Feeds

E-vote kit makers go 'shared source'

Showing a little ankle

  • alert
  • submit to reddit

High performance access to file storage

Several of the largest makers of touch screen ballot machines are submitting at least some of their source code to the National Software Reference Library, the Associated Press reports.

This is so that election officials can compare hashes of the original software to hashes of the software they've got, and detect tampering.

The publicity stunt is meant to engender public confidence in the design of the machines, but it actually raises more suspicions than it eases.

"Voting machine makers said Tuesday they would not submit their most valuable data -- their proprietary source code. And they might not provide the library with copies of software patches, updates and upgrades," the wire service says.

Code withheld does imply that the companies have something to hide, like slack work, for example. And since the potential for last-minute patching is quite real, omitting patches from the library makes it impossible for officials to verify ones they are issued, perhaps only days before an election.

It's clear that negative press has worried the vendors about public confidence in their kit, and they would do just about anything to address it, short of opening their source code, libraries, and compilers to rigorous third-party examination. No doubt this would reveal numerous snafus, which is why it's not happening.

Similarly, their apparent desire to patch at will, without pre-certification and verification mechanisms, itself implies that there is a lot wrong with their software, and raises questions of tampering, by making it too easy for 'unofficial' software to be installed.

So this 'library' approach addresses one problem, that of verifying the software one has been issued, but doesn't actually solve it. One might verify one's software with the official checksums three months before an election, then find, after two or three patches have been installed, that (of course) the checksums no longer match. It then becomes impossible to determine whether or not this situation indicates a problem. All you can say with confidence is, you had the right software installed three months earlier.

This development will remain a meaningless publicity stunt until security protocols are developed, and mandated by law, requiring that all software be tested and approved by a government body, and that no untested, un-approved software can be installed. This must include all source code, compilers, libraries, and patches. And it is not enough merely to make the checksums available; it must be illegal to deploy a machine unless all have been verified.

Touchy screens In related news, briefly, there have been anecdotal reports of touch screen machines registering the wrong choices. Because there are so many different types of screens, and because some use discrete and others continuous touch areas, it is impossible to guess the particular problem here. But we are, no doubt, going to hear a lot more such complaints on election day. We can hardly wait. ®

Thomas C Greene is the author of Computer Security for the Home and Small Office, a comprehensive guide to system hardening, malware protection, online anonymity, encryption, and data hygiene for Windows and Linux.

Related stories E-voting security: getting it right
E-voting security: looking good on paper?
Dutch e-voting software goes open source
E-voting promises US election tragicomedy
California preps e-voting ban bill
Ireland to scrap e-voting plan
California set to reject Diebold e-voting machines
UK not ready for e-voting
Campaign calls for safe e-voting

SANS - Survey on application security programs

More from The Register

next story
Dropbox defends fantastically badly timed Condoleezza Rice appointment
'Nothing is going to change with Dr. Rice's appointment,' file sharer promises
Audio fans, prepare yourself for the Second Coming ... of Blu-ray
High Fidelity Pure Audio – is this what your ears have been waiting for?
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Number crunching suggests Yahoo! US is worth less than nothing
China and Japan holdings worth more than entire company
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
Apple DOMINATES the Valley, rakes in more profit than Google, HP, Intel, Cisco COMBINED
Cook & Co. also pay more taxes than those four worthies PLUS eBay and Oracle
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.