Friday, May 19, 2006
Tuesday, May 02, 2006
A few weeks ago the ACM held its online elections for its officers. After receving an email with a "unique PIN", I was curious how random the distribution of voting PINs actually was. About a dozen of ACM members emailed me their PINs and the timestamp on the email from the election server. The graph plots the PIN number vs. the estimated time of day for receiving the email. The points look linear to me.
From: "Election Services Corporation for ACM"
To: "Kevin Fu"
Subject: ACM 2006 Election
Date: Fri, 7 Apr 2006 14:32:16 -0400
Dear Kevin Fu:
This e-mail is being sent on behalf of the Association for Computing
Machinery (ACM). To confirm authenticity of this message, go to
ACM is pleased to offer its members the opportunity to vote online in the
You are encouraged to participate in this election. Please note that 12:00
noon Eastern Time, May 23, 2006 is the deadline for submitting your vote.
It is important that the voice of ALL members be heard.
To vote online, please go to: https://www.escvote.com/acm2006
You will need your 7-digit ACM Member Number to log in to the secure
voting site. If you do not know your membership number, please go to
For additional help, please visit the help screen on the log-in page by
clicking on the "Help" button.
Enter the 10-digit unique PIN seen below.
Enter your 7-digit ACM Member Number.
Follow the online voting instructions.
ACM Council Election
Your Unique PIN is: 0502XXXXXX
If you have any questions, please e-mail firstname.lastname@example.org
or call toll-free 1-866-720-4357.
Thank you for taking the time to submit your vote online.
Association for Computing Machinery
The company conducting the election says:
Thank you for your interest and comments regarding the ACM election.The "unique PIN" turns out to simply be a user identifier, and the security of the election rests on the secrecy of the voter's ACM member number. This is probably reasonable for something minor like the ACM election, but it does create unnecessary dependencies.
The pins we generate are not in precise sequential order. They are however in ascending order when transmitted to the queue on the email server. There is no direct correlation between the member id and the pin.
However we thank you for your findings as we are always trying to improve our security and will review these finding in attempt to further improve the process.
The ACM election was mentioned once before in the Risks Digest