Slashdot Mirror


Experts Find Serious Problems With Switzerland's Online Voting System (vice.com)

An anonymous reader quotes a report from Motherboard: Switzerland made headlines this month for the transparency of its internet voting system when it launched a public penetration test and bug bounty program to test the resiliency of the system to attack. But after source code for the software and technical documentation describing its architecture were leaked online last week, critics are already expressing concern about the system's design and about the transparency around the public test. Cryptography experts who spent just a few hours examining the leaked code say the system is a poorly constructed and convoluted maze that makes it difficult to follow what's going on and effectively evaluate whether the cryptography and other security measures deployed in the system are done properly.

"Most of the system is split across hundreds of different files, each configured at various levels," Sarah Jamie Lewis, a former security engineer for Amazon as well as a former computer scientist for England's GCHQ intelligence agency, told Motherboard. "I'm used to dealing with Java code that runs across different packages and different teams, and this code somewhat defeats even my understanding." She said the system uses cryptographic solutions that are fairly new to the field and that have to be implemented in very specific ways to make the system auditable, but the design the programmers chose thwarts this. "It is simply not the standard we would expect," she told Motherboard. [...] It isn't just outside attackers that are a concern; the system raises the possibility for an insider to intentionally misconfigure the system to make it easier to manipulate, while maintaining plausible deniability that the misconfiguration was unintentional.
"Someone could wire the thing in the wrong place and suddenly the system is compromised," said Lewis, who is currently executive director of the Open Privacy Research Society, a Canadian nonprofit that develops secure and privacy-enhancing software for marginalized communities. "And when you're talking about code that is supposed to be protecting a national election, that is not a statement someone should be able to make." "You expect secure code to be defensively written that would prevent the implementers of the code from wiring it up incorrectly," Lewis told Motherboard. But instead of building a system that doesn't allow for this, the programmers simply added a comment to their source code telling anyone who compiles and implements it to take care to configure it properly, she said.

The online voting system was developed by Swiss Post, the country's national postal service, and the Barcelona-based company Scytl. "Scytl claims the system uses end-to-end encryption that only the Swiss Electoral Board would be able to decrypt," reports Motherboard. "But there are reasons to be concerned about such claims."
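The design point Lewis makes above (defensive code that prevents integrators from wiring a component up incorrectly, rather than a source comment asking them to configure it properly) can be shown in a few lines. The following is an added illustration, not Swiss Post or Scytl code and not a description of their system: all names, the HMAC used as a stand-in for a real ballot proof, and the sample ballots are assumptions. The pattern is that the tally accepts only a type that the verification routine alone can mint, so there is no flag to forget.

```python
"""Added example: making an unverified-ballot tally unrepresentable.

Everything here is hypothetical. A real scheme would attach a zero-knowledge
proof of eligibility and well-formedness to each ballot; an HMAC under a
registration key stands in for that proof so the example runs offline.
"""
from __future__ import annotations

import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

_REGISTRATION_KEY = b"example-registration-key"  # assumption, demo only


@dataclass(frozen=True)
class Ballot:
    voter_id: str
    choice: str
    proof: bytes  # valid only if it equals _make_proof(voter_id, choice)


def _make_proof(voter_id: str, choice: str) -> bytes:
    msg = voter_id.encode() + b"\x00" + choice.encode()
    return hmac.new(_REGISTRATION_KEY, msg, hashlib.sha256).digest()


def cast(voter_id: str, choice: str) -> Ballot:
    """What an honest voting client would produce."""
    return Ballot(voter_id, choice, _make_proof(voter_id, choice))


# --- The style criticised in the summary: correctness hangs on a flag. ---
def tally_unsafe(ballots: Iterable[Ballot], check_proofs: bool = False) -> Counter:
    # NOTE TO INTEGRATORS: you MUST pass check_proofs=True in production.
    counts: Counter = Counter()
    for b in ballots:
        if check_proofs and not hmac.compare_digest(
            b.proof, _make_proof(b.voter_id, b.choice)
        ):
            continue
        counts[b.choice] += 1
    return counts


# --- Defensive style: the tally only accepts a type that verification mints.
_MINT = object()  # module-private token held only by verify_ballot()


class VerifiedBallot:
    __slots__ = ("voter_id", "choice")

    def __init__(self, _token: object, voter_id: str, choice: str):
        if _token is not _MINT:
            raise TypeError("VerifiedBallot is only created by verify_ballot()")
        self.voter_id = voter_id
        self.choice = choice


def verify_ballot(b: Ballot) -> Optional[VerifiedBallot]:
    """The single path from Ballot to VerifiedBallot."""
    if hmac.compare_digest(b.proof, _make_proof(b.voter_id, b.choice)):
        return VerifiedBallot(_MINT, b.voter_id, b.choice)
    return None


def tally(ballots: Iterable[VerifiedBallot]) -> Counter:
    """No flag to forget: anything that is not a VerifiedBallot is an error."""
    counts: Counter = Counter()
    seen: set[str] = set()
    for v in ballots:
        if not isinstance(v, VerifiedBallot):
            raise TypeError(f"tally() only accepts VerifiedBallot, got {type(v).__name__}")
        if v.voter_id in seen:
            raise ValueError(f"duplicate ballot for {v.voter_id}")
        seen.add(v.voter_id)
        counts[v.choice] += 1
    return counts


def tally_accepts(obj: object) -> bool:
    """True if tally() would count obj; shows the type gate at work."""
    try:
        tally([obj])  # type: ignore[list-item]
        return True
    except TypeError:
        return False


def demo() -> dict:
    """Constructed sample: three honest ballots and one with a forged proof."""
    honest = [cast("v1", "yes"), cast("v2", "no"), cast("v3", "yes")]
    forged = Ballot("v4", "yes", b"\x00" * 32)
    everything = honest + [forged]

    unsafe = tally_unsafe(everything)  # flag left at default: forgery counted
    verified = [v for v in map(verify_ballot, everything) if v is not None]
    safe = tally(verified)
    return {"unsafe": dict(unsafe), "safe": dict(safe),
            "rejected": len(everything) - len(verified)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the forged ballot counted by `tally_unsafe` when the integrator forgets the flag, and excluded from `tally`, which cannot be handed a raw `Ballot` at all. The comment-plus-flag style is what the summary describes; the token-gated type is the defensive alternative.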

9 of 63 comments

  1. Convoluted design = security by Ecuador · · Score: 3, Insightful

    Surely, the more convoluted a software design is, the more secure it is. And inability to audit is always extra security.
    We are talking about job security, right?

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
    1. Re:Convoluted design = security by K.+S.+Kyosuke · · Score: 3, Insightful

      There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. I guess they picked the latter way.

      --
      Ezekiel 23:20
  2. It's full of holes? by jfdavis668 · · Score: 4, Funny

    Like some other Swiss products?

  3. Re:Who cares about encryption by roc97007 · · Score: 3, Insightful

    It's a voting system. Encryption is irrelevant. What matters is integrity and authenticity.

    Enh well... My understanding is, voting should be (a) secret and (b) authenticated to a given person. To do both you kinda need encryption. I do agree that integrity and authenticity are the parts that seem to be missing.

    Reminds me of the old Russian joke. At election, peasant woman arrives, is given ballot in envelope, shown ballot box.
    Peasant woman starts ripping open envelope. Guards stop her, ask what is she doing? She says, wants to see who she's voting for.
    Election official says "Nyet, nyet! This is SECRET ballot!"

    Badum-bum

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  4. Re:Obligatory xkcd, and why it's nonsense by Ecuador · · Score: 3, Insightful

    Hmm. I don't know where you work, but the world is full of crappy software developers. Bad aircraft design will not go unnoticed, but bad software is the norm. I can tell you a couple of obvious bugs in almost every piece of software I use daily. And it will only get worse - e.g. web designers pick up on js, and then suddenly find out they can do backend etc. Have you ever been in an interview process for a developer position? It is crazy how bad some developers are, and they come from banks, the government, the automotive industry etc. (the examples were not actually random) and when you reject them, they have no trouble finding their next gig!
    And security is nowhere close to being a field that is free from bad practices / bad developers - I'd say it is the opposite. Even simple concepts, like monthly password changes leading to insecure passwords etc., seem to elude most "security professionals". And the voting machine space... that's probably the worst and the most dangerous. Yeah, the thought does terrify me - especially the closed machines some US states use - the xkcd comic is right on point I think.

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
  5. trust by e**(i+pi)-1 · · Score: 3, Insightful

    e-voting will almost certainly remain impossible to implement in a way that is secure, auditable and trusted by the population. The last point is the most important one so that democracy works. Security through obscurity does not help. But even if there should be a secure, auditable and intelligible system, how can one be sure as a voter that this system is really used in the end? How can one audit whether the data are not tampered with, independent of that secure system? Again, even if there is an audit trail, how can one make sure that it is so simple that it can be understood? There appears currently to be only one way to make sure that voting is secure, and this is to have a paper trail which can be audited by many, also by non-experts, and which is more difficult to tamper with just because of the physical presence of the paper.

  6. Paper ballots, tracked, counted, verified, paper by Anonymous Coward · · Score: 4, Insightful

    Meanwhile in extremely related news, North Carolina's 9th district is provably fraudulent, because all those paper write-in ballots the GOP collected and completed/destroyed/altered had the same people writing the same fake signatures on them, mailed in batches by the same people passing the same cameras. Over and over and over again, the same handwriting.

    It's not just that a few witnesses tell investigators they were paid to collect those ballots. There is a paper trail proving the fraud.

    Paper ballots, watched by all candidates, counted in front of all candidates is the only solution.

    I see his son is now publicly telling people he warned his GOP dad that it was a felony to do this.... he's a lawyer, he's throwing his dad under a bus so that he isn't arrested on a conspiracy charge for not telling the FBI of the crime. He's not an idiot, he knows there is massive documentation of the voter fraud if anyone looks.

    https://abcnews.go.com/Politics/video/son-north-carolina-congressional-candidate-warned-absentee-votes-61199843

  7. Internet voting is broken even if it is secure by Frankie70 · · Score: 5, Insightful

    Internet voting breaks secret ballot. If you are being bribed or threatened into voting for someone & you are voting at booth, then you can vote for anyone without the perpetrator knowing who you actually voted for.

    Internet voting, OTOH, doesn't ensure this - the briber or the "threatener" will be looking over your shoulder when you are e-voting.

  8. Re:Why the complexity? by Sique · · Score: 4, Insightful

    Because electronic voting systems are inherently not capable of performing what they are supposed to do. Voting has to be equal (every vote has to be counted the same, only eligible voters can vote, but no one eligible must be disenfranchised), secret (no one can be compelled to reveal his vote) and accountable (it must be possible to prove the correctness of the ballot casting and the count). Because in general you can't prove the correct count in a computer without tracking individual votes, you always run into the danger of revealing individual votes in the process. So you have to tack additional layers onto the casting-and-counting system with different levels of privileges, which makes voting systems inherently complex and complicates audits. And to warrant secrecy while at the same time warranting accountability in principle, you have to use processes which can only be understood by specialists, which in turn makes audits less accountable, as the normal citizen has to trust the expertise and goodwill of the auditors.

    --
    .sig: Sique *sigh*