comScore
Uncategorized Friday, March 2nd 2012 at 12:47 pm

Electronic Voting Machines Hacked, Bender Bending Rodriguez Elected to School Board

By ( ) Comments

Sure, widespread electronic voting would make the process of tallying and processing ballots exponentially easier, but can it ever really be secure? Maybe someday, but certainly not right now, as evidenced by a little experiment in Washington D.C. that ended with everyone’s favorite robo-sociopath Bender Bending Rodriguez being elected as the head of the Washington D.C. school board. Needless to say, there was a little bit of hacking involved.

Before we go any further, its worth noting that there was hacking involved partially because the Washington D.C. election board was asking for it. Literally. During the election in question, the election board actually invited all comers to try and break into the system as a test of its security. Among others, a team from University of Michigan took a crack at it, and cracked the system wide open.

In addition to asking for it literally, the election board was also “asking for it” from a security standpoint. During the course of the hack, the team, comprised of Professor Alex Halderman, and two graduate student sidekicks, found themselves having to break into the voting system’s terminal servers. Since the password and logon were both “admin,” it proved to be quite easy. They also found that hijacking the voting system’s surveillance cameras for their own purposes was equally trivial.

By exploiting a number of equally egregious security flaws, the team was able to get inside the system, block it off from other attackers, control the ballots, modify them to include SkyNet and Bender, and accomplish this all while remaining completely covert. As a victory dance of sorts, the team programmed the machines to play the University of Michigan fight song. Authorities remained unaware of the successful hack until a tester — who had just ruled the system “secure,” I might add — suggested they lose the music because it was annoying.

Whatever the benefits of electronic voting may be, they certainly aren’t worth the danger of fraud. These may not have been the most sophisticated systems available, but the D.C. election board still thought they were ready for a test despite the fact that no one had noticed, or changed, some very important credentials that were still set to their defaults. Electronic voting systems, as they stand, are probably still years, maybe even decades away from being passably secure either by fault of the systems themselves, or the boards that decide what constitutes “secure.” That’s why I’m going to go create my own electronic voting system, with blackjack. And hookers.

(via The Register)

Relevant to your interests

Filed Under |
  • verybored

    So, why are electronic voting machines not completely standalone systems? Remove all capability of internet connectivity, have a USB port that is physically secured, and have a printer that prints out the total votes for each candidate.
    Can anyone think of any security risks there?

  • Erin

    No matter how you slice it, I just cannot believe that electronic voting could be any less credible than hand-counting votes

  • https://plus.google.com/117851238453767672962/posts Jack Byer

    Neither method is particularly credible.

  • Zombie Pat Morita

    Forget the blackjack.

  • http://profile.yahoo.com/FRJD66AT6LQ6CZZ46XJO43A4FM Artor

    It’s the paper records that are the problem. The whole point of using the electronic machines is to avoid having that hard-copy record that can be used to dispute the declared total.
    Oregon does voting by mail, and it works great. There’s very little opportunity for fraud, and there’s a solid paper trail the whole way.

  • Anonymous

    Hand counting can be done publically, requires more people to perform, and recounts can be performed by different parties, making a guaranteed level of collusion much costlier.

    Electronic voting is epistemologically a smoked filled backroom before the first vote is even cast.

  • Anon

    those in power lose the security to stay in power.

  • Anonymous

    Bender for president!!

  • http://twitter.com/Al__S Al

    We have a postal ballot option in the UK- for people that would be out of the country, or have difficulty getting to a polling station. Or just because you feel like it. Anyway, most of the voting fraud/electoral corruption that occurs here (admittedly very little) tends to involve postal voting.

  • Calin

    I love the idea of electronic ballots.  I think, as with everything that has gone digital, it has the potential of increased security, reliability, and convenience.

    But it has to be done right, and with the right attitude.  True security means that every possible attempt to find holes has to be made.  That includes publishing the source code, asking people to try to break it, etc.  And then, most importantly, FIX THE HOLES THEY FIND.  Don’t sue them for cracking your broken code.  Don’t sweep them under the carpet.  Don’t treat them like criminals because they found out your claims of security were wrong.

    When you make a system that any hacker in the world is welcome to inspect and try to break… and STILL come out secure… then we’re ready to go.

  • Prof Protocol

    First, what do you mean by “physically secured”?  Do you mean like the Diebold voting machines that were locked with a mini-bar key; every Diebold machine made used the same key.  Diebold even posted a picture of the key on their website with sufficient resolution that someone could, and did, make a usable key from the picture.

    Secondly, the real problem with software-based election machines is that their operation is not transparent to the public.  How can a citizen know if the machine is behaving properly?  Even without maliciousness, how would you know if the system has bugs (as all software does) or if the ballot was programmed correctly?  Do you understand how many different ballots there are in just a single county?  When the election officers are up for election, every precinct has a different ballot.

    Thirdly, what is the chain-of-custody for the election machines on all the days that are not election days?  What assurance do we have that the machines haven’t been tampered with?  In most places, the machines are distributed to the polling places days in advance of the election; where’s the chain-of-custody?

    Lastly, without paper ballots or a voter-verified paper audit trail there is no way to perform a meaningful recount or audit.  Asking the voting machine “What was that total again?” is not recounting.  Recounting is counting again.

  • Prof Protocol

    First of all, paper ballots don’t have to be counted by hand; they can be counted by a scanner.  The beauty of paper ballots, though, is that they CAN be counted by hand for a recount or an audit.  It’s not that hand counting is better than scanners, it’s that it provides a second, independent mode of counting.  If both modes get the same results, then there is assurance that the count is correct.  If not, then perhaps a third count, maybe with a different model of scanner is called for.

    Secondly, do you understand that hand counting is not done by an individual in isolation?  Hand counting is done by a team of at least two people who represent different parties.  It’s hard to be malicious in those circumstances.

  • verybored

    The only thing I was addressing was their security, preventing them from getting hacked, or physically tampered with. I have no clue whether the electronic voting machines are better or worse than older ones. Except for a security standpoint, then they are worse…

    The USB port was for installing whatever software was needed, which would then be sealed in such a way as to show any evidence of tampering. (At first I was thinking a grate with a padlock of some sort, but something to show if its been messed with would be good.)As for bugs, well, test, test, test. Same as any software really. Trial runs would have to be made, preferably in addition to traditional paper ballots to for field tests.Printer for printing off totals, OR (unsure about the legality of this) Name of voter and who they voted for. (in case of recount, or dispute, list could be made public, say online somewhere, as well as physical copies in central places, and people could check that their vote was recorded correctly. ) No idea how well that would work, but its a possible substitute for recounts.As for chain of custody, I imagine that someone from a sheriffs office or a police station should be present at all times, especially when it changes hands. Manufacturers load it up to send, with them checked by the officer, then delivered to storage nearby, checked by officer, storage sealed and security posted until time to get them to the polling place, officer once again checks when unsealed, delivered to polling place, set up, final checks on machines made (including testing the voting operation is working correctly) Officer signs off on machine for a final time, and security is posted through day of election. I do not know what happens to machines after the election day, but if its sent into storage, then send an officer along to check it, sign off on it. At one point, it will need to be sent back to the manufacturer for reprogramming, which restarts the cycle.I THINK I addressed everything, if not point out what I didn’t and I will.

    Of course this is assuming the integrity of law enforcement, and those working the polls on election day.

  • John Thelin

    Secure electronic voting is an oxymoron of monumental proportions. No democracy should even remotely consider it an option. Paper ballots of various kinds work well all over the world.

  • Karl Meyers

    If someone wants to vote, they first must swear under penalty of perjury that they are a citizen of the UNITED STATES, a corporation. If you look up United States Code Title 28, Section 3002 it states that the UNITED STATES is a federal corporation. That means our country is a company like Taco Bell or IBM. So, how is it a requirement that we all must be a citizen of a corporation in order to vote? I asked my Congressman that question two years ago and I am still waiting for an answer, but I won’t hold my breath. I feel it is impossible to be a citizen of Taco Bell just like it is impossible to be a citizen of the UNITED STATES corporation. We have a country called the united States, and we have a corporation called the UNITED STATES but you can’t vote in the country unless you admit to being a citizen of a company.