Sunday, April 6, 2008

Voting Machine Hacking - The Saga of Sequoia

I don't know if anyone else has caught this - but electronic voting machines have had my attention lately. With the election this coming fall as critical as it is, we as a voting public can't afford to have shoddy code running on our election systems. Of course, there are always pundits who claim that every piece of hardware that vendors put out is insecure, will 'change their vote' and all that - but it's interesting to see that claim substantiated.

Enter "Sequoia Voting Systems". Back on Feb. 5th in the New Jersey primary, there was some discrepancy about the outcome of votes versus the number of votes cast - read here. While that may be old news, some of the aftermath and fallout is what concerns me. Specifically, here are the points that worry me:
  • Sequoia sends nasty-gram to Princeton professor asked to investigate the 'security' of these devices. This is an interesting response to Union County's request that Ed Felten of Princeton review these devices. I'm posting a link to his blog and some of his analysis here as well... Link here.
  • Sequoia's website gets hacked - interesting. They're obviously very serious about their security! Link here.
  • A March 20th press release from Sqeuoia mentions Kwaidan Consulting, the party which will do the source code review of their product. Who is Kwaidan Consulting? Check out this MySpace page (cached from Google)... the profile of the person is not "Private"...
Sequoia has commissioned an independent source code review of the software version currently in use on the Advantage voting equipment used throughout New Jersey.
  • We're still waiting on this report... I don't see any press release or results yet?
  • Why is Sequoia threatening law suits? What is this language they are using against the Princeton professor attempting to conduct a truly independent evaluation?
Sequoia threatened to sue Union County if Rajoppi turned over voting machines to Princeton Universityprofessor Edward Felten for analysis. Sequoia executives said the study would violate the terms of their licensing agreement and put their "trade secrets" at risk.
Trade Secrets?! Doing an independent security analysis of a critical piece of hardware will somehow tamper with trade secrets?

The two things that bother me, and I've extensively Googled this one... Who the heck is Kwaidan Consulting?? Why exactly is Sequoia trying to bury this issue? Another quote from a research site here...

Why is Sequoia so vigorously attempting to block a security review of its products? The company says that the machines have already been put through extensive independent review by federally-accredited voting test labs. The adequacy of those reviews is contested by critics, however. One of those labs, which had been doing work for the government for years, lost its accreditation last year after flaws were found in its review process by the Election Assistance Commission. Sequoia says that it is simply trying to protect its intellectual property rights
Fascinating. This blog has a great chronology and more information on the topic, if you're interested in digging deeper. But the bottom line is - someone claims shinanigans against your product, you throw up a smoke screen, threaten law suits, and then do your "own independent" investigation to show how great the results are. Is anyone buying this crap? I'm going to go vote and hope that the machine I use isn't a Sequoia machine.

No comments: