Slashdot Mirror

← Back to Stories (view on slashdot.org)

Maryland Plans Code Review for Voting Software

Posted by ryuzaki0 on from the refactoring dept.

asmithmd1 writes "We already knew Diebold software is insecure, now the Baltimore Sun is reporting that the Governor of Maryland has asked SAIC to review the software in Diebold voting machines. Diebold has graciously allowed SAIC access to their proprietary code. Why isn't this code open source by law?" In a related story, a trade show for closed-source electronic voting systems is doing their best to keep critics out. Update: 08/07 15:23 GMT by M : Diebold's website security is less than outstanding.

24 of 307 comments (clear)

  1. the problem is... by borgdows · · Score: 5, Insightful

    even if the code is opensource, how can you be sure the voting machine executable has been compiled from the genuine source code ?

    1. Re:the problem is... by cybermace5 · · Score: 4, Funny

      Heh, guess we could teach all voters to type "./configure; make; make clean"

      --
      ...
    2. Re:the problem is... by digitalunity · · Score: 4, Insightful

      I won't trust digital voting. A lot of people won't. I seriously hope someone hacks it in November next year to such an extreme amount that the politicians see the error in their stupidity. This won't work. I hope the results are wacked out like this one

      --
      You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
    3. Re:the problem is... by maxume · · Score: 5, Informative

      Of course, Ken Thompson has said some very interesting things about trusting code and compilers. The only way to really trust the code would be to hand code/compile/enter your own compiler in asm, and use this to bootstrap a more powerful compiler etc, until you were able to compile the code that you had reviewed and elected to trust. If you don't do it all yourself, you really can't be sure how trustworthy a binary is, your compiler might have done some dirty business behind your back.

      --
      Nerd rage is the funniest rage.
    4. Re:the problem is... by ajs318 · · Score: 4, Insightful
      I agree with the original person. I can't state it loud enough that THE INTEGRITY OF ELECTION RESULTS IS A FAR GREATER CONCERN THAN ANY CORPORATION'S RIGHT TO SECRECY! The mechanism by which our leaders are chosen must be absolutely open to public scrutiny and any government that does not believe this so, deserves to be overthrown.
      even if the code is opensource, how can you be sure the voting machine executable has been compiled from the genuine source code ?
      I've looked at this one before and it is a problem, because the C compiler may be rigged so that when you try to compile it from source, then it modifies itself subtly so as to insert various backdoors; in other words, the code you get from the compiler does not match up against the source you compiled. Then, it does not matter how "clean" any of the source code is; because the compiler might modify the code during compilation. Even if you run the original, clean compiler source through it, chances are that the compiler could spot this and mung it, giving you a "dirty" compiler.

      Throughout the following, I'm assuming you - or someone you trust - can spot malicious C code just by looking at it, and can write assembler code you know is safe. You don't have to be able to look at someone else's C-generated assembler and know whether it's safe.

      You first need to write a simple C interpreter in assembler. Note, it only has to interpret; it doesn't have to compile. As long as the assembler instructions it generates do the same thing as the C source code you feed it - even if much more slowly than a compiled version - then it is good enough for the time being. It can even waste as much memory as you can spare. The most important thing is that you know the temporary interpreter is safe. Then you take the source code for the compiler you want to compile - you know this is safe, but the pre-compiled binary might not be safe - and run it through the interpreter. Now the output from the interpreted compiler is actually a compiled compiler, and it's safe. You haven't run the "dirty" compiler binary, which might have modified the compiler.

      Now you have a compiler which you know for certain isn't going to produce binaries which don't do what the source said. And that's the first step to trustworthy computing. Maybe get someone we all trust to sign the code by encrypting it with their secret key {so when you decrypt with their public key you recover the original; recall that P(S(x)) = S(P(x)) = x}. Problem is, you can't trust anyone with election results, because the stakes are so high.


