[E-voting] UK govt circular mentions open-source e-voting
caburt at alphalink.com.au
Thu Jul 21 06:43:50 IST 2005
An incident where someone was able to contribute code to the Linux
kernel which had a very subtle Trojan in it is a good example of how at
least one OSS acceptance methodology is quite robust. That is, even
though it looks like another hack (a root kit) allowed the contribution
of malware in the first place, the use of a proper source control system
overseen by a number of people caught this hack in a very short time.
It is my opinion that the loose association among contributors to this
and other OSS projects has resulted in hardened acceptance mechanisms
being more common. In contrast, I have seen weaker controls and weaker
process over access to source code within private companies where I
have worked. The strength of the acceptance system is possibly assumed
to be perimeter security, or that all insiders are trustworthy.
The media painted the attempted Linux hack as a bad thing; in fact it is
a good thing.
An e-voting application could be an open source development in my
opinion, with contributions from untrusted sources, if the acceptance
and code control mechanisms are good enough. If the software was then
code-audited, compiled and signed by some testing lab this would be
better. But being able to check the signature on the running code would
require a trusted supervising application or trusted device and probably
network to a common trust party hosting a verification and revocation
service. At least the openness of the development might attract
computer science classes of students to pick through the code.
cansbro at eircom.net wrote:
>I hope that some folks over there realise that open source is NOT an answer
>to avoiding election fraud.
>There are too many points of vulnerability. Virtually impossible to ever
>prove that what was run on a machine was only what was tested/approved.
>Too easy to manipulate (e.g. put in a trojan that does its business then
>removes all trace of itself). No chance that every voting machine and
>every piece of software will undergo forensic testing to prove that all was
>well. No chance that fraudulent results could be counted on to be
>obviously fraudulent--in fact, fraud is more likely to avoid drawing
>attention to itself.
>I sure hope they wake up over there. There's problems with a group in the
>USA trying to promote open source as a solution. They are ignoring the
>horrendous problems revealed by recent security tests that show the
>machines were designed in a way to facilitate hacking through various
>modalities. (see blackboxvoting.org for details)
>From: A.J.Delaney at brighton.ac.uk
>Date: Wed, 20 Jul 2005 16:22:00 +0100
>To: e-voting at lists.stdlib.net
>Subject: [E-voting] UK govt circular mentions open-source e-voting
>We're not an open-source group, yada yada, however this may be of
>interest to some
>" E-voting: with the transition to e-voting, political parties
> or the public might wish to inspect any software used in
> the process to counter electoral fraud or vote-rigging.
> Some say that OSS is one possible way of doing this
> because the source-code is freely available to anyone
> wishing to scrutinise it."