Critical Flaw in Swiss Internet Voting System

Researchers have found a critical flaw in the Swiss Internet voting system. I was going to write an essay about how this demonstrates that Internet voting is a stupid idea and should never be attempted—and that this system in particular should never be deployed, even if the found flaw is fixed—but Cory Doctorow beat me to it:

The belief that companies can be trusted with this power defies all logic, but it persists. Someone found Swiss Post’s embrace of the idea too odious to bear, and they leaked the source code that Swiss Post had shared under its nondisclosure terms, and then an international team of some of the world’s top security experts (including some of our favorites, like Matthew Green) set about analyzing that code, and (as every security expert who doesn’t work for an e-voting company has predicted since the beginning of time), they found an incredibly powerful bug that would allow a single untrusted party at Swiss Post to undetectably alter the election results.

And, as everyone who’s ever advocated for the right of security researchers to speak in public without permission from the companies whose products they were assessing has predicted since the beginning of time, Swiss Post and Scytl downplayed the importance of this objectively very, very, very important bug. Swiss Post’s position is that since the bug only allows elections to be stolen by Swiss Post employees, it’s not a big deal, because Swiss Post employees wouldn’t steal an election.

But when Swiss Post agreed to run the election, they promised an e-voting system based on “zero knowledge” proofs that would allow voters to trust the outcome of the election without having to trust Swiss Post. Swiss Post is now moving the goalposts, saying that it wouldn’t be such a big deal if you had to trust Swiss Post implicitly to trust the outcome of the election.

You might be thinking, “Well, what is the big deal? If you don’t trust the people administering an election, you can’t trust the election’s outcome, right?” Not really: we design election systems so that multiple, uncoordinated people all act as checks and balances on each other. To suborn a well-run election takes massive coordination at many polling- and counting-places, as well as independent scrutineers from different political parties, as well as outside observers, etc.

Read the whole thing. It’s excellent.

More info.

Tags: , , ,

Posted on March 15, 2019 at 9:44 AM32 Comments

Comments

Erdem Memisyazici March 15, 2019 9:54 AM

Yea but you can make it secure enough such that only a state actor level can hack the elections. Waitaminute…

Faustus March 15, 2019 10:08 AM

“Most people know that Pedersen commitments rely on a set of “bases” that have to be generated in a trustworthy way: you can’t know a relationship between them.”

Most people know?? This idea makes me smile.

I have a hard time understanding why we place so much trust in traditional voting, which seems subject to manipulation. I am guessing it is because there are subtotals at multiple levels and no one actor is in the position to make countrywide or statewide alterations, while that could done with internet systems.

How is it that we run large scale banking relatively safely and cannot do that with internet voting? I think the key is that each person be able to verify that their vote was registered correctly. (The equivalent to balancing our checkbooks.) Our secret ballot (effectively secret from the vote caster as well) is a great enabler of ballot alteration. How do we know earlier elections weren’t massively stolen already?

wumpus March 15, 2019 10:26 AM

So they want to make what happened in the US’s 9th district of North Carolina a feature, not a bug?

  • ok slight exception. In that election one of the candidates hired someone shady* to gather and supply mail in votes, not a somewhat trusted 3rd party.
  • At least the 9th district left enough of a paper trail that the election was thrown in doubt. E-voting fraud rarely has such issues.

  • They are having a second election thanks to the issues of the first. I don’t think the “winner” of the previous election is running.

  • candidate’s own son (a US attorney) warned him about it and testified as much in court.

Gunter Königsmann March 15, 2019 10:34 AM

Is your local ATM still running XP? Is your gas station using Chip and Pin? Have you never bought in a place whoses terminal stole your data? Have you never online shopped at Sony or someone else whose card data was stolen? And are you really sure that no-one will remember your card retails after having looked at your card for five seconds?

But at least the banks most probably won’t dare to cheat as everyone regularly checks his own bank account. On the other hand when offering online voting the government that runs the voting machines might have a strong interest in winning and it might be hard if all the millions of votes you didn’t hand in were correct, save finding out if all the voters the machine counted actually exist.

Nicolas George March 15, 2019 10:58 AM

When it comes to online voting in real political elections, I wonder why people always forget that very important fact:

Online voting is the final nail on the coffin of vote secrecy.

When you vote from home, nothing prevents somebody from looking over your shoulder. That somebody could, of course, be the one who is buying or coercing your vote.

