News Update from Citizens for Legitimate Government
November 10, 2004
http://www.legitgov.org/

http://www.legitgov.org/index.html#breaking_news

Diebold Source Code!!! --by ouranos (dailykos.com) "Dr. Avi Rubin is
currently Professor of Computer Science at John Hopkins University. He
'accidentally' got his hands on a copy of the Diebold software
program--Diebold's source code--which runs their e-voting machines.
Dr. Rubin's students pored over 48,609 lines of code that make up this
software. One line in particular stood out over all the rest:
#defineDESKEY((des_KEY8F2654hd4" All commercial programs have
provisions to be encrypted so as to protect them from having their
contents read or changed by anyone not having the key... The line that
staggered the Hopkins team was that the method used to encrypt the
Diebold machines was a method called Digital Encryption Standard
(DES), a code that was broken in 1997 and is NO LONGER USED by anyone
to secure programs. F2654hd4 was the key to the encryption. Moreover,
because the KEY was IN the source code, all Diebold machines would
respond to the same key. Unlock one, you have them ALL unlocked. I
can't believe there is a person alive who wouldn't understand the
reason this was allowed to happen. This wasn't a mistake by any
stretch of the imagination."

Apparently the "F2654hd4" thing is legit. There has been commentary on this for a while now, dating back to at least February of this year.

One has to look, though, at what exactly the risks are that are involved with this code. What we're talking about is, essentially, broken encryption. A malicious outsider, in order to change voting results, would have to simultaneously gain control of all the voting machines in the country-- note, by the way, that these are not networked or available via the Internet or anything-- and install some kind of output-modifying Trojan.

I appeal once more to Occam's Razor: if someone were so nefarious as to hijack all these voting machines (which are hardly used in a large portion of the US-- their deployment is still quite limited, and mostly in urban areas that turned out blue anyway), why would they allow voting to be so close? What good is an evil genius plan to subvert technology if it's no more effective than a lurid headline on Election Eve?

The main reason I have a hard time taking any of this stuff seriously is that the final popular vote turned out to pretty closely reflect the pre-election polls, or actually to be rather closer than most (which showed a pretty consistent Bush lead by 4-5%). If there were a huge discrepancy, or a reversal in outcome from the polls to the election, then it would be suspicious. But if the election is one data point, the polls are a whole bunch more, and they all would seem to agree. To suggest that the election results were wrong is to suggest that the polls were also similarly wrong, and necessarily for quite different reasons. To suggest that the tampering occurred in Ohio suggests that whoever did the tampering knew beforehand that Ohio would be the deciding state, just as with Florida in 2000. Too much implausibility.

Now, you'll get no argument from me that voting machines are a big risk to the very core of our democracy. Any security expert would be horrified at the very *concept* of voting machines, simply because they have no paper trail, no way for the voter to audit them. At my polling place, they activated a card with my voter ID on it, which I stuck into the machine to start the process; when it was done, it told me it had written out the data to the machine's internal hard drive and to internal paper tape. But how do I know what it's written? It's not like I have a punch-card in my hand where I can line up the holes and tell what number I punched out, or a box with a #2 pencil X in it next to the name of my guy. It's all faith with these machines: faith that the names I voted for are the ones that are eventually, after many transformations of physical media and data transmission and encoding, reported to the registrar. There is no assurance of this. None.

However, suppose you're in the shoes of a voter action group after 2000, incensed over hanging chads and the impression that human interaction-- biased or incompetent election officials-- presented an unfair risk to your PAPER ballots, by inadvertently "losing" them, leaving boxes of them in trunks of cars, outright making up numbers for the final tally, et cetera. What kind of voting-machine reform are you going to push for? A return to *more* dependence on paper and human interaction, like in the good old days? Or would you want to latest and greatest cutting-edge technology, one that's seen as a closed black box that humans can't tamper with?

It's that latter impulse that has ended up rushing machines like the Sequoia/Diebold ones onto the market before they'd been properly subjected to auditing. It's possible that the DES flaw shown in the code is the result of just some sloppy programmer's coding, putting in a hard-wired key so that early development testing would work, and then later forgetting to take it out. I know I've done stuff like that in my own code, especially when I'm on a deadline.

But let's be clear about this: the risk of voting machines is in their insidiously reassuring black-box nature. They *seem* like they're immune to human interaction, when in fact they could be little more than interactive Flash games that report nothing at all to anybody, while assuring voters that they voted. It's a far more complex charge to level, and far, far less likely, that there was any kind of malicious tampering that leveraged a flaw in the encryption algorithm to oh-so-subtly tweak the numbers in certain districts so that the results, uh, turned out all over the map, resulting in a very nearly half-and-half split outcome. Again: if you have to assume that the perpetrator is both an evil genius and an incompetent fool, it's not a plausible theory, especially if the results can be explained equally well by NO malfeasance on anybody's part.

I don't like the idea of electronic voting machines becoming the norm in our elections. It reduces accountability and verifiability to an unacceptable degree, for a much less (I think) important increase in convenience for the vote-counters assuming all works correctly. But if they're going to be adopted whether we like it or not, then they MUST be subject to source auditing at the public level. I think that's probably coming in the next few years; certainly the outcries I'm seeing seem to demand it. In the meantime, we have to remember that the results, to be frank, seem to reflect everybody's expected outcome more than any evidence of tampering.

Let's focus on getting these things right so we don't have to go through this again the next time around.

UPDATE: Here's the original analysis of the code, from last June, by Avi Rubin et al. Whatever the implications, it seems this has been under discussion for some time. As this guy says, "One thing I’m still not clear about: Are these polling machines actually getting used yet?" If it's the one I voted on, I guess; but I know that those machines were connected to each other only by a daisy-chained power cord. No UTP cable. These things weren't on the Internet, that much is for damn sure.

UPDATE: Frank J's all over this, of course.