Hacking Internet Voting from Wireless Routers
Good paper, and layman’s explanation.
Internet voting scares me. It gives hackers the potential to seriously disrupt our democratic processes.
EDITED TO ADD (11/14): Another article.
Comments
Martin, a regular reader • November 10, 2014 2:34 PM
Due to the lack of strong authentication and encryption, no reasonable security expert would use email+PDF for e-voting today. What puzzles me is why you even bother to write a blog post for small children about this? I fail to see this article being novel in any way. It is just even more plain and simple FUD than its reference on [3]. I’m very disappointed to find you fueling this FUD rather than providing a thoughtful analysis on the matter. ;(
Joe • November 10, 2014 3:23 PM
Our “democratic processes” (as you refer to them) are vastly overrated. Especially when many of the Bill of Rights are non-functioning at the moment and that political bribery has just been enshrined in law.
tobi • November 11, 2014 7:20 AM
What democratic process? I don’t see any.
Jeff in Minnesota • November 11, 2014 7:42 AM
Email and PDF? Seriously? What a crock. Let’s pick two of the most least secure technologies around. However, I do think grabbing email packets from a core Internet router is a lot trickier than the researchers think. Not that it cannot be done, but it’s also not as easy as they make it out to be let alone trying to grab all of the email that contains votes. It would be easier to hack the email servers. There are ways to use technology for voting, but the Internet is probably not one of them.
Incredulous • November 11, 2014 8:17 AM
All that is needed to defeat this attack is TLS encrypted connections to and from the email server. Hopefully at least people in the know are already doing this. Even a hacked router can’t break the integrity of the end to end encryption.
I suppose there might be a TLS stripping attack possible, especially if the email server accepts both encrypted and non-encrypted connections at the same port. An evil router could remap the port, too. This should be avoidable with Strict Transport Security.
Really, why should any email server accept a not encrypted connection? For legacy compatibility, maybe. But it shouldn’t be hard to create a service to encrypt normal connections at the server as a last resort.
Fully encrypted should be the default. No fallback. And specific configuration required to allow non-encrypted connections to reach the server through this encryption service, only as a last resort.
R. J. Brown • November 11, 2014 8:25 AM
Despite the weak use case, the example of intercepting traffic in a compromised router is interesting. But given the rather contrived use case to get peoples’ attention by the headline, why was this article delayed until AFTER election day?
bitstrong • November 11, 2014 8:28 AM
“All that is needed to defeat this attack is TLS encrypted connections to and from the email server. Hopefully at least people in the know are already doing this. Even a hacked router can’t break the integrity of the end to end encryption.”
This is either a joke or you’ve overcome by fumes.
Seek fresh air immediately.
Incredulous • November 11, 2014 8:34 AM
@bitstrong
I am open to finding out I am wrong. Are you talking about the weaknesses in some versions of TLS? Do you have any specifics for your position?
herbalist • November 11, 2014 9:13 AM
Voting has been compromised/manipulated ever since Diebold’s Accuvote. Those left the factory with at least 6 different versions of the software, none of which was ever audited. We allowed Diebold to use “intellectual property” to seize control over the election process. This is little more than a continuation of the same.
Chelloveck • November 11, 2014 11:01 AM
I think we can make online voting reasonably secure. It’s a much more difficult proposition to make it both secure and easy enough for everyone to use, but I still think it’s theoretically possible. What I’m more worried about is the social problem of voter bribery and coercion. “Secret” is an important part of “secret ballot” that most discussions fail to take into account. Wide-spread voting outside of a polling place, either via electronic means or the good old-fashioned paper absentee ballot, is likely to lead to wide-spread direct purchase of votes. Just send a copy of your completed ballot showing a vote for John Smith and receive a coupon good for a free coffee at Starbucks! (And yes, I believe that enough people would sell their vote for a cup of coffee to sway most elections.)
Justin • November 11, 2014 11:03 AM
Unfortunately the politics of e-voting don’t demand security as a requirement.
Otherwise here is a possible use for that “seL4” kernel I keep reading about in these comments. If people really cared about e-voting, they could develop a whole open source formally verified e-voting hardware and software system, with a proof of security and correctness.
These would be systems set up to vote in person at the polling places or to count mail-in absentee ballots, though.
I agree that any kind of voting over the internet is hopelessly secure, however.
Thoth • November 11, 2014 11:26 AM
There is no silver bullet for voting related problems. seL4 might give a secure OS for the router but the people who implement the services on the router have to make sure they don’t leave backdoors and magic codes or stuff like that. seL4 only makes the OS as secure as the implementations and nothing can be done if someone persistently places magic codes and backdoors for easy admin console access.
TLS can only ensure the connections are authentic and secured but it does not prevent end-to-end breaches which is what should have been in place as the paper have suggested. A properly implemented end-to-end security with a trusted endpoint on both ends would be the best case but the endpoints are terrifically weak and badly compromised. Even if you provision each citizen to have an RSA or ECC key pair, their computers would have been so badly infected and easy to bypass that the best case for an honest vote would be to be present at the voting station in person and do the vote by yourself physically on site.
There are use cases for remote voting but that would be really complex. A good starting point is to use a citizen ID smart card with CC EAL 5+ and above but if I were a HSA, I would not want the smart card to perform honestly and it is as good as back to the drawing board. Disruption of votes have a huge incentive to the winner and has a large attack surface making it hard to secure. The bigger the surface, the more attack vectors. No one have ever successfully secure e-Voting and may continue so for a while until some efficient machine and algorithm can be created for such purposes.
Anura • November 11, 2014 11:45 AM
I think in-person electronic voting machines can be done properly, but it will involve printing a paper ballot and telling the voter they have to verify that the paper ballot is correct. The software needs to be open source, and formally verified, with procedures in place to make tampering as difficult as possible. Internet voting fails from the beginning as even if you forget the middle tier, you are relying that the device the end-user being on is hacked. Before any of that can be done, we need a reliable, proven way of providing identity verification, and we need to make sure that the protocols are secure, as well as the security of the devices. We aren’t even close on any front.
Of course, I think voting machines and the like are the least of our worries (as long as we don’t have internet voting). I really think every country in the world needs to revisit how democracy is accomplished. We put too much power in too few hands; we have legislative systems that put chokepoints where single individuals can block or modify legislation, making it extremely easy to influence legislation. We also have less than ideal ways of electing candidates in many countries (plurality is severely flawed, more so than other systems that fail to provide proportional representation).
Nick P • November 11, 2014 11:57 AM
The people there are the biggest problem. They can physically subvert the machines with devices or instructions given to them by pros. Plus, interdiction or supply chain poisoning is undetectable by city or state level persons.
Better solution is going back to paper with strong auditing. If electronic, then optical scanners with a receipt for voter confirmation and audits.
herbalist • November 11, 2014 12:05 PM
As long as corporations control the manufacture of the equipment, electronic voting will never be secure or private. The Accuvote demonstrated this beyond any doubt. In addition to using proprietary
software that the public couldn’t inspect, it ran on Windows.
The “democratic process” of elections is fiction. Candidacy is a purchased commodity, especially at the federal level. Our “choice” is between those approved by big money, as is usually won by whoever spent the most. There’s no realistic means to hold any of them accountable for not doing what they say. Voting has been reduced to a symbolic gesture that has little if any effect on the course of this nation.
noonnee • November 11, 2014 1:13 PM
@Anura
You mean that all elections in Brazil, using their “Urna Eletronica”, isn’t safe, simply because they don’t print the vote, the “user” can’t check if the vote was properly accounted, and the system isn’t open source, isn’t audited, the hardware might have fails, the software isn’t accesible to anyone who wants to compile it and check if the “trusted” version is installed ?
