Matt Woodward pointed out this Slashdot article today about the accidental release of code from the Sequoia Voting Systems and a web site dedicated to studying that code. Apparently the Election Defense Alliance obtained a copy of the election data for Riverside County, California. It came in the form of a Microsoft SQL Server backup that was SUPPOSED to have all the code such as stored procs and triggers redacted. I wandered over to the "Sequoia Voting System Study Project" and scored me a copy of the data.
Apparently what happened was that a DBA at Sequoia simply ran drop statements for all the code in the database, backed it up, and sent it on. What he didn't realize was that SQL Server doesn't automatically shrink the data files when you do that. It's like when you delete files, but don't wipe your hard drive's free space. The content is still there until it gets written over with something else. If you parse through the files as text you can find thousands of lines of code from stored procedures, triggers, and functions lying around the file. Sequoia's DBA presumably had no clue those were still in there.
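As an added illustration (not code from the original post or from Sequoia), here is a check a DBA could run over a data or backup file before releasing it, to see whether dropped module text is still sitting in freed pages. It assumes the text is stored uncompressed as single-byte or UTF-16LE characters; the sample file, the marker list and dbo.example_proc are constructed for the example.

```python
import re

# T-SQL markers that should not survive in a backup whose code was "redacted".
MARKERS = ("CREATE PROC", "CREATE TRIGGER", "CREATE FUNCTION")
MIN_RUN = 12  # shorter printable runs are mostly noise

# Printable text stored one byte per character, or as UTF-16LE (assumed encodings).
_PATTERNS = (
    (re.compile(rb"[\t\r\n\x20-\x7e]{%d,}" % MIN_RUN), "ascii", 1),
    (re.compile(rb"(?:[\t\r\n\x20-\x7e]\x00){%d,}" % MIN_RUN), "utf-16-le", 2),
)

def find_residual_code(data):
    """Return sorted (byte_offset, marker) hits for leftover T-SQL module text."""
    hits = set()
    for pattern, encoding, width in _PATTERNS:
        for m in pattern.finditer(data):
            text = m.group().decode(encoding).upper()
            for marker in MARKERS:
                pos = text.find(marker)
                while pos != -1:
                    hits.add((m.start() + pos * width, marker))
                    pos = text.find(marker, pos + 1)
    return sorted(hits)

def build_sample(include_dropped=True):
    """Constructed stand-in for a data file: two 8 KB pages with 96-byte headers."""
    page_size, header = 8192, 96
    live_row = "MICKEY MOUSE".encode("utf-16-le")  # ordinary row data, no code
    # Hypothetical procedure text left on a page that was freed but never overwritten.
    dropped = "CREATE PROCEDURE dbo.example_proc AS SELECT 1".encode("utf-16-le")
    pages = []
    for body in (live_row, dropped if include_dropped else b""):
        pages.append((b"\x00" * header + body).ljust(page_size, b"\x00"))
    return b"".join(pages)

if __name__ == "__main__":
    for offset, marker in find_residual_code(build_sample()):
        print(f"offset {offset}: residual {marker!r}")
```

Any hit means the drop statements removed the catalog entries but not the bytes, so the file needs to be rebuilt from a clean export rather than shipped.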
Well, the source code for Sequoia's voting system is NOT open source. In fact, it must adhere to a number of federal guidelines including one that forbids "Self-modifying, dynamically loaded, or interpreted code" in any voting system. Whatever that means. I installed the latest version of SQL Server 2008 Express and restored the backup to a database. At first it errored, but then I realized all it wanted was for me to specify a different file name for the two data files contained in the backup.
What's interesting is that the Sequoia Voting Project site originally accused them of "vandalizing" the database backup but later reneged on that, admitting it was a perfectly valid backup file. That was a pretty strong charge and I think the Sequoia Project site needs to watch what they claim. In fact, the whole web site and all the comments on the Slashdot article seem to be on a witch hunt to prove Sequoia are horrible people who will rot for breaking federal law. Interestingly enough, most (if not all) of the Slashdot comments appeared to be from people who had not even checked out the code first hand. The comments seemed to be centered around a specific example posted on the site of some table and index create statements.
I don't know that I'm convinced though. I'm not exactly sure what qualifies as "Self-modifying, dynamically loaded, or interpreted code". CFML is interpreted, so does that mean you couldn't use ColdFusion for a voting machine? What about dynamic SQL that is passed into the EXEC command? I guess it depends on what it is doing.
Here is one of the popular code samples I copied from the BAK file:
    -- 1 - show candidate on ballot (default)
    -- 0 - remove candidate from the ballot
    -- 2 - don't show candidate on the ballot, but reserve space for
    -- her on the layout
    , IS_ON_BALLOT T_P_BOOL null
    -- Code used by State reports
    , STATE_CODE char(7) null
    -- Reference to AUDIO; clip used to describe candidate header
Most people seem up in arms that the Sequoia software appears to have the "real working code ... buried in with the data" and therefore the application flow is determined at run time. What? Simply because there is an IF statement somewhere based on the value in a column? I don't see the travesty yet. Further to the point, who says that all the code strewn about the backup file is even used by the voting software? For all we know, we are looking at maintenance scripts which are never run by the voting software.
Further to that point, here is another interesting procedure I found buried in the data files:
    PROCEDURE: CreateAllObjects
    Description: This procedure creates the following tables:
    AUDIO, BALLOT_CONTEST, BALLOT_CONTEST_POSIUION,
    BALLOT_PRECINCT, BALLOT_STYLE, CANDIDATE,...
This proc totally looks like some sort of maintenance proc-- not something the voting app would use.
Most of the code contains this header:
    2005 Sequoia Voting Systems,
    Inc. All Rights Reserved.
    Any distribution of source code by others is prohibited.
One thing is for sure: Sequoia commented their code judiciously and performed code reviews. Here are some sample header comments:
    Date     Author     Comments
    7/16/98  ToolSmith  Initial creation.
    8/1/05   ECoomer    Added comment blocks, removed unused or redundant
                        variables. Modified line lengths- all to meet
                        code review comments. Combined multiple calls
                        to the same function into creation of a single
                        temp table.
    9/20/05  MMcKinney  Formatting compacted to meet 240 line limit
    9/20/05  MMcKinney  Comments added in response to code review for
                        following issues:
                        1) Numeric constant other than 1 or 0 needs to
                           be enumerated or defined or commented
                        2) thrown error needs to be listed in header
                           as output
Frankly, I find the existence of standards to be vaguely comforting.
So anyway, it will be interesting to see where this goes. Especially if the Sequoia company flips over their source code being spilled. If anything, I think this faux pas will stand to help them, not hurt them. I believe that reliable software CAN be developed to accurately score an election. I also don't think they meant to open source their code, but if there are any flaws, I guarantee they will be pointed out.
One last note-- I took a quick look at the [WRITEIN] table to see the kinds of names people put in by hand. 22 people voted for "MICKEY MOUSE", 15 for "NONE OF THE ABOVE", and 7 for "POOH". (Winnie the?) Other notable write-ins included "BONO", "OBAMA", "SANTA CLAUS", "NO PREFERENCE" (anyone heard of him?), "DAFFY DUCK", "DONALD DUCK", and "F**K REPUBLICANS". (I added the asterisks) Way to go, Riverside County-- you sure showed them. :)