October 21, 2003

General protection fault. Tom Runnacles of Crooked Timber waxes wroth about the underpinnings of Diebold’s voting machines. (Cue Groucho Marx: “Is Roth in there? Tell him to come out and wax me for a while.”)
Back to Diebold. As someone who fiddles with relational databases as part of my living, I don’t know whether to laugh or cry when it is revealed that the system which is offered as the backing infrastructure for American democracy involves as its lynchpin an Access database.

Access, as any fule kno, is a toy program for putting together a database upon which you want to record the details of your CD collection or keep track of the contents of your sock-drawer; it does not supply a platform which anyone with the tiniest bit of nous would use for anything that actually mattered.

If a reader can provide me, in confidence, with the name of a financial institution which relies on Access as a core component of a critical business system, I shall be gigantically surprised, and then move my account with them, if I have one, when I have recovered. Perhaps I’m just weird, but I really do care at least as much that I can trust the means by which my government is elected as that my bank statements should be correct each month.

Really, there is no more important domestic political story than the growing voting-machine scandal. And we need to start acting like it, instead of just insta-clucking as if it’s just one enormity among many. [10:43 PM]

Comments on General protection fault.:

LauraJMixon ::: (view all by) ::: October 21, 2003, 10:49 PM:

Oh. My. God. Access? No way.

Holy shit.


-l.

Claude Muncey ::: (view all by) ::: October 21, 2003, 11:37 PM:

It's actually worse than that. I am searching for the link (if I find it I will post it here) where there were discussions that not only were the Access .mdb files essentially unprotected by passwords (as shown in the Sierra Times link) but that the ability to easily read the data has been used to get around the operating problems -- in other words some jurisdictions rely on it being insecure to get their work done. Access will work in storing input from a touch screen device. It simply is the wrong platform for a high security device like a voting system.

For those who don't know, I am a professional Microsoft SQL Server DBA (in fact, I am posting from work while a SQL service pack installs on the cluster). I use Access a lot for a variety of chores. Mission critical secure data storage isn't one of them as anybody who knows the technology will tell you.

Diebold has been involved in the ATM business where Triple-DES and remote audit trails are the norm now. They goddam well know better. From the descriptions that have been published of the problems in Georgia with last minute patching and mislaid memory cards, it sounds like somebody got enamored of slick hardware, and got some relatively inexperienced programmers to knock out what looked like a simple app.

This kind of application reminds me a lot of the plant floor data acquisition work I have been involved with (except that the physical environment in a voting booth is friendlier). The software is often quite simple (people have tried to use Access for it, in fact) but the realities of how all the parts of the system have to work together with users of limited technical experience are well beyond the experience of most programmers. Technical or economic feasibility are not your biggest problems -- operational feasibility is. And that is the problem here. The program works -- but it is not the right technology for the operational environment.

Lydia Nickerson ::: (view all by) ::: October 21, 2003, 11:49 PM:

Diebold has been involved in the ATM business where Triple-DES and remote audit trails are the norm now. They goddam well know better. From the descriptions that have been published of the problems in Georgia with last minute patching and mislaid memory cards, it sounds like somebody got enamored of slick hardware, and got some relatively inexperienced programmers to knock out what looked like a simple app.

That's a very comforting explanation. I feel terribly paranoid because my first guess was that Diebold was deliberately making the system easier to hack. It would have made Florida far less sticky if they'd had better control over the output. The problem is, I don't think I'm unreasonably paranoid. And even if Diebold has no such intentions, the capability remains, and not everyone in the world is as ethical as Diebold.

Avram ::: (view all by) ::: October 21, 2003, 11:49 PM:

I've been thinking that the only solution to this problem is for some smart hackers (or crackers, if you prefer) to break into the systems this coming Election Day and get some really implausible results entered. The easiest would be just making sure obscure minor-party candidates get elected in every county that uses electronic voting machines, but it would be more dramatic (and therefore get more news coverage) to get fictional characters (Frodo Baggins, Mickey Mouse, Cthulhu) into office, or to get vote tallies that totaled 150% of the county's population.

The object is to get electronic voting systems even more thoroughly discredited than punch-cards, and to do it this year so that more trustworthy systems are in place for 2004.

Jon H ::: (view all by) ::: October 21, 2003, 11:56 PM:

"The object is to get electronic voting systems even more thoroughly discredited than punch-cards, and to do it this year so that more trustworthy systems are in place for 2004. "

The only problem with such a hacking campaign is that the response would not be to fix the electronic voting system, but to enact draconian measures to protect it as-is and punish unauthorized vote tampering.

Matt McIrvin ::: (view all by) ::: October 22, 2003, 12:52 AM:

One thing that is worrying me is that the buzz about this will keep people from voting. I'm already hearing statements to the effect that it's pointless. In my more paranoid moments I imagine that the RNC actually planted the Diebold story to sabotage get-out-the-vote efforts, but I suppose that has one more turn of the screw to it than is plausible.

Ali ::: (view all by) ::: October 22, 2003, 08:07 AM:

Oh boy. I use Access for my association's mailing list. Don't laugh. It was better than the 5x8 cards we had when I started. Besides, we're poor and it comes with Windows Pro. However, those two reasons are the principal ones for my using Access. If we could afford better or if I hadn't needed to move our data immediately into some electronic format, I would have done it differently.

When it comes to not whether someone gets their newsletter, but whether someone's vote gets counted, I think we can afford better.

Steve ::: (view all by) ::: October 22, 2003, 08:43 AM:

After Johns Hopkins released its utterly damning security review and defense contractor SAIC released its "yeah but" explanation of how the Diebold machines had horrific flaws but could be used securely (including such apparently novel steps as preventing unauthorized physical access to the machines and changing the default passwords), Maryland decided to use them anyway. The Georgia story does not give me great hope.

Jon Meltzer ::: (view all by) ::: October 22, 2003, 09:54 AM:

The real issue isn't Diebold trying to maximize its profit by using cheap labor and software tools; it's the very concept of an unauditable voting system. The problem would be no less severe if they were using a secure, unhackable implementation.

Erik V. Olson ::: (view all by) ::: October 22, 2003, 10:43 AM:

It doesn't matter what RDBMS they use. Relational Databases are for finding, relating, and manipulating data.

THIS IS THE WRONG ANSWER FOR VOTING.

There aren't supposed to be any relations in voting. It's simply a totalizer. What other data are they creating relations to? This is even more contrary to the purpose of a voting machine than simple security.

At the end of a vote, the machine needs to produce the following data.

EXAMPLE PRECINCT
FOO xxxx votes
BAR xxxx votes
..............
QUX xxxx votes
--------------
ALL yyyy votes.

The precinct is a set field, determined by where the machine is set. Every other relation, other than "foo gets a vote", is antithetical to the secret ballot process, and should never be collected. Not time, not date, not who, where, why, whatfor, nothing! Give me a camera in the polling place -- not in the booths, mind you -- and a very accurate clock on the voting machine and the camera, and save the time voted with the vote, and I can tell you how almost every person in that polling station voted. Save machine number with that vote as well, and that becomes every voter. Period.

The fact that they are using a RDBMS is a declaration that they intend to treat voting as a relational database.

I don't care if they use Access, Oracle, PostgreSQL or DB2. All of them, from the first to the last, are the exact wrong tool for the job. Period. As voting tools, they're built for the purposes of tracking and manipulating votes. Period. Hell, they could seed the database with a winning vote, then, just before the vote starts, tell the database

"BEGIN TRANSACTION"

Then vote. Honestly record the vote. After polls close, a cron job fires, and runs.

"ROLLBACK"

and the votes are gone, poof -- and the preloaded "votes" magically appear as valid.

Don't curse them for picking Access. Access has more than enough capability for the job at hand. You may think it's insecure. If they built the machine, they'll have the sa password no matter what RDBMS they use.

Curse them for picking a tool that's expressly built to allow you to manipulate data.
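Erik's two points above, the seeded-result-plus-ROLLBACK trick and the camera-plus-clock deanonymization, as an added example that is not part of the original thread and not any vendor's code. It uses SQLite in memory in place of Access; every table and column name, candidate, machine id and ballot in it is made up for the demonstration.

```python
"""Added example, not from the thread or from any voting vendor: two things a
relational vote store makes easy, shown with SQLite in memory.  The table and
column names, candidates, machine ids and every ballot below are invented."""
import sqlite3

# Constructed honest ballots: (candidate, machine, seconds since polls opened)
BALLOTS = [("FOO", "M1", 1), ("BAR", "M2", 2), ("FOO", "M1", 3), ("BAR", "M1", 4)]

# Constructed "camera" log: who stood at which machine during [arrived, departed)
DOOR_LOG = [("Alice", "M1", 0, 2), ("Bob", "M2", 0, 3),
            ("Carol", "M1", 2, 4), ("Dan", "M1", 4, 6)]


def new_db() -> sqlite3.Connection:
    # isolation_level=None puts the sqlite3 module in autocommit mode, so the
    # explicit BEGIN / ROLLBACK below are the only transaction boundaries.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE votes (candidate TEXT, machine TEXT, cast_at INTEGER)")
    return conn


def record(conn: sqlite3.Connection, ballots) -> None:
    conn.executemany("INSERT INTO votes VALUES (?, ?, ?)", ballots)


def tally(conn: sqlite3.Connection) -> dict:
    rows = conn.execute(
        "SELECT candidate, COUNT(*) FROM votes GROUP BY candidate").fetchall()
    return dict(rows)


def rollback_fraud(seeded: dict, ballots=BALLOTS):
    """Erik's scenario: commit a preloaded result, open a transaction just
    before polls open, record every real vote honestly, ROLLBACK at close.
    Returns the tallies (before polls open, during the day, after close)."""
    conn = new_db()
    # the preloaded "votes" are committed, so they survive the rollback
    record(conn, [(c, "M0", 0) for c, n in seeded.items() for _ in range(n)])
    before = tally(conn)
    conn.execute("BEGIN")            # 'just before the vote starts'
    record(conn, ballots)            # honest recording all day
    during = tally(conn)             # this connection sees its own rows
    conn.execute("ROLLBACK")         # 'after polls close, a cron job fires'
    after = tally(conn)
    return before, during, after


def deanonymize(ballots=BALLOTS, door_log=DOOR_LOG) -> dict:
    """Erik's camera-plus-clock point: once each vote row carries a time and
    a machine id, a log of who approached which machine when reduces the
    secret ballot to a single join.  Returns {voter: candidate}."""
    conn = new_db()
    record(conn, ballots)
    conn.execute("CREATE TABLE door (voter TEXT, machine TEXT, "
                 "arrived INTEGER, departed INTEGER)")
    conn.executemany("INSERT INTO door VALUES (?, ?, ?, ?)", door_log)
    rows = conn.execute(
        """SELECT d.voter, v.candidate FROM votes v
           JOIN door d ON d.machine = v.machine
                      AND v.cast_at >= d.arrived AND v.cast_at < d.departed"""
    ).fetchall()
    return dict(rows)


if __name__ == "__main__":
    print(rollback_fraud({"FOO": 1, "BAR": 5}))
    print(deanonymize())
```

The honest tally is visible all day to the connection that holds the transaction, so a poll worker watching the machine sees nothing wrong; only the committed, preloaded rows survive the ROLLBACK. The second function needs no vulnerability at all, just the timestamp and machine columns that a relational design invites you to keep.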

LauraJMixon ::: (view all by) ::: October 22, 2003, 11:34 AM:

I'm an environmental engineer with a specialty in information management, and despite all our best efforts, one of our clients insisted on Access for a LARGE, COMPLEX compliance assurance database we were building for them.

It was a disaster. An unmitigated disaster. Crashes, corruption, translation errors, you name it.

Access is fine for smaller applications, but it falls apart quickly at greater size and complexity than the average, say, address list.

To use it for voting machine info management is insanity.


-l.

Claude Muncey ::: (view all by) ::: October 22, 2003, 11:38 AM:

Lydia - I wonder if you are being sarcastic in calling Diebold ethical in this case. Diebold knows better, and knows how important voting is, but is freely choosing to use inappropriate technology. That is unethical in a technology provider, at least in my opinion.

Ali - I wouldn't worry unless it was a rather big mailing list -- let's say on the order of 10**6 names. I've worked for mailing houses that routinely handle hundreds of thousands of names using cruder *.dbf (dBASE III/IV) files because all the existing third party software still works with that format and it can be processed more efficiently than various flavors of text.

Jon, in many ways I agree. My preference (and I have also worked in politics including watching recounts) is mark/sense technology which seems to work very well and is quite cheap -- capital costs are far lower than touchscreen but operating expenses can be a bit higher as you have to print the ballots -- and it's not something that Joe's QuikPrint down the block can do.

Ali ::: (view all by) ::: October 22, 2003, 11:49 AM:

Campaigns collect that data all the time. Precinct watchers (employees or volunteers on a campaign) go to polling places and see how many Republicans, Democrats or others have voted at a given polling place. That information is used during Get Out the Vote efforts so areas that have low turn-outs can be targeted by phone bankers and precinct walkers over the course of the day. Poll workers have to give an official campaign representative that information. It's the law.

After the elections, results are tabulated by precinct, giving a campaign an accurate picture of who voted for whom and where, information which is then used to target certain neighborhoods in future campaigns.

What I'm saying is that whether they use computerized voting linked to Access or someone manually counts votes for various people, information on precincts and parties, etc. gained via voting machines of whatever type is used for relational purposes now, with or without computers.

As to whether or not data is manipulatable, I have done a lot of poll-watching and frequently when a paper ballot is submitted, voters will hand their ballot to the specially trained polling place worker, who then sticks it in a box, often after the voter turns his or her back and walks away. In the middle of the day, there is no one else around and those ballots could go absolutely anywhere if no one is watching. High tech games or low tech games, no solution is without the opportunity for corruption. Don't even get me started on absentee ballots, which can't even be addressed by computer voting systems, the data from which is analyzed for weeks before the polls even close.

This information refers to California election laws and procedures. I am not as well versed on what happens in other states.

Jon Meltzer ::: (view all by) ::: October 22, 2003, 11:51 AM:

Adding verification (printing or otherwise) to an electronic voting system will only increase costs and reduce potential profit. And, of course, if the customer has no reason to care about verification, why do it?

Dave Slusher ::: (view all by) ::: October 22, 2003, 12:09 PM:

Patrick, I don't understand your "insta-clucking" comment. You seem to be dismissing the alarmed discussion of the issue. Isn't that how it gets on the citizen radar to the point where people take the next steps, like writing officials and so on? If you want to organize a group chaining ourselves to Diebold's front doors, I'm in. Tell me when to be there.

This is serious shit and I want to prevent my future from getting fucked by it. If talking about it, writing about it and exerting my political concerns with my representatives is not enough, tell me what is so that I can do that too. The spirit is strong, but the flesh is disorganized.

Patrick Nielsen Hayden ::: (view all by) ::: October 22, 2003, 12:30 PM:

I'm not dismissing the alarmed discussion of the issue, I'm helping to propagate it. At least, I hope I'm helping.

By "insta-clucking" I meant the tendency, very understandable when many of us feel overwhelmed on all fronts, to simply rank this issue's importance on a level with forty-seven other current political outrages, and move on to the next. This one is particularly important. I detect that you agree.

Claude Muncey ::: (view all by) ::: October 22, 2003, 12:52 PM:

Ok, Eric, before I get started, understand that we basically agree -- as stated above, I prefer mark/sense to touchscreen.

First off, relational does not necessarily have anything to do with relationships, it is a reference to the class of sets known as relations, which can be thought of as tables. The best short intro that I could find quickly on line is this article, here is a longer description of the history, or the well known page on databases and web systems by Philip Greenspun of MIT (a favorite of mine despite his biases toward Oracle).

Your example of SQL transaction processing (START TRAN . . . ROLLBACK) misses one important technical point. What makes rollback possible is the transaction log for the database, which records each operation made and allows them to be reversed to a specific set point or points. For example, using a specific transaction log backup strategy, I can restore the state of a database to an arbitrary selected point in time, perhaps days or weeks in the past. A forensic DP auditor with the right tools can recover quite a bit from those logs. And as someone who has to maintain systems that will withstand both financial and regulatory audits I know ways to keep the systems nicely locked down indeed. (BTW, while the JET engine that Access is built around does have rollback, it really does not have the kind of transaction logging mentioned above. Another reason not to use it or similar systems for serious database work.)

A relational database system is a great tool for collating, storing, and reporting on voting results once collected and verified. But all that you are doing with touchscreens is an expensive and flashy emulation of paper. So why not use the real thing?

Erik V. Olson ::: (view all by) ::: October 22, 2003, 01:43 PM:

I'll grant the technicality of relational/relationships, but for the populace not familiar with SQL, it's a fine line to divide them. But what I don't agree with is this....

But all that you are doing with touchscreens is an expensive and flashy emulation of paper.

Well, no. All you are doing with touchscreens is taking input and displaying output.

What Diebold claims is that all they are doing with the software driving those screens is a flashy emulation of paper.

If you built touchscreens with printers, used them to collect the vote, then printed a filled out ballot that could be verified by the voter (and destroyed and redone) then the systems *are* nothing but flashy paper. Right now, they're *emulations* of paper.

And hacking emulators is trivial.

As to the rollback, yes, it depends on the transaction logs. Of course, dumping and reloading the transaction logs is just as simple as dumping and reloading *any* other database element. Do the rollback, dump and erase the transaction log, reload the old log, checkpoint, and the votes are gone, unless you do a very deep forensic analysis of the storage media themselves -- and a few dozen over-write cycles could beat that. Given the size of the database we're talking here, it would take seconds, tops, on modern computing hardware.

James D. Macdonald ::: (view all by) ::: October 22, 2003, 03:01 PM:

Erik, why don't you write up a nice "My Turn" and submit it to Newsweek?

Mike Kozlowski ::: (view all by) ::: October 22, 2003, 03:56 PM:

Erik,

In order for the voting machine to work, it needs to know: 1) what positions are being voted on, 2) who the candidates for that position are, and 3) which votes went for each candidate for each office.

There are several relationships here. You have a relationship of candidates to office (the system needs to know this in order to display the ballot properly); you have a relationship of votes to candidate and position (so that the system knows which candidate/position combination a vote was cast for). You don't NEED an RDBMS to manage those relationships, but they do exist, and using a RDBMS to capture them is more elegant than hacking up relations in plain text files.

Avedon ::: (view all by) ::: October 22, 2003, 05:07 PM:

I'm not happy with machine calculation at all. I want the voting machines to do no more than print out a clear ballot after the voter has made out her selections, so that she can drop it in the box to be hand-counted afterwards. If the ballots are later run through a machine for verification of the counts, fine, but I want them hand-counted first.

Alternatively....

Erik V. Olson ::: (view all by) ::: October 22, 2003, 06:01 PM:

In order for the voting machine to work, it needs to know: 1) what positions are being voted on, 2) who the candidates for that position are, and 3) which votes went for each candidate for each office.

Way too complicated. All you need is a bunch of counters.

There's no relation between *any* of these counters. If you have the odd case of someone running for two different offices, you code one counter as "Foo_pres" and another as "Foo_sen", or what not. At no time should one counter affect another.

That's all voting is. Incrementing counters. The minor programmatic task is making the User Interfaces for each vote, and assigning them to a counter. This is, well, cargo cult programming. Type title, type names. Assign counters to names. Next screen. Type title, type names, assign counters. When you're done, a sanity check makes sure that each counter is incremented by only one vote, and that each vote increments one counter and a check counter. Internally, you have a few hundred counters. An output routine spits them out with pretty printing to make it more readable, but you could collect the votes with a debugger.

The voting machine *does not* need to know that Counters 0xAB and 0xAC are counting votes for Proposition X. The UI portion needs to know, but all it needs to tell the counter for this vote is "increment 0xAB" for a yes, and "increment 0xAC" for no. You'd want a special counter that would increment if either of these two increments, as a sanity check.

That's *it*. Any relations exist only on screen. Setup is simply telling which counter counts which vote. Input is simply "Increment these counters." Output is simply "Dump the counters." I'd make it so that it's impossible to clear the counters until a full dump of the counters state is done.

You're thinking now that this would be easy to cheat. Well, yeah -- any computing device makes vote fraud trivial, if you can gain access to the programming of the machine. Period.

But saying you need an RDBMS is silly.
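Erik's "bunch of counters" design, as an added example that is not code from the thread or from any voting system. It keeps his three rules (a check counter per contest, a sanity check that every ballot bumps choice counters and exactly one check counter, and no clearing until the counters have been dumped) and goes one step beyond his description by letting a contest be "vote for up to N", which is one of the cases Mike raises below. Contest names, counter names and the ballots cast in the usage block are invented.

```python
"""Added example, not from the thread: Erik's 'bunch of counters' voting
machine.  Contest and counter names are invented; the max_select rule
(vote for up to N) is an extension of his one-counter-per-vote sketch."""
from dataclasses import dataclass, field


class CountersLocked(Exception):
    """Raised on an attempt to clear counters that have not been dumped."""


@dataclass
class Contest:
    name: str
    choices: list           # counter names, e.g. ["Foo_pres", "Bar_pres"]
    max_select: int = 1     # 1 = vote for one; N = vote for up to N


@dataclass
class CounterMachine:
    contests: list
    counters: dict = field(default_factory=dict)
    dumped_since_clear: bool = False

    def __post_init__(self):
        for c in self.contests:
            for name in c.choices:
                self.counters[name] = 0
            self.counters[c.name + "_CHECK"] = 0   # one check counter per contest

    def cast(self, contest_name: str, picks: list) -> None:
        """The UI hands over only 'increment these counters' for one contest.
        Overvotes and duplicate picks are rejected before anything changes."""
        contest = next(c for c in self.contests if c.name == contest_name)
        if not 0 < len(picks) <= contest.max_select or len(set(picks)) != len(picks):
            raise ValueError("overvote, undervote or duplicate pick")
        for p in picks:
            if p not in contest.choices:
                raise ValueError(f"{p} is not a counter in {contest_name}")
        for p in picks:
            self.counters[p] += 1
        self.counters[contest.name + "_CHECK"] += 1
        self.dumped_since_clear = False

    def sanity_check(self) -> bool:
        """Each ballot bumps between 1 and max_select choice counters and
        exactly one check counter, so for every contest
        check <= sum(choices) <= max_select * check must hold."""
        for c in self.contests:
            total = sum(self.counters[n] for n in c.choices)
            check = self.counters[c.name + "_CHECK"]
            if total < check or total > c.max_select * check:
                return False
        return True

    def dump(self) -> dict:
        """Output is just 'dump the counters'; pretty printing lives elsewhere."""
        self.dumped_since_clear = True
        return dict(self.counters)

    def clear(self) -> None:
        """Erik's rule: impossible to clear until a full dump has been taken."""
        if not self.dumped_since_clear:
            raise CountersLocked("dump the counters before clearing them")
        for k in self.counters:
            self.counters[k] = 0


if __name__ == "__main__":
    m = CounterMachine([Contest("pres", ["Foo_pres", "Bar_pres"]),
                        Contest("council", ["A", "B", "C"], max_select=2),
                        Contest("propX", ["yes", "no"])])
    m.cast("pres", ["Foo_pres"])
    m.cast("council", ["A", "C"])
    m.cast("propX", ["no"])
    print(m.sanity_check(), m.dump())
```

The sanity check is the part that earns its keep: a tally that was edited in storage (or a ballot that slipped past the UI and bumped two choice counters in a vote-for-one contest) shows up as a check-counter mismatch without the machine knowing anything about who the candidates are.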

Lenny Bailes ::: (view all by) ::: October 22, 2003, 06:20 PM:

Let's not lose this link to a site where you can urge Congressional representatives to support legislation requiring an audit trail for voting machines. (Neil Lancaster posted it in an earlier thread.) Urging an apathetic Congress to pass this may be one step beyond "insta-clucking."


In addition to more exposure of the flaws in the Diebold machines, I think it may also be important to hit on the way various local election boards are sticking their fingers in their ears on the issue. One local fan I know of lost his volunteer job in his local precinct for raising objections to installing the electronic ballot machines. Maybe he can be lured into providing more detailed information.

The issue of responsible people quitting Election Boards in disgust may be an adjunct to the issue of Diebold steamrollering in the easily-hackable voting machines. What's going on to make the election boards ignore rational objections and get rid of people who protest? One would think that these people don't necessarily have a vested interest in the Republican administration or stock options in Diebold. Are they fooled into thinking the new machines will make their job easier, or is it something worse?

Earl Kemp (a de-gafiated codger who some of you may remember) recently posted the following on the mailing list. The post was in response to a link posted to an old (to us) story on the November 2002 Georgia election reports:

[Reposted with Earl's permission]

---------------------------------


From: "Earl Kemp"
Date: Sun, 19 Oct 2003 11:58:04 -0700
Subject: [trufen] more on electronic voting


I forwarded Dave Locke's original URL to a friend who had worked for the Mohave County Election Dept. for a long time (that's Arizona) for his information.

I got back the following snip and am passing it along FYI:

Thanks.

Although I'd come to the conclusion that the DRE Diebold systems would not work as advertised, and that it would be subject to misuse and fraud, it is good to see independent verification. Arizona, and Mohave County, are going to the Diebold system.

The article makes me glad that I'm no longer associated with voter registration/elections. I predict that the entrenched Republican administration will keep going, and winning, elections. And that no one will notice the corruption and fraud. And if they notice, nothing will ever be done.

However, it makes little difference what system is used. For instance, the local Elections Director and Recorder came to me, beating up on me, trying to make me change the count for the results on a 5,000 person petition. The Elections Director had already announced the results to the local papers (based on nothing but pie-in-the-sky figures, pulled out of thin air), when I turned in mine (based on signed forms with voters signatures), and they didn't match, they tried everything to make me recant and change my results.

I believe that this is what cost me my job.

Like I said I'm glad that I'm no longer a part of that corrupt system.

Further, even with paper ballot systems, the Elections director and Recorder, are always in a position to alter the final vote tabulations according to their favored candidates. No one ever notices, even with recounts. Thousands of ballots go missing, and thousands can easily be remade with any candidate indicated. Remember, these are the people who print these ballots, and they can take them home, and punch them and exchange them for voted ballots.

The voters in Arizona go home with no paper trail. There is no way to find one person's voted ballot. So it is always easy to exchange one anonymous ballot for another. It's done all the time.

--------------------------------------------------

Mike Kozlowski ::: (view all by) ::: October 22, 2003, 06:52 PM:

So, Erik, in the system you describe, how do you specify that on some pages, you can only vote for one candidate, and on others you can vote for multiple candidates? How do you handle straight party-line tickets (which some districts may have mandated)? How do you handle write-ins? How do you handle the half-dozen other exceptions that neither of us is aware of, but will certainly pop up when you try to deploy your machine?

Pete Smith ::: (view all by) ::: October 23, 2003, 01:31 PM:

No need to worry about touch screen voting. In every election they do exit polling, and that always tracks the real numbers.

Jon Meltzer ::: (view all by) ::: October 23, 2003, 03:06 PM:

No longer true, at least on the national level. Google on "exit polling" "Voter News Service".

James D. Macdonald ::: (view all by) ::: October 23, 2003, 03:51 PM:

Miraculously, exit polling suddenly stopped working in Florida last time around, even though it was the standard way of checking to see if third-world elections were honest.

How about that?

Jon Meltzer ::: (view all by) ::: October 23, 2003, 04:01 PM:

Polling predicted a clear Gore victory. Must have been an error.

Patrick Nielsen Hayden ::: (view all by) ::: October 23, 2003, 04:43 PM:

Why do you guys hate America?

Jon Meltzer ::: (view all by) ::: October 23, 2003, 04:56 PM:

It's those troops. We don't support them.

David Moles ::: (view all by) ::: October 23, 2003, 04:58 PM:

I’m with Heinlein: The best way to assure honest elections is to station US Marines at all the polling places. Yeah. That’s the ticket.

Adam Stephanides ::: (view all by) ::: October 24, 2003, 11:48 AM:

I agree with Patrick that this is the most important domestic political issue. Jon Meltzer is right, too: regardless of whether any hanky-panky has happened yet, to be compelled to trust a corporation not to steal an election--to put it another way, to hope that they will allow a genuine election to be held--is unacceptable.

But what do we do about it? If there is a conspiracy to permanently fix our elections--or even if the Republicans are merely ideologically determined to foist paper-trail-less electronic voting machines on us--a few thousand people contacting their representatives or writing letters to the editor won't be enough.

I'm asking seriously; I really don't know. In an article in the Oct. 9 NY Review of Books, Alexander Stille says "if something does not appear on television, it does not exist." And even if, by some miracle, this story did get on TV, would enough people care? The Republicans stole the 2000 Presidential election, and even most people who voted for Gore preferred to let the Supreme Court get away with it rather than raise a stink.

On an earlier thread Patrick (iirc) scolded another poster for saying that Diebold looked unstoppable. I'd like to be optimistic, but I don't see much grounds for it.

Jon Meltzer ::: (view all by) ::: October 24, 2003, 12:11 PM:

The general elections aren't the only ones vulnerable.

We will have primaries in four months. Can we trust their results? And who's running those elections - the Democratic party, or state/local governments? I'm concerned that even after over twenty years of voting, I don't know who's responsible for primary election vote counts and polling place administration.

Can someone reassure me?

Lenny Bailes ::: (view all by) ::: October 24, 2003, 04:49 PM:

What can we do? What can we do?

Maybe support Rep. Rush Holt's Voter Confidence Act, HR 2239, that would require a voter-verifiable audit trail on every voting system. Details at this link.

Am I missing something that no one has considered this bill worthy of comment? Have we all written to our Representatives and Senators? Has it already been voted down? Or is it just boring?