Thursday, January 20, 2005

Charlie clarifies

Here's my response to Charlie's response that I posted as a comment:

Charlie,
As always, your wordsmithing abilities have far outstripped my feeble attempts at articulating my thoughts. Upon re-examination I can certainly see where my interpretation may have come from. In the third paragraph you mentioned how the election officials were told by the manufacturer that their machines could tally 10,000 votes. I can see how the officials probably looked at this and thought.. "we only have about 8,000 registered voters in our precinct, so 10,000 should be plenty." However when the machine was delivered, it could only tally 3,005 votes. In light of that, the last sentence seemed to convey, to me at least, that he manufacturer *intentionally* delivered the less capable machine. I was only scoffing at the appearance that your statements seemed to place some level of hubris on the part of the manufacturer. I understand now that you were merely highlighting the incompetence of the folks involved.

Now, as far as open-source being the "solution" to this problem, let me toss in a few more kinks. I don't think that this is only a software issue. I think that it comes down to a hardware *and* a software issue. For instance, in this case, suppose *all* voting machines from this manufacturer contain the exact same core software (or firmware). Then, based on what physical hardware is installed, the system knows how many votes it can store. What if the manufacturer simply grabbed the wrong machine (i.e. one without the correct number of flash memory devices) from the assembly line and shipped it out? Incompetence one. Now, when the machine was delivered to the voting authority, only a few test votes were cast to make sure the system functioned. Also, nobody double-checked that the machine "sub-model" was in fact the correct one.

Most of these ideas about the various ways in which the machine could have failed have little to do with the software. In fact, prior to working for Borland, I used to design, build, and program magnetic stripe encoding and access control equipment. In order to save significant manufacturing costs, the embedded software (which I wrote entirely in 6800 assembly) contained *all* the features that the customer could possibly order. Also, they could order varying levels of card storage and "store-and-forward" buffer. By simply using a single master ROM, we'd burn several hundred copies. By default only the core functionality was enabled. By placing the chips into a specialized EPROM burner, the tech could burn certain memory addresses in order to enable the extended functionality. If the customer ordered more than a few units, all with the same features, then a new temp master was created and it was off to the gang programmer to burn the custom ROMs.

I would imagine that most of these voting machines are in fact embedded systems, and that, in order to keep the costs way down, they are using much older technology. In fact, they are probably not running any version of Windows, Linux, or whatever... Since they are single-purpose systems, you can do a whole lot to cut costs and increase manufacturing efficiency, all without compromising the core functionality of the machine.

Yes, there is room for programmer error. There is also room for manufacturing defects. And finally, there is room for configuration errors. The latter two items have little to nothing to do with the embedded firmware. Also, since these hardware platforms are themselves proprietary, unless you have a full understanding of the environment under which the actual voting code is running, having the code may simply not be enough. About all you can hope to get from being open source is simple code reviews that find some of the more blatant errors. Most of those should be caught by simple in-house peer reviews and fundamental QA testing.

Finally, your ideas for making things verifiable and trackable are pretty good. However, I'd take it a step further. There should be hardware keys burned into the actual device that uniquely identify that machine. These keys should be similar to those funky parallel or USB port dongles that folks tend to loathe. What is interesting about these devices is that they contain some "write-only" memory. Huh? What good is "write-only" memory? Well, what you do is write a private key to this memory, so that when you send data through the device (or onboard chip), it encrypts this information with that key. Since *only* that machine has that particular private key *and* there is no way to ever retrieve it without destroying the device itself, you can be certain that a particular vote is from a valid machine. This is because the public key is well known and available to anyone. So basically, as long as you can decrypt the data with specific public keys, you know that the vote could only have come from a valid machine. Not even the manufacturer or the election officials should ever have this private key. That is just off the top of my head...

I better stop, or I'll start being accused of being too "wordy." ;-)...
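The per-machine key scheme sketched in the comment above (a private key sealed inside the device, a well-known public key held by the election authority) is what a digital signature gives you. Here is an added example of that exchange, written for this page and not taken from the original post or from any voting-machine vendor. It assumes Ed25519 as the signature scheme (the comment names none), models the "write-only" dongle as a Go struct whose private key is never exported, and uses constructed machine IDs and ballot records. It also shows the two checks an election authority would actually run: rejecting a vote from a machine whose public key was never registered, and rejecting a vote whose record was altered or relabelled as coming from a different registered machine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// VotingMachine models the "write-only" hardware key: the private key is
// generated inside the device and the device only ever exposes CastVote.
// Nothing outside this struct can read priv (assumption: the real device
// would enforce this in silicon; here it is enforced by the unexported field).
type VotingMachine struct {
	ID   string
	priv ed25519.PrivateKey
}

// NewVotingMachine "burns" a fresh keypair into a device with the given
// (constructed, hypothetical) ID. Only the public half leaves the device,
// to be recorded by the election authority.
func NewVotingMachine(id string) (*VotingMachine, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &VotingMachine{ID: id, priv: priv}, pub, nil
}

// SignedVote is what the machine emits: the vote record plus a signature
// that only the key sealed inside that machine could have produced.
type SignedVote struct {
	MachineID string
	Record    []byte
	Sig       []byte
}

// signedMessage binds the machine ID into the signed bytes, so a signature
// made by machine A cannot be replayed under machine B's ID. The zero byte
// separates the two fields so "ab"+"c" and "a"+"bc" do not collide.
func signedMessage(machineID string, record []byte) []byte {
	msg := append([]byte(machineID), 0)
	return append(msg, record...)
}

// CastVote signs a ballot record with the device's sealed key.
func (m *VotingMachine) CastVote(record []byte) SignedVote {
	sig := ed25519.Sign(m.priv, signedMessage(m.ID, record))
	return SignedVote{MachineID: m.ID, Record: record, Sig: sig}
}

// Registry is the election authority's list of known machines and their
// public keys. The authority never holds a private key.
type Registry map[string]ed25519.PublicKey

var (
	ErrUnknownMachine = errors.New("vote from unregistered machine")
	ErrBadSignature   = errors.New("signature does not verify for claimed machine")
)

// Verify accepts a vote only if the claimed machine is registered and the
// signature checks out under that machine's public key.
func (r Registry) Verify(v SignedVote) error {
	pub, ok := r[v.MachineID]
	if !ok {
		return ErrUnknownMachine
	}
	if !ed25519.Verify(pub, signedMessage(v.MachineID, v.Record), v.Sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	reg := Registry{}
	m1, pub1, err := NewVotingMachine("precinct-7-unit-01") // constructed IDs
	if err != nil {
		panic(err)
	}
	reg[m1.ID] = pub1
	rogue, _, _ := NewVotingMachine("unregistered-unit") // key never given to the authority

	good := m1.CastVote([]byte("ballot=1042;choice=A")) // constructed record
	fmt.Println("genuine vote:", reg.Verify(good))

	tampered := good
	tampered.Record = []byte("ballot=1042;choice=B")
	fmt.Println("altered record:", reg.Verify(tampered))

	fmt.Println("rogue machine:", reg.Verify(rogue.CastVote([]byte("ballot=1;choice=A"))))
}
```

Note that the registry only needs public keys, which matches the comment's requirement that neither the manufacturer nor the election officials ever hold the private key; the one thing the authority must protect is the integrity of the public-key list itself, since whoever can add a key to it can mint "valid" machines.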