November 2010 Archives

I haven't managed to wade through any significant fraction of the latest Wikileaks dump, but my initial impression (and it seems others as well) is, "duh". the headline disclosures—that the US spies on its allies (including trying to gather personally identifying information on foreign officials), that its foreign service officers think various world leaders are morons or jerks (and that in some cases they actually are jerks in ways we didn't already know), and that it generally throws its weight around—aren't surprising in general, even if they are in a few cases surprising in detail (frequent flyer numbers? really?). What they are, of course, is embarassing, because these are things that everyone knows even if they don't generally get admitted to publicly. I don't know if this leak will cause Hillary Clinton to resign, as Jack Shafer argues, but I certainly wouldn't be surprised to see some people get fired. It's not like that's going to change the macro-level behavior though. You just need some turnover so that we can all pretend that there were a few bad apples and that of course the US won't be doing that bad stuff in the future.

Lie To Me is of course absurd (think House except with Tim Roth instead of Hugh Laurie and him being an expert in deception instead of a doctor, but otherwise pretty much the same). Anyway, in one episode we learn that Tim Roth has beeen banned from Vegas because he's too good at poker.

So, first it's important to realize that unlike basically every other casino game, with poker the house has no interest in whether you win or lose. Typically they take a fixed rake on every pot though sometimes it's a percentage of the pot up to a small cap. In either case, the casino doesn't care much whether you win or lose. To the extent to which they care at all about how the game proceeds (and poker isn't that big a money maker) it's mostly about play velocity.

Now, Lie To Me does get this sort of right: according to Mrs. G. the objection was that Roth was pissing off the casino's best customers by winning too much. This sounds plausible but it doesn't really make sense either. First, the house primarily cares about having poker players be happy to the extent to which they don't leave the casino. If they just stop playing poker and play some other game, that's actually gravy. Second, for many poker players—especially many of the big money players that are most profitable—it's actually desirable to play against the best players, even if you're likely to lose (think Andy Beal). It doesn't speak to me, but apparently there's excitement in playing against the best. And of course there's nothing stopping any player from just changing tables.

Acknowledgement: Thanks to Terence Spies for his help with this post.

Some of my recent non-blog material:

• My submission to the IAB/W3C/ISOC privacy workshop. Not a very optimistic take.
• My submission to the IETF Real-Time Web workshop, a survey of design options.
• Slides from the P2PSIP working group meeting, IETF 79 in Beijing; RELOAD status and open issues.

Other links of potential interest:

• Jimmy Wales every web site.
• Chicken chicken chicken.

Perhaps you've heard that the the Combating Online Infringement and Counterfeits Act (COICA) has made it out of committee in the Senate. This bill seems to be the latest attempt by the government to develop a strategy for preventing Internet access to cites they consider objectionable, in this case, copyrighted or trademark infringing material. In short, what it would provide for is that the Attorney General could get a court order to declare a domain name/site as bad (my term, not theirs).

Once a site is declared bad, the following blocks can be put in place:

1. The registrar/registry is required to suspends and lock the domain name.
2. ISPs are required to attempt to block resolution of the domain name.
3. Advertising networks are forbidden to serve ads on the site.

It's not entirely clear to me from the bill how much of this happens for each site, but for now I'm just going to assume that all of these actions happen more or less automatically (i.e., the notifications/orders go out) as soon as a domain is declared "bad". And of course, all this stuff is obviously contingent on the relevant entities being located in the US, or at least doing enough business in the US that USG has leverage over them. For the rest of this analysis I'm going to assume that only the US is doing this sort of thing. If the rest of the world follows suit, the problem gets much harder, though still not impossible.

When I read stuff like this—or almost anything, for that matter—my thoughts immediately turn to how to attack it, or in this case how to circumvent the blocking. We need to consider two threat models from the blocker's perspective:

• Static users, who won't adapt their behavior at all.
• Adaptive users, who will attempt to actively circumvent blocking.

The history of file sharing suggests that many users in fact fall into the second category, as they have shifted from Napster to Limewire to BitTorrent, etc., but we should still consider both cases.

