Electronic voting software code was left unprotected by a contractor, then accessed and republished, according to Wired News E-Vote Software Leaked Online. A company spokesman for Sequoia Voting Systems stated that the disclosure of its code did not compromise the security of the system itself.
The recent history of such leaks involving Diebold software suggests that the disclosure may yield more benefit than harm, by opening once-secret proprietary code to independent security analysis. (Read more ... )
An unrelated disclosure of Diebold software in January led to software analysis of it at Johns Hopkins and Rice. Their report of security flaws (PDF) includes their recognition that "the integrity of the election process is fundamental to the integrity of democracy itself. And, unsurprisingly, history is littered with examples of elections being manipulated in order to
influence their outcome."
The analysts noted that despite warnings about security concerns with new computerized voting systems, "neither source code nor the results of any third-party certification analyses have been available for the general population to study, because vendors claim that secrecy is a necessary requirement to keep their systems secure."
The report detailed technical standards against which they evaluated the revealed software, and, in its abstract stated that "this voting system is far below even the most minimal security standards applicable in other contexts," and emphasized "the fallacy of the closed-source argument for such a critical system." Only once the code became accessible for independent tests were the security flaws disclosed.
These issues echo the cautions of security experts such as Bruce Schneier, author of Secrets and Lies.
This critical report led to an audit by the State of Maryland, which proceeded with installation of the system after encryption and digital rights management tools recommended in a SAIC report (PDF) were incorporated into the Diebold system and the state e-voting process.
Posted by dougsimpson at October 31, 2003 10:15 AM | TrackBack