[CAVO] Open Source Election Software

Lawrence Rosen lrosen at rosenlaw.com
Tue Aug 8 16:26:30 UTC 2017


Here is an article from Linuxinsider.com about open source election
software.

 

http://www.linuxinsider.com/story/Is-the-Path-to-Secure-Elections-Paved-With-Open-Source-Code-84730.html

 

I'm copying the entire article below for your convenience. /Larry

 

************************************

Increased use of open source software could fortify U.S. election system
security, according to an op-ed published last week in The New York Times.

Former CIA head R. James Woolsey and Bash creator Brian J. Fox made their
case for open source elections software after security researchers
demonstrated how easy it was to crack some election machines in the Voting
Machine Hacking Village staged at the recent DefCon hacking conference in
Las Vegas.

"Despite its name, open-source software is less vulnerable to hacking than
the secret, black box systems like those being used in polling places now,"
Woolsey and Fox wrote.

"That's because anyone can see how open-source systems operate," they
explained. "Bugs can be spotted and remedied, deterring those who would
attempt attacks."

Open source software has proven to be so reliable and secure that it's being
used by the U.S. Defense Department, NASA <http://www.nasa.gov/> and the
U.S. Air Force, noted Woolsey and Fox.


Microsoft Resistance 


Despite the benefits of open source software, Microsoft and other companies
selling proprietary voting systems have lobbied aggressively against moving
to open source, Woolsey and Fox contended.

"If the community of proprietary vendors, including Microsoft, would support
the use of open-source model for elections, we could expedite progress
toward secure voting systems," they suggested.

Microsoft did not respond to our request to comment for this story.

"There's a role for proprietary software," said Lawrence Rosen, an
intellectual property attorney with Rosenlaw & Einschlag
<http://rosenlaw.com/> and former general counsel for the Open Source
Initiative.

"Everything doesn't have to be open source," he told LinuxInsider, "but when
we're talking about elections software that requires the confidence of the
voters, that's different from whether my car radio is proprietary or open." 


Cracking Fest 


Woolsey and Fox's Times piece was particularly timely, coming as it did on
the heels of the cracking fest at the Voting Machine Hacking Village.

"They confirmed what we already knew," said James Scott, a senior fellow at
the Institute for Critical Infrastructure Technology
<http://www.icitech.org/>. "These are extremely vulnerable machines."

"Think of what a voting machine is," he told LinuxInsider. "It's a 1980s PC
with zero endpoint security in a black box where the code is proprietary and
can't be analyzed."

Although the researchers at DefCon impressed the press when they physically
hacked the voting machines in the village, there are more effective ways to
crack an election system.

"The easiest way to hack an election machine is to poison the update on the
update server at the manufacturer level before the election," Scott
explained. "Then the manufacturer distributes your payload to all its
machines for you." 


Security Through Obscurity 


Advocates for open source elections software argue that more transparency is
needed in the systems.

"With closed source systems, you really have no idea what they're doing,"
said Nicko van Someren, executive director for the core infrastructure
initiative at The Linux Foundation.

"Diligent states will do some sort of auditing of their own, but we know
from history that any sort of security audit on any sort of code seldom
shows up everything," he told LinuxInsider.

"The more people you have examining the code, the more vulnerabilities
you're likely to find," van Someren added.

Although largely discredited, a belief persists that keeping source code
secret is more secure than open sourcing code.

"That's wrong-minded," van Someren said. "In practice, hackers can look at
binaries and still find vulnerabilities."

Still, an ostrich attitude about security still prevails at some businesses,
according to Brian Knopf, senior director of security research at Neustar
<http://www.neustar.biz/>.

"There are still some companies that have the idea that if they bury their
head in the sand, if I ignore everyone else and don't provide access, then
no one will find anything," he told LinuxInsider. "Clearly, that's not the
truth." 


Can't Hack Paper 


If elections systems makers aren't willing to go the open source route, they
at least need to open their code to expert eyes outside their organizations,
maintained Mark Graff, CEO of Tellagraff <http://www.tellagraff.com/>.

"The source could be placed in escrow so an expert panel could look at it,"
he told LinuxInsider, "but I don't think that's worked in the past, and I
don't know if you could line up the commercial interests to agree to do what
the experts say."

A simpler solution to the security problem involves paper ballots and
post-election ballot auditing, said Barbara Simons, president of
VerifiedVoting <http://www.verifiedvoting.org/>.

After all the votes are cast, a sampling of paper ballots would be compared
manually to the electronic tally to determine the accuracy of the vote.

"Open source is a good thing -- we support it -- but there are always bugs
that are not going to be caught," Simons told LinuxInsider.

"What we need are paper ballots and manual post-election ballot audits," she
said.

"If we have those, even with proprietary software, we can protect our
election from being hacked," Simons maintained. "You can't hack paper." 

  _____  

John P. Mello Jr. has been an ECT News Network reporter since 2003. His
areas of focus include cybersecurity, IT issues, privacy, e-commerce, social
media, artificial intelligence, big data and consumer electronics. He has
written and edited for numerous publications, including the Boston Business
Journal, the Boston Phoenix, Megapixel.Net and Government Security News.
Email John. <mailto:john.mello at newsroom.ectnews.com> 

 

 

Lawrence Rosen

Rosenlaw (www.rosenlaw.com)

3001 King Ranch Rd., Ukiah, CA 95482

Cell: 707-478-8932 

 
