Professional cycling, however, is a very different story. Combining the commercialism of motorsport racing with athletic demands exceeding almost any other sport, the pressure on riders to perform is tremendous. Good performance not only makes careers, but it pleases sponsors and significantly impacts their economic standing. Sponsoring a winning Tour de France team brings in tremendous revenue for a company in Europe. Continuous defeat, on the other hand, can have devastating consequences. As such, riders must reach for the leader board not only to meet their own expectations of success and competition, but simply to remain employed.

For years, dopers and anti-doping agencies have played much the same cat-and-mouse game that security researchers play with crackers. Riders use performance enhancers; researchers create tests to detect them; riders find new drugs to use, and so on and so forth. Doping was present in cycling long ago already, but it was the 1998 expulsion of the entire Festina team from that year’s Tour de France that signaled the beginning of the “doping era.” Since that year, every “grand tour” (the class defined by the Tour de France, the Giro d’Italia, and the Vuelta a España) has been plagued by expulsions, positive tests, litigations and scandals. In order to restore honor and fairness to the sport, many are crusading against the use of performance enhancing drugs. Until recently, the fervor of athlete and corporate lust for success seemed unbeatable.

According to an article by Juliet Macur in the February 28^th, 2009 edition of the New York Times, the anti-doping community has developed a new methodology for detecting cheating. Rather than attempting to detect traces of illicit chemicals in riders’ bloodstreams, drug testers are attempting to develop a “biological passport” for each rider. By comparing a rider’s current blood work against earlier tests, it is now possible to detect telltale signs of substance abuse via the changes observed in that rider’s blood. Legal action has already been brought against several riders with this biological passport as evidence.

Assets

• Riders don’t want to suffer in the ranks as a result of their competition using performance enhancing drugs
• Sponsors and team owners don’t want the cheating of other riders to reduce the acclaim, visibility, or overall performance of their respective teams.
• Race officials and fans want to see respectable racing, not battle-of-the-druggies. Cycling has been tainted in recent years by the proliferation of doping scandals.
• Every non-adversary wants final rankings to be representative of rider athleticism and effort.

Potential Adversaries

• Riders whose competitive spirit may drive them to seek “help” in order to win.
• Riders who suffer from excessive pressure from sponsors to perform.
• Sponsors, team owners, or team managers wishing for more team/product/brand visibility thanks to front-running riders.
• Doctors and researchers developing new doping methods.

Potential Weaknesses:

• Though I don’t claim to understand the biology, and while I can’t imagine that an attack this simple would be possible against the “latest and greatest” in anti-doping technology, I see one fundamental flaw in this approach. If detection of substance abuse relies on change between two test dates, the test is vulnerable to a rider who is never tested prior to adopting a doping habit. Because blood may not change once routine doping is adopted, there might not be a difference between old tests and current tests either.

Potential Defenses:

• In addition to using these “biological passports,” parallel research should continue into discovery and detection of new doping techniques. These detection methods should be applied in addition to any delta-comparison between bloodtests.
• If it is possible, attempt to correlate blood of dopers, as well as the blood of likely non-dopers (very poor performers, amateurs, etc.). It may be feasible to derive a model that can detect riders for whom an accurate “clean” sample is unavailable.

]]> http://cubist.cs.washington.edu/Security/2009/03/13/security-review-new-weapons-in-the-fight-against-doping/feed/ 0 http://cubist.cs.washington.edu/Security/2009/03/13/security-review-helios-online-voting/ http://cubist.cs.washington.edu/Security/2009/03/13/security-review-helios-online-voting/#comments Sat, 14 Mar 2009 05:55:23 +0000 Orion http://cubist.cs.washington.edu/Security/?p=1285 The Technology

The technology being evaluated is the Helios Online Voting Booth, usable at http://www.heliosvoting.org and outlined in the 2008 Usenix Secuirty paper available at the same site. The election system does not create novel cryptographic tools or algorithms, rather it provides a protocol for using existing cryptography to make an election that is universally verifiable and provides ballot casting assurance as well as voter secrecy. The general outline of the system is as follows:

• The voter fills out a ballot and then “seals” it by essentially encrypting it with the election’s public key so that only the election administrators can decrypt it.
• The voter then has the option of verifying that the sealed ballot contains her same choices, if chosen requires the voter to “reseal” it with new randomness.
• The voter is then authenticated and, if allowed to participate in the election, their ballot is “cast” to the server and the voter receives a copy of their sealed ballot.
• Upon receipt, the server publicly publishes the voter’s name and sealed ballot so the voter can verify that the sealed ballot is the same as the one cast.
• Upon election conclusion, the server downloads all sealed ballots from the previously mentioned public place and scrambles and re-encrypts them with a mixnet.
• The server then decrypts all ballots and tallies the totals, providing proof of correctness.

The paper contains a few proposed improvements to current weaknesses, but I still felt it reasonable to discuss those weaknesses. More information on the broader implications of this system was presented in a Current Events article published earlier today.

Assets and Security Goals

• The election system needs to provide ballot casting assurance. The voter needs to be able to verify that his/her ballot was received, and received correctly in order for him/her to deem the election valid. The makes sure that the voting system cannot change or destroy a voter’s ballot without the voter being able to find out.
• The election system needs to provide universal verifiability. Anyone must be able to independently and externally verify that all votes that were received were, in fact, counted and counted correctly in order for the election to be known to be valid. This, with the above, makes sure that not even the election administrators can tamper with the election.
• The election system needs to provide voter secrecy. It should be impossible for anyone to link a voter and his/her vote in order for voters to be free to vote for whomever he/she wants without fear of punishment.

Adversaries and Threats

• Anyone (including the election administrators) wishing to fix an election for monetary, religious, or political gain may try to change or destroy ballots or tamper with ballot counting without being discovered.
• Anyone wishing to discover who voted for whom may try to link individual voters and ballots, either during or after voting.

Potential Weaknesses

• It is possible, just after the voter casts his/her ballot, for a corrupt router to intercept the ballot en route to the Helios server and send the user a fake Helios server success code, causing the “voting booth” to immediately display a false success message and clear the ballot from memory. At worst, the voter fails to later check that their ballot was recorded on the server before the end of the election and his/her ballot is never counted. At best, the voter realizes their vote was not counted and has to cast a new ballot.
• As it currently exists, if the election administrator allows Helios to administrate the election (as it seems they suggest doing), it is possible for a corrupt Helios server to create new, fake voters and cast ballots on their behalf without easily being discovered. Since the system relies upon voters validating their votes, it would be difficult to distinguish between actual voters who didn’t validate their vote and server-generated voters.
• As the client-side code utilizes jQuery, LiveConnect, and Java BigInteger libraries, any vulnerabilities or cryptographic insecurities in that code could potentially be exploited to tamper with the election.
• As currently implemented, the election administrator (who has the power to add voters and freeze the election) is authenticated through Google Accounts. Any vulnerability in the login (weak password, easily guessed security questions, etc.) could allow an attacker to end the election prematurely or add additional voters (potentially multiple accounts for the same voter).

Potential Defenses

• The main defense the Helios system uses to prevent the sort of ballot manipulation or rejection described in the first weakness is to provide open-source tools for the user to verify that the ballot they have created (but not yet cast) does indeed contain the desired voting preferences. This seems to be the best-possible solution short of forcing the user to verify their ballot because it should be inherently impossible to validate the values in a ballot after it has been cast (otherwise others could view the values as well).
• The Helios defense against a corrupt Helios administering a server and creating fake voters is to provide means for other election administrators to acquire and store the election’s private key necessary for decrypting the votes.

Risks and the Big Picture

• The risks associated with this sort of system are nothing less that selling democracy to the highest bidder, or at least the one with the most computing power. If this sort of system were eventually used for a governmental election, the key lengths (currently 1024) would need to be significantly larger because the stake is so much higher. All of a sudden the researchers with 10,000 PS3 cells, or the BBC with a botnet of 10,000 computers might be able to crack encryption keys and tamper with ballots or fake election results. Since this system is based upon computational security, it needs to be implemented in such a way that even the best of the FBI cannot affect the results. Otherwise the currently established government could control all subsequent election results.
• Most of the risks can be alleviated through complete voter validation of their ballots in combination with auditing of the election results given the provided proofs of correctness which are part of the system. If many voters do not do this, however, then it is possible for many security flaws to go unnoticed.

Conclusion

The general idea is that here is finally a system which seems to hint that it may be possible to design an electronic voting system that is secure and transparent. The details have obviously not been ironed out, and may not be for some time, but the spirit of the system is enough to provide some hope in this era where Diebold Premier Election Solutions voting booths are still being used in US elections. The Helios system is not the solution, but it is a step in the right direction, if for no other reason than Kerckhoffs would be rolling in his grave if he knew how we trusted Diebold’s secret code to run this democracy. When not even the government in charge of an election can alter its outcome without the public being able to check, elections may finally be able to be trusted.

