Frequent Voting Rights Forum Participant
Post Number: 147
Best of Black Box?
Posted on Friday, October 23, 2009 - 10:08 pm:
@Joel - 10:58
Maybe it was this --
“In ‘An Undetectable Computer Virus’ David Chess and Steven White of IBM show that you can always create a vote changing program (a virus in their context) that no ‘verification software’ can ever detect. They do this by a very clever argument which you can pursue in that paper, but the important thing to realize is that their results are not in doubt. You also should know that these arguments apply to every computer system that can ever be created. Therefore, if you use a computer anywhere in the vote counting process, you cannot be certain of the result.”
This was in a BBV thread...
More references... two papers by leading scientists [for CVs, look them up in Wikipedia.]
Dr. Peter Neumann, one of the world's most distinguished computer scientists: “Even if you can look at the source code, you can’t guarantee that there’s not a Trojan horse embedded somewhere in the code. Any self-respecting system programmer can hack the innards of the system to defeat encryption techniques or any password protection, or anything like that. All this stuff is trivial to break, for the most part. In most computer systems out there, it is child’s play. Given the fact that the underlying systems are so penetrable, it is relatively easy to fudge data -- for example, to start out with three thousand votes for one guy and zero for the other before the counting even starts, even though the counter shows zero. Essentially a Trojan horse in the coding. I can do it in the operating system. I can do it in the application program. Or I can do it in the compiler. I can rig it so that all test decks work perfectly well….”
Dr. Kenneth Thompson, another most highly-regarded scientist, won the Turing Prize [maybe one level below a Nobel award]; he wrote a paper which has become one of the classics; in it he showed how a Trojan horse can be designed and released to do its work undetectably...
“The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) [:-)] No amount of source-level verification or scrutiny will protect you from using untrusted code.”
[His attack inserted malware in the source-level code whence the compiler translated it to machine-level code. Then he erased the malware items in the source-level code. But the compiler itself had been subverted and remained ready to pass on the malware indefinitely on later occasions.]
There is even worse trouble at the hardware levels but I don't have a short note about that...
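A toy model of the persistence described in the post above, together with one check against it. This is an added example, not part of the original post or of Thompson's paper: source is modelled as text and a binary as bytes, and `IMPLANT`, the function names and both sample sources are constructed. It assumes an independently built compiler binary is available for comparison, which the post does not provide.

```python
import hashlib

# Constructed stand-ins: "source" is text, a "binary" is bytes derived from it.
COMPILER_SRC = "compiler: translate source text to binary"
TALLY_SRC = "tally: add one vote per ballot"
IMPLANT = b"|implant"          # hypothetical marker for altered machine code

def honest_translate(src: str) -> bytes:
    """Output depends only on the source text that was audited."""
    return b"BIN:" + src.encode()

def subverted_translate(src: str) -> bytes:
    """Logic that lives only in the binary: it recognises the compiler
    and the tally program and alters what it emits for them."""
    out = honest_translate(src)
    if src.startswith(("compiler:", "tally:")):
        out += IMPLANT
    return out

def execute(compiler_bin: bytes):
    """Model of running a compiler binary: behaviour follows the bytes."""
    return subverted_translate if compiler_bin.endswith(IMPLANT) else honest_translate

def rebuild(compiler_bin: bytes, generations: int) -> bytes:
    """Recompile the unchanged, clean compiler source with each new binary."""
    for _ in range(generations):
        compiler_bin = execute(compiler_bin)(COMPILER_SRC)
    return compiler_bin

def digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def compare_builds(vendor_bin: bytes, trusted_bin: bytes) -> dict:
    """Build the same sources with both compilers and compare digests."""
    return {
        "compiler_match": digest(execute(vendor_bin)(COMPILER_SRC))
                          == digest(execute(trusted_bin)(COMPILER_SRC)),
        "tally_match": digest(execute(vendor_bin)(TALLY_SRC))
                       == digest(execute(trusted_bin)(TALLY_SRC)),
    }

if __name__ == "__main__":
    clean = honest_translate(COMPILER_SRC)
    vendor = rebuild(clean + IMPLANT, generations=3)   # subverted once, long ago
    print("implant survives rebuilds:", vendor.endswith(IMPLANT))
    print(compare_builds(vendor, clean))
    print(compare_builds(rebuild(clean, 3), clean))
```

The compiler source never changes in this model, so reading it shows nothing; only the digests of the outputs differ.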