NDP leadership vote marred by online attacks, low turnout
New Democrats face repeated attacks on last day of race to replace Jack Layton
<?xml version="1.0" encoding="UTF-8"?>
<!--Xholon Workbook http://www.primordion.com/Xholon/wb/ (C) Ken Webb Sun Mar 25 2012 12:06:50 GMT-0400 (EDT)-->
<XholonWorkbook>
<Notes><![CDATA[
Xholon
------
Title: NDP leadership vote marred by online attacks, low turnout
Description: New Democrats face repeated attacks on last day of race to replace Jack Layton
Url: http://www.cbc.ca/news/politics/story/2012/03/24/ndp-leadership-voting-problems.html
InternalName:
YoutubeId:
Keywords:
My Notes
--------
Saturday March 24 was the last day of the New Democratic Party (NDP) convention in Canada. The NDP is the official opposition in the Canadian Parliament. Online voting from across the country was delayed by several hours because of what's been reported as a denial of service attack.
In this workbook I'll have a quick look at what a denial of service attack is, based on what's been reported in the media. My main source is an article by Laura Payton at the CBC. I've also consulted::
http://www.theglobeandmail.com/news/politics/hackers-attack-ndp-delaying-electronic-leadership-vote/article2380413/
http://www.ctv.ca/CTVNews/TopStories/20120324/ndp-convention-online-voting-problems-delays-120324/
In addition, I've added a few technical details based on my own knowledge of computers.
To use this simulation of an online voting system::
Press the Run button above.
Press the Pause button in the runtime overlay.
Watch as requests are created by voters and attackers, and consumed by the server.
To enable a denial of service attack in the simulation::
Scroll down to the Attackerbehavior editor, which contains multiple lines of JavaScript code.
Uncomment the 5 lines of code. This means remove the two / characters at the start of each line.
Rerun the simulation by pressing the Run button above, or the Refresh button in the runtime overlay.
Press the Pause button in the runtime overlay.
Note that the server in the simulation often gets behind when handling normal traffic, and is then able to recover.
But the additional denial of service requests can quickly push the server beyond its capabilities.
This is just a simplistic simulation. In the real world there would be a lot more requests coming in to the server.
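Added example (not part of the original workbook, and not Xholon code): a stand-alone JavaScript model of the same queue, showing why a server that is already at its limit (20 voters x 0.5 = 10 expected requests per time step, against a capacity of 10) falls behind for good once extra requests arrive. The function names, the seeded random generator, the processing order within a time step and the 40-attacker case are assumptions made for this illustration.

```javascript
// Constructed model of the workbook's request queue; plain JavaScript, no Xholon API.
function makeRng(seed) {            // mulberry32: small seeded PRNG so runs repeat
  var a = seed | 0;
  return function () {
    a = (a + 0x6D2B79F5) | 0;
    var t = Math.imul(a ^ (a >>> 15), a | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

function simulate(opts) {
  var voters = opts.voters, attackers = opts.attackers;
  var capacity = opts.capacity, steps = opts.steps;
  var rng = makeRng(opts.seed);
  var queue = [];                   // FIFO, like the Requests container
  var r = { arrived: 0, votes: 0, rejected: 0, backlog: 0, maxBacklog: 0, meanWait: 0 };
  var totalWait = 0;
  for (var t = 0; t < steps; t++) {
    // Each voter / attacker emits a request with probability 0.5 per time step.
    for (var v = 0; v < voters; v++) {
      if (rng() > 0.5) { queue.push({ valid: true, born: t }); r.arrived++; }
    }
    for (var k = 0; k < attackers; k++) {
      if (rng() > 0.5) { queue.push({ valid: false, born: t }); r.arrived++; }
    }
    // The server removes at most `capacity` requests, valid or not.
    queue.splice(0, capacity).forEach(function (req) {
      if (req.valid) { r.votes++; totalWait += t - req.born; }
      else { r.rejected++; }        // no password: discarded, but it used a slot
    });
    r.maxBacklog = Math.max(r.maxBacklog, queue.length);
  }
  r.backlog = queue.length;
  r.meanWait = r.votes ? totalWait / r.votes : 0;
  return r;
}

// attackers: 1 matches the workbook; 40 is a constructed heavier load.
[0, 1, 40].forEach(function (n) {
  var out = simulate({ voters: 20, attackers: n, capacity: 10, steps: 200, seed: 2012 });
  console.log("attackers=" + n, JSON.stringify(out));
});
```

The votes that do get through are still counted correctly; what changes is how long legitimate requests wait (meanWait) and how many are still queued when the run ends (backlog).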
Note that the server in the simulation checks the password. It only updates the database if the password is valid.
This is what is meant when the CBC story says that "The system was not hacked, Lavigne said, and the integrity of votes cast was not compromised." The votes are stored in the database.
]]></Notes>
<script implName="lang:python:inline:"><![CDATA[
]]></script>
<script implName="lang:javascript:inline:"><![CDATA[
]]></script>
<_-.XholonClass>
<!-- types of domain objects -->
<PhysicalSystem/>
<OnlineVotingSystem/>
<DenialOfServiceAttack/>
<Computer>
<Server/> <!-- a computer that's connected to the internet and that provides online services -->
<Database/> <!-- a computer that stores the voting results -->
<Voter/> <!-- a computer used by a legitimate online voter -->
<Attacker/> <!-- the source of the attack -->
</Computer>
<InternetConnection/>
<Request/>
<IPAddress/> <!-- an address indicating the source and destination of a Request -->
<!-- collections of domain objects -->
<Requests/>
<Voters/>
<Attackers/>
</_-.XholonClass>
<xholonClassDetails>
</xholonClassDetails>
<PhysicalSystem>
<OnlineVotingSystem>
<Server/>
<Database>0</Database>
</OnlineVotingSystem>
<Voters>
<Voter multiplicity="20"/>
</Voters>
<Attackers>
<Attacker multiplicity="1"/>
</Attackers>
<Requests>
<!-- Request objects will be added at runtime; each Request has an IPAddress -->
</Requests>
</PhysicalSystem>
<Blockbehavior implName="lang:python:inline:"><![CDATA[
]]></Blockbehavior>
<Blockbehavior implName="lang:javascript:inline:"><![CDATA[
]]></Blockbehavior>
<Voterbehavior implName="lang:webEditionjs:inline:"><![CDATA[
if (Math.random() > 0.5) {
var myVote = "";
if (Math.random() > 0.5) {
myVote = "John Smith";
}
else {
myVote = "Jane Doe";
}
var timestep = this.application("getTimeStep");
var votingRequest =
"<div class='Request' sourceIPAddress='111.222.333.444' id='"
+ timestep + "' password='mysecretpassword'>My vote is for "
+ myVote + " (" + timestep + ")</div>";
var requests = this.parent('.Voter').parent('.Voters').siblings('.Requests');
requests.append(votingRequest);
}
]]></Voterbehavior>
<Serverbehavior implName="lang:webEditionjs:inline:"><![CDATA[
var database = this.parent('.Server').parent('.OnlineVotingSystem').children('.Database');
var requests = this.parent('.Server').parent('.OnlineVotingSystem').siblings('.Requests');
var count = 0; // server can only handle a maximum of 10 requests each time step
requests.children('.Request').each( function() {
if (count++ >= 10) {return false;}
var $this = $(this); // declare locally so the wrapper does not leak into the global scope
if ($this.attr('password') == 'mysecretpassword') {
database.incVal(1);
}
else {
print('\ninvalid voting request');
}
$this.remove();
});
]]></Serverbehavior>
<Databasebehavior implName="lang:webEditionjs:inline:"><![CDATA[
print("\n" + this.parent().attr('val') + " votes have been cast");
]]></Databasebehavior>
<Attackerbehavior implName="lang:webEditionjs:inline:"><![CDATA[
//if (Math.random() > 0.5) {
// var votingRequest = "<div class='Request' sourceIPAddress='555.666.777.888'>Denial of service</div>";
// var requests = this.parent('.Attacker').parent('.Attackers').siblings('.Requests');
// requests.append(votingRequest);
//}
]]></Attackerbehavior>
<Blockbehavior implName="lang:bsh:inline:"><![CDATA[
]]></Blockbehavior>
<Blockbehavior implName="lang:jruby:inline:"><![CDATA[
]]></Blockbehavior>
<Blockbehavior implName="lang:groovy:inline:"><![CDATA[
]]></Blockbehavior>
<SvgClient><Attribute_String roleName="svgUri"><![CDATA[data:image/svg+xml,
]]></Attribute_String><Attribute_String roleName="setup">${MODELNAME_DEFAULT},${SVGURI_DEFAULT}</Attribute_String></SvgClient>
</XholonWorkbook>