EKR: May 2005 Archives


May 31, 2005

Human Events's list of the most harmful books of the 19th and 20th centuries is making the rounds. Now, I realize that these guys are conservative and so it's not surprising to see the usual suspects: The Communist Manifesto, Mein Kampf, etc., but the list starts to get a little weird around number 4, The Kinsey Report, and 10, Keynes's General Theory of Employment, Interest and Money. But it's in the Honorable Mention section that things go totally off the rails: The Origin of The Species, The Descent of Man, On Liberty????
People forget their website passwords constantly, and having them talk to some customer support type is very expensive. As an aid to automatic password recovery, web sites have taken to recording "personal questions" that are semi-private but that you presumably already know the answer to (e.g., where did you go to school). Then, they can ask these questions when you ask for a password reset, which still doesn't require a human. Now, anyone who does much research about me knows that I attended the University of Lagos, but it (at least in theory) raises the bar for a casual attacker.

I recently had occasion to register for an Alaska Airlines online frequent-flyer account and was confronted with a form that demanded four personal questions. Aside from the obvious pain in the ass for users (you've just doubled the time it takes to fill in the form), there's an obvious privacy risk. If you actually fill in each of these questions truthfully, Alaska has a bunch of information about you they wouldn't otherwise have. Indeed, some of their questions (which come from a drop-down list so you can't input your own) include mother's maiden name, father's birthday, etc. You can, of course, lie, but this obviates the point of the personal questions since now you have to remember your lies (or write them down on the same post-it you wrote down the password).

To make matters worse, it potentially turns Alaska's security problems into your security problems. I might trust Alaska's privacy policies, but if someone breaks into their system and steals my questions and answers1, that's not a good thing, especially if people are stupid enough to actually give Alaska their mother's maiden name, which I'm sure they are.

And of course all of this is used to secure access to your frequent flyer account.

1. Yes, Alaska could hash the responses, but that makes it hard to deal with minor variations in case, punctuation, etc., so I doubt they do.


May 30, 2005

In February, the DoD released data indicating that discharges under the military's homosexual conduct ("Don't ask, don't tell") policy are way down. 653 servicemembers were discharged in 2004, down from 770 in 2003 and 1,227 in 2001. [*]. In some sense, this is unsurprising; the military is having enormous manpower problems. They're missing recruitment targets and having to forcibly extend people's enlistments. Obviously, the incentive is not to discharge gays if at all possible.

But the flip side of that is that the reason that the military is having such a big manpower problem is that the service environment has become much more hazardous. So, why aren't more service members choosing to opt out? Note that I'm not suggesting that people lie to avoid service. We have a military of about 1.4 million with roughly 200,000 personnel deployed in Iraq and Afghanistan. Even if we assume that only 1% are gay, that would still translate to over 2,000 discharges a year. Add that to the peacetime base rate of about 1000 discharges a year and you get about 3,000 discharges. So, we're missing about 2,000 discharges.

So, it appears that soldiers who could easily place themselves out of harm's way are choosing not to. Why? My best guess here is that it's for the most honorable reasons: loyalty to their comrades and commitment to getting the job done. Bravo.


May 29, 2005

The New York Times reports that the Department of Education wants to require universities to report information on all students (previously, information was only required on students who received federal funding):
The plan could be part of the spending bill for the Higher Education Act that the Senate will vote on next month. If included in the spending measure, the plan would radically change current practice by requiring schools to provide personal information on all students, not just those receiving federal aid.

Submissions would include every student's name and Social Security number, along with gender; date of birth; home address; race; ethnicity; names of every college course begun and completed; attendance records; and financial aid information.

Such detailed information is now provided only for students receiving federal aid, giving the department only a partial picture of higher education nationwide. The new approach, department officials say, would not only complete the picture but also help track students who take uncommon paths toward a degree.

"Forty percent of students now enroll in more than one institution at some point during their progress to a degree," said Grover Whitehurst, director of the department's Institute of Education Sciences, which devised the plan. "The only way to accurately account for students who stop out, drop out, graduate at a later date or transfer out is with a system that tracks individual students across and within post-secondary institutions."

I certainly understand why the DoE would want to gather this information. It's certainly much easier to study things when you have all the raw data in front of you. But DoE's convenience isn't the only issue here: under this plan they'll be collecting all sorts of personal information that students aren't necessarily willing to share. Indeed, the University is forbidden to release this information to ordinary third parties under 20 USC S. 1232g (b)(1). I would imagine that DoE could get most of the data that they want in ways that protects students privacy better (e.g., anonymization, aggregation, etc.) Of course, why bother to think about that when you can just order universities to give you the data you want?

Trader Joe's is now carrying Trader Joe's brand beers. A TJs tells me that they're made for TJs by Gordon Biersch, and if you look carefully you can see that the TJ beer logo is a takeoff of the Gordon Biersch logo. They seem to be basically the same as the GB beers... a pretty good deal at $4.99 a six pack.
Federal law enforcement is concerned about allowing cell phone use in flight because (I'm not making this up) terrorists might use it to coordinate. Let's take this point by point.
WASHINGTON (Reuters) - Allowing airline passengers to use personal cell phones during flights could help potential hijackers coordinate an attack or trigger a bomb smuggled on board, U.S. security officials have told regulators.

The U.S. Justice Department, Department of Homeland Security and Federal Bureau of Investigation late on Thursday outlined the potential dangers associated with allowing cell phone use during plane flights, as the Federal Communications Commission has proposed if safety issues can be resolved.

Yes, terrorists could use cell phones to communicate with the ground. But they could do that right now because people already use cell phones on planes. This only gets detected when the flight attendants actually hear you talking on the phone, but you can avoid that by using the phone in the lavatory or using SMS instead of voice. The bomb argument is even sillier because bombs can certainly be set off by SMS or even simple radio detonators. Even if you had some sort of cellular call detector in place--which as far as I know, planes do not--by the time you find out who's making the call, you've already been blown to pieces.

If wireless phones are to be allowed in-flight, the law enforcement agencies urged that users be required to register their location on a plane before placing a call and that officials have fast access to call identification data.

Uh, this would be half the people on the plane, right?

Security theater at work again...


May 28, 2005

Drivers are complaining that Danica Patrick has an advantage at the Indy 500 because she only weighs 100 lbs:
"The lighter the car, the faster it goes," Gordon said. "Do the math. Put her in the car at her weight, then put me or Tony Stewart in the car at 200 pounds and our car is at least 100 pounds heavier.

"I won't race against her until the IRL does something to take that advantage away."

The IndyCar Series does not consider the weight of the driver in its race specifications. The car has to weigh at least 1,525 pounds before the fuel and driver are added, and teams in Indy have estimated that Patrick will gain close to 1 mph in speed because of her small stature.

No doubt the weight advantage is real, but so what? Sports are full of situations in which one competitor has a physical advantage over another. Presumably, Gordon's current position is at least partly due to his good reflexes. Should he have to put some kind of damper on his steering wheel so that I have a shot against him?

Comments on draft-ietf-nntpext-tls-nntp (these comments are on the very similar -05 version, rather than the current -06 version):
Subject: Comments on draft-ietf-nntp-tls-nntp-05.txt
Cc: [Authors]
Date: Tue, 24 May 2005 08:22:57 -0700
From: EKR

I just reviewed draft-ietf-nntp-tls-nntp-05.txt. I see that it's
in Last Call Requested, so consider these some early LC

S reads:

     If the NNTP client decides that the level of authentication or
     privacy is not high enough for it to continue, it SHOULD issue a
     QUIT command immediately after the TLS negotiation is complete.  If
     the NNTP server decides that the level of authentication or privacy
     is not high enough for it to continue, it SHOULD either reject
     subsequent restricted NNTP commands from the client with a 483
     response code (possibly with a text string such as "Command refused
     due to lack of security"), or reject a command with a 400 response
     code (possibly with a text string such as "Connection closing due
     to lack of security") and close the connection.

I don't understand how this happens. TLS includes a negotiation mechanism.
Implementations shouldn't offer ciphersuites that they aren't willing to
accept when they complete. If you mean that you get a certificate
that you subsequently decide you don't like, that's a slightly 
different issue and I think deserves special discussion.

     o  The client MAY check that the identity presented in the server's
        certificate matches the intended server hostname or domain.
        This check is not required (and may fail in the absence of the
        TLS server_name extension [TLS-EXT], as described above), but if
        it is implemented and the match fails, the client SHOULD either
        request explicit user confirmation, or terminate the connection
        but allow the user to disable the check in the future.
     o  Generally an NNTP server would want to accept any verifiable
        certificate from a client, however authentication can be done
        using the client certificate (perhaps in combination with the
        SASL EXTERNAL mechanism [NNTP-AUTH], although an implementation
        supporting STARTTLS is not required to support SASL in general
        or that mechanism in particular).  The server MAY use
        information about the client certificate for identification of
        connections or posted articles (either in its logs or directly
        in posted articles).

I don't understand the underlying authentication model here. Roughly
speaking, there are two ways to use certificates:

    Certs are signed by some third-party CA. This is an attestation
    that the key in the cert corresponds to the named end-entity.
    If you're relying on the certificate in this way, then you
    must verify the peer identity or there's no point in verifying
    the cert at all, since any idiot can obtain one.

Key Carrier: 
    The certificate is unsigned and is just used as a way to carry
    the key. Variants of Key carrier include "fingerprint" where you
    check that the cert matches some externally exchanged fingerprint
    and leap-of-faith" where you check that the same cert is used
    every time. In all three of these environments, it doesn't make
    any real sense to verify the peer host name, except to detect

The text you have here doesn't seem to well match either model.

S 5:
     Both the NNTP client and server must check the result of the TLS
     negotiation to see whether an acceptable degree of authentication
     and privacy was achieved.  Ignoring this step completely
     invalidates using TLS for security.  The decision about whether
     acceptable authentication or privacy was achieved is made locally,
     is implementation-dependent, and is beyond the scope of this

As noted above, it's not really sensible to ask whether a sensible
level of privacy was achieved b/c that's inherent in TLS's 
handshake. The right question is about peer identity. As an implementation
note, most TLS stacks let you force the policy rules for peer
authentication into the handshake process, so you don't even
get to this stage if the peer's credentials aren't ok.

     The client and server should also be aware that the TLS protocol
     permits privacy and security capabilities to be renegotiated mid-
     connection (see section 7.4.1 of [TLS]).  For example, one of the
     parties may desire minimal encryption after any authentication
     steps have been performed.  This underscores the fact that security
     is not present simply because TLS has been negotiated; the nature
     of the established security layer must be considered.

Yes and no. 
     1. Peers *can* renegotiate, however, this very rarely happens
	because the semantics aren't well-defined. In particular,
	there are I/O deadlock issues unless you're fairly careful.

     2. Either peer can offer renegotiation, but the other peer
	can ignore the request. The consequences here are a little
	undefined (see above).

     3. Renegotiation can't be forced by any outsider.

     4. You can guarantee that your security properties can't 
	change by only offering/accepting the same ciphersuites
	post-renegotiation as before. This may result in a 
	connection loss, but not a failure. cf. My previous 
	comments about not TLS negotiating algorithms you don't

I wanted to note this sentence in particular:

     For example, one of the parties may desire minimal encryption after
     any authentication steps have been performed.

I hear this kind of thing a lot, usually for performance reasons.
Modern computers can encrypt at a truly tremendous rate. For

FreeBSD 5.3, P4, 3GHz,
RC4		123 MB/s
MD5		308 MB/s
SHA-1		115 MB/s
AES-128		 70 MB/s

So, in practice you can saturate a GigE line with SSL/TLS traffic without
too much effort. If we assume that you use the fastest algorithm: RC4/MD5,
you see a 4x performance improvement removing RC4. However, if you
are using SHA-1 (as is current recommended practice) you only get a
factor of 2, which isn't that impressive. I would generally avoid
encouraging WGs to advise people to turn off encryption for performance


UPDATE: You can find the discussion thread resulting from this comments here.

Tyler Cowen quotes (summarizes?) from a biography of Fischer Black:
He did almost all of his work in an outlining program called ThinkTank, which he used as a kind of external associative emmory to supplement his own. Everything he read, every conversation he had, every thought that occurred, everything got summarized and added to the data base that swelled eventually to 20 million bytes organized in 2000 alphabetical files...Reading, discussion and thinking that Fischer did outside the office was recorded on slips to paper to be entered into the database later. Reading, discussion, and thinking that took place inside the office was recorded directly. While he was on the phone, he was typing. While he was talking to you in person, he was typing. Sometimes he even typed while he was interviewing a prospective job candidate, looking at the screen not the candidate.

My memory is pretty good but about two years ago I had to give in and offload my scheduling memory to a PDA. I haven't tried offloading my actual memory yet. Any EG readers try something realy extensive like this and want to share the results?

The FTC has launched Operation Spam Zombie in an attempt to control spam. Here are the five recommendations they sent in their letter to 3000 ISPs:
  • block port 25 except for the outbound SMTP requirements of authenticated users of mail servers designed for client traffic. Explore implementing Authenticated SMTP on port 587 for clients who must operate outgoing mail servers.
  • apply rate-limiting controls for email relays
  • identify computers that are sending atypical amounts of email, and take steps to determine if the computer is acting as a spam zombie. When necessary, quarantine the affected computer until the source of the problem is removed.
  • give your customers plain-language advice on how to prevent their computers from being infected by worms, trojans, or other malware that turn PCs into spam zombies, and provide the appropriate tools and assistance.
  • provide, or point your customers to, easy-to-use tools to remove zombie code if their computers have been infected, and provide the appropriate assistance.

These actually seem like fairly sensible recommendations, with the possible exceptions of the first point. A lot of ISPs already implement port 25 blocking, but I'm not sure it really makes that much sense. After all, it's not like it's really that hard for a zombie program to connect to the ISP's SMTP server (get that information from the user's legitimate mail program), and I understand that some malware already does this. The chief benefit of blocking is that it provides a central control point, which makes rate limiting easier. But you could do much the same thing with either passive monitoring or transparent interception and gatewaying. (Phil Karn raises the same point here)

Most of the public attention has focused on the fourth point: that ISPs should actively shut off people's zombied PCs. Response has generally been fairly positive (see the NANOG thread here) and my intuition is that this is a good idea. To a great extent, spam is enabled by poor end-user system security and since the cost to the end-user of being a spam zombie is comparatively low, we have a classic public good sitution, with the public good, in this case being systems security, being underproduced. Giving users a reason to keep their systems secure (in order to keep being able to send mail) helps give them the proper incentives.


May 27, 2005

Wired News reports (unsurprisingly) that DHS expects international travel to require fingerprints or iris scans in the near future. If, like me, you're skeptical this will prevent terrorism, but concerned about privacy, you should probably prefer iris scanning to fingerprints. Iris scanning is a pure authentication technology with no real forensic uses: if the feds have your iris code, all they can do is determine whether a new scan matches the stored scan. By contrast, as everyone who watches CSI knows, you leave your fingerprints everywhere you go, so even if you're not scanned in real time, you're leaking personal information everywhere you go.

I try not to think about what it's going to be like when the feds want to use DNA-based biometrics.


May 26, 2005

Debugging end-user Internet failures is a big pain for consumers and ISPs alike. Typically when you call up your ISP, the first thing they want you to do is reboot your computer, turn off your firewall, etc. This consumes enormous amounts of end-user and help-desk time. Even if the problem ultimately turns out to be something totally out of the ISP's control (e.g. browser misconfiguration) it still costs the ISP quite a lot of money to determine that (I've heard numbers around $10/call). Worse yet, from the consumer's perspective, it can take hours and several escalations to convince the ISP that the problem is on their end (No, the net's not working. No, the D and B channel lights don't work. In fact, there's no tone at the MPOE, so it's pretty clearly your problem.)

Now, these debugging procedures made some sense in the days of modems, but if you have broadband, you almost certainly have some kind of modem/router/bridge, etc. Put an LED on the front labelled "Internet is working". The device monitors the status of the network in a bunch of ways:

  1. The status of the link (most devices do this already).
  2. The nameserver works (this is often configured in, but the device can determine it from which nameservers the user's computer uses).
  3. The first hop gateway is accessible.
  4. Some assortment of remote hosts (controlled by the device manufacturer) are reachable.
If everything is good, the LED is green. If it's not, the LED is red. If it's green, don't bother calling your ISP, because there's nothing they can do. If it's red, the ISP doesn't need you to reboot the computer, turn off their firewall, etc. because the problem's on their end.

Obviously, this works best if the ISP is purely in the packet carrying business. If they provide integrated service, e.g. E-mail, VoIP, etc., then those services can be broken even if the basic Internet connection is broken. Even in these environments, though, a system like this would speed up debugging, since you could eliminate network problems right away.


May 25, 2005

It appears to be standard practice for westerners travelling to Southeast Asia (and other places, for all I know) to be prescribed Cipro as a "just-in-case" measure, in particular for serious traveller's diarrhea. However, there are two obvious ways this can go wrong:

First, a large fraction of travellers get some kind of GI problem. Since you have the Cipro (and it expires relatively quickly), it's tempting to take it just to be sure. (Note that Cipro can of course cause its own GI problems, but people often don't know this). Of course, most people don't get bad traveller's diarrhea, so instead of taking the Cipro while on vacation, they just bring it back with them. That's not a problem if it just sits on the shelf, but it's very common for patients to pressure doctors for antibiotics in a futile attempt to cure colds, flu, etc. I wonder how they behave if they happen to have some Cipro lying around.

My friend Kevin suspects that the second form of overuse isn't likely to be much of a problem: sure, people are likely to overuse something like amoxicillin, but Cipro seems high-powered and scary, so he argues that most people won't take it without direct instruction. I'm not so sure. As always, actual data is welcome.


May 24, 2005

Terence Spies pointed me to this article on a Wachovia/BofA security breach:
"We are getting calls from those who are concerned, which is understandable," she said. "When we tell them what we are doing, they are relieved."

Zisa has said Orazio Lembo Jr., 35, of Hackensack, made millions of dollars through the scheme but spent most of it on a fast-paced lifestyle.

Authorities discovered the plot after they executed a search warrant at Lembo's apartment in February as part of a separate investigation. They seized 13 computers which contained details about the plan, Zisa said.

Lembo received lists of people sought for debt collection and turned that information over to the seven bank workers, who would compare those names to their client lists. The bank workers were paid $10 for each account they turned over to Lembo, Zisa said.

This kind of thing is already old news, but this is the first time I've actually seen the price per account listed: $10. Of course, in a competitive market, the price of a commodity quickly declines to the marginal cost of production....

One of the things that's been puzzling infosec types for a long time is why malware is so lame. Typically it just propagates itself and any damage is purely collateral as a side-effect of spreading. It would be easy to do something destructive, so why doesn't it happen more. (Witty is the one well-known counterexample).

Thus, it comes as something of a relief to see some malware that actually mounts a sort-of-interesting attack:

Washington - Computer users already anxious about viruses and identity theft have a new reason to worry: hackers have found a way to lock up the electronic documents on your computer and then demand $200 (about R1 200) over the Internet to get them back.

Security researchers at the San Diego-based Websense uncovered the unusual extortion plot when a corporate customer they would not identify fell victim to the infection, which encrypted files that included documents, photographs and spreadsheets.

A ransom note left behind included an e-mail address, and the attacker using the address later demanded $200 for the digital keys to unlock the files.

Apparently in this case they managed to decrypt the data somehow, but it's merely a matter of time till the viruses get good enough to stop that (hint: public key cryptography).

As always, don't panic. This is just a particularly annoying kind of hard drive crash (actually better in some respects since you have the opportunity to get your data back for $200. The going rate for standard hard drive failures seems to be more like $300-400.) Anyway, the solution is the same: backup your computer.1

1 I've heard suggestions of malware that will contaminate your backups for weeks before finally destroying your data, but I wouldn't expect to see that any time soon. Still, a good reason to do test restores.


May 23, 2005

So, let me see if I have this right: in return for the Republicans "agreeing" not to use the nuclear option in return for the Democrats agreeing not to filibuster Brown, Owen, and Pryor. [*]. Maybe I'm missing something, but weren't Brown and Owen the nominees that the Democrats found most objectionable? The dignity of the senate aside, the purpose of the filibuster from the Democrat's perspective is to allow them to block senate action they don't like. There's not a lot of point in preserving the right to filibuster if you can't actually use it.

This would be a plausible-seeming compromise if the Democrats had extracted a real commitment but it doesn't seem to me that they have:

But Republicans said they are free to back a ban if they believe Democrats act in bad faith and filibuster a nominee whose credentials do not amount to an "extraordinary" circumstance. "We don't think we're going to get there," said Sen. Mike DeWine (R-Ohio), adding that he will not hesitate to vote to ban judicial filibusters if he concludes the Democrats are abusing the right.

How is this not complete capitulation by the Democrats?

Mrs. Guesswork just got an offer to:
join President Bush, Laura and the entire Republican Congressional leadership as they gather on the evening of June 14th here in Washington D.C.
For a small donation to the National Republican Senatorial Committee and the National Republican Congressional Committee of course... And will you allow all of us to recognize and honor the important role you have played over the years?

There's just one minor problem here. Mrs. Guesswork definitely hasn't played any important role in aiding President Bush, because.... Mrs. Guesswork isn't a U.S. Citizen or Permanent Resident and so couldn't donate any money to the the Republican National {Senatorial,Congressional} Committee even if she wanted to. If you're wondering how that guy on the terrorist watch list got hit up for money by the Republicans, you've pretty much got your answer: bad mailing list hygiene. On the other hand, isn't it kind of comforting that the Republicans don't have--or aren't using--your personal information to scrube their mailing list?

H. Allen Orr from U. Rochester has a very nice piece disassembling Intelligent Design. Also, check out his review of Behe's Darwin's Black Box.
Terence Spies pointed me to this article about the Creation Museum, devoted to countering "evolutionary indoctrination". Check out the Museum Walkthrough, including exhibits on the Garden of Eden, T. Rex menacing Adam and Eve, and Noah's Ark. Outstanding!

May 22, 2005

NYC has decided not to ban photography in the subway after all. Of course, they still "will continue to investigate and intercede if necessary, if the activity photo-related or not is suspicious." I'm not counting on the NYPD having that great a sense of what's suspicious, but this is still better than a total ban.
Watching Howard Dean on Meet The Press

Dean: Some of the things the president said on our way into Iraq. They just weren't true and I don't think that's right.
Russert: Such as?
Dean: Such as the weapons of mass destruction, which we have all known about.
Russert: You said there were weapons of mass destruction.
Dean: I said I wasn't sure, but I said I thought there probably were. But the thing that really bothered me the most, which the 9/11 commission said also wasn't true, is the insinuation the president continues to make to this day, that Osama bin Laden had something to do with supporting terrorists that attacked the United States. That is false. The 9/11 commission chaired by a Republican said it was false. It is wrong to send people to war without telling them the truth. And the truth was that Osama bin Laden was a very bad person who was doing terrible things, but that Iraq was never a threat to the United States. That is the truth. It was underlined by the 9/11 commission, headed again by a Republican--well respected group of people--I don't think you send American men and women to war, first of all without properly equipping them, and secondly without telling the truth to their parents about why it is you're asking [them] to make that sacrifice. So, those are the kinds of things that I think are very bad about the Republicans.

Russert doesn't seem to catch the error. Obviously this is just a verbal slip, but it kind of undercuts your message about Bush falsely accusing Saddam Hussein if you yourself can't keep him and Osama bin Laden separate.


May 21, 2005

Sit down and watch TV or even your average movie and notice how terrible most of the acting is. Obviously, there are a few great actors (De Niro, Brando, Hugh Laurie, etc.) who really seem to be the character they're playing, but most of the time it's acutely obvious that the actor is faking. (Mrs. Guesswork likes to watch Charmed where this feature is particularly in evidence.) Consider some potential theories for the low quality of acting:
  1. It's incredibly hard to actually fool other humans, so even the best actors aren't very convincing. So, while the market may be efficient, there just aren't enough good actors for all roles to be filled by convincing actors. I'm skeptical of this theory because people seem to get regularly fooled by all manner of con-men, fraudsters, etc. (Required reading: Influence: Science and Practice by Robert Cialdini.
  2. The market is efficient but it's selecting for some factor other than pure acting talent--being very attractive, for instance. If you watch a lot of evening TV (e.g. The WB) this seems like a plausible theory, but consider that the number of attractive people far exceeds the number of actors, so this really brings us back to option 1, there aren't enough attractive people who are also good actors.
  3. The market isn't efficient, but is mostly driven by factors other than actor quality, e.g., nepotism, ability to convince directors you are easy to work with, etc. So, unsurprisingly, you end up with a lot of bad actors who are well-connected. The fact that so children of actors often become actors themselves is sort-of evidence for this, but it could also be a result of those children being on average better actors than other people, so this isn't exactly what you'd call absolute proof.

Any other theories?


May 20, 2005

Radley Balko's been doing a good job of covering the DEA's war on pain specialistsnarcotics diversion. See here, here, and here. It seems pretty likely that the DEA's prosecution of pain specialists is causing chronic pain to be undertreated:
The charges against Deonarine and other deaths involving OxyContin have had a chilling effect on doctors who treat chronic pain patients, according to Dr. Pamela Sutton, a pain management specialist with the North Broward Hospital District. One doctor told Sutton that he would only give the drug to patients in the hospital, while another said he would not prescribe it to anybody.

The problem, of course, is that chronic pain patients tend to develop a tolerance for opioids and so will eventually require enormous doses, which would be consistent with abuse in normal users. So, it's very hard to tell purely from dosage whether appropriate levels of opioids are being prescribed. If the DES is going to second-guess doctors, this is naturally going to make them very unwilling to prescribe high-dose therapy, leaving some patients undertreated.

It probably goes without saying that I think that the whole idea of the DEA second-guessing the opioid prescriptions doctors write--indeed, the whole notion that doctors should be expected to distinguish between drug-seekers and people in genuine pain--is absurd. However, I despair of the United States getting over it's national hysteria over drugs any time soon, so it's time to think about harm reduction.

What we need is some procedure that would let doctors prescribe high doses while being reasonably sure they weren't going to be arrested. The obvious approach is to have some scheme where doctors get prior approval for prescriptions above a certain level, either from the DEA or from some panel of other doctors. Doctors who followed that procedure would be exempt from prosecution resulting from writing those prescriptions. If the DEA is really sincere about allowing appropriate pain therapy while stopping diversion, they should be willing to embrace such a scheme.

