Wednesday, November 28, 2012

Dr. Strangevote or: How I learned to stop surfing and love the paper ballot

(Guest Post by Kirk Schmidt)

TeH Interwebz are all the rage these days. The kids use the twitter. The facebook is where I go to find the people that my coworkers want to know more about when they find interesting people on eHarmony.

In an age where the Internet is such an integral part of our lives, and where democracy seems to slowly be losing a battle to apathy, it makes sense to look into online voting as a potential option. You know, the same way that the invention of the telephone brought in phone-in ballots. No, wait.

What is an online ballot?

I will assume, for the purposes of the post, that the following are true. However, I want to state some things to think about with these as well.

1)      Online voting is performed through standard software such as browsers. Utilizing other platforms introduces other issues, some of which will be similar, if not identical, to using browsers. Others stem from the fact that software can be deconstructed, reverse engineered, and rebuilt (this is a common strategy used by anti-virus companies when building virus definitions).

2)      Online voting does not require additional security parameters to be set up such as VPN tunnels. The more complex the setup to vote online becomes, the less it becomes a viable option.

How do online ballots work?

Most online balloting would work this way (give or take). You are given some sort of authentication protocol to log in. This is unique to you in some way. When the ballot is submitted, a cryptographic key is given to you – theoretically this is used to verify that you voted, and can sometimes even be built to show you who you voted for, assuming you have the proper keys in place. Some online voting systems will allow you to vote multiple times, and only take the last vote.

Tenets of the Vote

Here are the basic tenets of what I see as fundamentally important here.

1)      Votes should be verifiable. There should be a way to ensure that what I clicked for is what the computer registered.

2)      Votes should be counted. There needs to be an auditable way to see which ballots were indeed counted, and to prove that some were not lost, deleted, changed, etc.

3)      One vote per voter. This does not mean that a voter cannot vote more than once, but that at the end, only one vote counts (usually the last).

4)      The voter cannot be reverse-engineered from the ballot, or the combined information on the servers.

5)      A vote cannot be “listened to” or interfered with during processing, and must be secure from tampering.

Issue #1: Server uptime

Election after election, servers go down. There is normally at least one point in time where the place to look up where you go to vote goes down on election day. This is often because servers typically don’t handle the massive loads that come in during an electoral period.

Let’s assume that the ONLY people connecting to the server are potential voters. We can reasonably expect that most voters do not vote during “random” times during the day – the peaks will likely be before work, upon arriving at work, during lunch, just before leaving work, just after getting home, and within a time period prior to closing of the vote. Namely, 6:00-9:00, 11:30-1:30, 4:00-6:00, and then one hour before election closes.

Now, assuming people are trying to connect within the last few minutes of the vote closing, and the system goes down from a denial of service (too many connections), what are the odds that those people can get to the polls before they close?

The other peak times may very well cause other problems, unless the server infrastructure is made robust enough.

Then, this assumes that there is no value in taking down the servers regardless. Let’s say a party knows that its voters tend to vote early – is there value in taking down the servers later in the day? Possibly. So outside of merely voters, a distributed denial of service might be a great way for someone to purposefully suppress voters.

Where this could become even more dangerous is if online connection is required to verify whether someone has voted or not. Since the counterfoil is ripped off as a paper ballot is submitted, it is impossible upon counting of paper ballots to verify whether someone has voted both online and offline. As such, that verification would need to be performed in real-time, and the counting server will need to be updated as a person makes their vote (or we’ll all need to vote online), in order to ensure tenet #3. As such, a distributed denial of service could halt not only online ballots, but offline as well.

Issue #2: The secrecy of the ballot (or, I can bank and/or submit my taxes online – why can’t I vote online)

This is a very common question, so I want to attack this in three different ways. Way number 1 is target analysis. Way number 2 is our view of security. Way number 3 is the audit trail and secrecy of the ballot.

Way #1: Target Analysis

When it comes to hacking a target, the value of the target needs to be taken into account. Think of this as the “Club” effect. If there are two cars of the exact same make and model parked beside each other, and you intend to steal one, and one has “The Club” on the wheel and the other does not, it makes sense to try to steal the one without, as it is the target with potentially the fewest problems.

When you submit your taxes online, you are effectively submitting your income and your deductions into a centralized system. I do not care about your line 150 – I can likely get that other ways, such as analysis of your LinkedIn profile versus standard salary charts, all through public data. The only possible thing of use to me is your SIN, which again, is easier to get through other methods such as phishing attacks.

Furthermore, you have a 3 month window to submit your taxes online (assuming you owe. If you don’t, you can submit your taxes after the deadline). This means that it’s far more difficult to pinpoint when an individual is going to submit those values.

This is similar with banking – I don’t know when you are going to bank online, so any attacks on the systems would have to be based on broader methods of attacking (think keyloggers) that are far more easily detected by anti-virus software.

Banking of course is a much higher target because of the financial movement, but I would argue still not as big a target as determining government.

Compare this to an electoral period – fixed times when one logs in, with the centralized systems capable of determining who will be elected and form government. When you consider that some of the biggest hacks are sponsored by government entities (outside of Canada), you can see where the government of the day could be a potential target.

Also consider the monies spent in an election. With around $100,000 per riding plus a central set of coffers worth almost $20 million per party, there is plenty of money and reason to effect change within our own country.

Way #2: Security

I hear a lot of “I bank online and that’s secure,” and have to hold back laughter. Most banks allow the following to occur:

1)      Mobile banking over the airwaves/wifi

2)      Nothing more than a username and password

Many of these usernames are card numbers. Many of the passwords are required to be 8 characters, with at least one capital, at least one number, and at least one minuscule letter.

Now, there are all sorts of algorithms out there for passwords because people are predictable. You will find the majority of passwords will be dictionary words with a capital letter at the front, a number at the end (which rotates when people have to change password), and simple letter substitution on words such as 3 instead of E.

In fact, the standard 8-char model has a potential 52 alpha characters, 10 numeric characters, and, for argument’s sake, let’s say another 2 punctuation characters (why? because that brings us to 64 characters).

64 is 2 to the power of 6, so each character carries 6 bits. Multiply that by 8 characters, and you have 48 bits, or 2 to the power of 48 potential password combinations.

Now, let’s say that my password system only allows 32 characters – perhaps only minuscule letters and 0-6 (2 to the power of 5). By forcing that and enforcing a password length of 10, my password combinations become 2 to the power of 50 – effectively, my method is more secure. In fact, it’s 4 times more secure than the other method (because we multiply the complexity by 2 and by 2 again).
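The keyspace arithmetic above, worked through in code, along with the other half of the argument: policy-compliant passwords that follow the predictable capital-word-digits shape occupy a far smaller space than the charset math suggests. This is an added example, not code from the post; the two policies are the post’s numbers, while the dictionary size, digit-suffix count and substitution count used for the “template” estimate are constructed assumptions chosen for illustration.

```python
"""Password keyspace arithmetic from the post, plus why template-shaped passwords fall short of it."""
import math
import re


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password chosen uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords the policy permits."""
    return alphabet_size ** length


# The two policies compared in the post.
BANK_POLICY = {"alphabet_size": 64, "length": 8}     # 52 letters + 10 digits + 2 punctuation
AUTHOR_POLICY = {"alphabet_size": 32, "length": 10}  # smaller alphabet, longer minimum


def strength_ratio(policy_a: dict, policy_b: dict) -> float:
    """How many times larger policy_a's keyspace is than policy_b's."""
    return keyspace_size(**policy_a) / keyspace_size(**policy_b)


# Constructed estimate of the "predictable" shape the post describes: a dictionary
# word with a capital first letter, a digit or two on the end, maybe a 3-for-E style
# substitution. These counts are assumptions for illustration, not measurements.
DICTIONARY_WORDS = 50_000
DIGIT_SUFFIXES = 100        # nothing, or 0..99
SUBSTITUTION_VARIANTS = 4   # none, 3-for-E, 0-for-O, both


def template_bits() -> float:
    """Bits an attacker must actually search if users follow the template."""
    return math.log2(DICTIONARY_WORDS * DIGIT_SUFFIXES * SUBSTITUTION_VARIANTS)


# Capital letter, a word body that may contain leetspeak digits, then up to two digits.
TEMPLATE = re.compile(r"^[A-Z][a-z0-9]{3,}\d{0,2}$")


def looks_predictable(password: str) -> bool:
    """True when a password matches the capital-word-digits shape, even if it satisfies the 8-char rule."""
    return TEMPLATE.match(password) is not None


if __name__ == "__main__":
    print(f"bank policy:   {keyspace_bits(**BANK_POLICY):.0f} bits")
    print(f"author policy: {keyspace_bits(**AUTHOR_POLICY):.0f} bits, "
          f"{strength_ratio(AUTHOR_POLICY, BANK_POLICY):.0f}x larger keyspace")
    print(f"template:      {template_bits():.1f} bits")
    for pw in ("Summ3r12", "xK9#pQ2!vL"):
        print(pw, "template-shaped" if looks_predictable(pw) else "not template-shaped")
```

The point the numbers make: the 48-bit and 50-bit figures only hold for passwords drawn uniformly from the allowed alphabet; a user who picks “Summ3r12” has satisfied the policy while choosing from roughly 24 bits’ worth of candidates under the constructed estimate, which is why a policy audit should look at the shape of chosen passwords and not only at the allowed character set.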

Furthermore, a number of these systems require you to enter answers to standard questions, but these are items that can be phished out of people (or investigated). In fact, it is for that reason that NONE of my answers to such questions have ANYTHING to do with the question itself, and my passwords are often keyboard-smashes.

These systems are not as secure as we are often led to believe. While they do provide some level of security, it should be noted that some European banks require you to have physical RSA keys, and that there are far more complex password methods out there than what is granted to us in the seeming standard North American method.

Even if you were not to listen to me, look at the target list of Anonymous. As said by Marc Garneau, “First, who is this group called Anonymous? Put simply, it is an international cabal of criminal hackers dating back to 2003, who have shut down the websites of the U.S. Department of Justice and the F.B.I. They have hacked into the phone lines of Scotland Yard. They are responsible for attacks against MasterCard, Visa, Sony and the Governments of the U.S., U.K., Turkey, Australia, Egypt, Algeria, Libya, Iran, Chile, Colombia and New Zealand.”

Not a bad rap sheet, and I would venture to guess that some of their successful attacks had far better security teams than municipalities or Elections Canada.

Security on the internet is far less than it seems.

Way #3: The audit trail

Voter suppression is a real problem. From the alleged robocall scandal to the slashing of tires in Toronto when some voters had certain signs on their lawns, knowing who will vote for whom is going to be big business. We can infer so much from social media and other public sources, but KNOWING who votes, who doesn’t vote, and who voted for whom is key data.

Now, when I go submit my taxes and work on my bank account, I WANT those entities to know who I am. I WANT the banks to audit my trail, and CRA to continually verify that I am, indeed, me. Why? If someone were to defraud me, there’s a trail. IP addresses, usernames, passwords, etc., are all built around this system to ensure that liability is minimal for the banks and that we can audit everything.

This is something that we specifically do NOT want in an election situation. We want the system to both be able to authenticate me, but not store how I voted. We also need to attempt to make sure that someone cannot vote on my behalf (so sending out simply a key to every house without other login information is not viable).

So how do you audit this? Without IP addresses to verify location and without usernames attached to ballots, it is possible, but difficult. However, the system can only audit within itself, and even that is dangerous.

What do I mean by that? I can audit that a particular key was used to make a particular vote, but all that information exists within a number of servers that are not… supposed… to talk to each other. But as a Database Admin, I would look at it this way: There are normally some few hundred people to a single poll. Now, by getting timestamps of the authentication server versus usernames, and getting a timestamp of vote with electoral district and poll, the likelihood is that internally I can reverse engineer (to some degree) who voted for whom. Add to it only a 50% turnout and a time distribution over hours, and the likelihood goes up.
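The linkage described above can be measured rather than guessed at, and that is the check a system designer should run before deciding what each server is allowed to retain. The following is an added example, not code from the post or from any real voting system: it takes a constructed authentication log and a constructed vote log for one poll, asks for each stored vote how many voters in that poll logged in shortly before it, and then repeats the question with the timestamps coarsened to what a more careful design would store. The voter names, poll id, times and the 30-second assumption about how long a ballot takes after login are all constructed.

```python
"""Linkability check for a split authentication/tally design: how far do stored
timestamps on both servers let an insider tie a vote back to a voter?"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthEvent:
    t: int        # seconds since polls opened (constructed)
    voter: str
    poll: str


@dataclass(frozen=True)
class VoteRecord:
    t: int
    poll: str
    choice: str


# Constructed sample: one poll, six voters, each ballot cast a few seconds after login.
AUTH_LOG = [
    AuthEvent(100, "alice", "poll-12"),
    AuthEvent(1900, "bob", "poll-12"),
    AuthEvent(1905, "carol", "poll-12"),
    AuthEvent(4000, "dave", "poll-12"),
    AuthEvent(7200, "erin", "poll-12"),
    AuthEvent(7210, "frank", "poll-12"),
]
VOTE_LOG = [
    VoteRecord(104, "poll-12", "A"),
    VoteRecord(1903, "poll-12", "B"),
    VoteRecord(1908, "poll-12", "A"),
    VoteRecord(4007, "poll-12", "C"),
    VoteRecord(7203, "poll-12", "B"),
    VoteRecord(7214, "poll-12", "A"),
]


def bucket(t: int, granularity: int) -> int:
    """Round a timestamp down to the bucket the server actually stores."""
    return (t // granularity) * granularity


def candidates(auth, votes, granularity=1, window=30):
    """For each vote, the set of voters in the same poll whose stored login time
    falls within `window` seconds before the stored vote time. Both sides are
    bucketed to `granularity` to model a server that only keeps coarse times;
    the window can never be narrower than one bucket."""
    w = max(window, granularity)
    by_poll = defaultdict(list)
    for a in auth:
        by_poll[a.poll].append((bucket(a.t, granularity), a.voter))
    out = []
    for v in votes:
        vt = bucket(v.t, granularity)
        names = {name for at, name in by_poll[v.poll] if vt - w <= at <= vt}
        out.append((v, names))
    return out


def uniquely_linked(auth, votes, granularity=1, window=30) -> int:
    """Number of votes that the combined logs attribute to exactly one voter."""
    return sum(1 for _, names in candidates(auth, votes, granularity, window)
               if len(names) == 1)


if __name__ == "__main__":
    for g in (1, 300, 3600):
        print(f"timestamps stored to {g:>4}s: "
              f"{uniquely_linked(AUTH_LOG, VOTE_LOG, granularity=g)} of {len(VOTE_LOG)} votes uniquely linkable")
```

With second-precision timestamps, four of the six constructed votes can be pinned to a single voter; rounding both logs to five-minute buckets leaves two, and hourly buckets leave none. The design lesson is the one the paragraph above draws: it is not enough that the servers are “not supposed to talk to each other”, because whatever they each retain is what an insider or a subpoena can later join, so the tally side should store no finer time than the audit genuinely needs.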

Then, if someone were to claim that they did not vote, but they have a vote in the system, how is it disproven? Is it marked as invalid? Do we have to accept it? What are the protocols? All we know is that *someone* with those credentials voted and it was accepted by the system, but to ensure secrecy of the ballot, more information cannot be readily available.

So the likelihood is that we will have to give up the potential right of the secret ballot to ensure auditability. This puts tenets #1, #2, and #3 at odds.

Issue #3: Centralized systems

Paper ballots are not perfect. This is also a common argument. “Well, if paper ballots are not 100% secure, why do you worry about online ballots?”

My experience is with Elections Canada, although most voting is the same within different government levels in the country.

When you go to vote, you are marked as having voted and a counterfoil number is put beside your name. You mark your ballot, fold the ballot, and the counterfoil is ripped from the ballot. The ballot is then placed in the box by you (never give it to someone else to put in! I’ve seen this many times as a scrutineer). Oh, yes, scrutineers – every candidate can send scrutineers to the polls to watch the vote take place, and they can identify problems to the Deputy Returning Officer.

When the ballot boxes are opened, the scrutineers watch the opening, the dumping, and the counting. The counting is done by NO LESS THAN two volunteers, and up to two scrutineers PER candidate are allowed to be there.

This is a decentralized system. It happens at every polling station. It is difficult, though not impossible, to influence this system, but in order to influence an election, either the election has to be close enough that a single polling station decides it, or the interference has to be carried out at multiple stations. This decentralization provides security.

Furthermore, the counterfoils are counted and compared with the number of ballots. There are a number of checks and balances to ensure that the numbers align. Anyone can ask for a judicial review of the ballots; it often comes at a cost, but it is possible.

While the voting system online may exist on multiple servers, that does not make it decentralized. In the end, it’s one internet at play. One set of servers to attack. What makes it even scarier is that an attack on these systems, if performed properly, might still show a proper auditable trail – number of votes cast = number of votes counted. But who cast the votes?

This centralized nature adds risk.

Issue #4: Personal computers and social attacks

This is the biggest fear of all. A voting system may be secure in a black box, but there are systems at play that are not the voting servers. Your computer, your browser (or application), your router, the DNS servers, the certificate authorities: these all have to be trusted in an online system.

These “trust systems” are where the risk lies. This is because phishing attacks are a proven social attack, and the attacks in between can be just as problematic.

Consider this. An SSL certificate sits at the end of a chain, with a root at the top, the site’s leaf certificate at the bottom, and intermediate certificates in between. It is possible to provide a certificate in the middle that reads the information passing through. Your data is encrypted, but because of the way SSL works, it might be encrypted to me, and then re-encrypted when it goes on to the Elections Authority, with my ability to see all of your data in between. Now, this requires more than simply setting up a certificate; it requires redirecting you. But how would you do this?

DNS servers. DNS is the service that tells me that google.ca is at 74.125.129.94. My computer then talks to 74.125.129.94 and says, “I want google.ca.” Since those are Google’s servers, Google has them set up to handle a request for “google.ca” in some way.

Now, let’s say my server is 1.2.3.4, and I set it up to answer for google.ca and serve some site of my own. When I type in google.ca, it will not be directed to 1.2.3.4 unless I have set up my DNS service to resolve it that way. But if it has been, and my server handles google.ca, then your browser will still show google.ca, even though I’m not officially on Google’s servers.

This is a trust system, and while new technologies are coming out such as DNSSEC that are supposed to alleviate issues, in the end, attacks will continue to be viable.

So consider this. Most often your computer is set to use the router’s DNS. However, your computer can be set up to use another DNS. What if I created a DNS that pointed elections.ca to my server and set up a site to look exactly like Elections Canada? Would most users know that their DNS was compromised? Probably not.

Or consider this – in a DEFCON talk a hacker talked about changing DNS settings by using the user’s gullibility (See “How I met your girlfriend.”) So what if I changed the router’s DNS? Would people know to check?

I add a security certificate to my system. I create a voting system. You enter your information, vote, and I even give you a key that you can enter to verify that you voted. Except you didn’t vote – you merely sent all information needed to log in to me.

Or what if, not using DNS, I send you an email from Elections Canada the morning of the election, and I tell you to vote “here”. I then send you not to “vote.elections.ca” but to a subdomain on my own server – a subdomain called vote.elections.ca?id=123456789123456789123456789123456789123456789123456789123456789.1.2.3.4
Now when you look at your address bar, you see vote.elections.ca, but miss the part that it’s actually a subdomain of another server. Same deal, I take your information.

Then, with appropriate control of your router, or your computer, I log in with your credentials, through your network, into the real Elections Canada and vote on your behalf.

A few months ago there was panic over a massive DNS virus that lay dormant for years and was set to change values at a certain time – this is the type of attack I would expect on an election. Change the DNS on election day, and perhaps even change it back once you’ve voted, removing evidence.

The possibilities are endless here. These are attacks that don’t even require imagination. I would hate to see what some of the world’s best hackers could come up with.

Issue #5: Undue Influence

Let’s get away from technology a bit and talk about the social aspect. When I was scrutineering in 2012 for the provincial election, a man with Down syndrome came in to vote. The Returning Officer was asked to help him vote. The RO has to take an oath before being able to do this, and cannot influence the vote – they may only assist in the process.

This check and balance is gone. A person could be subject to undue influence at home, at work, etc., based on their vote. Whether through physical or emotional abuse, a vote may be made without being a free vote.
There is safety and security behind the screen at a polling station. Nobody monitors you, nobody tells you how to vote. Your ballot is secret. I could say I voted NDP but really voted Conservative, and you would not know. This is not necessarily true when one could vote at home.

What is security?

In online ballots, what do we consider to be secure? Is it that the infrastructure itself on the voting end has the latest firewalls and virus security? Do the people working on it have the highest level of clearance? Has the code that accepts the vote been properly vetted?

In India, they opened up their voting systems to hackers for a brief period of time. When hackers could not break it, they declared the systems secure. When hackers figured it out later, they were hushed and some people thrown in jail.

An online ballot might be a long con. It might not be the first, nor the second vote that is attacked – those might be for watching and creating trust. Then, when it is known how the process works, the attack happens.
Do we know it happened? The inability of a full audit is scary. It might look like the election was secure, and that it happened without incident, but was subject to a massive changing of votes through social engineering and phishing attacks. How would we know?

What is the long term risk?

We have one of the most secure systems in the world. Is it perfect? No. Do you trust that who you voted for will be counted? Generally, yes.

If that faith is destroyed, where does our democracy go?

Who is Kirk Schmidt?

I don’t have a long chain of credz after my name. It’s Kirk Schmidt, B.Math. Most of my experience in online security is, well, experience.

I am also a political hack. I follow politics like Toronto follows the Leafs. I was an independent candidate in a federal election in 2008 – and not a single-issue independent candidate. I ran a near $20,000 campaign and gained 3% of the vote.

Does this all make me an expert? Seemingly, no. But what I do have is a range of computer skills that I have developed for almost 30 years, a degree in mathematics, and I am well-versed in politics. Hopefully from the post above you can see that I have some knowledge and experience in these areas.

6 comments:

John Klein said...

Excellent. Having a BSc. Comp. Sci. I understood all of the parts I read. The URL ending in an IP address is clever, and easy to miss even for someone looking for a fake looking URL.

Kirk Schmidt said...

Actually that's one spot I made a mistake in my text. I did the general IP so I didn't have to come up with a domain name, but you cannot have a subdomain to an IP address.

However, it would be very easy to register a domain that still looks correct.

For example, some websites, rather than use html or php, will use a .do extension for the dynamic html. .do is also a country TLD for the Dominican

So if my subdomain ended with file and then my address was votingsystem.do, it might still look valid.

I had read somewhere that you could put the ?= in a subdomain but THIS IS WRONG. So, in correction to that piece, what if we considered this:
vote.elections.ca.id-123456789123456789123456789123456789123456789123456789file-is.votesystem.do
While someone like you or I might spot that (assuming we parse the entire domain name, which could be up to 253 characters), for the most part a lot of people would likely miss it.
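The lookalike hostname discussed in the post and corrected in the comment above comes down to one question: which labels of the hostname does the browser actually treat as the site? An added example, not the post’s or the commenter’s code, that answers it the way a mail client or link highlighter could: parse the URL, take the host the browser will connect to, and compare its right-hand end against the expected domain. The sample URLs are constructed, built on the `elections.ca` name from the post and the `votesystem.do` shape from the comment.

```python
"""Check whether a URL really lands on the expected domain, ignoring lookalike prefixes."""
from urllib.parse import urlsplit

EXPECTED_DOMAIN = "elections.ca"  # the real site named in the post


def effective_hostname(url: str) -> str:
    """The host a browser would connect to for a full URL, lower-cased, trailing dot removed.
    Returns "" when the URL has no scheme, so a bare 'vote.elections.ca/...' is not trusted."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def is_within_domain(url: str, expected: str = EXPECTED_DOMAIN) -> bool:
    """True only if the host is the expected domain or a subdomain of it.
    The leading dot in the suffix check is what rejects 'myelections.ca'."""
    host = effective_hostname(url)
    return host == expected or host.endswith("." + expected)


def rightmost_labels(url: str, n: int = 2) -> str:
    """What a 'Slashdot style' highlighter would show next to a link: the last n labels,
    which is where the registrable domain sits for a two-label public suffix like .ca or .do."""
    host = effective_hostname(url)
    return ".".join(host.split(".")[-n:]) if host else ""


# Constructed samples: the real form, the same with a query string, and the lookalike
# subdomain-of-another-domain form described in the comment above.
SAMPLE_URLS = [
    "https://vote.elections.ca/ballot",
    "https://vote.elections.ca/?id=123456789",
    "https://vote.elections.ca.id-123456789file-is.votesystem.do/",
    "https://myelections.ca/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        verdict = "ok" if is_within_domain(u) else "NOT elections.ca"
        print(f"{verdict:16} {rightmost_labels(u):16} {u}")
```

The ordering matters: a string like `vote.elections.ca` appearing at the start of the host proves nothing, because DNS reads labels from the right, so the check anchors on the suffix and insists on the dot before it. A two-label cut is enough for `.ca` and `.do`; names under suffixes such as `co.uk` need a public suffix list, which is an assumption this example does not implement.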

John Klein said...

Thanks for the correction. I assume that means a Slashdot-style link highlighter is required in our email apps. Each abbreviated link should be followed by the actual visited domain name.

Kirk Schmidt said...

One thing I wanted to mention but forgot:

A few months ago I touched base with a constitutional expert. This lawyer did not provide a true legal opinion, and thus I will not name the person, but I wanted to bring up the conversation.

I asked the person, "If a government were elected by online ballot and then some time later it was determined that the government were elected fraudulently, would decisions/bills passed by that government be valid?"

The answer the person gave me was essentially, they believed that it would. I imagine this has to do with Royal Assent granted to bills at Federal or Provincial level. I don't know what would happen with civic.

Just an interesting thing to think about.

Kirk Schmidt said...

Add to the reading list:
http://www.technologyreview.com/news/506741/why-you-cant-vote-online/