Evidently, there are some fundamental errors made by the original reporter that change the timbre of this story altogether. This report has Joseph Lorenzo Hall of the Centre for Democracy and Technology in DC, asserting very strongly that the tabulation machines are “air-gapped” — the tabulation results from the original voting system are in actuality walked over manually (via a data export to, say, a thumb drive or flash card) to the tabulation machines. Apparently, no code run on those machines can access the primary system because they’re isolated. So what the code has write access to, then, is apparently the export of the database, not the originals in any way.
It still means that processes should be followed to ensure the integrity of the data, to ensure that the exported data matches the CSV conversion. But I suspect these folks are more “with it” than I’d originally thought.
See below the fold for my original story.
So there’s apparently a software patch being installed on voting machines, a patch which has been described in an affidavit filed in an injunction against the action as “unspeakably stupid, excessively complex and insanely risky”. It’s been rolled out to tabulation machines — not the voting machines themselves, but the vote-counting (or “aggregating”) boxes — in 39 counties in Ohio. And it’s being rolled out despite the patch being uncertified, “experimental”, and providing full read/write access to the database, even though the patch’s stated intention is merely providing human-readable reports on the election results during the tabulation phase.
Sound even the teensiest bit suspicious to you?
According to Pam Smith, president of the nonpartisan watchdog group VerifiedVoting.org, her organization also sought explanations for the last-minute software changes from the secretary of state’s office.
She tells me that she was told that “the Secretary of State team installed the EXP tool” themselves in the counties that use the ES&S system. “It was not left to the counties to figure out the installation or the configuration.”
Moreover, she stressed, she was told the software “does not get installed on voting machines.”
But that makes little difference, since the software is installed directly onto the central tabulator machines, where it can affect — either accidentally, or by design — the main results of an entire county’s election. Software residing on the central tabulation systems is, in fact, far more dangerous than software on the voting systems, since it can have direct access to the entire set of county election results.
Note that this does not necessarily mean that Ohio will be stolen, or even that there’s anything untoward or shady going on here. This means only that there’s a huge potential attack vector being implemented without proper vetting on practically the eleventh hour. This same sort of action resulted in the Secretary of State decertifying Diebold voting machines in 2005.
Shady or not, though, this is at absolute minimum criminal negligence, especially with regard to something so important as a Presidential election.
Seriously people, what the fuck. You don’t install experimental code on a production machine on-the-fly for no good reason, especially not with something where data integrity is paramount, which is why everyone in the IT world has got their hackles raised here. The code could be entirely benign, but there’s no way to know in advance. This is beyond suspect to me. Either someone’s trying to pull a fast one, or dozens of people need to be forced to vacate their positions because as IT folks, they’re bloody hacks.
(See the top of this page for important updates!)