[ISN] Firm invites experts to punch holes in ballot software

InfoSec News isn at c4i.org
Thu Apr 8 10:06:13 EDT 2004


Forwarded from: Kurt Seifried <listuser at seifried.org> 

How do we know that this is the software that they compile and ship?
We don't. Source disclosure is useless in this situation unless the
build process is somehow audited, or they ship source and whatever
else I need to build identical binaries to theirs, which I can then
compare and go "yes, these binaries are identical, ergo it's probable
that the sources we used are identical, ergo the source I audited and
found to be correct is probably what was used to build the production
binaries".

I'm sorry but I see no reason to trust these companies implicitly, I
think they should be held to an extremely high standard of "guilty
until proven innocent". They have the ability to change the laws and
governments we live within. Any other object with this capability
(judges, politicians/etc) is generally made to go through a rigourous
process and/or when they make/change laws there are multiple checks
and balances (appeal courts, congress, the preseidents veto, the
queen's veto, etc.). With voting machines there appear to be no checks
and balances.

Kurt Seifried, kurt at seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/





More information about the ISN mailing list