Re: Is Open Source Enough?

From: Arthur Keller <voting_at_kellers_dot_org>
Date: Thu Sep 06 2007 - 18:57:29 CDT

At 11:05 PM -0700 9/4/07, Brian Behlendorf wrote:
>On Mon, 3 Sep 2007, Arthur Keller wrote:
>> 4. If we are to go through the trouble of replacing old electronic
>> voting systems with new electronic voting systems run on open source,
>> unless the new systems are designed to be secure based on a threat
>> analysis model, the new systems may still have security
>> vulnerabilities.
>This isn't stated strongly enough. I don't know who said it first, but it's
>been said that for any given software package, the last defect is fixed when
>the last user is deceased. There is no provably secure software out there,
>only software whose security defects have not yet been found. Even the most
>security-minded open source projects, like OpenBSD and OpenSSH, occasionally
>have security defects and issue patches, and often vulnerabilities are known
>about and shared amongst black-hat groups before they're publicly known and
>corrected. We should take it *as a given* that all software has defects, that
>any system might be compromisable. That's back to my reasoning that it's the
>process, not the software, that should create trust in the system.

So should we be considering threat models and alternative
architectures? Should we be doing threat analysis on Open Voting
Solutions' software? Or is the fact that Open Voting Solutions'
software is open source enough to give us confidence that it is a
secure and reliable system merely awaiting a (known-to-be flawed)
certification process?

My own suggestion is to proceed with certification of OVS' system
while we develop threat models and new architectures that vendors
(particularly OVS) can adopt. Adoption of OVS would be a good thing
but the job of ensuring security and reliability would not yet be
done at that point. For example, has anyone on this list who does
not work for OVS actually reviewed the OVS code? I'd like to hear on
this list from someone who has, because it says something about the
viability of the public review of software model. (Of course, the
fact that the software is not certified and that no one is using
systems from this undercapitalized vendor would tend to reduce the
number of code lookers, compared with the number that voluntarily
inspected the inadvertently released Diebold software.)

Some on this list have advocated open test environments. How do we get there?


Best regards,

Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA  94303-4507
tel +1(650)424-0202, fax +1(650)424-0424