EKR: May 2006 Archives

 

May 30, 2006

Poison Ivy grows faster as the amount of carbon dioxide in the atmosphere increases, according to a study conducted by researchers at Duke University. The researchers simulated what the environment of the earth might be like in 2050 if the levels of carbon dioxide continue to grow at the current trajectory. (Increasing CO2 and other greenhouse gases into the atmosphere raises the earth's temperature, according to most scientists).

Under the simulated conditions, the poison ivy plants grew 150 percent faster than plants in an ordinary environment. Other expected consequences of global warming include more severe dry spells in the western U.S. and lower temperatures in Northern Europe. [*].

Time to stock up on prednisone.

 

May 29, 2006

I'm at a meeting at the Morrison House hotel today. They claim to have wireless, but as is commonly the case, their APs seem to be flakey and of course the people working at the hotel are of minimal help ("well, sir, go to the start bar at the bottom of the screen and click on the wireless signal icon....", "yeah, FreeBSD doesn't have that"). The specific problem I'm having is that they have multiple APs (one per floor) but the signal is often weak and I keep getting de-associated and then re-associated almost immediately.

The first problem this creates is that if you just let FreeBSD pick its AP automatically ("ssid -"), when you re-associate you can get associated with a different AP than you were before and since that AP is working on a different subnet, you get a new address and all your connections break--if you're lucky. This problem is easily solved by telling FreeBSD to pick a particular AP (figuring out which one is best at any particular moment requires some trial and error).

The second problem is that when FreeBSD de-associates from the AP, it seems to abandon its opinion about its IP address, and when it re-associates, even with the same AP, it doesn't seem to want to re-run DHCP to get a new address. This may be a bug in FreeBSD or may just be some kind of configuration error I haven't worked out yet. Anyway, once I figured out what was going on, I was able to find a workaround. What you do is use DHCP to get a lease for your address and then manually configure the interface to have that address. Then when you get de-associated you don't lose your address. Of course, there's the usual concern that someone else might get the same address as you via DHCP, but the leases are long (about 12 hrs) so you just need to manually reconfigure it once a day or so.
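The lease-pinning workaround above, written out as an added shell example (this is not code from the original post): it pulls the address, netmask, router and lease length out of the most recent lease block in an ISC-style dhclient.leases file and emits the static ifconfig/route commands, so the address survives a de-association, and it reports the lease length so you know how often to re-run DHCP before someone else can be handed the same address. The lease text is constructed sample data, and the interface name ath0 and the lease file path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: pin the DHCP-assigned address so it
# survives a wireless de-association. Reads the most recent lease out of an
# ISC-style dhclient.leases file and emits the static configuration commands.

# Constructed sample in dhclient.leases format (on FreeBSD the real file is
# assumed to be /var/db/dhclient.leases.<ifname>; the interface name ath0 is an
# assumption). dhclient appends to the file, so the last "lease { ... }" block
# is the current lease and earlier blocks are stale.
SAMPLE_LEASES='lease {
  interface "ath0";
  fixed-address 10.0.1.50;
  option subnet-mask 255.255.255.0;
  option routers 10.0.1.1;
  option dhcp-lease-time 43200;
  expire 1 2006/05/29 08:00:00;
}
lease {
  interface "ath0";
  fixed-address 10.0.1.23;
  option subnet-mask 255.255.255.0;
  option routers 10.0.1.1;
  option domain-name-servers 10.0.1.1;
  option dhcp-lease-time 43200;
  option dhcp-server-identifier 10.0.1.1;
  expire 1 2006/05/29 20:00:00;
}'

# lease_field FIELD LEASETEXT: print FIELD's value from the last lease block.
# FIELD is the full key as it appears in the file, e.g. "fixed-address" or
# "option subnet-mask".
lease_field() {
    printf '%s\n' "$2" | awk -v f="$1" '
        /^lease[ \t]*[{]/ { val = "" }   # a new block supersedes the previous one
        {
            line = $0
            sub(/^[ \t]+/, "", line)     # strip indentation
            sub(/;[ \t]*$/, "", line)    # strip the trailing semicolon
            if (index(line, f " ") == 1) val = substr(line, length(f) + 2)
        }
        END { print val }'
}

# lease_hours LEASETEXT: lease length in whole hours, i.e. how often you must
# re-run dhclient to keep the server from handing the address to someone else.
lease_hours() {
    secs=$(lease_field "option dhcp-lease-time" "$1")
    [ -n "$secs" ] || { echo "no dhcp-lease-time in lease" >&2; return 1; }
    echo $((secs / 3600))
}

# lease_to_commands IFACE LEASETEXT: print the ifconfig/route commands that
# configure IFACE statically with the parameters DHCP handed out.
lease_to_commands() {
    iface=$1
    addr=$(lease_field "fixed-address" "$2")
    mask=$(lease_field "option subnet-mask" "$2")
    gw=$(lease_field "option routers" "$2")
    if [ -z "$addr" ] || [ -z "$mask" ]; then
        echo "lease is missing fixed-address or subnet-mask" >&2
        return 1
    fi
    echo "ifconfig $iface inet $addr netmask $mask"
    # "option routers" may list several routers; the first one is the default route
    [ -n "$gw" ] && echo "route add default ${gw%%,*}"
    return 0
}

# On the real machine (as root; the lease path is an assumption) you would run
#   dhclient ath0
#   lease_to_commands ath0 "$(cat /var/db/dhclient.leases.ath0)" | sh
# and repeat the dhclient step before lease_hours have elapsed.
lease_to_commands ath0 "$SAMPLE_LEASES"
echo "lease length: $(lease_hours "$SAMPLE_LEASES") hours"
```

The parser deliberately reads only the last lease block: dhclient keeps old leases in the file, and pinning a stale address is exactly how you end up colliding with another guest on the same subnet.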

Anyway, this is all pretty annoying, but it seems to work fine, since I've been using the network all day and am blogging from it now.

 

May 28, 2006

The FDA's advisory panel has recommended approval of Merck's HPV vaccine, which is effective against the HPV strains that cause around 70% of cervical cancer. Various conservative groups have been making noises about how the HPV vaccine would encourage promiscuity. As Arthur Allen points out, abstinence advocates rely on doubts about condoms' effectiveness against HPV in order to promote abstinence (see also Michelle Goldberg's Kingdom Coming):
Coburn, a family practice physician and a fierce opponent of abortion, subtly inserted the HPV message into the Breast and Cervical Cancer Treatment Act, a bill that passed by a 421-1 vote in the House of Representatives on May 9. The bill provides an estimated $250 million over the next five years to treat uninsured female cancer patients. But Coburn tacked on two controversial clauses, which went virtually unnoticed by the news media. The first orders the Food and Drug Administration to require condom labels to state that they do not protect against HPV. The second calls for the federal government to make HPV infection a reportable disease within two years.

While these don't at first glance seem like particularly insidious measures, many scientists and doctors who work on cervical cancer believe the requirements could lead to unfounded panic and loss of confidence in condoms, ultimately increasing the rate of sexually transmitted disease. The Coburn amendments, these critics say, manipulate the science to serve a poorly conceived idea.

"The subtext is that Coburn and his supporters don't want people to have sex," says a spokesman for the American College of Obstetricians and Gynecologists. "They're saying, 'Hey kids. Not only will you get AIDS. You'll get cancer, too!'"

That said, despite the FDA's reliance on similar reasoning with respect to Plan B, I would be kind of surprised to see this vaccine actually being blocked. After all, lots of people want to get pregnant, but nobody really wants to get cervical cancer.

 

May 27, 2006

William Saletan argues that we should replace our current methods of producing meat with lab-grown meat:
With all the problems facing humanity--war, terrorism, poverty, tyranny--you probably don't worry much about whether it's right or wrong to eat meat. That's understandable. Every society lives with two kinds of moral problems: the ones it's ready to face, and the ones that will become clear or compelling only in retrospect. Human sacrifice, slavery, the subjugation of women--every tradition seems normal and indispensable until we're ready, morally and economically, to move beyond it.

The case for eating meat is like the case for other traditions: It's natural, it's necessary, and there's nothing wrong with it. But sometimes, we're mistaken. We used to think we were the only creatures that could manipulate grammar, make sophisticated plans, or recognize names out of context. In the past month, we've discovered the same skills in birds and dolphins. In recent years, we've learned that crows fashion leaves and metal into tools. Pigeons deceive each other. Rats run mazes in their dreams. Dolphins teach their young to use sponges as protection. Chimps can pick locks. Parrots can work with numbers. Dogs can learn words from context. We thought animals weren't smart enough to deserve protection. It turns out we weren't smart enough to realize they do.

It's certainly true that our methods of meat production aren't exactly something that most people would want to be on the other end of, but that doesn't necessarily imply that the world would be better if we stopped them--even if you assume that vat-grown meat is equivalently attractive from every other perspective.

The thing to remember here is that most of those animals owe their existence to the fact that they're destined for slaughter. For comparison, there are about 100 million head of cattle in the United States, while bison, which are much less commonly eaten, have a population of about 350,000. Given that most food animals are heavily bred for the semi-industrial production methods we use, it's doubtful that the populations of chickens, pigs, cattle, etc. would be anywhere near as high as they are now if we weren't eating them.

This runs us smack into Parfit's repugnant conclusion:

For any possible population of at least ten billion people, all with a very high quality of life, there must be some much larger imaginable population whose existence, if other things are equal, would be better, even though its members have lives that are barely worth living.

Since it doesn't seem likely that if we stop growing animals for food, a lot of people are going to choose to keep cattle and pigs as pets, as a practical matter, we get to choose between two possible futures:

  1. There are a very large number of animals which are treated quite poorly and eventually eaten.
  2. There are a much smaller (near zero?) number of animals which are treated perhaps somewhat better and eventually die of more or less natural causes.

If you're a utilitarian, it's not entirely clear that (2) is preferable to (1).

There are a number of ways to get past this. First, you could just argue that the quality of life of the animals is below Parfit's "Bad Level". I.e., it's of negative utility to them and they would prefer not to live. We can't ask them, of course, but you can ask yourself how you would feel about it if you were in their position. Truth be told, I'm not sure how I would answer that question. Obviously, being bred as a meat animal wouldn't be a lot of fun, but compared to not existing at all.... The second is to deny the utilitarian analysis completely, but it's not clear that the same argument doesn't apply with other modes of analysis. Consider, for instance, the perspective from behind the veil of ignorance.

Of course, all this is rather complicated by the fact that while animals obviously do experience discomfort, they're clearly not people and so we can't ask them and can only imagine what their "preferences" would be. And my intuitive sense is indeed that the world would be better if we stopped raising animals for meat, but it would be nice to have an analytic framework that backed up that intuition.

 

May 26, 2006

AT&T has released a copy of their brief in the wiretapping case. Unfortunately, despite several well-known incidents with improper redaction, AT&T seems to have botched the job, just masking the sections with black bars, so you can cut and paste the text underneath. The redacted sections aren't really that interesting:
Plaintiffs' suggestion that they need only show that certain communications have been split off into a "secret room" strips multiple elements from the statutes on which their claims are based and glosses over numerous issues that would have to be explored if their claims were ever to be fully litigated.

...

Plaintiffs offer no evidence regarding what, if anything, actually happens to any data once it allegedly enters the alleged "secret room." Plaintiffs' purported expert provides merely "suggestive" configurations between unknown equipment in an AT&T facility. See Declaration of J. Scott Marcus In Support of Motion for Preliminary Injunction (Dkt. 32) ¶ 74. His strongest opinion, explicitly based "in terms of media claims" is conditioned entirely on a supposition: "if the government is in fact in communication with this infrastructure." Id. ¶ 39.

...

Without either confirming or denying the plaintiffs' assertions, AT&T notes that the facts recited by plaintiffs are entirely consistent with any number of legitimate Internet monitoring systems, such as those used to detect viruses and stop hackers. Although the plaintiffs ominously refer to the equipment as the "Surveillance Configuration," the same physical equipment could be utilized exclusively for other surveillance in full compliance with the terms of FISA -- which even the plaintiffs themselves would not contend is unlawful. See id. ¶ 40 ("The SG3 Configurations could be used for a number of legitimate purposes."). The mere existence of these so-called configurations, even if plaintiffs' allegations were accurate, would not by itself be prima facie evidence of what -- if any -- information is intercepted or divulged or by whom. And it certainly is not prima facie evidence of any illegality. Plaintiffs fail to establish even a prima facie case that there has been an "interception" of "contents" within the meaning of 18 U.S.C. § 2510(4) & (8), whether there has been "electronic surveillance" within the meaning of 50 U.S.C. § 1801(f), and whether particular statutory exemptions do not apply, see, e.g., 18 U.S.C. § 2702(c). Certainly nothing compels the inference that the contents of communications of "millions of ordinary Americans," (Motion for Preliminary Injunction (Dkt. 30) at 11), have been divulged to the government, in contradiction of the government's statement that communications are intercepted only if the government has "a reasonable basis to conclude that one party to the communication is a member of al Qaeda," or otherwise affiliated with al Qaeda. Press Briefing by Attorney General Alberto Gonzales and General Michael Hayden, Plaintiffs' Request for Judicial Notice (Attachment 2) (Dkt. 20).

It's not clear why they felt the need to redact this. Basically, it's the same point I made earlier, namely that it's not that unusual to have network interception equipment and that it could have been used for some purpose other than the one Mr. Klein claims. Anyway, AT&T claims that you can't demonstrate that the equipment was--or was not--being used for those purposes without disclosing information the government claims is covered under the state secrets doctrine. Unless Mr. Klein--or someone else--has some more convincing documents that we haven't seen yet, that's probably true. Though, as I've argued before, any sane terrorist surely assumes that they're being wiretapped at this point, so it's not clear how the revelation of such a program harms national security--except to the extent to which that revelation might cause enough public unhappiness that it would force an end to the program (though that doesn't seem to be the way the public is reacting). It's not entirely clear to me that this is what the state secrets doctrine is intended for.

 

May 24, 2006

Went to the new Planet Granite location in Sunnyvale last night. It's a really dramatic improvement over both the Belmont and old Santa Clara locations. First, the facility is absolutely beautiful: airy and open. There's probably about twice as much wall space as in Santa Clara and yet they've clearly invested in plenty of holds because the bouldering area seems to have about twice the hold density of the old place, which is really nice for doing drills or working your own problems.

The big improvement, however, is that the walls are a lot higher, with the highest one claimed to be about 60 feet, which really forces you to focus on pacing and technique. They've also moved to a more consistent and detailed numbering system including letter grades above 5.10. The surface on the walls is a lot grittier than at the old location, which is nice from the perspective of being able to use the naturals but can be a little hard on your skin if you're not careful. Actually, the new surface is the only downside I see: they obviously just laid it down and so a couple times it seemed like sand was falling off the walls onto you, which is distracting and obviously would be bad if it got into your eyes. Also, in a few cases we found that the holds weren't screwed down tight enough, which may be a result of the surface being less smooth resulting in less good hold contact. However, these are minor complaints and I'd expect both to go away as it breaks in.

You can see pictures of it for yourself here.

 
Vonage IPOed this morning at 17 and then promptly started dropping, closing off 12.6%.

The predictable result was a bunch of handwringing about a disappointing IPO. Here's the Yahoo article:

The stock opened close to its IPO price, then quickly dipped, which panicked some investors, DeStefano said.

...

In an unusual move, the Holmdel, N.J., company had set aside up to 13.5 percent of the IPO shares for its customers, and promoted the offering to them via voice mail.

Anthony Sgroi of Bergen County, N.J., has had Vonage service for a year and half, and asked for 1,000 IPO shares. He received 300. Other Vonage customers on an online forum reported similar allocations, indicating strong interest from the group.

It wasn't the company's long-term prospects that attracted Sgroi to the deal, however.

"I'm not a big stock market guy ... when I got the option to buy the IPO, I figured it was a chance to make some quick cash," Sgroi said. "I was planning to sell within a week or so anyway."

He sold the stock Wednesday morning at a loss. Now, he plans to cancel his Vonage account and switch to the local cable company's competing service, which he said would save him $10 a month.

And Business Week:

What were they thinking? That's the question on the minds of skeptics watching the stock performance of Vonage on its first day as a publicly traded company. The closely watched and hotly debated initial public offering did get done Tuesday night at $17 a share -- valuing the Holmdel (N.J.) -based provider of voice phone calls over the Internet at almost $3 billion -- despite large and growing losses and deep concerns about rising competition.

When trading opened on the morning of May 24, there was no sign of the blind optimism that prevailed during last decade's tech bubble. Vonage VG shares sank like a stone in early trading, moving as low as $14.50. "I haven't spoken to any institutional investors who have a strong [positive] conviction about Vonage over the long term," says Soleil Securities analyst Todd Rethemeier.

What were who thinking? In case you've forgotten, from the perspective of the company the purpose of an IPO is to raise money for the company, money which apparently Vonage is going to spend on advertising. If your stock has a big price blip after the opening, that means that you've left money on the table. Conversely, if the stock goes down, you should be thanking your underwriters for getting you a good deal. As for the investors who thought they could flip the stock after the IPO, it serves them right. Even during the boom, that wasn't a sure way to make money.

Even from the perspective of making money for the investors, it's not clear what the problem is. They're down 12%, not 75%, so the value of the company is still pretty substantial (nearly 3 billion). If you were happy at 17, you should still be pretty happy at 14.5. And of course most of the original investors can't or won't sell right away, so it's the long term valuation that counts, and one imagines that the 400 million or so they raised would be an important contribution to one's long-term prospects.

That said, there is one sense in which this is disappointing: to the extent to which you think the market is efficient, you might have hoped that the market would like the company better. I.e., it's bad news about the prospects of the company. But you already had most of that information when you were out placing the original IPO, so it's not like today's drop tells you that much more.

Of course, none of this should be taken as offering an opinion on Vonage's prospects. All I'm saying is that one shouldn't make too much of the drop in the first day of trading.

 

May 22, 2006

Wired has published Mark Klein's statement about AT&T's wiretapping plan together with some supporting documents. I've reviewed the material and I must say, I'm underwhelmed. Basically, the evidence Mr. Klein has presented indicates that
  1. AT&T has secure rooms in one or more of their data centers.
  2. These rooms are equipped with fiber taps and a bunch of fairly high-end networking equipment that's usable for traffic sniffing.
  3. The taps seem to be on a bunch of circuits for major carriers.

Mr. Klein asserts that this stuff is linked to the NSA but the papers don't show that, and this stuff could easily have a legitimate use. After all, AT&T is a big carrier, and companies like Narus (the manufacturer of the traffic analysis gear that Klein cites as evidence that this is being used for surveillance) sell lots of product. It seems unlikely that everyone with a Narus is diverting traffic to the NSA.

Mr. Klein's statement contains a bunch of hand-waving about NSA and DARPA's TIA program. For instance:

Plans for the "secret room" were fully drawn up by December 2002, curiously only four months after Darpa started awarding contracts for TIA.

This doesn't seem very convincing. If it were four months before, then the implication would be that they had the plans ready for submission to DARPA. It's not like it was the next day.

The normal work force of unionized technicians in the office are forbidden to enter the "secret room," which has a special combination lock on the main door. The telltale sign of an illicit government spy operation is the fact that only people with security clearance from the National Security Agency can enter this room.

Well, the fact that it's locked up is a bit suspicious; on the other hand, I could imagine that if I had this kind of sniffing apparatus in place I might lock it up. The bit about people with security clearance from NSA doesn't impress me much. First, it's not documented anywhere in the paperwork we have, so we just have Mr. Klein's word on it. Second, "security clearance" isn't exactly specific. Lots of people have some kind of clearance: a program like this would most likely require a very high clearance level, like TS-SCI. Without that detail, one is left wondering exactly what the situation is.

Going through the document in more detail:

P. 1-5 are Mr. Klein's statement.
P. 6-9 are a description of the equipment in the secret room.
P. 11-13 are instructions for how to splice the fibers and which circuits to tap.
P. 14 is pictures of the door to the room.
P. 15-22 is a brochure from a conference Narus sponsored which has sessions on tapping networks.
P. 23 is an article on Narus.
P. 24-29 is a Narus press release.

None of this is very damning.

Note that I'm not saying that AT&T wasn't diverting Internet traffic to the NSA. That's certainly possible, and maybe there's more convincing evidence in the material still under seal. But what we've seen so far isn't exactly a slam dunk.

 
Now that IBM's PC division is owned by Lenovo, some people are getting worried about their security:
Assistant Secretary of State Richard Griffin said the department would also alter its procurement process to ensure US information security was guaranteed.

His comments came after Rep Frank Wolf expressed national security concerns.

...

In a letter to Mr Wolf, Mr Griffin said government security experts had recommended the computers "be utilised on unclassified systems only".

He said the government was committed to ensuring the purchase would not "compromise our information and communication channels".

And he said the state department would change the way it buys its technology "in light of the changing ownership of IT equipment providers."

His letter did not refer to Mr Wolf's specific concern that at least 900 of the computers were to be used "as part of the classified network deployed in the United States and around the world in embassies and consulates".

Mr Wolf, Republican chairman of the committee that oversees the department's funds, told reporters that China's spying efforts were "frightening".

It was "no secret that the US is a principal target of Chinese intelligence services", he said, adding: "No American government agency should want to purchase from them".

Should you worry? Well, sort of.

The first thing you need to realize is that manufacturing PCs isn't like manufacturing cheese. Any real-world PC contains components from zillions of manufacturers. Let's take one of our servers which I happen to have open as an example:

Component          Manufacturer   Manufacturer Country   Country of Manufacture
Case               Chenbro        Taiwan                 Unknown
Power supply       ???            ???                    Taiwan
Motherboard        Tyan           Taiwan                 Taiwan
CPU                Intel          USA                    Unknown, but Intel fabs all over the world.
Memory             Samsung        Korea                  Unknown
RAID Card          3Ware          USA                    Unknown
Hard Drives        Seagate        USA                    Singapore
Floppy Drive       Mitsumi        Japan                  PRC
Operating System   Linux          -                      All over the world

And this is just the components you buy separately. The motherboard is basically a bunch of components (memory, video chips, NICs, etc.) which are bought by the manufacturer and surface mounted onto the motherboard. These subsidiary components are manufactured all over the world and the PC manufacturer has basically no supervisory role over their manufacture. IBM/Lenovo may manufacture more of their components themselves, but a quick look at a typical IBM desktop offering suggests a similar mix-and-match situation.

With that in mind, let's ask what the threat model is. It seems to me that there are two basic threats to be concerned about. The first is that the computer will be built with some kind of trojan horse so that an attacker can take control remotely to get access to or copies of your data. This requires somehow having access to some reasonably central part of the computer (i.e., probably not the floppy drive), but if you can write to the memory or PCI bus, you're most likely good to go there. And of course if you control the Operating System or the BIOS, you're totally set. Did I mention that lots of PCI cards have access to the BIOS for things like RAID configuration and network booting? And, of course, Microsoft (which is what State presumably runs) has a zillion programmers who produce a large number of unintentional security holes. It wouldn't exactly be hard to hide an intentional one. You could even make it look unintentional to cover your tracks.

That's all most people have to worry about (to the extent they need to worry at all) but intelligence agencies need to worry about another attack: some sort of extra component like a keylogger that provides a side channel into the computer. Anyone who has access to any part of the computer at pretty much any point in the assembly process can install something like this.

So, the situation is really bad in that if you buy pretty much any off-the-shelf computer and the attacker knows what model of computer you buy, they can almost certainly bribe someone in the production process to insert some kind of trojan/key-logger, etc. Hardware and software are simply so brittle that it's not possible to have any level of confidence that your system is secure if you're up against an attacker with that level of sophistication (read Reflections on Trusting Trust for just how bad the situation can be). But that said, it's not clear why one should be any more concerned about equipment manufactured by Lenovo than by anyone else. Sure, they're owned (partly) by the PRC, but the stuff is assembled in the US, so it's probably not any easier for the PRC to compromise Lenovo's machines than someone else's.

The real issue here is protection against what Schneier calls the "New York Times Attack". You have to buy some computers and there's some chance they'll be compromised. No matter what the real risk profiles, when that happens it's going to look a lot better to say you bought them from Dell than from the Communist Chinese Government.

 

May 21, 2006

I've been meaning to write up more stuff about net neutrality, but work has been pretty hectic. In the meantime, check out Ask A Ninja's take.
 

May 18, 2006

As I've mentioned previously, a heart rate monitor is an essential training tool for endurance athletes. After I lost one HRM in the ocean in Bali and another died on me, I finally decided it was time to buy something new, so I sprung for the Polar S625X.

The S625X is a pretty nice unit with a lot of advanced features including:

  • Five programmable training modes with multiple heart rate limits and interval timers.
  • Polar's new softer and more comfortable wearlink transmitter.
  • Infrared computer interface.
  • Barometric altimeter.
  • Foot-mounted speed sensor.
  • Some automatic fitness detection features that I haven't really tried out yet.

I've had the HRM for a week or so and so far I'm pretty pleased with it. The heart rate feature seems to track better than any unit I've had before (I've seen others that would periodically freak out and read 239 bpm or so and this one hasn't yet). The altimeter is a pretty nice feature. I didn't expect to like it, but it's pretty nice when you're climbing on the bike and want to get an idea how much further it is to the top of the hill.

The big new feature in this unit is the foot pod, which I have mixed feelings about: Either I screwed up calibrating it or I'm running about 5% slower than I thought I was, which is certainly possible but a bit surprising since I've run on timed courses before and generally thought I had a good sense of pace. Even assuming it is accurate, I'm not sure it's really that important to get exact distances, since I generally train by time anyway.

The altimeter makes the watch/receiver pretty thick, but once you have it on you don't really notice it. Same thing with the footpod, which I had originally expected to be annoying but you get used to it fast. You do have to be a little careful how you tie it onto your shoe cause otherwise it can poke into the top of your foot. The other alternative for getting distance measurements is to buy a GPS-based unit like the Garmin 305. I considered the Garmin, but the receiver seems even bigger and clunkier than the Polar (mine weighs 60g versus the 77g reported weight on the Garmin 305) and I worried about having it on my wrist.

The big surprise for me is the UI: traditionally the Polar UIs have been pretty bad, but despite the really large number of features, once you get the general idiom the controls on S625X seem pretty obvious. All-in-all I'm pretty happy with this unit, especially considering I was able to use my 20% off coupon at REI when I bought it (somewhat annoyingly REI doesn't let you use those coupons on GPS units).

 

May 17, 2006

My local burrito place (Burrito Real in Mountain View) has one of those frequent buyer card programs: they have these cards which they punch whenever you buy a burrito. Buy 10 and you get your next one free. We just filled our most recent card and when we went to get another one they told us they didn't have any. There's a bit of a language barrier, but it didn't seem like they were just out but rather that they had stopped handing the cards out--though they'll still stamp them and let you redeem them. Nothing unusual about that, of course, but in the 10 years or so I've been going there, they've discontinued the program at least once before and then brought it back, and I got the impression from the cashier that they were planning to bring the program back next year. The question is: why? If you're going to have a program like this, why not run it all the time?

The initial (and not very good) answer I came up with is that they're worried about the size of their outstanding liabilities in terms of free burritos. Since they don't track how full people's cards are, and lots of people probably get a card but then lose it or forget about it, the size of this liability is going to tend to increase rather than stay in a steady state. So, you could imagine them wanting to stop giving out cards until enough have been filled out and redeemed. Still, this seems like pretty sophisticated accounting for your average taqueria.

My second theory is that they figure that the marginal value of the program in terms of pulling business decays pretty rapidly, but the costs continue to go up, so it's a compromise between advertising and cost control. But since they don't actively advertise the existence of the program unless they're actually giving out cards, you'd expect the PR value to decay pretty rapidly during the off-months, so I'm not sure this makes sense either. Anyone got any better explanations?

Oh, one more point: given that they still honor the cards even when they're not giving them out, it's pretty easy to just get a new card every time you go until you have a whole pile and then you're covered the whole year round.

 

May 16, 2006

It's pledge time at my local radio station, and after hearing the exhortations to dial 1-800-937-8850 (it's stuck in my memory, you see) I started to wonder about how things work out, in particular the challenge grants they're so fond of hawking. Here's how they work:
During a KQED on-air pledge drive, businesses promise a donation (e.g. $1000) to KQED if it is matched by contributions from individual listeners or viewers.

KQED announces the challenge from company ABC and urges listeners or viewers to call in with their pledge.

So, how significant are the challenge grants? Pledge week runs roughly 2 weeks and they typically want to raise about 1.5 million, so that's roughly $100K/day. Assume that there's one pledge break an hour, so roughly $4K per pledge break. The challenge grants are typically $500-$1000, so they represent maybe 1/8-1/4 of the total take on any given pledge break. Since this is a matching kind of situation, I'm not sure how much of a challenge it is in most situations. On the other hand, it seems like a pretty good deal for the granter. For $500-$1000, you get your name mentioned about a zillion times during the pledge break, which actually sounds like a pretty good deal.


May 15, 2006

The Bush administration is planning to station 6000 National Guard troops along the Mexican border. It's worth getting some perspective on the problem. Some reports which are useful for getting a handle on the issue are the 2003 USCIS report and the Pew report here.

Relevant points:

  • The number of illegals is at what's probably an all-time high of 11 million or so.
  • The total foreign-born population is order 37 million.
  • The rate of illegal immigration has accelerated somewhat in the last 10 years or so, but the increase is fairly gradual, say 20-30%, so if there's a crisis--and I'm not saying there is--the important difference is in absolute numbers not changes in the rate.
  • INS enforcement is practically worthless: in 1999, only 63,000 (less than 10% of the total entries and less than 15% of the total increase) were removed by the INS.
  • The "problem" is overwhelmingly concentrated in a small number of states. In 2000, over 50% of illegal immigrants were in just three states: California, Texas, and New York (27% of the total US population collectively).

The thing I'm having the most trouble getting out of these reports is why this has suddenly become such a big national issue. I suspect it's more of a public psychology issue in response to the war and a bad economy than it is a rational response to changing conditions, but it could just be that I'm missing something.


May 14, 2006

Although the rest of the world has gone metric, metrification in the US isn't really taking off. Perhaps it's due to the valiant efforts of the Americans for Customary Weight & Measure.

Obviously, changing to a new system of measurement is disruptive, but arguments about how "customary units" are more natural seem sort of weird:

Metrication results in huge numbers on food packaging (185g, 375g, 425g, 440g, etc). This vast increase in the size of numbers occurs because metric units are much smaller than customary units; 28 grams to one ounce, over 450 grams to one pound, 568 millilitres to one pint, and so forth.

This is sort of true for grams and ml which really are quite a bit smaller than ounces/fluid ounces, but even there most of the problem is that we have pre-existing packaging which comes in odd sizes when measured in metric. That's not surprising, since the packaging was designed to be an even multiple of customary units. It's straightforward to redesign things to be even multiples of metric units. For instance, .5 liters isn't any more unwieldy than 16 oz/one pint/one pound. So, this is basically a transition problem.

Metric units are derived from the geometry of the earth and have no frame of reference relating to foods, packaged or otherwise. This means that the number of grams or millilitres needed to represent a product is necessarily arbitrary, unlike traditional units that revolve around quantities typically dealt with.

This is just silly. There's nothing particularly natural about, say, inches and feet, and of course some English units are famously inconveniently structured (Fahrenheit degrees is the classic example here). Moreover, in cases where you need to use smaller units than the natural unit, metric is obviously better.

Metric fails to produce consistent or easily understood sizing scales. Unlike the 16oz pound that is geared to multiples of two, the kilogram cannot comfortably accommodate successive halving. Thus, while some metric packaging builds up as 100g, 200g, 400g, etc, this will not integrate with one kilogram meaning that other packaging progresses as 125g, 250g, 500g, etc. Other packaging uses 75g, 150g, 300g, etc while others still use 110g, 220g, 330g, 440g, etc. A large variety of packaged foods has no identifiable sizing scale at all, for example, tomato ketchup and brown sauce.

It's hard to see how the situation is any better here with customary than metric, especially in cases like ketchup and brown sauce where--as they point out--there's no natural scale anyway.

As I noted previously, most of these issues are about transitioning. Metric units seem unnatural because we in the US aren't used to them and a lot of the things we encounter on a daily basis are scaled to be even-sized in customary units. If we lived in a country that had transitioned to metric, those units would feel just as natural. To give you just one example, I think about my weight and the weight of objects I encounter on a daily basis in pounds and ounces, but when I was in science lab I had no trouble thinking in grams and kilograms. Now, maybe the transition costs are too high, but it's not because customary units are more natural.

All that said, the two major advantages of metric are:

  1. The relationship between various units (grams and cubic centimeters, for instance).
  2. Decimalization.

The first property is built into metric, but isn't that useful in most non-scientific contexts. The second property is fairly easily adopted even if your base units aren't metric: for instance, in machining contexts it's common to work in thousandths of an inch and you'll often hear telco types talk about "kilofeet". Unfortunately, there are far too many cases where you need to intermix units that have no natural relationship between them.


May 13, 2006

California has been trying to institute a high school exit exam, which students need to pass to graduate. Unfortunately, about 1/10 are failing. This being America, their response is to sue, and Judge Robert B. Freedman just ruled in their favor.

I see four basic objections to the exit exam:

  1. It's unfair because poor and minority students get an inferior education.
  2. It's unfair because people have been passing their classes but now can't pass the exit exam.
  3. It's actually a bad measure of competence (this is in some sense a variant of argument (2)).
  4. It's unfair because it puts California students at a disadvantage to students from other states.

Obviously argument (1) is correct in some sense. Poor and minority students generally get a lousy education and it's obviously especially hard to get a good education in this country if you don't speak English well (about 40% of the people who failed the exam are classified as "limited English learners"). But that doesn't answer the question of whether or not it's unfair to deny them a high school diploma. It's unfair that they got a bad education, but that doesn't make it any less true that they didn't. To the extent to which you think a high school diploma is supposed to be a certificate of competence at some set of skills, then it's not clear that it's unfair to deny it to those who really aren't competent, regardless of how they got that way.

A similar objection obtains to argument (2). If people have been passing their classes but they actually haven't mastered the skills the exams are supposed to test, then the schools are indeed failing them (or the test is a lousy measure, see argument (3) below), which, as previously noted, is probably unfair. But again, to the extent to which a diploma is supposed to be a signal of competence rather than one of attendance, it's not clear that it's fairer to issue it anyway.

Next we have argument (3), that the test is a bad instrument. Of course, any test is only a proxy for some set of knowledge/skills, and I don't know whether this test is a good proxy or it isn't (all the complaining about "teaching the test" is basically an argument that it's a bad one). On the other hand, grades are a proxy as well, and since it's arguable that the whole thing is an exercise in signalling--employers and colleges care about talent and drive more than any particular skillset--it's quite plausible that one's ability to pass a specific test that you know about well in advance is a better signal than your grades.

Finally, argument (4). Many opportunities (jobs, college admissions, etc.) are gated specifically on the acquisition of a diploma. If exit exams were universally adopted, these requirements would re-equilibrate, but if students in California who fail the exit exam are denied diplomas when they would get them in other states, then the California students are obviously at a disadvantage, and the employers/colleges might not feel the need to readjust their standards specifically for Californians.

One compromise I've heard suggested is to keep the same standards for diplomas but to issue an additional credential that indicates that students have passed the exam. Then those who care about the exam would be able to check for that credential whereas those who don't could just use the diploma. This has sort of the opposite problem of denying diplomas to students who don't pass the exam: if employers/colleges/etc. don't readjust their standards then California students who fail the exam won't be at a disadvantage. But if they do readjust their standards then the failing students will be at a disadvantage. And of course even if all states were to adopt such exit exams, poor and minority students would still be at a disadvantage because of point (1) above. The only real way to avoid some chance of their being disadvantaged is to suppress the test results entirely.

UPDATE: Fixed failure rate to read 1/10 rather than the typod 1/109.


May 12, 2006

As we all know now, NSA has been compiling a database of people's phone call records. Among the explanations of why this is OK you'll hear are:

The records only contain phone numbers, not names.
Unfortunately for this argument it's absolutely trivial to map from people's phone numbers to their names. Try it yourself.

It's not an invasion of your privacy because it doesn't contain any of the actual voice
Well, maybe. Consider whether you want it publicly known you called that phone sex line. Similarly, many an affair has been undone by looking at people's cell phone logs. Moreover, it's pretty disingenuous of the Bush Administration to argue that this kind of traffic analysis data isn't sensitive when they've fought not to disclose records of how often Jack Abramoff visited the White House and who he met with. The truth is that this kind of who-contacted-who information is incredibly revealing, which is why people want to keep it secret. Of course, it's possible you have absolutely nothing you don't want anyone else to know about, but I doubt that on reflection most people really do.

It's necessary for the security of the US
So little is really known about the NSA's surveillance activities in this area that it's pretty difficult to say anything definitively here one way or the other. But given all the various intrusions that are justified in the name of security which are in fact nothing of the sort (with airport security screening being exhibit A), I'm not exactly inclined to take that argument very seriously. The government could of course commission a study on the importance of this kind of surveillance, but given that on related issues they've chosen to stonewall...


May 11, 2006

The DoJ can't investigate the NSA's surveillance program because it can't get the right clearances.

Brian Roehrkasse:

Brian Roehrkasse, a Justice Department spokesman, said that the N.S.A. program was "highly classified and exceptionally sensitive" and that "only those involved in national security with a specific need to know are provided details about this classified program." He said the legality of the eavesdropping program had been reviewed by other Justice Department offices and by the N.S.A. inspector general.

Sir Humphrey Appleby:

The Official Secrets Act is not to protect secrets, it is to protect officials.
 
Due to the apparently extreme danger of teenagers actually being able to talk to adults without some Fed present, Pennsylvania Rep. Michael G. Fitzpatrick wants to ban them entirely from social networking sites.
A Pennsylvania congressman has introduced legislation that would ban minors from accessing social networking websites such as MySpace, and forbid libraries from making such access available.

The bill, known as the "Deleting Online Predators Act of 2006," was introduced Wednesday in the House by Michael G. Fitzpatrick (R-Penn), a first-term representative. The bill has also been labeled as H.R. 5319, a Fitzpatrick representative said Thursday.

However, the bill uses extremely broad language to define a "social networking" site, which would theoretically eliminate several Ziff-Davis websites, as well as other highly-trafficked Web sites across the Internet.

"Sites like Myspace and Facebook have opened the door to a new online community of social networks between friends, students and colleagues," Fitzpatrick said in a statement posted to his web site. "However, this new technology has become a feeding ground for child predators that use these sites as just another way to do our children harm."

Most likely this won't go anywhere, but that doesn't mean it's not worth making fun of....

I'm sure the language is overbroad, but it's pretty hard to see how one would define "social networking" in a way that didn't basically include any interactive site. That's OK, I'm sure that there's no legitimate reason for people under 25 to use the Internet.


May 10, 2006

Wired reports that ICANN has decided not to create .xxx TLD for pornography:
Anti-porn advocates, however, countered that sites would be free to keep their current ".com" addresses, in effect making porn more easily accessible by creating yet another channel to house it.

And they say such a domain name would legitimize adult sites, which two in five internet users visit each month, according to tracking by comScore Media Metrix.

Many porn sites also objected, fearing that such a domain would pave the way for governments -- the United States or repressive regimes abroad -- or even private industry to filter speech that is protected here under the First Amendment.

Democratic Sens. Max Baucus of Montana and Mark Pryor of Arkansas have introduced legislation that would create a mandatory ".xxx."

The porn industry trade group Free Speech Coalition believes a domain name for kid-friendly sites would be more appropriate.

The whole notion of a segregated domain for .xxx--as if this was somehow a 1-bit question that could be decided on a global basis--has always been fairly silly. On the other hand, it's equally silly to think that somehow creating a separate domain makes porn "more accessible". Domain names aren't like TV channels: having an extra domain name doesn't somehow give you twice as much bandwidth or customer demand. And it's really hard to see how it would "legitimize" porn by labelling it as such. On the third hand, while mandatory labelling of porn would make it easier to censor, there are lots of ways to do that kind of labelling, and it's the mandatoriness that makes it easier, not the existence of the technology for labelling. At the end of the day, it's pretty hard for me to care one way or the other about whether .xxx gets created.


May 9, 2006

One of my main bike rides requires crossing one of the major Palo Alto commute routes (University Ave from 101), with a stop sign in my direction. If you pick the wrong time to go (like rush hour) then it can be very hard to find a lull in traffic to get across. On a bike, that is... Turns out that there's a crosswalk right at the intersection and so if you walk across the crosswalk, cars have to stop for you. On the other hand, as I understand it if you ride across and there's traffic then you're effectively running the stop sign. So, instead I get off my bike and walk it across the intersection--which isn't fast when you're wearing cycling shoes with Speedplay cleats. We'd all be better off--at least in this scenario--if we treated bikes in crosswalks as walking: cars because they didn't have to wait as long and I because I don't have to get off my bike and mess up my shoes. I suppose it's arguable that in other settings we don't want bikes and pedestrians mixing in crosswalks, though.
 

May 8, 2006

Mrs. Guesswork and I are watching Open Range. Spoilers below the fold.
 
I'm generally pretty in favor of open immigration (insert usual libertarian-style economic arguments here) but if we're absolutely insistent on stopping Mexicans from picking our fruit, we can do a lot better than building a wall--a strategy which is pretty much the opposite of defense in depth. A 700 mile wall is relatively easy to bypass and hard to patrol, not to mention unsightly. Moreover, there's a whole bunch of badly patrolled coastline just North of the border. Are we going to wall off our beaches too?

The important thing to remember is that this is about economics--Mexicans want jobs and are willing to work cheap--so we should be able to create a different set of incentives. It's distinctly different from the situation in Israel, where the good being supplied by the Palestinians isn't really one the Israelis are interested in. You'll of course hear a lot of people tell you that the immigration issue in the US is about terrorism, but given the length of the American coastline and the US/Canada border, it's pretty hard to believe that any amount of protection along the US/Mexico border will make it significantly more difficult for terrorists to enter the US.

Accordingly, I hereby present the EG half-baked two-point plan for controlling illegal immigration:

  1. Large fines for employers who hire illegal immigrants--whether they do so knowingly or not. This provides them with an incentive to really check people's papers rather than just pretend to--which is what they seem to do now. The fines should be set high enough that they balance out the economic benefit of hiring illegals.
  2. Amnesty for illegals who turn in employers who hire illegals. In the current situation, illegals cooperate with employers to hide their status and it's easy to exploit them because they fear being deported. Providing amnesty would reverse the incentive and make it extremely dangerous to hire illegals.

As I said above, this plan is half-baked, so I'm sure there are a lot of things wrong with it. The obvious problem is that if it really works we'll probably need a way to allow some controlled immigration for agricultural and domestic workers. But there are a variety of approaches (auctions, quotas, lotteries,...) that ought to be usable for that. My main point here is just that if we're fixated on making it difficult for people to come and work in the US we should at least go about it intelligently.


May 7, 2006

Just watched Grizzly Man, the story of Timothy Treadwell, a bear lover who spent 13 years in Alaska living with and filming grizzlies. Unsurprisingly, eventually one of the bears killed him and his girlfriend. The movie (directed by Werner Herzog) is based largely on footage shot by Treadwell in Alaska.

Watching this movie is a highly dissonant experience. On the one hand you watch Treadwell treating bears like big housecats, baby talking to them, calling them his friends, and talking about how as long as he doesn't show fear he'll be OK and think "this guy is nuts". On the other hand, the video he captures is just amazing. If nothing else, watch the fight around 55 minutes in. Check it out.


May 6, 2006

Randall Stross writes about the TV industry's desire to make you watch commercials:
But limiting remote controls is a possibility that could be realized in a new technical standard M.H.P., for multimedia home standard that the television industry is contemplating for the future. Neither broadcasters nor television manufacturers, whose joint cooperation would be necessary, have yet to adopt the standard. If the television industry embraced M.H.P., broadcasters could insert special signals to immobilize the remote control during commercials. If this came to pass, Mr. Peters said the Philips technology would "give consumers the freedom of choice"--"freedom" defined as exercising the option to pay a fee in order to regain the use of the remote control.

I hate commercials as much as anyone, but look on the bright side: forget about the remote control. If your DVR is able to let you pay in order to skip commercials, it's just as able to skip them for you automatically. Obviously, I'd prefer to have free TV without commercials, but since the commercials are what subsidize the program, we can't all do that because then commercials are worthless (Well, mostly. There are two other major alternative models here: embedded advertising/product placement and low-quality versions that push sales of the full product). Certainly, having the choice of watching the commercials or paying not to is better than you had before the VCR when you just had to watch the commercials. And of course if you don't want to watch TV, nobody is making you.


May 5, 2006

In yesterday's post on VoIP wiretapping, I observed that you could sometimes detect MITM attacks via checking for changes in your peer's public key. In the comments, Hal Finney suggests another alternative:
Another way Skype could enable its users to detect MITM attacks would be for the client to display a hash of the shared AES key. In a MITM attack, each side has a different key, so if the users read their hashes to each other, they will detect the difference.

Well, sometimes. In the classic MITM attack on Diffie-Hellman, the attacker ends up with a different pairwise key with each communicating party (though sometimes you can use a subgroup confinement attack to get around this.) Even with RSA-based systems, where the attacker can force the shared secret to be the same, you typically get different traffic keys because each side contributes a nonce which gets mixed in with the shared secret.

The way that you exploit this fact to detect attacks is simple: each side reads a hash of the shared secret over the voice channel. If the hashes don't match, then you know there's a problem. In theory, of course, the attacker could remove the hash you're reading and substitute himself reading it. If he could imitate your voice well enough, that might actually work, especially if the hashes are rendered as hex digits, since you only need to capture 16 digits in order to imitate any string, and you can capture those digits just by calling the victims and authenticating them. Nobody knows how hard this is for sure because there haven't been any real studies on how hard it is to attack systems this way.

Of course, this particular technique relies on the shared keys being different under a MITM attack. While I believe this is true for Skype, it's not true for every VoIP encryption system. For instance, two of the key management schemes which can be used for SRTP (MIKEY-RSA and SDescriptions) can be used in modes where one side generates the key and gives it to the other side. In these modes the traffic keys would be the same on each side and so a MITM attack wouldn't be detectable this way. In some cases, though (MIKEY-RSA at least) you can detect MITM attacks by exchanging hashes of the public keys rather than of the session keys. Otherwise, the technique is basically the same.
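Here is an added, constructed illustration of the two cases above (this is my own toy code, not Skype's or any SRTP implementation's): a Diffie-Hellman-agreed key, where reading session-key hashes catches the MITM, and a key-transport mode where one side picks the key, where it doesn't but hashing the received public keys does. The group is a deliberately tiny Mersenne-prime DH group and `sas()` is a truncated SHA-256, both stand-ins for whatever a real client would use.

```python
"""Detecting a VoIP man-in-the-middle by reading key hashes aloud.

Constructed example, not Skype's or any SRTP stack's code. Models two cases:
a DH-agreed session key (hash comparison works) and a key-transport mode where
one side picks the key (hash comparison fails; comparing public-key hashes works).
"""
import hashlib
import secrets

# Toy Diffie-Hellman group: the Mersenne prime 2**127 - 1 with generator 3.
# Far too small for real use; it only keeps this stdlib-only example instant.
P = (1 << 127) - 1
G = 3
KEY_LEN = 16  # bytes needed to hold a 127-bit group element


def sas(material: bytes, digits: int = 8) -> str:
    """Short authentication string: a truncated hash the two users read aloud."""
    return hashlib.sha256(material).hexdigest()[:digits]


def to_bytes(x: int) -> bytes:
    return x.to_bytes(KEY_LEN, "big")


class Party:
    """One endpoint with a long-term key pair (stand-in for a Skype/MIKEY identity)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1  # 1 <= priv <= P-2
        self.pub = pow(G, self.priv, P)

    def dh_key(self, peer_pub: int) -> bytes:
        """Classic DH: the secret depends on this side's private key and the
        public key it actually received, so a MITM yields two different keys."""
        return to_bytes(pow(peer_pub, self.priv, P))


def dh_call(mitm: bool) -> dict:
    """Session key agreed by DH, optionally through Mallory terminating both legs."""
    alice, bob = Party("alice"), Party("bob")
    if mitm:
        mallory = Party("mallory")
        # Mallory swaps her public key into each direction: Alice shares a key
        # with Mallory, and Bob shares a different key with Mallory.
        alice_key, bob_key = alice.dh_key(mallory.pub), bob.dh_key(mallory.pub)
    else:
        alice_key, bob_key = alice.dh_key(bob.pub), bob.dh_key(alice.pub)
    alice_sas, bob_sas = sas(alice_key), sas(bob_key)
    return {"alice_sas": alice_sas, "bob_sas": bob_sas,
            "detected": alice_sas != bob_sas}


def key_transport_call(mitm: bool) -> dict:
    """One side generates the session key and sends it wrapped under the peer's
    public key (the SDescriptions / MIKEY-RSA style mode discussed above)."""
    alice, bob = Party("alice"), Party("bob")
    session_key = secrets.token_bytes(KEY_LEN)  # chosen by Alice alone
    bob_pub_at_alice, alice_pub_at_bob = bob.pub, alice.pub
    if mitm:
        mallory = Party("mallory")
        # Mallory substitutes her public key both ways, so she can unwrap the
        # key Alice sends and re-wrap the very same key for Bob.
        bob_pub_at_alice = alice_pub_at_bob = mallory.pub
    bob_session_key = session_key  # identical on both ends regardless
    # Reading session-key hashes cannot tell the two cases apart...
    session_key_detected = sas(session_key) != sas(bob_session_key)
    # ...but each side reading the hash of the public key it received, which the
    # peer compares against its own real key, exposes the substitution.
    pubkey_detected = (sas(to_bytes(bob_pub_at_alice)) != sas(to_bytes(bob.pub))
                       or sas(to_bytes(alice_pub_at_bob)) != sas(to_bytes(alice.pub)))
    return {"detected_by_session_key_hash": session_key_detected,
            "detected_by_pubkey_hash": pubkey_detected}


if __name__ == "__main__":
    for label, call in (("DH", dh_call), ("key transport", key_transport_call)):
        for mitm in (False, True):
            print(label, "MITM" if mitm else "honest", call(mitm))
```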


May 4, 2006

The FCC has decided that they are going to require "facilities-based broadband Internet access and interconnected VoIP services" to provide CALEA access by May 14, 2007:
The current CALEA proceeding was initiated in response to a Joint Petition filed by the Department of Justice, Federal Bureau of Investigation, and Drug Enforcement Administration in March 2004. These parties asked the Commission to address several issues so that industry and Law Enforcement would have clear guidance as CALEA implementation moves forward. The First Report and Order in this proceeding concluded that facilities-based broadband Internet access and interconnected VOIP providers were covered by CALEA. This Order addresses remaining issues raised in this proceeding and provides certainty that will help achieve CALEA compliance, particularly for packet-mode technologies.

First, the Order affirms that the CALEA compliance deadline for facilities-based broadband Internet access and interconnected VoIP services will be May 14, 2007, as established by the First Report and Order in this proceeding. The Order concludes that this deadline gives providers of these services sufficient time to develop compliance solutions, and notes that standards developments for these services are already well underway.

I think "facilities-based broadband Internet access" means "ISPs" and "interconnected VoIP services" seems to mean VoIP providers which connect to the PSTN. As I've mentioned before, tapping VoIP calls where they gateway to the PSTN is straightforward, since the encryption obviously has to end at the PSTN boundary. So, the real question for me is whether VoIP providers which do gateway to the PSTN (like Skype) are going to be required to provide CALEA access to calls which never go through the PSTN. If the protocols have been designed properly--which is to say end-to-end encryption between the clients, then this should be pretty difficult.

In the particular case of Skype, because they (1) control the CA and (2) control the clients, they can mount a man-in-the-middle attack on the connections, and the FCC could require them to be able to do so. Such an attack is theoretically detectable in some circumstances (if you've talked to the other person before you can cache their public key) but one could imagine the feds requiring Skype's software not to do this. None of this applies to open VoIP systems which let you use your own software, since it's not clear that the FCC has jurisdiction to require manufacturers who aren't service providers to do anything.


May 3, 2006

Salary.com is touting a "study" which claims to show that the equivalent salary for a stay-at-home mother is $134,121/year. Just. can't. help. myself.

First, a brief description of their methodology: they surveyed mothers for the top 10 equivalent jobs and then pro-rated their salaries by the number of hours the mothers reported doing the equivalent jobs. This gives you the following table:

The Stay-at-Home Mom's Salary

Mom Job Title              Mom's Work Week (hours)   Mom's Salary (dollars)
Housekeeper                22.1                      $10,980
Day Care Center Teacher    15.7                      $10,817
Cook                       13.6                      $10,862
Computer Operator           9.1                       $7,151
Laundry Machine Operator    6.7                       $3,133
Janitor                     6.3                       $3,713
Facilities manager          5.8                      $11,508
Van Driver                  4.2                       $3,334
CEO                         4.2                      $35,971
Psychologist                3.9                       $7,176

So, the first thing you should notice is that some of the equivalences here are deeply silly. Probably the worst is "CEO". To the extent that a mother's role in the household is like a CEO's role in a company, it's a very small company. Prorating $35K/year at 4.2 hours to a 40 hour workweek gives you an annual salary of $350K or so, which is a lot more than the CEO of your average 4-person company makes. Facilities manager and psychologist are pretty lame too. There's a big difference between seeing patients in a professional capacity and consoling your children when their boyfriends break up with them. This point is important because these three jobs alone account for less than 16% of the hours that stay-at-home mothers are claimed to work but over 50% of the total imputed salary, so if you use more comparable positions the numbers drop quite a bit.

Even with this fudging of the numbers, the imputed salary is only $105k. To get up to $134k, they have to count "overtime" (time and a half) for the hours worked over 40 hours a week. But of course most jobs that pay well (e.g., CEO) are salaried, exempt, positions, so you don't get paid overtime. Nice bit of double-counting there.

The final problem is that this whole notion of equivalent salaries that includes domestic work is kind of problematic as a comparative notion, unless you also remember to add it into the imputed salaries of the people comparing against. I.e., I make $X/year but I do $Y/year worth of housework, so we have to remember that when we compare against the Stay-at-Home-Mom's imputed salary. We all do lots of stuff for ourselves (or others) that we could pay somebody else to do, so just adding that stuff into the Mom's calculation to compare it against people's actual monetary salaries is quite misleading. Just because you changed a lightbulb doesn't mean you get to claim that you're working as an electrician.

None of this is to dispute that mothers, whether Stay-At-Home or Working (yeah, yeah, every mother is a working mother, but you know what I mean) work hard. I know a number of them and clearly they do. However, the computation Salary.com offers doesn't really advance our understanding of that in any way, though it does appear to have accomplished the more important goal of getting them news coverage.


May 1, 2006

It's well known among endurance athletes and mountain climbers that the low oxygen concentrations at high altitudes can cause extreme distress. It's also well known that by spending significant amounts of time at altitude, you can acclimate substantially--mostly by increasing your red blood cell count. This effect is used by climbers to work their way up gradually to higher altitudes and by endurance athletes in an attempt to improve their performance at low altitudes (see altitude training). As it happens, there are a number of populations who live normally at very high altitudes. What about them?

It turns out that there are three major areas where humans have been living at high altitude (~ 4000 m) for long enough to show an evolutionary adaptive response: the Andes, the Tibetan Plateau, and the Ethiopian Highlands. Each such population appears to have some adaptation, but what's really interesting is that the adaptations seem to be different:

  • Andeans appear to have adapted more or less the same way that your average person of European ancestry would: they have higher red blood cell counts. This to some extent ameliorates the effect of altitude. They end up with lower oxygen saturation (how much of the hemoglobin is carrying oxygen) at high altitudes, but because of their high hemoglobin concentration, they actually have higher total blood oxygen levels than normal sea level values.
  • Tibetans have a much weaker response in terms of hemoglobin concentration and also experience lower oxygen saturation (about 10% below normal values). They appear to have exhibited some selection toward higher saturation values. I'm actually finding this a bit puzzling since it almost seems like they've adapted to live with lower oxygen delivery. I'm not clear how that works. I could be misreading the literature here, though.
  • The Ethiopian case is the most interesting. Beall's data indicates that at ~3530 m, Ethiopians have normal looking hemoglobin concentrations but also oxygen saturations nearly as good as those seen at sea level, as seen in the figure below.


Figure from Beall 2002. [this used to read "after Beall". corrected 2006-05-02, EKR]

Unfortunately, we don't yet know biochemically how these adaptations work. It would be particularly interesting to understand the nature of the Ethiopian adaptation, which seems like it might involve better oxygen transport into the blood rather than better oxygen carrying capacity in the blood. That's potentially a useful adaptation even at low altitude.

A lot of the interesting work in this field seems to be being done by Cynthia Beall at Case Western. This post is mostly based on her fascinating review in Integrative and Comparative Biology (behind pay wall, abstract here). She also has an extensive interview here which I haven't had a chance to listen to yet.