Hackers Infiltrate D.C. E-Voting System, Force Testing Delays

While testing out its electronic vote-by-mail program for overseas voters, the District of Columbia invited hackers to do their worst to break into the system. The programming geeks answered with decisive force, with someone making the site play the University of Michigan’s fight song after a test subject submitted the ballot. D.C. officials suspended testing before patching things up and getting back online.

The voting system, dubbed Digital Vote by Mail, is said to be the first in the U.S. to give overseas voters a chance to cast their ballots with mouse clicks. For now electronic voting seems as corruptible as the old-fashioned variety.

Public Examination Announcement [District of Columbia Board of Elections & Ethics via The Washington Post]

Comments

Edit Your Comment

  1. TouchMyMonkey says:

    Go Wolverines!

    • axhandler1 says:

      Hail! to the victors valient…

      On one hand, online voting makes me very nervous about the increased succeptability for fraud. On the other though, if online voting was available for voters within the US, I’ll bet voter tunrout would be at an all time high (although with the way this country is nowadays, I’m not sure that that’s a good thing).

      • The hand that feeds, now with more bacon says:

        What would happen is there would be XSS attacks on just about every web page on the internet that would try to vote for you.

  2. IphtashuFitz says:

    They should hire some of the hackers to create a more secure system…

    • teh says:

      Isn’t this how open source software is supposed to work?

      • IphtashuFitz says:

        Open source software is only as good & secure as the individuals who install it and set it up. If all you do is install a stock version of linux from one of the major distributors and choose the defaults for installing things like the Apache web server then you’re installing a ton of extraneous stuff you don’t even realize you don’t want/need.

        To properly lock down a system, especially when you want it secure enough to do something like handle voting, requires a good amount of knowledge and a fair amount of effort. I worked briefly for a company that developed electronic gaming systems for casinos. The key to most modern games is a random number generator (RNG), and the regulations that Nevada and other states dictate for RNG’s are extremely strict. There’s only one or two companies in the country that manufacture ones certified for use in Vegas. The company I worked for worked on developing a linux-based one, and it was EXTREMELY difficult to design one that would satisfy the Nevada Gaming Commission regulations. Unfortunately there isn’t as much financial incentive in voting machines as there is in the RNG’s that control modern slot machines & video poker systems, so voting machines are no where near as secure as RNG’s.

    • mischlep says:

      Can’t be done on the modern internet. The system is still susceptible to a Distributed Denial of Service attack.

      • IphtashuFitz says:

        By your argument nobody should ever bother paying bills on-line or doing any other sort of on-line banking, investing, etc. or doing pretty much anything else at all that is business related since in theory any website/service could be DDoS’d. We might as well all give up buying products on Amazon.com, downloading music from iTunes, watching videos on Netflix, etc. since they could all be disrupted by DDoS’s at any time.

        • freelunch says:

          I think the idea is that anything that is necessary for us to function as a society (voting, utilities, property ownership, etc) should rely 100% on the internet. Otherwise a DDoS can bring down the system.
          If my utility company website is trashed, I can still mail in my check. If my bank website is DDoS’d, I can still walk into a local branch.

          • kujospam says:

            I wish I could walk in. I would have to mail a check, but I wouldn’t be able because I don’t know the address and their website would be down.

      • mac-phisto says:

        yeah, but you can overcome that by actively managing DNS traffic (traffic shaping).

  3. wonderkitty now has two dogs says:

    I always enjoy it when companies invite the hackers to do their work. It seems like a pretty real test for whatever program that’s being created. UM fight song? That’s creative.

  4. Southern says:

    *Duh*………….

    Have ANY of those “break into our system!” challenges EVERY gone unwon? I know PC Magazine used to do ‘em, someone always broke in.. lol :)

  5. teh says:

    I applaud DC for embracing technology and for vigorously and openly testing the voting system. Yes, it was hacked and will have to be delayed, but it’s better to have a delay and secure system. Now, if only the rest of the voting districts (especially those using electronic voting machines) would do the same.

