--- a/handouts/ho02.tex Tue Jan 05 01:37:31 2016 +0000
+++ b/handouts/ho02.tex Mon Jan 11 02:05:24 2016 +0000
@@ -50,8 +50,8 @@
opinion, but also shared by many security researchers amongst
them Alex Halderman, who is the world-expert on this subject
and from whose Coursera course on Securing Digital Democracy I
-have most of my information and inspiration. It is also a
-controversial topic in many countries:
+have most of my information and inspiration on this topic. It
+is also a controversial topic in many countries:
\begin{itemize}
\item The Netherlands between 1997--2006 had electronic voting
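Review bot: The reworded sentence in the added lines now repeats "topic" twice in a row ("information and inspiration on this topic. It is also a controversial topic in many countries"); dropping one occurrence reads better, e.g. "on this topic. It is also controversial in many countries:".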
@@ -62,21 +62,24 @@
\item Germany conducted pilot studies with e-voting, but in
2007 a law suit has reached the highest court and it
- rejected e-voting on the grounds of not being
- understandable by the general public.
+ rejected e-voting on the grounds of the mechanisms
+ behind it not being understandable to the general
+ public.
\item UK used optical scan voting systems in a few trail
polls, but to my knowledge does not use any e-voting in
elections.
-\item The US used mechanical machines since the 1930s, later punch
- cards, now DREs and optical scan voting machines. But there is a
- lot of evidence that DREs and optical scan voting machines are not
- as secure as they should be. Some states experimented with Internet
- voting, but all experiments have been security failures. One
- exceptional election happened just after hurrican Sandy in 2012 when
- some states allowed emergency electronic voting. Voters downloaded
- paper ballots and emailed them back to election officials.
+\item The US used mechanical machines since the 1930s, later
+ punch cards, now DREs and optical scan voting machines.
+ But there is a lot of evidence that DREs and optical
+ scan voting machines are not as secure as they should
+ be. Some states experimented with Internet voting, but
+ all experiments have been security failures. One
+ exceptional election happened just after hurrican Sandy
+ in 2012 when some states allowed emergency electronic
+ voting. Voters downloaded paper ballots and emailed them
+ back to election officials.
\item Estonia used since 2007 the Internet for national
elections. There were earlier pilot studies for voting
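Review bot: The rewrap of the US item carries over the typo "hurrican Sandy" (line "exceptional election happened just after hurrican Sandy"); since the line is being touched anyway, correct it to "hurricane Sandy". The unchanged context "trail polls" in the UK item should also be "trial polls" if that line is edited in a later pass.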
@@ -101,6 +104,25 @@
able to tally manually.
\end{itemize}
+\noindent If you are interested in the recent state of affairs
+of e-voting machinery, I recommend the talk Jeremy Epstein
+
+\begin{center}
+\url{https://www.usenix.org/sites/default/files/conference/protected-files/jets15_slides_epstein.pdf}
+\end{center}
+
+\noindent The abstract says:
+
+\begin{quote}\it
+In April 2015, the US Commonwealth of Virginia decertified the
+Advanced Voting Solutions (AVS) WinVote voting machine, after
+concluding that it was insecure. This talk presents the
+results of Virginia's analysis of the WinVote, and explores
+how we got to the point where a voting machine using an
+unpatched version of Windows XP from 2004, using hardwired WEP
+keys and administrator passwords, could be used for over a
+decade in most of Virginia.
+\end{quote}
The reason that e-voting is such a hard problem is that we
have requirements about the voting process that conflict with
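Review bot: The new lead-in "I recommend the talk Jeremy Epstein" is missing a preposition; it should read "I recommend the talk by Jeremy Epstein" (optionally followed by the talk's title, which the slides link alone does not convey). The block quote itself is fine as added.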
@@ -239,7 +261,7 @@
One interesting attack against completely anonymous paper
ballots is called \emph{chain vote attack}. It works if the
paper ballots are given out to each voter at the polling
-station. Then an attacker can give the prefilled ballot to a
+station. Then an attacker can give a prefilled ballot to a
voter. The voter uses this prefilled ballot to cast the vote,
and then returns the empty ballot paper back to the attacker who now
compensates the voter. The blank ballot can be reused for the
@@ -250,20 +272,22 @@
To sum up, the point is that paper ballots have evolved over some time
and no single best method has emerged for preventing fraud.
But the involved technology is well understood in order to
-provide good enough security with paper ballots.
+provide good enough security with paper ballots\ldots{}unless
+you lived in Florida at around 2000.
+
\subsection*{E-Voting}
If one is to replace paper ballots by some electronic
mechanism, one should always start from simple premise taken
-from an Australian white paper about e-voting:
+from an Australian government white paper about e-voting:
\begin{quote} \it ``Any electronic voting system should
provide at least the same security, privacy and transparency
as the system it replaces.''
\end{quote}
-\noindent Whenever people argue in favour of e-voting they
+\noindent Whenever people argue in favour of e-voting, they
seem to be ignoring this basic premise.\bigskip
\noindent After the debacle of the Florida presidential
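Review bot: The added ending "\ldots{}unless you lived in Florida at around 2000" stacks two prepositions; "around 2000" or "in 2000" is cleaner. In the unchanged context just below, "start from simple premise" lacks an article and should be "start from a simple premise" whenever that line is next touched.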
@@ -305,11 +329,12 @@
incompetence and the inferiority of their products by
requiring that election counties must not give the machines up
for independent review. They also kept their source code
-secret. This meant Halderman and his group had to obtain a
-machine not through the official channels. They then had to
-reverse engineer the source code in order to design their
-attack. What all this showed is that a shady security design
-is no match for a determined hacker.
+secret. This meant Halderman and his group could not obtain a
+machine through the official channels, but whoever could hope
+that revented them from obtaining a machine? Ok, they got one.
+They then had to reverse engineer the source code in order to
+design an attack. What all this showed is that a shady
+security design is no match for a determined hacker.
Apart from the obvious failings (for example no paper trail),
this story also told another side. While a paper ballot box
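Review bot: The added sentence "but whoever could hope that revented them from obtaining a machine?" contains a typo ("revented" for "prevented") and reads awkwardly; suggest "but who could hope that this would prevent them from obtaining a machine? OK, they got one." ("Ok" is normally written "OK" or "Okay" in prose.)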
@@ -328,8 +353,8 @@
shown that seals can easily be circumvented. The moral of this
story is that election officials were incentivised with money
by the central government to obtain new voting equipment and
-in the process fell prey to pariahs which sold them a
-substandard product. Diebold was not the only pariah in this
+in the process fell prey to pariahs which sold them
+substandard products. Diebold was not the only pariah in this
area, but one of the more notorious ones.\footnote{An e-voting
researcher recently made a connection between the VW-exhaust
scandal and e-voting: His argument is that it is very hard
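Review bot: The plural fix "pariahs which sold them substandard products" is an improvement, but "pariahs" refers to people or companies, so the relative pronoun should be "who" (or "that"): "fell prey to pariahs who sold them substandard products".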
@@ -367,18 +392,19 @@
\noindent This brings us to the case of Estonia, which held in
-2007 the worlds first general election that used the Internet.
-Again their solution made some good choices: for example voter
-authentication is done via the Estonian ID card, which
+2007 the World's first general election that used the
+Internet. Their solution made some good choices: for example
+voter authentication is done via the Estonian ID card, which
contains a chip like on credit cards. They also made most of
-their source code public for independent scrutiny. Of course
-this openness means that people (hackers) will look at your
-fingers and find code such as this snippet.
+their source code public for independent scrutiny---unlike
+pariah companies like Diebold. Of course this openness means
+that people (hackers) will look at your fingers and find code
+such as this snippet:
{\footnotesize\lstinputlisting[language=Python,numbers=none]
{../progs/estonia.py}}
-\noindent If you want to have a look at their code it can be
+\noindent If you want to have a look at their code, it can be
downloaded from their github
repository.\footnote{\url{https://github.com/vvk-ehk/evalimine/}}
Also their system is designed such that Internet voting is
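Review bot: The rewrap capitalises "the World's first general election"; "world's" should stay lowercase as in the original line. In the unchanged context, "their github repository" would conventionally be "GitHub repository" if that line is touched later.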
@@ -455,13 +481,14 @@
with your communication partner. We will look at
zero-knowledge-proofs in a later lecture in more detail.
-The point of these theoretical/hot-air musings is to show that
-such an e-voting procedure is far from convenient: it takes
-much more time to allow, for example, scrutinising whether the
-votes were cast correctly. Very likely it will also not pass
-the benchmark of being understandable to Joe Average. This was
-a standard, a high court ruled, that needs to be passed in the
-German election process.
+The point of these theoretical/hot-air musings like above is
+to show that such an e-voting procedure is far from
+convenient: it takes much more time to allow, for example,
+scrutinising whether the votes were cast correctly. Very
+likely it will also not pass the benchmark of being
+understandable to Joe Average. This was a standard, a high
+court ruled, that needs to be passed in the German election
+process, for example.
The overall conclusion is that an e-voting process involving
the Internet cannot be made secure with current technology.
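Review bot: The new phrase "theoretical/hot-air musings like above" is ungrammatical; "the theoretical/hot-air musings above" or "musings like the one above" is what is meant. The added "for example" at the end of the paragraph also duplicates the "for example" two sentences earlier; one of them can go.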
@@ -474,8 +501,8 @@
can be made reasonably secure and fraud-safe. That does not
mean there are no problems with online banking. But with
enough thought, they can usually be overcome with technology
-we have currently. This is different with e-voting: even the
-best have not come up with something workable yet.
+we have currently avialable. This is different with e-voting:
+even the best have not come up with something workable yet.
This conclusion does not imply that some special cases of
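Review bot: The rewrapped line introduces a typo, "technology we have currently avialable"; it should be "available". Alternatively keep the original wording "technology we have currently", which already said the same thing.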