
SoylentNews is people

posted by n1 on Monday June 15 2015, @12:16PM
from the conflict-of-interest dept.

Roy Schestowitz at TechRights reports:

Microsoft wages war on politics in all sorts of ways, sometimes through lobbyists, sometimes through 'former' staff, pseudo 'charities' like the Gates Foundation, and pressure groups like the Business Software Alliance.

Today we present information given to us courtesy of the California Association of Voting Officials. They complain about Microsoft lobbyists and they have expressed an interest in aligning for global issues, for they too realise that Microsoft cannot be ignored if society wants fair elections and ultimately pursues voting machinery that can be trusted.

Microsoft lobbying in this area is a scarcely explored topic. There is very little information about it out there, hence we hardly ever covered the topic. It is widely known, however, that voting machines in the US use Windows, which has back doors and therefore can never be trusted, with or without tampering by a human operator.

[...]Somehow, despite public will to induce transparency, accountability, audits, etc. on the process, decades later we are still [...] heavily dependent on a proprietary, secretive system (or set thereof).

[...]"We put open source language into voting system legislation", told us [sic] someone from the California Association of Voting Officials, "and the Microsoft lobbyists have it removed.

"This must be stopped as OS voting systems are a preferred security environment for vote tabulation... the alternative being Diebold / Dominion / Microsoft, etc."[...]

The head attorneys for President Obama's election report (which omitted open source voting system solutions even though the information was gifted to them) work for firms that lobby and/or represent Microsoft (Bob Bauer of Perkins Coie and Ben Ginsburg of Pattons Boggs/Jones Day)

Nate Persily was tasked with presenting the President with all information...but inexplicably failed to include any reference to open source in the report. When asked about this omission--and possible steps to remedy (addendum etc)--Persily went silent.

No members of the Presidential Committee were responsive...

In California--which is the frontline of the battle for open source voting systems in the USA--the lobbyist for the California Association of Clerks and Elected Officials Barry Brokaw is also the lobbyist for Microsoft


  • (Score: 2) by urza9814 on Tuesday June 16 2015, @03:44PM

    by urza9814 (3954) on Tuesday June 16 2015, @03:44PM (#196895) Journal

    It's about reducing the number of attack vectors.

    Using proprietary software for voting, you have to trust the software and the hardware and the people setting it up.

    Using open software, you need to only trust the hardware and the people setting it up.

    If you could use open hardware too, you'd only need to trust the people setting it up.

    So, if a citizen is concerned and wants to try to investigate the security of the system...right now they need the source code from Microsoft (good luck getting that!) -- and they need to trust that it's correct. They also need hardware schematics and firmware code from someone like Diebold (never gonna happen) -- and they need to trust THOSE are correct. Then on top of all that, they've gotta go get involved with the local elections commission to verify all of this is deployed and set up properly. But if we were using open hardware and open software, that would skip the first two requirements in that chain. You don't have to get code or schematics out of some major corporation that isn't willing to give it up. You already have those parts. You just have to go make sure the local elections commission isn't making any changes while they set it all up. The former would need a large and powerful organization to verify; the latter could be done by a single committed individual.

  • (Score: 0) by Anonymous Coward on Wednesday June 17 2015, @12:56AM

    by Anonymous Coward on Wednesday June 17 2015, @12:56AM (#197087)

    OK let me save Hairy some time and tell you to go back and read what he wrote.

    Open hardware and software does fuck all because the threat you have to worry about has TOTAL ACCESS TO THE HARDWARE AND SOFTWARE.

    Let's whack your hippie-dippy scenario with the baseball bat of reality, shall we? Do you really think local election officials are gonna let some prick, who looked at a couple of PDFs worth of wiring diagrams and source code and decided they know how to spot shenanigans in the equipment, crawl all over their polling equipment the day of the election? You'll have the guy wearing the Ron Paul T-shirt helping the person wearing the "I love the Patriot Act" shirt strap you down.

    How are the people setting up the equipment supposed to know that you or anybody else doesn't have malicious intentions? What if 20 people show up to "inspect" a polling place with only 8 people working it? You just gonna let everyone and anyone poke their peckers into the equipment and pray none of them are a bad actor? If you have an application process to inspect you're right back at the start since they can just stack the "inspectors" with people of their choosing.

    No, they aren't gonna let you stick your Cheetos stained fingers into the equipment all day long, which brings you right back to what Hairy said. "If they have control of the hardware the battle is over".

  • (Score: 2) by Hairyfeet on Thursday June 18 2015, @01:14PM

    by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Thursday June 18 2015, @01:14PM (#197788) Journal

    Okay friend explain EXACTLY how having source to a system in control of a potential bad actor "reduces the number of attack vectors"? Does it stop them from inserting malicious code? NO. Does it stop them from inserting malicious hardware? NO. Does it keep them from altering the system at any time? NO.

    So please explain to me how having code, which you have ZERO proof was on the machine in question at the time, have ZERO proof wasn't altered, have ZERO proof didn't have malware injected at the crucial time, and have ZERO proof that the hardware itself or the compiler can be trusted provides any more reduction than me just saying "trust me it's good"?

    Because your entire post seems to ignore the crucial fact that the threat is the one in control of the hardware so in that scenario that code? It's pixie dust, security theater, AKA bullshit.

    --
    ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
    • (Score: 2) by urza9814 on Thursday June 18 2015, @02:02PM

      by urza9814 (3954) on Thursday June 18 2015, @02:02PM (#197805) Journal

      Okay friend explain EXACTLY how having source to a system in control of a potential bad actor "reduces the number of attack vectors"? Does it stop them from inserting malicious code? NO. Does it stop them from inserting malicious hardware? NO. Does it keep them from altering the system at any time? NO.

      Try reading my goddamn post next time, I already explained that.

      Because your entire post seems to ignore the crucial fact that the threat is the one in control of the hardware so in that scenario that code? It's pixie dust, security theater, AKA bullshit.

      That is ONE threat, yes. And you are correct that this is a threat that open code and even open hardware can't fully prevent. Nothing can really prevent that -- there's no such thing as 100% perfect security. But you seem to be assuming that this is the only possible threat. It isn't. In fact, it's among the least effective attack methods.

      If Microsoft (or your favorite TLA) inserts malicious code, nobody else can check it, and it affects damn near every voting machine in the country all at once just by making a single change upstream. If you use open code, the people installing it on the hardware can still change it, but if you do it right they'd have to repeat that change *at every single individual precinct*. Or I suppose they could try to intercept the packets on the wire on a national scale, but proper use of some hashes could stop that easily enough. And those attacks take significantly more skill and effort and are therefore less likely to be worthwhile and also far more likely to be noticed. A conspiracy of five or ten people at Microsoft or the NSA could be kept quiet for a while. But how are they gonna get a few thousand volunteer poll watchers to install some exploit and keep quiet about it?

      • (Score: 2) by Hairyfeet on Friday June 19 2015, @07:32PM

        by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Friday June 19 2015, @07:32PM (#198383) Journal

        You didn't explain a damned thing, just made some vague reducing attack vectors bullshit which again has zero evidence or proof to back it up, any more than my magical anti-hack rock does!

        And that isn't "just one vector" as every. single. instance. of. tampering that has been in the news to this very date has involved insiders with access to the hardware! From 2K in FLA, to 2004 OH, to the first Al Franken run where votes for both sides kept "being found" you can't even cite a single example, not one, where an outsider has done jack shit to affect the vote one way or another, in every single case the suspected threat had access to the hardware and as Boss Tweed said way back in 1871 "As long as I get to count the votes, what are you going to do about it?".

        So again given that every single case of suspected voter fraud involved insiders who had access to the hardware please explain EXACTLY how you having a piece of paper with some source code printed on it 1.- Keeps the one in charge of the hardware from running different code than what he gave you, 2.- Keeps them from running malware on top of this code, 3.- Keeps them from altering the hardware (as they can use excuses like "calibration error" to switch votes like they did in Chicago [tpnn.com]) 4.- Keeps them from using a known exploit like Shellshock, or finally 5.- Keeps them from injecting alterations via the compiler.

        Because so far all you are doing is spouting security theater with no more proof than the TSA. Right now I can hand you code and say "This is what was running on Ohio voting machines in 2004"...is it? Can you in any way, shape or form verify that this code was the correct code? That it was running in an unaltered state in the time in question? Nope you just have to take my word for it even though I could be a bad actor which is exactly what you are claiming as "reducing the number of attack vectors" now because you have ZERO REASON to trust the one giving you the fucking code, get it now? Or are you a FOSSie that believes in magical thinking and the St. iGNUcious?

        --
        ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.