For the second day in a row, an apparent cyberattack took down the state of Maine’s website. A Twitter account with the handle Vikingdom2015 posted Tuesday morning that Maine.gov would be offline for more than five hours. Another post said other hackers helped make the website inaccessible. Service to Maine.gov was restored by 9:45 a.m. The outages lasted about 2 1/2 hours. On Monday, Vikingdom2015 took credit for knocking out Maine.gov for three hours.
Yesterday’s USA Today had an article entitled “Internet Voting ‘not ready for prime time.’” The story quotes Verified Voting as saying that there are about three million people eligible to vote online in today’s elections, most of them members of the military. Numerous security risks are cited that are inherent in Internet voting. Readers of The New American have often been warned about the dangers of Internet voting. For instance, the October 9, 2000 issue carried an article entitled “Voting on the Web,” in which readers were told of the dangers to electoral integrity due to the inherent insecurity of the Internet. … There are a great number of security weaknesses in Internet voting: no voter-verified paper audit trail, denial of service attacks, spoofing, eavesdropping by servers along the way capturing people’s passwords and enabling verification of vote selling, just to name a few. There are also security weaknesses in the user devices such as laptops or smart phones. They include key-stroke monitors, stored passwords, and many others. There are numerous special interests in both the United States and foreign countries for whom the outcome of our elections is of major importance. They have the resources to exploit these security weaknesses, and it’s well worth their investment.
A website built by volunteers to trawl through publicly available General Election Commission (KPU) data and conduct its own informal vote count came under attack from hackers on Thursday, according to the site’s founder — a day after it published data showing Joko Widodo in the lead. “Our team is fighting; there are only five of us against hundreds,” KawalPemilu.com founder Ainun Najib told news portal Tempo.co on Thursday. Ainun, a former International Math Olympiad champion, said the attacks began on Wednesday afternoon after news spread that the site had posted data showing Joko Widodo and running mate Jusuf Kalla ahead with just under 53 percent of the vote.
Markos Moulitsas of the Daily Kos recently published a commentary in the Hill claiming that “voting online is the future.” He also accused me of being against Internet voting because I want to “suppress” votes. That kind of ad hominem attack seems to always be the first refuge of those who are unable to argue substantively about a particular issue. I am against it because of the fundamental security problems presented by online voting and the fact that it could result in large-scale voter disenfranchisement. Moulitsas claims that creating a secure online voting system is “possible given current technology.” That is 100 percent wrong and shows how little he understands about the Internet or the voting process. You don’t have to take my word for it — that is the opinion of most computer scientists. In January 2004, a group of well-known computer experts issued a devastating report on the security of an Internet voting system proposed by the Pentagon for overseas military voters. As a result of that report, the project was cancelled. The vulnerabilities the experts discovered “are fundamental in the architecture of the Internet and of the PC hardware and software that is ubiquitous today. They cannot all be eliminated for the foreseeable future without some unforeseen radical breakthrough. It is quite possible that they will not be eliminated without a wholesale redesign and replacement of much of the hardware and software security systems that are part of, or connected to, today’s Internet.”
Sarong-clad anti-coal hippies have been marked as a chief threat to online voting at the election scheduled to take place in 2015 in the Australian state of New South Wales (NSW). The protestors are identified as a threat in a report penned by CSC for the NSW government. The Reg has seen a copy of the report, which suggests developers feared protesting farmers and fire fighters could launch an attack against New South Wales’ iVote online ballot system in objection to various coal mining projects across the state. “Anti-coal lobby groups could lead to the targeting of the SGE (state government election) in 2015,” the document read. The document also outlines scenarios in which protestors could launch denial of service attacks, knocking out the ability for 250,000 remote and blind users to vote online.
An online attack that delayed the results of the NDP’s 2012 leadership vote succeeded because it hit the party’s website, not the site of the company running the online vote, a company representative says. The voting that chose Tom Mulcair as the New Democratic Party’s leader was besieged by a “distributed denial of service” attack, which bombards a server with repeated attempts at communication to try to slow it down or crash it altogether. The process was delayed by several hours and left many delegates complaining they couldn’t access the site to cast their ballots. At the time, neither the NDP, nor Scytl, the company that provided the online voting service, would explain beyond saying it was a denial of service attack. But Scytl representatives now say the attack hit the NDP’s website and that its own technology was never compromised.
