
E-vote kit makers go 'shared source'

Showing a little ankle


Several of the largest makers of touch screen ballot machines are submitting at least some of their source code to the National Software Reference Library, the Associated Press reports.

This is so that election officials can compare hashes of the original software to hashes of the software they've got, and detect tampering.

The publicity stunt is meant to engender public confidence in the design of the machines, but it actually raises more suspicions than it eases.

"Voting machine makers said Tuesday they would not submit their most valuable data -- their proprietary source code. And they might not provide the library with copies of software patches, updates and upgrades," the wire service says.

Code withheld does imply that the companies have something to hide, like slack work, for example. And since the potential for last-minute patching is quite real, omitting patches from the library makes it impossible for officials to verify the ones they are issued, perhaps only days before an election.

It's clear that negative press has worried the vendors about public confidence in their kit, and they would do just about anything to address it, short of opening their source code, libraries, and compilers to rigorous third-party examination. No doubt this would reveal numerous snafus, which is why it's not happening.

Similarly, their apparent desire to patch at will, without pre-certification and verification mechanisms, itself implies that there is a lot wrong with their software, and raises questions of tampering, by making it too easy for 'unofficial' software to be installed.

So this 'library' approach addresses one problem, that of verifying the software one has been issued, but doesn't actually solve it. One might verify one's software with the official checksums three months before an election, then find, after two or three patches have been installed, that (of course) the checksums no longer match. It then becomes impossible to determine whether or not this situation indicates a problem. All you can say with confidence is, you had the right software installed three months earlier.
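The gap described above can be shown in a few lines. This is an added example, not code from the National Software Reference Library or any vendor; the file name, the byte strings standing in for software images, and the choice of SHA-256 are all assumptions made for illustration. It audits the same machine against a library that holds only the original release and against one that also holds the patch hashes.

```python
from __future__ import annotations
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def audit(installed: dict[str, bytes], reference: dict[str, set[str]]) -> dict[str, str]:
    """Classify each installed file against a reference set of approved digests."""
    report = {}
    for name, blob in installed.items():
        approved = reference.get(name)
        if approved is None:
            report[name] = "UNLISTED"   # the library has no entry for this file
        elif sha256(blob) in approved:
            report[name] = "VERIFIED"
        else:
            report[name] = "MISMATCH"   # patched or tampered: the hash cannot say which
    return report

# Constructed sample data: byte strings stand in for software images.
RELEASE = b"ballot-app v1.0 (certified build)"
VENDOR_PATCH = b"ballot-app v1.0.1 (vendor patch)"
TAMPERED = b"ballot-app v1.0 (modified by third party)"
FILE = "ballot-app.bin"  # hypothetical file name

# Library holding only the original release, as the article describes.
LIBRARY_RELEASE_ONLY = {FILE: {sha256(RELEASE)}}
# The same library if patch hashes were also submitted before deployment.
LIBRARY_WITH_PATCHES = {FILE: {sha256(RELEASE), sha256(VENDOR_PATCH)}}

def compare_scenarios() -> dict[str, dict[str, str]]:
    """Audit three machine states against both versions of the library."""
    machines = {
        "three_months_before": RELEASE,
        "after_vendor_patch": VENDOR_PATCH,
        "after_tampering": TAMPERED,
    }
    libraries = {"release_only": LIBRARY_RELEASE_ONLY, "with_patches": LIBRARY_WITH_PATCHES}
    return {
        label: {state: audit({FILE: blob}, library)[FILE] for state, blob in machines.items()}
        for label, library in libraries.items()
    }

if __name__ == "__main__":
    for label, result in compare_scenarios().items():
        print(label, result)
```

With the release-only library, the patched and the tampered machine produce the same result; only when the patch hashes are in the reference set does the audit separate them.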

This development will remain a meaningless publicity stunt until security protocols are developed, and mandated by law, requiring that all software be tested and approved by a government body, and that no untested, un-approved software can be installed. This must include all source code, compilers, libraries, and patches. And it is not enough merely to make the checksums available; it must be illegal to deploy a machine unless all have been verified.

Touchy screens

In related news, briefly, there have been anecdotal reports of touch screen machines registering the wrong choices. Because there are so many different types of screens, and because some use discrete and others continuous touch areas, it is impossible to guess the particular problem here. But we are, no doubt, going to hear a lot more such complaints on election day. We can hardly wait. ®

Thomas C Greene is the author of Computer Security for the Home and Small Office, a comprehensive guide to system hardening, malware protection, online anonymity, encryption, and data hygiene for Windows and Linux.
