Oh my god, this is the source code review for one particular certified voting machine. pic.twitter.com/dXlPSWocPj
And the anomalies are some seriously amateur hour stuff: - line too long - improper indentation - file header out of sync with version
You may notice that basically all of these things can be caught by IDEs at dev time or linters integrated into a CI environment
Which is a strong indication that the mfg is not using version control or adequate engineering praxis.
Else why would you drop $10000s into certification to find errors you can catch with < 2 hours of work setting up Jenkins?
But this is what really worries me. Adequate source control practices make it harder for a rogue employee to sneak in backdoor code.
And these failures are not the kinds of failures you'd get with adequate code control in place.
Look at this. Are you kidding me? 1st year front end devs easily navigate tools to prevent these issues. pic.twitter.com/JUjgK6apuW
Hay frends, wanna run COBOL, VB, C, C++, SQL, and Java in the same environment? Democracy depends on it. pic.twitter.com/tqMNDtFHaR
This... this doesn't give me comfort. pic.twitter.com/n3eSIIUyvL
My eyes are starting to go blurry from reading too many technical reports... soup time. pic.twitter.com/Z6HNFUUKXh
"Emily, how did you spend your bank holiday?" "Reading test reports and mourning the death of democracy."
I'm 21 reports in and I found so far ONE test report that validated the vote-handling logic... by a test lab no longer accredited.
Arbitrary file length guidelines, hoorah. pic.twitter.com/dfBKQDeFL0
I hope y'all are liking learning how the sausage gets made. This discovery process is validating so many feels right now.
Some of these source files are hashed with MD5. pic.twitter.com/TR3lPp6ZUI
Why would you hash the source files individually then compile everything and deploy what does that even solve.
I've got 5 more reports to process. Meatball cat is helping me power through. pic.twitter.com/UQPLnsmEYh
If you code in a backdoor, and then put /* THIS IS A BACKDOOR */ good news you have a 90% chance of succeeding pic.twitter.com/GBQgpM9PT4
I'm taking photos of my screen with my phone because it's 1000x faster than dealing with screenshots. Sorry.
As a reminder in this thread, these standards are *voluntarily* adhered to and compliance is only required in a handful of states.
I'm wrapping this thread up. I've put my summary on GitHub: https://github.com/Gorcenski/voting-machines …
My summaries are very brief, but for simplicity I also copied the public records into the repo. Or download them at http://eac.gov
I also added a non-technical summary as to why this is concerning.
This thread, btw, thanks to @Slestac who pointed me to the data source. 
Waking this one up briefly to add this screenshot from a Glassdoor review of ES&S pic.twitter.com/DuCGEfA17Y
And a review from a Lead Software Engineer for the company that did the majority of the cert tests. pic.twitter.com/GTjQQEqNle