Overview over 20 years of online voting in Switzerland, including publication of source code in 2019, collection of signatures for referendum, scientific dialogue, public consultation for new regulation and some bold predictions about the future.
Historical overview of 20 years of e-voting in Switzerland, focusing on the developments of 2019, the scientific dialogue of 2020 and the public consultation on the new regulation in 2021.
Securing Access to Internet Voting with the OWASP ModSecurity Core Rule Set - Christian Folini
This presentation from #RomHack2021 introduces the OWASP ModSecurity Core Rule Set (CRS), a web application firewall rule set. It then covers the 20-year history of internet voting in Switzerland and explains how the Swiss Post system was secured with the help of OWASP CRS. The presentation links several resources, including government reports and an important tuning description by Swiss Post.
The Adventurous Tale of Online Voting in Switzerland (Usenix Enigma 2021 conf... - Christian Folini
The Swiss tale of online voting serves as a typical example of the iterative development of highly critical IT systems and of the growing involvement of scientists as a necessary step for a government that is willing to learn from past mistakes.
Switzerland has been experimenting with online voting for over 15 years. Several generations of electronic voting systems have been implemented and almost all of them died along the way because of their profound security problems or when the money ran out.
In 2019, Swiss Post published the source code of its online voting system, the last system that was still in the race. Several highly critical findings were discovered in a matter of weeks and the system was stopped right before the national elections.
In 2020, the government rebooted the process and invited two dozen international researchers into an intense dialogue that lasted several months. The resulting report is the base for the renewed regulation that will pave the way forward in 2021.
This document outlines the topics covered in a general informatics course over 6 semesters. It includes sections on internet concepts like networking, browsers, protocols and applications. Potential threats from the internet, like viruses, hacking and inappropriate content, are also discussed. Internet usage statistics on users, reach and speed are mentioned.
January Ramblings 12, UK Today in Coronavirus, Dutch Government Collapse and ... - Charlie
I go over a number of news stories that interest me from the just-gone weekend and also some from today. This one includes UK coronavirus news, the Dutch Government collapse and the outcome of the Uganda election.
DETECTING AND VERIFYING ONLINE DISINFORMATION:
HOW NLP AND DATA ANALYSIS CAN HELP.
By Carolina Scarton
YouTube link: https://www.youtube.com/watch?v=JPq3WFhbgsY
This document discusses the WeVerify project, which aims to enhance fact-checking of online information. It describes WeVerify's architecture and various tools it has developed, including a collaborative verification workbench, browser plugins, visual analysis of disinformation networks, a blockchain database of known fakes, analysis of online conversations, image OCR, a COVID-19 misinformation classifier, and ongoing/future work analyzing COVID-19 on social media and developing multilingual and digital assistant capabilities.
The document discusses challenges around understanding online misinformation. It notes that while citizens see misinformation as a problem, they don't feel able to identify it. There are also difficulties in distinguishing between misinformation, disinformation and malinformation. The document outlines the misinformation lifecycle and discusses challenges in analyzing what is spread, where, how, who spreads it, why and when. It covers examples and challenges around detecting and verifying rumors online.
Understanding Online Misinformation: Major Challenges Ahead, Rome, Weverify
The document discusses understanding online misinformation and the major challenges involved. It notes that most citizens are concerned about online misinformation but do not know how to identify it. Misinformation spreads in complex ways online through both automated and human networks and amplifiers. Analyzing the "6 Questions of Misinformation" (what, where, how, who, why, when) is important for understanding spread. Reducing the spread and impact of misinformation remains very challenging.
Using Apache Spark and Differential Privacy for Protecting the Privacy of the... - Databricks
The document discusses using differential privacy to protect the privacy of respondents in the 2020 US Census. It describes how the Census Bureau is using Spark and differential privacy to perform roughly 2 million optimizations to balance data accuracy and privacy. Challenges include developing monitoring systems in Amazon's GovCloud to oversee multiple computing clusters running thousands of applications testing differential privacy techniques. The goal is to improve on privacy protections used in 2010 by quantifying and limiting re-identification risk from the published census data.
