Begin forwarded message:
From: Dave Farber <dave@farber.net>
Date: October 28, 2009 6:10:07 PM GMT-04:00
To: "ip" <ip@v2.listbox.com>
Subject: [IP] Sequoia To Publish Source Code
Begin forwarded message:
From: David Bolduc <bolduc@austin.rr.com>
Date: October 28, 2009 5:46:23 PM EDT
To: johnmacsgroup@yahoogroups.com, Dave Farber <dave@farber.net>
Subject: Sequoia To Publish Source Code
<http://www.wired.com/threatlevel/2009/10/sequoia/>
In Industry First, Voting Machine Company to Publish Source Code
By Kim Zetter
October 27, 2009 | 4:53 pm | Categories: E-Voting, Elections
Sequoia Voting Systems plans to publicly release the source code for its new optical scan voting system, the company announced Tuesday, a remarkable reversal for a voting machine maker long criticized for resisting public examination of its proprietary systems.
The company's new public source optical-scan voting system, called Frontier Election System, will be submitted for federal certification and testing in the first quarter of next year. The code will be released for public review in November, the company said, on its web site. Sequoia's proprietary, closed systems are currently used in 16 states and the District of Columbia.
The announcement comes five days after a non-profit foundation announced the release of its open-source election software for public review. Sequoia spokeswoman Michelle Shafer says the timing of its release is unrelated to the foundation's announcement.
Open-source software allows the public to participate in the actual development of the software. Whereas Sequoia's public source, or disclosed-source, software only allows the public to see software that its developers have already created.
In the press release announcing the public-source system, a Sequoia vice president is quoted saying that "Security through obfuscation and secrecy is not security."
"Fully disclosed source code is the path to true transparency and confidence in the voting process for all involved," said Eric Coomer, vice president of research and product development for Sequoia, in the press release. "Sequoia is proud to be the leader in providing the first publicly disclosed source code for a complete end-to-end election system from a leading supplier of voting systems and software."
Sequoia in fact has been a champion of security through obscurity since it's been selling voting systems.
The company has long had a reputation for vigorously fighting any efforts by academics, voting activists and others to examine the source code in its proprietary systems, and even threatened to sue Princeton University computer scientists if they disclosed anything learned from a court-ordered review of its software.
Princeton University computer scientist Ed Felten, one of the targets of Sequoia's legal threats, said he was pleasantly surprised to see the company opening its new system to examination after vehemently resisting it in the past.
"I think Sequoia is recognizing that it won't do anymore to just urge people to trust them," Felten said, "and that people want to know that the code that controls these machines is open and that experts have had a full chance to look at it."
Given that Sequoia is now acknowledging the value of code disclosure as something that can lead to better security rather than worse security, as it has claimed in the past, Felten said it seems that it should follow that they would now be willing to release code for all of their other products as well.
Last year, a judge ordered New Jersey election officials to give source code for the state's Sequoia AVC Advantage touch-screen machines to Princeton University computer scientist Andrew Appel and others for a lawsuit that challenged the integrity of Sequoia's paperless machines. Voting activists had sued the state to decommission the units out of security and reliability concerns. Appel's team found several vulnerabilities with the system, but wasn't able to discuss them publicly.
Appel, in a separate issue, also found a discrepancy between summary tapes printed from Sequoia touch-screen machines during New Jersey's primary election and totals that were recorded on the machines' memory cards. Summary tapes from machines in one district showed a phantom vote for then-presidential-candidate Barack Obama that didn't appear in the memory card totals.
The Sequoia machines deployed to Union County, New Jersey, also showed that Republican presidential candidates received 61 votes when only 60 ballots had been cast in the Republican primary. About 60 machines showed such discrepancies. When Union County election officials announced that they planned to have Princeton academics examine the machines to determine what went wrong, Sequoia threatened a lawsuit.
Sequoia initially blamed the problem on election officials for pushing the wrong buttons, but later claimed it uncovered a problem in its software that was creating the vote errors and announced that it had fixed the issue.
Earlier this year, in a separate case, Sequoia agreed, after a concerted battle, to hand over its source code to election officials in Washington, DC, to investigate why, during the city's September 2008 primary election, Sequoia's optical-scan machines added about 1,500 phantom votes to races on ballots cast in one precinct.
Sequoia blamed the problem on static discharge or human error.
After the city demanded to look at the source code to determine the problem, Sequoia in turn demanded a $20 million bond from officials guaranteeing they wouldn't disclose information about the system. Sequoia finally relented to provide the code without a bond, though only after the city agreed to keep the company's trade secrets confidential.
The election integrity group Voters Unite has compiled a partial list of reported problems (.pdf) with Sequoia voting machines.
Spokeswoman Michelle Shafer said Sequoia's public source system has been in the works for months, and that the announcement this week was timed for a National Institute of Standards and Technology workshop discussing a common data format for voting systems.
She said the firmware on the company's new Frontier optical-scan machines is written in C# programming language and runs on Linux. The election management software, which sits on a computer at the election office and is used to create ballots and tabulate votes, runs on Microsoft Windows XP and uses a Microsoft SQL database.
Pamela Smith, president of Verified Voting, a group that has long lobbied for fully auditable voting systems, applauded Sequoia's efforts.
"It's good to know the vendors are developing a new transparent optical-scan system," she said. "That is probably the biggest recognition of the direction that the voting public wants to see the market going."
Asked if Sequoia's history of hiding behind its proprietary code taints the sincerity of its public source effort, Smith said, "It's never too late. If you're making a step toward a more transparent system, good for you. That's a good thing."