There are many ways. I'll start with the actual voting part. Several proposals are listed here: https://crypto.stanford.edu/pbc/notes/crypto/voting.html.
But as an example: we could generate a cryptographic key for each voter. The voter gets a private key that can only encrypt, the government keeps a public key that can decrypt it. This key would not be tied to the voter beyond initial generation. The voter uses the key to encrypt or sign some identifier that identifies the candidate. After the election, all the votes are decrypted and tabulated. The authority can ensure any votes with that key after the first one are discarded. As a result, we have all the votes, don't know who voted for whom, and can ensure that each key capable of voting was only handed to eligible voters. The private keys can be destroyed after the election, ensuring that anonymity remains long after the election. There are many other options apart from this. I just came up with this one on the spot. It is absolutely doable. Using modern cryptography we can ensure that the electronic votes are unforgeable, anonymous, and publicly vettable. As good as, if not better than, paper voting. In practice we would probably provide voting machines for people to use, providing them with perhaps a smart card containing their key.
It could also be done online with people's home computers. People can't be trusted to have a secure computer of course, but it could be done in theory. Perhaps you could provide a secure USB stick that enables you to boot into a secure environment on the home computer, using an internal physical tamperproof chip that contains the required cryptographic key to establish a secure authenticated connection to the voting server. Then we can make the home computer secure for the purpose of voting.
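One concrete instance of the key-per-voter scheme sketched above, as an added example that is not from the thread or any of its posters: Ed25519 signing keys stand in for the poster's "key that can only encrypt", the authority stores only the set of issued public keys (never which voter holds which), and the tally rejects any ballot from an unissued key, any ballot whose signature does not verify, and every ballot after the first from the same key. The candidate identifiers and ballots are constructed for the example.

```go
package main
import "crypto/ed25519"
import "crypto/rand"
import "fmt"
// Ballot is what a voter submits: a candidate identifier signed with the voter's issued key.
type Ballot struct {
	Candidate string
	PubKey    ed25519.PublicKey
	Sig       []byte
}

// IssueKeys makes one keypair per eligible voter; the authority keeps only the public keys.
func IssueKeys(n int) (privs []ed25519.PrivateKey, issued map[string]bool) {
	issued = map[string]bool{}
	for i := 0; i < n; i++ {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err) // CSPRNG failure: no keys can be issued
		}
		privs = append(privs, priv)
		issued[string(pub)] = true // set membership only; no link to a person is stored
	}
	return
}

// CastVote signs the candidate identifier with the voter's private key.
func CastVote(priv ed25519.PrivateKey, candidate string) Ballot {
	pub := priv.Public().(ed25519.PublicKey)
	return Ballot{candidate, pub, ed25519.Sign(priv, []byte(candidate))}
}

// Tally counts a ballot only if its key was issued, its signature verifies and the key is unused.
func Tally(ballots []Ballot, issued map[string]bool) (map[string]int, int) {
	counts, seen, rejected := map[string]int{}, map[string]bool{}, 0
	for _, b := range ballots {
		k := string(b.PubKey)
		if !issued[k] || seen[k] || !ed25519.Verify(b.PubKey, []byte(b.Candidate), b.Sig) {
			rejected++ // unissued key, repeat vote, or forged/altered ballot
			continue
		}
		seen[k] = true
		counts[b.Candidate]++
	}
	return counts, rejected
}

func main() {
	privs, issued := IssueKeys(3)
	ballots := []Ballot{CastVote(privs[0], "alice"), CastVote(privs[1], "bob"), CastVote(privs[0], "bob")} // third reuses privs[0]: discarded
	fmt.Println(Tally(ballots, issued))
}
```

Anyone holding the issued public-key set can rerun Tally over the published ballots, which is where the "publicly vettable" property comes from; the unlinkability rests entirely on the issuer not recording who received which key.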
Sort of like a Clipper chip? That worked out well. As soon as it goes tamperproof (which of course isn't "tamper proof," estimates in 1994 of what it would take to reverse one were in the $100,000-$1 million range), out with tamperproof goes verifiability. As I said before, then nationwide PKI is troubling; the user should be able to generate his own key, but protocols allowing that don't scale if they allow for any sort of verification of eligibility and don't do well with eliminating the problem of dual-voting. A lot of very clever protocols have been invented, but the really clever ones, the ones that come close to solving all of the desiderata, don't scale.
I agree with SKL in that for that last part, we would likely want to custom design an open source environment for such a live USB key. We could take advantage of the ubiquity of TPMs and secure booting to further improve security. There are other options too.
As for SKL's concerns regarding public operating systems, I think they're unfounded. A fully locked down and secured environment of, say, OpenBSD or SELinux perhaps, with all unnecessary packages removed, should be perfectly safe. The main threat is external attacks, and given most people are behind NATs and after closing down all inbound ports, with the OpenBSD or SELinux kernel there's no way someone is breaking in. And the certificates would prevent all but the most basic connections from even being established with the remote server in the event of a man in the middle attack, and even that's unlikely to begin with given the number of voters. Nevertheless this only applies with the hypothetical online voting. If we keep doing it at polling booths we can lock it down even more.
The problem is even though all this technology exists, we repeatedly fail to use it properly. Again and again giant companies and governments don't just make extremely small obscure oversights creating vectors of attack. Most of the big public hacks we hear about, when we learn how it happened, turn out to be amateur hour across the board.
It is exceedingly rare that I hear about big public hacks that don't turn out to have been caused by astonishingly poor design. It's kinda sad, so rare is it that something truly impressive, like say Stuxnet, is the cause.
Everything I've said is just the beginning; there are lots of other, I'm sure even better, approaches. It's been a while but I've seen some very secure solutions for cryptographic voting.
If you wanna encrypt stuff securely, ditch the 386, set up a locked down OpenBSD or similar setup: root access disabled at kernel level while booted, locked down kernel, chrooted user environment. Perhaps an IDS. Keep it offline, store it on a live CD or something. Ditch the ancient Linux distro. You can probably root it in 5 seconds with one of the old kernel vulnerabilities like the ptrace syscall vulnerability from a decade ago.
It could be the 386 running Linux, it could be something equally antiquated; another architecture than Intel is actually probably preferable, running something custom made that I could quite easily hack up in assembly language and C on bare metal in a few days of sustained work and then months of debugging; the point is for it to be small and easily understood to lower the attack space, and for it to be airgapped and to both take in and receive read-only memory. The rest doesn't really matter. MS-DOS is fine too. A $20 Raspberry Pi, which I think is open hardware too, is fine. I would be absolutely fine with a 386 or even worse running DOS (i.e. bare metal with some built in calls and hooks, which might actually be better than Linux in this case) for the purposes of doing any encryption, as long as I could read and burn CDs, or otherwise securely and unidirectionally transfer information (although interpreting this information once in unsafe space again is a problem.) I'm primarily just talking about airgapping, and also on the fact that old systems are reliable and well-known (hence the example of old, elegantly-designed guns with few moving parts; you could add the 1911) whereas systems we have these days are so complex and layered nobody really understands them and all the layers; let alone once you connect them to the Internet (even with whatever firewalls, proxies, etc. or other measures you can imagine.) This is the sort of thing that I would use if I was involved in serious criminal or political activity, and the absolute minimum of what I'd want to see in terms of securing voting machines. I consider voting from home to be impossible to secure and also extremely undesirable as it makes voting easier.
Yes we want a secure and locked down OS, one well vetted like OpenBSD or SELinux which is made for the purpose. But our main concern is often remote code execution vulnerabilities, and once you close down all remote port access, put in shit like address space randomization, disable execution in writable memory pages, etc., it's effectively impossible for someone to break in. I invite you to find an instance where such a set up has been defeated remotely because of a problem in the code rather than a user error. And as for user errors like social engineering, that's why we would set it up so the user can't modify it or do anything with it except vote. As unlikely as it would be given we are trying to stop people impersonating other voters, we would probably set it up so that it disables hardware like PC Card, FireWire, and similar DMA capable attack vectors.
It can be done. We would make it open source and invite people and offer a sizeable cash reward for anyone who can break it long before we ever use it.
Most of this goes without saying and should be a prerequisite for any trusted system. But you're still talking about a system that is not airgapped, which is inherently untrustworthy for sensitive functions. You're talking about something that I might feel is reliable for digital banking or even, maybe, for information on internet-mediated drug sales on a relatively small scale (say, ~$100-250,000/year, enough to be pissing in the ocean as far as LE with serious resources is willing to go.) Osama bin Laden did quite well with airgapped communications, up until, as you go on to say, he was ultimately defeated by social engineering and the synthesis of a bunch of different streams of intelligence, and probably a lot of machinations within the Pakistani government and their not-always-aligned intelligence apparatus and between theirs and ours, that we aren't now, may never, or won't for a long time be privy to.
As for "every significant hack these days": most are social engineering or the retarded "secret question" approach. Most of the rest are boneheaded amateur mistakes like poor input sanitization enabling SQL injection or the like. Very very very very VERY few have been done by any truly impressive method. And virtually none where the approaches I've mentioned have been properly put in place. And that's with a complex website setup usually. In this case we are talking about a fairly simple server for vote lodgement. No website needed at all. Just a basic SSL enabled server that the voting software can talk to. I wouldn't do it with a web server. Too many unknowns in a remotely accessible port. Not a risk we need to take. Especially given we would be having the voters use a live environment where we can give them a custom voting interface that just collects the vote and lodges it with the server. The server would have no open ports except for the voting server and for extra peace of mind would be firewalled off. Just for extra over the top levels of certainty.
I think I put the clause in the wrong place in "every significant hack these days," because I'm more or less agreeing with you, I'm saying nobody attacks cryptography or protocols head on (unless there ends up being a significant vulnerability in them, like WEP), most everything else is executing dumb exploits.
But if voting were to be done over the wire, and yes, thank God you're not talking about a web server, we use them for way too much (remember the original online banking systems which were actually more or less built up from the ground up, or at least coded from the ground up? Few people will, they didn't see a lot of use, because they were too hard. They kept waiting in line and balancing their checkbooks. Eventually the bankers did some cost/benefit analysis and realized that maybe online banking as, more or less, we have it now wouldn't be so bad, and even handling of quite large, e.g. trading portfolios, and it's, effectively, not, see below. One thing it did do is put a bunch of people out of work, but computers did that in general, and that was pretty much inevitable, so I can't really lay that one at their feet except that they were thinking economics over the security of the traditional way of doing this. Although, to tell the truth, in terms of physical security, online banking has probably mitigated some risks; why don't you really hear about bank robbing much anymore? It's definitely still going on. But in almost every case, the take is pissant stuff, >$10k; the smart money in strong-arming is in robbing small pharmacies but then you have to take a dual-proficiency in drug dealing like half this forum, or, for the more skilled professional thief, high end jewelry stores and such. Who often don't like to advertise the fact and are well insured. No, none of this is like in the movies, just like hacking, of banks or anything else, is.)
But the very idea of voting from home over the Internet is a terrifying one. Everything I was writing about was about voting machines.
On two accounts; (1)—it will mean that no election, ever, can be trusted again; and (2)—it will mean that more people will vote, just like more people started banking online; I outlined in my previous lengthy post about why this is bad.
Computer security is well beyond the needs of the voters. There will be a small percentage of vocal individuals that won't like it and we will spend billions on wasted studies that any high school student could write up the results for in 5 minutes.
If you have this little knowledge of the highly academic, rigorous nature of proven, verifiable computer systems ...
We bank with phones, computers and tablets and if asked which is more important to me to be secure I would say banking over voting. Hackers that are allegedly going to jump through hoops to steal my vote or make fake votes should probably invest their skills in hacking banks; just a guess, but if these people are so prevalent why is our financial world so secure? The logic just falls to the floor on why voting, which is of no value to 50% of the population, has to be more secure than money.
... and this little knowledge of the actual attack vectors (i.e. the low hanging fruit and the stuff that's not going to attract nation state-actor level attention) that are used to actually steal money, then I hope that you're not my banker, or at least one of my bank's IT people.
The voter apathy we are experiencing is a sign of the health of our current political system. I spend nearly 50% of my labour to support these people running my country. Each year they claim, due to increasing complexity, they need more. It's gone well past the point of my being a fool to allow it to continue. Starting with new voting methods is just a step in the direction of a very long road.
You're completely on point except for the mistake in cause and correlation. Voter apathy may indeed be correlated with the health of our political system, but how getting apathetic voters to vote on things and people they neither know nor understand is supposed to make things better I do not understand.
I wrote a long post about this the substance of which nobody's really responded to except to take something out of context about the campaigning-Obama versus governing-Obama's complete lack of charisma, and the falseness of it in the first place (which I think is evident to anyone who watches the news; sj, when's the last time you heard the man speak? He's among the most arrogant, smug, condescending bastards the entire political world has produced in my lifetime) taken out of context to call me racist.
Seeing voter apathy as the problem is just a scapegoat for the fundamental problems of our political and economic situation.
If voting is important, it would warrant the highest level of security, yes?
As someone said, voting is so important, it shouldn't be entrusted to the voters. They were being ironic, I think, but it's a point worth taking: if you're talking about good governance, adding more votes to the equation is unlikely to get you there unless you believe in some pretty antique 18th century ideals that were proven wrong quite conclusively by the end of the 19th and dead and buried by the 20th, although we still wage war in the name of this toxic doctrine we call "democracy," people still celebrate it and we teach our kids it's the foundation of freedom, maybe best of all it's a source of great entertainment every few years.
Voting isn't important. In fact, for the purposes of good government and such, it's probably a net negative as it deceives a large number of politically engaged voters into believing that they're doing something. Making voting easier will only hasten the transition to the Kardashian administration.