February 6, 2010

For some reason, the silly idea of universal personal authentication for Internet users seems to have an undue appeal on tech executives. Here's Barbara Kiviat reporting on Microsoft's Craig Mundie:
What Mundie is proposing is to impose authentication. He draws an analogy to automobile use. If you want to drive a car, you have to have a license (not to mention an inspection, insurance, etc). If you do something bad with that car, like break a law, there is the chance that you will lose your license and be prevented from driving in the future. In other words, there is a legal and social process for imposing discipline. Mundie imagines three tiers of Internet ID: one for people, one for machines and one for programs (which often act as proxies for the other two).

...

Mundie pointed out that in the physical world we are implicitly comfortable with the notion that there are certain places we're not allowed to go without identifying ourselves. Are you allowed to walk down the street with no one knowing who you are? Absolutely. Are you allowed to walk into a bank vault and still not give your name? Hardly.

This is one of those ideas that comes up so often and initially seems like a natural analogy, but on closer inspection just starts to look confused.

First, a driver's license isn't principally a form of general-purpose authentication but rather a permit from the state to drive. It has a biometric component in order to permit the police to determine that you're the actual holder of the permit and not just someone who happens to be holding it. Of course, because the license is so ubiquitous, it's widely used as a form of general ID, but if you do something to lose your license, the state will still issue you an identification card; indeed, you can generally get an ID card even if you're ineligible to drive. (Here's what California has to say.) So, on the one hand, Mundie says you don't have a right to complete anonymity (which I at least sort of agree with) and that his proposed Internet driver's license would serve as a form of ID, and on the other hand he suggests that you could lose your right to use the Internet for some unspecified set of misbehaviors. So, which is it, a permit or a form of ID?

Second, if it's a permit, under what conditions might it be revoked? Having your machine compromised? Failure to keep your software updated? If it's just for bad system hygiene then you're going to see a huge number of revocations. If it's for actual malfeasance then aren't you just going to revoke the licenses of people who would be in serious legal jeopardy in any case? Internet security problems come from two kinds of users: those who are genuinely malicious and those who are just careless. The problem with the first is finding them, not punishing them once you've done so. As for the second, revoking their right to use the Internet seems rather excessive.

On the other hand, if the idea is just to have a form of ID, then I don't really see why we need something government sponsored. Can't sites decide for themselves whether to try to authenticate you?

 

February 2, 2010

My friend Terence just got written up in the Stranger as the first purchaser of Caleb Larsen's A Tool to Deceive and Slaughter (hereafter ATtDaS). Briefly, ATtDaS is a black cube with some electronics inside that, when connected to the Internet, attempts to sell itself on eBay. (Current auction here). The purchaser is (allegedly) required to provide an Internet connection (the semi-absurd EULA can be found at the auction site; sample quote: "Any failure to follow these terms without prior consent of Artist will forfeit the status of the Artwork as a legitimate work of art. The item will no longer be considered a genuine work by the Artist and any value associated with it will be reduced to its value as a material object and not a work of art.") and has to kick back 15% of the profits from the sale to Larsen.

Terence paid a stupefying $6400 for the privilege of not-really owning this object. Here's what he has to say for himself:

It sort of uniformly falls into two categories: either, That's an enormously appealing, thought-provoking piece of art, or the other thing is, That's the most foolish thing I've ever seen. They're really defensive about it.

I hang out with a bunch of computer security people because I'm a computer security person myself, so they want to know, are you going to hack the box? Is there some way to put it behind a firewall to slow it down so it can't sell itself? Which really adds a whole other dimension because you buy the box and the box immediately starts trying to escape from you. So part of the impulse is, is there a way I can subvert the process of it trying to escape from me? By doing that, you'd in some ways be removing the reason it's interesting.

I'm (of course) one of the people who suggested that it be firewalled off. Obviously, just firewalling it off entirely would be cheating and arguably violate the license agreement (not that I'm convinced it's actually binding). But the natural security guy reaction is to try to find some way to stop ATtDaS from selling itself that still complies with the agreement. My suggestion was to firewall off eBay alone, or just forge TCP RST packets. This seems to me to comply with the relevant term:

Collector agrees that the Artwork will remain connected to a live Internet connection at all times, with disconnections allowed only for the transportation of the work from one venue to another.

Option 2 seems to be to "transport" it from its current venue in Seattle to a venue somewhere in the Himalayas via yak, Sherpa, or the like.

I tried to explain to Terence that this wasn't removing the interesting part but rather taking an allegedly subversive piece and going meta-subversive, but he didn't bite. Some people just don't appreciate art.

 

January 24, 2010

A fair bit has been written about Google's "new approach to China":

Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident--albeit a significant one--was something quite different.

...

Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers.

...

These attacks and the surveillance they have uncovered--combined with the attempts over the past year to further limit free speech on the web--have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

I don't really see the connection between this incident and Google's decision to stop offering filtered access to search queries in China, at least in terms of protecting Google from future attacks. Let's say for the sake of argument that not only did the attacks originate in China but also that they were directly sponsored by the Chinese government (which, as far as I know, is unproven). How does refusing to offer filtered searches help? It's not like the hackers (allegedly) used some vulnerability in the filtering software as their attack vector. Similarly, even if Google were to pull out of China, or even cut off all access to Chinese IP addresses, Chinese hackers aren't restricted to using IP addresses in Chinese address ranges; they can perfectly well use machines which are located in the US, either by using legitimately purchased accounts as stepping stones, or by using compromised American hosts, of which there are plenty.

I don't have any inside information, but it seems to me like a more plausible story (see this Slate article for an alternate view) is that Google thinks the Chinese government is behind these incidents and this is a way of retaliating against China, under the assumption that China would prefer to have some Google than none. I have no idea whether or not this is something China cares about, however. [Mrs. Guesswork observes that another theory is that Google was previously cooperating with China's surveillance efforts and feels like China overstepped their agreement.]

On a different note, it has been fairly widely reported that an IE 0-day was used in the attack, but Bruce Schneier claims that the hackers exploited a Google-created backdoor intended for lawful intercept (though he doesn't provide any sources):

(CNN) -- Google made headlines when it went public with the fact that Chinese hackers had penetrated some of its services, such as Gmail, in a politically motivated attempt at intelligence gathering. The news here isn't that Chinese hackers engage in these activities or that their attempts are technically sophisticated -- we knew that already -- it's that the U.S. government inadvertently aided the hackers.

In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.

Of course, both of these can be true. Even if Google built a surveillance tool for the purpose of lawful intercept, presumably it wasn't something you could just connect to without authorization, so I would imagine that you would need to do some hacking to get access to it (unless, of course, the password is "1234").

 

January 17, 2010

The NYT reports that NASA has cut the price of used space shuttles to $28.8 million, plus what I imagine is some rather expensive transportation. I'm also having some trouble figuring out how you're going to get it to the Space Shuttle shop to be checked out by their mechanic.

The main engines on the other hand, are a different story:

As for the space shuttle main engines, those are now free. NASA advertised them in December 2008 for $400,000 to $800,000 each, but no one expressed interest. So now the engines are available, along with other shuttle artifacts, for the cost of transportation and handling.

Space shuttle main engines appear to be relatively compact, around 5'x15' and 7000 lb, so about the size/mass of a Cadillac Escalade, but with exponentially worse gas mileage. Seems like you could get one onto a flatbed and have it shipped to your house for around $1000. Not sure what you'd do with it, though; maybe speed up your 4th of July BBQ.

 

January 9, 2010

I'm in the market for a new motorcycle and have been looking at the BMW R1150GS/R1200GS. Like cars, motorcycles have a lot of depreciation the minute they pull off the lot, and because you're fairly likely to drop your bike anyway, most people I know figure you might as well buy pre-dropped and look for a used model. But once you're buying used you have the problem of figuring out how much you should pay. KBB motorcycles isn't much help here because the market is small and the mileage varies a lot.

An alternate approach is to mine the available data on what people are offering vehicles for and use this to build an analytical model for predicting prices; this lets us figure out what the appropriate asking (which isn't the same as fair; more on this later) price for a new vehicle is and identify outliers in either direction.

Below, you can find the list of the relevant bikes on sale on CL for the past week or so:

     Asking  Model    Year  Mileage
 1     7650  1150GS   2002    25000
 2     7900  1150GS   2001    54000
 3    14500  1200GSA  2006     3700
 4     8500  1200GS   2005    54000
 5    13700  1200GS   2007     3658
 6     7400  1150GSA  2004    60000
 7     5500  1100GS   1996    23000
 8    11500  1200GS   2005    12000
 9     7200  1150GS   2002    40000
10    11950  1200GS   2008    29000
11     9600  1200GS   2005    39000

I used a simple OLS regression model to fit this data, using the model year and mileage for the bike. The result is:

summary(fit2)

Call:
lm(formula = d2$Asking ~ d2$Year + d2$Mileage)

Residuals:
      Min        1Q    Median        3Q       Max 
-1360.040  -353.520  -150.358     2.140  1708.510 

Coefficients:
              Estimate Std. Error t value Pr(>|t|)    
(Intercept) -1.201e+06  1.889e+05  -6.359 0.000218 ***
d2$Year      6.056e+02  9.423e+01   6.426 0.000203 ***
d2$Mileage  -7.631e-02  1.578e-02  -4.836 0.001294 ** 
---
Signif. codes:  0 '***' 0.001 '**' 0.01 '*' 0.05 '.' 0.1 ' ' 1 

Residual standard error: 975.1 on 8 degrees of freedom
Multiple R-squared: 0.9108,	Adjusted R-squared: 0.8885 
F-statistic: 40.84 on 2 and 8 DF,  p-value: 6.335e-05 

Our model predicts that each year the bike is on the road it loses about $600 in value and that it loses about $76 for each 1000 miles it has. [Note that I'm treating mileage and age as independent variables; it might make more sense to try to estimate "excess" mileage over some base value, but I don't have the baseline data I would need.] In any case, we're doing pretty well here: with only two predictors we are accounting for around 90% of the price variation. We can see this visually by plotting the price points against the best fit plane, as below:

library(scatterplot3d)
# 3D scatter of asking price against model year and mileage
s3d <- scatterplot3d(d2$Asking ~ d2$Year + d2$Mileage, xlab="Year", ylab="Mileage", zlab="Asking")
# Project each observed point and its fitted value onto the 2D plotting surface
orig <- s3d$xyz.convert(d2$Year, d2$Mileage, d2$Asking)
plane <- s3d$xyz.convert(d2$Year, d2$Mileage, fitted(fit2))
# Residual sign selects the segment style: 1 = below the plane (blue, dashed), 2 = above (red, solid)
i.negpos <- 1 + (resid(fit2) > 0)
segments(orig$x, orig$y, plane$x, plane$y, col=c("blue","red")[i.negpos], lty=(2:1)[i.negpos])
# Draw the fitted regression plane itself
s3d$plane3d(fit2)
(code ripped off from here).

Points above the plane (shown with red lines) are likely too expensive and points below (with blue lines) are worth checking out to see if they're good deals.
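The fit and the above/below-plane check, redone in pure Python as an added example (this is not the post's R code). It uses the eleven listings from the table above and solves the normal equations directly, so it runs without R or numpy; the listing ids are the row numbers from the table.

```python
# Added example (not the post's R code): re-fit the post's OLS model
# Asking ~ Year + Mileage in pure Python and rank listings by residual.

# The 11 Craigslist listings from the post's table: (id, asking, model, year, mileage)
LISTINGS = [
    (1, 7650, "1150GS", 2002, 25000),
    (2, 7900, "1150GS", 2001, 54000),
    (3, 14500, "1200GSA", 2006, 3700),
    (4, 8500, "1200GS", 2005, 54000),
    (5, 13700, "1200GS", 2007, 3658),
    (6, 7400, "1150GSA", 2004, 60000),
    (7, 5500, "1100GS", 1996, 23000),
    (8, 11500, "1200GS", 2005, 12000),
    (9, 7200, "1150GS", 2002, 40000),
    (10, 11950, "1200GS", 2008, 29000),
    (11, 9600, "1200GS", 2005, 39000),
]

# Regression rows: (response, predictor_1, predictor_2)
BIKE_ROWS = [(asking, year, miles) for (_i, asking, _m, year, miles) in LISTINGS]


def solve_linear(a, b):
    """Solve the square system a x = b by Gaussian elimination with
    partial pivoting; plenty for the small normal-equation systems here."""
    n = len(b)
    m = [list(row) + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= f * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (m[i][n] - sum(m[i][j] * x[j] for j in range(i + 1, n))) / m[i][i]
    return x


def ols_fit(rows):
    """OLS coefficients [intercept, b_1, ..., b_k] for rows of (y, x_1, ..., x_k).
    Predictors and response are centred before solving the normal equations,
    which keeps the system well conditioned despite Year ~2000 and
    Mileage ~50000; the intercept is recovered from the means afterwards."""
    n = len(rows)
    ys = [float(r[0]) for r in rows]
    cols = [[float(r[j]) for r in rows] for j in range(1, len(rows[0]))]
    ymean = sum(ys) / n
    means = [sum(c) / n for c in cols]
    xc = [[v - mu for v in c] for c, mu in zip(cols, means)]
    yc = [y - ymean for y in ys]
    sxx = [[sum(p * q for p, q in zip(ci, cj)) for cj in xc] for ci in xc]
    sxy = [sum(p * q for p, q in zip(ci, yc)) for ci in xc]
    slopes = solve_linear(sxx, sxy)
    intercept = ymean - sum(b * mu for b, mu in zip(slopes, means))
    return [intercept] + slopes


def predict(coefs, *xs):
    """Fitted value for one observation's predictor values."""
    return coefs[0] + sum(b * x for b, x in zip(coefs[1:], xs))


def fit_summary(rows):
    """Coefficients, residuals, R^2 and residual standard error, i.e. the
    numbers R's summary(lm(...)) reports for the same data."""
    coefs = ols_fit(rows)
    resid = [r[0] - predict(coefs, *r[1:]) for r in rows]
    n, p = len(rows), len(coefs)
    ymean = sum(r[0] for r in rows) / n
    ss_res = sum(e * e for e in resid)
    ss_tot = sum((r[0] - ymean) ** 2 for r in rows)
    return {
        "coefs": coefs,
        "residuals": resid,
        "r_squared": 1.0 - ss_res / ss_tot,
        "resid_se": (ss_res / (n - p)) ** 0.5,  # sqrt(SSE / df), df = n - p
    }


def rank_by_residual(listings=LISTINGS):
    """Listings ordered from most above the fitted plane (asking too high)
    to most below it (worth a closer look), as (id, residual) pairs."""
    summary = fit_summary([(a, y, m) for (_i, a, _mod, y, m) in listings])
    ranked = sorted(zip(listings, summary["residuals"]), key=lambda t: -t[1])
    return [(row[0], round(e, 1)) for row, e in ranked]


if __name__ == "__main__":
    s = fit_summary(BIKE_ROWS)
    print("coefs (intercept, year, mileage):", [round(c, 5) for c in s["coefs"]])
    print("R^2 = %.4f, residual SE = %.1f" % (s["r_squared"], s["resid_se"]))
    print("2005 bike with 30k miles, expected asking: %.0f" % predict(s["coefs"], 2005, 30000))
    for bike_id, e in rank_by_residual():
        print("listing %2d: residual %+8.1f" % (bike_id, e))
```

The coefficients, R^2 and residual standard error come out the same as the R summary above, and the two listings with the largest positive residuals are the ones the plot draws in red.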

Obviously, we're excluding a lot of variables here. We haven't captured the condition of the bike, how desperate/motivated the seller is to get rid of it, what accessories it has, etc. Looking more closely at the data, the two most comparatively expensive bikes seem to come with a few more accessories, so this may have led the owners to think they could extract more money (I don't think this is really true, however, since often those items are valuable only to the original owner). For the purposes of selecting good deals, we would also like to know how flexible the seller's price is. It's possible that someone lowballing the price will also be less flexible because they've already built that discount into their price. On the other hand, they could be more motivated, so that could cut in the other direction. It would be interesting to get secondary data on how much these bikes actually sell for [you could get some of that information by seeing if repeated postings have lower prices], but while that data is available for houses I don't think it is for bikes.

 

January 8, 2010

Jennifer Leigh sent me a pointer to this article suggesting that running shoes put more stress on your legs:

Sixty-eight healthy young adult runners (37 women), who run in typical, currently available running shoes, were selected from the general population. None had any history of musculoskeletal injury and each ran at least 15 miles per week. A running shoe, selected for its neutral classification and design characteristics typical of most running footwear, was provided to all runners. Using a treadmill and a motion analysis system, each subject was observed running barefoot and with shoes. Data were collected at each runner's comfortable running pace after a warm-up period.

The researchers observed increased joint torques at the hip, knee and ankle with running shoes compared with running barefoot. Disproportionately large increases were observed in the hip internal rotation torque and in the knee flexion and knee varus torques. An average 54% increase in the hip internal rotation torque, a 36% increase in knee flexion torque, and a 38% increase in knee varus torque were measured when running in running shoes compared with barefoot.

Seeing as hip, knee, and ankle are major running injury sites— in fact, practically every major running injury I've ever had has been either at the knee or the ankle—this seems like it's something to pay attention to. The authors recommend that "Reducing joint torques with footwear completely to that of barefoot running, while providing meaningful footwear functions, especially compliance, should be the goal of new footwear designs." I already wear a relatively compliant shoe, the Inov-8 295, and while I don't have any data, it seems to have had a positive impact on a persistent ankle injury that has plagued me for years. I'd be interested to see this study repeated with a shoe deliberately designed to be as barefoot-like as possible like the Inov-8.

I do have a pair of the Vibram FiveFingers shoes, and while the advertising literature clearly suggests that you can run in them, I haven't really been brave enough to try it. There seem to me to be two issues here: First, the soles provide some protection but they're pretty flexible; I'm not sure that if you stepped directly on a rock it wouldn't be unpleasant. So, it seems like you would have to be a bit careful on trails. By contrast, asphalt is so unforgiving you would really need to have ideal form in order to avoid having some pretty serious impact forces. I'm still planning to go for a short run on a trail at some point, but I figure on taking it slow.

 

January 5, 2010

Check out this picture of the arrival escalator at SFO:

I'm not sure exactly what all these gizmos are, but they seem to be some sort of cameras, and one flashed at me as I was coming down the escalator to baggage claim. Note that even though I was coming in from Canada, these are positioned in domestic arrivals, so it's not just a matter of recording people entering the country. On the other hand, I didn't see any cameras on other levels, but maybe I just missed them.

P.S. Have you noticed how the new security measures that seem to be inevitably introduced after attacks, while perhaps not particularly effective, seem to line up pretty well with what the airlines wanted anyway? The rationale for the post-9/11 physical identification requirements is to support the no-fly list, but it also makes tickets non-transferable, which is good for airline revenues. Similarly, the airlines would prefer that people stayed in their seats (this makes beverage service, etc. easier) and brought less carry-on, and tada, TSA delivers. OK, that's overstating things a bit; I don't really think TSA is deliberately designing security procedures to accommodate the airlines, but their policies, which generally restrict passenger choices, have shifted the balance of power between the airlines and their customers in a way that the customers probably wouldn't have accepted if those policies weren't presented as security measures.

 

December 31, 2009

This decade retrospective post is in conformance with Section 123(a)(1)(j)(ii)(c) of the American Recovery and Reinvestment Act of 2009.

During this decade, I had the opportunity to use many great fasteners, but in my opinion the best of these was the 10-24 rack mount screw—Allen head, of course, superior to the #2 Phillips (too finicky), and the Robertson (too Canadian). Other excellent choices include the zip tie, 5 minute epoxy, and duct tape.

 
I'm probably late to the party here but I wanted to make note of the NYT's recent article on water safety. (þ Melanie Schoenberg). While there's certainly some stuff here one might be distressed about, the article is written in such a way that it's pretty hard to evaluate how serious the issue actually is.

The article seems to make three major factual claims:

  • The Safe Water Drinking Act only regulates a small fraction of the potentially hazardous chemicals potentially found in drinking water.
  • Many municipal water systems contain chemicals at levels which, while legal, may be unsafe (e.g., are above EPA safe levels).
  • People are getting sick from this.

I don't doubt that the first of these is true: according to the article, 60,000 plus chemicals are used within the US (I'm actually surprised it's this low, since the PDR has over 4000 drugs and MSDS.COM claims to have 3.5 million data sheets), and it's not clear how you would plausibly analyze all of these, let alone determine permissible levels for each of them. I'm not saying this is desirable, but it's not necessarily a disaster either. Ultimately, you can either have a "default accept" or a "default deny" policy here; given how sensitive modern analytic techniques are, if your policy is "default deny" you're going to spend a lot of time removing trace concentrations of harmless chemicals from your water supply. On the other hand, if it's "default accept" you're going to end up with a lot of chemicals in your water that you don't really know are safe.

Given the first point, the second isn't surprising either. With that said, I'm not sure that the Times is really representing the situation that accurately. For instance, here's the report for Palo Alto, where I live. The Times reports "1 contaminant below legal limits, but above health guidelines", with the contaminant being alpha particle activity at a mean rate of 4.56 pCi/L. Let's see if we can put this in perspective. Assume humans are made entirely of water and rescale into kg, so we have 4e-12 Ci/kg of human body mass. A Ci is 37e+9 disintegrations/s so multiplying out we have .148 disintegrations/kg/s. If we assume that all the alpha particles are from U-238, and the alpha particles are being emitted at 4.270 MeV (~ 7e-13 J), then we get 1e-13 J/kg/s. If we assume that all of these are absorbed (not crazy since alpha particles have a very short path in the body) then we're getting 1e-13 Grays/s or 2e-12 Sv/s (multiply by the 20 Q factor for alpha particles) or .03 mSv/year. For comparison, the background level of radiation is 2.4 mSv/year. Obviously this isn't something you should be that thrilled about, but it's not clear to me that a 1% increase in your radiation dose is that bad either.

Given that, why does the NYT list this as above the health level? The answer seems to be that their safe value for alpha particles is zero (the legal limit is 15 pCi/L): the maximum level of alpha particle activity in neighboring Mountain View is 2.56 pCi/L, but it's still listed as having 5 "above health" samples (Chicago had one reading of .88 pCi/L and is also listed as a positive). This all makes me wonder if something is wrong here and the NYT is showing false positives. Of course, when you're processing a lot of data it's easy to make mistakes—assuming this is a mistake. It could be that I'm confused or that it's just the alpha particle threshold that's too low. I e-mailed the Times to ask them for a copy of the raw data, but I haven't heard anything yet.

This brings us to the final point: the Times writes:

All told, more than 62 million Americans have been exposed since 2004 to drinking water that did not meet at least one commonly used government health guideline intended to help protect people from cancer or serious disease, according to an analysis by The Times of more than 19 million drinking-water test results from the District of Columbia and the 45 states that made data available.

...

And independent studies in such journals as Reviews of Environmental Contamination and Toxicology; Environmental Health Perspectives; American Journal of Public Health; and Archives of Environmental and Occupational Health, as well as reports published by the National Academy of Sciences, suggest that millions of Americans become sick each year from drinking contaminated water, with maladies from upset stomachs to cancer and birth defects.

This seems to conflate a bunch of issues. There seems to be a lot of variance in the data, with some tests showing positive results and some negative results (or low levels) for the same toxin even in the same area. It's very different to drink water with a toxin in it once than it is to drink it every day for 10 years. I spent a couple of days in Boston in 2007, but I'm not overly concerned about the fact that I might have been exposed to twice the legal limit of haloacetic acids in the two to four liters of water I drank while I was there. More generally, while one positive test may qualify as an exposure, it's not clear what that means as far as the real level of risk people are incurring. And of course there's a difference between cumulative toxins (e.g., arsenic) and acute toxins (e.g., E. coli). Speaking of E. coli, "maladies from upset stomachs to cancer and birth defects" covers a lot of territory; it's one thing if a sewer system occasionally fails to remove all the bacteria from the water supply (not that that's good) and another if it delivers hot and cold running cyanide from the tap.

Obviously, when you read this article you're supposed to be scared, but the way the article is written (and the opaque data presentation) doesn't make me feel like I have enough data to know if I should be or not.

P.S. San Francisco really does have great water. Almost good enough to make up for destroying Hetch Hetchy.

 

December 30, 2009

I flew back from Soviet Canuckistan last night and got to experience the new security measures firsthand. The high order bit is that nearly all carry-on baggage is banned. They make exceptions for a few things like women's purses, medicine, baby stuff, cameras, and laptops (allegedly no chargers, but we saw exceptions), but even then you can't carry them in a significant bag: the security lines were full of people carrying their naked laptops. Luckily, Mrs. Guesswork was carrying some stuffable cloth bags which we were able to use for our laptops, paperwork, a book, etc. My co-worker Derek wasn't as lucky, but the airline customer service rep did provide him with a substitute:

After you've checked all your valuable stuff, you get to go through security. The magnetometer and the bag x-ray are the same, but once you get through that, they hand-search all your stuff as well as giving you an extremely thorough pat-down, said pat-down extending to going through your wallet, presumably in order to verify that your money won't explode. All this was still quite a bit slower than the ordinary security screening, however. As reported previously, the FAs required you to stay in your seat for the last hour of the flight, but didn't try to stop you from having what remained of your stuff in your lap during that time.

As usual, TSA is being pretty uncommunicative about the rationale for the new restrictions. My impression based on Transport Canada's statement is that TSA required a whole bunch of new security restrictions including the hand searches and pat downs and that this created really long wait times at Canadian airports. So while restricting carry-on doesn't serve any real security purpose it does reduce the amount of searching that has to be done and therefore somewhat ameliorates the waiting time problem.

Obviously, keeping you in your seat for the last hour of the flight is pretty pointless. Even if terrorists can't blow themselves up from their seats, nothing stops them from detonating a bomb 61 minutes before landing. This just seems like fighting the last war.

On the other hand, doing really extensive searches of people probably does add some security value. This isn't to say that there's no way for someone to smuggle explosives onto the plane with the current level of screening, but this presumably does increase the required level of sophistication. On the other hand, it's a huge hassle for travelers—I never travel with checked luggage if I can avoid it, but the new restrictions more or less require you to check bags. As I said earlier, the cost/benefit analysis hasn't really changed since before the attempted attack. If it wasn't worth doing this level of searching a month ago, it isn't worth doing it now just because we're freaked out that someone finally tried the attack we knew would eventually come. And if it is worth doing now, then it was worth doing before so why weren't we doing it?

I can't see any reason to have different levels of screening for domestic and international flights. It's not like it's that much easier to lay your hands on explosives in Canada or Europe than in the US, so what stops a terrorist from flying to the US without any weapons or anything, getting explosives and then boarding a plane in the US? The added security is particularly silly on flights which originate in Vancouver and Toronto; ordinarily you clear customs and immigration in the US, so at least in theory terrorists might board the plane in, say, Frankfurt and not be apprehended until they arrive in San Francisco, at which point it's too late (of course, if the no-fly list actually worked, this would be less of an issue, but since it's actually pretty lame...). However, in many Canadian airports, including YVR and YYZ, you clear immigration and customs in Canada (and this is done by TSA agents, so there's no concern about not trusting foreigners) and when you land you just get off the plane. For flights from those airports, there's no meaningful distinction between domestic and international flights even if there would have been otherwise.

Ideally, in a week or two the panic response will die down, TSA will relax their restrictions and we'll go back to when we thought just having to take your shoes off was annoying. Reading the tea leaves, though (see, for instance, William Saletan's post here), I suspect that instead this will accelerate the deployment of whole body scanners as an alternative to the pat-downs. Ironically, Wikipedia reports that the first airport deployment of whole body scanners was in Schiphol, the airport where Umar Abdulmutallab (thanks to Wikipedia for the name) boarded; it would be interesting to know if he went through the scanners. Of course whole-body scanners don't let you scan carry-on luggage any faster, so it's hard to see how anything other than a lower level of paranoia will improve that.