[Script Info]
Title: 
[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:12.26,Default,,0000,0000,0000,,{\i1}rC3 preroll music{\i0}
Dialogue: 0,0:00:12.26,0:00:18.40,Default,,0000,0000,0000,,Herald: Now, our next talk is Hacking\NGerman elections, insecure electronic
Dialogue: 0,0:00:18.40,0:00:23.60,Default,,0000,0000,0000,,voting count, vote counting, how it\Nreturned and why you don't even know about
Dialogue: 0,0:00:23.60,0:00:32.33,Default,,0000,0000,0000,,it. For the Germans listening here, did\Nyou noticed that in Germany, voting became
Dialogue: 0,0:00:32.33,0:00:37.65,Default,,0000,0000,0000,,more electronic recently? In case you're\Nout of Germany. I do live in Germany and I
Dialogue: 0,0:00:37.65,0:00:43.20,Default,,0000,0000,0000,,did not notice that myself. However, both\Nof our speakers volunteered as election
Dialogue: 0,0:00:43.20,0:00:50.08,Default,,0000,0000,0000,,workers in Germany and research on the\Ntopic of security for elections. And they
Dialogue: 0,0:00:50.08,0:00:56.63,Default,,0000,0000,0000,,promised to tell us how this can be, how\Nelections can be made more secure again.
Dialogue: 0,0:00:56.63,0:01:01.68,Default,,0000,0000,0000,,Our speakers are Tobias, he is an IT-\NSecurity researcher focusing on offensive
Dialogue: 0,0:01:01.68,0:01:07.12,Default,,0000,0000,0000,,security, automotive security and capture\Nthe flag challenges. And Johannes. He's a
Dialogue: 0,0:01:07.12,0:01:11.96,Default,,0000,0000,0000,,post-doctoral IT-Security researcher and\Nboth work together at the
Dialogue: 0,0:01:11.96,0:01:18.53,Default,,0000,0000,0000,,Fraunhofer AISEC Institute.\NEnjoy the talk.
Dialogue: 0,0:01:18.53,0:01:24.72,Default,,0000,0000,0000,,{\i1}Stille{\i0}
Dialogue: 0,0:01:24.72,0:01:29.45,Default,,0000,0000,0000,,Johannes: Hello and welcome to our\Npresentation on Hacking German Elections.
Dialogue: 0,0:01:29.45,0:01:33.84,Default,,0000,0000,0000,,Insecure electronic vote counting, how it\Nreturned and why you don't even know about
Dialogue: 0,0:01:33.84,0:01:39.84,Default,,0000,0000,0000,,it. My name is Johannes Obermaier\NTobias: and I am Tobias Madl. We are both
Dialogue: 0,0:01:39.84,0:01:44.72,Default,,0000,0000,0000,,very much involved in elections in Bavaria\Nbecause we're election workers and offer
Dialogue: 0,0:01:44.72,0:01:49.20,Default,,0000,0000,0000,,support here in Germany.\NJ: And we are offensive IT-Security
Dialogue: 0,0:01:49.20,0:01:52.78,Default,,0000,0000,0000,,researchers.\NT: First of all, we want to talk about the
Dialogue: 0,0:01:52.78,0:01:59.55,Default,,0000,0000,0000,,scope we are presenting today. We got our\Ninformation and the software from today,
Dialogue: 0,0:01:59.55,0:02:06.05,Default,,0000,0000,0000,,from the municipal elections in Bavaria\Nhappening in the early 2020. And it was a
Dialogue: 0,0:02:06.05,0:02:12.24,Default,,0000,0000,0000,,computer based vote counting technology.\NSo we were very concerned, when we
Dialogue: 0,0:02:12.24,0:02:16.62,Default,,0000,0000,0000,,interacted with it. And in the end, we\Nfeatured the questions, are elections
Dialogue: 0,0:02:16.62,0:02:24.02,Default,,0000,0000,0000,,still secure? Next, I presented the\Noutline we are talking about today, and
Dialogue: 0,0:02:24.02,0:02:28.86,Default,,0000,0000,0000,,first of all, we are looking at the\Nelectronic vote counting system. And next,
Dialogue: 0,0:02:28.86,0:02:34.42,Default,,0000,0000,0000,,we identified some conceptual and\Npractical issues with this technology.
Dialogue: 0,0:02:34.74,0:02:40.63,Default,,0000,0000,0000,,Afterwards, we also inspected the software\Nand found some insecurities. And in the
Dialogue: 0,0:02:40.63,0:02:46.73,Default,,0000,0000,0000,,end, we have summary and conclude our\Npresentation.
Dialogue: 0,0:02:46.73,0:02:52.06,Default,,0000,0000,0000,,J: To understand why we need electronic\Nvote counting, let's just have a look at
Dialogue: 0,0:02:52.06,0:02:57.77,Default,,0000,0000,0000,,the voting ballot. This voting ballot is\Nin its paper form about one meter wide and
Dialogue: 0,0:02:57.77,0:03:03.47,Default,,0000,0000,0000,,50 centimeters high. So, that's a quite a\Nlarge ballot, that's a lot of candidates.
Dialogue: 0,0:03:03.47,0:03:11.09,Default,,0000,0000,0000,,Let's just sum up the facts. So, we have a\Ntotal of 599 candidates that are spread
Dialogue: 0,0:03:11.09,0:03:17.29,Default,,0000,0000,0000,,out over nine parties. Each citizen is\Nallowed to cast up to 70 votes in this
Dialogue: 0,0:03:17.29,0:03:23.15,Default,,0000,0000,0000,,election. So, that sounds simple, but it\Ngets even more complicated now, because
Dialogue: 0,0:03:23.15,0:03:28.62,Default,,0000,0000,0000,,you can cast up to three votes per\Ncandidate and you can even choose multiple
Dialogue: 0,0:03:28.62,0:03:35.57,Default,,0000,0000,0000,,candidates of different parties up to your\N70 votes. And even if you decide yourself
Dialogue: 0,0:03:35.57,0:03:40.77,Default,,0000,0000,0000,,to vote for a single party, you can still\Nstrike out candidate that you personally
Dialogue: 0,0:03:40.77,0:03:46.14,Default,,0000,0000,0000,,don't like. And so they don't get any\Nvotes from your ballot. That means, this
Dialogue: 0,0:03:46.14,0:03:51.98,Default,,0000,0000,0000,,voting system gives a lot of power to the\Ncitizens and voting is fun.
Dialogue: 0,0:03:51.98,0:03:57.90,Default,,0000,0000,0000,,However, counting out those ballots is very\Ndifficult because you need to know a lot
Dialogue: 0,0:03:57.90,0:04:03.99,Default,,0000,0000,0000,,of special rules in this voting system to\Nreally count each ballot correctly. That's
Dialogue: 0,0:04:03.99,0:04:09.32,Default,,0000,0000,0000,,the reason that a software such as OK.VOTE\Nhas been developed. OK.VOTE is a typical
Dialogue: 0,0:04:09.32,0:04:15.15,Default,,0000,0000,0000,,software for elections that's also used in\Nthe polling stations for vote counting.
Dialogue: 0,0:04:15.15,0:04:20.48,Default,,0000,0000,0000,,So, OK.VOTE has a quite large market\Nshare. They say they have a like 75% in
Dialogue: 0,0:04:20.48,0:04:26.11,Default,,0000,0000,0000,,Germany. So that software is used in\Nseveral states. OK. VOTE has several
Dialogue: 0,0:04:26.11,0:04:32.11,Default,,0000,0000,0000,,different modules for organizing\Nelections, for example. But what we know
Dialogue: 0,0:04:32.11,0:04:40.08,Default,,0000,0000,0000,,have a look at in this talk is only the\Nvote counting module of OK.VOTE Where the
Dialogue: 0,0:04:40.08,0:04:47.33,Default,,0000,0000,0000,,election voters insert each paper ballot\Nand manually type it in all the votes in
Dialogue: 0,0:04:47.33,0:04:52.93,Default,,0000,0000,0000,,each ballot and then they are stored in\Nthe computer system. So, and the task of
Dialogue: 0,0:04:52.93,0:04:58.73,Default,,0000,0000,0000,,OK.VOTE is to process each ballot to count\Nthe votes, to find out if the ballot is
Dialogue: 0,0:04:58.73,0:05:03.71,Default,,0000,0000,0000,,correct, then it stores all the ballots\Ninto its database and finally it does some
Dialogue: 0,0:05:03.71,0:05:10.06,Default,,0000,0000,0000,,magic and computes the final result. So,\Nthis sounds quite similar to what a voting
Dialogue: 0,0:05:10.06,0:05:17.59,Default,,0000,0000,0000,,machine does. But wait a moment. Voting\Nmachines, in my Germany?
Dialogue: 0,0:05:17.59,0:05:22.58,Default,,0000,0000,0000,,T: Wait, that's illegal.\NJ: Is it really illegal? Let's have a look
Dialogue: 0,0:05:22.58,0:05:29.62,Default,,0000,0000,0000,,at the legal regulations about it. So,\Nyes, in 2009, there was an important
Dialogue: 0,0:05:29.62,0:05:35.26,Default,,0000,0000,0000,,decision by the German federal\Nconstitutional court and they said, that
Dialogue: 0,0:05:35.26,0:05:40.47,Default,,0000,0000,0000,,the use of voting computers in the 2005\NBundestag election was unconstitutional.
Dialogue: 0,0:05:40.47,0:05:48.76,Default,,0000,0000,0000,,Because, for example, the voting computers were \Nnot transparently enough. So, that is very
Dialogue: 0,0:05:48.76,0:05:54.39,Default,,0000,0000,0000,,similar to that what we have also found\Nfor the municipal elections. But wait, we
Dialogue: 0,0:05:54.39,0:05:58.56,Default,,0000,0000,0000,,are here talking about the Bundestag\Nelection. But this is the municipal
Dialogue: 0,0:05:58.56,0:06:03.43,Default,,0000,0000,0000,,election and we have different rules for\Nthe municipal elections. For example,
Dialogue: 0,0:06:03.43,0:06:10.37,Default,,0000,0000,0000,,there is the GLKrWO, that's the Gemeinde-\Nund Landkreiswahlordnung Bayern,
Dialogue: 0,0:06:10.37,0:06:16.60,Default,,0000,0000,0000,,which basically translates to the Bavarian\Nmunicipal election rules. And those rules
Dialogue: 0,0:06:16.60,0:06:23.01,Default,,0000,0000,0000,,say, that we are indeed not allowed to use\Na computer for voting, but computers can
Dialogue: 0,0:06:23.01,0:06:29.42,Default,,0000,0000,0000,,be used for vote counting. So, and in this\Nsituation, I would expect, that we have
Dialogue: 0,0:06:29.42,0:06:35.69,Default,,0000,0000,0000,,some sort of security requirements there\Nin those regulations. But I try to find
Dialogue: 0,0:06:35.69,0:06:40.71,Default,,0000,0000,0000,,them. And I was really surprised. There\Nare exactly zero.
Dialogue: 0,0:06:40.71,0:06:45.37,Default,,0000,0000,0000,,T: So, if there are no legal requirements, \Nare there at least any software side
Dialogue: 0,0:06:45.37,0:06:50.59,Default,,0000,0000,0000,,requirements or certifications for \NOK.VOTE which promise some security?
Dialogue: 0,0:06:50.59,0:06:55.81,Default,,0000,0000,0000,,J: Yes, there are. So, I had a look at the\Nwebsite and I saw this nice little
Dialogue: 0,0:06:55.81,0:07:03.13,Default,,0000,0000,0000,,paragraph here. And it says, Elections\Nwith security and during the development
Dialogue: 0,0:07:03.13,0:07:10.54,Default,,0000,0000,0000,,of OK.VOTE, they put the highest emphasis\Non the topic security. They follow the BSI
Dialogue: 0,0:07:10.54,0:07:16.19,Default,,0000,0000,0000,,and OWASP recommendations on security, and\Nthey have a certified data center with
Dialogue: 0,0:07:16.19,0:07:20.54,Default,,0000,0000,0000,,very high security standards\NT: And how does this look like in
Dialogue: 0,0:07:20.54,0:07:23.51,Default,,0000,0000,0000,,practice?\NJ: Oh, I rather would not show you this
Dialogue: 0,0:07:23.51,0:07:29.60,Default,,0000,0000,0000,,here. It's it's really scary. This is what\NI have seen here, when I walked in the
Dialogue: 0,0:07:29.60,0:07:33.91,Default,,0000,0000,0000,,election room. This is not a stock photo.\NI took this photo myself and this is the
Dialogue: 0,0:07:33.91,0:07:40.19,Default,,0000,0000,0000,,reality. So, I walked up to the guys and\Nsaid, well, shall we really use these
Dialogue: 0,0:07:40.19,0:07:44.07,Default,,0000,0000,0000,,computers to count out the elections and\Nthey said, yes, that are the computers
Dialogue: 0,0:07:44.07,0:07:50.04,Default,,0000,0000,0000,,that are available here. So, and I pray to\NGod that for some reason does not work
Dialogue: 0,0:07:50.04,0:07:55.10,Default,,0000,0000,0000,,out. And Windows XP did not disappoint me\Nbecause when I tried to start the
Dialogue: 0,0:07:55.10,0:08:02.81,Default,,0000,0000,0000,,software, it failed because that are 32\Nbit systems and OK.VOTE needs 64 bits. So,
Dialogue: 0,0:08:02.81,0:08:09.35,Default,,0000,0000,0000,,yeah, that was great. So, we did not use\Nthat Windows XP machine. So, instead we
Dialogue: 0,0:08:09.35,0:08:14.33,Default,,0000,0000,0000,,had to search for another machine and came\Nacross this one here. That's a Windows 10
Dialogue: 0,0:08:14.33,0:08:20.75,Default,,0000,0000,0000,,machine. That's fine. However, it has an\Noutdated virus scanner. So, well, it it's
Dialogue: 0,0:08:20.75,0:08:26.92,Default,,0000,0000,0000,,better than nothing. So, this machine was\Nused instead then. So, but just let's keep
Dialogue: 0,0:08:26.92,0:08:34.25,Default,,0000,0000,0000,,in mind what they are promising us:\Nelection security. We really doubt that.
