Hacker News new | comments | show | ask | jobs | submit login
Source code of Polish electoral voting system? (github.com)
111 points by tartle 1071 days ago | hide | past | web | 62 comments | favorite

The sourcecode wasn't leaked - an internal website (with the software, written in C#) [1] was leaked, and then the program was decompiled and pushed to GH.

EDIT: The website leak itself is actually pretty old news, but the decompilation and public shaming of the code itself is relatively new. “Zaufana Trzecia Strona” has more information [2] about the leak itself (in Polish).

[1] - http://zapasdlakbw.home.pl/kalkulator-wyborczy/kalkulator/

[2] - http://zaufanatrzeciastrona.pl/post/wersja-testowa-systemu-p...

Aren't you talking about backend? The code on github is a client used by a polling place and it was publicly available (this is how they've it distributed)

Summary of the more interesting comments here[1]: - the ITT (invitation to tender) had 26 pages - questions from the contractors were answered with "this information is not required to define the price/scope of the feature but it has to be implemented anyway" - huge scope (9 modules) + training + administering the system - everything has to be finished in 1.5-2.5 months from when the results of the tender are published

It seems that only a single company has entered the auction for the tender because everyone else could see that the project was destined for failure. The company also allegedly employs three people and pays its programmers around 2000 zł/month (which is very low even by polish standards).

[1] - http://www.poselska.nazwa.pl/wieczorna2/media/system-pkw-do-...

Just to make it clear to everybody, this is not an electronic voting system. This is only a set of applications to accelerate vote counting before the official results. All of the votes must be counted and submitted the "old fashion way". You couldn't mess with the actual results by hacking this "appkenstein".

https://github.com/wybory2014/Kalkulator1/blob/master/Kalkul... - if you can't connect to https://syswyb.kbw.gov.pl/, try an unencrypted connection to http://klk.kbw.gov.pl/.

It also looks like (unless I am missing something) 'liceneses' (signatures of authorised officials as far as I can tell) are checked for common name / organisational unit, but there is no check that the certificate trust chain is anchored on a trusted certificate.

https://github.com/wybory2014/Kalkulator1/blob/master/Kalkul... Is this correct generation of salt? It looks like someone just c&p an example from http://www.cprogramdevelop.com/1263984/

Is the definition of a secure system, that it is still secure even if you have the source code?

Context: State Electoral Commission declared a computer glitch is delaying the vote count. The problem persists, and election results are not yet available.

Leaked? Is the source code not public anyway? I mean generally you'd want to know what method they are using to count votes.

Tens of millions of US voters use closed-source voting machines during our elections. The companies who make the machines are generally a little too friendly with the Republican party (Diebold, Premier Election Systems, or whatever they recently changed their name to).

I'm shocked at how few people care that so many votes are "counted" through Republican-friendly voting computers.

Funny, I googled "programmer testifies..." and the first autocomplete was "...about rigging elections": https://www.youtube.com/watch?v=tjvtSquZkhs

Journalist Greg Palast also has evidence of electronic voter in Ohio in 2004. (Disclaimer: I have not delved deep on his claims, but the mere fact of their plausibility is deeply concerning.)


The method is widely known, but last weekend there were election with new system for reporting protocols from electoral commisions etc. and it appears to be quite huge swindle since it's been made in three months before elections and failed as fuck. Finally some of votes needed to be counted in Excel.

Feel free to ask about details, because I'm from Poland and hadn't found any sufficient article about it.

That's a pretty good article in Polish, tackles the issue from more than one perspective: http://niebezpiecznik.pl/post/problemy-w-pkw-zliczanie-gloso...

Here's a Google Translate of the README.md file:

Based on a cursory analysis of the executable file and application development can be concluded that the performance of the Election Calculator entrusted single Studénka, probably working for external contractors. Ms. Agnieszka, I really sympathize, we are with you!

Poland is a country in which the fate of thousands of members of the committee rests on the shoulders of the novice programmer.

A "more English" translation could read:

Based on a cursory analysis of the executable and application development, it's clear that the act of writing the Election Calculator was entrusted to a single (female) student, who was probably working for external contractors. Ms. Agnieszka, we really sympathize, we are with you!

Poland is a country in which the fate of thousands of committee members rests on the shoulders of a novice (female) programmer.

The fact that the programmer is female is mentioned implicitly - the female version of the “programmer” pronoun is used, the fact is not really stated anywhere.

So it should not to taken as „the shoulders of a novice, female programmer” (in which the fact that she is female is stated explicitly and could be used to further put down the person's programming abilities) but as „the shoulders of a novice programmer”.

Well, that's the thing about Polish tongue (and many other too). Every single word does have a gender and you can't run away from it - in theory, masculine could represent gender-neutral meaning, but it would be very awkward to say (in Polish) "student" in one sentence and "Agnieszka" (Agnes) in the next one.

