So Alex Halderman and team hacked the DC Internet Voting pilot. The voting system they attacked was not particularly well secured, and the type of attack used is a fairly simple web input corruption attack with little novelty. This hack, however, performs a very useful task: educating election officials and the public about what hacks against an Internet Voting System look like.
What happens next is going to be very interesting. The folks who have been fighting hard against Internet Voting should be careful not to use the same faulty logic they’ve been criticizing for years. When the discussion was about paper vs. electronic voting machines, some election officials said “well, *I*’ve never seen anything go wrong, show me an example!” And the answer we, computer security specialists, gave was some variation of “how do you know nothing went wrong?” or, in the words of Dijkstra, “Program testing can be used to show the presence of bugs, but never to show their absence.”
What reasoning applies, then, when we do find a bug? We are faced with an effective attack against a specific Internet Voting system. It’s easy to get carried away… Verified Voting just declared the Dangers of Internet Voting confirmed, saying:
> we have a visceral demonstration of just how serious the threats really are.
Yes, so far I agree…
> But do legislators and election officials fully understand what Dr. Halderman’s team has taught us? We’ve been given a lesson on how easy it is for attackers to penetrate and control not just this system, but any Internet voting system.
Ummm, no. That’s incorrect reasoning. Remember the important question: how do you know? We know that the system in question is insecure. But we have no proof that all Internet Voting systems are insecure. This is the same faulty logic of inappropriate generalization we accused the election officials of only months ago!
Now, once again, I need to clarify: I agree that Internet Voting for high-stakes elections is deeply problematic, and I’m against it. Interestingly, I don’t think this server-penetration hack represents the inherent problem with Internet Voting, because, given sufficient work, we could probably secure a voting server. The core problem is that end-users’ computers can’t be secured, making it possible to defraud the election even if the server is very secure. But whatever I think, and whatever everyone else thinks, this particular hack does not prove anything about the security of all Internet Voting systems in general.
If we, as security professionals, attempt to leverage and over-generalize this one incident, we’re just as guilty of overlooking sound security reasoning to push a particular agenda, exactly what we saw some election officials doing in 2004-2006 with electronic voting machines. In the long run, this greatly undermines scientifically-based arguments against Internet Voting. The ends do not justify the means.