Microsoft Proposes Fix For E-Voting Attack 111
Trailrunner7 writes "Microsoft Research has proposed mitigation for a known potential attack against verifiable electronic voting machines that could help prevent insiders from being able to alter votes after the fact. The countermeasure to the 'trash attack' involves adding a cryptographic hash to the receipts that voters receive (PDF). Many verifiable voting systems already include hashes on the receipts, but that hash is typically made from the ballot data for each specific voter. The idea proposed by Microsoft Research involves using a running hash that would add a hash of the previous voter's receipt to each person's receipt, ideally preventing a privileged insider from using discarded receipts to alter votes. The trash attack that the mitigation is designed to address involves election workers or others who might be motivated to change votes gathering discarded receipts and then altering those votes."
Microsoft Research (Score:4, Insightful)
Still, Microsoft is actually one of the only companies that spends billions in research and doesn't just buy start-up companies like Google does.
Re: (Score:3, Insightful)
Re: (Score:2, Insightful)
It's one of the few companies producing scientific research for the sake of research these days.
You misspelled Patents.
Re:Microsoft Research (Score:4, Interesting)
They actually do a lot of great stuff there, which is not too surprising as they have many intelligent people working in Research. Just wish much more of their stuff would see daylight.
Can't say there's much of a market outside of Microsoft for a chair which will bounce.
Re: (Score:2)
Good application for it here though!
Re: (Score:2)
Re: (Score:3)
Hmm...UNIX...the same folks who origionally included the passwords in the passwd file which is readable by all users on the system. It doesn't mean that UNIX is shit. Like everything in the computer world they didn't plan for exploitation and had to learn a valuable lesson before the design was updated (ie. passwords are now stored in the separate 'shadow' file which is not readable by all users).
NTLM was badly designed and was replaced by Kerebos encryption way back in Windows 2000. I think Microsoft might
Re:Microsoft Research (Score:4, Insightful)
And yet windows XP - which is only 10 years old* and still has plenty of marketshare - still runs LM hashes by default, which are /case insensitive/ and in a max of 2 7-char chunks, making cracking trivial if you have access to the hashes.
*the OS is 10 years old. The service packs aren't. They could have fixed the flaw at any point in the past easily enough.
Re: (Score:2)
re: Microsoft original Research (Score:1)
So that's how Microsoft Research developed Android before Google stole it from Microsoft and tried to fob it off on the public as original results, shame on you Google
Re: (Score:1)
Re: (Score:2)
My problem is that I don't really trust my vote to any product. I know that ballots can become obscenely complicated, but paper ballots, in general, are more secure. A system that actually produces a printed receipt, regardless of who manufactures it or produces the software, would seem the appropriate intermediary.
Re: (Score:2)
To me, this is like saying you will only pay for things using paper checks because buying things from websites is insecure. Paper ballots can be lost, stolen, destroyed, or boxes stuffed. Entire boxes are lost sometimes. Polling places run out of ballots in some elections. The fact that specific platforms and software interactions can produce points of vulnerability does not mean paper is more secure. Even when paper is used, counting is arduous and waste is tremendous, to say nothing of the fact that ther
Re: (Score:2)
Some countries, like Canada, have been running paper ballots for decades without any of the substantial problems you invoke. Frankly, I think the fans of electronic voting do everything they can to make paper ballots seem insecure and inaccurate, even as more and more evidence comes to light of how shaky their own systems are.
Huge parts of the world run on paper ballots, and have, for the most part, well-run elections. Let's not overstate the problems here.
Re: (Score:2)
Re: (Score:2)
to say nothing of the fact that there are tens of millions of goobers in this country who can't even figure out how to fill out a paper ballot.
Small wonder when the ballots seem to be designed with malicious intent towards that end.
If you actually hear of people having difficulty figuring out a Canadian style ballot (Hell, my legally blind grandmother voted fine last election), let me know.
Re: (Score:2)
(insert Bill Gates being inexplicably elected President here)
Personally, it has bupkis to do with "votes" these days anyway. You vote for who you're told to; the only real difference is the "D" or "R" on the TV or newspaper tagline next to their names.
Now if you want *real* power to pick who gets elected to a federal office, then go build a huge corporation or a national-sized bank.
(The sad part is, I'm not really trolling...)
Re: (Score:2)
(insert Bill Gates being inexplicably elected President here)
Personally, it has bupkis to do with "votes" these days anyway. You vote for who you're told to; the only real difference is the "D" or "R" on the TV or newspaper tagline next to their names.
Now if you want *real* power to pick who gets elected to a federal office, then go build a huge corporation or a national-sized bank.
(The sad part is, I'm not really trolling...)
Actually, there are about 85% who vote for one side and would never ever vote for the other, and of the remaining 15%, about 14%of them vote based on who's better looking, or who they'd rather have come to their barbecue, not who'd be better at running the country.
Re: (Score:2)
Trouble is, through the choices of others, virtually all information about your life is already living in and being manipulated by microsoft products.
Why not... (Score:1)
Have the stupid voting machine keep track of the original vote, and each subsequent change. I think that would sort out who is cooking the vote as well as preserve integrity.
Re: (Score:2)
That and perma dyeing voters fingers third world style.
Re: (Score:2)
Nope, nope, we can't require finger-identification, there are some people who don't have fingers.
Re: (Score:2)
Re: (Score:2)
Why should someone who assists a disabled person in exercising their democratic right to vote lose that right themselves?
Re: (Score:2)
Re: (Score:2)
Only allowed to assist one person?
You would have to pick a spot to mark the hand less voters. Perhaps an earlobe, it doesn't really matter just so it's something. Plus a third spot for the hand and ear less.
I'm a strong proponent of a paper trail (Score:1)
I even voted "Protest E-vote" in the 2008 election
Re: (Score:1)
What happens locally: We mark paper ballots with a sharpie-like ink pen, coloring in the little bubble. The counting machine devours the ballot, storing it inside and tabulating the vote. Any question about the count, just run all the ballots thru again... simple...
Re: (Score:2)
Provide a paper trail that each voter verifies. You can then count by hand to loosely verify the vote in case of fraud.
I even voted "Protest E-vote" in the 2008 election
Two fold problem with cooking votes - preserve the original vote AND catch who is attempting to change it.
Some solutions don't require software, just good practices, like a written record and independent verification. My signature beside ballot number/receipt is a pretty good plan. Have the people who hand ou the receipts separate from the people who can touch the machines is another good plan. Put them together and you've got a stronger system.
Re: (Score:2)
Except that independent verification can almost always be bought.
vote.exe has caused a system error (Score:2)
Now what do you then the voteing systems goes down and a reboot does not fix it?
but that may wipe out the votes and you can't have (Score:2)
but that may wipe out the votes and you can't have that and after reinstall then you have to load the elections for that poling place.
Re: (Score:2)
A base image is just part of the voteing system each poling place has it's own elections that are not the same at each poling place. And the software should be in a read only rom or flash rom that can't be changed in the field so it's hard for a voter to come in a rig the box.
Re: (Score:2)
I'm sure changing America from a republic to a community democracy will go smoothly.
lets you buy/sell votes (Score:5, Informative)
Any system that shows how you voted after the fact opens up the possibility of purchasing votes.
Re: (Score:1)
... and it just happens to be patented by MS ... ? (Score:2)
Wow, that would be a cash cow! Getting a IP royalty payment for each and every vote cast, in every election!
One down, 99,999 more to go (Score:1)
1% (Score:2)
Won't happen.
There have been many similar proposals made over the years. None of them are implemented, because those who maintain power are apparently happy with the way things are. American democracy is a sham, highly susceptible to fraud, and anyone who makes such observations is dismissed by "serious" journalists and citizens.
I'm very glad MS made this proposal. Kudos to them. What would move me from mild approval to full-fledged fanboyism were they to take this idea and have it implemented universally.
Notary? (Score:2)
The idea proposed by Microsoft Research involves using a running hash that would add a hash of the previous voter's receipt to each person's receipt, ideally preventing a privileged insider from using discarded receipts to alter votes.
Isn't this the ancient notary system? take the previous hash, hash in the new document or a hash of the doc or just its sig or whatever, pub key sign the new hash, publish the new hash (maybe in a classified ad in an old fashioned news paper or something?), repeat...
Also it only works if the voters care, which is pretty unlikely, and it only matters if there is any difference between the two parties, also pretty unlikely. Democracy has failed here. Maybe it would work in a difference country?
That has already been covered and done better... (Score:4, Informative)
This is an old issue and people have done it better for a long time. The vendors (MS included) CHOSE to use half hearted, stupid, and short sighted solution. I saw proposal papers over a decade ago at the ISOC (Internet Society) NDSS conference:
Practical Approach to Anonymity in Large Scale Electronic Voting Schemes
Andrea Rierra and Joan Boerrell
http://www.isoc.org/isoc/conferences/ndss/99/proceedings/papers/riera.pdf [isoc.org]
Start there and get serious.
With Democracy at stake... (Score:2)
... there is absolutely no reason to not count manually, in the presence of observers, and then pool manual counts, in the presence of observers.
Re: (Score:2)
Speed, accuracy, and trustworthiness aren't reasons?
Re: (Score:2)
Lol. Apparently you don't know about the voting fraud of years past.
Read:
http://freepress.org/departments/display/19/2011/4239 [freepress.org]
We didn't have accountability problems like this until electronic voting. I could spoonfeed you more, but I think its clear you need to do some research on your own.
There should be a "recount" just to be sure. (Score:1)
Foolishness (Score:2)
This doesn't work (Score:5, Interesting)
I worked on an electronic voting system a few years back. What I did got accepted for use in a local academic department, and I even gave a WIP on it at a LISA conference once, and then I ran into the constraints of the real world when I tried to build it into something useful for a wider audience. They include the following:
1) You must not provide to a voter any form of receipt that can be used to determine how that voter voted. This is to prevent voter intimidation that has apparently turned into a major issue in places that did not abide by this constraint. If a hash can be used to verify that a vote was correct, it can be used to verify that a vote was what was required. I attempted to get around this by pre-seeding the vote results with a good number of copies of every possible result (which would cancel each other out), so you could take with you a vote receipt matching what you were required to do, but I couldn't come up with a way to make this idea scale, especially when any form of ranked voting was used.
Microsoft could get around this by giving only the hash, and not the vote record, with the receipt, but then you have no way to prove that your vote was recorded the way you input it -- the system could just as well record something else, and give you the hash matching that something else.
2) Even if you don't care about voter intimidation, and you give out receipts, not enough voters care enough to check that their votes were counted or registered correctly for crowdsourced verification to be all that useful. I remember an election irregularity report on one of the very few properly-done electronic voting systems -- backed by a printout under glass that could go either to the permanent record or the wastebin, and the UI directed the voter to carefully compare what was on the screen with the printout before accepting the vote. There was a malfunction at a station where the printer was completely nonfunctional. It wasn't even reported until an absurd amount of time after the poll opened (I can't remember the details, but many hours, and who knows how many voters). The Microsoft technique of using a running hash to prevent insertions, deletions, or alterations to a vote that is known will never be verified is nifty, but the odds are good that none of the votes in the last few hours of the day will ever be verified just because the verification count is so low, so you simply pick a spot and alter thereafter.
3) Even if a voter triggered an irregularity report by noting that the hash didn't match, there is no political will to invalidate an election. Almost no elections go by without irregularities. Some elections go through with absurd irregularities, things that obviously had the potential to change the result, or even things that definitely would have changed the result, and the result is let stand.
Discovery of the above three points made me give up on electronic voting as a solvable problem. The counted ballot has to be on a media not easily tamperable, and it must be independently verifiable by the interested parties, which, taken from a purely historical standpoint, do not appear to include the voters. Microsoft's bright idea (and I will give credit, it's not a bad thought when your only context is "how do I let a small sample detect tampering"), actually exacerbates problem #3 very badly by leading into #4:
4) Elections are expensive. You cannot build a system that lends itself to repeated invalidation. If you could ignore #1 through #3, a straight hash would still be of value, because you would only invalidate if enough people brought back signed hashes that did not match the published counted values, and a few forged receipts would not throw out all of the real resuls. Unfortunately, using a running hash over the course of the entire voting period means that the ability to tamper with a vote early in the day means you can invalidate *every vote that follows*, even if your technique was something that would only normally work on a single vote. This me
Re: (Score:2)
The "do people check to see if their votes were counted" problem could easily be solved by having random people collect some hashes at the end of the day from people on their way out. Add a barcode to the receipt and it would only take a second to scan. I'm sure there are lots of people who would be interested in helping to verify the validity of an election.