No doubt by now you've heard the Quran-in-the-toilet Newsweek article. Now, stories about US interrogators exploiting Islamic taboos are old news, but there's something sort of interesting about this particular one. Most of the stories center on forcing prisoners to personally violate religious prohibitions, such as contact with pork, menstrual blood, etc. Note in particular that a number of these trigger disgust reactions.

But in this case, what's happening is that the prisoner is being forced to observe someone else desecrating the Quran, not being forced to do it themselves. This isn't a simple matter of taboo violation: you wouldn't expect prisoners to react that badly if the interrogator walked in eating a ham sandwich. Rather, I think the point here is that the interrogator is showing disrespect for Islam.

This technique also seems to rely for effect on the interrogator/torturer not being muslim; what's enraging about the desecration of the Quran is that it's an expression of contempt for Islam by the interrogator. and that effect is lost or at least weakened if the interrogator is known to be muslim, since then the desecration is purely a matter of violating a taboo, not really expressing contempt--except maybe fake contempt.

OpenSSL has just released OpenSSL 0.9.8beta1, which includes support for Datagram TLS, thanks to Nagendra Modadugu and Ben Laurie.

May 19, 2005

Yet another vulnerability in TCP implmenetations has been published. Like the previous two, this allows a blind attacker to shut down a given TCP connection. As before, this really only affects long-lived protocols like BGP. So, while this could, I suppose crash the Internet (though there are by far easier ways to do so) it's probably not something you personally have to worry about.

May 18, 2005

Mark A.R. Kleiman says that NSA captures pretty pretty much all voice traffic and then sifts through some of it later:
The only rational explanation I can invent is that the NSA's habit of catching everything that flies, while an open secret, is still officially a secret. And the practice, however legitimate, is almost certainly technically illegal.

The wiretapping laws treat a conversation as having been "intercepted" (and, if it's a conversation between U.S. persons and no Title III warrant has issued, illegally intercepted) when the conversation is recorded, not when the record is transcribed. So if, as widely reported, the NSA records everything but only transcribes the international traffic it's legally entitled to listen in on, it's probably violating the letter of the law every day. I'm told that there is, as a technical matter, no way to intercept only conversations that cross national boundaries. Maybe Title III needs to be amended.

If you're a networking type, the obvious question is how practical this is.

First, we need to estimate the total amount of data involved here. I'm having trouble finding statistics on total wireline minutes (the FCC's stats are here but they only have minutes for InterLATA calls), so let's start with wireless, for which we can get good statistics):

Mobile Wireless Telephone Subscribers (June 2003)147.6 million
Average Monthly Wireless Minutes of Use (Dec. 2002)427

This works out to about 5,000 cell minutes per year.

  • At a typical data rate of 10 kilobits/second half-duplex, this works out to 4*108 bytes per person per year.
  • At current hard drive prices of approximately $1/GB, this works out to about $0.32/person-year, or about $50 million/year for all the storage.
  • Magnetic tape is more like $0.10/GB, so we're looking at more like $0.03/person-year.

So, the storage cost is extremely practical, but let's ask what the cost of the recording equipment is.

  • 5,000 cell minutes/year/person and 150 million subscribers is 7*1011 total minutes used per year.
  • At 500,000ish minutes per year, that's 1.3 million simultaneous calls.
  • At 10 kbits/second per call, this gives us about 1010 bits/second of aggregate traffic.
  • Antonelli et al. (2002) describe how to build a capture system that will run at about 100 Mbps. The equipment they use (dual PIII 866s) is fairly slow by modern standards, and I expect you could build a similar system for order $1k today. To capture all wireless traffic, you'd need about 100 such systems for a total cost of around $100,000. Pocket change.
  • I'm not counting tape drives here, which run about $4000/unit, but even so we're talking about a million, even with some overhead for peak capacity.

Obviously these are back of the envelope estimates:

  • We're only counting wireless calls. So, multiply by 2-5.
  • We're assuming constant data flow, whereas real phone calls contain a lot of silence
  • We're not counting the equipment to actually capture the traffic. If these are network connections, it's just simple network sniffing equipment, so figure a few thousand per unit. Of course, that means that you have the cooperation of the providers. If you don't and you're capturing the traffic out of the air, figure some additional fixed cost for the actual radio receivers. This might bring your fixed cost up to $10-$50,000 per unit. Even so, we're probably talking less than $100 million in fixed costs.

Bottom line, you should be able to tap all voice traffic in the US for order $100 million in fixed costs and maybe another $100 million in recurring equipment costs. The NSA's budget is reportedly around 3.6 billion.

UPDATE: Richard Akers is skeptical that the NSA actually records all voice traffic (see the comments section). I'm not saying they do, since I have no independent information here. I'm just saying that as a pure matter of cost it's fairly doable.


May 17, 2005

If you can, try to avoid having a root canal. If you must have a root canal, try to avoid having it in a molar at the very back of your mouth. Trust me on this one.

May 16, 2005

Yahoo news reports that
The Army, faced with a severe and growing shortage of recruits, began offering 15-month active-duty enlistments nationwide Thursday, the shortest tours ever.

The typical enlistment lasts three or four years; the previous shortest enlistment was two years.

Maj. Gen. Michael Rochelle, the head of the Army Recruiting Command, said 2006 could be even worse than this year, a continuation of "the toughest recruiting climate ever faced by the all-volunteer Army."

Recruits in the new 15-month program could serve in 59 of the more than 150 jobs in the Army, including the combat infantry, and then serve two years in the Reserve or National Guard.

They would finish their eight-year military obligation in the Guard or Reserve, volunteer programs such as AmeriCorps or the Peace Corps, or the Individual Ready Reserve, a pool of former active-duty troops who can still be called to duty but aren't affiliated with any military unit.

Wait, isn't the army already extending people's enlistments? In order for a reduced enlistment to be attractive, it seems they would need to be able to credibly commit not to extending the terms of these new enlistments.

Matthew Yglesias argues on tactical grounds that liberals should concede some minor issues to the religious right:
Now the poll doesn't directly state what about the Christian right is well regarded if its stance on abortion isn't. It does, however, provide at least two examples of Christian right caucus that, unlike abortion restrictions, really are popular. One is letting public schools teach creationism along with evolution. Another -- and this one, unlike the evolution thing, is really wildly popular -- is putting the ten commandments up in public buildings. You should look at the data yourself and see exactly how popular this is, because I think a lot of readers will have trouble believing it. Public support is totally overwhelming, opposition is very much a marginal view. But opposition is highly concentrated in a single politico-demographic group that Pew rather unhelpfully labels "liberals." These liberals don't exhaust what we normally think of as the category of liberals. Rather, it's people like me -- white, reasonably prosperous, highly educated, secular folks. That describes me, the vast majority of people I know, and probably describes the vast majority of my readers and the vast majority of the people we know. Our views on lots of stuff are perfectly mainstream and, even where not always held by most people are at least broadly present in America. But not about the ten commandments. It's just us. Other sorts of Democrats are against us. Swing people are against us. Republicans are against us. Overwhelmingly.

If you ask me this and related issues would be fruitful areas for compromise. I wouldn't say posting ten commandments on public buildings is a good idea. It strikes me as slightly silly, mildly wasteful, and vaguely offensive. But it's honestly not a big deal. Abortion and reproductive rights matter. A lot. So does trying to maintain forward motion on the gay rights front. So do the basic economic issues, so does foreign policy. Ten commandments? "Under God" in the pledge of allegiance? Taxpayer dollars financing Christmas displays in the town square? That stuff doesn't really matter. I'd be happier were it otherwise, but if that kind of token gesture toward the concept that this is a Christian (or, as they say, "Judeo-Christian," whatever that means) country is what it takes to get support for a progressive political agenda, then sign me up. And I think most liberals will agree with me on that. The location of stone slabs is, like the precise number of bullets you can put in your ammo clip, not something that's worth losing elections over. Now where I'll probably lose your support is when I say that I don't even really care about the school prayer question, but speaking from experience I was forced to engage in sectarian Christian prayer in my (non-public) school and it was fine.

Now, it's perfectly clear from the Pew data that Matt cites that there's a lot of support (75%) for posting the 10 commandments and I'm willing to concede that whether the 10 commandments are posted in school is relatively small beer (though I don't think I agree about creationism), but the argument that this is a good idea depends on the assumption that moving a little bit towards the religious right will pick up that much support for Matt's progressive agenda. This seems to me to sort of implicitly assumes that there's a vaguely bell-shaped curve with the median centered somewhere around the question of whether the 10 commandments should be displayed, so that changing one's position would let you pick up a substantial number of votes.

