November 2006 Archives


November 29, 2006

A lot has been written about Kathryn Johnston, an elderly woman who was killed when an Atlanta SWAT team conducted a raid on her house last week. One of the interesting sub-issues was the observation by Orin Kerr that the judge's signatures on the warrants and affidavits look very similar. See here for a comparison. The explanation seems to be that they use an electronic warrant system where the judge "signs" online. It seems like these systems come in two varieties. In the first, the judge actually signs on some signature capture pad (like you do in a lot of credit card capture applications) and the digitized signature is attached to the relevant documents. In the second, the judge just clicks on some web form and then some pre-scanned signature is cut-and-pasted into the document.

In either case, this sort of manipulation of a digitized signature is kind of weird. In ordinary paper warrants, the signature is an indicator to the relying party (i.e., the person who's supposed to be examining it) that the judge approved the search and that he authorized a warrant with some set of particulars. However, a digitized signature on a document can be easily cut-and-pasted and so attests to no such thing. Certainly, the relying party has no way of knowing that the police (or whoever is presenting the document) didn't just perform this kind of cut-and-pasting. Of course, you can certainly argue that this kind of fraud would be dangerous because there are penalties if you get caught, but the signature doesn't change that one way or the other. Just having the document unsigned would be just as effective.

That said, in settings like credit card processing where a single verifier processes a large number of signatures, digitized signatures do offer some value in detecting replay attacks—since every signature is slightly different. If there was some situation where there was a question about whether a judge signed a given warrant and you could access all the warrants a judge had ever signed, then this might have some value, but that doesn't seem like a very likely case.

More likely the real reason why warrants have these kind of signatures is that old-style paper warrants had signatures and so people expect them despite the fact that they don't have much security value. If you showed up with an unsigned warrant people would probably ask you where the signature was.


November 27, 2006

Xerox has developed what looks like a fairly cool piece of technology: self-erasing photocopies:
Of the 1,200 pages the average office worker prints per month, 44.5 percent are for daily use assignments, drafts or e-mail. In her research, scouring the waste produced by office workers, she found that 21 percent of black-and-white copier documents were returned to the recycling bin on the same day they were produced.

We were surprised by our results, she said. Nobody looks at the ephemeral information going through peoples waste baskets.

Her research is part of a three-year-old technology development effort to design an add-on system for an office copier to produce transient documents that can be easily reused. The researchers now have a prototype system that will produce documents on a specially coated paper with a light yellow tint. Currently, the process works without toner and produces a low-resolution document that appears to be printed with purple ink.


The company said the precise nature of the technology was proprietary and that Xerox had applied for a number of related patents covering the invention. The researchers describe the invention as being based on compounds that can change color when they absorb a certain wavelength of light, but can then gradually revert to their original appearance. The compounds currently self-erase in about 16 to 24 hours, or can be erased immediately when heated.

Two initial thoughts here. First, the reason I print stuff out is usually so that I can edit it, which means that I'm writing on it in pen. This technology would only be useful for that kind of application if the pen marks are erasable too. I suppose you could use some kind of pen with a laser diode to mark the paper, but you'd also need it to be a color that contrasted with the printing.

Second, just because the printing isn't visible doesn't mean that it's not detectable via analytic techniques. If this technology ever gets deployed, employees will have to be taught that sensitive material needs to be shredded, not reused.


November 25, 2006

The Times has a review of Sony's new Sony Reader. The bottom line seems to be that the underlying e-ink technology actually works but that the UI needs some work. I haven't seen the gizmo, but if that's true it's actually good news, since the UI seems primarily to be a usability engineering issue, which is something that's pretty well understood, especially by comparison to the e-ink stuff, which was never totally clear could be made good enough for prime time. It's actually a little surprising that the reviewer doesn't complain about screen resolution, which is 170 dpi, far less than on a printed page.

November 24, 2006

The Times reports on a study indicating (unsurprisingly) that distance runners are at increased risk for skin cancer:
Sun exposure may not be the only risk factor that distance runners face. The authors write that although there is no question that regular exercise is important to good health, there is good evidence that high-intensity training and excessive exercise can lead to suppressed immune function.

