NY Legislature Rejects "Microsoft Amendment"

An anonymous reader writes "Finally, some good news on electronic voting. The New York state legislature rejected an amendment proposed by Microsoft's lobbyists which would have gutted New York's requirements for voting machine vendors to turn over their source code to the state Board of Elections. Assemblywoman Barbara Lifton commented: 'The voting machine vendors have known for two years what our laws said. Now they're saying that those parts of their systems using Microsoft software have to be proprietary? It's just wrong.'"

Nothing to see here. Move along.

[WilliamSChips]

Right next to a MS ad, even.

Re:Nothing to see here. Move along.

[Vulva R. Thompson, P]

I click on them all the time.

It's a deliciously satisfying way of transferring cold hard cash from Microsoft's wallet to Slashdot and Google.

Re:Nothing to see here. Move along.

[jamie]

You rock!!

Re:Nothing to see here. Move along.

[lena_10326]

I click on them all the time. It's a deliciously satisfying way of transferring cold hard cash from Microsoft's wallet to Slashdot and Google.

And you're also diluting the CPA, which is the real measure of ad performance. http://en.wikipedia.org/wiki/Cost_Per_Action [wikipedia.org]

Of course, you by yourself won't have much impact but there would be if 1% of Slashdot's reader base did.

Sorry, I missed that...

[msauve]

damn Proxomitron [proxomitron.info].

Was I the only one?

[pooh666]

Who reacted with a HA! HA! Nelson is my copilot...

no its not

[Zeinfeld]

I agree that the voting code should be published.

But platform code that is obtained from a third party vendor should be acceptable provided that it is widely used as a general purpose platform and there is a reliable demonstration that the code has not been modified.

I would rather see voting platforms built on microsoft trustworthy computing platforms without code review of the platform part of the system than built on a platform where I cannot be sure what code is running.

The code reviews are useless unless I am sure that the machines actually run the code that was reviewed.

Of course paper and pencil requires no code review.

Re:no its not

[WindBourne]

The voting system in old USSR, Current China, Cuba, taliban controlled afghanastan, etc were on systems that were widely used. Personally, I would not trust them. Why settle for a system like MS, when you can insist on having no chance of an illegal election. NY has it right. Insist on all the code up front. Have it compile and then that is installed on the systems. Otherwise, the ppl from other countries have it right; There is NOTHING wrong with a paper vote other than taking so long.

Paper ballots

[Nick Driver]

There is NOTHING wrong with a paper vote other than taking so long.
Oh yeah? What about the honesty of the people who are counting those paper votes.

Ballot-stuffing and outright deliberate miscounts can and still do happen with paper votes. Even right here in the USA, and even right here in my home state of Texas [wikipedia.org] not that very long ago.

Re:Paper ballots

[timmarhy]

thats why you don't trust them, and make them count in pairs with strict oversight, rotating the pairs and doing random checks. clearly you know nothing of how they count ballots.

Re:

[Kadin2048]

What's your point? If the election staff are compromised, then no voting system in the world (at least as long as you want one that's anonymous) is going to save you. An electronic system certainly isn't -- in fact it's going to make vote-tampering that much harder to detect.

Oversight and complete transparency are the only weapons against corruption.

Re:

[lawpoop]

The thing with paper ballots is that attempts at fraud leave a much wider trail of evidence. There are more people involved, You know that boxes of votes are missing, or you can actually determine if particular ballots are a result of stuffing by examining them. And you can count the again, leaving out whatever fraudulent ballots might exist.

The fact that you can point to clear cases of paper election fraud shows the resiliency of this system.

Meanwhile, it is within the realm of possibility that the elec

Re:

[dotwaffle]

You have the code? Do you have the code to the compiler?

Ok, it's GNU C Compiler. Do you have the blueprints for the chip so that you can tell it's not doing it's own routines whenever an interrupt is generated?

Oh, it's SPARC. Ok, here's one that'll get you - have you got at least two independant sources checking through the stack from top to bottom, making sure everything is ok? That's a shit-ton of code, I bet no-one does.

Trust no code you didn't write yourself. And even then, did you write *everything* -

Simplify the hardware

[Stephen Ma]

Simplify the hardware; you don't need the latest, fanciest CPU if all you want to do is count.

Buy a batch of Z-80s or even 8080s; they are still being made. The design is so old that it's unlikely to have been compromised; but if you are really paranoid, the circuitry of an 8-bit CPU is simple enough that you could easily verify it by hand. Build a little voting box around one of those chips, and you're done.

The design would take half a year and cost less than a $1 million -- which is peanuts when the goal is to ensure the honesty of a democracy's most important event.

8-bit voting

[Nurgled]

char voteCount;

...

// FIXME: This won't work if a candidate ever gets more than 255 votes,
// but that'll probably never happen
voteCount++;

Re:no its not

[Kadin2048]

Simplify the architecture as far as possible. Like, 1980s architecture simple. Publish all the code publicly, so as many people as want to can comb over it. Make the 'bootstrapping' of the compiler chain a public event, open to observers. Use a hardware design that's as simple as possible, using parts that are old and widely understood. Make one single, standard reference design, and test/audit the hell out of it. Allow opposing political parties to act as observers during the election and vote-counting process. Keep an audit trail and make that public, too.

