How internet voting can go wrong

News from America:

Small coding mistake led to big Internet voting system failure

The main security weakness that let University of Michigan researchers take control over a planned city of Washington, D.C. Internet voting system pilot for overseas voters in 2010 was “a tiny oversight in a single line of code,” …

It’s evidence, say the researchers – led by Assistant Professor J. Alex Halderman – that Internet voting should be postponed until, when or if major new breakthroughs in cybersecurity occur. Mistakes like the one they exploited are all too common, hard to eradicate, and indicative of a brittleness in web applications, they say. Seemingly trivial errors can result in attackers gaining system dominance – and in the case of an internet voting system, controlling the outcome of an election.

Responding to a call by Washington, D.C., election officials for outsiders with no previous access to test system security, Halderman and his students penetrated the pilot system within 48 hours of it going online. Their successful attack went undetected for another 36 hours.

Quite how it was then detected is rather an amusing musical tale, as you can read in the full story.

* Mark Pack is Party President and Co-leader of the party. He is editor of Liberal Democrat Newswire.

This entry was posted in News.

7 Comments

  • Andrew Suffield 26th Feb '12 - 5:25pm

    Piffle, we don’t need new breakthroughs. This sort of problem was solved decades ago; the techniques for writing code without this sort of error are known in the field as “formal methods”. They are widely used in fields where there is substantial liability for errors: medical equipment, some critical aspects of aerospace technology (NASA are a major player here), microprocessor design.

    The problem is not that we are unable to fix these issues. The problem is that the people involved are unwilling to do so. It would cost time and money, electronic voting in the US is all about profit margins, and there is no penalty for failure.

    The news article here does not even mention the company responsible for this abject failure, so they don’t even have the fairly weak spectre of reputation damage.

  • Matthew Huntbach 26th Feb '12 - 7:56pm


    Piffle, we don’t need new breakthroughs. This sort of problem was solved decades ago; the techniques for writing code without this sort of error are known in the field as “formal methods”.

    Piffle, formal methods has got nowhere near fully proving systems of this level of complexity. My colleague Peter O’Hearn’s work on separation logic (http://www.eecs.qmul.ac.uk/~ohearn/) is generally considered one of the biggest recent breakthroughs in this area, but they are still only just sorting out basic problems in heap assigned storage.

    If one looks at the paper on this bug, one can see that like most modern systems it ties together code from all over the place. If one wanted to write secure systems, this is not how one ought to do it.

    Of course, even if you really could run a system which mathematically proves it has no openings that could be abused, who proves the proof engine? Do we have all to become experts in separation logic to know for sure our ballots are secure?

    So far as I am concerned, the way in which the paper ballot system enables us to track the progress of all ballot papers from voter to count is a valuable safeguard we should NEVER throw away. You do not have to be an expert to see it is safe, no computer program can guarantee the same. Every reputable Computer Scientist I have spoken to on this issue agrees.

  • Richard Dean 26th Feb '12 - 8:08pm

    There’s no way that paper ballots are immune from rigging. See many of the world’s poorer countries for many examples, particularly those where there have been recent finds of oil or minerals. Talk to Putin for further info!

    One of the problems with software is that it has many layers, with different languages in each layer, and a writer at one level may have no idea at all of how his or her choices create security issues in another.

  • Maybe we should postpone flying until we have found ways to prevent planes from crashing.

  • Andrew Suffield 27th Feb '12 - 1:25am

    is generally considered one of the biggest recent breakthroughs in this area, but they are still only just sorting out basic problems in heap assigned storage.

    There’s lots of mature techniques that are in widespread use; you’re looking at research rather than practical engineering.

    If one looks at the paper on this bug, one can see that like most modern systems it ties together code from all over the place. If one wanted to write secure systems, this is not how one ought to do it.

    Yes, anybody who knew they were going to verify their system would inevitably design it differently. That’s half the point. We do know how to make this stuff work, and the people who are failing to make it work are not failed heroes, they are scammers.

    Of course, even if you really could run a system which mathematically proves it has no openings that could be abused, who proves the proof engine? Do we have all to become experts in separation logic to know for sure our ballots are secure?

    The idea of everybody in the country understanding how votes are counted and how we attempt to prevent voting fraud is appealing but has never before been true.

    And to answer your question: no, there is no need to understand any of the logics used in order to validate the proof checker. Undergrad math is more than sufficient; a good proof checker uses only primitive and well-understood rules. This is a non-problem, solved a long time ago.

    So far as I am concerned, the way in which the paper ballot system enables us to track the progress of all ballot papers from voter to count is a valuable safeguard we should NEVER throw away.

    There is no legitimate or rational reason for building an electronic voting system that did not include this kind of paper trail. So far every system that fails to include one has done so for illegitimate or irrational reasons. Every time you see an electronic voting system without one, you should be immediately thinking that you’re being scammed. Because you are.

    You do not have to be an expert to see it is safe, no computer program can guarantee the same.

    Careful. No paper voting system is safe, and voting fraud happens often. No electronic counting system can do any better, because most fraud happens long before the ballots are counted. We merely attempt to keep the fraud as low as possible.

  • Matthew Huntbach 27th Feb '12 - 10:59am

    While I’m aware that paper voting systems can be defrauded, it seems to me the physical nature of the process is a very big part of the protection against fraud. When you can actually see and handle the ballot papers it is much easier to see where things are going wrong or could potentially go wrong than when it is a matter of information being transmitted through the execution of software. Human beings are physical creatures, we have evolved to live in a physical universe – that is why we do not have to be trained experts to gain a good understanding of how paper systems can be manipulated in the way we would if we were to fully understand the protections and any remaining risks of software proof checkers even supposing we could develop fully reliable proof checkers or at least restricted the software to forms where what we have is reliable.

    I write this as someone who develops new research software and teaches computer programming for a living, and has some knowledge and links with the formal methods approach. Sorry, but this stuff is just not as easy-peasy as Andrew is claiming. I have seen the struggle of even reasonably intelligent undergraduates to understand it. While of course I accept that the arcane details of how paper voting systems work are not something your average person knows much about, the barrier of comprehension is very much lower.

    I don’t see the throwing away of the safeguards given by a paper system in return for the convenience of internet voting as doing anything much to counter the malaise in democracy which seems to be an argument for it. To me, it’s just a silly – and potentially dangerous – gimmick, which like many other such gimmicks just works to turn people away from the real problems. The real problems are much more to do with the way politics is played, with its emphasis on top-down centralised campaigning in which ordinary people are seen as having just the role of making a passive choice between competing products, and also to do with the constant denigration of politics by the powerful figures in our society because it is very much in their interest to see the power of the ballot box degraded and the power of the money box enhanced. Every door slammed in your face when you are canvassing with the message “we’re not interested in politics – you lot are just in it for yourself” is a sign of how money boxes are winning out over ballot boxes. It is particularly sad that those who have least money box power tend to have been twisted into holding the most dismissive views of ballot box power.