Joseph Kiniry • November 11, 2014 4:12 PM
Thanks for the coverage, Bruce, and all of the reflections, readers.
A few comments to answer questions posted by commenters:
Arclight: Your lack of faith in Secretary of State offices (and
implicitly, election officials) may be called for given past decisions
and current RFPs in the elections area. The same might hold true for
NIST certification standards, lack of leadership from professional
associations like the ACM and IEEE, and lack of leadership from the
U.S. Election Assistance Commission (EAC).
That being said, key government employees at the federal, state, and
local level, companies, researchers, and activists are working hard to
change this state of affairs for the better. This work comes in the
form of voter, election official, and lawmaker education (like this
video), hacktivism (like hacking existing election equipment), and
constructive work trying to design and build trustworthy, open source,
peer-reviewed election systems that fulfill the fundamental
requirements of elections.
Martin: Your criticism of this system is well-placed. The “small
children” you reference which are the target audience of this
particular blog post and short movie are voters, election officials,
and lawmakers, not security experts. Perhaps your characterization of
them, and the tone of the post and video, say something about your
perceptions of that audience.
Jeff in Minnesota: We debated also demonstrating how to subvert
routers in the wild, but doing so would require a strong trust
relationship with providers, and we do not have such. Attacking email
servers and voting infrastructure is indeed easier, given our past
experience, but also more likely to be detected by competent system
administrators.
Incredulous: Indeed, appropriate use of TLS goes a long way to the
solution to at least the secure-channel problem between the voter’s
system and the election server(s), but that is one very small step on
a load road to a correct, secure, and usable evoting system.
Moreover, existing deployments of evoting systems have often screwed
up this, seemingly simple, goal.
R.J. Brown: We had worked on this demonstration well-before election
day, but just couldn’t get the filming and editing done quickly
enough. Additionally, we honestly are not trying to cause a election
officials a panic attack, we are simply trying to get their attention
so that they begin to listen more to security and election experts,
and less to opaque vendors, while their eye is on the ball of the
current election.
herbalist: Indeed, problems are rife in existing election equipment,
deployed both here in the USA and abroad. Some of those old vendors
are now selling new “elections as a service” internet offerings, so I
think you’ll agree that it is likely the engineering that goes into
online systems will smell like that which goes into their kiosk-based
DREs.
Justin, Thoth, etc.: seL4 is one of Galois’s expertise areas. Suffice
to say we keep high-assurance technologies like it in mind as we work
on problems relating to verifiable elections.
Anura: Verifiable paper-based ballot printers is indeed the direction
that some states/counties are moving. In particular, Travis County
Texas, and perhaps Los Angeles County are both pursuing this agenda.
Have a look at the STAR-Vote system, designed by my colleagues Josh
Benaloh, Dan Wallach, Philip Stark, and others.
Nick P.: Auditing is a mandatory, fundamental component of any
trustworthy election process. Modern research verifiable voting
systems are, at their core, fancy ways of auditing elections using
cryptography. But even were we to use intelligence risk-limiting
audits with traditional voting-on-paper, we’d be much, much better off
than we are today. Have a look at the groundbreaking work of Philip
Stark at Berkeley on this topic, which has been deployed in
experimental audits in California and Colorado over the past few
years.
Sancho_P • November 11, 2014 4:16 PM
“Internet voting scares me. It gives hackers the potential to seriously disrupt our democratic processes.”
[Bruce Schneier]
While I’m really skeptical that “our democratic processes” in fact could change anything, let alone our future, the term “hackers” needs clarification in the context of Internet and fraud.
LSA / MSA / HSA ( see Nick P: https://www.schneier.com/blog/archives/2014/10/friday_squid_bl_448.html#c6682282 )
“MSA” might be involved in local election fraud only.
If small scale, the attack could be undiscovered.
That might change a lot for some particular politicians, indeed, but scary???
So “HSA” – the really bad boyz:
First the FNSA, Foreign Nation State Attacker:
This kind of “hacker” lacks any motive and the risk would be too high.
No need, no way.
So Bruce probably thinks about the “hacker” being either
– elite/obsessive independents (motive, but would they have the power?)
– criminal organizations (motive? Power?)
Massive fraud would be discovered anyway.
So it remains the internal Nation State Attacker (iNSA).
They’d have the motive, the power and will remain undiscovered,
because nowadays the protection of whistleblowers is void.
—> This is scary.
But it’s likely not what Bruce meant.
Anyway, “hacker” hurts (me) in this context.
Tom Fredrik Blenning • November 11, 2014 5:08 PM
Internet voting scares me as well, however I’ve been observing the Norwegian election in 2013, they’ve implemented novel cryptographic techniques, to avoid the normal scares of internet voting.
In particular the ability to cast a vote as many times as you need, and only the last vote counts, makes any scheme to coerce votes infeasible at any scale larger than the large problems with manual voting.
The use of an independent logging facility, a repository at GitHub (surprisingly enough), addresses the issues of machine fraud.
As an election observer I would still not sign of on the system, because there are still possible phishing attacks against the authentication service. But those problems seems to be solvable, simply by using out of band verification.
For all the bad systems I’ve seen, it’s a shame that Norway has discontinued it’s system for what I see as political reasons.
David in Toronto • November 11, 2014 7:04 PM
@Sancho_P
I am regularly baffled by folks that cling to the old idea of “hacker” as an inquisitive experimenter. The linguistic horse left the corral over 30 years ago. Closing the gate over and over is just a bit OCD. For all intents and purposes in most modern dialog now “hacker” means a criminal or bad actor.
I’m further amused by the fact that some people that cling to this old meaning feel they have some ownership over the term. The word base of the English language is essentially open source. English is successful because it is the biggest word thief on the planet. That a group came along and seized an existing word and made it their own only to have it stolen again is life. That a group with aversion to the idea of intellectual property became offended at that is irony. I don’t recall the golfers complaining.
All that aside, clarifying the actors is always a good thing.
3298fuvoting_logistics_are_illogical_and_fraudulant_in_every_nation_4390ug • November 11, 2014 7:06 PM
Why put voting where there is at least a remote chance of integrity? Let’s keep it in the discreet logistics of the “honest”/logically-plutocratic..
Imagine if there was a hash for each voter in a publicly distributed and signed database? ANYONE could do audits based off ANY range of information and since each voter would know there own hash there would be hundreds of millions of encryption oracles. I challenge anyone to post even a vague theoretical attack..
Such a model scares the hell out of “democratic” countries. America doesn’t count because if public votes dominate college votes, college chairmen can freely veto vote stats of the states they represent..
Nick P • November 11, 2014 7:41 PM
@ David
” That a group with aversion to the idea of intellectual property became offended at that is irony.”
Never thought of that angle. Clever haha.
n00b • November 11, 2014 9:06 PM
@3298fuvoting_logistics_are_illogical_and_fraudulant_in_every_nation_4390ug
ANYONE could do audits based off ANY range of information and since each voter would know there own hash there would be hundreds of millions of encryption oracles.
sorry, noob here. what’s an “encryption oracle” in this context and why do you represent it as a “benefit”?
3298fuvoting_logistics_are_illogical_and_fraudulant_in_every_nation_4390ug • November 12, 2014 12:30 AM
@n00b: It’s a benefit because it’s logistically impossible to make hundreds of millions to billions of people lie about their votes, or to make them think a cryptography hash is different than theirs no matter the review medium.
This system can’t not work and I suspect is the only logical way to manage a secure voting model. Which is why it will NEVER be implemented..
