Opening Diebold Source, the Hard Way

Doc Ruby writes to tell us about an article in the Baltimore (MD) Sun, reporting that someone sent a package to a former legislator containing what appears to be Diebold source code. From the article: "Diebold Election Systems Inc. expressed alarm and state election officials contacted the FBI yesterday after a former legislator received an anonymous package containing what appears to be the computer code that ran Maryland's polls in 2004... The availability of the code — the written instructions that tell the machines what to do — is important because some computer scientists worry that the machines are vulnerable to malicious and virtually undetectable vote-switching software. An examination of the instructions would enable technology experts to identify flaws, but Diebold says the code is proprietary and does not allow public scrutiny of it." Read on for more of Doc Ruby's comments and questions.
Maryland's primary elections last month were ruined by procedural and tech problems. Maryland used Diebold machines, even though its Republican governor "lost faith" in them as early as February this year, with months to do something about it before Maryland relied on them in their elections.

The Diebold code was secret, and was used in 2002 even though illegally uncertified — even by private analysts under nondisclosure. Now that it's being "opened by force," the first concern from Diebold, the government, and the media is that it could be further exploited by crackers. What if the voting software were open from the beginning, so its security relied only on hard secrets (like passwords and keys), not mere obscurity, which can be destroyed by "leaks" like the one reported by the Sun? The system's reliability would be known, and probably more secure after thorough public review. How much damage does secret source code employed in public service have to cause before we require it to be opened before we buy it, before we base our government on it?

What's in the code?

[HangingChad]

Or maybe they're worried that the code contains evidence of tampering with election results? Otherwise it's just code. Just because it's public doesn't mean Diebold loses their copyright.

But if that code contains evidence of treason...which is what tampering with election results would be...then anyone involved deserves to be stood up against the nearest wall and shot. Then leave the bodies as a permanent reminder to anyone else thinking about ballot stuffing.

The real question is if the results were rigged, what's that do to the Bush presidency? It would seem to invalidate the '04 election. That means anything he's done while in office should be voided and Kerry should be allowed to serve out the rest of his term. It gets really interesting to consider that the deciding vote on the Supreme Court would be one of those invalidated actions.

Re:What's in the code?

[Sven+Tuerpe]

Or maybe they're worried that the code contains evidence of tampering with election results?

My favorite conspiracy theory at this point is this:

If you were in a position to tamper with election results by manipulating the code of voting machines, what would be the most obvious cover-up?

Exactly. You would make sure that a clean version of the code "leaks", which shows no evidence of any tampering whatsoever.

Here's one thing I want to know

[erroneus]

Who are the people, other than DieBold, that support DieBold's secrecy? Who are the people who would like to preserve things as they are rather than fix the problems that the rest of the interested public is concerned about?

I think that when we can publically identify who these people are, we can either have a proper public debate on the topic or we can put the matter to rest by exposing the corruption that has been going on.

My suggestions..

[Seigen]

The roll printer idea, where the people see their votes printed, but don't actually get to touch the printout is fine. This should be done regardless, but i'm going to go a few steps beyond that.

Basically for some of the rest of the design, if your going to make it electronic, first look at all the ways the xbox security system, for instance could have been made much harder to hack. [I wouldn't necessarily limit it with that, but that is actually a decent start.] For simplicity I'll list some ideas, off the top of my head, and then justify them.

1) Soldered in main cpu (The cpu will be important, and as such must not be something that can be easily changed.)

2) Security seals on the case that show signs of tampering.

3) Ideally the GPU will be inside the cpu. [This prevents what is display from being easily tampered with, although the need for this can be argued, but what you see on the screen, is, of course, what you hoep you are voting for.]

4) The system on boot will be able to read from only one source for its OS. The CPU will read the OS and compute a crytographic hash on the entire system. The ROM image (or whatever) will also have a separate field which contains a public key encrypted version of that same hash. The cpu will decrypt that hash with its public key and if the two match, the system will finish booting.

5) Obviously the private key originally used to encrypt that hash must be
stored in a very safe place. [The cpu never needs to know that key, and as such, there is no way that possesion of one of the devices can alloy you to create an arbitrary rom image that check out.]

6) The bottom part of the screen should, at minimum show the cryptographic hash of the software, at all times, so that independent people can verify things.

7) Optional: Take the original hash and use say the last so many bits from it to randomly select from a stack of pictures, or perhaps several pictures. The key part here is to create a visual representation of what the cryptographic hash is, at least in part. You can show this to the voter as a series of icons on the bottom of the screen say to the right of that hash, as an additional check on security. If all of the code that does this is in hardware, this provides an additional check to verify the software has not been modified that people might remember. Of course there are lots of variations of this, including just say making the last 4 digits of the hash bold, or whatever.

8) Keep the code open source. There is no particular reason this is 8, it could as easily be (1). If the cpu is a custom chip, it might require releasing an open source emulator so people can test it. Of course, most likely you are going to use some common cpu core, even if you say put the cpu/gpu on the same chip. Just to reinterate, the key with some of this to be on the same silicon is to prevent tampering. If say the chip that verified the hash was elsewhere, then you might be able to just send a "it passes" signal for everything. Similarly if the code that computes the hash or the encryption is elsewhere, you also have a vulnerability. By having everything security related on the same silicon, you can be reasonably assured that when it checks out the election software that it truly is secure.

9) You can argue with the need to be able to update these fast, and if you agree with that, then you might have to boot from a second source, in order to update the flash, or whatever storage the device uses. All in all though, i don't buy that argument. if you say put it on a flash device that is behind a seal, then you can as easily physically change the flash module. Of course, if you are going to allow a second booting source to reprogram the device, it had better pass its own cryptographic checks to insure it comes from a trusted source.

10) Don't forget the paper trail. While, I've tried to make the previous ideas sound, I likely missed things. This is, after all, a relatively quick post, and I'm only one pe

e-voting

[falconwolf]

I agree with paper elections. I also think that digital machines can have a place in elections. You make your choices on a computer, the computer prints out the ballot. The ballot is plain english and human readable. Nothing computer readable, not even a barcode.

Actually India has a pretty good e-voting system:

Slate magazine pokes fun at America's continuing electronic voting anxiety by using India as an example of how to do things right:

While we in the United States agonize over touch screens and paper trails, India managed to quietly hold an all-electronic vote. In May, 380 million Indians cast their votes on more than 1 million machines. It was the world's largest experiment in electronic voting to date and, while far from perfect, is widely considered a success. How can an impoverished nation like India, where cows roam the streets of the capital and most people's idea of high-tech is a flush toilet, succeed where we have not?

Apparently India uses an incredibly simple technology that may not be as fancy as the machines here, but does the job well.

The result is a machine that looks like a cross between a computer keyboard and a Casio music synthesizer. In fact, it's not much of a computer at all, more like a souped-up adding machine. A column of buttons runs down one side. Next to each button is the name and symbol of a candidate or party. These are written on slips of paper that can be rearranged. That means unscrupulous politicians couldn't rig the machines at the factory, since they wouldn't know which button would be assigned to which candidate. Also, the software is embedded--or hard-wired--onto a microprocessor that cannot be reprogrammed. If someone tries to pry open the machine, it automatically shuts down. After much testing, India adopted the machines for nationwide use this year.

Why do our machines suck?

American machines, by contrast, may be vulnerable to wholesale fraud. Our machines are far more complicated and expensive--$3,000 versus $200 for an Indian machine. The U.S. voting machines are loaded with Windows operating systems, encryption, touch screens, backup servers, voice-guidance systems, modems, PCMCIA storage cards, etc. They have millions of lines of code; the Indian machines hardly any at all.

Falcon