
Security quotes of the week

This is the reason actual cryptographers and security engineers are very skeptical when a random company announces that their product is "secure." We know that they don't have the requisite security expertise to design and implement security properly. We know they didn't take the time and care. We know that their engineers think they understand security, and designed to a level that they couldn't break.

Getting security right is hard for the best teams in the world. It's impossible for average teams.

Bruce Schneier

Anyway, elections are a very tricky problem to do securely. It is a nearly impossible task. But there are lots of things that you clearly should not do, and for some reason, the e-voting manufacturers seem to want to do all of them, and don't seem particularly apologetic about any of it. And, while in the past the idea of hacking an election may have seemed far-fetched and conspiracy-minded, these days... not so much. This is a key issue concerning our democracy, and the most incredible thing is how flippant many people are about all of this. Computer security professor Matt Blaze, who knows more about any of this than anyone reading this, points out that "in the more than quarter century I've been doing computer security, I've never encountered a problem space nearly as difficult or complex as civil elections."

And yet, we're letting people who don't understand even the slightest bit of the problems and challenges run the show. What a mess.

Mike Masnick


Security quotes of the week

Posted Jul 19, 2018 16:30 UTC (Thu) by smitty_one_each (subscriber, #28989) [Link] (9 responses)

I serve as an election officer in my county.
The ultimate security constraint is the secret ballot.
Other security constraints are hugely important, but if you lack the confidence to vote your conscience because there is no way to tie a specific ballot to you, then the election is moot.
All of the shiny ideas about automating elections (that I've ever heard of) seem to end up making it possible to tie the ballot casting to the individual.
Too, there are some technologies, like a paper ballot, that provide advantages that are too often poo-pooed by technical people.
Trading immediate feedback for certain aspects of security could be a reasonable tradeoff, folks.

Security quotes of the week

Posted Jul 19, 2018 19:42 UTC (Thu) by tome (subscriber, #3171) [Link] (7 responses)

Followmyvote (https://followmyvote.com/online-voting-platform-benefits/) claims that

"Our end-to-end online voting platform provides a way for the voter to follow their vote into the ballot box to ensure their vote was cast as intended and counted as cast. It also provides the voters transparency into the ballot box as a whole to ensure the election results that are being reported are truly accurate. Elliptic curve cryptography technology keeps the voting process secure, while protecting each voter’s right to privacy within the system."

and that using this platform, a voter

"submits their ballot to a secure blockchain based ballot box, while retaining anonymity and ballot secrecy."

Superficially that all sounds just about perfect, though

1) I don't know if that ballot secrecy includes privacy from the eyes of platform administrators,

2) I haven't taken the time to verify these claims, and to do so would be very non-trivial and I haven't even started, and

3) the Matt Blaze quote might lead one to suspect it's full of holes.

So I'm curious what others have to say who know more about this stuff in general and Followmyvote in particular.

Security quotes of the week

Posted Jul 19, 2018 22:35 UTC (Thu) by smitty_one_each (subscriber, #28989) [Link]

Irrespective of the system advertised, you still have another system (at least in my locale) managing the poll book. If there is evidence outside of the ballot management system itself that can be correlated, even if by brute force attacks, we can expect it to occur.

Too, the insider threat cannot be eliminated.

This may be an example of a system with a requirement to sub-optimize itself by using a non-technical component, in support of a non-technical security requirement.

#NedLuddForever

Security quotes of the week

Posted Jul 26, 2018 0:07 UTC (Thu) by mstone_ (subscriber, #66309) [Link] (5 responses)

Yeah. So the problem with all of these "verify your vote" schemes is that it becomes possible to pay people for votes. Given the margins in elections around here, it would be *much* *much* cheaper to pay a relatively small number of people $100 or $1000 for a proven vote than it is to run a competitive campaign.

This is an actual thing, and it's why we have the secret ballot system that we have.

Also, since they mention blockchain, it's snake oil.

Security quotes of the week

Posted Aug 7, 2018 18:50 UTC (Tue) by bfields (subscriber, #19510) [Link] (3 responses)

Can't you mitigate by allowing people to change their vote? Then they can sell their vote and still go home and cast a new ballot for whoever they really want. That's not perfect, but it might make the vote-buying attack no longer worth risking jail for.

Security quotes of the week

Posted Aug 8, 2018 21:04 UTC (Wed) by nix (subscriber, #2304) [Link] (2 responses)

Yeah: the problem is that this is vulnerable to the opposite attack. You vote, go home, and shortly before the vote closes your village chief / abusive husband / local crimelord / evil twin sister (delete as applicable) is waiting at the door saying "you voted your way, now you're going to change the vote to vote the way *I* want you to."

(Sure, you could change it again -- but that's why this is done just before the vote closes. They stay with you to assume unchangingness until the vote has closed...)

