EKR: April 2010 Archives


April 30, 2010

India, as is often noted, is the world's largest democracy. However, in that democracy, people vote on relatively primitive "electronic voting machines": electronic DREs mated to nonprogrammable control devices. Yesterday, Prasad et al. (together with electronic voting machine scourge Alex Halderman) reported that the electronic machines (EVMs) used in India are no more secure than American DREs. They describe two attacks:
  • They show how to replace the 7-segment LED display on the control device with their own display. The replacement can be remotely controlled to show any result they choose.
  • They show how to rewrite the memory of any voting device to store a result of their choice.

My initial reaction is that these results aren't really that surprising. The machines are computers, after all, and so if you replace components you can get them to do more or less whatever you want. The attacks require a fair amount of physical access, either to replace components which are at least in theory inspectable or to rewrite memory in a substantial fraction of the million-plus deployed machines with every election. Nevertheless, just because the attacks are unsurprising doesn't mean they're not bad.

The demonstration video the authors produced also features one of the Indian government's experts arguing that the fact that the voting machine binaries are stored in unreadable ROM is a feature, since nobody can modify it. Of course, as the authors observe, this also precludes any real examination of the software on the chips, which means that an attacker who has physical access could at least in theory replace them. [Note that there are "trusted computing" mechanisms for building systems without this property, but the Indian devices don't employ them.] Even more interesting is the authors' report that offers to cheat the machines, if not actual fraud, happen somewhat regularly:

These reports are extensively surveyed by Rao [49]. For instance, in the 2009 parliamentary election, he relates that there were reported EVM malfunctions in more than 15 parliamentary constituencies across the country. Especially troubling are reports that when the voter pressed a button for one candidate, a light would flash for another, which could be explained by a simple attack on the EVM cable [49, p.45]. Rao also relates reports from prominent politicians that engineers approached them in 2009 offering to fix elections through this method [49, pp.60-61].


We have had direct experience with attempted fraud. Hari Prasad, a coauthor of this report, was approached in October 2009 by representatives of a prominent regional party who offered to pay for his technical assistance fixing elections. They were promptly and sternly refused.

The technical paper is here.


April 18, 2010

I eventually did buy a new motorcycle (background here), which means a trip to AAA to do the title transfer (sane people avoided the CA DMV, even before the furloughs made them grumpy and short staffed). Two trips, actually, because the seller had lost the title and apparently in its absence you need not only form REG-227 (Application for Duplicate Title), but also REG-262 (the odometer mileage statement). I only had REG-227 so I got to pay for the transfer but had to go back to the seller for REG-262. I finally got it from them and went back last week to finish the transaction.

Anyway, I get there and the AAA clerk types for a while, looks baffled, and then types some more and finally tells me that I have a $153 overpayment. We still don't know what this was for, but she doesn't look happy when she says this, which is my first clue something is wrong. She then proceeded to explain that AAA can only arrange for a refund of up to $99 and if I want all of it I have to go to the DMV. I could immediately see where this was going and you probably can too, but I figured I might as well try, so I asked if maybe I could apply this to next year's DMV fees, or my wife's car or something. Anyway, the answer was no, so I finally gave up and said what I knew I would have to say all along: "Can you just cut the refund down to $99?" It took me a while to get this point across, but eventually she got it and spent the next 10-20 minutes trying to figure out what combination of fees would get me below the magic $99 threshold. I still have no idea what got tacked on, but eventually she says "I can do $98". That sounded good to me (I'd now spent almost as much time as I would have at the DMV) so I took my registration sticker and made a break for it. Apparently I get my refund in 4-6 weeks, or whenever they get around to sending it.


April 11, 2010

I've written before about return policies for running shoes. These vary a lot, ranging from unused only (Zombie Runner) to unlimited (REI). I'd generally assumed that this was mostly a feature of the kind of store. For instance, the two big mountaineering co-ops, REI and MEC, offer unlimited warranties: you can return any item for any reason at any time. This includes items which are so badly used they can't possibly be resold. Interestingly, however, there's a huge amount of variation between companies in the same category. Take some of the big outdoor gear manufacturers (I buy a lot of outdoor gear). Here's what they offer in terms of warranty/return policy.

Patagonia: Unlimited: repair or replace. Nominally they repair at a reasonable cost, but since it's satisfaction guaranteed at any time, this is really unlimited.
North Face: One year for any reason. Lifetime for defects.
Mountain Hardwear: Lifetime warranty for defects. No general returns at all.
Black Diamond: One year warranty for defects.
Osprey: Will repair any pack for any kind of functional (non-cosmetic) damage or replace if it can't be repaired. No sign of replacement for dissatisfaction. (This policy seems to be new as of Jan 2009.)
Arc'Teryx: Repair during the "practical lifetime" of the product.
Marmot: Lifetime for defects.

I'm not sure what to make of this much variation. It doesn't seem to be correlated in any way to quality or price: Black Diamond and Arc'Teryx have only so-so return policies but make good gear, and Arc'Teryx is legendarily expensive. It does make me want to buy Patagonia when I have a choice, though...


April 10, 2010

One of the great things about C++ is that it turns simple typographical errors into an exercise in language hermeneutics. Consider, for example, the following code fragment:
1  #include <boost/shared_ptr.hpp>

3  class Clazz {
4  public:
5    int member_;
6  };

9  void bar(void)
10 {
11   boost::shared_ptr<Clazz> cl(Clazz());

13   cl->member_ = 9;
14 }

This code doesn't compile, however; you get the following error (reformatted a bit for presentation):

/tmp/cpp.cpp: In function 'void bar()':
/tmp/cpp.cpp:13: error: request for member 'member_' in 'cl', which is
of non-class type 'boost::shared_ptr<Clazz> ()(Clazz (*)())'

Now, I've cleaned this code up so that it isolates the error. The original code had the error buried in a sea of boost::variant and boost::bind error messages that took up about half a page. Even so, when I showed this code to a very experienced C++ and Boost programmer, he had the same reaction that I (and one of my other colleagues) had when we looked at the original code, namely, WTF. The problem with the code is that I've forgotten the new when constructing the object on line 11, but the compiler accepts that line just fine. However, the compiler chokes on line 13, not 11. Anyway, all three of us had the same reaction: sure, line 11 is broken and the compiler should have complained, but given that it accepted it, how can this possibly screw up the perfectly unobjectionable reference to the member variable member_ in the class Clazz, indirected through a boost::shared_ptr?

At this point, we were seriously considering the possibility that it was a compiler bug, but after about 20 minutes of headscratching and trying different variants of the code, we finally paid attention to the error message that g++ was spitting out, which, when you actually look at it, is kind of clear. Despite appearances, this isn't a misinitialized boost::shared_ptr to Clazz. Instead, it's a shared function pointer to a function which takes a function pointer to a function returning Clazz (I think... I don't have a copy of c++decl handy).

As I said, this error appeared in some of my real code. It's probably not that common a mistake, but I've been working in Python as well as C++ and in Python you don't use new with constructors. In my experience this kind of error is a pretty common consequence of flipping back and forth between languages—my Python code is riddled with spurious (and luckily harmless) semicolons. And of course, C's (and by extension C++'s) inside-out syntax for function pointer declarations turns line 11 into legal, albeit obscure, syntax, letting the error trickle down to line 13, instead of just reporting a syntax error at the point where I actually made the mistake.
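The following is an added example, not code from the original post: it reproduces the same typo with std::shared_ptr instead of boost::shared_ptr (an assumption, so that it builds without Boost), uses a compile-time check to show that line 11 really declares a function rather than an object, and shows the two fixes (adding new, or using make_shared, which cannot be mis-parsed this way).

```cpp
// Added example (not from the original post): the line-11 typo with
// std::shared_ptr standing in for boost::shared_ptr.
#include <memory>
#include <type_traits>

class Clazz {
public:
    int member_;
};

// Line 11 of the post without `new`. This is NOT an object definition: it
// declares a function named `cl` taking one parameter of type `Clazz (*)()`
// (pointer to a function returning Clazz) and returning shared_ptr<Clazz>.
// That is why `cl->member_` on the next line is rejected, not this line.
std::shared_ptr<Clazz> cl(Clazz());

// Compile-time evidence of the mis-parse: the type of `cl` is a function type.
constexpr bool cl_is_a_function = std::is_function<decltype(cl)>::value;
static_assert(cl_is_a_function, "cl was parsed as a function declaration");

// Fix 1: what the author meant, with the missing `new`.
int fixed_with_new() {
    std::shared_ptr<Clazz> p(new Clazz());
    p->member_ = 9;
    return p->member_;
}

// Fix 2: make_shared leaves no parenthesised type for the parser to
// reinterpret as a parameter list, so this mistake cannot happen here.
int fixed_with_make_shared() {
    auto p = std::make_shared<Clazz>();
    p->member_ = 9;
    return p->member_;
}

// Define the accidentally declared function so the example links and the
// reader can see exactly what the line-11 declaration meant.
std::shared_ptr<Clazz> cl(Clazz (*factory)()) {
    return std::make_shared<Clazz>(factory());
}

Clazz make_clazz() { Clazz c; c.member_ = 1; return c; }

// Calling the "declaration" from line 11 as the function it actually is.
int via_accidental_function() { return cl(make_clazz)->member_; }

int main() {
    return (fixed_with_new() == 9 && fixed_with_make_shared() == 9 &&
            via_accidental_function() == 1) ? 0 : 1;
}
```

Compiling with clang's -Wvexing-parse (or any compiler's equivalent warning) flags the declaration of cl, which is the check the author wished g++ had done on line 11.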

UPDATE: fixed various things in <> that render funny. Thanks to Hovav Shacham for pointing out the HTML errors. Grr.


April 3, 2010

How's this for cognitive dissonance? Keeper Springs is a brand of bottled water which donates all of its profits to environmental causes:
Welcome to Keeper Springs Fresh Mountain Spring Water-where all our after-tax profits are donated to the environment.

Keeper Springs is fresh mountain spring water bottled right here in the United States from a sustainable spring.

While our company encourages investment in public water supplies and minimizing the use of plastic bottles - and of course, maximizing recycling - we believe that bottled water is a permanent fact of our society and that ours is among the best. Our unique business proposition is, along with proudly selling great spring water, we will donate all of our profits toward providing our children with a clean and safe world to inherit.

Bottled water, of course, is a product which trades off a nontrivial environmental cost for a benefit which is mostly a matter of convenience (bottled water is in general no healthier than tap water). So there's an odd irony in a bottled water company which is devoted to helping clean up the environment. The rationale here seems to be that if you're going to drink bottled water, you might as well drink one made by an environmentally friendly company rather than some faceless megacorp. It's even possible that if the profits are spent properly, they will do more good than the environmental damage that drinking bottled water causes, though of course this is very hard to assess.

That's fine as far as it goes, but consider a counterargument: the guilt you feel over buying bottled water (you do feel some, right?) acts as a weak quasi-Pigouvian tax on bottled water. With that tax removed, you might buy more bottled water, which negates the argument that you were going to buy something anyway. I would also observe that Keeper Springs is spring water, not tap water. The people who make KS claim that their method of bottling is sustainable, but wouldn't it be even more environmentally friendly to just bottle purified tap water the way that Dasani does?

UPDATE: Replaced the environmental cost link. The video was catchy, but, uh... tendentious.