Hi, First congratulations to Ed and his team for surviving a baptism of hacker fire ;-) I would like to just stir the pot a little though: +Firstly the attacks might have been greater in number and sophistication if the information and invitation had been offered for longer than they were (it did seem that only very short notice was given). +I am confused as to what this whole Swedish hullabaloo is about... yes electronic voting has a lot of issues to deal with regarding security and public confidence but I don't see how Ed's statement is a contradiction in any way. Further to the CyberVote project; their security approach indicates a total lack of understanding. I quote from their press release "As this goal cannot be achieved by a simple combination off-the-shelf cryptographic primitives, special-purpose cryptographic protocols will be used to implement this unique set of security properties." Very rarely is there the need to create totally new cryptographic algorithms. And as Bruce Schneier often points out, implementors of systems should steer well clear of creating their own algorithms - cryptography is a very different ball game. Maybe CyberVote should implement cryptographic systems in a novel way, but I feel they are falling for the usual European governmental "big project" syndrome where they believe they need to build everything from scratch because nobody has what they need. Time and again this approach has been disproved and has resulted in disaster, I could name about 5 examples in the UK alone. To be frank, IMHO any IS project for e-voting that aims to have its first large scale test in 2003 and doesn't even exist yet is definitely sailing against the wind. +SafeVote and DOS or DDOS attacks. This article http://technocrat.net/973229523/index_html got me thinking, I asked Bruce Perens for his thoughts on the matter. I haven't asked permission to post his email here so let me just say that I believe he had two valid points: 1) Patenting this system is foolhardy as 95% of patents are unenforceable (though of course everyone thinks their's is the exception). Whatever the rights and wrongs of software patenting, I must say that it does seem to contradict any commitment to the Free Software paradigm. Patents let you look how it works but not change them, having access to fix the code is a fundamental part of Free Software. Patents also inherently restricts the freedom of the code. That said I don't want to overly chastise SafeVote as compared to Election.com and VoteHere.net they have been positively promiscuous in sharing their information! 2) On a less philosophical note, protecting the clients from denial of service attacks (with a very effective system if I may say so) does seem a little perverse. Surely it would be far more likely that attackers would go for a bigger target that would effect many more voters... attacking clients would take a huge amount of effort to prevent only a couple of people from voting. Thus attacks are more likely on servers and/or intermediate nodes. This makes defense much harder as the servers' IP addresses need to be known to the DNS system otherwise no clients can connect to them. Hope this helps to further the discussion, apologies for splurging so much into one post! regards, Jason -- the FREE e-democracy project =========================== http://www.thecouch.org/free/ =========================== secure, private & reliable free software
