Misc: May 2009 Archives


May 22, 2009

The NYT reports on a foiled terrorist plot to bomb some synagogues in New York City:

The men, all of whom live in Newburgh, about 60 miles north of New York City, were arrested around 9 p.m. after planting what they believed to be bombs in cars outside the Riverdale Temple and the nearby Riverdale Jewish Center, officials said. But the men did not know the bombs, obtained with the help of an informant for the Federal Bureau of Investigation, were fake.

Maybe it's just me, but if I were going to blow some stuff up, I would think I would want to test my gear beforehand. How hard can it be to find some unobtrusive place to make sure your detonators work, explosives are good, etc.? This seems like good practice even if you're not worried about someone giving you fake explosives. I mean, your average two man open source software project does regression testing before they release; you'd think if your project was killing a bunch of people you'd want to take a similar level of care.

Of course, since it's not exactly a secret that the FBI likes to run this kind of operation, an extra level of caution seems appropriate. For instance, you could pick a random sample out of the explosives, detonators, etc. test it, and then you have some kind of handle on the quality of the product. Your average movie drug dealer knows about this kind of cut and choose. Don't terrorists watch TV?


May 12, 2009

Joseph Hall models one of the t-shirts I made for participants in the California Top-To-Bottom Review.

For those who don't recognize it, here's the inspiration.

In other news, apparently I'm now a security guru.


May 5, 2009

After catching The Incredibly Hulk the other night, I wonder if we're starting to exhaust whatever vitality is left in the mainstream comic book movie (I still hope Watchmen will be good). Sure, Liv Tyler looks really good and a lot of stuff gets blown up and, but mostly it's just an incoherent mishmash of overacting, CGI, cameos (Bill Bixby, Lou Ferrigno, Stan Lee, and Rickson Gracie all make appearances) and in-jokes ("you wouldn't like me when I'm hungry"). Is this really the best 150 big ones can do? I hear Iron Man is good, though...

Wired sums up 10 confusing plots in a single page. Spoilers, naturally.

The Downfall remix meme reaches it's probably Zenith with Hitler's discovery that his Tesla will be delayed. Not safe for work.


May 4, 2009

Craig asks:
You also need your testing to include whatever tricks are used by the highway patrol administering the test in order to "trick" it into giving false positives. Maybe it's more likely to FP if you leave the device in front of the outlet of you car's heater or AC? Maybe it's more likely to FP if you hold it upside-down for 60 seconds before the guy blows into it? Analysis of the source code would be the simplest way of determining if any process-manipulation could result in more false positives, and then you could investigate in your defense whether or not any of those manipulations were in fact occurring in the field.

It's like voting machines. You can run a ton of lab test where you feed it fake votes and lo! it reports what you fed in. But when you have someone deleting batches of votes in the field in some odd way and it nukes some other batch... You discover that by accident, but then once discovered it's open to deliberate manipulation.

It's important to distinguish between accidental errors and deliberate malfeasance by the police. No matter how much effort we put into engineering the breathalyzer, I'm not particularly sanguine that we'll be able to build a system that is immune to tampering by the police. Even if the device always gives the right result for a given input, what stops the officer from just lying about the results? OK, so the device has some sort of digitally signed timestamp on each reading; the officer arranges to feed an alcohol-doped sample to the device. Maybe we can come up with some countermeasure to make sure that someone actually is breathing into it, but then maybe the police can find someone else who is drunk to take a sample from. Technical controls are good, but fundamentally the system assumes that the police are honest; remember that in traffic stops it's just your word versus the officer's. DUI arrests have technical evidence if they use a breathalyzer, but that evidence isn't designed to be proof against police tampering. If you're trying to stop that, you need a much stronger set of procedural controls, starting with videotape of the entire operation, the right to an independent test, etc.

With regard to the utility of source code, cerainly that will let you discover some kinds of errors, but only in the software portion of the system. This doesn't help you if the errors are in the sensors, or, worse yet, the sensor readings don't correlate tightly enough with the variable you're really trying to measure (namely BAC). I tend to be more inclined to do some kind of black box study, as Kevin suggests, comparing breathalyzer measurements to direct blood measurements.