Opening Diebold Source, the Hard Way
Doc Ruby writes to tell us about an article in the Baltimore (MD) Sun, reporting that someone sent a package to a former legislator containing what appears to be Diebold source code. From the article:
"Diebold Election Systems Inc. expressed alarm and state election officials contacted the FBI yesterday after a former legislator received an anonymous package containing what appears to be the computer code that ran Maryland's polls in 2004... The availability of the code — the written instructions that tell the machines what to do — is important because some computer scientists worry that the machines are vulnerable to malicious and virtually undetectable vote-switching software. An examination of the instructions would enable technology experts to identify flaws, but Diebold says the code is proprietary and does not allow public scrutiny of it." Read on for more of Doc Ruby's comments and questions.
Maryland's primary elections last month were ruined by procedural and tech problems. Maryland used Diebold machines, even though its Republican governor "lost faith" in them as early as February this year, with months to do something about it before Maryland relied on them in their elections.
The Diebold code was secret, and was used in 2002 even though illegally uncertified — even by private analysts under nondisclosure. Now that it's being "opened by force," the first concern from Diebold, the government, and the media is that it could be further exploited by crackers. What if the voting software were open from the beginning, so its security relied only on hard secrets (like passwords and keys), not mere obscurity, which can be destroyed by "leaks" like the one reported by the Sun? The system's reliability would be known, and probably more secure after thorough public review. How much damage does secret source code employed in public service have to cause before we require it to be opened before we buy it, before we base our government on it?
If this is an insider, then I have to guess that it is somebody who is concerned about some piece of the code. Otherwise, I would guess that it is a cracker who was able to break through the famous Windows security at Diebold and grab the source.
I prefer the "u" in honour as it seems to be missing these days.
The difference is that the Princeton team wrote a vote-switching virus which would spread itself through the smart cards used to tabulate votes. Thus, one infection could -- in time -- spread to any arbitrary number of machines without the knowledge of poll workers (or voters).
That outcome is obviously not possible with manual election rigging.
I saw on Lou Dobbs yesterday a piece that showed election officials rushing out to hire grad students to help out with the coming election. The reasoning was that widespread failures (mechanical, networking, software, etc.) were expected and election officials and staffers unanimously considered themselves as both unprepared and unable to deal with anticipated problems. A quick search for election jobs seems to validate the story.
Or maybe they're worried that the code contains evidence of tampering with election results? Otherwise it's just code. Just because it's public doesn't mean Diebold loses their copyright.
But if that code contains evidence of treason...which is what tampering with election results would be...then anyone involved deserves to be stood up against the nearest wall and shot. Then leave the bodies as a permanent reminder to anyone else thinking about ballot stuffing.
The real question is if the results were rigged, what's that do to the Bush presidency? It would seem to invalidate the '04 election. That means anything he's done while in office should be voided and Kerry should be allowed to serve out the rest of his term. It gets really interesting to consider that the deciding vote on the Supreme Court would be one of those invalidated actions.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
That's what's so screwed up about all this, even Diebold employees weren't following their own company's rules and election official rules (remember they are the customer). Several Diebold run elections have had outcomes highly suspect... and Diebold is answering concerns with contempt for the customers and citizens instead of openness and cooperation.
Who are the people, other than DieBold, that support DieBold's secrecy? Who are the people who would like to preserve things as they are rather than fix the problems that the rest of the interested public is concerned about?
I think that when we can publicly identify who these people are, we can either have a proper public debate on the topic or we can put the matter to rest by exposing the corruption that has been going on.
The roll printer idea, where the people see their votes printed, but don't actually get to touch the printout is fine. This should be done regardless, but I'm going to go a few steps beyond that.
Basically for some of the rest of the design, if you're going to make it electronic, first look at all the ways the Xbox security system, for instance, could have been made much harder to hack. [I wouldn't necessarily limit it with that, but that is actually a decent start.] For simplicity I'll list some ideas, off the top of my head, and then justify them.
1) Soldered in main CPU (The CPU will be important, and as such must not be something that can be easily changed.)
2) Security seals on the case that show signs of tampering.
3) Ideally the GPU will be inside the CPU. [This prevents what is displayed from being easily tampered with, although the need for this can be argued, but what you see on the screen is, of course, what you hope you are voting for.]
4) The system on boot will be able to read from only one source for its OS. The CPU will read the OS and compute a cryptographic hash on the entire system. The ROM image (or whatever) will also have a separate field which contains a public key encrypted version of that same hash. The CPU will decrypt that hash with its public key and if the two match, the system will finish booting.
5) Obviously the private key originally used to encrypt that hash must be stored in a very safe place. [The CPU never needs to know that key, and as such, there is no way that possession of one of the devices can allow you to create an arbitrary ROM image that checks out.]
6) The bottom part of the screen should, at minimum show the cryptographic hash of the software, at all times, so that independent people can verify things.
7) Optional: Take the original hash and use say the last so many bits from it to randomly select from a stack of pictures, or perhaps several pictures. The key part here is to create a visual representation of what the cryptographic hash is, at least in part. You can show this to the voter as a series of icons on the bottom of the screen say to the right of that hash, as an additional check on security. If all of the code that does this is in hardware, this provides an additional check to verify the software has not been modified that people might remember. Of course there are lots of variations of this, including just say making the last 4 digits of the hash bold, or whatever.
8) Keep the code open source. There is no particular reason this is 8, it could as easily be (1). If the CPU is a custom chip, it might require releasing an open source emulator so people can test it. Of course, most likely you are going to use some common CPU core, even if you say put the CPU/GPU on the same chip. Just to reiterate, the key with some of this to be on the same silicon is to prevent tampering. If say the chip that verified the hash was elsewhere, then you might be able to just send a "it passes" signal for everything. Similarly if the code that computes the hash or the encryption is elsewhere, you also have a vulnerability. By having everything security related on the same silicon, you can be reasonably assured that when it checks out the election software that it truly is secure.
9) You can argue with the need to be able to update these fast, and if you agree with that, then you might have to boot from a second source, in order to update the flash, or whatever storage the device uses. All in all though, I don't buy that argument. If you say put it on a flash device that is behind a seal, then you can as easily physically change the flash module. Of course, if you are going to allow a second booting source to reprogram the device, it had better pass its own cryptographic checks to ensure it comes from a trusted source.
10) Don't forget the paper trail. While I've tried to make the previous ideas sound, I likely missed things. This is, after all, a relatively quick post, and I'm only one pe
Forensic evidence indeed. To prove fraud, you simply tally up the paper ballots. If the tally doesn't match the electronic total, fraud occurred. So simple.
Also, you can pinpoint exactly where and when and to what advantage the Diebold hack occurred. If we had such a system in place in 2004, there would have been hell to pay in Ohio. And it would prevent the upcoming hack in November, as they simply have to pinpoint individual precincts to alter -- no need to hack every machine. The pattern would be obvious if there were a paper trail.
Why else do you think Diebold has fought so hard to prevent paper trails at all costs? It makes no sense, as they would simply make more money with paper trails. Occam's razor: they know that the paper tally would not match their electronic tally, and HELL would break loose. In a rational country, this would be obvious. We aren't rational. The Republican faction in this country has a lot invested in these machines.
I agree with paper elections. I also think that digital machines can have a place in elections. You make your choices on a computer, the computer prints out the ballot. The ballot is plain English and human readable. Nothing computer readable, not even a barcode.
Actually India has a pretty good e-voting system:
Slate magazine pokes fun at America's continuing electronic voting anxiety by using India as an example of how to do things right:
While we in the United States agonize over touch screens and paper trails, India managed to quietly hold an all-electronic vote. In May, 380 million Indians cast their votes on more than 1 million machines. It was the world's largest experiment in electronic voting to date and, while far from perfect, is widely considered a success. How can an impoverished nation like India, where cows roam the streets of the capital and most people's idea of high-tech is a flush toilet, succeed where we have not?
Apparently India uses an incredibly simple technology that may not be as fancy as the machines here, but does the job well.
The result is a machine that looks like a cross between a computer keyboard and a Casio music synthesizer. In fact, it's not much of a computer at all, more like a souped-up adding machine. A column of buttons runs down one side. Next to each button is the name and symbol of a candidate or party. These are written on slips of paper that can be rearranged. That means unscrupulous politicians couldn't rig the machines at the factory, since they wouldn't know which button would be assigned to which candidate. Also, the software is embedded--or hard-wired--onto a microprocessor that cannot be reprogrammed. If someone tries to pry open the machine, it automatically shuts down. After much testing, India adopted the machines for nationwide use this year.
Why do our machines suck?
American machines, by contrast, may be vulnerable to wholesale fraud. Our machines are far more complicated and expensive--$3,000 versus $200 for an Indian machine. The U.S. voting machines are loaded with Windows operating systems, encryption, touch screens, backup servers, voice-guidance systems, modems, PCMCIA storage cards, etc. They have millions of lines of code; the Indian machines hardly any at all.
Falcon
Should there be a Law?
In the case of Diebold, they made this very clear before the 2004 election, when then-CEO Wally O'Dell said - in writing - to the Ohio Republicans that he would deliver their state to George Bush. He lived up to that promise, and there are good grounds to suspect that this wasn't at all accidental. They want their code secret so that we can't find out some of the things they've got hidden there.
From Mother Jones: "Diebold machines were used in only 2 of Ohio's 88 counties."
So how did Diebold's code 'deliver the state to George Bush'? Or are you just making stuff up?