Slashdot Mirror

The trick is to NOT use a DRE, but instead use a Voter Verified Paper Ballot. That is, the electronic device can help you vote, preventing overvotes and warning on undervotes, reading aloud to seeing impaired voters, etc., but the result is a printed out paper ballot which the voter then casts by putting it into a ballot box. The votes can be counted efficiently (i.e. scanned), and the paper ballots can be audited (by a separate system from a seprate vendor) and recounted.

That's untraceable and secure. There are a few systems like this (my favorite is the open source system at http://www.openvotingconsortium.org./ One nice thing is that you only have to trust the voter to verify the ballot - if the count is forged, the audit will find it. This means that you don't have to trust the software, just the process. That's a good thing.

"I am a poll worker in Virginia, and we follow a very similar protocol for our DRE voting machines. "

While it sounds like you're trying to do a good job, there are many fundamental problems with DRE machines.

- The software is proprietary, and not open to inspection, only to "black box" testing, which cannot only detect some kinds of errors, and cannot be counted on to detect all errors or intentional fraud.
- There is no way to prove that the vote recorded by the DRE is the same as the vote cast. The lack of voter verification of the actual recorded vote is the fundamental problem with DREs, rendering them unsuitable for use in elections. Note that printing a record of the vote within the machine does not help, because the receipt inside the machine is not verified by the voter, so there's no way to validate that it reflects actual votes cast, so it cannot be used as the basis of an audit or recount.
- There is no way to prove that the vote recorded by the DRE cooresponds to the votes reported.
- There is no way to audit reported vote counts against actual votes cast, so no way to discover fraud or error in the voting system.
- There is no way to recount actual votes cast by voters. You can recount whatever the software happened to record, but that can easily be different from the vote cost.

Or, as NIST put it "Simply put, the DRE architecture’s inability to provide for independent audits of its electronic records makes it a poor choice for an environment in which detecting errors and fraud is important."

There are advantages the electronic voting systems, such as providing immediate voter feedback to prevent overvoting and warning of undervoting, and assisting seeing impaired voters.

The right way to go, I believe, is to use electronic voting systems to assist voters in producing a paper ballot (AKA the Voter Verified Paper Ballot), which the voter can then inspect and cast. That gives the advantages of a DRE, but with the added benefit that the election results can be (relatively) trusted. That is, for example, the type of system used in Nevada after the Gaming Commission rejected all of the DRE systems. This is particularly relevant, because they're the only state with significant experience in securing DRE-like devices, because they certify gambling machines, which are under similar attacks to DREs.

Check out http://www.openvotingconsortium.org/ for an open source system that does the right thing.

"The protocol is invulnerable. The people executing the protocol aren't perfect, so in practice, real security on a well-designed e-ballot system greatly exceeds the current paper system."

Not even close. A well designed (people) process includes oversight sufficient to prevent any one person from succeeding, requiring large numbers of people to collude to affect more than a very small number of votes, which is easier to detect, and the presence of paper ballots allows for auditing and recounting, which will detect and correct for corrupt vote counting.

Digital voting mechanisms, on the other hand, lack any physical ballot, making cheating relatively easy, auditing impossible, and of course making recounts meaningless. And because it can be done in software, and the software is "proprietary" and cannot be audited, it's an obvious vulterability.

One good system that has the advantages of electronic voting (preventing overvoting, warning on undervoting, support for spoken prompts for the seeing impaired, efficient vote counting, etc.) and the advanages of paper ballots (validated record of votes, for auditing and recounting) is the one invented by the Open Voting Consortium, http://www.openvotingconsortium.org./

http://openvotingconsortium.org/

Please support.

.. We need open source software so that the voting process is transparent. I'll stick to any location I can find that still uses paper ballots otherwise. I also seem to remember these machines being trivially easy to tinker with.

I wanted to mod you insightful but I thought it may be better to let you know that an open source voting system already exists. A security analysis (pdf warning) has been performed and the ACT Electoral Commission has full details of the the behaviour of the code you can download.

You should also check out Open Voting Consortium because we are all friends so lets help each other be free.

Let's help to make it happen.

Dude, the OVC and Pvote are not competitors.

The OVC uses Pvote as part of their system.

Open voting consortium

The goal is not speed.

?

The goal is also speed. Don't throw the baby out with the bathwater.

