Text Goes Here

This is my web site. When I have something to say, this is usually where I will say it.

...posted by squirrel

Approval Voting

November 20, 2008 @ 10:40 am

I really wish I could bring more people around to support Approval Voting, especially people like this guy who has such a bully pulpit.

I refer you to the section where he talks about Instant Runoff Voting. The main argument is that Ted Stevens would have won his Senate race in Alaska were it not for the 12,000 votes that went to spoiler candidate Bob Bird. Bird is with the Alaska Independence Party which is even further to the right than the Republican Stevens. Eliminate Bird, the thinking goes, and most of those votes would have gone for Stevens, erasing the few thousand vote margin that cost him the election. It's the same reasoning that says Nader in 2000 pulled away crucial votes from Al Gore that would have tipped Florida in Gore's favor. Or that Perot spoiled the 1992 election for Bush Senior. This is taken to be an inherent shortcoming of the one-person-one-vote plurality voting system most of America uses today.

Which brings us to instant runoff voting, a way to "fix" this shortcoming by automatically eliminating candidates who didn't have enough first-choice votes to win and redirecting those votes to a more viable candidate. In an IRV system you don't just put one mark next to one name, instead voters rank their preferences with a 1, 2, 3, etc.

Anyone see a problem here? Don't we already have enough trouble designing a voting machine that can handle a simple checkbox? Now try to imagine how much worse the problem gets when you have to rank multiple choices instead of just marking a single box. Now add the time needed to explain the new system to everyone, the time taken arguing by voters who made mistakes, and the inevitable litigation about how best to interpret the less-than-perfect ballots.

Don't get me wrong, I would love to see the USA adopt a new voting system. And I agree that if the only measure of quality in an election was how clearly it determined the will of the voters, IRV might have a better case. But you can't ignore the logistical problems of actually managing an election. The potential logistical problems of IRV are vast compared to the elegance of plurality voting. Simplicity is a huge advantage in a system that deals with a hundred million votes and any new system needs to hang on to that advantage as much as possible.

Approval voting is just like the system we use now except that you can vote for as many candidates as you want. The winner is still the person with the most votes overall. You no longer have "spoilers" that pull support away from each other because you can support all of the candidates you like without having to pick the "best". As a bonus, you can also show support for a minor-party candidate without having to worry about "wasting" your vote.

Sometimes I think the advocates of alternative voting just enjoy the mental exercise of designing a neat system. The problem with building a better mousetrap is that most of the world doesn't actually care if your mousetrap is "better" because they're happy with the one they've got. Any new system that hopes to replace a well-entrenched existing system digs itself a deep hole when it tries to change too many things at once.

...posted by squirrel

Pedants-R-Us

July 8, 2008 @ 11:46 am

Life is too short to get upset about bad grammar on the Internet. That said, it really does drive me absolutely batshit loco when I come across language blunders in a so-called "news article". I'm not talking about arcane mistakes like the comma splice, or trivial stuff like mixing up fewer and less. Neither am I a member of the League of Internet Language Assholes who have turned "beg the question" into a holy crusade. I can sympathize with those who freak out about misuse of "literally", but I don't count myself among them.

No, what makes me truly insane are the people who should know better seeking out decorative words and phrases and then getting them wrong.

When I say, "people who should know better," I'm specifically referring to the journalists (I use that term loosely) who write for the estimated 7.5 hojillion blogs, mags, rags, blags and glurps that float among the detritus of the Intertubes. Let me be clear: It's one thing to make mistakes when writing informally, say, when posting on a forum. You won't hear a word about that from me. It's another thing entirely to dignify your ramblings as an "article" or to anoint yourself with the title of "online journalist". It exposes you to certain expectations, the first of which is that you will craft the fucking language correctly.

For example:

To "pore over" something
Definition: pore (v) 1. To read or study carefully and attentively. 2. To gaze intently, stare. 3. To meditate deeply; ponder. The American Heritage® Dictionary of the English Language, Fourth Edition. Houghton Mifflin Company, 2004.
Correct: "He would often pore over the classified ads in search of a new job."
WRONG: "Once Google delivers the terabytes worth of data, you and your minions can pour over it looking for copyrighted content and those who watched it." PCMAG.COM: Viacom Has Gone Too Far, 2008-07-07

A "moot point" or "moot question"
Definition: moot (adj) 1. Subject to debate; arguable. 2a. Law - Without legal significance, through having been previously decided or settled. 2b. Of no practical importance; irrelevant. The American Heritage® Dictionary of the English Language, Fourth Edition. Houghton Mifflin Company, 2004.
Correct: "I told him that the rush-hour traffic would be terrible, but the car wouldn't start, so that made it a moot point."
WRONG: "Changes to those rules are already in progress so that is really a mute point." Rightside Advisors: Hell Is Freezing Over, 2008-06-25
Exception: You can actually gain points here by correctly executing the "moo point" joke: "It's like a cow's opinion. It doesn't matter. It's 'moo'."

To "wale on" something
Definition: wale (v) 1. To raise marks on (the skin), as by whipping. The American Heritage® Dictionary of the English Language, Fourth Edition. Houghton Mifflin Company, 2004.
Correct: "I just want to wale on that guy who stole my car."
WRONG: "I've always maintained that there's no better way to endear a main protagonist to its audience than to have said character wail on a couple of Nazis." IGN: Atomic Robo - TPB Vol. 1 Review, 2008-06-10
Exception: You can get away with using "wail" instead of "wale", but only if you're talking about music or something that makes an actual wailing sound: "Dude, listen to him wail on that guitar solo."
JESUS CHRIST, JUST PLAIN WRONG: "The long-gone Independence Day boxing matches were an opportunity for the bold and inebriated to whale on one another..." Ouray News: 21st Amendment Celebreation, 2008-07-02

Idioms are tricky things. If you use them well, you can sound quirky and cool. If you use them wrong, you're just a dork. Don't be a dork.

...posted by squirrel

Secure Password Schemes 101

April 7, 2008 @ 11:32 am

Matasano Chargen: Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes

I don't know much about cryptographic hash functions, but I do know just enough to understand that storing unsalted MD5-hashed passwords in a user database is a really, deeply bad idea. And yet, smart people who should know better still code very popular web applications that do exactly this. I guess the line of thinking is that your "JoeBlog3000" script that you wrote during spring break won't be used for anything truly important, so even if its password database gets stolen and cracked there's no real harm done. Too bad for me though if I had an account on JoeBlog3000 and my password gets owned. Now the attacker can cruise other systems trying out my password on other accounts that might be mine. This could be moderately inconvenient if I end up losing some message board accounts, or it could be devastating if the owned password happens to be the same one I use to access my bank account. So now I'm forced to remember several different passwords, sorted by how sensitive are the accounts protected by each. That sucks.

I want to write web applications, but I don't want to be part of this problem. So how do I securely store user passwords? The problem is that secure password storage is closely related to cryptography, and cryptography is hard. Really hard. So hard that it is difficult to find information about it that is both reliable and accessible to non-experts. Most of what you'll find in a Google search is well-intentioned but almost totally useless for all the questions it leaves unanswered. Does double-hashing make your passwords significantly more secure? How about triple- or quad-? Does the length of the salt matter? What about doing weird string scrambling tricks on the password before hashing it?

The short answer, from the Matasano Chargen link above, is you should never write your own password system, ever. In hindsight I feel silly for not realizing this after having already absorbed the lessons of "never write your own input validators, ever" and "never write your own database abstraction layer, ever". Basically by 2008 almost any problem you could ever have in web development has already been had by lots of other people, solved by a few very smart people, made available for free, and picked over by hundreds of other smart people. Favoring your own solution over this depth of experience looks like hubris, and it just begs for one clever attacker to exploit a single bug that you alone failed to find.
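
What the unsalted-MD5 problem looks like next to a salted, slow scheme, as an added example that is not part of the original post or the linked Matasano article. The user table is constructed, and Python's standard-library `hashlib.scrypt` with the cost parameters shown is an assumed stand-in for whichever vetted password-hashing library your platform provides.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users who happen to pick the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}

# scrypt cost parameters (assumed values for this example; tune for your hardware).
SCRYPT = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}


def md5_record(password: str) -> str:
    """The weak scheme the post describes: unsalted MD5, shown only for contrast."""
    return hashlib.md5(password.encode()).hexdigest()


def scrypt_record(password: str) -> tuple[bytes, bytes]:
    """Per-user random salt plus a deliberately slow, memory-hard KDF."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return salt, digest


def scrypt_verify(password: str, record: tuple[bytes, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, expected)


def duplicate_groups(table: dict) -> int:
    """Count stored values shared by more than one user (what a thief sees)."""
    values = list(table.values())
    return sum(1 for v in set(values) if values.count(v) > 1)


# Build both versions of the "user database" from the same constructed users.
md5_table = {user: md5_record(pw) for user, pw in USERS.items()}
scrypt_table = {user: scrypt_record(pw) for user, pw in USERS.items()}

if __name__ == "__main__":
    print("unsalted MD5 duplicates:", duplicate_groups(md5_table))
    print("salted scrypt duplicates:", duplicate_groups(scrypt_table))
    print("alice login ok:", scrypt_verify("correct horse", scrypt_table["alice"]))
```

With unsalted MD5 the two rows are identical, so recovering one password recovers both and a precomputed table works against every row at once; with a per-user salt each row has to be attacked separately, at the KDF's full cost per guess.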

...posted by squirrel