I don't find any emphasis on the sex of the person in question in the Polish text. It's only about experience and skill of the poor soul. Translations are hard because cultural context.

Uhm, no, it is not.

Did you miss the "Pani Agnieszko, naprawdę współczujemy, jesteśmy z panią!"("Ms. Agnes, we're really sorry too, we're here for you")(that's a terrible translation, but oh well) part? There's absolutely no ambiguity here.

I meant the “(female)” remarks in the grand-grandparent post.

There is no way to avoid that in the polish language, as someone else pointed out already. Nouns and sometimes even verbs or adjectives have gender, and you need to use either the male form or female form according to the situation

Right, but a translation to English should not include "(female)" unless it's essential information, which it isn't here.

It is probably worth nothing that "female" is really a parenthetical. Source is simply using the appropriate Polish word (which is gendered). The translation could be read as implying that the person's gender has anything to do with the issues they've had, but source's wording doesn't really imply that. (They may have in fact wanted to imply that; but we can't determine that from the wording.)

To be fair it's a voting system, i.e. a program whose main function is to count, and unless the definition of "novice" these days is not what it used to be, it should be well within the ability of a "novice" programmer to write one.

Given the potential impact of the results, and the incentives in place for the final tally to be something other than the correct sum, the problem is not quite as simple as counting your sheep.

Think of it more like counting your sheep as lean and hungry gentlemen shout random numbers in your ear, dump disguised goats into your flock, continually jog your elbow if you try to write anything down, and toss sheep over the fences in both directions.

And then, just for fun, they stab you in a kidney and take your wallet.

The hard part is not the counting. It's dealing with the potential attacks and still being able to verify precise and accurate results.

> And, decompiled or not; this is not the result of proper C#- or for that matter any modern language- coding:

> r = r + "<code>" + this.hardErrors[i] + "</code>";

What's wrong with this?

Assuming that r contains XML and this.hardErrors[i] is already escaped for XML safety, that is probably what you'd expect to see a code-generated XML generator doing, as well as hand-generated XML (if generating text directly and not an intermediate abstract representation of the XML).

In few words - whole Polish voting system is dead now and the votes are counted by the people. What is more interesting: in the tender for the software started one company and of course won it - random case? I don't thing so.. greets from Poland:)

I like to believe it was the only company crazy (or inexperienced) enough to participate in a project of this scale on such a short notice. Which would be a sign of maturity of the Polish IT sector.

I'm still amazed that in the century of the Internet people still write stuff like that as a desktop app. Not to mention it was waaaaaay to late to do it in the first place (they picked the company to implement it in August 2014).

Can anyone who knows about this recommend an accurate and neutral title for the post?

The government messed up the public procurement. They wanted to have the system done in a very short time (one month?). Only one company submitted an offer.

LOL, really belive that? Sorry but IMO it was set - app costs was around $120k so..

Likely a fake. The company which wrote the system is recruiting just PHP developers, while this is written in C#.

Of course this is all speculation. It may be truth and someone reconstruct the original version by decompiling it. e.g.: https://github.com/wybory2014/Kalkulator1/commit/cdff9cb67b8...

Electoral voting system written in PHP. Sounds like a good idea.

It is amazing that I knew your comment was sarcastic. But, a computer parsing this sentence would never be able to tell. This is a reason that humans are special :)

A computer programmed to deal with sarcasm would contrast this statement with (local) popular opinion and deduce from the large contrast between the certitude of the statement and the popular opinion that this statement is either sarcasm or obliviousness. I think exactly as humans do. It's not that sarcasm is hard to detect for computers, it's just that it's hard for computers to collect enough contextual information to judge the validity of any statement.

Why not? WordPress runs 23% of the Internet. (WordPress is written in PHP of course.)

WordPress (and PHP) are not bad things. They are things that have been designed for very specific purposes, and they actually excel at those things. Both are extremely easy to get up and running. They can run practically anywhere etc.

There are entire languages written with the design goal being security. It's not a matter of whether or not something is a capable tool (ie: runs 23% of the internet), it's whether or not it's the right tool for the job. PHP clearly isn't.

I don't think an application written in PHP makes it inherently insecure. Maybe if you're talking about some 2004-style PHP with magicquotes and register globals enabled, but not in 2014 with a modern stack/framework. You could write a shitty ruby app just as easily as you can write a shitty php app.

Writing your code in PHP, no matter how good of a programmer you are, makes it more likely that your natural level of mistakes will insert security issues into the code, especially when compared to a language with even basic features like static typing. I'm not saying this as some idiot who thinks PHP is bullshit and for noobs, I've worked on pretty large sites using PHP and I have a pretty deep understanding of it.

