Tuesday, May 29, 2007
Lots of companies have a root-and-branches approach to Internet connectivity, too, thinking that each site (or the whole corporate intranet) needs only one gateway to the outside. It leverages a small investment in Internet connectivity for an entire organization. Put all your eggs in one basket, and watch the basket. For the family baked bean recipe confidentiality that's good, but for availability that's bad.
It takes a lot of effort to protect a single address against a distributed Denial of Service attack, in which thousands of virus-infected machines send relatively small amounts of traffic against a target. When that target is a single gateway for an organization, the connection leverage is used in reverse, causing a lot of disruption for a little effort.
The "right" way to do it is to have multiple redundant shared trunks with neighbors. That word "shared" is scary to network administrators (or rather, to their pencil-pushing mentors). It means they'll have to carry outside traffic on their pipes (that's a metaphor, Senator), and that has risks: it costs money, and it has the potential to allow someone to see inside the network.
It takes a lot more effort on the part of the bad guys to attack multiple addresses, and with a multi-trunked network, keeping one or two gateways up can keep the whole network working.
The rewards for sharing bandwidth are enormous: multiple ISPs mean allowing TCP/IP to do its job, routing traffic to avoid disasters like DOS attacks, hurricanes, and nuclear bombs. The ISPs and other bandwidth partners know they have an interest in helping to protect your network. The technical risks can be mitigated simply by routing and tunneling.
Is the above realistic? Nope. Not in a corporate environment, anyway. I'd be really surprised if anyone outside academia or pure ISP does shared trunking anymore.
But it can also happen at the leaf nodes: you and your neighbors share cable broadband and DSL connections, routing through wifi. That violates most subscriber agreements, but it's the way the protocols were designed to work. Your network should never be down.
Saturday, May 19, 2007
I don't bother to block text-only or small, unobtrusive ads, just the annoying popup, flashy banner, or other annoying disruptions to my online experience.
Sometimes I'll be browsing along and an explicit adult ad will show up. Adblock to the rescue!
You can export and import your Adblock list to or from a text file, to keep your list synchronized from computer to computer, or to import the filters to several computers, such as for a client installation.
You can also add someone else's filters to your own. For example, below is my Adblock filter list, which you can either cut and paste to a text file of your choice, or right-click this link to download.
In Firefox, choose Tools ->Adblock ->[Preferences].
After you have downloaded or created the filter file, from the Adblock Preferences box, choose Adblock Options ->Import, which will bring up a standard File Open box for your system. Select the file, and the filters will be added to your own.
Thursday, May 17, 2007
I have several different cleaning solutions and tools, depending on the type of grime in question. Apply the cleaning solution to the cloth or swab, not on the keyboard. Usually it works best to apply the cleaning solution to a set of keys, then come back along to clean that set of keys thoroughly.
- For typical grimy college student keyboards (when the keyboards are grimy, not the college or student), I use a vacuum cleaner followed by Windex and a cotton or microfiber cloth.
- For tobacco stains and other unfettered nastiness, I use a solution of alcohol (70% isopropyl) and "Arm & Hammer Baking Soda Washing Powder" on cotton swabs. You can substitute a mixture of any laundry soap and either baking soda (sodium bicarbonate) or washing soda (sodium carbonate). Use about a teaspoon of the powder for a half liter of the alcohol. The washing powder dissolves in the water rather than the alcohol, so it may be necessary to dilute with more water. The soda also has a mechanical cleaning feature if it isn't fully dissolved, but the trade off is more residue. Be sure to wipe thoroughly to remove any residue.
- I've also used Scope (20% alcohol with menthol and eucalyptus, I think) or Listerine (27% alcohol) instead of rubbing alcohol. The washing powder dissolves better, but there's not as much alcohol in the mix when mouthwash is used. This method leaves a clean, fresh scent.
- For some other icky types of pernicious goo, the pumice + citrus hand cleaners work great (but tend to wear away at the paint on the keycaps). Follow this with Windex, alcohol, or water to remove any residue.
Another approach is to flood the bottom of a shallow baking pan with some mild cleaning solution (so that only the tops of the keys on the keyboard will get wet) and carefully put the keyboard face down into it. After a few minutes, while keeping the keyboard face down, raise it out of the pan, shake it lightly and let it drain until drops stop falling, and pat out any excess cleaning solution using something absorbent, such as a cloth or damp sponge. Proceed as above, though your work should be easier.