Read more: https://bit.ly/302LRao
Semiconductor sales finished 2Q20 with unprecedented weakness in June. Still, strength early in the quarter led to a 10% y/y gain. Memory closed out 2Q20 with strong double-digit growth. Logic was in the high single digits, while Analog and Power was down.
This document provides an overview and agenda for the Open Belgium 2016 conference. The one-day conference will include:
- A plenary session from 9:00-10:30 AM
- Breakout sessions from 11:00 AM - 5:00 PM on topics like open data, open source, and open standards
- A closing keynote from 5:00-5:30 PM
- A reception at Antwerp's city hall from 6:00 PM
The document also discusses the current state of open data and open government in Belgium, provides examples of available open datasets, and highlights efforts to encourage more reuse of open data.
UK Report - Disinformation and Fake News - St Lucia Implicated - THINK FORWARD
The following election and referenda campaigns were mentioned by Mr. Turnbull and Mr. Nix, over the course of the Channel 4 meetings: Kenya ... Ex-SCL employees have also mentioned: ... St. Lucia; and Trinidad and Tobago.
This document provides an overview of cross-border investigative journalism by the International Consortium of Investigative Journalists (ICIJ). It discusses ICIJ projects like Swiss Leaks and Evicted and Abandoned, which involved collaborations of reporters in many countries investigating issues like tax evasion and failures by the World Bank. The document outlines ICIJ's methods, including finding systemic global stories, collaborating to share findings across borders, and using data and virtual newsrooms to facilitate collaborative reporting. Tips are provided on sources of investigative data and tools for working with documents and scraping web pages.
Over-the-Top (OTT) services use the public internet to create added value for consumers. A prominent example of these services are applications that enable rich interactions between consumers by sending pictures and videos, facilitating group chats and offering other innovative functions such as mobile payment or ordering a taxi. Also, consumers can use OTT services to stream their favourite media anywhere and anytime.
Surprisingly, there are limited consistent insights across two or more years for market development of OTT services in Germany. Consequently, the present study extends two studies published by WIK and Fresenius University of Applied Sciences in 2016 with new data. To achieve comparability over time, this study revolves around the same research questions as the previous studies. Additionally, the study provides consumer insights to inform current public debate about algorithms and data privacy.
To gain a comprehensive understanding of consumer behaviour, the present study uses a mixed-methods approach. We surveyed a representative sample of more than 1,000 German consumers. To aid interpretation of the quantitative results, we also conducted 20 semi-structured interviews with consumers in Germany.
The document is a study guide for the Human Rights Council that discusses two topics: the right to privacy in the digital age and addressing the increase in domestic violence. For topic A on the right to privacy, the summary provides background on worldwide surveillance programs like the Five Eyes alliance and how digital technology has impacted privacy. It outlines different bloc positions, with China and Russia expressing concerns about privacy violations and data collection, while the UK and US take different regulatory approaches. The timeline highlights key events in surveillance programs and social media privacy issues.
Fake news detection for Arabic headlines-articles news data using deep learning - IJECEIAES
Fake news has become increasingly prevalent in recent years. The evolution of social websites has spurred the expansion of fake news, causing it to mix with truthful information. English fake news detection has the largest share of studies, unlike Arabic fake news detection, which is still very limited. The fake news phenomenon has changed people and social perspectives through revolts in several Arab countries. False news distorts reality, ignites chaos and stirs public judgment. This paper provides an Arabic fake news detection approach using different deep learning models, including long short-term memory and convolutional neural networks, based on article-headline pairs to determine whether a news headline is in fact related or unrelated to the corresponding news article. In this paper, a dataset about the war in Syria and related Middle East political issues is utilized. The whole data comprises 422 claims and 3,042 articles. The models yield promising results.
Presentation by Trilateral Research given at INSPEC2T's first Stakeholders Advisory Group and External Experts Group workshop, Vienna, November 2015 on the privacy and data security considerations for the design of the INSPEC2T system
Estimating migrant stocks and flows using social media data - Jisu Kim
This document discusses using social media data from Twitter and Facebook to estimate migrant stocks and flows. It describes how geo-tagged tweets and Facebook advertising audience estimates can provide information about international migration patterns. Twitter data is used to assign country of residence and nationality to users based on location of tweets. Comparison to official statistics shows Twitter migration estimates have moderate accuracy. Facebook data tends to be more biased due to its smaller user base but can still provide useful information, especially when combined with other data sources. Both data sources allow estimating migration in near real-time and with finer geographic and temporal resolution than traditional surveys.
CORBEL/EOSC-Life webinar Practical Tips for Stepping Up Your Science Communic... - CORBEL
CORBEL and EOSC-Life organise the webinar series "Engaging with your community through events and training". The series continues with a panel discussion between Caitlin Ahern (BBMRI-ERIC), Katri Ahlgren (ICOS ERIC), Stefan Swift (European Social Survey), and Luiza Fundatureanu (ZN Consulting).
Join us for an interactive discussion with science communicators who will share concrete examples and tips for improving your scientific communications – especially when budget and time resources are limited! The speakers come from a range of fields and will have plenty of time for Q&A and discussions.
This webinar includes an audience Q&A session during which attendees can ask questions and make suggestions. Please note that all webinars are recorded and available for later viewing.
This document discusses regulatory options for addressing disinformation. It defines disinformation and distinguishes it from misinformation. It reviews the evidence base around the harms of disinformation and whether policy approaches require hard evidence. It discusses the limitations of using automated technologies like AI to detect and moderate disinformation. It proposes five recommendations, including emphasizing media literacy and user choice, ensuring human review of AI moderation, independent appeals of platform decisions, standardizing notice and appeal procedures, and increasing transparency of platforms' techniques. It raises questions about what specifically should be regulated by platforms versus subject to court oversight, and whether oversight boards or co-regulation is most effective.
Presentation of the "COVID19 Edition" of the Science Barometer (www.Wissenschaftsbarometer.ch) at the "FORS Swiss Covid-19 Data Symposium", March 23, 2021
By Mike S. Schäfer, Niels Mede, Julia Metag & Kira Klinger
EUROPEAN PARLIAMENT TAKES INITIATIVE TO PUT CRYPTOCURRENCY, BLOCKCHAIN ON FAS... - Steven Rhyner
Things are moving quickly in Europe at the moment in regards to cryptocurrency and the Blockchain. The Committee on Economic and Monetary Affairs of the European Parliament is scheduled to vote on the virtual currencies report in a matter of days, with a hot summer for cryptocurrency and Blockchain legislation ahead.
Perceptions of Corruption in Sweden 2010 - EUROsociAL II
This document analyzes survey data from Sweden regarding citizens' perceptions of corruption. The survey was administered to 1,452 participants of an online panel in Sweden. It included both open-ended and closed-ended questions about how respondents would define corruption, how widespread they think it is, and what types of acts they consider justified or unjustified.
The results show that Swedes generally condemn corruption as morally wrong. However, some forms of corruption are seen as more acceptable than others. Most people also perceive the level of corruption in Sweden to be relatively low, but some think other, less illegal forms of corruption may exist. The document aims to provide data on perceptions of corruption in a country with low actual corruption, in order to
Wellbeing and Hybrid Working Strategies for Facility Managers - Chris Leake
Employee wellbeing is a greater focus and will continue to be impacted as we continue to shift to a greater reliance on working from home and remote solutions post-COVID-19. These changes will have many implications that organizations and facility managers will have to address.
Full video:
https://youtu.be/7bHoA9FAGjU
OWASP ModSecurity - A few plot twists and what feels like a happy end - Christian Folini
This is about the history and the future of OWASP ModSecurity. The venerable WAF engine was transferred to OWASP in January 2024. This presentation looks back and presents a project plan moving forward.
