DC Suspends Tests of Online Voting System 170
Fortran IV writes "Back in June, Washington, DC signed up with the The Open Source Digital Foundation to set up an internet voting system for DC residents overseas. The plan was to have the system operational by the November general election. Last week the DC Board of Elections and Ethics opened the system for testing and attracted the attention of students at the University of Michigan, with comical results. The DC Board has postponed implementation of the system for 'more robust testing.'" Update: 10/06 02:42 GMT by T : University of Michigan computer scientist J. Alex Halderman provides an explanation of exactly how the folks at Michigan exploited the DC system.
Re:open public review (Score:3, Informative)
It's open software, so you can look at it any time you like.
Of course, so can the h4xx0rs.
And they don't have to pwn it until election day. By which time you no longer have open access to the code in the box. You can try to hack it, but you probably won't be able to tell what other hacks have been applied by looking at the binary.
The fact is, if the voting system is built on an operating system that allows a superuser access to all things, then it's ultimately vulnerable to all types of hack, as long as there's any exploit that allows superuser access.
And if it has an IP component over the public interwebs, all bets are off, no matter what TLA you're using to encrypt it.
Re:Inline PDF forms!?! (Score:3, Informative)
And of course, their servers were obviously insecure, as evidenced by someone managing to alter content on the servers.
Bad sign that what with the fact that one of the OSDV directors, also its nominal CTO [osdv.org] sells himself as a security consultant. [sebes.com]
GNU Free (Score:5, Informative)
Many years ago there was a GNU project to create an online secure voting software. It's a great idea.
In 2002, they finally stopped development. They explain why here: http://www.gnu.org/software/free/ [gnu.org]
Quoting from that page:
"As Bruce Schneier points out "a secure Internet voting system is theoretically possible, but it would be the first secure networked application ever created in the history of computers."
and...
"Mr.Schneier points out, 'building a secure Internet-based voting system is a very hard problem, harder than all the other computer security problems we've attempted and failed at. I believe that the risks to democacy are too great to attempt it.'"
I think anyone wanting to build a secure online voting system should give those quotes some really serious thought before starting. Then before they write any code, they should be to explain why they believe they are right and one of the field's most respected experts is wrong.