Alternately, just use pencils and learn to be slightly more patient than usual. The whole desire for electronic voting is due to a desire for immediate gratification and a pointless requirement to have the votes tallied on the same day as the election. It's stupid; voting is the most important thing in our government, if it takes a week, it takes a week. Democracy functioned without e-voting; we're just making the system more opaque than it needs to be.

Re:no its not

[amRadioHed]

There is NOTHING wrong with a paper vote other than taking so long.

Not that it even takes that long. Most results are in by the 11 O'clock news. In a close race you may need to wait till the morning to get your election results. Who cares?

Electronic voting machines are the solution to a problem that doesn't exist and only result in complicating things immensely and making the results less reliable. I don't see the benefits.

Re:

[Mattintosh]

Most results are in by the 11 O'clock news.

Here in the midwest, we have you beat by an hour. We get it on the 10 o'clock news.

Re:no its not

[Anonymous Coward]

The solution is to create a system where you don't have to trust the source code to begin with

Touchscreen, vote, hit done, the machine prints a paper ballot. You review said ballot and deposit the paper ballot in the ballot box.

What could be simpler and less prone to manipulation or error?

In that scenario, you don't have to know jack shit about the voting machine or its source code. It doesn't matter. The voter reviews the output, not the internals. If people start noticing that a certain machine or certain brand of machines prints incorrect ballots frequently, well then steps can be taken to figure out why.

But the end to end system can't be gamed.

There is no level of code review or "trusted computing platform" specification that will provide anywhere NEAR that level of trust and confidence in the system. Add to that the fact that you have an incontrovertible source of paper ballots for recounts, what more does anyone want? why do we put up with anything less?

Re:

[FuzzyDaddy]

I agree that having the source code offers no assurances as to the legitimacy of the vote. It's too easy to hide stuff.

However, if there are general "quality" problems (lost votes, machines crashing, etc.) it will be that much easier to place the blame after the fact. Imagine your voting machine crashes, and an independent commission can look at the source code and find the problem without your cooperation. If they find serious bugs or code quality problems, the vendor is going to be in a nightmare pos

Re:no its not

[timmarhy]

why not just use paper then? hell of a lot simpler and cheaper.

how does that paper assure you the recorded vote is saved in the system is the same as what the paper says? it doesn't.

the only form of electronic voting i can see working is a system of electronic paper, which lets you press directly on the box you want and fills it. you deposit it in the secure box as normal and it's then counted by a machine, advantage being that it's digital so your counter won't run into false positive problems like with pencil, and it's still human verifible like paper.

Re:no its not

[KlomDark]

There's a better system than that - your vote is stored in a database, but your vote is also printed out for you to review. You then put the paper in a box that is kept under lock and key. For quick results, the database count is the one that is looked at. However, any third party can request to count the paper votes and compare them to the database count. If they do not match, then there is a physical audit trail to show that someone was monkeying with the software. This way, we get fast results, and verification.

Trust, then verify, is the solution in this case.

Re:

[Misch]

Kinda how New Jersey is going to be doing things. [nj.com]

It won't be in place until 2008, but it will be there.

Just make the database public

[Solandri]

Read-only access of course. But given the size of computer storage nowadays, it should be pretty simple to make the whole voting record publicly available on the Internet.

The voting machine has a public/private key pair. It generates a random public/private key pair in between votes which stays resident only in memory (is not written to disk). When you vote, your votes are coded. It's then encrypted with the voter's private key and the voting machine's public key. The voter's plaintext vote, an index number, the encrypted vote, his private key, and the voting machine's public key are then printed on a piece of paper the voter can take home. The voting machine then stores the encrypted vote and the voter's public key. Nothing else.

When tallying the votes, each machine runs through its stored votes, decrypting the record of encrypted votes using each voter's public key and the machine's private key. All this information is then sent to a central vote tallying database. The unencrypted votes are used for the official tally. The encrypted votes are used as proof against tampering. The index is used to allow voters to query the database.

Once home, the voter can log into the vote tally web site. He can query the database to make sure it's recorded his vote right. He asks it to send the vote recorded with his index number. It takes the unencrypted vote, encrypts it with the voting machine's private key and the public key associated with that index and sends it to him. His computer then uses the voting machine's public key and his private key to decrypt it. If all went well, it should match what's on his printout.

• The system does not record who voted which way. The only way to link a vote with the voter is via the index number and private key printed on the voter's slip, which he is free to shred, eat, burn, whatever. I think it may even be possible to validate that the votes match by comparing the encrypted votes, without ever looking at the plaintext vote. It's been a while since I did the RSA key pair stuff.
• Nobody can tamper with the votes in the database because the encrypted version is encrypted with the voter's private key, and only he has a copy of that key. If someone modifies his vote, they need to use a new public/private key pair. The voter's private key will no longer work against the returned result when he queries the vote counting database, tipping him off that something fishy is going on.
• The voter cannot tamper with his printout to fake vote counting fraud. To change it so his plaintext vote and the encrypted vote match, he needs the voting machine's private key.
• By virtue of the previous two bullets, if there is a discrepancy, you can localize where the problem occurred. The voter needs the voting machine's private key to alter his vote. The vote tallying people need the voter's private key to alter his vote (the encoded and unencoded vote on his paper would be encrypted with the voting machine's private key, authenticating that his printout is genuine).
• Don't do anything stupid like seed the RNGs in all the voting machines with the same seed, so they all generate the same key pairs. Include something like the millisecond the vote was cast in the seed.

