EKR: November 2004 Archives


November 30, 2004

I'm sure glad that the Bush Administration is protecting me from the serious threat of cheap shrimp.

November 29, 2004

A couple weeks ago I lost my first generation Pearl iZumi windproof jacket when I left it on the flight back from IETF. It seemed like a good time to replace it with a soft shell and I duly looked at the Marmot and Arc'teryx but Eu-Jin Goh pointed me to BeyondFleece, which makes semi-custom gear for substantially less than the equivalent off-the-rack stuff. You pick your basic jacket, can independently choose from an array of additional features (pockets, zippers, etc.) give them your measurements, and you get the stuff in about two weeks. The basic jacket I got (the Cold Fusion) starts at $159 and after I finished customizing it came up to $229, still substantially less than the competition. I'll report back once I have the jacket.

November 27, 2004

Looks like street prices of drugs in the UK are dropping:
Drug        Price in 1994   Price in 2003
Marijuana   14/eighth       10/eighth (2004)

It's also kind of interesting to check out the quotes that the Independent has chosen to illustrate the effects of each drug:


Jane, 33, started taking cocaine regularly five years ago

Jane didn't like cocaine the first time she tried it. But five years later she met a new partner whose friends were regular users.

"That time I loved it," she says. " I'd been to the pub for a birthday. I had quite a lot and we talked and talked and I had the best evening."

For about a year Jane took cocaine every weekend, spending £60 a time. "It isn't glamorous," she says. "Some of the places you snort it can be quite disgusting. But I had a brilliant time dancing all night. Then I split up with my partner and stopped seeing those people, and gradually stopped using cocaine. But I'd never say never.


Website post from a 17-year-old student turned prostitute:

Yesterday i saw my councellor (2 get off crack) finished college, did coursework. i then went to the area worked my arse off. some man let me into his house i stole 2 mobiles and a jewlery box filled with indian gold. i WALKED out, sold it and smoked all the riches of it. Was out until 6.30am, tooting. got home washed and went to college. getting picked up at 5 and gonna do the whole thing again. i just have not got the willpower to stop. i justify being a prostitute and smoking white with the fact im in college and i see a councellor. i dont wanna stop and yet i knowall the effects of this bullshit. someone please man. please.

Not too hard to figure out where they stand.


November 26, 2004

There's been a lot of pressure from HIV/AIDS activism groups for anti-HIV drug manufacturers to waive their patents (or to nationalize them) thus enabling the production of cheap generics for the Third World market. [*] [*].

The manufacturers, of course, are against it, not because they're evil, but because they're greedy. People in the Third World aren't a big market now, so it's not like the availability of cheap generics there would cut into the drug company's profits. What the manufacturers are primarily concerned about is the generics cutting into the current Western market, either through standards creep (what's the poorest country where you should be able to buy cheap generics?) or illegal diversion and reimportation.

What the manufacturers want to do, of course, is segment the market so that people in rich countries buy the expensive drugs rather than the cheap generics. In the current regime, they do this legally by patent and customs enforcement, but that's not the only kind of price discrimination. If the manufacturer can find a property that divides the poor and the rich, they can engage in Third Degree price discrimination. In this case, the property is simple: willingness to pay for health.

So, here's the modest (and, admittedly, pretty cold-blooded) proposal: dope the generics with some low-grade carcinogen. The idea is to choose a dosage that only modestly increases the risk of cancer, say by order 1%. This is a pretty small additional risk to bear if your alternative is to die of AIDS. On the other hand, if your alternative is to pay full price for your drugs, the additional cancer risk starts to look markedly less attractive, thus neatly separating the classes of customer based on willingness to pay.


November 25, 2004

... is that I don't have to eat turkey (which I hate) today. Here at EG central we'll be having Jamaican Jerk Chicken instead.

November 24, 2004

I just noticed that 10/100 Ethernet hubs are actually more expensive than 10/100 switches. For instance, at Amazon:

Netgear DS104 4 port hub        38.95
Netgear FS105 5 port switch     35.95
Linksys EFAH05W 5 port hub      31.84
Linksys EZXS55W 5 port switch   25.99

Some guesses:

  • They just sell more switches than hubs so it's an economy of scale thing.
  • It's economy of scale but because the 10/100 switch is the same platform internally as the 10/100/1000 switches (GigE normally only comes in switch form) they sell a lot of that platform and so they're cheaper.
  • It's market segmentation: people who need hubs need them for some reason (like they want to sniff traffic) and can't make do with switches (both taps and switches with port mirroring are a lot more expensive), so the manufacturers take the opportunity to charge them more.
Anyone know enough about the low-end networking hardware business to know for sure?

Though rabies is easy to prevent through vaccination, once symptoms set in it's almost 100% fatal. According to Medical News Today (link via Medpundit) a 15-year-old girl in Wisconsin has survived without vaccination:
Her doctors induced a coma in order to stop the spread of the infection. They then started administering a cocktail of drugs. A spinal tap after treatment showed that her immune system was effectively fighting off the virus. She was kept in coma for a week.

Dr Rodney Willoughby, Wisconsin's Children's Hospital, said "No one had really done this before, even in animals. None of the drugs are fancy. If this works it can be done in a lot of countries."


Rabies is a fairly big killer - about 100 people a day die from it (worldwide).

This is obviously a great result if it can be replicated, but I'm a little skeptical of how big an impact it will have. First, because vaccination is so readily available (40,000 or so people in the US receive rabies post-exposure prophylaxis each year, according to CDC), most people who get exposed already get vaccinated. My guess is that most rabies deaths occur in areas where medical care is lousy and vaccination is unavailable, making a week of fully supportive care a little problematic.

The second question is what shape the patient is in now. Rabies attacks the nervous system and I seem to remember reading that the people who have survived in the past had some fairly serious sequelae. So, is she just alive or did she make a full recovery? We'll need to wait for the journal article, I guess.

Even if this treatment works perfectly, it's going to be a pretty poor second best to vaccination. Vaccines have come a long way since Pasteur and the current series is 5 shots in the arm (rather than the belly), and side effects are minimal, so it's still the treatment of choice in cases of suspected rabies exposure.


November 23, 2004

Ed Felten's done some thinking about the various ways one could implement serial number embedding in color printouts and the privacy implications of the various techniques:
Do they use encryption, and if so, how? Even if we can find the dots and read out the digital bits they represent, we may not be able to tell what information those bits are encoding. They might be putting the model and serial number onto the page in such a way that we can learn to read them. Or perhaps they are encrypting the information so that we can't read out the identifying information but we can at least recognize whether two pages were printed on the same printer. Or perhaps they encrypt the information so that we can't tell anything without having some secret key.

If there is a secret key, who knows it? The key might be disclosed to the government so that they can extract the model and serial number from a page at will. (And if the U.S. government has the key, which other governments do?) Or the key might be known only to the printer vendor, so that the government needs the vendor's help to decode the dots. If they use public-key cryptography, then the decoding key might be known only to the government and not to the printer vendor.

Do they try to track who buys each printer? If they can extract the serial number, they might want to know who has that printer. They could try to track the passage of each individual printer through the supply chain, to get an idea of who might have bought it. They might also build a database of information gleaned through service calls and warranty registrations.

I don't have any detailed information about how this is implemented, but my intuition is that it's going to be something simple that doesn't do much to protect your privacy. Why? Because the system was almost certainly designed by the printer manufacturers at the request of the government (ours and those of other countries) and kept secret from us. With those incentives, we should expect that:

  1. It will provide the government with the maximal amount of forensic capabilities.
  2. It won't do anything complicated to protect our privacy, because that's not the core competency of printer manufacturers.

Given that, I'd be very surprised if the only capability offered was to be able to match a printout to a printer if the printer was in your possession, for two reasons. First, it's probably in general a lot harder to track down counterfeiters than it is to prosecute them. Second, it's likely already possible to link a given printer to a given printout due to slight imperfections in the printing process.

I'd be somewhat surprised if encryption were used, but if it is it's likely to be something like a symmetric key held by the manufacturer. This is relatively efficient, both in computational complexity and ciphertext size, and doesn't require too much heavy thinking.
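To make the three options above concrete, here is an added example (not code from the original post, and not how any real printer vendor does it) that encodes a printer identity three ways and shows who can learn what from each: plaintext, a keyed pseudonym (truncated HMAC) that hides the serial but lets anyone link two pages from the same printer, and a salted variant that even hides the linkage from people without the key. The vendor key, the serial numbers and the 64-bit tag budget are constructed for the example.

```python
# Added example, not code from the original post or from any printer vendor:
# three ways a page marker could encode a printer identity, and what each
# reveals to whoever finds the dots versus whoever holds the vendor's key.
# The key, the serial numbers and the 64-bit tag budget are constructed.
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

TAG_BYTES = 8                      # constructed: assume the dot pattern carries 64 bits


def encode_plaintext(model: str, serial: str) -> bytes:
    """Scheme A: model and serial in the clear. Anyone who decodes the dots learns both."""
    return f"{model}:{serial}".encode()


def decode_plaintext(payload: bytes) -> Tuple[str, str]:
    model, serial = payload.decode().split(":", 1)
    return model, serial


def encode_pseudonym(serial: str, vendor_key: bytes) -> bytes:
    """Scheme B: a keyed pseudonym (truncated HMAC). Without the key the tag says
    nothing about the serial, but it is constant per printer, so anyone can tell
    that two pages came from the same machine."""
    return hmac.new(vendor_key, serial.encode(), hashlib.sha256).digest()[:TAG_BYTES]


def same_printer(tag_a: bytes, tag_b: bytes) -> bool:
    """Linkability test available to everyone, key or no key."""
    return hmac.compare_digest(tag_a, tag_b)


def confirm_serial(tag: bytes, candidate: str, vendor_key: bytes) -> bool:
    """What the key holder can do: check one candidate serial against a tag."""
    return hmac.compare_digest(tag, encode_pseudonym(candidate, vendor_key))


def identify(tag: bytes, shipped_serials: Iterable[str], vendor_key: bytes) -> Optional[str]:
    """Key plus a list of shipped serials (sales or warranty records) turns the
    pseudonym back into an identity by searching that list. This is why a keyed
    tag is not anonymous when the input space is small enough to enumerate."""
    for serial in shipped_serials:
        if confirm_serial(tag, serial, vendor_key):
            return serial
    return None


def encode_salted(serial: str, vendor_key: bytes, salt: Optional[bytes] = None) -> bytes:
    """Scheme C: a fresh 4-byte salt per page, then 4 bytes of HMAC over salt||serial.
    Pages from the same printer now look unrelated to anyone without the key, yet
    the key holder can still confirm or search for the serial (with a 32-bit tag,
    expect a false match about once per 4 billion candidates)."""
    salt = os.urandom(4) if salt is None else salt
    mac = hmac.new(vendor_key, salt + serial.encode(), hashlib.sha256).digest()
    return salt + mac[:TAG_BYTES - 4]


def confirm_salted(tag: bytes, candidate: str, vendor_key: bytes) -> bool:
    salt = tag[:4]
    return hmac.compare_digest(tag, encode_salted(candidate, vendor_key, salt))


if __name__ == "__main__":
    key = b"constructed-vendor-key"
    shipped = ["SN-0001", "SN-0002", "SN-0003"]
    p1, p2 = encode_pseudonym("SN-0002", key), encode_pseudonym("SN-0002", key)
    print("scheme B links two pages:", same_printer(p1, p2))
    print("scheme B plus sales records identifies:", identify(p1, shipped, key))
    s1, s2 = encode_salted("SN-0002", key), encode_salted("SN-0002", key)
    print("scheme C links two pages:", same_printer(s1, s2))
    print("scheme C still identifiable with key:", confirm_salted(s1, "SN-0002", key))
```

The point the code makes is the one in the third quoted paragraph: whichever scheme is chosen, the party holding the key and the sales database gets the full serial back by a simple search, so the privacy difference between the schemes only matters for people who lack the key.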


November 22, 2004

John Kelsey responds to this news story on the cryptography mailing list:
>Currently, the federal government shares parts of the list with airlines,
>which are responsible for making sure suspected terrorists don't get on
>planes. People within the commercial aviation industry say the lists have
>the names of more than 100,000 people on them.

This is a goofy number. If there were 100,000 likely terrorists walking the
streets, we'd have buildings and planes and bus stops and restaurants blowing
up every day of the week. I'll bet you're risking your career if you ever take
someone off the watchlist who isn't a congressman or a member of the Saudi
royal family, but that it costs you nothing to add someone to the list. In
fact, I'll bet there are people whose performance evaluations note how many
people they added to the watchlist. This is what often seems to make
watchlists useless--eventually, your list of threats has expanded to include
Elvis Presley and John Lennon, and at that point, you're spending almost all
your time keeping an eye on (or harassing) random harmless bozos.

The point about incentives here is really important. A general problem with security systems is that the people responsible for providing security don't bear much of the cost of the security measures, but they tend to get hammered when a breach occurs (although come to think of it, nobody important seems to have lost their job over 9/11), so it's hard to get an efficient amount of security. You see this a lot in corporate IT environments, where the admins find it easier to just deny as many services as possible and claim "security".

That said, it's not entirely clear (at least to me) that an efficient system wouldn't mostly involve harassing a bunch of innocent people. The question is what the right balance of false positives and false negatives is. If each false positive costs you $.01 and each false negative costs you $3 billion, it's definitely worth erring on the false positive side...
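Here is that cost calculation carried through, as an added example that is not part of the original post. The $0.01 per false positive and $3 billion per false negative are the figures above; the passenger count, the threat base rate and the detector's operating points (how many real threats a list of a given size catches versus how many innocents it flags) are constructed for illustration.

```python
# Added example, not from the original post: picking a watchlist's operating
# point by expected cost. The $0.01 per false positive and $3 billion per false
# negative are the post's figures; the passenger count, threat base rate and the
# detector's (tpr, fpr) operating points are constructed for illustration.
from typing import List, Tuple

COST_FALSE_POSITIVE = 0.01      # from the post: hassle of one innocent traveller
COST_FALSE_NEGATIVE = 3e9       # from the post: one attacker who gets through

# Constructed detector curve: a longer list catches more real threats (higher
# tpr) at the price of flagging more innocents (higher fpr).
OPERATING_POINTS: List[Tuple[str, float, float]] = [
    ("tiny list",                    0.50,  1e-6),
    ("medium list",                  0.90,  1e-4),
    ("100,000 names",                0.99,  5e-4),
    ("everyone remotely suspicious", 0.999, 5e-2),
]

PASSENGERS = 700_000_000   # constructed: screenings per year
BASE_RATE = 1e-8           # constructed: about 7 real threats among them


def expected_cost(tpr: float, fpr: float, passengers: float = PASSENGERS,
                  base_rate: float = BASE_RATE, c_fp: float = COST_FALSE_POSITIVE,
                  c_fn: float = COST_FALSE_NEGATIVE) -> float:
    """Expected yearly cost: innocents wrongly flagged plus threats missed."""
    threats = passengers * base_rate
    innocents = passengers - threats
    return innocents * fpr * c_fp + threats * (1 - tpr) * c_fn


def flagged_innocents(fpr: float, passengers: float = PASSENGERS,
                      base_rate: float = BASE_RATE) -> float:
    """How many harmless people the list stops per year at this operating point."""
    return passengers * (1 - base_rate) * fpr


def best_operating_point(c_fp: float = COST_FALSE_POSITIVE,
                         points: List[Tuple[str, float, float]] = OPERATING_POINTS) -> str:
    """Label of the cheapest operating point for a given per-false-positive cost."""
    return min(points, key=lambda p: expected_cost(p[1], p[2], c_fp=c_fp))[0]


if __name__ == "__main__":
    for c_fp in (0.01, 100.0):
        label = best_operating_point(c_fp)
        fpr = next(p[2] for p in OPERATING_POINTS if p[0] == label)
        print(f"false positive at ${c_fp}: choose '{label}', "
              f"stopping {flagged_innocents(fpr):,.0f} innocents/year")
```

At a penny per false positive the cheapest list is the longest one, stopping tens of millions of innocent travellers a year; raise the per-person cost to $100 and the 100,000-name list wins instead. The answer is driven almost entirely by what one assumes a false positive costs, which is exactly the number nobody in the system is accountable for.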

Say you want to host multiple web sites on the same server. For instance, you want to have http://www.educatedguesswork.org/ go to this blog and http://www.ignorantcertainty.org/ go to its evil twin. Now, it's obviously easy to do if you have two machines, but that's not very efficient, especially if the web sites are fairly low traffic. What you want is virtual hosting--the appearance of having two servers on one physical machine.

There are two basic ways to make this work [1]. The first is to give the machine two IP addresses. You then have one virtual server listen on one IP and the other on the other (the exact implementation details don't matter). This is called IP-Based Virtual Hosting (IPBVH) and is the old-style way of doing things. The problem, of course, is that IP addresses are a scarce resource and so it's antisocial (and also kind of expensive) to grab enough IP addresses for every virtual host.

The modern way to do things is with Name-Based Virtual Hosting (NBVH). The way that this works is that the Web client provides the server's hostname in its HTTP request, like so:

GET / HTTP/1.1
Host: www.educatedguesswork.org:8080
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.5) Gecko/20041118 Firefox/1.0
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

Name-Based Virtual Hosting has two problems. The first is that it requires cooperation from the browser. That's not a big deal now because all browsers have done it for years. The second, larger, problem is that it doesn't work with SSL. The problem is that the SSL handshake happens before the first HTTP request is made, so the server doesn't know which certificate to use in its handshake. Because the certificate contains the host name (otherwise how would you know if you were talking to the right host?) this means that the hostname and cert generally won't match, which tends to freak users out. There is an update to SSL that puts the hostname in the SSL handshake (client cooperation again, naturally), but since it requires changes to the client it will be years before there's enough deployment to let you confidently use NBVH with SSL for most commercial applications.
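As an added example (not code from the original post or from Apache), here is the server-side half of NBVH, a dispatcher that parses the request head and picks a document root from the Host header, next to the client-side check that causes the SSL problem just described: the browser compares the name it asked for against the names in the certificate, and with one certificate serving every virtual host that comparison fails for all but one of them. The request bytes, the vhost table and the certificate names are constructed for the example.

```python
# Added example, not code from the original post: a minimal name-based
# virtual host dispatcher and the client-side certificate/hostname check
# that the post says makes NBVH over SSL awkward. The request bytes, the
# vhost table and the certificate names are constructed for this example.
from typing import Dict, Optional, Tuple

# Constructed vhost table: hostname -> document root. Like Apache, route()
# falls back to the first listed host when the Host header names none of them.
VHOSTS: Dict[str, str] = {
    "www.educatedguesswork.org": "/users/ekr/tmp/apache/htdocs/lh1",
    "www.ignorantcertainty.org": "/users/ekr/tmp/apache/htdocs/lh2",
}

# Constructed request, modelled on the one shown in the post (note the :port).
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.educatedguesswork.org:8080\r\n"
    b"User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.5) Gecko/20041118 Firefox/1.0\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split an HTTP/1.x request head into (request line, headers keyed by lowercase name)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def host_from_header(value: str) -> str:
    """Normalise a Host value: lowercase and drop an optional :port."""
    host = value.strip().lower()
    if host.startswith("["):                 # IPv6 literal such as [::1]:8080
        return host.split("]", 1)[0] + "]"
    return host.partition(":")[0]


def route(raw: bytes, vhosts: Dict[str, str] = VHOSTS) -> Tuple[int, Optional[str]]:
    """Pick the document root for a request. Returns (status, docroot).

    HTTP/1.1 requires a Host header, so its absence is a 400 (RFC 2616 s14.23).
    An HTTP/1.0 client sends none and gets the first (default) virtual host."""
    request_line, headers = parse_request(raw)
    version = request_line.rsplit(" ", 1)[-1]
    default_root = next(iter(vhosts.values()))
    if "host" not in headers:
        return (400, None) if version == "HTTP/1.1" else (200, default_root)
    return 200, vhosts.get(host_from_header(headers["host"]), default_root)


def cert_matches_host(host: str, cert_names) -> bool:
    """Client-side check: does the presented certificate name the host the user
    asked for? Accepts exact matches and a single leading wildcard label."""
    host = host.lower()
    for name in cert_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def ssl_vhost_outcome(host: str, cert_names) -> str:
    """What a browser shows when one certificate serves every name-based host."""
    return "ok" if cert_matches_host(host, cert_names) else "hostname mismatch warning"


if __name__ == "__main__":
    print(route(SAMPLE_REQUEST))
    one_cert_for_all = ["www.educatedguesswork.org"]
    for h in VHOSTS:
        print(h, "->", ssl_vhost_outcome(h, one_cert_for_all))
```

The dispatcher only ever sees the Host header after the SSL handshake is complete, which is the whole problem: by the time `route()` runs, the certificate has already been sent.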

There is, however, one situation in which NBVH with SSL works just fine--if you don't need the certificate to match the host. The most common situation where this applies is when you're using self-signed certificates rather than third-party certificates. In this environment, you either don't worry about active attack and don't have the users verify the certificate or have them verify the cert fingerprint manually and then trust it from there on (as in SSH). Even if you don't verify the certs at all, it's still better than not having SSL, and there's nothing wrong with the fingerprint method except that it's inconvenient.

In this mode, the server uses the same certificate for all requests, but then does virtual hosting for the HTTP portion. This works fine technically but it's a little hard to set up and the Apache documentation doesn't help much. However, Rob Austein and I got it working and here's an example of the relevant section of the httpd.conf file, with the comments removed:

AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

# The <IfModule> and <VirtualHost> container tags and the NameVirtualHost
# directive were lost when this page was extracted; they are restored here
# from the description in the text.
<IfModule mod_ssl.c>

NameVirtualHost *:443

SSLPassPhraseDialog  builtin
SSLSessionCache         dbm:/users/ekr/tmp/apache/logs/ssl_scache
SSLSessionCacheTimeout  300
SSLMutex  file:/users/ekr/tmp/apache/logs/ssl_mutex
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLLog      /users/ekr/tmp/apache/logs/ssl_engine_log
SSLLogLevel info
SSLCertificateFile /users/ekr/tmp/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /users/ekr/tmp/apache/conf/ssl.key/server.key

## SSL Virtual Host Context

<VirtualHost *:443>
#  General setup for the virtual host
#  (the original ServerName was lost in extraction; this value is a placeholder)
ServerName lh1.example.invalid
DocumentRoot "/users/ekr/tmp/apache/htdocs/lh1"
SSLEngine on
</VirtualHost>

<VirtualHost *:443>
#  General setup for the virtual host
#  (placeholder ServerName, as above)
ServerName lh2.example.invalid
DocumentRoot "/users/ekr/tmp/apache/htdocs/lh2"
SSLEngine on
</VirtualHost>

</IfModule>

There are two keys to making this work:

  1. The NameVirtualHost directive which lets you use name-based virtual hosts at all.
  2. Putting SSLEngine on in the virtual host directives.

Acknowledgements: Rob Austein and I worked on this together. I figured out how to make it work but I duplicated all of the SSL config directives in each VirtualHost clause. Rob figured out that you could move them to the main IfModule section, thus cleaning things up substantially.

[1] There's actually a third way to make this work: use a separate port for each host. The problem with that is that it requires users to remember the port as well as the hostname, which is pretty unattractive.

Holy crap! Amazon is now selling Automatic External Defibrillators (AEDs) for $1500. You may have seen these gizmos in airplanes, but now you can get one for your home use. Heck, at these prices you can afford one for every room in your house. Never be out of reach of life-saving electrical shocks again!

Seriously, though, this is pretty cool. Defibrillators + CPR are really much better than CPR alone. And from what I understand the modern AEDs are pretty easy to use even with no training.


November 21, 2004

Last night Lisa and I watched Shaolin Soccer. It's almost indescribable, but highly entertaining. Sing (Stephen Chow, who also directed) is a Shaolin monk on a crusade to bring Shaolin Kung-Fu to the masses. Fung is a drunk former soccer player. They team up with Sing's Shaolin brothers to enter the big soccer championship and make it all the way to the finals against "Team Evil", led by Fung's nemesis and former teammate.

Each teammate on the Shaolin team seems to have mastered a single Shaolin technique (Mighty Leg of Steel, Iron Head, etc.) which they adapt to soccer. Sing, for instance, has mastered the Mighty Leg of Steel which lets him kick the ball at what appears to be supersonic speeds. In one great kick the ball progressively gets hotter and hotter until it glows, catches fire, and then literally turns into a large cat (jaguar, cheetah, whatever...) and launches itself at the opposing goalie.

Chow has obviously seen plenty of American and Hong Kong action flicks (especially the Matrix) and apes them mercilessly. The appallingly low quality of the computer animation "now it's live action, now it's computer, now it's live action again" only adds to the absurdity. There's even singing, complete with a scientific explanation of the production number effect: "Your beauty lights a fire in me and then I must burst out into song or explode. My singing lights a fire in someone else (complete with video of a fireball growing in my eye) and they must burst into song, and it's like a chain reaction."

Not for everyone, but the people who will like this movie know who you are.

In case you haven't heard, Rep. Ernest Istook managed to get language inserted into the omnibus spending bill that allows the Chairmen of the House and Senate appropriations committees to review your and my tax returns:
"Hereinafter, notwithstanding any other provision of law governing the disclosure of income tax returns or return information, upon written request of the Chairman of the House or Senate Committee on Appropriations, the Commissioner of the Internal Revenue Service shall allow agents designated by such Chairman access to Internal Revenue Service facilities and any tax returns or return information contained therein."

The Senate has already passed a resolution repealing the clause and the House is supposed to do the same on Wednesday, so it looks like this won't actually ever come into effect.

I've got conflicting reactions here. On the one hand, it's a pretty clear illustration of why privacy types don't want the government collecting a bunch of additional information from you (e.g., your airplane flight data). On the other hand, it's a reminder that the government already collects an enormous amount of information about you, and the controls that keep that stuff secret are pretty prone to catastrophic failure.

(Via Josh Marshall)


November 20, 2004

Anne Applebaum has an editorial in WaPo arguing that we shouldn't worry about electronic voting, explicitly comparing it to ATM transactions:
When the ATM asks whether I want a receipt, I usually say no. When a Web site wants my credit card number, I usually say yes. When I pay bills online, there is no paper record of the transaction. In my failure to demand physical evidence when money changes hands, I am not very unusual. Most Americans now conduct at least some of their financial transactions without paper, or at least sleep happily knowing that others do. Yet when it comes to voting -- a far simpler and more straightforward activity than electronic bank transfers -- we suddenly become positively 19th century in our need for a physical record.

In fact, she might be better off asking for a receipt. Here's scourge of the UK banking system Ross Anderson in Security Engineering (pp. 203-204):

John Munden was one of our local police constables, based in Bottisham, Cambridgeshire; his beat included the village of Lode where I lived at the time. He came home from holiday in September 1992 to find his bank account empty. He asked for a statement, found six unexpected withdrawals for a total of £460 (then about $700), and complained. His bank responded by having him prosecuted for attempting to obtain money by deception. It came out during the trial that the bank system had been implemented and managed in a ramshackle way; the disputed transactions had not been properly investigated; and all sorts of wild claims were made by the bank, such as that its ATM system couldn't suffer from bugs as its software was written in Assembler. Nonetheless, it was basically the constable's word against the bank's. He was convicted in February 1994 and fired from the police force.

This miscarriage of justice was overturned on appeal, and in an interesting way. Just before the appeal was due to be heard, the prosecution served up a fat report from the bank's auditors claiming that the system was secure. The defense demanded equal access to the bank's systems for its own expert. The bank refused, and the court therefore disallowed all the bank's computer evidence--including its bank statements. The appeal succeeded and Munden got reinstated. But this was only in July 1996--he'd spent the better part of four years in limbo, and his family had suffered terrible stress. Had the incident happened in California, he could have won enormous punitive damages, a point bankers should ponder as their systems become global and their customers can be anywhere.

These routine denials should sound awfully familiar--they're the same thing you heard from the voting machine manufacturers.

On the flight to IETF, I watched the recent Will Smith movie I, Robot. 95% of the movie is the usual absurd Will Smith action vehicle, but the ending somehow manages to capture the essence of Asimov's groundbreaking book.

Spoilers below (for the book, not the movie).


November 19, 2004

According to Wired, the Senate is holding hearings on pornography:
Mary Anne Layden, co-director of the Sexual Trauma and Psychopathology Program at the University of Pennsylvania's Center for Cognitive Therapy, called porn the "most concerning thing to psychological health that I know of existing today."

"The internet is a perfect drug delivery system because you are anonymous, aroused and have role models for these behaviors," Layden said. "To have drug pumped into your house 24/7, free, and children know how to use it better than grown-ups know how to use it -- it's a perfect delivery system if we want to have a whole generation of young addicts who will never have the drug out of their mind."

Maybe I've missed something, but isn't thinking about sex all the time pretty much par for the course for teenagers, even before easy access to Internet porn?

Jeffrey Satinover, a psychiatrist and advisor to the National Association for Research and Therapy of Homosexuality echoed Layden's concern about the internet and the somatic effects of pornography.

"Pornography really does, unlike other addictions, biologically cause direct release of the most perfect addictive substance," Satinover said. "That is, it causes masturbation, which causes release of the naturally occurring opioids. It does what heroin can't do, in effect."

I'm not sure I'd say that pornography causes masturbation. It's an aid to masturbation, kind of like K-Y jelly. I have no idea what this stuff about naturally occurring opioids is about. Sure, sex causes the release of opioids, but then so does exercise, and I don't see the Senate holding hearings on the need to stamp out runner's high. Moreover, just because the opioids are natural doesn't mean that they're particularly strong or addictive. There are lots of drugs that bind more strongly than their natural counterparts to the corresponding receptors. Indeed, it's precisely because opiates, cocaine, etc. present such an out-of-the-ordinary pleasure stimulus that they're such attractive abuse targets.

BTW, it's worth noting that the NARTH describes itself as "a non-profit, educational organization dedicated to affirming a complementary, male-female model of gender and sexuality." Outstanding.

OK. I've totally given up on WordPress. The current (and hopefully future) EG runs on MovableType 3. Now maybe I can stop screwing with my tools and start blogging again.