Ludicrous amounts of money are paid by the government to a selected niche of companies for developing all kinds of useless websites which barely work under load and have abysmal implementations with blatant security holes. This law can act as a safeguard against such "epic failures", so that the taxpayers can be aware of what they are actually paying for. 300k euros for a static website? Let's hope it's over.
Anything that requires working with a hard-to-work-with organization is “expensive” in one way or another. You need to sell them the project, which could take months or years. You need to figure out what they need, which will be difficult and you’ll be wrong because no one knows, never mind articulating it. You’ll be forced to take numerous long cuts to meet unnecessary requirements. There will be iterations, slow progress, long waits for client input, training…
The companies who succeed at this are the ones who are experts in this process. They sell well. They’re good at “managing the process” and winning when a project is 3 years overdue, over budget, the spec is on iteration 46, and no one can remember the original goal.
OTOH, if the government is developing software, why shouldn’t it be open source? At the least, it's good transparency.
The Bulgarian government is unable to undertake a surveillance project of any substantial scale simply because it lacks the technological expertise.
I mean, wow.
By none other than CGI, HQ'd down the street from me in Montreal?
Governments and Big Corps have quite an ability to spend money :). Understand that it's a game of distribution of power - not outcomes, and you understand it a little bit better :).
Exceptionalism and efficiency are for small companies and startups, for the most part.
I wrote more details on this on HN at the time, ask and I'll dig some up.
An 'unfamiliar database' does not begin to cover it.
Neither do 'last minute changes'.
It was a boondoggle from the start, failure in gov, failure in planning etc., failure to understand what they are doing.
Google Engineers had to come in and fix it.
An unfamiliar database paradigm. If it was some random RDBMS there wouldn't have been a huge problem there.
You ignored the constantly late transmission of requirements, and I can't believe you're saying that a fundamental re-engineering of the way the site worked 2 or less weeks before launch should be trivialized. How are you even going to test that, when you don't really have the time to implement it well?
IBM, Accenture, a couple of others.
CGI is maybe the biggest 'go to' shop for this stuff. They have zillions of developers ready to go, and a deeply entrenched lobbyist/salesforce.
It's not as though the US Gov could just go to some little startup. Even though they probably should have - big governments and companies don't understand innovation and how these things work.
They see it like building 12 football stadiums - how could a small team do it? They need massive industries, tons of experts, lawyers, business analysts! :)
These things are hard.
People are already raising a stink they're spending too much money for subpar work, and nothing has changed. Having the code has exactly 0 effect on either of those two issues. Even if a concerned citizen FIXED the code, the odds of the politicians refusing to accept the fixes "for the security of their infrastructure" is upwards of 5-9s. Why on earth would they take those fixes when they're beholden to the people they're already overpaying for the work who likely donate large sums of money to their political campaigns?
These politicians probably know nothing about the software they are receiving. 300k for a static site? Good deal! By making the sites open source, it allows groups that wouldn't be reviewing the code / bids to do so and then validate the work.
For a US example, the TSA has that iPad application which is essentially a PRNG. Or is it? There is speculation that it might be much more than that, but no one can know without seeing the source code. If we could see the source code, we would know for sure and could verify if this project was really worth hundreds of thousands of taxpayer dollars.
That is actually not that bad considering the fact that to sell to the government usually requires going through a lengthy bureaucratic process that involves metric tons of meetings, paperwork, constant back-and-forth, changes and revisions, guarantees, insurance, etc, that costs the seller easily north of 100k+ just to get started.
Meaning the cost is not in the product nor service, it is rather in the process.
"Ronaldson refused to table any documents relating to the case, stating that publishing the source code could lead to the EasyCount software being hacked. "In relation to the source code for the Senate counting system, I am advised that publication of the software could leave the voting system open to hacking or manipulation," he said. "In addition, I am advised that the AEC classifies the relevant software as commercial-in-confidence as it also underpins the industrial and fee-for-service election counting systems."" 
Australia's federal senate vote count software is a Visual Basic application. It was developed when an upgrade to Windows 2000 broke the previous COBOL application. 
Where they are wrong is in the assumption that keeping the source closed makes them safe from an attack.
However I do suspect that they engineered the VB application terribly. But them using VB should not automatically disqualify them from writing good code.
We have hundreds of years of experience learning how to secure paper ballots. Complexity creates attack surface, and usually fails to provide all of the security features provided by a simple paper ballot that is hand counted in view of all parties.
And even if such a verification is impossible, I don't think we should reject incremental improvements just because the result is not yet perfect.
- A ridiculous example of "electronic voting" is presented - voters download ballot papers, fill them, then email or fax them back. This obviously sucks in multiple ways. Therefore, all kinds of "electronic voting" must be broken.
- Physical voting is very old, therefore it must have become solid and tamper-proof by now. This is not true. Physical voting is vulnerable to all kinds of manipulations, and they do happen on large scales.
The wrong claims continue forward. Just because that dude sounds smart doesn't mean his clip has any value.
The guy explicitly says physical voting can be compromised easily too, but it requires many more people and it will exhibit patterns such as location stats, violence or outbursts of whistleblowers, and it is more or less contained unless the whole country is in on it, in which case - good for them anyway. While with e-voting, you could technically be a very small group of people and you can model your fake results to be statistically plausible much better, with no patterns.
Even the simplest verifiable voting system is so complicated that normal people will be confused about how to use it and take advantage of it.
When people talk about electronic voting, typically this means the US-type of voting. And when someone talks about verifiable electronic voting, then they should start by making it clear that this is orders of magnitude more ambitious, it hasn't been deployed anywhere and Bulgaria will be the first country in the world to do it. This is a project of historical scale including the known practical difficulties with the current methods. It should not be advertised like a proven system working in EU and US like it is now. And like I said even if Bulgaria really adopts any sort of verifiable voting there will be so many confused people due to the nature of the process it will skew the results.
Finally, again as the video explains, paper vote counting may not be perfect, but it does require more people to be involved in the fraud. This is a very important point. Results are available per area and each party makes sure the sum makes sense at least from a small sample.
The election counting software is as open as it can be, without having open source. There is a clear specification that is published online on the actual mechanics of the voting process (e.g. how votes are translated into representatives). Records detailing the actual paper vote tallies, signed off by regional vote organizers and managers, are accessible in electronic and paper format. The committee handling the voting process encourages independent verification of the software's calculations.
It's far more likely (and often documented by journalists) that a party would commit voting fraud by purchasing votes or bribing vote organizers, rather than hacking the election software.
I've been thinking that way for a long time, nice to see I'm not alone. Let's hope other jurisdictions follow suit.
Open source XKeyscore, yay!
Yeah, this is very well said. Most laws in Bulgaria are either not enforced or "avoidable" :)
In my ideal fantasy world, at some point other countries might have a look at one of the open source projects of Bulgaria and collaborate when the goals align closely.
They have public standards for government websites, server HTTPS configs, website user interfaces, etc. On GitHub!
In any case it is good. Future procurements will show how well the law is applied.
I'm not saying that using OSS is a bad thing. I don't, however, think that 'OSS only' is the solution to the problem at hand.
When they canceled the project, apparently they ended up hiring my employer anyway.
edit: A new government agency is tasked with enforcing the law
Ah, I see now.
Bulgaria is not free of problems (see the corruption perceptions index) but it's also far from doomed.
(Even if you're a member of that group—as is often the case with outbursts this vehement, which come not from prejudice but more complex and intense emotions. We get that. But you still can't post like this here.)
Mind you, it's not the country itself that I dislike. I used to love that country, and somewhere deep inside I probably still do, or else I wouldn't care enough to say these things.