Argentina Rewards Programmer Who Exposed E-Voting Vulnerabilities With A Complimentary Home Police Raid
from the shoot-all-the-messengers dept
An Argentinian programmer who was trying to do a good thing in exposing severe vulnerabilities in the country’s e-voting system was rewarded for his actions — with a police raid on his home. According to Argentinian news outlet La Nación, Joaquín Sorianello informed MSA, the company than makes the Vot.ar e-voting system, that the SSL certificates used by the system to encrypt transmissions between the voting stations and the central election office could be easily downloaded, allowing for potential voting fraud (or just a good old-fashioned DDOS attack).
Sorianello, who says he never received a phone call from MSA after reaching out to the company to report the flaw, suddenly found his home being raided by Argentinian police, who seized computers, Kindles, and numerous storage devices (from a Google translation of the source):
“The truth is amazing, you notify the company that they have a failure in their voting system and the next thing they do is (raid my home) instead of looking for the real culprits…”I’m just a programmer, I’m not a hacker.” Sorianello told La Nacion that he contacted the police station in Caballito to corroborate the raid: “They said yes, but they could not tell me why or how it was going to take.” He also said he did not receive any call from the company (after having told them about the flaw a week) ago.”
Sorianello has pointed out to numerous news outlets that he’s a programmer — not a hacker, and if he had wanted to hack into the systems to cause damage, he certainly wouldn’t have informed the company of the flaw first. He’s also repeatedly pointed out that it was the protected @FraudeVotar Twitter account that published the core details of the e-voting internals, not him. That apparently didn’t matter to the Argentinian legal system.
This isn’t the first problem facing MSA and its e-voting technology, which is being used in Buenos Aires elections for the first time. Two weeks ago, the source code for the company’s Vot.ar technology was leaked to Git.hub. A number of researchers also discovered that a smartphone with NFC capabilities (pretty common at this point) could be used to create a specialized e-ballot, capable of tricking the system into counting a single vote numerous times. And this is all before you realize that in many instances, the technology Argentina is using just doesn’t appear to work very well:
“Earlier today, the Argentinian site La Pol?tica Online reported that 532 polling stations were unable to transmit their results electronically to the central electoral office, and had to be transported there physically for the 184,000 votes involved to be included in the final result. As the article points out, although this failure won’t change the outcome of the election for the head of local government in Buenos Aires, it will make a difference to the allocation of seats in the legislature and community boards.”
So not only is MSA’s e-voting system completely open to several vectors of fraud and attack, it works so damn well you need to physically move the machines back to the central office to count the tallied votes. Meanwhile, Argentinian locals are claiming that the same Judge that thought it was a good idea to authorize the police raid on Sorianello’s home, has also ordered Argentinian ISPs to block many of the websites where details on the e-voting flaws and source code can be found (like justpaste.it). Surely if you stop people from discussing the obvious flaws, the problem magically goes away, right?