I believe that Mr. Paolo Falcone has voiced the sentiments of a good number of members of this list. These members are for source code review as a means of ascertaining that the election programs implement the specifications of RA-9369 and the COMELEC Terms of Reference, for the following reasons:
1. With source code review, you get the human-readable code, and nothing is hidden from you. You can see what the program is doing. With user acceptance testing of the executable binary, you don't know what the program is doing, and you are doing your best to generate test data that you hope will catch the errors in programming and non-conformance to the specifications, but at the back of your mind, you know that it is impossible to generate all possible test case scenarios.

2. You are a member of PLUG. You are probably a programmer yourself. You do programming or reviewing other people's programs as your occupation. You are at home with programming -- and you hate it when RA-9369 gives you the right to review the source code and COMELEC, which is supposed to implement RA-9369, withholds that right from you. You do not understand why the COMELEC commissioners, who are all lawyers, who know zilch about computer technology or source code review or automated elections -- you do not understand why these commissioners tell you that you cannot do a source code review (for free), but instead that COMELEC must spend PHP70 million to hire a US-based company to do user acceptance testing. You also know that the brightest programmers and IT people in these US-based IT companies are most probably Filipinos like you.

3. You are a member of PLUG, the Philippine LINUX Users' Group, and LINUX is the greatest example of software that has been source code reviewed by thousands of programmer-users all over the world, and this review of Linux has only made the program better, more secure, and more usable. You believe in the freedom to study the source code of the applications that you use, because you know that only by studying the source code will the application improve over time. You believe that the freedom to study the source code of the election program is not only guaranteed by Section 12 of RA-9369, but also by the Constitutional right to know, guaranteed by the Bill of Rights.

4. You have read news accounts on the Internet where rights advocates in the U.S., Europe, and other places are fighting for the right to do source code reviews of their election programs. Here in the Philippines, we do not have to fight for this right, because it is already in our laws (the Constitution and RA-9369). All we have to do is fight for the implementation of these laws.

~Pablo Manalastas~

--- On Tue, 10/13/09, Paolo Falcone <[email protected]> wrote:

> From: Paolo Falcone <[email protected]>
>
> As much as I'd like to, the review must stay, given that this is the law. You can't correct something illegal by bowing to it.
>
> The issue of the source code review is already beyond a normal UAT as per industry standard practice, as the law didn't just stop at a UAT. We have to understand that the stakes are much higher, and despite claims that it's just a counting device, it is NOT just a counting device. Heck, if all it did was count, why spend the millions just to do AES and all the extra bells and whistles while a hacked-up calculator will cost significantly less.
>
> Now, as to how the source code review can go, I encourage COMELEC to stop this crazy stonewalling and have all the concerned parties sit down and talk and work something out without jeopardizing the spirit of the law. The law is clear - source code review - and not just mere acceptance tests. Not this utter bullshit of a binary-only review that will cost 70 million pesos, that doesn't conform to the law, does not erase doubts, and that would be better spent aiding our typhoon-affected folks.
>
> I don't buy the chairborne commando conspiracy theories, but I already find the reluctance too doubtful, tempting me to want to utterly distrust the people behind COMELEC and Smartmatic, given that effectively what they're saying is "just blindly trust us, you don't need to know the internals, here are some tests to play with".
>
> On Tue, Oct 13, 2009 at 12:29 PM, Michael Mondragon <[email protected]> wrote:
>
> > You're right. That's what I am actually after. Given the fact that we are petitioning Comelec to take a source code review, this would take us so much time, and now the petition or case (some sort, if ever) needs to be filed in court, and the source code review to be done by the US will be postponed; this definitely won't take source code review at all. I'm not sure if my calculation is correct, because again enough time is needed in this case and it's critical. What I am thinking, guys, is to think of what other things we can offer to be of help instead of pushing this review. I don't know, maybe you can help us out here and shed some light.
> >
> > Thanks,
> > Michael
> >
> > From: Dennis Legaspi <[email protected]>
> > To: Michael Mondragon <[email protected]>; Philippine Linux Users' Group (PLUG) Technical Discussion List <[email protected]>; Drexx Laggui [personal] <[email protected]>
> > Sent: Tue, October 13, 2009 11:46:53 AM
> > Subject: Re: [plug] COMELEC SUED (Was: The Death of Election 2010 Source Code Review)
> >
> > > Not the kind of task you can completely divide into chunks. You're right. If you have 20 auditors it doesn't mean you can reduce audit time to X/20.
> > >
> > > --- On Tue, 10/13/09, Drexx Laggui [personal] <[email protected]> wrote:
> > >
> > > > From: Drexx Laggui [personal] <[email protected]>
> > > > Subject: Re: [plug] COMELEC SUED (Was: The Death of Election 2010 Source Code Review)
> > > > To: "Michael Mondragon" <[email protected]>, "Philippine Linux Users' Group (PLUG) Technical Discussion List" <[email protected]>
> > > > Date: Tuesday, October 13, 2009, 1:48 AM
> > > >
> > > > 12Oct2009 (UTC +8)
> > > >
> > > > On Mon, Oct 12, 2009 at 18:08, Michael Mondragon <[email protected]> wrote:
> > > >
> > > > > I am just wondering, given the fact, let's say, we got some TRO of some sort, do we still have time to do it? How many of us here can go with source code review then if Comelec will allow us to review source code publicly? Though I believe in our capability as Filipinos and most of the people here are best of breed, I'm just checking since we are running out of time. How long can the Supreme Court interfere with this? Let's say, 2 mos. from now, can we still have much time?
> > > >
> > > > Very good questions. Depends on how many people you have behind the word "we" as well as how skilled the "we" people are. If many volunteered but are there just to learn from the exercise, then your "we" is just a mob.
> > > >
> > > > A proper evaluation and assurance project typically runs from 6 months to 2 years. What you'd need now is an army of highly skilled evaluators / auditors to do that. Less than that, you'll get lower assurance levels, and much less audit evidence to give the Filipinos the confidence they require in the 2010 national elections.
> > > >
> > > > Drexx Laggui -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
> > > > http://www.laggui.com ( Singapore / Manila / California )
> > > > Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
> > > > PGP fingerprint = 6E62 A089 E3EA 1B93 BFB4 8363 FFEC 3976 FF31 8A4E
> > >
> > > _________________________________________________
> > > Philippine Linux Users' Group (PLUG) Mailing List
> > > http://lists.linux.org.ph/mailman/listinfo/plug
> > > Searchable Archives: http://archives.free.net.ph
>
> --
> Paolo

