E-Voting Company Reveals Their Source Code

Kodi writes "VoteHere has decided to release their source code so that other people will have confidence in it (MSNBC, press release.) It's definitely NOT open source (unlike OVC) but it's still a step in the right direction."

First Glance

[monstroyer]

1) Pain in the ass. Asks me to submit my Full Name, Organization, and email. Along with an Opt-Out in check mark for a newsletters and licence agrement.

2) You may not download this Software if you are located in any country (or are a national of a country) subject to a general U.S. or U.N. embargo or are deemed to be a terrorist country (i.e., Cuba,Iran, Iraq, Libya, North Korea, Sudan and Syria). Ouch! Why the patriotic license clause?

3) A quick glance at the source code seems to indicate that it's cygwin dependent C++. Not really the best platform to open your source code on since the windows world encourages closed development.

Also, who's to say that this is the source code that will be compiled on the voting terminals? What prevents any e-voting company to build binaries that have "secret conspiracy back doors" in them? Are voting polls expected to compile their own code? And if so, why chose windows when there is no built in compiler available by default on that platform?

Re:First Glance

[alecks]

Are you saying that You read the article, registered to download source code, browsed through it, and still managed to get FP?

Re:First Glance

[monstroyer]

Subscriber bonus. I see the future baby.

Re:First Glance

[jpetts]

Are you saying that You read the article, registered to download source code, browsed through it, and still managed to get FP?

No problem: he's the /. subscriber...

Re:First Glance

[whovian]

There's only one subscriber?!?!

Re:First Glance

[forii]

No problem: he's the /. subscriber...
I always wondered who that sucker was.

Re:First Glance

[pete-classic]

2) You may not download this Software if you are located in any country (or are a national of a country) subject to a general U.S. or U.N. embargo or are deemed to be a terrorist country (i.e., Cuba,Iran, Iraq, Libya, North Korea, Sudan and Syria). Ouch! Why the patriotic license clause?

That is almost certainly because it contains strong encryption, which is considered munitions (!) under US export law.

We can debate that law (I think it is foolish), but it isn't VoteHere's fault.

-Peter

Re:First Glance

[pete-classic]

I'm sure that you think it is very clever to pick on President Bush. Everyone's doing it, it must be cool.

Now, I'm no defender of the current administration, but here are two facts that put your comment in perspective:

1. The law in question here predates this administration. I believe that it was enacted under President Clinton -- but quite possibly by a Republican Congress. We just can't win, can we?

2. I personally "exported democracy" to the Balkans under the previous administration, to my personal

Re:First Glance

[lcde]

Also, who's to say that this is the source code that will be compiled on the voting terminals?

these are the same arguments for anything you don't compile yourself. Who is really to say that RedHat RPM's don't have a patch that opens them up. Because they don't show it in the source RPM? Because they're not microsoft? Sometimes you have to have a little trust.

It may be true that they want people to submit bug reports or other things they see wrong and they will closely look over and patch with their own patch.
[tin_foil_hat]
But with it being e-voting and used for US politics. i wouldn't be to surprised if some gov. agency makes them have a back door.
[/tin_foil_hat]

Re:First Glance

[AntonyBartlett]

these are the same arguments for anything you don't compile yourself.

Ah-ha, trust the compiler do you? No amount of source-level verification or scrutiny will protect you from using untrusted code. [acm.org]

Re:First Glance

[Valar]

You're right. The advantage to the code being publically availible is that if there is an unintentional backdoor (security flaw) it might be spotted sooner. It wouldn't protect from intentionally mallicious actions by the company.

Re:First Glance

[Talthane]

Also, who's to say that this is the source code that will be compiled on the voting terminals?

You can take paranoia too far, you know. Who's to say the people counting the votes at the polling stations are counting the same pieces of paper you filled in there? If you're going to take that extreme a view, then all voting is irrelevant and utterly without any means of proof. Linux is as unreliable as Windows, the OVC as Diebold, because anyone could have compiled your nice open source software and turned i

Re:First Glance

[interiot]

Paranoia can't be taken too far regarding voting, at least not conceptually. In practice, you can only spend so much time and effort on proving that votes haven't been tampered with, but if you combine electronic voting machines with the results of 50 years of research in computer security, then software should be able to do most of the grunt work, and it may be possible to have MUCH stronger proof that no tampering took place than is available with paper, without requiring very much reoccuring human time/effort.

Re:First Glance

[meringuoid]

Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria

This is voting software, with which one would run an election in a democracy. Wouldn't we be happy if these countries downloaded and used it?

Then there would be no more phony rigged elections in these places - you can't possibly rig an e-voting machine, Diebold said so.

Re:First Glance

[Freddles]

Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria

This is voting software, with which one would run an election in a democracy. Wouldn't we be happy if these countries downloaded and used it?

