Secure Voting software

Collapse
This topic is closed.
X
X
 
  • Time
  • Show
Clear All
new posts
  • PiedmontBiz

    Secure Voting software

    Listening to National Public Radio while reading comp.lang.pytho n. What a life!

    I just heard a piece on NPR about the security failures of an electronic voting
    system being developed. I know a voting system could be developed in python. I
    am working on a simulator myself to run via the web (a personal project only)

    Are there any features which would make python a viable alternative to develop
    a real voting system for use in the US? Why or why not?

    What things must I keep in mind when I design a python application to be
    secure?

    Since python is developed using C, can python be free from the buffer overrun
    problems which plague other C programs?

    allen



  • Skip Montanaro

    #2
    Re: Secure Voting software


    allen> Listening to National Public Radio while reading
    allen> comp.lang.pytho n. What a life! I just heard a piece on NPR about
    allen> the security failures of an electronic voting system being
    allen> developed. I know a voting system could be developed in python. I
    allen> am working on a simulator myself to run via the web (a personal
    allen> project only)

    allen> Are there any features which would make python a viable
    allen> alternative to develop a real voting system for use in the US?
    allen> Why or why not?

    allen> What things must I keep in mind when I design a python
    allen> application to be secure?

    allen> Since python is developed using C, can python be free from the
    allen> buffer overrun problems which plague other C programs?

    Yes, to a great extent, because you need to find buffer overrun
    possibilities in the Python interpreter, but not in every Python
    application.

    As for voting projects, check out:



    Python is the development language I believe. I haven't followed it in a
    couple months.

    Skip

    Comment

    • Paul Rubin

      #3
      Re: Secure Voting software

      piedmontbiz@aol .com (PiedmontBiz) writes:[color=blue]
      > What things must I keep in mind when I design a python application to be
      > secure?
      >
      > Since python is developed using C, can python be free from the
      > buffer overrun problems which plague other C programs?[/color]

      Buffer overruns are just one narrow type of security failure.
      Security is really a hard subject and even systems built by experts
      often have security holes. There are various books written on how to
      write secure software, and also some HOWTO's. For systems like voting
      machines, there are a lot of non-software issues you have to deal with too.

      The book "Security Engineering" by Ross Anderson is a good place to start
      reading if you're interested in the subject.

      Comment

      • Mark Jackson

        #4
        Re: Secure Voting software

        Paul Rubin <http://phr.cx@NOSPAM.i nvalid> writes:[color=blue]
        > piedmontbiz@aol .com (PiedmontBiz) writes:[color=green]
        > > What things must I keep in mind when I design a python application to be
        > > secure?
        > >
        > > Since python is developed using C, can python be free from the
        > > buffer overrun problems which plague other C programs?[/color]
        >
        > Buffer overruns are just one narrow type of security failure.
        > Security is really a hard subject and even systems built by experts
        > often have security holes. There are various books written on how to
        > write secure software, and also some HOWTO's. For systems like voting
        > machines, there are a lot of non-software issues you have to deal with too.
        >
        > The book "Security Engineering" by Ross Anderson is a good place to start
        > reading if you're interested in the subject.[/color]

        Many of the issues have been discussed on comp.risks over the years,
        and the archives of same contain some useful pointers to in-depth
        analyses. A searchable archive is found at http://www.risks.org.

        --
        Mark Jackson - http://www.alumni.caltech.edu/~mjackson
        No *good* model ever accounted for *all* the facts, since
        some data was bound to be misleading if not plain wrong.
        - James D. Watson


        Comment

        • Kirk Strauser

          #5
          Re: Secure Voting software

          -----BEGIN PGP SIGNED MESSAGE-----
          Hash: SHA1

          At 2004-01-22T01:35:01Z, Paul Rubin <http://phr.cx@NOSPAM.i nvalid> writes:
          [color=blue]
          > The book "Security Engineering" by Ross Anderson is a good place to start
          > reading if you're interested in the subject.[/color]

          I just finished "Practical Cryptography" by Niels Ferguson and Bruce
          Schneier. It was almost enough to make me not want to bother trying. :-/
          - --
          Kirk Strauser
          The Strauser Group
          Open. Solutions. Simple.

