[EL] The $45M Heist from NYC ATMs - Hall
Jack Cushman
jcushman at gmail.com
Thu May 16 08:06:35 PDT 2013
>
> Over the past few years nearly 100 trials of Internet voting have been
> conducted w/o any reports of security breaches. ...
>
> Here is a testable hypothesis: the ones who have actually built successful
> Internet voting systems believe it can be done; while the ones w/o such
> experience are positive it can’t be done.
This line of argument -- that internet voting has been successfully
conducted in the past without reports of security breaches, and therefore
"can be done" -- is not really responsive to the security concerns around
internet voting. No one doubts that internet voting *can* be conducted in a
*particular* election without a security breach in fact occurring. The
technology for asking computer users their opinion and then recording that
opinion on a large scale is well-understood. *See, e.g.,* [image: Inline image 1]
The pessimists' claim, instead, is: internet voting cannot be conducted
such that it is possible to prove in advance that a security breach is
impossible, or that it is possible to prove afterward whether one has
occurred. In order to rebut this claim, you need to show that internet
voting can be conducted in a mathematically secure way even assuming your
adversary controls both the client computer and the server.
This is because of a number of well-understood and intractable problems in
computer security which make it impossible to assume you have either a
secure client computer or a secure server. For example:
1) Local infections. In the United States, approximately 30% of computers
are infected with
malware <http://www.infoworld.com/t/cyber-crime/malware-infects-30-percent-of-computers-in-us-199598>.
Numbers are similar worldwide. If malware is running on your local
computer, the *only* way you can be confident that your vote was not
intercepted and modified is if your vote is independently communicated back
to you on a different device; you cannot trust anything you see on your
screen. So at a minimum, the nearly 100 tests you are referring to above
contained only 70% reliable votes; the others could have been cast by
botnet owners, most likely Russian organized crime. You have no way of
knowing whether or not that in fact occurred; you must simply rely on the
(reasonable in this case) hope that Russian organized crime had no
incentive to interfere with the elections where internet voting was used.
2) Zero-day exploits. Any remote voting scheme will rely on a stack of
technologies, such as SSL encryption between the browser and server, a web
server like Apache, a server-side programming language like (but hopefully
not) PHP, a database like (but probably not) MySQL, etc. The ones I
mentioned are interesting because they have been used for many years on
millions of computers handling important jobs or lots of money. And
each <http://www.informationweek.com/security/vulnerabilities/serious-ssl-vulnerability-found/221600478> of
them <http://www.cvedetails.com/cve/CVE-2010-0425/> has
had <http://www.cvedetails.com/cve/CVE-2012-1823> vulnerabilities
discovered <http://www.securiteam.com/exploits/5AP3G0K8VU.html> in the last
few years that would allow for an attacker to subtly modify votes, either
by interfering with messages in transit, or by remote code execution to
modify requests and responses on the server. A well-designed system will
include some redundancy of course, but its security claims will ultimately
come down to "this works assuming SSL is secure and assuming Apache is
secure" and so on. The assumption of security regarding technologies of
that complexity has been *uniformly* proved false.
"Sure," you say, "but our system will be run by experts who ensure the
latest security updates are applied. What is the likelihood that some
hacker has access to an Apache vulnerability no one else knows about yet?"
And it turns out the likelihood is rather good, because there is a gray
market selling that kind of exploit to governments around the
world <http://www.slate.com/articles/technology/future_tense/2013/01/zero_day_exploits_should_the_hacker_gray_market_be_regulated.html>,
with a premium on exclusivity.
3) Targeted attacks on individuals. Targeted hacking attacks can be
incredibly sophisticated -- such as the high-profile one last
August <http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/> where
hackers combined weaknesses in Amazon and Apple's security processes
to gain access to a Google email account for the pressing purpose of
posting racist messages on the owner's Twitter. Another example is Chinese
spear phishing attacks -- this first-person account by a nonprofit working
on Taiwan issues in Washington,
DC <http://www.lottaworld.com/2009/04/ghostnet-social-malware-spear-phishing-and-social-engineerin>,
which had fake emails sent out under its name that were tailored to the
sender, but that actually contained malware, is fascinating. It is simply
unrealistic for anyone, including a security expert, to assume that they
can protect their own computer from a concerted effort by people *pretending
to be their friends and colleagues* to break in. So it is also unreasonable
to assume that the computers of the programmers and system administrators
running voting systems will be uncompromised.
4) Hardware attacks. Like, I don't know, back doors added to microchips by
overseas manufacturers <http://www.schneier.com/blog/archives/2012/05/backdoor_found.html>.
This gets into the realm of paranoia, but we're only talking about a few
machines that need to be compromised at the hardware level, so there are
plausible physical attacks here.
I am not aware of a way to prove, for a particular system, either in
advance that none of these attacks are possible, or afterward that none of
them has occurred.
--
OK so: all of this is getting at the fundamental weakness that internet
voting rests the entire outcome of your election on a few hundred physical
devices running astronomically complex software and, by definition,
accessible from anywhere in the world. In order to be comfortable with that
situation, you need a protocol where: (1) you assume that users' computers
are compromised by malware; (2) you assume that communications between
those computers and the servers may be modified in transit; (3) you assume
that the server software is vulnerable to zero-day remote code execution
exploits; (4) you assume that the administrators of the system themselves
may be using compromised computers; and (5) you assume that the hardware
itself may be vulnerable to sabotage. And then you need to clearly explain
how the system will work so that *even if all of those things are true*, we
are still quite confident that the resulting election is no less inaccurate
than it is with current technology.
Of course people are working on that -- there are a bunch of interesting
cryptographic systems <http://uwspace.uwaterloo.ca/bitstream/10012/5992/1/Clark_Jeremy.pdf> that
might allow sophisticated voters to verify that their vote was not
corrupted on the server, without verifying what it was. And there are some
systems <http://www.infsec.ethz.ch/people/michschl/material/icegov2012.pdf> that
might even allow voters to confidently vote without trusting their own
computers -- although they seem to rely on users going through ridiculous
gyrations to vote, or else typing in secret numbers communicated to them by
some separate trustworthy channel, such as mail or a phone system. These
systems have downsides, but would at least allow us to know after the fact
that tampering had occurred, so we could hold a new election.
If what you're actually saying is: don't worry about online security,
because I have an online voting system that is affordable, user-friendly,
and cryptographically secure over untrusted platforms while remaining an
improvement over existing voting methods, then that's interesting. If what
you're saying is that you don't need to solve that problem, because teams
of computer experts have successfully collected votes from small groups of
people in the past without being aware of any security breaches, that
doesn't get you very far.
Best,
Jack
On Wed, May 15, 2013 at 3:47 PM, wjk <wjkellpro at aol.com> wrote:
> Reply to Joe Hall’s comment, "David [Jefferson] speaks for an
> overwhelming consensus of the technical community with expertise in voting
> technology."
> One of my main criticisms of the anti-Internet voting activists is that
> they are extraordinarily flippant about making assertions that appear to be
> empirically accurate, but which lack any factual basis. Joe gives us his
> personal assurances that “David speaks for an overwhelming consensus of the
> technical community with expertise in voting technology.”
> Got facts, Joe? I do. Over the past few years nearly 100 trials of
> Internet voting have been conducted w/o any reports of security breaches.
> These trials have been conducted all over the world. This includes: nearly
> a dozen cities in Canada; Cantons in Switzerland; Norway; New South Wales,
> Australia; Gujarat, the largest state in India; and, West Virginia in the
> 2010 primary and general election. Secretary of State Natalie Tennant
> continues to advocate for Internet voting (see
> http://www.govtech.com/e-government/Making-the-Case-for-Online-Voting.html)
> In 2000, the US Department of Defense used Internet voting for some
> overseas military in a test of concept trial. In that year, the Republican
> Party in Alaska offered Internet voting for its Presidential Straw Poll,
> and the Democratic Party used it for its Primary. The Democratic Party used
> it in Michigan in 2004. SERVE had a big team of experts.
>
> In each case of Internet voting, there has been a team of technical
> experts in voting technology working on the project. That means scores
> of experts internationally.
> These professionals most assuredly do NOT share the views of Mr. Jefferson
> or of that fabricated “consensus of the technical community with expertise
> in voting technology.”
> Also, who does Joe include in his “technical community,” and what does Joe
> mean by “expertise in voting technology”? I’ll bet a dime that none of
> the anti-Internet voting members of his “consensus” have actual experience
> constructing successful Internet voting systems, including Joe and Mr.
> Jefferson. Can academics with no hands-on practical experience claim the
> same “expertise” as the technicians who have constructed successful
> systems? Or, are the former mere armchair critics and Monday morning
> quarterbacks?
> Much ado is made of a hack of the Internet voting system in Washington, DC
> in 2010. But that was not during an election. It happened the first time
> the system was tested. It was not built by professionals with prior
> experience, but by amateurs trying their luck for the first time. Surely
> there are differences in levels of expertise.
> Here is a testable hypothesis: the ones who have actually built successful
> Internet voting systems believe it can be done; while the ones w/o such
> experience are positive it can’t be done.
> William J. Kelleher, Ph.D.
> Political Scientist, author, speaker,
> CEO for The Internet Voting Research and Education Fund
> Email: Internetvoting at gmail.com
> http://tinyurl.com/IntV-Now
> Blog: http://tinyurl.com/IV4All
> Twitter: wjkno1
> LinkedIn: www.linkedin.com/pub/william-j-kelleher-ph-d/9/466/687/
> Author of Internet Voting Now!
>
> Message: 32
> Date: Wed, 15 May 2013 14:10:25 -0400
> From: Joseph Lorenzo Hall <joehall at gmail.com>
> Subject: Re: [EL] The $45M Hiest (sic) from NYC ATMs
> To: David Jefferson <d_jefferson at yahoo.com>
> Cc: "law-election at department-lists.uci.edu"
>
> I'm not sure I need to say this but I will: David speaks for an
> overwhelming consensus of the technical community with expertise in
> voting technology. best, Joe
> _______________________________________________
> Law-election mailing list
> Law-election at department-lists.uci.edu
> http://department-lists.uci.edu/mailman/listinfo/law-election
>
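Point (1) above (the vote must be confirmed back to the voter through a channel the infected PC does not control) and the later remark about "secret numbers communicated to them by some separate trustworthy channel, such as mail" describe a code-voting protocol. The following Python sketch is an added example, not code from Jack's message or from any deployed voting system: the candidate names, the HMAC-derived return codes, the 4-byte voting codes and the malware model are all constructed assumptions chosen to show why a PC that cannot read the mailed code sheet cannot silently change the vote.

```python
import hashlib, hmac, secrets
CANDIDATES = ["Alice", "Bob", "Carol"]   # constructed sample ballot

def return_code(key: bytes, voter_id: str, candidate: str) -> str:
    """Code bound to (voter, candidate) under a key the voter's PC never holds."""
    msg = f"{voter_id}|{candidate}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]

def issue_code_sheet(key: bytes, voter_id: str):
    """Authority: random voting code per candidate -> (mailed sheet, server lookup)."""
    sheet, lookup = {}, {}
    for cand in CANDIDATES:
        vcode = secrets.token_hex(4)
        sheet[cand] = (vcode, return_code(key, voter_id, cand))
        lookup[vcode] = cand
    return sheet, lookup

class VotingServer:
    def __init__(self, key: bytes):
        self.key, self.lookup, self.voted = key, {}, set()
        self.tally = {c: 0 for c in CANDIDATES}

    def cast(self, voter_id: str, vcode: str):
        """Record a vote only for a code on that voter's own sheet."""
        cand = self.lookup.get(voter_id, {}).get(vcode)
        if cand is None or voter_id in self.voted:
            return None              # unknown code or repeat: nothing recorded
        self.voted.add(voter_id)
        self.tally[cand] += 1
        return return_code(self.key, voter_id, cand)

def vote(server, voter_id, sheet, choice, client):
    """Voter types the code for `choice` into `client` (the PC); True only if the return code shown back matches the mailed sheet."""
    vcode, expected = sheet[choice]
    return server.cast(voter_id, client(vcode)) == expected

honest_client = lambda vcode: vcode
# Constructed malware: it sees the typed code but not the mailed sheet, so
# the only way to change the vote is to substitute a guessed code.
malware_client = lambda vcode: secrets.token_hex(4)

def demo():
    key = secrets.token_bytes(32)
    server = VotingServer(key)
    outcome = {}
    for voter_id, client in (("v1", honest_client), ("v2", malware_client)):
        sheet, server.lookup[voter_id] = issue_code_sheet(key, voter_id)
        outcome[voter_id] = vote(server, voter_id, sheet, "Alice", client)
    return outcome, server.tally
```

The sketch covers only the integrity check a voter can make from an untrusted PC (a wrong or missing return code is the evidence of tampering that lets the election be rerun); ballot secrecy, a compromised server and a tampered mail channel are outside what it models.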