Experts Find Serious Problems With Switzerland's Online Voting System

An anonymous reader quotes a report from Motherboard: Switzerland made headlines this month for the transparency of its internet voting system when it launched a public penetration test and bug bounty program to test the resiliency of the system to attack. But after source code for the software and technical documentation describing its architecture were leaked online last week, critics are already expressing concern about the system's design and about the transparency around the public test. Cryptography experts who spent just a few hours examining the leaked code say the system is a poorly constructed and convoluted maze that makes it difficult to follow what's going on and effectively evaluate whether the cryptography and other security measures deployed in the system are done properly.

"Most of the system is split across hundreds of different files, each configured at various levels," Sarah Jamie Lewis, a former security engineer for Amazon as well as a former computer scientist for England's GCHQ intelligence agency, told Motherboard. "I'm used to dealing with Java code that runs across different packages and different teams, and this code somewhat defeats even my understanding." She said the system uses cryptographic solutions that are fairly new to the field and that have to be implemented in very specific ways to make the system auditable, but the design the programmers chose thwarts this. "It is simply not the standard we would expect," she told Motherboard. [...] It isn't just outside attackers that are a concern; the system raises the possibility for an insider to intentionally misconfigure the system to make it easier to manipulate, while maintaining plausible deniability that the misconfiguration was unintentional. "Someone could wire the thing in the wrong place and suddenly the system is compromised," said Lewis, who is currently executive director of the Open Privacy Research Society, a Canadian nonprofit that develops secure and privacy-enhancing software for marginalized communities. "And when you're talking about code that is supposed to be protecting a national election, that is not a statement someone should be able to make." "You expect secure code to be defensively written that would prevent the implementers of the code from wiring it up incorrectly," Lewis told Motherboard. But instead of building a system that doesn't allow for this, the programmers simply added a comment to their source code telling anyone who compiles and implements it to take care to configure it properly, she said.

The online voting system was developed by Swiss Post, the country's national postal service, and the Barcelona-based company Scytl. "Scytl claims the system uses end-to-end encryption that only the Swiss Electoral Board would be able to decrypt," reports Motherboard. "But there are reasons to be concerned about such claims."

Convoluted design = security

[Ecuador]

Surely, the more convoluted a software design is, the more secure it is. And inability to audit is always extra security.
We are talking about job security, right?

Re:Convoluted design = security

[K.+S.+Kyosuke]

There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. I guess they picked the latter way.

Re: Convoluted design = security

This is just the latest iteration of java that sane programmers abandoned 20 years ago, so instead of 20 files 4 years ago now it's x4x4 and becoming unmanagable, at least for outsiders. It is Cobol2.0.

Why the complexity?

I fail to understand why online and even electronic voting systems would be so complex. They should all be simple, transparent, and open source. Why the need for "Leaked software"? They should be following the airplane rule with these kinds of things.

Re: Why the complexity?

It was opensource(in the source code is available sense) anyways. Leaks added to article for drama. https://www.post.ch/en/business/a-z-of-subjects/industry-solutions/swiss-post-e-voting/e-voting-source-code?shortcut=evoting-sourcecode

Re:Why the complexity?

[Sique]

Because electronic voting systems are inherently not capable to perform what they are supposed to do. Voting has to be equal (every vote has to be counted the same, only eligible voters can vote, but no one eligible must be disenfranchised), secret (no one can be compelled to reveal his vote) and accountable (it must be possible to prove the correctness of the ballot casting and the count). Because in general, you can't prove the correct count in a computer without tracking individual votes, you always run into danger of revealing individual votes in the process. So you have to tack additional layers onto the casting-and-counting system with different levels of privileges, which makes voting systems inherently complex and complicates audits. And to warrant secrecy while at the same time warranting accountability in principle, you have to use processes which can only be understood by specialists, which in turn makes audits less accountable, as the normal citizen has to trust the expertise and goodwill of the auditors.

Re:Why the complexity?

[Sique]

To make the difficulties more clear, here is a list of of problems to solve:

• How can you be sure it's an eligible vote and not just some vote signed by someone ineligible with access to the secret key (e.g. sysadmin, successful attacker)?
• If you can prove the vote is eligible, how can you preclude its connection to an individual voter?
• If you can connect it to an individual voter, how can you keep the actual vote secret?
• How can you prove that a vote is counted correctly, if the vote is secret?

And no, the answer is not simply "with cryptography and blockchain". How exactly are you using cryptography and blockchains in this case?

