
Bounty Hunt Announced on Swiss eVoting System - tzmudzin
https://onlinevote-pit.ch/details/
======
lolc
The central issue with electronic voting is that it's opaque to observers. You
can't guarantee vote privacy and monitor the counting process at the same time
in electronics. I find that problem alone should mean no electronic voting
should be used at scale.

Further, vote privacy is threatened at the client side. The fact that they
specifically exclude client vulnerabilities is telling: "... known and
accepted characteristics of the system will however not be accepted. Such
“issues” include: Any operation compromising the vote privacy on the client-
side (e.g. browser extension);" They even met "issues" in quotes, even tough
these are a common attack vector. They are real and dangerous.

It's common in Switzerland to vote by mail, so there's the possibility that
people get pressured into voting in a certain way by their relatives. But the
scale is very different when people must expose their voting preferences to a
machine they already know watches them.

~~~
Mirioron
I agree about the risk of client-side vulnerabilities. Another state-level
actor could easily abuse this to influence an election.

On the counting side though, I don't fully agree. Paper voting sees some
enormous mistakes. Whether they are intentional or not, but it has happened
before where an entire town's votes for a candidate missed a zero. No election
observers or people sent from either party noticed it until a volunteer
pointed it out. Electronic voting isn't going to make such mistakes and I
believe that if the process is handled well, then the secrecy of the vote
shouldn't be an issue from the server side.

But again, there's nothing you can do about the client side attack vector.

~~~
sametmax
In your example it worked: a volunteer pointed it out. The volunteer probably
would not have been able to with e-vote.

Who has the skill to be able to assess such a system ? And among those, who
has the time ?

I've been a programmer for 15 years and I'm pretty sure I would not be able to
look at such a system and feel confident there is no error. And definitly not
in the reasonable time period required for voting.

~~~
godelski
> In your example it worked: a volunteer pointed it out. The volunteer
> probably would not have been able to with e-vote.

I believe the parent's example was to show that it was missed by the system
that was intended to catch it. That the catch in itself was a fluke, lucky.

It should bring into question "How many times have we missed and not caught
it?" not "Well it worked this time, it must always work." In fact, we can only
recognize cases if we catch them. Therefore it is confirmation bias to use
this example as a "proof of it working". It can only serve as an example of
"We have caught failures in the system" and suggest that we should be wary of
others existing (neither proving nor disproving fault in the system).

~~~
sametmax
We can't know how many, but we know it's possible. For e-vote, i'm not sure
it's possible. Hell, i can't tell with certainty my own laptop is clean.

------
nairboon
This program is a failure for the get go.

> Scalable manipulation of votes that is undetectable by voters and trusted
> auditors;

Such a bug would be a complete worst-case failure and if you report it, it
would net you up to 50'000 CHF. This is a ridiculously low amount for such a
critical infrastructure. The expected black market value of such a
vulnerability is way way higher. Just to give you a frame of reference, in
Switzerland we have 4 national votes a year and depending on the topic,
affected interest groups and parties spend between 3 to 6 Mio CHF per vote for
ads and influence. Now do the math yourself, whats the expected value of a
vulnerability "undetectable by voters and trusted auditors" in a 10-20 Mio/y
market (just at the national level) for influence?

~~~
TheSpiceIsLife
I am from a far far away land.

Would you mind explaining what _Mio_ means in this context.

~~~
PetitPrince
Mio == million

~~~
TheSpiceIsLife
There are, what, 6 million or so voting age people in Switzerland.

6 million x 3 to 6 million CHF = I’m confused.

1 CHF = about 1 USD?

36,000,000,000,000 CHF four times a year. M

I know I’m very tired. Did I miss something?

~~~
jobigoud
They mean "3 to 6 M per vote" as in per election, not per citizen.

~~~
nairboon
Exactly, on any of the 4 voting days a year, there can be multiple
issues/proposition/topics and for the important ones of those, we see budgets
in the millions

------
biggerfisch
Posted 19h ago:
[https://news.ycombinator.com/item?id=19127631](https://news.ycombinator.com/item?id=19127631)

------
sschueller
Stop trying to fix something that isn't broken.

The paper ballot and manual counting here is Switzerland works and needs no
fixing.

~~~
mittermayr
So did a pair of feet, but the car made things a whole lot easier eventually.
Humanity is only here for a bit, I feel we owe it to ourselves to keep
innovating, regardless of whether or not all of our innovations turn out to be
great.

------
runeks
> An amount of CHF 150'000.- is available for compensations.

Seems to me like this is the wrong approach. Essentially, they’re saying they
they have no idea how much they can pay per bug.

A sensible approach would be to insure bug bounties, at least up to the amount
that a black hat could profit from compromising the system.

~~~
janekm
Good luck getting a legislature to sign off on an unlimited bug bounty budget
though...

~~~
heartbreak
An insurance policy would suffice.

~~~
consp
Good luck insuring this. I'm pretty sure the insurance premium will be the
same as the actual cost.

------
StreakyCobra
Not exactly related to this e-voting system, but more generally there will
probably be a federal popular initiative for a moratorium on e-voting in
Switzerland [1,2]. It is possible (for Swiss citizens) to support the
collection of signatures by registering here [3].

[1]
[https://www.admin.ch/gov/en/start/documentation/events.event...](https://www.admin.ch/gov/en/start/documentation/events.event-
id-7231.html)

[2] [http://e-voting-moratorium.ch/](http://e-voting-moratorium.ch/)

[3] [https://evoting-moratorium.wecollect.ch/](https://evoting-
moratorium.wecollect.ch/)

~~~
born2discover
Oh, that is great to know, thank you!

~~~
chirau
username checks out

------
atemerev
First of all, great news! I live in Switzerland, and this is really good to
hear.

To those who think that 150’000 Fr. compensation is too low — think of the
prestige! Hacking the Swiss voting system, the only direct democracy in the
world! No amount of money is equal to that.

~~~
nostrebored
Right, because extolling political capital from one of the centers of global
banking is definitely not more valuable than a CV blurb

~~~
atemerev
The Swiss are actually ready to shut down the e-voting system for good. This
is the final “military excercise” test; if it will be able to stand the
combined power of the finest hackers of the planet (which is doubtful), it
might survive. But I don’t think so. This is a suicide letter for the system.
At the very least, it will be DDoSed out of existence.

------
mfsch
For a bit more background: The online newspaper Republik recently published a
piece about this project and some of the problems with the company Scytl
providing the system. They provide an English translation of that article:

[https://www.republik.ch/2019/02/07/the-tricky-business-of-
de...](https://www.republik.ch/2019/02/07/the-tricky-business-of-democracy)

------
beefhash
After Geneva made their system available as free software (AGPLv3), I can't
help but feel a tiny bit disappointed about the restrictive terms for the
release of the source code.

------
sosodev
Why is arbitrary code execution worth so little? Isn't that usually considered
the worst bug somebody could find?

~~~
mithr
The way I read it, if you can leverage arbitrary code execution to manipulate
votes, then you can claim one of the higher-paying categories... but if you
can execute code, but can't figure out how to use that to actually affect
votes, they don't care as much.

I can't say I'm 100% sure that's the best strategy, but I think it makes at
least some sense.

