Re: Why on earth would online voting be insecure?

[Rich Kulawiec]

On Mon, Nov 14, 2016 at 05:52:51PM -0500, Alan Corey wrote:
> It seems simple to me [...]

It seems simple because you haven't studied voting systems and their
requirements for privacy, security, integrity, reliability, etc.
You have also failed to consider that the privacy, security, integrity,
reliability, etc. problems that are now pervasive throughout computing
and Internet operations are antithetical to those.  In other words, the
things that voting systems need are just about exactly the things that
contemporary Internet computing environments lack.

I suggest if you're really interested in this issue that you start your
education here:

Douglas W. Jones on Voting and Elections
http://homepage.divms.uiowa.edu/~jones/voting/

That page has a large number of links to articles, reports, essays, papers,
etc. on these topics -- and to many sites which contain still more.  It's
an excellent jumping-off point for enquiry into many aspects of this
problem.  After you've read for a few months, I think you'll see that
the problem is anything but "simple".

---rsk

Re: Why on earth would online voting be insecure?

[Mihai Popescu]

| Is this an OpenBSD mailing list?

Yes, it is. The simple fact is that some peple cannot get an idea on a
subject. Two examples are security and randomization.
Something inside them tells them "you didn't get it" or " you almost
got it" and they want to show this is not true. Hence the venting on
misc@ for approval.

Re: Why on earth would online voting be insecure?

[Vivek Vinod]

‎Apologies for speaking out of turn. 

Is this an OpenBSD mailing list?

Vivek

Sent from my BlackBerry 10 smartphone.
  Original Message  
From: Joel Wirāmu Pauling
Sent: Tuesday 15 November 2016 20:46
To: gwes
Cc: misc@openbsd.org
Subject: Re: Why on earth would online voting be insecure?

On 15 November 2016 at 09:47, gwes <g...@oat.com> wrote:

> On 11/15/2016 00:55, Joel Wir��mu Pauling wrote:
>
>> So yes, back to my original point. A Civic's blockchain, one that does not
>> rely on the integrity (or rather is resilient to) the system it runs on,
>> or
>> the security of the transmission media ; as a platform for use in civic's
>> -
>> needs to exist first.
>>
>>
> Combining two systems entirely separate in concept, implementation,
> and space increases the probability of a correct answer. Three
> would be better. Using the electronic system as a supplement to
> the traditional one could be good as long as it does not compromise
> the virtues of the old system.
>
> The blockchain starts after the votes are entered. Two physically
> separate systems composed of entirely different CPUs and peripherals
> at the voting place would be good.
>
> You still haven't addressed the problems of privacy while casting
> the vote.
>
> I think that your concepts for the technical parts of the
> system are good. You haven't addressed some serious problems
> where your system can be subverted.
>
> Suggesting weekly votes is a very bad idea. Search science
> fiction, for instance, to see very plausible predictions
> of voter burnout.
>
> I think this is no longer a computer systems discussion.
>
> ���This. Once you start to think about the problem further in terms
of
distributing the ledger via a public blockchain - as the datastore and
mechanism for recording and verification, and that the blockchain exists
entirely independently of the systems it runs on you are at least in the
right place to start tackling this issue.

Re: Why on earth would online voting be insecure?

[Joel Wirāmu Pauling]

On 15 November 2016 at 09:47, gwes  wrote:

> On 11/15/2016 00:55, Joel Wirāmu Pauling wrote:
>
>> So yes, back to my original point. A Civic's blockchain, one that does not
>> rely on the integrity (or rather is resilient to) the system it runs on,
>> or
>> the security of the transmission media ; as a platform for use in civic's
>> -
>> needs to exist first.
>>
>>
> Combining two systems entirely separate in concept, implementation,
> and space increases the probability of a correct answer. Three
> would be better. Using the electronic system as a supplement to
> the traditional one could be good as long as it does not compromise
> the virtues of the old system.
>
> The blockchain starts after the votes are entered. Two physically
> separate systems composed of entirely different CPUs and peripherals
> at the voting place would be good.
>
> You still haven't addressed the problems of privacy while casting
> the vote.
>
> I think that your concepts for the technical parts of the
> system are good. You haven't addressed some serious problems
> where your system can be subverted.
>
> Suggesting weekly votes is a very bad idea. Search science
> fiction, for instance, to see very plausible predictions
> of voter burnout.
>
> I think this is no longer a computer systems discussion.
>
> ​This. Once you start to think about the problem further in terms of
distributing the ledger via a public blockchain - as the datastore and
mechanism for recording and verification, and that the blockchain exists
entirely independently of the systems it runs on you are at least in the
right place to start tackling this issue.