My challenge still stands.. I will go on to say every intelligence agency on Earth combined couldn’t defeat such a system, and there is no other “secure” voting system; the rest depend on discreetly-audited logistics by very small parties maybe supplemented with cryptography susceptible to side-channel or escrow..
Regarding oracles: I probably use it wrong http://cseweb.ucsd.edu/~mihir/papers/ro.pdf
Gerard van Vooren • November 12, 2014 12:35 AM
@ Joseph Kiniry
Nice try. I am still on the side of Bruce.
Arclight: Your lack of faith in Secretary of State offices (and
implicitly, election officials) may be called for given past decisions
and current RFPs in the elections area. The same might hold true for
NIST certification standards, lack of leadership from professional
associations like the ACM and IEEE, and lack of leadership from the
U.S. Election Assistance Commission (EAC).
Among a dozen of other issues more. Counting votes by hand is done by groups of people and in open view. Who is gonna count the votes of the machines and where is that being done?
That being said, key government employees at the federal, state, and
local level, companies, researchers, and activists are working hard to
change this state of affairs for the better.
You really have a lot of faith in these people. I still remember how G.W.Bush “won” the presidency in 2000. I said “won” because he didn’t have the most votes. It was his brother that helped him. With presidential campaigns that costs hundreds of millions USD there is a lot more at stake than “people working hard to change this state of affairs”. Also remember Clapper lying and Obama that bypasses Congress to start yet another war? Who is the “for the better” part for actually?
Btw, TLS is NOT the answer. It never was and never will be. Have a look at MinimaLT. I am not saying MinimaLT is the right answer, but it makes a lot more sense to me.
65535 • November 12, 2014 12:46 AM
“It gives hackers the potential to seriously disrupt our democratic processes.” –
Bruce S.
Given the NSA buys zero-day viruses from hackers [new virus that are undetectable] the scenario of voter hacking is a discomforting possibility.
If any hard evidence of voter hacking is brought to light it will prima facia case against the NSA’s motives and operations of hording of zero-day exploits and using them in a destructive fashion. The NSA will be seen to be destroying democracy instead of protecting it.
Gerard van Vooren • November 12, 2014 12:58 AM
Correcting what I said at November 12, 2014 12:35 AM
“You really have a lot of faith in these people.”
should be
“You really have a lot of faith in the key government employees at the federal level.”
Andrew_K • November 12, 2014 2:10 AM
When it comes to electronic voting, I usually referr to the “your parents”-test.
There might exist a secure protocol for electronic voting — granted. But can you explain it to my 72 year old father (who used to be a tailor) so that he will be able to understand why it is impossible that his vote is manipulated? And no, “my parents are cleverer than yours” is not a valid answer. All of them have the right to vote, so all of them should be able to understand the technical process voting is based on.
That is a major feature of all pen-and-paper-votes: The principles are understandable, even to simplest minds. Fill out a paper sheet, drop it into a box, optionally watch for the rest of the day that no one removes a sheet from the box, watch how the seal is broken and the sheets are finally counted. When there are cases of doubt, every step can be reconstructed — starting with the total number of ballot sheets: Used, unused and invalid sheets together have to equal the number of printed sheets. The process can be evaluated by a forth grade pupil, which is a good thing. Every judge can inspect it without need for experts trying to give him or her an insight in crypto magic. In the end, they anyhow will either bildly trust the expert — or not.
I do not even want to start with other issues like anonymity or confidentiality of a vote. Just saying that no one will stop me from pen-and-paper-voting with gloves (ok, latex gloves would be a bit creepy but think of more fashion oriented gloves fitting my appearance).
I do realize that this (“don’t do it”) is not a popular opinion on elecronic voting, escpecially among the folks wanting to save money with this. Or those, making money.
John Malcolm • November 12, 2014 4:11 AM
What’s your take on Estonian Internet voting infrastructure? This is using end to end encryption as well as a special software client. Voter can also verify the vote during a certain amount of time after the process through another communication channel. Secure enough for democratic processes?
3298fuvoting_logistics_are_illogical_and_fraudulant_in_every_nation_4390ug • November 12, 2014 7:15 AM
As I said: Something that will actually work will NEVER be implemented. It isn’t near as complex as these comments make it out to be.. Just use basic logic and keep discreet processing out..
@John Malcolm:Wow they added an encrypted connection strait to a discreet logistics system that relies on a very small party of processors with the only validation being a time-limited voter review.. Don’t worry most people here would call this secure..
By the way there are Russian politicians in Estonia that are hated by the entire country but have stayed in office for decades.. Don’t get me started on how government contractors and business ownership works there..
I KNOW!! LETS INVOLVE A RUBIX CUBE AND MAGIC 8 BALL!!!!
Nick P • November 12, 2014 9:23 AM
@ Andrew_K
We basically have the same idea about eVoting. Except, you said it better. 😉 I’ll add that there’s a large rural population that’s quite suspicious of technology & have little education on it. The simpler, lower tech methods appeal to them more. Given their voting power, that’s important to remember.
David in Toronto • November 12, 2014 9:27 AM
This story sounds a bit too close to Bruce’s last movie plot contest.
Nick P • November 12, 2014 9:38 AM
@ 3298
You didn’t give the crowd enough specific information to produce an attack. All kinds of hashing schemes have been beaten with attacks on the endpoint, network, or hashing process itself. The security of distributed protocols is regularly beaten, including those made by experts. There’s also potential that the manufacturers or developers of the system will subvert it. And it is logically possible to create enough forged votes to swing an election: it’s actually been done quite a few times in the U.S. So, your scheme is failing in many ways before it gets started.
Yet, before you publish more specifics, it will help if you learn the properties necessary for secure voting. Bruce outlined them in his Applied Cryptography book. Here is a public paper on it. The key requirements are: voter privacy, eligibility, uniqueness, fairness, uncoercibility, receipt-freeness, accuracy, and individual vote check. Additionally, American voters expect to get the election results quickly. So, that’s what your voting scheme must satisfy to be secure far as known issues go.
Good luck.
Slowhand • November 12, 2014 11:13 AM
As said by someone else, a video posted after election day is not very useful. In fact, it would be exactly the timing I would choose if I was an oppressor. People can do exactly nothing about their mistake if they did vote electronically, and there is no use for them getting up in arms then, so it almost certainly has the psychological effect of making people apathetic.
But the comments on the story have a very nice feature.
Electronic voting is such an obvious fallacy, it makes all kinds of tricks by bad people much, much easier. You don’t have to be an expert on security to understand this, just a thinking individual with a grain of general computer knowledge. You just switched from humans doing the counting to computers doing it, a small change in how the computer operates and you can make huge changes in the count. “Formally verified e-voting hardware” ? Yea, that’s gonna happen. Even if it did, how do you check that the hardware you are given was not replaced with another one in the mail ? Are you gonna guard it at all times ? And on and on it goes. The stakes are too high (if voting matters at all), and the attack surface is too big.
Therefore the story serves as a litmus test. Anyone who has talked in favor of electronic voting is of course untrustworthy. They either did not study their field properly or they talk against their own better judgement.
squarooticus • November 12, 2014 11:56 AM
Electronic voting seems to be a solution in search of a problem. Just how hard is it to count paper ballots once every two years? It’s a problem with a proven distributed solution and tons of nice properties about verification (see Andrew_K’s post).
Anura • November 12, 2014 12:18 PM
@squarooticus
I guess you weren’t paying attention to US elections in 2000? Electronic voting reduces spoilt ballots, which is a huge problem.
According to official plurality-vote totals: Florida’s ballot spoilage rate in 2000 was 3%, and for the US nationwide 2000 presidential election, 1.9 million ballots were spoiled and hence uncounted versus 105 million that were counted, for a spoilage rate of 1.8%.