The increasing ease of setting up absentee ballots, which in the past needed to be motivated by a recognizer reason, at least in some countries, already weaken the vote secrecy and the protections against vote buying and coercion. But online voting, voting from home or other untrusted places, puts a definite end to them.

And I am not even evoking the possibility that the client computer could be compromised, and showing a different ballot than what will be submitted.

mark March 15, 2019 11:31 AM

I just saw today on slashdot that DARPA’s got a project to build a secure voting system. ALL based on open source.

Sed Contra March 15, 2019 11:49 AM

Perhaps to the list of “obviously” reasonable and desirable voting system criteria that (Arrow’s theorem revealed) were not so reasonable, one should add “secrecy”. Maybe secrecy is not so reasonable since everyone’s vote is important to everyone. Could there be a way to achieve the desirable aims of the secret ballot by some other means ?

Matt from CT March 15, 2019 12:17 PM

Our secret ballot (effectively secret from the vote caster as well) is a great enabler of ballot alteration. How do we know earlier elections weren’t massively stolen already?

Secrecy is more important than security and accountability because it allows people to speak to power without fear of individual retribution.

It also assures the elections are not directly bought and paid for.

Balancing votes like a checkbook allows another party to see for themselves you are following their directions.

Some voting reforms like early voting (via a secret ballot, at a secured polling station) and instant runoff come with few trade-offs.

Vote-by-Mail and Internet voting are fundamentally insecure because we, as a society, have no way of assuring the person casting the ballot isn’t being bullied across a kitchen table by their spouse or parent to vote a certain way, isn’t being bullied at work to vote a certain way*, or whether they are being encouraged by cash incentives backed by the person handing out the street cash being able to see the actual ballot before it is cast.

We have a history of voter fraud. We know what it looks like, and what reasonable controls can be put in place to keep it in check. We know the shenanigans pulled off in LBJ’s 1948 Senate campaign a dozen years before he became Vice President reeked of fraud. We just a North Carolina election thrown out over the exact scenario — manipulation of absentee ballots — I mention make non secret, non ballot box votes insecure.

Conducting the elections in public places, with individuals behind privacy screens, goes a long way to assuring freedom of conscious while allowing society to put in visible security measures to assure proper accounting of the ballots.

We don’t have a history, and it would be difficult to police, fraud and intimidation at location like the home that simultaneously provides no assurance of privacy to the voter but assures it is private from public scrutiny.

  • As an aside that is why card check elections should be followed by secret ballot for union organizing so neither the union nor management knows who voted how.

Paul March 15, 2019 12:55 PM

Again, about Brazil electronic voting system (not on-line): To vote, the person must appear in a pre signed room (usually in a public school). Inside the room, four people work to check the documents. Those for people are randomly assigned by the government, often they don’t know each other. The voting person goes to the cabin to type their vote, the machine register the vote but does not record who voted on whom. The machine is not connected to the internet. In the room it is allowed (during the voting day) for inspector from any political party to enter and monitor what is going on. Often several authorities go to the rooms to check if everything is going accordingly, such as judges and public prosecutors. At the end of the voting day the machine prints a report in paper that many inspectors get a copy and anyone from the public can get a copy. The report says how many votes went to whom. The machine is then transported by other team of people and a pendrive that record the votes goes to a central that send all votes to a larger central. Then they give the final result. If an inspector (from a political party) notices something odd, they can show that the reports does not match the final voting. Even if the transmission is hacked, they later check the pendrives for any distortion. To fraud the voting system one would have to bribe dozens of randomly assigned people. A hacker could alter the transmissions but they are later compared with both the pendrive and the machine and the print paper, so a hacker would have to also alter several machines and the transmission and the papers. There is a possibility that all machines are altered by the government itself however, statistics show that all voting went according the expected outcome. Plus, political parties does not need to hack the election because people already vote on the worst candidates anyway.

Jon March 15, 2019 2:40 PM

There are zillions of problems with voting.

Let me think about just one here: How do you provide the voter with a receipt that allows them to verify their vote was recorded correctly without letting anyone else know how their vote was recorded? (the ‘secret ballot’).

My thought was you encrypt the ballot, then give the voter a receipt that contains only half of the decryption key. The polling place retains the ballot and only the other half of the key.

Then the voter, should they feel so inclined, can go to a ‘verification place’ (akin to a polling place) and after their identity has been suitably established, admitted into a private area like a ‘verification booth’, (akin to a voting booth) and therein they enter in their half of the key, the polling place provides the other half, and the ballot is decrypted and displayed.

