Hacker News new | past | comments | ask | show | jobs | submit login
Bulgaria Passes a Law Requiring Open Source (medium.com)
537 points by bozho on July 4, 2016 | hide | past | web | favorite | 86 comments

You wouldn't know the background motivating this decision unless you have been a frustrated user of the nearly non-functional software of Bulgarian state institutions.

Ludicrous amounts of money are paid by the government to a selected niche of companies for developing all kinds of useless websites which barely work under load and have abysmal implementations with blatant security holes. This law can act as a safeguard against such "epic failures", so that the taxpayers can be aware of what they are actually paying for. 300k euros for a static website? Let's hope it's over.

I hope it helps, but it doesn't seem like a sure thing on the face of it. To the extent these big, expensive government projects are similar to smaller “dumb-customer” projects, I don’t think this will help.

Anything that requires working with a hard to work with organization is “expensive” in one way or another. You need to sell them the project, which could take months or years. You need to figure out what they need, which will be difficult and you’ll be wrong because no one knows, nevermind articulating it . You’ll be forced to take numerous long cuts to meet unnecessary requirements. There will be iterations, slow progress, long waits for client input, training…

The companies who succeed at this are the ones who are experts in this process. They sell well. They’re good at “managing the process” and winning when a project is 3 years overdue, over budget, the spec is on iteration 46, and no one can remember the original goal.

OTOH, if the government is developing software, why shouldn’t it be open source. At the least, its good transparency.

Yes, this is mostly about preventing taxpayer rip-off for trivial software. Similar fraud schemes are exploited in almost every infrastructure development project. The government would repave a road with 1/3 of the official budget and the rest would be shared among the officials and shady business owners.

The Bulgarian government is unable to undertake a surveillance project of any substantial scale simply because it lacks the technological expertise.

I do not think you can imagine what kind of money (huge amounts) and what kind of software (worse possible you can release) is developed in fraudulent schemes where corrupt governments meet corrupt businesses. Having them by law open spurce I believe it will stop a lot of money to be wasted and quality of software to be much better compared to what is happening now.

This is the same or even worse in Romania. I just sent to Romania prime minister a link to this article via his FB account. I am curious to see if I will get any kind of answer.

If you have a government sponsored monopoly like that, at least do a half-way decent job. I will never understand getting paid $300k for a static website and being so desperate to squeeze another ounce of profit out of an already absurdly profitable contract that you shoot yourself in the foot by not at least delivering something pretty.

I mean, wow.

The predetermined companies chosen to execute these projects have never operated in real market conditions and they employ underpaid, demotivated people. No competent programmer would ever want to work there. Most of these companies are actually ill-transformed former communist enterprises which started importing and selling hardware in the 1990s, doing the occasional state software project when it comes up.

What happens is they pocket $295k and spend $5k on an actual project. In Poland a company got ~$150k to make a system to collect and count votes for local elections, it failed spectacularly. It turned out they employed one 23 year old CS student to make everything over about a half year. No public salary data, but I bet they paid her something like $800/month. The saddest thing is she got most of the blame for failure, if you google her name it's the only thing that comes out.

You mean like the Obamacare website that cost nearly $2 Billion to develop?

By none other than CGI, HQ'd down the street from me in Montreal?

Governments and Big Corps have quite an ability to spend money :). Understand that it's a game of distribution of power - not outcomes, and you understand it a little bit better :).

Exceptionalism and efficiency is for small companies and startups, for the most part.

In all fairness to CGI and company, the government set them up for abject failure, no dream team of programmers could have succeeded with it taking the role of integrator for which is did not have the talent or realization of the testing required, so many delayed decisions, and last minute changes (like a very big one a week or two before), being forced to use an unfamiliar database that, worse, implemented an unfamiliar paradigm (wasn't an RDBMS), etc.

I wrote more details on this on HN at the time, ask and I'll dig some up.

I don't doubt that, but it's $2 Billion we're talking.

An 'unfamiliar database' does not begin to cover it.

Neither do 'last minute changes'.

It was a boondogle from the start, failure in gov, failure in planning etc., failure to understand what they are doing.

Google Engineers had to come in and fix it.

I'm sorry for my lack of clarity:

An unfamiliar database paradigm. If it was some random RDBMS there wouldn't have been a huge problem there.

You ignored the constantly late transmission of requirements, and I can't believe you're saying that a fundamental re-engineering of the way the site worked 2 or less weeks before launch should be trivialized. How are you even going to test that, when you don't really have the time to implement it well?

