Public hacker test on Swiss Post’s e-voting system
Public Intrusion Test (PIT)
Swiss Post will be carrying out resilience testing, also known as a public intrusion test (PIT), on its e-voting system between 25 February and 24 March 2019. During the test, hackers and other independent IT specialists can challenge the Swiss Post e-voting system with deliberate attacks.
[...]
Why is Swiss Post performing an intrusion test on its e-voting system?
Swiss Post believes that only a transparent e-voting solution can be successful in the long term. By opening it up to an intrusion test, it is exposing its system to the intelligence and skill of sophisticated hackers to identify whether, when and how its e-voting system can be compromised.
It will incorporate the results of the intrusion test into the development of its e-voting system. Swiss Post will identify and rectify any vulnerabilities that may be found.
Last but not least, the intrusion test should also establish hard facts and thereby contribute to a fact-based discussion of e-voting.
Intrusion tests are an established procedure within the IT field and are a standard part of developing many IT systems.
https://www.evoting-blog.ch/en/pages/2019/public-hacker-test-on-swiss-post-s...
There is an excellent response and assessment from the hackers of the Swiss CCC, on the fact that this is one big "publicity stunt":
https://medium.com/@simonexxx83/perch%C3%A9-il-voto-via-internet-di-ghiringh...
Fabio
On 11/02/2019 10:51, Giacomo Tesio wrote:
Public Intrusion Test (PIT)
Swiss Post will be carrying out resilience testing, also known as a public intrusion test (PIT), on its e-voting system between 25 February and 24 March 2019. During the test, hackers and other independent IT specialists can challenge the Swiss Post e-voting system with deliberate attacks.
[...]
Why is Swiss Post performing an intrusion test on its e-voting system?
Swiss Post believes that only a transparent e-voting solution can be successful in the long term. By opening it up to an intrusion test, it is exposing its system to the intelligence and skill of sophisticated hackers to identify whether, when and how its e-voting system can be compromised.
It will incorporate the results of the intrusion test into the development of its e-voting system. Swiss Post will identify and rectify any vulnerabilities that may be found.
Last but not least, the intrusion test should also establish hard facts and thereby contribute to a fact-based discussion of e-voting.
Intrusion tests are an established procedure within the IT field and are a standard part of developing many IT systems.
https://www.evoting-blog.ch/en/pages/2019/public-hacker-test-on-swiss-post-s...
_______________________________________________
nexa mailing list
nexa@server-nexa.polito.it
https://server-nexa.polito.it/cgi-bin/mailman/listinfo/nexa
On Wed, 13 Feb 2019 at 11:24, Fabio Pietrosanti (naif) - lists <lists@infosecurity.ch> wrote:
There is an excellent response and assessment from the hackers of the Swiss CCC, on the fact that this is one big "publicity stunt":
Of course. But the news is interesting for several reasons. For example, suppose a serious vulnerability is found: what guarantee can the company that introduced it give that it knows how to fix it without introducing a worse one? Do we rerun the contest every sprint until no new ones emerge? And then, how much could a vulnerability in the Swiss voting system be worth on the market?
https://medium.com/@simonexxx83/perch%C3%A9-il-voto-via-internet-di-ghiringh...
:-D
Giacomo
A fine lesson!
Experts Find Serious Problems With Switzerland's Online Voting System Before Public Penetration Test Even Begins
The public penetration test doesn’t begin until next week, but experts who examined leaked code for the Swiss internet voting system say it’s poorly designed and makes it difficult to audit the code for security and configure it to operate securely.
<https://motherboard.vice.com/en_us/article/vbwz94/experts-find-serious-probl...>
Switzerland made headlines this month for the transparency of its internet voting system when it launched a public penetration test and bug bounty program to test the resiliency of the system to attack.
But after source code for the software and technical documentation describing its architecture were leaked online last week, critics are already expressing concern about the system’s design and about the transparency around the public test.
Cryptography experts who spent just a few hours examining the leaked code say the system is a poorly constructed and convoluted maze that makes it difficult to follow what’s going on and effectively evaluate whether the cryptography and other security measures deployed in the system are done properly.
“It is simply not the standard we would expect.”
“Most of the system is split across hundreds of different files, each configured at various levels,” Sarah Jamie Lewis, a former security engineer for Amazon as well as a former computer scientist for England’s GCHQ intelligence agency, told Motherboard. “I’m used to dealing with Java code that runs across different packages and different teams, and this code somewhat defeats even my understanding.”
She said the system uses cryptographic solutions that are fairly new to the field and that have to be implemented in very specific ways to make the system auditable, but the design the programmers chose thwarts this.
“It is simply not the standard we would expect,” she told Motherboard.
[...]
On 13/02/2019 11:50, Giacomo Tesio wrote:
On Wed, 13 Feb 2019 at 11:24, Fabio Pietrosanti (naif) - lists <lists@infosecurity.ch> wrote:
There is an excellent response and assessment from the hackers of the Swiss CCC, on the fact that this is one big "publicity stunt":
Of course.
But the news is interesting for several reasons.
For example, suppose a serious vulnerability is found: what guarantee can the company that introduced it give that it knows how to fix it without introducing a worse one? Do we rerun the contest every sprint until no new ones emerge? And then, how much could a vulnerability in the Swiss voting system be worth on the market?
https://medium.com/@simonexxx83/perch%C3%A9-il-voto-via-internet-di-ghiringh... :-D
Giacomo
participants (3): Alberto Cammozzo, Fabio Pietrosanti (naif) - lists, Giacomo Tesio