Sequoia Voting Systems Source Code Released 406
Mokurai sends a heads-up about Sequoia Voting Systems, which seems to have inadvertently released the SQL code for its voting databases. The existence of such code appears to violate Federal voting law: "Sequoia blew it on a public records response. ... They appear... to have just vandalized the data as valid databases by stripping the MS-SQL header data off, assuming that would stop us cold. They were wrong. The Linux 'strings' command was able to peel it apart. Nedit was able to digest 800-MB text files. What was revealed was thousands of lines of MS-SQL source code that appears to control or at least influence the logical flow of the election, in violation of a bunch of clauses in the FEC voting system rulebook banning interpreted code, machine modified code and mandating hash checks of voting system code." The code is all available for study or download, "the first time the innards of a US voting system can be downloaded and discussed publicly with no NDAs or court-ordered secrecy," notes Jim March of the Election Defense Alliance. Dig in and analyze.
To be honest... (Score:5, Insightful)
Open Source (Score:5, Insightful)
I absolutely hate the thought of my vote being inputted in to a closed magical-mystery box.
Re:What? (Score:5, Insightful)
Re:What? (Score:5, Insightful)
Anyone with half a brain realized converting from dumb paper ballots to "smart" electronic machines that could manipulate the votes was a Bad Idea (tm). Unfortunately that disqualifies most of our state politicians.
you're wrong. (Score:3, Insightful)
Re:While redacting... (Score:4, Insightful)
votes[candidate]++;
FCC violation = revote? (Score:1, Insightful)
If this code really is in violation of FCC regulations, shouldn't that invalidate all elections that the code was used in?
Re:What? (Score:5, Insightful)
As my Software Engineering instructor said...
Someone was thinking that voting was primarily a counting problem and had the idea that computers were excellent at counting, so computers would be excellent at registering votes.
Of course, voting is minimally about counting, and from what we've seen even these clowns couldn't do that right.
Re:you're wrong. (Score:4, Insightful)
How about this?
You select your candidate / party / referendum option on screen.
The computer prints out a ballot paper and records your vote.
You put the ballot paper in the ballot box.
The returning officer selects a sample of ballot boxes at random and checks them to the computer.
Re:Open Source (Score:5, Insightful)
The last administration isn't around any more. This administration could set its self apart from the old one by requiring all voting system code be open-sourced. But I agree; the chances of that happening are not any better than under the old overlord.
Re:Hyperbole much (Score:2, Insightful)
No need to show someone for whom the voter is not eligible to for.
(I assume English is a second language for you, because the statement was perfectly clear the first time).
Some states have closed primaries. Democrats only get to vote for democrats, republicans for republicans.
Some people are not voting in their proper polling place and can't vote for the local candidates (because they don't live there).
I could go on, but I suspect you will have difficulty reading much more thru your tin foil hat.
Re:Open Source (Score:3, Insightful)
Yeah but MY state is run by the Democrats (and has been for almost 60 years). What excuse do they have for not developing open-source voting for Maryland? Oh that's right... same as the GOP... holding onto the monopoly.
Too early to start the scandalising (Score:3, Insightful)
Re:you're wrong. (Score:5, Insightful)
Re:What? (Score:2, Insightful)
But the media will ignore it. Remember last year when voting machines were found to have *actually* lost votes in an Ohio election? No? That was an even bigger story, and the media ignored that as well...
Never underestimate the ability of the media in this country to ignore important news in favor of the latest distraction.
Re:Hyperbole much (Score:3, Insightful)
Does it matter to you at all that the presence of this logic in interpreted code (SQL) is a direct violation of federal law?
Re:To be honest... (Score:3, Insightful)
Which means if the 17th was repealed, Senators would be elected by the State Governments, and the States could use the power of the Senate to kick-around the U.S. government when it tries to abuse its power...... similar to how the UK, France, Germany and other members use their power to kick-around the EU government and keep it restrained.
Example:
California, Washington, and a bunch of other states legalize marijuana for use by doctors. President Dickhead ignores the laws and arrests CA, WA, and other citizens. California and the other states direct their Senators to censure the president and block all of his legislation from passing. He backs down. The States need to have the power to keep the central government from overreaching.
Re:Hyperbole much (Score:5, Insightful)
You could have kept reading, you know.
The FEC standards say "prohibited". They do not say "Any self-modifying, dynamically loaded or interpreted code is only okay if someone who is a really good programmer says it is" or "Interpreted code is okey dokey as long as it isn't called all that often". If the database itself contains application code which modifies the database, then that's a problem. It doesn't matter what kind of code it is or how benign you think it is, it should not be there at all.
If you would like to share your educated opinion where it matters, feel free to comment in the wiki [wikispaces.com]. That's what it's there for.
This is cool and all, but... (Score:4, Insightful)
* t violates the federal rulebook on voting systems on several levels: the rules require that code be hash-checked to prove authenticity in the field for obvious reasons. If the real working code is buried in with the data, no such hash-checks are possible.
Except that so far, I'm seeing table construction and table layouts. I guess that's technically code - as any SQL technically is - but a good case can be made to say that it's just the database structure. Which can, of course, be subjected to a hash check.
The federal rulebook is also clear that code can't be interpreted, apparently to avoid modification "in the field" (generally county or city election offices).
Well shit, in that case, they can't use SQL at all. Since a database is a fairly reasonable way to track the candidate data, display strings, etc... I'm pretty sure that this wasn't the intent of the law. (No, IANAL, just applying common sense).
I do think it's great and long overdue that this information is now available. But I also think they'll want to finish the analysis and get some people who understand what they're looking at, before they start making claims. There may be validity to them - but so far it's tenuous if there at all. (Full disclosure: I'd love to electronic voting either a) shut down or preferably b) administered in a 100% transparent fashion... so I'm not making this post in anybody's defense)
Re:This is cool and all, but... (Score:5, Insightful)
Except that so far, I'm seeing table construction and table layouts. I guess that's technically code - as any SQL technically is - but a good case can be made to say that it's just the database structure. Which can, of course, be subjected to a hash check.
Except that the DDL isn't in a bunch of scripts that are building the schema, the schema exists in a bunch of strings that are concatenated together in stored procedures with some arguments to the procs munged in, and passed to Exec statements when the stored procedures are run.
That's not normal table building, that's an unabashedly self-modifying database.
Re:you're wrong. (Score:3, Insightful)
Re:Hyperbole much (Score:4, Insightful)
Re:you're wrong. (Score:3, Insightful)
I've actually put some thought into this and I think I have an idea that could work. It could provide accountability, although not necessarily in a provable form, but at least to let the individual voter know if their vote was lost or changed.
When you vote, you can enter TWO votes. The first is your actual real it-counts vote. The second is a made up vote. It's totally optional, but lets you enter a second vote different than your first. One is vote A and one is vote B, and you pick which (A or B) is counted. When you leave the booth you get a receipt with a url and a long hashed ID number for your vote(s). If you chose not to enter a second vote, the second vote is randomly selected based on statistical averages of recent votes.
You can go home and get online and go to the govt website and enter your hash id. It will ask you if you want to see A or B. You pick one, and it shows your votes. You CANNOT look at your other vote. (it only lets you look at one vote per ID, you can go back later and see A again, but never look at B once you've looked at A or vice-versa) Important: it will NOT tell you if the vote you are looking at is the vote that counts or is the dummy.
This allows you to go into the system later and see that your vote was not lost or changed. It can't tell if the counter/dummy was toggled but if the dummy is statistical average of recent votes in that booth then the ability to do any heavy fraud by dummy swapping is minimized. If you are more concerned about swapping than being coerced, then you can just make both of your votes the same so a swap won't matter.
But it also prevents selling of your vote, or coercion. Lets say your boss says you WILL be voting for Kodos this year. OK go into the booth and put in your real vote, and then your alternate vote for Kodos. The only thing that puts any teeth in someone being able to sell their vote or coerce a vote is being able to prove who you voted for. So if you are forced to show your vote later, do the lookup in front of them but for the dummy vote. To prevent the possibility of them simply asking to see BOTH your votes to make sure they were both for who they wanted, you can only look at the A or the B ever. This makes it impossible to prove to an individual that you voted a certain way.
If there's a major cry of fraud, it's possible for the system to be queried and compared later to look for patterns.
I'd like to hear everyone's devil's advocate on this idea. Rip it up! (or improve it?)
The only downside is its a tad convoluted. But I maintain that people that can't deal with even slightly complicated voting processes have no business casting a totally uneducated vote.
Re:Hyperbole much (Score:2, Insightful)
A compiler translates source language to target language (usually executable machine code) and stops there. It does not execute the code.
An interpreter translates source language to target language (usually machine code), and executes it.
You are correct in that (most) languages are not inherently compiled or interpreted since you can do either with them, but claiming that there is no difference between a compiler and an interpreter is simply wrong. Most programmers know this, though I suppose not most lawyers do.
If the federal law requires there be no interpretation, all code has to be compiled before the election to comply. That is clearly not the case with T-SQL exec statements running dynamically constructed statements.
Re:Hyperbole much (Score:2, Insightful)
The difference between the two in terms of computer science is very clear, and very simple.
No, sorry, its not that simple.
You may have written code to Add two data elements AB and CD.
The compiler will almost certainly point to AB and CD and invoke a runtime library which will interpret your ADD verb for you. This involves determining the type of variables, fetching both conversion to a common type, putting into machine registers, executing the add instruction, converting the sum back to the type consistent with the storage target, then transferring it to that target. At each step of the way there is error checking to be sure the data types are compatible, that they exist, that overflow did not occur and that the target is actually addressable.
No, it is not clear. No it is not simple. No there is no clear line between compiled code vs interpreted code, and NO there is no common definition of interpreted code.
I've been messing with computers longer than you have been alive, and I'm here to tell you everything you learned about how things work is a simplification to avoid overwhelming you with the facts.
Re:Hyperbole much (Score:2, Insightful)
All computer code not written in binary is interpreted code.
Isn't that the job of the compiler? To turn the written code into "binary" or rather machine instructions, ergo assembler. You have a point in that all languages are interpreted into machine code, but that is not what interpreted refers to in this case. This [wikipedia.org] is what it refers to.
Presumably the law is there to make run-time modifications to the code harder, as well as allowing static analysis of binaries. I'm crap at SQL, but AFAIK stored procedures can be replaced at run-time.
Re:you're wrong. (Score:4, Insightful)
You are required to give your hash code to your boss. HE looks up your vote and picks A or B. 50-50 chance he picks the fake one and you live. 50-50 chance he picks the real one and you lose your job.
Re:What? (Score:2, Insightful)
Any sufficiently advanced incompetence is indistinguishable from malice.
Re:you're wrong. (Score:3, Insightful)
Re:you're wrong. (Score:4, Insightful)
I don't think the American public would really be all that upset if the election results didn't come in until the next morning. I suspect it's actually the news media that wants the results ASAP, in order to get everyone watching the election day evening news so that they can charge more for ad space.
Re:you're wrong. (Score:2, Insightful)
What difference does it make how quick the counting is? No matter how fast you count, the officials will still get sworn in on the same date ~2 months later.
Re:Hyperbole much (Score:3, Insightful)
From the site:
UPDATE 10/20/09 5:45pm Pacific Time: It appears the files were NOT VANDALIZED and will open in MS-SQL Server 2005. It also appears they did redact "code" to some degree. I'm still not clear on why there are thousands of lines of source code still left in there. I'm working on scoring a copy of SQL Server 2005 ASAP so I can look for myself. Check the discussion areas to follow along in realtime.
Interesting.
Re:There's somebody wrong on the internet... (Score:3, Insightful)
If I can verify my vote, I can prove to myself after the fact how I voted, and therefore I can prove it to somebody else.
Not necessarily. If an essential part of the algorithm (a key) is only in your head you can prove the results to yourself, but not to anyone else - especially if a wrong key produces a proof that is just as valid as the one made with the correct key. A simple XOR would be sufficient. You can store and publish such encrypted vote results all you want, only the original voter can tell what those numbers really mean. And if he wants he can disclose a different key, yielding a different "proven vote." The key can be randomly generated in the booth and shown to the voter, but not stored anywhere.
Re:All code is interpreted code (Score:3, Insightful)
All code is interpreted by something. That something might be hardware, microcode, firmware, a middle layer, or even a whole VM, but all code is interpreted.
Saying code is or is not interpreted is simply where you draw the line. Even "native" code on most processors these is really interpreted by the microcode or something similar.
I think you know exactly what they mean. Human-readable code == bad; byte-code == good.
Your argument boils down to the same sort of definition-shifting, intellectual masturbation as, "But everything humans make is natural because humans are natural," or "There's no such thing as an honest politician because everybody lies sometimes." Everyone knows what "interpreted," "natural," and "honest" actually mean in context, and pettifogging over terms like that adds nothing to any discussion ever.
Re:you're wrong. (Score:3, Insightful)
Of course it happened. A lot. That's why the voting process evolved. In my youth, when I went with my parents, boxes were made of wood, sometimes you would hand the envelope containing the ballot to the election judge for him to put into the box, etc. Nowdays, boxes are transparent, made out of plexyglas, the officials are forbidden to even touch your ballot. You give your id, a person checks you are on the list, if you're okayed the judge push a lever on top of the box. This advance a mechanical counter and open the slit just the needed time for you to cast your vote. At the end of the day, boxes are spilled open on wide tables, the judges still don't have the right to touch them. 4 voluntary citizens of the precinct man each table. They make a rough division in 4 stacks, count each stack, then swap stack with the counter in front of them. When done, counters pairs swap places and go over the process again. One juge continuously records counts for each table. When done, ballots are put back in box and box is sealed again. No official ever touch a ballot. There are still fraud attempts, but either they are very local (and suppose a high level of complicity between everyone there, so it's unlikely to matter to the result), or in some countries, they rely more on brute force than actual fraud (think Iran, for instance).
The question is not to know if a paper election can be rigged. The question is : does e-voting add more fraud possibilities to the voting process on top of already known frauds occurring with paper. And the answer is yes, it doesn't really avoid known frauding means, and it makes more subtle, new frauding schemes more likely. That's because the machine knows at any given time how many votes have already been cast, and who is leading. It can be made to cheat just enough to give a slight advantage that's not statistically detectable. OTOH, paper frauds must be very blunt to have any chance of being effective, and are therefore much more difficult to conceal. Especially if everybody has been given the right by law to attend every step of the process.
Re:There's somebody wrong on the internet... (Score:3, Insightful)
Again, why not just use a printer? Select your votes, all of them get tallied and a printout with machine readable and human readable output. Put that in a box. If there is a question about the final tally, you can A: verify that the initial digital count matches a barcode-scanned recount, B: verify that all or some of the barcode-scanned votes match the written out votes, C: count all of the human readable output manually.
The idea that we can't do industrial printers these days on the cheap and reliable is laughable, especially with the stupid costs of these voting machines.
Re:What? (Score:3, Insightful)
Re:What? (Score:4, Insightful)
The reason voting irregularities mean diddly squat in a presidential election is due to the fact that Joe Citizen's votes don't matter directly.
Thanks to the electoral college, any voting irregularities are overruled by the imprimatur elector fiat.
Re:too much voting? (Score:3, Insightful)
Except that Americans like to vote on everything.
And?
If it's important enough to vote on, it's important enough to count properly.