Crazy incentives and how they drive security into no man's land - Christian Folini
Everybody, Blueteam and Redteam players alike, are driven by incentives. Good incentives persuade us to do the right thing and patch our servers. Bad incentives make us eat unhealthy food and follow stupid security practices.
There is a huge resource problem in the IT industry and especially in the security industry. So you would expect people to pay attention to the existing incentives and the incentives they create with their documentation, their awareness trainings, their security reports, etc.
But reality paints a different picture: Bad incentives all around! We see insane security practices eating valuable time and online trainings annoying users, slowly teaching them to become a brainless zombie whenever they hear the keyword "security".
But it's even worse. I've come across incentives that lure companies into creating bad products and I've seen companies create products that incentivize their customers to waste their time and money.
Sometimes the mechanisms are too strong to fight. But sometimes it takes people like you and me to say NO and stand up for real security!
Follow me on a journey and security will never look the same to you again!
Similar to The Adventurous Tale of Online Voting in Switzerland (20)
Never Walk Alone - Inspirations from a Growing OWASP ProjectChristian Folini
The OWASP ModSecurity Core Rule Set (CRS) was a dormant project, when a group of three developers picked it up in 2016. Today, this open source web application firewall project counts 14 active developers, annual sponsoring of over 40K USD and the rules run on over 100Tbit/s. This presentation explains how the new management took over the project and developed it in three key areas: (1) the code, (2) the developers and (3) the users and partners. The growth of OWASP CRS serves as an example how you can grow and mature your project too.
What’s new in CRS4? An Update from the OWASP CRS projectChristian Folini
Christian Folini presented news and updates about the OWASP ModSecurity Core Rule Set (CRS) project. Some key points included:
- Trustwave announced end of life for their ModSecurity product and a new open source WAF engine called Coraza.
- The CRS documentation was overhauled and a sandbox and private bug bounty program were launched.
- Major changes in CRS v4 include a plugins architecture, early blocking, configurable reporting levels and removing PCRE dependency.
- New rules are being added around SSRF, email protocols, Log4Shell, webshell detection and improved RCE and SQLi detection.
- The CRS v4 release was delayed to fix issues
Extensive Introduction to ModSecurity and the OWASP Core Rule SetChristian Folini
This document outlines an introduction to ModSecurity and the OWASP Core Rule Set (CRS) presented at a security conference. It discusses what a web application firewall (WAF) and ModSecurity are and how the CRS works. The presentation covers key concepts like rule groups, paranoia levels to control false positives, and anomaly scoring. It also demonstrates installing and configuring ModSecurity and the CRS. The document promotes the CRS as a first line of defense against web attacks and provides resources for additional tutorials, courses, and support.
Introduction to ModSecurity and the OWASP Core Rule SetChristian Folini
This document discusses ModSecurity and the OWASP Core Rule Set (CRS). ModSecurity is an open source web application firewall that can be embedded into servers. It uses rules to provide granular control over requests and responses. The CRS is a set of generic rules that can block 80% of common web attacks in its default configuration with minimal false positives. It is organized into different rule groups and has different paranoia levels to control security and false positives. The presentation demonstrates how to install and configure ModSecurity and CRS to provide a first line of defense against web application attacks.
Folini Extended Introduction to ModSecurity and CRS3Christian Folini
This document provides an introduction to ModSecurity and the OWASP Core Rule Set (CRS) presented by Christian Folini. The presentation covers what a web application firewall (WAF) and ModSecurity are, an overview of the CRS including rule groups and paranoia levels, how to install and configure ModSecurity with the CRS, and handling false positives. The goal of ModSecurity and CRS is to provide a first line of defense against web application attacks and block around 80% of attacks with minimal false positives in the default installation.
We have been building castles and fortifications for thousands of years. Many of them were never breached. IT security, on the other hand, is a very young discipline where defense mechanisms have not really stood the test of time and breaches are happening every day.
Looking at historical defense techniques and fortress architectures can therefore serve as an inspiration for strong IT security architectures. This presentation looks at agile and flexible defenses, layered security and whitelisting. None of these concepts are entirely new to the IT security industry. But implementations usually stop with the buzzword or at the network level. This talk brings evidence for the effectiveness of the concepts across the centuries and hopes to help them achieve a breakthrough on all levels.
Furthermore, the talk educates the audience about medieval castles and how the metaphor can be put to use when explaining complicated IT security concepts to non-technical audiences. Again, the metaphor is not new, but people are usually only scratching the surface when they talk of medieval castles and modern servers.
- Trend I: DDoS attacks are increasing in size over time
- Trend II: More attacks are targeting applications instead of just bandwidth or servers
- Trend III: Increased encryption makes defense against DDoS attacks more difficult
- CDNs like Cloudflare play a large role in defending against DDoS attacks and their infrastructure controls much of the internet
- Using local route announcements could guarantee better geographic blocking of attacks but risks balkanizing the internet
- Nation states may fail to protect internet traffic that moves outside their jurisdictions
Christian Folini gave a presentation on optimizing ModSecurity on NGINX and NGINX Plus. Some key points:
- ModSecurity is an open source web application firewall that provides a rule-based system. The OWASP ModSecurity Core Rule Set (CRS) is the default rule set that blocks over 80% of attacks.
- To use ModSecurity with NGINX, one must compile ModSecurity 3.0 and the ModSecurity NGINX connector module, then compile NGINX with the connector. Alternatively, precompiled binaries are available with NGINX Plus.
- Initial optimization steps include adjusting the anomaly threshold, learning to read logs using aliases, and handling false positives by
A General Look at the State of Security - AFCEA 2017Christian Folini
Overview presentation for the participants of the AFCEA Hack conference within AFCEA TechNet 2017 in Stockholm, October 10, 2017.
The overview covers the topics dependency / complexity / interoperability, online crime, digitalisation, spear phishing, manipulation, internet of things, and denial of service.
The CRS is a set of generic attack detection rules for use with ModSecurity or compatible web application firewalls that saw a new major release in November 2016 (3.0 -> CRS3). CRS is the 1st line of defense against web application attacks like those summarized in the OWASP Top Ten and all with a minimum of false alerts.
This talk demonstrates the installation of the rule set and introduces the most important groups of rules. It covers key concepts like anomaly scoring and thresholds, paranoia levels, stricter siblings and the sampling mode. The important handling of false positives is also covered as well as pre-defined lists of rule exclusions for popular web applications helping to avoid false positives.
This presentation was delivered at AppSecEU 2017 in Belfast.
Running ModSecurity with the OWASP ModSecurity Core Rules is hard. A huge wave of false positives drowns sysadmins and logfile servers alike. The upcoming 3.0.0 release of the Core Rules comes with a new paranoia mode. This feature organises the various rules in different paranoia levels. The higher the paranoia level, the more paranoid the rules and the more false positives you will get. However, the default installation gives you a decent security level without too many false positives. This allows for a straight forward ModSecurity setup which is not threatening an existing productive service. Instead you start with a limited set of rules and then you raise the paranoia level step by step to the number that suits the desired security level of your site. In this talk, we will look at the configuration of the paranoia mode. We will look at rules and we will look at ModSecurity defending against popular attack kits at various paranoia levels
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfTechgropse Pvt.Ltd.
In this blog post, we'll delve into the intersection of AI and app development in Saudi Arabia, focusing on the food delivery sector. We'll explore how AI is revolutionizing the way Saudi consumers order food, how restaurants manage their operations, and how delivery partners navigate the bustling streets of cities like Riyadh, Jeddah, and Dammam. Through real-world case studies, we'll showcase how leading Saudi food delivery apps are leveraging AI to redefine convenience, personalization, and efficiency.