Canada: Liberals receive more than 1,000 calls from members, supporters who couldn’t vote online | The Hill Times
Liberal Party members and supporters had such difficulty with a complicated online voting system as the Liberal leadership election began over the past two days that the party had to beef up its telephone help lines to cope with a flood of calls, party members and campaign officials say. Campaign phone banks with Liberal MP and candidate Justin Trudeau’s (Papineau, Que.) campaign received more than 1,000 calls from supporters who could not complete the electronic balloting—in part caused by the sequence for entering day and month numbers for birth places by the company conducting the election for the Liberals—and as of Monday afternoon the Liberal website numbers for registered voters in each province did not match the total number of registered voters. The number of registered voters according to the site’s display of provincial totals—represented in a map of Canada on the page displaying the vote results—totalled 125,471. The number of votes cast showed at 37,856. But the aggregate total displayed in a separate line on the website cited a total of 127,122 registered voters.
In what is being touted as the first known cyberattack on a U.S. election, many mainstream news outlets are reporting on the approximately 2,500 bogus absentee ballot requests that were flagged as suspicious by Miami-Dade County’s absentee ballot processing software in last year’s primary elections. A Miami-Dade County grand jury investigated the incident and described it as: a scheme where someone created a computer program that automatically, systematically and rapidly submitted to the County’s Department of Elections numerous bogus on-line requests for absentee ballots.
Fortunately, the software had safeguards that verified IP addresses on the absentee ballot requests. That was instrumental in detecting this cyberattack, but the incident still leaves questions unanswered regarding the inherent insecurity of the Internet and why it should be used at all in the balloting phase of elections. There’s also the question of how many cyberattacks might have been carried out elsewhere or at other times that were not detected.
If online voting is good enough for the Oscars, why isn’t it good enough for public elections? A panel of experts assembled on Feb. 14 to consider whether the Academy of Motion Picture Arts and Sciences’ decision to capture votes online for this year’s Oscars means that technology has matured to the point where public elections can be held online. According to an article in The Hollywood Reporter, voting to determine who would receive a nomination for an Academy Award began Dec. 17 and ended Jan. 3. While a majority of Academy members registered to take advantage of the online voting option, the process was not without its snags. Many confessed to password trouble, while others worried about hackers jeopardizing voter intent. … David Jefferson, a computer scientist at Lawrence Livermore National Laboratory and chairman of the board for the nonprofit Verified Voting, outlined several major differences between private elections, like those conducted for the Academy Awards, and public elections. Public elections, Jefferson said, inherently have much higher standards for security, privacy and transparency. “Just because this works for private elections or is useful for private elections, we don’t want people thinking … it is appropriate for public elections.”
For the first time ever, this year’s Oscar winners were selected online. The Academy of Motion Picture Arts and Sciences decided to let its members vote online, but cybersecurity and elections experts say that casting Internet ballots in public elections is still a long way off. Even picking Best Picture winners led to serious snafus. The voting deadline for the Oscars was extended in early January after some members had issues with account registration (password requests were answered by snail mail rather than email). But in public elections, deadlines can’t be extended. A group of cybersecurity and elections experts last week reiterated the dangers of modeling public elections after private ones. Companies who design online voting systems for award shows or corporate shareholder meetings may suggest these systems can also be used in congressional or presidential races. Those claims should be met with skepticism, said computer scientist David Jefferson, chairman of the nonprofit Verified Voting Foundation. “There are major differences between private and public elections: the degree of security required, the degree of privacy required, the degree of transparency required,” Jefferson said in a telephone press conference Thursday. “In a public election we’re talking about a national security situation.”
City councillors are concerned Edmonton isn’t ready to move ahead with plans to introduce Internet voting in October’s civic election. Although staff have recommended allowing online ballots in advance polls next fall, members of executive committee questioned Monday whether the process is safe. “I’m not 100-per-cent confident in the security of the Internet and never have been, whether it’s my credit card information or my personal address or how I choose to vote,” Coun. Linda Sloan said. “Would that be something you want to put out there in cyberspace?”
Holding an election is complicated. Holding an election eight days after a historically significant disaster? Probably exponentially so. This is the circumstance in which the state of New Jersey will find itself tomorrow. Gov. Chris Christie has ordered counties to provide ways for people who have been displaced by Hurricane Sandy to vote in Tuesday’s election by fax and email. The system will follow in part a similar scheme developed for New Jersey residents serving overseas in the military to cast their ballots. To say that no one is going to be happy with the result, no matter what it is, is probably understating it. To the extent that the process is understood — it was at this writing still in the process of being implemented — it will work like this.