Considering the US is a powerhouse of software engineering, and this was a state project, why did they pay CGI a Canadian company to do this?

Because at the national scale, there are only a few outfits that could feasibly make the bid.

IBM, Accenture, a couple of others.

CGI is maybe the biggest 'go to' shop for this stuff. They have zillions of developers ready to go, and a deeply entrenched lobbyist/salesforce.

It's not as though the US Gov could just go to some little startup. Even though the probably should have - big governments and companies don't understand innovation and how these things work.

They see it like building 12 football stadiums - how could a small team do it? They need massive industries, tons of experts, lawyers, business analysts! :)

These things are hard.

How exactly is open source going to fix that? The same companies can write the same garbage code for too much money with open source software just as easily. In fact they're probably already using open source.

Their end code must now be open source. Taxpayers can review the code they produce and raise a stink.

So again I ask: how does that fix anything? The government still spent too much money. The site still sucks.

People are already raising a stink they're spending too much money for subpar work, and nothing has changed. Having the code has exactly 0 effect on either of those two issues. Even if a concerned citizen FIXED the code, the odds of the politicians refusing to accept the fixes "for the security of their infrastructure" is upwards of 5-9s. Why on earth would they take those fixes when they're beholden to the people they're already overpaying for the work who likely donate large sums of money to their political campaigns?

I can take my best shot here. This is how I would see it at least:

These politicians probably know nothing about the software they are receiving. 300k for a static site? Good deal! By making the sites open source, it allows groups that wouldn't be reviewing the code / bids to do so and then validate the work.

For a US example, the TSA has that iPad application which is essentially a pRNG. Or is it? There is speculation that it might be much more than that, but no one can know without seeing the source code. If we could see the source code, we would know for sure and could verify if this project was really worth hundreds of thousands of tax-payer dollars.

It would prevent vendor lock-in. Some time ago, before government officials become more aware of IT matters, it was common practice in government contracts in Poland that consulting company creating website or bespoke IT system would keep code copyrights for themselves and then charge huge amount of money for even simplest change requests. That ended once they start requiring that source code is delivered together with binaries. Open-sourcing apps is just one small step further in the same direction.

> 300k euros for a static website? Let's hope it's over.

That is actually not that bad considering the fact that to sell to the government usually requires going through a lengthy bureaucratic process that involves metric tons of meetings, paperwork, constant back-and-forth, changes and revisions, guarantees, insurance, etc, that costs the seller easily north of 100k+ just to get started.

Meaning the cost is not in the product nor service, it is rather in the process.

I hope our country gets to your level. Our online tax system is an excel sheet and the site doesn't handle load well.

I remember the CEO of Information Services JSC (the de-facto Bulgarian monopolist in governement software procurement), prof. Mihail Konstantinov, making the ridiculous claim on TV that "We can't release the source code of the elections counting software. Anyone who has the source can hack into the system, even children know that. If you don't understand that, you should tear your diploma". Glad to see that morons such as him will no longer have the final say.

If it makes you feel better, the Australian government said the same thing:

"Ronaldson refused to table any documents relating to the case, stating that publishing the source code could lead to the EasyCount software being hacked. "In relation to the source code for the Senate counting system, I am advised that publication of the software could leave the voting system open to hacking or manipulation," he said. "In addition, I am advised that the AEC classifies the relevant software as commercial-in-confidence as it also underpins the industrial and fee-for-service election counting systems."" [1]

Australia's federal senate vote count software is a Visual Basic application. It was developed when an upgrade to Windows 2000 broke the previous COBOL application. [2]

[1] http://www.zdnet.com/article/government-blocks-aec-source-co...

[2] http://www.itnews.com.au/news/the-tech-behind-was-senate-rec...

These politicians are right - simply opening the existing source, with all it's flaws, bugs, and security holes, would be dangerous. It would be a huge help to any malicious party. I don't think they're suggesting open source is worse from a security point of view; they're saying that you can't open up an existing product without doing a lot of work first.

Where they are wrong is in the assumption that keeping the source closed makes them safe from an attack.

To some extent yes, but this is only good if you can make sure that not a single malicious adversary has access to the source code. My assumption would be that in the voting case, the ones in power do have access to the code, which is actually worse than open sourcing it. Offtopic: IMHO, the only way to fix the voting software issue is to deanonymize the voting process to some extent, which is a hard problem by itself too.