Remember the LinuxWorld open source voting demonstration? It only just happened in August.

They were able to tally on the fly, and still perform a paper audit later.

Try to do that with a pure-paper system.

Absolutely, an Open Source electronic voting system seems like the perfect solution.

The best approach in my mind would be to build the thing almost from the ground up with the intention of being:

1. Simple
2. Secure
3. Reliable
4. Scalable
5. Transparent (code-wise)

Seems the first thing a lot of Open Source coders tend to gravitate toward when thinking of a new hardware-software integration project is Linux. However to meet these goals I think the community ought to ensure that the project is highly tailored to this particular project, with virtually no extraneous functionality.

Google turns up a couple interesting links on the open source voting concept:

• http://www.wired.com/politics/security/news/2004/01/61968
• http://www.openvotingconsortium.org/

http://www.openvotingconsortium.org/

Here's your forum.

http://www.openvotingconsortium.org/

This is precisely why we need a citizen-backed voting platform. The Open Voting Consortium provides this. They're our votes. We should do everything in our power to protect them.

that members of this site haven't started an open source project

You mean, like the Electronic Voting Machine Project and OpenSTV and the Voting Software Project and the Open Voting Consortium and Blue Screen Democracy and probably a dozen other projects?

One problem is that voting software/hardware has to be certified by the state. A ponderous, time-consuming, and expensive bureaucratic nightmare not particularly friendly to amateurs (or even corporations, unless there's a good prospect for vast sales).

But they need our support. http://www.openvotingconsortium.org/our_solution Anyone out there care to match a $30.00 donation to help stop the next GWB® from buying key districts in swing states.

Consider giving a couple bucks to this group. Alan Dechert has been doing good work in CA and elsewhere.

Agreed, MD did use optical a while back. Also, though I'm not sure I believe that the makers of the optical machines may have been Diebold. Personally I would like to see the system from http://openvotingconsortium.org/ implemented widely since it is open source and uses a optical & paper system.

"[1] In case any techies want to see some code, here is the program for the voting counting program, written by Asheesh: http://www.openvotingconsortium.org/ad/voting_thing.tar
Here is Jan's code (if you want to run it and have some trouble, let me know and I will help you with it) http://user.it.uu.se/~jan/test/straw.tar"

I love the name.

So far, nobody's mentioned projects like the Open Voting Consortium in this discussion. This might be a perfect time to point Colorado officials in the right direction. Just a thought...

You can have electronic voting that doesn't suck.

It just has to have a paper trail, not reveal to outsiders who you voted for, and, y'know, not be backed with Microsoft Access.

Something like this?

I'm not big on voting machines, but if we're going to have them, they should be open.

This guy (Alan Dechert) is active in CA and needs your help. I've ponied up some dough; please join me.

He's speaking at the Red Hat Summit today!

I think that attorneys for the government should be able to demand to see source code for all the machines already deployed. If source cannot be produced (or it does not compile to the same machine code present on the voting machines) then those responsible should be rounded up and tried for treason. Seriously: at no point should *anything* related to how these machines tally votes have been regarded as a secret: that's simply not how voting works in the US.

I believe that California shouldn't have to demand transparency, I think that we citizens have implicitly expected transparency all along.

Donate to the Open Voting Consortium, they've been working with Debra Bowen and many others to fix the system.

(and I searched through the comments, FYI :) - GOOD RIDDANCE!

What we need is voting solutions like this:

http://www.openvotingconsortium.org/our_solution

or this:

http://punchscan.org/faq.php

or some combination of the above two.

Let's make this country the #1 democracy in the world all over again. Let everyone know that feasible voting solutions exist in the here and now and are solved with current technology!

• I'm confident we can build a computer that works reliably for at least a day. Even Diebold should be able to pull this off. They do make ATMs.
  
  
• Thousands of restaurants use POS systems with touchscreens day in and day out, and if they weren't reliable, they wouldn't be using them.
  
  
• How many pages can your average run-of-the-mill HP LaserJet print before needing maintenace? How many receipts can your average supermarket cash register print? I agree that the printer is the most likely component to have problems, which is why I would suggest that the entire printer should be a removable component that each polling location has at least one extra of. But seriously, look at businesses that rely on printing things thousands of times a day, and what kinds of printers can fill their needs.
  
  
• Finally, the scanner. Again, look at scanners used commercially. What does the College Board use to scan SATs? How does the US Postal Service scan envelopes? Reliable scanners shouldn't be hard to come by.
  

• Balancing the budget
  
• Research & Development Grants
  
• Education Loans/Grants
  
• Small business loans/Grants
  
• public financing of elections
  

Partisan bias obstructs cleaning up the electoral process.

Don't let your always short-lived victory lodge your head in your ass. Now with the Republicans smarting maybe they can be encouraged to get behind some improvements?

Your "democracy" is owned by private interests. Your vote barely counts. Fix it.

One way your vote doesn't count:
    http://video.google.com/videoplay?docid=-723679120 7107726851

Organizations to support for change:
    Black Box Voting
    Open Voting Consortium

I understand your argument about any obfuscation being unacceptable, however your issues are addressed within the design. I recommend you take a look: http://www.openvotingconsortium.org/our_solution

Perhaps go through a quick sample ballot, check for yourself.

From TFWS:

In the polling place there will be a station with a scanner where you can have the barcode scanned while you're wearing headphones so you can hear your selections read to you. The ballot does not have to be removed from the folder; your privacy is assured. Then you go to the ballot box for depositing of your ballot.

The problem with the machines is you need to look at a lot of the people running the polling places. Machines should not be used unless they're so simple to set up that your grandmother could set it up.

I am also hoping that the democratic candidate wins as secretary of state for California. She has proven to be highly receptive to the Open Voting Consortium, which advocates a fully open-source voting system with a good paper trail. Remember, machines are also used to scan the paper ballots as well. The OVC solution looks pretty good as far as machines go. It prints a human and machine readable ballot and is designed to handle many different voting methods like instant runoff. Not only that, it can run on commodity hardware and so far one voting machine manufacturer has signed on.

By being open and available for experts to study, it will result in a much more transparency.

Paper ballots are not perfect either. Though they are easily humanly readable, they are also easily humanly fallable. I.e. if grandma doesn't fill in the oval completely or too lightly it might not be read, or if they accidently mark where it shouldn't be marked. The only solution for this is to have the ballots scanned at each precinct so the voter can verify their vote.

-Aaron

Barcodes on machine generated ballots are super-sketchy. The user needs to be able to be able to see and understand the marking on the ballot that the counting machine will read.

(Not to suggest you mean so.)

Anyway, it is a solvable problem.

Get your open source and well-working solution from openvotingconsortium.org.

Slashdotter SAFH already shared a summary of the system.

Secret source be damned.

http://www.openvotingconsortium.org/

Open Voting System Explained
What is the Open Voting system?

The Open Voting system is very much like a traditional system in which the voter enters the voting place, marks his or her choices onto a paper ballot, and inserts the ballot into a ballot box except the voter marks the ballot using a computerized voting station rather than a pencil or colored marker. The Open Voting system preserves the paper ballot. However, which is printed in plain text that the voter can read. Voters have the opportunity to inspect the ballot to ensure that it properly reflects their choices. Poll workers then scan the ballot to count your votes and deposit it into a secure ballot box. The Open Voting system ballots contain a bar code in addition to the plain text. This bar code provides a system of accountability for recounts and prevents voters from voting more than once, although it provides confidentiality for the voter. Open Voting systems can be engineered to accommodate the special needs of those who who have physical impairments and can be operated with touch-screen features and provides audio playback for sight impaired.

This is the Technology Age. Information has to be the most valuable commodity around. And this is both good and bad.

I'm fully for such things as the Open Voting Consortium. In fact, I'm an active supporter. The Consortium wants to change the implementation of the voting system by making it open. But this knowledge of nuclear warfare can go unknown by the masses. Not knowing something can be a part of honesty and integrity. If you don't know the location of the secret hideout of your secret organization (that is, you've been brought there blindfolded), all the sodium thiopental in the world can't make you remember (although you could be overdosed and die).

On the other hand, if your government is lying to you, your honesty and integrity is absolutely based on the relative truth value of that administration. The latter is as good as a house built on sand during a storm, and the former is as good as shingles on the roof of that house.

I don't see how anyone could feel entitled to this knowledge, and I support the United States' decision. An important part of this Age of Information is that, in my opinion, with knowledge should come responsibility. Everyone should be able to handle the responsibility of knowing that there may have been some government scandal. Too many cooks spoil the broth, and the masses simply can't handle the responsibility of knowing how to make an atomic bomb. So I'm assuming bad faith? You betcha.

