DC Suspends Tests of Online Voting System
Fortran IV writes "Back in June, Washington, DC signed up with the Open Source Digital Foundation to set up an internet voting system for DC residents overseas. The plan was to have the system operational by the November general election. Last week the DC Board of Elections and Ethics opened the system for testing and attracted the attention of students at the University of Michigan, with comical results. The DC Board has postponed implementation of the system for 'more robust testing.'" Update: 10/06 02:42 GMT by T : University of Michigan computer scientist J. Alex Halderman provides an explanation of exactly how the folks at Michigan exploited the DC system.
"MORE robust testing" or "more ROBUST testing"? (Score:1, Troll)
Re: (Score:2)
He means "rigorous".
You mean "robustness".
0 marks all around.
[Hail to the Redskins...
Hail vic-to-ryyyyy...]
Re: (Score:1)
Hail to the Redskins...
Hail vic-to-ryyyyy...
Just hearing that makes me want to headbutt a wall!
Go Skins!
Re: (Score:2)
Well, since you seem to come in packs of 10, I think you're not the one we want investigating voting irregularities.
Re: (Score:1)
i have presented the truth, as can obviously be seen.
your attempt to suggest a game was being played, seemingly to justify your continued attempts at lying is pathetic.
you are NOTHING
Re: (Score:1)
Moriarty, s'tat choo?
Had to be asked.
open public review (Score:1, Insightful)
Every critical government system like this should be required to pass through a period of open public review before even being considered for use.
They could actually use prizes to be paid by the government contractor who submitted the bid. If they do a shoddy job on security, they'll not only lose the bid, but they'll also lose additional money (a refundable deposit) to whoever finds their security flaws.
Re: (Score:3, Informative)
It's open software, so you can look at it any time you like.
Of course, so can the h4xx0rs.
And they don't have to pwn it until election day. By which time you no longer have open access to the code in the box. You can try to hack it, but you probably won't be able to tell what other hacks have been applied by looking at the binary.
The fact is, if the voting system is built on an operating system that allows a superuser access to all things, then it's ultimately vulnerable to all types of hack, as long as t
Re:open public review (Score:4, Insightful)
But a paper vote can be audited by the original voter.
An electronic vote can be manipulated just long enough to pass through the counting register, and when it gets back to the original voter it can look exactly like it did before it was manipulated.
Electronic voting, yes! Online voting, no! (Score:2, Insightful)
Voting machines should definitely be electronic.
Online voting seems to be so problem-prone as to be useless. Something as simple as a smurf attack could potentially block every voter from casting their ballot in time.
Re:Electronic voting, yes! Online voting, no! (Score:5, Insightful)
Current history disproves your statement. We cannot yet make online voting work and yet we function pretty well in the "digital age".
Re: (Score:2)
And when ballot boxes appear in the counting room what then?
Or the dead rise to vote with pen in hand.
Or people vote early and often.
Or some of the counters are sure that the mark was on the other side of the ballot.
etc
etc
etc
paper voting is exceptionally far from secure.
I'd not be too happy about voting over the net since the botnet herders would win every election but electronic voting in person? It should be possible to make a system far more secure than the current pen and paper one.
Re: (Score:2)
Why are we acting as though it will ever be possible to get a 100% perfect voting system? It won't be. Sure, paper ballots have flaws. Lots of them. And the system can be gamed - hell, my family's from Louisiana. I know all about the dead voting.
But all those problems exist in the digital voting systems as well. The dead can still vote. People can still vote early and often. Election workers can monkey with the cards that store the voting data. They can misread the final output. The voter can hit the wrong
Re: (Score:2)
You could try defining digital age if you want to make the argument that it has not begun or that we have failed at it. The current normal understanding is that we are living it right now.
Re: (Score:2)
perhaps whoever taught you to read was as dumb as your mother?
Ahh, exactly the kind of calm and level headed debate I am used to on /..
Re:Electronic voting, yes! Online voting, no! (Score:4, Insightful)
Trivial? Yeah right. And you wonder why other moderators are rating you flamebait.