Perhaps. But US law prohibits [ustreas.gov] (or with certain countries severely restricts) US persons and companies from having any business dealings whatsoever with any person or company in any of those countries. The sancations vary from country to country with an outright ban on dealings with Cuba and lesser restrictions o

Re:First Glance

[Mark_in_Brazil]

Wouldn't we be happy if these countries downloaded and used it?

Well, if by "we," you mean the US government, then no.
For all the talk about establishing democracy in Iraq, the powers-that-be in Washington will not permit open, free, and fair elections in Iraq because Shiite fundamentalists would win.

--Mark

Re:First Glance

[4of12]

Also, who's to say that this is the source code that will be compiled on the voting terminals?

Precisely.

And how many voters or voting officials will be able to verify the digital signature of the binary that the voting machines run (which would potentially thwart trojan replacement of compiled code with different binaries)?

Or, to verify the voting machine hardware itself does not contain any backdoors?

Yes, that's right. The same number of informed caring intelligent voters and educated informed voting officials you saw participating in previous elections. (To be fair there are many intelligent caring voters and officials - it's just that intelligence and caring don't guarantee successful secure electronic voting measures.)

With all the potential avenues for compromise and the levels of expertise, scrutiny and trust required for proper implementation, there's good reason some of the best computer scientists in the country think electronic voting is not a good idea.

At least I'll credit this company for taking one step forward in a mile long journey. I just hope decision-makers get the hint about vulnerabilities and realize how far we have to go.

Re:First Glance

[krazy_kc]

And how many voters or voting officials will be able to verify the digital signature of the binary that the voting machines run (which would potentially thwart trojan replacement of compiled code with different binaries)?

Ken Thomson proved this won't help, while I don't disagree with your sentiment, remember that all the open source in the world can still be circumvented by a compiler that you didn't write...

Re:First Glance

[4of12]

Ken Thomson proved this won't help, while I don't disagree with your sentiment, remember that all the open source in the world can still be circumvented by a compiler that you didn't write...

I remember that story, of hiding the login.c backdoor into the compiler binary.

It makes me think I should be more careful to check the .sig for my downloads of gcc .

But, then, I'm thinking back, wondering what version of gcc I used to compiled gpg , or what version of gcc Red Hat used to build my kernel....

It seems trustworthiness is only asymptotic and not absolute.

Re:First Glance

[SpaceLifeForm]

Here's a link to Reflections on Trusting Trust [acm.org].

Re:First Glance

[Tassach]

It's unlikely that a general release compiler (gcc, vc++, etc) would have a specific back-door for a voting system built in to it. Any backdoor of this variety would be present in any system built with that compiler

. In this case it doesn't really matter if you can trust the compiler or not -- what you want to do is ensure that the version of the software installed on deployed machines matches the audited reference copy. This can be done easily. Then you can test the hell out of the reference copy to ma

Re:First Glance

[Anonymous Coward]

Also, who's to say that this is the source code that will be compiled on the voting terminals?

Well, all bets are off if the company decides to purposefully make a "bad" (evil?) product. In that case, you just have to hope for a whistle blower inside the company.

BUT...by opening the source code...they allow other people to look and see what precautions have been made security-wise.

In other words, if an unintentional mistake was made everyone will have a chance to see it.

So, no, making the source avail

Why the patriotic license clause?

[exp(pi*sqrt(163))]

Because then those countries might reverse engineer the code and figure out what a cool idea democracy is. And then the US would no longer have conventient scapegoats to wage war against.

Re:First Glance

[Tassach]

What prevents any e-voting company to build binaries that have "secret conspiracy back doors" in them?

1. Release the makefiles along with all the details of how the release executables were built (exact details of the build platform, compiler flags, etc) -- basically all the details you need to produce an identical executable.
2. Calculate the MD-5 and SHA-1 hashes of the test version you built yourself. EG:

   find / -name \* | xargs md5sum | sort > checksums; \
   find / -name \* | xargs sha1sum | sort >> checksums; \
   cat checksums

3. Have independent auditors perform this process on a random sample of deployed machines.
4. diff the checksum file for the machine being tested against the one for your reference build.

If all the hashes match, you're assured that the executables on that machine have not been tampered with.

You may not download this Software if you are located in any country (or are a national of a country) subject to a general U.S. or U.N. embargo or are deemed to be a terrorist country (i.e., Cuba,Iran, Iraq, Libya, North Korea, Sudan and Syria). Ouch! Why the patriotic license clause?

Same reason any made-in-the-USA software containing strong crypto has a similar warning -- US law prohibits the distribution of strong crypto software to "bad" countries.

Re:First Glance

[ReelOddeeo]

2) You may not download this Software if you are located in any country (or are a national of a country) subject to a general U.S. or U.N. embargo or are deemed to be a terrorist country (i.e., Cuba,Iran, Iraq, Libya, North Korea, Sudan and Syria).

Ouch! Why the patriotic license clause?

That license clause is to protect us from people in other countries who might start getting ideas about having tamper-free elections.

