As we posited in our coverage yesterday of D.C.’s Internet Voting scheme which was hacked with the University of Michigan fight song just days after experts had warned against the entire scheme, J. Alex Halderman, asst. professor of electronic engineering and computer science at the university, was, indeed, at the heart of the hack.
He details tonight that he and a small team of students were happy to participate in the test that D.C. election officials had announced, with just three days' notice, inviting hackers to try to penetrate the system they planned to use this November, as developed with the Open Source Digital Voting Foundation.
Halderman writes in his explanation of how they did it:
And if you think that’s chilling, Halderman goes on to note that all cast ballots on the system were modified and overwritten with write-in votes, all passwords taken — including the encryption key, which e-voting supporters constantly suggest will keep such systems safe — before they went on to install a back door to let them view any votes cast later, after their attack, along with the names of voters and whom they voted for…
- We collected crucial secret data stored on the server, including the database username and password as well as the public key used to encrypt the ballots.
- We modified all the ballots that had already been cast to contain write-in votes for candidates we selected. (Although the system encrypts voted ballots, we simply discarded the encrypted files and replaced them with different ones that we encrypted using the same key.) We also rigged the system to replace future votes in the same way.
- We installed a back door that let us view any ballots that voters cast after our attack. This modification recorded the votes, in unencrypted form, together with the names of the voters who cast them, violating ballot secrecy.
- To show that we had control of the server, we left a “calling card” on the system’s confirmation screen, which voters see after voting. After 15 seconds, the page plays the University of Michigan fight song. Here’s a demonstration.
Halderman also notes what many of us have been trying to tell Internet Voting proponents for so many years: it’s incredibly difficult, if not impossible, to make the system secure…
Sounds like this Internet Voting thing for overseas and military voters, which has now been called off in D.C. as of last week’s hack, is as brilliantly thought out and executed as the electronic voting and concealed vote counting that nearly the entirety of the nation is currently saddled with at local polling places.
Halderman, as we also noted yesterday, was also behind hacking Pac-Man onto a Sequoia touch-screen voting machine last August, as well as on the Princeton team which initially hacked Diebold’s touch screen system with a vote-flipping virus back in 2006.
[Hat-tip @rickstah on the Twitters.]
UPDATE 10/6/10, 11:49am PT: Livermore National Laboratories computer scientist Dr. David Jefferson, writing on behalf of VerifiedVoting.org, comments on Halderman and Team’s successful hack of the D.C. Internet Voting scheme today by pointing out, among other things, that “effective defense” against such attacks is “virtually impossible”…
Let there be no mistake about it: this is a major achievement, and supports in every detail the warnings that security community have been giving about Internet voting for over a decade now. After this there can be no doubt that the burden of proof in the argument over the security of Internet voting systems has definitely shifted to those who claim that the systems can be made secure.
Jefferson also notes, among several other points very well worth reading, this one…
…and this one…
Want something actually worth being angry about “Tea Partiers”? How about the fact that your Congress has allocated millions of federal tax-dollars via the Military and Overseas Voting Empowerment (MOVE) Act to pay for these Internet Voting pilot project experiments which use real voters in real elections as guinea pigs to test this unoverseeable technology.
Want the self-governance guaranteed by our Constitution? Hint: When electronic, computerized systems are used to conceal vote casting and counting from public view — as is the case in virtually every election in the U.S., using the Internet or not — that ain’t self-governance.
UPDATE 10/11/10: New bombshell details released about the D.C. Internet Vote hack, including the revelation from Alex Halderman that Iranian and Chinese computers were also attempting to attack the system at the same time his team was. But that’s not all. Full explosive new details now here…

The corporate media has known for months exactly how this election will turn out. I’m voting absentee, which means my vote may count, but only if the results from the machines are close enough.
Um, how do you think those absentee votes get “counted”, HankyDub? (Hint: Same hackable computer systems using concealed vote counting as used on all the other ballots.)
Brad,
Does this not so-clearly sound the death knell for e-voting and any credibility that “open source” may have held for somehow being a security blanket? Yes, yes I know what I say may yet be a dream, but if I’m an Election official and you show me this, I’ll think twice on what my next election system will look like.
Paper ballots with paper trail matched exit polls.
Electronic voting with no paper trail does not match exit polls.
It’s annoying that we have to fight elections for our cause
The inconvenience of having to get a majority
If normal methods of persuasion fail to win us applause
There are other ways of establishing authority
Voting is now like the electronic crap shoot that is seen on electronic gambling machines. And we know who the winners are – the crooks.
So it was a SQL injection vulnerability?!! How amateur!
Mr. Halderman may not yet be aware of this, but he is going to go into the pages of American history as a great hero of his time. Finally. Point made. Can we stop this absurdity and have complete transparency in our elections so our votes don’t become cybertrash? Mr. Halderman and his bright students all get gold stars!!!!!!! and blue ones too!
The fools who keep complaining about people voting twice, dead people voting and all other improprieties in voting are so totally ignorant of the real problems with having our votes actually count.
Would be nice if the media actually did their job and reported on the hacking that can and most probably DOES take place when it comes to our votes the people would be up in arms.
Thanks for bringing this to our attention again. I’ve posted the latest info on our local newspapers forums area so more folks can get the info that I’ve been aware of for the last 4 years.
Thanks also for your work in investigating this flawed system!
