EKR: January 2010 Archives


January 24, 2010

A fair bit has been written about Google's "new approach to China":
Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident--albeit a significant one--was something quite different.


Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers.


These attacks and the surveillance they have uncovered--combined with the attempts over the past year to further limit free speech on the web--have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

I don't really see the connection between this incident and Google's decision to stop offering filtered access to search queries in China, at least in terms of protecting Google from future attacks. Let's say for the sake of argument that not only did the attacks originate in China but also (and as far as I know, this is unproven) that they were directly sponsored by the Chinese government. How does refusing to offer filtered searches help? It's not like the hackers (allegedly) used some vulnerability in the filtering software as their attack vector. Similarly, even if Google were to pull out of China, or even cut off all access to Chinese IP addresses, Chinese hackers aren't restricted to using IP addresses in Chinese address ranges; they can perfectly well use machines which are located in the US, either by using legitimately purchased accounts as stepping stones, or by using compromised American hosts, of which there are plenty.

I don't have any inside information, but it seems to me like a more plausible story (see this Slate article for an alternate view) is that Google thinks the Chinese government is behind these incidents and this is a way of retaliating against China, under the assumption that China would prefer to have some Google than none. I have no idea whether or not this is something China cares about, however. [Mrs. Guesswork observes that another theory is that Google was previously cooperating with China's surveillance efforts and feels like China overstepped their agreement.]

On a different note, it has been fairly widely reported that an IE 0-day was used in the attack, but Bruce Schneier claims that the hackers exploited a Google-created backdoor intended for lawful intercept (though he doesn't provide any sources):

(CNN) -- Google made headlines when it went public with the fact that Chinese hackers had penetrated some of its services, such as Gmail, in a politically motivated attempt at intelligence gathering. The news here isn't that Chinese hackers engage in these activities or that their attempts are technically sophisticated -- we knew that already -- it's that the U.S. government inadvertently aided the hackers.

In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.

Of course, both of these can be true. Even if Google built a surveillance tool for the purpose of lawful intercept, presumably it wasn't something you could just connect to without authorization, so I would imagine that you would need to do some hacking to get access to it (unless, of course, the password is "1234").


January 17, 2010

The NYT reports that NASA has cut the price of used space shuttles to $28.8 million, plus what I imagine is some rather expensive transportation. I'm also having some trouble figuring out how you're going to get it to the Space Shuttle shop to be checked out by their mechanic.

The main engines on the other hand, are a different story:

As for the space shuttle main engines, those are now free. NASA advertised them in December 2008 for $400,000 to $800,000 each, but no one expressed interest. So now the engines are available, along with other shuttle artifacts, for the cost of transportation and handling.

Space shuttle main engines appear to be relatively compact, around 5'x15' and 7000 lb, so about the size/mass of a Cadillac Escalade, but with exponentially worse gas mileage. Seems like you could get one onto a flatbed and have it shipped to your house for around $1000. Not sure what you'd do with it, though; maybe speed up your 4th of July BBQ.


January 9, 2010

I'm in the market for a new motorcycle and have been looking at the BMW R1150GS/R1200GS. Like cars, motorcycles have a lot of depreciation the minute they pull off the lot, and because you're fairly likely to drop your bike anyway, most people I know figure you might as well buy pre-dropped and look for a used model. But once you're buying used you have the problem of figuring out how much you should pay. KBB motorcycles isn't much help here because the market is small and the mileage varies a lot.

An alternate approach is to mine the available data on what people are offering vehicles for and use this to build an analytical model for predicting prices; this lets us figure out what the appropriate asking (which isn't the same as fair; more on this later) price for a new vehicle is and identify outliers in either direction.

Below, you can find the list of the relevant bikes on sale on CL for the past week or so:

   Asking   Model Year Mileage
1    7650  1150GS 2002   25000
2    7900  1150GS 2001   54000
3   14500 1200GSA 2006    3700
4    8500  1200GS 2005   54000
5   13700  1200GS 2007    3658
6    7400 1150GSA 2004   60000
7    5500  1100GS 1996   23000
8   11500  1200GS 2005   12000
9    7200  1150GS 2002   40000
10  11950  1200GS 2008   29000
11   9600  1200GS 2005   39000

I used a simple OLS regression model to fit this data, using the model year and mileage for the bike. The result is:


lm(formula = d2$Asking ~ d2$Year + d2$Mileage)

      Min        1Q    Median        3Q       Max 
-1360.040  -353.520  -150.358     2.140  1708.510 

              Estimate Std. Error t value Pr(>|t|)    
(Intercept) -1.201e+06  1.889e+05  -6.359 0.000218 ***
d2$Year      6.056e+02  9.423e+01   6.426 0.000203 ***
d2$Mileage  -7.631e-02  1.578e-02  -4.836 0.001294 ** 
Signif. codes:  0 '***' 0.001 '**' 0.01 '*' 0.05 '.' 0.1 ' ' 1 

Residual standard error: 975.1 on 8 degrees of freedom
Multiple R-squared: 0.9108,	Adjusted R-squared: 0.8885 
F-statistic: 40.84 on 2 and 8 DF,  p-value: 6.335e-05 

Our model predicts that each year the bike is on the road it loses about $600 in value and that it loses about $76 for each 1000 miles it has. [Note that I'm treating mileage and age as independent variables; it might make more sense to try to estimate "excess" mileage over some base value, but I don't have the baseline data I would need.] In any case, we're doing pretty well here: with only two predictors we are accounting for around 90% of the price variation. We can see this visually by plotting the price points against the best fit plane, as below:

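library(scatterplot3d)
fit <- lm(d2$Asking ~ d2$Year + d2$Mileage)  # the OLS fit summarized above
# Scatter the asking prices against year and mileage
s3d <- scatterplot3d(d2$Asking~d2$Year+d2$Mileage,xlab="Year",ylab="Mileage",zlab="Asking")
orig <- s3d$xyz.convert(d2$Year,d2$Mileage,d2$Asking)
plane <- s3d$xyz.convert(d2$Year,d2$Mileage,fitted(fit))
# Join each point to its fitted value: solid red if above the plane, dashed blue if below
i.negpos <- 1 + (resid(fit)>0)
segments(orig$x,orig$y, plane$x,plane$y, col=c("blue","red")[i.negpos],lty=(2:1)[i.negpos])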
(code ripped off from here).

Points above the plane (shown with red lines) are likely too expensive and points below (with blue lines) are worth checking out to see if they're good deals.
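
The same comparison in numbers, as an added example that is not code from the original post: it refits the model on the listings in the table above, ranks them by residual, and prices a listing that is not in the data. The candidate bike's year and mileage are made-up values, and the fit is written with data= (unlike the d2$ form above) so that predict() can take new rows.

```r
# Listings transcribed from the table on this page
d2 <- data.frame(
  Asking  = c(7650, 7900, 14500, 8500, 13700, 7400, 5500, 11500, 7200, 11950, 9600),
  Model   = c("1150GS", "1150GS", "1200GSA", "1200GS", "1200GS", "1150GSA",
              "1100GS", "1200GS", "1150GS", "1200GS", "1200GS"),
  Year    = c(2002, 2001, 2006, 2005, 2007, 2004, 1996, 2005, 2002, 2008, 2005),
  Mileage = c(25000, 54000, 3700, 54000, 3658, 60000, 23000, 12000, 40000, 29000, 39000)
)

# Same two-predictor model, written with data= so predict() accepts new listings
fit <- lm(Asking ~ Year + Mileage, data = d2)

# Residual = asking price minus the price the model expects for that year/mileage
d2$Expected <- round(fitted(fit))
d2$Residual <- round(resid(fit))
d2$StdResid <- round(rstandard(fit), 2)  # residual scaled by its own standard error

# Most underpriced listings first, most overpriced last
print(d2[order(d2$Residual), ])

# Expected asking price for a listing not in the data (constructed example values)
candidate <- data.frame(Year = 2004, Mileage = 30000)
print(predict(fit, newdata = candidate, interval = "prediction", level = 0.95))
```

With only 11 listings the prediction interval is wide, so the point estimate is a rough anchor for an asking price rather than a precise valuation.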

Obviously, we're excluding a lot of variables here. We haven't captured the condition of the bike, how desperate/motivated the seller is to get rid of it, what accessories it has, etc. Looking more closely at the data, the two most comparatively expensive bikes seem to come with a few more accessories, so this may have led the owners to think they could extract more money (I don't think this is really true, however, since often those items are valuable only to the original owner). For the purposes of selecting good deals, we would also like to know how flexible the seller's price is. It's possible that someone lowballing the price will also be less flexible because they've already built that discount into their price. On the other hand, they could be more motivated, so that could cut in the other direction. It would be interesting to get secondary data on how much these bikes actually sell for [you could get some of that information by seeing if repeated postings have lower prices], but while that data is available for houses I don't think it is for bikes.


January 8, 2010

Jennifer Leigh sent me a pointer to this article suggesting that running shoes put more stress on your legs.
Sixty-eight healthy young adult runners (37 women), who run in typical, currently available running shoes, were selected from the general population. None had any history of musculoskeletal injury and each ran at least 15 miles per week. A running shoe, selected for its neutral classification and design characteristics typical of most running footwear, was provided to all runners. Using a treadmill and a motion analysis system, each subject was observed running barefoot and with shoes. Data were collected at each runner's comfortable running pace after a warm-up period.

The researchers observed increased joint torques at the hip, knee and ankle with running shoes compared with running barefoot. Disproportionately large increases were observed in the hip internal rotation torque and in the knee flexion and knee varus torques. An average 54% increase in the hip internal rotation torque, a 36% increase in knee flexion torque, and a 38% increase in knee varus torque were measured when running in running shoes compared with barefoot.

Seeing as hip, knee, and ankle are major running injury sites— in fact, practically every major running injury I've ever had has been either at the knee or the ankle—this seems like it's something to pay attention to. The authors recommend that "Reducing joint torques with footwear completely to that of barefoot running, while providing meaningful footwear functions, especially compliance, should be the goal of new footwear designs." I already wear a relatively compliant shoe, the Inov-8 295, and while I don't have any data, it seems to have had a positive impact on a persistent ankle injury that has plagued me for years. I'd be interested to see this study repeated with a shoe deliberately designed to be as barefoot-like as possible like the Inov-8.

I do have a pair of the Vibram FiveFingers shoes, and while the advertising literature clearly suggests that you can run in them, I haven't really been brave enough to try it. There seem to me to be two issues here: First, the soles provide some protection but they're pretty flexible; I'm not sure that if you stepped directly on a rock it wouldn't be unpleasant. So, it seems like you would have to be a bit careful on trails. By contrast, asphalt is so unforgiving you would really need to have ideal form in order to avoid having some pretty serious impact forces. I'm still planning to go for a short run on a trail at some point, but I figure on taking it slow.


January 5, 2010

Check out this picture of the arrival escalator at SFO:

I'm not sure exactly what all these gizmos are, but they seem to be some sort of cameras, and one flashed at me as I was coming down the escalator to baggage claim. Note that even though I was coming in from Canada, these are positioned in domestic arrivals, so it's not just a matter of recording people entering the country. On the other hand, I didn't see any cameras on other levels, but maybe I just missed them.

P.S. Have you noticed how the new security measures that seem to be inevitably introduced after attacks, while perhaps not particularly effective, seem to line up pretty well with what the airlines wanted anyway? The rationale for the post-9/11 physical identification requirements is to support the no-fly list, but it also makes tickets non-transferable, which is good for airline revenues. Similarly, the airlines would prefer that people stayed in their seats (this makes beverage service, etc. easier) and brought less carryon, and tada, TSA delivers. OK, that's overstating things a bit; I don't really think TSA is deliberately designing security procedures to accommodate the airlines, but their policies, which generally restrict passenger choices, have acted in a way that shifts the balance of power between the airlines and their customers in a way that the customers probably wouldn't have accepted if those policies weren't presented as security measures.