Until such time as ISP's are able to uniquely identify WHO did it and not just "well this guy owns the house where the service is terminated", the other folks in the area can get their own internet access.
Until such time as ISP's are able to uniquely identify WHO did it and not just "well this guy owns the house where the service is terminated", prosecutors and plaintiffs should not be able to meet their burden of proof on such offences.
There. FYP.
Obligatory IANAL
Now, hmmm. Consider 2 situations:
Situation A
- Bad guy cracks your WPA / WEP key and uses your network to download copyrighted material.
- You are sued (civil case), and the burden of proof required is preponderance of the evidence / balance of probabilities.
- You live in a densely populated area where there are a large number of computer-unsophisticated users who regularly use somebody else's network because they left it open
- It is introduced into evidence that you secured your network to try to ensure that only you could use your network
- The only question of fact at trial is the identity of the infringer - your defense is that somebody else may have used your network to commit the act in question
Situation B
- Bad guy uses your open wireless network to download copyrighted material.
- You are sued (civil case), and the burden of proof required is preponderance of the evidence / balance of probabilities.
- You live in a densely populated area where there are a large number of computer-unsophisticated users who regularly use your network because you left it open
- The only question of fact at trial is the identity of the infringer - your defense is that somebody else may have used your network to commit the act in question
Do you feel that it is more likely that your defense (somebody else did it) is correct under Situation A or Situation B?
In a civil case, where allegations do not have to be proven beyond reasonable doubt, how do you feel this impacts a balance of probabilities test?
"Securing" your network could put you in a worse situation. DUCY?
The people running dns servers are probably 0.000001% of internet users....
ummm... Okay... Only that's not what the story was talking about. The story was talking about a user using a different resolver from comcast, rather than their resolver. This has nothing to do with running a dns server. There are a number of reasons to want to use another resolver, including:
Security - Switching resolvers to OpenDNS was one of the suggested protection methods for Kaminsky's DNS flaw.
Avoid NXDOMAIN hijacking / forgery - All the net is not the web, and NXDOMAIN hijacking breaks everything except the web (and sometimes even breaks the web too).
Avoid outages - Outages caused by the provider's inability to achieve a simple task (keeping their caching name-servers up) while connectivity is still there shouldn't cause an outage of your net access
Alternative DNS roots
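The NXDOMAIN-hijacking point above can be checked mechanically rather than argued: ask a resolver for a random label that cannot exist, and see whether it admits NXDOMAIN or invents an address. The following is an added example, not code from the original comments: a minimal DNS wire-format parser plus two constructed replies, one honest and one forged. The probe name, the 0x1234 transaction id, the example.com zone and the 192.0.2.1 address are all assumed sample values.

```python
import secrets
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, CLASS_IN = 1, 1
PROBE_NAME = "probe-0badc0ffee00.example.com"   # constructed: a label nobody has registered


def encode_name(name: str) -> bytes:
    """Dotted hostname -> DNS wire format (length-prefixed labels, zero terminator)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode a name at offset, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in the message)."""
    labels, jumped, resume_at = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                resume_at = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (resume_at if jumped else offset)


def random_probe_name(zone: str = "example.com") -> str:
    """A label that cannot exist in the zone; an honest resolver must answer NXDOMAIN."""
    return f"probe-{secrets.token_hex(6)}.{zone}"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard recursive A query for name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD bit set
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_response(msg: bytes) -> dict:
    """Pull out transaction id, RCODE and any A records from a DNS response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):                     # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4                              # QTYPE + QCLASS
    a_records = []
    for _ in range(ancount):
        _, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            a_records.append(".".join(str(b) for b in rdata))
    return {"id": txid, "rcode": flags & 0x000F, "a_records": a_records}


def classify_resolver(parsed: dict) -> str:
    """For a probe of a nonexistent name: NXDOMAIN is honest, NOERROR with an
    address is NXDOMAIN hijacking/forgery, anything else is inconclusive."""
    if parsed["rcode"] == RCODE_NXDOMAIN:
        return "honest"
    if parsed["rcode"] == RCODE_NOERROR and parsed["a_records"]:
        return "hijacking"
    return "inconclusive"


def make_response(query_name: str, rcode: int, a_records=(), txid: int = 0x1234) -> bytes:
    """Fabricate a response offline (stand-in for what a real resolver would send back)."""
    flags = 0x8180 | rcode                       # QR=1, RD=1, RA=1, plus RCODE
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    msg += encode_name(query_name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for ip in a_records:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # name is a pointer (0xC00C) back to the question name at offset 12
        msg += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 60, 4) + rdata
    return msg


# Constructed sample replies to the probe query.
HONEST_RESPONSE = make_response(PROBE_NAME, RCODE_NXDOMAIN)
HIJACKED_RESPONSE = make_response(PROBE_NAME, RCODE_NOERROR, ["192.0.2.1"])

if __name__ == "__main__":
    print("query bytes:", len(build_query(random_probe_name())))
    for label, reply in (("honest", HONEST_RESPONSE), ("forged", HIJACKED_RESPONSE)):
        print(label, "->", classify_resolver(parse_response(reply)))
```

Against a live resolver the same `build_query` bytes would go out over UDP port 53 and the reply would be fed to `parse_response`; the random label matters because a forging resolver behaves normally for names that do exist, so only an unregistered name exposes the substitution.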
the rest are probably just infected machines... is it simply to try to get a handle on worms and malware... If the cost from malware
Sorry... what does using a different resolver have to do with malware? Yeah. I thought so.
The question is *why* do they care about filtering DNS traffic?
The reasons I've heard advanced most frequently to encourage the use of the ISP's caching nameserver are:
Bandwidth - Though this will not impose a significant increase in bandwidth on the ISP, it can impose a somewhat larger load on the roots and TLDs. Though with the larger caching nameservers like OpenDNS this should not appreciably increase load
Ad revenue - See above on NXDOMAIN hijacking / forgery. This is an inappropriate business practice that breaks everything except web and often breaks the web too
This detracts from their profitability on only one of their lines of business - the one where you are the product.
In short, it's just some random operator on the 'net whose only real credential is they paid the fee needed to register a domain name (or SSL certificate).
I see. You are under the illusion that an SSL cert (ought to) assert(s) meatspace identity (or identity other than "one who controls domain xxx.com"). Perhaps identity assertions other than those contained in CN or subjectAltName ought to have some meaning. Kinda what EV intends to do... for corps.
The real problem here is that "trust" is just a very hard problem. It's labor-intensive to establish trust. What should we want? Two forms of ID? Credit references? Notarized forms? Personal appearance? Background check investigations?
You are mixing / begging the question on a few concepts here, including:
- granularity of identification
- strength of identification verification
- reputation
Perhaps if these concepts were dealt with in an orderly, separate manner, the question of trust would be more easy to quantify and address.
Now we're trusting a company -- whose interests aren't necessarily coincident with ours -- to authenticate others for us.
Trust but verify. They publish a statement with respect to the policies and procedures that they follow. They are audited to ensure they follow those policies and procedures. It is up to us (and the browser makers [?]) to ensure that those policies are sufficient for our purposes.
Please name such a CA which "happily hand over valid certs to anyone with a credit card" and does not "take reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on the registrant's behalf" and which is trusted by the major browsers.
And then, perhaps, explain why you feel this is in _any_ way relevant to a discussion on DNSSEC.
Though, I suppose, this is Slashdot. Why post based on relevant facts rather than baseless, off-topic innuendo?
The basic idea is valid, but the implementation sucks
Umm... Perhaps, but probably not in quite the way you suggest. The current implementation doesn't allow the user to distinguish between certs issued by CAs with smart, rigorous CPSs (you do know what that is, right?), and certs issued by CAs that only check e-mail to admin@, postmaster@, ...
(and can probably only be made to not suck in a closed environment). Some CAs being diligent isn't enough, they all (well, all the ones trusted by any major browser) have to be diligent for the system to work at all.
Yeah. Which is why the major browsers require that the CAs be audited (and if they delegate to resellers the resellers too) to verify that they actually comply with what they say they'll do (their CPS), and that their CPS meets a minimal set of standards.
It seems your argument really boils down to: there has been a race to the bottom on the documented signing policies in order to minimize costs because higher cost, more rigorous validation mechanisms can't be used to differentiate a cert in the marketplace. (Except EV, but that's a whole other story)
My choosing the best CA out there doesn't matter a bit, because they can't do anything to stop the worst from handing a phisher a cert for my domain.
And they can't do anything to stop the best from handing a phisher a cert. However, the browser producers require an audit (which serves as a detective and preventive control) to verify that appropriate and sufficient processes are in place to ensure that a) the CPS is followed and b) the CPS meets a (minimal) set of rules.
Now, all this means that when (as a user) you're presented with a cert [that is not EV], you can be strongly assured that at some point, that cert was issued to someone who could read and respond to mail at an administrative email account for that domain. Is this sufficient for the user? Maybe. If it's a forum site, or a blog site, then probably. If it's an eCommerce or online banking site, probably not.
The browser makers need to allow:
a) Certs with differing validation methods to be differentiated (on a finer granularity than EV / not EV)
b) Client-side policy to be implemented on the basis of that differentiation
In order to arrest this race for the bottom and competition solely on price by the CAs.
Incidentally, both of these can be achieved within the current CA infrastructure...
"Unless you're going to pay the auditors to run a compliance check after every change you make"
Not relevant to the case at hand, but:
1.1.1 A formal process for approving and testing all network connections and changes to the firewall and router configurations...
6.3.1 Testing of all security patches, and system and software configuration changes before deployment, including but not limited to the following:
6.3.1.1 Validation of all input (to prevent cross-site scripting, injection flaws, malicious file execution, etc.)
6.3.1.2 Validation of proper error handling
6.3.1.3 Validation of secure cryptographic storage
6.3.1.4 Validation of secure communications
6.3.1.5 Validation of proper role-based access control (RBAC)...
6.4 Follow change control procedures for all changes to system components. The procedures must include the following:
6.4.1 Documentation of impact
6.4.2 Management sign-off by appropriate parties
6.4.3 Testing of operational functionality
6.4.4 Back-out procedures...
6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
- Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes
- Installing a web-application firewall in front of public-facing web applications...
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by Payment Card Industry Security Standards Council (PCI SSC). Scans conducted after network changes may be performed by the company's internal staff.
11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a subnetwork added to the environment, or a web server added to the environment). These penetration tests must include the following:
11.3.1 Network-layer penetration tests
11.3.2 Application-layer penetration tests
They knew the processor had previously failed an audit because of storage of unencrypted PANs and non-compliant firewalls.
They provided an audit report that said "fully compliant" with CISP.
In the aftermath of the breach, it was discovered that the processor still had non-compliant firewalls and was still storing unencrypted PANs.
It appears that Savvis did not do their job. This will not be the big question at the trial, though.
Merrick was not in contractual privity with Savvis. Savvis was contracted by CardSystems, not Merrick. The issue at trial will likely be whether Savvis owed a duty of care to others that relied on their report (rather than just their client).
I would suggest that if an audit scheme is to have any benefit at all, it must accrue to those that rely on the audit findings. If 3rd parties cannot rely on the audit findings, then there is no reason to conduct the audit in the first place.
Apparently the bar associations and judges overseeing disciplinary hearings are no longer buying the "country bumpkin lawyer" defense. Or, at least, so said a lawyer who ought to know at a session at RSA last year (this _is_ Slashdot, so I'm too lazy to pull up the presentation from the Windows only USB stick they gave us as swag). There is starting to be a recognition that if you don't have the capacity to protect your clients' data, that you need to find somebody who does.
Online Etymology Dictionary: vet (1) 1862, shortened form of veterinarian. The verb "to submit (an animal) to veterinary care" is attested from 1891; the colloquial sense of "subject to careful examination" (as of an animal by a veterinarian, especially of a horse before a race) is first attested 1904, in Kipling.
If the alternative is the guy sitting next to you, who is a faith healer, then yes, you do have something to add to the discussion through your understanding of the scientific method, research methodology and critical analysis of evidence.
Why the heck would anyone in their right mind want to get rid of the perfect foil?
Maybe because he's also serving as the perfect foil for "moderate" Republicans. Why do you think Lugar et al are rolling on Bush now? Do you think the strategy for '08 Republicans may be "we're not all the same as W - see look - a few of our most senior senators have come out against Bush's war, and they're not even running this time"?
Running against Bush in '08 will guarantee a Democratic defeat.
Electronic vote collection and counting reduces the margin of error to a level below the margin between recent candidates.
Curious. There is a significant amount of evidence that the manual counting system used in Canada has an error rate well less than 0.1%. There is also significant evidence that e-voting machines (DRE and OpScan) have error rates well in excess of 2%.
It demeans the real challenges faced by individuals with handicaps to suggest that we need to diminish the reliability of our electoral system in order to encourage their participation.
2. Printing costs.
Costs for paper / pencil only systems are significantly less than for electronic systems, particularly when election administration is centralized (see Canadian electoral system costs). This is even before you consider that electronic voting equipment is being amortized over an absurdly long period of time (far longer than their estimated useful life. I would bet there will be a lot of counties writing off systems after the next cycle that still have significant unamortized book value).
3. Storage costs. Storage costs are increased with electoral equipment. The equipment itself needs to be stored and takes more room than paper ballots. Further, the equipment typically has more stringent environmental requirements (temperature, humidity, etc. control) for the storage facility than paper ballots. Paper ballots need to be stored for less time than equipment. Paper ballots can be destroyed once disputes relating to them have been settled, and only have a useful life of at most one electoral cycle. Equipment must be stored throughout its useful life.
4. People.
It takes candidates' representatives and two officials from the authority conducting the election to count ballots in precinct. These are individuals who are already involved in the process, observing and administering (respectively) the conduct of the voting process of the election.
5. Quicker results. We know who our Prime Minister is before bed-time EST on election night. How about you? Vote counting is a highly parallelizable activity.
Regardless, is it appropriate to set cost and speed above accuracy and security in elections administration?
What confuses me about electronic voting is that we constantly do commerce daily through electronic means (ATMs, credit cards online, etc) yet we cannot hammer down a viable scheme for voting.
Red herring. Stop repeating this crap.
Maybe because the two problems have vastly different requirements? Maybe because e-commerce does not require anonymity or secrecy in the same way that voting does? Maybe because in the e-commerce problem, it is essential to prove that a given transaction occurred, and that it occurred between a particular set of parties, while in an election, it is essential that you not be able to prove this.
I am a programmer and very familiar with model view controller applications
So am I. So what. You are familiar with one class of solution that works well with a particular set of problems. Are you familiar with this particular problem domain? It appears not.
(with possible hardware verification methods*)... using a PCI card or even serial port dongle with specific hardware and firmware that verifies a machine as an untampered voting box.
Okay, so you're calling for the industry to invent a magic wand. Good luck with that.
then asked for people to input their SSN and vote, that could be sent to a controller that could provide this information to three or four third party vendors. The vendors would verify the SSN against a government data base through very secure lines. They then would accumulate the data from each client terminal and be able to privately verify their data against each others. The gain from this? Ability to use asymmetric encryption standards (which are already used by our browsers in online commerce) with redundant data sources (so someone would have to identically hack all third party systems in order to compromise the data). You have a PhD so I'm hoping this question isn't too technologically oriented for you but what's wrong with this approach?
It provides no auditability to ensure that the vote is faithfully transmitted by the terminal, only (marginal) protection of the vote once it leaves the terminal. It provides no accessible audit trail of the essential process (the translation of individual voters' intent into aggregated final results). It breaches secrecy of the ballot if it allows a voter to verify his ballot post facto. It imposes an authentication system that is not weakened by the lack of knowledge of the subjects being authenticated.
I've been in the count room as a scrutineer many times at every level of Canadian elections (municipal [in a municipality that was paper/pencil], provincial, federal). The keys to the system are transparency and simplicity.
For the count in precinct (technically called the unofficial count), the process is similar to the Australian process outlined in the other reply to this post. The ballot box is opened, and all ballots are removed from the box. The box is confirmed to be empty. The poll clerk and deputy returning officer then count and record all ballots in full view of all of the scrutineers. Scrutineers have an opportunity to raise objections to any ballot (on the basis of multiple marks, marks that may identify the voter, or ballots with no discernible intent). Number of unused ballots + number of counted ballots + number of spoiled ballots (returned by the voter b/c he made an error, clearly marked spoiled, voter given another ballot) are reconciled against number of ballots the precinct started with. Number of counted ballots is reconciled against number of entries in poll book. Ballots are then sealed in a number of envelopes (unused, spoiled, each candidate, disputed) and the DRO, PC and scrutineers sign across the flap of the envelopes. These envelopes are then sealed in the same manner inside a larger envelope. This envelope is placed inside the ballot box, which is then sealed with a numbered seal. The ballot box is then transported (always 2+ individuals with it) to the returning office, where it is stored in a physically secured location.
Shortly thereafter (1-2 days), the returning officer for the constituency, in a similar process, with scrutineers, conducts an official count of all ballots from all precincts. He then certifies the result to the chief electoral officer, and retains custody of all ballots in a physically secured location.
In some circumstances (particularly close elections, abnormally large numbers of disputed ballots,...) a judicial recount may be requested. In this instance, a judge and representatives of the candidates attend at a courthouse to count all or a portion of the ballots. The judge makes binding decisions as to the validity of disputed ballots.
As a result, we potentially have 3 independent counts of the ballots. Deviation among these counts should provide a good reflection of any random error introduced into the system by the method. In practice, I have seen results among these counts diverge by at most a dozen votes (of 50,000, for an error rate of 0.024%). I have only seen one instance where variation between unofficial, official and judicial recounts have resulted in a flipped race (and this was in a race decided by 3 votes, and was not due to random error - it was due to different judgements about validity of ballots by the DRO, RO and judges). Contrast this with the error rates for electronic equipment (notably OpScan) documented in the academic research, and our manual vote system comes out looking pretty damn good.
The reason that manual recounts have not worked so well in the U.S. in the past is that the ballots were designed to be read by counting equipment, not humans. Punch cards were not designed to facilitate a manual recount. Many OpScan ballots suffer from similar problems. Well designed ballots and processes do not experience significant variances between counts.
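The two reconciliations in the count-room description above (unused + counted + spoiled against the ballots issued, and counted against the poll book) and the comparison of the three independent counts are exactly the kind of checks an auditor would want written down as code. What follows is an added example, not anything from the original comments or from Elections Canada: the precinct figures, candidate names and constituency totals are constructed sample data, chosen so that the three counts diverge by a dozen votes out of 50,000, the figure the comment quotes.

```python
from dataclasses import dataclass


@dataclass
class PrecinctCount:
    """Figures the DRO and poll clerk record at the in-precinct count (constructed sample)."""
    ballots_issued: int          # ballots the precinct started the day with
    unused: int                  # blank ballots left in the pad
    spoiled: int                 # returned by a voter, marked spoiled, replaced
    poll_book_entries: int       # voters recorded as having been handed a ballot
    per_candidate: dict          # candidate -> ballots counted for them
    disputed: int = 0            # ballots a scrutineer objected to, sealed separately

    @property
    def counted(self) -> int:
        """Everything taken out of the box, including ballots still in dispute."""
        return sum(self.per_candidate.values()) + self.disputed


def reconcile(pc: PrecinctCount) -> list:
    """Apply the two reconciliations from the count-room process.
    Returns the list of failures; an empty list means the precinct balances."""
    problems = []
    stock = pc.unused + pc.counted + pc.spoiled
    if stock != pc.ballots_issued:
        problems.append(
            f"ballot stock: unused+counted+spoiled = {stock}, issued = {pc.ballots_issued}")
    if pc.counted != pc.poll_book_entries:
        problems.append(
            f"poll book: counted = {pc.counted}, entries = {pc.poll_book_entries}")
    return problems


def max_divergence(counts: dict) -> int:
    """Largest per-candidate gap between any two independent counts of the same ballots.
    counts maps a count name (unofficial / official / judicial) to {candidate: total}."""
    candidates = set().union(*(c.keys() for c in counts.values()))
    worst = 0
    for cand in candidates:
        totals = [c.get(cand, 0) for c in counts.values()]
        worst = max(worst, max(totals) - min(totals))
    return worst


def error_rate(divergence: int, ballots: int) -> float:
    """Divergence expressed as a fraction of ballots cast (0.00024 == 0.024%)."""
    return divergence / ballots


# Constructed precinct data: one box that balances, one a single ballot short.
BALANCED = PrecinctCount(ballots_issued=500, unused=212, spoiled=3, poll_book_entries=285,
                         per_candidate={"Smith": 150, "Jones": 131}, disputed=4)
SHORT_ONE = PrecinctCount(ballots_issued=500, unused=212, spoiled=3, poll_book_entries=285,
                          per_candidate={"Smith": 150, "Jones": 130}, disputed=4)

# Constructed constituency totals from three independent counts of 50,000 ballots.
CONSTITUENCY = {
    "unofficial": {"Smith": 25_106, "Jones": 24_894},
    "official":   {"Smith": 25_101, "Jones": 24_899},
    "judicial":   {"Smith": 25_094, "Jones": 24_906},
}

if __name__ == "__main__":
    for name, pc in (("balanced", BALANCED), ("short one", SHORT_ONE)):
        print(name, "->", reconcile(pc) or "OK")
    spread = max_divergence(CONSTITUENCY)
    print(f"max divergence {spread} of 50,000 = {error_rate(spread, 50_000):.3%}")
```

A missing ballot trips both checks at once (the stock no longer adds up and the count no longer matches the poll book), which is the point of having two reconciliations against independently recorded figures: a single bookkeeping error cannot make the box look balanced.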
No. It seems I end up responding to this argument every time a Diebold (or other voting) story comes up. Just to shake things up, I'll review your points from the bottom-up.
"An electronic voting system would be more secure then a paper trail with PEOPLE manually counting each vote."
A well-designed manually counted paper system (yes, you do need design in manual processes too), like implemented in Canada, can significantly improve both accuracy and security. Secondarily, it allows the resolution of contentious races more quickly. A well designed system (paper or electronic) does not rely on trust of any individual. The entire process is observed by individuals who have diametrically opposed interests (with respect to the outcome of the election) - namely representatives of each of the candidates. The artifacts of the vote (the ballots) are readily observable without intermediaries. The physical and information characteristics of all tools used are well understood by most people (i.e. We can make assertions like "A solid box with a slot on the top was confirmed in public to be empty, and immediately sealed. The box was in public view from the point of sealing to the point of unsealing. Thus, no ballots could have been added or removed without being observed"). Standards for what constitutes a vote are well established in statute and in case law.
The key is that the process is transparent.
"when you vote you're given a ticket with a number, anyone can go online and see how everyone voted but only you are able to tell which vote was yours by the corresponding ticket number."
Which provides you the ability to prove your vote, which introduces coercion and provable vote-selling into the system, neither of which have been deemed desirable.
"Source code is 100% open to find exploits and bugs"
Read Thompson's "Reflections on Trusting Trust" Turing award lecture (http://www.acm.org/classics/sep95/) for an explanation of why this is inadequate.
"I don't understand why an open voting system wouldn't work"
Because without a voter-verifiable paper trail, such a system is unauditable.
In what way are users under duress when opting to install software?
I suspect the phrase he was looking for was contract of adhesion. Or here, though I am reluctant to push Wikipedia because of their inaccuracy in other areas of this discussion. That said, this doesn't support his argument. Contracts of adhesion are generally enforceable, though there is more scrutiny applied to them and the party with limited freedom of negotiation gets the benefit of the doubt with some terms...
FWIW, Bob and Todd Urosevich's companies (Diebold Election Systems and ES&S) account for over 80% of the elections equipment in the U.S. So, while Sequoia (the company owned by Smartmatic, in which the Venezuelan government in turn owns a minority stake) is a player, they are not at the scale they've been made out to be in the last few months.
Either way, there's one way to make sure these machines are auditable and to provide the possibility of recovery from a rigged election. That's a voter-verified paper audit trail (and the procedures to actually routinely use the VVPAT to conduct an audit). Surprisingly enough, it was the evil Venezuelan company - Sequoia - that was one of the first to introduce machines with VVPAT.
"1. The election officials don't believe that they can re-gear the process in time for the general election, which is only 6 weeks away. I certainly don't think they can pull it off, given their record so far."
I'm sick of this _crap_ argument. This discussion isn't new since the primaries. This discussion has been going on (in one form or another, and in one state or another) since well before the 2004 election. All we've gotten is "we don't have time to fix this before... (the primaries|the general|the frickin' dog-catcher election), please don't (call for a fix|release vulnerability information|undermine voter confidence)." The system has to have a way to incorporate improvements, and we can't keep putting it off because of an election in the offing.
"2. The Democratic leadership is convinced that Republican Gov. Erlich is trying to suppress the vote in this majority Democratic state by raising fears about the process."
Yup, and if they don't do it this way, they'll find another way to suppress turnout.
Methods used have included:
- "Felon" purges
- Late polling location changes
- False notices of polling location changes
- Threatening phone calls ("You'd better hope you have no (warrants|traffic tickets|outstanding child support payments) if you intend to vote.")
- Private investigators videotaping black voters entering / leaving the polls
- Caging lists (send registered mail to address of record of residents of minority communities, challenge the right to vote of any whose mail came back. This regularly catches many members of the armed forces and students)...
All of which are far more effective at suppressing turnout than "undermining confidence." Further, these methods can be directed at your opposition more reliably, so that you don't kill your own turnout as well.
The public _should_ have fears about the process. If anybody is causing suppression through this mechanism, it's the people that are fighting to keep an untrustable process in place. This is a circular argument. If Erlich is calling for paper, and the Dems accede to the request, then Erlich's call has resulted in a more trustable system, and thus hasn't suppressed turnout. If, on the other hand, the Dems oppose paper, they allow Erlich to keep calling the process untrustable (because it is) and thus suppress turnout by the mechanism you describe.
If Erlich is calling the process untrustworthy because he wants to suppress the vote (rather than fix the problem), then by refusing to fix the process, the Dems are achieving Erlich's goal for him.
"They have good reason to believe this, as he has consistently fought efforts to make it easier for people to vote. Yesterday he urged everyone to use absentee ballots, yet last year he fought efforts to make it easier for people to use those ballots. He also vetoed a bill to allow early voting, which is popular in working districts (mostly Democratic) because some people have trouble getting to the polls on Election Day. When the legislature overrode his veto, he fought the law in court and won."
A history of voter suppression that focusses particularly on the working class... So?...
"So as much as I hate and distrust the machines (I'm applying for an absentee ballot myself)"
Jeez. I always get a kick out of people who say "I don't trust the machines, so I'm going to (get an absentee ballot|insist on a provisional ballot)." Chain-of-custody (and privacy in many jurisdictions) is _worse_ and the process is probably more manipulable with an absentee than with the machines. Provisionals are highly unlikely to get counted in the first place.
I think part of the argument here is that research is conducted differently on the Net than with dead-trees. It is precisely the sophisticated search technologies that change the nature of the work. It makes your resource materials more random access. This approach significantly narrows the focus of the research, meaning that you don't get the material on the edges of the topic. Because you can easily zero-in on a narrow scope of materials, you don't get the depth and breadth of knowledge that you do with less accurate dead-tree searching methods. It means that you don't gain as much experience narrowing the focus of your writing from the broad collection of information you have gathered. It also means that you don't gain the same general breadth of knowledge as you would have by cutting through repeated wide swaths of information.
Well, given that the major example of this clause (the GPU project) has reverted to the straight GPL, and there appears to be no support at the FSF for including this, even as an optional addition to the GPL.
FWIW, the offending terms were:
"The Program and its derivative work will neither be modified or executed to harm any human being nor through inaction permit any human being to be harmed."
While it would make the work non-free (by limiting Freedom-0), it is a far cry from "no use by the military."
Yes. Because the Internet has reduced the friction of communication to the point where it is impossible to make a profit selling snake oil.
The people running dns servers are probably 0.000001% of internet users....
ummm... Okay... Only that's not what the story was talking about. The story was talking about a user using a different resolver from comcast, rather than their resolver. This has nothing to do with running a dns server. There are a number of reasons to want to use another resolver, including:
the rest are probably just infected machines... is it simply to try to get a handle on worms and malware... If the cost from malware
Sorry... what does using a different resolver have to do with malware? Yeah. I thought so.
The question is *why* do they care about filtering DNS traffic?
The reasons I've heard advanced most frequently to encourage the use of the ISP's caching nameserver are:
This detracts from their profitability on only one of their lines of business - the one where you are the product.
In short, it's just some random operator on the 'net whose only real credential is they paid the fee needed to register a domain name (or SSL certificate).
I see. You are under the illusion that an SSL cert (ought to) assert(s) meatspace identity (or identity other than "one who controls domain xxx.com"). Perhaps identity assertions other than those contained in CN or subjectAltName ought to have some meaning. Kinda what EV intends to do... for corps.
The real problem here is that "trust" is just a very hard problem. It's labor-intensive to establish trust. What should we want? Two forms of ID? Credit references? Notarized forms? Personal appearance? Background check investigations?
You are mixing / begging the question on a few concepts here, including:
- granularity of identification
- strength of identification verification
- reputation
Perhaps if these concepts were dealt with in an orderly, separate manner, the question of trust would be easier to quantify and address.
Now we're trusting a company -- whose interests aren't necessarily coincident with ours -- to authenticate others for us.
Trust but verify. They publish a statement with respect to the policies and procedures that they follow. They are audited to ensure they follow those policies and procedures. It is up to us (and the browser makers [?]) to ensure that those policies are sufficient for our purposes.
Please name such a CA which "happily hand over valid certs to anyone with a credit card" and does not "take reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on the registrant's behalf" and which is trusted by the major browsers.
And then, perhaps, explain why you feel this is in _any_ way relevant to a discussion on DNSSEC.
Though, I suppose, this is Slashdot. Why post based on relevant facts rather than baseless, off-topic innuendo?
The basic idea is valid, but the implementation sucks
Umm... Perhaps, but probably not in quite the way you suggest. The current implementation doesn't allow the user to distinguish between certs issued by CAs with smart, rigorous CPSs (you do know what that is, right?), and certs issued by CAs that only check e-mail to admin@, postmaster@, ...
(and can probably only be made to not suck in a closed environment). Some CAs being diligent isn't enough, they all (well, all the ones trusted by any major browser) have to be diligent for the system to work at all.
Yeah. Which is why the major browsers require that the CAs be audited (and if they delegate to resellers the resellers too) to verify that they actually comply with what they say they'll do (their CPS), and that their CPS meets a minimal set of standards.
It seems your argument really boils down to: there has been a race to the bottom on the documented signing policies in order to minimize costs because higher cost, more rigorous validation mechanisms can't be used to differentiate a cert in the marketplace. (Except EV, but that's a whole other story)
My choosing the best CA out there doesn't matter a bit, because they can't do anything to stop the worst from handing a phisher a cert for my domain.
And they can't do anything to stop the best from handing a phisher a cert. However, the browser producers require an audit (which serves as a detective and preventive control) to verify that appropriate and sufficient processes are in place to ensure that a) the CPS is followed and b) the CPS meets a (minimal) set of rules.
Now, all this means that when (as a user) you're presented with a cert [that is not EV], you can be strongly assured that at some point, that cert was issued to someone who could read and respond to mail at an administrative email account for that domain. Is this sufficient for the user? Maybe. If it's a forum site, or a blog site, then probably. If it's an eCommerce or online banking site, probably not.
The browser makers need to allow:
a) Certs with differing validation methods to be differentiated (on a finer granularity than EV / not EV)
b) Client-side policy to be implemented on the basis of that differentiation
In order to arrest this race for the bottom and competition solely on price by the CAs.
Incidentally, both of these can be achieved within the current CA infrastructure...
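As an added illustration of the two things asked for above (differentiating certs by validation method, and applying client-side policy on that basis), here is a small client-side policy check. This is example code written for this page, not anything from the thread or from any browser. It assumes the CA/Browser Forum policy OIDs for DV/OV/IV/EV (these come from the Baseline Requirements and EV Guidelines, which postdate the comment), takes an already-parsed certificate record rather than parsing DER, and uses hypothetical per-context minimum tiers ("blog" accepts DV, "banking" requires EV).

```python
"""Client-side policy on certificate validation tier (added example).

Assumptions: CA/Browser Forum reserved policy OIDs identify the validation
tier; certificate fields arrive pre-parsed; the per-context minimum tiers
are hypothetical and exist only to show the policy hook.
"""
from dataclasses import dataclass, field

# CA/Browser Forum reserved certificatePolicies OIDs (assumption: a CA may
# also carry its own private OID, which maps to UNKNOWN here).
TIER_BY_OID = {
    "2.23.140.1.2.1": "DV",  # domain validated
    "2.23.140.1.2.2": "OV",  # organization validated
    "2.23.140.1.2.3": "IV",  # individual validated
    "2.23.140.1.1": "EV",    # extended validation
}
TIER_RANK = {"UNKNOWN": 0, "DV": 1, "IV": 2, "OV": 2, "EV": 3}

# Hypothetical client-side policy: minimum tier per usage context.
CONTEXT_MIN_TIER = {"blog": "DV", "forum": "DV", "ecommerce": "OV", "banking": "EV"}


@dataclass(frozen=True)
class CertInfo:
    subject_cn: str
    san_dns: tuple = ()       # dNSName entries from subjectAltName
    policy_oids: tuple = ()   # OIDs from certificatePolicies


def validation_tier(cert):
    """Highest recognised validation tier asserted by the cert's policy OIDs."""
    tiers = [TIER_BY_OID.get(oid, "UNKNOWN") for oid in cert.policy_oids]
    if not tiers:
        return "UNKNOWN"
    return max(tiers, key=lambda t: TIER_RANK[t])


def _label_match(pattern, host):
    # Wildcard allowed only as the entire leftmost label (RFC 6125 style),
    # and it must not swallow a whole registrable domain like "*.com".
    if pattern.startswith("*."):
        rest = pattern[2:]
        labels = host.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == rest and "*" not in rest
    return pattern == host


def name_matches(cert, host):
    """True if host is covered by a SAN dNSName (CN is a legacy fallback only)."""
    host = host.lower().rstrip(".")
    names = [n.lower() for n in cert.san_dns] or [cert.subject_cn.lower()]
    return any(_label_match(n, host) for n in names)


def accept(cert, host, context):
    """Policy decision: (ok, reason). Name binding first, then tier vs context."""
    if not name_matches(cert, host):
        return False, "name mismatch"
    tier = validation_tier(cert)
    need = CONTEXT_MIN_TIER[context]
    if TIER_RANK[tier] < TIER_RANK[need]:
        return False, f"{tier} cert, {context} requires {need}"
    return True, f"{tier} cert accepted for {context}"


if __name__ == "__main__":
    # Constructed sample records, not real certificates.
    dv = CertInfo("www.example.com", ("www.example.com", "*.example.com"), ("2.23.140.1.2.1",))
    print(accept(dv, "shop.example.com", "blog"))
    print(accept(dv, "shop.example.com", "banking"))
```

The point of the split is that name binding ("does this cert speak for this host?") and validation strength ("how hard did the CA look before binding it?") are separate questions; the first is all a DV cert answers, and only the second can distinguish a mail-to-admin@ cert from one backed by a rigorous CPS.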
"Unless your going to pay the auditors to run a compliance check after every change you make"
Not relevant to the case at hand, but:
"If the banks [sic] implementation followed PCI-DSS and the auditor did its job with a generally accepted level of precision"
It did not and they did not. Unencrypted storage of PANs, for which a previous audit had failed.
And they failed to do that.
They knew the processor had previously failed an audit because of storage of unencrypted PANs and non-compliant firewalls.
They provided an audit report that said "fully compliant" with CISP.
In the aftermath of the breach, it was discovered that the processor still had non-compliant firewalls and was still storing unencrypted PANs.
It appears that Savvis did not do their job. This will not be the big question at the trial, though.
Merrick was not in contractual privity with Savvis. Savvis was contracted by CardSystems, not Merrick. The issue at trial will likely be whether Savvis owed a duty of care to others that relied on their report (rather than just their client).
I would suggest that if an audit scheme is to have any benefit at all, it must accrue to those that rely on the audit findings. If 3rd parties cannot rely on the audit findings, then there is no reason to conduct the audit in the first place.
Apparently the bar associations and judges overseeing disciplinary hearings are no longer buying the "country bumpkin lawyer" defense. Or, at least, so said a lawyer who ought to know at a session at RSA last year (this _is_ Slashdot, so I'm too lazy to pull up the presentation from the Windows only USB stick they gave us as swag). There is starting to be a recognition that if you don't have the capacity to protect your clients' data, that you need to find somebody who does.
I like your nickname so much that I'm going out for a smoke now.
Online Etymology Dictionary
vet (1)
1862, shortened form of veterinarian. The verb "to submit (an animal) to veterinary care" is attested from 1891; the colloquial sense of "subject to careful examination" (as of an animal by a veterinarian, especially of a horse before a race) is first attested 1904, in Kipling.
If the alternative is the guy sitting next to you, who is a faith healer, then yes, you do have something to add to the discussion through your understanding of the scientific method, research methodology and critical analysis of evidence.
Why the heck would anyone in their right mind want to get rid of the perfect foil?
Maybe because he's also serving as the perfect foil for "moderate" Republicans. Why do you think Lugar et al are rolling on Bush now? Do you think the strategy for '08 Republicans may be "we're not all the same as W - see look - a few of our most senior senators have come out against Bush's war, and they're not even running this time"?
Running against Bush in '08 will guarantee a Democratic defeat.
Electronic vote collection and counting reduces the margin of error to a level below the margin between recent candidates.
Curious. There is a significant amount of evidence that the manual counting system used in Canada has an error rate well less than 0.1%. There is also significant evidence that e-voting machines (DRE and OpScan) have error rates well in excess of 2%.
1. Handicapped access.
It demeans the real challenges faced by individuals with handicaps to suggest that we need to diminish the reliability of our electoral system in order to encourage their participation.
2. Printing costs.
Costs for paper / pencil only systems are significantly less than for electronic systems, particularly when election administration is centralized (see Canadian electoral system costs). This is even before you consider that electronic voting equipment is being amortized over an absurdly long period of time (far longer than its estimated useful life; I would bet there will be a lot of counties writing off systems after the next cycle that still have significant unamortized book value).
3. Storage costs.
Storage costs are increased with electoral equipment. The equipment itself needs to be stored and takes more room than paper ballots. Further, the equipment typically has more stringent environmental requirements (temperature, humidity, etc. control) for the storage facility than paper ballots. Paper ballots need to be stored for less time than equipment. Paper ballots can be destroyed once disputes relating to them have been settled, and only have a useful life of at most one electoral cycle. Equipment must be stored throughout its useful life.
4. People.
It takes candidates' representatives and two officials from the authority conducting the election to count ballots in precinct. These are individuals who are already involved in the process, observing and administering (respectively) the conduct of the voting process of the election.
5. Quicker results.
We know who our Prime Minister is before bed-time EST on election night. How about you? Vote counting is a highly parallelizable activity.
Regardless, is it appropriate to set cost and speed above accuracy and security in elections administration?
What confuses me about electronic voting is that we constantly do commerce daily through electronic means (ATMs, credit cards online, etc) yet we cannot hammer down a viable scheme for voting.
Red herring. Stop repeating this crap.
Maybe because the two problems have vastly different requirements? Maybe because e-commerce does not require anonymity or secrecy in the same way that voting does? Maybe because in the e-commerce problem, it is essential to prove that a given transaction occurred, and that it occurred between a particular set of parties, while in an election, it is essential that you not be able to prove this.
I am a programmer and very familiar with model view controller applications
So am I. So what. You are familiar with one class of solution that works well with a particular set of problems. Are you familiar with this particular problem domain? It appears not.
(with possible hardware verification methods*)... using a PCI card or even serial port dongle with specific hardware and firmware that verifies a machine as an untampered voting box.
Okay, so you're calling for the industry to invent a magic wand. Good luck with that.
then asked for people to input their SSN and vote, that could be sent to a controller that could provide this information to three or four third party vendors. The vendors would verify the SSN against a government data base through very secure lines. They then would accumulate the data from each client terminal and be able to privately verify their data against each others. The gain from this? Ability to use asymmetric encryption standards (which are already used by our browsers in online commerce) with redundant data sources (so someone would have to identically hack all third party systems in order to compromise the data). You have a PhD so I'm hoping this question isn't too technologically oriented for you but what's wrong with this approach?
It provides no auditability to ensure that the vote is faithfully transmitted by the terminal, only (marginal) protection of the vote once it leaves the terminal. It provides no accessible audit trail of the essential process (the translation of individual voters' intent into aggregated final results). It breaches secrecy of the ballot if it allows a voter to verify his ballot post facto. It imposes an authentication system that is not weakened by the lack of knowledge of the subjects being authenticated.
I've been in the count room as a scrutineer many times at every level of Canadian elections (municipal [in a municipality that was paper/pencil], provincial, federal). The keys to the system are transparency and simplicity.
For the count in precinct (technically called the unofficial count), the process is similar to the Australian process outlined in the other reply to this post. The ballot box is opened, and all ballots are removed from the box. The box is confirmed to be empty. The poll clerk and deputy returning officer then count and record all ballots in full view of all of the scrutineers. Scrutineers have an opportunity to raise objections to any ballot (on the basis of multiple marks, marks that may identify the voter, or ballots with no discernible intent). Number of unused ballots + number of counted ballots + number of spoiled ballots (returned by the voter b/c he made an error, clearly marked spoiled, voter given another ballot) are reconciled against number of ballots the precinct started with. Number of counted ballots is reconciled against number of entries in poll book. Ballots are then sealed in a number of envelopes (unused, spoiled, each candidate, disputed) and the DRO, PC and scrutineers sign across the flap of the envelopes. These envelopes are then sealed in the same manner inside a larger envelope. This envelope is placed inside the ballot box, which is then sealed with a numbered seal. The ballot box is then transported (always 2+ individuals with it) to the returning office, where it is stored in a physically secured location.
Shortly thereafter (1-2 days), the returning officer for the constituency, in a similar process, with scrutineers, conducts an official count of all ballots from all precincts. He then certifies the result to the chief electoral officer, and retains custody of all ballots in a physically secured location.
In some circumstances (particularly close elections, abnormally large numbers of disputed ballots,...) a judicial recount may be requested. In this instance, a judge and representatives of the candidates attend at a courthouse to count all or a portion of the ballots. The judge makes binding decisions as to the validity of disputed ballots.
As a result, we potentially have 3 independent counts of the ballots. Deviation among these counts should provide a good reflection of any random error introduced into the system by the method. In practice, I have seen results among these counts diverge by at most a dozen votes (of 50,000, for an error rate of 0.024%). I have only seen one instance where variation between unofficial, official and judicial recounts have resulted in a flipped race (and this was in a race decided by 3 votes, and was not due to random error - it was due to different judgements about validity of ballots by the DRO, RO and judges). Contrast this with the error rates for electronic equipment (notably OpScan) documented in the academic research, and our manual vote system comes out looking pretty damn good.
The reason that manual recounts have not worked so well in the U.S. in the past is that the ballots were designed to be read by counting equipment, not humans. Punch cards were not designed to facilitate a manual recount. Many OpScan ballots suffer from similar problems. Well designed ballots and processes do not experience significant variances between counts.
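The reconciliation steps in the count-room description above (ballot accounting against the precinct's starting stock, counted ballots against the poll book, and comparison of the unofficial, official and judicial counts) are simple enough to write down as checks. The following is an added example for this page, not anything Elections Canada publishes; the precinct figures and the three stage counts are constructed, sized so that the divergence works out to the dozen-in-50,000 figure mentioned in the comment.

```python
"""Precinct ballot reconciliation and multi-stage count divergence (added example).

Assumptions: figures are constructed; "rejected" collects ballots with no
discernible intent or identifying marks, which are counted but not credited.
"""
from dataclasses import dataclass

REJECTED = "rejected"


@dataclass(frozen=True)
class PrecinctReturn:
    ballots_issued: int      # ballots the precinct started with
    unused: int              # blank ballots left in the book
    spoiled: int             # returned by voter, marked spoiled, replaced
    pollbook_entries: int    # voters recorded as having voted
    counted: dict            # candidate -> votes, plus REJECTED


def reconcile(r):
    """Return the list of discrepancies; an empty list means the return balances."""
    problems = []
    total_counted = sum(r.counted.values())
    accounted = r.unused + r.spoiled + total_counted
    if accounted != r.ballots_issued:
        problems.append(f"ballot accounting off by {r.ballots_issued - accounted}")
    if total_counted != r.pollbook_entries:
        problems.append(f"counted {total_counted} vs {r.pollbook_entries} poll-book entries")
    return problems


def divergence(counts):
    """counts: {stage: {candidate: votes}} for unofficial/official/judicial.

    Returns (largest per-candidate spread across stages, spread / largest total).
    """
    candidates = set().union(*(c.keys() for c in counts.values()))
    spread = max(
        max(c.get(k, 0) for c in counts.values()) - min(c.get(k, 0) for c in counts.values())
        for k in candidates
    )
    total = max(sum(c.values()) for c in counts.values())
    return spread, spread / total


def winner_flipped(counts):
    """True if the leading candidate (ignoring rejected ballots) differs between stages."""
    leaders = set()
    for c in counts.values():
        credited = {k: v for k, v in c.items() if k != REJECTED}
        leaders.add(max(credited, key=credited.get))
    return len(leaders) > 1


if __name__ == "__main__":
    # Constructed precinct: 500 ballots issued, 180 unused, 3 spoiled, 317 counted.
    ret = PrecinctReturn(500, 180, 3, 317, {"A": 200, "B": 115, REJECTED: 2})
    print("reconcile:", reconcile(ret) or "ok")
    stages = {
        "unofficial": {"A": 26_012, "B": 23_988},
        "official":   {"A": 26_004, "B": 23_996},
        "judicial":   {"A": 26_000, "B": 23_998},
    }
    print("divergence:", divergence(stages), "flipped:", winner_flipped(stages))
```

The two reconciliations catch different failures: the ballot-accounting check detects ballots added to or removed from the box, while the poll-book check detects a mismatch between who was recorded as voting and how many ballots were cast; each can pass while the other fails, which is why both are done in front of the scrutineers before the envelopes are sealed.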
"No?"
No. It seems I end up responding to this argument every time a Diebold (or other voting) story comes up. Just to shake things up, I'll review your points from the bottom-up.
"An electronic voting system would be more secure then a paper trail with PEOPLE manually counting each vote."
A well-designed manually counted paper system (yes, you do need design in manual processes too), like implemented in Canada, can significantly improve both accuracy and security. Secondarily, it allows the resolution of contentious races more quickly. A well designed system (paper or electronic) does not rely on trust of any individual. The entire process is observed by individuals who have diametrically opposed interests (with respect to the outcome of the election) - namely representatives of each of the candidates. The artifacts of the vote (the ballots) are readily observable without intermediaries. The physical and information characteristics of all tools used are well understood by most people (i.e. We can make assertions like "A solid box with a slot on the top was confirmed in public to be empty, and immediately sealed. The box was in public view from the point of sealing to the point of unsealing. Thus, no ballots could have been added or removed without being observed"). Standards for what constitutes a vote are well established in statute and in case law.
The key is that the process is transparent.
"when you vote you're given a ticket with a number, anyone can go online and see how everyone voted but only you are able to tell which vote was yours by the corresponding ticket number."
Which provides you the ability to prove your vote, which introduces coercion and provable vote-selling into the system, neither of which have been deemed desirable.
"Source code is 100% open to find exploits and bugs"
Read Thompson's "Reflections on Trusting Trust" Turing award lecture (http://www.acm.org/classics/sep95/) for an explanation of why this is inadequate.
"I don't understand why an open voting system wouldn't work"
Because without a voter-verifiable paper trail, such a system is unauditable.
I suspect the phrase he was looking for was contract of adhesion. Or here, though I am reluctant to push Wikipedia because of their inaccuracy in other areas of this discussion. That said, this doesn't support his argument. Contracts of adhesion are generally enforceable, though there is more scrutiny applied to them and the party with limited freedom of negotiation gets the benefit of the doubt with some terms...
FWIW, Bob and Todd Urosevich's companies (Diebold Elections Systems and ES&S) account for over 80% of the elections equipment in the U.S. So, while Sequoia (the company owned by Smartmatic, in which the Venezuelan government in turn owns a minority stake) is a player, they are not at the scale they've been made out to be in the last few months.
Either way, there's one way to make sure these machines are auditable and to provide the possibility of recovery from a rigged election. That's a voter-verified paper audit trail (and the procedures to actually routinely use the VVPAT to conduct an audit). Surprisingly enough, it was the evil Venezuelan company - Sequoia - that was one of the first to introduce machines with VVPAT.
"1. The election officials don't believe that they can re-gear the process in time for the general election, which is only 6 weeks away. I certainly don't think they can pull it off, given their record so far."
...
I'm sick of this _crap_ argument. This discussion isn't new since the primaries. This discussion has been going on (in one form or another, and in one state or another) since well before the 2004 election. All we've gotten is "we don't have time to fix this before... (the primaries|the general|the frickin' dog-catcher election), please don't (call for a fix|release vulnerability information|undermine voter confidence)." The system has to have a way to incorporate improvements, and we can't keep putting it off because of an election in the offing.
"2. The Democratic leadership is convinced that Republican Gov. Erlich is trying to suppress the vote in this majority Democratic state by raising fears about the process."
Yup, and if they don't do it this way, they'll find another way to suppress turnout.
Methods used have included:
- "Felon" purges
- Late polling location changes
- False notices of polling location changes
- Threatening phone calls ("You'd better hope you have no (warrants|traffic tickets|outstanding child support payments) if you intend to vote.")
- Private investigators videotaping black voters entering / leaving the polls
- Caging lists (send registered mail to address of record of residents of minority communities, challenge the right to vote of any whose mail came back. This regularly catches many members of the armed forces and students)
All of which are far more effective at suppressing turnout than "undermining confidence." Further, these methods can be directed at your opposition more reliably, so that you don't kill your own turnout as well.
The public _should_ have fears about the process. If anybody is causing suppression through this mechanism, it's the people that are fighting to keep an untrustable process in place. This is a circular argument. If Erlich is calling for paper, and the Dems accede to the request, then Erlich's call has resulted in a more trustable system, and thus hasn't suppressed turnout. If, on the other hand, the Dems oppose paper, they allow Erlich to keep calling the process untrustable (because it is) and thus suppress turnout by the mechanism you describe.
If Erlich is calling the process untrustworthy because he wants to suppress the vote (rather than fix the problem), then by refusing to fix the process, the Dems are achieving Erlich's goal for him.
"They have good reason to believe this, as he has consistently fought efforts to make it easier for people to vote. Yesterday he urged everyone to use absentee ballots, yet last year he fought efforts to make it easier for people to use those ballots. He also vetoed a bill to allow early voting, which is popular in working districts (mostly Democratic) because some people have trouble getting to the polls on Election Day. When the legislature overrode his veto, he fought the law in court and won."
A history of voter suppression that focusses particularly on the working class... So?...
"So as much as I hate and distrust the machines (I'm applying for an absentee ballot myself)"
Jeez. I always get a kick out of people who say "I don't trust the machines, so I'm going to (get an absentee ballot|insist on a provisional ballot)." Chain-of-custody (and privacy in many jurisdictions) is _worse_ and the process is probably more manipulable with an absentee than with the machines. Provisionals are highly unlikely to get counted in the first place.
I think part of the argument here is that research is conducted differently on the Net than with dead-trees. It is precisely the sophisticated search technologies that change the nature of the work. It makes your resource materials more random access. This approach significantly narrows the focus of the research, meaning that you don't get the material on the edges of the topic. Because you can easily zero-in on a narrow scope of materials, you don't get the depth and breadth of knowledge that you do with less accurate dead-tree searching methods. It means that you don't gain as much experience narrowing the focus of your writing from the broad collection of information you have gathered. It also means that you don't gain the same general breadth of knowledge as you would have by cutting through repeated wide swaths of information.
Curious what you use for fire suppression that you're so comfortable with not having an off-site backup solution...
Well, given that the major example of this clause (the GPU project) has reverted to the straight GPL, and there appears to be no support at the FSF for including this, even as an optional addition to the GPL.
FWIW, the offending terms were:
"The Program and its derivative work will neither be modified or executed to harm any human being nor through inaction permit any human being to be harmed."
While it would make the work non-free (by limiting Freedom-0), it is a far cry from "no use by the military."