Sorry that statement was me forwarding my thoughts in a way that I thought was logical since I was going with assumptions that weren't explicitly stated while writing it and I should have reread it.
You're right in that in a battle or an invasion though tanks aren't as good as in open ground, they are still very useful.
What I should have said was that tanks have never been useful in pacifying a large town let alone a city. The problem with them is that it's very hard to know who's friend and who's foe with a tank in a revolt, yet it doesn't carry vice versa. Everyone on the other side knows that the tanks are bad. In the Gulf War that was an invasion, a battle - everyone on the other side could have been bad - just shoot at the people shooting at your infantry. When no one's shooting at your infantry until it's too late to do anything about it you are stuffed - urban environments are great for ambushes.
What I meant was sort of like what the differences are in Iraq between the invasion and now. It's quite a bit harder now with unrest than it is with defence.
Hopefully that came out right!
2) to defend against a corrupt government, to create a balance of power in the people. today that's not relevant since the gov has MUCH bigger guns. they have nukes, for crissakes! there is ZERO chance any group of people will be able to 'control the gov' with guns. just not gonna happen anymore. if you even try, you will find yourself dead or locked up anyway. you can't fight 'the man' this way.
Actually that's quite wrong. The difference is that you're for some reason expecting the populace to be fighting a traditional war against the government (so they'll pick a nice green field to have it all out). Obviously the people with tanks and nukes will win and everything will go back to normal.
The problem is that this is a revolution. There's a couple of differences. Firstly, there's no battlefield - the people you're against are *everywhere*. Tanks can't do shit against a revolution, missiles even less. Tanks are only useful in a battlefield, they've *never* been useful in a town let alone a city where they're just sitting ducks for the first person with a good enough mine, bazooka or bomb. Modern tanks are less vulnerable to this, but it doesn't counter the fact that if they can't see the enemy or shoot at the enemy then they're fucked. Now with that put forward how do you think the government's going to use missiles when the target is spread across an entire nation? Do you really think that the government is going to nuke its own citizens?
Secondly, revolutions tend to have first strike capability. A government can't really defend itself if the parliament's already been swarmed and the top ministers shot.
Thirdly, if an entire nation is revolting against itself, chances are at least some of the military are with them. How long do you think the tanks and missiles are going to stay in the government's hands?
Fourthly (and the last of my points), people in a revolution are more likely to use "dirty" tactics like sniping and guerrilla warfare, suicide bombs etc. That's sort of hard to defend against.
When modern technology is having so much trouble in Iraq against people with a lot less resources than the people of the US, do you really think that the government is going to win in a full scale revolt?
Not all Anonymous Cowards have humour
I never know what grits are.
Anyone else think it's funny that there are more posts here talking about how everyone will post to install Linux than there are posts saying to install Linux?
He's currently living in the US though (in San Francisco, according to Wikipedia), so it could very quickly apply to him.
From Wikipedia: He now works in the United States as a software engineer.
(OK, and Diebold also has security issues - but that is a side issue, everyone has security issues. These are the guys making ATMs, for goodness sake. A voting machine that is as secure as an ATM is probably good enough. You can't stop human fraud via a machine - humans win every time.)
There's even more money and power in cracking elections than there is in cracking ATMs, so no it's not good enough.
You obviously haven't done any sort of cryptography. (And yes, I have and do do cryptography and cryptanalysis.)
I'll address the second and third paragraphs first of all since it's more on topic before refuting the first paragraph.
I never said that a closed source software has to be inherently less secure than open source software. Whether the source is open or not doesn't have any direct implications on the security of the software. I said or implied that closed algorithms are inherently less trustworthy than closed algorithms. Peer review is an old and very well tested notion that lays the foundation for modern cryptography, and it is more than "look at the source and find flaws". I'll quickly outline the reasons for it here.
In Cory Doctorow's excellent speech on DRM he slyly called this Schneier's Law: "any person can invent a security system so clever that she or he can't think of how to break it". In other words if you thought of it then you probably only see its benefits without seeing its flaws. For someone to see the flaws they have to be able to think differently; not necessarily be smarter than you, just be able to think differently from you. The chances of getting someone to be able to do this in a small organisation are slim. Even sending it out to technical officers only increases the chances of it being found slightly.
The next reason more specific to this situation comes when you look at the likely attackers of the system. When looking at the voting machine you tend to think of politicians to be the most likely to compromise security. You might also have major corporations with a political agenda, foreign governments, even private citizens. In other words, everyone. Not many people actually realise that this includes the programmers themselves!
Do you trust every person in Diebold? I don't even know them - who the fuck are they to have control over my vote? (Luckily I'm not American so they don't have control over my vote) If the code is secret then they not only have the means but they also have the ability to do it without getting caught! If you personally don't have access to the code you are simply giving your vote to the programmers and trusting them to do the right thing. I'm not saying that they're necessarily bad people, but there's a lot of money in the US elections, and everyone has a price.
