That paper is from 40 years ago and things have evolved quite a bit since. For example, the entire toolchain that compiles the code running on the voting machines is compiled from source, in a single machine in an air-gapped secure room, and digitally signed.
The attack you hypothesized, where a hidden radio “flips a bit” to alter votes, would necessitate defeating several layers of security and months-long auditing cycles. Software and hardware security aside, randomly selected devices are sent to three major public universities for verification every year. On election day, a significant number of random devices are used in tandem with paper voting, which would also flag altered results. Transparency could definitely be improved by allowing individual verification of votes, but that comes with the risk of voter identification as in the article you linked to earlier.
So not really “in principle, extremely justifiable”.
It’s just such a remote possibility and you’d need some kind of evidence (which he did not have) to point to a potential failure. All that said, some of his tweets literally said “wake up, the elections were a fraud” and not just innocent questioning. He used that to imply that any actions by the justice court were illegitimate. And then he went on to say the country should have a Nazi party… kinda difficult to sympathize with.
> The attack you hypothesized, where a hidden radio “flips a bit” to alter votes [..] Software and hardware security aside, randomly selected devices are sent to three major public universities for verification every year.
Sorry, I wasn't clear enough - the whole point of using a radio is to selectively compromise only machines used for voting, and leave the verification ones alone.
> but that comes with the risk of voter identification as in the article you linked to earlier.
The court simply asserted that a paper trail risks voter identification, but the many countries that use paper voting without problems of voter identification show this assertion to be false. But it's easy to determine one side is in the wrong, when you simply accept the other side's assertions at face value.
> The attack you hypothesized, where a hidden radio “flips a bit” to alter votes, would necessitate defeating several layers of security and months-long auditing cycles.
No, you have to defeat only one layer - hardware. Put your malware into some spare non-volatile memory, and only activate it when you get the signal. Otherwise simply report that memory as empty. You can even allow writing to it (assuming you're reporting the total memory available accurately) in case the legitimate code needs more space. In that case, the attack disables itself to avoid discovery. Then all your digital signing and compiling from source (This uses a hand-written-in-assembly bootstrapping compiler, right? Otherwise the trusting-trust attack still works.) is moot.
Finally, all of this depends on trusting the people doing all this verification and development. What is the minimum number of people one would need to compromise, to compromise this entire process? Let me remind you that after all the verification and bootstrapping and code signing and vulnerability patching, to an external observer, a compromised and a trustworthy machine look identical [1]. Given that the courts twice overrode paper trails, why should one trust them?
> And then he went on to say the country should have a Nazi party… kinda difficult to sympathize with.
Oh that's easy then - prosecute him for being difficult to sympathize with, not for questioning the election.
To reiterate - a paper trail would render all these attacks ineffective. And it is proven to preserve anonymity, as evidenced by the many countries using it. Instead, a process is used that requires trust in an appointed (by whom?) group of experts, whose work has to be monitored for its entire duration to be trusted, you cannot simply look at the resulting artifact, and even if you do trust the current batch of these experts, they are still vulnerable to outside attackers. The US is on record exerting behind the scenes pressure to claim the election is secure (and also provides hardware for that election), courts have blocked attempts to make it more transparent and verifiable, and questioning it is illegal.
But this is all fine because hey, probably this time it wasn't subverted, and the people that don't like the process are unsympathetic, and conspiracies never happen.
[1] No, dumping memory won't help - unless you decap the memory and read the individual bits with an external tool, the machine can simply lie about the contents of its memory.
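Added example (editor's illustration, not code from this thread or from any real voting system): a toy Python model of the implant the comment above describes. A device that controls its own memory-read path can present the "spare" region as erased, so a dump taken through the machine itself matches a clean unit byte for byte; the implant only changes behaviour after an external trigger, and erases itself if legitimate code ever writes into the space it occupies. Every name here (`Device`, `TrojanedDevice`, `HIDDEN_START`, the vote-swapping payload, the decap read) is an assumption made for the model.

```python
"""Toy model of a firmware implant hiding in spare non-volatile memory.

Constructed illustration only: it models the argument that self-reported
memory contents cannot distinguish a clean device from a compromised one.
It does not describe any real machine's layout or verification process.
"""
import hashlib

FLASH_SIZE = 4096        # assumed toy flash size
HIDDEN_START = 3072      # assumed: last 1 KiB is "spare" and unused by legitimate code
LEGIT_IMAGE = b"\x10\x20\x30\x40" * 64   # constructed stand-in for the signed firmware
IMPLANT = b"\xde\xad\xbe\xef" * 8        # constructed stand-in for the implant bytes


class Device:
    """A clean device: every read goes straight to the flash array."""

    def __init__(self):
        self.flash = bytearray(FLASH_SIZE)
        self.flash[:len(LEGIT_IMAGE)] = LEGIT_IMAGE
        self.armed = False
        self.disabled = False

    def read(self, addr, n):
        # What the machine's own firmware / debug port returns to a verifier.
        return bytes(self.flash[addr:addr + n])

    def write(self, addr, data):
        self.flash[addr:addr + len(data)] = data

    def dump(self):
        return self.read(0, FLASH_SIZE)

    def count_votes(self, votes):
        tally = {}
        for v in votes:
            tally[v] = tally.get(v, 0) + 1
        return tally


class TrojanedDevice(Device):
    """Same interface, but the read path lies about the hidden region."""

    def __init__(self):
        super().__init__()
        self.flash[HIDDEN_START:HIDDEN_START + len(IMPLANT)] = IMPLANT

    def read(self, addr, n):
        data = bytearray(super().read(addr, n))
        if not self.disabled:
            # Report the hidden region as erased (all zeros).
            for i in range(len(data)):
                if addr + i >= HIDDEN_START:
                    data[i] = 0
        return bytes(data)

    def write(self, addr, data):
        if addr + len(data) > HIDDEN_START and not self.disabled:
            # Legitimate code needs the "spare" space: wipe the implant and
            # stop lying, so the write succeeds and nothing looks odd later.
            self.flash[HIDDEN_START:] = bytes(FLASH_SIZE - HIDDEN_START)
            self.disabled = True
        super().write(addr, data)

    def receive_signal(self):
        # The out-of-band trigger (the "radio" in the discussion).
        if not self.disabled:
            self.armed = True

    def count_votes(self, votes):
        tally = super().count_votes(votes)
        if self.armed and len(tally) >= 2:
            # Payload for the model: swap the two leading candidates' totals.
            top, second = sorted(tally, key=tally.get, reverse=True)[:2]
            tally[top], tally[second] = tally[second], tally[top]
        return tally


def verifier_check(device):
    """Hash of what an auditor sees using only the device's own read path."""
    return hashlib.sha256(device.dump()).hexdigest()


def decap_read(device):
    """Hash of the raw array, as an independent physical read would see it."""
    return hashlib.sha256(bytes(device.flash)).hexdigest()


if __name__ == "__main__":
    ballots = ["A", "A", "A", "B", "B"]   # constructed sample election
    clean, bad = Device(), TrojanedDevice()
    print("self-reported dumps match:", verifier_check(clean) == verifier_check(bad))
    print("raw arrays match:", decap_read(clean) == decap_read(bad))
    print("tally before trigger:", bad.count_votes(ballots))
    bad.receive_signal()
    print("tally after trigger:", bad.count_votes(ballots))
```

The point the model makes is narrow: a hash or full dump obtained through the device under test is evidence only about what the device chose to show, so the two units are indistinguishable to `verifier_check` and differ only under `decap_read`. A device that never receives the trigger, or whose hidden region is written to before election day, tallies correctly in every test.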
> the many countries that use paper voting without problems of voter identification show this assertion to be false
No, they just accept the risk and haven’t developed a system that can address it (like electronic voting machines).
> To reiterate - a paper trail would render all these attacks ineffective
Paper ballots can be easily modified at the time of counting, there is no feasible way of verifying individual votes at scale or even trying to detect such fraud - this was happening in the north of Brazil decades ago and is actually one of the main reasons the electronic voting was developed!
> you have to defeat only one layer - hardware
And the supply chain. Memory content is also encrypted so you still need to defeat the security chain to be able to modify the results, or the running software. And somehow magically know when this particular device is in a testing room (it’s random assignment for a reason).
It’s funny and sad to be here going through the same arguments as when this started back in 2018. You’ve had six years to read about the system’s security measures and architecture, instead of creating fantasy scenarios that for some reason an army of security researchers failed to consider but you did. I’ve made my point and won’t be responding to this thread any further, happy new year.
> No, they just accept the risk and haven’t developed a system that can address it (like electronic voting machines).
Want to describe this risk? You mark a ballot, throw it in a box with hundreds of other ballots - how do you risk getting identified?
> And somehow magically know when this particular device is in a testing room (it’s random assignment for a reason).
Do I have to explain the purpose of the radio-bitflip a third time?
> Paper ballots can be easily modified at the time of counting, there is no feasible way of verifying individual votes at scale or even trying to detect such fraud - this was happening in the north of Brazil decades ago and is actually one of the main reasons the electronic voting was developed!
If there's no way to even detect such fraud, how do we know it was happening? You've just demonstrated why a paper trail is necessary - to discover fraud. Yes, in corrupt countries like Brazil, voting machines in addition to paper are necessary to combat systemic fraud. But you've put words in my mouth that, when I said "paper trail", I meant "only paper, no computer".
> instead of creating fantasy scenarios that for some reason an army of security researchers failed to consider but you did.
Plenty of researchers consider only-electronic voting dangerous, and the EFF calls a paper trail a baseline best practice [1], and Schneier notes "computer security experts are unanimous on what to do (some voting experts disagree, but it is the computer security experts who need to be listened to; the problems here are with the computer, not with the fact that the computer is being used in a voting application)... DRE machines must have a voter-verifiable paper audit trails... Software used on DRE machines must be open to public scrutiny" [2].
Besides, despite your phrasing trying to make this about my ego, I didn't come up with any of the techniques described - others have done that. Nor did I say the security experts in charge of Brazil's election system [3] didn't consider it. They probably did, but figured the risk was low enough, or the politicians in charge made that choice for them. I, and many other experts, disagree - but for some reason only the opinion of the experts in Brazil counts, and that of the experts in countries that didn't introduce, or introduced and abandoned, pure-e-voting, doesn't. Because this way you can make it about my ego, and make it seem like I'm the only one opposed.
Perhaps if you stood on firmer ground, you wouldn't have to invent motives and put words in my mouth to argue.
> Memory content is also encrypted
And the key to this encryption is in memory itself, and an attacker has the source code of the voting software that will run (every political party gets access to it, as well as a few institutions, per Wikipedia) and has built the hardware it will run on.
[3] I hope security experts continue to be in charge indefinitely, and they're not replaced by more politically useful people, invisibly subverting elections, because all voters get to see is a black box.