Educated Guesswork

Obesity and voting patterns

I happened to be doing some research and found the CDC's map of obesity in the US (the shading indicates the fraction of the population with BMI >= 30).

It kind of reminds me of those red state/blue state maps that were so popular after the 2001 election. Here for instance is Brad DeLong's map shaded between red and blue (blue is Gore):

Note that I'm not making any strong claim about significance. I haven't done any statistical testing. It just seemed to me that there was a visual similarity.

The Martian anthropologist goes to the movies

Lisa, Terence, Wendy, and I went to see a movie last night and I've got some questions:

1. My theater claims to ban all video recording devices. The sign includes a picture of a camera phone. Who are they kidding? Are they going to start strip searching me to take away my Treo 600?
2. Why do they tear your tickets? The obvious theory is that it's so that you can't give a ticket to someone else and let them reuse it, but think about it for a second. They let you use your torn ticket to get back into the theater. Seeing as they don't look at you as you exit the theater to go to the bathroom, it's not like this actually works as a security measure. Our best explanation, suggested by Terence, is that it's to force the ticket-taker to actually look at and handle the ticket, thus making it more likely they'll detect fake tickets.
3. At the AMC Shoreline that we go to, there are two kinds of seats: seats that recline and seats where the armrests go up. (The rows alternate). So, you have to choose between leaning back or putting your arm around your girlfriend. My theory is that this is intentional--making it uncomfortable to make out whichever row you choose.

Answers welcome.

The periodic table of Perl operators

When your language has so many operators that you can arrange them into a periodic table, it may be a sign that things have taken a seriously wrong turn somewhere.

P.S.A. testing

This article in the NYT is kind of disturbing. Apparently the current threshold for a positive prostate specific antigen (P.S.A.) test (used to detect prostate cancer) was pretty much chosen out of the air:

Unfazed, Dr. Catalona began his own P.S.A. study with the support of Hybritech, in which any test result over four nanograms was considered abnormal. But that cutoff, the same as in the Hybritech paper, was adopted "just sort of arbitrarily" he said.

The usual sort of study to validate a screening test would determine how likely the test is to miss a cancer that is there and how many times it points to cancer when none is present. But Dr. Catalona's test instead asked only how often cancers were found and how the men fared after treatment.

In 1991, his findings appeared in The New England Journal of Medicine. That, said Dr. Peter Albertsen, chief of urology at the University of Connecticut, convinced urologists. Four became the standard.

But some say it has resulted in way too much testing and way too many biopsies. Dr. H. Gilbert Welch, a professor of medicine at Darmouth College and at the Department of Veterans Affairs Medical Center in White River Junction, Vt., attributes the appeal of the number four to "digit preference." Doctors, he said, like whole numbers, they like clear results.

Unfortunately, he said, cancer, and prostate cancer in particular, is not like that. "If the P.S.A. gets very high, it is telling us something," he said. But lower levels, certainly levels below 10, lead to the discovery of microscopic cancers that no one understands. Most are harmless and will never grow. Some are dangerous, but there is no way of distinguishing between the two. "We just don't know what it means," Dr. Welch said.

Any testing procedure has this kind of problem, of course. You have to trade off false positives for false negatives. What's puzzling is that noone seems to have explicitly decided on what those numbers should be.

It's actually a pretty difficult problem in general to decide on such testing thresholds: a false negative means that you've failed to treat someone with cancer. They may die. A false positive means that you force some guy to undergo a biopsy and perhaps prostate removal. Not fun, but probably more fun than dying. So, you generally want to bias in favor of false positives instead of false negatives. But how many false positives is worth a single false negative? Doing that requires some model of the cost of each kind of mistake, which most people aren't prepared to explicitly assess (hence the controversy over mammography).

Important scientific results

Last week I conducted an extensive trial in airplane noise isolation. The subject, a 31 year old male, was confined on an airplane and placed 3 meters from a screaming infant (age 1.5 years, mean scream intensity 95 dBA, sigma=15 dbA). After 20 minutes, the subject filled out the standard Crom¹ aggression questionnaire and scored an urge-to-kill of 10.2. The subject was then provided with an Apple iPod (40 GB, white) and a pair of Etymotic ER-6s. After a 20 minute acclimatization period, the subject retook the questionnaire and scored 1.5, representing an 85% reduction in urge to kill (p = .02, 95% CI=.75-.95).

^1. Milius, J., and Schwarzenneger, A., Conan the Barbarian, Journal of Slaughter, 1982.

The Paradox of Choice at Bally's

I was in Washington DC for a meeting and needed to get some weight lifting in. There was a Bally's Total Fitness nearby and I figured on paying the drop-in fee of $15 or $20. No problem. When I got to the gym they informed me that the way things worked was that if I bought $15 worth of Bally's nutrition supplements I could work out for free.

There's only one problem: I didn't need any supplements and I'd just have to carry them home with me. $15 worth of protein powder comes in a tub about the size of a coffee can, which I'd have to stuff in my luggage. I asked the clerk whether I could buy a t-shirt instead. Nope, only supplements. Finally I settled on a couple of bottles of glucosamine ($7.49/each) and convinced the clerk to call it $15 and let me in.

