Maryland Plans Code Review for Voting Software
asmithmd1 writes "We already knew Diebold software is insecure, now the Baltimore Sun is reporting that the Governor of Maryland has asked SAIC to review the software in Diebold voting machines. Diebold has graciously allowed SAIC access to their proprietary code. Why isn't this code open source by law?" In a related story, a trade show for closed-source electronic voting systems is doing their best to keep critics out. Update: 08/07 15:23 GMT by M : Diebold's website security is less than outstanding.
Even if the code is open source, how can you be sure the voting machine executable has been compiled from the genuine source code?
"Why isn't this code open source by law?"
because we haven't made it so yet. Remember Government by the people...
Voting via absentee ballot. At least there is a greater chance of my vote not being screwed up or changed.
Anyone who thinks these voting computers are going to be flawless and secure by Nov. 2004 is greatly mistaken.
Well because the US is a capitalist country and because currently most people seem to believe that the best way to make money in software is by keeping the code proprietary and because US government favors money-making corporations.
I agree that if it were open source it would be far more likely the security problems would be discovered quickly.
So how about creating an open source alternative... anyone ready to register an OpenVote system on SourceForge?
John.
It makes sense that they don't want their code to be open source, because then ALL the bugs will be found. When open source code is developed normally, people notice bugs/security holes a few at a time and fix them. But when software has been closed source for a long time, it's bound to have tons of bugs and holes. Opening the code up to public scrutiny would unveil A LOT of problems. And that's just not good for PR... especially in voting.
My guess is they just want someone to look through the code, maybe suggest a couple quick fixes, and then give the OK, so they can reassure the public. They don't really want to get to EVERY hole in the code. They probably just want to show that they get numbers close enough that we should keep using/buying their stuff.
Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
Security through Obscurity is not Inherently Evil.
Of course, if the only security a system has is based on the fact that nobody can see the code, I'd say that system is hosed. I highly doubt voting software would fall into this category. It's unfortunate that obscuring code has taken on the negative connotation of "hiding bugs." That's not always the case. Keeping the inner workings of a system secret is a valid security measure, and used in conjunction with other means it can create a well-secured system.
I think the process they are taking is a step in the right direction. I believe that independent code reviews strengthen privately owned code. I think it's a mistake to deny access to those who have the ability to challenge the system. But I'm not sure open sourcing the code will make it any more secure.
But for the love of god and all that is holy, WHY are they fighting so hard against paper records? It makes no sense. (unless you are conspiracy-minded) Seriously. I just can't come up with any decent reason that Diebold et al would be so strongly against hooking a printer up to the system to produce a physical record. Much less why our elected officials would buy into such an idea.
Bush: He's Liberal in all the wrong ways.
Not only should the code for voting machines be made open to any interested member of the public, the whole voting process should be opened to the public.
Provided that it does not infringe on the privacy of individual voters, it seems reasonable and much more secure to allow any interested party to view the voting process in real time and at any level, provided, of course, that the process were set to read only.
you need to build it. They're not interested in building it open source apparently. Remember, Diebold makes ATM machines and other commercial products, and they have stiff competition. By the design of their business plan their software won't be open.
So, if you want to see an open source implementation of voting software, something that you can argue is perfect and be able to show the world such, you need to make it. Diebold and their competitors won't.
If you can build the software to make a secure voting system, someone else can design the hardware once the software is ready. That seems to be what people are missing here. Design the system right and the hardware will be built to work. Design the hardware first, and the system will be dependent on whatever wacky design is chosen.
Do not look into laser with remaining eye.
your vote has caused a fatal exception in kernel32.dll - try picking another option
Independent hopeful Kevin Mitnick was elected President of the 2004 elections.
.sig
Before, it was whoever had the best campaign and the most money that won. Will elections in the 21st century be determined by whoever has the best crackers?
"Why isn't this code open source by law?"
This wouldn't fix the problem of faulty (by design) hardware, lack of audit trails, and no trust in the delivery method.
Sure with open source we can see the code, but that doesn't help if it is compiled by a compiler that you can't see the code for, run on microchips that you can't see the code for, and administered by people you can't trust.
The ``but it should be open source'' comment that gets thrown around in every single story about electronic voting does not take into account everything that happens to the code _AFTER_ we would be able to see it.
Anyway,
here is a link to a page on Electronic Voting:
Dr. Mercuri's Page on Electronic Voting
--xPhase
The following sentence is TRUE. The previous sentence is FALSE.
It is still possible to have a valid election, even with a closed source voting system. The key is to have the voting machine spit out a piece of paper where the voter can see the votes written down and then confirm them. It doesn't even have to be a paper the voter handles, it could be behind glass so the voter merely can see that what they voted for is on the paper. Then, in the case of a contested election, the checks can be made against paper as well as the bits. In a case where the ballots don't match, paper overrules the bits.
Granted, I think an open source system is the only sensible way to go, and the people writing them should be protected by copyright and patents, not secrecy. After all, if they're all required to be open, it's going to be awfully hard to hide the source code you stole.
"If electronic voting becomes the norm (likely), I just won't vote."
The odds are already heavily against your voting currently anyway, so I don't see how this will matter much.
At least we don't use the "Telelection" methodology a'la Max Headroom...
Do not look into laser with remaining eye.
According to this story Wired is running today, Diebold got 0wn3d back in March. They were given a nearly 2GB archive of the stuff that was found by a person claiming to be the hacker who got in.
If a company can't properly secure its own network, how can we possibly trust them to create a secure voting system?
~Philly
No. The point in having trusted binaries is to stop piracy so MSFT (and others) do not have to worry about people using their software without a license. How else do you expect them to continue to grow their revenue each quarter?
Why should it be?
Why don't I get to follow my paper ballot, meet the person who counts it, give them a math test to make sure they can do the arithmetic required, and won't "carry the two" and fuck everything up?
Open source software won't fix anything.
I don't need no instructions to know how to rock!!!!
And that's exactly what's dead wrong about voting machines in general and Diebold's AccuVote in specific.
It's about as plausible as those industry strength, proprietary, uncrackable encryption devices with a secret, secret algorithm (which is certified by the association of creative spooks).
If we (as the voters) allow for such unaccountable, unauditable and error-rigged devices we can give the key to the town right away to he who maintains the devices (or even a few creative script kiddies for that matter).
I am the musician
with pocket calculator in hand
Kraftwerk
Word Axis
Why isn't this code open source by law?
The source code doesn't strictly have to be under a free or open source license.
However it is vital that every single voter should have the right to examine the software and the hardware of the election process.
Without that right, there's nothing to prevent elections turning into the kinds of events that Robert Mugabe has been staging in Zimbabwe.
"Provided by the management for your protection."
I really like the system we are now using in Florida with some caveats. You're given a paper ballot with fill-in bubbles to mark your choices. You insert the paper ballot into a safe-like container that immediately scans and tallies the ballot. I've not seen any cases where there were mistakes, but I assume it would function like one of those vending machines that take paper money and reject the ballot if there was a problem. However, my one concern is that the questions and choices are stated and marked in clear text (of course). In the process of feeding your ballot into the machine, your choices are clearly visible to whoever is standing nearby. If they can deal with that privacy issue, I think it is the perfect solution.
Phoenix
The point is that media may have an opinion and they may express their opinion and print stories supporting their opinion. But they should make things clear. They should not try to hide that.
BTW: As a liberal left-winger, I only see the (neo)conservative, and far right-wing deceiving people by manipulating media, voting machines etc. by the quiet method. Often, not really legal.
Contrary, very leftish people get their attention more by exaggerating facts and then believing in them. Some kind of stupidity.
GW Bush: -234,524 votes
Troll4x0r: 538 votes
Howard Dean: 864,234,234 votes
Natalie Portman: 784,245 votes
Seriously. One of the things I do for Comp Sec is change management and version management. There are VERY strict auditing standards that companies like this need to meet. In the US there is a SAS 70 auditing standard that companies need to meet in order to do things like this. Up here in Canada, we call it a Section 5900 but it's the same basic idea.
The way it works is, a company says that there are controls in place to assure people that something is or is not happening. If someone wants to test those controls, they'll call in a team of qualified IT auditors and we'll do a Section 5900.
For the 5900, the people hiring us to do the job (could be the company in question, a regulatory board, a judge, a client etc) will draft a list of risks or controls. These controls are things they want to see in place.
So, for a voting machine, the people requesting the 5900 would list controls similar to the following:
- All changes to code are authorized and approved.
- All changes are adequately tested, approved and testing is not carried out by the original developer.
- No changes are introduced to the code after testing.
- Changes are promoted and versioned by someone other than the original programmer.
- Code that is installed into the production system is the same code that was tested and approved.
... and so on.
Then the auditors will go in and verify that these controls exist, that the risks these controls are designed to cover off are adequately covered and that the controls are effective. If a company fails a SAS 70 or a 5900, they usually HAVE to fix the problems.
Also, it usually isn't that hard to get your hands on a Section 5900 or SAS 70 report. Most companies will happily give them out unless they failed them or there are other NDA issues. As a voter, you probably have rights to these reports, and even if you don't, your elected representatives definitely do.
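The five controls listed in the comment above can be expressed as mechanical checks over change records. The following is an added example, not part of the original comment and not an actual SAS 70 or Section 5900 procedure; the record fields, the people's names and the build contents are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ChangeRecord:
    """One change ticket (hypothetical schema, not from any real audit tool)."""
    change_id: str
    developer: str
    approver: Optional[str]          # who authorized the change
    tester: Optional[str]            # who ran the tests
    promoter: Optional[str]          # who versioned/promoted the build
    tested_sha256: Optional[str]     # hash of the build that passed testing
    promoted_sha256: Optional[str]   # hash of the build handed to release


def audit_change(c: ChangeRecord) -> List[str]:
    """Check one change against controls 1-4 from the list above."""
    findings: List[str] = []
    if not c.approver:
        findings.append("C1: not authorized and approved")
    if not c.tester or not c.tested_sha256:
        findings.append("C2: no test evidence")
    elif c.tester == c.developer:
        findings.append("C2: tested by original developer")
    if c.tested_sha256 and c.promoted_sha256 \
            and c.tested_sha256 != c.promoted_sha256:
        findings.append("C3: build changed after testing")
    if not c.promoter or not c.promoted_sha256:
        findings.append("C4: no promotion record")
    elif c.promoter == c.developer:
        findings.append("C4: promoted by original developer")
    return findings


def audit_installed(image: bytes, changes: List[ChangeRecord]) -> List[str]:
    """Control 5: the installed image must hash to a build whose change
    record passed controls 1-4."""
    digest = sha256_hex(image)
    clean = {c.tested_sha256 for c in changes if not audit_change(c)}
    if digest in clean:
        return []
    return ["C5: installed image matches no tested and approved build"]


# Constructed sample builds and change records.
BUILD_A = b"constructed build A"
BUILD_B = b"constructed build B"
BUILD_B_LATE = b"constructed build B plus an untested late fix"

CHANGES = [
    # Clean: separate approver, tester and promoter; hash unchanged.
    ChangeRecord("CHG-001", "alice", "carol", "bob", "dave",
                 sha256_hex(BUILD_A), sha256_hex(BUILD_A)),
    # Developer tested her own change.
    ChangeRecord("CHG-002", "alice", "carol", "alice", "dave",
                 sha256_hex(BUILD_B), sha256_hex(BUILD_B)),
    # Build modified after testing and promoted by its own developer.
    ChangeRecord("CHG-003", "erin", "carol", "bob", "erin",
                 sha256_hex(BUILD_B), sha256_hex(BUILD_B_LATE)),
    # Never approved.
    ChangeRecord("CHG-004", "erin", None, "bob", "dave",
                 sha256_hex(BUILD_B), sha256_hex(BUILD_B)),
]


def run_audit(changes: List[ChangeRecord]) -> Dict[str, List[str]]:
    """Return findings per change id; an empty list means the change passed."""
    return {c.change_id: audit_change(c) for c in changes}


if __name__ == "__main__":
    for change_id, findings in run_audit(CHANGES).items():
        print(change_id, findings or "OK")
    print("installed A:", audit_installed(BUILD_A, CHANGES) or "OK")
    print("installed B-late:", audit_installed(BUILD_B_LATE, CHANGES) or "OK")
```
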
You, like many others, misunderstand how bias in the media works. Look, you know who the author is, and you can take a pretty good guess at his political leaning. Therefore you have all the information you need to apply your own critical thinking filters to the article. If you know the author is left-wing then you are perfectly capable of filtering out the more obvious left-wing bias. If you're reading $ARTICLE in $NEWS_SOURCE by $AUTHOR you may not have this information available to you, and thus you have to take everything at face value, which in turn exposes you to more bias on the part of the author.
So I'd rather read something like this from an obviously biased source than one from a source that claims to be "unbiased"!
Okay I just checked sourceforge, and I saw one open source voting project, with no activity. Why aren't we doing something to change this? Why aren't we writing our own voting software? We can test it out in small groups, eventually use it in communities, counties, states, and finally in national elections. The country is tending toward electronic voting; IT NEEDS TO BE OPEN SOURCE.
A poster said earlier that the only reliable method of tallying votes is counting them by hand. That may be true, but look what happened last election. Wouldn't you feel safer if you could go through all the code line-by-line, and know for yourself it was secure, rather than have to trust some truck driver to not get lost with the ballots?
One huge benefit of electronic voting: we could be a true democracy. Want to decide if we should go to war? Let's all vote for it. Lower taxes? Get your vote in, Sept. 19th. Everyone voted for no taxes, and things got fucked up? We'll schedule another vote Oct. 19th to vote again, and unfuck them. Think about it: technology today is about to allow us to do something that has never before been even attempted on a large scale - rule by the people. The president could be a figurehead! Congress could exist for the purpose of suggesting laws for the American people to decide, rather than making them!
So who's the fucker who registered truedemocracy.org? Why don't you give it up so someone can put it to good use? I'm no programmer, but I'd be more than happy to give up some of my time to coordinate a project like this. Anyone who's interested, feel free to get in touch with me. Oh wait, I forgot - this is Slashdot - a lot of complaining about how things are, but no balls to fix them.
c-hack.com
The state of Maryland just asked SAIC to issue a report on Diebold touch-screen voting machines.
E C LLC
My prediction: They will issue a report that puts a seal of approval on these voting machines. It will be almost impossible to debunk their report.
This is just to shut people up. SAIC = Military.
So far, we have the Pentagon involved with Accenture/election.com
General Dynamics,
Diversified Dynamics,
Northrop Grumman
All getting involved in voting systems -- as are the Saudis and the Pentagon. Why?
Take a gander at the companies run by SAIC and below this, their board of directors
At SAIC we have over 35 companies, subsidiaries and equity partners. A partial listing is provided below.
http://www.saic.com/about/companies/
AMS
Specialists in full ship systems support: command and control systems, combat systems, communications, information warfare, main propulsion systems, hull & deck systems, auxiliary systems.
Bechtel SAIC Company, LLC
A joint venture between SAIC and Bechtel, Bechtel SAIC Company, LLC provides research, engineering and nuclear science capabilities to meet the unique challenge of science and engineering for the Yucca Mountain Project.
Data Systems & Solutions
A joint venture between Rolls-Royce and SAIC, DS&S incorporates Rolls-Royce engineering/controls expertise with SAIC's systems integration and information technology skills.
Hicks & Associates (H&AI)
Defense industry consulting.
Saudi SAI
Installation and maintenance of computer systems, telecommunications systems, and other data analysis systems in Saudi Arabia.
Members of the board:
D.P. Andrews
Corporate Executive Vice President, Federal Business, SAIC
W.A. Downing
General, US Army (Ret.)
B.R. Inman
Admiral, USN (Ret.)
H.M.J. Kraemer, Jr.
Chairman and CEO, Baxter International, Inc.
M.E. Trout
Executive Vice President, Cytyc Corporation (?? someone want to look this up?)
J.A. Welch
General, USAF (Ret.)
A.T. Young
Executive Vice President, Lockheed Martin Corp. (Ret.)
It's not open source because a private company devoted its resources to create it, and owns the copyright on it. (I'm assuming now)... It obviously needs to recoup that investment, so it keeps its code to its own.
Simple enough. I really don't know why you'd question why it's not open source.
http://slashdot.org/~tf23/journal
I have to admit from the onset that I am no fan of open source. This is for a variety of reasons. (It is probably sacrilege to state that here.)
Voting machine software is however a case where I firmly believe that open source is not only important but necessary. The ability to vote either among a certain group or among the populace as a whole goes to the heart of our democratic republic. If votes are not tallied properly, not only may mistakes be made but there is the very real possibility that the country through forged votes may be manipulated by those who have nefarious purposes in their heart.
The cryptographic community a long time ago discovered the best way to ensure the security of a cryptographic algorithm is to provide the algorithm to their colleagues. The rest of the cryptographic community then responds by trying to break the algorithm or in the least trying to discover the weaknesses. Because of this review process, the algorithms are then adjusted until they are highly secure. On the other hand, when cryptographic algorithms are kept secret, the review process is skipped and it is not uncommon for unsecure algorithms to make it on the market. When this happens it can cost lives and money.
The same can be said in the case of voting machines. If the source code is not released, security problems will likely go unnoticed until discovered by accident by someone who may or may not have the public's best interest at heart. In fact, the likelihood of it being discovered by someone who wants to manipulate the system will actually go up as they are more likely to be able to obtain the source through deception or to take the time to decompile the voting machine binaries. With the large number of voting machines that could be used around the country -- or in storage between use -- it would not be hard for someone to obtain at least the binaries for the voting machine software. And this goes to the heart of the matter which is this: Someone who wants to manipulate the system will be able to obtain the source either by bribery, theft or through decompiling the software's object code. Thus in a closed source environment, the only people who would not have the source and be able to easily discover the problems would be the good guys.
If you think about it, an election is like a high speed race. The only difference is that the voters are behind the wheel. With that in mind, I'm surprised the system allows uninformed voters to actually cast a vote without knowing about the issues and the politicians.
Before you can drive, you take driver's ed. Every election before vote time, voter's ed should be a requirement. The issues are constantly changing, as well as the politicians. If this was mandatory like a driving test (written or hands on, doesn't matter), then the people would be far better informed. Imagine the difference that could make. Imagine the turnout.
...May be to throw up such discouraging obstacles that people will simply stop voting.
Call me paranoid if you want, but it strikes me as odd that the US government is even allowing voting machine software to be closed-source. SAIC has been a virtual lap-dog for all kinds of well-shrouded government and DoD contracts for decades, most of which are heavily classified (I know this because a friend of mine used to work for them).
And Diebold is now allowing SAIC to "review" its code? Given SAIC's heavy federal connections, does this not strike anyone else as a Fox-Guarding-the-Henhouse scenario?
Don't even get me started on the possibility of back doors in voting software that would allow special interests who shelled out enough $$ to easily rig an election.
Like I said, I hope this is just my paranoid side jumping at shadows. Unfortunately, I have little proof one way or the other.
Bruce Lane, KC7GR,
Blue Feather Technologies
Fools ignore complexity; pragmatists suffer it; experts avoid it; geniuses remove it. ~A. Perlis
Palladium is mainly about preventing the user from tampering. The binary contains a signed hash from the author. If the OS can't verify the signed hash it prevents it from running, or at least prevents it from accessing protected media like the DVD drive, or your encrypted music, etc.
Nothing in Palladium was designed to help users. It doesn't even help stop email viruses as they claim, because they're almost all exploits of "properly signed" software. Even if Palladium did stop viruses, all it'd do is stop them from playing your DRMed MP3s while they wiped your drive and emailed your personal documents across the net.
The big problem with DRM to protect a voting machine is that if the software and hardware are done by the same company, there's no extra safety. You could be somewhat sure their software wasn't tampered with, except by them, but the problem here is that we don't trust "them".
Two interesting points, one which was brought up in the article and one which wasn't:
I'm a resident of Maryland, and employed by a state university. The previous administration made a mess of our finances (which were excellent up until then), and now the state is suffering budget cuts, particularly in higher education. This has resulted in hiring freezes, elimination of positions, and layoffs.
I've been voting in elections here for almost 8 years now, and I don't seem to recall us having problems like Florida's. Baltimore uses a system where you mark a paper with a special pen, and the paper is fed to a machine. It looks like a standard multiple-choice test, not confusing at all. Why is it absolutely necessary for us to be the first state to buy these shiny new toys when our financial situation is so dire? This will just bring more pressure to legalize gambling (although we already have a state lottery and Keno, so I don't see why people upset about real casinos aren't protesting those).
Second, remember that Maryland is a UCITA state. Under UCITA, isn't software required to be fit for the purpose for which it is designed? There's also something in there WRT implied warranties concerning data. It will be interesting to see whether this plays a part.
WMBC freeform/independent online radio.
For those of you who are in Northern VA: the researcher at Johns Hopkins who looked at the Diebold systems is doing a presentation on his findings at the National Science Foundation, room 110, Aug 12th at 4pm.
If you can't make it, I've drafted an intern to tape and encode it for download. It will be archived a day later at http://www.ngi-supernet.org/conferences.html
If any of you are interested please tell me so I can post it as a bittorrent instead of burning down the web server.
Just respond to the thread...thanks!
You should really call it intestinal property. You could still call it IP, though.
And I'd be a Libertarian, if they weren't all a bunch of tax-dodging professional whiners.
Berke Breathed
"On the contrary, if the source were opened, one might not be able to trust that there would be more white hat hackers than black hats for such a high-profile application"
Hacking is of little concern here. We aren't talking about Internet voting, so the only opportunity to hack would be while you are in the voting booth, with nothing but the interface that is given to you. So assume there is a touch screen or something with a limited number of options.
Making this software open source so that we can all look at the code is really just to make sure that there isn't some algorithm that drops every 3rd vote for a particular party or adds it to the wrong tally. Paper ballots are retained for auditing by third parties after the fact if there are questions about how the human tally was conducted. But computer recorded voting does not have such directly auditable methods, so we must be certain that the systems are not flawed or biased.
Voting by computer terminal might make it faster to count the votes, but it is more akin to walking up to a sheet and telling the person behind the sheet who you are voting for. You lose the physical evidence of the vote unless there is some direct physical recording made. Regardless of how you design the system, it is essentially relaying the vote without any direct physical evidence of the vote. Any subsequent recording of the vote is at least once removed from the actual person casting the vote. Unlike with paper ballots or even those horrible punch cards where the ballots are direct physical evidence of the vote.
So, that is the argument in a nutshell. If you are to be forced to trust a machine or person to record your vote accurately, then we have a right to know the procedures that they will use to record the vote.
Otherwise and unless there are many layers of accountability, both before the election and after, then let's just stick with paper ballots and optical scanners.
The only way I'll ever trust an electronic voting machine is if they provide a printout I can verify on the spot before dropping it in a box, so that it can be used for auditing purposes. Ideally, the source code should be open source. But even if it is not, providing a marked paper ballot that can be manually counted (if necessary) ought to be sufficient.
Constitutionally Correct
Absentee electronic voting.
"H.R. 1377, the Military Overseas Voter Empowerment Act of 2001 introduced by Representatives Mac Thornberry, Duke Cunningham, Sam Johnson and Helen Tauscher would be a major step in improving the process. This legislative initiative provides for the Secretary of Defense to expand an electronic voting pilot program to test the system in the 2002 general election for the implementation of the ultimate solution - Electronic Voting."
How dare you presume to tell me that I am not allowed to supervise the process by which my elected representative will speak in my name?
Get your head out of your arsehole. It's because of idiots like you that your country's in the mess it's in.
Je fume. Tu fumes. Nous fûmes!
Prevention alone can never be an adequate security measure.
This is a very simple principle that any person should be able to understand, if they only have the moral courage to accept it. This would greatly clarify situations like this one, because people would be asking the right questions.
I'm not saying that prevention is not useful, just that a wise assumption has to be that any preventive measures we take and and probably will be. These systems are not crackable because their preventive measures were bad although they may have been bad. They are crackable because any system is crackable. What I am afraid of is that an evaluation of these machines only will look at how robust the protective measures they provide are. While it is a good idea to get an independent review of these measures, it is a bad idea to put much credence in them. The fact is that even the brightest and most professional person in the world is not going to be able to anticipate all the ideas in the world.
Security has to consist of a number of independent goals, including:
We need to ask what any system provides in each of these areas in order to assess security.
For example, if I put Grandma's diamond ring in a safe deposit box in the bank, the thick vault walls and doors do provide prevention. However without alarms (detection) and police (response), those walls wouldn't stand much of a chance to a determined attacker. Detection and response capabilities are in themselves the single most powerful preventive measure -- much more so than the vault design itself.
On top of that, if I am wise, I take out an insurance policy on the trinket (damage mitigation).
Looked at this way, how would we evaluate a voting system?
Looked at this way, the manual paper ballot would be an almost miraculously robust system if it were a piece of software. It is capable of accurately counting the voter's intent, while completely anonymizing the voter's choices. Prevention is accomplished by physical control of access to the ballot box, and by chain of custody of the ballots to the counting place. The greatest opportunity for manipulation comes up in tallying the results.
However it is possible to detect and mitigate such manipulation by recounts. Of course we want to avoid situations where recounting is necessary, but the recounting process itself is not to blame. Electronic methods of vote recording eliminate recounting at the expense of making it impossible to establish independently whether fraud took place.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
It doesn't automatically eliminate fraud, but at very least, I should be given a receipt of my transaction (vote), and a printer ought to be making an archival copy at the same time for recounts.
Imagine if your bank instituted a no-paper-record policy.
What were you expecting?
Whoever wants assurance that the systems are working. An interest group of voters could hire the auditors if they wanted to. I've worked for government, banks, insurers, shareholders, the companies themselves... anyone with a stake in the process.
That doesn't mean that the company making the software would let them come in and audit - but these are a fairly big deal and it would be VERY strange if someone with an interest was willing to pay for an audit and the company in question was unwilling to let the audit go forward.
But auditors qualified to do 70/5900s are not something there are tonnes of. The big 4 Accounting firms maintain them, and some smaller shops. But this is all tied into accounting and business management standards.
And as much as people point to Enron/Andersen and say you can't trust the big four - it's just not true. One falsified SAS 70 or Section 5900 report and a whole multi-billion dollar company with 10s of thousands of employees can unravel. There is checking, double checking and very rigid standards of audit evidence that are required for these things.
Every piece of work I do gets checked by at least three other people.