Saturday, August 28, 2010

Towards EVMsecure :)

Among the security community, even among those who argue in favor of security through obscurity, the consensus is that security through obscurity should never be used as a primary security measure. It is, at best, a secondary measure; and disclosure of the obscurity should not result in a compromise.
- "Security by Obscurity." Wikipedia, The Free Encyclopedia. Wikimedia Foundation, Inc. 12 August 2010 at 17:13 Web. 28 Aug. 2010.
However, the Election Commission seems to have followed this as a primary measure for the EVMs. Its open challenge in 2009 seems to clearly reflect this mindset. This position made the EVMs a lightning rod for independent security researchers/cryptanalysts to investigate whether the EVMs are truly as secure as claimed. Their paper, videos and website should be viewed in this light.
While Gonggrijp and Professor Halderman have echoed a global consensus about electronic voting machines being inherently insecure and hence requiring a paper audit, what must be kept in perspective is the reality of the huge gains in efficiency and relative safety that the machines have achieved in India since their deployment!!
Rather than responding in the typically bureaucratic knee-jerk manner to the disclosure, could not the Indian institutions have persuaded the cryptanalysts to become ethical hackers (whitehats)? I certainly hope a team comprised of the cryptanalysts and experts drawn from various stakeholders in India (such as the Election Commission, embedded system experts, security researchers) is being formed as I write to perform a comprehensive security audit on the device and come up with EVMsecure :). A by-election could serve as a pilot project to test its real-world efficacy.
What an exciting and awesome challenge for this team - to retain faith in the election process of the world's largest democracy!!

1 comment:

  1. Latest antic from the extraordinarily mediocre and regressive section of the Indian bureaucracy.

    They are blindly shooting the messenger, a reputed researcher who discovered and reported technical flaws of the device and is not the rabble-rouser that they seem to believe him to be.

    Hmm.. can someone clarify how this is different from the way China treats independent intellectuals?