July 31, 2003

Medical care and McDonalds

In his reply to me, Chris Rangel writes
Creative and open scheduling plans can only do so much to alleviate the problem. There are too many uncertainties in the practice of medicine to deliver regular service on the order of a MacDonalds.

Actually, I think the parallels are closer than Rangel thinks. If you've ever been to a McDonalds, you'll notice that there are times when the line is out the door and times when there are people standing around waiting. This is happening for the same reason that patients wait for a long time for doctors: there's a lot of variance in the offered load and so it's hard to get just enough staffing to serve the load. McDonalds could certainly have enough staff to make sure that noone ever waited, but if they did so those people would mostly be idle and it would cost a lot. Instead, they compromise and have busy times and idle times.

I don't actually think that the load variance is that different between doctors and McDonalds. The transaction time at McDonalds is probably more constant but the number of customers varies wildly (although probably rather more periodically than with patients). However, I suspect the real difference is that McDonalds has decided to set their staffing level comparatively higher and accept more idleness in return for faster customer service. This probably has something to do with the fact that if you get tired of waiting at McDonalds, you can always just hop over to In and Out. Changing doctors isn't quite so easy.

Posted by ekr at 10:56 PM | Comments (11) | TrackBack

More on doctor scheduling

Chris Rangel replies to my response to him on suing your doctor for being late.
The problem is that there is a disconnect in the mind of the public at large and with many patients that the business of health care should be like any other business with regard to exact scheduling and service. But with so many demands on the physician's time and the uncertainties inherent in health care this just simply cannot be like a trip to McDonald's. Add this to the fact that many physicians are under pressure to schedule as many patients as possible to make up for falling insurance reimbursement rates and you have the potential for some significant delays.

Every patient seen by a physician has the potential to become much more than a routine 15 minute office visit. Let's say that a patient is scheduled to see his physician for a short and routine follow up visit. The patient tells the physician that he had some severe chest pain the morning of the visit. The physician orders an EKG in the office and it turns out that the patient is in the middle of having an acute myocardial infarction. Shortly after the EKG the patient suffers more severe chest pain and his blood pressure falls dangerously low. 911 is called and the physician and office staff are engaged in starting IVs, administering medication and trying to stabilize the patient prior to being transported to the ER. A "routine" visit turns into a hour long emergency and the entire schedule must be pushed back.

There's an important point here. The more uncertainty there is about how longer each visit will take the harder it is to get efficient scheduling. If the variance is very wide then someone's time will get wasted. However, that time still doesn't have to be the patient's time. For instance, if 99% of visits take <60 min, then scheduling on 60 minute intervals will minimize patient waiting time (while maximizing doctor waiting time).

Let's take Rangel's example. Assume (as a simplifying assumption) that all visits are 15 minutes, except for 1 out of 25, which is an emergency and requires an hour. This gives us a mean treatment time of 16.8 minutes. If the doctor schedules appointments on 20 minute intervals, then he'll have 24 appointments a day. On average, he'll have 1 emergency a day. Just for convenience, assume that his first patient, at 8:00 is an emergency. This gives us the following timeline:

Patient # Scheduled Time Seen Time

So, the doctor's schedule is back on track by 11:00 and there's no time when it was more than 40 minutes out of whack. Now, it's of course possible that there will be another emergency, but only 1/625 days will have two emergencies and even then the maximum patient waiting time will only be 80 minutes (if the two emergencies are consecutive).

The point here is that while high variance in treatment time means that there will be a lot of waiting, there's no requirement that that waiting be imposed on the patient. The reason that patients wait a lot is that doctors have decided that they'd rather have patients wait than be idle. (In the schedule above, the doctor would have been idle about 120 minutes in any day when there are no emergencies). That's a perfectly rational response to incentives, but it's not inevitable that things be that way. If doctors were heavily incentivized not to make patients wait, this would of course reduce waiting times (while probably driving up medical fees).

Posted by ekr at 10:47 PM | Comments (10) | TrackBack

I'm sorry I'm late, please don't sue!

Chris Rangel comments on the case of Aristotelis Belavilas. Belavilis just won $250 in small claims court after his doctor was four hours late for their appointment. Rangel writes:
Actually the physician's "excuse" that he was very busy at four other offices that day is not a "cheap" excuse. It's a problem that everyone in the medical profession faces. I don't know the specifics but maybe this physician had other procedures that ended up taking longer than expected further pushing back his schedule. Maybe there was an emergency or two that the physician had to take care of and patients with chronic pain get lower priority in the schedule. Maybe the physician was covering for partners or other physicians who were on vacation and so his case load was doubled. Then again maybe this physician is just plain greedy and schedules too many patients than he should per day?

This is actually a generic problem in customer service situations. There is always some unpredictability in how long things are going to take and that leads to conflicts as to whose time is important. Knowing how many patients a doctor "should" schedule is quite tricky.

This is probably easiest to understand by looking at a simplified model. Let's say that there are two kinds of patient visits: Long and Short. Long visits take 40 minutes. Short visits take 20 minutes. On average, 80% of visits are Short and 20% are long. So, the average treatment time is 24 minutes.

How should he schedule the appointments? The obvious answer to this question is that he should schedule them every 24 minutes. But consider that that if the first two patients are Long (probability=.04), then the third patient will be waiting for 32 minutes, which will no doubt make him grumpy. On the other hand, if the first two patients are Short (probability .64) then he's 8 minutes early for the third patient [0] and has to wait for him.

Thus, there's a tradeoff between doctor and patient waiting time. There's not really any right "should" value. The doctor can minimize patient waiting time but only by increasing his own. His incentives are to do the opposite: make patients wait. It's true that that's "greedy", but that's the kind of greedy behavior I expect pretty much everyone to engage in. On the other hand, as a patient I want to incentivize my doctor for valuing my time. I'm not sure that lawsuits are the best way to do it, though. That likely creates too strong an incentive pressure to underbook. Maybe doctors could offer "service in an hour or your money back" guarantees like tire installers do...

[0] We're assuming that the patients don't arrive early. If the patients arrive early then you can just think of this as their appointments being earlier, so it doesn't really effect waiting time.

Posted by ekr at 08:55 AM | Comments (10) | TrackBack

A better laptop

Recently, my long-suffering Sony Vaio went down for what, if not the count, is at least a standing 8 count. While in the Toronto airport I managed to knock out the power plug, thus cracking the power jack in the laptop. A laptop which can't be charged isn't exactly that useful and since my laptop has sustained quite a bit of damage over the past couple of years, I started thinking that maybe it was time to replace it.

So, I'm in the market for something new. When I bought my Vaio back in 1998 it was pretty much uniquely better than any other laptop on the market: small, light, relatively fast. Laptops had already been on a downward weight trend but Sony's big idea was to strip pretty much everything out of the laptop and put it in external devices, thus reducing weight down to 3 lbs.

You'd think that in 5 years things would have gotten better. As you'd expect from Moore's law, laptops have gotten faster and a bit lighter, but basically it's a wilderness of Vaio clones out there. In fact, when I first started shopping the available machines were so unattractive that I got a lot more interested in saving my Vaio--the leading option being considered is to cannibalize another Vaio's power connector.

Three companies are showing some creativity:

  • Sharp's Actius MM10 is going for the massively portable market. It's got about the same power as my Vaio but is 2.1 lbs and half an inch thick. Not a bad choice, actually, but I want something a little more powerful. Surprising, really, since until I saw this machine, I really thought that I wanted the lightest thing on the market, but the Sharp just doesn't excite me.
  • Sony's TR1A went the other direction. It's 3.1 lbs but they put the CD drive back in. A pretty nice machine, actually, but the screen is pretty tiny and I don't like the funny aspect ratio.
  • Panasonic's Toughbook W2 keeps the Vaio form factor but cleverly sticks a CD drive right under the keyboard. It weighs in at 2.8 lbs.

The Sharp is clever and the Sony is cute, but for my money at least the dominant option is pretty clearly the Panasonic. It's lighter than the Sony and I like the form factor better. Moreover, it's engineered to be especially durable--including a shock mounted hard drive. The remaining problem is to get my hands on one so that I can test FreeBSD before forking over my $2k. (I already discovered that FreeBSD doesn't boot on the TR1A, so I don't want to take any chances).

One thing I do wonder: why aren't Panasonic's machines being marketed better? The W2 really vastly better than all the commodity laptops out there. So why haven't I ever heard of it? And for that matter, why is it called "Toughbook W2" and not "Best laptop ever"?

Posted by ekr at 07:20 AM | Comments (14) | TrackBack

July 30, 2003

Is it too easy to get a rape conviction or not?

I'm pretty confused by Dahlia Lithwick's article in Slate on rape law. Early in the article she says:
The answer has little to do with this specific case and everything to do with our national hysteria over rape law--a hysteria that rape accusations are now easier than ever to make and easier than ever to prove, that rape convictions can now be based on the barest assertions, that punishment for rape is harsher than for anything save murder.

But towards the end:

Ironically, empirical evidence shows that all these reforms have not significantly increased the incidences of reporting, prosecution, or conviction for rape.

Have I missed something here? If it's easier than ever to make a rape accusation and get a conviction, then why aren't rates of accusations and convictions going up? I suppose it's possible that overall rates of rape are going down in parallel, so while it's getting easier to prosecute the total number is going down, keeping the reporting and conviction rate constant, but that should be easy to disentangle with enough measurements.

A little research confuses me even further. The rape victimization rate has steadily declined from 1972 to 2000, much faster than say assault or murder. By contrast, the number of reported rapes is way up from 1973 (though roughly constant between 1980 and 2001.) Since the victimization rate is declining and the number of reports is going up, it certainly appears that the reporting rate is going up as well. (There's some inconclusive evidence of that here. Similarly, I'm not sure why Lithwick claims that conviction rates haven't gone up. In the US, at least, the rate of convictions went from about 100/1000 to 180/1000 between 1981 and 1995.

I'd be interested in the data that Lithwick is using to say that there's no significant change. If anyone is familiar with the literature on this topic, I'd love to hear about it.

Posted by ekr at 10:01 PM | Comments (22) | TrackBack

Risk management and HIV

Just read this article (via Medpundit) about how the rate of new AIDS cases seems to be going up again, particularly among gay men:
"Our biggest concern is what appears to be a resurgent epidemic in gay men," said Harold Jaffe, director of the CDC's National Center for HIV, STD and TB Prevention.

In fact, data from 25 states show the number of new HIV diagnoses among gay and bisexual men increased 7.1 percent from 2001 to 2002, marking the third consecutive year that infections have risen in that high-risk group. HIV diagnoses among gay and bisexual men have increased by 17.7 percent since they hit an all-time low in 1999.

"I don't think there is any one explanation," Jaffe said in a telephone interview. "Some of it may be related to treatment optimism: 'So what if you get infected? You can get treated.' Some of it may be related to the belief that if you are in treatment you may not transmit the virus. Some may be epidemic fatigue -- being tired of hearing about it."

"I think the most compelling reason is that people aren't scared any more. If you were a gay man in the 1980s you were scared. You had a lot of friends who were sick and dying. If you are a gay man today you don't have a lot of sick peers," Jaffe said.

This, of course, is exactly what you would expect. When AIDS was basically a death sentence, people were naturally relatively careful not to get it. Now that you have a reasonable chance of surviving--albeit with a really unpleasant treatment regime--people are being less careful and the case rate is going up. I'm not sure that we should find this disturbing or of concern. If AIDS is less bad, it's perfectly rational for people to want to take more risk. Remember, the major objective is to stop peeople from suffering and dying from HIV, not to bring the case rate down to zero. Of course, it would be nice to have the AIDS rate be zero, just as it would be nice to have the flu rate be zero, but that's not the first priority.

Of course, if it turns out that people are misestimating the risk and AIDS isn't actually manageable, then we would want to educate them about the risk. However, I don't know of any evidence that that's the case, at least in this country.

Posted by ekr at 05:04 PM | Comments (92) | TrackBack

Back on the backup wagon

Backups are important. If you work with computers, you will eventually delete some file you really need or have a hard drive crash. At that point you'll either
  • Be really glad you ran backups.
  • Be really unhappy that you didn't.

Ideally you want to run backups every day. Of course, this doesn't guaranteee that you'll never lose data, but it keeps the scope of the loss down under control, since if all goes well you won't lose more than a day's worth of work. The problem, of course, is that you have to remember. Most people's remembering isn't very good.

The fix, of course, is to use an automated backup system. I use one called Amanda. backs up to magnetic tape (I use 8mm exabyte tape). The problem is that you need to change the tape every day. [0] I'm not very good about that. If you don't change the tape, Amanda will use a "holding disk" to store the backups. This protects you well from mistakes but not so well from crashes. And, of course eventually the disk fills up so eventually you want to flush it to tape.

Last night I noticed that I hadn't flushed the holding disk in a long long time. We're talking 5 months here. The disk had long since filled up and so no backups were being done. So, today is being spent flushing the disk to tape. After that, it will take a couple of days for Amanda to get all my disks copied onto tape and we'll be back in business.

Of course, this whole thing is just tempting fate. Murphy's tells us that now would be a perfect time for me to make some catastrophic mistake that would destroy all my data, so I have to be ultra-careful over the next few days until things settle down. If I escape this little incident without any damage I'll consider myself lucky.

[0] You might wonder why you need a new tape every day. The answer is that the Amanda people consider it good backup hygiene. Tapes fail too and this limits your damage. So, Amanda basically only works that way. You can cheat a little bit by intentionally spooling to backup disk and then dumping to tape, but then you get out of the tape changing habit and oops...

Update 13:19:
Old backups now dumped to tape. Running new backups. If things are going to fail, now would be the time prescribed by Murphy's Law.

Posted by ekr at 11:34 AM | Comments (61) | TrackBack

More on Black Ice

In case you were wondering what Gatorade Black Ice looks like, here is a picture of it in all its dark icy glory.
Posted by ekr at 10:07 AM | Comments (25) | TrackBack

July 29, 2003

The Mac killed my inner child

I guess this is old but I'd never seen it before. If you haven't seen this hilarious rant about the Macintosh you should go view it now. The popup dock drives me crazy, just like it does this guy.
Posted by ekr at 10:39 PM | Comments (15) | TrackBack

Is it terrorism if you're bluffing?

Dan Simon responds to me and Mark A. R. Kleiman about this whole issue of the U.S. Military capturing an Iraqi general by detaining his family and leaving a note demanding his surrender. Dan's argument seems to be, that "we were bluffing so it's ok":
They all seem to be missing a key element of the report, though. In fact, the colonel in command justified the action as "an intelligence operation with detainees," and explained that the fugitive's family "would have been released in due course," regardless. In other words, he asserts that the threatening note was nothing but a bluff, to get the Iraqi general's imagination working overtime.

It's possible, of course, that the colonel was just covering his posterior, and really had, in effect, taken the Iraqi family hostage--or has at least ventured out on a slippery slope that will inevitably end in his (or another commander's) doing so. (After all, such bluffs are only effective until the first time one of them is called, and there will be an inevitable temptation at that point to "up the ante".) But while I understand the concerns of Kleiman et al., I'd personally be much more careful about jumping to conclusions before blithely asserting that a war crime had just taken place.

I don't find this analysis that convincing. It seems to me that there are two major claims being made:

  1. The detention of the general's family was inherently legitimate on intelligence grounds.
  2. The American commander was bluffing (or a least says he is) and that makes it ok.

For the moment, let's stipulate point (1) and assume that the colonel was in fact bluffing. Does that make this acceptable? Suppose that I hijack a plane waving a pistol which I happen to know that I won't actually fire at anyone. It seems to me that most people would call this terrorism anyway. Similarly, if we threatened the Iraqi general's family, whether or not we intended to carry it out, that seems to me to be reprehensible. [0]

It's also worth considering the question of whether we were bluffing. I suppose that depends on what you think the threat was. If it was torture or murder, I'm willing to stipulate that we wouldn't have done that. On the other hand, I'm quite willing to believe that we would have detained his family more or less indefinitely. The colonel Dan cite says "in due course" but that could be anything. Certainly, we held material witnesses inside the US for months at a time, so I would think that due course could easily extend that long. That seems like a pretty serious kind of threat in and of itself.

[0] One could argue, of course, that we weren't actually threatening his family, since we didn't actually say we would harm them or hold them indefinitely, but that strikes me as a pretty disingenuous argument and Dan doesn't make it.

Posted by ekr at 09:14 AM | Comments (58) | TrackBack

Nuclear disarmament?

I came back from dinner last night to find a flyer in my door from California Peace Action for Hands Around the Lab. People who leave flyers in my door automatically become potential targets for ridicule here on EG and these guys are no exception. Check this out:
We believe in a future where wealthy countries no longer profit from the suffering of others through an obscene arms trade. We believe in a future free from the constant threat of nuclear annihilation. We believe in a future where we no longer squander billions of dollars every year on unnecessary and menacing weapons. Our vision is not built on wishful thinking.

Sure sounds like wishful thinking to me. As a statement of a sophisticated view of the world this is about one step up from "war is not healthy for children and other living things". I would think that if the past 20 years had proven anything about this topic it was that the strategic logic of nuclear weapons pretty inevitably leads to more rather than less proliferation. Maybe I'm just not a creative thinker, but I can't see any even vaguely realistic scenario in which there aren't nuclear weapons. The whole point of nukes is that they give you a really dominant position over your non-nuclear adversaries. Thus, even if one somehow had a disarmament agreement the temptation to defect and hold out a few weapons and some plutonium is enormous.

I'd be a lot more well-disposed towards these guys if their position didn't seem so naive.

Posted by ekr at 07:49 AM | Comments (14) | TrackBack

July 28, 2003

Now we're taking hostages?

Mark A. R. Kleiman points to this Washington Post article describing some of the new tactics that we're using in Iraq. Here's the key paragraph:
Col. David Hogg, commander of the 2nd Brigade of the 4th Infantry Division, said tougher methods are being used to gather the intelligence. On Wednesday night, he said, his troops picked up the wife and daughter of an Iraqi lieutenant general. They left a note: "If you want your family released, turn yourself in." Such tactics are justified, he said, because, "It's an intelligence operation with detainees, and these people have info." They would have been released in due course, he added later.

The tactic worked. On Friday, Hogg said, the lieutenant general appeared at the front gate of the U.S. base and surrendered.

Isn't making war on women and children pretty much the definition of terrorism? I guess you could argue that we're not actually making war on them. We're just, detaining them, you know, for their protection. Until their families do what we want. Unspeakable.

Posted by ekr at 07:11 PM | Comments (20) | TrackBack

Pollan on economics

I just complained about Michael Pollan's sloppy biological thinking. His economics isn't much better. Talking about potato growing, he writes:
Leaving aside the health and environmental costs, the economic cost of all this control is daunting. A potato farmer in Idaho spends roughly $1,950 an acre (mainly on chemicals, electricity, and water) to grow a crop that in a good year will earn him maybe $2,000. That's how much a french fry processor will pay for the twenty tons of potatoes a single Idaho acre can yield.

Huh? First, why should it be surprising that profit margins are thin? Potatoes are a commodity and one of the first lessons of Microeconomics is that the price of commodities falls until it's at the marginal cost of production. If it only cost $950 an acre to grow potatoes, you can bet that the price would drop to around $1000 (modulo farm subsidies)--and consumers would be better off for it.

Moreover, is the price really "daunting"? Let's do the math. $2,000/20 tons is $100/ton or $.05/lb. A large potato weighs a little less than a pound and has approximately 250 calories. Thus, 8 large potatoes (wholesale cost $.40) can provide your entire caloric intake for a day. I wouldn't call that price "daunting". In fact, I'd call it "insanely cheap".

Just to put these numbers in perspective, realize that when you buy your potatoes at the supermarket, you pay something like $.19/lb. In other words, the vast majority of the cost of the potato to a consumer is markup after production, not the cost of production itself. For reference, the federal minimum wage is $5.15/hr, so you could pay for your entire daily caloric intake with potatoes in 18 minutes of work.

Posted by ekr at 01:08 PM | Comments (16) | TrackBack

Evolution, plants, and science writing

Finished reading The Botany of Desire the other day. There are some good bits in it but I can't recommend it wholeheartedly. Frankly, I was really hoping for more biology and less meditation on the "meaning of it all". Passages like
Looked at from this angle, planting seeds instead of clones was an extraordinary act of faith in the American land, a vote in favor of the new and unpredictable as against the familiar and European. In this Chapman was making the pioneers' classic wager, betting on the fresh possibilities that might grow from seeds planted in the redemptive American ground.
really drive me up the wall.

Pollan seems to be unable to admit that evolution just is. He keeps wanting to anthropomorphize it:

Yet for reasons we don't completely understand, distinct species do exist in nature, and they exhibit a certain genetic integrity--sex between them, when it does occur, doesn't produce fertile offspring. Nature presumably has some reason for erecting these walls, even if they are permeable on occasion. Perhaps, as some biologists believe, the purpose of keeping species spearate is to put barriers in the path of pathogens, to contain their damage so that a single germ can't wipe out life on Earth as a stroke.

What's really annoying about this kind of writing is that it represents sloppy thinking. There's a way to express the idea that Pollan is going after here in a rational way without talking about some nonexistent "Nature's plan" but Pollan would apparently rather wax rhapsodic than actually do some intellectual work or make his readers think. Contrast this to someone like Dawkins, who'd rather you understand, even if that means you have to think a bit. Whenever I write about scientific or technical topics, I try to be more like Dawkins and less like Pollan.

Posted by ekr at 12:52 PM | Comments (24) | TrackBack

July 27, 2003

What's with porn spam?

I just got the following spam:
Delivery-Date: Sun Jul 27 21:43:03 2003
Delivered-To: ekr@rtfm.com
From: Annnas@yahoo.com
Subject: hello...
Content-Transfer-Encoding: text/plain
Date: Mon, 28 Jul 2003 00:36:20 -0700
X-Priority: 3
X-Library: Indy 10.00.14-B
X-Mailer: eGroups Message Poster

 I'm 22 years old female and my name is Anna.  I saw your profile on the net and found to be ^^^^
 interesting.. email me back at Sharon_373_Shoppers@hotmail.com if you want to exchange pictures or whatever.. 

Hugs, later...

Now, my question is: what's the objective of this spam? I understand the ones advertising pornographic web sites. They want me to pay to check out their porn. But what's going to happen if I respond to this e-mail? "She" is going to ask for bank account? Arrange to meet me and then mug me? Any EG readers have any clues?

Posted by ekr at 09:41 PM | Comments (155) | TrackBack

Inadvertantly GPLing code?

