[E-voting] UK govt circular mentions open-source e-voting

Craig Burton caburt at alphalink.com.au
Thu Jul 21 06:43:50 IST 2005


Catherine,

An incident where someone was able to contribute code to the Linux 
kernel which had a very subtle Trojan in it is a good example of how at 
least one OSS acceptance methodology is quite robust.  That is, even 
though it looks like another hack (a root kit) allowed the contribution 
of malware in the first place, the use of a proper source control system 
overseen by a number of people caught this hack in a very short time.  
It is my opinion that the loose association among contributors to this 
and other OSS projects has resulted in hardened acceptance mechanisms 
being more common.   In contrast, I have seen weaker controls and weaker 
process over access to source codes within private companies where I 
have worked.   The strength of the acceptance system is possibly assumed 
to be perimeter security, or that all insiders are trustworthy.

The media painted the attempted Linux hack as a bad thing; in fact it is 
a good thing.
http://www.apcmag.com/apc/v3.nsf/0/06F992F180384F75CA256E12000087DD

An evoting application could be an open source development in my 
opinion, with contributions from untrusted sources, if the acceptance 
and code control mechanisms are good enough.  If the software was then 
code-audited, compiled and signed by some testing lab this would be 
better.  But being able to check the signature on the running code would 
require a trusted supervising application or trusted device and probably 
network to a common trust party hosting a verification and revocation 
service.  At least the openness of the development might attract 
computer science classes of students to pick through the code.

Best,
Craig

cansbro at eircom.net wrote:

>Aidan,
>
>I hope that some folks over there realise that open source is NOT an answer
>to avoiding election fraud.  
>
>There are too many points of vulnerability.  Virtually impossible to ever
>prove that what was run on a machine was only what was tested/approved. 
>Too easy to manipulate (e.g. put in a trojan that does its business then
>removes all trace of itself).  No chance that every voting machine and
>every piece of software will undergo forensic testing to prove that all was
>well.  No chance that fraudulent results could be counted on to be
>obviously fraudulent--in fact, fraud is more likely to avoid drawing
>attention to itself.
>
>I sure hope they wake up over there.  There's problems with a group in the
>USA trying to promote open source as a solution.  They are ignoring the
>horrendous problems revealed by recent security tests that show the
>machines were designed in a way to facilitate hacking through various
>modalities.  (see blackboxvoting.org for details)
>
>Catherine
>
>Original Message:
>-----------------
>From:  A.J.Delaney at brighton.ac.uk
>Date: Wed, 20 Jul 2005 16:22:00 +0100
>To: e-voting at lists.stdlib.net
>Subject: [E-voting] UK govt circular mentions open-source e-voting
>
>
>Hey all,
>We're not an open-source group, yada yada, however this may be of
>interest to some
>" E-voting: with the transition to e-voting, political parties
> or the public might wish to inspect any software used in
> the process to counter electoral fraud or vote-rigging.
> Some say that OSS is one possible way of doing this
> because the source-code is freely available to anyone
> wishing to scrutinise it."
>from 
>http://www.parliament.uk/documents/upload/POSTpn242.pdf
>
>  
>


