October 13, 2024

Photo censorship vs. digital photography

On the 20th anniversary of the Tiananmen Square events (protests? uprising? insurrection? massacre?), the New York Times’ Lens Blog put up a great piece about the four different photographers who photographed the iconic “Tank Man”. Inevitably, half of the story concerns the technical details of being in the right place and having the right equipment configuration to capture the image (no small thing in the middle of a civil insurrection). The other half of the story, though, is about how the film got out of the camera and out to us. The story of Tank Man (NYT article, PBS Frontline piece) is quite amazing, by itself, but I want to focus on the photographers.

Tank Man, photo by Jeff Widener / AP

The most widely seen photo, by Jeff Widener, and all the other good coverage of Tank Man were taken from one particular hotel, and the government security services were well aware of it. Our photographers had to get their images out. But how? Widener had a “long-haired college kid” assistant who smuggled several rolls of film in his underwear. Another photographer, Charlie Cole, wrote this:

After taking the picture of the showdown, I became concerned about the PSB’s surveillance of our activities on the balcony. I was down to three rolls of film, with two cameras. One roll held the tank encounter, while the other had other good pictures of crowd and PLA confrontations and of wounded civilians at a hospital.

I replaced the final unexposed roll into the one of the cameras, replacing the tank roll, and reluctantly left the other roll of the wounded in the other camera. I felt that if the PSB searched the room or caught me, they would look even harder if there was no film in the cameras.

I then placed the tank roll in a plastic film can and wrapped it in a plastic bag and attached it to the flush chain in the tank of the toilet. I hid my cameras as best I could in the room. Within an hour, the PSB forced their way in and started searching the room. After about five minutes, they discovered the cameras and ripped the film out of each, seemingly satisfied that they had neutralized the coverage. They then forced me to sign a confession that I had been photographing during martial law and confiscated my passport.

In both of these cases, the film was ultimately smuggled to the local bureau of the Associated Press who then processed, scanned, and transmitted the images. This leads me to wonder how this sort of thing would play out today, when photographers have digital cameras, where the bits are much easier to copy and transmit.

First, a few numbers. A “raw” image file from a modern Nikon D700 takes about 13MB and that already includes the (lossless) compression. Back in the film days, the biggest 35mm rolls could hold 36 images (maybe 38 if you were willing to push it on the edges), which tended to keep photographers’ desire to press the button in check. Today, when giant memory cards cost virtually nothing, it’s trivial for a photojournalist to generate tens of gigabytes of raw data in a day of work. So… how long does it take to transmit that much data? Let’s say a hotel’s Internet connection gives you a snappy 1.5 megabits of upstream bandwidth. That means it takes about 70 seconds to transmit one raw image.

If you fear the police will knock down your door at any moment, you don’t have time to send everything. That means that you, the photographer, have got to crunch your pictures through your laptop in a big hurry. If you’ve got the fastest cards and card reader, you’ll be able to copy the data to your hard drive at maybe three pictures per second. Got a thousand pictures on that memory card and you’re waiting a nerve-wracking six minutes to complete the copy.

At the point where you’re worried about somebody busting down the door, you’re not in the frame of mind to tweak your exposure, color balance, and so forth. Pretty much all you’re thinking is “which one is the winner”, so you’re blasting through, trying to select your favorites and then trying to upload them.

Meanwhile, we need to consider the capabilities of the adversary. The PRC could well have prevented us from seeing Widener and Cole’s photos, simply by locking down the AP’s offices. (Two other photographers smuggled their raw film out of the country for external processing.) In the modern era, in a country like the PRC, they could just as well cut off the Internet altogether. (We already know that the PRC is cranking up the filtering of the Great Firewall to block Flickr, Twitter, and other services around the anniversary of the Tiananmen Square events, so it’s easy to imagine far more draconian policies.) This places our hypothetical digital photographer in much the same problematic space as the film photographers of twenty years ago. Now we need to smuggle the bits out by hand.

Traveling with film is a huge pain. Higher-speed film, and particularly black & white film, is annoyingly sensitive to airport x-ray scanners. It’s similarly sensitive to humidity and temperature. And, most important, you can’t see it or copy it until you process it, which isn’t really an option in a war zone. Instead, you’ve got the one roll with the one photo that you really want to get out. Alfred Hitchcock would call the film a MacGuffin and would spin a glorious tale around it.

