Friday, 30 March 2007


Some very silly thinking from Jason:

"Then Ms Prentice tells us that because electors will be able to provide a password of their choice the potential for credentials being stolen or misused will be reduced. Which is rather doubtful in my view. The password picked by the elector has to be sent to the election office, an obvious address for cherry-picking from the post. Furthermore these passwords will need to be entered into the system manually - so they'll be lying around, typed in by who (we don't know) and then stored in a central database ripe for the picking. Human picked passwords are going to be easier to brute-force guess also."

That's absolutely right, Jason:

1. It's impossible to collect these details through, say, an electronic registration process (God, he'll scream blue murder about that... guess what? It's better than paper). Therefore no paper interception (maybe a man-in-the-middle, but they still haven't got all the credentials then; they're missing a PIN and possibly PCIN / candidate info in the case of a pre-encrypted ballot) and no manual re-entry (which century are we living in, by the way? I forget when I'm reading Jason's blog sometimes).
2. Who in the name of all that's holy stores the secret in plain text? Hash it at least (and use a salt, to prevent the GNU.Free mistake of easy brute forcing straight from the DB).
3. Is the "brute-force guess" meant to be at authentication for remote voting? If so that's impossible to detect... no really it is, I can't think of a single way to spot someone trying... aaaa, bbbb, cccc, etc. in code, impossible I tells ya! If only there was something to tell me where authentication requests came from on the Interweb, maybe an address of some kind... nah.
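To make points 2 and 3 concrete, here is an added example (mine, not anything from the post or from any real e-voting system): a credential store that keeps only a salted, iterated hash of each elector's chosen password, and counts failed authentication attempts per source address so that sequential guessing trips a threshold. The elector ids, addresses and threshold are constructed values.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed example: stored credentials are salted PBKDF2 hashes, so a copy of
# the table does not give up the passwords; failed logins are tallied per source
# address so that guessing "aaaa, bbbb, cccc" from one place is visible and blockable.
ITERATIONS = 100_000        # work factor for PBKDF2-HMAC-SHA256
LOCKOUT_THRESHOLD = 5       # failed attempts from one address before blocking


class CredentialStore:
    def __init__(self):
        self._records = {}                  # elector_id -> (salt, digest)
        self._failures = defaultdict(int)   # source address -> failed attempts

    def enrol(self, elector_id, password):
        salt = os.urandom(16)   # fresh random salt per record
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self._records[elector_id] = (salt, digest)

    def authenticate(self, elector_id, password, source_addr):
        """Return 'ok', 'denied' or 'blocked' for one login attempt."""
        if self._failures[source_addr] >= LOCKOUT_THRESHOLD:
            return "blocked"
        record = self._records.get(elector_id)
        # Always run the KDF so an unknown elector id costs the same as a wrong password.
        salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        if record and hmac.compare_digest(candidate, stored):
            self._failures[source_addr] = 0
            return "ok"
        self._failures[source_addr] += 1
        return "denied"

    def flagged_sources(self):
        """Addresses that have hit the failure threshold: what an operator would review."""
        return sorted(a for a, n in self._failures.items() if n >= LOCKOUT_THRESHOLD)
```

In a real deployment the per-address counter would live in shared storage and be paired with per-account limits, since one guesser can spread attempts across many addresses.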

"Next Ms Prentice helpfully tells us that electors will be using identifiers unique to them and that there will be no receipt to show to others how they have voted. But print screen, a photo of the computer screen or even an audio recording of the telephone vote would work as a receipt - there is no protection and receipts are possible. The unique identifiers don't protect from intimidation either - they just limit it to one vote that can be stolen at a time by intimidation."

What, exactly, stops an attacker from forcing me to take a photo of my ballot paper with a camera phone in the booth? Especially if the attacker is in the polling station to ensure I don't get a new ballot paper.

And Jason is well aware that an e-voting system could be configured to allow many votes from one set of credentials with only the last counting, and that it would be possible to issue new credentials to a voter who has been attacked and allow them to cast a new ballot (which can be adjudicated during the counting process).

Start thinking, Jason. You're deliberately making issues where there aren't any; these problems CAN be, and will be, solved.

Updated: polling station, not booth. Dangit!