EKR: October 2008 Archives

 

October 29, 2008

Mrs. G has been bugging me for weeks to get her an iPhone, so I checked out the Apple prepurchasing process. What a lose! One of the great things about the old iPhone was that you just bought the box and could activate it from home. Unfortunately, that was just too easy, so now you can do the initial steps at home but then you need to go into the store to show them your credit card, ID, etc. and pick up the phone. This is dramatically less convenient, especially because you don't get a complete rundown on your order from home—which makes life irritating for Mrs. G when she heads over to Apple. Also, they let you make an appointment but since you haven't selected your phone model, there's no guarantee that it will be in stock when you get there.

The rationale for the new policy has never been entirely clear to me, but my impression is that it was intended to stop you from buying the phone and then jailbreaking it without ever signing a contract with AT&T. Still, it's not clear to me why. Couldn't they just charge you one price for an unactivated (though still SIM-locked) phone ($400 is the nominal price + the early termination fee) and then a rebate when you sign up for an AT&T account? This would have much the same security properties, but be a lot more convenient for the user.

 

October 28, 2008

Another year, another set complaints about recording errors from DREs (ES&S, Hart). The general situation here is that voters report they tried to vote for candidate X and the machine reported a vote for candidate Y. Wallach's analysis of the Hart machines suggests that the machines are functioning as designed but that users are finding the UI confusing. The ES&S is a touchscreen machine and the alleged source of the problem is calibration errors. there's no inherent connection between the displays on the DREs and the sensors used to register your vote (see this article by Doug Jones) and they can get out of sync, registering the wrong votes.

Note that these aren't security issues: they're pure systems design issues, but that doesn't mean they don't present a problem. The calibration issues with ES&S machines present a particular difficulty, because the touchscreen can drift after it leaves election central, and then it relies on pollworkers or voters to notice the problem. Given how confusing these interfaces can be (cf. Wallach's post about Hart), it's an open question how many voters just assume it's their own fault and back up and correct their votes. This is especially likely if the machine is just slightly miscalibrated, since a slightly off-center press may register incorrectly, but a more careful on-center press will register correctly, leading the voter to attribute any problems to user error.

Assuming there's no easy software fix for the calibration drift (which I suspect there isn't) it's not exactly clear what to do. Potentially you could recalibrate for every user, but that adds time to the voting experience and is potentially another thing to confuse them. I've heard suggestions for bigger buttons, but that video looks to be off by inches (which actually makes me worry it's not a calibration issue but some other kind of bug), so that wouldn't fix it.

 
Tech lawyer Jennifer Granick's 2008 Election slate card is up. I'm a little puzzled by her argument against Prop 6:
PROPOSITION 6: Police and Law Enforcement Funding. Criminal Penalties and Laws: No
Shall of minimum of $965,000,000 of state funding be required each year for police and local law enforcement?

This proposition and Prop 9 are put on the ballot to (1) build more prisons and (2) send more people there. Incarceration is expensive and wasteful. Plus, here's what the Bay Guardian says about the main proponent of Props 6 and 9:

One man is largely responsible for both the misguided "tough on crime" propositions on this year's ballot: billionaire Broadcom Corp. cofounder Henry Nicholas, who has poured millions into the two campaigns. But a funny thing happened to Nicholas on the way to becoming California's poster boy for law and order. In June, he was indicted on numerous counts of securities fraud and drug violations (including spiking the drinks of technology executives with ecstasy and operating a "sex cave" staffed with prostitutes under his house).

Sex cave.

Isn't this an argument for prop 6? I guess not if you're not invited to the sex cave? Actually, WTF is a "sex cave"?

 

October 26, 2008

With the imminent destruction of Bloglines, I'm thinking of switching to Google Reader (I would really prefer to use NNW, but it crashes whenever I start it up on my Mac. Obviously, I could maybe fix this with enough tweaking but it seems like a bad sign.) Anyway, when I added EG to my test Google Reader feed, it seems to be missing about 90% of my posts. That seems troubling whatever RSS reader I happen to use. Obviously, if you're using GR, you may not see this, but if you do, I had posts on October 13, 15, 16, 17, 18, 29, 20 21, 23 and 24. What do you see? Actually, I'd be curious if people using any RSS reader saw something different. Also, if you know something about debugging GR and why it might not be picking up all my posts, please contact me, either in comments or at ekr@rtfm.com

UPDATE: The problem seems to only be with the Atom feed. But I'm getting that directly from MT and it looks fine to visual inspection, so that's kind of odd.

 

October 24, 2008

Put in your Etymotics (what? you don't have Etymotics? Get some), put on Peter Gabriel's Here Comes The Flood, close your eyes, and listen. Your ears will thank me.
 

October 23, 2008

Problem Statement
Once upon a time I had an old hard drive based iPod upon which I loaded my music collection. At some later time, I bought an iPhone which I loaded with some (though not all) of my music. At some even later date, the machine I was using to sync with went defunct, but that was OK because my music was still on my iPhone and it stayed there even after started syncing with my MacBook Air. Stayed, that is, until I installed iPhone release 2 which decided to blow away my entire collection as part of the install process, leaving me with no music. The good news is that I still had that music on my old iPod (those hard drives are tough). Your mission, should you choose to accept it: resurrect the collection.

Complicating Factors

  • The battery on the iPod is dead, so you can only get about 5 minutes of runtime without a power supply.
  • That generation of iPod can't be powered from USB.
  • The Air does not have Firewire.
  • iTunes doesn't want to let you suck data off an iPod anyway.

