You Can’t Patch an Election

A great insight from Avi Rubin, who attributes it to California Secretary of State Debra Bowen:

The current certification process may have been appropriate when a 900 lb lever voting machine was deployed. The machine could be tested every which way, and if it met the criteria, it could be certified because it was not likely to change. But software is different. The software lifecycle is dynamic. As an example, look at the way Apple distributes releases of the iPhone software. The first release was 1.0.0. Two minor version numbers. When the first serious flaw was discovered, they issued a patch and called it version 1.0.1. Apple knew that there would be many minor and some major releases because that is the nature of software. It’s how the entire software industry operates.

So, you cannot certify an electronic voting machine the way you certify a lever machine. Once the voting machine goes through a lengthy and expensive certification process, any change to the software requires that it be certified all over again. What if a vulnerability is discovered a week before an election? What about a month before the election, or a week after it passes certification? Now the point is that we absolutely expect that vulnerabilities will be discovered all the time. That would be the case even if the vendors had a clue about security. Microsoft, which arguably has some of the best security specialists, processes and development techniques, issues security patches all the time.

Software is designed to be upgraded, and patch management systems are the norm. A certification system that requires freezing a version in stone is doomed to failure because of the inherent nature of software. Since we cannot change the nature of software, the certification process for voting machines needs to be radically revamped. The dependence on software needs to be eliminated.

August 8, 2007

Comments

    Yes! Our election track record suggests the need for a more rigorous business approach to election equipment. Quick-quick dump the punch cards. Hurry up and scrap the touch screens. Errors will occur…technology just speeds up the process and mega-increases the volume. Our procedures and laws need to be brought in line with technology.

    Paper ballots offer the means to verify and recount votes. Unfortunately, these and other paper trails will not ensure one-voter-one-vote-every-time with state-of-the-art independent, stand-alone vote counting machines. Optical ballot scanners are just as suspect as touch screens. Until we implement high-bar stringent guidelines for voting machine providers and elections officials to uphold, until we fix our election laws to protect us from machine and human error, and human interpretation, our election process will continue to be broken.

    Lani Massey Brown,
    A MARGIN OF ERROR: BALLOTS OF STRAW, a novel
    I disagree with the comparison, because software for voting machines should be dead simple. It should run on dedicated hardware, not on Windows. It should be designed according to principles which make it immune from attack in a way that an Internet device or a computer which loads arbitrary files can never be.

    And every new version of the software SHOULD be recertified from scratch.

    But Rubin's comments do apply to existing voting machine software, and are an excellent argument against using it. Every time gaping holes are found in its voting systems, Diebold cries, "But the next version fixes it!" Sure, we'll believe it when that version is shown to be free of security flaws by equally extensive testing.
    You Can’t Patch an Election

    Really? I thought Bush did a good job of 'patching' his loss in 2000 and again in 2004...