This is quite well established, Dr. Ambros-Rudolph said. Many alterations in immune cell function have been noted at the cellular level in marathon runners.

For example, there is the association between excessive exercise and immunosuppression reflected in the increased incidence and severity of upper respiratory tract infections in marathon runners after races.

The exact mechanism is unknown, but there is evidence that trauma sustained during extreme exercise can induce the release of cytokines, proteins that can stimulate the growth and activity of various immune cells and that may limit the ability of the immune system to fight potential cancers.

Clinical examination by dermatologists showed that none of the participants had lesions that suggested malignant melanoma. But 24 of the marathon group and 14 of the control group were referred for surgical treatment of lesions that appeared to be basal or squamous cell carcinomas or the precancerous lesions called actinic keratoses. Follow-up reports on these patients were not available because of the limits in Austrian laws on personal privacy.

About a third of the marathoners ran up to 25 miles a week, and nearly half ran 25 to 45 miles. Almost 15 percent ran more than 45 miles a week. Those who trained the most intensively had the highest rates of skin lesions.

This isn't a particularly surprising result, especially as the researchers report (and my experience confirms), many athletes don't wear sunscreen. And there's certainly plenty of anecdotal experience that high training loads lead to immune suppression—it's one of the major outcomes of overtraining.

This next bit is weird, though:

Physical exercise on sunny days can be more harmful to the skin than other kinds of sun exposure, the authors suggest, because sweating may significantly increase the sensitivity of the skin to ultraviolet radiation, making sunburn more likely. Moisture on the skin reduces the UV light to shorter wavelengths that are more easily absorbed and decreases their reflection and dispersion.

This doesn't sound right physically. Remember that the shorter the wavelength the higher the frequency (and thus the higher the energy of the photons). In general, when photons interact with some compound they shift it to lower energy, not higher; think fluorescent lights where the original emission is in the UV but it's absorbed by the coating and reemitted in the visible.

Anyway, that's not actually what's going on here. Rather, the water is changing the absorption spectrum of your skin. Here's the text from the paper:

They also showed that sweating because of physical ex- ercise may significantly contribute to UV-related skin dam- age, because it increases the photosensitivity of the skin, facilitating the risk of sunburns.14 These effects are pre- sumably due to hydration of the horny layer, which leads to a shift in the stratum corneum UV absorption spectrum, to shorter wavelengths, and to a decrease in reflection and dispersion.

That does make sense.


November 23, 2006

One of the gyms I climb at has this article up on the wall:
Todd Skinner's hands were cut up and he was tired after a hard day of climbing, but he was a happy man standing high above Yosemite Valley on what is known as Leaning Tower.


They talked about their plans for the next day, then Skinner began rappelling down from a ledge part way up the 2,000-foot face. Five minutes later, he was dead.

Skinner, a 47-year-old former rodeo cowboy and world-renowned rock climber, fell more than 500 feet to his death Monday after the nylon loop used to attach the climbing rope to his harness broke. The accident has sent shock waves through the climbing community, where Skinner's outgoing nature was almost as legendary as his courage and skill on some of the world's most dangerous rock faces.


The part that broke, called the belay loop, is designed to be the strongest part of the climbing harness, but Hewett, 34, said Skinner's harness was old.

"It was actually very worn," Hewett said. "I'd noted it a few days before, and he was aware it was something to be concerned about." Friends of Skinner said he had ordered several new harnesses but they hadn't yet arrived in the mail.

On Monday's climb, Hewett said the belay loop snapped while Skinner was hanging in midair underneath an overhanging ledge.

For those who don't climb, a little explanation may be in order. Your basic climbing setup is that you've got two guys, one climbing and one belaying. They're both wearing harnesses and are attached to each other by a safety rope. The idea here is that the belayer leaves a relatively small amount of slack in the rope so that if the climber falls, he only falls a short distance.

The climber typically has the rope tied directly onto his harness, since it's a fixed point. Your classic harness is just a waist belt with some leg loops and you tie in through both of them. Simple.

However, since the distance between the climber and the belayer keeps changing, the connection at the belayer's end is more complicated. The rope is threaded through a belay device which is a gizmo that lets the belayer apply a lot of friction to the rope without much force. The idea here is that while the climber is climbing the belayer can adjust the length of the rope but of the climber falls the belayer can lock the rope.

The belay device and the safety rope are attached to the belayer's harness by a carabiner (a metal ring with a gate one one side to let you open and close it). For a variety of reasons, people are concerned about having the carabiner through the waist belt and the leg loops (a lot of people argue that this cross-loads the carabiner thus increasing the chance of failure--this isn't an issue for the climber because rope is flexible). In order to avoid this, most modern harnesses have a belay loop. This is just a sewn nylon (or spectralink) loop that goes through the waist belt and leg loops (right where the rope would go). You clip the carabiner for the belay device into the belay loop. In the picture below, the belay loop is the green thing.

If the climber falls, you suddenly have a lot of force on the rope connecting the climber and the belayer. This force is on the climber's harness at the tie in point and on the belayer's harness at the belay loop--and of course on the waist and leg loops because the belay loop goes through those. Thus, the belay loop creates an additional point of failure, but this typically isn't a problem because they're enormously strong--Black Diamond rates theirs at 15 kN (3372 lbs).

What appears to have happened in this case (see this article) is that Skinner had been using a daisy chain—more webbing—through his belay loop and that the rubbing of the two pieces of webbing had abraded the belay loop. This can also happen if you tie in via your belay loop, which is why it's recommended that you tie in directly through the waist and leg loops, which have abrasion resistant material on the outside, which the belay loop does not. Note that this isn't an issue with belaying since the carabiner causes less abrasion of the belay loop.

One thing that's weird here is that belay loops are massively overbuilt. According to the article I pointed to above, even if you remove 90% of the material in a BD belay loop, the breaking strength is 777 pounds. If you're rapelling, or hanging as this article suggests, the total force is merely your own body weight and most rock climbers weigh far less than 700 lbs. Either the belay loop was truly damaged, which is something you would expect to be so obvious that you wouldn't use it at all or we need to account for some other source of failure.

One more observation: as I said earlier you attach the belay device through your belay loop and the force of the fall is transmitted to the belay loop through the belay device. A fall from a reasonable height will load the belay loop substantially more than just the body weight of the climber. Given that Skinner and Hewett were at the top of the climb, it seems likely that Skinner was belaying off that same loop, a practice that would have left even less margin of error than we now know was already inadequate.


November 22, 2006

A couple of readers have written in to complain about their comments being blocked. It appears that in a moment of incompetence I added to the comment blacklist. It should be fixed now. Sorry about that.

November 21, 2006

Some highly disruptive technology has recently come to virtual world Second Life. As documented by Ed Felten (here and here), someone has written a piece of software that lets you copy the form (though not necessarily the internal functionality) of any object.

Of course, the no-copying restriction in Second Life is a purely artificial restriction designed to make Second Life more closely resemble the real world where copying is hard. This kind of rule is clearly necessary in a game (ever play Quake in "God Mode" where you can't be killed and can walk through walls? It's incredibly boring) but Second Life seems to have aspirations to be more than a game, in which case part of the attraction would seem to be to be liberated from the annoying restrictions of physics. Indeed, this kind of free form copying is exactly what you'd expect in the most optimistic (or maybe pessimistic) predictions for nanotechnology, and as Felten observes, the impact on the real economy would be dramatic, to say the least.

Universal copying isn't the only nanotech feature which has an analog in Second Life. Someone has written a self-replicator, what Drexler called grey goo when applied to nanotech (indeed, the Second Life people call it grey goo as well). I don't know enough about Second Life to know if the grey goo uses the same kind of mechanisms as molecular assemblers. Probably not, since Second Life physics doesn't really resemble real-world physics that well, but it sounds like the concept is the same.

