Source Code Disclosure

 
 
By Lisa Vaas  |  Posted 2007-07-30 Email Print this article Print
 
 
 
 
 
 
 


Would open-sourcing all code that goes into e-voting hardware and software help to avoid security holes? Sequoias Shafer argues that code is already reviewed, if not open-sourced. "Current voting systems undergo certification, inspection and review processes which provide authorized reviewers with access to software source code and reports on system performance, in a form of disclosed source," she wrote in a report from the Election Technology Council as a response to amendments to the Help America Vote Act. But whos testing the code testers? The largest tester of the countrys voting machines, a company called Ciber Inc., last summer was temporarily barred from approving new machines after feds found it wasnt following its own quality-control procedures and couldnt document whether it was actually conducting all required tests, according to a January 2007 article in The New York Times (requires free registration to view articles).
As the Times pointed out, if the reliability of Cibers tests have been called into question, that calls into question everything the company tested, including vote-counting software and security on many machines now in use.
"Whats scary is that weve been using systems in elections that Ciber had certified, and this calls into question those systems that they tested," Aviel D. Rubin, a computer science professor at Johns Hopkins, was quoted as saying in the Times article. Source code for e-voting systems is now "disclosed" in a number of ways. It is supplied to the Voting System testing Laboratories, which is accredited by the Election Assistance Commission (EAC) for use in testing and certifying voting systems. Many states also require manufacturer source code to be kept in escrow. Executable software also is required to be submitted to the National Institute of Standards and Technology (NIST) in order to produce hash codes, which can then be used to determine that a jurisdiction has the right version of certified software. As far as open-sourcing the code goes, though, Shafer suggests that full, unfettered public access could actually result in providing a potential criminal with the tools to rig an election. "Recently, someone claimed to have created a key to a Diebold voting units compartment by simply printing a picture of the key from a Web site and subsequently created a key made from the design. Many of those who are adamantly calling for full disclosure, to any person, are the very same people who called the release of this key a security flaw," Shafer said. "The key is just one layer of the defense provided on the devices, just as keeping the source code confidential is a layer of defense. … Providing the source code to the public removes that layer of security and could make it easier for someone to attempt to defraud an election."
Another aspect to the open-source debate thats often overlooked, Shafer said, is that current legislative proposals to open-source e-voting code makes no distinction between e-voting system manufacturers and third-party software makers such as Microsoft, which markets the Windows CE program used as an operating system for some parts of some voting systems. Read more here why the impact of e-voting glitches in the 2006 election was less than anticipated. "These third-party packages are useful in designing robust products, as the manufacturers dont have to re-invent a wheel that has been tried and trued by other developers," Shafer said. "Legally, manufacturers cannot provide source code for these third-party software programs or provide the names of the programmers involved in the creation of the third-party software." Meanwhile, DeForest Soaries, former chairman of the EAC, in June 2004 came out with a series of nonbinding suggestions for how to open-source e-voting code. First, he said, the EAC should ask that e-voting systems makers release source code to states under nondisclosure agreements. The code would then be made accessible to computer scientists in each state who would be asked to sign the NDA before reviewing the code. After that, Soaries said, an existing National Software Reference Library run by the Department of Commerce should be used as a repository in which to store the source code. States could then check their machines firmware to ensure theyre running the version theyre supposed to be running. Soaries final suggestion is for states to undertake enhanced security measures, such as cryptography, come November. Finally, problems with e-voting systems should be compiled and analyzed. At this point, theres no central federal database that lists all the problems known to exist in current e-voting systems. Open-source e-voting code was easier in Australia. The country seems to be doing just fine with its Linux-based systems, which are called eVACS (Electronic Voting and Counting System) and made by a company called Software Improvements. But thats Australia. At this point, its not looking like the 2008 U.S. elections will see a significantly improved e-voting scene in this country. Editors Note: This story was updated to include a reference to The New York Times article. Also, DeForest Soaries status as former EAC chairman was corrected, as was the date of when he gave his recommendations to fix e-voting security. Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.


 
 
 
 
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel