The Details On How To Elect Futurama's Bender To Whatever Election Is Using Online Voting
from the bite-my-shiny-metal-ass dept
Back in October of 2010, we wrote about how some “hackers” had broken into a test of the Washington DC e-voting system, and had managed to have the system play the University of Michigan “fight song” every time people voted — University of Michigan being where the researchers (led by e-voting security expert J. Alex Halderman) were from. A day later, we discussed some more details of the hack, noting how just a tiny vulnerability could take down the integrity of the entire system.
It’s been a bit of time since then, but Halderman has released the academic paper they wrote about the experience, which is now getting some new attention, including the fact that, beyond playing the UMich fight song, they also installed their own slate of “fictional” candidates, including Bender from Futurama, who is presumably running on a Kill All Humans platform.
The full paper has some other interesting tidbits, as well, including the fact that they didn’t just hack into the e-voting machines… but also accessed the security cameras watching the e-voting servers, which were left open to public access. I’m not kidding.
These webcams may have been intended to increase security by allowing remote surveillance of the server room, but in practice, since they were unsecured, they had the potential to leak information that would be extremely useful to attackers. Malicious intruders viewing the cameras could learn which server architectures were deployed, identify individuals with access to the facility in order to mount social engineering attacks, and learn the pattern of security patrols in the server room. We used them to gauge whether the network administrators had discovered our attacks—when they did, their body language became noticeably more agitated.
Either way, the entire thing suggests just how insecure e-voting can be, and the paper suggests these are fundamental, systematic problems with any e-voting approach these days, rather than just a poor implementation.
Filed Under: alex halderman, bender, dc, e-voting, hacking, security, university of michigan
Comments on “The Details On How To Elect Futurama's Bender To Whatever Election Is Using Online Voting”
Hahaha I wonder how many people would’ve voted for Skynet & Bender that is so funny I would’ve just left it like that all the voting crap is a waste of time anyway atleast people could get some laughs out of it.
Holy major security fail Batman!
From the paper
Wow… just wow…
However, we found that the Paperclip Rails plugin used to handle file uploads stored each ballot file in the /tmp directory before it was encrypted. The web application did not remove these unencrypted files, allowing us to recover
them.
After about 3.5 hours using the cracker?s default settings, we recovered the secondary administrator password cisco123 from a salted MD5 hash.
When we inspected the terminal server?s logs, we noticed that several other attackers were attempting to guess the SSH login passwords. […] We realized that one of
the default logins to the terminal server (user: admin, password: admin) would likely be guessed by the attacker in a short period of time, and therefore decided
to protect the device from further compromise [..]
Typical “win project, contract it to the cheapest programmers” stuff..
I've been saying this for years
The problems with e-voting are not just at the implementation layer — although those are clearly numerous and catastrophic, as we’ve seen over and over and over and over again. There are also problems at the architectural and procedural layers, and those are even worse: at the moment, they remain unsolved.
Voting machine vendors have of course emulated Mohammed Saeed al-Sahaf, Iraqi Minister of Information in their denials of all this. They’ll continue to do so, therefore the gullible, techno-illiterate buffoons at the local/state/federal level will continue to waste hundreds of millions of dollars on equipment that not only doesn’t work, but isn’t going to work.
The best available solution to this problem remains one of the simplest: pencil and paper. It’s not glamorous, it’s not high tech, it’s tedious…but it’s also (if properly administered) very well understood and thus extremely hard to game. Given the important of election results, I think it’s completely acceptable to undertake the onerous task of counting ballots by hand, and equally acceptable to tell the public that it may take a week.
All of this security hardening on e-voting systems is great, but in terms of systematic problems, they are no different in paper voting (non e-voting). In terms of security, storage, transport, counting, etc. (wherever humans are concerned) will have similar systematic problems. It would be great to see a security team attempt to breach the existing non e-voting system. I think that would provide some very interesting results.
Hmmm, this Kill All Humans Platform seems more appealing than either the repubs or dems.
What would Stalin say?
Josef Stalin said:
Those who cast the vote decide nothing, those who count the votes decide everything.
I imagine today he might say something like this:
Those who cast the vote decide nothing, those who count the votes decide nothing, those who hack the votes rule the world.
From the paper
And that’s why good coders implement a “you must change your password” protocol on initial default login.
Re:
I disagree. The problems are similar, but the scale is different. With any computer-based program, it’s vastly easier to make bulk changes since you can use the power of the computers themselves to distribute the attack. In the real world, you would need a massive coordinated effort to achieve the same result. Ballot stuffing and similar electoral fraud techniques require many, many people in the right places to accomplish. Hacking can get much greater results with only one or a few people.
From the paper
“After about 3.5 hours using the cracker?s default settings, we recovered the secondary administrator password cisco123 from a salted MD5 hash.”
They should have just Googled the hash it would have been quicker than waiting 3.5 hours. Google the worlds largest rainbow table.
Re:
but in terms of systematic problems, they are no different in paper voting (non e-voting).
Ah, but they are different. It’s certainly true that there exists a class of problems which applies equally to both (for example: vote purchasing), but there are several large classes of problems unique to e-voting: architecture, hardware, software, network, for starters. Nobody has yet demonstrated the ability to build a system that’s even plausible secure and reliable, let alone one that has been shown to be so when confronted with clueful attackers.
Eight years ago, Bruce Schneier posted this chilling analysis: Stealing an Election. Here’s the money quote: So when designing the security behind the software, one must assume an attacker with a $100M budget.”
That was in 2004. What’s the number today? And what tiny fraction of that did the researchers involved here need to not just compromise, but utterly destroy the security of the DC setup?
A hundred million dollars may sound like a lot…but if you look at what’s ALREADY been spent in 2012 on just the US Presidential campaign, let alone all the Congressional and other races, you’ll see that it’s a bargain. There are people out there ready, able and willing to cut that check if it will buy them the results they want.
Re:
Yup, sad huh
Open Source the Design and Test Test Test
I would love to see an open source effort in this area. I agree with the above statement that even the pencil and paper system has issues. The goal of this suggested effort would be to make it more secure than pencil and paper, since it is probable that totally secure is an unreasonable goal.
I am suggesting that such a system be designed from the ground up, including all hardware, and all software being not only open, but available for inspection by anyone and patent free. Triple redundancy, special hardware firewalls, local DVD backups and all the ideas I have not thought of.
Then, put the system on the net and let everyone have at it for say a couple of years. White hat, black hat, gray hat, red hat, and purple hats with feathers. At some point the number of vulnerabilities will approach 0. Then let the statisticians do some calculating to determine the risk of this electronic system vs the paper and pencil (or any other system).
I may be accused of being overly optimistic, but I do think we can do better.
What would Stalin say?
Well, no because those that count the vote still make the final decision as to who won. Although it would be an interesting test. Hack the vote just to see the actual vote tallies as a way to determine whether any shenanigans are going on.
Open Source the Design and Test Test Test
Yes!
In short–the cryptographer’s dilemma: It is assured that YOU can design an encryption which you cannot break; but that in no way means it’s any good.
The only way to know if it’s good is to open-source it–feedback from one’s peers lays bare all the flaws in your design.
Without that feedback and perspective, you never quite know if you’re submitting a shiny polished turd or a shiny flawless diamond.
Mr. Bender, you have my vote!
I’ll even help you round up the humans!
benderama
From the wiki:
‘Bender often shows signs of sociopath-like behavior, as he is a pathological liar, and rarely shows empathy towards anyone. He has a mostly voluntary morality and constantly steals’
ONG, he is programmed for politics!
Re:
That was in 2004. What’s the number today?
Obama spent $1B as in billion on his election so my guess is the $10M figure is just the down payment.
Open Source the Design and Test Test Test
And before some AC jumps all over this by saying that if the code is open sourced then attackers only need to read the code to crack it I just want to add this.
Open source is, by and large, more secure by an order or two of magnitude to closed source as has been demonstrated over and over again.
E-voting can certainly do better but I’m firmly of the opinion that pencil and paper is far better.
Open Source the Design and Test Test Test
Open-source software is clearly a necessary prerequisite, but it’s not a sufficient one. To point out just one (of a great many issues): read the comment I posted which cites Bruce Schneier’s $100M number for the attackers’ budget. With that kind of money to throw around, attacks based on hardware are possible.
And it won’t matter what the code says it’s doing, if the underlying hardware is ignoring it.
What would Stalin say?