Digital changes all that. Now, even if the Internet is down, the ability to copy bits is incredibly helpful to our photographer. An iPod, iPhone, or other such device will commonly have gigabytes of solid state storage within. That’s not enough room for everything, but it’s certainly enough room for the photographer to make copies of all the good stuff. Similarly, with memory cards getting so remarkably small (e.g., a Micro-SD card is 15mm x 11mm x 1mm), it’s easy to imagine smuggling them in a variety of places. Advantage to the photographer? Certainly so, but also very dependent on how much time and preparation was available before the police busted down the door. The CompactFlash cards used by most D-SLRs (43mm x 36mm x 3.3mm) are much harder to hide (e.g., you can’t just shove one into a crack in the floor).

There probably isn’t much point in trying to encrypt or hide the data. If the police are busting down your door, they’ll just take everything they can find and wipe everything before they give it back to you.

iPhone Apps: Apple Picks a Little, Talks a Little

Last week Apple, in an incident destined for the textbooks, rejected an iPhone app called Eucalyptus, which lets you download and read classic public-domain books from Project Gutenberg. The rejection meant that nobody could download or use the app (without jailbreaking their phone). Apple’s rationale? Some of the books, in Apple’s view, were inappropriate.

Apple’s behavior put me in mind of the Pick-a-Little Ladies from the classic musical The Music Man. These women, named for their signature song “Pick a Little, Talk a Little,” condemn Marian the Librarian for having inappropriate books in her library:

Maud: Professor, her kind of woman doesn’t belong on any committee. Of course, I shouldn’t tell you this but she advocates dirty books.

Harold: Dirty books?!

Alma: Chaucer!

Ethel: Rabelais!

Eulalie: Balzac!

This is pretty much the scene we saw last week, with the Eucalyptus app in the role of Marian — providing works by Chaucer, Rabelais, and Balzac — and Apple in the role of the Pick-a-Little Ladies. Visualize Steve Jobs, in his black turtleneck and jeans, transported back to 1912 Iowa and singing along with these frumpy busybodies.

Later in The Music Man, the Pick-a-Little Ladies decide that Marian is all right after all, and they praise her for offering great literature. (“The Professor told us to read those books, and we simply adored them all!”) In the same way, Apple, after the outcry over its muzzling of Eucalyptus, reversed course and un-rejected Eucalyptus. Now we can all get Chaucer! Rabelais! Balzac! on our iPhones.

But there is one important difference between Apple and the Pick-a-Little Ladies. Apple had the power to veto Eucalyptus, but the Ladies couldn’t stop Marian from offering dirty books. The Ladies were powerless because Old Man Mason had cleverly bequeathed the library building to the town but the books to Marian. In today’s terms, Mason had jailbroken the library.

All of this highlights the downside of Apple’s controlling strategy. It’s one thing to block apps that are fraudulent or malicious, but Apple has gone beyond this to set itself up as the arbiter of good taste in iPhone apps. If you were Apple, would you rather be the Pick-a-Little Ladies, pretending to sit in judgement over the town, or Old Man Mason, letting people make their own choices?

NJ Voting-machine Trial: Defense Witnesses

I’ve previously summarized my own testimony and other plaintiffs’ witnesses’ testimony in the New Jersey voting machines trial, Gusciora v. Corzine.

The defendant is the State of New Jersey (Governor and Secretary of State). The defense case comprised the following witnesses:

Defense witness James Clayton, the Ocean County voting machine warehouse supervisor, is a well-intentioned official who tries to have good procedures to secure the Ocean County voting machines. Still, it became apparent in his testimony that there are security gaps regarding transport of the machines, keys to the machines, and security at polling places before and after election day.

Richard Woodbridge is a patent attorney who has chaired the NJ Voting Machine Examination Committee for more than 20 years. It’s not clear why the defendants called him as a witness, because they conducted only a 15-minute direct examination in which he didn’t say much. On cross-examination he confirmed that his committee does not conduct an independent analysis of software and does not consult with any computer security experts.