Obviously you would need to add the results of the ballot to the summary before encryption, and trust in the machinery all the way down the line, but those are different questions.

For now, I think election security should be focussed on ‘making it difficult to cause mass changes’, rather than occasional hiccoughs. And here the Swiss Post system entirely collapsed – One person can change it all, without evidence. There will still be rotten elections, but make it very difficult to change lots of votes at once while not worrying as much about one vote at a time. imho.

Jon

Jesse Thompson March 15, 2019 3:42 PM

@Jon

The “who to trust” rub here is:

Go to a “secure” location to use your half of the key to confirm your previous vote, and you are placing trust in the parties who gain direct material gain from undermining your vote: the people trying to get re-elected, or the newly-elected trying to confirm their legitimacy. Because they run the government that administrates the secure room that this approach pivots upon.

Also, it would be impossible to prove 1,000 forged votes without those 1,000 people all coming in to audit their votes even if you could balance the checks and balances of each fiddling individual audit procedure.

I’m not certain I’m completely convinced of the importance of secret ballot anyway.

It’s got to cost more cumulative money for a party interested to sway a vote to either threaten or bribe enough people to succeed without being caught that it shouldn’t pencil out in their favor to attempt that approach, and if it did pencil out then both sides would have incentive to try and thus undermine one another’s expected criminal effectiveness.

In the face of gerrymandering and polarizing voting blocks (red state vs blue state) and other abuses of the system (such as being two-party, first past the post, etc to begin with) I don’t see secret ballot as being important enough to hobble every other potential gain we could be making in voting procedure.

It’s like a wedge criterion: this gotcha that gets thrown in just to ensure any solution with a chance of actually being productive gets undermined.

Secrecy, auditability at scale. Pick one because they are mutually exclusive.. and if you don’t pick the second one then every vote will get forged with impunity making the entire exercise pointless.

1&1~=Umm March 15, 2019 4:13 PM

First question should be ‘where’s the block chain’ it’s a trendy must have so there has to be one in there somewhere yes?

More seriously though, when you get down to it all of these ‘magic sauce’ protocols and algorithms tend to lack proofs that can be understood by even others in the knowledge domain without considerable thought and quite specific expertise. Worse they nearly all are when you chase it down based on assumptions that are often at best fragile.

So the first real question should be ‘How do we test the algorithms and protocols before we use them?’. Then secondly ‘How do we test our implementation is not just correct, but has not opened up other problems that were not in or not covered by the proofs?’.

Not asking those questions, or not having proper answers and procedures for them will almost certainly result in an insecure system.

There is an estimate floating around that the cost of getting a US President elected would need a pay back of a million USD per day for every day of the term to show a modest profit. Rather more than that million to be up with the average stock market fund returns.

Thus if you are looking on making that sort of investment, how much would you think on spending to ensure your required outcome?

Even a fraction of that investment would buy you several highly skilled black hats to go through a voting machine code rather more thoroughly than a handfull of in their own time pro-bona security experts from academia etc.

So if a handfull of pro-bona security experts discover a major security fault at best part time… Just how many more do you think several full time teams of expert black hats could find?

More importantly if the black hats did it independently, just how much do you think they could sell it for?

Now ask the question how much money did Swiss Post spend on testing?

I think most will agree there is quite an asymmetry there.

1&1~=Umm March 15, 2019 4:17 PM

@Faustus:

“How is it that we run large scale banking relatively safely and cannot do that with internet voting?”

Have you actually looked up what bank and credit card fraud costs the economy?

Cassandra March 15, 2019 5:36 PM

Votes in elections in the UK are potentially non-secret, as these letters describe:

The Guardian: What happens to the voting slips used in British elections after they have been counted?

If you vote for extremist parties, it is possible for the guardians of national security to trace from the numbered ballot paper back through the voter registration information to determine who voted for that party. Whether this is done or not is the subject of many stories with more or less reliable provenance.
In principle, it is possible to do for all ballot papers, but would be rather a large undertaking. The security services are more likely interested in the people who vote for small extremist parties – the vote counting process convenient bundles up together the ballot papers for each party, so extracting just the ballot papers of people who voted for e.g. the Official Monster Raving Loony Party would be a simple undertaking.

Cassandra

Jon March 15, 2019 9:02 PM

@ Jesse Thompson

I quote:
“Go to a “secure” location to use your half of the key to confirm your previous vote, and you are placing trust in the parties who gain direct material gain from undermining your vote: the people trying to get re-elected, or the newly-elected trying to confirm their legitimacy. Because they run the government that administrates the secure room that this approach pivots upon.”

