BY DYLAN CINTI
Daily Staff Reporter
Published October 7, 2010
It was 3:30 in the morning, but J. Alex Halderman was a long way from sleep.
More like this
And despite the fact that he was in his University office, Halderman was also a long way from his day job as an assistant professor in the College of Engineering.
At that moment, Halderman had taken on a very different role — that of a computer hacker.
In a story that has been widely reported this past week, Halderman and two of his Ph.D. students successfully hacked into the pilot site of an internet voting system in Washington, D.C.
As part of their hack, the small group programmed the system to play “Hail to the Victors” after each vote was cast. And as a result of the group’s efforts, the site — a trial for a system that would have allowed overseas voters to cast their ballots online in the upcoming November elections in the nation’s capitol — was shut down and the voting system axed.
Interviewed yesterday, Halderman and one of his students — Eric Wustrow, a Ph.D. candidate in computer security — explained how they pulled it off.
It began, Wustrow said, when the basic layout and language of the test site was published several days in advance of the site’s debut.
Accessing the layout, Halderman’s team scoured it for flaws in a process Wustrow likened to “trying to break into a house.”
As Wustrow explained, “The first thing you do is look around the house to see if there’s any obvious way in … if the windows are open or something.”
For Halderman and his team, that window opened at 3:30 on the morning of Sept. 29 — the day the site was slated to go live. According to Halderman, it was then that the team discovered a weakness in the site’s design that would allow any good hacker to infiltrate it.
So Halderman’s team decided to do just that — break into the site and take control.
“That was the big ah-ha moment,” Halderman said of his team’s late-night discovery.
First, though, the team needed some rest.
“We spent most of Tuesday recovering from staying up all night,” Halderman said.
But by Wednesday, Halderman said, the team was well-rested and ready to get their hands on the site, which had since gone live.
Halderman said that within hours of hacking into the site, “we had the same access to the server as someone who controls it.”
And control it they did.
First, Wustrow said, they replaced all existing ballots with write-in votes for famous robots like HAL 9000.
“It was our own evil ballot,” Wustrow said.
After that, according to Wustrow, the team rigged the system to reveal personal information about the people who’d cast their votes.
And to top it all off, the team programmed the site to play “Hail to the Victors” every time a vote was cast.
“That was our calling card,” Halderman explained.
Of course, since it was only a test site for the election, Halderman’s hacking didn’t do any real damage — quite the opposite, in fact.
As an official behind the site explained, the test phase was launched in large part to encourage undercover work like Halderman’s.
In an interview yesterday, Paul Stenbjorn, the chief technology officer for the Washington, D.C. Board of Elections and Ethics, called the test phase “an exercise to help us develop a better online ballot.”
According to Stenbjorn, Halderman’s hacking helped uncover a major vulnerability the election board might have otherwise overlooked.
“Part of this process was to ensure that there was no hackability to this application,” Stenbjorn said.
Thanks to Halderman, Stenbjorn said, the online voting system is now headed back to the drawing board.
“I credit (Halderman’s team) with helping us,” Stenbjorn said. “But I also encourage them to help us build a better one.”
However, both Halderman and Wustrow said they don’t want to play any part in an online voting system — at least not yet.
“The takeaway we really want people to see here is that Internet voting is just not ready to be implemented, definitely not now,” Wustrow said. “It’s a very difficult problem that can’t be solved fixing just this.”
Halderman added that he was concerned how easy it was to hack into the site and doesn’t think that bodes well for the future of online voting.
“Internet voting is really dangerous,” Halderman said. “It’s too dangerous to be used today or any time in the near future.”
Nevertheless, Alysohn McLaughlin, a spokeswoman from the elections board, said her group plans to continue developing its program for use in future elections.
“We’re committed to this product and we’ll continue testing for it,” McLaughlin said.