But while rummaging through the jars of pills I started to get really annoyed. I'd come work out but that wasn't what I was doing. Instead, here I was trying to find some set of supplements that would cost me exactly $15. What a waste of my time!

But let's take a step back and think rationally: I'm sure I could have convinced them to just take $15, or in the worst case just bought $15 worth of stuff and thrown it away. When I walked in the door, I expect value proposition A:

A. I give them $15 and I work out.

Instead, I was offered value proposition B:

B. I give them $15, get some supplements, and work out.

Now, B pretty clearly dominates A, and as I just pointed out, I can turn B into A by just discarding the supplements. Yet here I was paralyzed by the decision of which supplements to buy to discharge this bogus obligation. I don't even have the excuse that I'm trying to avoid going over $15. I could easily have bought $15.50 or so worth of energy bars (which I eat anyway) and then only eaten a few. Unfortunately, some part of my brain seems to have completely bought into the sunk cost argument and won't let me just throw away the remainder. Outstanding.

That government turnover thing

Maybe I've missed something, but is the Bush Administration going to lay out the the plan for the new Iraqi government at some point? We're supposed to turn it over in <40 days, right? And there isn't a public draft of the plan? It takes a minimum of like 6 months for the IETF to go from a first public draft to your average 3-page standard defining some new MIME content type--and we're going to set up a full government in 40 days?

A roaring rampage of ripping

The first order of business once I got my iPod was to load music onto it. I'd already made a sort of cursory stab at ripping parts of my CD collection, but unfortunately I'd ripped most of it in Ogg format--don't ask me why; it was a moment of foolishness--and so I had to rerip it all in MP3, as the iPod doesn't understand Ogg. To make matters more intersting, I'm a FreeBSD user and so I can't use iTunes--iTunes doesn't run on FreeBSD.

That said, the actual ripping stage requires a lot of different tools but is pretty straightforward:

• dagrab to read the audio off the CD.
• lame to MP3-encode the data.
• id3v2 to tag the MP3s
• abcde to run the whole process.

So far so good. I've got the MP3s on my computer. Now to copy them onto the iPod. Here's where things start to get messy. I first tried gtkpod, which is a GTK-based iTunes clone. gtkpod is a classic piece of Open Source software in that it appears to have been written by someone who's seen screenshots of iTunes, but has never actually used the thing. The most annoying thing about gtkpod is that it doesn't seem to keep any local information about the state of your music collection or of the iPod. So, when you first start up, the first thing you have to do is load up all that information, which takes forever. We're talking tens of minutes here. Not acceptable. Now, maybe there's some way to cache this data on disk, so you don't have to load it up again, but it wasn't obvious how and it sure doesn't happen on it's own the way that iTunes does. GAAAH!!!

After giving up on gtkpod, I ended up using gnupod. Gnupod is Basically, it's a series of perl scripts that let you add songs to the iPod, delete them, etc. a great example of the annoying command-line aesthetic, but at least it mostly does the job. I've got three complaints about it, one trivial and two major. The trivial one is that it doesn't work directly on the iPod database. Instead, it's got some "open" XML database format and so you've got to translate that format back and forth--because despite the fact that it's "open" neither the standard tools nor the iPod itself know about it. The documentation contains the usual justifications for this design choice which are too silly to reproduce. (You can see for yourself here. What makes this choice doubly annoying is that you need to explicitly sync the databases. Why don't the gnupod tools do that automatically? I could write wrappers, of course, but I shouldn't have to.

The two major complaints about it are as follows. First, playlist support sucks. Believe it or not, gnupod playlists are XML files and you're somehow expected to add XML playlist entries like:

<playlist name="sweet">
 <add id="1" />
 <add id="2" />
</playlist>

Second, there's no apparent support for synchronizing your hard drive and the iPod. Given the crappy gnupod UI, the thing that's most obvious to do is maintain a mirror of all your music on your hard drive and just say "whenever I rip something new, copy it to the iPod". Instead you're reduced to doing

find . -name '*.mp3' -print | xargs gnupod_addsong.pl 

And don't forget to run mktunes.pl afterwards because if you don't the iPod won't know about all that stuff you just added!

Again, I could write tooling to do this job for me. It's almost trivially easy. And of course, in typical Open Source fashion out that there's some other script that will do it for me. Does it work with gnupod? Who knows?

To pre-empt a bunch of "it's free, so what are you complaining about" responses, yes I'm grateful that the people who took the time to write these tools, and they're certainly better than nothing. That doesn't mean they don't suck.

Yeah, yeah, I know. Get a Mac. Maybe someday, but not yet. Still too attached to the nice features of FreeBSD.

Impossible features

When I first started working in security, we used to regularly get requests for two features that people thought secure messaging (in those days this meant e-mail) systems ought to provide and didn't:

• Return receipts.
• Message self-destruction (you know, like in Get Smart).

Whenever someone would ask for one of these features we'd be force to nicely explain (well, as nicely as a 23-year-old knowitall can) that although these features sounded like great ideas we simply didn't know how to do them and strongly believed them to be impossible without major restructuring of the universe. Of course, the fact that something is impossible never stopped people from trying to do it, and over the years there have been a number of attempts to do each one.

