Attacking the DC Internet Voting System
March 19, 2012 12:43 AM Subscribe
Attacking the Washington, D.C. Internet Voting System (PDF). "When we inspected the terminal server’s logs, we noticed that several other attackers [from Iran, New Jersey, India, and China] were attempting to guess the SSH login passwords." J. Alex Halderman, a computer scientist at the University of Michigan, describes how thoroughly he and his team were able to penetrate a pilot Internet voting system run by the District of Columbia, as part of an open public test in 2010. An earlier report on the attack. Via comp.risks.
The part about evidence of other attacks reminds me of this quote from Bruce Sterling's Distraction:
The part about evidence of other attacks reminds me of this quote from Bruce Sterling's Distraction:
"I guess it's time for me to explain how I found you," Kevin said. "I bugged your shoes, Dr. Penninger."From the paper:
"You put listening devices into my shoes?"
"Yeah. Nothing to it. And I wasn't the only guy on the job, either. Your shoes had six other bugs planted inside the heels and seams. Very nice devices, too--I figured them to be planted by players a lot heavier than I am. I could have removed them all, but I figured ... hey, this many? There must be some kind of gentlemen's agreement going on here. I'll do better if I just stand in line."
Internet voting exposes what might otherwise be a small, local race of little global significance to attackers from around the globe, who may act for a wide range of reasons varying from politics to financial gain to sheer malice. In addition to compromising the central voting server as we did, attackers can launch denial-of-service attacks aimed at disrupting the election, they can redirect voters to fake voting sites, and they can conduct widespread attacks on voters’ client machines. These threats correspond to some of the most difficult unsolved problems in Internet security and are unlikely to be overcome soon.Perhaps the most entertaining detail in the paper:
We found a pair of webcams on the DVBM network — both publicly accessible without any password — that showed views of the server room that housed the pilot. As shown in Figure 4, one camera pointed at the entrance to the room, and we were able to observe several people enter and leave, including a security guard, several officials, and IT staff. The second camera was directed at a rack of servers.Includes before-and-after images from the webcams.
These webcams may have been intended to increase security by allowing remote surveillance of the server room, but in practice, since they were unsecured, they had the potential to leak information that would be extremely useful to attackers. Malicious intruders viewing the cameras could learn which server architectures were deployed, identify individuals with access to the facility in order to mount social engineering attacks, and learn the pattern of security patrols in the server room. We used them to gauge whether the network administrators had discovered our attacks — when they did, their body language became noticeably more agitated.
Instead of compromising the election software, me and my rich friends just compromise the elected officials. It costs more, but it's a lot easier.
posted by twoleftfeet at 12:56 AM on March 19, 2012 [9 favorites]
posted by twoleftfeet at 12:56 AM on March 19, 2012 [9 favorites]
Within 36 hours of the system going live, our team had found and exploited a vulnerability that gave us almost total control of the server software, including the ability to change votes and reveal voters' secret ballots.
...
Everything we've seen suggests that the design is /brittle/: one small mistake can completely compromise its security. I described above how a small error in file-extension handling left the system open to exploitation. If this particular problem had not existed, I'm confident that we would have found another way to attack the system.
We need more disclosures of this type, the only way to fix this is to increase knowledge of the vulnerabilities so attention is paid to the need to fix them.
posted by arcticseal at 1:10 AM on March 19, 2012 [1 favorite]
...
Everything we've seen suggests that the design is /brittle/: one small mistake can completely compromise its security. I described above how a small error in file-extension handling left the system open to exploitation. If this particular problem had not existed, I'm confident that we would have found another way to attack the system.
We need more disclosures of this type, the only way to fix this is to increase knowledge of the vulnerabilities so attention is paid to the need to fix them.
posted by arcticseal at 1:10 AM on March 19, 2012 [1 favorite]
The before and after pictures depicting the guy yawning are indeed priceless.
I think they deserve a good deal of credit for open-sourcing this proposed system in the first place, but honestly Ruby on Rails would not be my first choice for an application where security is paramount (I'm thinking more about the monkey-patching in Ruby and similarly dynamic languages than RoR itself here).
posted by whir at 1:58 AM on March 19, 2012
I think they deserve a good deal of credit for open-sourcing this proposed system in the first place, but honestly Ruby on Rails would not be my first choice for an application where security is paramount (I'm thinking more about the monkey-patching in Ruby and similarly dynamic languages than RoR itself here).
posted by whir at 1:58 AM on March 19, 2012
online voting is not a good idea at all.
And the best reasons have nothing to do with computer security. If someone's voting online, you have no way of telling if someone else is standing behind them with a baseball bat.
There's no compelling reason to make voting systems more complex. Pencil and paper, people. It works.
posted by Jimbob at 2:36 AM on March 19, 2012 [26 favorites]
And the best reasons have nothing to do with computer security. If someone's voting online, you have no way of telling if someone else is standing behind them with a baseball bat.
There's no compelling reason to make voting systems more complex. Pencil and paper, people. It works.
posted by Jimbob at 2:36 AM on March 19, 2012 [26 favorites]
If someone's voting online, you have no way of telling if someone else is standing behind them with a baseball bat.
If someone's filling out an Absentee Ballot, you have no way of telling if someone else is standing behind them with a baseball bat.
I've mentioned before my experience with Republicans in L.A. in 1972 (when my mother was a proud Republican Women's Group-er), sending volunteers to nursing homes to 'assist' old GOPers to fill out their Absentee Ballots... the right way.
Pencil and paper. The old ways of stuffing ballot boxes are still just fine.
posted by oneswellfoop at 2:51 AM on March 19, 2012 [9 favorites]
If someone's filling out an Absentee Ballot, you have no way of telling if someone else is standing behind them with a baseball bat.