Re:First Glance

[nadamsieee]

Everything else: Look buddy, unless you're going to physically check every voting machine in the country, you are gonna have to trust somebody. Even with paper ballots, the only way that someone as paranoid as yourself is going to be sure if to personally count every ballot yourself. That's the ONLY way to be sure, which is a physical impossibility...

The method being advocated by the OVC [openvotingconsortium.org] proves your statement wrong. In our voting system, the good old fashion, voter-verified PAPER is the legal ballot. Troj

Obscured?

[dolo666]

Something is really wrong with this move by Votehere. Nowhere on their site is a place to access the revision history of the code, or upload changes, or even contact them about bugs in the code for credit or what-have-you.

Obscured security relies on obscurity; therefore we have a previously obscured source code that is now revealed (as is) and the creator expects the public to be pleased? The key element of Open Source is the insight from a million minds into security, feasibility and programming efficienc

Re:Obscured?

[Anonymous Coward]

The key element of Open Source is the insight from a million minds into security, feasibility and programming efficiency;

Oh, you must have missed the part where it said "To avoid any doubt, this Software is not being licensed on an open source basis.".

Re:Obscured?

[medication]

I realize that it takes a bit more effort the RTFA, but in the pdf include in the source they make it very plain how to submit bugs:

Reporting an Issue
VoteHere appreciates your e(R)orts in helping us identify and resolve issues and
inaccuracies with our products, specifications and documentation. If you feel you
have identified an issue with the VHTi API or documentation set, please proceed
with the following steps for submitting the issue to the VoteHere support team:
1. Record the version number of the API or document you are referencing,
and if documentation-related note the page and /or section number.
2. Record and document the issue as clearly and in as much detail as possible.
3. Record your name, company name, and a telephone number where you can
be reached during normal business hours.
4. Contact VoteHere using one of the following methods:
Email: support@votehere.net
Fax: 1.425.450.2861
Phone: 1.888.457.6863

And again, in the tarball

[pheared]

How to provide feedback
We welcome constructive feedback as part of this review process. You can submit
any feedback you have to vhtifeedback@votehere.com. We will address any valid is
sues and/or suggestions.


Conveniently located in the top-level directory in a file cryptically named README.Feedback.

I see your Bah and raise you a Huf

[pavon]

This is not a free software project! They didn't release the code to get the benifits of the open source development methodology, or to give back to the community. They released it so that the source could be audited by anyone who cared to do so, and the framework they provided is sufficent for this. Transparency has long been deemed important in the security world and has it's own benifits that still exist even without a distributed development method.

I don't understand what your concern is, because I don

Re:Sigh

[pavon]

That's not true. As another post pointed out, the author of PGP released his code under very simular conditions, and people did audit it, and having the code out in the open did not make it less secure.

Fun programming is not the only motivator. If that were they case, then why would security experts have exerted all the effort they have so far to investigate these machines and try to convince their legislators that they are not secure enough? That didn't allow for any technical involement at all. This is a

Prove them wrong...

[TamMan2000]

If people are so convinced that this code must be insecure, find a bug... Break the thing and tell the company, if they don't fix it, tell the press.

I think this is an enormous step in the right direction, it allow a much greater degree of public oversite for e-voting. I am actaully satisfied with this, I would love a more open process, but I think this is good enough...

Re:Obscured?

[Analogy Man]

The key words are transparency and accountability.

A) There can be no accountability without transparency (something that our press has been doing a poor job at supporting for the last 20 years...worsening of late). What we don't know hurts us!

B) Transparency is meaningless without accountability. So I punched you in the nose...bugger off and deal with it you big baby! We lost all the votes from Precinct 27 oops, sorry. We had 2x as many votes as registered voters in precinct 43 so it comes out a wash

Re:Obscured?

[Ninja Programmer]

Something is really wrong with this move by Votehere. Nowhere on their site is a place to access the revision history of the code, or upload changes, or even contact them about bugs in the code for credit or what-have-you.

Read their license agreement carefully. They don't intend on accepting feedback of any kind. They also do not authorize forking of the code at all. The only purpose that you are allowed to make from downloading the source is to *EVALUATE* it. This is not an open source license that wo

Open the Moderation Code

[Anonymous Coward]

Now, if only slashdot would 'Open' their source (secret blacklists, obscured karma scores, hidden moderations, editor modpoints and bitchslaps).

Time to stop this hypocrisy of criticizing closed e-voting, while implementing it here.

Re:Open the Moderation Code

[juggaleaux]

http://www.slashcode.com [slashcode.com]
Is this not the slashdot source code?

In Other News...

[ravenspear]

In a move to inspire confidence, Diebold agrees to have Microsoft review their code.

The company was quoted as saying, "Microsoft's highly qualified software testers will objectively review all source to determine any bugs. We are confident their analysis will put speculation about the reliability of our software to rest."

Re:In Other News...

[tiger99]

What highly qualified software testers? M$ always let the customer do the testing.......

