Re: 2008: The year of hack the vote?
Well, for all of you who want to prove that hacking the vote is easy, here's your chance to do something:

http://apnews.myway.com/article/20080121/D8UA8VGG0.html

[ ObDebate: is a winner-take-all state more or less attractive to vote hacking? ]

--dan

- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: 2008: The year of hack the vote?
Dan wrote:
> Let's not do this or we'll have to talk about JF Kennedy
> who, at least, bought his votes with real money.

That's because Democrats had become more professional, and the tradition of buying votes with whiskey only works for the retail level, not wholesale.

Dan also wrote:
> May I point out that if voting systems have a level of flaw that says only an idiot would use them, then how can you explain electronic commerce, FaceBook, or gambling sites? More people use just those three than will *ever* vote.

The primary threats of electronic voting machines aren't to the individual voter, who can slightly increase the chances of getting his/her vote counted accurately by insisting on paper ballots, but to the aggregate vote count, which can be hacked if the precinct has _any_ electronic machines.

The big problem in Ohio appears to have been Denial of Service - not that there weren't lots of other problems, but electronic voting systems have sufficient complexity that an elections department can arrange to have enough missing parts or supplies or passwords or powercords or whatever in demographically appropriate precincts so that the results get skewed even without Other Technical Means. Some of the black inner-city precincts had two-hour lines (on a rainy day), while white Republican-leaning precincts had all the equipment they needed.

(Also, if you're saying "only an idiot would use it" and ask how gambling sites exist, the answer is that only idiots gamble... As Ed Gerck pointed out, risk in e-commerce can be managed and amortized into the price, but that doesn't work for voting.)
Re: 2008: The year of hack the vote?
Jack Lloyd wrote:
> The only reason this 'must' be true is because an anonymous and secure
> payment system is a terror which thankfully our federal governments
> and central banks protect us from. While Amazon and others obviously
> like being able to build customer profiles of everyone, I don't doubt
> that they would be perfectly willing to accept an anonymous payment as
> long as the money is good (and, of course, that the transaction costs
> are no more than a credit card and/or the order flow is sufficient
> that it is worth building support for it).

in the mid-90s, the x9a10 financial standard working group had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments ... which resulted in the x9.59 standard
http://www.garlic.com/~lynn/x959.html#x959

in the same timeframe, the EU (in conjunction with eu-dpd) made statements that electronic payments at point-of-sale should be as anonymous as cash. this was interpreted as meaning that names should be removed from payment cards (plastic and magstripe). the contention was that (because of poor authentication) retail outlets could cross-check names on the cards against some other form of "ID". the implication that removing names might help promote other integrity measures.

in the x9.59 standard, we claimed that the improved integrity allowed meeting the EU-DPD objectives. We also claimed that x9.59 was privacy agnostic i.e. it allowed for privacy.

The "ALL" requirement given to the x9a10 financial standard working group met internet, face-to-face, point-of-sale, electronic commerce. It also met debit, credit, ACH, as well as stored-value cards ... aka the same X9.59 was applicable to *ALL*.

In the debit/credit scenario some countries have "know your customer" mandates associating account numbers with individuals ... which we claimed was outside the x9.59 standard.
Supposedly with appropriate regulated access to information, govs can obtain information associating account activity with individuals.

However, the very same x9.59 standard also works with stored-value/gift cards ... which doesn't have similar "know your customer" mandates.
http://www.garlic.com/~lynn/subpubkey.html#privacy

And in fact, most stored-value/gift cards share a lot of the same exact processing with the debit/credit processing ... the addition of x9.59 could provide for the exactly same level of integrity thruout debit, credit, and stored-value/gift processing.

for other drift, in the mid-90s ... there were some of the other payment efforts specifically for the internet which had so much payload and processing bloat that it made it impractical past the toy demo stage
http://www.garlic.com/~lynn/subpubkey.html#bloat

related recent post on infrastructure provisioning and bloat of toy demos:
http://www.garlic.com/~lynn/2007v.html#64 folklore indeed

about the same time, there were completely different chip card oriented efforts for point-of-sale. one of the scenarios of some of the chipcard pilot projects in the late 90s and early part of this century was that they managed to increase the vulnerabilities (magstripe vis-a-vis chipcards)
http://www.garlic.com/~lynn/subintegrity.html#yescard

the common excuse from the period, was that chips cost so much that it wasn't possible to afford integrity that actually improved over magstripe. The other possible observation was that some of the chipcard efforts were so chip myopic ... that they couldn't realize that they were actually making it worse for the overall infrastructure.

