Government Security Politics

DC Suspends Tests of Online Voting System 170

Posted by timothy
from the vote-erlich-and-often dept.
Fortran IV writes "Back in June, Washington, DC signed up with the Open Source Digital Foundation to set up an internet voting system for DC residents overseas. The plan was to have the system operational by the November general election. Last week the DC Board of Elections and Ethics opened the system for testing and attracted the attention of students at the University of Michigan, with comical results. The DC Board has postponed implementation of the system for 'more robust testing.'" Update: 10/06 02:42 GMT by T : University of Michigan computer scientist J. Alex Halderman provides an explanation of exactly how the folks at Michigan exploited the DC system.
  • has there been robust testing yet or not?
    • by blair1q (305137)

      He means "rigorous".

      You mean "robustness".

      0 marks all around.

      [Hail to the Redskins...
      Hail vic-to-ryyyyy...]

      • Hail to the Redskins...
        Hail vic-to-ryyyyy...

        Just hearing that makes me want to headbutt a wall!

        Go Skins!

  • open public review (Score:1, Insightful)

    by Anonymous Coward

    Every critical government system like this should be required to pass through a period of open public review before even being considered for use.

    They could actually use prizes to be paid by the government contractor who submitted the bid. If they do a shoddy job on security, they'll not only lose the bid, but they'll also lose additional money (a refundable deposit) to whoever finds their security flaws.

    • Re: (Score:3, Informative)

      by blair1q (305137)

      It's open software, so you can look at it any time you like.

      Of course, so can the h4xx0rs.

      And they don't have to pwn it until election day. By which time you no longer have open access to the code in the box. You can try to hack it, but you probably won't be able to tell what other hacks have been applied by looking at the binary.

      The fact is, if the voting system is built on an operating system that allows a superuser access to all things, then it's ultimately vulnerable to all types of hack, as long as t

      • Limited open source for electronic voting may be a good answer. The code shouldn't be proprietary, but I've no problem with private corps coming up with it. The code should be able to be essentially peer-reviewed by the public in some manner, but probably not created that way.
  • Voting machines should definitely be electronic.

    Online voting seems to be so problem-prone as to be useless. Something as simple as a smurf attack could potentially block every voter from casting their ballot in time.

    • Re: (Score:3, Insightful)

      by hedwards (940851)
      I have to agree, online voting has some very serious problems with it. Even if you solve the technological ones, you'd still have to figure out how to prove that the person that's actually voting is the intended voter and that there isn't anybody there that's suggesting how they should vote.
      • Re: (Score:3, Insightful)

        by hedwards (940851)
        Erm, on further thought, that would just make it like vote by mail.
    • Re: (Score:3, Insightful)

      by jd (1658)

      Not necessarily. It should be possible to devise an online voting system that worked securely and reliably. To defeat DoS/DDoS attacks, you would probably want to have virtual circuits (eg: MPLS) or bandwidth allocation (eg: RSVP) such that an attack cannot encroach on the voter's bandwidth. Alternatively, an ISP could run Snort or another NIDS system in such a manner as to detect a DDoS attack and block the source addresses. So long as it was done far enough upstream that there was still available bandwidth

      • Re: (Score:3, Interesting)

        by Cylix (55374) *

        Nope,

        There are several network appliances that can assist and eliminate most of the overhead of a denial of service attack. This of course would not compensate for upstream saturation, but you have within your power to eliminate a good deal of it long enough to work with upstream providers.

        This is why lots of new denial of service attacks focus on exploiting content which has a high application cost. ie, find a page which has too much dynamic content or generates slowly due to dependent services being at th

        • by jd (1658)

          If an ISP is using per-flow UDP-aware QoS, no flow can exceed the bandwidth allocated. True, this wouldn't stop an attack based on draining CPU cycles, but it would stop any attack based on network flooding.

          If voting software on the host computer specifically filed the RSVP request (so the user has to do nothing and the user is aware of nothing - which is, sadly, likely the case anyway), then host-based resource allocation would not be an issue. Alternatively, let us say that the voting software mandates a

    • by dkleinsc (563838) on Tuesday October 05, 2010 @09:53PM (#33803458) Homepage

      Voting machines should definitely be electronic.

      Why? What exactly do electronic voting machines give you that, say, an optical scan paper ballot doesn't? Electronic voting has more often than not been a solution in search of a problem.

      • Less waste. Even if you were to print out receipts and keep a running log, it would still be much less wasted paper (and all the resources necessary to produce it) using electronic voting machines.

