March 03, 2012

Paper ballots please

Been voting absentee mail-in ballots for the last 30 years. The idea of electronic or web-based voting gives me a clear case of the blue-blind paralytic willies.

Here is one reason why — say hello to the new Washington D.C. School Board member Bender Bending Rodríguez — from PC World:

Hackers Elect Futurama’s Bender to the Washington DC School Board
Electronic voting has earned a pretty bad reputation for being insecure and completely unreliable. Well, get ready to add another entry to e-voting's list of woes.

One Bender Bending Rodríguez was elected to the 2010 school board in Washington DC. A team of hackers from the University of Michigan got Bender elected as a write-in candidate who stole every vote from the real candidates. Bender, of course, is a cartoon character from the TV series Futurama.

This was not some nefarious attack from a group of rogue hackers: The DC school board actually dared hackers to crack its new Web-based absentee voting system four days ahead of the real election. University of Michigan professor Alexander Halderman, along with two graduate students, did the deed within a few hours.

After looking over the e-voting system's Ruby on Rails software framework, Halderman’s team discovered that they could use a shell injection vulnerability to get into the system. This allowed them to retrieve the “public key,” which is used to encrypt the ballots. With the public key in hand, the hackers were able to change every ballot already in the system and replace any subsequent real ballots with fakes.

While the hackers were mucking about the system’s server, they discovered other files that were not ballot-related in the /tmp/ directory. Among them was a 937-page PDF containing instructions to individual voters as well as authentication codes for every voter. If someone with malicious intent got their hands on these codes, they could use them to cast ballots as a real voter.

Yeah — it just is that easy.
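The shell injection the article describes is the classic mistake of building a command line out of a user-supplied string. Here is an added illustration (mine, not code from the D.C. system, the Michigan team, or PC World) of a hypothetical Rails-style helper that shells out to process an uploaded ballot file, shown in its vulnerable form next to a hardened one; the ballot filenames and the use of `wc` as a stand-in for the real encryption tool are assumptions for the demo.

```ruby
require "open3"
require "tmpdir"

# Hypothetical helper: a web app that shells out to process an uploaded
# ballot file. The filename comes straight from the upload form.
#
# VULNERABLE: the name is interpolated into one shell string, so any shell
# metacharacters in it are interpreted by /bin/sh instead of being a filename.
def ballot_bytes_vulnerable(path)
  `wc -c < #{path}`.to_i
end

# HARDENED, layer 1: never build a shell string. With an argument array Ruby
# execs the program directly, and each element is one literal argv entry.
def ballot_bytes_argv(path)
  out, status = Open3.capture2("wc", "-c", path)
  raise "wc failed: #{status}" unless status.success?
  out.to_i
end

# HARDENED, layer 2: allow-list the name before it reaches any subprocess.
# Letters, digits, dot, underscore and hyphen only; no separators, no "..".
SAFE_BALLOT_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/

def safe_ballot_name?(name)
  SAFE_BALLOT_NAME.match?(name) && !name.include?("..")
end

def ballot_bytes_hardened(upload_dir, name)
  raise ArgumentError, "rejected ballot name: #{name.inspect}" unless safe_ballot_name?(name)
  ballot_bytes_argv(File.join(upload_dir, name))
end

# Constructed demo: a file whose name contains a space and a "$" is still
# handled as one literal path by the argv form (layer 1), no quoting needed.
def demo_literal_argv
  Dir.mktmpdir do |dir|
    path = File.join(dir, "odd name $HOME.pdf")
    File.write(path, "x" * 42)
    ballot_bytes_argv(path)   # returns 42
  end
end
```

Both layers matter: the argv form removes the shell from the picture, and the allow-list keeps odd names from reaching any later tool that might itself invoke one.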

One place I worked for, I put a README.TXT file in the root directory of one of their “secure” servers at the outset of the hiring process. I had not even visited their physical plant except to drop off a resume.

When I mentioned this during the first interview, the IT guy who left the room to check returned ten minutes later with a chalk-white face. Was hired that day.

Posted by DaveH at March 3, 2012 10:08 PM