In response to SCO IBM is claiming that SCO has freed their code for distribution by Linux (including its own copyrighted material, presumably) under the Free Software Foundation's General Public License (GPL), which is what Linux is covered under. Now, it's true that had SCO intentionally released their code under GPL they would have had that effect, but surely, if SCO didn't know that their code was in the Linux distributions they were releasing that can't have voided their rights. Any other result would create a general way to transfer people's copyrights into the GPL world by getting them to distribute some other package that secretly contained their copyrighted code. That doesn't seem right.
Posted by ekr at 08:09 PM | Comments (32) | TrackBack

SCO Insurance?

Time for me to catch up on my SCO coverage. The following InfoWorld article pretty much summarizes the state of play. SCO is basically threatening end-users with being sued for using Linux unless they pay SCO a licensing fee, which they imply will be on the order of $700 US.

"Nice computer you've got there... shame if anything was to happen to it..."

Posted by ekr at 08:06 PM | Comments (23) | TrackBack

Vote revocation

One thing that's always puzzled me about any voting system is vote revocation. Last time I voted, the poll workers didn't check my ID--they just asked for my name and address and crossed me off a list. This leaves open the following attack:
  1. Bob comes into the polling place and announces "I'm Charlie".'
  2. The poll workers cross Charlie off the list and Bob votes.
  3. Charlie comes in and says "I'm Charlie".
  4. The poll workers say "You've already voted".
  5. Charlie shows them ID proving that he is in fact Charlie and the previous voter must be an imposter.

The way I see it there are only three ways to deal with such a situation:

  1. Discard the entire election in that precinct.
  2. Allow Charlie to vote.
  3. Somehow remove Bob's vote.

All of these approaches have problems. (1) Allows easy invalidation of all the votes in a given area. That's no good since it could be used by a member of party A to invalide all the votes in a party B heavy area. (2) is a problem since it allows multiple voting. (3) is a problem since it requires that your votes aren't really secret.

I'd be interested in knowing what real-world voting systems do. I would have thought that your ID would be checked, but as I say that doesn't seem to be common practice, at least in some regions.

Posted by ekr at 07:38 PM | Comments (21) | TrackBack

Voting machine security

Like most security people, I'm very suspicious of computer-based voting. I therefore wasn't very surprised to read Kohno et. al's analysis of Diebold's electronic voting system, in which they conclude that:
Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts. We highlight several issues including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes.

Diebold has posted a "Technical Response" to the study. After reading both the paper, I consider it relatively lame. This paragraph is fairly representative:

A prior version of Diebold's touch screen software was analyzed while it was running on a device on which it was never intended to run, on an operating system for which it was not designed, and with minimal knowledge of the overall structures and processes in which the terminal software is embedded. In addition, many of the weaknesses attributed to the operating system on which the software was tested are inapplicable to the embedded operating system actually used by Diebold. As a result, many of the conclusions drawn by the researchers are inaccurate or incomplete with respect to the security of this particular element of Diebold's voting system.

In other words, "our stuff is in hardware and so it's secure". This is always a dangerous position to take. It's very hard to compensate for bad systems design with physical security. Sometimes it's necessary, but it's never desirable. However, as far as I can make out, in this instance the physical protections do not afford adequate security.

The JHU researchers found a large number of vulnerabilities, but I'd like to focus on what I think is one of the most serious ones: multiple voting. According to the article the system uses smartcards to identify voters to the voting machines. However, multiple voting is prevented by having the machine tell the card to set an "I've already voted" bit. Accordingly, if you were able to make multiple copies of a smartcard or a smartcard that ignored that signal you could vote as many times as you wanted.

Diebold's argument is essentially that the physical security measures would make it hard to make your own cards:

Similarly, unlike the personal computer on which the analysis was performed, the card reader is an integrated portion of the terminal. This prevents the signal monitoring which, it was suggested, could easily be used to capture the data needed to create a "homebrew" voting card. Further, because the actual voting booths are not the enclosed structures the researchers may be used to, it was inaccurately suggested that it would be easy to use a readily available device to capture the data without detection. The data which would be needed to create voting cards varies from election to election, so creating voting cards would be difficult without access to such captured data.

I don't find this very convincing. Basically, all that stops you making your own cards is not knowing the machine to card protocol. The JHU paper suggests a number of ways to capture the machine to card communication, which would let you reverse engineer it. Moreover, techniques for analyzing smart cards are quite advanced. With a valid card in hand, it should be possible to make new cards. Since almost all of the security of the system depends on not being able to duplicate cards, this seems like a rather weak guarantee. What's particularly disturbing is that the system didn't have to be designed this way. Double-voting could and should be prevented by the terminal, not the smart cards.

The rest of the criticisms are also pretty bad. It's true that some of them require kinds of access that are hard to obtain, but there are a number of practical sounding attacks. Certainly, based on this article, if I were asked to review a system like this for a commercial customer I would recommend against its use. Elections should be held to a higher standard, not a lower one.

It's understandable that Diebold would want to put up a smokescreen but it's depressing [0] that election officials don't seem to care:

In response to the Hopkins report, Linda H. Lamone, the state election administrator, said yesterday that Maryland's experience in the 2002 election gave her "absolute confidence" in the Diebold touch-screen system, already deployed in several counties.

She said the machines not only met state and federal standards but "passed the one certification process that matters most - an election."

This is the wrong way to look at things. One of the main problems with designing security systems is that they can work fine under normal use but fail catastrophically against an adversary. Now that it's known how to compromise these systems, they're no longer safe, no matter how well they performed before this knowledge became available.

[0] Though understandable, I guess, since they were probably the ones who approved the systems in the first place.

Posted by ekr at 07:32 PM | Comments (15) | TrackBack

Should you care about credit card validation?

In responses to my post on credit card signature requirements, a number of people expressed dismay that merchants don't check signatures. I'm not sure that's exactly the reaction you want to have.

First, let's get the facts out of the way:

  1. There's no real reason for you to care whether your credit card number is stolen, at least if you live in the US. By law, the maximum liability you can incur from credit card theft is $50. In practice, most credit card companies will not even charge you for that amount. Capitol One, for instance, advertises their "no hassle" card, where they promise that you have zero fraud liability. Now, it's true that you incur some minor burden reporting the fraudulent charges and cooperating in the investigation, but generally that's quite minimal.
  2. The way that credit card companies make money is by taking a percentage of each transaction. Those percentages vary by industry, merchant, and time depending on the fraud rate. The merchants of course pass the costs on to their customers. Therefore, it's in your interest to have a low overall fraud rate.

Frequent EG readers will recognize this as the makings of a classic Free Rider situation. While it's in my interest to have credit card fraud rates be low--and therefore to have the merchants generally act to reduct fraud rates, even if that inconveniences customers--it's also in my interest not to be inconvenienced by merchants trying to prevent my card from being fraudulently used. Of course, the same logic applies to everyone else as well.

Now, I might prefer overall that merchants check everybody than check nobody. However, it's not clear to me that writing "ASK FOR ID" on the back of your card, as many people do, has much effect on the merchant's general behavior, as opposed to just their treatment of you. If that's true, then it's probably not in your best interest to do so.

Posted by ekr at 02:54 PM | Comments (133) | TrackBack

July 26, 2003

Natural vs. synthetic food

Chris Bertram argues for a preference for "natural" food over "synthetic" or "artificial" food. Dan Simon also comments on this topic. This whole distinction strikes me as pretty bogus. With the exception of raw fruits and vegetables, nothing that we eat can rightly be called natural. Indeed, the whole history of agriculture and cooking is figuring out how to artificially make natural food taste better.

One only has to read Cookwise to get an appreciation of just how much chemistry is involved in making food do what we want. Of course, the original chemistry was discovered by trial and error, but that doesn't make it any less artificial. The only thing that's different now is that we've discovered how to control things more directly. Indeed, a simple glance through Cookwise reveals an enormous number of ingredients which are subject to major and deliberate chemical processing, including bleached flour, corn starch, and chocolate.

Indeed, it's not even really right to call raw food natural, since nearly all the plants that we currently eat are heavily selected and massively different from their "natural" counterparts. Probably the most striking example is maize. The archological maize we find in Tehuacan ca 5000 BC had cob sizes of about 2 cm. By comparison, cob sizes now are about 20 cm. All of that difference is due to human selective pressure. For a visual representation, see the following picture by John Doebley which shows teosinte, maize, and their first generation hybrid (in the middle). The ancestor of maize is probably teosinte or something like it. The middle cob resembles the archeological specimens. So, what's natural about maize?

Update 23:21:
This post originally said that Dan Simon was arguing for a preference for natural food. In the comments section, Dan Simon says otherwise. I didn't get that from his post, but obviously he's the expert on what he meant. I've modified the text accordingly.

Posted by ekr at 05:43 PM | Comments (59) | TrackBack

Armstrong! Armstrong! Armstrong!

I just woke up this morning to check the tour and realized that the live audio feed of the final Tour de France time trial was on and tuned in in time to catch the final 5 kilometers or so. Armstrong finished third place in the stage and put another 11 seconds on Ullrich. This puts him over a minute ahead of Ullrich, which is enough to make the final stage to Paris just a parade.

Assuming nothing goes wrong tomorrow, Lance will be only the second man in history to win the tour 5 times in a row. (The first was Indurain).

I'm also incredibly impressed by Tyler Hamilton. He's got a broken collarbone. That's supposedly incredibly painful, and yet he's riding through it. Unbelievable.

Posted by ekr at 08:21 AM | Comments (37) | TrackBack

July 25, 2003

Are signatures no longer required for credit cards?

Twice in the past week I've run credit card transactions and been told by the merchant that I didn't need to sign the slip. Is this some new relaxation of the issuer rules? Since the two mechants were Quizmos and Jamba Juice, I'm thinking it was policy, not just some local initiative.
Posted by ekr at 12:55 PM | Comments (62) | TrackBack

Those suspicious shoes

Flew back in from Honolulu yesterday. Once again at the security checkpoint I declined to remove my shoes and once again they insisted on performing the secondary screening, even though I didn't set off the detectors. When I asked why, the first-line TSA guy called over his supervisor who made it quite clear that their policy was to screen anyone who didn't take off their shoes. I told him that this wasn't TSA policy, that I'd checked the Web site, etc., but he was intransingent. When I asked to speak to his supervisor, he said there wasn't anyone (which I find implausible) and then called over one of the armed local cops/security guys to "explain" things to me. At this point, I decided to comply, since I'd had quite enough of Hawaii.

So, one of three things is happening:

  1. Central policy hasn't propagated to individual airports.
  2. Individual airports are adopting more stringent policies despite seeing the central policy.
  3. Official TSA policy is that you don't have to take your shoes off but the unofficial (but still centrally imposed) policy is that everyone who doesn't take their shoes off gets screened. The official policy is for PR.

My plan at this point is to write to TSA. What I'm hoping to get from them is a letter from them explaining their policy which I can show airport checkpoint workers. As you can imagine I'd find this quite satisfying. I've also got the name of the TSA supervisor who I dealt with and if he happens to get in trouble (which I think pretty unlikely) I'm not going to cry either.

Posted by ekr at 07:11 AM | Comments (35) | TrackBack

July 24, 2003

The effectiveness of security checkpoints

As I mentioned in my post about United Airlines, I meant to check my bag but missed the baggage check window on my flight to Hawaii. Instead, I had to take it through security. Only later did I realize that it had my Leatherman Wave in it. So much for the X-ray machine.
Posted by ekr at 12:00 PM | Comments (56) | TrackBack

Where do you publish your papers?