Re: Why on earth would online voting be insecure?

[gwes]

On 11/15/2016 00:55, Joel Wirāmu Pauling wrote:

So yes, back to my original point. A Civic's blockchain, one that does not
rely on the integrity (or rather is resilient to) the system it runs on, or
the security of the transmission media ; as a platform for use in civic's -
needs to exist first.



Combining two systems entirely separate in concept, implementation,
and space increases the probability of a correct answer. Three
would be better. Using the electronic system as a supplement to
the traditional one could be good as long as it does not compromise
the virtues of the old system.

The blockchain starts after the votes are entered. Two physically
separate systems composed of entirely different CPUs and peripherals
at the voting place would be good.

You still haven't addressed the problems of privacy while casting
the vote.

I think that your concepts for the technical parts of the
system are good. You haven't addressed some serious problems
where your system can be subverted.

Suggesting weekly votes is a very bad idea. Search science
fiction, for instance, to see very plausible predictions
of voter burnout.

I think this is no longer a computer systems discussion.

Geoff Steckel

Re: Why on earth would online voting be insecure?

[Joel Wirāmu Pauling]

So yes, back to my original point. A Civic's blockchain, one that does not
rely on the integrity (or rather is resilient to) the system it runs on, or
the security of the transmission media ; as a platform for use in civic's -
needs to exist first.

Block-chains are relatively new and we are still discovering properties and
flaws in them, but I think if you view them as data-structure and as being
useful for certain things, they potentially mitigate a lot of traditional
security concerns. But we are a long way away from having them adopted as
an everyday tool. I've been on the NZ government panel on on-line voting,
and submitted a submission to the Canada electoral commission whilst living
here. Unfortunately people view on-line voting and make the false
comparison to banks "Well if some SSL secured website cluster, backed by
some $sql database, in some $secure data centre is good enough for banks
..." falacy all the time.

The problem is a bank is a centralised system, they have legal
responsibilities and make calculated risk assessments and have insurance
coverage. You have a one to one relationship with them and have choice
(arguably) over choosing them or not. The trust relationship is between you
and your bank, that's it. The bank is responsible for liability to third
parties not you.

Civics engagement by necessity needs to be verifiable, independent and
distributed, not reliant on central systems where you trust some entity to
negotiate on your behalf.

It is a lot more nuanced that it appears at first glance.

Would I design a voting station to run on OpenBSD ... sure... but I would
also design it to work on /Linux, Windows or an Abacus.

The paper comparison is a good one, block-chains provide a ledger
verifiable by hand (yes with some hard math, but doable) but unlike paper
can't be lost, or tampered with (the court is still out on exactly the best
ways to implement this is...) and don't care how much they get graphetti'd
on during passing around. You can also check your vote went to where you
wanted it to go.

Talking about traditional Databases, and Application system designs is
simply the wrong mindset.

On 15 November 2016 at 00:03, gwes  wrote:

> On 11/14/2016 22:19, Alan Corey wrote:
>
>> OK, it's relevant to OpenBSD because I wouldn't consider anything else
>> safe enough to run on the servers.  Not that I'm in a position to do
>> any of it.  The servers could even be run from custom official live
>> CDs so they were harder to tamper with, with maybe a RAM drive for
>> speed.
>>
>> There seems to be a conflict between having anonymous votes and having
>> something similar to paper ballots that can be recounted.  So let
>> authentication, identification, etc. be handled by one machine and
>> stored in one database then the transaction is handed over to another
>> machine which stores the votes.  That could be something simple like a
>> tab-delimited file which could be counted by hand, one line per voter.
>> The file could be only writeable by the owner. The same person can't
>> vote twice because the first machine wouldn't allow them in a second
>> time.
>>
>>
> How do you know if the voter is under duress or being watched?
>
> Paper can last two thousand years. It's pretty easy to make
> paper that can't be duplicated in any useful quantity.
> Functionally indelible ink, too.
>
> Using machines to assist voting is a good thing.
> Physical objects are much more convincing and easier to secure.
>
> Oh yes -- the magic ghost Intel has put in every processor
> for years. With a secret key -- security by obscurity.
> Disk drives can be secretly reprogrammed. Network interfaces
> have microcode, too. The memory system is also vulnerable
> to secret tampering. All of these are back doors which are
> or could be in place.
>
> Securing the system is far harder than securing a program
> or group of programs.
>
> Geoff Steckel

Re: Why on earth would online voting be insecure?