Dialogue: 0,0:08:34.73,0:08:39.50,Default,,0000,0000,0000,,Let's now look at the IT environment and\Nwhy it came to that situation. So, first
Dialogue: 0,0:08:39.50,0:08:46.21,Default,,0000,0000,0000,,of all, this is not fully the fault of\NOK.VOTE, because it's the task for the
Dialogue: 0,0:08:46.21,0:08:53.68,Default,,0000,0000,0000,,local administration to provide hardware\Nfor vote counting and AKDB, the vendors of
Dialogue: 0,0:08:53.68,0:08:59.77,Default,,0000,0000,0000,,OK.VOTE say, that they recommend to use\Nsecure administration computers. That's
Dialogue: 0,0:08:59.77,0:09:05.52,Default,,0000,0000,0000,,fine so far, but we simply don't have\Nenough secure administration computers for
Dialogue: 0,0:09:05.52,0:09:10.84,Default,,0000,0000,0000,,that purpose. So, for example, in the town\Nwhere I'm from, we needed around 8
Dialogue: 0,0:09:10.84,0:09:16.57,Default,,0000,0000,0000,,computers to count out this election and\Nwe simply did not have enough in the town
Dialogue: 0,0:09:16.57,0:09:23.21,Default,,0000,0000,0000,,hall. And whats even more, the election\Nroom, it was in a school and there are
Dialogue: 0,0:09:23.21,0:09:27.92,Default,,0000,0000,0000,,already school PCs available there. So,\Nthey were just using the school PCs. So,
Dialogue: 0,0:09:27.92,0:09:33.52,Default,,0000,0000,0000,,and those were even elementary school\Ncomputers. So, I'm not really sure about,
Dialogue: 0,0:09:33.52,0:09:38.47,Default,,0000,0000,0000,,if all the pupils know, which link they\Nare allowed to click and which one they
Dialogue: 0,0:09:38.47,0:09:43.99,Default,,0000,0000,0000,,should rather not click on. So, this\Nsystems might be insecure, there might be
Dialogue: 0,0:09:43.99,0:09:49.04,Default,,0000,0000,0000,,malware within, and even if it's possible\Nthat someone had manipulated them in
Dialogue: 0,0:09:49.04,0:09:55.85,Default,,0000,0000,0000,,advance, we cannot really exclude that.\NHowever, I don't want to blame the
Dialogue: 0,0:09:55.85,0:10:00.06,Default,,0000,0000,0000,,administration here because they did a\Ngreat job in organizing this election.
Dialogue: 0,0:10:00.06,0:10:05.97,Default,,0000,0000,0000,,It's really much to do for them and it did\Nreally well. So, everything worked out
Dialogue: 0,0:10:05.97,0:10:12.28,Default,,0000,0000,0000,,well at the end. However, they are no IT-\NSecurity specialists and we cannot demand
Dialogue: 0,0:10:12.28,0:10:18.53,Default,,0000,0000,0000,,from them, that they know each detail on\Nhow to set up a system correctly and what
Dialogue: 0,0:10:18.53,0:10:24.04,Default,,0000,0000,0000,,are the risks that are associated with\Ninsecure computer systems in elections?
Dialogue: 0,0:10:24.04,0:10:29.89,Default,,0000,0000,0000,,That's just not their job. So, however, we\Nstill ended up with untrustworthy systems
Dialogue: 0,0:10:29.89,0:10:36.07,Default,,0000,0000,0000,,here. Because, as we have seen before,\Nthere are no legal regulations against it.
Dialogue: 0,0:10:36.07,0:10:40.11,Default,,0000,0000,0000,,Now, let's see how we create a digital\Nresult.
Dialogue: 0,0:10:40.11,0:10:47.21,Default,,0000,0000,0000,,T: Exactly. So, we went to our voting\Nplaces. We were presented with each one
Dialogue: 0,0:10:47.21,0:10:52.81,Default,,0000,0000,0000,,got a PC and we got the ballot stack we\Nhad to count and then enter the results.
Dialogue: 0,0:10:52.81,0:10:59.47,Default,,0000,0000,0000,,So, Johannes is Team 2 and I was Team 1\Nand we started entering the ballots in the
Dialogue: 0,0:10:59.47,0:11:06.23,Default,,0000,0000,0000,,PC. And from this on, they were digitized\NTeam 1 in green and Team 2 in blue.
Dialogue: 0,0:11:06.23,0:11:11.10,Default,,0000,0000,0000,,J: As soon as I was finished entering my\Nballots, I put them on a USB drive and
Dialogue: 0,0:11:11.10,0:11:16.74,Default,,0000,0000,0000,,handed them over to Team 1.\NT: Exactly. I imported these votes,
Dialogue: 0,0:11:16.74,0:11:22.09,Default,,0000,0000,0000,,because I was the master machine at this\Ntime, and the OK.VOTE software then
Dialogue: 0,0:11:22.09,0:11:28.58,Default,,0000,0000,0000,,finalised these voting elections and\Nexported their results finally again on an
Dialogue: 0,0:11:28.58,0:11:34.06,Default,,0000,0000,0000,,USB stick. And these were then delivered\Non for further processing.
Dialogue: 0,0:11:34.06,0:11:39.16,Default,,0000,0000,0000,,J: What is the problem with that all?\NFirst of all, there's a lot of
Dialogue: 0,0:11:39.16,0:11:43.30,Default,,0000,0000,0000,,intransparency. So, for example, the\Nsoftware that is being used for vote
Dialogue: 0,0:11:43.30,0:11:49.17,Default,,0000,0000,0000,,counting, OK.VOTE, it's not an open source\Nsoftware. It's closed source and nobody
Dialogue: 0,0:11:49.17,0:11:55.57,Default,,0000,0000,0000,,was able to analyze this yet. So, and\Nsince this is closed source software, it
Dialogue: 0,0:11:55.57,0:12:00.43,Default,,0000,0000,0000,,is also very hard to understand how the\Nsoftware works and if it really counts
Dialogue: 0,0:12:00.43,0:12:05.19,Default,,0000,0000,0000,,correctly, Because we have, in the end, we\Nhave hundreds of ballots there and it's
Dialogue: 0,0:12:05.19,0:12:10.22,Default,,0000,0000,0000,,really difficult to tell, if they have,\Nindeed, been counted correctly. So, and
Dialogue: 0,0:12:10.22,0:12:16.89,Default,,0000,0000,0000,,although we have seen this before, there\Nis no basis for a secure vote counting, if
Dialogue: 0,0:12:16.89,0:12:22.26,Default,,0000,0000,0000,,we have possibly rigged computer system.\NSo, we cannot exclude that someone has
Dialogue: 0,0:12:22.26,0:12:29.35,Default,,0000,0000,0000,,manipulated them pre-election wise. So, if\Nthere is some manipulation, this would
Dialogue: 0,0:12:29.35,0:12:34.99,Default,,0000,0000,0000,,hardly be detectable by a standard\Nelection worker. So, this means that the
Dialogue: 0,0:12:34.99,0:12:40.95,Default,,0000,0000,0000,,entire election process becomes very\Nintransparent and hard to understand for a
Dialogue: 0,0:12:40.95,0:12:46.46,Default,,0000,0000,0000,,person who just wants to observe the\Nelection. So, that is strictly against the
Dialogue: 0,0:12:46.46,0:12:52.95,Default,,0000,0000,0000,,idea of a public counting of votes.\NT: So, now let's talk about the step that
Dialogue: 0,0:12:52.95,0:12:58.32,Default,,0000,0000,0000,,happens after we finish counting \Nin each of the teams.
Dialogue: 0,0:12:58.32,0:13:02.04,Default,,0000,0000,0000,,J: So, what do you do after you have\Nexported the final election results?
Dialogue: 0,0:13:02.04,0:13:04.58,Default,,0000,0000,0000,,How do they come to the \Ncentral administration?
Dialogue: 0,0:13:04.58,0:13:10.67,Default,,0000,0000,0000,,T: Yeah, I've just entered my vehicle and\Ntook the USB sticks in my pocket and drove
Dialogue: 0,0:13:10.67,0:13:17.87,Default,,0000,0000,0000,,to the master PC. But, as you maybe know,\NElection Day is always very busy day and
Dialogue: 0,0:13:17.87,0:13:24.39,Default,,0000,0000,0000,,might some teams are slower at counting.\NSome teams are faster. So, the master team
Dialogue: 0,0:13:24.39,0:13:29.05,Default,,0000,0000,0000,,doesn't know when these USB sticks arrive.\NIf they take two or three hours or half an
Dialogue: 0,0:13:29.05,0:13:33.19,Default,,0000,0000,0000,,hour, they don't know really. So, I could\Njust go and grab something to eat on my
Dialogue: 0,0:13:33.19,0:13:39.31,Default,,0000,0000,0000,,way. Or I can manipulate the vote. I mean,\Ndeliver the votes. And yeah, in the end,
Dialogue: 0,0:13:39.31,0:13:44.31,Default,,0000,0000,0000,,one day, when I arrive at the master PC, I\Njust give them my USB stick, they enter it
Dialogue: 0,0:13:44.31,0:13:48.34,Default,,0000,0000,0000,,and they take the data that is stored on\Nthere and nothing else. And afterwards,
Dialogue: 0,0:13:48.34,0:13:52.57,Default,,0000,0000,0000,,they just uploaded the final \Nresults on the page.
Dialogue: 0,0:13:52.57,0:13:59.04,Default,,0000,0000,0000,,J: Now you might think, why is it possible\Nfor him to manipulate election results?