Crooked Timber has an interesting discussion discussing the nature of academic publishing in various fields. It's lately struck me that there's something very funny about the way computer and information security (infosec) works (I'm not really familiar enough with other parts of computer science to say what they're like.)

Unlike most fields, almost all of the prestige publishing infosec is almost entirely at conferences. In security, the prestige venues are:

People do publish in journals, of course, but those publications are often expansions of conference papers or papers which didn't get accepted at any of the prestige conferences. This dependence on venues where people have to physically present seems extremely strange in a field which is fundamentally dependent on networking and where essentially all papers are published electronically. Moreover, papers are very often pre-published on the Internet months before the conference at which they "appear".

So, what's going on here? One possibility is that the information being presented can only be conveyed in person. I don't think this is correct. In my experience, this sort of material isn't very hard to understand from the papers and the talks at the conferences aren't really that much more informative than the paper.

I favor a different theory: It's precisely because Internet publication was so easy for CS types that conferences are more important than journals. Publication in journals and the network serves two purposes: dissemination of ideas and signalling that the work is important. However, if publication on the network is easy, then there is no need to publish in order to disseminate your work. Instead, publication serves purely as a signal that your work is worthwhile. Thus, the more selective the venue the more useful it being accepted is as a signal.

Journals generally publish once a month or at least once a quarter, whereas conferences meet once a year. Because there are fewer conference slots, they are inherently more selective and thus more attractive--which of course makes them get even more submissions and therefore more even more selective and attractive.

Some questions to test this theory:

  • Is all of CS like this or is it just security?
  • Are there other fields which publish mainly in conferences? Do they have a tradition of electronic publication?
  • Is there some special property of infosec papers that makes them inappropriate for journal publication?

Thanks to Paul Syverson who catalyzed this line of thinking by pointing out that people specifically submitted to busy conferences because they were more selective.

Posted by ekr at 02:01 AM | Comments (56) | TrackBack

July 23, 2003

Research idea

I'm at this DARPA Principal Investigator meeting and it's putting me in the mind to think up new research ideas. It occurred to me that the demo effect would be a good subject of research.

Pretty much the first thing that the US does when fighting a war is to destroy the enemy's electronic infrastructure: phone, Internet, banking, etc. This involves a lot of intensive bombing, anti-radiation missiles, commando raids, etc. However, the demo effect provides us with a way to disrupt such infrastructure in a far easier way. In the simplest scenario, we'd air drop a Microsoft Vice President on any key site. However, with a little research, we may be able to figure out how to harness the supressive field and project it even without the use of Vice Presidents.

Clearly, this is a worthy research project.

Posted by ekr at 04:21 PM | Comments (10) | TrackBack

July 22, 2003

The demo effect

So, here I am in the hotel conference room fixing my demo.

Every programmer knows about the Demo Effect. It's something we generally don't talk about to non-programmers because they think you're weird, but it happens just the same. Your program is running just fine in the lab. And then you go to show it someone else and voila, it crashes. Not always, of course, but very frequently.

There are of course rational-seeming explanations: you do things differently when you're demoing, or the person you're showing it to says "why don't you click this button", and that's a code path you haven't tested. And of course code that hasn't been tested doesn't work. That's what we tell ourselves. But deep down we know that those are rationalizations. The truth is that demos are bad mojo. [0]

And if demos fail more often than not under good conditions, imagine the situation when you're not that prepared, you haven't practiced your demo, and your code is just a prototype. Imagine and be afraid.

[0] Terence informs me of the related "VP Effect". No matter how much you test your code, the first time you give it to a Microsoft VP, it will crash.

Posted by ekr at 11:41 PM | Comments (49) | TrackBack

July 21, 2003

Arrow's theorem and the market

In his post on Public Choice economics, Henry Farrell claims that Arrow's theorem demonstrates that there's no way to achieve consistent social preferences under market conditions.
Nobel prizewinner Kenneth Arrow showed this in his "Impossibility Theorem," perhaps the single most important result in social choice and public choice theory. The theorem shows that no means of making social choices-democracy, market, or any reasonable alternative to either-can be perfect-they all necessarily involve important tradeoffs.

I don't believe that that's technically correct. Arrow's theorem assumes that all you have available is preference rankings. If you can express the value of each alternative in absolute units (dollars or utils) instead of as rankings, you can obtain consistent and unique orderings, basically by summing up the utilities.

Now, it's true that none of the aggregation techniques is perfect. Averaging and summing both produce a bunch of unpleasant outcomes in some pathological conditions. The particular problem from the Arrow's theorem perspective is that theoretically someone who is sufficiently rich can decide all questions. [0] You can remove this problem by normalizing all people's preferences but this allows strategic voting. However, this isn't strictly relevant to Arrow's theorem since Arrow's theorem assumes that you know people's true preferences anyway. Unless I've missed something, summation with utility normalization meets all of the Arrow's Theorem requirements.

That's not to say that utility maximization is perfect. Straight utilitarianism can lead to some pretty weird conclusions, however, I don't think that Arrow's theorem is the issue here.

[0] This is analogous to Nozick's Utility Monster and in practice about as plausible.

Posted by ekr at 08:20 PM | Comments (102) | TrackBack

Untied Airlines

I'm feeling extremely grumpy about United Airlines right now.

I arrived at SFO at 7:30 AM for my 9:00 flight. The self checkin was only open for people without checked baggage--which I was not one of. Instead, I ended up standing in this ridiculously long line. After a few minutes, it became pretty clear that I wasn't going to make the 45 minute pre-flight baggage cutoff, but I figured United would have to waive it, since there were lots of other people on the same flight in my line.

When I was about 60% of the way through the line, one of the United reps came by and suggested that we might go to the curbside check. I looked outside and there seemed to be a substantial line there as well. Based on the principle of line equalization [0], I decided to decline this offer. Instead, I asked the rep why they didn't open the self-checkin, leading to the following conversation:

Me: Why isn't the self-check open?
Rep: We're understaffed?.
Me: But it's faster, so why don't you open it?
Rep: What, for you?
Me: No, for everyone. It can handle more people.
Rep: We're doing the best we can.
Me: No, you're not.

The principle here--which I was apparently able to get across to this guy--is that the self-check is a labor-multiplier for gate agents. Thus, if you're understaffed, closing the self-checks just makes the problem worse.

To make a long story somewhat shorter, I got up to the counter at about 8:45 and the gate agent told me that I couldn't check my bag since I'd missed the cutoff. I offered to have my bag go on some other flight, but apparently the new policy is that now your bags have to fate-share with you. I was just outside the carryon limit so I figured I'd run to my flight and gate check my bag. Unfortunately, by the time I got to the gate they'd closed the plane and wouldn't let me on.

And that was just the start of the fun...

The gate agent told me and the other people who had missed the flight that we had to wait for the Service Director who would try to help us. The SD showed up and then proceeded to ignore us for about 5 minutes. Finally, he offered to book me on standby on the noon flight. I asked if there was some flight that I could get a real ticket on, as opposed to standby, but apparently not until the next morning.

Instead, I went to customer service and tried again. This time I was informed that I was at the highest standby priority for the noon flight and so I was likely to get on. Likely, apparently, but not certain, since I didn't get on that flight either, though a few people did. Another trip to customer service and another explanation of the situation ensued. This time they managed to book me an actual ticket on the 4:30 flight. Thus, I got to Hawaii about 7.5 hrs after I was originally supposed to arrive, having sat in the airport for most of my day.

As you can imagine, I'm pretty annoyed. I can sort of understand that United is in a bind--they were oversubscribed and couldn't really help me (although, as I said before, they could have improved matters substantially by being smarter about check-in). However, what really annoys me is that most of the people I dealt with seemed completely uninterested in actually helping me--or even pretending to. The Service Director I dealt with even told me that I should have gotten to the airport earlier because I had to be "prepared for any eventuality." A great customer service strategy if I ever saw one.

In typical whiny consumer fashion, I plan to write United a nasty letter. I'd boycott them entirely but if I refused to fly with every airline who'd ever screwed me over, I'd pretty much only be able to fly Southwest.

[0] If some line is obviously shorter, then people will move to that line. Thus, you'd expect all the lines to bne about the same length (in time). Since I was about 60% of the way through my line, it seemed likely that my position was better than the other line. However, in retrospect this may have been a mistake, since I did miss my plane.

Posted by ekr at 07:38 PM | Comments (61) | TrackBack

Hawaii Wireless Situation

Actually the situation here is looking pretty good. Hurrican Internet offers wireless service in my hotel and I'm getting unlimited service for $10.00 a day. It's not as good as being home but good enough that I can do what I need to.
Posted by ekr at 12:50 PM | Comments (24) | TrackBack

July 20, 2003

Miles, miles, miles

Despite the fact that I seem to fly fairly often, it's often on short haul carriers and so I don't actually collect that many miles. Thus, though I've got plenty of miles, I'm not an elite member of any of the frequent flyer plans. However, with two long round trips in the past two weeks, I appear to actually be within striking distance of the magic 25,000 mile number that gets you Premier on United.

Of course, I hate to fly. No travel at all would be just fine with me. It's just that a certain amount of travel is inevitable in my business and I want to be more comfortable when I do have to fly. Of course, being Premier still makes you a bit of a peon, but does get you slightly better treatment and lets you skirt checkin lines, which I hate. I understand it also increases your odds of getting exit row, which is pretty nice if you're tall and leggy, which I am.

Of course, all of this depends on actually getting credit for the miles you fly. I'm notoriously bad on this end, always forgetting my number and then failing to call in to get credit. However, in this case, even though I didn't register with my United Mileage Plus # when I bought my tickets to Vienna, I've amazingly got all the ticket stubs in one place and I'm feeling motivated. With any luck, I can even stop by customer service and get it all done this morning on my way to Hawaii.

I've got to tell you, though: the incentives really work. These two flights don't quite put me over the top. I'm already thinking about how I can schedule all future travel this year on United.

Posted by ekr at 06:37 AM | Comments (14) | TrackBack

July 19, 2003

HotSpot pricing

Interesting pricing story from from T-Mobile. When buying Wi-Fi access plans you have 4 choices, in descending order of commitment:
  • Annual unlimited service at $29.99/month.
  • Month-by-month unlimited service at $39.99/month, but with a $25.00 termination fee during the first year.
  • Buy 300 minutes for $50, which can be used in minimum chunks of 10 minutes.
  • Minute-by-minute for $.10, with minimum chunks of an hour.

None of these is really ideal for me, since what I want is unlimited service for 3-4 days. I suppose I'll probably go minute-by-minute, since I can't stomach paying $65 and my usage patterns tend to be more in the hour range than the minute range. Still, at those rates I doubt I'll use more than an hour a day ($6/day). By contrast, I suspect I would have paid about $10/day for unlimited service, and most likely only used an hour or so on average. I wonder how many other people are like me.

Posted by ekr at 11:36 PM | Comments (21) | TrackBack

I need my net fix

So, I'm off to Hawaii, after a whole one day at home--spent configuring computers, due to the unfortunate failure of my long-suffering Sony Vaio. Worse yet, my hotel's idea of Internet access seems to be to suggesting you dial in to your ISP. The good news, is that there's a Borders 1.5 miles from my hotel that's a T-Mobile Hotspot. For the low low price of $.10/minute (60 minute minimum) I can suck all the bits I want.

