HomeLatest ThreadsGreatest ThreadsForums & GroupsMy SubscriptionsMy Posts
DU Home » Latest Threads » Forums & Groups » Main » General Discussion (Forum) » Microsoft's ElectionGuard...

Sun May 26, 2019, 04:44 PM

Microsoft's ElectionGuard a Trojan Horse for a Military-Industrial Takeover of US Elections

https://www.mintpressnews.com/microsoft-electionguard-a-trojan-horse-for-a-military-industrial-takeover-of-us-elections/258732/

May 24th, 2019 By Whitney Webb Whitney Webb @_whitneywebb

Earlier this month, tech giant Microsoft announced its solution to “protect” American elections from interference, which it has named “ElectionGuard.” The election technology is already set to be adopted by half of voting machine manufacturers and some state governments for the 2020 general election. Though it has been heavily promoted by the mainstream media in recent weeks, none of those reports have disclosed that ElectionGuard has several glaring conflicts of interest that greatly undermine its claim aimed at protecting U.S. democracy.

In this investigation, MintPress will reveal how ElectionGuard was developed by companies with deep ties to the U.S. defense and intelligence communities and Israeli military intelligence, as well as the fact that it is far from clear that the technology would prevent foreign or domestic interference with, or the manipulation of, vote totals or other aspects of American election systems.
SNIP
However, investigative journalist Yasha Levine likened Microsoft’s promotion of ElectionGuard’s still unreleased open source code to a “PR move.” Levine told MintPress:

Open source inevitably has bugs and vulnerabilities that are there accidentally because all code has vulnerabilities. This is true for open source and closed source systems. Open source just means that people can look at it, but then that code has to be run through a compiler that actually runs an executable program. So there you already have a degree of abstraction and separation from the open source code. But even if the executable code and the source code are the same, there are bugs which can be exploited.

So, what open source does is give a veneer of openness that leads one to think that thousands of people have probably vetted the code and flagged any bugs in it. But, actually very few people have the time and the ability to look at this code. So this idea that open source code is more transparent isn’t really true because few people are looking at it.”


SNIP

12 replies, 1470 views

Reply to this thread

Back to top Alert abuse

Always highlight: 10 newest replies | Replies posted after I mark a forum
Replies to this discussion thread

Response to diva77 (Original post)

Sun May 26, 2019, 04:55 PM

1. The attack on open source is nonsense.

The point is that open source code *can* be reviewed, compiled, and tested by anyone. Closed source code is only subject to analysis by the owners and their agents.

An open system doesn’t guarantee no bugs or exploit vulnerabilities, but it certainly is a step up from closed systems.

Reply to this post

Back to top Alert abuse Link here Permalink


Response to Voltaire2 (Reply #1)

Sun May 26, 2019, 05:48 PM

3. No shit. Plus, think of the...

feather-in-the-cap of someone that discovered a flaw and was able to get it fixed.

My bet is that thousands of people would be poring over that code line by line to discover any flaws they could, even typos in the comments/documentation.

And don't get me started on the ridiculous idea that there is some kind of uber-coding skills needed to essentially "add one to cell D5...now add 1 to cell F7...etc etc ".

Reply to this post

Back to top Alert abuse Link here Permalink


Response to ret5hd (Reply #3)

Sun May 26, 2019, 10:51 PM

4. +1 Well said!

 

thousands of people would be poring over that code line by line to discover any flaws they could


Computer geeks are going to have a field day. They live for this stuff.
This is the DU member formerly known as earthshine.

Reply to this post

Back to top Alert abuse Link here Permalink


Response to Voltaire2 (Reply #1)

Mon May 27, 2019, 12:20 AM

5. good luck getting access to any of the voting machines or tabulators to inspect the code --

whatever code is supposed to be in the machines may not be what's actually there -- whether proprietary or open source

Reply to this post

Back to top Alert abuse Link here Permalink


Response to diva77 (Reply #5)

Mon May 27, 2019, 07:48 AM

6. Well if the vendor is claiming that its

software is open source and is lying that would be fraud. For closed systems obviously there is no access.

