EKR: February 2007 Archives


February 26, 2007

This is Mrs. Guesswork posting on behalf of the mister, who is spending the evening (Monday only) constructing burritos at Burrito Real. The place is going to be under new ownership soon, but while it's still the crew we know from an estimated metric ton of burritos eaten over the past half-dozen years, Ekr asked if he could man the burrito counter for a shift. Do come by and order one custom-made tonight.

February 25, 2007

On the Skype/FCC thread on I-P, Brett Glass writes:
The key thing that one must understand -- and this is a bit technical -- is that Skype works by "robbing" bandwidth from its users and their ISPs. Skype does not buy enough bandwidth to route or connect all of the calls placed via its network. At any time, a Skype user who merely has the software running -- but is not making a call -- may be using bandwidth to connect a call that involves neither the user's ISP nor any of that ISP's customers. This is a moderate concern on a land-based network, but is of GREAT concern on wireless networks, which are severely constrained by tower capacity and the scarcity of radio spectrum.

If Skype, by operating on the wireless provider's network, would in effect be consuming the provider's valuable bandwidth and airtime without compensation (which really does seem to be the case), the cell phone company is perfectly justified in saying, "No." We operate a terrestrial broadband network (not a cell phone network), which has more capacity. Nonetheless, we do find that we're impacted by bandwidth-robbing applications and do find that it is necessary to rein them in (though we do not currently ban them).

OK, this is a little technical, but it's not too complicated to explain. VoIP media requires two-way communication flows over UDP. Unfortunately, your average firewall or NAT is not set up to conveniently allow such flows by default. Skype (like SIP VoIP stacks and other P2P applications) includes fairly extensive NAT traversal techniques to let you punch a hole in the NAT/firewall. Unfortunately, those techniques don't always work, especially when both sides are behind NATs. The last ditch approach in such situations is to tunnel all the traffic through a media relay, a publicly accessible machine which is not behind a NAT. In the IETF VoIP universe, it's generally expected that service providers (either ISPs or the voice service provider) will provide the media relay.

Skype has the unusual feature that some of the clients themselves act as media relays. At least in theory, the system automatically detects that a client has a public IP address and has it advertise itself as a media relay.1 (Because the traffic is encrypted the people making the call aren't supposed to have to worry about this.) The advantage of this technique is that Skype Inc. doesn't need to use as many servers (or as much bandwidth) to operate their own media relays. Obviously, if you have a client which is acting as a media relay, it consumes bandwidth when you're not making a call, which is what Glass is referring to.

That said it's unlikely that a Skype client on a cellular network would end up being a media relay. A good media relay needs reliable high speed connectivity and unfiltered, public, Internet access. None of these really apply to cellular phones. So, while in principle Skype could chew up cellular radio capacity over and above that required to transmit to/from the calling stations, it seems unlikely in practice.

1. I say in theory because a friend of mine set up a Skype client with good connectivity and a public address and didn't get selected as a relay.

UPDATE: Rewrote the last graf for added clarity.

Skype has asked the FCC (þ Robert Berger via Interesting People) to require cellular providers to carry their VoIP traffic:
Skype yesterday petitioned the FCC to lay the smack down on wireless phone carriers who "limit subscribers' right to run software communications applications of their choosing" (read: Skype software). Skype wants the agency to more stringently apply the famous 1968 Carterfone decision that allowed consumers to hook any device up to the phone network, so long as it did not harm the network. In Skype's eyes, that means allowing any software or applications to run on any devices that access the network.

The reason for Skype's interest in the issue is obvious: they want to force network operators to allow Skype-enabled calling across their networks, something currently prohibited on wireless data plans. In its filing, Skype argues that this capability would offer "tremendous new sources of price competition provided by entities such as Skype," and that's exactly why wireless operators will fight the plan tooth and nail.

The standard perception here is that there's a generic network and the providers use QoS to block third-party VoIP applications. There's an element of truth here, especially for conventional wireline Internet services. But for cellular the situation isn't as simple as that.

So, the first thing you need to know is that older digital cellular networks (pretty much everything before 3GPP IP Multimedia Subsystem) aren't generic packet switch networks like the Internet. They're specialized voice channels. They do have some generic Internet functionality, but it's mostly an add-on overlay on the older voice network—the same way that you layer IP traffic over an old voice network with PPP (except that this is digital-on-digital).

Performance of these systems isn't that great. First, the bandwidth is really inconsistent (even when you nominally get 14.4k it's bursty). Second, it consumes a lot of power. The reason for this is a bit subtle: voice transmission is extremely predictable and the phones and networks are able to make a bunch of channel control optimizations (slotted scheduling and variable-width channels being big ones) to minimize power consumption. This sort of tight control requires the part of the system close to the radio to have a lot of knowledge of the network dynamics of the protocols being run over top. In my Treo, for instance, you get 3+ days in voice mode and less than a day in Internet mode, even if you're sending and receiving almost no data.

IMS is a little different, but the problems are similar. In principle 3G phones have more or less generic IP service and provide it to the applications on the phone. IMS is VoIP (SIP + RTP + some custom IMS stuff) and runs over that service. That's true, but in order to make this work efficiently there's actually tight integration between the VoIP system and the IP stack in order to efficiently make use of the air interface. While there is a lot of QoS on 3G networks, it's not solely for the purpose of blocking 3rd party applications, but also for making the native applications work well. So, while in principle you could run generic VoIP over the IP network, it's not clear how well it would really work.

So, if all this is right and Skype wouldn't work well anyway over a neutral channel, what's Skype really want? That's not clear. One possible theory is that it's negotiating leverage. Of the four major wireless carriers, Cingular/ATT and Verizon both operate wireline Internet service and T-Mobile operates a network of hotspots. Requiring neutrality through those networks would be valuable and asking for a lot more might be a way to get it.

Acknowledgement: Thanks to Cullen Jennings for discussions and explanations of some of the issues in this post.


February 23, 2007

Reader Paul Hoffman writes:
Women athletes are supposed to compare more favorably against men in sports that do not require as much upper-body strength. Women also face barriers in team sports where there is expected to be lots of locker-room camaraderie. So why are there essentially no professional women bicyclists?

There are actually several issues here. Women do compare more favorably against men in sports that don't require upper body strength. For example, the gap between men and women in the clean and jerk, even for comparable weight classes, is order 20-25% (see the figure below):

By contrast, the world record gap for running hovers around 10%. But more favorably doesn't mean favorably and the 10% gap in endurance sports is fairly persistent. Cycling actually is mostly a team sport so it's fairly hard to get individual performance numbers, but if you look at the cycling part of triathlons it becomes clear that the gender gap is fairly persistent there as well. The best men's bike time at Ironman Hawaii 2006 was 4:18:23. The best women's time was 4:52:11 by a woman who dropped out on the run. The best woman's time by a finisher was 4:59:04.1 So, it should be clear that there's no practical way that women cyclists can compete along with elite men. That said, there are professional women bicyclists. They just compete in their own races, which (of course) get less money and less press attention so you don't hear about them.

1 It's actually surprising that the gap is larger here because wind resistance is such an important factor in cycling performance and power goes up as a cubic function of speed, whereas in running power goes up much more linearly with speed. I don't have a great explanation here. Perhaps that body mass is a more important factor in running and that women tend to have lower power/mass ratios?


February 22, 2007

The title of this Reuters article on an NIDA report about changes in smokers' brains is "Smoking Changes Brain the Same Way as Drugs: Study". Here's the result:
Feb 20, 2007 -- WASHINGTON (Reuters) - Smoking causes long-lasting changes in the brain similar to changes seen in animals when they are given cocaine, heroin and other addictive drugs, U.S. researchers said on Tuesday.

A study of the brain tissue of smokers and nonsmokers who had died showed that smokers had the changes, even if they had quit years before, the team at the National Institute on Drug Abuse reported.

"The data show that there are long-lasting chemical changes in the brains of humans," said Michael Kuhar of Emory University in Atlanta, who was not involved in the study.


Hope said other studies had seen the same thing in animals given cocaine and heroin -- and it was clear that the drugs were causing the effects.

What a shock to discover that nicotine is a drug! Before this new result I was under the impression that smoking was totally innocuous and that the gum smokers chewed while trying to quit was just some singularly foul breath mint. Do you think maybe it was intended to help them withdraw from something they were addicted to?


February 20, 2007

I was in SFO short-term parking today and as I pulled up to get my ticket, I saw something interesting:
  • The ticket machine runs Windows.
  • It was running a virus scanner.
  • It was displaying a window indicating that it had detected a virus.

Regrettably I bungled my cell phone camera and was unable to get a photo.

Obviously, I'm unsurprised that these machines run Windows (though I wouldn't have been surprised with Linux or QNX). I'm a little surprised that they're networked since a lot of this kind of industrial automation tech was manufactured and installed before ubiquitous local networking command and control. However, given that they are running Windows and are networked, we shouldn't be surprised if they get infected. I guess the next question is: what could you do with a zombied parking ticket machine?


February 19, 2007

The Amgen Tour of California started yesterday. Am I the only one who finds it a bit ironic that the name sponsor of the race is the company that makes EPO?

February 15, 2007

Mordaxus argues that we should stop using cutesy names for attacks on information systems:
This is the term that has set me off on the present rant. The person who just used it in a meeting I'm in said "pharming" and then screwed up his face when he perceived a blank look or three and said, "Well, pharming is a name for a number of attacks, which are all DNS spoofing attacks." I bit my tongue and did not say, "Then why didn't you say 'DNS attacks'?" and then sat down to this rant.

Pharming has both of the faults Orwell mentions. It's stale (being a back-formation from phishing) and imprecise. It's so imprecise that one can't imagine what it is just from the name. I could complain about phishing itself, but it is at least poetic and suggestive of the actual criminal activity, and that particular spelling appeared as early as 1996 in an AOL password-stealing scam. However, the word forgery was created for this very case.

I'm not fond of "phishing" or "pharming", but the ones that bug me are wardialing and friends. Wardialing is using an automatic dialer to scan for open modems. According to Wikipedia, the name comes from the use of the technique in the movie Wargames, so while it's a stupid name at least you can see where it came from. Then we got "wardriving", driving around looking for an open wireless access point, which is bad enough, but then (and I'm not making this up), warchalking, marking the area where there's an open AP. Is there any human who can say the word "warchalking" unironically and not feel like a complete fool? And that's not all. There's also warbiking, warwalking, and warspying. I'd write more but it's late and time for me to do some warsleeping.


February 13, 2007

A bunch of Belgian publishers just won a suit against Google News. What's going on here is kind of interesting. The newspapers allow free access to the articles for a limited time and then move them to a paid archive. Google News indexed (and cached parts of) the articles when they were free, and the cache is still accessible even after free access is ended.

Google has responded by not even indexing (let alone caching) the relevant sites. That's not really a win for Google or the publishers. A better compromise would be for the cache to expire at the same time as the article went subscription only. This could be done manually on a per-site basis or with some new HTTP/HTML indicator that told Google when to remove the cache entry (as far as I know, the current HTTP caching technology doesn't really support this, though I suppose you could repeatedly probe the site to see when permission was revoked).

Most of the common asthma medications (albuterol, Flovent, ...) are packaged in aerosol inhalers for delivery right to the lungs. Like any other aerosol, there's a medication suspended in a compressed gas propellant. As one of the last steps in the great CFC phaseout, these inhalers are being reformulated with hydrofluoroalkanes (HFA).1 In general, this is a pretty transparent process for consumers (except for the patent extensions being granted to the manufacturers for the propellant transition) but GSK actually decided to add some value here.

Asthma inhalers are what's called a metered dose inhaler, which is designed to emit a constant amount of medication per puff. Each inhaler is rated for a certain number of doses, but it can be pretty hard to determine when you've used up the rated capacity of the inhaler, especially since there's still propellant and drug in the inhaler afterward. Unfortunately, once you've used up the rated capacity you start to get inconsistent doses with each press and unlike aerosol deodorant it's kind of important to get the right amount of drug and it's not just a simple matter of holding the button down longer.

In what is no doubt the result of decades of research, GSK added one of those gizmos that conductors use to count the number of people on the train to their new Ventolin HFA inhaler, letting you know how many doses you have left. Pretty snazzy, huh?

1. So, what's the total amount of CFC emitted? Your typical inhaler is about 15 grams, so if you go through one inhaler a month, which is pretty typical for a moderate asthmatic, you're looking at 200g of CFC/person-year. Asthma incidence in the industrialized world is around 5%, so assume we're looking at something around 10^8 inhaler users, or about 20 million kg (20 kilotons) of CFC emitted. For comparison, the 2000 emissions of CFC-11 (the propellant used in albuterol) were order 75 kt. So, we're looking at a significant fraction of current emissions.


February 10, 2007

If you want to have an opinion about capital punishment in this country you need to read this NYT article about the sorry state of the procedures used for administering lethal injections:
Over the course of Doerhoff's testimony, Anders uncovered many significant details similar to those uncovered in other states. For instance, Doerhoff testified that executions in Missouri have taken place in the dark, an execution team working by flashlight, and that the execution team routinely consists of "nonmedical people." For most, the day of the execution is "the first time probably in their life they have picked up a syringe . . . so it's a little stressful for them to be doing this." Doerhoff stated that he determined if an inmate being executed had been adequately anesthetized by observing the condemned's face through a window, which others noted was obscured by partly opened blinds. He also told the court that he reduced by half the five grams of anesthetic he had been using after the pharmaceutical company supplying it started packaging it in smaller bottles, which made it tricky to get the five grams in a single syringe. When Anders asked if he used calculations to determine the quantities of drugs to administer, he replied, "Heavens, no."

Later Anders asked, "Is any part of the execution procedure written down?"

"I've never seen it."

"There's no guide that you follow as you're doing it?"

"Absolutely not."

As background, the procedure involves three drugs:

  • Sodium pentothal to sedate the prisoner.
  • Pancuronium bromide (Pavulon) to paralyze him.
  • Potassium chloride to stop his heart.

These are all delivered through an IV. Unfortunately, if you screw up the IV, you might not get some or all of the meds. So, for instance you might be paralyzed but not sedated, which is no doubt terrifying and then quite painful when the KCl is injected. Now, you may be of the opinion that it's a good thing for those who are being executed to be in pain and terrified (I'm not) but surely that should be done intentionally, not just because we don't have competent procedures. However, in practice the procedures seem to be almost entirely ad hoc. Here's Chapman, who designed the Texas procedure:

It never occurred to me when we set this up that we'd have complete idiots administering the drugs.
The rest of the article is equally disturbing.

February 8, 2007

On Tuesday, some hackers mounted a pretty significant distributed denial of service attack on several of the root DNS servers (the ones who serve the records for the top level domains). You can see the attack pretty dramatically in the following figure which shows unanswered queries for the past seven days on G:

According to this report the attackers managed to seriously degrade service on three of the roots:

WASHINGTON — Hackers briefly overwhelmed at least three of the 13 computers that help manage global computer traffic Tuesday in one of the most significant attacks against the Internet since 2002.

Experts said the unusually powerful attacks lasted as long as 12 hours but passed largely unnoticed by most computer users, a testament to the resiliency of the Internet. Behind the scenes, computer scientists worldwide raced to cope with enormous volumes of data that threatened to saturate some of the Internet's most vital pipelines.

A few points are worth mentioning here. First, there are actually significantly more than 13 servers because a substantial number of them are anycasted, meaning that you talk to a different server (with the same IP address) depending on where you are in the network. So, you need to DoS more than 13 machines in order to actually bring down all DNS service.

Second, despite losing a significant fraction of the root server capacity, most people didn't really notice. There are two main reasons for this. The first is that DNS uses a lot of caching. The roots only hand out the addresses of the servers for the TLDs (e.g., com, org, etc.) and resolving nameservers cache. Since most domain names are drawn from a relatively small number of TLDs, your resolving nameserver will have the TLD servers in cache and so doesn't need to get to the root. So, even if the roots were totally down, people would mostly continue to get service until their caches started to expire which takes hours to days. The second reason is that all the roots are interchangeable and the resolving servers will keep trying until one works, so the end result is really more a slowdown than a loss of service. This sort of slowdown gets lost in the ordinary net hiccups people experience and just tolerate.
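The two effects described above can be seen in a small simulation. This is an added example, not part of the original post: a toy resolver that caches TLD referrals and retries roots until one answers. The 2-day referral TTL, the query mix, and which roots are marked down are all assumptions made for the demo; anycast is not modelled.

```python
"""Toy model (added example): why losing some DNS roots looks like a slowdown.

Models two things from the post: resolvers cache TLD referrals, and any
working root can answer. Anycast and negative caching are not modelled.
"""
import random

ROOTS = list("ABCDEFGHIJKLM")        # the 13 root server letters
TLD_TTL = 2 * 24 * 3600              # assumed referral TTL: 2 days, in seconds
# Constructed query mix: most names fall under a handful of TLDs.
TLD_WEIGHTS = {"com": 70, "net": 15, "org": 10, "de": 5}


class Resolver:
    """Caching resolver that retries roots in random order until one answers."""

    def __init__(self, down_roots, rng):
        self.down = set(down_roots)
        self.rng = rng
        self.cache = {}              # tld -> time at which the referral expires
        self.stats = {"queries": 0, "root_lookups": 0,
                      "timeouts": 0, "failures": 0}

    def resolve(self, name, now):
        self.stats["queries"] += 1
        tld = name.rstrip(".").rsplit(".", 1)[-1]
        if self.cache.get(tld, 0) > now:
            return True              # TLD servers cached: root never contacted
        self.stats["root_lookups"] += 1
        order = ROOTS[:]
        self.rng.shuffle(order)
        for root in order:
            if root in self.down:
                self.stats["timeouts"] += 1   # costs a retry, not the answer
                continue
            self.cache[tld] = now + TLD_TTL
            return True
        self.stats["failures"] += 1  # every root unreachable and nothing cached
        return False


def simulate(down_roots, queries=4320, warm_cache=False, seed=1):
    """Run one query every 10 s (4320 queries = 12 hours) and return stats."""
    rng = random.Random(seed)
    resolver = Resolver(down_roots, rng)
    if warm_cache:                   # referrals fetched just before the outage
        for tld in TLD_WEIGHTS:
            resolver.cache[tld] = TLD_TTL
    tlds, weights = list(TLD_WEIGHTS), list(TLD_WEIGHTS.values())
    for i in range(queries):
        tld = rng.choices(tlds, weights=weights)[0]
        resolver.resolve(f"host{i}.example.{tld}", now=i * 10)
    return resolver.stats


if __name__ == "__main__":
    # Which three roots are down is an arbitrary choice for the demo.
    print("3 of 13 down, cold cache:", simulate(ROOTS[:3]))
    print("all down, warm cache:   ", simulate(ROOTS, warm_cache=True))
    print("all down, cold cache:   ", simulate(ROOTS))
```

With three roots down, the resolver goes to the roots only once per TLD over the 12 hours and every query still succeeds; with all roots down, a warm cache hides the outage entirely while a cold cache fails every lookup.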


February 7, 2007

For reasons that have never been entirely clear to me, the DMV seems to be fairly inefficient about sending me registration renewals for my motorcycle but extremely efficient about sending the Franchise Tax Board Vehicle Registration Collections my name so they can threaten me. As far as I can tell, they have the right address (I get the threatening letters) and they are perfectly good at sending me renewals for my car, but not the motorcycle. Anyway, I recently received one such letter threatening to suck the money out of my bank account and/or garnish my wages if I didn't pay up. You can't pay this over the phone via credit card and if you mail in a check it takes 4-6 weeks to process, by which time they've probably garnished your wages—you have to go to the DMV to pay up.

The good news is that once you get to the DMV they're amazingly efficient. The queue is short—less than 10 minutes—and they have a take-a-number system that lets you sit rather than standing in line. And once I got up there the clerk discovered that the original renewal notice had been returned in the mail and didn't charge me the late penalty. Start to finish time was less than 15 minutes. Too bad they couldn't have done the first part a bit faster.


February 4, 2007

Back in '04, EG covered the use of mouthwash as an intoxicant. The advantage of mouthwash is that it's cheap and available even to minors and when liquor stores are closed. The disadvantage is that it's, well, gross and doesn't have a particularly high alcohol content (15-25% ethanol.) According to this article, the rise of ethanol-based hand sanitizer has provided an alternative:
WASHINGTON -- The 49-year-old Maryland inmate seemed seriously sick after he drank from a gallon container of hand sanitizer. Described as "loony," "red-eyed" and "combative," officials whisked him to a nearby hospital for treatment.

But they quickly discovered he wasn't ill -- just very, very drunk on Purell. The October incident, detailed this past week in the New England Journal of Medicine as one of the first documented cases of its kind, has raised questions about the potential abuse of alcohol-based hand sanitizers.

"The widespread use of hand sanitizer is fraught with a great deal of danger," said Suzanne Doyon, medical director of the Maryland Poison Center, who co-authored a letter in the journal about the case. "From an infection control perspective, they are excellent. But there is this risk involved."

Purell, which is 70 percent alcohol, is far more potent than beer (5 percent), wine (10 percent) or hard liquor (40 percent). Doyon said the nonalcohol ingredients in hand sanitizer don't pose a health risk if ingested.

So, the good news is that the alcohol concentration is pretty high so it's a convenient form factor, and it apparently won't kill you much faster than ordinary booze. The bad news is that it tastes bad. As one of my friends put it "here i was expecting minty freshness, and instead it tastes like fermented ass." While writing this article, I had an opportunity to taste sanitizer and I can vouch for this description.


February 3, 2007

Julie Amero, a substitute teacher in Norwich CT, has been convicted of "four counts of risk of injury to a minor, or impairing the morals of a child" and faces up to 40 years in prison. The facts of the case seem to be this (this post has a bunch of useful links):
  • While teaching a class Ms. Amero's computer went into some pop-up loop showing a bunch of pornographic images, some of which were visible to students in her seventh-grade class.
  • Ms. Norwich didn't do the sensible thing and unplug her computer.
  • It's claimed she did attempt to push one of the students away from the monitor. Of course, this cuts both ways because it indicates that she knew the computer was showing inappropriate material.
  • The prosecution didn't scan her computer for malware. The defense claims that the computer was infested with pornographic malware. The school's anti-malware software was not up to date.
  • The prosecution claims that analysis of her computer indicates visits to pornographic web sites and that these must have been actually manually visited.

So, let's take a step back here. It seems to me that this set of facts is consistent with three theories from most to least innocuous.

Her machine was (innocuously) infected with malware and she froze.
This certainly is possible. It's certainly not hard to get your machine infected with malware and pornographic websites do try to trap you with popups so that you can't leave. Turning off your computer of course solves the problem, but it's easy to imagine someone computer illiterate, especially as Amero was reportedly told not to turn off her computer. Clearly, in retrospect this would have been pretty stupid, but then people in shock sometimes freeze.

The prosecution's argument against this theory appears to be that links to inappropriate websites were highlighted by the browser, presumably indicating that she had visited them. This could of course be a result of her doing so intentionally, but as far as I know browsers record visits, not mouse clicks, so if you really were infected with malware intended to redirect you to this kind of site it could create this kind of trail. There's also the possibility that someone else was using the computer and went to such sites.

She was visiting inappropriate web sites, got stuck in a popup loop, and then froze.
If you believe the previous theory, then certainly you ought to believe this one. It's possible to get infected from ordinary web sites, but it's even easier to get infected visiting porn sites which aren't notoriously safe. And when confronted with the frankly embarrassing evidence of your malfeasance you would probably want to hide it by shutting off the computer, but again it's not crazy to believe that she would freeze.

She deliberately displayed porn to her class.
In this theory either her computer started to display porn for one of the previous two reasons and she decided to let it play it for her class or she intentionally put the computer in a state where it played porn for them. Obviously this is possible at some technical level, but it seems pretty implausible to me. Certainly teachers occasionally do inappropriate things (telling your students that if they don't accept Jesus they'll go to hell, for instance) but it's hard to understand what Amero's motivation for showing porn to her students in public would be. Even if we assume that for some unfathomable reason she wanted to "corrupt" them wouldn't it be smarter to do it in some setting where she was less likely to get caught, fired, and prosecuted? Absent some explanation (for instance that she's completely crazy) this strikes me as a fairly implausible explanation.

So, at the end of the day it seems to me that we have two plausible explanations: a completely innocent woman froze or someone who had been misusing school computers in a way that people misuse their employer's computers (I'm not making a moral judgement here, but most employers do prohibit use of their computers and network for viewing porn so this is technically misuse) every day got caught. In either case, it's pretty hard to see how this merits a 40 year prison sentence. I don't know of any evidence that this caused any of the children any long term harm, but even if it did, consider that in CT if you got in your car drunk and killed somebody, the sentence would be more like 10 years.


February 1, 2007

Mark Kleiman has a generally sensible article on improved drug policy. One of the recommendations strikes me as a bit off, though:
Full commercial legalization of cannabis, on the model now applied to alcohol, would vastly increase the cannabis-abuse problem by giving the marketing geniuses who have done such a fine job persuading children to smoke tobacco, drink to excess and supersize themselves with junk food another vice to foster. However, if current laws were changed to make it illegal to sell cannabis or to exchange it for anything of value, but not to grow it, possess it, use it or give it away, the costs of the current control regime could be sharply reduced without greatly increasing the size of the marijuana consumption problem. Such a law could not effectively prevent private sales any more than a ban on gambling can prevent private poker games. Its goal would be to prevent mass marketing.

In the short-to-medium term such a policy would have only a slight impact on use. The biggest effect would be on those who now cease marijuana use as they enter the workforce but might instead keep using the drug. In the long term, there would probably be modest growth in cannabis use due to decreased social stigma and employment risk; how much of that growth in use would be among people who subsequently got into trouble with the drug is harder to guess.

I suppose it depends on what you mean by "medium term", but I'm not sure that this is right. Most of what keeps cannabis illegal is its general social unacceptability; if you go to a party at someone's house they're quite likely to offer you a drink. Indeed, a party where no alcohol is being served is considered kind of odd. This is true of cannabis in some circles but not most. As a consequence, as was true for many years with gays, many people don't know (or rather don't know that they know) anyone who uses cannabis and so rather than having the correct issue which is that it's fairly harmless—and almost certainly less harmful than alcohol—think of it as drugs. This thinking is of course encouraged by the way that drug education and propaganda in this country treats all drugs as more or less the same.

So, what if home cannabis production and use was legal? Well, I would foresee two effects. First, cannabis would get a lot more available. Cannabis production is basically gardening and fairly low-volume gardening at that. A single cannabis plant yields around .75-1.25 pounds of usable product. A casual daily user might go through an ounce of marijuana in a year. A very heavy user might go through an ounce of marijuana a month. Given that gardeners typically grow a lot more than one of any kind of plant, it would be easy for any grower to produce plenty to supply most of their friends full-time. My point here isn't that everyone would but simply that there wouldn't be any logistical barrier to doing so and so as a practical matter anyone who wanted to get marijuana would be able to.

The second effect is that you would expect semi-public marijuana use to become a lot more common, even if the total amount of marijuana use went down, since people would not feel the need to hide from their friends. I have friends who don't drink but they know I do and I don't feel uncomfortable cracking open a beer when they're in the room. If marijuana use were legal, one would expect to see people behave similarly (with the current social disapproval of smoking applying counterpressure here.)

Those are short to short-medium term effects. In the longer term, frequent contact between users and non-users is likely to lead to the non-users drawing the (proper) conclusion that it's quite possible to use marijuana without being an unemployed Phish-listening deadbeat who lives in your parents' basement. Doesn't it seem likely that this will produce a ratchet effect whereby marijuana laws get progressively looser and use gets a lot more common? I'm not saying that that's a bad thing, but it seems like a likely result of what Kleiman proposes.