02 October 2003 Blog Home : October 2003 : Permalink
When one looks at the web browsers in use today the overwhelming majority are capable of performing significant local processing, however the majority of web sites make little if any use of this capability. This is something that irritates me intensely. One of the biggest uses of the web is to serve up families of static pages; that is to say pages where some of the content is different but much od the page is shared - headers, sidebars etc. The classic example of this is a weblog or message board where each article has different content but the links along the side are the same. At present most weblog software creates static pages on the server based on a template or, in the case of message board software, each message is stored in a database and the message content is dynamically added to the template when the page is requested by a viewer using something like SSI or PHP.
Moreover it is wasteful of resources, since the viewer's browser and computer can almost certainly handle the construction of the page given the parts as well. Not to mention the fact that modern browsers use CSS and Javascript in a consistent, standards based way and have done so for some years now. In the late 1990s we saw much innovation in HTML and the like, but the pace of innovation, as far as standard browser technology is concerned, has practically ground to a halt in the last few years. While there are undoubtedly bugs and quirks in various browser's capability ot handle the more esoteric sorts of Javascript or CSS, the core is common to all.
While CSS, which separates display and layout information from content is deployed to some extent, very few sites make constructive use of Javascript, which has found itself in a niche used mainly by advertisers and those of malicious intent.
This weblog uses the user's browser to dynamically generate the required page from a simple HTML template page and a number of Javascript files that contain the content. The files used are as follows:
As well as reducing the load on the server and probably the load on the network between viewer and server, this approach makes the publishing process comparitively simple, since adding an entry merely means that a new value must be placed at the top of the entries array in mane.js and the entry itself uploaded. Both these actions are trivially easy to perform in perl and both can performed simultaneously in the same script. By uploading the content file first and only uploading the new mane.js once this file has been verified to have been uploaded. As and when comments are permitted the same applies, each comment is simply appended to the comment array within the relevant entry .js file.
Share and Enjoy
Permalink03 October 2003 Blog Home : October 2003 : Permalink
How many times have you hear the expression - "he can't even boil an egg"? Has it applied to you? Would you like to prove your critics wrong?
I for one have most certainly been accused of this level of culinary aptitude and, being a stubborn engineering kind of person I determined to rectify the lack and prove my critics wrong. Over the last decade and a half I have been conducting experiments to determine the optimum method for boiling an egg and I am pleased to share the results of my endeavours with my readers. Follow these instructions and your fame will spread far and wide as the breakfast chef sans pareil
The key to boiling an egg is the time you cook it and the temperature you cook it at.
It is critical to ensure that the water is boiling for the entire time the eggs are immersed and it is equally critical to remove the eggs from the heat promptly to stop cooking once the critical time has been reached.
The most common errors are not noticing the time or attmepting to save time by adding the eggs before the water has come to the boil. In either case the usual result is that you are unable to correctly identify the moment when the eggs are properly cooked. Although the time required does vary slightly for different eggs, between 5 and 6 minutes seems to be the sweet-spot for all eggs.
Share and Enjoy
*Cracking: sometimes eggs already have cracks in them - when you add them to the water this becomes noticeable. There is nothing you can do about this except examine your eggs, however by adding the eggs to the boiling water gently you reduce the likelihood of producing new cracks
Permalink24 October 2003 Blog Home : October 2003 : Permalink
This doesn't affect me since I can't vote in the US but if I could it would concern me a lot.
Diebold, the maker of new voting machines that are supposed to replace the chad ones such as in Florida, seems to have a major problem with them. But rather than come clean and fix the problem it seems it would prefer to spin and try to get its critics silenced.
From this Salon article (http://www.salon.com/tech/feature/2003/09/23/bev_harris/index_np.html )
But according to Bev Harris, a writer who has spent more than a year investigating the shadowy world of the elections equipment industry, the replacement technologies the court cited may be worse -- much worse -- than the zany punch-card systems it finds so abhorrent. Specifically, Harris' research into Diebold, one of the largest providers of the new touch-screen systems, ought to give elections officials pause about mandating an all-electronic vote.
Harris has found critical flaws in Diebold's voting software, and she's uncovered internal Diebold memos in which employees seem to suggest that the vulnerabilities are no big deal. The memos appear to be authentic -- Diebold even sent Harris a notice warning her that by posting the documents on the Web, she was infringing upon the company's intellectual property. Diebold did not return several calls for comment.
...
Tell me about the flaw you uncovered in the Diebold system.
Well, we uncovered a few problems in the memos, but the first one that we published specifically supported the flaw that I wrote about in July of 2003. And to my surprise these memos admitted they were aware of the flaw, and it was actually brought to their attention by Ciber labs � which is a certifier � in October 2001, and they made a decision not to fix it.
So it was brought to their attention two years ago?
Right.
So what was the flaw?
