EKR: March 2006 Archives


March 31, 2006

Mrs. Guesswork and I walked through the Canmore Museum today and spent some time watching their video on "Voices of Canmore". One of the major themes was how Canmore was changing from a sleepy mining community into more of a tourist center and how unhappy a lot of the older residents were about it. In my experience it's fairly unusual that a town wants to present itself that way in an attraction that's at least partly targetted at tourists. One of those interviewed expressed the concern would get built up like Banff. Two things are weird about this, at least for an American. First, Canmore is actually about 50% bigger than Banff in terms of population (though perhaps less touristy). Second, Canmore's population is about 15,000. Palo Alto's population is over 60,000.

Obligatory reference to Canadian Cult Classic (Highway 61): "I knew right away you were from the big city." "The big city?" "Thunder Bay." [Population 109,016]. (from memory, so no guarantees about transcription accuracy).


March 30, 2006

CNN reports that a large study of intercessory prayer has produced a negative result:
Dr. Herbert Benson of Harvard Medical School and other scientists tested the effect of having three Christian groups pray for particular patients, starting the night before surgery and continuing for two weeks. The volunteers prayed for "a successful surgery with a quick, healthy recovery and no complications" for specific patients, for whom they were given the first name and first initial of the last name.

The patients, meanwhile, were split into three groups of about 600 apiece: those who knew they were being prayed for, those who were prayed for but only knew it was a possibility, and those who weren't prayed for but were told it was a possibility.

The researchers did not ask patients or their families and friends to alter any plans they had for prayer, saying such a step would have been unethical and impractical.

The study looked for any complications within 30 days of the surgery. Results showed no effect of prayer on complication-free recovery. But 59 percent of the patients who knew they were being prayed for developed a complication, versus 52 percent of those who were told it was just a possibility.

It seems to me that we're missing three control groups:

  1. People who knew they weren't being prayed for.
  2. People who thought they weren't being prayed for but were.
  3. People who thought they were being prayed for but weren't.

Kind of hard to get the last two through the human subjects committee, but it would be interesting to know if the third group had the same complication rate as people who knew they were being prayed for (unfortunately, CNN doesn't tell us if the difference is statistically significant).

Dr. Harold G. Koenig, director of the Center for Spirituality, Theology and Health at the Duke University Medical Center, who did not take part in the study, said the results did not surprise him.

"There are no scientific grounds to expect a result and there are no real theological grounds to expect a result either," he said.

The whole concept of this kind of disinterested intercessory prayer strikes me as fairly problematic. God was going to let person X die but because person Y (who doesn't know person X from Adam) prays for person X he's going to heal them? It's pretty hard to find an attractive theory of divine motivation that would be consistent with that set of behaviors. Why exactly would this sort of prayer be worthy of reward? Actually, now that I mention it, the whole notion of prayer-based healing is a bit tricky. Deciding who should be healed based on how hard they pray rather than, say, how virtuous they are or how hard they believe seems awfully... transactional. Of course, you could argue that if you're a strong believer you'll pray a lot, but that's confusing cause and effect. Surely any reasonable deity already knows how much you believe. (Sort of related: Nozick's treatment of Medical Newcomb Problems.)


March 29, 2006

Each urinal has a little flat screen TV above it... And it's showing hockey. Interestingly, Mrs. Guesswork informs me that the women's bathroomswashrooms have no hockey-viewing accomodations.

March 28, 2006

The topic of "net neutrality" has been coming up quite a bit lately (see Ed Felten's excellent posts for important background). The basic principle is that some ISPs would like to treat different types of customer traffic differently, generally in the interest of revenue enhancement. The bottom line is that it's relatively easy for network providers to discriminate against at least some classes of applications. VoIP and other other real-time multimedia apps are particularly relevant here for three reasons:
  • They're easy to disrupt.
  • It's very difficult to describe exactly what forms of differential packet treatment are acceptable (are there no reasonable applications for QoS?)
  • There are existing carriers extracting quasi-monopoly rents on them.
  • In many cases those same carriers are the people who control the Internet connection to your house (i.e., the local exchange carriers).

The last point is particularly relevant because it gets at the heart of the problem, which isn't differential treatment--that's just a technique for price discrimination--but rather the monopoly itself. Your average Internet customer has at best two options for broadband (cable and DSL) and many have only one (I can't get DSL and have to settle for ISDN). It's extraordinarily expensive to run new cables to people's houses (people hate having their streets dug up), so this is a sort of stable situation. Given the monopoly/duopoly, it's completely unsurprising that the providers will attempt to extract monopoly rents and that generally means price discrimination.

