Voting Machine shenanigans



  • I have recently started following a few interesting people on twitter, and had this come up while I was slacking offworking. Thought you guys might appreciate the sheer incompetence shown here...



  • @Nocha said in Voting Machine shenanigans:

    few interesting people on twitter

    E_NOT_FOUND



  • @Luhmann internetofshit is a reasonable account to follow. But you are right, there is a lot of shite on there...



  • Basically: that "source code review" is a generic source code review to catch style violations, not even a proper code review, and definitely not a complete audit of every piece of the machine which is what you'd need to actually detect backdoors.

    The question is who ordered that review, and what were they intending to prove by passing it, because it sounds like purely a PR move to me.



  • @anonymous234 She has posted more since I first saw it. She now has a summary of the issues found on one of them up...



  • @anonymous234 said in Voting Machine shenanigans:

    it sounds like purely a PR move to me.

    It sounds like somebody who doesn't have a clue about what they are doing is in charge...



  • @Nocha I have written code that legitimately doesn't need a default in a switch. If I did put one in, it'd be this:

    default:
        break;
    

    Which is just a waste of time.



  • @RaceProUK said in Voting Machine shenanigans:

    @Nocha I have written code that legitimately doesn't need a default in a switch. If I did put one in, it'd be this:

    default:
        break;
    

    Which is just a waste of time.

    It might be a "This page intentionally left blank" thing. It's just an explicit indicator that there isn't supposed to be any code in the default case, instead of people wondering if they forgot to consider it.



  • @Nocha I like this comment:



  • @RaceProUK said in Voting Machine shenanigans:

    @Nocha I have written code that legitimately doesn't need a default in a switch. If I did put one in, it'd be this:

    default:
        break;
    

    Which is just a waste of time.

    I'll go one up on that - I like switching on an enum. In those cases I insist on omitting the default clause, as that enables compiler warnings if I omit any of the enumeration values.



  • @PleegWat I've never seen a compiler warning for missing cases for an enum. I'm not sure if the C# compiler even does that.


  • Discourse touched me in a no-no place

    @RaceProUK said in Voting Machine shenanigans:

    I've never seen a compiler warning for missing cases for an enum.

    Compilers themselves usually don't. Some of the static analysers do with the “right” options.



  • @dkf I'll have to dig around in the Code Analysis rules


  • Discourse touched me in a no-no place

    I prefer to throw a NotImplementedException in an unneeded default. Because it being hit means someone only halfass implemented a new thing.

    @Dragnslcr said in Voting Machine shenanigans:

    @RaceProUK said in Voting Machine shenanigans:

    @Nocha I have written code that legitimately doesn't need a default in a switch. If I did put one in, it'd be this:

    default:
        break;
    

    Which is just a waste of time.

    It might be a "This page intentionally left blank" thing. It's just an explicit indicator that there isn't supposed to be any code in the default case, instead of people wondering if they forgot to consider it.



  • @Weng said in Voting Machine shenanigans:

    I prefer to throw a NotImplementedException in an unneeded default. Because it being hit means someone only halfass implemented a new thing.

    Ah, I see, in a:

    You managed to invoke the code part even the compiler flagged as "Unreachable code detected!" Well done!

    sort of way.


  • Discourse touched me in a no-no place

    @Rhywden said in Voting Machine shenanigans:

    Ah, I see, in a:

    You managed to invoke the code part even the compiler flagged as "Unreachable code detected!" Well done!

    sort of way.

    It's the shit-covered wooden spoon of achievements…



  • @RaceProUK gcc does - I primarily write C code. You end up handling 'impossible values' outside the switch because enums being in range doesn't get enforced anywhere. I like getting the warnings because then the compiler reminds me if I ever need to add enum values.



  • @dkf said in Voting Machine shenanigans:

    @RaceProUK said in Voting Machine shenanigans:

    I've never seen a compiler warning for missing cases for an enum.

    Compilers themselves usually don't. Some of the static analysers do with the “right” options.

    G++ does.





  • @PleegWat +1

    If you switch on an enum in C++, both gcc and clang will tell you if you missed any cases. Adding a default: will suppress the warning, though, because the compiler then assumes that that's where you handle the cases that weren't explicitly listed.

    Maybe you need to enable -Wall for that, but you should be using -Wall anyway. (You can even get them to tell you about missing breaks or [[fallthrough]]s with C++17.)

    Edit: :hanzo:d


  • Winner of the 2016 Presidential Election

    @PleegWat said in Voting Machine shenanigans:

    I'll go one up on that - I like switching on an enum. In those cases I insist on omitting the default clause, as that enables compiler warnings if I omit any of the enumeration values.

    In C++, you probably shouldn't do that. I usually put an assert(false) in the default clause.



  • @asdf said in Voting Machine shenanigans:

    @PleegWat said in Voting Machine shenanigans:

    I'll go one up on that - I like switching on an enum. In those cases I insist on omitting the default clause, as that enables compiler warnings if I omit any of the enumeration values.

    In C++, you probably shouldn't do that. I usually put an assert(false) in the default clause.

    Why would you choose a run-time error over a compile-time error?


  • Winner of the 2016 Presidential Election

    @ben_lubar said in Voting Machine shenanigans:

    Why would you choose a run-time error over a compile-time error?

    Because there's no guarantee that your "enum" instance is one of the values you defined. It could be any random integer. So I'm not choosing a runtime error over a compile-time error, I'm just practicing defensive programming.

    You're making a pretty bold assumption if you omit the default clause. Assuming anything without writing a matching assert to check your assumption in debug builds is a very bad idea in C/C++.

    In case you're not convinced, try it yourself. The following C++ snippet compiles without warnings with -std=c++14 -Wall -Wextra -pedantic:

    enum class exit_code {
            success = 0,
            failure = 1
    };
    
    int main() {
            exit_code result{exit_code::failure};
            result = static_cast<exit_code>(2);
            return static_cast<int>(result);
    }
    

    In C, the situation is even worse, since you don't even need a cast. The following C snippet compiles without warnings (again, with -Wall -Wextra -pedantic):

    enum exit_code {
            success = 0,
            failure = 1
    };
    
    int main() {
            enum exit_code result = failure;
            int bad_value = 2;
            result = bad_value;
            return result;
    }
    


  • @asdf

    enum class exit_code {
    success = 0,
    failure = 1,
    FILE_NOT_FOUND = -1
    };

    FTFY



  • @asdf You're still, IMO, suppressing a very useful warning by including the default. I normally wouldn't include the assert() (since it stinks a bit of an attempt to protect against purposefully malicious programmers, which is bound to fail anyway), but with a good reason for doing so, I'd probably add in the check before the switch, so that the warning remains enabled.


  • Discourse touched me in a no-no place

    @asdf said in Voting Machine shenanigans:

    Because there's no guarantee that your "enum" instance is one of the values you defined. It could be any random integer.



  • Winner of the 2016 Presidential Election

    @cvi said in Voting Machine shenanigans:

    You're still, IMO, suppressing a very useful warning by including the default.

    If you have good unit tests (INB4 unit tests? LOL!), you shouldn't need the warning.

    I normally wouldn't include the assert() (since it stinks a bit of an attempt to protect against purposefully malicious programmers, which is bound to fail anyway)

    Casting between an enum and an int is perfectly fine sometimes (depending on what you're using the enum for); that's not necessarily malicious code. In C, or if you use enum instead of enum class in C++, it's also easy to do so accidentally.

    Or are you trying to tell me you've never seen C/C++ code that casts between enums and integers? :)

    but with a good reason for doing so, I'd probably add in the check before the switch, so that the warning remains enabled.

    Hm, that might be an alternative. The check would not be trivial if the enum values are not consecutive, though.


  • Winner of the 2016 Presidential Election

    @dkf Don't tell me, tell those who think omitting default is okay. ;)



  • @asdf I still prefer the compile-time warning over the unit tests.

    Well, there's the bitfield:y enum (class) in the standard (like std::launch). Personally, I try to make these fixed-underlying-type (e.g., enum class X : uint32_t) and provide appropriate operators. (I.e., if X::a | X::b doesn't work, then probably one should not do static_cast<X>(static_cast<std::underlying_type_t<X>>(X::a)|static_cast<std::underlying_type_t<X>>(X::b))...). I do wish there was a standardized way to label enums as to whether or not values outside of the enumerated names should be expected.

    Hm, that might be an alternative. The check would not be trivial if the enum values are not consecutive, though.

    It's a bit of a pain. I hope that reflection (if SG7 goes anywhere) eventually makes it easier. However .. if you use a switch for the check, the compiler will helpfully warn you if you missed a case. ;-)
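
The approach @cvi and @PleegWat describe above (validate the integer before it is used, and keep every switch free of `default:` so the missing-case warning stays enabled), as an added example that is not part of any post in this thread. The `usage = 64` enumerator and the function names `is_valid`, `to_exit_code` and `describe` are assumptions made for illustration.

```cpp
// Added example, not code from the thread.
// Build: g++ -std=c++14 -Wall -Wextra -pedantic
#include <cstdio>

// Values are deliberately non-consecutive (usage = 64 is made up for this
// example), so a min/max range check would wrongly accept 2..63.
enum class exit_code : int {
    success = 0,
    failure = 1,
    usage   = 64
};

// True only for named enumerators. There is no default: label, so gcc and
// clang (-Wall, i.e. -Wswitch) flag this switch when an enumerator is added.
bool is_valid(exit_code c) {
    switch (c) {
    case exit_code::success:
    case exit_code::failure:
    case exit_code::usage:
        return true;
    }
    return false;  // reached only by values outside the named set
}

// Trust boundary: convert an integer from a file, the wire or a C library.
// Writes to out and returns true only when raw names a real enumerator.
bool to_exit_code(int raw, exit_code &out) {
    const exit_code c = static_cast<exit_code>(raw);  // well-defined: underlying type is int
    if (!is_valid(c)) return false;
    out = c;
    return true;
}

// Consumer switch, again without default:. The out-of-range case is handled
// after the switch, so the missing-case warning stays enabled.
const char *describe(exit_code c) {
    switch (c) {
    case exit_code::success: return "success";
    case exit_code::failure: return "failure";
    case exit_code::usage:   return "usage error";
    }
    return "invalid exit_code";
}

int main() {
    const int samples[] = {0, 1, 2, 64, -1};  // constructed inputs
    for (int raw : samples) {
        exit_code c = exit_code::failure;
        if (to_exit_code(raw, c))
            std::printf("%d -> %s\n", raw, describe(c));
        else
            std::printf("%d -> rejected\n", raw);
    }
    return 0;
}
```

Adding a fourth enumerator without touching `is_valid` or `describe` produces a warning at both switches, which is the compile-time reminder the `default:` label would have suppressed.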



  • @RaceProUK Should probably be

    default:
        throw new IllegalArgumentException("Someone dun fucked up by adding a new case without changing the switch");
    

    Or whatever the equivalent is in whatever language you're using.

    If your complaint is "That turns off compiler warnings" get a better compiler/code introspector



  • @asdf said in Voting Machine shenanigans:

    are you trying to tell me you've never seen C/C++ code that casts between enums and integers? :)

    Casting an integer to an enum should result in an unrecoverable hard crash if the integer isn't a legal value for the enum. Bonus points if it melts your processor and electrocutes whoever's attached to the keyboard.


  • Winner of the 2016 Presidential Election

    @anotherusername said in Voting Machine shenanigans:

    Casting an integer to an enum should result in an unrecoverable hard crash if the integer isn't a legal value for the enum. Bonus points if it melts your processor and electrocutes whoever's attached to the keyboard.

    That would mean you cannot cast C "enums" you get from external libraries to proper C++ enum classes.

    Also, casting from int to enum or vice-versa is not UB. The result of assigning an integer outside the range of the enum is unspecified, though.



  • @asdf said in Voting Machine shenanigans:

    unspecified

    Would that allow a computer-destroying explosion?


  • Winner of the 2016 Presidential Election

    @ben_lubar said in Voting Machine shenanigans:

    Would that allow a computer-destroying explosion?

    Nope. But you could set the enum value to MIN_INT whenever an invalid assignment is detected, no matter what the user actually tried to assign.



  • @asdf said in Voting Machine shenanigans:

    @anotherusername said in Voting Machine shenanigans:

    Casting an integer to an enum should result in an unrecoverable hard crash if the integer isn't a legal value for the enum. Bonus points if it melts your processor and electrocutes whoever's attached to the keyboard.

    That would mean you cannot cast C "enums" you get from external libraries to proper C++ enum classes.

    Sure you could. You'd just need to check that it contains a valid number before you cast it to the enum.

    Also, casting from int to enum or vice-versa is not UB. The result of assigning an integer outside the range of the enum is unspecified, though.

    Yes... unrecoverable hard crash, melting computer, and electrocution all sound like a pretty good "unspecified" result.



  • @Nocha said in Voting Machine shenanigans:

    I have recently started following a few interesting people on twitter, and had this come up while I was slacking offworking. Thought you guys might appreciate the sheer incompetence shown here...

    That's just making sure the code was the same code that was sent, and fits syntax style.


  • Discourse touched me in a no-no place

    @xaade said in Voting Machine shenanigans:

    That's just making sure the code was the same code that was sent, and fits syntax style.

    Checkstyle can do some static analysis too. Whether that is adequate… well, I can't tell from the article as it depends on undescribed configuration.


  • sockdevs

    @dkf said in Voting Machine shenanigans:

    Whether that is adequate…

    for electronic voting machines? the answer is "no it's not adequate."



  • @dkf I watched a news story on a guy that had a way to alter the memory cards that delivered the voting configuration to the counting machines, which counted the paper ballots.

    Somehow he was able to misdirect the votes.

    Making this all a little moot, if even the paper ballots are compromised.



  • @xaade said in Voting Machine shenanigans:

    @dkf I watched a news story on a guy that had a way to alter the memory cards that delivered the voting configuration to the counting machines, which counted the paper ballots.

    Somehow he was able to misdirect the votes.

    Making this all a little moot, if even the paper ballots are compromised.

    I know this might seem like a totally 3rd-world solution, but in France (and many other countries!) votes are still counted manually and publicly, everyone being able to attend (or even help -- small villages usually are dying for volunteers as the few available council members have already spent the day manning the polling station...). There is a whole ritual around it (to be honest, the whole voting process in France looks like a ritual!) and no machines at any stage.

    So you'd have to find a way to compromise results after they leave the polling station, but at that point I guess that would be hacking the government communication network (each polling station reports directly to the local government office, I think) so if you can do that there are bigger problems than an election... (there is potentially a window of opportunity in the transmission of results to the government office, but after the first quick report by phone the official transmission involves a paper trail that would be difficult to alter without anyone noticing)

    It does cost money, but since voting machines don't come cheap either, that doesn't seem to be the main issue (and anyway, yes, an election costs money...). I haven't seen any argument for why voting machines are a good idea.



  • @remi said in Voting Machine shenanigans:

    I haven't seen any argument for why voting machines are a good idea.

    To rig the election



  • @TimeBandit Yep, there are enough stories about them machines that I start to think that anyone backing this kind of system must have a bad idea in mind.



  • @remi

    Well, you'd only have to socially engineer the upper tiers of the counting.

    But, hacking elections comes at a cost. You have to make the results believable. Which is why we have two parties and the results always seem to be around 50%.

    On the flip side, you can have an electorate, and always give the loser the popular vote, so that everyone can think they should be in charge. Then alternate the winning party every X years, so that half the population doesn't get pissed off for too long.

    I mean, technically the parties don't even have to hold half the population each, you just have to convince people they do.



  • @xaade said in Voting Machine shenanigans:

    Well, you'd only have to socially engineer the upper tiers of the counting.

    That would actually make more sense than hacking the true individual polling station results.

    At that point though, you're quickly sliding into conspiracy theory domain, so... :shrug:



  • @remi said in Voting Machine shenanigans:

    @xaade said in Voting Machine shenanigans:

    Well, you'd only have to socially engineer the upper tiers of the counting.

    That would actually make more sense than hacking the true individual polling station results.

    At that point though, you're quickly sliding into conspiracy theory domain, so... :shrug:

    I think human behavior arranges itself into patterns due to competing and symbiotic interests, and it ends up looking a lot like conspiracies.


  • Winner of the 2016 Presidential Election

    @remi said in Voting Machine shenanigans:

    I know this might seem like a totally 3rd-world solution, but in France (and many other countries!) votes are still counted manually and publicly

    Same in Germany. Every time someone suggests voting machines, you just have to point out how horribly insecure the ones in the US are and the politician will immediately shut up.



  • @xaade said in Voting Machine shenanigans:

    Well, you'd only have to socially engineer the upper tiers of the counting.

    Seems to me that the current trend is mostly about socially engineering the voters... which apparently is perfectly legal and called an "election campaign".



  • @ixvedeusi said in Voting Machine shenanigans:

    @xaade said in Voting Machine shenanigans:

    Well, you'd only have to socially engineer the upper tiers of the counting.

    Seems to me that the current trend is mostly about socially engineering the voters... which apparently is perfectly legal and called an "election campaign".

    Yeah...

    blah blah blah, something about both parties being the same. Two sides saying what they say they'll do, and how horrible the other one is.

    All while they do really bad things in secret, spend literally all their time covering it up, and do none of the things they promised.

    Then in come Lorne and Boomzilla to the forums to argue about which side is not being as evil...


  • mod

    @xaade said in Voting Machine shenanigans:

    Then in come Lorne and Boomzilla to the forums to argue about which side is not being as evil...

    Then comes Xaade to the forums to drag the argument out of the garage...

