Attacks on other Swiss Post systems or applications
Attacks on the voter’s end device
Attacks based on the assumption that voters do not keep to instructions, e.g. a voter does not check the ballot casting key"
so like... they pass the test, and then they declare "it's secure! we did a 'hacker' test!". but then they deemed these giant vectors out of scope...
seems dangerous in that it fails to demonstrate that the thing is actually end to end secure, yet creates a straw man that sounds awfully close...
sure it's a hard problem. that's the point.
Attacks on other Swiss Post stuff are probably out of scope because it's hard to get agreement from all the stakeholders involved.
The other stuff sounds like things they can't reasonably control (voter device security and behaviour).
Going into the Ts&Cs, this looks more like a good faith effort than a blatant Telegram or BitFi style publicity stunt.
If they decide to go ahead with this approach, they should at least try to harden their system as much as they can against all possible approaches.
As an example, a few months ago the Swiss CCC demonstrated a DNS attack on the e-voting system of Geneva, which was easy since they deployed neither DNSSEC nor HSTS Preloading. While DNSSEC is not trivial to deploy (but almost trivial when using a DNS server like Knot), HSTS Preloading can be done in two minutes and there's probably no reason not to do it.
A few months later, actual state-level votes are conducted through systems by both Geneva and the Swiss Post without DNSSEC and without HSTS preloading.
The Swiss Post is just doing the minimum they have to in order to fulfill the law, while at the same time using the intrusion test as a PR instrument. If you demonstrate a practical and scalable attack, but require a MITM attack vector (e.g. with a root certificate, see the Superfish case for example), then they can claim it's out of scope and that their system was unhackable.
An e-voting system with an intrusion test is better than an e-voting system without an intrusion test. But the consequences of such a test and the way it's communicated are very problematic.
This is clearly unreasonable... and so is electronic voting.
Florida’s protracted 2018 midterm election has revealed the warts of an imperfect voting system that normally go unnoticed. This time, the world is watching, and South Florida election officials are being exposed for sloppy processes that in some cases, a judge found this week, violated both state law and the Constitution. Yet those very procedures are common during elections, political analysts in Florida say; they just don’t get much attention most of the time because most elections end with wide enough margins of victory that few people scrutinize them.
Our current election systems are pretty bad, as illustrated by the numerous examples in that article. And that's all just a mixture of internal ineptitude and maybe a pinch of decentralized maliciousness. If you're going to measure the security of a system by some standard of 'cannot be broken by enemy states kidnapping and torturing key staff members and their families [to coerce exploitable action]' then it should be clear that our current system fails abysmally. So you need to compare the pros, and indeed the cons, of both systems relative to one another.
 - https://www.nytimes.com/2018/11/11/us/florida-recount-electi...
The first one makes sense as they still have an important service to run outside of the scope of just voting - no one wants Swiss Post to go down for a month while they pen test because some hacker decided to bring it down.
So in most municipalities, anyone (!) can be present during the vote collection and counting procedures. The right is rarely used, but is the foundation of (1) trusting and (2) accepting the voting outcome.
This leads to a lot of stability and trust, even if you may not agree with the result of the vote.
With eVoting, we are doing away with that fundamental right and a process understandable to every single voter. Even given Universal Verifiability, the number of people understanding the concept (not even thinking about the implementation) is probably smaller than the number who understand quantum gravity.
Just the rumors of things having run afoul will be able to substantially destabilise the trust in democracy and thus the country.
I do not think we should follow that slippery slope, especially as the major claims that started the eVoting debate have been refuted:
- eVoting does not increase the voter turnout; charging 6 francs for not voting however increases it by 10%
- eVoting is not cheaper; the production and mailing of the required tamper-proof materials is more expensive than before
- eVoting is not simpler; in fact, the process includes many steps which look tedious and unnecessary
We also have an online voting platform already, which was launched by the canton of Geneva in 2003. It has had several upgrades and security audits, and has been targeted by hackers a few times. It's proven quite successful and it is used by a few cantons besides Geneva. Sadly, due to a lack of federal support, Geneva doesn't want to bear the costs anymore.
Which is doubly unfortunate because their implementation was released under the AGPL; now it's the only one that is any kind of free software at all. The Swiss Post, however, only gives the minimum possible license grant (that also requires you to sign up) that applicable law mandates.
https://www.post.ch/-/media/post/evoting/dokumente/nutzungsb... sections 6 and 7: You cannot even redistribute the code!
Otherwise information is usually scattered on the various cantons' (districts') websites.
E.g. chapter 3.4.3 of the architecture PDF might be interesting to end-users/voters:
>End-to-end verifiability: Voters should be able to verify that their vote has been recorded-as-cast and cast-as-intended; and both observers and independent auditors should be able to check that votes are counted as recorded without compromising voter's privacy.
>>Recorded-as-cast verifiability: This verifiability level is achieved by means of vote confirmation receipts which are displayed to voters after their last vote has been cast and can be looked for once the election is closed on a Receipts Portal or a Receipts List made available to voters.
>>Cast-as-intended verifiability: This verifiability is achieved by means of Choice Return Codes, which are sent by mail to the voter before the election starts and univocally represent voter's valid options. The server can generate these Choice Return Codes and send them back to the voter while voting without knowing their real option reservation. This way, the voter can check if these codes match with the ones contained in the paper voting card.
The verification system for the proposed eVoting system works with verification codes individual to a voter. So even if you and I vote YES on a certain topic we will have different verification codes.
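The cast-as-intended check quoted above can be modelled end to end. This is an added illustration, not code from the Swiss Post system or from the architecture PDF: the printing authority gives each voter a secret k and a card of 4-digit codes, the server holds only a table from hash(option^k) to short code, and the voter compares the code the server sends back with the card entry for the option they meant to pick. The group prime, option encodings and the "compromised client" parameter are constructed for the demo.

```python
import hashlib
import secrets

# Toy group parameters (constructed for the demo, not the deployed ones):
# a 127-bit Mersenne prime keeps pow() instant; real systems use far larger groups.
P = 2**127 - 1
OPTIONS = {"YES": 2, "NO": 3, "BLANK": 5}   # options encoded as small primes


def _h(x: int) -> str:
    return hashlib.sha256(str(x).encode()).hexdigest()


def setup_voter():
    """Printing/setup authority: per-voter secret k and per-option return codes.
    Returns (card, server_record). The card goes to the voter by post; the
    server record maps hash(long code) -> short code and never contains k."""
    k = secrets.randbelow(P - 3) + 2
    short_codes, record = {}, {}
    for label, m in OPTIONS.items():
        long_code = pow(m, k, P)               # voter-specific "long" return code
        while True:                            # 4-digit short code, unique per card
            short = f"{secrets.randbelow(10_000):04d}"
            if short not in short_codes.values():
                break
        short_codes[label] = short
        record[_h(long_code)] = short
    return {"k": k, "codes": short_codes}, record


def client_cast(card, intended, actual=None):
    """Voting client: derives the partial choice code m^k from the card secret.
    `actual` models a compromised client that silently substitutes another
    option (constructed failure mode); an honest client leaves it None."""
    m = OPTIONS[actual or intended]
    return pow(m, card["k"], P)


def server_return_code(record, pcc):
    """Server: looks up the short code for this partial choice code. It sees
    only m^k and the hash table; without k it cannot tell which option was
    chosen. A malformed or unknown pcc yields None instead of a code."""
    return record.get(_h(pcc))


def voter_checks(card, intended, returned):
    """Voter compares the on-screen code with the card entry for the option
    they intended. False means the ballot was not cast as intended."""
    return returned is not None and card["codes"][intended] == returned


if __name__ == "__main__":
    card, record = setup_voter()
    honest = client_cast(card, "YES")
    tampered = client_cast(card, "YES", actual="NO")   # client swaps the vote
    print("honest client matches card:", voter_checks(card, "YES", server_return_code(record, honest)))
    print("tampered client matches card:", voter_checks(card, "YES", server_return_code(record, tampered)))
```

The toy keeps k only on the card; any party holding both k and the mapping table could brute-force the option from m^k over the small option set, which is why a deployed scheme must keep those two pieces apart.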
But if we want to scale Democracy to the modern world, where today tens of thousands of important decisions are taken without any citizen input during those 5 years, electronic voting is a necessity.
If voting does not happen in public, you cannot have democracy either. Instead, you have a rule of those who are best at manipulating the vote.
Electronic voting is either not secret or not public. You cannot use it to scale democracy, it destroys it.
"Without regular (daily) votes you cannot have a democracy. Instead, you have a series of temporary dictators selected from those with the connections, charisma, and budget to run campaigns and get put in charge."
Experimenting with something as important as our form of government is really scary, but it's not clear to me that it's more likely to destroy it than improve it.
i don’t necessarily think it’s a good idea because it’s better to have a low tech system that people can understand, even if it’s a little cumbersome and expensive. but it is possible!
Everyone can count paper ballots; having 10 crypto experts who, being experts, wouldn't say that a system is 100% foolproof isn't the same thing.
But if you solve this problem, which is trust in something you can't understand, you can definitely scale it and have it be both secret and verifiable.
But then, for grown-up democratic countries with a stable political system, hardly anything is a reason to introduce eVoting :-)
I think of myself as a well-informed person. I will not be able to cope with that level of decision making. It probably makes more sense to scale it up slowly, adding more and more issues to be voted on as the citizens learn the consequences of their vote and are able to keep themselves informed.
But I do not think that we will ever be taking tens of thousands of votes. That also looks like a very centralized system where all decisions are made from one place. If an issue is local it should be delegated locally.
What if it's just a question of having a platform to express these opinions?
I mark my votes with a pen on a piece of paper. No polling place in my country is more than 300 yards from the voter, at least in cities and towns. I can stick around and watch the counting close enough to verify the count. Costs are negligible compared to the overall budget, with most of the staff being volunteers.
Maybe it’s different with some ballot initiative every second week, or whatever the Swiss are doing. Maybe it doesn’t work as well if you vote for 26 up and down the government from president to dog catcher, to dog-to-be-caught.
But in those cases, I'd still rather give up that surplus of choice than the system that is not just safe, but so obviously safe that even old people don't believe conspiracy theories about it.
Having helped with an e-election system myself, I saw first-hand how it caught "bugs" in the process. For example some district entering wrong information (lots of cross-referencing checks tripped an "alarm").
In the U.S., sure, I can see why people would be concerned. No offence, but the systems in place for social and other citizen-related info ain't excellent. If there's an entire market for false identities it's saying something. Taxes not being done automatically. Social security number being the one way to identify. Online banking being a pain in the ass.
Scalability is an issue. If a system is open to billions, there is more incentive to work on "theoretical" exploits. But let's not pretend paper-voting is a better alternative. E-voting doesn't solve the corruption problem, but it makes it easier to find.
Tom Scott and some of the pen-testers that shit on the concept have good points. However they are all based on the idea that staffers manually counting works better. Tom Scott's New Hampshire example is anecdotal – that system was an insult to the word naïve. The pen-testers taking a dump on the Estonian system were picking on stuff like WiFi passwords being visible and seeing an admin's terminal over the shoulder. The systems responsible for the counting weren't connected to the WiFi and it was there for guests. A lot of good staring at a terminal did with no access to the actual machines holding the program.
I don't see e-voting becoming a thing due to all the FUD spreading. But I hope it will be reviewed as a means of double-checking. Perhaps some studious people might actually go out and study the actually proposed architecture. It's really never as simple as one program doing the counting with a flavor of auditing. At least when done right(ish).
You don't have the same on electronic voting systems. There you need to ask experts, [which again need experts [which again need experts [...]] to explain to you what is going on.
I don't understand why these discussions are done in this black/white manner. There are valid policy discussions to be had, but treating the other side as maliciously dumb isn't helpful.
I understand the problem Swiss persons living abroad have with voting, but there are better ways to solve this than putting the whole vote at risk due to unsecurable Internet voting.
- All members of parliament do that only part-time; during the rest of the year, they do work (mostly) normal jobs.
- Once the (national) parliament has passed a law, the citizens have 100 days to collect the names of 50,000 opponents. If they achieve this, that will mean the law is delayed for at least another year.
In a first world country like Switzerland it's unlikely this coercion would take place with an AK47 at the ballot box. It is, however, conceivable that it could take place on the shop floor by either a boss or a trade union representative threatening to withhold work or pay.
I wouldn't be comfortable using a system like this for a state level election. The stakes are too high. That said, I do actually offer a product that sacrifices the same property and is designed to be used in elections for community organisations, companies, etc.
My digital election product:
More information on the concept of receipt freeness:
As long as voters have to enter cryptic signs instead of clear text votes, the usability of the system is fundamentally screwed.
So it's either fundamentally screwed or fundamentally screwed. Which one do you want? That's what the Swiss research on the topic basically boils down to after 20 years of trials.
Can we just stop it? Wanna help with the Initiative to stop e-voting in Switzerland? https://evoting-moratorium.wecollect.ch/
More info at https://e-voting-moratorium.ch/
It requires that you work for free if you think you find a problem (i.e. you are not allowed to just stop):
> Participants who have found or believe they have found a vulnerability are obliged to submit a report in the GitLab platform as an issue set explicitly to confidential
> Researchers shall provide sufficient information to reproduce the Vulnerability so that the Owners can act as quickly as possible. Usually, a vulnerability description is sufficient, but for more complex vulnerabilities, more detailed information may be needed.
> The Researcher accepts to provide support to the Owners to verify the potential Vulnerability,
It requires that you agree to an indefinite NDA, that extends to not disclosing issues you discover:
> No Vulnerability shall be published within a period of forty five (45) days since the last communication exchanged with the Owners with regards to such potential Vulnerability, unless the Owners have agreed to a shorter period or defined a longer period.
(In other words they can extend the NDA indefinitely by pinging you every 45 days, and the last sentence means they might not even need to bother pinging you every 45 days). Also:
> the information received in the Researcher e-mail account must not be shared with or forwarded to any other e-mail account.
It requires that you are not a company (or government) or acting on behalf of one, despite various companies providing, for free, some of the best security research (see Project Zero):
> Registration for the Program is open to all natural persons willing to comply with the Agreement, with the exception of natural persons who do not act under their own responsibility, but as employees, civil servants, officers or any other subordinate capacity. Registration is therefore not open to organizations, associations, institutions, administrations, governments, government agencies, foreign states, or any other entity that is not a natural person.
Contrary to the article (which currently states "The source code is published permanently to ensure Swiss Post meets the legal requirements."), source code access is not permanent, but only until the end of the production release. I.e. research into past vulnerabilities appears to be forbidden:
> The Agreement and Source Code Access expires at the termination of the productive use of the release to which the Program is dedicated.
I'm not a lawyer, I'm certainly not a Swiss lawyer, but it is my understanding that the purpose of this program is to comply with article 7a and 7b of  (which is linked from ). I hope someone who is a Swiss lawyer (some equivalent of the EFF) is looking closely at this, because I don't see how it complies. I don't see how it can be said that "The source code for the system software must [has] be[en] made public" when companies are not allowed to view it and access is temporary. I don't see how it can be said that "Anyone is entitled to examine, modify, compile and execute the source code for ideational purposes, and to write and publish studies thereon." when you aren't allowed to publish vulnerabilities until they choose to release you from the indefinite NDA you signed.
Do you know what sort of time frame a "real trial" will happen in? I'd love to give the source a once over when I can do so on reasonable terms.
But you can check out the source code as it is; the lawyers of Swiss Post just added all kinds of random stuff to that TOS.
I think this TOS only applies if you participate in the pentest. Otherwise it makes absolutely no sense. The propositions that the researchers shall conduct tests etc. would create a contract for work, which only applies for the pentest due to the potential compensation.
But Swiss Post clearly states that they publish the source code to comply with VEleS 7a, therefore it is public as in "It must be easily obtainable, free of charge, on the internet." Any restrictions like "we must conduct tests" are clearly a charge and thus not valid under 7a.
I'm frankly more concerned with the indefinite NDA than the "you must continue to work for free" clause. I'm reasonably confident that Swiss law doesn't allow for a clause to force me to work without compensation, and I'm quite confident that local law does not regardless of what Swiss law says. The indefinite NDA though strikes me as legally valid, and could plausibly put me in a situation where I'm stuck between keeping silent about vulnerabilities and civil disobedience.
I emphasized "without participating in the pen test" above because I just noticed an amusing loophole in the contract that makes the NDA somewhat (not completely, and still not the rest of the contract) reasonable.... The pen test agreement states
> If you sign up to the source code access programme and there is a conflict between the E-Voting Solution Source Code Access Agreement and the TC&CoC, the latter shall take precedence.
It also states
> Participants / researchers are allowed to publish their findings following a publication date agreed with the organizers. This date will be 45 days after the initial confirmation of the reported finding at the latest.
As such I think if I sign up for both programs the NDA on disclosing vulnerabilities is not indefinite.
A similar example in Finland where companies and government agencies conspired to try and keep vulnerabilities secret: https://www.reddit.com/r/talesfromtechsupport/comments/9m8fz...
This story is largely verifiable via Google - The author has asked that his reddit account/recounting not be directly linked to his name, please respect that here as well.
Yes, this is not a valid clause.
> The indefinite NDA though strikes me as legally valid,
There isn't an indefinite NDA:
> "The expiry or termination of the Agreement shall not affect the validity of the obligations of the Researcher entered into under the Agreement (including but not limited to the Fair Use Restrictions, the Reporting Procedure and the Responsible
With the termination of the Agreement, the contract is void; these obligations can't be prolonged. There is only an exception for trade secrets, which will continue even after a work contract. But this is no work contract. And second, there are no trade secrets in here.
Anyways the whole agreement is fuzzy; this clause
> "The Owners grant access to the EV Solution Source Code in the Program to the extent required by the (Swiss) Federal Chancellery Ordinance on Electronic Voting (“the Ordinance”) (1). No part of this Agreement shall be construed as to provide surpassing rights or to permit its use for other purposes."
gives full public access, with no strings attached. The later clauses are contradictory to this one.
The later clauses being contradictory is an interesting point, but not one I would want to personally litigate.
“Japan gears up for mega hack of its own citizens
Unprecedented cyber attack on 200m internet enabled devices is designed to test the nation’s vulnerability”
The Swiss Post, totally unimpressed by the previous devastating hacker attacks on the e-voting system, is now about to launch its own official hacking "intrusion test". For pocket money, 400 people from all over the world are to test the proven unsafe system in a more controlled and limited setting. The initiators of the popular initiative «For a secure and trustworthy democracy (e-voting moratorium)» are dismayed at the useless exercise.
The Swiss Confederation has been trying to establish e-voting since 2000. By 2019 it wanted to see two thirds of the cantons providing electronic voting. But cantons are far from jumping on the bandwagon as expected. Several of them have again withdrawn from the experiment — the latest being the Canton of Jura. Previously, the Canton of Geneva had decided to abandon development of its own e-voting system by 2020 after more than 10 years of development, allegedly for cost reasons. Before that, this e-voting system had been demonstratively hacked by the Chaos Computer Club Switzerland (CCC-CH), showing its weaknesses by all rules of cyber art: the demo hack passed through the system like a hot knife through butter. The CCC-CH is unsurprisingly one of the most vehement supporters of the e-voting moratorium.
For Jean Christoph Schwaab, former SP National Councillor from the Canton of Vaud and co-initiator of the e-voting moratorium, the intrusion test is “a farce costing 250,000 Swiss francs. The idea of being able to exclude all relevant hacking methods is a well-intentioned illusion.”
Adding even further to the absurdity of the staged «intrusion test», all known weak spots of the system, those which make it easy to falsify votes and elections, are forbidden attack surfaces. It remains to be seen if organized criminals and secret services will also stick to these rules. Much higher sums than those offered by the Swiss are put up by criminals and strategic organizations to develop attacks. It is unlikely that these actors will ever disclose their cyber arsenal to the Swiss for 100 to 50,000 Swiss francs.
National Councillor Franz Grüter, head of the committee, commented that “the security of e-voting cannot be bought. Professional darknet hackers would never show themselves in public, thus never register for such a test. In addition, so-called nation-state hackers act at a much more sophisticated level and never take part in public penetration tests.”
Also Nicolas A. Rimoldi, campaign leader of the popular initiative, sees nothing positive in this large-scale hacking trial with 400 participants: “The decisive findings have long been available: Swiss e-voting is fundamentally insecure, and the goals associated with it (generally higher voter turnout, motivation of internet-savvy young people) were all not achieved. Swiss Post is only interested in pushing out the project, while security has no priority whatsoever. The fundamental attacks pointed out by the CCC-CH haven’t been fixed and are still feasible today on both systems in use as of the current voting term on the 10th of February (Geneva’s system is in use for six cantons and Swiss Post’s for four cantons); the official claim — security before speed — is not enforced. Regardless of this, the Confederation is keeping the e-voting platforms up and running, which is irresponsible. Ironically, Swiss Post is now disclosing the cyber risks for which it has no remedy. Swiss Post and the software supplier Scytl have no remedy against all those banned attack surfaces that often and successfully occur in the real world. Thus, they openly admit that the security of e-voting cannot be guaranteed.”
Rimoldi thinks it is overhearted of the authorities to invite potential attackers — not even excluding foreign secret services and criminal organizations — to test their attack tools for a little payment. “The so-called intrusion test is a pure PR campaign by Swiss Post to divert attention from fundamental and proven flaws in the system,” said Rimoldi.
The limited accessibility of the source code is also impractical: security holes and issues cannot be openly debated and thus can hardly be closed; instead they are to be reported exclusively to Swiss Post. This approach is out of touch with reality and does not correspond to the working principles of IT security engineering. Especially in an area as sensitive as democracy, maximum transparency and a free software license would have been appropriate. Swiss Post together with Scytl is failing in both respects.
The Swiss Federal Government’s insistence on e-voting has isolated Switzerland internationally. With the exception of Estonia, where a minority of the voting population votes electronically, all European states have rejected or abandoned e-voting.
> The Tricky Business of Democracy - For its prestigious electronic voting project, Swiss Post is relying on technology provided by the Spanish company Scytl. But reporting by Republik shows that the e-voting market leader has misused EU funds, bungled elections and encountered security problems during voting.
disclaimer: I work for Republik