Sequoia To Publish Source Code For Voting Machines
cecille writes "Voting machine maker Sequoia announced on Tuesday that they plan to release the source code for their new optical-scan voting machine. The source code will be released in November for public review. The company claims the announcement is unrelated to the recent release of the source code for a prototype voting machine by the Open Source Digital Voting Foundation. According to a VP quoted in the press release, 'Security through obfuscation and secrecy is not security.'"
plan to (Score:2)
okay, so they "plan to"
yet, we don't have a release yet.
is this to just avoid press or do people actually believe them?
Re: (Score:2)
No, everyone's out to trick you and lying.
Re: (Score:2)
Don't listen to parent, he is lying. So am I.
They are NOT open sourcing it. (Score:2)
Voting companies have traditionally offered to "disclose" their source code in the past. By disclose they do not mean open source. In the past it has always meant that certain designated people can get access under certain conditions. E.g. state voting officials under rabid NDAs can see it if they sue.
Until they actually publish it, assume that "disclose" does not mean either access without NDA or open source.
Re:plan to (Score:5, Interesting)
My thought exactly. In fact, there's no way to trust vendor-supplied hardware on this account, or any hardware of reasonable complexity at all.
I still think there's only one sensible way to do voting:
1. Let the voter fill in an optical scan form.
2. Let lots of different interested parties scan the form.
3. Verify that all parties have the same count after every form.
4. Lock the forms away in case a recount is needed.
If there's only one party doing the counting, they can never be trusted.
Only by having every competing interest do the counting (with constant cross-checking) can a system be potentially trusted.
Even then, you have to have enough parties involved to avoid the possibility of collusion.
Combine this with a system like Punchscan.org to add privacy, and maybe you've got something.
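The four-step procedure in the comment above, sketched as an added example that is not part of the original post: every party keeps its own running count, the counts are compared after each form, and the count halts at the first form where they diverge so the paper can be pulled. The party names and ballot readings are constructed sample data.

```python
from collections import Counter

def cross_check(scans):
    """scans maps party name -> that party's readings, one per form, in feed order.

    Returns {"ok": True, "tally": ...} if every party's running count matched
    after every form, otherwise the index of the first form where the counts
    diverged, each party's reading of it, and the tally agreed before it.
    """
    parties = sorted(scans)
    if len({len(scans[p]) for p in parties}) != 1:
        raise ValueError("every party must scan every form")
    running = {p: Counter() for p in parties}
    agreed = Counter()
    for i in range(len(scans[parties[0]])):
        for p in parties:
            running[p][scans[p][i]] += 1
        reference = running[parties[0]]
        # Step 3: all parties must hold the same count after this form.
        if any(running[p] != reference for p in parties):
            return {
                "ok": False,
                "form": i,  # this paper form goes to hand inspection
                "readings": {p: scans[p][i] for p in parties},
                "agreed_before": dict(agreed),
            }
        agreed = Counter(reference)
    return {"ok": True, "tally": dict(agreed)}

# Constructed sample: what is actually marked on five forms.
CONSTRUCTED_MARKS = ["A", "B", "A", "A", "B"]

# One scanner misreads form 3; the other two read it correctly.
CONSTRUCTED_SCANS = {
    "party_a": list(CONSTRUCTED_MARKS),
    "party_b": list(CONSTRUCTED_MARKS),
    "observer": ["A", "B", "A", "B", "B"],
}

# Every scanner misreads form 3 the same way (shared bug or collusion):
# the cross-check passes, and only the locked-away paper can show the error.
CONSTRUCTED_COLLUDING = {
    name: ["A", "B", "A", "B", "B"] for name in ("party_a", "party_b", "observer")
}

if __name__ == "__main__":
    print(cross_check(CONSTRUCTED_SCANS))
    print(cross_check(CONSTRUCTED_COLLUDING))
    print(dict(Counter(CONSTRUCTED_MARKS)))
```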
Re: (Score:2)
If only there was a way to verify a vote without compromising the anonymity of the voter.
Re: (Score:1)
Um, that's why I mentioned http://punchscan.org/. Check it out.
Re: (Score:3, Interesting)
Y'know, in Canada, we use this funky invention, called pen & paper for voting. You are given a ballot that clearly lists each candidate's name, their party affiliation, and has a white circle to the side. You make your mark in the circle of the candidate you want to vote for. If you mark more than one candidate, or if you mark outside of the circle, or make any kind of personally identifying mark on the ballot, your vote is considered spoiled and rejected. It's really idiot-proof, when you think about i
Re: (Score:2)
In the USA, an election is actually about 50 simultaneous voting opportunities. You may be voting for your congressman, your senator, the President, your town mayor, several state-level positions, the county sheriff, a few propositions, your local school board... the list seems endless. The ballot is so long and so complicated that they have to mail out booklets to
Re: (Score:2)
That over-complication is what I was getting at. If there's multiple elections going on
Re: (Score:2)
In my county in California, we use the scanners to count the paper ballots, which get secured and stored in case recount or verification is needed. The hand-counting took an extra couple of hours, at worst, (and I don't think it is missed) which is not insignificant at the end of an already long day. We have a one-office ballot coming up in a few weeks, as a matter of fact; the task varies, but it is do-able.
Re: (Score:1)
What you describe has many of the elements that I suggested, such as the paper record and multiple parties overseeing the count.
Many parts of the US use a similar system. Unfortunately, the method of doing voting is not something that is set at the national level in the US. Every state has its own laws & regulations, and every county makes its own choices within what the state allows.
The result is that there are thousands of bodies making the same mistakes over and over again, being taken advantage of
Re: (Score:2)
We receive a set number of empty ballots. The number of ballots ca
Re: (Score:1)
This would result in an immediate discrepancy. But I take your point, in that there would need to be very careful handling of each & every scan sheet.
The fact that something "easy" like voting is hard (when there is motivation to hack the system) should be a lesson to every lawmaker and programmer. Laws & programs are easy to make when you can trust people to do the right thing all the time. But, in the real world, you need to design them both as if people will try to punch holes in them any way
Re: (Score:2)
As long as the voting machines are not completely locked high-security machines (what TCPA was *actually* meant to be for), and the source and binaries are signed and compiled by signed compilers inside the machine itself, one can meddle with it. Simple as that.
Of course then the process of signing the compiler would have to happen in an openly visible event, with the ability for third parties to check everything on the spot. Because as we know, one could simply modify a compiler, so that even if you compil
Re: (Score:2)
Here in Minnesota, we fill out an optical scan form. It's run through one scanner, and saved for later. A random selection of precincts does manual recounts, so that somebody will notice large discrepancies (the randomness of this has been questioned, though). If the reported vote is close enough, the law requires a manual recount; alternately, a losing candidate can ask for one.
It gets the vote totals in fairly fast, and these totals are accurate enough for most purposes. In event of a very close el
Re: (Score:2)
wow, I didn't even think about that part.
Re: (Score:2)
Is there any guarantee that the source code they release is the actual code that will run on the machines during an election?
Not unless they are forced to hash the source released and the source on the machine. Upload it in front of the people and verify the hash.
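One way to do the hash comparison suggested above, as an added example that is not from the original post or from Sequoia: build a per-file SHA-256 manifest of the published tree and of the tree being loaded, then report exactly which files differ. The file names and contents are constructed; a match shows only that the two copies are identical, not what the hardware goes on to execute.

```python
import hashlib
import os
import tempfile

def file_digests(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    out = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            out[rel] = h.hexdigest()
    return out

def tree_digest(digests):
    """One digest for the whole tree: hash of the sorted manifest lines.
    This is the single value observers can read aloud and compare."""
    h = hashlib.sha256()
    for rel in sorted(digests):
        h.update(f"{digests[rel]}  {rel}\n".encode("utf-8"))
    return h.hexdigest()

def compare(published, observed):
    """List files that changed, are missing, or were added relative to 'published'."""
    return {
        "changed": sorted(p for p in published
                          if p in observed and published[p] != observed[p]),
        "missing": sorted(p for p in published if p not in observed),
        "extra": sorted(p for p in observed if p not in published),
    }

def make_tree(files):
    """Write a constructed sample tree to a temp directory and return its path."""
    root = tempfile.mkdtemp()
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root

# Constructed sample trees (hypothetical file names and contents).
PUBLISHED_FILES = {
    "firmware/Tally.cs": b"count += 1;\n",
    "firmware/Scanner.cs": b"read_marks();\n",
}
LOADED_FILES = {
    "firmware/Tally.cs": b"count += 2;\n",      # altered after publication
    "firmware/Scanner.cs": b"read_marks();\n",
    "firmware/Hidden.cs": b"override();\n",     # not in the published tree
}

def demo():
    published = file_digests(make_tree(PUBLISHED_FILES))
    loaded = file_digests(make_tree(LOADED_FILES))
    return tree_digest(published) == tree_digest(loaded), compare(published, loaded)

if __name__ == "__main__":
    print(demo())
```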
Re: (Score:1)
Yes, and what prevents the machine from then throwing that away and using the secondary code from the hidden hardware?
You cannot trust any single piece of hardware. That's why I suggested the only way to gain trust is through consensus (multiple parties doing the counting and checking each other).
Re: (Score:1)
Open or closed source, how can you ever be sure what the software is on a device unless you personally compiled and loaded it? And even then what about the compiler and linker you used, the OS you're using, the BIOS and even the hardware itself?
Apparently there are no dependable guarantees. (Score:1)
In the past, Sequoia Voting has not seemed especially knowledgeable: Sequoia e-voting machines disturbingly easy to hack [arstechnica.com]. Quote: "Researchers from the Princeton University Center for Informati
Tag story "noshit". (Score:2)
According to a VP quoted in the press release, 'Security through obfuscation and secrecy is not security.'
About time they figured that out. Although it's probably still just some marketing PR-speak, rather than what they actually think....
Re: (Score:2)
Right. Hell is a bit chilly, but hasn't frozen over until the source is actually released, and it's actually all of it, and under a tolerable license.
Re: (Score:2)
That's what I meant by "actually all of it."
Re: (Score:2)
Right. Hell is a bit chilly, but hasn't frozen over until the source is actually released, and it's actually all of it, and under a tolerable license.
What exactly do you mean by "tolerable license"? They're not planning to open source it (in the sense of allowing people to use it in their own products.)
Re: (Score:3, Insightful)
How about a license that allows people to read it, comment on it (both pro and con) publicly without constraint, and doesn't automatically assume Sequoia owns all voting-related code that person might subsequently write at some point in the future? (Obviously, that assumes the code isn't copied.)
That'd be about my minimum.
Re: (Score:2)
I mean a license where I could look at the source and not have to sign away other rights.
For example: One kind of intolerable license is what the Flash specs used to be available under, which forbade anyone from reading them to develop a player. In other words, if I didn't read the Flash specs, I'd be allowed to work on Gnash, but if I did read the specs, I could only develop authoring and server-side tools.
I believe Adobe has fixed this recently, but you can see why I have a problem with that kind of licen
Re: (Score:3, Informative)
I don't think they are releasing it as open source, or under any open license. Rather, they are planning to publish their proprietary code for all to see.
Spokeswoman Michelle Shafer [...] said the firmware on the company’s new Frontier optical-scan machines is written in C# programming language and runs on Linux. The election management software - which sits on a computer at the election office and is used to create ballots and tabulate votes - runs on Microsoft Windows XP and uses a Microsoft SQL database.
Looks like they use a combination of open and closed source for their OSes. I wonder why they went with C# on Linux?
Re: (Score:1)
I wonder why they went with C# on Linux?
I can only guess... Linux may be the easiest way to get a free OS and tweak it to your needs, since it already runs on everything from your generic PC to your electric toothbrush, then they probably held the opinion that C# was the current fashion in programming languages.
Re:Tag story "noshit". (Score:4, Interesting)
Their use of embedded Linux makes me wonder if their earlier refusals to release their code were legal. Not their C# stuff, or their DB schema or SQL code, but if they took off-the-shelf Linux and resold it, aren't they at least required to make that source available along with any changes, if any, they made?
IANAL or GPL expert, just kind of wondering.
Tag it as... (Score:1)
A step in the right direction (Score:3, Interesting)
Re:A step in the right direction (Score:5, Insightful)
But we need another step: a requirement for a paper audit trail. According to the article, criticism of the Sequoia system first surfaced because some printed output didn't match the electronic totals. Open source is good, but in this case, it's not enough: we must be able to check the reliability of these machines and their operators against a paper record. That doesn't mean that every election has to involve an electronic and a paper count—but the paper will be there if we need it. As the reliability of a given system is proven over time, we'll come to trust it—though I think a cross-check of a statistically significant number of votes would always be a good idea.
Who owns vote data? (Score:2, Interesting)
Read it again. (Score:2)
This is for an optical-scan voting machine. It scans a paper ballot. The paper ballot can be re-counted later - by hand if necessary. No additional audit trail is necessary.
You should be able to take the scanned ballots out of the machine, run them through another machine, and compare the totals. If you do this a dozen times on different machines, and the totals are off by one single vote, there's a serious problem.
Re: (Score:1)
You could feed the ballots through 8 machines that all give you the same, but *wrong*, result.
Re: (Score:2)
Count them manually first. If the machines agree with each other but disagree with the manual count, manually count them again. If you're sure of your manual count and the machines disagree, find out why.
Re: (Score:2)
More work needs to be done; in particular, the government should simply mandate that no proprietary software may be used in any voting machine that is actually used in an election.
Why not? The security of open source comes not from being on the creative commons, but from being seen and commented upon by hundreds of eyes. If Sequoia publishes their source code, and it gets properly vetted by hungry young researchers eager for their first big bug, why would that be any less secure than if the implementation
I'd be more interested in this post (Score:3, Insightful)
"According to a VP quoted in the press release, 'Security through obfuscation and secrecy is not security.'"
Re: (Score:3, Insightful)
How about they release the source code for their old voting machines.
You know, the ones that aren't "optical-scan".
Last I checked, the touchscreen ones are the voting machines that have caused so much grief.
Re: (Score:2)
Pay no attention to the man behind the curtain.
Re: (Score:2)
How about they release the source code for their old voting machines.
You know, the ones that aren't "optical-scan".
Last I checked, the touchscreen ones are the voting machines that have caused so much grief.
Yeah, that's what I was thinking! I think they are doing this in hopes people will forget about that.
-Taylor
Re: (Score:3, Informative)
How about they release the source code for their old voting machines.
You know, the ones that aren't "optical-scan".
Last I checked, the touchscreen ones are the voting machines that have caused so much grief.
The touchscreens are just the tip of the iceberg for problems with electronic voting. It may be the most advertised problem of voting but it certainly isn't the worst problem.
Central tabulation of votes, memory cards, chain of custody of those cards, manipulation of the tabulation database and virtually every part of electronic voting has been a huge problem.
Bev Harris of blackboxvoting.org gained a copy of the GEMS database software and showed how it could easily manipulate votes without much chance of bei
Re: (Score:2)
Security through obfuscation, and secrecy is not security.
Obviously, they are saying that secrecy is useless, but one can obtain security via obfuscation.
VP quote (Score:1)
"According to a VP quoted in the press release, 'Security through obfuscation and secrecy is not security.'"
But obfuscation and secrecy can bring much security! This VP should listen to that other VP, who obfuscated his house and kept his secrets in man-sized safes. He never had a security problem.
It's been tried - U.S.A. election 2004 (Score:1)
Hooray! (Score:5, Insightful)
Wow-- hooray for them!
There are still a lot of things to worry about with electronic voting-- but this goes a long way toward making the process transparent, and transparency (of the vote counting method) is absolutely essential to confidence in the results.
Great news!
Programming Thinking...Again (Score:5, Insightful)
I've said it once, and I will say it again, you can publish ALL the code you want, but
1. In the event of a recount, can I get repeatable results?
2. In the event of a "software bug" can I hold someone responsible, will they pay for the cost of a reelection?
3. In the event of a hardware failure, can I hold someone responsible, are there contingency plans, will someone pay the cost of a reelection?
It's a matter of trust, and what you can put behind your software.
Since this is software, and programmers, the answer to these questions is generally "no" and "nothing".
Elections don't wait for service packs, bug fixes, hot fixes, etc. A flaw in your software could cause chaos.
Simple programmers can't go to jail for negligence, can't get sued for bugs, and can't put anything concrete behind their code.
I can just picture reading the election software EULA, "NO WARRANTY", "NO FITNESS FOR A PARTICULAR PURPOSE", "CONTAINS KNOWN DEFECTS"..
Re: (Score:1)
What the hell is a hot fix?
I've heard this term used so much and it's driving me nuts. I've literally been yelled at by my manager because I can't tell him the number of hot fixes for "Linux", while I'm holding a breakdown of every security patch (rpm/deb/etc).
WHAT is a "hot fix"?
Oh, and just to stay with the conversation in line here, no one is fully accountable for any huge issue that hasn't been tested.
The key is a test of the system beforehand. Most Open Source software is tested in pre-alpha/alpha (d
Re: (Score:2)
1. In the event of a recount, can I get repeatable results?
They should test this with sample ballots. Scan the same set of ballots hundreds of times on different machines, prior to the election. There should be no discrepancies. The margin of error should be zero. If one machine counts one vote incorrectly, don't pay for the machines until the problem is identified and fixed and the test is run again (with a different set of sample ballots).
2. In the event of a "software bug" can I hold someone responsible, will they pay for the cost of a reelection?
These are optical scan machines. In the event of a software bug that causes votes to be miscounted, the bug can be fixed
Re: (Score:2)
Posting the source code to the wider community for review would definitely help with 1. and 2. by increasing the amount of reported bugs and helping the developers to patch them. Hardware failures are a bit more difficult to face down, but hardware is pretty good these days.
You can get all 3 if you want, but the cost would be outrageous. Districts who are struggling to find funding for their schools simply wouldn't be able to pay for all of that. You're essentially asking for the equivalent of 99.999% up
secrecy is not security? (Score:2, Insightful)
Bad Time to be a Sequoia Developer (Score:5, Insightful)
Boss: OK, guys. Marketing and PR has decided to release the source code publicly. You guys said our software is really nice, clean, secure code. So you don't have any problems with that, right?
Developers: Umm, yeah, sure, no problem... You know, we might want to make one or two very minor fixes first... [runs frantically back to computer and pounds away]
Unit Tests? (Score:5, Funny)
I'll take unit tests as a show of interest by the developers that they did, kind of, sorta want to deliver a usable product. What I really want is the regression tests, certified by the fugly, old, chain-smoking harridan who runs QA and haunts the dreams of the developers.
Pesky flags! (Score:2)
Developers: Umm, yeah, sure, no problem... You know, we might want to make one or two very minor fixes first... [runs frantically back to computer and pounds away]
The ifElectionRiggedFlag is proving harder to remove than we thought. That sucker is everywhere. How about we just rename it to ifTesting and set it to false?...and let's rename the forceWinningCandidate and forceWinningParty strings to blank while we're at it.
You're still voting for crooks (Score:1, Insightful)
If you want real democracy, then work on open sourcing the legislative process [metagovernment.org].
Why a delay? (Score:1)
I'd guess it's worries about patents, partners, and other politically related things.
Closed source makes it harder to claim patent infringement, when such things as xor and swinging side-to-side are allowed to be patented.
Re: (Score:3, Interesting)
I'd guess it's worries about patents, partners, and other politically related things.
The solution for Sequoia is pretty simple, write the fancy vote counting machine as an exact emulator of a 1928 IBM 301 tabulating machine, then overclock the emulation a wee bit. Nobody screws around with IBM's patent portfolio, and frankly an overclocked 301 is massive overkill for "counting votes".
http://en.wikipedia.org/wiki/Tabulating_machine
It is really a very elegant solution. Admittedly, I will freaking fall out of my chair laughing if I download their source code and discover this is exactly what
Released in November? (Score:5, Insightful)
And of course if they did the same thing next year - after midterm 2010 elections - we could have an even more dramatic situation on our hands.
Re: (Score:1)
I'll say. It's been a very, very odd year.
optical-scan? (Score:5, Insightful)
The key point here is actually that it's an optical-scan machine! You don't input votes on a keyboard or touchscreen but by feeding in an actual human-readable piece of paper (maybe it asks for confirmation that it read it correctly?), which then gets stored in a lockbox. This is obviously the Right Thing because it gives a built-in hardcopy audit trail.
In short, I think we're missing the SuddenOutbreakofCommonSense tag on this story...
Re: (Score:2)
Added bonus: You need fewer machines. You can have as many simultaneous voters as you've got room to put desks, and just a few machines to scan the completed forms.
Cynicism be damned... (Score:5, Insightful)
So say we find a bug... (Score:2)
So say we find a bug...
Do we disclose it, or do we sell it to the highest bidder?
I mean this assumes the bug will be discovered by at least one honest person who chooses to disclose, right?
-- Terry
Whoa (Score:5, Insightful)
According to a VP quoted in the press release, 'Security through obfuscation and secrecy is not security.'
Amazing. Did anyone notice whether there may have been an alien tentacle wrapped around the VP's throat manipulating his voice and his jaw?
That's such a turnabout (at least in publicly-stated position) that I may get whiplash trying to track.
Of course, words are cheap. We shall see how deeply this new-found wisdom is held.
Comprehensively and fairly open the subject source code for unfiltered public inspection, without explicit or implicit coercion against criticism, and respecting reasonable fair-use rights to quote and comment, and you will get full credit for your Damascus road conversion. Take one step towards intimidation, chilling of discourse, or SLAPP, and we will know that your glib sound-bite was just cheap empty talk.
And for as much or little as Nerd Rage counts, you will experience it.
good step (Score:2, Interesting)
Require Unanimous Vote (Score:1)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The Articles of Confederation required Unanimous consent for changes
to it. Well some criminals convened and came up with the US
Constitution - they did it in secret and nobody signed the document as
a signature, only as witnesses. This is a problem. People have
gotten away from unanimous consent and I think we really need to get
back to the idea that one lone dissenter can and should be able to
stand his ground. I tend to be that one person quite a lot these
days.
T
Subject (Score:2)
See, Diebold? It's not so hard.
Just Because (Score:1)
Re: (Score:2, Insightful)
Dear Sir,
I have googled your ideas and only found forum posts similar to this one.
It does nothing for your credibility. Next time anchor your link or have a crawlable page if you want anyone to see what you have to say.