I've mentioned before my experience with Republicans in L.A. in 1972 (when my mother was a proud Republican Women's Group-er), sending volunteers to nursing homes to 'assist' old GOPers to fill out their Absentee Ballots... the right way.
Pencil and paper. The old ways of stuffing ballot boxes are still just fine.
posted by oneswellfoop at 2:51 AM on March 19, 2012 [9 favorites]
To be fair you can spin up a $15 linode box doing nothing important at all and get ssh attackers from Iran, New Jersey, India, and China within minutes. That's just part of the noise floor for servers on the public internet.
posted by Skorgu at 3:31 AM on March 19, 2012 [11 favorites]
posted by Skorgu at 3:31 AM on March 19, 2012 [11 favorites]
That's just part of the noise floor for servers on the public internet.
Still, probably not a smart idea to just put a voting machine on a public-facing Internet, all the same. That seems to be a core part of this nuttiness, anyway.
posted by Blazecock Pileon at 3:35 AM on March 19, 2012
Still, probably not a smart idea to just put a voting machine on a public-facing Internet, all the same. That seems to be a core part of this nuttiness, anyway.
posted by Blazecock Pileon at 3:35 AM on March 19, 2012
Just because you can update things doesn't mean you have to or you should. Implementing "future" tech does not always mean better and more secure.
posted by littlesq at 3:46 AM on March 19, 2012 [3 favorites]
posted by littlesq at 3:46 AM on March 19, 2012 [3 favorites]
Instead of compromising the election software, me and my rich friends just compromise the elected officials. It costs more, but it's a lot easier.
You over estimate how much politicians cost to buy. A good programmer is more expensive.
posted by srboisvert at 3:48 AM on March 19, 2012 [3 favorites]
You over estimate how much politicians cost to buy. A good programmer is more expensive.
posted by srboisvert at 3:48 AM on March 19, 2012 [3 favorites]
"The Digi Passport 8 terminal server provides an HTTP-based administrative interface. We were able to gain access using the default root password (dbps) obtained from an online copy of the user manual."
*shakes head*
"We hid our presence in the terminal server using a custom JavaScript rootkit, which we installed over an SSH session (the same account names and passwords used in the web interface were accepted for SSH)."
...really? I mean, really? Live on the net with default password enabled for SSH logins for something that has plaintext passwords run over it for the switches? You could very easily reroute the incoming voters to your own MITM evil box.
"After about 3.5 hours using the cracker’s default settings, we recovered the secondary administrator password cisco123 from a salted MD5 hash."
In other news, even when the network admins change the password on network infrastructure they change them to terrible, terrible passwords. This system wasn't meant to be part of the trial. It was real, live infrastructure.
TL;DR: Came for the server root, gained root on the surprisingly incompetently set up entire network infrastructure.
posted by jaduncan at 4:19 AM on March 19, 2012 [3 favorites]
*shakes head*
"We hid our presence in the terminal server using a custom JavaScript rootkit, which we installed over an SSH session (the same account names and passwords used in the web interface were accepted for SSH)."
...really? I mean, really? Live on the net with default password enabled for SSH logins for something that has plaintext passwords run over it for the switches? You could very easily reroute the incoming voters to your own MITM evil box.
"After about 3.5 hours using the cracker’s default settings, we recovered the secondary administrator password cisco123 from a salted MD5 hash."
In other news, even when the network admins change the password on network infrastructure they change them to terrible, terrible passwords. This system wasn't meant to be part of the trial. It was real, live infrastructure.
TL;DR: Came for the server root, gained root on the surprisingly incompetently set up entire network infrastructure.
posted by jaduncan at 4:19 AM on March 19, 2012 [3 favorites]
oneswellfoop: "If someone's filling out an Absentee Ballot, you have no way of telling if someone else is standing behind them with a baseball bat."
Then you're doing voting by mail wrong. The solution isn't to move to internet voting.
posted by brokkr at 4:29 AM on March 19, 2012
Then you're doing voting by mail wrong. The solution isn't to move to internet voting.
posted by brokkr at 4:29 AM on March 19, 2012
There's no compelling reason to make voting systems more complex. Pencil and paper, people. It works.
Actually, there is one reason: With a suitable cryptographic system, voters could verify that their votes were counted correctly without anyone else being able to tell for whom they voted. But such a system is going to be computationally big and would need computers. The ends might not justify the risk of the means.
And of course the reason the above is needed is that voters have a lack of trust in government. A big complicated system, even if it works perfectly, isn't going to restore that trust. The government has to restore that trust by working for people again. Throw out corporate influence, invest in bread-and-butter issues (education, infrastructure, etc) and support popular movements (marijuana, let big banks fail, etc).
posted by DU at 4:37 AM on March 19, 2012 [2 favorites]
Actually, there is one reason: With a suitable cryptographic system, voters could verify that their votes were counted correctly without anyone else being able to tell for whom they voted. But such a system is going to be computationally big and would need computers. The ends might not justify the risk of the means.
And of course the reason the above is needed is that voters have a lack of trust in government. A big complicated system, even if it works perfectly, isn't going to restore that trust. The government has to restore that trust by working for people again. Throw out corporate influence, invest in bread-and-butter issues (education, infrastructure, etc) and support popular movements (marijuana, let big banks fail, etc).
posted by DU at 4:37 AM on March 19, 2012 [2 favorites]
not a smart idea to just put a voting machine on a public-facing Internet
Just use anti-virus!
posted by DU at 4:38 AM on March 19, 2012 [4 favorites]
Just use anti-virus!
posted by DU at 4:38 AM on March 19, 2012 [4 favorites]
There's no compelling reason to make voting systems more complex. Pencil and paper, people. It works.
You seem to have contradicted yourself.
(or 'compelling for whom?')
posted by pompomtom at 4:42 AM on March 19, 2012
You seem to have contradicted yourself.
(or 'compelling for whom?')
posted by pompomtom at 4:42 AM on March 19, 2012
Ah. This explains how Marion Barry keeps getting re-elected.
posted by crunchland at 4:45 AM on March 19, 2012
posted by crunchland at 4:45 AM on March 19, 2012
Sorry, that was overly glib, but I really should finish this drink and go to bed...
It seems to me that, given the consistent absurdity of American voting systems, that someone relevant has an interest in increasing their complexity. Whether that's the people who sell the boxen, or the Bavarian Illuminati is beyond me. Every Australian who ever approaches the issue says something like: (a) pencils and paper; (2) independent electoral commission; (iii) (but only if you fancy an argument) compulsory voting on a day when poor people might make it to the polling booth.
The fact that the latest new system is daft is not really adding any information to the whole schmozzle.
posted by pompomtom at 4:54 AM on March 19, 2012 [1 favorite]
It seems to me that, given the consistent absurdity of American voting systems, that someone relevant has an interest in increasing their complexity. Whether that's the people who sell the boxen, or the Bavarian Illuminati is beyond me. Every Australian who ever approaches the issue says something like: (a) pencils and paper; (2) independent electoral commission; (iii) (but only if you fancy an argument) compulsory voting on a day when poor people might make it to the polling booth.
The fact that the latest new system is daft is not really adding any information to the whole schmozzle.
posted by pompomtom at 4:54 AM on March 19, 2012 [1 favorite]
(four) A choice of candidates that differ in something relevant.
posted by Obscure Reference at 5:07 AM on March 19, 2012 [3 favorites]
posted by Obscure Reference at 5:07 AM on March 19, 2012 [3 favorites]
Let's not be silly.
posted by pompomtom at 5:14 AM on March 19, 2012 [1 favorite]
posted by pompomtom at 5:14 AM on March 19, 2012 [1 favorite]
Pretty bad security setup, and what's worse, no real auditing before a public penetration test.
Audit needs to be baked into your architecture. Security checklists for every item on your network, and every scrap of software on your servers, need to be filled out and triple-checked before you hook up the cable to your ISP's CPE. It needs to be reviewed by trained IT auditors, and tested to within an inch of its life by both tiger teams and automated pen-test tools. You need configuration monitoring software to raise red flags when something leaves spec.
SSH should not have been left open on anything resembling a payload interface on the server, and a SSH session should not have made it past the DMZ firewalls, and if it did, it should have been stopped by the DMZ switch ACLs. Since a SSH session from a hostile network made it into the network, the network intrusion system should have been raising alerts all up in that business. Four pieces of equipment with a fatal misconfiguration. Unreal. Even the simplest security review should have shown this was an issue. I kind of wonder if the project was set up to fail?
Above and beyond simple incompetence, there are some modern firewalls that filter out anomalous behavior - once you go through a "burn in" period where QA tests your setup by pounding it with a gazillion simulated sessions, flip the switch, and the firewall will block (or at least alert) on users doing strange things, and are pre-programmed to recognize common attacks. For security-critical infrastructure, they're kind of a "must have" in modern DMZs. We're past the point where a simple outer-bastion/inner-bastion DMZ design is enough.
posted by Slap*Happy at 6:10 AM on March 19, 2012 [1 favorite]
Audit needs to be baked into your architecture. Security checklists for every item on your network, and every scrap of software on your servers, need to be filled out and triple-checked before you hook up the cable to your ISP's CPE. It needs to be reviewed by trained IT auditors, and tested to within an inch of its life by both tiger teams and automated pen-test tools. You need configuration monitoring software to raise red flags when something leaves spec.
SSH should not have been left open on anything resembling a payload interface on the server, and a SSH session should not have made it past the DMZ firewalls, and if it did, it should have been stopped by the DMZ switch ACLs. Since a SSH session from a hostile network made it into the network, the network intrusion system should have been raising alerts all up in that business. Four pieces of equipment with a fatal misconfiguration. Unreal. Even the simplest security review should have shown this was an issue. I kind of wonder if the project was set up to fail?
Above and beyond simple incompetence, there are some modern firewalls that filter out anomalous behavior - once you go through a "burn in" period where QA tests your setup by pounding it with a gazillion simulated sessions, flip the switch, and the firewall will block (or at least alert) on users doing strange things, and are pre-programmed to recognize common attacks. For security-critical infrastructure, they're kind of a "must have" in modern DMZs. We're past the point where a simple outer-bastion/inner-bastion DMZ design is enough.
posted by Slap*Happy at 6:10 AM on March 19, 2012 [1 favorite]
Jesus. Ruby on Rails as the backend, and uploading PDFs from untrusted PCs on the frontend?
I'm surprised it took as long as it did for this thing to get cracked, frankly.
posted by xbonesgt at 6:41 AM on March 19, 2012 [2 favorites]
I'm surprised it took as long as it did for this thing to get cracked, frankly.
posted by xbonesgt at 6:41 AM on March 19, 2012 [2 favorites]
jaduncan: ""The Digi Passport 8 terminal server provides an HTTP-based administrative interface. "
Hold the phone a second. While this is all pretty bad, did they really commission a brand new system that funnels all of its network traffic into a digiboard?
posted by schmod at 6:41 AM on March 19, 2012
Hold the phone a second. While this is all pretty bad, did they really commission a brand new system that funnels all of its network traffic into a digiboard?
posted by schmod at 6:41 AM on March 19, 2012
voters have a lack of trust in government.
And who's fault is it? The people who do not trust or government*? Or the untrusted institution for having acted in the pass like bozos?
It needs to be reviewed by trained IT auditors, and tested to within an inch of its life by both tiger teams and automated pen-test tools.