No

[hanssprudel]

VoteHere has revealed _some_ source code, which may or may not be what is used in their machines. Unless the machines are produced in a truly open fashion, the fact that they have made some code available for viewing means very little.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:No

[canajin56]

Actually, you can do that with the Diebold machines. And you can insert fradulent votes for him, too. And it isn't traceable. All you have to do is either get phyiscal access to the box, by being an election official, or crack an NT box over WiFi. No need to see the source of the voting software, because the vote TALLY software is just VBScript written is MS Access. Sure, it has a fancy front end with forms, but you can just hold shift while it is loading and get straight at the underlying tables, and

Re:No

[molarmass192]

Doesn't anybody else think that this kind of software should be developed by the government in an open source fashion? I don't like the idea of a closed 3rd party system being responsible for electing my next government. The election process is supposed to be transparent.

Re:No

[pjt48108]

YES! I agree! Open up the code, and let voting machine makers MAKE THE MACHINES that run it. As an analogy, auto manufacturers don't determine the design and construction of roadways, only the cars that use them. A person should be able to read the code themselves. In fact, such open code could be used for free by a multitude of organizations across the spectrum of society in order to run their own elections, be it for city council, scout troop leader, union president, etc.

Of course, I am still a fan of a

Re:No

[surprise_audit]

Unless the machines are produced in a truly open fashion...

And even then, how is any random voter (geek or not) going to be reassured that the proper, open software is what's actually running on the machine he's touching??

I'm sure we can all think up tricky ways to very the code - maybe provide a "verify code" button which prompts for a passphrase, then generates a hash using that and the software, providing a printout that the voter could verify against a secure web page, using the same passphrase. That would work unless you're paranoid enough to think that maybe there's a second eprom in there that's actually handling the machine, checksumming against the original, unused version...

No, I think it's pencil-and-paper time again. Can anyone think of a really pressing need to use some kind of electronic vote machine, other than the "we can declare the result instantly!" reason?? I venture to suggest that voter confidence in an honest election ought to outweigh any "instant win!".

Sadly, society in this country has been pushed more and more towards instant gratification for minimal investment. Instead of wielding a pencil to make a mark you now barely have to touch the display. Instead of waiting a day or two for the results, you can watch the numerous "results" shows on TV as they attempt to predict the winners.

Election reforms I'd propose: 1) Pencil and paper ballots; 2) Absolute blackout of media coverage, at least until the polls close *all* over the country. None of that instant win crap on the East Coast while West Coast, Alaska & Hawaii voters are still making up their minds...

Re:No - Oblig. Futurama Ref.

[Paulrothrock]

"we can declare the result instantly!"

"The robot polls are opening... and the robot vote is in."

Re:No

[Have Blue]

What is the disadvantage of instant gratification in this instance, if all the security and trust issues can be worked out? Why should we have to wait a few days to find out who the leader of this country is? Why should we not be able to vote by touching the display if it can be done reliably and securely? I agree that security is more important than expedience, but if we can have the first we may as well go for the second.

Re:No

[pangian]

Can anyone think of a really pressing need to use some kind of electronic vote machine, other than the "we can declare the result instantly!"

Well I can think a few reasons why electronic voting machines would seem advantageos to the people who administer elections, and they have very little to do with speed of reporting (which isn't currently and issue):

1) Lower cost in the long run over printing paper ballots. This resonates particularly well with election managers who are forced to *reprint* a bunch of ballots because of a mistake or change in the race.

2)Electronic voting systems can be used to accommodate voters with special needs. Electronic voting machines can often display a ballot in several languages and large print and can be designed to provide Braille or audio through headphones. Currently, in many districts, the blind don't have an entirely secret vote. This is temping for election administrators as accessibility requirements expand.

3) Touchscreen e-voting systems often provide an opportunity for the voter to check and confirm his or her votes, and can reduce the need for election officials to divine the "intent of the voter" that occurs in some pencil and paper, optical or punch systems. This is attractive to managers since Florida.

I am also *very* skeptical of electronic voting, and would probably feel a lot more comfortable with pencil and paper voting (which is not immune from user error and manipulation, I'll remind you). However, too often skeptics rail on e-voting without an real understanding of the resons that election managers choose them.

Re:No

[rossjudson]

I want voting machines done RIGHT as much as the next technology guy -- no back doors, bad counting, etc etc...

We all bitch about them, and at the same time we don't talk much about the error rate of paper-based voting.

In fact, I have no idea what kind of error rate that is. How do we measure voting accuracy and error rates in a democracy that provides anonymous ballots?

Re:No

[pangian]

One indicator that is often used is the "missing vote rate," which is simply (number of voters at a polling station - number of votes for an office at that station)/number of voters at the polling station. The idea is that errors that switch voter preferences are either uncommon or random enough to cancel each other out, but the error of greater concern is rejecting a ballot for not being able to determine the intention of the voter. Of course, the missing vote rate isn't an exact reflection of error, sinc

Physical Ballots are worse

[forii]

No, I think it's pencil-and-paper time again.