The bottom line here is that copying the data directly onto the Air seems impractical

Solution
Eventually I ended up plugging the iPod into my FreeBSD machine, which has a Firewire port. I used gtkpod to copy the music onto my hard drive (~10 GB). I then went to Frys and bought an 8GB flash drive ($29.99 + $15 mail in rebate, so a lot cheaper than a 16 GB) and copied half my collection onto the drive, then loaded it onto my Mac. Rinse, repeat. Elapsed time start to finish... Actually, I don't know cause I'm still copying the second half onto the flash drive; FreeBSD's USB drivers aren't very good. But it's taken me about 10 hours so far. Probably would have been faster to use the network.

One more thing: If you want to keep your files in an ordinary directory—which I do—you need to frob the "Keep iTunes Music Folder organized" and "Copy files to iTunes Music folder when adding library" toggles in the iTunes advanced preferences when you add the music to your library. Otherwise, you end up with two copies, the one you started with and the one iTunes makes.

 

October 21, 2008

One of the things I noticed in my review of OAuth was a pretty confusing section about entropy depletion:

The OAuth protocol has a number of features which may make resource exhaustion attacks against Service Providers possible. For example, if a Service Provider includes a nontrivial amount of entropy in Token Secrets as recommended above, then an attacker may be able to exhaust the Service Provider's entropy pool very quickly by repeatedly obtaining Request Tokens from the Service Provider.

...

Resource Exhaustion attacks are by no means specific to OAuth. However, OAuth implementors should be careful to consider the additional avenues of attack that OAuth exposes, and design their implementations accordingly. For example, entropy starvation typically results in either a complete denial of service while the system waits for new entropy or else in weak (easily guessable) secrets. When implementing OAuth, Service Providers should consider which of these presents a more serious risk for their application and design accordingly.

One hears concerns of entropy exhaustion occasionally in discussions of PRNGs, but it's sort of conceptually confused. Let's say we have some relatively slow source of true randomness, e.g., radioactive decay or Johnson noise. One way to use something like this is to take the input and shove it in a buffer (typically a FIFO). Then whenever a process asks for a random value, you read out of the buffer. If the rate of entropy consumption exceeds the rate of entropy input, elementary queueing theory tells you that eventually the buffer will empty and you'll have to block and wait for more entropy. That's approximately the problem that this document is talking about, though the randomness pools that systems actually use aren't this simple.

For this reason, among others1, you don't want to use this method for generating random numbers for protocols. As I mentioned previously, standard procedure isn't to use this data directly, but rather to feed it to a PRNG as seed input. This way you can extract an arbitrary number of bits without worrying about emptying the buffer. Obviously, this is only safe as long as there is a reasonable amount of seed data, but once the PRNG is seeded, you don't need to match the input to the output. It should be clear, of course, that this is information theoretically imperfect. If you have 100 bits of input entropy and you extract 200 bits of output, clearly an attacker with unlimited computational resources can determine the seed values and thus future values. However, if your PRNG is well designed, this should require 2^{n} effort where n is the size of the seed input, which quickly becomes impractical. Note that most PRNGs have a fixed internal state size (a few hundred to a thousand bits), so feeding in entropy beyond this doesn't buy you as much as you might think.

So, a well written application uses a PRNG seeded from some source of high quality randomness. However, likely some applications don't do this, and it's not helped by the fact that the random number devices on common UNIXen aren't consistent. E.g., on FreeBSD, /dev/random is a PRNG fed by kernel randomness, but on Linux /dev/random tries to track the amount of entropy input and will block when you read too many bytes whereas /dev/urandom is the PRNG which is seeded off the "true" randomness pool and doesn't block no matter how many bytes are read.

1. Another reason is that it's quite hard to get randomness sources where every bit of the measurement is random. Consider, for instance, a coin flip. There's a lot of randomness there, but most coins aren't completely balanced. However, a good PRNG can be fed only semi-random data and still make use of the entropy.

Acknowledgement: Thanks to Hovav Shacham for discussion about this post.

 

October 20, 2008

Newswire reports on a Korean claim that they can produce hydrogen from water vapor dramatically more efficiently than current processes:
He said "Our laboratory tests show that CO2, CH4, or N2O was dissociated by low energy. We also confirmed that hydrogen (H2) and vapor(H2O) was dissociated with similar efficiency (90% or more). Traditionally hydrogen is made by electrolysis. The electrolytic method uses 4-4.5 kwh energy for getting 1 cubic meter of hydrogen. Our method uses 0.1 kwh for the same volume of hydrogen. As known the high cost of electrolytic H2 does not allow to use it as a fuel.

I'm skeptical of this for two reasons. First, the standard method of hydrogen production isn't electrolysis, it's "steam reforming", which Wikipedia claims has an 80% efficiency. Second, the efficiency of electrolysis appears to hover around 50% (wikipedia again).Given this, it's hard to see how you can get an improvement of over an order of magnitude.

Even if we ignore these issues, the energetics seem problematic. The formation of H20 (gas) via the reaction of oxygen and hydrogen produces around 240 kJ of heat/mole of hydrogen. Running the reaction in reverse, we expect to consume around 240 kJ of energy/mole of H2, which gives us the thermodynamic limit for the amount of energy required to produce hydrogen from water. The article quotes .1 kwh/cubic meter of hydrogen. Assuming that's at STP, then that's about 50 moles of hydrogen (a mole of gas has a volume of about is 20 liters). So, if we divide by 50, we get .002 kwh/of hydrogen per mole. 1 kwh is 3.6x10^6 J, so if we multiply out (.002*3.6x10^6) we get an energy input of 7.2x10^3 J (7.2 kJ). So, unless I've totally forgotten my thermodynamics or I've screwed up my math somewhere (both are possible, I suppose), then I don't see how this result can be correct.