The first thing you need to do is distinguish between "cooperative" and "mandatory" systems. It's relatively easy to design a system that provides this kind of feature as long as the recipient cooperates. What's difficult is to design a system that works if the user doesn't cooperate, and that's what systems like this typically falter on.

Return Receipts
The idea behind the Return Receipt feature is simple. You want to know if the recipient read your e-mail. Optimally you'd like a signed receipt indicating that they had. The obvious problem is: what stops them from just reading your message and not generating a receipt. In general, the answer is nothing. Sure, you can write a piece of software which always generates a receipt but there's nothing that requires the user to use that software and not some other to read your e-mail. Why would they want to do that? Plausible deniability. After all, a lot of the reason you want the receipt is to take away that deniability.

There are five basic responses to this observation:

1. Give up.
2. Denial--simply ignore the problem. Ed Felten has a nice writeup today of a system that took the denial strategy.
3. Acceptance--rescope the feature so that it's only for cooperative users.
4. Enforcement--require the user to run a particular version of software that always generates receipts. To do enforcement right, you need hardware enforcement (these days generally called Trusted Computing) on the user's computer. You also need to encrypt and authenticate every message to stop the user from just bypassing the hardware entirely and using a computer without the enforcement feature. The message needs to be encrypted only to a Trusted Computer.
5. Centralize--keep the mail on a single central server and just send the user a notification. Keep a record whenever the user accesses the mail. As an extension of the centralization feature, you can send the user an encrypted copy of the message and just keep the key on the central server. You can even design nice schemes that make it impossible for the central server to read your message. They just control your ability to read it.

As should be apparent, only Enforcement and Centralization really work and they unfortunately require rearchitecting most of the universe. Also, the Centralization approach only gets you a receipt the first time that someone reads the message. If you want a notification every time (as the system Ed describes tries to do), then you need Enforcement.

Self-Destructing Messages
The situation with self-destructing messages is much the same. It's perfectly easy to add a "please destroy" token to the message, but who says that the reader has to do it? Again, they may well want to save a copy of the message. How do you stop them?

The situation here is even worse than with receipts, because you can't solve the problem with crypto. Sure, it's possible to design crypto schemes which encrypt each message separately in such a way that your permanent keys don't let you read them. The idea here is that once you've read and deleted a message the government can't subpoena you and force you to decrypt their wiretapped copy. (This feature is called Perfect Forward Secrecy). But that's just a convenience to the reader to stop them from having to worry that the delete button doesn't really delete. If you have a recipient who wants to keep a copy there's nothing stopping them from doing so.

If that's the feature you actually want, then great. No problem. But if what you really want is to make it impossible (or at least very difficult) for the reader to not destroy the message, then you basically want digital rights management for your e-mail and that means Trusted Computing again.

The Bottom Line
At this point, you know everything important you need to know about this sort of problem. When you see a company claiming to offer one of these features, there's only one question you need to ask: "Do you have the kind of system that involves replacing all my infrastructure or the kind of system that doesn't work?"

More on Hubbert's Peak

The claim that we're going to run out of oil real soon now has been getting a lot of attention lately, a lot of of it fairly hysterical. The basic argument is that oil production follows a normal distribution (the Hubbert curve) and that the peak of the curve is happening real soon or has already happened. Fans of the Hubbert curve like to point out that Hubbert fairly accurately predicted the shape of the US oil production curve:

Lisa Dusseault trashed the Hubbert's Peak argument back in 2003. I just read an article Leonardo Maugeri from the Italian energy services company Eni S.p.A. along the same lines. I'm not saying that Maugeri is an objective observer, but he makes some interesting arguments including the following graph showing that Egypt didn't follow a Hubbert-style distribution.

Maugeri also argues out that estimates of the total available reserves have been continuously revised upwards, which kind of undercuts the argument that we're runing out of oil any time soon.

Don't steal music

The wrapper of the iPod I recently bought bears the legend "Don't steal music." in four languages. You know, I was going to go out and stea some music but now that Leader Jobs has put me back on the straight and narrow, I plan to be a solid citizen the rest of my days.

Can't anybody change my ticket?

As previously mentioned I was in Minneapolis last week. I bought my tickets from Expedia, who put me on Frontier going out and America West going back. The tickets were issued through Frontier. So, when I wanted to fly back Friday night instead of Saturday morning, I called Frontier to see how much it would cost to change my ticket. This initiated the following sequence of events:

1. Frontier tells me that I need to call Expedia.
2. Expedia tells me that I need to call Frontier.
3. Frontier tells me that since I have a paper ticket they can't help me and I need to go to the airport to get my ticket changed. I explain that I just want to know how much it will cost. They tell me to call America West.
4. I call America West and they tell me that because the ticket was issued through Frontier they can't give me a price.
5. I call Frontier and they tell me that because I have a paper ticket they can't change it. I explain again that I just want an estimate of how much it will cost. They tell me that they need to see the ticket. I offer to read the numbers off the ticket. They refuse. I ask to see a supervisor, who also refuses on the grounds that they might give me an incorrect quote.

