The Communications Infrastructure
Cryptography can be used to protect the communication between the user's browser and the elections server. This technology is mature and can be relied upon to ensure the integrity and confidentiality of network traffic. This section doesn't deal with the classic security properties of the communications infrastructure; rather, we'll look at the availability of the Internet service, as required by remote electronic voting over the Internet.
Most people are aware of the massive distributed denial of service (DDOS) attack that brought down many of the main portals on the Internet in February 2000. The February attack consisted of the installation and execution of publicly available attack scripts. Very little skill was required to launch the attack, and minimal skill was required to install the attack. This attack was nothing compared to what a dedicated and determined adversary could do.
At the heart of a DDOS is a program called a daemon, installed on many machines. Any of the delivery mechanisms described above can be used. One other program is installed somewhere, called the master. These programs are placed anywhere on the Internet, so that there are many unwitting accomplices to the attack, and the real attacker cannot be traced. The system lies dormant until the attacker decides to strike. At that point, the attacker sends a signal to the master, using a publicly available tool, indicating a target to attack. The master conveys this information to all of the daemons, who simultaneously flood the target with more Internet traffic than it can handle. The effect is that the target machine is completely disabled.
Experimenting in the lab with one of the well-known DDOS programs called Tribe Flood Network (TFN), my team of researchers at AT&T discovered that the attack is so potent that even one daemon attacking a UNIX workstation disabled it to the point where it had to be rebooted. The target computer was so overwhelmed that we couldn't even move the cursor with the mouse.
There are toolseasily found by anyone with access to the webthat automate the process of installing daemons, masters, and the attack signal. People who attack systems with such tools are known as script kiddies, and represent a growing number of people. In an election, the adversary is more likely to be someone at least as knowledgeable as the writers of the script kiddy tools, and possibly with the resources of a foreign government.
There are many other ways to target a machine and make it unusable, and it's not too difficult to target a particular set of users, given domain name information that can easily be obtained from the online registries such as Register.com and Network Solutions, or directly from the WHOIS database. The list of examples of attacks goes on and on. A simple one is the ping of death, in which a packet can be constructed and split into two fragments. When the target computer assembles the fragments, the result is a message that's too big for the operating system to handle, and the machine crashes. This has been demonstrated in the lab and in the wild, and script kiddy tools exist to launch it.
The danger to Internet voting is that it's possible that during an election, communication on the Internet will stop because attackers cause routers to crash, election servers to get flooded by DDOS, or a large set of hostspossibly targeted demographicallyto cease to function. In some close campaigns, even an untargeted attack that changes the vote by one percentage point could sway the election.