#define DESKEY ((des_key*)"F2654hD4")

In case any of you used a Diebold election machine the other week, that’s how your vote was encrypted – using a constant key set in a #define which is the same for every compile! What were they thinking!? Whoever wrote that should have their fingers chopped off if they ever touch a computer keyboard again. How can anyone write such terrible code? Not to mention that it’s been possible to brute-force single DES encryption for ages now.

// LCG - Linear Conguential Generator
// used to generate ballot serial numbers
// A psuedo-random-sequence generator
// (per Applied Cryptography,
// by Bruce Schneier, Wiley, 1996)
– BallotResults.cpp, Diebold Election Systems

Tossing in the name of the bible of cryptography doesn’t make this any less stupid:

Unfortunately, linear congruential generators cannot be used for cryptography. – Bruce Schneier. Applied Cryptography, page 369.
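Why that quote matters for serial numbers that are supposed to be unpredictable, as an added example (not Diebold's code and not from the original post): three consecutive outputs of an LCG with a known prime modulus are enough to recover the multiplier and increment, after which every later output is determined. The modulus, multiplier, increment and seed below are constructed for illustration; values that must be unguessable should come from the operating system's CSPRNG instead.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed parameters for illustration only; NOT Diebold's values. */
#define LCG_M 2147483647ULL /* prime modulus 2^31 - 1, assumed known */
#define LCG_A 48271ULL
#define LCG_C 12345ULL

static uint64_t lcg_next(uint64_t x) { return (LCG_A * x + LCG_C) % LCG_M; }

/* b^e mod m by square-and-multiply; operands stay below 2^31, so no overflow. */
static uint64_t pow_mod(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1;
    for (b %= m; e; e >>= 1) {
        if (e & 1) r = r * b % m;
        b = b * b % m;
    }
    return r;
}

/* From x1 = a*x0 + c and x2 = a*x1 + c (mod m):
   a = (x2 - x1) / (x1 - x0), c = x1 - a*x0.
   Returns 0 on success, -1 if x1 == x0 (difference not invertible). */
static int lcg_recover(uint64_t x0, uint64_t x1, uint64_t x2, uint64_t m,
                       uint64_t *a, uint64_t *c) {
    uint64_t d0 = (x1 + m - x0) % m, d1 = (x2 + m - x1) % m;
    if (d0 == 0) return -1;
    *a = d1 * pow_mod(d0, m - 2, m) % m; /* Fermat inverse, valid for prime m */
    *c = (x1 + m - *a * x0 % m) % m;
    return 0;
}

/* Returns 1 if the 4th "serial number" is predicted from the first three. */
static int predicts_next(uint64_t seed) {
    uint64_t x0 = lcg_next(seed), x1 = lcg_next(x0), x2 = lcg_next(x1);
    uint64_t a, c;
    if (lcg_recover(x0, x1, x2, LCG_M, &a, &c) != 0) return 0;
    return (a * x2 + c) % LCG_M == lcg_next(x2);
}

int main(void) {
    printf("next output predicted: %s\n", predicts_next(2006) ? "yes" : "no");
    return 0;
}
```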

In general I prefer to blame idiocy before malice, but it’s hard to believe software could get this bad without deliberate intent. Are there really people moronic enough to do this by accident? If so, I don’t want to meet them.
