EKR: January 2007 Archives

 

January 27, 2007

Ed Felten and Alex Haldeman have a nice series of posts about AACS, the content control system on HD-DVD and Blu-Ray. You should really go read the posts, but here's what you need to know (somewhat simplified)
  • Each player has its own key (actually set of keys, more detail here).
  • Because of the way disks are manufactured you need to have the same content on each copy, or at least to produce large batches of identical disks. So, there are a lot of movies encrypted with the same key (what's called the title key).

Given the title key, BackupHDDVD can decrypt the content of a disk. If you can compromise a single player and recover its key, you can use that to recover title keys which, of course you can use to decrypt disks.

Where this all went wrong with CSS was there were only a small number of keys, so once you compromised one player and published the key the game was pretty much over. But with AACS each player has a unique set of keys and the AACS includes a scheme for revoking compromised players. When a player is revoked you stop encrypting disks under its key, so it's useless for all future disks, but all disks printed before that time are (at least potentially) compromised. So, if you compromise a player and publish its key, it has a finite window of usefulness.

However, if software players are widely available, the situation is different. There's a large population of keys already available to people and all the attacker needs to do is release a piece of software which extracts the player keys from a player or patches an authorized player to either disclose title keys or the unencrypted data on a disk (as Felten observes), WinDVD already more or less is such a player, but that's presumably a somewhat temporary situation). There are of course techniques you can use to make it harder to hack software, but as far as I can tell none of them stand up to dedicated attack.

It's of course possible for the manufacturers to revoke all the players by a particular manufacturer and force them to download a new player with better tamperproofing. This has two drawbacks. First, the cost is much higher than just revoking the compromised unit because you're not just inconveniencing the attacker but everyone who happens to have a vulnerable player and most of those people are totally innocent. Second, because it's comparatively easy to break the tamperproofing the attacker can force you to incur this cost more or less whenever he wants.

It's hard to see how the studios can really solve this problem as long as purely software players are allowed.

 

January 25, 2007

Schneier writes about the little lojacks they put on your baby in the hospital.
So why are hospitals bothering with RFID bracelets? I think they're primarily to reassure the mothers. Many times during my friends' stay at the hospital the doctors had to take the baby away for this or that test. Millions of years of evolution have forged a strong bond between new parents and new baby; the RFID bracelets are a low-cost way to ensure that the parents are more relaxed when their baby was out of their sight.

Security is both a reality and a feeling. The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. We know the infant abduction rates and how well the bracelets reduce those rates. We also know the cost of the bracelets, and can thus calculate whether they're a cost-effective security measure or not. But security is also a feeling, based on individual psychological reactions to both the risks and the countermeasures. And the two things are different: You can be secure even though you don't feel secure, and you can feel secure even though you're not really secure.

The RFID bracelets are what I've come to call security theater: security primarily designed to make you feel more secure. I've regularly maligned security theater as a waste, but it's not always, and not entirely, so.

I'm not saying that security theater isn't a lot of the reason for the RFID bracelets, but you do need some kind of tag for people's babies, which, after all, look pretty much alike. Tags let you ensure that you match the right mother with the right baby. Obviously, you could (and for many years people did) get away with old-style non-RFID plastic bracelets, but it's probably not that much more expensive to make them RFID, especially since it saves you the trouble of having more expensive security theater—guards at every exit. And of course having RFID tracking means that you can use the system to track where infants are even inside the hospital, which presumably is useful if/when you lose track of patients.

The leading systems seem to be made by VeriChip. They make infant protection gizmos, Hugs which had a cut-detecting band which triggers an alarm if it's tampered with and HALO which works with commodity bands but senses if it's attacked to skin. A related product is RoamAlert, a "wander prevention" solution designed to let you keep track of patients in nursing homes (and presumably mental hospitals).

 

January 24, 2007

At the SOTU last night, Bush called for an increase in the use of alternative fuels like ethanol. The claimed goal is to replace 15% of gasoline use with alternative fuels by 2017. There are two potential reasons you might want to do this:
  • To replace imported sources of automotive fuel (i.e., oil) with domestic sources.
  • To reduce the total level of global greenhouse gas emissions.

There's a lot of debate about the energy balance of corn ethanol (what's mostly produced in the US). The USDA's The Energy Balance of Corn Ethanol An Update, which is on the optimistic side of the range, estimates a 1.34 energy ratio (though a 6.34 liquid fuel ratio because you can use coal and natural gas to power a lot of the production process). So, you should expect that you'll get quite a bit of that 15% as a substitution of domestic energy sources for imported oi, but the overall reduction in GGG emission is going to be closer to 5% than 15%.

 

January 23, 2007

The Times is running an article on the challenge of HDTV for pornographic movies (also see this Slate article from 2003). The problem here is that the improved resolution of HD is a bit too revealing of flaws that were easier to hide in standard def.
They have discovered that the technology is sometimes not so sexy. The high-definition format is accentuating imperfections in the actors from a little extra cellulite on a leg to wrinkles around the eyes.

Hollywood is dealing with similar problems, but they are more pronounced for pornographers, who rely on close-ups and who, because of their quick adoption of the new format, are facing the issue more immediately than mainstream entertainment companies.

Producers are taking steps to hide the imperfections. Some shots are lit differently, while some actors simply are not shot at certain angles, or are getting cosmetic surgery, or seeking expert grooming.