None of this is particular surprising, of course. Much of the point of nanotech is to bring the programmability of software to the physical world, so when we have a programmable virtual world, we get all the stuff nanotech boosters have been predicting. Maybe if we manage to get our hands around how to handle this stuff when it's just bits we'll have a better idea of what to do if we ever get to the point where we can replicate diamonds and HDTVs.


November 20, 2006

Back in February, the Chicago Lawyers Committee for Civil Rights Under Law (CLC) dismissed. Amusingly, the law under which the law was dismissed was the Communications Decency Act, which was widely despised by net libertarians. The relevant section here is the safe harbor provision of Section 230: (c) Protection for "Good Samaritan" blocking and screening of offensive material
(1) Treatment of publisher or speaker

No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.

(2) Civil liability No provider or user of an interactive computer service shall be held liable on account of—

(A) any action voluntarily taken in good faith to restrict access to or availability of material that the provider or user considers to be obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable, whether or not such material is constitutionally protected; or

(B) any action taken to enable or make available to information content providers or others the technical means to restrict access to material described in paragraph (1).

The ruling makes interesting reading. As I understand the issues (IANAL, etc.), the safe harbor provision is a grant of immunity from civil action under some conditions, which are disputed. There seem to be two views:

  • This is a broad grant of immunity from civil suit if you don't source the content. See the 4th Circuit decision in Zeran v. America Online, which addresses but doesn't displose of the issue.
  • This is a narrow grant of immunity for things you do when you do some filtering.

This section clearly isn't very well written and S 1 seems to conflict with 2(A) and 2(B).) Even in Zeran, the court recognizes that something is messy here in that Congress clearly wanted to encourage filtering but that the blanket immunity grant would discourage it (always easier to do nothing). This ruling appears to endorse the second theory but dismisses the CLC lawsuit on the grounds that the FHA creates liability for publishers and that S 1 clearly indicates that Craiglist shouldn't be treated as a publisher since they just distributed third party material. This seems like the right outcome but also to leave open the possibility that Craigslist would be liable under some theory that didn't require them to be a "publisher".

This issue, like the issues of pornography, falls into the generic question of the status of sites which are basically caches for third-party content. People are used to thinking of Web sites as something like books or newspapers that's actually produced by the operator 1. But that intuition doesn't apply to sites like Craigslist or YouTube, which are just a big Web server (or servers) attached to a data store and a fat pipe. The only reason it's possible to run sites like that is that no actual manpower is required to manage each individual piece of content. Any rule which creates significant affirmative duties on the operator which scale with the number of items posted is likely to make the cost of running such a site prohibitive.

1. Though if you have any familiarity with book publishing you know that the publisher only has a modest amount of contact with the actual content.

Universal is now suing MySpace for copyright infringement:
Universal contends that much of the media posted by users of MySpace is not user-generated at all, but actually music and videos stolen from copyright owners.

"MySpace is a willing partner in that theft," the lawsuit claims.

In the complaint, Universal singles out features on the Web site that enable users to save copies of videos to their profile pages or share them with others on the site. Universal Music also claims the MySpace Video and MySpace Music services also enable users to access copyright material without permission.


In response to the lawsuit, MySpace issued a statement saying it is in full compliance with copyright laws and is confident it will prevail in court.


Earlier Friday, MySpace said it was testing technology aimed at enabling copyright holders to flag user-posted videos on the site that they find contain unauthorized copyright material. The flagged content is then removed by MySpace. The company expects to roll out the feature in a few weeks.

Currently, MySpace takes down content from its users' pages when it receives a notice from a copyright holder.

Last month, MySpace began using "audio fingerprinting" technology to block users from uploading copyright music to the site. That technology works by checking audio files against a music database from Gracenote Inc.

