Those folks from Princeton (J.A. Halderman) are very good. They are dismantling all the myths of secure electronic voting. We would need to get a "specimen" of a Brazilian voting machine to take to them for testing.

2012/3/5 Joaquim Salles <[email protected]>

> http://pcworld.co.nz/pcworld/pcw.nsf/news/hackers-elect-futuramas-bender-to-the-washington-dc-school-board
>
> Hackers elect Futurama's Bender to the Washington DC school board
>
> KEVIN LEE | MONDAY, MARCH 05 2012
>
> *Electronic voting has earned a pretty bad reputation for being insecure
> and completely unreliable
> <http://cityroom.blogs.nytimes.com/2010/09/14/problems-reported-with-new-voting-machines/>.
> Well, get ready to add another entry to e-voting's list of woes.*
>
> One Bender Bending Rodríguez <http://en.wikipedia.org/wiki/Bender_%28Futurama%29>
> was elected to the 2010 school board in Washington DC. A team of hackers from
> the University of Michigan got Bender elected as a write-in candidate who
> stole every vote from the real candidates. Bender, of course, is a cartoon
> character from the TV series *Futurama* <http://en.wikipedia.org/wiki/Futurama>.
>
> This was not some nefarious attack from a group of rogue hackers: The DC
> school board actually dared hackers to crack its new web-based absentee
> voting system four days ahead of the real election. University of Michigan
> professor Alexander Halderman <https://jhalderm.com/>, along with two
> graduate students, did the deed within a few hours.
>
> After looking over the e-voting system's Ruby on Rails software framework,
> Halderman's team discovered that they could use a shell injection
> vulnerability to get into the system. This allowed them to retrieve the
> 'public key', which is used to encrypt the ballots. With the public key in
> hand, the hackers were able to change every ballot already in the system
> and replace any subsequent real ballots with fakes.
>
> While the hackers were mucking about the system's server, they discovered
> other files that were not ballot-related in the /tmp/ directory. Among them
> was a 937-page PDF containing instructions to individual voters as well as
> authentication codes for every voter. If someone with malicious intent got
> their hands on these codes, they could use them to cast ballots as a real
> voter.
>
> The researchers also managed to hack into the network, allowing them to
> gain access to other systems within the building. The team was able to get
> into the surveillance system, which gave them access to the security
> cameras. This allowed them to time their attacks so that the technicians
> would not notice the additional server activity.
>
> When the team tried to get into the terminal server, they noticed there
> was an attack coming from Iran; they traced the IP address to the Persian
> Gulf University. The team realised the Iranians were getting in with one of
> the default admin logins (user: admin, password: admin). To stop the
> outside attacks the team blocked the offending IP address with
> iptables <http://en.wikipedia.org/wiki/Iptables> (a piece of software for
> server admins) and replaced the admin password with something more
> challenging. The team also blocked similar attacks launched from New Jersey,
> India, and China.
>
> For the team's pièce de résistance, the researchers replaced the "Thank
> you for voting" note with "Owned", and programed the site to start playing
> the University Of Michigan's Fight Song "Hail To The Victors!"
> <http://www.youtube.com/watch?v=mY3M_9l_Rg8> 15 seconds later. Despite all
> this, the system administrators did not notice anything strange until two
> days later.
>
> Halderman's closing statements on e-voting are that a single flaw in the
> configuration of the system could be fatal, and secure internet-based
> voting won't be ready until there are significant fundamental advances in
> computer security. Be sure to check out the full paper on Attacking the
> Washington, D.C. Internet Voting System
> <https://jhalderm.com/pub/papers/dcvoting-fc12.pdf>.
>
> [Attacking the Washington, D.C. Internet Voting System
> <https://jhalderm.com/pub/papers/dcvoting-fc12.pdf> (pdf) via The Register
> <http://www.theregister.co.uk/2012/03/01/electronic_voting_hacked_bender/>
> and Gizmodo
> <http://gizmodo.com/5889838/hacked-dc-school-board-e+voting-elects-bender-president>]

--
__________________________________________________
The text above is the sole and exclusive responsibility of its author, as identified in the "sender" field, and does not necessarily represent the point of view of the Forum do Voto-E.
The Forum do Voto-E aims to debate the reliability of computerized electoral systems, especially the Brazilian one, and of digital signature systems and public key infrastructure.
__________________________________________________
Electronic Voting Page, Journal and Forum
http://www.votoseguro.org