Re:Why the complexity?

[guruevi]

It's relatively simple to keep track of two datasets (a voter roll and the votes) and prove that your code authenticates the other without having them massively intertwined in code. There should be a very simple bridge between the two that is heavily documented and even someone with minimal coding skill can read.

We know why there is no company that wants to make such simple code, it is not in the best interest of a large government contractor to have fair and honest elections, typically companies are associated with people and parties and changes in that person or party threatens their paycheck.

Re:Why the complexity?

[Sique]

You aren't allowed to connect voter roll and votes directly, otherwise you would be able to reveal how someone has voted, as their vote can be traced back to the voter.

Re:Why the complexity?

[Sique]

Another problem: If you count immediately when someone casts a vote, then this reveals how the person has voted. If you don't count immediately, you have to store the votes and prove that they don't get altered. At the same time you have to keep the vote secret, and still you have to prove afterwards that it gets counted correctly without knowing what it actually contains.

Re:Why the complexity?

[guruevi]

You don't, keep track of them in a database, but one still has to authenticate the other cryptographically both at time of voting and at verification of the voting without revealing your vote to a third party. There are several papers that have various proofs of concept that would be (relatively) simple to implement.

No shit

[rsilvergun]

who thought this was a good idea? In 2016 Russia was able to significantly interfere with US elections and we're several times their size. China and Iran are doing the same. This is just nuts. Mail paper f'n ballots already. They work, they're secure, and they can't be hacked over the bloody internet.

Re:No shit

[LynnwoodRooster]

I am with you on paper ballots. We also need proof of ID, as most nations around the world require. But Russian hacking of the election? I know it's been claimed, but outside some questionable ads and social media trolling - did they actually affect the vote tally?

Re:No shit

" In 2016 Russia was able to significantly interfere with US elections "

How? With 4000$ worth of Twitter trolls? Your country must be very weak.

Re:No shit

This is a lie. They bought $200 000 worth of ads on Bookface and other social media platforms and played both sides of the fence.

Coca Colas social media spend dwarfs the so called Russiagate attempt by100's of million of dollars.

Get your head out of your arse and stop lying.

Re:No shit

[arglebargle_xiv]

the Barcelona-based company Scytl, which was formed by a group of academics who spun it off of their research work at the Universidad AutÃnoma de Barcelona

That's why. It's academic-grade code, which means it's (a) incredibly, massively, unnecessarily complex, (b) at a most charitable level, "experimental code", and (c) has been run on a single test case by a caffeineated grad student at 3am. Never, ever, ever put academic-grade code into production even if it's for use in a benign environment. If you're expecting serous attacks on it, make sure you're in another country when it's actively deployed.

Re:No shit

[arglebargle_xiv]

Although Swiss Post claims the system has undergone three audits by auditing giant KPMG

Oh, and there's another problem: You get your code audited by an accounting firm if you need to say you've passed an audit, not if you want to detect vulns in it.

Still reading, but it looks like a howto on how not to build a secure product. I expect the Verge will do a voting system build video on it in the near future.

Re: No shit

Academic code quality varies between poor and the best of commercial code. You can't a priori assign this code to a particular grouping without an audit.

Re:No shit

We also need proof of ID

Unfortunately everyone who is trying to bring in such legislation limits it to forms of identification that are only used by their own voters.
Such a legislation needs to come together with a method to provide every voter with suitable ID.

Not that I am particularly worried about that.
The big problem is like in North Carolina where someone changes the votes of thousands or throw away undesired votes.
Generally a few people voting illegally doesn't change the outcome of the election. You'll get a couple of fraudulent votes for each candidate and it sort of evens out.
It is a problem when the election is very close but that seldom happens and the problem isn't really with the election system in that case.
The problem is a "winner takes it all" system.

If we don't make a difference between someone winning with 51% of the votes and someone winning with 90% of the votes then there is not really any room for compromises.
When someone wins with 51% of the votes then it is pretty clear that the people wants a little bit of both.
If someone wins with 90% then clearly the people wants nothing to do with the other side.

In a system that handles that distinction we wouldn't really need to worry about a couple of fraudulent voters because it shouldn't matter that much if someone gets 49% or 51%.

Re:No shit

[rtb61]

ID is a waste of time and money, simply take their photo when they ID themselves, the number of votes is inconsequential and the penalties quite severe. Just make sure everyone who votes illegally is penalised. You could just video record the entire event from various locales and you are done, every polling station. To kick it up a notch, make it a responsibility of every adult citizen to vote, compulsory elections, makes the government work harder at making them accessible.

