Hackers Inject Univ. of Michigan 'Fight Song' Onto System During D.C. Internet Voting Scheme Tests
By Brad Friedman on 10/4/2010 12:27pm
Latest incident in long, growing list of e-vote hack events...
[UPDATED: Hacker fesses up, took total control of system]
Last week we told you about D.C.'s intention of running an insane live experiment on live voters in a live election with an untested, wholly unverifiable, easily-manipulated Internet Voting scheme this November, and about just some of the computer security and election experts who have been desperately trying to warn them against it.
And now we find out that the very short planned pre-election test phase, in which hackers were invited to try to manipulate the system, has been abruptly aborted in the wake of a, um, disturbing (if not wholly unpredictable) development.
The failed system in D.C. was developed with the Open Source Digital Voting Foundation, an outfit that is working with election officials around the country to push Internet Voting everywhere, along with other computerized voting schemes. Simply because a system is "open source" does not mean it's secure, particularly when it relies on concealed vote counting, as all of their e-vote schemes do.
Below, along with our quick list of other recent known e-voting hack events, computer scientist Jeremy Epstein in "The Risks Digest," which describes itself as a "Forum on Risks to the Public in Computers and Related Systems," offers the quick timeline of recent developments in the District of Columbia's plan "against advice from many computer scientists, pursuing a trial of a prototype system for the November election."
The result, as seen below, in this latest assault on citizen-overseeable democracy is, of course, a stunning surprise to absolutely nobody other than perhaps the D.C. election officials interested in this horrific scheme and the profiteers who must have tricked them into believing that it was a secure and/or good idea [emphasis added]...
A brief timeline:
- Summer 2010: DC announces the pilot, with the open testing period to be in August
- Sep 20: DC releases a network map and requirements document; test server to be available Sep 24-30 [1]
- Sep 24: Common Cause and Verified Voting write to Mary Cheh, chair of the DC Council oversight committee on elections, suggesting that Internet voting appears to violate DC law due to lack of voter-verifiable ballots [2]
- Sep 24: 13 prominent computer scientists and lawyers write to Mary Cheh, pointing out numerous difficulties with the test program [3]
- Sep 24: Test server availability delayed for an undefined time
- Sep 28: Test server available, source code availability announced publicly; test period to run through Oct 06 at 5pm
- Sep 30 morning: After casting a "vote" on the test server, the browser plays the Univ of Michigan fight song
- Oct 01 afternoon: DC takes the test server down, citing "usability issues"

It's unclear when the test period will resume, if at all. It's also not clear at this point the extent of the compromise of the system. While it's true that the DC BoEE can fix whatever problems allowed introduction of the "fight song," it's also clear that this is the tip of the iceberg - we know from 30 years of experience that the "penetrate and patch" method doesn't produce secure systems. The RISK? Ignoring the advice of computer scientists and charging full steam ahead on a technology project doesn't work!

- Sequoia AVC Advantage DRE, 2010, Pac-Man hacked onto machine by scientists from University of Michigan and Princeton University without breaking "tamper-evident" seals.
- Sequoia AVC Advantage DRE, 2009, hacked by computer scientists at UC San Diego, University of Michigan, and Princeton University by swapping out its chips in a matter of minutes, with no access to source code or other "closely guarded technical information."
- Sequoia Edge DRE, 2007, hacked by computer scientists at U.C. Santa Barbara (video release in 2008)
- Diebold, ES&S, Sequoia, and Hart Intercivic systems, 2006 & 2007, Independent tests commissioned by the states of CA, OH, and CO all found they were able to hack every system tested. In seconds.
- Diebold Touch-Screen, Op-Scan Systems, 2007, Physical key to all Diebold voting systems (same one is used for every machine) confirmed by Princeton computer scientists as accurately copied from photo of key posted by Diebold in its own online store.
- Diebold touch-screen system, 2006, hacked by computer scientists at Princeton
- Sequoia tabulator, 2006, accidentally hacked by Michael Shamos in PA (while trying to demonstrate that the system was not hackable)
- Diebold touch-screen system, 2006, hacked by Harri Hursti in Emery County, UT
- Diebold optical-scan system, 2005, hacked by Harri Hursti in Leon County, FL (video)
Anything. They. Want.
Other than that, let's keep working towards Internet Voting! It's a great idea! Local e-voting has worked out so great, what could possibly go wrong by extending it onto the Internet?!