How thorough is this testing and review process? Am I understanding this correctly that they only review portions of the code, on top of function & security testing?
(elections.ny.gov)
from Gates9@sh.itjust.works to programming@programming.dev on 15 Jul 15:48
https://sh.itjust.works/post/42202683
cross-posted from: sh.itjust.works/post/42201485
This is how I read it:
They did a review of some of the tests, but ran all.
The source code was reviewed in its entirety.
They found vulnerabilities, but because “[…] these potential vulnerabilities would be exploitable only by a vendor insider attack.
No open issues remain for this area of review.”
Problems and discrepancies they found are in an attachment to another report and in jira, both of which are confidential.
Any issues with transparency there? I always heard these voting machine companies fight tooth and nail to protect their IP…when I hear “confidential” it doesn’t inspire a great deal of confidence (no pun intended), but I’m admittedly paranoid and not very familiar with this subject.
It's probably the usual closed source, but maybe not, I can't take more of the abbreviation soup.
The other big danger is an attacker from the inside, and unless they have an amazing solution in their confidential jira, they just declared it not a problem.