Researcher Who Reported E-voting Vulnerability Targeted By Police Raid in Argentina
TrixX writes: Police have raided the home of an Argentinian security professional who discovered and reported several vulnerabilities in the electronic ballot system (Google translation of Spanish original) to be used next week for elections in the city of Buenos Aires. The vulnerabilities (exposed SSL keys and ways to forge ballots with multiple votes) had been reported to the manufacturer of the voting machines, the media, and the public about a week ago. There has been no arrest, but his computers and electronic devices have been impounded (Spanish original). Meanwhile, the information security community in Argentina is trying to get the media to report this notorious attempt to "kill the messenger." Another source (Spanish original).
Gazillion votes (Score:2, Funny)
Re:Gazillion votes (Score:5, Informative)
Just FTR, the group organizing this election is the government of the city of Buenos Aires, which is not run by the Kirchner but one of the opposition parties.
Re: (Score:2)
And the raid order was sourced in the private company who runs the voting machines (MSA, Magic Software Argentina), they already organized elections for both major parties.
Re: (Score:2)
Thanks for sharing. Don't spend the 50 centavos all in one place.
Not kill the messenger ... (Score:4, Insightful)
Re: (Score:1)
So why would the next messenger bring any message?
Thus, killing the messenger. Period.
Re: (Score:2)
So why would the next messenger bring any message?
Because the next messenger would be smart enough to realize that if they have any electronic data more valuable than school assignment, video game save game files, selfies and letters to grandma then they should have offsite backups. Whether your data burns up in a fire, gets destroyed in a flood, gets stolen by non-government agents or impounded by government agents does not really matter; except that in the impounding case you might get it back. Back it up and there is much less to fear.
And perhaps thi
Re: (Score:2)
Are you retarded?
Re: (Score:2)
Do you often ask rhetorical questions? :D
(Sorry, couldn't resist.)
Re: (Score:1)
Perhaps English is not your first language. The phrase "to kill the messenger" is no longer expected to be literal, but "kill" can be interpreted as "harm". Stealing someone's stuff falls into the definition of "harm".
Re: (Score:2)
Plenty of excuses, but sorry, if we're using English "kill the messenger" essentially means to act in such a way as to discourage others with the same (or sufficiently similar) message.
You may use the excuses to claim that the intent was other than "killing the messenger", but not to argue that that isn't what they did. To argue that that isn't what they did you would (probably) need to show that their action did not serve to discourage others with similar communications.
OTOH, perhaps in Spanish the phrase
Re: (Score:1)
I decided to poke around and they *may* have a legitimate argument if they wanted to make it though they would have to rely on, and you accept, a really piss-poor wiki page. Here is the link:
https://en.wikipedia.org/wiki/... [wikipedia.org]
It would require deciding what lashing out meant - is that a physical or a non-physical thing as would be expected by a rational language user in that environment. I do not know, personally, so I leave that up to you two to hash out if you opt to do so. I would have said 'attacking the m
Re:Not kill the messenger ... (Score:4, Insightful)
So why would the next messenger bring any message?
Because the next messenger would be smart enough to realize that if they have any electronic data more valuable than school assignment, video game save game files, selfies and letters to grandma then they should have offsite backups. Whether your data burns up in a fire, gets destroyed in a flood, gets stolen by non-government agents or impounded by government agents does not really matter; except that in the impounding case you might get it back. Back it up and there is much less to fear.
And perhaps this first messenger has a backup too.
In this case everybody has the information: "As reported Telam a specialist who preferred anonymity, which leaked on the web are "SSL certificates terminals that send data from the schools to the datacenter," which were published "on the site http://caba.operaciones.com.ar by poor settings on your servers."" (translated version).
Re:Not kill the messenger ... (Score:5, Insightful)
So why would the next messenger bring any message?
Because the next messenger would be smart enough to realize that if they have any electronic data more valuable than school assignment, video game save game files, selfies and letters to grandma then they should have offsite backups. Whether your data burns up in a fire, gets destroyed in a flood, gets stolen by non-government agents or impounded by government agents does not really matter; except that in the impounding case you might get it back. Back it up and there is much less to fear.
And perhaps this first messenger has a backup too.
In this case everybody has the information: "As reported Telam a specialist who preferred anonymity, which leaked on the web are "SSL certificates terminals that send data from the schools to the datacenter," which were published "on the site http://caba.operaciones.com.ar by poor settings on your servers."" (translated version).
The desired "evidence" may be unreported information. For example things that make otherwise anonymous people less anonymous. Again, the researcher is not necessarily the target.
