTW, when MS was asked if they would submit one of their OSs for Do-178B, they asked for the certs. A month later when asked, they laughed the CEO out. They said that NONE of their OSs could come close to close inspection.

Re:

Mod parent up! MSFT operating systems are simply not secure enough for mission critical applications. That's why you see most mission critical apps running on either big iron, Unix, or a realtime embedded system from companies like WindRiver.

Re:no its not

Doesn't the Microsoft EULA state that their OS is not to be used in mission critical applications or applications where the lives of people could be at risk anyway? I remember reading that on the NT4 EULA. Not sure if it remained in the text...

Re:

The Royal Navy's Windows for Warships progam probably counts as both a critical application and one where people's lives are at risk.

e.g.

Prompt: An inbound missile has been detected that could hit your ship (time to impact: 15 seconds). Allow or Deny?
User

Re:no its not

In this particular case the risk of a trapdoor in the platform code is a lower concern than the risk of the running code being substituted on the final machine.

IANAProgrammer, But for this application neither is acceptable.
Given what the code is required to do (allow for the selection of a vote in each catagory, record said votes, provide totals for each catagory) shouldn't the code be blindingly simple? Give me ANSI graphics and no mouse driver. Give me three imputs: cursor up, cursor down, enter/select. Hell, it can print out on a dot matrix. It should be a requirement that the code be small enough to be reviewed completely, without excessive effort.

Risk analysis

So the only reason someone would disagree with your point of view is that they are paid to do so?

Without agreeing with the rhetorical gist of the GP, I believe the point being made was that the suggestion was so absurd that nobody would put it forward unless they were paid to do so.

I disagree with that premise, but I do agree that obscuring any aspect of a voting system that is being used to decide, among other things, the next president of the United Sates is the height of folly.

Security is risk control, not risk elimination. In this particular case the risk of a trapdoor in the platform code is a lower concern than the risk of the running code being substituted on the final machine.

Risk is measured as a combination of:

• How easy it is to attack using a particular vector;
• What the payoff will be for the attacker;
• What the cost will be to the defender if the exploit succeeds;
• What the cost of securing that vector is.

In this case, the prize is political control of the most powerful nation in the world. So we need to ask ourselves: How much are fair and free elections worth? What, in effect, is the price of the democratic process in the US?

I think it's worth billions of dollars. That means stringent code review, impeccable chain of custody and constant supervision. Saving a few bucks by using an off-the-shelf operating system - especially one that is orders of magnitude more complex than what is actually required - that's absurd, in my opinion.

Sucks to be MSFT...

...or any other proprietary vendor.

Sorry Steve, Bill - but some of us want to see what these things actually do when we use 'em to cast a vote.

Meanwhile, I'm damned sure that somebody in Diebold went all Ballmer on the furniture... though I can't wait

Re:Sucks to be MSFT...

You sure as hell wont be seeing it. It'll be shown to a couple of high profile professional auditors who will give it the green or red light, and that's that. At NO point will the public see it.

Glad to see NYS grew a pair...

After that amendment passed, I was worried about NYS letting this fly. I'm glad to see that the legislators are attentive.

The real question is: What does Microsoft have to hide from election officials?
-Are they worrying that the source will be leaked?
-Due to the above fear, is MS afraid of getting crap from the DRM loving media cartels?
-Is there something in the code that MS doesn't want seen?
-Are they afraid this mentality hurts the "security through obscurity" idea?

Of course this is all speculation. I'm just so curious why Microsoft is so opposed to sharing their code with a state government.

Re:

Microsoft doesn't want to put the Windows source code in escrow because if they do, it will hit everyone's favorite Swedish website the very same day. They aren't stupid. They know that some near-minimum-wage state employee would jump at the chance to leak

Re:Glad to see NYS grew a pair...

I'm no fan of MS in any way, shape or form, but I can completely understand their reluctance to hand over their source code. In this day and age there is a good chance that it would be leaked faster than you can say BitTorrent.

If the price of admission into the eVoting game is handing over their source code then they made a wise business decision. It's far too small of a market for MS to chance exposing Windows source (and all the security breaches that would soon follow). In the big picture of things, MS made the right decision. That aside, they still suck for trying to sneak that amendment in.

Re:

This has been my feeling all along. To be honest, I doubt Microsoft really gives a damn, precisely because it's such a small market. But the fact is that some guys out there have written voting software on their platform. I don't really blame Microsoft

Re:Glad to see NYS grew a pair...

The worst case here for Microsoft is that New York State refuses to allow any voting machines that run Windows.

You are thinking way too small here.

The worst case for Microsoft is that this is the first step towards all government computers being forced to run freely auditable code. That means no Windows.

This is frankly the only responsible thing to do from a security standpoint, and barring illegal collusion we would probably be there already.

What I want to know..

Is why the HELL anyone is trying to build a voting machine around an unsecureable platform in the first place? If these vendors want to sell systems that have specific requirements for auditability and securability, they can either comply with the requirements or fuck off.

-jcr

Re:What I want to know..

Is why the HELL anyone is trying to build a voting machine around an unsecureable platform in the first place?

Because you can't rig an election if the voting machines are secure.

Don't Trust Microsoft With Our Elections...

It seems to me that what Microsoft is asking is that we "trust them" without having earned that trust. Without seeing the code how do I know that there isn't a backdoor?

Microsoft's security record has been dismal to put it politely. I certainly don't want to gamble my freedoms on a company that can't secure its own operating system and a company who has shown flagrant disregard for our laws.

