1) First, I found the complete lack of security puzzling. I mean, they don't even use SSL in their site logins. You use md5 to check firmware... and the coders are obviously capable of using proper cryptography, but they won't. It's like they completely gave up on any kind of security whatsoever. Is this something deliberate?
2) Why the RFID to store the vote? Why not a QR code? Is it hard to read? RFID tags are hundreds of times more expensive; they can be unlocked and rewritten, and must be protected with a weird Faraday cage that does not work correctly (Faraday cages must be grounded!). They are a nightmare. I'm sure there must be a good reason.
1) Here you make a lot of false statements, and then conclude on the lack of security based on them. So let me answer each of them:
> they don't even use SSL in their site logins.
Which sites? The only one I can think of having a login is the transmission site, and it not only uses SSL, it even has two-way certificate validation, so even the client has to have a valid SSL certificate, which the server validates.
> You use md5 to check firmware
No. They use SHA256, not MD5, and to check the CD software, not firmware (there is no way you can checksum firmware securely if the firmware wants to lie to you).
> and the coders are obviously capable of using proper cryptography, but they won't
Yes, they use encryption, where it makes sense, like the double SSL in transmission.
But I guess you are referring to the unencrypted chip data. It would be useless to encrypt that. Think for a second: the machine needs to be able to read that chip in the counting step. So you are distributing the decryption keys on hundreds of public CDs that very same day. Having the data on the chips encrypted would accomplish nothing; the keys to decrypt them would be public. It's like putting a padlock on your bike but leaving the key next to the padlock.
So no, nobody has given up on security, you have probably just read misleading things.
2) Again, several wrong things; I will answer separately:
> why not a qr-code? it's hard to read?
This is the only one I can't answer with full knowledge, but I think it had something to do with them being hard to read because of the quality of the print (fast thermal printing).
> they can be unlocked, re-written
No, they can't. It's a physical process that burns and cuts connections on the chip, you can't "rebuild" them to unlock it again.
The thing you probably saw was people rewriting demo ballots, which are created with the machine configured in demo mode, in which it doesn't burn the chips, so the same ones can be reused in several demos. The people making that claim even published photos of the supposed "real" ballots they were rewriting, and the ballots had, in really big letters across the whole print, the text "DEMOSTRACION USO NO OFICIAL" (demonstration, not for official use). So, no, they weren't rewriting real ballots; it's obvious those were demo ones.
> with a weird faraday cage that do not work correctly
Reality doesn't agree with you, hehe. Even people opposing the system have tried and weren't able to read the chips through the shield. It's simply a shield which has enough mass to absorb the signal that the chip emits.
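To make the "padlock with the key next to it" argument from the reply above concrete, here is an added example that is not code from the thread or from the voting system being discussed. It assumes a symmetric key embedded in the counting software that ships on the public CD, a toy ballot format (JSON), and an HMAC-SHA256 counter-mode stream cipher chosen only so the script needs nothing outside the standard library; all of these are illustrative assumptions. It also includes the SHA-256 check of a CD image against a published digest, which is the check the reply says is actually performed.

```python
"""Why encrypting chip data under a key that ships on the public CD adds nothing.

Added example, not the project's code. Key, ballot format and cipher are
assumptions made for the demonstration.
"""
import hashlib
import hmac
import json
import os

# Assumed: the key the counting machine needs, which therefore has to be on
# every copy of the counting CD handed out on election day.
KEY_ON_PUBLIC_CD = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stream cipher so the example needs
    no third-party library. Illustrative only, not a recommendation."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_ballot(key: bytes, vote: dict) -> bytes:
    """Encrypt-then-MAC a ballot. Layout: nonce(16) | ciphertext | tag(32)."""
    nonce = os.urandom(16)
    plaintext = json.dumps(vote, sort_keys=True).encode()
    ks = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_ballot(key: bytes, blob: bytes) -> dict:
    """What the counting machine does: verify the tag, then decrypt.
    Raises ValueError if the blob was modified without the key."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ballot tag does not verify")
    ks = _keystream(key, nonce, len(ciphertext))
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, ks))
    return json.loads(plaintext)


def forge_ballot(blob: bytes, new_vote: str) -> bytes:
    """The attacker's move. Holding the same CD means holding the same key,
    so they can read the real ballot and re-seal one with any contents; the
    tag verifies because it was made with the genuine key."""
    original = open_ballot(KEY_ON_PUBLIC_CD, blob)
    forged = dict(original)
    forged["vote"] = new_vote
    return seal_ballot(KEY_ON_PUBLIC_CD, forged)


def cd_image_matches(image: bytes, published_sha256_hex: str) -> bool:
    """The check the reply describes: SHA-256 of the CD software compared with
    a digest published out of band. This one does resist a holder of the CD,
    because the reference digest is not on the CD."""
    digest = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(digest, published_sha256_hex)


def demo() -> str:
    """Seal a ballot, forge it with the public key material, and return what
    the counting machine reads from the forgery."""
    ballot = seal_ballot(KEY_ON_PUBLIC_CD, {"ballot_id": 17, "vote": "list A"})
    forged = forge_ballot(ballot, "list B")
    # Constructed sample: the machine accepts the forgery without complaint.
    return open_ballot(KEY_ON_PUBLIC_CD, forged)["vote"]


if __name__ == "__main__":
    print("counting machine reads:", demo())
```

The tag check does reject a ballot edited by someone without the key, so the construction is not broken as cryptography; it is the deployment that defeats it, since everyone with the counting CD has the key. The only primitive in the block that still holds against a CD holder is the digest comparison, and only because the reference digest lives outside the CD.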
Print them bigger? Change the printer? This makes no sense, unless you want to have the ability to change the vote. It's the only logical explanation.
>I guess you are referring to the unencrypted chip data.
No, I'm referring, for example, to software package signatures.
>No, they can't. It's a physical process
This is simply not true. Even if you had the power to physically burn something in the chip (you do not), many RFID chips allow unlocking with a special password, because they do not really burn anything. You don't know how the RFID chip works internally because the design is not public, and there is no way to check the model of chip used.
> Even people opposing the system had tried
Who? Were they qualified RF engineers or just some dudes with a commercial RFID reader? No signal can be "absorbed" completely.