Page 481

Hacking the Papal Election

As the College of Cardinals prepares to elect a new pope, security people like me wonder about the process. How does it work, and just how hard would it be to hack the vote?

The rules for papal elections are steeped in tradition. John Paul II last codified them in 1996, and Benedict XVI left the rules largely untouched. The “Universi Dominici Gregis on the Vacancy of the Apostolic See and the Election of the Roman Pontiff” is surprisingly detailed.

Every cardinal younger than 80 is eligible to vote. We expect 117 to be voting. The election takes place in the Sistine Chapel, directed by the church chamberlain. The ballot is entirely paper-based, and all ballot counting is done by hand. Votes are secret, but everything else is open.

First, there’s the “pre-scrutiny” phase.

“At least two or three” paper ballots are given to each cardinal, presumably so that a cardinal has extras in case he makes a mistake. Then nine election officials are randomly selected from the cardinals: three “scrutineers” who count the votes; three “revisers” who verify the results of the scrutineers; and three “infirmarii” who collect the votes from those too sick to be in the chapel. Different sets of officials are chosen randomly for each ballot.

Each cardinal, including the nine officials, writes his selection for pope on a rectangular ballot paper “as far as possible in handwriting that cannot be identified as his.” He then folds the paper lengthwise and holds it aloft for everyone to see.

When everyone has written his vote, the “scrutiny” phase of the election begins. The cardinals proceed to the altar one by one. On the altar is a large chalice with a paten—the shallow metal plate used to hold communion wafers during Mass—resting on top of it. Each cardinal places his folded ballot on the paten. Then he picks up the paten and slides his ballot into the chalice.

If a cardinal cannot walk to the altar, one of the scrutineers—in full view of everyone—does this for him.

If any cardinals are too sick to be in the chapel, the scrutineers give the infirmarii a locked empty box with a slot, and the three infirmarii together collect those votes. If a cardinal is too sick to write, he asks one of the infirmarii to do it for him. The box is opened, and the ballots are placed onto the paten and into the chalice, one at a time.

When all the ballots are in the chalice, the first scrutineer shakes it several times to mix them. Then the third scrutineer transfers the ballots, one by one, from one chalice to another, counting them in the process. If the total number of ballots is not correct, the ballots are burned and everyone votes again.

To count the votes, each ballot is opened, and the vote is read by each scrutineer in turn, the third one aloud. Each scrutineer writes the vote on a tally sheet. This is all done in full view of the cardinals.

The total number of votes cast for each person is written on a separate sheet of paper. Ballots with more than one name (overvotes) are void, and I assume the same is true for ballots with no name written on them (undervotes). Illegible or ambiguous ballots are much more likely, and I presume they are discarded as well.

Then there’s the “post-scrutiny” phase. The scrutineers tally the votes and determine whether there’s a winner. We’re not done yet, though.

The revisers verify the entire process: ballots, tallies, everything. And then the ballots are burned. That’s where the smoke comes from: white if a pope has been elected, black if not—the black smoke is created by adding water or a special chemical to the ballots.

Being elected pope requires a two-thirds plus one vote majority. This is where Pope Benedict made a change. Traditionally a two-thirds majority had been required for election. Pope John Paul II changed the rules so that after roughly 12 days of fruitless votes, a simple majority was enough to elect a pope. Benedict reversed this rule.

How hard would this be to hack?

First, the system is entirely manual, making it immune to the sorts of technological attacks that make modern voting systems so risky.

Second, the small group of voters—all of whom know each other—makes it impossible for an outsider to affect the voting in any way. The chapel is cleared and locked before voting. No one is going to dress up as a cardinal and sneak into the Sistine Chapel. In short, the voter verification process is about as good as you’re ever going to find.

A cardinal can’t stuff ballots when he votes. The complicated paten-and-chalice ritual ensures that each cardinal votes once—his ballot is visible—and also keeps his hand out of the chalice holding the other votes. Not that they haven’t thought about this: The cardinals are in “choir dress” during the voting, which has translucent lace sleeves under a short red cape, making sleight-of-hand tricks much harder. Additionally, the total would be wrong.

The rules anticipate this in another way: “If during the opening of the ballots the scrutineers should discover two ballots folded in such a way that they appear to have been completed by one elector, if these ballots bear the same name, they are counted as one vote; if however they bear two different names, neither vote will be valid; however, in neither of the two cases is the voting session annulled.” This surprises me, as if it seems more likely to happen by accident and result in two cardinals’ votes not being counted.

Ballots from previous votes are burned, which makes it harder to use one to stuff the ballot box. But there’s one wrinkle: “If however a second vote is to take place immediately, the ballots from the first vote will be burned only at the end, together with those from the second vote.” I assume that’s done so there’s only one plume of smoke for the two elections, but it would be more secure to burn each set of ballots before the next round of voting.

The scrutineers are in the best position to modify votes, but it’s difficult. The counting is conducted in public, and there are multiple people checking every step. It’d be possible for the first scrutineer, if he were good at sleight of hand, to swap one ballot paper for another before recording it. Or for the third scrutineer to swap ballots during the counting process. Making the ballots large would make these attacks harder. So would controlling the blank ballots better, and only distributing one to each cardinal per vote. Presumably cardinals change their mind more often during the voting process, so distributing extra blank ballots makes sense.

There’s so much checking and rechecking that it’s just not possible for a scrutineer to misrecord the votes. And since they’re chosen randomly for each ballot, the probability of a cabal being selected is extremely low. More interesting would be to try to attack the system of selecting scrutineers, which isn’t well-defined in the document. Influencing the selection of scrutineers and revisers seems a necessary first step toward influencing the election.

If there’s a weak step, it’s the counting of the ballots.

There’s no real reason to do a precount, and it gives the scrutineer doing the transfer a chance to swap legitimate ballots with others he previously stuffed up his sleeve. Shaking the chalice to randomize the ballots is smart, but putting the ballots in a wire cage and spinning it around would be more secure—albeit less reverent.

I would also add some kind of white-glove treatment to prevent a scrutineer from hiding a pencil lead or pen tip under his fingernails. Although the requirement to write out the candidate’s name in full provides some resistance against this sort of attack.

Probably the biggest risk is complacency. What might seem beautiful in its tradition and ritual during the first ballot could easily become cumbersome and annoying after the twentieth ballot, and there will be a temptation to cut corners to save time. If the Cardinals do that, the election process becomes more vulnerable.

A 1996 change in the process lets the cardinals go back and forth from the chapel to their dorm rooms, instead of being locked in the chapel the whole time, as was done previously. This makes the process slightly less secure but a lot more comfortable.

Of course, one of the infirmarii could do what he wanted when transcribing the vote of an infirm cardinal. There’s no way to prevent that. If the infirm cardinal were concerned about that but not privacy, he could ask all three infirmarii to witness the ballot.

There are also enormous social—religious, actually—disincentives to hacking the vote. The election takes place in a chapel and at an altar. The cardinals swear an oath as they are casting their ballot—further discouragement. The chalice and paten are the implements used to celebrate the Eucharist, the holiest act of the Catholic Church. And the scrutineers are explicitly exhorted not to form any sort of cabal or make any plans to sway the election, under pain of excommunication.

The other major security risk in the process is eavesdropping from the outside world. The election is supposed to be a completely closed process, with nothing communicated to the world except a winner. In today’s high-tech world, this is very difficult. The rules explicitly state that the chapel is to be checked for recording and transmission devices “with the help of trustworthy individuals of proven technical ability.” That was a lot easier in 2005 than it will be in 2013.

What are the lessons here?

First, open systems conducted within a known group make voting fraud much harder. Every step of the election process is observed by everyone, and everyone knows everyone, which makes it harder for someone to get away with anything.

Second, small and simple elections are easier to secure. This kind of process works to elect a pope or a club president, but quickly becomes unwieldy for a large-scale election. The only way manual systems could work for a larger group would be through a pyramid-like mechanism, with small groups reporting their manually obtained results up the chain to more central tabulating authorities.

And third: When an election process is left to develop over the course of a couple of thousand years, you end up with something surprisingly good.

This essay previously appeared on CNN.com, and is an update of an essay I wrote for the previous papal election in 2005.

Tags: ,

Posted on February 22, 2013 at 11:12 AMView Comments

All Those Companies that Can't Afford Dedicated Security

This is interesting:

In the security practice, we have our own version of no-man’s land, and that’s midsize companies. Wendy Nather refers to these folks as being below the “Security Poverty Line.” These folks have a couple hundred to a couple thousand employees. That’s big enough to have real data interesting to attackers, but not big enough to have a dedicated security staff and the resources they need to really protect anything. These folks are caught between the baseline and the service box. They default to compliance mandates like PCI-DSS because they don’t know any better. And the attackers seem to sneak those passing shots by them on a seemingly regular basis.

[…]

Back when I was on the vendor side, I’d joke about how 800 security companies chased 1,000 customers—meaning most of the effort was focus on the 1,000 largest customers in the world. But I wasn’t joking. Every VP of sales talks about how it takes the same amount of work to sell to a Fortune-class enterprise as it does to sell into the midmarket. They aren’t wrong, and it leaves a huge gap in the applicable solutions for the midmarket.