Sources

http://www.physorg.com/news155473407.html
Adida, B., Helios: Web-based Open-Audit Voting, Usenix Security 2008

This project rose out of the recognition that relatively recent advancements in cryptography and computer science have paved the way for the possibility of actually implementing election protocols that guarantee ballot casting assurance, universal verifiability, and voter secrecy. One issue that the developers of this system are facing is that the public is not really aware (or if they are, they fail to recognize the implications) of the lack of these properties in our current election system. Especially as absentee balloting is becoming more popular, there is little guarantee that 1) your vote is ever received, 2) that no one changed en route, 3) that it was counted at all, and 4) that is was counted correctly. The Helios system allows the user to verify 1, 2, and 3, and allows anyone to verify 4. The source for the Helios system is available for free under Creative Commons, and an online server is available for general use.

This new development is especially important given the recent Diebold debacle which emphasized the importance of Kerckhoffs’ principle in the development of important security systems. Entrusting something as important as democracy to some proprietary, secret code hacked up by some people under investigation for putting Trojans in ATMs is no way to go. It will be interesting whether or not this new style of election will ever be used in general governmental elections, but it hints that the day when we may actually be able to cast e-votes with confidence is drawing near. If you are interested in more details of the Helios system, a follow-up security review will be posted shortly.

There are a few assets that parking enforcement wants to protect. One is their revenue stream — making sure that they are receiving money for the parking that is available. Another is the availability of spaces, so that legitimate paying customers won’t be turned away at the door if the lots are oversold. In both cases, the adversary is the driver trying to cheat the system (aka, me).

One weakness of the system stems from having way more parking spots than there are parking enforcement officials. While this can work in an cheater’s favor in general, the longer one spends in the same spot, the more likely they are to be eventually ticketed. This might assume someone illegally parked would stay shorter — but then they have the added overhead of having to move their car frequently. One way that they can combat this is to deploy resources first towards the most high-traffic lots, and then check less frequently at satellite lots.

Another weakness of the system involves procedures for contesting tickets through the parking department. Any ticket can be contested through the office, and last checked, they had an average turnaround of 3-6 months, no doubt due to bureaucratic inefficiencies. If an adversary were to contest a ticket, they wouldn’t have to pay it for months, and would be likely to get it fined. One could also try sending in a longer letter to the department as to why they deserve to not get the ticket, in order to push it to the back of the queue for processing.

In the future, there might be an emphasis on more high-tech solutions (such as cameras) to quickly monitor parking lots and possibly detect cheaters. For the time being, however, there are some vulnerabilities in the parking system that allow attackers to get away with free campus parking undetected.

The Air Force Institute of Technology has a new method for passive BitTorrent tracking. The system attempts to read the header of BitTorrent packets, and compare the hash in the packet to a known set of bad hashes. If a bad hash is matched, then the system logs it for future investigation. The system uses programmable FPGAs, and sniffing capacity tops out at 100Mbps.

Recent developments in traffic shaping / packet analysis have been largely spurred by large ISPs’ desire to limit user’s consumption of high-bandwidth services such as BitTorrent. Complaints towards users of BitTorrent include high bandwidth usage, as well as accusations of illegally sharing copyrighted material.

However, packet inspection at any level raises a number of privacy concerns, as systems at the ISP level would definitively be reading the data that flows through their network from an end user’s machine. This can either be malicious or not — it really depends on how ISPs use it. It seems like ISPs are highly motivated to keep traffic down so that they can keep their networks from becoming congested. However, no ISP customer can ever exceed the maximum amount of bandwidth that they are advertised to get. It seems like the ISPs are not being forthcoming about the real amount of bandwidth that they want customers to use.

Bandwidth isn’t the only issue, with litigation being handed out to file sharers. It’s in the ISP’s best interest to stay out of any legal issues they can, which also provides a good motivator for packet shaping BitTorrent traffic. However, given millions of motivated BitTorrent users versus companies with relatively limited resources, they are fighting an uphill battle that will not end up in their favor. This Air Force sniffing technology can’t detect encrypted BitTorrent packets, which compromise 25% of the BT traffic out there. As well, with projects such as OneSwarm, people can set up much more anonymous sharing networks between friends. The only way for corporations to survive file sharing is to adapt, like the Norwegian state broadcasting company did when it started offering its broadcasts as full, unencrypted downloads on its own hosted BitTorrent tracker.

This event arises from the current security concerns of DHS, and their mandate to catch terrorists at the various entrances to the United States. It seems that the methods employed in profiling are faulty, and need revisiting. As a counter-example to this article, the Israeli airports employ racial profiling to great success in ensuring security, and haven’t had an incident since 1986 — however, they combine these profiling methods with other forms of security measures.

However, there are larger issues in having such broad-sweeping racial profiling in the US. Applying racial targeting to minorities at checkpoints would cause a fair amount of backlash, considering the historical implications. As well, all the racial groups that are on profiling lists also are likely not adversarial threats, and are certainly as legitimate of citizens as people that aren’t on the list. Also, it seems like  relying heavily on profiling means that defeating it is simply a matter of not fitting the current terrorist profile.

While there has been some success stories in racial profiling with regards to border security, the idea leaves a bad taste in my mouth. There are inarguably a number of things that DHS can do to improve security at checkpoints (hire competent TSA employees comes to mind), without going down the dangerous path of racial profiling — profiling that has been shown in this recent study to be mostly ineffective given how it is currently applied.

Original Article: http://arstechnica.com/science/news/2009/02/study-racial-profiling-no-more-effective-than-random-screen.ars

In Italy, public officials have been abusing their authority to make more money from the public by making reds come earlier than they are supposed to (a shorter duration yellow than legally allowed).   This means that, since they use cameras to automatically give tickets to people running red lights (see security review of automated traffic cameras for a different look at that aspect of it), they can make money off residents who are given inadequate time to come to a stop, and thus must run a red.

Who Was Hurt By It

Drivers have been economically affected, with 1439 people caught over two months (the fine is 150 Euros, or roughly $190 at current exchange rate).  Prior to that, at most 900 people would have been expected to be caught assuming the maximum number of tickets normally given were given out per day (this means a 50% increase over a value previously considered unrealistic to obtain!).

The public has also suffered a reduced amount of trust in the transparency and honesty of their government–a system which was out of their control and which they were mostly powerless to oppose or investigate was found to have been compromised in such a way that people were labelled as both criminals and charged unfair money.

Who Did It

109 officials are being investigated with regards to it, although the programmer himself is the current person taking most of the blame in the news.  Also involved were: police, local government officials, and the heads of seven different companies. Roughly 300 municipalities and a host of different companies were profiting from this scheme.

What’s Being Done

Currently a criminal case is being pursued against those responsible.  However, this does not really address the problem–the faulty systems are still in use, and ultimately fixing them should be the first priority.  Although the programmer responsible has a lawyer proclaiming his innocence, ultimately a review of the cameras themselves will need to be done.

Long Term View

This adds yet another complaint against automated traffic cameras.  Many object on privacy reasons, but this also adds concerns about faulty software, either maliciously or through incompetence.  Although it is unlikely that Italy will suddenly abandon automated traffic cameras, it may cause them to take a second look at them, at the least, and hopefully be more open in the future.  In all likelihood, however, they will continue to use a closed source solution, and will merely (hopefully) patch this problem.

Finally, this also adds another potential weakness to the list in the security review–corrupt officials who view it as a way of making more money.

Source: http://arstechnica.com/tech-policy/news/2009/02/italian-red-light-cameras-rigged-with-shorter-yellow-lights.ars

See also: http://cubist.cs.washington.edu/Security/2009/02/05/security-review-automated-traffic-enforcement

This is big news both for host sites that may gain revenue from their ads, as well as the companies trying to sell a product. For host sites, it means their pages are sticky; visitors no longer leave the for a 3rd party site when they see a product they like. Instead, they can just purchase it and continue to view the content. For the company selling the product, it means their returns are much greater than previous click-through counting methods as the results they are in the form of actual sales and revenue.

But what does this mean for the online consumer? Of course, it means they can now make purchases through ads without having to go to another site, but it also means they have to be smarter. Adgregate claims in their press release that “Through ShopAds, Adregate Markets enables consumers to securely purchase products entirely within the confines of the ad unit, without being redirected away from the publisher’s site.” However, a problem arises when a ShopAds widget is placed on a web page that uses HTTP instead of HTTPS. Since the page itself is transmitted HTTP, the content of the page is in plaintext. Additionally there is no way to verify that widget came from any particular location. For example, a malicious router launching a man-in-the-middle attack could replace the widget on a page with their own widget that appears to be legitimate. Visitors to the web page may then interact with it assuming it is the company it says it is. Although ShopAds are flash-based, and thus can establish secure connections, this only has meaning if the source of the ad itself can be verified.

