Thursday, June 2, 2005

Throwing your Vote down a Black Hole


Tallahassee, FL: "Are we having fun yet?"

This is the message that appeared in the window of a county optical scan machine, startling Leon County Information Systems Officer Thomas James. Visibly shaken, he immediately turned the machine off.

Diebold's opti-scan (paper ballot) voting system uses a curious memory card design, offering penetration by a lone programmer such that standard canvassing procedures cannot detect election manipulation.

The Diebold optical scan system was used in about 800 jurisdictions in 2004. Among them were several hotbeds of controversy: Volusia County (FL); King County (WA); and the New Hampshire primary election, where machine results differed markedly from hand-counted localities.
The 2004 election was largely decided by Diebold black box voting machines in Ohio. (It looks like CEO Walden O'Dell kept his promise to deliver Ohio's electoral votes to Junior.) And there will be even more of the damn things in use in the mid-term elections next year. Meanwhile, more and more horror stories are emerging on how trivial it is to hack into the machines and tamper with election results.

As a software professional with over 30 years of programming experience (does anyone else remember APL?), I am horrified by the sloppy and incompetent programming revealed in the article excerpted above. One example is the fact that the number of votes for a candidate will roll over from 65,536 to zero. This indicates that the number of votes is held in an "unsigned short" - 16 bits. Now, 65,536 is not a large number when you consider that the population of Maricopa County, where I live, is over 3 million. Granted, they won't all vote at the same precinct, but 32-bit computing is absolutely standard today, even on the lowest-end handheld, and desktop computers are rapidly moving over to 64 bits. With 32 bits you can store numbers up to about 4 billion without rollover problems, so there is no excuse for not using the piddling amount of extra memory needed. (Not only that, but, as the article explains, a hacker can easily use the rollover behavior to subtract any desired amount from a candidate's total without arousing suspicion.)

Even worse, I recall reading in another article - I don't have the link now - of a case where a candidate's vote total rolled over from 32,768 to minus 32,768! Obviously (at least it's obvious to a geek like me), the programmer used a "signed short", which is totally inappropriate since the vote total is never supposed to be negative. This sort of ignorant, slapdash programming would lead to the greenest summer intern being shown the door at any respectable company.
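As an added example (not code from the post, and not Diebold's), here are the counter types described above written out in C: a 16-bit unsigned total that wraps to zero, a 16-bit signed total that goes negative, and a 32-bit counter with an explicit overflow check. The `max_ballots` ceiling is an assumption of mine, a per-precinct bound a sensible design would take from the number of ballots actually scanned.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A vote total held in an "unsigned short": silently wraps to 0 after 65535. */
uint16_t tally_unsigned_short(uint16_t votes, unsigned add)
{
    while (add--)
        votes++;                       /* no check, no error, just wraps */
    return votes;
}

/* A vote total held in a "signed short": goes negative after 32767.
 * (Converting the out-of-range int back to int16_t is implementation-
 * defined in C; gcc and clang wrap it modulo 2^16.) */
int16_t tally_signed_short(int16_t votes, unsigned add)
{
    while (add--)
        votes = (int16_t)(votes + 1);
    return votes;
}

/* Hardened counter: 32-bit total, refuses to overflow and refuses to
 * exceed the number of ballots cast.  max_ballots is a constructed
 * ceiling for this example. */
bool tally_checked(uint32_t *votes, uint32_t add, uint32_t max_ballots)
{
    if (add > UINT32_MAX - *votes)     /* the addition itself would wrap */
        return false;
    if (*votes + add > max_ballots)    /* more votes than ballots: reject */
        return false;
    *votes += add;
    return true;
}

int main(void)
{
    uint32_t total = 0;
    printf("unsigned short: %u\n", tally_unsigned_short(65535, 1)); /* 0 */
    printf("signed short:   %d\n", tally_signed_short(32767, 1));   /* -32768 */
    printf("checked add:    %d\n", tally_checked(&total, 70000, 100000)); /* 1 */
    printf("checked again:  %d\n", tally_checked(&total, 70000, 100000)); /* 0 */
    return 0;
}
```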

But what's really disturbing is that the software which controls the machine, and resides on a chip inside the bowels of the machine (presumably a ROM, or read-only memory chip, though that is not stated) actually transfers control to code residing in a RAM (writeable) memory card which is only supposed to be used for storing vote totals! There is zero security over these cards - anyone can remove a card from a machine while voting, and substitute a card with malicious code! Worse still, "[t]hese cards were seen scattered on tables in King County, piled in baskets accessible to the public in Georgia, and jumbled on desktops in Volusia county" according to the above article.

This is not just a monumental security blunder - it raises the strong possibility that the Diebold machines were designed to cheat state certification tests. The machines must pass these tests before going into service, but the state's election inspectors can only test the code that resides in ROM - once a RAM card is inserted, the machine can behave in a completely different way.

Take it from me, there is no legitimate reason for such a wide-open, totally insecure architecture. The only time I've seen this technique used was in space software, where you might need to change an unmanned spacecraft's software while it is in flight. I suppose you would also use this technique for unmanned deep-ocean probes and the like. But in any other sensibly designed embedded system, if you foresee the need to change the code after deploying the system, you will use a dedicated port for this purpose, and you will write some security into the base code so it does some checking of the new code you are trying to upload, rather than accepting code from any Tom, Dick or Harry. (Hmm, should that be Tom, Dick or George?)

This news strengthens my view that Diebold is a corrupt company surviving only because of its political ties. This story is potentially bigger than Enron. After all, Enron destroyed the careers and life savings of thousands of employees, but Diebold has perhaps destroyed our democracy.

When are we going to see Walden O'Dell doing a perp walk? Somehow I won't hold my breath.
