Increased use of open source software could fortify U.S. election system security, according to former CIA head R. James Woolsey and Bash creator Brian J. Fox. The two made their case for open source elections software after security researchers demonstrated how easy it was to crack some election machines at the recent DefCon hacking conference in Las Vegas. “Despite its name, open-source software is less vulnerable to hacking than the secret, black box systems like those being used in polling places now,” Woolsey and Fox wrote.
The misconception being promulgated here is that "more eyes looking at the code" equates to "security". This could not be further from the truth. I am an avid supporter of open source technologies, and a career open source security practitioner, and I can tell you that there is far more to securing elections than simply "looking" at the voting application's code. For example, "testing" the code in a runtime environment for known vulnerabilities would yield greater confidence that the application is actually secure.
At the present time, a quick search of the National Vulnerability Database with the keyword "Linux kernel" returns 2,340 matching records. In the scheme of "more eyes" security, who would be "looking" for these underlying vulnerabilities?
https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=Linux%20kernel&search_type=all
But leaving aside the underlying Linux operating system vulnerabilities and focusing exclusively on the voting application code, who in the "more eyes" security scheme is going to check the code against vulnerability categories?
https://nvd.nist.gov/vuln/categories
Open source is made secure by a series of security techniques that are applied to the platform: run-time testing the voting application, hardening the operating system, addressing the hardware's attack vectors, and penetration testing are a few of these security techniques.
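The "who is looking" question in the comment above has a concrete answer in practice: an inventory of what is actually installed on the machine is matched against NVD records by product and version range, and the hits are grouped by CWE category. That is a tooling step, not a code-reading step, which is the commenter's point. The following is an added example (not code from the article, the commenter, or any election-system vendor) that does this matching offline. It assumes records shaped like the NVD API 2.0 `cve` object (`id`, `weaknesses[].description[].value`, `configurations[].nodes[].cpeMatch[]` with `criteria` and the `versionStart*`/`versionEnd*` bounds); the records, CVE ids (`CVE-0000-000N`), the `example:ballot_app` product and every version range are constructed placeholders, not real vulnerabilities.

```python
"""Match an installed-software inventory against NVD-shaped CVE records, offline.

Added example; the records below are CONSTRUCTED samples with placeholder ids,
not real CVEs. Assumed record shape: the NVD API 2.0 `cve` object.
"""
import re


def parse_version(text):
    """'4.4.0-116-generic' -> (4, 4, 0, 116); text with no digits -> (0,)."""
    return tuple(int(n) for n in re.findall(r"\d+", text)) or (0,)


def compare(a, b):
    """Three-way compare of dotted versions; shorter tuples are zero-padded so '4.4' == '4.4.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def in_range(installed, match):
    """Apply the versionStart*/versionEnd* bounds of one NVD cpeMatch entry."""
    lo_inc, lo_exc = match.get("versionStartIncluding"), match.get("versionStartExcluding")
    hi_inc, hi_exc = match.get("versionEndIncluding"), match.get("versionEndExcluding")
    if lo_inc and compare(installed, lo_inc) < 0:
        return False
    if lo_exc and compare(installed, lo_exc) <= 0:
        return False
    if hi_inc and compare(installed, hi_inc) > 0:
        return False
    if hi_exc and compare(installed, hi_exc) >= 0:
        return False
    return True


def cpe_fields(criteria):
    """cpe:2.3:<part>:<vendor>:<product>:<version>:... -> (vendor, product, version)."""
    parts = criteria.split(":")
    return parts[3], parts[4], parts[5]


def cve_applies(cve, inventory):
    """True if any vulnerable cpeMatch names an installed (vendor, product) at an affected version.

    Simplification (assumption): nodes are treated with OR semantics; AND/negate
    combinations of running-on/with platforms are not evaluated here.
    """
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for m in node.get("cpeMatch", []):
                if not m.get("vulnerable", False):
                    continue  # platform context entry, not an affected product
                vendor, product, version = cpe_fields(m["criteria"])
                installed = inventory.get((vendor, product))
                if installed is None:
                    continue
                if version not in ("*", "-"):  # exact version pinned in the CPE itself
                    if compare(installed, version) == 0:
                        return True
                    continue
                if in_range(installed, m):
                    return True
    return False


def applicable_cves(records, inventory):
    """Return [{'id': ..., 'cwe': [...]}] for every record that applies, sorted by id."""
    hits = []
    for cve in records:
        if cve_applies(cve, inventory):
            cwes = sorted({d["value"] for w in cve.get("weaknesses", [])
                           for d in w.get("description", [])})
            hits.append({"id": cve["id"], "cwe": cwes})
    return sorted(hits, key=lambda h: h["id"])


def _record(cve_id, cwe, *matches):
    """Build one constructed NVD-shaped record (placeholder id, not a real CVE)."""
    return {"id": cve_id,
            "weaknesses": [{"source": "example", "type": "Primary",
                            "description": [{"lang": "en", "value": cwe}]}],
            "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                                           "cpeMatch": list(matches)}]}]}


KERNEL = "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*"
SAMPLE_RECORDS = [  # constructed samples
    _record("CVE-0000-0001", "CWE-416",
            {"vulnerable": True, "criteria": KERNEL,
             "versionStartIncluding": "4.0", "versionEndExcluding": "4.8.3"}),
    _record("CVE-0000-0002", "CWE-119",
            {"vulnerable": True, "criteria": KERNEL, "versionEndExcluding": "3.19"},
            {"vulnerable": False, "criteria": "cpe:2.3:h:example:voting_terminal:*:*:*:*:*:*:*:*"}),
    _record("CVE-0000-0003", "CWE-89",
            {"vulnerable": True, "criteria": "cpe:2.3:a:example:ballot_app:1.2:*:*:*:*:*:*:*"}),
    _record("CVE-0000-0004", "CWE-79",
            {"vulnerable": True, "criteria": "cpe:2.3:a:example:ballot_app:1.3:*:*:*:*:*:*:*"}),
]
SAMPLE_INVENTORY = {  # constructed inventory of one machine: (vendor, product) -> version
    ("linux", "linux_kernel"): "4.4.0-116-generic",
    ("example", "ballot_app"): "1.2",
}

if __name__ == "__main__":
    for hit in applicable_cves(SAMPLE_RECORDS, SAMPLE_INVENTORY):
        print(hit["id"], ",".join(hit["cwe"]))
```

On a real system the inventory would come from the package manager and `uname -r`, and the records from a downloaded NVD feed; the matching logic is the same. Note the kernel record that does not fire: the installed 4.4.0 kernel is outside the `< 3.19` range, which is exactly the kind of version-range reasoning that reading source code does not give you.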
No. As with so many tech solutions, the focus here is successfully solving a "problem" without bothering to ask if what they are doing may have unintended consequences. Here techies distract from the real problem: The political right has no interest in developing secure elections in which everyone can vote. They have strong interests in allowing states to determine voting because they control states. This work distracts from that problem, and seems to offer a "solution" that is not only politically impossible, but ignores the real issue. I think you need someone on staff who can see beyond a computer screen.
Is the Path to Secure Elections Paved With Open Source Code?
Posted by: John P. Mello Jr. August 8, 2017 05:00 AM