Jack Ganssle is an expert in embedded software -- the kind of software that runs not on a computer but as part of another device -- controlling your car's performance, your digital cable converter box, your pacemaker or hearing aid. He writes that the Federal Election Commission's standards aren't sufficient to guarantee that the software running in voting machines is trustworthy.
California's recall election will be tallied by a mix of voting machines, ranging from punched cards to the latest in high-tech wizardry. Anyone following the comp.risks forum knows of the furor over electronic voting machines. They're junk.
That's a strong statement, but it applies to any product that does not fulfill its mission. In the case of voting, the only important feature is trust. And few computer scientists feel the devices deliver an accurate count.
Vendors claim their machines work correctly and are tamper-proof, citing the Federal Election Commission's standards. Well, check those standards out. Any computer jock with the faintest knowledge of building good code will be appalled.
Ganssle links to the FEC standard and delves into some technical detail, then proposes to replace the FEC standard with something more stringent and reliable:
The FEC's mandates are much too weak to eliminate miscounting machines. It's time for a different approach. Let's get the mob involved.
Don Corleone would never tolerate gambling machines that might rip off the five families of New York. State lotteries and casinos won't tolerate rip-offs either. They know how to instill trust in their products, trust that though everyone loses, customers know by how much. Customers would flock to other casinos at the faintest hint of a cheating machine.
Outside contractors verify the integrity of all gaming machines, electronic or otherwise. They do this so thoroughly that granny hasn't a care in the world when she pulls the lever of the one-armed bandit.
One such outside auditor is Gaming Laboratories International (GLI). To certify a new device, or even a software upgrade, vendors send GLI all of the source code, all of the tools needed to build the code, maybe a development computer, and even an in-circuit emulator if that's how you debugged your code. Expensive? You bet. Accurate? It sure seems to be.
GLI tears the design apart, digs into the guts, finds back doors impossible to isolate via testing and ensures the customer will lose by exactly the amount specified. Tests check both functionality and threat resistance. Technicians zap every square inch of the gaming machine with a 27 KV prod - because cheaters often try to rip off the devices using ESD to confuse the electronics. GLI jimmies the coin box, and generally simulates all of the attacks observed by those hidden cameras in the casino's roof. That's regression testing of a whole new order. ...
Change the code -- even just one line -- and the whole process repeats. The FEC has no such requirement. ...
If a gaming auditor certified voting machines, elections wouldn't be so much of a, uh, crap-shoot.