Electronic voting feasibility

Greg Steffensen

I'm designing a web portal for universities (a free software, by/for
students thing), and I'm considering including an electronic voting
component. The site is cute, but I'd like the internet voting
component to be close to the real deal, as well as easy to install, use
and verify. Writing it in open Python code would be a big help in
making it easy to install, use and verify, I think, but I don't know if
there are technical reasons that Python would be a poor choice for this
(I don't care about performance). It's intentionally simple (because
I've been taught that complex == insecure), and is basically just a
wrapper around GPG.

Are there any technical reasons that Python would be a poor choice for
this? I have no illusions that it's possible to build a perfect system,
but would Python be more vulnerable than C or Java for some reason?
I'm not a security guru, but it seems to me that the security of the
interpreter is meaningless next to the security of the OS kernel (the
core of the system involves a series of nodes (election observers)
taking an encrypted package, encrypting it again, and passing it on...
the disk is never touched), so choice of language is largely arbitrary.
Is this wrong? Are there reasons to choose/avoid Python?
Greg Steffensen
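The observer chain described in the post above, modelled as an added example (this is not code from the thread or from Greg's project). It uses only the Python standard library; since the standard library has no public-key cipher, the per-node encryption layer is a hypothetical HMAC-SHA256 keystream standing in for the GPG call, node keys are generated in-process, and the observer names are made up. What it demonstrates is the property the design relies on: a sealed package can only be opened by applying every observer's key in reverse order, and an alteration anywhere in the chain is caught by an authentication tag before anything is decrypted.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32    # HMAC-SHA256 tag appended by each node
NONCE_LEN = 16  # fresh per-layer nonce so equal ballots do not produce equal layers


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Hypothetical stand-in for the GPG layer;
    it exists only so the example runs without a gpg binary."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class ObserverNode:
    """One election observer, holding its own encryption and MAC keys."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.enc_key = secrets.token_bytes(32)
        self.mac_key = secrets.token_bytes(32)

    def wrap(self, package: bytes) -> bytes:
        """Add this node's layer: encrypt, then tag (encrypt-then-MAC)."""
        nonce = secrets.token_bytes(NONCE_LEN)
        body = nonce + _xor(package, _keystream(self.enc_key, nonce, len(package)))
        tag = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        return body + tag

    def unwrap(self, package: bytes) -> bytes:
        """Remove this node's layer. The tag is verified before decrypting, so
        anything altered after this node sealed the package is refused."""
        if len(package) < NONCE_LEN + TAG_LEN:
            raise ValueError(f"{self.name}: package too short to carry a layer")
        body, tag = package[:-TAG_LEN], package[-TAG_LEN:]
        expected = hmac.new(self.mac_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            raise ValueError(f"{self.name}: authentication tag mismatch")
        nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
        return _xor(ciphertext, _keystream(self.enc_key, nonce, len(ciphertext)))


def run_chain(nodes: list, ballot: bytes) -> bytes:
    """Pass the ballot through every observer in order. The result is what the
    last observer hands to the tallying step; nothing is written to disk."""
    package = ballot
    for node in nodes:
        package = node.wrap(package)
    return package


def open_chain(nodes: list, package: bytes) -> bytes:
    """Peel the layers in reverse order. Every node must cooperate."""
    for node in reversed(nodes):
        package = node.unwrap(package)
    return package


def can_open(nodes: list, package: bytes) -> bool:
    """True if this set of nodes, in this order, opens the package cleanly."""
    try:
        open_chain(nodes, package)
        return True
    except ValueError:
        return False


def tamper_detected(nodes: list, package: bytes) -> bool:
    """Flip one bit in the middle of the sealed package and check that the
    chain refuses it instead of silently returning a changed ballot."""
    i = len(package) // 2
    altered = package[:i] + bytes([package[i] ^ 0x01]) + package[i + 1:]
    return not can_open(nodes, altered)


if __name__ == "__main__":
    observers = [ObserverNode(n) for n in ("observer-a", "observer-b", "observer-c")]
    sealed = run_chain(observers, b"ballot: candidate A")
    print(open_chain(observers, sealed))        # b'ballot: candidate A'
    print(can_open(observers[:2], sealed))      # False: one observer's key is missing
    print(tamper_detected(observers, sealed))   # True
```

Two design points carried over from the thread: each layer is encrypt-then-MAC, so a node never decrypts data whose tag fails, and a missing or reordered observer makes the package unopenable rather than partially readable. Swapping the keystream for a real GPG call changes nothing about that structure.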
 

Peter Hansen

Greg said:
> I'm designing a web portal for universities (a free software, by/for
> students thing), and I'm considering including an electronic voting
> component. ...
> Are there any technical reasons that Python would be a poor choice for
> this? I have no illusions that it's possible to build a perfect system,
> but would Python be more vulnerable than C or Java for some reason?

If anything, Python will be much *more* secure than C, and possibly
slightly less secure than Java. On the other hand, once we're past
the old buffer overflow issues (always an issue with C, effectively
never an issue with Python) and similar low-level technical problems,
we are in the realm where the *design of your system* is more likely
to be the cause of any security flaws, rather than the tools used.

Here, too, Python may have an advantage, as it should allow you to
build the system in a way that more closely matches the design.
Python is fairly high level, even compared to Java, so it should
let you spend less time coding and more time designing, and for
a security-sensitive app that is the most important thing (after
what might really be the most important thing, which is to become a
security guru... or hire one).

> I'm not a security guru, but ...

:)

-Peter

> choice of language is largely arbitrary.
> Is this wrong? Are there reasons to choose/avoid Python?

Very few reasons to avoid, many reasons to choose. The choice
shouldn't be arbitrary, but neither should it be based solely
on the question you ask in this message (roughly, "is Python
more secure than C or Java?").

-Peter
 

Paul Rubin

Greg Steffensen said:
> I'm designing a web portal for universities (a free software, by/for
> students thing), and I'm considering including an electronic voting
> component. The site is cute, but I'd like the internet voting
> component to be close to the real deal, as well as easy to install, use
> and verify.

What is going to be voted on? Are you going to poll students about
their favorite color of socks? Or are you going to have real elections
where there is enough at stake that you have to be concerned about
serious attempts to rig the polling?

> Are there any technical reasons that Python would be a poor choice for
> this? I have no illusions that it's possible to build a perfect system,
> but would Python be more vulnerable than C or Java for some reason?
> I'm not a security guru, but it seems to me that the security of the
> interpreter is meaningless next to the security of the OS kernel (the
> core of the system involves a series of nodes (election observers)
> taking an encrypted package, encrypting it again, and passing it on...
> the disk is never touched), so choice of language is largely arbitrary.
> Is this wrong?

Everything you say above is correct.

> Are there reasons to choose/avoid Python?

As compared with other languages, Python is as good a choice as any.
But the whole concept of internet voting, at least for high-stakes
elections (like, say, the US Presidential election), is fundamentally
unsound and should be avoided. For lower-stakes elections it can be
done reasonably securely and convincingly, if the implementers are
honest, and if the voters can be persuaded to trust the implementers.
 

Istvan Albert

Greg said:
> I'd like the internet voting
> component to be close to the real deal

Like surrounded by negative advertising, mindless exaggerations
and populist lies?

Istvan
 

Peter Hansen

Jaime Wyant wrote (top-posting):
> I think the negativity is well founded. http://www.blackboxvoting.org/

Doesn't sound like it was a security issue involving choice of
programming language, operating system, or even technical design,
however...

"""This problem appears to demonstrate intent to manipulate elections,
and was installed in the program under the watch of a programmer who is
a convicted embezzler."""

-Peter
 

Peter Hansen

Peter said:
> Jaime Wyant wrote (top-posting):
>
> Doesn't sound like it was a security issue involving choice of
> programming language, operating system, or even technical design,
> however...
>
> """This problem appears to demonstrate intent to manipulate elections,
> and was installed in the program under the watch of a programmer who is
> a convicted embezzler."""

Sorry, I didn't read far enough.

Not only was the problem a matter of ethics, but clearly there were
significant technical flaws, to the point that if all the points
raised are factual, those who implemented and delivered the system
were unbelievably irresponsible... they certainly were neither
ethical nor competent.

-Peter
 

Istvan Albert

Jaime said:
> I think the negativity is well founded. http://www.blackboxvoting.org/

I was referring to the real voting, not the real electronic voting.

I can't judge whether this site speaks the truth or not, but
their tone and style is very aggressive, steamrolling and
manipulative. Read a few sites that argue that the world
is flat or smoking is good for your health.

Istvan.
 

Peter Hansen

Istvan said:
> I was referring to the real voting, not the real electronic voting.
>
> I can't judge whether this site speaks the truth or not, but
> their tone and style is very aggressive, steamrolling and
> manipulative. Read a few sites that argue that the world
> is flat or smoking is good for your health.

"Manipulative"?! What are they trying to manipulate you to do,
make wise decisions?

People in general, and most programmers, are ignorant about
security. This organization seems to be doing a very good public
service for these times...

-Peter
 

Jason Lai

Istvan said:
> I was referring to the real voting, not the real electronic voting.
>
> I can't judge whether this site speaks the truth or not, but
> their tone and style is very aggressive, steamrolling and
> manipulative. Read a few sites that argue that the world
> is flat or smoking is good for your health.
>
> Istvan.

Well, they certainly have an agenda. I wouldn't say particularly
manipulative though, especially compared to any sort of politician. And
I think you'll find a lot more support for this particular site than for
the Flat Earth Society.

There are definitely issues with electronic voting, regardless of
whether that site's contents and claims are true, and right now in the
U.S. many of them are political rather than technological.

- Jason
 

Peter Hansen

Istvan said:
> Take everything they say as the only truth.

Ah, I see. Anyone who doesn't explicitly tell you to
verify that what she says is the "only" truth is actually
trying to manipulate you into believing only her words...
Now I get it. ;-)

(By the way, so far I've been able to independently confirm
a lot of what is said there, from news reports and other
sites. But perhaps it's just a conspiracy?)

-Peter
 

Istvan Albert

Peter said:
> By the way, so far I've been able to independently confirm
> a lot of what is said there, from news reports and other
> sites. But perhaps it's just a conspiracy?

In certain seasons certain kinds of articles just taste better
and thus sell better; it is not a conspiracy per se, it is just
wise business to write on some topics.

Looking at what they claim, that in 2003 they discovered a back door
affecting every e-voting machine, a backdoor that requires
a 2-digit code to overwrite the votes stored in the system,
moreover even a year later every system has this same flaw...

I don't find this credible, not that I think that e-voting is
particularly secure, but then the election last time around
was decided by hanging chads and an oddly printed voting sheet.
What kind of e-voting problem can be worse than that?

I can think of another 'hysteria' of a very similar flavor.
Anyone here remember the Y2K bug that was supposed to end
life as it is?

Istvan.
 

Peter Hansen

Istvan said:
> Looking at what they claim, that in 2003 they discovered a back door
> affecting every e-voting machine, a backdoor that requires
> a 2-digit code to overwrite the votes stored in the system,
> moreover even a year later every system has this same flaw...
>
> I don't find this credible, ...

Maybe, but I've found other articles that said that the Diebold
machines *all* had a hardcoded password of "1111" at one point...
not a stretch to think they also had a simplistic backdoor like that.

The president of the company says they "are not incompetent", so
we might as well believe him, though, and not Bev Harris. ;-)

-Peter
 

Istvan Albert

Greg said:
> the disk is never touched), so choice of language is largely arbitrary.
> Is this wrong? Are there reasons to choose/avoid Python?

All I know about designing secure systems is that if one has to
ask questions about it then it means that they cannot do it.

Istvan.
 

JanC

Peter Hansen wrote:
> Maybe, but I've found other articles that said that the Diebold
> machines *all* had a hardcoded password of "1111" at one point...
> not a stretch to think they also had a simplistic backdoor like that.
>
> The president of the company says they "are not incompetent", so
> we might as well believe him, though, and not Bev Harris. ;-)

They are very competent security gurus:
<http://www.theregister.co.uk/2003/11/25/nachi_worm_infected_diebold_atms/>

;-)
 

Alan Kennedy

[Istvan Albert]
[Peter Hansen]
> Maybe, but I've found other articles that said that the Diebold
> machines *all* had a hardcoded password of "1111" at one point...
> not a stretch to think they also had a simplistic backdoor like that.
>
> The president of the company says they "are not incompetent", so
> we might as well believe him, though, and not Bev Harris. ;-)

[JanC]
> They are very competent security gurus:
> <http://www.theregister.co.uk/2003/11/25/nachi_worm_infected_diebold_atms/>

Hmm, I read the content of that link, and I can't see anything that
would reassure me that Diebold are/employ competent security people.

Quite the opposite in fact:

"""
At both affected institutions the ATMs began aggressively scanning for
other vulnerable machines, generating anomalous waves of network traffic
that tripped the banks' intrusion detection systems, resulting in the
infected machines being automatically cut off, Diebold executives said.

"The outbound traffic from the ATM was stopped -- limited, from a
network standpoint -- and effectively isolated,"
"""

From the way I read it, the Diebold systems were completely helpless in
the face of the attack. It was the owning bank's IDS that spotted the
problem and cut the Diebold ATMs off from the network. If the bank's IDS
hadn't taken that action, perhaps there might have been more serious
implications for the banks?

If I were in Diebold's position, I would feel extremely embarrassed that
my dedicated hardware "began aggressively scanning for other vulnerable
machines, generating anomalous waves of network traffic" and "the
infected machines being automatically cut off" by someone else's
actions, not mine.

And their performance in keeping watch on vulnerabilities doesn't
inspire confidence: "A patch for the critical RPC DCOM hole had been
available from Microsoft for over a month at the time of the attack, but
Diebold had neglected to install it in the infected machines."

Interesting that Diebold are now installing firewalls in their ATMs. It
seems to me that any "security guru" with a basic clue about network
security would have been doing that since the first day the ATMachines
were connected to a network.

regards,
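The detection Alan describes above, a bank IDS noticing that an ATM had started sweeping the network, is a simple rule to write. The following is an added example and not code from the thread or from any IDS product: it reads constructed connection records (one per line: ISO timestamp, source, destination, destination port; the addresses and times are made up) and flags any source that reaches an unusually large number of distinct hosts on TCP/135, the RPC DCOM port the patch in the quoted article covered, inside a sliding time window. The window and threshold are assumptions to be tuned per network.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def constructed_flows() -> str:
    """Constructed sample records, not real bank traffic.
    Format per line: '<ISO timestamp> <src> <dst> <dst_port>'."""
    base = datetime(2003, 11, 21, 9, 0, 0)
    lines = []
    # An infected host sweeps 40 neighbours on tcp/135 in 20 seconds.
    for i in range(40):
        ts = base + timedelta(seconds=i // 2)
        lines.append(f"{ts.isoformat()} 10.0.5.17 10.0.6.{i + 1} 135")
    # A workstation talking to one domain controller on the same port: benign.
    for i in range(5):
        ts = base + timedelta(minutes=i * 5)
        lines.append(f"{ts.isoformat()} 10.0.5.20 10.0.1.1 135")
    # Ordinary web traffic on another port: ignored by the rule.
    for i in range(50):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 10.0.5.21 10.0.7.{i % 10 + 1} 80")
    return "\n".join(lines)


def parse_flows(text: str):
    """Yield (timestamp, src, dst, port) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def find_scanners(flows, port: int = 135, window_seconds: int = 60,
                  threshold: int = 20) -> dict:
    """Return {src: peak_distinct_destinations} for every source that reached
    at least `threshold` distinct hosts on `port` within any span of
    `window_seconds`. Counting distinct destinations rather than connections
    keeps a chatty client that talks to a single server from being flagged."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, p in flows:
        if p == port:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()                 # sliding window needs time order
        in_window = Counter()         # destination -> hits currently inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Expire events that fell out of the window ending at `ts`.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, n in find_scanners(parse_flows(constructed_flows())).items():
        print(f"{src}: {n} distinct hosts on tcp/135 within 60s")
```

The rule fires on fan-out, which is what a worm's scanning phase looks like from the inside of a network and what the quoted article says tripped the banks' IDS. It says nothing about whether the host is an ATM, which is the point: the detection worked without any help from the device itself.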
 

Michael Sparks

Istvan said:
> All I know about designing secure systems is that if one has to
> ask questions about it then it means that they cannot do it.

That would imply someone can never learn. I'm sure that is *not* what
you mean. Personally I would also say the point at which someone
*stops* asking questions about the security of their system and the
tools they use to build it, that's the point at which the system
becomes most vulnerable.

Best Regards,


Michael.
--
British Broadcasting Corporation, Research and Development
Kingswood Warren, Surrey KT20 6NP

This message (and any attachments) may contain personal views
which are not the views of the BBC unless specifically stated.
 

Peter Hansen

Alan said:
> [JanC]
>
> Hmm, I read the content of that link, and I can't see anything that
> would reassure me that Diebold are/employ competent security people.

You snipped JanC's winkey ;-) from the above... it was clearly
sarcasm, not a serious comment.

> Quite the opposite in fact:

Agreed... the fact that a company would use Windows as the basis for
their ATMs is a direct indication of incompetence in the security
field. :-(

> And their performance in keeping watch on vulnerabilities doesn't
> inspire confidence: "A patch for the critical RPC DCOM hole had been
> available from Microsoft for over a month at the time of the attack, but
> Diebold had neglected to install it in the infected machines."

To be fair, though why I would want to be fair to these bumbling fools
is beyond me, they did say that they were testing the patch. If
we believe that (and I don't, but I'll give them the benefit of the
doubt here anyway), then it's a pretty reasonable and professional
thing to do and a one-month delay, while lengthy, is perhaps not
excessive.

> Interesting that Diebold are now installing firewalls in their ATMs. It
> seems to me that any "security guru" with a basic clue about network
> security would have been doing that since the first day the ATMachines
> were connected to a network.

Firewalls in this case seem more like a bandaid, unfortunately.
Better to design the things to be secure in the first place
and you wouldn't even *need* the firewall.

-Peter
 
