Out of Cheese

I’m in Philadelphia for the weekend, visiting my parents for the first time in about a year. Every time I come in I do a little bit of computer maintenance for them — basically just keeping their system running well. Last year I installed Windows XP, for example.

This year I’m sort of floored by the problems their system has. They have some weird “eAccelerator” spyware program installed, and Ad-Aware doesn’t seem to remove it. I can’t figure out how to delete it. Their system is completely out of date with regard to Windows updates — I went to Microsoft’s update site and found more than 25 “critical” updates for their system, including a number of extremely important security fixes. Why aren’t these more obvious, so regular computer users like my parents can install them (and understand what they’re installing)? And on top of that, I have to deal with popup ads in IE.

Why do people put up with this stuff? I’ve made sure that my parents know that my computer doesn’t have a risk of spyware, it rarely has security updates (and they’re easy and obvious to install), and I never see popup ads. Their next computer will almost certainly be a Mac. How does the rest of the Windows-using world cope with such an awful computing experience? No wonder so many people can’t stand computers.

Apparently Nick wasn’t just a figment of my imagination. I thought he might be real when I met him in Redmond for the Microsoft intern Game a couple weeks back, but I wasn’t convinced until he actually posted to his weblog tonight. Welcome back, Nick!

Thanks much to Brent Simmons for reporting a memory leak in WebKit. I can’t speak for the Safari team, of course, but external bug reports — particularly ones with reproducible simple test cases, like this one — are always appreciated.

In the comments on Brent’s message, Mike Zornek said this:

I report bugs when I can but the biggest thing I want is a Cocoa app to do it in. I mean reentering the same info, bug after bug is so tedious. (Let me save the info on my hardware so I don’t have to reenter it every time!)

Yep; it’s tedious, and that’s a shame. That’s why I used to keep a saved System Profiler report around — I’d just paste it into the web site and be done with it. I also started to write an app to provide a more usable front end to Apple’s bug reporter once upon a time but stopped when I couldn’t find a good way to do HTTPS. There are much better APIs for that these days, so writing something like that shouldn’t be too hard any more. I don’t know what Apple management would think, but I’m sure a lot of developers would find an app like that useful if someone were to write one.

California’s ridiculous recall election is just a bit over two months away. The recall consists of two questions. The first is whether Gray Davis should be recalled. The second is if he’s recalled, who should replace him?

To get on the list for the second question, all anyone needs is 65 signatures and $3500. That’s easy. I could do that and be one of the few Democrats on the ballot. That alone might be enough to win. Eric for Governor, anyone? In an election with such absurdly low filing requirements and no restriction on the number of candidates, anyone could win.

Last week, some researchers from Johns Hopkins published a paper [PDF] detailing numerous flaws in the source code for a Diebold electronic voting system. The mainstream press picked up on this and wrote a number of articles about it. The reaction from both Diebold and election officials was extremely disappointing. The Washington Post, for example, talked to a number of officials in the state of Maryland, which just signed a statewide contract for Diebold election machines after using a number of Diebold systems in selected counties in last year’s election. Among the comments from Maryland officials:

• The last election went well, so the machines are fine.
• Voters feel like they’re using modern voting machines, so electronic machines are an improvement.
• The state has a hundred years of data from its precincts, so if results change unexpectedly they’ll notice.

These comments are at best naive and at worst indicative of a willful ignorance of basic principles of elections and information security. If a computer system works once, that’s no proof that it will continue to be secure in the future. Voters may be happy because the machines look prettier, but they’ll certainly be far less happy if their votes aren’t counted correctly. And as anyone who has analyzed election returns knows, individual precincts can swing elections by fluctuating by small amounts. Additionally, any significant swing in a single precinct can be (and is) explained away as long as it’s plausibly correct.

