E-Voting Company Reveals Their Source Code
Kodi writes "VoteHere has decided to release their source code so that other people will have confidence in it (MSNBC, press release.) It's definitely NOT open source (unlike OVC) but it's still a step in the right direction."
VoteHere has revealed _some_ source code, which may or may not be what is used in their machines. Unless the machines are produced in a truly open fashion, the fact that they have made some code available for viewing means very little.
Exposing the source code for e-voting (and electronic voting systems) is good. But just as important are the methods and procedures that a company uses around the software. Without knowing how they handle data, what protections and precautions they take, what operational or administrative technical policies are in place, I don't think we can judge much about a system from the source code. But we can, of course, find flaws in the code itself.
This is totally just a ploy at PR.
I mean here's the thinking.
"Hey! We can appease the OS folks by making the code visible to them! And then the media, they'll be like 'Woah! No one would EVER release insecure code if they didn't think it was secure!'"
Yay... This is a joke.
Fundamentalism stops a thinking mind.
Also, who's to say that this is the source code that will be compiled on the voting terminals?
These are the same arguments for anything you don't compile yourself. Who is really to say that Red Hat RPMs don't have a patch that opens them up? Because they don't show it in the source RPM? Because they're not Microsoft? Sometimes you have to have a little trust.
It may be true that they want people to submit bug reports or other things they see wrong and they will closely look over and patch with their own patch.
[tin_foil_hat]
But with it being e-voting and used for US politics, I wouldn't be too surprised if some gov. agency makes them have a back door.
[/tin_foil_hat]
Paranoia can't be taken too far regarding voting, at least not conceptually. In practice, you can only spend so much time and effort on proving that votes haven't been tampered with, but if you combine electronic voting machines with the results of 50 years of research in computer security, then software should be able to do most of the grunt work, and it may be possible to have MUCH stronger proof that no tampering took place than is available with paper, without requiring very much recurring human time/effort.
Ah-ha, trust the compiler do you? No amount of source-level verification or scrutiny will protect you from using untrusted code.
Also, who's to say that this is the source code that will be compiled on the voting terminals?
Precisely.
And how many voters or voting officials will be able to verify the digital signature of the binary that the voting machines run (which would potentially thwart trojan replacement of compiled code with different binaries)?
Or, to verify the voting machine hardware itself does not contain any backdoors?
Yes, that's right. The same number of informed caring intelligent voters and educated informed voting officials you saw participating in previous elections. (To be fair there are many intelligent caring voters and officials - it's just that intelligence and caring don't guarantee successful secure electronic voting measures.)
With all the potential avenues for compromise and the levels of expertise, scrutiny and trust required for proper implementation, there's good reason some of the best computer scientists in the country think electronic voting is not a good idea.
At least I'll credit this company for taking one step forward in a mile long journey. I just hope decision-makers get the hint about vulnerabilities and realize how far we have to go.
"Provided by the management for your protection."
If you aren't sure, you aren't thinking things through.
You can't trust it. You *might* be able to trust a system of which it was a component. One program doesn't make a secure voting system, though it can make an insecure one.
I think we've pushed this "anyone can grow up to be president" thing too far.
This is just like what Phil Zimmerman, then NAI, and then PGP Corporation did with Pretty Good Privacy. They'd publish their source code for peer audit, but you definitely weren't allowed to do anything with it besides audit the source and compare the resultant binaries. It was NOT open source.
I don't have any problems with that, or with the election software not being open source.
VoteHere, a company that makes software to implement a particular voting cryptographic scheme, is the second outfit to release their source (the first was OVC).
http://www.votehere.com/news/archive04/040604.h
Until I know more details I won't pass judgement other than to say this underscores the point that making source code open does not diminish the rights of the company to its ownership and copyright of the code. It does allow bugs to be found and fixed. And expert independent testimony to its safety may result and thereby build public confidence. Thus this is all good.
I don't know what exactly was released. My understanding in the past was that VoteHere was not actually a voting machine maker but a seller of a patented system for validating encrypted votes. Sequoia Systems had in the past discussed the possibility of letting buyers purchase this for use on their machines, though I have not heard of any machines actually deployed with this.
More specifically, the VOTE HERE system still requires the machines to be error free. Recounts are not possible in the event of an error. The votehere system only eliminates certain kinds of fraud but not all and does nothing about errors, the discovery of errors, and recounting after errors. Additionally, since machines using this system will for practical purposes look the same as machines with tampered software: how do you know what is going on inside as a voter?
I have read the VoteHere white papers on the mathematics of their algorithm. Two things are apparent: 1) It's so complex--and I am trained in advanced mathematics--it's not perfectly clear that all the loopholes are plugged. 2) Even if it works as claimed, to the voter it's still a magic black box that offers no visual evidence of the vote. Thus on both counts voting confidence is not available.
Look at their logo--it's a bunch of math symbols. To most folks that is more of a put-off than a confidence builder. Clearly they think they have a technical solution but don't appreciate the sociology issues.
It appears to mainly move where fraud and errors can occur from the polling place to the programming place and to the people who hold the encryption keys. It's not clear what happens if the keys are accidentally leaked.
Still, clearly votehere sees it in their interest to get the issue of open source on the table and that is a great sign. Kudos for them even if it is partly a business decision.
Some drink at the fountain of knowledge. Others just gargle.
Look, these guys are trying to do the right thing to inspire trust and confidence in the integrity of their software. What they are doing is entirely reasonable and proper. Just because they want to make real money from their code doesn't mean they are evil. Just because you think that everyone should release everything under the GPL, doesn't mean that they should be forced to accept your values. The release license is the choice of the author; never forget that.
The purpose behind this exercise is to promote trust in the integrity of the electronic voting process, not to release Open Source voting software.
You should commend these guys, not snarl at them.
"Man is nothing without the works of man" -- Helvetius
- Release the makefiles along with all the details of how the release executables were built (exact details of the build platform, compiler flags, etc) -- basically all the details you need to produce an identical executable.
- Calculate the MD-5 and SHA-1 hashes of the test version you built yourself. EG:
- Have independent auditors perform this process on a random sample of deployed machines.
- diff the checksum file for the machine being tested against the one for your reference build.
If all the hashes match, you're assured that the executables on that machine have not been tampered with.
Same reason any made-in-the-USA software containing strong crypto has a similar warning -- US law prohibits the distribution of strong crypto software to "bad" countries.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
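The build-verification procedure a commenter proposes above (hash a reproducible reference build, hash the files on a sampled deployed machine, diff the two checksum files) as an added Python example; this is not VoteHere's code or the commenter's, and the file tree, the altered binary and the extra file are constructed test data. It computes MD5 and SHA-1 as proposed and also SHA-256, the digest a practitioner would rely on today since MD5 and SHA-1 are collision-prone.

```python
import hashlib
import os
import tempfile

# MD5 and SHA-1 as the post proposes; SHA-256 added as the digest to rely on.
ALGORITHMS = ("md5", "sha1", "sha256")

def hash_file(path):
    """Return {algorithm: hexdigest} for one file, read in 64 KiB chunks."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def build_manifest(root):
    """Walk an install tree; return {relative path: digests} (a checksum file)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest

def diff_manifests(reference, deployed):
    """The 'diff the checksum file' step. A clean machine yields three empty
    lists: modified (digests differ), missing (only in the reference build),
    unexpected (only on the machine, e.g. a planted library)."""
    modified = sorted(p for p in reference if p in deployed and reference[p] != deployed[p])
    missing = sorted(p for p in reference if p not in deployed)
    unexpected = sorted(p for p in deployed if p not in reference)
    return modified, missing, unexpected

def write_tree(root, files):
    for rel, data in files.items():  # files: relative path -> bytes
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

def demo():
    """Constructed sample: a reference build and a deployed copy whose binary
    differs and which carries an extra file. Returns (reference manifest, diff)."""
    files = {"bin/vote": b"\x7fELF reference build", "etc/ballot.cfg": b"abc"}
    ref, dep = tempfile.mkdtemp(), tempfile.mkdtemp()
    write_tree(ref, files)
    write_tree(dep, {**files, "bin/vote": b"\x7fELF other build", "lib/extra.so": b"?"})
    reference = build_manifest(ref)
    return (reference,) + diff_manifests(reference, build_manifest(dep))
```

Run `demo()` to get the reference manifest followed by the modified, missing and unexpected path lists; only an all-empty diff means the sampled machine matches the reference build.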
I won't be satisfied until voting machines are subjected to the same safety criteria as automotive or aerospace software (e.g. FAA's DO178B). This means clear requirements, traceability from requirements to implementation, formal verification by third parties, and an audit trail. Infrastructure already exists for this purpose - the FAA could take this on with little difficulty.
I thought our government was a bureaucracy - why didn't they think of this first?
I guess some people will bitch no matter what.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
No it's not a "step in the right direction" and you're not helping to fix things by claiming that it is.
Having a copy of some source code is not a "step in the right direction" if you can't understand it. Most people can't read source code.
Having a copy of some source code is not a "step in the right direction" if you can't have complete confidence it's implemented correctly. If it's at all complex, there's a good chance there are bugs in it. If the manufacturer ever admits they've fixed a bug in it, then they are admitting even their engineers who designed it didn't understand it enough to spot all the bugs. Will Joe Voter spend as much time reviewing the code? (If they never admit to a bug in it, then they are in denial.)
Having a copy of some source code is not a "step in the right direction" if you can't be sure the source you have is the same one used to compile the binary running on the machine you're casting your vote on.
Having a copy of some source code is not a "step in the right direction" if you can't be sure the compiler wasn't trojaned. Or the hardware itself.
Unless you have evidence of a ballot cast, the best you can claim is hearsay testimony of a ballot cast. Are you willing to accept that as a basis of your next government?
The thing about things we don't know is we often don't know we don't know them.