And how is any random voter going to be reassured that their pencil-and-paper ballot ever gets counted, rather than, say, floating in San Francisco Bay? [trilliumprints.com]
Personally, I'm more worried about the very real troubles with a physical ballot being lost/stolen/miscounted than I am with a theoretical hardware/software exploit. For example, given that the names/positions on a ballot are different from election to election, and even from district to district, it seems th

It isn't just about the source...

[AtariDatacenter]

Exposing the source code for e-voting (and electronic voting systems) is good. But just as important are the methods and procedures that a company uses around the software. Without knowing how they handle data, what protections and precautions they take, what operational or administrative technical policies are in place, I don't think we can judge much about a system from the source code. But we can, of course, find flaws in the code itself.

Re:It isn't just about the source...

[laird]

I certainly agree with the parent's point that open sourcing the software isn't a magic bullet, and that the policies and procedures are critical.

The way I'd phrase it is that voting is a system componsed of hardware, software, people and procedures. Flaws in any aspect of the system can compromise it. You could have perfect software, but have procedures that (for example) allow election workers manipulate the results before they're collected. That's why things like auditing still critical.

That being said

It's not patriotic

[the_rev_matt]

It's called compliance with export law. Plenty of software companies have this restriction listed (for a long time you had to check the box to download Acrobat Reader until the export restriction were loosened slightly).

Re:It's not patriotic

[Analogy Man]

Right you are. Lord help us if dictators and meglomaniacs get their hands on vote tabulation software. Damn they may do something rash like...hold an election...HORRORS!!!

Summary of the source

[hng_rval]

If (Vote == Bush)
BushVotes++;
Else If (Vote == Gore)
If (Rand % 10 == 1)
BuchannenVotes++;
Else
GoreVotes++;

Re:Summary of the source

[Nynaeve]

A possible code snippet if the programmer forgets to put in break statements:

switch (vote)
{
case E_GORE: nGore++;
case E_BUSH: nBush++;
default:
}

818181 (HAHAHA)

[sgumby]

How to explain that every Congressional race in Maryland, for example, won by the same margin, of 818,181 votes? Funny how those numerals translated to HA HA HA in alpha characters..... www.countthevotecolorado.org [countthevotecolorado.org]

i hope this software will help prevent such things...(if it not cause it...)

Re:818181 (HAHAHA)

[surprise_audit]

Maryland as well, huh? In Comal County [votewatch2002.com], in 2002, three candidates for three different posts each got exactly 18,181 votes.

Re:818181 (HAHAHA)

[Just Some Guy]

818,181 votes? Funny how those numerals translated to HA HA HA in alpha characters

That number is fishy, but not because it can be made to map to "HAHAHA". You could also observe that 8+1+8+1+8+1 = 27 = 3^3, but that doesn't hint that it was written be a Jehovah-loving Kabbalist.

Sometimes, to paraphrase Freud, a number is just a number.

That's great, now:

[mystereys]

Where's my voter-verifiable paper printout?

Re:That's great, now:

[Derek]

Where's my voter-verifiable paper printout?

EXACTLY!

Even if that source code is nice, secure, proveable, and unbiased, HOW DO I KNOW THAT IT IS THE SAME CODE USED ON THE MACHINE? The truth is, I can't know it. That is why a voter verifiable prinout is needed. The machine may report bad numbers, but at least I was able to verify my paper vote for the recount.

-Derek

Like PGP

[Rick Zeman]

This is just like what Phil Zimmerman, then NAI, and then PGP Corporation did with Pretty Good Privacy. They'd publish their source code for peer audit, but you definitely weren't allowed to do anything with besides audit the source and compare the resultant binaries. It was NOT open source.
I don't have any problems with that, or with the election software not being open source.

Re:Like PGP

[tiger99]

Yes, in this case that sort of arrangement is quite acceptable. Because this is going into a commercial piece of hardware, the software needs to be controlled at one place, so even if it was Open Source, it would not be possible to get contributions from all and sundry. But it also shows something that such as Gates and Ballmer are incapable of realising, that you can freely expose the source of closed commercial code. It bears a copyright, so it can't be copied and used improperly, and more than can a binary. By showing your intellectual property, you actually make the detection of illegal copying easier, unlike the stupid SCOundrel case, where nothing has been shown, nor ever will be, therefore nothing can be proved.

Altogether it is much cleaner and tidier to show the source, in particular it does not involve giving away your intellectual property (but first you have to have some intellect, in order to develop some IP...) It clearly defines exactly what you have.

In a sensible world, there would always be the option to see source code, just as there used to be comprehensive maintenance manuals with many pages of circuit diagrams for hardware, which theoretically could have led to copying, but in practice did not. I used to love the Tektronix oscilloscope manuals, but judging by the mediocre performance of most of their competitors products, the fact that every design detail was exposed, to assist with maintenance, did not result in significant copying. However, it might have inspired lots of engineers in the way they designed other things, just the same as exposure to Minix (ugh!) source code may have inspired Linus. It might, and did, also result in some ingeneous modifications when the proper spare parts were not immediately available.....