Tuesday, May 15, 2007
Why not just make products that work better?
Microsoft is a monster, the undrowned spawn of all that is wrong with Wall Street and all that is bad about commercial software development. Microsoft is forced by their ego-driven culture and the pressing expectations of unrealistic investors to deliver products that will sell for the highest profit rather than those which will operate the best.
I'm not against profit, even obscene profit. I think it's fine to develop software and sell it. But I don't like legal maneuvering to achieve the former because of a poor effort at the latter.
As fans of horror movies know, sooner or later, the monster always dies.
Monday, May 14, 2007
This is a fairly long treatment of the subject for a blog post, but is far from a complete one. First I will give some background on information systems and security, followed by some specific principles that affect electronic voting. I'll give what should be non-controversial, or at least apolitical, policy statements, and then combine all of that together to show what an acceptable voting system would look like.
To see why the things the bill addresses are important, we need to explore the basics of information security, as it applies to electronic voting. My goal is to introduce the topic to people who understand voting from a political or legal perspective, or that of a citizen, but who may have very little exposure to the technology at issue.
Electronic voting is an information system, a collection of processes arranged to transform, transmit, or store data. Information systems should be robust. A robust system is one which operates correctly and efficiently under a wide range of conditions, even under conditions for which it was not specifically designed. In particular, a robust system resists attempts to make it operate incorrectly.
In the subfield of information security, several principles are acknowledged by experts to help achieve robust and "secure" operation. "Secure" is in quotes there because it must be defined for each system. It has been noted that security is an emotion(†), which is an attribute of people, not of systems, but the feeling of security is engendered by some practices and endangered by others, and those practices can usually be analyzed without regard to why a certain result is desirable. A secure system is one about which the designers, implementers, and users feel confidence in its protection of their assets, within acceptable margins of risk. As in any risk analysis, the likelihood of a particular attack or failure must be balanced against the value of a given asset. It is meaningless to label a system secure without specifying the expected level and type of risk, and the assets to be protected against those risks.
While there is no perfect system, there are practices and principles which lead to secure operation. We try to anticipate problems and design to eliminate, or at least mitigate them. I'm going to get to the voting part soon, I promise.
The hallmarks of secure operation are generally recognizable by anyone familiar with the concepts:
- Economy of Mechanism - this means to keep things simple. Simpler processes are easier to understand and generally more robust.
- Fail Safe Design - Erroneous input should result in the least harmful action.
- Open Design - The reliability of the system should not depend on keeping its workings hidden.
- Complete Access Control (Mediation) - Access to assets should be allowed only to those authorized to access those assets.
- Least Privilege - Access to assets should be given only as required.
- Separation of Privilege - Access to assets should be based on multiple independent criteria.
- Least Common Mechanism - Shared means of operations should be minimized.
- Psychological Acceptability - If the perceived inconvenience associated with system safeguards is higher than the perceived value they allow, users will tend either to circumvent the safeguards or to bypass the system altogether, and use something less effective but more accessible.
- Input should be validated before it is used.
- Efficiency: when possible, the resources (typically time and space) used by a process should not grow faster than the size of the input.
- Special cases signal that a design can be improved.
- Hope is the enemy of "is".
There are two fundamental resources in voting, the physical ballot and the information contained on the ballot, the votes. The ballot is important as a physical record of the intention of the voter, but the information on the ballot is far more important to the process. A ballot may contain several votes, one per contest (except for multiple-choice board races, ballot initiatives, etc.).
Voting must be done in secret, or maintaining confidentiality.
Voting must be done with assured information integrity, so that no one can alter data or exert influence over the process itself in order to alter the outcome.
Voting must work, or be available. It is unacceptable for voters to be delayed longer by process failure as they are waiting to vote than it takes them to cast their ballots. Preliminary results must be known soon after the polls close in the last polling place (e.g., Hawaii).