That’s actually only a loose translation. The actual, and I think better fitting, quote was:
I consider it completely unimportant who in the party will vote, or how; but what is extraordinarily important is this?who will count the votes, and how.
playing fair-- until they lose
I was all set to praise the BOEE for allowing a public black hat trial of their system — it’s the right thing to do in so many ways — until I got to this part:
‘The attack was apparently brought to officials? attention by an email on a mailing list they monitored that curiously asked, ?does anyone know what tune they play for successful voters?? Shortly after another mailing list participant recognized the music as ?The Victors,? officials abruptly suspended the public examination period, halting the tests five days sooner than scheduled, citing ?usability issues.?’
I would have had a hell of a lot more respect for them if they had cited “massive breach”. They were happy to hold a trial they were sure of winning, and as soon as they were beaten they went right into whitewash mode.
benderama
… not like it’d be a step Down.
Open Source the Design and Test Test Test
I believe I included the Hardware in open sourcing. Why yes I did.
The only part that would not be able to change is that part that goes over the Internet, though I think there are opportunities there with encryption and possibly multiple routings. I think that that part might be the greatest vulnerability, hence the suggestion for local DVD backup, which would be best done in real time. Then one could compare the write once read many DVD’s to the reported results to see if there are issues.
Open Source the Design and Test Test Test
But… this WAS open source, at least in part.
That’s what gets me. I think open source is essential for a system like this, but it’s clearly not sufficient. This trial was, in a sense, part of the open source process (and it turned out to be vital), but I’m wondering how such a leaky design made it this far.
Yet because the top vote machine manufacturer in the country gives generous campaign contributions to one party it’ll take some dead dictator like Adolf Hitler winning an election for politicians of both parties to realize that E-Voting is really bad idea.
Open Source the Design and Test Test Test
1. Read this — it’s Ken Thompson’s Turing Award acceptance speech (from nearly 20 years ago): http://cm.bell-labs.com/who/ken/trust.html
2. Think about its applicability here.
3. Consider that you do not have a wafer fab plant in your basement, so you can’t create the hardware, even if you know how and even if you really, really want to.
4. Consider how hard it is to find even an accidental bug in hardware, even when you’re working with open-source software. How much harder would a deliberate one be to uncover?
5. How do you know that this hasn’t already happened?
Open Source the Design and Test Test Test
Agreed. But I don’t think they designed the hardware for a single purpose which I think would make a big difference. Also, what would happen if they took the lessons learned, and re-wrote the software portion and tested again? And then repeated that cycle? If they went through, say 24 iterations of lessons learned and re-writing over a couple of years, could they not reduce the issues significantly?
Re:
I, for one, welcome our new robot masters.
I shall make myself useful and round up all useless members of society.
Starting with the RIAA and MPAA.
benderama
He’s a step up!
“Ah yes, John Quincy Adding Machine. He struck a real chord with the voters when he promised not to murder everyone.”
“Yes, but like most politicians, he vowed more than he could deliver.”
Re:
Don’t worry, Robin! The Bat Computer can analyze the system flaws in under ten minutes.
Then with my Bat System analyzer, I’ll be able to fix the flaws in twenty minutes.
Then with my Bat Hacker device, I’ll be able to break the hacking codes all around the world, Robin.
It will only take me an extra thirty minutes.
Open Source the Design and Test Test Test
I think I get your point about the Turing award speech, though I am not a programmer, and it is a bit over my head ( I have had some experience in Project Management with a large bank that had a great interest in security).
My thought process was to create a system that has a single purpose (record votes accurately) from the ground up (hardware and software and then seal the system from outside changes), which after reading this would include the compiler, and not in a vacuum.
They would need to keep the system to the simplest possible architecture to improve the ability to find issues. This would increase the possibility of having fewer bugs, intentional or not. The long testing process would give opportunity to find any unintended issues.
Once again, I do not believe that a totally error free system would come out at the end, but one statistically able to beat the paper and pencil system we have used historically, and most certainly better than the closed electronic voting systems hyped by the likes of Diebold.
Good news, everyone!
It’s really hard to not laugh at some of the comments in this article. Futurama quotes galore! I hadn’t gotten my geek/nerd site fix yet, I came here first and felt right at home.
