Like the open-source aspect, both in code and hardware ... question is, if it's built, will they come? Feds likely can't force states to use it I wouldn't think.

And $10M ain't a lotta money for something like this.

One question I have though is ... who's brain-child was this project?

🤔




✌🏼

Your statement is also troubling:
"Feds likely can't force states to use it I wouldn't think."

We've had enough shenanigans with voting machines.

Maybe his new lackey Director of National Intelligence will put the kaboosh on it, sounds like something Trump and Moscow Mitch will want killed.

An ordinary human can understand paper ballots and all the ways to cheat with paper ballots. Every person in the chain can be a watchdog.

An ordinary human can't see what's going on inside a computer, and most people don't understand what makes a computer "secure" or not.

There is in fact no way for an ordinary voter to verify the security of an electronic voting system.

It'd be nice if everybody who cast those paper ballots had their votes counted instead of being classed as 'provisional', and wound up in the trashcan.

MUCH cheaper, but involve people and time.

The USA deserves that time - the time of its citizens to ensure our election integrity.

Maybe instead of totally reinventing the wheel, DARPA could have started with optical scanners and figured out a way to completely secure the reporting process. Optical scanners read and count a paper ballot. Florida implemented them and in counties that don't have really F'ed up ballots (looking at you Hillsborough County), they work exceptionally well. If needed, the scanned ballots can be handcounted.

a problem, the printed ballots are secured for recounts. We even have a ballot printing machine for the extremely handicapped which prints out a scannable ballot.

The scanner prints out a tape with the results, and also saves those results on a chip. The chip is transported to town hall and read into the big machine. (Yes, we know there is the possibility of hacking the connection between Town Hall and the County machine, but there is plenty of redundancy and if you're that paranoid-- don't ever buy anything online or use an ATM.)

Hand counting is completely ridiculous. Each ballot will have up to 20 or so offices with maybe a dozen party lines and a monstrous mashup of candidates across those lines. The scanner automatically kicks the ballot back for overvotes (examples-- someone votes for Joe Blow for Mayor on two lines, or when the instructions say "vote for three judges" out of five, and someone votes for four...) The voter then has a chance to correct his ballot. Try that with hand counting after the polls close.

It also kicks back other mismarked ballots-- like a dot in the middle of the oval that may not be a real vote.

As far as counting them goes-- does anyone really believe hand counting is more accurate than scanning? Or more honest? At 9PM the polls close and the four or 6 people working the ED would have to dig out the ballots and count every single vote, putting hundreds of them on some sort of spreadsheet, then adding up the totals. Anyone who has cashed out a restaurant or retail store knows how often one stupid error screws things up for at least an hour until you find it. Imagine such a scenario with no double entry error checking mechanism to tell you even made a mistake.

And this counting is done by people who got to the polling place at 5:30 that morning.

All that is with honest people at the polls. Imagine an agent who manages to do something to invalidate one out of every five ballots for the "wrong" candidate. It's been done, many times. That's why we have voting machiines.

Add a unique key encoded on each ballot, and spit out a receipt that contains the ballot details in a dense encrypted format, and a key that can be used to access all the races voted on, who won each race, and who my ballot says I voted for. I can dispute the record of my vote using the encrypted data on my receipt

Of course, trying to get stat to adopt it would be a long, uphill, and probably hopeless, battle.

is that it can be turned in to another party willing to pay for "correct" votes.

perhaps in an encrypted 2D barcode, perhaps a public/private scheme. It would be unreadable without the right scanner + decryption.

could hack that receipt. Besides, how would a voter know if votes for the candidate they wanted were the ones on the receipt? And most people would toss them away, or leave them in a pocket that gets washed, so what use would they be in validating a contested election anyway?

And it’s not a panacea, judt another piece of effort. I’d find it helpful, so I advocate for it. YMMV

In Florida in 2016 more that 9 million people voted in the race for President. Imagine hand counting 9+ million votes.

People that pine for paper ballots counted by hand look at countries where the total number of REGISTERED VOTERS will be a fraction of the 9 million that VOTED in Florida in 2016.

In New York City there is more that 3 million registered voters.

The poll workers that I have always seen are old people from both major parties pulled in to work Election Day. My small population Florida county appears to have paid staffers, younger people, but only maybe five total at the main voting location and 2-3 at smaller stations. We have around 10 stations total for the county, so at most there are 50 people countywide. We have around 210,000 registered voters.

To have retired people who are only doing a one day civic duty, or totally understaffed paid people counting hundreds of thousands or million of paper ballots by hand if freaking lunacy.

People talk about mailin ballots that are paper and hand marked. How are those ballots counted, by hand or by a machine? My guess is by machine for most large population counties.