I think you can imagine two types of accusations against MySpace. First, you could say that they're not doing enough technically. I'm not convinced that's true. MySpace (and YouTube, etc.) are basically big, semi-structured file sharing sites. Users upload content and MySpace (or YouTube) distributes it. As I observed about YouTube, there's no really practical way for MySpace to determine that a given piece of content is unauthorized or not—though of course there are not-very-good ways to determine whether it matches some subset of the very popular stuff for which databases sort of exist. Based on what MySpace claims to be doing, it sounds like the techniques they're using are more or less the state of the art. It's just that the state of the art isn't very good. The only real way to stop widespread sharing of unauthorized content is to block all content by default.

That leaves us with the second accusation, namely that MySpace is profiting from the posting of unauthorized copyrighted content, and perhaps tacitly encouraging it. Certainly, any generic filesharing service is usable for sharing such content and it's no doubt a fair part of MySpace's value proposition, as it has been for YouTube. However, it's also clear that there's a real demand for distributing user-generated content and many of the net-fad YouTube videos (The Evolution of Dance, Ask a Ninja, Will it Blend?, etc.) appear to be completely original. So, this isn't a situation like Napster where it's clear that the primary reason for the system is to pirate content, but that doesn't mean that they're not deriving value from unauthorized copying.

MySpace is different from YouTube in one important respect; it's owned by a media organization. So, does it do a better job of protecting its own content than it does of other people's content? If so, this would be evidence for UMG's case. If not, that seems like a pretty good argument that they've reached a reasonable balance point.


November 17, 2006

The Guardian is running an article by Steve Boggan about how he and Adam Laurie managed to access the new British electronic passports. The short story here is that access to the RFID tag is cryptographically protected but using a predictable key derived from your personal information:
Fatally, however, the ICAO suggested that the key needed to access the data on the chips should be comprised of, in the following order, the passport number, the holder's date of birth and the passport expiry date, all of which are contained on the printed page of the passport on a "machine readable zone." When an immigration official swipes the passport through a reader, this feeds in the key, which allows a microchip reader to communicate with the RFID chip. The data this contains, including the holder's picture, is then displayed on the official's screen. The assumption at this stage is that this document is as authentic as it is super-secure. And, as we shall see later, this could be highly significant.

So, what Boggan and Laurie do is take a passport that they have physical access to (and hence can read the MRZ), extract the personal information, and talk to the passport:

"I was amazed that they made it so easy," Laurie says. "The information contained in the chip is not encrypted, but to access it you have to start up an encrypted conversation between the reader and the RFID chip in the passport.

"The reader - I bought one for £250 - has to say hello to the chip and tell it that it is authorised to make contact. The key to that is in the date of birth, etc. Once they communicate, the conversation is encrypted, but I wrote some software in about 48 hours that made sense of it.

"The Home Office has adopted a very high encryption technology called 3DES1 - that is, to a military-level data-encryption standard times three. So they are using strong cryptography to prevent conversations between the passport and the reader being eavesdropped, but they are then breaking one of the fundamental principles of encryption by using non-secret information actually published in the passport to create a 'secret key'. That is the equivalent of installing a solid steel front door to your house and then putting the key under the mat."

It's important to take a step back and be clear about the threat model. There are two ways to look at the purpose of RFID passports. One is that you're simply trying to produce an object with the same privacy properties as a standard non-RFID passport but with more storage, convenient reading, and harder to forge. The basic security property of a standard passport is that anyone who has access to the passport can read all the data. If that's what you want, then it's perfectly reasonable to make remote access contingent on physical access, which is what printing the key in the MRZ does (more later on how the key is generated). And since the data is digitally signed, it is more forgery resistant than a physical passport--though still clonable.

On the other hand, your goal might be to have it have significantly better privacy properties than physical passports. In that case, you need some form of access control that limits access to authorized readers. This is harder than it sounds, though still partly doable. However, I don't get any sense that this was a design goal for RFID passports, so I'm not sure that this complaint about leaving the key under the mat is really fair. Certainly, it's been known for quite some time that this was the general design, so it's not like it's a big surprise that you can read passports if you have physical access.

That said, I'm not particularly enamored of using someone's personal information as the cryptographic key. As Laurie points out, this is sort-of-guessable, although I don't think the attack he suggests (your mailman taking your passport home and remote-scanning it through the envelope) is really plausible. Far better would be to have a random key that you print in the MRZ. The problem with the current design is that it lets anyone with this information (which they might be able to obtain independently of the passport, since, for instance, you fill it in various forms) build a scanner that can look for your particular passport. That seems undesirable.

1. As a card-carrying member of the COMSEC community I'm obliged by guild rules to throw a hissy fit whenever anybody calls anything "military-level" encryption, but at least I've confined it to a footnote. DES isn't military-level anything and is generally regarded as dangerously weak (well-designed but with a too small key-length).


November 15, 2006

Like everyone else, is covering the recent DOJ study on the prevalence of pornography on the Internet. Unlike everyone els,e they provide links to the original study. The key findings seem to be:
  • Approximately 1.1% of the sites in Google and MSN's indexes are sexually explicit.
  • A little under half of the sexually explicit websites are domestic (US).
  • Almost 40% of the "most popular" queries retrieved a sexually explicit website.
  • Approximately 6% of queries return a sexually explicit website.
  • There's a tradeoff between filter sensitivity and specificity, but basically none of the tested filters had reasonable type I and type II error rates.

It's not entirely clear what the implications of this data are for policy. We have to be concerned with two ways in which children would access pornography:

  • Intentionally looking for it.
  • Accidentally running into it in the course of ordinary searches.

It should be pretty clear at this point that if someone is intentionally looking for pornography, they'll be able to find it, but that's certainly not news to anyone who's paying attention. Whether the fraction of pornographic web sites is 1.1% or .11%, all it takes is 30 seconds of Google searching (or checking out Fark) to convince yourself that there's plenty of it and it's easy to find. It's also clear that filters don't do a very good job of blocking pornography, but that's not really news either.

That leaves us with children accidentally running into pornography. I don't see that this study tells us much about that at all. I'm quite prepared to believe that the the most popular searches turn up pornography, but that doesn't tell us anything about whether those searches were explicitly for pornography--of which I imagine there's quite a bit--or searches that just accidentally turned up pornography. To answer this question you'd need to examine the search terms that people were using and try to make some judgement about their intentions. Without doing that, it's hard to estimate the likelihood that someone who wasn't looking for porn would run into it anyway, which is what's relevant here.


November 14, 2006

I've got a bunch of friends who are currently in the car-shopping business. I spent a while reading reviews and ran into The Truth About Cars, a car review site which is clearly written by insane gearheads but is much more entertaining than your typical car review. Here's the review of the new Audi RS4, a vehicle which bears the same relationship to my Audi S4 as the S4 bears to the old boring A4, and which the voices in my head are now commanding me to buy:

Buy a Toyota Prius and you get a backup camera, keyless ignition, iPod integration and travel over 50 miles for every gallon of gas poured therein. Buy an Audi RS4 and you don't even get self-dimming mirrors, and you can only drive 11 miles per gallon of dead dinos (EPA notwithstanding). The Prius will set you back $25k. The RS4 costs three Prii. At freeway speeds, the Toyota is a near silent and comfortable cruiser, whereas the Audi sounds and feels like a volcano making love to an avalanche. I only tell you this because the moment I saw the RS4 a Toyota angel appeared on my left shoulder and an Audi demon manifested itself on my right. And then I drove the RS4 and the demon kicked the snot out of the angel.


Audi used every trick in the playbook to get the RS4 — with 58% of its weight over the front wheels — to handle near-on perfectly. Credit the DRC (Dynamic Ride Control) which hydraulically links the diagonal suspension bits to each other. As the front wheels read the road, the rear shocks preemptively (and correctly) react. This setup works so well the WRC just banned it. The engineers also made sure every body panel in front of the doors is composed of kilogram saving aluminum. And the 19" Pirellis are fantastic. While the initial turn in isn't as effortless and eager as say an EVO, this two-ton all-wheel driver can safely carry more speed through a corner than you can handle. After the apex, the RS4 can blast sideways with such force that you will swear you are piloting violence.

