On Fri, Sep 25, 2009 at 9:35 AM, Pablo Manalastas <prmanalas...@yahoo.com> wrote:
> The Death of Election 2010 Source Code Review
> [So as not to go OT: the election programs run on uClinux and SUSE Linux]

<sarcasm>OMG, they run on bloated software?</sarcasm>

> What I do not understand is why "computer security experts" like Mr. Mara and
> others from the CyberSecurity groups do not want the political parties to do
> a source code review. Why should reviewing the source code make the election
> programs more susceptible to external attacks? Have they not seen the
> experience of Linux and OpenOffice and GIMP and so many other programs that
> are freely available on the Net? Their source code is available for ANYONE
> to download and review and modify to their hearts' content, and never have I
> seen a report stating that the security of Linux or OpenOffice or GIMP has
> been compromised as a result of these reviews. On the other hand, the source
> code of Microsoft Windows XP and Vista is not available for download
> anywhere, and yet there are gazillions of viruses and vulnerabilities in
> Windows. This is because opening up the source code for review allows more
> people to study and to help correct the vulnerabilities.

For FOSS, code reviews do discover vulnerabilities that could result in
compromise. The difference from private reviews, though, is the fact that such
vulnerabilities are reported to the public and given only the smallest
possible window for exploitation. Of course, there have been spectacular
blunders, like the Debian OpenSSL fiasco, but that's really more a problem of
developer communication rather than a deliberate technical loophole.

Them "Cybersecs" probably don't want it because they still subscribe to a
"security through obscurity" model. Do they run Linux distributions? Do they
participate in FOSS development, making good use of their "security" training?
If so, they should know better than to advocate a position that deliberately
hides problems from the voting public.

As an aside, it is also likely that the code itself sucks. And maybe even a
non-expert might see bugs in it (even the critical non-security bugs!) It may
not even pass muster in basic reviews, and maybe some sap might post the story
for TheDailyWTF and friends to gawk at.

> These corrections for improvement can be accepted by COMELEC, if it wants,
> and rejected otherwise. It is still COMELEC's call. It is COMELEC's
> acceptance or rejection of suggestions for improvements that will determine
> the future quality of the election programs, not the source code review
> itself.
>
> But Director Rafanan has already made his final word on the issue, and I
> believe Director Rafanan's word is god's word. May God bless COMELEC, and
> may I ask, like Jesus asked, to "Father forgive them, for they know not what
> they do".

Well, WTF. What would be a good LART for this?

--
Zak B. Elep || zakame.net
1486 7957 454D E529 E4F1 F75E 5787 B1FD FA53 851D

_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
http://lists.linux.org.ph/mailman/listinfo/plug
Searchable Archives: http://archives.free.net.ph