      On the other hand, why bother with voting machines at all? In this country, we count votes by hand. It may not be high-tech, but it works and it's harder to subvert. Hand-counting of small batches of papers {which are kept, in case of dispute, until the next election is out of the way} is not significantly slower than machine counting. Anyway, what's a few hours here or there when a term of office can last for four or five years? To throw an election, you would need to bribe several people, not all of whom are politicians. The ballot paper {taken at random from a book of identical ones and by a different person than the one who sees your voter ID - the only communication between them is a slight nod} is the only record of the vote, and the voter has already had the opportunity to verify it before depositing it.

      For how often elections are held, it probably is less work to keep on doing all this stuff by hand than it is to put the safeguards in place that would make machine voting trustworthy.
      --
      Je fume. Tu fumes. Nous fûmes!
    5. Re:the problem is... by Jeremi · · Score: 4, Insightful

      Who cares about the code? If the machines generated a voter-verified paper trail, you could check the results for accuracy. Since they don't, you can never be sure that the results were correct, no matter how carefully the source was scrutinized.

      --


      I don't care if it's 90,000 hectares. That lake was not my doing.
  2. I know what I am doing next election by chrisgeleven · · Score: 5, Insightful

    Voting via absentee ballot. At least there is a greater chance of my vote not being screwed up or changed.

    Anyone who thinks these voting computers are going to be flawless and secure by Nov. 2004 is greatly mistaken.

  3. Not open source because... by JohnGrahamCumming · · Score: 4, Insightful
    Why isn't this open source by law?

    Well because the US is a capitalist country and because currently most people seem to believe that the best way to make money in software is by keeping the code proprietary and because US government favors money-making corporations.

    I agree that if it were open source it would be far more likely the security problems would be discovered quickly.

    So how about creating an open source alternative... anyone ready to register an OpenVote system on SourceForge?

    John.

  4. It makes sense by Doesn't_Comment_Code · · Score: 4, Insightful

    It makes sense that they don't want their code to be open source, because then ALL the bugs will be found. When open source code is developed normally, people notice bugs/security holes a few at a time and fix them. But when software has been closed source for a long time, it's bound to have tons of bugs and holes. Opening the code up to public scrutiny would unveil A LOT of problems. And that's just not good for PR... especially in voting.

    My guess is they just want someone to look through the code, maybe suggest a couple quick fixes, and then give the OK, so they can reassure the public. They don't really want to get to EVERY hole in the code. They probably just want show that they get numbers close enough that we should keep using/buying their stuff.

    --

    Slashdot Syndrome: the sudden, extreme urge to correct someone in order to validate one's self.
  5. I don't care about the code... by JayBlalock · · Score: 5, Insightful

    But for the love of god and all that is holy, WHY are they fighting so hard against paper records? It makes no sense. (unless you are conspiracy-minded) Seriously. I just can't come up with any decent reason that Diebold et al would be so strongly against hooking a printer up to the system to produce a physical record. Much less why our elected officials would buy into such an idea.

    --
    Bush: He's Liberal in all the wrong ways.
    1. Re:I don't care about the code... by Obsequious · · Score: 4, Informative

      It's quite simple: because it adds cost.

      Just list the components: a printer; ink cartridges; paper. Note that the last two are consumables, and ink cartridges are even perishable, in a way. (If you let them sit around too long, they get dried out -- or at least non-laser cartridges do.)

      Envision, then, what it would take to run an election, remembering that these happen maybe once a year at best. You have, say, 10 machines per polling station. On the days leading to the election, each machine must be installed, powered up, and tested. Then, you have to connect the printer, test the printer, and change any cartridges that might have dried out in the meantime.

      During the election, you have to keep the printers fed with paper. The ink might run out on a system halfway through. The printer might jam. Because of this you have to keep spares on hand, from the ink to the paper to the print mechanisms themselves. You only get one shot at election day, after all.

      Meanwhile, of course, the polling workers have to be trained and prepared to deal with all this.

