The Washington D.C. Board of Elections & Ethics wanted to determine the user friendliness, robustness and security of its prototype elections voting web site "D.C. Overseas Digital Vote-by-Mail" (see this PDF for an overview description). The web site was designed to allow some 950 military and overseas voters to cast ballots online, an AP story appearing in the Washington Examiner reports.

So the Board of Elections encouraged outsiders to test the web site out for a week.

Well, last Wednesday, some University of Michigan students "hacked" the web site and embedded an MP3 file of the university's fight song that would play after each ballot was cast.

The D.C. Board of Elections took down the site last Friday, and a scaled-back version was relaunched yesterday - without the fight song. The Board of Elections is still hoping to be able to use the site for the November elections, assuming that it stands up to continued scrutiny.

According to the AP story:

"The relaunched site will allow voters to download ballots, but not cast them online as originally planned. Instead, they'll have to mail, fax or e-mail them in. The system is still an improvement over past years when overseas voters were sent their ballots by mail."

The Board of Elections plans to restore the ballot-casting feature in 2011.

More interesting to me is how the Board of Elections went about testing the system. They set up a credential system for testers (and hackers) and then gave them the source code and the layout of the servers (see PDF) on which it executed. Some 100 people requested credentials to participate, including a professor at the University of Michigan who asked his students to try to hack the site.

The Board of Elections has received about 50 comments so far on how to improve the site or errors experienced when testing it out.

The D.C. Board of Elections deserves praise for what it did, even though their site was hacked fairly quickly. The effort hopefully will result in a much better and more secure web site in the future.

It would be nice to see other government and private organizations - the IEEE included - do the same thing with their sites.

Update 07 October 2010: 0930 EST

There were two useful stories yesterday (here and here) in ComputerWorld that provide a bit more information on the University of Michigan students' hack attack.

According to ComputerWorld, it was Professor Alex Halderman's class that did the hacking. He is an assistant professor of computer science at the University of Michigan.

Professor Halderman is reported in ComputerWorld to have said that the security hole discovered (a shell injection flaw) was serious, and that they could "access the database username and password and the public key used to encrypt ballots. In addition, [they] found [that] they could install a backdoor on the server for viewing and recording votes and the names of those who cast them."

In addition, the article says that the Digital Vote by Mail application "is based on software from the Open Source Digital Voting Foundation, a group developing voting systems based on open-source technology. It's written using the Ruby on Rails framework and runs on an Apache Web server and MYSQL database... "

You can find out more about what Professor Halderman and his students found at this blog post.
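The flaw class named above, shell injection, in the application's language (Ruby), as an added example that is not code from the D.C. application or from the researchers. The article does not say where in the code the flaw sat, so the helper names, the `echo` command and the hostile file name are all constructed for illustration.

```ruby
require "open3"
require "shellwords"

# Constructed hostile input: a "file name" that carries a second shell command.
HOSTILE_NAME = "ballot.pdf; echo INJECTED"

# Before: the name is interpolated into one string, so Ruby hands the whole
# line to /bin/sh and the ';' starts a second command.
def run_interpolated(name)
  out, _status = Open3.capture2("echo received #{name}")
  out.lines.map(&:chomp)
end

# After: each argument is passed separately, so no shell ever parses the name.
def run_argv(name)
  out, _status = Open3.capture2("echo", "received", name)
  out.lines.map(&:chomp)
end

# Fallback when a shell string cannot be avoided: quote the value first.
def run_escaped(name)
  out, _status = Open3.capture2("echo received #{Shellwords.escape(name)}")
  out.lines.map(&:chomp)
end

# Defence in depth: accept only a conservative allowlist of characters and
# refuse a leading '-' or '.' so the name cannot act as an option or a path.
def safe_upload_name?(name)
  name.match?(/\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,99}\z/)
end

if __FILE__ == $PROGRAM_NAME
  puts "interpolated: #{run_interpolated(HOSTILE_NAME).inspect}"
  puts "argv form:    #{run_argv(HOSTILE_NAME).inspect}"
  puts "escaped:      #{run_escaped(HOSTILE_NAME).inspect}"
  puts "allowlisted?  #{safe_upload_name?(HOSTILE_NAME)}"
end
```

Only the interpolated form produces a second output line; the argument-list and escaped forms pass the whole string through as data, and the allowlist rejects it before any command runs.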


The Spectacular Collapse of CryptoKitties, the First Big Blockchain Game

A cautionary tale of NFTs, Ethereum, and cryptocurrency security

Mountains and cresting waves made of cartoon cats and large green coins.
Frank Stockton

On 4 September 2018, someone known only as Rabono bought an angry cartoon cat named Dragon for 600 ether—an amount of Ethereum cryptocurrency worth about US $170,000 at the time, or $745,000 at the cryptocurrency’s value in July 2022.

It was by far the highest transaction yet for a nonfungible token (NFT), the then-new concept of a unique digital asset. And it was a headline-grabbing opportunity for CryptoKitties, the world’s first blockchain gaming hit. But the sky-high transaction obscured a more difficult truth: CryptoKitties was dying, and it had been for some time.

The launch of CryptoKitties drove up the value of Ether and the number of transactions on its blockchain. Even as the game's transaction volume plummeted, the number of Ethereum transactions continued to rise, possibly because of the arrival of multiple copycat NFT games.

That perhaps unrealistic wish becomes impossible once the downward spiral begins. Players, feeling no other attachment to the game than growing an investment, quickly flee and don’t return.

Whereas some blockchain games have seemingly ignored the perils of CryptoKitties’ quick growth and long decline, others have learned from the strain it placed on the Ethereum network. Most blockchain games now use a sidechain, a blockchain that exists independently but connects to another, more prominent “parent” blockchain. The chains are connected by a bridge that facilitates the transfer of tokens between each chain. This prevents a rise in fees on the primary blockchain, as all game activity occurs on the sidechain.

Yet even this new strategy comes with problems, because sidechains are proving to be less secure than the parent blockchain. An attack on Ronin, the sidechain used by Axie Infinity, let the hackers get away with the equivalent of $600 million. Polygon, another sidechain often used by blockchain games, had to patch an exploit that put $850 million at risk and pay a bug bounty of $2 million to the hacker who spotted the issue. Players who own NFTs on a sidechain are now warily eyeing its security.

Remember Dragon

The cryptocurrency wallet that owns the near million dollar kitten Dragon now holds barely 30 dollars’ worth of ether and hasn’t traded in NFTs for years. Wallets are anonymous, so it’s possible the person behind the wallet moved on to another. Still, it’s hard not to see the wallet’s inactivity as a sign that, for Rabono, the fun didn’t last.

Whether blockchain games and NFTs shoot to the moon or fall to zero, Bladon remains proud of what CryptoKitties accomplished and hopeful it nudged the blockchain industry in a more approachable direction.

“Before CryptoKitties, if you were to say ‘blockchain,’ everyone would have assumed you’re talking about cryptocurrency,” says Bladon. “What I’m proudest of is that it was something genuinely novel. There was real technical innovation, and seemingly, a real culture impact.”

This article was corrected on 11 August 2022 to give the correct date of Bryce Bladon's departure from Dapper Labs.

This article appears in the September 2022 print issue as “The Spectacular Collapse of CryptoKitties.”
