
Berkeley HS student tried to rig his own election, exposing cybersecurity flaws - incomplete
https://www.berkeleyside.com/2019/04/09/berkeley-high-student-tried-to-rig-his-own-election-exposing-flaw-in-districts-cybersecurity
======
nkrisc
The perpetrators should be punished by being made to give a presentation on
how they automated the process, what poor security practices allowed them to
pull it off, and recommendations for preventing a similar incident in the
future.

~~~
kemitche
Suppose I walk into the neighborhood 7-11, and steal the money from the cash
drawer when the cashier glances away. I'm only caught once the tapes are
reviewed and they find my license plate. Should my punishment be to give a
presentation to the cashier that they should be watching everyone at all
times?

Obviously the answer is no. Sometimes, catching someone breaking rules/laws
after the fact is sufficient - 100% prevention of a crime before it happens
shouldn't be the only way crimes are avoided.

Did the school make some poor choices with their cybersecurity? Sure. But an
open/unlocked door does not give permission to steal or break the law, whether
that door is digital or physical.

~~~
nkrisc
Are you suggesting these kids are criminals and committed a crime? Because I
don't really see the connection between theft and what this article is about.
It sounds like this can be turned into a learning opportunity. Learning seems
appropriate for a school setting as opposed to vengeful retribution.

If, as you suggested, you commit theft, engagement with the criminal justice
system seems appropriate, but maybe not if you rigged a school election.

~~~
kemitche
I'm suggesting the students be punished in the same way as if they had cheated
on a paper ballot election. Nothing more, nothing less.

I don't think it's a stretch to think that HS students should know better than
to cheat - whether that's on a test, or a school-wide election.

~~~
mieseratte
That is the kind of busy-body, authoritarian crap that makes children hate
school. Kids are there to learn. Given him a talking to, ask him to give up
the goods, and move on.

Having been one of them high school hackers, and having been both threatened
with jail and simultaneously being given the carrot of "don't do it again, and
tell us what you know," the latter is going to produce a better outcome and if
the student chooses to pick the former... well you gave them an honest choice.

Most kids doing this aren't malicious, but just trying to learn and have some
damn fun. If you just jump straight to the stick, you're just going to end up
with a bitter kid with some cybersecurity chops. Not the greatest combination.

~~~
kelnos
I don't think I would characterize "attempting to steal a student election via
unauthorized use of other students' accounts to commit voter fraud" as "trying
to learn and have some damn fun". This was a malicious, dishonest act. Full
stop. I think they're getting off easy: just being disqualified from the
election and perhaps losing in-school computer privileges. That doesn't seem
like it's going to teach them what they did was wrong. More likely it'll teach
them to be better at not getting caught.

~~~
godelski
I mean Bill Gates phreaked because it was "fun". The people that do this find
it fun breaking into systems. You need to understand who you're dealing with.
And understanding the motives of preparators helps in how you should
discipline them. At least effective discipline.

~~~
kelnos
Obviously I don't know the kid at all, but on the face of it, it appears he
wanted to win an election and decided to cheat to get what he wanted. Hardly
"just for funsies" or "following the hacker ethos". It's just a morally-
challenged kid behaving badly.

~~~
ilikehurdles
A student election is absolutely worthless. This is not like stealing money
from a convenience store — that has value - it’s more like taking home a
paperclip from your office once. I see absolutely no reason that someone
taking an office supply item home should be treated differently.

~~~
kelnos
To kids in school, the election is not worthless. Even when I was in HS that
wasn't the case, and the article mentions that with college admissions so
competitive now, every edge -- including being elected to a student government
-- is important.

Even if it's not _actually_ important, it's the _perception_ of importance to
the student that matters. The idea that "it's ok to commit fraud if I think
it's something important" is definitely one we don't want becoming widespread.

------
Someone1234
> “It just shows that people don’t make healthy cybersecurity decisions,” said
> Stern.

You mean like the administrators of the school? You can set a temp password to
immediately expire. What's notable is that even after this incident they still
didn't do so, just encouraged students to change the default password during
orientation.

~~~
OliverJones
Indeed. An immediately expiring temp password is the usual workflow for new
private-labeled Google accounts. I suppose, though, that somebody thinks
middle schoolers can't handle it.

------
thaumasiotes
> Students were casting ranked-choice ballots via a Google Form accessed
> through district-provided Gmail accounts

> The investigators were also able to determine that the false votes were cast
> from a computer

I bet the real votes were cast from a computer too.

~~~
smelendez
Presumably they mean as opposed to s smartphone, which might be the more
common way for students to vote.

------
mountainofdeath
I did something very similar to this for my high school's prom queen vote who
I wanted to win for teenager reasons. The voting system was just a bunch of
laptops in front of the lunch room running a web app and all that was needed
to vote was to know a student id. A few hours and some javascript later, I
voted more than the entire senior class. It was only discovered after the
event.

~~~
dustindiamond
Amanda?

------
RandomBacon
Ah, computerized highschool class elections.

I could have rigged the vote to win at my school too, except that I wasn't in
the right cliques. It would have been very suspicious if I won, and everyone
knew I was "good with computers".

Our program actually saved who voted for who in plaintext. At least I got to
see who voted for me.

~~~
veryworried
In a situation like this the best action is to install a puppet who you can
blackmail. Then use them to push policies you find favorable to you.

~~~
AnimalMuppet
I don't think student governments get to push policies that can actually help
students very much. I don't think school administrations let the student
government have any real control whatsoever.

~~~
InitialLastName
It's a puppet puppet.

IIRC, my high school government was very effective at choosing the prom theme
and lobbying for a specific brand of crackers in one of the vending machines.

~~~
nathancahill
The illusion of government power starts young.

~~~
erobbins
Government seems pretty powerful. I mean, there's one guy elected by 213k
people blocking the entire congress from passing any bills.

~~~
AnimalMuppet
That may make that one guy powerful, but it makes _government_ pretty
powerless...

------
bowmessage
My HS used birthdate as account password, for both students and teachers, with
no option to change! I hope they've updated since.

~~~
mfoy_
My _bank_ only allows for up to 6 alphanumeric (no special!) characters.

[https://www.bmo.com/olbb/help-centre/en/my-profile/change-
pa...](https://www.bmo.com/olbb/help-centre/en/my-profile/change-
password.html)

~~~
Scooty
Why is this such a common thing? Just about every bank I've used has had one
of these issues on their website:

\- Password can't be long

\- Password can't be pasted

\- Password must contain symbols

\- Password can't contain symbols

I even locked myself out of my credit card (AMEX) account 3 times in less than
2 days because they have multiple different password reset forms, but one of
them doesn't enforce their password length limit, so I successfully set my
password to a password that was too long for the web/mobile login forms.

~~~
ska

       Why is this such a common thing? 
    

Short answer I suspect is old systems with complicated dependencies.

~~~
lwansbrough
Even so, you could hash the password somehow in order to produce the number,
which then goes into that old system.

~~~
ska
There are always engineering solutions to such things, but I don't think most
of the decisions are made in terms of "it's possible". There is always a
risk/reward conversation, and a lot of conservatism in systems currently
processing a large number of transaction and/or $ successfully. Perceived risk
may or may not be analyzed correctly, mind.

~~~
mavhc
You'd think when they have all the money the risk would be really high

------
dontbenebby
So default password was student ID? Who wants to bet there was a list of names
and student IDs available somewhere that made this trivial to automate?

(Or they were sequential with blocks for each class)

~~~
hbosch
Or more simply, what pattern do student IDs conform to? I’d be absolutely
shocked if they were randomized.

~~~
dontbenebby
I wish there was a name for this kind of thing, because I see it a lot.
Something is used a username in one context, then a password/authentication
token in another.

(Ex: many libraries use your barcode number as your username)

I suspect the mistake stems from not understanding how passwords are stored.

(Eg: while yes, well set up systems hash passwords, _usernames_ or any other
identifier paired w the password are in cleartext, and in many cases huge
swathes of the userbase can access them)

------
jlrubin
I'm glad to see that it seems the student in question was afforded a measure
of process and admitted guilt -- I could easily see the story ending where the
weaker opponent casts fake votes for their competition to get them eliminated!

------
ggm
The number of responses which go to "...I did this too" are fascinating. I
also did stupid things in my past which nowadays would incur severe penalty,
as hacking. They felt mild right up to the point I was caught (this is 35
years ago) and then they stopped feeling mild very quickly.

I feel very sorry for people in todays world who don't get the "everybody gets
one free pass" on these things we did back in the day. I think we need a clear
statute of limitations on some stuff done by minors and near-minors, regarding
their future lives. Nobody is going to be eligible for election to senate or
the law courts, or to work in federal or state bodies if we don't work out how
to deal with this kind of thing.

That said, I am pretty sure rigging an election is a good indication you have
need of some ethics. Amusing, but also not a good idea.

This ranks (in my books) with the recurring "we thought we'd make a film about
a bank robbery without informing the bank or the shopping mall about it" type
cock-up: Actions have (unforseen) consequences.

------
ryanmjacobs
Gosh, I did this back in my high school as a Senior, two years ago. Got myself
suspended for two days and ruined my perfect attendance, oh well. It scared
the shit out of me when two police officers barged into my U.S. History class
and pulled me out.