The only way I can think of to commit vote fraud against this system would be by stuffing the ballot box with false votes. And even there you could do a sanity check by comparing the number of votes cast by the number of voters the precinct operators counted (they mark off your name after you vote, so it's fairly easy to count how many names they've marked off).

That's all I can think of off the top of my head.

Re:

[swillden]

The only way I can think of to commit vote fraud against this system would be by stuffing the ballot box with false votes.

How about: You vote the way I tell you to, and you bring your receipt home to prove it in front of me. If you can't prove it, I break your kneecaps.

Re:

[ASBands]

I like it - you're almost there, but you've got some problems. If I'm mistaken, feel free to correct me.

• Bringing a plaintext vote out of the ballot box is bad and should not be done. While it may seem ridiculous, we don't want members of organized crime checking who voted which way. Only have the index number and an encrypted vote - they can check to see if the values are the same. This ensures that the vote has been properly recorded, beyond that doesn't really matter (we're running DRM - the user shou

Re:Just make the database public

[Phroggy]

The system does not record who voted which way. The only way to link a vote with the voter is via the index number and private key printed on the voter's slip, which he is free to shred, eat, burn, whatever. I think it may even be possible to validate that the votes match by comparing the encrypted votes, without ever looking at the plaintext vote. It's been a while since I did the RSA key pair stuff.

If you vote for my candidate, then bring me your slip with the private key so I can verify it online, I'll pay you $20.

Re:

[Rakishi]

Of course to count those votes a machine would need to be used, after all the paper ballots are of high quality and likely designed specifically so a machine can count them. But since we know its a law of the universe that only voting machines not vote counting machines are susceptible to abuse there is nothing to worry about at all.

In the end the result is exactly the same in terms of how valid the vote is but without all the wasted time in feeding the votes into the vote counting machine.

Re:

[Rakishi]

Of course they would be countable by people by my point is that a full recount would be done, by default, by machines. Now you could test the machine counts with random hand counted samples and so on. However you can do the exact same thing with a fully electronic system that has paper ballots. In either case you'd have a machine in charge of the ballot counting with a hand recount (or count by different companies machine) if discrepancies were found except that in one case you'd waste a lot of time (and mo

Re:

[timmarhy]

obviously you've never written any computer system for the general public. no one will check their ballot, and if it misprints a single ballot, all the ballots before it must be discarded because who knows how long it was misbehaving? that system is ripe for the picking.

atleast with electronic paper, you know for sure that each ballot was marked by the person casting the vote. oh, and you never once mentioned that you'd use the paper ticket for counting, so you've only got yourself to blame for people not

Re:

[dangitman]

Touchscreen, vote, hit done, the machine prints a paper ballot. You review said ballot and deposit the paper ballot in the ballot box.

So, why even use the computer in the first place, if you're going to be counting paper anyway? Wouldn't it be a lot cheaper and more reliable to use pencil and paper?

What could be simpler and less prone to manipulation or error?

Marking a ballot manually with a pencil?

I'm not sure why you think this won't be prone to error. I'd bet that at least 50% of people won't even look at the printout. It could say "I vote to be enslaved by Satan" and they'll just blindly place it in the ballot box. At least with a manual method, the voter actually has to make the marks in

Re:

[dgatwood]

Why is two-factor authentication marginally better than one-factor? Same principle applies. If you stuff the ballot electronically and also have to stuff the paper ballot, it's at least twice as hard to do it as only having to fudge the software or print up a bunch of extra ballots and punch or mark them.

IMHO, an ideal system would have several different protections:

• A crypto key per voting machine generated randomly on the day of voting to sign each electronic ballot. The private key would be writte

Re:

[Goaway]

Yeah, that's pretty much exactly how you don't want to do voting.

One of the big stated reasons for electronic voting is to make it easier for the disabled to vote.

Re:

[drinkypoo]

But platform code that is obtained from a third party vendor should be acceptable provided that it is widely used as a general purpose platform and there is a reliable demonstration that the code has not been modified.

Widely used as a general purpose platform doesn't mean it's any good.

And "the code has not been modified" from what? There's no reason you couldn't have collusion between Microsoft [or any other vendor] and someone trying to hack the vote. The specific code to tamper with eVoting could be bu

Re:

[Zeinfeld]

Given that Ashcroft took the DOJ off Microsoft's ass, and given that Ashcroft is a known criminal, I think assuming that there is a relationship there is probably more reasonable than believing that there is not. Maybe that's just because I'm paranoid, but more likely it's because I know a little something about history. Anyone read the CIA crown jewels yet? Or the parts that aren't marked out, heh heh...

Since the family jewels were written in 1973 under the Ford administration it is not at all likely tha

Re:

[drinkypoo]

Since the family jewels were written in 1973 under the Ford administration it is not at all likely that they have any mention of electronic voting.

