[bragh]

Please try to think here in terms of probabilities, not absolutes and about the threat model.

1. Closed source and loaded on an USB stick is the simplest case. But in the end, how will you still know what is the actual code that the eventual tallying system is running?

2. Verification of votes is not about encryption. If you allow it to be unlimited, then you can actually sell your vote. In Estonia, you can verify your vote 3 times for 30 minutes after your vote was cast: https://www.oiguskantsler.ee/sites/default/files/field_docum... (point 14 on page 5)

3. Mostly agreed with you about the rate of vulnerabilities. But the issue here is that voting is such an important of how democractic society works that there should be no obvious vulnerabilities or any exploitations of vulnerabilities can be easily discovered. E-voting has neither of these because again, how can we know what code is actually being executed?

4., 5., 6., 7. Yes, one vote can get lost. Hell, thousands can get lost. But on average, I can still count on the process eventually working out due to the observability. Somebody will find ballots thrown in trash, pre-filled ballots, 117% of eligible people voting. Sure, in those cases the country is unsalvageable, but you will at least know that it is happening.

8. OK, but that is neither here nor there.

9., 10. If you open up Google Maps and look one country eastward, you will understand. As a reference, https://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia Not sure on what their planning divisions are cooking up, but I do not doubt that they will use any angle they can. What is the going price for a Windows 10 0-day anyway, on the order of a few hundred k to 1M, I assume? Peanuts.

[aj3]

You’re the one that seems to be thinking in absolutes (when it suits you).

  1. In cryptographical/philosophical sense that’s a tough problem. But our goal is to improve on existing solution not come up with an absolutely ideal scheme, right? So let’s look at what sort of trust our current system provides us. Do you get to see how the whole system works? No. Does any single person gets to see the whole system for that matter? No. But you are provided with the description of the process and large part of it is happening in the open even though though you can’t attend all the places / oversee everything in a single election due to real life and restrictions. Some people are also provided with the power to inspect arbitrary components of the whole scheme  when they see fit and even though they don’t inspect even the whole components all the time and no one is inspecting absolutely everything, these people are attracted from all interested parties and can act on random, so we believe that if there were any symptomatic fault play someone would have found it simply by chance. And we generally don’t believe in conspiracies but we try to counteract them by providing more incentives for people to speak up, get involved, become a whistleblower if that’s necessary so that any largish conspiracy would inevitably become public knowledge quickly enough. Well, we can arrange all of these in electronic voting as well and we can even double down on all the in depth mitigations by providing more monitoring capabilities in real time & possibly even making data openly available in whole after election.
  2. You can sell your vote in our current system as well. But somehow that’s fine because we have different standards for what we grandfathered already, am I right? Yeah, you could pay people if they film themselves voting, but there is no evidence of they being widespread so no need to worry. Mail ballots aren’t anonymous and could be spied/spoofed easily but there is no evidence of that ever happening, so no need to worry. Lack of strong ID requirements in US could lead to massive voter fraud but there is no evidence of they ever happening in a large enough numbers to skew the election, so no need to worry about. And yet when it comes to electronic voting, geek versions of Penn and Teller - cryptographers have shown us in their stage shows that they can conceive such situations where the victim gets unknowingly duped into disclosing their vote, or the vote being miscounted. So that means literally anyone could carry out the same attack in practice and at an arbitrary scale (or maybe not but we’d better err on side of caution).
  3. How do you know that that nice lady overseeing voting in your district isn’t a secret Trump/Clinton/Nazi/Communist sympathizer? You don’t, but you have a faith in the system as a whole that it won’t crumble because of a single person. Similarly we can use defense in depth tactics in designing election security. The hardware would only be able to run signed code in a minimal environment, you could even make the decided stateless, meaning the code gets reset before each new vote gets accepted, maybe even provide an option for voters to reflash the device themselves (with a click of a button on their phone). Devices themselves don’t have to be generic PCs with USB ports and what not, these could be a really dumb chips enclosed into sealed & transparent casing with each one being certified etc. You could make the system modular by having multiple devices each doing their small thing - like the Unix utilities but with each utility being separate hw and most of them disconnected from any networking / being air gapped with obvious input/output interfaces. There are so many things we could do it we approached this in a sane manner as a serious engineering challenge instead of trying to out-cynic each other.
  4,5,6,7 That’s exactly my point, electronic voting can be made even more transparent and with the records being forensically preserved they could be analyzed in full at any time after the votes have been casted (with the operational stuff being able to run all sort of threat hunting / anomaly detection during the Election Day). Granted this assumes the whole system uses the same protocols and is run/overseen by a joint committee which might or might not be viable in US, but the discussion started from Estonia - European country, where this would be totally expected.
  9, 10 Not all 0days are noclick RCEs present in a default configuration (of a desktop/mobile). In fact we haven’t seen such a beauty in a long time. So no, there isn’t a price for that as it’s not something you could buy off the shelf. And if you could get one you would burn it pretty fast by using it in such a campaign. Makes much more sense to keep it as a nuclear option as no matter how aggressive in your opinion nation state attackers are, their primary incentive is fear for the survival/integrity of their own country (yes the bears crap their pants thinking about possible armed intervention any year soon and so do the pandas). So no I don’t think there is any conceivable way to exploit large portion of private devices in a country in a uniform fashion. You totally could do that using top bottom approach - sort of like exploiting DC and pushing malware from it via group policy. But in case of Estonia voting apps would be the last tech to use for that. They are already mandated to use governmental services for various everyday tasks, they have centralized ID and there are just a couple of major banks - all of which require having an app for modern banking. So there are already plenty of avenues to wreck havoc for a skillful/motivated attacker. And yet we don’t have panic attacks over it, it’s just operational risk that we seek to understand & mitigate just like in every other enterprise.