EKR: January 2005 Archives


January 31, 2005

Mark A.R. Kleiman writes:
The egregious tax loophole is the non-taxability of the imputed rental income on owner-occupied housing. A renter has to pay income tax on the money he earns to pay the rent, but a homeowner pays no tax on the money he saves by owning.

If we eliminate the mortgage interest deduction, we make owner-occupied housing more expensive for those who have to borrow to buy it, but not for those who can pay cash or who bought a house on a mortgage and have now paid it off.

There's a case to be made for giving less favorable tax treatment to homeownership, but if we're going to do that we might as well do it right, rather than just making life harder for people with decent incomes but little wealth who live in cities with big real estate prices.

I agree with the sentiment here, but it's worth noting that just because you can pay cash for your house doesn't mean you have to. You can always leave your money in your S&P 500 fund, take out a mortgage, and take the deduction just like people without substantial savings.

Newsweek's article about the insurgency in Iraq says that the Iraqis were preparing to fight a guerilla war before the US invaded:

By July 2002, Saddam had distributed a circular to his top leadership, warning that if and when the United States attacked, "Iraq will be defeated militarily due to the imbalance in forces," but could prevail by "dragging the U.S. military into Iraqi cities, villages and the desert and resorting to resistance tactics." By December of that year, one of his key intelligence chiefs, Gen. Taher Jalil Habush al-Tikriti, was bragging, "We'll be angry if the Americans don't come." (Al-Tikriti is now a leader of the insurgency.) A memo distributed to Saddam's secret police in January 2003, and later obtained by NEWSWEEK, assigned a series of tasks to the organized resistance, including looting and burning government buildings and sabotaging electricity and water stations.

I don't really remember hearing anything about this prior to the war, which I don't get: sure, it's great to get the US bogged down, but that doesn't mean you're eventually going to win. It would be a lot more effective to convince the US in advance that invading was too expensive. Why didn't the Iraqis publicize their resistance plans when the US was gearing up to invade? Or did they and I just missed it?

People like me spend a lot of time designing security protocols and systems, but operations is where the rubber meets the road. This week is NANOG (agenda here). (þ Leslie Daigle.) Particularly interesting are:

Unfortunately, I'm not there and not all the talks have slides up. If anyone wants to send me a pointer to Paul Tatarsky's talk I would appreciate it.

I knew about the 3/5 compromise, but John Steele Gordon's An Empire of Wealth points out something I don't remember learning in American Civics. Article I, Section 9, Clause 1 prohibits banning the slave trade until 1808:
The Migration or Importation of such Persons as any of the States now existing shall think proper to admit, shall not be prohibited by the Congress prior to the Year one thousand eight hundred and eight, but a Tax or duty may be imposed on such Importation, not exceeding ten dollars for each Person.

But here's the really amazing part. Check out Article V:
The Congress, whenever two thirds of both Houses shall deem it necessary, shall propose Amendments to this Constitution, or, on the Application of the Legislatures of two thirds of the several States, shall call a Convention for proposing Amendments, which, in either Case, shall be valid to all Intents and Purposes, as Part of this Constitution, when ratified by the Legislatures of three fourths of the several States, or by Conventions in three fourths thereof, as the one or the other Mode of Ratification may be proposed by the Congress; Provided that no Amendment which may be made prior to the Year One thousand eight hundred and eight shall in any Manner affect the first and fourth Clauses in the Ninth Section of the first Article; and that no State, without its Consent, shall be deprived of its equal Suffrage in the Senate. (emphasis mine)

For reference, the fourth Clause is the prohibition on income taxes.


January 30, 2005

The Times has an article about the famous Alexander Shulgin. Shulgin has synthesized and tried some amazing number of psychedelics and written about them in Pihkal and Tihkal. The article is fairly interesting and moderately positive, despite the author's fixation on the negative effects of psychedelics (suggesting that they've damaged Shulgin's memory (the guy is 80), focusing on the really small number of people who have died from psychedelics, etc.)

Mark A.R. Kleiman makes an appearance, too:

With the F.D.A.'s approval of the Harvard cancer-patient study on Dec. 17, all that's still needed is a D.E.A. license for MDMA. John Halpern, the psychiatrist heading the study, anticipates that happening in the next couple of months. At the same time, he cautions against making too much of his ''small pilot study'': eight subjects undergoing a course of MDMA therapy, with another four receiving a placebo. The Charleston study is similarly modest, with 20 subjects.

Still, according to Mark A.R. Kleiman, director of the Drug Policy Analysis Program at U.C.L.A., ''there's obviously been a significant shift at the regulatory agencies and the Institutional Review Boards. There are studies being approved that wouldn't have been approved 10 years ago. And there are studies being proposed that wouldn't have been proposed 10 years ago.''

The DEA's attitude towards psychedelic research does seem to have changed, which is good. It's not like millions of ravers are suddenly going to start taking X under cover of doing research into the therapeutic uses of glowsticks and techno music.

Windows XP SP2 is built with some memory protection features to prevent the exploitation of buffer overflows. Definitely a good idea, but unfortunately, they're not perfect and the guys at Maxpatrol have figured out how to bypass them:
And the second weak spot the manipulation of the lookaside lists doesn't assume any header sanity checking, there isn't even a simple cookie check there. Which, theoretically, results in possibility to overwrite up to 1016 bytes in an arbitrary memory location.

The exploitation scenario could proceed as follows:
if, during the overflow the coincidental memory block is free and is residing in the lookaside list, then it becomes possible to replace the Flink pointer with an arbitrary value.
Then, if the memory allocation of this block happens, the replaced Flink pointer will be copied into the header of the lookaside list and during the next allocation HeapAlloc() will return this fake pointer.

The prerequisite for successful exploitation is existence of a free block in lookaside list which neighbors with the buffer we overflow.

I'm not an expert on this kind of memory exploit, but it looks to me like this is a simple implementation error on Microsoft's part. It should be relatively straightforward for them to fix, and since it's clear that they're trying to do the right thing, I'd expect them to fix it in some future SP.

The interesting question is what the working envelope of the bypass is. Does it totally defeat SP2's heap protection or are there a substantial number of vulnerabilities which can't be exploited this way? As I read this disclosure, the bug requires that the overflowable buffer be next to some block on the lookaside list, which requires a very specific allocation and freeing order. This suggests that only some fraction of programs will be vulnerable to this bypass technique.


January 29, 2005

Microsoft has decided not to provide patches to unauthorized users of Windows. Obviously, Microsoft's intention here is to disincentivize people from using pirated versions of Windows. The interesting question for me is what the false positive rate is here: what percentage of legitimate Windows installations will be refused patches? If there is any significant number of false positives, Microsoft could easily end up spending more money in support costs for those users than they make from people who decide to buy legitimate versions.

January 28, 2005

Amazon's new restaurant service has menus, directions, and customer reviews for restaurants in 6 major metropolitan areas. Not as many areas as Zagat, but I expect that will change fairly soon.

Even cooler, A9 yellow pages lets you virtually walk up and down the streets of your favorite shopping district. The How we did it is pretty cool too. They drove up and down the streets with GPS and video camera equipped trucks. (þ Nagendra Modadugu.)


January 27, 2005

Except in Afghanistan:
But officials concede that sheepherders in Afghanistan often don't understand the value of $25 million, and they are looking into offering other forms of compensation. For his part, bin Laden, citing authority from the Koran, promises his followers who die in attacks on westerners a stable of virgins. Counters one official, "We can't come up with 70 virgins, but we can come up with goats."

Credit: Title is from David Mamet's Heist.

According to Reuters, North Korea has purchased a complete nuclear weapon from Pakistan or a FSR. Outstanding!

I wonder what a fully functional nuclear weapon costs on the open market. The lack of a nuclear weapons capability is pretty much the only thing stopping me from declaring my house the fully independent Republic of Rescorlastan.

Alex Tabarrok points to James Surowiecki's New Yorker article about how people perceive cost benefit analysis. Here's the key graph:
While that kind of weighing of risk and benefit may be medically rational, in the legal arena it's poison. Nothing infuriates juries like finding out that companies knew about dangers and then "balanced" them away. In fact, any kind of risk-benefit analysis, honest or not, is likely to get you in trouble with juries. In 1999, for instance, jurors in California ordered General Motors to pay $4.8 billion to people who were injured when the gas tank in their 1979 Chevrolet Malibu caught fire. The jurors made it plain that they did so because G.M. engineers had calculated how much it would cost to move the gas tank (which might have made the car safer). Viscusi has shown that people are inclined to award heftier punitive damages against a company that had performed a risk analysis before selling a product than a company that didn't bother to. Even if the company puts a very high value on each life, the fact that it has weighed costs against benefits is, in itself, reprehensible. "We're just numbers, I feel, to them" is how a juror in the G.M. case put it. "Statistics. That's something that is wrong."

If you've seen Fight Club, you may recall that the job held by Edward Norton's character, the symbol of his utter soullessness, was to go to car accidents, determine what defect caused them, and calculate whether the benefit of saving them would exceed the cost to the company. Obviously, to the extent to which we'd like companies to run good cost/benefit analyses, we might want to find some way to counter this effect.

UPDATE: Fixed title to match the quote in the article.


January 26, 2005

According to this article, the San Francisco Environment Department claims that the US uses 12 million barrels of oil to make the 30 billion plastic bags each year. That's disputed, but let's say it's so. That's .0004 barrels of oil per plastic bag. Now, a single barrel of oil (42 gallons) produces 19.7 gallons of gasoline (as well as a bunch of other stuff). Let's say for the sake of argument that gasoline is the only product and so should bear the full externalized cost, so a gallon of gasoline represents .05 barrels of oil, or 125 plastic bags.

It's a bit hard to estimate the environmental impact of gasoline consumption because a lot of the cost is carbon emissions, which don't necessarily apply to garbage bags since the carbon is locked up in the bags, but estimates of the total externality hover around $.50. Let's overestimate and say it's $2.00. Since a gallon of gas is equivalent to 125 plastic bags, we can compute the appropriate tax on plastic bags is $2.00/125 or 1.6 cents. Put another way, if we believe that the externalities for plastic bags are associated mostly with production, in order to justify a $.17 tax on bags you'd need a $21 gas tax to match.

Of course, I don't really believe that the major externality from use of plastic bags is associated with production, but then I'm not the one asking for a big tax on plastic bags either.

According to MSNBC, San Francisco is considering putting a $.17 tax on plastic grocery bags:
SAN FRANCISCO - City officials are considering a proposal to slap a 17-cent surcharge on paper or plastic shopping bags, a debate sure to be watched as a bellwether for other communities across the United States.

While no other U.S. city imposes a shopping bag tax, such a strategy has been successfully employed in the nations of Ireland, South Africa, Bangladesh, Australia, Shanghai and Taiwan.


Environmentalists say plastic bags jam machinery, pollute waterways, suffocate wildlife, use up finite supplies of fossil fuels and often end up as eyesores in trees or bushes.


The environment commission says the 17-cent figure represents an estimate of the costs to the city to clean up and dispose of each plastic bag.

"We would be setting a trend, certainly, of a city of our size to be issuing this kind of supplantation of plastic bags for an alternative, something more environmentally friendly," Mirkarimi said.

The first question we need to ask is: what does "successfully employed" mean? Presumably what they mean is that it's reduced the number of people using plastic garbage bags--or of plastic garbage bags littered--but let's take a step back: there's got to be some right number of plastic bags used. Now, it's quite possible that the people writing this ordinance think the number is zero, but obviously that's not the intention of that ordinance, since then you would simply make them illegal. So, in order to know whether this is being successfully employed we first need to know what the right number is. The Irish example that's being positively cited here is claimed to have produced a 95% reduction in plastic bag use. If that's the right number, wouldn't it be simpler to ban them entirely?

The size of the tax makes it pretty clear what the intention is here: it's set to be the claimed price of cleaning up the bags. Clearly, then, this is intended to be some sort of primitive Pigouvian tax where the cost is set to match the externalities. If you're using this strategy, then the appropriate metric is whether the efficient number of bags is being used. I wonder if anyone involved has any idea what an efficient number is.

In principle, of course, an appropriate Pigouvian tax should produce an efficient result. The only problem is, this particular Pigouvian tax is being executed in a fairly incompetent fashion: if you're going to have a tax like this, you want it to disincentivize the behavior you don't like, which in this case is presumably littering. The problem here is that everyone who uses plastic bags is paying, even if they don't litter, so it's not a very efficient incentive. What would be an efficient incentive would be a deposit. A deposit is superior in two respects. First, it incentivizes people not to litter. Second, it incentivizes other people to pick them up, just as currently happens with cans and bottles.

What a tax of this kind does is disincentivize all use of plastic bags. Now, that makes sense if you think that the primary negative externality with plastic bags is the environmental cost of producing them. I'm fairly skeptical that that's the case but even if it were, they're far from the only kind of plastic that's widely used, and I suspect they all have similar environmental impacts per barrel of oil used, so why not simply tax the use of fossil fuels for plastic production in general?

Credit: Kevin Dick alerted me to this story.


January 25, 2005

HP has filed for a patent on a remote shutdown for digital cameras:
At least that's the way it might work if technology described by Hewlett-Packard makes it to market. A recent patent application from the computing giant describes a system in which digital cameras would be equipped with circuits that could be remotely triggered to blur the face in any images captured by the camera.

U.S. patent application 20040202382, filed in April 2003 and published in October 2004, describes a system in which an image captured by a camera could be automatically modified based on commands sent by a remote device.

In short, anyone who doesn't want their photo taken at a particular time could hit a clicker to ensure that any cameras or camera-equipped gadgets in range got only a fuzzy outline of their face.


An HP representative said the company had no current plans to commercialize the technology, which would require widespread adoption by camera makers and possibly government mandates to be financially practical.

Indeed. This kind of proposal basically depends on people not being able to control the software in their cameras. I can't see that happening without legislation to make it mandatory.


January 24, 2005

21st Century Locks is offering hard drives and flash drives that feature biometric (thumbprint) authentication. Here's the press release.
(PRWEB) January 21, 2005 -- With the workforce becoming increasingly mobile there is a large amount of confidential business, customer and personal information being stored on laptops. The loss, or theft, of a laptop containing confidential business, customer or personal information can leave you open to loss of critical business information, identity theft and possible legal action by your customers. With the implementation of increased regulatory requirements, HIPAA, Sarbanes-Oxley etc there is also the possibility of action being taken under those acts.


"The ClipDrive Bio Fingerprint USB Flash Drive and Outbacker Fingerprint USB Hard Disk Drives provide the most secure and efficient portable data storage available," said Rob van Gils - VP Sales & Marketing, 21st Century Locks, Ltd. "The devices are non-operational until a validated fingerprint is received. Once the device is activated it functions just like another drive on your PC. The drives have both public and private sectors, the public sector is available to all registered users and each user can have their own private sector which requires a password to access," he said.

"Because all biometric and fingerprint templates are saved in hardware and not storage media unauthorized users cannot access the device should it be lost or stolen."

Maintaining confidentiality for stolen laptops and hard drives is a very serious problem, but it's not clear that biometrics add a lot of value.

The major tool for providing security for hard drives is to encrypt the data on the drive (this applies to laptops too, since the important information in the laptop is generally on the hard drive.) The key issue is how to manage the encryption keys. Part of this is a well understood problem: the hard drive has a single master key which is used to generate sub-encryption keys for individual files or sectors. The tricky question is how to manage the master key.

Password-Based Encryption
The straightforward strategy is to use a password. The master key is generated from the password using a key generation function such as PKCS#5. (Technically speaking, you typically randomly generate the master key and then encrypt it with the password, but it really doesn't make much of a difference right now.)

There is a real problem with this scheme, which is that it's susceptible to dictionary attack. People tend to choose lousy passwords, such as their names, birthdays, words that are in the dictionary, etc. It's easy to attack the system by simply trying common candidate passwords in turn. You take each password and generate its corresponding encryption key, and try to decrypt the data on the disk. If you get plausible looking data--as opposed to random garbage--you've almost certainly found the right password.

Hardware Security Modules
Dictionary attack is very difficult to counter in this kind of system as long as it's purely in software. You can try to get people to choose better passwords, but history shows that they use bad passwords anyway. You can make the software check for bad passwords when people choose them, but then people just write them on Post-Its and stick them to the laptop.

The standard fix for this is to use hardware rather than software. The way this works is that the master key is stored encrypted in a hardware security module (HSM). When you key in the password the Operating System (OS) puts it into the HSM which decrypts the master key and returns it to the OS. Now, so far this isn't any better than before, but the hardware lets you add a critical element--a limited-try capability. The HSM only lets you enter some finite number (typically 5-10) of wrong passwords in a row. If you make more than that many errors then the HSM zeroizes (erases) the master secret. This effectively stops dictionary attack.

Now, of course the attacker still has physical possession of the laptop, so they can try to open up the HSM and extract the encrypted master key directly. This already requires a lot more tooling and effort than doing a dictionary attack, but it's fairly common to design the HSM so that any attempt to tamper with it causes it to zeroize the master secret. It's possible to bypass this too, but now you're talking about an attacker with some serious capabilities, which most people who find or steal your laptop won't have.

Note that if you have an HSM you can use very weak passwords. A 4-8 digit numeric PIN is plenty good because the number of candidate passwords the attacker can try is so limited.
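The limited-try behaviour described above, as an added example that is not from the original post: a software model of an HSM that wraps a master key under a PIN-derived key, counts consecutive wrong PINs, and zeroizes at the limit. The names `ToyHSM`, `guessing_run` and `success_bound` are hypothetical, and XOR with PBKDF2 (PKCS#5 v2) output stands in for a real key-wrap cipher.

```python
import hashlib
import hmac
import os
from fractions import Fraction


class Zeroized(Exception):
    """Raised once the module has erased its secrets."""


class ToyHSM:
    """Model of a limited-try module (hypothetical; a real HSM does this in tamper-resistant hardware)."""

    def __init__(self, pin, max_tries=5, iterations=100_000):
        self._salt = os.urandom(16)
        self._iterations = iterations
        self.max_tries = max_tries
        self.failures = 0            # consecutive wrong PINs so far
        self.zeroized = False
        master_key = os.urandom(32)  # random master key, never stored in the clear
        kek, check = self._derive(pin)
        # Assumption: XOR with the PBKDF2 output stands in for a real key-wrap cipher.
        self._wrapped = bytes(a ^ b for a, b in zip(master_key, kek))
        self._check = check          # verifier kept inside the module only

    def _derive(self, pin):
        out = hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt,
                                  self._iterations, dklen=64)
        return out[:32], out[32:]    # (key-encryption key, PIN verifier)

    def unlock(self, pin):
        """Return the master key for the right PIN, None for a wrong one."""
        if self.zeroized:
            raise Zeroized("master key erased after too many wrong PINs")
        kek, check = self._derive(pin)
        if hmac.compare_digest(check, self._check):
            self.failures = 0        # the limit applies to wrong PINs in a row
            return bytes(a ^ b for a, b in zip(self._wrapped, kek))
        self.failures += 1
        if self.failures >= self.max_tries:
            # Zeroize: overwrite the wrapped key and verifier, then refuse service.
            self._wrapped = self._check = bytes(32)
            self.zeroized = True
        return None


def guessing_run(hsm, candidates):
    """Feed candidate PINs to the module; return (key or None, attempts accepted)."""
    tried = 0
    for pin in candidates:
        try:
            key = hsm.unlock(pin)
        except Zeroized:
            break
        tried += 1
        if key is not None:
            return key, tried
    return None, tried


def success_bound(max_tries, pin_digits):
    """Best-case chance that guessing a uniformly random PIN succeeds before zeroization."""
    space = 10 ** pin_digits
    return Fraction(min(max_tries, space), space)


if __name__ == "__main__":
    hsm = ToyHSM("4821", max_tries=5, iterations=1000)   # constructed sample PIN
    all_pins = ["%04d" % i for i in range(10_000)]
    print(guessing_run(hsm, all_pins), hsm.zeroized)     # (None, 5) True
    print(success_bound(5, 4), success_bound(10, 8))     # 1/2000 1/10000000
```

The same candidate list run against a software-only scheme would always reach the right PIN, because nothing stops the loop; here the module erases the key after five guesses.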

We are now prepared to address the question of biometrics. The general principle is that the laptop or hard drive has a biometric reader (in this case a fingerprint reader). The user presses their finger on the reader instead of typing the password.

There are two ways to implement a biometric authentication scheme for hard drive encryption. The easy way to do it is for the device to store a copy of the biometric. It compares the scanned biometric to the copy and if they match it outputs the master key. The obvious problem here is that it requires the system to know the plaintext version of the master key, so if you break into it, you can decrypt all the data on the hard drive. This isn't that desirable so you probably want the biometric reader to have some sort of automatic zeroization capability, at which point you're back to HSMs and passwords start to look more attractive.

The second alternative is to directly derive the encryption master key from the biometric. The idea here is that the biometric has more entropy (is harder to guess) than the password. The problem with this theory is that the biometric doesn't scan exactly the same way every time so you need some method for generating the encryption key that is insensitive to this kind of error while still being sensitive to the variation between different people's fingers. There are techniques for this (the general name is fuzzy extractors) but it's not clear that once you've compensated for them fingerprints still have enough entropy--though it seems possible that iris codes will.[1]

An even more serious problem is that as anyone who watches CSI knows, your laptop is covered with your fingerprints. In particular, the fingerprint pad which you've been using to authenticate for weeks is almost certainly covered with your fingerprints! It's actually quite easy to make fake fingers from residual fingerprints that will fool fingerprint readers. So, unless you obsessively wipe down your computer, I wouldn't be too confident that someone can't replicate your fingerprint and gain access.

Given these problems, the primary value of biometric authentication--at least using fingerprints--for things like laptops is that it's marginally more convenient than passwords. However, it doesn't really make things more secure and quite likely makes them less secure.

1. Most of the work on fingerprint recognition (e.g., this paper by Clancy and Lin) focuses on false positive rates (they claim a 2^-69 chance of a false positive with 30% false negatives), but that provides an upper bound on how difficult it is to guess a plausible biometric, since there's probably some correlation between different fingerprint minutiae.

UPDATE: In the comments Dan Simon mentions that you can use a removable token that contains the master key. This is a popular approach, but you need to force people to store the token and the laptop separately rather than just leaving the token in the laptop 24/7. I'm not sure how well that works in practice.

OK, so the Catholic church doesn't want you to use condoms because they're a form of birth control. So, what if they're not birth control? Is it OK for gay men to use them to prevent HIV? How about if heterosexuals use them for oral sex?

January 23, 2005

On Mail Call they're talking about helicopters:
To give you a comparison, an infantryman in World War II, with four years involvement, maybe had 40 days of actual combat. In Viet Nam, an infantryman with a one year tour experienced 240 days of combat, which really says that the helicopter took the fighting man to where he was needed.

The general impression one gets from the mass media is that Post Traumatic Stress Disorder is a lot worse for Viet Nam veterans than for WWII veterans. I don't know if that's actually true, but if it is, this might be one reason. An employee in an average company works maybe 240 days a year, and most people's jobs don't involve being shot at.

John Holbo links to Paul Ford's My Three Favorite Games of 2004:
  • America's Army Special Ops: Abu Ghraib
  • Will Oldham's Adventure
  • Cat Ball Shaver

From his description of ASO: AG

You and your teammates are given a group of "detainees" that you must discipline. The thing that makes this game different is that the detainees can't fight back, and they're in chains or locked in cells. At first it was a little confusing, and I killed a lot of detainees expecting them to fight back, but I got used to it and found it to be a refreshingly different approach from most RPGs.

The choice of weapons is really interesting, too. You start out with a crate, a cattle prod, and a Bible, and by using them in different ways you get more weapons to use. For instance, after you beat a detainee with a Bible, you get pork and bananas, which you can either (spoiler alert) feed to the detainees or insert into their rectums, or both. But it's not as easy as it sounds! The detainees will eat the bananas, but they'll get really angry if they have to eat pork.

I'm sure they do!


January 22, 2005

If you've ever had an MRI scan, you know that you have to stay very still in order to get a clean scan. This NYT article describes a new motion correction technique called Propellor which lets you get a sharp scan even when the subject is moving. Nice.

January 21, 2005

I swung by Fry's today and checked out the Sony T-160. Nice machine, but the keycaps seem to be about 10-20% smaller than with my Vaio 505--and just a little too small for me to type on comfortably.

January 20, 2005

This laptop hard drive problem kind of suggests that it's really time to replace my laptop. I'm still lusting after the Panasonic W-2 (Kevin Dick has one), but I've never heard that anyone has successfully gotten it to work with FreeBSD. Does anyone have ultralight laptop recommendations that definitely work with FreeBSD?

Let's say that you want to do a survey where you ask people questions they might not want to reveal their answers to, e.g. "Have you ever taken illegal drugs?"

Here's the problem. Let's assume that we just simply ask the question and population fraction π has the attribute you're interested in measuring (e.g., they've smoked pot or whatever). Unfortunately, only fraction λ of those people are willing to admit it. So, when you do your survey, πλ answers "Yes". Say this value is F. This doesn't help you much: you now know that at least F people have the attribute, but you have no way of measuring the upper bound. All you know is that the true value of π is somewhere between F (if λ=1) and 1 (if λ=F). Obviously, this technique works well if you have a good estimate of λ, but poorly if you don't.

The standard methodology for removing this kind of error is called a Randomized Response survey, which uses secret randomness to mask the response. The basic method looks like this:

  1. Interviewer asks question. E.g. "Have you ever smoked marijuana?". We'll assume that "Yes" is the sensitive answer here.
  2. Subject flips a coin.
  3. If the coin comes up heads, the subject answers "Yes".
  4. If the coin comes up tails, the subject answers the question truthfully.

The results can be summarized in the following contingency table:

Coin flip result:

|                  | Heads (.5) | Tails (.5) |
|------------------|------------|------------|
| Smoker (π)       | Yes        | Yes        |
| Non-smoker (1-π) | Yes        | No         |

In this survey, the only people who will answer "No" will be people who both flipped a tails and haven't smoked marijuana. Because these two are independently distributed, the fraction of No answerers will be approximately (1-π)/2. This makes it very easy to estimate π. We simply take the No response rate, N, and compute 1-2N, which gives us our estimate of π.

Now, obviously the above assumes that people answer truthfully, which we don't know that they'll do. We need to ask whether it's reasonable for people to answer truthfully. Without randomization, the reason that people don't answer truthfully is that it reveals information about them. I.e., if you say "Yes" then the interviewer knows you're a smoker. With a randomized response design, the interviewer gets some information: if you say No you definitely are not a smoker, but if you say Yes you might or might not be.

Remember that the Yes response rate Y is given by 1-(1-π)/2 = .5 + π/2. Out of that set, Y, π will have actually smoked marijuana and .5-π/2 will have not, but will have answered yes because of the coin flip. (π/2 will have smoked marijuana but also flipped heads.) Now, assume that the researcher has done the study and made his estimate of π. This means that his a priori estimate is that an arbitrary person he meets (who he hasn't asked the question of) has a π chance of having smoked marijuana. Now, if you answer "Yes" to the randomized question above, he can adjust his estimate: you now have a π/(.5 + π/2) chance of being a smoker.

How much does this improve his information? It depends on the value of π. If π is relatively small (e.g. .1), then .5 + π/2 is approximately .5 and so the new estimate becomes 2*π--the survey question has caused the interviewer to double his estimate of your chance of being a smoker. On the other hand, if π is fairly high (e.g. .5) then .5 + π/2 starts to approach 1 and the interviewer gets less information about you in particular. In no case does this technique let the interviewer more than double[1] his confidence of your positive status, so the amount of individual information leakage is fairly small.

Of course, this demonstration that not that much information is transmitted, while using only simple probability theory, is still somewhat involved, so it's not entirely clear that interviewees actually answer truthfully when this technique is used (see here for one analysis). Nevertheless, this general kind of survey design is very widely used to elicit answers to embarrassing questions.

1. The limit at a factor of 2 is a result of the 50/50 nature of the coin flip. If we used a die roll so that people answered truthfully (say) 2/3 of the time the advantage would be larger.
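The survey design, the 1-2N estimator and the leakage bound above, as an added example that is not from the original post. It generalizes the coin flip to any forced-Yes probability `p_forced` (the footnote's die roll is `p_forced` = 1/3); all function names are assumptions, and the survey data is simulated.

```python
import math
import random


def simulate_survey(pi, n, p_forced=0.5, seed=None):
    """Simulate n truthful subjects; return how many answer 'No'.

    Each subject says Yes with probability p_forced regardless of the truth
    (the 'heads' branch) and otherwise answers truthfully.
    """
    rng = random.Random(seed)
    no_count = 0
    for _ in range(n):
        smoker = rng.random() < pi
        forced_yes = rng.random() < p_forced
        if not forced_yes and not smoker:
            no_count += 1          # only truthful non-smokers ever say No
    return no_count


def estimate_pi(no_count, n, p_forced=0.5):
    """Invert P(No) = (1 - p_forced) * (1 - pi); with a fair coin this is 1 - 2N."""
    return 1 - (no_count / n) / (1 - p_forced)


def std_error(pi, n, p_forced=0.5):
    """Standard error of the estimate: the statistical price of the masking."""
    p_no = (1 - p_forced) * (1 - pi)
    return math.sqrt(p_no * (1 - p_no) / n) / (1 - p_forced)


def posterior_given_yes(pi, p_forced=0.5):
    """Interviewer's updated belief that a 'Yes' answerer has the attribute.

    P(Yes) = p_forced + (1 - p_forced) * pi, and every smoker says Yes,
    so P(smoker | Yes) = pi / P(Yes). With a fair coin: pi / (.5 + pi/2).
    """
    return pi / (p_forced + (1 - p_forced) * pi)


def max_leak_factor(p_forced):
    """Upper limit of posterior/prior, approached as pi goes to 0."""
    return 1 / p_forced


if __name__ == "__main__":
    true_pi, n = 0.3, 100_000                      # constructed population
    no_count = simulate_survey(true_pi, n, seed=1)
    print("estimate:", round(estimate_pi(no_count, n), 3),
          "+/-", round(std_error(true_pi, n), 4))
    for prior in (0.1, 0.5):
        post = posterior_given_yes(prior)
        print(f"prior {prior}: posterior after Yes {post:.3f} "
              f"(factor {post / prior:.2f}, limit {max_leak_factor(0.5):.0f})")
    # Die-roll variant from the footnote: truthful 2/3 of the time.
    print("die roll limit:", round(max_leak_factor(1 / 3), 2))
```

Lowering `p_forced` shrinks the standard error but raises the leak limit, which is the trade-off the footnote points at.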

For reasons that have never been clear to me, about 20% of the white boards I come across have one or more permanent markers mixed in with the dry erase markers that you're supposed to use. Obviously, this is a trap, because once you've unwittingly written something using a permanent marker it's pretty much there for good. Thus my distress on Monday when I realized that my diagram about porn downloading was going to be preserved forever.

Luckily, one of the people in the meeting with me showed me a cool trick: if you write over the permanent marker with a real dry erase marker you can often erase them both. Don't ask me why this works because I don't know, but it seems to. Just FYI.


January 19, 2005

Cory Doctorow is pretty unhappy about AA wanting to know who he's staying with in the US:
"I will be staying with a friend tonight, at a hotel near LAX tomorrow, and with a different friend in Tarzana for the rest of the week."

The security officer then handed me a blank piece of paper and said, "Please write down the names and addresses of everyone you're staying with in the USA."

I actually began to write this out when I was brought up short. "Wait a second -- since when does AA compile a written dossier on the names and addresses of my friends? Why are you asking me this? Do you have a privacy policy and a data-retention policy I can inspect prior to this?"

The security officer told me that this was a Transport Security Agency (TSA) regulation. I asked for the name or number of the regulation, its text, and the details of the data-retention and privacy practices in place at AA UK. The security officer wasn't able to answer my questions, and she went to get her supervisor.

After several minutes, her supervisor appeared and said, after introducing himself, "Sir, this is for your own protection."

I think it's pretty hard to argue that making passengers produce written dossiers on their friends' home addresses makes planes in the sky secure. I asked again if this was really a TSA regulation and what AA's privacy and data-retention policies are.

EG readers will know that I'm generally pretty unsympathetic to airline security and the "this is for your own protection" rationale, but this actually doesn't strike me as entirely stupid. The key thing is to stop thinking of this as data collection and start thinking of it as an interview.

When you interview for a job at Microsoft, they're apparently fond of asking you to solve puzzles. That's not because the interviewer cares how many stop lights there are in Minneapolis, but because he wants to use your response to the question as a signal of whether you're smart. Similarly, when the security officer asks who you're staying with in the US, it's probably not because he actually cares but because he figures that someone who's going to blow the plane up in flight is less likely to have a good answer about where he's planning to stay in the US.

Obviously, this kind of technique only works well if the questions are a surprise, so it's hard to prepare in advance. One common technique for varying the questions is to listen to the interviewee's story and try to probe for holes. Based on Doctorow's post, it looks like that may have been what the interviewer was trying to do, since he only asked for this information after Doctorow told him he was staying with friends. (Though it's worth noting that this is the kind of question customs officers routinely ask.) Note that I'm not saying that AA's interviewing techniques actually do add much security--in my experience, this kind of interview is actually pretty easy to predict and prepare for--just that we can't tell from Doctorow's story that this kind of question is pointless.

Of course, this is a separate issue from what sort of data retention policy AA has, though they could of course just shred the paper afterward. Obviously, if they're keeping this sort of information in long-term storage he would have some basis for a complaint.


January 18, 2005

I'm down at the IEEE 802.11 meeting in Monterey and that means I'm working with my laptop. Normally, this would be fine, but last night when I booted the machine up, it generated a message that looked something like this:
WARNING: / was not properly dismounted
ad0s2g: hard error reading fsbn 14685439 of 4376928-4377055 (ad0s2 bn 14685439; 
cn 914 tn 32 sn 13) trying PIO mode
ad0s2g: hard error reading fsbn 14685439 of 4376928-4377055 (ad0s2 bn 14685439; 
cn 914 tn 32 sn 13) status=59 error=40
ad0: READ command timeout tag=0 serv=0 - resetting
ata0: resetting devices .. done
WARNING: R/W mount of /usr denied.  Filesystem is not clean - run fsck
WARNING: /usr was not properly dismounted

Now, the first message isn't a problem. That just means that the machine was shut down improperly. It's lines 2-6 that are the problem. These indicate that the hard drive is generating some serious hardware errors. The next line tells us to run fsck(8) to check the filesystem, which you do manually once the boot has failed. Unfortunately when I did that, I just got more hardware errors, so the fsck can't complete and so the situation doesn't improve much.

The good news is that it only appears to be a few bad blocks and none of them seem to affect data that I actually care about. The bad news is that you're not supposed to mount filesystems that haven't been checked. The OK news is that the 'mount -f' flag lets you bypass that little restriction--as long as you don't mind behavior being a little...unpredictable. So far so good, though.


January 17, 2005

Jennifer's cat, Pookah, has the Siamese trait and recently had to have his fur shaved to deal with an abscess. Because the trait is temperature sensitive, the shaved section grows in dark, so you can clearly see the path of the clippers in this picture:

For reference, here's a picture of the other hip:

UPDATE: By the way, the Siamese trait is actually the opposite of what it initially looks like. A Siamese is basically a dark cat with a gene that suppresses coloration in the warm areas, rather than a light cat with a gene that creates coloration in the cold areas. This is how tabbying works as well.


January 16, 2005

Panix's nameservice has been restored. Here's Bruce Tonkin's post from NANOG:
Melbourne IT restored the nameservers and contact details associated with this name first thing this morning (Monday in Melbourne, Australia).

We are arranging with the previous registrar (Dotster) to have the name transferred back.

We are also investigating the chain of events that led to the problem in the first place. This will take longer, due to the various timezones and parties involved. In this case one of the parties was an ISP in the United Kingdom, which is a reseller of Melbourne IT.

Bruce Tonkin
Chief Technology Officer
Melbourne IT

Of course, the bad news is that it's going to take up to a day for the caching name servers that have been contaminated with the bad records to time out. DNS has no revocation mechanism.

California lets you order a Kids License Plate. These license plates can include one of four symbols (heart, hand, star, plus). What I wonder is: how are these represented in the DMV computer, especially since heart and hand aren't standard 101-key characters, and star isn't really one--though using "*" seems obvious.

  1. The state has standard encodings for each symbol. Imagine what it must be like to modify every computer in the state to handle four new symbols!
  2. All four symbols are represented by a single character, such as "*".
  3. The symbol isn't actually part of the license plate number at all.

These possibilities can be distinguished by trying to order various license plate combinations. If the state will issue both XXX+XXX and XXX*XXX, then you know that it's a real symbol. If it will issue XXX+XXX and XXXXXX but not XXX*XXX as well, then it's likely to be a single symbol for all four. If it won't issue both XXX+XXX and XXXXXX, then it's likely not really part of the number. Here's some evidence that it's possibility (2): when you order the plate, you first choose your kids symbol and then you select "@" to represent the symbol.

One of the amazing things about cats is how much coloration variance there is. After all, your average human is pretty much the same color all over, but cats display all different kinds of patterning. I've been reading up on it lately and the science is really cool.
  • The Cat Colors FAQ has a really interesting section on how coat coloration works. Amazingly, all that variety is provided by two pigments, eumelanin (blackish) and phaeomelanin (reddish), plus a bunch of genes that control pattern.

  • The first cloned cat, CC, has different coloration from her clone mother, Rainbow. CC is a tiger tabby and Rainbow is a calico. The reason for this is what's called X-linked inactivation:
    First of all, calicos are almost always female, which means they have two X-chromosomes (versus the male's XY). One of these X chromosomes contains a gene for orange coat color and the other contains a gene for black coat color (white patches are specified by a different set of genes which are not relevant here).

    For reasons which are not fully understood, as the embryo develops, a phenomenon called "X-linked inactivation" occurs, in which one or the other X-chromosome in every cell in the Calico embryo becomes randomly inactivated. If the specific X-chromosome containing the gene for orange coat color becomes inactivated, that cell will go on to produce black coat color (assuming it becomes a coat follicle cell). The inverse is true if the X-chromosome containing the gene for black coat color becomes inactivated.

    Given that the inactivation is random, one would expect a very fine distribution of orange and black hairs within the coat, but for reasons which are not germane here, the inactivation occurs in larger patches of orange and black.

    "Mosaicism" is the term for distribution of different cell types within a single organism. Mosaicism is three-dimensional, meaning that the inactivation of orange or black-producing genes occurs within cells throughout the calico's body regardless of whether the cells have anything to do with production of the animal's coat. Thus, even the specific cumulus cell used to clone CC would have been inactivated for either orange or black coat color.

    If the nuclear transfer process were to reset the inactivated X-chromosome the way it resets the nuclear differentiation, then one might expect to see a calico clone with a calico coat. On the other hand, if nuclear transfer does not reset X-activation then one would expect to see a clone with a black coat if the donor cell used had an orange coat gene on the inactivated X-chromosome, and conversely one would expect a clone with an orange coat if the donor cell used had a black coat gene on the inactivated X-chromosome.

    The fact that CC has no orange in her coat is consistent both with the theory that nuclear transfer does not reset X-activation, and also that the cumulus cell used had an orange coat gene on the inactivated X-chromosome.

  • Siamese trait (the dark pigment on the nose, ears, tail, and feet ["points"]) is temperature-sensitive. The points tend to be colder and so the hair grows out dark. According to Jennifer Gates, who first told me about this, if you shave the fur of a Siamese, the first resulting coat in the area will grow in dark.

Nan Hampton's slides on feline genetics are also a good resource. Interestingly, the wild type cat color, short hair black mackerel (tiger) striping is actually a pretty uncommon pattern in modern domestic cats.


January 15, 2005

Panix.com has been hijacked. If you're lucky enough to have the domain name cached, you get:
Panix's main domain name, panix.com, has been hijacked by parties unknown. The ownership of panix.com was moved to a company in Australia, the actual DNS records were moved to a company in the United Kingdom, and panix.com's mail has been redirected to yet another company in Canada. Panix staff are currently working around the clock to recover our domain, but this may take until Monday, due to the time differences and difficulties in reaching responsible parties over the weekend.

For most customers, accesses to Panix using the panix.com domain will not work or will end up at a false site.

As a temporary workaround, you can use the panix.net domain in place of panix.com. In other words, if you're trying to log onto "shell.panix.com" or see your mail at "mail.panix.com," use "shell.panix.net" or "mail.panix.net" instead. However, you should only change the names of hosts that you connect to or your return address: the name you use to login to our mail servers, username@panix.com, should stay the same.


If not, you end up at an under construction site.

There's nothing complicated going on here. It just looks like basic fraud--taking advantage of the rather weak protections against domain slamming. Here's the start of the relevant thread on NANOG.

Sorry for the short outage... Dreamhost had a hardware problem. Hopefully it will be OK now. Posting will resume shortly.

January 14, 2005

This is really interesting. Evason, Huang, Yamben, Covey, and Kornfeld report that three anti-convulsants, ethosuximide, trimethadione, and 3,3-diethyl-2-pyrrolidinone, increase life span in C. elegans, with trimethadione increasing mean life expectancy by 47%. This is good news if you're a roundworm, but the really interesting thing is that trimethadione is already approved for humans. It will be interesting to see if these results can be replicated in humans.

January 13, 2005

Here in the South Bay, Premium is down below $2.00, at least at the Arco. It's $2.03 at the Chevron. Has this affected my behavior? Not at all.

January 12, 2005

Decongestant nasal spray works incredibly well. That is all.

A federal judge has just ruled that the police don't need a warrant to attach a GPS tracker to your car:
Police suspected the lawyer of ties to a local Hells Angels Motorcycle Club that was selling methamphetamine, and they feared undercover officers would not be able to infiltrate the notoriously tight-knit group, which has hazing rituals that involve criminal activities. So investigators stuck a GPS, or Global Positioning System, bug on Moran's car, watched his movements, and arrested him on drug charges a month later.

A federal judge in New York ruled last week that police did not need court authorization when tracking Moran from afar. "Law enforcement personnel could have conducted a visual surveillance of the vehicle as it traveled on the public highways," U.S. District Judge David Hurd wrote. "Moran had no expectation of privacy in the whereabouts of his vehicle on a public roadway."

Now, I'm aware that "expectation of privacy" is a technical legal term, but let's go with its ordinary meaning for a second. It's always been the case that in principle the police could track where you were on a public roadway by following you around in a car. However, it was really expensive and so they couldn't do it on any large scale. So, you could reasonably expect that unless they thought you'd done something really bad, the police didn't know where you were.

However, in the past 10-20 years it's gotten increasingly cheap for the police to track you, to the point where they can do it with a gizmo that probably costs no more than $100, so the amount of tracking you can reasonably expect to be subject to has increased quite a bit. Now, certainly one can think that it's a good thing for the police to be able to mount better surveillance, but I don't think it's reasonable to act as if the fact that you could in principle have been followed around automatically implies that it's OK for the police to be able to plant a tracking device on your car. It's kind of like saying that I should be OK with my neighbor having an atomic bomb because in principle he could have clubbed me to death with a piece of wood.

Acknowledgement: Kevin Dick originally made this point about cost and its relationship to the probability of surveillance.

SecurityFocus reports that a 21-year-old hacker in Oregon broke into T-Mobile's systems and had access to them for at least a year.
A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned.

The key thing to notice here is that he had access to e-mails and photos. Now, the idea with photos and e-mails is that they're sent between people's cell phones and/or computers. There's basically no reason that T-Mobile's systems need to have access to this data at all. It's not like T-Mobile employees need to be able to read it to provide you with decent customer support. All that T-Mobile's systems need to do is move the data from point A to point B.

A similar situation obtains with normal Internet mail systems. If someone breaks into your mail server, they can read all your un-downloaded e-mail¹. In most cases your mail server doesn't have to have access to the e-mail contents either (the exception here is when your mail server does spam and virus filtering).

The problem isn't insoluble. We have the technology to encrypt messages between people's handsets and computers, though we're having a terrible time deploying it for a number of reasons. That said, it's worth noting that a lot of the reason that it's difficult to deploy end-to-end encryption is that it's difficult to establish keys between people in two unrelated mail systems. However, that's not a problem when you're sending traffic from one T-Mobile handset to another. T-Mobile could arrange for end-to-end encryption between handsets fairly easily. Enough incidents like this and they may actually deploy it.

1. Technically speaking, it's like this. All the mail that you haven't downloaded lives on the server. Pretty much all IMAP clients as well as some POP clients leave all mail--even that you've already read--on the server.


January 11, 2005

The guys at Gizmodo pretty much have the Apple marketing strategy nailed.

In a long post about Social Security, Matthew Yglesias writes:
For some of us, the Social Security debate really is about what the president pretends it's about: How best to provide a dignified retirement for all Americans in a manner consistent with the continued growth of American prosperity.

Maybe I'm just particularly callous, but the reason why we as a community should be interested in providing old people with a dignified retirement rather escapes me. It's certainly true that old people are often sick and therefore unable to work, but that's an entirely different issue from just being old. We've already got programs that provide support for sick and poor people regardless of age. The purpose of Social Security is to fund people who just happen to be old.

Sure, it's attractive to be able to slack off a bit after working your whole life, but on the other hand it's attractive to be able to slack off while you're young before settling into a life of work, and the government didn't write me a check every month after I graduated college.¹ Now, it's true that the people retiring now have been paying into social security their entire lives and they're entitled to get something back. I'm sympathetic to that argument, but it doesn't explain why we need to continue the program in perpetuity; it merely says that we can't just cut them off cold turkey and need to find some way to close out the system gradually.

1. During college, of course, I slacked off at the expense of my parents, but the government wasn't really responsible for that.


January 10, 2005

Adam Shostack is bothered by Truro, MA's effort to solve a crime using large-scale DNA sampling:
The city of Truro, Massachusetts is trying to collect DNA from all 790 residents to solve a crime, reports the New York Times. It's not clear why they believe that residents are more likely to be the criminal than non-residents, and it is clear that they don't get the 4th amendment, against dragnet searches, or the 5th, against self-incrimination:
Sgt. David Perry of the Truro Police Department and other law enforcement authorities here say that the program is voluntary but that they will pay close attention to those who refuse to provide DNA.
There are numerous crimes which could be solved by door-to-door searches. We don't allow them, and we shouldn't allow this, either.

Note the section Adam quotes about how "the program is voluntary but that they will pay close attention to those who refuse to provide DNA". This has some interesting implications.

Let's assume for the moment that we have some population of size N and we know that includes the perpetrator. Let's start with a premise I think we can all agree with: no sane perpetrator is going to hand over his DNA voluntarily, since it's sure to convict him. Now, of the remainder of the population, some fraction will agree to hand over their DNA (call these people Compliant and denote their number as N_c) and some won't (call them Noncompliant and denote their number as N_n).

Assume for the moment that the police have no information about who the perpetrator is other than that he's a member of the population (yes, I know this isn't true, but it's useful for illustrative purposes). So, any given person has a 1/N chance of being the perp. Now, once they've done the testing, they've narrowed the set down to the Noncompliant, and any Noncompliant person has a 1/N_n chance of being the perp. The higher the fraction of compliance that the police can get, the more information they get from the fact that someone isn't compliant. In the limit, if everybody but the perp complies then the probability that the single Noncompliant person is the perp is unity.

This effect is enhanced by the fact that compliance and noncompliance aren't randomly distributed. It's true that some people will refuse to comply on principle, but a substantial fraction of the Noncompliant probably have less noble reasons. Even if they're not the perp, they may have other reasons not to have their DNA collected--for instance they've committed another crime that their DNA might match to. (The police say they're only going to use the information for this particular crime, but criminals don't typically trust the police). From this perspective it makes sense for the police to single out the Noncompliant for extra scrutiny.

There's a positive feedback loop here. If the fact that someone doesn't comply increases the probability that they're a bad guy, and singles them out for extra scrutiny, it becomes pretty unattractive to refuse to comply. Only the people who have a real reason to refuse will do so, which means that Noncompliance is an even stronger signal, increasing the incentive to comply. Similarly, this gives the police a real incentive to hassle the Noncompliant in order to increase the strength of the signal. If they're successful, the only people who won't comply are criminals and a few privacy nuts, who can be hassled pretty much at will.

The converse of this is that if enough people value their privacy and refuse to comply, the value of Noncompliance as a signal diminishes drastically and the police will find it very hard to lean on the Noncompliant. If you don't like this kind of search, your best bet is to convince other people to refuse.

Acknowledgement: This post came out of extensive discussions with Kevin Dick.


January 9, 2005

Here's an interesting SJ Mercury article about how schools are using breathalyzers on their students:
School officials say they've turned to breathalyzers to curb periodic alcohol-related problems at campus events, from students vomiting or passing out, to teens becoming contentious when confronted with their drunken behavior.

"Students would show up drunk at the dance," said Nikolai Kaestner, student activities director at Palo Alto's Gunn High School. "It would take an hour before the kid would admit to it. Now we don't discuss it with them. We just breathalyze them immediately."

Gunn began using the devices at dances last school year. To bypass potential legal challenges and community concerns about students' civil rights, Gunn -- like most area campuses -- tests students only if there's reason to suspect they've been drinking. The penalty for a positive result is a five-day suspension, which is reduced to three days if the student agrees to attend counseling provided by the school.

Schools can already require drug tests for participation in pretty much any after school activity. People respond to incentives, so I wonder if this kind of enforcement is going to result in a secondary market for extracurricular activities like sports and dances. Ordinarily, I would imagine it would, but the kids aren't generally the ones paying and lots of parents are happy to see their kids drug tested...

Reader Aaron Falk pointed me to this article on rules for how to act in the gym. I work out at a gym that's mostly empty, but in your average Golds Gym or 24 Hour, there's a lot of contention for the equipment and knowing how to share is pretty important.

January 8, 2005

My friend Nagendra has moved to San Francisco and asks me what to wear for running in the cold. Obviously, this is something you need to experiment with, but here are some guidelines and some clothes suggestions.

Basic principles
The first thing you have to do is avoid wearing too much. Running warms you up quite a bit, so you definitely don't want to be wearing something that would be comfortable if you were just walking around. If you're not a bit cold when you start out, you're pretty much guaranteed to overheat inside the first 10 minutes or so. The usual guideline is that you should be wearing something that would be comfortable if it were 10°F warmer than it actually is. It often helps to wear stuff that can be worn several ways (e.g. sleeves that can be rolled up or shirts that can be unzipped) so you can cool down once you've been working out for a while.

The second issue is that you warm up very unevenly. Because you're running, your legs are going to heat up first and your chest second. Your arms don't warm up that much and your hands actually seem to get colder as blood gets drawn away to other parts of your body. Your ears and nose are likely to get cold. Remember that the only reason you're staying warm is because you're exercising and while your legs may be working, your ears aren't.

Finally, you need to consider moisture management. If you're running in shorts and a t-shirt, it doesn't much matter what you wear unless it's really hot or humid. True, your shirt will get wet and many people prefer technical fabrics like CoolMax, but most people can get along OK with cotton, too. In winter, the situation is different. You're going to sweat and since you're probably wearing long sleeves, you're going to end up soaked unless your clothes do a good job of wicking the moisture away from your skin. This is an even bigger problem in the rain because you've got water coming down on you at the same time as you're trying to get it off your skin.

Pretty much all the clothing you'll be looking for is some sort of synthetic technical fabric, mostly various kinds of polyester, often blended with Lycra or some other stretch fabric to make it conform to the body. These fabrics come in a variety of weights appropriate for different temperature ranges.

For temperatures just cold enough to want to wear long sleeves, you probably want to go with something fairly lightweight. You can get long-sleeve shirts made out of the same moisture management fabrics that people typically use for hot weather running, such as CoolMax (these are listed in rough order of warmth). I have RaceReady's CoolMax long sleeve shirt which is quite comfortable: soft, light, and breathable. One downside is that it's a bit short in the torso, so it can gap a bit in the lower back. There are lots of other CoolMax shirts out there and you can pick based on your aesthetic taste.

The next step up from CoolMax is a variety of middle-weight fabrics designed for fall conditions, such as ThermaStat or PolarTec PowerDry. These fabrics are a bit heavier than CoolMax but are still basically summer or fall weight fabrics. I have one of the RaceReady ThermaStat tops, which is also quite nice. It's got a half turtleneck which is nice for a little extra warmth but means you're kind of committed to a single temperature range.

The next step up is midweight fabrics that are a bit thicker and warmer than the t-shirt weight fabrics listed above. These are typically a bit stretchy with a smooth exterior surface and a brushed interior surface. I've seen this kind of fabric under the names DryLete (Hind) and Dryline (Brooks, RaceReady). I've got a pair of Brooks Dryline shirts that I like quite a bit. They've got a medium length zipper which lets you adjust to a surprisingly wide range of temperatures. The Dryline fabric is fairly wind resistant and keeps you warm even when it's soaking wet, which is nice in the rainy California winter weather.

Once you get outside the range where the above stuff will keep you warm, you've got two major choices. The first is to start layering. So, in medium-cold situations I'll wear a short-sleeve CoolMax t-shirt underneath one of the Dryline tops. This keeps your torso warm and your arms can more or less fend for themselves. An alternative I've recently discovered is Sporthill's 3SP fabric, which seems to be good down to about 20-25°F. 3SP is also wind resistant up to about 35 MPH, which is nice.

Below 25°F or so, you're pretty much going to have to layer. I recommend some sort of lightweight Polarfleece or softshell jacket or vest. If you can, get one that's got a windproof layer. I own a windproof Pearl iZumi vest that's served me very well in cold conditions.

It's tempting to try to keep the wind--and especially the rain--off with some kind of shell. There are a large number of different shells you can buy, ranging from simple nylon (moderately breathable) to Gore-Tex and Pro-Pore (less breathable but more-or-less waterproof). The basic problem with any kind of shell is that it's not that breathable and if you're working out hard you tend to end up wet inside the shell. Modern synthetics will keep you warm even when wet, and I've converted almost entirely to non-waterproof gear. Sure, you get wet, but you were going to get wet anyway, and at least you don't collect a puddle inside your rainjacket.

Because your legs are what's doing the work, you can get away with surprisingly little in terms of leg covering. When I was a kid, a lot of people used to wear sweats, but cotton's a terrible fabric for exercising in. These days there are basically three choices: windproof nylon, microfiber or Gore-Tex pants; semi-stretchy close-fitting pants; and lycra tights.

The idea behind windproof pants is that they don't provide much insulation but they keep the wind chill factor down. These were real popular when I was a kid, back when they were made of nylon, but they've sort of gone out of fashion a bit, for the reasons I mentioned above. Now they're mostly made of something like microfiber or Gore-Tex. Still, they can be useful in windy or wet situations.

What's most popular now for men is semi-stretchy close-fitting pants like the Hind Munich pant. These pants are made of a fairly thick, stretchy fabric that's somewhere in between CoolMax and Dryline and are tighter than sweats but looser than tights. This kind of pants are good down to about 25 degrees or so.

The final alternative is lycra tights. These are extremely close-fitting and quite warm, but generally out of favor with men--runners, at least, they're popular with cyclists--but are still reasonably popular with women, who don't seem quite as concerned about sporting the ballet dancer look. They can also be worn underneath a pair of pants in really cold conditions.

If it's at all cold, you'll probably want something to keep your hands warm. The standard thing is lightweight synthetic knit gloves. All of the major manufacturers (Hind, Pearl iZumi, New Balance, Brooks, etc.) make them and they're all more or less interchangeable. The nice thing about these gloves is that they pack down tight so you can shove them in a pocket or tuck them in your pants. In a pinch, you can wear a pair of socks on your hands like mittens. This looks a little stupid, but it's actually quite warm and since you surely have lots of pairs of socks, it's generally easy to find a clean pair. If it's really cold, you'll want something that's windproof, but you generally want something that's got a fabric outer rather than nylon. Most people's noses run in the cold and soft gloves are good for wiping with.

The second thing you'll want is some sort of hat. Typically these are either knit or made of Polarfleece. Your standard beanie will do just fine, but I advise picking something that can cover your ears, for two reasons. First, your ears tend to get cold when you're running, and pulling your hat over them helps. Second, keeping your ears covered makes a big difference (at least for me) in your overall level of warmth.

Running in the rain
At least in California, the big challenge in winter running is that it rains a lot. The key thing here is to resign yourself to getting wet and wear clothing that will keep you warm when it is wet. All of the gear I've recommended should do a pretty good job, but you'll have to experiment a bit to see what's most comfortable for you. Good luck!

Check out what's sure to be the newest women's fitness craze: stripping and pole dancing. I want to go on record as saying I'm shocked, shocked, that women would... oh the heck with it.

January 7, 2005

A U.S. District Judge has ruled that Listerine can't keep running their ads saying that Listerine is as good as flossing:

U.S. District Judge Denny Chin said in a decision made public Friday that he will order Pfizer, the maker of Listerine, to stop the advertising campaign. The lawsuit was brought by a Johnson & Johnson company that makes dental floss.

"Dentists and hygienists have been telling their patients for decades to floss daily," Chin wrote. "They have been doing so for good reason. The benefits of flossing are real -- they are not a 'myth.' Pfizer's implicit message that Listerine can replace floss is false and misleading."

The judge ruled after McNeil-PPC Inc., a Johnson & Johnson subsidiary, filed a lawsuit saying that false claims in the advertising campaign that began last June posed an unfair threat against its sales of dental floss.

Pfizer in print ads had featured a Listerine bottle balanced equally on a scale opposite a floss container with the words: "Listerine antiseptic is clinically proven to be as effective as floss at reducing plaque and gingivitis between the teeth."

The campaign also featured a television commercial titled the "Big Bang." In it, the commercial announces that Listerine is as effective as floss and that clinical tests prove it, though it does add that there is no replacement for flossing.

The judge said "substantial evidence" demonstrates that flossing is important in reducing tooth decay and gum disease and that it cannot be replaced by rinsing with a mouthwash.

The judge also noted that the authors of articles on which Pfizer based its ad campaign had emphasized that dental professionals should continue to recommend daily flossing and cautioned that they were not suggesting that mouthrinse be used instead of floss.

Here's the thing, though:

  1. Pfizer never claimed that flossing wasn't good or that people shouldn't floss.
  2. They did claim that studies show that Listerine is as good as flossing. However, this claim is true.

So, what exactly is the problem?


January 5, 2005

I'm writing something in LaTeX and decided that I didn't want to type in the BibTeX entries for all the RFCs I wanted to cite. The RFC Editor maintains an XML index of all the RFCs so it was a fairly short matter to write a script to convert that index to BibTeX format. If you're interested, you can find a copy here. Unfortunately, there doesn't seem to be an XML version of the Internet Drafts index and I haven't written a parser for the vaguely idiosyncratic format yet.

Here's a simple problem with kind of a surprising answer. Say you have a group of people playing some game that's played in pairs (like doubles tennis). How many games does it take to determine who the best player is?

We'll start by making some simplifying assumptions:

  1. Players' skills are purely linear and denoted by integers >= 0.
  2. The outcome of any game is deterministic: the team with the highest total skill wins. This implies that the game isn't positional the way that, say, bridge or foosball is.

I generally like to approach problems like this by working the simplest possible version first, which in this case is four players. We'll call them A, B, C, and D. This allows us to potentially play three games:

  1. A,B vs. C,D
  2. A,C vs. B,D
  3. A,D vs. B,C

Say that A,B wins game 1, A,C wins game 2, and B,C wins game 3. This gives us three equations:

  1. A + B > C + D
  2. A + C > B + D
  3. B + C > A + D

Putting equations (1) and (2) together, we can determine that A>D (because A can beat D with either B or C on his side). Similarly, if we put equations (1) and (3) together, we can determine that B>D. Finally, if we put equations (2) and (3) together, we can determine that C>D. Unfortunately, this doesn't tell us whether A, B, or C is the best.

It may help at this point to try a small numerical example. The results above are consistent with the following skill values:

  A = 10, B = 9, C = 6, D = 1

These predict the outcomes we expect:

  1. A(10) + B(9) > C(6) + D(1)
  2. A(10) + C(6) > B(9) + D(1)
  3. B(9) + C(6) > A(10) + D(1)

However, they're also consistent with swapping A and B's skills:

  A = 9, B = 10, C = 6, D = 1

These predict exactly the same outcomes:

  1. A(9) + B(10) > C(6) + D(1)
  2. A(9) + C(6) > B(10) + D(1)
  3. B(10) + C(6) > A(9) + D(1)

Finally, if we swap A and C, we get:

  1. A(6) + B(9) > C(10) + D(1)
  2. A(6) + C(10) > B(9) + D(1)
  3. B(9) + C(10) > A(6) + D(1)

Notice, however, that we were able to determine the worst player: it's D, because he causes whoever he's paired with to consistently lose. This suggests that there must be some set of circumstances in which we can determine the best player, and indeed there are. If we reverse the outcome of game 3 so that A and D win, this gives us the following set of equations:

  1. A + B > C + D
  2. A + C > B + D
  3. A + D > B + C

As before, we can put these equations together to determine that A>D, A>C, and A>B. So, now we can determine that A is the best player but not distinguish B, C, and D. In a four-person group, you can always tell who either the best player or the worst player is, but not both.

The intuition for the general case you want to have here is about resolution. If the difference between the best player and the second best player is less than the difference between another disjoint pair of players, then there's no way to distinguish them. No matter how many players you have, there will always be some pair of players who are the closest and there will be no way to distinguish them, no matter how many matches you play.
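The four-player analysis above can be checked by brute force. The following is an added example, not code from the original post: it enumerates every assignment of distinct integer skills in an assumed range of 0 to 12, plays the three games under the deterministic rule, and records which players could be best or worst for each result. The names `winner`, `analyse`, and `verdict` are hypothetical.

```python
from collections import defaultdict
from itertools import product

PLAYERS = "ABCD"
# The three possible pairings of four players (games 1-3 in the text).
GAMES = [("AB", "CD"), ("AC", "BD"), ("AD", "BC")]


def winner(skills, game):
    """Return the winning pair under the text's rule (higher total skill wins),
    or None if the totals tie."""
    left, right = game
    l_total = sum(skills[p] for p in left)
    r_total = sum(skills[p] for p in right)
    if l_total == r_total:
        return None
    return left if l_total > r_total else right


def analyse(max_skill=12):
    """For every tie-free result of the three games, collect which players are
    best / worst in at least one skill assignment that produces that result.
    max_skill is an assumed bound that keeps the search small."""
    seen = defaultdict(lambda: {"best": set(), "worst": set()})
    for values in product(range(max_skill + 1), repeat=len(PLAYERS)):
        if len(set(values)) < len(PLAYERS):
            continue  # equal skills: "best" would be ambiguous by definition
        skills = dict(zip(PLAYERS, values))
        result = tuple(winner(skills, g) for g in GAMES)
        if None in result:
            continue
        seen[result]["best"].add(max(skills, key=skills.get))
        seen[result]["worst"].add(min(skills, key=skills.get))
    return dict(seen)


def verdict(candidates):
    """Summarise one result: which of best/worst the games pin down."""
    best, worst = candidates["best"], candidates["worst"]
    return {
        "best": next(iter(best)) if len(best) == 1 else None,
        "worst": next(iter(worst)) if len(worst) == 1 else None,
    }


if __name__ == "__main__":
    for result, candidates in sorted(analyse().items()):
        print(result, verdict(candidates))
```

Each of the eight possible results pins down exactly one of the two extremes: either one player was on the winning side of all three games (the best) or one player was on the losing side of all three (the worst).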

Acknowledgements: I originally worked this problem with Lisa Dusseault.


January 4, 2005

Adam Shostack writes:
Adam Laurie and company continue to not release code for their Bluetooth attacks, and vendors continue not to fix them. Are we better off, with millions more Bluetooth devices out there? Do we expect that there will be no release of code, and that without POC code, we're safe? Bluetooth is different from internet vulns, in that you need to be nearby to exploit them. That may well tip the balance against disclosure, but as someone who travels to lots of security conferences attended by hackers and elite attackers, I wish my phone was secure.

I haven't paid much attention to these attacks because el Treo 600 isn't Bluetooth capable (and come to think of it, neither is my computer), but that's not going to stop me from weighing in.

If you're going to engage in this sort of partial disclosure, the general idea is:

  1. To explain to people whether they're likely to be vulnerable.
  2. To tell them how to protect themselves.

The trick, of course, is to accomplish these goals without giving attackers too much leverage to reproduce the attack. Did Laurie succeed? I guess that depends on whether independent code to exploit the flaws appears before they're generally fixed. Of course, the fact that no POC code is available provides the manufacturers with less incentive to roll out fixes...


January 3, 2005

TiVo is introducing a new feature that will let you move shows from the TiVo to your PC and later to DVDs. That is, unless they're DRM-infected:
No longer confined to TiVo digital video recorders in the living room or bedroom, subscribers will be able to transfer their recorded shows to PCs or laptops and take them on the road -- as long as the shows are not specially tagged with copy restrictions. That's also the case for pay-per-view or on-demand movies, and some premium paid programming.

Can anyone who's got a Series 2 TiVo let me know what fraction of shows are tagged uncopyable?


January 2, 2005

Lisa and I are watching Return of the King, and I wanted to mention the one thing that's bugged me throughout the whole series. Gandalf is portrayed as an amazingly powerful wizard yet pretty much the only way you ever see him fight is with his staff or sword. Wouldn't a sorcerous attack be far more effective?

UPDATE: Nick Weaver notes in the comments thread that the extended edition has some magic-on-magic conflict, but that actually makes things even more puzzling. Wouldn't some sort of magical cluster bomb have a pretty devastating effect on your average orc army? Andrew McGregor observes that Gandalf's main powers were in people magic. Still, those fireworks he made for Bilbo's birthday looked pretty destructive (you can tell I haven't read the books in years and years).

It's worth mentioning that while some of the alternatives to patdowns, such as whole-body x-ray screening, are less obviously invasive, people complain about them too:
American Science and Engineering in Billerica, Mass., says its "BodySearch" system reveals plastic guns and ceramic knives. Instead of simply sounding an alarm if it detects a metal object, it shows an X-ray image of the person on a computer screen. A company marketing photo shows that its scanning device reveals items hidden under clothing, such as plastic guns, ceramic knives, even drugs. But it also shows the man's buttocks and a blurry image of his genitals.

A system from Rapiscan Security Products, a Hawthorne, Calif., company, uses a similar technology. The company's promotional photos show a man with a Glock 17 pistol tucked into his pants. They also explicitly show the overweight man's body.

The American Civil Liberties Union opposes the idea of using body-scanning devices on all passengers.

"These devices are electronic strip searches," said Jay Stanley, a spokesman for the ACLU. "To board an airplane, people shouldn't have to submit to strip searches and reveal intimate and potentially embarrassing details about their bodies."

Would you rather be groped by strangers or have them stare at x-rays of your genitals? Tough call.

The ACLU has been collecting people's comments about their treatment at the hands of the TSA, and I've seen some comments on Interesting People. In general, people seem to feel that the screeners are insensitive, rude, or were being... overenthusiastic while frisking them (these complaints typically come from women).

From the ACLU page:

A September 2004 TSA directive granting airport security screeners broad leeway to conduct "pat-down" searches has led to numerous reports of sexual harassment and abuse.

Victims are reporting that they are not being offered private searches or searches by screeners of the same sex, and that "private" searches are being conducted behind screens that provide no privacy. Passengers are reporting rough, rude, and humiliating manhandling and groping of their breasts and crotch areas, demeaning sexual comments, and being forced to remove business jackets in full view of crowds, despite the fact that it is a widespread convention in our society for women to wear only bras or other undergarments underneath such jackets.

I generally think that airline searches are not that valuable, but I'm a little curious what people expect. The complaints I hear sound like the generic kind of complaints I hear about people's encounters with authority, whether the authority is police, customs agents, security guards or whatever. When you give humans significant power over others and fairly wide latitude to exercise it, you're going to get people feeling like they've been abused.

As a simplification, imagine that we rank behavior on a linear scale with totally appropriate (but ineffective) as a 0 and totally inappropriate (but effective) as a 10. Now, if we tell the screeners to behave with an appropriateness value of 5, there's actually going to be some dispersion in terms of their behavior. In particular, about .25% of searches will actually be at appropriateness level 8. When you factor in people's varying opinions about what's appropriate, you're going to get people who feel they've been abused.

There are two basic approaches to this problem:

  1. Reduce the overall intensity of the search, say to a 3.
  2. Reduce the variation in search intensity by promulgating stricter guidelines, better training etc.

Unfortunately, there's only so much you can do to reduce the variation, because people are imperfect and there's a limited amount of training you can afford to give, especially when you have a very large number of screeners, as TSA does, and an enormous number of passengers being searched. The situation is actually much worse here than I suggest above, because the screening being used--a pat down search--is probably on the very borderline of what people consider appropriate, so even a small amount of variation leads to people feeling aggrieved.

Certainly it's legitimate to complain that the enforcement "quality control" isn't good enough and we need better policies to control the variation, and there's obviously some room for improvement (in particular, the rule that people should be offered private searches should be something that can be enforced unambiguously). But as long as the TSA officials are in the business of patting people down, some people are going to feel that they were groped. As a society, we need to decide whether that's a price we're willing to pay, but we shouldn't have any illusions that it's going to somehow go away just by the TSA becoming more diligent and professional.

Apparently, the Pentagon and CIA want to have permanent detention for suspected terrorists without trial:
Administration officials are preparing long-range plans for indefinitely imprisoning suspected terrorists whom they do not want to set free or turn over to courts in the United States or other countries, according to intelligence, defense and diplomatic officials.

The Pentagon and the CIA have asked the White House to decide on a more permanent approach for potentially lifetime detentions, including for hundreds of people now in military and CIA custody whom the government does not have enough evidence to charge in courts. The outcome of the review, which also involves the State Department, would also affect those expected to be captured in the course of future counterterrorism operations.

So, exactly what controls are we going to have on this? We're just going to let the CIA pick up random people and hold them indefinitely? I'm not naive enough to think we never do that in extreme situations, but it's now going to be official policy?


January 1, 2005

Worldwide textile quotas expire today as part of countries' WTO obligations. Most of the coverage is about how bad this is for the domestic textile industry (which just lost a bid to get "temporary safeguards" to extend them) and just mentions in passing that it's good for US consumers and textile manufacturers in poor countries. Before you cry for the US textile workers, remember that the US still imposes an average 16% duty on imported textiles.