Online voting is not trivial for one reason. Security from vote tampering.
If you can get 300 million people to vote online, without vote tampering up to and including hacking 'your' system, then you're a hero.
But you're not.
Re: (Score:1)
Security from vote tampering.
are you claiming that vote tampering does not currently affect any paper based, hand-counted elections? are you claiming that online voting would certainly have more vote tampering? how? when a single person or small entrusted group can arbitrarily destroy any physical vote at their location, it's hard to argue in relative potentials.
again,
you're an idiot.
Re: (Score:3, Insightful)
Not necessarily. It should be possible to devise an online voting system that worked securely and reliably. To defeat DoS/DDoS attacks, you would probably want to have virtual circuits (eg: MPLS) or bandwidth allocation (eg: RSVP) such that an attack cannot encroach on the voter's bandwidth. Alternatively, an ISP could run Snort or another NIDS system in such a manner as to detect a DDoS attack and block the source addresses. So long as it was done far enough upstream that there was still available bandwidth
Re: (Score:3, Interesting)
Nope,
There are several network appliances that can assist and eliminate most of the overhead of a denial of service attack. This of course would not compensate for upstream saturation, but you have within your power to eliminate a good deal of it long enough to work with upstream providers.
This is why lots of new denial of service attacks focus on exploiting content which has a high application cost. ie, find a page which has too much dynamic content or generates slowly due to dependent services being at th
Re: (Score:2)
If an ISP is using per-flow UDP-aware QoS, no flow can exceed the bandwidth allocated. True, this wouldn't stop an attack based on draining CPU cycles, but it would stop any attack based on network flooding.
If voting software on the host computer specifically filed the RSVP request (so the user has to do nothing and the user is aware of nothing - which is, sadly, likely the case anyway), then host-based resource allocation would not be an issue. Alternatively, let us say that the voting software mandates a
Re:Electronic voting, yes! Online voting, no! (Score:5, Insightful)
Voting machines should definitely be electronic.
Why? What exactly do electronic voting machines give you that, say, an optical scan paper ballot doesn't? Electronic voting has more often than not been a solution in search of a problem.
Re: (Score:1)
Less waste. Even if you were to print out receipts and keep a running log, it would still be much less wasted paper (and all the resources necessary to produce it) using electronic voting machines.
Immediate results. Even assuming the necessity of an audit, the paper log can be scanned many times faster than hand-fed ballots.
Accurate results. This is strangely a problem for electronic machines, but theoretically they should be able to give you an exact count without error. No lost ballots. No forgotten ballo
Inline PDF forms!?! (Score:5, Insightful)
One of the articles mentioned that some browsers submitted blank forms because they don't support inline PDF forms. Who, exactly, thought that using PDF was a good idea? The whole point of the web is that it provides layout standards. Why even bother using a web browser if you're just going to try to hack around it by using a completely different content format, PDF, shoved in using browser plug-ins. It might has well have been Flash. Use the web or do not. There is no halfway.
And of course, their servers were obviously insecure, as evidenced by someone managing to alter content on the servers.
What does all this tell us? Well, it tells us that:
Not that this shouldn't have been anything less than obvious to anyone with even a basic understanding of computer security.... Real secure networks built on top of HTTP use client applications that verify signatures on the content that the servers provide, ensuring that it is legitimate before acting on it. This also, of course, requires that people obtain the client software in a secure fashion, which is a problem in and of itself, in much the same way that obtaining the client on-the-fly from a web server is a problem, and for precisely the same reason.
Re: (Score:2)
Err.. it might as well have been Flash. Stupid typos.
Re: (Score:3, Informative)
And of course, their servers were obviously insecure, as evidenced by someone managing to alter content on the servers.
Bad sign that what with the fact that one of the OSDV directors, also its nominal CTO [osdv.org] sells himself as a security consultant. [sebes.com]
Re:Inline PDF forms!?! (Score:5, Insightful)
Web-based clients are insecure simply because you don't have physical control over them. You don't control the network, the routers, or the client machine. Give me (or some malware author) the client machine, and who cares what you signed on the server or how?
