Re: [OVC-discuss] Something really big: Sequoia source code, free to download and study, no NDAs.

From: Edward Cherlin <echerlin@gmail.com>
Date: Thu Oct 22 2009 - 00:51:56 CDT

Charlie, our concern is not whether this SQL is on the voting machine
(unless the Microsoft SQL server is also present for some bizarre
reason), but what it is doing in the results database, which is
unquestionably processed using the database server software.

o Does the SQL code present correct data for queries, or can it skew
election results?

o Can it be changed on the fly to give incorrect results?

o Is its presence legitimate or not under FEC rules?

On Wed, Oct 21, 2009 at 19:45, Charlie Strauss <cems@browndogs.org> wrote:
> Jim, I don't want to be an apologist for Sequoia, but I would like to make
> sure of what you are confident about and what you are not confident about.
> Now as I understand things you are using the unix "strings" command to grab
> text-looking segments of binaries. You are not, for example, simply opening
> text files and finding plain text.

Correct. However, we can also open the binary files in certain text
editors and examine the context of each string we find.

> It's conceivable then that these curious text sequences are not actually
> things that a voting machine executes but are there for some latent or
> deliberate reasons.

They are in the results database, and should never be on a voting machine.

> For example, suppose that the voting machine itself has no command
> interpreter for the text SQL commands you found. But suppose that these lines
> of code are intended to be written out by the voting machine into headers
> and instruction files that accompany the data files.

No, they would be written on the machine where the tabulations are done.

> I sometimes do this in
> my own code (admittedly rarely). I will write a comment string at the top
> of the data file that gives examples of how to parse the data that follows
> this header. One can imagine giving explicit code in such a header.
> Another possibility is that these are like Oracle "blobs": executable
> command sequences stored in a database that could be executed if a suitable
> interpreter existed.

Yes, up to a point. That point is whether this interpreted code is
legal, where compiled blobs seem much more likely to pass that test.

> This is how one often stores an "object" in a
> database system.  It does not mean the interpreter is present.

The only reason to use a database storage format is to load it into a
database instance, in this case to tabulate the vote counts and get
election results, or for auditing.

> It means
> some other program (not in the voting machine itself) could retrieve the
> blob and execute it on some data it also retrieved. This technique is very
> frequent. It allows one to store data in a database without having to give
> a specification of its storage format. Instead you store the data in a raw
> unspecified format and then supply an executable program that allows queries
> on that data.

This should not apply. This is a voting database with formats known in
advance. The source data consists entirely of integers, although the
software could conceivably calculate something else from them, such as
percentages.

> Another possibility is that these are just accidents.  Maybe some files that
> were left in some directory, perhaps there for other purposes, just got
> copied onto the voting machine along with the real code.

No, this is a standard database backup format, where SQL is normal.

> A final possibility is that it's just chaffing from Sequoia: extra
> obfuscating crud they shove into code to make disassembly or analysis really
> hard.

They appear not to have done any obfuscating. We originally thought
that some header data were missing, but in fact the file loads into
the software without error, and can be queried normally.

> The real smoking gun is if there is a SQL interpreter on the voting machine.
> Has that been found?

There would be no excuse for that, but also no reason to do it, and
significant licensing expense. The voting machine deals with one
integer per contest. The file would be more complex with ranked
preference voting, but we aren't there yet, and even there we are
dealing with sequences of integers of known length.

> Can the other possibilities be discounted?

Working. Jim?

> On Oct 20, 2009, at 4:17 PM, Jim March wrote:
>
> On Tue, Oct 20, 2009 at 3:03 PM, Edward Cherlin <echerlin@gmail.com> wrote:
>>
>> Can we get out a press release?
>
> Well...we want to get a lot of attention, but not necessarily press just
> yet.  We were hoping that the first step will happen fairly quickly: proving
> vandalism of the data files instead of redaction.  If that can be confirmed,
> cool:

OK, not a problem, as it turns out.

> 1) Mainstream newspapers will be REAL interested, as they are with any
> public records related problem.
>
> 2) It really hurts Sequoia on multiple levels: makes it much harder to
> challenge what's going on in court for example, under the "unclean hands"
> doctrine.  It will also make it much harder for them to screw with
> additional public records requests.
>
> So we wanted to wait to hit the newspapers and such until we can prove the
> vandalism issue.
>
> Go ahead and get it on Daily Kos though, in the interest of attracting geeks
> :).

Google News shows

dKos, Slashdot, HuffPo, KESQ, Techdirt, scoop.co.nz, ITwire, Bradblog.
That's three that we posted ourselves, and five that picked up the
story. There may be others.

> Jim

-- 
Edward Mokurai (默雷/धर्ममेघशब्दगर्ज/دھرممیگھشبدگر ج) Cherlin
Silent Thunder is my name, and Children are my nation.
The Cosmos is my dwelling place, the Truth my destination.
http://www.earthtreasury.org/
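The thread above turns on what the unix "strings" command actually reports and on "examining the context of each string" in the binary file. The script below is an added illustration of that audit step; it is not code from this list, from Jim March, or from Sequoia. It reimplements the default behaviour of strings (runs of printable ASCII of a minimum length), records the byte offset of each run, flags runs that begin with a SQL statement keyword, and shows the raw bytes around each hit so a reviewer can judge whether a string sits in a header, a backup record, or somewhere else. The sample bytes are constructed for the example and do not come from any real results file; the function and pattern names are my own.

```python
import re
from typing import List, Tuple

# Runs of printable ASCII (0x20-0x7e) at least `min_len` bytes long: this is
# what `strings` prints by default (its default minimum length is 4).
def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]

# Statement keywords that mark a run as SQL rather than a stray word.
# Hypothetical list for this example; extend it for the dialect under review.
SQL_RE = re.compile(
    r"\b(SELECT|INSERT|UPDATE|DELETE|CREATE|ALTER|DROP|EXEC|EXECUTE)\b",
    re.IGNORECASE,
)

def find_sql(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Return only the (offset, text) pairs that contain a SQL keyword."""
    return [(off, s) for off, s in extract_strings(data, min_len) if SQL_RE.search(s)]

def context(data: bytes, offset: int, length: int, window: int = 8) -> str:
    """Hex dump of the bytes surrounding a string, for judging where it sits."""
    start = max(0, offset - window)
    end = min(len(data), offset + length + window)
    return " ".join(f"{b:02x}" for b in data[start:end])

# Constructed sample: a few non-printable bytes, a product tag, two SQL
# statements and a short text header, mimicking what `strings` would see in
# a database backup file. Not real data.
SAMPLE = (
    b"\x00\x01\x02MSSQL\x00\x00"
    b"SELECT Precinct, Votes FROM Results WHERE Contest = 3"
    b"\xff\xfe\x00ab\x00"
    b"UPDATE Results SET Votes = Votes + 1 WHERE Candidate = 7"
    b"\x00\x00Header v1.0\x00"
)

def report(data: bytes) -> List[str]:
    """One line per SQL hit: offset, the statement, and its surrounding bytes."""
    lines = []
    for off, text in find_sql(data):
        lines.append(f"{off:08x}  {text}")
        lines.append(f"          bytes: {context(data, off, len(text))}")
    return lines

if __name__ == "__main__":
    for off, text in extract_strings(SAMPLE):
        print(f"{off:08x}  {text}")
    print("--- SQL statements ---")
    print("\n".join(report(SAMPLE)))
```

Note what the tool does and does not establish: it confirms that SQL text is present at a given offset and lets you see whether it is embedded in a record structure, but it says nothing about whether any program on the machine interprets it. That question, as the thread says, has to be answered by looking for the interpreter, not the strings.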
_______________________________________________
OVC-discuss mailing list
OVC-discuss@listman.sonic.net
http://lists.sonic.net/mailman/listinfo/ovc-discuss
By sending email to the OVC-discuss list, you thereby agree to release the content of your posts to the Public Domain--with the exception of copyrighted material quoted according to fair use, including publicly archiving at http://gnosis.python-hosting.com/voting-project/
Received on Mon Nov 30 23:17:08 2009

This archive was generated by hypermail 2.1.8 : Mon Nov 30 2009 - 23:17:17 CST