No Paper for Md. Anti-Touchscreen Voters
<http://www.telegram.com/apps/pbcs.dll/article?Date=20040914&Category=APA&ArtNo=409141037&SectionCat=&Template=printart> Article published Sep 14, 2004 No Paper for Md. Anti-Touchscreen Voters By TOM STUCKEY Associated Press Writer Maryland's highest court Tuesday rejected demands for additional safeguards for touchscreen voting machines, saying elections officials have done everything necessary to ensure the paperless devices are accurate and secure. The Court of Appeals also rejected a call to allow citizens who do not trust touchscreen voting to use paper ballots in the Nov. 2 general election. The decision came in a two-paragraph order issued less than three hours after the judges heard arguments on a suit brought by TrueVoteMD. The citizens group alleges the electronic machines, used statewide for the first time in March, are vulnerable to fraud and that the state cannot guarantee fair and accurate election results. Lead plaintiff Linda Schade said that although the decision was not a surprise, it means voters "are going to be forced to vote on an insecure system." Schade said the state delayed the suit so long that "judges found themselves challenged to find a remedy for this upcoming election that could be implemented in time." Linda Lamone, state election laws administrator, said outside the courtroom that making significant changes in the voting system at this late date would have created chaos on Election Day. Asked about the security of the state's 16,000 Diebold AccuVote-TS electronic machines, Lamone said, "I'm very confident they are accurate and secure." TrueVoteMD wants the state to equip all electronic machines with printers that would make a copy of each vote, although it acknowledged in court that it was too late to do that for the November election. For the upcoming vote, the group had sought paper ballots for voters who mistrust the computer voting system, as well as additional security measures, such as installing Microsoft Windows software patches on the computers used to tabulate votes. The group contends paper records would ensure that votes were properly recorded and could be used for recounts. "We're basically playing Russian roulette," TrueVoteMD lawyer Ryan Phair said as he listed potential problems with electronic machines. "We know there is vulnerability. It is just a matter of time until it happens." Assistant Attorney General Michael Berman said more than 20 successful elections have been held in Maryland using the Diebold machines with no evidence of fraud or allegations of inaccurate vote counts. Phair mentioned allegations of glitches with computerized systems in other states, but said it might be impossible to detect widespread fraud such as rewriting of software to skew election results. Phair said TrueVoteMD will continue its legal battle to force the state to use printers on electronic machines in future elections. Also Tuesday, a local election judge was ordered to return to the Montgomery County elections board an electronic voting machine that U.S. Sen. Barbara Mikulski, D-Md., had trouble using in a weekend demonstration. The machine marked the wrong vote when Mikulski's hand brushed against the screen, and it took her several attempts to correct the vote. The election judge, Stan Boyd, had tests performed on the machine, but would not elaborate on the tests or any findings. Kevin Karpinski, an attorney for the county board, said any problems testing might uncover could be misleading because the machine was only for demonstration purposes and does not have updated software that will be used in the November election. -- - R. A. Hettinga The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: pci hardware for secure crypto storage (OpenSSL/OpenBSD)
On Tue, Sep 14, 2004 at 10:31:11AM +0200, Eugen Leitl wrote: > > I'm looking for (cheap, PCI/USB) hardware to store secrets (private > key) and support crypto primitives (signing, cert generation). It > doesn't have to be fast, but to support loading/copying of secrets > in physically secure environments, and not generate nonextractable > secret onboard. Environment is OpenBSD/Linux/OpenSSL/gpg. Since your environment includes GPG, then I think the OpenPGP smartcard meets pretty well what you are requesting. Combine it it with a USB smartcard reader, and the card becomes USB, too ;) http://www.silicon-trust.com/pdf/secure_8/48_ppc.pdf http://www.g10code.de/p-card.html David - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: will spammers early adopt hashcash? (Re: Spam Spotlight on Reputation)
(everybody is on the mailing list; why all the CC's?) Adam Back writes: > Will it be enough -- we don't know yet, but if widely deployed it > would make spammers adapt. We just don't yet know how they will > adapt. Cryptography is not about math; it's not about secrets; it's not about security. It's about economics. I'd really like to see people NOT talk about the security of cryptography, but instead of about the cost of it. If the cost of breaking a system exceeds the value of an identifiable message, nobody will bother breaking it. If the cost of using a system exceeds the value of the system, nobody will bother using it. So, in this context, Ben & Richards paper is not so much that "hashcash won't work" but instead "the value of using hashcash is exceeded by the cost of using it." -- --My blog is at angry-economist.russnelson.com | Violence never solves Crynwr sells support for free software | PGPok | problems, it just changes 521 Pleasant Valley Rd. | +1 212-202-2318 voice | them into more subtle Potsdam, NY 13676-3213 | FWD# 404529 via VOIP | problems. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: will spammers early adopt hashcash? (Re: Spam Spotlight on Reputation)
>From: Adam Back <[EMAIL PROTECTED]> >Sent: Sep 13, 2004 4:43 PM >To: Adam Shostack <[EMAIL PROTECTED]> >Cc: Ben Laurie <[EMAIL PROTECTED]>, bear <[EMAIL PROTECTED]>, > Hadmut Danisch <[EMAIL PROTECTED]>, > "R. A. Hettinga" <[EMAIL PROTECTED]>, [EMAIL PROTECTED], > Eric Johansson <[EMAIL PROTECTED]>, Adam Back <[EMAIL PROTECTED]> >Subject: Re: will spammers early adopt hashcash? (Re: Spam Spotlight on Reputation) ... >Essentially whatever resources spammers do have, hashcash is going to >slow them down because the balance of CPU power vs bandwidth is such >that 20-bit hashcahs with current hardware is likely to slow down the >output of a typical consumer destkop+DSL line down by afact or 10-100x >less spam. It sure seems like one other impact of this is going to be that zombie machines can't do much spamming in the background, while letting the user of the machine think he still is in control of it. I don't know whether they do that now, though. --John - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: potential new IETF WG on anonymous IPSec
On Mon, Sep 13, 2004 at 02:41:21PM -0400, Sam Hartman wrote: > > >> No. opportunistic encryption means I have retrieved a key or > >> cert for the other party, but do not know whether it is > >> actually the right cert. > > Tim> If the key is retrieved from the other end of a TCP > Tim> connection (like vanilla ssh works the first time), is that > Tim> included within the definition of "opportunistic encryption"? > > Yes. Be careful. I believe that this is not as simple. It depends on what you use the key for. If it is used for encryption, then something like "opportunistic encryption" exists. After all, using an unverified key for encryption is not yet worse than using no encryption. So even if the key might be the attacker's one, nothing is lost compared to plain communication. But avoiding faked TCP resets is also a matter of authenticity. Does 'opportunistic authentication' exist? regards Hadmut - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
pci hardware for secure crypto storage (OpenSSL/OpenBSD)
I'm looking for (cheap, PCI/USB) hardware to store secrets (private key) and support crypto primitives (signing, cert generation). It doesn't have to be fast, but to support loading/copying of secrets in physically secure environments, and not generate nonextractable secret onboard. Environment is OpenBSD/Linux/OpenSSL/gpg. Any suggestions? -- Eugen* Leitl http://leitl.org";>leitl __ ICBM: 48.07078, 11.61144http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net pgpFez8InSggV.pgp Description: PGP signature
Re: Looking for Source of AES code
Damien O'Rourke wrote:
Hi,
I have some AES code here in C and I am trying to find it's author and
source. I can't find
it on the Internet so I figure it was taken from a book. Now I don't want
to send the entire
code to the list for obvious reasons however I was hoping you could help me
from the following
small snippet. Maybe the use of " _fastcall " might jog someone's memory.
If there is
code that appears similar to this but is not exactly the same I would
appreciate the source
of that also.
void _fastcall encrypt(FILE *Encryption_File, FILE *Encrypted_File, unsigned
*expkey)
{
uchar in[16], out[16];
unsigned state[NumberOfBytes], rnd, i;
while (!feof(Encryption_File))
{
uchar k=0;
fread(in,sizeof(uchar),16,Encryption_File);/
*(state+0)= *(in+0)<<24 | *(in+1)<< 16 | *(in+2)<<8 | *(in+3);
*(state+1)= *(in+4)<<24 | *(in+5)<< 16 | *(in+6)<<8 | *(in+7) ;
*(state+2)= *(in+8)<<24 | *(in+9)<< 16 | *(in+10)<<8 | *(in+11) ;
*(state+3)= *(in+1)<<24 | *(in+3)<< 16 | *(in+14)<<8 | *(in+15) ;
I don't know whose code it is but it has bugs in it.
The line above should be:
*(state+3)= *(in+12)<<24 | *(in+13)<< 16 | *(in+14)<<8 | *(in+15);
I doubt that this is the only problem in this code either.
[snip]
Brian Gladman
-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