      In other words, it's a rather significant amount of cost and effort to add printing support to such a system. Even if you don't use standard printers but some other technology, you still have similar problems: e.g. a cash-register-style printer (which is all you'd need) might still jam, and needs to have its paper changed, etc.

      So, that's why the manufacturers (and probably even municipalities) are opposed to paper. I don't agree with them -- I believe there SHOULD be paper verification.

      I see their position, but it would be nice if they were thinking of something other than the almighty buck.

  6. If you want it open... by TWX · · Score: 5, Insightful

    you need to build it. They're not interested in building it open source apparently. Remember, Diebold makes ATM machines and other commercial products, and they have stiff competition. By the design of their business plan their software won't be open.

    So, if you want to see an open source implementation of voting software, something that you can argue is perfect and be able to show the world such, you need to make it. Diebold and their competitors won't.

    If you can build the software to make a secure voting system, someone else can design the hardware once the software is ready. That seems to be what people are missing here. Design the system right and the hardware will be built to work. Design the hardware first, and the system will be dependent on whatever wacky design is chosen.

    --
    Do not look into laser with remaining eye.
  7. Re:because by garcia · · Score: 4, Interesting

    but how many of "us" will realize the necessity of that? People are SO used to MS as being the only thing out there for computers and not knowing that there is such a thing as "open source" and that "trade secrets" aren't the most important thing when it comes to security.

    Who's to say that just because we see the source code that they actually use that code when they compile it?

    Who's to say that there isn't some hardware interface to mess with the votes?

    The list goes on.

    Basically what it comes down to is that the ignorance of the general public (and the fact that only a minority even care enough to vote as it is) is what is going to lead to the downfall of our voting systems.

  8. BSOD by Anonymous Coward · · Score: 5, Funny

    your vote has caused a fatal exception in kernel32.dll - try picking another option

  9. And in a surprise landslide... by packethead · · Score: 4, Funny

    Independant hopefull Kevin Mitnick was elected President of the 2004 elections.

    --
    .sig
  10. Open Source doesn't solve this problem! by xphase · · Score: 5, Insightful

    "Why isn't this code open source by law?"

    This wouldn't fix the problem of faulty(by design) hardware, lack of audit trails, and no trust in the delivery method.

    Sure with open source we can see the code, but that doesn't help if it is compiled by a compiler that you can't see the code for, run on microchips that you can't see the code for, and administered by people you can't trust.

    The ``but it should be open source'' comment that gets thrown around in every single story about electronic voting does not take into account everything that happens to the code _AFTER_ we would be able to see it.

    Anyway,
    here is a link to a page on Electronic Voting:
    Dr. Mercuri's Page on Electronic Voting

    --xPhase

    --
    The following sentence is TRUE. The previous sentence is FALSE.
  11. Paper vs paperless by Ioldanach · · Score: 4, Insightful

    It is still possible to have a valid election, even with a closed source voting system. The key is to have the voting machine spit out a piece of paper where the voter can see the votes written down and then confirm them. It doesn't even have to be a paper the voter handles, it could be behind glass so the voter merely can see that what they voted for is on the paper. Then, in the case of a contested election, the checks can be made against paper as well as the bits. In a case where the ballots don't match, paper overrules the bits.

    Granted, I think an open source system is the only sensible way to go, and the people writing them should be protected by copyright and patents, not secrecy. After all, if they're all required to be open, its going to be awfully hard to hide the source code you stole.

  12. Re:Electronic Voting by TWX · · Score: 5, Funny

    "If electronic voting becomes the norm (likely), I just won't vote."

    The odds are already heavily against your voting currently anyway, so I don't see how this will matter much.

    At least we don't use the "Telelection" methodology a'la Max Headroom...

    --
    Do not look into laser with remaining eye.
  13. Diebold's own network isn't secure! by phillymjs · · Score: 4, Informative

    According to this story Wired is running today, Diebold got 0wn3d back in March. They were given a nearly 2GB archive of the stuff that was found by a person claiming to be the hacker who got in.

    If a company can't properly secure its own network, how can we possibly trust them to create a secure voting system?

