Dave Farber
2018-08-09 05:14:01 UTC
Right on djf
Archives: https://www.listbox.com/member/archive/247/=now
Modify Your Subscription: https://www.listbox.com/member/?member_id=26461375
Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=26461375&id_secret=26461375-c2b8a462&post_id=20180809011412:0B69818C-9B93-11E8-AFD7-9AF401C9545B
Powered by Listbox: https://www.listbox.com
Subject: Re: [IP] re Voting Software a to true comment on our field
Date: August 9, 2018 14:10:46 JST
[For IP]
What Geoff Kuenning seems to be missing is that the methods developed by the automobile, aeronautics, high-security, and critical systems software communities over those decades are directly applicable to the voting machine problem and are now taught in many schools. Mercedes' adoption of formal verification following their flirtation with bankruptcy over the first ABS system is legendary for a reason. In project after project, modern realizations of these methods have yielded much more complicated systems that have demonstrated zero defects (though many have contained flaws of specification). Spark ADA stands out as a system to examine along these lines, but there are others.
Voting systems must be designed as high-security systems. The evidence that bad actors will seek unrelentingly to compromise them, and that many past bad actors have been well funded and sophisticated, is beyond dispute. Many of you know the joke ending with "But who is Tovarisch Daley?" If that isn't enough, we have an extended sequence of demonstrations by researchers dating back nearly twenty years in which every electronic voting system tested has been found to be readily vulnerable. Including, just to be clear, every single one of the voting systems that are currently cast in doubt. That is: the manufacturers knew. Worse: these results are public, which means that the officials responsible for the integrity of the voting process in the several states knew or should have known. There is evidence that in many key states those officials set aside their lawful responsibilities in favor of political partisanship. Too many saw sacrificing Democracy itself as an acceptable price for supporting their preferred party.
The question isn't whether these machine implementations are grossly negligent. The question is when we will acknowledge that the critical role of software in society warrants substantial civil protections, up to and including civil and criminal liability, for knowingly shipping a critically flawed critical system and/or ignoring the most mundane levels of well-established routine practices. Penetration testing of critical public systems with public reporting should not only be routine, it should be mandated by statute. Yes, the expense of these systems will rise. Consider, however, that while these systems are vulnerable the market price of the American political and legal process is essentially "free".
A hard-wired password "abcde" in a voting machine and nobody goes to jail? The folks at Black Hat were not the first ones to find that!
Jonathan Shapiro, Ph.D.
(Formerly) Assistant Professor
Department of Computer Science
Johns Hopkins University,
Co-founder, Johns Hopkins University Information Security Institute
Subject: Re: [IP] Re Voting Software a to true comment on our field
Date: August 9, 2018 13:19:25 JST
What Randall Munroe seems to be missing (the last panel and the popup are a bit unclear about what position he is taking) is that airplane engineers and elevator designers went through *decades* of learning how to make safe systems. See, for example, the history of the Airbus A320. Manufacturers of voting software don't have those years of experience, and in fact they have been highly resistant to suggestions from experts in software reliability and consistently reluctant to submit to outside testing (such as what the FAA does for airplanes, and other bodies do for elevator designs).
Furthermore, when an airplane or elevator fails, the failure is obvious. When a voting system fails, the failure can be incredibly subtle--and in fact, the beneficiaries of the failure can be astoundingly resistant to suggestions that the results might not be accurate (see 2000, 2004, and 2016 U.S. presidential elections).
So this is another case where reasoning by analogy breaks down completely.
--
Orchestra retrospectively extremely satisfied with symphony [No. 1] as
result of barrel of free beer.
-- Gustav Mahler, post-premiere letter to Arnold Berliner