No system is going to be guaranteed (Score:2)
until you take people out of the equation.
I don't care what system you choose, I can have all the receipts I want in any form I want, when I get home I have no more proof my vote even mattered as I have no guarantee that another vote or votes were not fraudulent.
So not only present a receipt that cannot be used to intimidate (why I really dislike all attempts to make union acceptance votes open in the US - card check) while assuring those who are voting that their vote doesn't get wasted by fraudulent votes
Re: (Score:2)
You're mistaken about "card check" legislation. It does not require elections to be open, it allows unions to be formed by merely signing up the required number of people. Unions are also free to hold secret ballot elections (which are just harder to do, generally because of intimidation by the boss).
Cards (Score:2)
There is a much better fix to this problem. It is called getting rid of electronic voting machines and going back to the cardboard punch cards. They were cheap, fast, easy to use, worked fine, 100% auditable, and are tamper-proof. Plus, they were guaranteed to be anonymous, which is NOT the case with the machines installed a few years ago in my state.
Some things are just NOT better with so-called "advanced" automation. They were trying to solve a problem that didn't exist by spending TONS of taxpayer mo
Re: (Score:1)
Re: (Score:2)
I think that was just a blown-up nothing story just from Florida. We had used that system in my state for many, many, many years without any such stories or issues,
But good dare :)
Re: (Score:1)
Re: (Score:2)
Punch cards are pretty much as bad as e-Voting. At the end of the day the vote counting is done by a machine, not by hand - so all you need to do is compromise the machine.
The Australian electoral system is 100% hand-counted, with machine verification. The problem with any automated system is that it magnifies the effect of any one bad actor.
Re: (Score:2)
The public has no access to "hack" the machine that is used... they simply insert their card. It is much, much MUCH better and safer than electronic voting machines. NO system is completely uncorruptable. But on a grade scale I would give "E-voting" machines an F and punch cards a B.
Bitcoin (Score:2)
Hash chain.
Just like Bitcoin.
Re: (Score:3)
CBC anyone? (Score:2)
Granted, in standard /. poster style, I didn't bother reading the FA but this sounds like cipher-block chaining [wikipedia.org] which has been part of modern crypto systems since forever; why has it taken until 2011 for someone to apply it to e-voting?
fail: what would you do about it? (Score:1)
Re: (Score:2)
Except for the issue that in that time it's highly probable whoever did it is outed, and their fiscal connections identified?
Re: (Score:2)
Give Up and Go Back to Ballot Boxes (Score:1)
I propose that, for the people to trust their democracy, they must be able to understand all aspects of the voting system. This rules out pretty well all automated systems, especially computers with cryptography and hashes. Just go back to people writing on paper and ballot boxes.
Sure counting the ballots by hand is expensive but it's tiny compared to the cost of travel and time for the voters. The risk of serious, undetected fixing of results can't be eliminated with automated systems.
Because we all know (Score:2)
E-voting is a terrible idea (Score:2)
In the entire history of computing, there has never been a computer system that has resisted a resourceful and well-financed attacker. Heck, 99.9% of computer systems fall to modestly-funded hobbyists.
Considering that it costs over $1billion to elect a president of the United States, I can see someone spending $300 million to crack an e-voting system and considering it a bargain.
Here in Canada, we use paper ballots. There has never to my knowledge been a federal election with any serious allegation of fra
Really bad idea..... (Score:2)
More headlines... (Score:1)
I had to smile reading the headline.
Comp.Risk has been Paul Revering computer election fraud warnings
for over a decade, nobody seems to care.
It's been proved many times that elections can be swung one
way or the other. Computer voting has made it so very easy.
Yet all we get is more headlines.
Was talking about voter fraud with a friend, and how Obama didn't stand a chance
when he took office as it was all coming down and he was in the way.
He mentioned "while trying not to sound of conspiracy", it's entirely
pos
Paper Ballots only possible clean voting answer. (Score:2)
Paper Ballots is the only voting system that could be made uncorruptible.
EU (Score:2)
Everyone advocating any sort of e-voting or use of electronic machines have agendas - none of which are related to free and fair elections.
Paper (Score:1)