Imagine this: You're a security consultant. A client says: Secure this system, it can change the course of U.S. history (so it has a little value). And by the way, the system extends to 150 million clients running every kind of hardware, software, and configuration imaginable, maybe 25% of which are infected with malware, and to which we have no access and over which we have no control. Oh yeah, and any computer on earth could be a vector of attack and everything from foreign intelligence agencies to corrupt politicians to radical political groups to greedy businesses might have a motive.
Why are we even discussing this as a possibility?
Re: (Score:2)
The difference is that if somebody hijacks the client's machine, that person's ballot might be forged. If somebody hijacks the servers, everyone's ballots might be forged. Also, a properly written (non-web) client can take a lot of steps to secure itself from malware corrupting the results, starting with not allowing keyboard input, using positional randomization to thwart any preprogrammed click event modification, and having dozens of internal consistency checks throughout the code to detect tampering,
Re: (Score:2)
It's not hard to imagine an automated attack on a very large number of client machines. And in addition to forging, we risk the confidentiality of the ballots.
I agree security could be improved, but it's a valuable target on a ridiculous distributed system; it seems like a long shot that security will ever be sufficient. A large scale atta
Re: (Score:2)
Yes, but a targeted attack on computers requires hiring shady programmers for probably a few hundred grand. A targeted attack on mail-in ballots could be done by going to each city and hiring either one unscrupulous illegal immigrant with a car or a handful of not-so-bright kids with bicycles for a few bucks a day.
And with many counties in California having vote-by-mail rates as high as 50%, it's much easier to skew their results far enough to affect the election results without people noticing than it is
For this particular problem, RTFAFGS (Score:2)
These are military personnel voting (absentee) from overseas. I can guarantee you that I can control the originating network, the terminating network and the client machine.
Conspiracy? (Score:2, Insightful)
GNU Free (Score:5, Informative)
Many years ago there was a GNU project to create an online secure voting software. It's a great idea.
In 2002, they finally stopped development. They explain why here: http://www.gnu.org/software/free/ [gnu.org]
Quoting from that page:
"As Bruce Schneier points out "a secure Internet voting system is theoretically possible, but it would be the first secure networked application ever created in the history of computers."
and...
"Mr. Schneier points out, 'building a secure Internet-based voting system is a very hard problem, harder than all the other computer security problems we've attempted and failed at. I believe that the risks to democracy are too great to attempt it.'"
I think anyone wanting to build a secure online voting system should give those quotes some really serious thought before starting. Then before they write any code, they should be able to explain why they believe they are right and one of the field's most respected experts is wrong.
Re: (Score:2)
Bruce is a perfectionist, but the real world isn't perfect. The existing voting system is not perfect (it has >0% error), and so any system that replaces it does not need to be perfect either - it merely has to be better. In the UK, voting cards (really a "right to vote" card) are mailed out through the postal service, and you must hand one over before being allowed into the voting booth. This has many theoretical problems. You could buy and sell the card. You could manufacture a fake card (there are no
Re: (Score:2)
Essentially, the system relies on most people being honest, but it still seems to work reasonably well.
More importantly the system relies on an attacker having to bribe a lot of people to have a meaningful impact on the election result, thus making it pretty hard to not get caught. Electronic voting does not have this type of security: bribe the right guy and you change the election result. That's why it's dangerous.
ensures anonymity by giving each voter a randomised token [...] numbers and votes are published after the vote
This also makes vote selling possible and thus is no better than having the votes be fully public (it's just more insidious).
Re: (Score:3, Insightful)
They could also be collected by political parties from voters through theft, bribery or coercion then used to cast multiple votes.
Re: (Score:3, Insightful)
It's thoughts like those that land coders in trouble.
We have an expert on the record saying it's very very hard, and an AC posting saying the opposite. Who to trust???