You make many valid points, but those are the ones I was trying to deliberately simplify out. If you cannot trust the machinery (and, by extension, those who run the machinery) then you have many more problems.

You may also be right in that the secret ballot (and compelling ballots) may not be that important. If it costs you $20 to make someone vote some way, and you need a million votes to swing the election, that’s $20,000,000 (peanuts to the Koch brothers, George Soros, Peter Thiel, Bill Gates, or Jeff Bezos, but let’s overlook that for now). Few can afford to swing elections by simply bribing every voter.

Trusting the machinery is an entirely different kettle of fish. I have some opinions upon those lines, but they are not very highly educated opinions.

If you can think of an easier or better way to give the voter a receipt that they can take home, away from the polling place, and then re-confirm later on that their ballot was registered as they thought it should have been, preferably somewhere else, let me know. Thanks!

J.

Sed Contra March 15, 2019 9:03 PM

Re: secrecy protects voters

If there is a significant problem of retaliation against the voter who marks their ballot wrong, there are general problems that aren’t delimited in terms of voting, of which coerced voting is just a symptom. They need to be fixed, then voting will be really secure, and secure vorting will no longer be just a technical hack-kluge. So the problem is to make “government” responsible to the polity. Basically this means that the polity has real choices. If these obtain, coercion won’t work that well because the polity will exercise their choices. This is how the USA was founded. Also, the feudal system provided choices. The law bound all elements of the polity togther with mutual obligations. The one who betrayed and traduced those obligations was regularly sued in court. Also the supposedly “lower” elements could exercise the ultimate choice and vote with their feet. We should do likewise.

Jon March 15, 2019 9:13 PM

PS – Note that ‘costs you $20 to make someone vote’ does not necessarily mean you pay them $20 to vote the way you want to. It could mean the $200/hour labour costs of your heavies makin’ their way through the neighborhood and makin’ sure that the nice people done voted right properly, else something bad might happen to them, and nobody wants that, right? J.

Jon March 15, 2019 9:19 PM

@ Sed Contra

Judicial retaliation (for violating laws) takes years and has loopholes.
Gangland retaliation takes hours and there is no appeal from being dead.

And go with your feet where? Anywhere you go, there are already people there who don’t want you. J.

Guest March 15, 2019 10:34 PM

@ Jon, @ Jesse Thompson

Some of the papers on theoretical voting systems have described a receipt proof where, if there are 6 parties to vote for, you cast 1 base vote for each of them and 1 extra vote for the one you actually wanted to vote for – at the end, every candidate has 1 vote removed for each person who voted, leaving 1 vote for each voter. But the voters in the booth receive 1 receipt for each candidate, allowing for auditing (presume the paper ballots were printed out and then entered into a physically-mixing pile; no record is kept of which ballots a receipt exists for) but making the “proof” of casting one’s vote a certain way highly questionable.

Gunter Königsmann March 16, 2019 1:11 AM

Practical question: My Firefox on Android (no add-ons) from time to time requests permission to record audio without telling why. This only happens on IT news sites that contain ads.
In the source code of the web page itself I don’t see anything strange in these cases. Is there any way to debug that? The last time it happened was the “the verge” link above, but other websites like heise.de and golem.de are affected, too.

The program will request the permission only a while after the page shows on the screen, often does do so again when I switch to a different tab and switch back. It stops happening if I reload the page. On pages that load images only when you scroll down far enough to reach them scrolling down isn’t necessary to trigger the request. And if doesn’t matter if I am on WiFi or on mobile data nor does turning off images in the “advanced” preferences menu seem to change the chance of getting the request.

Faustus March 16, 2019 9:40 AM

@1&1~=Umm

“Have you actually looked up what bank and credit card fraud costs the economy?”

I’m pretty sure it’s a good deal less than what abusive credit practices and fraud in the banking industry cost the population. But why ask a question if you have the figures at hand? What are they? Do you have a link?

I’m sure such a number is pulled out of the air, the same way the costs of a million other things are, like disasters, or some kid hacking into the DOD and simply looking around. (Not to mention the cost to security to people in your home country by allowing just anybody to own a hammer: https://reason.com/blog/2019/01/30/buying-a-hammer-the-uk-worries-that-migh ) I’m not even mentioning the apocalyptic dangers of pocket knifes.

