Voting In Rural Pennsylvania

Out here, it was pretty calm, and boring as usual.

There were no glowering goons with guns (aka: “neighbors”) or idiots driving around in tanks festooned with flags. In fact, there were 4 people there running the polls, same as usual, same people as usual – I didn’t have to give my name because everyone sang, “Hi, Marcus!” in unison. I’m probably known as “the liberal” or something.

Anna voted in her community, nearer to Pittsburgh, and also reported no gun goons or lines. It seems as though Pennsylvanians are taking this thing seriously, which is very good as we are an important swing state.

One thing that made me extremely happy was that they are not using the voting machines this year. We had a paper ballot to fill out (“completely fill the circle by your selection”) and we then walked it across the room, fed it into a scanner, and OK’d the scan results. As you may guess, I am professionally unimpressed with voting machine technology. My old co-worker and fellow JHU alumnus Avi Rubin used to bedevil the voting machine manufacturers (most notably Diebold) by ripping giant smoking holes in their software and networking protocols on a regular basis. I, myself, was once involved in some consulting for a voting machine manufacturer and made heads explode by recommending that, instead of using networks of VPNs over the internet, they could simply E-mail the results using an open protocol like PGP and an embedded sequence number in each message. (Sequence numbers are easy to summarize, and missing entries are immediately detectable and can be mapped to the time-stamps on either side of the gap to locate the event in time.) E-mail’s queueing and transaction management is remarkably good and resilient, and is near real-time on fast networks. Why not? “Well, Marcus, we appreciate your input but I doubt we will be using your suggestions…”

Anyhow, done is done and I am going to take the rest of the day off, go to the shop, and weld some pieces of cable into bars. I haven’t done any cable bar for a while, and I’m feeling my oats!

I wish you all patience and calm for the next few days.
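
The sequence-number check sketched in the post above, as an added example that is not code from the original post. It assumes a message shape the post does not specify (a precinct id, a per-precinct sequence number starting at 1, and the sender's timestamp) and that the PGP signature on each envelope has already been verified before the message reaches this code; the sample messages are constructed.

```python
"""Gap detection over sequence-numbered result messages.

Added example, not code from the original post.  Assumed message shape
(the post does not specify one): precinct id, per-precinct sequence number
starting at 1, sender timestamp.  PGP signature verification of the
envelope is assumed to have happened before find_gaps() sees a message.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Message:
    precinct: str
    seq: int
    sent_at: datetime


@dataclass(frozen=True)
class Gap:
    precinct: str
    first_missing: int
    last_missing: int
    after: Optional[datetime]   # last message seen before the gap (None: gap at head)
    before: Optional[datetime]  # first message seen after the gap (None: gap at tail)


def find_gaps(messages, expected_last=None):
    """Return (gaps, duplicates).

    gaps: one Gap per run of missing sequence numbers, per precinct, bounded
    by the timestamps of the messages on either side so an auditor knows
    where in time to look.  Arrival order is irrelevant; messages are sorted.
    If expected_last maps a precinct to its final sequence number, a
    shortfall after the last message seen is reported too (before=None).
    duplicates: messages whose (precinct, seq) was already seen.  A re-sent
    or replayed envelope is flagged rather than silently counted twice.
    """
    expected_last = expected_last or {}
    seen = {}
    duplicates = []
    for m in messages:
        key = (m.precinct, m.seq)
        if key in seen:
            duplicates.append(m)
        else:
            seen[key] = m

    by_precinct = {}
    for m in seen.values():
        by_precinct.setdefault(m.precinct, []).append(m)

    gaps = []
    for precinct in sorted(by_precinct):
        prev = None
        for cur in sorted(by_precinct[precinct], key=lambda m: m.seq):
            expected = 1 if prev is None else prev.seq + 1
            if cur.seq > expected:
                gaps.append(Gap(precinct, expected, cur.seq - 1,
                                prev.sent_at if prev else None, cur.sent_at))
            prev = cur
        final = expected_last.get(precinct)
        if final is not None and prev.seq < final:
            gaps.append(Gap(precinct, prev.seq + 1, final, prev.sent_at, None))
    return gaps, duplicates


def ts(hh, mm):
    """Constructed timestamps for the sample below (election night, UTC)."""
    return datetime(2020, 11, 3, hh, mm, tzinfo=timezone.utc)


# Constructed sample: P-17 never delivers seq 3, delivers seq 5 before
# seq 4, and re-sends seq 4; P-22 is complete.  P-17 should end at seq 6.
SAMPLE = [
    Message("P-17", 1, ts(20, 0)),
    Message("P-17", 2, ts(20, 4)),
    Message("P-17", 5, ts(20, 19)),
    Message("P-17", 4, ts(20, 12)),
    Message("P-17", 4, ts(20, 12)),
    Message("P-22", 1, ts(20, 1)),
    Message("P-22", 2, ts(20, 3)),
]
EXPECTED_LAST = {"P-17": 6, "P-22": 2}

if __name__ == "__main__":
    gaps, dups = find_gaps(SAMPLE, EXPECTED_LAST)
    for g in gaps:
        print(f"{g.precinct}: missing {g.first_missing}..{g.last_missing} "
              f"between {g.after} and {g.before}")
    for d in dups:
        print(f"{d.precinct}: duplicate seq {d.seq}")
```

The tail case is the one that needs outside knowledge: a gap between two delivered messages is self-evident, but a precinct that simply stops sending looks complete until you know how many messages it was supposed to send, which is why the check takes an expected final sequence number per precinct.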


  1. joestutter says

    Not related to the topic. I have some chirurgical stainless steel pieces (plate and screws) that were recently removed from my tibia, and was wondering if I could commission a small knife from you using those pieces.

  2. billseymour says

    Partly-baked idea: open-source voting machines. Could they be made safer, or engender more public confidence, than machines running secret code?

    Marcus might know: are the various Linux distributions any more resistant to hacking?

  3. Pierce R. Butler says

    … and weld some pieces of cable into bars.

    Make sure the bartenders are okay with that before lighting up your torch. They’re going to have a long hard day tonight.

  4. says

    The design should be open. For example, using email as backhaul, with PGP envelopes and sequence #s with a standard format, would go a long way toward standardizing and securing the backend. Also, there are many things that can be done to make votes self-validating: give each voter a 128bit random secret, then hash their ballot to a 128bit cryptographic hash, XOR with the secret and put a 1 in a published database at that key value. Anyone with the secret who knows what they voted could verify their vote was seen. Sequence number gaps could be published including inferred times when they occurred. Tricks like that are conspicuously absent from current voting tech – why?

    As I have mentioned before, David Chaum has some interesting e-voting patents. Give him a few $mil and nationalize them. Then do public implementations.

    A publicly viewable, readonly voting machine image would be good. But the hardware and software backdoors NSA has in everything make the whole system’s integrity doubtful.

    What I would recommend is a bootable image that is a single-threaded vote processing application that boots on bare metal on some simple base hardware tablet. No need for multitasking (multitasking means you can timeslice in malware) or a file system fancier than FAT32 or networking at all. Format the votes, print a copy and the hash code, queue them to a card, email them, post the sums. No pretty touch-screen interface, just:
    1) Trump
    2) Biden
    3) whatever

    There are things like Intel Management Engine in modern processors that worry me. But a single-threaded application with no o/s simplifies a lot of the problem to the point where I might feel comfortable.

    For that matter you could probably write a voting app that ran on a Siemens PLC where you turn the knob to your selection and push a button. No operating system needed.

    What worries me about all this stuff is that plenty of people understand how to do the kind of things I just suggested, and why. Yet instead we get voting machines that connect to VPNs operated by partisan agencies. Voting machines that can’t hold up two hours on DEFCON’s vote machine hacking net. It’s as if the people who specify and buy and build voting machines are deliberately being stupid or something.

  5. billseymour says

    I think Jörg is right about the actual voting.  Filling in a circle with a blue or black pen isn’t that hard.

    But I would include the machine that reads the paper ballots and tabulates the votes in my definition of “voting machine,” not just the user interfaces.  How confident are we that they’re not hackable?

  6. says

    How confident are we that they’re not hackable?

    It’s easier to hack them politically. But the whole voting “stack” is full of holes at every layer. The republicans mostly hack layer 9.

  7. says

    I have some chirurgical stainless steel pieces (plate and screws) that were recently removed from my tibia, and was wondering if I could commission a small knife from you using those pieces.

    If you do not see my reply, gmail has decided I am spam and you should check your spam box.
    Spare parts, interesting.

  8. says

    @billseymour, #2: Open Source software on voting machines isn’t solving the right problem. Of course it absolutely should be standard; if there is any part of the election process that is not open to scrutiny, you don’t have democracy at all. And the democratic process is to corporate secrecy as life is to property. But even then, just publishing the complete engineering drawings and software listings so that anyone can reconstruct voting machines on which to perform their own tests, or compare the voting machines kept in storage with the published designs, is far from enough.

    Because even if you are smart enough to understand what it is supposed to be doing, you still have no way to know for certain that the software running on the machines in the polling station on election day really is actually the same as the published listing.

    If you can understand the programming language used, you can be sure the published software does what it is supposed to do. But you can never be sure the actual software running on the machines isn’t going to print out a receipt saying you voted for candidate A, then record a vote for candidate B.

    Nothing anyone can invent would get around this limitation; it’s a limitation of the universe, not a limitation of present-day technology. What’s actually being counted is an unreliable copy of your vote. Your opportunity to examine the equipment between elections is just like the first part of a conjuring trick — the bit where the magician is showing a container to be completely empty.

    The beauty of pencil and paper lies in its universal comprehensibility. Everybody can understand how it works, which means everybody can understand how it can go wrong. So everybody is a potential election scrutineer. And hand-counting by the candidates and their representatives ensures a fair result: the adversarial relationship between the candidates prevents them from agreeing on any result besides the truth.

    To put it succinctly, anyone who supports the use of electronic voting machines either does not understand the issues involved; or understands the issues involved well enough to benefit from corruption.

  9. says

    The beauty of pencil and paper lies in its universal comprehensibility. Everybody can understand how it works, which means everybody can understand how it can go wrong. So everybody is a potential election scrutineer.

    I do think that it’s valuable to also have electronic tallying, so long as it’s easy to validate that any individual or collective set of votes were counted. You’ll note that my dual-hash/database suggestion would allow an entire district to be checked instantly (relatively speaking) to make sure no votes got “lost” in transmission.

    The key is to build systems that cross-check each other and provide an easy way of identifying where/if something changed or went wrong. Just using paper ballots does not accomplish that. Sure, we’ve got ballot counts, and the physical ballots, but the physical ballots are also vulnerable.

    One of the scary scenarios that the wargamers suggested was this: let’s say some national guard Captain is a full-blown ideologue on one side or another and marches into a polling location with a unit of troops, seizes a load of ballots, and throws them on a bonfire. That’s not out of the question; in fact that sort of thing happened in the 1920s. The only way to tell how many ballots were destroyed is to take the word of the officials at the polling location. I believe the ballots are serialized nowadays so you could determine how many ballots were burned at a given location but from there it’s opaque. A digitally cross-checked-plus-paper system would make that sort of attack quantifiable and the ballots could be recovered by asking the voters to re-vote and then validating the checksums which would indicate if they had re-voted correctly.

    One thing I hope we can all agree on is that having each state decide what ballot tech they are going to use is an invitation to corruption and vote fraud. It’s my opinion that vote-counting is “critical infrastructure” and is one of those things that a federal government should do – not states.
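
The self-validating vote record sketched in comment 4, together with the district-level cross-check comment 9 says it enables, as an added example that is neither commenter's code. Assumptions the thread does not state: the ballot is canonicalized to one UTF-8 string before hashing, BLAKE2b with a 16-byte digest stands in for "a 128-bit cryptographic hash", the published database is a plain set of keys, and the secrets and ballots in the demo are constructed.

```python
"""Voter-verifiable published vote record.

Added example, not code from the original post or its comments.
Per voter: a 128-bit random secret.  Per ballot: hash the canonical ballot
text to 128 bits, XOR with the voter's secret, publish a 1 at that key.
Assumptions: ballot canonicalized to one UTF-8 string; BLAKE2b/16 bytes as
the 128-bit hash; the published table is a plain set of keys.
"""
import hashlib
import secrets


def issue_secret() -> bytes:
    """128-bit secret handed to the voter (e.g. printed on their stub)."""
    return secrets.token_bytes(16)


def ballot_digest(ballot: str) -> bytes:
    """128-bit hash of the canonical ballot text."""
    return hashlib.blake2b(ballot.encode("utf-8"), digest_size=16).digest()


def record_key(secret: bytes, ballot: str) -> bytes:
    """Key under which this voter's ballot is published: H(ballot) XOR secret.

    Without the secret the key reveals nothing about the ballot, and two
    voters who cast identical ballots still land on different keys.
    """
    if len(secret) != 16:
        raise ValueError("secret must be exactly 128 bits")
    return bytes(h ^ s for h, s in zip(ballot_digest(ballot), secret))


class PublishedRecords:
    """The public table.  Only keys are stored; the value is always 1."""

    def __init__(self):
        self._keys = set()

    def publish(self, secret: bytes, ballot: str) -> bytes:
        key = record_key(secret, ballot)
        if key in self._keys:
            # Either a secret was issued twice or a ballot was fed twice;
            # both are worth stopping on rather than overwriting.
            raise RuntimeError("duplicate record key")
        self._keys.add(key)
        return key

    def verify(self, secret: bytes, ballot: str) -> bool:
        """What a voter runs at home: was the ballot I cast seen?"""
        return record_key(secret, ballot) in self._keys

    def __len__(self) -> int:
        return len(self._keys)


def district_check(records: PublishedRecords, ballots_cast: int) -> int:
    """Published records minus ballots cast at check-in.

    Negative: records went missing between precinct and tally.
    Positive: the tally side holds more records than voters showed up.
    """
    return len(records) - ballots_cast


if __name__ == "__main__":
    db = PublishedRecords()
    alice, bob = issue_secret(), issue_secret()
    db.publish(alice, "PRES=Biden")
    db.publish(bob, "PRES=Biden")            # same ballot, different key
    print(db.verify(alice, "PRES=Biden"))    # True
    print(db.verify(alice, "PRES=Trump"))    # False: not what Alice cast
    print(district_check(db, 2))             # 0
```

Two properties worth noticing. The count cross-check catches records dropped or added in bulk, but a voter can only confirm that a record matching their own ballot exists, not that the tally counted it, so the published table has to be the thing that is tallied. And because the secret is the only link between voter and record, a voter who hands over their secret can prove how they voted; the scheme trades receipt-freeness for individual verifiability, which is the tension the Chaum work mentioned in comment 4 is concerned with.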

  10. DrVanNostrand says

    Marcus, I can’t speak for all jurisdictions, but the ballots I was handing out when I was working the polls were not serialized. No one is trying to hack my state though.

  11. says

    @Marcus, #10: A single polling station might handle up to a few thousand ballots, but you already know the names and addresses of every person who was assigned to that polling station. So if, after all the rest of the votes are counted, the margin of victory is smaller than the total uncounted votes (and therefore the winner could not be changed even if every single lost ballot had been for the second place candidate), a new election can be held with just those voters.

    About the only thing you can say in favour of the UK’s first-past-the-post system is, it’s potentially robust against small-scale tampering: you don’t need to count every single ballot, but can stop as soon as you reach the point of mathematical certainty.

  12. petenihu says

    @Marcus, #4: Just as a side-note to your comment about Siemens PLC: Of course those things also have an operating system – albeit simpler than a full-blown PC – and can be hackable.

    And you don't necessarily have to attack the PLC itself, you can target some other level in their engineering/programming stack (see Stuxnet)