Dialogue: 0,0:13:59.04,0:14:04.84,Default,,0000,0000,0000,,Because there's no authenticity. There's\Nonly integrity protection of the file that
Dialogue: 0,0:14:04.84,0:14:10.39,Default,,0000,0000,0000,,he is transporting. So some CRC32 and a\NSHA hash, but nothing like a cryptographic
Dialogue: 0,0:14:10.39,0:14:16.46,Default,,0000,0000,0000,,signature. So, even if he alters the data,\Nhe can just regenerate all the integrity
Dialogue: 0,0:14:16.46,0:14:22.09,Default,,0000,0000,0000,,protection data and the data will just be\Naccepted. So, the main issue here is also,
Dialogue: 0,0:14:22.09,0:14:28.51,Default,,0000,0000,0000,,that this is one of the few spots where\Nonly a single person has unsupervised
Dialogue: 0,0:14:28.51,0:14:34.27,Default,,0000,0000,0000,,access to the data during transport of the\Nvoting data at all. And that makes
Dialogue: 0,0:14:34.27,0:14:39.26,Default,,0000,0000,0000,,manipulations possible and easily feasible\Nin this case. And that should not be the
Dialogue: 0,0:14:39.26,0:14:48.14,Default,,0000,0000,0000,,case, especially in an electronically\Nsupported election. Now, let's have a look
Dialogue: 0,0:14:48.14,0:14:52.49,Default,,0000,0000,0000,,at the vote counting software itself,\Nbecause there we found even more
Dialogue: 0,0:14:52.49,0:14:55.96,Default,,0000,0000,0000,,interesting results.\NT: Exactly. Let's begin with the system
Dialogue: 0,0:14:55.96,0:15:01.95,Default,,0000,0000,0000,,architecture. First of all, this is the\Nlocal or decentralized version of the
Dialogue: 0,0:15:01.95,0:15:08.01,Default,,0000,0000,0000,,software system. So all this is taking \Nplace on the local host, on the machine we
Dialogue: 0,0:15:08.01,0:15:13.15,Default,,0000,0000,0000,,encountered in the lecture rooms and on \Nthese machines, where it was an Apache Tomcat
Dialogue: 0,0:15:13.15,0:15:18.01,Default,,0000,0000,0000,,Web server running, which was connected to\Na MariaDB, and the user was interacting
Dialogue: 0,0:15:18.01,0:15:25.41,Default,,0000,0000,0000,,with the voting system via a portable\NFirefox and as AKDB said in before they
Dialogue: 0,0:15:25.41,0:15:33.17,Default,,0000,0000,0000,,were very concerned with security. So,\Nlet's think about what attackers are they
Dialogue: 0,0:15:33.17,0:15:38.35,Default,,0000,0000,0000,,had in mind when they designed the system\Nand from which the system is to protect
Dialogue: 0,0:15:38.35,0:15:44.34,Default,,0000,0000,0000,,from. Is it the user that maybe attacks\Nthe system, the vote count system, which
Dialogue: 0,0:15:44.34,0:15:51.34,Default,,0000,0000,0000,,is normally just election workers that are\Non their free time there to help executing
Dialogue: 0,0:15:51.34,0:15:57.55,Default,,0000,0000,0000,,the election, or are they having the\Nnetwork attackers in minds that come from
Dialogue: 0,0:15:57.55,0:16:03.08,Default,,0000,0000,0000,,completely different places and try to\Nmanipulate the network from outside? First
Dialogue: 0,0:16:03.08,0:16:09.90,Default,,0000,0000,0000,,of all, we took the user as one of the\Npossible attackers. And even in this
Dialogue: 0,0:16:09.90,0:16:15.41,Default,,0000,0000,0000,,environment, we found some really broken\Nstuff. First of all a broken access
Dialogue: 0,0:16:15.41,0:16:20.52,Default,,0000,0000,0000,,control. But how it's how it's all about.\NWell, that's the log in page when we just
Dialogue: 0,0:16:20.52,0:16:26.63,Default,,0000,0000,0000,,logged in our voting system and clicked on\Nadministration page where we can change
Dialogue: 0,0:16:26.63,0:16:31.47,Default,,0000,0000,0000,,our password and edit our profile. These\Nare the buttons on the left. And as you
Dialogue: 0,0:16:31.47,0:16:36.58,Default,,0000,0000,0000,,can see, we are clearly logged in as the\Nuser42. And there is no more things to do
Dialogue: 0,0:16:36.58,0:16:42.98,Default,,0000,0000,0000,,than select which counting part we want \Nto do, the general regional vote or the
Dialogue: 0,0:16:42.98,0:16:48.22,Default,,0000,0000,0000,,municipal votes. And that's all we can \Ndo on this page. Now let's switch to the
Dialogue: 0,0:16:48.22,0:16:53.73,Default,,0000,0000,0000,,system administrator. There we have the \Nadmin account, as you can see on the left
Dialogue: 0,0:16:53.73,0:17:00.19,Default,,0000,0000,0000,,upper side, where we can now do very much\Nmore than the normal user. We are again on
Dialogue: 0,0:17:00.19,0:17:04.48,Default,,0000,0000,0000,,the administration page, but now we have\Nthe user administration where we can
Dialogue: 0,0:17:04.48,0:17:12.50,Default,,0000,0000,0000,,create or delete users. We have the reopen\Nor close voting mechanisms. We have
Dialogue: 0,0:17:12.50,0:17:18.47,Default,,0000,0000,0000,,imports, we have exports and also what's\Nnot included in the screenshots submenus
Dialogue: 0,0:17:18.47,0:17:25.00,Default,,0000,0000,0000,,like deleting finalized results or and so\Non. So, we picked out two very interesting
Dialogue: 0,0:17:25.00,0:17:31.60,Default,,0000,0000,0000,,URLs for you. First of all, we are taking\Nthe "Bezirk wieder eröffnen" which is
Dialogue: 0,0:17:31.60,0:17:36.36,Default,,0000,0000,0000,,translated just to reopen the election\Nafter election as closed at normal. It's
Dialogue: 0,0:17:36.36,0:17:41.30,Default,,0000,0000,0000,,normally finalized, so no more votes can\Nbe entered in the system. And the other
Dialogue: 0,0:17:41.30,0:17:46.71,Default,,0000,0000,0000,,link is "Löschen". So that translates to\Ndelete data, which then in the end deletes
Dialogue: 0,0:17:46.71,0:17:53.16,Default,,0000,0000,0000,,all the data from from the machine. So, no\Nmore private or secure data is stored on
Dialogue: 0,0:17:53.16,0:17:59.47,Default,,0000,0000,0000,,there. And this is what they look like\Nwhen we only open them on the left side.
Dialogue: 0,0:17:59.47,0:18:04.43,Default,,0000,0000,0000,,We see to reopen dialog. On the right\Nside, we see the data delete. But wait,
Dialogue: 0,0:18:04.43,0:18:12.61,Default,,0000,0000,0000,,this is not the admin view, this is the\Nuser view. So, they did not check if this
Dialogue: 0,0:18:12.61,0:18:18.18,Default,,0000,0000,0000,,user is even allowed. And we also have to\Nsay, that this is not just the view of it,
Dialogue: 0,0:18:18.18,0:18:22.01,Default,,0000,0000,0000,,it is fully working and is completely\Nfunctional, when you just go through the
Dialogue: 0,0:18:22.01,0:18:25.53,Default,,0000,0000,0000,,process of deleting or reopening as an\Nelection.
Dialogue: 0,0:18:25.53,0:18:29.30,Default,,0000,0000,0000,,{\i1}Alarm sound{\i0}\NJ: What's the problem with that?
Dialogue: 0,0:18:29.30,0:18:33.75,Default,,0000,0000,0000,,T: Yeah, as you maybe already guessed,\Nreopening elections could create a
Dialogue: 0,0:18:33.75,0:18:38.53,Default,,0000,0000,0000,,probability of sneaking in some additional\Nvotes for the candidate I favor and
Dialogue: 0,0:18:38.53,0:18:44.80,Default,,0000,0000,0000,,additionally, if I want to mess with all\Nof the voting, I could just delete all the
Dialogue: 0,0:18:44.80,0:18:50.04,Default,,0000,0000,0000,,election data and we would have to start\Nfrom the beginning and completely delay or
Dialogue: 0,0:18:50.04,0:18:53.42,Default,,0000,0000,0000,,deny the voting.\NJ: But why is this even possible?
Dialogue: 0,0:18:53.42,0:18:59.71,Default,,0000,0000,0000,,T: Yeah, we found out that this is their\Naccess control check in their software
Dialogue: 0,0:18:59.71,0:19:05.69,Default,,0000,0000,0000,,this function is called getZugriffRollen,\Nwhich translates to get access roles. So
Dialogue: 0,0:19:05.69,0:19:10.86,Default,,0000,0000,0000,,normally there will also be the software\Nin place to check if this role is allowed
Dialogue: 0,0:19:10.86,0:19:15.30,Default,,0000,0000,0000,,to access this kind of site. But they just\Nreturned null and not implemented it.
Dialogue: 0,0:19:15.30,0:19:21.86,Default,,0000,0000,0000,,And that's also nice work to implement\Naccess control. However, I think we can
Dialogue: 0,0:19:21.86,0:19:27.42,Default,,0000,0000,0000,,propose some mechanisms that could have\Nprevented this. First of all, hidden
Dialogue: 0,0:19:27.42,0:19:33.17,Default,,0000,0000,0000,,information is nothing you could rely on.\NIf you just don't show where you can click
Dialogue: 0,0:19:33.17,0:19:38.84,Default,,0000,0000,0000,,to get to this url or to this page. That's\Nnot really secret because maybe you find
Dialogue: 0,0:19:38.84,0:19:43.49,Default,,0000,0000,0000,,some leaked source code or you make sure\Nserving at an admin or you just by
Dialogue: 0,0:19:43.49,0:19:48.77,Default,,0000,0000,0000,,accident type in the wrong url and get to\Nthis hidden information. Or you, exactly,
Dialogue: 0,0:19:48.77,0:19:54.50,Default,,0000,0000,0000,,use software scanners to find something\Nhidden. So hidden data is just not secure.
Dialogue: 0,0:19:54.50,0:19:59.01,Default,,0000,0000,0000,,And on the other hand, you should finalize\Nyour implementation of access control to
Dialogue: 0,0:19:59.01,0:20:03.39,Default,,0000,0000,0000,,have access control and even test it \Nonce to be sure that it works. So in the
Dialogue: 0,0:20:03.39,0:20:07.68,Default,,0000,0000,0000,,end we can conclude that hidden \Ndata is not protected data.
Dialogue: 0,0:20:07.68,0:20:11.80,Default,,0000,0000,0000,,T: Let's now come to another type of\Nattacks. Cross-site attacks. A cross-site
Dialogue: 0,0:20:11.80,0:20:17.01,Default,,0000,0000,0000,,attack is some sort of interference\Nbetween two websites. Where one website,
Dialogue: 0,0:20:17.01,0:20:21.86,Default,,0000,0000,0000,,for example, tries to do something on\Nbehalf of the other. The goal is often to
Dialogue: 0,0:20:21.86,0:20:27.05,Default,,0000,0000,0000,,deceit the user or to trigger the\Nmanipulations. First of all, we were quite
Dialogue: 0,0:20:27.05,0:20:33.22,Default,,0000,0000,0000,,sure that they have thought of cross-site\Nattacks. Because doing our testing, we saw
Dialogue: 0,0:20:33.22,0:20:39.98,Default,,0000,0000,0000,,that they included some HTTP-Headers that\Ntarget a wide range of attack vectors that
Dialogue: 0,0:20:39.98,0:20:45.14,Default,,0000,0000,0000,,use Cross-site scripting attacks. For\Nexample, here we have X-Frame-Options:
Dialogue: 0,0:20:45.14,0:20:52.18,Default,,0000,0000,0000,,same origin. That means that other pages\Ncan not include the voting software into
Dialogue: 0,0:20:52.18,0:20:56.61,Default,,0000,0000,0000,,their own frames and so on. And also\Ncross-site scripting protection is enabled
Dialogue: 0,0:20:56.61,0:21:03.74,Default,,0000,0000,0000,,via X-XXS-Protection. So this looks quite\Ngood because this already excludes several
Dialogue: 0,0:21:03.74,0:21:10.33,Default,,0000,0000,0000,,attack vectors. But how about cross-site\Nrequest forgery? When we first tested
Dialogue: 0,0:21:10.33,0:21:16.16,Default,,0000,0000,0000,,this, we found out that the vote counting\Nsystem is not fully protected against it.
Dialogue: 0,0:21:16.16,0:21:21.49,Default,,0000,0000,0000,,What is cross-site request forgery? So in\Nthe first step, the election worker uses
Dialogue: 0,0:21:21.49,0:21:26.57,Default,,0000,0000,0000,,the integrated Firefox Browser to accept \Na malicious website. So the user is
Dialogue: 0,0:21:26.57,0:21:31.96,Default,,0000,0000,0000,,triggered to visit this website. For\Nexample, someone sent him a link triggered
Dialogue: 0,0:21:31.96,0:21:37.80,Default,,0000,0000,0000,,him to click on the link by the promise,\Nfor example, of a cute animal picture or
Dialogue: 0,0:21:37.80,0:21:43.09,Default,,0000,0000,0000,,some sort of that. And then the user\Nvisits this website. And this website
Dialogue: 0,0:21:43.09,0:21:47.97,Default,,0000,0000,0000,,contains form fields that resemble the\Nform fields of the actual vote counting
Dialogue: 0,0:21:47.97,0:21:53.89,Default,,0000,0000,0000,,software. And the malicious website now\Ntriggers your browser to submit this form
Dialogue: 0,0:21:53.89,0:21:59.58,Default,,0000,0000,0000,,data, not to the original website, but\Nrather to the vote counting software. And
Dialogue: 0,0:21:59.58,0:22:04.49,Default,,0000,0000,0000,,as soon as it reaches the Tomcat web\Nserver, the web server is confused.
Dialogue: 0,0:22:04.49,0:22:11.27,Default,,0000,0000,0000,,Because the web server cannot discern the\Ninput from the cross-site attack from the
Dialogue: 0,0:22:11.27,0:22:15.43,Default,,0000,0000,0000,,malicious website from original user\Ninput. And then the Apache Tomcat server
Dialogue: 0,0:22:15.43,0:22:20.48,Default,,0000,0000,0000,,just thinks that this is original user\Ninput and will process it. And that's
Dialogue: 0,0:22:20.48,0:22:25.55,Default,,0000,0000,0000,,called a cross-site request forgery\Nattack. So we saw that there is sometimes
Dialogue: 0,0:22:25.55,0:22:31.36,Default,,0000,0000,0000,,a protection against this sort of attacks.\NBut many pages are not protected against
Dialogue: 0,0:22:31.36,0:22:37.65,Default,,0000,0000,0000,,it. And that is very concerning because\Nthat's a 2001's vulnerability. It's almost
Dialogue: 0,0:22:37.65,0:22:43.87,Default,,0000,0000,0000,,20 years old now and it's still present in\Nsuch a software. So this is quite
Dialogue: 0,0:22:43.87,0:22:49.95,Default,,0000,0000,0000,,unsettling here. Now, let's sum this up.\NWhat we can do with it. So, first of all,
Dialogue: 0,0:22:49.95,0:22:55.51,Default,,0000,0000,0000,,the issue is that they have missing CSRF\Ntokens or any other good countermeasure
Dialogue: 0,0:22:55.51,0:23:00.46,Default,,0000,0000,0000,,against cross site request forgery\Nattacks. And the second point is here,
Dialogue: 0,0:23:00.46,0:23:05.16,Default,,0000,0000,0000,,that only minimal user interaction is\Nrequired. The user often doesn't even see
Dialogue: 0,0:23:05.16,0:23:11.23,Default,,0000,0000,0000,,that a cross-site request forgery attack\Nis currently being executed on his behalf.
Dialogue: 0,0:23:11.23,0:23:15.70,Default,,0000,0000,0000,,So it's almost undetectable by the user.\NAnd it's very simple to trick a user into
Dialogue: 0,0:23:15.70,0:23:22.82,Default,,0000,0000,0000,,clicking a link. So the impact is very\Ndevastating because we can now manipulate
Dialogue: 0,0:23:22.82,0:23:29.41,Default,,0000,0000,0000,,settings in the vote counting software.\NAnd we can even insert fake ballots here.