    ~Philly

  14. Re:Electronic Voting by vudujava · · Score: 4, Funny
    It doesn't matter, the code will vote for you.

    --

    Word Axis

  15. Re:Open Source != Secure by WindBourne · · Score: 5, Insightful

    Security through Obscurity is not Inherently Evil.
    In this case, it is.
    With normal elections, the abilty to tamper with the results are minimal. The reason is that the votes do not end up in one place. In addition, you have several different parties counting at all times (typically Dems and Republicans). With this approach, it offers a single point of entry. It is possible for the votes to be rigged here either directly or indirectly. Somebody could offer 10 to 100 million dollars to the coder or even CEO within the company (keep in mind that some elections are spending a great deal more money to win them these days; apparently it pays off). Or since it may have a unknown opening, only the bad guys would know. Only the problem is that the bad guys would be a party member.
    BTW, the orginal bribe may be to simply forget about an opening, rather than the introduction of one. Then the party would simply introduce something to manipulate it nationaly. At that point, they would manipulate close elections. Totally undectable.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  16. Results for 2004 Marlyand elections by Lord_Slepnir · · Score: 4, Funny
    They're showing off the source code for a voting system, so you know that some people will find security holes in them (and not tell anyone). Here's what I predict the presidental election will yeild:

    GW Bush: -234,524 votes
    Troll4x0r: 538 votes
    Howard Dean: 864,234,234 votes
    Natalie Portman: 784,245 votes

  17. That's my job by Inexile2002 · · Score: 5, Informative

    Seriously. One of the things I do for Comp Sec is change management and version management. There are VERY strict auditing standards that companies like this need to meet. In the US there is a SAS 70 auditing standard that companies need to meet in order to do things like this. Up here in Canada, we call it a Section 5900 but its the same basic idea.

    The way it works is, a company says that there are controls in place to assure people that something is or is not happening. If someone wants to test those controls, they'll call in a team of qualified IT auditors and we'll do a Section 5900.

    For the 5900, the people hiring us to do the job (could be the company in question, a regulatory board, a judge, a client etc) will draft a list of risks or controls. These controls are things they want to see in place.

    So, for a voting machine, the people requesting the 5900 would list controls similar to the following:
    -All changes to code are authorized and approved.
    -All changes are adequately tested, approved and testing is not carried out by the original developer.
    -No changes are introduced to the code after testing.
    -Changes are promoted and versioned by someone other than the original programmer.
    -Code that is installed into the production system is the same code that was tested and approved.

    ... and so on.

    Then the auditors will go in and verify that these controls exist, that the risks these controls are designed to cover off are adequately covered and that the controls are effective. If a company fails a SAS 70 or a 5900, they usually HAVE to fix the problems.

    Also, it usually isn't that hard to get your hands on a Section 5900 or SAS 70 report. Most companies will happy give them out unless they failed them or there are other NDA issues. As a voter, you probably have rights to these reports, and even if you don't, your elected representatives definitely do.

  18. Bad idea. by ShadeARG · · Score: 5, Interesting
    Why can't I buy people's votes? If I have a vote that I don't want, and someone wants a vote, they should be allowed to buy mine.
    Because that would make the system worse than it already is. The percentage of people that do not vote is astounding, and you can be sure those votes would be sold. It's bad enough that people vote just because they think a certain candidate is a good speaker or they are a member of their political party. If votes could be bought then the political giants with the most cash would win every time. This is exactly how government positions should never be filled.

    If you think about it, an election is like a high speed race. The only difference is that the voters are behind the wheel. With that in mind, I'm surprised the system allows uninformed voters to actually cast a vote without knowing about the issues and the politicians.

    Before you can drive, you take driver's ed. Every election before vote time, there voter's ed should be a requirement. The issues are constantly changing, as well as the politicians. If this was manditory like a driving test (written or hands on, doesn't matter), then the people would be far better informed. Imagine the difference that could make. Imagine the turnout.