Thursday, July 18, 2013

Student Election Hack – Is it a Bad Omen for Internet Voting?



Does the Cal State San Marcos class president election hack mean that Americans should fear Internet voting? Not if you think critically about it.

Facts:
Matthew Weaver, 22, pleaded guilty* to wire fraud, access device fraud, and unauthorized access to a computer. He was sentenced to a year in prison. His crime was to plug keylogging devices into 19 school computers. The devices record computer users' keystrokes without the users' knowledge. Thus he stole the email passwords of more than 740 students. He used this information to vote for himself 630 times during the online student elections in March 2012.

Votes had to be cast from campus computers. Network administrators noticed all the voting activity from one computer. They quickly notified school police, who nabbed Weaver in the act.

Implications:
This news report has fired up David Jefferson’s flair for spinning scary stories. He warns ominously, on the Election Law Blog, that “In a high stakes public election we will not be so lucky [as to catch the crook in the act].”

“Had this been a public election conducted via Internet voting, it would have been much more difficult to identify any problem or to capture the perpetrator, [because] people would vote from their own private PCs.”

Well, that is scary! But how would the crime be carried out? Consider how many votes a crook would have to control to win a presidential election. In 2012, Obama beat Romney by roughly 4,000,000 votes. As a comment below reminds us, to win a majority of Electoral votes, a hacker using Weaver’s technique would have to control tens of thousands of votes. Obviously, a guy like Weaver couldn’t run around plugging keylogging devices into that many computers to steal logon info. So, how would it be done?

Leaving his readers hanging, Jefferson skips any detailed discussion of how a crook could steal an online presidential, or other public, election.

Instead, he creatively imagines that if Weaver had “used one of his keylogging devices to capture the password of a system administrator” Weaver could have “then used that password to install keylogger software on other campus computers to capture the students’ passwords.”

Jefferson omits mentioning how Weaver would gain access to the administrator’s computer so he could plug in the device. Maybe Weaver could don a custodian disguise, and plug it in while pretending to clean the office.

Anyway, Weaver would have had to return to the office to retrieve his device so that he could take it home to download the password. 

Details aside, after Weaver installs his keylogging software into the school network, he has to hope that nobody checks the network event logs before the election. The logs would show the activity, and an alert administrator would remove the software.

Imagination on fire, Jefferson then declares that Weaver didn’t have to cast votes one at a time; instead, he “could have run a program to automate the casting of all of those phony votes.” Of course!

But wait, what if the voting website had a challenge/response authentication mechanism? Weaver’s voting program couldn’t copy words or add numbers automatically. All his efforts would have been for naught. But let us imagine that he could get past this little security challenge. The network administrator would still see the spike in activity coming from one IP address. That signal could be blocked, and could also be traced back to Weaver.
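The kind of check that would surface such a spike, as an added example that is not from the original post or from the school's systems: it counts distinct voter accounts per source IP inside a sliding time window, so a shared campus computer used by several students over a day is not flagged while a burst of many accounts from one machine is. The log format, the threshold, the window length and the sample records are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): timestamp, source IP, voter account.
SAMPLE_LOG = """\
2012-03-14T09:00:05 192.0.2.10 student001
2012-03-14T09:00:40 192.0.2.10 student002
2012-03-14T09:01:10 192.0.2.10 student003
2012-03-14T09:01:45 192.0.2.10 student004
2012-03-14T09:03:00 192.0.2.21 student101
2012-03-14T09:40:00 192.0.2.21 student102
2012-03-14T10:30:00 192.0.2.21 student103
2012-03-14T11:15:00 192.0.2.21 student104
2012-03-14T09:05:00 192.0.2.33 student201
2012-03-14T09:05:30 192.0.2.33 student201
"""

def parse_events(text):
    """Yield (time, ip, account) from whitespace-separated log lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2]

def peak_accounts_per_source(events, window=timedelta(minutes=10)):
    """For each source IP, the most distinct accounts seen in any sliding window."""
    by_ip = defaultdict(list)
    for when, ip, account in events:
        by_ip[ip].append((when, account))
    peaks = {}
    for ip, rows in by_ip.items():
        rows.sort()  # order each source's events by time
        active, start, peak = Counter(), 0, 0
        for when, account in rows:
            active[account] += 1
            # Evict events that have fallen out of the window.
            while when - rows[start][0] > window:
                active -= Counter([rows[start][1]])  # key is dropped at zero
                start += 1
            peak = max(peak, len(active))
        peaks[ip] = peak
    return peaks

def flag_sources(text, max_accounts=3, window=timedelta(minutes=10)):
    """Return {ip: peak} for sources exceeding max_accounts in any window."""
    peaks = peak_accounts_per_source(parse_events(text), window)
    return {ip: n for ip, n in peaks.items() if n > max_accounts}
```

With the defaults only 192.0.2.10 is flagged; widening the window to three hours also flags the shared machine at 192.0.2.21, which shows how much the result depends on tuning the window to normal use of campus computers.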

Lesson: 
Jefferson spins a chilling tale, but it requires his readers to suspend their critical faculties to be effective. Is that what you want to do?

PS
Good news! Obama’s Commission on Election Reform has posted my recent scholarly paper on Internet Voting!

The paper recounts the history of Internet voting in the USA, and shows how NIST has misled Congress and the American people about online voting insecurity. I take the same practical approach there that I did here in this blog post.

Also, my book, Internet Voting Now, is listed in the “Research Bibliography” provided to the Commission by Caltech/MIT.

William J. Kelleher, Ph.D.
Political Scientist, author, speaker,
CEO for The Internet Voting Research and Education Fund
Twitter: wjkno1

Author of Internet Voting Now! 
Kindle edition: http://tinyurl.com/IntV-Now

* ABC News -