
Election security, e-voting, and voter registration systems


  • Jebus314 Registered User regular
    Mayabird wrote: »
    Jebus314 wrote: »
    Somehow we deal with issues and have elections anyway. I’m not buying that paper ballots are somehow so inherently secure that moving away from them would be instant doom in terms of faked elections.

    Instant doom, likely not - more prone to tampering, definitely. After Diebold I'm never trusting electronic voting again.

    https://www.politico.com/magazine/story/2016/08/2016-elections-russia-hack-how-to-hack-an-election-in-seven-minutes-214144

    Especially after the revelations with Russia in the 2016 election.

    Ossoff may actually have won the Georgia special House election instead of that lunatic Handel but there's no way to know if the numbers were tampered with. Georgia is one of those states that doesn't have paper trails, just the electronic machines, and in particular when regarding Ossoff, the machines were wiped right before there could be an investigation. Handel was secretary of state of Georgia, which means she was in charge of the elections. She very well could have had it stolen for herself and destroyed the evidence.

    Even if she didn't (which I strongly suspect but she destroyed all the evidence, which makes me suspect it more strongly) there is this possibility, and it's very easy to exploit by people in power. This possibility should not exist.

    Is that significantly changed with paper ballots though? I mean if you have the head of the election services deciding to try and game the system, it is going to be very difficult to create something that is resistant to someone with so much power inside.

    I mean just a cursory Google search turned up this Florida election, where there were paper ballots and they went ahead and destroyed them in the middle of the court case contesting the election results (they claimed that scans of the original documents were good enough). So I guess paper doesn't really help you there.

    "The world is a mess, and I just need to rule it" - Dr Horrible
  • PantsB Fake Thomas Jefferson Registered User regular
    edited July 2018
    Jebus314 wrote: »
    Mayabird wrote: »
    Jebus314 wrote: »
    Somehow we deal with issues and have elections anyway. I’m not buying that paper ballots are somehow so inherently secure that moving away from them would be instant doom in terms of faked elections.

    Instant doom, likely not - more prone to tampering, definitely. After Diebold I'm never trusting electronic voting again.

    https://www.politico.com/magazine/story/2016/08/2016-elections-russia-hack-how-to-hack-an-election-in-seven-minutes-214144

    Especially after the revelations with Russia in the 2016 election.

    Ossoff may actually have won the Georgia special House election instead of that lunatic Handel but there's no way to know if the numbers were tampered with. Georgia is one of those states that doesn't have paper trails, just the electronic machines, and in particular when regarding Ossoff, the machines were wiped right before there could be an investigation. Handel was secretary of state of Georgia, which means she was in charge of the elections. She very well could have had it stolen for herself and destroyed the evidence.

    Even if she didn't (which I strongly suspect but she destroyed all the evidence, which makes me suspect it more strongly) there is this possibility, and it's very easy to exploit by people in power. This possibility should not exist.

    Is that significantly changed with paper ballots though? I mean if you have the head of the election services deciding to try and game the system, it is going to be very difficult to create something that is resistant to someone with so much power inside.

    I mean just a cursory Google search turned up this Florida election, where there were paper ballots and they went ahead and destroyed them in the middle of the court case contesting the election results (they claimed that scans of the original documents were good enough). So I guess paper doesn't really help you there.
    This is how it works with paper ballots:

    In each precinct you have neutral volunteers and representatives of each party. They are there for several reasons, but one of them is to make sure the ballot box stays secure.

    The box is then moved to a central counting location, often with all those parties traveling together. There is a literal seal on the box usually.

    The box is then opened in front of representatives of each party. It may then be fed into a scantron machine, or it may be hand counted. The ballots are then organized, with any disputed ballots put aside. Usually lawyers are now present as well.

    Hundreds of people are involved with directly competing interests. It would take conspiracies of dozens to make substantial changes and it would be incredibly easy to get caught. And if there's a close race, it's possible to check it again and be very specific. Specific ballots end up in court records and even online.

    With computer voting, none of this happens. It's not possible for people to physically examine the data on a hard drive, and often voting is just sent over the internet. There's generally no independent auditing of the (proprietary) code. The machines are as secure as you'd expect a bunch of volunteers to be able to set up on a shoestring budget.

    It has a bunch of disadvantages, including much higher cost, and almost no advantages. Scantron counting can be done very quickly and having results in 3 hours or 6 is not that important.

    QEDMF xbl: PantsB G+
  • Polaritie Sleepy Registered User regular
    Jebus314 wrote: »
    Mayabird wrote: »
    Jebus314 wrote: »
    Somehow we deal with issues and have elections anyway. I’m not buying that paper ballots are somehow so inherently secure that moving away from them would be instant doom in terms of faked elections.

    Instant doom, likely not - more prone to tampering, definitely. After Diebold I'm never trusting electronic voting again.

    https://www.politico.com/magazine/story/2016/08/2016-elections-russia-hack-how-to-hack-an-election-in-seven-minutes-214144

    Especially after the revelations with Russia in the 2016 election.

    Ossoff may actually have won the Georgia special House election instead of that lunatic Handel but there's no way to know if the numbers were tampered with. Georgia is one of those states that doesn't have paper trails, just the electronic machines, and in particular when regarding Ossoff, the machines were wiped right before there could be an investigation. Handel was secretary of state of Georgia, which means she was in charge of the elections. She very well could have had it stolen for herself and destroyed the evidence.

    Even if she didn't (which I strongly suspect but she destroyed all the evidence, which makes me suspect it more strongly) there is this possibility, and it's very easy to exploit by people in power. This possibility should not exist.

    Is that significantly changed with paper ballots though? I mean if you have the head of the election services deciding to try and game the system, it is going to be very difficult to create something that is resistant to someone with so much power inside.

    I mean just a cursory Google search turned up this Florida election, where there were paper ballots and they went ahead and destroyed them in the middle of the court case contesting the election results (they claimed that scans of the original documents were good enough). So I guess paper doesn't really help you there.

    Counterpoint, the Franken election. The issues were all after the votes were counted.

    Steam: Polaritie
    3DS: 0473-8507-2652
    Switch: SW-5185-4991-5118
    PSN: AbEntropy
  • VoodooV Registered User regular
    In my county, we typically have a 5 person election board: an inspector, aka the supervisor, 2 clerks and 2 judges. Both of the judges have to be different parties and both of the clerks have to be different parties (or no party).

    Before we start, both judges verify the ballot box is empty. It is then locked and the key is with the inspector.

    Voter starts with clerk 1 and gives them their name. Clerk 1 then finds their name in the roll and once it is found, asks the voter for the address to see if it matches what's in the book (one problem I have with this is that the roll sheet is in plain sight and a savvy person could read the address right off the poll). This part usually takes the longest if someone has an unusual name or maybe they're not on the rolls and should be in a different precinct, and that's where the inspector steps in to help out or have them vote provisionally, which is a different process.

    Clerk 2 then has the voter sign the register with their signature and address.

    Judge 1 then gives the ballot to the voter (the ballot has to have the initials of both judges on the ballot to ensure it's a valid ballot). The voter then goes off to the booth to vote.

    The voter returns and gives it to Judge 2 who then verifies that the ballot still has both initials on the ballot, then the ballot is put into the box, and the judge thanks them for voting and offers them a sticker.

    At the end of the day, when the polls are closed, we count up the number of votes in the register (then we have to do some modifications in case it was a multi-page ballot or a primary) but ultimately the number of votes or ballot pages has to match the number we have in the register.

    The two judges go off to another room to count the ballot pages. (I'm usually Judge 1, so what we typically do is split the ballot pile in half. I count my pile, my counterpart counts their pile, we then switch and see if we came up with the same count for the two piles.) Assuming we do, we do the math and make sure the ballots match the number of voters in the register. Assuming all is well we put all the ballots in another box which is then sealed, and all of the seals have both judges' initials, and we inform the inspector that we have a good count and give the box to the inspector who then takes it to the election office, and once we're cleaned up, we're done.

    I've never gotten to see what happens after that, but all of our ballots are scantron ballots, so the machine is doing all the counting at that point presumably.


  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited July 2018
    PantsB wrote: »
    Feral wrote: »
    Orca wrote: »
    I still have yet to see anyone articulate both an electronic system and a means of securing said system such that it's superior to what is already possible with paper + machine counted + human verification.

    I maintain that it's solving the wrong problem. Speed is not critical in this domain. Money is not critical in this domain. Security is, as is accessibility.

    Use the electronic goodies to secure the physical ballots. Store them in bank vaults if you like. Chain of custody for physical artifacts has well-known ways of being secured since it requires local actors and you can't strike from halfway across the globe.

    Paper ballots routinely go missing. You can get ample examples from just googling "lost election ballots." Here's just one example from my region that I found from a lazy Google search.

    This happens across multiple precincts in every election.

    Right, and when it happens it's notable enough to get in the news and cause a big to-do. In the linked article, a total of 0.1% of ballots were lost and people were aghast and could verify that the results were not altered. Every election digital voting systems go down and often have no paper trail with no recourse. That's on top of being subject to the exact same kinds of screw-ups that paper ballots are.

    Mail-in ballots are also far less secure than in-person voting, which is its primary downside.

    Storing the voting records on a single USB flash drive (for all intents and purposes) without a backup is obviously moronic.

    I think I've been pretty clear in my position in this thread that electronic voting can be more secure than paper voting if properly implemented and I'm admittedly pessimistic about proper implementation.

    "We kept all the votes on a single portable storage device" definitely falls under the category of "bad implementation."

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    Jebus314 wrote: »
    I don't really want to continue down the road of attacking individual points because it is a lot of work, but I feel like there is a disconnect here. Many of the responses I am getting are acting as if there is some fundamental issue with cyber-security that can not be overcome, and that by poking holes in my suggestions you have illustrated this fundamental flaw. I just don't see it that way. I am not a cyber security expert and I'm willing to admit that I have underestimated how close we are to having a workable system, but just because I don't have a foolproof plan doesn't mean that it's not possible.

    I mean just as an example (and again I am not trying to defend or discount all of your points), look at the bolded. You are insinuating that PINs are fundamentally flawed.

    I didn't say that. That's a misinterpretation of my post.

    It depends on how the PIN is used.
    Jebus314 wrote: »
    So you say banking is totes different, but why?

    I explained that upthread.

    If your bank account is compromised, it doesn't directly affect me.

    If your vote is compromised, it does.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited July 2018
    Jebus, it isn't so much that there's a fundamental flaw, it's that you're doing this:

    physicists.png

    You don't have to be an expert in information security to contribute to this topic, but I think your ignorance of the field has led you to not only severely underestimate the vulnerabilities in the methods you've proposed, but also underestimate just how nitpicky information security can get.

    Information security requires a method of thought where you specifically look for weaknesses in a process and acknowledge those weaknesses. You might compare them to weaknesses in a competing process, or you might find ways to mitigate those weaknesses. "Poking holes in [my] suggestions" and "attacking individual points" are essential to the topic.

    Edit: minor terminology shift

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Orca Also known as Espressosaurus Wrex Registered User regular
    Polaritie wrote: »
    PantsB wrote: »
    Orca wrote: »
    Or you could just use paper ballots and randomly spot-check the votes compared to what is read by your scantron readers.

    This is already done, except not randomly spot-checked, in competitive races.

    Counting all ballots by hand is completely feasible, and what I think of for those automatic recounts. The usual enhancement I see proposed is to audit the process by taking statistical samples of paper ballots to compare to the final result, and adding a full recount if it varies too much.

    This is what I am proposing in order to gain more confidence in the system.
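
Worked example of the audit Orca is proposing, added here as an illustration; it is not code from the original post or from any election office. It implements a BRAVO-style ballot-polling audit (Lindeman, Stark and Yates' sequential test) for a two-candidate contest: paper ballots are pulled in a random order, a likelihood ratio of "the machine totals are right" against "the contest is really a tie" is updated after each ballot, and the audit stops either when the ratio clears the risk limit (the reported winner is confirmed) or when the sample is exhausted (which is a full hand count). The ballot counts, the 60/40 reported result, the 35/65 misreported contest and the random seed are all constructed for the demonstration.

```go
package main

import (
	"fmt"
	"math/rand"
)

// AuditResult is the outcome of one ballot-polling audit.
type AuditResult struct {
	Sampled   int  // paper ballots hand-inspected before the audit stopped
	Confirmed bool // true: reported winner confirmed at the risk limit; false: escalate to a full hand count
}

// BallotPollingAudit runs a BRAVO-style sequential test for a two-candidate contest.
// ballots is the paper record (true = ballot for the reported winner), order is the
// random order in which ballots are pulled, reportedShare is the winner's share in the
// machine totals (must exceed 0.5), and riskLimit (e.g. 0.05) bounds the chance that a
// wrong reported outcome is confirmed without a full hand count.
func BallotPollingAudit(ballots []bool, order []int, reportedShare, riskLimit float64) AuditResult {
	// Likelihood ratio of the sample under "the machine totals are right" versus
	// "the contest is actually a tie". It rises on winner ballots and falls on loser ballots.
	ratio := 1.0
	for i, idx := range order {
		if ballots[idx] {
			ratio *= reportedShare / 0.5
		} else {
			ratio *= (1 - reportedShare) / 0.5
		}
		if ratio >= 1/riskLimit {
			return AuditResult{Sampled: i + 1, Confirmed: true}
		}
	}
	// The sample ran out: every ballot has been inspected, so the hand count decides.
	return AuditResult{Sampled: len(order), Confirmed: false}
}

// HandCount tallies the paper record directly (the fallback when the audit escalates).
func HandCount(ballots []bool) (winner, loser int) {
	for _, b := range ballots {
		if b {
			winner++
		} else {
			loser++
		}
	}
	return winner, loser
}

// makeBallots builds a constructed paper record of n ballots, winnerBallots of them for
// the reported winner.
func makeBallots(n, winnerBallots int) []bool {
	ballots := make([]bool, n)
	for i := 0; i < winnerBallots; i++ {
		ballots[i] = true
	}
	return ballots
}

// Demo audits two constructed contests that both report a 60/40 result: one where the
// paper agrees (6000 of 10000 ballots), one where the paper shows the reported winner
// actually losing 3500 to 6500.
func Demo() (honest, misreported AuditResult) {
	const n, reported, risk = 10000, 0.60, 0.05
	rng := rand.New(rand.NewSource(2018)) // fixed seed so the walk-through is repeatable
	honest = BallotPollingAudit(makeBallots(n, 6000), rng.Perm(n), reported, risk)
	misreported = BallotPollingAudit(makeBallots(n, 3500), rng.Perm(n), reported, risk)
	return honest, misreported
}

func main() {
	honest, misreported := Demo()
	fmt.Printf("paper matches totals:   confirmed=%v after %d ballots\n", honest.Confirmed, honest.Sampled)
	fmt.Printf("paper contradicts them: confirmed=%v after %d ballots\n", misreported.Confirmed, misreported.Sampled)
	w, l := HandCount(makeBallots(10000, 3500))
	fmt.Printf("full hand count of the second contest: reported winner %d, reported loser %d\n", w, l)
}
```

The point the numbers make: when the paper agrees with the machines, a few hundred randomly drawn ballots out of ten thousand are enough to confirm the result at a 5% risk limit, which is why this is cheap enough to run after every election rather than only in contested races. When the paper disagrees, the ratio never clears the threshold and the audit falls through to the hand count, which then overrides the machine totals.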

  • Phyphor Building Planet Busters Tasting Fruit Registered User regular
    discrider wrote: »
    EvilOtaku wrote: »
    I believe that this is 100% a technologically solvable problem. Though it's probably not feasible in reality as it requires a complete overhaul of the voting infrastructure. That would require a literal act of Congress and while we're at it we should get rid of First Past the Post. But I don't want this Congress anywhere near the Constitution with a sharpie and some white out.

    I know I'll get laughed off these forums but https://followmyvote.com/ is a blockchain solution (don't roll your eyes too hard). I think it's a clever solution to a very very hard problem.

    Well, for a start, that doesn't appear to be a blockchain.

    But second, it requires the Voter ID authority to recognise your id and then agree with the Voting authority to issue your ballot.
    Aside from just hijacking the voter's computer, the obvious attack vector would be to compromise the Voter ID authority, issue a bunch of false requests to the Voting authority, and then add these verified votes to the database.
    The false requests would need to match people who exist in the Voting authority's records, but you're inside the Voter ID authority already so pulling the relevant data from the shouldn't be an issue.

    Not to mention you still have the problem with disenfranchising people who don't have government IDs.
    And a webcam.

    It appears to be a blockchain. Voters publish a public key, the authority publishes a verification and then the voter publishes their votes signed by their key.

    Compromising the authority is not as easy as you might think. There's no need to have that part of it connected to the internet, all of that can happen offline with periodic batch uploads. All the verification requests can be manually reviewed by humans too, which again can be on an isolated network and done by batch processing.
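
To make the scheme Phyphor summarises concrete, here is an added example (mine, not code from followmyvote or from the post) of the three public records it relies on and of the check an independent observer would run over them: the authority signs each voter's public key, the voter signs their choice with that key, and the tally accepts a ballot only if the key carries a valid authority endorsement, the ballot signature verifies, and no earlier ballot from that key has been counted. The use of Ed25519, the "ballot:" message prefix, the names and the five constructed ballots are my assumptions for the demonstration; the real product's formats are not described on the page. It also shows where discrider's concern lands: every endorsement the authority's key produces is accepted as-is, so that key is the trust root of the whole record.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Registration is the authority's published endorsement that one voter key may cast one ballot.
type Registration struct {
	VoterPub ed25519.PublicKey
	AuthSig  []byte // authority signature over VoterPub
}

// Ballot is a voter's published choice, signed with the key the authority endorsed.
type Ballot struct {
	VoterPub ed25519.PublicKey
	Choice   string
	Sig      []byte // voter signature over ballotMessage(Choice)
}

// ballotMessage is the constructed byte string a voter signs (prefix is an assumption).
func ballotMessage(choice string) []byte { return []byte("ballot:" + choice) }

// Tally replays the public record the way an independent observer would: a ballot counts
// only if its key was endorsed by the authority, its signature verifies, and the key has
// not already voted. Everything else is rejected and counted as such.
func Tally(authPub ed25519.PublicKey, regs []Registration, ballots []Ballot) (counts map[string]int, rejected int) {
	registered := map[string]bool{}
	for _, r := range regs {
		if ed25519.Verify(authPub, r.VoterPub, r.AuthSig) {
			registered[hex.EncodeToString(r.VoterPub)] = true
		}
	}
	counts = map[string]int{}
	used := map[string]bool{}
	for _, b := range ballots {
		k := hex.EncodeToString(b.VoterPub)
		switch {
		case !registered[k]:
			rejected++ // key never endorsed by the authority
		case used[k]:
			rejected++ // second ballot from the same key
		case len(b.VoterPub) != ed25519.PublicKeySize || !ed25519.Verify(b.VoterPub, ballotMessage(b.Choice), b.Sig):
			rejected++ // choice does not match what the voter actually signed
		default:
			used[k] = true
			counts[b.Choice]++
		}
	}
	return counts, rejected
}

// Demo builds a constructed record: two registered voters, one unregistered key, one
// duplicate ballot and one ballot whose choice was altered after it was signed.
func Demo() (map[string]int, int) {
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader)
	newKey := func() (ed25519.PublicKey, ed25519.PrivateKey) {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		return pub, priv
	}
	register := func(pub ed25519.PublicKey) Registration {
		return Registration{VoterPub: pub, AuthSig: ed25519.Sign(authPriv, pub)}
	}
	cast := func(pub ed25519.PublicKey, priv ed25519.PrivateKey, choice string) Ballot {
		return Ballot{VoterPub: pub, Choice: choice, Sig: ed25519.Sign(priv, ballotMessage(choice))}
	}
	alicePub, alicePriv := newKey()
	bobPub, bobPriv := newKey()
	strayPub, strayPriv := newKey() // never registered

	regs := []Registration{register(alicePub), register(bobPub)}
	altered := cast(alicePub, alicePriv, "B")
	altered.Choice = "A" // relabelled after signing: the signature no longer matches
	ballots := []Ballot{
		altered,
		cast(alicePub, alicePriv, "A"),
		cast(bobPub, bobPriv, "B"),
		cast(bobPub, bobPriv, "A"), // Bob's second ballot
		cast(strayPub, strayPriv, "A"),
	}
	return Tally(authPub, regs, ballots)
}

func main() {
	counts, rejected := Demo()
	fmt.Println("counted:", counts, "rejected:", rejected) // A:1 B:1, 3 rejected
}
```

Because registrations, ballots and the authority's public key are all public, anyone can rerun Tally and get the same answer, which is the property the scheme is selling. What the code cannot do is tell a genuine registration from one minted by whoever holds the authority's signing key, so the offline, human-reviewed batch process Phyphor describes is load-bearing rather than optional.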

  • Sleep Registered User regular
    Feral wrote: »
    Jebus, it isn't so much that there's a fundamental flaw, it's that you're doing this:

    physicists.png

    You don't have to be an expert in information security to contribute to this topic, but I think your ignorance of the field has led you to not only severely underestimate the vulnerabilities in the methods you've proposed, but also underestimate just how nitpicky information security can get.

    Information security requires a method of thought where you specifically look for weaknesses in a process and acknowledge those weaknesses. You might compare them to weaknesses in a competing process, or you might find ways to mitigate those weaknesses. "Poking holes in [my] suggestions" and "attacking individual points" are essential to the topic.

    Edit: minor terminology shift

    I work in QA; it is literally my job to poke holes in information systems to break them, not even at a security level but at a functional level.

    I have never once in all my years seen a release without known bugs.

  • Jebus314 Registered User regular
    edited July 2018
    Feral wrote: »
    Jebus, it isn't so much that there's a fundamental flaw, it's that you're doing this:

    physicists.png

    You don't have to be an expert in information security to contribute to this topic, but I think your ignorance of the field has led you to not only severely underestimate the vulnerabilities in the methods you've proposed, but also underestimate just how nitpicky information security can get.

    Information security requires a method of thought where you specifically look for weaknesses in a process and acknowledge those weaknesses. You might compare them to weaknesses in a competing process, or you might find ways to mitigate those weaknesses. "Poking holes in [my] suggestions" and "attacking individual points" are essential to the topic.

    Edit: minor terminology shift

    The issue I have though, and maybe this is my fault, is that I haven't been trying to argue that I have everything figured out. I'm just spitballing ideas. But everyone who responds seems to be resolute in that it simply isn't possible and if only I had even a basic understanding of the topic I would also know that it isn't possible. It just seems too conclusive to me, like the topic should simply be closed because you can point out holes in the ideas that I came up with.

    And again maybe this is my fault. To be clear I do not think I have all the answers or that there would be some simple solution to making electronic or internet voting secure. And normally I would welcome the input in the ways in which my ideas are not yet resilient. That's the whole reason I post here. To have people point out what I'm not seeing so that I can adjust my ideas. It's just this attitude I am perceiving about how it's completely obvious to anyone who has even a little cryptography background that the whole thing is just a non-starter.

    "The world is a mess, and I just need to rule it" - Dr Horrible
  • Jebus314 Registered User regular
    Feral wrote: »
    Jebus314 wrote: »
    I don't really want to continue down the road of attacking individual points because it is a lot of work, but I feel like there is a disconnect here. Many of the responses I am getting are acting as if there is some fundamental issue with cyber-security that can not be overcome, and that by poking holes in my suggestions you have illustrated this fundamental flaw. I just don't see it that way. I am not a cyber security expert and I'm willing to admit that I have underestimated how close we are to having a workable system, but just because I don't have a full proof plan doesn't mean that it's not possible.

    I mean just as an example (and again I am not trying to defend or discount all of your points), look at the bolded. You are insinuating that PINs are fundamentally flawed.

    I didn't say that. That's a misinterpretation of my post.

    It depends on how the PIN is used.
    Jebus314 wrote: »
    So you say banking is totes different, but why?

    I explained that upthread.

    If your bank account is compromised, it doesn't directly affect me.

    If your vote is compromised, it does.

    Just out of curiosity what was your point about PINs? I was putting it forward as a second method of authentication for voting (or for anytime I use my SSN), and you seemed to be implying that because someone might be able to steal it (by hacking someone who uses it) it's ineffective as a more secure form of authentication. To which I replied by saying that it seems to work well enough in other areas, so why would it be ineffective here?

    Also as a side point, would we need to let Equifax log that information, or could you have the Social Security Administration provide the authentication (and thus have the actual PIN saved) and Equifax just use an SSA authenticator?

    As for the bank account I don't understand why that is a meaningful difference. We want to avoid large amounts of people having their money stolen the same as we want to avoid having elections rigged. I know that election fraud by default affects everyone, but I fail to see why that is worse than everyone just being afraid they might be one of the unlucky ones who gets ripped off. Both seem bad and like they should be avoided. One uses the internet and still manages to do a very good job of avoiding the bad outcome. Seems like an apt comparison to me.

    "The world is a mess, and I just need to rule it" - Dr Horrible
  • Mvrck Dwarven Mountainhome Registered User regular
    edited July 2018
    Jebus314 wrote: »
    Feral wrote: »
    Jebus, it isn't so much that there's a fundamental flaw, it's that you're doing this:

    physicists.png

    You don't have to be an expert in information security to contribute to this topic, but I think your ignorance of the field has led you to not only severely underestimate the vulnerabilities in the methods you've proposed, but also underestimate just how nitpicky information security can get.

    Information security requires a method of thought where you specifically look for weaknesses in a process and acknowledge those weaknesses. You might compare them to weaknesses in a competing process, or you might find ways to mitigate those weaknesses. "Poking holes in [my] suggestions" and "attacking individual points" are essential to the topic.

    Edit: minor terminology shift

    The issue I have though, and maybe this is my fault, is that I haven't been trying to argue that I have everything figured out. I'm just spitballing ideas. But everyone who responds seems to be resolute in that it simply isn't possible and if only I had even a basic understanding of the topic I would also know that it isn't possible. It just seems too conclusive to me, like the topic should simply be closed because you can point out holes in the ideas that I came up with.

    And again maybe this is my fault. To be clear I do not think I have all the answers or that there would be some simple solution to making electronic or internet voting secure. And normally I would welcome the input in the ways in which my ideas are not yet resilient. That's the whole reason I post here. To have people point out what I'm not seeing so that I can adjust my ideas. It's just this attitude I am perceiving about how it's completely obvious to anyone who has even a little cryptography background that the whole thing is just a non-starter.

    Jebus man, like, it's not that there isn't a simple solution. It's that there isn't even a reliable complicated solution. Going back to the DDOS attack thing, look at it this way: Amazon, the world's largest provider of on demand computing power (AWS has more market share than GCloud and Azure combined) couldn't even keep up with demand on their own website for Prime Day today.

    Sure, there's probably some DDOS going on in there, but a vast, vast majority of that is just pure demand driven hits. Now go pure digital and the US is basically setting the largest, brightest digital bullseye up for every Russian and Chinese bot network. You would be incredibly lucky if anyone was able to vote at all. The resources it takes to DDOS are insanely low (Possibly exponentially lower, though I'm not 100% sure on the math?) compared to the resources it takes to properly host and serve legitimate requests. And that's just problem #1.

    Any real, proper authorization will require two factor authentication. Which means having the capability of distributing an authentication FOB to every registered voter, because poll taxes are illegal. Which means hardening and securing the FOBS as well. And since we're on the topic of hardening...

    It was discussed earlier in the thread, but it really, really needs to be reiterated - every single processor or logic chip in every motherboard that is going to touch this voting system has to be verified as secure. Which means we basically need to award Intel a monopoly contract on all production of such, because I believe they are the only US based manufacturer who still makes their own chips in the States (Maybe TI, but I don't know if they have the capabilities to do what is needed). AMD's production company was spun off and is owned by the UAE (literally). So you have to basically have an entire division group of incredibly specialized and in demand engineers and workers who have to pass what would probably be the most rigorous CI background checks the FBI could perform, continually.

    And then repeat that process for every keyboard, monitor, mouse, network device (hahahaha), headphone/microphone jack (because blind people need to be able to use these systems), USB ports (because you have to have some way to get your software onto the system), not to mention the BIOS, RAM, and even hard drives. You have to secure the entire production lines of all of those items, in perpetuity. On top of that, because they are networked devices, you have to also force them to automatically accept and install updates to make sure that any vulnerabilities discovered are also addressed. And if that wasn't enough, forced updates just create another vulnerability, because then all it takes is one bad update and at best a mistake in the code just bricked your entire voting system.

    At worst you've given any foreign state complete control.

    All of this hasn't even gotten into distribution logistics, cost, accessibility, ease of use, verification (which will be literally impossible to accomplish while still allowing votes to be anonymous), absentee voting and probably a half dozen things none of us here have even considered yet.


    Edit: I think the best way to phrase it is this - digital voting is a way to reduce the manpower required in the voting process, but the manpower requirement is literally the single greatest security feature you can have. The more people that have eyes on a physical object, the harder it is to tamper with. With a national electronic system, all it takes is one dude in the right place at the wrong time having a bad day and his boss treating him like shit and the whole system is gone.

  • Clipse Registered User regular
    edited July 2018
    Jebus314 wrote: »
    Feral wrote: »
    Jebus, it isn't so much that there's a fundamental flaw, it's that you're doing this:

    physicists.png

    You don't have to be an expert in information security to contribute to this topic, but I think your ignorance of the field has led you to not only severely underestimate the vulnerabilities in the methods you've proposed, but also underestimate just how nitpicky information security can get.

    Information security requires a method of thought where you specifically look for weaknesses in a process and acknowledge those weaknesses. You might compare them to weaknesses in a competing process, or you might find ways to mitigate those weaknesses. "Poking holes in [my] suggestions" and "attacking individual points" are essential to the topic.

    Edit: minor terminology shift

    The issue I have though, and maybe this is my fault, is that I haven't been trying to argue that I have everything figured out. I'm just spitballing ideas. But everyone who responds seems to be resolute in that it simply isn't possible and if only I had even a basic understanding of the topic I would also know that it isn't possible. It just seems too conclusive to me, like the topic should simply be closed because you can point out holes in the ideas that I came up with.

    And again maybe this is my fault. To be clear I do not think I have all the answers or that there would be some simple solution to making electronic or internet voting secure. And normally I would welcome the input in the ways in which my ideas are not yet resilient. That's the whole reason I post here. To have people point out what I'm not seeing so that I can adjust my ideas. It's just this attitude I am perceiving about how it's completely obvious to anyone who has even a little cryptography background that the whole thing is just a non-starter.

    In terms of the "basic understanding" stuff: any digital vote from home (henceforth VFH) initiative intrinsically relies on the security of the home computers/devices being used to vote, and the current state of home PC security is absolutely abysmal. It's certainly possible that in some future time this won't be as much of an issue -- but it's absolutely something we cannot ignore right now. I also think you're drastically underestimating the difference between petty -- or even organized -- crime and state actors when it comes to the ability to compromise a large number of home computers. The former are the ones going after bank accounts and so forth, while the latter are the ones that may go after -- that at least we certainly need to guard against for -- national elections.

    I'm trying (and perhaps failing) to communicate that issues like these are not simply flaws in a specific approach you've espoused but endemic flaws in any approach that is feasible in the present and near future. (Of course if we set a timeline of decades or longer, it's much harder to meaningfully discuss.) Additionally, I find little value in discussing what could be done if we do the security "perfectly" or "ideally" -- we've seen time and again (and again, and again, and fucking again) that that never happens. We should assume, rather, that there are going to be flaws, and evaluate a potential system not only on how it works if the implementation is the Platonic ideal of that system, but also by considering what is at risk if it falls short of that lofty goal. In this instance, the risk is pretty much a total collapse of faith in our democracy, and the advantage is convenience and maybe some cost savings -- not a good trade, in my opinion.

    Apologies if I was too harsh or dismissive in my posts yesterday; my goal was not to shut you down or exclude you from the conversation, but to illustrate exactly why this is a very difficult problem and seemingly straightforward approaches are typically deeply flawed.

    Edit: Oh no I defined an acronym and then never actually used it *falls on sword*

    PantsBPantsB Fake Thomas Jefferson Registered User regular
    Phyphor wrote: »
    discrider wrote: »
    EvilOtaku wrote: »
    I believe that this is 100% a technologically solvable problem. Though it's probably not feasible in reality as it requires a complete overhaul of the voting infrastructure. That would require a literal act of congress and while we're at it we should get rid of First Past the Post. But I don't want this congress anywhere near the Constitution with a sharpie and some white out.

    I know I'll get laughed off these forums but https://followmyvote.com/ is a blockchain solution (don't roll your eyes too hard). I think it's a clever solution to a very very hard problem.

    Well, for a start, that doesn't appear to be a blockchain.

    But second, it requires the Voter ID authority to recognise your id and then agree with the Voting authority to issue your ballot.
    Aside from just hijacking the voter's computer, the obvious attack vector would be to compromise the Voter ID authority, issue a bunch of false requests to the Voting authority, and then add these verified votes to the database.
    The false requests would need to match people who exist in the Voting authority's records, but you're inside the Voter ID authority already so pulling the relevant data from the shouldn't be an issue.

    Not to mention you still have the problem with disenfranchising people who don't have government IDs.
    And a webcam.

    It appears to be a blockchain. Voters publish a public key, the authority publishes a verification and then the voter publishes their votes signed by their key

    Compromising the authority is not as easy as you might think. There's no need to have that part of it connected to the internet, all of that can happen offline with periodic batch uploads. All the verification requests can be manually reviewed by humans too which again can be on an isolated network and done by batch processing

    A fundamental tenet in democracy is that the voter and vote can't be linked. It's called the secret ballot.

    QEDMF xbl: PantsB G+
    OrcaOrca Also known as Espressosaurus WrexRegistered User regular
    Speaking of backdoors in voting machines, ES&S ("a top voting machine maker in the country") installed PCAnywhere on voting machines between 2002 and 2006 according to Vice.

    I think we have already established why this is an idiotic idea.

    KruiteKruite Registered User regular
    Polaritie wrote: »
    wazilla wrote: »
    Polaritie wrote: »
    wazilla wrote: »
    I do wonder if we aren't already screwed insofar as voter rolls seem to be digital at least in part.

    Doesn't matter much in MN, because you can register at the polls with a very low bar for identification (a neighbor vouching for you is enough).

    Focusing on voter rolls is pointless because 99.9% of people are going to be honest anyways and only vote once at the location they think is correct.

    This is not the case everywhere though.

    There are always stories each cycle of people being turned away at the polls. Sometimes even when they could legally vote or cast a provisional ballot.

    I do contend that modifying voter rolls would represent a serious issue for suffrage.

    Right, I mean the entire idea of having to be registered ahead of time is dumb.

    Actually no, being registered ahead of time lets the counties do their due diligence to check if you are even eligible to vote there.

    SleepSleep Registered User regular
    edited July 2018
    Orca wrote: »
    Speaking of backdoors in voting machines, ES&S ("a top voting machine maker in the country") installed PCAnywhere on voting machines between 2002 and 2006 according to Vice.

    I think we have already established why this is an idiotic idea.

    Fuckin LoL

    Sorry that's unproductive on its own.

    I'm just super jaded to tech idiocy at this point so seeing a fuck up this severe just makes me laugh.

    Like remote access is antithetical to voting machines, and is barely used in competent tech offices because any remote access client present in a system immediately opens an avenue up for attack. PCAnywhere is a name tarnished by a particular vulnerability in the past. Like it used to be in a lot of tech offices that merely putting a remote client on a corporate box was possible grounds for termination.

    NyysjanNyysjan FinlandRegistered User regular
    Kruite wrote: »
    Polaritie wrote: »
    wazilla wrote: »
    Polaritie wrote: »
    wazilla wrote: »
    I do wonder if we aren't already screwed insofar as voter rolls seem to be digital at least in part.

    Doesn't matter much in MN, because you can register at the polls with a very low bar for identification (a neighbor vouching for you is enough).

    Focusing on voter rolls is pointless because 99.9% of people are going to be honest anyways and only vote once at the location they think is correct.

    This is not the case everywhere though.

    There are always stories each cycle of people being turned away at the polls. Sometimes even when they could legally vote or cast a provisional ballot.

    I do contend that modifying voter rolls would represent a serious issue for suffrage.

    Right, I mean the entire idea of having to be registered ahead of time is dumb.

    Actually no, being registered ahead of time lets the counties do their due diligence to check if you are even eligible to vote there.

    Everyone should be registered automatically.

    VoodooVVoodooV Registered User regular
    Man, CIS benchmarks allow for RDP access, it just requires one to lock down who can remote in. But PC anywhere? Ugh. And yeah that's separate from the idiocy of having that on a voting machine.

    That's what gets me about this stuff is that it's done in the name of convenience. Sure, if you're a legitimate election worker, remoting into a machine that's many miles away sure is convenient.

    But at what cost?

    Evoting really doesn't make anything significantly better for the voter. We already have early voting and absentee voting so we're just talking about the difference between using a pencil vs clicking a button. Big deal. Like it or not we still have to deal with millions of older people who are not comfortable with even the most user friendly technology. Sure that may pull away some conservative votes, but that's not how I want to win elections.

    Until cyber security is taken far more seriously, evoting is just a disaster and physical paper ballot security is leaps and bounds better for the foreseeable future.

    If you're just trying to get more people to vote, well technology isn't going to fundamentally make that better even if the security is better. People refuse to vote for a myriad of perceived reasons. I'd rather have my tax money go towards better Civic education, or having a national voting day holiday or a law that mandates that employers must give time off to vote or eliminating voter suppression laws or something more foundational.

    PolaritiePolaritie Sleepy Registered User regular
    Kruite wrote: »
    Polaritie wrote: »
    wazilla wrote: »
    Polaritie wrote: »
    wazilla wrote: »
    I do wonder if we aren't already screwed insofar as voter rolls seem to be digital at least in part.

    Doesn't matter much in MN, because you can register at the polls with a very low bar for identification (a neighbor vouching for you is enough).

    Focusing on voter rolls is pointless because 99.9% of people are going to be honest anyways and only vote once at the location they think is correct.

    This is not the case everywhere though.

    There are always stories each cycle of people being turned away at the polls. Sometimes even when they could legally vote or cast a provisional ballot.

    I do contend that modifying voter rolls would represent a serious issue for suffrage.

    Right, I mean the entire idea of having to be registered ahead of time is dumb.

    Actually no, being registered ahead of time lets the counties do their due diligence to check if you are even eligible to vote there.

    No, it's an unnecessary barrier to voting. Registration at the polls is sufficient. I'm approaching this from the standpoint of how it works in MN, but it's not even a provisional ballot if you do that - just goes in the same scanner as everyone else.

    Steam: Polaritie
    3DS: 0473-8507-2652
    Switch: SW-5185-4991-5118
    PSN: AbEntropy
    tbloxhamtbloxham Registered User regular
    Here is the reason you don't have electronic voting.

    Let's imagine that you have developed a perfectly secure communications system, in which it is IMPOSSIBLE to hijack or prevent user communication with the voting server. Only real voters can vote, using their special token, and there is no risk of, say, someone logging in as someone else and faking out a vote, or hacking the counting totals. The voting system is simple, and easy to understand. Anyone and their grandmother can log in on their home PC or Mac and vote online. Hooray!

    If I'm a hostile power (or a corrupt domestic group) looking at your hard work then all I need to do is switch my attack to somewhere else in the chain. The user's computer itself. I'm going to write a virus and embed it in someone else's shitty software, and get access to their computer. And then, I'm not going to use my control, and will instead just bide my time. I can then do one of a variety of things...

    1) If I'm a conservative group, and I know that liberals are more likely to be using the new vote online tools, I have a simple attack vector. On voting day, if it's after 9 PM and too late to go to a physical poll, then if you turn on your PC and try to go to the voting website then I'm going to lock up your computer for 3 hours.
    2) If I want to be smarter, I'm going to have my virus watch your website activity. If you go to CNN more than Fox news, then on voting day I'm going to delete your wireless modem drivers and make it so you can't install new ones. In fact, I'm going to have a whole suite of 'massive inconvenience' attacks I can use.
    3) If I'm even more sophisticated, I'm going to build myself a little human interface hijacking suite. And what it's going to do is detect when you are on the voting page for president. Then, if you are hovering over the 'Hillary Clinton' box, and click on it, then I'm going to intercede, click 'Trump' instead, and then move your mouse to the 'Confirm' button.

    To be clear, I'm no virus writer, but all these hijacks or similar things are totally possible, and because everyone is 'doing the same thing' and the thing you want to stop is highly consistent, user terminal side attacks are far more realistic.

    "That is cool" - Abraham Lincoln
    FeralFeral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉRegistered User regular
    Jebus314 wrote: »
    The issue I have though, and maybe this is my fault, is that I haven't been trying to argue that I have everything figured out. I'm just spitballing ideas. But everyone who responds seems to be resolute in that it simply isn't possible and if only I had even a basic understanding of the topic I would also know that it isn't possible. It just seems too conclusive to me, like the topic should simply be closed because you can point out holes in the ideas that I came up with.

    I do sympathize with that. I'm arguing that electronic voting at the polling place can be feasible, given good implementation, and it sometimes feels like some of the criticism is just closed-minded. But I also don't necessarily think that my perception of closed-mindedness is always accurate; I'm not saying that people are closed-minded, just that I get how that feels.

    It doesn't feel good.

    One important, salient difference here is that I'm arguing for electronic voting at the polling place while you've argued in favor of voting from home. There are a few general principles here that I think those of us who work in software/IT/information security take as truisms that are informing our reactions to that:

    1) Home computers owned by the general public are untrusted devices, which means we cannot meaningfully control what software is installed on them, whether they have malware, whether they have adequate antivirus protection, whether they're logging in from private networks or public wifi subject to hijacking, etc. There are software tricks you can do to detect some of these issues, like you can check to see if a Windows computer has a known antivirus program installed - but all such tricks can be circumvented and undermined, relatively easily, on untrusted devices.

    As @Clipse mentioned above, around 30% of home computers are compromised at a given point in time. (Estimates range from 25% - 30%.) Most of the owners of these compromised computers have no idea they're compromised, so we can't expect them to just voluntarily walk into a polling place instead.

    2) The general populace is woefully, hilariously, computer illiterate. Just by virtue of posting on this forum, you are likely in the top 10 percentile of computer literacy in the industrialized world.

    About 35% of American working age adults (age 16 - 65) are functionally computer illiterate. Another 35% are capable of only very simple tasks. This is only slightly worse than the average across all OECD countries. (https://www.nngroup.com/articles/computer-skill-levels/)

    I really urge you to read the descriptions of the OECD tests in that Nielsen-Norman Group link. They're depressing.

    Nielsen-Norman also found that about one-quarter of adults cannot successfully execute a Google search.

    In a small study of Stanford undergraduates, about half could not differentiate between a mainstream professional organization and a fake one. (https://www.edweek.org/ew/articles/2016/11/02/why-students-cant-google-their-way-to.html)

    Click-through rates on phishing exercises (that is, how many people fall for a phishing email) vary depending on the sophistication of the exercise but averages around 25-30% are pretty common. (Examples: here, here, and here.) I've also found through my own experience that only about half of people who fail a phishing exercise realize that they failed it (vaguely corroborated here). In my experience, I've also found that there is about 10% of any corporation who will repeatedly fail phishing tests no matter how much you educate them.

    One of my favorite anecdotes from recent years was when a Google search ranking glitch caused a random blog post about Facebook to be the first result on a Google search for the term "Facebook." Within a few hours, that poor blog had accumulated hundreds of angry comments from people who thought that they had arrived at the real Facebook and were confused about how to log in.

    In other words, there were hundreds of people who 1) just Google search for the websites they want to visit instead of using bookmarks or typing in URLs, 2) can't tell when they've arrived at a site that isn't Facebook, and 3) react to this by gibbering into the first comment box they see.

    So no matter how technologically secure your vote-from-home system is, you have a significant portion of the electorate who will happily click on a random link sent to them by email. Even if such a link doesn't harvest their information or install malware, if you can distract enough people and make them think that they voted, then you can skew election results.

    3) Election hacking is a whole different league from common cybersecurity threats. Most cybersecurity threats just use a low-hanging fruit approach, randomly hitting systems to see what happens. You don't have to be terribly secure to be safe, you just have to be more secure than average. This is even true for banking. If all a criminal wants to do is to skim some money off the banking system, they can send out lazy phishing emails and as long as they get a handful of idiots falling for it, they can dredge up thousands (or in some rare cases, millions) of dollars. Anybody who works in IT or cybersecurity sees a constant steady deluge of these dumb attacks; badly-phrased phishing attacks, or obviously-scripted login attempts on websites using default usernames and credentials. There are even a few websites that turn these attacks into movie-like eye candy (at the expense of accuracy), such as https://threatmap.fortiguard.com/

    When you say "what about online banking?" that is a salient difference. I can protect myself from most online banking attacks by using a complex password, two-factor authentication (though not the common SMS-based two-factor, which is broken, but stuff more like VASCO or Duo), and deleting obvious phishing attempts. These simple measures are good enough to divert most attackers to another, stupider, account holder.

    An election system would have to be secure against what we call "advanced persistent threats", or APTs. The organizations that hacked the DNC during the 2016 election are examples. An APT is highly funded, highly skilled, and highly motivated to compromise a specific system. Their real-world identities are rarely discovered, but they're generally believed to be funded and educated by government agencies. They can work around the clock, purchase expensive equipment, and hire expensive developers. Sometimes we call these "state-level actors."

    APTs work full-time, and defending against them is a full-time job. A well-funded government agency or corporation might be able to protect themselves against an APT with constant system monitoring, frequent system updates, multiple levels of security measures, cybersecurity drills, and swift incident response. Even all those strategies have to be combined with human filtering - doing background checks at the hiring process to reduce the likelihood of accidentally letting in an insider threat.

    Many smaller companies simply accept that they cannot protect against an APT and just hope that an APT would never give enough of a shit about them to make them a target. In IT circles, comments like "my firewall won't protect from state-level actors but it's secure enough" are commonplace.

    The combination of #1 (untrusted devices) with #2 (illiterate device owners) means that defense against an APT is literally impossible.

    Even if you took some of the smartest, most cybersecurity-literate people on this forum and had them design a secure system... 1) APTs are smarter, more experienced, better funded, and have more time and 2) you can get home users to do the IT equivalent of punching themselves in the dick with nothing but a phone call.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
    enlightenedbumenlightenedbum Registered User regular
    Self-righteousness is incompatible with coalition building.
    Knight_Knight_ Dead Dead Dead Registered User regular
    Motherboard contacted two of the top vendors—Hart InterCivic and Dominion—to verify this, but neither responded. However, Douglas Jones, professor of computer science at the University of Iowa and a longtime expert on voting machines confirmed that other companies did routinely install remote-access software during this period.

    “Certainly, [Diebold Election Systems] did the same, and I'd assume the others did too,” he told Motherboard. “In the case of [Diebold], many of their contracts with customers included the requirement of a remote-login port allowing [the company] to have remote access to the customer system in order to allow customer support.”

    hahahaha who knows who won 2016.

    Void SlayerVoid Slayer Very Suspicious Registered User regular
    I know for my precinct we have scantron readers at the polling place and each voter puts their cards in themselves, then it drops into a locked box at the bottom. Results are available very quickly but they can go through and verify each box against the data in a particular scantron machine.

    Of course some boxes still end up in rivers occasionally....

    He's a shy overambitious dog-catcher on the wrong side of the law. She's an orphaned psychic mercenary with the power to bend men's minds. They fight crime!
    enlightenedbumenlightenedbum Registered User regular
    Knight_ wrote: »
    Motherboard contacted two of the top vendors—Hart InterCivic and Dominion—to verify this, but neither responded. However, Douglas Jones, professor of computer science at the University of Iowa and a longtime expert on voting machines confirmed that other companies did routinely install remote-access software during this period.

    “Certainly, [Diebold Election Systems] did the same, and I'd assume the others did too,” he told Motherboard. “In the case of [Diebold], many of their contracts with customers included the requirement of a remote-login port allowing [the company] to have remote access to the customer system in order to allow customer support.”

    hahahaha who knows who won 2016.

    Well, most places have some kind of record outside the machines as well.

    But not Pennsylvania.

    I would not be surprised if Wisconsin were won on pure disenfranchisement, Pennsylvania was won by just outright fraud, which just leaves ...my home state.

    Self-righteousness is incompatible with coalition building.
    discriderdiscrider Registered User regular
    Phyphor wrote: »
    discrider wrote: »
    EvilOtaku wrote: »
    I believe that this is 100% a technologically solvable problem. Though it's probably not feasible in reality as it requires a complete overhaul of the voting infrastructure. That would require a literal act of congress and while we're at it we should get rid of First Past the Post. But I don't want this congress anywhere near the Constitution with a sharpie and some white out.

    I know I'll get laughed off these forums but https://followmyvote.com/ is a blockchain solution (don't roll your eyes too hard). I think it's a clever solution to a very very hard problem.

    Well, for a start, that doesn't appear to be a blockchain.

    But second, it requires the Voter ID authority to recognise your id and then agree with the Voting authority to issue your ballot.
    Aside from just hijacking the voter's computer, the obvious attack vector would be to compromise the Voter ID authority, issue a bunch of false requests to the Voting authority, and then add these verified votes to the database.
    The false requests would need to match people who exist in the Voting authority's records, but you're inside the Voter ID authority already so pulling the relevant data from the shouldn't be an issue.

    Not to mention you still have the problem with disenfranchising people who don't have government IDs.
    And a webcam.

    It appears to be a blockchain. Voters publish a public key, the authority publishes a verification and then the voter publishes their votes signed by their key

    Compromising the authority is not as easy as you might think. There's no need to have that part of it connected to the internet, all of that can happen offline with periodic batch uploads. All the verification requests can be manually reviewed by humans too which again can be on an isolated network and done by batch processing

    Nah, private blockchains are not blockchains at all.
    They're just linked lists that are publicly viewable, whose tech could be replaced with any database but whose devs are riding the 'blockchain' buzzword as hard as they can.
    On the other hand, it means that they're useful for something.

    In any case the proposed solution is:
    ID Auth Public key -> voter
    Voter ID -> ID Auth
    ID Auth voter permission request -> Vote Running body
    Vote Running's Ballot permission -> ID Auth
    ID Auth ballot permission -> Voter
    Vote -> ID Auth
    (ID Auth vote number -> Voter so someone can change the vote at a later date)

    If there was a batch, then voters would need to be aware of the delay (or instead not be able to vote).
    I imagine even if people were told to set up the software beforehand, that a not insignificant portion would still attempt to put their ID through the day of the vote.

    I also don't see how you would airgap the ID checking part of the ID Authority.
    People are using an ID number and facial recognition to prove that they are who they say they are, so unless the webcam is spitting the facial heuristics into a paper bin somewhere to then be matched against the face database, then that face matching system is still networked to the internet, and an attacker could still attack it to authenticate themselves with someone else's creds before stuffing it into the feed to the Voting Authority and waiting for their stolen ballot to arrive.

    tbloxhamtbloxham Registered User regular

    discrider wrote: »
    Phyphor wrote: »
    discrider wrote: »
    EvilOtaku wrote: »
    I believe that this is 100% a technologically solvable problem. Though it's probably not feasible in reality as it requires a complete overhaul of the voting infrastructure. That would require a literal act of congress and while we're at it we should get rid of First Past the Post. But I don't want this congress anywhere near the Constitution with a sharpie and some white out.

    I know I'll get laughed off these forums but https://followmyvote.com/ is a blockchain solution (don't roll your eyes too hard). I think it's a clever solution to a very very hard problem.

    Well, for a start, that doesn't appear to be a blockchain.

    But second, it requires the Voter ID authority to recognise your id and then agree with the Voting authority to issue your ballot.
    Aside from just hijacking the voter's computer, the obvious attack vector would be to compromise the Voter ID authority, issue a bunch of false requests to the Voting authority, and then add these verified votes to the database.
    The false requests would need to match people who exist in the Voting authority's records, but you're inside the Voter ID authority already so pulling the relevant data from the shouldn't be an issue.

    Not to mention you still have the problem with disenfranchising people who don't have government IDs.
    And a webcam.

    It appears to be a blockchain. Voters publish a public key, the authority publishes a verification and then the voter publishes their votes signed by their key

    Compromising the authority is not as easy as you might think. There's no need to have that part of it connected to the internet, all of that can happen offline with periodic batch uploads. All the verification requests can be manually reviewed by humans too which again can be on an isolated network and done by batch processing

    Nah, private blockchains are not blockchains at all.
    They're just linked lists that are publicly viewable, whose tech could be replaced with any database but whose devs are riding the 'blockchain' buzzword as hard as they can.
    On the other hand, it means that they're useful for something.

    In any case the proposed solution is:
    ID Auth Public key -> voter
    Voter ID -> ID Auth
    ID Auth voter permission request -> Vote Running body
    Vote Running's Ballot permission -> ID Auth
    ID Auth ballot permission -> Voter
    Vote -> ID Auth
    (ID Auth vote number -> Voter so someone can change the vote at a later date)

    If there was a batch, then voters would need to be aware of the delay (or instead not be able to vote).
    I imagine even if people were told to set up the software beforehand, that a not insignificant portion would still attempt to put their ID through the day of the vote.

    I also don't see how you would airgap the ID checking part of the ID Authority.
    People are using an ID number and facial recognition to prove that they are who they say they are, so unless the webcam is spitting the facial heuristics into a paper bin somewhere to then be matched against the face database, then that face matching system is still networked to the internet, and an attacker could still attack it to authenticate themselves with someone else's creds before stuffing it into the feed to the Voting Authority and waiting for their stolen ballot to arrive.

    And again, even if the voting side of things is perfectly secure and can never be hacked, you just hack the users computer instead. Even if you can't generate 'false votes' for your candidate due to say the voting procedure being...

    A person must speak, on camera, while matching their facial ID a command phrase AND their vote choice...

    Then you just say, cause all computers which think they are in large cities to crash repeatedly on voting day. Or mess up the install of the web camera drivers so your perfect voting system can't communicate with it for authentication. Or make it so that the monitor displays the wrong 'command phrase' by hacking the GPU. And so on.

    "That is cool" - Abraham Lincoln
    FeralFeral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉRegistered User regular
    discrider wrote: »
    Nah, private blockchains are not blockchains at all.
    They're just linked lists that are publicly viewable, whose tech could be replaced with any database but whose devs are riding the 'blockchain' buzzword as hard as they can.
    On the other hand, it means that they're useful for something.

    Private blockchains are still blockchains, and are not directly replaceable by any arbitrary database, if (and only if) newer records are cryptographically dependent upon older records.

    I'm not saying that followmyvote is (or is not) doing that. I'm just saying that if you meant to make a general claim about blockchain technology (rather than a specific claim about followmyvote) then your claim is inaccurate.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
    discriderdiscrider Registered User regular
    edited July 2018
    tbloxham wrote: »
    discrider wrote: »
    Phyphor wrote: »
    discrider wrote: »
    EvilOtaku wrote: »
    I believe that this is 100% a technologically solvable problem. Though it's probably not feasible in reality as it requires a complete overhaul of the voting infrastructure. That would require a literal act of congress and while we're at it we should get rid of First Past the Post. But I don't want this congress anywhere near the Constitution with a sharpie and some white out.

    I know I'll get laughed off these forums but https://followmyvote.com/ is a blockchain solution (don't roll your eyes too hard). I think it's a clever solution to a very very hard problem.

    Well, for a start, that doesn't appear to be a blockchain.

    But second, it requires the Voter ID authority to recognise your ID and then agree with the Voting authority to issue your ballot.
    Aside from just hijacking the voter's computer, the obvious attack vector would be to compromise the Voter ID authority, issue a bunch of false requests to the Voting authority, and then add these verified votes to the database.
    The false requests would need to match people who exist in the Voting authority's records, but you're inside the Voter ID authority already so pulling the relevant data from the shouldn't be an issue.

    Not to mention you still have the problem with disenfranchising people who don't have government IDs.
    And a webcam.

    It appears to be a blockchain. Voters publish a public key, the authority publishes a verification and then the voter publishes their votes signed by their key

    Compromising the authority is not as easy as you might think. There's no need to have that part of it connected to the internet, all of that can happen offline with periodic batch uploads. All the verification requests can be manually reviewed by humans too which again can be on an isolated network and done by batch processing

    Nah, private blockchains are not blockchains at all.
    They're just linked lists that are publicly viewable, whose tech could be replaced with any database but whose devs are riding the 'blockchain' buzzword as hard as they can.
    On the other hand, it means that they're useful for something.

    In any case the proposed solution is:
    ID Auth Public key -> voter
    Voter ID -> ID Auth
    ID Auth voter permission request -> Vote Running body
    Vote Running's Ballot permission -> ID Auth
    ID Auth ballot permission -> Voter
    Vote -> ID Auth
    (ID Auth vote number -> Voter so someone can change the vote at a later date)

    If there was a batch, then voters would need to be aware of the delay (or instead not be able to vote).
    I imagine even if people were told to set up the software beforehand, that a not insignificant portion would still attempt to put their ID through the day of the vote.

    I also don't see how you would airgap the ID checking part of the ID Authority.
    People are using an ID number and facial recognition to prove that they are who they say they are, so unless the webcam is spitting the facial heuristics into a paper bin somewhere to then be matched against the face database, then that face matching system is still networked to the internet, and an attacker could still attack it to authenticate themselves with someone else's creds before stuffing it into the feed to the Voting Authority and waiting for their stolen ballot to arrive.

    And again, even if the voting side of things is perfectly secure and can never be hacked, you just hack the user's computer instead. Even if you can't generate 'false votes' for your candidate due to, say, the voting procedure being...

    A person must speak, on camera, while matching their facial ID a command phrase AND their vote choice...

    Then you just, say, cause all computers which think they are in large cities to crash repeatedly on voting day. Or mess up the install of the web camera drivers so your perfect voting system can't communicate with it for authentication. Or make it so that the monitor displays the wrong 'command phrase' by hacking the GPU. And so on.

    Well, yes.
    But aside from duplicating the voting app distribution entirely with some malicious vector, and somehow not being detected doing so, I'm a little bit hesitant to say that a loose network of compromised voters could be used to affect an election in a meaningful manner.

    discrider Registered User regular
    edited July 2018
    Feral wrote: »
    discrider wrote: »
    Nah, private blockchains are not blockchains at all.
    They're just linked lists that are publicly viewable, whose tech could be replaced with any database but whose devs are riding the 'blockchain' buzzword as hard as they can.
    On the other hand, it means that they're useful for something.

    Private blockchains are still blockchains, and are not directly replaceable by any arbitrary database, if (and only if) newer records are cryptographically dependent upon older records.

    I'm not saying that followmyvote is (or is not) doing that. I'm just saying that if you meant to make a general claim about blockchain technology (rather than a specific claim about followmyvote) then your claim is inaccurate.

    I'll cede the point if the private blockchain has any need of mining or some other means of settling on a consensus, and if that private blockchain, which implicitly trusts the people adding blocks in, has a reason to need a system of settling conflicts due to inherent distrust.

    That is, if it doesn't use Proof Of X, then it's not blockchain, as that's blockchain's only innovation.
    And private blockchains have little need of Proof Of X.

    Aioua (Ora Occidens Ora Optima) Registered User regular
    discrider wrote: »
    Feral wrote: »
    discrider wrote: »
    Nah, private blockchains are not blockchains at all.
    They're just linked lists that are publicly viewable, whose tech could be replaced with any database but whose devs are riding the 'blockchain' buzzword as hard as they can.
    On the other hand, it means that they're useful for something.

    Private blockchains are still blockchains, and are not directly replaceable by any arbitrary database, if (and only if) newer records are cryptographically dependent upon older records.

    I'm not saying that followmyvote is (or is not) doing that. I'm just saying that if you meant to make a general claim about blockchain technology (rather than a specific claim about followmyvote) then your claim is inaccurate.

    I'll cede the point if the private blockchain has any need of mining or some other means of settling on a consensus, and if that private blockchain, which implicitly trusts the people adding blocks in, has a reason to need a system of settling conflicts due to inherent distrust.

    That is, if it doesn't use Proof Of X, then it's not blockchain, as that's blockchain's only innovation.
    And private blockchains have little need of Proof Of X.

    There are two features that defined the original Bitcoin block chain, the proof of X and, as Feral mentioned:
    newer records are cryptographically dependent upon older records.

    The proof parts are only necessary if you're trying to make a system with no central authority, which is a case not likely to be necessary outside of cryptocurrency, and certainly doesn't apply to a voting system.

    The other feature is the one that has some possibly useful applications in the wider world, mainly in cases where you want a highly tamper resistant database, even against tampering by a write-authorized user. Since changing one entry requires recalculating every subsequent entry (ideally with a process that is fast enough to handle recording new transactions as they come in but computationally intensive enough that reflowing the database is extremely slow).

    Granted I'm not sure if we'll ever see that used anywhere and there might be better solutions out there but 'blockchain' is as good as anything else to call a database like that. It's certainly more similar to the Bitcoin blockchain than it is to SQL.

    life's a game that you're bound to lose / like using a hammer to pound in screws
    fuck up once and you break your thumb / if you're happy at all then you're god damn dumb
    that's right we're on a fucked up cruise / God is dead but at least we have booze
    bad things happen, no one knows why / the sun burns out and everyone dies
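    An added example, not from this thread or from followmyvote, of the hash-chained "tamper resistant database" Aioua describes: each record's hash covers the previous record's hash, so a crude edit is caught at the first broken link, while an insider who recomputes every later hash is caught only if the chain head was published somewhere the writer cannot alter (the job consensus does in a public chain). The record layout, SHA-256 and the sample ballot rows are all constructed for this illustration.

```python
import copy
import hashlib
import json

GENESIS_HASH = "0" * 64  # stand-in for the hash "before" the first record


def record_hash(prev_hash, index, payload):
    """Hash of one record: binds the payload to its position and to the previous record's hash."""
    body = json.dumps({"prev": prev_hash, "index": index, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append_record(chain, payload):
    """Append a payload as the next record; returns the new chain head hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_HASH
    index = len(chain)
    chain.append({"index": index, "prev": prev_hash, "payload": payload,
                  "hash": record_hash(prev_hash, index, payload)})
    return chain[-1]["hash"]


def verify_chain(chain, anchored_head=None):
    """Walk the chain from genesis. Returns (True, None) if every link checks out, otherwise
    (False, index of the first bad record). If anchored_head (a head hash published out of the
    writer's reach) is given, the recomputed head must match it too; a mismatch is reported
    with index len(chain)."""
    prev_hash = GENESIS_HASH
    for i, rec in enumerate(chain):
        if rec["index"] != i or rec["prev"] != prev_hash:
            return False, i
        if rec["hash"] != record_hash(prev_hash, i, rec["payload"]):
            return False, i
        prev_hash = rec["hash"]
    if anchored_head is not None and prev_hash != anchored_head:
        return False, len(chain)
    return True, None


def rewrite_from(chain, index, new_payload):
    """What a write-authorised insider can do: change one record and recompute every later
    hash. The chain is internally consistent again, so only an external copy of the old head
    reveals the rewrite. Returns the new head hash."""
    chain[index]["payload"] = new_payload
    prev_hash = chain[index - 1]["hash"] if index else GENESIS_HASH
    for i in range(index, len(chain)):
        chain[i]["prev"] = prev_hash
        chain[i]["hash"] = record_hash(prev_hash, i, chain[i]["payload"])
        prev_hash = chain[i]["hash"]
    return prev_hash


def build_sample_chain():
    """Constructed sample: three pseudonymous ballot records (not real data)."""
    chain = []
    for voter_id, choice in [("v-001", "A"), ("v-002", "B"), ("v-003", "A")]:
        append_record(chain, {"voter": voter_id, "choice": choice})
    return chain


def demo():
    """Run the three cases and return what verification reports for each."""
    chain = build_sample_chain()
    published_head = chain[-1]["hash"]  # e.g. handed to observers at close of polls

    intact = verify_chain(chain, published_head)  # untouched chain verifies

    crude = copy.deepcopy(chain)  # edit one payload, leave later hashes alone
    crude[1]["payload"]["choice"] = "A"
    crude_result = verify_chain(crude)  # caught at record 1

    insider = copy.deepcopy(chain)  # edit and recompute everything downstream
    rewrite_from(insider, 1, {"voter": "v-002", "choice": "A"})
    insider_unanchored = verify_chain(insider)  # looks fine on its own
    insider_anchored = verify_chain(insider, published_head)  # head mismatch

    return {"intact": intact, "crude": crude_result,
            "insider_unanchored": insider_unanchored, "insider_anchored": insider_anchored}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```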
    Polaritie (Sleepy) Registered User regular
    edited July 2018
    Aioua wrote: »
    discrider wrote: »
    Feral wrote: »
    discrider wrote: »
    Nah, private blockchains are not blockchains at all.
    They're just linked lists that are publicly viewable, whose tech could be replaced with any database but whose devs are riding the 'blockchain' buzzword as hard as they can.
    On the other hand, it means that they're useful for something.

    Private blockchains are still blockchains, and are not directly replaceable by any arbitrary database, if (and only if) newer records are cryptographically dependent upon older records.

    I'm not saying that followmyvote is (or is not) doing that. I'm just saying that if you meant to make a general claim about blockchain technology (rather than a specific claim about followmyvote) then your claim is inaccurate.

    I'll cede the point if the private blockchain has any need of mining or some other means of settling on a consensus, and if that private blockchain, which implicitly trusts the people adding blocks in, has a reason to need a system of settling conflicts due to inherent distrust.

    That is, if it doesn't use Proof Of X, then it's not blockchain, as that's blockchain's only innovation.
    And private blockchains have little need of Proof Of X.

    There are two features that defined the original Bitcoin block chain, the proof of X and, as Feral mentioned:
    newer records are cryptographically dependent upon older records.

    The proof parts are only necessary if you're trying to make a system with no central authority, which is a case not likely to be necessary outside of cryptocurrency, and certainly doesn't apply to a voting system.

    The other feature is the one that has some possibly useful applications in the wider world, mainly in cases where you want a highly tamper resistant database, even against tampering by a write-authorized user. Since changing one entry requires recalculating every subsequent entry (ideally with a process that is fast enough to handle recording new transactions as they come in but computationally intensive enough that reflowing the database is extremely slow).

    Granted I'm not sure if we'll ever see that used anywhere and there might be better solutions out there but 'blockchain' is as good as anything else to call a database like that. It's certainly more similar to the Bitcoin blockchain than it is to SQL.

    The thing is that the blockchain is not meaningfully different from a standard block cipher, except that (iirc) it's using the signature operation rather than encryption. Cipher block chaining is a very old technique. The novel part is the distribution of trust via proof of X.

    Steam: Polaritie
    3DS: 0473-8507-2652
    Switch: SW-5185-4991-5118
    PSN: AbEntropy
    SanderJK (Crocodylus Pontifex Sinterklasicus, Madrid, 3000 AD) Registered User regular
    My own country just spent 3 years and several million euros on a taskforce for electronic voting, because the previous minister was also very optimistic that a solution could be found with all the exciting new technological options.

    And the outcome was "Please don't do this"

    And this with the added fact that the Netherlands already has a pretty robust personal governmental login system (Which will improve security wise over the next few years, currently there is a flaw with it using SMS as 2FA, which is vulnerable to some forms of attacks).

    The solution is simpler:
    Spend more on elections. Over here we spend about $3.2 per capita per election. The return for that is the following:
    -99.8 percent of people get a voting card mailed to them
    -In national elections, voting can be done in any precinct in your municipality with that card, and with 1 extra form, in all other polling places.
    -Polling places have to be within 1km for the vast majority of people. Special care is taken to put them close to commute hotspots, like major train stations.
    -Waiting time last election, where roughly 81% of the population voted, was avg 3 minutes. I never heard of anyone waiting more than 15mins.
    -Polls are open from 07.00 - 20.00

    Steam: SanderJK Origin: SanderJK
    Giggles_Funsworth (Blight on Discourse, Bay Area Sprawl) Registered User regular
    edited July 2018
    discrider wrote: »
    tbloxham wrote: »
    discrider wrote: »
    Phyphor wrote: »
    discrider wrote: »
    EvilOtaku wrote: »
    I believe that this is 100% a technologically solvable problem. Though it's probably not feasible in reality as it requires a complete overhaul of the voting infrastructure. That would require a literal act of congress and while we're at it we should get rid of First Past the Post. But I don't want this congress anywhere near the Constitution with a sharpie and some white out.

    I know I'll get laughed off these forums but https://followmyvote.com/ is a blockchain solution (don't roll your eyes too hard). I think it's a clever solution to a very very hard problem.

    Well, for a start, that doesn't appear to be a blockchain.

    But second, it requires the Voter ID authority to recognise your ID and then agree with the Voting authority to issue your ballot.
    Aside from just hijacking the voter's computer, the obvious attack vector would be to compromise the Voter ID authority, issue a bunch of false requests to the Voting authority, and then add these verified votes to the database.
    The false requests would need to match people who exist in the Voting authority's records, but you're inside the Voter ID authority already so pulling the relevant data from the shouldn't be an issue.

    Not to mention you still have the problem with disenfranchising people who don't have government IDs.
    And a webcam.

    It appears to be a blockchain. Voters publish a public key, the authority publishes a verification and then the voter publishes their votes signed by their key

    Compromising the authority is not as easy as you might think. There's no need to have that part of it connected to the internet, all of that can happen offline with periodic batch uploads. All the verification requests can be manually reviewed by humans too which again can be on an isolated network and done by batch processing

    Nah, private blockchains are not blockchains at all.
    They're just linked lists that are publicly viewable, whose tech could be replaced with any database but whose devs are riding the 'blockchain' buzzword as hard as they can.
    On the other hand, it means that they're useful for something.

    In any case the proposed solution is:
    ID Auth Public key -> voter
    Voter ID -> ID Auth
    ID Auth voter permission request -> Vote Running body
    Vote Running's Ballot permission -> ID Auth
    ID Auth ballot permission -> Voter
    Vote -> ID Auth
    (ID Auth vote number -> Voter so someone can change the vote at a later date)

    If there was a batch, then voters would need to be aware of the delay (or instead not be able to vote).
    I imagine even if people were told to set up the software beforehand, that a not insignificant portion would still attempt to put their ID through the day of the vote.

    I also don't see how you would airgap the ID checking part of the ID Authority.
    People are using an ID number and facial recognition to prove that they are who they say they are, so unless the webcam is spitting the facial heuristics into a paper bin somewhere to then be matched against the face database, then that face matching system is still networked to the internet, and an attacker could still attack it to authenticate themselves with someone else's creds before stuffing it into the feed to the Voting Authority and waiting for their stolen ballot to arrive.

    And again, even if the voting side of things is perfectly secure and can never be hacked, you just hack the user's computer instead. Even if you can't generate 'false votes' for your candidate due to, say, the voting procedure being...

    A person must speak, on camera, while matching their facial ID a command phrase AND their vote choice...

    Then you just, say, cause all computers which think they are in large cities to crash repeatedly on voting day. Or mess up the install of the web camera drivers so your perfect voting system can't communicate with it for authentication. Or make it so that the monitor displays the wrong 'command phrase' by hacking the GPU. And so on.

    Well, yes.
    But aside from duplicating the voting app distribution entirely with some malicious vector, and somehow not being detected doing so, I'm a little bit hesitant to say that a loose network of compromised voters could be used to affect an election in a meaningful manner.

    Okay. Get a few people with .50 cal rifles, take out a handful of power substations, cause a catastrophic failure that takes out the power for SF, LA, and NY.

    discrider Registered User regular
    discrider wrote: »
    tbloxham wrote: »
    discrider wrote: »
    Phyphor wrote: »
    discrider wrote: »
    EvilOtaku wrote: »
    I believe that this is 100% a technologically solvable problem. Though it's probably not feasible in reality as it requires a complete overhaul of the voting infrastructure. That would require a literal act of congress and while we're at it we should get rid of First Past the Post. But I don't want this congress anywhere near the Constitution with a sharpie and some white out.

    I know I'll get laughed off these forums but https://followmyvote.com/ is a blockchain solution (don't roll your eyes too hard). I think it's a clever solution to a very very hard problem.

    Well, for a start, that doesn't appear to be a blockchain.

    But second, it requires the Voter ID authority to recognise your ID and then agree with the Voting authority to issue your ballot.
    Aside from just hijacking the voter's computer, the obvious attack vector would be to compromise the Voter ID authority, issue a bunch of false requests to the Voting authority, and then add these verified votes to the database.
    The false requests would need to match people who exist in the Voting authority's records, but you're inside the Voter ID authority already so pulling the relevant data from the shouldn't be an issue.

    Not to mention you still have the problem with disenfranchising people who don't have government IDs.
    And a webcam.

    It appears to be a blockchain. Voters publish a public key, the authority publishes a verification and then the voter publishes their votes signed by their key

    Compromising the authority is not as easy as you might think. There's no need to have that part of it connected to the internet, all of that can happen offline with periodic batch uploads. All the verification requests can be manually reviewed by humans too which again can be on an isolated network and done by batch processing

    Nah, private blockchains are not blockchains at all.
    They're just linked lists that are publicly viewable, whose tech could be replaced with any database but whose devs are riding the 'blockchain' buzzword as hard as they can.
    On the other hand, it means that they're useful for something.

    In any case the proposed solution is:
    ID Auth Public key -> voter
    Voter ID -> ID Auth
    ID Auth voter permission request -> Vote Running body
    Vote Running's Ballot permission -> ID Auth
    ID Auth ballot permission -> Voter
    Vote -> ID Auth
    (ID Auth vote number -> Voter so someone can change the vote at a later date)

    If there was a batch, then voters would need to be aware of the delay (or instead not be able to vote).
    I imagine even if people were told to set up the software beforehand, that a not insignificant portion would still attempt to put their ID through the day of the vote.

    I also don't see how you would airgap the ID checking part of the ID Authority.
    People are using an ID number and facial recognition to prove that they are who they say they are, so unless the webcam is spitting the facial heuristics into a paper bin somewhere to then be matched against the face database, then that face matching system is still networked to the internet, and an attacker could still attack it to authenticate themselves with someone else's creds before stuffing it into the feed to the Voting Authority and waiting for their stolen ballot to arrive.

    And again, even if the voting side of things is perfectly secure and can never be hacked, you just hack the user's computer instead. Even if you can't generate 'false votes' for your candidate due to, say, the voting procedure being...

    A person must speak, on camera, while matching their facial ID a command phrase AND their vote choice...

    Then you just, say, cause all computers which think they are in large cities to crash repeatedly on voting day. Or mess up the install of the web camera drivers so your perfect voting system can't communicate with it for authentication. Or make it so that the monitor displays the wrong 'command phrase' by hacking the GPU. And so on.

    Well, yes.
    But aside from duplicating the voting app distribution entirely with some malicious vector, and somehow not being detected doing so, I'm a little bit hesitant to say that a loose network of compromised voters could be used to affect an election in a meaningful manner.

    Okay. Get a few people with .50 cal rifles, take out a handful of power substations, cause a catastrophic failure that takes out the power for SF, LA, and NY.

    ?
    Wouldn't taking out the power or threatening people with guns sabotage a paper election too?
    I can't imagine the cities would handle no traffic signals very well.

    Sleep Registered User regular
    Yeah, that lacks a certain subtlety; it moves from hacking to armed assault.

    discrider Registered User regular
    edited July 2018
    I mean, rendering people's computers inert one way or the other could certainly work, but I expect mass/targeted distribution of malware would not be possible in time for an election.
    I'd sort of expect that the voting app would be released a month or so beforehand, and so a subtle mass infection would take too long.
    Either the attacker would have to work with what they've got or slowly infect vulnerable machines, both of which would likely produce a random scatter across the population which may not have a great enough effect.

    You could also infect the distribution hub so that it distributes a pre-infected voting app.
    Or just build the app poorly so it can be found and exploited easily.

    Giggles_Funsworth (Blight on Discourse, Bay Area Sprawl) Registered User regular
    edited July 2018
    discrider wrote: »
    I mean, rendering people's computers inert one way or the other could certainly work, but I expect mass/targeted distribution of malware would not be possible in time for an election.
    I'd sort of expect that the voting app would be released a month or so beforehand, and so a subtle mass infection would take too long.
    Either the attacker would have to work with what they've got or slowly infect vulnerable machines, both of which would likely produce a random scatter across the population which may not have a great enough effect.

    You could also infect the distribution hub so that it distributes a pre-infected voting app.
    Or just build the app poorly so it can be found and exploited easily.

    Just DOS the local infrastructure in areas you don't want voting on election day.

    Point about the power wasn't so much to say that it wouldn't screw up a normal election, but that the points of failure for something like this are legion.

    You don't have to attack the app, you can attack any number of things to make it unusable on a local level.
