Why Is Election Security So Hard? (Paranoia 2019)

What makes the domain and requirements of elections so difficult to solve with computers? In this talk we will go through a lot of the requirements of an election and what motivates them, and show how computers surprisingly often introduce more vulnerabilities than they solve when applied to elections.

  1. TurtleSec @pati_gallardo
  2. The Turtle vs The Hare
  3. The Turtle: 63.1%, The Hare: 36.9%
  4. Who can you trust? Who feeds you the data?
  5. Why Is Election Security So Hard? Paranoia 2019, Patricia Aas, TurtleSec
  6. Patricia Aas - Trainer & Consultant
      - C++ Programmer, Application Security
      - Currently: TurtleSec
      - Previously: Vivaldi, Cisco Systems, Knowit, Opera Software
      - Master in Computer Science
      - Pronouns: she/her
  8. Complex?
  9. Is the Norwegian Election System complex?
  10. No, not really.
  11. “The testing is performed using a prototype implementation in Java. Though the implementation does not take into consideration security and anonymity concerns, it is a full implementation of the Electoral System.”
      Evaluating the suitability of EML 4.0 for the Norwegian Electoral System: A prototype approach, Patricia Aas, Master's Thesis, UiO, 2005, https://www.duo.uio.no/handle/10852/9298
  12. What are these “security and anonymity concerns”?
  13. It’s complicated.
  14. What are we protecting?
  15. Worst Case Scenario: An accepted, but manipulated, Election Result
  16. What is the Election Result?
  17. The Election Result is the distribution of the mandates
  18. An Election doesn’t have to be flawless as long as the Election Result is correct
  19. What is the Threat Model?
  20. What are you afraid of?
  21. - Adding ballots
      - Removing ballots
      - Changing ballots
      - Reporting wrong counts
  22. At its most extreme: Preventing a coup. Keeping a democracy.
  23. Who are the Threat Actors in Elections?
  24. The most likely Threat Actor, historically and internationally, is the sitting (local) government
  25. Others include: foreign governments, private companies, terrorists, activists, lone wolves
  26. The most likely Threat Actor in an election is the sitting government
  27. The same government running the election
  28. Two “acceptable” outcomes
      1. A correct election
      2. Prevented a rigged election (hopefully correctable)¹
      ¹ How feasible is a new election?
  29. What about Anonymity?
  30. How does a secret ballot play into elections?
  31. True democracy requires the freedom to vote your conscience
  32. #goals
      - Prevent coercion
      - Prevent vote selling
      - Prevent persecution, now or in the future
  33. No. The answer is not blockchain
  34. Why?
  35. To prevent persecution: you don’t want to connect a vote to a person
  36. To prevent coercion and vote selling: you don’t want a person to be able to prove what they voted
  37. And what put that vote on the blockchain? Who’s in charge of that? How about chain of custody?
  38. Man vs Machine
  39. What? You hate computers?
  40. Nah. I love computers. But manual elections are hard to beat. They’re just that good.
  41. Isn’t manual counting slow?
  42. Surprisingly, no. It’s massively distributed.
  43. Isn’t manual counting error prone?
  44. Yes. And no. It’s complicated.
  45. Norwegian risk model for ballot counting errors: Manual vs Machine
  46. Evaluating severity
      1. Can it affect the Election Result?
      2. Can it go undetected?
      3. Can it discredit the Election Result?
      4. Can it create more work?
  47. Evaluating likelihood
      1. Historically, how common is it?
      2. Is there a known threat?
  48. Risk diagram: Counting Errors (no Machine Count Audit)
      [Diagram: Likelihood vs Severity, plotting Innocent manual, Innocent machine, Premeditated manual, Premeditated machine]

      Likelihood     Innocent       Premeditated
      Manual         High           Low
      Machine        Low-Medium¹    Low

      Severity       Innocent       Premeditated
      Manual         Low²           Medium³
      Machine        Medium-High    High

      ¹ Bugs: has happened many times IRL
      ² Distributed proportionally across the parties
      ³ Will almost certainly be detected, but casts doubt, and the ballots are compromised
  49. What is the alternative?
  50. Manual elections?
  51. Software independence¹
      ¹ Ron Rivest (the R in RSA) and John P. Wack (NIST)
  52. “A voting system is software-independent if an undetected change or error in its software cannot cause an undetectable change or error in an election outcome”
      On the notion of “software-independence” in voting systems, http://people.csail.mit.edu/rivest/RivestWack-OnTheNotionOfSoftwareIndependenceInVotingSystems.pdf
  53. Auditability
  54. “Verify the election results, not the voting system”
      Rivest & Wack, On the notion of “software-independence” in voting systems
  55. What is a “manual” election?
      - Paper ballots
      - Manual count¹
      ¹ Keep computers for all parts that are auditable
  56. Auditable elections
      - Paper ballots
      - Manual audit
  57. Risk diagram: Counting Errors (with Machine Count Audit)
      [Diagram: Likelihood vs Severity, plotting Innocent manual, Innocent machine, Premeditated manual, Premeditated machine]
      An Audit will reveal
      - Bugs
      - Manipulations
  58. What is an auditable election?
  59. Implementation
  60. Norway 2019: Manual preliminary count¹
      ¹ Ask me about this process sometime ;)
  61. Norway has two counts: Preliminary and Final. Results can be compared.
  62. Goal for many US researchers: Risk-Limiting Audits
  63. What’s a Risk-Limiting Audit? A statistical model for manual ballot sampling
  64. “The Norwegian electoral system: a study of EVA Skanning, implemented error detection mechanisms, and applicability of risk-limiting audits”
      Vilde Elise Samnøy Amundsen, Master's Thesis, NTNU, 2019. Thesis Advisor: Patricia Aas. http://www.valgforum.no/wp-content/uploads/2019/02/Masteroppgave-Vilde-Amundsen.pdf
  65. What was the problem in Norway?
  66. No audit.
  67. Paper ballots are not enough. There has to be an audit, performed by regular folks.
  68. Manually counted elections have a built-in audit: People.
  69. Manually counted elections can also be rigged. But everyone knows they are.
  70. If an election is rigged and nobody knows, do you have a democracy?
  71. No. You’ve had a coup. And you don’t even know it.
  73. Best way to rig an election? Internet voting.
  74. Thank you!
  75. Resources
      - Høringssvar (consultation response), Patricia Aas, TurtleSec, https://elections.no/2018/12/13/hoeringssvar_turtlesec.html
      - “Election Cybersecurity Progress Report”, Professor J. Alex Halderman (University of Michigan), https://youtu.be/U-184ssFce4
      - “Electronic Voting In 2018: Threat Or Menace”, Professor Matt Blaze, Joe Hall, Margaret MacAlpine, and Harri Hursti, https://youtu.be/Lo3iibtVh6M
      - “Testimony of Prof. Matt Blaze”, Professor Matt Blaze (University of Pennsylvania), https://oversight.house.gov/wp-content/uploads/2017/11/Blaze-UPenn-Statement-Voting-Machines-11-29.pdf
      - “Securing the Vote: Protecting American Democracy”, The National Academies of Sciences, Engineering, and Medicine, https://www.nap.edu/catalog/25120/securing-the-vote-protecting-american-democracy
      - “DEF CON 26 Voting Village Report”, Blaze, Braun, Hursti, Jefferson, MacAlpine, Moss, https://defcon.org/images/defcon-26/DEF%20CON%2026%20voting%20village%20report.pdf
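Slide 63 describes a Risk-Limiting Audit as a statistical model for manual ballot sampling. The following is an added example, not part of the talk and not the Norwegian procedure: it implements the BRAVO ballot-polling rule (Lindeman, Stark & Yates, 2012) for a two-candidate contest, where hand-read paper ballots are examined one at a time until the evidence for the reported winner reaches 1/risk_limit, or the sample is exhausted and a full hand count is required. The electorate sizes, the 60% reported share and the seed are constructed sample data.

```python
"""Added example: a BRAVO-style ballot-polling risk-limiting audit (RLA)
for a two-candidate contest. Not from the talk; the stopping rule is the
BRAVO rule of Lindeman, Stark & Yates (2012). Sample data is constructed."""
import random


def bravo_audit(reported_winner_share, sampled_ballots, risk_limit=0.05):
    """Examine hand-read ballots one at a time (a sequential probability
    ratio test). Each ballot is 'W' (reported winner), 'L' (reported
    loser) or 'X' (invalid/other, ignored). Returns (accepted, examined):
    accepted=True means the sample confirms the reported winner at the
    given risk limit; False means the sample ran out first, so the audit
    must escalate to a full hand count of the paper ballots."""
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner needs a majority share")
    threshold = 1.0 / risk_limit          # stop once evidence reaches 1/alpha
    ratio = 1.0
    examined = 0
    for ballot in sampled_ballots:
        examined += 1
        if ballot == "W":                 # evidence for the reported outcome
            ratio *= reported_winner_share / 0.5
        elif ballot == "L":               # evidence against it
            ratio *= (1.0 - reported_winner_share) / 0.5
        if ratio >= threshold:
            return True, examined
    return False, examined


def simulate(true_w, true_l, reported_share, risk_limit=0.05, seed=2019):
    """Constructed electorate: true_w / true_l paper ballots, shuffled with a
    fixed seed to mimic random sampling without replacement."""
    ballots = ["W"] * true_w + ["L"] * true_l
    random.Random(seed).shuffle(ballots)
    return bravo_audit(reported_share, ballots, risk_limit)


if __name__ == "__main__":
    # Honest count: the reported 60 % matches what is on paper, so the
    # audit confirms after a few hundred ballots instead of a full recount.
    print("honest election ->", simulate(6000, 4000, 0.60))
    # Manipulated count: 60 % reported, but the paper shows a 45/55 loss.
    # The statistic drifts downward, so the audit almost always fails to
    # confirm and forces a full hand count; wrongly confirming a false
    # outcome has probability at most the risk limit (5 %).
    print("rigged election ->", simulate(4500, 5500, 0.60))
```

Ballots that are all for the reported winner confirm a 60% result after 17 draws at a 5% risk limit; an alternating W/L stream never accumulates evidence and ends in a full hand count.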