EKR: February 2010 Archives


February 28, 2010

A persistent problem at races is long lines for the portapotties. I've actually missed the start of races because I was waiting in line. I've often wished that races would sell some sort of premier access where you would pay a little extra on your race fee and get to use special portapotties. (This is effectively Odlyzko's Paris Metro Pricing idea applied to a different kind of uh, resource.) Actually, what I would probably prefer would be a guarantee that the race would have an extra premier toilet for each X racers that paid for premier access.

Anyway, the New Orleans Rock and Roll Marathon seems to have implemented a more elaborate version of this:

To get your race off to the best possible start, we'll have comfortable, climate-controlled restroom trailers set up at the starting line. Running water, flushing toilets, and some Run Happy® surprises await.

To access this pre-race luxury, you'll need to snag a Brooks VIP Porta Potty pass in one of two easy ways:

1. Head to Varsity Sports between 2/1 and 2/27 and purchase $50 in Brooks or Moving Comfort apparel or Brooks shoes. Offer valid at both Varsity Sports locations.


2. Come to the Rock 'n' Roll Mardi Gras Marathon™ & 1/2 Marathon Health and Fitness Expo on Friday 2/26, or Saturday 2/27, and purchase $150 in official Rock 'n' Roll Marathon merchandise, Brooks apparel or shoes, or Moving Comfort apparel.

Either way, you'll receive a sticker for your race bib. The sticker is your race-day pass to Brooks' VIP Porta Potty, to be expertly staffed by Varsity Sports volunteers and Brooks employees,

It's hard to figure out how much this really costs: I don't wear Brooks shoes, but presumably I could find some Brooks gear that would be comfortable, so figure like 20% of the amount you're expected to spend, which isn't so bad. Anyway, I've got no objection to emptying my bladder in comfort, of course—and the portapotties at races can get pretty bad—but really my priority is being able to go without having to wait. I'd be interested to hear from anyone who was at this event and used this service how long the line was.


February 25, 2010

OpenDNS (a free DNS service) has decided to adopt DNSCurve to secure its traffic. Some background might be helpful here: DNS, of course, is susceptible to a variety of forgery attacks, which is why the IETF has spent approximately 10 trillion man hours developing DNSSEC. There's a fair amount of dissatisfaction with DNSSEC (I'm not that thrilled with it either) and Dan Bernstein has developed an alternative called DNSCurve.

At a very high level, the approaches stack up like this:

  • DNSSEC is an object security system. Each DNS zone has an asymmetric (public/private) key pair which is used to sign the records in the zone.
  • DNSCurve is a channel security system. Each DNS server has a Diffie-Hellman (actually ECDH) key pair. When a client connects to the server, it does an ECDH key exchange and the shared key is used to authenticate traffic between the client and server.

The primary argument for DNSCurve seems to be performance: DNSCurve has better performance than DNSSEC in two respects: the packets are smaller and under certain conditions the load on the server is lower. These properties are related but not identical. The packets are smaller partly because DNSCurve replaces the digital signature with a symmetric integrity check. These can be a lot smaller than digital signatures using RSA (and a fair bit smaller than even the smallest digital signatures). Second, because DNSCurve uses elliptic curve cryptography, the keys that need to be carried in packets are smaller. (This is mostly relevant in packets which carry the key for a zone rather than packets which carry other data).

The packet size argument is straightforward. The load argument is more complicated. As I noted above, DNSCurve uses elliptic curve cryptography, which is faster and has smaller keys than RSA (the basic algorithm used by DNSSEC). This means that it's inherently faster to set up a DNSCurve association than it is to sign a DNSSEC record using RSA. In addition, DNSCurve has a mechanism for the client and server to cache the DH shared secret. The upshot of this is that it's substantially cheaper to authenticate a new DNS record with DNSCurve than it is with DNSSEC. In the worst case, it involves an ECDH operation. In the best case, it just involves a symmetric crypto operation. So, in this respect the performance of DNSCurve is superior.

However, this isn't really a head-to-head comparison: in the DNSSEC model, you sign the zone once whenever it changes (possibly using a key that's kept offline) and then just send copies of it to any requester, so no cryptographic operations are needed after the initial signature. By contrast, because DNSCurve uses a symmetric, rather than asymmetric, integrity mechanism, the DNS server needs to compute that integrity check for each new request. This means that while DNSCurve is faster if you change your DNS data frequently and don't serve that many requests, it's slower if you don't change it often but serve a lot of requests. In addition, it means that while DNSSEC signing can be done offline with a key that is never on an Internet accessible machine, DNSCurve requires that the private key to the zone be kept on the DNS server, thus potentially exposing it to theft if the server is compromised. By contrast, if DNSSEC is used in an offline signing mode, then compromise of the server does not enable forgery attacks. Where DNSCurve has a major advantage is if your server provides dynamic responses (e.g., for DNS load balancing), in which case offline signing isn't that useful and the performance advantage of DNSCurve is most significant.

It's also worth noting that the use of faster algorithms isn't an inherent advantage of DNSCurve. DNSSEC (like all relatively modern COMSEC protocols) supports multiple algorithms and there have been proposals to add ECC (see, for instance, draft-hoffman-dnssec-ecdsa). An ECDSA-enabled DNSSEC would still be slower than DNSCurve if run in a dynamic environment, but performance would be a lot closer and how much slower would depend on how many repeat requests you got from the same client; if each client only makes one request, then performance would be more or less equivalent. The packet size of ECC DNSSEC would be a little worse, but probably not enough worse to make a big difference.

This isn't to say that there aren't other factors to consider (see the DNSCurve site for the other arguments in favor of DNSCurve). However, the performance argument doesn't seem to me to be dispositive, since which solution is faster depends on your deployment model and assumptions about the client environment.
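As an added illustration (not from the original post), here is a small cost model of the argument above: it counts server-side crypto operations per day for offline-signed DNSSEC, dynamically signed DNSSEC, and DNSCurve with and without shared-secret caching, and locates the request volume at which they cross over. The relative operation weights are constructed assumptions, not measurements.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OpCosts:
    """Relative server CPU cost per operation. Constructed for illustration
    (RSA signing is far costlier than an ECDH agreement, which is far
    costlier than a symmetric MAC); these are not benchmark numbers."""
    rsa_sign: float = 100.0
    ecdsa_sign: float = 10.0
    ecdh: float = 10.0
    mac: float = 0.1


def dnssec_cost(requests, rrsets, zone_changes, dynamic, sign_cost):
    """Signing work per day for a DNSSEC zone.
    Static zone: every RRset is signed once per zone change (possibly on an
    offline signer); serving the signed copies afterwards costs no crypto.
    Dynamic responses: each answer is generated, so each must be signed."""
    if dynamic:
        return requests * sign_cost
    return zone_changes * rrsets * sign_cost


def dnscurve_cost(requests, distinct_clients, cache_shared_secret, c=OpCosts()):
    """Server crypto work per day for DNSCurve: one ECDH per client association
    (or per request when the shared secret is not cached) plus one symmetric
    integrity check on every response."""
    if cache_shared_secret:
        return distinct_clients * c.ecdh + requests * c.mac
    return requests * (c.ecdh + c.mac)


def cheaper(requests, distinct_clients, rrsets, zone_changes, dynamic,
            ecc_dnssec=False, c=OpCosts()):
    """Name the cheaper scheme for a deployment; DNSCurve clients cache secrets."""
    sign = c.ecdsa_sign if ecc_dnssec else c.rsa_sign
    a = dnssec_cost(requests, rrsets, zone_changes, dynamic, sign)
    b = dnscurve_cost(requests, distinct_clients, True, c)
    if a == b:
        return "equal"
    return "DNSSEC" if a < b else "DNSCurve"


def crossover_requests(distinct_clients, rrsets, zone_changes, c=OpCosts()):
    """Daily request volume above which an offline-signed RSA zone is cheaper
    than DNSCurve, for a fixed population of secret-caching clients."""
    signing = zone_changes * rrsets * c.rsa_sign
    return max(0.0, (signing - distinct_clients * c.ecdh) / c.mac)
```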


February 14, 2010

OK, so I thought that the Dyson Blade dryer was scary, but check this out: gas plasma-based hand sanitizers.
Plasmas engineered to zap microorganisms aren't new. During the last decade, they have come into use to sterilize some medical instruments. But using them on human tissue is another matter, said Mark Kushner, director of the Michigan Institute for Plasma Science and Engineering and a professor at the University of Michigan in Ann Arbor. "Many thousands of volts drive the generation of plasma," he said, "and normally one doesn't want to touch thousands of volts." But the design of the new hand sanitizers, he said, protects people from doing so. Reassured by that design, about five years ago he put his naked thumb into a jet of microbe-destroying plasma at the lab of another plasma researcher.


The plasma cleaners make their antibacterial cocktails by running electrical current through air, said David B. Graves, a professor of chemical engineering at the University of California, Berkeley, who has worked on low-temperature plasma applications for 25 years.

Professor Graves is doing computer simulations of the chemical reactions that occur in the Morfill plasmas. The electric current ionizes the oxygen, nitrogen and water vapor in the air, he said, eventually creating the nitric oxide, hydrogen peroxide and particles that are so effective against bacteria, viruses and fungi.

OK, so I'm sold that it probably won't burn my hand off, but that doesn't necessarily mean that it's something I want to expose my hands to. Nitric oxide, for instance, is not very good for you:

Nitric oxide vapors are a strong irritant to the pulmonary tract. At high concentrations initial symptoms of inhalation may be moderate and include irritation to the throat, tightness of the chest, headache, nausea and gradual loss of strength. Severe symptoms may be delayed (possible for several hours) and include cyanosis, increased difficulty in breathing, irregular respiration, lassitude and possible eventual death due to pulmonary edema in untreated cases.

That sure sounds like fun!

Seriously, the relevant question here is how wide the difference is between the level at which the relevant chemicals deactivate bacteria, viruses, etc. and the level at which they cause side effects in humans. If there's a wide gap, then great, but if not, then we have to worry about how well the plasma generator is calibrated. In addition, there's the question of the effect of regular exposure (e.g., for health care workers). I'll be interested to see what safety studies show.

The EVT/WOTE 2010 Call For Papers is out: http://www.usenix.org/events/evtwote10/cfp/. This year, Doug Jones, Jean-Jacques Quisquater, and I are co-PC chairs (can you have three co-chairs?). Submit early, submit often.

February 8, 2010

I recently had occasion to rent a car from Enterprise (long story). As I picked up the car and prepared to drive away, I noticed that the tank was only half full. I pointed this out to the customer service guy and he informed me that this was part of their new "half full/half empty policy", i.e., ordinarily you get the car full and you bring it back full. Here, they give it to you half full and you bring it back half full. I couldn't quite tell if this was what Enterprise always does now or just something they sometimes do, but while it seems superficially the same as the original policy, it's actually quite a bit worse for the renter.

With the old policy, life was simple: you found a gas station close to the car return, filled up the tank, maybe grabbed a receipt, and dropped the car off. By contrast, what happens here is that you drive around, filling up the tank if necessary, and at some point you need to return the car. If you're over 1/2 full then you just end up gifting the remainder to Enterprise (who can just fill up the tank completely and require the next customer to return it full). (What, you were going to drive the car around until you had burned up the gas? Or maybe you were going to siphon it out into some empty Gatorade bottles...) You could, of course, never fill the tank above 1/2 way, but this is a huge pain. Even if you're lucky enough to be at less than 1/2 full when you need to return the car, you're unlikely to be exactly at 1/2, in which case you need to put some gas in. You're reasonably likely to overshoot (again, taking gas out of the tank isn't easy.), in which case Enterprise again gets some free gas.

Either way, this is likely to be a win for Enterprise and a lose for you.


February 6, 2010

For some reason, the silly idea of universal personal authentication for Internet users seems to have an undue appeal on tech executives. Here's Barbara Kiviat reporting on Microsoft's Craig Mundie:
What Mundie is proposing is to impose authentication. He draws an analogy to automobile use. If you want to drive a car, you have to have a license (not to mention an inspection, insurance, etc). If you do something bad with that car, like break a law, there is the chance that you will lose your license and be prevented from driving in the future. In other words, there is a legal and social process for imposing discipline. Mundie imagines three tiers of Internet ID: one for people, one for machines and one for programs (which often act as proxies for the other two).


Mundie pointed out that in the physical world we are implicitly comfortable with the notion that there are certain places we're not allowed to go without identifying ourselves. Are you allowed to walk down the street with no one knowing who you are? Absolutely. Are you allowed to walk into a bank vault and still not give your name? Hardly.

This is one of those ideas that comes up so often and initially seems like a natural analogy, but on closer inspection just starts to look confused.

First, a driver's license isn't principally a form of general purpose authentication but rather a permit from the state to drive. It has a biometric component in order to permit the police to determine that you're the actual holder of the permit and not someone who just has their license. Of course, because the license is so ubiquitous, it's widely used as a form of general ID, but if you do something to lose your license, the state will still issue you an identification card; indeed you can generally get an ID card even if you're ineligible to drive. (Here's what California has to say). So, on the one hand Mundie says you don't have a right to complete anonymity (which I at least sort of agree with) and that his proposed Internet driver's license would serve as a form of ID, and on the other hand, he suggests that you could lose your right to use the Internet for some unspecified set of misbehaviors. So, which is it, a permit or a form of ID?

Second, if it's a permit, under what conditions might it be revoked? Having your machine compromised? Failure to keep your software updated? If it's just for bad system hygiene then you're going to see a huge number of revocations. If it's for actual malfeasance then aren't you just going to revoke the licenses of people who would be in serious legal jeopardy in any case? Internet security problems come from two kinds of users: those who are genuinely malicious and those who are just careless. The problem with the first is finding them, not punishing them once you've done so. As for the second, revoking their right to use the Internet seems rather excessive.

On the other hand, if the idea is to just have a form of ID, then I don't really see why we need something government sponsored. Can't sites decide for themselves whether to try to authenticate you?


February 2, 2010

My friend Terence just got written up in the Stranger as the first purchaser of Caleb Larsen's A Tool to Deceive and Slaughter (hereafter ATtDaS). Briefly, ATtDaS is a black cube with some electronics inside that, when connected to the Internet, attempts to sell itself on eBay. (Current auction here). The purchaser is (allegedly) required to provide an Internet connection (semi-absurd EULA can be found at the auction site. sample quote: "Any failure to follow these terms without prior consent of Artist will forfeit the status of the Artwork as a legitimate work of art. The item will no longer be considered a genuine work by the Artist and any value associated with it will be reduced to its value as a material object and not a work of art.") and has to kick back 15% of the profits from the sale to Larsen.

Terence paid a stupefying $6400 for the privilege of not-really owning this object. Here's what he has to say for himself:

It sort of uniformly falls into two categories: either, That's an enormously appealing, thought-provoking piece of art, or the other thing is, That's the most foolish thing I've ever seen. They're really defensive about it.

I hang out with a bunch of computer security people because I'm a computer security person myself, so they want to know, are you going to hack the box? Is there some way to put it behind a firewall to slow it down so it can't sell itself? Which really adds a whole other dimension because you buy the box and the box immediately starts trying to escape from you. So part of the impulse is, is there a way I can subvert the process of it trying to escape from me? By doing that, you'd in some ways be removing the reason it's interesting.

I'm (of course) one of the people who suggested that it be firewalled off. Obviously, just firewalling it off would be cheating and arguably violate the license agreement (not that I'm convinced it's actually binding). But the natural security guy reaction is to try to find some way to stop ATtDaS from selling itself in some way that complies with the agreement. My suggestion was to firewall off eBay alone, or just forge TCP RST packets. This seems to me to comply with the relevant term:

Collector agrees that the Artwork will remain connected to a live Internet connection at all times, with disconnections allowed only for the transportation of the work from one venue to another.

Option 2 seems to be to "transport" it from its current venue in Seattle to a venue somewhere in the Himalayas via yak, Sherpa, or the like.

I tried to explain to Terence that this wasn't removing the interesting part but rather taking an allegedly subversive piece and going meta-subversive, but he didn't bite. Some people just don't appreciate art.