What's in those EAC guidelines? you ask. pic.twitter.com/EeSXcuh3Wm
So you can literally code in a backdoor but as long as it fits a style guide and has exception handling it'll pass certification.
The source code review is literally running an automated linter. That's it.
More to come on this later.
I've started diving into this. It's even worse than I feared.
I'm going to be getting all this up on Github later. I have about 25 more reports to process. Initial findings are not great.
The accredited testing labs publish test reports. These reports document the software review process and report any anomalies.
So far the testing is just "we ran a linter against a style guide and hashed the build".
And the anomalies are some seriously amateur hour stuff:
- line too long
- improper indentation
- file header out of sync with version
You may notice that basically all of these things can be caught by IDEs at dev time or linters integrated into a CI environment
Which is a strong indication that the mfg is not using version control or adequate engineering praxis.
Else why would you drop $10000s into certification to find errors you can catch with < 2 hours of work setting up Jenkins?
But this is what really worries me. Adequate source control practices make it harder for a rogue employee to sneak in backdoor code.
And these failures are not the kinds of failures you'd get with adequate code control in place.
Look at this. Are you kidding me? 1st year front end devs easily navigate tools to prevent these issues. pic.twitter.com/JUjgK6apuW
Hay frends, wanna run COBOL, VB, C, C++, SQL, and Java in the same environment? Democracy depends on it. pic.twitter.com/tqMNDtFHaR
This... this doesn't give me comfort. pic.twitter.com/n3eSIIUyvL
My eyes are starting to go blurry from reading too many technical reports... soup time. pic.twitter.com/Z6HNFUUKXh
"Emily, how did you spend your bank holiday?" "Reading test reports and mourning the death of democracy."
I'm 21 reports in and I found so far ONE test report that validated the vote-handling logic... by a test lab no longer accredited.
Arbitrary file length guidelines, hoorah. pic.twitter.com/dfBKQDeFL0
I hope y'all are liking learning how the sausage gets made. This discovery process is validating so many feels right now.
Some of these source files are hashed with MD5. pic.twitter.com/TR3lPp6ZUI
Why would you hash the source files individually, then compile everything and deploy? What does that even solve?
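An added example (not from the thread or from the test reports it describes) of why hashing source files one by one says nothing about what actually ships: the per-file source manifest verifies, yet building the same sources with a different toolchain yields a different artifact, which only an artifact digest would catch. `fake_build` is a hypothetical stand-in for a compiler and the sample files are constructed.

```python
import hashlib

def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of a blob; MD5 is accepted only so the reports' practice can be compared."""
    return hashlib.new(algo, data).hexdigest()

def source_manifest(sources: dict, algo: str = "sha256") -> dict:
    """Per-file digests, mirroring the 'hash each source file' step in the test reports."""
    return {name: digest(blob, algo) for name, blob in sorted(sources.items())}

def verify_manifest(expected: dict, sources: dict, algo: str = "sha256") -> list:
    """Return the names of files that are missing, unexpected, or whose digest changed."""
    actual = source_manifest(sources, algo)
    changed = {n for n in expected if n in actual and expected[n] != actual[n]}
    return sorted((set(expected) ^ set(actual)) | changed)

def fake_build(sources: dict, toolchain_tag: bytes) -> bytes:
    """Hypothetical stand-in compiler: output depends on the sources AND the build environment."""
    return toolchain_tag + b"".join(sources[n] for n in sorted(sources))

# Constructed sample sources; not taken from any real voting system.
SOURCES = {
    "tally.c": b"int tally(int a, int b) { return a + b; }\n",
    "report.c": b"void report(void) {}\n",
}

def demo() -> dict:
    manifest = source_manifest(SOURCES)            # what the lab records
    certified = fake_build(SOURCES, b"cc-lab")     # what the lab compiled
    shipped = fake_build(SOURCES, b"cc-vendor")    # same sources, vendor's toolchain
    return {
        # Per-file source check passes: nothing in the manifest changed.
        "sources_unchanged": verify_manifest(manifest, SOURCES) == [],
        # But the artifact that actually ships is not the one that was examined.
        "artifact_matches": digest(certified) == digest(shipped),
        # Recording the artifact digest is what the source manifest cannot substitute for.
        "artifact_digest_recorded": digest(certified),
    }

if __name__ == "__main__":
    print(demo())
```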
I've got 5 more reports to process. Meatball cat is helping me power through. pic.twitter.com/UQPLnsmEYh
If you code in a backdoor, and then put /* THIS IS A BACKDOOR */, good news: you have a 90% chance of succeeding. pic.twitter.com/GBQgpM9PT4
I'm taking photos of my screen with my phone because it's 1000x faster than dealing with screenshots. Sorry.
As a reminder in this thread, these standards are *voluntarily* adhered to and compliance is only required in a handful of states.
I'm wrapping this thread up. I've put my summary on Github: https://github.com/Gorcenski/voting-machines …