March 28, 2024

Woman Registers Dog to Vote, Demonstrates Ease of Fraud

A woman in Seattle registered her dog to vote, and submitted absentee ballots in three elections on the dog’s behalf, according to an AP story.

The woman, Jane Balogh, said she did this to demonstrate how easy it would be for a noncitizen to vote. She put her phone bill in her dog’s name (“Duncan M. MacDonald”) and then used the phone bill as evidence of residency. She submitted absentee ballots in Duncan’s name three times, each ballot “signed” with a paw print. She says the ballots did not designate any candidates and only had “void” written on them, so the elections were not affected.

Nevertheless, she broke the law and now faces charges.

This relates to an issue every applied security researcher has faced: how to demonstrate a security problem is real. People take a problem more seriously when they have seen a real, working demonstration of the problem – otherwise the problem will be dismissed as theoretical. Often there is a lawful way to demonstrate a problem, for example by “breaking in” to your own computer. But sometimes there is no way to demonstrate a problem without breaking the law. Careful researchers will stop and assess the legality of what they’re planning to do, and will hold back if the demo they’re considering breaks the law.

Ms. Balogh went ahead and broke the law. Beyond that (serious) misstep, she did everything right: admitting what she did, avoiding any side-effect on the elections by filing blank ballots, and leaving obvious clues like the paw prints.

Fortunately for her, the prosecutor decided not to charge her with a felony but instead offered to let her plead guilty to a misdemeanor, pay a $250 fine, and do ten hours of community service. She was lucky to get this and will apparently accept the deal.

Any readers considering such a stunt should think again. The next prosecutor may not be so forgiving.

You Can Own an Integer Too — Get Yours Here

Remember last week’s kerfuffle over whether the movie industry could own random 128-bit numbers? (If not, here’s some background: 1, 2, 3)

Now, thanks to our newly developed VirtualLandGrab technology, you can own a 128-bit integer of your very own.

Here’s how we do it. First, we generate a fresh pseudorandom integer, just for you. Then we use your integer to encrypt a copyrighted haiku, thereby transforming your integer into a circumvention device capable of decrypting the haiku without your permission. We then give you all of our rights to decrypt the haiku using your integer. The DMCA does the rest.

The haiku is copyright 2007 by Edward W. Felten:

We own integers,
Says AACS LA.
You can own one too.

Here is your very own 128-bit integer, which we hereby deed to you:

[can’t display integer]

If you’d like another integer, just hit Shift-Reload, and we’ll make a fresh one for you. Make as many as you want! Did we mention that a shiny new integer would make a perfect Mother’s Day gift?

If you like our service, you can upgrade for a low annual fee to VirtualLandGrab Gold – and claim thousands of integers with a single click!

Miracle Fruit: Tinkering with our Taste Buds

Miraculin, the extract of a West African fruit, is said to make sour foods taste sweet. It’s not sugary, but it’s said to trick your taste buds into misreporting the flavor of the food you’re eating. One of my students, Bill Zeller, bought some miraculin and a group of us tried it out. Here, in the interest of science, is my report.

Miraculin is a lumpy powder, dull red in color, that results from freeze-drying the flesh of the so-called miracle fruit. Here’s about twenty-five grams of miraculin, with a lime for size comparison.

Bill bought fifty grams of miraculin, which came by mail from Ghana. Both Ghana and the U.S. required customs paperwork before the fruit-based product could be shipped. Here’s the Republic of Ghana export permit.

I took a lump of miraculin, weighing a gram or two, and carefully ate it, pushing it around on my tongue as it dissolved.

It didn’t have much taste, and the texture was a bit gummy. Once it was all dissolved I waited a minute or so for the effect to kick in. The effect is said to wear off after about twenty minutes, so it was time for the taste test to begin.

As predicted, the miraculin made sour things taste sweet. Lemon wedges tasted like sweet lemonade. Lime wedges were sweet too. I could still sense the acidity of the fruit, and there was a detectable sour taste but it seemed to be covered over with a pleasant citrus sweetness. I could have eaten whole lemons or limes with no problem.

The grapefruit was stunning, perhaps the best-tasting fruit I have ever eaten. The ones we had were pretty sweet already as grapefruit go, but with miraculin they were distinctly but not overly sweet, and the underlying grapefruit flavor came through beautifully. I had to stop myself from wolfing down several grapefruit.

After the fruit I tried some other foods that were handy. Pizza tasted about the same as usual, though the tomato sauce had a slightly sweet tinge. Diet Dr. Pepper tasted normal. I tried some Indian food – samosas and curried chickpeas – and found the flavor unchanged except that the spiciness was intensified. The normally mild potato-based samosa filling had a spicy kick. Miraculin did nothing for a sweet dessert.

My verdict on miraculin? It’s pleasant and I’m glad I tried it, but it’s not a life-changing experience. I can imagine it becoming popular. It makes some healthy foods taste better, and it’s not too expensive. The amount I had would cost less than a dollar today if you bought in bulk, and there must be unexploited economies of scale.

Thanks to Bill Zeller for getting the miraculin,

to my co-investigators,

and Alex Halderman for taking the photos.

Is SafeMedia a Parody?

[UPDATE (Dec. 2011): I wrote the post below a few years ago. SafeMedia’s website and product offerings have changed since then. Please don’t interpret this post as a commentary on SafeMedia’s current products.]

Peter Eckersley at EFF wrote recently about a new network-filtering company called SafeMedia that claims it can block all copyrighted material in a network. We’ve seen companies like this before and they tend to have the warning signs of security snake oil.

But SafeMedia was new so I decided to look at their website. My reaction was: what a brilliant parody!

The biggest clue is that the company’s detection product is called Clouseau – named for a detective who is not only spectacularly incompetent but also fictional.

The next clue is the outlandish technical claims. Here’s an example:

Pirates are smart and innovative, and so is Clouseau. Our technology is dynamic, sees through all multi-layered encryptions, adaptively analyzes network patterns and constantly updates itself. Packet examinations are noninvasive and infallible. There are no false positives.

Sees through all encryption? Even our best intelligence agencies don’t make that claim. Perhaps that’s because the intelligence agencies know about provably unbreakable encryption.

Wait a minute, you may be saying. Perhaps SafeMedia was just making the usual exaggeration, implying that they can stop all bad traffic when what they really mean is that they can stop the most common, obvious kinds of bad traffic. Good guess – that’s the usual fallback position for companies like this – but SafeMedia doesn’t shrink from the most outlandish claims of infallibility:

What if illegal P2P no longer worked? What if, no matter how intelligent, devious, or well-funded an Internet pirate was, they absolutely could not transmit copyrighted material via P2P? SafeMedia’s goal was to create the technology that would achieve exactly this. And we succeeded.

Employing our new technology, Clouseau and Windows + Transport Control, makes illegal P2P transmission of copyrighted material impossible. IMPOSSIBLE. Not difficult and not improbable. IMPOSSIBLE!

The next clue that SafeMedia is a parody is the site’s blatant rent-seeking. There’s even a special page for lawmakers that starts with over-the-top rhetoric about P2P (“America is at war here at home within our own borders. And we are taking casualties. Women, men, and children.”) and ends by asking the U.S. government to act as SafeMedia’s marketing department:

We need the Congress to pass legislation appropriating funds for installing the technology on every Federally-supported computer network in the country, most importantly in educational institutions (schools, colleges, universities, libraries)…. We need the Department of Commerce to promote using the technology in all American businesses big and small, and to push for its international adoption. We need the Department of Education to insure that every educational institution in the USA, private and public, primary and secondary, college and university, is obeying the law.

You now have the right weapons. Let’s end the war!

Add up all this, plus the overdesigned home page that makes maddening fingers-on-a-blackboard noises when you mouse over its main menu area, and the verdict is clear: this is a parody.

Yet SafeMedia appears to be real. The CEO appears to be a real guy who has done a few e-commerce startups. The site has more detailed help-wanted ads than any parodist would bother with. According to the Internet Archive, the site has been around for a while. And most convincingly of all, an expensive DC law firm has registered as a lobbyist for SafeMedia.

So SafeMedia really exists and company management thought it a good idea to set up a parody-simulating website and name their product Clouseau. What an entertaining world we live in.

(Thanks to Peter Eckersley for sharing the results of his un-Clouseau-ish investigation of SafeMedia’s existence.)

Holiday Stories

It’s time for our holiday hiatus. See you back here in the new year.

As a small holiday gift, we’re pleased to offer updated versions of some classic Christmas stories.

How the Grinch Pwned Christmas: The Grinch, determined to stop Christmas, hacks into Amazon’s servers and cancels all deliveries to Who-ville. The Whos celebrate anyway, gathering in a virtual circle and exchanging user-generated content. When the Grinch sees this, his heart grows two sizes and he priority-ships replacement gifts to Who-ville.

Rudolph the Net-Nosed Reindeer: Rudolph is shunned by his reindeer peers for having a goofy WiFi-enabled nose. But he becomes a hero one foggy Christmas Eve by using the nose to access Google Maps, helping Santa navigate to the homes of good children.

Gift of the eMagi: Poor husband and wife find perfect gifts for each other and bid aggressively for them on eBay. Unbeknownst to them, they’re bidding against each other for the same gift. Determined to express their love by paying whatever it takes to get the gift, they bid themselves into bankruptcy.

NSA Claus is Coming to Town: He sees you when you’re sleeping. He knows when you’re awake. He knows if you’ve been bad or good, so be good or go to Gitmo.

The Little DRM-er Boy: A boy wants to share his recorded drum solo with Baby Jesus, but the file is tethered to a faraway computer. With the aid of three downloads from the East, he rips an MP3 and emails it the Mary and Joseph just in time for Christmas Night.

It’s a Wonderful Second Life: George Bailey believes that Second Life would have been better if he had never signed on at all. He jumps off a bridge … and floats slowly to the ground. Clarence Linden, George’s guardian avatar, restores the server backup from before George signed on, and watches with George while griefers run wild. George sees the error of his ways, and Clarence restores his account.

A Vista Carol: Ebenezer “Steve” Ballmer runs a coding shop in Merry Old Redmond. He forces programmer Bob Cratchit to work overtime on Christmas to meet the Vista ship date. At night, Ballmer is visited by three Ghost images: Windows Past, Windows Present, and Windows Future. [Fill in your own jokes here.] The next morning, Ballmer sends Bob home for Christmas, in exchange for a promise to keep his Blackberry on during dinner.

[Thanks to Alex Halderman and my family for help writing the stories.]