What’s All the Fuss About Diebold in FL & CA?

Saturday, 31 December 2005, 3:00 pm
Opinion: John Washburn

What’s All the Fuss About Diebold in Florida and California?
What in the World is Interpreted Code and What’s Wrong With It Anyway?
By John Washburn, for VoteTrustUSA
December 29, 2005

See VoteTrustUSA's open letter to the EAC and our email action alert.Earlier this month Leon County, Florida Supervisor of Elections Ion Sancho, invited computer experts to demonstrate the existence of a security flaw in Diebold optical scanners described in a report published on July 4, 2005. The test was repeated in December in order to refute specific denials by Diebold.

In statements to two different election officials Diebold claimed it was not possible to alter the outcome of an election in such a way that the perpetrator would not need passwords and the tampering would not be noticed during normal canvassing procedures. Sancho set up the test environment on December 13, 2005 to prove these claims false. The outside experts had no access to the optical scanner and the complete canvassing procedure was followed for 8 test ballots. The result was that while the 8 paper ballots had a vote tally of 2 Yes and 6 No, all of the official reports - from the optical scanner on through to the publication of county results - showed an outcome of 7 Yes and 1 No.

Because of this design defect, which exists on all Diebold touchscreen machines (DRE) and optical scanners, the Secretary of State of California has demanded that the Diebold software be re-examined by the Independent Testing Authority (ITA), who originally certified that the systems were in compliance with the 2002 Federal Voluntary Voting System Guidelines.


This breach of security exploits an inherently insecure feature of the Diebold optical scanners and touch screens known as interpreted code. Below is a simplified diagram of a voting machine.



http://www.scoop.co.nz/stories/HL0512/S00303.htm

:kick:

to understand. It's like pressing the button for 7-Up on a soda machine and Coke comes out.

problems in Florida, California, now on to Ohio!

Okay, I've read the article and I don't understand why the interpreted aspect of the code is what's deemed so important. I'm a software engineer and it seems to me that non-interpreted code that is directly executable by the CPU would be just as vulnerable as interpreted code if it's stored on the memory card rather than in ROM.

What makes it vulnerable isn't the fact that it's interpreted but rather the fact that it's in writable memory instead of ROM (Read Only Memory). That's where the emphasis should be. Interpreted versus non-interpreted should be irrelevant. What am I missing here?

:tinfoilhat:Is this some kind of misdirection to get people to concentrate on the wrong thing?:tinfoilhat: I doubt it, but the emphasis on interpreted versus non-interpreted doesn't make sense to me.

As usual this is a technical term being mangled by laypeople. Interpreted code in theory offers less "security through obscurity" in that you can easily alter much more of the program without a compiler/without adjusting offsets/etc. That the law prohibits it in voting equipment is probably why it is being jumped on.

But you're right -- in this case, it wasn't even that they altered the interpreted code -- they just exploited a bug in the code that skipped over negative values when printing a zero report -- which looks like a perfectly innocent coding mistake: if there are no votes (as determined by a sum) just print "no votes" don't print the column values, or do print zero column values, without printing the values that are actually there. A bad practice, but certainly one you are very likely to see in production software these days given the lax coding standards. The words "plausible deniability" definitely come to mind here.

A liberal lay-definition of interpreted code as "when data becomes code" might be a way to express the objection to interpreted code, though it ignores the fact that no matter how close to the metal code is, instructions are still inherently "just data" on the architecture in question until they enter the i-cache/pipeline (and assuming there's no route in the CPU between the i and d paths.) Really in the end it's just about how maleable interpreted code is compared to a fully compiled executable -- and there are two separate issues here. Diebold broke the law by using interpreted code, #1, and the system as a whole had a glaring bug in the zero report code, #2. They aren't the same issue and shouldn't be so confused.

but simply making it harder to modify really isn't good enough. It shouldn't be possible to modify it at all. More difficult just means you need a little more time and a higher level of expertise, neither of which presents much of a barrier when the stakes are high enough.

In fact, if you think about it, you wouldn't even have to modify the existing code. You could simply replace it completely with your own code. That would be just as easy to do with straight executable code as it would be with interpreted.

funded by the voting machine companies?

that in the end the SOS of Cali let the machines in anyway? Something about being assured that the problems would be fixed? I'll hunt for link...


...little bathroom magnets...

CA SoS McPherson got on ES&S about six weeks ago, and we found out only two weeks ago. Then a few days later, we learn that, supposedly, ES&S took care of all the problems and are back in good graces.

Among my questions: Was the repaired version recertified by the ITA (for what little it's worth)?