EDIT: The website leak itself is actually pretty old news, but the decompilation and public shaming of the code itself is relatively new. “Zaufana Trzecia Strona” has more information about the leak itself (in Polish).
 - http://zapasdlakbw.home.pl/kalkulator-wyborczy/kalkulator/
 - http://zaufanatrzeciastrona.pl/post/wersja-testowa-systemu-p...
It seems that only a single company has entered the auction for the tender because everyone else could see that the project was destined for failure. The company also allegedly employs three people and pays its programmers around 2000 zł/month (which is very low even by Polish standards).
 - http://www.poselska.nazwa.pl/wieczorna2/media/system-pkw-do-...
It also looks like (unless I am missing something) 'liceneses' (signatures of authorised officials as far as I can tell) are checked for common name / organisational unit, but there is no check that the certificate trust chain is anchored on a trusted certificate.
I'm shocked at how few people care that so many votes are "counted" through Republican-friendly voting computers.
Journalist Greg Palast also has evidence of electronic voter in Ohio in 2004. (Disclaimer: I have not delved deep on his claims, but the mere fact of their plausibility is deeply concerning.)
Feel free to ask about details, because I'm from Poland and haven't found any sufficient article about it.
Based on a cursory analysis of the executable file and application development, it can be concluded that the implementation of the Election Calculator was entrusted to a single Studénka, probably working for external contractors. Ms. Agnieszka, I really sympathize, we are with you!
Poland is a country in which the fate of thousands of members of the committee rests on the shoulders of the novice programmer.
Based on a cursory analysis of the executable and application development, it's clear that the act of writing the Election Calculator was entrusted to a single (female) student, who was probably working for external contractors. Ms. Agnieszka, we really sympathize, we are with you!
Poland is a country in which the fate of thousands of committee members rests on the shoulders of a novice (female) programmer.
So it should not be taken as „the shoulders of a novice, female programmer” (in which the fact that she is female is stated explicitly and could be used to further put down the person's programming abilities) but as „the shoulders of a novice programmer”.
I don't find any emphasis on the sex of the person in question in the Polish text. It's only about the experience and skill of the poor soul. Translations are hard because of cultural context.
Did you miss the "Pani Agnieszko, naprawdę współczujemy, jesteśmy z panią!"("Ms. Agnes, we're really sorry too, we're here for you")(that's a terrible translation, but oh well) part? There's absolutely no ambiguity here.
Think of it more like counting your sheep as lean and hungry gentlemen shout random numbers in your ear, dump disguised goats into your flock, continually jog your elbow if you try to write anything down, and toss sheep over the fences in both directions.
And then, just for fun, they stab you in a kidney and take your wallet.
The hard part is not the counting. It's dealing with the potential attacks and still being able to verify precise and accurate results.
> r = r + "<code>" + this.hardErrors[i] + "</code>";
What's wrong with this?
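The quoted line assembles HTML by string concatenation, with each error message dropped straight into the markup. If any of those messages echoes data read from an input file (a committee or candidate name, for instance), that data is rendered as markup rather than text. As an added Go example, not code from the calculator, here is the same pattern beside two fixed versions: one that escapes each message and uses a builder, and one that hands the job to `html/template`, which escapes according to where each value lands. The sample error strings are constructed for the illustration.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
	"strings"
)

// renderUnsafe reproduces the quoted pattern in Go: error strings are
// concatenated straight into markup, so '<', '"' and '&' inside them become
// part of the document instead of being displayed. Repeated r = r + ... is
// also quadratic in the number of messages.
func renderUnsafe(hardErrors []string) string {
	r := ""
	for _, e := range hardErrors {
		r = r + "<code>" + e + "</code>"
	}
	return r
}

// renderEscaped keeps the same output shape but HTML-escapes each message
// and appends to a builder instead of re-copying the string every iteration.
func renderEscaped(hardErrors []string) string {
	var b strings.Builder
	for _, e := range hardErrors {
		b.WriteString("<code>")
		b.WriteString(html.EscapeString(e))
		b.WriteString("</code>")
	}
	return b.String()
}

// renderTemplate is what to reach for once the report grows beyond a line:
// html/template applies contextual escaping (text, attribute, URL, script)
// so the author does not have to remember which encoder goes where.
var errTmpl = template.Must(template.New("errs").Parse(
	`{{range .}}<code>{{.}}</code>{{end}}`))

func renderTemplate(hardErrors []string) (string, error) {
	var b strings.Builder
	if err := errTmpl.Execute(&b, hardErrors); err != nil {
		return "", err
	}
	return b.String(), nil
}

// Constructed sample: the second message echoes a committee name taken from
// an input file, which is attacker-controlled data.
var sampleErrors = []string{
	"Suma głosów nie zgadza się z liczbą kart",
	`Nieznany komitet: "<img src=x onerror=alert(document.cookie)>"`,
}

func main() {
	fmt.Println("unsafe:  ", renderUnsafe(sampleErrors))
	fmt.Println("escaped: ", renderEscaped(sampleErrors))
	if out, err := renderTemplate(sampleErrors); err == nil {
		fmt.Println("template:", out)
	}
}
```

Whether the concatenated string ends up in a WebBrowser control, a saved report or a printout decides how bad the unescaped version is, but the fix is the same in every case: encode at the point where data meets markup, not somewhere upstream.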
Of course this is all speculation. It may be true, and someone may reconstruct the original version by decompiling it, e.g.:
There are entire languages written with the design goal being security. It's not a matter of whether or not something is a capable tool (ie: runs 23% of the internet), it's whether or not it's the right tool for the job. PHP clearly isn't.
Everyone likes to say security is mission critical, but for the vast majority of people it really isn't. And for those people the development speed advantage, massive developer market, libraries etc. you get working in Ruby or PHP are well worth it.
Everything is tradeoffs, and it seems to me that in writing voting software deployability, development speed etc., are not nearly as mission critical as security.
While I'm inclined to agree, this is a self-defeating premise. If you're "so good" of a programmer that you do not make security affecting mistakes (i.e. one of only a handful of PHP programmers I've met), then the probability of inserting "security issues" into your code is still zero, regardless of language.
> I'm not saying this as some idiot who thinks PHP is bullshit and for noobs, I've worked on pretty large sites using PHP and I have a pretty deep understanding of it.
This is congruent to saying, "Whitelists don't exist. Everyone implements poorly scoped black-lists."
People make mistakes. Systems should be designed for this expectation. If mistakes are extremely costly it implies you should use certain tools and development methodologies, if not you can use others.
For an example of an application that is currently free of application-layer security bugs, see my blog. It's not a CMS, I wrote it myself. Go ahead and try to hack it. :P
Edit: put another way: if you are starting from scratch and your main focus is security, why would you use PHP?
EDIT: it was shown by the comment below that it was actually written by someone with a popular Polish female name. I was shaken by the article yesterday and thus oversensitive. Sorry about that.
- the binary has strings like `C:\Users\Agnieszka\...\Visual Studio 2013\Projects\Kalkulator1`. Agnieszka is a female Polish name -> the programmer is female. Nobody is really using this as a discussion point anywhere, but hey, the fact is there if it's interesting to you.
- the code logic and layout is pretty convoluted and looks duct taped together, even considering it's decompiled from binary form -> the author is probably young and inexperienced, and/or this was extremely rushed.
Also, I'm not really sure where anyone is “picking on females” here.
Can you give a few examples of why it is so bad?
Here are a few, in my opinion, ugly examples:
https://github.com/wybory2014/Kalkulator1/blob/master/Kalkul... and https://github.com/wybory2014/Kalkulator1/blob/master/Kalkul... and a few more instances of basically the same logic, copy-pasted (correct me if this might have been optimized from source code, as I'm a reverse engineer and not a C# programmer - but I'm pretty sure it's not)
https://github.com/wybory2014/Kalkulator1/blob/master/Kalkul... and string-based HTML generation in general. Oh, and this method in general. It doesn't even fit on my screen without scrolling to the right.
I'm not saying it's a goldmine of DailyWTF-worthy content - but it's still pretty bad. In general, it doesn't really follow any MVC separation, the naming is arbitrary at best (and dictated by the IDE at worst - Kalkulator1, anyone?), and DRY principles are vastly ignored.
At least she used a fairly recent version of Visual Studio...
If you position yourself as a victim, don't be surprised when you are treated this way.