Assets and Security Goals:

• Purchase Orders – The purchase made by a visitor/customer must be accurate when it is received by the merchant company.
• Consumer Identities – Identifying information, such as credit card numbers, should not.
• Merchant Identities – It should be possible for a consumer to know for sure that they are buying from a particular merchant.  In other words, it should not be possible for an adversary to pretend to be a Macy’s ad.

Potential Adversaries or Threats

• Eavesdroppers – It could be possible to collect customer information by sniffing packets
• Copy Cats -  By replacing ShopAds widgets with a malicious flash ad, one could pretend to be a company that they are not.
• Modifiers – By modifying the information being exchanged, it may be possible to alter the purchase order itself (such as the quantity of certain items) or change where it is being shipped to.

Potential Weaknesses

• HTTP Pages – Pages using HTTP cannot guarantee the origin of the content displayed on the page, including the ShopAds widget, and would be vulnerable to man-in-the-middle attacks.  Additionally, information is sent over plaintext.
• HTTPS Pages – Even on an HTTPS page, you would have to trust the hosting (publishing) website you were visiting.  HTTPS only verifies that the site is who they say they are. So, visiting https://www.evil.com and conducting a business transaction through one of their evil ads is still dangerous.
• ShopAds Widget – If the widget does not take advantage of  the features in flash to establish secure connections, information may be sent over plaintext.

Potential Defenses

• HTTPS Pages – HTTPS pages can at least guarantee that the page is who they say they are and that the data is not sent over plaintext.  If a customer trusts the hosting/publishing site, and they trust the company who owns the ad, they could trust the transaction.  However, this would require every page with a ShopAds widget to use HTTPS…
• Flash Security – Make sure to take advantage of features to establish secure connections to prevent transaction information from being transmitted in plaintext, even if the widget is properly placed on a trusted HTTP page that has not been maliciously modified.
• Ad/Merchant Verification – Having the potential for a consumer to verify that the ad belongs to a particular consumer would help guarantee online shoppers do not buy from copy-cats.  Ideally, this would be done in the widget as well so as to keep to the nature of this new technology.

The largest problem here is that consumers may have no idea about the threats posed by these types of ads.  Many customers may not even know why HTTPS is important, let alone how it affects the security of shopping through an ad. Furthermore, it is unlikely that every page that will be sporting the ShopAds widgets will start using HTTPS, so shoppers will learn to have trust in these very dangerous situations. Even if the publishing site can be trusted, if the widget is not on an HTTPS page, it cannot be trusted.

If the ShopAds widget is to become the next best thing in advertisement and online shopping, these security concerns will have to be addressed.  In the same way that an online banker would not (hopefully!) enter their bank account number and password on an insecure page, neither should an online shopper provide their credit card or other identifying information.  It will also be necessary for shoppers to be more aware of where and how they are making purchases.  To help out visitors to the site, some of the responsibility may rest with the publishing website to make sure the ads they are providing do not compromise the identities of its visitors.  If this does catch on, it may become necessary in the future for browsers to be able to verify the origin of chunks of content, such as the ShopAds widget, to guarantee the security of its users.

This change was proposed to combat vandalism. As it is now, a user could maliciously and instantaneously change the content of any article in an arbitrary way. For example, the article announcing the proposed change noted an instance of vandalism where a Wikipedia user vandalized Senator Ted Kennedy’s article to say that he had died after President Obama’s inauguration. According to Wikipedia’s page on Vandalism, the current method of dealing with vandalism is to delete the changes, and possibly take action against the user who posted the changes. A user believed to have vandalized an article could be given a warning, or blocked from making any further edits by an administrator. This current policy still allows the flawed article to be seen (and possibly taken as fact). The flagged revision system would mean that malicious edits might never be seen at all.

Another way to discourage vandalism might be to impose more draconian penalties on users thought to be maliciously altering articles, such as banning both the user and the computer from accessing Wikipedia in the future. This would be too harsh, since foolish edits could possibly be innocent mistakes, and there could be more than one person using a given computer. Another alternative would be to only allow users who are already considered trustworthy to make edits. This would be too restrictive, and does not allow for as broad a community of editors as Wikipedia has currently. The only methods that seem to allow for a reasonable amount of freedom for users are the current reactive system, and the flagged revision proposal.