I hope this disclosure is the beginning of a trend, it will benefit everyone, including the fact that the owners of the code can get some extra, free, code review.

It will not, of course, please RMS. You can't please all of the people all of the time.

My Idea

[Valar]

The problem is that this code might not be the code that is in the machines. I think we should give people to compile the released source themselves and somehow load that into the machine before voting. There would be a standard build procedure, so everyone would use the same (open) compiler. The code would be checked to make sure it is bit for bit identical to a version compiled by a trusted third party. That way, having produced the executable yourself, you can be fairly sure that the software can be trus

Re:My Idea

[Rope_a_Dope]

We can't get more than 20% of the population to vote, but you expect people to compile their own software?

I bet 80% of the people that do actually vote would be wondering just what button to push on their WebTV or AOL account to compile the source.

Re:My Idea

[Valar]

Not everyone would have to do it-- trust their stuff if you want. I am not advocating the ability to use a compiler as a prerequiste to be able to vote. I am saying, the option should be availible to those who care. It would make it possible to randomly check these machines for honesty.

Re:My Idea

[Zathrus]

That's just insane.

Look, it's pretty simple. If you don't trust the precompiled binaries they have on the machines, then why on earth would you trust the compiler they provide? I'm not talking about not trusting gcc... it would be fairly trivial to produce a hacked gcc that compiles the code in question differently (or simply compiles an embedded version of the code). And you'd have no way of knowing.

Heck, hack the diff tool for that matter. Either reject any schmuck who actually tries to pull this, or re

No matter, indeed.

[sean.peters]

Sure, I guess you could go to hand counting. That'll only take a few weeks to verify the results.

Somehow, the Republic managed to survive for a couple hundred years with paper ballots, waiting longer than "a couple weeks" for the results in the days before electronic communciations. What was the problem, again?

Sean

Re:My Idea

[Valar]

Unless, of course, you don't use their gcc. I'm saying they should pick a compiler, say, gcc 3.1. Then I can get (I wouldn't be required to do any of this to vote, see my clarification attached to the other reply) the gcc (from gnu) and the code (from them) and compile mine. Like I said, it doesn't solve the problem, it makes it makes the problem more difficult to exploit. If you combined this with hardware audits (i.e. somebody buys a voting machine and the company is unaware whether it will go to an elect

Re:My Idea

[thebatlab]

Worst...idea...ever

Why not use an Escrow/Build agent?

[mjallison]

Revealing source code is good, but that doesn't gaurantee that the code you review is the same code actually running in the deployed machines.

Some people would like to see paper trails and code review as a backup security measure, but I have another option I could feel comfortable with. How about a neutral third party, mutually selected by the state/city/etc and machine supplier? This third party can act as the review agent for the code, even bringing in outside experts. Public review of the code could even be done if all parties agree that this is the best thing to do.

Finally (and here is where I think things get better), the escrow company actually builds the reviewed code, performs quality and acceptance tests. This code built by the third party is then released to the state for installation in their machines. The machine supplier never releases code directly to state/county/city/etc.

Many large corporations use similar schemes to manage mission critical code. The IP still belongs to the machine supplier, of course, but there is now a very public and verifiable step in the process to ensure trust in the system.

Much more interesting

[Anonymous Coward]

Much more interesting than the source is the following document:

http://www.votehere.com/vhti/documentation/egshu f. pdf ...describing a neat method of establishing a voter-verifiable ballot data that makes it quite difficult for single terminals to "cheat".

Source is Not Enough...Start to Finish, Please

[IceAgeComing]

The source is not enough by itself. It only takes two extra lines of C code to rig an election:

if (some_condition)
votes[0]++;

They should allow people to double-check the veracity of the final product (the binary) by building it themselves.
It would be nice if they would reveal:

* The size of the binary
* The hardware/software configuration of the machine on which the compiling was done.
* The MD5 sum.

e-Voting in Brazil

[Anonymous Coward]

We've been having e-voting in Brazil for ten years now, the machine's source code is not open, it's a small machine that saves the result on a disk and prints a confirmation with each vote.

In ten years we had three presidential elections, as well as elections for governors, mayors and senators, all of them with e-voting, citizens between 18 and 60 years MUST vote (between 16 and 18 and above 60 voting is optional).

In this ten years, with plenty of elections and huge ammounts of votes not ONCE the result of an election have been contested by any political parties (winning or losing, left or right), individuals or the media. Usually the official results are released in one or two days after the election.

So my question is: Why the big fuss about e-voting in the USA?

Re:e-Voting in Brazil

[Mr. Piddle]

Why the big fuss about e-voting in the USA?

A lot of us in the USA are very cynical about the government and how it operates. It's the American Way and has been for 200+ years.

We look at a company like Diebold, whose management have made public statements showing political allegiance, we see that they base their systems off of MS Windows and MS Access, we see their memos about how incompetent their software development is, and we really have to work hard to not shit ourselves over just how corruptable s

Don't be unfair!