The point is that an audit able open source election system is a good idea, not a bad idea, as the cited article seems to claim.

Reply to this post

Back to top Alert abuse Link here Permalink


Response to Voltaire2 (Reply #6)

Mon May 27, 2019, 02:33 PM

8. Where in the article did it state that an auditable open source election system is a good idea?

My take is that the article makes the case for removing computers from the voting process altogether -- that computerized voting is nontransparent and any added cybersecurity adds too much complexity and vulnerability to the process.

Reply to this post

Back to top Alert abuse Link here Permalink


Response to Voltaire2 (Reply #1)

Mon May 27, 2019, 09:15 AM

7. That's a Myth--Open-Source is the most vulnerable Code Base, infiltrated by Hackers & Nation States

.

Everyone keeps perpetuating the myth that people are reviewing open-source software and making it more secure.

The truth is that the only people reviewing open-source are college academia, hackers and nation state actors. The development communities are infiltrated by hackers who inject code to weaken the code and install access points. Many of the vulnerabilities are kept quashed so allow intrusion. One of the least secure offerings is Spring, which most banks rely on to develop code. Open-source presents the source, instead of trying to disassemble code, which most private ISVs use their own compiler variants to make decryption more difficult. Folks using open-source, often use standard compilers which makes hacking easy for the rest of their code.


Organizations continue to face challenges with managing open source risk, according to a new report published today by published today by Synopsys Cybersecurity Research Center (CyRC).

The annual Open Source Security and Risk Analysis (OSSRA) Report, analyzed the anonymized data of over 1,200 commercial codebases from 2018 and found that 96% contained open source components, with an average of 298 open source components per codebase. The results reflect an increase from the number of codebases in 2017, which was only 257.

In addition, 2018 yielded more open source vulnerabilities disclosed than in years past, with a notable list of more than 16,500 vulnerabilities reported on the National Vulnerability Database (NVD).

While more than 40% of codebases contained at least one high-risk open source vulnerability, the report noted that the use of open source software is not a problem in and of itself. Rather, failing to identify and manage the security and license risk associated with the open source components your organization uses can lead to significant negative business impacts and damage to your brand.

https://www.infosecurity-magazine.com/news/not-managing-open-source-opens-1/



Download the Synopsis report for more information.

.

Reply to this post

Back to top Alert abuse Link here Permalink


Response to TheBlackAdder (Reply #7)

Mon May 27, 2019, 02:34 PM

9. +1,000 Thank you for this info.

Reply to this post

Back to top Alert abuse Link here Permalink


Response to diva77 (Reply #9)

Mon May 27, 2019, 05:52 PM

10. Here are a few reports, including one stating there are over a million unregistered vulnerabilities.

.

This year's report, in the aforementioned article.

"You probably have unpatched open source vulnerabilities in your code

But you’re not alone. Of the applications audited in 2018, 60% had vulnerabilities—and while that’s concerning, it’s a marked improvement from 78% in 2017."

"A substantial amount of open source is being used illegally

As shown in the report, the 20 most popular licenses cover about 98% of the open source in use. What about the 2,480+ other licenses? Plus, even if open source components have no identifiable license terms, you’re not off the potential litigation hook. Black Duck Audits found that 75% of companies had codebases with unknown licenses. In general, the absence of a license means no one can use, modify, or share the software without the explicit permission of its creators. This is because creative work (which includes code) is under exclusive copyright by default."

https://www.synopsys.com/software-integrity/resources/analyst-reports/2019-open-source-security-risk-analysis.html?utm_term=blog



Last year's report:

https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/2018-ossra.pdf


====


Here's Sonatype's Analysis from 2018, it will scare the shit out of you! The report requires registering.



