I agree wholeheartedly that all voting machine code should be open for public inspection, but I don't think it helps the cause to make fantastic claims that are not supported by the evidence.

What is surprising is that people will jump the gun with stuff like this, if you really want to make a dent in these companies you have to get ironclad proof first, have it checked by someone else that is 'noteworthy' under NDA and then you go all out to the media.

It's almost as if they just cared about the short term exposure and not the longer term goal.

I have worked in the software for the Brazilian electronic voting system and I am astonished they used such a heavy pile of software.

The code I helped write had to run on as little as 8 megabytes of RAM on an embedded MS-DOS-like OS (our version targeted Windows CE, but it had to run on the older, 386-ish machines). It was written in very compact ANSI C, had data in plain-text files and certainly didn't need a relational database embedded in the ballot.

All this reeks of incompetence.

Yes but with that sort of primitive technology you have to wait until AFTER the election to know who won!

I never saw the rush. You USA'ians vote on 4 November, and Inauguration is not until January 20. Can't you afford to spend a day or two on getting the results right rather than fast?

I think the grandparent comment was meant humorously.

Akin to how in Chicago we say, "Vote early, and vote often!"

It was. But even with "waiting until after the election to know who won" you want to know who won by breakfast the next day. Would anything actually go wrong if you waited a day or three?

Would you happen to have any links you can recommend to particularly good information about that system (in English)?

Claim: "They appear instead to have just vandalized the data as valid databases by stripping the MS-SQL header data off, assuming that would stop us cold."

Correction: " It appears the files were NOT VANDALIZED and will open in MS-SQL Server 2005."

Claim: "This in turn revealed thousands of lines of Microsoft SQL code that appear to control the logical flow of the election. Stuff like:" (example follows)

The example they give looks like some code which adds a new candidate to the ballot.

This looks like an embarrassing debacle so far.

Hyperbole aside, it does appear that Sequoia is violating the laws regarding security in such a system. This is executable code which could impact the results of an election which is machine-generated, interpreted, dynamically loaded not integrity-checked. All these characteristics go against federal recommendations for the design of computerized voting machines and constitute cause for concern.

Actually, that "law" is a "Voluntary Voting System Guide".

I can't download that guide at the moment, but the part quoted says:

"Self-modifying, dynamically loaded, or interpreted code is prohibited, except under the security provisions outlined in section 6.4.e [sic - see note below]. This prohibition is to ensure that the software tested and approved during the qualification process remains unchanged and retains its integrity. External modification of code during execution shall be prohibited. Where the development environment (programming language and development tools) includes the following features, the software shall provide controls to prevent accidental or deliberate attempts to replace executable code"

and

6.4.e: "After initiation of election day testing, no source code or compilers or assemblers shall be resident or accessible."

I think that most readings of that would interpret it to mean that SQL statements to create tables would be permitted, but that the interfaces to the databases should be secured.

The whole thing is a beat-up.

They need to give that code in context. Just because you grep some code for the word delete and you see the line "delete vote" somewhere doesn't mean that someone is tampering with votes.

For now it seems that it doesn't, there is already much written about this and there are plausible explanations on how that stuff got in there. Best to wait and see and not jump the gun on this, if it is real it will definitely come out. Until then this is pure speculation.

Such accusations should only be made with very solid evidence in hand to avoid blowing the media attention on a 'dud', then next time when there is real evidence you'll get a small fraction of the response.

http://www.itwire.com/content/view/28715/1141/ is a rebuttal by someone with some actual technical skill (eg, he knew how to restore a database backup)

Nope. It does not show that.

Whenever a news article ends in a question mark, the answer is usually 'NO'.

The entire idea of electronic voting just rubs me the wrong way. Any way you shake it, it seems as if the security of the systems is only as good as the lowest-payed employee with access to the source code.