Source Code Access Denied in Disputed Race

MrMetlHed writes "A judge ruled Friday that congressional aspirant Christine Jennings has no right to examine the source code that runs the electronic voting machines at the center of a disputed Southwest Florida congressional race. From the article: 'The ruling Friday from Judge Gary prevents for now the Jennings camp from being able to use the programming code to try to show voting machines used in Sarasota County malfunctioned. Jennings claims that an unusually large number of undervotes (ballots that didn't show a vote) recorded in the race implies the machines lost the votes.'"

Outrageous

[Xeth]

This is precisely why government shouldn't be using closed-box commercial software. We have no idea whether the machines are functioning as advertised. Do people not realize that we're essentially just handing a bunch of ballots to these companies and then just accepting the verdict they hand down? It boggles the mind that any democracy-loving representative can stand for this. Maybe there just aren't any left?

Re:first post

[Anonymous Coward]

Is it possible to browse /. without such completely uninteresting american bs? Kind of a /. minus american flag articles?
I'm not bashing because /. is filled with US junk which most readers don't care about, I am seriously interested in a non-us-crap-articles version of /.

Thanks.

Beautiful system we have here.

[ponderance]

This is exactly why I didn't vote. I didn't want to use the electronic machines. All we had around here, all I had available was either electronic machines. They gave me the runaround for weeks concerning absentee ballots. I tried several times and just threw my hands up.

How I understand it, the only way the machines can put votes where malicious programs want (IF they're infected) is if someone votes. If I don't vote, my vote can't be misused. And I surely don't trust this technology, especially how fast and secretive it was implemented.

I could be wrong. I hope this isn't the *future of voting.



*less and less trust. less accountability and verifiability. easier to rig an election.

Judge's credentials?

[Monoman]

I would really like to know the judge's credentials for this kind of case. He may have a law background but what does he know about computers and technology (and related laws)?

IIRC there were cases in the early 80s where judges made bad rulings because they simply had little or no understanding of computers/technology.

Re:unfuckingbelivable

[Cuppa 'Joe' Black]

It is a glaring *glaring* affront to democracy itself to continue running elections in this manner.

Judge Gary and the butterfly ballot ..

[rs232]

"Testifying on behalf of Democrat Christine Jennings, MIT political scientist Charles Stewart said Jennings would have won the race by as many as 3,100 votes if there had not been an "excessive" undervote in the Nov. 7 election"

"Without the source code [heraldtribune.com], it would be very difficult or impossible for me to determine how the software behaved," Dan Wallach, Rice University

was Re:Nothing tests code like the real world

Re:Outrageous

[leenks]

That's true, but it only shows half the picture (like most statistics). If you look at the time it took to fix the exploits and ship the fix to customers then most Open Source projects win hands down. Microsoft does occasionally do this in quite a timely manner, but most of the time it is weeks, months or even years.

The other thing to consider is the number of holes that might be discovered if everyone had access to the Windows source code :)

Re:unfuckingbelivable

[TheRaven64]

Not knowing the source code for a voting machine is the equivalent to saying "a miracle happens here" at a critical part in a mathematical proof. Completely utterly unnaceptable.

Having any kind of electronic voting machine is unacceptable in a democracy. Do you have the skill to audit the source code and say with 100% certainty that there are no exploitable bugs? I could with maybe 40-60% certainty. Is that enough for democracy? I would say that less than 1% of the population is more qualified than me to perform the audit (assuming access to the source code). Is it good enough that 1% of the population can say 'I am fairly confident that this doesn't have any holes.

Why should Joe Public have to rely on someone like me saying 'trust me, it's secure?' Would you be willing to have a ballot paper written in Kanji and an expert tell you which set of symbols corresponded to your candidate? I certainly wouldn't, so why should the rest of the population have to place the same faith in experts?

Even if you could "verify" source code ...

[carpeweb]

... what would that prove?

I'm not saying it's a bad idea to know the source code. I'm just saying that wouldn't eliminate most of the problem.

1. Who can look at source code and certify that it cannot be hacked?
2. Even if (1) were possible, who can certify that the exact source code was (the only code) resident on every machine at the time of the voting?