We lose $500 billion dollars but it has no obvious effect on anything? Hmm. I think these numbers are simply manufactured PR. “Do what we say, or your money will disappear!” When the government and banking are by far the most likely offenders to be stealing your money.

The parties involved have every reason to inflate the numbers and throw the cost of a yacht in for good measure.

“Have you actually looked up what bank and credit card fraud costs the economy?” No, but have you actually looked at credit card interest rates? And punitive bank fees? I am sure that the parties are well compensated by the abusive interest rates and fees they charge.

Sed Contra March 16, 2019 1:14 PM

@Jo

takes years

How true! Longing for a return of the day when Thomas Moore called for the next case and there wasn’t one. Also, people should not be afraid of gangs, gangs should be afraid of people, as they sometimes are e.g. in New York. Leadership, freedom isn’t free etc. Likewise governments. These are not problems in computerology. People still move inside the country to try for a better situation.

Sed Contra March 16, 2019 1:18 PM

@Jon

Apologies for misspelling your handle above ! Theorem: There is always more proofreading to be done.

1&1~=Umm March 16, 2019 4:46 PM

@Faustus:

“But why ask a question if you have the figures at hand? What are they? Do you have a link?”

The problem is finding the ‘real figures’ in amongst the hype and supposed confidentiality.

Take this article for instance,

https://www.businessinsider.com/2018-identity-fraud-declined-2019-3?op=1&r=US&IR=T

It starts of looking OK untill you realise it’s actually written by the payment card industry that are desperate to,

1, Get rid of cash transactions.
2, Pretend Chip-n-Spin is wonderful.
3, Extetnalise loss to merchants and customers.

That is they have only reported a fraction of the payment card industry losses and the customer and merchant losses have been mucked about with.

From reading it you would assume Chip-n-Spin had brought –all– CC fraud down. It has not it’s just caused it to move to different frauds such as on-line and new-card fraud.

Based on a multitude of other figure it’s safe to say that CC relayed fraud in the US is as strong if not stronger than it was a couple of years ago prior to Chip-n-Pin. All that’s happened is the deck chairs have been moved around.

So somewhere between 6-8billion for 2018 just for Payment Card Industry related fraud costs in the US might not be an unfair guess. But then there are other losses and costs such as to the merchants and to banks directly.

But remember on CC fraud US law might limit the personal customer loss to $50, but there are way more costs involved with sorting it out. Such costs don’t realy get counted thus the real figures are a significant multiple of that 6-8billion guestimate.

Oh and note thay the total US Population is ~330million depending on who’s trend figures you look at. But from the article, they say,

“‘14.4 million US adults'”

The reality is that between 1/6th and 1/4 of the US population hold CC type cards and that is falling as banks try to switch people to Debit Cards for various reasons. What ever the figures are exactly –and nobody is saying publically– there are only about 100million economically productive adults in the US so 14.4 million is a sizable fraction…

But the article also says,

“‘card fraud dropped from 5.47% to 4.40%'”

But they don’t say if it is ‘of transactions’ or ‘of value of transactions’.

Ross J. Anderson’s group over at the UK Cambridge Computer Labs indicated in the past it was of ‘total annual transaction value’

So if we look around for the total transactions on payment cards, again figures are hard to find but with a 15% growth expected from 2017’s figures for US e-Commerce alone in 2018 should have been 521billion… So 4.4% of that would be 23billion… And we know the fraud rate in e-Commerce is higher than the overall average…

So just on e-Commerce alone we will have seen about four times the fraud that the payment card industry owns upto as what are it’s losses are…

Anyway, as I said you have to look them up and draw your own conclusions, but I think I’ve shown they are way higher than many think.

@All:

This report from Experian is InfoSec related and should be read by many of the people on this blog our host @Bruce as well if he’s not already got it on his reading pile 😉

https://www.experian.com/assets/decision-analytics/reports/global-fraud-report-2018.pdf

Nicolas March 17, 2019 4:58 AM

As a security conscious professional in Switzerland, I tried to warn several organisations in the country (and keys persons in the .gov) about outstanding security issues on deployed infrastructures. Including, but not limited to the health care application deployed by the Swiss Post, an app already used to daily exchanges sensitive information about patients. What I heard back ? Nothing, crickets…

The Swiss post can’t even deploy their application with HSTS enabled on their front-end. They still exposes pre-production code on their public web servers, and I bared scratched the surface…

Faustus March 17, 2019 10:39 AM

@ 1&1~=Umm

Thank you for your extended response. Business Insider is inside a paywall kind of thing, and no, they cannot have my email address. I am at the end of all these data schemes, to the point where I probably wouldn’t give BI a glass of water if they were dying of thirst. Tough luck. Find water with your analytics!