People need to get off the handcounted paper ballot idea, that method went out soon after the horse drawn carriage and is nothing but romantic foolishness. What we should instead push for is hand marked ballots that are read by a secure machine and insure those machines are secure and notify a voter that he or she has registered an accepted and counted ballot.

since I assume russia would be reviewing the code as well?

I developed a cash register system in QuickBasic. The basic program was a couple of pages of code that added up items and prices. That's what computers do-- add and subtract things. That's really all they do. No matter how complex the problem they are dealing with, it's all about adding and subtracting those 1s and 0s.

Didn't even need database software for it.

So, what is the big deal with counting ballots that these other developers have to use Windows or a proprietary OS and secret codes besides owning the copyright for the software and overcharging for it?

.

Everyone keeps perpetuating the myth that people are reviewing open-source software and making it more secure.

The truth is that the only people reviewing open-source are college academia, hackers and nation state actors. The development communities are infiltrated by hackers who inject code to weaken the code and install access points. Many of the vulnerabilities are kept quashed to allow intrusion. One of the least secure offerings is Spring, which most banks rely on to develop code. Open-source presents the source, instead of trying to disassemble code, which most private ISVs use their own compiler variants to make decryption more difficult. Folks using open-source, often use standard compilers which makes hacking easy for the rest of their code.

Organizations continue to face challenges with managing open source risk, according to a new report published today by published today by Synopsys Cybersecurity Research Center (CyRC).

The annual Open Source Security and Risk Analysis (OSSRA) Report, analyzed the anonymized data of over 1,200 commercial codebases from 2018 and found that 96% contained open source components, with an average of 298 open source components per codebase. The results reflect an increase from the number of codebases in 2017, which was only 257.

In addition, 2018 yielded more open source vulnerabilities disclosed than in years past, with a notable list of more than 16,500 vulnerabilities reported on the National Vulnerability Database (NVD).

While more than 40% of codebases contained at least one high-risk open source vulnerability, the report noted that the use of open source software is not a problem in and of itself. Rather, failing to identify and manage the security and license risk associated with the open source components your organization uses can lead to significant negative business impacts and damage to your brand.

https://www.infosecurity-magazine.com/news/not-managing-open-source-opens-1/

Managed software supply chains are 2X more efficient and 2X more secure
Automated OSS security practices reduce the presence of vulnerabilities by 50%
DevOps teams are 90% more likely to comply with open source governance when security policies are automated

The window to respond to vulnerabilities is shrinking rapidly
Over the past decade, the meantime to exploit security vulnerabilities in the wild has compressed 400%, going from an average of 45 days to just 3

Hackers are beginning to assault software supply chains
Over the last 18 months, a series of no less than 11 events triangulate a serious escalation of attacks on software supply chains
These assaults, which include hackers injecting vulnerabilities directly into open source releases, represent a new front in the battle to secure software applications

Industry lacks meaningful open source controls
1.3 million vulnerabilities in OSS components do not have a corresponding CVE advisory in the public NVD database
62% of organizations admitted to not having meaningful controls over what OSS components are used in their applications


https://www.marketwatch.com/press-release/sonatypes-2018-state-of-the-software-supply-chain-report-reveals-use-of-vulnerable-open-source-increased-120-despite-equifax-breach-2018-09-25

Open source code does not sound like a good idea, as you pointed out. DARPA could try to build a encrypted and secure shell within which voting takes place, but if they are counting on the shell transmitting information back and forth with the open source software then that is where hackers will likely attack and either modify information at that point, or figure out a way to hack into the secure shell, either way they can do major damage.

DARPA seems to be trying to build a national voting platform. I am really surprised that Trump is allowing them to do such a thing since that could ultimately make voter suppression harder. I can see part of a national platform being open source, but that would only be for states to announce their results, which can be a one way deal. Each state would need to have a secure shell that can't be hacked into, that is a large order.

.

The only secure environment is one that is disconnected from a network and had external ports disabled.

Only during a file transfer to a jump drive, by an authorized user, can information leave the device, as Read Only.

The jump drives need to be paired to the voting device and those jump drives need to be WORM Only.

.

can be hacked into.

Your points about information transfer are dead on, the only sure way to insure no invasion into a system is to have it disconnected and pull information from it only with a secure storage/transfer device that never send information back into the secured system, and the transfer device should constantly be checked for viruses and trojans.

Secure voting can be made to happen, but with the Republican Party working hard to force voting to be for conservative Whites only (as opposed to other Whites and POC), I don't think there is going to be a national effort to get fair, secure voting - the exception will be if we all vote in all elections and electorally eliminate the Republican Party.

In 2002, he said, „give me a laptop and a cell phone, and I‘ll make any of those voting machines give you any result you want.“

So they have known from the beginning how vulnerable the current machines are. Since no one else seemed to be both interested AND able to do something about it, they are.