Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/446 Thanks!

So good morning and thank you, everybody, for showing up at this early hour. So the tabloid title of this talk is The Rise and Fall of Internet Voting in Norway. And I'm going to tell the story about the Norwegian trial, the trial to try to do Internet voting right. So how many of you were at Alex Halderman's talk on Sunday on the voting in Estonia? Quite a few, so you already know everything about Internet voting. So there are basically two kinds of voting systems. There's the kind of voting system you use to tell what is the best of Coca-Cola and Pepsi, and there's the kind of voting system you use to decide who you want to be in government. And for the second kind of voting system, the stakes are a lot higher, and this is a fundamental democratic ceremony.
And it's really important that we get it right and we make sure that it stays democratic and secure and fair. And so this talk is going to be in three main parts. I'm going to talk about the Internet voting trial that was held in Norway in 2013, and then I'm going to give the historical background for the trial, to try to look at how it was that we did this trial in Norway and what happened afterwards and what the story was. And then finally, I'm going to talk about my own work auditing the crypto implementation used for the voting system. And so there are really three main points to take away from this, and I think the first point is that even though Internet voting is scary and something which I think we don't want, the Norwegian trial really tried to do it right, in the sense that they wanted to conduct a really open trial and be very honest and upfront about what they were doing.
The second point is that this kind of event is not only about technology, it's also very much about politics, and you find that even though the hackers are saying, Internet voting, no, we don't want this, there are a lot of other forces in play which shape what's actually going on. You might want to ask, why would anybody want to do Internet voting at all? And I think the main argument, ten years ago, which was definitely pre-Snowden and when we were, I think as a whole, a bit more naive about the threats online, was that I can do banking online, I can do my taxes online, why can't I vote? And so some of the formal goals of the project were to improve accessibility for marginal groups and to make the voting experience better for people who are not voting in their home location, such as students. And at the beginning of the trial, they also wanted to increase turnout, but
Internet voting in the experiment didn't really seem to have an effect on that. And finally, I think that from a purely technical or scientific point of view, this is kind of an interesting challenge. So we want to learn something about, if we try to do this, what are the actual roadblocks, both technologically and from a democratic point of view? And so I guess some of you might wonder, who is this tall guy and why am I here speaking about this? Well, I did my PhD in cryptography quite a few years ago. I'm currently working as an IT security consultant at a security company in Oslo, Norway. And this is my sixth time at CCC. Actually, I've been playing with computers since forever. I got my first Unix account when I was four, to play NetHack. And I guess I sort of stayed along those lines for quite some time.
My own role as regards Internet voting in Norway is that I've not been a part of the voting projects, but I did this crypto audit for them in 2013. And because the project has been so open, everything I'm saying here is based on public information, but some of it is subject to my own interpretation or understanding, based on the fact that I was outside the project itself. So, Norway. I guess not everybody knows a lot about Norway; it's up here. So it's a northern European country, quite small, five million people. It's a stable and rich democracy, which has a really tremendous amount of public trust. So people are trustful, maybe even to a fault, both of their neighbors and of the government. And I think, in this sense, Norway has a lot of preconditions for doing this kind of Internet voting experiment. It's a small country. It's a pretty small trial.
It's politically very stable, so if something really went wrong, it would be possible to recover in a stable manner. In fact, in 2011 there was a terror attack against the government only a few weeks before the election, and before the first Internet voting trial in fact, and we were still able to carry out the election under reasonably ordinary circumstances. And finally, Norway can afford to do it right. So I think these are really preconditions for a successful experiment. So if anybody is able to do Internet voting, it should be us, right? And so the overall concept for Internet voting in Norway: this is not electronic voting machines, it's online voting from your laptop, from your living room. And so as a voter, you are able to log on and vote online as many times as you want.
And the Internet voting is only done before Election Day, and on Election Day you can go to a polling place and you can vote physically as well. And the system is integrated in such a way that only the last vote counts, and this is meant as one of the main anti-vote-selling, anti-corruption techniques in the system. That is, even if somebody forces you to vote for whatever, then you can go and you can vote again, either online or at the polling place. The second idea here is that you use a fancy cryptographic protocol, with which you try to say something fundamental, to try to get some pretty strong guarantees that the core protocol you are using is actually sound, and that's what you want. And the system was designed, at least in principle, to give advanced security, which meant that you were supposed to have no trust
between each element in the processing chain of a vote, and you would use cryptographic proofs to link everything together. And similarly, there was quite a bit of separation of duties, such as the fact that encryption keys were split in half and given to two different people, so that they would both have to collude to use the key. The final part of the concept is that the voters get some out-of-band feedback about the result of their online votes, which the voter, but only the voter, can use to verify that the vote posted online was the vote he intended to cast. And so this sounds pretty reasonable, I guess, but then you get into the technical details. And so for a voting system, you want strong authentication, because you want to know who voted and you want to be able to make sure that people voting multiple times are handled correctly, so that you count the right votes in the end.
So the system needs to be secure. And then at the same time, you want to have anonymous ballots, so you should not be able to link the vote over here with the person who cast it online. And the third requirement is that you want to be able to verify afterwards the result of the election. And so those three requirements are actually kind of opposing each other, because it means that you need to have some sort of separation between different processing stages, in such a way that you can link this together again. And there's really a fourth security requirement, which is not clearly stated here, and that's about verifiability. And what does that really mean? Because in a traditional paper ballot vote, there are a lot of weaknesses and limitations, and there's quite a high cost of running a paper election. But the threat model is pretty well understood and it's got high legitimacy.
