Sunday, February 26, 2006
After the 2000 election, a lot of people were convinced that if only a complete recount were allowed, Gore would have beaten Bush. My response to them is that there is simply no way to know. Different recounts performed by the same group of media organizations came up with different results. Votes that were never cast, or were lost in various ways, could never be recovered. And the prospect of election workers attempting to figure out “voter intent” by examining incorrectly punched ballots is just asking for a biased result. If the margin of victory were large, using this type of procedure wouldn't affect the result. Given that the error in the voting process was systematic, the only way to solve the problem would have been to have the entire state recast its ballots. Of course, a recount of the disputed counties was blocked and Bush was declared victorious by approximately 500 votes.
Now, fast forward to 2004. Democratic partisans like to point out that electronic voting machines were used in the 2004 election in Ohio, the state that swung the election towards Bush. The machines were made by Diebold, a company whose owner was “committed to helping Ohio deliver its electoral votes to the president”1. The difference here was that the margin of victory in Ohio was greater than the number of disputed votes. Even if all the disputed votes were cast for Kerry, Bush would have won the state. Votes that were never cast, of course, cannot be recounted. So, the only possibility (I know of) that could have swung the election was tampering with the ballots themselves. This is a situation where no recounts would ever solve the problem. If the ballots were cast incorrectly, and there is no voter-verifiable paper trail, they are lost forever.
The possibility that the voting machines could be manipulated was well known, but whether it had actually happened was conjecture until Black Box Voting2 sued to obtain the logs from Palm Beach County, Florida voting machines (made by Sequoia, not Diebold). They report that the logs contain date discrepancies in recorded votes (specifically, votes recorded on dates other than election day on machines that were only used on election day), and a number of strange errors. While there is no evidence yet that any votes were changed, there is mounting evidence that the machines are not doing their jobs correctly, and that some votes were lost (when the machines were powered down on election day).
A democracy requires an elections system that is trusted by all its citizens. The American system is on the verge of losing this trust (if it hasn't already). The two advantages of voting machine technology over paper ballots are increased handicapped accessibility and rapid, accurate counting. The disadvantages are that the votes have no real existence, and, in a badly designed system, are subject to unverifiable manipulation.
The technological problems with the machines can be fixed. Taxpayers are paying for the machines. They should not have to sue to obtain the records, and there should be no claims that any databases used in the administration of elections are owned by the voting machine company.3 In the best case, voting machines should be:
- open source, such that any competent citizen-hacker can find sloppy programming and security glitches before the machines are used
- voter-verifiable, with a paper backup of the cast ballot being printed and no vote being recorded until the voter verifies that what is written on the paper is the same as his/her vote.
- tested, both before and after election day. The machines should all be tested for accuracy before being used, and some machines' results should be checked against the paper ballots and other records to assure that the machine actually recorded in code what it wrote on the paper.
- backed up on election day. The machines should have a continuous, encrypted and authenticated feed to a central location where the votes are stored or tabulated, such that the central location's records could be compared to the individual machine's, and any problems with one machine would not cause any votes to be lost.
All of these technologies are used regularly in other fields. Banks regularly and securely process large amounts of data from far-away local machines. Votes should be treated with equal or greater importance.
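The fourth requirement above (a continuous, authenticated feed to a central location, so that one machine's failure loses no votes and the central records can be compared against the machine's) is the kind of thing banks do with sequence numbers and message authentication codes. The following is an added example, not code from the original post or from any voting-machine vendor: each machine signs every vote record with a per-machine HMAC key and a running sequence number, and the central tabulator rejects altered or replayed records and lists the sequence numbers it never received. The machine id, key and ballots are constructed; transport encryption (e.g. TLS) is assumed to be handled separately.

```python
"""Sequenced, HMAC-authenticated vote-record feed with gap detection (added example)."""
import hashlib
import hmac
import json


def _canonical(body: dict) -> bytes:
    # Stable serialization so machine and tabulator MAC exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_record(key: bytes, machine_id: str, seq: int, ballot: dict) -> dict:
    """Machine side: bind the ballot to its machine and sequence number with an HMAC."""
    body = {"machine": machine_id, "seq": seq, "ballot": ballot}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": tag}


def verify_record(key: bytes, rec: dict) -> bool:
    """Tabulator side: recompute the HMAC over everything except the tag itself."""
    body = {k: v for k, v in rec.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rec.get("mac", ""))


class CentralTabulator:
    """Accepts records, tallies them, and tracks which sequence numbers arrived."""

    def __init__(self, keys: dict):
        self.keys = keys          # machine id -> per-machine key (provisioned out of band)
        self.seen = {}            # machine id -> set of accepted sequence numbers
        self.tally = {}           # race -> {choice: count}
        self.rejected = []        # forged, altered or duplicated records, kept for audit

    def ingest(self, rec: dict) -> bool:
        key = self.keys.get(rec.get("machine"))
        if key is None or not verify_record(key, rec):
            self.rejected.append(rec)          # unknown machine or tampered record
            return False
        seqs = self.seen.setdefault(rec["machine"], set())
        if rec["seq"] in seqs:
            self.rejected.append(rec)          # replayed record
            return False
        seqs.add(rec["seq"])
        for race, choice in rec["ballot"].items():
            counts = self.tally.setdefault(race, {})
            counts[choice] = counts.get(choice, 0) + 1
        return True

    def missing(self, machine: str, last_seq_issued: int) -> list:
        """Sequence numbers the machine issued that the centre never accepted."""
        return sorted(set(range(1, last_seq_issued + 1)) - self.seen.get(machine, set()))


def run_demo():
    """Constructed scenario: one machine, five ballots, one lost, one altered, one replayed."""
    key = b"constructed-per-machine-key-017"
    central = CentralTabulator({"PBC-017": key})
    ballots = [{"gov": "A"}, {"gov": "B"}, {"gov": "A"}, {"gov": "A"}, {"gov": "B"}]
    records = [sign_record(key, "PBC-017", i + 1, b) for i, b in enumerate(ballots)]

    for rec in records:
        if rec["seq"] == 3:
            continue                            # lost when the machine powered down
        if rec["seq"] == 4:
            rec = {**rec, "ballot": {"gov": "B"}}  # altered after signing
        central.ingest(rec)
    central.ingest(records[1])                  # replay of seq 2
    # Machine later reports it issued sequence numbers 1..5.
    return central.tally, len(central.rejected), central.missing("PBC-017", 5)


if __name__ == "__main__":
    print(run_demo())
```

In the constructed run, the altered record fails its MAC, the replay is dropped as a duplicate, and `missing` reports sequence numbers 3 and 4: exactly the records an auditor would then pull from the machine's paper trail.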
1 Of course, as a citizen, the owner of a voting machine-maker has equal free speech rights to support whatever candidate he chooses. But, given how much actual control he and his company have over the process of the elections, an extra amount of transparency in the machines would go a long way to quieting conspiracy theorists. Diebold has been anything but transparent.
2 Engineers use the term “black box” to refer to any equipment whose internal workings they don't know. A car with its hood welded shut would be a black box, in this sense. It can be interacted with through the controls that the driver is allowed to see (the steering wheel, pedals, transmission stick), but it can't be determined what those controls do internally.
3 Brad Blog documents the shenanigans to date in trying to gain access to the voting records from the 2004 elections in Alaska. First, the state refused to release them, on the grounds that their contract with Diebold stated that they were property of the company. Second, the company and state reached an agreement where the records would be released, but only if the company could manipulate them first. Now, the state has blocked their release on the grounds that the public having the voting records would pose a threat to the state's security.
Technorati tags: security, voting+machines
Monday, February 20, 2006
Followup: Birthright application (In)security
Anyone who has ever called any company they have a personal account with, from a bank to a cable company, knows that the following information is sufficient to verify their identity:
- Name (on application)
- Birthdate (on application)
- Address and/or telephone number (not on first page, but I assume it will be asked for elsewhere in the application)
- Last four digits of the social security number
Secondly, any of that information combined with the whole social security number will certainly be able to be used for identity theft. Can a whole nine digit SSN be reconstructed with only the last four digits? To figure that out, you need to know how a social security number is constructed. The first three digits are an area number. All that someone would need to know to figure that out is my place of birth. Given my real name, it's not that hard to figure out from Google or other public records. The middle two digits, the group number, are a bit harder to figure out, but they're issued in a regular pattern. Anyone who has figured out the pattern (like a sophisticated identity thief or a sophisticated identity thief's customer) could know them. The last four digits are the only ones that are truly random! So, by giving them away, I could effectively be giving away all nine digits, or minimally, seven of them, reducing the probability of randomly guessing it from an unreasonably high number slightly above one in a billion to a doable number slightly above one in a hundred.1
It is true (as far as I can tell) that if the only information a nefarious man-in-the-middle had were the last four digits of a social security number, then he could not steal an identity. Here, that is not the case. All the other information transmitted along with it (or the password transmitted along with it) gives enough information to pose a serious identity theft risk.
Given the risk, it is inconceivable why anyone would design a website that transmits such information in clear text, or even that uses any part of a social security number as an internal identifier. Why not simply assign the application a number in the order it's received?
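Assigning the application a number in the order it is received, as suggested above, is cheap to do, and it means the identifier that travels in URLs, forms and e-mails carries no SSN digits at all. The following is an added example, not code from the original post or from the application site it discusses: it contrasts an SSN-derived identifier with a sequential opaque one, keeps the SSN server-side (reachable only through a keyed hash used for duplicate detection), and includes the footnote's guess-count arithmetic. The registry class, the pepper and the applicants are constructed for the example; encrypting the stored SSN at rest is assumed to happen elsewhere.

```python
"""Opaque application identifiers instead of SSN-derived ones (added example)."""
import hashlib
import hmac
import itertools


def ssn_derived_id(last_name: str, ssn: str) -> str:
    """Anti-pattern: the identifier itself leaks four of the nine SSN digits."""
    return f"{last_name.lower()}-{ssn[-4:]}"


def guesses_left(known_digits: int) -> int:
    """Brute-force space once `known_digits` of the nine are known.

    Per the post's footnote, the real space is slightly smaller because some
    SSNs are publicly known to be invalid.
    """
    return 10 ** (9 - known_digits)


class ApplicationRegistry:
    """Server-side store: sequential opaque ids, SSN never used as an identifier."""

    def __init__(self, pepper: bytes):
        self._pepper = pepper                  # secret key for the SSN lookup hash
        self._counter = itertools.count(1)     # order of receipt
        self._apps = {}                        # opaque id -> full record (server only)
        self._by_ssn_key = {}                  # HMAC(pepper, ssn) -> opaque id

    def _ssn_key(self, ssn: str) -> str:
        # Keyed hash: lets us detect a repeat application without storing or
        # exposing the SSN in any index that might leak.
        return hmac.new(self._pepper, ssn.encode(), hashlib.sha256).hexdigest()

    def submit(self, name: str, birthdate: str, ssn: str) -> str:
        k = self._ssn_key(ssn)
        if k in self._by_ssn_key:
            return self._by_ssn_key[k]         # existing application, same opaque id
        app_id = f"APP-{next(self._counter):06d}"
        self._apps[app_id] = {"name": name, "birthdate": birthdate, "ssn": ssn}
        self._by_ssn_key[k] = app_id
        return app_id

    def public_view(self, app_id: str) -> dict:
        """What the applicant-facing page may show: no SSN digits, even the last four."""
        rec = self._apps[app_id]
        return {"id": app_id, "name": rec["name"], "ssn_on_file": bool(rec["ssn"])}


if __name__ == "__main__":
    # Constructed applicants; the SSNs are not real.
    reg = ApplicationRegistry(pepper=b"constructed-server-secret")
    first = reg.submit("Jane Doe", "1980-01-01", "123456789")
    print(ssn_derived_id("Doe", "123456789"), "->", first, reg.public_view(first))
    print("guesses with 7 digits known:", guesses_left(7))
```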
1 The reason the probabilities are "slightly above" the values that would be suggested by the number of digits is that certain SSNs are publicly known to be invalid.
Technorati tags: computer+security, social+security+number, website+design
Software freedom matters: The case of Skype
Recently, Intel and Skype have reached a deal where Skype's product, the popular Voice over Internet Protocol (VoIP) software, will be crippled on machines running older Intel processors and competing equipment made by rival AMD. Skype's new version will be (is?) capable of facilitating conference calls. They intend to limit its conference call capability to 5 callers, except on the newest Intel processors, where the limit will be 10. The newest Intel processors do not contain any instructions related to voice-over-Internet capabilities. From the reporting, it seems that the only processor-specific function being used here will be the return value of the CPUID instruction, a code that identifies the make, model and capabilities of the processor. The software would then be crippled based on the results. There is no evidence that the AMD processors (or even older Intel processors, for that matter) are incapable of performing the operations necessary for the software to function. One report even indicates that the AMD processors benchmark better than their Intel-made counterparts.
As of now, the only processor feature being used is the CPUID instruction, which has been around since the days of the 486. Having it in the toolkit is usually a good thing. If a programmer wants to use a feature only available on some processors, it provides a quick and easy way to determine an individual machine's capabilities. But one must ask where this is all going. Now, one may simply decide to use (or become) one of Skype's competitors' services if one does not want to be limited by this deal. With the coming era of "trusted computing", hardware makers (possibly in collusion with software makers) will be able to hardware-encode what software a machine can run. Collusion between sufficiently powerful companies could create artificial incompatibilities between systems in order to force consumers to buy both companies' products together. Imagine a world where you need an Intel-based machine to run office software, and an AMD-based machine to run your favorite game. Both machines could be technically capable, but the software and/or hardware prevent the program from running on competitors' machines. I would even venture to predict that most users will just blindly accept things as the way they are and pay even higher prices1 for the crippled products.
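To make concrete what CPUID actually hands a program, and the difference between gating on who made the chip and gating on what the chip can do, here is an added example that is not code from the original post, from Skype or from Intel. It decodes the leaf 0 vendor string (the 12 bytes of EBX, EDX, ECX, in that order) and the leaf 1 family/model/stepping and feature bits, following the field layout in Intel's and AMD's CPUID documentation, from register values; the register values are constructed, as are the two `conference_limit_*` policies, which stand in for the kind of limit the post describes.

```python
"""Decoding CPUID leaf 0 and leaf 1 register values (added example)."""
import struct


def vendor_string(ebx: int, edx: int, ecx: int) -> str:
    """Leaf 0: the vendor id is EBX, EDX, ECX as little-endian ASCII, in that order."""
    return struct.pack("<III", ebx, edx, ecx).decode("ascii")


def signature(eax: int) -> dict:
    """Leaf 1 EAX: stepping[3:0], model[7:4], family[11:8], ext model[19:16], ext family[27:20]."""
    stepping = eax & 0xF
    model = (eax >> 4) & 0xF
    family = (eax >> 8) & 0xF
    ext_model = (eax >> 16) & 0xF
    ext_family = (eax >> 20) & 0xFF
    # Extended fields only apply for family 0xF (and extended model also for family 6).
    disp_family = family + ext_family if family == 0xF else family
    disp_model = (ext_model << 4) | model if family in (0x6, 0xF) else model
    return {"family": disp_family, "model": disp_model, "stepping": stepping}


# Leaf 1 feature bits: (register, bit) as documented by Intel and AMD.
FEATURE_BITS = {
    "sse": ("edx", 25), "sse2": ("edx", 26),
    "sse3": ("ecx", 0), "ssse3": ("ecx", 9),
    "sse4.1": ("ecx", 19), "sse4.2": ("ecx", 20),
}


def features(ecx: int, edx: int) -> set:
    regs = {"ecx": ecx, "edx": edx}
    return {name for name, (reg, bit) in FEATURE_BITS.items() if (regs[reg] >> bit) & 1}


def conference_limit_by_vendor(vendor: str) -> int:
    """Identity-based gating of the kind the post describes (hypothetical policy)."""
    return 10 if vendor == "GenuineIntel" else 5


def conference_limit_by_capability(ecx: int, edx: int, required=("sse2", "sse3")) -> int:
    """Capability-based gating: any CPU with the needed instructions gets the same limit."""
    return 10 if set(required) <= features(ecx, edx) else 5


if __name__ == "__main__":
    # Constructed register values for an Intel and an AMD part with identical features.
    samples = {
        "intel": dict(ebx=0x756E6547, edx0=0x49656E69, ecx0=0x6C65746E, eax1=0x000006F6),
        "amd": dict(ebx=0x68747541, edx0=0x69746E65, ecx0=0x444D4163, eax1=0x00100F42),
    }
    ecx1, edx1 = 0x1, (1 << 25) | (1 << 26)   # SSE3; SSE, SSE2
    for name, s in samples.items():
        vendor = vendor_string(s["ebx"], s["edx0"], s["ecx0"])
        print(name, vendor, signature(s["eax1"]), sorted(features(ecx1, edx1)),
              "by vendor:", conference_limit_by_vendor(vendor),
              "by capability:", conference_limit_by_capability(ecx1, edx1))
```

With the same feature bits, the vendor-keyed policy gives the two chips different limits while the capability-keyed one gives them the same, which is the whole of the post's objection in two function calls.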
The alternative to this kind of proprietary world is the free software world. In the free software world, source code is always available, so any attempts by the original programmers to cripple the software's functionality could quickly be removed by someone else at the source code level. The free software community relies on the continued ability of all computers (of the same architecture) to run the same software. But now, what if the hardware itself were encoded to only allow certain signed ("blessed") software to run on the machine? The continued availability of free software is not guaranteed.
Technorati tags: free+software, Intel, Skype
1 Consider, for example, that the complexity of both Microsoft Office and microprocessors has increased. The prices of consumer editions of the Intel chips have gone down, but the prices of consumer editions of Office software have increased or stagnated; see this column for the detailed argument presented by another not-quite-unbiased source. :-)
Sunday, February 19, 2006
Technorati tags: computer+security, website+design
Sunday, February 12, 2006
A Massachusetts Marriage Penalty
In Massachusetts, half of the rent paid during the year is tax deductible up to $3000, as you can see if you look at Massachusetts Form 1 (the basic income tax form, the rough equivalent of a Federal 1040). If you are married, filing separately, each partner can only deduct $1500. If you are single, you can deduct the full $3000. Rent in the Boston area is well over $6000 per year, even for the smallest hole in the ground. The cheapest studios in the area go for ~$1000/month ($12000/yr). The least expensive roommate situations are usually around $500/person/month ($6000/yr).
Two single roommates can take the full rental deduction ($6000), but a married couple in a similarly sized apartment with similar rent can only take a $3000 deduction. Assuming no other complications, that's an additional $159.00 tax burden for being a married renter in the inflated Boston-area real-estate market.
Technorati tags: Massachusetts, taxes
Sunday, February 05, 2006
A Tale of Two Virus Warnings
Subject: Vulnerability notification
We're writing to let you know that there is an email worm that is spreading and is very dangerous. If your computer is infected with this worm, it will delete files like Word documents from your computer on the 3rd of every month, beginning this Friday, February 3rd.
Computers that are running up-to-date antivirus software should catch this worm and prevent it from installing on your computer. [Our] version of McAfee Antivirus (available from the Computer Services website) updates automatically every day. However, we strongly encourage all faculty and staff members to take time today to check their antivirus software, make sure it is updated, and run an antivirus scan of their computer.
For more information about this worm, see
[link to slightly more information]
For assistance with your antivirus software:
[Our] faculty and staff: please contact the [Our] Help Desk at [phone number] or by email at [email address].
Students and residential affiliates: please contact the Student Help Desk at [phone number] or by email at [email address].
The good: The email contained a link to a page that contained a link to enough information to figure out what this was all about.
The bad:
- The subject line. It looks too much like the kind of subject line that would be in a hoax virus email.
- No information about who is vulnerable. The warning says "your computer." Computers are not affected by viruses and worms. Computer software is. In this case, the target was Microsoft Windows. Users with Macs and Linux PCs were unaffected.
- The incredible damage claim. The more incredible the damage claim (deletes important files), the more likely I am to disbelieve a warning. It's a tactic used by hoaxsters all the time. So, in order to set aside my disbelief, I would want more information.
- No indication of how it was spread. The warning calls it an "email worm." It does not specify whether it was spread by a vulnerability in the operating system (in which case, everyone with the same OS is vulnerable), or a specific email program. In reality, it was a social engineering attack! I don't even know whether I would consider it a "worm," but that seemed to be the standard terminology the anti-virus people were using. This one only spread by highly insecure email clients that automatically run attachments and by stupid people who open and run all attachments they get.
And, here's the one from the department (Institution and department name both redacted):
Subject: Please read: Important Windows security information
Some of you may have seen the message from [Faculty] regarding a malicious Windows worm that is set to turn on tomorrow. ([Another faculty] may have sent something similar, as well) This infection is already present on thousands of un-protected Windows computers and is programmed to switch on tomorrow, Feb. 3rd. Once started, the worm will begin over-writing or erasing Word documents, PDF files, Excel files and several other file types on both the local drive _and any connected network share_.
There is some debate over how wide-spread this threat will actually turn out to be, but there is one inescapable agreement: If you have it on an unprotected machine, it will attempt to destroy data and spread itself. Please consider this ounce of prevention, as the pound of cure is much more expensive.
I urge faculty, undergrad and research users (as well as laptop users, home PC users) who are using Windows to make certain they are running anti-virus software on their machines and that it is set to update automatically. Current anti-virus definitions should stop and remove this worm when found.
[Faculty] provides McAfee VirusScan on its computing site:
[Download website] (Listed as 'VirusScan')
[Department] administrative staff computers as well as machines in the grad student commons (1st & 2nd year) are under strict control and users of those machines do not need to take any additional steps today. We will be surveying them behind the scenes and possibly by visiting your desk. You are, however, reminded that your personal laptop or home machine could be infected and you should take all necessary steps to ensure that your personal machine is protected, especially if you intend to interface with [Institution]'s network in any way (Dial-up, VPN, etc.).
* Machines found to be attempting to spread this (or any other) threat may be disconnected from the network by [Faculty] without warning.
* This virus has no bearing on MacOS/OSX and Linux users (except those rare users who use Windows emulation software such as VirtualPC or VMware - please ensure your virtual Windows machine, if you use one, is running anti-virus software).
* If your Windows workstation was provided by us and requires you to log onto the [Department] domain (you have a Z:\ drive) and you do not have administrative privileges, then [Department] Computer Services is responsible for this machine. All other machines are the responsibility of their owner.
* If you are interested in learning more about this worm (which goes by various names - KamaSutra, Blackworm, Nyxem-D and W32.blackmail.e) visit: http://www.lurhq.com/blackworm.html
* If you are concerned that you may have this worm or think you may have recently opened a suspicious attachment, I will be providing a CD containing F-Secure's F-Force utility (and latest updates file) which you can use to help clean the infection from your machine. I will leave several copies at the reception desk at [Building and Room number]. Please view the "readme" file on the CD for instructions on running it.
Systems Administrator - [Institution] [Department]
Notice how much more information was given. The email was written in a much calmer, less alarmist tone, which is uncommon for virus hoaxes, making it more believable. It also specifies all the information a user would need to know to determine whether his/her machine was vulnerable, and what to do to ensure it wasn't. This is a good example of how to write a real virus warning.
Technorati tags: computers, virus+warnings, worm
Thursday, February 02, 2006
This poll is particularly important, because Novell spokespeople have made statements like this:
The end result is that we will be contacting the vendors of these applications, asking them to partner with Novell to port their software to Linux.
This poll does not just represent a list of unattainable wishes.
The results have already shown some interesting trends. The current top requested applications are Photoshop and AutoCAD. There is currently an incomplete, free replacement for Photoshop (the GIMP), but it is not yet filling the proprietary application's role for many users. There is not yet any free replacement for 3D computer-aided design software. Multimedia development applications and financial applications are also at the top of the list. It is not surprising that applications for basic computer and Internet use (e.g., e-mail and web browsing) aren't there. There are already a number of free software applications that run on GNU/Linux [and Windows!] to fill those niches. Also not present in the top 10 requests are any of the Microsoft Office products, possibly indicating that the free office suites, such as OpenOffice.org, are capable of replacing them.
To participate in the survey, simply fill out the form here
Technorati tags: Linux