U.S. Voting Software Hashes Made Public

fibonacci2000 writes "From the NIST website: 'This effort is a first step in being able to trace software from the vendor through the accreditation process to the states and other purchasers of voting systems. Now election authorities have a reference database to compare with the digital signatures of software provided to them by vendors.'"

Different for the sake of being different.

[Stochio]

If you look through the file it has references to java files, pascal files, C++ files, and perl files. I don't get it. I understand that in this document just the hashes are listed to source code - but does this also imply that the source code is being distributed?
On an additional note, I see references to jpg, gif,and bmp files. I must be interpreting this files incorrectly. Why else would source code of 4+ high-level languages and 3+ image formats be in the same project?

Translation for the Layman?

[Richard+M.+Nixon]

Now election authorities have a reference database to compare with the digital signatures of software provided to them by vendors. However, only digital signatures of the same versions of software voluntarily provided by voting software vendors are available on the web site. Election authorities having other versions, or versions which have been altered for authorized reasons, will be unable to use this web site for a digital signature comparison.

I'm not sure but I think what this means is that their software can be used to verify that the software that the vendor has sold them is indeed the software that is installed on the machine.

For example, that DIEBOLD AccuVote-OS CC 2.0.12 AE is installed on a machine.

If this is true, then it only confirms that you have the software you think you have on the system. It does not mean that said software will tally an accurate vote. (Having competent software is a different question entirely of what software you have installed on a system.)

Also....

This data may only be used with software that has not yet been installed on a voting machine. With limited exception, once software is installed on a voting machine, it is incapable of generating a digital signature.

I'm not sure I understand why it couldn't be verified afterwards.

Can someone explain this?

At the very least couldn't you wipe the voting machines harddrive and do a re-install?

Re:What about the paper?

[schmaltz]

Except that with paper ballots there is a paper trail. With that you can find out that voter's dead, or the reg is fictitious.

However, with Diebold you can simply go in and manipulate totals directly. No physical evidence. Much easier to steal an election, in a currently uncontested way. Of course, the aftermath of this election will probably involve a couple orders of magnitude more attorneys and jurisdictions than in 2000, so it remains to be seen whether an election stolen by computer will go unchallenged.

Oops, scratch my previous post

[Rayonic]

Turns out that the paper trail is not printed out on the fly. The only thing captured on the fly is an "image" of the voter's ballot. What other kind of data is stored I do not know.

From the Diebold web site:

When a voter casts their ballot using the Diebold touch screen system, the ballot selections are immediately encrypted and stored in multiple locations within the voting station. When stored, the order of cast ballots is scrambled to further insure ballot anonymity. The image of each and every ballot cast on the voting station is captured, and can be anonymously reproduced on standard paper should a hard copy of ballots be required for recount purposes. Once voting concludes at a precinct, a printed election results report is printed as a permanent record of all activity at each voting station. This printed record is used to audit the electronic tabulation of votes conducted during the election canvas process, when final, official election results are reported.