Re: Debian Project Leader Election 2003 Results
On Mon, Mar 31, 2003 at 12:02:14PM -0500, Aaron M. Ucko wrote:
> Like Sam, I see no particular need for salt beyond the username.
Uh.. Sam who? I saw no email. The username is insufficient salt; the
secretary has a list of all debian usernames and has at least a year to
attempt to construct collisions.
> However, I did notice a potential anonymity attack: the presence of
> consistent partial voter lists and dummy tally sheets leaked some
> information about which voters could have which hashes. (Batching
> obviously alleviated this, but there were probably hours when very few
> initial votes came in.)
>
> One remedy would be not to post the list of who had voted until after
> the election.
Yes, that's true. Or add a significantly longer batching period; maybe
one day is enough.
--
"It's not Hollywood. War is real, war is primarily not about defeat or
victory, it is about death. I've seen thousands and thousands of dead bodies.
Do you think I want to have an academic debate on this subject?" -- Robert Fisk