However, the distribution of invalid ballots in the USA is uneven: USA Today reported that voters in Florida’s majority-black precincts were four times as likely to have their 2000 ballots invalidated than white precincts: 8.9% versus 2.4%.
http://rangevoting.org/SPRates.html
Internet voting is an attempt to solve the problem of low voter turnout, by making it take less effort to vote.
BJP • November 12, 2014 12:53 PM
@Anura
For some of us, an unauditable electronic ballot counted in secret IS a spoiled ballot.
Anura • November 12, 2014 1:02 PM
@BJP
And that’s why we shouldn’t use unauditable systems. Electronic systems that print paper ballots are resistant to accidental spoiling and can be audited. The paper ballots should be considered official. Instead of the voting machine storing or transmitting results, it should print a paper ballot which is fed into a device that scans the ballots as they are collected. The paper ballot is official, they can be checked by the voter before depositing it, and they can be hand-counted later (and I would recommend that a statistically significant portion of precincts are hand-counted at random to discourage tampering).
herbalist • November 12, 2014 1:12 PM
“For some of us, an unauditable electronic ballot counted in secret IS a spoiled ballot.”
It seems that most everyone has forgotten about the Accuvote memos. When “intellectual property” prevents independent verification that the votes are all counted properly, all of the ballots are spoiled.
When the version of the vote counting software changes with almost every order, all of the results are spoiled.
When the company that makes the voting machine is a financial backer of one party, the machine represents a conflict of interest.
Anura • November 12, 2014 1:29 PM
@herbalist
Again, this is not a problem with electronic voting in general, this is a problem with how we are doing it. Voting software needs to be open source, along with the hardware. Any business (or even the state) should be able to manufacture the hardware by contract, and the software should be done by a separate entity (probably the state). There needs to be procedures in place for auditing the companies and hardware before the election – every machine should be tested. If they print out paper ballots, tell every voter to check the paper ballot and make sure it is correct, and log any time a voter discards a ballot, and what machine it was printed on – audit anomalous machines. Hand count randomly selected precincts to look for possible issues. Audit all machines after the election to make sure they are correct.
Electronic voting machines have the potential to significantly improve the democratic process, especially if we want to move to ranked voting systems which have higher spoilage rates, but have much fewer problems in general than plurality (i.e. you don’t have a situation in which every voter votes tactically by default).
Joseph Kiniry • November 12, 2014 1:58 PM
@Tom Fredrik Blenning
The Norwegian experiment in internet voting was shut down for numerous
reasons, including technical failures in development and deployment.
The key generation failure in the last election was particularly
egregious.
@David in Toronto and @Sancho_P
I use the classical definition of “hacker” when speaking with people
from that community, otherwise I freely use the modern nomenclature
and am unconcerned with confusion about the archaic definition.
@Gerard van Vooren
I agree that paper-based elections with public audits is definitely
still the right way to go in many contexts. In fact, I have a
research paper about that from nearly a decade ago called “Formally
Counting Electronic Votes (But Still Only Trusting Paper)”.
Thanks for the pointer to MinimaLT. I’ll put it in my reading queue.
@Andrew_K
I also use a “your parents” test, though for me it is “your
grandparents”. That being said, I find it sometimes frustrating and
surprising that most voters do not understand our current paper-based
election system…
@John Malcolm
I have given public talks about Estonia’s system which you can find
via some Google-fu. The detailed analysis done by my colleagues Alex
Halderman, Harri Hursti, and others is also quite revealing. It is,
in our opinion, an ill-designed, ill-conceived, opaque, shoddily
engineered system.
@Slowhand and @squarooticus
Electronic voting, if done properly (as I discussed earlier), has
several excellent features that make it a legitimate choice in some
contexts. In particular, permitting the disabled to independently
vote, enabling expat voting, and supporting elections in countries
with high levels of insider attack and past election fraud are three
commonly-accepted scenarios within the elections research community.
With regards to your claims, questions, and challenges about digital
voting, I suggest you examine some of the peer-reviewed literature on
the topic. Very intelligent security researchers have been working
for decades on this topic and have been making a lot of progress on
all of the topics you mention. Consequently, I suggest that your
blanket claims about capability and ad hominem attacks on the
researchers who work in this field are ill-targeted and inappropriate.
@Anura
Internet voting is an attempt, in part, to increase turnout, but only
from the point of view of politicians and electoral officials. We
scientists have seen no evidence thus far that any introduction of
digital voting technology has helped election turnout.
Also, the system you describe in a later comment is basically the core
of STAR-Vote, the peer-reviewed ballot printer-based verifiable voting
system I mentioned earlier.
Once again, thanks to you all for an excellent dialog.
Nick P • November 12, 2014 2:19 PM
@ Joseph Kiniry
Nice to see a Galois employee commenting here. I’ve given your company plenty of free advertising online for their solid work in high assurance systems, esp CRYPTOL and ASN.1. Best of luck to you people on future projects.
re voting
I’ll look up that paper. Meanwhile, what do you think of adopting a scheme like CIVITAS? It’s already in use in academics and companies. I’d re-implement it via a highly assured development process on dedicated hardware if using it for an election. Throw in paper verification of some sort, too.
I agree that most online efforts have failed due to shoddy design and implementation. I haven’t analyzed the specific examples. Yet, my first guess is that unqualified people got the contracts for design, deployment or operation for political/financial reasons. Then, disaster followed. (“garbage in, garbage out”) That’s how many public sector atrocities (eg Healthcare.gov) happen over here, at least.
BJP • November 12, 2014 2:28 PM
@Anura
On the one hand you discuss electronic voting to make voting require less effort, then next electronic voting burdens these voters for whom making a mark on paper is too much work with:
A) Navigation through a GUI interface for N separate elections
B) Selection of the desired candidate(s) for each election
C) Identifying a mechanism to vote instead for a write-in candidate not on the ballot
D) Reading a piece of paper printed on the spot to be sure it accurately reflects the votes they made moments before
E) Depositing it into the right receptacle
People for whom “fill in the bubbles with your own hand and walk away” or “walk up to machine and pull a lever” is too much effort will not be enfranchised by a system such as that.
n00b • November 12, 2014 2:55 PM
Thanks for the explanation, 3298fuvoting_logistics_are_illogical_and_fraudulant_in_every_nation_4390ug on
Nick P • November 12, 2014 3:25 PM
@ All
re STAR-Vote
The voting scheme Joseph referenced…
https://www.usenix.org/conference/evtwote13/workshop-program/presentation/Bell
…made for a good read. It’s worth further review for anyone that’s interested in that subject.
1999 • November 12, 2014 3:28 PM
@Andrew K;
I don’t think e-voting can be secure. But I’ve watched Penn and Teller. I don’t think my parents or I could reliably audit a pen and ink election. In either case detecting all possible subversion requires skill, training, and the ability to access things you won’t be allowed to access.
XCheck • November 12, 2014 4:27 PM
Agree with the comment about anonymity and privacy of the vote. Cryptography and security may one day be able to address the technological challenge of tampering prevention, but ensuring your vote remains anonymous is another matter. Even if the problems is solved, it remains too complicated for most people to understand and trust.
wordhoard • November 12, 2014 4:59 PM
@David in Toronto
Yes, indeed! i wish more people understood the nature of language, then I (as an editor) wouldn’t have to convince them that their “rules” (of 30 or 100 years ago) are outdated. I enjoy being alert to new usages, calculating when they’re consensus enough to be stable for awhile.
“Open source” is a good description.
BrianM • November 12, 2014 5:28 PM
OK, so the paper is specifically about what a bad idea it is to send unencrypted PDF documents through normal email, and how it is possible to subvert home routers (not necessarily limited to WiFi models) to evil ends.
