--- a/handouts/ho02.tex Fri Oct 03 06:17:25 2014 +0100
+++ b/handouts/ho02.tex Fri Oct 03 13:14:34 2014 +0100
@@ -229,7 +229,87 @@
\end{quote}
\noindent Whenever people argue in favour of e-voting they
-seem to be ignore this basic premise.
+seem to be ignore this basic premise.\bigskip
+
+\noindent After the debacle of the Florida presidential
+election in 2000, many counties used Direct-Recording
+Electronic voting machines (DREs) or optical scan machines.
+One popular model of DRE was sold by the company called
+Diebold. In hindsight they were a complete disaster: the
+products were inferior and the company incompetent. Direct
+recording meant that there was no paper trail, the votes were
+directly recorded on memory cards. Thus the voters had no
+visible assurance whether the votes were correctly cast. The
+machines behind these DREs were ``normal'' windows computers,
+which could be used for anything, for example for changing
+votes. Why did nobody at Diebold think of that? That this was
+eventually done undetectably is the result of the
+determination of ethical hackers like Alex Halderman. His
+group thoroughly hacked them showing that election fraud is
+easily possible. They managed to write a virus that infected
+the whole system by having only access to a single machine.
+
+What made matters worse was that Diebold tried to hide their
+incompetency and inferiority of their products, by requiring
+that election counties must not give the machines up for
+independent review. They also kept their source secret.
+This meant Halderman and his group had to obatain a machine
+not in the official channels. Then they had to reverse
+engineer the source code in order to design their attack.
+What this all showed is that a shady security design is no
+match to a determined hacker.
+
+Apart from the obvious failings (for example no papertrail),
+this story also told another side. While a paper ballot box
+need to be kept secure from the beginning of the election
+(when it needs to be ensured it is empty) until the end of the
+day, electronic voting machines need to be kept secure the
+whole year. The reason is of course one cannot see whether
+somebody has tampered with the program a computer is running.
+Such a 24/7 security costly and often even even impossible,
+because voting machines need to be distributed usually the day
+before to the polling station. These are often schools where
+the voting machines are kept unsecured overnight. The obvious
+solution of putting seals on computers also does not work: in
+the process of getting these DREs discredited (involving court
+cases) it was shown that seals can easily be circumvented. The
+moral of this story is that election officials were
+incentivised with money by the central government to obtain
+new voting equipment and in the process fell prey to pariahs
+which sold them a substandard product. Diebold was not the
+only pariah in this project, but one of the more notorious
+one.
+
+Optical scan machines are slightly better from a security
+point of view but by no means good enough. Their main idea
+is that the voter fills out a paper ballot, which is then
+scanned by a machine. At the very least the paper ballot can
+serve as a paper trail in cases an election result needs to
+be recounted. But if one takes the paper ballots as the
+version that counts in the end, thereby using the optical
+scan machine only as a device to obtain quickly preliminary
+results, then why not sticking with paper ballots in the
+first place?\bigskip
+
+\noindent An interesting solution for e-voting was designed in
+India. Essentially they designed a bespoke voting device,
+which could not be used for anything else. Having a bespoke
+device is a good security engineering decision because it
+makes the attack surface smaller. If you have a fullfledged
+computer behind your system, then you can do everything a
+computer can do\ldots{}that is a lot, including a lot of
+abuse. What was bad that these machines did not have the
+important paper trail: that means if an election was tampered
+with, nobody would find out. Even if they had by their bespoke
+design a very small attack surface, ethical hackers were still
+able to tamper with them. The moral with Indian's voting
+machines is that even if very good security design decisions
+are taken, e-voting is very hard to get right.\bigskip
+
+
+\noindent This brings us to the case of Estonia, which held in
+2007 the worlds first general election that used Internet.
+Again their solution made some good choices:
%\subsubsection*{Questions}
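Review bot: the hunk ends on a dangling colon, "Again their solution made some good choices:", with nothing following before the commented-out Questions heading, so the Estonia paragraph stops mid-thought; either add the list of choices in this change or close the sentence so the handout builds cleanly in the meantime. The one unchanged line that is touched, "seem to be ignore this basic premise.\bigskip", keeps a pre-existing grammar error (should be "seem to ignore") and this is the moment to fix it. Several further slips in the new text need attention: "obatain", "Such a 24/7 security costly and often even even impossible" (missing "is", doubled "even"), "fullfledged", "why not sticking with paper ballots", "What was bad that these machines", "Indian's voting machines", and "the worlds first general election that used Internet". Word choice: "pariahs" means outcasts, which is not what is meant about vendors selling substandard equipment; something like "charlatans" reads as intended. The sentence "That this was eventually done undetectably is the result of the determination of ethical hackers" is ambiguous, since it can be read as saying fraud was actually committed; the surrounding text only claims that Halderman's group showed it was possible, so say that directly.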