[CAVO] Open Source Election Software

Brent Turner turnerbrentm at gmail.com
Tue Aug 8 16:36:17 UTC 2017 

Please use real nyt article rather than this proprietary community rewrite
that eliminates cavo and disinforms toward paper ballot

On Tue, Aug 8, 2017 at 9:26 AM Lawrence Rosen <lrosen at rosenlaw.com> wrote:

> Here is an article from Linuxinsider.com about open source election
> software.
>
>
>
>
> http://www.linuxinsider.com/story/Is-the-Path-to-Secure-Elections-Paved-With-Open-Source-Code-84730.html
>
>
>
> I'm copying the entire article below for your convenience. /Larry
>
>
>
> ************************************
>
> Increased use of open source software could fortify U.S. election system
> security, according to an op-ed published last week in *The New York
> Times*.
>
> Former CIA head R. James Woolsey and Bash creator Brian J. Fox made their
> case for open source elections software after security researchers
> demonstrated how easy it was to crack some election machines in the Voting
> Machine Hacking Village staged at the recent DefCon hacking conference in
> Las Vegas.
>
> "Despite its name, open-source software is less vulnerable to hacking than
> the secret, black box systems like those being used in polling places now,"
> Woolsey and Fox wrote.
>
> "That's because anyone can see how open-source systems operate," they
> explained. "Bugs can be spotted and remedied, deterring those who would
> attempt attacks."
>
> Open source software has proven to be so reliable and secure that it's
> being used by the U.S. Defense Department, NASA <http://www.nasa.gov/>
> and the U.S. Air Force, noted Woolsey and Fox. [image:
> http://www.linuxinsider.com/adsys/count/9675/?nm=a-ilin_160-1us&ENN_rnd=15022087902837&ign=0/ign.gif]
> Microsoft Resistance
>
> Despite the benefits of open source software, Microsoft and other
> companies selling proprietary voting systems have lobbied aggressively
> against moving to open source, Woolsey and Fox contended.
>
> "If the community of proprietary vendors, including Microsoft, would
> support the use of open-source model for elections, we could expedite
> progress toward secure voting systems," they suggested.
>
> Microsoft did not respond to our request to comment for this story.
>
> "There's a role for proprietary software," said Lawrence Rosen, an
> intellectual property attorney with Rosenlaw & Einschlag
> <http://rosenlaw.com/> and former general counsel for the Open Source
> Initiative.
>
> "Everything doesn't have to be open source," he told LinuxInsider, "but
> when we're talking about elections software that requires the confidence of
> the voters, that's different from whether my car radio is proprietary or
> open."
> Cracking Fest
>
> Woolsey and Fox's *Times* piece was particularly timely, coming as it did
> on the heels of the cracking fest at the Voting Machine Hacking Village.
>
> "They confirmed what we already knew," said James Scott, a senior fellow
> at the Institute for Critical Infrastructure Technology
> <http://www.icitech.org/>. "These are extremely vulnerable machines."
>
> "Think of what a voting machine is," he told LinuxInsider. "It's a 1980s
> PC with zero endpoint security in a black box where the code is proprietary
> and can't be analyzed."
>
> Although the researchers at DefCon impressed the press when they
> physically hacked the voting machines in the village, there are more
> effective ways to crack an election system.
>
> "The easiest way to hack an election machine is to poison the update on
> the update server at the manufacturer level before the election," Scott
> explained. "Then the manufacturer distributes your payload to all its
> machines for you."
> Security Through Obscurity
>
> Advocates for open source elections software argue that more transparency
> is needed in the systems.
>
> "With closed source systems, you really have no idea what they're doing,"
> said Nicko van Someren, executive director for the core infrastructure
> initiative at The Linux Foundation.
>
> "Diligent states will do some sort of auditing of their own, but we know
> from history that any sort of security audit on any sort of code seldom
> shows up everything," he told LinuxInsider.
>
> "The more people you have examining the code, the more vulnerabilities
> you're likely to find," van Someren added.
>
> Although largely discredited, a belief persists that keeping source code
> secret is more secure than open sourcing code.
>
> "That's wrong-minded," van Someren said. "In practice, hackers can look at
> binaries and still find vulnerabilities."
>
> Still, an ostrich attitude about security still prevails at some
> businesses, according to Brian Knopf, senior director of security research
> at Neustar <http://www.neustar.biz/>.
>
> "There are still some companies that have the idea that if they bury their
> head in the sand, if I ignore everyone else and don't provide access, then
> no one will find anything," he told LinuxInsider. "Clearly, that's not the
> truth."
> Can't Hack Paper
>
> If elections systems makers aren't willing to go the open source route,
> they at least need to open their code to expert eyes outside their
> organizations, maintained Mark Graff, CEO of Tellagraff
> <http://www.tellagraff.com/>.
>
> "The source could be placed in escrow so an expert panel could look at
> it," he told LinuxInsider, " but I don't think that's worked in the past,
> and I don't know if you could line up the commercial interests to agree to
> do what the experts say."
>
> A simpler solution to the security problem involves paper ballots and
> post-election ballot auditing, said Barbara Simons, president of
> VerifiedVoting <http://www.verifiedvoting.org/>.
>
> After all the votes are cast, a sampling of paper ballots would be
> compared manually to the electronic tally to determine the accuracy of the
> vote.
>
> "Open source is good thing -- we support it -- but there are always bugs
> that are not going to be caught," Simons told LinuxInsider.
>
> "What we need are paper ballots and manual post-election ballot audits,"
> she said.
>
> "If we have those, even with proprietary software, we can protect our
> election from being hacked," Simons maintained. "You can't hack paper." [image:
> http://www.ectnews.com/images/end-enn.gif]
> ------------------------------
>
> [image:
> http://www.linuxinsider.com/images/rws620514/John%20P.%20Mello%20Jr..jpg]*John
> P. Mello Jr.* has been an ECT News Network reporter since 2003. His areas
> of focus include cybersecurity, IT issues, privacy, e-commerce, social
> media, artificial intelligence, big data and consumer electronics. He has
> written and edited for numerous publications, including the *Boston
> Business Journal*, the *Boston Phoenix*, *Megapixel.Net* and *Government
> Security News*. Email John. <john.mello at newsroom.ectnews.com>
>
>
>
>
>
> Lawrence Rosen
>
> Rosenlaw (www.rosenlaw.com)
>
> 3001 King Ranch Rd., Ukiah, CA 95482
>
> Cell: 707-478-8932
>
>
> _______________________________________________
> CAVO mailing list
> CAVO at opensource.org
> https://lists.opensource.org/cgi-bin/mailman/listinfo/cavo
>
-- 
Sent from Gmail Mobile
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensource.org/pipermail/cavo_lists.opensource.org/attachments/20170808/364a9caf/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.gif
Type: image/gif
Size: 43 bytes
Desc: not available
URL: <http://lists.opensource.org/pipermail/cavo_lists.opensource.org/attachments/20170808/364a9caf/attachment.gif>

More information about the CAVO mailing list