Remind me to get an e-ticket next time.

Mitigating the effect of worms

I wanted to write something about Weaver and Paxson's WEIS 2004 Worst-case Worm paper. Based on some fairly good estimates of worm spread and some hand-waving estimates of the impact of various worm payloads, Weaver and Paxson estimate that a really bad worm could cause about $50 billion worth of damage. Their former co-author Stuard Staniford argues that they're systematically underestimating the loss and thinks it's closer to $140 billion. Either way, it's a crapload.

Now, of course these estimates are based on a completely flawed model and probably pretty far off--the authors say as much--but nevertheless there's something very interesting about them: the authors estimate that most of the damage is done by the loss of productivity when the affected machines are down for days or weeks. This suggests an obvious tactic. Rather than trying to protect our systems from worms--something we have very little idea how to do in practice--we might consider focusing on fast system recovery.

One particular approach comes to mind: a lot of the damage in the Weaver/Paxson model comes from the worm flashing the BIOS. There's almost no need for users to routinely flash the BIOS from software. So, what if we made systems so that the BIOS could only be reflashed within 5 minutes of a power cycle (not a reboot, since as Vern Paxson pointed out when I raised this idea, the virus can reboot the computer). I don't know if you could make this change with a BIOS upgrade (how much is the BIOS involved in BIOS reflashing?) but if you can, it might be worth doing.

What you can learn from tonight's boxing matches

When you go to throw your right hand, do not drop your left. If you do drop your left, you will quite likely be on the receiving end of your opponent's right and spend the next (and last) 10 seconds of the fight looking up from the ground.

How to tell that you're surrounded by yes men

Here's Mark Bowden, from Killing Pablo: The Hunt for the World's Greatest Outlaw:

To pass time, the inmates lifted weights, rode exercise bikes, and played soccer. Pablo would play for hours at a time. He always played center forward, even though he wasn't the quickest or most skilled player and had a bad knee. His men always let him win, sometimes arranging for him to kick the winning goal. If Pablo grew winded, which was often, he would wave in a replacement until he caught his breath, and then he'd plunge back in.

Whenever I read this kind of stuff I wonder whether the Great Man doesn't know that he's being humored or just doesn't care.

The holy city of whatever

Listening to the NPR coverage of Iraq, I keep hearing that there's fighting in or around the "holy city of Karbala" or the "holy city of Najaf". I can't think of the last time I heard someone refer to, say Rome, as a "holy city", despite it's clearly important status to Christianity. Whenever there's coverage like this, what I hear in my head is the nonjudgemental, vaguely condescending voice of the National Geographic announcer: "the natives believe that the city of Karbala is sacred to their god"--implicitly assuming that this is just some false belief held by the benighted natives. An appropriate object of study by anthropoligists, perhaps, but not something you'd actually take seriously as potentially true. Perhaps the announcers think of this sort of language as showing respect to other cultures, but to my mind respect means assuming that they're equally valid as one's own, rather than just some quaint local custom.

The effect of gas prices

Ok, so gas prices are really high, as shown by this nice graph provided by the State of California

Around here it's $2.50 or so for a gallon of premium (recommended for my Audi). This is almost twice the lowest, price in the past four years (it was about $1.30 in February 02). So, how much of a difference does that make? Let's do the math.

• The Audi gets about 18 mpg, according to the guages in the car.
• Let's say I drive the industry standard 12k miles/year, so in an average year I consume 667 gallons of gas.
• So, the difference between the 2002 and 2004 price levels is $1.20 * 667 = $800.

Now, $800 isn't chump change, but when you consider the size of my Palo Alto house payment, I don't think it's going to break the bank, either.

The French telephone system

From David Landes's The Wealth and Poverty of Nations:

European countries also had a consumption problem. Class structures and segmented tastes made it harder there to adopt standardized products. Even so, I would stress supply rather than demand, the attitude of producers rather than consumers. When Europeans belatedly adopted techniques of mass production, they had no trouble selling cheaper goods.

To get a sense of what was involved, look at the great European industrial spurt after World War II. This mirrored earlier American advances and implicitly testified to previous class-based failure. Europe had a pent-up demand for consumer durables, whetter by film images and the American presence. Few Europeans before had thought that just about everyone might want, even need, a car or a telephone. As late as the 1970s, many French people were still going to cafes or to the post office (but only during office hours) to make their phone calls, either because they could not afford a phone at home or were waiting two or three years to get a line. Getting a dial tone could take a half-hour and more. People still reserved ahead for international calls. Business suffered and the complaints mounted to heaven: no point directing them to human beings because the authorities were imperturbably indifferent. After all, telephones were part of the postal system and the post office thought them an extravagance, a plaything for rich people. What was wrong with writing letters and buying stamps.

And then, in a footnote:

The meanness of the French post office was notorious. Until the 1990s, airmail letters overseas paid a surcharge above a weight of 5 grams, stamps included. That means using especially thin and pricey paper--a boon to the stationary industry. Even so, the post office would not always have a single stamp for the postage required and would combine two or three to make the amount, and then those would tip the scale. One had to experience these exercises in petty tyranny to understand the retardative effects of bureaucratic constipation. Fortunately for the French, the European Community has imposed new standards.