Static Users
Even if we only consider static users, a site can gain a fair amount of traction by moving as much of its dependencies outside the US as possible. In particular, they can register a domain name with a registrar/registry which is located outside the US. This is harder than it sounds since many of the allegedly foreign registries are actually run by US companies, but as far as I know it's not impossible. That solves the first type of blocking, leaving us with blocking by ISPs and ad networks. Obviously, if you don't serve ads you don't care about ad networks, so this may or may not be an issue and I don't know to what extent there are ad networks without substantial US operations you can use.

Getting around ISP blocking is more tricky. Many if not most people use their ISP's DNS server (they get it via DHCP) so if your customers are in the US then it's going to be trivial for the ISP to block requests to resolve your site. Basically, if your users aren't willing to do anything then you've pretty much lost your US audience.

Adaptive Users
If your users are willing to be a little adaptive then there are a bunch of progressively more aggressive measures they can take to evade this kind of DNS blocking. The easiest is that they can reconfigure their machines to use an external un-filtered DNS service. This doesn't help if ISPs are required to actively filter all DNS queries using some sort of deep packet inspection technology. It's not difficult to build a box which will capture DNS queries and rewrite them in flight, or alternately, to block DNS queries to any resolvers other than their own resolvers (note, many ISPs already block TCP port 25 for spam blocking, so it's not like this is particularly hard.) It's unclear to me that this particular bill would require ISPs to do this kind of filtering, since there is a specific safe harbor for the ISP to show that they do not "have the technical means to comply with this section", but obviously this is something that the government could require.

One natural response is to use Tor, which has the advantage of being available right now. The disadvantage is that Tor wants to tunnel all your traffic which means that performance isn't that great, and it's kind of antisocial (as well as slow) to be using Tor to transfer gigabytes of movies from place to place when all you want to do is get unfiltered name resolution.

What's really needed is a name resolution mechanism that resists filtering. One option would be to have an encrypted connection to your DNS resolver (Dan Bernstein, call your office) or some non-DNS service that acts as a DNS proxy, e.g., DNS over TLS. This requires pretty substantial work by users and client authors to deploy and the load on those resolvers would be significant. Note that you don't need to modify the operating system to do this; there are plenty of user-land DNS resolution libraries available that could be embedded into your client. Still, the amount of work here isn't totally insignificant.

Another option comes to mind, however. There's nothing wrong with the ordinary ISP-provided DNS for most resolutions. There aren't going to be that many domains on this block list and the government helpfully publishes a list of them. Someone could easily gather a list of the blocked domains and the IPs they had when blocked, or even maintain an emergency parallel update system to let the blocked domains update their records. All that's required is a way to retrieve that data, which could be easily fit into a single file. Moreover, the resulting file could be formatted as a /etc/hosts file which people could just install on their machines, at which point the standard operating system mechanisms will cause it to bypass DNS resolution. The result would be that you got ordinary DNS resolution most of the time but for blocked hosts you got the result from /etc/hosts. All that's required is some way to periodically update the bypass list, but that could be done manually or with a tiny program.

Of course, there are still plenty of blocking mechanisms available to the government: they could require IP-level blocking or attempt to block distribution of the bypass list, though that's probably small enough to make that impractical. However, I think this makes clear that just blocking DNS is not likely to be as effective as one would like if users are willing to put in a modest amount of effort.

Acknowledgement: This post benefited from substantial discussions with Cullen Jennings.

Like many employed Americans, I have had the dubious pleasure of experiencing a variety of health insurance plans over the years (whatever my employer thought was most attractive at the time.) I generally go for the PPO, and of course there's the usual thing where the insurance company only pays for a portion of your visit due to co-pay, partial coverage etc. My doctor doesn't take payment at the time of visit so a month or so after after you've seen them and gotten your prescription for 30 800mg tabs of ibuprofen you get a bill for $20 or whatever. Actually, you get two things: (1) a statement from {Blue Cross, Blue Shield, Aetna} explaining that your doctor billed them for $190, they paid $170, and your share is $20 and (2) a bill from your doctor for $20. And then of course I go to pick up my vitamin I and pay Safeway Pharmacy $10 (because it's generic) and AetnaCrossShield pays them $20 or whatever.

My question about this is why. Not why there's a co-pay, I understand about moral hazard, incentive alignment, etc. My question is why I'm getting two pieces of paper and why my doctor is getting two checks. It seems like it would be a lot easier if AetnaCrossShield just paid all the bills in full, then consolidated all the co-pays or whatever in the month, and sent me a single bill. That would be a lot more convenient for me, and certainly would be for the providers. That's doubly true if your employer does the high deductible plan/HSA thing, since you end up doing a lot of your payments out of the HSA. It would be a lot more convenient (again, for me) for the insurance company to just bill the HSA directly (perhaps billing me for any overage) than for me to have to dig out my HSA credit card every time I want anything.

The best answer I have is that the insurance company wants me to directly experience some annoyance every time I go for service as part of their general co-pay service deterrence strategy. It's not really working in my case, though, since I pay out for prescriptions with my credit card, which is easy, and pay my other co-pays weeks to months later, so it doesn't really affect my behavior.

You may have heard that the TSA is moving to ubiquitous use of whole body scanners for security screening. They won't actually make you go through the scanner, but as Jeff Goldberg reports, patdown they're offering isn't a lot of fun:

At BWI, I told the officer who directed me to the back-scatter that I preferred a pat-down. I did this in order to see how effective the manual search would be. When I made this request, a number of TSA officers, to my surprise, began laughing. I asked why. One of them -- the one who would eventually conduct my pat-down -- said that the rules were changing shortly, and that I would soon understand why the back-scatter was preferable to the manual search. I asked him if the new guidelines included a cavity search. "No way. You think Congress would allow that?"

I answered, "If you're a terrorist, you're going to hide your weapons n your anus or your vagina." He blushed when I said "vagina."

"Yes, but starting tomorrow, we're going to start searching your crotchal area" -- this is the word he used, "crotchal" -- and you're not going to like it."

"What am I not going to like?" I asked.

"We have to search up your thighs and between your legs until we meet resistance," he explained.

"Resistance?" I asked.

"Your testicles," he explained.

'That's funny," I said, "because 'The Resistance' is the actual name I've given to my testicles."

One gets the impression from his report that it's being made less fun than strictly necessary. After all, once you've paid a zillion dollars for a bunch of gee whiz technology you want to use it.

I was planning to opt for the patdown next time I went through security anyway, but then I read this letter from UCSF (þ SF Citizen). You should read the whole thing, but this is the really scary part:

Unlike other scanners, these new devices operate at relatively low beam energies (28keV). The majority of their energy is delivered to the skin and the underlying tissue. Thus, while the dose would be safe if it were distributed throughout the volume of the entire body, the dose to the skin may be dangerously high.

The X-ray dose from these devices has often been compared in the media to the cosmic ray exposure inherent to airplane travel or that of a chest X-ray. However, this comparison is very misleading: both the air travel cosmic ray exposure and chest X- rays have much higher X-ray energies and the health consequences are appropriately understood in terms of the whole body volume dose. In contrast, these new airport scanners are largely depositing their energy into the skin and immediately adjacent tissue, and since this is such a small fraction of body weight/vol, possibly by one to two orders of magnitude, the real dose to the skin is now high.

In addition, it appears that real independent safety data do not exist. A search, ultimately finding top FDA radiation physics staff, suggests that the relevant radiation quantity, the Flux [photons per unit area and time (because this is a scanning device)] has not been characterized. Instead an indirect test (Air Kerma) was made that emphasized the whole body exposure value, and thus it appears that the danger is low when compared to cosmic rays during airplane travel and a chest X-ray dose.

In summary, if the key data (flux-integrated photons per unit values) were available, it would be straightforward to accurately model the dose being deposited in the skin and adjacent tissues using available computer codes, which would resolve the potential concerns over radiation damage.

That's sure encouraging. And of course that's just assuming that the machines are functioning as designed. The authors of the letter go on:

Moreover, there are a number of 'red flags' related to the hardware itself. Because this device can scan a human in a few seconds, the X-ray beam is very intense. Any glitch in power at any point in the hardware (or more importantly in software) that stops the device could cause an intense radiation dose to a single spot on the skin. Who will oversee problems with overall dose after repair or software problems?

Surely that could never happen.

Flying With Fish reports that the TSA will be restricting toner cartridges (þ Matthew Kaufman):

This coming Monday, the 8th of November, the Transportation Security Administration (TSA) expects to announce that it will prohibit airline passengers from flying with printer ink and toner cartridges, sized at 16oz by volume or larger. This will be Security Directive (SD) 1554-10-05.

As of this evening, the TSA appears to be working on the exact wording of prohibiting these items, however prohibiting printer cartridges poses a few challenges ... mainly that generally printer cartridges do not have their ink or toner volume readily listed on the cartridge its self.

This feels like classic fighting the last war. As far as I can tell there's not much special about printer cartridges. Here's FWF's source:

Now that the global security community is aware of printer cartridges as a potential way to conceal explosives anyone seeking to stay out of the line of sight of security forces will move onto a new item to conceal their weapons. If I was on the front line of aviation security I would suggest seriously looking at desktop hard drives, portable DVD players or home video game consoles. These are all items with enough internal space to pack an explosive in addition to providing the ability to camouflage the trigger wiring harness. Under normal circumstances these items may not catch a second glance, but you have to wonder what kind of person checks a desktop hard drive, portable DVD player or home video game console given the likelihood of damage or theft.

Moreover, if you're going to carry the bomb in carry-on, there's no requirement that the explosive and the triggering mechanism even be in the same package, since you can assemble them in place. All you need is the ability to pack the explosives into something that will pass the x-ray machine (or alternately you can probably walk them through the magnetometer; ever see a "wine rack"?) and then some other place to conceal the triggering mechanism. It seems like it shouldn't be too hard to make it look like some other piece of consumer electronics. Note that since you can separate the trigger mechanism from the explosive, you can have two different people bring them through security, thus arousing even less suspicion (and potentially bearing more scrutiny if you get secondary screening).

It's possible, of course, that for some reason printer toner is really hard to distinguish from explosives using the kind of detection apparatus we have available. In that case, it might possibly make sense to restrict toner (whether in cartridge form or not). However, printer toner is a carbon/plastic compound, so it seems like it would probably show up a lot like any other kind of plastic under X-ray, nitrogen scanning, etc. Even if toner is hard to distinguish from explosives, it doesn't make much sense to restrict it unless it's somehow uniquely hard to distinguish.

Assuming this report is correct, it will be interesting to see what rationale TSA provides.

2010 General:

• How do I know how to vote without a Granick Slate Card
• For some reason, Santa Clara County keeps moving my polling place around and I somehow lost my voter pamphlet telling me where to go, so I cruised over to the polling place on Middlefield to look at their map. It wasn't my polling place, but I still could have gotten vaccinated:

  

• Provisional ballot handling seemed a little clunky at this polling place. The way you vote a central count optical scan provisional ballot in Santa Clara is to fill out the ballot and then stuff it in an envelope with your information. You seal the envelope and then if election central determines that you're entitled to vote, they open the envelope and scan the ballot. (Santa Clara doesn't know use a double envelope system). But you are supposed to seal the envelope, not let the poll workers do it, since otherwise they see how you're going to vote. Anyway, when I saw a provisional voter vote, they tried to pass the whole mess to the pollworker, who looked about to put it all in the envelope but eventually let the voter do it.
• Santa Clara does have Sequoia DREs, but after the TTBR California restricted these to one per polling place, and so there was one lonely Sequoia AVC Edge, but the poll workers by default give you a paper ballot. When I showed up around 11 AM the poll workers told me that nobody had used it yet. It's kind of a pain to shut the machine down, so the poll workers generally prefer to have everyone vote opscan.