Robert Giles, Director of Elections of the State of New Jersey, testified about experimenting with different forms of seals and locks that New Jersey might apply to its AVC Advantage voting machines. On cross-examination, it became clear that there is no rhyme or reason in how the State is choosing seals and other security measures; that they’re not getting expert advice on these matters. Also he admitted that there is no statewide control or even supervision of the procedures that counties use to safeguard the voting machines, the results cartridges, keys, and so on. He confirmed that several counties use the cartridges as the official tally, in preference to paper printouts witnessed and signed (at the close of the polls) by election workers.

Edwin Smith testified as an expert witness for the State defendants. Mr. Smith is vice-president and part owner of Sequoia Voting Systems. He stands to gain financially depending on the verdict in this trial: NJ represents 20% of Sequoia’s market, and his bonuses depend on sales. Mr. Smith testified to rebut my testimony about fake Z80 processors. (Wayne Wolf, who testified for plaintiffs about fake Z80s, testified after Mr. Smith, as a rebuttal witness.) Even though Mr. Smith repeatedly referred to replacement of Z80s as “science fiction”, he then offered lengthy testimony about methods to try to detect fake Z80s. This gave credence to the fact that fraudulent CPUs are not only a possibility but a real threat.

Mr. Smith also confirmed that it is a security risk to connect WinEds computers (that prepare electronic ballot definitions and tabulate results) to the Internet, and that those counties in NJ that do so are making a mistake.

Paul Terwilliger testified as a witness for the defense. Mr. Terwilliger is a longtime employee and/or contractor for Sequoia, who has had primary responsibility over the development of the AVC Advantage for the last 15 years. Mr. Terwilliger admitted that in 2003 the WIPO found that he’d acted in bad faith by cybersquatting on the Diebold.com domain name at the request of Sequoia. Mr. Terwilliger testified that it is indeed possible to program an FPGA to make a “fake Z80” that cheats in elections. But, he said, there are some methods for detecting FPGAs installed on AVC Advantage voting machines instead of the legitimate (Some of these methods are impractical, others are ineffective, others are speculative; see Wayne Wolf’s report.) This testimony had the effect of underscoring the seriousness of the fake-Z80 threat.

Originally the defendants were going to rely on Professor Michael Shamos of Carnegie Mellon University as their only expert witness. But the Court never recognized him as an expert witness. The Court ruled that he could not testify about the security and accuracy of the AVC Advantage, because he had not offered an opinion about security and accuracy in his expert report or his deposition.

The Court did permit him to testify in general terms. He said that in real life, we have no proof that a “hacked election” has ever occurred; and that in real life, such a hack would somehow come to light. He offered no studies that support this claim.

Professor Shamos attempted to cast doubt in the Court’s mind about the need for software independence, and disparaged precinct-based optical scan voting (PCOS). But he offered no concrete examples and no studies regarding PCOS.

On many issues, Professor Shamos agreed with the plaintiffs’ expert: it’s straightforward to replace a ROM chip, plastic-strap seals provide only a veneer of protection, the transformed machine can cheat, and pre-election logic-and-accuracy testing would be ineffective in detecting the fraud. He does not dispute many of the bugs and user-interface design flaws that we found, and recommends that those should be fixed.

Professor Shamos admitted that he is alone among computer scientists in his support of paperless DREs. He tried to claim that other computer scientists such as Ted Selker, Douglas W. Jones, Joseph Lorenzo Hall also supported paperless DREs by saying they supported parallel testing–implying that those scientists would consider paperless DREs to be secure enough with parallel testing–but during cross-examination he backed off a bit from this claim. (In fact, as I testified in my rebuttal testimony, Drs. Jones and Hall both consider PCOS to have substantially stronger security, and to be substantially better overall, than DREs with parallel testing.)

Parallel testing is Professor Shamos’s proposed method to detect fraudulent software in electronic voting machines. In order to catch software that cheats only on election day, Professor Shamos proposes to cordon off a machine and cast a known list of test votes on it all day. He said that no state has ever implemented a satisfactory parallel testing protocol, however.

Summary of the defendant’s case

One of the plaintiffs’ most important claims–which they demonstrated on video to the Court–is that one can replace the firmware of the AVC Advantage voting machine with fraudulent firmware that changes votes before the polls close. No defense witness contradicted this. To the extent that the defense put up a case, it hinged on proposed methods for detecting such fraudulent firmware, or on proposed methods for slowing down the attack by putting tamper-evident seals in the way. On both of these issues, defense witnesses contradicted each other, and plaintiffs presented rebuttal witnesses.

NJ Voting-machine trial: Plaintiffs' witnesses

Both sides in the NJ voting-machines lawsuit, Gusciora v. Corzine, have finished presenting their witnesses. Briefs (in which each side presents proposed conclusions) are due June 15 (plaintiffs) and July 15 (defendants), then the Court will eventually issue a decision.

In summary, the plaintiffs argue that New Jersey’s voting machines (Sequoia AVC Advantage) can’t be trusted to count the votes, because they’re so easily hacked to make them cheat. Thus, using them is unconstitutional (under the NJ state constitution), and the machines must be abandoned in favor of a method that provides software independence, for example precinct-count optical-scan voting.

The plaintiffs’ first witness was Stephanie Harris, who testified for half an hour about her experience voting on an AVC Advantage where the pollworker asked her to go back and recast her ballot for a total of three or four times, because the pollworker wasn’t sure that it registered. Ms. Harris testified that to this day she’s not sure whether her vote registered 0 times, or 1, or 2, or 3, or 4.

I testified second, as I’ve described. I testified about many things, but the most important is that you can easily replace the firmware of an AVC Advantage voting machine to make it cheat in elections (but not cheat when it’s being tested outside of elections).

The third witness was Ed Felten, who testified for about an hour that on several different occasions he found unattended voting machines in Princeton, on weekends before elections, and he took pictures. (Of course, as the Court was well aware by this time in the trial, a hacker could take advantage of an unattended voting machine to install vote-stealing firmware.) Ed wrote about this on Freedom-to-Tinker here, here, and here; he brought all those pictures with him to show the Court.

Next were Elisa Gentile, Hudson County voting machine warehouse supervisor, and Daryl Mahoney, Bergen County voting machine warehouse supervisor. Mr. Mahoney also serves on the NJ Voting Machine Examination committee (which recommends certification of voting machines for use in NJ). These witnesses were originally proposed by the defense, but in their depositions before trial, they said things so helpful to the plaintiffs that the plaintiffs called them instead! They testified about lax security with regard to transport and storage of voting machines, lax handling of keys to the voting machines, and no security at polling places where the machines are delivered several days before the election. They didn’t seem to have a clue about information security and how it affects the integrity of elections conducted using computers.

Next the plaintiffs called County Clerk of Union County, Joanne Rajoppi, who had the sophistication to notice a discrepancy in the results reported by AVC Advantage voting machines, the integrity to alert the newspapers and the public, and the courage to testify about all the things that have been going wrong with AVC Advantage voting machines in her county. Ms. Rajoppi testified about (among other things):

  • Soon after the February 5, 2008 Super Tuesday presidential primary, she noticed inconsistencies in AVC Advantage results-reports printouts (and cartridge data): the number of votes in some primaries was higher than the number of voters. (See Section 56 of my report, or Ed Felten’s analysis on Freedom-to-Tinker)
  • She brought this to the attention of State election officials, but the State officials made no move at all to investigate the problem. She arranged for Professor Felten of Princeton University to examine the Union County voting machines, but she stopped when she was threatened with a lawsuit by Edwin Smith, vice president of Sequoia Voting Systems.
  • In a different election, the Sequoia AVC voting system refused to accept a candidate’s name with a tilde over the ñ. Sequoia technicians produced a hand-edited ballot definition file; she was uneasy about turning control of the ballot definition file over to Sequoia.
  • Results Cartridges get locked in the machines sometimes (when pollworkers forget to bring them back from the polling places for tabulation). (During this time they are vulnerable to vote-changing manipulation; see Section 40 of my report.)
  • Union County considers the vote data in the cartridges to be the official election results, not the vote data printed out at the close of the polls (and then signed by witnesses). (This is unwise for several reasons; see Sections 40 and 57 of my report.)

The defendant (the State of New Jersey) presented several witnesses. I’ll summarize them in my next post. After the defense witnesses, the plaintiffs called rebuttal witnesses.