I think the vote fraud in this case would be a bit limited.
#1, the routers must be subverted. A significant number of routers must be subverted for an election to be shifted, unless it’s a close race. However, on the technical side, a lot of firmware has to be downloaded, analyzed, and then repackaged. After that is done, it has to be loaded onto the vulnerable routers in question. Yes, as has been demonstrated, multiple router brands can be affected by a bug or a backdoor, but it’s still a lot of work.
#2, this is limited to changing a specific voting scheme.
#3, why go through all of this when BGP can be redirected to send traffic through your evil system? There has been a noted routing of traffic that should be flowing directly into Russia, but has been making a side trip through China. (This may be due to misconfiguration, or traffic routing agreements, or spies in the woodwork. Nobody knows at the moment.)
#4, do it the old fashioned way, and use a mole in the system. Modify the databases.
(And as far as the Bush-Gore election went, does anybody really think there was any fraud in that? Those ballots were so carefully scrutinized, counted, recounted, etc., that I can’t imagine that any fraud occurred. If the ballots had been counted the way Gore wanted, Bush won. If the ballots had been counted the way Bush wanted, Gore would have won. The main problem is that the election was so tight that it came down to the senile and the illiterate. Each voter is responsible for their ballot, and if they turn in a screwed up ballot, it’s not the fault of the candidates.)
Sancho_P • November 12, 2014 6:13 PM
@ David in Toronto
I apologize, I’m ESL and in EU thinking.
However, the standard dictionary of my (Apple) computer says:
A) British English: hacker (noun)
1)
– a person who uses computers to gain unauthorized access to data.
– informal an enthusiastic and skillful computer programmer or user.
2)
– a person or thing that hacks or cuts roughly.
(Thesaurus has no suggestions)
B) American English: hacker
1) and 2) are identically to the English dictionary.
The American English Thesaurus lists some suggestions:
CYBERCRIMINAL, pirate, computer criminal, keylogger, keystroke logger;
informal cyberpunk, hacktivist.
.
But my feeling originates from a slightly different point:
If “hacker” is “not authorized” and probably against (stupid?) laws,
how could our government be called “hackers”?
Are they thought to be “unauthorized” ?
3298fuvoting_logistics_are_illogical_and_fraudulant_in_every_nation_4390ug • November 12, 2014 6:16 PM
@Nick P: Even if you defeat the top level signature and the hashing algorithm, hundreds of millions to billions of people all know their own hashes and if any one doesn’t match when viewed ANY form of alteration is detected and a fallback policy is used that goes through stages(like multi-party-multi-repo backup audits) all the way back to a re-vote(if somehow all repos/backups are altered).
Use SHA1 or MD5.. It doesn’t matter there is no logical method to defeat this model, and I don’t know of any other model you can say this about. Anything involving a small group with discreet processing is instantly vulnerable.. Electoral colleges DO make this model not work though, but electoral colleges are by definition plutocratic and far from democratic; despite what America has long since claimed..
Chris Abbott • November 12, 2014 7:46 PM
What about a program that runs in a VM in which you generate a RSA signature that you submit in a way that verifies that it’s your signature and from the program running in the VM, you cast a vote that is a properly MAC’d, signed, and encrypted e-mail using a RSA, PGP style system? Forget the PDF garbage. Anyone have thoughts on that?
3298fuvoting_logistics_are_illogical_and_fraudulant_in_every_nation_4390ug • November 12, 2014 9:24 PM
@Chris Abbot:
<
ul>
My Version: Primitive and heavily audited ARM chip based solution driven by a TrustZone kernel and 256bit AES using ARM key storage and signed heavily-audited bootchain. Make all the code open.
Neither would ever be implemented and even my alternative is compromised by silicon RE.
My original model remains undefeated even on an abstract/vague theoretical level and you could do it in anything even old vulnerable J2ME apps for old cell phones.. Even with a backdoor’d hash generator.. It also costs considerably less computationally and economically than anything else proposed here, and probably will remain that way
But don’t feel competitive or offended.. None of these systems will EVER be implemented because democracy doesn’t exist logically, and logic is everything including the absolute unbiased truth..
Kevin C • November 12, 2014 10:53 PM
I brought this to the attention of local newspapers some weeks ago. The City of Cambridge, Ontario, had employed a new online voting system with a serious fault.
Along with emailing users PIN number when registering using snail mail delivered VoterID cards, they used Birth Year as a second factor. 5 mins on Facebook and a stolen voter card would allow me to vote on their behalf.
The most interesting part of this though, is that none of the responses to my article addressed my concerns. Instead, respondents focused on my intentions for posting as being ‘free advertising’ and not that I was trying to alert them that our voting process was broken.
My article can be found here.
herbalist • November 13, 2014 12:00 AM
@Anura
“Again, this is not a problem with electronic voting in general, this is a problem with how we are doing it. Voting software needs to be open source, along with the hardware.”
The problem is that this is how corporations and the government they control are doing it. We the people have no say in the matter.
If they want to really increase voter turnout, put some real choices on the ballot. Better yet, put a “no confidence” option on the ballot and give voters the option to reject them all.
Juhani • November 13, 2014 6:12 AM
I have seen Estonia’s e-voting from pretty close distance.
It has worked, for many years. IIRC from 2007.
Security analysis on that is rather comprehensive. It’s perhaps not nice to borrow credibility from Skype, but Skype security has been good enough. And the security analysis and procedures are improved, before every voting.
From my point of view the only and serious risk in Estonia e-voting is that the complex security is highly dependent on details. If somebody could not follow the procedure and just show middle finger then the results can be falsified. Somebody will understand that the voting is insecure, but nothing can be done. This is the only thing that scares me in e-voting.
Think Al Gore in US, votes were recounted, so what and people believe it is democratic country (in reality yes, up to limit).
Something on the way Putin is doing in Ukraine, claiming there is no Russian military in Ukraine. People believe him enough so nothing serious is done, though pictures show otherwise. E-voting is more complex, more difficult to comprehend than pictures of Russian tanks.
It’s about what is being done by people, pragmatic, in reality. Rotten eggs were not thrown at whoever won miscounted presidential votes.
Juhani
dot tilde dot • November 13, 2014 10:24 AM
“No, sir, my wife is lying to the court. I didn’t force her to vote for anybody.
And, uhm, how can you say such a thing anyway. I thought there was this thong called secret ballot…”
Voting at home is so wrong, even without the electronics.
.~.
David in Toronto • November 13, 2014 10:25 AM
@Sancho_P
If a 3 letter agency manipulated an election result they would be violating quite a few laws. Hence unauthorized and criminal.
It is the heart of the debate that has been going on for the last couple of years with all the disclosures.
Nick P • November 13, 2014 10:40 AM
@ David in Toronto
A tool to manipulate votes/polls was in the leaked GHCQ catalog. So, it’s definitely on their mind and within their capabilities.
Joseph Kiniry • November 13, 2014 12:41 PM
@Nick P
Always happy to answer questions and have a dialog about these
important matters.
Civitas is another interesting verifiable elections system from my
friends Andrew Myers and Michael Clarkson. The work is a rare bird in
that it brings programming language research together with elections
research. The community certainly looks at it as one of the top ten
systems that has novel ideas, though its developers argue that its
design, and especially its implementation, is not appropriate for
binding elections.
@BrianM
The other attacks you mention were indeed part of our discussions here
at Galois. We chose not to write-up every single threat and
countermeasure we came up with because we worried that non-security
readers would think that we had solved the entire problem.