What if there's a flaw in the smart card hardware that allowed votes cast to be transmitted differently? What if the master key were to be exposed and someone launched a MITM attack? What if there's an exploitable flaw in the operating system of the server collecting or collating the votes?
You have a solution to just one tin
Re:GNU Free (Score:4, Insightful)
Requirement #0: Convincing enough of the losers that they've lost.
Doesn't matter if your fancy system is actually secure and proven. If the losers think they lost because "too much magic" happened, you could have riots on the streets or even civil war.
While paper votes have problems, they are easier to explain to voters. And if you do them right, the losers tend to agree with the results- they might dispute with a few problem constituencies, but you won't get massive riots.
You get riots when you do them wrong e.g. having one party do the counting in secret. And riots might even be justified or at least understandable since having just one party count paper votes secretly is rather fishy.
In my country I think they rig it with postal votes. The counting is done in front of various observers from different political parties and a few 3rd parties even.
So where they can rig it is with postal votes, or in places which are more obscure - nobody bothers to show up to watch the counts, ballot boxes etc (but those places often don't make much of a difference
Whereas most electronic voting systems tend to do their counts in a way that cannot be observed by others. There's too much magic
And all for what? Make things faster? You want to do it right, take the time and money to do it right. What's so hard about scaling? Your education system should be good enough so that you have enough volunteer counters who can actually count.
I find it funny that the US spends billions to supposedly hold elections in Iraq (regime change right?
Re: (Score:1)
The problem is the end user's system can't ever be guaranteed secure.
Imagine a malware which infects voter's computers just prior to the election.
User logs into the voting site (or application), uses PIN & smartcard, votes for candidate X. The malware hijacks all that information and votes for candidate Z instead. It then hijacks the response from the server and shows a confirmation for candidate X.
As far as the server is concerned a valid registered and authenticated voter cast a vote for candidate Z.
A
Welp (Score:3, Insightful)
I suppose it's a good thing they tested the system.
Isn't this the type of thing testing is supposed to identify?
Sad yankee system (Score:4, Insightful)
Has anybody the comments section in the Washington Post website? It is disgusting to see how much hatred and ignorance is going on there. I hope they're not a representative sample of the USian population.
Meanwhile, in Brasil, we just had a presidential and local election. About 100 million people voting, in an all-electronic process. There were no reports of fraud whatsoever, and the election results were available just 2 hours after the polling stations closed.
Can't the US do better? Your voting system is just laughable.
Re: (Score:3, Insightful)
We are doing better.
If you take the viewpoint of The Man.
Re:Sad yankee system (Score:5, Insightful)
Indeed.
Re: (Score:2)
Mind you, it is very hard to rig an election without raising any suspicion whatsoever. Actually, plenty of time there's suspicion even when no one is trying to rig the election.
If you grant that the Brazilians aren't dumber than USians, no report of fraud indicates less fraud than actual reports of fraud. Which you have.
Re: (Score:2)
Actually, I do know of an example in the 60's where the military tried to rig a regional election. They failed miserably.
Re: (Score:2)
I know of an example where Veterans had to save an election by force of arms.
The Battle of Athens: http://www.constitution.org/mil/tn/batathen.htm [constitution.org]
Re: (Score:2)
Actually, I do know of an example in the 60's where the military tried to rig a regional election. They failed miserably.
It depends on the type of fraud.
I think their main problem was that they did not hide their fraud, or it was too obvious.
When a hacker enters a system, it tries to keep the smallest foot-print, and it's the same thing when you try to hack a voting system.
If you change all the votes to one of the candidates, it will be obvious that there is a fraud.
In France, even though we use paper ballots, there is still a common way to change the votes !
During the counting, the papers are taken by people.
The guy in charg
Re: (Score:2)
It was plain old fraud, not a bloody military coup. Of course they tried to hide it. But the candidate that had actually won in the popular vote noticed that there was something wrong, and dug up the truth.
I'm sorry, I can't seem to find a link in English. http://www.pdt.org.br/diversos/prconsut.html [pdt.org.br]
Re: (Score:2)
Maybe it just means that the system has become so opaque that observers wouldn't be able to spot fraud. These researchers demonstrated they could hack the system without detection. How do you know the Brazilian system was secure?
