Another perspective: http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/open-source-security.html
Rob

On 10 12, 09, at 1:54 PM, Oscar Plameras wrote:

> I think it's silly to spend so much money and time to test the Election System by reviewing Source code.
>
> From my experience, end users implement acceptance testing of the system by developing a series of tests other than source code review. The main idea is to simulate scenarios of operations with input test data and pre-defining the expected results. Several scenarios are covered with the input data that's prepared.
>
> The Election system itself is a simple count and tabulate system and that is not difficult to simulate.
>
> Hardly any commercial developer will allow third parties to have source code access to their proprietary software. And in general, commercial confidence protects the privacy of these codes under the trade secrets act of countries. I think the Philippines is a signatory to that.
>
> And lastly, which source codes are they going to review? The application source codes? But application source codes interact with system source codes. Are they going to review system source codes, too? What about the source codes of all firmware chips used in the system? Are they going to review those source codes, too? How long is a piece of string? The code done by one programmer may be anathema to another and so source code review leads to more controversies. As you know programmers are full of egos and one argument leads to another and another. The point is if it does the defined specifications, it does not matter how or why the code is written that way.
>
> Reviewing source codes is a minefield of difficult issues to deal with.
>
> The simplest and easiest is to test by outcome, not how the code and why the code is written that way. After all, we are interested in the integrity of the system not the integrity of the code.
>
> On Mon, Oct 12, 2009 at 2:24 PM, Pablo Manalastas <[email protected]> wrote:
>> On SysTest Labs: It will do a testing of the binary executable. The testing will be more scientific than the testing done by the Special Bids and Awards Committee (that awarded the contract to Smartmatic) but will cost COMELEC more than PHP70 Million. Note that this is software testing of the binary executable, not a review of the source code, and the two are totally different "animals".
>>
>> On Monday, October 5, 2009, CenPEG filed with the Supreme Court a petition for mandamus, asking the Supreme Court to force COMELEC to release the source code of the election programs that will be used in May, 2010 to CenPEG and to all interested political parties and groups, as provided for by law (RA-9369).
>>
>> The text of the petition can be found here:
>> http://www.cenpeg.org/POL%20PARTIES%20AND%20ELECTIONS/OCT%202009/Petition%20for%20Mandamus.pdf
>>
>> The lawyers for CenPEG are Atty Koko Pimentel, and Atty Pancho Joaquin. I mention their names here, because they render their services for important causes for free, and by advertising them, I hope to give them business. So if you need legal representation, please talk to them.
>>
>> ~Pablo Manalastas, for CenPEG~
>>
>>
>> --- On Fri, 10/9/09, Drexx Laggui [personal] <[email protected]> wrote:
>>
>>> From: Drexx Laggui [personal] <[email protected]>
>>> Subject: Re: [plug] The Death of Election 2010 Source Code Review
>>> To: "Philippine Linux Users' Group (PLUG) Technical Discussion List" <[email protected]>
>>> Date: Friday, October 9, 2009, 11:01 PM
>>> 09Oct2009 (UTC +8)
>>>
>>> On Fri, Oct 9, 2009 at 21:21, Richard Paradies <[email protected]> wrote:
>>>> But Note Caution: Not certain if it's the same company.
>>>
>>> I'm pretty sure it is. SysTest is one of the companies *currently* accredited by EAC:
>>> http://www.eac.gov/program-areas/voting-systems/test-lab-accreditation/eac-accredited-test-laboratories/
>>>
>>> --And the list of the 5 testing labs in the above URL is most probably what is referred to in this news article:
>>> http://services.inquirer.net/print/print.php?article_id=20090824-221835
>>>
>>> Excerpt:
>>> "Meanwhile, Ateneo de Manila professor Renato Garcia, who sits as consultant for the poll body's project management office (PMO) for the 2010 elections, said they have written letters to at least five of the international software certification bodies that can conduct a “formal, thorough review” of the poll automation system software.
>>>
>>> “One of the five international software certification bodies, have already expressed interest to do the formal review of the customized automation software. This body, we found out, has been conducting a software review for Canadian-based Dominion, the software provider for Smartmatic's poll machines,” Garcia said.
>>>
>>> “If we can get them, the certification will be easier and faster,” he added."
>>>
>>>
>>>> For Immediate Release on 10/29/2008. EAC Announces Intention to Suspend SysTest Labs
>>>>
>>>> WASHINGTON, DC – The U.S. Election Assistance Commission (EAC) today notified SysTest Laboratories Inc. of its intent to suspend the laboratory’s accreditation based upon actions taken by the National Institute of Standards and Technology (NIST).
>>>>
>>>> August 8, 2008 – Letter from NIST to SysTest regarding initial reassessment findings. Reiterates EAC’s earlier concerns by stating that SysTest has no documented test methods, unqualified personnel conducting tests and concerns regarding manufacturer influence. NIST notes the need for an on-site assessment, requires SysTest to submit specific testing information and update NIST regarding testing documentation.
>>>>
>>>> October 28, 2008 – NIST suspends accreditation of SysTest.
>>>>
>>>> EAC is United States Election Assistance Commission, 1225 New York Avenue N.W. - Suite 1100, Washington, DC 20005
>>>>
>>>> On Thu, Oct 8, 2009 at 6:36 PM, jan gestre <[email protected]> wrote:
>>>>>
>>>>> What's with this?
>>>>> <snip>
>>>>>
>>>>> US-BASED SysTest Labs was declared as the winning bidder that will certify the source code of the software to be installed in the 82,200 precinct count optical scan (PCOS) machines for the May 2010 elections.
>>>>>
>>>>> Poll Commissioner Rene Sarmiento said that out of the four international companies that participated in the bidding last week, SysTest Labs was able to comply with all the requirements set by the Bids and Awards Committee (BAC) of the Commission on Elections (Comelec).
>>>>>
>>>>> Taken from
>>>>> --> http://www.sunstar.com.ph/manila/us-firm-wins-bid-review-pcos-source-code
>>>>>
>>>>> They're not allowing Cenpeg et al. but they awarded a bid to a US based firm? WTF.
>>>
>> _________________________________________________
>> Philippine Linux Users' Group (PLUG) Mailing List
>> http://lists.linux.org.ph/mailman/listinfo/plug
>> Searchable Archives: http://archives.free.net.ph