Furthermore, because ballots are anonymous, what do we have to tie people to votes on a one-to-one basis? Granted, the tie-in is imperfect in the paper world, but the potential for abuse seems higher in the electronic world. As I think about how a "vote hacker" might operate, it seems pretty likely to me that such a person would be motivated to cover tracks. For instance s/he would replace the source code with the evil code before the voting but would also switch it back to the source code after the voting. That's a pretty simplistic scenario. I envision that "good" e-voting security would require polling stations to begin looking like secure server rooms. That would give civil libertarians (and maybe even the rest of us) the creeps, even if it were feasible to issue every voter a security badge, etc.

I'm no security expert, but is it not generally accepted that simple systems are easier to secure, all other things being equal? Pencil and paper are pretty simple, right?

Re:Outrageous

[Anonymous Coward]

What is interesting is not how much security holes found, but:

A) They`re usefulness in gaining inappropriate access.
B) How many holes are left.

Now with A), Windows with its single user administration accounts and open privileges to system by all users, makes any userland bug into an root-level access nightmare. Yes, you can have a separate admin-account. No, XP doesn`t support this fully on the file-level (I`ve done it many times, and it`s a PITA because of bugs in XP regarding running programs or installing software as administrator)
A) will hopefully be fully solved in VISTA. How many years after UNIX solved this?

With B), you cannot really know. Open access to the source code and the whole world watching, makes it pretty obvious you`re going to have more fixes for Linux and BSD. With closed source, you never really know how many holes are left except when someone stumbles on one in the dark, you never really know what the software does or if it contains any backdoors.

It is not so far-fetched to state that the more fixes you have to a system, the more secure it is. But it`s really hard to say. Are NT programmers more proficient than Linux-programmers concerning security? Experience shows that security has never been Microsoft`s priority, marketshare has.

So IMHO Linux and BSD are very much more secure than Windows / NT / XP, maybe even BECAUSE of more fixes for the systems.. But also for the multi-user models used in UNIX which adds a layer of security with the root user, unless the user runs as root all day long of course.

So ANY system will be insecure if the user do stupid things.

Re:Nothing tests code like the real world

[Tony Hoyle]

A 'None of the above would be great'. IMO we already have that though.... people who stayed at home.

I have this continual argument with a friend who believes that voting should be compulsory and the spoiling the paper should be a crime - forcing you to vote for *someone*.

I argue the other way - that actually the way the voting turnout is dropping is actually healthy. People should vote for what they believe in... ideally policies, but 'he has a nice suit', although not something I'd encourage as a voting decision, is at least a positive vote.

People stay home for 4 reasons:

1. They don't believe in the system
2. They believe in the system, but are not in a marginal so believe it doesn't work for them (similar to (1)).
3. They don't like any candidate
4. They don't give a flying fuck.

I don't *want* people in 3. and 4. to vote. They'll vote randomly, introducing noise into the results. If the purpose of democracy is to elect good government (debatable in itself, probably) then making them vote is against that purpose. 1. and 2. can be sorted out by things like politicians getting off their butts and actually canvasing (thus involving the people.. I haven't seen a politician around here ever), some education, and maybe reform (smaller voting regions perhaps, making them more representative to counter 2.).

Me, I'm a 3. so a 'none of the above' answer would be great. If a politician actually bothered to even ask for my vote, or *gasp* try to tell me why I should vote for them (and party policies don't count - I don't vote for parties I vote for people) then I probably would vote positively.

Re:Outrageous

[aztracker1]

Here in Arizona, we've had scan-tron style voting for quite a while.. it works well, and has a paper trail... this last election they've started offering the "e-voting" machines... imho they suck, even more for cost and logistical reasons. They're each as expensive as one scan-tron, and each is tied up while the person is voting.. a single scan-tron style unit can handle dozens of voters to one e-voting machine... But, people are sheep.

Re:Outrageous

[Jahz]

linux code - freely available. Number of linux exploits - minimal.
windows code - closed source. Number of windows exploits - incredible.