Anyone who has worked with computers for any length of time knows that they can be manipulated to say anything you want, regardless of what is put into them. It’s a very easy thing to have the paper trail say the real thing, but the numbers say another one entirely. It’s a piece of cake, actually. To trust a computer to give the honest answer demands that the software be honest. If you can’t look at it, you will NEVER know the reality.
ANY computer program can be cracked. It’s part of the nature of programming, just like trying to keep people out of your house. If they REALLY want in, nothing you do will keep them out. Same thing with voting. The righties WANT to take over, and screw things up so badly that we will NEVER get back to a real country. They will do whatever they can to do so, and have been for 30 years. Too bad they can’t just be honest and let people decide for themselves.
racheal did an entire show last night from delaware trying to interview any1 from the odonnell campaign or any odonnell supporter from delaware…she couldn’t find one
according to the machine results she had over 30 thousand votes cast in her favor….but where or who are the people that supposedly cast those votes?
http://www.rawstory.com/rs/2010/10/dems-claim-chamber-commerce-soliciting-political-donations-foreigners/
altho velvet revolution didnt get credit…congrats on getting this info out there
keith o did a report about it last night too
I hope Bernie Sanders will notice this report!
In politics, if it can be crooked it is crooked. I have been sure for a year that the fix was in on this election by the way the MSM was reporting. This confirms my suspicions. Get ready for a Teabagger, Bible trash landslide.
the following is a copy from blackboxvoting.org
bev says,
Brad, you are my hero, too.
KarenfromIllinois!!~ (@ #10 & 11) I thought of you *immediately* when I saw that last night / was wondering the exact same thing.
That was a fascinating Maddow report. Not only couldn’t she find ONE in state, registered O’Donnell voter, but she completely un-did the “conventional beltway wisdom” (false narrative) that is usually repeated ad nauseam to explain away impossible numbers.
That makes me optimistic Rachel will re-air / or re-investigate that if the election turns out wonky.
That said, I was very excited then subsequently disappointed when one of the citizens of Delaware pointed out to her that she was giving Christine O’Donnell way too much air, and Rachel was completely dismissive and laughed it off; muttered the ol’ “how can you blame me when…?” response which is exactly the response I get when I write letters to the progressive outlets (and friends) to point out the very real effects of their non-stop, round the clock TEABAGGER coverage.
Maddow laughed off a very serious threat, a really important point, and her own culpability on the matter. Worse, she did so under the guise of it “being too much fun” *not* to report. Giving her credit for her honesty, but I’m very upset that she can’t (or won’t) exert enough journalistic control to stop doing it.
I forgive Rachel this (major) transgression because her excellent reporting on a host of other under-reported issues makes up the better balance – but that really, really really pissed me off.
The “suggestion box for slaves” model of societal organization is inherently flawed and insecure. There is no system on earth that can protect the suggestion box from the predations of fellow slaves who are tasked with counting the votes. Offloading this responsibility to a machine does not fundamentally change the problem; it merely extends the power of a handful of slaves to corrupt or uphold the system over what was erstwhile a large and complex task requiring many more slaves and giving each less power. The proportion of corruption is bound to be the same, though with the statistical anomalies of smaller sample sets being more apparent in the short-term.
The root of this issue is not the machine, nor is it the conscience of the slaves; it is the obsession with the keeping of one group of people for the personal benefit and exploitation of another. As long as this model is pursued corruption and evil are inherent, as there is no scenario, however benevolent, where the power to commit violence with impunity is inherently moral or sane.
yes jeanie,just like there are not enough signatures in shelby county to account for the republican votes…there dont seem to be enough supporters in delaware to account for odonnells win..i was also amazed by racheals reporting and showing all those seniors(that supposedly support repubs) very vocally backing the democrat nominee
on ur second point, while some neo cons get too much air time and exposure, i do feel it is the medias job to tell about the nutty crap odonnell has come up with….that she lied about having a high security clearance, that she thought she was a witch, etc
now keith o did like a 7 min thing with a fake clown and a fake witch..that i thought was a waste of evry1s time but just listing the craziness that comes out of these tea party peops mouths is news
Brad: While I realize this hack was directed at an internet voting system, is there any reason why the central tabulators of any and all e-voting systems, whether DRE or optical scans, could not be subjected to a similar hack by anyone with access to the system?
There’s one thing to keep in mind about the election-fraud epidemic:
THE DEMOCRATS LET IT ALL HAPPEN!!
These problems have been known since 2000, and there has been abundant evidence of fraud every election since then, but nothing significant has been done about it.
Protest the election fraud: Vote Green Party!
Brad –
Thanks for a great story. So much so that I reposted in summary on my own blog http://www.geekablog.com with a link back to you for the full story. People always assume we geeks are always in a blind rush towards newer technologies, but it’s not true, and it’s great to see not only the invitation to try and hack the system, but the fact that the results bear out what we all already know. Electronic voting technology is not ready for primetime!
Bravo to Prof. Halderman and his team! And they especially make the rest of us geeks proud with the (let’s face it, it’s funny) insertion of the fight song to play on the machines. Yes, it’s a serious subject, and a serious situation, but damn! it’s funny to imagine those machines babbling like one-armed-bandits after every vote 😛
Speaking of election irregularities, see the latest posts in “Commoner,” about the state of Washington’s September 14th, 2004 primary: http://partyofcommons.blogspot.com