I haven't really gone through that thoroughly and I think I've missed more than a few things but I don't really have that much time free. I'll get onto the first paragraph now. Firstly, gathering an algorithm without source from a binary is pretty trivial and as I said before the people most likely to attack these machines will have access to the machines themselves and thus have access to the binaries. Even without this, perhaps not knowing the algorithm is a disadvantage to a cryptanalyst but even then many algorithms have identifiers in their output giving clues as to which algorithm it is. It's definitely not infinitely more useful to know the algorithm when determining what the message says. Even so if you're relying on an algorithm's secrecy to ensure security in your communications then as soon as the algorithm is released (and it most often is in more serious situations) then your communications are compromised. Yes you said all things being equal but the thing is the algorithm isn't supposed to be the secret, the key is.
Now that was a long rant.
If the attackers can use the source code to attack the machines then the machines aren't secure and probably wouldn't withstand an attack from someone who had access to the machine even without source code.
Having numerous copies floating around is a good thing if disclosure of security holes is encouraged, and the fact that Diebold are implying that the security of their systems relies on people not having access to the source code is a very bad thing.
Let's look at things logically. The only people who would rig the election using those machines would have to have physical access to the machines, and if they did they wouldn't need the source code to highlight security holes. If the source code was released then the people who would be advantaged would be the people who would responsibly disclose security holes.
I'm not sure that Forbes really should be going for the same level of journalistic integrity as internet blogs... That specific author has given quite bad misinformation on the SCO case and as far as I know Forbes is supposed to be a respected magazine.
Don't be silly. Just sticking a photocopy on it wouldn't get past this hugely complicated computerised system. No you had to lick it first. That was a hilarious episode.
Pity - I kind of like your way better.
. . . That hole doesn't allow them to go back through IE's history until it finds a bank URL it recognises. All it does is allow the "attacker" to see a web site as if the victim's web browser were viewing it, maybe possibly recovering some information. This might be useful to attack a specific person or group of people but let's face it there are better ways of doing so and this hole is a lot of effort for not really getting very much out of it.
For what purpose though? The only thing I could think of that would be useful with this hole is targeting a specific person trying to look at his Gmail account maybe. I'm not sure how this hole could be used by malicious web sites targeting random people. It's no more useful than the Firefox holes.
That was his point. Those are really trivial security holes that they haven't patched because they're pretty well unfeasible to actually attack, kind of like this IE hole.
But the Firefox RCs are actual release candidates so they are released within a few days of one another. IE7 and Vista RCs are just Betas by another name which are released weeks or months apart.
Bullshit. Their idea of government was to *ensure* freedom and, if we started to get to the situation that we are getting to now what the people are meant to do is get our arms and overthrow the government. Doesn't sound all that secure to me.
I think their idea was actually the opposite - having a government is supposed to be a way of ensuring freedoms, but a risky one. Without a government you can easily infringe on someone else's freedoms. You can simply chain them up - without a government who's going to stop you? Without laws you have every freedom in the world but everyone in the world has the ability to destroy even totally your freedom. The problem with governments is that it seems to be in their nature to slowly corrupt themselves so that you're not facing single people or families trying to destroy your freedoms anymore but an entire army and there's always the risk that this could happen. The American founding fathers saw this so they tried to put provisions in the American constitution to allow revolutions to happen, something they saw as necessary. This has already happened once in America's history.
And you know what, the majority would agree. You don't like it? Go live in fundamentalist/survivalist camp and then decide who is the kooky one.
Personally, I think that the one who is the kooky one is the one who thinks that disagreeing with censorship is equivalent to being a fundamentalist. That's just my opinion though...
Here's a decent definition of censorship: The practice of suppressing a text or part of a text that is considered objectionable according to certain standards.
This is censorship. They aren't self-governing rules - they are striking specific sites simply because they find the name morally objectionable. This is a government, not a simple administrator. This is governmental censorship. Look at the argument. You can now form your opinion and feel free to disagree or agree, but definitions of words are definitions of words.
While we're getting to the definition of words, I didn't know that the majority would agree. I'm not sure you know either - you should probably write "guess".
Now I'm still not sure what the fuck having sex with a watermelon has to do with this issue...
A hat-trick (yes that term is originally from cricket), though I'm sure a cricketing hat-trick is much rarer. According to Wikipedia there's been just 36 of them in the recorded history of international test cricket.
I think that the Slashdot editors can be forgiven for posting a link to an article on a similar topic a year and a half later...
That article is btw referenced in this one.
Isn't the point of open source that anyone can fix the programs? If it can be used by attackers it can also be used by developers. This is a pretty pointless article anyway as it's not that easy to find security holes in programs - if it was that easy then the developers would have patched up the holes already.
Pity, someone else made the joke before me.
Of course it can be both. If it couldn't be the submitter would have used XOR.
There's a sub sandwich shop here that gives away free sandwich coupons every couple of months-- use as many as you want as often as you want. If you get addicted, you'll end up being their customer when it's no longer free.
The heroin they put in their sandwiches helps.