Richard C. Johnson, Ph.D. Applications Architect Oracle Corporation 631-689-3736
As an analyst I helped define IBM MQSeries originally which clearly is mission critical in terms of guaranteed delivery and far different from Microsoft or open source e-mail which is also used for mission critical applications, so clearly the definition of mission critical depends on the context. In this case, for election software that is used only a few times a year and which is at risk to be hacked because such large sums of $ are spent to elect candidates, I think we want to adopt a more stringent definition of mission critical than may be the case for a drug store retail application.
While Microsoft is available for some tasks, it seems like there are vulnerabilities that are evident to even the casual observer. probably the most obvious difficulty is the constant upgrades to the system to close back doors. What may work is for a vendor to chose a version of Microsoft, go though some stringent testing at the Lab of their choice, and then put a hash on the version tested and make that what has to be used for the election. Then, to use an updated version of the OS, stringent testing has to happen again.
In this manner, the COTS can be controlled in some manner and the hash would need to be quadruple checked by outside observers.
6 Raymond Street
Lexington, MA 02421
Tel: (781) 863-5078
----- Original Message ----- From: "Andrew Berg" <email@example.com>
To: "Vincent J. Lipsio" <Vince@lipsio.com>; "Dick Johnson" <dick.johnson@Oracle.com>; "David L. Dill" <dill@CS.Stanford.edu>
Cc: <firstname.lastname@example.org>; <email@example.com>
Sent: Friday, December 03, 2004 7:10 PM
Subject: Re: [ieee] Re: Re: Quick Re: to Dick Johnson's Re: COTS scope
Perhaps this is another example of "IEEE 1583 Specific Terminology" but are we all working from the same definition of "mission critical" here? Who certifies systems (or even components) for "mission critical" use? Lots of people and orginizations do lots of things which are clearly critical to their success on Microsoft OSs.
In previous jobs, I have had to perform maintanence and troublshooting on a couple of Pont of Sale systems that were built on Microsoft OSs using Microsoft Visual Basic and Microsoft Access. These are pretty clearly mission critical to the stores that use them. Some kind of certification probably would not have hurt them, but then probably would not have helped all that much, either.
On Fri, 3 Dec 2004 13:01:48 -0500 (EST), Vincent J. Lipsio <Vince@LIPSIO.COM> wrote:
My best understanding (and I may be wrong) is that Diebold software runs
on Windows2000 and that its GEMS software uses Access. I intended the
"DRE" reference to be generic and to include the voting system and not
Fair enough; however, 1583 does not in any way apply to the GEMS or to anything else that is not at the polling place; therefore, it is simply irrelevant to the COTS scope we are discussing.
Inspection of Windows CE would indeed be a major chore. But without
Which is why it is not used in any mission critical system to the best
of my knowledge. There are commercial RTOSes that are used in such systems,
and their source code has been reviewed so that they could be used in those
systems, and I see RTOSes advertise that they are certified for use in
certain types of systems, but to the best of my knoweldge, no Microsoft
OS has ever been certified for any mission critical use.
inspection, how can we have any assurance that there aren't deliberate backdoors in the OS, for example?
Even in systems where malicious backdoors are not a concern, standards for critical systems require all source code to be reviewed.
If one of the requirements of the P1583 standard is to accommodate existing DRE designs, however flawed, we should say so explicitly in the document.
As with price considerations, as I argued earlier this year: If the
purpose is to cap development costs, and that concern may preempt the
purposes stated in the scope of 1583, then that, too, should be added to
Other industries are required to treat COTS as we are proposing and, unless we are indeed trying to accommodate existing flawed designs, we should also; else, we should say so, as Dave wrote, explicitly in the document.