Help Black Box Voting Examine ES&S Software

Gottesser writes, "Bev Harris of Black Box Voting has asked for the help of the Slashdot community. She would like people to take a look at ES&S's central tabulator software and start reporting on their impressions of it. This is a past release of the software but it is similar to the applications in production. Sorry, no source code." Read on for Bev's request and pointers to the code repositories. Update 23:38 GMT by SM Bev has confirmed that blackbox1.org is indeed owned by BlackBoxVoting making both a comment in the discussion and a post on the front page of blackboxvoting.org to help assuage reader fear/doubt.

From Bev:

"ES&S 'Unity' central tabulator software.

Software stash: three zip files --
http://www.blackbox1.org/ems.zip
http://www.blackbox1.org/un5.zip
http://www.blackbox1.org/Unity.zip

User Manuals for ES&S software can be found here:
http://www.bbvforum s.org/forums/messages/2197/2864.html

This is the ES&S central tabulator software, the ES&S counterpart to the Diebold GEMS central tabulator software. No source code, sorry, and no software for the precinct machines. This is reportedly one generation back, but from what I'm told has significant similarities to the new stuff. I would appreciate it if you can provide me with feedback on your impressions after looking at it. You may want to Slashdot it or whatever.

Best,

Bev Harris
Founder
Black Box Voting

Don't bother

[jrivar59]

I would argue that examining this software is counter productive, and not a good use of resources.

The fact that it is closed and "secret" is offensive enough on its own to protest for change. If democratic election is not the most obvious case for open source (and open hardware), then nothing is.

Legit?

[Khammurabi]

Please say someone at Slashdot verified this post with the people at Blackbox voting, and didn't unwittingly just fall for someone's email or post to get the organization in trouble.

Re:Don't bother

[CastrTroy]

How does open source software help voting machines anyway. I mean, how do you prove that the code that's released and analyzed is actually the code loaded onto the thousands (or more) of voting machines around the country? There's too little transparency with computerized voting. I don't care how many people have verified the code is secure, because nobody will be verifying that the code on every voting machine is the code it's supposed to be. It's much easier to just use hand counted paper ballots.

Re:Don't bother

[Chris Burke]

True, and I'll go further. Trying to examine the software for flaws makes it sound as though evident flaws in the software are the problem with the current crop of voting machines. They are not. The problem with the current crop of voting machines is that they do not produce a paper ballot that is the actual counted ballot.

Software is an illusion. You, as in a non-employee of an electronic voting firm, will never be able to prove that whatever software you audit and trust is actually running on the machine. You will never be able to guarantee that there isn't malicious code in the machine. You will never be able to prove it has no bugs. You will never be able to prove that it actually stored your vote in its internal memory exactly as you recorded it.

However, you can be sure that a printed ballot has correctly recorded your vote, because you can read it.

Give me a printed paper ballot, and I won't need to check the software for bugs. If it prints my ballot correctly, it's good enough. If it screws up, it's buggy. That easy.

Re:Don't bother

[SkunkPussy]

If you know the source code of the software (including build options etc), and the compiler/linker versions that have been used to build it, it will be possible to prove whether or not the binary code on the machine was generated from the source code in front of you.
To be more precise, you will be able to prove that the source code in front of you combined with those compiler/linker options generates the same binaries as exist on the machine. If your compilation does not generate the exact same binaries, then someone has some explaining to do.
This is the advantage of OSS voting code - it allows independent verification of the process without requiring a huge amount of trust to be invested in any stage of the process.

Re:Don't bother

[daveschroeder]

Why aren't we simply fighting for a permanent voter-verified paper trail, instead of always saddling every e-voting initiative with demands that EVERYTHING, hardware and software, be open source?

Don't get me wrong: I'm not saying it's not a good idea.

What I'm saying is this: since, even if recounts must be requested every time, a permanent voter-verified paper trail (and a true comprehensive system with regular audits and comparisons between paper vote counts and tabulations) solves almost everything, why are we instead trying to essentially unseat established, commercial enterprise e-voting vendors?

Wouldn't a more productive approach be to simply get a paper trail into place, since even an open source system is almost as worthless without one?

Keep in mind, too, that an open source system still needs to go through complex certification processes and code freezing just like the commercial products do. Even though the commercial products aren't "open source", the certification process allows for the necessary level of inspections by election agencies and external entities. The problem was the certification procedures being routinely ignored or bypassed for convenience, something that can just as easily happen with an "open source" solution.

The problem is that doing an electronic, anonymous, secret ballot that also exists in a system that attempts to enforce one-vote-per-person, combined with all the complexities and vagaries of local municipal and county systems is a lot harder than doing a vertically integrated system for one corporate customer (such as a bank).

Keep in mind, too, that much of the legislation (such as the Help America Vote Act) that essentially mandated e-voting in the hopes of ensuring uniform access to modern voting equipment was done in response to complaints about unfairness and inconsistency with manual systems in the 2000 elections, and not just in Florida. The one critical error was not explicitly recognizing that an electronic secret ballot is a hard thing to do, even without corruption, fraud, and incompetence, and a paper trail wasn't specifically mandated. And no, that wasn't by design. It was an error of omission.

Now, states, counties and municipalities have had to shell out hundreds of thousands, and sometimes millions, more dollars to add and retrofit certified paper trail functionality to existing systems (which, indeed, many are doing). But all e-voting vendors offer it. It just costs a lot of money.

So instead of trying to push out enterprise vendors with multi-million dollar contracts (which is essentially what demanding "all open source" would do, since no commercial vendor is going to open up ALL of their software and hardware code and designs), why not just work to get a permanent voter-verified paper trail in place in as many places as possible as soon as possible, perhaps even mandating it via legislation, since that will be required no matter what system is implemented?

What's more important: the egos of the people who have a vendetta against Diebold, Sequoia, and ES&S, or actually getting a mechanism into place as quickly as possible that guarantees votes will be accurately cast and counted (and at a minimum immediately shows if there is a problem? (And yes, I DO expect the burden of actually looking at the piece of paper to verify that it's correct to fall on the person who is voting.)

Atter the analysis is done...

[Dave21212]

We should take a vote using GEMS to see if the Diebold software is good or not :) I'm predicting a landslide !

Seriously though, I'm a little disapointed in the comments so far. First, this is not a political/partisan issue. Second, you don't need the source code to evaluate the operation of this software. Sure, it would be easier if we had it, but are you telling me that nobody here knows how to run a debugger or decompile some simple windows code ??? How many of you are drooling at the chance to take a whack at this stuff ? Go to it !@

For you people whining about no source code, how about you leave the real hacking to the real hackers and go back to your QA jobs :) Besides, I think it will be interesting to see what people come up with *without even having the source* - it's more of a real world test that way.

The procedure is what matters.

[Chandon Seldon]

The important thing isn't the voting software, it's an effective voting procedure.

There is a known effective voting procedure using paper ballots, ballot boxes, and little old ladies (err... party representatives) to count them. This procedure has one important property: fraud attempts tend to get thwarted because the little old ladies will yell when something fishy happens. ANY VOTING SYSTEM WITHOUT THIS PROPERTY SHOULD NOT EVEN BE CONSIDERED.

It may be possible to design a voting procedure using computers that is similarly effective. Here's the important thing: it needs to retain the property that little old ladies observing the process can immediately tell if something fishy is going on. NO FULLY COMPUTERIZED SYSTEM CAN HAVE THAT PROPERTY.

Someone suggested the following system here on Slashdot:

1. Paper ballots are marked, either with sharpies / pens or from touch-screen ballot generating machines.
2. They go into standard ballot boxes.
3. Those ballots are brought to a central tallying location using the standard ballot-box protection procedures.

At the central tallying location, for each race:

1. The ballots are put into a sorting machine that sorts based on the votes in that race.
2. Observers check the sorted piles to make sure that they are properly sorted.
3. The sorted piles are put into a counting machine - there's your counts. If the counts look wrong based on pile size to any observer, it's manual count time.

If any candidate, observer, or 50 signatures question the validity of the counting machine's results - a manual recount occurs for that precinct. Every time - no "but that would be effort" bullshit.

This system takes all the properties of the hand count system and preserves them while spending money to gain two properties: Ballot generating machines for the blind, and fast counting for people who think that matters. Ballot generating machines are an easy problem, and sorting / counting machines are pretty cheap. We might have to use heavy cardstock for the ballots to survive the sort/count process for every race - that's $50 I'm willing to spend.

Re:I won't ask...

[mackyrae]

99% of /. is using Linux. Only 1% will be affected.

Re:Don't bother

[CastrTroy]

My sibling poster seems to have gotten the point. You can verify 1 executable, but you can't verify all the executables, on all the voting machines. This is a significant problem, because someone has physical access to those machines. Think about game consoles. We've all seen what happens when you put a mod chip in a unit that was once thought only to run specific signed software. The point is, is that you can get these voting machines to run any software you like, and there's nothing guaranteeing you that when you walk up to that machine on election day, that it will be running the correct software.

Re:story is legitimate, I just talked to Bev by ph

[AJWM]

So you say. How do we know who you are?

(Nothing personal, just illustrating the chains of trust necessarily involved in any security.)

Thanks for checking. If you really did ;-)

Re:Don't bother

[Chris Burke]

From my first post, emphasis added: The problem with the current crop of voting machines is that they do not produce a paper ballot that is the actual counted ballot.

I'm not talking about a paper summary, I'm talking about a paper ballot.

That's the point. You can do whatever the hell you want inside the machine, perform whatever trickery you want, but if it prints a ballot with the choices I made on it, then that is all that matters and your trickery was for naught.

