Re: CRIME Security experts nix Internet voting plan

From: Crispin Cowan (crispin@private)
Date: Sun Jan 25 2004 - 02:57:44 PST

    Andrew Plato wrote:
    
    >>Beyond that, I can't really discuss any technical details of the system
    >>for obvious security reasons.
    >>
    >>That is not obvious. There is a lot of evidence that open systems are 
    >>more secure than closed systems. OTOH, "... can't really discuss any 
    >>technical details of the system for obvious *proprietary* reasons"  is
    >>obvious :)
    >>
    >
    >Crispin, we're not talking about a word processing program or an open
    >source version of Everquest here. This is a government system for
    >elections. It's a little more important than some open source project.
    >
    That is a bogus argument: "open" either improves security, or it does 
    not. If you want to argue that opening a design or implementation 
    somehow harms security, make your case, but the "this is important ..." 
    argument is a distraction from the issue. If it is important, then it is 
    even *more* vital that it be open.
    
    >And the state is doing something to ensure security. It mandated
    >
    Good. But that's not the issue.
    
    >I also respect the scientific process. It's the core element of my
    >company's methodology (see our web page.) The scientific process demands
    >collaboration with peers. So at some point, Anitian probably will call
    >upon the community for input and advice.
    >
    That is very good to hear.
    
    > I don't know the level of that
    >involvement, I'll have to clear that with the state. But, suffice to
    >say, we're not doing this in a vacuum. Many of the ideas discussed right
    >here are getting into the design meetings because I recognize their
    >importance.
    >
    That also is good to hear.
    
    But I still question the "secret for obvious reasons" assertion. The 
    reasons are far from obvious. "Importance" doesn't cut it at all. Who is 
    mandating the secrecy? The State, Sabre, or Anitian? Whoever it is needs 
    to get some better advice.
    
    >Consider the alternative...this project could be done by some huge out
    >of state company who has no investment in Oregon at all. 
    >
    True, this is an upgrade over Maryland. Congratulations again to Anitian 
    for being awarded a piece of this work. But if the implementation stays 
    closed, then it is only a modest upgrade.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
    CTO, Immunix          http://immunix.com
    Immunix 7.3           http://www.immunix.com/shop/
    