And you can more or less explain to a five year old that you are putting ballots in this box here and it's locked, and then people from different parties come and count it together. And so they make sure that there are checks and balances and there are a lot of people involved in making this happen. And realizing that kind of requirement in an electronic system using fancy crypto is kind of hard, and I think that's really one of the fundamental challenges about electronic voting and Internet voting: that we need to make it as transparent as we possibly can, and I'm not sure we know how to do that yet. And so there's a fourth security requirement on the list here, which is the ability to detect attacks, and one of the main goals of the Internet voting pilot in Norway was that
even if there is some kind of attack on the system, then at least if it's affecting a lot of votes, we would need to be able to detect it. And we might be able to live with the effects of some kind of small scale abuse, in the sense that below a certain threshold that might be unavoidable no matter how you implement an election, but we should be able to detect any kind of large scale fraud attempt and, if necessary, just rerun the election a few weeks later if there's found evidence of some kind of large scale abuse. And so I think already at this point we realize that for an Internet system, we are probably not going to be able to make it a hundred percent bulletproof. People are going to have malware, people are going to get hacked. But at least at some level, it should be possible to detect anything going on.
And so there are also quite a few counter arguments against Internet voting in particular, and I guess also electronic voting in general. Transparency and verifiability, as we just talked about, is difficult to solve. The main argument in the public debate in Norway has been around coercion and the fact that you are voting in an uncontrolled environment rather than in a public polling place in a closed booth. And there's also been a claim in the public debate that Internet voting debases the ceremonial aspect of going to vote. And I don't know how widely that applies, but at least for some people, going to the polls is a democratic ceremony that they value quite highly, and basically being able to vote from your cell phone is undermining that, and that's, I think, also a fair argument.
In the initial risk analysis that was being done, threats like hacking were considered in general, but I think specific threat agents were considered to a lesser degree. Awareness of the nation state kind of threats has probably increased over the last few years. And Norway as a country has had quite poor diplomatic relations with China; we have a border with Russia, and you might think that somebody would want to try to influence the outcome of a vote. And that's clearly a threat to an online system. So I mentioned the cryptographic protocol. I'm not going to go very deeply into that, because then we could spend an hour just talking about the crypto, and that's a lot of fun for a geek like me, but it might be a bit narrow. From the cryptographic literature, this is a reasonably standard voting protocol.
It uses ElGamal encryption, and it uses, actually, the homomorphic property of the ElGamal cryptosystem to make computations on encrypted ballots. So basically, they encrypt the voter's vote intent with ElGamal, and then they do further computations on the encrypted ciphertexts, to do some transforms to mask what's going on. And then between each step in the processing chain, the system uses Schnorr signatures or Schnorr-based proofs to ensure that everything is correct. And then there's a mix network at the end, which is used to basically separate the voter from the ballots. They also use Shamir secret sharing to split the encryption keys, again to make sure that multiple operators have to collude, so that you don't have a single operator who sits on the key.
And the protocol is pretty well described and has been analyzed by Kristian Gjøsteen in some public papers. There's nothing really bad there; I think it's a good protocol. And so we come to the election trial in 2013, and the Internet voting trial happened in 12 municipalities out of four hundred twenty eight, and they're marked in green on the map here. I don't know if you can see it. Which meant that there were about 250,000 voters who cast about 70,000 ballots over the net. And the web page, well, the starting page, looked like this. It's in Norwegian. There's a column on the left which explains a bit about the Internet voting, and then there's information about how to vote and how to log in. There's a link to a video, and there's some information about
the votes being secret, and you should make sure that you are in a private place when you are casting a vote online. And so the authentication for this system is based on the existing public infrastructure using two factor authentication, that is, some sort of hardware token. Then there are actually two feedback mechanisms for the voter. After casting a vote online, you get an SMS code, which is, I think, a four digit number or a six digit number, which you can verify against a list of codes which is written on your voting card, which is a card that you get in the mail. And so this link here is actually one of the fundamental security assumptions: that this document with the code cannot be linked to the access code, cannot be linked to the person.
In the web interface itself, it also gives you a SHA-256 hash of your encrypted vote. And the idea was that a signed list of SHA-256 hashes would be published to GitHub during counting, which meant that during counting you could actually go online and verify that your hash was in the list, if you wanted to. And so this is all a web app running on Linux, I think it was S.O.S. It's a Java application on the back end, in 2013. The front end was all HTML and JavaScript, so there was quite a bit of JavaScript crypto going on there. The project had a few additional safeguards. So I already talked about the feedback mechanism to the voter, which was the return codes and the ballot hashes. They also had election monitors to shadow the system operator, and to basically follow them around and see what they were doing.
508 00:20:03,710 --> 00:20:06,229 I guess a drawback 509 00:20:06,230 --> 00:20:08,629 of that approach is that, uh, 510 00:20:08,630 --> 00:20:10,729 the election monitors don't necessarily 511 00:20:10,730 --> 00:20:13,039 know what the operator 512 00:20:13,040 --> 00:20:14,689 is typing into the system on the on the 513 00:20:14,690 --> 00:20:16,959 command line. Uh. 514 00:20:16,960 --> 00:20:18,069 Because the interface is kind of 515 00:20:18,070 --> 00:20:20,349 complicated, um, 516 00:20:21,490 --> 00:20:23,679 the source code is all the source 517 00:20:23,680 --> 00:20:25,269 code for the election system is public. 518 00:20:25,270 --> 00:20:27,819 It's under a proprietary license 519 00:20:27,820 --> 00:20:29,319 owned by the government, but at least 520 00:20:29,320 --> 00:20:30,819 it's that they publish it online. 521 00:20:32,400 --> 00:20:35,529 And they had quite a few Third-Party, uh, 522 00:20:35,530 --> 00:20:37,619 contractors to audit the solution. 523 00:20:37,620 --> 00:20:39,729 Uh, there was a Web security test of the 524 00:20:39,730 --> 00:20:40,730 front end. 525 00:20:41,360 --> 00:20:43,719 Uh, there was 526 00:20:43,720 --> 00:20:45,309 the external review of the crypto, which 527 00:20:45,310 --> 00:20:46,930 was, uh, my job. 528 00:20:48,400 --> 00:20:50,289 And there was actually an independent 529 00:20:50,290 --> 00:20:51,609 third party implementation of the vote 530 00:20:51,610 --> 00:20:53,769 counting module, which meant that on 531 00:20:53,770 --> 00:20:55,269 Election Day, there were 532 00:20:56,290 --> 00:20:58,659 they had two independent implementations 533 00:20:58,660 --> 00:21:00,109 of the counting system which were running 534 00:21:00,110 --> 00:21:02,289 in parallel on the same data. 
