Will 'controlled open source' software take over election work? (NewsForge)

Posted Aug 19, 2004 19:22 UTC (Thu) by jabby (subscriber, #2648)
In reply to: Will 'controlled open source' software take over election work? (NewsForge) by QuisUtDeus
Parent article: Will 'controlled open source' software take over election work? (NewsForge)

I agree that a paper trail is a necessary condition for the proper recording of votes. I also hold that open source code is a necessary condition. Neither is by itself sufficient, but taken together they create a set of circumstances that are the best one can hope for with computerized electronic voting.

I disagree with this statement, however: "Even an open source voting program cannot prove that that is the software running on the machine."

Open source software built using an open toolchain (compiler, linker, etc.) and running on an open source OS would be sufficient for being able to literally *prove* that the code over here resulted in the binary over there.

Now if you're talking about the span of time between when the binary was verified and the election, more conventional means have to be relied upon, such as putting the binaries on a read-only medium and locking them in a safe until election time. I'm specifically thinking about KNOPPIX-like CDs with an entire open source election "distro". Everything could be run from read-only media bearing verified binaries of open source code.

Another option would be to avoid compilation altogether and go for an interpreted language, like Python or Perl. Then you would literally have the source code available on the machine *during* the election. It could even be compared against a read-only medium carrying the original before *every* vote is cast.

With open source code, a plethora of options are available for protecting the integrity of a voting system. With paper ballots as a backup, the resulting system earns my confidence. But, as they say, "trust, but verify". No matter how much I might trust such a system, all voting solutions require constant vigilance. Someone must still be actively looking for tampering and comparing exit polls to the computerized tallies.


(Log in to post comments)

Will 'controlled open source' software take over election work? (NewsForge)

Posted Aug 19, 2004 20:19 UTC (Thu) by JoeBuck (subscriber, #2330)

I would be satisfied with a paper printout for every vote that is checkable by the voter (printed out in large type for easy reading by the elderly), then dropped into a locked box for use in recounts as well as for cross-checking.

The code need not be open source, however, it would need to be made available in source form to trusted third parties (including opponents of software voting machines) for inspection and review, with no restrictions placed on the inspectors that harm their ability to report flaws to the public. Regardless of whether the code is open source or not, the third-party inspectors should verify the process for producing the binary code (possibly by running the build process themselves with the specified software development tools, and checking that the binaries match).

Open source would be nice, but it's not a necessary condition for confidence in the election, and that's the problem that vitally needs to be fixed.
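Both the suggestion above of comparing the live source against a read-only original before every vote and JoeBuck's point that inspectors should rebuild and check that the binaries match come down to the same check: a digest manifest taken from a trusted copy, compared against whatever is actually on the machine. The following is an added example, not code from the thread or from any voting project; it constructs a small sample tree in a temporary directory to stand in for the read-only medium and the live install, and the file names and contents are invented for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (path relative to root) to its digest.

    Run once against the read-only medium to produce the reference, and again
    against the live tree (source files, or build outputs) at check time.
    """
    manifest: dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare_manifests(reference: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Report files whose content changed, files that vanished, and files that were planted."""
    return {
        "modified": sorted(k for k in reference if k in live and reference[k] != live[k]),
        "missing": sorted(k for k in reference if k not in live),
        "unexpected": sorted(k for k in live if k not in reference),
    }


def is_clean(report: dict[str, list[str]]) -> bool:
    """True only when every category of the report is empty."""
    return not any(report.values())


def demo() -> dict[str, list[str]]:
    """Constructed demonstration: a reference tree versus a live tree that has
    one altered file and one extra file. Contents are made-up sample data."""
    with tempfile.TemporaryDirectory() as tmp:
        ref = Path(tmp) / "reference"   # stands in for the read-only medium
        live = Path(tmp) / "live"       # stands in for the running machine
        files = {
            "ballot/__init__.py": "",
            "ballot/tally.py": "def tally(votes):\n    return sum(votes)\n",
            "README": "election image, constructed sample\n",
        }
        for root in (ref, live):
            for rel, text in files.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(text)
        # Simulate tampering on the live side only.
        (live / "ballot/tally.py").write_text("def tally(votes):\n    return sum(votes) + 1\n")
        (live / "ballot/extra.py").write_text("# file not present on the reference medium\n")
        return compare_manifests(build_manifest(ref), build_manifest(live))


if __name__ == "__main__":
    report = demo()
    print(report)
    print("clean" if is_clean(report) else "TAMPERING DETECTED")
```

The same `compare_manifests` call serves the inspectors' rebuild check: run `build_manifest` over the artifacts produced by an independent build and over the artifacts shipped on the machines, and any entry in `modified` is a binary that does not correspond to the approved build. The digest itself is only as trustworthy as the medium carrying the reference manifest, which is why the thread keeps returning to read-only media and physical custody.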

open source necessary condition for voter confidence

Posted Aug 20, 2004 2:49 UTC (Fri) by jabby (subscriber, #2648)

I don't trust any third party... or even a couple of them. I want to be able to review the code myself and to have the local computer science department perform a code review and the military and all interested political parties and the foreign governments who are affected by our political choices... Yes, everyone should be able to inspect the code. No more "trade secret" or "competitive advantage" whining from the companies who are making money hand over fist at the taxpayers' expense.

Remember Linus' Law: "Given enough eyes, all bugs are shallow." How long do you think it would take for *someone* *somewhere* in the world to find subverted code? With as much as there is at stake in the general election, my guess is "not long." When the Diebold source was leaked on the internet it took very little time for computer scientists to examine the code and find dozens of critical weaknesses.

Also, the compiler has to be open source and inspectable as well. I'm not forgetting the famous backdoor-inserting compiler hack by Ken Thompson:

http://www.acm.org/classics/sep95/

This actually demonstrates that you can't trust any program that handles programs, but I would still maintain that you are *far* better off with open source than with closed source. With closed source, only those "trusted parties" (who sign NDAs and are therefore bound in ways that make them untrustworthy) can see the source code and try to compile it and verify the binary. That's when you have the problem of closed source compilers and the inability to verify that the binary produced actually obeys the code that you approved and fed to it.

As for confidence in the election, I fail to see how closed-source (secret) software running on closed-source, proprietary operating systems and inspected by only a few "trusted parties" is going to inspire confidence. In general, people are smart enough to know that transparency is good and trustworthy and that wherever something is hidden from public view there resides the temptation to deceive the public.

open source necessary condition for voter confidence

Posted Aug 20, 2004 17:59 UTC (Fri) by tzafrir (subscriber, #11501)

You should realise, though, that the "software" is the whole stack, not only the voting software itself.

Backdoors can be added in the underlying OS. Quite easily.

But you can go even further: What about the firmware of the CPU? The firmware of the BIOS? The firmware of the disk controller?

Will 'controlled open source' software take over election work? (NewsForge)

Posted Aug 19, 2004 20:23 UTC (Thu) by bdixon (subscriber, #1055)

Ownership and visibility into the codebase that constitutes an open voting machine does not mean that we can be assured that a subversion hasn't been planted. It is impossible to be assured that inspection has found all subversions.

Solving this problem will take a codebase that is simpler and far more verifiable than either Windows or Linux.

Will 'controlled open source' software take over election work? (NewsForge)

Posted Aug 20, 2004 13:58 UTC (Fri) by hummassa (subscriber, #307)

"Ownership and visibility into the codebase that constitutes an open voting machine does not mean that we can be assured that a subversion hasn't been planted. It is impossible to be assured that inspection has found all subversions." ... but it is possible (even easy) to establish a system of distributed, formalized testing that finds /many/ possible subversions (read my other posts in this same thread).

"Solving this problem will take a codebase that is simpler and far more verifiable than either Windows or Linux." ... I won't argue this; the simpler the system, the easier it is to make it secure.

Will 'controlled open source' software take over election work? (NewsForge)

Posted Aug 20, 2004 18:28 UTC (Fri) by tzafrir (subscriber, #11501)

No. This is practically impossible.

Yes, programs in OCAML (?) can be officially verified. How nice. But what about the implementation of the OCAML compiler, or the run-time environment (which are probably written in C)?

What about the libraries and the kernel of the underlying OS? A formally-verifiable OS is, ATM, a non-practical academic research subject.

But then again, the aim is not a totally safe system, but a practically safe system. If someone wants to win badly enough, one can always take a shot at bribing citizens and other low-tech methods. See http://www.schneier.com/crypto-gram-0404.html#4 for a better insight.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds