\definecolor{javared}{rgb}{0.6,0,0} % for strings
\definecolor{javagreen}{rgb}{0.25,0.5,0.35} % comments
\definecolor{javapurple}{rgb}{0.5,0,0.35} % keywords
\definecolor{javadocblue}{rgb}{0.25,0.35,0.75} % javadoc
% beamer stuff
\renewcommand{\slidecaption}{APP 02, King's College London, 1 October 2013}
%Bank vs Voting
% first cyber attack
\begin{tabular}{@ {}c@ {}}
\LARGE Access Control and \\[-3mm]
\LARGE Privacy Policies (2)\\[-6mm]
Email: & christian.urban at kcl.ac.uk\\
Office: & S1.27 (1st floor Strand Building)\\
Slides: & KEATS (also homework is there)\\
\frametitle{\begin{tabular}{c}This Course is about\\[-2mm] ``Satan's Computer''\end{tabular}}
Ross Anderson and Roger Needham wrote:\bigskip
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
``In effect, our task is to program a computer which gives
answers which are subtly and maliciously wrong at the most
inconvenient possible moment\ldots{} we hope that the lessons
learned from programming Satan's computer may be helpful
in tackling the more common problem of programming Murphy's.''
\footnotesize Murphy's computer
\footnotesize Satan's computers
\frametitle{\Large\begin{tabular}{c}User-Tracking Without Cookies\end{tabular}}
Can you track a user {\bf without}:
\item Cookies
\item Javascript
\item LocalStorage/SessionStorage/GlobalStorage
\item Flash, Java or other plugins
\item Your IP address or user agent string
\item Any methods employed by Panopticlick\\
\mbox{}\hfill $\rightarrow$ \textcolor{blue}{\url{https://panopticlick.eff.org/}}
Even when you have disabled cookies entirely, have Javascript turned off and use a VPN service.\\\pause
And numerous sites already use it (Google).
\draw[white] (0,0) node (X) {\includegraphics[scale=0.12]{pics/firefox.jpg}};
\draw[white] (0,0) node (X) {\includegraphics[scale=0.15]{pics/servers.png}};
\draw[white] (0,0) node (X) {};
\draw[white] (3,0) node (Y) {};
\draw[red, ->, line width = 2mm] (X) -- (Y);
\node [inner sep=5pt,label=above:\textcolor{black}{\small GET static.jpg}] at ($ (X)!.5!(Y) $) {};
\draw[white] (0,0) node (X) {};
\draw[white] (3,0) node (Y) {};
\draw[red, <-, line width = 2mm] (X) -- (Y);
\node [inner sep=5pt,label=below:\textcolor{black}{\small ETag: 7b33de1}] at ($ (X)!.5!(Y) $) {};
\node [inner sep=5pt,label=above:{\includegraphics[scale=0.15]{pics/tvtestscreen.jpg}}] at ($ (X)!.5!(Y) $) {};
\draw[white] (0,0) node (X) {};
\draw[white] (3,0) node (Y) {};
\draw[red, ->, line width = 2mm] (X) -- (Y);
\node [inner sep=5pt,label=above:\textcolor{black}{\small GET static.jpg ETag: 7b33de1}] at ($ (X)!.5!(Y) $) {};
\draw[white] (0,0) node (X) {};
\draw[white] (3,0) node (Y) {};
\draw[red, <-, line width = 2mm] (X) -- (Y);
\node [inner sep=5pt,label=below:\textcolor{black}{\small HTTP/1.1 304 (Not Modified)}] at ($ (X)!.5!(Y) $) {};
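The exchange in the diagram above, as an added simulation that is not part of the lecture slides: a hypothetical server issues a fresh ETag to every first-time client, and a normal caching client echoes it back (in real HTTP the request header carrying the tag is If-None-Match), so the server recognises the client on every revisit without cookies; a client that never sends conditional requests defeats the identification.

```python
# Added example: simulation of ETag-based user tracking and a client-side
# mitigation. Not code from the lecture or from any real server; the
# server, client classes and identifier format are assumptions.
from dataclasses import dataclass, field
import secrets

@dataclass
class TrackingServer:
    """Hypothetical server that hands out a unique ETag per first-time client."""
    seen: dict = field(default_factory=dict)   # etag -> number of requests seen

    def handle(self, headers: dict) -> tuple:
        """Answer GET /static.jpg; returns (status, response headers)."""
        tag = headers.get("If-None-Match")
        if tag in self.seen:
            self.seen[tag] += 1                # client recognised by its tag
            return 304, {"ETag": tag}          # "Not Modified", as on the slide
        tag = secrets.token_hex(4)             # fresh identifier, like 7b33de1
        self.seen[tag] = 1
        return 200, {"ETag": tag}

@dataclass
class CachingClient:
    """Browser behaviour: remembers the ETag and sends it back as If-None-Match."""
    cache: dict = field(default_factory=dict)  # url -> etag

    def get(self, server, url="/static.jpg"):
        headers = {}
        if url in self.cache:
            headers["If-None-Match"] = self.cache[url]
        status, resp = server.handle(headers)
        self.cache[url] = resp["ETag"]
        return status

class NoRevalidateClient(CachingClient):
    """Mitigation: never send conditional headers (same effect as a cleared cache)."""
    def get(self, server, url="/static.jpg"):
        status, _ = server.handle({})
        return status

def simulate(client_cls, visits=3):
    """Let one client visit the server; return (statuses, distinct ids, max hits per id)."""
    server = TrackingServer()
    client = client_cls()
    statuses = [client.get(server) for _ in range(visits)]
    return statuses, len(server.seen), max(server.seen.values())
```

With the caching client the server sees one identifier hit three times; with the non-revalidating client it sees three unrelated first-time visitors.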
\frametitle{Today's Lecture}
\large online banking & \hspace{6mm}\large e-voting\\
\textcolor{gray}{solved} & \hspace{6mm}\textcolor{gray}{unsolved}\\
\frametitle{\begin{tabular}{@ {}c@ {}}Voting as Security Problem\end{tabular}}
What are the security requirements of a voting system?\bigskip
\item<3-> Ballot Secrecy
\item<5-> Voter Authentication
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered]
\item The outcome matches the voters' intent.
\item There might be gigantic sums at stake, and these need to be defended against.
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered]
\item Nobody can find out how you voted.
\item (Stronger) Even if you try, you cannot prove how you voted.
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered]
\item Only authorised voters can vote up to the permitted number of votes.
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered]
\item Authorised voters should have the opportunity to vote.
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm, text centered]
\item The voting system should accept all authorised votes and produce results in a timely manner.
\frametitle{\begin{tabular}{@ {}c@ {}}Problems with Voting\end{tabular}}
Integrity & vs. & Ballot Secrecy\bigskip\\
Authentication & vs. & Enfranchisement
Further constraints:
\item costs
\item accessibility
\item convenience
\item intelligibility
\frametitle{\begin{tabular}{@ {}c@ {}}Traditional Ballot Boxes\end{tabular}}
they need a ``protocol''
\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting\end{tabular}}
\item The Netherlands used electronic voting machines between 1997 and 2006\\
\textcolor{gray}{(hacktivists found that they could be hacked and that they emitted radio signals revealing how you voted)}
\item Germany had used them in pilot studies\\
\textcolor{gray}{(in 2007 a lawsuit reached the highest court, which rejected electronic voting
on the grounds that it is not understandable by the general public)}
\item UK used optical scan voting systems in a few polls
\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting\end{tabular}}
\item The US has used mechanical machines since the 1930s, later punch cards, and now DREs and
optical scan voting machines
\item Estonia used the Internet for its national elections in 2007
\textcolor{gray}{(there were earlier pilot studies in other countries)}
\item India has used e-voting devices since at least 2003\\
\textcolor{gray}{(``keep-it-simple'' machines produced by a government owned company)}
\item South Africa used software for its tallying in the 1993 elections (when Nelson Mandela was elected)
\textcolor{gray}{(they found the tallying software was rigged, but they were able to tally manually)}
\frametitle{\begin{tabular}{@ {}c@ {}}A Brief History of Voting\end{tabular}}
\item Athenians
\item show of hands
\item ballots on pieces of pottery
\item different colours of stones
\item ``facebook''-like authorisation
\textcolor{gray}{problems with vote buying / no ballot privacy}\bigskip
\item French Revolution and the US Constitution got things ``started'' with
paper ballots (you first had to bring your own; later they were pre-printed by parties)
\frametitle{\begin{tabular}{@ {}c@ {}}Ballot Boxes\end{tabular}}
Security policies involved with paper ballots:
\item you need to check that the ballot box is empty at the start of the poll / no false bottom (to prevent ballot stuffing)
\item you need to guard the ballot box during the poll until counting
\item tallied by a team at the end of the poll (independent observers)
\frametitle{\begin{tabular}{@ {}c@ {}}Paper Ballots\end{tabular}}
What can go wrong with paper ballots?
\footnotesize William M.~Tweed, US politician in the 1860s\\
``As long as I count the votes, what are you going to do about it?''
{\bf Chain Voting Attack}
\item you obtain a blank ballot and fill it out as you want
\item you give it to a voter outside the polling station
\item voter receives a new blank ballot
\item voter submits prefilled ballot
\item voter gives blank ballot to you, you give money
\item goto 1
Which security requirements do paper ballots satisfy better than voice voting?\bigskip
\item Integrity
\item Enfranchisement
\item Ballot secrecy
\item Voter authentication
\item Availability
\frametitle{\begin{tabular}{@ {}c@ {}}Mechanical Voting Machines\end{tabular}}
\item<1-> Lever Voting Machines (ca.~1930 - 1990)
\item<2-> Punch Cards (ca.~1950 - 2000)
\frametitle{\begin{tabular}{@ {}c@ {}}Electronic Voting Machines\end{tabular}}
Optical Scan
all are computers
\frametitle{\begin{tabular}{@ {}c@ {}}DREs\end{tabular}}
Direct-recording electronic voting machines\\
(votes are recorded for example on memory cards)
typically touchscreen machines
usually no paper trail
\frametitle{\begin{tabular}{@ {}c@ {}}Diebold Machines\end{tabular}}
The work by J.~Alex Halderman:
\item acquired a machine from an anonymous source\medskip
\item the source code running the machine was meant to be kept secret\medskip\pause
\item first reverse-engineered the machine (extremely tedious)
\item could completely reboot the machine and even install a virus that infects other Diebold machines
\item also obtained the source code for other machines
\frametitle{\begin{tabular}{@ {}c@ {}}Diebold Machines\end{tabular}}
What could go wrong?\pause \;\;Failure-in-depth.\bigskip\pause
A non-obvious problem:
\item you can nowadays get old machines, which still store old polls
\item the paper ballot box needed to be secured during the voting until counting;
e-voting machines need to be secured during their entire lifetime
\frametitle{\begin{tabular}{@ {}c@ {}}Paper Trail\end{tabular}}
Conclusion:\\ Any electronic solution should have a paper trail.
You still have to solve problems about
voter registration, voter authentication and guarding against tampering
\frametitle{\begin{tabular}{@ {}c@ {}}E-Voting in India\end{tabular}}
Their underlying engineering principle is ``keep-it-simple'':
Official claims: ``perfect'', ``tamperproof'', ``no need for technical improvements'', ``infallible''
\frametitle{\begin{tabular}{@ {}c@ {}}Lessons Learned\end{tabular}}
\item keep a paper trail and design your system to keep this secure\medskip
\item make the software open source (avoid security-by-obscurity)\\
{\small\mbox{}\hfill source code for Estonian vote \textcolor{blue}{\url{http://goo.gl/oRMHAI}}}\medskip
\item have a simple design in order to minimise the attack surface
\draw (0,0) node[inner sep=2mm,fill=cream, ultra thick, draw=red, rounded corners=2mm]
def analyze(ik, vote, votebox):\\
\# TODO: implement security checks\\
\# such as verifying the correct size\\
\# of the encrypted vote\\
return []
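A hypothetical filled-in version of the stub above, added here as an illustration of the checks the TODO asks for; it is not the Estonian project's code, and the ciphertext size, the shape of the vote box and the replay check are assumptions.

```python
# Added example: hypothetical completion of the analyze() stub shown on the
# slide. Not code from the Estonian voting system; all checks are assumptions.
import hashlib

RSA_MODULUS_BYTES = 256   # assumption: votes are encrypted with a 2048-bit RSA key

def analyze(ik, vote, votebox):
    """Return a list of problems found with an encrypted vote; [] means accept.

    ik      -- identifier of the submitting voter (assumed to be a string)
    vote    -- the encrypted ballot as bytes
    votebox -- dict mapping voter id -> list of SHA-256 digests of stored votes
    """
    problems = []
    if not isinstance(vote, (bytes, bytearray)):
        problems.append("vote is not a byte string")
        return problems                      # nothing further can be checked
    # the size check the TODO asks for: a ciphertext must be exactly one RSA
    # block; anything else is malformed input that should never be stored
    if len(vote) != RSA_MODULUS_BYTES:
        problems.append(f"ciphertext has {len(vote)} bytes, expected {RSA_MODULUS_BYTES}")
    # a ciphertext equal to 0 or 1 decrypts to itself under textbook RSA: reject
    if int.from_bytes(vote, "big") in (0, 1):
        problems.append("degenerate ciphertext")
    # replay check: the same ciphertext must not be counted twice
    digest = hashlib.sha256(vote).hexdigest()
    for voter, digests in votebox.items():
        if digest in digests:
            problems.append(f"duplicate of a vote already stored for {voter}")
            break
    return problems

def accept(ik, vote, votebox):
    """Run analyze() and store the vote's digest only when it passes."""
    problems = analyze(ik, vote, votebox)
    if not problems:
        votebox.setdefault(ik, []).append(hashlib.sha256(vote).hexdigest())
    return problems
```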
%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: