headers
Michael Goetze | 1 Apr 2003 01:24

Re: Debian Project Leader Election 2003 Results

On Mon, Mar 31, 2003 at 07:28:57PM +0100, Matthew Wilcox wrote:
> Let's try using some numbers.  An md5sum is 16 bytes -- 128 bits.
> On average, you need 2^64 samples to find a collision.  So you need around
> 600 million samples per second to find one collision in a year (assuming
> you're going for a brute-force attack and you're not exploiting some
> of the weaknesses of md5).  Let's assume your 3GHz processor takes 1000
> cycles to calculate an md5sum (I don't know what it really is.. a real
> number wouldn't hurt at this point..), so it can do 3 million samples/s.
> 200 of them will do it.
> 
> It's an accomplishment, but it's affordable.  Voters supplying a salt
> makes it non-doable.

Excuse me, maybe I am missing something, but as far as I understand it,
it's not sufficient to just find *any* collision; rather, you have to
find a collision that actually makes sense (that is, starts with a valid
debian login id). There are 2^128 possible 128-bit md5 hashes and, given
1000 eligible voters and 16-digit hexadecimal tokens, 1000*16^16
possible strings. According to bc(1), that gives a probability of
.00000000000000005421 that a valid collision exists for any given
secret. By adding some random noise in the form of a salt, you are
increasing the feasibility of actually doing this.

I have no clue whatsoever about this, really, so just ignore me if I'm
wrong.

- Michael

--

-- 
Sometimes I worry about being a success in a mediocre world.
(Continue reading)

Permalink | Reply | 0 comments |
headers
Matthew Wilcox | 1 Apr 2003 16:42
Picon
Favicon

ccing messages


if you didn't cc me, you don't get a response.

--

-- 
"It's not Hollywood.  War is real, war is primarily not about defeat or
victory, it is about death.  I've seen thousands and thousands of dead bodies.
Do you think I want to have an academic debate on this subject?" -- Robert Fisk
Permalink | Reply | 4 comments |
headers
Daniel Jacobowitz | 1 Apr 2003 22:44
Picon
Favicon

Re: ccing messages

On Tue, Apr 01, 2003 at 03:42:18PM +0100, Matthew Wilcox wrote:
> 
> if you didn't cc me, you don't get a response.

Use a mailer that announces your preference, or cope with whatever
people feel like doing, just like the rest of us.

--

-- 
Daniel Jacobowitz
MontaVista Software                         Debian GNU/Linux Developer
Permalink | Reply | 3 comments |
headers
Matthew Wilcox | 1 Apr 2003 22:50
Picon
Favicon

Re: ccing messages

On Tue, Apr 01, 2003 at 03:44:51PM -0500, Daniel Jacobowitz wrote:
> On Tue, Apr 01, 2003 at 03:42:18PM +0100, Matthew Wilcox wrote:
> > 
> > if you didn't cc me, you don't get a response.
> 
> Use a mailer that announces your preference, or cope with whatever
> people feel like doing, just like the rest of us.

Uh?  No followup-to header indicates you want to be cc'd in the rest of
the universe.  It's just debian that's broken.

--

-- 
"It's not Hollywood.  War is real, war is primarily not about defeat or
victory, it is about death.  I've seen thousands and thousands of dead bodies.
Do you think I want to have an academic debate on this subject?" -- Robert Fisk
Permalink | Reply | 2 comments |
headers
Manoj Srivastava | 2 Apr 2003 04:21
X-Face
Picon
Favicon

Re: Voting on voting systems amendment

>> On Mon, 31 Mar 2003 15:30:37 -0500 (EST),
>> Sam Hartman <hartmans <at> debian.org> said: 

 > I seem to recall that Manoj started a discussion period for the
 > voting fixes GR.  There seemed to be some discussion but no
 > significant proposed changes and the points raised during the
 > discussion seem from my standpoint to have been answered.  What
 > needs to happen now so we can actually vote on that GR?

