January 2006 Archives

Congressional staffers have been caught changing representatives entries in Wikipedia:

The latest episode appeared last week in the form of a report that aides to Rep. Marty Meehan, a Massachusetts Democrat, deleted references to his broken term-limits pledge and massive campaign war chest on Wikipedia.

Then the trusty editors at Wikipedia got together and compiled a list of over 1,000 edits made by Internet addresses allocated to the U.S. Senate and House of Representatives. The IP address subsequently was blocked and unblocked.

Obviously, the initial impression one has is that Wikipedia is extremely vulnerable to this kind of attack. On the other hand, it's pretty clear that they managed to contain the damage quite quickly. True, this was only possible because the staffers did such an incompetent job of covering their tracks, but after all that's the kind of attack you mostly expect. There's a story beneath this, though: it's a sign of how important Wikipedia has become that the staffers feel the need to go around altering entries. I just wish they cared enough to complain about stuff I write on EG...

Here are some slides that I've been working on as an introduction to Distributed Hash Tables (DHTs) and DHT security. In case you care.

Note: none of this is my original work. It's just a summary of other people's work. In a future edition I hope to do a better job of identifying the papers I'm referencing.

EFF reports more action on the Broadcast Flag front. The broadcast flag, if you don't know, is control information attached to audio or video that tells compliant devices whether it can save, copy, etc. Such devices will of course be forbidden from exporting protected content in non-protected form or sending it to non-compliant devices. So, for instance, your HDTV tuner wouldn't be able to send decoded copies of broadcast-flagged data to a general purpose computer for processing. Think of it as a roach motel for data.

It's obvious why the broadcasters want this: they want to extract monopoly rents by selling off each individual use of their content rather than giving people the kind of blanket capability that they have now. Consider a TV show that you've taped off the air: you can make as many copies as you want, send them to your friend, whatever. The networks would clearly prefer to charge you for each viewing and definitely don't want you making long-term copies and giving them to friends. Ignore for the moment the question of whether this sort of price discrimination is a valuable thing. Ask instead why this means you need the broadcast flag.

There are two big problems with the broadcast flag as specified: First, it's not very secure. Consider the security properties of the broadcast flag system. It creates a closed environment of machines all of which supposedly enforce correct security policies. As long as none of the machines are compromised, then this all works fine. But consider what happens if a single machine--or more likely class of machines--is compromised. Anyone who owns one of those machines can export any content he receives in plaintext form. Allan Schiffman used to call this type of system a "distributed single point of failure" (he was talking about thinnet).

Of course, you don't need to have a compromised device in order to bring about this scenario: it's fairly easy to build an HDTV-capable device that doesn't respect the broadcast flag. Indeed, that's the situation with the HDTV-tuners you buy today. So, if pirates (for instance) want to record HDTV signals off the airwaves and then burn them to DVD, they won't have any problem doing it. The only people who are going to be seriously inconvenienced here are consumers.

This brings us to the second big problem: the broadcast flag is horribly inconvenient for consumers. This inconvenience comes in three flavors. The first is intentional: all sorts of things you'd want to do with the content--and that you can currently do--such as time-shifting, space-shifting, etc. will be prohibited by the broadcast flag. That's the point, after all. The second two inconveniences are collateral damage. It gets much harder to write generic content (image/audio/video) processing applications because they need to keep the content from being exported. This brings us into the whole Trusted Computing mess.

Finally, because the content is actually being transmitted in the clear, in order for the system to work it needs to be illegal to make non-broadcast-flag decoders. This is essentially fatal to software-defined radio type systems unless they themselves run on trusted computers, which means that you won't be able to make SDRs that run on Open Source operating systems. This doesn't sound like a big deal right not, but it precludes a lot of really cool applications of SDR that are likely to be around the corner as processors get faster.

Consider the following alternative design:

1. The networks broadcast their traffic in encrypted form along with signed access control restrictions.
2. The encryption keys are restricted to devices which obey the access control restrictions on content.
3. Compliant devices never export plaintext but rather re- export ciphertext to any device. They can also re-encrypt to other compliant devices, for instance if they transform the data before export.

From the perspective of both security and convenience, this design dominates the broadcast flag. It's more secure because a generic RF-receiver can't receive the content. You actually need the keying material. This means you need to compromise a legitimate unit, which puts at least a modest barrier in the way of piracy. I don't want to overstate the case here: this kind of technology is used for pay satellite television and it gets broken pretty regularly, but the networks have managed to impose pretty substantial costs on the pirates and do a pretty good job of protecting their revenue stream.

A cryptography-based design is superior from a convenience perspective as well, since it means that there's no need to impose legal restrictions on receiving technology. The networks can simply impose restrictions on receivers that can decode their signals--just like the situation with DVDs. Now, it's certainly true that this may end up with everyone having a "secure content"-enabled unit, but maybe not. And in any case it wouldn't get in the way of people developing new, cool applications on spectrum not dominated by the radio and TV networks. And of course it's possible--though not guaranteed--that there would be enough content broadcast without restrictions that you could make a good business selling products that just didn't play secure content.

It's obvious why the networks don't want to go this route, of course. It's a pain in the ass to manage this kind of cryptographic infrastructure and it's certainly much easier to just have the FCC impose the costs on consumers. However, seeing as the entire purpose of this scheme is increased revenue extraction, it's hard to see why consumers should be legally required to bear the costs when a workable alternative exists.

So, say you're in charge of a small Middle Eastern country and one of your neighbors starts shelling across across the border, openly sponsoring agents infiltrating across the border, etc. What's appropriate behavior here? After all, this is basically an act of war, and standard practice would be to retaliate, probably at least by bombing government installations and quite possibly civilian ones as well. After all, that's what you do in a war.

The reason I ask is that this is exactly how Hamas has historically behaved. When Fatah ran Palestine, they could--and did--argue that they couldn't control Hamas so Israel had to give them some space. However, if the bombings and shellings continue, there's not really much room for plausible deniability here, nor, it would seem, for outrage if/when Israel retaliates.

