back to article Swiss electronic voting system like... wait for it, wait for it... Swiss cheese: Hole found amid public source code audit

The Swiss Federal Chancellery (SFC) on Tuesday said security researchers have found an fascinating flaw in the Swiss Post's e-voting system as part of an ongoing penetration test. Said flaw, if successfully exploited by miscreants, would prevent officials from detecting unauthorized changes to citizens' electronically-cast …

  1. GnuTzu Bronze badge

    Such A Wait-for-it

    Can I have that on rye with spicy mustard?

    1. Aladdin Sane Silver badge

      Re: Such A Wait-for-it

      Better on rye with sauerkraut, Russian dressing and half a hundredweight of corned beef.

  2. Bronek Kozicki Silver badge

    Say what you will

    ... but the Swiss are taking their voting seriously. At least they are trying to find and fix the problems, unlike many others.

    1. Anonymous Coward
      Anonymous Coward

      Re: Say what you will

      Yes, I lived there. I have no problem with them being so precise - it's one of the reasons you can still trust things that are Swiss made. They just don't have the tolerance for anything less than perfect (caveat: at least the people I dealt with, which is mostly in the German speaking part of the country).

    2. anothercynic Silver badge

      Re: Say what you will

      I'd rather trust an e-voting system designed by the Swiss than anyone else. The Confoederatio Helvetica would *never* allow anything to affect what makes Switzerland Switzerland negatively.

      Well... Mostly. They have their moments in some instances (like their referendum on restriction of movement... which backfired spectacularly).

      1. Velv Silver badge
        Coat

        Re: Say what you will

        There is an old joke...

        Heaven:

        The police are British

        The cooks are French

        The engineers are German

        The administrators are Swiss

        The lovers are Italian

        Hell:

        The police are German

        The cooks are British

        The engineers are Italian

        The administrators are French

        The lovers are Swiss

        1. Aladdin Sane Silver badge
          Coat

          Re: The lovers are Swiss

          In fact, if one of those Swiss boys ever came across a pretty girl he would probably yell 'eins, zwei, drei' and try to push her down some ice!

  3. Stork Bronze badge

    Are they going to vote on whether to adopt electronic voting?

    I mean, that would be the Swiss way.

    1. ratfox Silver badge

      Re: Are they going to vote on whether to adopt electronic voting?

      Probably, considering a petition of only 50'000 signatures is enough to demand it.

    2. Korev Silver badge

      Re: Are they going to vote on whether to adopt electronic voting?

      Yes, just get everyone in the village square*, don't forget your sword to identify yourself...

      *This is how Appenzell didn't allow women to vote until the 90s!!!!

      1. Doctor Syntax Silver badge

        Re: Are they going to vote on whether to adopt electronic voting?

        A wapentake!

  4. This post has been deleted by its author

  5. canthinkofagoodname

    Potentially unpopular opinion

    Does voting actually need to be electronic?

    Admittedly, not something I have given a whole lot of thought, so feel free to tear this to shreds, but I don't fully get the need for voting to be electronic (operative word here being "need").

    Will it enable speedy vote counts, reduce paper waste, all that guff? Sure. But in the context of "[insert foreign nation here] is meddling with our election", why would you want to move to a solution that would, in some way, be more susceptible to remote manipulation?

    I get that manual counting has its flaws, and people can be compromised just like systems, but I am thinking that in the case of voting maybe staying with an analogue solution is better? At least until something better comes along, that's been thoroughly tested and has a very slim risk factor associated with it?

    I dunno, need to think about it more, just seems silly to me.

    1. pavel.petrman

      Re: Potentially unpopular opinion

      I for one spend considerable resources (spacetime, money) on my voting every years, since I travel for work and, lo and behold, it's a messy tangle of loops I'd need to hop through to change my address of residency (which are difficult to hop through as I tend to be far away from the responsible authorities during business hours). So for me its "ties to my official spot on the face of the Earth" versus workforce mobility.

      I guess you can judge by the process of implementing the Internet vote whether it's actually beneficial for the voters (and this Swiss story looks to me like it's being based on some meaningful thoughts) od just the typical political showing off that "I'm the modern day internet guy just like Obama was with his raspberry pi satellite internet phone in his day", like you see quite often in other places where over-overpriced windows XP things connected directly to the Internet seem to pass or where a thoroughly planned Internet census fails miserably because the only thing the contracted blue whale young and promising staff is capable of is rebooting a router without having had the configuration saved first.