Specifically the flaw was that you can get at the central vote-counting database through Microsoft Access. They have the security disabled. And when you get in that way, you are able to overwrite the audit log, which is supposed to log the transactions, and this [audit log] is one of the key things they cite as a security measure when they sell the system.
So you can break in and then hide your tracks.
You don't even need to break in. It will open right up and in you go. You can change the votes and you can overwrite the audit trail. It doesn't keep any record of anything in the audit trail when you're in this back door, but let's say you went in the front door and you didn't want to have anything you did there appear anywhere � you can then go in the backdoor and erase what you did.
Who would have access to this? Are we talking about elections officials?
A couple situations. Obviously anybody who has access to the computer, whether that's the election supervisor, their assistants, the IT people, the janitor � anybody who has access to the computer can get into it.
Where is this computer � is there one per county?
Yes, there's one per county.
The other situation would be supposing someone gets in by either hacking the telephone system or by going backwards in through the Internet, because the Internet does connect to these GEMS computers, even though they deny it. A lot of the press watches election results come in on the Web and what they're watching is actually being uploaded directly off the GEMS computer.
These computers in the counties are connected to the Internet, and someone can go through the Internet �
� and just go into it, correct. It would be as the results are uploading. You see, they make a big point of the fact that there's no Internet connection to the voting machine, but that's sort of parsing the issue. That's true, in the polling places there's no Internet connection, but the voting machines connect into the GEMS machine through modem. And the GEMS machine then connects to the Internet, and that's what the press watches.
A gentleman in California - Jim Marsh - has a site whence it is possible to download the GEMS software in a format such that it can be installed in on computers running a wide variety of Microsoft Windows OSes.
In fact the more I read about this the more I wonder just "what were they thinking?". Essentially they seem to be relying on misdirection and security through obscurity as a way to evade what would probably be a large and expensive recall of the machines. In my opinion trust in the democratic process is more important that the financial costs of a bungling corporation. More critically I believe this demonstrates potentially criminal negligence
Using Microsoft Access was inappropriate for security reasons. Using multiple sets of books, and/or altering vote totals to include new data, is improper for accounting reasons. And, as a member of slashdot.org commented, "This is not a bug, it's a feature."
From http://www.scoop.co.nz/mason/stories/HL0307/S00065.htm
I am not in anyway endorsing the various "Electronic Civil Disobedience" steps being taken by some of the "anti-Dieblod" lobby (see http://www.kuro5hin.org/story/2003/10/21/2367/2543 and various other places) but it does seem to me that Diebold is going about this the wrong way.
More links:
http://www.jerrypournelle.com/mail/mail266.html#vote
http://www.theinquirer.net/?article=12180
http://www.theinquirer.net/?article=12243
http://www.theinquirer.net/?article=12261
http://www.wired.com/news/print/0,1294,60927,00.html
http://why-war.com/features/2003/10/diebold.html
(extracts from the latter below)
�I have become increasingly concerned about the apparent lack of concern over the practice of writing contracts to provide products and services which do not exist and then attempting to build these items on an unreasonable timetable with no written plan, little to no time for testing, and minimal resources. It also seems to be an accepted practice to exaggerate our progress and functionality to our customers and ourselves then make excuses at delivery time when these products and services do not meet expectations.� [source]
�I feel that over the next year, if the current management team stays in place, the Global [Election Management System] working environment will continue to be a chaotic mess. Global management has and will be doing the best to keep their jobs at the expense of employees. Unrealistic goals will be placed on current employees, they will fail to achieve them. If Diebold wants to keep things the same for the time being, this will only compound an already dysfunctional company. Due to the lack of leadership, vision, and self-preserving nature of the current management, the future growth of this company will continue to stagnate until change comes.� [source]
�I need some answers! Our department is being audited by the County. I have been waiting for someone to give me an explanation as to why Precinct 216 gave Al Gore a minus 16022 when it was uploaded. Will someone please explain this so that I have the information to give the auditor instead of standing here "looking dumb".�
The article from the UK newspaper "The Independant" reproduced here at this page below has some hints at a republican conspiracy theory that I do not think are accurate, however the description of the faults in the Diebold voting systems seem consistent with what is available elsewhere
In case someone feels like doing their own verification the source documentation is in this Gzipped TAR
What concerns me most is that voting software would seem to be a case where public oversight and validation is of primary importance and yet the entire process is being hidden behind claims of commercial confidentiality. Even with about 5 minutes study I can even suggest some fixes. They all boil down to
"What part of MD5 checksum do you not understand?"
If you don't want to write your own system go borrow someone else's. This is not rocket science, its basic security/authentication 101 and there are endless systems such as PGP that allow people to cryptographically sign emails to remove the chance of tampering. I know bugger all about how to make voting machines work but I grok checksums and I also grok the one-wayness of MD5 and the fact that with 128 bits its next to impossble to get doubles by mistake.