Re: Glossary from NIST/EAC

From: Charlie Strauss <cems_at_earthlink_dot_net>
Date: Thu Apr 07 2005 - 10:05:39 CDT

Terms that I've found difficult to encapsulate but that have come up
over and over again in conversations with voting officials are the
concepts that could use some helper terminology.

1) that with regard to intentional hacking, that when software for use
in a non-networked voting terminal is being developed on a computer
connected to the internet that the software is prone at that moment.
The concept is considered similar to either the chain of custody rules
for evidence or the poison-tree rule for evidence integrity. One
distinction is that many of the risks inherent in software hacking are
present just as if the terminal were on the internet. Yet not all risks
are present. People can't remotely interrogate the machine during the
voting process, for example.

The reason this is needed is because the head of the NASED and the Head
of NAS have said point blank that the software in voting machines that
are not connected to the internet cannot possibly be hacked.

2) the subtle distinction between binary and source code and validating
the binary is the right one. Since, usually, some part of the computer
has to be trusted to do this (the OS, or the BIOS for example) this
topic becomes entangled with the fact that software resides in many
parts of the machine including video cards and disk controllers.

3) the blurry line between data files and software. Often it is said
that the software is not changed but the configuration files were. Yet
sometimes configuration files are scripts. Sometimes font files
contain programs. Sometimes peripheral drivers are not considered the
application software.

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Sat Apr 30 23:17:03 2005