535 00:21:02,290 --> 00:21:04,089 And so the idea was that 536 00:21:06,280 --> 00:21:07,989 if somebody tried to tamper with one of 537 00:21:07,990 --> 00:21:09,819 the counting systems, they hopefully 538 00:21:09,820 --> 00:21:11,949 shouldn't be able to 539 00:21:11,950 --> 00:21:13,509 to sabotage the other the other one as 540 00:21:13,510 --> 00:21:14,510 well. 541 00:21:15,560 --> 00:21:17,689 And then the entire electoral system was 542 00:21:17,690 --> 00:21:20,599 also monitored using using Splunk, 543 00:21:20,600 --> 00:21:22,009 which meant that the local logs were 544 00:21:22,010 --> 00:21:23,809 being collected continuously to to a 545 00:21:23,810 --> 00:21:25,219 different system in a different security 546 00:21:25,220 --> 00:21:26,220 zone. 547 00:21:26,570 --> 00:21:28,429 So so they had been thinking quite a bit 548 00:21:28,430 --> 00:21:29,779 about this. 549 00:21:29,780 --> 00:21:32,119 And then five 550 00:21:32,120 --> 00:21:33,349 days before the election, there was a 551 00:21:33,350 --> 00:21:34,350 critical bug. 552 00:21:38,580 --> 00:21:41,039 And so so the text here says 553 00:21:41,040 --> 00:21:43,079 this is from, uh, this is from a 554 00:21:43,080 --> 00:21:44,729 Norwegian newspaper and says there's a 555 00:21:44,730 --> 00:21:46,399 there's an error in the encryption of the 556 00:21:46,400 --> 00:21:47,400 votes.
557 00:21:48,780 --> 00:21:51,089 And what actually happened was that 558 00:21:51,090 --> 00:21:53,249 the encryption, the encrypted 559 00:21:53,250 --> 00:21:55,859 ballots that the voter was sending, uh, 560 00:21:55,860 --> 00:21:57,119 actually leaked information about the 561 00:21:57,120 --> 00:21:59,249 plain text because of a bug 562 00:22:00,780 --> 00:22:02,909 and, uh, due to 563 00:22:02,910 --> 00:22:05,009 the layered security, uh, 564 00:22:05,010 --> 00:22:06,999 I mean, you were voting via SSL and that 565 00:22:07,000 --> 00:22:09,149 or and and then 566 00:22:09,150 --> 00:22:10,289 the votes were stored 567 00:22:11,910 --> 00:22:13,439 on on the secure system. 568 00:22:13,440 --> 00:22:15,659 Hopefully, uh, it meant that, 569 00:22:15,660 --> 00:22:17,789 uh, this information should 570 00:22:17,790 --> 00:22:21,329 not be leaking anyway, but, uh, 571 00:22:21,330 --> 00:22:23,669 at least one of the security layers was 572 00:22:23,670 --> 00:22:25,559 quite badly broken. 573 00:22:25,560 --> 00:22:27,719 And it seems like a combination of 574 00:22:27,720 --> 00:22:29,849 luck and preparation made sure 575 00:22:29,850 --> 00:22:32,159 that no votes 576 00:22:32,160 --> 00:22:33,629 were actually revealed. But it was a very 577 00:22:33,630 --> 00:22:34,709 close call. 578 00:22:34,710 --> 00:22:36,329 And we will get back to the cause of 579 00:22:36,330 --> 00:22:37,759 this bug a bit later. 580 00:22:41,700 --> 00:22:43,679 And then what happened in 2014?
581 00:22:43,680 --> 00:22:46,139 Well, the project was ended 582 00:22:46,140 --> 00:22:48,359 and the government decided that the 583 00:22:48,360 --> 00:22:49,360 government had 584 00:22:50,430 --> 00:22:53,159 an evaluation by, um, 585 00:22:53,160 --> 00:22:54,929 by political scientists focusing on the 586 00:22:54,930 --> 00:22:56,399 project goals, which were to increase 587 00:22:56,400 --> 00:22:58,769 availability and to 588 00:22:58,770 --> 00:23:00,479 and to provide solutions tailored to 589 00:23:00,480 --> 00:23:02,129 young voters. 590 00:23:02,130 --> 00:23:03,130 And 591 00:23:04,350 --> 00:23:06,479 they found that voting was 592 00:23:06,480 --> 00:23:07,859 popular among the voters 593 00:23:09,510 --> 00:23:10,399 and the people. 594 00:23:10,400 --> 00:23:12,809 But turnout did not really change. 595 00:23:12,810 --> 00:23:15,569 And the online and the online voters were 596 00:23:15,570 --> 00:23:17,159 quite similar to the voting population at 597 00:23:17,160 --> 00:23:18,160 large. 598 00:23:21,010 --> 00:23:23,169 And so the project was ended 599 00:23:23,170 --> 00:23:25,299 and the BBC posted 600 00:23:25,300 --> 00:23:27,319 a story about this a few days later and 601 00:23:27,320 --> 00:23:28,320 looked like this. 602 00:23:30,890 --> 00:23:33,289 Uh, and so the press release 603 00:23:33,290 --> 00:23:35,419 mainly highlighted the lack of 604 00:23:35,420 --> 00:23:37,639 political will, but it 605 00:23:37,640 --> 00:23:39,949 also said that most voters didn't 606 00:23:39,950 --> 00:23:41,419 have much knowledge about the security 607 00:23:41,420 --> 00:23:43,609 mechanisms in 608 00:23:43,610 --> 00:23:44,959 the system. 609 00:23:44,960 --> 00:23:47,029 And so the BBC framed it like this and 610 00:23:47,030 --> 00:23:48,030 the government 611 00:23:50,060 --> 00:23:51,299 didn't quite like that angle. 612 00:23:51,300 --> 00:23:52,960 It said that BBC misreported. 
613 00:23:54,950 --> 00:23:57,139 And so it's quite interesting what 614 00:23:57,140 --> 00:23:58,940 the Norwegian government says here. 615 00:23:59,990 --> 00:24:02,119 It says that Norway 616 00:24:02,120 --> 00:24:03,649 has a strong tradition of seeking 617 00:24:03,650 --> 00:24:05,569 consensus in all matters regarding 618 00:24:05,570 --> 00:24:07,639 electoral policy due to the 619 00:24:07,640 --> 00:24:09,409 lack of broad political will to introduce 620 00:24:09,410 --> 00:24:11,329 Internet voting, blah, blah, blah, blah, 621 00:24:11,330 --> 00:24:13,249 blah. The government decided not to 622 00:24:13,250 --> 00:24:14,959 continue expanding public resources on 623 00:24:14,960 --> 00:24:15,960 the pilots. 624 00:24:17,440 --> 00:24:19,839 And I think that's actually a completely 625 00:24:19,840 --> 00:24:20,840 honest statement 626 00:24:21,970 --> 00:24:24,430 that in the sense that. 627 00:24:25,660 --> 00:24:26,799 Internet voting was. 628 00:24:28,080 --> 00:24:29,939 Kind of controversial among the different 629 00:24:29,940 --> 00:24:32,099 parties, but there's 630 00:24:32,100 --> 00:24:34,589 also a very important subtext here, 631 00:24:34,590 --> 00:24:37,199 which is that after the 2013 632 00:24:37,200 --> 00:24:38,819 elections, there was a change of 633 00:24:38,820 --> 00:24:39,820 government. 634 00:24:41,220 --> 00:24:43,289 And so in 635 00:24:43,290 --> 00:24:45,359 2014, when the evaluations were 636 00:24:45,360 --> 00:24:47,549 complete, the main 637 00:24:47,550 --> 00:24:49,019 champions of this project were out of 638 00:24:49,020 --> 00:24:50,020 power. 639 00:24:50,670 --> 00:24:52,949 And so a lack of broad political will, 640 00:24:52,950 --> 00:24:54,299 that's completely true.
But I think it's 641 00:24:54,300 --> 00:24:56,519 also important to note 642 00:24:56,520 --> 00:24:58,319 that it's also very politically 643 00:24:58,320 --> 00:25:00,119 expedient, like why do I want to spend 644 00:25:00,120 --> 00:25:01,829 money on my predecessors, like expensive 645 00:25:01,830 --> 00:25:02,830 pet projects? 646 00:25:05,180 --> 00:25:06,469 And that has nothing to do with 647 00:25:06,470 --> 00:25:08,599 technology and it has not it 648 00:25:08,600 --> 00:25:11,929 has nothing to do with the sort of the 649 00:25:11,930 --> 00:25:14,239 de facto trial, but it's it's 650 00:25:14,240 --> 00:25:14,899 convenient. 651 00:25:14,900 --> 00:25:17,299 I mean, you 652 00:25:17,300 --> 00:25:19,279 can just throw it and you can just throw 653 00:25:19,280 --> 00:25:20,479 it under the bus because 654 00:25:22,670 --> 00:25:23,879 you have a nice excuse. 655 00:25:23,880 --> 00:25:25,040 You can use the money for something else. 656 00:25:27,800 --> 00:25:29,149 And so the next thing I'm going to look 657 00:25:29,150 --> 00:25:31,009 at is how did we actually get to this 658 00:25:31,010 --> 00:25:32,509 trial in 2013? 659 00:25:32,510 --> 00:25:34,769 And so this timeline here is not 660 00:25:34,770 --> 00:25:36,799 100 percent exact, but it's I think it's 661 00:25:36,800 --> 00:25:38,389 close enough to to paint a picture of 662 00:25:38,390 --> 00:25:39,390 what's going on. 663 00:25:40,650 --> 00:25:42,690 So actually, in 2004, 664 00:25:45,000 --> 00:25:46,469 the government, the government at the 665 00:25:46,470 --> 00:25:48,809 time started doing a feasibility 666 00:25:48,810 --> 00:25:50,999 study about electronic voting and online 667 00:25:51,000 --> 00:25:53,339 voting, but there wasn't 668 00:25:53,340 --> 00:25:55,919 really any, uh, huge 669 00:25:55,920 --> 00:25:58,409 enthusiasm, as far as I know, about 670 00:25:58,410 --> 00:26:00,440 doing anything more about it at the time. 
