Alex Halderman's totally epic hack of the DC internet voting system pilot program

16 Responses to “Alex Halderman's totally epic hack of the DC internet voting system pilot program”

  1. Anonymous says:

    I have to give them kudos for actually paying attention to the results of their test, given that in similar situations other voting officials have often ignored or tried to suppress or discredit results like this.

    (Sure, it’s arguable whether electronic voting provides any real benefit in the first place.)

  2. johnpaxton says:

    Yeah, diva snap. No matter that the DCBOEE did the right thing (perhaps with a shorter time period than it should have). They did their jobs right, opening up their voting machines to testing. So let’s lord it over them and point and laugh when the testing proves that there’s a problem. Doing so is *sure* to encourage further open testing, in DC and other jurisdictions.

  3. Anonymous says:

    Could boingboing possibly follow this up with a petition to support the good job done by the technical staff who allowed the public testing. We should ensure that good initiatives like this get public credit, which provides coverage for the people who suggested doing this, and encourages them to repeat the process.

  4. adwkiwi says:

    Jumping on the ‘good job DC for running the open trial and responding to the result’ bandwagon. Save your diva snapping for people who don’t do things the right way round.

  5. DrWJK says:

    Get the back story on how this hack could have happened (when West Virginia is having great success with its Internet voting system):
    “Does the DC Fiasco Damn Internet Voting?”
    http://www.opednews.com/articles/Does-the-DC-Fiasco-Damn-In-by-William-J-Kellehe-101015-957.html

    “Scary Stories Fail to Stop Internet Voting”

    Abstract:
    Rather than using the results of scientific testing, and probability calculation, opponents of Internet voting have commonly resorted to telling scary stories about what might happen. In 2004 this tactic had spectacular success. The Department of Defense had already spent over $22,000,000 on an Internet voting project. It was ready to be used in the 2004 November election, but well publicized scary stories had it halted.

    Since that time, state election officials, the military, and DoD have regained their reason, and Internet voting is coming back.

    At http://ssrn.com/author=1053589 (free download)

  6. Anonymous says:

    Huge props to the DC government for 1. trying this 2. testing it in the open and 3. actually listening to the results. I can’t think of any state in the union that’s done that well recently. Apparently someone in DC is on the ball.

  7. cjp says:

    …“By formatting the string in a particular way, we could cause the server to execute commands on our behalf. For example, the filename “ballot.$(sleep 10)pdf” would cause the server to pause for ten seconds (executing the “sleep 10” command) before responding.”

    Locutus would be proud.

  8. SamSam says:

    Are there any laws or regulations that anyone is trying to push that would force e-voting applications to make their code open-source?

    Properly-reviewed open source code is, of course, many many times better at catching vulnerabilities than randomly seeing if people will find your security holes with three days’ notice.

    The lesson that the D.C. Board of Elections should have learned from this is: what if Halderman hadn’t found the security holes? Then the security holes would have been there for any hacker to exploit. They can’t rely on Halderman assembling his crack team on a moment’s notice every time. They can’t assume that a successful three-day trial means anything about the security of the code.

    The White House’s website already gets it: it’s written using open source Drupal. Why can’t some senator sponsor a law requiring that all e-voting applications — and voting machines too, but Diebold would never allow it — have open reviewable code?

  9. SamSam says:

    erm…. so reading Halderman’s post a little closer, the DC system was open source. This is how they were able to discover, and exploit, the security hole. Good! Then hopefully this project will be seen as strong, strong evidence for the need for all such systems to be open source.

  10. Camp Freddie says:

    Wow, someone should get the DC sysadmin to read XKCD:
    http://xkcd.com/327/

  11. sic transit gloria C.F.A. says:

    No. Not diva snap. DCBOE did exactly the right thing and should be applauded.

  12. gregb says:

    Even downloading the forms can be corrupted: by changing the names of the candidates, or selectively (via IP addresses linked to a particular voting district) creating spoof files so districts unfavorable to your candidate receive invalid forms, … can tip a close election.

    A long way to go still.

  13. Anonymous says:

    Kudos to the D.C. Board of Elections and Ethics for doing the right thing. If they plan on continuing to develop the system, they should consider going into a partnership with a University or a technical institute.

  14. TooGoodToCheck says:

    The people who were setting up this system are going to learn one of two lessons:

    1) it was an excellent idea to open this to the public and give people the chance to try the system because it exposed serious flaws
    or
    2) this was a horrible idea because members of the public pwnd us

    I really hope they learn lesson 1. Kudos to all involved. The researchers for being civic minded badasses, and the DC government for being wise enough to open the system to scrutiny.

  15. bardfinn says:

    SCRUB YOUR INPUTS! REGEXES AND FUZZ TESTING ARE YOUR FRIENDS!
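The bug quoted in comment 7 (a ballot filename spliced into a shell command string) and the input-validation advice in comment 15, shown side by side as an added example; this is illustrative code, not the DC system's source. The command name `process-ballot` and the `/tmp` paths are hypothetical stand-ins for whatever the server actually ran.

```python
import re
import shlex
import subprocess

# Allowlist for ballot names: letters, digits, "_" or "-", then ".pdf".
# No "/", no "$", no "(", no whitespace, so shell metacharacters and
# path traversal are rejected before the name reaches any command.
BALLOT_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.pdf")


def build_shell_command(filename):
    """The unsafe pattern: untrusted text pasted into a command string.
    Only builds the string (never runs it) so the injection is visible:
    a shell would expand $(sleep 10) before running process-ballot."""
    return f"process-ballot /tmp/{filename}"


def validate_ballot_filename(filename):
    """Allowlist check; raises ValueError for anything not a plain name."""
    if not BALLOT_NAME_RE.fullmatch(filename):
        raise ValueError(f"rejected ballot filename: {filename!r}")
    return filename


def safe_argv(filename):
    """Hardened pattern: validate, then hand the name to the program as a
    single argv element with shell=False so no shell ever parses it."""
    name = validate_ballot_filename(filename)
    return ["process-ballot", f"/tmp/{name}"]


def run_safely(filename):
    # Hypothetical invocation of the stand-in tool; argv list, no shell.
    return subprocess.run(safe_argv(filename), shell=False, check=True)


def quoted_shell_command(filename):
    """Fallback when a shell truly is unavoidable: shlex.quote wraps the
    value so $(...) is passed literally instead of being executed.
    Validation above is still the primary control."""
    return f"process-ballot {shlex.quote('/tmp/' + filename)}"
```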

  16. CatherineCC says:

    “…though they plan to continue to develop the system”

    For years and years and years, all the while sucking up tax dollars while bureaucrats get $150k a year to “manage” the project.

    But this is a government contract, that will never happen.