Re: (Score:2)
Keep in mind that this was a test of a voting system, it never actually made it into official use.
Re: (Score:2)
I'm aware of that, I RTFS. A good test, btw, I find it surprising that the government would want to make it.
I'm talking about the existing voting system of the US; it is inconsistent, archaic, slow, and every now and then there's a report of fraud.
Re: (Score:2)
Anytime there's a close election there's a report of fraud. It's kind of like companies suing other companies - if they can't win in the market place the other guy must be cheating. Don't confuse reports of fraud with actual fraud. I'm not saying there isn't fraud, statistically I think it must exist to an extent in any election. I'm just saying that it's likely not at all as bad as it sounds from the media reports.
Likewise, one should not assume that because there are no reports of fraud that there is
Re: (Score:2)
Have you ever browsed slashdot without filtering the comments? Just as bad here.
Re: (Score:2)
About 100 million people voting, in an all-electronic process.
Was it all Internet; or all electronic, but within designated and staffed polling stations? There's a huge difference. This article is talking about the former, not the latter.
There were no reports of fraud whatsoever...
If it was Internet voting, lack of reports is not equal to lack of fraud.
Your voting system is just laughable.
Yes it is, but not for the reasons you're giving. The US voting system is laughable, by way of example, for our primaries in which we vote for parties instead of people.
I love the idea of not having to go to a polling place to cast a vote, but I despise the to
There were no reports of fraud whatsoever (Score:1)
"There were no reports of fraud whatsoever" != "no fraud."
Re: (Score:2)
It's always nice to hear from citizens of budding democracies. Brasil has had a democratic government since 1985. A full 25 years. Take it from a citizen from an 'old' democracy, now over 160 years old: democracy needs defending. Always. Even if an electronic process works now, if people start to trust it someone can still take advantage of the flaws at a later moment. Let's do a small mental exercise:
- 2010, electronic elections are a complete success. No fraud whatsoever.
- 2014, people welcome a new democr
Re: (Score:2)
There seems to be a widespread belief amongst yankees that paper ballots are somehow more secure than electronic voting. May I remind you of the fiasco of your presidential election in 2000? Al Gore won by popular vote, and probably in the electoral college as well, but your courts forbade the recounting. Now tell me what use are the paper ballots if you can't use the paper trail to actually audit an election?
And need I remind you that all problems began exactly because the system was so slow and unreliable
Re: (Score:2)
1) I'm not a 'yankee'. I'm European.
2) http://politics.slashdot.org/story/10/10/09/1750214/DC-Internet-Voting-Trial-Attacked-2-Different-Ways [slashdot.org]
3) The problems with the 2000 presidential elections were exactly what I was referring to, as the problems were with votes that were to be counted electronically. The fact that they were paper ballots makes no difference whatsoever.
4) Are you mad? Paper voting is more secure than electronic voting according to all people that have studied the subject in depth (see point
Re: (Score:2)
"How would you even know if it happened in the US or not?"
Great point. Let me rectify my statement:
The chance that Brasil openly reverts to some form of dictatorship is quite a bit greater than the same thing happening in the US, or most western european states.
Re: (Score:2)
I accidentally the comments section in the Washington Post website. Sorry.
online voting just makes it so the boss can force (Score:2)
online voting just makes it so the boss can force you to vote his way or you can lose your job.
Re: (Score:2)
If you *have* to make your vote behind a private curtain, the man can't see it. If you can make your vote from any internet connection, then the man can use his power to insist that you vote while he watches.
Yes, this applies to absentee balloting as well. That's why absentee balloting *used* to be controlled with the voter needing to demonstrate a need for it before being allowed an absentee ballot, and why it disturbs me that it is now generally allowed without any controls at all.
Re: (Score:1)
I tried to get an absentee ballot in Michigan so I could avoid going to the polls. I read the fine print and the restrictions made it so that I would have to perjure myself to do so. I opted not to get an absentee because of that.