671 00:26:01,650 --> 00:26:03,809 Then in 2005, 672 00:26:03,810 --> 00:26:05,129 there was a parliamentary election and 673 00:26:05,130 --> 00:26:07,349 there was a new government where. 674 00:26:09,640 --> 00:26:11,139 Some of the parties in that was a 675 00:26:11,140 --> 00:26:12,849 coalition government of three parties and 676 00:26:12,850 --> 00:26:14,619 at least some of the parties were quite 677 00:26:14,620 --> 00:26:15,620 keen on Internet voting. 678 00:26:17,010 --> 00:26:19,109 And then the ball started 679 00:26:19,110 --> 00:26:20,299 rolling, they got some champions in 680 00:26:20,300 --> 00:26:21,779 government, and they got this feasibility 681 00:26:21,780 --> 00:26:23,999 study back a year later and so 682 00:26:24,000 --> 00:26:25,440 there was a project organization 683 00:26:26,460 --> 00:26:28,500 and everything went, it went from there. 684 00:26:30,600 --> 00:26:31,780 So so 685 00:26:32,880 --> 00:26:35,289 I've I've I've been digging a bit 686 00:26:35,290 --> 00:26:37,409 in the electoral manifestos 687 00:26:37,410 --> 00:26:39,899 from from 2005. 688 00:26:39,900 --> 00:26:42,899 And at least one of the parties said, 689 00:26:42,900 --> 00:26:45,089 quote, It must be easier 690 00:26:45,090 --> 00:26:46,199 to vote. 691 00:26:46,200 --> 00:26:48,209 Students and pupils must be able to vote 692 00:26:48,210 --> 00:26:51,419 on the place of their studying, and 693 00:26:51,420 --> 00:26:53,279 it must be open for electronic voting 694 00:26:53,280 --> 00:26:54,949 over the Internet, end quote. 695 00:26:58,730 --> 00:27:00,799 And so that was that was in their party 696 00:27:00,800 --> 00:27:02,599 manifesto in 2005. 697 00:27:02,600 --> 00:27:04,669 And apparently 698 00:27:04,670 --> 00:27:06,439 they managed to get to get that ball 699 00:27:06,440 --> 00:27:07,789 rolling because there were some people 700 00:27:07,790 --> 00:27:09,589 who were keen on doing that.
701 00:27:11,420 --> 00:27:13,010 So in 2006, they got 702 00:27:14,030 --> 00:27:15,589 the result of the feasibility study 703 00:27:17,180 --> 00:27:18,589 showing basically the state of the art in 704 00:27:18,590 --> 00:27:19,669 2006. 705 00:27:19,670 --> 00:27:22,729 That was a 200 page report in the region. 706 00:27:22,730 --> 00:27:24,589 It contained quite a lot of information 707 00:27:24,590 --> 00:27:26,359 about experiences from other countries, 708 00:27:26,360 --> 00:27:27,360 including Estonia. 709 00:27:28,850 --> 00:27:30,799 It also included a high level threat 710 00:27:30,800 --> 00:27:33,259 assessment, which apparently 711 00:27:33,260 --> 00:27:35,209 didn't consider state actors. 712 00:27:35,210 --> 00:27:37,369 But it's it considered hacking 713 00:27:37,370 --> 00:27:38,509 in general. But 714 00:27:39,680 --> 00:27:41,809 again, this was 2004, 2005, 715 00:27:41,810 --> 00:27:42,810 2006. 716 00:27:43,820 --> 00:27:45,529 The study, the study was circulated for 717 00:27:45,530 --> 00:27:46,159 comments. 718 00:27:46,160 --> 00:27:47,160 In 2008, 719 00:27:48,890 --> 00:27:49,909 the ball started rolling. 720 00:27:49,910 --> 00:27:52,249 So they got some funding. 721 00:27:52,250 --> 00:27:53,599 They got the project organization. 722 00:27:55,040 --> 00:27:56,689 They started specifying the use cases in 723 00:27:56,690 --> 00:27:58,729 the processes and the documentation that 724 00:27:58,730 --> 00:27:59,839 they wanted to implement. 725 00:28:03,300 --> 00:28:05,459 In 2009, they got a vendor after 726 00:28:05,460 --> 00:28:06,839 a public tender, actually, they got two 727 00:28:06,840 --> 00:28:08,519 vendors in 2009 for 728 00:28:10,110 --> 00:28:11,819 various systems. 729 00:28:11,820 --> 00:28:13,919 The goal at this point was 730 00:28:13,920 --> 00:28:16,139 to make 731 00:28:16,140 --> 00:28:18,209 a pilot aiming for full 732 00:28:18,210 --> 00:28:19,850 Internet voting by 2017.
733 00:28:21,710 --> 00:28:23,779 And so the initial the initial version 734 00:28:23,780 --> 00:28:26,209 of this implementation was finished in 735 00:28:26,210 --> 00:28:27,230 the summer of 2011. 736 00:28:30,120 --> 00:28:32,099 So this is kind of funny because it's 737 00:28:32,100 --> 00:28:33,539 been a few years, and then suddenly in 738 00:28:33,540 --> 00:28:35,430 2010, people realized that, 739 00:28:36,780 --> 00:28:38,579 hey, we are going to have Internet voting 740 00:28:38,580 --> 00:28:40,259 next year. This is this is kind of 741 00:28:40,260 --> 00:28:41,639 interesting. 742 00:28:41,640 --> 00:28:42,929 So 743 00:28:44,370 --> 00:28:46,619 so so there finally was a bit of public 744 00:28:46,620 --> 00:28:49,019 debate, but at this point, 745 00:28:49,020 --> 00:28:50,020 I think. 746 00:28:51,420 --> 00:28:53,789 Uh, the forces in motion were such that 747 00:28:53,790 --> 00:28:55,169 in any case, there was going to be an 748 00:28:55,170 --> 00:28:56,970 experiment in 2011 because 749 00:28:58,080 --> 00:28:59,790 it was it was already decided. 750 00:29:01,410 --> 00:29:03,059 So there are quite a few skeptical 751 00:29:03,060 --> 00:29:04,439 voices, and it's kind of interesting 752 00:29:04,440 --> 00:29:06,629 because they didn't really split along 753 00:29:06,630 --> 00:29:07,630 political lines. 754 00:29:09,790 --> 00:29:11,629 One of the one of the most well-known 755 00:29:11,630 --> 00:29:13,579 political scientists in Norway, who 756 00:29:13,580 --> 00:29:14,869 Professor Frank Aarebrot, 757 00:29:16,040 --> 00:29:18,319 who is a known supporter of the 758 00:29:18,320 --> 00:29:21,019 the government who was doing this, uh, 759 00:29:21,020 --> 00:29:23,209 stated quite flatly that Internet 760 00:29:23,210 --> 00:29:24,499 voting violates human rights.
761 00:29:26,030 --> 00:29:28,129 And then his argument, again, was 762 00:29:28,130 --> 00:29:30,289 about voting without control 763 00:29:30,290 --> 00:29:32,449 in an uncontrolled environment and under 764 00:29:32,450 --> 00:29:33,450 unclear circumstances. 765 00:29:36,370 --> 00:29:38,919 In any case, in 766 00:29:38,920 --> 00:29:40,780 2011, we had the local elections, 767 00:29:41,930 --> 00:29:43,989 uh, there were 768 00:29:43,990 --> 00:29:46,029 there were, of course, issues, as there 769 00:29:46,030 --> 00:29:48,430 always is in this kind of, uh, 770 00:29:50,050 --> 00:29:51,729 in this kind of trial with a with a 771 00:29:51,730 --> 00:29:52,959 complicated technical system. 772 00:29:52,960 --> 00:29:54,519 There were a few bugs. 773 00:29:54,520 --> 00:29:56,709 Uh, some of the main 774 00:29:56,710 --> 00:29:58,809 problems were actually connected to 775 00:29:58,810 --> 00:30:00,909 these return codes that were supposed to 776 00:30:00,910 --> 00:30:02,829 be printed on it, printed and sent by 777 00:30:02,830 --> 00:30:03,830 mail. 778 00:30:04,240 --> 00:30:06,489 Uh, because there was, uh, 779 00:30:06,490 --> 00:30:07,490 there are some misprints. 780 00:30:08,620 --> 00:30:10,899 And there was also the fact that 781 00:30:10,900 --> 00:30:13,059 this terrorist attack happened six weeks 782 00:30:13,060 --> 00:30:15,369 before the elections and actually 783 00:30:15,370 --> 00:30:17,859 meant that the servers 784 00:30:17,860 --> 00:30:20,199 that were running the trial election 785 00:30:20,200 --> 00:30:21,879 were actually closed off as part of the 786 00:30:21,880 --> 00:30:22,880 crime scene, 787 00:30:23,950 --> 00:30:26,319 which was 788 00:30:26,320 --> 00:30:27,699 kind of inconvenient because they need to 789 00:30:27,700 --> 00:30:28,700 get to the servers.
