Interpreted Code, Diebold, and California: a Primer

Interpreted Code, Diebold, and California: a Primer

By Sherry Healy, California Election Protection Network

December 30, 2005

Interpreter Code = a translation program. There are Federal Election Commission ("FEC") standards set for the Independent Testing Authorities ("ITAs") dated 1990 and 2002. In 2002 the standards forbid "interpreter code" because it is not transparent--it's very difficult to see what is going on when you have two complex languages and something mediating the two. The other reason why it is forbidden is that it is easier to modify from the field. A memory card with malicious code can't perform its function without its partner--the interpreter code--lying in wait within the computers. All the CA Diebold equipment has interpreter code, including the precinct scanners--EXCEPT for the absentee ballot scanners.

Yes, Diebold is most certainly using interpreter code on their CA equipment (except the absentee voting scanners) . In fact Steve Freeman (our primary CA SoS sanctioned tech) even said so in November 2005. Scroll to end for his "Executive Summary."

What's Up In California with the Diebold equipment: Whether McPherson did it out of intelligence OR, more likely, it was just dumb luck--the fact that he sent the Diebold equipment back to the ITA's actually was, according to BBV, a stroke of genius. During the recent Voting Summit (that CEPN were persona non grata) all the experts more or less scape goated the ITAs for all the implications of negligence of due diligence (which is incorrect, because there's plenty of blame to go around). BUT we have long known that the ITAs are a "house of cards" that don't check for vulnerabilities brought to their attention by activists, which is a likely because they are partially funded by, and essentially work for, the e-vendors.

As a result the ITAs are being watched like never before and so now that McPherson has asked them to again review the Diebold equipment specifically with an eye for the possibility of interpreter code, then they will have a difficult time avoiding looking for it. If they claim it's not there, then they are liable. Alternatively, if they do reveal it is present, then Diebold will have to pull out of California, which would send shockwaves across the nation--at least 35 states would have to pull their Diebold certifications.

snip

http://www.votetrustusa.org/index.php?option=com_content&task=view&id=656&Itemid=113

was passing the buck--to Bush appointed Feds--in order to short-circuit California's grass roots election reform movement. It certainly looked that way when he sent a secretary and a tape recorder to the last public meeting, and did not even appear, let alone listen to the public. But it may be an avoidance act, rather than direct buck passing--that is, he just wants to avoid being the actor in denying Diebold certification. We'll see.

For those who hate all this gobble-de-gook, or who impatiently insist on "paper ballots, hand-counted at the precinct level!," or me myself, whose mantra is, "Throw Diebold and ES&S election theft machines into 'Boston Harbor' NOW!" (I'm giving advice to myself, here), these careful efforts, by knowledgeable people, to expose Diebold's (and, next it will be ES&S's) failure to meet even these minimum federal standards for security and integrity in electronic voting systems, are constantly ratcheting up public consciousness of the complete absurdity and non-transparency of this election system. It's all to the good. Today Diebold. Tomorrow ES&S. And the day after that, 'Boston Harbor'!

--------------

Some resources:

www.votersunite.org
www.verfiedvoting.org
www.UScountvotes.org
www.TruthIsAll.net
www.solarbus.org/election/index.shtml

Also of interest:
www.tmsfeatures.com/tmsfeatures/subcategory.jsp?file=20051124ctnbk-a.txt&catid=1824&code=ctnbk
www.democraticunderground.com/discuss/duboard.php?az=view_all&address=203x380340
and
Sign the petition. http://www.rushholt.com/petition.html

...to know what "interpreted code" is.

I didn't know about this requirement, but it makes sense. Here is why:

A computer doesn't understand the language a programmer writes in. It understands a very abstract language called machine language composed entirely of numbers. It's very hard for humans to read and write machine language.

Most programs in general use are written in a higher-level language and compiled. A compiler is a program that reads the human-written program, and writes a machine language program that should do the same thing. Compilers are standard items, and if you have a bunch of binaries (the machine language program written by a compiler) and the source (what the programmer wrote) you can compile it yourself and verify that the binary in the machine matches the source you were given.

When an language is interpreted it's not converted into machine language. In olden days it wouldn't be converted into anything; it might be dumped into the machine in straight text form just as the programmer wrote it. That's very inefficient, and most modern interpreters compile their code into an intermediate form called p-code. As with a compiler, you can double check to make sure the p-code you have matches the source it's supposed to represent.

BUT, unlike machine code, the machine still doesn't know how to run p-code. It depends on another program, the interpreter, to read the p-code and perform the actions it specifies. Since p-code operations can be very complex, there is much opportunity for the interpreter in the machine to do something other than what it's supposed to do. You generally don't get the source code for the interpreter, since it's usually written by some company like Microsoft. This makes it much harder to guarantee that the code you are given and which runs correctly in the test machine will do the same thing in the field.

I would note additionally that a complex operating system like Windows offers a similar set of vulnerabilities, for the same reason; the compiled program calls Windows to do many complex things like reading the touchpad, drawing to the display, and recording results to the local mass storage device. If the operating system were compromised -- and you can't tell that without the source code -- then it could apply rules that make it work correctly most of the time, but fail by design to record wrong results in an election. An open-source operating system like Linux would be better, because you can compile it yourself and examine the source code, but it's such a vastly complicated affair that there aren't many experts around capable of guaranteeing its integrity even though it's open. Tabulating votes is a much simpler exercise than being a general-purpose operating system.

Most security experts prefer for systems like this to be developed in an embedded manner, which is to say with no operating system at all, and the application directly controlling the hardware. That way if you verify the application, you have verified the entire system. Of course this is more expensive, because you can't depend on commodity drivers for video, sound, and touchpad hardware. You can't just pull any commodity hardware off the shelf and incorporate it into your system.

But then again, what is the security of our elections worth? Read the Risks Digest sometime and you'll see that even devices like ATM's, whose owners care very deeply about their security, have disturbingly frequent problems for these exact reasons. And that's not even given an owner who is out to cheat the machine himself.

AccuBasic. Who knows what back-doors are coded into that interpreter!

And, if a memory card had, say, a program to report -100 Kerry and 100 Bush as 0 Kerry, 0 Bush at the start of the election, no one could detect that even if they did examine the card's program.

(Or at least I hope it is.)

Here are the 2002 Voting Systems Standards

http://www.eac.gov/election_resources/vss.html


I added the bolding.

Volume I, Section 4 of the 2002 Voting Systems Standards states:




So we go over to "section 6.4.e" to look at the exception and we find there is no Section 6.4.e

(It's a word doc., too.)
http://www.eac.gov/election_resources/v1/v1s6.doc

:shrug:

Perhaps they mean Section 6.4.1 Software and Firmware Installation


Which I don't comprehend.

Anyone?

Source-code based interpreters would be prohibited, but p-code based interpreters are not precluded by 6.4.1e as they do not require source, compilation or assembly.

On edit: A further issue is the nature of these files. Are they truly source code or configuration selections more along the lines of ballot definitions which will naturally vary.

those which execute raw human-readable source code files and those that require the source to have been transformed to an optimized file. See:

http://en.wikipedia.org/wiki/Interpreter_%28computer_software%29

and

http://en.wikipedia.org/wiki/P-Code_machine

The mock election hack was done by altering the zero totals. Then votes added to these were totaled incorrectly, based on the incorrect zero totals. I don't consider zero totals to be ballot defs, but do they qualify as source code???

I wish the specs were clearer myself.

http://en.wikipedia.org/wiki/Configuration_file

The zero totals would be considered a data file.

localroger's post up thread is pretty comprehensive.

Thanks for sharing info about this interpreter code.