[…]

To be clear, folks in security no-man’s land don’t go to the RSA Conference, probably don’t read security pubs, or follow the security echo chamber on Twitter. They are too busy fighting fires and trying to keep things operational. And that’s fine. But all of the industry gatherings just remind me that the industry’s machinery is geared toward the large enterprise, not the unfortunate 5 million other companies in the world that really need the help.

I’ve seen this trend, and I think it’s a result of the increasing sophistication of the IT industry. Today, it’s increasingly rare for organizations to have bespoke security, just as it’s increasingly rare for them to have bespoke IT. It’s only the larger organizations that can afford it. Everyone else is increasingly outsourcing its IT to cloud providers. These providers are taking care of security—although we can certainly argue about how good a job they’re doing—so that the organizations themselves don’t have to. A company whose email consists entirely of Gmail accounts, whose payroll is entirely outsourced to Paychex, whose customer tracking system is entirely on Salesforce.com, and so on—and who increasingly accesses those systems using specialized devices like iPads and Android tablets—simply doesn’t have any IT infrastructure to secure anymore.

To be sure, I think we’re a long way off from this future being a secure one, but it’s the one the industry is headed toward. Yes, vendors at the RSA conference are only selling to the largest organizations. And, as I wrote back in 2008, soon they will only be selling to IT outsourcing companies (the term “cloud provider” hadn’t been invented yet):

For a while now I have predicted the death of the security industry. Not the death of information security as a vital requirement, of course, but the death of the end-user security industry that gathers at the RSA Conference. When something becomes infrastructure—power, water, cleaning service, tax preparation—customers care less about details and more about results. Technological innovations become something the infrastructure providers pay attention to, and they package it for their customers.

[…]

The RSA Conference won’t die, of course. Security is too important for that. There will still be new technologies, new products and new startups. But it will become inward-facing, slowly turning into an industry conference. It’ll be security companies selling to the companies who sell to corporate and home users—and will no longer be a 17,000-person user conference.

Tags: , , ,

Posted on February 22, 2013 at 6:03 AMView Comments

More on Chinese Cyberattacks

Wow, is this a crazy media frenzy. We should know better. These attacks happen all the time, and just because the media is reporting about them with greater frequency doesn’t mean that they’re happening with greater frequency.

Hype aside, the Mandiant report on the hackers is very good, especially the part where the Chinese hackers outted themselves through poor opsec: they logged into Facebook from their work computers.

But this is not cyberwar. This is not war of any kind. This is espionage, and the difference is important. Calling it war just feeds our fears and fuels the cyberwar arms race.

In a private e-mail, Gary McGraw made an important point about attribution that matters a lot in this debate.

Because espionage unfolds over months or years in realtime, we can triangulate the origin of an exfiltration attack with some certainty. During the fog of a real cyber war attack, which is more likely to happen in milliseconds, the kind of forensic work that Mandiant did would not be possible. (In fact, we might just well be “Gandalfed” and pin the attack on the wrong enemy.)

Sadly, policymakers seem to think we have completely solved the attribution problem. We have not. This article published in Computerworld does an adequate job of stating my position.

Those of us who work on security engineering and software security can help educate policymakers and others so that we don’t end up pursuing the folly of active defense.

I agree.

This media frenzy is going to be used by the U.S. military to grab more power in cyberspace. They’re already ramping up the U.S. Cyber Command. President Obama is issuing vague executive orders that will result in we-don’t-know what. I don’t see any good coming of this.

EDITED TO ADD (3/13): Critical commentary on the Mandiant report.

Tags: , , ,

Posted on February 21, 2013 at 12:54 PMView Comments

Age Biases in Perceptions of Trust

Interesting research (full article):

Abstract: Older adults are disproportionately vulnerable to fraud, and federal agencies have speculated that excessive trust explains their greater vulnerability. Two studies, one behavioral and one using neuroimaging methodology, identified age differences in trust and their neural underpinnings. Older and younger adults rated faces high in trust cues similarly, but older adults perceived faces with cues to untrustworthiness to be significantly more trustworthy and approachable than younger adults. This age-related pattern was mirrored in neural activation to cues of trustworthiness. Whereas younger adults showed greater anterior insula activation to untrustworthy versus trustworthy faces, older adults showed muted activation of the anterior insula to untrustworthy faces. The insula has been shown to support interoceptive awareness that forms the basis of “gut feelings,” which represent expected risk and predict risk-avoidant behavior. Thus, a diminished “gut” response to cues of untrustworthiness may partially underlie older adults’ vulnerability to fraud.

EDITED TO ADD (3/12): I think this result reflects the fact that older people discount the future more than young ones, and therefore are more willing to gamble on a good outcome. It makes sense biologically; they have less future ahead of them. We see the same thing in pregnancy; older mothers have a higher threshold for spontaneous abortion of a risky embryo than younger mothers.

