Friday, July 23, 2010

Synopsis

After all the information I've put here, I've decided to do a synopsis of the events that transpired to try and keep things clear and concise; if you want the full story, you'll have to go back to the beginning of this blog and read the first half-dozen or so posts in order of posting. Additionally, I believe that posting a link to this Synopsis at the beginning of each and every future post on this blog will keep people from getting overly confused as to why this blog exists.

Events:

Late 2008 - Mohawk College holds an online referendum vote which is found to have a major security flaw allowing users to vote multiple times.

Early 2009 - The College requests help from myself and others, even to the point of paying for our services to assist in closing the security holes mentioned above. A new voting system is created and used for Student Presidential elections.

November 2009 - Online Referendum vote held. The system is found to be extremely similar to the initial system from 2008; after brief testing, I find that this system is nearly identical to the earlier system in almost every way. Finding this, I submit an email to the CIO of the college describing the problem, how and what I proved through the brief tests I ran, what effects the tests would have and what to remove as illegitimate data, a suggestion on how to change/improve the voting system, and an offer of assistance with no mention of compensation for services (aka payment).

For the record, I was never searching to be paid for services; I merely wanted to help my school be the best it could be, and clearly the voting system was not the best it could be. I was happy in knowing I was involved in that improvement, and required nothing more than that satisfaction and recognition.

Within a few weeks of informing the CIO of the flaw, I was talked to by my Dean, the CIO, and Security, and was eventually suspended. I appealed the suspension due to the fact that I was unable to find where I was in violation of any rule (a stance I maintain to this day), and as a result of my appeal, my suspension was extended, despite, again, not being able to determine nor be told exactly how I violated which policy, just abstract descriptions of which policies were "broken".

I attempted contact with my Student's association, Legal and Government, and nothing, to this day, has been done. I remain suspended from Mohawk at least until September of this year.

On the technical side, I utilized a command-line scripting process, which can be reproduced in almost every operating system, where I used text-based Internet browsers to submit requests to specific URLs with specific data, in a massive way. Never did I attempt to mask my identity, nor did I intend or accomplish altering the outcome of the voting process. According to Mohawk's Policies, the ITSCC Definition of hacking is the willful misrepresentation of yourself or your computer for the purposes of either gaining access to which you are not otherwise entitled, or for the purposes of obtaining information to which you are not otherwise entitled (e.g., passwords). Therefore password hacking/cracking, or spoofing of system information, is a violation of the ITSCC policy. Since I was not doing either of these activities, I was not in violation of any policy.

Additionally, the voting system was "secured" (I use the term loosely) by two variables. The first was a student ID, which could easily be changed by manipulating the HTML code of the page; the second was cookie data that was transmitted for authentication of the session. As most sites do, Mohawk uses SSL to encrypt data transmission when submitting usernames and passwords. However, it does not use SSL in any other capacity, so the authentication cookies are transmitted in plain text every time you access any server or service that requires you to be "logged in to mocomotion". With the Wireless at Mohawk using a Pre-Shared Key system for encryption, every person with access to that key is capable of decrypting everyone else's traffic using commonly available tools and a general understanding of the encryption. THEREFORE, anyone with this knowledge and publicly available tools could get the cookie data from anyone using Mocomotion on wireless, and therefore authenticate to the voting server using that data if so inclined.

The story gets worse from there, but the general point of the previous two paragraphs is to demonstrate that there are SEVERAL security failings that could allow anyone with the intention of altering the voting outcome to do so without being directly implicated as doing anything wrong. Also, the only way to NOT be suspended would be to break the rules to the point at which it would be nearly impossible for the faculty to actually narrow down who performed the attack, by using cookie data other than that from your own session (which I did).
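How a vote handler closes the two weaknesses described above, as an added example that is not the College's code or anything from the original post: the voter's identity comes from the server-side session rather than from a student ID field in the page, the database itself refuses a second vote, and the session cookie is marked so it is never sent outside SSL. The schema, function names and sample IDs are assumptions made for illustration.

```python
import secrets
import sqlite3

def open_ballot_box():
    # Assumed schema: student_id is the primary key, so the database
    # itself rejects a second vote from the same student.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE votes (student_id TEXT PRIMARY KEY, choice TEXT NOT NULL)")
    return db

SESSIONS = {}  # session token -> student ID, kept on the server only

def login(student_id):
    """Issue a random session token (the password check is omitted here)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = student_id
    return token

def session_cookie_header(token):
    # Secure: the browser sends the cookie only over HTTPS, never in plain text.
    # HttpOnly: page scripts cannot read it. SameSite: not sent cross-site.
    return f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"

def cast_vote(db, cookie_token, form):
    """Record one vote for the logged-in student; returns (ok, reason)."""
    voter = SESSIONS.get(cookie_token)
    if voter is None:
        return False, "not logged in"
    # The voter is taken from the session. Any student_id field in the
    # submitted form is client-controlled and is deliberately ignored.
    choice = form.get("choice")
    if choice not in ("yes", "no"):
        return False, "invalid choice"
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO votes VALUES (?, ?)", (voter, choice))
    except sqlite3.IntegrityError:
        return False, "already voted"
    return True, "recorded"

def tally(db):
    return dict(db.execute("SELECT choice, COUNT(*) FROM votes GROUP BY choice"))

if __name__ == "__main__":
    db = open_ballot_box()
    t = login("000111222")  # constructed sample student ID
    print(cast_vote(db, t, {"choice": "yes"}))
    print(cast_vote(db, t, {"choice": "yes", "student_id": "000999888"}))
    print(tally(db))
```

The `Secure` attribute only helps if the whole logged-in site, not just the login form, is served over SSL.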

Long story short, I discovered, and proved there was a problem, offered to help, and got suspended. None of those that I would have expected to be obligated or have any interest in helping me did so, and overall everyone who may have any capability of helping is keeping distance from the situation.
