Re: Why on earth would online voting be insecure?
On Mon, Nov 14, 2016 at 05:52:51PM -0500, Alan Corey wrote:
> It seems simple to me [...]

It seems simple because you haven't studied voting systems and their requirements for privacy, security, integrity, reliability, etc. You have also failed to consider that the privacy, security, integrity, reliability, etc. problems that are now pervasive throughout computing and Internet operations are antithetical to those. In other words, the things that voting systems need are just about exactly the things that contemporary Internet computing environments lack.

I suggest if you're really interested in this issue that you start your education here:

Douglas W. Jones on Voting and Elections
http://homepage.divms.uiowa.edu/~jones/voting/

That page has a large number of links to articles, reports, essays, papers, etc. on these topics -- and to many sites which contain still more. It's an excellent jumping-off point for enquiry into many aspects of this problem.

After you've read for a few months, I think you'll see that the problem is anything but "simple".

---rsk
Re: Why on earth would online voting be insecure?
| Is this an OpenBSD mailing list?

Yes, it is.

The simple fact is that some people cannot get an idea on a subject. Two examples are security and randomization. Something inside them tells them "you didn't get it" or "you almost got it" and they want to show this is not true. Hence the venting on misc@ for approval.
Re: Why on earth would online voting be insecure?
Apologies for speaking out of turn. Is this an OpenBSD mailing list?

Vivek

Sent from my BlackBerry 10 smartphone.

Original Message
From: Joel Wirāmu Pauling
Sent: Tuesday 15 November 2016 20:46
To: gwes
Cc: misc@openbsd.org
Subject: Re: Why on earth would online voting be insecure?

On 15 November 2016 at 09:47, gwes <g...@oat.com> wrote:
> On 11/15/2016 00:55, Joel Wirāmu Pauling wrote:
>
>> So yes, back to my original point. A Civic's blockchain, one that does not
>> rely on the integrity (or rather is resilient to) the system it runs on,
>> or the security of the transmission media ; as a platform for use in civic's
>> - needs to exist first.
>>
> Combining two systems entirely separate in concept, implementation,
> and space increases the probability of a correct answer. Three
> would be better. Using the electronic system as a supplement to
> the traditional one could be good as long as it does not compromise
> the virtues of the old system.
>
> The blockchain starts after the votes are entered. Two physically
> separate systems composed of entirely different CPUs and peripherals
> at the voting place would be good.
>
> You still haven't addressed the problems of privacy while casting
> the vote.
>
> I think that your concepts for the technical parts of the
> system are good. You haven't addressed some serious problems
> where your system can be subverted.
>
> Suggesting weekly votes is a very bad idea. Search science
> fiction, for instance, to see very plausible predictions
> of voter burnout.
>
> I think this is no longer a computer systems discussion.
>

This. Once you start to think about the problem further in terms of distributing the ledger via a public blockchain - as the datastore and mechanism for recording and verification, and that the blockchain exists entirely independently of the systems it runs on - you are at least in the right place to start tackling this issue.
Re: Why on earth would online voting be insecure?
On 15 November 2016 at 09:47, gwes wrote:
> On 11/15/2016 00:55, Joel Wirāmu Pauling wrote:
>
>> So yes, back to my original point. A Civic's blockchain, one that does not
>> rely on the integrity (or rather is resilient to) the system it runs on,
>> or the security of the transmission media ; as a platform for use in civic's
>> - needs to exist first.
>>
> Combining two systems entirely separate in concept, implementation,
> and space increases the probability of a correct answer. Three
> would be better. Using the electronic system as a supplement to
> the traditional one could be good as long as it does not compromise
> the virtues of the old system.
>
> The blockchain starts after the votes are entered. Two physically
> separate systems composed of entirely different CPUs and peripherals
> at the voting place would be good.
>
> You still haven't addressed the problems of privacy while casting
> the vote.
>
> I think that your concepts for the technical parts of the
> system are good. You haven't addressed some serious problems
> where your system can be subverted.
>
> Suggesting weekly votes is a very bad idea. Search science
> fiction, for instance, to see very plausible predictions
> of voter burnout.
>
> I think this is no longer a computer systems discussion.
>

This. Once you start to think about the problem further in terms of distributing the ledger via a public blockchain - as the datastore and mechanism for recording and verification, and that the blockchain exists entirely independently of the systems it runs on - you are at least in the right place to start tackling this issue.
Re: Why on earth would online voting be insecure?
On 11/15/2016 00:55, Joel Wirāmu Pauling wrote:
> So yes, back to my original point. A Civic's blockchain, one that does not
> rely on the integrity (or rather is resilient to) the system it runs on,
> or the security of the transmission media ; as a platform for use in civic's
> - needs to exist first.

Combining two systems entirely separate in concept, implementation, and space increases the probability of a correct answer. Three would be better. Using the electronic system as a supplement to the traditional one could be good as long as it does not compromise the virtues of the old system.

The blockchain starts after the votes are entered. Two physically separate systems composed of entirely different CPUs and peripherals at the voting place would be good.

You still haven't addressed the problems of privacy while casting the vote.

I think that your concepts for the technical parts of the system are good. You haven't addressed some serious problems where your system can be subverted.

Suggesting weekly votes is a very bad idea. Search science fiction, for instance, to see very plausible predictions of voter burnout.

I think this is no longer a computer systems discussion.

Geoff Steckel
Re: Why on earth would online voting be insecure?
So yes, back to my original point. A Civic's blockchain, one that does not rely on the integrity (or rather is resilient to) the system it runs on, or the security of the transmission media ; as a platform for use in civic's - needs to exist first.

Block-chains are relatively new and we are still discovering properties and flaws in them, but I think if you view them as a data-structure and as being useful for certain things, they potentially mitigate a lot of traditional security concerns. But we are a long way away from having them adopted as an everyday tool.

I've been on the NZ government panel on on-line voting, and submitted a submission to the Canada electoral commission whilst living here. Unfortunately people view on-line voting and make the false comparison to banks: the "Well if some SSL secured website cluster, backed by some $sql database, in some $secure data centre is good enough for banks ..." fallacy, all the time. The problem is a bank is a centralised system; they have legal responsibilities and make calculated risk assessments and have insurance coverage. You have a one to one relationship with them and have choice (arguably) over choosing them or not. The trust relationship is between you and your bank, that's it. The bank is responsible for liability to third parties, not you.

Civics engagement by necessity needs to be verifiable, independent and distributed, not reliant on central systems where you trust some entity to negotiate on your behalf. It is a lot more nuanced than it appears at first glance.

Would I design a voting station to run on OpenBSD ... sure... but I would also design it to work on /Linux, Windows or an Abacus.

The paper comparison is a good one: block-chains provide a ledger verifiable by hand (yes with some hard math, but doable) but unlike paper can't be lost, or tampered with (the court is still out on exactly the best ways to implement this...) and don't care how much they get graffitied on during passing around. You can also check your vote went to where you wanted it to go.

Talking about traditional Databases, and Application system designs is simply the wrong mindset.

On 15 November 2016 at 00:03, gwes wrote:
> On 11/14/2016 22:19, Alan Corey wrote:
>
>> OK, it's relevant to OpenBSD because I wouldn't consider anything else
>> safe enough to run on the servers. Not that I'm in a position to do
>> any of it. The servers could even be run from custom official live
>> CDs so they were harder to tamper with, with maybe a RAM drive for
>> speed.
>>
>> There seems to be a conflict between having anonymous votes and having
>> something similar to paper ballots that can be recounted. So let
>> authentication, identification, etc. be handled by one machine and
>> stored in one database then the transaction is handed over to another
>> machine which stores the votes. That could be something simple like a
>> tab-delimited file which could be counted by hand, one line per voter.
>> The file could be only writeable by the owner. The same person can't
>> vote twice because the first machine wouldn't allow them in a second
>> time.
>>
> How do you know if the voter is under duress or being watched?
>
> Paper can last two thousand years. It's pretty easy to make
> paper that can't be duplicated in any useful quantity.
> Functionally indelible ink, too.
>
> Using machines to assist voting is a good thing.
> Physical objects are much more convincing and easier to secure.
>
> Oh yes -- the magic ghost Intel has put in every processor
> for years. With a secret key -- security by obscurity.
> Disk drives can be secretly reprogrammed. Network interfaces
> have microcode, too. The memory system is also vulnerable
> to secret tampering. All of these are back doors which are
> or could be in place.
>
> Securing the system is far harder than securing a program
> or group of programs.
>
> Geoff Steckel
Re: Why on earth would online voting be insecure?
On 11/14/2016 22:19, Alan Corey wrote:
> OK, it's relevant to OpenBSD because I wouldn't consider anything else
> safe enough to run on the servers. Not that I'm in a position to do
> any of it. The servers could even be run from custom official live
> CDs so they were harder to tamper with, with maybe a RAM drive for
> speed.
>
> There seems to be a conflict between having anonymous votes and having
> something similar to paper ballots that can be recounted. So let
> authentication, identification, etc. be handled by one machine and
> stored in one database then the transaction is handed over to another
> machine which stores the votes. That could be something simple like a
> tab-delimited file which could be counted by hand, one line per voter.
> The file could be only writeable by the owner. The same person can't
> vote twice because the first machine wouldn't allow them in a second
> time.

How do you know if the voter is under duress or being watched?

Paper can last two thousand years. It's pretty easy to make paper that can't be duplicated in any useful quantity. Functionally indelible ink, too.

Using machines to assist voting is a good thing. Physical objects are much more convincing and easier to secure.

Oh yes -- the magic ghost Intel has put in every processor for years. With a secret key -- security by obscurity. Disk drives can be secretly reprogrammed. Network interfaces have microcode, too. The memory system is also vulnerable to secret tampering. All of these are back doors which are or could be in place.

Securing the system is far harder than securing a program or group of programs.

Geoff Steckel
Re: Why on earth would online voting be insecure?
OK, it's relevant to OpenBSD because I wouldn't consider anything else safe enough to run on the servers. Not that I'm in a position to do any of it. The servers could even be run from custom official live CDs so they were harder to tamper with, with maybe a RAM drive for speed.

There seems to be a conflict between having anonymous votes and having something similar to paper ballots that can be recounted. So let authentication, identification, etc. be handled by one machine and stored in one database, then the transaction is handed over to another machine which stores the votes. That could be something simple like a tab-delimited file which could be counted by hand, one line per voter. The file could be only writeable by the owner. The same person can't vote twice because the first machine wouldn't allow them in a second time.

I'm assuming there's physical security over the server room; if that was compromised all bets are off. When I last voted I verbally identified myself to one person who handed me my ballot, which I checked off in pencil, then identified myself to another worker who cranked my ballot into a simple counting machine about 40 years old. Yes, if one person got access to the files in seclusion they could alter something, assuming they were root; that would have to be as impossible as erasing the pencil marks on the ballots and changing them. I assume there are always multiple scrupulous workers present.

It doesn't have to be an SSN, a driver's license number would work as well. Some long number known mostly only to the voter and to the government which doesn't arrive by the same mailing as the key the town sends. Somewhat analogous to a public key, with the private key being the number the town mails each voter for each election.

Laziness isn't the only reason to do this, I would hope to expand it to maybe a weekly vote on things that are put to the House and Senate so there's direct input from voters instead of only electing people who do their voting. There probably wouldn't be a lot of interest but being able to provide feedback to elected representatives could be useful; conversely there would be statistics on what percentage of the time they voted as the public wanted.

Instead of voting with a web browser, there might be some security to be gained by using a dedicated client. Or voting from something like an Android phone (I have no experience with iOS). Android security seems almost excessive. Incorporating the phone numbers on each end could be useful although not to be trusted as identification by itself. An app could connect to a phone number and load a ballot, fill it out offline, then dial another number to submit it in milliseconds, which lessens the load on the server. For that matter you could produce live CDs to be booted and used only for voting, any operating system you want.

I think bouncing ideas off a community of knowledgeable computer hobbyists and professionals is a useful thing to do. I became an OpenBSD user about 2001 because I inherited a Linux box at my job that had been rootkitted and I needed something more secure; it's still my first choice. I later firewalled the entire office through another OpenBSD box, it worked very well. So yes, security in academia where student records were concerned, we had thousands of transcripts.

--
Credit is the root of all evil. - AB1JX
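The two-machine design Alan describes above (identification on one machine, ballots stored separately on another, one line per voter, no second admission) and the hand-verifiable, tamper-evident ledger Joel argues for earlier in the thread, modelled together as an added example. This is not code from anyone in the thread; the enrollment records, the mailed keys, the class names AuthMachine and VoteLedger and the helper names are all constructed assumptions. The first machine checks town, name, SSN and mailed key, admits each enrollment once, and hands over a random token that it does not record against an identity; the second machine appends ballots to a hash chain, so a changed line is caught by recomputing the chain, and a voter can look up the ballot filed under their token. What it deliberately leaves unsolved is the point Dave raises in the thread: the token is a receipt, and a receipt that lets you confirm your own vote also lets anyone watching you confirm it.

```python
"""Toy model: separate authentication machine plus hash-chained ballot ledger.
Constructed example; enrollment data, keys and all names are assumptions."""
import copy
import hashlib
import hmac
import secrets

GENESIS = "0" * 64


def digest(*parts: str) -> str:
    """SHA-256 over the parts, joined with a separator so fields cannot run together."""
    return hashlib.sha256("\x1f".join(parts).encode()).hexdigest()


# Constructed enrollment data for the "first machine": who may vote, and a
# hash of the per-election key the town mailed them (never the key itself).
ENROLLMENT = {
    ("Springfield", "A. Voter", "000-00-0001"): digest("KEY-7f3a"),
    ("Springfield", "B. Voter", "000-00-0002"): digest("KEY-91c0"),
}


class AuthMachine:
    """Checks town/name/SSN/key, lets each enrollment in once, and hands out a
    random ballot token. It remembers which tokens exist but not who got them,
    so the identity database cannot be joined to the ballot store."""

    def __init__(self, enrollment):
        self.enrollment = dict(enrollment)
        self.admitted = set()   # identities already let in
        self.issued = set()     # tokens handed out, with no identity attached

    def issue_token(self, town, name, ssn, key):
        ident = (town, name, ssn)
        expected = self.enrollment.get(ident)
        if expected is None or not hmac.compare_digest(expected, digest(key)):
            return None         # unknown voter or wrong mailed key
        if ident in self.admitted:
            return None         # the first machine refuses a second entry
        self.admitted.add(ident)
        token = secrets.token_hex(16)
        self.issued.add(token)
        return token


class VoteLedger:
    """Second machine: ballots as a hash chain. Every entry commits to its
    predecessor, so altering or dropping a line breaks every later hash."""

    def __init__(self, auth):
        self.auth = auth
        self.spent = set()
        self.entries = []

    def cast(self, token, choice):
        if token not in self.auth.issued or token in self.spent:
            return False        # token never issued, or already used
        self.spent.add(token)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        index = str(len(self.entries))
        entry = {"index": index, "token": token, "choice": choice, "prev": prev}
        entry["hash"] = digest(index, token, choice, prev)
        self.entries.append(entry)
        return True


def verify_ledger(entries) -> bool:
    """Recompute the chain from GENESIS; anyone holding a copy can do this."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["index"] != str(i) or e["prev"] != prev:
            return False
        if e["hash"] != digest(e["index"], e["token"], e["choice"], e["prev"]):
            return False
        prev = e["hash"]
    return True


def find_ballot(entries, token):
    """Let a voter check the ballot recorded under their token."""
    for e in entries:
        if e["token"] == token:
            return e["choice"]
    return None


def run_scenario():
    """Two voters, a wrong key, a repeat login, a reused token, a tampered line."""
    auth = AuthMachine(ENROLLMENT)
    ledger = VoteLedger(auth)
    a = ("Springfield", "A. Voter", "000-00-0001")
    t1 = auth.issue_token(*a, "KEY-7f3a")
    t2 = auth.issue_token("Springfield", "B. Voter", "000-00-0002", "KEY-91c0")
    r = {
        "wrong_key_refused": auth.issue_token(*a, "KEY-0000") is None,
        "second_login_refused": auth.issue_token(*a, "KEY-7f3a") is None,
        "first_vote_accepted": ledger.cast(t1, "YES"),
        "second_vote_accepted": ledger.cast(t2, "NO"),
        "token_reuse_refused": not ledger.cast(t1, "NO"),
        "unissued_token_refused": not ledger.cast(secrets.token_hex(16), "YES"),
    }
    r["chain_valid"] = verify_ledger(ledger.entries)
    r["voter_can_check"] = find_ballot(ledger.entries, t1) == "YES"
    tampered = copy.deepcopy(ledger.entries)   # someone with write access
    tampered[0]["choice"] = "NO"               # flips one recorded ballot
    r["tamper_detected"] = not verify_ledger(tampered)
    return r


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The ledger here is the "tab-delimited file, one line per voter" with one addition: each line carries the hash of the line before it, which is what makes a quiet edit by someone with write access detectable after the fact rather than merely forbidden by file permissions. The separation works only as long as the first machine really does not log which token went to which identity and the two machines' logs cannot be lined up by timestamp; the model enforces the first by construction and says nothing about the second.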
Re: Why on earth would online voting be insecure?
On Mon, Nov 14, 2016 at 2:52 PM, Alan Corey wrote:
> This sounds like heel-dragging to me, or they're trying to do it under
> Windows or something:
> https://www.washingtonpost.com/news/post-nation/wp/2016/05/17/more-than-30-states-offer-online-voting-but-experts-warn-it-isnt-secure/
>
> It seems simple to me, you use firewalls and only make the results

https://twitter.com/mattblaze/status/788800648942944258
Re: Why on earth would online voting be insecure?
You need a civic blockchain or some-such that guarantees data integrity and agnosticism of the platform that anyone can verify. The interface into / mechanics once you have a blockchain which you can issue tokens from is the simple bit.

Not sure this is relevant for this list tho.

-Joel

On 14 November 2016 at 17:52, Alan Corey wrote:
> This sounds like heel-dragging to me, or they're trying to do it under
> Windows or something:
> https://www.washingtonpost.com/news/post-nation/wp/2016/05/17/more-than-30-states-offer-online-voting-but-experts-warn-it-isnt-secure/
>
> It seems simple to me, you use firewalls and only make the results
> writeable by the process that should be writing to it, probably
> nothing needs to have read access in the short term. As far as
> security after the election, mount the servers in a Brinks truck or
> something, it just sounds like a ludicrous excuse.
>
> Something like: for each election the town government mails you a
> random number that's your key to vote that election. You go to a
> website and put in your town, name, SSN, and the key. If somebody
> steals the mail they won't have your SSN. If Russian hackers or
> whoever tries to impersonate you online they won't have the key. It's
> bringing those 2 pieces of information plus your name and town
> together that makes it secure. Just guessing. Did I overlook anything?
>
> --
> Credit is the root of all evil. - AB1JX
Re: Why on earth would online voting be insecure?
[Off-topic; sorry. It's important to remind people of this issue, but I won't follow up any further.]

This sort of security, no matter how well done, doesn't address one of the very important but often forgotten features of voting in person at a polling place: it makes it very difficult to buy or extort votes, since there's no way to reliably confirm how someone actually voted. With online (or by mail, etc) voting there's nothing to prevent someone from watching while a vote is cast.

Dave

On Mon, 14 Nov 2016, Alan Corey wrote:
> This sounds like heel-dragging to me, or they're trying to do it under
> Windows or something:
> https://www.washingtonpost.com/news/post-nation/wp/2016/05/17/more-than-30-states-offer-online-voting-but-experts-warn-it-isnt-secure/
>
> It seems simple to me, you use firewalls and only make the results
> writeable by the process that should be writing to it, probably
> nothing needs to have read access in the short term. As far as
> security after the election, mount the servers in a Brinks truck or
> something, it just sounds like a ludicrous excuse.
>
> Something like: for each election the town government mails you a
> random number that's your key to vote that election. You go to a
> website and put in your town, name, SSN, and the key. If somebody
> steals the mail they won't have your SSN. If Russian hackers or
> whoever tries to impersonate you online they won't have the key. It's
> bringing those 2 pieces of information plus your name and town
> together that makes it secure. Just guessing. Did I overlook anything?

--
Dave Anderson
Why on earth would online voting be insecure?
This sounds like heel-dragging to me, or they're trying to do it under Windows or something:
https://www.washingtonpost.com/news/post-nation/wp/2016/05/17/more-than-30-states-offer-online-voting-but-experts-warn-it-isnt-secure/

It seems simple to me, you use firewalls and only make the results writeable by the process that should be writing to it, probably nothing needs to have read access in the short term. As far as security after the election, mount the servers in a Brinks truck or something, it just sounds like a ludicrous excuse.

Something like: for each election the town government mails you a random number that's your key to vote that election. You go to a website and put in your town, name, SSN, and the key. If somebody steals the mail they won't have your SSN. If Russian hackers or whoever tries to impersonate you online they won't have the key. It's bringing those 2 pieces of information plus your name and town together that makes it secure. Just guessing. Did I overlook anything?

--
Credit is the root of all evil. - AB1JX