Remember that price discrimination is only really practical in a non-competitive market. There's no reason that Internet service provision can't be competitive: it's just the market for last mile service that's inherently difficult to have competition for. The natural fix, rather than having a bunch of complicated rules about packet handling, is to separate the provision of the wires from the provision of Internet service so that we can have competition for packet carriage. Unfortunately, we're moving in the opposite direction. For a while, the local telco carriers were required to provide equal access to their lines to other Internet service providers (though there was always a lot of complaining that you got better service if you used their captive ISP rather than an independent ISP) but now that's not even required.


March 27, 2006

Northwest is starting a program where they reserve certain aisle seats for people who pay an extra $15 fee:
Flying - which once included a meal, a pillow, a little leg room and a bit of mystique - has been increasingly foodless, pillowless, cramped and joyless for some time. Now airlines are figuring out ways to make a buck from their customers' discomfort.

They're adding back "amenities" - we use this term loosely - but for a fee.

Northwest Airlines put a new twist on the trend this month, announcing that it would sell some of its aisle and exit-row seats for $15 per flight. Depending on the plane's configuration, an inch of legroom can cost from $1.15 to $2.50.

It's a fee that only an economist could love, but it's easy to see how Northwest got there.

I guess I think too much like an economist, but this sounds like a fine idea to me. It's long been the case that if you were savvy and asked for an Exit Row you could get a lot more legroom with a cheap economy ticket, and while I've used that trick many times it's not surprising that the airlines would want to monetize it. United--where I do most of my flying--has pursued a hybrid strategy. You can get an Economy Plus seat either by being an elite flyer or by just paying for Economy Plus access. Similarly, while you can sometimes get Exit Row at the airport, now that Premier Executive and above can reserve it at ticket purchase time it's gotten much harder. Obviously, it's not desirable if you're low-status and used to the way things are before, but it hardly seems unfair.

I've been wondering for a while if there's some way for the airline to charge you for each marginal inch of leg room. The problem, of course, is that each plane will have a different set of passenger preferences so any fixed seating configuration will be fairly inefficient. Maybe if there were some way to quickly move rows around an inch at a time..


March 26, 2006

I got back from IETF to find John Barnes's The Armies of Memory waiting from me from Amazon, thus pretty much guaranteeing no work would be done yesterday. The Armies of Memory is the fourth and allegedly final in the Giraut Leones series which contained A Million Open Doors, Earth Made of Glass, and The Merchants of Souls, but manages to feel quite different. I'm not going to give away plot details below, but I will talk about the themes some and that inevitable leaks some information. You have been warned.

March 25, 2006

A man in Afghanistan is being tried for apostasy and could potentially be executed. I bet he's glad that we got rid of that mean old fanatical Islamist Taliban and brought freedom to Afghanistan.

March 24, 2006

Here are the slides from last night's IETF Plenary talk on Distributed Hash Tables.

March 22, 2006

Disclaimer: I was only there for the first 90 minutes of the meeting
because I was in AVT for the last bit.

Summary: Highly confused.

It's not entirely clear what this is about, but I'm going to explain
what I think this is about. Obviously, people are constantly having to
authenticate themselves to a variety of services. It's obviously
attractive to avoid having pairwise authentication credentials between
each user/service pair. We already have a bunch of "single signon"
protocols which are designed to let you do this. The classic example
is Kerberos. Most successful versions of these protocols really only
work well in an enterprise setting, rather than in settings where the
communicating parties are distributed over different enterprises.

A related issue is that the claims that people want to make to
services often involve information other than identity. A common
example of this is wanting to establish that you're over 21.
Currently, the systems we have for establishing this type of claim in
the Internet setting are clumsy at best. (cf.  Age Verification
Systems where you use your credit card to "establish" that you're over

These two desires have created a lot of interest in Internet-scale
single signon-type services. The idea here is that you establish a
relationship with some authentication provider and then you can
somehow authenticate once to that authentication provider and then
they somehow assist you in authenticating to the services you want to
use. I'm being deliberately vague here because there are a zillion
ways of doing this, ranging from them issuing a certificate, being
involved in your connection, etc. There are a bunch of
technologies/players in this space. Keywords here are Passport, SAML,
Infocard, ... There's a sense that a lot of people have that
deployment of these systems has been less than would be desirable, but
the field is quite crowded.

The motivating factor for this BOF is that Sxip Identity has a
particular protocol which does some of this stuff
(draft-merrels-dix-01) and they want it considered in IETF.  There's
also been a bunch of other initiatives to discuss this stuff (see, for
instance Kim Cameron's "Laws of Identity")

The BOF itself was a mess. The BOF organizers seemed mostly 
unable to answer the following key questions:

       1. What are you trying to accomplish?
       2. What's wrong with the current approaches people are
	  trying on this front?

That makes it pretty hard to discuss the technical details of
the BOF. In particular, the question of whether or not the
identity provider/authentication service is able to assert
"real-world" claims like (over 21) was never really adequately
addressed. Several attempts by Crocker, Lear, and myself to
get clarity on the objectives were unsuccessful.

The really big elephant in the room is the existing identity
management systems. It's entirely possible that these are
inadequate, but without understanding what the objective is,
it's hard to know whether that's true or not. 

Nowhere near ready for charter.

March 20, 2006

As I mentioned previously, when you go through one of the GE Entryscan explosive scanners, the pause between the start of the scan and the "green light" indicating you're OK is unnervingly long. Even more so since I saw someone--a pretty well-dressed businessman--actually trigger the detector the other day when I was going through SFO. I guess this must happen fairly frequently, since I was kind of expecting him to be hauled away and never seen again, but it looked like they just ran him through the old-stye person digging through your luggage check.

March 19, 2006

In Dallas for IETF. Current weather conditions:
Several areas of rain and embedded thunderstorms will continue to affect much of North Texas through 1100 PM. However...the strongest storms will affect locations along and south of a line from Comanche...to Hillsboro and Palestine...where a warm front is located. Large hail and damaging wind gusts will be possible with storms in this region. Otherwise...rainfall rates on the order of 1 to 1.5 inches per hour can be expected from embedded thunderstorms across the northern portion of North Texas...along with frequent cloud to ground lightning strikes. The heavy rainfall will result in rapid runoff...and will aggravate ongoing flooding problems across North Texas. Outside of rain areas...skies will remain mostly cloudy through late evening...with temperatures remaining nearly steady in the upper 40s and lower 50s.

The road to the hotel is flooded and intermittently closed. Many people (including hotel staff) can't get in and some of those who did had to wade through waist-deep water. Many people won't leave because they're afraid of getting trapped away from the conference. Making the situation even better, a lot of the hotel staff aren't in, so service in the restaurants is.... marginal. Dinner is Powerbars and beef jerky from the hotel convenience store eaten in the hotel bar. (Mrs. Guesswork: "Is a blue cheese martini nutritionally complete?") The fire alarms just went off. Dick Hardt asks "when will the drinks arive?"

UPDATE: More on this from Ben Campbell.


March 17, 2006

Reuters reports (well, reports that NBC News Reports) that GAO tests of explosive screening in airports were, uh, not encouraging (þ Shostack):
WASHINGTON (Reuters) - Security screeners at 21 U.S. airports failed to find bomb-making materials during recent government tests, NBC Nightly News reported on Thursday.

Federal agents carrying materials that could be used to make bombs escaped detection in airport screening during tests conducted between October and January, NBC said, citing government sources.

"In all 21 airports tested, no machine, no swab, no screener anywhere stopped the bomb materials from getting through. Even when investigators deliberately triggered extra screening of bags, no one stopped these materials," the report said.

NBC said, for security reasons, it would not name the airports nor the ingredients involved in the tests conducted by the Government Accountability Office (GAO), the watchdog arm of Congress.

So, assuming this is true (a more direct source would be nice), then there are a number of possibilities:

  1. The explosive detection devices don't work at all.
  2. The explosive detection devices work in the lab but you can't get a reliable sample off of people's bags in an aiport setting.
  3. The procedures being used by the TSA techs are broken somehow.
  4. The TSA techs running the machines are too incompetent to use them.

It's just wild speculation, but my guess is it's (3). It's hard to believe that (even) TSA would deploy something that didn't work at all, so I think that rules out (1) and probably (2), since surely they did some field testing. Incompetence is always a possibility, but it's similarly hard to believe that if they tested at 21 airports they couldn't find someone competent. So, my money is on a systematic procedure problem, and I've got one in mind: these desktop explosive sensors have really high false positive rates, on the order of a .1-2% percent. So, what I'm guessing (and that's all it is, but one of the nice things about it being a blog is you get to do that) is that the airport techs dial the sensitivity way down to avoid having to deal with false positives (which is surely what nearly all positive results they get are. Whatever the reason, it's pretty suboptimal if we can't even detect explosives in canned tests.


March 16, 2006

Slate has a really interesting article about the Irish Pub Company which manufactures and installs prefab Irish pubs:
IPCo's designers claim to have "developed ways of re-creating Irish pubs which would be successful, culturally and commercially, anywhere in the world." To wit, they offer five basic styles: The "Country Cottage," with its timber beams and stone floors, is supposed to resemble a rural house that gradually became a commercial establishment. The "Gaelic" design features rough-hewn doors and murals based on Irish folklore. You might, instead, choose the "Traditional Pub Shop," which includes a fake store (like an apothecary), or the "Brewery" style, which includes empty casks and other brewery detritus, or "Victorian Dublin," an upscale stained-glass joint. IPCo will assemble your chosen pub in Ireland. Then they'll bring the whole thing to your space and set it up. All you have to do is some basic prep, and voilĂ ! Ireland arrives in Dubai. (IPCo has built several pubs and a mock village there.)

