I am going to use this thread to provide my own opinions on this issue, and how it fits into the wider context of evoting. It's 1am in Vancouver, but I will be awake for a little while.
That last point is very important in the context of an issue like the trapdoor we discovered. Do not let people minimize this issue. This isn't "some random hacker can steal an election"; this is "SwissPost can prove they didn't steal an election, even if they did".
Media Break: This article by @KimZetter about this research: https://motherboard.vice.com/en_us/article/zmakk3/researchers-find-critical-backdoor-in-swiss-online-voting-system …
Let us not downplay this. This code is intended to secure national elections. Election security has a direct impact on the distribution of power within a democracy. The public has a right to know everything about the design and implementation of the system.
Media Break: Some more analysis of this finding from @RepublikMagazin https://www.republik.ch/2019/03/12/gravierender-mangel-am-e-voting-system-der-post-entdeckt …
I see that the official spin on this whole thing is that this was a successful result of the public intrusion test. I disagree completely with that characterization.
I can't tell the people of Switzerland what to do. They have to guide their own democracy. But I can suggest that, given the circumstances, they investigate mechanisms to halt further adoption (https://evoting-moratorium.wecollect.ch/de) until the many critical questions have been answered.
Why did previous audits not catch this? If they did, as is claimed, why does the issue still exist 2-3 years later? Are those answers true for the many thousands of other lines of code?
And it is worth pointing out that this is bigger than Switzerland. Other countries are moving towards evoting, many are adopting systems that are related to this code base (how they are related is another big question worth asking).
I'm not here to tell you what to think, but I am here with a whole list of questions that I think are very important to answer if governments are really serious about giving these evoting systems the power to decide who controls a nation.
Interestingly I've talked to several journalists today & not one asked me what I think is one of the more interesting questions: "Do you know of other issues in the code?"
The answer is yes. I do. They are not as critical as this issue, but they are there. This code is simply not up to the standard we should require of critical public infrastructure.
Amazing how quickly "people in unofficial channels who don't understand cryptography" becomes "We are thankful to those researchers who helped us identify this issue"
Probably worth linking to the thread that started me down the path that led to many long nights of analyzing code: https://twitter.com/SarahJamieLewis/status/1097223122405646336 …
I should also add that even though, according to some Swiss media over the last few weeks, I "look like someone who would have been burned at the stake" I want to assure you all that this isn't deep magic, it's just math.
Statement from the Swiss Federal Chancellery on this issue: https://www.bk.admin.ch/bk/de/home/dokumentation/medienmitteilungen.msg-id-74307.html …