I guess I shouldn't complain that I can't get DSL here in Palo Alto.

Can proof of work be made to work?

Ben Laurie and Richard Clayton arguing had a paper at WEIS 2004 arguing that proof of work (aka puzzles) doesn't work for stopping spam. The idea, recall, is that you require everyone sending you mail to burn a certain amount of computational power (often by solving a puzzle). This is intended to deter spammers by increasing their costs and thus decreasing their profits, without having the inconvenience of actual money changing hands. There has been a fair amount of work in the cryptographic literature on the design of these schemes, which it's not necessary to go into here.

Laurie and Clayton's argument is simple: the upper bound on the amount of work that a sender can be required to do is set by the resources available to legitimate e-mail senders with lousy, slow, computers. They then make some partially handwaving, but not implausible, arguments that spammers could afford to spend this much computational power per message and still make a profit spamming.

This argument isn't entirely persuasive, on two fronts. First, it's not an all or nothing proposition. As far as I know, generally companies pay spamming companies to promote their products. If the market is competitive, we'd expect that the fees that those companies charge would have been pushed down to approximately the cost of production (i.e. the cost to the actual spam company of doing the spamming). If that cost goes up, then spamming will be less attractive and we ought to see less of it, even if it's not eliminated completely. On the other hand, if there's less spam from the low-end advertisers, then that makes the remaining advertiser's messages stand out better, so it's not clear how much reduction the end-user would actually see.

More importantly, Laurie and Clayton's argument implicitly assumes that the only anti-spam mechanism being used is proof of work and that therefore every message will need proof of work attached. But that's not necessarily true. In general, most people's mail traffic is mostly to/from people they already know. So, what you do is combine proof of work with whitelists:

1. Anyone on your whitelist can send you a message without a proof of work.
2. Anyone not on your whitelist must send you a proof of work.
3. Your mail software automatically maintains your whitelist, as follows: Any mail marked as spam gets the sender removed from your whitelist. Any mail that you read and don't mark as spam gets the sender added to the whitelist. In a scheme like this, most of the mails you send would not need a proof of work, thus sparing the people with poor computers. And as you would only need to generate proofs of work occasionally--when you write to someone new--they can be made much more computationally expensive, thus deterring spammers more.

   Note that I'm not saying that this hybrid solution is a definite fix to the spam problem. There are still the obvious problems of spam zombies and making the transition. The transition problem is always particularly tricky. (People often bring up the forgery problem but that's easy to solve by associating self-signed certs with each sender and then signing the messages. It's just a software problem). However, I do think you need a more sophisticated argument than Laurie and Clayton have made to show that it can't work.

   Posted by ekr at 08:31 AM | Comments (6) | TrackBack

The end-to-end argument goes meta

Ok, so everyone hates having to wade through their mailbox deleting the spam. But that's just wasted time. Spam has two more serious side effects. The first problem is false positives: when you get hundreds of spams a day you pretty much need to use some kind of spam filter. Those filters have false positives--legitimate messages that get tagged as spam. This causes you to miss those messages, which might be important. To avoid this, a lot of people have their filter drop suspected spam into a junk folder, and then periodically go through the folder to look for any false positives and read them. Unfortunately, going through this folder is a big chore and since almost all the stuff in the folder is spam, it's easy to miss the false positives.

To make matters worse, when a message is filed as spam, it's silent, so the sender has no way of knowing that the false positive happened. Not that it would matter, though, because the second problem with spam is that bounces get masked. Back in the old days, when you sent an e-mail to an address that didn't exist, you'd get a "bounce message" which told you about it. Unfortunately, modern spammers often forge sender addresses. And when someone forges your address on a spam and it bounces, you're the one who gets the bounce message. As a consequence, your mailbox fills up with fake bounces and the bounces from the messages you actually sent get lost in the noise.

If you want your message to get through, then, you can't treat e-mail as reliable, you need to keep re-sending it until you get the expected answer. Back in 1981, Saltzer and Clark wrote a classic paper arguing that if you wanted to reliably transfer data from point A to point B you couldn't trust the network to do it for you--if only they'd known how right they were.

Update on the free toothbrushes

Here are two hotels that do offer free toiletries:

Radisson Metrodome Minneapolis: $99/night.
Days Inn Minneapolis: $79/night.

On the other hand, the Marriott that I paid $149 for didn't. Interesting...

Norton Vulnerability Announced

Nick Weaver just got up in front of the room at WEIS and told us that eEye has announced a serious vulnerability in Norton Internet Firewall. The vulnerability is a buffer overflow in the DNS parser that lets an attacker send a single UDP packet to take over your machine:

eEye Digital Security has discovered a critical remote vulnerability within the Symantec firewall product line. A buffer overflow exists within a core driver component that handles the processing of DNS (Domain Name Service) requests and responses. By sending a DNS Resource Record with an overly long canonical name, a traditional stack-based buffer overflow is triggered. Successful exploitation of this flaw yields remote KERNEL access to the system.

With the ability to freely execute code at the Ring 0 privilege level, there are literally no boundaries for an attacker.

It should also be noted, that due to a separate design flaw in the firewalls handling of incoming packets, this attack can be successfully performed with all ports filtered, and all intrusion rules set.

Helpfully, eEye provides a complete description of the vulnerability, which, as Nick points out, should enable any programmer with an IQ higher than their shoe size to craft an exploit in a matter of hours. Outstanding!

A patch is available for this vulnerability. If you're running Norton Firewall I advise you to apply it.

Is computer security efficient?

In his talk at WEIS today, Dan Geer suggests that the endgame for computer security is end-user liability for breaches of their machines. This isn't silly at all. There are two kinds of costs to not securing your computer:

• Internal costs: the costs to you of having your own machine broken into.
• External costs: the costs to others of having your machine being broken into, primarily your machine being used as a platform for other attacks.

Currently, the only incentive you currently have is the internal costs. That incentive clearly isn't that strong, as lots of people don't upgrade their systems. The point of liability is to get you to also bear the external costs, which helps give you the right incentive to secure your systems.

That said, it's still not clear that people will secure their systems. Security is still expensive and it may be still be more expensive to secure your system than to bear the risk of a breach. We need to be prepared for the situation in which people bear the full external risk of intrusions on their own systems and still don't secure their systems--and that may be the right thing!

Just following orders

Just caught Lynddie England on TV. Amazing. She kept saying that she was instructed to behave as she did by "persons of higher rank". Don't they tell people in the US Army that just following orders isn't an excuse? I'm not informed enough to know whether England in fact behaved correctly, but I do know that if she didn't "just following orders" doesn't get her off the hook.

Not completely crazy

Cory Doctorow over at BoingBoing scoffs at the MPAA's suggestion that DVD copying is bad:

Fritz Attaway, the MPAA's vice president who shows up at all the DRM meetings, explains to the press how the world works in Bizarroland, where being able to make a backup of your DVDs is bad for you.

"There is no right in the copyright law to make backup copies of motion pictures, so the whole argument that people should have the right to make backup copies of DVDs has no legal support whatsoever," said Fritz Attaway, executive vice president of the MPAA.

"It's against consumers' interests to permit devices that make backup copies," he added, "because there is no way that a device can distinguish between a backup copy for personal use and making a copy for friends, family acquaintances or even selling on the street corner."

It's a pity that Doctorow decided to scoff rather than to try to engage Attaway's argument, which isn't crazy at all, and in fact is at the core of the debate about copyright. Consider the following thought experiment of a future not too unlike the present:

1. It costs $5000 to produce an album.
2. There are 1001 customers, each willing to pay $5.01 for the album.
3. Everyone is rational.

Now, in this situation, the prospective artist can make the album, sell it for $5.00 each, and come out $5.00 ahead. Each consumer comes out $.01 ahead, for a total surplus of $55 ($50 for the consumers and $5 for the producer.)

Now, imagine a world which is otherwise identical, except that as soon as the first consumer gets a copy they start selling it for $2.50 and all the other consumers (being rational) download it for half-price. In this case, the producer stands to sell only one copy (for $5), thus losing $4995. Clearly, no rational producer will take this deal, with the result that the album isn't produced. This leaves everyone poorer, the producer having foregone $5 and each consumer having foregone $.01. In other words, this situation is Pareto-dominated by the one in which the album isn't duplicated.

It should be apparent at this point that if there were some way to be sure that noone would duplicate the album, then it would again be efficient for the producer to make albums, thus improving everyone's life. Now, I suppose that all the consumers could promise not to make copies, but you can't necessarily trust them. This is especially true if they can sell discount copies for $1.50 or so. So, how can they promise? One easy way is to make copying illegal. It's even easier if you make the equipment necessary for copying illegal. Since, as Mr. Attaway points out, it's hard to make equipment that can be used for backups but not piracy, this probably means all copying equipment. In other words, it can be in the consumer's interest to stop them from making backup copies.

Now, this is obviously a contrived example. In particular, we've assumed that there's only one content producer, that all consumers are willing to pay one price, and that once an album is copied once noone will buy it. None of these things are true, and taking these factors into account makes the analysis a lot more complicated. However, the general principle adduced by Mr. Attaway isn't necessarily wrong: widespread copying of content potentiallly dramatically reduces the revenues received by the content provider. Any reduction in their potential revenus reduces their incentive to produce new content, which is bad for consumers as well. Now, it may well be that the ability to make backup copies and get cheap copies of the content that's still available more than offsets the foregone value of content but that's not something we know to be true by any means.

In other words, we don't know that Mr. Attaway is right, but we don't know he's wrong, either, and what he said certainly isn't crazy. Yes, it's counterintuitive that you can improve your situation by restricting your choices but that doesn't mean it's not true. In fact, the ability to make credible commitments to behave against your short-term interest is essential to serving your long-term interests. For not understanding this important point, Mr. Doctorow is hereby sentenced to buy and read Schelling's Strategy of Conflict.

