Hacker infiltration ends D.C. online voting trial

Source: Washington Post

Last week, the D.C. Board of Elections and Ethics opened a new Internet-based voting system for a weeklong test period, inviting computer experts from all corners to prod its vulnerabilities in the spirit of "give it your best shot." Well, the hackers gave it their best shot -- and midday Friday, the trial period was suspended, with the board citing "usability issues brought to our attention."

Here's one of those issues: After casting a vote, according to test observers, the Web site played "Hail to the Victors" -- the University of Michigan fight song.

"The integrity of the system had been violated," said Paul Stenbjorn, the board's chief technology officer.

Stenbjorn said a Michigan professor whom the board has been working with on the project had "unleashed his students" during the test period, and one succeeded in infiltrating the system.

The fight song is a symptom of deeper vulnerabilities, says Jeremy Epstein, a computer scientist working with the Common Cause good-government nonprofit on online voting issues. "In order to do that, they had to be able to change anything they wanted on the Web site," Epstein said.

-snip-


Read more: http://voices.washingtonpost.com/debonis/2010/10/hacker_infiltration_ends_dc_on.html

---

I'm sorry, but everyone should be visiting the DU Election Reform Forum for this kind of news on a regular basis. So here's the link to the excerpt there:
http://www.democraticunderground.com/discuss/duboard.php?az=view_all&address=203x516403

This may be the tail wagging the dog, but elections are too important not to have their own forum that everyone checks regularly.

A few days ago, I posted about this story and it didn't even get 5 Recommends! So if you're interested in voting news, please visit the ER Forum on a regular basis from now on!:
http://www.democraticunderground.com/discuss/duboard.php?az=show_topics&forum=203

Thanks!

voting isn't secure!

I follow the Brad blog.

Online websites can be hacked.

DRE "voting" machines can do whatever they want, and some just need to have a USB key inserted to change their software.

Mail-in ballots can be waylaid.

Paper ballot boxes get stuffed or emptied, or loaded onto trucks with Bush/Cheney bumperstickers.

The more we try to make our voting system "more secure," the worse it gets. To quote Montgomery Scott, "the fancier they make the plumbing the easier it is to stop up the drain."

Yeah, yeah, I know, PAPER BALLOTS can be hand-counted to check the scanners. But it's rarely done.

or a close race.

Our county creates a header label on each batch of votes, with totals on it. If that is altered at any time, the scanner alarms. I'm sure it's not perfect, but it's pretty darn good.

We do a hand audit check of our scanners in Adams County Colorado every year. We select a number of batches, scan them ourselves as judges, then we trade batches and hand count them all. It's very difficult. I've done it for three years. Our machines are very accurate - way more accurate than the hand tallies.

Their protocol should be upgraded by the American Statistical Association, though.

After following Brad's blog for over 2 yrs, I'm not sure there is a secure voting system.

"no voting system is completely secure."

However it's a little more difficult for a computer hacker with a grudge and a political dogma to stuff ballot boxes.

Although no one thing is secure, all things being equal some are more secure than others.

I could design a digital voting machine that is far more secure than anything else we've seen.

The problem so far has been that most of the machines were designed without really even caring about security.

You know the designers like Diebold don't care when you can open one with a standard office cabinet key.

both the story, and the apathy.

I wonder whether Bill Gates or Mark Zuckerberg are aware of any of this?

Vital information.

"The fight song is a symptom of deeper vulnerabilities, says Jeremy Epstein, a computer scientist working with the Common Cause good-government nonprofit on online voting issues. "In order to do that, they had to be able to change anything they wanted on the Web site," Epstein said."

Completely wrong. The sound file MAY have been the ONLY thing they could alter, because it was relegated to an 'unimportant' status by the authors, or they used a turn-key system that considered it unimportant, possibly because it was authored for a different purpose, and they used a different set of permissions for it.

It didn't even work with all web browsers, esp. the ones that come with MACs!

So our latte-drinking, MAC-toting, different-thinking, progressive friends who probably think Internet Voting is "KEWL!" would be the first ones to be disenfranchised by this crap!:popcorn:

It may be breathless hyperbole, or the computer scientist may have simply noted that the hacked file(s) was only writable by root/Administrator (or the web "page" had somehow been modified to *play* a sound file that was located somewhere, such files don't have to come from the same machine).... and once somebody has escalated to that point, all bets are off.

TWO algorithms for undetectable cheating, I'm surprised that the dangers aren't obvious.

http://www.democraticunderground.com/discuss/duboard.php?az=view_all&address=102x4563927

Full story: http://www.bradblog.com/?p=8106

Thanks for helping to get it out there Bill Bored!