Well, that's not what I meant. What I'm saying is that it's clear that our government (what? no, surely, not ours!?) is continually engaged in skullduggery and dirty tricks, and such are also par for the course for presidential candidates. And just how many of our recent presidents have been members of Balls and Shaft? er, sorry, Skull and Bones. There's a reaso

Re:

[dangitman]

If the code base is small enough for someone to actually perform a review, that is fine. The problem here is that the systems are huge and performing a comprehensive review is not practical on a hundred thousand plus lines of code.

There's a warning sign right there. Why should these systems be "huge"? They only have to perform a very simple task. If you're using a complex system to do that, then that demonstrates that there's stuff in there that doesn't need to be, and could cause problems.

Ever heard of the "KISS" principle?

Don't stop at the code. Schematics too

[EmbeddedJanitor]

Since it is more than just theoretically possible to hijack a voting machine via hardware methods, all aspecs of the design should be held for review.

Re:

[bl8n8r]

> I would rather see voting platforms built on microsoft trustworthy computing platforms

Here you are [fisher-price.com]. Point the arrow at your candidate and pull the handle.

Wait a minute; I LIKE it.

[WindBourne]

We may finally get a decent and honest candidate that way.

Re:

[91degrees]

If it was necessary to use proprietry software then I'd agree. But Linux is an option. So is BSD. So are various other operating systems. Given that there's no major harm in eliminating the closed source ones, why make an exception?

Re:

[Torvaun]

Still won't stop Micah.

Nathan Petrelli for President!

Re:

[Zeinfeld]

That's some rigorous requirement you've got there. So how much does Redmond pay you to be the local /. shill?

So the only reason someone would disagree with your point of view is that they are paid to do so? That is some opinion of your abilities you have there. Would not have taken very much effort to follow the link to my blog and find out who I am.

Security is risk control, not risk elimination. In this particular case the risk of a trapdoor in the platform code is a lower concern than the risk of the

Re:no its not

[WindBourne]

palladium says that the OS that was installed on the OS was not modified from what the controller wants. It does NOTHING to guarantee that the OS was not compromised before being put on there. I will take a locally compiled version of BSD and/or Linux. In fact, better yet, I will take something that is DO-178B compliant in which the feds have already looked over it, and still looked over. BTW, when MS was asked if they would submit one of their OSs for Do-178B, they asked for the certs. A month later when asked, they laughed the CEO out. They said that NONE of their OSs could come close to close inspection.

Re:

[morgan_greywolf]

Mod parent up! MSFT operating systems are simply not secure enough for mission critical applications. That's why you see most mission critical apps running on either big iron, Unix, or a realtime embedded system from companies like WindRiver.

Re:no its not

[nschubach]

Doesn't the Microsoft EULA state that their OS is not to be used in mission critical applications or applications where the lives of people could be at risk anyway? I remember reading that on the NT4 EULA. Not sure if it remained in the text...

Re:

[scatters]

The Royal Navy's Windows for Warships progam probably counts as both a critical application and one where people's lives are at risk.

e.g.

Prompt: An inbound missile has been detected that could hit your ship (time to impact: 15 seconds). Allow or Deny?
User: Clicks Deny.
Prompt: Are you sure (time to impact: 13 seconds). Yes or No?
User: Clicks Yes.
Prompt: Anti-Missile Counter Measures Application has encountered a problem and needs to close - we are sorry for your impending destruction. Send error report to

Re:no its not

[Original Replica]

In this particular case the risk of a trapdoor in the platform code is a lower concern than the risk of the running code being substituted on the final machine.

IANAProgrammer, But for this application neither is acceptable.
Given what the code is required to do (allow for the selection of a vote in each catagory, record said votes, provide totals for each catagory) shouldn't the code be blindingly simple? Give me ANSI graphics and no mouse driver. Give me three imputs: cursor up, cursor down, enter/select. Hell, it can print out on a dot matrix. It should be a requirement that the code be small enough to be reviewed completely, without excessive effort.

Risk analysis

[grcumb]

So the only reason someone would disagree with your point of view is that they are paid to do so?

Without agreeing with the rhetorical gist of the GP, I believe the point being made was that the suggestion was so absurd that nobody would put it forward unless they were paid to do so.

I disagree with that premise, but I do agree that obscuring any aspect of a voting system that is being used to decide, among other things, the next president of the United Sates is the height of folly.

Security is risk control, not risk elimination. In this particular case the risk of a trapdoor in the platform code is a lower concern than the risk of the running code being substituted on the final machine.

Risk is measured as a combination of:

• How easy it is to attack using a particular vector;
• What the payoff will be for the attacker;
• What the cost will be to the defender if the exploit succeeds;
• What the cost of securing that vector is.

In this case, the prize is political control of the most powerful nation in the world. So we need to ask ourselves: How much are fair and free elections worth? What, in effect, is the price of the democratic process in the US?

I think it's worth billions of dollars. That means stringent code review, impeccable chain of custody and constant supervision. Saving a few bucks by using an off-the-shelf operating system - especially one that is orders of magnitude more complex than what is actually required - that's absurd, in my opinion.