Counting all votes should be a feature of any system, but there are several ways in which votes could fail to be counted properly:
- Individual ballots could be mangled, rejected, or lost by the voter or by the system
- Blocs of ballots could be mangled, rejected, or lost by the system
- Individual or blocs of votes could be unused or used multiple times by the system
- Fail Safe Design - All legal votes should be counted. It should be difficult to present erroneous input. It should be impossible to make one ballot choice that is counted for another ballot choice. Input on one ballot choice should not affect other choices.
- Complete Access Control - Only the voter should know what choices he made in the voting booth. The system should allow authorized voters to vote one time per election.
- Least Privilege - Individuals should be given only the access to ballots their role requires. For instance, those counting votes do not need to know which election they are counting.
- Separation of Privilege - Access to ballots, vote tallies, and control data should be based on multiple independent criteria.
- Least Common Mechanism - Votes and ballots should be separated as soon as possible. That is, the transmission of votes must not rely on shipping physical ballots.
- Economy of Mechanism - We should use the simplest system satisfying all of the requirements
- Open Design - A standard for voting machines should be produced, so that a machine from any manufacturer could be put through exact, reproducible tests. Security should not be used to justify hiding the operation of the system. The overall system must be documented clearly and simply enough for anyone to understand.
- Psychological Acceptability - The voting process should change as little as possible from the voter's perspective. The voting process should also be understandable to all voters, or at least should present no obstacle between the voter and voting. Safeguards should not appear to prospective legitimate voters to be more trouble than they are worth.
With policy statements in hand, we can now see what sort of system would meet the requirements of those policies.
If voting is seen to be difficult because of the security measures, the measures will be worked around, or people will simply not vote.
Only those authorized to access ballots that have been cast should be able to do so. There really should not be an argument against this, but some have demagogued this issue saying that identification is an attempt to exclude poor or minority voters, or that it is psychologically unacceptable as a security measure. As long as the difficulty of obtaining identification for purposes of voting is low, and the identification of who voted does not show how they voted, vote suppression is a red herring.
As quickly as possible, the information on the ballot should be copied from the physical ballot, or a physical ballot ("paper trail") created from an electronic ballot, and if possible the voter should verify a correct copy. Both the physical ballot and the electronic ballot should be transmitted to their secure destinations, by separate means. In no case should the public Internet be used as a means of transmitting official ballots, because this introduces too much shared mechanism: an Internet denial of service would jeopardize voting availability.
While some would step away from anonymous ballots or even away from the secret ballot altogether, the problem of voter intimidation is still a bigger enemy of democracy than voter anonymity. That is, balanced against the ability for others to punish or reward a particular vote, the secret ballot allows the potential of multiple votes per voter or ineligible people voting. Non-secret voting does not completely cure these problems, and introduces many others, besides. The secret ballot follows the principle of Least Privilege: no one but the voter knows how he voted.
The source code (what the programmers edit) for a voting machine really should be available for everyone to see. But companies are wedded to the idea that keeping their code hidden gives them a business advantage, and we must rely on businesses to produce the machines, or rely on the government to make them, a truly intolerable situation. H.R.811 addresses these concerns by mandating that source code be given to election officials, but it is not clear whether citizens "inspecting" the source code would be allowed to do anything useful with it, or merely inspect it visually on paper. Inspecting the code without being able to execute it in a debugging environment is an unacceptable half measure.
The principle of Open Design does not require that the source code be revealed, however. While hiding the source code makes the attacker's job more difficult, it also lowers overall confidence in the system. If the attacker cannot force the system to behave in an unauthorized way even with the source code, the system can be assumed to be more secure than an equivalent system with hidden code. Hiding the source therefore should not be relied upon as a security measure. Companies who hide their source code should assume that the attackers have somehow obtained it, and design their countermeasures accordingly.
An electronic voting system should validate entries before a physical ballot is created, to catch the error early and allow for a good ballot to be taken. Processing two votes should take only twice as long as one vote takes. There should be no special handling required for the elderly or those for whom typical voting procedures are physically difficult: it should be easy for everyone.
The above can be accomplished in two basic ways, each of which has advantages and disadvantages:
- Scanned Ballot: A voter fills out a human-readable form and drops it into a scanner. The scanning process can optionally allow the voter to confirm the ballot, or it can simply acknowledge that the ballot was read properly. The scanner tallies and transmits the votes.
- Printed Ballot: The voter interacts with a machine to make his ballot choices. The machine prints out the ballot for the voter's inspection. The voter confirms his choices for the machine, and then drops the ballot into the ballot box. The machine tallies and transmits the votes.
The Scanned Ballot method is simpler and more familiar to voters, and can be mimicked with a purely manual method and minimal communication infrastructure. The Printed Ballot method has better error detection and correction, and removes any doubt about what a ballot actually says, which is sometimes a problem in recounts.
In either case if there is a serious discrepancy between the official and unofficial results, an audit can be performed to uncover the problem, but the physical ballots should be considered authoritative unless there is sufficient evidence of tampering. By gathering and transmitting the unofficial and official results separately, errors (whether accidental or intentional) become very unlikely to affect the result of the election.
Thanks for reading. Those wanting to know more could do worse than to start with Bruce Schneier, who also blogs about squid on Fridays.
(†)I first heard that thought expressed at SANS'99 by a presenter from gnu.org, and I'm sorry I don't have a better cite than that.
Common tasks for Unix system administrators often require working with all of the files in a directory tree and selectively doing something with some of them: copying, deleting, renaming, or moving them, or simply getting a list of files matching certain characteristics.
Sometimes we want to do something from the Unix command line with files that have spaces in their names. Let's see what we can do with our friends find(1), sed(1), and xargs(1).
Find looks for entries in some directory matching its arguments, typically sending a list of them to the standard output. Sed is the Stream EDitor, and applies a series of commands to transform its input into its output. Xargs supplies its input to the command line of any program.
First, let's set up our little foobox:
$ cd /tmp
$ mkdir foo
$ touch 'foo/file with spaces'
$ touch 'foo/bar'
$ touch 'foo/another file with spaces'
$ ls -1 foo
another file with spaces
file with spaces
Now lets's do a simple find:
/tmp $ find foo -type f
foo/file with spaces
foo/another file with spaces
Now let's do something with those files. Let's just list them:
/tmp $ find foo -type f | xargs ls
foo/file: No such file or directory
spaces: No such file or directory
foo/another: No such file or directory
file: No such file or directory
with: No such file or directory
spaces: No such file or directory
What happened? Xargs delivered its input to the command line of ls(1), which interpreted the spaces in the filenames as new filenames. We need to escape the spaces inside the names for ls, but leave the spaces surrounding the filenames. That's just the sort of thing sed likes to do:
/tmp $ find foo -type f | sed 's, ,\\&,g'| xargs ls -ltr
-rw-r--r-- 1 user group 0 May 11 12:12 foo/file with spaces
-rw-r--r-- 1 user group 0 May 11 12:12 foo/bar
-rw-r--r-- 1 user group 0 May 11 12:12 foo/another file with spaces
In the dorky sed command between the single quotes, the "s" means to substitute for the text matched by the pattern between the first and second delimiter the text between the second and third delimiters. I like to use commas as delimiters instead of slashes, though any character will do. Slashes often appear in path names, and by habitually using commas I avoid errors when I fail to escape the slashes.
The pattern, called a regular expression, in this case says to look for a space, and replace it with a backslash followed by the text we just found. This is sed-ese for "prepend a backlash".
A slightly more general approach is to wrap each filename with single quotes. You still run into a problem with filenames which have single quotes in them, but you shouldn't put quotes in filenames:
$ find foo -type f | sed -e "s,[^.],\'&," -e "s,\$,\',"
'foo/file with spaces'
'foo/another file with spaces'
$ find foo -type f | \
sed -e "s,[^.],\'&," \
-e "s,\$,\'," | \
foo/another file with spaces
foo/file with spaces
Sharp reader Nic Ivy has noted a far simpler way to deal with spaces in filenames for find(1) and xargs(1), which also deals with other special characters like quotes and greater-than or less-than symbols:
$ find foo -type f -print0 | xargs -0 ls
foo/another file with spaces
foo/file with spaces
From the Unixhelp xargs(1) man page:
Input items are terminated by a null character instead of by
whitespace, and the quotes and backslash are not special (every
character is taken literally). Disables the end of file string,
which is treated like any other argument. Useful when input
items might contain white space, quote marks, or backslashes.
