Archive for the ‘hacking’ tag
Dilemmas in Electronic Voting: An Example from the Garden State
by Ryan Walden, MTTLR Associate Editor
Today’s voters are more likely than ever to read online blogs for political news and views, use candidate websites to examine their stances on the issues, and then make donations to their favored candidates online. Today’s voters are also more likely to cast their vote using an electronic voting machine, but not all consider that a welcome change. Just ask the plaintiffs in a New Jersey case challenging the use of electronic voting machines.
Last month, Andrew Appel, a computer science professor at Princeton, released a report of findings on the security of the Sequoia AVC Advantage voting machines (executive summary | pdf report). This report was submitted to the New Jersey Superior Court in support of the plaintiffs in Gusciora v. Corzine, a lawsuit alleging that the use of the AVC Advantage voting machines violates the state constitution’s guarantee to count every vote due to the possibility of fraud. The report finds that the machines, used in 18 of New Jersey’s 21 counties, can be hacked in as little as seven minutes by installing a new program into the computer to change vote totals. Appel demonstrates how the machines can be hacked in this (90 minute) video.
To combat possible fraud, Appel recommends voter verified paper trails, which would entail “an individual paper record of each vote cast, seen and verified by the voter at the time the vote is cast, collected in a ballot box so that it can be recounted by hand if necessary.” Voter verified paper trails are not a new idea – proposed legislation from Congressman Rush Holt (also of New Jersey) would mandate voter verified paper trails in federal elections. Even with voter verified paper trails, there must be a way to properly audit paper records to ensure no misconduct has occurred. The Brennan Center for Justice at NYU School of Law has released a report (pdf file) with recommendations for such audit mechanisms.
For their part, Sequoia Voting Systems, which makes the AVC Advantage voting machines, has rebutted the Appel report with a report of its own (pdf report | press release). Sequoia argues that the study was not conducted under real world settings, where detection of tampering is very likely. Sequoia also argues that the AVC Advantage machines were evaluated under “inappropriate standards” – noting that the Appel report’s assertion that the machines “must be correct in all circumstances” is an impossible standard to meet for any sort of voting system.
Ultimately, the arguments on both sides prompt the question: If we can’t have 100% accuracy, what level of inaccuracy is permissible? Sequoia is certainly right that no system will be correct in all circumstances, but if the Appel report is correct with regards to the sheer ease of changing votes, then that is not a sufficient rebuttal. Technology makes voting and counting votes easier, but it may also make voter fraud easier. Do the benefits outweigh the costs? A New York Times article notes that two-thirds of voters in the recent election were anticipated to vote by paper, with some states, including Florida, having switched back from electronic voting machines. Virginia and Maryland will switch back to paper ballots for the 2010 election. As for New Jersey? In light of this controversy, at least one Garden State political blogger suggests a decidedly un-21st century method of voting: through the U.S. Mail with an absentee ballot.
Palin Email Hack – Time to Update and Expand the Computer Fraud and Abuse Act?
by: Sherri Nazarian, Associate Editor, MTTLR
It has been over two decades since David Lightman, a scrawny Seattle high school boy, stole our hearts when he almost started World War III by hacking into the North American Aerospace Defense computer system in the 1983 movie Wargames. David Kernell, a modern-day hacker who allegedly broke into Sarah Palin’s personal Yahoo e-mail account, certainly generated the same amount of attention, but he may not have elicited the same emotions.
The hacker impersonated Palin and used three pieces of readily available personal information in order to change the account’s password and get access to her e-mails. Palin’s e-mail contents, including some personal family pictures, went online overnight and in the process raised not only questions about internet security and personal privacy on the web, but also about whether Palin was deliberately attempting to hide public records by using a personal e-mail account to conduct state business.
This high-profile incident suggests it may be time to revisit the available legal tools to prosecute cyber crimes. The primary statute used to incriminate hackers is the Computer Fraud and Abuse Act (CFAA)—originally enacted in 1984. The statute makes it illegal for a person to “intentionally access[] a computer without authorization or exceed[] authorized access and thereby obtain[] … information from any protected computer ….” However, the statute does not make it easy for a prosecutor to charge Palin’s hacker with a felony, unless other conditions are met. Former Justice Department computer crime Prosecutor Mark Rasch anticipates that the hacker could be charged with as little as a misdemeanor and face “little, if any, jail time.” The statute calls for a felony charge if, inter alia, the value of the information the hacker obtains exceeds $5000, or if the hacking was “committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” It is not clear that Palin’s hacker falls under any of these categories.
