[EM] Is Helios online voting secure?

Jameson Quinn jameson.quinn at gmail.com
Thu Feb 23 06:35:03 PST 2012


Basically, we agree. I am working on Helios not because I think it should
or will be used for public elections, but because I think it can be useful
for private elections, and introduce users to better voting methods. Also,
honestly, the math is fun.

Jameson

2012/2/23 Kathy Dopp <kathy.dopp at gmail.com>

> There are always multiple ways to violate the integrity of secretly
> cast e-ballots.  For instance, even in encryption systems the ballot
> definition files are another point of attack.  The system cannot be
> protected from insiders who program it and administer the system. I.e.
> with voting we cannot have both voter anonymity and verifiable
> security with any e-ballots.
>
> Small coding mistake led to big Internet voting system failure
>
>
> http://www.fiercegovernmentit.com/story/small-coding-mistake-led-big-internet-voting-system-failure/2012-02-22
>
> The main security weakness that let University of Michigan researchers
> take control over a planned city of Washington, D.C. Internet voting
> system pilot for overseas voters in 2010 was "a tiny oversight in a
> single line of code,"
>
>
> On Thu, Feb 23, 2012 at 6:36 AM, Jameson Quinn <jameson.quinn at gmail.com>
> wrote:
> >
> >
> > 2012/2/23 Jameson Quinn <jameson.quinn at gmail.com>
> >>
> >>
> >>
> >> 2012/2/22 Kathy Dopp <kathy.dopp at gmail.com>
> >>>
> >>> Below is a quote from Ben Adida, creator of Helios.
> >>>
> >>>    We now have documented evidence ...that viruses like Stuxnet that
> >>> corrupt nuclear power plants by spreading from one Windows machine to
> >>> the other have been built. And so if you run a very large scale
> >>> election for a president of a G8 country, why wouldn’t we see a
> >>> similar scenario? Certainly, it’s worth just as much money; it’s worth
> >>> just as much strategically. . . . All the verifiability doesn’t change
> >>> the fact that a client side corruption in my browser can flip my vote
> >>> even before it’s encrypted, and if we . . . must have a lot of voters
> >>> verify their process, I think we’re going to lose, because most voters
> >>> don’t quite do that yet.
> >>>
> >>> - Adida, Ben. 2011. Panelist remarks – Internet voting panel.
> >>> EVT/WOTE’11, the Electronic Voting Tech. Workshop / Workshop on
> >>> Trustworthy Elections. Aug. 9, 2011. URL
> >>> http://www.usenix.org/events/evtwote11/stream/benaloh_panel/index.html.
> >>>
> >>> The above quote on Helios was sent to me from Barbara Simons,
> >>> coauthor, with another computer scientist, Doug Jones, of an upcoming
> >>> very well-researched and well-written book: "Broken Ballots: Will Your
> >>> Vote Count?"  The book will be published by April 15th approx.
> >>>
> >>>
> >>>
> >> Yes, I said that: "It is insecure against trojans on the voter's machine
> >> at the time of the initial vote, ... not something I'd trust for public
> >> elections...."
> >>
> >> This actually is not an insurmountable difficulty. There are two ways you
> >> could face it:
> >>
> >> 1. Still using the voter's home machine, you could combine the
> >> cryptography with captchas: the voter would have to match a picture next to
> >> the candidate with a list of pictures in different order in order to
> >> rate/rank that candidate. However, this is inconvenient, and to make it
> >> secure you would need time limits. It also does nothing to address the
> >> digital divide. This latter issue, not security, is the reason I find this
> >> solution unacceptable for political elections.
> >>
> >> 2. You could use secure machines, booted from CD with no hard drive, at
> >> polling stations.
> >
> >
> > Of course, if you're using polling stations anyway, you should be printing
> > hand-marked or at least voter-verified paper ballots and giving
> > cryptographically-verifiable receipts. That is to say, even if you can build
> > a context where Helios is 100% secure (less than one flaw expected in the
> > age of the known universe), there is no good reason not to add other reasons
> > for people to trust the result. The goal of an election is not just to BE
> > secure, but to APPEAR secure, even to people who don't understand or trust
> > mathematical and computational security measures.
> >
> > Jameson
> >
> >>
> >> But yes, I explicitly stated that Helios as-is is NOT secure enough to use
> >> for a high-stakes election with more than around 10K voters.
> >>
> >> Jameson
> >
> >
>
>
>
> --
>
> Kathy Dopp
> http://electionmathematics.org
> Town of Colonie, NY 12304
> "One of the best ways to keep any conversation civil is to support the
> discussion with true facts."
> "Renewable energy is homeland security."
>
> Fundamentals of Verifiable Elections
> http://kathydopp.com/wordpress/?p=174
>
> View some of my research on my SSRN Author page:
> http://ssrn.com/author=1451051
>