The District Court9th Circuit has ruled against John Gilmore in Gilmore v. Gonzales. I can't say I'm too surprised.

UPDATE Correction due to BobK.

Right now the beginning of this Wikipedia article on beavers (screen shot here) reads:

Beavers explosively attack people with their menacing teeth. They are the most deadly animals alive.

Who says you can't trust Wikipedia?

From BBC:

The survey was conducted by Ipsos MORI for the BBC's Horizon series.

Its latest programme, A War on Science, looks into the attempt to introduce intelligent design into science classes in the US.

Over 2000 participants took part in the survey, and were asked what best described their view of the origin and development of life:

• 22% chose creationism
• 17% opted for intelligent design
• 48% selected evolution theory

and the rest did not know.

Intelligent design is the concept that certain features of living things are so complex that their existence is better explained by an "intelligent process" than natural selection.

Andrew Cohen, editor of Horizon, commented: "I think that this poll represents our first introduction to the British public's views on this issue.

"Most people would have expected the public to go for evolution theory, but it seems there are lots of people who appear to believe in an alternative theory for life's origins."

When given a choice of three theories, people were asked which ones they would like to see taught in science lessons in British schools:

• 44% said creationism should be included
• 41% intelligent design
• 69% wanted evolution as part of the science curriculum.

Participants over 55 were less likely to choose evolution over other groups.

Outstanding!

The Times has an interesting reports that obesity levels in France are rising. What's interesting here is the claim that eating habits are changing dramatically:

There has also been a breakdown in the classical French tradition of mealtime as a family ritual so disciplined and honored that opening the refrigerator between meals for a child was a crime worthy of punishment. A side effect is a blame-the-mom syndrome, as fewer mothers have time to shop at markets every day or two for fresh foods and instead put more prepared dishes on the table.

Findus, the frozen food giant best known for its breaded, frozen fish filets, filmed French people eating over a period of time and was shocked by the results.

Contrary to the myth that the French spend hours sitting around the table savoring small portions of several courses, the films showed them eating in front of their television sets, while on the telephone and even alone. In fact, the average French meal, which 25 years ago lasted 88 minutes, is just 38 minutes today.

and Japanese obesity levels--to cite another example of a famously thin people--though low, are also way up. If French eating habits are really changing this much--then this suggests that the impact of technology and changing lifestyles is extremely strong and that the sort of broad lifestyle change that anti-obesity activists want to effect may be ultimately infeasible.

The hotel information for IETF 65 in Dallas is out. IETF hotels have a tendency to fill up real fast so if you're planning on attending now is a good time to make your reservation.

The Times reports that although restrictions on pseudoephedrine sales have cut down on availability of home-cooked methamphetamine, the void is being more than filled by imported Mexican meth of substantially higher purity:

In a survey of treatment professionals, 92 percent said they had seen as many or more methamphetamine addicts; the state treated 6,000 in 2005 and expects to treat more than 7,000 this year, based on current trends. Some health officials said abuse among women, typically the biggest users of methamphetamine, was rising particularly fast.

While seizures of powdered methamphetamine declined to 4,572 in 2005 from 6,488 in 2001, seizures of crystal methamphetamine increased, to 2,025 from one.

Federal drug agents tend to describe ice as methamphetamine that is at least 90 percent pure. Officials here say much of their crystal methamphetamine is less pure - "dirty ice," they call it. But either is far more potent than homemade powdered methamphetamine; a "good cook" yields a drug that is about 42 percent pure, but around 25 percent is more common. And in the first four months after the law took effect here, average purity went to 80 percent from 47 percent.

Next time I get a cold, maybe I can synthesize some sudafed from meth.

So, imagine that (1) Intelligent Design is right (ok, stop laughing) and that (2) we had some sort of machine where we could watch the entire history of the world. What would the historical record look like? If you're a young earth creationist, there's nothing confusing. 6000 years ago or so Adam and Eve just pop into existence. But many of the ID types accept the generally understood biological timeline (or at least claim to in public), so the situation is a bit more confusing.

In the ID "irreducible complexity" narrative, there are some features that are too complicated to evolve. So, here's my question. At some time T, there are no animals with feature F. At time T+1, there is (at least one) animal which has that feature. So, how did that animal get there? Did the unnamed Designer do some pre-historic gene therapy on an existing animal or did it just, you know, pop into existence? Just asking.

Transparent network taps like those made by NetOptics and VSS are a standard method for doing network monitoring. Unfortunately, when combined with an unhelpful operating system/NIC combination, they can produce some problematic artifacts. Here's a TCP trace from our testbed. I've replaced the IP addresses with and ports with C: for client and S: for server so it will fit on the page.

1 C: S 4198748444:4198748444(0) win 65535 <mss 1460,nop,nop,sackOK,nop,wscale 1,nop,nop,timestamp 1416746 0>
2 S: S 1678625628:1678625628(0) ack 4198748445 win 5792 <mss 1460,sackOK,timestamp 13870629 1416746,nop,wscale 2>
3 C: . ack 1 win 33304 <nop,nop,timestamp 1416746 13870629>
4 C: P 1:83(82) ack 1 win 33304 <nop,nop,timestamp 1416746 13870629>
5 S: . ack 83 win 1448 <nop,nop,timestamp 13870630 1416746>
6 S: P 1:123(122) ack 83 win 1448 <nop,nop,timestamp 13870630 1416746>
7 C: P 83:126(43) ack 123 win 33304 <nop,nop,timestamp 1416746 13870630>
8 S: . ack 126 win 1448 <nop,nop,timestamp 13870671 1416746>
9 S: . ack 223 win 1448 <nop,nop,timestamp 13870671 1416750>
10 S: . 123:1571(1448) ack 223 win 1448 <nop,nop,timestamp 13870672 1416750>
11 S: . 1571:3019(1448) ack 223 win 1448 <nop,nop,timestamp 13870672 1416750>
12 S: . 3019:4467(1448) ack 223 win 1448 <nop,nop,timestamp 13870672 1416750>
13 C: P 126:223(97) ack 123 win 33304 <nop,nop,timestamp 1416750 13870671>


What you need to note here is that packets 9-12 from the server contain ACKs for byte 223 from the client. But that byte hasn't been seen on the wire yet. It's not seen until packet 13, which, as you can see, contains an ACK for byte 123 from the server, which was delivered back in packet 6. This is a clear causality violation because an ACK for a packet can't precede the packet it's ACKing. The problem here is that the tap (a NetOptics 96298) delivers the data on two different interfaces, one for the client to server direction and one for the server to client direction (this lets you tap full duplex GigE). Either the tap or the host computer (we suspect the host computer and/or NICs) is buffering packet 13 until after its already delivered packets 9-12, so the application gets them in the wrong order. Note that this problem is especially bad in testbed type situations because the host computers and the network between them is so fast that actual data packets can get easily reordered.

The naive thing to do here is to ignore this problem and just deliver the data whenever you get it. This is good enough for simple processing but doesn't get the job done if you're really trying to process the connection. In this case, it leads to the HTTP request preceding the HTTP response, which isn't really acceptable. The right thing to do is to reorder (or rather de-reorder) the packets. If you assume that A must precede ACK(A) then you can hold any packet with ACK(A) (and all TCP packets contain ACKs) until A arrives. This requires a bit more buffering but does mostly work. The bad news is that the logic for doing this is fairly hairy (especially when you consider that TCP stacks are already quite hairy).

The other two alternatives are to use a spanning port (only works well with fairly expensive switches and requires reconfiguration) or to get a tap that only delivers on a single interface and so should be order preserving. We just got one of these. Word from the tech who delivered it is that it is order-preserving, but but we don't have it working at all yet, so I can't report on that.

UPDATE: I should mention that you don't actually need things to arrive strictly in order, as long as the timestamps on the packets represent their actual arrival time. You can buffer and sort. Unfortunately, our timestamps aren't lining up either.

At this point it seems fairly likely that Iran is going to have nuclear weapons some time in the next 5-10 years. The advantages of being a nuclear state in terms of prestige and deterrence are simply undeniable, and unless the US is willing to go to war--or at least tacitly support the Israelis doing so--there's not much we can do to stop it. On the other hand, that doesn't mean that we can't arrange for Iran to have nuclear weapons on terms more favorable to us.

There are two major ways that Iran could use nuclear weapons:

1. Directly attack us our our allies (either pre-emptively or as a response).
2. Sell/give/loan them to terrorists who would attack us covertly.

To a great degree, the direct approach is foreclosed by our own nuclear deterrent. Yes, yes, I know that Ahmadinejad is waiting for the 12th Imam, but one would still expect the prospect of a full-scale retaliatory strike on Tehran to provide some deterrent effect. More likely he'll use nukes the way the DPRK is now, as a lever with which to extract concessions from the West. So, the real concern with Iran (as with the DPRK, incidentally) is that they'll sell/give/loan them to terrorists. If someone uses a boat to smuggle a nuke into Baltimore harbor, it's not clear who we're going to retaliate against. I imagine the US has some technology for characterizing the origin of nuclear weapons, but it's probably not perfect, especially with plutonium-based weapons, which can be made essentially chemically pure. You can't go around mounting a retaliatory strike against every nuclear power with weak command and control systems.

So, my half-baked idea is to sell (well, give) Iran nuclear weapons of our own construction that are specifically tagged it means that we have one less source of nuclear attack to worry about. It's to Iran's benefit because they don't have to worry about misplaced retaliation. Also, they get nukes more or less now without having to spend a lot of money on infrastructure. And they still have a perfectly usable deterrent--it's just not usable for a covert first strike. Students of economics will recognize this approach as a form of credible commitment.

There are some obvious practical problems here, but I know how to overcome at least some of them. For instance, the Iranians can prove to themselves that some of the weapons work via the usual cut-and-choose technique (pointed out by Kevin Dick). We'd obviously have to ensure that the Iranians didn't take our weapons and remove the tagging, but it shouldn't be that hard to make it very expensive to separate the tag from the fissile material, e.g., by using uranium bombs with a specific isotope ratio, plus an advanced design (to minimize the amount of fissile material) with specific fallout characteristics. The weapons could also be periodically inspected for integrity.

Today's NYT contains an article questioning the value of the NSA's post-9/11 wiretaps. It's mostly a bunch of un-sourced quotes from people at FBI who clearly resented getting context-free tips from NSA:

F.B.I. field agents, who were not told of the domestic surveillance programs, complained that they often were given no information about why names or numbers had come under suspicion. A former senior prosecutor who was familiar with the eavesdropping programs said intelligence officials turning over the tips "would always say that we had information whose source we can't share, but it indicates that this person has been communicating with a suspected Qaeda operative." He said, "I would always wonder, what does 'suspected' mean?"

"The information was so thin," he said, "and the connections were so remote, that they never led to anything, and I never heard any follow-up."

...

In response to the F.B.I. complaints, the N.S.A. eventually began ranking its tips on a three-point scale, with 3 being the highest priority and 1 the lowest, the officials said. Some tips were considered so hot that they were carried by hand to top F.B.I. officials. But in bureau field offices, the N.S.A. material continued to be viewed as unproductive, prompting agents to joke that a new bunch of tips meant more "calls to Pizza Hut," one official, who supervised field agents, said

...

Aside from the director, F.B.I. officials did not question the legal status of the tips, assuming that N.S.A. lawyers had approved. They were more concerned about the quality and quantity of the material, which produced "mountains of paperwork" often more like raw data than conventional investigative leads.

"It affected the F.B.I. in the sense that they had to devote so many resources to tracking every single one of these leads, and, in my experience, they were all dry leads," the former senior prosecutor said. "A trained investigator never would have devoted the resources to take those leads to the next level, but after 9/11, you had to."

