DC Internet voting trial server totally compromised
Kudos to the District of Columbia for asking the public to test, and
try to hack, their new Internet Voting service during a public trial.
And kudos to them for recognizing that access to the source code
should not be restricted, especially for Internet voting. When voting
companies assert proprietary rights over black box Internet voting
software, there are still lots of insiders and reviewers with access
to both the code and to the voting servers (which by definition are
accessible thru the Internet). It also means that review of the code
is limited. The overall security is thus generally less.
Despite the short notice for the trial, as the experts predicted, the
system was indeed vulnerable. One flaw and a "brittle" design was
enough to give Alex Halderman's team from the University of Michigan
access to the machine, and let them replace the voted ballots with
their own, and compromise the privacy of the voters. They also found
other flaws which they haven't disclosed. An academic paper will come
out about it all.
The team signalled their hack to anyone who was paying attention by
putting the Michigan fight song on the final "Thank You!" page of the
voting process - a very nice touch. I noticed the hack before the
developers or the folks in DC did - they were puzzled when I asked
about it.
Here are the details we have so far - an easy read that is very
enlightening:
Hacking the D.C. Internet Voting Pilot:
http://www.freedom-to-tinker.com/blog/jhalderm/hacking-dc-internet-voting-pilot
I just hope that other jurisdictions contemplating Internet voting are
paying attention. The very least they should do is conduct a trial
that is more open than this one was, with more time and more
transparency and funding for some skilled red teams.
And of course securing the server is just one critical task, the
easiest. Attacking client machines (many of which are already
infected) and Denial of Service attacks are just about always
feasible.
It is natural to want to improve voting for the military and overseas
citizens, and the MOVE act already does that. But remember that it is
a much much harder problem than secure banking. That's because of the
need to preserve the privacy of voters and to prevent selling of
votes. Most states have finally learned that paperless electronic
voting machines can't be audited and are replacing them with systems
that include paper. Internet voting is just like a paperless machine
- it can't be trusted. Providing access to our ballot boxes for the
military via the Internet opens them up to attack by anyone in the
world and puts our elections at risk. For more information see this
explanation by the top experts:
http://usacm.acm.org/usacm/PDF/IB_Internet_Voting_UOCAVA.pdf
So the bottom line is - implement the MOVE act to enfranchise UOCAVA
voters. If you must, deliver the ballots online for speed to those
who can't get fast paper delivery. But get a voter-verified paper
ballot (via the postal service or the OVF "Express Your Vote" service)
so the election can be audited in a "software independent" way. The
votes of folks overseas should have the same protections as anyone
else's.
Neal McBurnett http://neal.mcburnett.org/