[ale] hack challenge for electronic [v]oting system
Jonathan Rickman
jonathan at xcorps.net
Sat Aug 23 18:11:35 EDT 2003
On Saturday 23 August 2003 16:37, Jeff Hubbs wrote:
> I'm going to set forth here what I think would be meaningful ground
> rules and goals for such a "hacking demonstration."

I don't think this kind of thing should be handled this way at all, upon
further reflection. These systems need to be accredited just like any
sensitive government computer. After giving it much thought, I feel that
the TCSEC B1 level is the minimum that should be allowed. The reference
(Orange Book) is available in HTML format here:
http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html#HDR3.1
...or if you prefer an offline copy in original format, you can get it at my
site: http://xcorps.net/ftp/pub/papers/government/rainbow/5200.28-STD.pdf

While the TCSEC has mostly been sidelined in favor of CCEVS
(http://niap.nist.gov/cc-scheme/index.html), I find it more useful in a
setting such as this. It certainly is applicable and it should be used to
ensure system integrity. This will help mitigate the risks involved with
giving every potential attacker (insiders included) physical access to the
machine, which we all know is a bad thing. I'm not certain that access to
the source code is required for accreditation at the B level, but complete
documentation of all system features is required, and backed up by a court
order to ensure that the process has teeth...it might suffice.
--
Jonathan Rickman
X Corps Security
http://www.xcorps.net
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale