Part 1 of 2
The FBI is investigating the "possible theft" of the Diebold touch screen voting software in Maryland. Excuse me... but I fail to see what all the fuss is about. I certainly don't condone theft; it's just that I don't understand why anyone would bother with stealing the Diebold source code - or why anyone would take the time to read it.
Don't get me wrong: I've spent twenty five years in the financial services industry helping to protect billions of dollars of other people's money. I designed internet security services as an employee of American Express to protect the online financial identities of hundreds of thousands of people, and recently spent a year at one of the twenty largest companies in America as chief architect of a project to replace the foundation of all their internal and external security systems. I understand risks from thieves and embezzlers - I've designed financial audit and control systems. In the world I work in, there's no room for excuses.
Source code is irrelevant
I'll let you in on a dirty little secret of the computing profession: in the real world, there's simply no way to ensure that any program alleged to be written by Programmer Bob on June 24th bears any relationship whatsoever to what actually runs on computer "X" thousands of miles away on November 7th. Even if Programmer Bob's corporate public relations and sales reps swear up and down that it must be so.
When it comes to security, source code is irrelevant. The actual behavior of a computer at point of use is the only thing that matters. Yet many of my IT colleagues continue to believe that it is somehow possible to look at a vendor's source code and determine what a particular voting computer will actually do in a precinct or county election office during an election. This seems to be the rationale behind "open source voting": if I can see the program is benevolent, then must be safe to use. Sounds plausible. But in reality any computer academic or professional practitioner who tells you that anyone on earth can determine whether a vote tabulation system is secure and accurate simply by looking at a source code document... is either ill-informed or lying.
Consider Microsoft's Windows XP operating system. As a critically-important widely-used program nevertheless riddled with bugs and security holes, this is a particularly apt comparison to voting software. Even if I could obtain a copy of the current Windows XP source code and read its millions of lines of text in its entirety with perfect comprehension, the act of reading the program text tells me precisely nothing at all about the integrity and security of any of the hundreds of millions of computers running Windows XP all around the world.
Think about it. Some surveys indicate 70% or more of Windows PCs are infested with viruses, spyware or, worst of all, rootkits. Rootkits hijack precisely those portions of the operating system that are used to detect the presence of malicious software and in so doing so become effectively undetectable. Can looking at the source code version of Windows XP tell me whether your particular PC is echoing all your keystrokes to a server owner by the Russian mob while you're innocently doing your online banking?
Software is inherently untrustworthy...
How do so many of my colleagues get such a fundamental issue so wrong? Although computer technology can seem endlessly complex, the fundamental issues are simple enough.
Computer program "source code" is just a text document. It's written using a word processor in a highly specialized dialect that is a shorthand mishmash of English words and math symbols. In order to get a computer to do my bidding, I first edit and save a text file, then run other programs (called "compilers" or "interpreters") to convert my human-readable text into the binary electrical impulses that a computer can understand and execute.
Here's where it becomes one twisty hall of mirrors. All means of verifying the version and features of any program as it is running in a computer require use of other software, the version and features of which in turn are verified by use of other software, the version and features of which in turn is verified by other software... and so on. Software alone can't vouch for software. It is a very well-known maxim in my profession that the only way to truly know what is running in a computer at any given time is to present all the inputs, record all the outputs, and verify that the two match up as expected.
All computer systems which process high-value transactions include audit mechanisms that monitor the advertised features of the system to enable an independent means of detecting flawed or fraudulent program logic... uh, everywhere that is except for voting systems, which arguably process the most important transactions of all. Go figure.
I'm so tired of hearing e-voting compared to using an Automated Teller Machine. Voting could not be more different than using an ATM. ATMs ask for not one but two forms of identification - a bank card and a PIN. Whereas the act of voting is private and anonymous. "Private, anonymous banking" is just another way to say "robbery in progress" - as in sawing open the ATM and taking its cash. ATMs exchange transaction and audit records with multiple counterparties and offer the user a receipt. Some but not all e-Voting systems may create or scan a paper vote record, but the voter surely can't keep it, or votes could be coerced or sold. e-Voting machines and ATMs are truly "apples and bicycles".
When it comes to electronic voting, we can't use any of the techniques we apply to securing electronic financial transactions all of which are predicated on the strong proofs of identity and exchange of transaction data with multiple counterparties that are rightfully banned in voting systems. Voting systems are national security systems demanding a much higher standard of protection than mere financial systems.
1 | 2