Elections are about people and not computers, people should be involved as much as possible. Hold the elections on the weekend, allowing charity events at polling stations, get people involved in the count, make it an important social event.

Re:No shit

[AmiMoJo]

Problem is that proof of ID requirements are always abused to stop people voting. On balance there is so little fraud that it's usually better to have higher participation than to worry about a tiny and mostly irrelevant problem.

The Russian election hacking was all directed at voters, not the hardware. The DNC hack, for example, and the timing of the release of those emails.

Re:No shit

[LynnwoodRooster]

So Canada, Germany, Mexico, the UK, Australia all abuse voter ID requirements to stop people from voting? As far as I can tell, it only keeps people who cannot prove their citizenship from voting. What's the problem?

Re:No shit

[AmiMoJo]

In the UK you have to register to vote once, but that's it. At that time you need a national insurance number, which everyone is assigned at age 16. You don't need to show ID when you go to vote, just state the address you registered at and your name. There is no check done, you are simply marked off a register.

There was an attempt to requite some kind of check at the polling station, but there has been a lot of push-back because we saw what happened in the US.

Re:No shit

[LynnwoodRooster]

Really? Is that why there an uproar about the expanding requirement for voter ID in the UK? And what about our neighbors - Canada and Mexico?

Not to mention even VOX (not really a right-wing site) admits that voter ID laws do not suppress turnout. Yes, CONVICTIONS for voter fraud are few, but there is a growing list of actual voter fraud convictions. If the vote is so sacrosanct and important, why let ANYONE be disenfranchised by an illegal vote?

Re:No shit

[AmiMoJo]

Yeah that's what I was referring to. They did a pilot, there was outrage... Hopefully it gets killed off.

Obligatory C. A. R. Hoare quote

[Ichijo]

"There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult."

BORK BORK BORK

Meatballs! Spaghetti code!!!

BORK BORK BORK

Who cares about encryption

It's a voting system. Encryption is irrelevant. What matters is integrity and authenticity.

Re:Who cares about encryption

[roc97007]

It's a voting system. Encryption is irrelevant. What matters is integrity and authenticity.

Enh well... My understanding is, voting should be (a) secret and (b) authenticated to a given person. To do both you kinda need encryption. I do agree that integrity and authenticity are the parts that seem to be missing.

Reminds me of the old Russian joke. At election, peasant woman arrives, is given ballot in envelope, shown ballot box.
Peasant woman starts ripping open envelope. Guards stop her, ask what is she doing? She says, wants to see who she's voting for.
Election official says "Nyet, nyet! This is SECRET ballot!"

Badum-bum

Re:Who cares about encryption

To do both you kinda need encryption. I do agree that integrity and authenticity are the parts that seem to be missing.

no, it's there. the bad design is just incompetence, but their algorithms do guarantee integrity and authenticity. if deployed right, the voter himself can identify his vote in the ballot box (i.e., counted) without giving away any privacy. there's no doubt of that if you go over the math.

the quality of the software implementation, of course, is a different matter. i worked there, i implemented part of it. it was a mad house. no political corruption whatsoever, though.

Re:Who cares about encryption

no, it's there. the bad design is just incompetence, but their algorithms do guarantee integrity and authenticity.

No. Not all encryption algorithms provide authenticity, and none on their own provide integrity.

Learn to use the shift key. Learn to stop lying. Learn a little about security before posting again.

It's full of holes?

[jfdavis668]

Like some other Swiss products?

Re: It's full of holes?

That's why they opened it up for public pentesting ;) https://www.post.ch/en/business/a-z-of-subjects/industry-solutions/swiss-post-e-voting/e-voting-source-code?shortcut=evoting-sourcecode

Re:It's full of holes?

Being full of holes is part of transparency - so you can see whats inside, nothing is hidden. Do you have something to hide?

Re:It's full of holes?

My victorinox knife has to have holes, it is where the accessories are inserted.

Re:It's full of holes?

[jfdavis668]

Also useful for punching holes.

There's too much at stake

[roc97007]

I don't see online voting as ever not being corrupt, except perhaps momentarily, by accident. There's just too much at stake in an election, and the payoff for being able to manipulate the results is too high. BTW, the place to start if you're going to corrupt an online voting system is in the software writing stage. Make it really convoluted so that the attack vectors can't easily be found.

