Displaced NJ Voters Told To Email Ballot Requests To A Hotmail Account

from the you've-absolutely-got-to-be-kidding-me dept

Tue, Nov 6th 2012 12:28pm — Timothy Geigner

The election day news is coming in rather fast today, but we're already seeing reports of voting issues. There's some viral videos floating around showing voting machines acting up. This, of course, can be added to the long history of voting machine nonsense we've written about in the past. But adding to the the confusion is that a great section of the East Coast is still recovering from Hurricane Sandy.

You may have seen the news over the past few days that displaced New Jersey voters are being allowed to (sorta) vote via email. Or, rather, they would be allowed to vote via email if the state's election officials could manage to act like they know what they're doing. Instead, reports indicate massive amounts of people have been unable to request ballots at the email addresses originally provided. This is causing frustration and confusion across the state, but the real absurdity shows up in Essex County.

Aware of the problems with the official e-mail system, Essex County Clerk Christopher Durkin suggested an alternative option: "Displaced voters can email a request for a ballot at cj_durkin@hotmail.com," according to a post on the Facebook page of the town of West Orange, NJ. Interestingly, security researcher Ashkan Soltani notes that Durkin's Hotmail address has his mother's maiden name as a "password recovery" question. This means that anyone who can figure out Durkin's mother's maiden name could seize control of his Hotmail account and intercept voters' official ballot requests.

I'll be clear in saying that I understand that the situation in New Jersey is a difficult one and I'm sure election officials there are simply trying to do their best under the circumstances. Unfortunately, Durkin's best appears to suck. You simply cannot put something of such importance (voting) in the hands of someone who cannot either provide a working and secure email address for ballot access or, at the very least, take the most trivial security steps on another email address. We all want every citizen to be able to have their voice heard, but not at the cost of massive security risks.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: e-voting, email, new jersey, security

11 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Trails (profile), 6 Nov 2012 @ 12:45pm

Missing the point?
It's email. SMTP is sent in the clear, routed through a shit ton of servers, interceptable, unauditable, forgeable, and no access control.

Saying he has a bad password recovery question is like complaining about a shitty lock on a house made of tissue paper.
[ link to this | view in chronology ]
- Tyson (profile), 6 Nov 2012 @ 1:05pm
  
  Re: Missing the point?
  Yeah, who would bother just logging in to someone's account when you can just intercept all emails going to Hotmail.com?
  [ link to this | view in chronology ]
  - Trails (profile), 6 Nov 2012 @ 1:23pm
    
    Re: Re: Missing the point?
    SMTP is not a secure communication mechanism (unless over VPN/SSL or contents themselves are encrypted by PGP or similar). There is no security in that type of exchange. "But it's all geek computer to computer stuff, so much easier to circumvent hotmail password recovery" might be true, but it's not like it's secure.
    [ link to this | view in chronology ]
  - ltlw0lf (profile), 6 Nov 2012 @ 1:40pm
    
    Re: Re: Missing the point?
    Yeah, who would bother just logging in to someone's account when you can just intercept all emails going to Hotmail.com?
    
    Or intercept all email coming from ISPs in New Jersey, as that would seem easier (less drinking from the firehose.)
    [ link to this | view in chronology ]
ricebowl (profile), 6 Nov 2012 @ 12:58pm

A fairly major assumption is being made...
While the password recovery question may, indeed, be 'mothers' maiden name,' there's no reason to believe the answer to the question is, in fact, his mother's maiden-name. I know I have, essentially, nonsense (or at least non-sequitur) answers to email password-recovery questions.

Still, I can't imagine any part of Hotmail (or any other webmail service) is inherently secure against interested parties.
[ link to this | view in chronology ]
- New Mexico Mark, 6 Nov 2012 @ 1:39pm
  
  Re: A fairly major assumption is being made...
  You're right. In his case, the answer to "what is your mother's maiden name" is probably: "12345678" Fortunately, he has no problem remembering that since it matches his e-mail, workstation, and voting system management passwords.
  
  MUCH better. ;)
  [ link to this | view in chronology ]
- The eejit (profile), 6 Nov 2012 @ 1:44pm
  
  Re: A fairly major assumption is being made...
  The fact that it's to a Hotmail account should be the part that worries you. It's akin to bolting a stable door when there are no walls on the stable.
  [ link to this | view in chronology ]
  - Anonymous Coward, 6 Nov 2012 @ 2:36pm
    
    Re: Re: A fairly major assumption is being made...
    hey.. there are some kind of walls, or at least they pretend to be.
    
    as someone wrote above the walls are made of tissue paper. At the first rain or if someone starts pissing on them, they tend to develop holes and in a short while they allow the liquid to pass through.
    
    / :p
    [ link to this | view in chronology ]
Anonymous Coward, 6 Nov 2012 @ 5:10pm

Hotmail? Fucking A!! Looks like I will be directing the entire state of New Jerseys votes to Ron Paul.
[ link to this | view in chronology ]
mematematica (profile), 7 Nov 2012 @ 4:19am

Context matters but...
"We all want every citizen to be able to have their voice heard, but not at the cost of massive security risks."

Something inside me cried in agony the moment I read this sentence on a techdirt post.
[ link to this | view in chronology ]
Pak Circles, 18 Feb 2013 @ 8:35pm

The idea of emailing ballot requests to a hotmail account sounds really strange. What would happen if someone hacks the account?
[ link to this | view in chronology ]