Very high levels of false positives are of course what you would expect from the kind of program that it sounds like NSA was running. And it's not clear that just because the agents on the ground feel frustrated that it's not worth doing. The key question, of course, is what an acceptable overall level of efficiency is. Unfortunately, it's hard to have this discussion without any good data on how effective the whole thing is. To whit:

By the administration's account, the N.S.A. eavesdropping helped lead investigators to Iyman Faris, an Ohio truck driver and friend of Khalid Shaikh Mohammed, who is believed to be the mastermind of the Sept. 11 attacks. Mr. Faris spoke of toppling the Brooklyn Bridge by taking a torch to its suspension cables, but concluded that it would not work. He is now serving a 20-year sentence in a federal prison.

But as in the London fertilizer bomb case, some officials with direct knowledge of the Faris case dispute that the N.S.A. information played a significant role.

By contrast, different officials agree that the N.S.A.'s domestic operations played a role in the arrest of an imam and another man in Albany in August 2004 as part of an F.B.I. counterterrorism sting investigation. The men, Yassin Aref, 35, and Mohammed Hossain, 49, are awaiting trial on charges that they attempted to engineer the sale of missile launchers to an F.B.I. undercover informant.

In addition, government officials said the N.S.A. eavesdropping program might have assisted in the investigations of people with suspected Qaeda ties in Portland and Minneapolis. In the Minneapolis case, charges of supporting terrorism were filed in 2004 against Mohammed Abdullah Warsame, a Canadian citizen. Six people in the Portland case were convicted of crimes that included money laundering and conspiracy to wage war against the United States.

If this is all they got, then the ROI doesn't look very good. On the other hand, maybe it's just the tip of the iceberg. The problem is that we don't have hard data either way and organizations are really bad at judging the effectiveness of their own processes. Clearly we're badly in need of having some mechanism for making these evaluations without revealing a lot of classified (even if misclassified) information to the public. Any suggestions?

Mark Kleiman doesn't like Alito's claim that the president can violate unconstitutional statutes.

If the President can violate a statute, secretly, any time he deems in his sole discretion that the statute contravenes some "inherent power" of the Presidency, then his powers are limited only by his will (and his political judgment about what he can get away with) not by the law.

Of course "the Constitution trumps a statute." And the Constitution gives to the Congress, not the President, the authority "To make rules for the government and regulation of the land and naval forces." So if spying is an incident of warfare -- which seems reasonable -- then regulating how that spying takes place is squarely within the Constitutional ambit of the Congress.

Now that Judge Alito has finally come out of the closet as a royalist, the Senate Democrats have two choices: (1) filibuster to prevent his confirmation or (2) admit that their huffing and puffing about warrantless wiretapping wasn't really serious in the first place.

I think it's a little trickier than that. Consider what Alito said (copied from Kleiman's post so no link):

If Congress has "explicit authority under the Constitution to pass a law, and we pass that law, is the president bound by that law or does his plenary authority supersede that law?" Feinstein asked Alito.

"The president, like everybody else, is bound by statutes that are enacted by Congress," Alito said.

But he said a president could violate a statute "if statutes are unconstitutional because the Constitution takes precedence over a statute."

The first thing to note here is that Alito's answer here is evasive, since Feinstein clearly asked about cases where Congress has clear authority under the Constitution and Alito answered the question about where the statute violated the Constitution. Come to think of it, a lot of Alito's answers were like that.

But I think there's an interesting question hiding here. Say that Congress passes a law that's clearly unconstitutional, for instance a requirement forbidding Muslims from serving in public office (in clear violation of Article 6.). Say further that it was done over the President's veto. What should the President do?

Logically, it seems to me that the President can do one of three things:

1. Obey the law.
2. Challenge it in the courts as unconstitutional (it sounds crazy for the government to be suing itself, but see here)
3. Simply violate it (e.g., by hiring a Muslim).

It seems to me that (1) is clearly problematic, since that means abiding by an unconstitutional law. That leaves us with (2) and (3), but I'm not convinced that (3), simply violating it, is the wrong answer here. It can take years to wind through the courts and in the meantime there's an unconstitutional law on the books. Is this consistent with the President's oath to "preserve, protect and defend the Constitution of the United States"? (As an aside, note that the President's primary duty is to defend the Constitution, not the country).

Of course, if the President does indeed violate the law, then what? Remember that unlike a private citizen the President cannot be directly tried for any crime. Congress impeaches? That seems fairly problematic as well since it means that there's no way to resolve questions about the constitutionality without risking a total government meltdown. An alternative would be to prosecute the specific executive branch agents who violate the law, but who would file those charges, since the DOJ works for the president? So, this alternative seems a bit problematic.

Obviously, even if you believe that the president should violate laws that are unconstitutional, the current case should be troubling because it was done in secret, thus rendering even the above (admittedly problematic) process nearly impossible. On the other hand, consider the alternative: if you accept the argument that the methods that the Administration wanted to use needed to be secret for national security reasons rather than political cover reasons, then there should be some way to settle the constitutional question in secret. Are the FISA courts set up to make this kind of constitutional determination in secret? Who would make the opposing argument?

We're so used to our 1-1 sex ratio, that it's actually easy to forget that it's sort of counterintuitive. After all, any given male can impregnate many different females, so from a sort of top-down efficiency perspective, it would be a lot more efficient to have a small number of males with big harems. But, of course, evolution isn't a matter of top down planning. Here's Dawkins's explanation from The Selfish Gene:

In mammals, sex is determined genetically as follows. All eggs are capable of developing into either a male or a female. It is the sperms that carry the sex-determining chromosomes. Half the sperms produced by a man are female-producing, or X-sperms, and half are male-producing, or Y-sperms. The two sorts of sperms look alike. They differ with respect to one chromosome only. A gene for making a father have nothing but daughters could achieve its object by making him manufacture nothing but X-sperms. A gene for making a mother have nothing but daughters could work by makin her secrete a selective spermicide, or by making her abort male embryos. What we seek is something equivalent to an evolutionary stable strategy (ESS) although here, even more than in the chapter on aggression, strategy is just a figure of speech. An individual cannot literally choose the sex of his children. But genes for tending to have children of one sex or the other are possible. If we suppose that such genes, favouring unequal sex ratios exists, are any of them likely to become more numerous in the gene pool than their rival alleles, which favor an equal sex ratio?

