Comments on: Alex Halderman's totally epic hack of the DC internet voting system pilot program http://boingboing.net/2010/10/05/alex-haldermans-tota.html Brain candy for Happy Mutants Wed, 22 May 2013 11:34:00 +0000 hourly 1 http://wordpress.org/?v=3.4.1 By: Anonymous http://boingboing.net/2010/10/05/alex-haldermans-tota.html#comment-903693 Anonymous Wed, 30 Nov -0001 00:00:00 +0000 #comment-903693 I have to give them kudos for actually paying attention to the results of their test, given that in similar situations other voting officials have often ignored or tried to suppress or discredit results like this. (Sure, it's arguable whether electronic voting provides any real benefit in the first place.) I have to give them kudos for actually paying attention to the results of their test, given that in similar situations other voting officials have often ignored or tried to suppress or discredit results like this.

(Sure, it’s arguable whether electronic voting provides any real benefit in the first place.)

]]> By: johnpaxton http://boingboing.net/2010/10/05/alex-haldermans-tota.html#comment-903703 johnpaxton Wed, 30 Nov -0001 00:00:00 +0000 #comment-903703 Yeah, diva snap. No matter that the DCBOEE did the right thing (perhaps with a shorter time period than it should have). They did their jobs right, opening up their voting machines to testing. So let's lord it over them and point and laugh when the testing proves that there's a problem. Doing so is *sure* to encourage further open testing, in DC and other jurisdictions. Yeah, diva snap. No matter that the DCBOEE did the right thing (perhaps with a shorter time period than it should have). They did their jobs right, opening up their voting machines to testing. So let’s lord it over them and point and laugh when the testing proves that there’s a problem. Doing so is *sure* to encourage further open testing, in DC and other jurisdictions.

]]> By: Anonymous http://boingboing.net/2010/10/05/alex-haldermans-tota.html#comment-903705 Anonymous Wed, 30 Nov -0001 00:00:00 +0000 #comment-903705 Could boingboing possibly follow this up with a petition to support the good job done by the technical staff who allowed the public testing. We should ensure that good initiatives like this get public credit, which provides coverage for the people who suggested doing this, and encourages them to repeat the process. Could boingboing possibly follow this up with a petition to support the good job done by the technical staff who allowed the public testing. We should ensure that good initiatives like this get public credit, which provides coverage for the people who suggested doing this, and encourages them to repeat the process.

]]> By: adwkiwi http://boingboing.net/2010/10/05/alex-haldermans-tota.html#comment-903764 adwkiwi Wed, 30 Nov -0001 00:00:00 +0000 #comment-903764 Jumping on the 'good job DC for running the open trial and responding to the result' bandwagon. Save your diva snapping for people who don't do things the right way round. Jumping on the ‘good job DC for running the open trial and responding to the result’ bandwagon. Save your diva snapping for people who don’t do things the right way round.

]]> By: DrWJK http://boingboing.net/2010/10/05/alex-haldermans-tota.html#comment-916839 DrWJK Wed, 30 Nov -0001 00:00:00 +0000 #comment-916839 Get the back story on how this hack could have happened (when West Virginia is having great success with its Internet voting system): “Does the DC Fiasco Damn Internet Voting?” http://www.opednews.com/articles/Does-the-DC-Fiasco-Damn-In-by-William-J-Kellehe-101015-957.html “Scary Stories Fail to Stop Internet Voting” Abstract: Rather than using the results of scientific testing, and probability calculation, opponents of Internet voting have commonly resorted to telling scary stories about what might happen. In 2004 this tactic had spectacular success. The Department of Defense had already spent over $22,000,000 on an Internet voting project. It was ready to be used in the 2004 November election, but well publicized scary stories had it halted. Since that time, state election officials, the military, and DoD have regained their reason, and Internet voting is coming back. At, http://ssrn.com/author=1053589 (free download) Get the back story on how this hack could have happened (when West Virginia is having great success with its Internet voting system):
“Does the DC Fiasco Damn Internet Voting?”
http://www.opednews.com/articles/Does-the-DC-Fiasco-Damn-In-by-William-J-Kellehe-101015-957.html

“Scary Stories Fail to Stop Internet Voting”

Abstract:
Rather than using the results of scientific testing, and probability calculation, opponents of Internet voting have commonly resorted to telling scary stories about what might happen. In 2004 this tactic had spectacular success. The Department of Defense had already spent over $22,000,000 on an Internet voting project. It was ready to be used in the 2004 November election, but well publicized scary stories had it halted.

