Re: E-mail Voting Security Q
From: N. Thornton (bigcat@meeow.co.uk)
Date: 09/12/02
From: bigcat@meeow.co.uk (N. Thornton) Date: 11 Sep 2002 15:02:48 -0700
graperdude@aol.com (Graper) wrote in message news:<de080a2a.0209110613.75d23a86@posting.google.com>...
> bigcat@meeow.co.uk (N. Thornton) wrote in message news:<a7076635.0209060747.76dcda6c@posting.google.com>...
> > identities. As long as we catch 19 out of 20 miscreants we could live
> > with that. With no security the system is wide open to abuse.
>
> Out of 100 voters, I don't see much of a problem with one out of 20
> (i.e., 19 out of 20) playing the double and triple vote scam. These
> are the casual abusers. The petty criminals, similar to the
> shoplifters and pick pockets of the world. That equates to 5% of the
> voters affecting 10% to 15% of the vote. Like the retail analogy,
> it's all factored into the price of the product. Or, in your case,
> the error margin of the vote. Given the scammers themselves may be
> evenly distributed, the actual skewing would probably be inside of
> 10%.
>
> But what happens if "one" of the 100 is running a 50 vote scam? We're
> not talking shoplifter and pick pocket analogy any more, now we're
> talking organized crime analogy. The big bucks white collar scam.
> Now the 1% of vote is affecting 50% of the vote. That would be
> unacceptable.
>
> Continuing our analogy, if you can ensure your voting group is limited
> to the occasional shoplifter or pick pocket (i.e., two or three vote
> scammer), then you should be OK. However, if there is a chance you
> have a hard core criminal amidst your voters, then you have a bigger
> problem. The integrity of your vote is probably limited to the
> probability of this event taking place.
>
> And, of course, there's the internal security of your server that
> compiles the vote. Instead of spending the time and effort to create
> 50 personas, that same "one" hacker might just go right for the heart
> and hack your server. Then they can make the vote anything they want.
> Or, it could even be an inside job.
Hi. That does help me to understand the theoretical risks. I'm not
convinced we're facing the hard core criminal scenario though. People
can't really profit out of it financially, and the reason for
multivoting would be more ego than anything. So I doubt they'd go to
the significant trouble of casting 50 votes from 50 email adrs with 50
different email headers. Or hacking the server. I know it's not
impossible, I just think the chance of that is pretty small, and
therefore acceptable.
Bear in mind if 50 supposed people voted, yet we never, or almost
never, met them in the room we would start to wonder. Though there are
ways round that.
Plus if we were hardcored like that we'd continue functioning. It's a
non profit org, not a corporation. At the moment nearly everyone is in
favour of us email voting with NO security in place. I have my
opinions on that, which is why I'm looking for a practical method
here.
Well, with input from you people who clearly know more about it than
I, I am thinking the webpage voting with cookie should be adequate. I
would appreciate your feedback on it. I have pasted the info and
comments below...
Regards, NT
Number of people voting 30 to 50 at present
Personal identities of voters are unproven
Sign up to the list is automated.
IMHO, the simplest way is to use a cookie that is given at sign up and
presented when voting. But it has at least three drawbacks: it binds the
identity of the voter to the machine that was used when signing up,
anybody who has access to the machine can use the cookie to vote, and
the cookie can be stolen.
-- Lassi
Yup, I guess that would be a problem for some. But if the cookie is
delivered to their machine(s) whenever they go to the site, they will
quickly have the same cookie on both machines... hopefully that should
avoid problems.
> anybody who has access to the machine can use the cookie to vote,
Well, they'd have to get the sending email addr right too, so I think
we're OK there.
> and
> the cookie can be stolen.
Yeah, it could, but not by many people. I think we could live with
that.
But how does it stop one person signing up 8 times using different
identities?
And people delete their cookies sometimes, or refuse them, then they
couldn't vote. So I'm not sure how that'd work.
Thank you for your input. If you can explain the bits I can't, I'm all
ears.
> > But how does it stop one person signing up 8 times using different
> > identities?
>
> If one person is allowed only one vote, you'll have to use personal
> identities, issued by yourself (people coming to see you) or a trusted
> third party.
Unfortunately that would be impossible, we're talking a worldwide
organisation.
But perhaps a very similar idea - maybe you could tell me if this
would work well enough?
Quick situation overview first:
we have people who visit the site, mostly using a webpage(s). A few
visit mostly using mirc / IRC, but they do come via browser at least
sometimes.
Voting is via an automated sign up email list.
**** ****** ***** ****** ***** *****
Idea:
Everyone that comes to the site is given an ID cookie. The cookie is
somehow seen when voting - I don't know if that's poss. When voting the
puter will look for any other ID cookies from our site on it - if
there is more than one ID cookie there someone behind the scenes will
be informed, and we can look into it, and decide what to make of it.
So it's an insecure ID basically. It won't stop someone multivoting if
they know how it works and never mix up 2 IDs on 2 different puters,
but I think we can accept that risk. But the ordinary person, or even
intelligent one, would normally be caught out by this. Am I right on
that?
The only thing is one would need to go visit one of our web pages to
vote, instead of sending a mail, cos of the ID cookie matter. But I
would think that could be quite doable.
Is that any good? Thanks for all your help, I do appreciate it.
> At this point you should define a threat model. What kind of users you
> are playing with? What are the risks? When you have a threat model, you
OK, I'm going to attempt... I have no expertise in this field...
The Misvoter will be someone who is being very self willed, and
decides it is for the greater good to change the vote to what they
believe is 'Right.'
Kiddy hackers will not be playing, they aren't a problem.
Currently people can only vote after being signed up for 30 days, so
any misvoting will be planned or expected by the misvoter.
Finally there is always the possibility of someone disaffected
deciding to muck about with the running of things.
Consequences of misvoting:
The org is a non profit goodwill type one. No-one stands to profit
financially, but people do sometimes decide they know The Truth and
can proceed to cause real problems if we let them.
Firstly decisions could be made which would concern members.
Secondly the org can be made less capable of meeting its aims by
decisions controlled by someone who simply can't see the problems they
would be introducing.
Thirdly interpersonal trust is a real issue at times, and we don't want
that to break down. That is actually the biggest issue here: we need a
process that enables those partaking to trust the process. Without
that trust there is room for trust breakdown and accusations to occur.
Those do very much affect the ability to carry out the task at hand,
and do happen.
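
The ID-cookie check discussed in this message, as an added example that is not part of the original post: the server signs the list of member IDs seen in one browser and refers a vote to a human reviewer when the cookie is missing, altered, or carries more than one ID. The function names, the cookie layout and the sample members are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret known only to the voting server

def _tag(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def sign(ids):
    """Cookie value: sorted member IDs plus an HMAC tag, so a client cannot edit the list.
    Assumes member IDs contain neither ',' nor '|'."""
    body = ",".join(sorted(ids))
    return body + "|" + _tag(body)

def verify(cookie):
    """Return the set of IDs in the cookie, or None if it is missing or altered."""
    if not cookie or "|" not in cookie:
        return None
    body, tag = cookie.rsplit("|", 1)
    if not body or not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return None
    return set(body.split(","))

def on_visit(cookie, member_id):
    """On each signed-in visit, add this member's ID to those the browser already holds."""
    return sign((verify(cookie) or set()) | {member_id})

def check_vote(cookie, member_id):
    """Return a reason to refer the vote to a human reviewer, or None if nothing stands out."""
    ids = verify(cookie)
    if ids is None:
        return "no valid ID cookie (deleted, refused or altered)"
    if member_id not in ids:
        return "cookie was not issued to this member"
    if len(ids) > 1:
        return "browser also holds: " + ",".join(sorted(ids - {member_id}))
    return None

def demo():
    """Constructed members and browsers; returns {member: reason or None}."""
    pc_a = on_visit(None, "alice")                    # one member, one browser
    pc_b = on_visit(on_visit(None, "bob"), "bob2")    # two sign-ups mixed on one browser
    pc_c, pc_d = on_visit(None, "mal"), on_visit(None, "mal2")  # kept strictly apart
    votes = {"alice": pc_a, "bob": pc_b, "bob2": pc_b, "carol": None,
             "mal": pc_c, "mal2": pc_d, "dave": pc_a[:-1] + "x"}
    return {m: check_vote(c, m) for m, c in votes.items()}
```

In `demo()`, "mal" and "mal2" pass unflagged because the two IDs never meet in one browser, which is the limitation the message itself accepts; "carol" shows that a deleted or refused cookie ends up in the review queue rather than being silently counted.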