handouts/ho02.tex
changeset 227 7807863c4196
parent 199 20af800ce736
child 276 d7109c6e721d
--- a/handouts/ho02.tex	Tue Oct 07 12:48:07 2014 +0100
+++ b/handouts/ho02.tex	Thu Oct 09 14:41:36 2014 +0100
@@ -10,7 +10,7 @@
 phenomena: for example I am happy (more or less) to use online
 banking every day, where if something goes wrong, I can
 potentially lose a lot of money, but I am staunchly against
-using electronic voting (lets call it e-voting for short).
+using electronic voting (let's call it e-voting for short).
 E-voting is an idea that is nowadays often promoted in order
 to counter low turnouts in elections\footnote{In my last local
 election where I was eligible to vote only 48\% of the
@@ -35,8 +35,8 @@
 unsolvable with current technology. This is not just my
 opinion, but also shared by many security researchers amongst
 them Alex Halderman, who is the world-expert on this subject
-and from whose course on Securing Digital Democracy I have
-most of my information and inspiration. It is also a
+and from whose Coursera course on Securing Digital Democracy I
+have most of my information and inspiration. It is also a
 controversial topic in many countries:
 
 \begin{itemize}
@@ -56,6 +56,9 @@
       
 \item The US used mechanical machines since the 1930s, later
       punch cards, now DREs and optical scan voting machines.
+      But there is a lot of evidence that DREs and optical 
+      scan voting machines are not as secure as they should
+      be.
 
 \item Estonia used since 2007 the Internet for national
       elections. There were earlier pilot studies for voting
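Review bot: the new sentence "But there is a lot of evidence that DREs and optical scan voting machines are not as secure as they should be." asserts evidence without giving any; add a citation or at least a forward reference to the Diebold/Halderman discussion later in the handout so the claim does not hang unsupported inside the country list. The first added line also ends in trailing whitespace ("optical ").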
@@ -89,13 +92,13 @@
         what should be ensured is that the error rate does not
         change the outcome of the election. Of course if
         elections continue to be on knives edges we need to
-        ensure that we have a rather small error rate. 
+        strive for rather small error rates. 
           
   \item There might be gigantic sums at stake and need to be
         defended against. The problem with this is that if
         the incentives are great and enough resources are
         available, then maybe it is feasible to mount a DoS
-        attack against voting server and by bringing the
+        attack against the voting server and by bringing the
         system to its knees, change the outcome of an
         election. Not to mention to hack the complete
         system with malware and change votes undetectably.                
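Review bot: "strive for rather small error rates." still carries trailing whitespace, and the unchanged context just above has "on knives edges", which should read "on a knife's edge". The next item's opening "There might be gigantic sums at stake and need to be defended against" is also missing its subject; "at stake, which need to be defended against" fixes it.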
@@ -132,7 +135,7 @@
         one reason or another just do not have driving
         licenses. They are now excluded. Also if you insist on
         paper ballots you have to have special provisions for
-        blind people. Otherwise they cannot vote.
+        blind people. Otherwise they too cannot vote.
  \end{itemize}
   
 \item {\bf Availability}
@@ -155,12 +158,12 @@
 \noindent If we had ballots with complete voter
 identification, then we can improve integrity because we can
 trace back the votes to the voters. This would be good when
-verifying the results or recounting. But such an
+verifying the results or when recounting. But such an
 identification would violate ballot secrecy (you can prove to
 somebody else how you voted). In contrast, if we remove all
 identification for ensuring ballot secrecy, then we have to
 ensure that no ``vote-stuffing'' occurs. Similarly, if we
-improve authentication by requiring a to be present at the
+improve authentication by requiring to be present at the
 polling station with an ID card, then we exclude absentee
 voting.
 
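Review bot: "requiring to be present at the polling station" is still ungrammatical; what was missing in the old line was the object, not the article, so it should read "requiring voters to be present at the polling station with an ID card". The surrounding sentence also mixes tenses ("If we had ballots ... then we can improve"); "then we could improve" matches the conditional.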
@@ -170,7 +173,7 @@
 is not entirely trivial and immune from being hacked. We know
 for sure that elections were held in Athens as early as 600
 BC, but might even date to the time of Mesopotamia and also in
-India some kind of ``republics'' might have existed before the
+India some kind of republics might have existed before the
 Alexander the Great invaded it. Have a look at Wikipedia about
 the history of democracy for more information. These elections
 were mainly based on voting by show of hands. While this
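Review bot: the rewritten line still ends with "before the" and the following context line begins "Alexander the Great", so the sentence reads "before the Alexander the Great invaded it"; drop that trailing "the". Removing the quotes around republics is fine, but then "some kind of republics" should become "some kind of republic".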
@@ -180,21 +183,22 @@
 Romans did not perceive this as a problem, but the result was
 that their elections favoured rich, famous people who had
 enough resources to swing votes. Even using small coloured
-stones did not really mitigate the problem with ballot
-secrecy. The problem of authorisation was solved by friends or
-neighbours vouching for you to prove you are eligible to vote
-(there were no ID cards in ancient Greece and Rome).
+stones, which were also used at that time, did not really
+mitigate the problem with ballot secrecy. The problem of
+authorisation was solved by friends or neighbours vouching for
+you to prove you are eligible to vote (there were no ID cards
+in ancient Greece and Rome).
 
 Starting with the French Revolution and the US constitution,
-people started to value a more egalitarian approach to voting
+people began to value a more egalitarian approach to voting
 and electing officials. This was also the time where paper
 ballots started to become the prevailing form of casting
 votes. While more resistant against voter intimidation, paper
 ballots need a number of security mechanisms to avoid fraud.
-For example you need voting booths to fill out the ballot in
-secret. Also transparent ballot boxes are often used in order
-to easily detect and prevent vote stuffing (prefilling the
-ballot box with false votes). 
+For example you need voting booths for being able to fill out
+the ballot in secret. Also transparent ballot boxes are often
+used in order to easily detect and prevent vote stuffing
+(prefilling the ballot box with false votes). 
 
 \begin{center}
 \includegraphics[scale=2.5]{../pics/ballotbox.jpg}
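Review bot: "you need voting booths for being able to fill out the ballot in secret" is clumsier than the line it replaces ("voting booths to fill out the ballot in secret"); keep the original wording or use "voting booths so that the ballot can be filled out in secret". The last rewrapped line "(prefilling the ballot box with false votes). " still has trailing whitespace.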
@@ -203,16 +207,18 @@
 \noindent Another security mechanism is to guard the ballot
 box against any tampering during the election until counting.
 The counting needs to be done by a team potentially involving
-also independent observers. One interesting attack against
-completely anonymous paper ballots is called \emph{chain vote
-attack}. It works if the paper ballots are given out to each
-voter at the polling station. Then an attacker can give the
-prefilled ballot to a voter. The voter uses this prefilled
-ballot to cast the vote, and then returns the empty ballot
-back to the attacker who now compensates the voter. The blank
-ballot can be reused for the next voter. 
+also independent observers. 
 
-The point is that paper ballots have evolved over some time 
+One interesting attack against completely anonymous paper
+ballots is called \emph{chain vote attack}. It works if the
+paper ballots are given out to each voter at the polling
+station. Then an attacker can give the prefilled ballot to a
+voter. The voter uses this prefilled ballot to cast the vote,
+and then returns the empty ballot paper back to the attacker who now
+compensates the voter. The blank ballot can be reused for the
+next voter. 
+
+To sum up, the point is that paper ballots have evolved over some time 
 and no single best method has emerged for preventing fraud.
 But the involved technology is well understood in order to
 provide good enough security with paper ballots.
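Review bot: splitting the chain vote attack into its own paragraph is the right call, but the rewrap is incomplete: "and then returns the empty ballot paper back to the attacker who now" overshoots the fill width used everywhere else in the file, and "also independent observers. ", "next voter. " and the "To sum up, ..." line carry trailing whitespace. While here, "an attacker can give the prefilled ballot" should be "a prefilled ballot" (it has not been introduced yet), and "returns ... back" is redundant.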
@@ -229,25 +235,30 @@
 \end{quote}
 
 \noindent Whenever people argue in favour of e-voting they
-seem to be ignore this basic premise.\bigskip
+seem to be ignoring this basic premise.\bigskip
 
 \noindent After the debacle of the Florida presidential
-election in 2000, many counties used Direct-Recording
-Electronic voting machines (DREs) or optical scan machines.
-One popular model of DRE was sold by the company called
-Diebold. In hindsight they were a complete disaster: the
-products were inferior and the company incompetent. Direct
-recording meant that there was no paper trail, the votes were
-directly recorded on memory cards. Thus the voters had no
-visible assurance whether the votes were correctly cast. The
-machines behind these DREs were ``normal'' windows computers,
-which could be used for anything, for example for changing
-votes. Why did nobody at Diebold think of that? That this was
-eventually done undetectably is the result of the
-determination of ethical hackers like Alex Halderman. His
-group thoroughly hacked them showing that election fraud is
-easily possible. They managed to write a virus that infected
-the whole system by having only access to a single machine.
+election in 2000, many voting precincts in the US used
+Direct-Recording Electronic voting machines (DREs) or optical
+scan machines. One popular model of DREs was sold by a
+company called Diebold. In hindsight they were a complete
+disaster: the products were inadequate and the company
+incompetent. Direct recording meant that there was no paper
+trail, the votes were directly recorded on memory cards. Thus
+the voters had no visible assurance whether the votes were
+correctly cast. Even if there is a printout provided;
+it does not give any guaranty about what is recorded on
+the memory card.
+
+The machines behind these DREs were ``normal'' windows
+computers, which could be used for anything, for example for
+changing votes. Why did nobody at Diebold think of that? I
+have no idea. But that this was eventually done undetectably
+is the result of the determination of ethical hackers like
+Alex Halderman. His group thoroughly hacked Diebold's DREs
+showing that election fraud with them is easily possible. They
+even managed to write a virus that infected the whole system
+by having only access to a single machine.
 
 \begin{figure}[t]
 \begin{center}
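Review bot: the new sentence "Even if there is a printout provided; it does not give any guaranty about what is recorded on the memory card." has a semicolon where a comma belongs, and "guaranty" should be "guarantee". Also "``normal'' windows computers" should capitalise Windows since it names the operating system, and "One popular model of DREs" reads better as "One popular model of DRE".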
@@ -262,35 +273,35 @@
 \end{figure}
 
 What made matters worse was that Diebold tried to hide their
-incompetency and inferiority of their products, by requiring
-that election counties must not give the machines up for
-independent review. They also kept their source secret. 
-This meant Halderman and his group had to obtain a machine
-not in the official channels. Then they had to reverse 
-engineer the source code in order to design their attack. 
-What this all showed is that a shady security design is no 
-match to a determined hacker. 
+incompetency and the inferiority of their products, by
+requiring that election counties must not give the machines up
+for independent review. They also kept their source secret.
+This meant Halderman and his group had to obtain a machine not
+through the official channels. They then had to reverse
+engineer the source code in order to design their attack. What
+this all showed is that a shady security design is no match to
+a determined hacker. 
 
 Apart from the obvious failings (for example no papertrail),
 this story also told another side. While a paper ballot box
 need to be kept secure from the beginning of the election
 (when it needs to be ensured it is empty) until the end of the
 day, electronic voting machines need to be kept secure the
-whole year. The reason is of course one cannot see whether
-somebody has tampered with the program a computer is running.
-Such a 24/7 security costly and often even even impossible,
-because voting machines need to be distributed usually the day
-before to the polling station. These are often schools where
-the voting machines are kept unsecured overnight. The obvious
-solution of putting seals on computers also does not work: in
-the process of getting these DREs discredited (involving court
-cases) it was shown that seals can easily be circumvented. The
-moral of this story is that election officials were 
-incentivised with money by the central government to obtain
-new  voting equipment and in the process fell prey to pariahs
-which sold them a substandard product. Diebold was not the
-only pariah in this project, but one of the more notorious
-one.
+whole year. The reason is of course that one cannot see
+whether somebody has tampered with the program a computer is
+running. Such a 24/7 security is costly and often even
+impossible, because voting machines need to be distributed
+usually the day before the election to the polling stations.
+These are often schools where the voting machines are kept
+unsecured overnight. The obvious solution of putting seals on
+computers did not work: in the process of getting these DREs
+discredited (involving court cases) it was shown that seals
+can easily be circumvented. The moral of this story is that
+election officials were incentivised with money by the central
+government to obtain new voting equipment and in the process
+fell prey to pariahs which sold them a substandard product.
+Diebold was not the only pariah in this area, but one of the
+more notorious ones.
 
 Optical scan machines are slightly better from a security
 point of view but by no means good enough. Their main idea
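Review bot: "Such a 24/7 security is costly" should drop the article ("Such 24/7 security is costly"), and "pariahs which sold them" should be "pariahs who sold them". The unchanged context in the same paragraph still has "no papertrail" (the hunk above spells it "paper trail") and "a paper ballot box need to be kept secure" ("needs"); since the paragraph is being rewritten anyway, fix those in the same commit.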
@@ -307,36 +318,38 @@
 India. Essentially they designed a bespoke voting device,
 which could not be used for anything else. Having a bespoke
 device is a good security engineering decision because it
-makes the attack surface smaller. If you have a full-fledged
-computer behind your system, then you can do everything a
-computer can do\ldots{}that is a lot, including a lot of
-abuse. What was bad that these machines did not have the
-important paper trail: that means if an election was tampered
-with, nobody would find out. Even if they had by their bespoke
-design a very small attack surface, ethical hackers were still
-able to tamper with them. The moral with Indian's voting
-machines is that even if very good security design decisions
-are taken, e-voting is very hard to get right.\bigskip 
+makes the attack surface much smaller. If you have a
+full-fledged computer behind your system, then you can do
+everything a computer can do\ldots{}and that is a lot,
+including a lot of abuse. What was bad about the devices in
+India was that these machines did not have the important paper
+trail: that means if an election was tampered with, nobody
+would find out. Even if they had by their bespoke design a
+very small attack surface, ethical hackers were still able to
+tamper with them. The moral with Indian's voting machines is
+that even if very good security design decisions are taken,
+e-voting is very hard to get right.\bigskip 
 
 
 \noindent This brings us to the case of Estonia, which held in
 2007 the worlds first general election that used Internet.
-Again their solution made some good choices: for example
-voter authentication is done via the Estonian ID card,
-which contains a chip like credit cards. They also made most
-of their source code public for independent scrutiny. Of
-this openness means that people (hacker) will look at your 
-fingers and find code such as
+Again their solution made some good choices: for example voter
+authentication is done via the Estonian ID card, which
+contains a chip like on credit cards. They also made most of
+their source code public for independent scrutiny. Of course
+this openness means that people (hackers) will look at your
+fingers and find code such as this snippet.
 
 {\footnotesize\lstinputlisting[language=Python,numbers=none]
 {../progs/estonia.py}}
 
-\noindent which can be downloaded from their github
+\noindent If you want to have a look their code can be
+downloaded from their github
 repository.\footnote{\url{https://github.com/vvk-ehk/evalimine/}}
 Also their system is designed such that Internet voting is
 used before the election: votes can be changed an unlimited
-amount of times, the last vote is tabulated, you can even
-change your vote on the polling day in person. This is an
+amount of times, always the last vote is tabulated, you can
+even change your vote on the polling day in person. This is an
 important security mechanism guarding against vote coercion,
 which of course is an important problem if you are allowed to
 vote via Internet.
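Review bot: "The moral with Indian's voting machines" survives the rewrap unchanged and should be "India's voting machines" (or "the Indian voting machines"); the line "e-voting is very hard to get right.\bigskip " also keeps trailing whitespace. In the Estonia paragraph, "people (hackers) will look at your fingers" is a literal rendering of a German idiom; "look over your shoulder" is the English equivalent. "If you want to have a look their code can be downloaded" needs a comma after "look", and "always the last vote is tabulated" reads more naturally as "only the last vote is tabulated". The unchanged first line of the paragraph still has "the worlds first general election that used Internet" ("world's", "the Internet").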
@@ -345,7 +358,7 @@
 voters' computers and the central server. Unfortunately, their
 system is designed such that they needs to trust the integrity
 of voters’ computers, central server components and also the
-election staff. In 2014, group of independent observers around
+election staff. In 2014, a group of independent observers around
 Alex Halderman were able to scrutinise the election process in
 Estonia. They found many weaknesses, for example careless
 handling of software updates on the servers. They also
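Review bot: the added article in "a group of independent observers" is correct, but the unchanged context two lines above still reads "their system is designed such that they needs to trust" ("it needs" or "they need"); this hunk is the natural place to fix it.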
@@ -365,7 +378,7 @@
 \noindent This brings us to the question, what could be a
 viable electronic voting process in
 \underline{\textbf{\emph{theory}}} with current technology?
-In the literature one can find proposals such as
+In the literature one can find proposals such as this one:
 
 \begin{enumerate}
 \item Alice prepares and audits some ballots, then casts an
@@ -379,11 +392,11 @@
 
 \item When the election closes, all votes are shuffled and the
       system produces a non-interactive proof of a correct
-      shuffling. Correct in the sense that one cannot determine
+      shuffling---correct in the sense that one cannot determine
        anymore who has voted for what. This will require a 
-       zero-knowledge-proof based shuffling procedure.
+       shuffling procedure based on zero-knowledge-proofs.
 
-\item After a reasonable complaint period to let auditors
+\item After a reasonable complaint period, let auditors
       check the shuffling, all shuffled ballots are decrypted,
       and the system provides a decryption proof for each
       decrypted ballot. Again this will need a 
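Review bot: the change from "After a reasonable complaint period to let auditors check the shuffling, all shuffled ballots are decrypted" to "After a reasonable complaint period, let auditors check the shuffling, all shuffled ballots are decrypted" turns a grammatical sentence into a comma splice and loses the point that the complaint period is what gives auditors time to check. Suggest "After a reasonable complaint period, during which auditors can check the shuffling, all shuffled ballots are decrypted". The list also mixes "zero-knowledge-proofs" and "zero-knowledge-proof"; the usual spelling is "zero-knowledge proof", hyphenating only the compound adjective.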
@@ -397,15 +410,15 @@
 
 \noindent As you can see the whole process is not trivial at
 all and leaves out a number of crucial details (such as how to
-best distribute public keys). It even depends on a highly
-sophisticated process called \emph{zero-knowledge-proofs}.
-They essentially allow one to convince somebody else to know
-a secret without revealing what the secret is. This is a kind
-of cryptographic ``magic'', like the Hellman-Diffie protocol
-which can be used to establish a secret even if you can only
-exchange postcards with your communication partner. We will
-look at zero-knowledge-proofs in a later lecture in more
-detail. 
+best distribute public keys for encryption). It even depends
+on a highly sophisticated process called
+\emph{zero-knowledge-proofs}. They essentially allow one to
+convince somebody else to know a secret without actually
+revealing what the secret is. This is a kind of cryptographic
+``magic'', like the Hellman-Diffie protocol which can be used
+to establish a secret even if you can only exchange postcards
+with your communication partner. We will look at
+zero-knowledge-proofs in a later lecture in more detail. 
 
 The point of these theoretical/hot-air musings is to show that
 such an e-voting procedure is far from convenient: it takes
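Review bot: "allow one to convince somebody else to know a secret" still says the wrong thing after the rewrap; a zero-knowledge proof lets one convince somebody else that one knows a secret, so "convince somebody else that one knows a secret without actually revealing what the secret is". Also "the Hellman-Diffie protocol" is conventionally written Diffie-Hellman, and "zero-knowledge-proofs" should match whatever spelling the enumerate above settles on.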
@@ -421,7 +434,7 @@
 secrecy. This is different from online banking where the whole
 process is designed around authentication. If fraud occurs,
 you try to identify who did what (somebody’s account got zero;
-somewhere the money went). Even if there might be even more 
+somewhere the money went). Even if there might be more 
 gigantic sums at stake in online banking than with voting,
 it can be solved. That does not mean there are no problems
 with online banking. But with enough thought, they can
@@ -431,7 +444,7 @@
 
 
 This conclusion does not imply that in some special cases
-Internet voting cannot be made to work securely. Just in a
+of Internet voting cannot be made to work securely. Just in a
 general election where stakes are very high, it does not work.
 For example a good-enough and workable in-lecture online
 voting system where students' votes are anonymous and students
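Review bot: adding "of" breaks the sentence: "This conclusion does not imply that in some special cases of Internet voting cannot be made to work securely" leaves "cannot" without a subject. Either revert to "in some special cases Internet voting cannot be made to work securely" or restructure as "that Internet voting cannot be made to work securely in some special cases". The following fragment "Just in a general election where stakes are very high, it does not work." would also read better as "It is just that in a general election ...".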