Just for yucks - got a cost figure you can put on these "needs"?
I kind of wonder if the project was set up to fail?
I doubt that. Budget VS needing to get the project done. Forgetting a password is expensive and makes you look like a chump.
Lets say you have a switch where you can lock a port down to the MAC or IP level. And you are doing the "right thing" and segmenting printers. How to you justify the $800 bill to move a printer to a small business that is barely making the monthly nut? How are these small businesses gonna stay connected to the Internet once Congress passes a "make work for IT security people" bill.
* lets be fair. Anytime the group gets large enough or there is an advantage to lying, lying happens. Add to that the kinds of people willing to lie then justify the lying like here and no sane and rational person should be shocked at a lack of trust.
posted by rough ashlar at 6:46 AM on March 19, 2012
And who's fault is it? The people who do not trust or government*? Or the untrusted institution for having acted in the pass like bozos?
It needs to be reviewed by trained IT auditors, and tested to within an inch of its life by both tiger teams and automated pen-test tools.
Just for yucks - got a cost figure you can put on these "needs"?
I kind of wonder if the project was set up to fail?
I doubt that. Budget VS needing to get the project done. Forgetting a password is expensive and makes you look like a chump.
Lets say you have a switch where you can lock a port down to the MAC or IP level. And you are doing the "right thing" and segmenting printers. How to you justify the $800 bill to move a printer to a small business that is barely making the monthly nut? How are these small businesses gonna stay connected to the Internet once Congress passes a "make work for IT security people" bill.
* lets be fair. Anytime the group gets large enough or there is an advantage to lying, lying happens. Add to that the kinds of people willing to lie then justify the lying like here and no sane and rational person should be shocked at a lack of trust.
posted by rough ashlar at 6:46 AM on March 19, 2012
As a web developer with enough experience to know how hard security is to get right, I love making my mark with a pencil on a plainly marked slip of paper and sticking it in a cardboard box. The Zen simplicity of the Canadian voting process makes me happy every time I use it.
posted by CaseyB at 6:47 AM on March 19, 2012 [4 favorites]
posted by CaseyB at 6:47 AM on March 19, 2012 [4 favorites]
By comparison, how difficult would it be to break an email voting system? Have it configured where all the registrants are white listed and have them email their vote to a specific account, say, if yes or no, or casting a vote for someone by name. No further communication required.
posted by Brian B. at 6:59 AM on March 19, 2012
posted by Brian B. at 6:59 AM on March 19, 2012
voters have a lack of trust in government.
And who's fault is it? The people who do not trust or government*? Or the untrusted institution for having acted in the pass like bozos?
I can't tell if you are accusing me of blaming voters, but if you read the rest of my comment you'll I'm definitely not.
posted by DU at 7:00 AM on March 19, 2012
And who's fault is it? The people who do not trust or government*? Or the untrusted institution for having acted in the pass like bozos?
I can't tell if you are accusing me of blaming voters, but if you read the rest of my comment you'll I'm definitely not.
posted by DU at 7:00 AM on March 19, 2012
I'm speaking as a not too fancy programmer, but the voting software DC had/has was written by some hacker in the Ukraine. That hacker used backtick'd shell commands (gpg) to encrypt a portion of the vote.
That is a stupid thing for a programmer to do and it wouldn't get past any sort of pseudo-rigorous code review.
posted by nutate at 7:42 AM on March 19, 2012
That is a stupid thing for a programmer to do and it wouldn't get past any sort of pseudo-rigorous code review.
posted by nutate at 7:42 AM on March 19, 2012
Just for yucks - got a cost figure you can put on these "needs"?
Yeah, the project doesn't go ahead without it. If you can't afford a security infrastructure, you can't afford to run something as sensitive as an e-voting system for a municipality. "I got a barn, let's put on a play!" doesn't fly for something like this. Actual dollar figures depend on the resources already in place. At the very least, they need a full-time compliance engineer and enough part-timers to cover the role. Configuration management tools, network audit software and automated pen-test suites can help here.
That said, even paying for adult supervision, an internet-voting system is likely cheaper than current electronic voting infrastructures - all that custom hardware and the support infrastructure for it ain't cheap.
To my mind, the insurmountable problem is DDOS - if voting is on Tuesday, we currently don't have the tech to catch and neutralize a massive DOS'ing on a same-day timescale. It may not bring things to a screeching halt with some planning and preparation, but it certainly will disenfranchise at least some voters, and discourage others from voting, which is unacceptable.
posted by Slap*Happy at 7:59 AM on March 19, 2012
Yeah, the project doesn't go ahead without it. If you can't afford a security infrastructure, you can't afford to run something as sensitive as an e-voting system for a municipality. "I got a barn, let's put on a play!" doesn't fly for something like this. Actual dollar figures depend on the resources already in place. At the very least, they need a full-time compliance engineer and enough part-timers to cover the role. Configuration management tools, network audit software and automated pen-test suites can help here.
That said, even paying for adult supervision, an internet-voting system is likely cheaper than current electronic voting infrastructures - all that custom hardware and the support infrastructure for it ain't cheap.
To my mind, the insurmountable problem is DDOS - if voting is on Tuesday, we currently don't have the tech to catch and neutralize a massive DOS'ing on a same-day timescale. It may not bring things to a screeching halt with some planning and preparation, but it certainly will disenfranchise at least some voters, and discourage others from voting, which is unacceptable.
posted by Slap*Happy at 7:59 AM on March 19, 2012
several other attackers [from Iran, New Jersey, India, and China]
The true Axis of Evil!
(Well, okay, maybe not India. But them other three are pretty bad...)
posted by scaryblackdeath at 8:01 AM on March 19, 2012
The true Axis of Evil!