Please do not download that report

Time has published a Pentagon memo telling personnel not to download copies of the report on the abuses at Abu Ghraib:

Fox News and other media outlets are distributing the Tugabe report (spelling is approximate for reasons which will become obvious momentarily). Someone has given the news media classified information and they are distributing it. THE INFORMATION CONTAINED IN THIS REPORT IS CLASSIFIED. ALL ISD CUSTOMERS SHOULD:

1) NOT GO TO FOX NEWS TO READ OR OBTAIN A COPY
2) NOT comment on this to anyone, friends, family etc.
3) NOT delete the file if you receive it via e-mail, but
4) CALL THE ISD HELPDESK AT 602-2627 IMMEDIATELY

This leakage will be investigated for criminal prosecution. If you don't have the document and have never had legitimate access, please do not complicate the investigative processes by seeking information. Again, THE INFORMATION CONTAINED IN THIS REPORT IS CLASSIFIED; DO NOT GO TO FOX NEWS TO READ OR OBTAIN A COPY.

In other words: we're investigating who leaked this classified and embarassing memo. Anyone who has a copy of the report is a suspect in the leak investigation.

At this point you should ask yourself:

1. Given the wide dissemination of this report, how likely is it really that knowing someone has a copy of the report on their computer is going to help trace the leaker?
2. Even if we find the leaker, should he be punished, which is the apparent intent here?

That's what I thought.

So this is SOP

It's worth taking a look at this Washington Post article on the interrogation techniques the DoD approved for Guantanamo. It's really fascinating to see the fine distinctions being drawn:

In April 2003, the Defense Department approved interrogation techniques for use at the Guantanamo Bay prison that permit reversing the normal sleep patterns of detainees and exposing them to heat, cold and "sensory assault," including loud music and bright lights, according to defense officials.

...

According to two defense officials, prisoners could be made to disrobe for interrogation if they were are alone in their cells. But Col. David McWilliams, a spokesman for the U.S. Southern Command, said stripping prisoners was not part of the permitted interrogation techniques. "We have no protocol that allows us to disrobe a detainee whatsoever," he said. Prisoners may be disrobed in order to clean them and administer medical treatment, he said.

Several officials interviewed for this article, including two lawyers who helped formulate the guidelines, declined to be identified because the subject matter is so sensitive.

With the proper permission, the guidelines allow detainees to be subjected to psychological techniques meant to open them up, disorient or put them under stress. These include "invoking feelings of futility" and using female interrogators to question male detainees.

Some prisoners could be made to stand for four hours at a time. Questioning a prisoner without clothes is permitted if he is alone in his cell. Ruled out were techniques such as physical contact -- even poking a finger in the chest -- and the "washboard technique" of smothering a detainee with towels to threaten suffocation. Placing electrodes on detainees' bodies "wasn't even evaluated -- it was such a no-go," said one of the officials involved in drawing up the list.

Ah, I get it now. Sleep disruption and being stripped naked: OK. Smothering and electrodes: not OK. I'm glad we got that cleared that up.

Low-level score at the 7/11

Went by the 7/11 for a Slurpee today, but they were out of 28 oz Slurpee cups, so I ended up using a 32 oz Big Gulp cups and discovered something mildly interesting:

• The 28 oz Slurpee is $1.19.
• The 32 oz Big Gulp is $1.09.
• 7/11 uses bar codes on the cups to check you out.
• 7/11 clerks are generally too lazy to change the price even when you tell them that it's a Slurpee in the cup.

As a consequence of this, I ended up getting an extra four ounces of Slurpee and paying $.10 less. Plus, the Big Gulp cup fits better in my cupholder. Bonus!

Another great child safety innovation

A lot of medications are sold in blister packs where each pill is in its own plastic bubble and you push them through the backing. The backing is typically foil and you just push on the plastic to push the pill through. However, lately I've noticed that a lot of the blister pack meds (e.g. Prilosec OTC or Claritin) also have some sort of paper backing that you have to peel off before you can push the pill through. If you try to just push the pill through the paper it doesn't work and you end up breaking the pill. Unfortunately, if your hands are wet or you're not careful you can end up screwing up the peel-back and then getting the pill out means a knife. Not convenient.

It turns out that this is some sort of child-safety precaution. [*]. Unfortunately, it's also EKR-proof. Outstanding.

All Of MP3

Just checked out AllOfMP3, which, if you haven't heard, is this Russian site with an enormous catalog of cheap downloadable music, priced at $5/500 MB. I haven't been brave enough to give them my credit card number yet. Has any EG reader done so and what was the result?

I am not a chimp

Mark Fraunfelder over at BoingBoing speculates about the destruction of the FAA 9/11 air traffic control tapes:

A New York Times article reports that a tape recording made on 9/11/01 containing statements from "at least six air traffic controllers who dealt with two of the hijacked airliners .. was destroyed by a supervisor without anyone making a transcript or even listening to it."

The quality-assurance manager was said to have "crushed the cassette in his hand," before disposing of it.

I just tried to crush a cassette in my hand. I couldn't do it. I know my upper body strength isn't what it ought to be, but I don't see how any normal human could crush a cassette in his or her bare hand.

