27Jan2010 (UTC +8)

2009/7/15 Pablo Manalastas <[email protected]>:
> --- On Wed, 7/15/09, fooler mail <[email protected]> wrote:
[...]
>> digital signature can test the authenticity of the original
>> program...
> I am thinking of something even more primitive: SHA256 checksum.
> If the checksum of the original approved program is given to all
> watchers, then anytime during election, the checksum of the running
> can be computed and compared with the original.

I asked Smartmatic about that too. They use SHA256 (not MD5 nor SHA1) to verify hash sums of files. Additionally, AES is used for bulk encryption, not 3DES.

> I do not trust
> the digital signature of Smartmatic. Smartmatic may have several
> versions of the election programs running on the 82,200 computers,
> some of which can cheat, and still Smartmatic can digitally sign
> all the different versions. The only thing that Smartmatic's
> signature means is that the program came from them. But there
> may be several different programs.

[Note: Just passing this info along, and would love to confirm it myself.]

As I understand from Smartmatic, Systest Lab people will be here on February 4 (Thursday, next week; don't know what time nor where yet), will deliver the binaries they (yup!) compiled from Smartmatic's source code, and install it in the AES machines, under the observation of all political parties. They will soon come up with the documentation for all parties on how the entire process is supposed to be done.

Drexx Laggui -- CISA, CISSP, CFE Associate, ISO27001 LA, CCSI, CSA
http://www.laggui.com ( Singapore / Manila / California )
Computer forensics; Penetration testing; QMS & ISMS developers; K-Transfer
PGP fingerprint = 6E62 A089 E3EA 1B93 BFB4 8363 FFEC 3976 FF31 8A4E
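
Added example, not part of the original message and not Smartmatic's or Systest's tooling: the checksum comparison discussed in this thread, written in Python. It checks the files found on a machine against one published list of SHA-256 values, so a second vendor-signed variant, a missing file, or a file nobody approved all show up. The file names, function names and the `sha256sum`-style manifest layout are assumptions, and the sample data is constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file so a large binary need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_manifest(text):
    """Parse 'hexdigest  filename' lines, the layout sha256sum prints."""
    approved = {}
    for line in text.splitlines():
        if line.strip():
            digest, name = line.split(maxsplit=1)
            approved[name.lstrip("*")] = digest.lower()
    return approved


def audit(root, approved):
    """Return {relative name: OK | MISMATCH | MISSING | UNLISTED}."""
    root, report = Path(root), {}
    for name, expected in approved.items():
        target = root / name
        if not target.is_file():
            report[name] = "MISSING"
        else:
            report[name] = "OK" if sha256_file(target) == expected else "MISMATCH"
    for path in root.rglob("*"):  # files the approved list never mentioned
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in approved:
            report[rel] = "UNLISTED"
    return report


def demo():
    """Constructed sample data only; no real election files or hashes."""
    good, other = b"approved build A\n", b"approved build B\n"
    listed = (("count.bin", good), ("report.bin", other), ("print.bin", other))
    manifest = "".join(f"{hashlib.sha256(d).hexdigest()}  {n}\n" for n, d in listed)
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "count.bin").write_bytes(good)                # identical
        (Path(tmp) / "report.bin").write_bytes(other + b"\x00")    # one byte added
        (Path(tmp) / "extra.bin").write_bytes(b"not in manifest")  # never approved
        return audit(tmp, parse_manifest(manifest))
```

Hashing a file on disk shows what is stored, not necessarily what is executing, and the result is only as trustworthy as the system that computes it.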