  6. dg says:

    Electronic voting isn’t secure by any stretch of the imagination (google for diebold voting). Then again, regular print ballots are subject to various issues as well. The difference between the two is that the fake votes can be much greater in electronic systems – simply due to the fact that a program gets written or hacked instead of someone losing or adding a box of paper ballots…

    Still, having outside forces test the system is a step in the right direction… Peer review works for journal articles, why not voting systems?

  7. cynical_reincarnation says:

    Entering the votes seems to be one part of the problem.

    How can they be sure the person managing the results is on the level…

  8. MongoAngryMongoSmash says:

    I trust this about as much as I trust video gambling machines in a casino. I’d rather sit at a table and play against a dealer than leave a computer up to it.

  9. Hoss says:

    It’s vote by mail, but you use a computer?

  10. donovanr says:

    Any halfway decent programmer will tell you that any form of paperless voting should be banned as unworkable. Voting is different from say online banking in that with online banking you can audit your account. If you deposit some money and your account doesn’t reflect the full amount you would be all over that. But if you vote and it doesn’t go to your candidate you will never know. Thus cheating will work with there being no proof beyond a gut feeling in the electorate.

    What kind of politicians would we get if they cheated to win? The usual paper system is great very interested parties vet the voters and watch the paper go into the box and then those interested parties participate in the count. Very hard to do large scale cheating.

    The best comprise is to have an electronic voting machine that will print a ballot with the choices in large letters.(no hanging chads) Then the voter can verify the printed ballot and put it in a ballotbox. The computer can give a preliminary tally so that the probable results are known the second the election ends. But then the scrutineers begin counting the paper ballots to verify the electronic counts. The paper ballots have the final say.

    • Elcheecho says:

      Why can’t you be assigned a randomly generated number when you cast your vote. Then the results of the vote are put up on line for anyone to check/audit. You download or view the file a week later and check that your number matches up with who/what you chose.

      i suppose multiple people could be assigned the same number, but then you could have one company give out random numbers another compiling the votes.

      • sir_eccles says:

        Because I’m going to get hold of your number and make sure you voted for my candidate *holds baseball bat in a menacing way*

    • zlionsfan says:

      Any halfway decent programmer can give you the exact same response about systems that don’t involve computers: election fraud wasn’t invented with the computer. Paper ballots can be altered, miscounted, or otherwise turned away from the intended vote just like computer ballots can.

      There is no way to allow anonymous voting and end up with error-proof results. There will always be compromises somewhere. The most important thing is to identify the weaknesses in whatever system you use, computerized or not, and work to strengthen them. That sounds like what D.C. is trying to do, and they should be commended for it.

  11. friendlynerd says:

    I work in technology and I am by no means afraid of it. But not for voting. I want an old-fashioned paper trail. It’s been demonstrated too many times how easy this is to rig.

  12. ClaudeKabobbing says:

    I trust computers for voting even less than I trust florida paper ballots.

  13. sir_eccles says:

    A piece of paper and a pen.

    By all means use a scanner to count the votes, but a piece of paper can be looked at by the mark one eye ball and counted again if need be. Accurate counting and recounting is much more important than speed of counting. It is just the TV networks that want an answer right now now now!

  14. Geekybiker says:

    The fun bit is that not even the government knows how these systems work. They don’t have access to review the code. It would be super simple for the contractor to put a back door in their system. Voting systems are something that should be subject to public scrutiny. Security through obscurity is no security at all.

  15. KingPsyz says:

    Misleading headline is misleading…

    “Hackers Infiltrate D.C. E-Voting System, Force Testing Delays”

    Story

    They invited the hackers to break the system, and they did.

  16. ScandalMgr says:

    This is old news. None are safe.

    See http://www.bradblog.org and http://www.blackboxvoting.org for detailed analyses on hacking all electronic voting systems.