      1. Doctor Syntax Silver badge

        Re: Potentially unpopular opinion

        So for me its "ties to my official spot on the face of the Earth" versus workforce mobility.

        The whole point of voting is to make decisions on behalf of a community. That's a community in the sense of a group of people sharing the same physical space. It makes sense to tie qualification to some spot you habitually inhabit.

        OTOH there's an attraction in electronic voting if we could give Facebook users an electronic vote for their own MP. They could choose to vote for either the FB MP or their geographical constituency MP. The successful FB candidate could be called the Honourable Member for B Ark.

        1. pavel.petrman

          Re: Potentially unpopular opinion

          Re: "make decisions on behalf of a community" and "tie qualification to some spot you habitually inhabit" - I have my family, friends, house, dentist and doctor there, I pay my local taxes there, I just happen not to have a 9-5 job across the block. Does it disqualify myself in your view? And that is for the local ballot only. In my country the "working for the constituency" is not a big deal, if it is a deal at all. But still as a citizen I believe i have the right to have a say in who will be the face in TV debates for the next few years, yet I regularly have to travel hundreds of kilometers to exercise that right.

      2. 2+2=5 Silver badge

        Re: Potentially unpopular opinion

        > So for me its "ties to my official spot on the face of the Earth" versus workforce mobility.

        You are conflating electronic voting with electronic voting!

        There is electronic voting which replaces the paper ballot and box with something computerised but you still have to attend the polling station and vote in person.

        Then there is remote, over the Internet voting, which I don't think anyone thinks can be made secure, yet.

        I'm not sure what benefit the former brings: the equipment costs just as much as printing ballot papers if not more. The count will be quicker but currently (in the UK at least) counts happen overnight so for most people they wake up the next day to the result. A faster count means they might know by midnight instead. Whoopy doo.

        1. pavel.petrman

          Re: Potentially unpopular opinion

          You are right and I stand corrected. I plead guilty to grievous wishful thinking about the remote vote. I am doubtful about the benefit of the electronic (not remote) voting, too.

        2. Brangdon

          Re: in the UK at least

          Voting in the UK is simple because we only vote on one thing at a time. Each ballot gets its own piece of paper, and they are counted in two steps: first sort the paper into piles according to who they vote for, then count the number of pieces in each pile. Both steps are easy to do in parallel, so if you use counting staff proportional to the voting population it happens in constant time. It's also relatively easy to spot-check that no votes got into the wrong pile, or that each pile has the reported count. Basically, it scales well.

          In America they vote on vastly more things. Not just president, but elected officials at various levels. Instead of each vacancy getting its own piece of paper, they combine them all onto one sheet. This makes it impossible to count manually using the UK method. That's why they use automated systems of various designs. (Not saying their system couldn't be adapted, eg by using perforated paper and splitting up the sheet into one strip per vote. Historically they've not done that.)

          I've no idea whether the Swiss are like the UK or like the US.

    2. Zolko

      Re: Potentially unpopular opinion

      @canthinkofagoodname: "the need for voting to be electronic"

      if not, then it's by paper, and then the question of "who pays for the paper" arises : if it's the candidates, then money becomes a deciding factor to be candidate, if it's the state then you can overwhelm the system with many tiny useless candidates. If it's electronic, 2 candidates or 10 or 100 don't make a difference.

      "susceptible to remote manipulation"

      that might be a problem if the electronic voting is not well though and tested (which is the exact point of this article), but paper voting is exposed to local manipulation, rigging of results at the local level: much easier, and much more dangerous

    3. jmch Silver badge
      Thumb Up

      Re: Potentially unpopular opinion

      On you with this one. People can be compromised (see the latest US election absentee ballot fraud that was picked up in... North Carolina, was it??), but there are enough systems in place around manual / analogue elections that it probably can be caught and almost definitely can be recounted. It would also happen more probably on a local level with less impact on large results, which also means it could be more easy t spot as a statistical anomaly in a local district that is far different from surroundings and/or past votes and/or forecasts and polls.

      If e-voting is compromised, then it can be compromised on a massive scale, and also in such a way that it looks evenly distributed in a way that could resist being caught out by statistical analysis. With full e-voting there is never any way of being sure of the result.

