Sequoia To Publish Source Code For Voting Machines

cecille writes "Voting machine maker Sequoia announced on Tuesday that they plan to release the source code for their new optical-scan voting machine. The source code will be released in November for public review. The company claims the announcement is unrelated to the recent release of the source code for a prototype voting machine by the Open Source Digital Voting Foundation. According to a VP quoted in the press release, 'Security through obfuscation and secrecy is not security.'"

plan to

[poetmatt]

okay, so they "plan to"

yet, we don't have a release yet.

is this to just avoid press or do people actually believe them?

Re:

[TheKidWho]

No, everyone's out to trick you and lying.

Re:

[kalirion]

Don't listen to parent, he is lying. So am I.

They are NOT open sourcing it.

[goombah99]

Voting companies have traditionally offered to "disclose" their source code in the past. By disclose they do not mean open source. in the past it has always meant that certain designated people can get access under certain conditions. E.g. state voting officials under rabid NDA's can see it if they sue.

Until they actually publish it, assume that "disclose" does not mean either access without NDA or open source.

Re:plan to

[sunderland56]

Is there any guarantee that the source code they release is the actual code that will run on the machines during an election?

Re:plan to

[CityZen]

My thought exactly. In fact, there's no way to trust vendor-supplied hardware on this account, or any hardware of reasonable complexity at all.

I still think there's only one sensible way to do voting:

1. Let the voter fill in an optical scan form.
2. Let lots of different interested parties scan the form.
3. Verify that all parties have the same count after every form.
4. Lock the forms away in case a recount is needed.

If there's only one party doing the counting, they can never be trusted.
Only by having every competing interest do the counting (with constant cross-checking) can a system be potentially trusted.
Even then, you have to have enough parties involved to avoid the possibility of collusion.

Combine this with a system like Punchscan.org to add privacy, and maybe you've got something.

Re:

[shentino]

If only there was a way to verify a vote without compromising the anonymity of the voter.

Re:

[CityZen]

Um, that's why I mentioned http://punchscan.org/ [punchscan.org] . Check it out.

Re:

[KillerBob]

Y'know, in Canada, we use this funky invention, called pen & paper for voting. You are given a ballot that clearly lists each candidate's name, their party affiliation, and has a white circle to the side. You make your mark in the circle of the candidate you want to vote for. If you mark more than one candidate, or if you mark outside of the circle, or make any kind of personally identifying mark on the ballot, your vote is considered spoiled and rejected. It's really idiot-proof, when you think about i

Re:

[sunderland56]

True - but in Canada, you are only voting for one person. The Senate is appointed, not elected; and you don't vote for Prime Minister at all.

In the USA, an election is actually about 50 simultaneous voting opportunities. You may be voting for your congressman, your senator, the President, your town mayor, several state-level positions, the county sheriff, a few propositions, your local school board... the list seems endless. The ballot is so long and so complicated that they have to mail out booklets to

Re:

[Phurge]

mod -5 stupid

Re:

[KillerBob]

In the USA, an election is actually about 50 simultaneous voting opportunities. You may be voting for your congressman, your senator, the President, your town mayor, several state-level positions, the county sheriff, a few propositions, your local school board... the list seems endless. The ballot is so long and so complicated that they have to mail out booklets to voters ahead of time just to explain all of the choices.

That over-complication is what I was getting at. If there's multiple elections going on

Re:

[conureman]

In my county in California, We use the scanners to count the paper ballots, which get secured and stored in case recount or verification is needed. The hand-counting took an extra couple of hours, at worst, (and I don't think it is missed) which is not insignificant at the end of an already long day. We have a one-office ballot coming up in a few weeks, as a matter of fact; The task varies, but it is do-able.

Re:

[CityZen]

What you describe has many of the elements that I suggested, such as the paper record and multiple parties overseeing the count.

Many parts of the US use a similar system. Unfortunately, the method of doing voting is not something that is set at the national level in the US. Every state has its own laws & regulations, and every county makes its own choices within what the state allows.

The result is that there are thousands of bodies making the same mistakes over and over again, being taken advantage of

Re:

[wwahammy]

I know its nice to get up on your high horse but let me explain to you our situation. In Wisconsin our polls require at MINIMUM 4 poll workers, a chief voting inspector, an assistant chief voting inspector, and two people to sign in voters. The chief and assistant chief are usually of different political parties and rotate responsibilities for each election. The sign in workers use two different lists and the lists much match at all times.

We receive a set number of empty ballots. The number of ballots ca

Re:

[Bootarn]

There is [wikipedia.org]

Re:

[RemyBR]

What if forms start to disappear between scans? For example, a party starts to "take care" of forms with votes contrary to them.

Re:

[CityZen]

This would result in an immediate discrepancy. But I take your point, in that there would need to be very careful handling of each & every scan sheet.

The fact that something "easy" like voting is hard (when there is motivation to hack the system) should be a lesson to every lawmaker and programmer. Laws & programs are easy to make when you can trust people to do the right thing all the time. But, in the real world, you need to design them both as if people will try to punch holes in them any way

Re:

[Hurricane78]

As long as the voting machines are not completely locked high-security machines (what TCPA was *actually* meant to be for), and the source and binaries are signed and compiled by signed compilers inside the machine itself, one can meddle with it. Simple as that.

Of course then the process of signing the compiler would have to happen in an openly visible event, with the ability for third parties to check everything on the spot. Because as we know, one could simple modify a compiler, so that even if you compil

Re:

[david_thornley]

Here in Minnesota, we fill out an optical scan form. It's run through one scanner, and saved for later. A random selection of precincts does manual recounts, so that somebody will notice large discrepancies (the randomness of this has been questioned, though). If the reported vote is close enough, the law requires a manual recount; alternately, a losing candidate can ask for one.

It gets the vote totals in fairly fast, and these totals are accurate enough for most purposes. In event of a very close el

Re:

[poetmatt]

wow, I didn't even think about that part.

Re:

[Leafheart]

Is there any guarantee that the source code they release is the actual code that will run on the machines during an election?

Not unless they are forced to has the source released and the source on the machine. Upload it in front of the people and verify the hash.

Re:

[CityZen]

Yes, and what prevents the machine from then throwing that away and using the secondary code from the hidden hardware?

You cannot trust any single piece of hardware. That's why I suggested the only way to gain trust is through consensus (multiple parties doing the counting and checking each other).

Re:

[riverat1]

Open or closed source, how can you ever be sure what the software is on a device unless you personally compiled and loaded it? And even then what about the compiler and linker you used, the OS you're using, the BIOS and even the hardware itself?

Apparently there are no dependable guarantees.

[Futurepower(R)]

Even if they release source code, it is possible that the code they actually use in their voting machines is different than the code they release. It's entirely their choice which software is run on any given day, is that correct? They can do updates whenever they want. Their are apparently no dependable guarantees.

In the past, Sequoia Voting has not seemed especially knowledgeable: Sequoia e-voting machines disturbingly easy to hack [arstechnica.com]. Quote: "Researchers from the Princeton University Center for Informati

Tag story "noshit".

[cbiltcliffe]

According to a VP quoted in the press release, 'Security through obfuscation and secrecy is not security.'

About time they figured that out. Although it's probably still just some marketing PR-speak, rather than what they actually think....

Re:

[SanityInAnarchy]

Right. Hell is a bit chilly, but hasn't frozen over until the source is actually released, and it's actually all of it, and under a tolerable license.

Re:

[fuzzyfuzzyfungus]

Unfortunately, the "compiler" will turn out to be the binary installer for their previous version, with a new name...

Re:

[SanityInAnarchy]

That's what I meant by "actually all of it."

Re:

[kalirion]

Right. Hell is a bit chilly, but hasn't frozen over until the source is actually released, and it's actually all of it, and under a tolerable license.

