Washington's newly elected U.S. Representative went by the name of Colossus. A villainous computer from science-fiction lore captured the city-council chairmanship. And 15 seconds after voters cast their ballots, they were serenaded by the University of Michigan fight song. The system had been hacked.

Fortunately the vote was merely a test, and the disruption was designed to be instructive. For the first time, Washington planned to allow overseas and military voters to submit their ballots over the Internet during next month's elections. To gauge its security and iron out the kinks, officials invited hackers to take a whack at breaching the system's defenses. That task turned out to be far too easy. "It just took one open door," says J. Alex Halderman, the University of Michigan computer scientist who led the assault. Within three hours, Halderman and two graduate students located a flaw in the system's "brittle" security design. After waiting a day for votes to stream in, the trio hijacked the server — changing ballots, broadcasting the maize and blue's fight song, seizing control of the security cameras in the board's offices and unearthing a folder containing the personal information of the more than 900 overseas voters who were to receive online ballots next month. It took 36 hours for officials to notice they had indeed been hacked.

Halderman says the exercise was meant to educate election officials about the dangers of online voting. "The question is not whether these systems can be broken into," he says. "It's whether anyone wants to."