More on Diebold voting machine insecurity

Ed Felten announces the release of his paper and an accompanying video about major security issues with Diebold AccuVote-TS voting machines.

September 13, 2006 · 1 min

Tech Liberation Front brings on a Discovery Institute representative

The Technology Liberation Front is a blog I’ve been reading for a few months for its quality contributions on issues involving technology, regulation, copyright, digital rights management (DRM), network neutrality, and so on. It covers a lot of the same topics as Ed Felten’s excellent Freedom-to-Tinker blog, with a strong libertarian bent. What a disappointment it was to see that the newest contributor, Hance Haney, comes from the Technology & Democracy Project at the Discovery Institute. While Haney is in Washington D.C. and is not affiliated with the intelligent design wing (the Center for Science and Culture), crackpot George Gilder is a senior fellow of the TDP. I commented to this effect at the Technology Liberation Front, which prompted a response from Lewis Baumstark:

As I have no previous knowledge of Hance or the Discovery Institute, I prefer to allow him to live or die here on the merits of his debate and analysis, not on his link to a pro-ID institution.

Lewis should remedy his ignorance of the Discovery Institute before coming to a conclusion about whether such an association taints Hance’s reputation and credibility–surely he would not have said the same if Hance was a representative of the (in some ways more honest) Institute for Creation Research or International Flat Earth Society. As readers of this blog know well, the Discovery Institute has a long history of dishonest and deceptive public statements and attempts to influence public opinion, public policy, and educational standards. Do a Google search for “Discovery Institute site:lippard.blogspot.com” or “Dembski site:lippard.blogspot.com” for numerous examples at this blog; many more can be found at scienceblogs.com (especially Dispatches from the Culture Wars and Pharyngula) or The Panda’s Thumb.

Jim Harper of TLF responded to Lewis’s comment by writing “And the winner is . . . Lewis Baumstark! Curious. Courteous. Way to go, Lewis!” How odd that he would declare Lewis the “winner” when Lewis claimed ignorance of the Discovery Institute, or call him “curious” when his comment betrayed no interest in rectifying that ignorance. “Courteous,” I’ll grant. I agree with the comment at TLF from Cog (of the Abstract Factory blog): ...

August 26, 2006 · 5 min

AT&T sues data brokers selling phone call records

AT&T has filed a lawsuit against 25 unnamed data brokers for using “pretexting” to obtain customer call data records. These data brokers would pose as the legitimate customers in order to obtain billing records for third parties for a fee. Data brokers selling this data over the Internet got some negative public attention last summer and in January of this year, but Congress has not made pretexting illegal for phone records the way it is for financial records. It came out in June of this year that law enforcement and federal agencies were active customers of these data brokers, using them to obtain data without having to go through the process of getting warrants. The Electronic Privacy Information Center already filed an FTC complaint against one data broker, Bestpeoplesearch.com. ...

August 23, 2006 · 1 min

Is it worth shutting down botnet controllers?

Gadi Evron has now suggested, following Paul Vixie, that it’s a waste of time to fight botnets by shutting down botnet controllers. Here’s what I wrote to some colleagues when I read Vixie’s statement that stomping out botnets is not only a waste of time, but counter-productive because it causes botherders to change their behavior and find new malicious techniques:

1. If you don’t stomp them they are still going to develop new ways of doing things as a result of internal competition. It may happen more slowly, but it will still happen. There’s no getting around an arms race. Even taking his analogy seriously, he wouldn’t recommend that we stop using antibiotics.

2. Waiting on law enforcement to start effectively prosecuting will take a long time, and I don’t think I’ll be happy with what it will take for them to do it (I’m already unhappy with the new CALEA draft bill that’s circulating). Criminal prosecution will likely never target more than a minority of offenders–mostly the high-profile cases.

3. Taking action raises their costs, which applies more broadly the same economic effect as prosecution does in a narrower and stronger manner. Again, if we take the antibiotic analogy seriously, a diversity of approaches is better than relying on a single approach.

4. Our experience seems to indicate a drop in botnet controller activity when we hit them consistently. If the bulk of miscreants follow the path of least resistance, putting up a fight will tend to push them to environs where people aren’t putting up a fight.

Shutting down botnet controllers does have positive effects–and it’s much quicker and reliable than law enforcement prosecution. I think a diversity of defensive actions is important, and we need to continue developing more of them–as I said above, it is a continuing arms race. Richard Bejtlich has also commented on this subject at his TaoSecurity blog, and there’s some good discussion in the comments.

David Bianco has offered a suggestion at the InfoSecPotpourri blog. Bianco’s suggestion is to modify the botnet C&C traffic, which in order to be most effective would have to occur at either large consumer ISPs (where 99+% of the bots are located) or at a small number of high-volume, low-cost webhosting companies (where 75+% of the botnet controllers are located). There are a number of approaches that are being developed, which I won’t describe in any detail here, but I agree that new approaches need to go more strongly after the bots themselves rather than just the botnet controllers. Those approaches need to use Netflow, and they need to use DNS. We also need to provide incentives for consumers with old, unpatched, vulnerable systems to protect themselves and to be protected by their ISPs–that’s where the biggest bang for the buck will occur.

August 18, 2006 · 3 min

Nick Carr's bogus criticism of the blogosphere

Nick Carr writes of the blogosphere:

What we tell ourselves about the blogosphere - that it’s open and democratic and egalitarian, that it stands in contrast and in opposition to the controlled and controlling mass media - is an innocent fraud.