[gwes]

On 11/14/2016 22:19, Alan Corey wrote:

OK, it's relevant to OpenBSD because I wouldn't consider anything else
safe enough to run on the servers.  Not that I'm in a position to do
any of it.  The servers could even be run from custom official live
CDs so they were harder to tamper with, with maybe a RAM drive for
speed.

There seems to be a conflict between having anonymous votes and having
something similar to paper ballots that can be recounted.  So let
authentication, identification, etc. be handled by one machine and
stored in one database then the transaction is handed over to another
machine which stores the votes.  That could be something simple like a
tab-delimited file which could be counted by hand, one line per voter.
The file could be only writeable by the owner. The same person can't
vote twice because the first machine wouldn't allow them in a second
time.



How do you know if the voter is under duress or being watched?

Paper can last two thousand years. It's pretty easy to make
paper that can't be duplicated in any useful quantity.
Functionally indelible ink, too.

Using machines to assist voting is a good thing.
Physical objects are much more convincing and easier to secure.

Oh yes -- the magic ghost Intel has put in every processor
for years. With a secret key -- security by obscurity.
Disk drives can be secretly reprogrammed. Network interfaces
have microcode, too. The memory system is also vulnerable
to secret tampering. All of these are back doors which are
or could be in place.

Securing the system is far harder than securing a program
or group of programs.

Geoff Steckel

Re: Why on earth would online voting be insecure?

[Alan Corey]

OK, it's relevant to OpenBSD because I wouldn't consider anything else
safe enough to run on the servers.  Not that I'm in a position to do
any of it.  The servers could even be run from custom official live
CDs so they were harder to tamper with, with maybe a RAM drive for
speed.

There seems to be a conflict between having anonymous votes and having
something similar to paper ballots that can be recounted.  So let
authentication, identification, etc. be handled by one machine and
stored in one database then the transaction is handed over to another
machine which stores the votes.  That could be something simple like a
tab-delimited file which could be counted by hand, one line per voter.
The file could be only writeable by the owner. The same person can't
vote twice because the first machine wouldn't allow them in a second
time.

I'm assuming there's physical security over the server room, if that
was compromised all bets are off.  When I last voted I verbally
identified myself to one person who handed me my ballot, which I
checked off in pencil, then identified myself to another worker who
cranked my ballot into a simple counting machine about 40 years old.
Yes, if one person got access to the files in seclusion they could
alter something assuming they were root, that would have to be as
impossible as erasing the pencil marks on the ballots and changing
them.  I assume there are always multiple scrupulous workers present.

It doesn't have to be an SSN, a driver's license number would work as
well.  Some long number known mostly only to the voter and to the
government which doesn't arrive by the same mailing as the key the
town sends  Somewhat analogous to a public key, with the private key
being the number the town mails each voter for each election.

Laziness isn't the only reason to do this, I would hope to expand it
to maybe a weekly vote on things that are put to the House and Senate
so there's direct input from voters instead of only electing people
who do their voting.  There probably wouldn't be a lot of interest but
being able to provide feedback to elected representatives could be
useful, conversely there would be statistics on what percentage of the
time they voted as the public wanted.

Instead of voting with a web browser, there might be some security to
be gained by using a dedicated client.  Or voting from something like
an Android phone (I have no experience with IOS).  Android security
seems almost excessive.  Incorporating the phone numbers on each end
could be useful although not to be trusted as identification by
itself.  An app could connect to a phone number and load a ballot,
fill it out offline, then dial another number to submit it in
milliseconds which lessens the load on the server.  For that matter
you could produce live CDs to be booted and used only for voting, any
operating system you want.

I think bouncing ideas off a community of knowledgeable computer
hobbyists and professionals is a useful thing to do.  I became an
OpenBSD user about 2001 because I inherited a Linux box at my job that
had been root kitted and I needed something more secure, it's still my
first choice.  I later firewalled the entire office through another
OpenBSD box, it worked very well.  So yes, security in academia where
student records were concerned, we had thousands of transcripts.
-- 
Credit is the root of all evil.  - AB1JX

Re: Why on earth would online voting be insecure?

