More about vote-hacking incident revealed at council hearing
The D.C. Council is hearing complaints about September's primary elections in a hearing underway now at the John A. Wilson Building.
Member Mary M. Cheh (D-Ward 3) convened the hearing today to review the performance of the Board of Elections and Ethics in Sept. 14's primaries and to review legislation that would make vote-buying illegal under local law and expand the board's membership.
The vast majority of the comments have been about the elections. Dorothy Brizill, a civic activist and longtime election watcher, sharply criticized the board and its staff for poor preparation and training, as well as ballot security concerns. Tom Smith, chairman of the Ward 3 Democrats, raised questions about the new same-day registration process, saying it "opens our voting system unnecessarily to fraud and abuse."
But today's most dramatic moments concern a public testing of a "digital vote by mail" system that was intended to allow about 950 overseas voters to cast absentee ballots over the Internet.
J. Alex Halderman, a University of Michigan professor who infiltrated the system with his graduate students during a "bring it on" trial period, described how they gained complete control over the system's servers, allowing them to monitor incoming votes and change votes already cast for two days before being discovered. He described much of this in detail in a blog post this week.
But Halderman revealed more at the hearing this morning, including that his team was able to take control of routers and switches in the voting system. That gave them access to, among other things, security cameras in a BOEE server room. (After his testimony, Halderman showed reporters live video from the room, streaming to his iPhone.)
"This could easily have given us a totally separate second way to steal votes," he testified.
Halderman also reported that while he and his students had control of the system, they witnessed hackers from China and Iran prodding those routers and switches. They chose to modify a firewall and change the password to keep the would-be infiltrators out.
Halderman also revealed a more serious security breach: A document containing names and addresses of the more than 900 voters eligible for the Internet voting trial was left on the test server, he testified, along with crucial ID numbers that would have allowed hackers to request and complete ballots.
"This was the biggest shock we've had in a very long time," Halderman said after testifying. "I didn't believe what I was looking at. ... It's sort of the crown jewels of the security for the real election."
In a theatrical moment, Halderman opened a cardboard box he'd brought with him and pulled out a printout of the 953-page document.
"I'm just deeply concerned that the BOEE does not take security seriously," he testified, "and it fails to appreciate the security challenges faced by any Internet voting system."
The BOEE announced Monday that it was canceling the part of the system that would allow the return of completed ballots over the Internet, but it said it would continue refining the system for possible use in a future election.
"Should the council shut this down?" Cheh asked several elections experts who testified. They said it should.
Said Halderman, "There are some things that technology can do, and there are some things that technology can't do, at least not within the state of the art."
The board's executive director, Rokey W. Suleman II, is set to testify later today. In delivering a preliminary report Wednesday, he defended the board's performance and suggested that the council had asked it to do too much too fast.