A big issue for merchants isn't anonymous payments ... it is cost of doing business. This has been in the news quite a bit recently in the form of interchange fees ...
recent posts
http://www.garlic.com/~lynn/2007v.html#62 folklore indeed

the other area is in the liability related to breaches (and/or the costs of countermeasures to breaches).

i've mentioned before that we had been called in to consult with small client/server startup that wanted to do payments on their server. They had this technology they called SSL and it is frequently now referred to as electronic commerce
http://www.garlic.com/~lynn/subnetwork.html#gateway

and then we got dragged into involved with the x9a10 financial standard. as part of attempting to meet the requirement to preserve the integrity of the financial infrastructure for all retail payments ... we did some detailed threat and vulnerability analysis. A big item that came out were infrastructure vulnerabilities ... breaches, skimming, harvesting, eavesdropping, ... a whole slew of things.

we identified that much of the vulnerability could be attributed to the account number and transaction information has diametrically opposing requirements ... 1) it has to be readily available for large number of different business processes and 2) since the crooks can use the same information for various kinds of essentially replay attacks ... the information has to be kept confidential an
Re: 2008: The year of hack the vote?
On Wed, Dec 26, 2007 at 09:57:52AM -0800, Ed Gerck wrote:
> In e-commerce there must be no privacy, the merchant must know who I am, my
> credit card must be valid.

The only reason this 'must' be true is because an anonymous and secure payment system is a terror which thankfully our federal governments and central banks protect us from. While Amazon and others obviously like being able to build customer profiles of everyone, I don't doubt that they would be perfectly willing to accept an anonymous payment as long as the money is good (and, of course, that the transaction costs are no more than a credit card and/or the order flow is sufficient that it is worth building support for it).

Jack
Re: 2008: The year of hack the vote?
On Wed, Dec 26, 2007 at 04:34:55PM -0500, [EMAIL PROTECTED] wrote:
| Quoting my friend Marcus Ranum, the Internet
| will remain as insecure as it can and still
| apparently function. Why should voting be
| different?

Voting is different (by which I mean worse) because the requirements are hard. Should voters and ballots be identified? Should you be required to show up in person? What about confirmability? How important is that versus usability?

Electronic commerce, by comparison, is a walk in the park.

Adam
Re: 2008: The year of hack the vote?
Kevin Kretz writes:
| [EMAIL PROTECTED] wrote:
| > More people use just those three
| > than will *ever* vote.
| More people under 40, certainly. But in '04 there were 36 million
| people over 65, most of whom are eligible to vote. You know a lot of
| 70-year old e-gamblers or FaceBook members?

I don't but my many over-70 relatives all have some sort of e-mail now, many from AOL where we know from history the price of buying the AOL screennames in bulk from an insider was at the rate of $0.001/name.

Quoting my friend Marcus Ranum, the Internet will remain as insecure as it can and still apparently function. Why should voting be different?

We are approaching a rat hole...

--dan
Re: 2008: The year of hack the vote?
[EMAIL PROTECTED] wrote:
> More people use just those three than will *ever* vote.

More people under 40, certainly. But in '04 there were 36 million people over 65, most of whom are eligible to vote. You know a lot of 70-year old e-gamblers or FaceBook members?
Re: 2008: The year of hack the vote?
The usual excuse, Dan: ignorance.

Those of us who know how companies maintain the security of their systems minimize the use of, or eschew, such sites. We also always ask for an Absentee (paper) ballot in places where electronic voting is the only choice at the polling booth.

Arshad Noor
StrongAuth, Inc.

