Displaced NJ Voters Told To Email Ballot Requests To A Hotmail Account

from the you've-absolutely-got-to-be-kidding-me dept

The election day news is coming in rather fast today, but we're already seeing reports of voting issues. There are some viral videos floating around showing voting machines acting up. This, of course, can be added to the long history of voting machine nonsense we've written about in the past. But adding to the confusion is that a great section of the East Coast is still recovering from Hurricane Sandy.

You may have seen the news over the past few days that displaced New Jersey voters are being allowed to (sorta) vote via email. Or, rather, they would be allowed to vote via email if the state's election officials could manage to act like they know what they're doing. Instead, reports indicate large numbers of people have been unable to request ballots at the email addresses originally provided. This is causing frustration and confusion across the state, but the real absurdity shows up in Essex County.

Aware of the problems with the official e-mail system, Essex County Clerk Christopher Durkin suggested an alternative option: "Displaced voters can email a request for a ballot at cj_durkin@hotmail.com," according to a post on the Facebook page of the town of West Orange, NJ. Interestingly, security researcher Ashkan Soltani notes that Durkin's Hotmail address has his mother's maiden name as a "password recovery" question. This means that anyone who can figure out Durkin's mother's maiden name could seize control of his Hotmail account and intercept voters' official ballot requests.

I'll be clear in saying that I understand that the situation in New Jersey is a difficult one and I'm sure election officials there are simply trying to do their best under the circumstances. Unfortunately, Durkin's best appears to suck. You simply cannot put something of such importance (voting) in the hands of someone who can neither provide a working and secure email address for ballot access nor, at the very least, take the most trivial security steps on another email address. We all want every citizen to be able to have their voice heard, but not at the cost of massive security risks.


Reader Comments

  1.  
    Trails, Nov 6th, 2012 @ 12:45pm

    Missing the point?

    It's email. SMTP is sent in the clear, routed through a shit ton of servers, interceptable, unauditable, forgeable, and no access control.

    Saying he has a bad password recovery question is like complaining about a shitty lock on a house made of tissue paper.

  2.  
    ricebowl, Nov 6th, 2012 @ 12:58pm

    A fairly major assumption is being made...

    While the password recovery question may, indeed, be 'mother's maiden name,' there's no reason to believe the answer to the question is, in fact, his mother's maiden name. I know I have, essentially, nonsense (or at least non-sequitur) answers to email password-recovery questions.

    Still, I can't imagine any part of Hotmail (or any other webmail service) is inherently secure against interested parties.

  3.  
    Tyson, Nov 6th, 2012 @ 1:05pm

    Re: Missing the point?

    Yeah, who would bother just logging in to someone's account when you can just intercept all emails going to Hotmail.com?

  4.  
    Trails, Nov 6th, 2012 @ 1:23pm

    Re: Re: Missing the point?

    SMTP is not a secure communication mechanism (unless over VPN/SSL or contents themselves are encrypted by PGP or similar). There is no security in that type of exchange. "But it's all geek computer to computer stuff, so much easier to circumvent hotmail password recovery" might be true, but it's not like it's secure.

  5.  
    New Mexico Mark, Nov 6th, 2012 @ 1:39pm

    Re: A fairly major assumption is being made...

    You're right. In his case, the answer to "what is your mother's maiden name" is probably: "12345678" Fortunately, he has no problem remembering that since it matches his e-mail, workstation, and voting system management passwords.

    MUCH better. ;)

  6.  
    ltlw0lf, Nov 6th, 2012 @ 1:40pm

    Re: Re: Missing the point?

    Yeah, who would bother just logging in to someone's account when you can just intercept all emails going to Hotmail.com?

    Or intercept all email coming from ISPs in New Jersey, as that would seem easier (less drinking from the firehose.)

  7.  
    The eejit, Nov 6th, 2012 @ 1:44pm

    Re: A fairly major assumption is being made...

    The fact that it's to a Hotmail account should be the part that worries you. It's akin to bolting a stable door when there are no walls on the stable.

  8.  
    Anonymous Coward, Nov 6th, 2012 @ 2:36pm

    Re: Re: A fairly major assumption is being made...

    hey.. there are some kind of walls, or at least they pretend to be.

    as someone wrote above the walls are made of tissue paper. At the first rain or if someone starts pissing on them, they tend to develop holes and in a short while they allow the liquid to pass through.

    / :p

  9.  
    Anonymous Coward, Nov 6th, 2012 @ 5:10pm

    Hotmail? Fucking A!! Looks like I will be directing the entire state of New Jersey's votes to Ron Paul.

  10.  
    mematematica, Nov 7th, 2012 @ 4:19am

    Context matters but...

    "We all want every citizen to be able to have their voice heard, but not at the cost of massive security risks."

    Something inside me cried in agony the moment I read this sentence on a Techdirt post.

  11.  
    Pak Circles, Feb 18th, 2013 @ 8:35pm

    The idea of emailing ballot requests to a Hotmail account sounds really strange. What would happen if someone hacks the account?

