Almost from the start my techie skeptical antennae were twitching. Who would have the motive to disrupt an NDP leadership convention? And who would do it so poorly that nothing of consequence resulted other than some frazzled nerves? The system never went offline, its performance was just degraded. The convention ended, a leader was chosen. Was this just a case of an anti-social basement dweller getting his kicks in between bouts of World of Warcraft?
The news releases to date have not ameliorated my skepticism either.
"Officials say they may be able to identify the source of the attack, which jammed the online voting system, provided by Spanish company Scytl.
Party president Rebecca Blaikie told Radio-Canada that they isolated two IP addresses behind the attacks, which at one point sparked more traffic than if all 131,000 members were trying to vote at the same time. An IP address is a number assigned to an internet connection that may be able to point the party to the perpetrator."
Two IPs were able to generate enough traffic to take down the online voting system???? REALLY?
The outsourced partner that the NDP used is a global company whose primary purpose is to provide secure online voting systems. A company this big should have systems powerful enough, and protected enough, to handle small- to large-scale DoS attacks. If they don't, they need to get out of this business pronto. It is damnably difficult to DoS even a "small" server with two IP addresses. It should be impossible to disrupt a large hosted cluster of servers. One would hope that if a country ran its federal election using Scytl's services, it would take an enormous army of attacking computers to disrupt the process. Full-scale cyberwarfare, in other words.
This whole story smells. Denial of Service attacks usually require hundreds, if not thousands, of computers to simultaneously attack their target. If it takes much less than that, then the code running on the system is so poorly written that a single legitimate user could take the system down by clicking "refresh" in their web browser over and over again.
The other problem with the story is the "isolation of two IP addresses". An attacker doesn't directly use their own computers to try to DoS a system. Such actions are illegal and can incur serious jail time. You use a network of compromised computers to attack your target: computers belonging to ordinary people, infected with malware. A botnet. (There is also the problem that DoS attacks do not always require a legitimate source IP address to work. IP spoofing does work in this case, so the two addresses that were "isolated" need not belong to the attacker at all.)
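As an added illustration (not from the original post, and not Scytl's code), this is the per-source traffic check a defender would run over web access logs to separate a handful of flooding addresses from the legitimate voter population; the log lines, IP addresses and thresholds are all constructed for the example.

```python
import re
from collections import Counter

# Common Log Format access line. Everything parsed below is a constructed sample,
# not data from the convention or from Scytl.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_line(line):
    """Return (source_ip, request_line, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    return (m.group("ip"), m.group("req"), int(m.group("status"))) if m else None

def requests_per_source(lines):
    """Count requests per source address over the whole log window."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[parsed[0]] += 1
    return counts

def flag_flooders(counts, per_voter_requests=5, shared_nat_clients=50):
    """Flag sources that exceed what even a shared office gateway full of
    legitimate voters could produce. Both parameters are assumptions for this
    example. A flagged address may still be a spoofed source or a NAT gateway,
    so it is a lead for investigation, not proof of who the operator is."""
    threshold = per_voter_requests * shared_nat_clients
    flagged = {ip: n for ip, n in counts.items() if n > threshold}
    total = sum(counts.values())
    share = sum(flagged.values()) / total if total else 0.0
    return flagged, share

def build_sample_log():
    """Constructed sample: 131 ordinary voters with three requests each, plus two
    sources hammering the ballot endpoint (all addresses from documentation ranges)."""
    stamp = "[01/Jan/2012:12:00:00 +0000]"  # constructed timestamp
    lines = [f'192.0.2.{i + 1} - - {stamp} "GET /ballot HTTP/1.1" 200'
             for i in range(131) for _ in range(3)]
    for ip in ("203.0.113.7", "198.51.100.9"):
        lines += [f'{ip} - - {stamp} "GET /ballot HTTP/1.1" 503' for _ in range(2000)]
    return lines

if __name__ == "__main__":
    flagged, share = flag_flooders(requests_per_source(build_sample_log()))
    for ip, n in sorted(flagged.items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} requests")
    print(f"flagged sources produced {share:.1%} of all traffic")
```

The same aggregation is what lets a party "isolate two IP addresses"; the caveat in the function docstring is why that number alone says little about who was behind the traffic.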
Based on the story released so far, we have a global company, whose only purpose is to provide online voting, running a system so poorly protected that it is taken down by two IP addresses, which are then traceable back to a lazy hacker just waiting to be arrested.
You can never underestimate stupidity, but this is practically a conspiracy of the stupid and the inept. There's a lot more to this story, and what has been released so far does not make sense. In any event, Scytl's reputation took a huge hit. Their system should not have been disrupted. If online voting is their bread and butter, and they couldn't handle a small Canadian party convention, well, their investors should start getting the hell out now. DoS or regular old poor performance, would you use Scytl to host a vote?