[ISN] Crypto stars sound off on e-voting, digital rights management

From: InfoSec News (isn@private)
Date: Wed Feb 25 2004 - 23:16:21 PST

  • Next message: InfoSec News: "[ISN] Cyber-terror drama skates on thin Black Ice"

    http://www.computerworld.com/securitytopics/security/story/0,10801,90486,00.html
    
    By Paul Roberts
    FEBRUARY 25, 2004
    
    SAN FRANCISCO -- A panel of distinguished cryptographers at the RSA
    Conference here weighed in on a variety of hot button issues,
    including electronic voting and rights management for digital media.
    
    Speaking at the annual Cryptographers Panel on Tuesday, Ronald Rivest,
    co-creator of the RSA encryption algorithm, backed calls for paper
    ballots to supplement insecure electronic voting technology, while
    fellow luminaries Paul Kocher and Whitfield Diffie predicted heated
    battles between privacy advocates and intellectual property owners
    over the issue of digital rights management.
    
    Rivest cited recent analysis of Diebold Inc. electronic voting systems
    after a leak of the source code for those systems as evidence that
    such systems were inadequate to ensure the authenticity of votes cast.
    
    Analysis of the Diebold source code showed that the company's
    programmers failed to use accepted authentication methods to secure
    voting data and cast doubt on the ability of Diebold or other
    companies to patch the code in time to guarantee the results of
    approaching elections, including this year's presidential elections,
    he said.
    
    To ensure the outcome of elections where electronic voting kiosks are
    used, municipalities should implement voter verifiable technology that
    would produce a paper copy of each ballot that is cast, Rivest said.
    
    Speaking to an audience of fellow cryptographers and security experts,
    Rivest cautioned against the "digitizing" of votes. "We know only too
    well the difficulties of securing complex electronic systems," Rivest
    said. Technology companies and municipalities should "go slow," and
    "keep it simple," relying on paper ballots and audit trails to verify
    the data collected by electronic voting kiosks, he said.
    
    Speaking after Rivest, Kocher, president and chief scientist of
    Cryptography Research Inc. cited "failed economies" in a number of
    areas of technology adoption that are causing pain for corporations
    and ordinary computer users.
    
    The inability of entertainment companies to control the technology
    used to play their products -- music and movies -- has resulted in a
    flood of piracy that's hurting those companies, Kocher said.  
    Similarly, the way e-mail is sent and received makes it easy for
    spammers to flood users' inboxes with unsolicited messages, he said.  
    The technology community and the private sector need to address those
    issues if they want to solve problems like piracy and spam. Failing
    that, government regulation may be needed to mandate security
    standards, he said.
    
    Concerns about piracy and terrorism may spell the end of computers and
    computer networks that are entirely controlled by their owners, said
    Diffie, chief security officer at Sun Microsystems Inc. The ongoing
    battle between entertainment companies and their customers over
    digital duplication of songs and videos and the federal government's
    desire to tap into data sent over voice over Internet Protocol
    networks may yield to built-in surveillance features that report on
    how computers are being used, Diffie said.
    
    The panel of cryptography experts was also critical of Microsoft
    Corp., weighing in on a variety of issues, including the company's
    security plans and revelations that its Windows source code was
    recently leaked onto the Internet. Speaking shortly after Microsoft
    Chairman and Chief Software Architect Bill Gates addressed the
    conference, Adi Shamir of the Weizmann Institute of Science in Israel,
    another RSA algorithm creator, said that the release of the
    proprietary source code probably would not pose a security risk to
    Windows users, but showed that Microsoft wasn't in control of its
    code.
    
    If the company had fingerprinted its released code, it would have
    quickly been able to say where the leaked code came from. The fact
    that the company initially appeared confused about the source of the
    leak showed that even simple security measures are sometimes ignored
    by powerful companies, he said. The leak of the source code posed
    ethical problems for legitimate security researchers, who risk
    violating the law in analyzing the code - a problem that virus writers
    and online criminals don't have, Kocher said. Microsoft should
    officially release the leaked code passages for analysis and enable
    security researchers to legally examine it, he said.
    
    Kocher was also critical of the security measures Gates outlined in
    his speech, noting that none of the company's proposed measures
    involved simplifying Windows, but instead required more additions to
    the already massive code base. In a statement that elicited loud
    applause from the audience, Kocher said that Microsoft should look for
    ways to make Windows less and not more complex.
    
    "As a species, we're not smart enough to handle the complexity of this
    stuff. You have to get the complexity out of there," he said.
    
     
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Feb 26 2004 - 02:16:26 PST