Re: 2008: The year of hack the vote?

May I point out that if voting systems have a level
of flaw that says only an idiot would use them, then
how can you explain electronic commerce, FaceBook,
or gambling sites?  More people use just those three
than will *ever* vote.

--dan

------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com

dangeer.org wrote:
> May I point out that if voting systems have a level
> of flaw that says only an idiot would use them, then
> how can you explain electronic commerce, FaceBook,
> or gambling sites?  More people use just those three
> than will *ever* vote.

The answer is NO, and that is so because it's different.

In elections, you must have a "Chinese wall"
between the voter and the ballot. If I get the vote I don't
know who the voter is, if I get the voter I don't know what
the vote is. And that doesn't happen in e-commerce. In
e-commerce I have a traceable credit card. I have a
traceable name, I have an address for delivery. Anything
that's bought must be delivered. I have a pattern of buying,
if you go to Amazon.com, they will suggest the next book to
you if you want, based on what you bought. They may know a
lot more about you than you think they know.

And so there is a basic difference between e-commerce and
Internet voting, which must not be ignored, otherwise
ignorance is bliss, we don't see it.

In e-commerce there must be no privacy, the merchant must
know who I am, my credit card must be valid. There are laws
against [fraud in] this. So there is a basic divide here,
which you need to take into account. There is a paradigm
shift, there is a very strong technological point which
those on the political side don't see, because that's
natural. And there is a very strong political side that us,
on the technological side don't see. For us, yes, voter
participation is very good, or don't we all care if voter
participation may decrease?

So the point that I wanted to make is that it [Internet
voting] is not as easy [as in e-commerce], because it's a
fundamentally different problem. The solution is not the
same, what we have today [for e-commerce] does not
transpose, and the solution, the final comment, the solution
that we have today for e-commerce is not cryptography, is
insurance, for 20 percent of fraud that is the Internet
fraud in credit cards. And how is that paid? By us,
cardholders, we socialize the cost. Imagine telling, yes,
you were elected president, but you know, there was a fraud,
here is our insurance policy. You collect your million
dollars, next time play again. You know, we cannot socialize
fraud in elections. We cannot accept 20 percent of fraud
paid for by insurance, which is what happens today. We did
solve the e-commerce security problem, by putting in
insurance. We can not solve it that way [for elections].

(from my Brookings Symposium comment, Washington, DC,
January 2000).

Cheers,
Ed Gerck

------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com

The usual excuse, Dan: ignorance.

Those of us who know how companies maintain the security
of their systems minimize the use of, or eschew, such
sites.  We also always ask for an Absentee (paper) ballot
in places where electronic voting is the only choice at
the polling booth.

Arshad Noor
StrongAuth, Inc.

dangeer.org wrote:
> May I point out that if voting systems have a level
> of flaw that says only an idiot would use them, then
> how can you explain electronic commerce, FaceBook,
> or gambling sites?  More people use just those three
> than will *ever* vote.
> 
> --dan

------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com

On Wed, Dec 26, 2007 at 09:57:52AM -0800, Ed Gerck wrote:

> In e-commerce there must be no privacy, the merchant
must know who I am, my 
> credit card must be valid.

The only reason this 'must' be true is because an anonymous
and secure
payment system is a terror which thankfully our federal
governments
and central banks protect us from. While Amazon and others
obviously
like being able to build customer profiles of everyone, I
don't doubt
that they would be perfectly willing to accept an anonymous
payment as
long as the money is good (and, of course, that the
transaction costs
are no more than a credit card and/or the order flow is
sufficient
that it is worth building support for it).

Jack

------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com

Jack Lloyd wrote:
 > The only reason this 'must' be true is because an
anonymous and secure
 > payment system is a terror which thankfully our
federal governments
 > and central banks protect us from. While Amazon and
others obviously
 > like being able to build customer profiles of
everyone, I don't doubt
 > that they would be perfectly willing to accept an
anonymous payment as
 > long as the money is good (and, of course, that the
transaction costs
 > are no more than a credit card and/or the order flow
is sufficient
 > that it is worth building support for it).

in the mid-90s, the x9a10 financial standard working group
had
been given the requirement to preserve the integrity of the
financial infrastructure for all retail payments ... which
resulted
in the x9.59 standard
http://www
.garlic.com/~lynn/x959.html#x959

in the same timeframe, the EU (in conjunction with eu-dpd)
made statements that electronic payments at point-of-sale
should be as anonymous as cash.

this was interpreted as meaning that names should be
removed from payment cards (plastic and magstripe).
the contention was that (because of poor authentication)
retail outlets could cross-check names on the cards against
some other form of "ID". the implication that
removing
names might help promote other integrity measures.

in the x9.59 standard, we claimed that the improved
integrity allowed meeting the EU-DPD objectives.
We also claimed that x9.59 was privacy agnostic
i.e. it allowed for privacy. The "ALL"
requirement
given to the x9a10 financial standard working
group met internet, face-to-face, point-of-sale,
electronic commerce. It also met debit, credit,
ACH, as well as stored-value cards ... aka the
same X9.59 was applicable to *ALL*. In the debit/credit
scenario some countries have "know your customer"
mandates associating account numbers with individuals
... which we claimed was outside the x9.59 standard.
Supposedly with appropriate regulated access to
information, govs can obtain information associating
account activity with individuals.

