Re: Is Open Source Enough?

From: David RR Webber (XML) <"David>
Date: Sat Sep 08 2007 - 18:48:41 CDT
Edward,
 
Are you paying?  The ridiculous existing nebulous "certification" costs $280,000 for a first pass.  This means an impossible barrier for OSS solutions in voting - unless you happen to know Bill Gates or similar in a donating mood.
 
Now you want to add something that will cost another $500,000 to that as well?
 
Good thinking - that will GUARANTEE you will never have OSS in voting systems.
 
Academics of course can invent endless reams of this stuff - theoretical threats, and more.
 
What implementers need is the ability to provide "good enough" solutions - that provide field hardened protections - and most important of all - auditability and traceability.
 
Simple, obvious, clear and sound measures.  All these are missing from existing vendor implementations - as California recently showed.  Just getting to a solution that does the basics will be a vast improvement.
 
Providing the means to catch people is a much better threat deterrent than fancy and endless "threat prevention".  Someone will always find some way into the castle - but making it easy to detect and catch them is the real and urgent need.
 
We believe we are achieving this today by using OSS and open OASIS EML public standards.
 
We need more help in implementing that base solution - and less of people moving the goal posts and inserting $500,000 impediments in the way.
 
If you had a spare $200,000 right now - we could apply that directly to paying professional development staff - rather than setting it aside to waste on esoteric "threat negation" exercises - unless of course you personally want to pay for those too?
 
I suspect not.
 
DW

"The way to be is to do" - Confucius (551-472 B.C.)


-------- Original Message --------
Subject: Re: [OVC-discuss] Is Open Source Enough?
From: "Edward Cherlin" <echerlin@gmail.com>
Date: Fri, September 07, 2007 10:34 pm
To: "Open Voting Consortium discussion list"
<ovc-discuss@listman.sonic.net>

Second the motion. I have also worked on 178B-certified software (avionics grade) for medical devices and other life-critical systems.

On 9/7/07, Fred McLain <mclain@zipcon.net> wrote:
Hi Brian,

Although this isn't directed at you personally, I've been noticing
that something is missing from OSS voting systems.  You just gave me
another opportunity to bring it up, thanks!

Yes, there is a formal "threat modeling" framework that we need to
apply to open voting - one that is seldom discussed.  I can't couch
it in the same terms you used since I don't believe that "every
possible attack vector" can be predicted by mortals.  Nonetheless
we should consider implementing NIST Common Criteria standards to our
software.  This works very well for protection of life critical
systems (think nuclear).  In addition, the DOD has some pretty tight
guidelines under DOD-178B that could be applied to relatively simple
systems (like voting), at a level A standard.  In my discussions
with others in this community, applying existing and truly strict
standards based controls seems to be an under-discussed or even
missing point.

In the interests of full disclosure, I am a founding member of OVC,
former lead developer of the same and currently working on NIST CC/
DOD-178B certifiable software.

        -Fred-

On Sep 7, 2007, at 4:48 PM, Brian Behlendorf wrote:

>
> On Thu, 6 Sep 2007, Arthur Keller wrote:
>> So should we be considering threat models and alternative architectures?
>> Should we be doing threat analysis on Open Voting Solutions' software? Or is
>> the fact that Open Voting Solutions' software is open source enough to give
>> us confidence that it is a secure and reliable system merely awaiting the
>> (known-to-be flawed) certification process?
>
> For the sake of the reputation of the OVS solution, I would assume they have
> already and are constantly thinking of new ways to subvert the system.  I
> would assume they have run Agitar or a similar input-fuzzing tool or static
> analysis tool against the software to look for exploitable memory leaks or
> logic errors.  I would assume they have a public list, as part of the
> development process, of secure coding practices (such as "never trust
> external input" and "no casts ever in C") or have a wishlist of same with a
> timeline for applying them.  But time is always a limiting factor and
> writing secure code is hard, so when holes are found none of us should be
> surprised; instead of judging the OVS software by how perfect the code is,
> the vendors deploying it should be judged by how quickly they can fix a hole
> once discovered.
>
> OVS or other vendors of open source software should also be looking for
> non-critical environments to test their solutions out - school elections?
> survey kiosks?  They should be looking for computer science professors at
> community or state schools willing to study the software as both an example
> of a voting system and for other potential holes that only a highly
> motivated and caffeinated 17 year old can find.  :)
>
> But never rely on the license on the code to have any significance prima
> facie to its security.  All it can do is unleash potential.
>
>> My own suggestion is to proceed with certification of OVS' system
>> while we develop threat models and new architectures that vendors
>> (particularly OVS) can adopt.
>
> I have not looked at the OVS software so I can't comment on its maturity,
> but if it's something that you believe is ready for production use, and
> ideally has already been used for real or semi-real elections successfully,
> then go for certification.
>
> My worry about the use of the word "threat modelling" is that it makes it
> sound like there's a formal process one can go through to articulate every
> possible attack vector, and by blocking each you then have provably secure
> software.  Or that there's a particular software architecture, or even
> language, that guarantees secure software or makes it hard to write insecure
> software.  I would wish to disabuse you of those notions; new ways to attack
> software emerge all the time, and as stated before a secure elections
> process shouldn't depend on inexploitable software anyways.
>
>> Some on this list have advocated open test environments.  How do we get
>> there?
>
> It'd be great if the certification process were transparent, so it was
> understood what was being tested.  That could even lead to the development
> of an automated test suite for some or all of the certification process,
> that could be run after any source code change to make sure the system
> remained in a certifiable state.
>
>       Brian
>
> _______________________________________________
> OVC-discuss mailing list
> OVC-discuss@listman.sonic.net
> http://lists.sonic.net/mailman/listinfo/ovc-discuss
> By sending email to the OVC-discuss list, you thereby agree to
> release the content of your posts to the Public Domain--with the
> exception of copyrighted material quoted according to fair use,
> including publicly archiving at http://gnosis.python-hosting.com/voting-project/
>

--
Edward Cherlin
Earth Treasury: End Poverty at a Profit
http://wiki.laptop.org/go/Earth_Treasury
WIRE AFRICA  http//www.wireafrica.org/
http://www.linkedin.com/in/cherlin

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Sun Sep 30 23:17:08 2007

This archive was generated by hypermail 2.1.8 : Sun Sep 30 2007 - 23:17:20 CDT