Experts Find Serious Problems With Switzerland's Online Voting System

An anonymous reader quotes a report from Motherboard: Switzerland made headlines this month for the transparency of its internet voting system when it launched a public penetration test and bug bounty program to test the resiliency of the system to attack. But after source code for the software and technical documentation describing its architecture were leaked online last week, critics are already expressing concern about the system's design and about the transparency around the public test. Cryptography experts who spent just a few hours examining the leaked code say the system is a poorly constructed and convoluted maze that makes it difficult to follow what's going on and effectively evaluate whether the cryptography and other security measures deployed in the system are done properly.

"Most of the system is split across hundreds of different files, each configured at various levels," Sarah Jamie Lewis, a former security engineer for Amazon as well as a former computer scientist for England's GCHQ intelligence agency, told Motherboard. "I'm used to dealing with Java code that runs across different packages and different teams, and this code somewhat defeats even my understanding." She said the system uses cryptographic solutions that are fairly new to the field and that have to be implemented in very specific ways to make the system auditable, but the design the programmers chose thwarts this. "It is simply not the standard we would expect," she told Motherboard. [...] It isn't just outside attackers that are a concern; the system raises the possibility for an insider to intentionally misconfigure the system to make it easier to manipulate, while maintaining plausible deniability that the misconfiguration was unintentional. "Someone could wire the thing in the wrong place and suddenly the system is compromised," said Lewis, who is currently executive director of the Open Privacy Research Society, a Canadian nonprofit that develops secure and privacy-enhancing software for marginalized communities. "And when you're talking about code that is supposed to be protecting a national election, that is not a statement someone should be able to make." "You expect secure code to be defensively written that would prevent the implementers of the code from wiring it up incorrectly," Lewis told Motherboard. But instead of building a system that doesn't allow for this, the programmers simply added a comment to their source code telling anyone who compiles and implements it to take care to configure it properly, she said.

The online voting system was developed by Swiss Post, the country's national postal service, and the Barcelona-based company Scytl. "Scytl claims the system uses end-to-end encryption that only the Swiss Electoral Board would be able to decrypt," reports Motherboard. "But there are reasons to be concerned about such claims."

Convoluted design = security

[Ecuador]

Surely, the more convoluted a software design is, the more secure it is. And inability to audit is always extra security.
We are talking about job security, right?

Re:Convoluted design = security

[K. S. Kyosuke]

There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. I guess they picked the latter way.

Paper ballots, tracked, counted, verified, paper

[Anonymous Coward]

Meanwhile in extremely related news, North Carolina's 9th district is provably fraudulent, because all those paper write-in ballots the GOP collected and completed/destroyed/altered had the same people writing the same fake signatures on them, mailed in batches by the same people passing the same cameras. Over and over and over again, the same handwriting.

It's not just that a few witnesses tell investigators they were paid to collect those ballots. There is a paper trail proving the fraud.

Paper ballots, watched by all candidates, counted in front of all candidates is the only solution.

I see his son is now publicly telling people he warned his GOP dad that it was a felony to do this.... he's a lawyer, he's throwing his dad under a bus so that he isn't arrested on a conspiracy charge for not telling the FBI of the crime. He's not an idiot, he knows there is massive documentation of the voter fraud if anyone looks.

https://abcnews.go.com/Politics/video/son-north-carolina-congressional-candidate-warned-absentee-votes-61199843

Auditable

[DrYak]

Surely, the more convoluted a software design is, the more secure it is. And inability to audit is always extra security.
We are talking about job security, right?

The thing which makes this joke even more bitter is that here the voting tools are required to be autidable by design.
Any citizen could go and check that the counting of booth votes, or of postal votes is going as it should.
(While at the same time enforcing privacy: there shouldn't be a way for a potential repressive adversary to use the system to spy who voted what. Though the current implementation of remote voting over post has a few potential failure points, and relies on everybody along the chain accom

Re: Why the complexity?

[Anonymous Coward]

It was opensource(in the source code is available sense) anyways. Leaks added to article for drama. https://www.post.ch/en/business/a-z-of-subjects/industry-solutions/swiss-post-e-voting/e-voting-source-code?shortcut=evoting-sourcecode

Re:Why the complexity?

[Sique]

Because electronic voting systems are inherently not capable to perform what they are supposed to do. Voting has to be equal (every vote has to be counted the same, only eligible voters can vote, but no one eligible must be disenfranchised), secret (no one can be compelled to reveal his vote) and accountable (it must be possible to prove the correctness of the ballot casting and the count). Because in general, you can't prove the correct count in a computer without tracking individual votes, you always run into danger of revealing individual votes in the process. So you have to tack additional layers onto the casting-and-counting system with different levels of privileges, which makes voting systems inherently complex and complicates audits. And to warrant secrecy while at the same time warranting accountability in principle, you have to use processes which can only be understood by specialists, which in turn makes audits less accountable, as the normal citizen has to trust the expertise and goodwill of the auditors.

