
RE: Proposal for a local initiative



Lou,

I'm very happy to see that you are thinking about this.

I'd like to add some additional thoughts.  

1.  There are multiple components, processes, and interfaces to the proposed
voting system.  Most have not been identified or discussed in public, and to
my knowledge none have been assigned metrics or performance standards.  All
must be identified and quantified from a quality perspective.

2.  CVV cannot take on the responsibility to find the defects -- this takes
big bucks.  Instead, I suggest that the vendors, the certification agencies,
the Clerk and the Secretary of State be required to publish every defect
discovered and/or reported.  This would include hardware/software,
procedure, training, legislation, etc. ambiguities as well as deviations.
CVV can take on the responsibility to record and track each defect that is
reported. 

Al Kolwicz
CAMBER
303-494-1540

-----Original Message-----
From: Lou Puls [mailto:lpuls@xxxxxxxxxxxxx] 
Sent: Sunday, February 29, 2004 12:19 PM
To: cvv-discuss@xxxxxxxxxxxxxxxxx
Subject: Proposal for a local initiative

I would like to propose [for discussion and criticism and improvement by 
those far more computer-competent than me] that we (CVV) approach the 
Boulder County Clerk with the following offer to help assure the 
Trustworthiness of the InterCivic voting system under negotiation:

(1)    The InterCivic Microsoft Operating System(s) will be verified to 
our satisfaction with respect to installed and working patches 
for: [using e.g. Retina tools from eEye Digital Security or their open 
source equivalent]

(a) MyDoom Scanner to determine any infection by the recent MyDoom email
virus or its variants.

(b) Messenger Service Vulnerability Scanner to determine any vulnerabilities
to the recent Microsoft Windows Messenger Service flaw.

(c) RPC DCOM Scanner to determine any vulnerabilities to the two recent
Microsoft Windows RPC DCOM flaws.

(d) Sapphire SQL Worm Scanner to determine any vulnerabilities to the
Microsoft SQL buffer overflow vulnerability that the recent Sapphire Worm
uses to propagate.

(e) Spida/Digispid.B.Worm SQL Worm Scanner to determine any vulnerabilities
to the recent SQL worms.

(f) Nimda Scanner to determine any vulnerabilities to the "Nimda Worm".

(g) CodeRed Scanner to determine any vulnerabilities to the .ida "Code Red"
attack.

(h) nmapNT sp1, a Windows port of the most popular network scanning tool to
date, nmap, which to date only ran under Unix, has a superior ability to map
out and scan remote networks.

(i) LibnetNT from eEye Digital Security, a Windows NT port of the very
popular Libnet package, which allows for easy creation and manipulation of
low-level network packets [for testing].


(2)	InterCivic should commit to install Microsoft patches, when
available, for the following eEye vulnerability notifications
[as of 29 Feb 04] and to verify such to CVV satisfaction: [eEye
believes 30 days is a reasonable time period for Microsoft to
address a vulnerability after notification]

(a)	EEYEB-20030910-A 
	112 Days Overdue
	Vendor: Microsoft
	Severity: High
	Date Reported: September 10, 2003
	Estimated Number of Vulnerable Machines: 300 Million*
	Days Since Initial Report: 172  

(b)	EEYEB-20030910-B 
	112 Days Overdue
	Vendor: Microsoft
	Severity: High
	Date Reported: September 10, 2003
	Estimated Number of Vulnerable Machines: 300 Million*
	Days Since Initial Report: 172  

(c)	EEYEB-20031007 
	85 Days Overdue
	Vendor: Microsoft
	Severity: Low
	Date Reported: October 7, 2003
	Estimated Number of Vulnerable Machines: 91 Million*
	Days Since Initial Report: 145  

(d)	EEYEB-20031008 
	84 Days Overdue
	Vendor: Microsoft
	Severity: High
	Date Reported: October 8, 2003
	Estimated Number of Vulnerable Machines: 248 Million*
	Days Since Initial Report: 144  

(e)	EEYEB-20031117 
	44 Days Overdue
	Vendor: Microsoft
	Severity: Medium
	Date Reported: November 17, 2003
	Estimated Number of Vulnerable Machines: 300 Million*
	Days Since Initial Report: 104  

(f)	EEYEB-20031121 
	40 Days Overdue
	Vendor: Microsoft
	Severity: Medium
	Date Reported: November 21, 2003
	Estimated Number of Vulnerable Machines: 196 Million*
	Days Since Initial Report: 100  

(g)	EEYEB-20040209 
	0 Days Overdue
	Vendor: Microsoft
	Severity: Medium
	Date Reported: February 9, 2004
	Estimated Number of Vulnerable Machines: 196 Million*
	Days Since Initial Report: 20  


If the preceding reasonable and minimally network-responsible steps are not
agreed to and carried out with sufficient dispatch, CVV will proceed, with
the cooperation of the Boulder ACLU, to obtain compliance by court order.



Lou
-- 
"Corporations have been enthroned, an era of corruption in high places
will follow, and the money-power of the country will endeavor to
prolong its reign by working upon the prejudices of the people until
the wealth is aggregated in a few hands and the Republic is destroyed."

     -Abraham Lincoln, quoted in Jack London's "The Iron Heel"
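Added example, not part of either message: a small Python checker that parses eEye advisory entries in the layout quoted above and recomputes the "Days Since Initial Report" and "Days Overdue" figures as of 29 Feb 04. The listed figures only reproduce with a 60-day window (172 days since report minus 112 overdue), not the 30 days mentioned in the message, so the window is a parameter and the checker flags entries whose figures do not match; the two entries embedded below are constructed sample input copied from the list.

```python
import re
from datetime import date, datetime
# Constructed sample: two of the eEye entries quoted in Lou's message,
# reproduced in the same layout as the original list.
ADVISORY_LIST = """\
(a)\tEEYEB-20030910-A
\t112 Days Overdue
\tVendor: Microsoft
\tSeverity: High
\tDate Reported: September 10, 2003
\tEstimated Number of Vulnerable Machines: 300 Million*
\tDays Since Initial Report: 172

(g)\tEEYEB-20040209
\t0 Days Overdue
\tVendor: Microsoft
\tSeverity: Medium
\tDate Reported: February 9, 2004
\tEstimated Number of Vulnerable Machines: 196 Million*
\tDays Since Initial Report: 20
"""
AS_OF = date(2004, 2, 29)  # the "as of 29 Feb 04" snapshot date in the message
GRACE_DAYS = 60            # window implied by the listed figures (172 - 112)
ENTRY_RE = re.compile(
    r"(EEYEB-[\w-]+)\s+(\d+) Days Overdue.*?Severity: (\w+)"
    r".*?Date Reported: ([^\n]+).*?Days Since Initial Report: (\d+)", re.S)

def parse_advisories(text):
    """Parse each advisory block in the eEye layout into a dict."""
    return [{
        "id": m.group(1),
        "listed_overdue": int(m.group(2)),
        "severity": m.group(3),
        "reported": datetime.strptime(m.group(4).strip(), "%B %d, %Y").date(),
        "listed_since": int(m.group(5)),
    } for m in ENTRY_RE.finditer(text)]

def days_status(reported, as_of=AS_OF, grace=GRACE_DAYS):
    """Days elapsed since the report, and how far past the grace window it is."""
    since = (as_of - reported).days
    return since, max(0, since - grace)

def check_listing(text, as_of=AS_OF, grace=GRACE_DAYS):
    """Recompute each entry's figures; True when they agree with the listed ones."""
    result = {}
    for e in parse_advisories(text):
        since, overdue = days_status(e["reported"], as_of, grace)
        ok = (since, overdue) == (e["listed_since"], e["listed_overdue"])
        result[e["id"]] = (since, overdue, ok)
    return result
```

Running check_listing(ADVISORY_LIST) with the default 60-day window reproduces both entries' figures; passing grace=30 shows the 30-day claim does not.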