Re: Presidential Candidates' Websites Vulnerable
From: "Marek Isalski" <Marek.Isalski () smuht nwest nhs uk>
Date: Fri, 02 Jul 2004 09:33:16 +0100
"Kurt Seifried" <listuser () seifried org> 02/07/2004 02:47:55 >>>
> It is of interest to note we just had our federal election here in Canada a
> few days ago. I went to the polls, they checked my name, gave me a paper
> ballot, I took it to the booth, made my "X" (within the circle using the
> pencil provided), folded the ballot as indicated and handed it to them.
"Postal voting" was recently tried and tested in the local elections in various parts of the UK, and my area was one of
these "privileged" areas. The rationale is that most Brits are lazy bums and can't be bothered to get off their arses,
walk 100 yards to the polling station, and put the X in the box. Obviously in the run up to Euro 2004 we would be all
too enthralled with watching our national heroes flexing their text-messages on Sky One...
The postal voting did a lot of stuff for "anonymity", but it did not feel "anonymous" to me. If I remember correctly,
it went something like this:
1) receive a load of papers through the post
2) sign that you are the person to whom the papers were addressed on form D (declaration); get someone to countersign.
Form D, if I remember rightly, has your name and address written on it.
3) mark your votes on voting form V
4) put voting form V into envelope B. Envelope B has a window in it which, when V is correctly folded and placed
inside, will show the barcode on form V
5) seal envelope B
6) put envelope B and form D into envelope A so that the barcode from form V shows through the window of envelope A
The barcode on form V was a symbol for a 9 or 10 digit number represented in Code 39. The rationale for the barcode
showing through envelope A, as explained by the information enclosed with this paperchase, was that the barcode was an
authentication mechanism to prevent postal vote fraud. Presumably they would reject forms which hadn't been issued or
had been received twice.
So we now have:
A( D, B( V ) )
Where A and B can be thought of as cryptographic transforms for those of us who like analogies. This feels "secure" --
the voting office opens A and confirms the authenticity of D. It would then, presumably, pass B(V) on to the counting
machines, who would open up B and tally the V.
That's how I would have liked it to work. But actually, with this barcode showing through the window to the outside,
A( D, B( V, id ), id ), id
I have to take it on faith that the people who unwrap A (and therefore know the identity of the voter who submitted
B(V)) do not collude with the people who unwrap B to find out what they voted for.
To me, this is an additional vulnerability to the voting system. The other hole can occur where the people unwrapping
B or counting V, who have the barcode on my voting form, collude with the people who issued D (my identification).
So for an anonymous postal voting system like this, we have to assume that different and non-communicative agencies
issued the D form and the V form containing the id barcode.
Full-Disclosure - We believe in it.
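An added model (not the author's code) of the two envelope structures in the post, A( D, B( V ) ) and A( D, B( V, id ), id ), id, showing which colluding parties can join voter to vote through the barcode id and how separate issuing agencies remove the second hole; the voter names, votes and barcode values are constructed, and the agency labels are assumptions.

```python
"""Model of the postal-vote envelope structure from the post above.
Added example, not the author's code; voters, votes and the 9-digit barcode
ids are constructed sample data, and the party names are assumptions."""

# Constructed electorate: who votes and what they mark on form V.
VOTERS = {"Alice": "Red", "Bob": "Blue", "Carol": "Green"}

def issue_packs(separate_agencies):
    """Issue forms D and V. Returns (packs, issuer_record): packs is what goes
    through the post as (voter on D, vote marked on V, barcode printed on V);
    issuer_record is what the issuing side can retain. One agency issuing both
    forms keeps the voter->barcode map; separate non-communicating agencies
    each keep only their own list, so that map never exists anywhere."""
    packs, voter_to_barcode = [], {}
    for i, (voter, vote) in enumerate(VOTERS.items()):
        barcode = f"{123450000 + i:09d}"  # constructed Code 39 payload
        packs.append((voter, vote, barcode))
        voter_to_barcode[voter] = barcode
    if separate_agencies:
        return packs, {"d_agency": sorted(VOTERS),
                       "v_agency": sorted(voter_to_barcode.values())}
    return packs, {"single_agency": voter_to_barcode}

def open_envelope_a(packs, barcode_outside):
    """Voting office opens A: reads D (identity), passes B on still sealed.
    Returns (turnout, barcode->voter); the map is only available when the
    barcode on V shows through the windows of B and A, as in the real packs."""
    turnout = {voter for voter, _, _ in packs}
    link = {code: voter for voter, _, code in packs} if barcode_outside else {}
    return turnout, link

def open_envelope_b(packs):
    """Counters open B and tally V; the barcode on V is always visible here."""
    return {code: vote for _, vote, code in packs}

def linkable(a_link, b_view, issuer_record):
    """voter->vote links that colluding parties can reconstruct."""
    links = {}
    # Hole 1: A openers (barcode->voter) collude with B openers (barcode->vote).
    for code, voter in a_link.items():
        if code in b_view:
            links[voter] = b_view[code]
    # Hole 2: the D issuer's voter->barcode map, when one agency issued both.
    for voter, code in issuer_record.get("single_agency", {}).items():
        if code in b_view:
            links[voter] = b_view[code]
    return links
```

Only the combination of no barcode visible outside B and separate issuing agencies leaves `linkable` empty; either hole alone recovers every voter's choice.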