      If you want to get a fast vote count, use a hybrid model:

      - voting machine is completely standalone and needs just an electricity connection

      - modified hardware / OS that does not have any wifi, bluetooth or other wireless hardware, no network port, whole TCP/IP stack removed from the OS. The only I/O is USB ports for keyboard, mouse, data download.

      - machines are assembled / configured / updated at secure site at manufacturers, and are based off an imaged SSD with OS and software already preinstalled. Voting data goes on a seperate SSD. SSDs allow no-ventilation running so box can be completely locked and sealed. Setup is ordered by local voting entities and configured / set up at the factory. It should not be possible to do any setup, updates, configurations etc away from the secure area at the factory. For good measure, secure area is completely open plan with a viewing window that is publically accessible without restriction.

      - There is a single hardware on/off/reset button that is in a seperate panel, locked, with keys kept be local voting officials at polling station. the panel also includes space to refill ballot papers. Ballot papers should be already in sheets so it's as simple to load as a photocopier, not on a roll that is more fiddly.

      - There is a box for physical ballot results that is transparent and sealed, with keys NOT available to local officials at polling station, only to state or federal voting officials. panel for USB access is also locked and sealed with availability only for state / federal officials, not local ones.

      - Voting process - voter is IDed* and gets to the booth. Choices are on screen, if there are multiple ballots, each gets it's own screen, voting choices clearly presented etc. Votes, presses OK, gets a paper readout printed out which has human-readable voting record plus QR code with equivalent data. Voter can read that vote is correct, scan QR code (and e-vote is only recorded at this point), and slip vote into ballot box.

      - Ballot stations have double the amount of machines needed in case of failure. In case of complete failure, manual ballots and traditional ballot boxes are available.

      - e-votes are downloaded at central state / federal location at stations with no outside comms access, and open-plan with public visibility. Random audits are done that (a) verify that QR code vote matches human-readable printout and (b) manually tally whole boxes and compare results to e-vote count.

      - Any anomaly is always resolved by counting paper ballots.

      - All original voting machines and any computers used for tally should be stored only for as long as result is certified plus any legal challenges are resolved. Then all hard disks are electronically wiped, physically destroyed and disposed of securely. Paper records are held for statutory period after which they are also destroyed.

      It's still not going to save paper - deal with it. It's still not going to be cheap - if proper democracy is expensive that's worth it. It still might not be 100% accurate or secure - any other safeguards might be suggested / added. It still might not get 100% accurate results - voters aka users CAN be morons - deal with it. It WILL give a much quicker tally, which is great. It will also potentially give a much more detailed picture of voting patterns which could be dangerous, which is why it's so important to destroy / wipe all data after.

      *how to make sure all eligible voters can vote, and prevent multiple voting, is a whole other huge issue

      1. Doctor Syntax Silver badge

        Re: Potentially unpopular opinion

        "If you want to get a fast vote count"

        Good, fast, cheap. Pick any two. Whichever of the other two is chosen I'd want "good" as one choice. Now we have to ask whether "fast" is worth spending silly sums on and still compromise "good"

    4. Carpet Deal 'em

      Re: Potentially unpopular opinion

      As a practical matter, it can enable more people to vote that might not have otherwise been able to. For example, it's used in my county to enable anyone to vote at any polling place, regardless of precinct. You could theoretically manage that with paper, but with nearly one hundred precincts(and therefore nearly a hundred ballots), it's just not doable in reality.

  6. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

    Wha? Zis voting machine hez gone emmental!

  7. Anonymous Coward
    Anonymous Coward

    Swiss Miss

    All things Swiss aren't what they used to be.

    Quality control is slipping in the mountain state.

    1. Korev Silver badge

      Re: Swiss Miss

      You've just reminded me of the Archer episode...

    2. Anonymous Coward
      Anonymous Coward

      Re: Swiss Miss

      I don't think they had much choice here - the thing is written in Java.

    3. jmch Silver badge

      Re: Swiss Miss

      "Quality control is slipping in the mountain state."

      Rather the opposite I would say - publishing the source code and allowing independent researchers to test is is an excellent part of testing, and (if I understood the article correctly), this particular evoting system had not yet been used for official votes

    4. Archtech Silver badge

      Re: Swiss Miss

      On the contrary: the fine article is all about how quality control is up and working in the mountain state.