I wonder if I have room to have have one of these installed in my house.


March 15, 2006

All the free mail providers have a problem with being used as a spam platform. If it's easy to sign up for accounts, then spammers sign up and use them for spam until they get cut off. The problem here is that the users don't have any real business relationship with the provider so it's very hard to determine whether they're legitimate or to stop someone from getting a large number of accounts.

The standard procedure here is to use some reverse turing test (e.g., CAPTCHAs) to (at least theoretically) stop the spammers from writing software to sign up for accounts. But if you're willing to have people just sit there and "solve" the test, then you can sign up for a large number of accounts. In addition, there has been a fair amount of work on attacking this kind of test.

I just noticed that Google has come up with quite a clever technique for rate limiting by tying your account to a real world identity. When you sign up for gmail you need to enter a code that they SMS to you. This way they know that you have access to that mobile phone and can limit the number of accounts given to any one phone user. The downside of this, of course, is that now Google knows your mobile phone number (or at least the number of someone you know), which isn't ideal if you want to be really anonymous, which is one reason that people use free e-mail providers.


March 13, 2006

Nasal spray is great stuff, but there's a real risk of rebound congestion, as I've written before. Check out this NYT article about people with a real problem:
Though it is not entirely clear why, the blood vessels in the nasal lining quickly become tolerant to the drugs' shrinking effects. With months of overuse, the sprays choke off blood flow to the nasal membranes and damage them. In some patients with severe cases, Dr. Bhattaharyya said, "the inside of their nose looks like a chemical burn."

Dr. Goldstein said he had seen patients with holes in the nasal septum -- the structure that separates the two breathing passages -- from abuse of the decongestants.


Simply stopping cold turkey will usually defuse the rebound cycle in a week or two, Dr. Goldstein said, but a lot of patients cannot resist the urge to spray in the meantime.

"What I do in such cases," he said, "is insist that they stop the nasal spray and put them on a five-day course of an oral steroid like prednisone" that will usually relieve the stuffiness until the rebound is gone.

"I always tell them, 'Don't start the steroids if it's a work week,' " he said. " 'Give me a time when you can get by without getting much sleep' " because of the lingering congestion.

And, sounding like an addiction counselor, Dr. Goldstein adds, "Make sure you throw out every nasal spray decongestant you have, or you won't be able to stop using it."

Prednisone, huh? You think rebound congestion is bad, check out the warnings and contraindications on this bad boy. Don't get me wrong, prednisone is reasonably safe if used for only a short period of time, but that's true of nasal spray too. The difference here is that since prednisone is prescription only, the doctor's self control can substitute for yours.


March 12, 2006

This draft describes a protocol and architecture for doing
"P2P SIP". What this means in practice is that registration
information is stored in a Distributed Hash Table, thus
in principle removing the need for centralized servers.


Use of SIP for DHT Functions
The protocol used in this draft uses SIP both for the usual
signalling functions and for DHT maintenance. This strikes
me as a poor design decision.

1. It means that while you will be able to use generic 
   DHT algorithms you won't be able to use a generic
   DHT service. There's nothing particularly special
   that this application requires from a DHT, so it seems
   like a classic architectural mistake to tie yourself
   to something specific.

2. It obscures what should be a clean architectural separation
   between lookup services (what the DHT is being used for)
   and signalling services (what SIP is used for now). This
   made some sense in the previous draft which actually 
   punned on the SIP messages (using INVITE to find the
   UA for the desired contact) but now that you're using
   REGISTER in order to explicitly separate these functions,
   there's really no value added here.

3. It's really confusing.


March 11, 2006

The State Department has started issuing RFID-based passports to members of the diplomatic corps[*]:
Amid continued doubts from experts, and with only one approved technology vendor, the State Department is pressing forward with its electronic passport program.

It started issuing e-passports to its diplomatic corps on Jan. 1 and by last week had distributed 299 of them, according to State spokeswoman Laura Tischler. The department plans to roll out the contactless chip technology for the general public this summer, officials said.

If you've been holding off getting a new passport and you want one without RFID, now's the time to take care of this.


March 10, 2006

One of the most depressing problems in public health is that lots of people in developing countries still die of diseases we know how to prevent. In that vein it's really good news that we're making progress on measles:
GENEVA (Reuters) - Worldwide measles deaths had dropped 48 percent in six years as immunization efforts reached more children in sub-Saharan Africa, the United Nations said on Friday.