790 00:30:30,250 --> 00:30:32,359 But in the end, there 791 00:30:32,360 --> 00:30:33,669 were twenty seven thousand five hundred 792 00:30:33,670 --> 00:30:35,889 people who voted over the net 793 00:30:35,890 --> 00:30:38,109 and it seemed 794 00:30:38,110 --> 00:30:39,209 to be an overall success. 795 00:30:41,080 --> 00:30:42,639 The studies show that the voters were 796 00:30:42,640 --> 00:30:44,199 statistically quite similar to the voting 797 00:30:44,200 --> 00:30:45,849 public, except that they. 798 00:30:47,620 --> 00:30:49,149 When you are voting in Norway, you have 799 00:30:49,150 --> 00:30:51,279 some options to modify 800 00:30:51,280 --> 00:30:53,439 the ballots to 801 00:30:53,440 --> 00:30:55,089 in various ways and the people who are 802 00:30:55,090 --> 00:30:56,859 voting online were actually a bit more 803 00:30:56,860 --> 00:30:58,749 active in making those modifications 804 00:30:59,770 --> 00:31:02,079 because it might be that it's easier 805 00:31:02,080 --> 00:31:04,209 to do it in an online 806 00:31:04,210 --> 00:31:05,769 environment than with pen and paper. 807 00:31:07,240 --> 00:31:09,369 And there were nine invalid 808 00:31:09,370 --> 00:31:11,439 votes, and I'm actually not sure 809 00:31:11,440 --> 00:31:13,509 how that happened, but at any rate, 810 00:31:13,510 --> 00:31:15,729 it's quite a low 811 00:31:15,730 --> 00:31:16,179 number. 812 00:31:16,180 --> 00:31:17,180 Usually, 813 00:31:18,430 --> 00:31:20,589 I think I think they say 814 00:31:20,590 --> 00:31:21,790 that's between 815 00:31:23,020 --> 00:31:24,999 between half a percent or two percent of 816 00:31:25,000 --> 00:31:26,000 votes or something, 817 00:31:27,260 --> 00:31:29,579 uh, maybe maybe spoiled. 818 00:31:30,670 --> 00:31:32,769 So it's so actually, it 819 00:31:32,770 --> 00:31:34,899 would be even with paper voting that 820 00:31:34,900 --> 00:31:35,900 that number is quite high.
821 00:31:38,770 --> 00:31:41,139 So after evaluating 822 00:31:41,140 --> 00:31:42,819 2011, they decided to continue the 823 00:31:42,820 --> 00:31:45,220 project, this time with a single vendor. 824 00:31:47,590 --> 00:31:49,329 They did. They made some technical 825 00:31:49,330 --> 00:31:51,609 improvements for randomization. 826 00:31:51,610 --> 00:31:54,099 Among other things, they also 827 00:31:54,100 --> 00:31:56,259 replaced the clients, which 828 00:31:56,260 --> 00:31:58,659 in 2011 were Java applets. 829 00:31:58,660 --> 00:32:00,669 And then they found out that Java applets 830 00:32:00,670 --> 00:32:02,019 are not really very cool anymore. 831 00:32:03,940 --> 00:32:06,369 So in in 2013, 832 00:32:06,370 --> 00:32:07,899 they decided to replace it with a brand 833 00:32:07,900 --> 00:32:09,669 new JavaScript implementation because 834 00:32:09,670 --> 00:32:11,050 JavaScript is really cool. 835 00:32:14,550 --> 00:32:17,309 And so in in 2013, 836 00:32:17,310 --> 00:32:18,359 we're back to where we started. 837 00:32:18,360 --> 00:32:20,459 There was a new election, this time 838 00:32:20,460 --> 00:32:22,549 in in 12 municipalities, 839 00:32:24,090 --> 00:32:27,539 more than 70000 votes cast online, 840 00:32:27,540 --> 00:32:28,889 and there was a change of government 841 00:32:28,890 --> 00:32:30,329 after after eight years. 842 00:32:32,040 --> 00:32:34,389 And so summing up this bit, 843 00:32:34,390 --> 00:32:36,449 I think there were some 844 00:32:36,450 --> 00:32:38,579 things that weren't quite right in 845 00:32:38,580 --> 00:32:40,739 this trial, uh, the 846 00:32:40,740 --> 00:32:42,629 system seems to have worked very well, 847 00:32:42,630 --> 00:32:45,559 technically, in the sense that it's 848 00:32:45,560 --> 00:32:48,119 it was, uh, it didn't have any 849 00:32:48,120 --> 00:32:50,069 significant trouble with the performance 850 00:32:50,070 --> 00:32:51,159 or down time.
851 00:32:51,160 --> 00:32:53,489 Uh, there were a few 852 00:32:53,490 --> 00:32:56,429 spoiled invalid or invalid ballots. 853 00:32:56,430 --> 00:32:58,619 Uh, 854 00:32:58,620 --> 00:33:00,689 there was there was quite a lot of 855 00:33:00,690 --> 00:33:02,639 audit log verification which did not show 856 00:33:02,640 --> 00:33:03,640 anything going wrong. 857 00:33:04,590 --> 00:33:06,719 And the system proved to be quite popular 858 00:33:06,720 --> 00:33:09,029 in in the areas that actually 859 00:33:09,030 --> 00:33:10,030 used that. 860 00:33:11,420 --> 00:33:13,039 So so there were several 861 00:33:14,090 --> 00:33:15,469 problems along the way, but 862 00:33:16,820 --> 00:33:19,699 at least nobody discovered any 863 00:33:19,700 --> 00:33:21,769 anything that they really, really hadn't 864 00:33:21,770 --> 00:33:22,759 thought about. 865 00:33:22,760 --> 00:33:23,760 And. 866 00:33:26,940 --> 00:33:28,319 On the other hand, there are also quite a 867 00:33:28,320 --> 00:33:30,540 few difficult areas, uh, 868 00:33:31,830 --> 00:33:34,199 there is, uh, 869 00:33:34,200 --> 00:33:36,719 there is a trade off between security and 870 00:33:36,720 --> 00:33:38,669 sort of verify verifiability and 871 00:33:38,670 --> 00:33:40,949 testability, like 872 00:33:40,950 --> 00:33:43,439 the fact that it was quite hard to, 873 00:33:43,440 --> 00:33:45,689 uh, was quite 874 00:33:45,690 --> 00:33:47,459 hard to provide runtime monitoring for 875 00:33:47,460 --> 00:33:49,739 some of the systems because, uh, 876 00:33:49,740 --> 00:33:51,210 because of security concerns, 877 00:33:52,380 --> 00:33:54,509 uh, the voting cards and return 878 00:33:54,510 --> 00:33:54,809 codes. 879 00:33:54,810 --> 00:33:56,609 So the physical artifacts caused a few 880 00:33:56,610 --> 00:33:57,610 problems. 881 00:33:59,200 --> 00:34:01,319 Uh, key management, separation of duties is 882 00:34:01,320 --> 00:34:02,320 always hard.
883 00:34:04,500 --> 00:34:06,169 Uh, one of the really important aspects 884 00:34:06,170 --> 00:34:07,829 there is the voter understanding of 885 00:34:07,830 --> 00:34:09,658 security mechanisms and the ability to 886 00:34:09,659 --> 00:34:12,988 verify what's going on. 887 00:34:12,989 --> 00:34:15,329 And one one thing which was noted 888 00:34:15,330 --> 00:34:17,070 was that quite a few people. 889 00:34:18,530 --> 00:34:20,718 Uh, very, very 890 00:34:20,719 --> 00:34:22,698 diligent about checking the return codes 891 00:34:22,699 --> 00:34:24,888 and even fewer people would actually 892 00:34:24,889 --> 00:34:26,988 go to the step of trying to verify the 893 00:34:26,989 --> 00:34:28,429 SHA-256 hashes, 894 00:34:29,449 --> 00:34:31,519 and that's yeah, 895 00:34:31,520 --> 00:34:32,948 that's kind of understandable. 896 00:34:32,949 --> 00:34:35,059 Uh, on the other hand, it's, 897 00:34:35,060 --> 00:34:37,309 um, it 898 00:34:37,310 --> 00:34:39,619 means that having 899 00:34:39,620 --> 00:34:41,749 those mechanisms available doesn't 900 00:34:41,750 --> 00:34:43,218 necessarily mean that people will use 901 00:34:43,219 --> 00:34:44,238 them. 902 00:34:44,239 --> 00:34:45,829 And there was, uh, there was a phishing 903 00:34:45,830 --> 00:34:47,750 demonstration in 2011 where 904 00:34:50,060 --> 00:34:52,279 as an experiment, as an experiment 905 00:34:52,280 --> 00:34:54,738 under under controlled circumstances, 906 00:34:54,739 --> 00:34:57,199 a professor at a local college 907 00:34:57,200 --> 00:34:59,509 set up this, uh, phishing page, 908 00:34:59,510 --> 00:35:01,999 which looked like the real page and 909 00:35:02,000 --> 00:35:04,519 tried to get information 910 00:35:04,520 --> 00:35:06,019 about the return codes from the voting 911 00:35:06,020 --> 00:35:07,549 cards from the voters.
912 00:35:08,690 --> 00:35:10,279 And that's the key piece of information 913 00:35:10,280 --> 00:35:13,129 which links the voter to the, 914 00:35:13,130 --> 00:35:15,889 uh, verification. 915 00:35:15,890 --> 00:35:19,129 And that was that was no problem because 916 00:35:19,130 --> 00:35:19,939 phishing works. 917 00:35:19,940 --> 00:35:20,940 Right. 918 00:35:21,530 --> 00:35:22,549 So 919 00:35:24,110 --> 00:35:26,119 you have these kind of you have these 920 00:35:26,120 --> 00:35:26,999 kind of problems. 921 00:35:27,000 --> 00:35:30,619 Uh, you also have the entire complex 922 00:35:30,620 --> 00:35:32,749 regarding secure software development 923 00:35:32,750 --> 00:35:34,909 and also, of course, running an online 924 00:35:34,910 --> 00:35:37,069 system and keeping it secure, 925 00:35:37,070 --> 00:35:38,070 which we know is hard. 926 00:35:41,870 --> 00:35:44,119 And so because of this 927 00:35:44,120 --> 00:35:45,889 before the 2013 election, 928 00:35:46,920 --> 00:35:49,519 it was decided to run a 929 00:35:49,520 --> 00:35:50,520 technical review. 930 00:35:51,560 --> 00:35:53,089 So I think a problem here was that even 931 00:35:53,090 --> 00:35:55,489 though the source code was public, 932 00:35:55,490 --> 00:35:57,589 uh, it didn't really 933 00:35:57,590 --> 00:36:00,379 get a lot of public scrutiny and 934 00:36:00,380 --> 00:36:01,969 the project didn't really succeed in 935 00:36:01,970 --> 00:36:03,529 making the tech community engaged with 936 00:36:03,530 --> 00:36:04,530 this.