I'm sure we all remember the Diebold exposé back in September?

[sarcasm]So nice to see that Florida is so on-top of things.[/sarcasm]

Seems like all they do is say, "that's just the way it is." All the while, Jebbie is racking-up the GOP vote in a pathetic attempt to regain his brother's favor after debacles in both 2000 and 2004.

Let's take back our right to a fair election!

They can only take it away if we let them.

a moratorium would be more appropriate. There are open source voting systems (google for "open source voting") developed by the Open Voting Consortium which can do it all - enable electronic voting, provide a paper trail and the ability to do recounts/vote verification by using the paper trail.

To those who have knee-jerk reactions when they hear "electronic voting" and think "fiasco" right off the top of their head - open-source, non-vendor,non-proprietary electronic voting+paper trail ARE possible - _today_.

Now the hardest part about this isn't the technology, but rather getting off your bum, visiting congress.gov, writing your congress(man|woman) by email/letter, urging them to adopt open-source voting. Check out http://www.openvotingconsortium.org/ - it should make you a believer, even if you are technologically challenged (and who on /. is, right? :).

Check out http://www.openvotingconsortium.org/ and contribute, please. Money or time. (There is a $9000 challenge grant waiting for about $1500 more in contributions.) OVC has been /.ed three times, and the San Jose Mercury News called its system "the Holy Grail of touchscreen voting." The prototype was built in Python on Linux, and is available under GPL. All of the benefits of touchscreens for the disabled, for multiple languages, for preventing over- and under-voting, and all of the benefits of paper for counting (Bar code and OCR) and auditing.

The certification process also needs to be published, so that an independent group can create a test suite to be run on every machine just before an election. None of this nonsense with uncertified patches illegally performed by vendor personnel.

* Paper ballot printed by machine
* Ballot verifiable by independent hardware/software system
* Election setup data to be supplied on CD-ROM, not memory cards
* Protocol for correct use to be published

But remember: None of this matters if election law violations don't come with jail time attached.

(Disclosure: I am a Founding Member of OVC.)

You're absolutely right; it's not that difficult, and don't let anyone make excuses for Diebold by saying it's a "complex problem". It's not. The Open Voting Consortium has a spec for a cheap, reliable and secure voting system using physically-secured home PCs and barcode readers. I suggested a system that uses barcoded-receipts and removable hard drives to do two separate counts on the same data in order to provide some sort of error correction in the event of a discrepancy between the counts. But seriously, any computer science graduate worth his salt could come up with and implement a better system than what we have.

The OVC is all about leaving a paper trail...

http://www.openvotingconsortium.org/our_solution

You do get both. But I agree that 2) is the most important part. It would be fine if everyone just put a big X on a box next to their chosen candidate or issue. Really not that hard.

There is an open source project!

Thier solution as stated on thier site:

Stops Secrecy in Vote Tabulation: OVC has a team of scientists ready to program computer software for voting machines and electoral tabulation that would be publicly owned or open source. Open source software could be checked by any party or group by hiring a capable computer programmer.

Provides Paper Trail: The OVC recommended procedure for tabulating elections relies on a paper ballot that is then fed through a scanner into a locked ballot box so that all originals are saved in case of the need for a recount or audit (See Sample Ballot).

Scientifically Verifiable: In addition to open source voting machine and tabulation software, the Open Voting Consortium is also working on a database checklist for standard practices in vote tabulation that would assure transparency and accountability. Some aspects of the OVC concept will soon be enfolded into California legislation.

Saves Money: Typical voting machines cost between $2,000 and $3,000, but OVC open source software could be run on any personal computer (PC) and ballots could be printed on a normal printer. OVC envisions PCs with tamper-proof cases as the new voting terminals at a savings of hundreds or thousands of dollars per terminal.(See page on OVC Cost Analysis).

Multi-lingual, Handicap Accessible, and Ready for Non-Traditional Voting: Unlike most voting machines and systems, the OVC system can be easily adapted for ballots in multiple languages. The OVC system also provides for the capability for sight impaired or blind voters to have their votes played back to them through headphones at the ballot box. Old voting machines and systems can't accommodate non-traditional elections like proportional representation, but these changes could be easily accommodated with the OVC system.

http://www.openvotingconsortium.org/

But "open source" voting systems are just as useless as proprietary ones without a permanent voter-verifiable paper audit trail.

In fact, given the choice of 1.) open source voting systems, and 2.) a permanent voter-verifiable paper audit trail, you'd be foolish not to pick 2.) every time.

Now if we could have both, fantastic. However, you'll probably go a LOT further arguing for a paper trail in ALL instances than trying to unseat traditional enterprise and commercial vendors in any market.

Of course, I wouldn't be satisfied by anything but publishing the voters' choices. Not by name -- give them an anonymous unique voter ID so that they look at the database, they can say "ah, they got mine right".

And then, as you leave the polling place, a big guy mugs you, copies down your 'anonymous' voter ID along with your name (or just steals the voter ID and your ID), and delivers it to his boss. Hope you voted for the person they wanted you to... or else! In other words, you've just opened up the voting public to bullying.

The real solution to e-voting can be found at the Open Voting Consortium.

I am very disappointed with the open source and security communities. Instead of busting the closed source machines left right and sideways how about building a prototype of a secure voting machine

Yeah, why not?

Open source systems are just as useless as the Diebold equipment without a permanent voter-verified paper trail.

Dude, RTF Site:

The OVC recommended procedure for tabulating elections relies on a paper ballot that is then fed through a scanner into a locked ballot box so that all originals are saved in case of the need for a recount or audit.

Just for pointing that out, I want another damn +5!

I know I'm preaching to the Slashdot choir, and it's been said a thousand times before, but as long as we have closed voting processes, we're going to have people screwing up by doing things like having voting machines accessible with hotel minibar keys. We hate Microsoft for their closed-source software, yet we continue to accept this kind of idiocy.

Quick question: If we have viable alteratives, such as those presented by the Open Voting Consortium, why do we continue to bother with these stupid Diebold machines? I know, dumb answer, because Diebold pays the people who decide lots and lots of money.

I would say write to your Congresscritters and let them know that you want these screwed up pieces of junk out of our polling locations, but like I said, I know I'm preaching to the Slashdot choir, and you won't do it. >:-( But realistically, just know that until you do, we can look forward to many, many more articles about this kind of thing. Ooh, at least until we see the one that says, "Electronic voting machines hacked! Election results tainted!." Or even better, when we see nothing at all and Richard M. Stallman is mysteriously elected President in a write-in landslide.

sigh Oh well, it was worth a shot. Just give me my damn +5 and go back to reading about lasers on Intel's chips now.

http://www.openvotingconsortium.org/

I'll also be referencing the sample ballot at http://user.it.uu.se/cgi-bin/cgiwrap/jan/ballot.py in this response.

For example,the bar code to human text is validated in four ways.

This makes the assumption that the human text and barcode match. What would be the response when presented with a ballot where the barcode and text did not match? Simply presuming that it wll never happen is short-sighted. If such a system is truly open source, it would be trivial to produce something which looks like a real ballot but contains such an arbitrary flaw. We could, as a counter, require an out-of-context check (special paper, special ink, etc) at increased complexity and cost....

Second, any voter can swipe the bar code on an independent stand-alone machine for playback before casting the vote.

We can presume most people would not carry a barcode reader to the voting booth with them, which would represent an opportunity for exploitation, but let's presume they did. Reading-back the barcode presumably only gives me the number. 5124512451245124512451245124512451245124 But the vote I cast was not for a number, it was for a person. How am I (Joe Average Voter) supposed to make the translation between the selection of candidates I voted for and the encoded representation in the number. Unless I can perform such a decoding in my head, I have to trust that the system has not been compromised.

Now, I could program my own barcode reader to also decode the number back into a ballot, but now we've introduced complexity and with it, opportunity for exploit. How would a truly honest election official handle the situation where a voter presents a ballot which reads (text) for Candidate A, and scans (on the precinct-supplied verifier) for Candidate A but scans (of the voter-provided verifier) for Candidate B? We could presume that the voter-supplied equipment is faulty, but a corrupt election official who had tampered with the precinct-supplied scanner would surely say the same thing, and probably have an accomplice with his own compromised scanner on hand for back-up.

It's also not clear from the provided documentation if the information within the barcode represents only the information on the ballot, or if other unaccounted-for information is also included. Either possibility could be leveraged into an exploit by itself.

