Back in 2010, when the DC School Board adopted new voting software for the upcoming election, they issued a public invitation for hackers to attack it, to test its security and find vulnerabilities. A computer science professor at the Univ. of Michigan and his students took up the challenge.
According to a paper that the professor just released, they immediately circumvented the security system, found a file with authentication information for every DC voter, and set them all as votes for Bender B. Rodriguez, Futurama’s “towering inferno of physical perfection.” They even set it up so that later-arriving votes would be changed to Bender, too. They then changed the goodbye screen from “Thank you for voting” to “Owned,” and set it to play the Michigan fight song.
Their work went undiscovered by DC’s IT administrators for two days, until another hacker group reported (mistakenly) that the system was secure, but complained about the exit music.
Also, while they were in there, the Michigan team noted that the school board’s computers were under attack from Iran, China, and India, and they blocked those incursions.
Both hilarious and frightening. The UofM crowd took advantage of, and even repaired, some very obvious security mistakes, and did the administrators the favor of leaving giant digital graffiti all over the place, and still it took two days for them to realize they’d been hacked. So what if someone just wanted to quietly change a few hundred votes - enough to realistically swing an election? Think anyone would notice?
And it’d be a great idea for a movie! You could have Christian Slater in it, and maybe Denzel Washington, and one of the cast of Ghostbusters! You could call it “Snoopers” and it’d be unlike any movie ever made!
This would be hilarious if it wasn’t so sad. I worked for the District’s Centralized IT Agency (OCTO) as the District’s Change Manager until just a few months ago and I never got wind of this.
OCTO tried in vain to merge the IT environments of many agencies onto the District’s data center, but failed in most cases. After a while it became clear that there were no real teeth in Fenty’s IT Centralization Mandate. I was OCTO’s program manager for Citywide IT Service Management (providing service desk, change management and asset management platforms to all agencies under the Mayor) as well as the District’s Change Manager for three years and never heard about this voting software implementation. It was like pulling teeth trying to get agencies to bring their service management systems into OCTO’s enterprise platform. Many agencies continued to retain large IT budgets and employ sizable IT staff. MPD, DDOT and DCPS are three good examples. Even after the merger of DCPS OIT into OCTO, schools continued to operate their own IT environment (with the exception of the network and data center, which were OCTO-managed by late 2009).
By the way, I’m not sure how PCW arrived at their article headline. I read the UofM’s PDF and didn’t see anything in there about Schools. Perhaps they mistook BOEE as board of ed, or something. I do recognize the people in the data center security cam snapshots though.