Election fraud is a time-honored American tradition. We counter that, though, with persistent investigation of any signs of fraud and a system that’s designed to make cheating as difficult as possible. Somewhere in the transition to electronic voting machines we lost sight of that goal. When you read the Hopkins report, you see that the number of holes in the Diebold system is simply mind-boggling. Unfortunately, there’s no reason to think that Diebold is uniquely bad and its competitors are any better. Instead, with the politicians ignoring their technical advisers (who almost always advise against electronic systems), the manufacturers of voting systems have little incentive to produce machines with independently verifiable security designs. I wonder what it’ll take for political decision-makers to learn the fundamentals of computer security…and whether that’ll happen before the first election is stolen.

Larry Lessig pointed today to a New York Times article about “the creativity possible when control is relaxed”. I didn’t find that aspect of it nearly as interesting as the random connections to my life I unexpectedly found in the piece. One of the puppeteers mentioned (and pictured), John Tartaglia, was in some of my middle school and high school classes. He didn’t come to our five-year reunion so I haven’t seen him in a very long time. I’m glad to hear he’s doing well. And the article’s author, Jake Tapper, was the press secretary for a Congressional campaign I worked on in high school. He’s since gone on to write for Salon and briefly date Monica Lewinsky after her, uh, encounter with Bill Clinton. While I’m not surprised to see him writing for the New York Times, it’s quite odd to see him writing articles on theater. I wonder if he’s had his fill of politics and decided to move on to other things.

The Philadelphia Eagles recently announced that fans attending their new stadium, Lincoln Financial Field, won’t be allowed to bring food into the stadium. Although annoying, that’s nothing new — about half the teams in the NFL prohibit food from the outside. What’s new is that the Eagles claimed that the food ban was for security reasons. Perhaps they were worried that exactly the right combination of mayonnaise, deli meat, and bread would cause an explosion. Or something like that.

In an attempt to validate the Eagles’ claims, today’s Philadelphia Inquirer contains a front page story concerning an investigation into the security risks of hoagies. (To the non-Philadelphians out there, a hoagie is what the rest of y’all call a “sub sandwich”.) A fleet of reporters brought various types of hoagies into Philadelphia’s City Hall, within 30 yards of President Bush on his visit to Philadelphia, to the White House, to the U.S. Capitol, and through the security check at Philadelphia’s airport. Shockingly, not a single one of these dangerous sandwiches resulted in a building evacuation or even a beep of the metal detector, although a few security guards were briefly distracted as they expressed their hope that the hoagie carrier enjoyed his lunch. Perhaps that’s the threat the Eagles were worried about. I suppose I’ll have to give them the benefit of the doubt.

Congratulations to Buzz Andersen, who announced today that he’s going to join Apple in a couple of weeks. Congrats as well to the Software Update Integration team, since they’ll be getting a good engineer. It’s great to see Apple continue to hire good people for its openings — we have a lot of talented young engineers who’ll help keep the company doing well five or ten years from now.

Welcome aboard, Buzz! I hope you have a great time at Apple and in California.

Our TiVo has Season Passes for a Telemundo telenovella for Ruby and the Simpsons and Futurama for me. I’ve commented previously that this results in some interesting recommendations, since the TiVo doesn’t really know what to do with the combination of Spanish soap operas and animated American comedies. A few days ago it seems to have settled on something — it started recording Futurama in Spanish. Hmph. Maybe I should just be happy that it doesn’t record American soap operas.

Various parts of the Mac web are abuzz with the news of a way to crash the ScreenSaverEngine process on Mac OS X by typing far too many characters in the screen saver’s password dialog and then hitting return.

What’s disappointing is that in all of the “it’s a huge bug!” “no it isn’t!” “yes it is!” “your momma’s a huge bug!” yelling, nobody’s actually taken the time to figure out what causes the crash. I’ve seen one person post a backtrace, but that’s it. I can’t speak for Apple, of course, but one of the reasons why companies post source code is so good developers can provide bug reports that point to specific lines of code. In this case, the backtrace points to a routine that’s in one of Apple’s open source packages. As long as that backtrace is valid, any competent programmer with a few free minutes should be able to figure out what’s going on.