937 00:36:05,090 --> 00:36:07,369 And after the fact, 938 00:36:07,370 --> 00:36:09,739 I was reminded a bit of this when 939 00:36:09,740 --> 00:36:10,740 the Heartbleed 940 00:36:12,050 --> 00:36:14,299 bug showed up earlier 941 00:36:14,300 --> 00:36:16,969 this year in the sense that, 942 00:36:16,970 --> 00:36:19,129 uh, kind of like OpenSSL, 943 00:36:19,130 --> 00:36:21,049 you have this huge bit of security 944 00:36:21,050 --> 00:36:23,149 critical code and it's open. 945 00:36:23,150 --> 00:36:25,669 But, uh, 946 00:36:25,670 --> 00:36:27,379 the barrier for somebody to actually look 947 00:36:27,380 --> 00:36:28,380 at it is kind of high. 948 00:36:30,080 --> 00:36:31,949 And there are a few exceptions, there was 949 00:36:31,950 --> 00:36:34,099 this phishing experiment that 950 00:36:34,100 --> 00:36:36,259 I talked about. There was also a 951 00:36:36,260 --> 00:36:38,779 report on code quality, which actually 952 00:36:38,780 --> 00:36:39,869 was quite simple. 953 00:36:39,870 --> 00:36:41,269 Well, there were a couple of researchers 954 00:36:41,270 --> 00:36:43,399 who just ran 955 00:36:43,400 --> 00:36:45,499 some automated tools and saw that 956 00:36:45,500 --> 00:36:47,030 they got a lot of logs and 957 00:36:48,500 --> 00:36:50,269 did some basic analysis, analysis of 958 00:36:50,270 --> 00:36:51,109 those findings. 959 00:36:51,110 --> 00:36:52,759 And it gave an indication that the 960 00:36:52,760 --> 00:36:54,169 quality of the source code might not be 961 00:36:54,170 --> 00:36:55,549 very good. 962 00:36:55,550 --> 00:36:57,649 But anyway, the project wanted to 963 00:36:57,650 --> 00:36:58,639 get more information. 964 00:36:58,640 --> 00:37:00,859 And so I 965 00:37:00,860 --> 00:37:03,019 got this assignment to to perform 966 00:37:03,020 --> 00:37:05,539 a third party review of 967 00:37:05,540 --> 00:37:07,399 the cryptographic primitives and key 968 00:37:07,400 --> 00:37:08,859 generation implementations.
969 00:37:10,100 --> 00:37:12,469 And there are some quite big constraints 970 00:37:12,470 --> 00:37:13,639 on this review. 971 00:37:14,820 --> 00:37:16,789 Uh, one of those constraints was there 972 00:37:16,790 --> 00:37:18,919 was a time frame because this was in the 973 00:37:18,920 --> 00:37:21,109 summer of 2013 and the election 974 00:37:21,110 --> 00:37:22,380 was in September. And 975 00:37:23,840 --> 00:37:25,759 if we were to find something and actually 976 00:37:25,760 --> 00:37:28,229 do something about it, uh, 977 00:37:28,230 --> 00:37:29,539 there would be quite a limited timeframe to 978 00:37:29,540 --> 00:37:30,540 do it. 979 00:37:31,160 --> 00:37:32,929 There was also a question of manpower 980 00:37:32,930 --> 00:37:34,039 because it was in the middle of summer 981 00:37:34,040 --> 00:37:34,939 vacation in Norway. 982 00:37:34,940 --> 00:37:37,309 And so I did this analysis 983 00:37:37,310 --> 00:37:38,729 by myself. 984 00:37:38,730 --> 00:37:40,339 In the limited time span, I would have 985 00:37:40,340 --> 00:37:42,619 loved to involve more people and done 986 00:37:42,620 --> 00:37:44,719 much more work on it. But basically 987 00:37:44,720 --> 00:37:45,969 the resources weren't available. 988 00:37:47,180 --> 00:37:48,569 And so I got this assignment. 989 00:37:48,570 --> 00:37:49,849 I said, OK, what does this thing look 990 00:37:49,850 --> 00:37:51,379 like? Well, there's a Subversion 991 00:37:51,380 --> 00:37:52,489 repository. 992 00:37:52,490 --> 00:37:54,349 So first thing you do, grab the code. 993 00:37:54,350 --> 00:37:56,299 Uh, second thing you do, try to build the 994 00:37:56,300 --> 00:37:58,100 code and discover that it doesn't build.
995 00:38:01,250 --> 00:38:03,589 And apparently 996 00:38:03,590 --> 00:38:05,629 there were there were also some time 997 00:38:05,630 --> 00:38:07,489 availability issues for the repository 998 00:38:07,490 --> 00:38:09,649 because this was clearly not a 999 00:38:09,650 --> 00:38:11,299 main priority to keep online. 1000 00:38:11,300 --> 00:38:12,409 It was online. 1001 00:38:12,410 --> 00:38:14,329 It was nice to have online, but also 1002 00:38:14,330 --> 00:38:16,519 because of the limited interest 1003 00:38:16,520 --> 00:38:18,229 that wasn't the main focus and 1004 00:38:18,230 --> 00:38:20,599 particularly not in the middle of summer. 1005 00:38:20,600 --> 00:38:22,789 And so, OK, next thing you do, you start 1006 00:38:22,790 --> 00:38:24,379 to look at the system documentation and 1007 00:38:24,380 --> 00:38:25,609 you see the deployment diagram. 1008 00:38:25,610 --> 00:38:26,610 It looks like this. 1009 00:38:28,280 --> 00:38:30,679 And so 1010 00:38:30,680 --> 00:38:32,989 it's kind of a problem that 1011 00:38:32,990 --> 00:38:34,489 for security systems, you want to keep 1012 00:38:34,490 --> 00:38:35,490 things simple 1013 00:38:38,090 --> 00:38:39,499 for Internet voting, you need to keep 1014 00:38:39,500 --> 00:38:40,939 things a little bit complicated because 1015 00:38:40,940 --> 00:38:42,829 you need to keep everything separate. 1016 00:38:42,830 --> 00:38:45,049 And so here you have a whole 1017 00:38:45,050 --> 00:38:47,629 bunch of systems doing different stuff. 1018 00:38:47,630 --> 00:38:49,909 Uh, several of the servers are air-gapped, 1019 00:38:49,910 --> 00:38:51,199 but this is just a huge amount of 1020 00:38:51,200 --> 00:38:52,200 complexity right here. 1021 00:38:53,630 --> 00:38:54,710 And so 1022 00:38:56,090 --> 00:38:57,919 you look a bit more closely at the code. 1023 00:38:57,920 --> 00:38:59,779 You see there's it's 200000 lines of 1024 00:38:59,780 --> 00:39:00,780 Java.
1025 00:39:02,260 --> 00:40:00,359
And that's source lines: no comments, no whitespace, no unit tests, and I think also the modules that are not actually used are excluded. So it's quite big. This is code which is part of the project, not third-party libraries. These are also approximate sizes, because when I was looking at the source code I found it sometimes quite hard to determine whether a specific Java class was part of the production system or not. That was actually quite hard to figure out. And I had a recurring problem trying to map the high-level description of the system to the source code, because that wasn't really well documented. And so, OK. Next thing you do, you run some automated tools. Somebody had done it before; I did it again.
1053 00:40:00,360 --> 00:41:05,430
And this is only from parts of the code base, and I don't think you can read it, but there are several hundred yellow findings from FindBugs, which says that, OK, this might not be critical, but it's pretty clear that the team is not using automated tools proactively. And so actually the hard part here is that you get so many warnings that it's hard to determine which ones are serious and which ones can be ignored. And so it looks kind of perfect. Just from this high-level analysis you get some kind of idea that the complexity of the security system is quite high. So, to summarize some of the findings from just going on a safari: there's some trouble with the separation between the security logic and sort of the business logic, the voting process implementation.
1083 00:41:06,670 --> 00:42:00,150
