To my dismay, I discovered that the newer model machines—those that were used in the 2016 election—are running Windows CE and have USB ports, along with other components, that make them even easier to exploit than the older ones.
Just wait until the next-next generation of voting machines has network access. Then exploitation can really scale.
The article spends a significant portion of the first part of the article talking about how it was easier to get hands on the physical machine than it should be.
And in some cases, contrary to the mantra, "security by obscurity" is indeed an important _layer_ of security. But I'm not sure if this is one of them. Of all the domains that one would expect state actors to be trying to exploit, I'd think voting would be near the top. And I don't think trying to only make sure "authorized" people can get their hands on a voting machine is going to be much of a barrier to a state actor. The thing better really be secure no matter how much an attacker knows about it, to defend against state actors, no?
And of course these _weren't_. But I don't think making it harder to buy an old machine on ebay would provide enough barrier to the attackers in the realistic threat model, to even bother doing it. Better to spend the focus on the actual security of the machine. I feel like the "lifecycle management" of machines that the author prioritizes as a solution is a misdirection.
> By simply regulating and monitoring the sale of used voting machines more closely, we would create a huge barrier to bad actors.
A HUGE one? To the intelligence agency of a foreign state? I doubt it. If you think it was a huge one, it's a false sense of security that may lead you to insufficiently prioritize more important fixes. (Which may be _not using digital voting machines_.)
As long as they actually are simple - there have been instances (e.g. in the US) where poor design of the voting paper caused confusion as to who you were actually voting for. Then there's the case of improperly filling them in, invalidating a number of voting papers as well.
Maybe do a combination? Voting machine that prints a hard copy of your vote. Activate by scanning your passport or other proof of voting right, centralized secure repository of who has voted or some kind of deduplication of votes when counting.
It's a little off-point, but I can't help to note a bit of unmentioned fallout to exploitable voting machines -- I early-voted last week in Atlanta and again (as on every other voting day in Atlanta for the last 7-8 years) the voting booth had no curtains and virtually no privacy. I assume this is to make it more difficult for someone to swap in a card that could compromise that voting machine somehow. But I'd love to see an article addressing this issue - in some areas of the country you must vote 'publicly' - because the touch points are so huge on each screen (and color-coded) - each of your selections can [and are] seen by the poll workers. I'm too lazy to research this further, but isn't voting anonymity guaranteed/implied somewhere in our country's codicils (incorrect term, but you know what I mean)
Iirc, it is a state decision. It is hard to get firm answers as there are different concepts that overlap:
Is it legal to pay someone to vote a certain way? Saying 'no' does not mean it is a truly secret ballot, but it is something.
Is the ballot printed by the govt as opposed to parties or organizations? (Meaning there is an "official ballot" and not just any piece of paper) At one point this was a new thing.
Are you doing an oral vote?
As it is, I think in general you end up with no obligation to share your vote, but that is not the same as any legal obligation to make the voting booth well concealed, depending on state, but that is no small amount of reading between the lines and conjecture on my part, so dont trust me too much.
The constantly aghast tone makes every paragraph feel like clickbait. Shockingly. Surely. Alarmingly.
Why is it shocking that you can buy used voting machines? Why is it alarming the data is there and unencrypted? Why wouldn't a government (or supplier) sell on used hardware? Why would tamperproof screws stop you getting access? (They're for proof of access!)
It's nothing like sensitive medical data (a comparison made in tfa). It's anonymous data that should be publicly available.
The only concerning thing here is that these crappy machines were used in the first place. At least they're being flogged off now.
Don't want to turn this into another 'blockchains can solve anything' discussion - but I do feel some form of blockchain tech could be an effective way to solve e-voting.
Here's why:
- A central authority(government) can control issuance of new keys and maintain the association between keys and personal information. There are already plenty of gov ID cards which support digital signatures and can be used to sign voting keys as well. At the same time personal info would not show up on the blockchain.
- Blockchain explorers would be used as a way to verify the votes are legit by virtually anyone
- NVOs, governments, etc can run the blockchain nodes to ensure integrity of the blockchain
In combination with well designed UIs we can have simple voting apps that can make e-voting a breeze (see the Smart-ID implementation for a great example of such tech).
Obviously the attack vector shifts to the gov servers running the key issuance but its easier to do opsec on a datacenter level than on individual voting machines scattered around the country. There's also a question of the integrity of the voting app, but that can/should be open-sourced and audited.
We obviously have the tech and the capabilities to create very effective e-voting solutions. Would even go so far as to say that a proper solution would drastically change the way we think about voting - it would make on-boarding a lot easier and provide some form of 'direct' democracy that we are already seeing flourish in countries like CH. So it seems very shady to me that we end up with BS like this thats very easily exploited and discarded as ineffective.
> - A central authority(government) can control issuance of new keys and maintain the association between keys and personal information. [...]
This means that you can tie a vote to a key, thus a person?
That's not how voting should work. Any vote cast must be secret. Or what's to prevent any one group from blackmailing you (or any other voter)?
> Voting app
You mean that a thug could coerce me into casting my vote from home?...
> There's also a question of the integrity of the voting app, but that can/should be open-sourced and audited.
+ constantly verify that the machine was not tampered with (evil maid) + make sure the hardware was not compromised (supply chain attacks) + ... on TONS of devices?...
> We obviously have the tech and the capabilities to create very effective e-voting solutions.
I don't think the blockchain provides any value at all because you cannot verify if a transaction is valid without having a list of authorized voter... And that can only be the Gvt.
If you have already a list of public keys for each voter why do you even need a blockchain to verify anything? You just through the list of signed votes to ensure uniquness, and you can confirm you personal vote is genuine but that is all you can do.
