DC Internet Voting Trial Attacked 2 Different Ways

mtrachtenberg writes "University of Michigan Professor J. Alex Halderman and his team actually had two completely separate successful attacks on Washington, DC's internet voting experiment. The second path in was revealed by Halderman during testimony before the District of Columbia's Board of Elections and Ethics on Friday. Apparently, a router's master password had been left at the default setting, enabling Halderman to access the system by a completely different method than SQL injection. He presented photographs of a video stream from the voting offices. In addition, he found a file that had apparently been left on the test system contained the PINs of the 900+ voters who would have used the system in November. Others on the panel joined Halderman in pointing out that it was not just this specific implementation of internet voting that was insecure, but the entire concept of using today's internet for voting at all. When a DC official asked why internet voting could not be made secure when top government secrets were secure on the internet, Halderman responded that a big part of keeping government secrets secret was not allowing them to be stored on internet-connected computers. When a DC official asked the panel whether public key infrastructure couldn't allow secure internet voting, a panel member pointed out that the inventor of public key cryptography, MIT professor Ronald Rivest, was a signatory to the letter that had been sent to DC, urging officials there not to proceed with internet voting. Clips from the testimony are available on YouTube." Update: 10/09 19:24 GMT by T : Reader Cwix points out two newspaper stories noting these hearings: one in the Washington Post, the other at the Chicago Tribune. Thanks!

Please use internet voting

to mod me up to +5 informative, to show it does work perfectly!

Inventor?

> the inventor of public key cryptography, MIT professor Ronald Rivest,

Rivest is a brilliant, very accomplished man, and was one of the inventors of one of the earliest and best-known public-key cryptosystems. But it's misleading to refer to him as "the" inventor of public-key cryptography in general. He co-invented RSA with Shamir and Adleman (several years after Cocks came up with it and kept it secret). But the concept of public-key cryptography was described before RSA, by such luminaries as Diffie, Hellman, and Merkle. He is certainly one of the pioneers of public-key crypto, and deserves acclaim for that, but is not "the" inventor of the concept.

Incidentally, much of Rivest's recent work is in the area of electronic voting (how to make it simultaneously accurate/auditable, privacy-preserving, and usable by non-technical people)--so he's not just speaking as a luminary in the field, but as someone who has studied this specific problem.

Actual article

[Cwix]

The youtube videos are all well and good.. heres a few links to written articles about this though

http://voices.washingtonpost.com/debonis/2010/10/prof_explains_how_dc_online_vo.html

http://www.chicagotribune.com/news/chi-ap-dc-dcelections-heari,0,541741.story

Corrrections to post text

[EvilSporkMan]

It was a terminal server, not a router, and the previously-published attack was shell injection, not SQL injection.