

Modifying an Off-the-Shelf Wireless Router for PDF Ballot Tampering [pdf] - CapitalistCartr
http://galois.com/wp-content/uploads/2014/11/technical-hack-a-pdf.pdf

======
daenney
> Galois applies cutting edge computer science and mathematics to solve
> difficult technological problems.

Is this serious? Essentially what you're saying is "when transmitting a PDF over
an unencrypted transport we can move in and alter it".

This is why we don't do banking over HTTP or any other sensitive transaction.
If it were ever allowed to submit a ballot over an unencrypted connection you
deserve your election to be tampered with.

This comment left by another user on their YouTube video demonstrating this
"hack" is rather to the point:

"So the only thing you've done is validated that things like end-to-end
encryption and digital signatures have a reason for existing. Bravo! I
sincerely hope using unsigned PDFs over plain-text channels, such as are
assumed in this video, aren't even considered to be used for voting? I feel
like this video is purposefully biasing people against digital voting by
omitting the fact that methods and systems to prevent exactly this kind of
tampering have already existed for a long time and are in use for countless
other applications where privacy and authentication matter. There are other
complications with digital voting such as guaranteeing anonymity while
preventing individuals from voting multiple times, but this hack is based on a
retarded way of digital voting. Who even sends e-mails with funny cat pictures
to their uncle over unsecured SMTP anymore?"

~~~
lazaroclapp
They are involved with applying cutting edge research to difficult
technological problems (see e.g.
[http://galois.com/project/proceed/](http://galois.com/project/proceed/) ). I
don't think this paper is an example of that, but more of a way to issue an
expert opinion - supported by a demo - on the risks of what is unfortunately
not an uncommon practice. It might very well be obvious to everyone in HN why
you don't send votes over any clear-text unsigned format over the internet,
but unfortunately it is not obvious to the average voter or politician.

Note that just encrypting the link is not really a good fix in this scenario,
since that makes the server a single point of failure which attackers might
try to subvert if the stakes are high enough. We have indeed solutions even
for that (client-side signatures), but for really high stake elections we run
into much bigger problems: the need to protect vote confidentiality from the
polling authorities themselves, avoiding third-party verifiable proofs-of-vote
because it allows vote buying/selling, allowing first-party verifiable
proofs-of-vote since otherwise fraud is hard to detect, risk of fraud via compromised
clients, etc.
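The client-side signature mentioned above, as an added example that is not code from the paper or from either commenter: the voter's client signs the exact ballot bytes, and the receiving side rejects anything that differs from what was signed, including the kind of on-the-wire rewrite the paper demonstrates. It assumes the receiver already holds the voter's public key through some out-of-band registration step, which the example does not model; the ballot content is a constructed stand-in for a real PDF.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedBallot is what the voter's client sends: the PDF bytes plus a
// signature made with the voter's own key, so the server (or an auditor)
// can detect any change made on the path between them.
type SignedBallot struct {
	PDF       []byte
	Signature []byte
}

// SignBallot runs on the client and signs the exact bytes of the PDF.
func SignBallot(priv ed25519.PrivateKey, pdf []byte) SignedBallot {
	return SignedBallot{PDF: pdf, Signature: ed25519.Sign(priv, pdf)}
}

// VerifyBallot runs on the receiving side: true only if the PDF is
// byte-for-byte what the holder of pub signed.
func VerifyBallot(pub ed25519.PublicKey, b SignedBallot) bool {
	return ed25519.Verify(pub, b.PDF, b.Signature)
}

// TamperInTransit models an on-path device rewriting the ballot while
// leaving the signature untouched (it cannot forge a new one).
func TamperInTransit(b SignedBallot, from, to []byte) SignedBallot {
	return SignedBallot{PDF: bytes.ReplaceAll(b.PDF, from, to), Signature: b.Signature}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for a real ballot PDF (hypothetical content).
	ballot := []byte("%PDF-1.4 /Ballot /Candidate (Alice) %%EOF")
	signed := SignBallot(priv, ballot)
	fmt.Println("intact ballot verifies:", VerifyBallot(pub, signed))
	altered := TamperInTransit(signed, []byte("Alice"), []byte("Bob"))
	fmt.Println("altered ballot verifies:", VerifyBallot(pub, altered))
}
```

The signature only gives integrity and origin; it does not hide the vote from the network or from the receiving server, which is the confidentiality problem the comment goes on to describe.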