How do you preserve the secrecy of the ballot with a blockchain? Wanting to verify that an elector has voted but obscuring who for seems like a challenge.
[+] [-] kanyethegreat|7 years ago|reply
Just wait until the next-next generation of voting machines has network access. Then exploitation can really scale.
[+] [-] unknown|7 years ago|reply
[deleted]
[+] [-] jrochkind1|7 years ago|reply
And in some cases, contrary to the mantra, "security by obscurity" is indeed an important _layer_ of security. But I'm not sure if this is one of them. Of all the domains that one would expect state actors to be trying to exploit, I'd think voting would be near the top. And I don't think trying to only make sure "authorized" people can get their hands on a voting machine is going to be much of a barrier to a state actor. The thing better really be secure no matter how much an attacker knows about it, to defend against state actors, no?
And of course these _weren't_. But I don't think making it harder to buy an old machine on ebay would provide enough barrier to the attackers in the realistic threat model, to even bother doing it. Better to spend the focus on the actual security of the machine. I feel like the "lifecycle management" of machines that the author prioritizes as a solution is a misdirection.
> By simply regulating and monitoring the sale of used voting machines more closely, we would create a huge barrier to bad actors.
A HUGE one? To the intelligence agency of a foreign state? I doubt it. If you think it was a huge one, it's a false sense of security that may lead you to insufficiently prioritize more important fixes. (Which may be _not using digital voting machines_.)
[+] [-] remify|7 years ago|reply
I'm glad France is sticking to simple paper and ballot are publicly open.
[+] [-] Cthulhu_|7 years ago|reply
Maybe do a combination? Voting machine that prints a hard copy of your vote. Activate by scanning your passport or other proof of voting right, centralized secure repository of who has voted or some kind of deduplication of votes when counting.
[+] [-] maeln|7 years ago|reply
[+] [-] bayouborne|7 years ago|reply
[+] [-] ergothus|7 years ago|reply
Is it legal to pay someone to vote a certain way? Saying 'no' does not mean it is a truly secret ballot, but it is something.
Is the ballot printed by the govt as opposed to parties or organizations? (Meaning there is an "official ballot" and not just any piece of paper) At one point this was a new thing.
Are you doing an oral vote?
As it is, I think in general you end up with no obligation to share your vote, but that is not the same as any legal obligation to make the voting booth well concealed, depending on state, but that is no small amount of reading between the lines and conjecture on my part, so dont trust me too much.
[+] [-] rootsudo|7 years ago|reply
[+] [-] aacook|7 years ago|reply
[+] [-] oliwarner|7 years ago|reply
Why is it shocking that you can buy used voting machines? Why is it alarming the data is there and unencrypted? Why wouldn't a government (or supplier) sell on used hardware? Why would tamperproof screws stop you getting access? (They're for proof of access!)
It's nothing like sensitive medical data (a comparison made in tfa). It's anonymous data that should be publicly available.
The only concerning thing here is that these crappy machines were used in the first place. At least they're being flogged off now.
[+] [-] hkai|7 years ago|reply
[+] [-] Antifragile1|7 years ago|reply
[deleted]
[+] [-] crypt1d|7 years ago|reply
- A central authority(government) can control issuance of new keys and maintain the association between keys and personal information. There are already plenty of gov ID cards which support digital signatures and can be used to sign voting keys as well. At the same time personal info would not show up on the blockchain.
- Blockchain explorers would be used as a way to verify the votes are legit by virtually anyone
- NVOs, governments, etc can run the blockchain nodes to ensure integrity of the blockchain
In combination with well designed UIs we can have simple voting apps that can make e-voting a breeze (see the Smart-ID implementation for a great example of such tech).
Obviously the attack vector shifts to the gov servers running the key issuance but its easier to do opsec on a datacenter level than on individual voting machines scattered around the country. There's also a question of the integrity of the voting app, but that can/should be open-sourced and audited.
We obviously have the tech and the capabilities to create very effective e-voting solutions. Would even go so far as to say that a proper solution would drastically change the way we think about voting - it would make on-boarding a lot easier and provide some form of 'direct' democracy that we are already seeing flourish in countries like CH. So it seems very shady to me that we end up with BS like this thats very easily exploited and discarded as ineffective.
[+] [-] moviuro|7 years ago|reply
This means that you can tie a vote to a key, thus a person?
That's not how voting should work. Any vote cast must be secret. Or what's to prevent any one group from blackmailing you (or any other voter)?
> Voting app
You mean that a thug could coerce me into casting my vote from home?...
> There's also a question of the integrity of the voting app, but that can/should be open-sourced and audited.
+ constantly verify that the machine was not tampered with (evil maid) + make sure the hardware was not compromised (supply chain attacks) + ... on TONS of devices?...
> We obviously have the tech and the capabilities to create very effective e-voting solutions.
No, clearly we don't! The current paper ballot model has been battle-tested since elections became a thing. See https://www.youtube.com/watch?v=w3_0x6oaDmI
[+] [-] lucozade|7 years ago|reply
One of the key features of a secret ballot voting system is that there's no practical way to tie a voter to a vote.
If you have a direct relation between a voter and a unique key, and that key and a vote, you've basically built an automated corruption system.
And a lot of people might not be entirely comfortable with the assertion that it's fine, only the government knows who you voted for.
[+] [-] batiste|7 years ago|reply
If you have already a list of public keys for each voter why do you even need a blockchain to verify anything? You just through the list of signed votes to ensure uniquness, and you can confirm you personal vote is genuine but that is all you can do.
[+] [-] involans|7 years ago|reply