Dialogue: 0,0:23:29.41,0:23:33.60,Default,,0000,0000,0000,,{\i1}Alarm sound {\i0}\NT: So what's the result of this?
Dialogue: 0,0:23:33.60,0:23:37.90,Default,,0000,0000,0000,,What we can do with it?\NJ: Well, we can manipulate the entire
Dialogue: 0,0:23:37.90,0:23:42.53,Default,,0000,0000,0000,,election with this. Let's just use a demo.\NHow we do this.
Dialogue: 0,0:23:42.53,0:23:45.01,Default,,0000,0000,0000,,T: Nice.\NJ: We are already logged in into the vote
Dialogue: 0,0:23:45.01,0:23:54.76,Default,,0000,0000,0000,,counting system. Our username is\Nadmin321934. Now let's count some votes.
Dialogue: 0,0:23:54.76,0:23:59.62,Default,,0000,0000,0000,,As we can see here, these are all the\Nballots that we can enter. They are still
Dialogue: 0,0:23:59.62,0:24:07.23,Default,,0000,0000,0000,,empty since we haven't entered any ballots\Nyet. So let's start. For simplicity, we
Dialogue: 0,0:24:07.23,0:24:12.34,Default,,0000,0000,0000,,just have two parties here. On the left\Nhand side we have the good party. Who
Dialogue: 0,0:24:12.34,0:24:16.81,Default,,0000,0000,0000,,wants the best for the people. On the\Nright hand side we have the bad party
Dialogue: 0,0:24:16.81,0:24:22.34,Default,,0000,0000,0000,,who wants to take power and is willing to\Neven commit election fraud. Let us begin
Dialogue: 0,0:24:22.34,0:24:27.96,Default,,0000,0000,0000,,and enter the first paper ballot. The\Nperson has voted for the good party. So we
Dialogue: 0,0:24:27.96,0:24:37.87,Default,,0000,0000,0000,,enter this into the software. Now we save\Nthe ballot and go to the next one. Again,
Dialogue: 0,0:24:37.87,0:24:44.74,Default,,0000,0000,0000,,it's a vote for the good party. Let's\Nenter it and save it and go to the third
Dialogue: 0,0:24:44.74,0:24:52.91,Default,,0000,0000,0000,,ballot. And again, it's for the good\Nparty. Let's save our third ballot. Now we
Dialogue: 0,0:24:52.91,0:24:59.87,Default,,0000,0000,0000,,go to the ballot overview and we look what\Nhas happened. As you can see, we now have
Dialogue: 0,0:24:59.87,0:25:05.24,Default,,0000,0000,0000,,three ballots that have successfully been\Nentered. At next, let's check the
Dialogue: 0,0:25:05.24,0:25:11.35,Default,,0000,0000,0000,,preliminary election results. As we can\Nsee here, we have a total of three ballots
Dialogue: 0,0:25:11.35,0:25:15.98,Default,,0000,0000,0000,,that have been entered into the system.\NThat's correct. Three ballots contained
Dialogue: 0,0:25:15.98,0:25:21.76,Default,,0000,0000,0000,,votes for the good party. That's also\Ncorrect. And zero votes have been given to
Dialogue: 0,0:25:21.76,0:25:28.24,Default,,0000,0000,0000,,the bad party. That's fine so far. Next, I\Nwill show you what happens if i open a
Dialogue: 0,0:25:28.24,0:25:32.62,Default,,0000,0000,0000,,malicious website. This website will\Nexecute a CSRF attack and manipulate the
Dialogue: 0,0:25:32.62,0:25:38.34,Default,,0000,0000,0000,,election results. Let's just assume we\Nwant to take a break and simply both
Dialogue: 0,0:25:38.34,0:25:54.06,Default,,0000,0000,0000,,twitter. OK, here we are. There's a cute\Ncat picture and there's a link to even
Dialogue: 0,0:25:54.06,0:26:02.39,Default,,0000,0000,0000,,more of them. Let's just play along and\Nget tricked into clicking that link. Oh,
Dialogue: 0,0:26:02.39,0:26:08.00,Default,,0000,0000,0000,,look at all those cute animal pictures,\Nlook a hungry rabbit, a monkey, a little
Dialogue: 0,0:26:08.00,0:26:14.32,Default,,0000,0000,0000,,hedgehog and two cute goats and so on, and\Nwhen we are done browsing, we close those
Dialogue: 0,0:26:14.32,0:26:23.34,Default,,0000,0000,0000,,tabs again and return to our vote counting\Nsoftware. What we notice now is, that our
Dialogue: 0,0:26:23.34,0:26:29.46,Default,,0000,0000,0000,,username has been altered and we just got\Npwned. We were tricked into visiting this
Dialogue: 0,0:26:29.46,0:26:34.60,Default,,0000,0000,0000,,malicious website. The website executed a\NCSRF attack on the vote counting software
Dialogue: 0,0:26:34.60,0:26:42.76,Default,,0000,0000,0000,,and did some manipulations. Let's see what\Nelse has changed. However, all three
Dialogue: 0,0:26:42.76,0:26:48.43,Default,,0000,0000,0000,,ballots are still there, but now we take a\Nlook at the preliminary election results.
Dialogue: 0,0:26:48.43,0:26:53.79,Default,,0000,0000,0000,,What you can see here is that the number\Nof ballots that are in the system has been
Dialogue: 0,0:26:53.79,0:26:58.19,Default,,0000,0000,0000,,increased to eight. We now have five\Nadditional ballots that were not entered
Dialogue: 0,0:26:58.19,0:27:03.73,Default,,0000,0000,0000,,by us. As you can see, the good party\Nstill has three votes. That is what we
Dialogue: 0,0:27:03.73,0:27:09.53,Default,,0000,0000,0000,,have entered. But now the bad party has\Ntaken the lead. They have five votes now.
Dialogue: 0,0:27:09.53,0:27:15.65,Default,,0000,0000,0000,,This attack has indeed manipulated the\Nelection results. This is really bad
Dialogue: 0,0:27:15.65,0:27:21.11,Default,,0000,0000,0000,,because we cannot even see those\Nadditional fake ballots that have been
Dialogue: 0,0:27:21.11,0:27:26.79,Default,,0000,0000,0000,,injected. However, we are lucky because we\Nnoticed it since we have expected this
Dialogue: 0,0:27:26.79,0:27:32.29,Default,,0000,0000,0000,,attack. But we won't notice \Nit in every case.
Dialogue: 0,0:27:33.56,0:27:39.12,Default,,0000,0000,0000,,T: But what happens if we don't notice?\NJ: Well, that happens. So, for this
Dialogue: 0,0:27:39.12,0:27:44.21,Default,,0000,0000,0000,,example, we just assume that team 1 had\Nthree ballots that they have entered into
Dialogue: 0,0:27:44.21,0:27:48.25,Default,,0000,0000,0000,,the computer system and team 2 has six\Nballots that have been entered into the
Dialogue: 0,0:27:48.25,0:27:55.04,Default,,0000,0000,0000,,computer system. Now team one visits a\Nmalicious website and five fake ballots
Dialogue: 0,0:27:55.04,0:28:01.08,Default,,0000,0000,0000,,are injected into the election results. In\Nthis case, the attacker is very smart and
Dialogue: 0,0:28:01.08,0:28:06.50,Default,,0000,0000,0000,,injects the ballots at the location where\Nthe team 2 ballots will be expected in the
Dialogue: 0,0:28:06.50,0:28:14.21,Default,,0000,0000,0000,,future. So what happens now is: team 2\Nexports their ballots and team 1 tries to
Dialogue: 0,0:28:14.21,0:28:20.74,Default,,0000,0000,0000,,import the ballots of team 2. And now the\Nfollowing thing happens: Because there are
Dialogue: 0,0:28:20.74,0:28:26.46,Default,,0000,0000,0000,,already ballots present at the location\Nwhere the team 2 ballots should go to, the
Dialogue: 0,0:28:26.46,0:28:32.35,Default,,0000,0000,0000,,import process is not fully successful and\Nonly a subset of the ballots are imported
Dialogue: 0,0:28:32.35,0:28:37.96,Default,,0000,0000,0000,,so that the majority of the ballots into\Nthis case, five or six ballots are just
Dialogue: 0,0:28:37.96,0:28:42.48,Default,,0000,0000,0000,,discarded because they don't fit in the\Ndatabase anymore because that location is
Dialogue: 0,0:28:42.48,0:28:48.12,Default,,0000,0000,0000,,already taken by the fake ballots. So\Nusually we would expect that this can
Dialogue: 0,0:28:48.12,0:28:52.79,Default,,0000,0000,0000,,generate an error message or at least a\Nwarning. But this does not happen. This is
Dialogue: 0,0:28:52.79,0:28:59.57,Default,,0000,0000,0000,,a silent failure of the software. And\Nwhat's even worst is now that the sums
Dialogue: 0,0:28:59.57,0:29:04.64,Default,,0000,0000,0000,,finally are correct. So that means we now\Nhave nine ballots present in the system
Dialogue: 0,0:29:04.64,0:29:09.93,Default,,0000,0000,0000,,and nine paper ballots that were initially\Navailable. So this looks like we have
Dialogue: 0,0:29:09.93,0:29:14.25,Default,,0000,0000,0000,,entered all the ballots and everything\Nseems to be fine. So we will now close the
Dialogue: 0,0:29:14.25,0:29:19.49,Default,,0000,0000,0000,,election and generate the final result.\NAnd that is what happens now. As you can
Dialogue: 0,0:29:19.49,0:29:25.62,Default,,0000,0000,0000,,see, we have only four votes for the good\Nparty, but five votes for the bad party.
Dialogue: 0,0:29:25.62,0:29:31.75,Default,,0000,0000,0000,,So the bad party has won the election by\Nmanipulating the voting system, using this
Dialogue: 0,0:29:31.75,0:29:38.27,Default,,0000,0000,0000,,CSRF attack. And that should never be\Npossible because this is not what we
Dialogue: 0,0:29:38.27,0:29:45.81,Default,,0000,0000,0000,,expect for a voting software. And in this\Ncase, the result is rigged. So have we
Dialogue: 0,0:29:45.81,0:29:50.57,Default,,0000,0000,0000,,thought about network vulnerabilities?\NT: Yeah, sure, that's exactly the other
Dialogue: 0,0:29:50.57,0:29:55.01,Default,,0000,0000,0000,,side of the coin. First, we checked the\Nelection worker side for attacks, but now
Dialogue: 0,0:29:55.01,0:30:00.34,Default,,0000,0000,0000,,we checked the network side and scanned\Nand analyzed the system at first. And then
Dialogue: 0,0:30:00.34,0:30:07.53,Default,,0000,0000,0000,,we looked like this: Open ports\Neverywhere. And as you can see, they fully
Dialogue: 0,0:30:07.53,0:30:13.73,Default,,0000,0000,0000,,exposed the Apache Tomcat and the MariaDB\Nto each available network on the system.
Dialogue: 0,0:30:13.73,0:30:19.01,Default,,0000,0000,0000,,And with this, we thought, well, let's maybe \Ntry some newly discovered vulnerability,
Dialogue: 0,0:30:19.01,0:30:25.09,Default,,0000,0000,0000,,which was recently found in 2020 called\NGhostcat. And Ghostcat is an attack
Dialogue: 0,0:30:25.09,0:30:31.29,Default,,0000,0000,0000,,against AJP protocol from Apache. But\Nlet's check the Apache system and how it's
Dialogue: 0,0:30:31.29,0:30:37.78,Default,,0000,0000,0000,,built. First, Apache has a web root which\Nserves static resources and HTML or JSP
Dialogue: 0,0:30:37.78,0:30:43.27,Default,,0000,0000,0000,,files. And additionally, it can include\Nclass files or class sublets which are
Dialogue: 0,0:30:43.27,0:30:48.98,Default,,0000,0000,0000,,combined with this JSPs or HTML files and\Nthen served to the user. So we prepared
Dialogue: 0,0:30:48.98,0:30:56.50,Default,,0000,0000,0000,,our ajpShooter with the URL of the\Napplication, the port and the file we want
Dialogue: 0,0:30:56.50,0:31:01.98,Default,,0000,0000,0000,,to read. In our case, it's a PrivateTest\Nclass file because, what we
Dialogue: 0,0:31:01.98,0:31:07.25,Default,,0000,0000,0000,,could leak about this, but we'll see. And\Nthen we said we only want to read it
Dialogue: 0,0:31:07.25,0:31:10.75,Default,,0000,0000,0000,,because there would even be the\Npossibility to evaluate it and execute the
Dialogue: 0,0:31:10.75,0:31:17.60,Default,,0000,0000,0000,,code in it. So we've done this attack and\NTADA we've got a result. This is the byte
Dialogue: 0,0:31:17.60,0:31:22.51,Default,,0000,0000,0000,,code of the PrivateTest class. So let's\Njust drop this byte code in our cup of
Dialogue: 0,0:31:22.51,0:31:29.13,Default,,0000,0000,0000,,coffee and maybe we can pull out some\Nsource code from it. And yeah that's what
Dialogue: 0,0:31:29.13,0:31:36.70,Default,,0000,0000,0000,,we've read out because why not. Just test\Nyour encryption mechanism with the string.