Elections with paper ballots can still be influenced (for instance, accidentally dumping cartons of ballots from precincts with generally the "wrong" political leaning, something that happened recently in my area) but I think it's harder to do, and easier to get caught.

Re:There's too much at stake

[AmiMoJo]

Better to target voters than voting machines. If you tamper with voting machines/online voting and it gets detected, it's going to de-legitimize the result and probably result in a re-run.

If you go after the voters people will just argue that it had no effect or that it's protected speech and do everything they can to resist investigation or a do-over. Essentially you got people invested in their own manipulation.

Re:There's too much at stake

[david_thornley]

Where I live, the voting machines count paper ballots. That gives an approximate count right off, which is good enough for all but the closest elections. There will be some precincts randomly chosen for hand counts to verify the voting machines. The result is that, if someone ditched a carton of ballots, the numbers would be way off and the meddling detected.

Obligatory xkcd, and why it's nonsense

[Ashthon]

Somebody will inevitably post this xkcd:

https://xkcd.com/2030/

However, it's not a remotely valid comparison. They're comparing planes and buildings operating under normal circumstances with software being attacked by a malicious actor. Software is actually far more robust than aeroplanes and buildings when faced with a malicious attack.

An unskilled person can easily destroy an aeroplane or demolish a building. We saw this on 9/11, when a few people equipped with nothing more than pen knives were able to destroy multiple planes, bring down two buildings, kill thousands of people and do billions of dollars worth of damage. When faced with an attack by a malicious actor both the aviation engineers and the civil engineers failed utterly.

Meanwhile, an electronic voting system would stand up far better to a malicious attack. While an unskilled person can easily bring down a plane, the same unskilled person would have no clue how to circumvent an electronic voting system. With an online voting system like this Swiss one, the best an unskilled person could do is click around a bit on the website, and achieve precisely nothing. Even a skilled person would have trouble circumventing an electronic voting system, and it would likely require considerable research, extensive planning and effective execution.

So, contrary to what the xkcd comic says, aviation engineers and civil engineers are crap at their jobs, and an unskilled attacker with a pen knife can destroy their "safe" products. Meanwhile, software engineers are far better at their job, and an unskilled attacker would be powerless to circumvent their work, while even a skilled attacker will struggle.

Right, I'm glad I could get that off my chest, because that xkcd comic annoys me every time I see it.

Re:Obligatory xkcd, and why it's nonsense

[Ecuador]

Hmm. I don't know where you work, but the world is full of crappy software developers. Bad aircraft design will not go unnoticed, but bad software is the norm. I can tell you a couple of obvious bugs on almost every software I use daily. And it will only get worse - e.g. web designers pick up on js, and then find out they can do backend suddenly etc. Have you ever been in an interview process for a developer position? It is crazy how bad some developers are, and they come from banks, the government, automotive industry etc (the examples where not actually random) and when you reject them, they have no trouble finding their next gig!
And security is nowhere close to being a field that is free from bad practices / bad developers - I'd say it is the opposite. Even simple concepts like monthly changes to passwords lead to insecure passwords etc seem to elude most "security professionals". And the voting machine space... that's probably the worse and the most dangerous. Yeah, the thought does terrify me - especially the closed machines some US states use - the xkcd comic is right on point I think.

Re:Obligatory xkcd, and why it's nonsense

When faced with an attack by a malicious actor both the aviation engineers and the civil engineers failed utterly.

That was nonsense too.

The planes did not fail; they flew perfectly until they crashed into the buildings. You're not clever.

The buildings failed as they were designed to: vertical collapse, most material being contained within the sides of the external structure. Would you be happier if they had tipped over, like monstrous Red Wood trees? You're especially not clever here. Leave Engineering to the engineers.

Obligatory xkcd. Always not clever, this is... Oh fuck it.

Re:Obligatory xkcd, and why it's nonsense

[Immerman]

The big difference is that physical malicious attacks are unlikely and expensive, and so defending against them normally only makes sense if you're dealing with something very valuable or dangerous. The initial 9/11 attacks succeeded only because it was official policy to comply with terrorists so everyone could go home safely at the end of the day. Once people realized what was going on, later attacks failed as crew and passengers fought back.

In contrast, digital attacks are so cheap and easy to perform from anywhere in the world that they are an inevitable unending background against which all software is developed. If you are designing software where security matters, then securing against regular well-funded attacks by experts working for hostile governments, organized crime and other special-interest groups is just the reality you have to deal with. If you aren't well-versed in how to do that, and still write software where security matters, then you are bad at your job - no matter how good a developer you are in contexts where security doesn't matter.