Seems like (Score:2)
Appropriate slogan (Score:2)
I see the OSDV Foundation's slogan is "Re-inventing How America Votes".
300,000 tax dollars (Score:2)
Really? We're going to blow over a quarter of a million dollars in tax money on a project damn near every IT pro in the US can say "This is a bad idea". Where we've already seen horrendous results from states and local municipalities trying to implement digital voting. Really? There was nothing better to spend $300,000 on? No other small business grants that could have been funded? No research grants? Nothing?
I mean, it's not a huge amount of money, when compared to the scope of the budget. But it is could
I can do everything else online. (Score:4, Insightful)
I can check my bank accounts online.
I can pay my bills online.
I can order almost anything imaginable online.
I can participate in auctions online.
I can date online.
I can gamble online.
I can see my credit reports online.
I can file my taxes online.
Why is voting so different?
Re:I can do everything else online. (Score:4, Insightful)
Voter coercion is a real problem.
Re: (Score:2)
Why is voting so different?
Because it's physically impossible for the union boss / supervisor / Godfather / policeman to stand in the voting booth with you while you vote against their interests. It's very easy for those same people to set up a voting computer in their office so they and their assistants can "help" you vote exactly like they want you to.
Re: (Score:2)
All of what you've listed involves your real identity, whereas votes need to be anonymous. The financial matters are reversible, in that if fraud is found it can be put right, and the others have no great lasting effects. Vote fraud can have major effects, and is difficult at best to reverse.
Anonymity is important in voting. It also means that elections cannot be fully auditable. It's not possible to go to a random sample of voters and confirm that the system correctly recorded their votes. Any audi
Re: (Score:2)
In the study of logic (a part of both computer science and philosophy) it is trivial to show that one cannot prove a negative.
If we take "a negative" to mean a statement on the form "not exists x: P(x)" for some predicate P, what you're saying is that you can prove "not exists V: is_proof_of(V, 'not exists x: P(x)')".
In other words, "You can't prove a negative" _is_ a negative: it's the statement that for each negative, there isn't a proof of it. So proving that you can't prove a negative is a contradiction.
(Maybe that takes second-order rather than first-order predicates, and I don't know _all_ of logic, so take it with a grain
According to the articles... (Score:2)
Who in their right mind uses a web served application for something such as this?
This calls for a secured, encrypted application, with a protocol that maintains its own data security.
It can be done. I built one for the government in 2001:
Ruby scripts and duct tape (Score:2)
So it's all held together with Ruby scripts and duct tape. If you're going to open something like this up to the world you need to digitally sign everything and continuously validate against an isolated server that can shut everything down when it detects a compromise.
First, we need a decent foundation (Score:2)
A random anecdote having nothing to do with e-voting, but probably a lot to do with the quality of voting IT systems: Last year, I asked for an absentee ballot, and never received it. This year, I asked for an absentee ballot, and received three, sent at different times, over the course of several days.
Electronic voting may be a disaster, but there are some other really fundamental flaws in the system:
Right idea, wrong exploit (Score:2)
Making the hack obvious before the "results" were in was exactly the wrong thing to do.
The right thing to do would have been to subvert the results, then mail the chosen numbers and other evidence that you'd owned the system to various news outlets just prior to the tally being announced. Let them embarrass themselves by claiming that the system worked and was secure.
Remember, the worst vulnerability is the one you never discover, or admit to.
Denard Robinson was probably involved (Score:1)
Internet voting system (Score:2)
Internet voting system would be great, great thing! I could finally observe, with 100% proof, that my wife votes correctly.
This (Score:2)
Not to be outdone... (Score:2)
Whats the point (Score:1)
Re: (Score:3, Funny)
And I too die a little whenever I see Jar used twice in the same sentence. I die a lot when George Lucas does it.
Re: (Score:2)
DC elections are decided in the Democratic primary.
And since the city council has limited power and their representative in Congress has no vote, it's a moot point anyway.