As far I'm concerned Microsoft has shown that it will do almost anything to get what it wants. We don't need the fairness of our elections endangered by a company unwilling to provide transparency.

Open Source Voting Machine?

Why isn't there an open source voting machine?

It should be constructed of off-the-shelf parts and it should run open source code!

Re:Open Source Voting Machine?

Pen and paper don't seem to have all those issues - why not use those?

It's an awfully good question, and one that I think Americans should have been asking themselves since the 2000 election.

Up here in Canada, federal elections are administered by a single Federal body; Elections Canada. That means the ballot you get in Toronto is identical in structure to the ballot you'll get on Baffin Island. There's a single standard for marking and counting ballots. The provinces have control of their own elections, obviously, but tend to follow standards very close to that set out by Elections Canada. Only at the lower levels can things be a little different. In my city, they have vote-counting machines and those ballots where you color in the selections you want. Still, even with that automated system (which has been in use in many jurisdictions in North America for decades) there is still the key paper trail, so that if the election is contested, you can go back to a good ol' fashioned recount.

The only argument I've seen against pen and paper ballots for the US is that, unlike some countries, a lot of different elections get tossed on top of congressional, presidential or state elections. Various local positions, voter initiatives, referrenda and the like get tossed into the brew, so that paper ballots could get to be quite volumnious, and possibly confusing, and I guess there is some advantage there to an electronic voting system which can make display of such complicated ballots much easier.

That's great and all...

Now don't mod me troll, but remind me again, what is so horrific about paper ballots? I know Florida had a huge fiasco in 2000 with them, but that had to do with punches, not filling in a bubble or anything....

I don't want to rain on everyone's parade but.....

the legislature didn't actually "reject" it. they just didnt pass it. and yes, they concluded their regularly scheduled legislative session last week. BUT, they're expected back for a "special" session in July, and the governor has implied that he will call them back several times.

students of the NYS legislature will also tell you that the "special" sessions tend to be when the sneakiest things go on in NYS because, in general, they garner less attention and most of the legislators just want to make it as quick as possible and get back to their families.

that being said, NY does have a very strong voting rights coalition with a number of very smart and talented people working very hard to make sure that this DOESNT go through.

one good thing did happen at the end of session. is that NYVV's (New Yorker's for Verified Voting) Bo Lipari (who's been leading the charge AGAINST microsoft's lobbyists) has been granted a seat at the table. the citizen's advisory board now has statutory authority. which means that when the board of elections makes decisions about this stuff he's got a seat at the table to help shape the outcome.

Australian e-voting

Well this is good news, but I doubt M$ will give up quietly.

Australia has some e-voting software that is open sourced, http://www.elections.act.gov.au/Elecvote.html [act.gov.au] also has a link to the source code.

This is funny...

Is it just me or are we all over analyzing what is effectively a glorified bean counter.

Sure we want it to be secure and transparent which means Open Source has the best option for this to occur. Anything that is closed source should *NOT* be trusted. This includes the platform/OS the system runs on.

And is it *REALLY* that hard to ask that there be a god damn paper trail? I think just about every single person on /. has agreed that a paper trail is necessary. Anyone including Diebold who refuses to make a machine with a paper trail is definitely up to no good and likely WANTS their machine to be insecure in order to allow for vote stuffing/miscounting/false results/etc... I mean its not like it hasnt been done before [blackboxvoting.org].

Still missing the problem

Source code or not, you can't look inside the machine and see what's running on it while it's running. Not ever. It doesn't matter who has access to whatever source code. It's just too easy for a very small number of people (or even just one) to tamper with these machines, and leave absolutely no meaningful trace. Anyone caught up in the source code debate has missed the problem.

IBM Wins

This battle in the NY state legislature was between Microsoft's lobbyists for proprietary voting machines vs IBM's lobbyists to make the machines open and auditable outside the closed certification system that is totally rigged to sell vendor products.

IBM has won this battle. Possibly because it's a NY state based company (Armonk, NY). The trick will be seeing this victory applied elsewhere in the country.

NY is famous for being tough, smart and understanding security. I hope other people in other states are lucky enough to follow our lead.

Re:How complicated could it be?

I am not a programmer, so maybe I'm way off base here, but how complicated could this code be?

I can't think of any reasons why Microsoft is being difficult here. I can't think of any complex algorithms you'd have to invent and therefore protect to display and count votes.

If I understand the problem correctly (please correct me if not - but I did RTFA, and went to the source, Bo Lipari's blog as well, and also to his organization's web site), the requirement is not for MS to escrow the code for the *voting* software; MS aren't writing it anyway, Diebold and others are. The requirement is that, since some manufacturers of the above-mentioned voting software wrote it for Windows, MS is supposed to escrow all the *Windows* source code to NYC. This is very silly IMHO (from an engineering point of view), but of course reason needn't apply.

Obviously, MS doesn't want to escrow all the Windows source to a bunch of political hacks. This has been presented on Slashdot as an attack by Microsoft on democracy and mum' apple pie, but what I believe is really hapenning is just a local political maneuver, as follows:
The hullabaloo was started by a certain Mr. Lipari who seems to have a complete dislike for any kind of electronic voting. IMHO, he invented this specific requirement knowing it's totally ridiculous. He presented it as defending democracy, and managed to sell it to the public. His intention is rather, I believe, to torpedo the whole e-voting concept in NY by getting ignorant politicians to vote for impossible requirements. Well, good for him - he seems to have succeeded. And if e-voting companies switch to Linux of FreeBSD or Windows CE (or any OS with available source code) he'll then ask for the BIOS, and the CPU firmware, and so on, until they give up.