Full editorial: http://www.blackboxvoting.org

Stunning Flaws Found in the Certification Model Used to Approve Voting Systems

Does anyone find it peculiar that, after reports like the RABA report (http://www.raba.com/press/TA_Report_AccuVote.pdf), the Compuware report (http://www.sos.state.oh.us/sos/hava/files/compuware.pdf), the SAIC report (http://www.dbm.maryland.gov/dbm_search/technology/toc_voting_system_report/votingsystemreportfinal.pdf) and the original report by Avi Rubin et al. (http://avirubin.com/vote), reports which show software with "stunning, stunning security flaws" (hey, the New York Times said it, not me), and after two devastating reports demonstrating flaws with Diebold (http://www.blackboxvoting.org/access-diebold.htm) and Sequoia (http://www.blackboxvoting.org/sequoia-voting.htm) central count systems, after all this, we are allowing the manufacturers to send their "corrected" software versions right back to the same certification labs for approval?
- "328 security flaws, 26 deemed 'critical'" — SAIC report.
- All four major manufacturers found to have critical security flaws — Compuware Report
- Hacked in 5 minutes, left no trace — RABA report
- Wyle labs admits to certifying Sequoia software despite known flaws — discovery materials from a recent lawsuit
Hey. Guys? Why are we sending the "new and improved" versions right back to the same places that missed all the problems the first time around?
Under the Help America Vote Act (HAVA), we were supposed to revamp certification procedures. Nice idea, but they failed to fund it.
I've been saying for many months now that what we have is an auditing problem, not a certification problem. We've been using the wrong model to ensure the integrity of our elections. We can examine source code until we're blue in the face, but (even with a voter verified paper ballot) that won't provide the safeguards we need. What we have to do is use that ballot to verify the correctness of the election results, and we need to run reports to compare the vote totals as they travel through the system.
This is called auditing. It's not rocket science. It's not computer science either. It involves things like: Comparing the paper ballots against the voting machine totals; comparing the polling machine totals against the central count machine totals; using business reply mail (best) or postal receipts, to compare the number of absentee ballots received with the number counted.
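The three comparisons described above (paper ballots against machine totals, polling-place totals against central count, absentee ballots received against absentee ballots counted) are simple enough to write down as a reconciliation check. The following is an added example, not code from Black Box Voting or from any voting-system vendor; the record types, function names and the sample precinct figures are all constructed for illustration.

```python
"""Vote-total reconciliation audit (added example; all data below is constructed).

Each precinct record carries (a) the hand count of voter-verified paper ballots,
(b) the polling-place machine tally and (c) the figure the central count system
holds for that precinct. The audit reports every stage where the numbers disagree,
plus any gap between absentee envelopes logged as received and ballots counted.
"""
from dataclasses import dataclass


@dataclass
class PrecinctRecord:
    precinct: str
    paper_count: dict      # candidate -> ballots counted by hand from paper
    machine_total: dict    # candidate -> polling-place machine tally
    central_total: dict    # candidate -> central count system's figure for this precinct


@dataclass
class AbsenteeRecord:
    received: int   # envelopes logged via business reply mail / postal receipts
    counted: int    # absentee ballots the tabulator reports having counted


@dataclass
class Finding:
    stage: str
    precinct: str
    candidate: str
    expected: int
    actual: int

    @property
    def delta(self):
        """Signed difference: positive means the later stage reports more votes."""
        return self.actual - self.expected


def compare_totals(stage, precinct, expected, actual):
    """Return one Finding per candidate whose counts differ between two stages.

    A candidate missing on either side is treated as zero, so a dropped column
    shows up as a discrepancy rather than being silently ignored.
    """
    findings = []
    for candidate in sorted(set(expected) | set(actual)):
        e, a = expected.get(candidate, 0), actual.get(candidate, 0)
        if e != a:
            findings.append(Finding(stage, precinct, candidate, e, a))
    return findings


def audit(precincts, absentee):
    """Run the three reconciliation checks and return every discrepancy found."""
    findings = []
    for rec in precincts:
        # The paper ballots are the reference: the machine must agree with them.
        findings += compare_totals("paper-vs-machine", rec.precinct,
                                   rec.paper_count, rec.machine_total)
        # The central count must match what the polling-place machine reported.
        findings += compare_totals("machine-vs-central", rec.precinct,
                                   rec.machine_total, rec.central_total)
    if absentee.received != absentee.counted:
        findings.append(Finding("absentee-received-vs-counted", "absentee",
                                "all", absentee.received, absentee.counted))
    return findings


# Constructed sample: precinct 1 reconciles; precinct 2 gains 50 votes for A
# between the polling place and central count; precinct 3's machine reports
# 10 fewer votes for B than the paper ballots show; 13 absentee ballots vanish.
SAMPLE_PRECINCTS = [
    PrecinctRecord("P1", {"A": 120, "B": 95}, {"A": 120, "B": 95}, {"A": 120, "B": 95}),
    PrecinctRecord("P2", {"A": 200, "B": 150}, {"A": 200, "B": 150}, {"A": 250, "B": 150}),
    PrecinctRecord("P3", {"A": 88, "B": 130}, {"A": 88, "B": 120}, {"A": 88, "B": 120}),
]
SAMPLE_ABSENTEE = AbsenteeRecord(received=1200, counted=1187)


def run_sample():
    """Audit the constructed sample and return its findings."""
    return audit(SAMPLE_PRECINCTS, SAMPLE_ABSENTEE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.stage:30} {f.precinct:9} {f.candidate:4} "
              f"expected={f.expected} actual={f.actual} delta={f.delta:+d}")
```

Note what the check does and does not tell you: a mismatch at "machine-vs-central" with a clean "paper-vs-machine" localises the problem to transmission or central tabulation, which is exactly the kind of information a source-code certification review cannot produce for a particular election.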
I received this in an e-mail today, and it speaks directly to our flawed certification model:
"A programmer friend gave me an interesting website (http://www.acm.org/classics/sep95/) to look at the other day...Mr. Thompson is the co-creator of an operating system called UNIX...what he did was reveal to the world that for 15 years UNIX had a bug. The bug was installed by him when he wrote the code and it allowed him to override any password protection by his unique knowledge of the key. For all those years he had waited for someone to question his implanted bug and no one ever did, so he dropped it on his peers at this award ceremony.
"His quote from this presentation pretty much tells the whole story..."

"No amount of source-level verification or scrutiny will protect you from using untrusted code."

Think open source will solve it? Open source, which is the equivalent of writing the program in the town square, in plain view of all the computer programmers in the world who care to watch, is important. It can tell us if someone slipped something undesirable into the code.
Open source code, though, won't guarantee that the program is secure. Linux was compromised at one time simply by adding the "=" sign into one of the many thousands of code lines. That went undetected, and there are probably more eyes on Linux than any other program in the world.
Counting votes is just bookkeeping. As in accounting, we may use a computer to help us, but the computer can't dictate the procedures. Certification won't save us, but sensible, publicly observed, appropriately chosen auditing procedures will restore trust quickly.