Feeds

E-vote kit makers go 'shared source'

Showing a little ankle

  • alert
  • submit to reddit

5 things you didn’t know about cloud backup

Several of the largest makers of touch screen ballot machines are submitting at least some of their source code to the National Software Reference Library, the Associated Press reports.

This is so that election officials can compare hashes of the original software to hashes of the software they've got, and detect tampering.

The publicity stunt is meant to engender public confidence in the design of the machines, but it actually raises more suspicions than it eases.

"Voting machine makers said Tuesday they would not submit their most valuable data -- their proprietary source code. And they might not provide the library with copies of software patches, updates and upgrades," the wire service says.

Code withheld does imply that the companies have something to hide, like slack work, for example. And since the potential for last-minute patching is quite real, omitting patches from the library makes it impossible for officials to verify ones they are issued, perhaps only days before an election.

It's clear that negative press has worried the vendors about public confidence in their kit, and they would do just about anything to address it, short of opening their source code, libraries, and compilers to rigorous third-party examination. No doubt this would reveal numerous snafus, which is why it's not happening.

Similarly, their apparent desire to patch at will, without pre-certification and verification mechanisms, itself implies that there is a lot wrong with their software, and raises questions of tampering, by making it too easy for 'unofficial' software to be installed.

So this 'library' approach addresses one problem, that of verifying the software one has been issued, but doesn't actually solve it. One might verify one's software with the official checksums three months before an election, then find, after two or three patches have been installed, that (of course) the checksums no longer match. It then becomes impossible to determine whether or not this situation indicates a problem. All you can say with confidence is, you had the right software installed three months earlier.

This development will remain a meaningless publicity stunt until security protocols are developed, and mandated by law, requiring that all software be tested and approved by a government body, and that no untested, un-approved software can be installed. This must include all source code, compilers, libraries, and patches. And it is not enough merely to make the checksums available; it must be illegal to deploy a machine unless all have been verified.

Touchy screens In related news, briefly, there have been anecdotal reports of touch screen machines registering the wrong choices. Because there are so many different types of screens, and because some use discrete and others continuous touch areas, it is impossible to guess the particular problem here. But we are, no doubt, going to hear a lot more such complaints on election day. We can hardly wait. ®

Thomas C Greene is the author of Computer Security for the Home and Small Office, a comprehensive guide to system hardening, malware protection, online anonymity, encryption, and data hygiene for Windows and Linux.

Related stories E-voting security: getting it right
E-voting security: looking good on paper?
Dutch e-voting software goes open source
E-voting promises US election tragicomedy
California preps e-voting ban bill
Ireland to scrap e-voting plan
California set to reject Diebold e-voting machines
UK not ready for e-voting
Campaign calls for safe e-voting

Secure remote control for conventional and virtual desktops

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
Kaspersky backpedals on 'done nothing wrong, nothing to fear' blather
Founder (and internet passport fan) now says privacy is precious
TROLL SLAYER Google grabs $1.3 MEEELLION in patent counter-suit
Chocolate Factory hits back at firm for suing customers
Facebook, Google and Instagram 'worse than drugs' says Miley Cyrus
Italian boffins agree with popette's theory that haters are the real wrecking balls
Sit tight, fanbois. Apple's '$400' wearable release slips into early 2015
Sources: time to put in plenty of clock-watching for' iWatch
Facebook to let stalkers unearth buried posts with mobe search
Prepare to HAUNT your pal's back catalogue
Ex-IBM CEO John Akers dies at 79
An era disrupted by the advent of the PC
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.