Sucks to be MSFT...

[Penguinisto]

...or any other proprietary vendor.

Sorry Steve, Bill - but some of us want to see what these things actually do when we use 'em to cast a vote.

Meanwhile, I'm damned sure that somebody in Diebold went all Ballmer on the furniture... though I can't wait to see their source code ; I'm sure it's gonna be worth some huge laughs @ your nearest code-monkey pit, punctuated with lots of sounds along the lines of: "WTF were these asshats THINKING!?".

/P

Re:Sucks to be MSFT...

[Kalriath]

You sure as hell wont be seeing it. It'll be shown to a couple of high profile professional auditors who will give it the green or red light, and that's that. At NO point will the public see it.

Re:

[Penguinisto]

You sure as hell wont be seeing it. It'll be shown to a couple of high profile professional auditors who will give it the green or red light, and that's that. At NO point will the public see it.

Not even with a FIOA - like request? I'm sure New York has to have some sort of public records transparency law.

/P

Re:

[Kalriath]

Not even then. The code will not be visible to us regular people, period. You might be able to read the results of the audit, but that's it.

Glad to see NYS grew a pair...

[Coopjust]

After that amendment passed, I was worried about NYS letting this fly. I'm glad to see that the legislators are attentive.

The real question is: What does Microsoft have to hide from election officials?
-Are they worrying that the source will be leaked?
-Due to the above fear, is MS afraid of getting crap from the DRM loving media cartels?
-Is there something in the code that MS doesn't want seen?
-Are they afraid this mentality hurts the "security through obscurity" idea?

Of course this is all speculation. I'm just so curious why Microsoft is so opposed to sharing their code with a state government.

Re:

[The Warlock]

Microsoft doesn't want to put the Windows source code in escrow because if they do, it will hit everyone's favorite Swedish website the very same day. They aren't stupid. They know that some near-minimum-wage state employee would jump at the chance to leak something like that, damn the concequences.

That said, sucks to be them. We need to see all the code that's in any computerized voting machine. If they can't afford to put their source code in escrow, sucks to be them. They can either write something from

Re:Glad to see NYS grew a pair...

[WrongSizeGlass]

I'm no fan of MS in any way, shape or form, but I can completely understand their reluctance to hand over their source code. In this day and age there is a good chance that it would be leaked faster than you can say BitTorrent.

If the price of admission into the eVoting game is handing over their source code then they made a wise business decision. It's far too small of a market for MS to chance exposing Windows source (and all the security breaches that would soon follow). In the big picture of things, MS made the right decision. That aside, they still suck for trying to sneak that amendment in.

Re:

[MightyMartian]

This has been my feeling all along. To be honest, I doubt Microsoft really gives a damn, precisely because it's such a small market. But the fact is that some guys out there have written voting software on their platform. I don't really blame Microsoft for this one. I blame the lazy turds who wrote the voting software. Now they're going to have to seek out a platform that they will be able to put in escrow.

Re:

[DragonWriter]

To be honest, I doubt Microsoft really gives a damn, precisely because it's such a small market.

I bet they do, because the more access to source code becomes a recognized priority in the public sphere (and while e-Voting is the hot area right now in the US, policies with a much broader scope, and requiring more than disclosure, have been implemented elsewhere, so MS certainly sees the threat that this could be a wedge in the US) the less advantage Microsoft is going to have over open source alternatives, wh

Re:

[MightyMartian]

The worst case here for Microsoft is that New York State refuses to allow any voting machines that run Windows. New York State isn't going to force Microsoft to anty up the code to Windows, unless Microsoft decides that they do want to be part of an incredibly small and specialized market. Microsoft is making a declaration of principle here, and one I don't blame them for. The people who are going to be on the hotseat are those companies who are running their voting software on top of Windows.

Re:Glad to see NYS grew a pair...

[drinkypoo]

The worst case here for Microsoft is that New York State refuses to allow any voting machines that run Windows.

You are thinking way too small here.

The worst case for Microsoft is that this is the first step towards all government computers being forced to run freely auditable code. That means no Windows.

This is frankly the only responsible thing to do from a security standpoint, and barring illegal collusion we would probably be there already.

Re:

[garcia]

In this day and age there is a good chance that it would be leaked faster than you can say BitTorrent.

Too bad we're even having this discussion in the first place. The devices are not necessary as pen and paper work just fucking fine. Since the morons at the state and federal levels believe these pointless machines are good then they should have been all open and presented to the public (even via BitTorrent) for comment.

That wouldn't make for good drama though.

Re:

[Kalriath]

No, but I've seen strategic misspellings used as an identifying feature of code before. "Your honour, I KNOW he leaked it because 'fuck' is spelled as 'fcku' in that comment!"

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:What I want to know..

[WrongSizeGlass]

Is why the HELL anyone is trying to build a voting machine around an unsecureable platform in the first place?

Because you can't rig an election if the voting machines are secure.

Re:

[JoeCommodore]

A) Its cheaper and faster (more profit)
B) Nobody has complained (much) before about it
C) They don't really posses the skillset to do it properly
D) Because someone ignorant of the above, probably paid them to.

Re:

[jimicus]

You have a point, but you're not thinking like a government.

AFAICT, government officials - at least the ones tasked with dreaming up projects like this - don't know the first thing about technology. All they see is a magic black box that can count votes a lot more quickly and easily than a bunch of people can, so "magic black box takes votes and counts them" is about the only thing on their list of requirements.

You or I or anyone in IT knows full well that the "magic black box" that people consider their c

Re:

[bhmit1]

Is why the HELL anyone is trying to build a voting machine around an unsecureable platform in the first place?

I suspect the answer is "that's business." Companies don't always get the best programmers, and programmers use what they know. The technical requirement to be secure was likely never considered, but rather user friendly enough for the retiree old manning the machine and profitable enough to make a business out of it.

What I want to know is why the states don't band together, form a group to wr

Don't Trust Microsoft With Our Elections...

[Eric Damron]

It seems to me that what Microsoft is asking is that we "trust them" without having earned that trust. Without seeing the code how do I know that there isn't a backdoor?

Microsoft's security record has been dismal to put it politely. I certainly don't want to gamble my freedoms on a company that can't secure its own operating system and a company who has shown flagrant disregard for our laws.

As far I'm concerned Microsoft has shown that it will do almost anything to get what it wants. We don't need the fairness of our elections endangered by a company unwilling to provide transparency.

Re:

[MightyMartian]

I think what Microsoft is saying is "We're not going to give your our source code." E-voting is such a small market that it's not worth their time. I'm no fan of Stinky Ballmer and Co., but on this one, I don't blame them. This wasn't a fight they picked. It was some dumbass software developers who, for whatever reason, didn't ponder the possibility that voting authorities might actually want to know what's going on beneath the hood, all the way down. It's those stupid bastards who you should be direct

Re:

[Nasarius]

Actually, I don't really see the problem. Microsoft already releases their source code, or at least large parts of it, to some educational institutions. Why would it be a problem to release it to a government agency, under similar terms?

Re:

[Kalriath]

Actually, governments can get the ENTIRE source code. The NY state could probably ask the federal government to review such things as ntoskrnl.c and green light it for them, since they probably already have it.

Re:

[Eric Damron]

"his wasn't a fight they picked. It was some dumbass software developers who, for whatever reason, didn't ponder the possibility that voting authorities might actually want to know what's going on beneath the hood, all the way down."

The fact that a third party used a proprietary OS isn't Microsoft's fault. The fact that Microsoft came in with a resolution that would gut a bill designed to give transparency to the process IS Microsoft's fault. I find that action more offensive than the use of a closed sour

Re:

[MightyMartian]

I agree completely. There are no lack of open source alternatives out there. I simply won't bash Microsoft for an issue which really isn't their fault. If I owned a propietary operating system and New York State demanded that I turn over the source code because some potential e-Machine suppliers are running their software on it, I'd probably do a quick mental calculation as to the risk of a few hundred or thousand Windows seats not being sold versus the risk of some civil servant leaking my code. Now ma

Re:

[secPM_MS]

Microsoft's software can be configured for high security applications -- otherwise it would not be found suitable for use in classified environments. Consumer - focused feature-rich configurations have a far larger attack surface than minimal hardened configurations. Rich products such as OSX, Linux, and Open Office have been doing no better and in many ways worse than Microsoft's newer products. This does not mean that any of them are suitable for a high assurance application -- none of them are high assu

Windows for Classified

[DragonHawk]

Microsoft's software can be configured for high security applications -- otherwise it would not be found suitable for use in classified environments.

Every AIS (Automated Information System, the NSA TLA for "computer") I've ever seen running a Microsoft OS that was also processing classified information ran in "system high" or "dedicated" mode -- where you treat the whole system as classified, only let cleared people touch it, and lock the whole thing up. The security of the OS is practically inconsequent

Re:

[secPM_MS]

All single level OS's run in system high. Systems intended for use with sensitive data have to be appropriately configured. In the past, you started for this by running the hisec template with the security configuration editor to reset system ACL's and permissions. Microsoft publishes very lengthy security guides that allow security administrators to appropriately configure systems. One of the most important issues is to have users run as normal users without administrative privledges. There is a definite t

Re:

[DragonHawk]

Systems intended for use with sensitive data have to be appropriately configured.

"Appropriately", yes. For example, on Win XP, you need to enforce the use of strong passwords. But for, say, a Win 98 or DOS box, there's really not much to do, except make sure you lock it up when you're done. Which was my point: If a Win 98 box can be approved to operate in a classified environment (and it can), your original statement ("Microsoft's software can be configured for high security applications -- otherwise i

Re:

[Eric Damron]

"This does not mean that any of them are suitable for a high assurance application -- none of them are high assurance products."

I guess that depends on you definition of "high assurance products." If you mean products that are stable enough to be used in critical application I would say that embedded Linux is way more stable than Microsoft's offerings.

"We have trained the world to know and love GUI's."

If by "we" you mean Microsoft I have to disagree. XWindows on Unix and Apple products were doing the GUI

Open Source Voting Machine?

[Anonymous Coward]

Why isn't there an open source voting machine?

