<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>Educated Guesswork</title>
    <link rel="alternate" type="text/html" href="http://www.educatedguesswork.org/" />
    <link rel="self" type="application/atom+xml" href="http://www.educatedguesswork.org/atom.xml" />
    <id>tag:www.educatedguesswork.org,2008-09-13://1</id>
    <updated>2010-03-11T09:08:02Z</updated>
    
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type 4.23-en</generator>

<entry>
    <title>No, RSA is not catastrophically broken</title>
    <link rel="alternate" type="text/html" href="http://www.educatedguesswork.org/2010/03/no_rsa_is_not_catastrophically.html" />
    <id>tag:www.educatedguesswork.org,2010://1.1495</id>

    <published>2010-03-11T09:03:39Z</published>
    <updated>2010-03-11T09:08:02Z</updated>

    <summary>This paper on a new fault-based attack on RSA has been making the rounds (Pellegrini, Bertacco, and Austin, &quot;Fault-Based Attack of RSA Authentication&quot;). The general idea here is that you have a system that is doing RSA signatures (e.g., an...</summary>
    <author>
        <name>EKR</name>
        
    </author>
    
        <category term="COMSEC" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.educatedguesswork.org/">
        <![CDATA[This <A HREF="http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf">paper</A> on a new fault-based attack on RSA has been making the rounds
(Pellegrini, Bertacco, and Austin, "Fault-Based Attack of RSA Authentication").
The general idea here is that you have a system that is doing RSA
signatures (e.g., an SSL/TLS Web Server). You induce faults in the
signature computation by reducing the power to the processor, which
causes the process to produce invalid signatures which can then be
analyzed by the attacker to recover the private key. They demonstrate
this attack on OpenSSL.
<P>
Theoretically, this is interesting, but I'm not sure how much practical
impact it has: in order to mount this attack, you need direct
physical access to the machine in order to control the input
voltage supply. Unless you're working with a computer that is fairly
heavily secured, physical access generally translates into being
able to take control of the device and extract the private key in
any case. Second, the attack as implemented was performed on an
FPGA-based SPARC implementation, and the researchers seem to have
directly controlled the input power to the processor. In most
computers (though DC-based datacenters may be different) the
power to the chip is pretty heavily controlled by the power
supply, and so it's at least an open question if you would be able to get
good control over the chip input voltage by manipulating the
AC line voltage. So, it's not like there are a huge number of
environments in which this attack would be feasible.
<P>
Based on my reading of this paper, because the attack relies on
invalid signatures, the simple countermeasure is just to check
signatures before you emit them, which OpenSSL doesn't
currently do (the authors call OpenSSL's
failure to do this a
"serious vulnerability", but I'm not sure I agree with this
characterization, since my understanding is that it's
pretty standard practice not to do so). Because RSA
signature verification is about 20x faster than RSA signature
generation, adding this additional check would not cause
significant performance overhead. However, even without this
countermeasure, this doesn't seem like a significant risk to
most uses of RSA.]]>
        
    </content>
</entry>

<entry>
    <title>Paris metro pricing for portapotties</title>
    <link rel="alternate" type="text/html" href="http://www.educatedguesswork.org/2010/02/paris_metro_pricing_for_portap.html" />
    <id>tag:www.educatedguesswork.org,2010://1.1494</id>

    <published>2010-03-01T05:29:29Z</published>
    <updated>2010-03-01T05:29:56Z</updated>

    <summary>A persistent problem at races is long lines for the portapotties. I&apos;ve actually missed the start of races because I was waiting in line. I&apos;ve often wished that races would sell some sort of premier access where you would pay...</summary>
    <author>
        <name>EKR</name>
        
    </author>
    
        <category term="Misc" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Sports" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.educatedguesswork.org/">
        <![CDATA[A persistent problem at races is long lines for the portapotties.
I've actually missed the start of races because I was waiting in
line. I've often wished that races would sell some sort of premier
access where you would pay a little extra on your race fee and get to
use special portapotties.  (This is effectively Odlyzko's <A
HREF="http://citeseer.ist.psu.edu/old/408976.html">Paris Metro
Pricing</A> idea applied to a different kind of uh, resource.)
Actually, what I would probably prefer would be a guarantee
that the race would have an extra premier toilet for each X racers
that paid for premier access.
<P>
Anyway, the New Orleans Rock and Roll Marathon seems to have
implemented a <A HREF="http://www.brooksrunning.com/Fun+Stuff/Rock+%27n%27+Roll+Marathon/Brooks+VIP+Porta+Potty/">more elaborate version</A>
of this:
<BLOCKQUOTE>
To get your race off to the best possible start, we'll have
comfortable, climate-controlled restroom trailers set up at the
starting line. Running water, flushing toilets, and some Run Happy®
surprises await.
<P>	  
To access this pre-race luxury, you'll need to snag a Brooks VIP Porta
Potty pass in one of two easy ways:
<BLOCKQUOTE>
1. Head to Varsity Sports between 2/1 and 2/27 and purchase $50 in Brooks or Moving Comfort apparel or Brooks shoes. Offer valid at both Varsity Sports locations.
<P>
OR
<P>
2. Come to the Rock 'n' Roll Mardi Gras Marathon™ & 1/2 Marathon Health and Fitness Expo on Friday 2/26, or Saturday 2/27, and purchase $150 in official Rock 'n' Roll Marathon merchandise, Brooks apparel or shoes, or Moving Comfort apparel.
</BLOCKQUOTE>
<P>
Either way, you'll receive a sticker for your race bib. The sticker is
your race-day pass to Brooks' VIP Porta Potty, to be expertly staffed
by Varsity Sports volunteers and Brooks employees,
</BLOCKQUOTE>
<P>
It's hard to figure out how much this really costs: I don't wear
Brooks shoes, but presumably I could find some Brooks gear that would 
be comfortable, so figure like 20% of the amount you're expected to
spend, which isn't so bad. 
Anyway, I've got no objection to emptying my bladder in comfort, 
of course&mdash;and the portapotties at races can
get pretty bad&mdash;but really my priority is being able to
go without having to wait. I'd be interested to hear from anyone
who was at this event and used this service how long the line was.




]]>
        
    </content>
</entry>

<entry>
    <title>Some notes on DNSCurve</title>
    <link rel="alternate" type="text/html" href="http://www.educatedguesswork.org/2010/02/some_notes_on_dnscurve.html" />
    <id>tag:www.educatedguesswork.org,2010://1.1493</id>

    <published>2010-02-26T04:59:09Z</published>
    <updated>2010-02-26T05:02:26Z</updated>

    <summary>OpenDNS (a free DNS service) has decided to adopt DNSCurve to secure its traffic. Some background might be helpful here: DNS, of course, is susceptible to a variety of forgery attacks, which is why the IETF has spent approximately 10...</summary>
    <author>
        <name>EKR</name>
        
    </author>
    
        <category term="COMSEC" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="DNS" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.educatedguesswork.org/">
        <![CDATA[<A HREF="http://www.opendns.com/">OpenDNS</A> (a free DNS service) has
decided to <A
HREF="http://blog.opendns.com/2010/02/23/opendns-dnscurve/">adopt
DNSCurve</A> to secure its traffic. Some background might be helpful
here: DNS, of course, is susceptible to a variety of forgery attacks,
which is why the IETF has spent approximately 10 trillion man hours
developing <A HREF="http://www.dnssec.net/">DNSSEC</A>.  There's a
fair amount of dissatisfaction with DNSSEC (I'm not that thrilled with
it either) and Dan Bernstein has developed an alternative called <A
HREF="http://dnscurve.org/">DNSCurve</A>.
<P>
At a very high level, the approaches stack up like this:
<UL>
<LI>DNSSEC is an <I>object security</I> system. Each DNS
zone has an asymmetric (public/private) key pair which is used
to sign the records in the zone. 
<LI>DNSCurve is a <I>channel security</I> system. Each DNS
server has a Diffie-Hellman (actually ECDH) key pair.
When a client connects to the server, it does an ECDH key
exchange and the shared key is used to authenticate 
traffic between the client and server.
</UL>
<P>
The primary argument for DNSCurve seems to be performance: DNSCurve has better
performance than DNSSEC in two respects: the packets are smaller
and under certain conditions the load on the server is lower.
These properties are related but not identical. The packets are
smaller partly because DNSCurve replaces the digital signature with a
symmetric integrity check. These can be a lot smaller than
digital signatures using RSA (and a fair bit smaller than even
the smallest digital signatures). Second, because DNSCurve
uses elliptic curve cryptography, the keys that need to
be carried in packets are smaller. (This is mostly relevant in
packets which carry the key for a zone rather than packets
which carry other data).
<P>
The packet size argument is straightforward. The load argument
is more complicated. As I noted above, DNSCurve uses elliptic curve
cryptography, which is faster and has smaller keys than RSA (the basic
algorithm used by DNSSEC). This means that it's inherently faster to
set up a DNSCurve association than it is to sign a DNSSEC record using
RSA. In addition, DNSCurve has a mechanism for the client and server
to cache the DH shared secret. The upshot of this is that
it's substantially cheaper to authenticate a new DNS record with
DNSCurve than it is with DNSSEC. 
In the worst case, it involves an ECDH operation. 
In the best case, it just involves a symmetric crypto operation. 
So, in this respect the performance of DNSCurve is superior.
<P>
However, this isn't really a heads-up comparison: in the DNSSEC
model, you sign the zone once whenever it changes (possibly using
a key that's kept offline) and then just send copies of it to
any requester, so no cryptographic operations are needed after
the initial signature. By contrast, because DNSCurve uses 
a symmetric, rather than asymmetric, integrity mechanism,
the DNS server needs to compute that integrity check for each
new request. This means that while DNSCurve is faster if
you change your DNS data frequently and don't serve that
many requests, it's slower if you don't change it often but
serve a lot of requests.
In addition, it means that while DNSSEC signing can be done
offline with a key that is never on an Internet accessible machine,
DNSCurve requires that the private key to the zone be kept
on the DNS server, thus potentially exposing it to theft if
the server is compromised. By contrast, if DNSSEC is used in
an offline signing mode, then compromise of the server does not
enable forgery attacks. 
Where DNSCurve has a major
advantage is if your server provides dynamic responses
(e.g., for DNS load balancing), in which case offline signing
isn't that useful and the performance advantage of DNSCurve
is most significant. 
<P>
It's also worth noting that the use of faster algorithms isn't
an inherent advantage of DNSCurve. DNSSEC (like all relatively
modern COMSEC protocols) supports multiple algorithms and there
have been proposals to add ECC (see, for instance,
<A HREF="http://tools.ietf.org/html/draft-hoffman-dnssec-ecdsa-01">draft-hoffman-dnssec-ecdsa</A>). An ECDSA-enabled DNSSEC would still be
slower than DNSCurve if run in a dynamic environment, but
performance would be a lot closer and how much slower would
depend on how many repeat requests you got from the same client;
if each client only makes one request, then performance would
be more or less equivalent. The packet size of ECC DNSSEC would be
a little worse, but probably not enough worse to make a big
difference.
<P>
This isn't to say that there aren't other factors to consider
(see the <A HREF="http://dnscurve.org/">DNSCurve site</A> for
the other arguments in favor of DNSCurve). However, the performance
argument doesn't seem to me to be dispositive, since which
solution is faster depends on your deployment model and assumptions
about the client environment.]]>
        
    </content>
</entry>

<entry>
    <title>Please put your hands in the gas plasma</title>
    <link rel="alternate" type="text/html" href="http://www.educatedguesswork.org/2010/02/please_put_your_hands_in_the_g.html" />
    <id>tag:www.educatedguesswork.org,2010://1.1492</id>

    <published>2010-02-15T05:38:37Z</published>
    <updated>2010-02-15T05:39:00Z</updated>

    <summary>OK, so I thought that the Dyson Blade dryer was scary, but check this out: gas plasma-based hand sanitizers. Plasmas engineered to zap microorganisms aren&apos;t new. During the last decade, they have come into use to sterilize some medical instruments....</summary>
    <author>
        <name>EKR</name>
        
    </author>
    
        <category term="Biology" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.educatedguesswork.org/">
        <![CDATA[OK, so I thought that the <A HREF="http://www.educatedguesswork.org/2008/11/first_look_dyson_handchopper.html">Dyson Blade dryer</A> was scary, but
check <A HREF="http://www.nytimes.com/2010/02/14/business/14novel.html?ref=technology">this</A> out: gas plasma-based hand sanitizers.
<BLOCKQUOTE>
Plasmas engineered to zap microorganisms aren't new. During the last
decade, they have come into use to sterilize some medical
instruments. But using them on human tissue is another matter, said
Mark Kushner, director of the Michigan Institute for Plasma Science
and Engineering and a professor at the University of Michigan in Ann
Arbor. "Many thousands of volts drive the generation of plasma," he
said, "and normally one doesn't want to touch thousands of volts." But
the design of the new hand sanitizers, he said, protects people from
doing so. Reassured by that design, about five years ago he put his
naked thumb into a jet of microbe-destroying plasma at the lab of
another plasma researcher.
<P>
...
<P>
The plasma cleaners make their antibacterial cocktails by running
electrical current through air, said David B. Graves, a professor of
chemical engineering at the University of California, Berkeley, who
has worked on low-temperature plasma applications for 25 years.
<P>
Professor Graves is doing computer simulations of the chemical
reactions that occur in the Morfill plasmas. The electric current
ionizes the oxygen, nitrogen and water vapor in the air, he said,
eventually creating the nitric oxide, hydrogen peroxide and particles
that are so effective against bacteria, viruses and fungi.
</BLOCKQUOTE>
<P>
OK, so I'm sold that it probably won't burn my hand off, but that
doesn't necessarily mean that it's something I want to expose my
hands to. Nitric oxide, for instance, is not 
<A HREF="http://www.vngas.com/pdf/g60.pdf">very good for you</A>:
<BLOCKQUOTE>
Nitric oxide vapors are a strong irritant to the pulmonary tract. At
high concentrations initial symptoms of inhalation may be moderate and
include irritation to the throat, tightness of the chest, headache,
nausea and gradual loss of strength. Severe symptoms may be delayed
(possible for several hours) and include cyanosis, increased
difficulty in breathing, irregular respiration, lassitude and possible
eventual death due to pulmonary edema in untreated cases.
</BLOCKQUOTE>
<P>
That sure sounds like fun!
<P>
Seriously, the relevant question here is how wide the difference
is between the level at which the relevant chemicals deactivate
bacteria, viruses, etc. and the level at which they cause 
side effects in humans. If there's a wide gap, then great, but
if not, then we have to worry about how well the plasma generator
is calibrated. In addition, there's the question of the effect
of regular exposure (e.g., for health care workers). I'll be 
interested to see what safety studies show.






]]>
        
    </content>
</entry>

<entry>
    <title>EVT/WOTE Call For Papers</title>
    <link rel="alternate" type="text/html" href="http://www.educatedguesswork.org/2010/02/evtwote_call_for_papers.html" />
    <id>tag:www.educatedguesswork.org,2010://1.1491</id>

    <published>2010-02-15T04:37:34Z</published>
    <updated>2010-02-15T04:40:26Z</updated>

    <summary>The EVT/WOTE 2010 Call For Papers is http://www.usenix.org/events/evtwote10/cfp/ out. This year, Doug Jones, Jean-Jacques Quisquater, and I are co-PC chairs (can you have three co-chairs?) Submit early, submit often...</summary>
    <author>
        <name>EKR</name>
        
    </author>
    
        <category term="Voting" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.educatedguesswork.org/">
        <![CDATA[The EVT/WOTE 2010 Call For Papers is <A
HREF="http://www.usenix.org/events/evtwote10/cfp/">http://www.usenix.org/events/evtwote10/cfp/</A> out. This year, Doug Jones,
Jean-Jacques Quisquater, and I are co-PC chairs
(can you have three co-chairs?) Submit early, submit often



]]>
        
    </content>
</entry>

<entry>
    <title>Half full/half hosed</title>
    <link rel="alternate" type="text/html" href="http://www.educatedguesswork.org/2010/02/half_fullhalf_hosed.html" />
    <id>tag:www.educatedguesswork.org,2010://1.1490</id>

    <published>2010-02-09T04:58:01Z</published>
    <updated>2010-02-09T04:58:48Z</updated>

    <summary>I recently had occasion to rent a car from Enterprise (long story). As I picked up the car and prepared to drive away, I noticed that the tank was only half full. I pointed this out to the customer service...</summary>
    <author>
        <name>EKR</name>
        
    </author>
    
        <category term="Misc" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Outstanding!" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.educatedguesswork.org/">
        <![CDATA[I recently had occasion to rent a car from Enterprise (long story).
As I picked up the car and prepared to drive away, I noticed 
that the tank was only half full. I pointed this out to the 
customer service guy and he informed me that this was part
of their new "half full/half empty policy", i.e., ordinarily
you get the car full and you bring it back full. Here, 
they give it to you half full and you bring it back half full.
I couldn't quite tell if this was what Enterprise always
does now or just something they sometimes do, but while
it seems superficially the same as the original policy,
it's actually quite a bit worse for the renter.
<P>
With 
the old policy, life was simple: you found a gas station
close to the car return, filled up the tank, maybe grabbed
a receipt, and dropped the car off. 
By contrast, what happens here is that you drive around,
filling up the tank if necessary, and at some point you
need to return the car. If you're over 1/2 full then you
just end up gifting the remainder to Enterprise 
(who can just fill up the tank completely and require the
next customer to return it full). (What, you were going
to drive the car around until you had burned up the gas?
Or maybe you were going to siphon it out into some 
empty Gatorade bottles...) You could, of course, never fill
the tank above 1/2 way, but this is a huge pain.
Even if you're lucky enough to be at less than 1/2 full
when you need to return the car, you're unlikely to be
exactly at 1/2, in 
which case you need to put some gas in. You're 
reasonably likely to overshoot (again, taking gas
out of the tank isn't easy), in which case Enterprise
again gets some free gas.
<P>
 Either way, this is likely to
be a win for Enterprise and a lose for you.



]]>
        
    </content>
</entry>

<entry>
    <title>More silliness on Internet credentials</title>
    <link rel="alternate" type="text/html" href="http://www.educatedguesswork.org/2010/02/more_silliness_on_internet_cre.html" />
    <id>tag:www.educatedguesswork.org,2010://1.1489</id>

    <published>2010-02-07T05:24:56Z</published>
    <updated>2010-02-07T05:25:19Z</updated>

    <summary>For some reason, the silly idea of universal personal authentication for Internet users seems to have an undue appeal on tech executives. Here&apos;s Barbara Kiviat reporting on Microsoft&apos;s Craig Mundie: What Mundie is proposing is to impose authentication. He draws...</summary>
    <author>
        <name>EKR</name>
        
    </author>
    
        <category term="COMSEC" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.educatedguesswork.org/">
        <![CDATA[For some reason, the silly idea of universal 
personal authentication for Internet users seems to have
an undue appeal on tech executives. 
<A HREF="http://curiouscapitalist.blogs.time.com/2010/01/30/drivers-licenses-for-the-internet/">Here's</A> Barbara Kiviat reporting on
Microsoft's Craig Mundie:
<BLOCKQUOTE>
What Mundie is proposing is to impose authentication. He draws an
analogy to automobile use. If you want to drive a car, you have to
have a license (not to mention an inspection, insurance, etc). If you
do something bad with that car, like break a law, there is the chance
that you will lose your license and be prevented from driving in the
future. In other words, there is a legal and social process for
imposing discipline. Mundie imagines three tiers of Internet ID: one
for people, one for machines and one for programs (which often act as
proxies for the other two).
<P>
...
<P>
Mundie pointed out that in the physical world we are implicitly
comfortable with the notion that there are certain places we're not
allowed to go without identifying ourselves. Are you allowed to walk
down the street with no one knowing who you are? Absolutely. Are you
allowed to walk into a bank vault and still not give your name?
Hardly.
</BLOCKQUOTE>
<P>
This is one of those ideas that comes up so often and initially
seems  like a natural analogy, but on closer inspection 
just starts to look confused.
<P>
First, a driver's license isn't principally a form of general
purpose authentication but rather a permit from the state to drive. It
has a biometric component in order to permit the police to determine
that you're the actual holder of the permit and not someone who just
has their license. Of course, because the license is so ubiquitous,
it's widely used as a form of general ID, but if you do something to
lose your license, the state will still issue you an identification
card; indeed you can generally get an id card even if you're
ineligible to drive. (Here's what California <A
HREF="http://www.dmv.ca.gov/dl/dl_info.htm#idcard">has to say</A>).
So, on the one hand Mundie says you don't have a right to complete
anonymity (which I at least sort of agree with) and that 
his proposed Internet driver's license would serve as a form
of ID and on the other hand, he suggests that you could lose
your right to use the Internet for some unspecified set of
misbehaviors. So, which is it, a permit or a form of ID?
<P>
Second, if it's a permit, under what conditions might it
be revoked? Having your machine compromised?
Failure to keep your software updated? If it's just
for bad system hygiene then you're going to see a huge
number of revocations. If it's for actual malfeasance
then aren't you just going to revoke the licenses of
people who would be in serious legal jeopardy in any 
case? Internet security problems come from two kinds of
users: those who are genuinely malicious and those who
are just careless. The problem with the first is
finding them, not punishing them once you've done so. As for the second,
revoking their right to use the Internet seems rather
excessive.
<P>
On the other hand, if the idea is to just have a form of
ID, then I don't really see why we need something
government sponsored. Can't sites decide for themselves
whether to try to authenticate you?








]]>
        
    </content>
</entry>

<entry>
    <title>Stop me before I sell myself again</title>
    <link rel="alternate" type="text/html" href="http://www.educatedguesswork.org/2010/02/stop_me_before_i_sell_myself_a.html" />
    <id>tag:www.educatedguesswork.org,2010://1.1488</id>

    <published>2010-02-03T05:22:48Z</published>
    <updated>2010-02-03T05:23:10Z</updated>

    <summary>My friend Terence just got written up in the Stranger as the first purchaser of Caleb Larsen&apos;s A Tool to Deceive and Slaughter (hereafter ATtDaS). Briefly, ATtDaS is a black cube with some electronics inside that, when connected to the...</summary>
    <author>
        <name>EKR</name>
        
    </author>
    
        <category term="Misc" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.educatedguesswork.org/">
        <![CDATA[My friend Terence just got <A
HREF="http://slog.thestranger.com/slog/archives/2010/02/02/buying-art-that-just-wants-to-escape-from-you-a-conversation-with-the-collector-of-a-tool-to-deceive-and-slaughter">written
up</A> in the Stranger as the first purchaser of Caleb Larsen's <A
HREF="http://www.caleblarsen.com/projects/a-tool-to-deceive-and-slaughter/">A
Tool to Deceive and Slaughter</A> (hereafter ATtDaS). Briefly, ATtDaS
is a black cube with some electronics inside that, when connected to
the Internet, attempts to sell itself on eBay.  (Current auction <A
HREF="http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=110489351313#ht_2778wt_1152">here</A>).
The purchaser is (allegedly) required to provide an Internet
connection (semi-absurd EULA can be found at the auction site. sample
quote: "Any failure to follow these terms without prior consent of
Artist will forfeit the status of the Artwork as a legitimate work of
art. The item will no longer be considered a genuine work by the
Artist and any value associated with it will be reduced to its value
as a material object and not a work of art.")
and has to kick back 15% of the profits from the sale
to Larsen. 
<P>
Terence paid a stupefying $6400 for the privilege of not-really
owning this object. Here's what he has to say for himself:
<BLOCKQUOTE>
It sort of uniformly falls into two categories: either, That's an
enormously appealing, thought-provoking piece of art, or the other
thing is, That's the most foolish thing I've ever seen. They're really
defensive about it.
<P>
I hang out with a bunch of computer security people because I'm a
computer security person myself, so they want to know, are you going
to hack the box? Is there some way to put it behind a firewall to slow
it down so it can't sell itself? Which really adds a whole other
dimension because you buy the box and the box immediately starts
trying to escape from you. So part of the impulse is, is there a way I
can subvert the process of it trying to escape from me? By doing that,
you'd in some ways be removing the reason it's interesting.
</BLOCKQUOTE>
<P>
I'm (of course) one of the people who suggested that it be firewalled
off. Obviously, just firewalling it off would be cheating and
arguably violate the license agreement (not that I'm convinced
it's actually binding). But the natural security guy reaction
is to try to find some way to stop ATtDaS from selling itself
in some way that complies with the agreement. My suggestion was
to firewall off eBay alone, or just forge TCP RST packets.
This seems to me to qualify under the relevant term:
<BLOCKQUOTE>
Collector agrees that the Artwork will remain connected to a live Internet connection at all times, with disconnections allowed only for the transportation of the work from one venue to another.
</BLOCKQUOTE>
<P>
Option 2 seems to be to "transport" it from its current venue in
Seattle to a venue somewhere in the Himalayas via yak, Sherpa,
or the like. 
<P>
I tried to explain to Terence that this wasn't removing the
interesting part but rather taking an allegedly
subversive piece and going meta-subversive, but he didn't
bite. Some people just don't appreciate art.







]]>
        
    </content>
</entry>

<entry>
    <title>Google and China</title>
    <link rel="alternate" type="text/html" href="http://www.educatedguesswork.org/2010/01/google_and_china.html" />
    <id>tag:www.educatedguesswork.org,2010://1.1487</id>

    <published>2010-01-25T05:13:59Z</published>
    <updated>2010-01-25T05:14:15Z</updated>

    <summary>A fair bit has been written about Google&apos;s &quot;new approach to China&quot; Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our...</summary>
    <author>
        <name>EKR</name>
        
    </author>
    
        <category term="SYSSEC" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.educatedguesswork.org/">
        <![CDATA[A fair bit has been written about Google's 
"<A HREF="http://googleblog.blogspot.com/2010/01/new-approach-to-china.html">new approach to China</A>"
<BLOCKQUOTE>
Like many other well-known organizations, we face cyber attacks of
varying degrees on a regular basis. In mid-December, we detected a
highly sophisticated and targeted attack on our corporate
infrastructure originating from China that resulted in the theft of
intellectual property from Google. However, it soon became clear that
what at first appeared to be solely a security incident--albeit a
significant one--was something quite different.
<P>
...
<P>
Third, as part of this investigation but independent of the attack on
Google, we have discovered that the accounts of dozens of U.S.-,
China- and Europe-based Gmail users who are advocates of human rights
in China appear to have been routinely accessed by third
parties. These accounts have not been accessed through any security
breach at Google, but most likely via phishing scams or malware placed
on the users' computers.
<P>
...
<P>
These attacks and the surveillance they have uncovered--combined with
the attempts over the past year to further limit free speech on the
web--have led us to conclude that we should review the feasibility of
our business operations in China. We have decided we are no longer
willing to continue censoring our results on Google.cn, and so over
the next few weeks we will be discussing with the Chinese government
the basis on which we could operate an unfiltered search engine within
the law, if at all. We recognize that this may well mean having to
shut down Google.cn, and potentially our offices in China.
</BLOCKQUOTE>
<P>
<P>
I don't really see the connection between this incident and Google's
decision to stop offering filtered access to search queries in
China, at least in terms of protecting Google from future attacks.
Let's say for the sake of argument that not only did the
attacks originate in China but also (and as far as I know, this
is unproven) that they were directly sponsored by the Chinese government.
How does refusing to offer filtered searches help?  It's not like the
hackers (allegedly) used some vulnerability in the filtering software
as their attack vector.  Similarly, even if Google were to pull out of
China, or even cut off all access to Chinese IP addresses, Chinese
hackers aren't restricted to using IP addresses in Chinese address
ranges; they can perfectly well use machines which are located in the
US, either by using legitimately purchased accounts as stepping
stones, or by using compromised American hosts, of which there
are plenty. 
<P>
I don't have any inside information, but it seems to me like a more
plausible story (see this
<A HREF="http://www.slate.com/id/2241437/">Slate article</A>
for an alternate view) is that Google thinks the Chinese government is behind
these incidents and this is a way of retaliating against 
China, under the
assumption that China would prefer to have some Google than none.
I have no idea whether or not this is something China cares
about, however.
[Mrs. Guesswork observes that another theory is that Google
was previously cooperating with China's surveillance efforts and
feels like China overstepped their agreement.]
<P>
On a different note, it has been fairly widely reported that an IE 0-day was
<A HREF="http://tech.slashdot.org/story/10/01/15/0013239/IE-0-Day-Flaw-Used-In-Chinese-Attack">used in the attack</A>, but Bruce Schneier claims that the hackers
exploited a Google-created backdoor 
<A HREF="http://www.cnn.com/2010/OPINION/01/23/schneier.google.hacking/index.html">intended for lawful intercept</A> (though he doesn't provide any 
sources):
<BLOCKQUOTE>
(CNN) -- Google made headlines when it went public with the fact that
Chinese hackers had penetrated some of its services, such as Gmail, in
a politically motivated attempt at intelligence gathering. The news
here isn't that Chinese hackers engage in these activities or that
their attempts are technically sophisticated -- we knew that already
-- it's that the U.S. government inadvertently aided the hackers.
<P>
In
order to comply with government search warrants on user data, Google
created a backdoor access system into Gmail accounts. This feature is
what the Chinese hackers exploited to gain access.
</BLOCKQUOTE>
<P>
Of course, both of these can be true. Even if Google built a 
surveillance tool for the purpose of lawful intercept, presumably
it wasn't something you could just connect to without
authorization, so I would imagine that you would need to do
some hacking to get access to it (unless, of course, the
password is "1234"). 





]]>
        
    </content>
</entry>

<entry>
    <title>Free space shuttle engine</title>
    <link rel="alternate" type="text/html" href="http://www.educatedguesswork.org/2010/01/free_space_shuttle_engine.html" />
    <id>tag:www.educatedguesswork.org,2010://1.1485</id>

    <published>2010-01-18T06:46:38Z</published>
    <updated>2010-01-18T06:47:36Z</updated>

    <summary>The NYT reports that NASA has cut the price of used space shuttles to $28.8 million, plus what I imagine is some rather expensive transportation. I&apos;m also having some trouble figuring out how you&apos;re going to get it to the...</summary>
    <author>
        <name>EKR</name>
        
    </author>
    
        <category term="Gear" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.educatedguesswork.org/">
        <![CDATA[The NYT <A HREF="http://www.nytimes.com/2010/01/17/science/space/17nasa.html?ref=science">reports</A> that NASA has cut the price of used space shuttles
to $28.8 million, plus what I imagine is some rather expensive 
transportation. I'm also having some trouble figuring out how you're
going to get it to the Space Shuttle shop to be checked out
by their mechanic.
<P>
The main engines on the other hand, are a different story:
<P>
<BLOCKQUOTE>
As for the space shuttle main engines, those are now free. NASA
advertised them in December 2008 for $400,000 to $800,000 each, but no
one expressed interest. So now the engines are available, along with
other shuttle artifacts, for the cost of transportation and handling.
</BLOCKQUOTE>
<P>
<A HREF="http://en.wikipedia.org/wiki/Space_shuttle_main_engine">Space shuttle main
engines</A> appear to be relatively compact, around 5'x15' and 7000 lb,
so about the size/mass of a Cadillac Escalade, but with exponentially
worse gas mileage. Seems like you could
get one onto a flatbed and have it shipped to your house for around
$1000. Not sure what you'd do with it, though; maybe speed up your
4th of July BBQ. 
]]>
        
    </content>
</entry>

<entry>
    <title>Predicting motorcycle prices</title>
    <link rel="alternate" type="text/html" href="http://www.educatedguesswork.org/2010/01/predicting_motorcycle_prices.html" />
    <id>tag:www.educatedguesswork.org,2010://1.1484</id>

    <published>2010-01-09T16:19:14Z</published>
    <updated>2010-01-09T16:23:59Z</updated>

    <summary>I&apos;m in the market for a new motorcycle and have been looking at the BMW R1150GS/R1200GS. Like cars, motorcycles have a lot of depreciation the minute they pull off the lot, and because you&apos;re fairly likely to drop your bike...</summary>
    <author>
        <name>EKR</name>
        
    </author>
    
        <category term="Gear" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="Overthinking" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.educatedguesswork.org/">
        <![CDATA[I'm in the market for a new motorcycle and have been looking at the
BMW R1150GS/R1200GS. Like cars, motorcycles have a lot of
depreciation the minute they pull off the lot, and because
you're fairly likely to drop your bike anyway, most people I know
figure you might as well buy pre-dropped and look for a
used model. But once you're buying used you have the problem
of figuring out how much you should pay. KBB 
<A HREF="http://www.kbb.com/motorcycle">motorcycles</A> isn't
much help here because the market is small and the mileage varies
a lot.
<P>
An alternate approach is to mine the available data on what
people are offering vehicles for and use this to build an
analytical model for predicting prices; this lets us figure
out what the appropriate asking (which isn't the same as fair;
more on this later) price for a new vehicle is and identify outliers
in either direction.
<P>
Below, you can find the list of the relevant bikes on sale on CL for
the past week or so:
<P>
<!-- html table generated in R 2.8.1 by xtable 1.5-5 package -->
<!-- Sat Jan  9 07:45:32 2010 -->
<TABLE border=1>
<TR> <TH>  </TH> <TH> Asking </TH> <TH> Model </TH> <TH> Year </TH> <TH> Mileage </TH>  </TR>
  <TR> <TD align="right"> 1 </TD> <TD align="right"> 7650 </TD> <TD> 1150GS </TD> <TD align="right"> 2002 </TD> <TD align="right"> 25000 </TD> </TR>
  <TR> <TD align="right"> 2 </TD> <TD align="right"> 7900 </TD> <TD> 1150GS </TD> <TD align="right"> 2001 </TD> <TD align="right"> 54000 </TD> </TR>
  <TR> <TD align="right"> 3 </TD> <TD align="right"> 14500 </TD> <TD> 1200GSA </TD> <TD align="right"> 2006 </TD> <TD align="right"> 3700 </TD> </TR>
  <TR> <TD align="right"> 4 </TD> <TD align="right"> 8500 </TD> <TD> 1200GS </TD> <TD align="right"> 2005 </TD> <TD align="right"> 54000 </TD> </TR>
  <TR> <TD align="right"> 5 </TD> <TD align="right"> 13700 </TD> <TD> 1200GS </TD> <TD align="right"> 2007 </TD> <TD align="right"> 3658 </TD> </TR>
  <TR> <TD align="right"> 6 </TD> <TD align="right"> 7400 </TD> <TD> 1150GSA </TD> <TD align="right"> 2004 </TD> <TD align="right"> 60000 </TD> </TR>
  <TR> <TD align="right"> 7 </TD> <TD align="right"> 5500 </TD> <TD> 1100GS </TD> <TD align="right"> 1996 </TD> <TD align="right"> 23000 </TD> </TR>
  <TR> <TD align="right"> 8 </TD> <TD align="right"> 11500 </TD> <TD> 1200GS </TD> <TD align="right"> 2005 </TD> <TD align="right"> 12000 </TD> </TR>
  <TR> <TD align="right"> 9 </TD> <TD align="right"> 7200 </TD> <TD> 1150GS </TD> <TD align="right"> 2002 </TD> <TD align="right"> 40000 </TD> </TR>
  <TR> <TD align="right"> 10 </TD> <TD align="right"> 11950 </TD> <TD> 1200GS </TD> <TD align="right"> 2008 </TD> <TD align="right"> 29000 </TD> </TR>
  <TR> <TD align="right"> 11 </TD> <TD align="right"> 9600 </TD> <TD> 1200GS </TD> <TD align="right"> 2005 </TD> <TD align="right"> 39000 </TD> </TR>
   </TABLE>
<P>
I used a simple OLS regression model to fit this data, using 
the model year and mileage for the bike. The result is:
<PRE>
summary(fit2)

Call:
lm(formula = d2$Asking ~ d2$Year + d2$Mileage)

Residuals:
      Min        1Q    Median        3Q       Max 
-1360.040  -353.520  -150.358     2.140  1708.510 

Coefficients:
              Estimate Std. Error t value Pr(>|t|)    
(Intercept) -1.201e+06  1.889e+05  -6.359 0.000218 ***
d2$Year      6.056e+02  9.423e+01   6.426 0.000203 ***
d2$Mileage  -7.631e-02  1.578e-02  -4.836 0.001294 ** 
---
Signif. codes:  0 '***' 0.001 '**' 0.01 '*' 0.05 '.' 0.1 ' ' 1 

Residual standard error: 975.1 on 8 degrees of freedom
Multiple R-squared: 0.9108,	Adjusted R-squared: 0.8885 
F-statistic: 40.84 on 2 and 8 DF,  p-value: 6.335e-05 
</PRE>
<P>
Our model predicts that each year the bike is on the road
it loses about $600 in value and that it loses about $76
for each 1000 miles it has. [Note that I'm treating
mileage and age as independent variables; it might make
more sense to try to estimate "excess" mileage over some
base value, but I don't have the baseline data I would
need.] In any case, we're doing pretty well here: with
only two predictors we are accounting for around 90% of
the price variation. We can see this visually by plotting
the price points against the best fit plane, as below:
<P>
<PRE>
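library(scatterplot3d)
# Scatter the listings in (Year, Mileage, Asking) space
s3d <- scatterplot3d(d2$Asking~d2$Year+d2$Mileage,xlab="Year",ylab="Mileage",zlab="Asking")
# Project the observed points and the model's fitted values into plot coordinates
# (fit2 is the lm() model summarized above)
orig <- s3d$xyz.convert(d2$Year,d2$Mileage,d2$Asking)
plane <- s3d$xyz.convert(d2$Year,d2$Mileage,fitted(fit2))
# Index 2 (red, solid) for positive residuals, index 1 (blue, dashed) for negative
i.negpos <- 1 + (resid(fit2)>0)
segments(orig$x,orig$y, plane$x,plane$y, col=c("blue","red")[i.negpos],lty=(2:1)[i.negpos])
# Draw the best-fit plane
s3d$plane3d(fit2)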
</PRE>
(code ripped off from <A HREF="http://addictedtor.free.fr/graphiques/RGraphGallery.php?graph=44">here</A>).
<P>
<IMG SRC="http://www.educatedguesswork.org/blog-images/bike-prices.png">
<P>
Points above the plane (shown with red lines) are likely 
too expensive and points below (with blue lines) are worth
checking out to see if they're good deals.
<P>
Obviously, we're excluding a lot of variables here. We haven't
captured the condition of the bike, how desperate/motivated the
seller is to get rid of it, what accessories it has, etc. 
Looking more closely at the data, the two most 
comparatively expensive bikes seem to come with a few 
more accessories, so this may have led the owners to think
they could extract more money (I don't think this is really
true, however, since often those items are valuable only
to the original owner). For the purposes of selecting
good deals, we would also like to know how flexible the
seller's price is. It's possible that someone lowballing
the price will also be less flexible because they've
already built that discount into their price. On the
other hand, they could be more motivated, so that
could cut in the other direction.
It would be interesting to get secondary data on how much
these bikes actually sell for [you could get some of that
information by seeing if repeated postings have lower prices],
but while that data is available for houses I don't think it is for bikes.
]]>
        
    </content>
</entry>

<entry>
    <title>New data on running shoes</title>
    <link rel="alternate" type="text/html" href="http://www.educatedguesswork.org/2010/01/new_data_on_running_shoes.html" />
    <id>tag:www.educatedguesswork.org,2010://1.1483</id>

    <published>2010-01-09T05:14:13Z</published>
    <updated>2010-01-09T05:14:37Z</updated>

    <summary>Jennifer Leigh sent me a pointer to this article suggesting that running shoes put more stress on your legs. Sixty-eight healthy young adult runners (37 women), who run in typical, currently available running shoes, were selected from the general population....</summary>
    <author>
        <name>EKR</name>
        
    </author>
    
        <category term="Sports" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.educatedguesswork.org/">
        <![CDATA[Jennifer Leigh sent me a pointer to 
<A HREF="http://www.sciencedaily.com/releases/2010/01/100104122310.htm">this
article</A> suggesting that running shoes put <I>more</I>
stress on your legs.
<BLOCKQUOTE>
Sixty-eight healthy young adult runners (37 women), who run in
typical, currently available running shoes, were selected from the
general population. None had any history of musculoskeletal injury and
each ran at least 15 miles per week. A running shoe, selected for its
neutral classification and design characteristics typical of most
running footwear, was provided to all runners. Using a treadmill and a
motion analysis system, each subject was observed running barefoot and
with shoes. Data were collected at each runner's comfortable running
pace after a warm-up period.
<P>
The researchers observed increased joint torques at the hip, knee and
ankle with running shoes compared with running
barefoot. Disproportionately large increases were observed in the hip
internal rotation torque and in the knee flexion and knee varus
torques. An average 54% increase in the hip internal rotation torque,
a 36% increase in knee flexion torque, and a 38% increase in knee
varus torque were measured when running in running shoes compared with
barefoot.
</BLOCKQUOTE>
<P>
Seeing as hip, knee, and ankle are major running injury sites&mdash;
in fact, practically every major running injury I've ever had has been
either at the knee or the ankle&mdash;this seems like it's something
to pay attention to. The authors recommend that "Reducing joint
torques with footwear completely to that of barefoot running, while
providing meaningful footwear functions, especially compliance, should
be the goal of new footwear designs."  I already wear a relatively
compliant shoe, the Inov-8 295, and while I don't have any data,
it seems to have had a positive impact on a persistent ankle
injury that has plagued me for years. I'd be interested to see
this study repeated with a shoe deliberately designed to be
as barefoot-like as possible like the Inov-8.
<P>
I do have a pair of the Vibram FiveFingers shoes, and while the advertising
literature clearly suggests that you can run in them, I haven't really
been brave enough to try it. There seem to me to be two issues here:
First, the soles provide some protection but they're pretty 
flexible; I'm not sure that if you stepped directly on a rock it wouldn't
be unpleasant. So, it seems like you would have to be a bit
careful on trails. By contrast, asphalt is so unforgiving you
would really need to have ideal form in order to avoid having
some pretty serious impact forces. 
I'm still planning to go for a short run on a trail at some point,
but I figure on taking it slow.




]]>
        
    </content>
</entry>

<entry>
    <title>Airport Arrival Cameras</title>
    <link rel="alternate" type="text/html" href="http://www.educatedguesswork.org/2010/01/airport_arrival_cameras.html" />
    <id>tag:www.educatedguesswork.org,2010://1.1482</id>

    <published>2010-01-06T07:17:48Z</published>
    <updated>2010-01-06T07:31:27Z</updated>

    <summary>Check out this picture of the arrival escalator at SFO: I&apos;m not sure exactly what all these gizmos are, but they seem to be some sort of cameras. and one flashed at me as I was coming down the escalator...</summary>
    <author>
        <name>EKR</name>
        
    </author>
    
        <category term="Security: Airport" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.educatedguesswork.org/">
        <![CDATA[Check out this picture of the arrival escalator at SFO:
<P>
<A HREF="http://www.educatedguesswork.org/blog-images/cameras.jpg">
<IMG SRC="http://www.educatedguesswork.org/blog-images/cameras.jpg" WIDTH="400">
</A>
<P>
I'm not sure exactly what all these gizmos are, but they seem to
be some sort of cameras, and one flashed at me as I was coming
down the escalator to baggage claim. Note that even though I was coming in 
from Canada, these are positioned in domestic arrivals, so it's
not just a matter of recording people entering the country.
On the other hand, I didn't see any cameras on other levels,
but maybe I just missed them.
<P>
P.S. Have you noticed how the new security measures that seem to
be inevitably introduced after attacks, while perhaps not particularly
effective, seem to line up pretty well with what the airlines
wanted anyway? The rationale for the post-9/11 physical 
identification requirements is to support the no-fly list, but it also
makes tickets non-transferable, which is good for airline revenues.
Similarly, the airlines would prefer that people stayed in their
seats (this makes beverage service, etc. easier) and brought
less carryon, and tada, TSA delivers. 
OK, that's overstating things a bit; I don't really
think TSA is deliberately designing security procedures to accommodate
the airlines, but their policies, which generally 
restrict passenger choices, have acted in a way that shifts
the balance of power between the airlines and their customers
in a way that the customers probably wouldn't have accepted if those
policies weren't presented as security measures.]]>
        
    </content>
</entry>

<entry>
    <title>Fastener of the decade</title>
    <link rel="alternate" type="text/html" href="http://www.educatedguesswork.org/2009/12/fastener_of_the_decade.html" />
    <id>tag:www.educatedguesswork.org,2009://1.1481</id>

    <published>2010-01-01T06:45:33Z</published>
    <updated>2010-01-01T06:46:57Z</updated>

    <summary>This decade retrospective post is in conformance with Section 123(a)(1)(j)(ii)(c) of the American Recovery and Reinvestment Act of 2009. During this decade, I had the opportunity to use many great fasteners, but in my opinion the best of these was...</summary>
    <author>
        <name>EKR</name>
        
    </author>
    
        <category term="Misc" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.educatedguesswork.org/">
        <![CDATA[This decade retrospective post is in conformance with 
Section 123(a)(1)(j)(ii)(c) of the 
<A HREF="http://en.wikipedia.org/wiki/American_Recovery_and_Reinvestment_Act_of_2009">American Recovery and Reinvestment Act of 2009</A>.
<P>
During this decade, I had the opportunity to use many
great fasteners, but in my opinion the best of these
was the 10-24 rack mount screw&mdash;Allen head, of course,
superior to the #2 Phillips (too finicky), and the
Robertson (too Canadian). Other excellent choices include the 
zip tie, 5 minute epoxy, and duct tape.]]>
        
    </content>
</entry>

<entry>
    <title>Making sense of the NYT on water safety</title>
    <link rel="alternate" type="text/html" href="http://www.educatedguesswork.org/2009/12/making_sense_of_the_nyt_on_wat.html" />
    <id>tag:www.educatedguesswork.org,2009://1.1480</id>

    <published>2010-01-01T04:12:23Z</published>
    <updated>2010-01-01T04:12:57Z</updated>

    <summary><![CDATA[I'm probably late to the party here but I wanted to make note of the NYT's recent article on water safety. (&thorn; Melanie Schoenberg). While there's certainly some stuff here one might be distressed about, the article is written in...]]></summary>
    <author>
        <name>EKR</name>
        
    </author>
    
        <category term="Biology" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.educatedguesswork.org/">
        <![CDATA[I'm probably late to the party here but I wanted to make note of
the NYT's recent
<A HREF="http://www.nytimes.com/2009/12/17/us/17water.html?pagewanted=all">article</A> on water safety. (&thorn; Melanie Schoenberg). 
While there's certainly some stuff here one might be distressed
about, the article is written in such a way that it's pretty
hard to evaluate how serious the issue actually is.
<P>
The article seems to make three major factual claims:
<UL>
<LI>The Safe Drinking Water Act only regulates a small fraction
of the potentially hazardous chemicals potentially found in drinking
water.
<LI>Many municipal water systems contain chemicals at levels which,
while legal, may be unsafe (e.g., are above EPA safe levels).
<LI>People are getting sick from this.
</UL>
I don't doubt that the first of these is true: according to the
article, 60,000 plus chemicals are used within the US (I'm actually
surprised it's this low, since the PDR has over 4000 drugs and
<A HREF="http://www.msds.com/">MSDS.COM</A> claims to have 3.5 million
data sheets), and it's not clear how you would plausibly
analyze all of these, let alone determine permissible levels for
each of these. I'm not saying this is desirable, but it's not
necessarily a disaster either. Ultimately, you can either
have a "default accept" or "default deny" policy here;
given how sensitive modern analytic techniques are,
if your policy is "default deny" you're going to spend a lot
of time removing trace concentrations of harmless chemicals
from your water supply. On the other hand if it's "default accept"
you're going to end up with a lot of chemicals in your water
that you don't really know are safe.
<P>
Given the first point, the second isn't surprising either. With that
said, I'm not sure that the Times is really representing the situation
that accurately. For instance, here's the <A
HREF="http://projects.nytimes.com/toxic-waters/contaminants/ca/santa-clara/ca4310009-city-of-palo-alto">report</A>
for Palo Alto, where I live. The Times reports "1 contaminant below
legal limits, but above health guidelines", with the contaminant being
alpha particle activity at a mean rate of 4.56 pCi/L. Let's see if we
can put this in perspective. Assume humans are made entirely of water
and rescale into kg, so we have 4e-12 Ci/kg of human body mass. A Ci
is 37e+9 disintegrations/s so multiplying out we have .148
disintegrations/kg/s.  If we assume that all the alpha particles are
from U-238, and the alpha particles are being emitted at 4.270 MeV (~
7e-13 J), then we get 1e-13 J/kg/s. If we assume that all of these are
absorbed (not crazy since alpha particles have a very short path in
the body) then we're getting 1e-13 Grays/s or 2e-12 Sv/s (multiply by
the 20 Q factor for alpha particles) or .03 mSv/year. For comparison,
the background level of radiation is 2.4 mSv/year.  Obviously this
isn't something you should be that thrilled about, but it's not clear
to me that a 1% increase in your radiation dose is that bad either.
<P>
Given that, why does the NYT list this as above the health level?
The answer seems to be that their safe value for alpha 
particles is <A HREF="http://projects.nytimes.com/toxic-waters/contaminants/about">zero</A> (the legal limit is 15 pCi/L): the maximum
level of alpha particle activity in neighboring 
<A HREF="http://projects.nytimes.com/toxic-waters/contaminants/ca/santa-clara/ca4310007-city-of-mountain-view">Mountain View</A>
is 2.56 pCi/L, but it's still listed as having 5 "above health"
samples (Chicago had one reading of .88 pCi/L and is also listed
as a positive).
This all makes me wonder if something is wrong here and the
NYT is showing false positives. Of course, when you're processing
a lot of data it's easy to 
make mistakes&mdash;assuming this is a mistake. 
It could be that I'm confused or that it's just the alpha
particle threshold that's too low. 
I e-mailed
the Times to ask them for a copy of the raw data, but I haven't
heard anything yet. 
<P>
This brings us to the final point: the Times 
<A HREF="http://www.nytimes.com/2009/12/17/us/17water.html?pagewanted=all">writes</A>:
<BLOCKQUOTE>
All told, more than 62 million Americans have been exposed since 2004
to drinking water that did not meet at least one commonly used
government health guideline intended to help protect people from
cancer or serious disease, according to an analysis by The Times of
more than 19 million drinking-water test results from the District of
Columbia and the 45 states that made data available.
<P>
...
<P>
And independent studies in such journals as Reviews of Environmental
Contamination and Toxicology; Environmental Health Perspectives;
American Journal of Public Health; and Archives of Environmental and
Occupational Health, as well as reports published by the National
Academy of Sciences, suggest that millions of Americans become sick
each year from drinking contaminated water, with maladies from upset
stomachs to cancer and birth defects.
</BLOCKQUOTE>
<P>
This seems to conflate a bunch of issues. There seems to be a lot
of variance in the data, with some tests showing positive results
and some negative results (or low levels) for the same toxin
even in the same area.
It's very
different to drink water with a toxin in it once than it is to
drink it every day for 10 years. I spent a couple days in
Boston in 2007, but I'm not overly concerned about the fact
that I might have been exposed to twice the legal limit of
<A HREF="http://projects.nytimes.com/toxic-waters/contaminants/ma/suffolk/ma6000000-mwra">haloacetic acids</A> in the two to four liters of water I
drank while I was there.
More generally, while one positive test
may qualify as an exposure, it's not clear what that means
as far as the real level of risk people are incurring. 
And of course there's a difference between cumulative toxins
(e.g., arsenic) and acute toxins (e.g., E. coli).
Speaking of E. coli, "maladies from upset stomachs to cancer and
birth defects" covers a lot of territory; it's one thing if
a sewer system occasionally fails to remove all the bacteria
from the water supply (not that that's good) and another if
it delivers hot and cold running cyanide from the tap.
<P>
Obviously, when you read this article you're supposed to be scared,
but the way the article is written (and the opaque data presentation)
doesn't make me feel like I have enough data to know if I should be or not.
<P>
P.S. San Francisco really does have 
<A HREF="http://projects.nytimes.com/toxic-waters/contaminants/ca/san-mateo/ca3810001-san-francisco-regional-water-system">great water</A>. Almost 
good enough to make up for destroying 
<A HREF="http://en.wikipedia.org/wiki/Hetch_Hetchy_Valley">Hetch Hetchy</A>.








					
]]>
        
    </content>
</entry>

</feed>