I didn't much enjoy IETF in Vienna, but I will say that the network coverage was superb, with wireless available everywhere. There's word that the meeting I'm attending will have some kind of Internet connectivity, but maybe only on Wednesday.

Posted by ekr at 11:17 PM | Comments (13) | TrackBack

July 18, 2003

Another innovative transportation idea

One of the irritations of living in the South Bay is that much of the partying goes on in San Francisco. However, Caltrain shuts down at around midnight and doesn't run on the weekend at all. Since bars shut down at 2:00, this means that you either find someone to crash with or have to get a designated driver. Neither is particularly straightforward.

After a few dobblebocks the other night, I came up with an elegant solution to this thorny problem: drunk driving lanes! After midnight, we allow drunks to drive, but only in the carpool lane, which we'd wall off to reduce the risk to non-drunk drivers. Drunk driving lanes will be one of my first initiatives when I am elected governor.

Posted by ekr at 10:10 PM | Comments (22) | TrackBack

July 17, 2003

Geschmack! Black Ice Gatorade

I was in the local convenience store buying some cookies and saw a bottle of Black Ice flavor Gatorade. As a connoisseur of disgusting tastes, I obviously needed to try some. Bad move.

Black Ice Gatorade is, amazingly enough, this jet black liquid. I was expecting licorice flavor, but in reality the taste is...indescribable. Where previous Gatorade flavors at least had some vague resemblance, to some actual fruit, Black Ice is fruity but non-specific. Tasters described it as:

  • Generic fruit flavor.
  • Like the flavoring they put in Robitussin.
  • I think it's supposed to be Blackberry.
  • Holy shit, that's awful.

Our current theory is that this drink was constructed by breaking down the flavorings of other fruits into their chemical constituents and then randomly picking some subset of the flavor components. I have no idea why it is colored black.

This product does not appear to be marketed in the US. After tasting it, it's not surprising. What I can't quite figure out is why it's marketed in Austria. For some reasons, the Germans and Austrians seem to have a fondness for sports drinks flavored like cough syrup. Still, it's vaguely understandable why someone would drink Red Bull--it only comes in one flavor and so if you want to experience the unique Red Bull stimulant buzz you need to suffer through the taste. But Gatorade comes in lots of flavors, all nutritionally equal. Bafflingly, there must actually be market demand for this stuff.

Note: The title comes from the fact that the label reads:
Black Ice
Geschmack * Gout * Smaak

Which mean "taste" in German, French, and, I believe, Dutch. "Geschmack" actually pretty well captures the sensation delivered by Black Ice. n

Posted by ekr at 10:59 PM | Comments (42) | TrackBack

Crazy German girlfriends

You owe it to yourself to check out Things My Girlfriend And I Have Argued About... but not if you have anything else to do for the next hour or two.
Posted by ekr at 04:59 AM | Comments (12) | TrackBack

Swimming in the Danube

Just got back from a short swim in the Danube. My hotel is about 10 minutes walk from the river, so I ran down and jumped into the water. I swam for about 25 minutes--down 10 minutes, across to the other side, and back to the other side. The water was a nice temperature, but pretty murky. You could just barely see your hand with your arm extended.

I'll say one thing for Austria: when I asked the hotel receptionist whether I could swim in the river, the answer was "But of course." In the States it would probably have been more like "We can't tell you and anyway you'd have to sign the following waiver." Kind of refreshing really. On the other hand, if I come down with some sort of massive case of e. coli tomorrow I may feel differently.

Update 20020718:
Fixed the substitution of "hotel" for "river" in the first paragraph. Thanks to Bill Fenner for pointing this out.

Posted by ekr at 04:48 AM | Comments (21) | TrackBack

July 16, 2003

Toilet brushes and ash trays

Most all of the toilet stalls in the Vienna convention center have two items not found in US toilets:
  1. An ash tray.
  2. A toilet brush.

I assume the story with the ash tray is that Austrians smoke all the time, even on the bowl. They do certainly seem to smoke incessently. When running the other day I saw a girl who looked about 12 smoking. As for the toilet brush, I guess that you're expected to clean off the inspection shelf.

Posted by ekr at 05:03 PM | Comments (23) | TrackBack

July 15, 2003

File sharers respond to incentives?

This article in CNET claims that the file sharing volume is down about 15%. Their interpretation is that this is a result of RIAA's threats to sue individual file sharing users. As I argued earlier, we would expect these threats to have some impact on file sharing. However, one would expect them to be more on the people serving files than the people downloading them. It would be interesting to know if the decline is a result of fewer servers or fewer downloaders.
Posted by ekr at 10:15 AM | Comments (24) | TrackBack

July 14, 2003

I am the ugly American

Gah! One of the IETF's traditions is to have one conference a year outside North America. About half of these non-American IETFs are in the Pacific Rim and about half are in Europe. Currently, we're in Vienna, which is the first European IETF that I've been to since Oslo in July 1999.

I'm sure I'm going to come off as a bad sport here, but after having been to Munich in 1997 and Vienna now, I'd be perfectly happy never to do a conference in a German-speaking country again. Noone's tried to kill me or anything, but the minor inconveniences add up:

  • No water. Austrians don't seem to drink water except for mineral water. If you ask for tap water at a restaurant they look at you like you're a mutant. There aren't any water fountains. Try sitting in some hot meeting room for 3 hrs and then not being able to get a drink.
  • Lousy food. Breakfast this morning was some sort of scary uncooked scrambled eggs along with some sort of lunch meat and cheese. Normally, the 3:00 break is cookies. Today it was lunch meat again. What is it with the Austrians and lunch meat?
  • The toilet paper problem. The toilet paper here is this brown crinkly paper towel-type stuff. Haven't these guys ever heard of Charmin?
  • The beer! I thought Austria and Germany were supposed to be the home of good beer. So far all I've been able to get is this weak pilsner swill and a bottle of Guinness. It's like being in the US circa 1980, when all you could get was Bud.

More complaining as other things happen that annoy me.

Posted by ekr at 10:15 AM | Comments (60) | TrackBack

Yeah, we're a committee!

I'm at the IETF conference in Vienna this week. Basically, it's a long series of "working meetings" where people give presentations about the state of their work and there's discussion of the open issues. Is there any less effective way to design systems than have 150 people in a big room "working" collectively in a mostly uncoordinated group?
Posted by ekr at 12:35 AM | Comments (28) | TrackBack

July 13, 2003

Those are some pretty suspicious looking shoes, buddy

So, I'm in the security line at SFO and everyone else is taking their shoes off. I'm wearing running shoes which won't set off the metal detector, so I decide to leave mine off. When I get to the front of the line, the TSA employee asks me if I want to take my shoes off. I say "no" and she says "you'll have to go through secondary screening". At this point, I'm curious so I say "Whatever".

I walk through the detector, which doesn't go off, and then I step to the secondary search point and get the usual wand-down and they make me take off my shoes and run them through the X-ray machine. After about 5 minutes of this crap, they let me go. When I challenged the TSA flaks, they were pretty mealy-mouthed, saying that "no, you don't have to take off your shoes", but that you may be subject to secondary screening.

When I got to Vienna I checked the TSA's web site. Here is their policy.

  • TSA does NOT require that passengers remove their shoes prior to proceeding through the security checkpoint.
  • However, any person that alerts while proceeding through the checkpoint will be subject to a secondary screening to determine the source of the alarm.
  • TSA screeners have also been trained to look for suspicious footwear that may require secondary screening regardless of whether the metal detectors alarm.

However, neither I, nor the guy behind me in secondary screening had set off the detector, and the woman running the belt made pretty clear that just wearing shoes was enough to target you for secondary screening. Apparently, "suspicious footwear" means "still on your feet".

I don't know if this is the TSA's actual policy, or just the particular people I ran into at SFO. However, if they're going to screen anyone who doesn't take off their shoes as a matter of secret policy they should just be open about it rather than pretending that it's somehow discretionary.

Posted by ekr at 11:37 PM | Comments (48) | TrackBack

Black radio?

Passed through Frankfurt airport this morning on the way to Vienna. Saw a poster advertising JAM FM, a "Black Music" radio station. You'd never see an ad like this in the US. I wonder if that's a sign that the US is more or less racist than Germany.
Posted by ekr at 10:20 AM | Comments (20) | TrackBack

July 12, 2003

What Mel Brooks can teach you about the WTO

If you've seen the Mel Brooks movie Blazing Saddles, then you probably remember the scene where the black sheriff holds off the people who want to kill him by holding a gun to his own head and threatening "Nobody move or the nigger gets it". I'm reminded of this scene when reading the about the steel tariffs case. If the Europeans win, their "reward" is that they get to impose sanctions on American imports. Yes, you heard that right. In order to punish the American government for doing something that hurts European producers and American consumers, the Europeans will be allowed to hurt American producers and European consumers. Brilliant.

Now, if things were working properly, this might work anyway. I see the WTO as a sort of anti-suicide pact between governments. Governments are under enormous pressure from industries in their own countries to adopt trade barriers and the public is in general far too economically ignorant to actually push much in the opposite direction (the fact that news organizations don't properly cover these issues doesn't help). However, if well-meaning governments got together and agreed to have free trade, then when when industries come seeking protection, they can say "Sorry, we're not allowed. Our hands are tied". In some extreme cases where the political pressure got too much, they could pass the tariffs and then "lose" the case at the WTO and be "forced" to recall the tariffs. Unfortunately, since the WTO mainly has the ridiculously damaging enforcement mechanism I just described, the system only works if the government in question is actually in favor of free trade and is therefore playing to lose. I'm not at all sure that the Bush administration sees things that way.

Posted by ekr at 06:51 AM | Comments (64) | TrackBack

US vs. Europe on Steel Tariffs?

Most of the news coverage of the WTO decision over the US steel tariffs seems to be taking the attitude that this is an issue of the US vs the EU. That's not right at all. Rather, it's the rent-seeking US steel companies and the Bush administration against everyone else in the world, including American consumers. Remember that what's going on here is that the US steel companies can't compete and so they just want the US government to give them a monopoly so that they can overcharge the consumer. On this one, at least, I'm on the side of the Europeans.
Posted by ekr at 06:32 AM | Comments (23) | TrackBack

July 11, 2003

The obligations of medical monopoly

As EG readers will know, one of my common themes is doctors privileging their own judgement over that of their patients and thereby denying their patients the treatment they desire. Of course, another, somewhat less common, theme is that the government should stay out of the market's operation to the greatest extent possible. How to reconcile these two positions?

Actually, two things are happening here.

  1. I'm exhorting doctors to adopt a view of the world that would them to be more receptive to the patient's wishes.
  2. I'm endorsing intervention in the market to make doctors behave differently.

A different worldview
The worldview I would like to see doctors adopt is something more akin to that of other service professionals. If you ask your car mechanic to do something he thinks is stupid, he's likely to tell you, but ultimately he's pretty likely to do as you ask unless it's clearly totally unsafe. He's restricted from doing things in the latter category because it's not possible for you to totally waive all liability. However, obviously this still leaves a lot of room for action since all sorts of bizarre and probably dangerous car modifications are available.

I don't think there's anything contradictory about exhorting doctors to adopt this worldview. Auto mechanics are free to adopt the worldview that doctors have, they just don't.