Not a huge Michigan fan (except when they play ND), but that was teh awesome! :yourock:

I'm a recent UM Computer Science Engineering graduate and my final course was a grad-level class on Computer and Network Security...our professor was a very accomplished hacker and I'm 99% sure this had to have been him.

GO BLUE!

I know several students in CSE though who have a reputation for this sort of thing, including some grads who are specifically studying voting machine security

Perhaps something from Klipsch.

This one:
http://www.youtube.com/watch?v=n77q4ifpgKU&feature=related

And watching the band in the stadium on football Saturdays, doing the fanfare and The Victors still gives me a chill. Can't wait for Saturday's big game against MSU! I hope Denard has a big day.

and Hail to the Victors Valiant!

just saying

:hide:

:rofl:

Just like Bill Maher and Keith Olbermann.

:evilgrin:

No doubt, a lot of bad people graduated from Michigan.

But we also get to claim Clarence Darrow...

right to count our votes. Give me paper and pen.

hackable electronic voting machines that have no verification (no paper trail) whatever the finally tally (vote numbers) that are on the easily hacked machines becomes the official count....

No way to check, no one allowed to even check the accuracy of the machines because our voting machine are owned not by the people who paid for them.....but by the corporations who own build and maintain them.

If that isn't enough to show you how easily the republicans can steal votes (and elections)....Each Secretary of State counts & controls & versifies certification of the vote....We saw republicans Secretary of State in FL, OH, GA, and many other states do what ever was needed to change the final vote count for the republicans. Republicans can't win elections in many places without stealing, purging and manipulating the votes.

Republicans are a amazingly arrogant shameless bunch of thugs!

My first time voting was 2002 in GA. They had just introduced the new Diebold "Vote Into the Void" system and I was not a happy camper.

outright reversed the voting on the GA Senate & Governors race Democrats (Both Dems had very comfortable leads going through the night) when both elections and in the early morning hours the hack was in and the votes were flipped - What a shame - The media said nothing about the obvious manipulations just went along with the republicans bullshit explanations for the strange early morning reversals - After that GA hacking in 2002 is when the republicans really saw how the Diebold (and other corporate owned) electronic voting machines would make it so easy for them to steal races around the country....and they will be doing the same this Nov. 2nd absolutely positively!

A rather terrible substitute phrase for the much more well understood "We got pwned."

The online system and (supposedly) offline cheat machines need to be eradicated. They were designed to flip elections and did their job in foisting the Chimp and Cheney on this country. Good God, it's so obvious and yet so few are paying attention!!!!!

This from someone who has 20+ years professional experience with computer tech, supporting it, building networks, and such. Each month, Microsoft comes out with "updates." These are merely plugs to the security that does not exist in their OS. Windows systems also get outdated, because, after a certain amount of time, Microsoft will not support them. This means that the voting systems will have to be repurchased every five or six years. If you think that it was costly to go to computer based voting systems, you haven't seen anything yet. Wait until your machines have to be upgraded, or replaced. The old lever machines were good for thirty to fifty years. Not so with computer based voting systems.

And, too soon before an election to actually do anything.

Delightful.

I bet it's someone I know who did it too...

the registered person can vote.

No, they really aren't trying, but secure banking transactions? I don't think so.
Just Google Zeus Trojan.
Banks factor in a certain amount of "acceptable loss".
What is the "acceptable loss" in an election?

Friends!

Don’t despair over the DC hacking. Here is a short list of positive news for Internet voting:

Pasadena Star News, Two Sunday editions
“Are you ready for Internet voting? For millions of Americans overseas, it's the only way to ensure their votes are counted”
http://www.pasadenastarnews.com/opinions/ci_16357185

Also, RE: CA Prop 14 (nonpartisan elections) and the future of CA politics
http://www.pasadenastarnews.com/ci_16172903?IADID

Both articles have excellent debates in the comments.


Op Ed News
“Does the DC Fiasco Damn Internet Voting?”
http://www.opednews.com/articles/Does-the-DC-Fiasco-Damn-In-by-William-J-Kellehe-101015-957.html


SSRN
“Scary Stories Fail to Stop Internet Voting”

Abstract:
Rather than using the results of scientific testing, and probability calculation, opponents of Internet voting have commonly resorted to telling scary stories about what might happen. In 2004 this tactic had spectacular success. The Department of Defense had already spent over $22,000,000 on an Internet voting project. It was ready to be used in the 2004 November election, but well publicized scary stories had it halted.

Since that time, state election officials, the military, and DoD have regained their reason, and Internet voting is coming back.

At, http://ssrn.com/author=1053589 (free download)

William J. Kelleher, Ph.D.
Internetvoting@gmail.com