Voteware source code review 'could lead to hacking'

Australia's special minister of state has weighed in on solicitor Michael Cordover's freedom of information request to peruse the source code of the application used to count votes in Australian Senate elections with a bizarre suggestion that granting such a request could “leave the voting system open to hacking or manipulation …

  1. Anonymous Coward
    Anonymous Coward

    exposing oneself does not lead to venereal disease

    sticking your bits in dubious places unprotected does however ...

  2. Tom 35

    such a request could “leave the voting system open to hacking or manipulation"... by other people?

    The source code includes variables like "Desired_Winner" and "Winning_margin" ?

    The hard coded admin password is 1234?

    1. Fluffy Bunny
      Boffin

      It's nothing like as simplistic as that. For efficiency, most of these systems use DBMS connection sharing to cut the load on the database server. The individual user's login credentials aren't used to access the database, instead the system loads shared credentials from a secret location. This would be pretty easy to get to once you see the source code, allowing any given change the hacker desired.

      There are a dozen similar ways to break into the average commercial grade software, even before you start looking for buffer overflow errors.

      1. Paul Crawford Silver badge

        @Fluffy Bunny

        I would have thought that hard coding the login credentials (as in SSH key, etc) into the source code would be a BLOODY STUPID thing to do. He asked for the code, not the cryptography keys. There are numerous open-source projects that don't get magically hacked because they are fully inspected by all.

        And if, as you suggest, there are dozens of ways to break this then it is clearly not good enough for an important job such as vote-counting. At the very least it should have been subject to more than one security review by competent outfits and the result published after the flaws have been fixed (and not those with any ties to the supplier).

      2. h4rm0ny

        Regardless of whether there are reasons why viewing this particular code could lead to risk, we shouldn't be in this position in the first place - election code has to be able to survive public review because public review is the only way we can trust the election results.

        Here's an interesting fact - we don't know who won the 2008 Mayor of London election. We know that Boris Johnson got the job, but we don't know that he was actually elected. The Open Rights Group were monitoring the software and hardware used to count votes and concluded there wasn't sufficient evidence for them to actually audit the process. They also noted that the number of error messages, bugs and system freezes indicated "poor quality software".

        Citation

        I repeat - it is entirely possible that Boris Johnson did not win the mayor of London elections and we cannot determine the truth. He could have been elected by an error. Or better, it is factually accurate to say that a programmer somewhere or other technical person in the process may have decided who became mayor of London. We cannot tell.

        All of this is because that code was not up for public review.

        1. Eclectic Man Silver badge

          Verification

          Whilst I agree with most of what you posted, it is the absence of a paper trail that prevented a verification or recount in the London mayoral elections, not the absence of a review of the source code of the voting software.

          As Tom Stoppard pointed out - democracy is not in the voting, but in the counting. If you are in effect relying on a pop-up dialogue box to state how many votes each candidate collected, then whoever codes the display chooses who wins.

        2. Tim Bates

          "We know that Boris Johnson got the job, but we don't know that he was actually elected."

          I don't follow London's Mayoral politics, but I gather Boris didn't care. I think he said it was verrry niiice.

        3. Anonymous Coward
          Anonymous Coward

          Code review of election software is all very well, but you're still left with the question of proving that the code that you reviewed is the code that is actually running on the voting machines.

          It still comes down to a question of trust. And even if you trust the people running this election, do you trust the people who will run the next election, or the one after that, or the one after that? In the long run, the closest* you'll get to a verifiable "vote" is a human readable paper ballot - you can automate the process as much as you like by having vote-printing booths, and optical scanners during the count, but if the worst comes to the worst, the ballots can always be counted manually.

          *Paper ballots are still vulnerable to ballot stuffing and ballot boxes going missing, but so are electronic voting schemes.

      3. Vic

        The individual user's login credentials aren't used to access the database, instead the system loads shared credentials from a secret location

        So the keys to the database are under the mat?

        That's the very worst sort of "security by obscurity". If what you say is true, the application needs to be withdrawn immediately, as it is entirely unsafe.

        Vic.

  3. Frank Oz

    Amateur Hour ...

    Oh God!

    If it's that vulnerable, it really is amateur hour in the AEC ... and they should never even consider instituting an electronic voting system.

    I mean, if you're that incompetent at coding and setting up security you shouldn't even be thinking of using IT.

  4. Fluffy Bunny
    Boffin

    Once a trouble maker always...

    What a beat-up. Basic security principles state that you don't give the enemy anything at all. So, this guy wants to check out the code to see how it works, maybe if it has any security vulnerabilities? That's exactly what we don't want to happen.

    Remember, the AEC computer systems are connected to the Internet. It would be easy (yes there are precedents) to create a trojan that was attached to an e-mail that would be attractive to an AEC employee or contractor. Once activated, it would be easy for it to link into a vulnerability in the software, taking commands through an apparently benign web site.

    This is why only a fool would allow the source code out.

    1. GrumpyOldBloke

      Re: Once a trouble maker always...

      Basic principles of security are that you do not rely on obfuscation. Basic principles of democracy were once similar if my memory serves me correctly. If I am helping to foot the bill for our government's endless stupidity (esp at the federal level) then I want to be sure that the government we have is actually the government we voted for. The concept of odious debt suggests that the money lenders should share similar concerns. Nothing to hide, nothing to fear, right!

    2. h4rm0ny
      WTF?

      @ Fluffy Bunny

      I initially took your post to be humour, but I now think you may be serious. I hope you have no connection to computer security in your professional life.

    3. h4rm0ny

      Re: Once a trouble maker always...

      I feel I should have written a response that was a bit less adversarial and actually detailed what was wrong with it, but it's too late to edit that now. I was set off by the comment "only a fool would allow the source out". So here is a more detailed response.

      >>What a beat-up. Basic security principles state that you don't give the enemy anything at all

      Firstly, hiding the source from the public is treating the public as the enemy. It's voting code. We NEED to be able to verify it and reject it if it is not good enough. No closed body will ever be sufficient to replace public viewing of the code.

      Secondly, the above is wrong. It is useful if potential attackers do not have access to the source code, but not vital. There are many major Open Source projects vital to security and the code is exposed. The principle is that knowledge of the code does not allow one to compromise it. ANY reliance on obscurity is a flaw. Especially when we are guarding against internal threats from the vendor who, by definition, the code is not obscured to.

      >>"So, this guy wants to check out the code to see how it works, maybe if it has any security vulnerabilities? That's exactly what we don't want to happen."

      That's exactly what we DO want to happen because the more qualified people who look through the code, the greater our chance of identifying all vulnerabilities and fixing them.

      >>"Remember, the AEC computer systems are connected to the Internet. It would be easy (yes there are precedents) to create a trojan that was attached to an e-mail that would be attractive to an AEC employee or contractor. Once activated, it would be easy for it to link into a vulnerability in the software, taking commands through an apparently benign web site"

      If this is true then the software is not fit for purpose and hiding evidence of that is no kind of mitigation.

      There are massive risks with electronic voting because it is so easy for a small group in the right place to invisibly determine the results. Personally, I favour human counting - in elections trust is more important than speed, whatever the media would like. However, IF one is to have electronic counting, I would expect as a minimum the machines to not be accessible over the Internet or be deployed in such a way that an operator could infect one by getting an email.

      This is why only a fool would allow the source code out.

      If half of what you say is true, the company behind this system should be sued until not even Wikipedia remembers who they are.

      1. Lars Silver badge
        Stop

        Re: Once a trouble maker always...

        "There are massive risks with electronic voting because it is so easy for a small group in the right place to invisibly determine the results. Personally, I favour human counting."

        Thanks, exactly my opinion too. One could of course think that a programmer would defend electronic voting but the fact is that as a programmer you understand how damned easy it is to manipulate it. I think there should be a law against electronic voting because it will never be reliable.

        The temptation to screw the results will always remain.

        1. Tim Bates

          Re: Once a trouble maker always...

          "I think there should be a law against electronic voting because it will never be reliable."

          Human counting is also potentially unreliable, as seen in many corrupted nations. Even in Australia we've had paper votes go missing... It can be accidental or intentional, just like with electronic systems.

          I personally think the electoral system in Australia is broken anyway. With what seems to be 99% of people thinking the Prime Minister is who they voted for, thanks to the media, there's almost no reason to care if the counting is flawed.

          1. h4rm0ny

            Re: Once a trouble maker always...

            >>"Human counting is also potentially unreliable, as seen in many corrupted nations. Even in Australia we've had paper votes go missing... It can be accidental or intentional, just like with electronic systems"

            It's possible in both systems, but electronic voting massively lowers the difficulty of pulling off successful election fraud. In cases such as this, the outcome could be determined by a single programmer or a handful of officials. Whereas with our normal elections (e.g. UK General Election), you're needing to subvert many hundreds of polling stations and staff and counters across the country.

            1. Denarius
              Big Brother

              Re: Once a trouble maker always...

              Absolutely correct. In an election and count one is trying to maximise trust. Even if this annoys the media commentards because it may take days to be sure sometimes. Paper is auditable, unlike electrons. Way, way back in the day when I brushed up against AEC systems they did care about security on their big systems. What concerns me is that AEC management have stated the AEC does not have the resources to properly check the voting rolls. That scares me. Successive governments have cut the public service as part of the magical efficiency mantra. Now the chooks are coming home to roost, with diarrhea. A cynic might suggest that this is part of a plot to subvert Oz democracy. But production code in VB ? Even more terrifying.

    4. Tom 35

      Re: Once a trouble maker always...

      "This is why only a fool would allow the source code out."

      The programmers and others at the company already know the source code.

      So if it's as crap as you say any one of them can pick the winner. Or maybe the owner of the company would like a change to the tax laws to go through, have his company get more contracts...

    5. Trevor_Pott Gold badge

      @Fluffy Bunny

      "The enemy" is your own citizens?

    6. Frank Oz

      Re: Once a trouble maker always...

      360,000 lines of Visual Basic is what's being reported.

      Visual Basic? Brilliant for its scalability, ease of maintenance, security, currency and large systems capabilities. For the code necessary to determine our electoral voting, elect our Senate and safeguard our democracy?

      The AEC are amateurs, and I wouldn't trust them to code my bowel movements ... let alone a system for counting votes. And if you don't trust the electoral process, you don't trust the governments elected using that process, and it all starts to fall to pieces.

      1. h4rm0ny

        Re: Once a trouble maker always...

        >>"360,000 lines of Visual Basic is what's being reported"

        Dear gods...

        That's the only response I can think to make.

  5. glen waverley
    Coat

    manipulation fnaar fnaar

    " But another reason Ronaldson offers is bizarre, as he suggests “I am advised the publication of the software could leave the voting system open to hacking or manipulation.” "

    Given the increasing size of the Senate ballot papers especially in bigger states like NSW (110 candidates in 2013) or Vic, perhaps an insufficiently large value for NumberOfCandidates or MaximumPreference as a signed integer? E.g. any preference above, say, 128 goes negative, with unfortunate effects on the flow of preferences.

    So the trick would be to make sure that enough minor parties nominate enough candidates to bust this number. But that could not be arranged in advance, could it?

    I am assuming that other commentards realise this is a vote *counting* system, not a voting system

    icon becos I'm sure I had some nomination forms with me
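As an added example (not code from this thread, the AEC or the article's system) of the overflow speculated about above: a preference rank stored in a hypothetical 8-bit signed type wraps negative above 127, shown beside a checked parser that rejects any rank that does not fit. The type, limit and sample ballots are constructed assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical narrow storage for a preference rank, as speculated above:
 * a signed 8-bit integer holds at most 127. Assumed, not the real type. */
typedef int8_t pref_t;
#define PREF_MAX 127

/* The failure mode: a rank above 127 stored in an int8_t wraps negative on
 * two's-complement compilers, so rank 130 silently becomes -126. */
pref_t naive_store(int rank) {
    return (pref_t)rank;
}

/* Hardened parse of one ballot field: reject anything that is not a whole
 * number in 1..num_candidates or that would not fit in pref_t.
 * Returns 0 on success, -1 on rejection. */
int parse_preference(const char *field, int num_candidates, pref_t *out) {
    char *end;
    errno = 0;
    long v = strtol(field, &end, 10);
    if (errno != 0 || end == field || *end != '\0')
        return -1;                       /* not a clean integer */
    if (v < 1 || v > num_candidates)
        return -1;                       /* outside the ballot's range */
    if (v > PREF_MAX)
        return -1;                       /* would overflow the storage type */
    *out = (pref_t)v;
    return 0;
}

/* Validate a whole ballot: every field must parse and no rank may repeat.
 * Returns the number of preferences, or -1 if the ballot is rejected. */
int validate_ballot(const char *const *fields, int nfields, int num_candidates) {
    unsigned char seen[PREF_MAX + 1] = {0};
    for (int i = 0; i < nfields; i++) {
        pref_t r;
        if (parse_preference(fields[i], num_candidates, &r) != 0)
            return -1;
        if (seen[r])
            return -1;                   /* duplicate rank */
        seen[r] = 1;
    }
    return nfields;
}

int main(void) {
    /* Constructed sample ballots against a 130-candidate field. */
    const char *ok[] = {"1", "2", "45", "110"};
    const char *bad[] = {"1", "130"};
    printf("rank 130 naively stored as %d\n", naive_store(130));
    printf("ok ballot: %d, over-range ballot: %d\n",
           validate_ballot(ok, 4, 130), validate_ballot(bad, 2, 130));
    return 0;
}
```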

  6. Anonymous Coward
    Anonymous Coward

    They are 100% wrong that "releasing the source code" means you have "compromised the system". In fact it's been proven to be quite the opposite. Did you know that of the top 500 supercomputers in the world, 470 of them run "Linux", a completely FREE and OPEN SOURCE system. sarcasm: If these 470 supercomputers are all "compromised" by this new discovery of yours, I'm sure all those people running them are horrified, and will be changing their systems now...

    Also... (approximately) 60% of ALL servers on the internet run Linux, or some OPEN SOURCE operating system. Oh god, the website you are reading this on now, is probably running on open-source - what will we do, it's a disaster!

    And.... it's no better in your phone. Are you carrying around an iphone or an android based phone? They are all based on open source too! The iphone is based on "FreeBSD", and android phones are based on Linux, yet again. Does the integrity of your phone feel more "compromised" knowing this..? Should it?

    http://www.linux.com/news/enterprise/high-performance/147-high-performance/666669-94-percent-of-the-worlds-top-500-supercomputers-run-linux-

    http://en.wikipedia.org/wiki/Usage_share_of_operating_systems#Servers_on_the_Internet

    http://en.wikipedia.org/wiki/Comparison_of_BSD_operating_systems

  7. Christoph

    Same as in the USA - they refuse to release the source code for voting machines.

    Meanwhile in Las Vegas if you want to run an electronic fruit machine you MUST make the source code available.

    So it's perfectly OK to fiddle elections, but no way do they let you fiddle money.

    1. Roj Blake Silver badge

      It reminds me of the run-up to the 2004 presidential election when the CEO of Diebold (who make voting machines) promised to deliver Ohio's electoral college votes to George W Bush.

      Bush went on to win because swing-state Ohio "voted" in his favour.

  8. Mike 16

    Thus it ever was

    I was a (minor) part of an attempt in the early 1970s to have the vote-counting software for the U.C. Berkeley Academic Senate audited by a third-party group of security professionals. We failed, of course. The reason given was essentially the same as this case. Why any sane person thinks these schemes are a good idea, or promote democracy, is beyond me.

    I suspect that any Athenian who wanted to check that the voting urns were empty before the vote were similarly derided.

  9. Ken Hagan Gold badge

    It is an established fact that in the immediate post-war period, the US intervened to prevent Italy from going communist. They then spent the next few decades interfering in all sorts of countries to swing the local government their way. We now also got all the post-Snowden fallout about what the NSA have been up to.

    I'd take it as read that any electronic voting software used in national elections in any country in the world has been the target of a serious effort by more than one foreign power to force a particular result. It is simply naive to imagine that these people would leave such things to chance, or to the enemy's hackers.

  10. razorfishsl

    360,000 lines of code...

    There are complete operating systems with less code than that...

  11. aberglas

    House of reps is OK, senate is a mess, will not get fixed

    For the house of reps I have scrutineered, and unlike the horrible US system it is all transparent and open. The votes are counted by hand on election night and independently tallied by the major parties.

    For the senate the system is too horrendously complex for anybody to care. We just left the pile of votes for the officials to deal with. It is that complexity which needs to be addressed.

    This is a large government sponsored piece of code, which cost an unholy amount to kludge together. It is presumably horrible inside in every way imaginable. And worse, if it was released then some hacker could probably rewrite most of it cleanly in a couple of months.

    If you were in charge of that mess, would you want any sort of public scrutiny? Of course not.

    The question is where our conservative government stands. On the one hand they hate public servants and could reasonably blame the discovered mess on the previous Labor government. But on the other hand they hate left wing open government types, and remember this was introduced by the odious Greens.

    So no, we will not see the code.