A market intervention
Suggesting that we interfere in the market is a different matter entirely, however, seemingly at odds with the "minimal intervention" principle I endorsed above. However, in this case I think it's justified because doctors are a government regulated monopoly.

Well, maybe not a monopoly--a cartel. But look, it's not an open market. If I want to go into medicine, I can't just hang out a shingle, I've got to go to med school and take tests and stuff. And if I don't do that, the police come and arrest me for practicing medicine for practicing medicine without a license. So, it's not just a monopoly but one that's endorsed by the state. Now, one very common characteristic of such monopolies is that they're required to serve all comers. If I don't want to take your security work, I just tell you "no". But if PG&E doesn't want to sell you electricity, too bad. They still have to.

Moreover, PG&E isn't allowed to ask what you're doing with the electricity. If I decide to start using the juice they're selling me to do fusion power research or electrocute rats in my basement, the City of Palo Alto might care but it's none of PG&E's business. [0] What I'm proposing is that a similar principle be applied to doctors. Within narrowly prescribed limits, doctors should be required to perform pretty much any procedure a patient wants. Now, I don't insist that any individual doctor do it. If the AMA wants to draw lots among qualified doctors, that's fine too. I just think that the cartel as a whole should be required to do it.

Now, I can understand that doctors wouldn't like this position, as it would cause them to do things they find distasteful. However, it's my view--though obviously not the majority view--that this obligation should come with their use of the power of the state to protect their monopoly. [1] If, on the other hand, they'd prefer to compete in a free market, then I'll be more than happy to defend their right to refuse service to anyone they like.

[0] Incidentally, this can be very liberating. For instance, it's considered very desirable for Internet companies to have "common carrier" status and therefore be able to refuse on principle any suggestion that they look at customer's traffic.

[1] Note that none of this requires that insurance companies pay for such procedures. However, if people are willing to pay...

Posted by ekr at 08:08 AM | Comments (77) | TrackBack

Optimal medical punishment levels

DB quite fairly points out that I just made fun of his suggestion that doctors should punish doctors, rather than actually criticizing it. He writes:
Well this represents an excellent use of sarcasm, however one cannot really classify these statement as criticism. Physicians do want to see high quality care. State medical boards do censure other physicians regularly. While we may do a great job of self-policing, we are improving. I believe (as a physician) that we could develop a system which would protect patients.

A good point and it deserves a real response.

The problem here is that doctors have a conflict of interest. They want to see good medical care but they also want to not personally be punished. The distorts their incentives.

Imagine that you're some society designer. You want to set doctor's incentives (including malpractice damages) properly. (see Milgrom and Roberts) for more on this general problem.) So, you settle on some system with a given set of incentives and punishments. This system is designed to produce some nonzero rate of errors and malpractice claims because reducing them to zero is too expensive. Rather, you try to set the number of errors to some efficient level.

Now, imagine that you were a doctor. You have two additional incentives:

  • You wish the perception of medical care to be high quality so that you will get business. (This is as opposed to the interest everyone has in having high quality medical care).
  • You wish to have your risk level be lower.

The first incentive is probably quite small, since even the current system enforces a fairly high quality of care and people seem pretty willing to use it.

The second incentive, however, is obviously quite large, as evidenced by the fact that doctors are making such a fuss over their current risk of being sued. Therefore we would expect that if you were designing such a system and you were a doctor you would set the punishment levels inefficiently low.

Now, of course, in DB's system doctors wouldn't be explicitly setting the punishment level too low, but since they would control the decision procedure, they have the opportunity to set it wherever they want. Thus, it is likely to drift towards an inefficient value.

But let's take a step back and address the more general issue. The basic form of DB's argument is that only doctors are qualified to make these decisions:

Physicians have the knowledge to review the chart, interview the patient and the physician. They will less likely succumb to legalese. They will less likely provide a "verdict" based on sympathy for the "victim". I truly believe that non-physicians would have great difficulty judging patient care decisions. It takes medical school, residency and continuing practice to understand many intricacies of patient care.

I'm not actually convinced this is true, but let's say that it is. That doesn't mean that doctors have to actually make the punishment decisions but merely that we need to have some way to access their specialized knowledge. In the comments section of my previous post, Kevin Dick described a path to a far superior solution, quoted in full here:

I think it's just a matter of setting up a system that gives them the right incentives. There are really two issues here, determining whether a doctor has made a mistake and then figuring out how much he should pay. Now all this is off the cuff and I haven't analyzed it too carefully, but here is an example of the type of system I'm talking about.

Assume that there's a council of reviewers. These doctors receive interactive simulations of an actual medical situation encoutered by a doctor and the council members record what they would have done in his or her shoes. If a majority describe something that appears different from what was actually done, then the doctors with a different opinion rate whether the actual course of treatment was better or worse than their proposed course of treatment. You then tally up the opinions according to the weighting scheme outlined below to determine if a mistake was made.

Now here's the rub. Only some of the simulations are of malpractice cases. The rest are cases that were treated by one of the doctors in the council. This allows you to create a rating of doctors in the council who are "better" or "worse" according to their peers on the council. The better doctors get paid more for their services and their opinion carries more weight for real malpractice evaluations. Of course, there's a masssive penalty for a doctor recommending a different course of action for a case that was actually his.

Determining damages is even easier. There are 3 or more independent evaluators or groups of evaluators. Each of them "bids" the amount of damages. The lowest bid wins but the winning evaluator or group gets a fraction around 10-30 percent of the damages. The bidding incents them to estimate low and the sharing incents them to rate high. With proper tuning, you could probably get outcomes in some "fair" range.

The key to this scheme is that you're using the doctor's specialized knowledge as a test instrument, but you're not letting them directly decide on the amount of incentive pressure, thus avoiding the conflict of interest. I'm not sure how happy I am with the second half of his scheme (the damage determining) but I think that the key insight to separate the two issues and the first half of the scheme are definitely on the right track.

Posted by ekr at 07:15 AM | Comments (61) | TrackBack

July 10, 2003

How about you just do what I ask, huh?

In another example of the kind of medical arrogance that drives me nuts, SF Gate reports that patients are so desperate to get stomach-stapling surgery that they are gaining weight in order to be fat enough to qualify.

The guidelines come into play in two ways. First, the insurance companies won't pay unless it's medically indicated. I've got no problem with this. This is a contracting issue. If patients want a lower threshold they can pay for it in high premiums. That said, if I were an insurance company I'd have some sort of graduated scale to avoid this kind of weird thresholding effect.

Second, doctors are refusing to do the surgery even if people pay for it themselves.

If a patient doesn't meet the guidelines, insurers won't pay for surgery and most doctors won't operate even if the patient offers to pay for it themselves.

The guidelines, the result of a 1991 National Institutes of Health consensus conference, are strict because the surgery isn't without risk. About 1 percent of patients will die from complications. And because the most common form of the surgery limits the body's ability to absorb food, patients can suffer malnutrition, requiring a lifetime of nutritional supplements and follow-up care. In addition, patients must adjust to never again eating more than a minuscule portion at a sitting, or they'll vomit.

So, what's the response of the doctors being interviewed? That they should lower the guidelines, of course:

"We're asking, should we lower the BMI so these people who have risk from their disease of obesity can be better served with surgery," says current ASBS President Alan C. Wittgrove, the San Diego surgeon who performed Carnie Wilson's surgery. "The problem with this group is there's really nothing available for them right now."

Does it even occur to these people that maybe the problem is that they're trying to make rules rather than letting the patients decide for themselves what they want? Apparently not.

Posted by ekr at 04:54 PM | Comments (27) | TrackBack

Doctors punishing doctors?

DB of DB's Medrants argues that a panel of doctors should decide on punitive damages for malpractice:
The accused physician should have his records and other evidence judged by a panel of peer physicians (perhaps from another state to decrease conflicts of interest). That panel could best judge whether the physician made errors. They could then authorize appropriate payments. We all agree with the payment of legitimate damages. Physicians want a cap on punitive damages only.

Yeah, what a great idea. It's not like there would be any conflict of interest in having doctors judge other doctors. They wouldn't circle the wagons or anything like that. That would never happen.

Posted by ekr at 04:45 PM | Comments (51) | TrackBack

Health insurance purchasing decisions

Arnold Kling points points to an interesting article by Helen Levy and Thomas DeLeire on the spending habits of people who don't buy health insurance. Here's the abstract:
Using data from the 1994 through 1998 Consumer Expenditure Surveys, we compare household spending on 16 different goods (food at home, food away from home, housing, transportation, alcohol and tobacco, interest, furniture and appliances, home maintenance, clothing, utilities, medical care, health insurance, entertainment, personal care, education, and other) for insured versus uninsured households, controlling for total expenditures and demographic characteristics. The analysis shows that the uninsured in the lowest quartile of the distribution of total expenditures spend more on housing, food at home, alcohol and tobacco, and education than do the insured. In contrast, households in the top quartile of the distribution of total expenditures spend more on transportation and furniture and appliances than do comparable insured households. These results are consistent with the idea that poor uninsured households face higher housing prices than do poor insured households. Further research is necessary to determine whether high housing prices can help explain why some households do not have insurance.

The obvious way to look at this result, as Levy and DeLeire point out, is that housing consumption is inelastic and thus the uninsured actually have less disposable income to spend on health insurance. In that case, it might be easier to just think of them as poorer and give them a simple transfer payment that they could use to buy insurance on the open market--provided, of course, that you can prevent the obvious adverse selection problems.

Posted by ekr at 08:20 AM | Comments (11) | TrackBack

July 09, 2003

Stalin versus Hitler

This comic was done in 2000 but I've never seen it before. It's essentially superhero comic with Stalin verus Hitler. Completely surreal. Thanks to Lisa Dusseault for the pointer.
Posted by ekr at 03:03 PM | Comments (22) | TrackBack

Even more bad news for Canada

Peter Jennings, long-time ABC anchor Peter Jennings has become a US citizen. The Canadians seem to be taking this pretty hard (scroll down to the comments section).

On a more serious note, check out the following section from the canada.com article:

Mr. Jennings said the strong cultural nationalism of his parents had prevented him from giving serious thought to dual citizenship before their deaths. His father, Charles, was a pioneering CBC broadcaster and his mother, Elizabeth, who died in 1992, was a prominent supporter of the National Ballet of Canada and the Canadian Opera Company.

"I clearly was never going to be really active about it while my mom was alive. I think she would have been surprised, to say the least. My mom was very, very, very deeply Canadian, and to some extent quite anti-American."

I must say, this is one aspect of the Canadian character that I've always found a little strange: the conflation of Canadian pride with being anti-American. Canadian national culture seems to be largely defined by being not-American. That can't be healthy.

Posted by ekr at 07:37 AM | Comments (41) | TrackBack

July 08, 2003

One-way bullet resistant windows

This is one of the coolest things I have ever seen: plastic that is bullet resistant in one direction but not in the other direction. This means that you can have bulletproof windows in your car but still shoot out. Think of all the uses!
Posted by ekr at 10:58 PM | Comments (36) | TrackBack

That's so Canadian!

Once again, EG brings you news from the cutting edge of pop culture. One of my informants reports that he just heard a kid use "Canadian" as a synonym for "lame" or "weak". Hilarious.
Posted by ekr at 10:14 AM | Comments (22) | TrackBack

Important safety tip

When you get back from a triathlon, it's very important to take your wetsuit out of the plastic transition bag they gave you. Best is to rinse it off right away but at least you need to put it in the vented pocket of your tri bag (you do have a DeSoto Sport transition bag, right?) or better yet hang it up. If you don't do this, well, the results are likely to be a bit unpleasant. I only noticed that I hadn't unpacked my wetsuit because Hans Blix came nosing around looking for biological weapons.
Posted by ekr at 07:58 AM | Comments (55) | TrackBack

July 07, 2003

What's with this IBE stuff?

