Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Hackers Invited To Crack Internet Voting

Posted by samzenpus on Wed Apr 18, 2007 09:43 PM
from the I-wonder-what-will-happen dept.
The Internet Security
InternetVoting writes "The Philippine government and the International Foundation for Electoral System will be soliciting hackers to test the security of of their Internet voting system that will be tested in an upcoming pilot program." From the article,"Local and foreign computer hackers will be tapped to try and break into an Internet-based voting system that will be pilot tested by the country's Commission on Elections (Comelec) starting July 10."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Hackers Invited To Crack Internet Voting 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • So... (Score:3, Insightful)

    by Anonymous Coward on Wednesday April 18 2007, @09:47PM (#18792473)
    they got a formal invitation this time?

    I'm sure all the REAL hackers will RSVP.

  • What if (Score:5, Funny)

    by killa62 (828317) on Wednesday April 18 2007, @09:56PM (#18792557)
    1. Find bug
    2. Don't report it
    3. ????
    4. Profit!

    • Think they have not thought about that? (Score:5, Insightful)

      by WindBourne (631190) on Wednesday April 18 2007, @10:11PM (#18792713) Journal
      Almost certainly, they are recording ALL the packets that travel across the line as well as checking the state of the system. And if not, then they deserve what will happen. And if it is on a OSS platform, then they will be able to modify the kernel so that it gives more info during the cracking attempt.
      • What if it get's slashdotted?
        • The system sitting in front of it (probably with a hub or via a broadcast) can record the traffic and then replay it at a later time. In fact, they can (and probably will) replay the data against the system as it comes from 1 connection at a time. This way they can see who is doing what. As to a /.ing, assume that it happens. Then it means that they have a LOT of work to do.

    • Re:What if (Score:5, Insightful)

      by quanticle (843097) on Wednesday April 18 2007, @10:29PM (#18792941) Homepage
      Two words: honeypot system.

      The way I would do something like this is to put the voting system inside a fully monitored and logged virtual machine. Then I would open it up to hackers, knowing that all changes to the system state will be logged and can be scanned for malicious actions.

      • Re: (Score:3, Funny)

        by Anonymous Coward
        Madness...? This IS PHILIPPINES!

      • Re:What if (Score:4, Insightful)

        by mackyrae (999347) on Wednesday April 18 2007, @11:42PM (#18793535) Homepage
        I think they're trusting that more than one person will notice it. With OSS, we know that it's possible someone will find a security bug and not report it because that would benefit them. We also figure that there's a high enough probability of someone else noticing too that the first person's secrecy will be nullified anyway. With the people who pay for each issue you find, the hacker has a better shot at cash through trying to report it first than through hoping nobody else does.

      • Re: (Score:2, Insightful)

        by fred911 (83970)
        "That could possibly give them the power to take over a country, or receive some big payments from a political party who would really like to win"

        Sounds like a diebold system to me.
        • So, explain to me how this would work, with thousands of legitimate users, and tens of thousands of illigitimate users, many of which may be successfully posing as legitimate users. Remember, if they can just "post" more votes than phillipines has people, then the whole thing is proved invalid.

  • What a dumb idea (Score:3, Insightful)

    by EmbeddedJanitor (597831) on Wednesday April 18 2007, @09:57PM (#18792585)
    What they want is to be able to say:"We got the best hackers on the job and nobody could hack it".

    Of course any hacker with intentions of being a naughty boy is not going to show up and (a) make himself known or (b) reveal the holes.

    • Re:What a dumb idea (Score:4, Insightful)

      by TodMinuit (1026042) <todminuit&gmail,com> on Wednesday April 18 2007, @10:21PM (#18792845)
      Of course any hacker with intentions of being a naughty boy is not going to show up and (a) make himself known or (b) reveal the holes.

      But freelance security professionals and security companies looking to make a name for themselves will.

      • It actually surprised me (Score:5, Interesting)

        by grahamsz (150076) on Wednesday April 18 2007, @11:03PM (#18793249) Homepage Journal
        But someone I did some consulting for years ago had a PC security product that they claimed was unhackable. It was some disk arrangement where the OS could write to the disk, and those sectors would be saved in a scratch table so that when you rebooted the machine it reverted to its original state.

