
BBV: Question for Techies

Eloriel Donating Member (1000+ posts) Fri Sep-19-03 11:41 PM
Original message
BBV: Question for Techies
Can someone write me a nice, one-paragraph description of Open Source Code -- what it is exactly, why it produces the best product, whatever other benefits you can think of? I understand it, but I'm sure some of our IT talent can explain it MUCH better.

For submission to Congress, as well as other documentation.

Thanks!

Eloriel

KeepItReal Donating Member (1000+ posts) Fri Sep-19-03 11:49 PM
Response to Original message
1. Here you go...
"The basic idea behind open source is very simple: When programmers can read, redistribute, and modify the source code for a piece of software, the software evolves. People improve it, people adapt it, people fix bugs. And this can happen at a speed that, if one is used to the slow pace of conventional software development, seems astonishing.

We in the open source community have learned that this rapid evolutionary process produces better software than the traditional closed model, in which only a very few programmers can see the source and everybody else must blindly use an opaque block of bits."

http://www.opensource.org/


ParanoidPat Donating Member (1000+ posts) Sat Sep-20-03 12:05 AM
Response to Reply #1
4. El, change 'we' to 'those' in the open source community....
....and that about says it all! :evilgrin:
Of course start with "According to Opensource.org,...." :)

Eloriel Donating Member (1000+ posts) Sat Sep-20-03 12:28 AM
Response to Reply #4
5. Thank you!!! KeepItReal --
and yes, punpirate. Most definitely properly attributed.

Eloriel

ParanoidPat Donating Member (1000+ posts) Sat Sep-20-03 12:35 AM
Response to Reply #5
8. Talk about proper attributions....
....LOL! :evilgrin:

And a good reason to :kick: :)

punpirate Donating Member (1000+ posts) Sat Sep-20-03 02:43 AM
Response to Reply #5
18. Hmmm....
Am I starting to get a reputation as an old schoolmarm with a ruler? *smile*

But, if I can try to distill what's been said here into a short paragraph (I missed this thread when it first showed up):

"For software to run efficiently on a computer, it must be compiled, which effectively hides the source code from line-by-line examination. Proprietary software usually contains a legal clause in its use license forbidding decompiling and, therefore, casual inspection of the source code is impossible. Open-source software, however, is free and its license permits decompiling to examine the code line-by-line. As it applies to electronic voting machine technology, open-source software enables the certifiers, the state and county examiners and other interested parties to examine the code and determine if the code is as described and will function as intended. Any attempt at voting fraud by altering the code would be readily apparent with open-source software in a way that it would not be with proprietary software, due to the legal constraints regarding decompilation."

Cheers.

scottxyz Donating Member (1000+ posts) Sat Sep-20-03 02:55 AM
Response to Reply #18
20. Good except for one small caveat
Be careful using the word "free" with open-source. This word often has to come along with the explanation "free as in liberty" or "free as in beer".

In this case, we can avoid this additional issue and leave the word free out. What's important here is that the original human-readable program is available for anyone to inspect.

punpirate Donating Member (1000+ posts) Sat Sep-20-03 03:18 AM
Response to Reply #20
23. Yes, that's correct...
... and in the case of the software provided with a machine, certainly the cost to produce specialty code would be included in the cost of the machine. I guess the distinction to me is obvious because of M$. (!)

Cheers.

PaulNAdhe Donating Member (15 posts) Fri Sep-19-03 11:52 PM
Response to Original message
2. This is not the one paragraph you wanted.
You mean besides the fact that Microsoft can't keep the barn door closed? Or that they haven't 'innovated' a damn thing since uhhh, oh yeah they originally wrote Word didn't they? Everything else on their shelf they bought from smaller companies including DOS.

I'm an IT'er - been making my living for 25 years that way. Open source is attractive to me as a concept, but I have to make software work. I don't have time to track down code trying to write to incorrect ports. When open source software doesn't work who do I call? The author of the module that's causing the problem? Which module is the troublemaker? I've been through the "it's the other guy's fault" enough times to curl your hair.

We standardized on Microsoft long ago. And until there is another company that will take responsibility for all the software woes we encounter on a daily basis, we'll stay with the Borg.

KeepItReal Donating Member (1000+ posts) Sat Sep-20-03 12:02 AM
Response to Reply #2
3. In the case of open-source Linux...
You can get support from companies like Red Hat who package the open-source developed code and sell it and support services as a business.

Here's more:

"And the one group of users who were by far most often cited as providing the help needed were the users of Linux and other "free" versions of Unix. So the winner we're naming for Best Technical Support this year is the Linux user community.

As something you can download for free, of course, Linux doesn't necessarily come with the support of a commercial entity, but that's exactly why many readers said they like it.

"The online support via Usenet, Web pages, and IRC is far better than anything that you can get from a commercial vendor, as far as resolving real-world problems," wrote one InfoWorld Electric forum participant, who offered the analogy of a Microsoft Access customer calling Microsoft on a hard-to-solve problem. "So imagine, if you will, that the Microsoft staffer on the line directs you to a Web page where you can download free of charge the latest release of SQL Server and a free copy of C++ in order to solve your problem, and then follows this up a week later by e-mailing you a program that was written in his/her spare time that extends your program in some new way ... `Impossible! never happen!' you say ... this sort of thing literally happens hundreds of times, every day of the week, all year long.""

http://www.infoworld.com/cgi-bin/displayTC.pl?/97poy.supp.htm





scottxyz Donating Member (1000+ posts) Sat Sep-20-03 12:56 AM
Response to Reply #2
10. I disagree, PaulNAdhe
Edited on Sat Sep-20-03 01:11 AM by scottxyz
I also have several years of experience using both proprietary (Microsoft) and open-source code.

Some programmers expect it will be easier to get help from a single vendor such as Microsoft, rather than turning to a bunch of volunteers on the net when something goes wrong. However, it often turns out that "the best things in life are free". I have had many situations where getting answers or fixes from Microsoft support was like pulling teeth - sometimes took several weeks, even with deluxe service contracts.

On the other hand, the voluntary, collaborative nature of open-source code means that while you don't have a single vendor to turn to for your questions, you have a bunch of volunteers on the net. In many cases, this "labor of love" gets the problems solved much faster than a paid Microsoft tech-support contract.

I actually know of several projects that have stopped dead in their tracks because an obscure Microsoft bug was found that the "Borg" couldn't or wouldn't fix.

Microsoft is recognized by many computer professionals as holding the entire industry BACK by a factor of around ten years - because of its slow pace of innovation, and the lack of transparent, scientific collaboration on its increasingly bloated code base.

The reasons people choose Microsoft are (1) everybody else already chose Microsoft and (2) throwing money at a problem gives a sense of security. When you are free to use any software you want (for a new project) and you don't have a venture capitalist willing to let you burn through millions of dollars for your project, then "open source" has proven to be a very viable option.

To cite an important example, more web servers use open-source Apache rather than Microsoft's paid, proprietary option IIS, which is known to be buggier and less secure.

Of course, this is an issue which could take up volumes in a flame war. I have used Microsoft products when a client has a big budget and feels safer having a single vendor to call. I have used open-source products when budget constraints are tighter and I know I can get free support from the army of developers on the web.

I understand the feeling of security that can come from "paying more". I have often been at this point myself, in various spheres of life.

To use an analogy which isn't entirely beside the point: Sometimes you feel like sitting down in a restaurant because you have money in your pocket and you don't want to deal with cooking. Other times you have the energy and the desire to put together a home-cooked meal. Both have their advantages. But nobody says that restaurants are the "Borg" and we have no choice but to eat in them. When you're feeling inspired, you can still save some money and put together a great home-cooked meal!

Devils Advocate NZ Donating Member (1000+ posts) Sat Sep-20-03 12:29 AM
Response to Original message
6. I believe the other posts aren't really what you are looking for...
They are talking about "Open Source Software", which is a totally different kettle of fish to what you mean when you are talking about having voting machine source code available for inspection.

Open source software is software that anyone can change and redistribute the source code for, such as Linux.

What you are talking about is having the ability to inspect the source code of proprietary software being used to run voting machines.

The reason such source code should be open to inspection is to make the electoral process transparent. Much as justice must be seen to be done, resulting in open trials unless there are specific reasons to hold a trial in secret, the electoral process must be seen to be fair. What this should mean is that any interested party must be able to examine the source code of voting machines to ensure that no bugs or features of the software could contribute to false counts, resulting in incorrect election results.

With mechanical electoral machines, it is easy to open the machine and see if any parts have been tampered with, or through normal wear and tear have failed, causing incorrect results. With computerised voting machines, such inspections are impossible unless the source code of the software running on the machine is available.

One argument against making the source code available to any interested party is the idea that the source code is the "guts" of the machine, and making it available may help competitors to build better machines. The answer to this already exists - the source code itself is copyrighted and thus anyone using it would be in breach of copyright and liable to prosecution.

If a competitor however used it to get ideas on how to make a better voting machine program, without actually stealing any of the code, then copyright would not apply. However, any competitor would also have to make their source code available should they win the contract, and thus the original company could use their competitor's advancements to get ideas on how to improve their own software.

What we must remember, is that the client for these programs is the entire population of the country, and thus, the client has the right to demand to see the source code of software they are using. If the company is not willing to expose their code in this way, they are perfectly capable of keeping their code secret by not selling it to the client. Of course, there is not much of a market for voting machine software, so one would assume that any company in this line of business would prefer to keep the few clients they have happy.

Aside from making the electoral process transparent, such open availability of the source code will almost guarantee that there are no bugs that result in incorrect results. The reason for this is that every competitor for such a program will pore over the source code trying to find errors that they can use to show why their software is better. Thus not only is there a very good economic reason to ensure your software is bug free, there is a very good economic reason to try and find every possible bug in your competitor's software.

This makes it much more likely that a foolproof program will be adopted and thus much more likely that elections will be fair, while improving the quality of voting machine software across the board.

Resistance Is Futile Donating Member (693 posts) Sat Sep-20-03 02:24 AM
Response to Reply #6
15. System security
"Aside from making the electoral process transparent, such open availability of the source code will almost guarantee that there are no bugs that result in incorrect results."

No. Open source allows the public to verify that the software does what it is supposed to. It is not a magic wand that can prove an entire electronic voting system to be secure against bugs or fraud. The security of an electronic voting system relies just as much on the hardware, its physical security, and the design model around which the system is built. Open source software addresses none of these issues.

Devils Advocate NZ Donating Member (1000+ posts) Sat Sep-20-03 07:03 AM
Response to Reply #15
29. The very next sentence I wrote after the one you quoted...
shows why I say that having free access to the source code can almost guarantee bug free software:

"The reason for this is that every competitor for such a program will pore over the source code trying to find errors that they can use to show why their software is better."

Imagine if Microsoft's source code was available for viewing (although not modification or redistributing). Any Microsoft competitor would pore over the MS code looking for every bug they could find in order to show why their OS is better.

In other words, with the source code hidden, MS has an economic reason to ignore bugs and ship the software anyway. With the source available, this scrutiny from competitors will have the opposite effect, causing MS to ensure that THEY find the bugs and fix them BEFORE shipping the product, and thus not giving their competitor an opening.

However, you are right that having the source available will not "prove" that the system is 100% secure, but what it will do is enable an informed choice to be made in order to find the MOST secure, and it will encourage developers to do everything in their power to make their program the most secure.

With freely viewable source, there won't be any more instances where, as was shown in the internal Diebold e-mails, the developer says "well if they don't find it, it doesn't matter", because someone WILL find it, just as has happened now that the Diebold source has been exposed.

By the way, don't take this to mean that I believe that making the source freely viewable is the cure-all. It isn't. However, with open source and a paper trail, election fraud will be practically impossible.

bpilgrim Donating Member (1000+ posts) Sat Sep-20-03 02:40 AM
Response to Reply #6
17. OPEN SOURCE also means that it belongs to the community... VERY IMPORTANT
something that i think we should also be demanding but i would certainly settle for an OPEN/TRANSPARENT code review process which brings up the inherent problems with ANY process no matter how supposedly TRANSPARENT if it is unauditable and why our first priority should be that i think... and 2nd in line should be a TRANSPARENT certification process but finally to gain even more security and CONFIDENCE - nothing is 100% - in the system as a whole it should belong to the community, most likely contributed by local universities.

:hi:



peace

scottxyz Donating Member (1000+ posts) Sat Sep-20-03 02:59 AM
Response to Reply #17
21. Yes this is an important point - it belongs to the COMMUNITY
Most open-source licenses are designed to ensure that the code remains property of the community. This is of course not an inherent quality of the human-readable code itself - it is a legal stipulation that can be enforced by choosing a good open-source license.

Here is a non-techie website (the user-written "Wikipedia") summarizing a lot of the ideas of open-source software and open-source licensing.

http://www.wikipedia.org/wiki/Open_source


lindashaw Donating Member (921 posts) Sat Sep-20-03 06:25 AM
Response to Reply #6
27. I'm not even a non-tech, I'm a complete idiot. Bear with me...
On C-span, when they're having a vote, the numbers come up and you can see the tally as it happens. What machines are the Congress using to vote? It all seems pretty transparent to me.

Eloriel Donating Member (1000+ posts) Sat Sep-20-03 04:01 PM
Response to Reply #6
33. Thanks, but no, I really was asking for a good description
of Open Source Code.

Eloriel

Resistance Is Futile Donating Member (693 posts) Sat Sep-20-03 12:29 AM
Response to Original message
7. More than you ever wanted to know
http://www.gnu.org/philosophy/philosophy.html


What kind of arguments are you going to make regarding open source BBV machines? Open source is absolutely not a guarantee against vote tampering as there is no way to know that the software that is actually inside the BBV machine is the same as the software that the vendor has published.

Trajan Donating Member (1000+ posts) Sat Sep-20-03 12:36 AM
Response to Reply #7
9. IF Vote counting applications ....
Were developed and verified in the open community, could there NOT be standard loadtime verifications applied ? .. Like CRC or Checksum verifications ? ...

ONCE a program is loaded, and then checksummed, and THEN locked down ... one can have a reasonable level of confidence of the integrity of the system ..... right ? ...

Resistance Is Futile Donating Member (693 posts) Sat Sep-20-03 02:20 AM
Response to Reply #9
14. Who watches the watchers?
A digital signature would be needed rather than a checksum but in principle something like this could be done. As with all other aspects of electronic voting, however, the devil is in the implementation and the details.

A trusted authority could load the code and digitally sign it, but where does one find a trusted authority in an age where polling staff have been caught handing out marked ballots and election officials routinely strip wrong-party voters from the rolls? Trust could be distributed among several people (i.e. one from each party, one from the state, and two from the UN...) but there would need to be some way of ensuring that the code seen by each person is actually the code that will be used to run the election.

Further, hardware tampering would need to be addressed separately. It would be trivial to design dishonest hardware that would give out different code depending on the circumstances. Even if the software was honest, the hardware could be manipulated in creative ways which would negate the reliability advantages of publicly-verified open source software.

Another issue is locking down the 'ballot boxes.' It's not going to be a showstopper but it's not trivial to lock down a piece of hardware to prevent hardware tampering and software manipulation while still providing a means to get votes in and get the totals out. 'Ballot box' security is just as vital as software integrity; open source does not address physical integrity either.

Finally, there is the big issue of getting the totals out of the 'ballot box' in a format that cannot easily be altered or processed more than once per vote count. The only really secure ways to do this involve hardware solutions, such as write-once memory chips, that are beyond the realm of open source software.

Open source software can certainly help make BBV 'ballot boxes' more secure but it is not a panacea or a guarantee of accuracy. Reliable electronic voting requires the use of a complete system designed from the ground up to be secure and tamper-proof. Trustworthy software is but one of the necessary components.
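Replies 9 and 14 above turn on the difference between a load-time checksum and a digital signature, and on splitting trust among several signers. The following is an added example, not part of any post in this thread: it uses Lamport one-time signatures only because they need nothing beyond a hash function from the Python standard library (a real deployment would use a standard scheme such as Ed25519 or RSA), and the trustee names, image contents and function names are constructed for illustration.

```python
import hashlib
import secrets
import zlib

BITS = 256  # one pair of secrets per bit of the SHA-256 digest


def keygen():
    """Lamport one-time key pair: private = random secrets, public = their hashes."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    public = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in private]
    return private, public


def digest_bits(image: bytes):
    """SHA-256 of the image as a list of 256 bits, most significant first."""
    n = int.from_bytes(hashlib.sha256(image).digest(), "big")
    return [(n >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def sign(private, image: bytes):
    """Reveal one secret per digest bit. A Lamport key may sign only ONE image."""
    return [private[i][bit] for i, bit in enumerate(digest_bits(image))]


def verify(public, image: bytes, signature) -> bool:
    """Anyone holding the public key can check; nobody can forge without the secrets."""
    if len(signature) != BITS:
        return False
    return all(
        hashlib.sha256(revealed).digest() == public[i][bit]
        for i, (revealed, bit) in enumerate(zip(signature, digest_bits(image)))
    )


def checksum_ok(image: bytes, stored_crc: int) -> bool:
    """Unkeyed check: whoever can replace the image can recompute the CRC too."""
    return zlib.crc32(image) == stored_crc


def quorum_ok(image: bytes, trustee_keys, signatures, required: int) -> bool:
    """Accept the image only if `required` distinct known trustees signed these bytes."""
    valid = {
        name
        for name, sig in signatures.items()
        if name in trustee_keys and verify(trustee_keys[name], image, sig)
    }
    return len(valid) >= required


def demo():
    # Constructed stand-ins for the publicly reviewed build and an altered one.
    reviewed = b"constructed build: count every ballot once"
    tampered = b"constructed build: count some ballots twice"

    trustees = ["party_a", "party_b", "state"]  # hypothetical signers
    keys = {name: keygen() for name in trustees}
    public = {name: pair[1] for name, pair in keys.items()}
    sigs = {name: sign(keys[name][0], reviewed) for name in trustees}

    # Someone with write access swaps the image and the stored checksum together.
    forged_crc = zlib.crc32(tampered)

    # One insider signs the altered image; the other signatures are old ones replayed.
    insider_sigs = dict(sigs)
    insider_sigs["party_a"] = sign(keys["party_a"][0], tampered)

    return {
        "crc_accepts_tampered": checksum_ok(tampered, forged_crc),
        "quorum_accepts_reviewed": quorum_ok(reviewed, public, sigs, 3),
        "quorum_accepts_tampered": quorum_ok(tampered, public, sigs, 3),
        "one_insider_is_enough": quorum_ok(tampered, public, insider_sigs, 3),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check covers only the bytes handed to it; whether the hardware then runs those bytes is the separate problem reply 14 raises.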
 
Eloriel Donating Member (1000+ posts) Sat Sep-20-03 04:04 PM
Response to Reply #7
34. True, but it's far better than
not even seeing the code -- in fact, not ANYone but the developers seeing the code. It's also better for eliminating bugs. AND ensuring that vote-tampering "features" are built in.

On the other matter, we'll have to develop some heavy-duty chain-of-custody procedures, won't we? And that's part of the argument we're making.

Thanks for your insight.

Eloriel

scottxyz Donating Member (1000+ posts) Sat Sep-20-03 12:59 AM
Response to Original message
11. Here's my version, Eloriel
Edited on Sat Sep-20-03 01:42 AM by scottxyz
All computer software involves at least two versions of the program: the original version written by a human being in a programming language (the "source code") and the translated version tailored to be run efficiently by a computer (the "compiled code"). Source code can be read and written by anyone who understands the programming language: other programmers can easily read the code to understand and verify what it does, or they can easily create a new and improved version of the code. Compiled code generally cannot be read by a human being; it is like a "black box" which is illegible to humans and optimized to run on a computer.

"Open source" computer software is released along with a copy of the human-readable source code, to encourage other programmers to read, understand, verify and improve the code. (The software may be copyrighted and released under an open-source licence to legally ensure that the code as well as any improvements remain open.) "Proprietary" computer software is released in the compiled, machine-readable version only, in order to protect trade secrets and discourage other programmers from understanding, re-using or enhancing the code. Because of the collaborative, transparent nature of open-source software development, open-source software naturally tends to become more reliable, secure, and efficient over time.

Most large-scale scientific and military software projects - where notions of transparency and verifiability obviously trump vendor profitability - explicitly mandate open-source software to handle mission-critical programming tasks. Many countries' voting systems, such as Australia's, also mandate open-source code for this reason. Proprietary code, on the other hand, has had its greatest success in commercial and desktop applications, where software vendor profitability is an important factor and users are willing to sacrifice transparency and verifiability in return for the perceived convenience of having a single software vendor to turn to for improvements or fixes.

= = =

© 2003 Democratic Underground.

scottxyz Donating Member (1000+ posts) Sat Sep-20-03 02:17 AM
Response to Reply #11
13. An addendum (especially for Congresspeople)
Edited on Sat Sep-20-03 02:24 AM by scottxyz
Open-source software gives rise to an efficient free market of intellectual effort encouraging collaboration, competition and a "trust but verify" mentality, while proprietary, "black box" software gives rise to an inefficient centralized system with a "just trust me" mentality which can lead to bureaucratic bloat if not outright fraud.

= = =

© 2003 Democratic Underground.

E_Zapata Donating Member (1000+ posts) Sat Sep-20-03 03:17 AM
Response to Reply #13
22. Scott -- that is the best way to put it.
The very best. I am non-technical, and only recently did I figure out the difference between open source Linux vs. proprietary MS, and what you said completely jibes with my a-ha moment when I said, "Oh, so this is what they are saying when they say we need open source for voting software!"

But it took me researching a lot when I was looking to get away from MS products and learning that the reason MS is crap is because it isn't open source.

I would say 90% of the US population hasn't made that connection. And until that connection is made, we can yell "open source" till we are hoarse and it won't have an impact.

Kudos to Eloriel for crafting something for the congress.

ConsAreLiars Donating Member (1000+ posts) Sat Sep-20-03 01:27 AM
Response to Original message
12. Honest Software
Here's a non-techy take:

Technically, "open source" simply means that the code that runs the program is open to public view and improvement. In general, it means that the software is kept honest by a whole community of people (in this case people fluent in the relevant programming language) who have a vested interest in knowing that the software does just what it claims to do. As a user (not a programmer) it means that I am assured by that expert community that the programs I use actually do what they claim -- no more, no less. As a user, I have to rely on "experts," but with open source software there are thousands of independent reviewers and the facts of the matter (the lines of code) are visible to all. By contrast, with copyright protected proprietary software any review of the product takes place at the discretion of and under conditions set by the owner and is not open to public oversight. When the users of the software, as individuals, cannot actually witness that the software performs as expected, they must be allowed to see exactly how it operates and what it really does if they are to have any confidence that it is working honestly.

Resistance Is Futile Donating Member (693 posts) Sat Sep-20-03 02:36 AM
Response to Original message
16. Another thought
You people should get in touch with Bruce Schneier/Counterpane, the Electronic Frontier Foundation, and the Association for Computing Machinery.

http://www.counterpane.com
http://www.eff.org
http://www.acm.org

bpilgrim Donating Member (1000+ posts) Sat Sep-20-03 02:50 AM
Response to Original message
19. OPEN SOURCE BELONGS TO THE COMMUNITY
Open Source Software benefits a great deal by employing our greatest model for success known to man, evolution, by creating an environment that allows for maximum exposure to change by creating a direct interface to all its users by simply allowing folks to actually see - open - and modify/verify the code - source in contrast to closed source - commercial/secret - code which tends to stunt its growth and allow for bugs - errors/security holes - to flourish.

well off the top of my head...

please see 'The Cathedral and the Bazaar' by Eric S. Raymond
http://www.oreilly.com/catalog/cb/ he is the 'movement's' leading spokesperson and can certainly give you a greater insight into exactly what it is and what are its benefits, certainly better than my rambling could ;->

:hi:

peace

E_Zapata Donating Member (1000+ posts) Sat Sep-20-03 03:24 AM
Response to Original message
24. From a non-techie's viewpoint:
When I read a lot of the paragraphs above, I see those words: free, open, lots of people analyzing it and fixing it -- and if I were a computer illiterate congress person, I would think: Yah, that's why we want black box closed source software - so no one can mess with it. That creates integrity.

So, I see it as an issue of really educating the congress people and the public about why open source rules. Computer technology is a beast that can only be tamed by allowing as many good brains on it as possible. That's why we have computers -- because they exceed the capabilities of the human brain; so to compete with the computer beast, man must amass as much brain power to get as much control of the uncontrollable beast as we can.

I promise I am not smoking anything. LOL

rman Donating Member (1000+ posts) Sat Sep-20-03 06:52 AM
Response to Reply #24
28. "security through obscurity"
that's what MS and pretty much any closed source developer wants. Now there's always some amount of obscurity involved in security; i.e. a password which has to be kept secret from unauthorized persons. However, the obscure information should be as minimal as possible and must be easily changed by authorized persons. I.e. a different password every few days, and certainly the password should be changed promptly when you find out it has been leaked.

With closed source software there's a tendency to have security depend much more on obscurity. I.e. if there's some bug/security hole in Windows, the 'solution' is to keep it secret - as though that prevents anyone from discovering the security hole. It's like putting the key to your front door under the flower pot, and making it secure by not telling anyone. For any (true) hacker most security holes are that trivial to find and exploit.
Additionally you could try to make it illegal to look under flower pots at front doors. Then you can sue anyone trying to warn you about the security hole.

Of course the real solution to fixing such a security hole is to change the software: patch the security hole, which will be done eventually. But that is much more complicated and time consuming (and thus far less secure) than changing 'minimal obscure info' such as a password.

Wrt security OS basically says you shouldn't put your key under the flower pot to begin with, that the security system should be so good that it's exceedingly difficult to enter without the right key - even if you are a locksmith.
The only way to make a system that good is to have a whole lot of bright people work on its development so that the security does not depend on only a few people knowing the design of the system, but depends only on keeping the key secret.
A locksmith might be able to forge the key, but that's not trivial, while looking under the flower pot is trivial. It's pretty obvious which approach provides the better security, and it has everything to do with it being Open Source.

Mairead Donating Member (1000+ posts) Sat Sep-20-03 06:04 AM
Response to Original message
25. Try this one
Edited on Sat Sep-20-03 06:16 AM by Mairead
Open-source software is software that can be examined, tested, commented on, and--with appropriate controls--modified by anyone in the world who has the necessary technical skill and interest. This effectively creates an engineering team many times the size that even the largest corporation could afford to assign to even the most important project. Having the original code--the source code--always available for public inspection, testing, and comment means that errors are typically more quickly found and fixed, it becomes impossible to insert malicious functions, and people can have confidence in the end product because they can re-create it themselves if they wish. None of this is true of proprietary software.

(edit) I like Scott's better than mine, though his is longer

scottxyz Donating Member (1000+ posts) Sat Sep-20-03 03:22 PM
Response to Reply #25
32. Mairead - I like yours too
I really want a bunch of tech-writers to collaborate on this. This is a really big opportunity to present something to Congress which ties together the notions of "open source" in the sense of transparency in several fields: programming, voting, auditing and accounting.

I think a LOT of DUers have a good intuition on this. Remember that open-source is not a programming language or a style - it is a POLITICAL or MANAGERIAL decision about who is privy to the system development process. This is a social issue which I think a lot of people with experience in various organizations can comment on intelligently.

Yes, open source software is "special" among other assets that can be managed as a "commons" - that's why it's the main thing which can turn the tide against the increasing privatization (and tragedy) of the commons.

I have to run out the door now but here is a slight rewrite to the opening of Mairead's...

"Open-source software is software that is publicly designed, examined, tested and critiqued at various stages of its development by computer specialists, users and other interested parties. Improvements can also be suggested, approved and incorporated via an organized, public process.

Many limited concrete assets in human history have been developed and managed as a "commons" - and as an unlimited virtual asset, software is intuitively perceived by many as the ideal..."

I'll try to check in later.


rman Donating Member (1000+ posts) Sat Sep-20-03 06:07 AM
Response to Original message
26. OS relevancy to government activities (Peru vs MS);
There's more to OS than it being 'liberal', cheap/free (as in beer and/or speech), and a better way to organize development of software:


http://www.theregister.co.uk/content/4/25157.html
MS in Peruvian open-source nightmare
By Thomas C Greene in Washington
Posted: 05/05/2002 at 20:26 GMT

There's a letter circulating, purportedly from Peruvian Congressman David Villanueva Nuñez to Microsoft Peru, which cuts the heart out of Redmond's chief 'panic points' to chill those considering open-source migration.

Apparently, the Peruvian government is considering a bill mandating open-source software for all public bureaux.
<snip>

Lima, 8th of April, 2002
To: Señor JUAN ALBERTO GONZÁLEZ
General Manager of Microsoft, Perú

Dear Sir:
<snip>

It is also necessary to make it clear that the aim of the Bill we are discussing is not directly related to the amount of direct savings that can be made by using free software in state institutions. That is in any case a marginal aggregate value, but in no way is it the chief focus of the Bill. The basic principles which inspire the Bill are linked to the basic guarantees of a state of law, such as:

Free access to public information by the citizen.
Permanence of public data.
Security of the State and citizens.

To guarantee the free access of citizens to public information, it is indispensable that the encoding of data is not tied to a single provider.
The use of standard and open formats gives a guarantee of this free access, if necessary through the creation of compatible free software.

<snip>

more:
http://slashdot.org/article.pl?sid=02/05/06/1739244&mode=thread&tid=109
http://slashdot.org/search.pl?query=peru

scottxyz Donating Member (1000+ posts) Sun Sep-21-03 08:53 PM
Response to Reply #26
40. rman - thank you for this wonderful find
This is an amazing letter you found, rman!

More people should read this letter from the Peruvian congressman. Specifically, I think American Congresspeople would understand this letter quite well - they'd really "get it".

Here's a separate link to the final paragraph of Dr. Villanueva Nuñez's letter so hopefully more people will see it:

http://www.democraticunderground.com/discuss/duboard.php?az=show_topic&forum=104&topic_id=380511


BeFree Donating Member (1000+ posts) Sat Sep-20-03 07:09 AM
Response to Original message
30. Open source is like this
Open source is like having Congress make decisions, while a single, closed, secret source is akin to the White House making all the decisions.



RedEagle Donating Member (1000+ posts) Sat Sep-20-03 12:20 PM
Response to Reply #30
31. Too Good not to
Kick!

lancemurdoch Donating Member (180 posts) Sat Sep-20-03 04:14 PM
Response to Original message
35. open source
Open Source simply means people can look at the source code. This has a variety of benefits, one being it's easier for the user, as opposed to the person who originally wrote it, to make changes. So if hundreds of people need little customizations, they can do it, instead of having to wait for the author to do it. Many people share their changes, and this may help with the better product thing, instead of a company having 6 developers working on it, you have possibly hundreds of developers working on it. Some open source products bypass commercial alternatives, I think Apache is one example.

There are different types of open source licenses and sometimes people mix them up. For example, businesses can use and privatize BSD open source code, the only condition is that they credit BSD. GPL open source requires businesses to release their open source changes, something BSD does not do. Sometimes people confuse things (or try to confuse things) and accuse open source of doing something that say only GPL does.


Eloriel Donating Member (1000+ posts) Sat Sep-20-03 04:18 PM
Response to Original message
36. Wow, everybody
There are some truly great comments here. Thanks!!

My immediate use is just a follow up for Jan Schakowsky of what we want Congress to do about this problem, and I am including a brief description just so they have a slightly expanded understanding of the term. (Ideally it should've gone in Hedda_Foil's and my 50-page report, but it didn't.)

However, "that damn document" (the 50-pager) will get rewritten as soon as I'm psychically able to deal with it again, and some of these fab comments WILL find their way into it. And yes -- properly attributed, punpirate. ;-)

Eloriel

OrdinaryTa Donating Member (1000+ posts) Sat Sep-20-03 09:29 PM
Response to Reply #36
37. Open Source Is No Guarantee
Using open source development software is not in itself a guarantee that the counting program used on a particular day is the same one given to the auditors. In fact I think it's a false assurance that invites other kinds of trickery.

It's a standard part of a magician's repertoire to get somebody from the audience to attest that yes, the hidden card is indeed the ace of hearts. In this case some group of software whizzes will examine the program allegedly used to do the vote counting, but it won't really have been that program!

Yes, there are ways to detect substituting one algorithm for another, but I'd hesitate to rely solely on open source software as the answer to software fraud.


Eloriel Donating Member (1000+ posts) Sat Sep-20-03 09:39 PM
Response to Reply #37
38. I don't think anyone who has been following the BBV issue
would DREAM of "relying solely on open source software as THE answer to software fraud."

Thanks for your comments,

Eloriel

TacticalPeek Donating Member (1000+ posts) Sat Sep-20-03 11:00 PM
Response to Original message
39. A bridge too far.
I love the Open Source Movement (it really is a movement). My company uses it in all our networking work. It is one of the best things for IT since the integrated circuit.

But I'm with Devils Advocate NZ (above) on this. Simply having access to original source code is what is required to secure this aspect of election integrity. Along with the actual compiler(s) and compile-time options used by the vendor. That code should be compiled as indicated and the result compared byte-by-byte to the production code (simple). In this situation, experts can detect any bugs, chicanery, etc. This will be light-years from where we are today.

Going for an open source approach to voting machine software is biting off a HUGE bite with many complications that are totally extraneous to the simple issue: ensuring that votes count. There are many different machines involved; that means there would have to be many open sources, so you start out of the gate with multiple code forks in the project.

In addition, these vendors are selling hardware that costs probably less than $1,000(?) for $4,000-$5,000(?). The value add is their software and expertise. Remove that, and they are in a near-commodity business, unless the taxpayers do some big-time subsidizing (I imagine the vendors would embrace open source and let us do their coding, provided they still get the full price).

Don't get me wrong. Reliable, open source voting machine software would be the cat's meow B-). But the "right" software development method is a separate kettle of fish from voting machine integrity.

// end
Printer Friendly | Permalink |  | Top
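
The rebuild-and-compare check described in reply 39 (which also bears on the substitution concern in reply 37), sketched as an added example that is not part of the original thread. The function name `compare_builds` and the sample byte strings are constructed for illustration, and it assumes the vendor build is reproducible, meaning the same source, compiler and options yield identical bytes.

```python
import hashlib
import io

def compare_builds(rebuilt, production, chunk=64 * 1024):
    """Byte-by-byte comparison of two binary streams (auditor rebuild vs. deployed image).

    Returns sizes, SHA-256 digests, and the [start, end) offsets of every
    differing run within the common length, so a mismatch can be located.
    """
    digests = (hashlib.sha256(), hashlib.sha256())
    sizes = [0, 0]
    runs, run_start, offset = [], None, 0
    while True:
        a, b = rebuilt.read(chunk), production.read(chunk)
        if not a and not b:
            break
        digests[0].update(a)
        digests[1].update(b)
        sizes[0] += len(a)
        sizes[1] += len(b)
        common = min(len(a), len(b))
        if a[:common] == b[:common]:
            if run_start is not None:      # open run ended exactly at a chunk boundary
                runs.append((run_start, offset))
                run_start = None
        else:
            for i in range(common):
                if a[i] != b[i]:
                    if run_start is None:
                        run_start = offset + i
                elif run_start is not None:
                    runs.append((run_start, offset + i))
                    run_start = None
        offset += common
    if run_start is not None:
        runs.append((run_start, offset))
    return {
        "identical": sizes[0] == sizes[1] and not runs,
        "sizes": tuple(sizes),
        "sha256": tuple(d.hexdigest() for d in digests),
        "differing_runs": runs,
    }

# Constructed sample data: a stand-in "rebuilt" image and a "production" image
# with four bytes altered at offset 700 and one byte appended.
REBUILT = bytes(range(256)) * 4
PRODUCTION = REBUILT[:700] + b"\xff\xff\xff\xff" + REBUILT[704:] + b"\x00"

if __name__ == "__main__":
    print(compare_builds(io.BytesIO(REBUILT), io.BytesIO(PRODUCTION)))
```

Timestamps or build paths that a compiler embeds in its output show up as short differing runs, and they have to be explained or eliminated before a byte-for-byte match is possible.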
 
© 2001 - 2011 Democratic Underground, LLC