Suppose that in the elephant seals mentioned above, a mutant gene arose that tended to make parents have mostly daughters. Since there is no shortage of males in the population, the daughters would have no trouble finding mates, and the daughter-manufacturing gene could spread. The sex ratio in the population might then start to shift towards a surplus of females. From the point of view of the good of the species, this would be all right, because just a few males are quite capable of providing all the sperms needed for even a huge surplus of females, as we have seen. Superficially, therefore, we might expect the daughter-producing gene to go on spreading until the sex ratio was so unbalanced that the few remaining males, working flat out, could just manage. But now, think what an enormous genetic advantage is enjoyed by those few parents who have sons. Anyone who invests in a son has a very good chance of being the grandparent of hundreds of selas. Those who are producing nothing but daughters are assured of a safe few grandchildren but this is nothing compared to the glorious genetic possibilities that open up before anyone specializing in sons. Therefore, genes for producing sons will tend to become more numerous and hte pendulum will swing back.

For simplicity, I have talked in terms of a pendulum swing. In practice, the pendulum would never have been allowed to swing that far in the direction of female domination, because the pressure to have sons would have started to push it back as soon as the sex ratio became unequal. The strategy of producing equal numbers of sons and daughters is an evolutionarily stable strategy, in the sense that any gene departing from it makes a net loss.

The result, then, is that we get an even sex ratio. This applies even in massively polygamous situations where the result (as in seals) is that a few males have a big harem whereas the rest get nothing at all.

The Lancet has a new article (unfortunately blocked by pay wall so I'm working from the summaries) about the question of missing women in India:

Researchers based in Canada and India looked through data from a national survey, conducted among 1.1 million households in 1998, and at information about 133,738 births that took place in 1997.

They found that in cases where the preceding child was a girl, the gender ratio for a second birth was just 759 girls to 1,000 boys.

And when the two previous children were girls, this ratio fell even further, to 719 girls to 1,000 boys.

On the other hand, when the preceding child or children were male, the gender ratio among successive births was about the same.

Based on the natural sex ratio in other countries, around 13.6-13.8 million girls should have been born in India in 1997 -- but the actual number was 13.1 million.

The implication, of course, is that women are using ultrasound for sex determination followed by selective abortion. This data is pretty suggestive, particularly as the effect seems to get stronger after two previous female children, which is the opposite of what you would expect if biased birth ratios were the result of some systematic bias in the women's physiology, like, say Emily Oster's hepatitis theory. The other piece of suggestive evidence is the fact that the effect is stronger from educated women, who presumably have more access to ultrasound and abortions.

Over in the comments, Barry Leiba complains about Patrick Leahy's windbaggery:

And consider Senator Leahy, who appeared on NPR in this segment on Wednesday, in which Robert Siegel spoke with him and Senator Sessions. In case you don't feel like listening to it, allow me to summarize:

NPR: Senator Leahy, what do you think of Judge Alito's stand on the limits of presidential authority?
Leahy: The president can't pick and choose which laws he abides by and which he does not.
NPR: On another question, has Judge Alito satisfied you with his answer about Roe vs Wade?
Leahy: The president can't pick and choose which laws he abides by and which he does not.
NPR: Is it important to you what Judge Alito says about his membership in the Princeton alumni organization?
Leahy: The president can't pick and choose which laws he abides by and which he does not.
NPR: And, Senator Leahy, what about the "torture memo"?
Leahy: The president can't pick and choose which laws he abides by and which he does not.
NPR: It seems that you've asked Judge Alito all your questions; what's the point of another round of questions?
Leahy: The president can't pick and choose which laws he abides by and which he does not, and I'll keep asking the question until I get an answer.

Would that NPR had kept asking their questions until they got answers. Anyway, it's very clear, here, that Senator Leahy was there to get as much air time for his one point as he possibly could. Looks pretty wind-baggy to me, I'm afraid.

Far be it from me to say that Leahy isn't a windbag, but in this particular case, it seems like this is intended less to serve his own purposes--which would probably be better served by actually bloviating for a while about his own political views--than those of the party. I.e., it's a case of message discipline rather than simple windbaggery.

As I noted previously, the reason that employers don't tightly monitor performance of (say) software engineers isn't because the software companies are somehow nicer but because there aren't any good metrics because we haven't figured out how to systematize programming to the extent that we can systematize (say) machining. Imagine if things were different:

Having got that out of the way, she dives into work. She is an applications programmer for the Feds. In the old days, she would have written computer programs for a living. Nowadays she writes fragments of computer programs. These programs are designed by Marietta and Marietta's superiors in massive week-long meetings on the top floor. Once they get the design down, they start breaking up the problem into tinier and tinier segments, assigning them to group managers, who break them down even more and feed little bits of work to the individual programmers. In order to keep the work done by the individual coders from colliding, it all has to be done according to a set of rules even bigger and more fluid than the Government procedure manual.

So the first thing Y.T.'s mother does, having read the new subchapter on bathroom tissue pools, is to sign on to a subsystem of the main computer system that handles the particular programming project she's working on. She doesn't know what the project is--that's classified--or what it's called. It's just her project. She shares it with a few hundred other programmers, she's not sure exactly who. And every day when she signs on to it, there's a stack of memos waiting for her, containing new regulations and changes to the rules that they all have to follow when writing code for the project. These regulations make the business with the bathroom tissue seem as simple and elegant as the Ten Commandments.

So, she spends until about eleven A.M. reading, rereading, and understanding the new changes in the Project. There are many of these, because this is a Monday morning and Marietta and her higher-ups spent the whole weekend closeted on the top floor, having a cat fight about this Project, changing everything.

Then she starts going back over all the code she has previously written for the Project and making a list of all the stuff that will have to be rewritten in order to make it compatible with the new specifications. Basically, she's going to have to rewrite all of her material from the ground up. For the third time in as many months.

But hey, it's a job.

The major reason that things aren't that way isn't this way isn't that programmers are cool and creative--though of course they can be--but because we haven't figured out how to turn programming into a job that can be done by drones. If you're a programmer, you should be giving thanks for the sorry, disorganized state of software "engineering".

Guido Appenzeller pointed me to Harrah's plan to RFID tag their employees:

In what it refers to as a "pilot program," the casino is using the Radio Frequency Identification (RFID) tags, which send out signals that are tracked through readers installed at various locations. Harrah's has placed the readers on tables and bars in the beverage and gaming areas to determine how long it takes cocktail waitresses to serve customers, Harrah's Entertainment Chief Information Officer Tim Stanley said. "It just looks at the cycle time between service," he explained.

"We are taking some of that technology and attaching it to the beverage servers on the casino floor," Stanley added. "We at Harrah's are zealous about customer service. We know if customers have to wait too long for a drink or a coffee, they get upset." The program, he said, was designed to cut down on wait times for the casino's "best customers."

Guido's not thrilled with this plan:

Harrah's Casino is RFID tagging their waitresses to "improve service". This registers as at least 500 milli-Orwell on my Big Brother Scale.

I certainly agree it's no fun to be monitored all the time, but one thing that's hard for people in White Collar jobs like the tech industry to remember is that in most highly repetitive jobs (of which waitressing is one) management closely monitors your performance. When I was a teenager, I worked in a mail order operation in both the picking (taking items off the shelf) and packing (putting them in boxes) operations and in both cases the number of items we handled was monitored and used to compute incentives. (As a side note, it was truly humbling how much difference there was between me and the people who were really good). So, it's not clear to me that this scheme is any more Big Brotherish then monitoring how many items I shove in boxes every day. The reason they don't monitor your performance as (say) a computer programmer this way is that there aren't any really good metrics (SLOC, for instance, is a joke.)

The more interesting question from my perspective is why Harrahs is choosing this particular monitoring scheme, as opposed to (say) monitoring how many drinks they serve. My intuition is that there are two reasons.

First, unlike an ordinary restaurant or bar, Harrah's derives their revenue primarily from gambling, not from beverage sales. So, their incentive isn't to push the maximum amount of alcohol on people but rather to align the quality of service to the amount of gambling that a particular gambler is doing. This makes metrics like total drinks served less useful than they would be in a bar. A related issue is that because drinks are generally subsidized, it's probably easier than usual for a waitress to pump up the amount of drinks she serves merely by picking out the people consuming a lot of alcohol.

The second issue is that the agency issues are probably harder in this environment than in an ordinary bar. In your average bar, tips are roughly correlated with the amount of drinks served and while there are big and small tippers, variance is not that high. My impression is that in casinos there's an enormous amount of tip variance and that the high tippers may or may not be the big gamblers. And of course the casino knows who the big gamblers are directly so they can incentivize more accurately.

One more thing that's worth noting if you think this system is objectionable: casinos have been doing fine-grained monitoring of exactly how much money customers gamble for years, in some cases manually and in some cases automatically with those affinity cards that they love to hand out. That's how they decide how much to comp you.

Consider the following:

1. Tradesports has Alito's confirmation trading at around $.95.
2. Our senators are a bunch of windbags.
3. The "questioning" of Alito seems to mostly consist of speechifying by the Senators.
4. Alito (like all nominees) gives predictably vague evasive responses.
5. Most everyone I know who's listened to the hearings has come to mostly negative views of the Senators in question.

I think that points (2-3) pretty much rule out the theories that the Senators are actually trying to discern Alito's views. Despite this, Senators continue to do this every time there is a Supreme Court vacancy. Some potential theories:

The Senators are trying to influence each other's views: The purpose of speechifying rather than questioning is to convince other Senators to act in a particular way. This strkes me as pretty unlikely, in view of the Tradesports data above and the fact that based on the speeches people's positions appear to be fairly hardened.

The Senators think this plays well at home: This is a free opportunity for them to get national TV time. The downside is that they look like windbags. So, the question is whether they look like windbags to their constituents? Of course, maybe they do but they don't know it.

They're making credible commitments: This is subtly different from the previous theory. The idea isn't for the Senators to actually play to their constituents but to publicly commit themselves to a particular position (e.g., about abortion or executive power) thus gaining favor with lobbyists and big donors.

The problem with all of the outer-directed theories is that you routinely see this kind of behavior in closed committees where everyone knows what the answer is going to be but yet they spend hours discussing it. So, maybe it's just that people can't get comfortable with a decision unless they've publicly agonized over it first.

One of the exciting new features of Verizon's new digital music download functionality is that it breaks MP3s:

The company's new song download service, announced at the Consumer Electronics Show in Las Vegas, is being built around Microsoft's digital media technology. As part of that service, Verizon decided to eliminate the phones' previous ability to play MP3 files, hoping to keep the phones' music features simple, a company spokesman said.

A reasonable idea, I suppose. After all, it would no doubt be too difficult to create a piece of software that could play multiple media formats with the same transparent UI.

In most cases, customers can still transfer their own music to the phones, and many may not even notice a difference. Microsoft's Windows Media 10 software will automatically make a copy of MP3 songs on a computer's hard drive and load them onto the phone in the correct Microsoft-based format, leaving the original unchanged.

This sounds fine, of course, but it's important to remember that these are lossy formats, and every time you transcode between them you degrade the quality. But it sure will be simple!

In pretty much the worst case demo scenario, Microsoft and Toshiba's HD/DVD demo totally flopped:

LAS VEGAS (AP) - It was supposed to be the grand unveiling of a new generation in home entertainment when Kevin Collins of Microsoft Corp. popped an HD DVD disc into a Toshiba production model and hit "play."