And that's before you push the innocuous little button marked "S." Normally, the RS4 is faster than whatever car you are driving next to, sounds bonkers and has a devastatingly punishing ride. Push the button though, and three things happen. First, the throttle control is remapped so that the rev-happy mill will crank faster with less input. Second, valves open in the mufflers changing the sound from Howard Dean's scream to Gunnery Sgt. Hartman showing Joker his war face. Lastly, the shocks get firmer and the ride goes from mercilessly painful to f-you. I absolutely love it. Forget violence, you are now driving war.

Unfortunately, by the time I finished reading this review, Mrs. Guesswork had hidden my checkbook.

Bruce Schneier posts about a plan to require everyone who rents a car to provide fingerprints:
Getting your fingerprints taken would once have meant only one thing. You were helping the police with their inquiries. Now such "biometric" identification is entering the mainstream of every day life.

If you want to hire a car at Stansted Airport, you now need to give a fingerprint.

The scheme being tested by Essex police and car hire firms, is not voluntary. Every car rental customer must take part.

These are stored by the hire firms - and will be handed over to the police if the car is stolen or used for another crime.

Detective Sergeant Vic Murphy, from the CID team at Stansted Airport, says it's a response to criminal gangs targeting airport car hire firms - where cars are driven away using false passports, false licences and false credit cards.

"It's not intrusive really. It's different - and people need to adjust to it. It's not Big Brother, it's about protecting people's identities. The police will never see these thumbprints unless a crime is committed."

Note the penultimate paragraph: They're using false IDs and credit cards. If you're a car rental company, what you really want from your customers is an ironclad assertion that if anything (loss, theft, damage), you won't be out the value. As a practical matter, the information they typically collect doesn't guarantee that:

  • The credit card provides an indication of the ability to pay and a direct way for the rental car company to recoup some of their expenses (though not all, if for no other reason than that credit card limits are typically smaller than the price of the car).
  • The driver's license provides (1) an indication that you're able to drive and thus presumably somewhat less likely to crash the car (2) a way to tie you to your credit card and (3) your name so that they can hunt you down if you don't come back.
  • A passport provides (2) and (3).

So, it's perfectly possible for you to to rent a car, even with completely valid credentials and then steal or damage it and have the company be unable to recoup the value of the car. Indeed, short of you handing them a warrant for the value of the car when you rent it, it's hard to see how this could happen. However, they at least know who you are and can investigate and potentially sue or prosecute you, which is better than nothing.

So, where does capturing fingerprints fit into the picture? They can be used in two ways. The first is forensic: they use them to try to figure out who you are and to prosecute you. The second is that you could use them to build a blacklist of people who you didn't want to rent to, with the idea that it would massively increase the overhead of running a theft ring since you'd need to keep finding new patsies to rent the cars.

If you had unforgeable ID--which we know how to do--this would take you most of the way there. You'd still be able to run a blacklist, though it would be slightly easier to evade since the attacker could steal the ID of someone who looked like them rather than get a new thumb. It would provide a better basis for initial forensic investigation since you'd actually have someone's name (even if their ID had been stolen) rather than a fingerprint that might or might not have been registered (assume that people who already have their fingerprints in the system aren't going to let you fingerprint them before they steal your car). It would be slightly less useful for prosecution since you'd have to rely on the agent's testimony that they checked your ID rather than a direct fingerprint match.

One further note: a lot of modern drivers licenses are bound to some non-face biometric. California, for instance, requires the collection of a thumbprint, though it's not on the magstripe). One possible alternative to capturing your fingerprint would be to compare it to the stored one (which hopefully would be masked in some way) and then throw away the capture. Would that be worse or better? Discuss.


