Re: vendors vowing to cooperate with disclosure?

From: Alan Dechert
Date: Sun Apr 22 2007 - 15:46:40 CDT

Joe Hall wrote,

> ..... I think both
> AB852 and disclosure text from Feinstein's bill deal with COTS and
> third-party software (those are two different things, of course) in a way
> that moves us in the right direction but doesn't throw the baby out with
> the bathwater. ...

That's a good point to mention that third-party is different from COTS. I
should qualify what I wrote earlier to make that clear when I wrote:

>> > ... any component the voting equipment vendor makes or modifies as
>> > part of the system under consideration, needs to be reviewed during
>> > federal and/or state certification. If they incorporate a component
>> > they did not make or alter
>> > (i.e., COTS), it is not subject to review.

The way I have it, it sounds like if they didn't make it or they did not
alter it, it must be COTS. This does not account for something like the
bootloader made by BSQUARE for the Diebold TS. We want to see the
bootloader code, or, at least any part of the bootloader code that was
modified for the TS.

After "vendor makes or modifies," I should say "or causes to be made or
modified." This was a bigger issue for AB 2097, which would have required
immediate re-certification and disclosure for existing products. The bill
was not finished and we didn't really spell out the third-party issue.

Likewise, AB 852 is not finished. This issue needs some clarification
there, so this will be done this summer. Your comments are welcome.

I don't know, but it's possible that the bootloader code is entirely generic
for the class of SH3 board the TS uses. BSQUARE may have simply licensed
the code to Diebold, in which case we could treat it as COTS. However, it's
also possible that BSQUARE customized the code for the TS. In this case,
we'd like to see at least the modifications -- and, we may need to see all
the code to understand the context of those changes.

As I mentioned, AB 852 only applies to new certifications, so this problem
is not as difficult as for AB 2097.

Alan D.