The GNU find -print0 option produces input suitable for this
Man pages courtesy UnixHelp.
Tuesday, May 08, 2007
Completeness is more than thoroughly doing a job, it's doing the job so well that you know, without looking, that every part of it is done. Completeness is examining and addressing the hidden and parts of a task and those which adjoin it in order to know that all visible and assigned parts of the task are completed.
US Marines learn "attention to detail" in boot camp, and then should practice it every moment of their lives thereafter. For the Marine, that means acquiring the habit of going beyond what is merely necessary, and covering the parts of the mission or duty that do not show, whether that means removing old residue before swabbing a deck or checking the closets and attic when clearing a building of hostile combatants.
Completeness is not just practicing a maneuver over and over again until everyone gets it right. That's proficiency. Completeness is knowing all of the roles that make up the mission, and being ready to take up the slack for a buddy who for whatever reason doesn't complete his part. To the Marine, completeness means looking for trouble before it finds him. That's why he joined in the first place.
For anyone who does household chores, completeness means moving all of the furniture to clean underneath it, so that there will be no surprises should a guest come calling, and no chance that pests or children will find dirt to put to the various uses they would put it.
For a graduate student, completeness means studying things that are tangential to his field, and becoming proficient or even expert at things in his field which have become commodity knowledge. For instance, a computer science doctoral conferee should:
- Have basic scientific literacy
- Understand basic electric wiring, and use it in his studies
- Have designed integrated circuits
- Have designed electronic circuits using commodity chips
- Assemble computers from commodity parts
- Install and secure a variety of operating systems
- Perform basic tasks using a variety of operating systems
- Program in a variety of languages, including machine code
Completeness for the blogger means approaching an argument with precision and depth, rather than simply to convince the convinced. The importance of sound logic cannot be overstressed. Citing sources for every fact and attributing every quote is not enough; that is mere proficiency. Completeness means fact-checking all statements, and verifying the authority and authenticity of every source, and taking on the burden of proof for every assertion and unstated premise. By going beyond the visible to the hidden and adjoining places, the work is made stronger and less likely to fall apart in an embarrassing mess.
I believe I have now identified my basic failing.
Monday, May 07, 2007
I bought a dog dish once that claimed to keep the ants out, but you had to place it just so, and it didn't keep the ants away.
But the principle on which it claimed to work is good: ants won't go very far in the wrong direction. We just have to make them think they're lost.
- Drill a hole about 1 inch deep into the center of one face of the block of wood just big enough to receive the dowel.
- Put some glue into the bottom of the hole in the wood. Insert the dowel into the hole. Turn it over and pound one nail into the dowel rod through the block of wood. Turn it back over, so that the dowel is pointing up. Apply glue, if needed, to make a watertight seal between the dowel and the block.
- Round in the rim of the can, leaving the open end of the can bigger than the diameter of your dowel by several times the length of your local ants.
- Cover the top of the dowel with glue. Put some glue in the can, in center of the bottom (use the dowel as an applicator). Put the can on top of the dowel (insert the dowel into the can).
- With the hammer and a nail, punch a hole in the center of the bottom of the can and into the center of the dowel. At this point, make sure the dowel is centered in the can, with an ant-proof air gap around the dowel.
- Pound the nail in the rest of the way. You now have an Ant-Free Dog Dish Stand.
- Place the dog dish upside down on the drying surface.
- Apply glue liberally to the top of the can and the center of the bottom of the dog dish.
- Invert the Ant-Free Dog Dish Stand on top of the upside down dish, and level the stand.
- Allow glue to dry and cure.
- To allow rainwater to drain out of the dog dish, drill one or more small holes into the bottom near the edge, where water tends to puddle
- Use a beer or soft drink can, (requires cutting the top off of the can)
- Use screws instead of nails
- Use a carriage bolt running from the center of the dish through the dowel to the bottom of the base, countersinking a nut into the base; in this case, you can use rubber gaskets instead of glue
- Paint the can and wooden parts
- Install feet on the wooden block, so ants don't make a colony under it
- Sprinkle borax on top of the base if you notice ants on it
- Coat the inside walls of the can with used motor oil and dust with borax, or stuff a dryer sheet inside
- Seek help -- you're starting to obsess