 

October 19, 2008

Joe Hall has a followup on the Kentucky domain names case (see here for background).
What's the upshot of all of this? To me, it's pretty scary: A state government moved to order seizure of domain names that it found were illegal "devices" and a judge issued an order demanding the transfer of these domain names before any hearing or opportunity to protest. The state has so far successfully argued that domain names are property and devices used for illegal gambling within Kentucky and that the 141 Domain Names defendants must identify themselves to have standing to contest the seizure and forfeiture. The last shoe to drop is that Judge Wingate, as part of his order from yesterday, ordered the state to rescind any forfeiture for gambling sites that block Kentucky gamers using geographical blocking methods (the wording was, essentially: Defendants who install a "software or device [...] which has the capability to block and deny access to [the defendant's] online gambling sites [...] from any users or consumers within the [...] Commonwealth [of Kentucky] and reasonably establishes to the [state] or this Court that such geographical blocks are operational, shall be relieved from the effects of the Seizure Order and from any further proceedings [in this action.]").

I'm no lawyer, but I find this whole thing really puzzling. I've got a simple question, though: is it in general true that courts in State X can serve orders on an entity located in State Y and actually have them enforced? As an example, say I'm a gambling outfit located in Nevada and I use a mail drop (non-government for simplicity) located in California, could a court in Kentucky force the mail drop to redirect all my mail to Kentucky?

 

October 18, 2008

Most of my running socks are Wigwam Ironman Ultralites, but I recently tried some of the Injinji Tetrasoks, which seem to be the preferred choice of a lot of the ultra guys. The Tetrasoks are more like gloves for your feet than socks: each toe is in an individual pocket, thus at least theoretically preventing blisters between the toes. Takes a little getting used to, but they're pretty comfortable, actually.

Anyway, this creates a new problem in terms of laundry: ordinarily, any pair of socks the same color make a pair, but tetrasoks are chiral, so if you just pick a random pair of socks you have a 50% chance of having two lefts or two rights, neither of which is very useful. So, with ordinary socks it's likely optimal to have all your socks the same because that minimizes your search cost (no matter what your laundry strategy is). However, the situation with tetrasoks is more complicated. Let's say that you have a pile of laundry and you pull items out one at a time. If a sock matches a sock you've already seen you pair it up. If not, you put it aside waiting for a match. If it takes time X to figure out what color each sock is, and tiem Y to tell whether it's a left or right sock, then if X > Y, then you want to get all socks the same color: you just have a working pile of socks (either left or right). When a sock comes in it's either the other side, in which case you pull a sock off the stack and put the pair away. If it's the same side, you put it on the stack.

On the other hand, if Y > X, it's a little trickier. You need to maintain a separate pile for each color. If you only have one of each color, then you only ever incur X, since the second of each color must be its match. On the other hand, if you have more than one of each color, then you incur Y + X because you need to know both which pile to look in and whether a sock is a match or just more of the same (this can be partially optimized when you've already paired up all but one pair of a given color, at which point you go back to incurring X for that color). So, the breakeven point here depends on how many different colors of socks the manufacturer makes. Injinji only makes three colors of this sock (white, black, tan) so it probably makes the most sense to buy all one color.

Extra Credit: Is the situation the same if you just throw all your socks in the drawer and then try to pick out socks later? Scanning for colors isn't the same as deciding what color something is...

UPDATE: Apparently this is a problem many others are concerned with as well.

 
In the comments, "Student: writes
I have never understood the deal with voter registration. It seems very odd to me.

The state is supposed to know who are allowed to vote. If the state can't even keep track of this you are bound to have cheating. So, why not just register everybody who are allowed to vote and tell them where they are supposed to vote. Works perfectly in Sweden. Unless you vote by mail you get the place where you are supposed to vote assigned to you (usually within a reasonable distance of where you live). Everybody votes on paper. The votes are counted by hand in each district several times and the results from 99% of the districts are in the same evening.

How does America manage to make voting such a hard problem?

I'm not going to defend the registration thing, but I get the impression a lot of non-Americans don't understand how different the American political system is and how it changes the dynamics of voting. In a typical foreign election, there may be one or two contests (my Swedish sources tell me it's often one). Americans vote on everything. My absentee ballot for the November general election (I'm working the polls so they recommended I vote absentee) has 24 separate contests (President, Senator, US Representative, State Senator, State Assembly, Superior Court Judge, County School Board, 12 state-wide propositions, 1 county proposition, 3 district propositions, and 1 local proposition). This isn't that unusual in California, and Joe Hall's thesis says that some counties can have up to 200 contests. So, the required level of effort in the us is between one and two orders of magnitude greater than in many other countries.

Experience with hand counting ballots in New Hampshire, which still does a fair amount of hand counting gives an estimate of about 6 seconds per contest/ballot pair in teams of 3 with the sort-and-stack method (reference from Joe Hall). If we assume 5 seconds for convenience, that gives 15 man-seconds per contest/ballot pair. If Palo Alto were to do a hand count of this election, then you would need about 6 man-minutes/voter and your team of 3 does about 30 ballots/hour. Looked at another way, if you want to get results in 3 hours on election night, you need 7 teams of 3 each for a precinct of about 1000 registered voters (this assumes about 2/3 turnout). For reference, in the 2004 General Election, Santa Clara had about 600,000 votes cast. In order to get results that night (which the current electronic systems do) you would have needed approximately 3,000 counters at a cost of about $1.39/ballot (estimate from Anthony Stevens of New Hampshire). As a reference point, California polling places can be staffed by around 5 people (and Stevens's numbers assume that the counters haven't spent the past 15 hours watching people vote), so you're probably looking at increasing the total number of people the County needs by a factor of 3-5.1

This isn't to say that voting in the US is somehow perfect, but for politico-structural reasons that have nothing to do with the technology employed, the scale of the election is quite different than in many other countries, so you can't really draw comparisons without adjusting for that.

Thanks to Joe Hall for helpful discussions about this post.

1.Hall reports that the Los Angeles County 1% manual recount can take weeks.