Security quotes of the week

Posted Aug 14, 2018 18:17 UTC (Tue) by bfields (subscriber, #19510) [Link] (1 responses)

That's exactly what I was thinking of when I said "it might make the vote-buying attack no longer worth risking jail for." An attack that requires personally monitoring all of the voters whose votes you bought at the time of poll closing doesn't seem like it would scale to a level where it mattered.

But I'll admit I was imagining basically a single rogue actor. The "attacker" could be more pervasive (like husbands acting to protect a patriarchal system).

Security quotes of the week

Posted Aug 16, 2018 10:03 UTC (Thu) by nix (subscriber, #2304) [Link]

The classic cases here are village chiefs ordering everyone in the village to vote one way, and bosses ordering their underlings likewise. In both cases there aren't enough bad actors, *but* they usually have lots of people they can hire or convince to do some, uh, watching-and-threatening duty for one day. Whether this is too expensive depends on the cost of labour, I suppose. (I'm just guessing in the absence of data by this point.)

Security quotes of the week

Posted Aug 9, 2018 0:45 UTC (Thu) by nybble41 (subscriber, #55106) [Link]

> So the problem with all of these "verify your vote" schemes is that it becomes possible to pay people for votes.

Not *all* of them. Consider this scheme: Each choice on each ballot is secretly associated with a unique code. You record the code for your choice on a separate piece of paper and place that paper in the ballot box, optionally keeping a copy of it for later verification. The page with all the codes on it is then destroyed. If you want to "prove" that you voted a different way, you record the code for that choice and then request a new ballot (without putting anything in the box). The first ballot is set aside. When the voting period is over all of the codes in the ballot boxes *and* all of the codes on the discarded ballots are shuffled together and publicized, along with the choices they represent—since the discarded ballots include one code for each choice these extra codes do not favor any particular position and can simply be subtracted from the final tally. Anyone who wishes to verify their vote can check that their code is present and associated with the correct choice. However, only the voter knows whether the code they recorded was the one they actually submitted or the one on the discarded ballot. To an aspiring vote-buyer these appear identical, but only the real code increases the tally for that choice relative to the other options.

Security quotes of the week

Posted Jul 23, 2018 15:40 UTC (Mon) by iabervon (subscriber, #722) [Link]

I don't think you can consider any of the constraints "ultimate"; it's easy to provide a secret ballot if you don't care about accuracy, by not counting them. It's only a hard problem if you insist on all of the properties together.

The system used in my district is actually pen on paper, with an optical scan machine that (a) counts the votes so they can announce provisional results and (b) tells you to try again if the ballot isn't valid or has stray marks. After the election, they can just count the ballots that didn't get rejected by hand if there's any question as to the accuracy of the results.

The main issue with paper is how you handle having one blind person in the district; I believe we let each blind person have a trusted assistant as the best available compromise, but I don't really know the details.

The UK system

Posted Jul 26, 2018 20:26 UTC (Thu) by Wol (subscriber, #4433) [Link] (2 responses)

means that votes COULD be traced, but would need a serious insider attack.

When you turn up at the polling station, you are given a ballot, and the serial number is recorded on the voter list. The completed ballot is placed in a sealed box.

When the voting station closes, the voter list goes in one direction to secure storage. The ballot papers go off to the town hall to be counted. That is the LAST time the voter list and the ballot papers are in close proximity.

So to find out how someone voted you need to (a) know their voting station, (b) gain access to the voter lists, and (c) be able to search through the ballot papers to find their ballot. Do-able, but far from trivial.

Cheers,
Wol

The UK system

Posted Jul 26, 2018 23:09 UTC (Thu) by ErikF (subscriber, #118131) [Link]

The Canadian system also has serial numbers on the ballots, but it is the DRO's (deputy returning officer's) responsibility to remove the counterfoil, so there should be no way of tracing a vote to a voter once the ballot has been cast. IMO, this is as private as you can probably get, while still preventing fraud.

The UK system

Posted Jul 27, 2018 9:36 UTC (Fri) by excors (subscriber, #95769) [Link]

It has to be considered in context too - probably any basic non-terrible voting system would be considered trustworthy* in the UK (ranked 8th best in the Corruption Perceptions Index), but would suffer from alleged widespread interference in, say, Pakistan (ranked 117 out of 180).

(* ignoring a few lunatics saying you should use pen instead of pencil, else MI5 will rub out your mark and change your vote)

If you don't have a society that strongly respects and enforces laws, and a free press that will investigate abuses and push for action to be taken even against the government's wishes, then I suspect no brilliant technical solution for voting will really be good enough. If you do live in a good society, you should be alright as long as you avoid pathetically bad technical solutions (like, say, most current electronic voting systems).


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds