# HG changeset patch # User Christian Urban # Date 1412338474 -3600 # Node ID 2cb42412f3fd9e7bb4e2647f446eef694d84f4c0 # Parent f675aa15b6d093897ced45debc18d3e07470e5cf updated diff -r f675aa15b6d0 -r 2cb42412f3fd handouts/ho02.pdf Binary file handouts/ho02.pdf has changed diff -r f675aa15b6d0 -r 2cb42412f3fd handouts/ho02.tex --- a/handouts/ho02.tex Fri Oct 03 06:17:25 2014 +0100 +++ b/handouts/ho02.tex Fri Oct 03 13:14:34 2014 +0100 
@@ -229,7 +229,87 @@ \end{quote} \noindent Whenever people argue in favour of e-voting they -seem to be ignore this basic premise. +seem to be ignore this basic premise.\bigskip + +\noindent After the debacle of the Florida presidential +election in 2000, many counties used Direct-Recording +Electronic voting machines (DREs) or optical scan machines. +One popular model of DRE was sold by the company called +Diebold. In hindsight they were a complete disaster: the +products were inferior and the company incompetent. Direct +recording meant that there was no paper trail, the votes were +directly recorded on memory cards. Thus the voters had no +visible assurance whether the votes were correctly cast. The +machines behind these DREs were ``normal'' windows computers, +which could be used for anything, for example for changing +votes. Why did nobody at Diebold think of that? That this was +eventually done undetectably is the result of the +determination of ethical hackers like Alex Halderman. His +group thoroughly hacked them showing that election fraud is +easily possible. They managed to write a virus that infected +the whole system by having only access to a single machine. + +What made matters worse was that Diebold tried to hide their +incompetency and inferiority of their products, by requiring +that election counties must not give the machines up for +independent review. They also kept their source secret. +This meant Halderman and his group had to obatain a machine +not in the official channels. Then they had to reverse +engineer the source code in order to design their attack. +What this all showed is that a shady security design is no +match to a determined hacker. + +Apart from the obvious failings (for example no papertrail), +this story also told another side. 
While a paper ballot box +need to be kept secure from the beginning of the election +(when it needs to be ensured it is empty) until the end of the +day, electronic voting machines need to be kept secure the +whole year. The reason is of course one cannot see whether +somebody has tampered with the program a computer is running. +Such a 24/7 security costly and often even even impossible, +because voting machines need to be distributed usually the day +before to the polling station. These are often schools where +the voting machines are kept unsecured overnight. The obvious +solution of putting seals on computers also does not work: in +the process of getting these DREs discredited (involving court +cases) it was shown that seals can easily be circumvented. The +moral of this story is that election officials were +incentivised with money by the central government to obtain +new voting equipment and in the process fell prey to pariahs +which sold them a substandard product. Diebold was not the +only pariah in this project, but one of the more notorious +one. + +Optical scan machines are slightly better from a security +point of view but by no means good enough. Their main idea +is that the voter fills out a paper ballot, which is then +scanned by a machine. At the very least the paper ballot can +serve as a paper trail in cases an election result needs to +be recounted. But if one takes the paper ballots as the +version that counts in the end, thereby using the optical +scan machine only as a device to obtain quickly preliminary +results, then why not sticking with paper ballots in the +first place?\bigskip + +\noindent An interesting solution for e-voting was designed in +India. Essentially they designed a bespoke voting device, +which could not be used for anything else. Having a bespoke +device is a good security engineering decision because it +makes the attack surface smaller. 
If you have a fullfledged +computer behind your system, then you can do everything a +computer can do\ldots{}that is a lot, including a lot of +abuse. What was bad that these machines did not have the +important paper trail: that means if an election was tampered +with, nobody would find out. Even if they had by their bespoke +design a very small attack surface, ethical hackers were still +able to tamper with them. The moral with Indian's voting +machines is that even if very good security design decisions +are taken, e-voting is very hard to get right.\bigskip + + +\noindent This brings us to the case of Estonia, which held in +2007 the worlds first general election that used Internet. +Again their solution made some good choices: %\subsubsection*{Questions}
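Review bot: the first changed line of this hunk keeps the original grammatical error rather than fixing it: "seem to be ignore this basic premise" should read "seem to ignore this basic premise" (the only change made there is the appended \bigskip). The newly added paragraphs also carry a number of spelling and grammar slips that should be corrected before this handout ships: "obatain" (obtain), "fullfledged" (full-fledged), "papertrail" (paper trail), "often even even impossible" (doubled "even"), "Such a 24/7 security costly" (missing "is"), "in cases an election result" (in case), "why not sticking with" (why not stick with), "one of the more notorious one" (ones), "Indian's voting machines" (India's), and "the worlds first" (world's). "sold by the company called Diebold" reads more naturally as "a company called Diebold". On wording: "That this was eventually done undetectably is the result of the determination of ethical hackers like Alex Halderman" reads as if Halderman's group altered a real election; the intended claim is that they demonstrated it could be done undetectably, so something like "That this could be done undetectably was shown by ethical hackers like Alex Halderman" would be clearer. "Pariahs" (outcasts) also does not seem to be the intended word for the vendors who sold substandard equipment. Finally, the "moral of this story" sentence states a cause (officials were incentivised to buy new equipment) rather than a lesson; consider rephrasing it so the lesson, that 24/7 physical security of general-purpose machines is impractical and seals are no substitute, comes through, and note that the hunk ends with a commented-out %\subsubsection*{Questions} that should either be restored or removed.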