Full Disclosure mailing list archives

RE: Presidential Candidates' Websites Vulnerable
From: John.Airey () rnib org uk
Date: Fri, 2 Jul 2004 17:00:36 +0100

-----Original Message-----
From: Kurt Seifried [mailto:listuser () seifried org]
Sent: Friday, 02 July 2004 02:48
To: Barry Fitzgerald; Frank Knobbe
Cc: Jordan Klein; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Presidential Candidates' Websites
Vulnerable


It is of interest to note we just had our federal election here in Canada a
few days ago. I went to the polls, they checked my name, gave me a paper
ballot, I took it to the booth, made my "X" (within the circle using the
pencil provided), folded the ballot as indicated and handed it to them. They
tore a small black strip off the ballot and put the ballot in the box. The
collection of small black strips is used to ensure the ballots in the box
have a second verification mechanism (i.e. if you remove or add a ballot to a
ballot box it would show up in the tally of ballots vs. ballot strips). The
count was done relatively quickly and by midnight or so we knew who had won
(polls closed at 8:30pm or so in most places).

Personally I hope we NEVER use anything more sophisticated than this for
federal elections in Canada. I simply don't see how an electronic system
SIGNIFICANTLY improves on this time tested and simple method. Widespread
fraud is quite difficult in our system, requiring coercion of numerous
people, or of the people at the polling stations (and of course you'd have
to deal with the scrutineers from opposing parties, perhaps with a sharp
blow to the head).

I have read some proposals for electronic systems, to make them truly
anonymous, and verifiable, and tamper resistant you need an extremely
complicated amount of math and crypto, as well as technological deployment.
I just don't think it's ready yet, and I am not sure it will be for many
years.


What you describe is similar to the UK, except that we have numbered
counterfoils which are stored separate from the ballot papers. It is
possible therefore to work out who voted for whom, but only with a court
order. It would only ever happen if electoral fraud was being investigated.

In England and Wales the weakest part of the system is that the Presiding
Officer travels alone to the count centre and could in theory add ballots,
but it would be a lot of manual work. It isn't possible to issue a ballot in
less than twenty seconds in the polling station with three staff, so working
alone you could probably only fake one ballot per minute. Since you have to
reach the count centre in a reasonable time, you'd be hard pushed to
influence the result. (In Scotland they are collected, hopefully by more
than one person).

I work as a Presiding Officer at elections, so I know the system well.

Using a computerised system faking ballots or changing votes would be
relatively easy. For those reasons I would be opposed to electronic ballot
machines whoever makes them.

I think though that this is way off-topic now, so I'll quit while I'm ahead.

-- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848
John.Airey () rnib org uk

I don't know which is worse. The makers of soap operas thinking they portray
real life or those that watch them thinking it is real life!
