spe
Winner of the Society of Professional Journalists’ Mark of Excellence award
cia on l gr th ims e b on ac is k! sue
April 9, 2014
sPRING, issue 6
Bugs in SGA ballot allow for multiple votes, non-student voters
Student Government 2014 Election results Presidential Results
Winner: Carla Deras
Vice Presidential Results Photo by Efram Goldberg Carla Deras, Jess Cushman and Maddie Sciullo conduct the first SGA meeting of the semester.
Drew Lacy Contributing Writer Bugs in the Student Government Association election ballot system allowed non-students to vote in the elections and allowed voters to vote multiple times. The Crimson determined through independent testing that at least one faculty member, two staff members and one alumnus were able to submit test ballots into the live system on April 4, the last day of SGA elections. Two Crimson staff members were also able to submit two test ballots each into the system by voting on different computers. The election ran from March 31 to April 4, and it is unclear how many other voters, if any, may have discovered or exploited these bugs. But ultimately, the bugs might not affect the final outcome of the elections. “Unless I receive documentation to indicate voter fraud changed the results of this election, the election results are valid,” said Dean of students Rodney Bowers, who certifies election results. Student Government president Carla Deras, who is running for re-election, first requested the form from web applications analyst Ian Koss on March 19, who responded by asking for a list of candidates. Koss intended to use an existing ballot form updated with the new candidate names. Deras said she sent the list of candidate names only five days before the voting opened because several candidates dropped out of the race. When Koss attempted to implement the names, he found that the original ballot system would not work on modern browsers. “The whole thing basically had to be rewritten in a couple
of days,” Koss said. “I finished it on Friday afternoon [March 28] and sent an email to Carla saying ‘Please test it over the weekend.’” Deras sent a link to the form to eight other SGA members for testing, including all four members of the election committee: Donald Thomas, Bella Schultz, Emily Burch, and Carolyn Chabuz. “We found mostly just dumb stuff,” Burch, an SGA senator, said. “The date on the form said
pend on identity is really, really hard,” Koss said. While Koss could “pretend” to vote as anyone – student, staff, faculty or alumni – when testing on his own computer, once he made the form live, he could only test as himself. It is nearly impossible to determine if these bugs were exploited because votes are anonymous, according to Koss. TRACKS usernames are converted by the system to “hash,” strings of characters that can be used by the computer to identify the TRACKS user but extremely difficult for a person to tie to an individual user. “There’s just no way of voting who voted for whom,” Koss said. “There’s really no way to be sure.” K o s s is currently working on replicating and determining the cause of the ballot bugs. “A student worker here in tech support was able to cast another ballot, but only one ballot,” he said over email. “Further attempts were properly denied, regardless of which computer he used.” Because the form was only live for a few more hours at the time the bug was discovered, Koss was unable to do significant testing on the live form and was reluctant to do so because of the potential to disrupt the results of the election. “If I can name a root cause to all these problems, it’s a tight deadline with no time for thorough testing,” Koss said in an email. “It’s hard to lay the blame for the short coding window at a single person’s feet.”
Unless I receive documentation to indicate voter fraud changed the results of this election, the election results are valid.” -Rodney Bowers SGA elections 2000 instead of 2014. The official candidate list on the SGA Facebook was also different than the ballot we first received, so that had to be fixed pretty quickly, but it all did.” The testing group didn’t catch the bugs that allowed multiple votes or ineligible voters to vote, and the form went live on Monday, March 31. It was not until the last day of voting that SGA and Koss were made aware of the bug. “As soon as I heard there was a problem […], I tried to update this code in the production form, but it was too restrictive and students were now being denied votes, which is an even worse problem,” Koss said. He removed the staff, faculty and alumni filter entirely, to allow voting to continue until the close of elections. “Testing systems that de-
Op/ed: SGA elections marred by apathy See sga, page 2
Winner: Jessica Cushman
Treasurer Results
Winner: Karley Herschelman
more election results, pg. 3
pro and cons: how i met your mother finale See mother, pg 6
OPINIONS....................... 2 campus life................. 3 sci/tech...................... 7