A bunch of my friends work for a Palo Alto startup, Voltage Security, which just popped out of stealth mode in a big way with coverage in the New York Times and the a Wall Street Journal. Voltage's product is based on a new piece of cryptographic technology called Identity Based Encryption (IBE). To understand it, you first have to understand how things work now. (Full Disclosure: I'm on the Voltage Technical Advisory Board and the principals are all friends of mine, and at least one of them did kind of suggest that I might mention them on EG. However, I think that this is an interesting topic in its own right, so I'll talk about it anyway. I'll try to stick to the facts as much as possible, but keep my biases in mind as you read on.)

For the past 10 years or so, most communications security systems that people designed have used Public Key Cryptography (PKC) for key management. With PKC, each party generates a "key pair", one public and one private. The public key is known to everyone (e.g. published on the Internet) and the private is known only to the key owner. So, if you wanted to send a message securely to someone you'd just encrypt under their public key. [0]

Unfortunately, while this is an incredibly clever idea it's really only a partial solution to the problem. What stops me from posting a whole bunch of keys that I claim are yours and getting your secure email? It turns out that PKC has a solution to this as well. It's possible to sign a message with your public key so that it can be verified with your public key. By verified I mean that the verifier can ensure that (1) you or at least someone who had your private key wrote it and (2) it hasn't been tampered with. So, instead of just posting my public key, I post a signed document by someone else who you might trust saying "Key X belongs to EKR". This document is generally called a certificate. The process of getting the certificate is called enrollment.

But wait, how do you get that trusted person's key? Isn't that just turtles all the way down? For this to work properly, you really need at least one person or company who everyone trusts. That company's public key is compiled into everyone's software. In practice, there are a large number of these Certification Authorities (CAs) of which VeriSign is the most famous. All of this apparatus (certificates, CAs, etc.) is collectively referred to as Public Key Infrastructure (PKI).

In the PKI world, there are two ways to get someone's certificate.

  1. They give it to you. If you're using a protocol like SSL or IPsec, exchange of certificates is part of the protocol. But this requires you to be online, which is fine for Web browsing but isn't very convenient for a lot of applications, such as e-mail.
  2. You get it from a directory. When PKI was initially designed it was assumed that everyone would get their certificates from a global X.500 directory (generally just called "The Directory".). Needless to say, there is no global X.500 directory This didn't happen, needless to say. In fact, you can pretty much tell that you're dealing with an old-time networking guy by the fact that he starts laughing his ass off if you say "The Directory".

So, choice (1) only works well if you're online and choice (2) doesn't work well for anything other than intra-organizational e-mail, and not very well for that either. And of course, none of it works unless the person you're trying to send to already has a certificate, which of course most people don't.

Identity Based Encryption
IBE turns PKI on its head. Instead of having certificates, everyone's public key is their identity (like their e-mail address). Instead of a CA, there's a central authority called Key Server (KS) that issues you your private key. The way that enrollment works is this: You prove to the KS that you are entitled to your identity and it gives you the private key that corresponds to that identity.

With IBE, because you can predict what someone's identity is in advance, you don't need to find their certificate in a directory. As long as you know the KS's public parameters (these would be published the same way as CA keys are now), you can encrypt a message to anyone. Note that this all works best if there's only one central KS. Otherwise life gets a little complicated, which I'll get to in a minute.

In fact, in an IBE system you can send someone an encrypted message even if they haven't enrolled yet. Then, once they've received the message they can enroll and read it. Call this process post-enrollment to contrast it to PKI, where you have to enroll first.

As an obvious corollary, the KS is able to generate any user's private key at any time. This is useful for roaming applications. With PKI, you have to somehow arrange to copy your private key from machine to machine, or use some central key service such as that being defined by the IETF's SACRED working group. This sort of technology isn't very well standardized. Since post-enrollment is an essential feature of IBE, when you move to a new platform or machine you just re-enroll and it's automatically enabled with your key.

The flip side of post-enrollment is that if someone takes control of the KS, they can read anyone's messages. In the crypto community, this property is called escrow. Whether escrow is a good thing or not depends a lot on your perspective. Individual users are often pretty concerned about some third party being able to decrypt their communications--hence the big kerfuffle about the Clipper Chip back in the 90s. By contrast, Corporate users--well, the companies who buy the software, at least--are generally not that worried about their employee's privacy but are concerned about some employee quitting (or dying) and leaving a bunch of encrypted data around that the company can't read, so for them some escrow capability is a good thing.

Escrow is pretty much inherent in IBE systems. There are some schemes being developed to remove escrow, but they generally also mean limiting post-enrollment in some way. For instance, you could implement the KS in a trusted hardware platform (this is a good idea in any case) and have it remember which keys it had issued and not reissue them. However, this would have the disadvantage the roaming access would no longer work properly.

Hybrid Systems
However, even corporate users don't want some central KS as a single point of vulnerability. That just requires trusting whoever runs the key server way too much. Instead, Voltage uses a hybrid system. Each enterprise their own key server which only issues keys for entities known to the enterprise. Thus, if I run company Foo, I would get a key server that was only used to issue keys for "foo.com". So, if you work for company Bar, you would just look up the parameters for foo.com and then you can encrypt to any employee at foo.com.

This hybrid scheme has a number of advantages over a simple centralized IBE scheme:

  • Companies can run their own key servers with their own policies, as opposed to having to use someone's global policies.
  • There's no centralized KS to be compromised so there's no global escrow feature.
  • Enterprises can still get at encrypted data if they absolutely need to. As I mentioned, this kind of enterprise key escrow is pretty attractive to most companies.

The major disadvantage is that senders can no longer know the static KS parameters and encrypt to everyone. Instead, they have to look up the parameters for every domain they want to encrypt to. On the other hand, once you have the foo.com parameters they are the same for every address that ends in @foo.com, so you don't have to look up alice@foo.com and bob@foo.com separately. Moreover, this means that enterprises can make a global decision to install a key server without enrolling anyone. Then, when people actually get encrypted messages they can post-enroll--at which point they'll presumably have more incentive to do so, since they will want to read the message.

If you're familiar with crypto, you're probably thinking something like "I know how to do this, and without any of that crypto rocket science stuff". The standard approach is for senders to encrypt the message with a random session key (you would want to do this anyway, see footnote [0]) and then encrypt the random session key under the KS's public key along with an indication of who is supposed to receive the message. Then, when the receiver gets the message they present the encrypted key to the KS along with proof that they are the correct recipient (it's a little tricky to tie the recipient's identity to the encrypted key, but it's quite possible). The KS then decrypts the session key and gives it back to the receiver.

The major problem with this approach is that the KS then has to be involved whenever someone wants to read a message. By contrast, with an IBE system, once the receiver has obtained their private key, they can cache it and read messages offline.

We can improve this emulation approach somewhat by having the KS also be a CA. When the sender wants to send a message they contact the KS/CA and see if the receiver has a certificate. If they do, then the sender uses that. Otherwise, they fall back the KS/CA public key. That reduces the burden on the receiver but increases it on the sender and KS/CA. Now, the KS/CA has to act as a certificate directory and the sender has to look up people's certificates. Also, this scheme has the advantage (or disadvantage, depending on your perspective) that once the users key is issued then any data encrypted with the user-specific public key is not escrowed.

However, a hybrid KS/CA can lead to some strange behaviors. Consider the following sequence of events:

  1. Sender 1 sends a message to the receiver. Since the receiver doesn't have a key he uses the KS/CA key and caches that.
  2. The receiver reads the message and registers for a key.
  3. Sender 2 sends a message to the receiver. He contacts the KS/CA, sees that the receiver has a certificate, and uses that.
  4. Sender 1 sends a message, but is offline when he encrypts it. Since he has the KS/CA's key cached this is possible, but he has to encrypt under the KS/CA key.
  5. The receiver picks up his mail and goes offline to read it. Now, he can read Sender 2's message (because it was encrypted under his key) but not Sender 1's message (because it was encrypted under the KS/CA key).
This situation is likely to be very confusing to receivers, who already find security quite confusing.

Bottom line, while it is possible to some extent to emulate IBE using conventional cryptography, if IBE-type functionality is what you want, IBE does a better job of it than the emulations do. If you're really worried about escrow you could build a hybrid IBE KS/CA system that would operate more cleanly than this emulation would.

Where is this useful?
Where I'd expect to see IBE used most is in for messaging applications such as e-mail and IM. These are appplications where people are talking to other people and therefore the limitations of conventional PKI are most obvious--and not coincidentally where security has been slow to be deployed. For applications like Web-based e-commerce (which currently uses SSL/TLS), IBE isn't that big a win since both peers have to be online anyway and so they have an opportunity to exchange certificates. I wouldn't expect IBE to be in wide use for SSL any time soon.

It's not surprising, then that Voltage's initial target market is secure e-mail. Their current product offering includes plugins for the major mail clients to let them send and receive IBE-encrypted e-mail as well as Enterprise key servers that can be installed locally. As I understand it, they're also going to give away a toolkit which lets developers integrate IBE into their own applications.

[0] Actually, this isn't quite true. For performance reasons, one usually generates a random session key and encrypts that with the recipient's public key. The actual message is encrypted with the session key. However, this is a technical detail that doesn't change the key management issues at all.

Update 21:08:
Added the point that the emulated KS/CA scheme would not have escrow once certs were issued and the related point about hybrid IBE KS/CA schemes.

Posted by ekr at 08:02 PM | Comments (22) | TrackBack

We're number 7!

The Canadian news media is all aflutter over the new UN Human Development Index. After 9 years on top, Canada slipped to #3 behind Norway and Sweden in 2001 and now it's down to 8th. The worst part, for Canadians at least, is that the US is seventh. Don't get me wrong here. I know these statistics are completely bogus. On the other hand, it's less reason for self-satisfied Canadians to lecture me about how much better Canada is than the US and how we would be much better off if we just adopted whatever Canadian innovation they're pushing. So, forgive me if I indulge in a little schadenfreude.

Anyway, here's the official UN list of all the countries that are better than Canada:

  • Norway
  • Iceland ?!?!?!
  • Sweden
  • Australia
  • the Netherlands
  • Belgium
  • The United States
Just in time for my trip to Canada in August, too.

Update 2003/07/09 07:49:
Colby Cosh weighs in on this topic, pointing out that the index is totally bogus. Of course it is, which just makes it more delicious that the Canadians who took it seriously for so long are now stuck between admitting that they were beaten or that their previous success was false.

Posted by ekr at 06:20 PM | Comments (19) | TrackBack

High tech

I just got the following spam:


We need a vendor who can offer immediate supply. I'm offering $5,000 US dollars just for referring a vender which is (Actually RELIABLE in providing the below equipment) Contact details of vendor required, including name and phone #. If they turn out to be reliable in supplying the below equipment I'll immediately pay you $5,000. We prefer to work with vendor in the Boston/New York area.