Plaintiffs’ rebuttal witness Roger Johnston is an expert on physical security at the U.S. government’s Argonne National Laboratory (testifying as a pro bono expert on his own behalf, not representing the views of the U.S. government). Dr. Johnston testified that supposedly tamper-evident seals and tape can be defeated; that it does no good to have seals without a rigorous protocol for inspecting them (which NJ does not have); that such a protocol (and the training it requires) would be very expensive to implement and execute; that AVC Advantage’s design makes it impractical to really secure using seals; and that in general New Jersey’s “security culture” and its proposed methods for securing these voting machines are incoherent and dysfunctional. He demonstrated for the Court one defeat of each seal, and testified about other defeats of these kinds of seals.

The last plaintiffs’ witness was Wayne Wolf, professor of Electrical Engineering at Georgia Tech. Professor Wolf testified (and wrote in his expert report) that it’s straightforward to build a fake computer processor chip and install it to replace the Z80 computer chip in the AVC Advantage voting machine. (See also Section 12 of my report.) This fake chip could (from time to time) ignore the instructions in the AVC Advantage ROM memory about how to add up votes, and instead transfer votes from one candidate to another. It can cheat just like the ROM-replacement hack that I testified about, but it can’t be detected by examining the ROM chips. Professor Wolf also testified about the difficulty (or impossibility) of detecting fake Z80 chips by some of the methods proposed by defense witnesses.

European Antitrust Fines Against Intel: Possibly Justified

Last week the European Commission competition authorities charged Intel with anticompetitive behavior in the market for microprocessor chips, and levied a €1.06 billion ($1.45 billion) fine on the company. Some commentators attacked the ruling as ridiculous on its face. I disagree. Let me explain why the European action, though not conclusively justified at this point, is at least plausible.

The starting point of any competition analysis is to recall the purpose of competition law: not to protect rival firms (such as AMD in this case), but to protect competition for the benefit of consumers. The key is to understand what is fair competition and what is not. If a firm dominates a market, and even drives other firms out, but does so by producing better products at better prices, they deserve applause. If a dominant firm takes steps that are aimed more at undermining competition than at serving customers, then they may be crossing the line into anticompetitive behavior.

To do even a superficial analysis in a single blog post, we’re going to have to make some assumptions. First, for the sake of this post let’s accept as true the EC’s claims about Intel’s specific actions. Second, let’s set aside the details of European law and instead ask whether Intel’s actions were fair and justified. Third, let’s assume that there is a single market for processor chips, in the sense that any processor chip can be used in any system. A serious analysis would have to consider carefully all of these factors, but these assumptions will help us get started.

With all that in mind, does the EC have a plausible case against Intel?

First we have to ask whether Intel has monopoly power. Economists define monopoly power as the ability to raise prices above the competitive level without losing money as a result. We know that Intel has high market share, but that by itself does not imply monopoly power. Presumably the EC will argue that there is a significant barrier to entry which keeps new firms out of the microprocessor market, and that this barrier to entry plus Intel’s high market share adds up to monopoly power. This is at least plausible, and there isn’t space here to dissect that argument in detail, so let’s accept it for the sake of our analysis.

Now: having monopoly power, did Intel abuse that power by acting anticompetitively?

The EC accused Intel of two anticompetitive strategies. First, the EC says that Intel gave PC makers discounts if they agreed to ship Intel chips in 100% of their systems, or 80% of their systems. Is this anticompetitive? It’s hard to say. Volume discounts are common in many industries, but this is not a typical volume discount. The price goes down when the customer buys more Intel chips — that’s a typical volume discount — but the price of Intel chips also goes up when the customer buys more competing chips — which is unusual and might have anticompetitive effects. Whether Intel has a competitive justification for this remains to be seen.

Second, and more troubling, the EC says that “Intel awarded computer manufacturers payments – unrelated to any particular purchases from Intel – on condition that these computer manufacturers postponed or cancelled the launch of specific AMD-based products and/or put restrictions on the distribution of specific AMD-based products.” This one seems hard for Intel to justify. A firm with monopoly power, spending money to block competitors’ distribution channels, is a classic anticompetitive strategy.

None of this establishes conclusively that Intel broke the law, or that the EC’s fine is justified. We made a lot of assumptions along the way, and we would have to reconsider each of them carefully, before we could conclude that the EC’s argument is correct. We would also need to give Intel a chance to offer pro-competitive justifications for their behavior. But despite all of these caveats, I think we can conclude that although it is far from proven at this point, the EC’s case should be taken seriously.