
E-Voting System Hacked, Futurama's Bender Elected

Tech heads like ourselves have been witnessing, and to varying degrees encouraging, the digitizing of our lives. As more and more things become electronic and web-based, however, security comes to the forefront as the ultimate concern. Despite efforts to make e-voting the norm, doubts about whether privacy and integrity can be preserved have proved to be a massive obstacle.


The Washington, DC school board definitely didn't seem to think so. In fact, they were so confident in their absentee voting system that they challenged anyone to hack their Ruby on Rails framework, and Bender of Futurama fame was elected to the District's board.

Alexander Halderman, a computer science professor from the University of Michigan, teamed up with a pair of graduate students and decided to take a crack at the test. From PC World:

After looking over the e-voting system's Ruby on Rails software framework, Halderman's team discovered that they could use a shell injection vulnerability to get into the system. This allowed them to retrieve the 'public key', which is used to encrypt the ballots. With the public key in hand, the hackers were able to change every ballot already in the system and replace any subsequent real ballots with fakes.

Despite the scholastic hackers changing the "thank you for voting" screen to display the simple message, "owned", and playing the university's fight song, site admins did not notice anything strange until two days after the "attack".

With this report, paired with today's news of GitHub's security being exploited, questions have been raised about Ruby on Rails' vulnerability. In the past, the technology has been criticized for its insecure apps, and for how difficult it makes it for developers to take preemptive measures to mitigate its risks.
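The class of bug the PC World excerpt names, shell injection, shown beside its fix as an added example; this is not code from the DC system or from Halderman's team. The `echo` command is a stand-in for whatever external tool an app might call on an uploaded file, and the file name and function names are constructed for illustration.

```ruby
require "open3"

# Constructed input: an upload name that carries a shell metacharacter.
HOSTILE_NAME = "ballot.pdf; echo INJECTED"

# Vulnerable pattern: the name is interpolated into a string that /bin/sh
# parses, so ';' ends the intended command and starts a second one.
def process_vulnerable(name)
  `echo processing #{name}`
end

# Hardened pattern: argv form. No shell is involved, so the name reaches the
# program as one literal argument whatever characters it contains.
def process_hardened(name)
  out, status = Open3.capture2("echo", "processing", name)
  raise "tool failed" unless status.success?
  out
end

# Defence in depth: accept only names that match a strict allowlist.
SAFE_NAME = /\A[A-Za-z0-9_-]{1,64}\.pdf\z/

def valid_upload_name?(name)
  SAFE_NAME.match?(name)
end

# True when the marker appears on its own output line, i.e. the injected
# command actually ran instead of being passed through as data.
def injected?(output)
  output.lines.map(&:chomp).include?("INJECTED")
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable ran injected command: #{injected?(process_vulnerable(HOSTILE_NAME))}"
  puts "hardened ran injected command:   #{injected?(process_hardened(HOSTILE_NAME))}"
  puts "allowlist accepts hostile name:  #{valid_upload_name?(HOSTILE_NAME)}"
end
```

The same argv form applies to `system` and `IO.popen`: pass the program and each argument as separate values instead of one interpolated string.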

Still, it's safe to say that anything made of code will always be threatened by hackers. And until you can be assured otherwise, perhaps the best practice would be to avoid welcoming them to your software's doorstep.