Since that time, state election officials, the military, and DoD have regained their reason, and Internet voting is coming back.

At, http://ssrn.com/author=1053589 (free download)

]]> By: Anonymous http://boingboing.net/2010/10/05/alex-haldermans-tota.html#comment-903784 Anonymous Wed, 30 Nov -0001 00:00:00 +0000 #comment-903784 Huge props to the DC government for 1. trying this 2. testing it in the open and 3. actually listening to the results. I can't think of any state in the union that's done that well recently. Apparently someone in DC is on the ball. Huge props to the DC government for 1. trying this 2. testing it in the open and 3. actually listening to the results. I can’t think of any state in the union that’s done that well recently. Apparently someone in DC is on the ball.

]]> By: cjp http://boingboing.net/2010/10/05/alex-haldermans-tota.html#comment-903803 cjp Wed, 30 Nov -0001 00:00:00 +0000 #comment-903803 ..."By formatting the string in a particular way, we could cause the server to execute commands on our behalf. For example, the filename “ballot.$(sleep 10)pdf” would cause the server to pause for ten seconds (executing the “sleep 10” command) before responding." Locutus would be proud. …”By formatting the string in a particular way, we could cause the server to execute commands on our behalf. For example, the filename “ballot.$(sleep 10)pdf” would cause the server to pause for ten seconds (executing the “sleep 10” command) before responding.”

Locutus would be proud.

]]> By: SamSam http://boingboing.net/2010/10/05/alex-haldermans-tota.html#comment-904323 SamSam Wed, 30 Nov -0001 00:00:00 +0000 #comment-904323 Are there any laws or regulations that anyone is trying to push that would force e-voting applications to make their code open-source? Properly-reviewed open source code is, of course, many many times better at catching vulnerabilities than randomly seeing if people will find your security holes with three day's notice. The lesson that the D.C. Board of Elections <b>should</b> have learned from this is: what if Halderman <b>hadn't</b> found the security holes? Then the security holes would have been there for any hacker to exploit. They can't rely on Halderman assembling his crack team on a moment's notice every time. They can't assume that a successful three-day trial means anything about the security of the code. The White House's website already gets it: it's written using open source Drupal. Why can't some senator sponsor a law requiring that <b>all</b> e-voting applications -- and voting machines too, but Diebold would never allow it -- have open reviewable code? Are there any laws or regulations that anyone is trying to push that would force e-voting applications to make their code open-source?

Properly-reviewed open source code is, of course, many many times better at catching vulnerabilities than randomly seeing if people will find your security holes with three day’s notice.

The lesson that the D.C. Board of Elections should have learned from this is: what if Halderman hadn’t found the security holes? Then the security holes would have been there for any hacker to exploit. They can’t rely on Halderman assembling his crack team on a moment’s notice every time. They can’t assume that a successful three-day trial means anything about the security of the code.

The White House’s website already gets it: it’s written using open source Drupal. Why can’t some senator sponsor a law requiring that all e-voting applications — and voting machines too, but Diebold would never allow it — have open reviewable code?

]]> By: SamSam http://boingboing.net/2010/10/05/alex-haldermans-tota.html#comment-904329 SamSam Wed, 30 Nov -0001 00:00:00 +0000 #comment-904329 erm.... so reading Halderman's post a little closer, the DC system <i>was</i> open source. This is how they were able to discover, and exploit, the security hole. Good! Then hopefully this project will be seen as strong, strong evidence for the need for all such systems to be open source. erm…. so reading Halderman’s post a little closer, the DC system was open source. This is how they were able to discover, and exploit, the security hole. Good! Then hopefully this project will be seen as strong, strong evidence for the need for all such systems to be open source.

]]> By: Camp Freddie http://boingboing.net/2010/10/05/alex-haldermans-tota.html#comment-903837 Camp Freddie Wed, 30 Nov -0001 00:00:00 +0000 #comment-903837 Wow, someone should get the DC sysadmin to read XKCD: http://xkcd.com/327/ Wow, someone should get the DC sysadmin to read XKCD:
http://xkcd.com/327/

]]> By: sic transit gloria C.F.A. http://boingboing.net/2010/10/05/alex-haldermans-tota.html#comment-903841 sic transit gloria C.F.A. Wed, 30 Nov -0001 00:00:00 +0000 #comment-903841 No. Not diva snap. DCBOE did exactly the right thing and should be applauded. No. Not diva snap. DCBOE did exactly the right thing and should be applauded.

]]> By: gregb http://boingboing.net/2010/10/05/alex-haldermans-tota.html#comment-903848 gregb Wed, 30 Nov -0001 00:00:00 +0000 #comment-903848 Even downloading the forms can be corrupted- by changing the names of the candidates, or selectively (via IP addresses linked to particular voting district) creating spoof files so districts unfavorable to your candidate receive invalid forms, ... can tip a close election. A long way to go still. Even downloading the forms can be corrupted- by changing the names of the candidates, or selectively (via IP addresses linked to particular voting district) creating spoof files so districts unfavorable to your candidate receive invalid forms, … can tip a close election.

A long way to go still.

]]> By: Anonymous http://boingboing.net/2010/10/05/alex-haldermans-tota.html#comment-903854 Anonymous Wed, 30 Nov -0001 00:00:00 +0000 #comment-903854 Kudos to the D.C. Board of Elections and Ethics for doing the right thing. If they plan on continuing to develop the system, they should consider going into a partnership with a University or a technical institute. Kudos to the D.C. Board of Elections and Ethics for doing the right thing. If they plan on continuing to develop the system, they should consider going into a partnership with a University or a technical institute.

]]> By: TooGoodToCheck http://boingboing.net/2010/10/05/alex-haldermans-tota.html#comment-903614 TooGoodToCheck Wed, 30 Nov -0001 00:00:00 +0000 #comment-903614 The people who were setting up this system are going to learn one of two lessons: 1) it was an excellent idea to open this to the public and give people the chance to try the system because it exposed serious flaws or 2) this was a horrible idea because members of the public pwnd us I really hope they learn lesson 1. Kudos to all involved. The researchers for being civic minded badasses, and the DC government for being wise enough to open the system to scrutiny. The people who were setting up this system are going to learn one of two lessons:

1) it was an excellent idea to open this to the public and give people the chance to try the system because it exposed serious flaws
or
2) this was a horrible idea because members of the public pwnd us

I really hope they learn lesson 1. Kudos to all involved. The researchers for being civic minded badasses, and the DC government for being wise enough to open the system to scrutiny.

]]> By: bardfinn http://boingboing.net/2010/10/05/alex-haldermans-tota.html#comment-904414 bardfinn Wed, 30 Nov -0001 00:00:00 +0000 #comment-904414 SCRUB YOUR INPUTS! regexES AND FUZZ TESTING ARE YOUR FRIENDS! SCRUB YOUR INPUTS! regexES AND FUZZ TESTING ARE YOUR FRIENDS!

]]> By: CatherineCC http://boingboing.net/2010/10/05/alex-haldermans-tota.html#comment-903647 CatherineCC Wed, 30 Nov -0001 00:00:00 +0000 #comment-903647 "...though they plan to continue to develop the system" For years and years and years, all the while sucking up tax dollars while bureaucrats get $150k a year to "manage" the project. But this is a government contract, that will never happen. “…though they plan to continue to develop the system”

For years and years and years, all the while sucking up tax dollars while bureaucrats get $150k a year to “manage” the project.

But this is a government contract, that will never happen.

]]>