
Diebold Threatens to Pull Out of North Carolina

foobaric writes "A North Carolina judge ruled that Diebold may not be protected from criminal prosecution if it fails to disclose the code behind its voting machines as required by law. In response, Diebold has threatened to pull out of North Carolina." From the article: "The dispute centers on the state's requirement that suppliers place in escrow 'all software that is relevant to functionality, setup, configuration, and operation of the voting system,' as well as a list of programmers responsible for creating the software. That's not possible for Diebold's machines, which use Microsoft Windows, Hanna said. The company does not have the right to provide Microsoft's code, he said, adding it would be impossible to provide the names of every programmer who worked on Windows."
  • by chris_mahan ( 256577 ) <chris.mahan@gmail.com> on Tuesday November 29, 2005 @05:00PM (#14141083) Homepage
    Diebold forced out of North Carolina.

    "Under pressure to comply with State Law, Diebold instead chooses to leave the field to its competitors."

  • by ivan256 ( 17499 ) * on Tuesday November 29, 2005 @05:06PM (#14141155)
    Usually when you develop an embedded system, you demand code escrow from your suppliers. Microsoft is a special case though, because when they enter the conversation everybody seems to become stupid. If they had gone with any other vendor (I'm not just talking Linux here... They could have used VxWorks, QNX, BSD, one of the various DOSes...) they would have had code escrow. I bet they do for every other third party bit of software on their machine.

    The list of developer names is pretty unreasonable, but code escrow is something that happens all the time, and only Microsoft manages to get out of it.
  • by Utopia ( 149375 ) on Tuesday November 29, 2005 @05:14PM (#14141254)
    Windows CE source code is available
    http://www.microsoft.com/resources/sharedsource/Licensing/WindowsCE.mspx [microsoft.com]

    With Windows CE, "OEM customers worldwide can create and distribute commercial derivatives of the Windows CE 5.0 operating system source code for shipping in commercial devices without notifying Microsoft or sharing their derivative works with the embedded community."
  • by everphilski ( 877346 ) on Tuesday November 29, 2005 @05:16PM (#14141265) Journal
    as well as a list of programmers responsible for creating the software.

    If they were using Linux, do you really think they could provide a list of programmers? I mean come on think of the thousands upon thousands who have contributed, many times without mention...

    -everphilski-
  • by Anonymous Coward on Tuesday November 29, 2005 @05:18PM (#14141299)
    Actually you could disclose the hardware pretty easily: use an FPGA-based open-core CPU.
  • Re:*Who* threatens? (Score:5, Informative)

    by killjoe ( 766577 ) on Tuesday November 29, 2005 @05:19PM (#14141309)
    That's what happens in a free economy. Alas when dealing with govt purchases there is a tremendous amount of corruption and backroom dealing. Chances are the spec was written to make sure only diebold machines qualified. This is a common tactic when the bribes have already been received, hands have already been shaken, winks and nudges have already been traded.

    If Diebold pulls out and somebody else steps in Diebold will sue the state for choosing a vendor which did not qualify under the original bid.

    Most often laws and bids are written to benefit just one company like when a law gets passed exempting "any aluminum processing company which employs more than 300 people in a designated enterprise zone" meaning the Alcoa plant down the street.

    Procurement is the same. The specs are written so that only one product complies.
  • Background info (Score:5, Informative)

    by OWJones ( 11633 ) on Tuesday November 29, 2005 @05:30PM (#14141437)

    Note: I have been working on voting integrity issues in North Carolina for a little while now, and advised the committees that drafted the bill in question.

    The state passed a pretty comprehensive election reform bill, which included the provision that all vendors must hand over all code that runs, is installed on, or is otherwise used in the operation of the voting machines. No ifs, ands, or buts.

    Our State Board of Elections did not like this. They want paperless voting machines, and badly. Like a six-year-old that's been told to clean up its room, they're dragging their feet on enforcing these (and other provisions). When writing the Request For Purchase (bid requirements), some staffer added a "clarification" that the vendors only had to hand over "available" software, and simply explain why they couldn't hand over the rest. In other words, "Here's why I'm going to be breaking the law today."

    Lawmakers were not happy. The SBOE, however, didn't particularly care. They didn't see a problem with only handing over a portion of the code, and wanted to interpret the law as loosely as possible.

    Diebold pointed out that "available" was different than "everything", and actually got a restraining order that prevented the state from suing them for not complying with any of the new provisions of the law. This case essentially overturned that ruling, saying "Uh, no, you actually have to comply with the law." Technically it says, "Ask your lawyers for legal advice, not the court, we're not going to pre-judge the law before there's an actual conflict (i.e., you actually get sued for violating these provisions)."

    So Diebold is going to take their ball and go home, since they would actually have to play by the rules. Oh well.

    On a side note, I didn't see any evidence that Diebold actually tried to get a Shared Source [microsoft.com] license from Microsoft, which would actually let them escrow the code. Maybe Diebold didn't actually want to escrow, well, anything?

    Imagine that.

    -jdm

  • by greed ( 112493 ) on Tuesday November 29, 2005 @05:34PM (#14141488)
    And really, what would be the point of having access to half of the software stack?

    You haven't read Ken Thompson's famous bit on how to trojan the compiler and a particular application [bell-labs.com] so that you can't find any trace of the trojan in the source code for either one, then? (Was the first hit on a Google for "compiler trojan trust".)

    Basically, if you don't have the entire stack, and a completely independent way to compile it, you have no idea what is happening in a completed stack. Especially if the code is running at high privilege; you could have your I/O drivers replacing code blocks on load so that the application suite audits correctly.

    Look at how much spyware for Windows works by intercepting basic system calls. Unless you have a trustable, independent way of re-creating the software stack, and then verifying that exact stack is actually running on the machine, you've got no reason to trust the box.

    So, for any environment where trust is important, almost any operating system is too complicated.

    Maybe not "COMMODORE BASIC V2", even though it's from Microsoft.
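
The check described in the comment above (re-create the stack independently, then verify that exact stack is what the machine carries), as an added example that is not part of the original comment: hash an independently rebuilt reference tree and a deployed image, then report every difference. File names and contents are constructed, and the hashing is assumed to run on a separate trusted host reading the machine's storage offline, since the comment's point is that privileged code on the box can show an auditor clean files.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def compare_manifests(reference, deployed):
    """Report every way the deployed image differs from the reference build."""
    ref_paths, dep_paths = set(reference), set(deployed)
    return {
        "missing": sorted(ref_paths - dep_paths),
        "unexpected": sorted(dep_paths - ref_paths),
        "modified": sorted(
            p for p in ref_paths & dep_paths if reference[p] != deployed[p]
        ),
    }


def write_tree(root, files):
    """Helper for the demo: materialise {relative path: bytes} under root."""
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo():
    # Constructed sample data: file names and contents are invented.
    reference = {
        "os/kernel.bin": b"kernel build 1",
        "drivers/card_reader.bin": b"card reader driver",
        "app/tally.bin": b"tally application",
    }
    deployed = {
        "os/kernel.bin": b"kernel build 1",
        "app/tally.bin": b"tally application (patched in the field)",
        "drivers/io_hook.bin": b"driver absent from the escrowed build",
    }
    with tempfile.TemporaryDirectory() as ref_dir, \
            tempfile.TemporaryDirectory() as dep_dir:
        write_tree(ref_dir, reference)
        write_tree(dep_dir, deployed)
        return compare_manifests(build_manifest(ref_dir), build_manifest(dep_dir))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A partial escrow shows up here as paths in "unexpected": anything on the machine with no counterpart in the reference build cannot be vouched for.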

  • Re:Background info (Score:4, Informative)

    by OWJones ( 11633 ) on Tuesday November 29, 2005 @05:48PM (#14141667)

    To be honest, I think that the software's the wrong thing to be looking at. Simply require an audit trail that's independent of the machine count and will let you verify whether the machine tallies are correct without having to assume any part of the machine side is accurate, eg. a paper ballot printed, inspected by the voter and deposited in a ballot box handled separately from the machine's memory packs.

    The law also requires that. But examining the source code also gives you insight into the development process, not just the product.

    Then mandate random comparisons of a sample of the machine results with the audit trail, with any significant discrepancy triggering an automatic across-the-board audit.

    The law also requires that. It's a pretty good election reform law, across-the-board.

    -jdm
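
The audit procedure discussed in the comment above (compare a random sample of machine results with the paper trail, and escalate to a full audit on a discrepancy), as an added example that is not part of the original comment or of the North Carolina law. Precinct ids, tallies, the `tolerance` parameter and the idea of a publicly drawn integer seed are assumptions made for illustration.

```python
import random


def select_precincts(precinct_ids, sample_size, seed):
    """Pick the audit sample reproducibly from a seed.

    Assumption: the seed is drawn in public after the machine totals are
    published, so nobody can know in advance which precincts get checked.
    """
    rng = random.Random(seed)
    return sorted(rng.sample(sorted(precinct_ids), sample_size))


def audit_sample(machine, paper, sample, tolerance=0):
    """Compare machine tallies with hand counts of the paper trail.

    machine / paper: {precinct: {candidate: votes}}. Any per-candidate
    difference larger than `tolerance` is a discrepancy, and a single
    discrepancy is enough to trigger the across-the-board audit.
    """
    discrepancies = []
    for pid in sample:
        m, p = machine.get(pid, {}), paper.get(pid, {})
        for cand in sorted(set(m) | set(p)):
            m_votes, p_votes = m.get(cand, 0), p.get(cand, 0)
            if abs(m_votes - p_votes) > tolerance:
                discrepancies.append((pid, cand, m_votes, p_votes))
    return {"discrepancies": discrepancies, "full_audit": bool(discrepancies)}


def sample_tallies():
    # Constructed sample data: in P-04 the machine moved 6 votes from A to B.
    machine = {
        "P-01": {"A": 210, "B": 180},
        "P-02": {"A": 95, "B": 102},
        "P-03": {"A": 310, "B": 298},
        "P-04": {"A": 120, "B": 131},
    }
    paper = {
        "P-01": {"A": 210, "B": 180},
        "P-02": {"A": 95, "B": 102},
        "P-03": {"A": 310, "B": 298},
        "P-04": {"A": 126, "B": 125},
    }
    return machine, paper


if __name__ == "__main__":
    machine, paper = sample_tallies()
    chosen = select_precincts(machine, sample_size=2, seed=20051129)
    print("audited:", chosen)
    print(audit_sample(machine, paper, chosen))
```

A sample that happens to exclude P-04 reports nothing, which is why the sample size and the unpredictability of the draw matter as much as the comparison itself.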

  • by TubeSteak ( 669689 ) on Tuesday November 29, 2005 @05:57PM (#14141785) Journal
    I noticed the first article says that "California officials have agreed to let a computer expert attempt to hack into Diebold machines to examine how secure they are."

    That's false. California in no way, shape, or form 'agreed' to anything. BBV required them to comply with their own laws. "Agreed" makes it sound like they had an option.

    California is required by law to allow registered political parties to inspect the machines used for voting.

    The Libertarian party hired the Black Box Voting group for a dollar to 'hack' the machines on their behalf after Black Box Voting filed a request under "California Election Code 19202, which governs ... voting machine testing."

    Basically the law allows for a political party to request replication of previous testing by their own experts.
    More detail here: http://www.bbvforums.org/cgi-bin/forums/board-auth.cgi?file=/1954/14331.html [bbvforums.org]
  • by ivan256 ( 17499 ) * on Tuesday November 29, 2005 @06:13PM (#14141971)
    First of all, Insightful my ass. The moderators of your comment should be shot.

    Second, your comment is interesting, considering two things:

    First, that this is an article about how Diebold can't provide North Carolina with source escrow because it can't provide the Windows code. (You did read the article, right? Or perhaps you'd like to borrow some clue?) Regardless, the shared source license is part of the marketing bullshit that Microsoft uses to create their special case, and you've completely bought into it. Source escrow typically guarantees your right to continue to redistribute and advance development a third party product should the producer cease to exist or to terminate support for a particular product. Find that guarantee in the Microsoft Shared Source license. If Microsoft terminated production of CE, people who make products based on it would be screwed. The shared source license is not even close to equivalent to source escrow.

    Second that it's naive to think that any developer list is complete, or that there is even a remote chance of proving it either way. Require it all you want, but in the end you're going to end up with a worthless list of names with no way to know if it's complete, or correct.
  • by ivan256 ( 17499 ) * on Tuesday November 29, 2005 @06:16PM (#14142013)
    Oh, one more thing.

    Only some of the code from the operating systems you listed is available under the shared source license.

  • by JimMarch(equalccw) ( 710249 ) on Tuesday November 29, 2005 @06:17PM (#14142022)
    It's true that getting a total list of programmers in an open-source system would be impossible.

    But as a practical matter it's impossible to name all of the Windows programmers either. The court wouldn't expect that of Diebold any more than they'd require a total list of Linux programmers from an open-source voting project.

    What Diebold could easily do is name their own programmers.

    Except there's no way in hell they'd want to do that.

    In 2002 Diebold bought Global Election Systems, which became the Diebold Election Systems unit. Global was founded under another name in 1988 by Norton Cooper, Michael K. Graye and Charles Hong Lee...all with damned interesting resumes (footnote 1):

    Norton Cooper - jail for a year mid-1980s for fraud against the Canada government; ordered out of stock pitch schemes and was part of the collapse of the Vancouver stock exchange - ordered by decree not to pitch stock after 1992 or so because he caused havoc every time. Written up by Barron's and Forbes as a "hazard to avoid at the golf course". First convicted of political corruption in 1974 - look up a Canadian case titled "The Queen v. Norton Cooper" 1977 Canadian Supreme Court.

    Charles Hong Lee - stock schemes; Cooper's partner pitching deals. Defrauded Chinese immigrants, $600,000(Can) court-ordered restitution mid-90s. Sold "real estate" which was actually the bail for the third partner below to the tune of about $300,000(can) circa 1995ish.

    Michael K. Graye - nailed for stealing $18mil from three companies in the '88-'89 era, caught in '94, jailed in the US for stock fraud around '94 re: Vinex wines, released around 2000 - 2002(3?) in the US, brought back to Canada, still in jail there. Arrested for tax evasion and money laundering circa '94.

    Those three in turn hired even more "colorful" staff:

    John Elder was a cocaine trafficker, in a WA prison early/mid 1990s...fellow inmate was Jeffrey Dean (see next entry). Handled ballot printing for Global late 1990s. Seems to have been the one to bring Dean into Global.

    Jeffrey Dean was convicted early '90s of 23 counts of computer-aided embezzlement. He was a computer consultant for a large Seattle law firm and defrauded them of about $450,000 in what US courts called a "sophisticated computer-aided scheme". In a statement to Seattle PD, he claimed he needed the money because Canadians were blackmailing him; in that country, he'd gotten into a fistfight and the other guy had died. (Yes, I've seen the police report.) He joined Elder in the Global ballot printing business late '90s, and with Global's introduction was doing computer consulting with the King County WA elections division - they had no idea of his criminal record. By 2000 he was doing programming for Global and by early Oct. of 2000 he was a full employee and lead programmer for the GEMS vote-tally product still in use. By late Oct. 2000 and shipping in time for the November election, GEMS ver.1.17.5 contains the first "double set of books" problem where all votes are recorded twice internally and don't need to match...long story but it apparently hides some forms of vote fraud. At the time Diebold bought Global in 2002, Dean quit and was immediately hired back as a consultant via management decision made within the division. This appears to be an attempt to keep Dean's criminal past out of Diebold corporate head office's scrutiny.

    At the time Diebold bought Global, Dean owned 10% of Global's stock.

    We don't know how many other lower-level programmers within Global/Diebold have criminal records. It's rather obvious that Diebold sure as hell doesn't want us finding out.

    Footnote 1 - see also "Black Box Voting: Ballot Tampering In The 21st Century" by Bev Harris, esp. the "Diebold" section at the end of Chapter 8. Free PDF downloads can be found at: http://blackboxvoting.org/ [blackboxvoting.org]
  • Re:Hmm... (Score:3, Informative)

    by OWJones ( 11633 ) on Tuesday November 29, 2005 @06:24PM (#14142088)

    So how exactly did you expect anyone to comply? There will always be an operating system, probably either windows or a *nix.

    Or a home-brew embedded system. Which is how four other vendors were able to comply with the provisions of the new law and bid without also filing a lawsuit. The computer world is not just Windows, *nix, and Mac.

    And while you're right in that the auditors won't go through most of the code, it's useful to have the whole ball of wax for several reasons, such as being able to recreate the entire system on a whim and ensuring that running systems actually conform to what the vendors say they're running.

    -jdm

  • Clarification (Score:2, Informative)

    by Z34107 ( 925136 ) on Tuesday November 29, 2005 @06:50PM (#14142358)

    why they can't hire some people to custom-write some software to do this is beyond me. It'd probably end up cheaper and more stable

    Although the development tools are $1000 (if, for some reason, Diebold didn't already have them) licenses for Windows CE run between $3-$12 a machine. Unless the voting machines cost less than $100, cost is hardly a consideration.

    Windows CE, besides making the GUI programming easier, also uses the same API as pretty much every version of Windows since 95. Anyone who's programmed anything at all (for Windows) can instantly apply their skills to CE.

    Maybe there are pre-existing drivers for some of the hardware they are using as well (network, flash memory cards).

    Exactly. There are drivers. Tons of them, in fact. Almost any programmer can write a Windows program - how many do you think can create a secure implementation of Internet Protocol in machine language?

    Kinda makes you wonder what Diebold expects North Carolina to pay them for when Microsoft did most of their work for them

    Err... Microsoft didn't. They wrote a program for Windows to tally votes, just like any other program out there. Valve spent years developing Half-Life 2, and pioneered new technologies such as HDR along the way. Because they released it for Windows, too, did Microsoft do "most of the work" for them, too?

    I do fault Diebold for one thing, though. The law that pretty much stated they had to release all their source was around before they started developing the machine. Yet, they made it for Windows CE, whose source they cannot turn over to the Government because they didn't write it, it's not theirs, and they don't have it. How did they fail to anticipate that this could potentially be a problem?

  • by penguin-collective ( 932038 ) on Tuesday November 29, 2005 @06:54PM (#14142386)
    Fortunately for banks, if the ATM equipment screws up and the customer can prove it (with receipts, etc), the banks have exposed themselves to lawsuits.

    Having had my entire account emptied and overdrawn because the bank screwed up with security and I provably didn't, I can tell you: the bank doesn't expose themselves to lawsuits if they screw up with your money.

    In real life, you are entirely at their mercy. You can forget about getting any compensation for the time, headaches, late fees, and other costs resulting from their mistake.

    If you make yourself enough of a nuisance and jump through their hoops, you may get your money back and if you're really lucky, you may even get out with your credit rating intact.

    Either way, they'll just eat the loss; they'll just raise their fees a little. Loss due to fraud is just part of the banking business.
  • by JimMarch(equalccw) ( 710249 ) on Tuesday November 29, 2005 @07:27PM (#14142661)
    http://www.bbvdocs.org/dean.pdf [bbvdocs.org]

    http://www.bbvdocs.org/elder.pdf [bbvdocs.org]

    There's their criminal records.

    Mention of both are extensive in the various online databases of Global/Diebold's internal memos between 1998 and early 2003. Go google:

    "Jeffrey dean" diebold ...and you'll get about 350 hits, so this is real well known among people paying attention to this stuff.

    To be fair, at the time Diebold bought Global Dean was moved to consultant status, possibly to avoid the Diebold corporate background check. They damned well know about him NOW of course ever since Bev Harris broke the news.

    Look, Global was based out of Vancouver BC. Bev and others have gone up there to talk to current and former employees...a LOT appeared to be "coked up" or talked about rampant drug abuse up there. If what we're hearing is anywhere close to accurate, Global acted like the set of a John Belushi movie or something.

    Trust me on this: ain't no WAY Diebold will want to publish lists of programmers.

    Notice how Diebold talks about source code escrow as the issue in NC? It's a red herring. Diebold does source code escrow in California no problem.

    The issue is the programmer names. Major-grade doom involved.
  • by ldatech ( 807476 ) on Tuesday November 29, 2005 @07:30PM (#14142686)

    In NC, each county has been able to choose what voting system to use, as long as it meets certain state requirements. For example, here in Raleigh, since the early '90s, we've used paper ballots that are optically scanned [wakegov.com]. In Charlotte, they use touch screens [meckboe.org]. Out of 100 counties, the majority are optical (48) and direct record electronic (DRE - 40). A few counties use punch cards (6), paper ballots (3) and some still use the old lever voting booths (3). There are over 8 different manufacturers used, Diebold being used in 20 counties, most of them small.

    In the 2004 election, some of the smaller counties (don't recall which) had lost votes and other discrepancies, so this legislation was passed in August mostly a result of that.

  • by JimMarch(equalccw) ( 710249 ) on Tuesday November 29, 2005 @07:37PM (#14142740)
    Little known fact: the source code for WinCE is fully known to the hardware vendors.

    It's unique among Windows versions in that it's not a finished product - each hardware vendor has to finish it for their own weird gear. WinCE was made to run on hardware that is NOT industry standard, everything from PDAs to TV set-top boxes.

    Up through CE 3.0 you could download the entire source code from Microsoft's website. I think once they included the .NET stuff they stopped doing that but I could be wrong.

    At the central vote tally box, the Diebold GEMS central tabulator runs on top of WinNT/2000 series so they can't put THAT source in escrow.

    Fun fact about GEMS: not only was convicted embezzler and admitted murderer Jeffrey Dean in charge of development for at least a couple of years, the program icon is a hoot. It's a fist holding a globe, basically a day-glow-colors version of the corporate logo for Dr. Evil in the Austin Powers movies :).

    We should prowl around Diebold HQ looking for midgets, bald cats and sharks with unusual head prosthetics...

    Jim March
    Black Box Voting (staff)
  • Re:Hmm... (Score:1, Informative)

    by Anonymous Coward on Tuesday November 29, 2005 @10:01PM (#14143617)
    Supreme Court didn't rule that recounts were illegal - they ruled that the process of analyzing incomplete votes (hanging chads, etc.) to determine intention of vote was illegal. This is because the standards of determining whether a vote was for Gore/Bush/Buchanan/Nader/et al. was not uniform across the counties.

    As an example, say Miami county's recount officials would throw out a ballot if 2 corners of the chad were still attached, while another county would throw out the ballot if 3 corners of the chad were attached.

    Voter recounts are possible and are used any time the difference in vote percentage is smaller than a certain amount (I think .5% - that is, a recount would be administered if candidate A received 47.9% of total votes and candidate B received 47.8% of total votes.)
  • Re:Hmm... (Score:2, Informative)

    by ChaoticSilly ( 596014 ) on Wednesday November 30, 2005 @02:29PM (#14149037)
    My recollection of the events (admittedly biased):

    The votes were cast and tabulated. Bush won by so small of a margin that FL law required a recount. The recount resulted in Bush winning again by an even slimmer margin. Gore legally (by FL law) requested a recount in a few heavily democratic counties. The republicans protested that Gore was cherry picking which counties to recount, so Gore suggested that ALL Florida counties be recounted - the republicans quickly backed off that claim. The FL secretary of state (a republican) couldn't legally deny the recount, but insisted that no extra time was going to be given for it. The republicans staged riots and filed suits to stop the recount hoping to delay it long enough for the first recount (the one required by FL law when the margin of victory is below a certain percent) to be certified as the official count. The democrats filed counter suits which eventually ended up with the supreme court refusing to step in, effectively making the 2nd recount moot.

    Of course I'm not getting into all the controversy over the butterfly ballots, the purging of so-called felons from the voter lists, intimidation and misinformation in heavily democratic counties, etc. I'm not saying the democrats are innocent, but in my opinion at least, the republicans dealt a serious blow to democracy during the 2000 election.