        Immediate results. Even assuming the necessity of an audit, the paper log can be scanned many times faster than hand-fed ballots.

        Accurate results. This is strangely a problem for electronic machines, but theoretically they should be able to give you an exact count without error. No lost ballots. No forgotten ballo

    • Why do people think that paper ballots are automatically better than any form of electronic voting? "Because that's the way we've done it for years and years" And how has that worked out for ya? I'm sure you've never heard of stuffing the ballot box or of mishandling of the ballot boxes, losing ballots, misreading of the ballots. Paper ballots have just as many problems as you can cite "e-voting" supposedly has. You can't judge "e-voting" by these buffoons using PDFs as a secure ballot. Must have be
  • by dgatwood (11270) on Tuesday October 05, 2010 @06:38PM (#33801714) Journal

    One of the articles mentioned that some browsers submitted blank forms because they don't support inline PDF forms. Who, exactly, thought that using PDF was a good idea? The whole point of the web is that it provides layout standards. Why even bother using a web browser if you're just going to try to hack around it by using a completely different content format, PDF, shoved in using browser plug-ins. It might has well have been Flash. Use the web or do not. There is no halfway.

    And of course, their servers were obviously insecure, as evidenced by someone managing to alter content on the servers.

    What does all this tell us? Well, it tells us that:

    • For anything approaching secure content delivery, the actual content (the HTML pages, the javascript files, etc.) must be signed prior to installation on the servers, not signed by the servers that provide it.
    • Web-based clients lack the infrastructure to verify signatures on the content itself except for the signatures provided by the servers.
    • Web-based clients are therefore inherently insecure.

    Not that this shouldn't have been anything less than obvious to anyone with even a basic understanding of computer security.... Real secure networks built on top of HTTP use client applications that verify signatures on the content that the servers provide, ensuring that it is legitimate before acting on it. This also, of course, requires that people obtain the client software in a secure fashion, which is a problem in and of itself, in much the same way that obtaining the client on-the-fly from a web server is a problem, and for precisely the same reason.

    • by dgatwood (11270)

      Err.. it might as well have been Flash. Stupid typos.

    • Re: (Score:3, Informative)

      by Jah-Wren Ryel (80510)

      And of course, their servers were obviously insecure, as evidenced by someone managing to alter content on the servers.

      Bad sign that what with the fact that one of the OSDV directors, also its nominal CTO [osdv.org] sells himself as a security consultant. [sebes.com]

    • by guanxi (216397) on Tuesday October 05, 2010 @09:19PM (#33803210)

      Web-based clients are therefore inherently insecure.

      Web-based clients are insecure simply because you don't have physical control over them. You don't control the network, the routers, or the client machine. Give me (or some malware author) the client machine, and who cares what you signed on the server or how?

      Imagine this: You're a security consultant. A client says: Secure this system, it can change the course of U.S. history (so it has a little value). And by the way, the system extends to 150 million clients running every kind of hardware, software, and configuration imaginable, maybe 25% of which are infected with malware, and to which we have no access and over which we have no control. Oh yeah, and any computer on earth could be a vector of attack and everything from foreign intelligence agencies to corrupt politicians to radical political groups to greedy businesses might have a motive.

      Why are we even discussing this as a possibility?

      • by Lehk228 (705449)
        that's an easy problem, beat the tar out of him with a large trout, then go home.
      • by dgatwood (11270)

        The difference is that if somebody hijacks the client's machine, that person's ballot might be forged. If somebody hijacks the servers, everyone's ballots might be forged. Also, a properly written (non-web) client can take a lot of steps to secure itself from malware corrupting the results, starting with not allowing keyboard input, using positional randomization to thwart any preprogrammed click event modification, and having dozens of internal consistency checks throughout the code to detect tampering,

        • by guanxi (216397)

          The difference is that if somebody hijacks the client's machine, that person's ballot might be forged. If somebody hijacks the servers, everyone's ballots might be forged.

          It's not hard to imagine an automated attack on a very large number of client machines. And in addition to forging, we risk the confidentiality of the ballots.

          I agree security could be improved, but it's a valuable target on a ridiculous distributed system; it seems like a long shot that security will ever be sufficient. A large scale atta

          • by dgatwood (11270)

            Yes, but a targeted attack on computers requires hiring shady programmers for probably a few hundred grand. A targeted attack on mail-in ballots could be done by going to each city and hiring either one unscrupulous illegal immigrant with a car or a handful of not-so-bright kids with bicycles for a few bucks a day.

