Wednesday, September 15, 2010

Keep Momentum .. from Haystack to eVoting Machines

The internet is abuzz about Haystack Network.  Their product was a network anonymizing system that promised to undetectably pierce Great Firewalls, and obfuscate the location of internet-connected dissidents.  Haystack's abilities were trumpeted as a victory for free speech -- and since the buzz coincided with Iran blocking internet sites during its elections, it enjoyed bi-partisan praise from both John McCain (R) and Hillary Clinton (D).

It turned out to be snakeoil.  Like its metaphorical counterpart, Haystack contained ineffective ingredients at best, and poison at worst.  Not only did it fail to leap firewalls or protect the location of users, it announced itself on the network and was easily hijacked!  (It also does not cure bilious humors.  Don't ask how I know.)

The problem with snakeoil is the "secret ingredients."  Haystack refused to tell anyone how the app worked its magic -- claiming that to do so would allow attackers to foil it.  This is "security through obscurity" and it should give you the heebies.  Cypherpunks cite Kerckhoffs' principle and tell you that a truly secure system remains secure even after the enemy figures out how it works.  Otherwise, you're only buying time.

So here's my thought.  This tale runs directly parallel to that of electronic voting systems.  Yes, we're excited to have a system that avoids dangling chads and ballot stuffing.  And we're told that the systems we're buying are secure.  But we're told that if the general public knew how they work, they'd be instantly prone to foul play.[needs citation]  "Cures what ails ya?"  Shenanigans!  And research suggests the same.

Haystack Network's vaporware was celebrated on both sides of the aisle -- so backlash and embarrassment should be bi-partisan as well, right?  (Or swept under the rug twice as fast.) Can we take the momentum from this lesson learned and apply it to the electronic voting systems that are being peddled to us?  These things need to be secured, publicly proven, beat up and disassembled -- even if it's not cost effective for the suppliers.  Let's demand it!

Also, tin-foil hats for everyone.