Re: (Score:3)
They went into his house and took his shit. In South America. I think that qualifies as "kill the messenger".
In a region with a history of actual political assassinations (body found) and disappearances (body not found), no that does not qualify. Such things happened as recently as the 1980s. About 10 years ago the Argentine Congress established a "Day of Remembrance for Truth and Justice" for such victims. Having to buy a new computer and restore from backups is not in the same league.
Re: (Score:3)
Having to buy a new computer and restore from backups is not in the same league.
Doesn't have to be in order to fit the definition. And milder forms of censorship and suppression are often preludes to greater forms especially in places where there's already a history of such tyranny.
Re: (Score:2)
Having to buy a new computer and restore from backups is not in the same league.
Doesn't have to be in order to fit the definition. And milder forms of censorship and suppression are often preludes to greater forms especially in places where there's already a history of such tyranny.
It remains to be seen if there is censorship. Impounding material evidence is not necessarily suppression. It's not clear that the researcher is the target, he may merely possess evidence that would make some black hat less anonymous. It's premature to claim "kill the messenger" using any definition of that phrase.
As for the "definition". In a region where a generation or two ago "kill the messenger" was literal not figurative, the figurative definition doesn't work.
Re: (Score:2)
It remains to be seen if there is censorship. Impounding material evidence is not necessarily suppression.
But heavy-handed behavior is a good indication that such suppression is going on. After all, why wouldn't this researcher cooperate with the police?
As for the "definition". In a region where a generation or two ago "kill the messenger" was literal not figurative, the figurative definition doesn't work.
Bullshit. When the figurative definition is ignored the literal one comes back. Throwing elections (and thuggish suppression of evidence of that) is a phase I'd expect in a return to such tyranny.
Re: (Score:3)
It remains to be seen if there is censorship. Impounding material evidence is not necessarily suppression.
But heavy-handed behavior is a good indication that such suppression is going on. After all, why wouldn't this researcher cooperate with the police?
There was no censorship. The researcher who published the exploits was not arrested. His computers were impounded as part of an investigation. He may not be the target, they may be searching for a 3rd party he was in contact with, perhaps a black hat. Seizing evidence in such a case removes the opportunity for the evidence's destruction. It's a pretty standard thing in North America and Europe too.
As for the "definition". In a region where a generation or two ago "kill the messenger" was literal not figurative, the figurative definition doesn't work.
Bullshit. When the figurative definition is ignored the literal one comes back. Throwing elections (and thuggish suppression of evidence of that) is a phase I'd expect in a return to such tyranny.
The existence of an exploit is not evidence that anyone, government or not, is actually rigging an election. Its
Re: (Score:2)
There was no censorship.
That's wrong to say since this researcher doesn't have infinite time and resources to both deal with the alleged investigation and impounding of equipment as well as doing whatever they do for a living and discussing the security issue they have allegedly found. At best, it might be that the censorship is an unintentional consequence of a police investigation of a genuine criminal activity with genuine probable cause. But the above actions indicate the police did not think the researcher would be cooperativ
Re: (Score:2)
it might be that the censorship is an unintentional consequence of a police investigation of a genuine criminal activity with genuine probable cause.
That's my point, with the caveat that it's not really censorship since the goal is not to silence anyone but to investigate a crime.
Again, all I'm saying is that it's premature to claim censorship. As I said in the beginning all we can say for sure at this point is that it was rude to seize the equipment without asking for cooperation. Facts and opinions may change as more info unfolds.
But the above actions indicate the police did not think the researcher would be cooperative in the investigation. Why?
Might be standard procedure to seize evidence without warning to prevent tampering.
A researcher might want to not discl
Re: (Score:2)
That's my point, with the caveat that it's not really censorship since the goal is not to silence anyone but to investigate a crime.
Unless, of course, the intent of the effort was to silence the researcher in question. Then it is.
Again, all I'm saying is that it's premature to claim censorship. As I said in the beginning all we can say for sure at this point is that it was rude to seize the equipment without asking for cooperation. Facts and opinions may change as more info unfolds.
But a kind of rudeness that routinely shows up when authorities want to make an example of someone.
Might be standard procedure to seize evidence without warning to prevent tampering.
It also might be standard procedure to cause as much grief as possible when someone gets inconvenient to the powers-that-be. What more could they be doing to this guy given their current powers?
Re: (Score:2)
Or is it an inconvenience for his employer? A work computer that gets replaced?
Re: (Score:2)
The cause as much grief as possible argument fails since he was not arrested or charged with anything.
