[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Subject: RE: Proposal for a local initiative

To: cvv-discuss@xxxxxxxxxxxxxxxxx, editor@xxxxxxxxxxxx, JosieHeath@xxxxxxx, repmaddenhd10@xxxxxxxxxxxxx, worlock@xxxxxxxxxxxxxx
Subject: Subject: RE: Proposal for a local initiative
From: Lou Puls <lpuls@xxxxxxxxxxxxx>
Date: Fri, 05 Mar 2004 13:30:40 -0700
Delivered-to: mailing list cvv-discuss@coloradovoter.net
List-help: <mailto:cvv-discuss-help@coloradovoter.net>
List-post: <mailto:cvv-discuss@coloradovoter.net>
List-subscribe: <mailto:cvv-discuss-subscribe@coloradovoter.net>
List-unsubscribe: <mailto:cvv-discuss-unsubscribe@coloradovoter.net>
Mailing-list: contact cvv-discuss-help@coloradovoter.net; run by ezmlm
Organization: Museion
Reply-to: lpuls@xxxxxxxxxxxxx
User-agent: Mozilla/5.0 (Macintosh; U; PPC; en-US; rv:1.2.1) Gecko/20021130

"alkolwicz" <alkolwicz@xxxxxxxxx> Sun, 29 Feb wrote:

>> CVV cannot take on the responsibility to find the defects -- this takes big bucks... <<

All of the OS defects/vulnerabilities that I listed have already been found - they are known, indexed, publicized and admitted. It is minimal system management to patch them, and it should be minimal contract performance by Hart/InterCivic to prove before certification that for all known defects there exist issued patches, and only then sign off that all issued patches have been installed and can be verified and tested by the State certification process. The verification by CVV would not be a discovery, identification, reporting, or testing function - but rather simply to demand the proof of patch existence for each known defect before the application for certification.

"Pete Klammer" <pklammer@xxxxxxxxxxx> Sun, 29 Feb 2004 wrote:

>> How do you reconcile patching with certification? <<

This is the crux of Hart/InterCivic's problem as the vendor of a (presumably) well-intentioned system based on a fundamentally flawed and interminably patched OS: it can NEVER be certified in a reasonable (or even finite) time span. If the SOS and County election people try to claim the system is certified or certifiable, they must prove all known defects are patchable. At the moment this is impossible, because Microsoft has not caught up with issuing patches (never has, IMHO never will). The only alternative becomes a verifiable paper ballot of record, which will probably only be brought about by court order, via the ACLU with an air-tight case.

>> So any alteration, including a vendor-supplied security patch, jeopardizes the validity of the certification. Furthermore, the protocol and hygiene of vendor-directed patching breaks the seal, and creates a channel, for malicious changes. Who watches the patchers? Who vets the patch contents? <<

CVV would not watch anyone nor vet anything - CVV simply demands proof BEFORE any consideration of certification that every known defect XXX-XX-X has an available patch YYY-YY-Y. The OS will always lack a vital patch, the vendor can never prove the non-existent patch has been installed, any certification claimed is invalid and must await the final patch of the last known vulnerability. The vendors, whether M$ or InterCivic, cannot meet the burden of proof that the system has been or can be certified. As I understand it, M$ System 2003 is already scheduled for unsupported obsolescence and will never be fully patched. InterCivic's black box is doomed NEVER to be certifiable by any trustworthy process.

Lou

-----Original Message-----
From: Lou Puls [mailto:lpuls@xxxxxxxxxxxxx]
Sent: Sunday, February 29, 2004 12:19 PM
To: cvv-discuss@xxxxxxxxxxxxxxxxx
Subject: Proposal for a local initiative

Prev by Date: Re: Plan Boulder's letter to Commissioners
Next by Date: Avoiding Another Florida Fiasco
Previous by thread: Re: HB 1227 - URGENT
Next by thread: Avoiding Another Florida Fiasco
Index(es):
- Date
- Thread