Third, Since the voter does not have to cast the ballot they can leave the poll with the completed but not cast ballot.

There's a minor DOS (Denial Of Service) exploit waiting to happen.

Any third party outside the poll can swipe the barcode and vaidate...

...or invalidate...

...it for the voter.

Fourth, at the end of the day the every single bar code is swiped by a human. The humans can also see the plain text of the ballot they are swiping. Thus they can validate as many ballots as they choose to.

This ignores human nature. Most people given the opportunity to use either the 'stare and compare, stack and add' count or the machine count will choose the machine count. Having the paper ballots as a backup only helps if the paper ballot is considered authoritative. And if you're planning to have the paper ballot be authoratitive, have any other count available only introduces the possibility of controversy, for the price of increased complexity.

Visit their mock-up at http://user.it.uu.se/%7ejan/voting-project/ballot2 .html and the result of your balloting as I walk you through the vulnerabilities.

1. Why the barcode?The voter intent is rendered in two seperate versions: the Native Language version (President ---> George Washington) and the barcode version. This raises the question: which one is authoritative? If a ballot should turn-up which lists the voter intent inconsistently, that ballot becomes invalid, as does the sanity of the machine and every vote cast upon it. Additionally, who knows what other information is contained in that barcode? We could argue that if the barcode says something different than the printed words, it would be exposed when read-back by the scanning-station, unless that machine has been compromised as well.
2. Why the survelliance? Does anyone else think it a bad idea to have anything reading the ballots before the election closes? We already get enough complaints about exit polls and pundits 'calling' the election before the polls close, so why do we go out of the way to allow machines to see how we're voting before we've even cast the ballot?

• Forget the barcode. Print the voter intent in "plain english" and let the computers key-off of that for counting. Computerized OCR can be as accurate as barcode reading if the printing conditions are controlled and the computer knows what it's looking for. If we agree beforehand on standardized meanings for each possible voter intent across several languages and representations (including braille) then there's no need to 'translate it back'.
• Forget the 'second box'. There should only be one way to 'cast a vote'; the 'device' accumulating the counts should be openly observable, analog (only idiots expect infallible analog behavior out of digital devices), and singular. If you create a situation where there are two (or more) places where the count is being kept, you create a situation where one of the counts is going to be ignored.

And, best of all, the solution (pen and paper, boxes and X's) has already been developed. There's no need to raise $1.5 Million to fund the development of this solution, or spend my nights in the run-up to the election going over the source code looking for vulnerabilities when I should be considering real issues.

Visit their mock-up at http://user.it.uu.se/%7ejan/voting-project/ballot2 .html and the result of your balloting as I walk you through the vulnerabilities.

1. Why the barcode?The voter intent is rendered in two seperate versions: the Native Language version (President ---> George Washington) and the barcode version. This raises the question: which one is authoritative? If a ballot should turn-up which lists the voter intent inconsistently, that ballot becomes invalid, as does the sanity of the machine and every vote cast upon it. Additionally, who knows what other information is contained in that barcode? We could argue that if the barcode says something different than the printed words, it would be exposed when read-back by the scanning-station, unless that machine has been compromised as well.
2. Why the survelliance? Does anyone else think it a bad idea to have anything reading the ballots before the election closes? We already get enough complaints about exit polls and pundits 'calling' the election before the polls close, so why do we go out of the way to allow machines to see how we're voting before we've even cast the ballot?

• Forget the barcode. Print the voter intent in "plain english" and let the computers key-off of that for counting. Computerized OCR can be as accurate as barcode reading if the printing conditions are controlled and the computer knows what it's looking for. If we agree beforehand on standardized meanings for each possible voter intent across several languages and representations (including braille) then there's no need to 'translate it back'.
• Forget the 'second box'. There should only be one way to 'cast a vote'; the 'device' accumulating the counts should be openly observable, analog (only idiots expect infallible analog behavior out of digital devices), and singular. If you create a situation where there are two (or more) places where the count is being kept, you create a situation where one of the counts is going to be ignored.

And, best of all, the solution (pen and paper, boxes and X's) has already been developed. There's no need to raise $1.5 Million to fund the development of this solution, or spend my nights in the run-up to the election going over the source code looking for vulnerabilities when I should be considering real issues.