E-future cannot be built if we don't fix serious issues with software engineering. There is no guarantee of security. There is no assurance. We basically don't know how to build secure systems yet. As daily events show (from #fappening, #shellshock to Snowden's revelations), this is one of those "hard", unresolved problems...and not just from algorithmic (non-repudiation) perspective, but also from a practical engineering perspective (we are still dealing with buffer overflows).
“The software security industry today is at about the same stage as the auto industry was in 1930" ... "it looks fast, goes nice but in an accident you die.” ... "The major shortfall is absence of assurance (or safety) mechanisms in software. If my car crashed as often as my computer does, I would be dead by now.” -- Brian Snow, Former Technical Director of the NSA, We Need Assurance http://www.research.att.com/talks_and_events/2008_distinguis....
That analysis was done by a group of individuals with strong ties to the biggest opposition party in Estonia, whose voters are primarily those who are less likely to participate in e-voting; they've been anti-promoting the e-voting system ever since they went to opposition; prior to that, they'd been openly positive about it it.
The analysts themselves were invited to the country and to do the analysis by that opposition party (Centre Party/Keskerakond); they had participated in several Centre Party events prior to publishing the research. They were reimbursed for their expenses and most likely paid a fee for the analysis. The group had demands that the system be taken down; they however refused to publish details about the study which is uncommon and is not a sign of goodwill.
but saying "terribly insecure" is more than wrong. yeah, thare are many procedural things which could be better, but technologically estonian e-voting is secure. only serious threat is propaganda.
Are you saying it's resistant to penetration by Russian security services? Sorry if I don't take your word for it. They have just successfully hacked into several of the top financial institutions in the world: http://www.networkworld.com/article/2691902/security0/russia...
They got away with customer data and who-knows-what-else. I'm pretty sure JP Morgan has a bigger cyber-security budged than the whole state of Estonia, many times over. And then check the laundry list of these: http://cybercampaigns.net/
The basic truth is: we still don't quite know how to design digital information systems that can resist attacks from very persistent or nation state level actors. Even if these are air-gaped (as demonstrated by Stuxnet).
JP Morgan has ~$2.5 Trillion under management, annual revenues near $100B/year, and profits around $20B/year. Estonia's GDP is $25B and their annual tax receipts are about $4B/year. It's quite easy to assume that JP Morgan spends far more on security than the entire country of Estonia.
E-future cannot be built if we don't fix serious issues with software engineering. There is no guarantee of security. There is no assurance. We basically don't know how to build secure systems yet. As daily events show (from #fappening, #shellshock to Snowden's revelations), this is one of those "hard", unresolved problems...and not just from algorithmic (non-repudiation) perspective, but also from a practical engineering perspective (we are still dealing with buffer overflows).
“The software security industry today is at about the same stage as the auto industry was in 1930" ... "it looks fast, goes nice but in an accident you die.” ... "The major shortfall is absence of assurance (or safety) mechanisms in software. If my car crashed as often as my computer does, I would be dead by now.” -- Brian Snow, Former Technical Director of the NSA, We Need Assurance http://www.research.att.com/talks_and_events/2008_distinguis....