(Well, okay, maybe not India. But them other three are pretty bad...)
posted by scaryblackdeath at 8:01 AM on March 19, 2012
They talk about changing the web site to play the University of Michigan fight song, but the HTML they use - an <embed> tag with an mp3 inside - does that work in most common browsers?
posted by ymgve at 8:07 AM on March 19, 2012
posted by ymgve at 8:07 AM on March 19, 2012
Who says America isn't the land of opportunity? It looks like any moderately informed script kiddie will soon be able to get themselves elected to the House of Representatives.
posted by ceribus peribus at 8:20 AM on March 19, 2012 [1 favorite]
posted by ceribus peribus at 8:20 AM on March 19, 2012 [1 favorite]
Forgetting a password is expensive and makes you look like a chump.
Not using password management software in the year 2012 makes you look like an incompetent chump.
Even back before we had password management systems, we would change all default passwords, put the new passwords on a document that was printed out and stored 1) in a locked filing cabinet or even a small safe in the CIO's office (COO if the operation was too small for a CIO, in the CSO's office if it was big enough for a CSO) 2) Offsite at the company's file storage company or in the company's safe deposit box at a bank. This is what good sysadmins do. There are not many good sysadmins, so now it's what security engineers do. If you can't afford a security engineer, unhook your internet connection and throw out your wireless equipment. Provided you can find all of your internet connections and wireless equipment.
Let's also contemplate the wisdom of exposing your DMZ terminal server - with the default password you didn't change because you didn't want to look like a chump - directly to the internet, instead of ensconcing it in a management network available only through a VPN.
posted by Slap*Happy at 8:22 AM on March 19, 2012 [1 favorite]
Not using password management software in the year 2012 makes you look like an incompetent chump.
Even back before we had password management systems, we would change all default passwords, put the new passwords on a document that was printed out and stored 1) in a locked filing cabinet or even a small safe in the CIO's office (COO if the operation was too small for a CIO, in the CSO's office if it was big enough for a CSO) 2) Offsite at the company's file storage company or in the company's safe deposit box at a bank. This is what good sysadmins do. There are not many good sysadmins, so now it's what security engineers do. If you can't afford a security engineer, unhook your internet connection and throw out your wireless equipment. Provided you can find all of your internet connections and wireless equipment.
Let's also contemplate the wisdom of exposing your DMZ terminal server - with the default password you didn't change because you didn't want to look like a chump - directly to the internet, instead of ensconcing it in a management network available only through a VPN.
posted by Slap*Happy at 8:22 AM on March 19, 2012 [1 favorite]
Who says America isn't the land of opportunity? It looks like any moderately informed script kiddie will soon be able to get themselves elected to the House of Representatives.
As long as Internet voting stays in DC, this is technically true but I'm guessing most script kiddies won't relish the prospect of being a non-voting member of Congress.
posted by Copronymus at 8:26 AM on March 19, 2012 [1 favorite]
As long as Internet voting stays in DC, this is technically true but I'm guessing most script kiddies won't relish the prospect of being a non-voting member of Congress.
posted by Copronymus at 8:26 AM on March 19, 2012 [1 favorite]
I kind of wonder if the project was set up to fail?
This. Slap, I'm going to be kind and suggest this _was_ the goal, to demonstrate its success with users at the same time hammering the idea home that security would easily be 3x production costs.
Otherwise I'm just gobsmacked.
posted by drowsy at 8:47 AM on March 19, 2012
This. Slap, I'm going to be kind and suggest this _was_ the goal, to demonstrate its success with users at the same time hammering the idea home that security would easily be 3x production costs.
Otherwise I'm just gobsmacked.
posted by drowsy at 8:47 AM on March 19, 2012
If you can't afford a security engineer, unhook your internet connection and throw out your wireless equipment.
How is a 5-10 person small business supposed to afford this security engineer if you have an Internet connection?
posted by rough ashlar at 8:52 AM on March 19, 2012 [1 favorite]
How is a 5-10 person small business supposed to afford this security engineer if you have an Internet connection?
posted by rough ashlar at 8:52 AM on March 19, 2012 [1 favorite]
I imagine that there are several government functions that are too expensive to be done correctly by a 5-10 person small business. Can't we put that small business in charge of, say, TSA instead of voting?
posted by ceribus peribus at 9:01 AM on March 19, 2012
posted by ceribus peribus at 9:01 AM on March 19, 2012
Just leave it on paper, for fucks sake.
posted by Slackermagee at 9:17 AM on March 19, 2012
posted by Slackermagee at 9:17 AM on March 19, 2012
How is a 5-10 person small business supposed to afford this security engineer if you have an Internet connection?
You hire a contractor or managed security service - actually, the outfit you hire to run your website does, and bakes the cost into their quote and/or monthly fee. A 5-10 user LAN is a cable modem and an off-the-shelf Apple Airport router (which comes with about as good a firewall as you need.) For an outfit that small, you don't even need a VPN, just use cloud services like drop-box and jabber.
An e-voting system for a major city is not a 5-10 person shop. It's a multi-million user web application, and it's political nature means security needs to be on-par with a major financial institution.
Just leave it on paper, for fucks sake.
Why? It's easier to put an audited security infrastructure in place than to make sure the incumbents overseeing the vote aren't ballot-stuffing. I'm still amazed over the Wisconsin vote where they "found" a few thousand votes for the incumbent judge just when he needed them the most.
posted by Slap*Happy at 9:32 AM on March 19, 2012
You hire a contractor or managed security service - actually, the outfit you hire to run your website does, and bakes the cost into their quote and/or monthly fee. A 5-10 user LAN is a cable modem and an off-the-shelf Apple Airport router (which comes with about as good a firewall as you need.) For an outfit that small, you don't even need a VPN, just use cloud services like drop-box and jabber.
An e-voting system for a major city is not a 5-10 person shop. It's a multi-million user web application, and it's political nature means security needs to be on-par with a major financial institution.
Just leave it on paper, for fucks sake.
Why? It's easier to put an audited security infrastructure in place than to make sure the incumbents overseeing the vote aren't ballot-stuffing. I'm still amazed over the Wisconsin vote where they "found" a few thousand votes for the incumbent judge just when he needed them the most.
posted by Slap*Happy at 9:32 AM on March 19, 2012
Why? It's easier to put an audited security infrastructure in place than to make sure the incumbents overseeing the vote aren't ballot-stuffing. I'm still amazed over the Wisconsin vote where they "found" a few thousand votes for the incumbent judge just when he needed them the most.
I've always liked electronic voting with a voter verifiable printed paper roll as the 'official' tally. If there's a discrepancy, the paper ballots count. It would be fairly easy to tell if there were shenanigans going on, you'd have to do both a physical and an electronic attack to make the ballots match up, should there be an attempt to ballot stuff or lose votes. You may not be able to tell what the 'real' vote tally was, but you would certainly be able to tell that something was fucked up if there are any major mismatches.
posted by empath at 10:32 AM on March 19, 2012 [2 favorites]
I've always liked electronic voting with a voter verifiable printed paper roll as the 'official' tally. If there's a discrepancy, the paper ballots count. It would be fairly easy to tell if there were shenanigans going on, you'd have to do both a physical and an electronic attack to make the ballots match up, should there be an attempt to ballot stuff or lose votes. You may not be able to tell what the 'real' vote tally was, but you would certainly be able to tell that something was fucked up if there are any major mismatches.
posted by empath at 10:32 AM on March 19, 2012 [2 favorites]
Just for yucks - got a cost figure you can put on these "needs"?
Yeah, that's a joke. I work for a large business-focused ISP and most of our customers don't do anything like that. Hell, a lot of them don't even change their passwords from the default and leave telnet access open on their routers..
posted by empath at 10:34 AM on March 19, 2012
Yeah, that's a joke. I work for a large business-focused ISP and most of our customers don't do anything like that. Hell, a lot of them don't even change their passwords from the default and leave telnet access open on their routers..
posted by empath at 10:34 AM on March 19, 2012
Slap*Happy: "It's easier to put an audited security infrastructure in place than to make sure the incumbents overseeing the vote aren't ballot-stuffing."No, no, a thousand times no.
It's as simple as making sure that people from all (major) involved factions are counting the votes.
posted by brokkr at 12:20 PM on March 19, 2012 [1 favorite]
... just use cloud services like drop-box ...
do you have any idea what their security track-record is like? "oops, we pushed broken code to production where any password would work for any account! won't happen again!"
posted by russm at 1:36 PM on March 19, 2012
do you have any idea what their security track-record is like? "oops, we pushed broken code to production where any password would work for any account! won't happen again!"
posted by russm at 1:36 PM on March 19, 2012
I appreciate the work Halderman and others like Ed Felten at Princeton and Avi Rubin at Johns Hopkins are doing bringing public awareness of e-voting issues to the public.
But I think the message they're sending is wrong and potentially dangerous.
Most of Felten's earlier hacks focus on traditional security vulnerabilities, like the Diebold flaws they discovered. They point out simple flaws like weak physical security or things like the shell-injection vulnerability in this example.
These are important issues, and they need to be very carefully audited in any voting system. But it creates the wrong impression in people's heads that the problem is hackers, not the actual voting system itself. That if we just fix all the security holes, everything will be fine.
But as most of the researchers are aware, the real problem isn't one of inadvertent flaws in the system. The problem is that most of these systems are purposefully designed to be black-box systems with no proper paper trail.
And when you have things like the classic quote by Diebold ex-CEO Walden O'Dell, being "committed to helping Ohio deliver its electoral votes to the president next year." Well, properly escaping your shell commands or using a real library interface to a crypto system isn't going to fix the problem.
The problem is one of architecture. Many of these systems were designed from the start to allow vote manipulation. You look at Diebold's GEMS central tabulation system and the use of two separate databases, one shown to auditors, and the other not shown but uploaded to the central server. When you have the audit logs not recording deleted votes. When one of the senior VPs and developers was a felon with a record of embezzling and accounting fraud* .
Talking about shell escape exploits and other bugs gives most people a mistaken impression that the problem is buggy software.
The problem is we need transparent voting. Paper trails. Cryptographically secure records and protocols that allow individual voters to verify their vote, and elections officials to verify there was not altering.
*I fully support the re-incorporation of ex-felons into society and providing more job opportunities for them. My issues here is it's indicative of a pattern by the company, not an indictment of all who have broken the law.
posted by formless at 2:16 PM on March 19, 2012 [1 favorite]
But I think the message they're sending is wrong and potentially dangerous.
Most of Felten's earlier hacks focus on traditional security vulnerabilities, like the Diebold flaws they discovered. They point out simple flaws like weak physical security or things like the shell-injection vulnerability in this example.
These are important issues, and they need to be very carefully audited in any voting system. But it creates the wrong impression in people's heads that the problem is hackers, not the actual voting system itself. That if we just fix all the security holes, everything will be fine.
But as most of the researchers are aware, the real problem isn't one of inadvertent flaws in the system. The problem is that most of these systems are purposefully designed to be black-box systems with no proper paper trail.
And when you have things like the classic quote by Diebold ex-CEO Walden O'Dell, being "committed to helping Ohio deliver its electoral votes to the president next year." Well, properly escaping your shell commands or using a real library interface to a crypto system isn't going to fix the problem.
The problem is one of architecture. Many of these systems were designed from the start to allow vote manipulation. You look at Diebold's GEMS central tabulation system and the use of two separate databases, one shown to auditors, and the other not shown but uploaded to the central server. When you have the audit logs not recording deleted votes. When one of the senior VPs and developers was a felon with a record of embezzling and accounting fraud
Talking about shell escape exploits and other bugs gives most people a mistaken impression that the problem is buggy software.
The problem is we need transparent voting. Paper trails. Cryptographically secure records and protocols that allow individual voters to verify their vote, and elections officials to verify there was not altering.
*I fully support the re-incorporation of ex-felons into society and providing more job opportunities for them. My issues here is it's indicative of a pattern by the company, not an indictment of all who have broken the law.
posted by formless at 2:16 PM on March 19, 2012 [1 favorite]
Wow, I was actually kind of shocked how simple the first exploit was. They were calling GPG using a shell command with the filename of the upload as a parameter. insane
With the proliferation of absentee and early voting in the U.S, ballot secrecy is basically over if the voter chooses to show how they voted.
posted by delmoi at 2:19 PM on March 19, 2012
And the best reasons have nothing to do with computer security. If someone's voting online, you have no way of telling if someone else is standing behind them with a baseball bat.No different then any other vote by mail system. Not that security is easy but these guys didn't even know the first thing about running a secure setup.
Uh, what? By what method could you conduct vote by mail that would prevent that situation? (Or, alternatively, paying people to vote a certain way, and verify with them that the vote was cast as you wanted.)oneswellfoop: "If someone's filling out an Absentee Ballot, you have no way of telling if someone else is standing behind them with a baseball bat."Then you're doing voting by mail wrong. The solution isn't to move to internet voting.
With the proliferation of absentee and early voting in the U.S, ballot secrecy is basically over if the voter chooses to show how they voted.
posted by delmoi at 2:19 PM on March 19, 2012
But as most of the researchers are aware, the real problem isn't one of inadvertent flaws in the system. The problem is that most of these systems are purposefully designed to be black-box systems with no proper paper trail.I actually think they were just completely incompetent. If they had been competently programmed then exploits could have been a little more subtle and hard to detect. If you wanted to steal elections, it would make more sense to build a system that appeared to be hyper-secure, but actually had some hidden system that appeared innocuous that would let you change votes.
posted by delmoi at 2:27 PM on March 19, 2012
it looks like we'll be getting (limited) Internet voting here in .AU as an extension of the existing postal vote option.
I'm not sure how thrilled I am by this, but they at least seem to be talking the right talk as regards verifiability.
It was expected online voting would provide an alternative to current paper systems for remote, overseas and postal voters which are deemed more at risk than those cast at the polling station, as they are handled by people outside the electoral commission.
The system --- and indeed all voting platforms -- was not imprevious to hacking. Rather, it was designed to meet or improve on the current level of risk experienced by remote and disadvantaged voters.
Victorian Electoral Commission (VEC) electronic voting manager, Craig Burton, said the system was designed to return an accuracy rating of 99.35 per cent or higher chance of detecting any fraudulent, missing or damaged votes.
posted by russm at 3:54 PM on March 19, 2012
I'm not sure how thrilled I am by this, but they at least seem to be talking the right talk as regards verifiability.
It was expected online voting would provide an alternative to current paper systems for remote, overseas and postal voters which are deemed more at risk than those cast at the polling station, as they are handled by people outside the electoral commission.
The system --- and indeed all voting platforms -- was not imprevious to hacking. Rather, it was designed to meet or improve on the current level of risk experienced by remote and disadvantaged voters.
Victorian Electoral Commission (VEC) electronic voting manager, Craig Burton, said the system was designed to return an accuracy rating of 99.35 per cent or higher chance of detecting any fraudulent, missing or damaged votes.
posted by russm at 3:54 PM on March 19, 2012
delmoi: "By what method could you conduct vote by mail that would prevent that situation?"If it's important to you to guarantee that there is no coercion (and it should be), you don't allow unsupervised mail voting. Allow early voting by going to a civic centre or whatnot where you can fill in your ballot in private, seal it and have them mail it to wherever it needs to go. People with a legitimate excuse can receive a visit from a polling official who will accept the filled-in ballot*.
This is what's done in Denmark, which has about 85% voter turnout on average (and no, voting isn't mandatory or otherwise carries incentives) and quick, reliable voting results within hours of polling stations closing.
*) I realize that larger distances in the US make it less convenient / more costly to visit remote areas. Democracy ain't cheap.
posted by brokkr at 5:22 PM on March 19, 2012 [1 favorite]
brokkr - if I'm traveling outside my home country, and the nearest Australian embassy or high commission is 2 days travel away, am I disenfranchised?
posted by russm at 5:52 PM on March 19, 2012
posted by russm at 5:52 PM on March 19, 2012
If they had been competently programmed then exploits could have been a little more subtle and hard to detect
Plausible deniability
posted by empath at 6:41 PM on March 19, 2012
Plausible deniability
posted by empath at 6:41 PM on March 19, 2012
empath - have you ever seen the underhanded c contest? you can get plausible deniability without looking like a monkey...
posted by russm at 7:11 PM on March 19, 2012 [1 favorite]
posted by russm at 7:11 PM on March 19, 2012 [1 favorite]
To everyone saying pencil and paper is fine enough, what's wrong with providing something supplemental, especially for the people who may need it? Try voting in an area where the polling office is severely mismanaged and opens late in the day, if at all. Assuming you have a car and a 9-to-5 job, try making it to the polls in time to be able to go inside and vote. I can probably come up with worse case scenarios like voter intimidation and people driving by yelling obscenities at you and your children, but I'm too tired.