@Chris Abbott
Variants of the scheme you sketch out has indeed been discussed and
experimented with. Hash chaining and use of a/the blockchain is also
a fertile field for designing new verifiable election variants. So far
no one has come up with a system that the bulk of the elections,
security, and high-assurance communities think has the right balance
of security, usability, utility, and deployability. We’ll keep trying
through!
@Kevin C
Thanks for fighting the good fight. I hope that informed readers will
try to educate their election and elected officials about the
challenges inherent in digital elections.
@Juhani
I suggest you read https://estoniaevoting.org/. Your definition of
“worked” is different than mine.
3298fuvoting_logistics_are_illogical_and_fraudulant_in_every_nation_4390ug • November 13, 2014 5:42 PM
No offense, but most proposed and referenced voting systems here are sloppy/inefficient&costly economically and obviously vulnerable even from an abstract description.. More time¤cy expensive isn’t more “secure” and neither is more official or standardized.. Secure is unalterable and multi-voter-validated, and efficient isn’t just pipe-lining encrypted data to the old voting process or relying on ANY encryption cipher’s integrity..
****Anyone came up with a solution to defeat my system that is about a twentieth costly as other proposed and referenced solutions? It’s kind of annoying people act like they blessed us with references and designs that have the exact same fundamental flaw as what countries are already using..
I’ll make it easier: Any system more efficient and you’re allowed to rely on the security of a cipher.. It’s a kiddy challenge now..
Sancho_P • November 13, 2014 6:01 PM
@ Gerard van Vooren
Thanks for the link to MinimaLT (and Ethos), interesting, indeed.
Funny that respectable scientists still don’t know how to add a date prominently into their paper, though? 🙁
Sancho_P • November 13, 2014 6:28 PM
@ David in Toronto (sorry, that’s lengthy and going OT)
3 letter agencies are protected by law, hence never act unauthorized.
They can murder and torture by law [1], the so called “ongoing debate” is moot.
Single failures may occur but are extremely rare due to close oversight,
the whole organism is sound and indisputable (credits @Skeptical).
3 letter agencies will always act for the sake of the nation, so if they manipulate election results it will be solely for the benefit of National Security, supported by very important politicians and the president.
They will protect the nation for / from the people.
Their actions are not criminal but heroic.
I can’t imagine any regime that would think otherwise.
While “hacker” includes small criminals (cracking pwds, neglecting ToS, EULAs, copyright, …) from my point of view it is one individual or a small group, they act for their personal benefit (money, knowledge).
Hundreds working for the government / president I’d not call hackers.
A “hack” is a small damage, if any, the term hacking” downplays the situation.
China probably is a good example.
While the news read “Chinese hack U.S weather systems, satellite network” (WP), the term “hack” here notably downplays what otherwise would be a political / international crisis.
Call it “Chinese government breached federal weather network containing vital data for disaster planning, aviation, shipping and score of other crucial uses” and the president would probably reside in AF1 [2].
And the Chinese “hackers” are not criminals in their view, it may be against U.S. laws (and ethics), but in China they are honorable (wo)men.
As is the NSA when “hacking” the enemy in Syria or China …
So “hacker” may have an old, a modern and a deceiving, downplaying meaning in “native” English (which, U.S. / Canada only?) but the reception in the rest of the world could be different.
— Again, I’m ESL and live in Spain, it’s my personal / local view only.
[1]
Unfortunately “the law” is very local, as is the kid’s view of “us” versus “foreigners”.
Our enemies are their heroes and vice versa.
[2]
Many (but not the majority) will read that news as drumming for funding and understand that the news is fraudulent and dishonest. Leaking “information” without evidence is typical for national warmongers.
The reception in the public is similar ignorant, unfortunately.
We should blame those who do not protect the national assets but pile up a useless, unmanageable and explosive billions haystack.
The hacker should be awarded, the vulnerability publicly disclosed and closed.
Sancho_P • November 13, 2014 6:33 PM
@ 3298
Did you read the book Nick P has suggested to you?
Probably try to explain your proposal again, beginning with “voter privacy”?
Nick P • November 13, 2014 7:30 PM
@ Sancho_P
“Funny that respectable scientists still don’t know how to add a date prominently into their paper, though?”
Oh you wouldn’t believe how common that is in academic research in INFOSEC. I’ve had to dig for dates on so many papers that I think there might be an academic writing style guide that says not to put a date. Both of mine in college required dates so I’m doubtful of that. Whatever the cause, it’s ridiculous as a date is very helpful. I’ve found they even tell you whether a paper is worth reading in some cases: e.g. an older paper on a security approach might have been rebutted by a newer paper, which will likely describe older technique in “Related Work” section anyway.
3298fuvoting_logistics_are_illogical_and_fraudulant_in_every_nation_4390ug • November 13, 2014 10:11 PM
@Sancho_P: Individual privacy in a democratic voting system? That means we can only rely on cipher security, which even if existed would require discreet logistics with staff and handlers. This makes the entire conversation frivolous and boring..
I think the world is better off with plutocracy and fraudulent voting, because what sort of agenda makes a person want to secretly affect others which is exactly what private voting(and sociopath) is.. In the case you are protecting a cut-throat public image while voting for some liberal politician, then you are logically going against your own efforts(you’re part of the problem). There is no real difference..
I’m bored so quick solution though that none of you can break for sociopath-voting: Quality-IV AES 256 CTR for each voter meta data in SHA3-512 signed SQLLITE FILE DB rows, and provide voter’s key thermal printed to voter with FIPS 140-3 hardware solution with strong buffer cycling and no storage except FW ROM and RAM in POP; on-submit at poll with twenty-character string for lookup by voter. SQLLITE DB and SHA3-512 sig stored on multiple public mirrors.
I can do this all day.. Still more secure and more efficient.. I’d use a ARM chip in resin&mesh for the poll machine with properly audited code-base, not that it matters.. Might as well not even be encrypted since it’s under infinite-check by voters..
Game-theory time.. Let’s play.
Nick P • November 13, 2014 10:24 PM
“Quality-IV AES 256 CTR for each voter meta data”
There’s no “Quality-IV” for AES that I know of. I assume you mean FIPS Level 4 crypto. FIPS Level 4 is controlled by the NSA and fewer proprietary vendors than fingers on one hand (IIRC). It therefore is the easiest thing for them to subvert to forge votes or fake unreliability. People go with a fake vote that looks like a close election or they fallback on insecure methods due to “unreliable” voting machines.
Your scheme looses again. And before its technical details even prove relevant.
Note: And ARM is a profit-loving group whose main SOC vendors have plenty of undocumented functionality in chips to make one chip seem like many individual ones to end users after a certain configuration is entered. Easier to corrupt them given that and their $1-15 mil entry point. Trusting ARM chips is another fatal flaw for you.
3298fuvoting_logistics_are_illogical_and_fraudulant_in_every_nation_4390ug • November 13, 2014 10:55 PM
@Nick P: You provided literally NO technical, or even theoretical abstract, description of an attack.. How did I lose anything?
What you didn’t bother to read:When you DO defeat the hundred of millions to billions of AES 256 CTR keys each with different IV(even if they ARE weak) and forge results. You gotta go hack in to dozens or more of mirror servers and upload your altered binary without leaving a single trace of even a TOR, VPN, or proxy, and hope nobody actually checks their record till the end of human existence(“infinity”)..
I did point out there is no logically secure way to protect voter privacy though in my own comment. Logistically it’ll always depend on descreetness and human trust or cryptography.. The fact there IS even the need for secret voting means the whole concept is pointless in the first place IMO.. So whatever, but fun times..
3298fuvoting_logistics_are_illogical_and_fraudulant_in_every_nation_4390ug • November 13, 2014 11:08 PM
Regarding ARM: So can Intel and AMD, so everything is vulnerable since manufacturing and design of silicon is out of reach unless you have at least half a mil and audit silicon, and even then you have to pass around your low-yield of units with bad Q&A..
ARM at least has security features that don’t just partition RAM and accelerate like x86(TXT&VTx&AES-NI) and typical PPC(DLPAR&ROM).. There is no alternatives even if you were to settle for primitive UI and a cheap PIC.. Cheap PIC way you could resin and mesh the hardware and keep a primitive UI with no memory corruption vector, but what if NSA got the hardware to their think-tank? Plus you still have the reality NSA can defeat both AES 256 and RSA 4096 and ECC AND SHA3-512 etc..
Simply REFUSE to revert back to human-trust models.. It’s a big annoying waste of time..
Figureitout • November 14, 2014 12:36 AM
3298fuvoting_logistics_are_illogical_and_fraudulant_in_every_nation_4390ug
–If you’re not even going to implement it, what’s the f*cking point egging people on to attack your non-existent scheme? Where’s the actual development happening? It’s a Windows PC w/ x86 architecture, isn’t it? That makes “secure” development easy…How did you manage all files and “reasonably” isolate the PC used for programming chips (mostly internet)? Where do you leave the computer when you sleep or on weekends, at an unsecured location?
These are where the attacks will actually come b/c it doesn’t involve a lot of brains, and it’s scary and creepy as hell when you find them…That and watching for trigger words from ‘net searches.
I’ve got lots of fun projects I’m doing and working on (frickin’ bogged down for at least a month or two before I post something w/ more meat), so lots of capable people are probably already busy like always, probably not even reading; but I won’t be coming here fanning the flames for attacks on my design w/ no actual design yet…Make it and then someone else (not me, too busy) can come up w/ a way to get access (meaning no internet/RF, just tell people to try to attack the device on your bench or whatever).
In my short experience w/ embedded dev., ARM chips are very fun & easy to work w/; Atmel on ARM is actually a lot of fun, not so much work, but I have reasons to believe PIC’s have some of the best default hardware security compared to most others (which isn’t anywhere near where I want it, but as an individual I can’t design and lock down fab for production run; yet…). People crying about a primitive UI can suck a fat one, it’s a voting machine! Who cares…Probably don’t even know what goes into a simple 7-segment LED display…
For me, the ways in remain malware from the internet and hardware again I haven’t examined (hardly f*cking feasible from many vectors and frames of reference…) from unassured places. I don’t see a mitigation for that in your designs, or your brainstorms.
Wael • November 14, 2014 1:16 AM
@Figureitout,
probably not even reading;…
Don’t equate the scarcity of posts to “not reading” (???? != ???? || ???? ) Some don’t like to respond to posters with handles that are more than one line long!
uh, Mike • November 14, 2014 8:43 AM
There’s this book, Applied Cryptography, …..
uh, Mike • November 14, 2014 8:46 AM
On to my comment. I think pencil and paper is the best. Any sophomore computer scientist can scale a pencil and paper voting system. It leaves the eponymous paper trail.
You don’t get instant reporting, although you could approximate it. All you need is trusted (oops) minions and phones.
3298fuvoting_logistics_are_illogical_and_fraudulant_in_every_nation_4390ug • November 14, 2014 8:50 AM
@Figureitout: Because everyone else were referencing and suggesting obvious-vulnerability systems like encrypted data to old discreet human processing. I’m the only one who posted something that actually can’t be compromised..
Why don’t I just implement it? Because I’ll make a simple program to collect votes and build the data(pretty easy actually maybe use XML for ballot gen.) and like the comments nobody will care. A few people might reference some AES vulnerabilities and ignore half of the design that is there to handle cipher failure like Nick..
Even better question: If we’re not going to suggest something that actually works, then why all the comments and debate in the first place? I posted something that can’t be compromised and where voter privacy is only compromised if the strongest encryption cipher(with decent IV algo) in existence is defeated. People are too lazy to even attempt a theoretical attack that works to forge results or admit it can’t be done.
I’m sorry all of you are rustled by my idea that you can’t actually defeat.. If you beat AES or even the ballot machine you only expose voter decisions, the person who is voted for by the people is still getting elected XD AND THERE IS NOTHING ANY OF YOU CAN DO ABOUT IT XD..
Nick P • November 14, 2014 10:38 AM
@ 3298
Oh I read it. And I showed attack surface. It seems your lack of experience in the INFOSEC field requires me to be very specific instead of talk about known problem areas. So, here’s a few specific attacks.
- Technical. The mirror servers are hacked using 0-days. This can be used for MITM or simple denial of service to cause a fallback. Also would remove faith in the system.
- Technical. Users’ computers are destroyed as they connect to those servers. Could cause a fallback and would remove any faith in the voting system.
- Technical. The software itself is subverted with a 0-day like Heartbleed that attackers hit during the election. Like the banking malware, it shows the users one thing and does another. Even if detected, it will remove faith in the system & cause a fallback.
- Usability. Majority of Americans wouldn’t understand your system at all. It wouldn’t get adopted for that reason. If it was, they’d use it incorrectly and screw up the security properties. A “secure” design whose users can’t use securely is insecure in practice.
-
Voter privacy. Your system, unlike others, doesn’t have this very important feature. So, people vote and the opposing party can get retribution against them later if they win.
-
Coercion resistance. Your system has none. Voters who trusted your solution might be harassed or killed in name of fradulent votes. Further, the election is easier to rig when targeting users in swing states.
So, your system is a failure in many ways. There’s already better ones published that don’t have these failures. Therefore, yours should never be implemented & people should start with the others. Further, that you keep pushing it and repeating details instead of fixing the problems with it says something about your character. Your future work should be very carefully reviewed before anyone uses it. The reviewers should keep in mind that you chose to potentially let people die than improve your voting work. And they should only review it if they have no other work on their desk from more reputable people.
I do have work to review from such people so… ciao!
3298fuvoting_logistics_are_illogical_and_fraudulant_in_every_nation_4390ug • November 14, 2014 1:38 PM
@Nick P: So you have a way to control a user from reporting altered data after you defeat the encryption and alter hundreds of mirrored backups?
Perhaps your failure in basic comprehension or logic is the problem? You’re still announcing a win without actually giving any description.. You defeated encryption and even ballot entry? Nice, but what about the other 85% of the security that assumes that 15% will be defeated?
My only experience with infosec is RCE and embedded engineering.. I’m proud to not be reputable in an industry that has the same specific technical problems it did over three decades ago..
I think this whole argument is kind of pointless if something is going to be deemed insecure just because some bitter majority says so without a single proof or technical explanation.. Nobody really cares about job titles, it has nothing to do with the challenge and it’s flaunting being part of the element that is responsible for the problems in the first place..
3298fuvoting_logistics_are_illogical_and_fraudulant_in_every_nation_4390ug • November 14, 2014 2:00 PM
@Nick P: By the way to shoot down all your points at once: How would anyone get away with killing a large portion of a population to force a candidate? Killing even hundreds would have no affect and be extremely high-risk and even self-defeat once even basic statistics were used on the diff..
All your theories were built on top of your “murder” theory, and the “murder” theory is so irrational and illogical, even applied for the worlds smallest nations, that I’m interested in what you were thinking when you posted it..
Sorry kiddy, you still haven’t done it unless you want to just go with me being wrong because more people than not simply say so.. Which is idiotic enough to come from a security pro designing all these wrecked models that are tanking in half a decade tops..
Justin • November 14, 2014 2:17 PM
@3298fuvoting_logistics_are_illogical_and_fraudulant_in_every_nation_4390ug
I think this whole argument is kind of pointless if something is going to be deemed insecure just because some bitter majority says so without a single proof or technical explanation..
You’re putting the burden of proof here on the wrong side. If you propose an electronic voting system, you’d better have a proof and good technical explanation why it is secure and reliable and why we should trust democratic elections to your system.
Sancho_P • November 14, 2014 4:36 PM
@ 3298
Sorry I don’t understand your postings.
Just to make sure in case you didn’t understand mine:
Before going into any technical details,
voter privacy is the very first principle to begin with when thinking about a voting mechanism.
Voting without privacy is a farce, void.
Look at our corrupt, stupid and partisan parliaments:
Dozens of “voters” have absolutely no own judgement about a particular “question” or law but have to raise their hand when the master calls them up.
Some of them may have at least a “feeling” that the call is wrong but can’t refrain from voting, let alone vote otherwise.
Basically it’s wrong to ask laymen (also “the people”) questions for experts.
But to press people to vote for colors at “gunpoint” is worse.
Or would (or could ! ) you vote in favor of your opinion at the price of your job?
Freedom includes privacy.
Sancho_P • November 14, 2014 4:45 PM
Nearly on topic, but in German / Germany (fraud at letter / paper voting):
However:
– Pencil and paper – We know that we can’t trust in complex software.
-
Personal, no letter voting.
-
ID required.
-
A checkbox for “I want to see other options”.
-
Integrated intelligence test, working like a checksum, if failed: Void.
This test should deliberately cut 20+% possible vote(r)s off. -
There is absolutely no need of instant reporting, voting isn’t fun.
Angel • November 15, 2014 11:56 AM
The Myth of Democracy.
That is what comes to mind when I read this, and why I am not at all concerned about security threats to voting systems.
Do you have ideas? Have you spent decades poring over political issues and have come to the correct answers on everything? Then go and get elected. Only, of course, you can not because the political system does not work in this way.
Never mind the fact that:
-> Even if a human being had an incredibly unlikely “IQ”, this would mean nothing about them being “right” on political issues
-> Being incredibly intelligent and having an incredibly good heart are highly improbable (or is it)
-> political issues typically involve “tomorrow”, ideas that can seem really good to implement today for your constituency (say, the rich or the poor) may actually be the worst thing to do — sure there are issues which are plain and simple, but these can be completely undone by the more complex issues
-> people live an extremely short period of time, and even if they devoted decades to studying the issues, they would not really know what the hell they were doing
Hence, politics is as people generally understand it to be: superficial nonsense that is entirely meaningless, but which they attribute meaning to for the sake of belonging to and engaging in social grouping.
Democrats bond with Democrats, and Republicans bond with Republicans. Much ado about all their rules and beliefs, but few of them actually mean anything even if people really try to make them mean something.
There are the “right”, “best way” about matters. Societies should be even, there should be fairness, justice. Equal food, equal housing, equal rights. There should be an abundance of mercy and tolerance. Every one should be wealthy. Every one should have the best health care. Every one should have an abundance of free time and luxuries. Every one should be well educated. Every one should be happy and have a harem of beautiful spouses who adore them.
Thankfully, people are not selfish, and are all equally doused with an abundance of joy, so they are constantly wishing for all the people to know the paradise of existence they themselves live.
Back to planet earth: this is not even remotely plausible as fantasy, and far less so as science fiction.
Never mind the fact that everyone will die about by the time they ever achieve anything, and then all they worked for and all which meant anything to them is lost. So the point is?
The political systems are corrupted and controlled by monied & empowered interests. Non-elected, empowered interests.
The vote of the impoverished is but political theater.
All other concerns about the democratic system are far beneath this reality.
Figureitout • November 15, 2014 10:22 PM
3298fuvoting_logistics_are_illogical_and_fraudulant_in_every_nation_4390ug
I’m the only one who posted something that actually can’t be compromised..
–It was at best a brainstorm, miniature paragraph of a “design”. Don’t get me wrong, I love brainstorming and extensive planning before committing; but not a design. It involves servers and the internet which, security-wise; is beyond shameful (wild wild west). Saying it can’t be compromised is flat wrong. Usually attackers aren’t so nice to reveal their methods and tell you you’re being hacked (a-hurr-durr)…
I’m not suggesting sh*t for voting systems b/c I currently reserve my right to NOT vote in a rigged system. Citizens don’t choose candidates, and the country is too big for “representational democracy” to even work anymore. The system hasn’t been updated (well it has, just gotten more tyrannical and pushing falsehoods) since 1800’s; tell me what we do today that resembles 1800’s, it’s only fundamental science. It makes little to no difference who you vote for (in US at least), the same stupid policies will happen. Unless I see communities come together way more than they do now; the root issue of people not actually getting involved or actually working together remains unsolved. I got close to trying some things but I’m still too poor to do it…
So far from having my “jimmie’s rustled” by your brainstorm; they’re more so being rustled by you suggesting we can’t crack a design/implementation you haven’t even made nor explained enough. So yeah, good job for nothing.
Wael
–I can only read your “monkey symbols” on mobile lol…well this poster is trying to rustle some jimmies w/ retarded arguments; I don’t know, sounds like he’s looking for a fight of some kind…
Gerard van Vooren • November 16, 2014 4:55 AM
@ BrianM
These are the facts:
– Gore did have half a million more votes than G.W.Bush
– The controversy took place in Florida
Well, it happened, like other things happened (I mentioned them before). It happened in Jeb Bushes state. So if you ask me, someone pulled some strings. That means indeed fraud.
Now think what would have happened when Al Gore was the president during 9/11. Would he have introduced the politics of fear, the PATRIOT ACT, the wars and the countless lies? One thing is for sure: There wouldn’t be a Dick Cheney, Rumsfeld, Wolfowitz or Rice.
Also there wouldn’t be a tax cut for the super rich. And Gore, like Clinton, would have looked way better on government spending what could have resulted in a much better heritage regarding the national dept. Clinton did very good work in that area.
On the other hand, Gore would have had a great chance of being eliminated because of his environmental views.
Purely hypothetical of course.
CallMeLateForSupper • November 16, 2014 11:46 AM
@Chris Abbot
“…you cast a vote that is a properly MAC’d, signed, and encrypted e-mail using a RSA, PGP style system”
If my reply echoes an earlier one, sorry for its being redundant.
The encryption/crypto sig. idea applied to viting has been around for years. (For a very short time after I myself thought of it, I imagined I’d invented it!) It’s a non-starter however. To understand why, all one need do is to look at personal encryption’s thin user base. Relatively few people use it.
Citizens don’t learn crypto for two reasons: Time and again writers in print who were otherwise responsible dismissed personal crypto tools because of a “steep learning curve”. Second, citizens don’t really care about their personal security.
Hendrik Boom • November 16, 2014 3:03 PM
Isn’t the ability to subvert elections the whole point of electronic voting, whether done by email or by computers at the pools?
Subscribe to comments on this entry
Leave a comment
← Sophisticated Targeted Attack Via Hotel Networks Narrowly Constructing National Surveillance Law →
Sidebar photo of Bruce Schneier by Joe MacInnis.
Arclight • November 10, 2014 2:20 PM
If we consider how badly electronic in-person voting has been implemented, I don’t have a lot of hope for our various Secretaries of State and local election boards to get Internet voting anything close to right.
For an example of an actually rigorous process, look at the Nevada Gaming Control Board and how they deal with slot machines (a much more limited-scope problem) through code audits, human controls and severe sanctions for unauthorized modifications and such. This is a good parallel to voting:
http://www.nytimes.com/2004/06/13/opinion/gambling-on-voting.html
Arclight