What exactly do you mean by "tolerable license"? They're not planning to open source it (in the sense of allowing people to use it in their own products.)

Re:

[Daniel_Staal]

How about a license that allows people to read it, comment on it (both pro and con) publicly without constraint, and doesn't automatically assume Sequioa own all voting-related code that person might subsequently write at some point in the future? (Obviously, that assumes the code isn't copied.)

That'd be about my minimum.

Re:

[SanityInAnarchy]

I mean a license where I could look at the source and not have to sign away other rights.

For example: One kind of intolerable license is what the Flash specs used to be available under, which forbade anyone from reading them to develop a player. In other words, if I didn't read the Flash specs, I'd be allowed to work on Gnash, but if I did read the specs, I could only develop authoring and server-side tools.

I believe Adobe has fixed this recently, but you can see why I have a problem with that kind of licen

Re:

[NotBornYesterday]

I don't think they are releasing it as open source, or under any open license. Rather, they are planning to publish their proprietary code for all to see.

Spokeswoman Michelle Shafer [...] said the firmware on the company’s new Frontier optical-scan machines is written in C# programming language and runs on Linux. The election management software - which sits on a computer at the election office and is used to create ballots and tabulate votes - runs on Microsoft Windows XP and uses a Microsoft SQL database.

Looks like they use a combination of open and closed source for their OSes. I wonder why they went with C# on Linux?

Re:

[hrimhari]

I wonder why they went with C# on Linux?

I can only guess... Linux may be the easiest way to get a free OS and tweak it to your needs, since it already runs on everything from your generic PC to your electric toothbrush, then they probably held the opinion that C# was the current fashion in programming languages.

Re:Tag story "noshit".

[NotBornYesterday]

That makes about as much sense as anything I could think of. I thought they might be going with Linux on the optical scanners might be a cost-saving measure, and I figured that since they mostly seem to be a Microsoft shop, they might have more C# experience in-house than say, Java.

Their use of embedded Linux makes me wonder if their earlier refusals to release their code was legal. Not their C# stuff, or their DB schema or sql code, but if they took off-the-shelf Linux and resold it, aren't they at least required to make that source available along with any changes, if any, they made?

IANAL or GPL expert, just kind of wondering.

Tag it as...

[unixan]

suddenoutbreakofcommonsense

A step in the right direction

[betterunixthanunix]

More work needs to be done; in particular, the government should simply mandate that no proprietary software may be used in any voting machine that is actually used in an election. Hoping for these companies to volunteer their source code is just not enough, although I do applaud Sequoia for taking this step.

Re:A step in the right direction

[DrVomact]

But we need another step: a requirement for a paper audit trail. According to the article, criticism of the Sequoia system first surfaced because some printed output didn't match the electronic totals. Open source is good, but in this case, it's not enough: we must be able to check the reliability of these machines and their operators against a paper record. That doesn't mean that every election has to involve an electronic and a paper count—but the paper will be there if we need it. As the reliability of a given system is proven over time, we'll come to trust it—though I think a cross-check of a statistically significant number of votes would always be a good idea.

Who owns vote data?

[Pete Venkman]

The paper printout needs to be stored somewhere (maybe two or three different *somewheres*) so that if a question does come up after a vote, Sequoia can't say "Oh well, our warehouse leaked and those records were destroyed."

Re:

[Pete Venkman]

Well, I was thinking more along the lines of keeping data kind of like how a research project would, so that in case there were problems with one election *now*, those that wanted could look at past data too and see if there is a trend in the mistakes. I understand that eventually it wouldn't matter if there was a mistake 12 years ago, but this method of voting and vote counting needs to be proven too, almost like a research project's topic needs to be proven.

Read it again.

[Phroggy]

This is for an optical-scan voting machine. It scans a paper ballot. The paper ballot can be re-counted later - by hand if necessary. No additional audit trail is necessary.

You should be able to take the scanned ballots out of the machine, run them through another machine, and compare the totals. If you do this a dozen times on different machines, and the totals are off by one single vote, there's a serious problem.

Re:

[mirix]

That depends on the nature of the flaw, though.
You could feed the ballots through 8 machines that all give you the same, but *wrong*, result.

Re:

[Phroggy]

Count them manually first. If the machines agree with each other but disagree with the manual count, manually count them again. If you're sure of your manual count and the machines disagree, find out why.

Re:

[cgenman]

More work needs to be done; in particular, the government should simply mandate that no proprietary software may be used in any voting machine that is actually used in an election.

Why not? The security of open source comes not from being on the creative commons, but from being seen and commented upon by hundreds of eyes. If Sequoia publishes their source code, and it gets properly vetted by hungry young researchers eager for their first big bug, why would that be any less secure than if the implementation

I'd be more interested in this post

[al0ha]

if I didn't know that when someone makes a statement such as, "To Tell The Truth," they are generally trying to hide their true objective. This applies to the VP quote below, which is obviously not an original thought or deeply felt opinion, otherwise the company would have performed in this manner from day 1.

"According to a VP quoted in the press release, 'Security through obfuscation and secrecy is not security.'""

Re:

[TubeSteak]

How about they release the source code for their old voting machines.
You know, the ones that aren't "optical-scan".

Last I checked, the touchscreen ones are the voting machines that have caused so much grief.

Re:

[0100010001010011]

Pay no attention to the man behind the behind the curtain.

Re:

[Facegarden]

How about they release the source code for their old voting machines.
You know, the ones that aren't "optical-scan".

Last I checked, the touchscreen ones are the voting machines that have caused so much grief.

Yeah, that's what I was thinking! I think they are doing this in hopes people will forget about that.
-Taylor

Re:

[megamerican]

How about they release the source code for their old voting machines.
You know, the ones that aren't "optical-scan".

Last I checked, the touchscreen ones are the voting machines that have caused so much grief.

The touchscreens are just the tip of the iceberg for problems with electronic voting. It may be the most advertised problem of voting but it certainly isn't the worst problem.

Central tabulation of votes, memory cards, chain of custody of those cards, manipulation of the tabulation database and virtually every part of electronic voting has been a huge problem.

Bev Harris of blackboxvoting.org gained a copy of the GEMS database software and showed how it could easily manipulate votes without much chance of bei

Re:

[Red Flayer]

Eats, shoots, and leaves.

"According to a VP quoted in the press release, 'Security through obfuscation and secrecy is not security.'""

Security through obfuscation, and secrecy is not security.

Obviously, they are saying that secrecy is useless, but one can obtain security via obfuscation.

VP quote

[Magrovsky]

"According to a VP quoted in the press release, 'Security through obfuscation and secrecy is not security."

But obfuscation and secrecy can bring much security! This VP should listen to that other VP, who obfuscated his house and kept his secrets in man-sized safes. He never had a security problem.

It's been tryed - U.S.A. election 2004

[Vandilizer]

Not something I think we need to repeat. Why is it that every time I see 'Diebold' my mind replaces it with 'Diabolical'.

Horray!

[Geoffrey.landis]

Wow-- horray for them!

There are still a lot of things to worry about with electronic voting-- but this goes a long way toward making the process transparent, and transparency (of the vote counting method) is absolutely essential to confidence in the results.

Great news!

Programming Thinking...Again

[Anonymous Coward]

I've said it once, and I will say it again, you can publish ALL the code you want, but

1. In the event of a recount, can I get repeatable results?

2. In the event of a "software bug" can I hold someone responsible, will they pay for the cost of a reelection?

3. In the event of a hardware failure, can I hold someone responsible, are there contingency plans, will someone pay the cost of a reelection?

It's a matter of trust, and what you can put behind your software.

Since this is software, and programmers, the answer to these questions is generally "no" and "nothing".

Elections don't wait for service packs, bug fixes, hot fixes, etc A flaw in your software could cause chaos.

Simple programmers can't go to jail for negligence, can't get sued for bugs, and can't put anything concrete behind their code.

I can just picture reading the election software EULA, "NO WARRANTY" , "NO FITNESS FOR A PARTICULAR PURPOSE", "CONTAINS KNOWN DEFECTS"..

Re:

[arkane1234]

What the hell is a hot fix?
I've heard this term used so much and it's driving me nuts. I've literally been yelled at by my manager because I can't tell him the number of hot fixes for "Linux", while I'm holding a breakdown of every security patch (rpm/deb/etc).

WHAT is a "hot fix"?

Oh, and just to stay with the conversation in line here, no one is fully accountable for any huge issue that hasn't been tested.
The key is a test of the system beforehand. Most Open Source software is tested in pre-alpha/alpha (d

Re:

[Toonol]

I thought a hot fix was a fix, patch, or upgrade applied while a system was running (without needing a suspend or reboot). It would make no sense to ask how many hotfixes Linux had, though; a fresh installation would have none.

Re:

[Phroggy]

1. In the event of a recount, can I get repeatable results?

They should test this with sample ballots. Scan the same set of ballots hundreds of times on different machines, prior to the election. There should be no discrepancies. The margin of error should be zero. If one machine counts one vote incorrectly, don't pay for the machines until the problem is identified and fixed and the test is run again (with a different set of sample ballots).

2. In the event of a "software bug" can I hold someone responsible, will they pay for the cost of a reelection?

These are optical scan machines. In the event of a software bug that causes votes to be miscounted, the bug can be fixed

Re:

[cgenman]

Posting the source code to the wider community for review would definitely help with 1. and 2. by increasing the amount of reported bugs and helping the developers to patch them. Hardware failures are a bit more difficult to face down, but hardware is pretty good these days.

You can get all 3 if you want, but the cost would be outrageous. Districts who are struggling to find funding for their schools simply wouldn't be able to pay for all of that. You're essentially asking for the equivalent of 99.999% up

secrecy is not security?

[zerosomething]

so it's OK then to put my passwords on post-its?

Bad Time to be a Sequoia Developer

[kbob88]

Boss: OK, guys. Marketing and PR has decided to release the source code publicly. You guys said our software is really nice, clean, secure code. So you don't have any problems with that, right?

Developers: Umm, yeah, sure, no problem... You know, we might want to make one or two very minor fixes first... [runs frantically back to computer and pounds away]

Re:

[DeadDecoy]

Hope they release unit tests also. Otherwise I will be so very depressed.

Unit Tests?

[Nocuous]

Unit tests are worthless, given that they are done by developers.

I'll take unit tests as a show of interest by the developers that they did, kind of, sorta want to deliver a usable product. What I really want is the regression tests, certified by the fugly, old, chain-smoking harridan who runs QA and haunts the dreams of the developers.

Re:

[cecille]

Unit tests are good for ensuring that no one totals your code while making changes to other products/areas of the code base. But, yeah, I'd still rather have the QA guys sign off.

Pesky flags!

[syousef]

Developers: Umm, yeah, sure, no problem... You know, we might want to make one or two very minor fixes first... [runs frantically back to computer and pounds away]

The ifElectionRiggedFlag is proving harder to remove than we thought. That sucker is everywhere. How about we just rename it to ifTesting and set it to false?...and lets rename the forceWinningCandidate and forceWinningParty strings to blank while we're at it.

You're still voting for crooks

[Anonymous Coward]

If you want real democracy, then work on open sourcing the legislative process [metagovernment.org].

Why a delay?

[SnarfQuest]

I'd guess it's worries about patents, partners, and other politically related things.
Closed source makes it harder to claim patent infringement, when such things as xor and swinging side-to-side are allowed to be patented.

Re:

[vlm]

I'd guess it's worries about patents, partners, and other politically related things.

The solution for Sequoia is pretty simple, write the fancy vote counting machine as an exact emulator of a 1928 IBM 301 tabulating machine, then overclock the emulation a wee bit. Nobody screws around with IBM's patent portfolio, and frankly an overclocked 301 is massive overkill for "counting votes".

http://en.wikipedia.org/wiki/Tabulating_machine [wikipedia.org]

It is really a very elegant solution. Admittedly, I will freaking fall out of my chair laughing if I download their source code and discover this is exactly what

Re:

[mirix]

Why not skip the emulation, and just run the ancient IBM electromagnetic tabulators..?

Released in November?

[damn_registrars]

Last time I checked we had a habit of voting in the first week of November in the US. I know there are more than a few elections being held around the country this year even though it is an odd year. If the voting company takes votes in the first week and then releases their source code in the last week; is that really progress? A lot of election results could likely be certified before we'd have time to see the code that counted the votes...

And of course if they did the same thing next year - after midterm 2010 elections - we could have an even more dramatic situation on our hands.

Re:

[jggimi]

...even though it is an odd year...

I'll say. It's been a very, very odd year.

optical-scan?

[mikeee]

The key point here is actually that it's an optical-scan machine! You don't input votes on a keyboard or touchscreen but by feeding in an actual human-readable piece of paper (maybe it asks for confirmation that it read it correctly?), which then gets stored in a lockbox. This is obviously the Right Thing because it gives a built-in hardcopy audit trail.

In short, I think we're missing the SuddenOutbreakofCommonSense tag on this story...

Re:

[Nerdposeur]

You don't input votes on a keyboard or touchscreen but by feeding in an actual human-readable piece of paper

Added bonus: You need fewer machines. You can have as many simultaneous voters as you've got room to put desks, and just a few machines to scan the completed forms.

Cynicism be damned...

[SoTerrified]

But even a cynic like me sees this as a win. Seriously, this is what we've been fighting for. So in a world that manages to keep depressing me every time I turn on the news. I'm going to celebrate this little victory.

So say we find a bug...

[tlambert]

So say we find a bug...

Do we disclose it, or do we sell it to the highest bidder?

I mean this assumes the bug will be discovered by at least one honest person who chooses to disclose, right?

-- Terry

Whoa

[idontgno]

According to a VP quoted in the press release, 'Security through obfuscation and secrecy is not security.'

Amazing. Did anyone notice whether there may have been an alien tentacle wrapped around the VP's throat manipulating his voice and his jaw?

That's such a turnabout (at least in publicly-stated position) that I may get whiplash trying to track.

Of course, words are cheap. We shall see how deeply this new-found wisdom is held.

Comprehensively and fairly open the subject source code for unfiltered public inspection, without explicit or implicit coercion against criticism, and respecting reasonable fair-use rights to quote and comment, and you will get full credit for your Damascus road conversion. Take one step towards intimidation, chilling of discourse, or SLAPP, and we will know that your glib sound-bite was just cheap empty talk.

And for as much or little as Nerd Rage counts, you will experience it.

good step

[garynuman]

I'm one of "those people" who still requests a paper ballot due to not trusting diebold machines, this however is a big step in convincing me to trust the machines though, in the past electronic voting has been, to me at least, the equivalent of the board of elections refusing to disclose how exactly they count paper ballots, doing it in secret, and destroying the ballots afterward.... not exactly conducive to honest elections as far as I'm concerned...

Require Unanimous Vote

[j0ebaker]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Articles of Confederation required Unanimous consent for changes
to it. Well some criminals conviened and came up with the US
Constitution - they did it in secret and nobody signed the document as
a signature, only as witnesses. This is a problem. People have
gotten away from unanimous consent and I think we really need to get
back to the idea that one lone dissenter can and should be able to
stand his ground. I tend to be that one person quite allot these
days.

T

Subject

[Legion303]

See, Diebold? It's not so hard.

Just Because

[__aalnoi707]

Just because they are releasing they source code, dose not mean that is the code that is complied on all there machines

Re:

[cheftw]

Dear Sir,

I have googled your ideas and only found forum posts similar to this one.

It does nothing for your credibility. Next time anchor your link or have a crawlable page if you want anyone to see what you have to say.