>> On Mon, 31 Mar 2003 19:28:57 +0100,
>> Matthew Wilcox <[EMAIL PROTECTED]> said:
> On Mon, Mar 31, 2003 at 01:10:33PM -0500, Aaron M. Ucko wrote:
>> Sam Hartman <[EMAIL PROTECTED]>, in
>> <[EMAIL PROTECTED]> (which seems to have gone
>> only to the list).
> Well, that was fucking stupid.
>> On Mon, 31 Mar 2003 19:28:57 +0100,
>> Matthew Wilcox <[EMAIL PROTECTED]> said:
> On Mon, Mar 31, 2003 at 01:10:33PM -0500, Aaron M. Ucko wrote:
>> Sam Hartman <[EMAIL PROTECTED]>, in
>> <[EMAIL PROTECTED]> (which seems to have gone
>> only to the list).
> Well, that was fucking stupid.
On Mon, Mar 31, 2003 at 07:28:57PM +0100, Matthew Wilcox wrote:
> Let's try using some numbers. An md5sum is 16 bytes -- 128 bits.
> On average, you need 2^64 samples to find a collision. So you need around
> 600 million samples per second to find one collision in a year (assuming
> you're going
On Mon, Mar 31, 2003 at 07:28:57PM +0100, Matthew Wilcox wrote:
> Let's try using some numbers. An md5sum is 16 bytes -- 128 bits.
> On average, you need 2^64 samples to find a collision. So you need around
> 600 million samples per second to find one collision in a year (assuming
> you're going
On Mon, 2003-03-31 at 20:28, Matthew Wilcox wrote:
> On Mon, Mar 31, 2003 at 01:10:33PM -0500, Aaron M. Ucko wrote:
> It's an accomplishment, but it's affordable. Voters supplying a salt
> makes it non-doable.
What about using the Message-ID ? Or are those to short?
Everyone can compare the Mes
Manoj Srivastava <[EMAIL PROTECTED]> writes:
> Have you actually tried this? the dummy tally sheet is
When I originally voted (in the first few hours), my md5sum appeared
in the dummy tally sheet.
> The dummy tally sheet, is just that, a dummy.
Ah, so it is. My apologies for not
Manoj Srivastava wrote:
On Mon, 31 Mar 2003 15:35:15 +0100,
Matthew Wilcox <[EMAIL PROTECTED]> said:
> I believe the method for choosing the hash that allows one to
> identify one's vote is flawed. Since all components of the string
> to be fed to md5sum are chosen by the secretary or kno
On Mon, Mar 31, 2003 at 01:10:33PM -0500, Aaron M. Ucko wrote:
> Sam Hartman <[EMAIL PROTECTED]>, in <[EMAIL PROTECTED]>
> (which seems to have gone only to the list).
Well, that was fucking stupid.
> True, though I think even finding collisions on that timescale would
> be an accomplishment.
Le
Matthew Wilcox wrote:
> On Mon, Mar 31, 2003 at 12:02:14PM -0500, Aaron M. Ucko wrote:
> > Like Sam, I see no particular need for salt beyond the username.
>
> Uh.. Sam who? I saw no email.
Sam Hartman:
http://lists.debian.org/debian-vote/2003/debian-vote-200303/msg00115.html
Matthew Wilcox <[EMAIL PROTECTED]> writes:
> On Mon, Mar 31, 2003 at 12:02:14PM -0500, Aaron M. Ucko wrote:
> > Like Sam, I see no particular need for salt beyond the username.
>
> Uh.. Sam who? I saw no email. The username is insufficient salt; the
Sam Hartman <[EMAIL PROTECTED]>, in <[EMAIL
>> On Mon, 31 Mar 2003 15:35:15 +0100,
>> Matthew Wilcox <[EMAIL PROTECTED]> said:
> I believe the method for choosing the hash that allows one to
> identify one's vote is flawed. Since all components of the string
> to be fed to md5sum are chosen by the secretary or known well in
> advance,
>> On 31 Mar 2003 12:02:14 -0500,
>> Aaron M Ucko <[EMAIL PROTECTED]> said:
> Like Sam, I see no particular need for salt beyond the
> username. However, I did notice a potential anonymity attack: the
> presence of consistent partial voter lists and dummy tally sheets
> leaked some informatio
On Mon, 2003-03-31 at 20:28, Matthew Wilcox wrote:
> On Mon, Mar 31, 2003 at 01:10:33PM -0500, Aaron M. Ucko wrote:
> It's an accomplishment, but it's affordable. Voters supplying a salt
> makes it non-doable.
What about using the Message-ID ? Or are those to short?
Everyone can compare the Mes
On Mon, Mar 31, 2003 at 12:02:14PM -0500, Aaron M. Ucko wrote:
> Like Sam, I see no particular need for salt beyond the username.
Uh.. Sam who? I saw no email. The username is insufficient salt; the
secretary has a list of all debian usernames and has at least a year to
attempt to construct coll
Manoj Srivastava <[EMAIL PROTECTED]> writes:
> Have you actually tried this? the dummy tally sheet is
When I originally voted (in the first few hours), my md5sum appeared
in the dummy tally sheet.
> The dummy tally sheet, is just that, a dummy.
Ah, so it is. My apologies for not
Like Sam, I see no particular need for salt beyond the username.
However, I did notice a potential anonymity attack: the presence of
consistent partial voter lists and dummy tally sheets leaked some
information about which voters could have which hashes. (Batching
obviously alleviated this, but th
Manoj Srivastava wrote:
On Mon, 31 Mar 2003 15:35:15 +0100,
Matthew Wilcox <[EMAIL PROTECTED]> said:
> I believe the method for choosing the hash that allows one to
> identify one's vote is flawed. Since all components of the string
> to be fed to md5sum are chosen by the secretary or known
> "Matthew" == Matthew Wilcox <[EMAIL PROTECTED]> writes:
Matthew> I believe the method for choosing the hash that allows
Matthew> one to identify one's vote is flawed. Since all
Matthew> components of the string to be fed to md5sum are chosen
Matthew> by the secretary or know
On Mon, Mar 31, 2003 at 01:10:33PM -0500, Aaron M. Ucko wrote:
> Sam Hartman <[EMAIL PROTECTED]>, in <[EMAIL PROTECTED]>
> (which seems to have gone only to the list).
Well, that was fucking stupid.
> True, though I think even finding collisions on that timescale would
> be an accomplishment.
Le
Matthew Wilcox wrote:
> On Mon, Mar 31, 2003 at 12:02:14PM -0500, Aaron M. Ucko wrote:
> > Like Sam, I see no particular need for salt beyond the username.
>
> Uh.. Sam who? I saw no email.
Sam Hartman:
http://lists.debian.org/debian-vote/2003/debian-vote-200303/msg00115.html
--
To UNSUBSCR
Matthew Wilcox <[EMAIL PROTECTED]> writes:
> On Mon, Mar 31, 2003 at 12:02:14PM -0500, Aaron M. Ucko wrote:
> > Like Sam, I see no particular need for salt beyond the username.
>
> Uh.. Sam who? I saw no email. The username is insufficient salt; the
Sam Hartman <[EMAIL PROTECTED]>, in <[EMAIL
>> On Mon, 31 Mar 2003 15:35:15 +0100,
>> Matthew Wilcox <[EMAIL PROTECTED]> said:
> I believe the method for choosing the hash that allows one to
> identify one's vote is flawed. Since all components of the string
> to be fed to md5sum are chosen by the secretary or known well in
> advance,
>> On 31 Mar 2003 12:02:14 -0500,
>> Aaron M Ucko <[EMAIL PROTECTED]> said:
> Like Sam, I see no particular need for salt beyond the
> username. However, I did notice a potential anonymity attack: the
> presence of consistent partial voter lists and dummy tally sheets
> leaked some informatio
On Mon, Mar 31, 2003 at 12:02:14PM -0500, Aaron M. Ucko wrote:
> Like Sam, I see no particular need for salt beyond the username.
Uh.. Sam who? I saw no email. The username is insufficient salt; the
secretary has a list of all debian usernames and has at least a year to
attempt to construct coll
Like Sam, I see no particular need for salt beyond the username.
However, I did notice a potential anonymity attack: the presence of
consistent partial voter lists and dummy tally sheets leaked some
information about which voters could have which hashes. (Batching
obviously alleviated this, but th
On Sat, Mar 29, 2003 at 06:08:43PM -0600, The Debian Project Secretary wrote:
> The results were the same from both set of algorithms. The
> details are presented below. As stated earlier, people can verify
> details by looking at:
> a) list of people voting:
>http://master.debi
> "Matthew" == Matthew Wilcox <[EMAIL PROTECTED]> writes:
Matthew> I believe the method for choosing the hash that allows
Matthew> one to identify one's vote is flawed. Since all
Matthew> components of the string to be fed to md5sum are chosen
Matthew> by the secretary or know
On Sat, Mar 29, 2003 at 06:08:43PM -0600, The Debian Project Secretary wrote:
> The results were the same from both set of algorithms. The
> details are presented below. As stated earlier, people can verify
> details by looking at:
> a) list of people voting:
>http://master.debi
Hi,
The winner of the election is Martin Michlmayr.
I would like to thank Moshe Zadka, Branden Robinson and
Bdale Garbee for their service to the project, for standing for the
post of project leader, and for offering the developers a strong and
viable group of candidates.
Hi,
The winner of the election is Martin Michlmayr.
I would like to thank Moshe Zadka, Branden Robinson and
Bdale Garbee for their service to the project, for standing for the
post of project leader, and for offering the developers a strong and
viable group of candidates.
30 matches
Mail list logo