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Speck&Tech
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
OpenID AuthZEN Interop Read Out - AuthorizationDavid Brossard
During Identiverse 2024 and EIC 2024, members of the OpenID AuthZEN WG got together and demoed their authorization endpoints conforming to the AuthZEN API
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
The Adventurous Tale of Online Voting in Switzerland
1. The Adventurous Tale of Online Voting in Switzerland
Christian Folini – Insomni’Hack 2022 Keynote
2. Christian Folini / @ChrFolini – Insomni’hack 2022 Keynote
Plan for Today
⚫ Overview of the past 20 years
⚫ A new perspective on the events of 2019
⚫ Expert dialogue and scholarly report of 2020
⚫ Public consultation and new regulation 2021/22
⚫ Several ridiculous predictions about the future
3. Boring BIO
⚫ Dr. Christian Folini
⚫ Historian and Swiss Security Engineer
⚫ Open Source Security Project Lead (OWASP CRS)
⚫ Election worker blog at www.christian-folini.ch
⚫ Wearer of many hats, or rather helmets, with Swiss E-Voting
@ChrFolini
4. Key Argument against Online Voting
"We simply can’t build an Internet voting system that is secure against hacking because of the requirement for a secret ballot."
Bruce Schneier, Online Voting Won’t Save Democracy, The Atlantic, May 2017
5–9. Arguments in Favor of Online Voting
• Citizens living abroad
• Visually impaired and quadriplegic voters
• Formally invalid ballots
• Security weaknesses of physical voting
10. Christian Folini / @ChrFolini – Insomni’hack 2022 Keynote
2004 2009 2011
2004
2000
1st project
1st Geneva trial
Entering Scytl
Consortium
Steering Board
1st Swiss internet voting
project is launched with
three pilot cantons.
Swiss canton Neuchâtel
deploys Spanish Scytl
software for online voting.
Federal administration and
cantons establish a joint
steering committee.
Canton Geneva runs the
first Swiss internet voting
trial.
Eight Swiss cantons form a
consortium and
commission Swiss branch
of American Unisys with
the creation of an internet
voting system.
Timeline Online Voting in Switzerland
11. Christian Folini / @ChrFolini – Insomni’hack 2022 Keynote
2015 2017
2015
2011
Steering Board
Consortium dies
Scytl/Swiss Post join
Mainstreaming attempt
Federal administration and
cantons establish a joint
steering committee.
Spanish Scytl and Swiss
Post form joint venture
with Scytl providing the
software and Swiss Post
operating the systems on
premise.
The eight consortium
cantons throw towel after
federal administration
barrs system from use in
national elections.
The federal chancellor calls
for 2/3 of the cantons to
offer internet voting for
national elections in 2019.
Timeline Online Voting in Switzerland
12. 2017 / 2018 – The Resistance is Emerging
• Beyond 100 articles on Swiss E-Voting
• Feeling that 3 out of 4 quoted Hernâni Marques
• Confrontation was fought tooth and nail
• Sentiment Analysis: [emoji]
13. 2018 / 2019 Geneva Quits
Source: Twitter: @GE_chancellerie (1141332323025195009)
2018: Development stopped
2019: System terminated
14. Christian Folini / @ChrFolini – Insomni’hack 2022 Keynote
2018.11 2019.2
2017
2016
Scytl/Swiss Post join
Mainstreaming attempt
Geneva quits
Bug Bounty
Source Code Publication
Spanish Scytl and Swiss
Post form joint venture
and go into production.
Political quarrels lead to
Geneva stopping all further
development. A year later,
the system is terminated.
The federal chancellor calls
for 2/3 of the cantons to
offer internet voting for
national elections in 2019.
Scytl / Swiss Post publish
the source code of their
system and run a 4 week
bug bounty.
Timeline Online Voting in Switzerland
15. Swiss Post / Scytl Source Code: Total Disaster
16. Christian Folini / @ChrFolini – Insomni’hack 2022 Keynote
2018.11 2019.2
2017
2016
Scytl/Swiss Post join
Mainstreaming attempt
Geneva quits
Start Bug Bounty
Source Code Publication
Spanish Scytl and Swiss
Post form joint venture
and go into production.
Political quarrels lead to
Geneva stopping all further
development. A year later,
the system is terminated.
The federal chancellor calls
for 2/3 of the cantons to
offer internet voting for
national elections in 2019.
