--- On Wed, 10/14/09, Danny Ching <[email protected]> wrote:

> http://computerworld.com.ph/comelec-awards-source-code-review-to-us-lab-after-public-uproar/
>
> Seems like SysTest will be reviewing the source as well. I seem to have gotten the impression that they would not be doing that. Anyone know the real score?

If you do a thorough reading of the news article, and I quote:

"In its technical proposal, SysTest laid out a multi-faceted approach to detail system integration and the functional testing artifacts for testing the AES in various load and stress situations. SysTest specified areas of review and validation which include security of public fading devices, telecommunications, error notification, associated recovery aspects, apart from auditing capabilities."

So SysTest will actually do user acceptance testing. The very thing we've been discussing here. Furthermore, the news article states:

"Each module of the source code will be validated and verified following industry standards (US EAC VVSG 2005) and with logic that produces correct results and precludes malicious code."

The term "source code" is incorrectly used here, since US EAC VVSG 2005 states (http://www.eac.gov/program-areas/voting-systems/voluntary-voting-guidelines/2005-vvsg):

"The voluntary guidelines provide a set of specifications and requirements against which voting systems can be TESTED to determine if the systems provide all of the basic functionality, accessibility and security capabilities required of these systems."

So again, VVSG2005 gives a set of test criteria, not criteria for source code review.

The problem with COMELEC is that they have a collection of lawyers and CAC advisers who try to twist standard IT terminology as it applies to Smartmatic's PCOS technology to suit the requirements of Section 12, to cover up Smartmatic's failure to get the proper source-level licensing from Dominion. Why did COMELEC not get its own source-level licensing from Dominion, instead of being at the mercy of Smartmatic?

> On Wed, Oct 14, 2009 at 2:33 PM, Danny Ching <[email protected]> wrote:
> > Doc Manalastas, I think the COMELEC announced that they will make the source code available on Feb 6, 2010 after the SysTest is done. Is this true?
> > Is this acceptable: (1) to satisfy the law and (2) to satisfy the time requirements for a proper review.

According to Atty Rafanan and Mr. Renato Garcia, during the ANC TV show on election automation last month, COMELEC will show the source code after Feb 6, 2009 to interested political parties and groups, and the manner of showing the source code is akin to the manner that a company shows its financial statements to the public. I can only take this to mean that the results of testing that SysTest will do will be shown to the public, in lieu of the source code. I think this is an insult to the intelligence of the Filipino programming community and is a big "bullsh*t" (pardon my "not-so-Ateneo" language, but I sometimes become this eloquent when people are "bullsh*ting" me).

~Pablo Manalastas~

> > Two to three months, right? But Feb 6, 2010 is a Saturday, so we'll get the code Feb 8, 2010 (Monday). If we allot exactly three months, that means review will be done May 8, 2010 (also a Saturday). Isn't the election on May 10, 2010? Is this deliberate, so that the review process will either be moot and academic or it will be used to declare a failure of elections?
> >
> > On Wed, Oct 14, 2009 at 2:21 PM, Pablo Manalastas <[email protected]> wrote:
> > > --- On Tue, 10/13/09, Michael Mondragon <[email protected]> wrote:
> > > > Given the fact that we are petitioning Comelec and take a source code review, this would take us so much time and now the petition or case (some sort if ever) needs to be filed in court
> > >
> > > I am sorry, but a petition for mandamus has already been filed at the Supreme Court by CenPEG, to force COMELEC to release the source code of the election programs to interested political parties and groups. PLUG does not need to file a case anymore, because the necessary case is already at the Supreme Court.
> > >
> > > > and source code review be done by the US will be postpone,
> > >
> > > Again, I am sorry, but SysTest, a U.S. based company contracted by COMELEC will not do a source code review, but instead will do a user acceptance testing. If we go by what the newspaper reports are saying, then user acceptance testing will not be delayed, because SysTest will be paid PHP70 million, and for that amount SysTest will do a UAT on time.
> > >
> > > > this will definitely won't take source code review at all. I'm not sure if my calculation is correct, because again enough time is needed in this case and its critical. What I am thinking guys is to think what other things we can offer to be of help instead of pushing this review.
> > >
> > > I am not asking PLUG, as an organization, to do a source code review. My original post was to tell the group that CenPEG has already brought the request for the source code to the Supreme Court, since COMELEC does not want to do its duty under RA-9369 section 12. Also the reason that I am informing PLUG that CenPEG has brought the case to the Supreme Court is that a number of PLUG members, on an individual basis (not as PLUG the organization) have volunteered to help CenPEG do a source code review, and it seems only proper to tell them what we at CenPEG are doing to help make source code review a reality.
> > >
> > > ~Pablo Manalastas~
> > >
> > > > I don't know maybe you can help us out here and shed some light.
> > > >
> > > > Thanks,
> > > > Michael
> > > >
> > > > From: Dennis Legaspi <[email protected]>
> > > > To: Michael Mondragon <[email protected]>; Philippine Linux Users' Group (PLUG) Technical Discussion List <[email protected]>; Drexx Laggui [personal] <[email protected]>
> > > > Sent: Tue, October 13, 2009 11:46:53 AM
> > > > Subject: Re: [plug] COMELEC SUED (Was: The Death of Election 2010 Source Code Review)
> > > >
> > > > Not the kind of task you can completely divide into chunks. You're right. If you have 20 auditors it doesn't mean you can reduce audit time to X/20.
> > > >
> > > > --- On Tue, 10/13/09, Drexx Laggui [personal] <[email protected]> wrote:
> > > >
> > > > From: Drexx Laggui [personal] <[email protected]>
> > > > Subject: Re: [plug] COMELEC SUED (Was: The Death of Election 2010 Source Code Review)
> > > > To: "Michael Mondragon" <[email protected]>, "Philippine Linux Users' Group (PLUG) Technical Discussion List" <[email protected]>
> > > > Date: Tuesday, October 13, 2009, 1:48 AM
> > > >
> > > > 12Oct2009 (UTC +8)
> > > >
> > > > On Mon, Oct 12, 2009 at 18:08, Michael Mondragon <[email protected]> wrote:
> > > > > I am just wondering, given the fact, let's say, we got some TRO of some sort, do we still have time to do it? How many of us here, can go with source code review then if Comelec will allow us to review source code publicly? Though I believe in our capability as Filipinos and most of the people here are best of breed, I'm just checking since we are running out of time. How long can Supreme Court can interfere with this? Let's say, 2 mos. from now, can we still have much time?
> > > >
> > > > Very good questions.
> > > > Depends on how many people do you have behind the word "we" as well as how skilled are the "we" people. If many volunteered but are there just to learn from the exercise, then your "we" is just a mob.
> > > >
> > > > A proper evaluation and assurance project typically runs from 6 months to 2 years. What you'd need now is an army of highly skilled evaluators / auditors to do that. Less than that, you'll get lower assurance levels, and much less audit evidence to give the Filipinos the confidence they require in the 2010 national elections.
> > > >
> > > > Drexx Laggui -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
> > > > http://www.laggui.com
> > > > ( Singapore / Manila / California )
> > > > Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
> > > > PGP fingerprint = 6E62 A089 E3EA 1B93 BFB4 8363 FFEC 3976 FF31 8A4E
> > > >
> > > > _________________________________________________
> > > > Philippine Linux Users' Group (PLUG) Mailing List
> > > > http://lists.linux.org.ph/mailman/listinfo/plug
> > > > Searchable Archives: http://archives.free.net.ph
> >
> > --
> > Regards,
> > Danny Ching
>
> --
> Regards,
> Danny Ching

