It's truly disastrous. Some of the findings:
- The automated software updates have no signature and are downloaded insecurely over HTTP
- The webserver the updates are downloaded from is hosted using a shared hosting package at 1&1, on a host with >5000 other customers (implying an easy takeover using local privilege escalation)
- The reason they know this? They found multiple PHP scripts vulnerable to arbitrary read and write vulnerabilities, so they got full RCE on the server.
- FTP access credentials for the website were contained in a public ZIP file (named test.zip)
- Vote results are transmitted using either insecure FTP whose credentials weren't rotated for years or an equally insecure XML protocol. No signatures in sight.
- Said insecure XML protocol is a government standard
They also took a look at one of the local government's infrastructure:
- test/test were valid VPN credentials
- FTP credentials were publicly downloadable with R/W access to vote results
- Vote result encryption was reversible thanks to a hardcoded symmetric key
The report goes on to detail even more trivial security issues, including home-grown "encryption" algorithms worse than what you'd find in a beginner CTF challenge.
None of the steps taken in response addressed the fundamental, obvious security policy issues. Even their band-aid fixes were broken. For example, they started signing their binaries, but forgot to check the signature.
Given the lack of any security awareness whatsoever, even if they properly sign their binaries, their build server is probably easy to compromise.
RCE demo: https://vimeo.com/232581770
Have a look at the site in question: https://www.wahlinfo.de/
The local government they worked with responded by enforcing verification and transmission of the results using an independent channel.
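The two update findings above (no signature and plain HTTP at first, then a signature that the client never checked) come down to one missing step on the client side. The following Go program is an added example written for this page, not code from PC-Wahl or from the CCC report; the update record layout, the choice of Ed25519 and the sample payloads are constructed assumptions. It contrasts the "sign but never verify" client with one that pins the vendor key, verifies before installing and refuses downgrades:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is a constructed, hypothetical wire format: what a client would
// fetch from the vendor's server. It is not PC-Wahl's real format.
type Update struct {
	Version   uint32
	Payload   []byte // the installer / binary
	Signature []byte // Ed25519 over signedMessage(Version, Payload)
}

// signedMessage binds the version to the bytes so that an old, genuinely
// signed (and perhaps vulnerable) release cannot be replayed as a newer one.
func signedMessage(version uint32, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte("example-update-v1\x00"))
	h.Write([]byte{byte(version >> 24), byte(version >> 16), byte(version >> 8), byte(version)})
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate runs on the vendor's build host, the only place the private key lives.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) Update {
	return Update{version, payload, ed25519.Sign(priv, signedMessage(version, payload))}
}

// InstallBroken is the band-aid the thread describes: the server signs,
// the client never looks. Whatever arrived over HTTP gets installed.
func InstallBroken(u Update) ([]byte, error) {
	return u.Payload, nil
}

// Install is the client done properly: the vendor public key is pinned in
// the binary, the signature is checked before anything is written, and a
// version not newer than the installed one is refused (downgrade/replay).
func Install(pinned ed25519.PublicKey, installed uint32, u Update) ([]byte, error) {
	if !ed25519.Verify(pinned, signedMessage(u.Version, u.Payload), u.Signature) {
		return nil, errors.New("update rejected: signature does not verify")
	}
	if u.Version <= installed {
		return nil, fmt.Errorf("update rejected: version %d is not newer than %d", u.Version, installed)
	}
	return u.Payload, nil
}

// TamperInTransit models an on-path attacker on plain HTTP (or whoever owns
// the shared hosting box) swapping the binary while leaving the rest intact.
func TamperInTransit(u Update, evil []byte) Update {
	u.Payload = evil
	return u
}

type Result struct {
	BrokenAcceptsTampered bool
	FixedRejectsTampered  bool
	FixedAcceptsGenuine   bool
	FixedRejectsDowngrade bool
}

// RunScenario plays the cases with a fresh, throwaway key pair.
func RunScenario() Result {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed sample binary v2") // stand-in for a real installer
	evil := []byte("constructed attacker binary")     // what the attacker substitutes
	u := SignUpdate(priv, 2, genuine)
	bad := TamperInTransit(u, evil)

	var r Result
	got, _ := InstallBroken(bad)
	r.BrokenAcceptsTampered = bytes.Equal(got, evil)
	_, err = Install(pub, 1, bad)
	r.FixedRejectsTampered = err != nil
	got, err = Install(pub, 1, u)
	r.FixedAcceptsGenuine = err == nil && bytes.Equal(got, genuine)
	_, err = Install(pub, 2, u) // already on v2: a replayed v2 must not install again
	r.FixedRejectsDowngrade = err != nil
	return r
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Note what the signature check covers that HTTPS alone would not: a compromised hosting box can serve a perfectly TLS-wrapped malicious binary, but cannot produce a valid signature without the build host's private key. That is also why the build host becomes the next target, which is the point made above.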
A secure e-voting system is hard enough to implement, and even a well done version is worse than a paper ballot. But it's the kind of system described here that'd be the likely result of electronic voting being implemented in countries like the US. A hacked together, insecure piece of junk that's wide open to being compromised by bad actors at every level.
Not just a tendency. When choosing a contractor, government offices in Germany are required to choose the lowest bidder who fulfils (or rather, claims to fulfil) the requirements stated in the call for bids.
It is far easier to just look at the cost, but it's absolutely not uncommon to have other criteria included in a tender.
An offer that is unusually cheap has to withstand additional scrutiny. It is not allowed to choose such an offer (even if it's the cheapest) if it's price-dumping or unlikely to be completed due to the tight calculation.
Germany is full of stuffed old guys, who have no reason to be afraid of ANYTHING. Nothing is ever going to happen to them. All the people that screwed up the major government construction projects went straight on to the next government construction projects. Same with every other industry here.
Blaming the "Ausschreibung" or bidding stuff is only a tiny part of the problem. Every time I see the people responsible for this crap I almost puke when I see them give each other a pat on the back.
Oh and while I'm at it. We have a software contractor that has a contract that basically lets them build anything they want and bill it to us. Add to that I'm supposed to architect their software and micromanage, so they get to bill us for the work. On top of it we pay them to get training in Angular 2.0, which we will then pay for to have them train us. I asked management to change the contract so they couldn't do what they want, but they just don't want to touch it.
They were not chosen as part of the bidding process btw. I've seen the same in the US. It's the same crap you have in any other country.
Maybe what we need is a rule that any critical government infrastructure should be independently pen-tested before it's bought. This should hopefully put off the inexperienced from taking on such projects and offer a way out for governments should the contract go sour.
It is not. There are many voting schemes that offer all the benefits of paper voting together with the verifiability and transparency of cryptographically verifiable vote counting.
I'd recommend the various talks and papers J. Alex Halderman has given/written on this topic, especially on Estonia's e-voting system.
A major benefit of paper voting is that you don't need a math PhD to verify for yourself the integrity of the vote process.
Just an example from another field: It is easy to compare key fingerprints shown by WhatsApp/Signal/GPG, but how do I know that the software does not encrypt the text with a second key? Personally I am not competent to do so and have to trust others. Don't forget that it's not enough to audit the code itself; you would also need to check the whole build process from scratch (and the processors it was done on, for that matter - and while we are at it: how can I know that the display actually shows what it was asked to do?). How many people know how to do so?
When I've thought about e-voting it's seemed tractable except the conflict between verifiability and keeping the ballot secret. I'd be interested to see how such schemes manage this point in particular.
It's a proof of concept, it still has drawbacks, but it proves that you can have a system where all the votes can be accounted for without any information being revealed about any individual's vote: the ballot is secret.
You appear to have one incomplete theoretical scheme?
Thanks in any case for sharing it.
Edit: just on a quick reading - if I think I'll lose a seat, and can corrupt a single authority, I can get them to return a random set of numbers for their part of the polynomial. This randomises the results, doesn't it, giving me a chance to win. As there's no verifiability, it cannot be observed in the voting data?
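The worry in the comment above (one corrupt authority hands back random numbers instead of its share, and nothing in the data reveals it) is exactly what verifiable secret sharing addresses. The following Go program is an added example, not code from the scheme linked in the thread; it uses Feldman's commitment scheme over a toy group (p = 2039, q = 1019, g = 4, constructed only to keep the arithmetic readable) with a constructed tally of 613 split among five authorities, any three of which can reconstruct. Without verification the corrupt share silently shifts the reconstructed total; with the published commitments the bogus share is identified and the total is recovered from honest authorities:

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
)

// Toy group parameters, constructed for this example only: p is a safe
// prime (p = 2q + 1) and g = 4 generates the subgroup of prime order q.
// Real deployments use a large group (a 2048-bit safe prime or an elliptic
// curve); these sizes only keep the numbers readable.
const (
	p uint64 = 2039
	q uint64 = 1019
	g uint64 = 4
)

// Share is what authority X holds: Y = f(X) mod q for the dealer's polynomial f.
type Share struct{ X, Y uint64 }

func modpow(b, e, m uint64) uint64 {
	r := uint64(1)
	b %= m
	for e > 0 {
		if e&1 == 1 {
			r = r * b % m
		}
		b = b * b % m
		e >>= 1
	}
	return r
}

func randMod(m uint64) uint64 {
	v, err := rand.Int(rand.Reader, new(big.Int).SetUint64(m))
	if err != nil {
		panic(err)
	}
	return v.Uint64()
}

// Deal splits secret among n authorities with threshold t and publishes
// Feldman commitments C_j = g^{a_j} mod p to every polynomial coefficient.
func Deal(secret uint64, t, n int) ([]Share, []uint64) {
	coef := make([]uint64, t)
	coef[0] = secret % q
	for j := 1; j < t; j++ {
		coef[j] = randMod(q)
	}
	commit := make([]uint64, t)
	for j, a := range coef {
		commit[j] = modpow(g, a, p)
	}
	shares := make([]Share, n)
	for i := 1; i <= n; i++ {
		x := uint64(i)
		y, xj := uint64(0), uint64(1)
		for _, a := range coef {
			y = (y + a*xj) % q
			xj = xj * x % q
		}
		shares[i-1] = Share{x, y}
	}
	return shares, commit
}

// VerifyShare checks g^y == prod_j C_j^{x^j} (mod p). A value that was not
// computed from the committed polynomial fails with probability 1 - 1/q.
func VerifyShare(s Share, commit []uint64) bool {
	rhs, xj := uint64(1), uint64(1)
	for _, c := range commit {
		rhs = rhs * modpow(c, xj, p) % p
		xj = xj * s.X % q
	}
	return modpow(g, s.Y, p) == rhs
}

// Reconstruct interpolates f(0) mod q from t shares with distinct X (Lagrange).
func Reconstruct(shares []Share) uint64 {
	total := uint64(0)
	for i, si := range shares {
		num, den := uint64(1), uint64(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			num = num * sj.X % q
			den = den * ((sj.X + q - si.X) % q) % q
		}
		lambda := num * modpow(den, q-2, q) % q
		total = (total + si.Y*lambda) % q
	}
	return total
}

// Scenario plays out the thread's worry: authority 2 returns a value that is
// not its share. It returns the true tally, the unverified reconstruction,
// which authorities verification flags, and the verified reconstruction.
func Scenario() (truth, unverified uint64, flagged []uint64, verified uint64, ok bool) {
	truth = 613 // constructed tally for one candidate; must be < q in this toy group
	shares, commit := Deal(truth, 3, 5)
	returned := []Share{shares[0], shares[1], shares[2]}
	// Any value other than the true share is detected; +17 keeps the run deterministic.
	returned[1].Y = (returned[1].Y + 17) % q
	unverified = Reconstruct(returned)
	for _, s := range returned {
		if !VerifyShare(s, commit) {
			flagged = append(flagged, s.X)
		}
	}
	// Drop the flagged authority, bring in another honest one, check, reconstruct.
	honest := []Share{shares[0], shares[2], shares[3]}
	ok = true
	for _, s := range honest {
		ok = ok && VerifyShare(s, commit)
	}
	verified = Reconstruct(honest)
	return
}

func main() {
	truth, unverified, flagged, verified, ok := Scenario()
	fmt.Printf("true tally %d, unverified reconstruction %d, flagged authorities %v, verified reconstruction %d (shares valid: %v)\n",
		truth, unverified, flagged, verified, ok)
}
```

The commitments are public, so the check can be run by any observer, not only by the other authorities; that is the property the comment asks for. What the commitments do not fix on their own is a dealer that lies about the secret it shares, which is a separate problem the linked scheme has to handle with its own proofs.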
Is this legal?
According to German law this is illegal. Thus we're based in New York and the website is served from the US.
But of course, postal votes make vote selling possible.
I feel like it is a universal truth of engineering that you can't expect anyone who implemented such a grossly broken system in the first place to be capable of anything but band-aid fixes of the specific flaws pointed out to them.
I have two conflicting thoughts at the moment:
1. It's insane
2. It's awesome. I wish I could get my hands on one of those machines.
This is worrisome
But all of those things will get lost when talked about in the media or on TV, and the politicians won't care to implement them either. It's a little like nuclear energy being "safe" - except for all the problems humans and their corruption could cause around it. But electronic voting is much worse, because I very much doubt the current political climate would want to handle electronic voting with at least as much care (it's the democracy at stake after all) as they do nuclear power plants. If anything, the two main parties would probably be fine with some vulnerabilities if they think only they can exploit them.
So I guess what I'm trying to say is that electronic voting has always been doomed to fail and will always be doomed to fail due to all of the other implementation details that are always missing from the discussion beyond a few main check boxes. All of that stuff is "nerd talk", so few of the leaders will care about them, which means budgets won't go towards solving those problems and ensuring those other checks exist, too, and are properly managed.
How widely is this system used in the German national elections? Is it just one of the states? (Which one?)
It's obviously a terrible situation, but I'm somewhat confident that you couldn't actually throw the election even with complete access. I, for example, always stop by a polling place a friend volunteers at after the polls are closed and watch them count the ballots. Everyone is free to observe, and you can get as close as you could want, and count the ballots yourself.
There are only a few hundred voters per precinct, so any person can, if they want, verify their (or another) precinct's results end-to-end: count some or all the ballots, then compare with the results posted online.
The volunteers manning the polling places are also incredibly dedicated and professional. I'm pretty sure that at least one of them also verifies the data. It's a diverse crowd (not, for example, party officials or public servants), which makes it practically impossible to get their buy-in to any corruption.
It usually is no problem if they do, but an outside observer should not touch the ballots themselves and is not allowed to. They can look closely though, which gives them the same degree of certainty.
The software for the final results is entirely different and seems to be much more secure.
So maybe one conclusion is that the responsibility for the voting process should be on the federal level, then.
The only difference at the federal level would be it affects 100% of Germans instead of 66%.
Anyway, I just think you should scrap all electronic voting; your local regional governments clearly don't have the chops to avoid idiotic things like this. Just go back to paper ballots. They work fine!
And as the article states, at least one state apparently doesn't trust this software enough that it mandates verification that the correct results have been transmitted and obtained via an independent channel.
The only benefit all this has is that a preliminary result of an election can be obtained a few hours earlier. Whether that's worth having an election that can be manipulated without anyone noticing is anyone's guess, but I believe the BVerfG may have a say in that, as it did for voting machines.
I've helped in this role for a long time, but considered my duty done as it sometimes was a lot of work deep into the night, especially if several elections and referendums were conducted at the same time.
Everyone can attend the voting process and counting process.
Schools etc. for places to vote, voting booths, paper etc. are supplied by the administration, as is the selection of citizens who manage the voting and counting process. The Federal Returning Officer is responsible for organizing elections (for federal elections; similar posts exist for state elections and I assume local ones).
As a sidenote, this is not just a theoretical right. People are exercising it.
I volunteered as an election assistant in one of the previous elections in Germany. We were a team of five assigned to a constituency of about 1000 voters, and when we counted the votes, three citizens were present to observe the counting. As I submitted the results (via phone) to the next-higher level, I also noted the numbers down for myself and checked, later in the evening, that the numbers on the website of the returning officer matched those that I recorded. (They did.)
Same experience here.
they've tried e-voting but had to stop in one of the regions because it's too expensive (i.e., a totally unrelated reason to stop it, but anyway, it's gone)
I'd be surprised if someone manages to slip in an invalid count and not be detected: Most crucial voting points are monitored by people from polling institutes that want results as early as possible. Significant differences would likely raise flags. (I did that a few times for infratest; it's actually fairly OK pay for sitting there and watching.)
N.B.: The software seems to be an absolute clusterfuck and it's probably possible to sow discord and confusion. I just don't believe that you can actually change the election result with these issues - just make people question it, which is bad enough.
That particular part does not protect from rigging. What the polling institutes do is taking a very small representative sample of voters and conducting an exit poll (they essentially have another voting office set up where people can vote a second time in secret for their exit poll). However, if you're clever about how you rig the election, exit polls won't notice that because of the small sample size.
Luckily, the published results can also be cross-checked by the volunteers - often, but not exclusively representatives of parties up for election - that actually count the paper ballots and observe the process. This process ensures that a very large number of people from diverse political groups would have to be in on it in order to rig the election.
Any attack via this software would be detected with very high likelihood. However, the bigger problem would be the impact on the public's trust in the voting process. It's very likely that such an election would have to be repeated (as has happened recently in Austria, due to procedural reasons).
The institutions who bought that software were likely aware of those safety nets, which is why they had no problem buying from a vendor that basically looks like a two-man Delphi shop (no idea what they actually used). Had the system been more critical, we would probably be talking about a whole different set of shocking security problems, in some absurdly overengineered T-Systems monstrosity. Personally I feel less unsafe with paper and the obvious insecurities of a glorified Excel sheet than with a titanic money-sink twenty layers deep that is feeding an army of salespersons and lobbyists paid to silence every voice of concern.
What the institutions who bought this thing underestimated is the terrible impact a caught manipulation (and even this preemptive disclosure, despite being orders of magnitude preferable to only finding out after a caught manipulation) would have on trust, and the spring time for radicals that would follow. A caught manipulation could destabilize the country more than a cruise missile hitting the Reichstag.
(Same as with the volunteer fire brigade, by the way. There, too, you can be volunteered.)
Do you have any information? Counting votes is easy, fire fighting isn't :-)
But what can I say, politically interested people are more likely to be party members, so it's more likely that they work there.
On the ground, the election is run by local volunteers. You can sign up to check peoples' voter registrations and count votes yourself.
The state 'runs' the election in that the state and the state's Secretary of State establish the rules and certify the results.
Blockchains are voodoo, and I'd really think the ongoing disaster of Ethereum should have cooled some of these absurd claims of perfect security.
With a blockchain on the other hand, anybody could verify that their vote went through (just like anybody can verify any Bitcoin/Ethereum transaction). I'd feel much more confident in this than some black box pen and paper because there's zero way to verify anything under a pen-and-paper system.
What disaster of Ethereum? Ethereum is doing pretty well.
Personally, I know for certain that my vote in the last election went through because I have seen the complete process myself and have verified that the published vote counts match the ones counted in the polling station. There is no black box left.
So you worked at a polling station that had its shit together? Great, but that doesn't inspire much confidence in me. Though really the main reason I want electronic voting is for convenience (it really is a hassle, and election days aren't national holidays), increased participation, and so that we could move more towards direct democracy and liquid democracy.
I don't know why people have so much faith in black box paper-based voting systems. There's absolutely no way for any of us to verify that our own votes really went through. If there was vote rigging in Florida or New Mexico in 2000, then none of us would know.
In South Korea's 2012 presidential election (won by Park Geun-hye, who's now in jail), there's reasonable reason to suspect that the voting may have been manipulated. There was even a documentary made on it called "The Plan". Even if one dismisses this as mere conspiracy, the reality is that there's absolutely no way for us to verify it.
The move to electronic voting is inevitable, and I long for the day that this is commonplace because then it would enable us to do cool things like direct democracy and liquid democracy.
Another issue is employers pressing workers to vote for a certain politician etc. They could flat-out ask for one's blockchain ID. With paper voting, there's no valid way to get proof.
Paper voting trust is based on crowd trust. Anyone can check the voting and make sure everything is going smoothly. Don't trust your local voting committee? Go and sign up to volunteer!
Direct democracy has more issues than technical challenges. #1 being education. And that very few people would bother to put in enough time to go over proposals and cast an informed vote. Even in today's loose voting cycles, a lot of people vote based on feels and shitty advertising.
We can't expect a major chunk of population to participate in day-to-day politics and vote frequently. We'd be stuck with low participation and only "interested" votes which would very likely not be representative of whole population. And paper&pen works pretty well for voting once a year or so.
The software this is about is for collecting the vote counts and transferring it to a central location, as far as I understand it. It's still a serious issue, but a quite different one to compromised voting machines.
s/people/machines/ and you get the gist. Centralized tabulation machines are a ripe target for abuse.
Really it is serious, but not so serious as when you have no paper as your source of truth, USA.
The goal is you often don't have to do #2 if either #1 is very successful (i.e., push the margin over the recount range) or if #1 is a complete failure (competitor won't care - he/she will have won anyway).
It's at least as serious, I think. More dangerous, too, since regular people don't see that there is technology involved, as opposed to voting machines, where it's obvious that electronics are involved.
But, conveniently, the block parties have adapted the narrative of the Evil Russian™ as scapegoat for everything that might go wrong.
Some details on the software (ReadSoft FORMS) and the process (EVA Scanning): https://valg.no/om-valg/om-valg2/maskinell-opptelling-av-val...
Sources (Norwegian only):
I worked with a guy who was in charge of the IT for Colombia's elections years ago. He had many interesting (i.e., harrowing) stories of the attempts by "bad guys" to gain physical access to the central servers. Plus what are probably the usual stories of hacking attempts. I remember thinking, Why not just use paper ballots? No one is going to take office until months after the election.
The chief advantage of computers, speed of counting and providing results, is not needed in that situation, so the liabilities from its inherent vulnerability to altering votes outweigh the benefits.
You make bigger and more important decisions than voting every day from your phone and computer.
If voting were as easy as sending an email, you would be able to vote on every topic, instead of voting on someone every 4 years.
https://www.wahlinfo.de/pcwahl/index.html (German only)
There is also https://vote-it.de/?page_id=156 which is a bit more modern, but also shows this is a <10 person shop. Not at all what I expected.
Looks like their page on "security" completely misunderstands what computer security means. They write long-winded paragraphs only about data integrity and backup issues, and completely ignore any issues around actual attackers trying to compromise their system.
It's a niche market, I'm not surprised. I'd actually prefer if the software was paid for by the government and developed by a single (or a pair of) competent developers and open-sourced. It's probably possible to pull it off with that headcount; you certainly won't need more than a handful.
A small company isn't going to be able to compete there, Capita or someone will get it. They know how to go over budget by £Billions and still not deliver a working product ... I'm guessing it's similar across Europe because of procurement regulations for governments??
On the supreme court decision: the key section is "When electronic voting machines are deployed, it must be possible for the citizen to check the essential steps in the election act and in the ascertainment of the results reliably and without special expert knowledge." - since it's just about impossible to build a voting machine in a way that anyone can convince themselves of its proper operation without special expert knowledge, voting machines are effectively unconstitutional. Everyone can follow the process of counting votes on a paper ballot.
I'm not advocating use of computers, though. I believe paper ballots with some math attached are the way to go. That way there are both anti-fraud properties baked into the system (one can verify that their vote wasn't messed with), and the classic hard copies, so any person who can do some basic arithmetic can count and re-count votes just fine.
Unfortunately, I think all the systems I've read about either were found to have some issues (usually, it's about vote secrecy) or just too new (essentially, not so well reviewed).
This could be used as very illustrative material to teach the general public about these risks, better than some hypothetical scenarios and "boring" articles that the average voter is not going to read anyway.