Counting Votes is Pointless When Voting Machines Are Closed-Source
Although I’m not a very eloquent writer, I’ve tried to stress the importance of voting machines running on Open Source software, instead of Closed Source software.
Please understand: There is no point in having elections when the voting machine source code is a secret (a.k.a. Closed-Source). No point whatsoever.
How much faith would you have in a system where everyone passed their ballots under the door of a dark closet where one man is trusted to announce the results at the end?
Would that make sense to you? Would you trust that man to be honest? Would you still bother voting?
Of course not.
However, this is exactly what closed-source voting machines are. There are a handful of guys who write the code and then keep it a secret. That code is then used to tabulate the results, and then we just trust whatever it says.
Doesn’t anyone realize how bat-shit-insane that is?!?
Think I’m nuts? Watch this video:
Want to watch someone actually rig a random voting machine? Watch the last half of Hacking Democracy:
Here’s a short clip about a different Diebold model, although it’s not documented as well as the video above:



Wednesday, March 5th 2008 at 7:30 pm
I strongly disagree with you. The problem with open source is that all it would take would be one person smarter than those that coded it to locate a hole and go through it. With proper cryptography and proper numerical checking a closed source program would be far safer.
Wednesday, March 5th 2008 at 8:13 pm
Logan,
Thank you for your comment!
The problem with closed source is that said “person smarter than those that coded it” exists regardless of whether the code is open for world-wide peer review or kept secret. Said malicious person can “locate a hole and go through it” as things are right now. The difference is that with closed source voting machines, only the people with malicious intent will be looking for these holes, and the holes they find will also be kept secret, whereas if you were to make the source code open for peer-review, every programmer on the planet can look for the holes - and point them out before the software is used for voting.
Luckily, history is on my side in this regard. You need only examine the security track record of Closed Source operating systems or encryption algorithms and compare them to their Open Source counterparts to be convinced.
Wednesday, March 5th 2008 at 8:27 pm
Logan, I think history has shown that security-through-obscurity simply does not work. ‘Proper cryptography’ and ‘proper numerical checking’ is not a true representation when comparing both open source and closed source on their merits. If everything was done ‘properly’ there would not be a problem in the first place. The issue here is with regard to ‘improper’ actions and situations where the solution fails.
Using your logic, the same could be said that ‘proper’ code auditing of an open source solution would circumvent any security hole as well. What is not clear is what you qualify as ‘proper’ security. You are correct in saying that all it takes is one person smarter than the collective group of developers to find a hole - I agree. However, this is true regardless of whether the software is open source or not. The real issue here is whether or not these holes would be proactively sought, discovered and fixed, or would they be kept secret due to the closed nature of the code.
I for one have more confidence in a larger collective body of developers auditing the code transparently, than to entrust this on a closed system and a restricted and reduced development team.
You admit yourself that all it takes is one person to be smarter than the development team, so how does having a smaller pool of developers and a closed system of code auditing mitigate these risks at all?
It is simple. They do not. It is the myth of closed source software that somehow not being able to see the source adds another layer of security to the overall solution. As I have already stated, history has clearly shown this is simply untrue.
Wednesday, March 5th 2008 at 8:53 pm
In response to Logan: How can you, the public, trust the closed source program to include proper cryptography or even proper numerical checking?
In Hamburg, Germany an electronic pen voting system was approved for use without being sufficiently reviewed by the security oversight committee. This system was defeated in two different ways by outsiders before the first wide-scale use of the tech. One method involved manipulating the dot pattern used by the pen to track where it is on the paper; the other was via a “trojan pen” which carried a payload that gave the attacker unrestricted access to the Windows-based docking system that stored/tallied the results. These hacks were performed by a few geeks (the security experts in this article: http://news.monstersandcritics.com/europe/news/article_1373725.php/Germans_abandon_plan_for_2008_electronic_voting) in their spare time. For anyone who speaks German, here is the link to the presentation at 24c3: http://events.ccc.de/congress/2007/Fahrplan/events/2371.en.html
Security through obscurity (proprietary/closed technology) is not real security at all. Even the US government underwent several years of open review when choosing the cypher for the AES encryption standard. The latent benefit of open review was that the government had the entire cryptographic community freely contributing to the decision process.