Tags: , ,

Posted on February 21, 2013 at 7:24 AMView Comments

Fixing Soccer Matches

How international soccer matches are fixed.

Right now, Dan Tan’s programmers are busy reverse-engineering the safeguards of online betting houses. About $3 billion is wagered on sports every day, most of it on soccer, most of it in Asia. That’s a lot of noise on the big exchanges. We can exploit the fluctuations, rig the bets in a way that won’t trip the houses’ alarms. And there are so many moments in a soccer game that could swing either way. All you have to do is see an Ilves tackle in the box where maybe the Viikingit forward took a dive. It happens all the time. It would happen anyway. So while you’re running around the pitch in Finland, the syndicate will have computers placing high-volume max bets on whatever outcome the bosses decided on, using markets in Manila that take bets during games, timing the surges so the security bots don’t spot anything suspicious. The exchanges don’t care, not really. They get a cut of all the action anyway. The system is stacked so it’s gamblers further down the chain who bear all the risks.

Tags: , , ,

Posted on February 20, 2013 at 7:29 AMView Comments

19th-Century Traffic Analysis

There’s a nice example of traffic analysis in the book No Name, by Wilkie Collins (1862). The attacker, Captain Wragge, needs to know whether a letter has been placed in the mail. He knows who it will have been addressed to if it has been mailed, and with that information, is able to convince the postmaster to tell him that it has, in fact, been mailed:

If she had gone to the admiral’s, no choice would be left him but to follow the coach, to catch the train by which she traveled, and to outstrip her afterward on the drive from the station in Essex to St. Crux. If, on the contrary, she had been contented with writing to her master, it would only be necessary to devise measures for intercepting the letter. The captain decided on going to the post-office, in the first place. Assuming that the housekeeper had written, she would not have left the letter at the mercy of the servant—she would have seen it safely in the letter-box before leaving Aldborough.

“Good-morning,” said the captain, cheerfully addressing the postmaster. “I am Mr. Bygrave of North Shingles. I think you have a letter in the box, addressed to Mr.—?”

The postmaster was a short man, and consequently a man with a proper idea of his own importance. He solemnly checked Captain Wragge in full career.

“When a letter is once posted, sir,” he said, “nobody out of the office has any business with it until it reaches its address.”

The captain was not a man to be daunted, even by a postmaster. A bright idea struck him. He took out his pocketbook, in which Admiral Bartram’s address was written, and returned to the charge.

“Suppose a letter has been wrongly directed by mistake?” he began. “And suppose the writer wants to correct the error after the letter is put into the box?”

“When a letter is once posted, sir,” reiterated the impenetrable local authority, “nobody out of the office touches it on any pretense whatever.”

“Granted, with all my heart,” persisted the captain. “I don’t want to touch it—I only want to explain myself. A lady has posted a letter here, addressed to ‘Noel Vanstone, Esq., Admiral Bartram’s, St. Crux-in-the-Marsh, Essex.’ She wrote in a great hurry, and she is not quite certain whether she added the name of the post-town, ‘Ossory.’ It is of the last importance that the delivery of the letter should not be delayed. What is to hinder your facilitating the post-office work, and obliging a lady, by adding the name of the post-town (if it happens to be left out), with your own hand? I put it to you as a zealous officer, what possible objection can there be to granting my request?”

The postmaster was compelled to acknowledge that there could be no objection, provided nothing but a necessary line was added to the address, provided nobody touched the letter but himself, and provided the precious time of the post-office was not suffered to run to waste. As there happened to be nothing particular to do at that moment, he would readily oblige the lady at Mr. Bygrave’s request.

Captain Wragge watched the postmaster’s hands, as they sorted the letters in the box, with breathless eagerness. Was the letter there? Would the hands of the zealous public servant suddenly stop? Yes! They stopped, and picked out a letter from the rest.

“‘Noel Vanstone, Esquire,’ did you say?” asked the postmaster, keeping the letter in his own hand.

“‘Noel Vanstone, Esquire,'” replied the captain, “‘Admiral Bartram’s, St. Crux-in-the-Marsh.'”

“Ossory, Essex,” chimed in the postmaster, throwing the letter back into the box. “The lady has made no mistake, sir. The address is quite right.”

Nothing but a timely consideration of the heavy debt he owed to appearances prevented Captain Wragge from throwing his tall white hat up in the air as soon as he found the street once more. All further doubt was now at an end. Mrs. Lecount had written to her master—therefore Mrs. Lecount was on her way to Zurich!

Tags: , ,

Posted on February 19, 2013 at 12:52 PMView Comments

← Earlier EntriesLater Entries →

Sidebar photo of Bruce Schneier by Joe MacInnis.