I don't see the huge issue with using VB. You can engineer a solution in a modern language terribly, and similarly engineer a VB application well.

However I do suspect that they engineered the VB application terribly. But them using VB should not automatically disqualify them from writing good code.

Actually, we made sure that the e-voting provisions in the new electoral code explicitly require the whole software to be open source. Especially for voting this is mandatory, otherwise there is no trust.

And how do you ensure that the actual deployed code doesn't differ from the one posted on GitHub?

From the electoral code, rough translation: "Independent observers are allowed to verify whether the digital fingerprint of the system in the data centers matches the publicly announced one"

The more people insist such verification is possible, the less you should trust them, they don't understand the issues[1]. It might be possible to come up with some provably verifiable scheme but they are very sophisticated and revised often because people still come up with ways to skew them[2].

[1] https://www.youtube.com/watch?v=w3_0x6oaDmI

[2] https://evoting.bismark.se/verifiable-electronic-voting/

While I love Tom Scott's videos, Andrew Appel (CS Prof. at Princeton) has a much better explanation[1] of the history of voting and why electronic voting is a terrible idea.

We have hundreds of years of experience learning how to secure paper ballots. Complexity creates attack surface, and usually fails to provide all of the security features provided by a simple paper ballot that is hand counted in view of all parties.

[1] https://www.youtube.com/watch?v=abQCqIbBBeM

That YouTube video is full of logical fallacies and wrong claims.

And even if such a verification is impossible, I don't think we should reject incremental improvements just because the result is not yet perfect.

A couple of examples from the first minute of the video:

- A ridiculous example of "electronic voting" is presented - voters download ballot papers, fill them, then email or fax them back. This obviously sucks in multiple ways. Therefore, all kinds of "electronic voting" must be broken.

- Physical voting is very old, therefore it must have become solid and tamper-proof by now. This is not true. Physical voting is vulnerable to all kinds of manipulations, and they do happen on large scales.

The wrong claims continue forward. Just because that dude sounds smart doesn't mean his clip has any value.

This "ridiculous" example is very real and famously practised to this day MASSIVELY in many countries [1]. It is the prime example of what most people understand as e-voting. He does address other types of voting as well later, including the "open-source bullet-proof machines".

The guy explicitly says physical voting can be compromised easily too, but it requires much more people and it will exhibit patterns such as location stats, violence or outbursts of whistleblowers and it is more or less contained unless the whole country is on it in which case - good for them anyway. While with e-voting, you could technically be a very small group of people and you can model your fake results to be statistically plausible much better with no patterns.

[1] https://travel.state.gov/content/passports/en/abroad/legal-m...

This video is a highly cited source on the issue, admittedly aimed at less educated viewers, but quite accurate. There have been no rebuttals since it was posted and there are serious computer scientists putting their name on it. If you want to write a substantial rebuttal, I am sure it will be huge news in the community.

Even the simplest verifiable voting system is so complicated normal people will be confused how to use it and take advantage of it.

Well this article throws a bunch of different things out there suggesting that, first, Bulgaria will adopt verified electronic voting, and second, that electronic voting is sound enough and ready for deployment. Both of these points are false or unclear at best. Then the blog seems to suggest there is some sort of middle ground between verified voting and non-verified voting and it's OK to make some half-assed step in this direction, which is exactly what the video warns against.

When people talk about electronic voting, typically this means the US-type of voting. And when someone talks about verifiable electronic voting, then they should start by making it clear that this is orders of magnitude more ambitious, it hasn't been deployed anywhere and Bulgaria will be the first country in the world to do it. This is a project of historical scale including the known practical difficulties with the current methods. It should not be advertised like a proven system working in EU and US like it is now. And like I said even if Bulgaria really adopts any sort of verifiable voting there will be so many confused people due to the nature of the process it will skew the results.

Finally, again as the video explains paper vote counting may not be perfect, but it does require more people to involved in the fraud. This is a very important point. Results are available per area and each party makes sure the sum makes sense at least from a small sample.

I would assume that the primary method is the same method that police use to match evidence gathered at a crime and evidence provided at a trial, ie trust. Independent observers is more of a safeguard, there to increase trust and make it riskier for a malicious actor to tamper with an election.

I don't see a way. However this would work: The government machine counts, and prints coupons. These coupons are scanned on a second machine installed from GitHub. At the end of the day both machines print their total count on paper (otherwise we cannot grantee anonymity.) These 2 results are compared and passed along. And then the only guaranteed way to ensure anonymity is to destroy the government machine. Less drastic would be wiping the HDD, but who says there is no hidden ROM ?

That's awesome to hear. Many thanks for your efforts :)

Unlike private companies, the CEO of Information Services is a political position rather than an actual management position. The decision-making power within the company rests in the hands of the regional chapter executives, who devise and negotiate the projects their chapter will take on. Coordination between the chapters is usually done by the Sofia head chapter's executive(who is not the CEO). The likelihood of prof Konstantinov actually being involved in a decision made by the company is pretty low.

The election counting software is as open as it can be, without having open source. There is a clear specification that is published online on the actual mechanics of the voting process(e.g. how votes are translated into representatives). Records detailing the actual paper vote tallies, signed off by regional vote organizers and managers, are accessible in electronic and paper format. The committee handling the voting process encourages independent verification of the software's calculations.

It's far more likely(and often documented by journalists) that a party would commit voting fraud by purchasing votes or bribing vote organizers, rather than hacking the election software.

The quote was slightly off, apologies. I was quoting from memory, this was 3 years ago, and I can no longer edit the parent post. What he actually said was more like (translation): "Only someone who does not know how to turn on the computer, can suggest that the election counting software's source should be made public" [1].

[1] http://www.mediapool.bg/mihail-konstantinov-podade-ostavka-k...

Whichever subject Prof. Konstantinov is an expert in, it's not cryptography: https://en.wikipedia.org/wiki/Kerckhoffs%27s_principle.

He is a professor in Mathematics, and is often invited in popular TV shows as a supposed "expert" on elections, software, and politics in general.

Well, at least the TV shows invite mathematicians, that's not a bad start.

All Bulgarian TV shows invite the same bunch of around 50 self-proclaimed experts (supposed historians, economists, national security experts, sociologists). These people spread tons of lies and misconceptions to the wider public which is generally badly informed and uncaring. Mixing in a little bit of obvious truth with the rest of the garbage makes them look like a credible authority.

Estonia has published it's e-voting solution on Github: https://github.com/vvk-ehk/evalimine

> It means that whatever custom software the government procures will be visible and accessible to everyone. After all, it’s paid by tax-payers money and they should both be able to see it and benefit from it.

I've been thinking that way for a long time, nice to see I'm not alone. Let's hope other jurisdictions follow suit.

Would be nice if bigger nations like USA, UK/GB, Germany would adopt this policy and have to open source the exploits and root kits that where develop with tax payers money.

Open source XKeyscore, yay!

The UK government's digital services implement Open Standards for most of the code they develop. While this isn't something that third party vendors have to do, GDS/PDS/MOJDS/HMRCDigital are all rapidly reducing the amount of work external vendors do for government anyway.


Yes, in the linked presentation I mention GDS as a good example. The US also has a lot of opensource projects.

I think, the USA even already has a law like that, except that projects that were started prior to that law don't have to be open-sourced, so that's how XKeyscore is protected...

"The fact that something is in the law doesn’t mean it’s a fact, though."..."companies will surely try to circumvent it."

Yeah, this is very well said. Most laws in Bulgaria are either not enforced or "avoidable" :)

This is very interesting, I wish more countries followed suit.

In my ideal fantasy world, at some point other countries might have a look at one of the open source projects of Bulgaria and collaborate when the goals align closely.

It would be cool to have a Bulgarian version of the US Government's 18F:


They have public standards for government websites, server HTTPS configs, website user interfaces, etc. On GitHub!


It mentions "OpenOffice", which is now defunct.

In any case it is good. Future procurements will show how well the law is applied.

OpenOffice isn't defunct, it is still in development: https://www.openoffice.org.

It's nothing, compared with LibreOffice development pace.

Yes, but it is still alive. And even LibreOffice copied feature introduced in Apache OpenOffice by IBM(sidebar). But OpenOffice cannot copy code from LO due to license incompatiblity.

Although not strictly "defunct", point taken - changed it to LibreOffice.

This is Bulgaria. We treat laws as something below "vague recommendations".

I've personally seen the Dutch government spend millions implementing open source software. This was something that could've been fixed for a fraction using a closed source solution. After a couple of years, the project was canceled and the closed source solution was implemented anyway.

I'm not saying that using OSS is a bad thing. I don't, however, think that 'OSS only' is the solution to the problem at hand.

