---------- Forwarded message ----------
From: Ronald L. Rivest <rivest@xxxxxxx>
Date: Sun, Dec 18, 2011 at 3:36 PM

We don't yet know how to make our commercial software
secure. It is interesting to note that the "National Vulnerability
Database" ( http://nvd.nist.gov/home.cfm ) says its list of
vulnerabilities in well-known software is increasing at the
rate of
*** 11 vulnerabilities per day. (!) ***

You might (or might not), for example, enjoy reading some
of the vulnerability postings for a recent week, posted by
U.S. Cert:
http://www.us-cert.gov/cas/bulletins/SB11-346.html

With new vulnerabilities being discovered daily in software
produced by even our best software companies, it is
unrealistic to expect voting system software to be any
better.

Vigorous patching and testing may not keep an adversary
from using a recently-discovered vulnerability to surreptitiously
affect an election outcome.

Computers are cool in many ways: they are efficient, and
very flexible; these qualities can reduce costs and provide
good user interfaces. However, their vulnerability to
compromise makes their work always suspect. Computers
shouldn't be trusted to make the final determination of
an election outcome---that is too important.

By using paper ballots as the foundation for ``ground truth'',
and ``checking'' the work of the computers (with effective
and efficient post-election audits, based on hand-counting
a small sample of ballots), the risk of incorrect election
outcomes resulting from computer compromise can be
largely eliminated.