Network News

X My Profile
View More Activity

More about vote-hacking incident revealed at council hearing

The D.C. Council is hearing complaints about September's primary elections in a hearing underway now at the John A. Wilson Building.

Member Mary M. Cheh (D-Ward 3) convened the hearing today to review the performance of the Board of Elections and Ethics in Sept. 14's primaries, and also to review legislation that would make vote-buying illegal under local law and also expand the board's membership.

The vast majority of the comments have been about the elections. Dorothy Brizill, a civic activist and longtime election watcher, sharply criticized the board and its staff for poor preparation and training, as well as ballot security concerns. Tom Smith, chairman of the Ward 3 Democrats, raised questions about the new same-day registration process, saying it "opens our voting system unnecessarily to fraud and abuse."

But today's most dramatic moments concern a public testing of a "digital vote by mail" system that was intended to allow about 950 overseas voters to cast absentee ballots over the Internet.

J. Alex Halderman, a University of Michigan professor who infiltrated the system with his graduate students during a "bring it on" trial period, described how they were able to have complete control over the system's servers, allowing them to monitor incoming votes and change votes already cast for two days before being discovered. He described much of this in detail in a blog post this week.

But Halderman revealed more at the hearing this morning, including that his team was able to take control of routers and switches in the voting system. That gave them access to, among other things, security cameras in a BOEE server room. (After his testimony, Halderman showed reporters live video from the room, streaming to his iPhone.)

"This could easily have given us a totally separate second way to steal votes," he testified.

Halderman also reported that while he and his students had control of the system, they witnessed hackers from China and Iran prodding those routers and switches. They chose to modify a firewall and change the password to keep the would-be infiltrators out.

Halderman also revealed a more serious security breach: A document containing names and addresses of the more than 900 voters eligible for the Internet voting trial was left on the test server, he testified, along with crucial ID numbers that would have allowed hackers to request and complete ballots.

"This was the biggest shock we've had in a very long time," Halderman said after testifying. "I didn't believe what I was looking at. ... It's sort of the crown jewels of the security for the real election."

In a theatrical moment, Halderman opened a cardboard box he'd brought with him and pulled out a printout of the 953-page document.

"I'm just deeply concerned that the BOEE does not take security seriously," he testified, "and it fails to appreciate the security challenges faced by any Internet voting system."

The BOEE announced Monday that it was canceling the part of the system that would allow the return of completed ballots over the Internet, but it said it would continue refining the system for possible use in a future election.

"Should the council shut this down?" Cheh asked several elections experts who testified. They said it should.

Said Halderman, "There are some things that technology can do, and there are some things that technology can't do, at least not within the state of the art."

The board's executive director, Rokey W. Suleman II, is set to testify later today. In delivering a preliminary report Wednesday, he defended the board's performance and suggested that the council had asked it to do too much too fast.

By Mike DeBonis  | October 8, 2010; 12:44 PM ET
Categories:  DCision 2010, The District  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   Del.icio.us   StumbleUpon   Technorati   Google Buzz   Previous: DeMorning DeBonis: Oct. 8, 2010
Next: DeMorning DeBonis: Oct. 11, 2010

Comments

Unbelievable. Well, no, it's the BOEE, so it's not that unbelievable.

How bad does BOEE have to screw up before Suleman has to resign in disgrace? Or is he completely immune to disgrace?

Posted by: 20009matt | October 8, 2010 1:58 PM | Report abuse

First, I am going on record as opposing absentee ballots by Internet. I view it as breaking a problem that was fixed. Evidently, stupid is in right now. In the NY Times, Paul Stenbjorn is quoted as saying: “The lesson learned is not to be more timid, but more aggressive about solving the problem,” If there is anything that should give huge red flags, it is their very first paragraph here:

http://www.dcboee.us/DVM/ps_hacker_response.htm

They say that since nobody overseeing this thing went to the University of Michigan they finally concluded when the University of Michigan fight song was being played that they had been hacked? It reveals a deep defect in their thinking. The DC BOEE should have known they were hacked long before the Michigan fight song started playing when a vote was cast. This will take years of refinement before it will even pass muster with a wet behind the ears undergraduate in CS that is in favor of voting by Internet before they should consider it acceptable. These people are idiots to not realize just how bad the situation is. I was going to write to Dr Halderman to give some suggestions of how to improve this. After reading the rest of this I would say there is no hope. But if the DC BOEE, and the West Virginia counties intend to proceed I can only conclude these people don't realize that they have done less than 5% of the work needed on this before they actually use it. They probably think it will take just a few more tweaks and it is ready to go! I certainly hope that only the public side of the OpenPGP key that they used to encrypt was on the machine. The secret key should not be on the machine doing the encrypting. Washington Post, ask Dr Halderman and the BOEE if the secret key was there. THIS IS BAD!

Posted by: hhhobbit | October 14, 2010 4:12 PM | Report abuse

Post a Comment

We encourage users to analyze, comment on and even challenge washingtonpost.com's articles, blogs, reviews and multimedia features.

User reviews and comments that include profanity or personal attacks or other inappropriate comments or material will be removed from the site. Additionally, entries that are unsigned or contain "signatures" by someone other than the actual author will be removed. Finally, we will take steps to block users who violate any of our posting standards, terms of use or privacy policies or any other policies governing this site. Please review the full rules governing commentaries and discussions.




characters remaining

 
 
RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company