Software to capture votes in upcoming German national election is insecure (ccc.de)
291 points by heinrich5991 on Sept 7, 2017 | 116 comments

Here's the report: https://ccc.de/system/uploads/230/original/PC-Wahl_Bericht_C...

It's truly disastrous. Some of the findings:

- The automated software updates have no signature and are downloaded insecurely over HTTP

- The webserver the updates are downloaded from is hosted using a shared hosting package at 1&1, on a host with >5000 other customers (implying an easy takeover using local privilege escalation)

- The reason they know this? They found multiple PHP scripts vulnerable to arbitrary read and write vulnerabilities, so they got full RCE on the server.

- FTP access credentials for the website were contained in a public ZIP file (named test.zip)

- Vote results are transmitted using either insecure FTP whose credentials weren't rotated for years or an equally insecure XML protocol. No signatures in sight.

- Said insecure XML protocol is a government standard

They also took a look at one of the local government's infrastructure:

- test/test were valid VPN credentials

- FTP credentials were publicly downloadable with R/W access to vote results

- Vote result encryption was reversible thanks to a hardcoded symmetric key

The report goes on to detail even more trivial security issues, including home-grown "encryption" algorithms worse than what you'd find in a beginner CTF challenge.

None of the steps taken in response addressed the fundamental, obvious security policy issues. Even their band-aid fixes were broken. For example, they started signing their binaries, but forgot to check the signature.

Given the lack of any security awareness whatsoever, even if they properly sign their binaries, their build server is probably easy to compromise.

RCE demo: https://vimeo.com/232581770

Have a look at the site in question: https://www.wahlinfo.de/

The local government they worked with responded by enforcing verification and transmission of the results using an independent channel.

Forget the problems electronic voting has if it's implemented well; this sort of stuff is the real reason to be worried about systems like this, because there's a tendency for governments and councils to outsource the work to whatever contractors are the cheapest or to hire developers who don't know a thing about security.

A secure evoting system is hard enough to implement, and even a well done version is worse than a paper ballot. But it's the kind of system described here that'd be the likely result of electronic voting being implemented in countries like the US. A hacked together, insecure piece of junk that's wide open to being compromised by bad actors at every level.

> there's a tendency for governments and councils to outsource the work to whatever contractors are the cheapest

Not just a tendency. When choosing a contractor, government offices in Germany are required to choose the lowest bidder who fulfils (or rather, claims to fulfil) the requirements stated in the call for bids.

They are bound to take the most economical offer which is not necessarily the cheapest. Cost must always be a significant factor but others can be included. The criteria must be fixed before starting the process and can include follow-up cost, technical aspects, environmental considerations, duration, user experience, or anything else that is quantifiable, appropriate, and non-discriminatory.

It is far easier to just look at the cost but it's absolutely not uncommon to have other criteria included in a tender.

An offer that is unusually cheap has to withstand additional scrutiny. It is not allowed to choose such an offer (even if it's the cheapest) if it's price-dumping or unlikely to be completed due to the tight calculation.

Yes, but that's only half of the story. We just spent 40 mio on a thing that had 10 year old cabling contracts. We managed to fix it, but there's plenty of trash that we didn't manage to fix. The problem is that there is close to zero accountability on senior management.

Germany is full of stuffed old guys, who have no reason to be afraid of ANYTHING. Nothing is ever going to happen to them. All the people that screwed up the major government construction projects went straight to go on to continue doing the next government construction projects. Same with every other industry here.

Blaming the "Ausschreibung" or bidding stuff is only a tiny part of the problem. Every time I see the people responsible for this crap I almost puke when I see them give each other a pat on the back.

Oh and while I'm at it. We have a software contractor that has a contract that basically lets them build anything they want and bill it to us. Add to that I'm supposed to architect their software and micromanage, so they get to bill us for the work. On top of it we pay them to get training in Angular 2.0, which we will then pay for to have them train us. I asked management to change the contract so they couldn't do what they want, but they just don't want to touch it.

They were not chosen as part of the bidding process btw. I've seen the same in the US. It's the same crap you have in any other country.

To be fair, that is more a rationale for having really good people speccing your system and producing detailed requirements.

Ok, let's just do that: spec a voting system. Such a system should be as secure as physical paper and anybody should be able to assess its security by inspecting it (good luck with that one).

The level of detail you're talking about to prevent the kind of mistakes they made is so specific that you might as well just develop the thing in house since you clearly already have the experience.

Maybe what we need is a rule that any critical government infrastructure should be independently pen tested before it's bought. This should hopefully put off the inexperienced from taking on such projects and offer a way out for governments should the contract go sour.

I agree, this is often an issue. In my company a lot of people only make specs, and the "development" for a lot of components is outsourced. But these specs are basically developed already, so in the end, we're only making the expensive developers write a spec that's so detailed that it's more work to write the detailed spec, than if you programmed it directly from a non-detailed spec.

That's certainly not wrong, but it also is somewhat at odds with how we know modern software projects should be managed, which is a reasonable explanation for why so many government projects work out the way they do.

> even a well done version is worse than a paper ballot.

It is not. There are many voting schemes that offer all the benefits of paper voting together with the verifiability and transparency of cryptographically verifiable vote counting.

All experts I've heard from on this agree that we're decades from being able to implement such systems in a secure way, if it's possible at all. Most people trying to tell you that's not true are trying to sell you something, usually with some vague blockchain reference.

I'd recommend the various talks and papers J. Alex Halderman has given/written on this topic, especially on Estonia's e-voting system.

I also recommend Andrew Appel's talk on the mechanics of voting. In addition to the dangers inherent in any complex electronic system, he also discusses how we invented the secret paper ballot. It may look "low tech", but the secret paper ballot is several hundred years of bugfixes and security features that we would be foolish to ignore.


> There are many voting schemes that offer all the benefits of paper voting

A major benefit of paper voting is that you don't need a math PhD to verify for yourself the integrity of the vote process.

Do you need a math PhD to use encrypted messaging apps? To use SSL? Clearly that's a fallacious argument. The math can be wrapped inside an easy to use shell, just like it is in your https enabled web browser.

I don't need a Math PhD to use all of those. But if I want to audit it? Probably. I can audit paper ballots just fine, anyone can. But that easy to use shell? How do I know that it does what people claim it does? I have to trust those people. The people that have the ability to audit now hold absolute power over the result.

You can make an interface that hides the complexity and lets people check their votes in a user-friendly way. There's nothing that makes it fatally complicated to use.

As I said: The problem is not using the software itself but knowing that the green checkmark (or whatever) it displays actually means the vote was correctly counted. The former is trivially done by a competent team, the latter not so much.

Just an example from another field: It is easy to compare key fingerprints shown by WhatsApp/Signal/GPG but how do I know that the software does not encrypt the text with a second key? Personally I am not competent to do so and have to trust others. Don't forget that it's not enough to audit the code itself but you would also need to check the whole build process from scratch (and the processors it was done on for that matter - and while we are at it: how can I know that the display actually shows what it was asked to show?). How many people know how to do so?

Hiding the complexity is exactly the wrong approach. You want to reduce the complexity so that the average person can understand it just fine.

How do you verify that the machine actually does what it displays and/or prints without hooking a hardware debugger on it?

Could you link to details of one such scheme (perhaps the one you feel is best), please?

When I've thought about e-voting it's seemed tractable except the conflict between verifiability and keeping the ballot secret. I'd be interested to see how such schemes manage this point in particular.

Read this algorithm: https://en.wikipedia.org/wiki/Homomorphic_secret_sharing#Exa...

It's a proof of concept, it still has drawbacks, but it proves that you can have a system where all the votes can be accounted for without any information being revealed about any individual's vote: the ballot is secret.

>"There are many voting schemes that offer all the benefits of paper voting [...]"

You appear to have one incomplete theoretical scheme?

Thanks in any case for sharing it.

Edit: just on a quick reading - if I think I'll lose a seat, and can corrupt a single authority, I can get them to return a random set of numbers for their part of the polynomial, this randomises the results, doesn't it, giving me a chance to win. As there's no verifiability, it can not be observed in the voting data?

The ballot is secret – as long as the vote counters are not colluding, nobody can observe the votes in transit, and nobody can access all votes. It seems better than most proposals I have seen but I certainly would claim that this system offers "all the benefits of paper voting". And I haven't even mentioned that voters can generate polynomials that give them multiple votes without anyone noticing.
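The additive Shamir scheme behind the linked Wikipedia example, together with the corrupt-authority case raised in the edit above, as an added Python example (not code from the thread or from Wikipedia): each voter splits a 0/1 ballot into 5 shares with threshold 3, every authority adds up the shares it holds, and any 3 summed shares reconstruct the total without any single ballot being exposed. The prime, the authority counts, the seeds and the ballots are constructed for the demo; the last function shows that the plain scheme cannot tell which authority lied, but the redundancy of 5 authorities over a threshold of 3 at least makes a forged sum visible as disagreement between subsets.

```python
"""Toy additive secret-sharing election (Shamir over GF(P)).

Constructed demo, not production code: parameters and ballots are made up.
"""
import random
from itertools import combinations
from typing import List, Set, Tuple

P = 2**31 - 1        # prime field modulus (Mersenne prime), constructed choice
N_AUTHORITIES = 5    # every ballot is split into this many shares
THRESHOLD = 3        # shares needed to recover a sum; fewer reveal nothing

Share = Tuple[int, int]  # (x = authority number, y = share value)


def share_vote(vote: int, rng: random.Random,
               n: int = N_AUTHORITIES, t: int = THRESHOLD) -> List[Share]:
    """Split one ballot (0 = no, 1 = yes) into n Shamir shares.

    The ballot is the constant term of a random degree t-1 polynomial;
    share i is the polynomial evaluated at x = i.  Any t-1 shares look
    uniformly random, so no single authority learns the ballot.
    """
    if vote not in (0, 1):
        raise ValueError("ballot must be 0 or 1")
    coeffs = [vote] + [rng.randrange(P) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):      # Horner's rule, all arithmetic mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def sum_shares_per_authority(ballots: List[List[Share]]) -> List[Share]:
    """Authority i adds the i-th share of every ballot.

    Shamir sharing is linear, so the per-authority sums are valid shares
    of a polynomial whose constant term is the total number of yes votes.
    """
    totals = [0] * len(ballots[0])
    for shares in ballots:
        for i, (_, y) in enumerate(shares):
            totals[i] = (totals[i] + y) % P
    return [(i + 1, s) for i, s in enumerate(totals)]


def reconstruct(points: List[Share]) -> int:
    """Lagrange interpolation at x = 0 over GF(P); needs >= THRESHOLD points."""
    result = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        result = (result + yi * num * pow(den, P - 2, P)) % P  # Fermat inverse
    return result


def run_election(votes: List[int], seed: int = 1) -> List[Share]:
    """Share every ballot and return the per-authority sums."""
    rng = random.Random(seed)
    return sum_shares_per_authority([share_vote(v, rng) for v in votes])


def tamper_authority(summed: List[Share], index: int, seed: int = 7) -> List[Share]:
    """Model a corrupt authority that reports a wrong sum for its share.

    The offset is non-zero mod P, so every reconstruction that uses this
    share is guaranteed to differ from the honest total.
    """
    rng = random.Random(seed)
    x, y = summed[index]
    forged = list(summed)
    forged[index] = (x, (y + rng.randrange(1, P)) % P)
    return forged


def totals_from_all_subsets(summed: List[Share], t: int = THRESHOLD) -> Set[int]:
    """Reconstruct from every t-subset of authorities.

    With honest authorities every subset agrees.  The basic scheme carries
    no per-share proofs, so one subset alone cannot spot a forged sum; the
    redundancy n > t at least turns the forgery into visible disagreement.
    """
    return {reconstruct(list(sub)) for sub in combinations(summed, t)}


if __name__ == "__main__":
    votes = [1, 1, 0, 1, 0, 0, 1]           # constructed ballots, 4 yes votes
    summed = run_election(votes)
    print("honest tally:", reconstruct(summed[:THRESHOLD]))
    print("all subsets agree:", totals_from_all_subsets(summed))
    forged = tamper_authority(summed, 0)
    print("with one corrupt authority:", totals_from_all_subsets(forged))
```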

Like I said, it's a proof of concept that shows it is possible to have transparent auditability and secret ballots at the same time. It's not ready for implementation as it is, though, for the reasons you mentioned.

From what I understand, verifiability and transparency is something you don't really want because it enables vote selling. In a secret ballot, someone dishonest enough to sell you their vote is probably dishonest enough to vote the other way.

You can already sell votes, see this start-up: https://www.votebuddy.de/

Quite telling is their FAQ:

Is this legal?

According to German law this is illegal. Thus we're based in New York and the website is served from the US.

Just FYI, that site doesn't actually do anything. It is designed by the Peng Collective to create outrage, nothing more. The same happened during the 2000 US presidential elections with voteaction.com, a German-based site (as it's against US law) that turned out fake as well.

But of course, postal votes make vote selling possible.

> None of the steps taken in response addressed the fundamental, obvious security policy issues. Even their band-aid fixes were broken.

I feel like it is a universal truth of engineering that you can't expect anyone who implemented such a grossly broken system in the first place to be capable of anything but band-aid fixes of the specific flaws pointed out to them.

>- The automated software updates have no signature and are downloaded insecurely over HTTP

I have two conflicting thoughts at the moment:

1. It's insane

2. It's awesome. I wish I could get my hands onto one of those machines.

... my personal website has better security than this :|

This is worrisome

Would you be interested in hosting the next German election? Sounds like they need someone!

I uh.. Sure :) I'm all up for it, I'll read a book or two on cryptography and security and leggo! Good intentions will definitely be enough.

This is why electronic voting is such a huge problem to solve. You can't just check one or two boxes like "blockchain" and "biometric authentication" and think "there, we now have secure electronic voting". There are so many other things that should go into securing the electronic voting, including doing thorough audits of the code before the election, keeping the systems up to date, having anti-tampering protection, allowing users to verify their vote in a secure way, and so many other things I can't think of right now.

But all of those things will get lost when talked about in the media or on TV, and the politicians won't care to implement them either. It's a little like nuclear energy being "safe" - except for all the problems humans and their corruption could cause around it. But electronic voting is much worse, because I very much doubt the current political climate would want to handle electronic voting with at least as much care (it's the democracy at stake after all) as they do nuclear power plants. If anything, the two main parties would probably be fine with some vulnerabilities if they think only they can exploit them.

So I guess what I'm trying to say is that electronic voting has always been doomed to fail and will always be doomed to fail due to all of the other implementation details that are always missing from the discussion beyond a few main check boxes. All of that stuff is "nerd talk" so few of the leaders will care about them, which means budgets won't go towards solving those problems and ensuring those other checks exist, too, and are properly managed.

... well, wow. (Great summary.)

How widely is this system used in the German national elections? Is it just one of the states? (Which one?)

Note that this isn't a system running in the voting booth. All votes are cast on paper ballots. The software is just for tabulating the results and maybe maintenance of the voting rolls.

It's obviously a terrible situation, but I'm somewhat confident that you couldn't actually throw the election even with complete access. I, for example, always stop by at a polling place a friend volunteers at after the polls are closed and watch them count the ballots. Everyone is free to observe, and you can get as close as you could want, and count the ballots yourself.

There are only a few hundred voters per precinct, so any person can, if they want, verify their (or another) precinct's results end-to-end: count some or all the ballots, then compare with the results posted online.

The volunteers manning the polling places are also incredibly dedicated and professional. I'm pretty sure that at least one of them also verifies the data. It's a diverse crowd (not, for example, party officials or public servants), which makes it practically impossible to get their buy-in to any corruption.

> and you can get as close as you could want, and count the ballots yourself

It usually is no problem if they do but an outside observer should not touch the ballots themselves and is not allowed to. They can look closely though which gives them the same degree of certainty.

One more piece of information: this software is just used for the preliminary results, not for the final results.

The software for the final results is entirely different and seems to be much more secure.

Knowing how German government offices operate, the "software" for the final results is likely sending letters stamped with an official seal by post and calculating the result manually/with very low-tech software.

Which is how election results should be handled. Sealed letters are cheap and extremely hard to forge.

The two products by "vote IT", one of which is the vulnerable "PC-Wahl", are used by 2700 authorities, responsible for ~66% of Germans. ("In total, 2,700 authorities have licensed vote iT's products. This means that for around 66% of Germany's residents the elections are organized and presented with our products.") [1]

[1] https://vote-it.de/

That's insanely messed up. Very high level heads have got to roll for this, right? Like at least one direct report to Merkel?

Direct reports to Merkel have absolutely nothing to do with this. This software was procured by local authorities which are completely independent from the federal government. Even if Merkel wanted, she has no authority whatsoever on local authorities.


So maybe one conclusion is that the responsibility for the voting process should be on the federal level, then.

What indication do you have that any federal solution would be better than the state one? They're operating under the same laws and RFP/selection requirements.

The only difference at the federal level would be it affects 100% of Germans instead of 66%.

So my theory was: Having a federal, shared solution would allow more money to be spent on this. Thus avoiding embarrassing fuckups like this one.

Anyway, I just think you should scrap all electronic voting; your local regional governments clearly don't have the chops to avoid idiotic things like this. Just go back to paper ballots. They work fine!

We still have paper ballots. This whole story is only about the software that calculates the numbers announced on election night (i.e. does a bit of summation of the manual counts).



Of note in general regarding elections in Germany is that there's a constitutional right to be able to follow the process of elections including the vote count. That's also the reason behind electronic voting machines being banned because, while counting votes by hand is cumbersome, it's a process that everyone can follow and understand. You can actually watch the counting process if you want to.

And as the article states, at least one state apparently doesn't trust this software enough that they mandate verification that the correct results have been transmitted and obtained via an independent channel.

The only benefit all this has is that a preliminary result of an election can be obtained a few hours earlier. Whether that's worth having an election that can be manipulated without anyone noticing is anyone's guess, but I believe the BVerfG may have a say in that, as it did for voting machines.

Out of curiosity, to what extent are German political parties involved in the voting process? In the US, it's usually state governments that run it and they can be susceptible to whichever political party controls the government then. Sounds like Germany may handle this issue better?

Citizens are asked to manage the voting process and counting.

I've helped in this role for a long time, but considered my duty done as it sometimes was a lot of work deep into the nights, especially if several elections and referendums were conducted at the same time.

Everyone can attend the voting process and counting process.

Schools etc. for places to vote, voting booths, paper etc. are supplied by the administration, as is the selection of citizens who manage the voting and counting process. The Federal Returning Officer is responsible for organizing elections (for federal elections; similar posts exist for state elections and I assume local ones).


> Everyone can attend the voting process and counting process.

As a sidenote, this is not just a theoretical right. People are exercising it.

I volunteered as an election assistant in one of the previous elections in Germany. We were a team of five assigned to a constituency of about 1000 voters, and when we counted the votes, three citizens were present to observe the counting. As I submitted the results (via phone) to the next-higher level, I also noted the numbers down for myself and checked, later in the evening, that the numbers on the website of the returning officer matched those that I recorded. (They did.)

"As a sidenote, this is not just a theoretical right. People are exercising it."

Same experience here.

Thank you for volunteering and verifying!

There's something similar in Belgium. Many people from the general society, from various political parties, are involved and are checking that everything is going smoothly.

They've tried eVoting but had to stop in one of the regions because it's too expensive (i.e. a totally unrelated reason to stop it, but anyway, it's gone)

See http://www.poureva.be

There's basically an independent part of the administration that oversees elections. Voting points are manned by volunteers and counting happens by volunteers as well. Every citizen is allowed to witness the counting and visit the voting point. Since it's all paper ballots, this doesn't require any knowledge beyond mostly simple math (local elections can have some more elaborate rules on what constitutes a valid vote, but federal elections are fairly simple in that regard.) The tally is announced locally before being transferred to the regional and higher offices.

I'd be surprised if someone manages to slip in an invalid count and not be detected: Most crucial voting points are monitored by people from polling institutes that want results as early as possible. Significant differences would likely raise flags. (I did that a few times for infratest, it's actually fairly ok paid for sitting there and watching).

N.B.: The software seems to be an absolute clusterfuck and it's probably possible to sow discord and confusion, I just don't believe that you can actually change the election result with these issues - just make people question it, which is bad enough.

> I'd be surprised if someone manages to slip in an invalid count and not be detected: Most crucial voting points are monitored by people from polling institutes that want results as early as possible.

That particular part does not protect from rigging. What the polling institutes do is taking a very small representative sample of voters and conducting an exit poll (they essentially have another voting office set up where people can vote a second time in secret for their exit poll). However, if you're clever about how you rig the election, exit polls won't notice that because of the small sample size.

You're right about exit polls not being particularly effective here, unless you're being very obvious with the rigging.

Luckily, the published results can also be cross-checked by the volunteers - often, but not exclusively representatives of parties up for election - that actually count the paper ballots and observe the process. This process ensures that a very large number of people from diverse political groups would have to be in on it in order to rig the election.

Any attack via this software would be detected with very high likelihood. However, the bigger problem would be the impact on the public's trust in the voting process. It's very likely that such an election would have to be repeated (as has happened recently in Austria, due to procedural reasons).

Your last paragraph is essential to making sense of this whole story. The same sentiment is also present in the original report, on page four.

The institutions who bought that software were likely aware of those safety nets, which is why they had no problem buying from a vendor that basically looks like a two-man Delphi shop (no idea what they actually used). Had the system been more critical, we would probably be talking about a whole different set of shocking security problems, in some absurdly overengineered T-Systems monstrosity. Personally I feel less unsafe with paper and the obvious insecurities of a glorified excel sheet than with a titanic money-sink twenty layers deep that is feeding an army of salespersons and lobbyists paid to silence every voice of concern.

What the institutions who bought this thing underestimated is the terrible impact a caught manipulation (and even this preemptive disclosure, despite being orders of magnitude preferable to only finding out after a caught manipulation) would have on trust, and the spring time for radicals that would follow. A caught manipulation could destabilize the country more than a cruise missile hitting the Reichstag.

No, polling institutes do not only do exit polls. They also collect the final numbers. I've had that job a fair number of times and my mother actually does that this year at her polling station. They want the official numbers as early as possible, before they are announced on the official site.

Interesting, thanks for that insight.

It's kind of "volunteers", as the administration sends you a letter and asks you. It's sometimes not easy to get out of that.

This happens if there are insufficient "real" volunteers. Before every election, there are calls for people to staff the voting places and do the vote counting. Only if that doesn't bring enough people, you'll get drafted.

(same as with the volunteer fire brigade by the way. there, too, you can be volunteered)

"same as with the volunteer fire brigade by the way. there, too, you can be volunteered"

Do you have any information? Counting votes is easy, fire fighting isn't :-)

It's called Pflichtfeuerwehr and I think we currently have five of them. Before you actually fight fires you have to take part in mandatory courses. I don't think those five brigades have problems, a team of conscripts is still better than no fire fighters at all.

My uncle did it for years and he was a member of the SPD, so I guess parties are involved quite a bit.

Yeah, but there are also members of all the other parties there. Also, when I volunteered, I got the feeling that most (if not all) election assistants take their duty seriously and emphasize their neutrality while performing it.

Yes, he was very neutral and forbade every political activity in the election rooms.

But what can I say, politically interested people are more likely to be party members, so it's more likely that they work there.

Whenever I've been observer I never had the slightest feeling that any of the volunteers would place party allegiance over diligent work. But that's exactly why we're all invited to go and observe.

I had the same impression.

This is a misleading description of how US elections work.

On the ground, the election is run by local volunteers. You can sign up to check peoples' voter registrations and count votes yourself.

The state 'runs' the election in that the state and the state's Secretary of State establish the rules and certify the results.

Why can't voting just be done on the blockchain with a public ledger? Any vote could be verified. I'd feel more secure with this than paper ballots, which are very insecure and have been tampered with so many times.

What? Pen-and-paper, with the ability to observe, is a provably secure system, and its security is easily observable by anybody. That

Blockchains are voodoo, and I'd really think the ongoing disaster of Ethereum should have cooled some of these absurd claims of perfect security.

Pen-and-paper is not observable by anybody. It's a complete black box, and there's no way for me to verify that my vote went through.

With a blockchain on the other hand, anybody could verify that their vote went through (just like anybody can verify any Bitcoin/Ethereum transaction). I'd feel much more confident in this than some black box pen and paper because there's zero way to verify anything under a pen-and-paper system.

What disaster of Ethereum? Ethereum is doing pretty well.

With a blockchain, you could verify that your vote went through but so can your neighbour. Even if you find some way around that: If you can see how your vote was counted, you are able to prove to someone else how you voted, making vote selling possible. These are two big reasons not to use such a system.

Personally, I know for certain that my vote in the last election went through because I have seen the complete process myself and have verified that the published vote counts match the ones counted in the polling station. There is no black box left.

You would need a hash to verify the transaction, and hashes wouldn't be publicly tied to one's identity. Thus if I claim that a hash represents me, then there'd be no way for anybody else to verify that. It's a legitimate concern, but not a hurdle that can't be overcome.

So you worked at a polling station that had its shit together? Great, but that doesn't inspire me much confidence. Though really the main reason I want electronic voting is for convenience (it really is a hassle, and election days aren't national holidays), increased participation, and so that we could move more towards direct democracy and liquid democracy.

Election days are always Sundays and even if you work on that day, your employer must let you vote. Voting by letter also exists if you absolutely can't make it.

You'd need an elaborate operation involving hundreds of people to tamper with paper ballots in a meaningful way. There's no way such operation would go unnoticed. How many people are needed to hijack e-voting system?

You would also need an elaborate operation involving tons of people to hijack a blockchain-based e-voting system. The beauty of blockchain is that anybody could verify their own vote on the public ledger (eg. like etherscan.io for Ethereum).

I don't know why people have so much faith in black box paper-based voting systems. There's absolutely no way for any of us to verify that our own votes really went through. If there was vote rigging in Florida or New Mexico in 2000, then none of us would know.

In South Korea's 2012 presidential election (won by Park Geun-hye who's now in jail), there's reasonable reason to suspect that the voting may have been manipulated [1]. There was even a documentary made on it called "The Plan". Even if one dismisses this as mere conspiracy, the reality is that there's absolutely no way for us to verify it.

The move to electronic voting is inevitable, and I long for the day that this is commonplace because then it would enable us to do cool things like direct democracy and liquid democracy.

[1] http://mengnews.joins.com/view.aspx?aId=3032435

Actually it is good that nobody can get proof for their own vote. Thus votes selling is harder - provider cannot provide anything to seller. And yes, taking pictures of your own ballot is not allowed over there. Camera shutter sound may cause quite an issue.

Another issue is employers pressing workers to vote for a certain politician etc. They could flat-out ask for one's blockchain ID. With paper voting, there's no valid way to get proof.

Paper voting trust is based on crowd trust. Anyone can check the voting to make sure everything is going smoothly. Don't trust your local voting committee? Go and sign up to volunteer!

Either way, we need to move to electronic voting eventually, and inevitably will. The reason being that our political system is broken, and the people don't feel represented. In this day and age, we have the technology to accommodate a real direct democracy instead of our broken representative system, but this isn't feasible without e-voting.

Why do we "need" to? I'm yet to hear a single reason. Pen&paper just works. And it's as good as electronic voting regarding representation.

Direct democracy has more issues than technical challenges. #1 being education. And that very few people would bother to put in enough time to go over proposals and cast an informed vote. Even in today's loose voting cycles, a lot of people vote based on feels and shitty advertising.

We can't expect a major chunk of population to participate in day-to-day politics and vote frequently. We'd be stuck with low participation and only "interested" votes which would very likely not be representative of whole population. And paper&pen works pretty well for voting once a year or so.

Just to clarify, voting machines are not used at all in Germany. The votes are made on paper ballots and counted entirely by hand.

The software this is about is for collecting the vote counts and transferring it to a central location, as far as I understand it. It's still a serious issue, but a quite different one to compromised voting machines.

"It's not the people who vote that count. It's the people who count the votes." (Joseph Stalin)

s/people/machines/ and you get the gist. Centralized tabulation machines are a ripe target for abuse.

You have paper as the source of truth. Sample paper counts, look them up in the aggregated computer count; if they don't match exactly, invalidate the count and get the raw ballots.

Really it is serious, but not so serious as when you have no paper as your source of truth, USA.
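The sampling check described above, written out as an added example (not code from this thread or from the tabulation software under discussion). Precinct ids and tallies are constructed sample data; the audit treats the hand recount of paper as the source of truth and requires an exact match with the aggregated computer count, with any discrepancy invalidating that count.

```python
"""Added example: audit an electronically aggregated vote count against a
hand recount of sampled precincts. Paper is the source of truth.

All precinct ids and tallies are constructed sample data."""
from __future__ import annotations

import random
from dataclasses import dataclass, field

# Constructed sample: per-precinct totals as reported by a hypothetical
# central tabulation program. Values are {candidate: votes}.
AGGREGATED_COUNT = {
    "P01": {"A": 412, "B": 388, "C": 51},
    "P02": {"A": 301, "B": 455, "C": 27},
    "P03": {"A": 520, "B": 498, "C": 60},
    "P04": {"A": 210, "B": 190, "C": 15},
    "P05": {"A": 333, "B": 340, "C": 44},
}

# Constructed sample: what the paper ballots actually show when recounted
# by hand. P03 differs from the aggregated count (A: 500 on paper, 520 in
# the computer count), which is the kind of discrepancy the audit must catch.
HAND_RECOUNT = {
    "P01": {"A": 412, "B": 388, "C": 51},
    "P02": {"A": 301, "B": 455, "C": 27},
    "P03": {"A": 500, "B": 498, "C": 60},
    "P04": {"A": 210, "B": 190, "C": 15},
    "P05": {"A": 333, "B": 340, "C": 44},
}


@dataclass
class AuditResult:
    sampled: list[str]
    # precinct -> candidate -> (aggregated value, paper value)
    mismatches: dict[str, dict[str, tuple[int, int]]] = field(default_factory=dict)

    @property
    def aggregated_count_valid(self) -> bool:
        # Exact match is required: any discrepancy invalidates the computer
        # count and sends auditors back to the raw ballots.
        return not self.mismatches


def sample_precincts(precincts, k: int, seed: int) -> list[str]:
    """Choose k precincts to recount by hand. The seed should come from a
    public, unpredictable source (dice rolled in front of observers), so
    whoever operates the tabulation cannot know in advance which precincts
    will be checked."""
    rng = random.Random(seed)
    return sorted(rng.sample(sorted(precincts), k))


def audit(aggregated, recount_fn, sampled: list[str]) -> AuditResult:
    """Compare the aggregated count with a hand recount for each sampled
    precinct. recount_fn(precinct) returns the paper tally for that precinct."""
    result = AuditResult(sampled=list(sampled))
    for p in result.sampled:
        paper = recount_fn(p)
        diffs = {}
        for cand in sorted(set(aggregated[p]) | set(paper)):
            a, b = aggregated[p].get(cand, 0), paper.get(cand, 0)
            if a != b:
                diffs[cand] = (a, b)
        if diffs:
            result.mismatches[p] = diffs
    return result


def totals(count) -> dict[str, int]:
    """Sum per-precinct tallies into overall totals."""
    out: dict[str, int] = {}
    for tallies in count.values():
        for cand, n in tallies.items():
            out[cand] = out.get(cand, 0) + n
    return out


if __name__ == "__main__":
    chosen = sample_precincts(AGGREGATED_COUNT, k=2, seed=4)
    res = audit(AGGREGATED_COUNT, HAND_RECOUNT.__getitem__, chosen)
    print("sampled:", res.sampled, "valid:", res.aggregated_count_valid)
    if not res.aggregated_count_valid:
        print("mismatches:", res.mismatches, "-> recount from raw ballots")
```

The sample size and the seed source are the two knobs that matter: a small fixed sample drawn from a predictable seed tells an attacker which precincts are safe to alter, while a sample chosen publicly after the aggregated numbers are published forces any manipulation to survive a check it cannot anticipate.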

The US situation varies by state. Most states do have paper ballots.


So here's how I'm thinking the exploit could work: 1) fudge the tabulations so your candidate wins 2) if successful, then go back and bribe/hide/spoil the paper ballots.

The goal is you often don't have to do #2 if either #1 is very successful (i.e., push the margin over the recount range) or if #1 is a complete failure (competitor won't care - he/she will have won anyway).

> It's still a serious issue

It's at least as serious, I think. More dangerous, too, since regular people don't see that there is technology involved, as opposed to voting machines, where it's obvious that electronics are involved.

But, conveniently, the block parties have adopted the narrative of the Evil Russian™ as scapegoat for everything that might go wrong.

I'd say the fact that everyone involved in or using their right to monitor the counting process for a district can trivially detect tampering with its numbers is a pretty big win over intransparent voting machines.

Norway recently decided [0] it would manually count the votes in the upcoming election (11th of Sep) after it was revealed that the machines responsible for automatic counting were connected to the Internet and full of potential security exploits [1].

Some details on the software (ReadSoft FORMS) and the process (EVA Scanning): https://valg.no/om-valg/om-valg2/maskinell-opptelling-av-val...

Sources (Norwegian only):

[0]: https://www.nrk.no/norge/krever-manuell-stemmetelling-i-alle...

[1]: https://www.nrk.no/norge/teller-opp-stemmer-i-valget-pa-data...

I have yet to hear a compelling argument for any form of voting that involves networked computers.

I worked with a guy who was in charge of the IT for Colombia's elections years ago. He had many interesting (i.e., harrowing) stories of the attempts by "bad guys" to gain physical access to the central servers. Plus what are probably the usual stories of hacking attempts. I remember thinking, Why not just use paper ballots? No one is going to take office until months after the election.

The chief advantage of computers, speed of counting and providing results, is not needed in that situation, so the liabilities from its inherent vulnerability to altering votes outweigh the benefits.

>I have yet to hear a compelling argument for any form of voting that involves networked computers.

You do bigger and more important decisions than voting everyday from your phone and computer.

If voting were as easy as sending an email, you would be able to vote on every topic, instead of voting on someone every 4 years.

As scary as it is, this is one of the official websites of that software:

https://www.wahlinfo.de/pcwahl/index.html (German only)

There is also https://vote-it.de/?page_id=156 which is a bit more modern, but also shows this is a <10 person shop. Not at all what I expected.


Looks like their page on "security" completely misunderstands what computer security means. They write long-winded paragraphs only about data integrity and backup issues, and completely ignore any issues around actual attackers trying to compromise their system.

> but also shows this is a <10 person shop

It's a niche market, I'm not surprised. I'd actually prefer if the software was paid for by the government and developed by a single (or a pair of) competent developers and open-sourced. It's probably possible to pull it off with that head-count; you certainly won't need more than a handful.

In the UK one of our problems is that a couple of companies really own it on 'expertise at winning government contracts'.

A small company isn't going to be able to compete there, Capita or someone will get it. They know how to go over budget by £Billions and still not deliver a working product ... I'm guessing it's similar across Europe because of procurement regulations for governments??

Australia has not moved to electronic voting, I can't see it moving to electronic voting (especially in light of the recent online Census debacle), and I'm very glad for this.

Paper based elections are the only way to ensure and verify elections are taking place honestly and fairly.

The use of voting machines has been ruled unconstitutional in Germany: http://www.bverfg.de/e/cs20090303_2bvc000307en.html (English version of the ruling!). Only paper ballots are used in Germany, and they are counted by hand. This article is about the software used to tabulate and transmit the hand-counted vote counts.

On the supreme court decision: the key section is "When electronic voting machines are deployed, it must be possible for the citizen to check the essential steps in the election act and in the ascertainment of the results reliably and without special expert knowledge." - since it's just about impossible to build a voting machine in a way that anyone can convince themselves of its proper operation without special expert knowledge, voting machines are effectively unconstitutional. Everyone can follow the process of counting votes on a paper ballot.

I'm old enough to remember "hanging chads" and "pregnant chads"... Paper isn't perfect but I tend to agree.

Why? Can you provide more detail?

I really like Tom Scott's explanation: https://www.youtube.com/watch?v=w3_0x6oaDmI

It can be inspected and visible. You cannot verify a computer is running the exact same code you want it to be.

In a properly designed end-to-end verifiable voting system, you don't need to verify the code. Black boxes work just fine, you need to be able to verify that the output had indeed matched your input.

I'm not advocating use of computers, though. I believe paper ballots with some math attached are the way to go. That way there are both anti-fraud properties baked into the system (one can verify that their vote wasn't messed with), and the classic hard copies so any person who can do some basic arithmetic can count and re-count votes just fine.

Unfortunately, I think all the systems I've read about either were found to have some issues (usually, it's about vote secrecy) or just too new (essentially, not so well reviewed).

In order to verify the output matched the input, you will need paper and to verify it by hand. Which is just a waste of time, adding computers...

Not really. To verify, you need to perform the computations using the tools you can trust. It can be pen-and-paper-and-brain, or it can be a personal computer.

It's also totally unnecessary to use computers. Paper ballots work just fine.

Even then those counting the paper ballots can be biased.

That's why literally anybody can volunteer and there are lots of people from different backgrounds counting the ballots and checking each other.

I think cybersecurity in general is hugely lacking. I have had personal devices compromised by an individualized targeted attack and found that there are no tools to easily and reliably diagnose which of your devices are compromised (at least for someone who is not a cybersecurity expert). It seems to me that if someone wants to compromise your devices, they can; offensive tools far outperform current defensive tools. There also does not seem to be any strong legal recourse.

From a PR perspective, it would make sense that some White Hat Hackers (possibly crowd funded) put in the effort to actually capture such an election and turn the result into an obvious joke (e.g. by voting a fictional character or an obvious third-tier lunatic outsider).

This could be used as very illustrative material to teach the general public about these risks, better than some hypothetical scenarios and "boring" articles that the average voter is not going to read anyway.

To be fair, that's not really "white hat". Also being resistant to rigging is only one of the threat models of an election. The votes remaining anonymous is another one. I doubt that you can hack that in a "white hat" way.

Congratulations, your "white hats" just earned five years prison each.

There is also a YT-stream in German with one of the three authors (#heiseshow).
