The hackers, a team of computer scientists from Ann Arbor, Mich., were capable of damage far less sophomoric. When the District’s Board of Elections and Ethics issued an open invitation for hackers to find vulnerabilities in a pilot system to allow overseas and military voters to cast ballots over the Web, it took about 36 hours for J. Alex Halderman and his students to break in. They found a document containing the names and 16-digit passwords of all 937 voters who were invited to use the system during the real election on Nov. 2.
The team could have used the data to vote in the name of every real voter and keep the real voters from voting, Professor Halderman told the Council of the District of Columbia on Friday.
He said he also saw signs that computer users in Iran and China were trying to crack the system’s master password which his team obtained from an equipment manual. (Network administrators had never changed the four-character default password.) He said that the foreign hackers were probably not specifically trying to break into the District’s voting system, but that they represented a threat nonetheless.
It took the elections board two days to notice the pranks.
A real attack might be completely invisible and could’ve gone on undetected for much, much longer, Professor Halderman said. He testified with other members of a coalition that contends that security technology might never be adequate for voting by secret ballot.
The next set of people who test it will find a whole new set of problems, Jeremy Epstein, a computer scientist at the policy group SRI International who was also critical of the voting system, said Friday during an interview.
Since the test, the elections board has scaled back the Web voting plan, though voters may still print out a ballot and mail it in.
But Paul Stenbjorn, the board’s director of information services, said there were no plans to abandon the project. The lesson learned is not to be more timid, but more aggressive about solving the problem, he responded.
The computer science community needs to understand that this toothpaste is already out of the tube, and no volume of warnings can put it back, he said.
Mr. Epstein said that computer voting has been tried in Estonia and in some recent primaries in America, but added that the ballots had not been anonymous. Currently, several West Virginia counties are participating in a pilot project to use online voting next month for Americans overseas and in the military. A version of this article appeared in print on October 9, 2010, on page A12 of the New York edition.