What is your reasoning for that argument? What would be the point of arresting the researcher, if you didn't have anything to charge him with at the time?
It's way premature to cry censorship, it's crying wolf as things stand at the moment.
Again, what is the basis for your argument especially given that you admit this is a tremendous imposition requiring such things as "buying new computers".
Re: (Score:2)
The cause as much grief as possible argument fails since he was not arrested or charged with anything.
What is your reasoning for that argument? What would be the point of arresting the researcher, if you didn't have anything to charge him with at the time?
Censorship. Charging people is easy. It's convicting them that can be hard. No arrest, no faux prosecution, etc. An awfully poor attempt at censorship, so much so it would be reasonable to expect that something else is the motivation.
It's way premature to cry censorship, it's crying wolf as things stand at the moment.
Again, what is the basis for your argument especially given that you admit this is a tremendous imposition requiring such things as "buying new computers".
It is a great inconvenience that silences no one. Assuming it's not an employer's computer, then it's a minor inconvenience. An awfully poor attempt at censorship, so much so it would be reasonable to expect that something else is the motivation.
Re: (Score:2)
In a region with a history of actual political assassinations and disappearances, I'd be quite concerned about a possible followup visit. But I guess that's just me.
Re: (Score:2)
If the researcher is not being arrested it's not "kill the messenger". Impounding his equipment, the "evidence", is just a very rude way of getting his data on vulnerabilities and attacks. They could have asked. Then again perhaps they feared the "evidence" being tampered with, confidential sources and all that sort of thing. Again, rude, but a plausible path if such concerns were warranted.
In the U.S., they can take all of your stuff if they arrest. Well, technically they can't, because that would be unconstitutional and illegal, but they DO. So how much worse is it when they can take all of your stuff without even arresting you?
Re: (Score:2)
If the researcher is not being arrested it's not "kill the messenger". Impounding his equipment, the "evidence", is just a very rude way of getting his data on vulnerabilities and attacks. They could have asked. Then again perhaps they feared the "evidence" being tampered with, confidential sources and all that sort of thing. Again, rude, but a plausible path if such concerns were warranted.
In the U.S., they can take all of your stuff if they arrest. Well, technically they can't, because that would be unconstitutional and illegal, but they DO. So how much worse is it when they can take all of your stuff without even arresting you?
In the US seizing material evidence of a crime and arresting a person are also two different things. The evidence may be of some third person's criminal activities, something the person who possesses the evidence was not involved in.
Re: (Score:2)
Unfortunately, by your definition I don't believe that there *are* any civilized nations. It's not that I disagree with you, exactly. But I believe that your idealized definition of civilized doesn't map to any country in the world either at the present time or at any previous time.
Can we get some confirmation of this? (Score:2, Insightful)
Come on, Slashdot editors! Get with it! Fix the fucking summary! It's fucking awful!
Jesus Christ, most of the links are to non-English articles, and the automatic translations are shitty. Like most people here, I don't read Spanish, so I have no idea if the automatic translations are actually accurate and match with what the Spanish articles are saying!
Additionally, I have no idea who is behind these articles. Being unfamiliar with them, I do not know how reliable they are, or what their biases are.
I know I
Re:Can we get some confirmation of this? (Score:4, Informative)
I can provide you with this English link. This has not been reported in English-speaking media yet, sorry for not having something better but this is breaking news yet. https://gist.githubusercontent... [githubusercontent.com]
Re: (Score:2, Informative)
Some days before the elections taking place today in BsAs, a guy found "bugs" and other mistakes from which the Frente Para la Victoria, the PRO, the Frente Renovador, and other political parties from here may take advantage of. The article is fine and describes in a very suitable and short way what's really happening. This is obvious, just as with Nisman, and other cases: we are being ruled by a right-wing party disguised as a populist left-wing party who wants to stay in the power, no matter what
Re: (Score:1)
Hola, mí Español es muy mierda. Englais es facile. Es no "maintain his butt clean." En Englais es "keep his butt clean." Es no mucho problemo y tambien yo Englais is muy bueno.
My English is better than my rusty Spanish.
Re: (Score:1)
"As we already speak the most relevant language in the world, we have no need for other languages."
As you live in one of the most relevant countries in the world, you have no need for other countries?
Perhaps, as I am guessing you are an example of the dominant gender in the world, you have no need for other genders.
"No need". What a fucking idiot you are.
Re: (Score:1)
I doubt that they have a need for other genders but I think you have the motivations wrong. NTTAWWT
That's what happens when... (Score:5, Insightful)
You expose a backdoor that the current in-power government was going to use to win the election.
