[EM] Is Helios online voting secure?

Kathy Dopp kathy.dopp at gmail.com
Thu Feb 23 06:30:45 PST 2012


There are always multiple ways to violate the integrity of secretly
cast e-ballots.  For instance, even in encryption systems the ballot
definition files are another point of attack.  The system cannot be
protected from insiders who program it and administer the system. I.e.,
with voting we cannot have both voter anonymity and verifiable
security with any e-ballots.

Small coding mistake led to big Internet voting system failure

Read more: Small coding mistake led to big Internet voting system
failure - FierceGovernmentIT

http://www.fiercegovernmentit.com/story/small-coding-mistake-led-big-internet-voting-system-failure/2012-02-22

The main security weakness that let University of Michigan researchers
take control over a planned city of Washington, D.C. Internet voting
system pilot for overseas voters in 2010 was "a tiny oversight in a
single line of code,"





On Thu, Feb 23, 2012 at 6:36 AM, Jameson Quinn <jameson.quinn at gmail.com> wrote:
>
>
> 2012/2/23 Jameson Quinn <jameson.quinn at gmail.com>
>>
>>
>>
>> 2012/2/22 Kathy Dopp <kathy.dopp at gmail.com>
>>>
>>> Below is a quote from Ben Adida, creator of Helios.
>>>
>>>    We now have documented evidence ...that viruses like Stuxnet that
>>> corrupt nuclear power plants by spreading from one Windows machine to
>>> the other have been built. And so if you run a very large scale
>>> election for a president of a G8 country, why wouldn’t we see a
>>> similar scenario? Certainly, it’s worth just as much money; it’s worth
>>> just as much strategically. . . . All the verifiability doesn’t change
>>> the fact that a client side corruption in my browser can flip my vote
>>> even before it’s encrypted, and if we . . . must have a lot of voters
>>> verify their process, I think we’re going to lose, because most voters
>>> don’t quite do that yet.
>>>
>>> - Adida, Ben. 2011. Panelist remarks – Internet voting panel.
>>> EVT/WOTE’11, the Electronic Voting Tech. Workshop / Workshop on
>>> Trustworthy Elections. Aug. 9, 2011. URL
>>> http://www.usenix.org/events/evtwote11/stream/benaloh_panel/index.html.
>>>
>>> The above quote on Helios was sent to me from Barbara Simons,
>>> coauthor, with another computer scientist, Doug Jones, of an upcoming
>>> very well-researched and well-written book: "Broken Ballots: Will Your
>>> Vote Count?"  The book will be published by April 15th approx.
>>>
>>>
>>>
>> Yes, I said that: "It is insecure against trojans on the voter's machine
>> at the time of the initial vote, ... not something I'd trust for public
>> elections...."
>>
>> This actually is not an insurmountable difficulty. There are two ways you
>> could face it:
>>
>> 1. Still using the voter's home machine, you could combine the
>> cryptography with captchas: the voter would have to match a picture next to
>> the candidate with a list of pictures in different order in order to
>> rate/rank that candidate. However, this is inconvenient, and to make it
>> secure you would need time limits. It also does nothing to address the
>> digital divide. This latter issue, not security, is the reason I find this
>> solution unacceptable for political elections.
>>
>> 2. You could use secure machines, booted from CD with no hard drive, at
>> polling stations.
>
>
> Of course, if you're using polling stations anyway, you should be printing
> hand-marked or at least voter-verified paper ballots and giving
> cryptographically-verifiable receipts. That is to say, even if you can build
> a context where Helios is 100% secure (less than one flaw expected in the
> age of the known universe), there is no good reason not to add other reasons
> for people to trust the result. The goal of an election is not just to BE
> secure, but to APPEAR secure, even to people who don't understand or trust
> mathematical and computational security measures.
>
> Jameson
>
>>
>> But yes, I explicitly stated that Helios as-is is NOT secure enough to use
>> for a high-stakes election with more than around 10K voters.
>>
>> Jameson
>
>



-- 

Kathy Dopp
http://electionmathematics.org
Town of Colonie, NY 12304
"One of the best ways to keep any conversation civil is to support the
discussion with true facts."
"Renewable energy is homeland security."

Fundamentals of Verifiable Elections
http://kathydopp.com/wordpress/?p=174

View some of my research on my SSRN Author page:
http://ssrn.com/author=1451051