Nothing happened.

The failed product demo at this week's International Consumer Electronics Show was hardly an auspicious start for the HD DVD camp in what's promising to be a nasty format war similar to the Betamax/VHS video tape battle.

The "demo effect" is of course well known in tech circles. No matter how many times you test some piece of technology, it's almost certainly going to fail the first time you show it to anyone else. The demo effect is almost impossible to defeat, but there are a few things you can do:

Get used to the idea that it's a sham. The hardest idea for engineers to get their heads around is that demos are fake. You're not trying to actually show your product, just give people an idea of what your product would do if it actually worked. The good part of this is that you have enormous freedom to fake things up. The bad part of this is that the things you show have to work and that if it essentially works but the cosmetics are hosed, it goes over badly.

Rigorously program your demos. You have limited testing time, so it's almost impossible to make sure that everything works. The best you can do is make sure that you do the same thing every time: start it up the same way, show the features in exactly the same order. Don't let the machine go to sleep, etc. None of this guarantees that the system will work when it's shown for real, but if you go off the fairway, the chance that something will break is almost 100%. A corollary to this is to--if at all possible--avoid demos that rely on the Internet. There are all sorts of ways that Internet flakiness can screw up your demo. If you do need to show something that involves networking, you're better off bringing some local machine that can act as the server. Remember, it's OK to have it be fake!

Test, test, and test again. Once you've got your demo planned, you need to test it obsessively. I said before that you needed to rigorously program your demo, but you also need to test all the ways that your marketing/demo person is likely to screw up in action.

Once you get it working, don't screw with it. Engineers always want to put the bleeding-edge code on the demo machine. Don't let them. It's much better to have the old code that really works rather than the newest code. This goes hand-in-hand with the first point about things being fake. What I've done in the past is to maintain a machine that's not used for anything but demos and only install new code once you're really confident. An additional advantage of this is that it lets marketing do independent demos without involving engineering.

Work your way up. This last piece of advice is pure voodoo. If you go right from your home lab to a big demo, Murphy's Law will instantly kick in and your demo won't work. My hand-waving explanation here is that in "live" situations and under stress you behave a bit differently. In any case, it's essential to start with small audiences and work your way up.

So, what's amazing about this HD-DVD failure is that surely Toshiba and Microsoft's people know all this stuff, and it sounds like this is the simplest possible demo. Quite surprising it didn't work, really.

BBQ is one of the great world cuisines, but unfortunately it's pretty hard to make at home. Sure, it's easy to grill at home, but real BBQ requires long-term smoking, which isn't easy to do with your average backyard grill (though the best choice of the semi-fast cooking grilling methods here is probably a Weber kettle.). But who has time to smoke things for 10+ hours?

Today I discovered a good second choice. My friends Terence and Wendy were down in Austin and brought me a pre-smoked brisket from the Salt Lick. They smoke the meat and then chill and vacuum pack it. It'll keep for a week in your fridge and then you can slap it on the grill (or, I suppose, in the oven) and in an hour you've got a ready-to-eat brisket which is probably better than most anything you can get at a local restaurant. They have ribs and sausage, too, but I can't vouch for them yet.

Had the fun of installing Apache on OS/X today, only to discover that it puts files in some rather surprising places (unless you override it):

Use the --with-layout=[F:]ID option to select a particular installation path base-layout. There are many layouts pre-defined in the file config.layout. Except on MacOS(X) configure defaults to the `Apache' classical path layout. You can get an overview of the existing layouts by using the command:

Especially annoyingly, the default layout partially ignores the --prefix argument, and seems to put a bunch of stuff in /Library. Outstanding!

Terence Spies pointed me to the rather entertaining Dr. McNinja:

Going to the doctor would be a lot more interesting if my primary care physician were a ninja. They'd probably do a better job of dealing with the insurance company, too...

This Wired article talks about two new technologies that are intended to detect when people are lying. Both technologies operate on the theory that lying involves different sections of the brain than telling the truth. So, by measuring the level of activity (via blood flow) to various parts of the brain, you may be able to tell when people are lying.

The technology that's been getting most of the detection here is functional magnetic resonance imaging. fMRI lets you detect the level of oxygenation of the blood in various parts of the brain, and at least in theory oxygen consumption is related to the level of activity. fMRI is already being fairly widely used in all sorts of neuro-psychological studies and I started hearing about its potential for lie detection a few years ago. fMRI, like all NMR-based imaging techniques, has two major drawbacks. The first is that you have to hold still or it doesn't work well (though motion compensation is getting better every year). The second is that because it involves very strong magnetic fields it's not safe if you have any substantial amount of ferromagnetic material in your body or on your person.

Another line of research is being pursued by Britton Chance at UPenn. The idea is blood flow again, but instead of using MRI, they're measuring blood flow using optical (near-infrared) spectroscopy. The upside is that you don't have to hold still and there's no metal concern. The downside is that you can only measure blood flow close to the surface of the skull, which may involve some loss of resolution. They're claiming a sensitivity of 95%, but it's not clear what the false positive rate is.

It seems like there are a bunch of open questions here. For starters, it's not clear what the error rate is. Given the low base rate of malfeasance, if you're going to use deception detection in screening settings, then even a low false positive rate will cause most of the positives to be false positives. One also needs to be concerned about the false negative rate. When people want to beat polygraphs, one thing they do is biofeedback training to see how to avoid generating the signals. Obviously, there are theoretical reasons why one might think it would be harder to beat a direct brain scan, but I haven't heard of anybody making a concerted effort to beat one, so we can't say for sure that it's impossible.

