E-Voting Firms Recognize That Open Source Software Exists... But Seem Confused About What It Means

from the not-too-surprising dept

We've never quite understood why e-voting software shouldn't be required to be public information. For the sake of actually allowing an open and transparent voting system, it's hard to understand how any governing body would allow proprietary software to be used. There's simply no way you can prove that the system is fair and transparent if the counting mechanism is totally hidden away. For years, the big e-voting firms have simply shrugged this off, but it looks like they're at least open to discussing it. A trade group representing the big e-voting firms has put out a whitepaper discussing open source voting systems, where all they really do is show that they don't actually understand much about open source technologies.

First, they claim that, even though they understand that "security through obscurity" isn't effective, "there remains some underlying truths to the idea that software does maintain a level of security through the lack of available public knowledge of the inner workings of a software program." Computer Science professor Dan Wallach does a nice job responding to that claim:
Really? No. Disclosing the source code only results in a complete forfeiture of the software's security if there was never any security there in the first place. If the product is well-engineered, then disclosing the software will cause no additional security problems. If the product is poorly-engineered, then the lack of disclosure only serves the purpose of delaying the inevitable.

What we learned from the California Top-to-Bottom Review and the Ohio EVEREST study was that, indeed, these systems are unquestionably and unconscionably insecure. The authors of those reports (including yours truly) read the source code, which certainly made it easier to identify just how bad these systems were, but it's fallacious to assume that a prospective attacker, lacking the source code and even lacking our reports, is somehow any less able to identify and exploit the flaws. The wide diversity of security flaws exploited on a regular basis in Microsoft Windows completely undercuts the ETC paper's argument. The bad guys who build these attacks have no access to Windows's source code, but they don't need it. With common debugging tools (as well as customized attacking tools), they can tease apart the operation of the compiled, executable binary applications and engineer all sorts of malware.

Voting systems, in this regard, are just like Microsoft Windows. We have to assume, since voting machines are widely dispersed around the country, that attackers will have the opportunity to tear them apart and extract the machine code. Therefore, it's fair to argue that source disclosure, or the lack thereof, has no meaningful impact on the operational security of our electronic voting machines. They're broken. They need to be repaired.
The next oddity, is the claim that if a problem is found in open source software, then it won't get fixed as quickly, because you have to wait for "the community" to fix it. That completely mistakes how open source software works. Again, Wallach points out how silly that is, noting that plenty of commercially-focused companies run open source projects, including maintaining and contributing code to the project. If these companies were to open source their code, there's nothing stopping them from continuing to improve the security of the code. There's no need to wait around... The paper has other problems as well, which Wallach discusses at the link above. To be honest, though, it's quite telling that these firms don't even seem to understand some of the basics of how open source software works.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: e-voting, open source


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Tor, 21 Apr 2009 @ 2:29am

    Let me quote security expert Bruce Schneier:

    "If I take a letter, lock it in a safe, hide the safe somewhere in New York, and then tell you to read the letter, that's not security. That's obscurity. On the other hand, if I take a letter and lock it in a safe, and then give you the safe along with the design specifications of the safe and a hundred identical safes with their combinations so that you and the world's best safecrackers can study the locking mechanism--and you still can't open the safe and read the letter, that's security. "

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 21 Apr 2009 @ 4:12am

    Wait for the community? Come on, we all know that the community is much faster than the 2 guys you have on staff. We already know that the machines aren't secure, and no one has fixed them. So we are already waiting.

    If voting machines went open source, that software is solidly secure in no time. You have techies in all parties and all of them want to make sure no one else gets anything.

    I don't know why governments don't require open source for everything that is ultimately needed for the public.

    link to this | view in thread ]

  3. identicon
    fogbugzed, 21 Apr 2009 @ 6:02am

    Available for public scrutiny != FOSS

    Voting machine systems should be required to publish their code even if they don't want to put it under a GNU or other FOSS-type license.

    The source code can be made available for public scrutiny without it being GNU or other open source software. There is nothing that prevents a company from publishing their code under traditional copyright. This would allow them to retain their rights to the code and still demonstrate the integrity of their software. If another company used their code in competing voting machines, then that would become apparent very quickly when the copying company published their source code.

    The one essential element in a requirement to publish would be that public entities would be allowed to (in fact they should be required to) compile the published source using an open source compiler and load it onto the machines.

    link to this | view in thread ]

  4. identicon
    Sean Henry, 21 Apr 2009 @ 9:02am

    Re:

    I wish more places and companies used open source software. As a Student Government Senator at Northern Kentucky University I'm pushing to have OpenOffice installed on the school computers and want to get the schools programing department to participate in the creation of open source software.

    link to this | view in thread ]

  5. identicon
    Richard Salzman, 21 Apr 2009 @ 9:39am

    Open Source Software

    We successfully used open source software (Ballot Browser) here in California for an pilot program to verify election results, which as it turned out, were NOT accurate when first counted by Diebold's black box system.
    You can read about it here : http://humtp.com/
    and here: wwwTEVSystems.com

    link to this | view in thread ]

  6. identicon
    Gene Cavanaugh, 21 Apr 2009 @ 9:46am

    e-voting

    Well written and very appropriate! Congratulations!
    As to the comment: "The next oddity, is the claim that if a problem is found in open source software, then it won't get fixed as quickly, because you have to wait for "the community" to fix it." What I am reading is they are really saying "if it were open source software, people would see the defects, and we would have to fix them".

    link to this | view in thread ]

  7. identicon
    midofo, 21 Apr 2009 @ 6:58pm

    OSS is used for e-voting

    OSS is currently used in the Australian state of the ACT for e-voting and has been since at least 2001.

    http://www.elections.act.gov.au/elections/electronicvoting.html

    link to this | view in thread ]

  8. identicon
    John Washburn, 22 Apr 2009 @ 7:02am

    Re: Available for public scrutiny != FOSS

    At this point there would be a takings isssue: Amendment 5 prevents the taking of private property for Public Purposes. Either govenment has to pay for the source code or it has to stay private property.

    But, the sad thing is the Election Assistance Commission (EAC) HAD the chance last year to prevent this dilemma.

    When the the EAC created the Certification and Testing Program, the refuse to incorporate into this new process the requirement that certification under the EAC requires source code disclosure.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.