On Thursday, March 21, in the midst of Kentucky’s deliberation over allowing votes to be cast over the Internet, the daily poll of the Louisville Courier-Journal asked the readers, “Should overseas military personnel be allowed to vote via the Internet?” This happened the day before their editorial rightly argued against Internet voting at this time. One of the multiple choice answers was “Yes, it can be made just as secure as any balloting system.” This brings up the old adage, “we are all entitled to our own opinions, but we are not entitled to our own facts.” The simple fact is that Internet voting is possible – but it is definitely NOT as secure as some other balloting systems. This is not a matter of opinion, but a matter of fact. Votes cast over the Internet are easily subject to corruption in a number of different ways.
To illustrate this point, two colleagues, both former students, wrote simple software scripts that allowed us to vote multiple times in the paper’s opinion poll. We could have done this with repeated mouse clicks on the website, but the scripts allowed us to do it automatically, and by night’s end we had voted 60,000 times. The poll vendor’s website claims that it blocks repeated voting, but that claim is clearly not entirely true. We did not break in to change the totals. We did not breach the security of the Courier-Journal’s computers. We simply used programs instead of mouse clicks to vote on the poll website itself.
In one case, the script was a bash script that looped a specified number of times and issued a curl command. My colleague’s comment was:
I started by looking at the source code of the website, which is possible with any browser. The poll in question used a HTTP form to submit the result, and only using cookies to prevent duplicate voting. One quick Google search later, I was reading a website about how to submit form data with curl (a linux utility that allows you to send all kinds of HTTP requests from a shell). From there, it was a simple matter of tinkering with the curl command until it submitted the result I wanted, and then looping it to run a large number of times. Curl doesn’t store or use cookies unless you explicitly tell it to, so it avoided the poll’s duplicate voting system entirely.
In the other case, what we had was a simple HTML script to enter data into the web form, and the script was run repeatedly with iMacros in Firefox.
Full Article: Internet Voting Security: Wishful Thinking Doesn’t Make It True.