But if it's for instance, bimodal, with 75% of the population wanting to have mandatory prayer in schools and the other 25% being against any religious displays. In that case, budging a little bit on the 10 commandments isn't going to gain liberals any significant amount of support at all. With this distribution, unless you're willing to concede on mandatory school prayer, which I doubt most liberals are, there's no set of moves along this axis that buy you much. Now, I'm not saying that I know which distribution this country has. Unfortunately, the Pew data doesn't really let us distinguish them. But wouldn't you want to know before making this kind of tactical compromise?

You can find the slides from my talk at the Information Security Decision Conference in Chicago: "What can the evidence tell us about information security?" here.

May 15, 2005

I spent some time cruising the Intelligent Design Network site. The last few grafs of William Harris and John Calvert of the Intelligent Design Networks's Intelligent Design: The Scientific Alternative to Evolution provide a clue to the quality of the reasoning and what the IDN thinks the stakes are:
Did God create us or did we create God? Do we have inherent purpose or are we free to define our own purpose? The answers to these questions are key to any discussion of ethics. The late Professor William Provine helps us understand the deeper implications of a naturalistic, materialistic, and Darwinian worldview.
First, modern science directly implies that the world is organized strictly in accordance with mechanistic principles. There are no purposive principles whatsoever in nature. There are no gods and no designing forces that are rationally detectable. Second, modern science directly implies that there are no inherent moral or ethical laws, no absolute guiding principles for human society&. The conflict between science and religion is to the extent that persons who manage to retain religious beliefs while accepting evolutionary biology have to check their brains at the church-house door.71
Is Provine right or wrong? If one takes for granted that natural phenomena are not designed, he is logically correct. That is because purpose only derives from a mind that has the capacity to arrange future events for a purpose. Law and chance simply do not have the capacity to contemplate the future and aim at a goal.

Accordingly, a Darwinian or evolutionary worldview has profound ethical implications that are diametrically opposed to those flowing from a theistic worldview. Ethical decisions dramatically depend on whether we are or are not designed for a purpose. For example, we have a natural reluctance to act contrary to the plans and purposes of another mind absent a rational and reasonable justification. A land developer who discovers an ordered assemblage of stones in a field that appears to be an ancient graveyard would pause and reflect before he moved them. He would at least consider the implications before he violated the clear intentions and purposes of an ancient civilization. But if the stones were simply strewn willy-nilly across the field due to a flood or avalanche, he would without a thought bulldoze them into a ditch.

Similarly, if life is an accident, why not alter it to suits our needs? If we can, why not make human clones? Why not abort unwanted children? Why not euthanize the "useless" Why not end a challenging marriage? Why not cheat on our taxes? Why not "steal, kill, and destroy?" Ordinary people intuitively recognize that with no overarching, inherent purpose in life, anything that is consistent with the purposes created in our own minds is acceptable. "If there is no God, all things are permissible."72 However, if (and there is no bigger if) life is not just an accident or occurrence, but is something that has been designed and made, then life must have an inherent purpose. If purpose pervades life, then we pursue actions contrary to that purpose at our peril. Manipulating our genes to produce "designer humans" may conflict with an intended but currently unknown purpose of standard procreation and may result in disasters unimaginable. How extensively should we tinker with life when we do not know its intended purpose?

The bioethical implications of ID are clear, not only for individuals, but for culture as well. Who will tell us whether we should clone humans, traffic in human organs, inflict capital punishment? Who will sit at the head of the cultural table? Who is even allowed at the table? Naturalistic science tells us that it will provide the "facts," and it will tolerate theologians and philosophers as they opine about purpose and meaning. But materialistic science has already concluded that there is no inherent purpose in life, so what true role remains for religion? Why give any credence to individuals who have deluded themselves into the false notion that life has purpose? They are like the couple that must be invited to the party for political reasons but whose quaint views are ignored. What if life really is designed and truly has purpose? What then for science? If so, then religion not only deserves a place at the table, it may deserve to be at the head.

71William Provine, "Evolution and the Foundation of Ethics," MBL Science 3.1 (1998); 25-29
72Fyodor Dostoevsky, The Brothers Karamazov (Cutchogue, NY; Buccaneer Books, 1996).

Winston Smith does a pretty good job of demolishing the claim that God is needed to provide morality (the Divine Command Theory) here (read the whole thing):

Though there's no time now for me to go through the failings of the DCT in detail, let me just end on this note: The DCT is simply moral subjectivism writ large. The DCT proper is merely divine subjectivism (or an individualistic version of divine relativism, if you prefer). According to the pure form of the DCT, right acts are right and wrong acts are wrong merely because God says that they are. There is no rhyme or reason to morality, no objective reason that murder is wrong, no reason that God cannot change his mind tomorrow and make genocide and rape not only permissible but obligatory.


So no sensible theist is a divine command theorist. But if a theist is not a divine command theorist, then he has no philosophical advantage over anyone else. A theist who is not a divine command theorist believes that right acts are right for some reason other than God's commanding them. Consequently, such a theist still faces the task of understanding and explaining why right acts are right. If God's commanding them doesn't make them right, then something else does--and the theist is in no better position to figure out what that is than the rest of us are.

Actually, the situation is rather worse for Intelligent Design because ID doesn't get you all the way to belief in God as the proximal cause of our existence. Even if you accept the basic principle of ID, namely that our existence (and the existence of all the extant species on Earth) is so improbable that it can't have occurred by evolution but must rather have been designed, that only demonstrates that there must have been some designer, not that that designer is God. And even if you subscribe to the DCT, that doesn't mean that that theory necessarily extends to any arbitrary designer.

To sharpen this point, consider the following thought experiment. Suppose we finish processing the entire human genome and somewhere in the junk DNA on chromosome 15 is the sequence "Designed on Alpha Centauri by Genomic Systems, Ltd., All Rights Reserved." Moreover, the genomes of every other species we sequence contain similar copyright notices. So, it's pretty clear that we were designed by some bug-eyed monster living on Alpha Centauri. So far so good, except that said bug-eyed monster shows up and informs us that we were designed to serve as a cheap source of food for Alpha Centaurans, who love the taste of human flesh (it's a cookbook!!!!).

So, we know what our purpose was... to be a tasty source of protein. The DCT theory (and that espoused by Harris and Calvert and the IDN) indicates that we ought to go along with this purpose and offer ourselves up for fricasseeing. This doesn't seem like a very attractive outcome, and I rather doubt that Harris and Calvert would be the first in line to the slaughterhouse.

You can try to bypass this fairly disturbing conclusion by arguing that the Centaurans themselves must himself have been designed by some designer (ID arguments again), that that designer was God, and that having humans served as tasty appetizers is contrary to God's purposes. I.e., it's not the proximal designer's purposes that matter but that of the original designer (God). There are (at least) two problems here:

  1. We don't know that ID arguments actually apply to the Centaurans. The current ID arguments rely fairly heavily on the current structure of Earth-based life forms, the fossil record, etc. Maybe the Centaurans are constructed in such a way that these arguments don't work and so they weren't actually designed. After all, the ID argument depends on God not having being designed in order to avoid infinite recursion.
  2. Even if the Centaurans were themselves designed, it's not obvious that they were designed by God. Maybe they were designed by some other kind of aliens, who were themselves designed by aliens, etc. How many levels of indirection do we have to have before its the purposes of the proximal designer that count rather than the original designer? And how, exactly, are we to access the purposes of the nth-order designer when all of our contact is with the Centaurans, who, as mentioned before, want to turn us into appetizers?

So, even if ID is correct (and as far as I can tell it's more or less without merit), it isn't sufficient to demonstrate any reasonable kind of more principles.

Creationists are fond of arguing that we've never observed speciation and that this casts doubt on evolution. For instance:
Darwinism's claim that new species arose from very gradual changes from older species is not observable either because the process is so slow that no one can live long enough to see it happen or because we have yet to fully understand the biochemistry which actually is the source of change. Accordingly, both theories rely upon indirect evidence.

Actually, there's a simple example of a single mutation which simultaneously renders the new organism unable to interbreed with the wild type (a common definition of species) and confers enormous reproductive advantage: navel oranges. Navel oranges are generally seedless and so can't easily breed with ordinary oranges. Navel orange trees are propagated by grafting (actually, most oranges are propagated by grafting, though in principle non-seedless oranges can be bred).

There's a natural tendency to argue that this doesn't really count because it's not natural. But there are lots of species which can't reproduce without the help of other species, either voluntarily (plant pollination by insects) or involuntarily (malaria). This is just a case where the organism has convinced humans rather than some other animal to assist in its reproductive strategy.


May 14, 2005

News.com reports that the MPAA is preparing a bill to give the FCC the authority to impose the broadcast flag:
The draft bill says, simply, that the FCC will "have authority to adopt regulations governing digital television apparatus necessary to control the indiscriminate redistribution of digital television broadcast content over digital networks." The District of Columbia Circuit nixed the flag on the grounds that the FCC didn't have the authority. This language would clear that up.



May 13, 2005

Savannah cats aren't the only exotic breed. The Exotic Cat Network has a list. Toygers are probably the coolest. They're cats designed to look like miniature tigers. The story of their development makes quite interesting reading.

Credit: Pointer by Terence Spies.

Eu-Jin Goh pointed me to this NYT Article about the growing popularity of Savannah Cats: a cross between an African serval wildcat and domestic house cats (list of breeders here) that is about twice as big as an ordinary domestic housecat:

Savannahs (like many other wild animal crossbreeds) are illegal in a lot of places, but for reasons that aren't entirely clear. There's a fear that they're dangerous (servals, of course, are) though there aren't any known cases of Savannahs attacking people. The following passage gives you some of the flavor of the controversy:

That's not the way State Senator Carl L. Marcellino of Syosset, N.Y., sees it. Mr. Marcellino, the Senate sponsor of the state's exotic pet law, objects to the Savannah cat as something alien to the animal universe.

"Breeders are creating animals for commercial purposes that would never exist in the natural world," he said. "These hybrid species are threats to the environment and potentially to the families who think they are buying a family pet and could be purchasing a wild animal."

The Savannah cat has caused a stir about what makes an acceptable pet even among the largest and best known cat enthusiast groups.

"I'm told they're very loving, but I'm not sure I believe it," said Carol Barbee, the president of the American Cat Fanciers Association, which does not recognize the Savannah in its official registry. "We do not want to support designer breeds for the fad pet market."

Some Savannah owners are fighting for their rights with ammunition from another group, the International Cat Association, which does recognize the Savannah as a breed.

"They are the sweetest most gorgeous things you've ever seen," said Leslie Bowers, the association's business manager. Dr. Carolyn McDaniel, a consultant with the Cornell Feline Health Center, said that while Savannahs are popular across the country, she has noticed that they have become particularly alluring to city dwellers. "It's amazing to me that apartment dwellers are frequently the owners of these large semiwild cats," she said.

"I think they're beautiful," Dr. McDaniel added, but "I'll watch them on the nature channel."

In the face of all this talk about how unnatural Savannahs are, it's easy to forget that modern domestic animals don't really exist in nature either. I don't know too much about the direct ancestors of domestic cats, but dogs, descend from wolves, which you wouldn't want to keep as any kind of pet. Yet, there are plenty of dogs with very sweet dispositions (and of course others which are vicious). This isn't to say that Savannahs aren't dangerous--I've heard some negative things about wolf hybrids, for instance--but that's a question to be answered empirically. The mere fact that they're a hybrid doesn't really tell you much at all.


May 12, 2005

NISCC has published a vulnerability which could allow the disclosure of information in IPsec. The attack works when data is encrypted but not authenticated. The attacker intercepts an encrypted message, damages it,1 and forwards it to the recipient. When the recipient receives the damaged packet, it responds with an ICMP message containing the beginning of the decrypted (but damaged) packet.

This only works under two conditions:

  1. When the IPsec implementation is configured not to encrypt ICMP messages.
  2. When authentication isn't being used.
The key point is the second. When authentication/message integrity is used, the IPsec stack is supposed to discard damaged packets without generating an ICMP message, in order to protect against exactly this kind of attack (this is a classic crypto error).

One of the general rules of thumb in designing communication security protocols is that you should always use authentication when you use encryption. It's not that there is no safe way to use encryption without authentication/integrity, but just that there are a number of ways it can go wrong, so it's better to be safe. IPsec doesn't require you to use authentication/message integrity, but it's recommended practice.

That said, it's not clear how great the impact of this attack is. All IPsec stacks should let you turn on authentication/integrity and in my experience most people do use it. So, I wouldn't expect this to be a big source of disclosure of secret information.

1. Damaging it correctly turns out to be kind of tricky.


May 11, 2005

After reading Nick Weaver's post about export regulations for supercomputer use, you might ask yourself "How does the BXA decide what a supercomputer is, and why are they export controlled anyway?" As I understand the situation, there are certain design processes--chiefly those for advanced nuclear weapons, but also hydrodynamic simulations such as are used for propulsion screws--which require large amounts of computational power. Denying bad guys this kind of computing power makes it more difficult for them to design nukes, propellers, etc.

As computers's get faster, the level of computing power that qualifies a device as a supercomputer keeps going up. Back in 1994, it was 1,500 \ MTOPS (easily achievably by modern desktop computers). Now, it's 190,000 MTOP\ S. This is obviously necessary because otherwise we'd have the situation where Dell couldn't export their standard desktop machines. But here's the problem with this: just because computers are getting faster doesn't mean that the problems that we're trying to prevent bad guys from solving are getting any harder; the fact that a machine which was suitable for designing nukes in 1996 is now obsolete doesn't make it substantially less usable for designing nukes today. So, what are the important defense applications that require greater than 190,000 MTOPS?


May 9, 2005

In the process of complaining that PSP binaries are signed, Wonderland delivers this gem:
Open and/or free always bests closed and/or expensive. Sony should have learned this when they chose ATRAC over mp3 - and look how much that cost them: far more than pirates ever could have. I guess this means no homebrew games running off the sticks then. *pout*

No kidding? I guess that explains why Linux and OpenOffice are the dominant office productivity systems and Windows and Office are relegated to the sidelines.


May 8, 2005

I recently had some cause to research leading causes of death and found the excellent CDC WISQARS system. This includes nifty tools for exploring

Here are some interesting data points:

Top 5 causes of death overall (US, 2002)
Heart Disease (696,947)
Malignant Neoplasms (557,271)
Cerebrovascular (162,672)
Chronic Low Respiratory Disease (124,816)
Unintentional Injury (106,742)

Top 5 causes of death ages 25-34 (US, 2002)
Unintentional Injury (15,412)
Suicide (5,219)
Homicide (4,489)
Malignant Neoplasms (3,872)
Heart Disease (3,165)

Top 6 causes of death by years of potential life before age 65 (US, 2002)
Unintentional Injury (2,159,266)
Malignant Neoplasms (1,903,274)
Heart Disease (1,434,511)
Perinatal Period (924,364)
Suicide (666,398)
Homicide (579,268)

Over 50% (1,166,780) of the years lost due to Unintentional Injury are due to motor vehicle injuries. If we counted it as a separate category it alone would be the third leading cause of death. Drive carefully, folks.

Congress is poised to pass the RealID Act real soon now. Basically RealID requires the states to produce a standardized drivers license and to positively identify you (including your SSN) before they issue it to you. The driver's license will have some sort of machine readable portion though what kind is uncertain: DHS will be setting the details, so it could be magstripe, bar code, or RFID. Finally, the states will ahve to link up their databases.

Like many of my colleagues, I'm not super-excited about this. I hate having to show ID and proving my SSN doesn't sound like fun--I don't even know where my social security card is. The RFID feature could be a real mess (see previous comments about RFID passports), and I don't see how this is really going to protect us against terrorists. On the other hand, I don't really see that this is the disaster that some people claim.

For instance, here's the list of complaints from Bill Scannell's UnrealID.com site.

1. Dead Cops.

The Real ID Act requires that you give your permanent home address: no PO boxes; no exceptions. What about judges, police, and undercover cops? Oops!!! Hey Senators, let's endanger our police and judges!!!

I'm pretty skeptical of this argument. Maybe that's what the law literally requires, but laws aren't software. If the states really want to issue false IDs, there will be a way to do it. Either (1) this is actually permissible under RealID (2) they'll ignore the law or (3) the law will get fixed. There's no constituency in favor of making it difficult for undercover police to operate. That said, I'm not particularly in favor of judges or police (other than undercover police) having an easier time lying about their address than I do.

2. Stolen Identities.

Our new IDs will have to make their data available through a "common machine-readable technology". That will make it easy for anybody in private industry to snap up the data on these IDs. Bars swiping licenses to collect personal data on customers will be just the tip of the iceberg as every convenience store learns to grab that data and sell it to Big Data for a nickel. It won't matter whether the states and federal government protect the data - it will be harvested by the private sector, which will keep it in a parallel database not subject even to the limited privacy rules in effect for the government.

If business really want to swip the personal data off of your driver's license, there's nothing really stopping them from doing it now. There are only 50 states and each has a standardized license. An OCR scanner that read the data off the license would really be quite easy to construct--certainly much easier than a business card scanner. Better yet, many states already have machine readable licenses. California, for instance, has a mag stripe. Sure, having less diversity would help, but given the wide availability of mag stripe readers and bar code readers, I can't imagine that a universal scanner would cost more than about $1000--hardly enough to break the bank at most businesses. Sure, it would be easier if things were uniform, but I doubt that that would make enough of a difference to allow universal data collection. This argument would make some sense if RealID requires more information on the card than is on current drivers licenses, but as far as I can tell, that's not true.

3. Government Spying.

Real ID requires the states to link their databases together for the mutual sharing of data from these IDs. This is, in effect, a single seamless national database, available to all the states and to the federal government.

Now we're getting somewhere. I'm definitely not in favor of the states having their databases linked but I'm afraid the ship has already sailed on that one. That's something that's in the states interest anyway, whether it's nationally mandated or not. And of course the feds already have lots of national databases, such as those maintained by the IRS and the SSA.

4. Papers, Please. If Real ID passes the Senate, our nation will join the ranks of the old Soviet Union, Communist China, and Vietnam by issuing its citizens a national ID card. The Machine Readable Zone may come in the form of a 2-dimensional bar code - but the Department of Homeland Security, which will be crafting the regulations implementing Real ID, has made clear that it would prefer to see a remotely readable RFID chip. That would make private-sector access and systematic tracking even more easy and likely.

This national ID card will make observation of citizens easy but won't do much about terrorism. The fact is, identity-based security is not an effective way to stop terrorism. ID documents do not reveal anything about evil intent - and even if they did, determined terrorists will always be able to obtain fraudulent documents

This is a reasonable point. I certainly agree that this will do nothing about terrorism and that RFID licenses would be bad. Unfortunately, since that's at the discretion of DHS, I don't think that it's a very strong argument against RealID proper.

5. Unsafe Roads.

Once upon a time, a driver's license was a license to drive a motor vehicle. Turning driver's licenses into national identity cards will actually make our roads more dangerous: by barring illegal immigrants from getting a driver's license, Real ID means more illegal immigrants will now drive without any training or certification. Your insurance company is certain to be understanding.

I don't see how anyone who has ever actually taken a driver's test can make this argument with a straight face. I find it extremely unlikely that denying illegal immigrants driver's licenses will substantially reduce the quality of their driving. I've seen plenty of terrible drivers who nevertheless seem to have driver's licenses.

Don't get me wrong; I'm not particularly in favor of RealID. It seems to me like it's a waste of money with some potentially dangerous privacy consequences. However, I don't think it's a serious enough privacy threat to justify all the outrage that seems to be being heaped upon it. Sure, it's a national ID card, and sure that's kind of yucky in some abstract sense. I just don't see that it's that bad either. However, I'm open to being convinced. if someone has a strong argument about why I should be concerned, I'd love to hear it.


May 7, 2005

Westerners travelling to Southeast Asia have to worry about a number of different diseases that aren't common in the US and Europe. You can get vaccinated against yellow fever and take prophylactic antimalarial drugs, but there's one mosquito-borne disease that we can't do much about: dengue fever. If you're going to an area where dengue is endemic the best advice is to cover up and wear high DEET percentage insect repellent.

The reason we don't have a vaccine for dengue is rather interesting. There are four different dengue strains: DEN-1 through DEN-4. There's some evidence that if you are infected with one serotype and recover and then are infected with a second serotype, the infection is worse. As a result, a candidate vaccine needs to protect against all four serotypes. This turns out to be harder to make than a vaccine against just one serotype, though Acambis has a vaccine in development.

Credit: Linda Zadik alerted me to this issue.

I'm looking at California Interscholastic Federation bylaw 22.B.12, just passed May 6. It reads:
An athletic director, sports coach, school official or employee or booster club/support group member may provide only nonmuscle-building nutritional supplements to a studentathlete at any time for the purpose of providing additional calories and electrolytes. A school may only accept a sponsorship or donation from a supplement manufacturer that offer only nonmuscle-building nutritional supplements in their product line. Permissible nonmuscle-building nutritional supplements are identified according to the following classes: Carbohydrate/electrolyte drinks, energy bars, carbohydrate boosters and vitamins and minerals.

Forget about whether you think it's appropriate for the CIF to be trying to stop people from providing student-athletes with creatine. Doesn't this list exclude protein supplements, which are a standard training procedure and extremely safe (i.e., they're food!)?


May 6, 2005

Nicholas Weaver reports that the Commerce Department has proposed changing the export control rules in ways that would make it very difficult for non-US-born citizens in the United States to use powerful computers--including the kind of computing clusters that are fairly common in academic settings.
The Kansas Department of Education is holding hearings to consider proposed changes to the biology curriculum to discuss "challenges" to evolution. Following typical creationist tactics, the anti-evolutionists don't really specify what their alternative is. The Times hints that it's Intelligent Design but the witnesses appear to be creationists:
But the debate was as much about religion and politics as science and education, with Mr. Irigonegaray pressing witnesses to find mentions of the theories they were denouncing, like humanism and naturalism, in the standards, and asking whether they believed all scientists were atheists. He largely ignored their detailed briefings to ask each man if he believed Homo sapiens descended from pre-hominids (most said no) and how old he thought earth was (most agreed on 4.5 billion years.)

So, as I'd always understood things, the whole value proposition of Intelligent Design--the way in which it's not supposed to be simple creationism--is that it accepts evolution but denies natural selection (or at least says it's not enough) and therefore posits a creator guiding the process. The reason that this is an attractive position is that it doesn't require denying the fairly extensive fossil and biochemical evidence. The position that these witnesses appear to be arguing, that the earth is really old but that humans don't descend from pre-hominids is pretty weird.

This implies that they believe a third, intermediate, position:

  1. The earth is really old.
  2. The fossil record indicates that there are lots of species which appear to have common inheritance.
  3. The lines of apparent descent are arranged in a fairly clear chronological order (determined via radioactive and geological dating).
  4. These species aren't actually related but rather were individually created and then destroyed.

I would call this "old earth" creationism rather than "young earth" creationism, but it's still creationism--it denies evolution in favor of separate creation. It's not quite as silly as "young earth" creationism because it doesn't require disbelieving the physics, but you really have to ask yourself why the hypothetical creator would do such a thing. Was the problem that it couldn't figure out how to make a human so it had to experiment with homo habilis first?

Anyway, it seems like this is what at least some of the Intelligent Design people really believe, as shown by their proposed changes to the Kansas curriculum, endorsed by William Harris from the Intelligent Design Network.

TOPIC 1: Darwin's Tree of Life
CURRENT STANDARDS: The "descent with modification of different lineages of organisms from common ancestors... [is] documented in the fossil record."

ADDED IN PROPOSED STANDARDS: 'The view that living things... are modified descendants of a common ancestor (described in the pattern of a branching tree) has been challenged in recent years by .. (a) discrepancies in the molecular evidence previously thought to support that view; (b) a fossil record that shows sudden bursts of increased complexity (the Cambrian Explosion), long periods of stasis and the absence of transitional forms rather than steady gradual increases in complexity, and (c) studies that show animals follow different rather than identical early stages of embryological development."

TOPIC 2: Microevolution and Macroevolution
CURRENT STANDARDS: "Biologists use evolutionary theory to explain Earth's present day biodiversity... [and] recognize that the primary mechanisms of evolution are natural selection and genetic drift."

ADDED IN PROPOSED STANDARDS: "Natural selection and other processes can cause populations to change from one generation to the next, a process called 'microevolution'... Whether microevolution can be extrapolated to explain macroevolutionary changes (such as new complex organs or body plans...) is not clear. These kinds of macroevolutionary explanations generally are not based on direct observations and are historical narratives based on inferences from indirect or circumstantial evidence."

Sounds like creationism to me, with the same disadvantage that it requires denying the fossil and biochemical evidence and without the virtue that it closely follows Genesis.

From David S. Landes's The Unbound Prometheus:
No field saw greater gains in this respect than metalworking and engineering. Not only were machine tools more powerful and convenient, but the development of hard steel alloys put in the hands of the workman cutting edges worthy of the mechanical force at his disposal. The earliest of these special materials was simple high-carbon steel; it could work economically at cutting speeds of about 40 feet a minute. In the 1850's and 1860's, Koeller in Austria and Mushet in England developed tungsten, vanadium, and manganese alloys that were self-cooling, outlasted regular tool steel five or six times, and could cut 60 feet a minute. This, moreover, was under unfavourable circumstances: machines of the day were not strong enough to support the speed that the steel made possible. The discrepancy was quickly corrected, however, and by the 1890's tools had been developed that could cut 150 feet of mild steel a minute without lubricants. Finally, in 1900 F.W. Taylor and Maunsel White demonstrated their high-speed chromium-tungsten steel at the Paris Exhibition. The metal ran red-hot, yet did not soften or dull. Again, it was the machine that lagged, and heavier models had to be built, four to six times as powerful as those using carbon steel, before the possibiliites of the new metal could be exploited. By the First World War, speeds of 300 and 400 feet per minute had been achieved on light cuts, and it was common for a single tool to remove twenty pounds of waste a minute. Little wonder now, this innovation was one of the wonders of its day. One senses, reading contemporary acounts, the near incredulity of observers at seeing steel pierced and cut like butter.

In an era where practically every product you buy depends on the ability to machine precise components, it's easy to forget that modern machine tools are less than two hundred years old.

The DC Circuit Court of Appeals has ruled that the FCC exceeded its statutory authority when it required that digital TV manufacturers support the "broadcast flag" by July of 2005. Looks like you'll be able to have a digital tuner that isn't horribly crippled for a while longer at least.

