Hello all,

I just read that the US EAC VVSG 2005 documents (particularly Volume 2)
describe in detail the testing that will be done on a candidate
election system. One of these tests, as summarized in Volume 2 Section
1.3.1.3, is called Focus of Software Evaluation, which reads:

"The software tests encompass a number of interrelated examinations,
involving assessment of application source code for its compliance with
the requirements spelled out in Volume I, Section 5. Essentially, the
accredited test lab will look at programming completeness, consistency,
correctness, modifiability, structure, and traceability, along with its
modularity and construction. The code inspection will be followed by a
series of functional tests to verify the proper performance of all
system functions controlled by the software."

If the government has already contracted SysTest Labs (Comelec
Resolution 8677) to do the testing according to US EAC VVSG 2005 then I
guess that should be compliant for the purposes of what we describe as
source code audit. Of course, that is an if.

It also looks like, over and above this, they will open the code base for
review in February 2010.

I am happy that there is a way forward. 

On Wed, 2009-10-14 at 00:03 -0700, Pablo Manalastas wrote: 
> I believe that Mr. Paolo Falcone has voiced out the sentiments of a good 
> number of members of this list.  These members are for source code review as 
> a means for ascertaining that the election programs are implementing the 
> specifications of RA-9369 and the COMELEC Terms of Reference, for the 
> following reasons:
> 
> 1. With source code review, you get the human readable code, and nothing is 
> hidden to you. You can see what the program is doing.  With user acceptance 
> testing of the executable binary, you don't know what the program is doing, 
> and you are doing your best to generate test data that you hope will catch 
> the errors in programming and non-conformance to the specifications, but at 
> the back of your mind, you know that it is impossible to generate all 
> possible test case scenarios.
> 
> 2. You are a member of PLUG.  You are probably a programmer yourself.  You do 
> programming or reviewing other people's programs as your occupation.  You are 
> at home with programming -- and you hate it when RA-9369 gives you the right 
> to review the source code and COMELEC, which is supposed to implement 
> RA-9369, withholds that right from you. You do not understand why the COMELEC 
> commissioners, who are all lawyers, who know zilch about computer technology 
> or source code review, or automated elections -- you do not understand why 
> these commissioners tell you that you can not do a source code review (for 
> free), but instead that COMELEC must spend PHP70 million, to hire a US-based 
> company to do user acceptance testing. You also know that the brightest 
> programmers and IT people in these US based IT companies are most probably 
> Filipinos like you.
> 
> 3. You are a member of PLUG, the Philippine LINUX Users' Group, and LINUX is 
> the greatest example of software that has been source code reviewed by 
> thousands of programmer-users all over the world, and this review of Linux 
> only made the program better, more secure, and more usable. You believe in 
> the freedom to study the source code of applications that you use, because 
> you know that only by studying the source code will the application improve 
> over time. You believe that the freedom to study the source code of the 
> election program is not only guaranteed by Section 12 of RA-9369, but also 
> by the Constitutional right to know, guaranteed by the Bill of Rights.
> 
> 4. You have read news accounts on the Internet where rights advocates in the 
> U.S., Europe, and other places, are fighting for the right to do source code 
> reviews of their election programs. Here in the Philippines, we do not have 
> to fight for this right, because it is already in our laws (the Constitution 
> and RA-9369). All we have to do is fight for the implementation of these laws.
> 
> ~Pablo Manalastas~
> 
> 
> --- On Tue, 10/13/09, Paolo Falcone <[email protected]> wrote:
> 
> > From: Paolo Falcone <[email protected]>
> >
> > As much as I'd like to, the review must
> > stay, given that this is the law. You can't correct
> > something illegal by bowing to it.
> > The issue of the source code review is already
> > beyond a normal UAT as per industry standard practice, as
> > the law didn't just stop on a UAT. We have to understand
> > that the stakes are much higher, and despite claims that
> > it's just a counting device, it is NOT just a counting
> > device. Heck, if it all it did was count why spend the
> > millions just to do AES and all the extra bells and whistles
> > while a hacked up calculator will cost significantly
> > less.
> > 
> > 
> > Now, as how the source code review can go, I
> > encourage COMELEC to stop this crazy stonewalling and have
> > all the concerned parties sit down and talk and work
