Re: Debian Project Leader Election 2003 Results

On Mon, Mar 31, 2003 at 12:02:14PM -0500, Aaron M. Ucko wrote:
> Like Sam, I see no particular need for salt beyond the username.

Uh.. Sam who?  I saw no email.  The username is insufficient salt; the
secretary has a list of all debian usernames and has at least a year to
attempt to construct collisions.

> However, I did notice a potential anonymity attack: the presence of
> consistent partial voter lists and dummy tally sheets leaked some
> information about which voters could have which hashes.  (Batching
> obviously alleviated this, but there were probably hours when very few
> initial votes came in.)
> One remedy would be not to post the list of who had voted until after
> the election.

Yes, that's true.  Or add a significantly longer batching period; maybe
one day is enough.

"It's not Hollywood.  War is real, war is primarily not about defeat or
victory, it is about death.  I've seen thousands and thousands of dead bodies.
Do you think I want to have an academic debate on this subject?" -- Robert Fisk
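
The batching point discussed in this message, as an added example that is not part of the original email or of the Debian voting software: it diffs successive published voter lists and tally sheets to measure how many voters each tally hash could belong to. The vote times, names, tokens, the truncated SHA-256 hash and the model of both lists being published together at the end of each batch are all assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample: (hours since polls opened, voter, secret ballot token).
VOTES = [
    (0.2, "alice", "t1"), (0.7, "bob", "t2"), (3.5, "carol", "t3"),
    (9.0, "dave", "t4"), (9.4, "erin", "t5"), (20.0, "frank", "t6"),
]

def snapshots(votes, batch_hours):
    """Yield (voter_list, tally_hashes) as published at the end of each batch."""
    by_batch = defaultdict(list)
    for t, voter, token in votes:
        by_batch[int(t // batch_hours)].append((voter, token))
    voters, hashes = set(), set()
    for b in sorted(by_batch):
        for voter, token in by_batch[b]:
            voters.add(voter)
            # Hypothetical hash form; the real scheme is not given in the thread.
            hashes.add(hashlib.sha256(token.encode()).hexdigest()[:8])
        yield frozenset(voters), frozenset(hashes)

def anonymity_sets(votes, batch_hours):
    """Map each tally hash to the voters who could own it, by diffing snapshots."""
    result = {}
    prev_v, prev_h = frozenset(), frozenset()
    for v, h in snapshots(votes, batch_hours):
        new_voters = v - prev_v          # names that appeared in this batch
        for hsh in h - prev_h:           # hashes that appeared in this batch
            result[hsh] = new_voters
        prev_v, prev_h = v, h
    return result

def smallest_set(votes, batch_hours, publish_voters=True):
    """Worst-case anonymity set size over all hashes for a given policy."""
    if not publish_voters:               # voter list withheld until the end
        return len({voter for _, voter, _ in votes})
    return min(len(s) for s in anonymity_sets(votes, batch_hours).values())

if __name__ == "__main__":
    for hours in (1, 12, 24):
        print(f"{hours:>2}h batches -> smallest set: {smallest_set(VOTES, hours)}")
    print("list withheld -> smallest set:", smallest_set(VOTES, 1, False))
```

With this sample a 12-hour batch still leaves one hash attributable to a single voter, because only one vote arrives in the second half of the day.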

