Public hacker test on Swiss Post’s e-voting system (evoting-blog.ch)
124 points by donohoe 7 days ago | 55 comments

"Other attacks are not permitted to be used and no compensation will be granted if used. These include:

Attacks on other Swiss Post systems or applications

Attacks on the voter’s end device

Attacks based on the assumption that voters do not keep to instructions, e.g. a voter does not check the ballot casting key"

so like... they pass the test, and then they declare "it's secure! we did a 'hacker' test!". but then they deemed these giant vectors out of scope...

seems dangerous in that it fails to demonstrate that the thing is actually end to end secure, yet creates a straw man that sounds awfully close...

sure it's a hard problem. that's the point.

The scope has to end somewhere.

Attacks on other Swiss Post stuff are probably out of scope because it's hard to get agreement from all the stakeholders involved.

The other stuff sounds like things they can't reasonably control (voter device security and behaviour).

Going into the Ts&Cs, this looks more like a good faith effort than a blatant Telegram or BitFi style publicity stunt.

Using insecure browsers on insecure unpatched devices for trusted secure state-level voting is a bad idea to begin with.

If they decide to go ahead with this approach, they should at least try to harden their system as much as they can against all possible approaches.

As an example, a few months ago the Swiss CCC demonstrated a DNS attack on the e-voting system of Geneva, which was easy since they deployed neither DNSSEC nor HSTS Preloading. While DNSSEC is not trivial to deploy (but almost trivial when using a DNS server like Knot), HSTS Preloading can be done in two minutes and there's probably no reason not to do it.

A few months later, actual state-level votings are done through systems by both Geneva and the Swiss Post without DNSSEC and without HSTS preloading.

The Swiss Post is just doing the minimum they have to in order to fulfill the law, while at the same time using the intrusion test as a PR instrument. If you demonstrate a practical and scalable attack, but require a MITM attack vector (e.g. with a root certificate, see Superfish case for example), then they can claim it's out of scope and that their system was unhackable.

An e-voting system with an intrusion test is better than an e-voting system without an intrusion test. But the consequences of such a test and the way it's communicated are very problematic.

Correction: Actually the Swiss Post does HSTS-preload their e-voting system. Geneva doesn't.
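
Added example (not part of the thread): a header-only check of whether a site's Strict-Transport-Security value is well-formed per RFC 6797 and meets the hstspreload.org header requirements (max-age of at least one year, includeSubDomains, preload). The sample header values and host labels are constructed for illustration, and a passing header does not by itself mean the domain is on the preload list.

```python
import re

# Minimum max-age (seconds) the hstspreload.org submission form accepts: one year.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Returns {lower-cased directive name: value or None}. Raises ValueError
    for headers a conforming browser would ignore entirely.
    """
    directives = {}
    # Splitting on ';' is sufficient here: the directives of interest never
    # carry a quoted value that contains a semicolon.
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar allows empty directives
        name, sep, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        value = value.strip() if sep else None
        if value is not None and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # quoted-string form, e.g. max-age="31536000"
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = value
    if "max-age" not in directives:
        raise ValueError("missing required max-age directive")
    if not re.fullmatch(r"[0-9]+", directives["max-age"] or ""):
        raise ValueError("max-age is not a non-negative integer")
    return directives


def preload_problems(header_value):
    """Return a list of reasons the header fails the preload requirements."""
    try:
        d = parse_hsts(header_value)
    except ValueError as exc:
        return [f"invalid header: {exc}"]
    problems = []
    if int(d["max-age"]) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {d['max-age']} is below {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


# Constructed sample responses, keyed by a made-up host label.
SAMPLES = {
    "ready.example": "max-age=63072000; includeSubDomains; preload",
    "short.example": "max-age=300",
    "quoted.example": 'max-age="31536000"; INCLUDESUBDOMAINS; Preload',
    "nomaxage.example": "includeSubDomains; preload",
    "dup.example": "max-age=31536000; max-age=0; includeSubDomains; preload",
}

if __name__ == "__main__":
    for host, header in SAMPLES.items():
        issues = preload_problems(header)
        print(host, "OK" if not issues else "; ".join(issues))
```
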

No, it absolutely doesn't. The scope for an electronic voting system is anything and everything that a hostile world power's intelligence agency might be able to try. If you want to use a bounty program to convince people a voting system is secure, it needs to include immunity for kidnapping and torturing key staff members and their families, and other real-world activities, in addition to all the electronic attack surface in the universe.

This is clearly unreasonable... and so is electronic voting.

When comparing one system to another you should generally do just that. Not compare one system to an absolutely perfect and flawless system. The NYT had a pretty solid article [1] on the fiasco that happened in Florida in their 2018 elections. But I think a couple of paragraphs cut to the heart of the issue:

Florida’s protracted 2018 midterm election has revealed the warts of an imperfect voting system that normally go unnoticed. This time, the world is watching, and South Florida election officials are being exposed for sloppy processes that in some cases, a judge found this week, violated both state law and the Constitution. Yet those very procedures are common during elections, political analysts in Florida say; they just don’t get much attention most of the time because most elections end with wide enough margins of victory that few people scrutinize them.

Our current election systems are pretty bad, as illustrated by the numerous examples in that article. And that's all just a mixture of internal ineptitude and maybe a pinch of decentralized maliciousness. If you're going to measure the security of a system by some standard of 'cannot be broken by enemy states kidnapping and torturing key staff members and their families [to coerce exploitable action]' then it should be clear that our current system fails abysmally. So you need to compare the pros, and indeed the cons, of both systems relative to one another.

[1] - https://www.nytimes.com/2018/11/11/us/florida-recount-electi...

Meh. Mail voting shares that part, so removing it from the scope of testing for electronic voting makes plenty sense.

To be fair, the last two are spearphishing attacks and so are limited to manipulating a single vote. While important, the scope of this test is to ensure that a single actor cannot manipulate masses of votes at once to skew things heavily in one direction.

The first one makes sense as they still have an important service to run outside of the scope of just voting - no one wants Swiss Post to go down for a month while they pen test because some hacker decided to bring it down.

Generally, the Swiss concept of democracy is based on the maxim that citizens can observe and influence any political process (notwithstanding that lobby groups are typically more effective).

So in most municipalities, anyone (!) can be present during the vote collection and counting procedures. The right is rarely used, but is the foundation of (1) trusting and (2) accepting the voting outcome.

This leads to a lot of stability and trust, even if you may not agree with the result of the vote.

With eVoting, we are doing away with that fundamental right and a process understandable to every single voter. Even given Universal Verifiability, the number of people understanding the concept (not even thinking about the implementation) is probably fewer than those understanding quantum gravity.

Just the rumors of things having run afoul will be able to substantially destabilise the trust in democracy and thus the country.

I do not think we should follow that slippery slope, especially as the major claims that started the eVoting debate have been refuted:

- eVoting does not increase the voter turnout; charging 6 francs for not voting however increases it by 10%

- eVoting is not cheaper; the production and mailing of the required tamper-proof materials is more expensive than before

- eVoting is not simpler; in fact, the process includes many steps which look tedious and unnecessary

For people not familiar with voting in Switzerland, we already trust the Swiss Post, given that most ballots are mailed in. I've never been at a physical polling booth in my life, and we vote at least four times a year.

We also have an online voting platform already, which was launched by the canton of Geneva in 2003. It has known several upgrades, security audits, and has been targeted by hackers a few times. It's proven quite successful and it is used by a few cantons besides Geneva. Sadly, due to a lack of federal support, Geneva doesn't want to bear the costs anymore.

> Geneva doesn't want to bear the costs anymore.

Which is doubly unfortunate because their implementation was released under the AGPL[1]; now it's the only one that is any kind of free software at all. The Swiss Post, however, only gives the minimum possible license grant (that also requires you to sign up)[2] that applicable law[3] mandates.

[1] https://github.com/republique-et-canton-de-geneve/chvote-1-0...

[2] https://www.post.ch/-/media/post/evoting/dokumente/nutzungsb... sections 6 and 7: You cannot even redistribute the code!

[3] https://www.admin.ch/opc/en/classified-compilation/20132343/...

The Geneva system has been cancelled because achieving the "universal" verification would have meant rebuilding the whole system from scratch.

Is there a historical list of the items you vote on each election? I am curious to see a real world example of such regular voting.

The broadest collection from all cantons was just now published into a smartphone app called VoteInfo, see https://www.admin.ch/ site for more details.

Otherwise information is usually scattered on the various cantons' (districts') websites.

Thanks for the head start. Looking around on admin.ch I found https://www.bk.admin.ch/ch/f/pore/va/vab_2_2_4_1_gesamt.html with results from 1848-present.

These are the federal subject votes; it does not include federal elections or cantonal/communal votes/elections. So I would guess one has about six topics on average to decide on, 4-5 times a year.

I'm Swiss, so I guess that soon I'll have to vote about this voting system :)

E.g. chapter 3.4.3 of the architecture PDF might be interesting to end-users/voters:

>End-to-end verifiability: Voters should be able to verify that their vote has been recorded-as-cast and cast-as-intended; and both observers and independent auditors should be able to check that votes are counted as recorded without compromising voter's privacy.

>>Recorded-as-cast verifiability: This verifiability level is achieved by means of vote confirmation receipts which are displayed to voters after their last vote has been cast and can be looked for once the election is closed on a Receipts Portal or a Receipts List made available to voters.

>>Cast-as-intended verifiability: This verifiability is achieved by means of Choice Return Codes, which are sent by mail to the voter before the election starts and univocally represent voter's valid options. The server can generate these Choice Return Codes and send them back to the voter while voting without knowing their real option reservation. This way, the voter can check if these codes match with the ones contained in the paper voting card.

Can it verify that votes that have been added to the system have been cast by the actual voters and not by anyone else?

No. But this is the same with ballot or mail votes in Switzerland, identity is not verified. So in theory you could fake paper voter cards already today, but it's difficult to scale this onto a useful level.

The verification system for the proposed eVoting system works with verification codes individual to a voter. So even if you and I vote YES on a certain topic we will have different verification codes.

Cool that they do this, although I fundamentally subscribe to the point of view advocated by Tom Scott in "Why Electronic Voting is a BAD Idea" https://www.youtube.com/watch?v=w3_0x6oaDmI which argues that it's hard to scale up a large-scale attack against paper-based systems among other things.

Most African countries and Russia have managed large-scale attacks on their own paper-based systems just fine. Crypto-based vote-counting systems must protect the voters not from evil outside hackers, but from electoral commissions themselves.

Yes... but most people are aware that those elections are a farce. I doubt there's many people that would agree to the statement "Putin was legitimately elected".

It may be a bad idea for a vote so important that it happens only once every 5 years and citizens have no recourse in the periods between.

But if we want to scale Democracy to the modern world, where today tens of thousands of important decisions are taken without any citizen input during those 5 years, electronic voting is a necessity.

Without a secret ballot, you cannot have democracy. Instead, you have a rule of those who bought the most votes.

If voting does not happen in public, you cannot have democracy either. Instead, you have a rule of those who are best at manipulating the vote.

Electronic voting is either not secret or not public. You cannot use it to scale democracy, it destroys it.

I wonder if this is just a case of preferring the devil we know.

"Without regular (daily) votes you cannot have a democracy. Instead, you have a series of temporary dictators selected from those with the connections, charisma, and budget to run campaigns and get put in charge."

Experimenting with something as important as our form of government is really scary, but it's not clear to me that it's more likely to destroy it than improve it.

you can definitely have cryptographic schemes where individual votes are secret but the result is publicly verifiable.

i don’t necessarily think it’s a good idea because it’s better to have a low tech system that people can understand, even if it’s a little cumbersome and expensive. but it is possible!

Like others have mentioned, it’s easy to develop a cryptographic system which would provide both vote assurance and vote anonymity. The problem is that unlike paper ballots, people can’t understand those systems, and people don’t trust what they can’t understand, and democracy doesn’t work when there is no trust.

Everyone can count paper ballots; having 10 crypto experts who, given that they are experts, wouldn’t say that a system is 100% foolproof isn’t the same thing.

But if you solve this problem, which is trust in something you can’t understand, you can definitely scale it and have it both being secret and verifiable.

Switzerland manages to hold state-wide votes four times a year, usually combined with local topics, with a paper/ballot based system quite well. Voting more often than every 4 or 5 years is not a reason to introduce eVoting.

But then, for grown-up democratic countries with a stable political system, hardly anything is a reason to introduce eVoting :-)

> tens of thousands of important decisions

I think of myself to be a well-informed person. I will not be able to cope with that level of decision making. Probably makes more sense to scale it up slowly, adding more and more issues to be voted as the citizens learn the consequences of their vote and are able to keep themselves informed.

But, I do not think that ever we will be taking tens of thousands of votes. That also looks like a very centralized system where all decisions are made from one place. If an issue is local it should be delegated locally.

Exactly. This is why we developed republics instead of direct democracy: nobody has the time to weigh in on every decision.

I've been thinking about this: people are generally eager to jump into pointless political flamewars.

What if it's just a question of having a platform to express these opinions?

Perhaps it's not the only case, but Italy's M5S party has built exactly that kind of platform as a means to differentiate from the other political groups. Somehow it worked and now they're governing the country (along with other forces). From a democracy point of view, the result is a mixed bag but I think it's a start.

Why do you think it's cool that they do something that is a bad idea?

I think it's cool they make a public call for people to attempt to hack the system they built, even if I don't think e-voting is a good idea.

I yearn for the times when the tech community still believed e-voting was a bad solution in search of a problem.

I mark my votes with a pen on a piece of paper. No polling place in my country is more than 300 yards from the voter, at least in cities and towns. I can stick around and watch the counting close enough to verify the count. Costs are negligible compared to the overall budget, with most of the staff being volunteers.

Maybe it’s different with some ballot initiative every second week, or whatever the Swiss are doing. Maybe it doesn’t work as well if you vote for 26 up and down the government from president to dog catcher, to dog-to-be-caught.

But in those cases, I’d still rather give up that surplus of choice, rather than the system that is not just safe, but so obviously safe even old people don’t believe conspiracy theories about it.

So I hear the cons for e-voting all the time. It's absolutely true no system is sound and secure. However consider this: most politicians aren't exactly tech-savvy. There are way more cost-effective methods to "rig" elections (for the Swiss scale). Dead people voting. Volunteering staffers. Depending on country method of vote transfer. Human error when counting.

Having helped with an e-election system myself, I saw first-hand how it caught "bugs" in the process. For example some district entering wrong information (lots of cross-referencing checks tripped an "alarm").

In the U.S sure, I can see why people would be concerned. No offence, but the systems in place for social and other citizen-related info ain't excellent. If there's an entire market for false identities it's saying something. Taxes not being done automatically. Social security number being the one way to identify. Online banking being a pain in the ass.

Scalability is an issue. If a system is open to billions, there is more incentive to work on "theoretical" exploits. But let's not pretend paper-voting is a better alternative. E-voting doesn't solve the corruption problem, but it makes it easier to find.

Tom Scott and some of the pen-testers that shit on the concept have good points. However they all are based on the idea that staffers manually counting works better. Tom Scott's New Hampshire example is anecdotal – that system was an insult to the word naïve. The pen-testers taking a dump on Estonian system were picking on stuff like WiFi passwords being visible and seeing over the shoulder an admin's terminal. The systems responsible for the counting weren't connected to the WiFi and it was there for guests. Lot of good staring at a terminal did with no access to the actual machines holding the program.

I don't see e-voting becoming a thing due to all the FUD spreading. But I hope it will be reviewed as a means of double-checking. Perhaps some studious people might actually go out and study the actually proposed architecture. It's really never as simple as one program doing the counting with a flavor of auditing. At least when done right(ish).

Paper voting has a big advantage: any random person from the street can understand all parts of it, and can think of virtually all possible manipulations.

You don't have the same on electronic voting systems. There you need to ask experts, [which again need experts [which again need experts [...]] to explain to you what is going on.

Paper based voting also excludes me, a Swiss person living abroad, from reliably voting.

I don't understand why these discussions are done in this black/white manner. There's valid policy discussions to be had, but treating the other side as maliciously dumb isn't helpful.

The proposed eVoting solution will not do you much good then. It still relies on paper mail getting to you in time, and untampered with.

I understand the problem Swiss persons living abroad have with voting, but there are better ways to solve this than putting the whole vote at risk due to unsecurable Internet voting.

Your politicians might not be tech savvy, but hostile state actors are.

Yes, indeed, we do vote around 5 times a year on several more or less important subjects and elect officials. That does not mean that a mistake can be fixed quickly, because the entire lawmaking process is (deliberately) slow:

- All members of parliament do that only part-time; during the rest of the year, they do work (mostly) normal jobs.

- Once the (national) parliament has passed a law, the citizens have 100 days to collect the names of 50,000 opponents. If they achieve this, it will mean the law is delayed for at least another year.

I have serious concerns about electronic voting. But: One of the predecessor systems allows me to vote in referenda from abroad, and it significantly increases the likelihood I vote successfully. Having to send back the paper ballot weeks in advance (to be sure it arrives in time) makes it easy to miss the deadlines, and also requires skipping over discussion still happening at that stage.

So it looks like the property that the Swiss system sacrifices is receipt freeness. In short, there is nothing to protect voters against someone coercing them to reveal their vote.

In a first world country like Switzerland it's unlikely this coercion would take place with an AK47 at the ballot box. It is, however, conceivable that it could take place on the shop floor by either a boss or a trade union representative threatening to withhold work or pay.

I wouldn't be comfortable using a system like this for a state level election. The stakes are too high. That said, I do actually offer a product that sacrifices the same property and is designed to be used in elections for community organisations, companies, etc.

My digital election product: https://scrut.in/

More information on the concept of receipt freeness: http://www.lsv.fr/Publis/PAPERS/PDF/DKR-csfw06.pdf

As long as voters have to click votes in clear text on a screen, the security of the system is fundamentally screwed.

As long as voters have to enter cryptic signs instead of clear text votes, the usability of the system is fundamentally screwed.

So it's either fundamentally screwed or fundamentally screwed. Which one do you want? That's what the Swiss research on the topic basically boils down to after 20 years of trials.

Can we just stop it? Wanna help with the Initiative to stop e-voting in Switzerland? https://evoting-moratorium.wecollect.ch/

More info at https://e-voting-moratorium.ch/

The contract you are required to agree to view the source code [0] is unreasonable:

It requires that you work for free if you think you find a problem (i.e. you are not allowed to just stop):

> Participants who have found or believe they have found a vulnerability are obliged to submit a report in the GitLab platform as an issue set explicitly to confidential

> Researchers shall provide sufficient information to reproduce the Vulnerability so that the Owners can act as quickly as possible. Usually, a vulnerability description is sufficient, but for more complex vulnerabilities, more detailed information may be needed.

> The Researcher accepts to provide support to the Owners to verify the potential Vulnerability,

It requires that you agree to an indefinite NDA, that extends to not disclosing issues you discover:

> No Vulnerability shall be published within a period of forty five (45) days since the last communication exchanged with the Owners with regards to such potential Vulnerability, unless the Owners have agreed to a shorter period or defined a longer period.

(In other words they can extend the NDA indefinitely by pinging you every 45 days, and the last sentence means they might not even need to bother pinging you every 45 days). Also:

> the information received in the Researcher e-mail account must not be shared with or forwarded to any other e-mail account.

It requires that you are not a company (or government) or acting on behalf of one, despite various companies providing, for free, some of the best security research (see Project Zero):

> Registration for the Program is open to all natural persons willing to comply with the Agreement, with the exception of natural persons who do not act under their own responsibility, but as employees, civil servants, officers or any other subordinate capacity. Registration is therefore not open to organizations, associations, institutions, administrations, governments, government agencies, foreign states, or any other entity that is not a natural person.

Contrary to the article (which currently states "The source code is published permanently to ensure Swiss Post meets the legal requirements."), source code access is not permanent, but only until the end of the production release. I.e. research into past vulnerabilities appears to be forbidden:

> The Agreement and Source Code Access expires at the termination of the productive use of the release to which the Program is dedicated.

I'm not a lawyer, I'm certainly not a Swiss lawyer, but it is my understanding that the purpose of this program is to comply with article 7a and 7b of [1] (which is linked from [0]). I hope someone who is a Swiss lawyer (some equivalent of the EFF) is looking closely at this, because I don't see how it complies. I don't see how it can be said that "The source code for the system software must [has] be[en] made public" when companies are not allowed to view it and access is temporary. I don't see how it can be said that "Anyone is entitled to examine, modify, compile and execute the source code for ideational purposes, and to write and publish studies thereon." when you aren't allowed to publish vulnerabilities until they choose to release you from the indefinite NDA you signed.

[0] https://www.post.ch/-/media/post/evoting/dokumente/nutzungsb...

[1] https://www.bk.admin.ch/dam/bk/de/dokumente/pore/Federal_Cha...

This program doesn't comply with VEleS 7b but it doesn't have to, yet. The requirement for publishing the source code only applies when the system is actually authorized for a real trial.

Oh, interesting.

Do you know what sort of time frame a "real trial" will happen in? I'd love to give the source a once over when I can do so on reasonable terms.

I don't know about the time frame, there is a current proposition which would allow e-voting at the national level which is up for public comments until the 30.4.2019, but then it'll go back to parliament and at some point should be up for a vote. So it may take another year or two.

But you can check out the source code as it is, the lawyers of Swiss Post just added all kinds of random stuff to that TOS. I think this TOS only applies if you participate in the pentest. Otherwise it makes absolutely no sense. The propositions that the researchers shall conduct tests etc. would create a contract for work, which only applies for the pentest due to the potential compensation.

But Swiss Post clearly states that they publish the source code to comply with VEleS 7a, therefore it is public as in "It must be easily obtainable, free of charge, on the internet." Any restriction like "we must conduct tests" is clearly a charge and thus not valid with 7a.

Access to the source without participating in the pen test is clearly governed by the contract I linked, both because that's what the page you need to click through to access the source says [0], and there is a different contract governing participants in the pentest [1].

I'm frankly more concerned with the indefinite NDA than the "you must continue to work for free clause". I'm reasonably confident that Swiss law doesn't allow for a clause to force me to work without compensation, and I'm quite confident that local law does not regardless of what Swiss law says. The indefinite NDA though strikes me as legally valid, and could plausibly put me in a situation where I'm stuck between keeping silent about vulnerabilities and civil disobedience [2].

I emphasized "without participating in the pen test" above because I just noticed an amusing loophole in the contract that makes the NDA somewhat (not completely, and still not the rest of the contract) reasonable.... The pen test agreement states

> If you sign up to the source code access programme and there is a conflict between the E-Voting Solution Source Code Access Agreement and the TC&CoC, the latter shall take precedence.

It also states

> Participants / researchers are allowed to publish their findings following a publication date agreed with the organizers. This date will be 45 days after the initial confirmation of the reported finding at the latest.

As such I think if I sign up for both programs the NDA on disclosing vulnerabilities is not indefinite.

[0] https://www.post.ch/en/business/a-z-of-subjects/industry-sol...

[1] https://onlinevote-pit.ch/conduct/

[2] A similar example in Finland where companies and government agencies conspired to try and keep vulnerabilities secret: https://www.reddit.com/r/talesfromtechsupport/comments/9m8fz...

This story is largely verifiable via Google - The author has asked that his reddit account/recounting not be directly linked to his name, please respect that here as well.

>I'm reasonably confident that Swiss law doesn't allow for a clause to force me to work without compensation, and I'm quite confident that local law does not regardless of what Swiss law says.

Yes, this is not a valid clause.

> The indefinite NDA though strikes me as legally valid,

There isn't an indefinite NDA,

>"The expiry or termination of the Agreement shall not affect the validity of the obligations of the Researcher entered into under the Agreement (including but not limited to the Fair Use Restrictions, the Reporting Procedure and the Responsible Disclosure)."

With the termination of the Agreement, the contract is void, these obligations can't be prolonged. There is only an exception for trade secrets which will continue even after a work contract. But this is no work contract. And second there are no trade secrets in here.

Anyways the whole agreement is fuzzy, this clause

> "The Owners grant access to the EV Solution Source Code in the Program to the extent required by the (Swiss) Federal Chancellery Ordinance on Electronic Voting (“the Ordinance”) (1). No part of this Agreement shall be construed as to provide surpassing rights or to permit its use for other purposes."

gives full public access, with no strings attached. The later clauses are contradictory to this one.

This is part of the reporting procedure/responsible disclosure, and thus lasts past the end of the agreement. It is an NDA. It can be extended indefinitely by the owners without my consent.

> No Vulnerability shall be published within a period of forty five (45) days since the last communication exchanged with the Owners with regards to such potential Vulnerability, unless the Owners have agreed to a shorter period or defined a longer period.

The later clauses being contradictory is an interesting point, but not one I would want to personally litigate.

i’m also waiting to hear more on

“Japan gears up for mega hack of its own citizens

Unprecedented cyber attack on 200m internet enabled devices is designed to test the nation’s vulnerability”


I didn’t know about that. Great story!

Our press release in response: Swiss Post e-voting intrusion test: a farce!


The Swiss Post, totally unimpressed by the previous devastating hacker attacks on the e-voting system, is now about to launch its own official hacking “intrusion test”. For pocket money, 400 people from all over the world are to test the proven unsafe system in a more controlled and limited setting. The initiators of the popular initiative «For a secure and trustworthy democracy (e-voting moratorium)» are dismayed at the useless exercise.

The Swiss Confederation has been trying to establish e-voting since 2000. By 2019 it wanted to see two thirds of the cantons provide electronic voting. But cantons are far from jumping on the bandwagon as expected. Several of them have again withdrawn from the experiment — the latest being the Canton of Jura. Previously, the Canton of Geneva had decided to abandon development of its own e-voting system by 2020 after more than 10 years of development, allegedly for cost reasons. Previously, this e-voting system had been demonstratively hacked by the Chaos Computer Club Switzerland (CCC-CH) showing its weaknesses by all rules of cyber art: the demo hack passed the system like a hot knife through butter. The CCC-CH is unsurprisingly one of the most vehement supporters of the e-voting moratorium.

For Jean Christoph Schwaab, former SP National Councillor from the Canton of Vaud and co-initiator of the e-voting moratorium, the intrusion test is “a farce costing 250,000 Swiss francs. The idea of being able to exclude all relevant hacking methods is a well-intentioned illusion.”

Adding even further to the absurdity of the staged «intrusion test», all known weak spots of the system, those which easily permit to falsify votes and elections, are forbidden attack surfaces. It remains to be seen if organized criminals and secret services will also stick to these rules. Much higher sums than those offered by the Swiss are taken to hands by criminals and strategic organizations to develop attacks. It is unlikely that these actors will ever disclose their cyber arsenal to the Swiss for 100 to 50.000 Swiss francs.

National Councillor Franz Grüter, head of the committee, commented that “the security of e-voting cannot be bought. Professional darknet hackers would never show themselves in public, thus never register for such a test. In addition, so-called nation-state hackers act at a much more sophisticated level and never take part in public penetration tests.”

Also Nicolas A. Rimoldi, campaign leader of the popular initiative, sees nothing positive in this large-scale hacking trial with 400 participants: “The decisive findings have long been available: Swiss e-voting is fundamentally insecure, and the goals associated with it (generally higher voter turnout, motivation of internet-savvy young people) were all not achieved. Swiss Post is only interested in pushing out the project, while security has no priority whatsoever. The fundamental attacks pointed out by the CCC-CH haven’t been fixed and are still feasible today on both systems in use as of the current voting term on the 10th of February (Geneva’s system is in use for six cantons and Swiss Post’s for four cantons); the official claim — security before speed — is not enforced. Regardless of this, the Confederation is keeping the e-voting platforms up and running which is irresponsible. Ironically, Swiss Post is now disclosing the cyber risks for which it has no remedy. Swiss Post and the software supplier Scytl have no remedy against all those banned attack surfaces that often and successfully occur in the real world. Thus, they openly admit that the security of e-voting cannot be guaranteed.”

Rimoldi thinks it is overhearted of the authorities to invite potential attackers — not even excluding foreign secret services and criminal organizations — to test their attack tools for a little payment. “The so-called intrusion test is a pure PR campaign by Swiss Post to divert attention from fundamental and proven flaws in the system,” said Rimoldi.

The limited accessibility to the source code is also impractical: security holes and issues cannot be openly debated and thus hardly be closed, instead they should be reported exclusively to Swiss Post. This approach is out of touch with reality and does not correspond to the working principles of IT security engineering. Especially in an area as sensitive as democracy, maximum transparency and a free software license would have been appropriate. Swiss Post together with Scytl is failing in both respects.

The Swiss Federal Government’s insistence on e-voting has isolated Switzerland internationally. With the exception of Estonia, where a minority of the voting population votes electronically, all European states have rejected or abandoned e-voting.

Our investigative report about the e-voting at Swiss Post and its technology partner Scytl: https://www.republik.ch/2019/02/07/the-tricky-business-of-de...

> The Tricky Business of Democracy - For its prestigious electronic voting project, Swiss Post is relying on technology provided by the Spanish company Scytl. But reporting by Republik shows that the e-voting market leader has misused EU funds, bungled elections and encountered security problems during voting.

disclaimer: I work for Republik