Election needs to be voided (Score:1)
If they (one man even!) can trivially create votes any way they want, the election needs to be voided, and delayed a month while they get their paper election together.
The security researcher was right to expose the flaw, and seizing his equipment to shut him up does not make the flaw go away.
In Russia, when Putin lost the last election, the last few districts to report were insanely PRO-Putin with HUGE turnouts, in other words he didn't rig the election enough to win it and had to do some major rigging at
The elections are not "next week". It's tomorrow (Score:2)
TFS is wrong. We hold elections on Sundays in Argentina, not on weekdays. In less than 11 hours we will be voting with this horribly unsafe system that hasn't really been tested.
Re: (Score:2)
Sorry for the summary. I sent this yesterday and Sunday looked more like "next week".
Re: (Score:2)
"week end". At least in English-speaking world, Sunday is the last day.
Re: The elections are not "next week". It's tomorr (Score:2)
Not everywhere, in some parts of the world Monday is the first day of the week.
Re: (Score:2)
If you work in my org, the first day of the week is Thursday.
Estonia evoting (Score:2, Interesting)
Estonia also uses e-voting as an option, using an ID card. Basically software is open source and anybody can check for backdoor, plus there is independent checking committee.
Bottom line of this is that it is much more difficult to fraud in e-voting than in ordinary voting with paper.
Interestingly the biggest critic of e-voting is our opposition party who relies heavily on Russian and old people vote, basically less educated is the target group, they have raised hell after hell, and yet no one has yet to pro
The inherent problem with electronic voting (Score:5, Insightful)
There is one single very dangerous problem with electronic voting: Trust. People have to trust it, because they are unable to test it.
With paper and pen, it's easy. You can nominate anyone to work as an election monitor. The necessary qualification is "being able to find out where the X marks the spot" and "count". That's a skill set available to nearly everyone.
Working as an election monitor to rule out foul play with election machines requires someone to know quite a bit about computers. It's anything BUT simple to rule out foul play.
The danger here isn't even so much that manipulation can take place. And I don't even want to engage in the discussion whether or not these machines can easily be manipulated. The danger is that some populist aiming for the uneducated masses goes and cries foul play when he loses the election. And that's a danger not to some party but to the faith of the population in the whole democratic process. And that inherently is dangerous to democracy altogether.
It's not easy to debunk such claims. With paper, it's easy to go "oh please, count them yourself if you don't believe us. Here's the paper slips, and you can count, can't you?". Now try the same with election machines. Saying "you can do an audit yourself" isn't going to cut it. Why should we trust the computer experts? It's not something just anyone can do.
These machines are a danger to democracy. Nothing less.
Re: (Score:2)
It is?
Explain this to Joe Random who just heard some populist cry foul play, claiming that they can't be audited and that the auditors are all in league with the party that won the election. Yes, it's bull. But the problem is that you CANNOT debunk it. Joe Random can't imagine how such an audit takes place. He can imagine counting paper slips, and he can see through the ruse when someone cries foul in such an environment. Any party crying foul in a paper election will be told that they should've put some mo
Re: (Score:2)
Again. The problem is not whether or not manipulation takes place. The problem is that someone can cry foul and there is no way to convince the computer unsavvy that he's full of shit.
You can verify your vote with some device not under your control. That alone gives room for doubt.
Political processes are complicated and intricate. That's already plenty of room for people wanting to claim that politics is all shenanigans and foul play because it's so complicated that most people don't understand it and rathe
Re: (Score:2, Interesting)
The officials at the voting table sign the envelopes. Whenever they sign envelopes, they must sign a batch of them with the same pen and with the same amount of signatures (one official, two officials, three officials, etc), so that it's not possible to identify a specific voter by the signatures on their envelope (I think there's a minimum of 8 or so).
This is how the vote in Argentina has worked for many many years. This doesn't mean that it's impossible to fraud it. Voting table officials need to be car
Re: (Score:2)
RFID makes it less likely that a party can print their own ballots. Also, the ballots have two cut-away pieces. The first one is cut off when the voting authority hands you the blank ballot. They keep it. The second one gets cut off just before you place the vote in the urn. They are physically placed one next to each other. They have printed symbols on them which must match up, or they don't let you place the ballot in the urn. This also prevents parties from printing and handing out pre-filled ba
Re: (Score:2)
You act as if that wasn't even easier with voting machines. "Whoopsie, computer crash!"
