2010 08 08

From TheCommandLineWiki

News Cast for 2010-08-08

(00:17) Intro

  • Thanks to listener Mike for his donation this week
  • Quick review of The Osiris Ritual
    • I reviewed George Mann's first novel, The Affinity Bridge
    • I received an uncorrected proof of the sequel and read it at that time
    • I thought I'd share a few thoughts now that the book is out
      • And available for purchase
    • http://www.amazon.com/gp/product/0765323214?ie=UTF8&tag=thecommandl0a-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=0765323214
    • The 2nd book in the series felt more focused
    • If I were to compare Mann's books to the X-Files
      • Which I think is a good comparison, actually
      • Then the first book was more of a monster of the week story
    • This book was more about the mythology of the characters
    • A thread at the very tail end of the first book
      • Becomes the main part of this installment
    • The characters remained just as enjoyable
      • And the mystery had me guessing at one or two points
    • It felt like the story got to unfold a bit more
      • Now that we know everyone and the setting
    • The retro-futurism is still nicely tucked into the background of the story
    • Even though magic is more of a focus in this book
      • Like the first one, it is still delightfully ambiguous
      • A scientific explanation for the titular ritual is just as likely as a truly occult one
    • Again, this is not a kid friendly book
      • With about as much gore as the Affinity Bridge
    • The subtle classist elements are pretty much gone
      • Though I hope as the series goes on that they might be explored more fully
    • In sum, I'd say this is a solid representation
      • And I hope it does well so that we might see at least a few more books
        • In this particular take on a Steampunk England
        • With these two particular fun and well written sleuths

(03:54) Security alerts

(04:13) RFIDs provably can be read at over 60 meters

  • http://www.theregister.co.uk/2010/08/02/long_range_rfid/
  • It has been a while since I've seen anything interesting about RFIDs
  • The Register points to some research from Chris Paget
  • He recently presented at Defcon, demonstrating how to eavesdrop
    • On GSM cell phones using a fake cell tower
  • In this case, he's been looking at 2nd generation RFID tags
  • Unlike the older chips, they don't rely on magnetic induction
    • Where the reader's field has to be strong enough to power the chip directly
    • Which only works at a distance measured in feet
  • Paget's research likens the newer chips to radar systems
  • Readers push out a pulse in a frequency range comparable to wireless phone handsets
  • They then listen for the weak return that the passive tag reflects back
  • The idea is that you can simply pump more power into the reader
    • To get that pulse to travel further
  • Paget has tested up to a little over 200 feet
  • He reasons though that with enough power and the right equipment
    • The newer tags can be read at a distance of miles
  • The protocols for them do have timing limits, the reader only waits so long for a reply
    • In practice, that probably caps being able to read a chip
    • At about ten miles
  • As the article suggests, this is still plenty enough
    • For thieves to potentially sweep neighborhoods
    • Looking for tags used for inventorying items, trying to spot high price goods
  • It makes a good case for removing tags after purchase
    • EPC Gen2 tags also carry a password-protected kill command
      • So a retailer can permanently disable a tag at the register rather than leaving it to the buyer to find and strip
  • I also think it reminds us that tags should have an on-off switch
    • One that defaults to off where possible
    • Requiring the owner of say a US passport which uses these newer chips
      • To explicitly enable the chip, regardless of the distances involved
  • Doing so would eliminate much of the concern over passive sensing
    • For reasons other than the original inventory control or identification applications
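A worked example of the range reasoning above, added here and not part of the Register article or of Paget's work: a free-space (Friis) link budget for the forward link, i.e. how far a reader of a given EIRP can still deliver the tag's turn-on power, the power increase needed to stretch that range (for both the forward link and the weaker backscatter return), and the distance cap implied by a reply timeout. Every number passed in (4 W EIRP, a -18 dBm tag sensitivity, a 2 dBi tag antenna, a 100 microsecond reply window) is an assumption chosen for the demo; real tags, reader antennas and the Gen2 timing parameters differ.

```python
import math

C = 299_792_458.0  # speed of light, m/s


def dbm_to_w(dbm: float) -> float:
    """Convert a power level in dBm to watts."""
    return 10 ** ((dbm - 30) / 10)


def dbi_to_linear(dbi: float) -> float:
    """Convert an antenna gain in dBi to a linear factor."""
    return 10 ** (dbi / 10)


def forward_link_range_m(reader_eirp_dbm: float, tag_sensitivity_dbm: float,
                         freq_hz: float, tag_gain_dbi: float = 2.0) -> float:
    """Free-space distance at which the tag still receives its turn-on power.

    Friis: P_rx = EIRP * G_tag * (lambda / (4 pi d))^2, solved for d at P_rx = sensitivity.
    Multipath, orientation and body loss are ignored (assumption), so this is optimistic.
    """
    wavelength = C / freq_hz
    p_tx = dbm_to_w(reader_eirp_dbm)
    p_min = dbm_to_w(tag_sensitivity_dbm)
    return (wavelength / (4 * math.pi)) * math.sqrt(p_tx * dbi_to_linear(tag_gain_dbi) / p_min)


def power_for_range_db(current_range_m: float, target_range_m: float,
                       link: str = "forward") -> float:
    """Extra reader power (dB) needed to stretch a read from current to target range.

    Forward link (powering the tag) falls off as 1/d^2, so range scales with sqrt(P):
    20 dB per factor of ten in distance.  The backscatter return seen by the reader
    falls off as 1/d^4, so if that is the limit it costs 40 dB per factor of ten.
    """
    exponent = 20.0 if link == "forward" else 40.0
    return exponent * math.log10(target_range_m / current_range_m)


def timing_cap_m(reply_timeout_s: float) -> float:
    """Farthest tag whose reply can arrive before the reader stops listening.

    The signal has to go out and come back, hence the factor of two.
    """
    return C * reply_timeout_s / 2


if __name__ == "__main__":
    # Constructed scenario: US-style 4 W EIRP (36 dBm) at 915 MHz, assumed -18 dBm tag.
    r = forward_link_range_m(36.0, -18.0, 915e6)
    print(f"nominal forward-link range: {r:.1f} m")
    print(f"extra power to reach 200 ft (61 m): {power_for_range_db(r, 61.0):.1f} dB")
    print(f"extra power to reach 10 miles (16093 m), forward-limited: "
          f"{power_for_range_db(r, 16093.0):.1f} dB")
    print(f"extra power to reach 10 miles if backscatter-limited: "
          f"{power_for_range_db(r, 16093.0, link='backscatter'):.1f} dB")
    print(f"range cap for a 100 us reply window: {timing_cap_m(100e-6) / 1609.344:.1f} miles")
```

The useful rule of thumb this makes concrete is that every doubling of read range costs 6 dB of reader power on the forward link and 12 dB on the return, so long-range reading is as much about receiver sensitivity and antenna gain as about raw transmit power, and the reply window, not physics, is what finally bounds it.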

(06:43) reCAPTCHA now vulnerable to algorithmic attack

  • You've no doubt seen CAPTCHAs, the distorted numbers and letters
    • You need to recognize and enter correctly to prove you are a human not a spambot
      • When registering for an online account somewhere
  • They were invented by Luis von Ahn and others at CMU
  • The word stands for Completely Automated Public Turing test to tell Computers and Humans Apart
  • They take advantage of the disparity in ability between people and machines
    • In correctly recognizing letters despite errors
  • von Ahn more recently launched reCAPTCHA
    • A project inspired by the sheer volume of wasted human time spent on CAPTCHAs
  • It uses words that failed optical character recognition software in book digitization projects
  • There are some controls for gaming and it relies on more than one person identifying a word
    • To increase the quality of the results
  • Ultimately, it supplements digitization with human effort
    • And where scammers are able to write programs to break CAPTCHAs
    • It can directly harness the benefit of those programs, even if the security aspect fails
  • http://it.slashdot.org/story/10/08/05/2054247/ReCAPTCHAnet-Now-Vulnerable-to-Algorithmic-Attack
  • What Slashdot links to is research presented at Defcon by Chad Houck
  • The original research was able to solve one in ten CAPTCHAs specifically from reCAPTCHA
  • Changes just before Defcon meant he had to re-work his approach
    • But in doing so increased his success rate to 30%
  • Some of what he explains is the tolerance for errors that reCAPTCHA allows
  • Their goal isn't to make solving these so hard that regular people cannot do it
  • The three techniques the research attacks are additional distortions
    • That reCAPTCHA adds on top of words that did poorly with traditional OCR
  • It isn't clear to me whether the techniques described
    • Would improve on traditional OCR
    • Or even if they differ from approaches OCR already uses
  • The conclusion that there is no CAPTCHA scheme that cannot be cracked
    • Seems to stem from the speed at which this technique runs
  • Even with the modest success rate, running the attack throttled
    • To prevent lock out from too frequent failures
    • I guess suggests a still high enough return on compute time
    • To make this attack worth pursuing even if not wildly successful
  • I don't think the conclusion follows that a program can be built to read
    • Anything a human can read, even with the 30% figure
  • Rather I think the economics work out that even a small success rate
    • Is enough incentive to keep attackers working at ways past even the best CAPTCHAs

(09:45) News

(09:58) Algorithm to improve energy efficiency of mesh networks

  • http://arstechnica.com/science/news/2010/08/researchers-craft-algorithm-to-turn-mesh-networking-green.ars
  • Not surprisingly, power consumption is a concern for networking
    • As well as standalone computers
  • John Timmer at Ars discusses new research published
    • In the Journal of Lightwave Technology
  • Specifically, the researchers looked at the power utilization
    • Of a wireless mesh network
  • In this case they are proposing this kind of network as an alternative
    • To fiber to the home for the last mile connection
  • In a mesh, all of the nodes act more as peers
  • Rather than having dedicated routers to which everything connects
    • And marshals data around through a hub and spoke topology
    • The nodes in a mesh all coordinate to pass traffic and optimize routing
  • Lowering the need for specialized appliances in the network
    • Is advantageous when you want to keep costs down
  • One of the highest profile uses of a mesh was OLPC
  • The original plan for these cheap laptops was to use their wireless
    • To form adhoc meshes that could carry data over long hauls
  • Only one or a few nodes in the network need to have internet access
  • The goal of routing data through such systems
    • Is to keep the number of hops through it to a minimum
    • And to balance the network load throughout the mesh
  • Both of these work best when the membership of the mesh is pretty constant
  • If some of the members dropped out, say to save power when they are otherwise idle
    • Then a traditional mesh cannot as easily optimize routes and spread traffic evenly
  • In this paper they are looking at ways to reduce power consumption
    • By dealing better with nodes spinning down when idle to save power
  • Instead of spreading traffic evenly throughout, even when traffic is middling to low
    • Their algorithm tries to saturate fewer routes with more traffic
  • This frees up many members of the mesh to power down if not needed
  • The heuristic used was high and low watermarks
  • Nodes are gauged for when they are typically at high utilization
    • To avoid pushing them too much harder, beyond their capacity
    • And conversely when they drop down below a certain threshold and may be off
  • Clearly this approach requires a known set of nodes that don't change over time
  • It is less likely to be applicable to ad hoc meshes like OLPC
  • Timmer notes that the algorithm also doesn't scale very well
  • Not surprisingly, the cost to compute increases geometrically with each node added
  • This is actually a pretty common scaling aspect of peer to peer networks
  • As the article mentions, some of the energy savings may be lost
    • To the NP-hard and hence costly calculations to make this approach work
  • Despite the challenges, they modeled a network in Davis California
  • It included a mixture of academic systems, businesses and residences
  • The result was an improvement of dozens of Watts throughout the entire day
    • Without any loss of network performance
  • Timmer is skeptical a wireless mesh will make sense for last mile connections
  • I wonder if this is more broadly applicable
  • Using historical data, it should be possible to build similar models
    • And develop ways to at least eke out modest power efficiency gains
    • For all kinds of networks that have any kind of peer relationships in them
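The consolidate-and-sleep idea above, as an added example that is not code from the paper, from Ars or from OLPC: a small Python model that routes the same demands over a five-node mesh twice, once spreading load evenly and once steering it onto nodes that are already awake, while refusing to push any node past a high watermark, and then lets transit nodes that end up below a low watermark sleep. The topology, capacities, demands, watermarks and per-node wattages are assumptions made up for the demo, not the paper's model of Davis, and the routing rule is a deliberately simple stand-in for whatever optimization the researchers actually ran.

```python
import heapq
from typing import Dict, List, Set, Tuple

# Constructed 5-node mesh with two alternative transit nodes (B or C) between A and D.
# Topology, capacities, demands and wattages are assumptions for this demo,
# not data from the paper or from the Davis, California model.
MESH: Dict[str, List[str]] = {
    "A": ["B", "C"],
    "B": ["A", "D"],
    "C": ["A", "D"],
    "D": ["B", "C", "E"],
    "E": ["D"],
}
CAPACITY = 10.0             # traffic units one node can carry
HIGH_WATERMARK = 8.0        # never route more through a node than this
LOW_WATERMARK = 2.0         # a transit node carrying <= this may sleep
P_ACTIVE, P_SLEEP = 5.0, 1.0   # watts per node, assumed
WAKE_PENALTY = 5.0          # routing cost of waking an idle node (an active one costs 1.0)

Demand = Tuple[str, str, float]   # (source, destination, traffic)
DEMANDS: List[Demand] = [("A", "E", 3.0), ("A", "E", 3.0), ("A", "D", 2.0)]


def node_cost(node: str, load: Dict[str, float], amount: float, policy: str) -> float:
    """Cost of carrying `amount` through `node`; inf if it would breach the high watermark."""
    if load[node] + amount > HIGH_WATERMARK:
        return float("inf")
    if policy == "balanced":
        return 1.0 + load[node] / CAPACITY          # prefer the least loaded node
    return 1.0 if load[node] > 0 else WAKE_PENALTY  # prefer nodes that are already awake


def route(src: str, dst: str, amount: float, load: Dict[str, float], policy: str) -> List[str]:
    """Dijkstra over per-node costs; returns the node path src..dst or raises if none fits."""
    dist = {src: 0.0}
    prev: Dict[str, str] = {}
    heap = [(0.0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == dst:
            break
        if d > dist[node]:
            continue
        for nb in MESH[node]:
            nd = d + node_cost(nb, load, amount, policy)
            if nd < dist.get(nb, float("inf")):
                dist[nb] = nd
                prev[nb] = node
                heapq.heappush(heap, (nd, nb))
    if dst not in dist:
        raise ValueError(f"no path {src}->{dst} fits under the high watermark")
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def run_mesh(policy: str, demands: List[Demand] = DEMANDS) -> dict:
    """Route every demand under `policy`, then let lightly loaded transit nodes sleep."""
    load = {n: 0.0 for n in MESH}
    for src, dst, amount in demands:
        for node in route(src, dst, amount, load, policy):
            load[node] += amount
    endpoints = {n for s, d, _ in demands for n in (s, d)}   # these must stay up
    sleeping: Set[str] = {n for n in MESH if n not in endpoints and load[n] <= LOW_WATERMARK}
    active = len(MESH) - len(sleeping)
    return {"loads": load, "sleeping": sleeping,
            "power_w": active * P_ACTIVE + len(sleeping) * P_SLEEP}


if __name__ == "__main__":
    for policy in ("balanced", "consolidated"):
        r = run_mesh(policy)
        print(f"{policy:12s} loads={r['loads']} sleeping={sorted(r['sleeping'])} "
              f"power={r['power_w']:.0f} W")
```

On this input the balanced policy splits the two A-to-E flows over B and C and keeps all five nodes up, while the consolidated policy packs everything through B up to its watermark and lets C sleep. The sleep set is computed from a fixed node list after all demands are known; if a node joined or left mid-run, loads and the sleep decision would have to be recomputed from scratch, which is the ad hoc mesh limitation the text points out.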

(13:38) Supposed vigilante citizen group monitoring ISPs, reporting to the Fed

  • http://www.salon.com/news/opinion/glenn_greenwald/2010/08/02/privacy
  • My friend Paul Fischer sent me a link to this Salon article
    • And asked what my thoughts were on the story
  • It starts off discussing the story of Brad Manning's supposed leak
    • Of many classified documents to WikiLeaks
  • And his subsequent betrayal by convicted hacker, Adrian Lamo
  • As the article explains, at least part of the reason Lamo turned Manning in
    • Was at the prompting of Chet Uber
    • With whom Lamo worked as a volunteer analyst on a citizen monitoring group
  • The rest of the article is spent exploring Uber's role at Project Vigilant
    • And what that group is and does
  • I have to be honest, reading about it made my stomach churn
  • Supposedly, the group is made up of any number of experts
    • In the field of network management and security
  • They collect data from a dozen regional ISPs and perform analysis
  • The results are then given to the federal government
  • The group claims to have been in operation pretty much since 9/11
  • It strikes me as a way of working around the sort of oversight and accountability
    • That prevents federal law enforcement agencies from doing this kind of monitoring
  • A private group would not need to get a warrant
    • Or even necessarily have to comply with privacy standards
    • Beyond those in effect at the ISPs from which they collect data
  • I am sure there are examples of this sort of public-private partnership
    • And even in the more specific realm of law enforcement
  • One saving grace is that it isn't active surveillance like some ill fated NSA programs
    • Rather the group takes advantage of some ISPs including the ability
    • In their EULAs to share subscriber information with third parties
  • I doubt that such agreements stipulate exactly what kind of third parties
    • So this is possible, maybe even likely
  • It still concerns me exactly for the lack of any kind of responsibility
    • To the public for what they collect and report
  • That actually makes me start to doubt the veracity of Uber's claims
  • Anyone working in this space as many of the supposed members do and have
    • Would be well aware of the liability issues that could arise
    • From operating without adequate oversight
  • On the other hand, as the author, Glenn Greenwald, suggests
    • This is very consistent with the explosive growth in this sort of work
    • Ever since the terrorist attacks on 9/11
  • It does resonate with a recent series at the Washington Post
    • About the immense and convoluted world of contractors, consultants and others
    • Working with many federal agencies in this space
  • He concludes that the real concern over WikiLeaks is that it is exposing
    • The lack of transparency for those surveilling us
    • And their coincident demand for us to give up any privacy online
  • This is a much older conflict, an imbalance in power
    • When it comes to the question of privacy online
    • That others, especially Bruce Schneier, have tried to address
  • http://www.salon.com/news/opinion/glenn_greenwald/2010/08/05/surveillance/index.html
  • Greenwald has a follow up that clarifies
    • That Project Vigilant is probably not as big a deal as previously suggested
  • Sure, it may exist, but its reach and impact is probably far more limited
  • It certainly fits in with the feeling of high drama
    • Around the story of Manning and Lamo from the start
  • He does still feel the larger issue of eroding privacy
    • Without commensurate accountability is real and worthy of concern
  • I think we need to push harder on adequate transparency and oversight
  • WikiLeaks should be an opportunity to build focus, momentum around doing so
  • For efforts like Project Vigilant, any agency receiving citizen data
    • Should apply the standards under which they operate
    • To any and all private partners
  • The ability to legally act as law enforcers should always carry the same burden
    • Of meeting standards like probable cause
    • Regardless of where intelligence originates

(17:49) Google ends development on Wave

  • http://googleblog.blogspot.com/2010/08/update-on-google-wave.html
  • Google made the announcement on Wednesday
    • That they would be ending development of Wave
  • The reason stated is poor user adoption
  • They will continue to run their servers through the end of the year
  • Anyone who implemented their own server using the Wave specifications
    • Undoubtedly can keep doing so
  • Much of the key code to the more interesting features is already open source
  • Google is also committed to helping users liberate their information
    • No one's project or communications will have to vanish with the servers going down
  • It is curious that Google describes Wave as an incubator in this post
  • They talk about all the pieces and parts that were novel
  • At one point they imply Wave's purpose really was to push the envelope of web applications
  • This is all consistent with their claims
    • That the technology in Wave will live on in other Google projects
  • That's a little gruesome, if you think about it
  • Wave is dead and the other project teams will be picking it over for parts
  • I clearly remember a lot of rhetoric when Wave launched
    • That in some way it was an evolution of email
  • Not necessarily all kinds of email but specifically in business environments
  • The leads were very up on the idea of Wave re-inventing
    • The way business people currently collaborate by sending documents back and forth through email
  • If I recall correctly, that language was much more confident
    • Than a speculative project just incubating or toying with technology would warrant
  • I have to give Google credit for recognizing Wave's failure as a popular tool
  • Not every company handles this circumstance very well
    • Often grinding projects into the ground or trying to re-invent them
      • In hopes of finding any kind of success even if far afield from the original idea
  • This is consistent with an interview with Google's head of research Peter Norvig
    • To which I linked this past week
  • Google in general seems to have a good handle on allowing projects to fail
    • And learning whatever they can when they do
    • Rather than trying to deny they ever make mistakes or misjudgements
  • There is a good CNet piece with plenty of quotes from Eric Schmidt
  • So it isn't just left to us to infer from this one instance of one project failing
  • I will say that I wish they were a bit more expansive
    • On the failure of the Nexus One though that is probably more a case
      • Of insuperable hurdles in dealing with the carriers than any user facing issues like Wave
  • A lot of folks are blaming Wave's complexity
  • For me it was more a case of not quite enough flexibility despite the open model
  • It was easy to throw together free form information
    • But difficult to harvest that after the fact into anything more structured
      • Like an easy to read historical version of a conversation
      • Or a more traditional document or even outline for sharing the results of collaboration
  • Google Docs lacked some of the power but its constraints
    • I think make it easier to distill down a collaboration into something more concrete and useful
  • Kirkpatrick also reminds us that very recently Google was making more commitments to Wave
  • Not only had they only just opened it up to the public from a previously invite-only beta
  • But they also pulled in more engineering resources to work on it
  • The timing, then, is a bit odd as understandable as the failure may be

(21:12) What exactly happened between Google and Verizon?

  • Network neutrality is a difficult enough issue to understand
  • One aspect is that ISPs would clearly like to expand their rent seeking
  • Charging customers for different network speeds is simple profit seeking
  • All of the sites a customer accesses are uniformly affected
    • By whatever tier of access they can afford today
  • If ISPs could, they would also want to charge content and service providers
  • The idea is that larger companies, like Google
    • Could better afford to buy into a fast lane from them to consumers
  • This would lead to a difficult to understand network experience
    • For the typical user where their access speed is no longer the main variable
  • In addition to the organic kinds of latency from heavy traffic to popular sites
    • With discriminatory pricing it would be difficult to tell
    • If issues of latency stem from an inability for a service to pay a premium
  • It really does brush up against Free Speech rights in the sense
    • That access to speech is as much a part of those rights
    • As the ability to speak in the first place
  • ISPs keep their network management practices under wraps
    • And we lack good, broadly applicable tools for measuring why network connections slow down
  • Network neutrality is a lofty goal in principle
    • But very difficult to approach in practice
  • It was shocking, then, when news broke this past week that, according to sources
    • Verizon and Google had made some sort of net neutrality pact
  • http://voices.washingtonpost.com/posttech/2010/08/google_and_verizon_have_come.html
  • A lot of other outlets covering this story say the NYT first broke it
    • But I think Cecilia Kang at the Washington Post was pretty close
  • She describes negotiations between Verizon and Google
    • As part of the closed door talks the FCC was hosting
    • Trying to strike some accord between carriers and service and site operators
  • As her article explains, the supposed deal would have been pretty mixed
  • In some case, it would have limited network prioritization
    • A goal seemingly compatible with the general idea of network neutrality
  • However, other aspects of the deal would seem to have provided for priority access
    • To some of Google's services like YouTube
  • That kind of prioritization on the publisher end breaches the very idea of neutrality
  • Google was quick to deny making a deal with Verizon
  • http://www.pcmag.com/article2/0,2817,2367436,00.asp
  • HT Matt
  • Google claims it was not negotiating to pay Verizon for carriage
    • And that it remains committed to an open internet
  • The PC Magazine article also has a quote from Verizon
    • From a post on their public policy blog
  • They don't deny that talks took place but do describe their purposes differently
  • Verizon claims it is committed to working with the FCC
    • And honoring obligations for transparency and accountability
  • I didn't see a post on Google's public policy blog
  • http://arstechnica.com/tech-policy/news/2010/08/google-verizon-deny-net-neutrality-rumors-but-still-meeting.ars
  • Matthew Lasar at Ars Technica clarifies what I inferred
    • That the two companies may be talking
  • Their denials are very specific to suggested outcomes of talks
  • What may be going on is some discussion around how to introduce self regulation
  • This is a common defensive tactic in industry to avoid or lighten the burden of new laws
  • Given that the FCC also seems to be struggling
    • One could charitably see discussions from two of the biggest players on each side
    • As a way for them to step into the gap that the FCC isn't filling very well
  • http://www.wired.com/epicenter/2010/08/google-verizon-deny-deal/
  • Wired points out the NYT is sticking by its story
  • They claim the denials weren't of the particular facts they were reporting
  • Comments from CEO Eric Schmidt do make clear that Google is open
    • To prioritizing network traffic by class of application
    • For instance voice or video
    • But never based on the end points
  • This is a compromise that has been suggested before in the debate
    • And makes a certain amount of sense in terms of how voice and video
      • Are much less tolerant of latency and slowdowns
  • I think the risk here is that even this seemingly reasonable prioritization
    • Further muddies waters that are already next to impossible to see through
  • Under the cover of application-wide discrimination or prioritization
    • Who could tell if an ISP were favoring its own services
    • Over a competitor with an offering in the same class?
  • http://www.nytimes.com/2010/08/08/opinion/08cringeley.html?_r=2
  • Cringely has probably the sanest interpretation of the story
  • Google has already brokered peerage and transit deals for YouTube
    • That practically eliminate its bandwidth costs for the video service
  • In that spirit, he suggests Google may be in talks with Verizon
    • To co-locate portions of its already widely distributed data center infrastructure
    • At favorable sites within Verizon's network
  • This isn't so different from services that use content delivery networks
    • That already have set up such distribution of their servers
    • That minimizes distance and time to end users spread around the globe
  • The end effect would be faster traffic to Google
    • But not necessarily because other services are de-prioritized
  • I am not sure why, but this doesn't bother me as much as other models
    • Probably because it is more likely Google seeking advantage and profit
    • Rather than Verizon seeking rent on top of its existing profits

(27:45) Following Up

(28:04) EFF offers help to targets of mass infringement campaign

  • http://www.eff.org/press/archives/2010/08/03
  • I've written repeatedly about this new trend
    • Of third party law firms looking to profit off of copyright infringement
  • They send masses of letters to file sharers
    • Threatening them with massive potential statutory damages
  • The goal is to get targets to settle for less than the possible damages
    • But for sums that are still large enough to generate worthwhile profits
  • One of the earliest examples is the US Copyright Group
    • But the practice has expanded from music, which they target
    • To newspapers, with the Righthaven story I discussed a while back
  • That firm buys the copyright to news stories
    • Then pursues a similar strategy against aggregation sites
    • That post all or most of the stories in question
  • The EFF has put together a page for targets specifically of USCG
  • It includes a list of attorneys and an FAQ
  • This new strategy relies on fear, uncertainty and doubt
  • Putting forward good information is one way to combat it
  • As the post at EFF points out, one non-commercial download
    • Is very unlikely to trigger the maximum $150K damage award
  • Many people undoubtedly don't know that so see an offer of settlement
    • As a pretty good deal compared to what USCG is threatening
  • The EFF has also filed briefs in the suits USCG has leveled
    • In order to get ISP information in the first place
  • They've tried to pursue a single John Doe case against 14K individuals
    • To get their identities and hence be able to send demand letters
  • I am glad the EFF is working against this horrid practice
  • You can help by both arming yourself with information
    • And by donating to support the efforts of the EFF

(29:52) FCC ends closed door negotiations over net neutrality

  • http://voices.washingtonpost.com/posttech/2010/08/fcc_stops_closed-door_internet.html?wprss=posttech
  • For some of the work around the FCC's approach to network neutrality
    • It acted well to include comment from all, private companies and the public alike
  • Once the plan to compromise by partially re-classifying telcos as common carriers was announced
    • News started circulating of closed discussions between the commission
      • And some companies, from both the telecoms and technology industries
  • Understandably, public interest groups cried foul
  • Any compromise hammered out between these parties
    • Would be less likely to take into account consumer rights
  • Around the time the discussion of a negotiation between Google and Verizon was happening
    • The FCC announced it would stop the closed door meetings
  • According to Cecilia Kang at the Washington Post
    • This move was not in response to the massive criticisms of the practice
  • Rather, the meetings are stopping because they failed to accomplish anything
  • It would have been better if the FCC was responsive to criticism
  • Concerns over network neutrality are at least partially based on
    • Both regulatory capture and market failure
  • Turning over the discussion to those parties most likely to game or abuse the system
    • Shows a profound ignorance of or lack of regard for how poorly the market has done
      • In preserving the public's interest in our shared communications infrastructure
  • In short, there is no evidence that the FCC won't try such an ill advised move again

(31:33) Outro
