Maryland Plans Code Review for Voting Software

asmithmd1 writes "We already knew Diebold software is insecure, now the Baltimore Sun is reporting that the Governor of Maryland has asked SAIC to review the software in Diebold voting machines. Diebold has graciously allowed SAIC access to their proprietary code. Why isn't this code open source by law?" In a related story, a trade show for closed-source electronic voting systems is doing their best to keep critics out. Update: 08/07 15:23 GMT by M : Diebold's website security is less than outstanding.

That's my job

[Inexile2002]

Seriously. One of the things I do for Comp Sec is change management and version management. There are VERY strict auditing standards that companies like this need to meet. In the US there is a SAS 70 auditing standard that companies need to meet in order to do things like this. Up here in Canada, we call it a Section 5900 but its the same basic idea.

The way it works is, a company says that there are controls in place to assure people that something is or is not happening. If someone wants to test those controls, they'll call in a team of qualified IT auditors and we'll do a Section 5900.

For the 5900, the people hiring us to do the job (could be the company in question, a regulatory board, a judge, a client etc) will draft a list of risks or controls. These controls are things they want to see in place.

So, for a voting machine, the people requesting the 5900 would list controls similar to the following:
-All changes to code are authorized and approved.
-All changes are adequately tested, approved and testing is not carried out by the original developer.
-No changes are introduced to the code after testing.
-Changes are promoted and versioned by someone other than the original programmer.
-Code that is installed into the production system is the same code that was tested and approved.

... and so on.

Then the auditors will go in and verify that these controls exist, that the risks these controls are designed to cover off are adequately covered and that the controls are effective. If a company fails a SAS 70 or a 5900, they usually HAVE to fix the problems.

Also, it usually isn't that hard to get your hands on a Section 5900 or SAS 70 report. Most companies will happy give them out unless they failed them or there are other NDA issues. As a voter, you probably have rights to these reports, and even if you don't, your elected representatives definitely do.

Re:the problem is...

[maxume]

Of course, Ken Thompson has said some very interesting things about trusting code and compilers. The only way to really trust the code would be to hand code/compile/enter your own compiler in asm, and use this to bootstrap a more powerful compiler etc, until you were able to compile the code that you had reviewed and elected to trust. If you don't do it all yourself, you really can't be sure how trustworthy a binary is, your compiler might have done some dirty business behind your back.