Well yeah, but it is misleading that you suggest Windows is less secure just because it is closed source. To disqualify that statement you just need to consider that if Linux became closed source tomorrow it would be no less secure than it is today.

No, the problem with Windows is that M$ made some bad design choices in the early days (90's) and opted to endlessly patch problems rather than rearchitect the kernel/OS (what Vista is supposed to be). The community around linux on the other hand represents "oversight" and helps force speedy correction of underlying flaws. So basically I am saying that with Linux-like oversight on its closed source code, Windows would be really good. To bad that is not feasable.

Re:Outrageous

[Bob3141592]

There's no reason this code should ever be closed. In the computers that run casino games, the government regulatory agencies requires all source code be provided for scrutiny, as well as mandating registered CRCs and digital signatures to prove that the code executing is the code that was inspected. There's all sorts of inspections and reliability tests done on initial submittal and also throughout the lifetime of the computer's use. They do this because those computers affect money, and everyone knows money is important.

If the public/government doesn't require similar validation and reliability for electronic voting machines, it's because your votes aren't considered important or valuable. I don't see any way to escape that conclusion, given the way things are.

Re:Outrageous

[canajin56]

I happen to agree that a completely secure system can be established fairly easily. Give the voter a touch screen for all of their choices, they push buttons, it says "Person/Initiative/Proposal/Whatever X are you sure?" and you confirm it, once all things you are voting on are done with, you get a final summary page to confirm, then it records that information and says have a nice day, and also prints out a human readable slip that contains all your votes. You fold it in half just like a normal paper ballot, the person running things seals it and plops it in the ballot box like always. There you have it. Instant the polls close, you have your numbers, and the number can be verified by hand counting of the printouts. In fact, have the electronic number the "Tentative" count, and only the hand count is official. You get instant preliminary results and trusted final results.

That being said voting regardless of system boils down to trust. I will use trust in the same sense the parent has used it as, severely scrutinized. The problem with pure electronic voting is that, while it requires utmost trust, as do all methods of voting, this trust cannot be given. The machine has a tally in it, and the master machine tallies all of the tallies and gives the final result. A person wrote the code and a person assembled the machine. Let us say the code is fully open and completely trusted. How trusted is the fact that the machine is running THAT code? How hard is it to switch out a rom chip? Was the machine fully inspected to make sure the code is identical in all ways to that which is trusted? Its just not possible to trust this machines numbers. Trust is an issue because there is nothing to prevent this machine from being designed to randomly, with chance 1/5, reassign votes from person X to person Y when writing them down. Where is the log? The log may be 10000% fool proof but the vote was logged normally, everything was normal. All it takes is one tiny piece of code to switch how the vote is recorded. Its displayed for the user as normal, but a single line of code randomly flips it over when its recorded. How can this sort of thing be stopped? Hopefully such tampering would be obvious in the code with enough eyes looking for it. As I said however, how hard is the code to change? If its just on a disk of a windows box as some of these voting stations are...well its trivial to swap the code out at any point. If its on a ROM as it should be, how hard is it to switch out the ROM? Is there only one ROM? It ended up that in many of the voting terminals used in previous elections, there were actually TWO ROM chips, and a hidden switch in the back to switch between them. With such a device, it would be trivial to have your trusted code on one, and your malfeasant code on the other. No amount of auditing the code and verifying the correct code is running will save you from this, you would have to fully verify the hardware too. But what if it wasn't a switch, what if the hidden rom is selected by a timer, only active when its actually the election, and switching back to the trusted ROM the second the polls close? Well, then you could set the system clock to whenever the election is supposed to be and always test under those conditions. Unless of course there is a second clock elsewhere that is not changed when the admin adjusts the system clock.

That was a lot of text. What it boils down to is its possible to build a very devious voting machine that to the user appears fully functional and seems to record their votes correctly, but does not actually record them correctly. A software audit will not protect you, and machine audit will not protect you, and a detailed examination of the device will not protect you. You would have to crack them open and verify every circuit in there, every IC chip, every single ROM. How could you do this? A full verification would, I imagine, destroy the machine beyond all hope of repair. It would be impossible to verify the actual machines used in vot