So says the affidavit filed in the injunction against the Ohio Secretary of State Jon Husted by Bob Fitrakis of the Ohio Free Press and his attorney Cliff Arnebeck. Brad Friedman, reporting via Salon.com, lays out the case for the potential for foul play in the Ohio election with the uncertified software patch that is being applied to 39 counties in Ohio. Furthermore, this uncertified "experimental" software patch resides at the tabulator level of the network with full read/write privileges to the database.
Personal background: I sell enterprise software to large multinational corporations for one of the largest tax software companies in the world. In my role I am responsible for overseeing the process from first contact to implementation.
Read after the fold to find out why this is "unspeakably stupid, excessively complex and insanely risky. In medical terms it is the equivalent of doing open heart surgery as part of a method of removing somebody's hemorrhoids. Whoever came up with this idea is either the dumbest Information Technology professional in the US or has criminal intent against the Ohio election process."
For those of you who think that this is conspiracy theory bullshit I am here to attest to you that it is not. What you are witnessing is not run of the mill, nor would any company that I have ever sold to allow for such a blatant disregard for IT security. There are several questions that you need to ask yourself. The most obvious is why?
Why at this late date would there be a need for an experimental patch to be loaded on these machines? Certainly there has been plenty of time before this election to add any needed updates.
Why would the contract allow for "experimental" uncertified software to be allowed on such a security sensitive network?
Why wouldn't the Secretary of State's office be forthright about the patch when originally presented with these questions?
I have seen several diaries about this and I have seen a lot of criticism that we needn't focus on this kind of matter. The fact of the matter is that when I originally saw this reported I wrote to Brad Friedman myself to alert him to the report. I want to reiterate that this is not run of the mill. The idea that uncertified anything would be allowed on such a secure network is unthinkable and there is not a single Fortune 500 company in the United States that would allow it to happen. Hell, I have a hard time getting internet access, and have to set it up well in advance just to get on a "guest" access to a network. The idea that there would be an experimental patch put on a network at this late date is absurd on its face.
Art Levine at the Huffington Post is also reporting about Arnebeck's lawsuit.
Levine also reported that Arnebeck had referred the matter to the Cincinnati FBI for criminal investigation of what the Ohio attorney describes as "flagrant violation of the law."
"Before you add new software, you need approval of a state board," says Arnebeck. They are installing an uncertified, suspect software patch that interfaces between the county's vote tabulation equipment and state tabulators. Arnebeck's alarm is understandable.
3:55 PM PT: UPDATE: I was out and back and see that this has touched a nerve with a lot of people. I am glad this is getting the attention that it deserves. Once again I have no idea whether this patch is good or bad... and that is precisely the point. By the very nature of how this is being handled it is impossible to know. This is simply an unacceptable software management procedure that no IT department of any reputable company would accept.
The problem is that even with the best of intentions software patches can screw up. You do not throw them into a live environment without rigorous testing and certification. If for instance there was a glitch from this without anything nefarious afoot, it could screw up the results for days.
4:49 PM PT: Here is a link to more information about the lawsuit from The Free Press.
This from another diary that is up on the Rec list now.
Tue Nov 06, 2012 at 5:24 AM PT: There is a lot of discussion about whether or not there is a paper trail and I believe that if that is the discussion you are having, then you are totally missing the mark. The real point is not the nefarious or non-nefarious intent of introducing the non-certified, experimental patch into a live environment days before a go-live event. It is the sheer STUPIDITY of doing so. This election could be totally thrown upside down by glitches in the software that never change a single vote. What if it were to bring the 30 something counties that are affected by the patch to a standstill when they are trying to transmit their votes to the tabulator? It could absolutely throw the whole process into chaos. Absent the fact the software would not otherwise work without it (as has been pointed out by some of the software engineers in the thread) and you were going to be sued because you were not meeting a contract obligation there is no reason to do it. This is my last update. I am off to give a software demo that I know will work ;0). Happy election everyone. Let's put BigBlue on the map.