        Actually, looking over me records, I _talked_ about it, but
 never got around to actually formally starting the 2 week GR
 discussion period. I am away from my gpg key until Friday, but I'll
 be happy to start the discussion then, unless Raul or AJ want to do
 it now.

        manoj

--

-- 
A quarrel is quickly settled when deserted by one party; there is no
battle unless there be two. Seneca
Manoj Srivastava     <srivasta <at> acm.org>    <http://www.golden-gryphon.com/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
Permalink | Reply | 0 comments |
headers
Manoj Srivastava | 2 Apr 2003 04:20
X-Face
Picon
Favicon

Re: Debian Project Leader Election 2003 Results

>> On Mon, 31 Mar 2003 19:28:57 +0100,
>> Matthew Wilcox <willy <at> debian.org> said: 

 > On Mon, Mar 31, 2003 at 01:10:33PM -0500, Aaron M. Ucko wrote:
 >> Sam Hartman <hartmans <at> d.o>, in
 >> <tslfzp3jye6.fsf <at> konishi-polis.mit.edu> (which seems to have gone
 >> only to the list).

 > Well, that was fucking stupid.

 >> True, though I think even finding collisions on that timescale
 >> would be an accomplishment.

 > Let's try using some numbers.  An md5sum is 16 bytes -- 128
 > bits. On average, you need 2^64 samples to find a collision.  So
 > you need around 600 million samples per second to find one
 > collision in a year (assuming you're going for a brute-force attack
 > and you're not exploiting some of the weaknesses of md5).  Let's
 > assume your 3GHz processor takes 1000 cycles to calculate an md5sum
 > (I don't know what it really is.. a real number wouldn't hurt at
 > this point..), so it can do 3 million samples/s. 200 of them will
 > do it.

 > It's an accomplishment, but it's affordable.  Voters supplying a
 > salt makes it non-doable.

        Right. And now make that collision be the login id of another
 debian developer who has voted the same way as the first developer.

        Frankly, there are more important things to be done on devotee
(Continue reading)

Permalink | Reply | 0 comments |
headers
Davi Leal | 3 Apr 2003 00:10

Voting System Requirements

Hi,

Maybe you would like to look at this document (Page 6): "Voting System 
Requirements", http://www.thebell.net/papers/vote-req.pdf 

Could you supply me any documentation of the Debian Project e-Voting system?.

Disclaimer:
    I am not a Debian developer.
    I am very busy.

Regards,
Davi

P.S.:  Is the anonymity feature main to avoid ... ?
Permalink | Reply | 5 comments |
headers
Davi Leal | 3 Apr 2003 00:31
Picon
Favicon

Voting System Requirements

Hi,

Maybe you would like to look at this document (Page 6): "Voting System 
Requirements", http://www.thebell.net/papers/vote-req.pdf 

Could you supply me any documentation of the Debian Project e-Voting system?.

Disclaimer:
    I am not a Debian developer.
    I am very busy.

Regards,
Davi

P.S.:  Is the anonymity feature main to avoid ... ?
Permalink | Reply | 0 comments |
headers
Jochen Voss | 3 Apr 2003 08:36
Picon

Re: Voting System Requirements

Hello,

On Thu, Apr 03, 2003 at 12:10:27AM +0200, Davi Leal wrote:
> Could you supply me any documentation of the Debian Project e-Voting system?.
I collected information and references about the Debian voting system at

    http://www.mathematik.uni-kl.de/~wwwstoch/voss/comp/vote.html

If you think there is something missing which I should add,
please tell me.

Jochen
--

-- 
                                         Omm
                                      (0)-(0)
http://www.mathematik.uni-kl.de/~wwwstoch/voss/index.html
Permalink | Reply | 4 comments |
headers
Manoj Srivastava | 3 Apr 2003 17:48
X-Face
Picon
Favicon

Re: ccing messages

>> On Tue, 1 Apr 2003 21:50:22 +0100,
>> Matthew Wilcox <willy <at> debian.org> said: 

 > Uh?  No followup-to header indicates you want to be cc'd in the
 > rest of the universe.  It's just debian that's broken.

	I see you have not read the Debian mailing list policy.

	manoj
--

-- 
 Mirrors should reflect a little before throwing back images. Jean
 Cocteau
Manoj Srivastava   <srivasta <at> debian.org>  <http://www.debian.org/%7Esrivasta/>
1024R/C7261095 print CB D9 F4 12 68 07 E4 05  CC 2D 27 12 1D F5 E8 6E
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
Permalink | Reply | 1 comment |

Gmane