        They took it to one of the big conventions and had a briefcase with $10k in it for the first person that could make a permanant change to the disk without opening the case. Guys showed up with their own latex gloves so they wouldn't leave prints and one managed to come up with the proprietory vendor unique command set for the particular drive model that was in the system.

        I don't think that was really the sort of adversary that they expected would show.
    • I think this is dumb for another reason. Internet voting is heavily flawed.

      What's to stop someone from controlling/buying other people's votes? In a normal election you vote alone and secretly. Online it's very easy to have someone guiding/controlling your mouse.

      What happens when you're raised in a house that always votes for X but you want to vote for Y?

  • Update (Score:5, Funny)

    by Aqua OS X (458522) on Wednesday April 18 2007, @10:01PM (#18792621) Homepage
    Posted by samzenpus on Wednesday April 18, @10:43PM

    "The Philippine government and the International Foundation for Electoral System will be soliciting hackers to test the security of of their Internet voting system that will be tested in an upcoming pilot program."

    UPDATE:
    Posted by samzenpus on Wednesday April 18, @10:53PM
    Internet voting has now been cracked.

  • Phillipine Election 2008 Headlines: (Score:5, Funny)

    by Organic Brain Damage (863655) on Wednesday April 18 2007, @10:02PM (#18792633)
    Ferdinand Marcos elected for another term as President with 3,000,000,000 votes. Runner up, D4v1d 3. P3t3rs0n had only 2,000,000,000 votes. Second runner up, Nikolay Sokratov from St. Petersberg had 1,5000,000,000 votes and the remaining 10,000,000,000 votes were split among 1,000,000,000 minor party candidates.
    • Marcos is going back [wikipedia.org] about 4 presidents. And, now that they have a new constitution [chanrobles.com], don't imagine that the Philippines is any different to any other country's system of a one party state posing as a two party state...take your pick between Christian-Muslim Democrats [wikipedia.org] and the republicans [wikipedia.org] or to put it literally, "Struggle of the Patriotic Filipino Masses". All the same really...
    • 1,5000,000,000 votes

      Wow...the system has already been cracked and the formatting system altered...fast work!
      • You know, I can completely see him starting off his show, on a makeshift throne, with a crown on his head and a scepter in hand, declaring himself "King of the Philippines".
  • for handing out wads of cash to the poor to get them to vote a certain way come elections

    200 peso notes famously become scarce before elections

    no need to hack the system to alter the vote, just keep buying the votes

    the philippines is a beautiful land, with beautiful people... and a corrupt political establishment, it's a sad commentary on corruption the philippines, the vote buying
    • as people vote in their own self-interest.

      Whether that self-interest is 200 Pesos thrust into their hand as they walk into the booth, or 200 Pesos less tax paid due to new tax system voted in doesn't make much difference.

      Actually the more I think about it - In the Phillippines the cash seems to be given to you by the politician if you promise to vote for them. In the 'democratic West',we get nothing for our vote apart from the promise from the politician. Personally I'd prefer to see the cash in my hand, ra

    • the philippines is a beautiful land, with beautiful people... and a corrupt political establishment, it's a sad commentary on corruption the philippines, the vote buying

      In the context of corruption, perhaps this will be handy, Reverse engineering corruption [nytka.org]. The essay has quite a few hidden references to Slashdot subculture [wikipedia.org].

      • When you vote for our candidate, the voting machine automatically direct deposits PHP200.00 to your bank account.

  • If you get in... (Score:3, Funny)

    by Anonymous Coward on Wednesday April 18 2007, @10:12PM (#18792731)
    ...make sure to add n+1 votes for CowboyNeal!

  • I live in the Philippines... (Score:3, Insightful)

    by RuBLed (995686) on Wednesday April 18 2007, @10:32PM (#18792967)
    Seriously, nothing to see here, move along...

    On a related topic = I can't believe our Comelec is advertising this thing, a few months ago they don't even have a feasible electronic voting solution. I remember that they got a "Diebold" like deal for use in the last national elections but we know that the expensive machines had been now rotting in warehouses (and never had seen the light of the day, that makes Diebold more succesful). There are even local programmers/firms who are willing to "donate" their services just to make the election electronic but I guess that did not work out.

    And I still don't have that promised "Electronic Voter's ID" when I registered at 18 (I'm in my 20's now). Now, how could they validate if I am the one who had casted my vote.. Hmmm...

