Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Programming Security The Internet

Experts Find Serious Problems With Switzerland's Online Voting System (vice.com) 63

An anonymous reader quotes a report from Motherboard: Switzerland made headlines this month for the transparency of its internet voting system when it launched a public penetration test and bug bounty program to test the resiliency of the system to attack. But after source code for the software and technical documentation describing its architecture were leaked online last week, critics are already expressing concern about the system's design and about the transparency around the public test. Cryptography experts who spent just a few hours examining the leaked code say the system is a poorly constructed and convoluted maze that makes it difficult to follow what's going on and effectively evaluate whether the cryptography and other security measures deployed in the system are done properly.

"Most of the system is split across hundreds of different files, each configured at various levels," Sarah Jamie Lewis, a former security engineer for Amazon as well as a former computer scientist for England's GCHQ intelligence agency, told Motherboard. "I'm used to dealing with Java code that runs across different packages and different teams, and this code somewhat defeats even my understanding." She said the system uses cryptographic solutions that are fairly new to the field and that have to be implemented in very specific ways to make the system auditable, but the design the programmers chose thwarts this. "It is simply not the standard we would expect," she told Motherboard. [...] It isn't just outside attackers that are a concern; the system raises the possibility for an insider to intentionally misconfigure the system to make it easier to manipulate, while maintaining plausible deniability that the misconfiguration was unintentional.
"Someone could wire the thing in the wrong place and suddenly the system is compromised," said Lewis, who is currently executive director of the Open Privacy Research Society, a Canadian nonprofit that develops secure and privacy-enhancing software for marginalized communities. "And when you're talking about code that is supposed to be protecting a national election, that is not a statement someone should be able to make." "You expect secure code to be defensively written that would prevent the implementers of the code from wiring it up incorrectly," Lewis told Motherboard. But instead of building a system that doesn't allow for this, the programmers simply added a comment to their source code telling anyone who compiles and implements it to take care to configure it properly, she said.

The online voting system was developed by Swiss Post, the country's national postal service, and the Barcelona-based company Scytl. "Scytl claims the system uses end-to-end encryption that only the Swiss Electoral Board would be able to decrypt," reports Motherboard. "But there are reasons to be concerned about such claims."
This discussion has been archived. No new comments can be posted.

Experts Find Serious Problems With Switzerland's Online Voting System

Comments Filter:
  • by Ecuador ( 740021 ) on Thursday February 21, 2019 @07:22PM (#58161228) Homepage

    Surely, the more convoluted a software design is, the more secure it is. And inability to audit is always extra security.
    We are talking about job security, right?

    • by K. S. Kyosuke ( 729550 ) on Thursday February 21, 2019 @07:43PM (#58161324)
      There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. I guess they picked the latter way.
    • by Anonymous Coward on Thursday February 21, 2019 @10:21PM (#58161764)

      Meanwhile in extremely related news, North Carolina's 9th district is provably fraudulent, because all those paper write-in ballots the GOP collected and completed/destroyed/altered had the same people writing the same fake signatures on them, mailed in batches by the same people passing the same cameras. Over and over and over again, the same handwriting.

      It's not just that a few witnesses tell investigators they were paid to collect those ballots. There is a paper trail proving the fraud.

      Paper ballots, watched by all candidates, counted in front of all candidates is the only solution.

      I see his son is now publicly telling people he warned his GOP dad that it was a felony to do this.... he's a lawyer, he's throwing his dad under a bus so that he isn't arrested on a conspiracy charge for not telling the FBI of the crime. He's not an idiot, he knows there is massive documentation of the voter fraud if anyone looks.

      https://abcnews.go.com/Politics/video/son-north-carolina-congressional-candidate-warned-absentee-votes-61199843

    • Surely, the more convoluted a software design is, the more secure it is. And inability to audit is always extra security.
      We are talking about job security, right?

      The thing which makes this joke even more bitter is that here the voting tools are required to be autidable by design.
      Any citizen could go and check that the counting of booth votes, or of postal votes is going as it should.
      (While at the same time enforcing privacy: there shouldn't be a way for a potential repressive adversary to use the system to spy who voted what. Though the current implementation of remote voting over post has a few potential failure points, and relies on everybody along the chain accom

  • No shit (Score:2, Insightful)

    by rsilvergun ( 571051 )
    who thought this was a good idea? In 2016 Russia was able to significantly interfere with US elections and we're several times their size. China and Iran are doing the same. This is just nuts. Mail paper f'n ballots already. They work, they're secure, and they can't be hacked over the bloody internet.
    • Re: (Score:3, Insightful)

      I am with you on paper ballots. We also need proof of ID, as most nations around the world require. But Russian hacking of the election? I know it's been claimed, but outside some questionable ads and social media trolling - did they actually affect the vote tally?
      • by rtb61 ( 674572 )

        ID is a waste of time and money, simply take their photo when they ID themselves, the number of votes is inconsequential and the penalties quite severe. Just make sure everyone who votes illegally is penalised. You could just video record the entire event from various locales and you are done, every polling station. To kick it up a notch, make it a responsibility of every adult citizen to vote, compulsory elections, makes the government work harder at making them accessible.

        Elections are about people and n

      • by AmiMoJo ( 196126 )

        Problem is that proof of ID requirements are always abused to stop people voting. On balance there is so little fraud that it's usually better to have higher participation than to worry about a tiny and mostly irrelevant problem.

        The Russian election hacking was all directed at voters, not the hardware. The DNC hack, for example, and the timing of the release of those emails.

        • So Canada, Germany, Mexico, the UK, Australia all abuse voter ID requirements to stop people from voting? As far as I can tell, it only keeps people who cannot prove their citizenship from voting. What's the problem?
          • by AmiMoJo ( 196126 )

            In the UK you have to register to vote once, but that's it. At that time you need a national insurance number, which everyone is assigned at age 16. You don't need to show ID when you go to vote, just state the address you registered at and your name. There is no check done, you are simply marked off a register.

            There was an attempt to requite some kind of check at the polling station, but there has been a lot of push-back because we saw what happened in the US.

    • the Barcelona-based company Scytl, which was formed by a group of academics who spun it off of their research work at the Universidad AutÃnoma de Barcelona

      That's why. It's academic-grade code, which means it's (a) incredibly, massively, unnecessarily complex, (b) at a most charitable level, "experimental code", and (c) has been run on a single test case by a caffeineated grad student at 3am. Never, ever, ever put academic-grade code into production even if it's for use in a benign environment. If you're expecting serous attacks on it, make sure you're in another country when it's actively deployed.

      • Although Swiss Post claims the system has undergone three audits by auditing giant KPMG

        Oh, and there's another problem: You get your code audited by an accounting firm if you need to say you've passed an audit, not if you want to detect vulns in it.

        Still reading, but it looks like a howto on how not to build a secure product. I expect the Verge will do a voting system build video on it in the near future.

  • by Ichijo ( 607641 ) on Thursday February 21, 2019 @07:26PM (#58161252) Journal

    "There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult."

  • by jfdavis668 ( 1414919 ) on Thursday February 21, 2019 @07:41PM (#58161316)
    Like some other Swiss products?
    • by Anonymous Coward

      That's why they opened it up for public pentesting ;) https://www.post.ch/en/business/a-z-of-subjects/industry-solutions/swiss-post-e-voting/e-voting-source-code?shortcut=evoting-sourcecode

  • by roc97007 ( 608802 ) on Thursday February 21, 2019 @08:04PM (#58161392) Journal

    I don't see online voting as ever not being corrupt, except perhaps momentarily, by accident. There's just too much at stake in an election, and the payoff for being able to manipulate the results is too high. BTW, the place to start if you're going to corrupt an online voting system is in the software writing stage. Make it really convoluted so that the attack vectors can't easily be found.

    Elections with paper ballots can still be influenced (for instance, accidentally dumping cartons of ballots from precincts with generally the "wrong" political leaning, something that happened recently in my area) but I think it's harder to do, and easier to get caught.

    • by AmiMoJo ( 196126 )

      Better to target voters than voting machines. If you tamper with voting machines/online voting and it gets detected, it's going to de-legitimize the result and probably result in a re-run.

      If you go after the voters people will just argue that it had no effect or that it's protected speech and do everything they can to resist investigation or a do-over. Essentially you got people invested in their own manipulation.

    • Where I live, the voting machines count paper ballots. That gives an approximate count right off, which is good enough for all but the closest elections. There will be some precincts randomly chosen for hand counts to verify the voting machines. The result is that, if someone ditched a carton of ballots, the numbers would be way off and the meddling detected.

  • Somebody will inevitably post this xkcd:

    https://xkcd.com/2030/ [xkcd.com]

    However, it's not a remotely valid comparison. They're comparing planes and buildings operating under normal circumstances with software being attacked by a malicious actor. Software is actually far more robust than aeroplanes and buildings when faced with a malicious attack.

    An unskilled person can easily destroy an aeroplane or demolish a building. We saw this on 9/11, when a few people equipped with nothing more than pen knives were able

    • by Ecuador ( 740021 ) on Thursday February 21, 2019 @08:58PM (#58161536) Homepage

      Hmm. I don't know where you work, but the world is full of crappy software developers. Bad aircraft design will not go unnoticed, but bad software is the norm. I can tell you a couple of obvious bugs on almost every software I use daily. And it will only get worse - e.g. web designers pick up on js, and then find out they can do backend suddenly etc. Have you ever been in an interview process for a developer position? It is crazy how bad some developers are, and they come from banks, the government, automotive industry etc (the examples where not actually random) and when you reject them, they have no trouble finding their next gig!
      And security is nowhere close to being a field that is free from bad practices / bad developers - I'd say it is the opposite. Even simple concepts like monthly changes to passwords lead to insecure passwords etc seem to elude most "security professionals". And the voting machine space... that's probably the worse and the most dangerous. Yeah, the thought does terrify me - especially the closed machines some US states use - the xkcd comic is right on point I think.

