Re: readable source code [Re: OVC-discuss Digest, Vol 37, Issue 10]

From: Fred McLain <mclain_at_zipcon_dot_net>
Date: Sun Nov 04 2007 - 16:39:27 CST

On Nov 4, 2007, at 1:13 PM, Hamilton Richards wrote:
>>
>> As it turns out, I can read that code.
>
> No doubt you can, Fred, but the issue was whether it could be read by
> a significant fraction of the voting public. And the real issue is
> not how many people can read it, but how many could reason about it,
> well enough to construct a sound argument that it's correct.

As this exercise has made apparent, if the code is open at least
*someone* can read it and put forward a learned opinion as to its
security.

> Fred, could you do that? I've spent quite a few years studying formal
> methods, and have a fair amount of practice in proving programs
> correct, but that chunk of Java would stymie me completely. For one
> thing, I have no idea what axioms I would be starting with. For
> another, I have no clue about what I should be trying to prove.

As it turns out, I have been exposed to formal methods over the last
couple years in my current gig. Admittedly, I am not leading up that
portion of the project (I focus more on tooling and design). I
strongly approve of applying them, and in fact am in favor of
requiring a formal security analysis for voting software. We need a
protection profile for voting systems. The one question I have left
is if a NIST Common Criteria level 3 would be sufficient. Perhaps it
is a good start and a more stringent evaluation could follow on
later. Until we have the protection profile we do not have a means by
which to evaluate the security of these systems.

>
>
> So I ask all of my fellow proponents of open-source election
> software: What would you do with it if you had it? Would you be able
> to construct such a convincing argument for its correctness that
> ballot printers could be dispensed with?

Please, no DREs. The process of ensuring election integrity is tough
enough without DREs.
>
>
> If so, let's see an example of such a correctness argument.
>
>
>
> + + +
>
> Because some readers of this list may misinterpret what I've just
> written as an attack on open source, let me reiterate that I am
> entirely in favor of making election software open-source. What I
> don't accept is the purported connection between open source and
> security, correctness, and validity.
>
> I agree fully with this statement:
>
> "But every computer security expert says that you can't
> make a system secure by hiding your code."
>
> But it's equally true that you can't make a system secure by opening
> its code.
>
>> [...]
>>
>> By the way, commenting the code is a good idea.
>
> That's the conventional wisdom, but it's hardly unchallenged. The
> argument against commenting code is that the comments tell the reader
> what the author intended, which is not necessarily what the author
> achieved.
>
> --Ham
>
>>
>> -Fred-
>>
>> On Nov 2, 2007, at 3:06 PM, Danny Swarzman wrote:
>>
>>> I promise you that code will not appear in any system running in an
>>> election. We recognize the problem. We are working on a new product.
>>> It will reflect a fanatic devotion to legibility.
>>>
>>> -Danny Swarzman, VP Software Engineering, OVS
>>>
>>> On Nov 2, 2007, at 2:45 PM, Hamilton Richards wrote:
>>>
>>>> At 10:45 AM -0700 2007/11/2, ovc-discuss-request@listman.sonic.net
>>>> wrote:
>>>>>
>>>>> Message: 2
>>>>> Date: Fri, 2 Nov 2007 10:45:52 -0700 (PDT)
>>>>> From: "Richard C. Johnson" <dick@iwwco.com>
>>>>> Subject: Re: [OVC-discuss] Representative Holt's OWN WORDS [Re:
>>>>> OVC-discuss Digest, Vol 36, Issue 9]
>>>>> To: Open Voting Consortium discussion list
>>>>> <ovc-discuss@listman.sonic.net>
>>>>> Message-ID: <479430.49366.qm@web408.biz.mail.mud.yahoo.com>
>>>>> Content-Type: text/plain; charset="iso-8859-1"
>>>>>
>>>>> Stuart,
>>>>>
>>>>> Here is some example Open Source code from the OpenScan system.
>>>>> See
>>>>> how difficult you think it would be to figure out. My own
>>>>> thought
>>>>> is that most people could correctly understand what is being coded
>>>>> and could also see that no subroutine doing nasty things was
>>>>> hidden
>>>>> in the code:
>>>>>
>>>>> <EML Id="230" SchemaVersion="5.0">
>>>>> <TransactionId>OK-2007-09-1</TransactionId>
>>>>> <CandidateList>
>>>>> <Election>
>>>>> <ElectionIdentifier Id="Oklahoma 2007" />
>>>>> <Contest>
>>>>> <ContestIdentifier Id="State Governor" />
>>>>> <Candidate>Brad Henry</Candidate>
>>>>> <Candidate>John Wayne</Candidate>
>>>>> <Candidate>Bill Okapi</Candidate>
>>>>> <Candidate>Jane Smith</Candidate>
>>>>> </Contest>
>>>>> </Election>
>>>>> </CandidateList>
>>>>> </EML>
>>>>>
>>>>> ***************************
>>>>>
>>>>> I do believe that there are enough people who could read such code
>>>>> to make such Open Source a reasonable approach to increased
>>>>> transparency of elections. How many people can read the above and
>>>>> understand it? Quite a few, I would think. I admit, Open Source
>>>>> drivers for a scanner are more difficult, but I can read them even
>>>>> if it would be hard for me to write them myself.
>>>>>
>>>>> -- Dick
>>>>>
>>>>
>>>> Sure, many people could read code like that, if by "read" you mean
>>>> "recognize most of the words." But how many people could explain
>>>> how
>>>> one could determine whether that code is correct?
>>>>
>>>> For a more realistic example, spend a minute perusing the Java code
>>>> appended below
>>>> <http://emlvoting.cvs.sourceforge.net/emlvoting/USAballot/src/java/
>>>> action/CountingAction.java?revision=1.1&view=markup>.
>>>> Then give us an estimate of the fraction of the population that
>>>> could
>>>> formulate a coherent argument for its correctness. How many could
>>>> even give a coherent definition of "correctness"?
>>>>
>>>> Thanks,
>>>>
>>>> --Ham
>>>>
>>>>
>>>> public ActionForward execute(ActionMapping actionmapping,
>>>>                              ActionForm actionform,
>>>>                              HttpServletRequest httpservletrequest,
>>>>                              HttpServletResponse httpservletresponse)
>>>>     throws Exception
>>>> {
>>>>     String forwardName = "defaultPage";
>>>>     try {
>>>>
>>
> [...]
>
> --
> ------------------------------------------------------------------
> Hamilton Richards, PhD Department of Computer Sciences
> Senior Lecturer (retired) The University of Texas at Austin
> ham@cs.utexas.edu hrichrds@swbell.net
> http://www.cs.utexas.edu/users/ham/richards
> ------------------------------------------------------------------
> _______________________________________________
> OVC-discuss mailing list
> OVC-discuss@listman.sonic.net
> http://lists.sonic.net/mailman/listinfo/ovc-discuss
> By sending email to the OVC-discuss list, you thereby agree to
> release the content of your posts to the Public Domain--with the
> exception of copyrighted material quoted according to fair use,
> including publicly archiving at http://gnosis.python-hosting.com/voting-project/
>

Instant Messaging (IM) Addresses:
Jabber: mclain@jabber.org
Yahoo: appworx_fred, schemalogic_fred
MSN: appworx_fred@hotmail.com, schemalogic_fred@hotmail.com
AIM: mclain98021
ICQ: 6947005
GTalk (Jabber): mclain98021@gmail.com
Skype: fmclain
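
As an added illustration of the distinction Ham draws between "reading" the EML candidate list and determining whether it is correct (this is example code written for this archive page, not code from the thread, from OpenScan, or from the EML project): the properties a reader would hope hold are written down as executable checks. It assumes the EML 5.0 fragment quoted above as the good input and a constructed malformed variant with a mis-quoted attribute plus a constructed variant with a duplicated candidate.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the EML 5.0 candidate list quoted in the thread.
EML_OK = """<EML Id="230" SchemaVersion="5.0">
<TransactionId>OK-2007-09-1</TransactionId>
<CandidateList>
<Election>
<ElectionIdentifier Id="Oklahoma 2007" />
<Contest>
<ContestIdentifier Id="State Governor" />
<Candidate>Brad Henry</Candidate>
<Candidate>John Wayne</Candidate>
<Candidate>Bill Okapi</Candidate>
<Candidate>Jane Smith</Candidate>
</Contest>
</Election>
</CandidateList>
</EML>"""

# Constructed variants: a mis-quoted attribute (easy for a human reader
# to pass over, rejected by any XML parser) and a duplicated candidate.
EML_BAD_QUOTE = EML_OK.replace('Id="Oklahoma 2007"', 'Id=?Oklahoma 2007"')
EML_DUP = EML_OK.replace("<Candidate>Jane Smith</Candidate>",
                         "<Candidate>Brad Henry</Candidate>")


def check_candidate_list(doc):
    """Return the list of violated properties; an empty list means all hold."""
    problems = []
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        # Nothing further can be argued about a document that does not parse.
        return ["not well-formed XML: %s" % exc]
    if root.tag != "EML" or root.get("SchemaVersion") != "5.0":
        problems.append('root must be <EML SchemaVersion="5.0">')
    if not (root.findtext("TransactionId") or "").strip():
        problems.append("TransactionId missing or empty")
    election_id = root.find(".//ElectionIdentifier")
    if election_id is None or not election_id.get("Id"):
        problems.append("ElectionIdentifier Id missing")
    for contest in root.iter("Contest"):
        cid = contest.find("ContestIdentifier")
        if cid is None or not cid.get("Id"):
            problems.append("Contest without ContestIdentifier Id")
        names = [(c.text or "").strip() for c in contest.findall("Candidate")]
        if not names or any(not n for n in names):
            problems.append("Contest has no candidates or an empty candidate name")
        dups = sorted({n for n in names if names.count(n) > 1})
        if dups:
            problems.append("duplicate candidate(s): %s" % dups)
    return problems
```

Each entry in the returned list names a property that failed, so the argument for the document's correctness is reduced to the list of properties the checker encodes, which is what a reviewer would actually have to defend.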

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Fri Nov 30 23:17:09 2007

This archive was generated by hypermail 2.1.8 : Fri Nov 30 2007 - 23:17:31 CST