Nice lesson!

Experts Find Serious Problems With Switzerland's Online Voting System Before Public Penetration Test Even Begins

The public penetration test doesn't begin until next week, but experts who examined leaked code for the Swiss internet voting system say it's poorly designed and makes it difficult to audit the code for security and configure it to operate securely.

<https://motherboard.vice.com/en_us/article/vbwz94/experts-find-serious-probl...>

Switzerland made headlines this month for the transparency of its internet voting system when it launched a public penetration test and bug bounty program to test the resiliency of the system to attack. But after source code for the software and technical documentation describing its architecture were leaked online last week, critics are already expressing concern about the system's design and about the transparency around the public test.

Cryptography experts who spent just a few hours examining the leaked code say the system is a poorly constructed and convoluted maze that makes it difficult to follow what's going on and effectively evaluate whether the cryptography and other security measures deployed in the system are done properly.

"Most of the system is split across hundreds of different files, each configured at various levels," Sarah Jamie Lewis, a former security engineer for Amazon as well as a former computer scientist for England's GCHQ intelligence agency, told Motherboard. "I'm used to dealing with Java code that runs across different packages and different teams, and this code somewhat defeats even my understanding."

She said the system uses cryptographic solutions that are fairly new to the field and that have to be implemented in very specific ways to make the system auditable, but the design the programmers chose thwarts this. "It is simply not the standard we would expect," she told Motherboard.

[...]

On 13/02/2019 11:50, Giacomo Tesio wrote:
> On Wed, 13 Feb 2019 at 11:24, Fabio Pietrosanti (naif) - lists <lists@infosecurity.ch> wrote:
>> There is an excellent response and analysis from the Swiss CCC hackers on the fact that this is one big "marchetta" (publicity stunt):
>
> Of course.
>
> But the news is interesting for several reasons.
>
> For example, suppose a serious vulnerability is found: what guarantee can the company that introduced it give that it knows how to fix it without introducing a worse one? Do we rerun the contest every sprint until no new ones emerge? And then, how much could a vulnerability in the Swiss voting system be worth on the market?
>
> https://medium.com/@simonexxx83/perch%C3%A9-il-voto-via-internet-di-ghiringh... :-D
> Giacomo

_______________________________________________
nexa mailing list
nexa@server-nexa.polito.it
https://server-nexa.polito.it/cgi-bin/mailman/listinfo/nexa