[Syncerus]

Look, these guys are trying to do the right thing to inspire trust and confidence in the integrity of their software. What they are doing is entirely reasonable and proper. Just because they want to make real money from their code doesn't mean they are evil. Just because you think that everyone should release everything under the GPL, doesn't mean that they should be forced to accept your values. The release license is the choice of the author; never forget that.

The purpose behind this excercise is to promote trust in the integrity of the electronic voting process; not to release Open Source voting software.

You should commend these guys, not snarl at them.

Re:Don't be unfair!

[PhxBlue]

Just because they want to make real money from their code doesn't mean they are evil.

Funny, I've yet to see a license that explicitly tells the licensor, "you are not allowed to generate revenue with this product under this license." Even the GPL allows people to sell software--and support, which is how a smart software company butters its bread to begin with--as long as they include the source code with the binary executable.

AES, FAA, Certification Authorities

[Discoflamingo13]

I won't be satisfied until voting machines are subjected to the same safety criteria as automotive or aerospace software (e.g. FAA's DO178B). This means clear requirements, traceability from requirements to implementation, formal verification by third parties, and an audit trail. Infrastructure already exists for this purpose - the FAA could take this on with little difficulty.

I thought our government was a bureaucracy - why didn't they think of this first?

Some people just like to bitch.

[Saeed al-Sahaf]

Boy, you just can't win at Slashdot. All the sputtering frothy yappers here demand a look at the code. They get a look at the code, but that's not good enough anymore.

I guess some people will bitch no matter what.

Re:Some people just like to bitch.

[alan_dershowitz]

It isn't about the source code. It's about verifiable #%^#@$^ elections! The source code is ONE component of this. It is NOT enough, and it was NEVER enough.

Definitions

[Quill_28]

They needs to be a standard way to refer to different licenses.

Most lay people would assume that open source means you could look at it. But in tech circles that is not the case. It has to be more than that.

And does the tech definition of open source include BSD, GPL, public domain, etc licenses?

Or is it just refering to GPL?

Or does it depend on who you ask.

Will it remain open???

[OGmofo]

"Lookie folks, you can download our source code, unlike those other evil opaque ne'erdowells."

What's to keep them from closing the source once everyone hops on the bandwagon? If there's no promise to keep it open in perpetuity, its worthless.

No it's not.

[lynx_user_abroad]

It's definitely NOT open source (unlike OVC) but it's still a step in the right direction."

No it's not a "step in the right direction" and you're not helping to fix things by claiming that it is.

Having a copy of some source code is not a "step in the right direction" if you can't understand it. Most people can't read source code.

Having a copy of some source code is not a "step in the right direction" if you can't have complete confidence it's implemented correctly. If it's at all complex, there's a good chance the are bugs in it. If the manufacturer ever admits they've fixed a bug in it, then they are admitting even their engineers who designed it didn't understand it enough to spot all the bugs. Will Joe Voter spend as much time reviewing the code? (If they never admit to a bug in it, then they are in denial.)

Having a copy of some source code is not a "step in the right direction" if you can't be sure the source you have is the same one used to compile the binary runninng on the machine you're casting your vote on.

Having a copy of some source code is not a "step in the right direction" if you can't be sure the compiler wasn't trojaned. Or the hardware itself.

Unless you have evidence of a ballot cast, the best you can claim is heresay testimony of a ballot cast. Are you willing to accept that as a basis of your next government?

Re:No it's not.

[Kiryat Malachi]

Right now, all those problems exist.

Except that right now, we can't even verify that they've caught the obvious bugs.

It *is* a step in the right direction. Maybe not a big one, maybe not even an important one, but we are better off now than we were before.

Open source, closed source...I don't care!

[yoshi_mon]

Beacuse in the end what I want has nothing to do with software but the end result, what I put on my ballot.

It should be some sort of paper, to ensure some sort of paper trail. It should be human readable.

That simple.

Re:Open source, closed source...I don't care!

[CaptainTux]

While I understand your argument I think you're missing a part of the point. Some of it has to do with the end user - voters - but a lot of it has to do with the integrity of the system which has nothing to do with the voters.

Even with a paper trail, a closed source system is dangerous because it can be manipulated. Open source ensures that it simply cannot be manipulated without it being caught in an audit.

Anthony

Boy, nice license

[Rogerborg]

"You can look for 60 days, but if you touch, we own anything you modify. Oh, and we can can your license at any time and for any reason, and you also agree that we can and should gag you if you say anything that might be detrimental to our business."

We'll, that certainly inclines me to view their source in a charitable light.

Re:PR?

[xanie]

This is totally just a poly at PR.

I mean here's the thinking.

"Hey! We can appease the OS folks by making the code visable to them! And then the media, they'll be like 'Woah! No one would EVER release insecure code if they didn't think it was secure!'"

Yay... This is a joke.

Re:PR?

