Alex Halderman's DC Council Testimony
I captured video from today's DC Council hearing of the Committee on Government Operations and the Environment.
Prof. Alex Halderman (Michigan), Susannah Goodman (Common Cause), Jeremy Epstein and Pamela Smith (Verified Voting) testified by yielding all their time to Halderman to speak to the technical challenges involved with internet voting and specifically the recent compromise of the DC Digital Vote-By-Mail pilot project that Alex' team was able to achieve. Alex' team included two of Alex' PhD students, Scott Wolchok and Eric Wustrow, Dawn Isabel (Michigan's Ethical Hacker) and Nadia Heninger, a PhD student from Princeton; I was an adviser to Alex' team.
This video is in raw form, so it's very big (318.2 MB):
http://dl.dropbox.com/u/8173121/DCCouncil-hearing-panel3-20101008.mov
(Here is a smaller version (153.1MB).)
I've done some paraphrasing of the key technical bits below.
Personally, as an adviser to Alex' team and as someone who was afraid that there would be no serious attack mounted during the test period, I couldn't have imagined a more successful demonstration of the technical challenges involved with fielding and defending an internet voting system. I have some thoughts that I'm writing up about what this test tells us from a policy perspective, but don't expect that very soon.
(I want to apologize for the beginning of the video capture where I'm looking at my twitter client without realizing that I'm capturing that over the video. Oh well.)
Interesting bits from the video
- Cheh: "Basically, you're a hacker, is that what we're to understand?"
- Alex: "No, I'm a professor of computer science."
Key new insights from Halderman, starting 9:01:
- Other attacks did go undetected.
- The Michigan team had been controlling and monitoring the routers and switches connected to the pilot network from the beginning.
- Access was easily achieved because a default master password, one that can be looked up in the owner's manual, had been left unchanged. It was a four-letter password.
- The team could watch in real-time as system administrators configured and tested the equipment.
- They could also watch staffers on camera, since the team found that the security cameras in the data center were on the same network as the testbed.
- 10:13: Alex passes out pictures from the cameras taken of people in the data center.
- The team could observe these system administrators as they entered passwords on the system as well as watch them on camera.
- This network-based attack amounts to a separate, second way to steal votes, etc. in a real election.
- 11:20: It became clear that the team was not the only ones trying to attack.
- While they were in control, they observed other attack attempts originating from Iran and China, attempting to guess the same default master password.
- They defended the network by blocking these attacks, adding firewall rules and changing the default password.
- Cheh: So, you changed the password of the BOEE system?
- Alex: Yes, of the pilot system.
- Alex does not feel that these were part of a targeted attack against the BOEE.
....
- 12:40: All these things could be fixed, but it's vastly more difficult to create a secure internet voting system.
- The crux is that there is no independent record of the vote.
...
- 14:05: it will probably be decades, if ever, before we can perform voting over the internet safely.
- Web security is a terribly hard problem.
....
- 14:34: Alex later examined the data they had collected, files left around on the server, and one thing was incredibly shocking.
- They had tested the file upload portion to make sure that files either too small or too large were not allowed.
- These files look like they were just files lying around on some BOEE computer.
- Some were simple single-page PDFs. One was the installation file for a Macintosh development tool.
- 16:16: One of the files Alex has with him: he pulls out a cardboard box and takes out a large document, looking like two reams of paper.
- This file was a 937-page PDF document... it appears to be the 937 invitation letters that each voter was sent to participate in this election.
- They examined the file metadata; the author of the file is Paul Stenbjorn.
- It appears that this may be the real thing.
- Alex found the document on the testbed server, a system that the BOEE invited people to break into and that the team did break into.
- We have no way of knowing who else has access to this.
- The PINs in these documents are the most critical secrets to protect these votes.
- If the digital ballot return had been used, a criminal could have used these to cast a vote for each voter and prevent them from voting.
- Why was this file on the testbed system?
- Alex is deeply concerned that the BOEE does not take security seriously and that it fails to appreciate the security challenges that are faced by any internet voting system.
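The metadata check described at 16:16 (reading the author field out of a recovered PDF) is the kind of thing a responder does with `pdfinfo` or `exiftool`; as an added example that is not from the testimony or from the Michigan team, here is a dependency-free version that pulls the Info dictionary straight out of the file's trailer. The PDF bytes below are constructed for this example (the names and dates in them are placeholders, not BOEE data), and the helper names are my own.

```python
import re

# Constructed minimal PDF for this example: a trailer whose /Info entry points
# at the document-information dictionary, which is where Author, Creator,
# Title and ModDate normally live in pre-XMP PDFs. Not a real voter file.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Author (Jane Doe) /Creator (Microsoft Word)
   /Title (Voter letters \\(batch 1\\)) /Subject <FEFF00500049004E0073>
   /ModDate (D:20100927120000Z) >>
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# "/Info 3 0 R": an indirect reference to object 3, generation 0.
_INFO_REF = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")

# "/Key (literal string)" or "/Key <hex string>" inside a dictionary.
# Literal strings may contain backslash-escaped parentheses.
_ENTRY = re.compile(rb"/(\w+)\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.S)


def _find_object(pdf: bytes, num: int, gen: int):
    """Return the body of 'num gen obj ... endobj', or None if absent."""
    pat = rb"(?<!\d)%d\s+%d\s+obj\b(.*?)endobj" % (num, gen)
    m = re.search(pat, pdf, re.S)
    return m.group(1) if m else None


def _decode_string(tok: bytes) -> str:
    """Decode a PDF literal or hex string; UTF-16BE BOM means Unicode text."""
    if tok.startswith(b"("):
        body = re.sub(rb"\\([()\\])", rb"\1", tok[1:-1])  # unescape \( \) \\
    else:
        body = bytes.fromhex(re.sub(rb"\s", b"", tok[1:-1]).decode("ascii"))
    if body.startswith(b"\xfe\xff"):
        return body[2:].decode("utf-16-be", "replace")
    return body.decode("latin-1")  # PDFDocEncoding is close enough to Latin-1 here


def pdf_info(pdf: bytes) -> dict:
    """Return the document Info dictionary as {key: text}, or {} if none."""
    refs = _INFO_REF.findall(pdf)
    if not refs:
        return {}
    num, gen = (int(x) for x in refs[-1])  # last trailer wins on updated files
    body = _find_object(pdf, num, gen)
    if body is None:
        return {}
    return {k.decode("ascii"): _decode_string(v) for k, v in _ENTRY.findall(body)}


def author_of(pdf: bytes) -> str:
    """Convenience wrapper: the /Author field, or '' when not recorded."""
    return pdf_info(pdf).get("Author", "")


if __name__ == "__main__":
    for key, value in pdf_info(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

This handles the plain Info dictionary only: object streams in PDF 1.5+ and XMP metadata packets are not decoded, and literal strings with unescaped nested parentheses will be cut short, so treat an empty result as "not found by this parser", not as "no metadata". An author field is a useful pointer back to the originating workstation, but it is trivially editable and on its own does not prove who produced a document or whether it is genuine.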