 

October 17, 2008

The Supreme Court has ruled for Ohio Secretary of State Jennifer Brunner. The background here is that there were a lot of new voter registrations in Ohio and the Republican party was trying to challenge many of those registrations on the basis of mismatches between the registrations and other databases (e.g., driverse license records). The Supremes ruled for Ohio on technical grounds, namely that HAVA doesn't provide a private right of action that the Republicans can sue under.

I don't have an opinion on who should have won this lawsuit—that's a question for lawyers—but it certainly seems likely that many of thee discrepancies are innocuous, as suggested by the Times:

Voting experts and state election officials have raised concerns about treating flagged voters differently because the databases used to check registrations are prone to errors. Most non-matches are the result of typographical errors by government officials, computer errors and use of nicknames or middle initials, not voter ineligibility, they said.

In one audit of match failures in 2004 by New York City election officials, more than 80 percent of the failures were found to have resulted from errors by government officials; most of the remaining failures were because of immaterial discrepancies between the two records.

For example, I generally don't use my middle name on official forms. My driver's license doesn't have my middle name on it, but my passport does, so what do I put on my voter registration? And when I move, do I have to remember what I had last time? That said, it's not clear how to resolve these issues in a system like the one we have now, where a lot of people don't register and we don't have any universal system of identification.

 

October 16, 2008

Prior to last night's debate there was a lot of talk about how McCain should "take the gloves off". This is actually kind of a confusing metaphor. If you punch someone with your bare hand, you have to be quite careful where you strike;if you hit someone square on on the skull, you have a pretty high probability of breaking some of the bones in your fingers. On the other hand, if you wrap your hands in gauze/hand wraps and then put on boxing gloves, you can strike directly at pretty much any part of your opponents body without too much fear of breaking your hand (which isn't to say that it doesn't hurt, by the way). The gloves don't really improve the situation that much for your opponent, who I can assure you, experiences a quite substantial impact. Of course, if you really want to "take the gloves off" you could dip your hands in broken glass (see also putting on the foil, coach).
 

October 15, 2008

John McCain has been having some trouble with people sending DMCA takedowns to YouTube for his videos. His campaign wrote to YouTube but they were uh, unsympathetic:
On a final note, we hope that as a content uploader you have gained a sense of some of the challenged we face everyday in operating YouTube. We look forward to working with Senator (or President) McCain on ways to combat abuse of the DMCA takedown process on YouTube, including, by way of example, strengthening the fair use doctrine, so that intermediaries like us can rely on this important doctrine with a measure of business certainty.

Lessig argues that political ads should be privileged:

Chris Soghoian of Berkman has a nice post about McCain/Palin's call on YouTube to review takedowns from campaigns before taking them down. He criticizes it as "special rules."

True enough, it is a special rule. But isn't it appropriate? For here's the new game for politics in the YouTube age: complain enough to get an account shut down (according to YouTube testimony, 3 complaints gets an account shut down (pg 17 near the bottom), and ideally, do it at the critical time just before an election.

Of course, no one should be subject to this arbitrary game. But especially a campaign. Let's start here and begin to build out from a clear example of bad incentives.

This strikes me as exactly backwards: unlike you and I, McCain is actually in a position to do something about DMCA abuse: he can introduce legislation to amend the DMCA to make takedowns a lot harder to send. Why should he be allowed to avoid the consequences of laws like this, as opposed to having his incentives aligned with mine?

Incidentally, I don't really understand why presidential candidates need YouTube. YouTube is providing three services here: (1) conversion to FLV (2) advertising and (3) bandwidth. You can get your own FLV converters and it's not like the McCain campaign really needs YouTube's mechanisms to help people find their videos, so this leaves bandwidth. Obviously, it's cheaper to have someone else host your data, but with FLV chewing up about .5 Meg/minute and bandwidth running at << $.10/GB (my not especially cheap hosting service provider will sell you a flat rate 100 Mbps port for $6500/month), it's not out of the question to just host it yourself either. This has obvious advantages including not having to deal with YouTube legal.

 

October 13, 2008

Senate Bill 381, signed by Governor Schwarzenegger, on October 1st, provides for online voter registration. Here's the statement from SoS Debra Bowen.
"Californians can pay bills and file their taxes online. Being able to register to vote online is the next logical step in making it easier for Californians to participate fully in their democracy," said Secretary of State Debra Bowen, California's chief elections officer. "This measure prevents fraud by limiting online voter registration to people who confirm their identity in a secure manner."

The online registration system will require registrants to provide their birth dates, the last four digits of their Social Security numbers, and the numbers from either a valid California driver's license or identification card. The Secretary of State may require additional information if it's necessary to establish a registrant's identity.

Registrants will be able to complete voter registration online using their digitized signatures that are already on file with the California Department of Motor Vehicles.

Unsurprisingly, there are some security concerns about a system of this type. I would break the major issues down as follows:

  • Authentication of voter registrations.
  • Corruption of the voter registration database via intrusions.
  • Privacy of voter data.

Let's take these in turn.

Authentication of Voter Registration
The first question to ask is whether the authentication here will be acceptably strong. I.e., will I be able to pretend to be you and reregister you to vote in King City, with the effect that when you go to your usual polling place you can't vote? I'm not talking about compromising the registration site, just lying on the form. Currently in order to register to vote in California you need to know your address, SSN or DL # and your birthday, plus you need to sign the form. The online site requires both the last four digits of your SSN and your DL #, plus the other information, but there's no need for you to sign your form. They just take your digitized signature off your drivers license.

Arguably, then, the online scheme is less secure: in the paper-based scheme, the SoS can compare the signature on your form to whatever signature they have on file for you (assuming they have one) and this presumably presents some barrier to forging registrations. That said, though, I suspect they don't do a very good job of verifying signatures on registration forms (actually, I don't know that they do any; credit card companies don't), and anyone who knows your SSN and DL #, probably has a good enough idea of what your signature looks like and they only need to get close enough for casual inspection.

On the other hand, because the online attacker needs both the DL # and the last four digits of the SSN, it's perhaps more difficult to impersonate a valid registration—though not very much so—than the paper-based system where only one of these is required. So, overall, this doesn't seem like a huge security hit from going to an online system.

Corruption of the Voter Registration Database
No matter what mechanism is used for authenticating users, any online system brings the risk that attackers could remotely compromise the registration site and corrupt the database correctly. Compromise of single voter registrations is already possible by simpler mechanisms (see above), but an attacker who had direct access to the database could do significantly more damage, for instance massively corrupting the database. Obviously, this creates a new opportunity for a major DoS on the election, especially if it went undetected before election day.

There are a number of mechanisms that could in principle be used to mitigate this kind of attack. The simplest is to have an airgap between the website and the database. For instance, you could have the server print out registration forms which are entered into the database in the usual way. Obviously, this removes a bunch of the efficiencies of having an online system, so it's not really attractive from that perspective. Alternatively, you could have some sort of frequent backups coupled with rate limiting of the number of changes allowed per day, but these checks themselves depend on the software doing the checks being uncompromised, which is hard to guarantee (though defense in depth is possible).

Compromise of Voter Privacy
If the voter database is directly connected to the registration site, then an attacker who compromised the site could potentially get a complete copy of the database. If the database contains sensitive information (the last four digits of your SSN qualifies here), then this is a potential vector for information disclosure. Again, this could be mitigated by having an airgap between the site and the database. Other potential mechanisms include encrypting the sensitive mechanisms in the database (this seems to be specified in the CalVote specification). [Technical note: you probably have to use public key cryptography here so that the site can encrypt the sensitive information before storing it in the database but even an attacker who has completely compromised the system can't decrypt the data.]

Bottom Line
The mass compromise issue seems to be the difficult issue here, both because it's so serious and because it's so different from the current situation. Superficially, it's a fairly standard computer security problem and it may be possible to mitigate it via the usual mechanisms, but the scale of elections and the time pressure under which they are conducted make it especially challenging.

 

October 11, 2008

After doing the Skyline-to-the-Sea 50K, several people encouraged me to do a 50 miler and I ended up selecting the Dick Collins Firetrails 50. Unfortunately, this event didn't go so well and I ended up DNFing. The problems started well before the race, my right patellar tendon was quite sore after Skyline-to-the-Sea and it wasn't helped by doing a 3-day backpacking trip at Desolation Wilderness. However, that was just an issue of soreness and I figured that in the worst case scenario I could just pop a bunch of ibuprofen and suck it up. Still, it was worrisome. Then, on Tuesday with 3 days to go, I managed to pull something in my back and spent the next three days sucking down vicodin and trying to avoid moving. I managed to get a massage on Thursday night which mostly cleared up my back, though it was still a bit tender. Then, on Friday, I finally managed to get in an easy run, and the interior part of my right knee started to hurt. After all this, I was fairly concerned that one if not all of these injuries would flare up today and take me out of the race.

The first few miles of this morning's race everything seemed to be going well and then, right on schedule around mile 4, my patellar tendon started to hurt. I figured I could deal with that and pressed and and then the interior of the right knee started to hurt. Again, it was just an ache so I figured I'd ignore it, until my left ITB started to hurt. This worried me for three reasons. First, it was a new injury—I've had ITBS before, but on the other knee, and not for years. Second, my last experience with ITBS wasn't fun and you can easily get to the point where it's so painful it essentially precludes running. Third, for some reason ITBS seems especially bad when running downhill, a serious problem in an out-and-back course with 7800 feet of climbing (and thus extension). I pressed on to the 10 mile aid station where I asked one of the workers whether if I had to drop out I would be able to get a ride back to the start or whether I'd be stranded (for obvious reasons I didn't want to get further and further away if I definitely had to run back). They said I could probably get a ride back eventually though I might have to wait a while, so I pressed on.

The next 7 miles actually went pretty well. There was an easy descent and then a bunch of flat trail and the pain in both knees started to subside. It may also have helped that I got stung by some bees (again!) and this took my attention off my knee. Things seemed to be going well: I was walking the hills but doing a solid 10 min/mile and feeling very strong up till the 18 mile aid station which was in the middle of a long descent. My left knee started to hurt again on the way to the aid station and immediately afterward the pain became acute. I stretched a bit and tried to walk it off but nothing seemed to help and after a few more tentative strides it became clear I probably had to drop out. I started limping up the quarter mile walk back up to the aid station [Incidentally, people kept asking me if I was OK as I was walking back. Nice sentiment (I suspect reflexive) but I'm pretty clearly not OK. OTOH, it seemed like I was being a jerk if I said "no" since I didn't need any help. I finally settled for saying "I can make it back to the aid station.] About 100 ft away I wasn't in quite as much pain and decided maybe I should keep going. I tried running a few tentative strides uphill and the pain in my knee was so sharp it basically buckled and I almost tripped. This seemed like a good signal I should stop.

I made it up to the aid station to learn that "eventually" was indeed a while, but it turned out that another runner had twisted his ankle and had called his wife. About an hour later, she came to pick him up and I hitched a ride back to the start and headed home. I spent that hour walking around and never got past the point where the range of pain-free motion in my knee was more than about 45 degrees, so it seems pretty likely it would have gotten a lot worse had I chosen to keep going. Even now, I only have about 100 degrees before it's painful and that's probably because I've been sitting around rather than running. That said, it's always a bummer to DNF, and after the usual rest/ice rehab, I expect to make a try at another 50 miler.