What’s the fraud? Carr claims that the top-ranked blogs have established a hierarchy of control over the entire blogosphere:

The best way, by far, to get a link from an A List blogger is to provide a link to the A List blogger. As the blogosphere has become more rigidly hierarchical, not by design but as a natural consequence of hyperlinking patterns, filtering algorithms, aggregation engines, and subscription and syndication technologies, not to mention human nature, it has turned into a grand system of patronage operated - with the best of intentions, mind you - by a tiny, self-perpetuating elite.

But Carr is not only ignoring the facts of a comparison between the blogosphere and the mass media (the point of his initial comparison), he’s ignoring mobility of rank and the specifics of the audiences of lower-ranked blogs. I’ve seen my blog get visits from all sorts of interesting places, by people I would not ordinarily be able to speak to. John Koetsier at bizhack (who I’ve only come across because of this topic) says it very well when he points out the role of luck in getting a mass audience: ...

August 17, 2006 · 7 min

Time fountain

Here’s a gadget Harold Edgerton would have appreciated–Nate True built a little device that pumps dyed water through a tube, drops at a time, with strobe lights that illuminate individual drops as they fall. You can adjust the frequency of the strobe lights so that the drops appear to change in speed, freeze in place, or move backwards. He calls it a “time fountain.”

August 11, 2006 · 1 min

AOL user identified by searches, plans to cancel account

The AOL user identified as 4417749 in the recently released three months of AOL search data has been found by the New York Times. She’s Thelma Arnold, a 62-year-old widow in Georgia who has often done searches about medical conditions for her friends, as well as about such things as how to deal with her dog’s urination problem. The article includes a photo of her diaper-wearing dog, Dudley. The article points out both how the search results can be used to identify the real-world user as well as how they can be misleading. She says at the end of the article that she plans to cancel her account.

August 10, 2006 · 1 min

AOL releases user search data, tied to individual users

AOL has published logs showing web activity data for 650,000 users–it’s 20 million searches in about 800MB. Although the AOL screen names were converted to random numbers, the numbers are consistent across an individual user’s activity and in many cases are no doubt sufficient to identify the individual based on ego surfing and other activity. As Tech Crunch points out:

The most serious problem is the fact that many people often search on their own name, or those of their friends and family, to see what information is available about them on the net. Combine these ego searches with porn queries and you have a serious embarrassment. Combine them with “buy ecstasy” and you have evidence of a crime. Combine it with an address, social security number, etc., and you have an identity theft waiting to happen. The possibilities are endless.

The Paradigm Shift blog notes an instance of an AOL user who appears to be plotting to kill his wife (though there are, of course, possible innocent explanations). Commenters note that over 100 users used search terms which included references to child porn. There is no doubt that this will be used to argue for greater release of data to the government with fewer safeguards against misuse; commenters have already made the claim that “if you don’t do anything wrong, then you have nothing to be afraid of - even if people can view your search history.” Commenter Robert follows up with a good response:

Do you ever search for your SSN#, phone number and/or name on line to see if it was posted without your consent? Do you ever worry your day care provider might be a child molester so you search for child molestation and the caretaker’s name or their business name? Do you ever want to find ways to explain sex to your teenage daughter? Gee I wonder what those search terms might look like? Are you famous? Imagine if you type in the name of a restaurant you want to go to and the word paparazzi to see if they are known to hang there. Let’s hope they do not see that? Oh, do you have a rare disease or maybe you are pregnant and are looking for a clinic in your area so you type in your zip code? In a rural area that might leave oh 1-30 people it could be? Oh, maybe you think your son is gay? I wonder what you would search for then? Do you have any fetishes or other unusual hobby that might be embarrassing for people to know about but is not illegal? Remember that rural issue again? Getting it yet, because I could go on and on. This is a personal invasion at its most basic level. Not only does it expose personal details of people’s lives, but it is open to wild misinterpretations. Take the wife killing search. Has anyone thought they were simply looking for news they had heard of on the topic, looking for a good book they had heard about with that topic whose title they could not remember, were a wife worried their husband was thinking about this, or maybe that it was exactly what they were looking for but it was only a private fantasy that let them cool off one day after an angry argument? Without context any term can seem scandalous or even criminal. Finally, there is the greater issue. When you start taking away more and more privacy, each time you chip away at the greater fundamental concept that you deserve this right at all.

Releasing this data to the general public was sheer idiocy on AOL’s part (and apparently a mistake), and demonstrates that an AOL account is not a good idea even when it’s free. The data has been downloaded hundreds of times and is now being redistributed on other websites.

UPDATE August 8, 2006: AOL has admitted and apologized for its mistake. News.com has an article which gives some more examples of the kind of information that can be gleaned from the search records. ...

August 7, 2006 · 4 min

VoIP quality degradation shows need for prioritization

A study by Brix Networks, which runs TestYourVoip.com, shows that the quality of VoIP calls has degraded over the last 18 months. Their tests of VoIP connections show that 20 percent of calls have unacceptable quality, up from 15 percent 18 months ago. Brix’s CTO says that the cause is competition for network resources–i.e., congestion. The solution is, of course, prioritization–putting voice and other latency- and jitter-sensitive traffic in a higher class of service with QoS (quality of service). Thanks to Matt Sherman for the link. Further comments on the subject may be found at Richard Bennett’s Original Blog and by James Gattuso at the Technology Liberation Front.

July 27, 2006 · 1 min

Visual representation of global data

This is a very interesting presentation at Google by the folks at Gapminder, a Swedish nonprofit that is trying to provide better, visual ways of representing information about the state of the world. These are the same people who put together this set of excellent animated interactive presentations on human development trends (income levels, life expectancy, etc.) for the United Nations Development Program. (Via Patri Friedman at Catallarchy.)

Historical Comments

Einzige (2006-12-09): Fascinating! ...

July 21, 2006 · 1 min