Alice, Bob, and Mallory: Did Little Bobby Tables migrate to Sweden?

Did Little Bobby Tables migrate to Sweden?

Jonas Elfström — Thu, 23 Sep 2010 22:36:00 +0200

As you may have heard, we've had a very close election here in Sweden. Today the Swedish Election Authority published the hand written votes. While scanning through them I happened to notice

R;13;Hallands län;80;Halmstad;01;Halmstads västra valkrets;0904;Söndrum 4;pwn DROP TABLE VALJ;1

The second to last field¹ is the actual text on the ballot². Could it be that Little Bobby Tables is all grown up and has migrated to Sweden? Well, it's probably just a joke but even so it brings questions since an SQL-injection on election data would be very serious.

Someone even tried to get some JavaScript in there:

R;14;Västra Götalands län;80;Göteborg;03;Göteborg, Centrum;0722;Centrum, Övre Johanneberg;(Script src=http://hittepa.webs.com/x.txt);1

I'm pleased to see that they published the list as text and not HTML. This hacker/joker voter seems to think³ they "censored" his vote/script. I'm not so sure about that, a more reasonable explanation is that they couldn't enter brackets, quotation marks, and so on.

There are also a couple of URL:s to online retailers and three votes on a conspiracy friendly site. I chose not to link to any of those.

This time the pen and paper scripting attack failed. Let's hope it stays that way.

PS. Someone noticed that there are no votes from Stockholm in there right now (2010-09-24). I asked the Swedish Election Authority about this and it turns out that The County Administrative Board (Länsstyrelsen) gets two months to register all the handwritten votes. There's a good chance that those will bring more attempts like the ones above. DS.

EDIT 2010-09-24
Links:
Aftonbladet DN SvD Expressen SVT - all in Swedish.
Slashdot BBC Wired

¹The name of the party, not a name of a person.
²Almost all Swedish voters use the preprinted ballots but you are allowed to write your own by hand.
³The site disappeared after this post was published.

"Did Little Bobby Tables migrate to Sweden?" by Dan

Fri, 30 Mar 2012 04:35:07 +0200

I wonder if little Bobby Tables is planning to migrate to the US as the 2012 presidential election is just a few months away. HA!

"Did Little Bobby Tables migrate to Sweden?" by Ian Best

Sat, 24 Mar 2012 04:08:11 +0100

Haha, nice idea, will start a party and try to get on the ballot. A win with predefined margin is guaranteed :)

"Did Little Bobby Tables migrate to Sweden?" by Dom

Tue, 19 Apr 2011 14:35:12 +0200

Haha wicked!

"Did Little Bobby Tables migrate to Sweden?" by Jan Tagesgeld

Fri, 26 Nov 2010 12:09:53 +0100

Are there any legal implications with votes trying to mess up the voting system? I guess, there authorities are not too happy with these attempts but as nothing happened and the votes are anonymous, there is nothing, they can do :) And at first, I thought that “hittepa” was an attempt to write “http”, hehe.

"Did Little Bobby Tables migrate to Sweden?" by Jonas Elfström

Wed, 03 Nov 2010 10:22:09 +0100

Yes they did. They actually answered in a couple of hours.

"Did Little Bobby Tables migrate to Sweden?" by Headboards for beds

Wed, 03 Nov 2010 04:35:29 +0100

The Swedish Election Authority actually got back to you? Kudos!

"Did Little Bobby Tables migrate to Sweden?" by Security Tester

Fri, 15 Oct 2010 16:25:32 +0200

Lurker….character encoding might just work

"Did Little Bobby Tables migrate to Sweden?" by Jonas Elfström

Fri, 15 Oct 2010 12:45:55 +0200

@Lurker111 There are a lot of good advice on how to prevent SQL injection on Wikipedia.

"Did Little Bobby Tables migrate to Sweden?" by Lurker111

Fri, 15 Oct 2010 02:09:42 +0200

I occasionally code SQL to interface with customer data-bases. It had never occurred to me that the syntax of the overall SQL statement could be short-circuited in this way. Now that I think of it, it is rather obvious. One thing I do before accepting a character field is run it against a routine to double quote marks–this may prevent the attack. Does anyone know?

(Naturally, quote marks & special characters in a numeric field trigger an edit error right away.)

