Re: Sequoia Test Group

From: <SomeThoughts_at_aol_dot_com>
Date: Mon Jun 12 2006 - 16:12:30 CDT writes:

> 1. Is your note an invitation to submit a request to join the red team, or
> to submit a request to join a group attempting to supervise the red team?

JIM: (as Arthur said): it's an invitation to join a discussion group of
activists who will try to develop a collective position on what to
recommend that Alameda County should do.  One of the things the group
may do is to recommend who should be on the red team.

> 2. Assuming the former, what are the conditions on the red team's efforts?
> a. Are team members subject to any NDAs?

That's one of the things that would have to be worked out.

> b. Does Sequoia provide all system source code, build scripts and software,
> etc., such that team members can build the entire system from source and
> compare it to what's preloaded in the machines?

No, but we have access on the internet to an earlier version
of the tabulator software.

> c. Does Sequoia give the team any tech support?
> d. Ditto (b) for firmware?

Probably not. They would not provide support to real hackers...
unless it's an inside job.

> e. Are team members allowed to disassemble the hardware to analyze the
> firmware, check for communications devices (e.g., BPL, wireless, optical...),
> etc.?

That would not be my understanding, but we may go back and ask.

> f. How much time has the county given the team to conduct its analysis and
> write its report?
> g. Have the county, Sequoia, et al, declared any form of investigation or
> criticism "off limits"?

Needs to be worked out, which is why we need to talk about what
we want ahead of time.

> h. Have the county, Sequoia, et al, committed, in writing, to making public
> the entire report promptly following its completion?

Even the RoV was opposed to any publication of a report. That's
unacceptable, but we could agree to a somewhat redacted report.
Again, we need to work out ahead of time what the rules will be.

I am a software engineer with a background in AI, not security,
yet I understand enough to know what's going on, or when to
ask questions.

I am also a leader in the VRTF, the activist group that made this
happen, and have access to the supervisors and the RoV. The
supes basically overruled the acting RoV, who is also the county's
CIO. We have to assume that he's going to be defending
Sequoia's interests, but I think we can get good things done if
we are smart about it, above all, politically. This is a chess game,
and I introduced the ideas of red team testing and source code
review on March 13. I was surprised that they went for the testing
idea, but delighted, and it caught Sequoia by surprise. We need
to stay ahead of them, which is why I am asking for assistance.

On March 21, I also proposed that the county build its own open
source system, in conjunction with other counties. That idea hasn't
taken yet, but if Sequoia flunks badly, we can bring the proposal
up again. (Thanks to Arthur for his assistance on that proposal).

Jim Soper

510 258 4857

OVC-discuss mailing list

= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Fri Jun 30 23:17:05 2006