[Philip Guenther]

On Mon, Nov 14, 2016 at 2:52 PM, Alan Corey  wrote:
> This sounds like heel-dragging to me, or they're trying to do it under
> Windows or something:
> https://www.washingtonpost.com/news/post-nation/wp/2016/05/17/more-than-30-states-offer-online-voting-but-experts-warn-it-isnt-secure/
>
> It seems simple to me, you use firewalls and only make the results


https://twitter.com/mattblaze/status/788800648942944258

Re: Why on earth would online voting be insecure?

[Joel Wirāmu Pauling]

You need a civic blockchain or some-such that guarantee's data integrity
and agnosticism of the platform that anyone can verify.

The interface into / mechanics once you have a blockchain which you can
issue tokens from is the simple bit.

Not sure this is relevant for this list tho.

-Joel

On 14 November 2016 at 17:52, Alan Corey  wrote:

> This sounds like heel-dragging to me, or they're trying to do it under
> Windows or something:
> https://www.washingtonpost.com/news/post-nation/wp/2016/
> 05/17/more-than-30-states-offer-online-voting-but-
> experts-warn-it-isnt-secure/
>
> It seems simple to me, you use firewalls and only make the results
> writeable by the process that should be writing to it, probably
> nothing needs to have read access in the short term.  As far as
> security after the election, mount the servers in a Brinks truck or
> something, it just sounds like a ludicrous excuse.
>
> Something like: for each election the town government mails you a
> random number that's your key to vote that election. You go to a
> website and put in your town, name, SSN, and the key. If somebody
> steals the mail they won't have your SSN. If Russian hackers or
> whoever tries to impersonate you online they won't have the key. It's
> bringing those 2 pieces of information plus your name and town
> together that makes it secure. Just guessing. Did I overlook anything?
>
> --
> Credit is the root of all evil.  - AB1JX

Re: Why on earth would online voting be insecure?

[Dave Anderson]

[Off-topic; sorry. It's important to remind people of this issue, but I 
won't follow up any further.]


This sort of security, no matter how well done, doesn't address one of 
the very important but often forgotten features of voting in person at a 
polling place: it makes it very difficult to buy or extort votes, since 
there's no way to reliably confirm how someone actually voted. With 
online (or by mail, etc) voting there's nothing to prevent someone from 
watching while a vote is cast.


Dave

On Mon, 14 Nov 2016, Alan Corey wrote:


This sounds like heel-dragging to me, or they're trying to do it under
Windows or something:
https://www.washingtonpost.com/news/post-nation/wp/2016/05/17/more-than-30-states-offer-online-voting-but-experts-warn-it-isnt-secure/

It seems simple to me, you use firewalls and only make the results
writeable by the process that should be writing to it, probably
nothing needs to have read access in the short term.  As far as
security after the election, mount the servers in a Brinks truck or
something, it just sounds like a ludicrous excuse.

Something like: for each election the town government mails you a
random number that's your key to vote that election. You go to a
website and put in your town, name, SSN, and the key. If somebody
steals the mail they won't have your SSN. If Russian hackers or
whoever tries to impersonate you online they won't have the key. It's
bringing those 2 pieces of information plus your name and town
together that makes it secure. Just guessing. Did I overlook anything?


--
Dave Anderson

Why on earth would online voting be insecure?

[Alan Corey]

This sounds like heel-dragging to me, or they're trying to do it under
Windows or something:
https://www.washingtonpost.com/news/post-nation/wp/2016/05/17/more-than-30-states-offer-online-voting-but-experts-warn-it-isnt-secure/

It seems simple to me, you use firewalls and only make the results
writeable by the process that should be writing to it, probably
nothing needs to have read access in the short term.  As far as
security after the election, mount the servers in a Brinks truck or
something, it just sounds like a ludicrous excuse.

Something like: for each election the town government mails you a
random number that's your key to vote that election. You go to a
website and put in your town, name, SSN, and the key. If somebody
steals the mail they won't have your SSN. If Russian hackers or
whoever tries to impersonate you online they won't have the key. It's
bringing those 2 pieces of information plus your name and town
together that makes it secure. Just guessing. Did I overlook anything?

-- 
Credit is the root of all evil.  - AB1JX