[Tfug] Let's play "ID this code"! (serious issue actually)
Jim March
1.jim.march at gmail.com
Sun Aug 23 22:14:55 MST 2009
Let's look at where I'm at with this data:
1) It came as part of a public records request, so it's 100% legal to
do anything we want with it. IF the voting system vendor were to for
some reason choke on what we've found and go for a court injunction
trying to "pull it back", they would fail miserably. Copies are now
in several states; if they went forward in state court somewhere, we'd
just examine it in another. If they tried to get the Feds
involved...that *might* work, maybe. Except for point two:
2) The county we got it from (in California, I don't want to say which
one) claims they stripped voting system vendor proprietary crap from
it, specifically the "schema" which they (jointly, county and voting
system vendor) claim was vendor trade secrets or other intellectual
property. We have that in writing from the county government. BUT:
3) Peering into the raw data with a good text editor I've been able to
confirm the existence of thousands of lines of MS-SQL source code such
as the snippets I showed y'all. While SQL isn't normally my thing,
I've seen it before and it's not all that hard to understand. From
what I can gather so far, and this needs to be confirmed by people
better at this than me, there is a ton of "logic" here regarding how
votes are processed. Which leads to...
4) There are RULES about voting systems. Two of them are "all code
used needs to be checked out by test labs and then hash-checked to
make sure the code in the field is the approved crap" (paraphrase
obviously). This mess doesn't just violate that rule, it stomps all
over it. Because data and program code are mixed into the same file,
hash-checking is impossible. It violates two more rules: "no
machine-modified code" (these databases with the program code embedded
are created by one of two apps from this vendor) and "no interpreted
code" - the latter mainly because it's "field modifiable" which is
supposed to be banned too.
So where does that leave us? What I want out of the data is...
a) I want to know what the reported vote totals are for this county,
by precinct, so I can compare it to official numbers. To do this, I
need readable tables.
b) I want to do at least a preliminary analysis of the source code, to
see if it leaves security holes in place and/or whether or not the
logic present could flip an election if tweaked. Either (esp. the
latter) would bolster the case that this junk is illegal top to bottom
and yet another failure of the oversight/testing process that's failed
so many times before. This can actually be done to some degree just
with the level of access to the files I have now, the ability to page
through them with a (good) text editor. (So far "NEdit" dated 2004,
present in the Ubuntu Karmic64 repos has been the best available...the
files are filled with null characters and other such problems and
range in size from 600megs to a gig. Opening them pushed my poor
budget 2gig lappy to the max.)
If ALL we end up with is even a partial source code/security analysis,
we'll have pushed the ball forward.
Hope this helps,
Jim
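
Added example (not part of the original post): one way to triage files like those described above (600 MB to 1 GB, full of null characters, with MS-SQL text embedded) is to stream them in chunks and report the offset of every printable run that looks like SQL. It assumes many of the nulls come from text stored as UTF-16LE, which the post does not confirm; the sample bytes and all names are constructed.

```python
import io
import re

MIN_CHARS = 8                      # shortest run worth reporting
P = rb"[\t\n\r\x20-\x7e]"          # printable ASCII plus common whitespace
# A run is either UTF-16LE (each character followed by NUL) or plain ASCII.
RUN = re.compile(rb"(?:%s\x00){%d,}|%s{%d,}" % (P, MIN_CHARS, P, MIN_CHARS))
SQL = re.compile(r"\b(CREATE\s+(PROCEDURE|TRIGGER|FUNCTION|VIEW|TABLE)|SELECT|"
                 r"UPDATE|INSERT\s+INTO|DELETE\s+FROM|EXEC(UTE)?)\b", re.I)

def text_runs(stream, chunk_size=1 << 20):
    """Yield (file_offset, text) for each printable run without loading the file."""
    buf, base = b"", 0             # base = file offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        buf += chunk
        # Bytes past `cut` may belong to a run that continues in the next chunk.
        cut = max(0, len(buf) - 2 * MIN_CHARS) if chunk else len(buf)
        keep_from = cut
        for m in RUN.finditer(buf):
            if m.end() > cut:      # touches the undecided tail: re-scan later
                keep_from = m.start()
                break
            raw = m.group()
            yield base + m.start(), raw.decode("utf-16-le" if b"\x00" in raw else "ascii")
        if not chunk:              # end of file: everything has been reported
            return
        buf, base = buf[keep_from:], base + keep_from

def sql_hits(stream, chunk_size=1 << 20):
    """Yield only the runs that contain a SQL keyword or DDL statement."""
    return ((off, text) for off, text in text_runs(stream, chunk_size) if SQL.search(text))

# Constructed sample: NUL padding, binary junk, one UTF-16LE SQL fragment, one ASCII string.
SAMPLE_SQL = "CREATE PROCEDURE dbo.usp_demo AS SELECT 1"
SAMPLE = (b"\x00" * 40 + b"\xff\x01" + SAMPLE_SQL.encode("utf-16-le")
          + b"\x00" * 33 + b"precinct totals exported OK" + b"\x01\x02")

if __name__ == "__main__":
    for off, text in sql_hits(io.BytesIO(SAMPLE), chunk_size=7):
        print(f"{off:#010x}  {text}")
```

For a real file, pass `open(path, "rb")` instead of the `BytesIO` sample; memory use is bounded by the chunk size plus the longest single text run.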