1) The coding mistake was typographically small, but <i>HUGE</i> in impact.<p>2) Reading further, the test included the exposed network, which had <i>more</i> critical flaws: default passwords, no passwords, and a terminal server keylogger feature that they used to capture the switches' admin password.<p>See "4 Attacking the Network Infrastructure" where they thoroughly penetrated the internal network. The funniest (in a sad way) part was...<p>"The first SSH attack we observed came from an IP address located in Iran (80.191.180.102), belonging to Persian Gulf University. We realized that one of the default logins to the terminal server (user: admin, password: admin) would likely be guessed by the attacker in a short period of time, and therefore decided to protect the device from further compromise that might interfere with the voting system test. We used iptables to block the offending IP addresses and changed the admin password to something much more difficult to guess. We later blocked similar attacks from IP addresses in New Jersey, India, and China."