Slashdot Mirror


Voting System Test Hack Elects Futurama's Bender To School Board

mr crypto writes with this quote from El Reg: "In 2010 the Washington DC election board announced it had set up an e-voting system for absentee ballots and was planning to use it in an election. However, to test the system, it invited the security community and members of the public to try and hack it three weeks before the election. 'It was too good an opportunity to pass up,' explained Professor Alex Halderman from the University of Michigan. 'How often do you get the chance to hack a government network without the possibility of going to jail?' With the help of two graduate students, Halderman started to examine the software. Despite it being a relatively clean Ruby on Rails build, they spotted a shell injection vulnerability within a few hours. They figured out a way of writing output to the images directory (PDF) on the compromised server, and of encrypting traffic so that the front-end intrusion detection system couldn't spot them. The team also managed to guess the login details for the terminal server used by the voting system. ... The team altered all the ballots on the system to vote for none of the nominated candidates. They then wrote in names of fictional IT systems as candidates, including Skynet and (Halderman's personal favorite) Bender for head of the DC school board."

14 of 210 comments

  1. At least by stillpixel · · Score: 5, Insightful

    the election board had the common sense to ask for this publicly and not cross their fingers and hope no one did this when they used it for real. More gov't entities should open up to testing like this.

    1. Re:At least by Anonymous Coward · · Score: 5, Informative

      The protocol for a proper paper ballot vote is not vulnerable in that way. It goes like this:

      On the morning of the election day, observers of all parties and interested citizens witness the sealing of empty ballot boxes. The ballot boxes don't leave the room, and enough observers to prevent collusion must be present at all times.

      The election is carried out with observers of all parties watching to confirm that only people eligible to vote put one ballot each into the ballot box.

      At the end of the day, the ballots are counted under the eyes of observers of all parties. The result is signed by all observers, each observer makes a note of the result and the signed result is posted locally. The result is relayed upward, where all local results are posted again together with the aggregate result.

      This protocol ensures that no single entity can change a number without other interested parties having the opportunity to notice the manipulation.

      This protocol is simple enough that no expertise is necessary to memorize it, understand why it works, and verify that it is followed correctly. It is the only protocol with these important properties.

    2. Re:At least by rtfa-troll · · Score: 5, Insightful

      This protocol is simple enough that no expertise is necessary to memorize it, understand why it works, and verify that it is followed correctly.

      This can't be stated strongly enough. If there is any part of this that can't be understood by a retired clerk without higher education and with no real interest in mathematics and/or computing then you are getting rid of some of the most important volunteers who can ensure that the voting goes correctly.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  2. Why... by Daniel_is_Legnd · · Score: 5, Funny

    Why not Zoidberg?

    1. Re:Why... by Alter_3d · · Score: 5, Funny

      Why not Zoidberg?

      I'm surprised it was not Hypnotoad

  3. "managed to guess the login details" by chemicaldave · · Score: 5, Informative

    If you read the article, they didn't even have to guess really. The default root password for the HTTP admin interface was left intact. They then downloaded the etc/passwd file and cracked it in only 3.5 hours because, surprise surprise, the secondary administrator password was piss poor "cisco123"

    Seriously. Who hired these clowns?

    1. Re:"managed to guess the login details" by Anonymous Coward · · Score: 5, Insightful

      Indeed.

      Ruby does a lot of things, but encouraging security isn’t one of them. Building a properly secured application means thinking about security right from the beginning and working it in at the core levels. Upper level code shouldn't even be _able_ to do something insecure without some kind of token from the minimalist security layers at the base. A language designed to "handle that shit for you" leads to a lot of "oh, didn't think about that" type issues.

      See also: diaspora

    2. Re:"managed to guess the login details" by powerlord · · Score: 5, Funny

      New Jersey, India, and China.

      Ah yes, the new "Axis of Evil"!

      --
      This space for rent. All reasonable inquiries will be entertained at proprietor's discretion.
  4. why evoting machines by Anonymous Coward · · Score: 5, Insightful

    Every single technology profession I have EVER communicated with, does not think electronic voting machines are a good idea. If EVERYONE is in agreement this is a BAD idea, why the FUCK are we still making these things?

    1. Re:why evoting machines by GmExtremacy · · Score: 5, Insightful

      If EVERYONE is in agreement this is a BAD idea, why the FUCK are we still making these things?

      Because what is popular is not always correct.

    2. Re:why evoting machines by jeffmeden · · Score: 5, Funny

      Every single technology profession I have EVER communicated with, does not think electronic voting machines are a good idea. If EVERYONE is in agreement this is a BAD idea, why the FUCK are we still making these things?

      That's just it, we took a vote on that and as it turns out about 190% of respondents said that they were in favor of electronic voting...

    3. Re:why evoting machines by Tackhead · · Score: 5, Insightful

      Every single technology profession I have EVER communicated with, does not think electronic voting machines are a good idea. If EVERYONE is in agreement this is a BAD idea, why the FUCK are we still making these things?

      Because neither politicians nor voters understand the concept of experimental error.

      And because in 2000, a Presidential election's electoral vote count was close enough that the entire contest depended upon the popular vote count of a single state, which was itself close enough to fall within the experimental error of the measuring apparatus. (Hanging chads, ballots with improperly marked "X"s, scantron errors, etc.)

      After that, of course, the usual political process took care of itself, to wit:

      Ignorant public: "Something must be done to eliminate all experimental error!"
      Ignorant politicians: "Computers are something!"
      Frustrated techies: "Just because the computer always reports an unambiguous tally, doesn't mean that the tally reflects the will of the voters..."

      They were, of course, drowned out by a chorus of...

      Contractors and Lobbyists: "Hey, you politicians look like you want a whole lot of voting machines, and we happen to know some people who can build them... for a price."

      Most people (with the exception of politicians and rabid hyperpartisans, and in 2000, they were the minority of the electorate), whether they voted Jackass or Elephant, were willing to accept that it was possible that their candidate lost.

      But nobody - and I mean nobody - wanted to accept the possibility that there was insufficient data to discern the actual will of Florida's voters because the margin of victory was within the expected error of a voting process.

      The recorded vote count in Florida was 2,912,790 to 2,912,253. Even ignoring the experimental error associated with the voting process, a traffic accident on a highway leading to/from a Democratic- or Republican-leaning neighborhood (or a bad rainstorm, or any number of a thousand random occurrences) could have changed the outcome by making enough people stay home, delay voters' arrival at the polling stations after closing time, etc., to have changed the outcome. No matter what technology you use, 269 votes out of almost six million isn't signal, it's noise.

  5. Re:Ruby on Fails? LOL by kbob88 · · Score: 5, Insightful

    Nice troll. Actually, it's kind of a lame troll. I suppose, as is normal on /., you didn't read the report from Prof Halderman.

    The initial problem was a string interpolation vulnerability in a modified Ruby library that executes a shell command to encrypt PDF ballots. That's a pretty basic mistake that has nothing really to do with Ruby or Rails. If you interpolate into a string (or concatenate data into a string) without sanitizing the data, and then execute it, you're asking for trouble, no matter whether it's Rails or Java or C. This is also pretty basic security stuff, and there are tons of guidelines and tutorials in the Rails community for avoiding this kind of mistake. There are also plenty of code vulnerability scanners that would pick this up. It's amazing that the DC team didn't use one of these to check their code.

    But they had plenty of other problems such as easy-to-guess passwords and a lousy IDS configuration.

    So the real problem was with the people who developed and implemented the system, not with the tools. I've seen plenty of similar mistakes in systems developed using all sorts of technologies. The developers clearly didn't have a very solid background in security. That's OK actually, as long as you have someone on the project who does and who can check their designs and implementation. Sounds like they didn't have anyone well versed in security, which seems a bit odd for an e-voting project. I'm certainly no expert on security, but I am a RoR coder, and even I know not to make these mistakes.

    But I suppose it's fun to bash the Rails programmers because they are in really high demand and able to command very high billing rates :-) I'll take the bashing along with the money and the ease of programming!
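
Added example (not part of the thread, and not code from the DC system or the Halderman report): the string-interpolation mistake described in the comment above, next to two hardened forms. `printf` stands in for the encryption tool, and the function names, the sample upload name and the allow-list pattern are all assumptions made for illustration.

```ruby
require "open3"
require "shellwords"

# Constructed upload name: everything after ";" is a second shell command.
HOSTILE = "ballot.pdf; echo INJECTED"

# `printf` stands in for the encryption tool (assumption): it prints each
# argument it receives, so the return value shows what the child process saw.

# Vulnerable pattern: the name is interpolated into one string that /bin/sh parses.
def run_interpolated(name)
  out, _status = Open3.capture2("printf '%s\\n' #{name}")
  out.lines.map(&:chomp)
end

# Hardened: argv form. No shell is involved, so the name is always one argument.
def run_argv(name)
  out, _status = Open3.capture2("printf", "%s\\n", name)
  out.lines.map(&:chomp)
end

# If a shell string cannot be avoided, quote the value for the shell first.
def run_escaped(name)
  out, _status = Open3.capture2("printf '%s\\n' #{Shellwords.escape(name)}")
  out.lines.map(&:chomp)
end

# Defence in depth: allow-list what an upload name may look like
# (hypothetical policy: short basename, fixed .pdf extension).
def acceptable_upload_name?(name)
  name.match?(/\A[A-Za-z0-9_-]{1,64}\.pdf\z/)
end

if __FILE__ == $PROGRAM_NAME
  p run_interpolated(HOSTILE)        # two lines: the shell ran a second command
  p run_argv(HOSTILE)                # one line: the whole name, as data
  p run_escaped(HOSTILE)             # one line: the whole name, as data
  p acceptable_upload_name?(HOSTILE) # rejected before any command is built
end
```

The interpolated call returns two output lines because the shell treated the tail of the name as a command; the argv and escaped calls return the name unchanged as a single argument.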

  6. Re:Bender would be great for head of the school bo by an unsound mind · · Score: 5, Funny

    Because "Insightful" is Secret Slashdot Code for "Funny, but enough so it deserves karma". And "Funny" is Secret Slashdot Code for "So painfully unfunny it induces groaning."

    Or possibly Groening. Not precisely clear on that.