The World Health Organization (WHO) and U.N. Children's Fund (UNICEF) said the fall in deaths to 454,000 in 2004 from 871,000 in 1999 was "an outstanding public health success story".

"If progress continues at this rate, the global goal to cut measles deaths by half (between 1999 and 2005) will have been achieved in time," said WHO Director-General Lee Jong-wook.

A safe, cheap and effective measles vaccine has been available since the 1960s, but the highly infectious disease is still a major killer of children in developing countries.

What I'd like to know is what we're suddenly doing differently.

A new vulnerability has been published in GPG. Kind of an interesting flaw, actually:
OpenPGP messages are made up of packets.  The signed data is a packet,
the actual signature is a packet and there are several control packets
as well.  For example:

   O + D + S 

This describes a standard signed message made made up of a control
packet (O for one-pass signature packet), the actual signed data (D)
and the actual signature packet (S).  gpg checks that the signature S
is valid over the data D.  This is actually easy if not OpenPGP and
GnuPG would have a long tradition of changing the fromats.  PGP 2
versions used a different way of composing these packets:

   S + D

and early versions of gpg, released before RFC2440, even created

   D + S

i.e. without the one-pass packet.  Still this would all be easy to
process properly but in an ill-advised attempt to make things easier,
gpg allowed the processing of multiple signatures per file, like

   O1 + D1 + S1 + O2 + D2 + S2

where two standard signatures are concatenated.  Now when combining
this with the other variants of signatures, things get really messy
and it is not always possible to assocciate the signature (S) with the
signed data (D).  gpg checked that this all works but unfortunately
these checks are not sufficient enough.  The attack is to change a
standard message to inject faked data (F).  A simple case is this:

   F + O + D + S 

gpg now happily skips F for verification and does a proper signature
verification of D and if this succeeds, prints a positive result.
However when asked to output the actual signed data it will output the
concatenation of F + D and thus create the impression that both are
covered by the signature.  Depending on how gpg is invoked (in a
pipeline or using --output) it may even output just F and not at all
D.  There are several variants of the attack in where to put the faked

The only correct solution to this problem is to get rid of the feature
to check concatenated signatures - this allows for strict checking of
valid packet composition.  This is what has been done in and
in the forthcoming 1.4.3rc2.  These versions accept signatures only if
they are composed of

  O + D + S
  S + D
Cleartext signatures are of course also supported, they are similiar
to the O+D+S case.

At some level, this is just a coding error and these things happen. But at another level this is a function of a protocol design that emphasizes flexibility and having multiple ways to do things. The more potential options at any point in the protocol the harder it is to get the implementation right and the more likely it is that you'll end up with security-relevant defects.


March 9, 2006

OK, this is just sweet. Literally.

One thing doesn't sound entirely right to me, though:

After fielding guesses about carbonation and evaporation rates, Dr. Jellinek explained: "You have an ice cube, and the ice cube is in contact with water or alcohol. The first thing to realize is the ice is melting because there is heat transfer from the water to the ice."

Colder water is denser, so water from a melting cube sinks, stirring up warmer water, which causes the ice cube to continue melting. Alcohol, however, is less dense than water, so the water from the cube sinks faster in the Scotch, stirring the water more vigorously and causing the ice cube to melt more quickly.

Dr. Jellinek then dropped two ice chips, roughly the same size, one into a cup of water, the other into Bell's Scotch Whiskey. "The main thing is what's coming off the bottom is superfast," Dr. Jellinek said, pointing to the ice and Scotch. "Just in the last 30 seconds, this guy is now 30 percent smaller than the one in the water."

Solutions exhibit a phenomenon called freezing point depression. The freezing point of a solution of alcohol and water is substantially lower than that of pure water. That's why you can keep vodka in your freezer without having it freeze. So, the effect of dropping an ice cube in whiskey is like putting salt on ice--you get fast melting. 1 It's not clear you need to invoke convection to explain this phenomenon.

1. Note that this is a general property of solutions, not one that depends on the freezing point of the solute. After all, NaCl is solid at room temperature but NaCl in water exhibits more freezing point depression than alcohol in water because the NaCl dissociates when dissolved, providing twice as many ions in the water.


March 8, 2006

The NYT reports on the not-very-edifying spectacle of patients having to beg the FDA to return a drug to the market. The drug in question, Tysabri, is substantially more effective than the other available drugs but also has been linked to a rare (and potentially fatal) brain infection
The testimony came on the first day of a two-day meeting of an F.D.A. advisory panel considering whether and how Tysabri might be returned to the market. At a time when the F.D.A. has been criticized for being lax on drug safety, the testimony underlined that there are patients with severe diseases who are willing to take risks and want to be able to decide for themselves.

