---------- Forwarded message ----------
From: Contact Xnet <[email protected]>
Date: Sun, Oct 8, 2017 at 1:18 AM
Subject: [xnet-news] About the manipulated information regarding the data protection of the census during the #CatalanReferendum
To: [email protected]

[sorry, English must be improved]

https://xnet-x.net/en/en-about-manipulated-information-data-protection-census-catalanreferendum/

Recently, articles have been published by Xataka <https://www.xataka.com/seguridad/los-datos-de-los-votantes-en-el-referendum-catalan-en-riesgo-cualquiera-puede-hackearlos> and El País <https://elpais.com/tecnologia/2017/10/05/actualidad/1507196018_140173.html> on an alleged security vulnerability that exposes Catalan census data to anyone with a little free time and bad intentions.

A week earlier, a few days before the referendum vote, the Catalan Government surprised by using an encrypted and distributed technology <https://medium.com/@josepot/is-sensitive-voter-data-being-exposed-by-the-catalan-government-af9d8a909482> approach to overcome digital repression <https://xnet-x.net/en/digital-repression-and-resistance-catalan-referendum/> from the central government, allowing citizens to consult the polling stations where they should vote.

The articles quoted question the safety of this system and raise the alarm that the data of citizens is already exposed because of this system.

Xnet has studied the question and we have to say:

– To begin with, as any computer expert knows, one hundred percent security does not exist; anything could be hacked with sufficient resources. With the data we have now, we can say that the security of the census is very good, especially in comparison with the censuses of the central government that, for example, in electoral periods are often given to the political parties.

– In the case of the Catalan census, the security measures applied have been optimal regarding the value of the data at risk: DNI (truncated, only the last 5 figures), postal code and date of birth. Data that could be collected much more easily with brute-force attacks or other attacks on other registers.
Thus, the strategy of the Generalitat has been a risky but functional and sufficiently secure emergency solution <https://blogs.elconfidencial.com/tecnologia/homepage/2017-10-06/mitos-verdades-y-manipulaciones-por-que-hackear-el-censo-catalan-no-es-tan-sencillo_1456148/>.

– Xnet has contacted other experts in cryptography to investigate the matter. Here is the feedback received:

*“The cryptographic algorithm used is secure and in line with the ISO/IEC 18033-1:2015 and 18033-3:2010 standards. It uses a CBC encryption block that is also used in military environments and 256-bit AAS Hashing compatible. In this case, it is normal not to use “SALT” because the database had to be distributed and the decryption had to be carried out in each client. This would have required exposing the “SALT”. The criticism of not using SALT evidences a lack of knowledge in the matter and/or not having taken into account all the elements of the case. Thus, according to our professional opinion, the authors have not endangered the personal data of the Catalan census since the encryption procedure followed is in line with the standard in these matters. Although the brute-force attack scenario may be plausible, the relationship between the data obtained with respect to the investment in economic technology required is not profitable.”*

– The alleged leak of data El País speaks about in its alarmist headline boils down to: with enough free time and knowing the last 5 digits of someone’s ID, some bad data thief could guess… his age and his neighborhood. Something quite inefficient for that data thief, taking into account that the Public Administration and its poor management of our private data has left for years other better ways for massively obtaining more detailed citizen data.

– We want to ask Xataka, a technology medium that we follow and respect, not to fall into the temptation to publish information not sufficiently corroborated in the form of “doubts for debate” as they contribute to a false debate that wants to reconstruct a symmetry in a conflict that is not such and in reality a situation in which one of the only objective and over the parts data that we have is a constant violation of the rights on the Internet and civil liberties by the Spanish State. Doing this without enough precautions allows a technical issue to be used politically by propaganda and the creation of fake news.

Regarding El País, which in fact includes it in its serial fiction on “the network of Russian interference” that is behind everything that happens in Catalonia, as if it were not a historical political conflict with a broad social base; we simply ask them to stop publishing fake news and hysterical news stories about what is happening in Catalonia. We especially condemn its deliberate intention to criminalize distribution strategies and encryption technologies since they are opening the future doors to an improvement of the democratic quality and its criminalization entails a permanent state of authoritarian exception in our life in the digital space.

-----
XNET
https://xnet-x.net/en/
https://twitter.com/X_net_
https://www.facebook.com/RedX.Net
-----
If you do not want to receive more email from this list please click the next link and send the email letting the subject or body untouched.
UNSUBSCRIBE: mailto:[email protected]?subject=signoff%[email protected]&body=signoff%[email protected]
Sorry for any inconvenience.

_______________________________________________
P2P Foundation - Mailing list
https://lists.ourproject.org/cgi-bin/mailman/listinfo/p2p-foundation