      As opposed to some other countries (which shall remain nameless to protect the guilty), where electronic voting machines run secret proprietary code which - in terms of holes - probably looks more like a spider web than Swiss cheese.

      Incidentally, please note that in a reasonably thick slice of holey Swiss cheese, the holes do not go right through. So the slice is still watertight.

      Although of course, they would do better to aim for Gruyere, which doesn't even have bubbles.

      1. jmch Silver badge
        Thumb Up

        Re: Swiss Miss

        "Although of course, they would do better to aim for Gruyere, which doesn't even have bubbles."

        Actually most Swiss cheeses are hole-less

  8. John Smith 19 Gold badge
    Unhappy

    Now, compare that to the US system

    Closed source and security by obscurity model.

    I know which I'd prefer.

  9. Tomato42 Silver badge

    oh, so they solved the problem of verifying that the voting machine is running the same code that the researchers reviewed? and made the process so simple that people that call ZuckBook "the Internets" are able to do this reliably? /s

  10. Korev Silver badge

    Better than in the UK...

    ....Where you turn up with a bit of paper and are then allowed to vote. According to the Guardian, it'd undermine democracy to demand ID whilst voting...

    1. Rich 11 Silver badge

      Re: Better than in the UK...

      And yet the instances of voting fraud are remarkably rare, and the scale of it nothing compared to the overall number of votes cast. Even if you look at marginal wards and constituencies where a few dozen votes could have swung it one way or the other you don't find anything to suggest our democracy is under threat.

      On the other hand, requiring voter ID when some people simply don't have photographic ID creates a hurdle to voting, and it is well known that this trends with poorer sections of society. The experience of voter suppression in the US, backed by unfounded claims of millions of illegal votes, might give you a hint to where an actual threat to democracy lies.

      1. Doctor Syntax Silver badge

        Re: Better than in the UK...

        "And yet the instances of voting fraud are remarkably rare"

        Not only rare but ?almost always involve postal, ie. remote, votes.

      2. Archtech Silver badge

        Re: Better than in the UK...

        "And yet the instances of voting fraud are remarkably rare..."

        And yet the instances of DETECTED voting fraud are remarkably rare...

        FTFY.

        1. BebopWeBop Silver badge
          Trollface

          Re: Better than in the UK...

          Of course, proving a negative always has its problems :-) But politicians among others would not have it any other way.

      3. Korev Silver badge

        Re: Better than in the UK...

        I almost did it accidentally as a student - I shared a house with a man and a woman and I just grabbed the slip and then was informed that "You don't look much like a Miss", had I taken the bloke's form instead then I'd have fraudulently voted.

    2. Cuddles Silver badge

      Re: Better than in the UK...

      "Where you turn up with a bit of paper and are then allowed to vote."

      This is an oddly common misconception. All that is required is that you turn up, no bit of paper is needed. Your voting slip is just a reminder of when and where you can vote, it's not any sort of identification and there's no need to bring it with you.

    3. Archtech Silver badge

      Re: Better than in the UK...

      " According to the Guardian, it'd undermine democracy to demand ID whilst voting..."

      Yeah. It would indeed undermine what The Guardian calls "democracy".

      1. Anonymous Coward
        Anonymous Coward

        Re: Better than in the UK...

        All pols and parties that need fraud to win say ID undermines democracy, even though the instances of legit voters not having any are rarer than detected fraud. You need it to buy a ticket of most kinds, drive, have a bank account, rent a car...and so on. I managed without for a short time when I was too broke to buy a candy bar extra. But then...if you want state assistance you need ID too. At least most places and if not - you should. US has had multiple cases of people using more than one identity to collect bennies in the past.

        Saying you need people without ID to be able to vote means you want to enable fraud, plain and simple - the assumption is that it will be in your party's favor. Now if the other side figures out that means they can do it too - say here in the US a bunch of right wingers decide to take a bus ride to California and vote a little extra...you'll see the lefties make the fastest turnaround ever and start noticing fraud. Oh wait, last time they just invented some fake fraud because when Jill Stein checked some precincts, she found more than 100% of registered voters had already voted for the left - and that investigation shut down *real* fast.

        1. Rich 11 Silver badge

          Re: Better than in the UK...

          All pols and parties that need fraud to win

          Like the Republicans who have been engaging in blatant gerrymandering for the last three decades? They understand where the projected demographic changes over the next generation will leave them, but instead of democratically adapting by modifying their policies to appeal to more Americans, they instead choose to rig the system in their favour wherever they can. They wrap themselves in the flag in public while spitting on it in private.