It should be constructed of off-the-shelf parts and it should run open source code!

Re:

[ChatHuant]

Why isn't there an open source voting machine?

It should be constructed of off-the-shelf parts and it should run open source code!

I'd be careful about what "off the shelf" means, given the requirements of the NY law. You can't really use modern processors - the BIOS, the firmware on the CPU and the firmware on all other components wouldn't be in escrow, would they? Anyway, if you want to be thorough the schematics of all versions of the voting machines, all the chip fabrication masks, the schematics o

Re:Open Source Voting Machine?

[MightyMartian]

Pen and paper don't seem to have all those issues - why not use those?

It's an awfully good question, and one that I think Americans should have been asking themselves since the 2000 election.

Up here in Canada, federal elections are administered by a single Federal body; Elections Canada. That means the ballot you get in Toronto is identical in structure to the ballot you'll get on Baffin Island. There's a single standard for marking and counting ballots. The provinces have control of their own elections, obviously, but tend to follow standards very close to that set out by Elections Canada. Only at the lower levels can things be a little different. In my city, they have vote-counting machines and those ballots where you color in the selections you want. Still, even with that automated system (which has been in use in many jurisdictions in North America for decades) there is still the key paper trail, so that if the election is contested, you can go back to a good ol' fashioned recount.

The only argument I've seen against pen and paper ballots for the US is that, unlike some countries, a lot of different elections get tossed on top of congressional, presidential or state elections. Various local positions, voter initiatives, referrenda and the like get tossed into the brew, so that paper ballots could get to be quite volumnious, and possibly confusing, and I guess there is some advantage there to an electronic voting system which can make display of such complicated ballots much easier.

But the US is a federation.

[Ungrounded Lightning]

Up here in Canada, federal elections are administered by a single Federal body; Elections Canada. That means the ballot you get in Toronto is identical in structure to the ballot you'll get on Baffin Island. There's a single standard for marking and counting ballots.

Given that Canada is a single republic and the provinces are divisions of it, that is easy to do.

But the US is a federation of separate republics - the "several states" - which banded together, creating a central mechanism to handle defense, for

That's great and all...

[r_jensen11]

Now don't mod me troll, but remind me again, what is so horrific about paper ballots? I know Florida had a huge fiasco in 2000 with them, but that had to do with punches, not filling in a bubble or anything....

Re:

[WrongSizeGlass]

Now don't mod me troll, but remind me again, what is so horrific about paper ballots?

I'm sure there are many opinions on this but I believe a primary problem with paper ballots is: speed. We want the results now, now,

• now

! We don't want to wait until tomorrow or the day after. I could blame the media or the internet or a few other things - but it comes down to all of us (well, not Linux users, their pretty cool, but the rest of us).

We live in an impatient society that doesn't want to wait. Not reading the articles on /. is a prime example (of which I too am guilty from time to time). Now

Re:

[jabuzz]

Rubbish, paper votes can be counted rapidly. Very rapidly if there is a will, just take a look a UK parliamentary elections as an example. They can get the result for a constituency in less than an hour after the polls close.

Basically vote counting has trivial to extract parallelism, and scales very well. The problem in Florida is having a stupid punched card system which is then tried to be counted by machines. A simple piece of paper with a cross, and counted by hand works much better.

Re:

[Max Littlemore]

We use paper counting in Australia. We also have compulsory voting. If you don't vote, you get a fine so we tend to have high turnouts. We also get preliminary election results within a few hours of polls closing. Of course final results take longer, due to absentees, etc.

I mean I understand you're just trolling and all, but really, everything you posted was total bullshit. Even that bit about how Americans vote on issues, and Brits on personality! Hahahahahahahahahahahahaha.

Hahahahahahahahahahahahahahaha

Re:

[CastrTroy]

Especially when the vote is in November, and the inauguration isn't until January. There's lots of time to count votes there.

I don't want to rain on everyone's parade but.....

[putch]

the legislature didn't actually "reject" it. they just didnt pass it. and yes, they concluded their regularly scheduled legislative session last week. BUT, they're expected back for a "special" session in July, and the governor has implied that he will call them back several times.

students of the NYS legislature will also tell you that the "special" sessions tend to be when the sneakiest things go on in NYS because, in general, they garner less attention and most of the legislators just want to make it as quick as possible and get back to their families.

that being said, NY does have a very strong voting rights coalition with a number of very smart and talented people working very hard to make sure that this DOESNT go through.

one good thing did happen at the end of session. is that NYVV's (New Yorker's for Verified Voting) Bo Lipari (who's been leading the charge AGAINST microsoft's lobbyists) has been granted a seat at the table. the citizen's advisory board now has statutory authority. which means that when the board of elections makes decisions about this stuff he's got a seat at the table to help shape the outcome.

Not too far removed

[HumanSockPuppet]

Wouldn't be surprised if MS tried to consolidate voting procedures the same way they have tried to do with the entertainment market.

"New to the Xbox Live Marketplace, vote for your favorite U.S. Presidential Puppet in the new 'Red Vs. Blue' civic action feature."

Don't knw what version of Windows

[Utopia]

these voting machines use. But if they are based of Windows CE 6.0 then the machine vendors have nothing to complain.
Windows CE 6.0 source code is available under a shared source code license.

If they are indeed using CE 6.0 then vendors not releasing code are just using Microsoft as a ruse to protect access to their own code.

Australian e-voting

[MrKaos]

Well this is good news, but I doubt M$ will give up quietly.

Australia has some e-voting software that is open sourced, http://www.elections.act.gov.au/Elecvote.html [act.gov.au] also has a link to the source code.

Why is M$ software even on voting machines........

[Joe The Dragon]

Why is M$ software even on voting machine in the first place?
Why is it on ATM systems as well at least there it is more
slot and video Casino games must have there source code turned over the NGC and if windows was being used as the os then that code may have be turned over well. Windows may not even pass the testing need for Casino games as it may crash in the middle of a game. I once had a slot slow down and crash on me and it still slowly finished the bonus round and printed out the ticket then it disable

This is funny...

[Tuoqui]

Is it just me or are we all over analyzing what is effectively a glorified bean counter.

Sure we want it to be secure and transparent which means Open Source has the best option for this to occur. Anything that is closed source should *NOT* be trusted. This includes the platform/OS the system runs on.

And is it *REALLY* that hard to ask that there be a god damn paper trail? I think just about every single person on /. has agreed that a paper trail is necessary. Anyone including Diebold who refuses to make a machine with a paper trail is definitely up to no good and likely WANTS their machine to be insecure in order to allow for vote stuffing/miscounting/false results/etc... I mean its not like it hasnt been done before [blackboxvoting.org].

How complicated could it be?

[twifosp]

I am not a programmer, so maybe I'm way off base here, but how complicated could this code be?

I can't think of any reasons why Microsoft is being difficult here. I can't think of any complex algorithms you'd have to invent and therefore protect to display and count votes.

All you need functions for: Security Wrapper. ID voter. Display Choices. Input Choices Into Database.

How is that going to be so complicated that it needs trade secret protection? Or is the final fucntion like, Collect Choices and Vo

Re:How complicated could it be?

[ChatHuant]

I am not a programmer, so maybe I'm way off base here, but how complicated could this code be?

I can't think of any reasons why Microsoft is being difficult here. I can't think of any complex algorithms you'd have to invent and therefore protect to display and count votes.

If I understand the problem correctly (please correct me if not - but I did RTFA, and went to the source, Bo Lipari's blog as well, and also to his organization's web site), the requirement is not for MS to escrow the code for the *voting* software; MS aren't writing it anyway, Diebold and others are. The requirement is that, since some manufacturers of the above-mentioned voting software wrote it for Windows, MS is supposed to escrow all the *Windows* source code to NYC. This is very silly IMHO (from an engineering point of view), but of course reason needn't apply.

Obviously, MS doesn't want to escrow all the Windows source to a bunch of political hacks. This has been presented on Slashdot as an attack by Microsoft on democracy and mum' apple pie, but what I believe is really hapenning is just a local political maneuver, as follows:
The hullabaloo was started by a certain Mr. Lipari who seems to have a complete dislike for any kind of electronic voting. IMHO, he invented this specific requirement knowing it's totally ridiculous. He presented it as defending democracy, and managed to sell it to the public. His intention is rather, I believe, to torpedo the whole e-voting concept in NY by getting ignorant politicians to vote for impossible requirements. Well, good for him - he seems to have succeeded. And if e-voting companies switch to Linux of FreeBSD or Windows CE (or any OS with available source code) he'll then ask for the BIOS, and the CPU firmware, and so on, until they give up.

Still missing the problem

[Touvan]

Source code or not, you can't look inside the machine and see what's running on it while it's running. Not ever. It doesn't matter who has access to whatever source code. It's just too easy for a very small number of people (or even just one) to tamper with these machines, and leave absolutely no meaningful trace. Anyone caught up in the source code debate has missed the problem.

Re:

[Touvan]

Sorry to reply to myself, but isn't it hypocritical to expect a software vendor to turn over their source code, without requiring the hardware makers to turn over their specifications? It would be just as possible (and there's plenty of motivation to do it) to hide malicious vote stealing code in the hardware somewhere. Why this focus on the software only?

Re:

[tele_player]

I agree completely, and I'll go further. The disadvantages of electronic voting cannot be gotten around - it cannot be trusted. Ever. We don't need it, and it's just another step away from a functional democratic system. We don't need printers and paper trails. We need traditional, diverse, impossible-to-centrally-subvert voting systems. I'm a computer geek - but this is one area where computers do not belong.

IBM Wins

[Doc Ruby]

This battle in the NY state legislature was between Microsoft's lobbyists for proprietary voting machines vs IBM's lobbyists to make the machines open and auditable outside the closed certification system that is totally rigged to sell vendor products.

IBM has won this battle. Possibly because it's a NY state based company (Armonk, NY). The trick will be seeing this victory applied elsewhere in the country.

NY is famous for being tough, smart and understanding security. I hope other people in other states are lucky enough to follow our lead.

Re:

[T-Ranger]

The second copy also makes it easy to take home, and to show to the guy either threating you with the baseball bat, or tempting you with a brown paper bag with rum in it. Good job, there.