Submission + - DC Internet Voting attacked TWO ways
mtrachtenberg writes: University of Michigan Professor J Alex Halderman and his team actually had two completely separate successful attacks on Washington, DC's internet voting experiment. The second path in was revealed by Halderman during testimony before the District of Columbia's Board of Elections and Ethics on Friday.
Apparently, a router's master password had been left at the default setting, enabling Halderman to access the system by a completely different method than SQL injection. He presented photographs of a video stream from the voting offices.
In addition, he found a file that had apparently been left on the test system contained the PINs of the 900+ voters who would have used the system in November.
Others on the panel joined Halderman in pointing out that it was not just this specific implementation of internet voting that was insecure, but the entire concept of using today's internet for voting at all. When a DC official asked why internet voting could not be made secure when top government secrets were secure on the internet, Halderman responded that a big part of keeping government secrets secret was NOT allowing them to be stored on internet-connected computers.
When a DC official asked the panel whether public key infrastructure couldn't allow secure internet voting, a panel member pointed out that the inventor of public key cryptography, MIT professor Ronald Rivest, was a signatory to the letter that had been sent to DC, urging officials there not to proceed with internet voting.
Clips from the testimony are available on youtube at these links.
http://www.youtube.com/watch?v=LaR7n5PI_aE
http://www.youtube.com/watch?v=SDHtSU4qKzw
Apparently, a router's master password had been left at the default setting, enabling Halderman to access the system by a completely different method than SQL injection. He presented photographs of a video stream from the voting offices.
In addition, he found a file that had apparently been left on the test system contained the PINs of the 900+ voters who would have used the system in November.
Others on the panel joined Halderman in pointing out that it was not just this specific implementation of internet voting that was insecure, but the entire concept of using today's internet for voting at all. When a DC official asked why internet voting could not be made secure when top government secrets were secure on the internet, Halderman responded that a big part of keeping government secrets secret was NOT allowing them to be stored on internet-connected computers.
When a DC official asked the panel whether public key infrastructure couldn't allow secure internet voting, a panel member pointed out that the inventor of public key cryptography, MIT professor Ronald Rivest, was a signatory to the letter that had been sent to DC, urging officials there not to proceed with internet voting.
Clips from the testimony are available on youtube at these links.
http://www.youtube.com/watch?v=LaR7n5PI_aE
http://www.youtube.com/watch?v=SDHtSU4qKzw