Re:Canadian Elections - KISS (Score:3, Insightful)
Not if you have 10 times as many people to count them. These massively parallel systems scale rather well you know.
Re:There's somebody wrong on the internet... (Score:4, Insightful)
As a matter of due diligence, I will look up your "David Chaum's blind signature" (I may have already). I'm certain it will have a fatal flaw, as has every system I've examined thus far. It doesn't matter how many people jump up and down in support of their ideologies or how vigorously. Nobody has shown me a secret ballot, end-to-end verifiable voting system. I do not believe one exists. (I would like to be proven wrong, but I don't think anybody can.)
Disclaimer: I am a cryptographer, and I have done research on topics related to electronic voting in the past.
As a matter of simply stating a fact, regardless of your due diligence, the fact is that blind signatures and their application to electronic voting is a subject which is about 15 years old by now. If you didn't already know about this concept, then you are clearly not an expert in electronic voting or even in any related field of cryptology. Cryptographic electronic voting is a highly technical subject involving many different areas and subfields of cryptology, some of them heavily number theoretic and mathematical. You are probably not technically knowledgeable enough to pass judgment on such heavily technical subjects in which you are uninformed (or worse, prejudiced against, as evidenced by your choice use of words such as "ideologies").
Even if I'm wrong about you, and you are technically knowledgeable enough to correctly evaluate cryptographic voting systems, it doesn't matter. For every one of you, there are thousands of other voters who are not technically knowledgeable, but who think that they are.
The problem with voting systems is not mathematical. It is not cryptographic. From the point of view of cryptography, secret ballot, end-to-end verifiable voting systems do exist, and have been known for decades. Either a mix net [wikipedia.org] or the Benaloh cryptosystem [wikipedia.org] together with threshold secret sharing delegation of trust is all that is required. The problem with cryptographic end-to-end voting systems is that for every one cryptographer in the world, there are thousands of uninformed members of the general public who don't understand the math, and who think that the scheme is either untrustworthy or that they have found a flaw. For this reason, even if there is a secret ballot, end-to-end verifiable voting system (which there is), it will never be accepted by the general public. As a research scientist, I have had far too much experience in dealing with such obstacles. The public does not trust scientists, even when the scientists clearly know more than they do.
Re:too much voting? (Score:3, Insightful)
Have you ever seen voter turn-out numbers? Americans don't like to vote at all.
Re:Open Source (Score:2, Insightful)
I really can't see why we can't have a government-commissioned open-source system developed and mandated for use for public voting functions. I absolutely hate the thought of my vote being inputted in to a closed magical-mystery box.
Open-sourcing the code or hardware is no help for the simple reason that on election day you, the voter, cannot verify that the machine in your voting booth is running the open-source code or hardware you verified the day before.
Re:There's somebody wrong on the internet... (Score:3, Insightful)
If you didn't already know about this concept, then you are clearly not an expert in electronic voting or even in any related field of cryptology. Cryptographic electronic voting is a highly technical subject involving many different areas and subfields of cryptology, some of them heavily number theoretic and mathematical. You are probably not technically knowledgeable enough to pass judgment on such heavily technical subjects in which you are uninformed (or worse, prejudiced against, as evidenced by your choice use of words such as "ideologies").
The public does not trust scientists, even when the scientists clearly know more than they do.
Still wondering why ? A 6th grader with a good pair of eyes can understand and control a paper vote. The more people you gather to keep watch, the better, no training necessary. It would take you, with all your intelligence and experience, weeks of efforts to verify an e-system implementation, and you'd be one of a handful able to do so. And all it would take to rig the system would be to outsmart your small lot of scientists. Just *imagine* for a second the source code is mathematically correct and you verified it. How about the compiler ? Do you know if the system really runs on the bare metal or is it trapped in a VM ? Are you per chance a computer scientist as well as a cryptologist ? How many scientists would it take to screw that light bulb in the end ? How long would it take ?