I just saw that Bender has been elected to the school board of Washington
D.C. I had no idea he was interested in politics ;-)
Hackers Elect Futurama's Bender to the Washington DC School Board
By Kevin Lee, PCWorld Mar 2, 2012 11:39 AM
[Photo: Bender as featured in 'Futurama: Bender's Big Score.' Credit:
Twentieth Century Fox]
Electronic voting has earned a pretty bad reputation for
being insecure and completely unreliable. Well, get ready to add another
entry to e-voting's list of woes.
One Bender Bending Rodríguez was elected to the 2010 school board in
Washington DC. A team of hackers from the University of Michigan got
Bender elected as a write-in candidate who stole every vote from the real
candidates. Bender, of course, is a cartoon character from the TV series
This was not some nefarious attack from a group of rogue hackers: The DC
school board actually dared hackers to crack its new Web-based absentee
voting system four days ahead of the real election. University of
Michigan professor Alexander Halderman, along with two graduate students,
did the deed within a few hours.
After looking over the e-voting system's Ruby on Rails software
framework, Halderman's team discovered that they could use a shell
injection vulnerability to get into the system. This allowed them to
retrieve the "public key," which is used to encrypt the ballots. With the
public key in hand, the hackers were able to change every ballot already
in the system and replace any subsequent real ballots with fakes.
While the hackers were mucking about the system's server, they discovered
other files that were not ballot-related in the /tmp/ directory. Among
them was a 937-page PDF containing instructions to individual voters as
well as authentication codes for every voter. If someone with malicious
intent got their hands on these codes, they could use them to cast
ballots as a real voter.
The researchers also managed to hack into the network, allowing them to
gain access to other systems within the building. The team was able to
get into the surveillance system, which gave them access to the security
cameras. This allowed them to time their attacks so that the technicians
would not notice the additional server activity.
When the team tried to get into the terminal server, they noticed there
was an attack coming from Iran, and traced the IP address to the Persian
Gulf University. The team realized the Iran-based hackers were getting in
using one of the default admin logins (user: admin, password: admin). To
stop the outside attacks the team blocked the offending IP address with
iptables (a piece of software for server admins) and replaced the admin
password with something more challenging. The team also blocked similar
attacks launched from New Jersey, India, and China.
For the team's pièce de résistance, the researchers replaced the "Thank
you for voting" note with "Owned," and programmed the site to start
playing the University of Michigan's fight song "Hail To The Victors!" 15
seconds later. Despite all this, the system administrators did not notice
anything strange until two days later.
Halderman's closing statements on e-voting are that a single flaw in the
configuration of the system could be fatal, and secure Internet-based
voting won't be ready until there are significant fundamental advances in
computer security. Be sure to check out the full paper on Attacking the
Washington, D.C. Internet Voting System.
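The article names the bug class (shell injection in a Ruby application) but does not show the affected code. The following is an added illustration of that class in Ruby, not code from the D.C. system or from the researchers; the function names, the allow-list and the sample file name are assumptions constructed for the example.

```ruby
require "open3"
require "shellwords"

# Constructed input: a file name carrying a harmless second command.
SAMPLE_NAME = "ballot.pdf; echo INJECTED"

# Assumed policy: only these characters may appear in a name that is
# passed to an external program.
SAFE_NAME = /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/

# UNSAFE: one interpolated string is handed to /bin/sh, so ';' ends the
# intended command and starts a second one.
def run_unsafe(name)
  out, = Open3.capture2e("echo processing #{name}")
  out.lines.map(&:chomp)
end

# SAFER: argv form. No shell is started; name stays a single argument.
def run_argv(name)
  out, = Open3.capture2e("echo", "processing", name)
  out.lines.map(&:chomp)
end

# When a shell string cannot be avoided, quote the value first.
def run_escaped(name)
  out, = Open3.capture2e("echo processing #{Shellwords.escape(name)}")
  out.lines.map(&:chomp)
end

# Defence in depth: reject anything outside the allow-list before use.
def validate_name!(name)
  raise ArgumentError, "rejected file name: #{name.inspect}" unless SAFE_NAME.match?(name)
  name
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe : #{run_unsafe(SAMPLE_NAME).inspect}"
  puts "argv   : #{run_argv(SAMPLE_NAME).inspect}"
  puts "escaped: #{run_escaped(SAMPLE_NAME).inspect}"
  begin
    validate_name!(SAMPLE_NAME)
  rescue ArgumentError => e
    puts "blocked: #{e.message}"
  end
end
```

In a code review, the thing to look for is any `system`, backtick, `%x`, `exec` or `Open3` call that receives a single interpolated string built from request data.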