cookies and OnLine Voting

RC Steve Sterling rcsteve at tcrcm.org
Thu Dec 23 18:33:14 AKST 2004 

Thanks Bill-- you can probably tell I love this techy stuff-- Which has got
me thinking about the correct way to do an online voting system, should the
new officers and membership choose to consider it.

To ensure acceptability, it would need to be a "double-blind" system.
Required protections would include:
-- Define criteria of "valid voting members", then system restricts voting
to only those meeting the criteria.
-- Authenticate the voter (ensure someone else doesn't vote in your name).
-- Ensure no multiple ballots.
-- Provide feedback to the voter so they know their vote got registered as
the intended, and provide a doublecheck just in case the system errors or
did let someone else vote in your spot.
-- Protect the secrecy of an individual's vote. (Use double-blind databases)
-- Auditable results.
-- Mail-in ballots for those that don't have online access or don't want to
use online ballots.

I'm not sure "double-blind" system is exactly the correct label for it, but
I'll try to illistrate. Think of a paper ballot with individual serial
numbers, the serial number is listed on the main ballot, plus on a tear-off
strip. When someone votes and puts their ballot in the box, they tearoff the
strip with their ballot serial number on it. When tallying the votes, a list
is made of the ballot serial numbers and how it was voted. An individual
voter can look at the results list, and using the ballot serial number,
check and see that his/her vote was counted, and counted correctly. But know
one can tell how any individual voted except the individual voter that holds
that ballot number.

We could build it, test it over the next year on some surveys, work out any
bugs and build user confidence, before doing anything as critical as an
election.

Steve Sterling
Web Team Member

-----Original Message-----
From: discussion-request at nsrca.org
[mailto:discussion-request at nsrca.org]On Behalf Of Bill Glaze
Sent: Wednesday, December 22, 2004 7:13 AM
To: discussion at nsrca.org
Subject: Re: Off Topic


Steve:
Thanks so much to you and Marty for your education about cookies.  Not
only have you completely explained my "need to  Know" (read: curiosity)
but you folks have taught me something also.  (Not an easy thing to do,
BTW! ;-)   Is this list great, or what?  Bill Glaze

RC Steve Sterling wrote:

>Hi-- without disclosing too much of the site's security that would give a
>hacker an edge to break in--
>
>On login when you travel into the member's only section (retrieve latest
>K-Factor, membership management etc), a non-persistent cookie is set as a
>token so you don't have to login to each separate page you may browse.
>
>Other non-persistent cookies are used to pass values from one page to
>another in the membership administration sections (mainly Maureen's
domain).
>
>Note they are non-persistent cookies.  They are never written to the user's
>hard-disk, unlike "normal" cookies. They only exist as a volitile variable
>in that browser session. Closing the browser distroys them. You will also
>see a "logout" on some of those members pages, and those distroy the
cookies
>without closing the browser.
>
>Why did I use non-persistent cookies? Other methods of passing this token
>are much easier to hack.
>
>You can test this yourself. Login to www.nsrca.org/members. You will see a
>menu with at least "download kfactor", "Update Password" and "Logout".
Click
>on "download Kfactor" and/or "Update Password". You get there without
>hassle. Hit the browser back button. You get back to the menu
>(www.nsrca.org/members/default.asp), again without hassle. Close the
browser
>window, open up another and go back to the menu at
>www.nsrca.org/members/default.asp. It makes you login again because that
>cookie was destroyed.
>
>I only speak for the section I am responsible for (www.nsrca.org/members).
>Other people take care of other areas. They may be using cookies (normal or
>non-persistent) for other purposes.
>
>Steve Sterling
>
>
>-----Original Message-----
>From: discussion-request at nsrca.org
>[mailto:discussion-request at nsrca.org]On Behalf Of Bill Glaze
>Sent: Tuesday, December 21, 2004 7:04 AM
>To: Discussion
>Subject: Off Topic
>
>
>I'm asking some of the computer gurus on this list:
>Why can't I access the NSRCA web site when I have cookies disabled?  I
>realize that the commercial sites want to insert cookies into my system
>to "further serve me" (ahem) better.  But, inasmuch as I am already
>sold<G> on the NSRCA, it seems peculiar to me that they want to install
>cookies.  Any help out there for my curiosity?  TIA
>btw: I remove all cookies at the end of the particular session..
>
>Bill Glaze
>AMA 2221
>NSRCA 2388
>
>=================================================
>To access the email archives for this list, go to
>http://lists.f3a.us/pipermail/nsrca-discussion/
>To be removed from this list, go to http://www.nsrca.org/discussionA.htm
>and follow the instructions.
>
>=================================================
>To access the email archives for this list, go to
>http://lists.f3a.us/pipermail/nsrca-discussion/
>To be removed from this list, go to http://www.nsrca.org/discussionA.htm
>and follow the instructions.
>
>
>
>
>

=================================================
To access the email archives for this list, go to
http://lists.f3a.us/pipermail/nsrca-discussion/
To be removed from this list, go to http://www.nsrca.org/discussionA.htm
and follow the instructions.

=================================================
To access the email archives for this list, go to
http://lists.f3a.us/pipermail/nsrca-discussion/
To be removed from this list, go to http://www.nsrca.org/discussionA.htm
and follow the instructions.

More information about the NSRCA-discussion mailing list