Scytl / Swiss Post publish
the source code of their
system. Researchers
identify three critical
vulnerabilities within
weeks. The system is put
on hold.
2019.3
E-Voting
Referendum
Launched
Collection period for
popular initiative with the
goal of 100,000 signatures
started.
Timeline Online Voting in Switzerland
18. Online Voting Headlines in Switzerland 2019
Data source: noevoting.ch, chart by Christian Folini
19. Online Voting Signatures Promised to WeCollect
Source: archive.org → wecollect.ch (2019-03-22)
20. Signatures Promised to WeCollect
Data source: https://christian-folini.ch/pub/wecollect-noevoting-numbers.csv
21. Christian Folini / @ChrFolini – Insomni’hack 2022 Keynote
2018 2019 2020.4
2017
2016
Scytl/Swiss Post join
Mainstreaming attempt
Geneva quits
E-Voting on hold
Rebooting
Spanish Scytl and Swiss
Post form joint venture
and go into production.
Political quarrels lead to
Geneva stopping all further
development. A year later,
the system is terminated.
The steering board
establishes a dialog with
25 scientists to assess
viability of internet voting
and support with writing
new regulation.
The federal chancellor calls
on 2/3 of the cantons to
offer internet voting for
national elections in 2019.
Scytl / Swiss Post publish
the source code of their
system. Researchers
identify three critical
vulnerabilities within
weeks. The system is put
on hold.
2020.6
E-Voting
Referendum
dies
Despite the promising
headlines in 2019, the
collection of signatures
fails miserably.
Timeline Online Voting in Switzerland
22. Expert Dialogue – Participating Scientists
CRYPTOGRAPHERS AND ONLINE VOTING EXPERTS
David Basin, ETH Zurich
Srdjan Capkun, ETH Zurich
Eric Dubuis, BFH Bern
Bryan Ford, EPF Lausanne
Reto Koenig, BFH Bern
Philipp Locher, BFH Bern
Olivier Pereira, University of Leuven, Belgium
Vanessa Teague, Australia
Bogdan Warinschi, Bristol, UK
Rolf Haenni, BFH Bern
SECURITY INDUSTRY
Stéphane Adamiste, SCRT
Sergio Alves Domingues, SCRT
Tobias Ellenberger, One Consult
COMPUTER SCIENTISTS
David-Olivier Jaquet-Chiffelle, Uni. of Lausanne
Oscar Nierstrasz, University of Bern
Adrian Perrig, ETH Zurich
Carsten Schürmann, Denmark
Matthias Stürmer, University of Bern
Ulrich Ultes-Nitsche, University of Fribourg
POLITICAL SCIENTISTS
Florian Egloff, ETH Zurich
Fabrizio Gilardi, University of Zurich
Uwe Serdült, Center for Democracy, Aarau
MODERATOR
Christian Folini, netnea.com
Source: https://www.bk.admin.ch/bk/de/home/politische-rechte/e-voting.html
23. Christian Folini / @ChrFolini – Insomni’hack 2022 Keynote
2020.4 2020.7 2020.11
2020.3
2020.2
Survey
Covid-19 hits
Online dialogue
Additional research
Scientific report
The dialogue starts with a
survey over 62 questions
sent to 25 scientists
The workshops are
replaced with a 12 weeks
online dialogue on a
dedicated gitlab platform.
The steering board
publishes the 70 pages
report with the re-
commendations of the
scientists.
When the on-site
workshops were slowly
taking shape, Switzer-land
entered a lock-down and
the on-site gatherings had
to be called off.
Several separate re-search
articles are commissioned
with individual scientists to
bring up more infor-mation
on individual questions.
Timeline Online Voting in Switzerland
25. Key Recommendations of Dialogue
• Cryptography: A ton of advice, also on quantum
• Call for diversity in hard- and software
• Maximum level of transparency, Open Source
• Cross-Channel plausibility checks
26. Christian Folini / @ChrFolini – Insomni’hack 2022 Keynote
2020.4 2020.7 2020.11
2020.3
2020.2
Survey
Covid-19 hits
Online dialogue
Additional research
Scientific report
The dialogue starts with a
survey over 62 questions
sent to 25 scientists
The workshops are
replaced with a 12 weeks
online dialogue on a
dedicated gitlab platform.
