[liberationtech] E-Voting
Richard Brooks
rrb at g.clemson.edu
Wed Dec 7 07:17:59 PST 2016
With all these discussions, too often vote selling
is overlooked. If I can vote from an insecure location,
I can vote in front of someone paying me $100 to
vote as they want.
On 12/07/2016 09:24 AM, Rich Kulawiec wrote:
> On Fri, Dec 02, 2016 at 02:26:49PM -0500, Andres wrote:
>> Rich, the article you link to talks about the risk of one individual voting machine being tampered with.
>
> I think you missed the point Schneier was making. It's NOT about one
> individual voting machine, it's about attacker budgets. Look at the
> big picture, not the small one he used to illustrate the point.
>
> An attacker with a $100M budget (a conservative estimate in 2004, now
> clearly only a fraction of that available) isn't going to use it to
> attack just one voting machine: that'd be a poor return on investment.
> A 2016 attacker, who could have a budget an order of magnitude larger,
> would likely attack in a systemic, distributed -- and subtle -- fashion.
>
>> When voting online you can use any hardware (PC, Mac, Linux, iPhone
>> or Android phone, public or private) to vote and later verify your vote.
>
> That last part ("...later verify your vote") disqualifies the system
> from use. This is a well-known problem with election systems (electronic
> or otherwise): if you can verify your vote at some later point, then
> so can someone else. And if someone else can verify your vote, then
> you can be induced (willingly or otherwise) to vote as directed.
>
> And even if that's addressed, there's a massive problem with this approach,
> or ANY approach that allows voters to use their own computing systems.
> End-user systems are compromised in enormous numbers. This is a well-known
> problem that's been discussed at length for much of this century, e.g.:
>
> Vint Cerf: one quarter of all computers part of a botnet
> http://arstechnica.com/news.ars/post/20070125-8707.html
>
> When Cerf made that estimate, I thought -- based on my own research and
> consultation with others doing similar work -- that it was too high by
> perhaps 25% to 50%. With the benefit of hindsight, I think he was right
> and I was wrong. Given the passage of time since then, the numbers are
> undoubtedly far higher. (Doubly so since nothing truly effective has
> been done to reduce them or even slow down the growth rate, and many
> things have happened to make the situation much, much worse.) I suspect
> that the number of compromised systems is probably ten times what it was
> ten years ago and no doubt the mass deployment of IoT devices with horrible
> (or no) security will make this even worse. And if various governments
> are successful in forcing vendors to build in backdoors, it will get
> MUCH worse in a big hurry.
>
> Why does this matter? Because (as I've said ad nauseam) if someone else
> can run arbitrary code on your computer, it's not YOUR computer any more.
>
> If your phone is compromised, and you use it to vote, and you later
> use that phone to verify that your vote was cast as you think it was,
> how do you know that what you're seeing on the screen is correct?
> Why couldn't the same malware that redirected your vote from candidate
> A to candidate B also show you that you voted for candidate A? (That isn't
> a particularly challenging software problem given that the former has
> been solved.)
>
> Remember: it's not your phone any more. It's theirs. You may walk
> around with it, you may use it, but you don't own it. Not any more.
> So why would you expect someone else's phone to behave as you think
> or believe or want it to?
>
> Does that malware exist? I don't know. But I do know that if a
> sizable enough population starts using their phones to vote, it WILL
> exist, because it will become worth someone's effort. (And by the way:
> this will require far less than even the small $100M budget from 2004.)
>
> Substitute "tablet" or "laptop" or "smart home IoT device" or "desktop"
> or whatever without loss of generality for "phone".
>
> Any voting system which allows voters to use their own computing devices
> is fatally flawed and must be dismissed, with prejudice, immediately.
>
> ---rsk
>
--
===================
R. R. Brooks
Professor
Holcombe Department of Electrical and Computer Engineering
Clemson University
313-C Riggs Hall
PO Box 340915
Clemson, SC 29634-0915
USA
Tel. 864-656-0920
Fax. 864-656-5910
Voicemail: 864-986-0813
email: rrb at acm.org
web: http://www.clemson.edu/~rrb
PGP: 48EC1E30