The source code wasn't leaked - an internal website (with the software, written in C#) [1] was leaked, and then the program was decompiled and pushed to GH.
EDIT: The website leak itself is actually pretty old news, but the decompilation and public shaming of the code itself is relatively new. “Zaufana Trzecia Strona” has more information [2] about the leak itself (in Polish).
Aren't you talking about the backend? The code on GitHub is a client used by a polling place and it was publicly available (this is how they've distributed it).
Summary of the more interesting comments here[1]:
- the ITT (invitation to tender) had 26 pages
- questions from the contractors were answered with "this information is not required to define the price/scope of the feature but it has to be implemented anyway"
- huge scope (9 modules) + training + administering the system
- everything has to be finished in 1.5-2.5 months from when the results of the tender are published
It seems that only a single company has entered the auction for the tender because everyone else could see that the project was destined for failure. The company also allegedly employs three people and pays its programmers around 2000 zł/month (which is very low even by Polish standards).
Just to make it clear to everybody, this is not an electronic voting system. This is only a set of applications to accelerate vote counting before the official results. All of the votes must be counted and submitted the "old-fashioned way". You couldn't mess with the actual results by hacking this "appkenstein".
It also looks like (unless I am missing something) 'licenses' (signatures of authorised officials as far as I can tell) are checked for common name / organisational unit, but there is no check that the certificate trust chain is anchored on a trusted certificate.
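The gap that comment describes, as an added example (not code from the decompiled client): a subject-only comparison next to a check that also requires the chain to end at a pinned root. `LicenceCheck`, the subject values and the demo CA are all constructed for illustration; it assumes .NET 5 or later for `X509ChainTrustMode.CustomRootTrust`.

```csharp
// Added illustration: all names and subject values are constructed, not the client's.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class LicenceCheck
{
    // The pattern the comment describes: only subject fields are compared.
    public static bool SubjectOnly(X509Certificate2 cert, string cn, string ou)
    {
        var rdns = cert.SubjectName.Format(true)
            .Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries);
        return rdns.Contains("CN=" + cn) && rdns.Contains("OU=" + ou);
    }

    // Hardened: same subject test, plus a chain that must end at the pinned root.
    public static bool ChainAnchored(X509Certificate2 cert, X509Certificate2 root,
                                     string cn, string ou)
    {
        if (!SubjectOnly(cert, cn, ou)) return false;
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(root);
        // Revocation is skipped only because the demo CA publishes no CRL.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        return chain.Build(cert);
    }

    static CertificateRequest Req(string dn, RSA key) =>
        new CertificateRequest(dn, key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

    static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        const string cn = "Demo Official", ou = "Demo Commission";
        string dn = $"CN={cn}, OU={ou}";
        using RSA caKey = RSA.Create(2048), k1 = RSA.Create(2048), k2 = RSA.Create(2048);
        var caReq = Req("CN=Demo Root CA", caKey);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        using var root = caReq.CreateSelfSigned(now.AddDays(-1), now.AddDays(30));
        // Same subject twice: one issued by the pinned root, one self-signed.
        using var issued = Req(dn, k1).Create(root, now.AddHours(-1), now.AddDays(29), new byte[] { 1 });
        using var selfSigned = Req(dn, k2).CreateSelfSigned(now.AddHours(-1), now.AddDays(29));
        foreach (var (name, c) in new[] { ("issued", issued), ("self-signed", selfSigned) })
            Console.WriteLine($"{name}: subject-only={SubjectOnly(c, cn, ou)} " +
                              $"anchored={ChainAnchored(c, root, cn, ou)}");
    }
}
```

Both constructed certificates carry the same CN and OU, so the subject-only test cannot tell them apart; only the anchored check separates the one issued under the pinned root from the self-signed one.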
Context: State Electoral Commission declared a computer glitch is delaying the vote count. The problem persists, and election results are not yet available.
Tens of millions of US voters use closed-source voting machines during our elections. The companies who make the machines are generally a little too friendly with the Republican party (Diebold, Premier Election Systems, or whatever they recently changed their name to).
I'm shocked at how few people care that so many votes are "counted" through Republican-friendly voting computers.
Journalist Greg Palast also has evidence of electronic voter in Ohio in 2004. (Disclaimer: I have not delved deep on his claims, but the mere fact of their plausibility is deeply concerning.)
The method is widely known, but last weekend there was an election with a new system for reporting protocols from electoral commissions etc., and it appears to be quite a huge swindle, since it was made in three months before the elections and failed as fuck. In the end, some of the votes needed to be counted in Excel.
Feel free to ask about details, because I'm from Poland and haven't found any sufficient article about it.
Based on a cursory analysis of the executable file and application development can be concluded that the performance of the Election Calculator entrusted single Studénka, probably working for external contractors. Ms. Agnieszka, I really sympathize, we are with you!
Poland is a country in which the fate of thousands of members of the committee rests on the shoulders of the novice programmer.
Based on a cursory analysis of the executable and application development, it's clear that the act of writing the Election Calculator was entrusted to a single (female) student, who was probably working for external contractors. Ms. Agnieszka, we really sympathize, we are with you!
Poland is a country in which the fate of thousands of committee members rests on the shoulders of a novice (female) programmer.
The fact that the programmer is female is mentioned implicitly - the female version of the “programmer” pronoun is used, the fact is not really stated anywhere.
So it should not be taken as „the shoulders of a novice, female programmer” (in which the fact that she is female is stated explicitly and could be used to further put down the person's programming abilities) but as „the shoulders of a novice programmer”.
Well, that's the thing about the Polish tongue (and many others too). Every single word does have a gender and you can't run away from it - in theory, masculine could represent gender-neutral meaning, but it would be very awkward to say (in Polish) "student" in one sentence and "Agnieszka" (Agnes) in the next one.
I don't find any emphasis on the sex of the person in question in the Polish text. It's only about experience and skill of the poor soul. Translations are hard because cultural context.
Did you miss the "Pani Agnieszko, naprawdę współczujemy, jesteśmy z panią!" ("Ms. Agnes, we're really sorry too, we're here for you") (that's a terrible translation, but oh well) part? There's absolutely no ambiguity here.
There is no way to avoid that in the Polish language, as someone else pointed out already. Nouns and sometimes even verbs or adjectives have gender, and you need to use either the male form or female form according to the situation.
It is probably worth noting that "female" is really a parenthetical. Source is simply using the appropriate Polish word (which is gendered). The translation could be read as implying that the person's gender has anything to do with the issues they've had, but source's wording doesn't really imply that. (They may have in fact wanted to imply that; but we can't determine that from the wording.)
To be fair it's a voting system, i.e. a program whose main function is to count, and unless the definition of "novice" these days is not what it used to be, it should be well within the ability of a "novice" programmer to write one.
Given the potential impact of the results, and the incentives in place for the final tally to be something other than the correct sum, the problem is not quite as simple as counting your sheep.
Think of it more like counting your sheep as lean and hungry gentlemen shout random numbers in your ear, dump disguised goats into your flock, continually jog your elbow if you try to write anything down, and toss sheep over the fences in both directions.
And then, just for fun, they stab you in a kidney and take your wallet.
The hard part is not the counting. It's dealing with the potential attacks and still being able to verify precise and accurate results.
Assuming that r contains XML and this.hardErrors[i] is already escaped for XML safety, that is probably what you'd expect to see a code-generated XML generator doing, as well as hand-generated XML (if generating text directly and not an intermediate abstract representation of the XML).
In a few words - the whole Polish voting system is dead now and the votes are counted by people. What is more interesting: one company entered the tender for the software and of course won it - random case? I don't think so.. Greets from Poland :)
I like to believe it was the only company crazy (or inexperienced) enough to participate in a project of this scale on such a short notice. Which would be a sign of maturity of the Polish IT sector.
I'm still amazed that in the century of the Internet people still write stuff like that as a desktop app. Not to mention it was waaaaaay too late to do it in the first place (they picked the company to implement it in August 2014).
The government messed up the public procurement. They wanted to have the system done in a very short time (one month?). Only one company submitted an offer.
It is amazing that I knew your comment was sarcastic. But, a computer parsing this sentence would never be able to tell. This is a reason that humans are special :)
A computer programmed to deal with sarcasm would contrast this statement with (local) popular opinion and deduce from the large contrast between the certitude of the statement and the popular opinion that this statement is either sarcasm or obliviousness. I think exactly as humans do. It's not that sarcasm is hard to detect for computers, it's just that it's hard for computers to collect enough contextual information to judge the validity of any statement.
WordPress (and PHP) are not bad things. They are things that have been designed for very specific purposes, and they actually excel at those things. Both are extremely easy to get up and running. They can run practically anywhere etc.
There are entire languages written with the design goal being security. It's not a matter of whether or not something is a capable tool (ie: runs 23% of the internet), it's whether or not it's the right tool for the job. PHP clearly isn't.
I don't think an application written in PHP makes it inherently insecure. Maybe if you're talking about some 2004-style PHP with magicquotes and register globals enabled, but not in 2014 with a modern stack/framework. You could write a shitty ruby app just as easily as you can write a shitty php app.
Writing your code in PHP, no matter how good of a programmer you are, makes it more likely that your natural level of mistakes will insert security issues into the code, especially when compared to a language with even basic features like static typing. I'm not saying this as some idiot who thinks PHP is bullshit and for noobs, I've worked on pretty large sites using PHP and I have a pretty deep understanding of it.
Everyone likes to say security is mission critical, but for the vast majority of people it really isn't. And for those people the development speed advantage, massive developer market, libraries etc. you get working in Ruby or PHP are well worth it.
Everything is tradeoffs, and it seems to me that in writing voting software deployability, development speed etc., are not nearly as mission critical as security.
> Writing your code in PHP, no matter how good of a programmer you are, makes it more likely that your natural level of mistakes will insert security issues into the code
While I'm inclined to agree, this is a self-defeating premise. If you're "so good" of a programmer that you do not make security affecting mistakes (i.e. one of only a handful of PHP programmers I've met), then the probability of inserting "security issues" into your code is still zero, regardless of language.
> I'm not saying this as some idiot who thinks PHP is bullshit and for noobs, I've worked on pretty large sites using PHP and I have a pretty deep understanding of it.
I literally have no idea what you mean by this. Are you trying to imply there are people who write bug free code? If so please point me in their direction.
People make mistakes. Systems should be designed for this expectation. If mistakes are extremely costly it implies you should use certain tools and development methodologies, if not you can use others.
Code that is bug-free and code that is free of security-affecting bugs are not the same thing.
For an example of an application that is currently free of application-layer security bugs, see my blog. It's not a CMS, I wrote it myself. Go ahead and try to hack it. :P
Familiarity. I know its quirks inside out and therefore know which mistakes not to do. If you point me to Python and say "build a secure web app," I'm going to need to spend a lot of time researching.
According to the media, PHP is used server-side (the system was written using CakePHP). This is the decompiled client app that is used by electoral commissions (the one that is hardly working at the moment).
Haven't we all frowned upon picking on females in tech industry just yesterday?! It is NOT okay to wildly imply that the author of this code is of certain age and gender.
EDIT: it was shown by the comment below that it was actually written by someone with a popular Polish female name. I was shaken by the article yesterday and thus oversensitive. Sorry about that.
- the binary has strings like `C:\Users\Agnieszka\...\Visual Studio 2013\Projects\Kalkulator1`. Agnieszka is a female Polish name -> the programmer is female. Although nobody really is using this as a discussion point anywhere, but hey, the fact is there if it's interesting to you.
- the code logic and layout is pretty convoluted and looks duct taped together, even considering it's decompiled from binary form -> the author is probably young and inexperienced, and/or this was extremely rushed.
Also, I'm not really sure where anyone is “picking on females” here.
I'm not saying it's a goldmine of DailyWTF-worthy content - but it's still pretty bad. In general, it doesn't really follow any MVC-separation, the naming is arbitrary at best (and dictated by the IDE at worst - Kalkulator1, anyone?), and DRY principles are vastly ignored.
See, this is the kind of problem I have with feminism (and a few other things). It was just a feature of the language, exhibited heavily by most Slavic languages (which have much richer grammars than English, e.g.) and thus impacting thought process, yet it was your natural response to "defend the beaten".
If you position yourself as a victim, don't be surprised when you are treated this way.
[1] - http://zapasdlakbw.home.pl/kalkulator-wyborczy/kalkulator/
[2] - http://zaufanatrzeciastrona.pl/post/wersja-testowa-systemu-p...