The source of the cyber attack that disrupted voting at the NDP’s leadership convention in March remains a mystery, and further investigation to find out who was responsible has been dropped. The NDP was the victim of what’s known as a distributed denial of service attack when thousands of members were trying to vote online throughout the day on March 24. These kinds of attacks result in websites crashing or slowing down because the server is flooded with bogus requests for access. Legitimate voters couldn’t access the NDP’s website to vote and organizers ended up extending the time allotted for each voting round, delaying the final result until hours after it was expected. Thomas Mulcair was finally declared the winner at about 9 p.m. Scytl Canada, the company contracted to run the voting, quickly detected what was going on soon after voting began that day and reacted accordingly. They were able to keep the voting going by increasing the system’s capacity and by blocking some of the bogus IP addresses. Scytl, an international company based in Spain, conducted a forensic analysis after the convention but came up dry when trying to pinpoint exactly who was behind the co-ordinated campaign. “They weren’t able to locate the ultimate source of where this was all programmed,” said Chantal Vallerand, acting director of the NDP.
Voting Blogs: Anchorage’s Ballot Shortages and Denial of Service Attacks in “Meat Space” | Election Academy
Recently, I wrote about the denial of service (DoS) attack on a Canadian party’s leadership election. In that post, I discussed election officials’ (and their vendors’) responsibility for hardening their systems against such attacks. Moreover, I said this responsibility exists whether the attack comes electronically or in the real world (aka “meat space” in the words of a programmer friend). Last Tuesday, municipal elections in Anchorage were somewhat chaotic – with ballot shortages across the city and many voters turned away from the polls. The problems appear to have been caused in part by an opponent of an equal-rights proposition who used email and Facebook to urge voters to the polls. Unfortunately, those appeals included incorrect information; namely, that voters could register at the polls and do so outside their home precincts. Alaska does not have election day registration, but rather requires voters to register 30 days before an election. The result was frustration as many voters visited numerous polling places in hopes – for some, in vain – of finding a ballot. The city clerk is investigating the problems and is weighing whether or not they could have been serious enough to invalidate the election.
An advanced cyber-assault that created chaos during the federal NDP’s election has been attributed to a specialized Web hacker who used over 10,000 PCs globally to slow the online voting to a crawl, vancouversun.com reported on March 28, 2012. According to Scytl Canada, the provider of the Internet-based balloting, a denial-of-service assault was deliberately unleashed with the objective of disrupting the NDP’s voting exercise on March 24, 2012. It was determined that the assault successfully clogged the channel of the voting mechanism, so voters had to wait a long time to gain access. The slowdown frustrated the party’s representatives gathered in Toronto.
The recent New Democratic Party convention in Toronto may have done more than just select Thomas Mulcair as the party’s new leader. It may have also buried the prospect of online voting in Canada for the foreseeable future. While Internet-based voting supporters have consistently maintained that the technology is safe and secure, the NDP’s experience — in which a denial of service attack resulted in long delays and inaccessible websites — demonstrates that turning to Internet voting in an election involving millions of voters would be irresponsible and risky. As voter turnout has steadily declined in recent years, Elections Canada has focused on increasing participation by studying Internet-based voting alternatives. The appeal of online voting is obvious. Canadians bank online, take education courses online, watch movies online, share their life experiences through social networks online, and access government information and services online. Given the integral role the Internet plays in our daily lives, why not vote online as well? The NDP experience provides a compelling answer.
Voting Blogs: “Nobody Goes There Anymore, It’s Too Crowded”: Election Officials’ Responsibility for Handling Denial of Service Attacks | Election Academy
Over the weekend, Canada’s New Democrats (NDP) conducted a vote for a new leader. The vote was conducted online so that registered party members could vote both in person at the NDP convention site and remotely from home computers or smartphones. Sometime during the second round of voting, the system slowed considerably, and eventually it became known that the system had likely been the target of a “denial of service” (DoS) attack aimed at clogging the system and thus preventing (or at least discouraging) voters from casting ballots. The NDP, its vendor and consultants have identified two IP addresses that appear to have been the source of the attack and are investigating now. The results of that investigation are still forthcoming, but in the meantime I wanted to focus on a discussion I saw online yesterday about whether and how NDP and its vendor should have prepared for the possibility of a DoS attack.
The company that ran the online voting system used to help choose the winner of the weekend’s NDP leadership race is now blaming several hours of delays on a “malicious, massive” attack on its voting system. In a news release, Barcelona-based Scytl said “well over 10,000 malevolent IP addresses” were used in a Distributed Denial of Service attack, which generated hundreds of thousands of false voting requests to the system. “We deeply regret the inconvenience to NDP voters caused by this malicious, massive, orchestrated attempt to thwart democracy,” Susan Crutchlow, general manager of Scytl Canada said in a statement. The attack effectively “jammed up the pipe” into the voting system, delaying voter access, the statement said. “This network of malevolent computers, commonly known as a ‘botnet,’ was located on computers around the world but mainly in Canada.”