Dedicated trusted computer voting device

Re: Dedicated trusted computer voting device

Post by MrPerfect72 » 2010-10-12 10.19

Re: Dedicated trusted computer voting device

Post by MrPerfect72 » 2010-05-20 08.48

The new digital threats conference in Stockholm 2 jun 2010 for Swedish people, I guess.
(De nya digitala hoten
KONFERENS Stockholm 2 juni 2010)
http://www.atomer.se/digitalahot/

Re: Dedicated trusted computer voting device

Post by MrPerfect72 » 2010-02-24 04.19

Re: Dedicated trusted computer voting device

Post by MrPerfect72 » 2010-02-16 03.57

An attack on the Swedish Piracy Party that was detected....
http://translate.google.com/translate?j ... l=sv&tl=en
...the ones not detected stay in their system...

Re: Dedicated trusted computer voting device

Post by MrPerfect72 » 2010-02-03 15.52

For those who do not believe in an attack in the future....
http://www.youtube.com/watch?v=JEzY2tnwExs

Re: Dedicated trusted computer voting device

Post by Emvie » 2010-01-10 11.27

OK. Let's wait for more members and work with development in the pace possible for programming volunteers in the meantime

Re: Dedicated trusted computer voting device

Post by MrPerfect72 » 2010-01-07 08.30

Maybe we will do both eventually, but maybe we should have more members first? I mean if people really want real and pure democracy they should at least engage in it a little bit. :)

Re: Dedicated trusted computer voting device

Post by Emvie » 2010-01-05 06.50

Why not apply for money in some big NGO for this or why not apply for money in Switzerland?
There must be many people who would love to do something good with their money.

Re: Dedicated trusted computer voting device

Post by MrPerfect72 » 2009-11-17 07.44

...designed and manufactured by people that actually know how to do these things


Hey it is us.

I am a Mechanical engineer and can design the mechanical shell. I can read a catalog with components and compare them. I know about prototyping and manufacturing. I know about measurements and tolerances. I know about materials. I worked for Ericsson with mobile phones. I know about many things. We have more engineers now. We have electric engineers and programmers.

If we have the time to make the sketches and believe it is a good thing to do, then why shouldn't we, especially now when unemployment is a problem? Focus? Yes, but we all want to focus on different things. In the end I am sure that the best solution will be the winner.

Hey, why not make every individual decide the security level they want?
1. Simple login (Easy to steal your mandate with a trojan horse. You will have to check voting database from other random computer device to confirm correct voting)
2. Bank security (Harder to steal your mandate with a trojan horse. You will have to check voting database from other random computer device to confirm correct voting)
3. Computer device (Almost impossible to steal your mandate)

At least http://www.aktivdemokrati.se would not be blamed for the security. The individual would be directly responsible for his/her security level.

Re: Dedicated trusted computer voting device

Post by MrPerfect72 » 2009-11-15 07.46

No. There is no need to focus on this unless you feel that excellent is what is needed or that you simply enjoy making things as perfect as possible. If someone wants to develop this marvelous gadget I see no contradiction in this. Having good security does not contradict development of excellent security. On the contrary. If we get hacked now and someone says that there is a safety problem, we can say:

- Yeah, we already know this. We have a good solution. Here it is -> Dedicated trusted computer voting device

I am happy we had this discussion. :D

Re: Dedicated trusted computer voting device

Post by Magnus Gustavsson » 2009-11-15 00.18

I agree with pH7.3, we have since long time made the conclusion that security on a level with or better than what the Swedish tax authority or the internet banks are using will be enough for an internet voting system.
Can someone here explain why we now are losing the necessary focus on creating the software itself for voting, and instead trying to create something that is better than internet banks?
Our resources are limited and I really do see more important issues.

Re: Dedicated trusted computer voting device

Post by pH7.3 » 2009-11-14 22.41

MrPerfect72 wrote: or should we just wait until we have more money?


Or should we worry about getting more active members than the handful we got after 4+ years of struggling, rather than dream up dedicated trusted voting devices, which, by the time they'll be needed, will turn out to be designed and manufactured by people that actually know how to do these things. Who knows, it might really be RFID's implanted in the skull base of every citizen. No need for voting at all, the system KNOWS what you want! ;)

Re: Dedicated trusted computer voting device

Post by MrPerfect72 » 2009-11-14 16.20

So. As I understand, we should mainly focus on a module with display and some buttons and a USB contact?

And I guess the providers of communication and companies can focus on the other part if they see it as profitable and if people see a need for it?

Any unemployed electric engineers out there who want to have a fun time playing around with the first sketches of the electronics for the device or should we just wait until we have more money? :)

Re: Dedicated trusted computer voting device

Post by MrPerfect72 » 2009-11-14 15.39

MrPerfect72's friend wrote: Re: Trusted Voting Module - a couple of mistakes/typos, plus some more ..
last paragraph ...

With RFID, stealing a chip amounts to stealing an identity (except when bound to a passport, photo or whatever) but a voting device identifies the person by something they possess (the device) and something they know (a secret password). This is called two factor authentication. Biometrics (e.g. thumb reader) could also be added, giving 3 factor authentication, to thwart identity theft but probably not necessary or desirable. Unreliable biometric readers could cause voting problems.

An important outcome for any such voting system is that it wins the trust of the people. For the system to gain wide acceptance any mishap must be avoided. Even small anomalies could be used by direct democracy opponents for spreading distrust in DD. It is therefore advisable to implement such a voting system in a trial mode a long time before using it for anything like national voting. It could be used in small scale DD for as long as it takes for interested people to understand the principles, become familiar with its operation, refine it as needed, and develop trust in the system.

In addition to developing the concepts for a trusted electronic voting system, I would also like to propose a system of DD which uses a form of proxy voting as we previously discussed.

MrPerfect72 wrote: According to the people I spoke to, you would be able to put a video camera watching the person typing his/her code and then using the device and vote until the person discovers the deed.


A 3 factor authentication (requiring a voter's body part such as thumb) would avoid this possibility. But I think voter education and diligence (care taken while entering passwords) would be sufficient security. Significantly altering election results by this method is totally impractical and thus highly unlikely.

MrPerfect72 wrote: A person might re-program the device if he/she gets hold of it so that it votes faulty and this can only be discovered by an engineer. However, any electric/computer-engineer should be able to check the code.


It would be extremely difficult for large numbers of rogue versions of voting modules to be produced without detection and this fact alone should be a strong deterrent against such activity. Anyone caught doing it or attempting to do it would hopefully face severe penalties.

How would rogue modules be detected?

An important part of the device is its self integrity check function. Admittedly this is quite tricky to implement in a trusted and tamper-proof way. There could be some dummy voting servers which are used to test the integrity of your device. You could do some trial votes with those servers and verify that your votes were recorded as intended, indicating the device is working as expected. The voting communication protocol would be designed to make it virtually impossible for a hacked version of a device to appear to work properly on the test server but incorrectly on the real voting server. But this requirement needs some serious security analysis and design work!

Better still is for everyone to be encouraged to verify their actual vote was registered as intended by looking up their vote on the public server. Actually this vote confirmation function is mainly designed to build confidence in the system rather than catch out rogue modules.

Here is how it might work ...

Each voter can look up and confirm their vote using 2 unpredictable and secret codes:

1) the secret vote confirmation code (VCC) which their voting module displayed in their vote confirmation message.
together with
2) a shared secret chosen by the user (a password entered into the voting device prior to voting) for accessing the vote confirmation data.

The VCC would be stored in your voting module memory for retrieval as required. However the password could not be read but only entered or reset.

Server hackers would not be able to trick voters into believing their vote was registered correctly while subverting the system because they could not reliably predict what vote confirmation data to send to the user each time. Although the user's computer for this operation is untrusted and therefore not reliable, any such hacking scenario would be quickly detected by sufficient voters for alarm bells to start ringing rendering such hacking attempts ineffective and futile.

Also ... auditing and monitoring systems could be implemented which automatically post dummy votes and verify that those votes appear as posted. But this would over complicate things somewhat and perhaps introduce a loophole. More thought required on this.

Or more simply ... hackers wouldn't try this because it would be easily and quickly detected and thus rendered futile. However it is feasible that hackers would do this if only to create mistrust in the voting system. Perhaps server redundancy and diversity would be used to reduce this effect and make it less attractive for server hackers.

Designers also need to consider denial-of-service (DOS) attacks against both vote posting servers and vote confirmation servers. Constant server monitoring and clever rapid response mechanisms would need to be in place to avoid significant voter frustration by DOS attacks.

Intrusion detection and honeypots could also be used to make it more risky for hackers and to provide triggers for self-healing and server recovery strategies.

A full implementation for reliable large scale voting would require expert security analysis, advanced network security engineering, auditing and monitoring, etc. But compared to the cost of traditional style elections, the engineering required for a reliable DD voting system should be easily affordable for national or state governments.

MrPerfect72 wrote: Cracking the encryption of the sent message will be impossible if it is encrypted hard enough and I think it is possible to get special permission to encrypt very hard for such a device considering its limited purpose.


Strong encryption technology is now freely available and not an issue at all.
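
The vote confirmation lookup described in the post above, as an added sketch that is not part of the original thread or of any Aktiv Demokrati code: the trusted module binds the vote to the VCC and the voter's password with an HMAC, so a server that alters or drops the stored vote cannot present a record that still verifies. The PBKDF2 key derivation, the record layout and every function name are assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # assumed work factor; the thread specifies none


def derive_keys(password, vcc):
    """Turn the two voter secrets into (public lookup index, secret MAC key)."""
    # The VCC is random per vote and stays with the voter, so it serves as salt.
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), vcc.encode(),
                                 PBKDF2_ROUNDS, dklen=64)
    index = hashlib.sha256(b"index" + master[:32]).hexdigest()
    return index, master[32:]


def device_cast_vote(password, issue, choice):
    """Trusted module: pick a fresh VCC and build the record sent to the server."""
    vcc = secrets.token_hex(8)  # displayed to the voter and kept in module memory
    index, mac_key = derive_keys(password, vcc)
    body = f"{issue}={choice}"
    tag = hmac.new(mac_key, body.encode(), hashlib.sha256).hexdigest()
    return vcc, {"index": index, "body": body, "tag": tag}


def voter_confirm(public_board, password, vcc):
    """Voter lookup with VCC + password; returns (status, vote)."""
    index, mac_key = derive_keys(password, vcc)
    record = public_board.get(index)
    if record is None:
        return ("missing", None)  # vote was never stored, or was dropped
    expected = hmac.new(mac_key, record["body"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        return ("tampered", None)  # stored vote no longer matches what was cast
    return ("ok", record["body"])


def demo():
    board = {}  # constructed stand-in for the public vote server
    vcc, record = device_cast_vote("constructed-password", "issue-42", "yes")
    board[record["index"]] = record
    honest = voter_confirm(board, "constructed-password", vcc)
    # A compromised server rewrites the vote but cannot recompute the tag.
    board[record["index"]] = dict(record, body="issue-42=no")
    altered = voter_confirm(board, "constructed-password", vcc)
    del board[record["index"]]  # a compromised server drops the vote
    dropped = voter_confirm(board, "constructed-password", vcc)
    return honest, altered, dropped


if __name__ == "__main__":
    print(demo())
```

The check itself still runs on whatever computer the voter uses for the lookup, which the post already treats as untrusted; the sketch only shows why the server alone cannot fake a matching record.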

Re: Dedicated trusted computer voting device

Post by pH7.3 » 2009-11-14 13.32

MrPerfect72's friend wrote: Briefly ... pH7.3's arguments about security of device appear flawed or at least lack depth of analysis or description.

Well of course, both my knowledge and time are limited.

MrPerfect72's friend wrote: . However one could make a device which contains two sections: 1) a trusted module and 2) some other more complex untrusted sub-system providing flexible communication such as USB, Wifi, 3G, 4G etc.

I thought that was obvious. (Maybe not.)

MrPerfect72's friend wrote: 1) system security protocols will ensure vote data traffic cannot be altered without detection

Again, yes obviously.

MrPerfect72's friend wrote: Voters would need to be educated...

And there you have the problem.

I understand now that I have been sloppy in my commenting! :)

Re: Dedicated trusted computer voting device

Post by MrPerfect72 » 2009-11-14 10.51

MrPerfect72's friend wrote: re: Voting technology discussion. I will put a bit of time into it but it will be limited ...

I tried registering on your forum but after 2 attempts it blocked me out. I don't think there was a problem either time except maybe reading the CAPTCHA code which was quite difficult and error prone.

Briefly ... pH7.3's arguments about security of device appear flawed or at least lack depth of analysis or description.

The foundation of security, the executive auditing mechanism, needs to be extremely simple and open making it verifiable by a large number of engineers. This principle cannot be over-stated, it is paramount. This means that whatever hardware the trusted voting device uses must be very crude, hence the idea of a USB connected device. However one could make a device which contains two sections: 1) a trusted module and 2) some other more complex untrusted sub-system providing flexible communication such as USB, Wifi, 3G, 4G etc.

One principle which must not be broken is this ... the input (keypad), output (screen) devices must be an integral part of the trusted module. One cannot rely on some sort of untrusted external I/O hardware/software such as provided by a phone manufacturer. Ideally if phones were all fitted with a standard communication port (such as USB) the trusted voting device could be plugged into them and everything else. But current trends indicate it is unlikely all phone manufacturers would provide such a port.

The argument about trojans being able to block data traffic is valid but fails to see the bigger picture ....
1) system security protocols will ensure vote data traffic cannot be altered without detection and also prevents a voter from being tricked into believing his/her vote was posted and counted if it was not. i.e. full end-to-end verification and confirmation will be provided by the device.
Voters would need to be educated to check both ...
1) the trusted module's self test/audit verification code (which would be widely published, known and trusted) and
2) the vote registration verification/confirmation message which is sent back to the device when posting votes.

If a trojan was present (in the untrusted system) and blocked or corrupted the voting data packets, the vote confirmation message (2 above) would never occur. To avoid human error it might be useful to use a color display which continuously displays a big RED "Vote NOT yet counted" message until the confirmation is received, at which time the display would change to a green "Your VOTE on issue xxxx registered as yyyy. Confirmation code zzzz" or whatever. (or perhaps a list of confirmation in the case of a vote on multiple issues in one post). It would be simpler and perhaps useful to limit the voting to a single vote per message. These details need to be worked out in the design requirements process.

If the voter is blocked by an infected untrusted communication pathway (certainly a possibility), the voter will be aware of this and able to plug their voting device into any number of available communication systems until a successful vote is posted. Because such blocking attempts would be futile and ineffective at altering voting behaviour I think we can assume such hacking modes to be unlikely, infrequent and irrelevant.

Before delving into the specifics of port type, communication technology etc. used by the trusted voting device, we need to look at more relevant security considerations.

Rogue parties will typically attack any security system at its weakest link. In this case, assuming a proper and well verified technical implementation, the weakest link will likely be in the human processes involved with registering and binding voting devices with eligible voters. Such a process would probably involve some sort of traditional paper based voter register with human auditors. I think this is the most practical (unless everyone is fitted with an RFID device which obviously has other insidious consequences and therefore not acceptable).

A problem is that some humans need to be trusted somewhere in this process. To thwart corruption of the human processes one could implement pretty good safeguards and procedures similar to those used in other high security systems such as banks. A common approach is to require many people together to open locks, the idea being that it is much less likely that the whole team conspire and collaborate to subvert the system. This is not fool-proof but the technology can assist in the case of voter registration by binding and storing an administrator (human) authorisation ID or signature to the device and its registration data.

Let me explain ....

Let's say a government employee has the job of verifying the ID of a Swedish citizen and registering their voting module with the voting system. There are various ways this process could be corrupted and I think this is probably one of the weakest links in the proposed voting system - along with the process of issuing some sort of citizen ID document or device. As part of the registration process the government employee would need to electronically sign the registration data with another trusted ID device (such could be exactly the same device as the voting module but used slightly differently). This electronic signing would form the backbone of an audit trail which could trace and pinpoint any rogue voter registrations down to specific human individuals, administration functions, dates and times. The audit trail itself cannot prevent corruption but provides full transparency all the way through the voting system. The risk of detection, exposure and severe punishment for deliberate wrong doing would hopefully be an effective deterrent and keep the government processes honest and maintain integrity on the voting system. (Similar auditing processes could be implemented at every level of government to reduce corruption at all levels - but that is a much bigger subject!)

The secure identification of people becomes a necessity in the context of security and auditing of critical processes such as voting and voter registration. The trusted voting module could be made as a generic electronic ID and signing device but having some important differences to an RFID device:

1. an RFID works passively without requiring the consent of the person which it identifies, but a voting/ID device requires the acceptance and action by the human being identified.
2. an RFID device links the identification event to a visible human, but a voting device can be used remotely and anonymously (anonymously to humans but with secure identification and secrecy within the voting process and data storage). The voter module could be used anonymously or not as required according to the choice of the person using it. i.e. according to the circumstances the person could submit data with a publicly available ID or not.
3. because an RFID doesn't require the authorisation of the ID holder to transmit its ID data, it doesn't have intrinsic protection against identity theft. With RFID, stealing a chip amounts to stealing an identity (except when bound to a photo passport or whatever) but a voting device identifies the person by something they possess (the device) and something they know (a secret password). This is called two factor authorisation. Biometric readers could also be used to thwart identity theft but not really required.

sorry, I've reached my time limit for today ....
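
The confirmation step described in the post above, as an added sketch that is not part of the original thread: the trusted module keeps showing the red message unless it receives a confirmation it can authenticate for this exact vote, so an untrusted relay that blocks, alters, forges or replays traffic never turns the display green. The per-device key shared with the server, the HMAC standing in for whatever signature scheme a real design would pick, and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets

RED = "Vote NOT yet counted"


def mac(key, label, *fields):
    """HMAC over length-prefixed fields so field boundaries cannot be shifted."""
    h = hmac.new(key, label, hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()


class VotingServer:
    def __init__(self, device_key):
        self.key, self.tally = device_key, []

    def handle(self, packet):
        nonce, issue, choice, tag = packet
        if not hmac.compare_digest(tag, mac(self.key, b"vote", nonce, issue, choice)):
            return None  # altered in transit: not counted, no confirmation sent
        self.tally.append((issue, choice))
        code = secrets.token_hex(4).encode()
        return (code, mac(self.key, b"conf", nonce, issue, choice, code))


class TrustedModule:
    def __init__(self, device_key):
        self.key, self.display = device_key, RED

    def vote(self, issue, choice, relay):
        self.display = RED  # stays red until a valid confirmation arrives
        nonce = secrets.token_bytes(16)  # ties the confirmation to this vote only
        reply = relay((nonce, issue, choice,
                       mac(self.key, b"vote", nonce, issue, choice)))
        if isinstance(reply, tuple) and len(reply) == 2:
            code, tag = reply
            good = mac(self.key, b"conf", nonce, issue, choice, code)
            if hmac.compare_digest(tag, good):
                self.display = (f"Your VOTE on issue {issue.decode()} registered "
                                f"as {choice.decode()}. Confirmation code {code.decode()}")
        return self.display


def run_scenarios():
    key = secrets.token_bytes(32)  # constructed key, provisioned at registration
    server, module, seen = VotingServer(key), TrustedModule(key), {}

    def honest(packet):
        seen["reply"] = server.handle(packet)
        return seen["reply"]

    relays = {  # constructed behaviours of the untrusted communication path
        "honest": honest,
        "blocked": lambda p: None,
        "altered": lambda p: server.handle((p[0], p[1], b"no", p[3])),
        "forged": lambda p: (b"00000000", bytes(32)),
        "replayed": lambda p: seen["reply"],  # confirmation of the earlier vote
    }
    shown = {name: module.vote(b"xxxx", b"yes", r) for name, r in relays.items()}
    return shown, server.tally


if __name__ == "__main__":
    print(run_scenarios())
```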

Re: Dedicated trusted computer voting device

Post by MrPerfect72 » 2009-11-14 07.10

You guess wrong.

Yes, maybe I am wrong.

According to PTS http://www.pts.se in 2005 85% of the population had 3G coverage (in Sweden that is).
In 2007 almost 8.9 million people were covered, which is about 95%.

Interesting. I guess the party eventually could make a deal with the providers if the people want that. So how many people are actually using 3G? I guess you could use lower frequency systems as well, couldn't you? They are still supported I guess. I am thinking about GSM and GPRS.

USB sucks because trojans can block the device's access.

Seems to be a very good argument to me.

If people can use their sim-card in the device to connect, then we are close to using a normal cellphone, aren't we? Maybe it should even be a cell phone? A dedicated trusted crude cellphone and voting device?

Re: Dedicated trusted computer voting device

Post by pH7.3 » 2009-11-13 12.01

MrPerfect72 wrote: Well, for grandma on the countryside WLAN or 3G wont help much either, I guess.


You guess wrong.

According to PTS http://www.pts.se in 2005 85% of the population had 3G coverage (in Sweden that is).
In 2007 almost 8.9 million people were covered, which is about 95%.


It might very well be that the majority of grandmas would prefer to continue voting every four years or so - and in person when health permits. Whether or not this is the case doesn't matter for the original argument: USB sucks because trojans can block the device's access. 3G suffices, but a device that also includes WLAN is great. But even the accessibility issue remains. 3G gives people more freedom to use the device, and this ought to be something good. Or are you afraid people will vote too much? ;)

Of course, when you plan on using multiple technologies anyway, the device could just as well have a USB connection included too.

Re: Dedicated trusted computer voting device

Post by MrPerfect72 » 2009-11-13 08.47

Well, for grandma on the countryside WLAN or 3G won't help much either, I guess.

I guess she would prefer a piece of paper with some selected important issues where she can mark her opinion and then maybe send by snail mail or call up by phone and enter her opinion on her voting account.

Are you a salesperson for the operators selling 3G? :D

Re: Dedicated trusted computer voting device

Post by pH7.3 » 2009-11-12 08.24

MrPerfect72 wrote: Well at least one reason for choosing to use only ONE technology is obvious. Cost.

How much would you save on using a single technology? I'd say peanuts.

MrPerfect72 wrote: There is a USB-connection available on most connected computers and it is usually easy to access.

1. Security risk as mentioned before - you can't get around that one.
2. Accessibility - Not everyone has a computer. My grandma should be able to vote too, you know.