"Did Little Bobby Tables migrate to Sweden?" by Thomas

Mon, 27 Sep 2010 12:43:21 +0200

If those findings show anything, than that: your swedish voting software seems to be secure in terms of Web Application Security. Be proud!

"Did Little Bobby Tables migrate to Sweden?" by Been there, done that

Sat, 25 Sep 2010 00:43:41 +0200

http://bit.ly/by6uDd

"Did Little Bobby Tables migrate to Sweden?" by pipe

Fri, 24 Sep 2010 18:43:53 +0200

Argh. Someone should recall their “utgivningsbevis”. This is so stupid.

"Did Little Bobby Tables migrate to Sweden?" by Jonas Elfström

Fri, 24 Sep 2010 18:36:15 +0200

http://www.dn.se/nyheter/valet2010/forsokte-hacka-valet-med-rostsedlar-1.1176677

"Did Little Bobby Tables migrate to Sweden?" by Finnjävel, not the previous one

Fri, 24 Sep 2010 17:56:41 +0200

Same thing in the Finnish IT press: http://www.mikropc.net/kaikki_uutiset/article506116.ece http://www.tietoviikko.fi/kehittaja/article506196.ece

"Did Little Bobby Tables migrate to Sweden?" by Jonas Elfström

Fri, 24 Sep 2010 17:00:47 +0200

This is big news here in Sweden and totally blown out of proportion.

http://www.aftonbladet.se/nyheter/valet2010/article7844634.ab

http://www.svd.se/nyheter/politik/valet2010/forsokte-hacka-valet-med-rostsedlar_5394833.svd

http://www.expressen.se/nyheter/val2010/1.2149620/forsokte-hacka-valet-med-rostsedlar

"Did Little Bobby Tables migrate to Sweden?" by Name

Fri, 24 Sep 2010 16:43:30 +0200

@yaw and others: Thank you for correcting me, I did not know that. So, @Uwe, good luck with your project :)

"Did Little Bobby Tables migrate to Sweden?" by humus

Fri, 24 Sep 2010 16:04:45 +0200

@finnjävel igen “Kalle Anka” is the name of donald duck in sweden ;D but your name sounds scandinavian..u probably know that already ^^

"Did Little Bobby Tables migrate to Sweden?" by Finnjävel Igen

Fri, 24 Sep 2010 15:19:42 +0200

Haha, candidate called Kalle Anka got 178 handwritten votes, which is quite a lot in a situation where 800 votes made a difference between majority and minority:-)

"Did Little Bobby Tables migrate to Sweden?" by Jonas Elfström

Fri, 24 Sep 2010 14:18:55 +0200

@Martin Thanks! Corrected.

"Did Little Bobby Tables migrate to Sweden?" by Super

Fri, 24 Sep 2010 13:44:51 +0200

I would recommend that you place your vote on a real party instead.

Why cast 1 vote when you could cast 10 :)

"Did Little Bobby Tables migrate to Sweden?" by Ivar

Fri, 24 Sep 2010 13:44:38 +0200

So I should have voted for “Myself;1000000” to get a million votes?

"Did Little Bobby Tables migrate to Sweden?" by Martin

Fri, 24 Sep 2010 13:16:06 +0200

Haha, that’s about the only good thing this election has brought us.

However, unless you possess the ability to time travel (kudos if you do), I’d say that now should probably be 2010-09-24 and not 2010-10-24.

"Did Little Bobby Tables migrate to Sweden?" by Stefan

Fri, 24 Sep 2010 11:47:09 +0200

@Name: Elections for mayors, at least in Germany’s federal state of Baden-Wuerttemberg allow voters to put a handwritten name on the ballot. So this idea is applicable in Germany as well.

"Did Little Bobby Tables migrate to Sweden?" by Rias

Fri, 24 Sep 2010 11:04:15 +0200

@yaw

you could also start a party and try to get on the ballot. You need about 2000 signatures in one Bundesland … As far as I know der no juristic restrictions on the party name ;)

"Did Little Bobby Tables migrate to Sweden?" by killswitch

Fri, 24 Sep 2010 10:49:36 +0200

@ name: in some of germany’s federal states you can propose your own candidate if it’s a mayoral election in a small commune

@ topic: gogo gadget javascript