There were a couple of interesting e-voting-related items in the news this week.
The state of Massachusetts decided to purchase a large number of e-voting machines, and they solicited bids in order to select a vendor. They ended up choosing AutoMARK, a competitor of Diebold. Diebold, annoyed at losing a $9 million contract, is suing the state of Massachusetts. The term 'sore losers' comes to mind.
The state of California is looking at imposing a very strict set of requirements for e-voting machines. These requirements are in fact so strict that no e-voting vendor may be able to meet them in time for the presidential primary in February 2008 (which is about four months earlier than in previous elections), which might mean that the election will be conducted with paper ballots.
The articles state that both decisions (Massachusetts' AutoMARK selection and California's interest in tougher standards) were motivated at least in part by legislation requiring voting facilities for voters with certain types of disabilities.
In a somewhat related story, the New York Review of Books published an article which contains some interesting speculation about the outcome of the 2000 presidential election had Florida prisoners been allowed to vote. This is a fairly long article, but it's one of the most thought-provoking things I've read in a while.
31 March 2007
25 March 2007
Batman on Film
Last night I rented Batman Forever (1995, 'BF' hereafter, w/ Val Kilmer as Batman) and Batman & Robin (1997, 'BnR' hereafter, w/ George Clooney as Batman). I don't think I'd seen either (not in their entirety) since each came out. I vaguely remembered that neither was a particularly good film.
Turns out that my memory was quite accurate, if somewhat understated. Ewwww.
However, each had a couple of nice surprises that I didn't remember. BF has a pair of pretty good songs by U2 and Seal, although you have to slog through to the end credits to hear them. And Drew Barrymore and Debi Mazar make for pretty sexy window dressing as Sugar and Spice in BF. BnR has fun (albeit brief) performances by Vivica A. Fox and John Glover (he's Lionel Luthor in "Smallville"). And Uma Thurman is a very provocative Poison Ivy.
Otherwise, they're both pretty grim, and they don't hold a candle to Batman Begins (2006, w/ Christian Bale as Batman). I'm really looking forward to The Dark Knight (supposedly 2008, w/ Bale again).
Recent Reading
I've recently finished reading a couple of pretty good books. I just (a few minutes ago) finished The KILL BILL Diary: The Making of a Tarantino Classic as Seen Through the Eyes of a Screen Legend by David Carradine. Carradine turns out to be a pretty good writer. If you enjoyed the movies, you'll like this book. It has some interesting observations into the making of the films (which were evidently originally intended to be released as a single film).
And a few days ago I finished Weapons of Choice by John Birmingham. The premise is that a multinational naval armada from 2021 is zapped back in time to June 1942. This disrupts the battle of Midway, and the multinational fleet's presence begins to alter history. This is the first part of a trilogy. I liked it so much that I bought the other two books even before I finished reading the first (which ends with a pretty cool cliffhanger).
10 March 2007
More on passports and e-voting
A recent article from The Register describes some passport-cloning research (these are UK passports). These people were able to read and clone the RFID data while the passport was being mailed to the owner, before he/she even had the chance to take possession of it.
And it looks like Diebold is thinking of getting out of the e-voting business. I guess they think that all the bad press about security problems in their electronic voting machines has damaged their image. So rather than trying to improve the technology, they'd rather just dump the whole thing. So scads of expensive e-voting machines would remain in service (because municipalities blew their budgets buying them in the first place, and may not be able to replace them for a while), with a big question mark over the prospect of future support and updates. Classy.
25 February 2007
Tiny RFID tags
The BBC has an article about recent innovations in the miniaturization of RFID technology. The image at the top of the article is particularly astounding: these RFID chips are smaller than the width of a human hair. The very image suggests the possibility of putting RFID tags in someone's hair gel and using the tags to track that person. That statement no doubt sounds paranoid, and maybe it is. But the fact that these things are getting so small means that surreptitiously distributing these devices is getting easier.
better-than-wholesale e-voting machines
Wired has an article describing a method one computer science researcher is using to acquire e-voting machines for security analysis: he bought them cheap off eBay. No background check, no non-disclosure agreement, nothing. And by cheap I mean he paid $82 for $25,000 worth of Sequoia e-voting equipment (that's a 99.672% markdown).
Although the Wired article claims that the research finds these machines to be more secure than products from competing companies, the researcher's Web page about his evaluation paints a dimmer picture.
17 February 2007
Media collection software
linux.com has had articles about a couple of media collection programs called gcstar and data crow. They're similar in concept: both are databases for your CDs, DVDs, books and such. Each allows you to enter your collections with searches of amazon.com, imdb.com, etc. So if you have a copy of X2 on DVD, you can type 'X2' in the search field and it'll retrieve the cast list, cover art, plot summary, and other stuff.
gcstar is built on Perl and gtk2, and data crow is built on Java. So both are more-or-less cross-platform (they run on Linux, Windows, and probably OS X).
Both also allow the user to add loaning information to records. If you loan your copy of X2 to someone, you can make a notation of that as part of the X2 record. And both let you import and export your data (gcstar seems more flexible in this regard, in that it supports a fairly wide variety of formats).
I've tried both, and I'm finding gcstar to be more reliable. data crow is pretty crashy, and I gave up on it.
Some drawbacks to gcstar are that you can only select one item from the results of a search. If you have several Star Trek DVDs and you run a search for 'star trek', you can only select one of the search results to add it to your collection (you have to run a separate search for each Star Trek DVD you own). It would be nice if you could do Ctrl-click to pick Wrath of Khan and The Undiscovered Country if they both show up in the search results (data crow actually lets you do this).
And gcstar also has gtk tooltips which pop up when you mouse over the items in your search results. These tooltips sometimes make it hard to click on the search result that you want.
And it seems that the current version of gcstar (v1.1.1) is less than completely compatible with the version of the Gtk2 Perl module currently available in CPAN (v1.142, 21 January 2007). To make it work, you have to comment out the set_row_separator_func() and set_focus_on_click() calls in a couple of gcstar modules. Lame.
I actually prefer the data crow interface, but it kept hitting out-of-memory errors. I had to restart the application pretty frequently. That was beyond annoying. So for now I'm using gcstar.
14 February 2007
RFID passport
My new passport arrived in the mail today, and it's got an RFID tag in it.
Crap.
(Here's my previous whining about passports.)
13 February 2007
Huge hole in the water
This is one of the coolest things I've seen in a while. You know that hole near the top of your bathroom sink which keeps it from overflowing? They put those in some reservoirs. I would love to see one of these in person.
ssh security features
ssh offers ssh keys as a nice alternative to password authentication, and putty is a pretty cool ssh client for Windows. There's a good tutorial on howtoforge which discusses many of the features of the putty suite including key generation (puttygen) and putty's ssh-agent (Pageant).
And as the above article mentions, the PasswordAuthentication option in sshd_config can be cleared to force the use of ssh keys (password authentication will be disabled).
AllowUsers is another good sshd_config option. It can be used to provide a list of users who can connect via ssh. Any user not in this list can't connect by ssh. It's good for defeating ssh scans which try a few passwords against common account names (like root, guest, etc.). Another trick that might help dodge ssh scans is to run ssh on a port other than 22. The ListenAddress sshd_config option can be used to run ssh on some other (non-standard) port.
A nice trick for your ~/.ssh/authorized_keys file is to specify source hosts from which you can connect using certain keys. If you have the following in your authorized_keys file, then the key in question can only be used for connections from the hosts listed in the from list:

    from="this_host,that_host" ssh-dss ...key data... USER@HOST

(This is discussed in the 'AUTHORIZED_KEYS FILE FORMAT' section of the sshd man page.)
Finally, the denyhosts project claims to be able to dynamically edit the tcpwrappers files (/etc/hosts.deny) when dictionary attacks are detected. It would probably be really useful for a server with lots of ssh users that need to log in from anywhere/everywhere.
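Here is a small audit script for the settings discussed above. It is an added example, not code from the original post or from the OpenSSH project: it checks an sshd_config for PasswordAuthentication, AllowUsers and a non-default port, and lists the authorized_keys entries that carry no from= restriction (the keys that will be accepted from any source address). The port check reads the Port directive, which is the usual way to move sshd off port 22 (ListenAddress can also carry a host:port). The config files, host names and key blobs are constructed samples written to temp files, so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config and an
# authorized_keys file for the settings discussed above (PasswordAuthentication,
# AllowUsers, a non-default port, and from= restrictions on keys).
# All file contents, host names and key material below are constructed samples.

WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp); AUTH_KEYS=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG" "$AUTH_KEYS"' EXIT

# Constructed sshd_config with the stock defaults still commented out.
cat > "$WEAK_CFG" <<'EOF'
#Port 22
#PasswordAuthentication yes
EOF

# Constructed sshd_config with the hardening from the post applied.
cat > "$HARD_CFG" <<'EOF'
Port 2222
PasswordAuthentication no
AllowUsers alice bob
EOF

# Constructed authorized_keys: first key usable from anywhere, second key
# limited with from= to two source hosts (key blobs are placeholders).
cat > "$AUTH_KEYS" <<'EOF'
# keys for alice
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB...placeholder... alice@laptop
from="10.0.0.5,bastion.example.net" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB...placeholder... alice@desk
EOF

# effective_value FILE KEYWORD
# Print the value of the first active (uncommented) occurrence of KEYWORD,
# matched case-insensitively as sshd does, or "unset" if there is none.
effective_value() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# audit_sshd FILE
# Print one FINDING line per weak setting; return 0 only if all checks pass.
audit_sshd() {
    rc=0
    pa=$(effective_value "$1" PasswordAuthentication)
    if [ "$pa" != "no" ]; then
        echo "FINDING: PasswordAuthentication is '$pa' (want 'no')"; rc=1
    fi
    if [ "$(effective_value "$1" AllowUsers)" = "unset" ]; then
        echo "FINDING: AllowUsers not set (any account may attempt a login)"; rc=1
    fi
    port=$(effective_value "$1" Port)
    if [ "$port" = "unset" ] || [ "$port" = "22" ]; then
        echo "FINDING: sshd listens on the default port 22"; rc=1
    fi
    return $rc
}

# unrestricted_keys FILE
# Print the comment field of every key line that carries no from= option,
# i.e. the keys that are accepted from any source address.
unrestricted_keys() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" \
        | grep -v 'from="' | awk '{ print $NF }'
}

echo "== weak config =="; audit_sshd "$WEAK_CFG" || echo "(fails audit)"
echo "== hardened config =="; audit_sshd "$HARD_CFG" && echo "(passes audit)"
echo "== keys accepted from anywhere =="; unrestricted_keys "$AUTH_KEYS"
```

To run it against a real host, point the three functions at /etc/ssh/sshd_config and the user's ~/.ssh/authorized_keys instead of the temp files; note that a commented-out directive means sshd is using its compiled-in default, which is why the weak sample reports all three findings.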
10 February 2007
Checksum verification of large downloads
When you download software, the vendor often provides a checksum or a digital signature. If you download the software and then compute the checksum (or verify the signature), you're reading through the download twice. If the download is large (like a Linux kernel source archive or an ISO image), it can take a long time. Here's a way to do both at once.
If the vendor provides an MD5 checksum, try this:

    wget -O - http://www.example.com/large_file.tar.bz2 |\
    tee huge.tar.bz2 | md5sum

The -O - option tells wget to write the download to standard output, rather than to a file. Piping that to tee writes the download to a local file (huge.tar.bz2) and to standard output, and this is piped to md5sum: the checksum is printed to the screen.
You can do the same trick for a SHA-1 checksum (or any other digest supported by openssl):

    wget -O - http://www.example.com/large_file.tar.bz2 |\
    tee huge.tar.bz2 | openssl dgst -sha1

If the vendor provides a detached signature, you can do a similar trick. As an example, let's use the bzip'ed 2.6.0 patch file for the Linux kernel and the corresponding signature file. First grab the signature file, then the patch file:

    wget http://www.kernel.org/pub/linux/kernel/v2.6/patch-2.6.0.bz2.sign
    wget -O - http://www.kernel.org/pub/linux/kernel/v2.6/patch-2.6.0.bz2 |\
    tee patch-2.6.0.bz2 |\
    gpg --keyserver pgp.mit.edu \
        --keyserver-options auto-key-retrieve \
        --verify patch-2.6.0.bz2.sign -

In this case, you're piping the download into gpg, telling it to verify the data coming in on standard input (the '-' at the end) against the detached signature file. The --keyserver and --keyserver-options items tell gpg to fetch and import the key if necessary (this example uses pgp.mit.edu as the keyserver, but there are lots: type 'keyserver' into a search engine).
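The same single-pass trick, as an added example that is not part of the original post and can be run offline: a constructed local file read with cat stands in for the wget -O - download, tee writes the local copy, and the digest is computed from the same stream, then compared against a published checksum value. It also shows the failure case, a copy altered in transit, which is the whole point of checking. It uses SHA-256 rather than MD5, since MD5 is no longer collision resistant. One caveat on the gpg variant above: auto-key-retrieve imports whatever key the signature names, so a successful --verify only tells you the file matches that key; you still have to confirm the key's fingerprint against a source you trust.

```shell
#!/bin/sh
# Added example, not code from the original post: the tee-and-digest trick
# run offline. A constructed local file read with cat stands in for the
# network download (wget -O -); the rest of the pipeline is unchanged.
# SHA-256 is used instead of MD5, which is no longer collision resistant.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# digest: SHA-256 of stdin, using whichever tool the host provides.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi
}

# Constructed stand-in for the vendor's archive.
printf 'pretend this is a large tarball\n' > "$WORK/upstream.tar.bz2"
# Constructed stand-in for the hex digest the vendor publishes next to it.
EXPECTED=$(digest < "$WORK/upstream.tar.bz2" | awk '{ print $1 }')

# fetch_and_digest SRC DEST
# Save SRC to DEST and print its SHA-256, reading the data only once.
fetch_and_digest() {
    cat "$1" | tee "$2" | digest | awk '{ print $1 }'
}

# verify_download SRC DEST EXPECTED
# Save and hash in one pass, then compare with the published digest.
# Returns 0 on match, 1 on mismatch (DEST is kept either way for inspection).
verify_download() {
    got=$(fetch_and_digest "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "OK: $2 matches the published digest"; return 0
    fi
    echo "MISMATCH: $2 (got $got, expected $3)"; return 1
}

# A clean copy verifies ...
verify_download "$WORK/upstream.tar.bz2" "$WORK/huge.tar.bz2" "$EXPECTED"
# ... and a copy altered in transit (simulated by appending one byte) does not.
cp "$WORK/upstream.tar.bz2" "$WORK/tampered.tar.bz2"
printf 'x' >> "$WORK/tampered.tar.bz2"
verify_download "$WORK/tampered.tar.bz2" "$WORK/huge2.tar.bz2" "$EXPECTED" || true
```

For a real download, replace cat "$1" with wget -O - URL (or curl -s URL) and paste the vendor's published hex digest as EXPECTED; the exit status of verify_download is what a script should act on, not the printed line.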
09 February 2007
Norah Jones' new album
If you get a chance, go pick up a copy of Not Too Late by Norah Jones. As much as I like her first two studio albums, I think I like this one even more.
31 January 2007
destroying democracy the easy way
A recent slashdot post caught my eye. It involves two of my favorite topics: e-voting and lockpicking. According to the slashdot article, Diebold (a company which makes e-voting machines) recently posted, on their own freaking Web site, high-quality images of the key which can be used to unlock the access panels on their e-voting machines. The images were apparently good enough that it was possible for someone to make a quick trip to Home Depot, buy a metal file and a few blanks of the right kind of key, file the keys to the correct shape, and start unlocking Diebold machines.
Word to the wise: next time you feel like photographing your keys (and let's face it, who doesn't love photographing their keys?), put the pictures in a scrapbook on your bookshelf, not the Internet.
flickr: more 'screw the users!' from yahoo
Yesterday photo-sharing Web site Flickr (owned by yahoo) announced some changes which have angered lots of their users. Each flickr user will have to start signing in with his/her yahoo account username/password (lots of users currently log in with a flickr username/password, so they'll have to change), and there are some new limits being imposed on flickr data (there will soon be a limit of 3000 contacts and a limit of 75 tags per image).
I only recently started using flickr, and have used my yahoo account for all of that time. And the new limits don't affect me. So this isn't too big a deal for me personally. But it's another example of arbitrary changes imposed with little or no warning or user involvement, much like the recent utter ruination of yahoo TV. Not everything they do is horrible: I like the new yahoo mail (beta). But if they keep alienating their users, they may find that their shiny new upgrades aren't that good for business.
Image inputs in MSIE7 -- revisited
My previous post was a whinefest about image inputs in MSIE 7. This problem turns out to be worse than I thought. In that post, I said that the problem could be circumvented by taking either of two measures, one of which was changing to a submit-type input element. Today I found out that this solution is inadequate, because the name/value pair are still not sent in the POST data if you hit return rather than clicking the submit button.
    <input type="submit" name="ick" value="gakkk" />

If you actually click the submit button in a form (in MSIE 7) containing the above code, then the ick/gakkk pair will be included in the POST data. But if you just hit the return key in the form (which is how I typically submit forms), the ick/gakkk pair won't be sent.
So, I'll have to stick with the other corrective measure and put the ick/gakkk pair in a hidden input, replacing the above HTML with this:

    <input type="hidden" name="ick" value="gakkk" />
    <input type="submit" value="MSIE 7 blows" />

Crap.
09 January 2007
Image inputs in MSIE7
I saw a post in the last couple of days saying that <input type="image"> doesn't work in MSIE7. I've recently been working on a project which happens to have one of these elements. I tested it in MSIE7 today, and sure enough, it doesn't work. But it's broken in a very subtle way.
The element in my project looks like this...
    <input type="image" name="ick" value="gakkk" src="button.jpg" />

...and the interface to which this form POSTs looks for the ick field. Looks to me like MSIE7 just doesn't send any name/value data in one of these elements when the form is submitted. All the other form fields make it into the POST data, just not the ick/gakkk pair.
Either of the following seemed to make it work as expected:
- turning the input element into a normal type="submit"
- moving the ick/gakkk name/value pair into a hidden input element in the form
*sigh* Just one more stupid thing I have to remember when designing Web applications.
07 January 2007
Ice storm aftermath
Pictures taken after an ice storm in Versoix, Switzerland. The icicles on the trees are pretty amazing.
This was posted on digg.com, where several of the commenters said that since the ice blew in off Lake Geneva, it's not really an ice storm. Whatever. It's a lot of ice.
Brrrrr.
30 December 2006
superhero/supervillain quiz
There's a pretty cool quiz at http://www.thesuperheroquiz.com/ which tells you which superhero you most resemble. I turned out to be the Hulk (70% likeness). This puzzled me until I remembered answering "all the way YES" to "do you anger quickly/easily?".
After you take that quiz, there's a link to find out which supervillain you most resemble. Looks like I have an 86% correspondence to Dr. Doom: "Blessed with smarts and power but burdened by vanity." (That latter part might sting if it were less accurate.)
28 December 2006
gmail backup
Today there was a report of some data loss for 60 gmail users. They lost all their mail, their address books, etc. Lame.
This prompted me to look into methods of backing up my gmail account. Looks like it's as simple as changing a gmail setting (enabling POP3) and setting up a POP3 account in your favorite mailer (Thunderbird, Outlook, ...). It's a straightforward procedure. It takes a while to download all your mail the first time, and thereafter it just downloads new messages. It probably wouldn't allow a user to restore a mangled gmail account, but it would at least provide an external backup of all the messages. Unfortunately, it doesn't look like this process preserves message labels.
And it looks like you can export your address book, too: click 'contacts' (left-hand panel) and then click 'export' in the upper-right.
18 December 2006
vmmouse for Linux VMWare guest
I decided to give Ubuntu a try to see what all the fuss is about. But I wasn't ready to install it on my laptop (I'm in the middle of a project in which I rely quite a bit on the laptop), so I decided to try Ubuntu in VMWare server on my desktop. Ubuntu installed OK, but the mouse didn't work well: I had to click in the VMWare window to make the mouse work in Ubuntu, and then I had to press Ctrl-Alt for VMWare to release the mouse (to use it anywhere outside the VMWare window). It was doing this even after I installed VMWare-tools.
That's a real drag, all the more so since that doesn't happen when running Windows XP in VMWare (the mouse 'just works': you can just roll the cursor in and out of the VMWare window and it works as it should).
The trick is to install the 'vmmouse' driver (which comes with VMWare-tools) in X.org in the Linux guest. (This solution comes mostly from a post by 'zaroff' on the Ubuntu Forums.)
After installing Linux in VMWare server, click VM->Install VMWare Tools... on the VMWare menu. This makes Linux think you've just mounted a CD with a couple of files on it (the 'CD' will probably show up on the desktop). Unpack the .tar.gz file, cd into the vmware-tools-distrib directory, and run the vmware-install.pl installer.
When I did this, I found that when the installer re-wrote /etc/X11/xorg.conf, it didn't put in a DefaultDepth directive in the "Screen" section, and I had to add a DefaultDepth 24 line to that section.
Next you need to install the vmmouse driver. A good start is to run the following inside the vmware-tools-distrib directory:
    find . -type f -name 'vmmouse*'

You need to copy the correct vmmouse driver (depending on what version of X.org your Linux guest is running) into the X.org input modules directory. For an Ubuntu 6.10 Linux guest, I needed to copy the XOrg/7.0/vmmouse_drv.so to /usr/lib/xorg/modules/input. (A friend was having the same trouble running a CentOS 4.4 guest: he needed to copy XOrg/6.8.x/vmmouse_drv.o to /usr/X11R6/lib/modules/input/.)
Next you need to make 2 changes to /etc/X11/xorg.conf:
- add Load "vmmouse" to the "Module" section
- change Driver "mouse" to Driver "vmmouse" in the "InputDevice" section
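The xorg.conf edits from this post (the two changes above plus the missing DefaultDepth 24 line mentioned earlier) applied by script rather than by hand, as an added example that is not from the original post, the Ubuntu Forums thread or VMware's installer. It works on a constructed, trimmed xorg.conf in a temp file, not on the real /etc/X11/xorg.conf, and the edits are idempotent so running it twice does not duplicate lines. The check function counts the three lines that should be present afterwards.

```shell
#!/bin/sh
# Added example, not code from the original post: apply the xorg.conf edits
# described above to a constructed sample config, then verify them.
# The file below is a trimmed, constructed xorg.conf in a temp file, not the
# real /etc/X11/xorg.conf.

XORG=$(mktemp)
trap 'rm -f "$XORG" "$XORG.new"' EXIT
cat > "$XORG" <<'EOF'
# constructed sample xorg.conf (trimmed)
Section "Module"
    Load "glx"
EndSection

Section "InputDevice"
    Identifier "Configured Mouse"
    Driver "mouse"
    Option "Device" "/dev/input/mice"
EndSection

Section "Screen"
    Identifier "Default Screen"
    Device "VMware virtual video card"
EndSection
EOF

# patch_xorg_conf FILE
# 1. add Load "vmmouse" to the Module section (if not already there)
# 2. change Driver "mouse" to Driver "vmmouse" in the InputDevice section
# 3. add DefaultDepth 24 to the Screen section (if it has no DefaultDepth)
# The section being read is tracked in "sec"; each missing line is printed
# just before that section's EndSection.
patch_xorg_conf() {
    awk '
    /^Section "Module"/      { sec = "Module" }
    /^Section "InputDevice"/ { sec = "InputDevice" }
    /^Section "Screen"/      { sec = "Screen" }
    /^[ \t]*Load[ \t]+"vmmouse"/ { have_load = 1 }
    /^[ \t]*DefaultDepth[ \t]/   { if (sec == "Screen") have_depth = 1 }
    sec == "InputDevice" && /^[ \t]*Driver[ \t]+"mouse"/ { sub(/"mouse"/, "\"vmmouse\"") }
    /^EndSection/ {
        if (sec == "Module" && !have_load)  print "    Load \"vmmouse\""
        if (sec == "Screen" && !have_depth) print "    DefaultDepth 24"
        sec = ""
    }
    { print }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# check_xorg_conf FILE
# Print how many of the three expected lines are present (3 means done).
check_xorg_conf() {
    grep -c -E '^[[:space:]]*(Load "vmmouse"|Driver "vmmouse"|DefaultDepth 24)' "$1"
}

patch_xorg_conf "$XORG"
echo "expected lines present: $(check_xorg_conf "$XORG") of 3"
```

On a real guest you would back up /etc/X11/xorg.conf first, run patch_xorg_conf against it, and restart X; the script does not copy the driver module itself, which still has to be placed in the input modules directory for the version of X.org in use, as described above.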