[EMAIL PROTECTED] wrote:
> May I point out that if voting systems have a level of flaw that says only an idiot would use them, then how can you explain electronic commerce, FaceBook, or gambling sites? More people use just those three than will *ever* vote.
>
> --dan
Re: 2008: The year of hack the vote?
[EMAIL PROTECTED] wrote:
> May I point out that if voting systems have a level of flaw that says only an idiot would use them, then how can you explain electronic commerce, FaceBook, or gambling sites? More people use just those three than will *ever* vote.

The answer is NO, and that is so because it's different. In elections, you must have a "Chinese wall" between the voter and the ballot. If I get the vote I don't know who the voter is, if I get the voter I don't know what the vote is.

And that doesn't happen in e-commerce. In e-commerce I have a traceable credit card. I have a traceable name, I have an address for delivery. Anything that's bought must be delivered. I have a pattern of buying, if you go to Amazon.com, they will suggest the next book to you if you want, based on what you bought. They may know a lot more about you than you think they know.

And so there is a basic difference between e-commerce and Internet voting, which must not be ignored, otherwise ignorance is bliss, we don't see it. In e-commerce there must be no privacy, the merchant must know who I am, my credit card must be valid. There are laws against [fraud in] this. So there is a basic divide here, which you need to take into account.

There is a paradigm shift, there is a very strong technological point which those on the political side don't see, because that's natural. And there is a very strong political side that us, on the technological side don't see. For us, yes, voter participation is very good, or don't we all care if voter participation may decrease?

So the point that I wanted to make is that it [Internet voting] is not as easy [as in e-commerce], because it's a fundamentally different problem. The solution is not the same, what we have today [for e-commerce] does not transpose, and the solution, the final comment, the solution that we have today for e-commerce is not cryptography, is insurance, for 20 percent of fraud that is the Internet fraud in credit cards.
And how is that paid? By us, cardholders, we socialize the cost. Imagine telling, yes, you were elected president, but you know, there was a fraud, here is our insurance policy. You collect your million dollars, next time play again. You know, we cannot socialize fraud in elections. We cannot accept 20 percent of fraud paid for by insurance, which is what happens today. We did solve the e-commerce security problem, by putting in insurance. We can not solve it that way [for elections].

(from my Brookings Symposium comment, Washington, DC, January 2000).

Cheers,
Ed Gerck
Re: 2008: The year of hack the vote?
John Denker writes:
|
| There is every reason to believe that the 2000 presidential
| election was stolen. A fair/honest/lawful election would
| have made Al Gore the 43rd president.
|

Let's not do this or we'll have to talk about JF Kennedy who, at least, bought his votes with real money.

--dan
Re: 2008: The year of hack the vote?
May I point out that if voting systems have a level of flaw that says only an idiot would use them, then how can you explain electronic commerce, FaceBook, or gambling sites? More people use just those three than will *ever* vote.

--dan
Re: 2008: The year of hack the vote?
On 12/23/2007 08:24 PM, ' =JeffH ' wrote:
> 2008: The year of hack the vote?

Shouldn't that be:
2008: Another year of hack the vote yet again?
..^^^...^

There is every reason to believe that the 2000 presidential election was stolen. A fair/honest/lawful election would have made Al Gore the 43rd president.

There is every reason to believe the situation was even worse in 2004. If the election had been fair/honest/lawful Kerry would have won by a wide margin. Flipping Ohio's 20 electoral votes would have been sufficient all by itself to flip the election from Kerry to Bush ... and there is plenty of evidence of widespread fraud in Ohio. See e.g. the Conyers report,
http://www.nvri.org/about/ohio_conyers_report_010505.pdf

And Ohio was only the tip of the iceberg; there was large-scale hanky-panky in Florida and many other states.

I like the book by Prof. Steven F. Freeman & Joel Bleifuss, _Was the 2004 Presidential Election Stolen_? Most of the crucial information can also be found on Freeman's web site
http://www.appliedresearch.us/sf/epdiscrep.htm
but the book is much better organized and easier to read. The book is dispassionate, scrupulous, and scientific ... which is something you don't often see, especially in the political sphere.

Another book is by Mark Crispin Miller, _Fooled Again_ which is more passionate and less technical. It takes a broader view of the subject, and is far easier to read, especially for readers who are not well-versed in statistics.
2008: The year of hack the vote?
2008: The year of hack the vote?
http://blogs.zdnet.com/security/?p=753

December 17th, 2007
Posted by Larry Dignan @ 2:12 am

The state of Ohio has released a comprehensive study of voting machine security and the report will have you longing for paper.

A 334-page PDF report http://www.sos.state.oh.us/sos/info/EVEREST/14-AcademicFinalEVERESTReport.pdf from the Ohio Secretary of State reveals insufficient security, poor implementation of security technology, lax auditing and shoddy software maintenance. The report, which covers voting systems from Election Systems and Software (ES&S), Hart InterCivic and Premier Election Solutions formerly known as Diebold, was conducted by Ohio’s EVEREST (Evaluation and Validation of Election-Related Equipment, Standards and Testing) initiative in conjunction with research teams from Penn State, University of Pennsylvania and WebWise Security.

The EVEREST report was released Dec. 7 and I found it via Slashdot. Overall, the report really raises questions about election systems. Buffer overflows, leaky encryption, audit problems and firmware issues abound. One machine, the M100, from ES&S accepts counterfeit ballots. The Premier AV-TSX allows an unauthenticated user to read or tamper with its memory. The Hart EMS has audit logs that can be erased. In fact, the first 17 pages of the report–essentially the table of contents–is an indictment of these systems.

To make matters worse, these machines don’t run constantly. That means malicious software could be planted and not turn up until election time. These machines aren’t patched regularly either.
The report is too massive to detail completely here, but at a high level here are the takeaways from the EVEREST report:

* Systems uniformly stunk at security and “failed to adequately address important threats against election data and processes.”
* A root cause of these security failures was “pervasive mis-application of security technology.” Standard practices for cryptography, key and password management and security hardware go ignored.
* Auditing capabilities are a no show. “In all systems, the logs of election practices were commonly forgeable or erasable by the principals who they were intended to be monitoring.” Translation: If there’s an attack the lack of auditing means you can’t isolate or recover from the problem.
* Software maintenance practices “of the studied systems are deeply flawed.” The EVEREST report calls the election software “fragile.”

Why would these machines be so enticing as a target? You could swing an entire election, produce incorrect results, block groups of voters, cast doubt on an election or delay results.

And it may not take a brain surgeon to alter these systems. The EVEREST teams reported that they were able to subvert every voting system and not be detected “within a few weeks.” Meanwhile, the EVEREST teams found the issues with only limited access since vendors weren’t exactly cooperative (Section 2.4 of the PDF has the details). The researchers say:

Any argument that suggests that the attacker will somehow be less capable or knowledgeable than the reviewer teams, or that they will not be able to reverse engineer the systems to expose security flaws is not grounded in fact.

As for the attackers, EVEREST ranks the following folks in ascending order of capabilities:

* Outsiders have no special access to voting equipment, but could affect equipment to an extent that it is connected to the Internet. All of the systems reviewed run Microsoft Windows and occasionally connect to the Internet. In addition, an attacker could create a counterfeit upgrade disk and mail it to install malware.
* Voters have limited and partially supervised access to voting systems while casting a vote.
* Poll workers have extensive access to polling place equipment, management terminals before, during and after voting. They can authorize who votes and who doesn’t and opportunities to tamper with equipment abound.
* Election officials have extensive access to back-end election systems and voting equipment. Access is only loosely supervised if at all. One possibility: Bad software prompts election officials to “correct” results.
* Vendor employees have access to the hardware and source code of system during development. Employees may also be on site to assist workers and election officials. “Some vendors use third-party maintenance and election day support whose employees are not tightly regulated,” according to EVEREST.

Add it up and any hack the vote opportunities will most likely be an inside job of some sort. The attacks may or may not be detectable.

--- end