
Source code of Polish electoral voting system? - tartle
https://github.com/wybory2014/Kalkulator1/blob/master/Kalkulator1/ClassMd5.cs
======
q3k
The sourcecode wasn't leaked - an internal website (with the software, written
in C#) [1] was leaked, and then the program was decompiled and pushed to GH.

EDIT: The website leak itself is actually pretty old news, but the
decompilation and public shaming of the code itself is relatively new.
“Zaufana Trzecia Strona” has more information [2] about the leak itself (in
Polish).

[1] - [http://zapasdlakbw.home.pl/kalkulator-wyborczy/kalkulator/](http://zapasdlakbw.home.pl/kalkulator-wyborczy/kalkulator/)

[2] - [http://zaufanatrzeciastrona.pl/post/wersja-testowa-systemu-p...](http://zaufanatrzeciastrona.pl/post/wersja-testowa-systemu-pkw-dostepna-publicznie-w-trybie-debug/)

~~~
orian
Aren't you talking about backend? The code on github is a client used by a
polling place and it was publicly available (this is how they've distributed
it).

------
hdabrows
Summary of the more interesting comments here[1]:

- the ITT (invitation to tender) had 26 pages
- questions from the contractors were answered with "this information is not
  required to define the price/scope of the feature but it has to be
  implemented anyway"
- huge scope (9 modules) + training + administering the system
- everything has to be finished in 1.5-2.5 months from when the results of the
  tender are published

It seems that only a single company has entered the auction for the tender
because everyone else could see that the project was destined for failure. The
company also allegedly employs three people and pays its programmers around
2000 zł/month (which is very low even by Polish standards).

[1] - [http://www.poselska.nazwa.pl/wieczorna2/media/system-pkw-do-...](http://www.poselska.nazwa.pl/wieczorna2/media/system-pkw-do-zliczania-wynikow-wyborow-byl-modyfikowany-w-trakcie-ich-zliczania)

------
Kociub
Just to make it clear to everybody, this is not an electronic voting system.
This is only a set of applications to accelerate vote counting before the
official results. All of the votes must be counted and submitted the
"old-fashioned way". You couldn't mess with the actual results by hacking this
"appkenstein".

------
A1kmm
[https://github.com/wybory2014/Kalkulator1/blob/master/Kalkul...](https://github.com/wybory2014/Kalkulator1/blob/master/Kalkulator1/Connection.cs)
- if you can't connect to
[https://syswyb.kbw.gov.pl/](https://syswyb.kbw.gov.pl/), try an unencrypted
connection to [http://klk.kbw.gov.pl/](http://klk.kbw.gov.pl/).

It also looks like (unless I am missing something) 'licenses' (signatures of
authorised officials as far as I can tell) are checked for common name /
organisational unit, but there is no check that the certificate trust chain is
anchored on a trusted certificate.
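
Added example, not part of the comment above and not taken from Kalkulator1: the gap A1kmm describes (subject fields checked, trust chain not), shown with the `openssl` CLI rather than the project's C#. All subjects, file names and the two helper functions `subject_only` and `subject_and_chain` are constructed for illustration.

```shell
#!/bin/sh
# Added example: every name, subject and path below is constructed.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
cat > "$W/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
SUBJ="/OU=Constructed Commission 0001/CN=Constructed Official"
WANT="CN=Constructed Official,OU=Constructed Commission 0001"

# The one root the verifier is configured to trust.
openssl req -x509 -newkey rsa:2048 -nodes -config "$W/req.cnf" -days 2 \
  -subj "/CN=Constructed Trusted Root" \
  -keyout "$W/root.key" -out "$W/root.pem" 2>/dev/null

# A licence certificate issued by that root.
openssl req -new -newkey rsa:2048 -nodes -config "$W/req.cnf" -subj "$SUBJ" \
  -keyout "$W/issued.key" -out "$W/issued.csr" 2>/dev/null
openssl x509 -req -in "$W/issued.csr" -CA "$W/root.pem" -CAkey "$W/root.key" \
  -CAcreateserial -days 1 -out "$W/issued.pem" 2>/dev/null

# Same subject fields, but self-signed: no trusted party vouches for it.
openssl req -x509 -newkey rsa:2048 -nodes -config "$W/req.cnf" -days 1 \
  -subj "$SUBJ" -keyout "$W/unanchored.key" -out "$W/unanchored.pem" 2>/dev/null

# Check as described in the comment: compare CN / OU only.
subject_only() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -qF "$WANT"
}

# Hardened check: the subject must match AND the chain must end at root.pem.
subject_and_chain() {
  subject_only "$1" &&
    openssl verify -CAfile "$W/root.pem" "$1" >/dev/null 2>&1
}

for c in issued unanchored; do
  subject_only "$W/$c.pem" && a=accept || a=reject
  subject_and_chain "$W/$c.pem" && b=accept || b=reject
  echo "$c: subject-only=$a subject+chain=$b"
done
```

The subject-only check cannot tell the two certificates apart; only the chain-anchored check separates them.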

~~~
dgregd
[https://github.com/wybory2014/Kalkulator1/blob/master/Kalkul...](https://github.com/wybory2014/Kalkulator1/blob/master/Kalkulator1/Certificate.cs#L257)
Is this correct generation of salt? It looks like someone just c&p an example
from
[http://www.cprogramdevelop.com/1263984/](http://www.cprogramdevelop.com/1263984/)

------
gaius
Is the definition of a secure system, that it is still secure even if you have
the source code?

~~~
coyotebush
By Kerckhoffs's principle, yes.
[https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle](https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle)

------
tartle
Context: State Electoral Commission declared a computer glitch is delaying the
vote count. The problem persists, and election results are not yet available.

------
fleitz
Leaked? Is the source code not public anyway? I mean generally you'd want to
know what method they are using to count votes.

~~~
cryptoz
Tens of millions of US voters use closed-source voting machines during our
elections. The companies who make the machines are generally a little too
friendly with the Republican party (Diebold, Premier Election Systems, or
whatever they recently changed their name to).

I'm shocked at how few people care that so many votes are "counted" through
Republican-friendly voting computers.

~~~
lukifer
Funny, I googled "programmer testifies..." and the first autocomplete was
"...about rigging elections":
[https://www.youtube.com/watch?v=tjvtSquZkhs](https://www.youtube.com/watch?v=tjvtSquZkhs)

Journalist Greg Palast also has evidence of electronic voter in Ohio in 2004.
(Disclaimer: I have not delved deep on his claims, but the mere fact of their
plausibility is deeply concerning.)

[http://www.gregpalast.com/how-they-stole-
ohio/](http://www.gregpalast.com/how-they-stole-ohio/)

------
desdiv
Here's a Google Translate of the README.md file:

 _Based on a cursory analysis of the executable file and application
development can be concluded that the performance of the Election Calculator
entrusted single Studénka, probably working for external contractors. Ms.
Agnieszka, I really sympathize, we are with you!_

 _Poland is a country in which the fate of thousands of members of the
committee rests on the shoulders of the novice programmer._

~~~
striking
A "more English" translation could read:

 _Based on a cursory analysis of the executable and application development,
it's clear that the act of writing the Election Calculator was entrusted to a
single (female) student, who was probably working for external contractors.
Ms. Agnieszka, we really sympathize, we are with you!

Poland is a country in which the fate of thousands of committee members rests
on the shoulders of a novice (female) programmer._

~~~
q3k
The fact that the programmer is female is mentioned implicitly - the female
version of the “programmer” pronoun is used, the fact is not really stated
anywhere.

So it should not be taken as „the shoulders of a novice, female programmer”
(in which the fact that she is female is stated explicitly and could be used
to further put down the person's programming abilities) but as „the shoulders
of a novice programmer”.

~~~
klausa
Uhm, no, it is not.

Did you miss the "Pani Agnieszko, naprawdę współczujemy, jesteśmy z
panią!"("Ms. Agnes, we're really sorry too, we're here for you")(that's a
terrible translation, but oh well) part? There's absolutely no ambiguity here.

~~~
q3k
I meant the “(female)” remarks in the grand-grandparent post.

~~~
jpcosta
There is no way to avoid that in the Polish language, as someone else pointed
out already. Nouns and sometimes even verbs or adjectives have gender, and you
need to use either the male form or female form according to the situation.

~~~
nemetroid
Right, but a translation to English should not include "(female)" unless it's
essential information, which it isn't here.

------
Kiro
> And, decompiled or not; this is not the result of proper C#- or for that
> matter any modern language- coding:

> r = r + "<code>" + this.hardErrors[i] + "</code>";

What's wrong with this?

~~~
nitrogen
Assuming that _r_ contains XML and _this.hardErrors[i]_ is already escaped for
XML safety, that is probably what you'd expect to see a code-generated XML
generator doing, as well as hand-generated XML (if generating text directly
and not an intermediate abstract representation of the XML).

------
ndz
In few words - whole Polish voting system is dead now and the votes are
counted by the people. What is more interesting: in the tender for the
software started one company and of course won it - random case? I don't think
so.. greets from Poland:)

~~~
pawelk
I like to believe it was the only company crazy (or inexperienced) enough to
participate in a project of this scale on such a short notice. Which would be
a sign of maturity of the Polish IT sector.

------
stogi
I'm still amazed that in the century of the Internet people still write stuff
like that as a desktop app. Not to mention it was waaaaaay too late to do it in
the first place (they picked the company to implement it in August 2014).

------
dang
Can anyone who knows about this recommend an accurate and neutral title for
the post?

------
grn
The government messed up the public procurement. They wanted to have the
system done in a very short time (one month?). Only one company submitted an
offer.

~~~
ndz
LOL, really believe that? Sorry but IMO it was set - app costs was around $120k
so..

------
jakozaur
Likely a fake. The company which wrote the system is recruiting just PHP
developers, while this is written in C#.

Of course this is all speculation. It may be true and someone reconstructed the
original version by decompiling it. e.g.:
[https://github.com/wybory2014/Kalkulator1/commit/cdff9cb67b8...](https://github.com/wybory2014/Kalkulator1/commit/cdff9cb67b8d75a080ff098c4acc23b330322c58)

~~~
abalkan_msft
Electoral voting system written in PHP. Sounds like a good idea.

~~~
sarciszewski
Why not? WordPress runs 23% of the Internet. (WordPress is written in PHP of
course.)

~~~
wdewind
WordPress (and PHP) are not _bad_ things. They are things that have been
designed for very specific purposes, and they actually excel at those things.
Both are _extremely_ easy to get up and running. They can run practically
anywhere etc.

There are entire languages written with the design goal being security. It's
not a matter of whether or not something is a capable tool (ie: runs 23% of
the internet), it's whether or not it's the right tool for the job. PHP
clearly isn't.

~~~
MAGZine
I don't think an application written in PHP makes it inherently insecure.
Maybe if you're talking about some 2004-style PHP with magicquotes and
register globals enabled, but not in 2014 with a modern stack/framework. You
could write a shitty ruby app just as easily as you can write a shitty php
app.

~~~
wdewind
Writing your code in PHP, no matter how good of a programmer you are, makes it
more likely that your natural level of mistakes will insert security issues
into the code, especially when compared to a language with even basic features
like static typing. I'm not saying this as some idiot who thinks PHP is
bullshit and for noobs, I've worked on pretty large sites using PHP and I have
a pretty deep understanding of it.

Everyone likes to say security is mission critical, but for the vast majority
of people it really isn't. And for those people the development speed
advantage, massive developer market, libraries etc. you get working in Ruby or
PHP are well worth it.

Everything is tradeoffs, and it seems to me that in writing voting software
deployability, development speed etc., are not nearly as mission critical as
security.

~~~
sarciszewski
> Writing your code in PHP, no matter how good of a programmer you are, makes
> it more likely that your natural level of mistakes will insert security
> issues into the code

While I'm inclined to agree, this is a self-defeating premise. If you're "so
good" of a programmer that you do not make security affecting mistakes (i.e.
one of only a handful of PHP programmers I've met), then the probability of
inserting "security issues" into your code is still zero, regardless of
language.

> I'm not saying this as some idiot who thinks PHP is bullshit and for noobs,
> I've worked on pretty large sites using PHP and I have a pretty deep
> understanding of it.

Good. :)

~~~
wdewind
I don't understand your reply. No one is good enough to write code without
bugs.

~~~
sarciszewski
> No one is good enough to write code without bugs.

This is congruent to saying, "Whitelists don't exist. Everyone implements
poorly scoped black-lists."

~~~
wdewind
I literally have no idea what you mean by this. Are you trying to imply there
are people who write bug free code? If so please point me in their direction.

People make mistakes. Systems should be designed for this expectation. If
mistakes are extremely costly it implies you should use certain tools and
development methodologies, if not you can use others.

~~~
sarciszewski
Code that is bug-free and code that is free of security-affecting bugs are not
the same thing.

For an example of an application that is currently free of application-layer
security bugs, see my blog. It's not a CMS, I wrote it myself. Go ahead and
try to hack it. :P

~~~
wdewind
I feel like you're arguing against a strawman that I don't think secure
applications can be written in PHP. I don't think that.

Edit: put another way: if you are starting from scratch and your main focus is
security, why _would_ you use PHP?

~~~
sarciszewski
Familiarity. I know its quirks inside out and therefore know which mistakes
not to do. If you point me to Python and say "build a secure web app," I'm
going to need to spend a lot of time researching.

------
Reef
Haven't we all frowned upon picking on females in tech industry just
yesterday?! It is NOT okay to wildly imply that the author of this code is of
certain age and gender.

EDIT: it was shown by the comment below that it was actually written by
someone with a popular Polish female name. I was shaken by the article
yesterday and thus oversensitive. Sorry about that.

~~~
q3k
Well, the implications are pretty well founded:

- the binary has strings like
`C:\Users\Agnieszka\...\Visual Studio 2013\Projects\Kalkulator1`.
Agnieszka is a female Polish name -> the
programmer is female. Although nobody really is using this as a discussion
point anywhere, but hey, the fact is there if it's interesting to you.

- the code logic and layout is pretty convoluted and looks duct taped
together, even considering it's decompiled from binary form -> the author is
probably young and inexperienced, and/or this was extremely rushed.

Also, I'm not really sure where anyone is “picking on females” here.

~~~
readerrrr
I don't know, I wouldn't judge a decompiled code.

Can you give a few examples of why it is so bad?

~~~
q3k
Keep in mind this is decompiled from IL, so the class/method/object mapping
and naming remains from the original binary.

Here are a few, in my opinion, ugly examples:

[https://github.com/wybory2014/Kalkulator1/blob/master/Kalkul...](https://github.com/wybory2014/Kalkulator1/blob/master/Kalkulator1/GetKlk.cs#L486)
and
[https://github.com/wybory2014/Kalkulator1/blob/master/Kalkul...](https://github.com/wybory2014/Kalkulator1/blob/master/Kalkulator1/GetKlk.cs#L152)
and a few more instances of basically the same logic, copy-pasted (correct me
if this might have been optimized from source code, as I'm a reverse engineer
and not a C# programmer - but I'm pretty sure it's not)

[https://github.com/wybory2014/Kalkulator1/blob/master/Kalkul...](https://github.com/wybory2014/Kalkulator1/blob/master/Kalkulator1/GetKlk.cs#L152-467)

[https://github.com/wybory2014/Kalkulator1/blob/master/Kalkul...](https://github.com/wybory2014/Kalkulator1/blob/master/Kalkulator1/Commit.cs#L85-124)

[https://github.com/wybory2014/Kalkulator1/blob/master/Kalkul...](https://github.com/wybory2014/Kalkulator1/blob/master/Kalkulator1/codeBar.cs#L24-115)

[https://github.com/wybory2014/Kalkulator1/blob/master/Kalkul...](https://github.com/wybory2014/Kalkulator1/blob/master/Kalkulator1/printProtocol.cs#L407-442)
and string-based HTML generation in general. Oh, and this method in general.
It doesn't even fit on my screen without scrolling to the right.

I'm not saying it's a goldmine of DailyWTF-worth content - but it's still
pretty bad. In general, it doesn't really follow any MVC-separation, the
naming is arbitrary at best (and dictated by the IDE at worst - Kalkulator1,
anyone?), and DRY principles are vastly ignored.