[onyxruby]

This doesn't have a damn thing to do with open source, don't fool yourself. This has to do with accountability and the public perception that e-voting machines don't have any. The license isn't open source because it doesn't need to be.

The code is reviewable, so it can be audited to avoid the kind of debacles diebold is facing. It's a marketing move, and a move that is in the public interest. Intead of complaining that it wasn't released in the license you like you should be grateful that it is available for review at all.

Open source is good, but that doesn't mean something is bad just because you can't do with it what you want.

Re:PR?

[onyxruby]

Marketing move: Yes.
Public interest: Yes.
License Irrelevant: Yes.

You don't get it do you? The license doesn't have to open to be reviewable. It's a good faith effort and complaining such as what your doing is a slap in the face of a company trying to do the right thing, and it makes open source look bad. Not everyone buys into the open source dogma, and it is asinine to expect that they do.

If they released the code once, chances are they'll do so again. It's pretty simple software relatively speaking, it

TUTORIAL: What all this means

[goombah99]

VoteHere a company that makes software to implement a particular voting crytographic scheme is the second outfit to release their source (the first was OVC).

http://www.votehere.com/news/archive04/040604.ht m

Until I know more details I wont pass judgement other than to say this underscores the point that making source code open does not diminish the rights of the company to its ownership and copyright of the code. It does allow bugs to be found and fixed. And expert independent testimony to its safety may result and thereby build public confidence. Thus this is all good.

I dont know what exactly was released. My understanding in the past was that VoteHere was not actually a voting machine maker but a seller of a patented system for validating encrypted votes. Sequoia Systems had in the past discussed the possibility of letting buyers purchase this for use on their machines, though I have not heard of any machines actually deployed with this.

More specifically, the VOTE HERE system still requires the machines to be error free. Recounts are not possible in the event of an error. The votehere system only eliminates certain kinds of fraud but not all and does nothing about errors, the discovery of errors, and recounting after errors. Additionally since machines using this system will for practical purposes look the same as machines with tampered software: how do know what is going on inside as a voter?

I have read the VoteHere White papers on the mathematics of their algorithm. Two things are apparent 1) It's so complex--and I am trained in advanced mathematics--it's not perfectly clear that all the loop holes are plugged 2) Even if it works as claimed to the voter its still a magic black box that offers no visual evidence of the vote. Thus on both counts voting confidence is not available.

Look at their logo--its a bunch of math symbols. To most folks that is more of a put-off than a confidence builder. Clearly they think they have a technical solution but dont appreciate the sociology issues.

It appears to mainly move where fraud and erros can occur from the polling place to the programming place and to the people who hold the encryption keys. Its not clear what happens if the keys are accidentally leaked.

Still clearly votehere sees it in their interest to get the issue of open source on the table and that is a great sign. kudos for them even if it is partly a bussiness decision.

Contaminated Source

[goombah99]

One of the possible problems here, and I'd like to hear comments on this, is that the best people will not be reading this source code. Since the code is not open source in the free-use sense it means anyone reading it who is working to develop their own code may become contaminated. Or am I wrong on this. If I'm right then the most skilled readers wont be reading it. And that partly defeats the purpose.

Re:New system

[HiThere]

If you aren't sure, you aren't thinking things through.

You can't trust it. You *might* be able to trust a system of which it was a component. One program doesn't make a secure voting system, though it can make an insecure one.

Re:Reading this story

[Carbonite]

I believe the statistic is that only 1 out of every 10 person (correct me if I am wrong) in America votes in the presidential election.

That's incorrect. In 2000, there were over 105,000,000 votes cast. This was 51.3% of the voting age population of 205,815,000 and 67.5% of the 156,421,311 registered voters.

Source: Federal Election Commission [fec.gov]

Re:Reading this story

[cpeterso]

you are assuming each voter cast just one vote.

Re:Reading this story

[pangian]

Usually a little more than 50% of registered voters votes in a presidential election. I'm not sure how that compares to the overall population, but its worth noting [reletively] recent Moter Voter laws have made it easier for people who are on the fringes about voting to get registered. This is a good thing, but something that needs to be kept in mind when people bemoan decreasing turnout rates

WRT internet voting, while it has been piloted in a few situations (most recently in the Michigan primaries), I

Re:Reading this story

[internewt]

I believe the statistic is that only 1 out of every 10 person... in America votes in the presidential election.

I thought it was 11 out of 10 in Florida?

Re:Reading this story

[Paulrothrock]

I don't want the village idiot making crystal meth in his trailer home to be voting for the president.

You don't want the president to vote? That's unamerican!

design/intent

[chadjg]

Well, by definition, software can only do what it was designed to do, right? If those functions are different from the stated intent of the developer, then tough beans.

Computers are wonderfully deterministic beasts. We shouldn't pretend that they aren't and blame our glitches on computers. If Ralph Nader is "accidentally" elected, it's not a machine/software problem. Somebody, a person or a group of people, screwed up.

I'm not saying that a law court would agree, but if a voting machine can be made to si