Re:

[Sique]

To make the difficulties more clear, here is a list of of problems to solve:

• How can you be sure it's an eligible vote and not just some vote signed by someone ineligible with access to the secret key (e.g. sysadmin, successful attacker)?
• If you can prove the vote is eligible, how can you preclude its connection to an individual voter?
• If you can connect it to an individual voter, how can you keep the actual vote secret?
• How can you prove that a vote is counted correctly, if the vote is secret?

And no, th

Re:

[guruevi]

It's relatively simple to keep track of two datasets (a voter roll and the votes) and prove that your code authenticates the other without having them massively intertwined in code. There should be a very simple bridge between the two that is heavily documented and even someone with minimal coding skill can read.

We know why there is no company that wants to make such simple code, it is not in the best interest of a large government contractor to have fair and honest elections, typically companies are associ

Re:

[Sique]

You aren't allowed to connect voter roll and votes directly, otherwise you would be able to reveal how someone has voted, as their vote can be traced back to the voter.

Re:

[guruevi]

You don't, keep track of them in a database, but one still has to authenticate the other cryptographically both at time of voting and at verification of the voting without revealing your vote to a third party. There are several papers that have various proofs of concept that would be (relatively) simple to implement.

Re:

[Sique]

Another problem: If you count immediately when someone casts a vote, then this reveals how the person has voted. If you don't count immediately, you have to store the votes and prove that they don't get altered. At the same time you have to keep the vote secret, and still you have to prove afterwards that it gets counted correctly without knowing what it actually contains.

No shit

[rsilvergun]

who thought this was a good idea? In 2016 Russia was able to significantly interfere with US elections and we're several times their size. China and Iran are doing the same. This is just nuts. Mail paper f'n ballots already. They work, they're secure, and they can't be hacked over the bloody internet.

Re:

[LynnwoodRooster]

I am with you on paper ballots. We also need proof of ID, as most nations around the world require. But Russian hacking of the election? I know it's been claimed, but outside some questionable ads and social media trolling - did they actually affect the vote tally?

Re:

[rtb61]

ID is a waste of time and money, simply take their photo when they ID themselves, the number of votes is inconsequential and the penalties quite severe. Just make sure everyone who votes illegally is penalised. You could just video record the entire event from various locales and you are done, every polling station. To kick it up a notch, make it a responsibility of every adult citizen to vote, compulsory elections, makes the government work harder at making them accessible.

Elections are about people and n

Re:

[AmiMoJo]

Problem is that proof of ID requirements are always abused to stop people voting. On balance there is so little fraud that it's usually better to have higher participation than to worry about a tiny and mostly irrelevant problem.

The Russian election hacking was all directed at voters, not the hardware. The DNC hack, for example, and the timing of the release of those emails.

Re:

[LynnwoodRooster]

So Canada, Germany, Mexico, the UK, Australia all abuse voter ID requirements to stop people from voting? As far as I can tell, it only keeps people who cannot prove their citizenship from voting. What's the problem?

Re:

[AmiMoJo]

In the UK you have to register to vote once, but that's it. At that time you need a national insurance number, which everyone is assigned at age 16. You don't need to show ID when you go to vote, just state the address you registered at and your name. There is no check done, you are simply marked off a register.

There was an attempt to requite some kind of check at the polling station, but there has been a lot of push-back because we saw what happened in the US.

Re:

[LynnwoodRooster]

Really? Is that why there an uproar about the expanding requirement for voter ID in the UK [theguardian.com]? And what about our neighbors - Canada and Mexico?

Not to mention even VOX (not really a right-wing site) admits that voter ID laws do not suppress turnout [vox.com]. Yes, CONVICTIONS for voter fraud are few, but there is a growing list of actual voter fraud convictions [heritage.org]. If the vote is so sacrosanct and important, why let ANYONE be disenfranchised by an illegal vote?

Re:

[AmiMoJo]

Yeah that's what I was referring to. They did a pilot, there was outrage... Hopefully it gets killed off.

Re:

[arglebargle_xiv]

the Barcelona-based company Scytl, which was formed by a group of academics who spun it off of their research work at the Universidad AutÃnoma de Barcelona

That's why. It's academic-grade code, which means it's (a) incredibly, massively, unnecessarily complex, (b) at a most charitable level, "experimental code", and (c) has been run on a single test case by a caffeineated grad student at 3am. Never, ever, ever put academic-grade code into production even if it's for use in a benign environment. If you're expecting serous attacks on it, make sure you're in another country when it's actively deployed.