Re:Obligatory xkcd, and why it's nonsense

[david_thornley]

If I want to use a low-tech method of crashing a plane, I have to get on the plane, and can crash at most one plane. If I want to use a method to subvert an Internet voting system, I can sit in another country and subvert an entire system.

Use paper

[AHuxley]

Everyone votes on the day with paper.
No mass use of postal votes. Go vote. Vote at a hospital.
Make block voting It gets counted by hand in front of witnesses, gov officials and people selected by political parties.
They all see the count and numbers. The local, regional, national tally is added in front of people.
The numbers match local to city to nation.
Why the secretive rush to computer systems?
Who needs to sway the Swiss elections and referendums by pushing electronics?
Stay with paper and the citizens vote counts.
Every citizen can then be reassured their vote is counted and their views on a referendum are correct.
No think tank, other nation, NGO, security service can sway the vote digitally during the vote.

Give the Swiss their vote back.

Re:Use paper

God shut up idiot.

Re:Use paper

[drinkypoo]

" Vote at a hospital."

Not only don't I want to go near to a hospital if I'm not already sick, since they are full of illness, but having people go there for reasons other than medical care can impede medical care. Voting should be done at fairgrounds, stadiums and the like. They are designed for traffic, and events are easily scheduled away from voting day (which should be done anyway so as not to compete with the vote.)

It's the Colossal Cave Architecture

[mveloso]

"You are in a maze of twisty passages, all alike."

In short, it's too complicated for this person to understand, which is not saying that it's insecure. They're basically saying that it's un-auditable by this particular individual.

The question is, was that part of the requirements? I mean, most computer systems are incomprehensible to managers, but management understanding isn't generally a requirement.

Which cryptosystems?

[bill_mcgonigle]

She said the system uses cryptographic solutions that are fairly new to the field and that have to be implemented in very specific ways to make the system auditable, but the design the programmers chose thwarts this

One way to interpret this is "our auditors don't understand what's going on in this code".

Is the spec public?

trust

[e**(i+pi)-1]

e-voting will almost certainly remain impossible to implement in a way that it is secure, autitable and trusted by the population.The last point is the most important one so that democracy works. Security through obscurity does not help. But even if there should be a secure, and auditable and intelligable system, how can one be sure as a voter that this system is really used in the end. How can one audit, whether the data are not tempered with, independent of that secure system? Again, even if there is an audit trail, how can make sure that it so simple that can be understood. There appears currently only one way to make sure that voting is secure and this is to have a paper trail which can be audited by many, also by non-experts and which is more difficult to temper with just because of the physical presence of the paper.

Paper ballots, tracked, counted, verified, paper

Meanwhile in extremely related news, North Carolina's 9th district is provably fraudulent, because all those paper write-in ballots the GOP collected and completed/destroyed/altered had the same people writing the same fake signatures on them, mailed in batches by the same people passing the same cameras. Over and over and over again, the same handwriting.

It's not just that a few witnesses tell investigators they were paid to collect those ballots. There is a paper trail proving the fraud.

Paper ballots, watched by all candidates, counted in front of all candidates is the only solution.

I see his son is now publicly telling people he warned his GOP dad that it was a felony to do this.... he's a lawyer, he's throwing his dad under a bus so that he isn't arrested on a conspiracy charge for not telling the FBI of the crime. He's not an idiot, he knows there is massive documentation of the voter fraud if anyone looks.

https://abcnews.go.com/Politics/video/son-north-carolina-congressional-candidate-warned-absentee-votes-61199843

Digital Age Asshats

You need one "file", and a blue or black pen. The Post Office will take care of the rest. If you don't know who the (here) President is for a couple days what's the difference? The country will stumble on regardless.

In a secular society the ballot vote is the only sacrament. That's why so many want to get rid of it.

Internet voting is broken even if it is secure

[Frankie70]

Internet voting breaks secret ballot. If you are being bribed or threatened into voting for someone & you are voting at booth, then you can vote for anyone without the perpetrator knowing who you actually voted for.

Internet voting, OTOH, doesn't ensure this - the briber or the "threatener" will be looking over your shoulder when you are e-voting.

