Saturday, October 25, 2014


Tangled Web

Zombies And Cyberattacks: The Pitfalls Of Russia's Opposition Elections

For the Russian opposition, the Internet has always been about circumvention. Circumventing the monotone pro-Putin media; circumventing the injustices of a political system that has shut them out for years; circumventing Putin's narrative of rebirth, national pride, and stability.
 
Thus it made perfect sense when the opposition decided to hold elections for a new Coordinating Council online. Starting on October 20, opposition supporters were given the chance to choose 45 members (from over 200) of a new Russian Opposition Coordinating Council. Over 80,000 people took part in the three-day poll.

The organizers of the online vote, however, have come under fire for potentially exposing participants' data, which could provide a database of dissent for the Russian authorities. And plagued by cyberattacks and "zombie voters," the opposition vote has shown how susceptible such platforms are to hijacking from malicious parties.
 
Things haven't been easy for Russia's opposition in recent years. A hodge-podge of hard-core leftists, Soviet-era dissidents, tech-savvy urban hipsters, and moneyed socialites, it has suffered from in-fighting and lacked a cohesive narrative or charismatic leader.
 
It was fitting then that Aleksei Navalny, an anticorruption blogger and opposition poster boy, came from the Internet. (Navalny came in first place in the online elections.) He became a symbol of this new Internet-powered civil society: diverse, atomized, and yes, mere blips on Russia's vast radar, but an emerging and important force nonetheless. Generation VKontakte weren't bound together by the ties of ideology, but rather by the social networks and blogging platforms they used.
 
The Opposition Coordinating Council is an attempt to bridge these divides and bring more organizational and ideological cohesion. In the future the council will coordinate protests and be involved in picking candidates for elections.
 
The man behind the opposition's election platform is Leonid Volkov, an IT specialist and municipal deputy from Yekaterinburg, an industrial city in the Urals. Volkov, who had once been prevented from running for the regional parliament and has called for a "cloud democracy" with virtual mayors, set up cvk2012.org, which features candidate lists, essays, discussion forums, and links to Facebook groups where participants could chat with the candidates. An independent Internet television station, Dozhd, ran debates between the candidates. Most importantly, cvk2012.org allowed people to vote for their preferred candidates.
 
The voting platform ran into trouble before the voting started when MMM, a shady pyramid scheme whose founder, Sergei Mavrodi, wants to bring down global capitalism, started registering candidates (and paying the $325 fee). Volkov claimed that the MMM has been paid by the Kremlin to disrupt the elections and blocked its candidacies.

The trouble continued when polls opened on October 20 when the website was hit by distributed-denial-of-service (DDoS) attacks and down for at least 36 hours. The voting was extended for two extra days, but a new problem emerged: a flood of "zombie" voters from MMM attempted to overrun the vote. According to "Time" magazine, the pyramid scheme "allegedly blocked thousands of MMM investors from accessing their investment accounts until they registered to vote."

According to TOL's Netprophet, Volkov was criticized for not doing enough to protect the website against DDoS attacks:

Volkov previously promised that the website was locked down tight, and was prepared to withstand any attacks. That, however, was not the case [ru]. Early on, one of the voting servers was successfully taken down by a LOIC attack – a famously easy to use and effective DDoS tool. (LOICs have been successfully used by the hacktivist group Anonymous in their attacks on the Church of Scientology.) The attackers then switched to using a Botnet, which caused further problems, prompting the use of a captcha response test. Both types of attacks are very low budget [ru].
 
Volkov was further criticized by opposition bloggers and activists for a potential leak of their personal data. When participants in the opposition election registered, they gave their names, birth dates, and telephone numbers. Before the poll, Volkov attempted to reassure concerned users that "malicious persons" would not be able to access participants' private information.
 
According to Kevin Rothrock at Global Voices, Volkov said that the website would not be storing any personal data and that "every voter is logged in the commission's database by a unique code that is computed using his full name and date of birth, but it's impossible to restore this data using that code." The names, birth dates, and telephone numbers were all stored as hash values, which would provide a level of encryption.

Volkov ran into trouble when he attempted to cross-check participants' phone numbers with participants from the MMM pyramid scheme, seemingly in an effort to root out the "zombies." A California-based Russian blogger pointed out that this could give MMM access to all of the participants' phone numbers. MMM's founder Mavrodi, who cheated millions of Russians out of their savings in the 1990s and served four years in prison, isn't the sort of man you'd trust with your data, especially not in light of Volkov's accusations that he was working in league with the Kremlin.
 
While Volkov quickly admitted the "screw-up" and said that there would be a technical audit, he has been criticized for his over-reliance on weak encryption before, with one blogger claiming the personal data could be deciphered easily with a brute force attack. Rothrock also raised questions about the anonymity of the users' information (i.e. whether the phone numbers were separate from the voters' other identifying data.)
 
In recent weeks, the Russian opposition has been under increasing pressure from the authorities. A statement from the Coordinating Council, which was posted on Navalny's website, said that the government was increasingly using direct pressure on its opponents, violating the provisions of Russian and international law. Leonid Razvozzhayev, an aide to an opposition deputy, claims he was tortured and abducted in Ukraine, before being shipped back to Russia.
 
Pro-Putin deputies are already seizing on the data scandal. Nationalist deputy Andrei Lugovoi, who was the chief suspect in the death of Aleksandr Litvinenko, has asked the Investigative Committee to look into the data breach. Prosecutors are also investigating whether the opposition council has defrauded the MMM members of their registration fees.

Often heralded as an opportunity for a truer and more representative democracy, the cyberattacks and potential data leak also show the vulnerability of such online platforms and the challenges grassroots initiatives face in maintaining sound information security.
This forum has been closed.
Comments
     
There are no comments in this forum yet. Be the first to add one.

About This Blog



Written by Luke Allnutt, Tangled Web focuses on the smart ways people in closed societies are using social media, mobile phones, and the Internet to circumvent their governments and the efforts of less-than-democratic governments to control the web. 
Partner Media

No records found for this widget:17474

Whistleblowing Survey

Griffith University and the University of Melbourne are running an international survey about attitudes to whistleblowing. The survey is anonymous and anyone can take part, not just whistleblowers. We invite you to participate in the World Online Whistleblowing Survey.