The perpetrators should be punished by being made to give a presentation on how they automated the process, what poor security practices allowed them to pull it off, and recommendations for preventing a similar incident in the future.
> “It just shows that people don’t make healthy cybersecurity decisions,” said Stern.<p>You mean like the administrators of the school? You can set a temp password to immediately expire. What's notable is that even after this incident they still didn't do so, just encouraged students to change the default password during orientation.
> Students were casting ranked-choice ballots via a Google Form accessed through district-provided Gmail accounts<p>> The investigators were also able to determine that the false votes were cast from a computer<p>I bet the real votes were cast from a computer too.
I did something very similar to this for my high school's prom queen vote who I wanted to win for teenager reasons. The voting system was just a bunch of laptops in front of the lunch room running a web app and all that was needed to vote was to know a student id. A few hours and some JavaScript later, I voted more than the entire senior class. It was only discovered after the event.
Ah, computerized high school class elections.<p>I could have rigged the vote to win at my school too, except that I wasn't in the right cliques. It would have been very suspicious if I won, and everyone knew I was "good with computers".<p>Our program actually saved who voted for who in plaintext. At least I got to see who voted for me.
So default password was student ID? Who wants to bet there was a list of names and student IDs available somewhere that made this trivial to automate?<p>(Or they were sequential with blocks for each class)
I'm glad to see that it seems the student in question was afforded a measure of process and admitted guilt -- I could easily see the story ending where the weaker opponent casts fake votes for their competition to get them eliminated!
The number of responses which go to "...I did this too" are fascinating. I also did stupid things in my past which nowadays would incur severe penalty, as hacking. They felt mild right up to the point I was caught (this is 35 years ago) and then they stopped feeling mild very quickly.<p>I feel very sorry for people in today's world who don't get the "everybody gets one free pass" on these things we did back in the day. I think we need a clear statute of limitations on some stuff done by minors and near-minors, regarding their future lives. Nobody is going to be eligible for election to senate or the law courts, or to work in federal or state bodies if we don't work out how to deal with this kind of thing.<p>That said, I am pretty sure rigging an election is a good indication you have need of some ethics. Amusing, but also not a good idea.<p>This ranks (in my books) with the recurring "we thought we'd make a film about a bank robbery without informing the bank or the shopping mall about it" type cock-up: Actions have (unforeseen) consequences.
Gosh, I did this back in my high school as a Senior, two years ago. Got myself suspended for two days and ruined my perfect attendance, oh well. It scared the shit out of me when two police officers barged into my U.S. History class and pulled me out.<p>The usernames of our voting system were our 5 digit student IDs. And the passwords... same as the usernames. I wrote a Puppeteer script that looped through 2000 IDs and voted for everyone. They tracked me down through my home IP address -- if there is a next time, I'll definitely use Tor haha.<p>EDIT: Yeah, the school's VP picked up on it because normally about 40% of the student body actually votes -- but this time it was 100%; plus when students started signing into their voting accounts, it claimed they already voted. Not my brightest moment.
Besides the fact that this "online voting" was immediately hacked, I wasn't fond of the notion that the votes had everyone's name attached.
<i>“When we spotted it, it was incredibly obvious,” said Stern, 17. “There were just massive alphabetical votes at random hours.”</i><p>Reminds me of an interview question: How would you do a reasonably good job of randomizing an incoming stream of items, while minimizing auxiliary storage?
> Schweng said the culture around this election, from the outset, was different than what she’d seen in the past. There were more reports of students taking down candidates’ posters, and more activity on social media. Some students suggested to the principal that the stakes felt higher because colleges are becoming increasingly more selective, and extracurriculars like student government are consequently more important.<p>This part was the most interesting revelation in the article to me! It never would have occurred to me as a HS student to "cheat on extracurriculars"! I just did the stuff that was interesting.
Nowhere in the article is it mentioned where the student gained access to a mapping of student IDs to student first and last names. As a recent BHS alumni, these ID numbers are not obviously derivable from a student's name (but I do think they are allocated sequentially). Getting access to this list implies some sort of social engineering or threat vector elsewhere.
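A defender's view of the signal quoted in the thread ("massive alphabetical votes at random hours"), as an added example that is not part of any comment or of the article: it scans a ballot log for rapid runs of submissions whose voter names arrive in sorted order. The log rows, the 60-second gap, the minimum run of 5 and the 07:00-22:00 "normal hours" window are all assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample log: (submission time, voter name). Not data from the article.
SAMPLE_BALLOTS = [
    ("2021-03-01 12:05:10", "Nguyen, Kim"),
    ("2021-03-01 12:07:44", "Baker, Tom"),
    ("2021-03-01 15:31:02", "Young, Ana"),
    ("2021-03-02 02:14:01", "Abbott, Lee"),
    ("2021-03-02 02:14:09", "Adams, Ray"),
    ("2021-03-02 02:14:15", "Allen, Sue"),
    ("2021-03-02 02:14:22", "Alvarez, Max"),
    ("2021-03-02 02:14:30", "Anders, Joy"),
    ("2021-03-02 02:14:38", "Avery, Sam"),
    ("2021-03-02 08:45:00", "Cole, Pat"),
]


def _record(bursts, run, min_run):
    """Keep a run only if it is long enough to be unlikely by chance."""
    if len(run) >= min_run:
        start, end = run[0][0], run[-1][0]
        bursts.append({
            "start": start,
            "end": end,
            "count": len(run),
            # Assumed normal voting window: 07:00 to 22:00 local time.
            "off_hours": not (7 <= start.hour < 22),
        })


def find_alphabetical_bursts(ballots, min_run=5, max_gap_s=60):
    """Return runs of closely spaced ballots whose voter names are in sorted order."""
    rows = sorted(
        ((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), name.casefold())
         for ts, name in ballots),
        key=lambda r: r[0],
    )
    bursts, run = [], rows[:1]
    for prev, cur in zip(rows, rows[1:]):
        gap = (cur[0] - prev[0]).total_seconds()
        if gap <= max_gap_s and cur[1] >= prev[1]:
            run.append(cur)  # same burst: fast and still in name order
            continue
        _record(bursts, run, min_run)
        run = [cur]
    _record(bursts, run, min_run)
    return bursts
```

On the constructed log this reports one burst: six ballots in name order within 37 seconds, starting at 02:14.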