July 1, 2009

I noticed the other day that if I'm driving my car on the freeway and close the sunroof my ears pop. After a bit of thinking, I concluded that what was going on was the Bernoulli effect: the air flowing over the sunroof lowers the pressure of the interior of the car. Then when you close it you get a sudden pressure change back to ambient pressure.

Initial experiments confirm this: my Polar 625SX has a built-in barometric altimeter. I repeatedly opened and closed the sunroof and watched the altimeter and readings seemed to consistently differ by about 75 feet. Obviously, there's some uncertainty here because the road isn't totally flat; if you wanted to be really sure you'd go over the same sections of the road again and again with the sunroof open and closed and measure the difference. Still, since I'm not exactly publishing this in Nature, it seems good enough for now.

 

June 30, 2009

The standard first-line opioid painkillers, Vicodin and Percocet, are actually both combination medications containing an opioid (hydrocodone for Vicodin and oxycodone for Percocet) with acetaminophen. The theoretical advantage here is supposed to be that you get better pain suppression with the combination than with either alone. The disadvantage here is that acetaminophen has a relatively narrow therapeutic index, and overdoses cause acute liver damage. [I suppose there's an argument that this is an advantage, since it makes it hard to get enough opioid to get high without risking liver damage.] According to Wikipedia, acetaminophen poisoning is the most common cause of acute liver failure [*].

Because of concerns over liver damage, the FDA's Advisory Panel has recommended eliminating them:

The two drugs combine a narcotic with acetaminophen, the ingredient found in popular over-the-counter products like Tylenol and Excedrin. High doses of acetaminophen are a leading cause of liver damage, and the panel noted that patients who take Percocet and Vicodin for long periods often need higher and higher doses to achieve the same effect.

Acetaminophen is combined with different narcotics in at least seven other prescription drugs, and all of these combination pills will be banned if the Food and Drug Administration heeds the advice of its experts. Vicodin and its generic equivalents alone are prescribed more than 100 million times a year in the United States.

Laureen Cassidy, a spokeswoman for Abbott Laboratories, which makes Vicodin, said, "The F.D.A. will make a final determination and Abbott will follow the agency's guidance."

The question I have is what will replace these meds in common use. There appear to be a number of combination hydrocodone formulations (with aspirin, ibuprofen, chlorpheniramine, ...), but with the first two you need to worry about allergies and chlorpheniramine doesn't have any painkilling effect so you just have to accept the unnecessary antihistamine side effects. I'm not sure if there are any hydrocodone-only formulations—I've never been prescribed one. While there are oxycodone-only formulations, doctors typically start with Vicodin and then move up to Percocet if that doesn't work, so it's not clear what this does to the front line. Moreover, as I said earlier, if you prescribe non-combination formulations you need to worry more about abuse, since there's nothing stopping the patient from just upping the dosage.

Obviously, preventing people from overdosing is an important consideration, but we also need to make sure we have a solution for pain that doesn't respond to OTC medications (NSAIDs and acetaminophen).

 

June 28, 2009

The Canadian Press reports that Elections Canada is pushing to move to "Internet Voting". The underlying report is here. More precisely, they want to do online voter registration and explore online voting. This isn't surprising, really. The 2007 Strategic Plan for 2008-2013 includes the following goals:

  • research and monitor technological trials and innovations in other jurisdictions, both in Canada and internationally
  • implement a registration process that allows electors to register in person, by mail, telephone or Internet anytime and anywhere
  • with the prior approval of Parliament, test a secure voting process during a by-election that allows electors to vote by telephone or Internet

The motivation for online registration seems obvious: people expect to be able to do a wide variety of tasks online, and it seems at least plausible that one could build a secure online registration system. (see here for previous comments on this topic.)

The general motivation seems to be the same as in the US—absentee and especially overseas voters have a lousy election experience, with the requirement to get your ballot, fill it out, and then return it all within the usual fairly short window between ballot finalization and the election (based on the report, a 36-day window is common here). Here's the bottom line:

In view of the number of Canadians who are interested in accessing electoral services on-line, our efforts to put e-registration in place and to test e-voting are well aligned to their needs. At the same time, we are aware that many Canadians, and candidates in particular, are still uncertain about electoral services over the Internet, especially when it comes to on-line voting. We will continue our consultations as we move forward with these services, and will ensure that future voter services meet the high standards of integrity and security that Canadians have come to expect from their electoral processes. We will also return to Parliament with recommendations for legislative change that would allow us to fully implement on-line registration.

I don't know how to read Canadian bureaucrat-speak, but this sure looks like Elections Canada thinks that Internet voting is something they should do and that in principle one can get it right, perhaps after some trial and error. I wonder whether they've consulted with any security experts.

 

June 26, 2009

Panasonic is improving their cameras to prevent you from installing third-party battery packs:
Panasonic Digital Cameras now include a technology that can identify a genuine Panasonic battery. For the protection of our customers Panasonic developed this technology after it was discovered that some aftermarket 3rd party batteries do not meet the rigid safety standards Panasonic uses.

Some of these aftermarket batteries are not equipped with internal protective devices to guard against overcharging, internal heating and short circuit. If these aftermarket battery packs were used, it could lead to an accident causing damage to your camera or personal injury.

Panasonic's Digital Camera firmware has been updated on this website to detect these aftermarket 3rd party batteries so such serious safety issues can be avoided.

Protecting the customer is basically the standard rationale that manufacturers use for this kind of lockin technology. However, one can't help noticing that the third party batteries are dramatically cheaper than the Panasonic standard batteries, so I think you could be forgiven for thinking that they might have a bit of another interest here. [See Rescorla, Savage, Shacham and Spies from the CRYPTO 2008 Rump Session for another example of this.] And of course, if you want whatever bug fixes, improvements, etc. Panasonic added to the new firmware, you have to take the DRM as well.

A few questions seem worth asking:

  • Does Panasonic consider any third party batteries safe or can you only use Panasonic brand?
  • Does Panasonic give you some mechanism for overriding the firmware and using a "dangerous" battery if you want to?

If the answer to these questions is "yes", then this looks like a genuine case of consumer protection. Otherwise, you should at least suspect monopoly maintenance.

UPDATE: Fixed citation. I had the wrong rump session talk.

 

June 23, 2009

Clear Registered Traveler is shutting down. Born out of post-9/11 paranoia, as I've mentioned before, Clear never added much security value, and eventually it became not much more than a way to pay $200 to avoid having to wait in line with everyone else (remember: you eventually went through the same security controls). Of course, that didn't necessarily mean that it wasn't worth it, but anyone who travels enough to really benefit from bypassing the security line probably has elite status and can bypass a lot of lines anyway. In all the times I went through SFO, I don't think I ever saw anyone use the Clear line.
 

June 21, 2009

I haven't been closely tracking the discussions over whether the Iranian elections were subject to fraud or not, but I am able to comment on one issue I saw raised: the speed of the results. For instance, here's Karim Sadjadpour (þ "Mrs. Polly" on Obsidian Wings):
Another Iran expert Karim Sadjadpour agreed, saying he believed this was "a stolen election."

"There are a lot of signs there were major improprieties. First of all there were 40 million votes cast and just two hours after the polls had closed they announced Ahmadinejad's victory: and these votes are hand counted in Iran...

It's easy to run the numbers here. Hand counting paper ballots via the sort-and-stack method takes about 6 seconds per ballot/contest pair. This means a team (1-3 people, typically) can do about 10 ballots/min or 600 ballots/hour. If we have two hours, then each team can count 1200 ballots, so we need about 33,000 teams. This is a lot of people but isn't totally outside the realm of possibility. If you started earlier, such as by having ballots returned in mid-day, then you could obviously get away with fewer teams.

Moreover, you don't need to count all the ballots in order to have a high level of confidence in the result—elections are routinely called with only partial counts available. Loosely speaking the more random your sampling strategy, the fewer ballots you need to count in order to have a high level of accuracy: if you just pulled random individual ballots you could probably get away with only a few thousand in an election with a reasonable margin of victory. If you're working through boxes one at a time but choosing boxes randomly, then you need more samples, and if the boxes are being counted in order then you may need to count a lot more. I have no idea what strategy Iran used, but if I wanted to run a central count system and have accurate estimates of who had won in short order it wouldn't be that difficult.
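As an added illustration (not part of the original post), here is a small Python script that carries through the counting arithmetic above and then simulates the three sampling strategies just described on a constructed electorate. The electorate (regions with sharply different support, 500-ballot boxes), the 3000-ballot partial count and the three-standard-error threshold are assumptions for illustration; only the 40 million ballots, 6 seconds per ballot and two-hour window come from the post.

```python
"""Added example: hand-count capacity and partial-count sampling strategies.
All population figures below are constructed for illustration."""
import math
import random


def share(values):
    """Fraction of True values (winner's share) in a list of ballots."""
    values = list(values)
    return sum(values) / len(values)


def teams_needed(total_ballots, seconds_per_ballot=6, hours=2.0):
    """Counting teams required to hand-count every ballot within the window."""
    per_team = hours * 3600 / seconds_per_ballot   # ballots one team finishes
    return math.ceil(total_ballots / per_team)


def ballots_for_confidence(winner_share, z=3.0):
    """Random individual ballots needed so the winner's lead over 50% is z
    standard errors wide (normal approximation to the binomial)."""
    lead = winner_share - 0.5
    return round(z * z * winner_share * (1 - winner_share) / lead ** 2)


def make_boxes(n_boxes=2000, box_size=500, shares=(0.75, 0.45), seed=1):
    """Constructed electorate: boxes arrive region by region, and the two
    regions differ sharply in support (overall winner share about 0.60)."""
    rng = random.Random(seed)
    boxes = []
    for i in range(n_boxes):
        p = shares[0] if i < n_boxes // 2 else shares[1]
        boxes.append([rng.random() < p for _ in range(box_size)])
    return boxes


def estimate(boxes, strategy, n_ballots, rng):
    """Estimated winner share after counting n_ballots under one strategy:
    random individual ballots, randomly chosen whole boxes, or boxes in
    the order they arrived."""
    box_size = len(boxes[0])
    if strategy == "individual":
        picks = rng.sample(range(len(boxes) * box_size), n_ballots)
        return share(boxes[i // box_size][i % box_size] for i in picks)
    k = n_ballots // box_size
    chosen = rng.sample(boxes, k) if strategy == "random_boxes" else boxes[:k]
    return share(v for b in chosen for v in b)


def rmse_by_strategy(boxes, n_ballots=3000, trials=200, seed=2):
    """Root-mean-square error of each strategy's estimate versus the truth."""
    rng = random.Random(seed)
    truth = share(v for b in boxes for v in b)
    result = {}
    for s in ("individual", "random_boxes", "sequential"):
        errs = [(estimate(boxes, s, n_ballots, rng) - truth) ** 2
                for _ in range(trials)]
        result[s] = math.sqrt(sum(errs) / trials)
    return result


if __name__ == "__main__":
    print("teams for a full count in 2 hours:", teams_needed(40_000_000))
    print("ballots for 3 SE at a 53/47 split:", ballots_for_confidence(0.53))
    for s, e in rmse_by_strategy(make_boxes()).items():
        print(f"{s:13s} RMSE of estimate = {e:.3f}")
```

Counting boxes in arrival order is not merely noisier but biased, because the first boxes all come from one region; the RMSE for that strategy stays near the regional gap no matter how many trials are run.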

 

June 20, 2009

William Kelleher has been publicizing a paper entitled "Internet Voting: The Great Security Scare". Here's his thesis:
This paper will present a social science paradigm for critically evaluating the security concerns most often expressed by opponents of Internet voting. In 2003, these concerns were so effectively expressed that they resulted in the US government ceasing all efforts to even experiment with voting from overseas via the new technology. However, when examined within a context of social scientific reasoning, the arguments that stopped the progress of Internet voting in the US appear as mere appeals to fear, bereft of rationality.

First, the problem of how to think about e-crime in general will be discussed. Secondly, the framework that emerges from that discussion will be applied to the arguments against Internet voting. The conclusion will suggest that Internet voting can be conducted with a degree of security similar to an online purchase, a million dollar bank transfer, or a secret military communication. As shown in the essay, the technology already exists, and has been honed over many years of use. While there are differences between the military uses of the Internet, e-commerce, and Internet voting, this paper will argue that the degree of security for each need not vary significantly.

Ordinarily, I don't bother to engage with this weak an argument, but Dr. Kelleher is starting to get some publicity and so I thought it was worth giving it a read. I didn't find it very convincing, but rather than make a point by point rebuttal, I want to focus on what I think is generally agreed to be the most serious obstacle to any Internet voting system: the security of voters' computers. As I've mentioned before, malware on the user's computer has the opportunity to totally compromise his vote, and writing that kind of malware isn't particularly difficult.

Kelleher's discussion of these issues is mostly framed as a rebuttal to the SERVE report, which discussed the security of a particular proposed Internet voting system. The SERVE authors were quite concerned about this sort of malware and discussed a number of vectors by which it might get on a user's computer, including backdoors on installed system software, viruses/worms, and booby-trapped websites. Kelleher's paper takes each of these on in sequence. Let's take a look at just one example, the material about backdoors (the dismissive tone is fairly typical).

This statement suggests that a company favoring Republicans could program all the computers with its software to vote Republican, even if the voter thinks he or she is voting for a Democrat or Independent. A Socialist-favoring company could jigger the vote its way, etc.

Here, the Super Sleuths think they have uncovered the potential for a massive conspiracy by software makers to control US elections by selling people loaded software. But, what would be necessary to carry out such a scheme, and what risks would the perpetrators be taking? First, such a scheme could only affect an Internet-based election in our country if the company sells tens of thousands of loaded product. But, the more they sell, the greater the risk of being caught. Someone who is wary of just such a scheme, whether a citizen computer scientist, or a law enforcement official, is going to examine the code in every type of voting-related product and discover the trick.

Once caught, the executives, and all who conspired with them, risk having to pay huge fines, being sentenced to prison, and losing their livelihood. After they do their time, no software company would hire them, because customers would become suspicious of the company's product. These convicted felons would be lucky to find jobs as taxi drivers, or doormen. How many people who are intelligent enough to run a software manufacturing business are going to be stupid enough to risk these consequences in the forlorn hope of changing some votes to favor their own political party or candidate?

First, this seriously misrepresents the SERVE report, which doesn't at all contemplate that the company would insert the backdoor. In fact, it quite clearly implies the contrary: "Today's computers come loaded with software developed by many different entities; any employee at any of those companies could conceivably leave a backdoor that attacks SERVE." Modern software is generally developed by large teams, and controls on the code that authors check in are generally fairly lax. In many environments it wouldn't be at all difficult for an attacker to inject arbitrary code without being detected, especially if they made some effort to hide it. (More on this in a bit.)

Second, the suggestion that outsiders would actually review all the code in your average computer and detect this kind of attack is, let's say, extremely problematic. As the SERVE authors correctly observe, any software on your machine could have a backdoor in it, not just the voting software. This means that on your average machine you need to audit all of Windows, Office, IE, Firefox, etc. Estimates I've heard of the number of lines of code in Windows alone run into the tens of millions, and the difficult thing about a backdoor is that it can be anywhere in the code base. Auditing this sort of system is a massive (read: totally impractical) project. When we did the Top-To-Bottom Review, we had our hands full just looking for unintentional vulnerabilities in a code base about 1% as large; we didn't even try to look for backdoors. And of course, we had the advantage of the source code, which vendors generally regard as pretty secret. Your average reviewer is not going to have the source code for Windows.

Moreover, there's no reason to inject something as obvious as a program to change votes. All you need is a remotely exploitable vulnerability known only to you, and this can be as simple as a missing array bounds check, integer overflow check, etc. Then when you're ready to install your malware you exploit the vulnerability and there doesn't need to be any voting specific code to find at all. This has two advantages: (1) it's hard to find because it's a small error and (2) even if you get caught you can plead incompetence. Given the number of vulnerabilities found in your average program, it's extremely improbable that you would suffer any consequences—certainly none of the existing voting vendors have been arrested for vulnerabilities found in their systems. [To be totally fair, the SERVE report doesn't make this point quite as clearly as one might like]

I don't propose to go through the rest of the paper point by point. Suffice to say that overall it betrays a fairly shallow understanding of the state of computer security and mostly depends on the ever-popular "argument from incredulity". In particular, Kelleher is incredulous that there could ever be widely deployed malware that infects a large number of computers. As it happens, however, not only is this possible, we already have several worked examples in the form of large botnets. It's not hard to envision repurposing that sort of software to mount attacks on voting systems. Actually it's in some respects easier because you don't need any command and control, you just deliver the attack payload; it waits till election day and then activates. Far from being incredible, then, this attack seems fairly practical.

 

June 19, 2009

For some reason, I'm a big fan of radical summarization. In that vein, check out: Best of all, however, is ShrinkLits: Seventy of the World's Towering Classics Cut Down to Size. Here, for instance, is Beowulf.
 

June 17, 2009

In response to concerns about H5N1, there have been proposals to adopt (and some adoptions of) body temperature scanners to detect people with the flu. Apparently they're not difficult to defeat:
HANOI (Reuters) - Many sick passengers who flew to Ho Chi Minh City in southern Vietnam took fever reducers to cheat temperature scanners at the airport, leading to the discovery of several infected cases later, state media reported at the weekend.

Nguyen Van Chau, head of Ho Chi Minh City's Health Department, was quoted in state-run Tien Phong (Vanguard) daily as saying "a series of passengers" took fever reducers three hours before arrival.

"That's why when they passed through the airport, the body temperature scanners skipped them," Chau said.

Why does this not surprise me?

 

June 16, 2009

Congress is reported to be concerned about cell phone exclusivity agreements between manufacturers and carriers. For instance, in the US, the iPhone is only available with AT&T:
"We ask that you examine this issue carefully and act expeditiously should you find that exclusivity agreements unfairly restrict consumer choice or adversely impact competition in the commercial wireless marketplace," the Committee wrote.

Senator John Kerry (D-MA), the Committee chair, also said he would convene a hearing on Wednesday to explore whether the marketplace for mobile is best served with or without exclusive contracts.

"Today, we've got a wireless marketplace where four companies account for more than 85 percent of all subscribers," Kerry wrote on SaveTheInternet.com's blog. "In fact, nine of the most popular ten phones are locked in a deal with one of these big wireless carriers, and are only available through one network."

It's certainly true that handsets are often locked to manufacturers, but there's a technical obstacle as well: the US, unlike Europe, has multiple cellular standards. In particular, the iPhone is GSM-only, so as far as I know it couldn't be used with either Sprint or Verizon even if it were unlocked. Apple could of course completely reengineer the phone, but it's not just an arbitrary matter of vendor lockin. If you want to run the iPhone on a non-AT&T carrier in the US, pretty much you're looking at T-Mobile. I guess some choice is better than none, and I'm not exactly thrilled with AT&T's network, but my impression is T-Mo is even worse.

It's important not to confuse subsidized handsets and long-term contracts with exclusivity arrangements. In the US, handsets are sold at a discount but you need to sign a long-term contract to get the discount. Clearly, if the manufacturer is going to give you a big discount, they need to ensure that you don't take the discounted phone and go to a different carrier: but this doesn't require any kind of technical lock-in, they just need to penalize you for cancelling your contract early, which, in fact, they do.

By contrast, locking the phone to a carrier provides the carrier with a competitive advantage: if you want a cool phone, you have to go with the exclusive carrier. This would work fine even with no vendor subsidy. In fact, the first-generation iPhones weren't really subsidized, but you still couldn't use them with any US carrier besides AT&T. I have one, and even once my two year contract runs out, I'd still need to jailbreak my phone if I wanted to use it with T-Mo.

Fans of the ultra-popular iPhone have been complaining to ConsumerAffairs.com and elsewhere that AT&T -- the exclusive carrier of the iPhone -- cripples the phone's functionality and has made upgrading to the new 3GS model too confusing.

"I purchased an iPhone on May 4th and they are not allowing me to exchange my 3G iphone to a 3Gs when it comes out," wrote Anthony of Lawrenceville, New Jersey. "I have discussed my problem with Apple, who has agreed AT&T is engaging in poor business practices."

I don't really have a position on whether this is a poor business practice or not. On the one hand, AT&T did subsidize the phone and people's two-year contracts aren't up. On the other hand, in the past when I've upgraded phones before the end of my contract, the carrier has just extended the contract for an additional X years and given me the subsidized price. Also, it's not like it was a huge secret that Apple was likely to announce a new iPhone at WWDC. So, I'm not sure it was the wisest decision to buy one of the 3G models a month before then.