Re:Internet voting is broken even if it is secure

[Mateorabi]

While it's a concern, this is also a weakness of the existing absentee ballot. (Or they can just demand you hand over the ballot and do it themselves.) See also: some organizations holding "lets all get together and fill out our ballots together; there will be cake" "voting parties". Also, cell phone cameras exist. And while voting-booth selfies are usually not allowed, it'd be difficult for the voting judges to catch someone taking a quick snapshot. The person just has to be nearby enough to make sure you then don't spoil the ballot and ask for a re-do before scanning it/dropping it in the box.

But still, yeah, never internet vote. Not even once. Other methods don't scale well. To use a fraudulent identity, for each single vote someone would be re-breaking the law, in person, and re-risking getting caught. But with internet voting it just takes one success and they can get a tremendous number of votes, and be far away in the process.

Re: Internet voting is broken even if it is secure

But its hard to threaten 1000s of people that way, most large votes aren't that close, so it's better to be pragmatic, worse than for a democracy is inflexible voting options, I work, emergencys, etc

Cheaper than possible coding

[gweihir]

This is just one of the effects of the ongoing race-to-the-bottom in programmer cost. At some point, things are so bad that they can just be thrown away.

Dear MBA-morons: Get it in your heads that writing good code is vastly more difficult than anything you could ever hope to do in your lives and that this makes the people that can do it expensive and rare. Also remember (as you should have learned) that a project producing an inadequate result is vastly more expensive in its TCO as one that uses more expensive personnel, but produces an adequate result.

Re:Cheaper than possible coding

Dear Brainiac,

we don't care what you think. We are in it only for personal benefits of corporate structure climbing and couldn't give less fuck about morons like you who we've successfuly duped into thinking we care. Now be a good boy and fuck off back to work, if i see you didn't reach the 'performance' level we set on meeting last month, your inadequate ass is so outta here.

Sincerely,
Your friendly MBA overlord

Re:Cheaper than possible coding

[gweihir]

You think I am easy to replace? I am not. But you are a dime a dozen and all equally incompetent.

Keep it simple stupid

Give everyone a public key encryption, have them encrypt their vote with the governments public key, email the vote

Auditable

[DrYak]

Surely, the more convoluted a software design is, the more secure it is. And inability to audit is always extra security.
We are talking about job security, right?

The thing which makes this joke even more bitter is that here the voting tools are required to be autidable by design.
Any citizen could go and check that the counting of booth votes, or of postal votes is going as it should.
(While at the same time enforcing privacy: there shouldn't be a way for a potential repressive adversary to use the system to spy who voted what. Though the current implementation of remote voting over post has a few potential failure points, and relies on everybody along the chain accomplishing their duty... though again, any citizen is supposed to be able to come and check that it's indeed the case).

The current mess that is used in the few pilot e-voting experience is the exact opposite of that.
  - non opensource components (mostly criticized by groups such as linux users, freesoftware advocate, etc.)
  - extremely complex know-how required to understand what's going on (anybody can understand paper ballot being tallied, not everybody understands the cryptography behind the e-voting system).

On the other hand, we're a direct democracy: there are already people doing bottom-up actions trying to move things forward and get the problem solved.
The meta joke being that the proposal in questions to fix the e-voting system, will partially be voted for using the currently broken e-voting systems.

terminology?

Team? Wiring? Configured? Who are these people.

TFA is crap

[bradley13]

I don't know anything about the system, but what kind of statement is this, from Lewis (the primary person interviewed):

"Someone could wire the thing in the wrong place and suddenly the system is compromised."

That's true of any security protocoll I can imagine. Anyway, "wire the thing in the wrong place"? This is the way a supposed security professional describes software vulnerabilities?

Then Matthew Green (the other person interviewed) says: "At this point I think the only appropriate way to evaluate it is through a professional evaluation by someone trained in this sort of advanced cryptography." Well, as it happens, even TFA states "the system has undergone three audits by auditing giant KPMG - among them an audit of the end-to-end encryption". So what problem is he pointing out again?

In addition the code is available to anyone who wants it, and there's now a public penetration test, which lots of people are signing up for. Seems like they're doing everything right. So back to Lewis, who says "Even if you sat down and read every line and determined everything was good, the code still wouldn’t pass the bar for being good code." Um...so good code is not good? Huh?

Again, I know nothing about the voting system being discussed - maybe it's good, maybe it's not. But TFA is just crap, and we have two security researchers who either don't know what they're talking about, or else they have some personal agenda in play.

I know what's missing

[Chelloveck]

It needs more blockchain.