"We understand the risks of using experimental drugs," Pamela Clark of Salt Lake City told the committee, "but we also understand the risks of doing nothing." She said Tysabri had allowed her to walk to a duck pond with her two 5-year-old sons and stand up long enough to cook dinner.

Tysabri, developed by Biogen Idec and Elan, is considered a significant advance in the treatment of multiple sclerosis, a neurological disease that affects about 400,000 Americans and can cause paralysis, fatigue, blurred vision and cognitive problems.

But in Febuary 2005, three months after its approval, it was withdrawn from the market because of a link to progressive multifocal leukoencephalopathy, or P.M.L., a rare but deadly viral brain disease. It was found that three people who took the drug in clinical trials, one in 1,000, developed P.M.L.; two of them died and the third was severely disabled.

To their credit, the panel has recommended that Tysabri be returned to the market, but it could certainly have gone the other way. In general, its not clear to me that the FDA should be in the business of making this kind of cost/benefit decision. Once it's been established that a drug works and the risks are clear--or clearish--it seems that it would be appropriate to allow those who have demonstrated informed consent to be able to make their own risk/reward tradeoff rather than having the decision be centralized.


March 7, 2006

Mark Kleiman makes an interesting point about the effect of aggressive drug enforcement (read it, really):
In the long run, drug enforcement may, in fact, tend to decrease prices by creating a class of retail drug dealers with felony records who therefore can't find lawful employment. That group then bids down dealing wages. (Crack dealers, who were making $30/hr. in Washington D.C. in the late 1980s, were making less than the minimum wage in Chicago in the late 1990s.) Since retail dealers' wages are an important element of the cost structure of the illicit drug industry, falling retail wages translate into falling retail prices.

This isn't the only thing that could cause prices to fall, but it's certainly an intriguing one.


March 6, 2006

My United Mileage Plus Visa has just been taken over by Chase. In order to let me use their online site they want me to agree to the usual onerous terms, including:
1. Scope of Communications to Be Provided in Electronic Form. When you use a product or service to which this Disclosure applies, you agree that we may provide you with any Communications in electronic format, and that we may discontinue sending paper Communications to you, unless and until you withdraw your consent as described below. Your consent to receive electronic communications and transactions includes, but is not limited to:

* All legal and regulatory disclosures and communications associated with the product or service available through the Online Service for your Account
* Notices or disclosures about a change in the terms of your Account or associated payment feature and responses to claims
* Privacy policies and notices

2. Method of Providing Communications to You in Electronic Form. All Communications that we provide to you in electronic form will be provided either (1) via e-mail, (2) by access to a web site that we will designate in an e-mail notice we send to you at the time the information is available, or (3) to the extent permissible by law, by access to a web site that we will generally designate in advance for such purpose.

Now, this seems extraordinarily undesirable. Like many other people, I have heavy-duty spam filtering, which is why I prefer my notifications in paper form. That way I'm sure I get it. Unfortunately, Chase doesn't seem to want to give me that option.

Also, did you catch that clever bit about "a web site that we will designate in an e-mail notice we send to you at the time the information is available". So, basically, I'm just to read some e-mail that's supposedly from Chase and then go to a Web site where I key in my login information to get access to this alleged communication? Outstanding!

UPDATE: I just spoke to Susan ***** from Chase on the phone, and indeed there's no way to opt out of this feature. If you want to use the site you need to agree to these terms. I mentioned the phishing concern and she says "phishing e-mails are easy to spot" because they ask you to type in your information--not at all like what happens when I dereference the link that Chase gives me in their e-mail. When I do that they only ask for my username and password.


March 5, 2006

A while ago I wondered if you could construct a language with a faster data rate than spoken language--at least a language that people could actually speak and understand. Recently, I ran across ithkuil, which is a constructed language which is supposed to be a lot more phonetically dense than natural languages and have a much higher information rate. Unfortunately, there doesn't appear to be anyone who actually speaks Ithkuil, so this doesn't answer the question of whether a language like this is actually usable,
Today's NYT has an article about the now common practice of freeloading off other people's insecure wireless networks. Unfortunately, they don't do that great a job of explaining why you would or would not want people using your wireless network. For instance:
Martha Liliana Ramirez, who lives in Miami, said she had not thought much about securing her $100-a-month Internet connection until recently. Last August, Ms. Ramirez, 31, a real estate agent, discovered a man camped outside her condominium with a laptop pointed at her building.

When Ms. Ramirez asked the man what he was doing, he said he was stealing a wireless Internet connection because he did not have one at home. She was amused but later had an unsettling thought: "Oh my God. He could be stealing my signal."

What the heck does stealing your signal mean? The first thing you need to realize is that almost everyone's Internet connection pricing is flat rate. So, if someone else is using your Internet connection it doesn't cost you money at all. This is quite different from (say) your cell phone, which is probably charged by the minute.

They might, however, be stealing your performance. Your home Internet connection--like the Internet in general--operates on the principle of statistical multiplexing. Say you have a typical 1.5 Mbps DSL line. In principle, you could be moving 1.5 Mbps worth of data at all times but in practice you're not. Most of the time you're not using the Internet at all and even when you are, mostly you're doing fairly bursty stuff. For instance, when you click on a Web page there's a burst of activity while it downloads and then nothing while you're reading it. Even if you're doing something real-time like VoIP, you're only talking some fraction of the time and your softphone can do silence suppression and not send send any data if you're not talking.

Pretty much the only applications that load your Internet connection continuously are bulk data transfers like file downloads. Even then, the limiting factor is often the bandwidth of the site you're downloading from rather than your home line. If the offered load from the site is only 500 kbps, then you have 1 Mbps that is available for other applications. The point here is that most people's network connections have lots of spare capacity, so that you mostly don't notice if a few other people are using your network. And remember that their traffic is bursty too, so the only time you'll see a slowdown is if you're trying to use a lot of bandwidth at the same time they are--or if there are so many freeloaders that they generate a high average load.

Of course, that's not the end of the story, because your ISP uses the same principle to size their network. Say you're an ISP with 1000 customers each of which has a 1.5 Mbps line. In principle, you need a 1.5 Gbps line to the rest of the Internet in order to serve all of them simultaneously, but in practice they never all demand full bandwidth simultaneously so you can get away with a much smaller line. The degree to which an ISP can underprovision their network is mostly governed by the actual fraction of their connections that their customers use. If customers do a lot of high volume data transfers then the ISPs need to buy more uplink capacity. Similarly, if a bunch of people are sharing your connection, then the overall load on your connection increases and so does the amount of bandwidth the ISP has to allocate to service you.

The ISP's pricing model is premised on certain assumptions about how you're going to use your Internet connection. One of those assumption is that the connection will only be used by the people in an individual household. If that assumption is wrong, then, the ISPs pricing model is also wrong.

Of course, at some level this is the ISP's problem, not yours. On the other hand, this is a classic public good problem: if there's a high rate of freeloading--and if the freeloaders don't buy their own lines--then this drives up ISP's costs and eventually the costs to the people who do pay for their Internet connection. But like many such public good problems, the effect of your behavior (allowing freeloading or not) on your costs (in this case the cost of your Internet connection) is near zero, so you have very little incentive to stop freeloading as long as your performance is acceptable.1 Note that ISPs generally often prohibit this kind of connection sharing if it's intentional but it's not entirely clear that just having an open network qualifies, and given how common they are, it's not like the ISP has much recourse except to threaten to cut you off.

I'm kind of skeptical that this kind of connection sharing has become a major problem for the ISPs, but if it does, they'll need to find some way to incentivize consumers not to share their connections. Among the possible approaches would be:

  • Offer customers free wireless routers that have security turned on by default. The reason that its so easy to use other people's connections is that most Access Points (APs) ship open by default. Just having security on by default would make this a lot harder.
  • Try to detect when connections are being shared and penalize the customer. This is harder than it sounds because typical APs make all the computers behind them look like a single computer. However, there are techniques that would give you some leverage here.
  • Metered pricing Most people have flat-fee charging which is why they don't care about freeloaders. If they paid by the byte moved they would immediately have an incentive to stop other people from using they connection. Historically consumers have been very resistant to non-flat-rate pricing, so this would probably be difficult to impose.

Of course yet another alternative would be to spread a bunch of FUD about how unsafe it is to let people use your wireless network. One of the most common variants of this is that you might get falsely accused of downloading contraband material that your neighbors were responsible. On the other hand, demonstrating that you're running an open AP seems like a pretty good defense on this score. Indeed, it's a potential defense even if you were the one at fault.

1. Yes, I'm quite aware that there are security arguments for why you should secure your wireless connection in order to protect your own computer. I'm not sure I find this that convincing--if you're connecting your computer to the Internet you need to secure it, whether or not you have an open wireless AP--but in any case they're a bit off topic for this post.


March 4, 2006

In the comments section, James Wetterau writes:
Not addressing your other points, I have a minor quibble with your point about mythology.

"Mythology" means a body of traditional stories, typically serving as an explanation of origins (of a people, or the world), history, and otherwise inexplicable phenomena.

Since myths are created and passed down by telling or perhaps writing stories, and not through careful scientific or historical research, we expect them to contain a lot that is not true. However, a particular myth may be true (or partly true) and still be correctly called a myth. For example, a myth may recount an otherwise unverifiable event of ancient history (a particular battle, say) in a manner which is correct in broad general outline. Due to the decay of any evidence it may be impossible to verify the myth through independent confirmation; in that case it is an unverifiable myth that happens to be true. (But we would need a reliable oracle or time travel to find out that it's true.)