As I said earlier, I had trouble mapping the high-level design to the implementation. And also, because the project was using Spring and its dependency injection, it was quite hard to read the code and to see what was actually going on, because you had all these dependencies on the configuration and runtime setup. Basically, it's pretty heavy lifting just to get into the code. And my focus was not the code in general, but the crypto. Well, there's a huge amount of crypto here. And so there's a huge amount of low-level crypto, and it's quite clear that the developers who have made the system clearly know a lot about crypto. But the problem is that when you have this sort of copy-and-paste development and you have code all over the place, it's not consistent and...
1109 00:42:03,040 --> 00:43:09,849
It makes it very hard to audit and definitely very hard to verify anything, and you get this separation between the system which is either obviously secure or not obviously insecure. And so one of the examples was that... I'll get to that later. I think there was also some kind of enterprise software syndrome. I've been working on quite a lot of big enterprise software projects, and this looked suspiciously like one of those. And so it's difficult to establish and enforce sort of technical quality metrics in this kind of code base, and it's kind of unclear what the appropriate quality and assurance levels for critical code are. So, looking at some of the bugs: this was some code in a method called cipherSymmetrically, which was used to password-encrypt the security token for export to disk.
1137 00:43:09,850 --> 00:44:03,940
And so the really bad thing here is that there's actually a developer coding this thing. And there are some kind of strange things here, like they're using PBKDF2, which is, well, more or less what you have available in Java. So I guess that's reasonable, even though you might have liked something else. OK. Oh, they're using cipher feedback mode. That's kind of interesting, but it's not illegal. But they have PBKDF2 with an iteration count of two, which is kind of bad. You should use something like ten thousand. Which means that the passwords would be quite a lot easier to brute-force than they should be. There's also the fact that they're using a static IV, which meant that basically the encryption was not... you could see the encryption was really not secure, because you really shouldn't be encrypting with static IVs.
1167 00:44:07,500 --> 00:45:05,509
And so there's also an inconsistency here, in that they are suddenly using CFB mode and PKCS#7 padding, whereas elsewhere they're using CBC mode and PKCS#5 padding. So it's... Another bug I found was related to Shamir's secret sharing, which is really secure if implemented right. Actually, you can prove that it's mathematically secure if it's implemented with proper random numbers and you do everything correctly. But they didn't. So the security proof broke. And so this is a sign of a vulnerability that probably can be exploited. But it's... well, who knows? You would have to analyze it to tell. And then there were a lot of oddities, such as, in one place, MD5 being used to verify file integrity for some temporary files, and then they were saying that, well, integrity for these temporary files is not really important.
1196 00:45:05,510 --> 00:46:01,929
And I said, well, but you shouldn't be using MD5 anyway. There was a really strange custom implementation of data enveloping. So instead of using some sort of standard encryption envelope to encrypt data, there was some custom code for it. There was a secure audit logger, which, when I was analyzing the code, I said, aha, the secure audit logger is not secure against attacks. But then in this case, this was a problem which was not being solved by crypto. They were solving it by using Splunk to gather the logs on the fly, so that even if you could truncate the log on the server, you would capture it in Splunk, and vice versa. So they had actually thought about that. But on key generation there was some sensitive plaintext being written to disk, which was kind of silly.
1224 00:46:01,930 --> 00:46:59,379
And this was on an air-gapped server, so it would be hard to get at, but maybe you should try to do disk encryption. And there's this thing about SecureRandom not being explicitly initialized, so you need to trust that your Java implementation is set up correctly to use something sensible. And then finally, there was this critical encryption bug which I mentioned, which actually hit the real election. So this was actually in the JavaScript crypto client, which was not something I audited. But quite honestly, I wouldn't have found this one even if I had. But it's kind of like the Debian random number bug, in the sense that you got really poor random numbers. And so what it meant was that about thirty thousand ballots were encrypted with the same randomness instead of unique randomness, which was kind of bad.
1253 00:46:59,380 --> 00:48:05,949
And it was actually caught by the team who were implementing the redundant ballot counter, because they were using the system to generate some test data and then they were finding that this test data looked suspiciously similar to itself. So, wrapping up some thoughts: the stuff I did here was just a pure source code analysis, and the system is really too complicated to verify that way. So to do a more realistic test, you should really be interacting with the running code and trying to figure out which interfaces you can play with. And so I don't actually think anybody tested this, or the resilience of the backend systems to malware infection or that kind of intrusion. There was some talk over the project about the fact that if they wanted to run this on the national level, they wanted to have Common Criteria certification.
1284 00:48:05,950 --> 00:49:04,489
But for the pilot, they prepared some documentation, but it didn't go through the certification process. There was also trouble with the late code delivery and the lack of a really proper freeze and stabilization period, which was also criticized by the OSCE election observers. There's also the question about how to involve the tech community, and I think part of the problem is the common reaction, myself included, that no, I don't want to look at this. I don't want to engage with this kind of project. But it also means that there's quite a high barrier to entry, even for techies. If you wanted to try to get into this, it really takes a lot of time and a lot of work to understand what's going on. And that's hard to deal with. So there's a question if the project in some way could have improved incentives for people to participate.
1311 00:49:06,180 --> 00:50:06,629
And there's also, I think, a bit of a cultural and language barrier inhibiting foreign interest. So even though the source code documentation is in English, a lot of the discourse and context on the analysis is in Norwegian. Norway is a small country and people don't necessarily follow what's happening in Norway. So I guess it's also slipped under the radar of quite a few places. And so it seems like this is the end of Internet voting in Norway for now, and as a security expert, electronic voting scares me, and at the same time I have a little bit mixed feelings about this, because this was really, I believe, a good faith attempt at getting it right. And we have now lost the knowledge and expertise and the working organization who were working on this project. And actually, preparing this talk,
1340 00:50:06,630 --> 00:51:19,549
I was finding that a lot of the links and a lot of the documentation were getting harder to find because of link rot. And obviously technology marches on elsewhere. We have electronic voting rolls in Norway and there's an electronic system for scanning and counting votes. I don't think that's been very heavily analyzed by the security community yet. It probably should be. And Internet and computer voting is on the agenda elsewhere as well. And so that's it for me. I'd like to thank you all for coming.

