Posted by Russell McOrmond-2 on May 06, 2006; 9:26pm
URL: http://civicaccess.416.s1.nabble.com/Canada-Census-on-line-tp525p566.html
Tracey P. Lauriault wrote:
> Russell, can you help Richard out? Could you share your knowledge on
> the list regarding this question?
>
> Russell is with - Getting Open Source Logic INto Governments (GOSLING)
> see his bio on the wiki - http://civicaccess.ca/wiki/RussellMcOrmond
>
> Do other people on the list work on this?
This topic has been spread across many different forums. I don't
think this is primarily a CivicAccess issue, so those interested in the
topic should be going elsewhere. There are a variety of people involved
with GOSLING that have more details:
http://GOSLINGcommunity.org
Here is where the CivicAccess part comes in: A number of people have
been trying to do ATIP requests to get documentation on this process,
including a number of security students who obviously recognize that
security by obscurity is not security at all. Their requests have been
denied, with the government claiming that the release of any
documentation on this process would involve proprietary third-party
vendor knowledge.
http://phbo.blogspot.com/
This process involves the downloading of unverified/unaudited and
non-ATIP'able software to the citizen's home computer, circumventing all
security settings of that citizen. Whatever theory was used to claim
that this system is "secure" is invalid from the perspective of the
security of the citizen's computer given the only way to run this
application is to be insecure.
In this case the application is written in Java, but that is not
relevant: It is not a "vulnerability" in a computing language that is
at issue, but the fact that an application that has no third-party
auditing is being installed/executed on the person's computer. Java is a
full-featured language and can manipulate the same system files that a
program written in C or any other complete language could.
The "theory" behind this application may be sound, but the
implementation is not. The theory was to use encryption in a variety of
ways to ensure that the data was kept private and anonymous. The
problem is that this type of theory can only be implemented "in the real
world" through open vendor-neutral standards and multiple
citizen-verifiable (IE: full source code available for open audit)
implementations. No matter what "theory" is being claimed to be
implemented, there is no way to verify that the code being installed on
the citizen's computer is remotely related to this "theory".
To understand the problem in more depth, read about the "code is law"
concept:
Speaking Notes from the SpeedGeek at Toronto Penguin Day on November 20,
2004.
http://www.flora.ca/documents/code-is-law-speedgeek.html
--
Russell McOrmond, Internet Consultant: <http://www.flora.ca/>
2415+ Canadians oppose Bill C-60 which protects antiquated Recording,
Movie and "software manufacturing" industries from modernization.
Send a letter to your Canadian MP! --> http://digital-copyright.ca/