Pablo Manalastas wrote:
> The Death of Election 2010 Source Code Review
> [So as not to be OT, the election programs run on uClinux and SUSE Linux]
>
> http://pmana.multiply.com/journal/item/84/The_Death_of_Election_2010_Source_Code_Review_Sep_23_09
>
> If you saw the ANC special on Election 2010 at 8:00 o'clock PM on Monday
> night, where I asked Comelec when the source code of the Election 2010
> computer programs will be released for review by interested political parties
> and groups, Director Rafanan said that CenPEG will not do a source code
> review, but an international certification agency will do the review as a
> prerequisite to TEC certification. After customization in November 2009, and
> after code review by that international certification agency in February
> 2010, the source code will be "shown" to interested political parties, but
> not reviewed by them. The PPCRV representative and Ramon Casiple and Renato
> Garcia even added that the source code will be presented in much the same
> manner that a company shows its financial statements to the public.
>

I wonder how much this "international" certification will cost Filipinos again. I also wonder if this could be a good example of colonial mentality as I believe somewhere out here in the Philippines, there are Filipinos who can do good source code reviews too. If their defense is that Filipinos can easily be bought and thus can lend to a poor review, it's a weak argument as anyone without strong values can be bought. Even the ISO processes were manipulated (remember OOXML).

> My daughter Karen keeps telling me that I should not cite the law, RA-9369
> Section 12, which reads:
>
> "Once an AES technology is selected for implementation, the Commission shall
> promptly make the source code of that technology available and open to any
> interested political party or groups which may conduct their own review
> thereof."
>
> She says that I should not cite the law to the lawyers of COMELEC, since they
> are better at the law, and they can twist the meaning of the law to
> whatever they want the law to look like. But I argue with her that this
> provision is not just a question of law, but a question of computer
> technology as well, at which I am slightly better than the lawyers of
> COMELEC. No matter how I twist and turn and squeeze and pull and push these
> words of Section 12, I see no way out but for COMELEC to release the source
> code to the political parties and groups who are interested, and showing them
> the advertising page of a company giving a healthy financial statement of the
> company is not a substitute for source code review. Ask any computer
> programmer, ask Supreme Court Justice Antonio Carpio, ask the members of the
> Philippine Linux Users' Group and they will NEVER agree that showing the
> public a certification by an international certification agency that states
> that the Dominion Voting Systems "Democracy Suite Ballot Marking System plus
> the Democracy Suite Image Cast" has been certified and is suitable for use in
> the Primaries in New York, is not an acceptable certification that the
> "Democracy Suite Image Cast" alone (which Smartmatic has renamed to SAES-1800
> PCOS computer) is suitable for use in the Philippines.
>

> "Once an AES technology is selected for implementation, the Commission shall
> promptly make the source code of that technology available and open to any
> interested political party or groups which may conduct their own review
> thereof."

Lawyers and plain English do not have the same language :-) But I think it is still pretty clear that regardless of the system's (or its components') licenses, the Commission has, under the law, the obligation to __ensure__ that anyone "interested" can have the source code (of the whole system) for review. If it's not a FOSS license, they can have the "interested" party sign an NDA, right? Oh, and yes, they can also not do it too :-) .. Is there anything in the law (RA bla bla bla) that specifies penalties should the provisions not be followed? I haven't seen anyone cite something like that. Though in spite of that, history says that a lot of government people believe that they are exceptions to the laws anyway.

> What I do not understand is why "computer security experts" like Mr. Mara and
> others from the CyberSecurity groups do not want the political parties to do
> a source code review. Why should reviewing the source code make the election
> programs more susceptible to external attacks? Have they not seen the
> experience of Linux and OpenOffice and GIMP and so many other programs that
> are freely available on the Net? Their source codes are available for ANYONE
> to download and review and modify to their hearts' content, and never have I
> seen a report stating that the security of Linux or OpenOffice or GIMP has
> been compromised as a result of these reviews. On the other hand, the source
> code of Microsoft Windows XP and Vista, are not available for download
> anywhere, and yet there are gazillions of viruses and vulnerabilities of
> Windows. This is because opening up the source code for review allows more
> people to study and to help correct the vulnerabilities.
> These corrections for improvement can be accepted by COMELEC, if it wants
> and rejected otherwise. It is still COMELEC's call.
> It is COMELEC's acceptance or rejection of suggestions for improvements
> that will determine the future quality of the election programs, not the
> source code review itself.
>

Political parties can opt not to publish the "holes" they find. They can hire somebody to exploit the hole for them... Also, I don't think COMELEC really does FOSS. They'd feel that suggestions are just going to be complicated and a hassle for them :-) I've seen a lot of times that FOSS is used just to gain automatic acceptance from the ignorant masses.

> But Director Rafanan has already made his final word on the issue, and I
> believe Director Rafanan's word is god's word. May God bless COMELEC, and
> may I ask, like Jesus asked, to "Father forgive them, for they know not what
> they do".
>

Don't expect too much... yet :-)

_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
http://lists.linux.org.ph/mailman/listinfo/plug
Searchable Archives: http://archives.free.net.ph