> > something out without jeopardizing the spirit of the law.
> > The law is clear - source code review - and not just mere
> > acceptance tests. Not this utter bullshit of binary-only
> > review that will cost 70 million pesos that doesn't
> > conform to the law, does not erase doubts, that would be
> > better spent aiding our typhoon-affected folks.
> > 
> > 
> > I don't buy the chairborne commando
> > conspiracy theories, but I already find the reluctance too
> > doubtful, tempting me to want to utterly distrust the people
> > behind COMELEC and Smartmatic, given that effectively what
> > they're saying is "just blindly trust us, you
> > don't need to know the internals, here are some tests to
> > play with". 
> > 
> > 
> > 
> > On Tue, Oct 13, 2009 at 12:29 PM, Michael Mondragon <[email protected]> wrote:
> > 
> > 
> > You're right. That's what I am actually after. Given the fact that
> > we are petitioning Comelec to take a source code review, this would
> > take us so much time, and now the petition or case (some sort, if ever)
> > needs to be filed in court and the source code review to be done by the
> > US will be postponed; this definitely won't allow a source code review
> > at all. I'm not sure if my calculation is correct, because again enough
> > time is needed in this case and it's critical. What I am thinking,
> > guys, is to think what other things we can offer to be of help instead
> > of pushing this review. I don't know, maybe you can help us out here
> > and shed some light.
> > 
> > Thanks,
> > Michael
> > 
> > From: Dennis Legaspi <[email protected]>
> > To: Michael Mondragon <[email protected]>; Philippine Linux Users' Group (PLUG) Technical Discussion List <[email protected]>; Drexx Laggui [personal] <[email protected]>
> > Sent: Tue, October 13, 2009 11:46:53 AM
> > Subject: Re: [plug] COMELEC SUED (Was: The Death of Election 2010 Source Code Review)
> > 
> > Not the kind of task you can completely divide into chunks. You're
> > right. If you have 20 auditors it doesn't mean you can reduce audit
> > time to X/20.
> > 
> > --- On Tue, 10/13/09, Drexx Laggui [personal] <[email protected]> wrote:
> > 
> > From: Drexx Laggui [personal] <[email protected]>
> > Subject: Re: [plug] COMELEC SUED (Was: The Death of Election 2010 Source Code Review)
> > To: "Michael Mondragon" <[email protected]>, "Philippine Linux Users' Group (PLUG) Technical Discussion List" <[email protected]>
> > Date: Tuesday, October 13, 2009, 1:48 AM
> > 
> > 12Oct2009 (UTC +8)
> > 
> > On Mon, Oct 12, 2009 at 18:08, Michael Mondragon <[email protected]> wrote:
> > 
> > > I am just wondering, given the fact, let's say, we got some TRO of
> > > some sort, do we still have time to do it? How many of us here can go
> > > with source code review then if Comelec will allow us to review source
> > > code publicly? Though I believe in our capability as Filipinos and most
> > > of the people here are best of breed, I'm just checking since we are
> > > running out of time. How long can the Supreme Court interfere with
> > > this? Let's say, 2 mos. from now, can we still have much time?
> > 
> > Very good questions. Depends on how many people you have behind the
> > word "we", as well as how skilled the "we" people are. If many
> > volunteered but are there just to learn from the exercise, then your
> > "we" is just a mob.
> > 
> > A proper evaluation and assurance project typically runs from 6 months
> > to 2 years. What you'd need now is an army of highly skilled
> > evaluators / auditors to do that. With less than that, you'll get lower
> > assurance levels, and much less audit evidence to give the Filipinos
> > the confidence they require in the 2010 national elections.
> > 
> > Drexx Laggui -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
> > http://www.laggui.com (Singapore / Manila / California)
> > Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
> > 
> > PGP fingerprint = 6E62 A089 E3EA 1B93 BFB4  8363 FFEC 3976 FF31 8A4E
> > 
> > _________________________________________________
> > 
> > Philippine Linux Users' Group (PLUG) Mailing List
> > 
> > http://lists.linux.org.ph/mailman/listinfo/plug
> > 
> > Searchable Archives: http://archives.free.net.ph
> > 
> > -- 
> > Paolo
-- 
-------------------------------------------------------
William Emmanuel S. Yu (杨怀义)
Department of Information Systems and Computer Science
Ateneo de Manila University
email  :  wyu at ateneo dot edu
blog   :  http://hip2b2.yutivo.org/
web    :  http://CNG.ateneo.edu/cng/wyu/
phone  :  +63(2)4266001 loc. 4186
GPG    :  http://CNG.ateneo.net/cng/wyu/wyy.pgp

Confidentiality Issue:  This message is intended only for the use of the
addressee and may contain information that is privileged and
confidential. If you are not the intended recipient, you are hereby
notified that any use or dissemination of this communication is strictly
prohibited.  If you have received this communication in error, please
notify us immediately by reply and delete this message from your system.