Open Source the Design and Test Test Test
A few other things to remember:
1. Due to the loss of information that occurs when you separate the voters’ names from their ballots, there can never be a perfectly auditable or verifiable election.
2. You also have to protect the election from the people who are running it. There is very little defense against a corrupt admin. Measures that would purport to do so likely make the system unusable. The same is true for paper ballots.
Open Source the Design and Test Test Test
You’re certainly right that a design process focused on simplicity is the way to go; and certainly one that includes huge amounts of peer review would be highly desirable. Such an approach would absolutely beat the systems from Diebold et.al., but frankly that’s very, very low bar to clear: those systems are the kind of garbage that would earn a college sophomore a failing grade.
But…trying to best paper-and-pencil systems is much harder. These systems are difficult to game in part because of their inherent simplicity, but also because they’ve been around for a very long time, and thus have been subjected to all manner of attacks. Those attacks have been catalogued, studied, analyzed, and as a result there now exist robust procedures to defend against them. Could we develop those as part of the process of developing substantially stronger e-voting systems? Yes. But we haven’t yet, and if history is any guide, that development will take much longer than the development involved in the technology itself.
(As an analogy: we have all kinds of technology designed to facilitate pretty secure online banking. Yet people get phished all day, every day. Why? Because the procedures associated with the technology absolutely suck. And banks themselves are a large part of that problem.)
It’s great to see electronic voting articles on TechDirt. Please do more! Electronic voting has some of the dirtiest technology dirt around. Further reading:
http://siis.cse.psu.edu/everest.html
http://www.blackboxvoting.org/
http://people.csail.mit.edu/rivest/voting/
http://rangevoting.org/
With Robocalls confusing the electorate and easily hackable electronic voting booths, what’s next? An alcoholic robot running on a, ‘Kill all humans platform.’
Re:
C’mon. Batman hacks everyone else. He never gets hacked.
Open Source the Design and Test Test Test
You are correct, no system will be perfect. Banks have one big issue that keeps getting in their way. Profit. They make descisions based on what will cost them less, developing a more secure system, or eat the losses. Take away that motive and lots of issues fall by the wayside.
That idea, however, does not remove the issue of the (profit or control) oriented person or group. If cost is less of an issue, along with the peer reviewing, the typical three legged stool of developement becomes more balanced. (cost, features, deadline). The feature set would be fixed from the begining. The time element would be iterate until the statistics beat paper and pencil. The cost would be whatever it takes.
It takes the correct motivation, along with the other factors we have both mentioned. Spending a significant amount of time on defining the feature set, architecture, and design will go a long way towards making
it better.
Re:
But this is the Adam West Batman!
I've been saying this for years
Look, if the screen shows a reassuring green shield graphic, then the system is secure and democracy is safe.
Open Source the Design and Test Test Test
I just had another thought. If they write it in Assembly Language (aka machine code), they could forget the compiler altogether.
Of course that would mean digging up the few geeks left that could write it in Assembly. 🙂
From the paper
These aren’t “systematic flaws.” This is poor security implementation.
I've been saying this for years
What are the problems at the architectural and procedural layers?
I've been saying this for years
You answer this below.
Re:
Nothing is secure at the billion-dollar level?
I've been saying this for years
I like pen and paper voting, precisely because it is inefficient – the number of people that must be corrupted/bribed/threatened to have a significant impact on the result should be large enough that keeping it under wraps becomes very difficult.
Imagine a lone sysadmin with the power to alter the outcome of the elections?
One admin to rule them all…
Response to: Anonymous Coward on Mar 6th, 2012 @ 7:45am
LULZ
I've been saying this for years
Bingo. One reason that it’s difficult to subvert pencil-and-paper voting systems is that doing so requires a conspiracy, and conspiracies of sufficient size nearly always include someone who’s careless, stupid or boastful…which is why they unravel.
herve leger sale
Herve Leger nowadays has grown for being recognized internationally. http://www.herveleger-shopoutloud.net Herve Leger Dress New is all about new style of 2012. Herve Leger v neck dresses has owned every woman’s heart. Herve Leger Sleeveless Dresses will be the hottest item in this summer and Herve Leger Strapless dress can make you be the lightspot among the crowd street. Karen Millen is also specializes in women’s dresses, it make women look elegant and sophisticated.