    As I said, nothing to see here.. move along.. I'm going to make some coffee...

    Regards,
  • the problem is the internal hackers, like the diebold tech who has testified before congress that he was told by the VP to override the machine's security and install "unauthorized patches" without alerting the polling officials.

    i dont know many people outside the phillipines who get up every morning saying "i really have a stake in rigging the phillipine election this year".
    • Wait, wasn't that on an episode of Numb3rs? Are you getting reality and TV confused? Or am I...? -ponder-
      • Senator Clelland, Georgia. War vet, hero amputee. Ahead in polls by large number days before election in race with draft dodger who impugns Clelland's patriotism. Weasel somehow wins by small margin.

        That is a rigged election. I'm not a scientist, so I can state the obvious. Someone flipped the switch. And there are so many others, with margins so slim that recounts are not automatic and therefore expensive. And the few recounts that have occured have Diebold techs cherrypicking districts to recount that mat
  • "Ok, boys you know what to do. Explore the weaknesses look around and give a thumbs up. Come election time we go for gold"
  • This is black box testing with dubious motivation for the attackers.

    The right way to do this is to publish everything and pay people like Adi Shamir and Ross Anderson for blocks (big blocks) of consulting time. Even that's futile without the will and the budget to fix problems -=>WHEN<=- the security people find them.

    What they're doing is a good way to get headlines and to impress the impressionable. It's not a good way to make sure a system is secure.
  • I understand that any electronic voting machine, if hacked, can completely invalidate an election. Therefore the only way to make a voting system credible is to encourage the public to develop, and crack it.

    I personally think the OSTG, FSF, or some other open source advocacy group needs to start an open source, high profile, project to create an "uncrackable" solution for electronic voting. I know uncrackable is unobtainable, but there is a level where physical access to internal components is required to
  • How much is the reward for cracking it? Or is there none?

    Either way, if it's less than what someone running for president can give you, then creating problems for themselves :D

  • 100% foolproof guaranteed exploit (Score:4, Insightful)

    by Builder (103701) on Thursday April 19 2007, @02:46AM (#18794715)
    1. Go to relatives house
    2. Hold gun to their head and insist that they vote for who you tell them to
    3. Watch them cast the vote
    4. Tell them that you will kill them and their pet rabbit if they tell anyone
    5. Win the election

    Sadly, that is a problem that will always exist if people aren't voting in a private cubicle in a public place.

    After the recent postal voting in the UK, it was found that many heads of families coerced the rest of the family into voting a certain way. That just can't happen in a private cubicle where you can always lie to dad later, but vote for who you want to now.

  • Procedural comparison (Score:5, Insightful)

    by Random BedHead Ed (602081) on Thursday April 19 2007, @04:35AM (#18795233) Homepage Journal

    How things work outside the United States:

    • Government announces plan to implement a voting system.
    • Government devises detailed plan for a system, working with experts in field.
    • Government runs pre-launch plan for rigorous testing of system reliability. Experts invited to oversee tests.
    • System implemented, possibly with modifications based upon lessons learned in testing.

    How things work in the United States:

    • Government announces plan to implement a voting system.
    • Industry lobbyists head to Washington. Meet with lawmakers, attempting to steer business toward their sponsors.
    • Dinners held, bribes exchanged.
    • Select lawmakers refuse to give in to lobbyists, are denied funding for upcoming campaigns, lose next election. Most capitulate, are re-elected.
    • Revised bill reintroduced. Spending increased by a factor of 10.
    • Experts review bill, criticize flaws, are ignored. Who needs 'em?
    • Bill to implement system passes. Includes provision allowing NSA to nuke a US city without prior oversight if it finds suspicious activity in said city. Pre-absolves president of guilt for said annihilation. Also includes subsidy of corn processing industry in midwest, tax breaks for plastics industry executives. Last-minute rider added to provide additional funding for superhighway from Mexico to Kansas (now standard in all bills), and provide funding for evangelical law school that advocates a new wars to prevent the coming of the Antichrist.
    • President signs bill in televised ceremony. Pen used to sign bill is framed.
    • System implemented with no modifications. Massive failures nationwide.
    • Experts point out that they predicted failures, are ignored again. Who needs 'em? Industry spokespersons call experts 'communists trying to undermine the free market,' deny there are any problems. Evening news ignores story, focuses on a recent celebrity divorce.
    • Lawmakers vow to raise new spending bill to correct problems. Lobbyists return to Washington ...
  • The real problem of Internet Voting isn't that you can hack the system. Even if you have an unhackable system, Internet Voting is still a bad idea.

