For the second day of GoGaRuCo, my fellow Pivots David Stevenson, Zach Brock, and Ryan Dy are helping out with the live-blogging duties (Tom Sawyer says live blogging is SOO FUN!).

We are ALL writing the blog posts collaboratively, using the Coda editor which is based on the SubEthaEngine:

GoGaRuCo '09 - MetaMeta - LiveBlogging the LiveBlogging - Coda/SubEtha

Links

Open Source Digital Voting

Trust The Vote

What OSDV means to me personally

I personally am really excited about this talk. I worked on the OSDV prototype at Pivotal last year, when we made a small prototype in a few weeks. This was subsequently presented to Congress. It was an incredible experience. As a programmer, you write a lot of code which isn't that exciting, counting beans or Yet Another Social Networking Website.

OSDV, however, is something that is REALLY important. It has the potential to revolutionize the way Democracy works, and really change the world for the better.

GoGaRuCo '09 - Matthew Douglass and Gregory Miller - Open Source Digital Voting (OSDV)

Here goes the talk, with Matthew Douglass running the slides and Gregory Miller talking.

Intro Video

First is a video about how democracy used to work, when we trusted the outcome of votes. Now, after the 2000 Presidential Election, people lost confidence.

Now, states are getting funding to update their voting system. However, now that we are past the "Hanging Chad", we are seeing MORE, not fewer problems. The companies that make proprietary digital voting do not make the required investment to make their machines trustworthy, and rely on PC technology and proprietary code.

Shouldn't we be able to say "I count"? We should not expect the Government or Private Sector to fix this. It must be a Grass-roots movement, something big. We need to completely rethink the lifecycle of our ballots.

We have to shift away from companies guarding proprietary, black box voting to a world of "glass-box" voting. Blueprints and designs are freely available.

We need the Open Source Digital Voting Foundation.

It is not just another thinktank or group of lobbyists. It is technology professionals teaming up with volunteers. Everyone can see, touch, and try it out.

This is a digital public works project, calling people from all over the country and world to help out, take a hands-on approach, and do something.

We are the real stakeholders in our Democracy. We can all make our votes count. The time to begin is NOW.

Pop Quiz

Q: Federal guidelines for how votes are counted? A: FALSE

Q: California's absentee ballots always counted? A: FALSE

Q: Major voting vendors' systems rely on commodity Hardware/Software? A: Sort Of. They use "Windows 95".

He then shows "Clippy" helpfully offering to finish your vote for you...

A "Free Markets" Failure

  • No Competition
  • High Barriers to Entry
  • No Incentive to Innovate

Horribly dysfunctional market. There are FOUR vendors of voting systems in the US; there may be two by the end of the year.

Very high barriers to entry, hard to get it approved and legal.

When you have no competition and barriers to entry, there is no incentive to innovate. You end up with closed proprietary systems with inconsistencies and irregularities. There is a natural conflict of interest between shareholder interest and public interest.

Guess who wins every time when shareholder interest meets public interest?

Critical Democracy Infrastructure

The pillar of democracy is transparency, and the substance of the pillar is technology.

"Sunlight is the best disinfectant"

This stuff is so imperative and essential to our Democracy, it needs to be lifted up to the level of a public works project.

Why not the commercial sector? They will do as little as possible, and have a conflict of interest.

Why not the government? Slow, and at risk of losing funding.

Our Solution

GoGaRuCo - OSDV/TrustTheVote

Bringing together two approaches - fault tolerance and high-availability computing, with the dynamics of open source community.

Rather than being a think tank, they have a group of people in Silicon Valley making things that we can see and touch.

Development Process

  • Core team
    • partner with Mozilla Foundation.
  • RFC (Request For Comments) Service
    • Send out requests for comment to community
  • Design Congress
    • A virtual community to help drive requirements, so they know there is a possibility of adoption
  • Federally certified

Public Technology Repository - State and local govt, Fed govt, Commercial Vendors, test suites, dynamic continuous testing, everyone is giddy!

There are two commercial vendors who are deploying under a commercial deployment license, and are being delivered open source solutions based on draft standards that the consortium is building.

Major work areas

  • Digital Voter Registration System
  • Ballot Design Studio
  • Ballot Casting and Counting Systems
  • Election Management Services
  • Operating System Platform

Rails is a major part of their work. They are assembling a great core team.

It has been below the radar, but it will be more public in the future.

Questions

Q: How do we advance or improve the system? A: Yes, look over the horizon at what the future looks like - Instant runoff, etc. However, there is another half of the question. They DON'T want to build the 'perfect' system, and have it be a relic. They have to be driven by real requirements and real adoption. They have to take the EXISTING processes, and make them better. That will get their attention, and drive adoption.

Q: Are the Hardware and Interface designs open source? A: Absolutely everything is open. Everything will be transparent and funneled through the RFC process. The goal is to build an entire software ecosystem that runs against a known, virgin, commodity hardware system. Then they will examine on a device-by-device basis to plug in new parts. "Open Source Hardware" has never been done, but they will try.

Q: What are the obstacles (e.g. politicians)? A: Lots of them, but their position is that they are technologists, making the best solutions. Senator Patrick Leahy said "please don't waste time trying to change systems, make things that people can touch and try".

There are "horrifying" ways the system is designed to preserve incumbency. If this works, it really changes the landscape in a big way.

Q: What percentage of elections are corrupt? A: They have been doing due diligence, and have found "remarkable" inconsistencies, some of which have resulted in criminal elections. We may think that Obama got elected, things are great, but we dodged a bullet. We are 170 days into the congressional session, and no senator from Minnesota is seated. Politicians will no longer be able to hide and say "the box did it".

Q: It seems like a huge complex problem to solve, shouldn't it be bite-sized? A: They thought about componentizing it, but the only way to do it right is to start with a clean slate. Forget incumbency, and legacy. We need open data and open processes. They are partitioning the process to different buckets, and have different teams working on them. They are laying the foundation for a pluggable, XML-based framework. They are going in a procedural fashion, and really focusing on the 2010 election.

Rapid prototyping, Agile Development approaches with Structured Approaches.

HUGE APPLAUSE AND WHISTLES!

Playing With Fire: Running Uploaded Ruby Code in a Sandbox - David Stevenson

Intro

It is still new, but we will get a chance to interact with it live. There will be a competition to see who can compromise the sandbox first.

The prize is a Cupcake, but he has not bought it yet, because he doesn't think anyone will break out.

Rules are you must break out of the sandbox itself, not compromise his box or the OS.

Why allow user code?

Say you want to decide which folder to use for a user's mail. You can write a bunch of complex rules, or you could allow your users to upload code to do it.

He makes a reference to the Neal Stephenson book about the Metaverse, where everyone uploads code.

Second Life also has a C-like metalanguage which allows players to create their own code and three-dimensional objects. In this type of game, the sky is the limit.

Google's AppEngine is another example. Users can write their own code and run it in a sandbox, but Google handles all the scalability and hidden bits.

Why not allow user code?

Dangerous operations: Code could have errors, or not finish. Someone will upload an infinite loop almost immediately, so you need to deal with it.

Knowledge: Are users programmers? Maybe they don't want to learn a language, even one as easy and nice as Ruby.

API Manipulation: Maybe there are ways that users could manipulate your API in ways you have not even thought of yet...

What is a sandbox

  • Limited functionality
  • Can't break out
  • Separate code space
    • There need to be separate code spaces - the user's space is the "Jungle"
  • Bounded execution time

Implementations

Freaky-freaky sandbox gem (MRI ruby): By why the lucky stiff with some contributions from David, written in C. It is a big hack, a bit of a disaster, but it works. We'll get to play with it.

JavaSand gem (JRuby): Same API as Freaky-freaky, but not as much of a hack. JRuby provides more hooks into the internals, so you can do some of the same things that Freaky-freaky does, but without as much hackery and violation of internals.

Rubinius in the future? - Sub-virtual-machines could be used to create a sandbox, maybe even 20 lines of Rubinius. The C implementation is about 2000 lines.

Let's try it out

Expression Evaluator: 2+2 -> 4, etc.

He is creating the rails application from scratch, hopefully the bandwidth holds up. He's not using Sinatra, because he doesn't know how to get something scaffolded fast enough in the time constraints of a presentation.

Some dangerous things are NOT accessible in the sandbox, such as File and Kernel.

# The unit test:
require 'test_helper'
require 'redgreen'

class ExprTest < ActiveSupport::TestCase
  test "two plus two equals four" do
    assert_equal 4, Expr.new(:expr => "2 + 2").value
  end
end

# The model:
class Expr < ActiveRecord::Base
  # Evaluate the user-supplied expression inside the sandbox, never with plain eval
  def value
    Sandbox.safe.eval(expr)
  end
end

He then goes on to implement exception handling (test driven, of course), and also implements code to prevent infinite loops with a timeout.
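As an added example (not David's code and not the sandbox gem), here is that Expr#value layer with the exception handling and timeout he adds, written so it runs stand-alone: the sandbox is replaced by an assumed allow-list arithmetic parser (ArithEvaluator, a stand-in for Sandbox.safe.eval), and the error strings mirror the "Sandbox::Exception: SyntaxError" output shown later for the backtick attempt.

```ruby
require 'timeout'

# Stand-in for Sandbox.safe.eval (an assumption, not the sandbox gem): an allow-list
# parser that accepts only integer arithmetic, so `ls`, File.new or while true; end
# are rejected as SyntaxError before anything runs.
class ArithEvaluator
  TOKEN = /\s*(\d+|[-+*\/()])/

  def call(src)
    @toks = src.scan(TOKEN).flatten
    # every non-blank character must have been tokenised, else reject the input
    raise SyntaxError, "only integer arithmetic is allowed" unless @toks.join == src.gsub(/\s/, '')
    v = expr
    raise SyntaxError, "trailing #{@toks.first.inspect}" unless @toks.empty?
    v
  end

  def expr; binop(%w[+ -]) { term }   end   # expr := term (('+'|'-') term)*
  def term; binop(%w[* /]) { factor } end   # term := factor (('*'|'/') factor)*

  def binop(ops)
    v = yield
    while ops.include?(@toks.first)
      v = v.public_send(@toks.shift, yield)  # "1/0" raises ZeroDivisionError here
    end
    v
  end

  def factor                                 # factor := INT | '(' expr ')'
    t = @toks.shift
    return t.to_i if t.to_s.match?(/\A\d+\z/)
    raise SyntaxError, "unexpected #{t.inspect}" unless t == '('
    v = expr
    raise SyntaxError, "expected )" unless @toks.shift == ')'
    v
  end
end

# The Expr#value layer from the talk, generalised over the evaluator: the caller
# always gets a value or an error string, never a raised exception or a hang.
class ExprRunner
  def initialize(evaluator, limit: 0.5)
    @evaluator, @limit = evaluator, limit
  end

  def value(src)
    Timeout.timeout(@limit) { @evaluator.call(src) }
  rescue Timeout::Error                        # a StandardError, so rescue it first
    "#<Timeout: exceeded #{@limit}s>"
  rescue StandardError, ScriptError => e       # ScriptError covers SyntaxError
    "#<#{e.class}: #{e.message}>"
  end
end
```

Ruby's Timeout can only interrupt code the interpreter can preempt, so a loop inside a C extension may not stop; treat it as one layer of the bounded-execution-time requirement, not the whole of it.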

He then wraps up the coding of the initial app, and he is exposing it to the audience. He has to do the standard rails stuff to make a new app work, delete index.html, set up routes, etc.

http://expr.sandbox.flouri.sh

Now, the fun begins. Here's some examples that are showing up within a minute:

  open testfile
  return
  `ls`
  context.freeze
  Dir.entries('.')
  while true; end
  `ls`
  self.instance_eval{while true; end}
  1/0
  `rm -rf ./'
  arr = ['a'] * 0xFFFFFFFFFFFFFFFFFFFFF
  ObjectSpace.count_objects
  p=lambda { 'yo' }; p.call
  `sudo reboot`
  a = 2; a+3
  4*4
  %x[tail log/production.log]
  File.new
  $*
  "HELLO GOGARUCO. YOUR ZIPPER IS DOWN. YES YOU. YEAH, ON THE RIGHT"
  while true; puts 'are we there yet'; end

David is now discussing the restricted set of objects in the sandbox. The problem is that real code needs to reference things like Net::HTTP, which is not in the sandbox's restricted (allowed) set of objects.

The solution is to reference some classes into the sandbox, and copy others. It runs the unsafe things "outside" of the sandbox, but users still cannot access these restricted classes.

Gem Support

  • acts_as_wrapped_class
  • acts_as_runnable_code
    • Set up the sandbox easily with referenced classes
    • Pass in top level binding and execute code

A Game! Hangman

http://hangman.sandbox.flouri.sh/

# API methods
def word
def guesses
def guess!(char)
def all_words

There is a cron job. Every minute, all the algorithms run, and everyone can make a guess.

Reviewing the attempts to break out of the sandbox

Sorry, no backtick:

  Expr:  `rm -rf ./`
  Value: "#Sandbox::Exception: SyntaxError: (eval):3:in `_eval': compile error\n(eval):3: unterminated string meets end of file"

He then asks if anyone has broken out of the sandbox. NO hands go up. Win! Everyone claps. Great preso!