Everyone likes to say security is mission critical, but for the vast majority of people it really isn't. And for those people the development speed advantage, massive developer market, libraries etc. you get working in Ruby or PHP are well worth it.

Everything is tradeoffs, and it seems to me that in writing voting software deployability, development speed etc., are not nearly as mission critical as security.

> Writing your code in PHP, no matter how good of a programmer you are, makes it more likely that your natural level of mistakes will insert security issues into the code

While I'm inclined to agree, this is a self-defeating premise. If you're "so good" of a programmer that you do not make security affecting mistakes (i.e. one of only a handful of PHP programmers I've met), then the probability of inserting "security issues" into your code is still zero, regardless of language.

> I'm not saying this as some idiot who thinks PHP is bullshit and for noobs, I've worked on pretty large sites using PHP and I have a pretty deep understanding of it.

Good. :)

I don't understand your reply. No one is good enough to write code without bugs.

> No one is good enough to write code without bugs.

This is congruent to saying, "Whitelists don't exist. Everyone implements poorly scoped black-lists."

I literally have no idea what you mean by this. Are you trying to imply there are people who write bug free code? If so please point me in their direction.

People make mistakes. Systems should be designed for this expectation. If mistakes are extremely costly it implies you should use certain tools and development methodologies, if not you can use others.

Code that is bug-free and code that is free of security-affecting bugs are not the same thing.

For an example of an application that is currently free of application-layer security bugs, see my blog. It's not a CMS, I wrote it myself. Go ahead and try to hack it. :P

I feel like you're arguing against a strawman that I don't think secure applications can be written in PHP. I don't think that.

Edit: put another way: if you are starting from scratch and your main focus is security, why would you use PHP?

Familiarity. I know its quirks inside out and therefore know which mistakes not to do. If you point me to Python and say "build a secure web app," I'm going to need to spend a lot of time researching.

WordPress is also far from the most secure or correct system in the world.

It's getting better. I, for one, am going to begin contributing to the core code :)

A voting counter shouldn't be compiled using hopes and dreams, but using proven coding methodologies. What you are suggesting, and what I see when I read it: http://www.usmra.com/repository/category/electrical/techsupp... (Indian electrical grid)

According to media PHP is used server-side (the system was written using CakePHP). This is decompiled client app that is used by electoral commissions (the one that is hardly working at the moment).

You can download the installation package here http://zapasdlakbw.home.pl/kalkulator-wyborczy/kalkulator/ and decompile it. pdf file was included.

Haven't we all frowned upon picking on females in tech industry just yesterday?! It is NOT okay to wildly imply that the author of this code is of certain age and gender.

EDIT: it was shown by the comment below that it was actually written by someone with a popular Polish female name. I was shaken by the article yesterday and thus oversensitive. Sorry about that.

Well, the implications are pretty well founded:

- the binary has strings like `C:\Users\Agnieszka\...\Visual Studio 2013\Projects\Kalkulator1`. Agnieszka is a female Polish name -> the programmer is female. Although nobody really is using this as a discussion point anywhere, but hey, the fact is there if it's interesting to you.

- the code logic and layout is pretty convoluted and looks duct taped together, even considering it's decompiled from binary form -> the author is probably young and inexperienced, and/or this was extremely rushed.

Also, I'm not realy sure where anyone is “picking on females” here.

What is more, it is possible to find an Agnieszka working at Nabino through a Polish LinkedIn clone...

I don't know, I wouldn't judge a decompiled code.

Can you give a few examples why is it so bad?

Keep in mind this is decompiled from IL, so the class/method/object mapping and naming remains from the original binary.

Here are a few, in my opinion, ugly examples:

https://github.com/wybory2014/Kalkulator1/blob/master/Kalkul... and https://github.com/wybory2014/Kalkulator1/blob/master/Kalkul... and a few more instances of basically the same logic, copy-pasted (correct me if this might have been optimized from source code, as I'm a reverse engineer and not a C# programmer - but I'm pretty sure it's not)




https://github.com/wybory2014/Kalkulator1/blob/master/Kalkul... and string-based HTML generation in general. Oh, and this method in general. It doesn't even fit on my screen without scrolling to the right.

I'm not saying it's a goldmine of DailyWTF-worth content - but it's still pretty bad. In general, it doesn't really follow any MVC-separation, the naming is arbitraty at best (and dictated by the IDE at worst - Kalkulator1, anyone?), and DRY principles are vastly ignored.

I was not aware of those paths. I give up.

At least she used a fairly recent version Visual Studio...

See, this is the kind of problem I have with feminism (and a few other things). It was just a feature of the language, exhibited heavily by most slavic languages (which have much richer grammars than English f. eg.) and thus impacting thought process, yet it was your a natural response to "defend the beatnen".

If you position yourself as a victim, don't be surprised when you are treated this way.

Totally agree. That was my first reaction after reading this. Not cool.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact