>Before you ask, I realize that I was unclear... by results I >meant as each vote was cast it would be sent to 3 places to >be stored rather than one. > >Jim > >jpowelljr wrote: >> >> While we are on this topic. If it was possible to >> simultaneously send the results to 3 separate servers to be >> compared at the end, would this be nearly the same as a >> neutral third party? Jim, Not really. It seemed like the hypothetical situation that Fred was envisioning would be something like this: | Someone with wizard-level access permissions at the server the | software is running on (somebody who can replace files on any | account on the whole server) creates a MODIFIED VERSION of the | program that the votes are being sent to. One that does something | like change every 8th vote for candidate X to a vote for candidate | Y, both in the file that is collecting the votes and in any log | of the email traffic (the email sent back to the voter says that | they voted for candidate X, but the email stored in the system | archives says they voted for candidate Y.) | | Then they write another program that randomly swaps the false | program for the original program for 10 minutes out of every hour | (or redirects mail to the alternative program), and run that | swapper program on their own system administrator account. | | The Election Committee and the person who wrote the real program | have no awareness that this is happening, and the file contents | and the email logs match, so they innocently accept the log of | votes as being what people really voted. Since the election-undermining scheme involves substituting a different program for the committee-approved program, and the hypothetical defrauder has access to the program source, NOTHING that the committee-approved program does will help, since the committee-approved program might not be always running. Since it only alters a small percentage of votes, it is also hard to detect by random cross-checking. (You might catch such a scheme by manually, *not programatically*, emailing back a VERY LARGE sample of voters asking them to confirm that who they voted for was who you have a log of them voting for, with the confirmation messages being sent to an account on a different server. But project members would probably object to this level of confirmation being expected. They want voting to be very easy and take a minimum number of steps.) I agree that it is bordering on impossible that anyone at Rootsweb or any other interested server would really have the time and inclination to do something so convoluted. Every system administrator I know of is so incredibly overworked just doing their job that they aren't going to have any cycles left over for hacking elections. But if a significant block of voters would TRUST software running on a neutral server more than software running on a server with a potential interest in the election outcome, that may be reason enough to try to find a neutral server. Not that it would make any actual difference in the election security, but it would make a difference in the voter confidence level. Having the full confidence of all the people we represent is important. Teri Pettit pettit@adobe.com