U.S. Voting Software Hashes Made Public

fibonacci2000 writes "From the NIST website: 'This effort is a first step in being able to trace software from the vendor through the accreditation process to the states and other purchasers of voting systems. Now election authorities have a reference database to compare with the digital signatures of software provided to them by vendors.'"

What about the paper?

[FifthRaven]

As a general computer geek, I don't trust anything that dosen't have a paper trail. You can kill a computer hardrive and do funky things to code in such a mallicous fashion as to say or do anything you want. If there isn't a carbon trail, it isn't secure.

Re:What about the paper?

[NEOtaku17]

"As a general computer geek, I don't trust anything that dosen't have a paper trail. You can kill a computer hardrive and do funky things to code in such a mallicous fashion as to say or do anything you want. If there isn't a carbon trail, it isn't secure."

Yeah if it was done with a paper trail people couldn't forge votes receipts or vote for dead people or....oh wait.

This is meaningless.

[schmaltz]

If I compute the hash an already vulnerable voting machine program, or its server component, what does it matter? It was ready to tamper with when it left Diebold, and with the same hash it'll still be vulnerable.

This is a red herring. The voting software's already open to tampering, so a hash is meaningless.

they didn't have this already?

[j0nb0y]

wtf? You would think that security would be a foremost concern for a voting machine, but diebold has shown from the beginning that security is an afterthought for them. Cryptographic hashes of the software should have been available *from the very beginning*. Even *Microsoft* signs their code nowadays. But for Diebold, the cryptographic hashes, that are standard in most of the software industry, are an afterthought. Here's the hashes a week before the election! See, aren't we secure? What a joke...

Diebold's executives should go to jail for pulling this scam on the government. Those in the government who went along for the ride should be severely punished.

We have enough vote fraud in this country *without* Diebold. The last thing we need are unverifiable voting machines.

a nice gesture, but only a gesture

[timothy]

This does one necessary thing, which is provide a way to prove (near enough) that the software being used is the software that the voting software company provided, that no one hijacked the delivery truck carrying the voting machine and swapped in one favorable to candidate X. (Or W, or K.)

What it specifically does *not* do is do anything to prove the actual security, accuracy of the included software when running as intended, or that it can't be used *other* than as intended, in a 99-extra-lives "cheat mode." While incrementing by one a pretty small number of piles several thousand times doesn't sound like a computationally tough job, Bev Harris and others have shown the numerous and substantial flaws that current systems have; I'm aware of only one state (Nevada) that will be requiring a paper trail for its electronic voting machines in case of a dispute over the electronic returns.

Hashes? Great! Put them on the outside of the envelope containing every scrap of the sourcecode in machine-readable form, along with documentation that you have completed the publically available test suite, please, and take a seat in the lobby. The taxpayers will get around to you in your turn.*

timothy

*Oh, if it were that simple ;)