
diva77

(7,643 posts)
Sun May 26, 2019, 05:44 PM May 2019

Microsoft's ElectionGuard a Trojan Horse for a Military-Industrial Takeover of US Elections

https://www.mintpressnews.com/microsoft-electionguard-a-trojan-horse-for-a-military-industrial-takeover-of-us-elections/258732/

May 24th, 2019, by Whitney Webb (@_whitneywebb)

Earlier this month, tech giant Microsoft announced its solution to “protect” American elections from interference, which it has named “ElectionGuard.” The election technology is already set to be adopted by half of voting machine manufacturers and some state governments for the 2020 general election. Though it has been heavily promoted by the mainstream media in recent weeks, none of those reports have disclosed that ElectionGuard has several glaring conflicts of interest that greatly undermine its claim aimed at protecting U.S. democracy.

In this investigation, MintPress will reveal how ElectionGuard was developed by companies with deep ties to the U.S. defense and intelligence communities and Israeli military intelligence, as well as the fact that it is far from clear that the technology would prevent foreign or domestic interference with, or the manipulation of, vote totals or other aspects of American election systems.
SNIP
However, investigative journalist Yasha Levine likened Microsoft’s promotion of ElectionGuard’s still unreleased open source code to a “PR move.” Levine told MintPress:

“Open source inevitably has bugs and vulnerabilities that are there accidentally because all code has vulnerabilities. This is true for open source and closed source systems. Open source just means that people can look at it, but then that code has to be run through a compiler that actually runs an executable program. So there you already have a degree of abstraction and separation from the open source code. But even if the executable code and the source code are the same, there are bugs which can be exploited.

So, what open source does is give a veneer of openness that leads one to think that thousands of people have probably vetted the code and flagged any bugs in it. But, actually very few people have the time and the ability to look at this code. So this idea that open source code is more transparent isn’t really true because few people are looking at it.”


SNIP

Voltaire2

(13,063 posts)
1. The attack on open source is nonsense.
Sun May 26, 2019, 05:55 PM
May 2019

The point is that open source code *can* be reviewed, compiled, and tested by anyone. Closed source code is only subject to analysis by the owners and their agents.

An open system doesn’t guarantee no bugs or exploit vulnerabilities, but it certainly is a step up from closed systems.

ret5hd

(20,499 posts)
3. No shit. Plus, think of the...
Sun May 26, 2019, 06:48 PM
May 2019

feather-in-the-cap of someone that discovered a flaw and was able to get it fixed.

My bet is that thousands of people would be poring over that code line by line to discover any flaws they could, even typos in the comments/documentation.

And don't get me started on the ridiculous idea that there is some kind of uber-coding skills needed to essentially "add one to cell D5...now add 1 to cell F7...etc etc ".


earthshine

(1,642 posts)
4. +1 Well said!
Sun May 26, 2019, 11:51 PM
May 2019
thousands of people would be poring over that code line by line to discover any flaws they could


Computer geeks are going to have a field day. They live for this stuff.

diva77

(7,643 posts)
5. good luck getting access to any of the voting machines or tabulators to inspect the code --
Mon May 27, 2019, 01:20 AM
May 2019

whatever code is supposed to be in the machines may not be what's actually there -- whether proprietary or open source
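The gap raised in the Levine quote above (reviewed source versus the executable actually produced) and in reply #5 (the code in the machine may not be the code that was certified) is something an auditor can at least partially close with an integrity manifest: hash every file of the reviewed, reproducible build, carry that manifest off the machine, and compare the deployed tree against it. The script below is an added illustration written for this thread, not ElectionGuard or any vendor's code; the manifest format (relative path to hex SHA-256) and the file names are assumptions made up for the example.

```python
"""Verify that files deployed on a device match a manifest of trusted hashes.

Added illustration, not ElectionGuard or vendor code. Assumes a hypothetical
manifest format: a dict mapping relative path -> hex SHA-256 of the reviewed
build. File names below are constructed for the example.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read binaries in 64 KiB pieces rather than all at once


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare a deployed tree against the manifest of the reviewed build.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]}.
    Unexpected files matter as much as modified ones: a library that the
    reviewed source never contained is still code that runs on the machine,
    and a check that only looks at listed files would never see it.
    """
    deployed = build_manifest(root)
    modified = sorted(p for p in manifest if p in deployed and deployed[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in deployed)
    unexpected = sorted(p for p in deployed if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: a trusted build, then a tampered deployment of it."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted = Path(tmp) / "trusted"
        deployed = Path(tmp) / "deployed"
        for d in (trusted, deployed):
            (d / "lib").mkdir(parents=True)
            (d / "tabulator.bin").write_bytes(b"\x7fELF-certified-tabulator")
            (d / "lib" / "crypto.so").write_bytes(b"\x7fELF-reviewed-crypto")
        manifest = build_manifest(trusted)
        # Tamper with the deployment: patch one binary, drop one file, add one.
        (deployed / "tabulator.bin").write_bytes(b"\x7fELF-certified-tabulator\x90")
        (deployed / "lib" / "crypto.so").unlink()
        (deployed / "lib" / "helper.so").write_bytes(b"\x7fELF-unreviewed")
        return verify_tree(deployed, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would attach to this. First, the manifest only means something if it was produced from a build the reviewers actually examined and is signed and stored off the device; a manifest the machine generates about itself proves nothing. Second, the check trusts the operating system it runs on: a compromised OS or a rootkit can hand back the expected bytes for a file while executing something else, so this kind of comparison is only meaningful when run from trusted boot media or backed by hardware attestation of the whole boot chain.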

Voltaire2

(13,063 posts)
6. Well if the vendor is claiming that its
Mon May 27, 2019, 08:48 AM
May 2019

software is open source and is lying, that would be fraud. For closed systems obviously there is no access.

The point is that an auditable open source election system is a good idea, not a bad idea, as the cited article seems to claim.

diva77

(7,643 posts)
8. Where in the article did it state that an auditable open source election system is a good idea?
Mon May 27, 2019, 03:33 PM
May 2019

My take is that the article makes the case for removing computers from the voting process altogether -- that computerized voting is nontransparent and any added cybersecurity adds too much complexity and vulnerability to the process.

TheBlackAdder

(28,209 posts)
7. That's a Myth--Open-Source is the most vulnerable Code Base, infiltrated by Hackers & Nation States
Mon May 27, 2019, 10:15 AM
May 2019

.

Everyone keeps perpetuating the myth that people are reviewing open-source software and making it more secure.

The truth is that the only people reviewing open-source are college academia, hackers and nation state actors. The development communities are infiltrated by hackers who inject code to weaken the code and install access points. Many of the vulnerabilities are kept quashed to allow intrusion. One of the least secure offerings is Spring, which most banks rely on to develop code. Open-source presents the source, instead of requiring one to disassemble code, whereas most private ISVs use their own compiler variants to make decryption more difficult. Folks using open-source often use standard compilers, which makes hacking easy for the rest of their code.


Organizations continue to face challenges with managing open source risk, according to a new report published today by Synopsys Cybersecurity Research Center (CyRC).

The annual Open Source Security and Risk Analysis (OSSRA) Report analyzed the anonymized data of over 1,200 commercial codebases from 2018 and found that 96% contained open source components, with an average of 298 open source components per codebase. The results reflect an increase from the number of codebases in 2017, which was only 257.

In addition, 2018 yielded more open source vulnerabilities disclosed than in years past, with a notable list of more than 16,500 vulnerabilities reported on the National Vulnerability Database (NVD).

While more than 40% of codebases contained at least one high-risk open source vulnerability, the report noted that the use of open source software is not a problem in and of itself. Rather, failing to identify and manage the security and license risk associated with the open source components your organization uses can lead to significant negative business impacts and damage to your brand.

https://www.infosecurity-magazine.com/news/not-managing-open-source-opens-1/



Download the Synopsys report for more information.

.

TheBlackAdder

(28,209 posts)
10. Here are a few reports, including one stating there are over a million unregistered vulnerabilities.
Mon May 27, 2019, 06:52 PM
May 2019

.

This year's report, in the aforementioned article.

"You probably have unpatched open source vulnerabilities in your code

But you’re not alone. Of the applications audited in 2018, 60% had vulnerabilities—and while that’s concerning, it’s a marked improvement from 78% in 2017."

"A substantial amount of open source is being used illegally

As shown in the report, the 20 most popular licenses cover about 98% of the open source in use. What about the 2,480+ other licenses? Plus, even if open source components have no identifiable license terms, you’re not off the potential litigation hook. Black Duck Audits found that 75% of companies had codebases with unknown licenses. In general, the absence of a license means no one can use, modify, or share the software without the explicit permission of its creators. This is because creative work (which includes code) is under exclusive copyright by default."

https://www.synopsys.com/software-integrity/resources/analyst-reports/2019-open-source-security-risk-analysis.html?utm_term=blog



Last year's report:

https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/2018-ossra.pdf


====


Here's Sonatype's Analysis from 2018, it will scare the shit out of you! The report requires registering.



Managed software supply chains are 2X more efficient and 2X more secure
Automated OSS security practices reduce the presence of vulnerabilities by 50%
DevOps teams are 90% more likely to comply with open source governance when security policies are automated

The window to respond to vulnerabilities is shrinking rapidly
Over the past decade, the mean time to exploit security vulnerabilities in the wild has compressed 400%, going from an average of 45 days to just 3

Hackers are beginning to assault software supply chains
Over the last 18 months, a series of no less than 11 events triangulate a serious escalation of attacks on software supply chains
These assaults, which include hackers injecting vulnerabilities directly into open source releases, represent a new front in the battle to secure software applications

Industry lacks meaningful open source controls
1.3 million vulnerabilities in OSS components do not have a corresponding CVE advisory in the public NVD database
62% of organizations admitted to not having meaningful controls over what OSS components are used in their applications


https://www.marketwatch.com/press-release/sonatypes-2018-state-of-the-software-supply-chain-report-reveals-use-of-vulnerable-open-source-increased-120-despite-equifax-breach-2018-09-25



https://www.theregister.co.uk/2018/09/25/open_source_security/

Just search: SONATYPE OPEN SOURCE SECURITY




.
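Both reports quoted in replies #7 and #10 make the same operational point: the risk is not that a component is open source, it is that nobody in the organization knows which components and versions are in the build, so nobody notices when an advisory lands, and the 45-day to 3-day exploit window means the clock starts the moment it is public. The script below is an added example written for this thread, not Synopsys or Sonatype tooling; it matches a pinned dependency list against a small advisory table and reports how long each matching advisory has been public. The package names, versions, advisory entries and scan date are all constructed for the example, the version comparison handles only dotted numeric versions (no pre-release tags), and "has_cve" stands in for the Sonatype observation that many advisories never get a CVE entry in the NVD.

```python
"""Toy software-composition check: match a dependency list against advisories.

Added example, not Synopsys or Sonatype tooling. All packages, advisories and
dates are constructed. Assumptions: dependencies are pinned with '==', and
versions are plain dotted integers (no pre-release suffixes).
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive); "" if no fix exists yet
    severity: str
    published: date    # when the issue became public; exploitation clock starts here
    has_cve: bool      # False models an advisory with no corresponding NVD CVE entry


def parse_version(v: str) -> tuple:
    """'1.2.10' -> (1, 2, 10). Constructed assumption: numeric components only."""
    return tuple(int(part) for part in v.split("."))


def version_lt(a: str, b: str) -> bool:
    """a < b, padding with zeros so '3.0' compares equal to '3.0.0'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (or no fix exists)."""
    if version_lt(version, adv.introduced):
        return False
    return not adv.fixed or version_lt(version, adv.fixed)


def parse_requirements(text: str) -> tuple:
    """Split a requirements-style list into {name: version} pins and unpinned lines.

    An unpinned dependency cannot be matched against an advisory at all, which
    is itself the governance gap both reports describe.
    """
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        if "==" in line:
            name, version = (s.strip() for s in line.split("==", 1))
            pinned[name.lower()] = version
        else:
            unpinned.append(line)
    return pinned, unpinned


def scan(pinned: dict, advisories: list, scan_date: date) -> list:
    """Return findings for every advisory whose range covers a pinned version."""
    findings = []
    for adv in advisories:
        version = pinned.get(adv.package.lower())
        if version is None or not is_affected(version, adv):
            continue
        findings.append({
            "package": adv.package,
            "version": version,
            "severity": adv.severity,
            "tracked_in_nvd": adv.has_cve,
            "fix": adv.fixed or "(none)",
            "days_public": (scan_date - adv.published).days,
        })
    # Oldest public issues first: those have been exploitable the longest.
    return sorted(findings, key=lambda f: (-f["days_public"], f["package"]))


# Constructed manifest and advisory table (not real packages or advisories).
REQUIREMENTS = """\
# constructed example manifest
acme-json==1.4.2
acme-http==3.0
acme-xml==2.7.9
acme-logging>=1.0   # not pinned: cannot be matched against advisories
"""
ADVISORIES = [
    Advisory("acme-json", "1.0.0", "1.4.3", "high", date(2019, 3, 2), has_cve=True),
    Advisory("acme-http", "3.0.0", "", "critical", date(2019, 5, 20), has_cve=False),
    Advisory("acme-xml", "2.8.0", "2.8.4", "medium", date(2019, 1, 15), has_cve=True),
]
SCAN_DATE = date(2019, 5, 27)  # constructed scan date


def run_demo() -> tuple:
    pinned, unpinned = parse_requirements(REQUIREMENTS)
    return scan(pinned, ADVISORIES, SCAN_DATE), unpinned


if __name__ == "__main__":
    findings, unpinned = run_demo()
    for f in findings:
        print(f)
    print("unpinned:", unpinned)
```

The acme-json finding is the one that matters most in this toy run: a fix has existed for 86 days, which is many times the 3-day window the Sonatype numbers describe. The acme-http finding shows the other failure mode, an issue with no fix and no NVD entry, which a scanner that only keys on CVE identifiers would never surface.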

diva77

(7,643 posts)
11. Yep, you scared the S*** out o' me, alright. LA County is spending nearly $300,000,000
Mon May 27, 2019, 09:04 PM
May 2019

Last edited Tue May 28, 2019, 01:09 AM - Edit history (3)

to switch from hand marked paper ballots to BMDs with open source code just in time for 2020. They are going to DECERTIFY hand marked paper ballots. Above & beyond scam...



I think of all the dilapidated schools in LA County, the 55,000+ homeless, underpaid teachers ---- and somehow, the Board of Supes thinks we want nontransparent voting machines with bells & whistles that print out bar coded 100% nonverifiable "ballots"???? 31,000 fancy "voting" machines for $300,000,000 -- that comes out to be about $10,000 per voting booth -- compare that to the cost of a paper ballot with a table with a 3 sided attachment to add privacy, no software or hardware or insurance or techies required. We've got the equivalent of the $1000 toilet seat lid on steroids coming to LA County.



Ms. Toad

(34,076 posts)
12. The problem with open source & election code
Tue May 28, 2019, 12:22 AM
May 2019

is that the code that runs the machines cannot be changed until review of the proposed changes is completed. That process takes a long time (~1 year). So the machines will be vulnerable to published potential exploits for a year or so and the boards of election can do nothing to block the exploits.

There are no good solutions - but at least the closed source code is not subject to publication of potential exploits which cannot, by law, be fixed prior to a full review.

Igel

(35,320 posts)
2. Of course there are conflicts of interest.
Sun May 26, 2019, 06:45 PM
May 2019

If you're a top-notch programmer and designer involved in cybersecurity you'll probably be doing this for a living.

That means industry. Which, of course, means bias: Industries tend to be pro- or anti-Trump. Look at Google, Microsoft, Apple. Etc.

Or the computer folk are connected to government. Not necessarily (just) the US government.

Or they're connected to both, since governments tend to be tied in with cybersecurity. Go figure.

And if you're connected with either in ways that involve cybersecurity, you're going to be tied in somehow with intelligence, government or military (or both). For the same reasons.

There are exceptions. But many of them are hackers. As though hackers have no conflicts of interest.

How you evaluate conflicts of interests itself has conflicts of interests. But open-source is like peer review. It may not be great, but it's better than nothing.

At the same time, notice Yasha Levine's a Russian. (Ooh, big bad russky!) At the same time, he's apparently a satirist, and not in Putin's pocket. Unless that's what he *wants* us to think, so he can have cover as being "on the side of the ark (sic) of history" while undermining something that might inconvenience or hobble his masters.

Ah, it's complicated trying to discern all the possible conflicts of interests and tangled webs that we don't see.