More background please? Because unless they were cutting corners in a huge way (probably security-wise), I don't see how open source would be so much more expensive than closed source. The statement that "[it] could've been fixed for a fraction using closed source" seems very weird since there are no fundamental differences in how one writes open or closed source code.

They were implementing an ESB. There wasn't any internal knowledge on it, so they had started a joint venture with a business that provided consultants. For some reason (not exactly sure why), the project went past its deadline by about 2 years. My own employer at the time also provided an ESB, though it was closed source. We had a lot of experience with the product, and therefore could've implemented it quickly and for a fraction of the price (like we'd done before). Unfortunately, no information on this is available online, for reasons I understand.

When they canceled the project, apparently they ended up hiring my employer anyway.

All this means is that new implementations of software created by contractors will required to be licensed differently than before (with an OSS license), so that contracted work is able to be audited by the public.

To me, it seems like this is not just about software created by contractors: > develop, upgrade or implementation of information systems and e-services Implementation infers that also OOTB software should be open source. To me this could lead to forced use of inferior OSS, or to costly implementations of OSS where there are only few experts.

That is great news, hope it works out well.

If facebook, google, twitter and others are able to run their world scale software on OSS solutions without being hacked, I am sure that OSS can power some national scale software as well.

They ARE being hacked from time to time :) But they also know that and they run bug-bounty programs.

Every law passed by Bulgarian parliament serves only one purpose - to put pressure on somebody, so people in the shadows can get a slice.

edit: A new government agency is tasked with enforcing the law

Ah, I see now.

I know the people who stand behind this and believe me, they have 0 (zero) dependence on the oligarchy and moreover they are a team of experts who have been in the private sector until recently. This law is one against the status quo.

There have been plenty of experts with 0 dependency from the oligarchy. They all either failed or started dancing to the tune. Even if they have pure intentions, they will get manipulated, used and eventually thrown out while the agency will serve as a means to block companies who don't know the right people.

Great to hear that, because I was ( still am ) skeptical about any government legislation these days.

The GERB party doesn't do any politics or strategic decisions in favour of the nation. Its sole purpose is to keep bureaucracy high and its favoured companies busy by distributing EU funds through "power channels". More bureaucracy means easy money for that same "elite".

There is no party which does politics or strategic decisions in Bulgaria. ALL of the political scene is usurped by ex-intelligence officers and they suffocate any possible alternative in infancy. It is quite depressing and I don't think there is a way out.

You are totally right about the power channels, but the truth is they are focused on the construction sector. The old commies who stand behind this are not that confident when working with IT and that is one of the biggest reasons the law passed. They still don't acknowledge or don't care that it will be harder for them to steal from IT public tenders.


I think this is a matter of perspective. I don't live in Bulgaria but my company has a pretty big lab in Sofia and I work with the engineers there constantly. They are excellent. I have had nothing but good experiences working with them. There are talented people around, and Sofia is pleasant and safe. The country itself is quite beautiful.

Bulgaria is not free of problems (see the corruption perceptions index [1]) but it's also far from doomed.

[1] https://en.wikipedia.org/wiki/Corruption_Perceptions_Index#2...

No national putdowns on HN, please.

(Even if you're a member of that group—as is often the case with outbursts this vehement, which come not from prejudice but more complex and intense emotions. We get that. But you still can't post like this here.)

That is irrelevant to the topic. Yes, there are big problems, but they are not fixed overnight. They are fixed slowly and patiently by introducing ever more transparency and safeguards.

No, they are not fixed slowly and patiently. There is ONLY one way to "fix" these "problems" and, unfortunately, it is the exact opposite of slowly and patiently. That's how absurd Bulgaria is.

Revolutions normally don't fix problems, they create new ones.

I'm not talking about an internal revolution - there is nobody left in that country to carry that out. Everyone with half a brain and access to a little bit of money has long left.

Gosh, you people think I'm kidding about this! You think I'm sketching a tasteless comic or something full of foul language just for kicks.. If anything, I've put it too kindly! It is A LOT worse than this.

It is a lot worse than this. It is jaw dropping terror.

This is super offending way of speech and this is not the place for it, if you have nothing meaningful to say just don't say anything.

This is the most meaningful thing I have said since I was born (in Bulgaria). If you feel offended, deal with it. I've dealt with far worse there and nothing bad that I can say about the communists running this country is bad enough.

Mind you, it's not the country itself that I dislike. I used to love that country, and somewhere deep inside I probably still do, or else I wouldn't care enough to say these things.

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact