Network Hacked

by Jon Mandle on December 31, 2003

Not a big deal, you say, that someone hacked their way into a corporate network? According to the CEO, the intruder took advantage of a network security hole “that we were a patch behind on.” Happens all the time, except that this company is VoteHere, which is “developing encryption-based software for secure electronic voting.” I admit I’d feel a little better if they were one patch ahead. Yes, encrypted voting results were stored on the network, but according to the CEO, “there is no evidence that any election was compromised.” Most reassuringly of all, it turns out that the system had only been tested on some “British local elections and nongovernmental tallies such as the Country Music Awards.”



coder 12.31.03 at 6:10 am

I’m sure that you know, but still it should be noted that staying a patch ahead is literally impossible. Furthermore it is also literally impossible to not be a patch behind for at least a short time, unless you yourself issue the patch. The fact of the matter is that unless you are running a very simplistic operation, sooner or later you will be vulnerable. The window of opportunity may be short, and the technical skills required may be high, but if someone is smart enough or rich enough, and cares enough, then they will get you eventually.

Which is not necessarily to excuse these guys in this case. I have heard exactly zero technical descriptions of the attack, so don’t know whether they had good, competent sysadmins who dealt with the situation in an efficient and professional manner, or incompetent cowboys sticking up a web-server with default settings and a site powered by a motley collection of PHP scripts in perpetual beta.

And obviously the whole electronic voting industry is a stinking cess-pit of awful politics, business, and code.


dsquared 12.31.03 at 9:19 am

“A patch ahead” is neither here nor there; surely it is not an excessive burden to require that no election voting data, encrypted or otherwise, should be stored on a system connected to the Internet? Inconvenient, I know, but this is bloody democracy we’re talking about, after all.


coder 12.31.03 at 2:41 pm

I fully agree, and must apologise. I hadn’t read the part where they describe “what the software does”. My comments were related to the network intrusion intself only.

Actually, the description in the article doesn’t make much sense. It is hard to tell if they are doing something very stupid (sending results over the Internet to be tallied on a central server,) or innocuous (storing results that are derived in a more secure, and therefore difficult and time-consuming manner elsewhere.) Although the bollocks about “encrypt ballots in such a way that voters can make sure their votes have been counted correctly, even after the election” does not inspire confidence.


dsquared 12.31.03 at 3:32 pm

Although the bollocks about “encrypt ballots in such a way that voters can make sure their votes have been counted correctly, even after the election” does not inspire confidence.

Indeed; I detect the presence of David Chaum, although Google doesn’t show up any connection between him and this company …


asg 12.31.03 at 7:56 pm

On an only marginally related tangent (it has to do with elections) can one of the British political mavens here enlighten me as to when, precisely, a British prime minister is obliged to call for a general election? In the U.S. of course the president is elected every 4 years; my understanding of the British system is that the ruling party has some discretion as to when to call for elections. Is there a law saying that elections must occur within some time period?


Antoni Jaume 01.01.04 at 1:23 pm

IIRC in the UK like in most EU, there is a limit to the time a legislature may run, 4 years in UK I believe, but the governement can call for an election if wanted. In some cases it may be forced by the parliament, like when the government is a minority one and the opposition feels that they can get a shot at governing.



coder 01.01.04 at 3:41 pm

In the British electoral system, a general election can be held any time up to five years after the previous one. The exact date is at the discretion of the ruling party, who will, of course, choose the most politically advantageous time as best they can. In addition, if a government loses a vote of confidence at any time then they must immediately call a general election.

Governments do not usually wait the full five years before calling elections. I would guess the average time is around 4 – 4.5 years, but I’m really not sure. Waiting the full five years is generally considered a sign of weakness, as it implies that the government is not confident of their ability to win, and just want to hang on for as long as possible. No confidence motions very rarely succeed in Britain. Only one general election in recent times has been caused by a lost confidence motion, the one that brought Thatcher into power in ’79.

When an election is called at short notice (I think the minimum notice period required is about 6 weeks?) it is called a snap election. The ability of the ruling party to choose the date of the election can make for some very interesting politics. New Zealand has a very similar system to Britain’s, and the more politically aware Kiwis have fond memories of the announcement of the ’84 election. The then Prime Minster, Robert Muldoon, turned up unannounced and very drunk in the state TV newsroom. He demanded to go live-to-air, and proceeded to tell the bemused nation that he was calling a snap election. That night his deputy Prime Minister (currently Commonwealth Secretary General) Don McKinnon let down his car tyres in the studio parking lot, to prevent him driving home blind drunk. He later said that he thought they were going to have a hard enough time of it anyway, without their leader killing himself in a drunken car crash. Needless to say, that election didn’t go too well for the incumbent.

Comments on this entry are closed.