OK, now we have about 10 minutes for questions and answers. If you have questions, please line up at the microphones. Do I have questions from the Internet? Yeah.

What do the voters receive after casting their vote? Does this change when casting a vote again in the same election? And if so, does that not open up an opportunity for vote selling?
1369 00:51:23,870 --> 00:52:26,739
So the question was whether the return codes which were sent by SMS would change during the election and whether that would open opportunities for vote selling. And I don't actually know. I haven't seen these voting cards, because they were only given out in the municipalities where they had the trial. My understanding was that there was a unique random code for each party on the ballot corresponding to that voter, which you would get by SMS. And then you could verify this SMS against the paper. And I haven't really spent a lot of time thinking about vote selling scenarios related to that. So I guess the main safeguard is that you could always go and vote on election day on paper as well.

OK, those who are going out, please be quiet so that the questions and answers can be understood.
1397 00:52:26,740 --> 00:53:32,759
So, a question from microphone two.

Did the online voters vote for different parties compared to offline voters? Because this might explain the cancellation of the project.

The question was whether online voters voted for different parties than the offline voters. And as far as I've been able to determine, the answer is no. Statistically it was very similar, both on the national level and locally in the different municipalities. So there didn't seem to be any differences that weren't explainable by the statistical factors.

OK, question from one.

Yeah, I'm just wondering: was there any attempt, or what was the procedure when the tenders were selected, in the process for selecting who should make the system, as to, you know, vetting who was programming and so on?
1428 00:53:32,760 --> 00:54:26,650
I mean, the persons involved, was there... And was that a factor in the selection process? Because, you know, you could say that, well, this is a pretty sensitive system for handling sensitive data, and, you know, the security services might want to look into who is actually programming, because a flaw in the random number generator would be easy to sneak in if you know what you're doing.

So the question was whether there was any vetting of the companies doing the software implementation, or the people doing the software implementation. I don't know. Actually, the main company implementing the solution was not Norwegian. But I'm not going to name names here. It's all public, you can find it online, but I'm not going to name names.
1456 00:54:27,360 --> 00:55:25,939
But whether the national security services did any kind of vetting, I don't know. I know that during the tender process there were five companies bidding for this contract. And I'm sure... I hope that they thought about that angle as well. But I don't know anything beyond that.

OK, question from number three.

All right. First of all, thanks for the talk. That has been really interesting. I have one question. You mentioned that there were nine invalid votes. When I get a paper ballot, I can willingly make an invalid vote. The nine votes, were they invalid because of, nobody knows, technical bugs, or invalid because someone voluntarily made, like, three crosses instead of one cross?

The question was about those invalid ballots in 2011. That's a very interesting question. I don't know.
1487 00:55:25,940 --> 00:56:32,189
I also didn't find any numbers for 2013 regarding whether any ballots were invalid. I'm really not sure what happened there.

OK, thank you. OK, one question from the Internet.

Were there any studies of users or voters on the understanding of the security mechanism? Also, are there any reports available in English?

So the question was if there were any user studies regarding the security mechanisms and also if there were reports available in English. I think the answer is yes to both of those. Most of the technical documentation about the system is available in English. And also regarding the political science and the user studies, I think it might not be available in English.
1517 00:56:32,190 --> 00:57:34,419
I know that there were several user studies and user testing, and also various studies of user behavior regarding the verification mechanisms, which is, I think, also the source of the fact that a few voters are verifying, but not very many. I think it's also a valid question to ask how many percent of the voters should do a manual verification to get some sort of statistical guarantee. I don't know.

OK, from number two.

Are there any countermeasures against an inside attack? Especially, can the voter verify that they have not been added any additional votes?

I think the voter would be able to verify as long as he or she would be able to receive SMS for that number.
1544 00:57:34,420 --> 00:57:35,670 Uh, 1545 00:57:38,000 --> 00:57:40,349 as for countermeasures against insider 1546 00:57:40,350 --> 00:57:42,989 attacks, we we had the election observers 1547 00:57:42,990 --> 00:57:45,119 and there were also the fact that they 1548 00:57:45,120 --> 00:57:47,439 used, uh, the secretariat to split 1549 00:57:47,440 --> 00:57:49,109 key so that you had to have two operators 1550 00:57:49,110 --> 00:57:50,639 at the same time. And there were, of 1551 00:57:50,640 --> 00:57:52,619 course, access controls and and so on and 1552 00:57:52,620 --> 00:57:54,719 so forth, meaning that it 1553 00:57:54,720 --> 00:57:56,310 was physical security at the sites. 1554 00:57:57,770 --> 00:57:59,039 OK, from one. 1555 00:58:00,450 --> 00:58:02,429 So I was wondering if they actually 1556 00:58:02,430 --> 00:58:04,349 looked at other existing systems and if 1557 00:58:04,350 --> 00:58:06,579 you looked at other existing systems 1558 00:58:06,580 --> 00:58:08,939 and and maybe just 1559 00:58:08,940 --> 00:58:10,589 generally, do you do you think it's a 1560 00:58:10,590 --> 00:58:13,019 good idea to to try to 1561 00:58:13,020 --> 00:58:14,519 make a system that doesn't have those 1562 00:58:14,520 --> 00:58:15,520 failures? 1563 00:58:16,140 --> 00:58:18,599 Uh, the question is whether 1564 00:58:18,600 --> 00:58:19,799 I have looked at other systems and 1565 00:58:19,800 --> 00:58:20,999 whether they had looked at all the 1566 00:58:21,000 --> 00:58:22,259 systems and whether it was a good idea to 1567 00:58:22,260 --> 00:58:23,019 do this. 
1568 00:58:23,020 --> 00:58:25,259 Um, the 1569 00:58:25,260 --> 00:58:27,539 project certainly looked at other 1570 00:58:27,540 --> 00:58:29,789 systems, both in both 1571 00:58:29,790 --> 00:58:30,960 in 2006 1572 00:58:32,130 --> 00:58:34,409 during the feasibility study 1573 00:58:34,410 --> 00:58:36,719 and also up front 1574 00:58:36,720 --> 00:58:37,720 before they 1575 00:58:39,000 --> 00:58:40,029 started the project. 1576 00:58:40,030 --> 00:58:41,030 As such, 1577 00:58:42,120 --> 00:58:44,339 I have not I did not 1578 00:58:44,340 --> 00:58:45,689 have the opportunity to look at a lot of 1579 00:58:45,690 --> 00:58:47,789 other systems when I was looking at this 1580 00:58:47,790 --> 00:58:50,279 because I was in a hurry. 1581 00:58:50,280 --> 00:58:52,569 Um, but of course, I'm 1582 00:58:52,570 --> 00:58:54,899 I'm familiar with the voting in 1583 00:58:54,900 --> 00:58:56,679 Estonia and so on. 1584 00:58:56,680 --> 00:58:58,739 Uh, personally, I 1585 00:58:58,740 --> 00:59:00,449 don't think this is a good idea, but I 1586 00:59:00,450 --> 00:59:02,300 think that, um, 1587 00:59:03,390 --> 00:59:07,049 in order to in order to 1588 00:59:07,050 --> 00:59:09,299 get that message through, you 1589 00:59:09,300 --> 00:59:10,939 have to engage both on the technical the 1590 00:59:10,940 --> 00:59:12,269 technological level, but also on the 1591 00:59:12,270 --> 00:59:13,270 policy level. 1592 00:59:14,310 --> 00:59:16,379 OK, uh, since the time is almost 1593 00:59:16,380 --> 00:59:18,719 out, one last question from to. 1594 00:59:19,740 --> 00:59:21,209 Yeah. I was wondering if you have any 1595 00:59:21,210 --> 00:59:23,369 ideas about changes 1596 00:59:23,370 --> 00:59:25,559 to language or workflow used 1597 00:59:25,560 --> 00:59:27,869 to result in better quality source code. 1598 00:59:29,480 --> 00:59:31,159 Uh. 
1599 00:59:32,380 --> 00:59:34,899 I think I think 1600 00:59:34,900 --> 00:59:36,999 from from my point of view 1601 00:59:37,000 --> 00:59:39,069 as a cryptographer, an engineer, and 1602 00:59:39,070 --> 00:59:41,169 my my perspective would be to 1603 00:59:41,170 --> 00:59:43,479 try to isolate and encapsulate 1604 00:59:43,480 --> 00:59:44,889 the cryptographic codes as much as 1605 00:59:44,890 --> 00:59:46,149 possible. 1606 00:59:46,150 --> 00:59:47,630 Uh, 1607 00:59:48,940 --> 00:59:50,619 regarding more general software 1608 00:59:50,620 --> 00:59:52,749 development techniques for for 1609 00:59:52,750 --> 00:59:55,099 guaranteeing high quality and 1610 00:59:55,100 --> 00:59:57,489 and so on, so forth, I'm probably not 1611 00:59:57,490 --> 00:59:58,490 the person to answer.