
Proposal for a local initiative



I would like to propose [for discussion and criticism and improvement by those far more computer-competent than me] that we (CVV) approach the Boulder County Clerk with the following offer to help assure the Trustworthiness of the InterCivic voting system under negotiation:

(1) The InterCivic Microsoft Operating System(s) will be verified to our satisfaction with respect to installed and working patches for: [using e.g. Retina tools from eEye Digital Security or their open source equivalent]

(a) MyDoom Scanner to determine any infection by the recent MyDoom email virus or its variants.

(b) Messenger Service Vulnerability Scanner to determine any vulnerabilities to the recent Microsoft Windows Messenger Service flaw.

(c) RPC DCOM Scanner to determine any vulnerabilities to the two recent Microsoft Windows RPC DCOM flaws.

(d) Sapphire SQL Worm Scanner to determine any vulnerabilities to the Microsoft SQL buffer overflow vulnerability that the recent Sapphire Worm uses to propagate.

(e) Spida/Digispid.B.Worm SQL Worm Scanner to determine any vulnerabilities to the recent SQL worms.

(f) Nimda Scanner to determine any vulnerabilities to the "Nimda Worm".

(g) CodeRed Scanner to determine any vulnerabilities to the .ida "Code Red" attack.

(h) nmapNT sp1, a Windows port of the most popular network scanning tool to date, nmap, which to date only ran under Unix, has a superior ability to map out and scan remote networks.

(i) LibnetNT from eEye Digital Security, a Windows NT port of the very popular Libnet package, which allows for easy creation and manipulation of low-level network packets [for testing].


(2) InterCivic should commit to install Microsoft patches, when available, for the following eEye vulnerability notifications [as of 29 Feb 04] and to verify such to CVV satisfaction: [eEye believes 30 days is a reasonable time period for Microsoft to address a vulnerability after notification]


(a) EEYEB-20030910-A 112 Days Overdue
Vendor: Microsoft
Severity: High
Date Reported: September 10, 2003
Estimated Number of Vulnerable Machines: 300 Million*
Days Since Initial Report: 172


(b) EEYEB-20030910-B 112 Days Overdue
Vendor: Microsoft
Severity: High
Date Reported: September 10, 2003
Estimated Number of Vulnerable Machines: 300 Million*
Days Since Initial Report: 172


(c) EEYEB-20031007 85 Days Overdue
Vendor: Microsoft
Severity: Low
Date Reported: October 7, 2003
Estimated Number of Vulnerable Machines: 91 Million*
Days Since Initial Report: 145


(d) EEYEB-20031008 84 Days Overdue
Vendor: Microsoft
Severity: High
Date Reported: October 8, 2003
Estimated Number of Vulnerable Machines: 248 Million*
Days Since Initial Report: 144


(e) EEYEB-20031117 44 Days Overdue
Vendor: Microsoft
Severity: Medium
Date Reported: November 17, 2003
Estimated Number of Vulnerable Machines: 300 Million*
Days Since Initial Report: 104


(f) EEYEB-20031121 40 Days Overdue
Vendor: Microsoft
Severity: Medium
Date Reported: November 21, 2003
Estimated Number of Vulnerable Machines: 196 Million*
Days Since Initial Report: 100


(g) EEYEB-20040209 0 Days Overdue
Vendor: Microsoft
Severity: Medium
Date Reported: February 9, 2004
Estimated Number of Vulnerable Machines: 196 Million*
Days Since Initial Report: 20



If the preceding reasonable and minimally network-responsible steps are not agreed to and carried out with sufficient dispatch, CVV will proceed, with the cooperation of the Boulder ACLU, to obtain compliance by court order.




Lou
--
"Corporations have been enthroned, an era of corruption in high places
will follow, and the money-power of the country will endeavor to
prolong its reign by working upon the prejudices of the people until
the wealth is aggregated in a few hands and the Republic is destroyed."

-Abraham Lincoln, quoted in Jack London's "The Iron Heel"