
RE: Proposal for a local initiative



How do you reconcile patching with certification?

I.e., certification is (supposed to be) issued upon completion of a suite of
tests by a fixed, identified configuration of hardware and software; one
intention is that the exact configuration, bit for bit and chip for chip,
can be replicated to repeat any test, or address the configuration with a
new test that may arise out of questionable performance in use.

So any alteration, including a vendor-supplied security patch, jeopardizes
the validity of the certification.  Furthermore, the protocol and hygiene of
vendor-directed patching breaks the seal, and creates a channel, for
malicious changes.  Who watches the patchers?  Who vets the patch contents?

Which is better, an untested, varying, security-updated configuration, or a
tested, stable, unpatched configuration?

My own preference would be not to have any such complexity at all.  There is
no excuse, no valid need, for an "operating system" at all in an embedded
application that need only read a screen and singulate voters; particularly
if it is a non-recording, non-counting touch-screen user interface that
transfers a ballot directly to print and then forgets it!

--
Pete Klammer / ACM(1970), IEEE, ICCP(CCP), NSPE(PE), NACSE(NSNE)
    3200 Routt Street / Wheat Ridge, Colorado 80033-5452
  (303)233-9485 / Fax:(303)274-6182 / Mailto:PKlammer@xxxxxxx
 Idealism may not win every contest, but that's not what I choose it for!


> -----Original Message-----
> From: Lou Puls [mailto:lpuls@xxxxxxxxxxxxx] 
> Sent: Sunday, February 29, 2004 12:19 PM
> To: cvv-discuss@xxxxxxxxxxxxxxxxx
> Subject: Proposal for a local initiative
> 
> 
> I would like to propose [for discussion and criticism and improvement by
> those far more computer-competent than me] that we (CVV) approach the
> Boulder County Clerk with the following offer to help assure the
> Trustworthiness of the InterCivic voting system under negotiation:
> 
> (1)    The InterCivic Microsoft Operating System(s) will be verified to
> our satisfaction with respect to installed and working patches
> for: [using e.g. Retina tools from eEye Digital Security or their open
> source equivalent]
> 
> (a) MyDoom Scanner to determine any infection by the recent 
> MyDoom email virus or its variants.
> 
> (b) Messenger Service Vulnerability Scanner to determine any 
> vulnerabilities to the recent Microsoft Windows Messenger 
> Service flaw.
> 
> (c) RPC DCOM Scanner to determine any vulnerabilities to the 
> two recent Microsoft Windows RPC DCOM flaws.
> 
> (d) Sapphire SQL Worm Scanner to determine any 
> vulnerabilities to the Microsoft SQL buffer overflow 
> vulnerability that the recent Sapphire Worm uses to propagate.
> 
> (e) Spida/Digispid.B.Worm SQL Worm Scanner to determine any 
> vulnerabilities to the recent SQL worms.
> 
> (f) Nimda Scanner to determine any vulnerabilities to the 
> "Nimda Worm".
> 
> (g) CodeRed Scanner to determine any vulnerabilities to the 
> .ida "Code Red" attack.
> 
> (h) nmapNT sp1, a Windows port of the most popular network 
> scanning tool to date, nmap, which to date only ran under 
> Unix, has a superior ability to map out and scan remote networks. 
> 
> (i) LibnetNT from eEye Digital Security, a Windows NT port of 
> the very popular Libnet package, which allows for easy 
> creation and manipulation of low-level network packets [for testing].
> 
> 
> (2)	InterCivic should commit to install Microsoft patches, when
> available, for the following eEye vulnerability notifications [as of
> 29 Feb 04] and to verify such to CVV satisfaction: [eEye believes 30
> days is a reasonable time period for Microsoft to address a
> vulnerability after notification]
> 
> (a)	EEYEB-20030910-A 
> 	112 Days Overdue
> 	Vendor: Microsoft
> 	Severity: High
> 	Date Reported: September 10, 2003
> 	Estimated Number of Vulnerable Machines: 300 Million*
> 	Days Since Initial Report: 172  
> 
> (b)	EEYEB-20030910-B 
> 	112 Days Overdue
> 	Vendor: Microsoft
> 	Severity: High
> 	Date Reported: September 10, 2003
> 	Estimated Number of Vulnerable Machines: 300 Million*
> 	Days Since Initial Report: 172  
> 
> (c)	EEYEB-20031007 
> 	85 Days Overdue
> 	Vendor: Microsoft
> 	Severity: Low
> 	Date Reported: October 7, 2003
> 	Estimated Number of Vulnerable Machines: 91 Million*
> 	Days Since Initial Report: 145  
> 
> (d)	EEYEB-20031008 
> 	84 Days Overdue
> 	Vendor: Microsoft
> 	Severity: High
> 	Date Reported: October 8, 2003
> 	Estimated Number of Vulnerable Machines: 248 Million*
> 	Days Since Initial Report: 144  
> 
> (e)	EEYEB-20031117 
> 	44 Days Overdue
> 	Vendor: Microsoft
> 	Severity: Medium
> 	Date Reported: November 17, 2003
> 	Estimated Number of Vulnerable Machines: 300 Million*
> 	Days Since Initial Report: 104  
> 
> (f)	EEYEB-20031121 
> 	40 Days Overdue
> 	Vendor: Microsoft
> 	Severity: Medium
> 	Date Reported: November 21, 2003
> 	Estimated Number of Vulnerable Machines: 196 Million*
> 	Days Since Initial Report: 100  
> 
> (g)	EEYEB-20040209
> 	0 Days Overdue
> 	Vendor: Microsoft
> 	Severity: Medium
> 	Date Reported: February 9, 2004
> 	Estimated Number of Vulnerable Machines: 196 Million*
> 	Days Since Initial Report: 20  
> 
> 
> If the preceding reasonable and minimally network-responsible 
> steps are not agreed to and carried out with sufficient 
> dispatch, CVV will proceed, with the cooperation of the 
> Boulder ACLU, to obtain compliance by court order.
> 
> 
> 
> Lou
> -- 
> "Corporations have been enthroned, an era of corruption in high places
> will follow, and the money-power of the country will endeavor to
> prolong its reign by working upon the prejudices of the people until
> the wealth is aggregated in a few hands and the Republic is 
> destroyed."
> 
>      -Abraham Lincoln, quoted in Jack London's "The Iron Heel"
> 
>