The Details On How To Elect Futurama's Bender To Whatever Election Is Using Online Voting
from the bite-my-shiny-metal-ass dept
Back in October of 2010, we wrote about how some "hackers" had broken into a test of the Washington DC e-voting system, and had managed to have the system play the University of Michigan "fight song" every time people voted -- University of Michigan being where the researchers (led by e-voting security expert J. Alex Halderman) were from. A day later, we discussed some more details of the hack, noting how just a tiny vulnerability could take down the integrity of the entire system.
It's been a bit of time since then, but Halderman has released the academic paper they wrote about the experience, which is now getting some new attention, including the fact that, beyond playing the UMich fight song, they also installed their own slate of "fictional" candidates, including Bender from Futurama, who is presumably running on a Kill All Humans platform.
The full paper has some other interesting tidbits, as well, including the fact that they didn't just hack into the e-voting machines... but also accessed the security cameras watching the e-voting servers, which were left open to public access. I'm not kidding.
"These webcams may have been intended to increase security by allowing remote surveillance of the server room, but in practice, since they were unsecured, they had the potential to leak information that would be extremely useful to attackers. Malicious intruders viewing the cameras could learn which server architectures were deployed, identify individuals with access to the facility in order to mount social engineering attacks, and learn the pattern of security patrols in the server room. We used them to gauge whether the network administrators had discovered our attacks—when they did, their body language became noticeably more agitated."
Either way, the entire thing suggests just how insecure e-voting can be, and the paper suggests these are fundamental, systematic problems with any e-voting approach these days, rather than just a poor implementation.
Filed Under: alex halderman, bender, dc, e-voting, hacking, security, university of michigan
Reader Comments
Re:
Then with my Bat System analyzer, I'll be able to fix the flaws in twenty minutes.
Then with my Bat Hacker device, I'll be able to break the hacking codes all around the world, Robin.
It will only take me an extra thirty minutes.
[ link to this | view in chronology ]
From the paper
However, we found that the Paperclip Rails plugin used to handle file uploads stored each ballot file in the /tmp directory before it was encrypted. The web application did not remove these unencrypted files, allowing us to recover them.
After about 3.5 hours using the cracker’s default settings, we recovered the secondary administrator password cisco123 from a salted MD5 hash.
When we inspected the terminal server’s logs, we noticed that several other attackers were attempting to guess the SSH login passwords. [...] We realized that one of the default logins to the terminal server (user: admin, password: admin) would likely be guessed by the attacker in a short period of time, and therefore decided to protect the device from further compromise [..]
Typical "win project, contract it to the cheapest programmers" stuff..
[ link to this | view in chronology ]
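The temp-file flaw quoted in the comment above, shown as a flawed upload handler beside a hardened one. This is an added example, not code from the paper, the DC system or Paperclip; the function names, file names and the choice of AES-256-GCM are assumptions made for illustration.

```ruby
require "openssl"
require "securerandom"
require "fileutils"
require "tmpdir"

# AES-256-GCM; output layout is iv (12 bytes) + tag (16 bytes) + ciphertext.
def encrypt_ballot(plaintext, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  iv + cipher.auth_tag + ciphertext
end

# Flawed pattern: the plaintext spool file is never removed after encryption.
def store_ballot_leaky(upload_bytes, key, spool_dir, store_dir)
  spool = File.join(spool_dir, "upload-#{SecureRandom.hex(8)}.pdf")
  File.binwrite(spool, upload_bytes)
  File.binwrite(File.join(store_dir, "ballot.enc"), encrypt_ballot(File.binread(spool), key))
  spool
end

# Hardened pattern: owner-only spool file, deleted in `ensure` even if encryption raises.
def store_ballot_clean(upload_bytes, key, spool_dir, store_dir)
  spool = File.join(spool_dir, "upload-#{SecureRandom.hex(8)}.pdf")
  File.open(spool, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.binmode; f.write(upload_bytes) }
  File.binwrite(File.join(store_dir, "ballot.enc"), encrypt_ballot(File.binread(spool), key))
  spool
ensure
  FileUtils.rm_f(spool) if spool
end

# Audit check: plaintext spool files still present in the temp directory.
def leftover_spools(spool_dir)
  Dir.glob(File.join(spool_dir, "upload-*")).sort
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::Random.random_bytes(32)
  Dir.mktmpdir do |spool|
    Dir.mktmpdir do |store|
      store_ballot_leaky("constructed sample ballot", key, spool, store)
      puts "leaky handler left: #{leftover_spools(spool).size} plaintext file(s)"
      FileUtils.rm_f(leftover_spools(spool))
      store_ballot_clean("constructed sample ballot", key, spool, store)
      puts "clean handler left: #{leftover_spools(spool).size} plaintext file(s)"
    end
  end
end
```

Deleting the spool file removes the directory entry only; encrypting in memory so the plaintext never reaches disk is stronger where the upload size allows it.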
Re: From the paper
They should have just Googled the hash; it would have been quicker than waiting 3.5 hours. Google, the world's largest rainbow table.
[ link to this | view in chronology ]
I've been saying this for years
Voting machine vendors have of course emulated Mohammed Saeed al-Sahaf, Iraqi Minister of Information in their denials of all this. They'll continue to do so, therefore the gullible, techno-illiterate buffoons at the local/state/federal level will continue to waste hundreds of millions of dollars on equipment that not only doesn't work, but isn't going to work.
The best available solution to this problem remains one of the simplest: pencil and paper. It's not glamorous, it's not high tech, it's tedious...but it's also (if properly administered) very well understood and thus extremely hard to game. Given the importance of election results, I think it's completely acceptable to undertake the onerous task of counting ballots by hand, and equally acceptable to tell the public that it may take a week.
[ link to this | view in chronology ]
Re: I've been saying this for years
Imagine a lone sysadmin with the power to alter the outcome of the elections?
One admin to rule them all...
[ link to this | view in chronology ]
Re:
Ah, but they are different. It's certainly true that there exists a class of problems which applies equally to both (for example: vote purchasing), but there are several large classes of problems unique to e-voting: architecture, hardware, software, network, for starters. Nobody has yet demonstrated the ability to build a system that's even plausibly secure and reliable, let alone one that has been shown to be so when confronted with clueful attackers.
Eight years ago, Bruce Schneier posted this chilling analysis: Stealing an Election. Here's the money quote: "So when designing the security behind the software, one must assume an attacker with a $100M budget."
That was in 2004. What's the number today? And what tiny fraction of that did the researchers involved here need to not just compromise, but utterly destroy the security of the DC setup?
A hundred million dollars may sound like a lot...but if you look at what's ALREADY been spent in 2012 on just the US Presidential campaign, let alone all the Congressional and other races, you'll see that it's a bargain. There are people out there ready, able and willing to cut that check if it will buy them the results they want.
[ link to this | view in chronology ]
Re: Re:
Obama spent $1B as in billion on his election so my guess is the $10M figure is just the down payment.
[ link to this | view in chronology ]
Re: Re:
I shall make myself useful and round up all useless members of society.
Starting with the RIAA and MPAA.
[ link to this | view in chronology ]
What would Stalin say?
Those who cast the vote decide nothing, those who count the votes decide everything.
I imagine today he might say something like this:
Those who cast the vote decide nothing, those who count the votes decide nothing, those who hack the votes rule the world.
[ link to this | view in chronology ]
Re: What would Stalin say?
I consider it completely unimportant who in the party will vote, or how; but what is extraordinarily important is this—who will count the votes, and how.
[ link to this | view in chronology ]
Open Source the Design and Test Test Test
I am suggesting that such a system be designed from the ground up, including all hardware, and all software being not only open, but available for inspection by anyone and patent free. Triple redundancy, special hardware firewalls, local DVD backups and all the ideas I have not thought of.
Then, put the system on the net and let everyone have at it for say a couple of years. White hat, black hat, gray hat, red hat, and purple hats with feathers. At some point the number of vulnerabilities will approach 0. Then let the statisticians do some calculating to determine the risk of this electronic system vs the paper and pencil (or any other system).
I may be accused of being overly optimistic, but I do think we can do better.
[ link to this | view in chronology ]
Re: Open Source the Design and Test Test Test
In short--the cryptographer's dilemma: It is assured that YOU can design an encryption which you cannot break; but that in no way means it's any good.
The only way to know if it's good is to open-source it--feedback from one's peers lays bare all the flaws in your design.
Without that feedback and perspective, you never quite know if you're submitting a shiny polished turd or a shiny flawless diamond.
[ link to this | view in chronology ]
Re: Re: Open Source the Design and Test Test Test
1. Due to the loss of information that occurs when you separate the voters' names from their ballots, there can never be a perfectly auditable or verifiable election.
2. You also have to protect the election from the people who are running it. There is very little defense against a corrupt admin. Measures that would purport to do so likely make the system unusable. The same is true for paper ballots.
[ link to this | view in chronology ]
Re: Open Source the Design and Test Test Test
Open source is, by and large, more secure by an order or two of magnitude than closed source as has been demonstrated over and over again.
E-voting can certainly do better but I'm firmly of the opinion that pencil and paper is far better.
[ link to this | view in chronology ]
Re: Open Source the Design and Test Test Test
And it won't matter what the code says it's doing, if the underlying hardware is ignoring it.
[ link to this | view in chronology ]
Re: Re: Open Source the Design and Test Test Test
The only part that would not be able to change is that part that goes over the Internet, though I think there are opportunities there with encryption and possibly multiple routings. I think that that part might be the greatest vulnerability, hence the suggestion for local DVD backup, which would be best done in real time. Then one could compare the write once read many DVDs to the reported results to see if there are issues.
[ link to this | view in chronology ]
Re: Re: Re: Open Source the Design and Test Test Test
2. Think about its applicability here.
3. Consider that you do not have a wafer fab plant in your basement, so you can't create the hardware, even if you know how and even if you really, really want to.
4. Consider how hard it is to find even an accidental bug in hardware, even when you're working with open-source software. How much harder would a deliberate one be to uncover?
5. How do you know that this hasn't already happened?
[ link to this | view in chronology ]
Re: Re: Re: Re: Open Source the Design and Test Test Test
My thought process was to create a system that has a single purpose (record votes accurately) from the ground up (hardware and software and then seal the system from outside changes), which after reading this would include the compiler, and not in a vacuum.
They would need to keep the system to the simplest possible architecture to improve the ability to find issues. This would increase the possibility of having fewer bugs, intentional or not. The long testing process would give opportunity to find any unintended issues.
Once again, I do not believe that a totally error free system would come out at the end, but one statistically able to beat the paper and pencil system we have used historically, and most certainly better than the closed electronic voting systems hyped by the likes of Diebold.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Open Source the Design and Test Test Test
But...trying to best paper-and-pencil systems is much harder. These systems are difficult to game in part because of their inherent simplicity, but also because they've been around for a very long time, and thus have been subjected to all manner of attacks. Those attacks have been catalogued, studied, analyzed, and as a result there now exist robust procedures to defend against them. Could we develop those as part of the process of developing substantially stronger e-voting systems? Yes. But we haven't yet, and if history is any guide, that development will take much longer than the development involved in the technology itself.
(As an analogy: we have all kinds of technology designed to facilitate pretty secure online banking. Yet people get phished all day, every day. Why? Because the procedures associated with the technology absolutely suck. And banks themselves are a large part of that problem.)
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: Open Source the Design and Test Test Test
That idea, however, does not remove the issue of the (profit or control) oriented person or group. If cost is less of an issue, along with the peer reviewing, the typical three-legged stool of development becomes more balanced (cost, features, deadline). The feature set would be fixed from the beginning. The time element would be iterate until the statistics beat paper and pencil. The cost would be whatever it takes.
It takes the correct motivation, along with the other factors we have both mentioned. Spending a significant amount of time on defining the feature set, architecture, and design will go a long way towards making it better.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Open Source the Design and Test Test Test
Of course that would mean digging up the few geeks left that could write it in Assembly. :-)
[ link to this | view in chronology ]
Re: Open Source the Design and Test Test Test
That's what gets me. I think open source is essential for a system like this, but it's clearly not sufficient. This trial was, in a sense, part of the open source process (and it turned out to be vital), but I'm wondering how such a leaky design made it this far.
[ link to this | view in chronology ]
I'll even help you round up the humans!
[ link to this | view in chronology ]
benderama
'Bender often shows signs of sociopath-like behavior, as he is a pathological liar, and rarely shows empathy towards anyone. He has a mostly voluntary morality and constantly steals'
OMG, he is programmed for politics!
[ link to this | view in chronology ]
Re: Re: benderama
"Ah yes, John Quincy Adding Machine. He struck a real chord with the voters when he promised not to murder everyone."
"Yes, but like most politicians, he vowed more than he could deliver."
[ link to this | view in chronology ]
playing fair-- until they lose
'The attack was apparently brought to officials’ attention by an email on a mailing list they monitored that curiously asked, “does anyone know what tune they play for successful voters?” Shortly after another mailing list participant recognized the music as “The Victors,” officials abruptly suspended the public examination period, halting the tests five days sooner than scheduled, citing “usability issues.”'
I would have had a hell of a lot more respect for them if they had cited "massive breach". They were happy to hold a trial they were sure of winning, and as soon as they were beaten they went right into whitewash mode.
[ link to this | view in chronology ]
http://siis.cse.psu.edu/everest.html
http://www.blackboxvoting.org/
http://people.csail.mit.edu/rivest/voting/
http://rangevoting.org/
[ link to this | view in chronology ]