Voting machine source-code leak shows election-rigging subroutines?

Sequouia, a company that makes many of the electronic voting machines used in the US and elsewhere, has inadvertently leaked much of the secret source-code that powers its systems. The first cut at analysis shows what looks like illegal election-rigging code ("code that appears to control or at least influence the logical flow of the election") in the source.

Sequoia blew it on a public records response. We (basically EDA) have election databases from Riverside County that Sequoia insisted on "redacting" first, for which we paid cold cash. They appear instead to have just vandalized the data as valid databases by stripping the MS-SQL header data off, assuming that would stop us cold.
They were wrong.
The Linux "strings" command was able to peel it apart. Nedit was able to digest 800meg text files. What was revealed was thousands of lines of MS-SQL source code that appears to control or at least influence the logical flow of the election, in violation of a bunch of clauses in the FEC voting system rulebook banning interpreted code, machine modified code and mandating hash checks of voting system code.
I've got it all organized for commentary and download in wiki form.
This is the first time we can legally study a voting system's innards without NDAs or court-ordered secrecy.

Sequoia Voting Systems hacks self in foot (via MeFi)

Previously:

I write books. My latest is a YA science fiction novel called Homeland (it's the sequel to Little Brother). More books: Rapture of the Nerds (a novel, with Charlie Stross); With a Little Help (short stories); and The Great Big Beautiful Tomorrow (novella and nonfic). I speak all over the place and I tweet and tumble, too.

MORE: Action • Civlib • Gadgets • politics

More at Boing Boing

Eurovision 2013: An American in London

The technology that links taxonomy and Star Trek

wallybrane

We still use stubby pencils and hand counting. I think there is still some minor fraud (our identification procedures are lamentable) but mostly it works.
Ian70

Cory, your Glenbeckery with these headlines is becoming so much more polished.
zikman

yay old bbg layout! sort of…
andyduncan

The smoking gun snippet posted on the linked site is hardly procedural, executable code. It’s describing a show/don’t show column in a database. It’s even commented nicely. The single “exec” call is creating a foreign key (a type of reference) to another table. In some versions of SQL you don’t have to call exec to do that, but apparently you do in MSSQL.

If they have stored procedures in their DB, then that’s one thing, but it doesn’t appear that the person who leaked this code knows the difference between DDL and a stored procedure.
- andyduncan
  
  @self: after downloading the source and taking a quick glance through it, they do, in fact, have stored procedures in the code, although it appears to mostly be reporting calls for reports like “voter turnout”, and for database creation/setup. So while the example chosen by the linked site is, in fact harmless, the rest of the code in here does appear have “business logic” as it is referred to in the non-election industry. Whether that business logic is limited to diagnostic-type reporting and setup, and whether that code is innocuous, would require more detailed analysis.
  
  As to whether stored procedures in SQL count as “interpreted code” is a whole other problem.
siliconsunset

Story about Yahoo! hiring strippers… 58 posts.

Story about the machines that effect the leaders of our government… 5 posts.

And we wonder why these things are allowed to happen? No one really seems to care!
Anonymous

Agree with bazzargh above. A lot of that “code” looks like chunks of test data and other unused detritus that was never zeroed out in the file.
dculberson

I recommend that you watch this:

http://www.thedailyshow.com/watch/wed-september-13-2006/the-question-mark

and avoid headlines that need question marks. ;-)
Brandon West

I might even describe this headline as “regrettable”
AirPillo

Please don’t be so sensationalist and conclusive with headlines.

News is a living, breathing thing. I can think of several times lately where further evidence in the case you are mentioning with a very bold headline has surfaced and made that headline factually false.

I know you’re too busy a person to carefully redact and edit every post that infers things that turn out to be wrong… so perhaps just be more careful with hyperbole?

Genuinely outraging news is easy to water down when it comes from a source who has a problem with attaching emphatics and outrage and hyperbole to things which turn out to be quite benign. That’s the sort of road that leads to tabloid-style writing.
Anonymous

I would think the question mark in the headline would be enough for people to conclude that maybe Cory was not stating a fact, but I guess that’s too subtle for all the budding journalists here. Cut him some slack or go away.
- AirPillo
  
  Mentioning bad writing habits of someone who has publicly criticized those same habits in others is hardly unfair or misplaced.
  
  It wouldn’t really be reasonable to call others out for using question marks to justify specious headlines, or spend years criticizing the printing of potentially misleading information, and then expect it that doing it oneself is perfectly fine and shouldn’t be criticized.
  
  I seriously doubt Cory intends to mislead people, after all. He does often make corrections when prompted by new information. It doesn’t hurt to suggest maybe lighting fewer fires with one’s writing, so there are fewer to put out with redactions.
RevEng

Whoa, let’s not jump the gun on this. From the original article, it seems like their SQL database is holding code, which could well be stored procedures (quite standard for an MS-SQL database). The original article says this is against FEC regulations, but even it doesn’t go as far as to say that it’s being used to rig elections.

