Information Security News mailing list archives

Re: Firm invites experts to punch holes in ballot software


From: InfoSec News <isn () c4i org>
Date: Thu, 8 Apr 2004 09:06:13 -0500 (CDT)

Forwarded from: Kurt Seifried <listuser () seifried org> 

How do we know that this is the software that they compile and ship?
We don't. Source disclosure is useless in this situation unless the
build process is somehow audited, or they ship source and whatever
else I need to build identical binaries to theirs, which I can then
compare and go "yes, these binaries are identical, ergo it's probable
that the sources we used are identical, ergo the source I audited and
found to be correct is probably what was used to build the production
binaries".

I'm sorry but I see no reason to trust these companies implicitly, I
think they should be held to an extremely high standard of "guilty
until proven innocent". They have the ability to change the laws and
governments we live within. Any other object with this capability
(judges, politicians/etc) is generally made to go through a rigorous
process and/or when they make/change laws there are multiple checks
and balances (appeal courts, congress, the president's veto, the
queen's veto, etc.). With voting machines there appear to be no checks
and balances.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/



_________________________________________
ISN mailing list
Sponsored by: OSVDB.org
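
The binary comparison described in the message above, as an added example that is not part of the original post: it hashes a vendor-shipped tree and an independently rebuilt tree and reports every file that differs or exists on only one side. The directory layout, file names and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    out = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def compare_builds(shipped_dir, rebuilt_dir):
    """Compare vendor-shipped binaries against an independent rebuild."""
    shipped, rebuilt = manifest(shipped_dir), manifest(rebuilt_dir)
    common = set(shipped) & set(rebuilt)
    report = {
        "only_shipped": sorted(set(shipped) - set(rebuilt)),  # shipped, not buildable from source
        "only_rebuilt": sorted(set(rebuilt) - set(shipped)),  # built from source, never shipped
        "differ": sorted(n for n in common if shipped[n] != rebuilt[n]),
    }
    # An empty shipped tree must not pass vacuously.
    report["identical"] = bool(shipped) and not (
        report["only_shipped"] or report["only_rebuilt"] or report["differ"]
    )
    return report


def demo(tamper=True):
    """Build two constructed sample trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        shipped, rebuilt = Path(tmp, "shipped"), Path(tmp, "rebuilt")
        for d in (shipped, rebuilt):
            (d / "bin").mkdir(parents=True)
            (d / "bin" / "tally").write_bytes(b"constructed tally binary")
            (d / "bin" / "ballot").write_bytes(b"constructed ballot binary")
        if tamper:
            # Shipped tree diverges from what the disclosed source produces.
            (shipped / "bin" / "ballot").write_bytes(b"constructed ballot binary, altered")
            (shipped / "bin" / "extra.so").write_bytes(b"not in the disclosed source")
        return compare_builds(shipped, rebuilt)


if __name__ == "__main__":
    print(demo())
```

A match only means something if the build is deterministic: embedded timestamps, build paths or a different toolchain version will change the digests even when the source is the same, so "whatever else I need to build identical binaries" includes the exact compiler and build environment.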