Dialogue: 0,0:31:36.70,0:31:42.02,Default,,0000,0000,0000,,But this is not a common string as you\Nlater found out. This is the real root
Dialogue: 0,0:31:42.02,0:31:45.66,Default,,0000,0000,0000,,productive password of the MariaDB. And\Nthis was like:
Dialogue: 0,0:31:45.66,0:31:51.78,Default,,0000,0000,0000,,{\i1}Alarm sound{\i0}\NSo what's the problem? As you maybe
Dialogue: 0,0:31:51.78,0:31:56.85,Default,,0000,0000,0000,,clearly see with this attack, we could\Nleak out the login of the MariaDB and
Dialogue: 0,0:31:56.85,0:32:02.36,Default,,0000,0000,0000,,probably even more logins or passwords.\NAnd additionally, we could leak the whole
Dialogue: 0,0:32:02.36,0:32:08.39,Default,,0000,0000,0000,,source code over the network without ever\Naccessing the PC in the election room. And
Dialogue: 0,0:32:08.39,0:32:15.53,Default,,0000,0000,0000,,this was only possible because they\Ncompletely exposed all machines and
Dialogue: 0,0:32:15.53,0:32:22.28,Default,,0000,0000,0000,,applications to the network and this\Nshould never be the case. So in result:
Dialogue: 0,0:32:22.28,0:32:26.90,Default,,0000,0000,0000,,How can this be prevented? First, you\Nshould never expose these unneeded ports
Dialogue: 0,0:32:26.90,0:32:31.44,Default,,0000,0000,0000,,to internet because they don't even use\Nthe AJP proxy in their application, but
Dialogue: 0,0:32:31.44,0:32:38.18,Default,,0000,0000,0000,,just left it on the 0.0.0.0 interface.\NNext is: You should keep your software up
Dialogue: 0,0:32:38.18,0:32:43.95,Default,,0000,0000,0000,,to date. That if some vulnerabilities were\Nfound. You should not be vulnerable to it.
Dialogue: 0,0:32:43.95,0:32:49.77,Default,,0000,0000,0000,,And last but not least: Never use\Nproductive passwords in your unit tests
Dialogue: 0,0:32:49.77,0:32:55.43,Default,,0000,0000,0000,,because that's not the best idea to do. In\Nthe end, to sum it up: Avoid at all costs
Dialogue: 0,0:32:55.43,0:33:01.32,Default,,0000,0000,0000,,any additional attack surface to prevent\Nthese kind of attacks, even if you don't
Dialogue: 0,0:33:01.32,0:33:04.67,Default,,0000,0000,0000,,know about them yet.\NJ: So, after Tobi has shown us a lot of
Dialogue: 0,0:33:04.67,0:33:09.76,Default,,0000,0000,0000,,interesting and patchy stuff. I tested the\Ndatabase for its security. For the first
Dialogue: 0,0:33:09.76,0:33:14.92,Default,,0000,0000,0000,,analysis. I was just starting with the\Nsame PC, but also the software was
Dialogue: 0,0:33:14.92,0:33:20.15,Default,,0000,0000,0000,,installed and I tried to gain access to\Nthe database. So it was coming from the
Dialogue: 0,0:33:20.15,0:33:25.04,Default,,0000,0000,0000,,host localhost. I tried to use the\Nusername root and then I saw that I am
Dialogue: 0,0:33:25.04,0:33:29.72,Default,,0000,0000,0000,,asked for a password before I'm allowed to\Nconnect to the database. However, finding
Dialogue: 0,0:33:29.72,0:33:35.34,Default,,0000,0000,0000,,the password was quite trivial to do\Nbecause all the stuff I needed to know for
Dialogue: 0,0:33:35.34,0:33:40.74,Default,,0000,0000,0000,,that was included in that last file and I\Nwas able to decrypt the password without
Dialogue: 0,0:33:40.74,0:33:46.40,Default,,0000,0000,0000,,any issue here. And that moment I realized\Nthat also the password that Tobi has shown
Dialogue: 0,0:33:46.40,0:33:51.31,Default,,0000,0000,0000,,us before, that he found with the Ghostcat\Nvulnerability is indeed the MySQL root
Dialogue: 0,0:33:51.31,0:33:58.85,Default,,0000,0000,0000,,password here. So after I had access to\Nthe MySQL system, I tried to dump the user
Dialogue: 0,0:33:58.85,0:34:05.51,Default,,0000,0000,0000,,table to look which users are allowed to\Naccess the database. So and that is how
Dialogue: 0,0:34:05.51,0:34:11.36,Default,,0000,0000,0000,,the user table looks like. We have four\Ntimes the user root and the user root
Dialogue: 0,0:34:11.36,0:34:16.58,Default,,0000,0000,0000,,requires a password if I'm coming from\Nlocalhost. But wait a moment. Here we also
Dialogue: 0,0:34:16.58,0:34:23.84,Default,,0000,0000,0000,,have the host pci90309. And as you can see\Nhere, there is no MySQL password
Dialogue: 0,0:34:23.84,0:34:29.69,Default,,0000,0000,0000,,statement. That means that someone coming\Nfrom host pci90309 is almost allowed to
Dialogue: 0,0:34:29.69,0:34:37.52,Default,,0000,0000,0000,,connect as root and does not even need to\Nprovide any password for that. And thats
Dialogue: 0,0:34:37.52,0:34:42.10,Default,,0000,0000,0000,,really strange.\N{\i1} Alarm sound {\i0}
Dialogue: 0,0:34:42.10,0:34:50.53,Default,,0000,0000,0000,,T: So what could happen from this?\NJ: Well, now someone on the network can
Dialogue: 0,0:34:50.53,0:34:56.31,Default,,0000,0000,0000,,now just lump voting manipulation. That's\Nquite trivial because as soon as I set my
Dialogue: 0,0:34:56.31,0:35:01.25,Default,,0000,0000,0000,,host to the correct hostname, I get full\Naccess to the database where all my local
Dialogue: 0,0:35:01.25,0:35:05.75,Default,,0000,0000,0000,,voting results are stored. And since I'm\Nroot, I can interfer with them. I can
Dialogue: 0,0:35:05.75,0:35:09.94,Default,,0000,0000,0000,,change them however I want to. And this\Nvulnerability is so damn weird and
Dialogue: 0,0:35:09.94,0:35:16.85,Default,,0000,0000,0000,,trivial, it takes me no effort to do this\Nat all. And so we won't even go into a
Dialogue: 0,0:35:16.85,0:35:22.77,Default,,0000,0000,0000,,demo here because it's so stupid simple in\Nthis case. Usually I would say that's
Dialogue: 0,0:35:22.77,0:35:28.37,Default,,0000,0000,0000,,enough for today because we already have\Nfull access to the voting system and can
Dialogue: 0,0:35:28.37,0:35:33.62,Default,,0000,0000,0000,,change whatever we want to. However, this\Ntime we decided to go deeper because we
Dialogue: 0,0:35:33.62,0:35:42.29,Default,,0000,0000,0000,,saw pci90309 is a real door opener. So we\Nhave access to the voting results. We can
Dialogue: 0,0:35:42.29,0:35:47.63,Default,,0000,0000,0000,,change them, but we still don't have\Naccess to the entire voting system. So
Dialogue: 0,0:35:47.63,0:35:52.19,Default,,0000,0000,0000,,what about the PC? Might it be possible,\Nwith that root access to the database
Dialogue: 0,0:35:52.19,0:35:59.84,Default,,0000,0000,0000,,server, to gain remote code execution at\Nthat machine? So for this experiment, I
Dialogue: 0,0:35:59.84,0:36:04.74,Default,,0000,0000,0000,,used the following setup. On the right hand\Nside we have a voting system with the
Dialogue: 0,0:36:04.74,0:36:10.62,Default,,0000,0000,0000,,exposed MariaDB database server. On the\Nleft hand side that's my system. I named
Dialogue: 0,0:36:10.62,0:36:16.48,Default,,0000,0000,0000,,myself pci90309, just because i can do it,\Nand I establish a connection to the
Dialogue: 0,0:36:16.48,0:36:23.93,Default,,0000,0000,0000,,MariaDB server. I use root as a username.\NI don't need any password. And it is
Dialogue: 0,0:36:23.93,0:36:30.12,Default,,0000,0000,0000,,immediately accepted. So now that I am\Nconnected, I'm allowed to issue commands.
Dialogue: 0,0:36:30.12,0:36:36.44,Default,,0000,0000,0000,,For example, I can now instruct MariaDB to\Nenable one of its plugins. This plugin is
Dialogue: 0,0:36:36.44,0:36:42.39,Default,,0000,0000,0000,,called ha_connect. It's one of the plugins\Nthat usually come directly with MariaDB.
Dialogue: 0,0:36:42.39,0:36:49.98,Default,,0000,0000,0000,,And this is a very powerful MySQL storage\Ndriver. So now I will show you what I can
Dialogue: 0,0:36:49.98,0:36:57.02,Default,,0000,0000,0000,,do with that storage driver. So at next, I\Nwill now create a table that's called pwn.
Dialogue: 0,0:36:57.02,0:37:02.54,Default,,0000,0000,0000,,And I'm using the ha_connect storage\Ndriver and instruct the storage driver to
Dialogue: 0,0:37:02.54,0:37:09.47,Default,,0000,0000,0000,,create a file that's called pwn.dll and to\Nplace it right into that plugin folder.
Dialogue: 0,0:37:09.47,0:37:14.27,Default,,0000,0000,0000,,There is nothing that stops me from doing\Nso. So that is one of the special features
Dialogue: 0,0:37:14.27,0:37:20.29,Default,,0000,0000,0000,,of the ha_connect storage driver, that I\Ncan just say, this table is mapped to that
Dialogue: 0,0:37:20.29,0:37:25.18,Default,,0000,0000,0000,,file in the file system. However, this\Nfile is still empty because the table is
Dialogue: 0,0:37:25.18,0:37:30.69,Default,,0000,0000,0000,,empty. But since this is a database, I can\Nnow just issue INSERT INTO statements and
Dialogue: 0,0:37:30.69,0:37:36.43,Default,,0000,0000,0000,,load whatever data I want to, for example,\Nsome malicious DLL. I can just load into
Dialogue: 0,0:37:36.43,0:37:41.27,Default,,0000,0000,0000,,the table, via that INSERT INTO a\Nstatement, and then it is directly written
Dialogue: 0,0:37:41.27,0:37:49.47,Default,,0000,0000,0000,,into our malicious DLL "pwn.dll". Ok, so\Nat next, after I've finished writing, I
Dialogue: 0,0:37:49.47,0:37:55.06,Default,,0000,0000,0000,,will instruct MariaDB to enable this\Nplugin that I have just uploaded. And
Dialogue: 0,0:37:55.06,0:38:00.45,Default,,0000,0000,0000,,enabling a plugin means that we are\Nexecuting the code that is stored in this
Dialogue: 0,0:38:00.45,0:38:05.18,Default,,0000,0000,0000,,DLL file. So that means we have remote\Ncode execution.
Dialogue: 0,0:38:05.18,0:38:09.96,Default,,0000,0000,0000,,{\i1} Alarm Sound {\i0}\NT: I don't even ask what you can with
Dialogue: 0,0:38:09.96,0:38:14.41,Default,,0000,0000,0000,,remote code execution.\NJ: Well, I can do anything. So that means
Dialogue: 0,0:38:14.41,0:38:19.87,Default,,0000,0000,0000,,I have no gate, full control over the\Nentire vote counting system. So I'm not
Dialogue: 0,0:38:19.87,0:38:24.52,Default,,0000,0000,0000,,only talking about the data in the\Ndatabase, I'm talking about the entire
Dialogue: 0,0:38:24.52,0:38:30.04,Default,,0000,0000,0000,,computer that I can now fully control and\Nmanipulate however I want to. And that's
Dialogue: 0,0:38:30.04,0:38:35.58,Default,,0000,0000,0000,,possible, only by using the voting\Nsoftware and accessing it over the network
Dialogue: 0,0:38:35.58,0:38:41.08,Default,,0000,0000,0000,,interfaces that it had exposed. And now\NI'll show you how simple this is to
Dialogue: 0,0:38:41.08,0:38:49.72,Default,,0000,0000,0000,,execute an arbitrary program on the system.\NT: This is the vote counting computer
Dialogue: 0,0:38:49.72,0:39:01.58,Default,,0000,0000,0000,,system. To begin, let's start the vote\Ncounting software. Now, the Apache Tomcat
Dialogue: 0,0:39:01.58,0:39:07.73,Default,,0000,0000,0000,,Web server and the MariaDB database server\Nare being launched. Finally, the Firefox
Dialogue: 0,0:39:07.73,0:39:14.60,Default,,0000,0000,0000,,portable is started. The system is now\Nready for operation. But beware, the
Dialogue: 0,0:39:14.60,0:39:21.95,Default,,0000,0000,0000,,attacker becomes active, his host name is\Nthe infamous pci90309, immediately it
Dialogue: 0,0:39:21.95,0:39:28.74,Default,,0000,0000,0000,,launches the python attack script\N"fun.py". It connects to the MariaDB
Dialogue: 0,0:39:28.74,0:39:34.84,Default,,0000,0000,0000,,server as root without a password and\Nuploads a malicious DLL plugin. When the
Dialogue: 0,0:39:34.84,0:39:41.51,Default,,0000,0000,0000,,upload has been finished, the malicious\Nplugin is executed. As we can see, the
Dialogue: 0,0:39:41.51,0:39:47.51,Default,,0000,0000,0000,,calculator was started thus remote code\Nexecution was successful. The vote
Dialogue: 0,0:39:47.51,0:39:52.87,Default,,0000,0000,0000,,counting computer system is now under\Ncontrol of the attacker.
Dialogue: 0,0:39:52.87,0:40:00.89,Default,,0000,0000,0000,,J: After we have found so devastating\Nissues with the vote counting Software, we
Dialogue: 0,0:40:00.89,0:40:06.16,Default,,0000,0000,0000,,immediately notified the vendor AKDB\NT: And they were very professional about
Dialogue: 0,0:40:06.16,0:40:11.27,Default,,0000,0000,0000,,it and responded very quickly to our\Ninitial emails. So we really like working
Dialogue: 0,0:40:11.27,0:40:18.11,Default,,0000,0000,0000,,together with them and telling them our\Nresults and they were always
Dialogue: 0,0:40:18.11,0:40:23.34,Default,,0000,0000,0000,,positive about it. So they also\Nrecommended some fixes.
Dialogue: 0,0:40:23.34,0:40:27.62,Default,,0000,0000,0000,,J: So, for example, they told us, you\Nshould only use that voting software in a
Dialogue: 0,0:40:27.62,0:40:31.66,Default,,0000,0000,0000,,secure environment like in an\Nadministrational network. However, we
Dialogue: 0,0:40:31.66,0:40:35.89,Default,,0000,0000,0000,,don't really believe that this is a good\Nsolution.
Dialogue: 0,0:40:35.89,0:40:39.56,Default,,0000,0000,0000,,T: Exactly. And we are not very happy\Nabout this proposal, because we have two
Dialogue: 0,0:40:39.56,0:40:44.64,Default,,0000,0000,0000,,problems that still arise, even if it's in\Na secure environment. First of all, an
Dialogue: 0,0:40:44.64,0:40:50.32,Default,,0000,0000,0000,,administrative PC could still be infected\Nwith some malware or it could be
Dialogue: 0,0:40:50.32,0:40:55.58,Default,,0000,0000,0000,,manipulated before the election takes\Nplace. And in the second hand, we have
Dialogue: 0,0:40:55.58,0:40:59.99,Default,,0000,0000,0000,,this bug with the broken access control,\Nyou remember. And even if you would have
Dialogue: 0,0:40:59.99,0:41:05.13,Default,,0000,0000,0000,,been in the secure environment, this bug\Nwould have been totally worked and you
Dialogue: 0,0:41:05.13,0:41:09.30,Default,,0000,0000,0000,,could have completely deleted all data\Nwork or reopened elections or something
Dialogue: 0,0:41:09.30,0:41:12.26,Default,,0000,0000,0000,,like this.\NJ: But we are still quite happy that they
Dialogue: 0,0:41:12.26,0:41:17.83,Default,,0000,0000,0000,,took us seriously, because they even have\Nannounced updates. So, for example, they
Dialogue: 0,0:41:17.83,0:41:23.09,Default,,0000,0000,0000,,wrote us that they are planning on adding\NXSRF tokens for the pages where we found
Dialogue: 0,0:41:23.09,0:41:28.30,Default,,0000,0000,0000,,cross-site vulnerabilities. So that's\Nalready a good step into the right
Dialogue: 0,0:41:28.30,0:41:35.02,Default,,0000,0000,0000,,direction. So now let's summarize what we\Nhave presented today. So first of all, we
Dialogue: 0,0:41:35.02,0:41:40.41,Default,,0000,0000,0000,,discovered several problematic aspects\Nin the concept and its practical
Dialogue: 0,0:41:40.41,0:41:45.24,Default,,0000,0000,0000,,implementation. So, first of all, the\Nentire voting system, it's running on
Dialogue: 0,0:41:45.24,0:41:50.38,Default,,0000,0000,0000,,untrustworthy computer systems. So it\Ncould have been manipulated beforehand.
Dialogue: 0,0:41:50.38,0:41:56.06,Default,,0000,0000,0000,,They could have malware on them or they\Njust could not function correctly. So
Dialogue: 0,0:41:56.06,0:42:00.64,Default,,0000,0000,0000,,that's already very problematic from the\Nbeginning, because we have no underlying
Dialogue: 0,0:42:00.64,0:42:05.95,Default,,0000,0000,0000,,trust that we can put into those systems\Nand we are using them to count out our
Dialogue: 0,0:42:05.95,0:42:11.70,Default,,0000,0000,0000,,votes, to count out the entire election.\NSo what's even more is, that even if they
Dialogue: 0,0:42:11.70,0:42:19.43,Default,,0000,0000,0000,,use the software and the PC, that lies\Nbeyond it, is secure, it still has not
Dialogue: 0,0:42:19.43,0:42:25.33,Default,,0000,0000,0000,,enough transparency. It's very hard to\Nunderstand what the software is exactly
Dialogue: 0,0:42:25.33,0:42:31.00,Default,,0000,0000,0000,,doing and how it is doing this. So, I\Ncannot really understand how does it come
Dialogue: 0,0:42:31.00,0:42:36.03,Default,,0000,0000,0000,,to its result. Please keep in mind, that\Nwe have almost 600 candidates and several
Dialogue: 0,0:42:36.03,0:42:42.44,Default,,0000,0000,0000,,hundreds of ballots that have all to be\Ninput into that computer system and then
Dialogue: 0,0:42:42.44,0:42:47.50,Default,,0000,0000,0000,,some magic happens and it spits out its\Nresult. So, then we just have to take this
Dialogue: 0,0:42:47.50,0:42:53.42,Default,,0000,0000,0000,,result, because it's just impossible to\Ncheck, if really each vote has been
Dialogue: 0,0:42:53.42,0:42:57.82,Default,,0000,0000,0000,,counted correctly or is there anything\Nstrange has happened or any manipulation
Dialogue: 0,0:42:57.82,0:43:00.62,Default,,0000,0000,0000,,took place.\NT: And this is also possible, because we
Dialogue: 0,0:43:00.62,0:43:07.26,Default,,0000,0000,0000,,found lots of vulnerable software and not\Njust the system security was affected, but
Dialogue: 0,0:43:07.26,0:43:12.21,Default,,0000,0000,0000,,it was also absolutely possible to\Nmanipulate the whole election from very
Dialogue: 0,0:43:12.21,0:43:19.95,Default,,0000,0000,0000,,many parts in the network. And this leads\Nus to conclude that these elections are at
Dialogue: 0,0:43:19.95,0:43:24.90,Default,,0000,0000,0000,,a high risk with this technology.\NJ: So, and that is the reason that we want
Dialogue: 0,0:43:24.90,0:43:31.12,Default,,0000,0000,0000,,you as election worker. The more eyes are\Nlooking at the election, the more secure
Dialogue: 0,0:43:31.12,0:43:35.54,Default,,0000,0000,0000,,it becomes. And if you are interested in\Nbecoming an election worker, just get into
Dialogue: 0,0:43:35.54,0:43:40.21,Default,,0000,0000,0000,,contact with the local administration.\NThey are always very happy to have
Dialogue: 0,0:43:40.21,0:43:45.22,Default,,0000,0000,0000,,volunteers, who want to take part as\Nelection workers. So and for my personal
Dialogue: 0,0:43:45.22,0:43:49.96,Default,,0000,0000,0000,,experience, I'm doing this for several\Nyears now. It's also a lot of fun. You get
Dialogue: 0,0:43:49.96,0:43:54.73,Default,,0000,0000,0000,,into contact with a lot of people. So I\Nenjoyed this a lot and I can just
Dialogue: 0,0:43:54.73,0:44:00.79,Default,,0000,0000,0000,,recommended it and this is a good way, how\Neveryone of us can support the democracy
Dialogue: 0,0:44:00.79,0:44:05.27,Default,,0000,0000,0000,,in their country.\NT: So, to conclude our talk, we found out
Dialogue: 0,0:44:05.27,0:44:11.59,Default,,0000,0000,0000,,that security in this technology is really\Nbad and that's not all of it.
Dialogue: 0,0:44:11.59,0:44:16.99,Default,,0000,0000,0000,,J: So, this is just the tip of the\Niceberg, because we look only at one of
Dialogue: 0,0:44:16.99,0:44:21.96,Default,,0000,0000,0000,,the solutions that is available for vote\Ncounting. And this was also in a special
Dialogue: 0,0:44:21.96,0:44:28.09,Default,,0000,0000,0000,,configuration. So what is even more\Ndifficult to see is, what happens behind
Dialogue: 0,0:44:28.09,0:44:34.60,Default,,0000,0000,0000,,all the stuff we have seen today, because,\Nwhen we export the data and bring it to
Dialogue: 0,0:44:34.60,0:44:40.26,Default,,0000,0000,0000,,the central administration and the data is\Nimported and uploaded, so where does all
Dialogue: 0,0:44:40.26,0:44:44.91,Default,,0000,0000,0000,,this data go, where are all the results\Nfrom all this data from all the polling
Dialogue: 0,0:44:44.91,0:44:49.60,Default,,0000,0000,0000,,stations are summarized? We don't know\Nthat yet, how this works. We don't have
Dialogue: 0,0:44:49.60,0:44:53.87,Default,,0000,0000,0000,,the software, that we can analyze. So\Nthere's still a lot of work that has to be
Dialogue: 0,0:44:53.87,0:44:59.36,Default,,0000,0000,0000,,done. Here to really check the entire\Nsystem, we just took a look at a very
Dialogue: 0,0:44:59.36,0:45:04.15,Default,,0000,0000,0000,,small portion and that is just the vote\Ncounting software here.
Dialogue: 0,0:45:04.15,0:45:08.65,Default,,0000,0000,0000,,T: Next, we were very shocked that this\Ninformation, that vote counting is already
Dialogue: 0,0:45:08.65,0:45:14.46,Default,,0000,0000,0000,,shifted to software, is not publicly\Nknown. And this is also why we we created
Dialogue: 0,0:45:14.46,0:45:19.95,Default,,0000,0000,0000,,this talk today as this is an information,\Nthat is crucial for the democracy, that
Dialogue: 0,0:45:19.95,0:45:26.79,Default,,0000,0000,0000,,there is already this software in use and\Nit is not really secure. So this was a big
Dialogue: 0,0:45:26.79,0:45:33.53,Default,,0000,0000,0000,,thing for us to keep bringing it out to\Nthe people.
Dialogue: 0,0:45:33.53,0:45:37.83,Default,,0000,0000,0000,,J: So and one other thing is, everything\Nthat we have seen today is entirely legal,
Dialogue: 0,0:45:37.83,0:45:44.31,Default,,0000,0000,0000,,because at least in Bavaria, we don't have\Nany rules or any laws against the use of
Dialogue: 0,0:45:44.31,0:45:50.10,Default,,0000,0000,0000,,unsecure computer systems, of unsecure\Nvote counting software. So, as we've seen
Dialogue: 0,0:45:50.10,0:45:55.61,Default,,0000,0000,0000,,in the beginning, we only have very rough\Nlegal guidelines that says, well, you can
Dialogue: 0,0:45:55.61,0:46:00.32,Default,,0000,0000,0000,,just use computers for vote counting, but\Nwe need stricter guidelines here, because
Dialogue: 0,0:46:00.32,0:46:06.79,Default,,0000,0000,0000,,it cannot continue as we've seen it today\Nand in other states in Germany there is
Dialogue: 0,0:46:06.79,0:46:12.30,Default,,0000,0000,0000,,sometimes something like, let's say,\Nguidelines or even certification process
Dialogue: 0,0:46:12.30,0:46:18.35,Default,,0000,0000,0000,,for such digital software. But in most\Nstates that I had a look at, there are no
Dialogue: 0,0:46:18.35,0:46:23.78,Default,,0000,0000,0000,,rules at all and nothing that should\Ncontinue in the next years that way.
Dialogue: 0,0:46:23.78,0:46:29.96,Default,,0000,0000,0000,,T: Additionally, in the end, before any of\Nthis software to electronically count the
Dialogue: 0,0:46:29.96,0:46:36.67,Default,,0000,0000,0000,,votes should go live, unbiased tests for\Neveryone should be available to prove
Dialogue: 0,0:46:36.67,0:46:41.96,Default,,0000,0000,0000,,themselves, that this software is secure\Nand this software is doing what it's
Dialogue: 0,0:46:41.96,0:46:46.53,Default,,0000,0000,0000,,promising to us. Because it is directly\Ninfluencing our democracy. And if this
Dialogue: 0,0:46:46.53,0:46:52.00,Default,,0000,0000,0000,,software is manipulated, it manipulates\Nour voting, our election and our
Dialogue: 0,0:46:52.00,0:46:56.33,Default,,0000,0000,0000,,democracy. So in the end, we can just\Nleave you with two questions.
Dialogue: 0,0:46:56.33,0:47:01.16,Default,,0000,0000,0000,,T: How much digital support is required?\NJ: And how much is tolerable?
Dialogue: 0,0:47:01.16,0:47:18.53,Default,,0000,0000,0000,,{\i1}No Audio{\i0}
Dialogue: 0,0:47:18.53,0:47:25.71,Default,,0000,0000,0000,,Herald: Thank you very much for the\Ninteresting talk, Johannes and Tobias. And
Dialogue: 0,0:47:25.71,0:47:30.14,Default,,0000,0000,0000,,thank you very much for your work on the\Ntopic. I hope you do have time for a
Dialogue: 0,0:47:30.14,0:47:36.10,Default,,0000,0000,0000,,little Q&A. We have quite a few questions,\Nactually.
Dialogue: 0,0:47:36.10,0:47:39.24,Default,,0000,0000,0000,,J: Sure.\NM: All right. So the first question from
Dialogue: 0,0:47:39.24,0:47:45.47,Default,,0000,0000,0000,,the Internet is, is there any suspicion\Nthat these vulnerabilities have been
Dialogue: 0,0:47:45.47,0:47:49.40,Default,,0000,0000,0000,,actively used?\NJ: Well, it's very hard to tell. So, at
Dialogue: 0,0:47:49.40,0:47:57.62,Default,,0000,0000,0000,,least for the town that I am from, I did\Nnot notice any special occurrences there.
Dialogue: 0,0:47:57.62,0:48:04.99,Default,,0000,0000,0000,,So, however, I don't have an overview of\Nentire Bavaria, so, that's quite hard to
Dialogue: 0,0:48:04.99,0:48:09.71,Default,,0000,0000,0000,,tell. I think it's even impossible to\Ntell, if there were any manipulation so
Dialogue: 0,0:48:09.71,0:48:15.40,Default,,0000,0000,0000,,far. So, unfortunately, we cannot say\Nthat.
Dialogue: 0,0:48:15.40,0:48:20.29,Default,,0000,0000,0000,,T: Additionally, we are just at one place\Nin this whole system. So we don't have an
Dialogue: 0,0:48:20.29,0:48:25.33,Default,,0000,0000,0000,,overview, if there was any mismatching\Nnumbers or any other influences that
Dialogue: 0,0:48:25.33,0:48:30.70,Default,,0000,0000,0000,,happened, but that we didn't see at the\Nmoment, because we were just at one
Dialogue: 0,0:48:30.70,0:48:35.59,Default,,0000,0000,0000,,position in the system, at one station \Nof the election.
Dialogue: 0,0:48:35.59,0:48:41.47,Default,,0000,0000,0000,,M: OK, thank you for the answer. Ah, do\Nyou believe that it is possible to have a
Dialogue: 0,0:48:41.47,0:48:46.30,Default,,0000,0000,0000,,digital ballot that is as secure and\Ntrustworthy as physical or paper based
Dialogue: 0,0:48:46.30,0:48:51.56,Default,,0000,0000,0000,,voting is?\NJ: Well, in my opinion, that's not
Dialogue: 0,0:48:51.56,0:48:56.56,Default,,0000,0000,0000,,possible, if you want to have the same\Nsort of transparency that we have in the
Dialogue: 0,0:48:56.56,0:49:02.01,Default,,0000,0000,0000,,paper based voting system, because, when\Nwe have paper based voting, we can just go
Dialogue: 0,0:49:02.01,0:49:07.47,Default,,0000,0000,0000,,into the voting room and watch what's\Ngoing on there. We can see the ballots
Dialogue: 0,0:49:07.47,0:49:12.69,Default,,0000,0000,0000,,that are handed in, the ballots that come\Nout of the box. Then, they are counted,
Dialogue: 0,0:49:12.69,0:49:17.99,Default,,0000,0000,0000,,are summed up. I can really try to find\Nout what's going on there. I can have a
Dialogue: 0,0:49:17.99,0:49:24.22,Default,,0000,0000,0000,,look at that. Understand what people are\Ndoing there, but at the moment, that we
Dialogue: 0,0:49:24.22,0:49:29.84,Default,,0000,0000,0000,,have only a digital vote, I cannot really\Nfind out, if the computer is doing the
Dialogue: 0,0:49:29.84,0:49:34.19,Default,,0000,0000,0000,,right thing, if there were some\Nmanipulations. So, in terms of
Dialogue: 0,0:49:34.19,0:49:40.83,Default,,0000,0000,0000,,transparency, I don't think it is possible\Nin the same. Yeah, in the same way as the
Dialogue: 0,0:49:40.83,0:49:47.91,Default,,0000,0000,0000,,paper based ballots, for example.\NT: I would have to add to this, if there
Dialogue: 0,0:49:47.91,0:49:53.75,Default,,0000,0000,0000,,would be the possibility to get the same\Ntraceability and visibility that you can
Dialogue: 0,0:49:53.75,0:50:00.24,Default,,0000,0000,0000,,always see which results came from, from\Nwhich position. And if they are signed
Dialogue: 0,0:50:00.24,0:50:07.26,Default,,0000,0000,0000,,very transparent, then it may be possible\Nin any future, but not with any kind of
Dialogue: 0,0:50:07.26,0:50:16.30,Default,,0000,0000,0000,,this software, we saw there.\NM: All right. Thank you. Do you, by any
Dialogue: 0,0:50:16.30,0:50:21.55,Default,,0000,0000,0000,,chance, know which states in Germany use\Nthese software OK.VOTE as far?
Dialogue: 0,0:50:21.55,0:50:29.26,Default,,0000,0000,0000,,T: We cannot directly say which states\Nactively use them, because we only took
Dialogue: 0,0:50:29.26,0:50:34.25,Default,,0000,0000,0000,,place in elections here in Munich or\NBavaria. But, we can tell, that we found
Dialogue: 0,0:50:34.25,0:50:40.13,Default,,0000,0000,0000,,very much hints in the source code that\Nthey were also used in, for example,
Dialogue: 0,0:50:40.13,0:50:47.48,Default,,0000,0000,0000,,Hamburg, Bremen, Hessen or Rheinland-\NPfalz, but we don't know if they were
Dialogue: 0,0:50:47.48,0:50:54.18,Default,,0000,0000,0000,,already used there or if it's planned to\Nbe used there or did they already used
Dialogue: 0,0:50:54.18,0:50:59.01,Default,,0000,0000,0000,,them in the past elections and decided\Nagainst them for future ones. We don't
Dialogue: 0,0:50:59.01,0:51:03.33,Default,,0000,0000,0000,,know about this, exactly.\NM: OK, maybe we can stay for a second on
Dialogue: 0,0:51:03.33,0:51:11.19,Default,,0000,0000,0000,,your job as an election worker. The\Nprocess of manually entering data into the
Dialogue: 0,0:51:11.19,0:51:16.61,Default,,0000,0000,0000,,system, is there a process for this? Do\Nyou have an idea on the risk of this part
Dialogue: 0,0:51:16.61,0:51:21.07,Default,,0000,0000,0000,,here?\NJ: Yes. So, it's basically the thing, that
Dialogue: 0,0:51:21.07,0:51:26.40,Default,,0000,0000,0000,,they are at least two or three people\Nsitting in front of each computer and then
Dialogue: 0,0:51:26.40,0:51:30.93,Default,,0000,0000,0000,,they are entering each ballot. So people\Nare really cross checking that the ballot
Dialogue: 0,0:51:30.93,0:51:36.18,Default,,0000,0000,0000,,has been entered correctly. So, it's like\None person has the ballot in front of him
Dialogue: 0,0:51:36.18,0:51:42.29,Default,,0000,0000,0000,,or her and the other person reads the\Nvotes and the other person types it in and
Dialogue: 0,0:51:42.29,0:51:47.64,Default,,0000,0000,0000,,they are cross checking each other. So,\Nthat there isn't any error doing typing in
Dialogue: 0,0:51:47.64,0:51:54.25,Default,,0000,0000,0000,,those election results in the computer.\NM: All right. Thank you for the
Dialogue: 0,0:51:54.25,0:52:00.30,Default,,0000,0000,0000,,elaboration. Someone is asking, how the\Nsystem's connected to the Internet or some
Dialogue: 0,0:52:00.30,0:52:05.87,Default,,0000,0000,0000,,other network of the understanding of the\Ntalk was correctly received by that
Dialogue: 0,0:52:05.87,0:52:09.74,Default,,0000,0000,0000,,person. The results are written to some\Nphysical medium which is turned into
Dialogue: 0,0:52:09.74,0:52:15.56,Default,,0000,0000,0000,,transmit the results. So you sense\Nsomething physically. So, why care for the
Dialogue: 0,0:52:15.56,0:52:20.30,Default,,0000,0000,0000,,Windows version or the, what is running on\Nthese machines? Is that correct
Dialogue: 0,0:52:20.30,0:52:24.94,Default,,0000,0000,0000,,understanding?\NJ: Well, the problem with that is, that it
Dialogue: 0,0:52:24.94,0:52:30.01,Default,,0000,0000,0000,,depends on the local administration, how\Nthey set up their computer systems. So, I
Dialogue: 0,0:52:30.01,0:52:36.24,Default,,0000,0000,0000,,also read this in a chat here. Someone has\Nwritten, that they had their voting
Dialogue: 0,0:52:36.24,0:52:44.53,Default,,0000,0000,0000,,software in a, yeah, in a very limited\Nnetwork connectivity. So, the computer was
Dialogue: 0,0:52:44.53,0:52:49.96,Default,,0000,0000,0000,,not connected to the Internet. However, it\Ndepends very on the administration and on
Dialogue: 0,0:52:49.96,0:52:54.67,Default,,0000,0000,0000,,the computer network that is being used\Nthere. So, it is entirely possible that
Dialogue: 0,0:52:54.67,0:52:59.90,Default,,0000,0000,0000,,computers are connected to the Internet,\Nbecause there are no guidelines on how
Dialogue: 0,0:52:59.90,0:53:06.48,Default,,0000,0000,0000,,these computers are allowed to be set up.\NSo, I cannot fully exclude this. So, and
Dialogue: 0,0:53:06.48,0:53:11.37,Default,,0000,0000,0000,,if someone, for example, just enables the\Nwireless network or connects to some
Dialogue: 0,0:53:11.37,0:53:16.83,Default,,0000,0000,0000,,unsecured hotspot, they are connected\Nthen. So, it's it's hard to tell here, but
Dialogue: 0,0:53:16.83,0:53:22.64,Default,,0000,0000,0000,,I would not exclude this possibility.\NT: To extend this answer. We even try to
Dialogue: 0,0:53:22.64,0:53:27.49,Default,,0000,0000,0000,,find out, if there's any software side\Nprotection that checks, if there is any
Dialogue: 0,0:53:27.49,0:53:31.19,Default,,0000,0000,0000,,internet connection is present and then\Nwould deny this voting system. But, there
Dialogue: 0,0:53:31.19,0:53:36.48,Default,,0000,0000,0000,,wasn't or at least we couldn't find one.\NSo even if the administration was not
Dialogue: 0,0:53:36.48,0:53:44.02,Default,,0000,0000,0000,,advised, if these PCs should be\Ndisconnected from the network. There isn't
Dialogue: 0,0:53:44.02,0:53:47.91,Default,,0000,0000,0000,,even a security mechanism in place, that\Nwould check this and stop it or even show
Dialogue: 0,0:53:47.91,0:53:51.86,Default,,0000,0000,0000,,a warning, that this is connected and they\Nshould be disconnected from the Internet
Dialogue: 0,0:53:51.86,0:53:59.70,Default,,0000,0000,0000,,before the counting can begin.\NM: Interesting. All right. We have one
Dialogue: 0,0:53:59.70,0:54:03.78,Default,,0000,0000,0000,,message on the IRC, from someone who\Nworked with this particular piece of
Dialogue: 0,0:54:03.78,0:54:09.54,Default,,0000,0000,0000,,software in demo mode by themselves,\Nobviously. And the question they have, is:
Dialogue: 0,0:54:09.54,0:54:17.89,Default,,0000,0000,0000,,Did you notice the possibility to enter a\Nnegative votes for a candidate? So saying
Dialogue: 0,0:54:17.89,0:54:25.76,Default,,0000,0000,0000,,minus two votes, for instance.\NJ: Well, that's difficult to tell. I
Dialogue: 0,0:54:25.76,0:54:31.20,Default,,0000,0000,0000,,thought about, if this is possible, so\Nperhaps you might have to manipulate the
Dialogue: 0,0:54:31.20,0:54:37.36,Default,,0000,0000,0000,,database directly. So I'm not entirely\Nsure. I'm not sure, if I tried this out
Dialogue: 0,0:54:37.36,0:54:43.60,Default,,0000,0000,0000,,this one. So, but however, as soon as I\Nhave a data, as I have database access,
Dialogue: 0,0:54:43.60,0:54:49.92,Default,,0000,0000,0000,,it's entirely possible to manipulate\Nanything. So. Well, we could try this out
Dialogue: 0,0:54:49.92,0:54:57.52,Default,,0000,0000,0000,,again. However, I don't think that changes\Nmuch in our result. So, yeah, that's
Dialogue: 0,0:54:57.52,0:55:03.04,Default,,0000,0000,0000,,interesting questions of I cannot answer\Nthis right now, so I'm not sure, you Tobi,
Dialogue: 0,0:55:03.04,0:55:10.08,Default,,0000,0000,0000,,have you tried out something like that?\NT: We've tried manipulating some already
Dialogue: 0,0:55:10.08,0:55:17.04,Default,,0000,0000,0000,,submitted votes, but I think, this was not\Nreally possible. However, as you showed,
Dialogue: 0,0:55:17.04,0:55:22.64,Default,,0000,0000,0000,,when you export the data and import into\Nthe main PC, the votes that were already
Dialogue: 0,0:55:22.64,0:55:28.08,Default,,0000,0000,0000,,in place, possibly by an attacker, would\Nthen discard the newly imported votes. So,
Dialogue: 0,0:55:28.08,0:55:34.24,Default,,0000,0000,0000,,this would probably replace this data and\Nthese votes, but via the Web interface, I
Dialogue: 0,0:55:34.24,0:55:38.99,Default,,0000,0000,0000,,think it was not possible. However, we\Nfound the enough vulnerabilities with
Dialogue: 0,0:55:38.99,0:55:43.51,Default,,0000,0000,0000,,database access that you could do it by\Nthis way, if you want to.
