Feeds

Identity, voting and missing fingers

With added nuclear zing

  • alert
  • submit to reddit

Beginner's guide to SSL certificates

Letters There is a bit of a fingerprinted theme to today's letters page, but we have plenty of other stuff too, so let's get started.

The government, having consulted with as many agreeable people as it could find, decided that it has a plan for dealing with our nuclear waste. Simple, and ingenious, we're sure you'll agree. Let's bury it! The idea's been popular before...

The channel tunnel! Bury it in the tunnel!

Can I have my finders fee now please?

Tom


"... because people are strangely resistant to the idea of living on top of a smouldering pile of depleted fuel rods ..."

Well such unnecessary language does little to help matters. "Smouldering pile" is not a very good description, and it has to be pointed out that many people in already live on top of a pile of radioactive material - especially those in Edinburgh and the surrounding area. The radioactive material is more commonly called 'granite'.

Simon


I wonder what would happen if a local authority within the M25 applied?

Would the government suddenly discover special reasons to exclude them?

(Personally I think that "burying" this stuff is probably the stupidest scheme. When something does go wrong it will cost billions to fix it. Much better to keep the stuff on the surface when problems are both obvious and easily fixable.)

Geoff


Ireland's e-voting scheme looks a little shaky to our newly-Ireland-based Thomas C Greene. So let's get that debate going. Pass the popcorn:

I disagree with Thomas Greene's assessment of the e-voting debacle in Ireland.

The combination of electronic machines with a paper record...can only be useful if the design is secure. Still, it's the /least/ desirable alternative because it introduces needless complexity, and tremendous uncertainty when results are in dispute. How do you know which record, the electronic or the paper, is valid? Either component can be attacked, can fail, or can simply be designed badly.

This is a common misconception. The paper ballots are the ones verified by the voters. So, if there is any uncertainty, then the paper takes precedence. It's a matter of system design to ensure that in practice, there is no discrepancy between the electronic and paper versions. There may be better solutions than voter verified paper ballots (VVPB), but the least desirable system is not VVPB. It is unverifiable electronic voting machines.

When confronted by news that a voting machine had been compromised, Ahern noted that "the anti-electronic voting campaign group in the Netherlands physically hacked into a machine to demonstrate security flaws. If one hacked into a ballot box one could do that too".

It's a sensible observation, but it doesn't help.

It is not a sensible observation. Ballot boxes are prepared for use in the presence of candidates and their agents. Everyone can ensure that there are no ballots already present. At the end of polling, they are sealed under a similar level of scrutiny.

They are opened under similar secure conditions at counting centres, under full public gaze. Unveriable voting machines simply do not have this level of transparency. There is no escaping the fact that we are required to blindly trust whatever software happens to be running on the machine.

There are certainly risks associated with paper ballot elections. But every objective assessment shows they are far more trustworthy than unverifiable electronic voting machines.

For secure, trustworthy e-voting, one needs hardware validated by an independent (and competent) testing agency, and a system to ensure that only validated hardware is used (ie, no post-validation equipment changes of any sort, and fragile seals to indicate tampering visibly).

Wrong. We don't need ballot boxes to be tested by any "independent testing agency". So, we demand the same level of assurance from electronic voting, which is a system that can be verified by the users, ie. the voters, and does not require us to trust any independent testing agency.

The experience in Ireland has been that once a government chooses a system to use, the testing simply becomes a rubber stamping exercise. One can see this in the Irish case, where for example, the testing performed by the PTB institute in Germany, was not testing at all, rather it was a form of inspection and observation. Unfortunately, few people read the test reports, and even fewer actually understand the implications of the (lack of) actual testing done.

Next, one needs software validated by an independent testing agency, and a mechanism to ensure that only validated software can be installed. This would involve the compiler, all source code, libraries, encryption software, etc. It doesn't have to be /open source/, but the validating agency has got to have access to every single bit. It would then build all of the software and issue approved copies. This can be verified cryptographically, cheaply, and easily.

Wrong again. Exactly the same argument applies as for the hardware.

Of course, there must not be any mechanism for remote IP access or switched telephone access to the machines or the database. Leased lines only.

There also needs to be a validated auditing mechanism to show every instance of access to the machines and the database.

Internal audit trails produced by the software which we don't want or need to trust, are worthless.

All the best,

Michael

Now, don protective gloves and click on the link for the next page...

Security for virtualized datacentres

More from The Register

next story
Boffins who stare at goats: I do believe they’re SHRINKING
Alpine chamois being squashed by global warming
Space exploration is just so lame. NEW APPS are mankind's future
We feel obliged to point out the headline statement is total, utter cobblers
Down-under record: Australian gets $140k for pussy
'Tiffany' closes deal - 'it's more common to offer your wife', says agent
Internet finally ready to replace answering machine cassette tape
It's a simple message and I'm leaving out the whistles and bells
FedEx helps deliver THOUSANDS of spam messages DIRECT to its Blighty customers
Don't worry Wilson, I'll do all the paddling. You just hang on
The iPAD launch BEFORE it happened: SPECULATIVE GUFF ahead of actual event
Nerve-shattering run-up to the pre-planned known event
Win a year’s supply of chocolate (no tech knowledge required)
Over £200 worth of the good stuff up for grabs
STONER SHEEP get the MUNCHIES after feasting on £4k worth of cannabis plants
Baaaaaa! Fanny's Farm's woolly flock is high, maaaaaan
Adorkable overshare of words like photobomb in this year's dictionaries
And hipsters are finally defined as self-loathing. Sort of
Not a loyal follower of @BritishMonarchy? You missed The QUEEN*'s first Tweet
Her Maj opens 'Information Age' at the Science Museum
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.