The other setting that people seem to be interested in using this technology is for interrogation. The idea seems to be that you would be able to tell when subjects are lying to you. That does seem useful, but it's important to remember that even if the technique works, it's only useful if people are actually trying to convince you they're telling the truth. That's probably true in criminal investigations but one of the problems our interrogators are having in Guantanamo, Afghanistan, and Iraq is that the subjects don't seem to care. Here's Chris Mackey and Greg Miller in The Interrogators:

When prisoners were questioned, everyone's name had been "lost" to fragile memory. There were no identifying features, no addresses, no telephone numbers. In the recesses of our minds where logic ruled, we knew it was impossible to have forgotten so much. But we were confounded by the utter directness of the lies. It wasn't a kind of cocktail party fib, easily seen through, easily peeled away. It was a mindless refutation of the obvious. And forbidden from punishing anyone for noncooperation, we couldn't do a damned thing about it. We could only gaze in disbelief and do our best to follow the school mantra: interrogators feign emotions, we never betray them.

I've also done some thinking about countermeasures, and I think that with some preparation—and one of the complaints from US interrogators is that their subjects have hasresistance training—you may be able to partially protect yourself against the fMRI technique. Remember that you can't use MRI on people who have metal implants, etc. This is a serious concern. I've had an MRI and when they found out I'd worked in a machine shop, they insisted on X-ray my eyes on the odd chance that I had metal slivers in them. It shouldn't be that hard to arrange for a few, thus requiring someone to perform (presumably nonconsensual) surgery before they can use this technique on you. Obviously, your captors could do the surgery, but that's a much bigger deal than just sticking your head in an MRI machine, especially if the implants are placed so that they're hard to remove without injuring the subject. This presumably isn't a problem with Chance's technique, and I haven't had time to think of any good countermeasures for that yet. Putting an IR-opaque plate in your skull would probably work, but I'm skeptical that it's practical on a large scale.

Noted bear (and EG reader) Dan Simon buys a house.

It's well known that a lot of the homeless are substance abusers, and it's common practice to try to get them un-addicted. A Canadian harm reduction program tried a different approach:

TORONTO (Reuters) - Giving homeless alcoholics a regular supply of booze may improve their health and their behavior, the Canadian Medical Association Journal said in a study published on Tuesday.

Seventeen homeless adults, all with long and chronic histories of alcohol abuse, were allowed up to 15 glasses of wine or sherry a day -- a glass an hour from 7 a.m. to 10 p.m. -- in the Ottawa-based program, which started in 2002 and is continuing.

After an average of 16 months, the number of times participants got in trouble with the law had fallen 51 percent from the three years before they joined the program, and hospital emergency room visits were down 36 percent.

"Once we give a 'small amount' of alcohol and stabilize the addiction, we are able to provide health services that lead to a reduction in the unnecessary health services they were getting before," said Dr. Jeff Turnbull, one of the authors of the report.

"The alcohol gets them in, builds the trust and then we have the opportunity to treat other medical diseases... It's about improving the quality of life."

Assuming these results hold up, this is probably worthwhile doing, but I wonder how palatable a program of providing free alcohol is going to be to the public and their elected representatives.

Traditional TLS authentication was pretty much completely tied to old-style PKI. When you wanted to stand up your server, you went to one of the well-known CAs (typically VeriSign) and got a certificate that contained the name of your server, e.g. www.educatedguesswork.org. The standard reference here is RFC 2818 and of course RFC 3280.

Lately, though, I've been starting to see a lot more interest in more flexible (or at least non-PKI-based) models. The two big ones are:

• Exchanging fingerprints in some out of band channel. See, for example, draft-ietf-mmusic-comedia-tls.
• Using SSH-style "leap of faith" authentication where you just trust the first certificate you see from a given server and then check to see if it changes.

When you're using these models, you still use a certificate (that's what everyone who uses TLS is set up to use) it's just not signed by one of the universally accepted CAs. It might be accepted by an unknown CA or perhaps self-signed. However, despite the fact that a certificate is used, the underlying authentication model is totally different. In a PKI-based system, the certificate is an attestation about the binding between this name and a key. In these systems, it's just a convenient carrier for the public key and the authentication comes from somewhere else.

This raises the obvious question of what identity (either Distinguished Name or subjectAltName) should appear in the certificate. It's tempting to just stick with the RFC 2818 rules. This lets you do consistent name checking without regard to how the certificate got validated. But as a protocol designer or an implementor it's important to realize here that the name doesn't have any real security implication. It's just a placeholder and you can't trust it. The downside of following the 2818 rules is that they're a bit complicated and since the name is meaningless, if the server operator happens to get it wrong you're going to get a bunch of false security warnings, which is irritating at best and a source of interoperability failure at worst.

Consider, for instance, what happens if you have a self-signed certificate for "server.educatedguesswork.org". You then make a CNAME record (an alias) for "www.educatedguesswork.org" that points to "server.educatedguesswork.org". If someone tries to connect to "www.educatedguesswork.org" they'll get a name mismatch error of some kind, even if they are checking the fingerprint. That's obviously bad. Sure, you could make a new self-signed cert, but that's a pain, especially if the person controlling the DNS is the same as the person controlling the server's cert.

It's obviously not critically important which way you do things, but my intuition here is that having a consistent code path between the PKI and non-PKI cases is actually a bug here because it obscures the nature of the interaction. So, when I design or review protocols, I've been encouraging people to omit the checking in this case.

Wired reports that some German hackers have figured out how to monitor the government surveillance cameras:

BERLIN -- When the Austrian government passed a law this year allowing police to install closed-circuit surveillance cameras in public spaces without a court order, the Austrian civil liberties group Quintessenz vowed to watch the watchers.

Members of the organization worked out a way to intercept the camera images with an inexpensive, 1-GHz satellite receiver. The signal could then be descrambled using hardware designed to enhance copy-protected video as it's transferred from DVD to VHS tape.

The Quintessenz activists then began figuring out how to blind the cameras with balloons, lasers and infrared devices.

And, just for fun, the group created an anonymous surveillance system that uses face-recognition software to place a black stripe over the eyes of people whose images are recorded.

Just what I always wanted; surveillance by people who can't be bothered—or don't know how—to secure their feeds. Outstanding!