Dialogue: 0,0:55:43.51,0:55:50.52,Default,,0000,0000,0000,,M: All right. Thank you for your\Nexplanation. Out of pure curiosity, people
Dialogue: 0,0:55:50.52,0:55:55.98,Default,,0000,0000,0000,,ask, how did you get access to the software\Nin the first place? To start your analysis?
Dialogue: 0,0:55:55.98,0:56:00.51,Default,,0000,0000,0000,,J: Well, that's a good question here,\Nbecause, theres a nice story behind that.
Dialogue: 0,0:56:00.51,0:56:06.30,Default,,0000,0000,0000,,So, I was election worker and I was\Nsupporting setting up a system and doing
Dialogue: 0,0:56:06.30,0:56:12.47,Default,,0000,0000,0000,,some IT support in the evening. And at\Nsome point, we tried to merge our results.
Dialogue: 0,0:56:12.47,0:56:17.30,Default,,0000,0000,0000,,So we exported the results from one\Ncomputer to move them to the other one.
Dialogue: 0,0:56:17.30,0:56:22.38,Default,,0000,0000,0000,,However, the import failed, because, there\Nis some artificial limitation in the
Dialogue: 0,0:56:22.38,0:56:27.62,Default,,0000,0000,0000,,software. So, as soon as your export files\Nare larger than 10 megabytes, they cannot
Dialogue: 0,0:56:27.62,0:56:33.67,Default,,0000,0000,0000,,be imported anymore. So this happens quite\Nquickly, when you have a few hundreds of
Dialogue: 0,0:56:33.67,0:56:38.48,Default,,0000,0000,0000,,votes, of few hundreds of ballots and then\Nthe import doesn't work anymore. And I had
Dialogue: 0,0:56:38.48,0:56:42.11,Default,,0000,0000,0000,,a look at this file, and that was just a\NJSON file with a lot of whitespace. So, I
Dialogue: 0,0:56:42.11,0:56:46.75,Default,,0000,0000,0000,,copied all this stuff to my computer to\Nfix this. And there was also later on, a
Dialogue: 0,0:56:46.75,0:56:51.25,Default,,0000,0000,0000,,software fix that was published by the\Nsoftware vendor. However, then I had the
Dialogue: 0,0:56:51.25,0:56:56.47,Default,,0000,0000,0000,,software on my computer, just because I\Nwanted to fix this election. And it was
Dialogue: 0,0:56:56.47,0:57:00.33,Default,,0000,0000,0000,,very late at night. And I returned home\Nand I noticed, oh, I still have that
Dialogue: 0,0:57:00.33,0:57:06.87,Default,,0000,0000,0000,,software on my computer. Let's have a look\Nat this. So, yeah, it was just by chance.
Dialogue: 0,0:57:06.87,0:57:11.94,Default,,0000,0000,0000,,So, I tried to fix something, got all the\Nsoftware on my PC and then I had it ready
Dialogue: 0,0:57:11.94,0:57:18.03,Default,,0000,0000,0000,,to analyze even with some data on that, so\Nthat I really knew how this works in
Dialogue: 0,0:57:18.03,0:57:23.84,Default,,0000,0000,0000,,practice. And yes, but if someone would\Ntry to gain access to that software,
Dialogue: 0,0:57:23.84,0:57:28.94,Default,,0000,0000,0000,,that's quite simple, because they could\Njust restore the deleted data from one of
Dialogue: 0,0:57:28.94,0:57:33.27,Default,,0000,0000,0000,,the computers that are in the schools.\NPerhaps, someone doesn't even delete the
Dialogue: 0,0:57:33.27,0:57:38.38,Default,,0000,0000,0000,,election software from their computers, in\Nyour school, or some person could just
Dialogue: 0,0:57:38.38,0:57:43.29,Default,,0000,0000,0000,,steal one of the USB sticks, that have\Nbeen used for installation. So, I don't
Dialogue: 0,0:57:43.29,0:57:53.59,Default,,0000,0000,0000,,even think, that would be noticed then.\NM: Interesting, indeed, you mentioned in
Dialogue: 0,0:57:53.59,0:57:58.92,Default,,0000,0000,0000,,your talk, that the software is certified\Nby the BSI, that they claim to be
Dialogue: 0,0:57:58.92,0:58:02.67,Default,,0000,0000,0000,,certified by the Open Web Application\NSecurity project, but how could such a
Dialogue: 0,0:58:02.67,0:58:07.90,Default,,0000,0000,0000,,broken system can be certified by both\Nparties in the first place? And what's
Dialogue: 0,0:58:07.90,0:58:12.12,Default,,0000,0000,0000,,wrong with the certification process? Yes,\Nthis obviously happened. I mean, like, why
Dialogue: 0,0:58:12.12,0:58:19.22,Default,,0000,0000,0000,,not use a certified. What do we do\Ncertified in the first place, if it gets
Dialogue: 0,0:58:19.22,0:58:24.38,Default,,0000,0000,0000,,certified, even if it's broken?\NT: I think the first point about this is,
Dialogue: 0,0:58:24.38,0:58:28.16,Default,,0000,0000,0000,,that we already mentioned in the talk,\Nthat there are no legal requirements. You
Dialogue: 0,0:58:28.16,0:58:32.70,Default,,0000,0000,0000,,don't need any certification, that this\Nsoftware can be used in our voting, in our
Dialogue: 0,0:58:32.70,0:58:38.23,Default,,0000,0000,0000,,elections here in Germany or in most parts\Nof Germany. And additionally, this
Dialogue: 0,0:58:38.23,0:58:46.32,Default,,0000,0000,0000,,screenshot we show with OWASP and the BSI\Nwas just the promotion of the AKDB for
Dialogue: 0,0:58:46.32,0:58:52.18,Default,,0000,0000,0000,,their software, but I think there was no\Nreal certification attached. So, we don't
Dialogue: 0,0:58:52.18,0:58:57.93,Default,,0000,0000,0000,,know if we the BSI ever saw this software for \Nreal or if they just put it on there and said,
Dialogue: 0,0:58:57.93,0:59:02.73,Default,,0000,0000,0000,,yeah, BSI certificate certified or with\Nthe BSI standards in mind, like they
Dialogue: 0,0:59:02.73,0:59:07.23,Default,,0000,0000,0000,,already have already the IT Grundschutz\Nand they maybe tried to implement, after
Dialogue: 0,0:59:07.23,0:59:15.09,Default,,0000,0000,0000,,this system architecture. But the BSI\Nnever checked on it. So, I don't think
Dialogue: 0,0:59:15.09,0:59:18.82,Default,,0000,0000,0000,,there's any real certification for the\Nsoftware.
Dialogue: 0,0:59:18.82,0:59:23.04,Default,,0000,0000,0000,,J: So, just to add a few details here,\Nthat's not really a certification, that
Dialogue: 0,0:59:23.04,0:59:28.56,Default,,0000,0000,0000,,they just said that they follow the BSI\Nand OWASP guidelines. I think, that was
Dialogue: 0,0:59:28.56,0:59:32.65,Default,,0000,0000,0000,,also the wording that was used on the\Nwebsite. So, theres no real certification
Dialogue: 0,0:59:32.65,0:59:39.49,Default,,0000,0000,0000,,behind that, so far.\NM: Thank you for the answer. Do you know
Dialogue: 0,0:59:39.49,0:59:46.20,Default,,0000,0000,0000,,by chance, how the municipalities\Npublished the election results?
Dialogue: 0,0:59:46.20,0:59:53.58,Default,,0000,0000,0000,,J: Well, I don't know in detail how it\Nworks. So, when we handed in our election
Dialogue: 0,0:59:53.58,0:59:59.80,Default,,0000,0000,0000,,results, they got uploaded onto some other\Nsoftware. And that's also the end that
Dialogue: 0,0:59:59.80,1:00:05.69,Default,,0000,0000,0000,,I've seen. So end up in the computer\Nsystem and they are electronically
Dialogue: 0,1:00:05.69,1:00:10.35,Default,,0000,0000,0000,,transmitted. And that, first of all, it\Ngenerates a preliminary file. And finally,
Dialogue: 0,1:00:10.35,1:00:15.77,Default,,0000,0000,0000,,that's a final result generated by it.\NHowever, I don't really know how this
Dialogue: 0,1:00:15.77,1:00:20.24,Default,,0000,0000,0000,,works, but the election results that were\Ngenerated, with OK.VOTE are definitely
Dialogue: 0,1:00:20.24,1:00:28.56,Default,,0000,0000,0000,,going into the final result. So, perhaps\Nthere's also some paper based protocol
Dialogue: 0,1:00:28.56,1:00:33.33,Default,,0000,0000,0000,,between them. I don't really know if\Nthey're using the data that's in the
Dialogue: 0,1:00:33.33,1:00:38.13,Default,,0000,0000,0000,,computer or the data that is on the paper.\NBut, however, it doesn't change very much
Dialogue: 0,1:00:38.13,1:00:46.11,Default,,0000,0000,0000,,here.\NM: OK, on. Coming over here a bit, the
Dialogue: 0,1:00:46.11,1:00:50.83,Default,,0000,0000,0000,,last question would be: What, in your\Nexperience, how practical and expensive
Dialogue: 0,1:00:50.83,1:00:55.96,Default,,0000,0000,0000,,are hand recounts here and did you observe\Nthese?
Dialogue: 0,1:00:55.96,1:01:01.04,Default,,0000,0000,0000,,T: I think, this is very different from\Nelection to election and from city to
Dialogue: 0,1:01:01.04,1:01:07.17,Default,,0000,0000,0000,,city, if this is a rather small town, you\Ncould probably easily reelect all this or
Dialogue: 0,1:01:07.17,1:01:13.47,Default,,0000,0000,0000,,all the votes and recount the votes. But,\Nif this is a big city like Munich, for
Dialogue: 0,1:01:13.47,1:01:20.91,Default,,0000,0000,0000,,example, with millions of votes, and you\Nwould have to recount this, this would
Dialogue: 0,1:01:20.91,1:01:26.08,Default,,0000,0000,0000,,particularly delay the voting or the\Nresults pretty much. And this could have
Dialogue: 0,1:01:26.08,1:01:31.07,Default,,0000,0000,0000,,really bad influences, if this would\Nhappen. That software has shown that kind
Dialogue: 0,1:01:31.07,1:01:36.89,Default,,0000,0000,0000,,of manipulation has happened and they had\Nto recount all the stuff by hand again.
Dialogue: 0,1:01:36.89,1:01:42.24,Default,,0000,0000,0000,,J: So, counting this by hand is, indeed,\Nvery, very effortful, because they have
Dialogue: 0,1:01:42.24,1:01:48.70,Default,,0000,0000,0000,,like 70 votes per ballot. And even summing\Nup all that is still error prone, if it's
Dialogue: 0,1:01:48.70,1:01:54.66,Default,,0000,0000,0000,,done by hand. So, it's difficult to do\Nthat. And up to my knowledge, it's not
Dialogue: 0,1:01:54.66,1:02:00.85,Default,,0000,0000,0000,,generally recounted after the election.\NSo, I try to find something in the
Dialogue: 0,1:02:00.85,1:02:07.38,Default,,0000,0000,0000,,Internet regarding that. And I just found\Nsome PDF, that they said, well, it's not
Dialogue: 0,1:02:07.38,1:02:15.47,Default,,0000,0000,0000,,feasible to recount all the election\Nresults and all the ballots. So, that's
Dialogue: 0,1:02:15.47,1:02:21.78,Default,,0000,0000,0000,,just rather do a meter level check on: is\Nthe protocol complete? How about the
Dialogue: 0,1:02:21.78,1:02:26.89,Default,,0000,0000,0000,,special ballots, that were not really\Nclear and so on? But it's not like, every
Dialogue: 0,1:02:26.89,1:02:31.73,Default,,0000,0000,0000,,ballot will be recounted, as far as I\Nunderstand.
Dialogue: 0,1:02:31.73,1:02:37.88,Default,,0000,0000,0000,,M: OK. Oh, thank you very much Tobias an\NJohannes for answering all the questions.
Dialogue: 0,1:02:37.88,1:02:41.68,Default,,0000,0000,0000,,Thank you again for your talk.\NJ: Thank you.
Dialogue: 0,1:02:41.68,1:02:42.40,Default,,0000,0000,0000,,M: Thank you.
Dialogue: 0,1:02:42.40,1:03:10.21,Default,,0000,0000,0000,,{\i1}rC3 postroll music{\i0}
Dialogue: 0,1:03:10.21,1:03:22.14,Default,,0000,0000,0000,,Subtitles created by c3subtitles.de\Nin the year 2020. Join, and help us!