May 5, 2005

Tyler Cowen raises the question of how to avoid getting tortured assuming you're willing to give up a goods. A dual of this problem that has been considered in cryptography is how to pretend to give up your key.

The context here is that you've been captured by people who have your encrypted communications. All they want is for you to provide your key so they can decrypt them. You've got to provide something (you're under subpoena or they're going to torture you.) The idea in this situation is to convince them that you've cooperated without actually giving up the goods.

There are two basic strategies here:
Throw the steering wheel out the window1: Make it manifestly impossible for you to provide the key that they seek. They can still jail you for contempt or torture you but they can't actually get the information, so anything they do to you is purely a matter of revenge or deterring the next guy.

Pretend to cooperate: Provide some fake key that nevertheless produces a plausible decryption of they ciphertext.

The throw the steering wheel out the window scheme is actually used in a number of communications security contexts, where it goes by the name Perfect Forward Secrecy. The idea is that you generate a fresh Diffie-Hellman key for each communication and destroy it after the communication is over. Your long-term key is used only for authentication so even if you give it up it doesn't do the attacker any good--and the attacker can verify this by just looking at the structure of the communication protocol.

The major disadvantage of PFS is that because both parties need to generate fresh keys, it only works well in interactive contexts like Web or telephony. In a non-interactive context like e-mail you really need to have access to the recipient's long-term key, which makes PFS fairly difficult. This is even a bigger problem with had drive encryption, where you obviously need to be able to have archival access to the data.

If you want to have encryption for non-interactive or archival data you pretty much have to have some long-term key, which you must somehow destroy if you're captured. The state of the art here, as far as I know, is to have that key in some tamper-resistant container which you can cause to zeroize, either by positive action (e.g., pressing some switch) or negative action (failing to type in your PIN at some pre-programmed interval). 2. This approach sort of works, but has a number of obvious problems:

  1. Putting your key in hardware makes it harder to move around. This is more of a problem for e-mail than for hard drive encryption, where you're already stuck moving around the hard drive.
  2. It's incredibly brittle. The same properties that make it easy to destroy the key intentionally also make it easy to accidentally destroy it, in which case you're hosed.
  3. It's not fail-safe. If you're taken by surprise, you may not have time to zeroize the key and they may force you to hand over your PIN before the module times out and zeroizes.

The above-mentioned problems have created some interest in alternative solutions for non-interactive communications. The basic idea is to design an encryption system/protocol that produces multiple plausible outputs for a single ciphertext depending on the key.

So, say we have some ciphertext C, you'll have some set of keys K_1 ... K_n such that:

D(K_1,C) = M_1
D(K_2,C) = M_2

So, for concreteness and simplicity, say you have some real key K and then a fake key F. To decrypt things normally you use K but when you're forced to give up your key you provide F. D(F,C) is your grocery list whereas D(K,C) is the plans for your nuclear attack on Washington.

It's technically possible to build a system like this (the easy way to do it is simply to individually encrypt each plaintext and concatenate the results with a bunch of randomness so that you can claim that the fake plaintext you decrypted is the real one and that the rest of the file is randomness) but as far as I know no existing e-mail or file encryption system actually works that way. But even if you had something like this, I'm not sure it would help. Imagine yourself tied to a chair Guantanamo cell (or if you'd rather be a good guy, you've been captured by Al Qaeda) and the interrogators tell you to decrypt some file. You give them F and they decrypt your grocery list. Now, they know there's a possibility that the message contains some other plaintext 3 and they know they're not interested in your grocery list, so what's the downside to beating you up some more to see if you'll give up another key.

As I recall, when this kind of technique was discussed on Cypherpunks, the general idea was that you would have some series of progressively more sensitive plaintexts you would reveal--and that the attacker couldn't tell how many total messages there were--and that eventually the attacker would decide they'd gotten the real one. That sort of plausible deniability might work if you've been subpoenad, but I'm skeptical that it's going to work if people are willing to torture you anyway.

1. After Hermann Kahn's famous observation that the way to win at chicken is to throw your steering wheel out the window.
2. You can of course imagine social versions of this mechanism--e.g., there's some key server somehere that tries to figure out if you're giving up your key under duress, but then you've just moved the problem. This service has to be highly available and so they can presumably be captured or subpoenad.
3. One way they can tell is that the minimum size (taking compression into account) of a ciphertext that contains multiple messages must be greater than the minimum size of one which contains only a single message. Now, of course, you could have just padded out the ciphertext (say with zeros or other innocuous messages) but AFAICT there's no way of proving that until you've given up every single message. Even if it weren't possible to deterine when multiple message techniques were in use, the mere fact of there existence gives the attacker incentive to continue torturing you.


May 4, 2005

Like many chili-heads, I've long believed that capsaicin's greater solubility in alcohol than water meant that you should drink beer to help you deal with the pain of spicy food. Harold McGee says no:
What about quenching the burn once the mouth is already on fire? The two surest remedies--though they're only temporary--are to get something ice-cold into the mouth or something solid and rough, rice or crackers or a spoonful of sugar. Cold liquid or ice cools the receptors down below the temperature at which they are activated, and the rough food distracts the nerves with a different kind of signal. Though capsaicin is more soluble in alcohol and oil than it is in water, alcoholic drinks and fatty foods appear to be no more ffective than cold or sweetened water at relieving the burn (carbonation adds to the irritation). If all else fails, take comfort in the fact that capsaicin pain generally fades within 15 minutes.

This and this appear to be the relevant citations. Unfortunately, these are only abstracts; see here for a review article.

When complaining about the ChoicePoint, Lexis-Nexis, and Time-Warner privacy debacles, it's important to be clear on what kind of damage is being done. There are two basic things that can go wrong when databases of people's personal information are too easily accessible:
  • Some of your personal information can be used to impersonate you (identity theft).
  • Some of your personal information you just don't want known (simple privacy violation).

As I've observed before, the identity theft problem is largely due to the conflation of authenticating information (such as your SSN) which is used to prove your identity and reputational information (such as your credit rating) which is used to verify if you're a trustworthy person. Separating those types of information so that people could verify your reputation without getting authenticating information would go a long way towards making identity theft more difficult.

Unfortunately, it's harder to find a structural fix for leakage of reputational information. Because so many business decisions depend on this kind of information, it is inherently widely available. Now, just because your prospective landlord wants to know if you're a good credit risk doesn't mean they need to see all your personal information: Equifax (or ChoicePoint or whatever) could just give them a yes/no answer or a score with no additional information. But that has downsides too: can you trust them to make that decision in this kind of non-transparent fashion?

Today's WSJ article1 on ChoicePoint gets closer to the source of the problem than most previous media coverage I've seen.
For a time last year, one could even buy ChoicePoint background-check kits at Sam's Club for $39.99, though ChoicePoint says it required buyers to prove valid business purposes for using them. It pulled the product after a few months, saying it had just been a test.

The massive data theft at ChoicePoint wasn't the result of crafty computer hackers using a sophisticated technology. An imposter defeated the defenses with rudimentary means: simply claiming over the phone and on written forms to be somebody he wasn't.


Beyond the problem of wrong data is that of wrong client. A former ChoicePoint marketing manager says her colleagues often discussed how hard it was to verify someone claiming to be a private investigator eligible to access data. But the former executive, Mimi Bright Ribotsky, isn't sure the company sufficiently appreciated the problem. "I didn't think people realized what could happen as far as information getting into the wrong hands," says Ms. Ribotsky, who says she let in 2002 to attend to her family and remains a ChoicePoint admirer.

It's common to use "Information Security" to mean "Information Technology Security", but this is an Information Security problem that's not an IT Security problem. It's purely a matter of IT making a pre-existing social attack much easier. It's always been possible to lie about your identity to get credit information but thanks to computers once you have access you can easily obtain a large number of records.

It's not just a matter of authentication, either. True, the fraudsters lied about their identity, but that's not the basic problem: the number of businesses which have legitimate" access to your personal data is incredibly large. Consider that every time you rent an apartment the landlord wants to run a credit check. It's not exactly difficult to pretend to be a small-time landlord or even a PI, at which point you're in the door. There's no bright line between legitimate and illegitimate access to people's personal data—at least not in any way that ChoicePoint is equipped to determine. Given the way the system is currently set up—and by this I mean our entire credit and background checking program, not ChoicePoint— if we want small business to be able to check people out, fraudsters will be able to do so as well.

1. Warning: I read this article in the Asian WSJ. I don't subscribe to WSJ Online, but this looks to be the same article.

Amazon's "search inside the book" is a spectacularly useful research tool. What's really great is that Amazon lets you search books printed before modern electronic typesetting and indexing techniques—which often have fairly bad indexes.

May 3, 2005

2005/05/03 23:20:30 ZULU

Currently en route back from the undisclosed location, but here's something to think about:

  • The more expensive the hotel the more you pay for drinks.
  • If you fly first or business class you get free drinks.

For discussion: why?