The steering board
publishes the 70 pages
report with the re-
commendations of the
scientists.
When the on-site
workshops were slowly
taking shape, Switzer-land
entered a lock-down and
the on-site gatherings had
to be called off.
Several separate re-search
articles are commissioned
with individual scientists to
bring up more infor-mation
on individual questions.
2021.4
Public Consultation
Following standard Swiss
procedure the draft new
e-voting regulation is put
up for a public
consultation where all
interested parties are
invited to provide
feedback.
Timeline Online Voting in Switzerland
27. Public Consultation for New Regulation
Source: Federal Chancellery
28. 67 Responses in Public Hearing
Source: DigiGes Switzerland
29. Response Report of Public Consultation
Source: Federal Chancellery
30. Who Has Responded? And How?
Source: Federal Chancellery
67 Responses: 48 positive, 11 positive with fundamental reservations, 8 negative; 697 pages all in all.
Missing: EVP, GLP, Swiss ICT, ISSS, CCC-CH
31. Who Responded to the Technical Annex?
Source: Federal Chancellery
24 Responses:
• 6 minimal: AI, GE, Pirate Party, SBb, Procap, SZBlind
• 18 substantial: AG, BE, BS, FR, GL, GR, SG, SO, SZ, TG, VS, ZH; BFH, SBV, Post, SSK, Florian Moser, IsA
Missing: Political Parties, SATW, DigitalSwitzerland, SWICO, DigiGes
32. Call for Open Source
Source: Federal Chancellery
11 responses support an enforced Open Source approach for the software.
• Alternative Linke Bern: "Open source means licensing"
• CH++: "a complete open source approach is an essential condition"
• Digitale Gesellschaft: "the failure to mandate open source sends a negative signal"
• digitalswitzerland*: "digitalswitzerland further welcomes the requirements on open source"
• Economiesuisse*: "requirements on open source ... to be welcomed"
• Florian Moser: "specifically mandate the publication of all material under an open source licence"
• Grüne: "We demand more open source"
• IsA: "contrary to the recommendation ... no open source licence is prescribed"
• Piratenpartei: "Complete publication of the source code under an open source licence"
• SP: "we consider a complete open source approach necessary already during trial operation."
• Stift. Konsumentens.: "does not contain a comprehensive open source obligation"
* The two marked organisations misread the regulation and believe Open Source was actually in the draft regulation. It is not.
33. Open Source in Federal Chancellery’s Media Release
Source: Federal Chancellery
“Others who took part in the consultation also raised fundamental issues: for example, some would like to see all e-voting systems and their components disclosed under an open source licence. The Federal Council takes these fundamental issues very seriously. They concern the security of e-voting and the public's confidence in this voting method and will be addressed in the longer term ...”
34. Timeline Online Voting in Switzerland
2021.4 Public Consultation: Following standard Swiss procedure, the draft new online voting regulation is put up for a public consultation where all interested parties are invited to provide feedback.
2021.12 Report on Public Consultation: Report comes in at a whopping 697 pages with 67 individual responses.
2022 Q2/3 New Regulation: New regulation is expected for Summer 2022.
2022/23 New E-Voting Trials: A small number of Swiss Cantons will take up new E-Voting trials in late 2022 or 2023, aiming for the national elections in Autumn 2023.
40. Ridiculous Predictions Beyond 2022/23
• Slow expansion of E-Voting after the national election 2023
• E-Voting system of Swiss Post will become open source
• A disability organization will sue for E-Voting
• Cross-Channel plausibility checks will improve security for all voting channels
• In the mid-term we’ll see a severe security problem in a public vote
41. Questions and Answers, Contact
Contact: @ChrFolini
christian.folini@netnea.com
Election worker blog: www.christian-folini.ch