Archive for the ‘policy and law’ Category.

The evil CARB-compliant gas can

How Government Wrecked the Gas Can

“Hmmm, I just hate how slow these gas cans are these days,” he grumbled. “There’s no vent on them.”

That sound of frustration in this guy’s voice was strangely familiar, the grumble that comes when something that used to work but doesn’t work anymore, for some odd reason we can’t identify.

I’m pretty alert to such problems these days. Soap doesn’t work. Toilets don’t flush. Clothes washers don’t clean. Light bulbs don’t illuminate. Refrigerators break too soon. Paint discolors. Lawnmowers have to be hacked. It’s all caused by idiotic government regulations that are wrecking our lives one consumer product at a time, all in ways we hardly notice.

Vote but Verify

Local Rochester-area political blogger Thomas Belknap recently railed about HR 811, interpreting its requirement of a voter-verified durable paper ballot as a small-minded banning of an attractive future of modern networked reliable electronic voting machines. I could not resist posting my disagreement into the comments on his blog, and perhaps I am going to convince him, as he edited out my most provocative snide political shots and left in some of my more reasoned comments.

As a security person, I must point out that if machines do not produce a reliable auditable record, then all you have is a fait accompli fraud-blessing device. That’s the short version of the security argument.

I’m willing to go along with NIST that, as of today, all-electronic systems are an important research topic, not a settled present alternative:

The approach to software-independence used in op scan is based on voter-verified paper records, but some all-electronic paperless approaches have been proposed. It is a research topic currently as to whether software independence may be able to be accomplished via systems that would produce an all-electronic voter-verified, independent audit trail (known as software IV systems).

A durable paper ballot requirement is not a retrograde goof, nor a rejection of e-voting. It’s a reflection of current reality, that all-electronic e-voting implementations are asking for trouble. Codifying an allowance for all-electronic systems today would just open the door to arguments about what’s good enough cryptographically, arguments that will be settled by folks even less competent than our representatives. Codifying the well-understood voter-verified paper audit trail as a requirement puts an immediate crimp in the shopping spree for fancy-looking machines that are rotten inside – a shopping spree that will continue if this law isn’t passed, creating an ever-larger lump of sunk investment in pretty bad technology.

A paper audit trail today isn’t a rejection of e-voting, it is progress toward a more robust implementation that in the future will, no doubt, also include other alternative durable auditable records.

For credible background on the security geek consensus, see the above-quoted NIST draft, the US ACM policy recommendation, or Bruce Schneier (University of Rochester physics alumnus!). Or anything by Ed Felten or Avi Rubin on this subject. In this case, our representatives seem to be listening to informed advisers.

Regarding politics: All parties’ oxes have been gored at one time or another by voting fraud or rumors of fraud, so this does seem like an issue on which a consensus could form.

Tor onion router: social good or anti-social practice?

At Rose-Hulman Institute of Technology:

Earlier this week, a hacker infiltrated the website of a company in France, defacing the site and using it to send vulgar emails. The hacker was not a Rose-Hulman student. But through a router maintained by a Rose-Hulman student, the hacker was able to do this anonymously.

The student, senior computer science major David Yip, was maintaining a router on his computer called a Tor onion router.

There are many ways to describe this activity: exercise of freedom, negligence, lack of due diligence, accomplice or accessory to crime. Is it a social contribution or an anti-social practice? Drawing the lines is very difficult (as legislators trying to ban open access points will discover).
One example of how universities do tend to have a stricter social compact than, say, ISPs.

[via Justin Mason]

more Sarbanes-Oxley backlash

While discussing the current venture capital situation, Paul Graham points out

An experienced CFO I know said flatly: “I would not want to be CFO of a public company now.”


This law was created to prevent future Enrons, not to destroy the IPO market. Since the IPO market was practically dead when it passed, few saw what bad effects it would have. But now that technology has recovered from the last bust, we can see clearly what a bottleneck Sarbanes-Oxley has become.

As always, read the whole thing.

Policy Metaphors

  • Do not open the thermostat. Call Facilities to adjust. A mechanic will visit twice a year to adjust it, to secure the Allen screws, and to scold you about opening it. (Note: those unsolicited visits don’t happen any more.)
  • Wave arms periodically to turn lights back on. (Note: Many creative mobiles and lightweight origami figures have been invented, with the common feature of being light enough to catch ambient airflow.)

iPod Medical Imaging

Via Roland Piquepaille’s Technology Trends: iPod Imaging:

… several thousands of doctors are using the free OsiriX software to manage their medical images on their iPods and Macintoshes …

It’s an interesting route-around of the usual IT solutions (which offer not enough space and are less convenient). My cursory inspection of all the linked-to articles and software documentation shows zero discussion of privacy, security, and HIPAA — yet. Is sending a medical image via iChat secure enough?

Wayback Machine admissible in court

Via Stanford Center for Internet and Society:

Magistrate Judge Arlander Keys rejected Polska’s assertion of hearsay, holding that the archived copies were not themselves statements susceptible to hearsay exclusion, since they merely showed what Polska had previously posted on its site. He also noted that, since Polska was seeking to suppress evidence of its own previous statements, the snapshots would not be barred even if they were hearsay. Over Polska’s objection, Judge Keys accepted an affidavit from an Internet Archive employee as sufficient to authenticate the snapshots for admissibility.

Sir, you can’t use the Internet outside the library

  • This is an unhappy conversation on many many levels:


    The officer in question (whose conduct was entirely professional, firm, and calm behind those mirrored shades) solemnly assured me that in order to use the library’s open wireless signal, I had to be seated within the library. The officer then wandered on back to the nearby police station.

    ‘Maybe if you had permission it would be all right, but it’s a new law, sir; ‘theft of signal.’ It would be like if you stole someone’s cable TV connection.�

    ‘It’s a federal law, sir; a Secret Service agent came and explained it to us.’

    [via Blogos]

  • The comments on the article above include the useful link EFF: Best Practices for Online Service Providers that advocates minimizing legal problems by minimizing information collection.
  • Having had to dig hard to track down aggressive intruders, I also worry about lacking the ability to investigate attacks on infrastructure (mine or everybody’s). While this application of “theft of services” looks bogus, it is a tool that I’d like to have when somebody is really attacking my network or systems. Meanwhile, there is a permanent tension between knowing what’s happening on your network (say, if you’re an ISP tracking botnets) and maintaining ignorance as a legal defense.

Bad boilerplate

Jack Shafer in the Slate article
E-mail Confidential – Who’s afraid of Time Inc.’s legal disclaimer? has his attorney dissect an email disclaimer in detail.

This boilerplate proliferates because professionals
in the legal, auditing, and security consulting industries
feel compelled to recommend its use.
Unfortunately, the ratcheting ever-more-onerous language that
gets accreted by these things for cover-your-butt reasons results in most of them being statements that are intellectually ridiculous, legally dubious, and rude.

At this point, consulting professionals should be embarrassed to recommend this stuff.

[via Jeff Nolan via Techdirt]

Court supports gripe site

CircleID: Another Good Decision on Internet “Gripe Sites”:

Lucas Nursery and Landscaping v. Grosse, 2004 WL 403213 (6th Circuit March 5, 2004).
This case involves Lucas Nursery, a landscaping company in the suburbs of Detroit, Michigan, which apparently botched work done for Michelle Gross – or at least that was her opinion. But, when she established a web site to tell her story, Lucas sued her under the Anticybersquatting Consumer Protection Act (“ACPA”). She took the site down but Lucas persisted, taking her gesture as a sign of weaknesses and hoping to get some blood – or, perhaps, to send a message to other critics. But the trial judge decided she had not posted her web site with a bad faith intent to profit, and the United States Court of Appeals for the Sixth Circuit has now affirmed.

I sympathize with the plaintiff, though I like the predisposition toward freedom of speech.