November 13, 2006

Security Pro News reports that according to Spamhaus 80% of spam is sourced by 10 spammers:
The Spamhaus list of the world's worst hardcore spammers include people who push porn, pharmaceuticals, and stock scams into inboxes everywhere. Spamhaus estimated that as much as 80 percent of all the junk coming to inboxes starts with one of the top ten.

A multi-aliased spammer known variously as Alex or Alexey operating out of the Ukraine tops the list. Spamhaus believes he works with a Russian spam gang called Pavka/Artofit, which utilizes a vast number of zombied PCs to churn out the junk mail.


Four of the top ten spammers are from Russia, and one from the Ukraine works with the Russians. Two are from the US, with the others from Israel, Hong Kong, and Canada. The Russian government could make a big impact on global spam if they attacked their home-based offenders more aggressively, but years of spam coming from Russian addresses has shown they have little interest in doing so.

It's sort of surprising that there are so few spammers serving what's obviously a hot market with fairly low barriers to entry. This raises the obvious question of why. One possibility—especially for Russian-based spammers—is that they're tied into organized crime, which enforces the (pseudo)monopoly. If that's true, actually arresting those guys probably wouldn't have much of an impact, since it wouldn't be that hard to build up a new operation with a different front man.


November 2, 2006

While sitting around last night waiting to give away free candy I had the opportunity to think about the Halloween coordination problem. 70% of the time Halloween falls on a school night, which is obviously inconvenient for taking kids out for trick or treating. Halloween is actually uniquely bad in this respect, for three reasons:
  • It's tied to a specific date rather than to a specific day in the week like Thanksgiving is.
  • It's not an official holiday so you don't get a day off afterward, unlike the 4th of July and New Year's.
  • It's kid oriented but also tied to things being dark. That happens around 6 here, so it's already getting towards a lot of kids' bedtimes.

Obviously, it would be better for everyone if we agreed to celebrate Halloween on a Friday or Saturday night (it's not like the particular date is significant to even one person in ten these days) but since everyone has to do it one the same night (also uniquely bad, by the way) for it to be a success, the coordination problem is insurmountable. A government law "moving" Halloween would be weird, but we could certainly make Nov 1 a day off, like we do with New Year's Day.


November 1, 2006

In the comments to my post on federally funded research, Peter Harsha writes:
The National Academies' Computer Science and Telecommunications Board: (CSTB) put together a nifty (if complex) chart tracing the development of 19 billion-dollar segments of the IT industry -- from the emergence of the first research, to the introduction of the first product, to the time that product became a billion-dollar industry. You can find a copy of the chart (called the "tire tracks" chart, for reasons that should be apparent when you see it) here. It's a little dense, but worth some time to figure out.

Listed on the left are the various technologies (Timesharing, Client/server computing, Graphics, etc). Each technology has three separate lines plotted on a timeline -- a red line showing when work was taking place in universities (almost all supported by federal research dollars), a blue line showing work in industrial labs, a black dotted line showing when the first product appeared, and a green line noting when that technology became a billion dollar industry. The arrows between the lines and between the various technologies show the flow of people and ideas. So, the chart shows, for example, that work in universities on timesharing prior to 1970 in helped lead to developments in the early 1970's in research that would lead to the Internet.

The chart makes a lot of the points that those of us who advocate for more federal research for basic research try to emphasize in our arguments:

  • There's a complex and rich interplay between federally supported research in universities and industrial R&D. In some cases (RISC and RAID, for example) the initial ideas came from industry, but gov't sponsored research in universities was needed to advance the technology. In other cases (the Internet, GUIs, timesharing), the ideas originated in universities long before they matured to a point where subsequent research by industry moved the tech towards commercialization. University and industrial research is complementary -- with different goals (university = long term, fundamental questions; industry = short term, development-oriented), one doesn't supplant the other.
  • The IT R&D ecosystem is very interdependent.
  • There's often a long incubation period between the the time a technology was first conceived and the time it arrived in the market as a commercial product.
  • University research produces people -- researchers and practitioners -- as well as ideas.
Essentially every aspect of information technology we rely upon today bears the stamp of federally supported research.

Extremely cool.