Slashdot Mirror


DC Suspends Tests of Online Voting System

Fortran IV writes "Back in June, Washington, DC signed up with The Open Source Digital Foundation to set up an internet voting system for DC residents overseas. The plan was to have the system operational by the November general election. Last week the DC Board of Elections and Ethics opened the system for testing and attracted the attention of students at the University of Michigan, with comical results. The DC Board has postponed implementation of the system for 'more robust testing.'" Update: 10/06 02:42 GMT by T : University of Michigan computer scientist J. Alex Halderman provides an explanation of exactly how the folks at Michigan exploited the DC system.


  1. Electronic voting, yes! Online voting, no! by BadAnalogyGuy · · Score: 2, Insightful

    Voting machines should definitely be electronic.

    Online voting seems to be so problem-prone as to be useless. Something as simple as a smurf attack could potentially block every voter from casting their ballot in time.

    1. Re:Electronic voting, yes! Online voting, no! by hedwards · · Score: 2, Insightful

      I have to agree, online voting has some very serious problems with it. Even if you solve the technological ones, you'd still have to figure out how to prove that the person that's actually voting is the intended voter and that there isn't anybody there that's suggesting how they should vote.

    2. Re:Electronic voting, yes! Online voting, no! by hedwards · · Score: 2, Insightful

      Erm, on further thought, that would just make it like vote by mail.

    3. Re:Electronic voting, yes! Online voting, no! by Obfuscant · · Score: 4, Insightful

      if we can't make online voting work, we can't function at all in the digital age.

      Current history disproves your statement. We cannot yet make online voting work and yet we function pretty well in the "digital age".

    4. Re:Electronic voting, yes! Online voting, no! by jd · · Score: 2, Insightful

      Not necessarily. It should be possible to devise an online voting system that worked securely and reliably. To defeat DoS/DDoS attacks, you would probably want to have virtual circuits (e.g. MPLS) or bandwidth allocation (e.g. RSVP) such that an attack cannot encroach on the voter's bandwidth. Alternatively, an ISP could run Snort or another NIDS system in such a manner as to detect a DDoS attack and block the source addresses. So long as it was done far enough upstream that there was still available bandwidth, this would prevent an attack. Or they could use a packet-dropping scheme that is designed to handle "unresponsive flows" such as UDP and ICMP.

      In the case of RSVP, there would be a certain bandwidth reservation (via UDP) between the client and the central server. This bandwidth is guaranteed by the protocol and the routers enforce this. Because it uses UDP, you have to then use a layer on top of that to provide the reliability. There are plenty of file-transfer protocols using UDP that have such layers, so the code is out there.

      However, ALL of this requires cooperation by ISPs at one level or another. In other words, the ISP would need to be certified as capable of guaranteeing vote delivery in order to provide any kind of guarantee. This could be done. The ISPs won't like it, but it could be done.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    5. Re:Electronic voting, yes! Online voting, no! by Cylix · · Score: 2, Interesting

      Nope,

      There are several network appliances that can assist and eliminate most of the overhead of a denial of service attack. This of course would not compensate for upstream saturation, but you have it within your power to eliminate a good deal of it long enough to work with upstream providers.

      This is why lots of new denial of service attacks focus on exploiting content which has a high application cost, i.e., find a page which has too much dynamic content or generates slowly due to dependent services being at threshold. With this mindset you can essentially pressure point an application host even if it is well protected.

      If you have to secure, enforce constraints or manage much of anything at the host level you are going to suffer quickly.

      --
      "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
    6. Re:Electronic voting, yes! Online voting, no! by dkleinsc · · Score: 4, Insightful

      Voting machines should definitely be electronic.

      Why? What exactly do electronic voting machines give you that, say, an optical scan paper ballot doesn't? Electronic voting has more often than not been a solution in search of a problem.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    7. Re:Electronic voting, yes! Online voting, no! by NatasRevol · · Score: 3, Insightful

      Trivial? Yeah right. And you wonder why other moderators are rating you flamebait.

      Online voting is not trivial for one reason. Security from vote tampering.

      If you can get 300 million people to vote online, without vote tampering up to and including hacking 'your' system, then you're a hero.

      But you're not.

      --
      There are two types of people in the world: Those who crave closure
  2. Inline PDF forms!?! by dgatwood · · Score: 5, Insightful

    One of the articles mentioned that some browsers submitted blank forms because they don't support inline PDF forms. Who, exactly, thought that using PDF was a good idea? The whole point of the web is that it provides layout standards. Why even bother using a web browser if you're just going to try to hack around it by using a completely different content format, PDF, shoved in using browser plug-ins? It might as well have been Flash. Use the web or do not. There is no halfway.

    And of course, their servers were obviously insecure, as evidenced by someone managing to alter content on the servers.

    What does all this tell us? Well, it tells us that:

    • For anything approaching secure content delivery, the actual content (the HTML pages, the javascript files, etc.) must be signed prior to installation on the servers, not signed by the servers that provide it.
    • Web-based clients lack the infrastructure to verify signatures on the content itself except for the signatures provided by the servers.
    • Web-based clients are therefore inherently insecure.

    Not that this shouldn't have been anything less than obvious to anyone with even a basic understanding of computer security.... Real secure networks built on top of HTTP use client applications that verify signatures on the content that the servers provide, ensuring that it is legitimate before acting on it. This also, of course, requires that people obtain the client software in a secure fashion, which is a problem in and of itself, in much the same way that obtaining the client on-the-fly from a web server is a problem, and for precisely the same reason.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.
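
Added example, not part of the original thread or any commenter's code: a Node.js illustration of the model described in the comment above, where content is signed offline before it is installed on the server and the client checks it against a public key it already holds. The function names, file names, content and keys are constructed for illustration.

```javascript
const crypto = require('crypto');

function sha256(data) {
  return crypto.createHash('sha256').update(data).digest('hex');
}

// Release step: runs on the publisher's machine, never on the web server.
// Signs a manifest that lists every file name with the SHA-256 of its content.
function publishRelease(files, privateKey) {
  const manifest = JSON.stringify(
    Object.keys(files).sort().map((name) => [name, sha256(files[name])])
  );
  const signature = crypto.sign(null, Buffer.from(manifest), privateKey);
  return { manifest, signature };
}

// Client step: pinnedPublicKey ships with the client application; it is not
// fetched from the server whose content is being checked.
function verifyAndLoad(name, body, release, pinnedPublicKey) {
  const signed = crypto.verify(
    null, Buffer.from(release.manifest), pinnedPublicKey, release.signature);
  if (!signed) return { accepted: false, reason: 'manifest signature invalid' };
  const entry = JSON.parse(release.manifest).find(([n]) => n === name);
  if (!entry) return { accepted: false, reason: 'file not in signed manifest' };
  if (entry[1] !== sha256(body)) return { accepted: false, reason: 'content hash mismatch' };
  return { accepted: true, reason: 'ok' };
}

// Constructed sample data: a publisher key pair and two files of a ballot page.
const publisher = crypto.generateKeyPairSync('ed25519');
const files = {
  'ballot.html': '<form action="/cast">...</form>',
  'ballot.js': 'submitBallot();',
};
const release = publishRelease(files, publisher.privateKey);

function demo() {
  // 1. Content served exactly as published.
  const genuine = verifyAndLoad('ballot.html', files['ballot.html'], release, publisher.publicKey);
  // 2. A file altered on the server after installation.
  const altered = 'submitBallot(); /* altered on server */';
  const tampered = verifyAndLoad('ballot.js', altered, release, publisher.publicKey);
  // 3. The server re-signs the altered file with a key of its own.
  const serverKey = crypto.generateKeyPairSync('ed25519');
  const resigned = publishRelease({ 'ballot.js': altered }, serverKey.privateKey);
  const forged = verifyAndLoad('ballot.js', altered, resigned, publisher.publicKey);
  return { genuine, tampered, forged };
}

console.log(demo());
```

The third case is the one the comment's first bullet is about: a signature produced by the serving host proves nothing once that host is altered, so only the offline publisher key is accepted.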

    1. Re:Inline PDF forms!?! by Jah-Wren+Ryel · · Score: 2, Informative

      And of course, their servers were obviously insecure, as evidenced by someone managing to alter content on the servers.

      Bad sign, what with the fact that one of the OSDV directors, also its nominal CTO, sells himself as a security consultant.

      --
      When information is power, privacy is freedom.
    2. Re:Inline PDF forms!?! by guanxi · · Score: 5, Insightful

      Web-based clients are therefore inherently insecure.

      Web-based clients are insecure simply because you don't have physical control over them. You don't control the network, the routers, or the client machine. Give me (or some malware author) the client machine, and who cares what you signed on the server or how?

      Imagine this: You're a security consultant. A client says: Secure this system, it can change the course of U.S. history (so it has a little value). And by the way, the system extends to 150 million clients running every kind of hardware, software, and configuration imaginable, maybe 25% of which are infected with malware, and to which we have no access and over which we have no control. Oh yeah, and any computer on earth could be a vector of attack and everything from foreign intelligence agencies to corrupt politicians to radical political groups to greedy businesses might have a motive.

      Why are we even discussing this as a possibility?

  3. Re:open public review by blair1q · · Score: 2, Informative

    It's open software, so you can look at it any time you like.

    Of course, so can the h4xx0rs.

    And they don't have to pwn it until election day. By which time you no longer have open access to the code in the box. You can try to hack it, but you probably won't be able to tell what other hacks have been applied by looking at the binary.

    The fact is, if the voting system is built on an operating system that allows a superuser access to all things, then it's ultimately vulnerable to all types of hack, as long as there's any exploit that allows superuser access.

    And if it has an IP component over the public interwebs, all bets are off, no matter what TLA you're using to encrypt it.

  4. Re:open public review by blair1q · · Score: 3, Insightful

    But a paper vote can be audited by the original voter.

    An electronic vote can be manipulated just long enough to pass through the counting register, and when it gets back to the original voter it can look exactly like it did before it was manipulated.

  5. Conspiracy? by supernatendo · · Score: 2, Insightful

    I find it scary that at the same time as trying to make it unlawful to use encryption that the government doesn't have a "backdoor" into, they are also trying to push "secure" internet voting. Goodbye democracy, we hardly knew you...

  6. GNU Free by Albanach · · Score: 5, Informative

    Many years ago there was a GNU project to create an online secure voting software. It's a great idea.

    In 2002, they finally stopped development. They explain why here: http://www.gnu.org/software/free/

    Quoting from that page:

    "As Bruce Schneier points out "a secure Internet voting system is theoretically possible, but it would be the first secure networked application ever created in the history of computers."

    and...

    "Mr. Schneier points out, 'building a secure Internet-based voting system is a very hard problem, harder than all the other computer security problems we've attempted and failed at. I believe that the risks to democracy are too great to attempt it.'"

    I think anyone wanting to build a secure online voting system should give those quotes some really serious thought before starting. Then before they write any code, they should be able to explain why they believe they are right and one of the field's most respected experts is wrong.

    1. Re:GNU Free by Albanach · · Score: 2, Insightful

      They could also be collected by political parties from voters through theft, bribery or coercion then used to cast multiple votes.

    2. Re:GNU Free by Albanach · · Score: 2, Insightful

      It wouldn't be hard

      It's thoughts like those that land coders in trouble.

      We have an expert on the record saying it's very very hard, and an AC posting saying the opposite. Who to trust???

      What if there's a flaw in the smart card hardware that allowed votes cast to be transmitted differently? What if the master key were to be exposed and someone launched a MITM attack? What if there's an exploitable flaw in the operating system of the server collecting or collating the votes?

      You have a solution to just one tiny part of the giant jigsaw puzzle. Still think it wouldn't be hard?

    3. Re:GNU Free by TheLink · · Score: 3, Insightful

      A lot of them miss out another important requirement for elections and voting systems, at least in actual democracies.

      Requirement #0: Convincing enough of the losers that they've lost.

      Doesn't matter if your fancy system is actually secure and proven. If the losers think they lost because "too much magic" happened, you could have riots on the streets or even civil war.

      While paper votes have problems, they are easier to explain to voters. And if you do them right, the losers tend to agree with the results- they might dispute with a few problem constituencies, but you won't get massive riots.

      You get riots when you do them wrong, e.g. having one party do the counting in secret. And riots might even be justified or at least understandable since having just one party count paper votes secretly is rather fishy.

      In my country I think they rig it with postal votes. The counting is done in front of various observers from different political parties and a few 3rd parties even.

      So where they can rig it is with postal votes, or in places which are more obscure - nobody bothers to show up to watch the counts, ballot boxes etc (but those places often don't make much of a difference ;) ). So that puts a limit to the cheating - so when enough voters get pissed off enough with you, despite your efforts you can still lose the elections - there are just so many postal votes to go around.

      Whereas most electronic voting systems tend to do their counts in a way that cannot be observed by others. There's too much magic :).

      And all for what? Make things faster? You want to do it right, take the time and money to do it right. What's so hard about scaling? Your education system should be good enough so that you have enough volunteer counters who can actually count.

      I find it funny that the US spends billions to supposedly hold elections in Iraq (regime change right? ;)), and they can't seem to be able to do it right at home... With Diebolded elections and all that.

  7. Welp by Frogbert · · Score: 2, Insightful

    I suppose it's a good thing they tested the system.

    Isn't this the type of thing testing is supposed to identify?

  8. Sad yankee system by iris-n · · Score: 3, Insightful

    Has anybody read the comments section in the Washington Post website? It is disgusting to see how much hatred and ignorance is going on there. I hope they're not a representative sample of the USian population.

    Meanwhile, in Brasil, we just had a presidential and local election. About 100 million people voting, in an all-electronic process. There were no reports of fraud whatsoever, and the election results were available just 2 hours after the polling stations closed.

    Can't the US do better? Your voting system is just laughable.

    --
    entropy happens
    1. Re:Sad yankee system by Tanman · · Score: 2, Insightful

      We are doing better.

      If you take the viewpoint of The Man.

    2. Re:Sad yankee system by YrWrstNtmr · · Score: 4, Insightful

      There were no reports of fraud whatsoever

      Indeed.

  9. I can do everything else online. by Anonymous Coward · · Score: 4, Insightful

    I can check my bank accounts online.
    I can pay my bills online.
    I can order almost anything imaginable online.
    I can participate in auctions online.
    I can date online.
    I can gamble online.
    I can see my credit reports online.
    I can file my taxes online.

    Why is voting so different?

    1. Re:I can do everything else online. by mhotchin · · Score: 4, Insightful

      Because these other endeavours do not require anonymity.

      Voter coercion is a real problem.

  10. Re:The Victors by pipedwho · · Score: 2, Funny

    And I too die a little whenever I see Jar used twice in the same sentence. I die a lot when George Lucas does it.