            And with many counties in California having vote-by-mail rates as high as 50%, it's much easier to skew their results far enough to affect the election results without people noticing than it is

      • Web-based clients are insecure simply because you don't have physical control over them. You don't control the network, the routers, or the client machine. Give me (or some malware author) the client machine, and who cares what you signed on the server or how?

        These are military personnel voting (absentee) from overseas. I can guarantee you that I can control the originating network, the terminating network and the client machine.

        And by the way, the system extends to 150 million clients running every kind

  • Conspiracy? (Score:2, Insightful)

    by supernatendo (1523947)
    I find it scary that at the same time as trying to make it unlawful to use encryption that the government doesn't have a "backdoor" into, they are also trying to push "secure" internet voting. Goodbye democracy, we hardly knew you...
    • It's already gone. Google "Stephen Spoonamore". The electronic voting machines have been compromised from the start. Paper ballots are the only way to go. They are not foolproof by any means, but they are far more reliable than electronic voting machines or online voting. Seriously, who thought online voting wouldn't be hacked?
      • This "example" of online voting has got to be one of the dumbest ever conceived. Don't let this be the rule by which you judge online voting. You don't need to spread your ignorance. There's already enough out there!
  • GNU Free (Score:5, Informative)

    by Albanach (527650) on Tuesday October 05, 2010 @07:20PM (#33802114) Homepage

    Many years ago there was a GNU project to create an online secure voting software. It's a great idea.

    In 2002, they finally stopped development. They explain why here: http://www.gnu.org/software/free/ [gnu.org]

    Quoting from that page:

    "As Bruce Schneier points out "a secure Internet voting system is theoretically possible, but it would be the first secure networked application ever created in the history of computers."

    and...

    "Mr. Schneier points out, 'building a secure Internet-based voting system is a very hard problem, harder than all the other computer security problems we've attempted and failed at. I believe that the risks to democracy are too great to attempt it.'"

    I think anyone wanting to build a secure online voting system should give those quotes some really serious thought before starting. Then before they write any code, they should be able to explain why they believe they are right and one of the field's most respected experts is wrong.

    • by chrb (1083577)

      Bruce is a perfectionist, but the real world isn't perfect. The existing voting system is not perfect (it has >0% error), and so any system that replaces it does not need to be perfect either - it merely has to be better. In the UK, voting cards (really a "right to vote" card) are mailed out through the postal service, and you must hand one over before being allowed into the voting booth. This has many theoretical problems. You could buy and sell the card. You could manufacture a fake card (there are no

      • by fgouget (925644)

        Essentially, the system relies on most people being honest, but it still seems to work reasonably well.

        More importantly the system relies on an attacker having to bribe a lot of people to have a meaningful impact on the election result, thus making it pretty hard to not get caught. Electronic voting does not have this type of security: bribe the right guy and you change the election result. That's why it's dangerous.

        ensures anonymity by giving each voter a randomised token [...] numbers and votes are published after the vote

        This also makes vote selling possible and thus is no better than having the votes be fully public (it's just more insidious).

    • Rob Rivest presented on this topic - his position was clear: "The risks of "internet voting" more than negate any possible benefits from an increase in franchise." Reference: http://csrc.nist.gov/groups/ST/UOCAVA/2010/Presentations/RIVEST_2010-08-05-uocava.pdf/ [nist.gov]
  • Welp (Score:3, Insightful)

    by Frogbert (589961) <frogbert@@@gmail...com> on Tuesday October 05, 2010 @07:21PM (#33802132)

    I suppose it's a good thing they tested the system.

    Isn't this the type of thing testing is supposed to identify?

  • Sad yankee system (Score:4, Insightful)

    by iris-n (1276146) on Tuesday October 05, 2010 @07:28PM (#33802208)

    Has anybody the comments section in the Washington Post website? It is disgusting to see how much hatred and ignorance is going on there. I hope they're not a representative sample of the USian population.

    Meanwhile, in Brasil, we just had a presidential and local election. About 100 million people voting, in an all-electronic process. There were no reports of fraud whatsoever, and the election results were available just 2 hours after the polling stations closed.

    Can't the US do better? Your voting system is just laughable.

    • Re: (Score:3, Insightful)

      by Tanman (90298)

      We are doing better.

      If you take the viewpoint of The Man.

    • by YrWrstNtmr (564987) on Tuesday October 05, 2010 @09:27PM (#33803256)
      There were no reports of fraud whatsoever

      Indeed.
      • by iris-n (1276146)

        Mind you, it is very hard to rig an election without raising any suspicion whatsoever. Actually, plenty of times there's suspicion even when no one is trying to rig the election.

