Researcher Who Reported E-voting Vulnerability Targeted By Police Raid in Argentina

← Back to Stories (view on slashdot.org)

Researcher Who Reported E-voting Vulnerability Targeted By Police Raid in Argentina

Posted by Soulskill on Saturday July 4, 2015 @09:30AM from the stay-safe dept.

TrixX writes: Police have raided the home of an Argentinian security professional who discovered and reported several vulnerabilities in the electronic ballot system (Google translation of Spanish original) to be used next week for elections in the city of Buenos Aires. The vulnerabilities (exposed SSL keys and ways to forge ballots with multiple votes) had been reported to the manufacturer of the voting machines, the media, and the public about a week ago. There has been no arrest, but his computers and electronics devices have been impounded (Spanish original). Meanwhile, the information security community in Argentina is trying to get the media to report this notorious attempt to "kill the messenger." Another source (Spanish original).

9 of 116 comments (clear)

Min score:

Reason:

Sort:

Re:Gazillion votes by TrixX · 2015-07-04 09:41 · Score: 4, Informative

Just FTR, the group organizing this election is the government of the city of Buenos Aires. which is not run by the Kirchner but one of the opposition parties
Not kill the messenger ... by perpenso · 2015-07-04 09:47 · Score: 3, Insightful

If the researcher is not being arrested its not "kill the messenger". Impounding his equipment, the "evidence", is just a very rude way of getting his data on vulnerabilities and attacks. They could have asked. Then again perhaps they feared the "evidence" being tampered with, confidential sources and all that sort of thing. Again, rude, but a plausible path if such concerns were warranted.
1. Re:Not kill the messenger ... by Trax3001BBS · 2015-07-04 11:39 · Score: 3, Insightful
  
  So why would the next messenger bring any message?
  Because the next messenger would be smart enough to realize that if they have any electronic data more valuable than school assignment, video game save game files, selfies and letters to grandma then they should have offsite backups. Whether your data burns up in a fire, gets destroyed in a flood, gets stolen by non-government agents or impounded by government agents does not really matter; except that in the impounding case you might get it back. Back it up and there is much less to fear.
  And perhaps this first messenger has a backup too.
  In this case everybody has the information: "As reported Telam a specialist who preferred anonymity, which leaked on the web are "SSL certificates terminals that send data from the schools to the datacenter," which were published "on the site http: / /caba.operaciones.com.ar by poor settings on your servers. "" (translated version).
2. Re:Not kill the messenger ... by perpenso · 2015-07-04 11:59 · Score: 4, Insightful
  
  So why would the next messenger bring any message?
  Because the next messenger would be smart enough to realize that if they have any electronic data more valuable than school assignment, video game save game files, selfies and letters to grandma then they should have offsite backups. Whether your data burns up in a fire, gets destroyed in a flood, gets stolen by non-government agents or impounded by government agents does not really matter; except that in the impounding case you might get it back. Back it up and there is much less to fear.
  And perhaps this first messenger has a backup too.
  In this case everybody has the information: "As reported Telam a specialist who preferred anonymity, which leaked on the web are "SSL certificates terminals that send data from the schools to the datacenter," which were published "on the site http: / /caba.operaciones.com.ar by poor settings on your servers. "" (translated version).
  The desired "evidence" may be unreported information. For example things that make otherwise anonymous people less anonymous. Again, the researcher is not necessarily the target.
That's what happens when... by Krojack · 2015-07-04 09:51 · Score: 5, Insightful

You expose a backdoor that the current in-power government was going to use to win the election.
Re:Can we get some confirmation of this? by TrixX · 2015-07-04 10:36 · Score: 3, Informative

I can provide you with this english link. This has not been reported in english speaking media yet, sorry for not having something better but this is breaking news yet. https://gist.githubusercontent...
The inherent problem with electronic voting by Opportunist · 2015-07-04 11:46 · Score: 4, Insightful

There is one single very dangerous problem with electronic voting: Trust. People have to trust it, because they are unable to test it.
With paper and pen, it's easy. You can nominate anyone to work as an election monitor. The necessary qualification is "being able to find out where the X marks the spot" and "count". That's a skill set available to nearly everyone.
Working as an election monitor to rule out foul play with election machines requires someone to know quite a bit about computers. It's anything BUT simple to rule out foul play.
The danger here isn't even so much that manipulation can take place. And I don't even want to engage in the discussion whether or not these machines can easily be manipulated. The danger is that some populist aiming for the uneducated masses goes and cries foul play when he loses the election. And that's a danger not to some party but to the faith of the population in the whole democratic process. And that inherently is dangerous to democracy altogether.
It's not easy to debunk such claims. With paper, it's easy to go "oh please, count them yourself if you don't believe us. Here's the paper slips, and you can count, can't you?". Now try the same with election machines. Saying "you can do an audit yourself" isn't going to cut it. Why should we trust the computer experts? It's not something just anyone can do.
These machines are a danger to democracy. Nothing less.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
1. Re:The inherent problem with electronic voting by Opportunist · 2015-07-04 13:41 · Score: 3, Interesting
  
  But any party involved can (at least in my country, and pretty much all civilized countries I know of) nominate election observers that can easily identify whether everything's running correctly without any kind of special knowledge. They can easily tell whether the ballot is properly sealed, they can easily tell whether people step into the voting booth alone. They can easily find out whether the choice is free of influence. They can be present when the ballot seal is broken (actually, over here people are essentially locked in 'til the paper slips are counted, collected and sealed again, nothing going in or out in between) and when the paper slips are counted.
  It's pretty hard to manipulate anything in such an environment. It's easy to see whether someone tries to manipulate results since it takes little more than eyes to detect foul play.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
2. Re:The inherent problem with electronic voting by Guillermito · 2015-07-04 16:09 · Score: 3, Interesting
  
  The system used in Argentina has a paper trail. When a vote is casted the machine saves the voter's choice to an RFID chip inside the ballot and at the same time the same information is printed as human-readable text on the ballot. The voter can use a separate machine to read the RFID and verify that the information printed matches the information stored.
  The votes are counted at each polling station primarily using a RFID reader, but each political party can designate monitors to oversee the process. In case of doubts the votes can be re-counted using the printed information. When everyone present agrees on the totals, the results are sent to a central location where they are aggregated. Results from each polling station are made available online so each party can verify that the totals add up correctly.
  As a final step, 5% of the polling stations are randomly selected the week after the election and votes are manually re-counted using the paper trail. This is done in the presence of monitors from the different parties. This is the second time this system is used. The first time the audit of the 5% of the polling stations showed no differences.
  I think there is a bit of exaggeration on these reports since even if the software is vulnerable, the system as a whole can be verified. The police raids can be explained since some of these "researchers" made available a list of all the employees of the company supplying the voting machines including phone numbers and addresses in an attempt to prove the incompetence of that company