Fox News jumps to conclusions and asks leading questions, not BoingBoing. Report on what is known and leave the rest to the discussion.
Anonymous

“The people who cast the votes decide nothing. The people who count the votes decide everything.” -Joseph Stalin
Chrs

Looking forward to actual analysis of this code. I appreciate the heads up that it’s out there.
TheNewModern

Please remember Occam’s Razor. “Election-rigging” is a far cry from the evidence here or elsewhere.

Personally, with the birthers, truthers, and anti-vaxxers, I’ve grown extremely weary of conspiracy thinking. I don’t want to see more of it at this wonderful website.
Anonymous

Please tell me somebody’s going to get the death penalty over this.
pelrun

Careful about jumping to conclusions here – “influence the logical flow of the election” just means there appears to be code for the election machine in the SQL statements (against federal laws prohibiting interpreted code). As yet there isn’t any evidence of vote rigging.
Anonymous

But I used “strings”…
fantastic mr. fox

Cory, your blog entry is inaccurate and misleading.

The studysequoia page is simply saying that some of the voting logic appears to be implemented by stored procedures in the database, in contravention of laws designed to minimize opportunity for changing code in the field.

This strikes me as a very real concern. But how you got from that to “election-rigging code” is beyond me.
pidg

I heard if you read the code backwards, it just says “SATAN” again and again.
Anonymous

WHY THE FUCK ARE WE ALLOWING CLOSED SOURCE MACHINES TO DETERMINE THE LEADER OF OUR COUNTRY?

I’m sorry, but what. the. fuck.

Every minutae of the process should be wide open to public scrutiny. It should be put into law that any machine that is directly used to determine our president should not have an ounce of closed source code in it.
yish

Are you listening, Karzai? We told you you should go for mechanised voting. but no, you wanted hand counting. now look where that got you!
bazzargh

This really needs to be read in the light of this followup:

http://www.codersrevolution.com/index.cfm/2009/10/21/Sequoia-Voting-System-Witch-Hunt-err-Study-Project

This guy pointed out to studysequoia that the files weren’t vandalized, and open fine. There’s evidence of stored procs and other code that has been dropped from the database, which can be recovered because the DB wasn’t compacted; these are the strings they saw. Studysequoia have a correction up on their website.

As some of the /. commenters who saw this pointed out, its not clear that this code was removed as part of the redaction, or was ever live on a site, since it doesn’t appear to be the vote-tallying code itself. Its possible this was code that was run to set up the db, and was then dropped to comply with the federal requirement that it shouldn’t be there.

(for the record: I’ve no sympathy for sequoia – I don’t think any of e-voting vendor should be allowed to claim that the mechanisms of democracy are a trade secret. I just don’t think this is quite the smoking gun its being presented as)
yannish

Where in the article does it state:

“Voting machine source-code leak shows election-rigging subroutines”?

Yes their code sucks, but its a long way from the yellow journalism screed of “election rigging subroutines”.

/rant
Anonymous

thats called, old technology. Buy voting machines from Brazil that are the most avanced and secure electronic system of vote. Sequoia… pfff… what tha hell is that?
blueelm

I’ll withold my reaction until I see reports that show the actual evidence of rigging within the code. This seems pre-emptive.
Thebes

Love all the vote-theft apologists… Yes, go back to sleep, its all a “conspiracy theory” and at least “our man” in in the Whitehouse now so its cool.
douchesniper

Shh bazzargh!, you are not furthering Cory’s narrative.
Anonymous

Isn’t the electoral college evidence of vote rigging???
Besides, voting sucks because someone inevitably get’s screwed.
Anonymous

why do people keep picking on a fiction writers blog posts as if they were the end all be all of accurate journalism?

he’s just some guy who writes on the interbutts people he’s not supposed to be held to journalistic standards.

gawd stop ruining boingboing. if you’re honestly coming here for your daily news you have bigger problems than cory’s shitty headlines.
snej

WTF? This hugely misleading post has been up all day — over 12 hours? — and still no one’s even corrected the headline. As the second commenter pointed out, the article does NOT imply that the voting machine is “rigging” the election or anything illicit, just that it may be using insecure (SQL) code.

If any other site left this kind of fear-mongering stuff online, I’d rightly expect BB to raise a stink. Why doesn’t that apply to your own mistakes?
Anonymous

If you look at the way elections are done, the voting machine’s don’t get the say, the electoral college does. For the conspiracy theorists out there, isn’t that conspiracy enough, and for the sheep. Gov’t's have been rigging elections since it became profitable, like when taxes were invented (you know way before everything else, and if you read douglas adams i believe they’ve been around since before the dawn of man ;) lol). But really, none of us get to chose the pres u rtards, u should already be pissed at the gov’t for not running popular votes hmmmmmm think about it! You all need to stop nit picking and stand up = DON’T VOTE any more, it’s a ploy!!!! DON’T believe the hype!!!!
masamunecyrus

Perhaps it would bed wise to submit this to wikileaks?
Brandon West

Sensational with very little substance.