        If you grant that the Brazilians aren't dumber than USians, no report of fraud indicates less fraud than actual reports of fraud. Which you have.

        • by iris-n (1276146)

          Actually, I do know of an example in the 60's where the military tried to rig a regional election. They failed miserably.

          • by tibman (623933)

            I know of an example where Veterans had to save an election by force of arms.

            The Battle of Athens: http://www.constitution.org/mil/tn/batathen.htm [constitution.org]

          • by eulernet (1132389)

            Actually, I do know of an example in the 60's where the military tried to rig a regional election. They failed miserably.

            It depends on the type of fraud.
            I think their main problem was that they did not hide their fraud, or it was too obvious.

            When a hacker enters a system, it tries to keep the smallest foot-print, and it's the same thing when you try to hack a voting system.
            If you change all the votes to one of the candidates, it will be obvious that there is a fraud.

            In France, even though we use paper ballots, there is still a common way to change the votes!
            During the counting, the papers are taken by people.
            The guy in charg

            • by iris-n (1276146)

              It was plain old fraud, not a bloody military coup. Of course they tried to hide it. But the candidate that had actually won in the popular vote noticed that there was something wrong, and dug up the truth.

              I'm sorry, I can't seem to find a link in English. http://www.pdt.org.br/diversos/prconsut.html [pdt.org.br]

        • by Raenex (947668)

          Maybe it just means that the system has become so opaque that observers wouldn't be able to spot fraud. These researchers demonstrated they could hack the system without detection. How do you know the Brazilian system was secure?

    • Keep in mind that this was a test of a voting system, it never actually made it into official use.

      • by iris-n (1276146)

        I'm aware of that, I RTFS. A good test, btw, I find it surprising that the government would want to make it.

        I'm talking about the existing voting system of the US; it is inconsistent, archaic, slow, and every now and then there's a report of fraud.

        • Anytime there's a close election there's a report of fraud. It's kind of like companies suing other companies - if they can't win in the market place the other guy must be cheating. Don't confuse reports of fraud with actual fraud. I'm not saying there isn't fraud, statistically I think it must exist to an extent in any election. I'm just saying that it's likely not at all as bad as it sounds from the media reports.

          Likewise, one should not assume that because there are no reports of fraud that there is

    • by wiredog (43288)

      Have you ever browsed slashdot without filtering the comments? Just as bad here.

    • About 100 million people voting, in an all-electronic process.

      Was it all Internet; or all electronic, but within designated and staffed polling stations? There's a huge difference. This article is talking about the former, not the latter.

      There were no reports of fraud whatsoever...

      If it was Internet voting, lack of reports is not equal to lack of fraud.

      Your voting system is just laughable.

      Yes it is, but not for the reasons you're giving. The US voting system is laughable, by way of example, for our primaries in which we vote for parties instead of people.

      I love the idea of not having to go to a polling place to cast a vote, but I despise the to

    • "There were no reports of fraud whatsoever" != "no fraud."

    • by geschild (43455)

      It's always nice to hear from citizens of budding democracies. Brasil has had a democratic government since 1985. A full 25 years. Take it from a citizen from an 'old' democracy, now over 160 years old: democracy needs defending. Always. Even if an electronic process works now, if people start to trust it someone can still take advantage of the flaws at a later moment. Let's do a small mental exercise:

      - 2010, electronic elections are a complete success. No fraud whatsoever.
      - 2014, people welcome a new democr

      • by iris-n (1276146)

        There seems to be a widespread belief amongst yankees that paper ballots are somehow more secure than electronic voting. May I remind you of the fiasco of your presidential election in 2000? Al Gore won by popular vote, and probably in the electoral college as well, but your courts forbade the recounting. Now tell me what use are the paper ballots if you can't use the paper trail to actually audit an election?

        And need I remind you that all problems began exactly because the system was so slow and unreliable

    • by alexo (9335)

      Has anybody the comments section in the Washington Post website?

      I accidentally the comments section in the Washington Post website. Sorry.

  • online voting just makes it so the boss can force you to vote his way or you can lose your job.

    • Sorry I'm not following here. If the man can't see your votes while you are behind the curtain how is he going to know when you send your vote in from home?
      • If you *have* to make your vote behind a private curtain, the man can't see it. If you can make your vote from any internet connection, then the man can use his power to insist that you vote while he watches.

        Yes, this applies to absentee balloting as well. That's why absentee balloting *used* to be controlled with the voter needing to demonstrate a need for it before being allowed an absentee ballot, and why it disturbs me that it is now generally allowed without any controls at all.