Sorry if I'm prejudging anyone, but when you blindly resist change you're also refusing to progress.
posted by Johann Georg Faust at 9:08 PM on March 19, 2012
Sorry if I'm prejudging anyone, but when you blindly resist change you're also refusing to progress.
posted by Johann Georg Faust at 9:08 PM on March 19, 2012
Try voting in an area where the polling office is severely mismanaged and opens late in the day, if at all. Assuming you have a car and a 9-to-5 job, try making it to the polls in time to be able to go inside and vote.
Or you could take a few tips from countries where, for example, polling places are managed and staffed by a central authority controlling the election, rather than leaving it up to local dimwits in every little town to come up with their own rules and bullshit. Never seen a polling place open late or close early in Australia.
You could also have your voting days on a weekend rather than a weekday. Revolutionary idea, I know...
posted by Jimbob at 11:26 PM on March 19, 2012
Or you could take a few tips from countries where, for example, polling places are managed and staffed by a central authority controlling the election, rather than leaving it up to local dimwits in every little town to come up with their own rules and bullshit. Never seen a polling place open late or close early in Australia.
You could also have your voting days on a weekend rather than a weekday. Revolutionary idea, I know...
posted by Jimbob at 11:26 PM on March 19, 2012
russm: "brokkr - if I'm traveling outside my home country, and the nearest Australian embassy or high commission is 2 days travel away, am I disenfranchised?"Yes. I fail to see this should somehow be a major problem.
posted by brokkr at 4:32 AM on March 20, 2012
Johann Georg Faust: "Sorry if I'm prejudging anyone, but when you blindly resist change you're also refusing to progress."You describe a severely mismanaged voting system, and your answer is to either throw technology at or circumvent it, rather than fix the problem?
What works very well in Denmark is to have representatives from all parties currently seated in parliament run the elections together (with administrative support from the ministry of the interior). Everybody has an interest in the election being run as fairly as possible and discovering if the other guy next to you is trying to skew the elections in his party's favour. Exit polls confirm vote counts within statistical uncertainty (except for the nationalist/populist party — whose voters won't own up to voting for them in exit polls — which is consequently under-reported in the exit polls).
Having electronic voting would enable you to check through a cryptographic hash that your vote was counted, but with the number of votes involved getting the count exactly right very rarely matters.
I am not "blindly resisting change". I am pointing out that pen and paper voting can work very well — this is known from multiple countries — and there are no immediate, major benefits to electronic voting. Indeed, it creates a whole host of issues you patently do not have with pen and paper voting.
posted by brokkr at 4:42 AM on March 20, 2012
Try voting in an area where the polling office is severely mismanaged and opens late in the day, if at all.
If the people involved with counting the vote do not fear or expect punishment, it matters not what is done to try and keep an election honest.
This cycle people who voted in Maine did not show up on the State tally.
This cycle in Missouri there has been the use of police to keep people out of polling locations.
posted by rough ashlar at 6:03 AM on March 20, 2012
If the people involved with counting the vote do not fear or expect punishment, it matters not what is done to try and keep an election honest.
This cycle people who voted in Maine did not show up on the State tally.
This cycle in Missouri there has been the use of police to keep people out of polling locations.
posted by rough ashlar at 6:03 AM on March 20, 2012
Just for yucks - got a cost figure you can put on these "needs"?
Yeah, that's a joke. I work for a large business-focused ISP and most of our customers don't do anything like that.
That is why I was asking for how much something like that actually costs.
I'll also note part of the response to the small business query was:
You hire a contractor or managed security service - actually, the outfit you hire to run your website does, and bakes the cost into their quote and/or monthly fee.
As a large business-focused ISP how much of this is 'rolled in' : trained IT auditors, and tested to within an inch of its life by both tiger teams and automated pen-test tools. You need configuration monitoring software to raise red flags when something leaves spec. (Most of the ISP world sure looks like it is run via phone calls say this is broken, lets go look!)
On one hand businesses on the Internet are to have DMZ firewalls, and if it did, it should have been stopped by the DMZ switch ACLs. Since a SSH session from a hostile network made it into the network, the network intrusion system should have been raising alerts all up in that business. Four pieces of equipment with a fatal misconfiguration. then later . A 5-10 user LAN is a cable modem and an off-the-shelf Apple Airport router (which comes with about as good a firewall as you need.) For an outfit that small, you don't even need a VPN
posted by rough ashlar at 6:23 AM on March 20, 2012
Yeah, that's a joke. I work for a large business-focused ISP and most of our customers don't do anything like that.
That is why I was asking for how much something like that actually costs.
I'll also note part of the response to the small business query was:
You hire a contractor or managed security service - actually, the outfit you hire to run your website does, and bakes the cost into their quote and/or monthly fee.
As a large business-focused ISP how much of this is 'rolled in' : trained IT auditors, and tested to within an inch of its life by both tiger teams and automated pen-test tools. You need configuration monitoring software to raise red flags when something leaves spec. (Most of the ISP world sure looks like it is run via phone calls say this is broken, lets go look!)
On one hand businesses on the Internet are to have DMZ firewalls, and if it did, it should have been stopped by the DMZ switch ACLs. Since a SSH session from a hostile network made it into the network, the network intrusion system should have been raising alerts all up in that business. Four pieces of equipment with a fatal misconfiguration. then later . A 5-10 user LAN is a cable modem and an off-the-shelf Apple Airport router (which comes with about as good a firewall as you need.) For an outfit that small, you don't even need a VPN
posted by rough ashlar at 6:23 AM on March 20, 2012
« Older miraculous and dream-worthy and mysterious | Eurovision Newer »
This thread has been archived and is closed to new comments
if a person is stopped from altering vote casting, preventing DoS attack is near to impossible. internet giant such google, amazon and twitter are still not DoS proof.
hackers know many zero-day exploits.
posted by johnstendicom at 12:55 AM on March 19, 2012