University of Michigan students hacked a D.C. elections voting website to play the school's fight song when users cast their ballots. Security experts, meanwhile, have raised serious questions about the lackluster testing the site has undergone. Nevertheless, a board of election officials in Washington, D.C., still plans to make available a scaled-back version of the site for this year's election.
The website is designed to enable its target 950 users (registered voters residing abroad) to access PDF absentee ballots. Voters identify themselves by name, registration address, and a PIN provided by the board in advance of the election. From there, users can fill out the ballots and send them back digitally or as email attachments; alternatively, voters can print the ballots and send them via fax or snail mail.
Officials on the District of Columbia Board of Elections and Ethics (DCBEE) recently opened the website for a brief public testing period, during which the University of Michigan students launched their successful hack. The attack, according to some computer scientists, reveals serious holes in the website's architecture.
The board has responded by announcing that users will not be able to access the site to send back their ballots digitally -- but they can use the site this year to generate PDF ballots, fill them out, and send them back via email, fax, or snail mail.
The problem is that the site has been shown to be insecure in an informal testing process and has not undergone any kind of rigorous, transparent, verifiable audit. In fact, before the brief public testing period, a group of concerned citizens -- among them prominent computer security experts such as Ronald Rivest -- sent a letter to the board calling for independent security testing of the site.