However, the very same x9.59 standard also works
with stored-value/gift cards ... which doesn't have
similar "know your customer" mandates.
ht
tp://www.garlic.com/~lynn/subpubkey.html#privacy

And in fact, most stored-value/gift cards share a lot
of the same exact processing with the debit/credit
processing ... the addition of x9.59 could provide for
the exactly same level of integrity thruout debit,
credit, and stored-value/gift processing.

for other drift, in the mid-90s ... there were some
of the other payment efforts specifically for the
internet which had so much payload and processing bloat
that it made it impractical past the toy demo stage
http
://www.garlic.com/~lynn/subpubkey.html#bloat

related recent post on infrastructure provisioning and bloat
of
toy demos:
http://www.
garlic.com/~lynn/2007v.html#64 folklore indeed

about the same time, there were completely different
chip card oriented efforts for point-of-sale. one of the
scenarios of some of the chipcard pilot projects in
the late 90s and early part of this century was that
they managed to increase the vulnerabilities
(magstripe vis-a-vis chipcards)
http://www.garlic.com/~lynn/subintegrity.html#yescard

the common excuse from the period, was that chips
cost so much that it wasn't possible to afford integrity
that actually improved over magstripe. The other
possible observation was that some of the chipcard
efforts were so chip myopic ... that they couldn't
realize that they were actually making it worse
for the overall infrastructure.

A big issue for merchants isn't anonymous payments
... it is cost of doing business. This has been in
the news quite a bit recently in the form of
interchange fees ... recent posts
http://www.
garlic.com/~lynn/2007v.html#62 folklore indeed

the other area is in the liability related to breaches
(and/or the costs of countermeasures to breaches).

i've mentioned before that we had been called in
to consult with small client/server startup that wanted
to do payments on their server. They had this technology
they called SSL and it is frequently now referred to
as electronic commerce
h
ttp://www.garlic.com/~lynn/subnetwork.html#gateway

and then we got dragged into involved with the x9a10
financial standard. as part of attempting to meet the
requirement to preserve the integrity of the financial
infrastructure for all retail payments ... we did some
detailed
threat and vulnerability analysis. A big item that came out
were infrastructure vulnerabilities ... breaches, skimming,
harvesting, evesdropping, ... a whole slew of things.

we identified that much of the vulnerability could be
attributed to the account number and transaction
information has diametrically opposing requirements
... 1) it has to be readily available for large number of
different business processes and 2) since the crooks
can use the same information for various kinds of
essentially replay attacks ... the information has to
be kept confidential and never divulged.

we've also talked about this as the dual-use nature
of the information ... and that even if the planet
was buried under miles of (information hiding) encryption,
it still wouldn't be able to prevent information leakage.

So another part of the x9.59 financial standard
was to eliminate the dual-use nature of the information,
making it useless for crooks ... aka x9.59 didn't do
anything to prevent information leakage ... it just
eliminated
the information leakage as a vulnerability. a related
recent post
http://www.
garlic.com/~lynn/2007v.html#74 folklore indeed

from this stand-point ... the x9.59 financial standard
addresses
both drastically reducing fraud in the infrastructure as
well
as drastically reducing the infrastructure costs for fraud
countermeasures.




------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com

Dan wrote:
 > Let's not do this or we'll have to talk about JF
Kennedy
 > who, at least, bought his votes with real money.

That's because Democrats had become more professional,
and the tradition of buying votes with whiskey
only works for the retail level, not wholesale.

Dan also wrote:
>May I point out that if voting systems have a level
>of flaw that says only an idiot would use them, then
>how can you explain electronic commerce, FaceBook,
>or gambling sites?  More people use just those three
>than will *ever* vote.

The primary threats of electronic voting machines aren't
to the individual voter,
who can slightly increase the chances of getting
his/her vote counted accurately by insisting on paper
ballots,
but to the aggregate vote count, which can be hacked
if the precinct has _any_ electronic machines.

The big problem in Ohio appears to have been Denial of
Service -
not that there weren't lots of other problems,
but electronic voting systems have sufficient complexity
that
an elections department can arrange to have enough
missing parts or supplies or passwords or powercords or
whatever
in demographically appropriate precincts so that the
results get skewed even without Other Technical Means.
Some of the black inner-city precincts had two-hour lines
(on a rainy day), while white Republican-leaning precincts
had all the equipment they needed.

(Also, if you're saying "only an idiot would use
it"
and ask how gambling sites exist, the answer is that
only idiots gamble...   As Ed Gerck pointed out,
risk in e-commerce can be managed and amortized into the
price,
but that doesn't work for voting.)


------------------------------------------------------------
---------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography"
to majordomometzdowd.com