In the conclusion of the "Overview of Red Team Reports"
(http://www.sos.ca.gov/elections/voting_systems/ttbr/red_overview.pdf ) Matt
Bishop wrote,
    ...judging the vulnerability of a system requires
    understanding both the nature and the implementation
    of the policies and procedures under which it is
    used. A system that has 10 vulnerabilities that can
    be remediated by proper, realistic procedures can
    meet a set of requirements better than a system with
    only one vulnerability that cannot be remediated by
    realistic procedures. As the red teams ignored
    compensating controls and mitigations, the raw counts
    of successful, unsuccessful, and untried attacks do
    not indicate which would still be successful in the
    face of compensating controls -- and how realistic
    those compensating controls would be.
Okay.
In the comment I submitted
(http://gnosis.python-hosting.com/voting-project/March.2007/0080.html ) to
the SoS on March 29, I said,
> We are concerned that your proposed review focuses
> too narrowly on the equipment. Administrative factors
> have a lot to do with whether or not current systems
> can be used in a satisfactory manner. ...
>
Sorry, I was trying to save space.
Alan D.
By sending email to the OVC-discuss list, you thereby agree to release the content of your posts to the Public Domain--with the exception of copyrighted material quoted according to fair use, including publicly archiving at http://gnosis.python-hosting.com/voting-project/
Received on Tue Jul 31 23:17:06 2007