Managed software supply chains are 2X more efficient and 2X more secure
Automated OSS security practices reduce the presence of vulnerabilities by 50%
DevOps teams are 90% more likely to comply with open source governance when security policies are automated

The window to respond to vulnerabilities is shrinking rapidly
Over the past decade, the meantime to exploit security vulnerabilities in the wild has compressed 400%, going from an average of 45 days to just 3

Hackers are beginning to assault software supply chains
Over the last 18 months, a series of no less than 11 events triangulate a serious escalation of attacks on software supply chains
These assaults, which include hackers injecting vulnerabilities directly into open source releases, represent a new front in the battle to secure software applications

Industry lacks meaningful open source controls
1.3 million vulnerabilities in OSS components do not have a corresponding CVE advisory in the public NVD database
62% of organizations admitted to not having meaningful controls over what OSS components are used in their applications


https://www.marketwatch.com/press-release/sonatypes-2018-state-of-the-software-supply-chain-report-reveals-use-of-vulnerable-open-source-increased-120-despite-equifax-breach-2018-09-25



https://www.theregister.co.uk/2018/09/25/open_source_security/

Just search: SONATYPE OPEN SOURCE SECURITY




.

Reply to this post

Back to top Alert abuse Link here Permalink


Response to TheBlackAdder (Reply #10)

Mon May 27, 2019, 08:04 PM

11. Yep, you scared the S*** out o' me, alright. LA County is spending nearly $300,000,000

Last edited Tue May 28, 2019, 12:09 AM - Edit history (3)

to switch from hand marked paper ballots to BMDs with open source code just in time for 2020. They are going to DECERTIFY hand marked paper ballots. Above & beyond scam...



I think of all the dilapidated schools in LA County, the 55,000+ homeless, underpaid teachers ---- and somehow, the Board of Supes thinks we want nontransparent voting machines with bells & whistles that print out bar coded 100% nonverifiable "ballots"???? 31,000 fancy "voting" machines for $300,000,000 -- that comes out to be about $10,000 per voting booth -- compare that to the cost of a paper ballot with a table with a 3 sided attachment to add privacy, no software or hardware or insurance or techies required. We've got the equivalent of the $1000 toilet seat lid on steroids coming to LA County.



Reply to this post

Back to top Alert abuse Link here Permalink


Response to Voltaire2 (Reply #1)

Mon May 27, 2019, 11:22 PM

12. The problem with open source & election code

is that the code that runs the machines cannot be changed until review of the proposed changes is completed. That process takes a long time (~1 year). So the machines will be vulnerable to published potential exploits for a year or so and the boards of election can do nothing to block the exploits.

There are no good solutions - but at least the closed source code is not subject to publication of potential exploit which cannot, by law, be fixed prior to a full review.

Reply to this post

Back to top Alert abuse Link here Permalink


Response to diva77 (Original post)

Sun May 26, 2019, 05:45 PM

2. Of course there are conflicts of interest.

If you're a top-notch programmer and designer involved in cybersecurity you'll probably be doing this for a living.

That means industry. Which, of course, means bias: Industries tend to be pro- or anti-Trump. Look at Google, Microsoft, Apple. Etc.

Or the computer folk are connected to government. Not necessarily (just) the US government.

Or they're connected to both, since governments tend to be tied in with cybersecurity. Go figure.

And if you're connected with either in ways that involve cybersecurity, you're going to be tied in somehow with intelligence, government or military (or both). For the same reasons.

There are exceptions. But many of them are hackers. As though hackers have no conflicts of interest.

How you evaluate conflicts of interests itself has conflicts of interests. But open-source is like peer review. It may not be great, but it's better than nothing.

At the same time, notice Yasha Levine's a Russian. (Ooh, big bad russky!) At the same time, he's apparently a satirist, and not in Putin's pocket. Unless that's what he *wants* us to think, so he can have cover as being "on the side of the ark (sic) of history" while undermining something that might inconvenience or hobble his masters.

Ah, it's complicated trying to discern all the possible conflicts of interests and tangled webs that we don't see.

Reply to this post

Back to top Alert abuse Link here Permalink

Reply to this thread