Anticipating the next question of "why electronic voting at all then?", the answer is the same reason we moved to it in the first place: preventing poorly formatted ballots from causing invalid votes, and for accessibility reasons.

Re:Hi, I'm Bev Harris. There's nothing fishy here.

[Anonymous Coward]

Hopefully you are Bev Harris, but you see that there's no way for us to know. I could create a Slashdot account claiming to be Elvis, and nobody could verify whether the King had truly returned.

It would help significantly if there were a post either on the home page of blackboxvoting.org, or in the bbvforums.org forums under your name. This way there would be some credible record that this information did truly come from Bev Harris.

Re:No source code, sorry

[Anonymous Coward]

Nobody said reverse-engineering was easy, young grasshopper.

How was this obtained?

[slackmaster2000]

BlackBoxVoting is essentially "Bev Harris", and it's an organization concerned about the implications of electronic voting.

No point in getting into the goods and bads of electronic voting, because all we have here is somebody not associated with ES&S posting a copy of the ES&S software. Another slashdotter has posted at least three times in this discussion that this is all legit because he called and spoke with Bev Harris -- but Bev Harris is *not* from ES&S. Her validation does not make the software legal to obtain.

I found a very interesting little news article from two years ago: http://www.seattleweekly.com/news/0410/040310_news _blackbox.php [seattleweekly.com]

"Harris started surfing the Web. On Jan. 23, 2003, she hit the mother lode. On an unprotected Web site, she found 40,000 files of Diebold Election Systems' source code--the guts of software to run touch-screen voting machines. ... After a little soul searching, Harris downloaded the Diebold software files. It took 44 hours, and they filled seven CDs. By July 2003, after months of informal review and discussion among her friends and allies, Harris decided to allow Scoop, an "unfiltered" news Web site in New Zealand (www.scoop.co.nz/mason), to make the files available to anyone who wanted them. It wasn't a decision she made lightly."

Given her past actions (and without getting into the ethical or moral value of her crusade) I highly doubt that she has the legal right to distribute the software that she's making available today.

Not only that...

[Burz]

You are correct... perhaps the only way to tell for sure would be to compile the software on-the-spot after performing diffs to check for authenticity. Plus the OS and compiler would have to be verified as not being tampered with.

People--- Maintaining the integrity of anonymous transactions just isn't compatible with the nature of complex computing systems. Even fully-identified transactions, as in banking, are precarious enough to warrant an industry of anti-malware (which sadly, often cannot create a secure environment).

Add to that the idiosyncracies and exploitability of what is essentially Personal Computing hardware consisting of billions of logic gates and almost infinately maleable storage media... all to record a few bits of information per transaction?

That is asking for trouble.

Even if polling authorities can somehow effectively and independantly verify the source code logic, there is no way to be sure about the hardware logic, as each IC is effectively its own "Black Box" that cannot be peered into.

Finally, a computerized ballot is an invisible ballot. The bits being displayed on the touchscreen are only a proxy for the bits being recorded, and the opportunities for de-linking the display information with the recorded info are myriad. The concept of a voting system where the voter never actually sees the ballot they are casting is bizarre and tragic.

For the above reasons, only physical ballots can ultimately be considered as real. Any such voting system that does not print a physical ballot is a fraud.

Re:Don't bother

[Chris Burke]

If you know the source code of the software (including build options etc), and the compiler/linker versions that have been used to build it, it will be possible to prove whether or not the binary code on the machine was generated from the source code in front of you.

No, you cannot prove it, because you cannot know that the software/hardware isn't lying to you. It's like a rootkit, designed to fool you into thinking everything is normal while simultaneously subverting the machine. It's only even conceivable to do this with some kind of Trusted Computing platform, but there's the rub -- when it is you the user who does not trust the manufacturer, how do you know that the Trusted Computing encryption chip isn't similarly designed to lie to you?

OSS is nice, but it does not solve the fundamental problem. Until we solve that fundamental problem, lobbying for open source is counter-productive. It will be a more difficult fight, and it won't fix anything. The real fight is for paper ballots. Once we know the machine is working right because it prints our ballots correctly, then we can worry about the source code if there is still a reason to.

Here's one difference:

[Bev Harris at BlackB]

Any of us can go out and buy Photoshop, Office, and HalfLife and get at least an operational overview of what they do and how they work.

None of us can buy the secret voting system software that we are forced to use as the sole means of exercising our voice as owners of our own government. Citizens own the government, not the other way around.

When you own something, you have to have a way to convey your management decisions. As citizens, the way we invoke our management rights is through our vote, and the system that defines, authenticates, records and counts our vote is owned by someone else who says we not only can't look at the source code, we can't even install a working version of the compiled code to see anything at all about how it works.

That's what's different. This situation is more akin to the owner of Halflife being told he is not allowed to see how his own product works.