Displaced NJ Voters Told To Email Ballot Requests To A Hotmail Account

from the you've-absolutely-got-to-be-kidding-me dept

The election day news is coming in rather fast today, but we're already seeing reports of voting issues. There's some viral videos floating around showing voting machines acting up. This, of course, can be added to the long history of voting machine nonsense we've written about in the past. But adding to the the confusion is that a great section of the East Coast is still recovering from Hurricane Sandy.

You may have seen the news over the past few days that displaced New Jersey voters are being allowed to (sorta) vote via email. Or, rather, they would be allowed to vote via email if the state's election officials could manage to act like they know what they're doing. Instead, reports indicate massive amounts of people have been unable to request ballots at the email addresses originally provided. This is causing frustration and confusion across the state, but the real absurdity shows up in Essex County.
Aware of the problems with the official e-mail system, Essex County Clerk Christopher Durkin suggested an alternative option: "Displaced voters can email a request for a ballot at cj_durkin@hotmail.com," according to a post on the Facebook page of the town of West Orange, NJ. Interestingly, security researcher Ashkan Soltani notes that Durkin's Hotmail address has his mother's maiden name as a "password recovery" question. This means that anyone who can figure out Durkin's mother's maiden name could seize control of his Hotmail account and intercept voters' official ballot requests.
I'll be clear in saying that I understand that the situation in New Jersey is a difficult one and I'm sure election officials there are simply trying to do their best under the circumstances. Unfortunately, Durkin's best appears to suck. You simply cannot put something of such importance (voting) in the hands of someone who cannot either provide a working and secure email address for ballot access or, at the very least, take the most trivial security steps on another email address. We all want every citizen to be able to have their voice heard, but not at the cost of massive security risks.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: e-voting, email, new jersey, security


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. icon
    Trails (profile), 6 Nov 2012 @ 12:45pm

    Missing the point?

    It's email. SMTP is sent in the clear, routed through a shit ton of servers, interceptable, unauditable, forgeable, and no access control.

    Saying he has a bad password recovery question is like complaining about a shitty lock on a house made of tissue paper.

    link to this | view in thread ]

  2. icon
    ricebowl (profile), 6 Nov 2012 @ 12:58pm

    A fairly major assumption is being made...

    While the password recovery question may, indeed, be 'mothers' maiden name,' there's no reason to believe the answer to the question is, in fact, his mother's maiden-name. I know I have, essentially, nonsense (or at least non-sequitur) answers to email password-recovery questions.

    Still, I can't imagine any part of Hotmail (or any other webmail service) is inherently secure against interested parties.

    link to this | view in thread ]

  3. icon
    Tyson (profile), 6 Nov 2012 @ 1:05pm

    Re: Missing the point?

    Yeah, who would bother just logging in to someone's account when you can just intercept all emails going to Hotmail.com?

    link to this | view in thread ]

  4. icon
    Trails (profile), 6 Nov 2012 @ 1:23pm

    Re: Re: Missing the point?

    SMTP is not a secure communication mechanism (unless over VPN/SSL or contents themselves are encrypted by PGP or similar). There is no security in that type of exchange. "But it's all geek computer to computer stuff, so much easier to circumvent hotmail password recovery" might be true, but it's not like it's secure.

    link to this | view in thread ]

  5. identicon
    New Mexico Mark, 6 Nov 2012 @ 1:39pm

    Re: A fairly major assumption is being made...

    You're right. In his case, the answer to "what is your mother's maiden name" is probably: "12345678" Fortunately, he has no problem remembering that since it matches his e-mail, workstation, and voting system management passwords.

    MUCH better. ;)

    link to this | view in thread ]

  6. icon
    ltlw0lf (profile), 6 Nov 2012 @ 1:40pm

    Re: Re: Missing the point?

    Yeah, who would bother just logging in to someone's account when you can just intercept all emails going to Hotmail.com?

    Or intercept all email coming from ISPs in New Jersey, as that would seem easier (less drinking from the firehose.)

    link to this | view in thread ]

  7. icon
    The eejit (profile), 6 Nov 2012 @ 1:44pm

    Re: A fairly major assumption is being made...

    The fact that it's to a Hotmail account should be the part that worries you. It's akin to bolting a stable door when there are no walls on the stable.

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 6 Nov 2012 @ 2:36pm

    Re: Re: A fairly major assumption is being made...

    hey.. there are some kind of walls, or at least they pretend to be.

    as someone wrote above the walls are made of tissue paper. At the first rain or if someone starts pissing on them, they tend to develop holes and in a short while they allow the liquid to pass through.

    / :p

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 6 Nov 2012 @ 5:10pm

    Hotmail? Fucking A!! Looks like I will be directing the entire state of New Jerseys votes to Ron Paul.

    link to this | view in thread ]

  10. icon
    mematematica (profile), 7 Nov 2012 @ 4:19am

    Context matters but...

    "We all want every citizen to be able to have their voice heard, but not at the cost of massive security risks."

    Something inside me cried in agony the moment I read this sentence on a techdirt post.

    link to this | view in thread ]

  11. identicon
    Pak Circles, 18 Feb 2013 @ 8:35pm

    The idea of emailing ballot requests to a hotmail account sounds really strange. What would happen if someone hacks the account?

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.