I therefore conclude that the manager is not human. He is probably a very smart, shaved, and clothed chimp. Supporting evidence: In 1924, the Bronx Zoo tested the grip strength of people and chimpanzees using a dynamometer. A 160-pound male human had a grip strength of 210 pounds. But a 135-pound female chimp had a grip strength of 1260 pounds. Anybody have a pet chimp so we can test this out? I'll pay for the cassette. Link

I'm no chimp, but I just broke an audio cassette by hand. First, I squeeezed it with one hand and got some flex but wasn't able to get it to actually break. However, I was able to fairly easily break it in half using both hands. I don't have unusual grip strength, though: I can almost do the Captains of Crush Number 1 (140 lbs). They go up to Number 4 (365 lbs), which is supposedly incredibly hard (I can barely move the Number 2 (195 lbs). I wouldn't be surprised if an ordinary human who had worked their grip a bit could break a cassette one-handed.

FDA rejects Plan B: not safe for toddlers!

This is seriously screwed up: the FDA has decided not to approve Plan B for OTC status:

In a letter to Barr Laboratories, the agency said yesterday that the application was denied because only 29 of the 585 women studied by the company were younger than 16 -- a sample that was too small to assess safety.

The agency held out the possibility of a future approval if the company could prove the drug is safe for young girls or devise a plan that would keep Plan B on by-prescription-only status for girls younger than 16. In its letter, the FDA said keeping the drug prescription-only for adolescents had been discussed with the company, but that not enough information was provided on how that might be accomplished.

Let me see if we have this right:

1. Plan B is safe enough to be sold by prescription, even to girls under 16.
2. Tylenol, which is incredibly toxic in high doses, is safe enough to be sold OTC.
3. The FDA's review panel overwhelming thought making Plan B OTC was a good idea.
4. Despite all that, some FDA administrator decided it wasn't safe to approve Plan B.

Outstanding. Of course, it's just a coincidence that the Bush administration was being heavily lobbied by a bunch of conservative groups. I don't know why we even bother having expert review panels. Let's just let Karl Rove make all drug review decisions.

Should I get free toiletries?

I'm staying in a Marriott in Anaheim and I forgot my toothbrush and toothpaste. When I asked the front desk they told me I could buy it at the gift shop--though at least the gift shop didn't gouge me.

Initial outraged consumer response: I'm paying $150/night, can't I get a free toothbrush? I've certainly had hotels for which I was paying less give me free toiletries like this.

More rational economic response: Wait a minute. That stuff isn't free. It's prepaid. It's just built into the cost of the hotel (assuming it's a competitive market) Since the free stuff typically isn't very good and isn't any cheaper than the stuff at the drugstore, I'd be better off buying it myself.

Rational self-interest response: I probably forget my toiletries more often than the average person, so even if it's prepaid, I probably have an expected value higher than the premium that's built into my hotel price.

Academic economist's response: Does the cost of toiletries really get built into the price? Practically nobody knows in advance when picking a hotel whether it will give you free stuff like this. I suspect that each chain has a uniform policy, but even though I travel a lot, I don't really know which ones are which and even if I did, 90% of my hotel decisions are driven by what's close to whatever event I'm attending. And the kind of people who travel enough to keep track of this kind of thing are probably precisely the kind of people who are organized enough not to need free toiletries.

Educated outraged consumer response: Sure, most people probably don't predicate any of their hotel-staying decisions on whether they get free toiletries, there probably isn't a competitive market in toiletry provision at all. What there may be is a a competitive market in hospitality in the general sense. And people certainly do choose hotels based on that sort of thing (Marriott vs. Best Western, for instance). When I chose a Marriott, I thought part of the implicit value proposition was good hospitality and they let me down. So where the heck is my free toothbrush?!?!

What did you expect, Club Med?

I totally agree that the stories of abuse at Abu Ghraib are terrible, appalling, etc., but they're hardly surprising to anyone who's read Newjack or knows about Zimbardo's prison experiment (you really should check out the prison experiment site... above). Whenever you give one group of people total control over the lives of another group of people, abuses become likely. Given the number of imprisoned Iraqis, something like this was probably inevitable.

The question, actually, is what we can do to avoid this kind of behavior. The incentives of the situation are generally to be more rather than less brutal, especially if, as it seems, the soldiers had an unofficial mandate to soften the prisoners up for interrogation. Without some pretty explicit controls--stronger than those used in US prisons--we're just going to get more of the same.

Quick UNIX hack of the day I

Say you've got two lists of things, which we'll call old and new. You want to know which things are in new but not old. It's easy to find out which things are in only one file. Do:

cat old new | sort | uniq -u

This gives us every line that appears only once, which means every line that appears in only one of the files. But this also tells you about things that are in old but not new. So, we we want to suppress those. That's easily done, just do:

cat old old new | sort | uniq -u

Now every line that's in old appears at least twice and every line that's in new appears once (if it's in new but not old) or three times if it's in both). As uniq -u gives us every line that only appears once, this pipe gives us the result we want.

Oh look, another worm

How nice.