According to computer experts, Palin’s hacker used a domestic proxy server in order to transmit the images to websites, which led to his arrest. One of the bigger problems stemming from advances in internet technology is the difficulty in tracking down hackers who leave little or no trace behind. One such dilemma results when a hacker cleverly uses a proxy server located in a foreign country, where potentially the United States has no jurisdiction (or means via a treaty) to subpoena the log entry. More domestic and international protection remains a salient need of our society.
Even though Palin’s e-mail hacking incident is no inauguration of World War III, it is a wake-up call to officials—who hopefully have checked their e-mail security by now—and legislators in charge of amending the laws. Today’s fast-paced technological society and the borderless world of the internet make us aware of the need for more protection against cyber criminals through broader statutes with provisions that cover not just hackers, but facilitators as well. The possibility of cyber crimes pushing countries into ratifying treaties like the Convention on Cybercrime is, to say the least, a rational expectation.
Pwning your life
by Nancy Sims, MTTLR Blog editor
“Void your warranty, violate a user agreement, fry a circuit, blow a fuse, poke your eye out…”
So exhorts a t-shirt on sale from Make magazine. They also sell shirts with slogans like “If you can’t open it, you don’t own it”, and “Permission to play”. Make is not remotely a unique phenomenon – Instructables, Evil Mad Scientist Laboratories, and a host of other sites provide how-tos and what-ifs for the growing population of hardware modders and hackers. Make’s sister publication, Craft, and sites like Etsy and Craft Mafia demonstrate that the sensibility isn’t limited purely to hardware. It’s remix culture applied to real-world, physical objects, and it’s a growing phenomenon.
Hacking, remixing, modifying – whatever you call it, messing with technology, even physical objects you own, raises a host of legal issues. First of all, just opening the case of most tech objects voids the warranty. It may also void other user agreements, and as more of the technology in our daily lives requires ongoing relationships with service providers, that can be a real problem. Physical or software hacks may also violate anti-hacking laws in various jurisdictions.
The DMCA’s Anti-Circumvention provisions may open tech remixers to civil or criminal liability if they bypass “access control devices” or “technological protection measures” to explore or modify their devices. While there is currently an administrative exception that allows individuals to modify cellphones to ensure compatibility with various service providers, the exception doesn’t cover telling other people how to make the same modifications. Similar worries about the “no telling people how to circumvent, either” provisions delayed publication of the book “Hacking the XBox”.
And yet, the community of hackers and modders continues to expand. The revolutionary, compelling, or just plain entertaining products that the maker/crafter/modder cultures produce make it difficult to see how anyone could want to rein them in. A (very) few highlights:
- Physically “surfing” digital environments like Google Earth and World of Warcraft on the WiiFit Balance Board (link from WiiFit Balance Board Blog)
- Hacking Google to explore the first photos people take with their new cameras
- Adding LEDs to LEGO people (image by Oskay)
- Gamer Cakes on Flickr – homemade cakes based on popular videogames and toys
- Chumby, a wi-fi device intended to be hacked and modified (Chumby Bear, by miss_rogue)
- For a slightly different definition of “hardware”, don’t miss Ikea Hacker!
- And, unquestionably the most exciting recent hacks, Johnny Lee’s low-cost WiiMote hacks to produce a $40 multi-touch digital whiteboard, and a personal 3D video display
To get a sense of the philosophies/worldviews of makers, hackers, crafters, and modders, take a look at:
- The Make Owner’s Manifesto/Maker’s Bill of Rights
- Free Software Foundation’s “Road to Hardware Free From Restrictions” paper
- Five Dangerous Things You Should Let Your Kids Do (video)
Explore the history of hacking:
- Homebrew Computer Club (Wikipedia entry)
- Tech Model Railroad Club (Wikipedia entry)
- The Story of Mel, from the Jargon File (note: detailed information about very early programming methods; may require some programming experience to enjoy)
- The MIT Gallery of Hacks (note: MIT has a local-culture definition of “hack” that only partially overlaps with more familiar meanings.)
So, what do you think? What are your favorite hacks and mods? What legal issues do you see?

