You are viewing a single comment's thread.

view the rest of the comments →

[–] UrCoolerOlderBrother ago 

Am I wrong that by open source/releasing the code to the public, that would assist people that wanted to hack the voting machines in doing so? Like, I think about how whenever an iPhone is released, with extremely proprietary code, some 15 year old is still able to hack it. If that iPhone was open source, wouldn't that make it much easier for that kid to figure out how to hack it? (Because they can see how it all works and where a vulnerability might be?). If I am wrong, if you could please tell me why, id appreciate it.

[–] buckhorn ago  (edited ago)

You are correct that it's easier to discover existing exploits with access to the source. However, this is a double-edged fact that cuts both ways...

Closed source can slow those with malicious intent but not stop them. If the payoff of a successful hack is high enough, people will undertake the effort. Some might just do it for the intrinsic motivation of solving a puzzle or the lulz. It only takes one person with secret knowledge of a zero-day exploit to do a lot of damage. A group with the resources of a state- level actor arguably wouldn't even be slowed down by closed source.

On the other hand closed source, backed by the threat of legal prosecution is too high of a barrier to entry for honest people that would otherwise pitch in reviewing and improving the code. E.g., some might be curious. Some might be students assigned to read the code as an example of good design. Some might want to understand how to adapt it for use in their chess-club elections. Some might be paid security researchers working for McAfee or Norton who will earn publicity if they write up a blog post detailing their 'responsible disclosure' and recommendations about how to make the code safer. Open source makes it much easier and therefore much more likely that these kinds of people will notice and report exploitable flaws so that exploitation can be prevented.

The alternative is to hope that the few blessed/trusted souls with access to the source will consider every minute detail in every possible context/scenario against every possible creative/novel attack. Sometimes, a few big brains are no match for thousands or millions of brains, especially when the crowd has even bigger brains among it's numbers. You also have to trust that the high priests haven't been tempted to intentionally leave backdoors that they can exploit for themselves or those who've bribed or threatened them.

I already mentioned it but the quip is, "many eyes make all bugs shallow". This includes security bugs.

[–] captnemo ago  (edited ago)

Potentially but those exploits will have more eyes on them so more potential for fixes. closed source with suspect results and no chance for public to investigate is clearly worse