 

October 10, 2008

This Wired blog post covers the election for a Palm County Floria Circuit Court judge seat. Summary: the race was close and when officials went to do the legally required recount they couldn't find almost 3500 ballots (the election was run on optically scanned ballots). The resulting recount flipped the result of the election. Then when they searched for them they found them and an extra 200 ballots. When those ballots were counted, the result flipped back. In races this close, officials are required to examine rejected paper ballots, but then a review of the ballots indicated that 159 other ballots may never have been tabulated, potentially due to scanner discrepancies. Note that only the last of these is even arguably a failure of the voting hardware itself; the rest is just procedural failures.
 

October 8, 2008

I somehow pulled something in my back last night so forgive whatever writing comes through the Vitamin V. Anyway, I've been wanting to write about interpreting arguments through the filter of confirmation bias. Let me give you an example: someone is trying to convince you that eating meat is unethical. Halfway through the argument they also tell you that eating meat is correlated with a higher rate of heart attacks. How should you interpret this? On the one hand, this is an additional argument in favor of going vegetarian—presumably you wish to stay alive and so maybe if it's healthier you'd stop. Even if health isn't enough reason for you to switch, maybe the ethical argument had some impact but wasn't quite enough to push you over the edge, but combined with the health argument it's sufficiently convincing.

Here's the problem, though: whether eating meat is ethical has no bearing at all on whether eating meat is healthy (and mostly the other direction too, though of course if eating meat is unhealthy then there is a utilitarian argument against it being ethical). And yet people who believe eating meat is unethical are going to be a lot more likely to believe that eating meat is unhealthy (I would call this a form of confirmation bias). So, you immediately need to heavily discount the claim that eating meat is unsafe. Now, obviously, you can evaluate the arguments for yourself, but in real discussions you don't have time to completely evaluate every argument, so to some extent you rely on the fact that the person you're talking to has evaluated them and found at least the minimal factual assertions to be correct. Worse yet, you should consider discounting the claim that it's unethical: maybe there's some third reason that your interlocutor really has for being vegetarian and their ethical commitments are also the result of confirmation bias, so perhaps you should discount both their arguments, as well as any other arguments they happen to offer.

To give another example, Mrs. G recently had a conversation with a friend who's planning to vote Republican and one of the reasons he gave was some alleged political scandal involving Obama. I'm deliberately not naming it because it's irrelevant; it could just as well have been an alleged scandal involving McCain, and that's the point. Anyone who has been in the public sector for a while is going to have done some things that are questionable, or at least can be questioned. So, when tou an argument that Politician X's behavior was bad and therefore you shouldn't vote for them, it's important to figure out whether the argument is being used for support or ilumination. One test here is whether the person offering the argument thinks that any of X's primary opponents aren't corrupt. If they answer is "no", then this is suggestive (though not conclusive) of confirmation bias. What's more likely, that all of party X is corrupt or that you're the victim of confirmation bias and treating the sins of people you don't agree with more seriously than the sins of people you don't? And again, when someone offers me a lame reason for voting against X, it makes me discount their entire argument.

So, when someone offers me a bunch of logically independent reasons for policy X, my response isn't to treat them as additive, but rather that they're just throwing arguments at the wall to see what will stick, and I take them less seriously, not moreso. It's like resistors in an electrical circuit: multiple resistors in parallel have less resistance than any of the components, not more.

 
American Airlines has announced that it's going to filter pornography on it's in-flight Internet service:

FORT WORTH (AP) -- American Airlines says it will filter an in-flight Internet service to block pornography sites, reversing course after complaints from flight attendants and passengers. American said Tuesday it was working with technology provider Aircell to allow filtering of its nascent Internet service.

American, the nation's largest carrier, said it hasn't gotten reports of passengers viewing "inappropriate content" on the Gogo in-flight service but said filtering was "an appropriate measure to take."

The airline launched Internet service in August on some of its Boeing 767 jets that fly between New York and San Francisco, Los Angeles and Miami in a six-month trial.

This seems like a bit of an overreaction. First, downloading it while in the air is hardly the only way in which passengers could gain access to pornography. First, they could buy (or download) it prior to boarding. Some airport stores even sell skin magazines (which has always seemed odd to me). So, if you're really concerned about passengers viewing porn in flight, didn't you already have this problem? Is there any evidence that Internet access will make it dramatically worse? Moreover, now you have all the usual problems associated with filtering, especially deciding which sites are porn and false positives. Do you really want to be the flight attendant who explains to the customer who just paid $12.95 to access the Internet that American has decided to block his access to Mother Jones? And of course, it's relatively easy to circumvent this kind of blocking anyway.

 

October 6, 2008

I was down at the Santa Clara Registrar of Voters today they seem to be pretty interested in having you vote by mail, what with all the signs offering you to sign up for permanent vote by mail status. There was a chart on the wall, which I forgot to take a picture of that indicated their target of 400,000 v-b-m voters by the general election (there were ~600,000 votes in Santa Clara in the 2004 election). The clerk who I talked to tells me that it used to be really hard to sign up for v-b-m (you had to demonstrate serious hardship for in-person voting) but that now it was really easy. In any case, if we get to the point where a really large fraction of voters vote by mail rather than in person, then we may need to seriously adjust the threat model to match.

In particular, one of the issues that often gets a lot of airtime in discussions of new voting systems is how to prevent vote-buying (or coercion) attacks, including those where the voter cooperates with the attacker. But in vote-by-mail scenarios, it's pretty easy for the attacker to have you give them a copy of the ballot and then fill it in and mail it themselves (especially if voters aren't allowed to change their vote after the ballot is submitted, but I doubt that even if you can revise your ballot most people will bother to in order to cheat.)

Oh, i should mention: if you plan to work the polls, they recommend you vote early or by mail because you probably will be assigned somewhere else than your own precinct and so won't have time to vote yourself on election day.

