I am sorry if my post (announcing
that CenPEG has gone to the Supreme Court to force COMELEC
to honor its commitment to CenPEG and to other interested
political parties and groups, to release the source code of
the election programs) has created so much disagreement in
this list. To create a disagreement was never my
intention.  I just wanted the Linuxers to know that we
have not forgotten our advocacy to contribute to clean and
honest computerized elections by helping in a way we know
how: to help review the source code of the PCOS and CCS
programs. Many of you have written to CenPEG or to me,
volunteering to help in the source code review, and we want
you to know that we are trying our best (we have already
gone to the Supreme Court) to make the source code review a
reality.
 
> --- On Mon, 10/12/09, Oscar Plameras <[email protected]>
> wrote:
> 
> > I think it's silly to spend so much
> > money and time to test the
> > Election System by reviewing Source code.
 
Comelec is not going to spend a single centavo in the
source code review to be done by the CenPEG volunteers,
because YOU are the volunteers (you know who you are if you
volunteered). We did not promise to pay you to do a review
for CenPEG and for the people of the Philippines. 
CenPEG might be able to refund your fare and give you food
and nourishment while doing the review, but CenPEG does not
have the funds to pay you programmer rates, and you know
that, and you agreed to it.
 
> > From my experience, end users implement acceptance testing of the
> > system by developing a series of tests other than source code
> > review. The main idea is to simulate scenarios of operations with
> > input test data and pre-defining the expected results. Several
> > scenarios are covered with the input data that's prepared.
 
On the other hand, COMELEC will be paying SysTest upwards
of PHP70 million to do acceptance testing of the PCOS
SAES-1800/Dominion Democracy Suite Image Cast firmware
program (binary executable). I think this is highway
robbery, to do an acceptance testing that has already been
done during the SBAC testing in May 2009, that declared
Smartmatic the winning bidder. Maybe, SBAC's acceptance
testing was only for show?
  
> > The Election system itself is a simple count and tabulate system
> > and that is not difficult to simulate.
> >
> > Hardly any commercial developer will allow third parties to have
> > source code access to their proprietary software. And in general,
> > commercial confidence protects the privacy of these codes under the
> > trade secrets act of countries. I think the Philippines is a
> > signatory to that.
 
While it is true that the PCOS SAES-1800 program and the
CCS REIS v2.0 canvassing program are commercial closed
source software, both Smartmatic and Comelec are required by
law (RA-9369 section 12) and by COMELEC's own rules (COMELEC
Terms of Reference to Bidders) to provide the source codes
of the elections programs for review by interested political
parties and groups, once the technology is selected for
implementation. Furthermore the COMELEC and Smartmatic
signed a contract specifying that Smartmatic MUST deposit
with the Bangko Sentral ng Pilipinas a CD/DVD containing
both source code and executable programs of the computer
programs that will be used in May 2010. To date, Smartmatic
has not done that and is therefore in breach of contract.
    
> > And lastly, which source codes are they going to review. The
> > application source codes? But application source codes interact
> > with system source codes. Are they going to review system source
> > codes, too?

The PCOS firmware election program runs on top of uClinux,
and uClinux has already been source code reviewed by the
entire open source community.
 
The CCS REIS v2.0 program runs on top of SUSE Linux, and
SUSE Linux does not need reviewing, and you know this if you
are a true Linux user.
 
> > What about the source codes of all firmware chips used in the
> > system? Are they going to review those source codes, too? How long
> > is a piece of string? The code done by one programmer may be
> > anathema to another and so source code review leads to more
> > controversies. As you know programmers are full of egos and one
> > argument leads to another and another. The point is if it does the
> > defined specifications, it does not matter how or why the code is
> > written that way.
> >
> > Reviewing source codes is a mine field of difficult issues to deal
> > with.
> >
> > The simplest and easiest is to test by outcome, not how the code
> > and why the code is written that way. After all, we are interested
> > in the integrity of the system not the integrity of the code.

There are things that you can reveal in a source code
review that no amount of acceptance testing will reveal.

For example, the following:
 
1. Earlier testing showed that the PCOS computer can only
read voters' marks if the voter fully shades the entire
oval, but not partial shading such as a single dot at the
center of the oval, or a check mark, or a cross mark. 
Furthermore, the voter's mark must be done using felt-tip
pen.  Pencil and ball pen do not work.  We want to
know why. Testing already revealed WHAT, but it does not
tell us WHY.  The COMELEC Terms of Reference requires
as a minimum capability that the PCOS machine must be able
to read a dot, a check mark, a cross mark, or a full shade,
done in pencil, ballpen, or felt-tip pen.  The
Smartmatic PCOS machine failed in many of the tests, but
COMELEC still passed Smartmatic.

2. The law states that the three BEI members must digitally
sign the precinct election returns (ER) electronically
generated by the PCOS machine at the close of polls, but we
have reason to believe that it is the PCOS machine which
digitally signs the ER, and not the human BEI members. 
The BEI members just enter their passwords, but we are not
sure if their passwords unlock the secret keys that are used
for digital signing, because they do not even know if the
security keys that they are using contain their secret keys
or the secret key of the PCOS machine.  Only a source
code review will confirm which method is used.

I can name many other suspicions that we want to confirm if
true or not, and the only way our suspicions can be verified
is by source code review.

While acceptance testing is good, the test data that the
acceptance tester will use will not cover all possibilities
that may be encountered in actual use situations. The
tester, no matter how skilled, will never be able to
exhaust all possibilities.  If it were possible to do
so, then Windows XP will not need to issue service packs 1,
2, and 3, and various other little patches that Microsoft
has discovered after many years of testing and actual
usage.  On the other hand, if you have the source code
for review, you can always compile the source code and do
acceptance testing to your heart's desire, in addition to
being able to read the source code and fix obvious errors of
nonconformity to program specifications.

THAT IS THE KEY HERE: We want to show that the computer
programs conform to the specifications contained in RA-9369
and the COMELEC Terms of Reference to Bidders.  No
amount of acceptance testing will reveal this.
 
 
~Pablo Manalastas~

P.S. I tried my best to be non-personal and tackle only
issues in this post.  I believe that going personal
does not achieve any beneficial effects, but only
antagonizes members of this list.
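
An added illustration of the second suspicion in the message above; it is not code from the post, from CenPEG, or from the PCOS firmware. It models two hypothetical close-of-polls designs, one where each BEI password derives that member's own signing key and one where the passwords are only a gate in front of a machine key. All names and values are constructed, and HMAC-SHA256 stands in for a real digital signature so that only the Python standard library is needed.

```python
import hashlib
import hmac

# Constructed sample data; every name and value below is hypothetical.
SALT = b"constructed-salt"
ENROLLED = ["chair-pw", "poll-clerk-pw", "third-member-pw"]  # three BEI members
MACHINE_KEY = hashlib.sha256(b"constructed machine secret").digest()
ER = b"precinct 0001: candidate A 120, candidate B 98"

def kdf(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)

def sign(key, data):
    # Assumption: HMAC-SHA256 stands in for a real digital signature.
    return hmac.new(key, data, hashlib.sha256).digest()

# Stored at enrolment: a hash of each derived key, never the key itself.
VERIFIERS = [hashlib.sha256(kdf(p)).digest() for p in ENROLLED]

def passwords_ok(entered):
    return len(entered) == len(VERIFIERS) and all(
        hmac.compare_digest(hashlib.sha256(kdf(p)).digest(), v)
        for p, v in zip(entered, VERIFIERS))

def close_polls_member_keys(er, entered):
    """Design A: each password unlocks that member's own signing key."""
    if not passwords_ok(entered):
        return None
    return [sign(kdf(p), er) for p in entered]

def close_polls_machine_key(er, entered):
    """Design B: passwords are only a gate; the machine key makes every signature."""
    if not passwords_ok(entered):
        return None
    return [sign(MACHINE_KEY, er + bytes([i])) for i in range(len(entered))]

def acceptance_test(close_polls):
    """Black box: right passwords give 3 distinct signatures, a wrong one gives none."""
    sigs = close_polls(ER, ENROLLED)
    refused = close_polls(ER, ENROLLED[:2] + ["wrong-guess"])
    return sigs is not None and len(set(sigs)) == 3 and refused is None

def signed_by_members(sigs):
    """Needs the members' key material (public keys in a real system)."""
    return all(hmac.compare_digest(s, sign(kdf(p), ER))
               for s, p in zip(sigs, ENROLLED))

if __name__ == "__main__":
    for design in (close_polls_member_keys, close_polls_machine_key):
        print(design.__name__, acceptance_test(design),
              signed_by_members(design(ER, ENROLLED)))
```

Both designs pass `acceptance_test`; only `signed_by_members` separates them, and it depends on knowing which keys exist, which the behaviour at the keypad does not show.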



> > On Mon, Oct 12, 2009 at 2:24 PM, Pablo Manalastas
> > <[email protected]> wrote:
> > > On SysTest Labs: It will do a testing of the binary executable.
> > > The testing will be more scientific than the testing done by the
> > > Special Bids and Awards Committee (that awarded the contract to
> > > Smartmatic) but will cost COMELEC more than PHP70 Million. Note
> > > that this is software testing of the binary executable, not a
> > > review of the source code, and the two are totally different
> > > "animals".
> > >
> > > On Monday, October 5, 2009, CenPEG filed with the Supreme Court a
> > > petition for mandamus, asking the Supreme Court to force COMELEC
> > > to release the source code of the election programs that will be
> > > used in May, 2010 to CenPEG and to all interested political
> > > parties and groups, as provided for by law (RA-9369).
> > >
> > > The text of the petition can be found here:
> > > http://www.cenpeg.org/POL%20PARTIES%20AND%20ELECTIONS/OCT%202009/Petition%20for%20Mandamus.pdf
> > >
> > > The lawyers for CenPEG are Atty Koko Pimentel, and Atty Pancho
> > > Joaquin. I mention their names here, because they render their
> > > services for important causes for free, and by advertising them,
> > > I hope to give them business. So if you need legal
> > > representation, please talk to them.
> > >
> > > ~Pablo Manalastas, for CenPEG~
> > >
> > >
> > > --- On Fri, 10/9/09, Drexx Laggui [personal] <[email protected]> wrote:
> > >
> > >> From: Drexx Laggui [personal] <[email protected]>
> > >> Subject: Re: [plug] The Death of Election 2010 Source Code Review
> > >> To: "Philippine Linux Users' Group (PLUG) Technical Discussion List" <[email protected]>
> > >> Date: Friday, October 9, 2009, 11:01 PM
> > >> 09Oct2009 (UTC +8)
> > >>
> > >> On Fri, Oct 9, 2009 at 21:21, Richard Paradies <[email protected]> wrote:
> > >> > But Note Caution: Not certain if it's the same company.
> > >>
> > >> I'm pretty sure it is. SysTest is one of the companies *currently*
> > >> accredited by EAC:
> > >> http://www.eac.gov/program-areas/voting-systems/test-lab-accreditation/eac-accredited-test-laboratories/
> > >>
> > >>
> > >> --And the list of the 5 testing labs in the above URL is most
> > >> probably what is referred to in this news article:
> > >> http://services.inquirer.net/print/print.php?article_id=20090824-221835
> > >>
> > >> Excerpt:
> > >> "Meanwhile, Ateneo de Manila professor Renato Garcia, who sits as
> > >> consultant for the poll body's project management office (PMO) for
> > >> the 2010 elections, said they have written letters to at least
> > >> five of the international software certification bodies that can
> > >> conduct a “formal, thorough review” of the poll automation system
> > >> software.
> > >>
> > >> “One of the five international software certification bodies, have
> > >> already expressed interest to do the formal review of the
> > >> customized automation software. This body, we found out, has been
> > >> conducting a software review for Canadian-based Dominion, the
> > >> software provider for Smartmatic's poll machines,” Garcia said.
> > >>
> > >> “If we can get them, the certification will be easier and
> > >> faster,” he added."
> > >>
> > >>
> > >>
> > >> > For Immediate Release on 10/29/2008. EAC Announces Intention to
> > >> > Suspend SysTest Labs
> > >> >
> > >> > WASHINGTON, DC – The U.S. Election Assistance Commission (EAC)
> > >> > today notified SysTest Laboratories Inc. of its intent to suspend
> > >> > the laboratory’s accreditation based upon actions taken by the
> > >> > National Institute of Standards and Technology (NIST).
> > >> >
> > >> > August 8, 2008 – Letter from NIST to SysTest regarding initial
> > >> > reassessment findings. Reiterates EAC’s earlier concerns by
> > >> > stating that SysTest has no documented test methods, unqualified
> > >> > personnel conducting tests and concerns regarding manufacturer
> > >> > influence. NIST notes the need for an on-site assessment,
> > >> > requires SysTest to submit specific testing information and
> > >> > update NIST regarding testing documentation.
> > >> >
> > >> > October 28, 2008 – NIST suspends accreditation of SysTest.
> > >> >
> > >> > EAC is United States Election Assistance Commission 1225 New
> > >> > York Avenue N.W. - Suite 1100 Washington, DC 20005
> > >> >
> > >> > On Thu, Oct 8, 2009 at 6:36 PM, jan gestre <[email protected]> wrote:
> > >> >>
> > >> >> What's with this?
> > >> >> <snip>
> > >> >>
> > >> >> US-BASED SysTest Labs was declared as the winning bidder that
> > >> >> will certify the source code of the software to be installed in
> > >> >> the 82,200 precinct count optical scan (PCOS) machines for the
> > >> >> May 2010 elections.
> > >> >>
> > >> >> Poll Commissioner Rene Sarmiento said that out of the four
> > >> >> international companies that participated in the bidding last
> > >> >> week, SysTest Labs was able to comply with all the requirements
> > >> >> set by the Bids and Awards Committee (BAC) of the Commission on
> > >> >> Elections (Comelec).
> > >> >>
> > >> >> Taken from
> > >> >> --> http://www.sunstar.com.ph/manila/us-firm-wins-bid-review-pcos-source-code
> > >> >>
> > >> >> They're not allowing Cenpeg et al. but they awarded a bid to a
> > >> >> US based firm? WTF.
> > >>
> > >
> > > _________________________________________________
> > > Philippine Linux Users' Group (PLUG) Mailing List
> > > http://lists.linux.org.ph/mailman/listinfo/plug
> > > Searchable Archives: http://archives.free.net.ph