Sequoia Voting Systems Source Code Released
Mokurai sends a heads-up about Sequoia Voting Systems, which seems to have inadvertently released the SQL code for its voting databases. The existence of such code appears to violate Federal voting law: "Sequoia blew it on a public records response. ... They appear... to have just vandalized the data as valid databases by stripping the MS-SQL header data off, assuming that would stop us cold. They were wrong. The Linux 'strings' command was able to peel it apart. Nedit was able to digest 800-MB text files. What was revealed was thousands of lines of MS-SQL source code that appears to control or at least influence the logical flow of the election, in violation of a bunch of clauses in the FEC voting system rulebook banning interpreted code, machine modified code and mandating hash checks of voting system code." The code is all available for study or download, "the first time the innards of a US voting system can be downloaded and discussed publicly with no NDAs or court-ordered secrecy," notes Jim March of the Election Defense Alliance. Dig in and analyze.
I've fallen off your lawn, and I can't get up.
To be honest shouldn't -any- code used to tally votes be released in the public domain for any US citizen?
Taxation is legalized theft, no more, no less.
grep and find who should have won the election?
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
"Well you may throw your rock and hide your hand
Workin' in the dark against your fellow man
But as sure as God made black and white
What's down in the dark will be brought to the light"
-Johnny Cash
Quote taken from the index of http://studysequoia.wikispaces.com/. Wishful thinking, but how apt.
I really can't see why we can't have a government-commissioned open-source system developed and mandated for use for public voting functions.
I absolutely hate the thought of my vote being inputted in to a closed magical-mystery box.
"code that appears to control or at least influence the logical flow of the election"
Which means the uneducated inspecting strings saw things like:
BAL_ID null
-- 1 - show candidate on ballot (default)
-- 0 - remove candidate from the ballot
-- 2 - don't show candidate on the ballot, but reserve space for her on the layout
All of which is perfectly benign when voters are not eligible to vote for certain candidates for any number of reasons.
The more you read at the ultimate site the more you realize the people digging thru this garbage know nothing about what they are reading, and not much about programming either.
Just because you know how to run grep or strings does not mean you can use the data it reveals.
Sig Battery depleted. Reverting to safe mode.
Crypto primitives rely on a strong link between 2 ends. Voting explicitly implies discarding the identity of the voter, hence the whole link thing breaks. If you maintain the link, you know who voted for whom: that's not a good idea at all to preserve democracy. If you discard the link, you have *no way on earth* to actually prove something hasn't been rigged somewhere.
votes[candidate]++;
http://michaelsmith.id.au
Now does stripping the illusion of voting away make us more or less free
Don't blame me! I voted for Kodos!
Science advances one funeral at a time- Max Planck
They may have violated the regulations, but it is still not clear that anything they did would have had any real impact. Best to wait and see what the analysis reveals.
http://lmgtfy.com/?q=sequoia+voting+machines
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
I'll stick to voting with pencil, paper, and hand counted ballots. Of course, we in Canada have the advantage that binding referendums are unconstitutional (It's violation of parliamentary supremacy). Thus all we vote for is our representative. Of course this seems to be happening every 18 months, but with four political parties, this tends to happen. :)
Oh, and for those who are wondering, each ballot is hand counted, in triplicate, with scrutineers from each of the candidates on said ballot in attendance. It takes about 4 or 5 hours to count 10 000 000 ballots, and recounts rarely change the results by more than 1 or 2 votes per district.
...si hoc legere nimium eruditionis habes...
* It violates the federal rulebook on voting systems on several levels: the rules require that code be hash-checked to prove authenticity in the field for obvious reasons. If the real working code is buried in with the data, no such hash-checks are possible.
Except that so far, I'm seeing table construction and table layouts. I guess that's technically code - as any SQL technically is - but a good case can be made to say that it's just the database structure. Which can, of course, be subjected to a hash check.
The federal rulebook is also clear that code can't be interpreted, apparently to avoid modification "in the field" (generally county or city election offices).
Well shit, in that case, they can't use SQL at all. Since a database is a fairly reasonable way to track the candidate data, display strings, etc... I'm pretty sure that this wasn't the intent of the law. (No, IANAL, just applying common sense).
I do think it's great and long overdue that this information is now available. But I also think they'll want to finish the analysis and get some people who understand what they're looking at, before they start making claims. There may be validity to them - but so far it's tenuous if there at all. (Full disclosure: I'd love to see electronic voting either a) shut down or preferably b) administered in a 100% transparent fashion... so I'm not making this post in anybody's defense)
Vote! Vote my little worms!
Divert your will and energies into our little show of "change"!
While another Goldman exec is put in charge of "Enforcement" - ensuring that there is none...
You see, under the post-Kennedy era system of American government, executive and legislative sideshows are intended not to demonstrate and direct power - but to distract from the real power of the land.
Bang! One magic bullet. You buy that story, and they already had you in the Matrix.
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
The file they have is simply a SQL Server backup.
It takes a few minutes to restore using SQL 2005 Express + SSMSE
Nothing has been destroyed or sabotaged.
but...
When the database is restored you get the tables with the data in. :)
All the stored procedures have been deleted. Or so Sequoia thought.
As the use of strings on the backup file demonstrates, the text of the sp's is still there.
There are various database tools (Lumigent was one from memory) that allow looking back through the database log and, I expect, returning the database to a previous state.
Just when companies had got the hang of cleaning up after track changes they move on to SQL database backups :)
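A way to check a backup for this kind of leftover text before releasing it, as an added example that is not part of the original comment or of any Sequoia or Microsoft tooling. It mimics what `strings` does, for both single-byte and UTF-16LE text (the page does not say which encoding the real file uses, so both are scanned); the marker list, the length threshold and the sample bytes are assumptions constructed for illustration.

```python
import re
import sys

MIN_LEN = 8  # shortest run reported (assumed threshold; strings(1) defaults to 4)
PRINTABLE = rb"[\t\n\r\x20-\x7e]"
# DDL keywords that mark leftover module source (assumed marker list).
SQL_MARKERS = re.compile(
    r"\b(?:CREATE|ALTER)\s+(?:PROC(?:EDURE)?|FUNCTION|TRIGGER|VIEW)\b", re.I)


def extract_strings(data, min_len=MIN_LEN):
    """Return (offset, encoding, text) for each printable run in data."""
    ascii_run = re.compile(PRINTABLE + rb"{%d,}" % min_len)
    # UTF-16LE text in the ASCII range is each character followed by a NUL.
    utf16_run = re.compile(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_run.finditer(data)]
    return sorted(found)


def residual_sql(data, min_len=MIN_LEN):
    """Keep only the runs that look like stored-module source text."""
    return [hit for hit in extract_strings(data, min_len)
            if SQL_MARKERS.search(hit[2])]


def constructed_sample():
    """Constructed bytes standing in for a backup fragment (not real data)."""
    junk = bytes([0x01, 0x0F, 0x00, 0x00, 0xFF, 0xFE, 0x96, 0x00])
    proc = "CREATE PROCEDURE dbo.sp_demo AS\r\nSELECT 1"
    return (junk + b"DEMO_TABLE_NAME" + junk + proc.encode("utf-16-le")
            + junk + b"create proc dbo.sp_other as select 2" + junk)


if __name__ == "__main__":
    # With a path argument scan that file, otherwise the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = constructed_sample()
    for offset, encoding, text in residual_sql(blob):
        print(f"{offset:#010x} {encoding:8} {text[:70]!r}")
```

Any hit means object definitions dropped from the catalog are still present in the file's pages or log, so the file has not been sanitized.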
Maybe it's a cultural thing, but I've never seen the necessity to complicate things any further than paper, pencil, double physical count. Cheap, no machines involved, fast. On a national election down here (about 15 million voters), voting booths close at 6pm and results are known nation wide right on time to open the 8pm evening news.
Except that Americans like to vote on everything.
Not just politicians, but sheriffs, judges, district attorneys (i.e., head government prosecutors), etc. Add this to the fact that most elections (municipal, county, state, federal) tend to happen on one day, so that when you walk into the booth, you don't just have a piece of paper, but a small booklet to go through. Then add propositions (i.e., referendums) that many states have if enough people sign a petition. If you want to be an educated voter on all the possible choices you have to do some serious studying.
And then you have to count all of these 20+ separate run offs for the various levels of government.
I shouldn't be able to verify my own vote. If I can verify my vote, I can prove to myself after the fact how I voted, and therefore I can prove it to somebody else. That somebody else might try to coerce me into voting a specific way. I much prefer paper, pen, and hand counted. That way, I can verify the box is empty before everyone puts their vote in. Verify that my vote went into the box, and verify that the box was opened and that all votes in the box were counted correctly. I wouldn't be able to identify my ballot apart from the other ballots in the box, but that would be good, because nobody would be able to coerce me to vote a particular way. Just knowing that my vote was in a box, and that the box was counted correctly is enough for me to know that my vote was counted correctly.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Why, thank you, that's the justification we've been looking for. Invoke Article III!
How to restore the .bak file using Microsoft SQL Server Express 2008:
Step 1. Go download SQL Server Express 2008 (This is trivial, left up to the reader. You might have to go to a Microsoft webpage) and install.
Step 2. Go download SQL Tools for SQL Server (Trivial) and install.
Step 3. Go download the .bak.zip file from the above wiki. Save it to 'C:\foofoo\'. Unzip the .bak file within it to 'C:\foofoo\'. You should now have: 'C:\foofoo\RIV_20081104_Canvass_Final_dbset_E.bak'
Step 4. Start up SQL Server Express
Step 5. Open SQL Management Studio and connect to your local SQLEXPRESS instance.
Step 6. Click on the top most node in (Should be your machine's name\SQLEXPRESS). Click "New Query".
Step 7. Run the following query:
RESTORE DATABASE RIV_20081104_E FROM disk='C:\foofoo\RIV_20081104_Canvass_Final_dbset_E.bak'
WITH MOVE 'RIV_20081104_Esys' TO 'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\RIV_20081104_Esys.mdf',
MOVE 'RIV_20081104_Edat' TO 'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\RIV_20081104_Edat.mdf',
MOVE 'RIV_20081104_Elog' TO 'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\RIV_20081104_Elog.ldf',
REPLACE
go
Step 8. Wait.
Step 9. This should create a database called RIV_20081104_E.
Have fun.
If I can verify my vote, I can prove to myself after the fact how I voted, and therefore I can prove it to somebody else.
Not necessarily. If an essential part of the algorithm (a key) is only in your head you can prove the results to yourself, but not to anyone else - especially if a wrong key produces a proof that is just as valid as the one made with the correct key. A simple XOR would be sufficient. You can store and publish such encrypted vote results all you want, only the original voter can tell what those numbers really mean. And if he wants he can disclose a different key, yielding a different "proven vote." The key can be randomly generated in the booth and shown to the voter, but not stored anywhere.
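The XOR receipt described in the comment above, worked through as an added example that is not part of the original post. The candidate list, the 16-byte record width and all function names are assumptions made for illustration.

```python
import secrets

CANDIDATES = ["Alice", "Bob", "Carol"]   # constructed ballot
WIDTH = 16                               # fixed record width in bytes (assumed)


def encode(name):
    """Fixed-width ballot record for one candidate."""
    if name not in CANDIDATES:
        raise ValueError("not on the ballot: %r" % name)
    return name.encode().ljust(WIDTH, b"\x00")


ENCODED = {encode(name): name for name in CANDIDATES}


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cast(name):
    """Booth side: fresh random key, published receipt = vote XOR key."""
    key = secrets.token_bytes(WIDTH)     # shown to the voter, never stored
    return xor(encode(name), key), key


def reveal(receipt, key):
    """Open a receipt with a key; None if the result is not a ballot choice."""
    return ENCODED.get(xor(receipt, key))


def decoy_key(receipt, claimed):
    """Key that opens the same receipt to whichever candidate is named."""
    return xor(receipt, encode(claimed))


if __name__ == "__main__":
    receipt, key = cast("Bob")
    print("voter's own key opens to:", reveal(receipt, key))
    for name in CANDIDATES:
        fake = decoy_key(receipt, name)
        print("key", fake.hex(), "opens to", reveal(receipt, fake))
```

Every candidate has a key that opens the published receipt, so a key handed to a third party shows nothing about which one the booth generated.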
This might hurt your feelings but: you're a Canadian. Most Americans don't consider you ever.
Help stamp out iliturcy.
All code is interpreted by something. That something might be hardware, microcode, firmware, a middle layer, or even a whole VM, but all code is interpreted.
Saying code is or is not interpreted is simply where you draw the line. Even "native" code on most processors these days is really interpreted by the microcode or something similar.
I think you know exactly what they mean. Human-readable code == bad; byte-code == good.
Your argument boils down to the same sort of definition-shifting, intellectual masturbation as, "But everything humans make is natural because humans are natural," or "There's no such thing as an honest politician because everybody lies sometimes." Everyone knows what "interpreted," "natural," and "honest" actually mean in context, and pettifogging over terms like that adds nothing to any discussion ever.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
Again, why not just use a printer? Select your votes, all of them get tallied and a printout with machine readable and human readable output. Put that in a box. If there is a question about the final tally, you can A: verify that the initial digital count matches a barcode-scanned recount, B: verify that all or some of the barcode-scanned votes match the written out votes, C: count all of the human readable output manually.
The idea that we can't do industrial printers these days on the cheap and reliable is laughable, especially with the stupid costs of these voting machines.
The ______ Agenda
"CastrTroy! Get in here! You're going to fill out this absentee ballot just the way I tell you, and sign it. I'll mail it for you. If you don't, it's curtains for your grandmother!"
Or:
"CastrTroy! Get in here! You're going to carry this spy camera pen into the voting booth so I can make sure you vote the way I want you to. If you don't, it's curtains for your grandmother!"
So the whole "verifiable ballots allow coercion!" argument doesn't hold water: you can be coerced today. The defense against coercing votes isn't technical, it's that you're going to be locked in a cage for a very long time if you do it. (And rightly so.)
But besides that, it's just factually wrong. It is possible to have a ballot that you can verify but that can't be used to show others how you voted, because it relies on a secret that you know but can't prove. See, for example, Chaum's Punchscan.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
As a matter of due diligence, I will look up your "David Chaum's blind signature" (I may have already). I'm certain it will have a fatal flaw, as has every system I've examined thus far. It doesn't matter how many people jump up and down in support of their ideologies or how vigorously. Nobody has shown me a secret ballot, end-to-end verifiable voting system. I do not believe one exists. (I would like to be proven wrong, but I don't think anybody can.)
Disclaimer: I am a cryptographer, and I have done research on topics related to electronic voting in the past.
As a matter of simply stating a fact, regardless of your due diligence, the fact is that blind signatures and their application to electronic voting is a subject which is about 15 years old by now. If you didn't already know about this concept, then you are clearly not an expert in electronic voting or even in any related field of cryptology. Cryptographic electronic voting is a highly technical subject involving many different areas and subfields of cryptology, some of them heavily number theoretic and mathematical. You are probably not technically knowledgeable enough to pass judgment on such heavily technical subjects in which you are uninformed (or worse, prejudiced against, as evidenced by your choice use of words such as "ideologies").
Even if I'm wrong about you, and you are technically knowledgeable enough to correctly evaluate cryptographic voting systems, it doesn't matter. For every one of you, there are thousands of other voters who are not technically knowledgeable, but who think that they are.
The problem with voting systems is not mathematical. It is not cryptographic. From the point of view of cryptography, secret ballot, end-to-end verifiable voting systems do exist, and have been known for decades. Either a mix net or the Benaloh cryptosystem together with threshold secret sharing delegation of trust is all that is required. The problem with cryptographic end-to-end voting systems is that for every one cryptographer in the world, there are thousands of uninformed members of the general public who don't understand the math, and who think that the scheme is either untrustworthy or that they have found a flaw. For this reason, even if there is a secret ballot, end-to-end verifiable voting system (which there is), it will never be accepted by the general public. As a research scientist, I have had far too much experience in dealing with such obstacles. The public does not trust scientists, even when the scientists clearly know more than they do.
If you didn't already know about this concept, then you are clearly not an expert in electronic voting or even in any related field of cryptology. Cryptographic electronic voting is a highly technical subject involving many different areas and subfields of cryptology, some of them heavily number theoretic and mathematical. You are probably not technically knowledgeable enough to pass judgment on such heavily technical subjects in which you are uninformed (or worse, prejudiced against, as evidenced by your choice use of words such as "ideologies").
The public does not trust scientists, even when the scientists clearly know more than they do.
Still wondering why ? A 6th grader with a good pair of eyes can understand and control a paper vote. The more people you gather to keep watch, the better, no training necessary. It would take you, with all your intelligence and experience, weeks of efforts to verify an e-system implementation, and you'd be one of a handful able to do so. And all it would take to rig the system would be to outsmart your small lot of scientists. Just *imagine* for a second the source code is mathematically correct and you verified it. How about the compiler ? Do you know if the system really runs on the bare metal or is it trapped in a VM ? Are you per chance a computer scientist as well as a cryptologist ? How many scientists would it take to screw that light bulb in the end ? How long would it take ?
There are many good reasons for open source voting system but this story by the Daily Kos is a beat up, and is based solely on the lack of technical ability by the person making the claims. I've actually downloaded the database, restored it successfully in SQL Server 2008 and examined it and there really is no basis to this story. That doesn't mean I support Sequoia, that doesn't mean I support closed voting systems, just merely in this particular instance the story is not based on fact. Here's how to restore it and what you'll find: http://www.itwire.com/content/view/28715/1141/
Still wondering why ? A 6th grader with a good pair of eyes can understand and control a paper vote. The more people you gather to keep watch, the better, no training necessary. It would take you, with all your intelligence and experience, weeks of efforts to verify an e-system implementation, and you'd be one of a handful able to do so. And all it would take to rig the system would be to outsmart your small lot of scientists. Just *imagine* for a second the source code is mathematically correct and you verified it. How about the compiler ? Do you know if the system really runs on the bare metal or is it trapped in a VM ? Are you per chance a computer scientist as well as a cryptologist ? How many scientists would it take to screw that light bulb in the end ? How long would it take ?
Thanks, but I am neither a computer scientist, nor am I still wondering why. I figured out what you said a long time ago. Some computer scientists have also figured it out. That's why a lot of voting research these days is in the area of non-cryptographic voting schemes that still provide secret ballot end-to-end security. No such scheme is known today, but significant progress has been made, for example ThreeBallot by Ron Rivest.
I, and many researchers, are well aware that no solution to the voting problem can ever involve a system, or a compiler, or source code, or any sort of bare metal hardware. The solution has to be non-cryptographic. Unfortunately, the politicians and legislators have not realized this yet (or they have, and are committing intentional sabotage), and most importantly, the general public has not realized this yet. The general public still thinks that voting machines are the way to go.