Secure Voting software

PiedmontBiz

Listening to National Public Radio while reading comp.lang.python. What a life!

I just heard a piece on NPR about the security failures of an electronic voting
system being developed. I know a voting system could be developed in python. I
am working on a simulator myself to run via the web (a personal project only).

Are there any features which would make python a viable alternative to develop
a real voting system for use in the US? Why or why not?

What things must I keep in mind when I design a python application to be
secure?

Since python is developed using C, can python be free from the buffer overrun
problems which plague other C programs?

allen
 
Skip Montanaro

allen> Listening to National Public Radio while reading
allen> comp.lang.python. What a life! I just heard a piece on NPR about
allen> the security failures of an electronic voting system being
allen> developed. I know a voting system could be developed in python. I
allen> am working on a simulator myself to run via the web (a personal
allen> project only)

allen> Are there any features which would make python a viable
allen> alternative to develop a real voting system for use in the US?
allen> Why or why not?

allen> What things must I keep in mind when I design a python
allen> application to be secure?

allen> Since python is developed using C, can python be free from the
allen> buffer overrun problems which plague other C programs?

Yes, to a great extent, because you need to find buffer overrun
possibilities in the Python interpreter, but not in every Python
application.

As for voting projects, check out:

http://gnosis.python-hosting.com/voting-project/

Python is the development language I believe. I haven't followed it in a
couple months.

Skip
 
Paul Rubin

> What things must I keep in mind when I design a python application to be
> secure?
>
> Since python is developed using C, can python be free from the
> buffer overrun problems which plague other C programs?

Buffer overruns are just one narrow type of security failure.
Security is really a hard subject and even systems built by experts
often have security holes. There are various books written on how to
write secure software, and also some HOWTO's. For systems like voting
machines, there are a lot of non-software issues you have to deal with too.

The book "Security Engineering" by Ross Anderson is a good place to start
reading if you're interested in the subject.
 
Mark Jackson

Paul Rubin said:
> Buffer overruns are just one narrow type of security failure.
> Security is really a hard subject and even systems built by experts
> often have security holes. There are various books written on how to
> write secure software, and also some HOWTO's. For systems like voting
> machines, there are a lot of non-software issues you have to deal with too.
>
> The book "Security Engineering" by Ross Anderson is a good place to start
> reading if you're interested in the subject.

Many of the issues have been discussed on comp.risks over the years,
and the archives of same contain some useful pointers to in-depth
analyses. A searchable archive is found at http://www.risks.org.
 
Kirk Strauser

At 2004-01-22T01:35:01Z said:
> The book "Security Engineering" by Ross Anderson is a good place to start
> reading if you're interested in the subject.

I just finished "Practical Cryptography" by Niels Ferguson and Bruce
Schneier. It was almost enough to make me not want to bother trying. :-/
--
Kirk Strauser
The Strauser Group
Open. Solutions. Simple.
http://www.strausergroup.com/
 
Ben Finney

> I just finished "Practical Cryptography" by Niels Ferguson and Bruce
> Schneier. It was almost enough to make me not want to bother trying.
> :-/

Security is much more than just cryptography. Program reliability,
protection from bad input, protection from other misbehaving programs;
mitigation of *any* kind of risk or threat is the realm of security.
 
PiedmontBiz

> I just finished "Practical Cryptography" by Niels Ferguson and Bruce
> Schneier. It was almost enough to make me not want to bother trying. :-/
> --
> Kirk Strauser
> The Strauser Group
> Open. Solutions. Simple.
> http://www.strausergroup.com/


I checked out the site: http://gnosis.python-hosting.com/voting-project/

This is a huge and important project. I suppose the programming language is
really not that important. The issue is trustworthy system development
(applications, operating systems, drivers, libraries, hardware, etc.), and
developing ways to validate software.

A completely different programming paradigm will need to be developed.

allen
 
Paul Rubin

Kirk Strauser

At 2004-01-22T04:36:55Z said:
> Security is much more than just cryptography.

I wasn't implying otherwise. However, being exposed to the level of
engineering required to get that one small part of the system right is
humbling.
--
Kirk Strauser
The Strauser Group
Open. Solutions. Simple.
http://www.strausergroup.com/
 
Cameron Laird

.
.
.
> Buffer overruns are just one narrow type of security failure.
.
.
.
Yes and no. Yes, a security audit needs to consider at least hundreds
of distinct categories of technical hazards, and buffer overruns are
just one of these, and arguably not the riskiest. HOWEVER, we make up
for that with the frequency with which we do them; that is, although
all the analysis buffer overruns require was available at least twenty
years ago, it remains, in my experience, much the most frequent
identifiable security-pertinent fault our industry writes in, day
after day. We sure look dumb.

'Course, that's certainly not the fault of Python folk.
 