The usernames of our voting system were our 5 digit student IDs. And the
passwords... same as the usernames. I wrote a puppeteer script that looped
through 2000 IDs and voted for everyone. They tracked me down through my home
IP address -- if there is a next time, I'll definitely use Tor haha.

EDIT: Yeah, the school's VP picked up on it because normally about 40% of the
student body actually votes -- but this time it was 100%; plus when student's
started signing into their voting accounts, it claimed they already voted. Not
my brightest moment.

------
zaroth
Besides the fact that this "online voting" was immediately hacked, I wasn't
fond of the notion that the votes had everyone's name attached.

------
stcredzero
_“When we spotted it, it was incredibly obvious,” said Stern, 17. “There were
just massive alphabetical votes at random hours.”_

Reminds me of an interview question: How would you do a reasonably good job of
randomizing an incoming stream of items, while minimizing auxiliary storage?

~~~
greiskul
Never heard of this question, how do you do that? Do you mean getting a random
sample from an incoming stream, using only O(1) space?

~~~
stcredzero
I'm thinking of randomizing the entire stream, and getting something that
looks "reasonably random" to casual inspection by human beings, using only
O(1) space.

~~~
DuskStar
It's easy if you don't need exact results! For instance if you want 1/2 votes
for A, 1/3 for B and 1/6 for C, well you roll a die and vote A for 1-3, B for
4-5 and C for 6 - do this enough times and it'll approximate that
distribution!

Things only get difficult if you need exact results OR start doing things to
make it "look" random - breaking up long runs of one vote, that sort of thing.
(which of course makes it look distinctly nonrandom to someone with a stats
background)

~~~
stcredzero
_It 's easy if you don't need exact results!_\

I didn't mean randomizing the votes. Perhaps I should have written
"shuffling." I meant randomizing the order of the stream.

~~~
Dylan16807
Let me see if I'm misunderstanding something about the problem.

1\. The items come in a stream, so you have to accept each one in order.

2\. You have to output a stream too.

3\. You get a fixed amount of storage, much smaller than the stream.

4\. The items are arbitrary and unique, so there is no way to compact n items
into significantly less then O(n) storage.

If the stream is large and sorted, you run out of buffer before the input
stream gets past 'A'. You're _forced_ to output thousands/millions of entries
in a row that start with A. That doesn't look at all random.

It seems impossible if I understand the problem. Is one of my numbered
statements wrong? Is there a way to get items out of order? Put items back
into the stream? Is there a limited range of items? Getting unique items in
order lets me compress the data _very slightly_ , but 25% more storage doesn't
fix anything either.

~~~
stcredzero
_getting something that looks "reasonably random" to casual inspection by
human beings, using only O(1) space._

7 (+/\- 2) is the magic number. However, you make a good point. This is highly
dependent on exactly how large the data is, and how "casual" the human are.

~~~
Dylan16807
The size of working memory... that sounds like a threshold for taking an
already-randomized list and turning it into another one that looks different
on casual inspection.

Even with a small size like 200 a shuffler that weak won't do a good job of
turning sorted into unsorted, even at a glance.

~~~
stcredzero
_a shuffler that weak won 't do a good job of turning sorted into unsorted,
even at a glance._

That depends on how casual the inspection is.

~~~
Dylan16807
I would expect the most casual inspection to actually be the least affected,
since it would be be the most focused on the first letter or two of each
entry.

------
dangrover
> Schweng said the culture around this election, from the outset, was
> different than what she’d seen in the past. There were more reports of
> students taking down candidates’ posters, and more activity on social media.
> Some students suggested to the principal that the stakes felt higher because
> colleges are becoming increasingly more selective, and extracurriculars like
> student government are consequently more important.

This part was the most interesting revelation in the article to me! It never
would have occurred to me as a HS student to "cheat on extracurriculars"! I
just did the stuff that was interesting.

------
bhsalumni123
Nowhere in the article is it mentioned where the student gained access to a
mapping of student IDs to student first and last names. As a recent BHS
alumni, these ID numbers are not obviously derivable from a student's name
(but I do think they are allocated sequentially). Getting access to this list
implies some sort of social engineering or threat vector elsewhere.

------
OliverJones
Internet voting. What could go wrong?

In my opinion these two have done us all a service by showing what could go
wrong.

------
MagicPropmaker
He didn't expose flaws. They caught him.

~~~
will_pseudonym
The flaws exposed were of general cybersecurity--they had default passwords
comprised of a static string for every student + their student ID, and did not
require students to change that default password immediately upon first login.

"If a student does not change the default password, “anyone with access to
your student ID number will be able to access and delete your emails,
schoolwork, personal documents and anything stored on your Google Drive,”
Stern wrote in his message to the student body."

------
anbop
LOL. Reminds me of LBJ’s Senate election in 1948.

------
QuamStiver
This kid is going to be fighting off job offers.

