
Security flaw in New South Wales puts thousands of online votes at risk - DiabloD3
https://freedom-to-tinker.com/blog/teaguehalderman/ivote-vulnerability/
======
badsock
It freaks me out that people are so nonchalant about this. Browsers and OSes
get cracked on a regular basis: you can't trust the server, you can't trust
the client, and you can't trust the pipe in between.

There is no voting algorithm in the world that can be trusted in that
environment, full stop.

Seriously, I'd love to hear how I'm wrong. And if not, then how could we
possibly consider handing power over our laws, our courts, our armies, to
whoever manages to figure out how to exploit this first? It's not like there
isn't reams of evidence that people will attempt to rig votes; so if there is
a way, eventually someone will succeed.

Why are people OK with this?

~~~
ecdavis
I have no idea why people are so fixated on electronic voting. Running
elections with paper ballots may be costly, but relative to other costs it's
very little - it's also probably the single most important service the
government provides.

It's not even like voting is particularly taxing in Australia. You go to your
local school on a Sunday, wait in line for a while then grab a sausage or a
lamington and go home. If that's too inconvenient there are pre-polling
stations open for weeks ahead of time.[0]

I think any software that has the potential to influence election outcomes
should be provably correct (the whole stack), open source and probably have
been out in the wild for years before getting used in a real election.

[0] As far as I'm aware, the AEC actually double-checks electronic results by
doing a human recount. When they use electronic voting it's so they can
declare a winner sooner.

~~~
vetler
> I think any software that has the potential to influence election outcomes
> should be provably correct (the whole stack), open source and probably have
> been out in the wild for years before getting used in a real election.

Let's remember that even when paper ballots are used, the counting is done
electronically. It's not something people often take time to consider.

When the ballot boxes are emptied, the ballots are scanned with scanners, and
the results put into some sort of software to be processed further. This is
how it's been done in Norway for many years, and we're only 5 million people
here, so I can't imagine other countries doing it any differently.

Norway introduced a new voting system a few years ago, which also included
Internet voting, but that has later been put on hold, as it was blocked by
political reasons. The entire system was open source (you could read the code,
but not allowed to use it), but I don't think it has been released since then,
and I'm not sure what the plans were. Fun fact, the settlement algorithm that
ranks the candidates is a Postgres stored procedure
([http://goo.gl/PPMipF](http://goo.gl/PPMipF)).

There are already a lot of places where there is software that can influence
election outcomes, and it's definitely not proved to be correct. Given how
trojans have been found everywhere in recent years, I'd not be surprised if
some countries' election software stack has been compromised.

~~~
eCa
> I can't imagine other countries doing it any differently.

Just over the border all votes are counted by hand (several times).

~~~
thret
In Australia they are also counted by hand.

~~~
vetler
Looks like they're scanned:
[http://www.elections.act.gov.au/elections_and_voting/scannin...](http://www.elections.act.gov.au/elections_and_voting/scanning_of_ballot_papers)

~~~
vetler
I was mistaken. ACT is only a territory(?), but steps are being taken towards
scanning paper ballots:
[http://www.governmentnews.com.au/2015/02/electronic-vote-cou...](http://www.governmentnews.com.au/2015/02/electronic-vote-counting-one-step-closer/)

~~~
thret
My mother runs one of the voting stations in her area, I was simply repeating
what she has told me.

------
agwa
It's often overlooked how including external Javascript impacts the security
of your website (see also the recent Healthcare.gov information leak). It's
not just the external sites' TLS configuration you have to worry about, but
all their security and privacy practices. Even if piwikpro.com had had a
perfect TLS configuration, if an attacker had been able to compromise (or
corrupt/coerce) them, the attacker would have been able to execute arbitrary
Javascript on NSW's online voting website.

Stripe is the only external Javascript I load on my websites. I trust Stripe a
lot more than most, but still I would prefer not to load their Javascript.
This policy is frustrating because it means I can't use a lot of cool tools,
but I care too much about security and the privacy of my visitors to do
otherwise.
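
The third-party script risk described above can at least be made visible during review. The following is an added example, not code from the original post or from the NSW system: it parses a page, lists every script loaded from another origin, and reports whether it carries a Subresource Integrity `integrity` attribute (a real browser feature) that pins the file to a known hash. The sample HTML and the host names in it are constructed for the example. The caveat is the one agwa makes: a script the third party regenerates per request (analytics, for instance) cannot be pinned at all, so the audit can only tell you where you are trusting someone else's security practices, not remove that trust.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not the NSW iVote site): one first-party script,
# one third-party script pinned with Subresource Integrity, one unpinned
# third-party script, and one inline script.
SAMPLE_HTML = """
<html><head>
<script src="/static/ballot.js"></script>
<script src="https://cdn.example.net/lib.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://analytics.example.org/tracker.js"></script>
<script>console.log("inline");</script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collects the attribute dict of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs))


def audit_external_scripts(html, site_host):
    """Return [(src, status)] for every script loaded from another origin.

    status is 'pinned' when the tag carries an integrity attribute and
    'unpinned' otherwise. First-party and inline scripts are skipped because
    they are served by the site itself.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script
        host = urlparse(src).netloc
        if not host or host == site_host:
            continue  # same-origin script
        status = "pinned" if attrs.get("integrity") else "unpinned"
        findings.append((src, status))
    return findings


if __name__ == "__main__":
    # site_host is the hypothetical first-party host of the sample page
    for src, status in audit_external_scripts(SAMPLE_HTML, "vote.example.gov"):
        print(f"{status:8} {src}")
```

Run it against a saved copy of a page to get the list of origins whose compromise would mean arbitrary script on your site; an 'unpinned' entry is a place where the only control is the third party's own security.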

~~~
ams6110
An online voting site should not use javascript. Period. It should be
bare-bones simplest possible HTML form posting with all validation and logic
happening server-side. For one thing it needs to be accessible to disabled
voters and the more complex the UI implementation, the less accessible it will
be. Also for security peace of mind it should be usable with all scripting and
plugins disabled.

A ballot is not a complex UI. A basic HTML form with checkboxes and/or radio
buttons is all that's needed.

~~~
caf
New South Wales, where this election is being conducted, does actually need a
slightly more complex UI: it uses "optional preferential voting", requiring
voters to number the candidates in order of preference from 1, stopping at any
point after that. (The upper house ballot also has the option of numbering
either the group boxes above the line, or the individual candidate boxes
below).

Not that that requires Javascript, either.

~~~
thret
The online voting form should still allow for people to ignore the rules and
submit an invalid vote though, just like they can with pencil and paper.

~~~
aaron695
Although it is not illegal to vote informally, it does not follow you have a
legal right to vote informally.

~~~
meric
Of course it does. Following that argument: It isn't illegal to run on the
streets, it does not follow you have a legal right to run on the streets?
Clearly absurd. The population's rights include all except what is expressly
forbidden by the laws, and the government's rights include none except what is
expressly enumerated in law.

~~~
robzyb
> It isn't illegal to run on the streets, it does not follow you have a legal
> right to run on the streets?

It does NOT follow that you have a legal right to run in the streets.

If some entity declared a street to be walking-only, then you could not claim
"WAH! I HAVE A RIGHT TO RUN IN STREETS!"

Similarly, if an entity will only allow you to submit votes that are "correct"
as per the definition of preferential voting, you can not claim "WAH! I HAVE A
RIGHT TO SUBMIT INFORMAL VOTES!"

~~~
meric
That means those legal rights exist until the authority decides otherwise. So
for now according to the laws the government has passed informal votes are a
legal right. It is a quirk of the software it isn't implemented. Imagine a
sidewalk paved with a material you can't run on, it's perfectly reasonable to
write a complaint to your local council about the quality of the road because
everyone deserves to have a space to run, according to existing laws that have
not prohibited running.

------
jimrandomh
A web site poll is not secure enough to be an election, even if its creators
do anything perfectly, and a web site poll pretending to be an election does
not grant the victor legitimacy.

The fundamental problem is that it leaves no evidence of how people voted
except for the testimony of a computer server, which can be hacked. The
practical result being that the election can be overturned by a single person
inside or outside the country working with a guarantee of secrecy, and it
would leave no evidence.

~~~
wsxcde
> how people voted except for the testimony of a computer server

Well, that's not an accurate claim. There are a number of verifiable voting
protocols, e.g., Helios
[https://vote.heliosvoting.org/](https://vote.heliosvoting.org/). This doesn't
mean that online voting is ready for mass adoption, but I think you're too
quick to dismiss it.

~~~
badsock
From the Helios FAQ:

Should we start using Helios for public-office elections? Maybe US President
2016?

No, you should not. Online elections are appropriate when one does not expect
a large attempt at defrauding or coercing voters. For some elections, notably
US Federal and State elections, the stakes are too high, and we recommend
against capturing votes over the Internet. This has nothing to do with Helios
itself: we just don’t trust that people’s home computers are secure enough to
withstand significant attacks.

~~~
wsxcde
It's conceivable that you can build a formally verified hardware device that
handles the actual voting, and you probably also make sure that the software
running on this device is all signed and authenticated with your trust rooted
in hardware. And you can then secure your connection to the voting servers
using this hardware device.

It would be very expensive, and you still can't be sure you don't have bugs,
but it would address a lot of the concerns you're raising.

------
ams6110
IMO the minimal security requirements for online voting must include fully
open source code. I don't mean open source licensing, but the entire
implementation must be open to public review and audit.

Even with that, I have my doubts. On the other hand, traditional paper ballots
are certainly prone to all kinds of fraud, and on balance I'd say an
electronic system _should_ be able to do better, if not be perfectly secure.

~~~
boyter
Agreed. I have argued for this with other technical people and they still
argue the opposite however.

I am in New South Wales and have raised the source issue to all the candidates
in my electorate. I usually get blank stares over this point. This worries me
deeply as how can someone who does not understand the implications of what
they are doing legislate laws about it.

I would like to see it done better. No idea how but perhaps the taking of a
test to prove some level of knowledge before being allowed to vote on any
issue.

~~~
jacques_chester
Ask the candidates if they would be happy if paper ballots were counted
without scrutineers.

Or with scrutineers from only one party, who have quietly replaced electoral
officials.

~~~
boyter
That's a good point. I shall be doing that the next time one is at my local
train station.

------
krylon
Online _elections_? Are these people serious? I am struggling to come up with
the words to adequately describe what a bad idea this is.

~~~
arkem
It's been working ok in Estonia for a decade:
[http://en.wikipedia.org/wiki/Electronic_voting_in_Estonia](http://en.wikipedia.org/wiki/Electronic_voting_in_Estonia)

Sure there are risks to online voting but it's significantly less risky than
many of the other pieces of critical infrastructure that rely on the Internet.
The risks of online voting can generally be controlled through policy and
oversight, in a similar way to non-online elections.

~~~
jacques_chester
Paper ballots work fine and, in Australia, would require the systematic
subversion of hundreds of electoral officials and thousands of
mutually-hostile scrutineers to rig a vote.

Meanwhile, no electronic voting system, no matter how clever, is any further
than one fuckup or one dirty sysadmin away from being a total fraud.

Democratic legitimacy is an expensive feature, but it is worth every cent.

~~~
lazaroclapp
> no electronic voting system, no matter how clever, is any further than one
> fuckup or one dirty sysadmin away from being a total fraud.

Not entirely true. The best electronic voting systems require multiple fuckups
and/or multiple dirty developers and hardware manufacturers to become a total
fraud. Not saying that is safe enough for elections yet, though. But there is
no reason why you can't add multiple checks and balances and mutually-hostile
guarantors to an electronic voting system.

~~~
johnchristopher
> Not entirely true. The best electronic voting systems require multiple
> fuckups and/or multiple dirty developers and hardware manufacturers to
> become a total fraud. Not saying that is safe enough for elections yet,
> though. But there is no reason why you can't add multiple checks and
> balances and mutually-hostile guarantors to an electronic voting system.

But any citizens can check each of the paper voting system steps and it is
definitely not possible for electronic voting system.

~~~
lazaroclapp
It is possible: provided the system generates the right kind of audit
information and voting receipts, and the citizen has a trusted device in which
to check the protocol computation. You can use signatures for verification and
mix-nets or homomorphic encryption for anonymity. There are plenty of security
risks in practical implementations of electronic voting, but I would not say
"definitely not possible". Not saying I trust the system being discussed or
that I think we should have mass online elections just yet, but this is an
area under research and the results look more in the direction of "likely
feasible" rather than "likely unfeasible". Which is actually quite important
if we are ever going to move towards any form of democracy more direct/gradual
than voting every X years for people who vote on the actual decisions.

Note that the paper voting systems are also quite hackable in practice. It is
actually pretty hard to track your own vote and make sure it was counted
correctly, that the votes in all districts were added correctly and, when you
find your vote miscounted, proving fraud is quite hard as well. I should know,
I voted in this election:
[https://en.wikipedia.org/wiki/Mexican_general_election,_2006...](https://en.wikipedia.org/wiki/Mexican_general_election,_2006#Post-election_controversy)

~~~
johnchristopher
> homomorphic encryption for anonymity.

You lost me there but I agree you are right concerning the possibilities of
electronic voting systems and its inherent safety and accountability depending
on the implementation.

But then I say paper requires less technical skills and is an order of
magnitude less expensive than the cost associated with a safe and sane voting
system?

> Note that the paper voting systems are also quite hackable in practice. It
> is actually pretty hard to track your own vote and make sure it was counted
> correctly, that the votes in all districts were added correctly and, when
> you find your vote miscounted, proving fraud is quite hard as well. I should
> know, I voted in this election:
> [https://en.wikipedia.org/wiki/Mexican_general_election,_2006...](https://en.wikipedia.org/wiki/Mexican_general_election,_2006..).

> On August 28, the TEPJF announced the results of the partial recount,
> subtracting 81,080 votes for Calderón, 76,897 votes for López Obrador,
> 63,114 for Roberto Madrazo, 5,962 for Patricia Mercado, 2,743 for Roberto
> Campa, and 7,940 for the remaining candidates. A total of 237,736 votes were
> annulled out of the approximately 4 million votes recounted. That means
> around 6% of the recounted votes were annulled.[29][30]

Wow. That is indeed a good example in favour of electronic voting system.

~~~
lazaroclapp
>> homomorphic encryption for anonymity.

>You lost me there

Intuitively: you can add a list of encrypted numbers and then decrypt only the
result. Additionally, you can prove that the decryption is correct without
revealing the private keys. Decryption keys can be distributed so that no
single person can decrypt the votes directly. So, you track your encrypted and
signed vote until it goes into the counting process and then you verify the
zero-knowledge proofs that tell you the counting was done correctly, but the
counting itself doesn't tell anyone anything about individual votes, just the
sum of votes for each candidate.

> But then I say paper requires less technical skills and is an order of
> magnitude less expensive than the cost associated with a safe and sane
> voting system?

Right now? For national elections every X years? With our current
understanding and computing infrastructure? Absolutely! I am not in favor of
online voting right now (except perhaps for a limited number of remote votes
for nationals outside their countries, possibly with reduced anonymity).

Where secure electronic voting could shine is in direct democracy systems,
where you vote on at least some important resolutions directly or where you
can revoke an administration's mandate at any time by getting a threshold
number of "votes of no confidence" on it. If you have to vote every week, or
every month (let alone daily...), then paper voting is unworkable.

> Wow. That is indeed a good example in favour of electronic voting system.

Actually, we have had electronic fraud before as well (in the global
counting). So, I doubt electronic voting would fix democracy in Mexico either.
At least not by itself. Just pointing out that the system being replaced is
not infallible either...
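
The "add a list of encrypted numbers and then decrypt only the result" intuition in the post above can be shown concretely. The following is an added example, not code from the thread, from Helios, or from any real voting system: a textbook Paillier cryptosystem, whose ciphertexts multiply to give an encryption of the sum of their plaintexts. Each ballot is one ciphertext per candidate (Enc(1) for the chosen candidate, Enc(0) for the rest); the tally multiplies the ciphertexts column by column and decrypts only the three totals, never an individual ballot. The key is a fixed, constructed demo key held by a single party, so the post's other two ingredients, splitting the decryption key among several trustees and the zero-knowledge proof that a decryption is correct, are not implemented here.

```python
import math
import secrets

# Constructed demo key: two Mersenne primes, 2^127-1 and 2^89-1. A real system
# generates large random primes and distributes the private key; one party
# holds it here so the arithmetic stays visible.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q
N2 = N * N
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)  # lcm(p-1, q-1)


def _L(u):
    """The Paillier L function: (u - 1) / n for u = 1 mod n."""
    return (u - 1) // N


# Generator g = n + 1; mu = L(g^lambda mod n^2)^-1 mod n
MU = pow(_L(pow(N + 1, LAMBDA, N2)), -1, N)


def encrypt(m):
    """Paillier encryption of an integer 0 <= m < n with fresh randomness,
    so two encryptions of the same value look unrelated."""
    while True:
        r = secrets.randbelow(N)
        if r > 1 and math.gcd(r, N) == 1:
            break
    return (pow(N + 1, m, N2) * pow(r, N, N2)) % N2


def decrypt(c):
    """Paillier decryption with the demo private key (lambda, mu)."""
    return (_L(pow(c, LAMBDA, N2)) * MU) % N


def add_encrypted(c1, c2):
    """Homomorphic addition: Enc(a) * Enc(b) mod n^2 is an encryption of a + b."""
    return (c1 * c2) % N2


def encrypt_ballot(choice, num_candidates):
    """One ciphertext per candidate: Enc(1) for the chosen one, Enc(0) elsewhere."""
    return [encrypt(1 if i == choice else 0) for i in range(num_candidates)]


def tally(encrypted_ballots, num_candidates):
    """Multiply the ciphertexts column-wise, then decrypt only the totals.
    No individual ballot is ever decrypted."""
    totals = [encrypt(0) for _ in range(num_candidates)]
    for ballot in encrypted_ballots:
        for i, c in enumerate(ballot):
            totals[i] = add_encrypted(totals[i], c)
    return [decrypt(t) for t in totals]


# Constructed sample: six voters choosing among three candidates (0, 1, 2)
SAMPLE_CHOICES = [0, 2, 1, 0, 0, 2]


def run_demo():
    ballots = [encrypt_ballot(choice, 3) for choice in SAMPLE_CHOICES]
    return tally(ballots, 3)


if __name__ == "__main__":
    print(run_demo())  # expected [3, 1, 2]
```

The tracking step the post describes corresponds to a voter keeping a copy of their own ciphertexts and checking that exactly those values appear in the published list that is multiplied together; what this example does not show is how the voter checks that a ballot encrypts a single 1 and otherwise 0s without opening it, which is what the proofs in a real protocol are for.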

------
thret
There is one way to make online voting secure that hasn't been discussed here:
make the votes public. Publish a full list of who voted online and who they
voted for. You could then vote online publicly or in person privately.

It isn't ideal, but it would remove any doubt.

~~~
harywilke
I see you voted for candidate 'B', you're fired.

