“My main concern is somebody or some group, backed by massive funding, being able to find a vulnerability to specifically NOT disclose it. “
Absolutely. Look at the amount of money that was offered to Kari Lake to drop out of politics for a couple years. She could have been a very rich woman.
That is EXACTLY why all vote machines should use open-source software. The code would be available to the public for scrutiny.
There’s the historical argument for software security though - security through transparency (open source) or security through obscurity (closed source).
I’ve seen far too many deep-rooted vulnerabilities that have been in the wild for years before somebody realized a problem. This includes widely used libraries from open source (SSL, Log4J, etc.). When I was at an RTOS company we experienced a major issue, respective to security, because of Intel hardware. This forced a massive problem for our customer base. The only solution was to use a software implementation of what was being done by hardware - but some embedded systems our customers had relied on the performance. Their choice was to have their devices fail (due to load) or be insecure - this happening to them years and years after device deployment.
I’m at the point where I just can’t trust software driven voting, open or closed source.
There’s the historical argument for software security though - security through transparency (open source) or security through obscurity (closed source).
I’ve seen far too many deep-rooted vulnerabilities that have been in the wild for years before somebody realized a problem. This includes widely used libraries from open source (SSL, Log4J, etc.). When I was at an RTOS company we experienced a major issue, respective to security, because of Intel hardware. This forced a massive problem for our customer base. The only solution was to use a software implementation of what was being done by hardware - but some embedded systems our customers had relied on the performance. Their choice was to have their devices fail (due to load) or be insecure - this happening to them years and years after device deployment.
I’m at the point where I just can’t trust software driven voting, open or closed source.