 

October 5, 2008

Recently there was an extensive discussion going on on the Cryptography mailing list about how to build cheap hardware based random number generators. For those of you who aren't crypto or comsec specialists, the background goes something like this: most cryptographic protocols require a reliable source of numbers which are unpredictable to your adversary 1. For instance, in SSL/TLS the client (your browser) generates a random cryptographic key and sends it to the server encrypted under the server's public key. If the attacker can predict that random key, then he can decrypt the connection, as was famously shown by Wagner and Goldberg. So, having good randomness is important.

As I mentioned previously, standard procedure in comsec applications is to use a cryptographically secure PRNG which is seeded with data which is unpredictable to the attacker. But this still leaves us with the question of how we're going to seed the PRNG. The most common thing to do is to seed it with system events (network packets, drive timings, etc.). In principle, of course, this isn't entirely unpredictable: if you were on the same network as the target machine you could observer packets; if you knew the layout of the drive, you might be able to predict how long things would take, etc. (and older PRNGs that weren't wired into the OS used fewer sources of randomness). In any case, these sources aren't physically random the way that, say, radioactive decay is. There's a nontrivial contingent of the security community which is extremely interested (some would say obsessed) in physical/hardware random sources of randomness. [This goes back at least to von Neumann's famous statement about those who consider arithmetical methods of producing random numbers being in a state of sin.] The thread I'm pointing to above has a variety of suggestions for cheap external hardware randomness sources.

My general intuition is that while this sort of thing doesn't do any harm, it's not really necessary either. The amount of entropy you actually need to have a secure system is surprisingly small: 80-128 bits is enough in most situations, and most systems gather that kind of entropy in the normal course of business. For instance, in a system with a GUI, just collecting the low order (odd/even) bit of each mouse click coordinate gets you to 128 bits in 64 clicks, which isn't much. Even on unattended systems, there's probably enough timing randomness in hard drive behavior to get you to 128 bits relatively randomly. Even in cases where there aren't any unobservable behaviors and the PRNG is basically broken, the effort to reverse engineer the state of the PRNG becomes near prohibitive very quickly, as is the case with the Debian PRNG and DHE vs. RSA [*]. I'm not aware of any evidence that well-designed OS-based PRNGs like /dev/random are vulnerable because of insufficient entropy gathering.

1. Technical note: not as many as you'd think, though. Many protocols use random numbers in contexts where only unique numbers are required. For instance, in SSL/TLS and IKE it's standard practice to use cryptographically random nonces (called "Random" in TLS). However, the security guarantees of the protocol apply as long as the numbers are unique—you could probably just use a counter. The advantage of using long random numbers is that you don't need to store counter state to ensure uniqueness.

 

October 4, 2008

An acquaintance recently brought me a homework problem which asked roughly "True or false: If you had x-ray vision you could read a book without opening it." Phrased like this, I'm reasonably confident the answer is "False", but it's a bit complicated to analyze.

First, we have to ask what x-ray vision is. It's natural to think of it as being like ordinary vision, i.e., your eyes are sensitive to x-rays. This doesn't make any sense, though: ordinary vision works because there is ambient light in the visible spectrum (from the sun, indoor lights, etc.) and it reflects off ordinary objects. What you're seeing is that reflected light. But there's next to no ambient x-ray radiation in the ordinary environment, so even if you could detect x-rays, it would be like trying to see in the dark.

So, in order for some sort of x-ray vision to work, you'd presumably need to be emitting some sort of radiation to illuminate the subject. Assuming that the source is attached to you, then x-ray absorption/transmission measurements (like with medical or dental x-rays) won't work, but x-ray reflection or x-ray fluorescence (XRF) will. The other possibility is that you're emitting some other sort of radition that the subject absorbs and then fluoresces in the x-ray region (really, it could be in any region, but remember we're calling it x-ray vision, not hard radiation fluorescing in the visible vision).

There are actually at least two aspects to this question:

  1. Can you use x-rays to distinguish ink from paper?
  2. Can you resolve the letters on individual pages?

I suspect that the answer to (1) is "Yes". Older inks, at least, often contained metals (e.g., iron gall ink), and so should have fairly different spectra from paper. In fact, this article describes the use of just such a technique: XRF to find iron gall inks in the Archimedes Palimpsest. It's less clear how modern inks would respond. I've seen some articles suggesting that x-ray fluorescence spectra of modern inks also are distinguishable from the background paper spectrum (see this article on cyan ink and this paper that mentions the use of XRF on postmark inks).

This only answers half the question, because books aren't just one page: they're a bunch of pages on top of each other and so even if the ink does fluoresce differently from the paper, you still need to read the book. There are a bunch of possible problems here: first, if you're using XRF possible your fluorescence isn't in the x-ray, it may get blocked by the paper on top of it. But let's assume you're irradiating in the hard x-ray and your fluorescence is in the soft x-ray and makes it out of the paper; we still have to ask whether you can spatially resolve the letters. This partly depends on the characteristics of your x-ray source.

If it's an uncollimated point source like a lightbulb, then you'll irradiate the whole book and each letter will be an independent emissions source, each of which will also be radially symmetrical, plus all the background noise from each sheet of paper. It's not at all clear you can disambiguate these sources. If you have a collimated source, the situation may be a little better, since then you just get a bunch of point sources along the line the beam is taking through the book). That's probably still not enough though, since the fluorescence from multiple radially symmetrical point sources still overlap on your eyes, and you need to distinguish light which is coming from incredibly small angular displacements (the thickness of a piece of paper apart at a distance of 10s of centimeters away). If you were able to take measurements from multiple independent angles like in a CT scanner, then you would have enough information to resolve things, though with an extremely large amount of computation. There are also multiple beam techniques like four-wave mixing, but that also seems biologically unlikely.

Bottom line, then, I think the answer is "False". I.e., it probably is possible to spectroscopically read books without opening them, but I doubt you could do it with any plausible (or even implausible) biological process.