Re:

[arglebargle_xiv]

Although Swiss Post claims the system has undergone three audits by auditing giant KPMG

Oh, and there's another problem: You get your code audited by an accounting firm if you need to say you've passed an audit, not if you want to detect vulns in it.

Still reading, but it looks like a howto on how not to build a secure product. I expect the Verge will do a voting system build video on it in the near future.

Obligatory C. A. R. Hoare quote

[Ichijo]

"There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult."

Re:Who cares about encryption

[roc97007]

It's a voting system. Encryption is irrelevant. What matters is integrity and authenticity.

Enh well... My understanding is, voting should be (a) secret and (b) authenticated to a given person. To do both you kinda need encryption. I do agree that integrity and authenticity are the parts that seem to be missing.

Reminds me of the old Russian joke. At election, peasant woman arrives, is given ballot in envelope, shown ballot box.
Peasant woman starts ripping open envelope. Guards stop her, ask what is she doing? She says, wants to see who she's voting for.
Election official says "Nyet, nyet! This is SECRET ballot!"

Badum-bum

It's full of holes?

[jfdavis668]

Like some other Swiss products?

Re: It's full of holes?

[Anonymous Coward]

That's why they opened it up for public pentesting ;) https://www.post.ch/en/business/a-z-of-subjects/industry-solutions/swiss-post-e-voting/e-voting-source-code?shortcut=evoting-sourcecode

Re:

[jfdavis668]

Also useful for punching holes.

There's too much at stake

[roc97007]

I don't see online voting as ever not being corrupt, except perhaps momentarily, by accident. There's just too much at stake in an election, and the payoff for being able to manipulate the results is too high. BTW, the place to start if you're going to corrupt an online voting system is in the software writing stage. Make it really convoluted so that the attack vectors can't easily be found.

Elections with paper ballots can still be influenced (for instance, accidentally dumping cartons of ballots from precincts with generally the "wrong" political leaning, something that happened recently in my area) but I think it's harder to do, and easier to get caught.

Re:

[AmiMoJo]

Better to target voters than voting machines. If you tamper with voting machines/online voting and it gets detected, it's going to de-legitimize the result and probably result in a re-run.

If you go after the voters people will just argue that it had no effect or that it's protected speech and do everything they can to resist investigation or a do-over. Essentially you got people invested in their own manipulation.

Re:

[david_thornley]

Where I live, the voting machines count paper ballots. That gives an approximate count right off, which is good enough for all but the closest elections. There will be some precincts randomly chosen for hand counts to verify the voting machines. The result is that, if someone ditched a carton of ballots, the numbers would be way off and the meddling detected.

Obligatory xkcd, and why it's nonsense

[Ashthon]

Somebody will inevitably post this xkcd:

https://xkcd.com/2030/ [xkcd.com]

However, it's not a remotely valid comparison. They're comparing planes and buildings operating under normal circumstances with software being attacked by a malicious actor. Software is actually far more robust than aeroplanes and buildings when faced with a malicious attack.

An unskilled person can easily destroy an aeroplane or demolish a building. We saw this on 9/11, when a few people equipped with nothing more than pen knives were able

Re:Obligatory xkcd, and why it's nonsense

[Ecuador]

Hmm. I don't know where you work, but the world is full of crappy software developers. Bad aircraft design will not go unnoticed, but bad software is the norm. I can tell you a couple of obvious bugs on almost every software I use daily. And it will only get worse - e.g. web designers pick up on js, and then find out they can do backend suddenly etc. Have you ever been in an interview process for a developer position? It is crazy how bad some developers are, and they come from banks, the government, automotive industry etc (the examples where not actually random) and when you reject them, they have no trouble finding their next gig!
And security is nowhere close to being a field that is free from bad practices / bad developers - I'd say it is the opposite. Even simple concepts like monthly changes to passwords lead to insecure passwords etc seem to elude most "security professionals". And the voting machine space... that's probably the worse and the most dangerous. Yeah, the thought does terrify me - especially the closed machines some US states use - the xkcd comic is right on point I think.

Re:

[Anonymous Coward]

When faced with an attack by a malicious actor both the aviation engineers and the civil engineers failed utterly.

That was nonsense too.

The planes did not fail; they flew perfectly until they crashed into the buildings. You're not clever.

The buildings failed as they were designed to: vertical collapse, most material being contained within the sides of the external structure. Would you be happier if they had tipped over, like monstrous Red Wood trees? You're especially not clever here. Leave Engineering to the engineers.

