Thursday, October 05, 2006

Voting software security

Bruce Schneier has something to say about a Los Angeles election official who defended the choice of secret, proprietary voting software:

What she should be saying is something like: "I think it's odd that everyone who has any expertise in computer security doesn't want the software to be proprietary. Speaking as someone who knows nothing about computer security, I think that secrecy is an asset." That's a more realistic quote.

The use of secret, proprietary security products is something that makes security experts either laugh or cry: laugh, because it is such a foolish thing to do, and cry, because it invariably ends up making the security weaker rather than stronger. Secret security products are almost always snake oil, or worse.

It is like this: which would you rather trust, a public lock made to a standard, one that any locksmith can inspect at will? Or a secret lock, made by a single company that tells you it is secure, but won't let anybody independent inspect it?

In the first case, the security of the lock depends on the properties of the lock itself. It must be secure, even if people know how it works. But in the second case, the proprietary, secret lock works only if people don't know how it works. Once the bad guys discover its secrets, and they will, they can crack it with impunity, and nobody will know.

Of course the analogy with locks is not perfect -- ordinary locks are very simple to pick. They are more of a deterrent to casual thieves than a really secure system. But the principle holds: inherent security beats secret security every time. If you really want to protect something, you protect it with something that doesn't lose its power when people know how it works.
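The "public lock" versus "secret lock" contrast is Kerckhoffs's principle, and it can be shown in code. The example below is added here and is not from the original post or from any real voting product: it compares a hypothetical vendor integrity tag whose only protection is that nobody is supposed to know how it is computed (the "secret lock") with a keyed HMAC-SHA256 tag whose algorithm is fully public and whose security rests only on the key (the "public lock"). The tally record, vendor salt and key are constructed sample values.

```python
import hmac
import hashlib
import secrets

# Constructed sample tally record, the kind of thing a voting system would
# attach an integrity tag to before it leaves the precinct.
RECORD = b"precinct=12;candidate_a=412;candidate_b=388"
TAMPERED = b"precinct=12;candidate_a=388;candidate_b=412"


def obscure_tag(record: bytes) -> str:
    """The 'secret lock': a hypothetical unkeyed transform. Its only defence is
    that the salt and the construction are supposed to stay secret."""
    digest = hashlib.sha256(b"constructed-vendor-salt" + record).digest()
    return digest[:8].hex()


def verify_obscure(record: bytes, tag: str) -> bool:
    return hmac.compare_digest(obscure_tag(record), tag)


def keyed_tag(record: bytes, key: bytes) -> str:
    """The 'public lock': HMAC-SHA256. The algorithm is published and can be
    inspected by anyone; only the key is secret."""
    return hmac.new(key, record, hashlib.sha256).hexdigest()


def verify_keyed(record: bytes, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(keyed_tag(record, key), tag)


def forgery_succeeds_obscure(tampered: bytes) -> bool:
    """Once the secret transform is known (leaked, reverse engineered), anyone
    can compute a tag that verifies for a modified record. The verifier has no
    way to tell the forged tag from a genuine one."""
    forged = obscure_tag(tampered)
    return verify_obscure(tampered, forged)


def forgery_succeeds_keyed(tampered: bytes, real_key: bytes) -> bool:
    """Full knowledge of HMAC does not help without the key: the best an
    outsider can do is guess one, and the verifier rejects the result."""
    guessed_key = secrets.token_bytes(32)  # constructed guess, not the real key
    forged = keyed_tag(tampered, guessed_key)
    return verify_keyed(tampered, forged, real_key)


def demonstrate() -> dict:
    """Return the outcome of both designs so the contrast can be checked."""
    key = b"constructed-32-byte-election-key"  # sample key for this demo
    return {
        "obscure_accepts_genuine": verify_obscure(RECORD, obscure_tag(RECORD)),
        "obscure_accepts_forgery": forgery_succeeds_obscure(TAMPERED),
        "keyed_accepts_genuine": verify_keyed(RECORD, keyed_tag(RECORD, key), key),
        "keyed_accepts_forgery": forgery_succeeds_keyed(TAMPERED, key),
        # A genuine tag copied onto a tampered record must also fail.
        "keyed_accepts_moved_tag": verify_keyed(TAMPERED, keyed_tag(RECORD, key), key),
    }


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {outcome}")
```

The point of the contrast is who can audit it: the HMAC scheme can be published, read by any independent reviewer, and still hold, because losing the design costs nothing. The obscure scheme is only as strong as the secrecy of its source, which is exactly the property a vendor cannot guarantee once the software ships.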