They may not be the only ones. Here's Neal Stephenson writing in 1995:

All of the politicians currently in power will be voted out of office and we will have a completely new power structure. Because high-definition television has a flat gamma curve and higher resolution, and people who look good on today's television will look bad on HDTV and voters will respond accordingly. Their oversized pores will be visible, the red veins in their noses from drinking too much, the artificiality of their TV-friendly hairdos will make them all look, on HDTV, like country-and-western singers. A new generation of politicians will take over and they will all look like movie stars, because HDTV will be a great deal like film, and movie stars know how to look good on film.

I haven't seen enough politicians in person to know if that's true...

 

January 22, 2007

Stumbled upon this morning: Find A Grave. You never know what you'll find on those darn Internets.
 

January 21, 2007

Gizmodo points to this site advertising the hyperbike, a new kind of human powered vehicle:

The designer makes a number of claims, including that:

  • It's safer than conventional bikes because it has three points of contact and so is more stable.
  • It's more efficient because of the large wheels, high gearing and because of whole body involvement rather than legs.

I'm quite prepared to believe that it's safer, not because it's more stable—bicycles are actually extremely stable at speed once you know how to balance them—but because the user is in a protective cage. It wouldn't be that hard to build a recumbent bike with similar properties if you wanted to.

I'm a lot more skeptical of the performance claims. I wonder if anybody has actually ridden this than that fast. Here's what the site says:

The Hyperbike will be the fastest & safest human powered vehicle on the road.

The circumference of an eight foot diameter wheel is roughly twenty-five feet and cadence, or the rate at which a person pedals, is most comfortable at a rate of 13 beats every 15 seconds. Gearing that allows an operator to rotate the wheels four times each pedal cycle, or at a 1:4 ratio while at the comfortable cadence rate will produce a speed upwards of 50mph.

Using the whole upper body, an operator, unobstructed by a seat and able to "throw" weight into each pedal thrust bouncing each stroke, like hill climbing on a conventional bike, will move the Hyperbike fast and effectively on all grades.

This is simply confused. The limiting factors in bicycle top speed have nothing whatsoever to do with the gearing of the bike. This is easy to see by doing some simple math.

Your average reasonable road bike has something like a 53/42 chainring combination on the front. That means that it's got 53 teeth on the big ring. It probably has an 11 or 12 tooth smallest cog on the back. For convenience, let's say it has a 52/13 for a 4:1 maximum gear ratio. The wheel itself is approximately 700mm in diameter, or 2.2 meters in circumference. So, every pedal revolution at the highest gear ratio moves you forward about 9 meters. A typical amateur cycling cadence is 80-100 rpm, which maps to 720-900 meters/minute or 27-34 mph. By the simple expedient of putting a readily available 11 tooth cog on the back and 55-tooth chainring on the front you can get to 41 mph at 100 rpm.

But these limits are purely theoretical because what's really important is power. Plugging these speeds into Analytic Cycling we can compute the power required to go at these speeds, which is 300, 561, and 947 watts respectively. For reference, few untrained cyclists can maintain 300 watts for more than a minute or two. Even elite cyclists have trouble maintaining 500+ watts for any length of time. To put this in miles per hour terms, maintaining 25 mph for an hour is doable by amateurs but quite hard. The hour record stands at around 31 miles.

At this point it should be obvious that the gearing isn't the limiting factor in the performance of a bicycle. But a bicycle only works the lower body whereas the hypercycle lets you recruit your upper body muscles as well, so maybe that helps. First, this isn't as big an advantage as you think. The upper body muscles are comparatively weaker than the lower body muscles, which is why racing wheelchairs are somewhat slower than standard bicycles despite having superior aerodynamics. So, all other things being equal, you might get 30-50% more power with the hyperbike but you'd be unlikely to get twice as much. Because the power/speed curve is cubic this might get you a speed improvement of 20%, but nowhere near doubling the speed.

But of course, all other things aren't equal because the vast majority of the energetic cost of riding a bicycle is wind resistance. The completely upright position of the hyperbike is vastly aerodynamically inferior to the partly upright position of a typical road bike (let alone a recumbent bike, which is why land speed records are always set on fully faired recumbent bikes). I would imagine that this increases the surface area by 50-100%, which would more than compensate for the somewhat increased power of recruiting the upper body muscles.

Just as a final check, if you plug 50 mph into Analytic Cycling's model, you come away with a required power output of 1695 watts, even with normal bicycle aerodynamics. If you can put out 1695 watts for more than a few seconds I'm pretty sure there are some people on the Olympic team who would like to talk to you.

UPDATE: The power/speed relationship is cubic, not quadratic. The air resistance/speed relationship is quadratic, but then you multiply by speed again.

 

January 20, 2007

A DNS configuration glitch in the transfer of my domain registration from OpenSRS to Dreamhost has temporarily hosed email to rtfm.com. I've fixed the problem, but not before a bunch of nameservers picked up the wrong data and stuffed it in their caches. It will take hours/days for everyone's cache to expire. I believe that mail sent to me will just be queued and eventually delivered, but if you experience an error, try again on Monday.
 
OK, I have to admit that the Not Yet Released Device Potentially To Be Known As The iPhone (NYRDPTBKATi) looks pretty sweet, but the level of lockin significantly detracts from the overall coolness. There are actually two issues here, one bogus and one real.

DRM
The bogus one, raised by Randall Stross in the Times is the FairPlay DRM:

Here is how FairPlay works: When you buy songs at the iTunes Music Store, you can play them on one and only one line of portable player, the iPod. And when you buy an iPod, you can play copy-protected songs bought from one and only one online music store, the iTunes Music Store.

The only legal way around this built-in limitation is to strip out the copy protection by burning a CD with the tracks, then uploading the music back to the computer. If youre willing to go to that trouble, you can play the music where and how you choose the equivalent to rights that would have been granted automatically at the cash register if you had bought the same music on a CD in the first place.

This is, of course true, but sort of irrelevant. First, you're quite free to buy physical CDs and rip them yourself. iTunes will even rip them for you. At least with the iPod and presumably with the NYRDPTBKATi, there won't be any copy protection on them at all. It's true that the iPod file format obfuscates the locations of the files on the disk, but they're all there and you can get 3rd party programs which know how to read the format. The vast majority of music gets into iPods by being ripped, not downloaded.

Second, the issue isn't the iPod or NYRDPTBKATi, but rather iTMS, which imposes the DRM on the way out the door. Stross says this in the article but some misses the implication:

This claim requires willful blindness to the presence of online music stores that eschew copy protection. For example, one online store, eMusic, offers two million tracks from independent labels that represent about 30 percent of worldwide music sales.

Unlike the four major labels Universal, Warner Music Group, EMI and Sony BMG the independents provide eMusic with permission to distribute the music in plain MP3 format. There is no copy protection, no customer lock-in, no restrictions on what kind of music player or media center a customer chooses to use the MP3 standard is accommodated by all players.

In other words, it's quite possible to play non-DRMed files (what else is a podcast, after all?), it's just that (1) the music users want isn't available (2) the users don't know where to get it or (3) the UIs for getting it are too annoying. if it's really true that the major labels are willing to go non-DRM than this sounds like a great marketing opportunity for someone to make a really good non-DRM online music store. In any case, Stross's quarrel isn't with the iPod but with iTMS.

Programmability
This brings us to the real issue: programmability. According to this article the NYRDPTBKATi isn't going to be an open platform. I.e., you won't be able to load your own applications onto it. Apple has advanced two major arguments for why this is OK: protecting the network from rogue applications and protecting the stability of the device.

Here's Jobs advancing the first reason:

But its not like the walled garden has gone away. You dont want your phone to be an open platform, meaning that anyone can write applications for it and potentially gum up the provider's network, says Jobs. You need it to work when you need it to work. Cingular doesnt want to see their West Coast network go down because some application messed up.

Look, this is mostly nonsense. Yes, it's true that programmable computers can do damage to the Internet (cf. zombies, spam, DDoS, etc.) but this isn't primarily an issue of people installing the wrong third party software but rather of their machine being remotely compromised via vulnerabilities in the existing software—primarily stuff installed by the OS manufacturer. I should mention that Apple isn't giving out SDKs for the iPhone, so it's going to be harder for malware authors to program to it than (say) Windows, but that's only a temporary obstacle if it becomes an attractive attack target. There are of course ways to stop third-party malware from being loaded on at all (e.g., signed code) but the level of defense that Apple employs on the iPod doesn't suggest that they're too likely to have done anything like that here. I'd imagine they're just hiding the specs and the SDK and maybe churning the API/ABI occasionally to make it more inconvenient to write a real product.

More importantly, the danger in rogue applications isn't primarily to the access network but rather to machines other places on the Internet. It's actually very easy for Cingular to detect when a device is doing something dangerous to their network and shut it down. And to the extent to which it's not easy, Cingular has much bigger problems since they're already quite willing to sell you Windows Mobile and Palm smartphnes, which are programmable.

The second argument Apple is advancing is that letting end-users run arbitrary third-party apps will potentially destabilize the handset, contributing to a bad user experience.

We define everything that is on the phone, he said. You dont want your phone to be like a PC. The last thing you want is to have loaded three apps on your phone and then you go to make a call and it doesnt work anymore. These are more like iPods than they are like computers.

The iPhone, he insisted, would not look like the rest of the wireless industry.

These are devices that need to work, and you cant do that if you load any software on them, he said. That doesnt mean theres not going to be software to buy that you can load on them coming from us. It doesnt mean we have to write it all, but it means it has to be more of a controlled environment.

So, this is vaguely more reasonable, especially considering Apple's well-known fetish for the providing the optimal UI experience. Still, it's not particularly convincing. I've loaded several 3rd party apps on my Treo and haven't noticed it destabilizing the phone functionality. A modern O/S like OSX should be quite capable of protecting applications from each other—that kind of process isolation is one of the major functions of the OS. I haven't noticed any of the 3rd-party apps I run on my OS/X boxes being a source of massive instability.

Does it matter?
I'm probably unusual in that I'd actually like to be able to do some development on a handheld device, which would obviously be a problem if there's no SDK. That would be a big motivator for getting something based on a real operating system rather than PalmOS. But even ordinary users may find this kind of lockin inconvenient. I don't know what applications Apple intends to provide on the NYRDPTBKATi, and the truth is that they provide a pretty reasonable set on your Mac, but even so I've installed Firefox, MS Office, the Palm software suite, and Windows Media Player. Apple offers their own versions of some of this stuff and it will be interesting to see if they decide you should have to run Safari instead of Firefox or Keynote instead of PowerPoint. One of the nice things about having a general purpose computer is that you get to make these decisions for yourself rather than having Steve Jobsa make them for you.

 

January 19, 2007

A perennial problem with any athletic event is designing a fair reward structure. Say you're organizing an amateur mass-market athetic event like a road race. What divisions can people win in? The obvious and natural thing to do is to simply have everyone in the same division; the first X people across the line are winners and everyone else.... isn't. The problem here is that this restricts the pool of potential winners to a fairly small group, say men between 20 and 40. There's practically no athletic event at which even the best women are competitive with the top rank of men and there's a fairly sharp performance peak around 30-35 (depending a bit on what the sport is).

Now there's nothing necessarily wrong with just giving awards to those people but it's clearly a turnoff for people to be "competing" against others whom they have no actual chance at beating. And turning competitors off isn't a good way to get more people to enter your event. So, there's a lot of incentive to find some reward structure that gives a broader class of people a chance to win something. This even crosses over into professional sports where it feels unfair to force people to compete against others who are clearly qualitatively different—though it's worth noting that within gender (the most common division) variation greatly exceeds between gender variation and yet nobody thinks it unfair that I have to compete against men with 2:30 marathon times.

The three most common divisions that are used to partition up contestants are gender, age, and weight. All of these have the advantage that they seem superficially fair because they're either uncontrollable (age and except for edge-cases gender) or only marginally controllable (weight), which gives the appearance of fairness. In my experience the next most common division is "local contestants", which is also not really controllable and clearly arbitrary.1 All of these divisions also have the advantage of being (mostly) readily verifiable.

This sort of division works well for some sports but not as well for others. In martial arts, for instance, weight matters and there are often weight classes, but there's enormous skill variation between athletes. If you let white belts compete against black belts what you get is less a match than a rout. In martial arts with strict ranking systems you can just pair up people of the same rank (or maybe one-up or one down) against each other. 2. In less formal sports, sometimes how long you've been training is used as a proxy. Since most dojos don't keep particularly good records of when people have trained or what rank they have attained, and those records aren't centralized, it's pretty easy to sandbag. The theory here is that it's better to be a winner in the beginner's division than be a loser in the advanced division, so you claim you're a beginner.

One way of countering sandbagging is to turn it into a repeated game. Bicycle racing is divided into 5 "categories". The way you move up from one category to another is by winning races. If you're too dominating in a category you get promoted to the next one. What makes this work is that people tend to race each other repeatedly, so they tend to find their own level. Obviously you can sandbag a little bit, but you can't win very often because you'll eventually get moved up.

This doesn't work as well in non-iterated situations. An interesting case I ran into recently is rock climbing. A typical bouldering competition involves a bunch of problems of various difficulties, with harder problems being worth more points. Because climbing is so skill-based, it makes sense to have divisions, but it's so hard to compare people's skills that the competitions I've heard of (note: I've never done one but I've spoken to people who have worked them) have competitors self-sort into divisions. Obviously, this is incredibly susceptible to sandbagging. Competitions deal with this by promoting people who look too good into the next division.

Unfortunately, this strategy is inherently unstable because it's precisely the people you would expect to win (the best people in the division) who are most likely to get bumped out for being too good. A related problem is that there's a lot of variation in experienced difficulty for problems that are nominally the same grade, so it's precisely when you're having a good day and the problems seem to be easy for you that you have to worry about being declared too good. And of course you can still sandbag some by figuring out where the line is and climbing right up to it. What mostly seems to suppress this sort of thing is that it's considered unsporting. This works in a small community, but in my experience once the stakes get big (or even not so big) people seem to lose their sense of sportsmanship. Do any readers who've done comps have a read on how much people try to game the rules?

1. It's also interesting to look at the evolution of sports, which seem to accrete finer divisions. For example, the Ultimate Fighting Championship used to be totally open but later weight classes were added. A while back triathlon introduced the "clydesdale" division for heavier athletes (the female version is called Athena). Clearly, heavier athletes are at a disadvantage but it seems to me that this division is still regarded with a bit of suspicion.
2. A related problem in martial arts is that you need to keep the divisions fairly small because otherwise the tournament requires two many matches to converge on a single winner.

 

January 16, 2007

Ann Applebaum has an article in Slate proposing more or less the EG opium price support plan for Afghanistan:
As a result, in 1974, the Turks, with U.S. and U.N. support, tried a different tactic. They began licensing poppy cultivation for the purpose of producing morphine, codeine, and other legal opiates. Legal factories were built to replace the illegal ones. Farmers registered to grow poppies, and they paid taxes. You wouldn't necessarily know this from the latest White House drug strategy report which devotes several pages to Afghanistan but doesn't mention Turke ybut the U.S. government still supports the Turkish program, even requiring U.S. drug companies to purchase 80 percent of what the legal documents euphemistically refer to as "narcotic raw materials" from the two traditional producers, Turkey and India.

Why not add Afghanistan to this list?

I've (obviously) got no problem with legitimizing opiate production in Afghanistan, but clearly there's an upper limit to how much opium we can turn into legal opiate products. In the US at least, the demand for opiates isn't limited by price (pharmaceutical opioids are already incredibly; 90 vicodin go for $24 at drugstore.com) but rather by the willingness of doctors to prescribe opioids to their patients (which is partly limited by the DEA's rather aggressive efforts to punish doctors for what they perceive as overzealous painkiller prescribing).

Given that the demand for legal pharmaceutical opioids is fairly inelastic and we're not going to start burning them in our cars or something (though that would make rush hour traffic more interesting), we're presumably fairly close to the upper limit of opium we're going to consume. If we're already buying 80% of our raw materials from Turkey and India, then there isn't likely to be much room to add Afghan production. So, at some point this strategy turns into just buying up opium and stockpiling it (there's room in Fort Knox, right?) or destroying it. Not that there's anything wrong with that.

 

January 15, 2007

Mrs. Guesswork and I are watching The Seventh Voyage of Sinbad, starring the distinctly un-Arab-looking Kerwin Mathews as the Iraqi Sinbad. I got to thinking about who you typically see getting generic "swarthy guy" roles:

ActorActual EthnicityEthnicities Played
Art MalikPakistaniIndian (Booty Call), Arab (True Lies), Greek (Year of the Comet)
Tony ShalhoubLebaneseLebanese (The Siege), Italian (Big Night)
Ricardo MontalbanMexicanHispanic (Spy Kids and others), Japanese (Sayonara), Indian (Star Trek: The Wrath of Khan) (thanks to Wikipedia)

I'm not sure how much of an improvement this is over the days when you could have Charleton Heston playing a Mexican.

 

January 12, 2007

The NYT reports that a lot of users forward their corporate e-mail to external Webmail accounts:
A growing number of Internet-literate workers are forwarding their office e-mail to free Web-accessible personal accounts offered by Google, Yahoo and other companies. Their employers, who envision corporate secrets leaking through the back door of otherwise well-protected computer networks, are not pleased.

...

Corporate networks, which typically have several layers of defenses against hackers, can require special software and multiple passwords for access. Some companies use systems that give employees a security code that changes every 60 seconds; this must be read from the display screen of a small card and typed quickly.

That is too much for some employees, especially when their computers can store the passwords for their Web-based mail, allowing them to get right down to business.

I'm sure annoying authentication schemes are part of the problem—though most of the organizations I know about only require you to use your SecureID card to make a VPN connection. Not that that's not annoying enough...

In my experience, the problem isn't security but rather usability. Probably the most important factor is remote access. People want to read their e-mail on their Blackberries and the companies often haven't been that good about installing the connecting software that the employees would need to do that. So, the employees install their own connectors on their desktop. Actually, remote access in general is a problem. Webmail is super-convenient and lots of companies don't or won't offer it. But you can help yourself by just forwarding your e-mail to Gmail.

Finally, there's the usability issue. Many enterprises run Exchange and expect their employees to use the matching MS e-mail clients. The reports I've heard from people who've tried are not exactly encouraging. On the other hand, Gmail's interface is actually pretty good, and you can also use Gmail with more or less any e-mail client of your choice.

Lawyers in particular wring their hands over employees using outside e-mail services. They encourage companies to keep messages for as long as necessary and then erase them to keep them out of the reach of legal foes. Companies have no control over the life span of e-mail messages in employees Web accounts.
This is absolutely a real concern, but it's a mistake to focus on e-mail here. It's actually incredibly difficult to avoid creating archival copies of sensitive information. First, many (most?) e-mail systems make copies to the local disk to enable offline work. At this point, it tends to end up in scheduled backups. Even if you manage to suppress this by forcing everyone to work offline or implementing local expire, employees routinely save data to disk and then it gets backed up onto permanent backups. Creating access control and retention policies that stick with the data through this kind of transformation is nigh-impossible with any operating system in common use (there's a close relationship between this problem and multi-level security, by the way). And this is if you control the systems people use. It's of course massively harder when you don't.1

"If employees are just forwarding to their Web e-mail, we have no way to know what they are doing on the other end," said Joe Fantuzzi, chief executive of the information security firm Workshare. "They could do anything they want. They could be giving secrets to the K.G.B."
OK, but this doesn't make any sense. First, if your employees want to give your secrets to the KGB , what they need isn't e-mail, it's a time machine. Second, if they want to give out your secrets, they're not going to forward them to Gmail, they'll bring a flash drive to work and copy all their data onto it. It makes some sense to be concerned about inadvertant information disclosure by employees, but once you assume that you're in an adversarial relationship then you've pretty much lost.

Paul Kocher, president of the security firm Cryptography Research, said the real issue for companies was trust. "If you can't trust employees enough to use services like Gmail, they probably shouldn't be working for you," he said.

I certainly agree that if you can't trust your employees not to intentionally give out your confidential information you're in big trouble, but I don't think it's right to extend this to whether you can trust them to comply with all your corporate IT policies. Just from reading this article (and from my personal experience) it's clear that if you followed that policy you'd have to fire a lot of your employees, including good ones—people who are at least to some extent trying to act in the best interests of the company by working more efficiently.

At a higher level, the relationship between corporate IT departments and individual users is often quite adversarial. The IT departments want to standardize everyone on a particular set of software and services and the users want to use software and services of their choice. When the official IT offerings become too restrictive (in the minds of the users) they often resort to self-help, as in this case.

1. There was some interest for a while in using various kinds of cryptographic techniques for this, but it never really took off and was still hard to get right.

 

January 8, 2007

The Supremes have declined to hear Gilmore v. Gonzales. I can't say I'm too surprised; Americans seem in general pretty inured to airport searches, in part due to an exaggerated sense of the danger of air travel (both due to accidents and terrorism).
 

January 7, 2007

The Free Speech Association 1 reports that ICANN is re-considering the creation of the .xxx domain. As I've said before, I don't much care whether .xxx gets created or not, but it's worth checking out the proposed terms, which include all kinds of obligations for the operator to enforce content restrictions, including:

Registry Operator will prohibit child pornography, including practices that appeal to pedophiles or suggest the presence of child pornography on the site.
This seems pretty vague. The definition of what child pornography is varies quite a bit depending on which country (and even within states in the US). What set of rules are to be applied? Even within the set of things which clearly aren't child pornography, what does "practices that appeal to pedophiles". Does that include "barely-legal" type material?" If it turns out that pedophiles like kittens, will cuteoverload.xxx be out of bounds?

Registry Operator/IFFOR will impose and enforce best practices obligations including standards to:
a. Prohibit misuse of personal information
b. Require accurate meta-tagging
c. Ensure clear and accurate consumer disclosures
d. Protect IP rights
e. Prohibit use of malicious codes and technologies (i.e. spoofing)
f. Prohibit fraudulent, anonymous, or unsolicited commercial emails
g. Prohibit use of malicious redialers, credit card fraud, and/or unauthenticated use of credit cards
Section (d) is particularly interesting. If I use my .xxx domain name to download stuff from then ICM might take away my .xxx domain name?

3. Registry Operator will (i) promote the principles set forth in the United Nations Declaration of Human Rights related to free expression and (ii) prohibit child pornography as defined in the United Nations Convention on the Rights of the Child ("UNCRC")
For references, here's what the UNDHR says about free expression:
Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.
What exactly is ICM expected to do to promote these principles? Give money to the ACLU?

The whole thing is pretty long on principles and short on details.Not really surprising, since that's a pretty good description otf the notion that you can divide the Internet into adult content on one side and non-adult on the other.

1 The trade association of the adult film industry. Nice euphemism, eh?

 

January 6, 2007

Via Interesting People, I see that TSA is starting a pilot program to show ads during security screening:
"TSA plans to launch a one-year pilot program where airport operators may enter into an agreement with vendors, who will provide divestiture bins, divestiture and composure tables, and metal-free bin return carts at no cost to TSA," said spokeswoman Amy Kudwa. "In return for the equipment, TSA will allow airport operator-approved advertisements to be displayed on the bottom of the inside of the bins."

Your average security checkpoint looks to me to have about 100 plastic bins. Comparable bins go for about $11 retail. They also have maybe 5-10 plastic tables, something like this, which goes for $150 retail. I haven't specced out the little bins you put your keys in, but let's assume they're $11/too. So, assuming we're just talking storage and not expensive stuff like metal detectors, you should be able to outfit your TSA checkpoint for under $5000. A big airport like SFO might have 10 security checkpoints, so you're looking at $50,000 one time cost (with maybe 20%/year for breakage, though these plastic tubs look pretty indestructible). That's a trivial part of the cost of running airport security. So, if vendors are really getting advertising for the cost of providing free hardware they're getting a great deal. The airports should want revenue sharing.

This brings me to my second point: incentives. The longer you spend standing around the TSA checkpoint and the more crap you have to take out of your pockets and put in separate bins the more advertising you get exposed to. The airports and TSA have some control over this, so to the extent they make money from advertising, their interests aren't really aligned with yours, which include getting through the checkpoint as fast as possible. See the clear program for another example of such an incentive conflict.

Most importantly, with all the pulling stuff out of your bag and stuffing it back in, it's pretty easy to leave things at the checkpoint, say at the bottom of your bin. In order to minimize this, you want the bottom of the bins and the tops of the tables to be as uncluttered a visual field as possible and one that is most likely to contrast with people's belongings. I'm not sure exactly what that would look like (though I'd imagine bright white, though the grey seems not terrible), but since the whole purpose of advertising is to attract people's attention to the ad, I suspect it's probably going to be pretty bad for having you notice that you left stuff in the bin. I'd much rather that TSA and the airports optimize for me not leaving my valuables at the security checkpoint than for extracting an extra few million a year from advertisers.

 

January 3, 2007

DOJ has refused a request by Senator Leahy, Chairman of the Senate Judiciary Committee to turn over the CIA General Counsel's opinion about what interrogation techniques are permissible.
In his address to the Nation, the President acknowledged the existence of the CIA program, but there are many details about the program that he did not, and could not, share publicly. One example is the specific interrogation techniques that were authorized for use on these high-value terrorists. As the President explained, to disclose that sensitive operational information would be to "help the terrorists learn how to resist questioning, and to keep information from us that we need to prevent new attacks on our country," Id. Al Qaeda seeks information on our interrogation techniques—their methods and their limits&mdsah;and trains its operatives to resist them. We must avoid assisting their effort.

There are two ways in which this argument could make sense. The first is that there are some techniques which we use that Al Qaeda doesn't know about. If they did know about them, they could potentially train their operatives to resist them. The second way is that knowing that we don't use technique X would allow Al Qaeda to save training effort by not training their operatives to resist X. I don't find this second theory very strong: even assuming there's some set of officially off-limits techniques if I were an Al Qaeda planner I wouldn't want to count on some American interrogator not exceeding those limits.

This leaves us with the possibility that there are some secret techniques which we'll stipulate can be resisted if you're trained for it. If there are techniques which can't be resisted there's not too much point in keeping them secret (though it might be useful to keep the fact that you had irresistible technques secret if you thought that the enemy would assume otherwise and continue with plans known to people you'd captured).

In any case, there can't be an unlimited number of these techniques, which creates the question of what you do once you've applied them. It only takes one released victim of technique X to tell everyone in Al Qaeda that you're using X. You don't even have to release him; if you let him come in contact with other prisoners and he tells them about X, then they can tell others if they're eventually released. At the end of the day, this logic leads to keeping anyone you use X on in solitary confinement more or less for the rest of their lives. As I understand the current state of the law, even suspected "high-value terrorists" are entitled to some review of their status. What happens if they're determined to be innocent?

 
Ross Bernstein's The Code: The Unwritten Rules Of Fighting And Retaliation In The NHL provides these 10 reasons why hockey fights start:
  1. Retaliation and retribution.
  2. Swinging the momentum
  3. Intimidation
  4. Sending a message
  5. Trying to draw a reaction penalty
  6. Deterrence
  7. Job security
  8. Protection
  9. Prison justice
  10. Bad blood

There's a bit of redundancy here, but it's striking the extent to which fighting has been integrated into game strategy. For instance, here's reason 2:

The second reason for fighting is to provide a spark or catalyst to wake up your team. Fighters will challenge opponents when their team is down for the sole purpose of winning the fight and thus swinging the momentum of the game. If a player battles like a warrior and wins, the crowd gets pumped up and the players get a shot of adrenaline to inspire them to work harder. It is all about gaining a mental edge or psychological advantage in hockey and a good scrap can achieve that in a heartbeat.

Here's Marty McSorley:

The code can be completely different for guys when they are playing on a bad team. When you are an enforcer on a bad team it is your job to go out and try to turn the game around. A tough guy knows that he can swing the momentum 180 degrees from a dull, boring game to one the fans are totally into, and the players respond to that. That guys knows when he has to use his shift to try and stir it up out there in order to get his teammates and his fans back into it. That is a tough job, I have been there. It is particularly tough when you are playing on the road and an opposing team's home ice. It goes against who you are as a person and as a player to go out and start something when nothing is going on. But hey, it is the nature of the beast with this role.

I would also add that when that situation arises, it means even more to be able to do it with respect and honesty. What I mean by that is if it was my responsibility to go out and sti something up, then I would go up to their tough guy and bring it up with him directly. ... I would talk to him directly and put him in a position to address me out on the ice, with respect.

Now that tough guy knows the code and knows that he needs to match you, because that is your job. ... Even if he is tired or sore, he knows that he needs to face you and give you your shot to turn your team's momentum around that night. It is a battle, one on one, and we both know our roles. A victory will spark your team's emotions and foce them to play harder, while a loss can do just the opposite. It is a tough job, but a true fighter relishes that momentum out there and fights for his teammates.

Another notable point is that many of the former players interviewed by Bernstein (admittedly most of them enforcers) believe that fighting is a critical part of keeping the game orderly, because it gives players an informal way of keeping other players in line for behavior that the refs don't notice (or that might not be explicitly illegal). The "instigator rule" which gives extra penalty time to whoever starts a fight comes in for particular criticism on the theory that it interferes with informal dispute resolution resulting in more aggressive play, more injuries, and more heated fights when they happen. I don't know if it's true, but it seems clear that if the NHL really cracked down on fighting effectively, it would dramatically change the strategiy shape of the game.

 

January 2, 2007

DallasFood.org's 10-part expose of NoKA Chocolate is making the rounds. For those of you not familiar with this story, NoKA is a hyperexpensive luxury chocolate, coming in at between $309/lb and $2,080/lb (other high-end chocolates come in under $100/lb). Aside from a flashy box, the NoKA branding comes with a number of claims about the high quality of their chocolate. Here's the relevant FAQ section:
What is Single-Origin Chocolate?
Each NOKA truffle or chocolate contains dark chocolate made of the finest cacao from select plantations in a specific origin. For example, our Vivienté truffle is made from the finest Venezuelan dark chocolate (min. 75% cacao): from the luxurious ganache (center of the truffle) to the thinly enrobed shell and delicate shavings that decorate its exterior - only pure Venezuelan dark chocolate is used. By using only a single- origin chocolate it enables the tasting of the terroir or "true essence of the origin". A fitting analogy to our single-origin chocolate is to that of tasting fine wine - for example, a bottle of Californian Merlot will have a different flavor profile than a French Merlot - the resulting differences are due to a number of factors including soil and climate. The same is true with the finest single-origin chocolate.

How is your chocolate different than other dark chocolate?
Regular dark chocolate contains a blend of cacao from a variety of different origins. Most regular chocolate also contains vanilla, added to round out quality imperfections and create a consistent flavor. We focus solely on the highest quality single-origin dark chocolate and as such there is no vanilla in any of our chocolate. Our passion is tasting real chocolate, in its rarest and purest form, unadulterated by vanilla and any other flavorings.

Anyway, Scott at DallasFood.org did a bunch of background research on NoKA. First, NoKA doesn't actually make the chocolate. Rather, they buy pre-made chocolate (called couverture), temper it and pour it into molds. They don't hide this fact, but Scott makes the case that they imply that they have a larger part in the production process than they do (in particular referring to couverture as "semi-refined" when it's the finished product). Second, the claims that NoKA makes about their chocolate aren't that unusual (and not necessarily benefits). A number of chocolatiers can make similar claims. Finally, Scott uses the descriptions of each of the offerings plus taste testing to make a very persuasive argument that Noka's chocolate is simply couverture bought from Bonnat—which chocolate can be bought far cheaper directly from Bonnat (though without the shiny box).

Naturally, this revelation has provoked a fair amount of anger and feeling that NoKA misrepresented their product. I suppose that's true, but say they hadn't. Say they were actually manufacturing the product themselves or had outsourced production to Bonnat with some custom recipe of their own design. You'd still be paying an outrageous price for the product, but you wouldn't have the option of buying it cheaper under a different name. Presumably that's what NoKA customers thought they were getting, right? So, what's the problem?

Here's another way to look at things. Say you're in the market to buy some high-end chocolate. Presumably you buy some small quantities and taste it and then buy whatever you like the best. If after you've followed this procedure you still end up buying NoKA, then either your background research failed (you didn't try Bonnat) or your taste isn't very good.

 

January 1, 2007

The other day I caught PRI's "The World" segment on "Open Source" Beer. The web site is here or maybe here. The uh, developers have a good line of patter going on about how they have the "the world's first open source beer!", but it's hard to see what's going on here that's special.

First, you can't copyright recipes (at least in the US), so the whole notion of their being an Open Source beer recipe is kind of silly. At that level, all recipes—at least those published in the US—are Open Source. Unless the European laws are substantially different, which I doubt, then the restrictions that the designers are trying to levy "you are free to earn money from Our Beer, but you have to publish the recipe under the same license (e.g. on your website or on our forum) and credit our work" are unenforceable. Note that they could potentially copyright a particular expression of their recipe, but if you look at their page, it's just the ingredient list along with relatively standard brewing directions.

One could imagine that they've filed for a patent, but that would require that there be something inventive. Let's take a look at the recipe:

  • 6 kg pilsner malt
  • 4 kg m√ľnsner malt
  • 1 kg caramel malt
  • 1 kg lager malt
  • 60 g Tetnang bitter hops
  • 50 g Hallertaver aroma hops
  • 300 g Guarana beans
  • 4 kg sugar
And here's the boiling instructions:
The malt extact is brought to a boil in a large pot with the hops and approx. 70 ltr. of water.

After half an hour, the Guarana beans and sugar is added.

The mixture simmers for about an hour, and is then filtered and cooled in a sealed container.

This is a pretty typical beer recipe, with fairly standard ingredients. If anything it's underspecified. For instance, the Beer Recipator lists three different varieties of Hallertauer hops, but we're not told which one to use. This kind of stuff matters. There are only two unusual (and I use the term loosely) features of this recipe. The first is the addition of the mild stimulant Guarana. It's not clear why anyone would want this in their beer, but Guarana is a standard ingredient of energy drinks, so there's not much use here. The second is the use of 5 kg of sugar (by the way, it would be nice if the authors told us whether they meant sucrose or corn sugar; again, details matter). This is a not uncommon element but there's some controversy over whether it leads to off flavors. Oh, yeah, one more unusual element: there are two uses of hops in beer. The first is for "bittering" and bittering hops are bolled with the wort (the malt extract and water). The second is for aroma and aroma hops are only added towards the end. The recipe here only seems to use bittering hops, which is a bit unusual in my experience, though might be appropriate depending on the style of beer this is supposed to be (they don't say).

So, as we've seen there's nothing unusual about this recipe. But maybe it's hard to find recipes? Actually, not so much. The Beer Recipator has something like 5,000 recipes listed. There's also the Cat's Meow, which has a zillion recipes. So, there's no shortage of perfectly good, much clearer, beer recipes. Absent some Cooks Illustrated style research, there's no reason to believe that this recipe is any better than any other (and given the broad variety of beer styles, it's not like there's one best recipe anyway).

Most importantly, beer isn't at all like software in that the informational component of production is very small. Given that you have the source code for a piece of software and a platform reasonably similar to that where the software was developed you'll get pretty much the same binary as the authors did. By contrast, with beer, even if you have a good recipe and reliable ingredients, you still need quite good technique to get solid results. Back when I was homebrewing, I lost several batches because they were infected due to improper technique. The problem is even worse if you're a commercial brewer because you not only need to turn out decent beer but you need to turn out beer that tastes the same batch after batch (as an aside, I've heard it said that this the real proof of the skill of Budweiser's brewmasters that their consistency and quality control is so good. You may not like their product but it's the one they intend to make and every can is near-identical) even in the face of inconsistency in the ingredients. Having a good recipe is only the very first step and one that's not at all hard to take without help from a bunch of Scandinavian students.