With the proposed system, Wikipedia is trying to ensure the correctness of the content of its articles. Vandalism could potentially hurt users by spreading false information. This is especially troublesome for people such as this author, who generally trusts Wikipedia to be accurate. Vandalism also harms Wikipedia’s reputation for accuracy, perhaps deterring potential users from using the website at all.

The flagged revision idea does seem to be a good way to prevent vandalism, assuming there is a reasonable system for selecting which users are considered “trusted.” However, it also reduces the freedom of the Wikipedia users to make edits. Also, since all changes are subject to the perceptions of the trusted users, it is possible for those trusted users to exercise censorship against other users. In addition, the proposed system would place a very large burden on the trusted users to inspect others edits so that they can be added to the article within a reasonable amount of time. It would limit the ability of Wikipedia’s editors to modify articles to keep up with current events, something that has been a useful feature. Despite the flaws of the current more permissive system, it might be better for Wikipedia to leave it as it is.

Last night we had a tech talk given by Palantir Technologies, a very promising-looking company that aims to transform the way people work with large data sets by making it easier to discover and visualizing trends and connections in the ever-accumulating mountains of data generated by our modern technological culture. They had a great sales pitch, a fascinating presentation, tons of free swag (hyperbole here, but it was really a lot), and quality free frood from Taco del Mar. And at the end of the evening they planned to raffle off an iPod touch. Not everyone stayed for the whole event, but as it wound down the time for the raffle finally came.

Normally everyone attending a tech talk who is interested in participating in a raffle writes their name on a piece of paper, folds it in half, and places it in a box/hat/whatever. Palantir had all the entries in a black beanie, and built up the suspense before reaching into the hat and pulling out a name. Drat, not me again. I could tell by the size and shape of the paper that some other student was the lucky recipient. But who? The Palantir rep unfolded the paper and read it aloud in stentorian tones: “John Smith!” (That’s not really his name, but that’s not the point of this story. We’ll call him “John Smith.”) I looked around for John, but couldn’t see him. “He’s not here!” I called, joined by several other voices. Maybe I’d have a chance to win this after all! “Not here?” asked the rep. “Well, we’ll just draw again.” He tossed the forfeited entry aside and reached into the hat again. Suspense built as he pulled out a piece of paper, unfolded it, and read aloud once again…. “John Smith!” The atrium was silent for a few seconds. After a moment or two had passed I said “Well, that explains a few things.”

I’d always attributed to luck the fact that some people just seem to win more often in raffles like that. Naively you might expect not to see repeat winners (after all, it has to be spread around, right?), but a little bit of probabilistic reasoning tells you that runs or repeats may be improbable in any specific case but in general are to be expected. Now I suddenly admitted the possibility that while there was something chancey going on here, it wasn’t chance. And why not, right? If you’re having a one-item raffle there’s no reason not to put your name in more than once. No one’s going to go looking through the entries afterwards, and if you win you win. Unless, of course, you’re not there and you win. Twice.

It’s possible that I’ve misunderstood all these years the unwritten rules that these raffle are run by, or perhaps more properly the unwritten rules that these raffles are won by. After all, there are many raffles, sweepstakes, etc. where multiple entries are accepted. But if not, well, that’s a different story.

Obviously no one was hurt here, no bones broken and no innocents harmed (though perhaps some innocence was lost). But these sort of events should be treated seriously. Real things are at stake. I’ll list just some of the things I’ve seen go at tech talk raffles recently:

• iPod touch: at least $229
• Xbox 360: $300 or so
• Adobe Design suites: $… a whole lot
• Integrity? Priceless

I guess in the broader context you’re not stealing anything by stuffing a raffle hat. Not from me anyway. But how far is it from there to stuffing ballot boxes? Bank accounts? Money is all just bits now anyway. A little extra here and there wouldn’t really hurt the economy. Should we be comfortable with this sort of attitude being held by the same people who may write the software that handles your bank account? I don’t think so. A paper-cut is a little thing, once. But this way of thinking, when carried to its natural conclusion, is not just one paper cut. It’s many. And that’s not sustainable.  I used to think that around here we just didn’t have to worry about that sort of thing.

I wish I could have kept thinking it, if just for a little longer.