        • by damonlab (931917)

          I tried to get an absentee ballot in Michigan so I could avoid going to the polls. I read the fine print and the restrictions made it so that I would have to perjure myself to do so. I opted not to get an absentee because of that.

  • They need to pay more attention to that crack problem and spend less money on frivolity like evoting systems. Evoting is a great idea but voter turnout has been less than stellar since I can remember so what are we really hoping to accomplish here?
  • I see the OSDV Foundation's slogan is "Re-inventing How America Votes".

  • Really? We're going to blow over a quarter of a million dollars in tax money on a project damn near every IT pro in the US can say "This is a bad idea". Where we've already seen horrendous results from states and local municipalities trying to implement digital voting. Really? There was nothing better to spend $300,000 on? No other small business grants that could have been funded? No research grants? Nothing?

    I mean, it's not a huge amount of money, when compared to the scope of the budget. But it is could

  • by Anonymous Coward on Tuesday October 05, 2010 @10:06PM (#33803554)

    I can check my bank accounts online.
    I can pay my bills online.
    I can order almost anything imaginable online.
    I can participate in auctions online.
    I can date online.
    I can gamble online.
    I can see my credit reports online.
    I can file my taxes online.

    Why is voting so different?

    • by mhotchin (791085) <{ten.nihctoh} {ta} {todhsals}> on Tuesday October 05, 2010 @11:11PM (#33804174)
      Because these other endeavours do not require anonymity.

      Voter coercion is a real problem.
    • by martyros (588782)
      Because controlling your bank accounts doesn't give someone the power to decide where billions of pork-barrel dollars are spent, much less control of the most powerful military on earth.
    • Why is voting so different?

      Because it's physically impossible for the union boss / supervisor / Godfather / policeman to stand in the voting booth with you while you vote against their interests. It's very easy for those same people to set up a voting computer in their office so they and their assistants can "help" you vote exactly like they want you to.

    • All of what you've listed involves your real identity, whereas votes need to be anonymous. The financial matters are reversible, in that if fraud is found it can be put right, and the others have no great lasting effects. Vote fraud can have major effects, and is difficult at best to reverse.

      Anonymity is important in voting. It also means that elections cannot be fully auditable. It's not possible to go to a random sample of voters and confirm that the system correctly recorded their votes. Any audi

  • The "web site was hacked".

    Who in their right mind uses a web served application for something such as this?

    This calls for a secured, encrypted application, with a protocol that maintains its own data security.

    It can be done. I built one for the government in 2001:

    • No remote login
    • No ports open except for the three being used for the protocol:
      • Incoming request for software
      • Outgoing Datalink
      • Incoming Datalink
    • Special protocol used for the communication
    • End to end encryption (with AES-CBC signing on all pac
  • So it's all held together with Ruby scripts and duct tape. If you're going to open something like this up to the world you need to digitally sign everything and continuously validate against an isolated server that can shut everything down when it detects a compromise.

  • A random anecdote having nothing to do with e-voting, but probably a lot to do with the quality of voting IT systems: Last year, I asked for an absentee ballot, and never received it. This year, I asked for an absentee ballot, and received three, sent at different times, over the course of several days.

    Electronic voting may be a disaster, but there are some other really fundamental flaws in the system:

    • If someone dies, or for that matter if they move, there is no system in place to ensure that their vot
  • Making the hack obvious before the "results" were in was exactly the wrong thing to do.

    The right thing to do would have been to subvert the results, then mail the chosen numbers and other evidence that you'd owned the system to various news outlets just prior to the tally being announced. Let them embarrass themselves by claiming that the system worked and was secure.

    Remember, the worst vulnerability is the one you never discover, or admit to.

  • That kid can do anything, except tie his shoes.
  • Internet voting system would be great, great thing! I could finally observe, with 100% proof, that my wife votes correctly.

  • This should be a competition at the two yearly Blackhat conventions, which I suspect will prove it impossible to come up with a bulletproof e-voting system. What is wrong with paper ballots again? Oh yeah; Conservatives know millions of dead people and illegal aliens taint every election. As opposed to partisan election officials with untraceable access to a vote tally database and no paper trail to prove shenanigans.
  • Not to be outdone, an Ohio State CS Professor had his class change the logo of the Federal Election Commission to a Buckeye urinating on a Michigan Wolverine.
  • If they know who the absentee voters are why not just mail them a ballot instead of spending the typical fortune that gov. bodies spend on such useless projects?
