OK, it's relevant to OpenBSD because I wouldn't consider anything else safe enough to run on the servers. Not that I'm in a position to do any of it. The servers could even be run from custom official live CDs so they were harder to tamper with, with maybe a RAM drive for speed.
There seems to be a conflict between having anonymous votes and having something similar to paper ballots that can be recounted. So let authentication, identification, etc. be handled by one machine and stored in one database, then the transaction is handed over to another machine which stores the votes. That could be something simple like a tab-delimited file which could be counted by hand, one line per voter. The file could be only writeable by the owner. The same person can't vote twice because the first machine wouldn't allow them in a second time. I'm assuming there's physical security over the server room; if that was compromised all bets are off.

When I last voted I verbally identified myself to one person who handed me my ballot, which I checked off in pencil, then identified myself to another worker who cranked my ballot into a simple counting machine about 40 years old. Yes, if one person got access to the files in seclusion they could alter something, assuming they were root; that would have to be as impossible as erasing the pencil marks on the ballots and changing them. I assume there are always multiple scrupulous workers present.

It doesn't have to be an SSN, a driver's license number would work as well. Some long number known mostly only to the voter and to the government, which doesn't arrive by the same mailing as the key the town sends. Somewhat analogous to a public key, with the private key being the number the town mails each voter for each election.

Laziness isn't the only reason to do this, I would hope to expand it to maybe a weekly vote on things that are put to the House and Senate so there's direct input from voters instead of only electing people who do their voting. There probably wouldn't be a lot of interest, but being able to provide feedback to elected representatives could be useful; conversely there would be statistics on what percentage of the time they voted as the public wanted.
Instead of voting with a web browser, there might be some security to be gained by using a dedicated client. Or voting from something like an Android phone (I have no experience with iOS). Android security seems almost excessive. Incorporating the phone numbers on each end could be useful, although not to be trusted as identification by itself. An app could connect to a phone number and load a ballot, fill it out offline, then dial another number to submit it in milliseconds, which lessens the load on the server. For that matter you could produce live CDs to be booted and used only for voting, any operating system you want.

I think bouncing ideas off a community of knowledgeable computer hobbyists and professionals is a useful thing to do. I became an OpenBSD user about 2001 because I inherited a Linux box at my job that had been rootkitted and I needed something more secure; it's still my first choice. I later firewalled the entire office through another OpenBSD box, it worked very well. So yes, security in academia where student records were concerned, we had thousands of transcripts.

-- Credit is the root of all evil. - AB1JX
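The two-machine split described in the post (one machine checks the voter's mailed per-election key and remembers who has already voted; a separate machine appends one tab-delimited line per ballot that carries no voter identity), as an added illustration that is not the poster's code. The voter ids, tokens and ballot choices are constructed sample data; the point is that the ballot file can be recounted by hand while the registry alone prevents a second vote.

```python
import os
import hmac
from collections import Counter


class VoterRegistry:
    """First machine: knows who may vote and who has voted, never sees ballots."""

    def __init__(self, tokens):
        # tokens: {voter_id: per-election key the town mailed to that voter}
        self._tokens = dict(tokens)
        self._voted = set()

    def authenticate(self, voter_id, token):
        expected = self._tokens.get(voter_id)
        # constant-time compare so a wrong key is not distinguishable by timing
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        if voter_id in self._voted:
            return False  # second attempt is refused, so no double voting
        self._voted.add(voter_id)
        return True


class BallotBox:
    """Second machine: one tab-delimited line per ballot, no voter id on the line."""

    def __init__(self, path):
        self.path = path
        open(path, "w").close()
        os.chmod(path, 0o600)  # writeable (and readable) by the owner only

    def record(self, choices):
        with open(self.path, "a") as f:
            f.write("\t".join(choices) + "\n")

    def tally(self):
        # Per-contest counts; the same thing a hand recount of the file gives.
        counts = {}
        with open(self.path) as f:
            for line in f:
                for field in line.rstrip("\n").split("\t"):
                    contest, choice = field.split("=", 1)
                    counts.setdefault(contest, Counter())[choice] += 1
        return counts


def cast_vote(registry, box, voter_id, token, choices):
    # The registry marks the voter as done before the ballot is stored, so a
    # failed write here would lock the voter out: the handover needs care.
    if not registry.authenticate(voter_id, token):
        return False
    box.record(choices)
    return True
```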