Hackers elect Bender to DC School Board

Back in 2010, when the DC School Board adopted new voting software for the upcoming election, they issued a public invitation for hackers to attack it, to test its security and find vulnerabilities. A computer science professor at the Univ. of Michigan and his students took up the challenge.

According to a paper that the professor just released, they immediately circumvented the security system, found a file with authentication information for every DC voter, and set them all as votes for Bender B. Rodriguez, Futurama’s “towering inferno of physical perfection.” They even set it up so that later-arriving votes would be changed to Bender, too. They then changed the goodbye screen from “Thank you for voting” to “Owned,” and set it to play the Michigan fight song.

Their work went undiscovered by DC’s IT administrators for two days, until another hacker group reported (mistakenly) that the system was secure, but complained about the exit music.

Also, while they were in there, the Michigan team noted that the school board’s computers were under attack from Iran, China, and India, and they blocked those incursions.

Story here and here.

That’s hilarious. It’s also a great illustration of why we should stick with regular old hardcopy paper ballots, at least for now.

I’m surprised you didn’t suggest going down to the quarry and throwing e-ballot systems in there.

Both hilarious and frightening; given that the UofM crowd took advantage of and even repaired some very obvious security mistakes and did them the favor of leaving giant digital graffiti all over the place and still it took two days for them to realize they’d been hacked, what if someone just wanted to quietly change a few hundred votes - enough to realistically swing an election? Think anyone would notice?

This is hilarious—and being that we are talking about DC employees here, not at all shocking.

I actually voted for Bender for school board in that election, and now I know that the election has been stolen!!!

I also voted for Ralph Furley for my neighborhood advisory council, Ernie Bilko for at-large city council, and, as is my custom, Gladys Crabtree for mayor.

Was this just for school board? Does this mean that neither Fenty nor Gray won the election but that Bender B. Rodriguez is the current Mayor of the District of Columbia?

Default passwords. Who were the geniuses who did that? The Michigan team should’ve elected Homer Simpson instead, the true role model of the DC “security” team.

But the story isn’t quite right. The paper states the hackers had NOT checked for the default password yet. It’s on page 10. https://jhalderm.com/pub/papers/dcvoting-fc12.pdf

BTW I had a real hard time getting that pdf. The server must’ve been overloaded.

Hard to imagine any way in which that could go wrong.

Is there such a thing as a company you can hire to try to hack your security before you go online? That strikes me as a business opportunity just dying to be launched.

Isn’t that part of the job of the company that runs your security?

And it’d be a great idea for a movie! You could have Christian Slater in it, and maybe Denzel Washington, and one of the cast of Ghostbusters! You could call it “Snoopers” and it’d be unlike any movie ever made!

Cut me some slack - I’m an engineer - what do I know of computer security?? 😛

This is what my husband does. Apparently it’s not as fun as it sounds.

Bender is great. They are so lucky to have him.

That would explain the recent “Kill All Humans” bill getting passed.

This is an obvious case of voters not paying attention. Stanley Roper has by far the better record!

This just in -

“School Children Bite School Board Member’s Shiny Metal Ass. Film at 11.”

This would be hilarious if it wasn’t so sad. I worked for the District’s Centralized IT Agency (OCTO) as the District’s Change Manager until just a few months ago and I never got wind of this.

OCTO tried in vain to merge the IT environments of many agencies onto the District’s data center, but failed in most cases. After a while it became clear that there were no real teeth in Fenty’s IT Centralization Mandate. I was OCTO’s program manager for Citywide IT Service Management (providing service desk, change management and asset management platforms to all agencies under the Mayor) as well as the District’s Change Manager for three years and never heard about this voting software implementation. It was like pulling teeth trying to get agencies to bring their service management systems into OCTO’s enterprise platform. Many agencies continued to retain large IT budgets and employ sizable IT staff. MPD, DDOT and DCPS are three good examples. Even after the merger of DCPS OIT into OCTO, schools continued to operate their own IT environment (with the exception of the network and data center, which was OCTO-managed by late 2009).

By the way, I’m not sure how PCW arrived at their article headline. I read the UofM’s PDF and didn’t see anything in there about Schools. Perhaps they mistook BOEE as board of ed, or something. I do recognize the people in the data center security cam snapshots though.