Wired.com's Threat Level Blog reports:
Votes cast yesterday on e-voting machines made by Election Systems & Software went to the wrong candidates, according to officials in Lawrence County, Ohio. Better not vote. You might be supporting the wrong candidate.
On election day, when I was serving as a roving technician for my local county elections, I was wearing my "oh hi i fixed ur voting system" shirt. One of the poll workers saw it and asked me if I'd been "one of those hackers" over the summer. I said yes, and she thanked me for my work. I smiled and said it had been a fun job, and then I returned my attention to the problem machine at hand. As I did, another poll worker spoke up.
"That was rigged. They had the CODE!" he said. "No self-respecting hacker would take a job where they gave you the code." He then proceeded to spew venom in my direction for the next several minutes. What he said basically boiled down to two points: (1) Our work was worthless and proved nothing, and (2) If he'd been a part of the project, he'd be ashamed to have anybody know.
I didn't say a word to him. I really wanted to. I wanted to tell him that I'd worked over 60 hours/week for six weeks, taking a total of three days off (two Saturdays and one Sunday) over the course of the entire job. I wanted to inform him that I'd gotten paid very little for that work, that I'd done it because I believe that our democracy (such as it is, these days, in the hands of Bush, Inc.) needs some very rigorous investigation to ensure that votes continue to count. I wondered who had taught him that it was appropriate to speak so unkindly to a person he'd never met. But I bit my tongue, hoping that by not giving him the satisfaction of getting a rise out of me, others in the room would see that his venom was not even worth validating with a reply.
I have to say, though, that this whole, "It was rigged, because you had the code," shtick is really getting old.
Yes, we had the code. All 300,000+ lines of it. As it was, our *stellar* source code team from Princeton - led by the esteemed David Wagner of Berkeley - was not able to read even half the code in six weeks. Have you ever tried to read the source code of a 300,000+ line commercial software product?
Furthermore, a well-coded project will stand up to code investigation. It really kills me that people think a code investigation is like giving somebody the password to your account and then seeing if they're able to log in. We aren't stupid. There is a point to what we do. We're looking for the errors, the opportunities for buffer overflows or race conditions, instances of unvalidated input or poor memory handling. If you're selling software that's running elections for the most powerful ~~Corporatocracy~~ democracy on earth, maybe that software should be held to some high standards. That means your software should not be full of the kind of errors that first-year university students make. But the most efficient way for a team of security experts to find out whether or not your code is full of those kinds of errors is to give them the code.
It's not like we haven't seen that shit before. You know, half a decade ago when Diebold employees were using an unsecured FTP site as a code repository. The vendors can't keep this stuff secret, so it's obviously unsafe to assume that "hackers" will never see the code. And even if you think the code will never leak again - you're counting on every single vendor employee to be trustworthy. You honestly think there isn't a single programmer working for these vendors that can be bought? Not one?
Let's say you worked for the vendor and you wanted to put a backdoor into one of these systems. What would it look like? "The following code triggers a backdoor..."? No. If you had any brains at all, it would look like the kind of programming error that a first-year university student would make. Plausible deniability. Nobody can ever prove that you left that buffer overflow on purpose. It could just be that you're incompetent.
So, yeah. Ohio isn't the only one who's had issues with their electronic voting systems. They just got lucky enough this time to catch their error. That's the great thing about electronic voting. You'll never know what happened that you didn't see, because electronic records can change without leaving a trace.
Just like your rights.