Obligatory xkcd. Always not clever, this is... Oh fuck it.

Re:

[Immerman]

The big difference is that physical malicious attacks are unlikely and expensive, and so defending against them normally only makes sense if you're dealing with something very valuable or dangerous. The initial 9/11 attacks succeeded only because it was official policy to comply with terrorists so everyone could go home safely at the end of the day. Once people realized what was going on, later attacks failed as crew and passengers fought back.

In contrast, digital attacks are so cheap and easy to perform

Re:

[david_thornley]

If I want to use a low-tech method of crashing a plane, I have to get on the plane, and can crash at most one plane. If I want to use a method to subvert an Internet voting system, I can sit in another country and subvert an entire system.

Use paper

[AHuxley]

Everyone votes on the day with paper.
No mass use of postal votes. Go vote. Vote at a hospital.
Make block voting It gets counted by hand in front of witnesses, gov officials and people selected by political parties.
They all see the count and numbers. The local, regional, national tally is added in front of people.
The numbers match local to city to nation.
Why the secretive rush to computer systems?
Who needs to sway the Swiss elections and referendums by pushing electronics?
Stay with paper and the

Re:

[drinkypoo]

" Vote at a hospital."

Not only don't I want to go near to a hospital if I'm not already sick, since they are full of illness, but having people go there for reasons other than medical care can impede medical care. Voting should be done at fairgrounds, stadiums and the like. They are designed for traffic, and events are easily scheduled away from voting day (which should be done anyway so as not to compete with the vote.)

It's the Colossal Cave Architecture

[mveloso]

"You are in a maze of twisty passages, all alike."

In short, it's too complicated for this person to understand, which is not saying that it's insecure. They're basically saying that it's un-auditable by this particular individual.

The question is, was that part of the requirements? I mean, most computer systems are incomprehensible to managers, but management understanding isn't generally a requirement.

Which cryptosystems?

[bill_mcgonigle]

She said the system uses cryptographic solutions that are fairly new to the field and that have to be implemented in very specific ways to make the system auditable, but the design the programmers chose thwarts this

One way to interpret this is "our auditors don't understand what's going on in this code".

Is the spec public?

trust

[e**(i pi)-1]

e-voting will almost certainly remain impossible to implement in a way that it is secure, autitable and trusted by the population.The last point is the most important one so that democracy works. Security through obscurity does not help. But even if there should be a secure, and auditable and intelligable system, how can one be sure as a voter that this system is really used in the end. How can one audit, whether the data are not tempered with, independent of that secure system? Again, even if there is an audit trail, how can make sure that it so simple that can be understood. There appears currently only one way to make sure that voting is secure and this is to have a paper trail which can be audited by many, also by non-experts and which is more difficult to temper with just because of the physical presence of the paper.

Internet voting is broken even if it is secure

[Frankie70]

Internet voting breaks secret ballot. If you are being bribed or threatened into voting for someone & you are voting at booth, then you can vote for anyone without the perpetrator knowing who you actually voted for.

Internet voting, OTOH, doesn't ensure this - the briber or the "threatener" will be looking over your shoulder when you are e-voting.

Re:

[Mateorabi]

While it's a concern, this is also a weakness of the existing absentee ballot. (Or they can just demand you hand over the ballot and do it themselves.) See also: some organizations holding "lets all get together and fill out our ballots together; there will be cake" "voting parties". Also, cell phone cameras exist. And while voting-booth selfies are usually not allowed, it'd be difficult for the voting judges to catch someone taking a quick snapshot. The person just has to be nearby enough to make sure

Cheaper than possible coding

[gweihir]

This is just one of the effects of the ongoing race-to-the-bottom in programmer cost. At some point, things are so bad that they can just be thrown away.

Dear MBA-morons: Get it in your heads that writing good code is vastly more difficult than anything you could ever hope to do in your lives and that this makes the people that can do it expensive and rare. Also remember (as you should have learned) that a project producing an inadequate result is vastly more expensive in its TCO as one that uses more expens

Re:

[gweihir]

You think I am easy to replace? I am not. But you are a dime a dozen and all equally incompetent.

TFA is crap

[bradley13]

I don't know anything about the system, but what kind of statement is this, from Lewis (the primary person interviewed):

"Someone could wire the thing in the wrong place and suddenly the system is compromised."

That's true of any security protocoll I can imagine. Anyway, "wire the thing in the wrong place"? This is the way a supposed security professional describes software vulnerabilities?

Then Matthew Green (the other person interviewed) says: "At this point I think the only appropriate way to evaluate it is

I know what's missing

[Chelloveck]

It needs more blockchain.