And unlike in this case, you can't even claim that they're criminally incompetent. Because, hey, computers crash, that's what they do, right? Happens to you at home, too, and you can't be blamed for that, can you?
In other words, them running out of ballots and being unable/unwilling to allow voters to vote is something people can easily identify as something not being as it should be. Manipulation gets heaps easier with v
Re: (Score:3)
They (supposedly) didn't have enough ballots to go around, and thus polling places were closing hours ahead of schedule, with the reason given by the Registrar of Voters as "We didn't have enough ballots for everyone to be able to vote".
That's really a trivial problem to solve and the fact that it occurred means the election officials were criminally incompetent which is now obvious for all to see. In contrast detecting hacks in voting computers is close to impossible, proving them harder still and preventing them while maintaining transparency downright impossible.
Re:The inherent problem with electronic voting (Score:4, Interesting)
But any party involved can (at least in my country, and pretty much all civilized countries I know of) nominate election observers that can easily identify whether everything's running correctly without any kind of special knowledge. They can easily tell whether the ballot is properly sealed, they can easily tell whether people step into the voting booth alone. They can easily find out whether the choice is free of influence. They can be present when the ballot seal is broken (actually, over here people are essentially locked in 'til the paper slips are counted, collected and sealed again, nothing going in or out in between) and when the paper slips are counted.
It's pretty hard to manipulate anything in such an environment. It's easy to see whether someone tries to manipulate results since it takes little more than eyes to detect foul play.
Re: (Score:3)
I didn't say that paper elections cannot be rigged. They can, and have been more often actually than there have been fair elections.
I did not even say that it's easier to rig electronic elections than paper elections. Personally, I'd expect it to be as long as you're the one calling the shots.
What is harder is simply to debunk cries of foul play. People can easily imagine what a paper election is like and how counting them (with representatives of all parties involved present) can be somewhat trusted. It is
Re:The inherent problem with electronic voting (Score:4, Interesting)
The system used in Argentina has a paper trail. When a vote is cast the machine saves the voter's choice to an RFID chip inside the ballot and at the same time the same information is printed as human-readable text on the ballot. The voter can use a separate machine to read the RFID and verify that the information printed matches the information stored.
The votes are counted at each polling station primarily using an RFID reader, but each political party can designate monitors to oversee the process. In case of doubts the votes can be re-counted using the printed information. When everyone present agrees on the totals, the results are sent to a central location where they are aggregated. Results from each polling station are made available online so each party can verify that the totals add up correctly.
As a final step, 5% of the polling stations are randomly selected the week after the election and votes are manually re-counted using the paper trail. This is done in the presence of monitors from the different parties. This is the second time this system is used. The first time the audit of the 5% of the polling stations showed no differences.
I think there is a bit of exaggeration on these reports since even if the software is vulnerable, the system as a whole can be verified. The police raids can be explained since some of these "researchers" made available a list of all the employees of the company supplying the voting machines including phone numbers and addresses in an attempt to prove the incompetence of that company
Re: (Score:2)
Well, in a democracy a court could not just decide an election, so that example is not really a good one.
Re: (Score:1)
A Democracy could concede the right to judges to allow them to arbitrate elections if they wanted. They would still be a democracy just a Representative Democracy. Not that this means what happened in the US, Florida to be specific, was legal or anything. I am simply pointing out that they *could* democratically give up the right to a direct election (or an electoral college) and still be a democracy. It would be insanely stupid of them to give up that right but, then again, Hitler was democratically electe
Re: (Score:2)
Having watched how vote counting and election monitoring works in SoCal while doing security, I have to say that your trust is misplaced. There are "official" ways to alter the count including not even counting anything except Republican and Democratic Party votes while ignoring the rest or having an election worker "accidentally" take boxes of votes home which will be counted later.
Re: (Score:2)
Not entirely true. The system works by printing the ballot and writing the data to a chip on the ballot. When voting is over, all the chips are scanned and the results sent to a central location. The system allows the voter to both read what got printed on the ballot and scan the chip and see the results on-screen again.
There is one machine per voting place (school) that is used to transfer the results from all the voting machines at that school to the central DB. The SSL keys from all of these machines
Re: (Score:2, Offtopic)
Sorry, for this article, it needs to be "Todos de Uds. son vacas. Vacas dicen mú. MÚÚÚÚÚ! MÚÚÚÚÚ! Mú dicen las vacas. UDS. SON VACAS!!"
Re: (Score:2)
No fucking inverted interrogation or exclamation points.
Further proof that Slashdot is indeed mired in 1997 or thereabouts.