  11. Archtech Silver badge

    A great advertisement for open source

    All in all, this looks like terrific PR for governments using open source software.

    1. BebopWeBop Silver badge

      Re: A great advertisement for open source

      You and I may think that, but you can bet that others, probably more influential will seize on it to demonstrate that Open Source does have flaws (true) while their favourite bespoke system has none (that have been shown).

  12. Aladdin Sane Silver badge
    Coat

    Is the person who discovered the flaw the hero of [the] canton, the man they call Jayne?

  13. Anonymous Coward
    Anonymous Coward

    Meanwhile in Venezuela...

    That's why Venezuela used the Brazilian eletronic voting system...

    Even the Swiss couldn't sort theirs out, but the Brazilian voting machine is "flawless", right...

    US of A still uses paper for a reason.

    1. anothercynic Silver badge

      Re: Meanwhile in Venezuela...

      The US of A is happily riding the electronic vote wagon... Diebold? Yeah, we believe them. No problem. They say it's not hackable. Ok then. Please go ahead and vote.

      The Swiss at least expose their dirty laundry (*gasp* so un-Swiss) by making their code publicly available and asking people to see if there are problems with it. Problems are found, fixed, and checked again... better than Diebold's "Nothing to see here, everything's fine" hand-wave.

      1. DCFusor Silver badge

        Re: Meanwhile in Venezuela...

        My county WAS using electronic voting by WinVote. As I'm well known in this small town (pop of whole county is around 20k) for my expertise, they allowed me to "test" - with them present - if I could bork a machine and make it count wrong. Took way under one minute. Xp underneath....and you were already "in" as admin. Typical. They went back to paper. Yay!

        Which can still have fraud, it just leaves more tracks, as in Broward County Fla.

  14. molletts
    1. DCFusor Silver badge

      Re: Relevant xkcd

      Yup, even nuking it from orbit wouldn't be sure - some clown would just reintroduce it. Makes fraud easier by far - even if the machines aren't wrong, something has to collate and sum it all...in some office you aren't allowed to witness using code you can't see run by people with a stake in the outcome.

  15. Scott Pedigo
    Headmaster

    How Swiss Voting Currently Works

    Every resident must register with a municipal office when they move into or out of a municipality. The person's nationality is part of the registration. If you are not Swiss, you must of course have obtained a residence / work permit in the first place. This registration is checked by your landlord and employer, so you won't be able to legally rent a flat or work, or take advantage of any government services, if you don't register.

    Voting typically happens several times (I think a max of 4 times) per year. It always takes place on a Sunday. Votes have to be in by 12 midday on Sunday. The results are often known within a few hours. There are only 8 million residents, of which about 1/3 are non-Swiss, so not a huge number of votes to count.

    About a month before the day of a vote, ballot packets are mailed by the municipality to all the voters, i.e. all the Swiss, or depending on the canton, to even non-Swiss who are allowed to vote in some local elections. The packets contain paper ballot slips for federal, cantonal, and municipal elections and/or referendums. Elections happen every couple of years, like everywhere else. Referendums happen all.the.time.

    The ballot card, on which your mailing address was printed, must be signed. The ballot slips can be filled out, placed into an inner envelope with no identifying information, and mailed back in the same pre-paid outer envelope -- you just turn the ballot card upside down so that the return address is shown in the envelope window.

    Or, on voting day or the Saturday before, you can go to any of several local polling stations and personally hand over your ballot. The polling places and opening times are all conveniently listed on the ballot card.

    I believe that the e-voting being tested is a "keeping up with the times" thing, with the view to someday supplant the paper ballots with voting over the Internet. I don't see why they'd want electronic voting machines in the polling places, because if they got rid of the paper ballots and didn't have voting over the Internet, then people would be forced to go to the polling stations, a big step backwards in convenience.

    Further, I doubt that saving money, or getting faster results is the impetus. They have a proven system which already has fast results. If anything, it is being considered as a further convenience for the voters, who would no longer have to mark the ballots and carry the envelope to a post box or to the post office, and also wouldn't be confronted with having to show up at a polling place on Sunday if they procrastinated until it was too late to mail in the ballot. They could vote over the Internet up to the last minute.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019