          -----BEGIN PGP SIGNATURE-----
          Version: GnuPG v1.2.4 (GNU/Linux)

          iD8DBQFAD1Ke5sR g+Y0CpvERAlquAK CSi28drKEVE3fPC 1F9c8SWRBEwWwCd H5pO
          3eAxJDSQ3ViaBDm QG7ZWV+w=
          =sjqt
          -----END PGP SIGNATURE-----

          Comment

          • Ben Finney

            #6
            Re: Secure Voting software

            On Thu, 22 Jan 2004 04:35:07 GMT, Kirk Strauser wrote:[color=blue]
            > At 2004-01-22T01:35:01Z, Paul Rubin <http://phr.cx@NOSPAM.i nvalid> writes:[color=green]
            >> The book "Security Engineering" by Ross Anderson is a good place to start
            >> reading if you're interested in the subject.[/color]
            >
            > I just finished "Practical Cryptography" by Niels Ferguson and Bruce
            > Schneier. It was almost enough to make me not want to bother trying.
            > :-/[/color]

            Security is much more than just cryptography. Program reliability,
            protection from bad input, protection from other misbehaving programs;
            mitigation of *any* kind of risk or threat is the realm of security.

            --
            \ "Last year I went fishing with Salvador Dali. He was using a |
            `\ dotted line. He caught every other fish." -- Steven Wright |
            _o__) |
            Ben Finney <http://bignose.squidly .org/>

            Comment

            • PiedmontBiz

              #7
              Re: Secure Voting software







              [color=blue]
              >At 2004-01-22T01:35:01Z, Paul Rubin <http://phr.cx@NOSPAM.i nvalid> writes:
              >[color=green]
              >> The book "Security Engineering" by Ross Anderson is a good place to start
              >> reading if you're interested in the subject.[/color]
              >
              >I just finished "Practical Cryptography" by Niels Ferguson and Bruce
              >Schneier. It was almost enough to make me not want to bother trying. :-/
              >=2D --=20
              >Kirk Strauser
              >The Strauser Group
              >Open. Solutions. Simple.
              >http://www.strausergroup.com/[/color]


              I checked out the site: http://gnosis.python-hosting.com/voting-project/

              This is a huge and important project. I suppose the programming language is
              really not that important. The issue is trustworthy system development
              (applications, operating systems, drivers, libraries, hardware, etc.), and
              developing ways to validate software.

              A completely different programming paradigm will need to be developed.

              allen

              Comment

              • Paul Rubin

                #8
                Re: Secure Voting software

                piedmontbiz@aol .com (PiedmontBiz) writes:[color=blue]
                > I checked out the site: http://gnosis.python-hosting.com/voting-project/
                >
                > This is a huge and important project. I suppose the programming
                > language is really not that important. The issue is trustworthy
                > system development (applications, operating systems, drivers,
                > libraries, hardware, etc.), and developing ways to validate
                > software.[/color]

                There's bigger problems than any software can solve. See
                http://www.blackboxvoting.com a view of some of them.

                Comment

                • Kirk Strauser

                  #9
                  Re: Secure Voting software

                  -----BEGIN PGP SIGNED MESSAGE-----
                  Hash: SHA1

                  At 2004-01-22T04:36:55Z, Ben Finney <bignose-hates-spam@and-benfinney-does-too.id.au> writes:
                  [color=blue]
                  > Security is much more than just cryptography.[/color]

                  I wasn't implying otherwise. However, being exposed to the level of
                  engineering required to get that one small part of the system right is
                  humbling.
                  - --
                  Kirk Strauser
                  The Strauser Group
                  Open. Solutions. Simple.

                  -----BEGIN PGP SIGNATURE-----
                  Version: GnuPG v1.2.4 (GNU/Linux)

                  iD4DBQFAD+Xq5sR g+Y0CpvERAv3iAK CHyQEMaKj8a8CJQ orrEsHj6DPZ+ACV F5uv
                  ZTfsNz29lr8FBE1 vUSyZ4A==
                  =ePzg
                  -----END PGP SIGNATURE-----

                  Comment

                  • Cameron Laird

                    #10
                    Buffer overruns (was: Secure Voting software)

                    In article <7xvfn4lq9m.fsf @ruckus.brouhah a.com>,
                    Paul Rubin <http://phr.cx@NOSPAM.i nvalid> wrote:

                    Comment

                    Working...