And you finish of with Experian, a company that makes data theft, buying politicians and defrauding consumers its profession and avoidance of any and all responsibility its watchword. Why would I credit anything they say?

There are two important numbers concerning credit card fraud. X: What is the amount of attempted cc fraud? Y: How much money is actually irrevocably lost to cc fraud? Obviously, Y should be significantly less than X. Nobody makes a clear distinction between the two, but from context the 5% fraud rate seems to be talking about X, attempts, not Y, actual money lost. And so I say, “Yawn”.

Europe is supposed to be the land of socialism and limited capitalism, but Chip-N-Spin, based on what I have read in this blog, is mostly a scheme to stick the consumer with bank errors. Between Chip-N-Spin, the EU copyright insanity, and British snitch culture (“See a Muslim building a house with a hammer, report him! Driving a car? Report her! WITH A POCKET KNIFE (Oh, my deity!!)? Feed him chips until he has a heart attack!), every time I think the US is crazy I just have to look at Europe to be reassured that we are riding the crest of the IQ wave, as low as that crest may be.

I am not wedded to internet elections. I was very curious if anybody was applying security concerns to physical voting. My initial look was concerning, with esteemed Prof Dill opining that we had nothing to worry about if we didn’t see “suspicious” people disappearing into a back room with the ballot box. That’s like saying that an internet election can be considered safe if we don’t hear a hacker cackling!

But I researched back into Prof Dill’s org’s website and in fact they have an extensive protocol for the security of physical elections. So good on them, that sounds on the right track.

The fact that we use computers for everything but have very little trust in them is striking. People who have spent their whole lives on the issue of computer security are leaping out of windows at the thought of trusting internet elections. I guess I should believe them when they say “I made this and we certainly shouldn’t use it for anything important.” We have an internet that is mostly good for election fraud, social media mobbing, ordering dangerous drugs and videos games in which we kill people. And porn, lots of porn. And selfies. Lots of them too. (And pictures of food… You get the idea)

I guess a society gets the internet it deserves! In a sense it is good. I think smart people will start unplugging. I am, and like most people, I am the smartest person I know!

1&1~=Umm March 18, 2019 5:15 AM

@Faustus:

“Nobody makes a clear distinction between the two, but from context the 5% fraud rate seems to be talking about X, attempts, not Y, actual money lost. And so I say, “Yawn”.”

Err no that was my point about the UK Cambridge Computer labs under Ross J.Anderson. They had found in the past it was not ~4.5% of the Payment industries turnover, or the total number of card transactions processed ( your X), but of “total value of the transactions” (your Y).

“Prof Dill opining that we had nothing to worry about if we didn’t see “suspicious” people disappearing into a back room with the ballot box.”

That’s not quite what he said, he was pointing out after a question that even paper ballots are not secure, but the simplicity of the system if otherwise run honestly is difficult to subourn without it in general being noticed. But if the ballot is run dishonestly it won’t get seen especially in a complex system which very very few can look into, (few could understand both the code and hardware of computerised voting).

The complexity of computerised voting gives rise to the question of “Who is actually in control of the ballot?”. That is the election officials that ‘run the election’ or who ever controls the mechanisms that do the counting of the votes, be they the companies that make the machines, insiders within the companies, or unknown others with as much or more skill than those in the companies.

Look at it this way, if I somehow obtain the Code Signing Key used for software updates –as happened with Stuxnet– then I can put my own code on the machines, all I have to do is find a quiet route to inject my update into the existing update process.

Which would most likely prove trivial as it does with most update processes, hence the ‘heebies’ many industry insiders are having. Because they are very acutely aware of it, and worse see it as both a chronic and endemic industry failure. Hence your,

“The fact that we use computers for everything but have very little trust in them is striking.”

I could give reasons why but as it involves a certain short termism behaviour that has become much exploited, thus a political outlook on life, I think we both know where that will end up, as it has in the past, here and on other blogs. So for the sake of peace on the blog I’ll avoid it for now.

moops March 18, 2019 11:56 PM

Nicolas: yes, trusting Swiss Post seems like a big mistake for a highly technical thing like e-voting. They just don’t know what they don’t know. You can’t hire a competent contractor if you don’t even understand how hard the thing you are asking for is. In addition, shame on any country that trusts KPMG with their democracy.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.