DC Internet Voting Trial Attacked 2 Different Ways

mtrachtenberg writes "University of Michigan Professor J. Alex Halderman and his team actually had two completely separate successful attacks on Washington, DC's internet voting experiment. The second path in was revealed by Halderman during testimony before the District of Columbia's Board of Elections and Ethics on Friday. Apparently, a router's master password had been left at the default setting, enabling Halderman to access the system by a completely different method than SQL injection. He presented photographs of a video stream from the voting offices. In addition, he found a file that had apparently been left on the test system contained the PINs of the 900+ voters who would have used the system in November. Others on the panel joined Halderman in pointing out that it was not just this specific implementation of internet voting that was insecure, but the entire concept of using today's internet for voting at all. When a DC official asked why internet voting could not be made secure when top government secrets were secure on the internet, Halderman responded that a big part of keeping government secrets secret was not allowing them to be stored on internet-connected computers. When a DC official asked the panel whether public key infrastructure couldn't allow secure internet voting, a panel member pointed out that the inventor of public key cryptography, MIT professor Ronald Rivest, was a signatory to the letter that had been sent to DC, urging officials there not to proceed with internet voting. Clips from the testimony are available on YouTube." Update: 10/09 19:24 GMT by T : Reader Cwix points out two newspaper stories noting these hearings: one in the Washington Post, the other at the Chicago Tribune. Thanks!

Please use internet voting

to mod me up to +5 informative, to show it does work perfectly!

Inventor?

> the inventor of public key cryptography, MIT professor Ronald Rivest,

Rivest is a brilliant, very accomplished man, and was one of the inventors of one of the earliest and best-known public-key cryptosystems. But it's misleading to refer to him as "the" inventor of public-key cryptography in general. He co-invented RSA with Shamir and Adleman (several years after Cocks came up with it and kept it secret). But the concept of public-key cryptography was described before RSA, by such luminaries as Diffie, Hellman, and Merkle. He is certainly one of the pioneers of public-key crypto, and deserves acclaim for that, but is not "the" inventor of the concept.

Incidentally, much of Rivest's recent work is in the area of electronic voting (how to make it simultaneously accurate/auditable, privacy-preserving, and usable by non-technical people)--so he's not just speaking as a luminary in the field, but as someone who has studied this specific problem.

Re:Facts don't matter

[_Sharp'r_]

Why then are they making voting machines less secure than ATMs?

You clearly don't understand enough about ATMs if you think they are more secure than voting machines.

Most ATMs are just barely secure enough to keep the cash from walking away as long as someone can keep a physical eye on the machine (something somewhat inhibited for voting machines by private voting requirements). ATMs generally do a decent job of recording and reporting transactions to a remote server so that when money invariably is stolen (physically or electronically) it can eventually be taken from the correct legally accountable bank account.

A variety of ATMs suffer from default passwords that aren't changed, physical cabinet keys that aren't unique, eavesdropping attacks in the form of card skimmers and cameras, unencrypted transmissions, insecure operating systems, administrative backdoors, etc...

ATMs and voting machines suffer from what are essentially illusions of security that rely on no one smart enough to bypass them having the real desire and resources to do so. When voting machines determine how real power in large amounts is distributed (say, in national elections), they can't hope to stand up to what's at stake unless they are simple enough to be essentially transparent in function to the public.