    • by Anonymous Coward

      When faced with an attack by a malicious actor both the aviation engineers and the civil engineers failed utterly.

      That was nonsense too.

      The planes did not fail; they flew perfectly until they crashed into the buildings. You're not clever.

      The buildings failed as they were designed to: vertical collapse, most material being contained within the sides of the external structure. Would you be happier if they had tipped over, like monstrous Red Wood trees? You're especially not clever here. Leave Engineering to the engineers.

      Obligatory xkcd. Always not clever, this is... Oh fuck it.

    • The big difference is that physical malicious attacks are unlikely and expensive, and so defending against them normally only makes sense if you're dealing with something very valuable or dangerous. The initial 9/11 attacks succeeded only because it was official policy to comply with terrorists so everyone could go home safely at the end of the day. Once people realized what was going on, later attacks failed as crew and passengers fought back.

      In contrast, digital attacks are so cheap and easy to perform

    • If I want to use a low-tech method of crashing a plane, I have to get on the plane, and can crash at most one plane. If I want to use a method to subvert an Internet voting system, I can sit in another country and subvert an entire system.

  • Use paper (Score:2, Insightful)

    by AHuxley ( 892839 )
    Everyone votes on the day with paper.
    No mass use of postal votes. Go vote. Vote at a hospital.
    Make block voting It gets counted by hand in front of witnesses, gov officials and people selected by political parties.
    They all see the count and numbers. The local, regional, national tally is added in front of people.
    The numbers match local to city to nation.
    Why the secretive rush to computer systems?
    Who needs to sway the Swiss elections and referendums by pushing electronics?
    Stay with paper and the
    • " Vote at a hospital."

      Not only don't I want to go near to a hospital if I'm not already sick, since they are full of illness, but having people go there for reasons other than medical care can impede medical care. Voting should be done at fairgrounds, stadiums and the like. They are designed for traffic, and events are easily scheduled away from voting day (which should be done anyway so as not to compete with the vote.)

  • "You are in a maze of twisty passages, all alike."

    In short, it's too complicated for this person to understand, which is not saying that it's insecure. They're basically saying that it's un-auditable by this particular individual.

    The question is, was that part of the requirements? I mean, most computer systems are incomprehensible to managers, but management understanding isn't generally a requirement.

  • She said the system uses cryptographic solutions that are fairly new to the field and that have to be implemented in very specific ways to make the system auditable, but the design the programmers chose thwarts this

    One way to interpret this is "our auditors don't understand what's going on in this code".

    Is the spec public?

  • trust (Score:4, Insightful)

    by e**(i pi)-1 ( 462311 ) on Thursday February 21, 2019 @09:50PM (#58161702) Homepage Journal
    e-voting will almost certainly remain impossible to implement in a way that it is secure, autitable and trusted by the population.The last point is the most important one so that democracy works. Security through obscurity does not help. But even if there should be a secure, and auditable and intelligable system, how can one be sure as a voter that this system is really used in the end. How can one audit, whether the data are not tempered with, independent of that secure system? Again, even if there is an audit trail, how can make sure that it so simple that can be understood. There appears currently only one way to make sure that voting is secure and this is to have a paper trail which can be audited by many, also by non-experts and which is more difficult to temper with just because of the physical presence of the paper.
  • by Frankie70 ( 803801 ) on Thursday February 21, 2019 @10:49PM (#58161832)

    Internet voting breaks secret ballot. If you are being bribed or threatened into voting for someone & you are voting at booth, then you can vote for anyone without the perpetrator knowing who you actually voted for.

    Internet voting, OTOH, doesn't ensure this - the briber or the "threatener" will be looking over your shoulder when you are e-voting.

    • While it's a concern, this is also a weakness of the existing absentee ballot. (Or they can just demand you hand over the ballot and do it themselves.) See also: some organizations holding "lets all get together and fill out our ballots together; there will be cake" "voting parties". Also, cell phone cameras exist. And while voting-booth selfies are usually not allowed, it'd be difficult for the voting judges to catch someone taking a quick snapshot. The person just has to be nearby enough to make sure
  • This is just one of the effects of the ongoing race-to-the-bottom in programmer cost. At some point, things are so bad that they can just be thrown away.

    Dear MBA-morons: Get it in your heads that writing good code is vastly more difficult than anything you could ever hope to do in your lives and that this makes the people that can do it expensive and rare. Also remember (as you should have learned) that a project producing an inadequate result is vastly more expensive in its TCO as one that uses more expens

  • I don't know anything about the system, but what kind of statement is this, from Lewis (the primary person interviewed):

    "Someone could wire the thing in the wrong place and suddenly the system is compromised."

    That's true of any security protocoll I can imagine. Anyway, "wire the thing in the wrong place"? This is the way a supposed security professional describes software vulnerabilities?

    Then Matthew Green (the other person interviewed) says: "At this point I think the only appropriate way to evaluate it is

  • It needs more blockchain.

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...