Voting machine source-code leak shows election-rigging subroutines?

Sequoia, a company that makes many of the electronic voting machines used in the US and elsewhere, has inadvertently leaked much of the secret source-code that powers its systems. The first cut at analysis shows what looks like illegal election-rigging code ("code that appears to control or at least influence the logical flow of the election") in the source.
Sequoia blew it on a public records response. We (basically EDA) have election databases from Riverside County that Sequoia insisted on "redacting" first, for which we paid cold cash. They appear instead to have just vandalized the data as valid databases by stripping the MS-SQL header data off, assuming that would stop us cold.

They were wrong.

The Linux "strings" command was able to peel it apart. Nedit was able to digest 800meg text files. What was revealed was thousands of lines of MS-SQL source code that appears to control or at least influence the logical flow of the election, in violation of a bunch of clauses in the FEC voting system rulebook banning interpreted code, machine modified code and mandating hash checks of voting system code.

I've got it all organized for commentary and download in wiki form.

This is the first time we can legally study a voting system's innards without NDAs or court-ordered secrecy.

Sequoia Voting Systems hacks self in foot (via MeFi)
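
The extraction the quoted post describes, as an added example (not code from the original post or from the studysequoia wiki): a scan that pulls printable ASCII and UTF-16LE runs out of a headerless database file and flags those that contain SQL code markers, which is the check a records office could run on a "redacted" file before releasing it. The marker list, the sample bytes and every object name are constructed for illustration.

```python
import re

MIN_LEN = 6  # shortest printable run worth reporting, in characters

# Printable runs as single-byte ASCII and as UTF-16LE (each char followed by NUL).
# GNU strings looks for the first kind by default and the second with "-e l".
ASCII_RUN = re.compile(rb"[\x20-\x7e\t]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}" % MIN_LEN)

# Statements that suggest code or schema logic rather than plain data rows.
SQL_MARKERS = re.compile(
    r"\b(create\s+proc(edure)?|create\s+trigger|alter\s+table|exec(ute)?)\b",
    re.IGNORECASE,
)

def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for each printable run; no file header needed."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RUN.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")

def residual_sql(data: bytes):
    """Return the runs, ordered by offset, that still contain SQL code markers."""
    return sorted(s for s in extract_strings(data) if SQL_MARKERS.search(s[2]))

# Constructed sample: headerless "database" bytes with leftover text between
# binary filler. All object names are made up for this example.
SAMPLE = (
    b"\x01\x0f\x00\x00\x96\x00"
    + "CREATE PROCEDURE demo_turnout_report AS SELECT 1".encode("utf-16-le")
    + b"\x00\x00\xff\xfe\x03"
    + b"Precinct 12 - demo row"
    + b"\x00\x07\x00"
    + b"ALTER TABLE demo_contest ADD CONSTRAINT fk_demo"
    + b"\x80\x81"
)

if __name__ == "__main__":
    for offset, encoding, text in residual_sql(SAMPLE):
        print(f"{offset:#08x} {encoding:9} {text}")
```

An ASCII-only pass over the sample reports the `ALTER TABLE` fragment but not the procedure text, so a release check has to cover both encodings.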



  1. Careful about jumping to conclusions here – “influence the logical flow of the election” just means there appears to be code for the election machine in the SQL statements (against federal laws prohibiting interpreted code). As yet there isn’t any evidence of vote rigging.


    I’m sorry, but what. the. fuck.

    Every minutiae of the process should be wide open to public scrutiny. It should be put into law that any machine that is directly used to determine our president should not have an ounce of closed source code in it.

  3. Are you listening, Karzai? We told you you should go for mechanised voting. But no, you wanted hand counting. Now look where that got you!

  4. This really needs to be read in the light of this followup:

    This guy pointed out to studysequoia that the files weren’t vandalized, and open fine. There’s evidence of stored procs and other code that has been dropped from the database, which can be recovered because the DB wasn’t compacted; these are the strings they saw. Studysequoia have a correction up on their website.

    As some of the /. commenters who saw this pointed out, it’s not clear that this code was removed as part of the redaction, or was ever live on a site, since it doesn’t appear to be the vote-tallying code itself. It’s possible this was code that was run to set up the db, and was then dropped to comply with the federal requirement that it shouldn’t be there.

    (For the record: I’ve no sympathy for Sequoia – I don’t think any e-voting vendor should be allowed to claim that the mechanisms of democracy are a trade secret. I just don’t think this is quite the smoking gun it’s being presented as.)

  5. That’s called old technology. Buy voting machines from Brazil that are the most advanced and secure electronic system of vote. Sequoia… pfff… what tha hell is that?

  6. Story about Yahoo! hiring strippers… 58 posts.

    Story about the machines that effect the leaders of our government… 5 posts.

    And we wonder why these things are allowed to happen? No one really seems to care!

  7. Agree with bazzargh above. A lot of that “code” looks like chunks of test data and other unused detritus that was never zeroed out in the file.

  8. Whoa, let’s not jump the gun on this. From the original article, it seems like their SQL database is holding code, which could well be stored procedures (quite standard for an MS-SQL database). The original article says this is against FEC regulations, but even it doesn’t go as far as to say that it’s being used to rig elections.

    Fox News jumps to conclusions and asks leading questions, not BoingBoing. Report on what is known and leave the rest to the discussion.

  9. “The people who cast the votes decide nothing. The people who count the votes decide everything.” -Joseph Stalin

  10. Please remember Occam’s Razor. “Election-rigging” is a far cry from the evidence here or elsewhere.

    Personally, with the birthers, truthers, and anti-vaxxers, I’ve grown extremely weary of conspiracy thinking. I don’t want to see more of it at this wonderful website.

  11. Cory, your blog entry is inaccurate and misleading.

    The studysequoia page is simply saying that some of the voting logic appears to be implemented by stored procedures in the database, in contravention of laws designed to minimize opportunity for changing code in the field.

    This strikes me as a very real concern. But how you got from that to “election-rigging code” is beyond me.

  12. Where in the article does it state:

    “Voting machine source-code leak shows election-rigging subroutines”?

    Yes, their code sucks, but it’s a long way from the yellow journalism screed of “election rigging subroutines”.


  13. I’ll withhold my reaction until I see reports that show the actual evidence of rigging within the code. This seems pre-emptive.

  14. Isn’t the electoral college evidence of vote rigging???
    Besides, voting sucks because someone inevitably gets screwed.

  15. If you look at the way elections are done, the voting machines don’t get the say, the electoral college does. For the conspiracy theorists out there, isn’t that conspiracy enough, and for the sheep. Gov’ts have been rigging elections since it became profitable, like when taxes were invented (you know way before everything else, and if you read Douglas Adams I believe they’ve been around since before the dawn of man ;) lol). But really, none of us get to choose the pres u rtards, u should already be pissed at the gov’t for not running popular votes hmmmmmm think about it! You all need to stop nit picking and stand up = DON’T VOTE any more, it’s a ploy!!!! DON’T believe the hype!!!!

  16. We still use stubby pencils and hand counting. I think there is still some minor fraud (our identification procedures are lamentable) but mostly it works.

  17. Love all the vote-theft apologists… Yes, go back to sleep, it’s all a “conspiracy theory” and at least “our man” is in the White House now so it’s cool.

  18. Why do people keep picking on a fiction writer’s blog posts as if they were the end all be all of accurate journalism?

    He’s just some guy who writes on the interbutts, people; he’s not supposed to be held to journalistic standards.

    gawd stop ruining boingboing. if you’re honestly coming here for your daily news you have bigger problems than cory’s shitty headlines.

  19. WTF? This hugely misleading post has been up all day — over 12 hours? — and still no one’s even corrected the headline. As the second commenter pointed out, the article does NOT imply that the voting machine is “rigging” the election or anything illicit, just that it may be using insecure (SQL) code.

    If any other site left this kind of fear-mongering stuff online, I’d rightly expect BB to raise a stink. Why doesn’t that apply to your own mistakes?

  20. The smoking gun snippet posted on the linked site is hardly procedural, executable code. It’s describing a show/don’t show column in a database. It’s even commented nicely. The single “exec” call is creating a foreign key (a type of reference) to another table. In some versions of SQL you don’t have to call exec to do that, but apparently you do in MSSQL.

    If they have stored procedures in their DB, then that’s one thing, but it doesn’t appear that the person who leaked this code knows the difference between DDL and a stored procedure.

    1. @self: after downloading the source and taking a quick glance through it, they do, in fact, have stored procedures in the code, although it appears to mostly be reporting calls for reports like “voter turnout”, and for database creation/setup. So while the example chosen by the linked site is, in fact, harmless, the rest of the code in here does appear to have “business logic” as it is referred to in the non-election industry. Whether that business logic is limited to diagnostic-type reporting and setup, and whether that code is innocuous, would require more detailed analysis.

      As to whether stored procedures in SQL count as “interpreted code” is a whole other problem.

  21. Please don’t be so sensationalist and conclusive with headlines.

    News is a living, breathing thing. I can think of several times lately where further evidence in the case you are mentioning with a very bold headline has surfaced and made that headline factually false.

    I know you’re too busy a person to carefully redact and edit every post that infers things that turn out to be wrong… so perhaps just be more careful with hyperbole?

    Genuinely outraging news is easy to water down when it comes from a source who has a problem with attaching emphatics and outrage and hyperbole to things which turn out to be quite benign. That’s the sort of road that leads to tabloid-style writing.

  22. I would think the question mark in the headline would be enough for people to conclude that maybe Cory was not stating a fact, but I guess that’s too subtle for all the budding journalists here. Cut him some slack or go away.

    1. Mentioning bad writing habits of someone who has publicly criticized those same habits in others is hardly unfair or misplaced.

      It wouldn’t really be reasonable to call others out for using question marks to justify specious headlines, or spend years criticizing the printing of potentially misleading information, and then expect that doing it oneself is perfectly fine and shouldn’t be criticized.

      I seriously doubt Cory intends to mislead people, after all. He does often make corrections when prompted by new information. It doesn’t hurt to suggest maybe lighting fewer fires with one’s writing, so there are fewer to put out with redactions.
