
Re: Debian Project Leader Election 2003 Results

Like Sam, I see no particular need for salt beyond the username.
However, I did notice a potential anonymity attack: the presence of
consistent partial voter lists and dummy tally sheets leaked some
information about which voters could have which hashes.  (Batching
obviously alleviated this, but there were probably hours when very few
initial votes came in.)

One remedy would be not to post the list of who had voted until after
the election.

Aaron M. Ucko, KB1CJC (amu at alum.mit.edu, ucko at debian.org)
Finger amu@monk.mit.edu (NOT a valid e-mail address) for more info.
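
The leak described in the message above can be measured from the published snapshots. This is an added example, not part of the original post or of Debian's voting software. The snapshot format, the function names and the sample names and hashes are all constructed, and it assumes a voter's name and hash first appear in the same snapshot.

```python
from typing import Dict, FrozenSet, Iterable, List, Tuple

# (names on the published voter list, hashes on the published tally sheet)
Snapshot = Tuple[FrozenSet[str], FrozenSet[str]]

def snap(voters: Iterable[str], hashes: Iterable[str]) -> Snapshot:
    return frozenset(voters), frozenset(hashes)

def anonymity_sets(snapshots: List[Snapshot]) -> Dict[str, FrozenSet[str]]:
    """Map each tally hash to the voters who could own it.

    Assumption: a hash that is new in snapshot i can only belong to a
    voter whose name is also new in snapshot i.
    """
    sets: Dict[str, FrozenSet[str]] = {}
    seen_voters: FrozenSet[str] = frozenset()
    seen_hashes: FrozenSet[str] = frozenset()
    for voters, hashes in snapshots:
        new_voters = voters - seen_voters
        for h in hashes - seen_hashes:
            sets[h] = new_voters
        seen_voters |= voters
        seen_hashes |= hashes
    return sets

def smallest_set(snapshots: List[Snapshot]) -> int:
    """Size of the smallest candidate set; 1 means a hash is fully linked."""
    return min(len(c) for c in anonymity_sets(snapshots).values())

def names_withheld(snapshots: List[Snapshot]) -> List[Snapshot]:
    """The remedy in the message: the voter list appears once, at the end."""
    voters = frozenset().union(*(v for v, _ in snapshots))
    hashes = frozenset().union(*(h for _, h in snapshots))
    return [(voters, hashes)]

# Constructed sample: a busy batch, a quiet hour with one vote, then two votes.
PUBLISHED = [
    snap(["alice", "bob", "carol"], ["h1", "h2", "h3"]),
    snap(["alice", "bob", "carol", "dave"], ["h1", "h2", "h3", "h4"]),
    snap(["alice", "bob", "carol", "dave", "erin", "frank"],
         ["h1", "h2", "h3", "h4", "h5", "h6"]),
]

if __name__ == "__main__":
    for h, candidates in sorted(anonymity_sets(PUBLISHED).items()):
        print(h, sorted(candidates))
    print("smallest set, names published per batch:", smallest_set(PUBLISHED))
    print("smallest set, names withheld until the end:",
          smallest_set(names_withheld(PUBLISHED)))
```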