    In a voting booth, you can put your vote wherever you want, even if someone bribed or threatened you or your family to make you vote his way. You can put your mark somewhere else, nobody will know.

    At home, your vote can be checked before it's sent.
  • It seems that with things like this, they usually fall because the programmers are either incompetent or lazy, and do not write code that is secure by design. Because of that they are scared stiff that someone will get a peek at the source code and find their sloppy hacks, identify careless assumptions, or discover that the outwardly formidable security is based on a model with a difficult to fix design flaw.

    So they should publish the source code to the machines. There's nothing like a good public mugging

  • WRONG. Q: Can it be manipulated by insiders? (Score:3, Insightful)

    by Catbeller (118204) on Thursday April 19 2007, @09:14AM (#18797451) Homepage
    Wrong question, a straw man. The problem isn't outside hackers playing with the system, but political insiders who have full access to the machines and code inperceptibly changing elections and the voting logs. A hacker may not be able to change an election, but a fully vested operative in the voting machine company can. Want a real test? Give the testers full access to the machines from soup to nuts. All code, accumulators, logs, access to the paper trail printouts, the works. NOW can they change the election?

    Yes. Always, untraceably, if you can manipulate the traces.

    This test they are running is worthless. They are playing to the myth of the superhacker, master of all crimes. The problem with evoting is that the evoting system programmers own the democracy, and you cannot test for that.

    These evoting systems are the answer to the question: how do we fix elections without anyone noticing, or even understanding the system so that they notice that we can? The paper systems are foolproof, if done correctly, as in Canada. Those systems aren't broken. So we are fixing an uncrackable system for one that is cracked by design.

    People. Someone is really determined to own democracy. Follow the money.

    • 0wn th31r machines and figure out how to make sure the Boss isn't in the room telling the v0t3r how t0 v0t3!!!

      Whoever modded this as troll missed an important point: no hacking/counterhacking measures will prevent voters being influenced by their bosses or bribed or forced to vote by abusive spouses, yada, yada, yada, you get the point.

      Unless of course the e-voting procedure requires a signoff from a trusted third party who assures that the voter isn't showing their vote to their boss /person who paid t

      • I would like to know what's so seriously wrong with Paper ballots counted by people that we want to abandon them? People have used this system for hundreds(?) of years, without too many problems. I would like to know why so many places are trying to move to more expensive, more complex, less secure means of voting when a better method already exists. I'm all for using computers where they have a place, such as things like filing taxes, but I fail to see the need for computers in voting. It doesn't speed

        • Re:Hey mods, supress your knee-jerk reaction (Score:4, Insightful)

          by skarphace (812333) on Thursday April 19 2007, @10:17AM (#18798519) Homepage

          I would like to know what's so seriously wrong with Paper ballots counted by people that we want to abandon them? People have
          2000 Florida, USA is one example.

          I would like to know why so many places are trying to move to more expensive, more complex, less secure means of voting when a better method already exists. I'm all for using computers where they have a place, such as things like filing taxes, but I fail to see the need for computers in voting.
          You just answered your own question. It's exactly like taxes. It keeps you from having to go somewhere or mail something out to get (taxes/voting) done. This'll allow people to vote from work, take 5 minutes at breakfast to place their vote before leaving for work. All kinds of good reasons for the voters.

          It doesn't speed up the counting process.
          Oh yes it does. Tabulation takes seconds instead of days/weeks/months. You only have to do a hand count if it's challenged.

          It doesn't make it any cheaper.
          Yes it does. Computers are cheaper then people.

          And it doesn't put any extra security into the system.
          Now this is the #1 argument against electronic/internet voting. This is also the reason I'm still on the fence about the whole thing. There are many benefits but if all it accomplishes is to allow people to rig elections easier, then it's not worth it. Until they start paying more attention to the security aspect, I'm staying on the fence.
    • The Phillipines is not a rich country. This is an opportunity for people to get their skills noticed and add to their resume.
    • Well, when you've got the money to hire BOTH Itallian leg-breakers, and a German hit-squad, then you get a little respect.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.