True myths are not logically precluded. I agree, however, that the ancient greek gods did not actually exist and therefore did not inspire the oracle. :-)

It seems to me that this is a pretty fair description of at least the Bible. You may believe that it was divinely inspired, but the Old Testament at least was handed down as part of an oral tradition long before it was written down. It recounts many events (the burning bush, parting of the sea, etc.) which can't be independently confirmed and in many cases can't even be verified in broad outline. Despite that, you almost never hear anyone--even non-believers--refer to the Bible as mythology unless they're trying to start a fight. So, I don't agree that "mythology" is as neutral a term as Wetterau suggests.

Another example here is the term "cult". When I took religious studies in college, it was standard practice to refer to all religions as cults, e.g., "the Jesus Cult". This was obviously intended as neutral language, but of course in ordinary speaking the word "cult" is incredibly pejorative. It's one of those irregular verbs: I'm a believer, you belong to a fringe religion, he's a member of a cult.

UPDATE: Fixed the URL. Thanks to Pete Lindstrom for pointing this out.


March 3, 2006

The location for IETF 66 (July 10-14) has just been announced. It's Montreal.
Strange piece by William J. Broad in the NYT on the relationship between science and religion. Broad echoes Gould's famous non-overlapping magisteria argument (though Gould wasn't the first to make it) but the particular example he chooses is... unusual:
The recent discoveries of a renegade four-member team of scientists illustrate how the two realms are quite independent. They found the truth behind the Oracle of Delphi's legendary powers, showing how the most influential figure of ancient Greece prepared for ecstatic union with Apollo. The scientists, analyzing the Delphi region and the god's temple, discovered tons of bituminous limestone down below, its layers rich in intoxicating gases. [by de Boer et al--EKR]

They also found two faults that crisscross beneath the shrine to form a geologic pathway to the surface. They even measured traces of intoxicants still bubbling up today. This and other evidence suggest that the Oracle inhaled a mist of potent gases that could promote trancelike states and aloof euphoria, helping send her into mystic ecstasies.

The scientists' triumph, however, did little to pierce the Oracle's veil, as the scientists were quick to acknowledge. They claimed no insights into how her utterances stood for ages as monuments of wisdom. They had no explanation for how the priestess inspired Socrates, or the seeming reliability of her visionary pronouncements. In short, the scientists, while solving a major riddle of antiquity, wisely left other mysteries untouched.

I don't get this argument. Does Robertson seriously believe that the Oracle of Delphi's visions were somehow inspired by Apollo? Of course not, and neither do you. Even the most tolerant people don't seriously believe that millenia-dead mythologies like this have any epistemic validity. A good sign of this is when this stuff gets taught in schools it's called "mythology", not religion, and nobody even pretends that it's anything else. Contrast this to the way that, for instance, Islam gets treated--though no doubt nearly every American teacher believes it's false.1

The research Broad cites provides a reasonable natural explanation of the origin of the visions and their supposed "accuracy" doesn't need explanation any more than does the accuracy of horoscopes or divination by entrails. All three cases are adequately explained by a simple combination of coincidence and wishful thinking--which is no doubt why de Boer et al. didn't bother to address them in the particular case of the Oracle of Delphi. So, how exactly does this serve as an example that there are some things science shouldn't investigate?

1. In a similar vein, here's Dennett on tribal religions:

I should emphasize this, to keep well-meaning but misguided multiculturalists at bay: the theoretical entities in which these tribal people frankly believe--the gods and other spirits--don't exist. These people are mistaken and you know it as well as I do. It is possible for highly intelligent people to have a very useful but mistaken theory, and we don't have to pretend otherwise in order to show respect for these people and their ways.

March 1, 2006

Troubling article in the February 10th issue of Science about teaching evolution to college students.
  • About 30% of Cornell introductory biology students believe that God created humans within the past 10,000 years.
  • Only slightly over half the introductory biology students at Minnesota have been taught evolution in high school.
  • Worst of all, college classes don't seem to make much of a difference. Before an intro bio class at WVU Parkersburg, 37% of students didn't accept common ancestry of humans and apes. Afterward, 29% didn't. (see below).

According to this article the big sticking point is the evolution of humans. It's easy to see why this is counterintuitive--it's just hard to visualize how something as complicated as humans could have evolved. Still, it's disappointing that the overwhelming evidence for evolution isn't more effective at getting people past that intuitive barrier. It's also a problem for many on religious grounds--the Adam and Eve story is obviously a key part of many people's theology--but plenty of religious people have managed to integrate evolution into their belief structure so this obviously isn't an insuperable obstacle.