Extra Reading: Man of Steel, Woman of Kleenex

 

October 2, 2008

I'm one of these people that runs cold (even more true now that I have no hair), so I tend to get cold on camping trips, especially as I tend to get up ahead of my backpacking partners and have to sit around outside the tent waiting for them to wake up. After a pair of trips last fall and this spring where I made the mistake of underestimating how could it would be—and in the spring trip failing to let me tent ventilate enough leading to condensation soaking into my down bag—I decided to get serious about staying warm and buy a heavier jacket and a high-end sleeping back to replace my REI sub-kilo. After a bunch of research, I bought a Patagonia Lightweight R4 jacket and a Western Mountaineering Versalite bag.

Patagonia Lightweight R4
The lightweight R4 is a stripped down version of Patagonia's super-warm R4 windproof fleece. It's got a layer of windproof material sandwiched between two layers of fleece/insulator. I got the lightweight R4 instead of the regular R4 both because it's lighter (270 g less) and a little less warm and I was informed by the Patagonia salesman that I would be too hot in anything besides winter camping with the regular R4. Worn with a long sleeve capilene 3 shirt, the LR4 seemed warm enough for sitting around in the low-mid 40s, but I did find I needed a hat (bald, remember) and in one case long-johns underneath my lightweight camping pants. This is right on the edge for me, since I wasn't overwarm. On the other hand, I'm not sure the jacket was the limiting factor and I did have a couple more layers of clothing I could have put on. I think for a winter trip I'd also bring my R1 hoody. The LR4 does take up a fair amount of room (2 liters?) in my pack, which is a lot when you're carrying a big bear bin, but I was able to get everything in. It also makes a good pillow when stuffed into your pillowcase—much better than my usual "stuff the next day's clothes and your laundry in" theory.

Western Mountaineering VersaLite
In terms of staying really warm, a sleeping bag really is the most important backpacking item. After a bunch of research I decided on the Western Mountaineering VersaLite which is a 2 lb 20°ree; mummy bag. In terms of warmth, the VL seems like a big improvement over the sub-kilo. I haven't been cold since using it. I'm a little skeptical of the 20°ree; rating, but that's solely based on never having overheated while using it, even though I was fully zipped up (though not really tucked into the hood). On the other hand, if I'm really camping in the winter I should have plenty of long underwear and the like so I should be able to stay warm even if the rating is a bit aggressive. I have two minor negative comments. First, it would be nice if it came with loops on the outside so I could use straps to attach it to my pad. I'm getting better at not rolling off but this would still help. Second, it comes with a pretty lame stuff sack that's quite large and isn't a compression sack. After confirming with WM that it wouldn't damage the bag, I went out and bought a Sea to Summit Small silnylon compression sack which I use instead. This crams the bag down pretty substantially—with work I can get the straps tightened all the way. It's not that the compression sacks are expensive, but for a premium bag it would be nice to have one included; this would also let you know that it was OK to use it without having to call the company.

 

October 1, 2008

Monday night Brian Korver and I got back from a backpacking trip to the Desolation Wilderness, mostly on the PCT:

Trip Summary: (map, pics) Echo Lake to Lake Aloha on the PCT. Over Mosquito pass to Clyde Lake. North to Velma Lakes Trail. Over to the PCT at Middle Velma Lake. South back to Echo Lake trailhead. Two days of hiking (Spread over 3 days), 30 miles, 5+ kft. [Note: statistics from TopoUSA. The Tom Harrison Maps think this was a few more miles.]

This trip has been delayed twice now (since May!). The first time I was sick, the second time Brian was sick. But we finally managed to get out the door last Saturday.

On the first day (about 3 PM) we started at Echo Lake and went north on the PCT. This part of the PCT is really busy this time of year (other people are just as capable of doing the math about how it's close as we are) and we spent the first stretch up to about Lake Aloha dodging people on the trail. We actually saw a ranger who wanted to see our trail permit—first time that's ever happened to me—though he thanked us profusely for getting one (even though it's required). One wonders how many people don't. Much of this section was over scree and talus and the footing was tricky and very tiring. By the time we reached the top of Mosquito Pass our feet (and my right knee) were quite sore and we were glad to see the turnoff to Clyde Lake. Unfortunately, Clyde is actually pretty far down the hill from the turn and we had trouble finding a good site near the rocky lake, especially as it was getting dark. We ended up camping at a small flat spot right off the trail which turned out to be super-comfortable and pleasant ((pic)), except for the long walk to the water. I tend to get up early but there was a great rock where I could turn my thermarest into chair and get some reading done (pic).

The second day was our long day (~14 miles) and we knew we really had to make Gilmore Lake or it was going to be a long Monday. The trail was a mix of wooded dirt and wide open, unshaded talus and by the time we reached Fontinillis Lake and the climb up to Dick's Pass it was threatening to rain, so we had to push hard to make Gilmore Lake before it got dark or we got rained on. Early on in the day we thought we'd seen signs of bear (if you know how to identify bear scat check it out here and let me know) but we never actually saw anything bigger than a woodchuck. We got to Gilmore Lake, which is a small, flat, round lake nestled in some cliffs (pic) around 6, and saw the first people we'd run into all day who had already camped. We camped a bit away from the lake nestled in some trees.

The next day we headed back to Lake Aloha and to the trailhead. This was mostly downhill but over a lot of talus. The rain that had been threatening the day before finally showed up a bit and it intermittently drizzled on us all the way down. Really, we were incredibly lucky because it never actually rained seriously and we never got really wet, but the rocks got pretty slippery towards the end. Finish time ~3:10 PM.

Overall, I'd recommend Desolation for a weekend trip. While the terrain is as empty as the name suggests, due to proximity with the Bay Area (about 3 hrs away), the hiker population is pretty high. Weather was generally good and there weren't any bugs. If I had time, though, I'd probably rather go somewhere a bit further away and less popular.