1. The mind warper generation 4 Dimensional Warp Generator # 52 4350a series wrist watch with z80 or better memory adapter. If in stock the AMD Dimensional Warp Generator module containing the GRC79 induction motor, two I80200 warp stabilizers, 256GB of SRAM, and two Analog Devices isolinear modules, This unit also has a menu driven GUI accessible on the front panel XID display. All in 1 units would be great if reliable models are available

2. The special 23200 or Acme 5X24 series time transducing capacitor with built in temporal displacement. Needed with complete jumper/auxiliary system

3. A reliable crystal Ionizor with unlimited memory backup.

4. I will also pay for Schematics, layouts, and designs directly from the manufature which can be used to build this equipment from readily available parts.

If your vendor turns out to be reliable, I owe you $5,000.

Email his details to me at: info@federalfundingprogram.com

Please do not reply directly back to this email as it will only be bounced back to you.

weagapnuiggwjvyetm myndd ghw

4 dimensional warp generators? I think Frys has those over in aisle 5 next to the MRI machines.

If I had to guess, I'd say that this is some kind of virus, since I can't see why a commercial spammer would want to send this message out.

Posted by ekr at 02:42 PM | Comments (59) | TrackBack

I guess the housing bubble isn't over

I bought my house in Palo Alto in the summer of 2000, everyone was talking about how the Palo Alto housing market was a bubble and had to crash soon. However, 2 years later inventories still seem low and prices are still high. The other day, I got some confirmation that it's still a seller's market in the form of a flier that said:


We represent 3 qualified families needing to buy homes in the neighborhoods served by the DUVENECK and ADDISON SCHOOLS. If you are interested in selling your home, please have your Realtor contact us or call us directly.

Good news for me, since my house is in the Duveneck area. Not planning to sell but nice to know we have options.

Posted by ekr at 07:15 AM | Comments (39) | TrackBack

July 06, 2003

Bathroom etiquette

At the Aquathlon today, there was a reversal of the usual bathroom problem. The line for the women's bathroom was very short and the line for the men's very long. There's nothing mysterious here: the men's bathroom had 2 urinals and one stall and the women's had 4 stalls. Combined with the fact that only about 10-20% of the competitors were women, this meant men did a lot of waiting. It's a little tricky to figure out the etiquette here. In the reverse situation, it's pretty common to see women just get in the men's line, but the men seemed a lot more nervous about going in the women's side.

The system that evolved seemed to be the following: men would go in the women's bathroom but only if someone told them that there was an opening and that it was ok (i.e. women weren't changing or anything). Men wouldn't stand in the women's line if there was one. It was only ok to use the women's bathroom if it was actually idle. Unsurprisingly, once one enterprising soul had made the switch, the precedent was established and people were pretty willing to change--until the women's bathroom filled up and the pattern was broken.

It's hard to know what's fair in situations like this. After all, the provisioning was clearly unfair. On the other hand, women put up with that kind of unfair provisioning all the time and only change lines when the disparity is quite large. On the gripping hand, I didn't hear any women complaining, so I guess this met their sense of fairness as well.

Posted by ekr at 03:11 PM | Comments (24) | TrackBack

Escaping from Alcatraz must have been cold

Just finished the Alcatraz Aquathlon. Basically, they take you out on a boat to about 100 meters from Alcatraz and you swim back, then run over the Golden Gate Bridge. On my way out in the boat, the sage words of my friend Mark Schertler were in my mind "Isn't the whole point of having a prison on Alcatraz that you can't swim to shore?" It turns out to be doable, at least with support, but rather cold.

There are two major obstacles, the current and the cold. The situation with the current is that it's going about 2 mph towards the bridge. So, if you navigate as you usually do, aiming towards where you want to go, you end up getting pulled out under the bridge--or more likely picked up by a kayak. Since the swim finish is a couple of miles West of Alcatraz, you can swim more or less due South and the current will pull you to the finish. The race directors gave us landmarks to sight on, but it was really foggy and choppy and so I couldn't sight well. Like many other people I went way off course and ended up having to swim against the current a fair bit. I heard from a fair number of people that this was one of the worse years.

Now fo the cold. The water is about 59 degrees. Like all sane people, I was wearing a swimming wetsuit--maybe 10% of the people were not. A wetsuit makes the difference between being just cold and being extremely cold. Still, it's cold on the boat going out and then when you hit the water your hands, feet, and face go instantly numb and it takes a while to get warm again. I suspect I was a bit hypothermic when I got to the finish because my run transition was terrible. What can I say about the run? The bridge was fogged in so you couldn't see much of anything. I felt pretty good running once I got warm, so that was promising. This wasn't any kind of big race for me so I didn't really have any expectations.

In the end, I think Mark was right. I'm no expert but I've done my share of open water swims and I was wearing a wetsuit. I wasn't ever worried I couldn't finish though I did worry for a few minutes that I was so off course they'd pick me up in a kayak. I wouldn't much like my chances of swimming from Alcatraz to shore at night (don't want those boats to pick you up) with no real opportunity to train and without a wetsuit.

Update 15:58:
Kyle Welch points out that prisoners also probably didn't have tide charts, which makes it pretty difficult to figure out when a good time to go is.

Posted by ekr at 02:39 PM | Comments (24) | TrackBack

July 05, 2003

Why aren't computer viruses more destructive?

Last night Dan Simon expressed his concern that high-grade biotechnology will lead to really serious virus attacks, making the analogy to computer viruses.
Now, I don't know much about molecular biology, and I don't know if the analogy is accurate, but this scenario sounds an awful lot like one I'm familiar with: computer hacking. In both cases, a system full of vulnerabilities is subject to scrutiny by thousands of imaginative (or simply persistent) attackers. But the worst computer hackers can do is destroy data, and perhaps disrupt communications and other infrastructure. Bio-hackers can potentially kill millions.

This analogy raises an interesting question: why are computer viruses so lame? Most modern viruses and worms don't really do anything to the infected computer. Even Code Red, only damaged the web server it infected. It's easy to think of ways to really trash a machine that you've infected: corrupt the data, erase all the data, flash the BIOS, whatever. So, why doesn't the commonly available malware do this? Sure, not all malware authors are malicious, but it's amazing that none of them are.

Second, why isn't malware designed to spread more quietly. The current trend seems to be towards more rather than less rapid infection, to the point where the amount of infection traffic has a noticeable effect on network load. If you want to infect a lot of machines quietly, this is not how you do the job.

I've asked this question to a few malware researchers and noone seems to have a really good answer. Everyone sort of expects something really bad to come along, but is a little puzzled that it's taken so long.

Posted by ekr at 08:49 AM | Comments (224) | TrackBack

July 04, 2003

Things to think about on July Fourth

I don't ordinarily think of myself as particularly patriotic. I love living in the U.S. but I don't think of myself as "proud to be an American" or believe in "my country right or wrong". That said, I've spent much of the last year reading about some places in the world where it's much less attractive to live then the U.S. So, on this Fourth of July, I'd like to remember and remind other Americans of just how lucky we are:
  • To be able to live where we want.
  • To work when and where we want.
  • To be able to say more or less whatever pops into our heads without fear of persecution.
  • Not to be a woman living in effective slavery because some religious idealogue decided I didn't deserve equal rights.
  • Not to have to worry about being arrested in the middle of the night and sent to a forced labor camp.
  • Not to be tortured by police trying to extract a "confession".
  • Not to be shot, gassed, or hacked apart with machetes for being from the wrong tribe or religion.
  • Not to be starved to death by our leaders.

I'm well aware that the U.S. is far from perfect and that we're not the only country where people are able to live as they please. Nevertheless, just being able to live mostly free from fear and tyranny is something that only a very lucky few have been able to enjoy and here and now is one of the very best places to be. Today is a good day to remember that.

Posted by ekr at 08:55 AM | Comments (43) | TrackBack

News flash: restricting competition hurts consumers

It's not exactly news that forbidding Internet wine sales reduces wine drinkers' selections and increases prices, but it's good that the FTC has finally taken notice.
Posted by ekr at 06:31 AM | Comments (25) | TrackBack

July 03, 2003

Put down the remote and step away from the TV

Ed Felten points out that this little gem in the Aimster decision.
The third use, commercial skipping, amounted to creating a derivative work, see WGN Contintental Broadcasting Co. vs United Video, Inc., 693 F.2d 622, 625 7th Cir. 1982); Gilliam v. American Broadcasting Cos., 528 F.2d 14, 17-19, 23 (2d Cir. 1976); cf. Ty, Inc. v. GMA Accessories, Inc., 132 F.3d 1167, 1173 (7th Cir. 1997), namely a commercial-free copy that would reduce the copyright owner's income from his original program, since "free" televison programs are financed by the purchase of commercials by advertisers.

In other words, not only does Posner think that commercial skipping is illegal, he thinks it's been illegal for 20 years.

Now, I'm no lawyer, so I have no idea whether Posner is right as a matter of law. Posner's a smart guy so I'm assuming that he likely is. However, as a matter of public policy, this is insane. Pretty much anyone who records things off the air uses the fast forward button to skip commercials. Moreover, this is one of the major uses of a TiVo. Don't get me wrong, I understand that commercial skipping reduces the value that the content provider can provide to the advertiser--but so does my getting up to use the bathroom during commercials, but there's no legal requirement that I be tied to my chair with my eyes propped open like Malcom McDowell in A Clockwork Orange.

As Ed Felten and Larry Lessig have pointed out repeatedly, one of the major problems faced by the copyright industry is that their customers have a very different view of what's reasonable use of copyrighted material than they do. When the public is reminded of this disconnect, their reaction isn't to say "oh, let's behave ourselves" but rather to wonder whether it's time for a revolution. If the law really bans commercial skipping, that revolution may be long overdue.

Posted by ekr at 10:30 PM | Comments (97) | TrackBack

I predict larger breasts

So, lately I've been trying to think some more about the big, important questions in life. Take women's breast size, for instance. It's pretty clear that lots of women would prefer to have larger breasts. According to the American Society of Plastic Surgeons, 236,888 women got breast augmentation in 2002. Only 101,526 women got breast reduction. Both these numbers are way up from 1994 when there were 39,247 and 36,074 augmentations and reductions annually.

It's pretty clear that we're entering a new era of widespread modification of breast size. I think it's also pretty clear that the trend is towards larger breasts, particularly in view of the fact that today's implants are still pretty clumsy instruments which don't produce breasts that are entirely natural looking or feeling. Check out any number of threads knocking breast implants on for instance Fark (not for the easily offended.) As implant technology gets better, and the surgery gets more acceptable, expect to see a lot more implants.

Clearly this can't go on forever, though. After all, breasts can't get infinitely large. Basically, we're dealing with two countervailing forces here:

  • Larger breasts are more desirable--not to everyone, I hasten, to add, but obviously to a large number of people, since they're willing to get augmentation.
  • Being different is more desirable.

As the average size goes up, the marginal value of having larger breasts should start to decline, and I'd expect to see an equilibrium reached. However, this situation is complicated enough that it's certainly possible that there's no stable state at all. However, even if there is no equilibrium, and sizes shift, I suspect that the average will in the future be larger than it is now.

If I get some time and feel like slacking, I may try to work up a game theoretic model for. The problem is superficially like sexual selection but I think actually demands a different treatment.

Posted by ekr at 08:14 AM | Comments (11) | TrackBack

Dude, I forgot about Canada day

July 1st was Canada day. That's the day that something happened in, around, or about Canada, and we now remember it or something. So, grab a two-fer [0] and celebrate, eh?

[0] A case of beer.

Posted by ekr at 07:01 AM | Comments (57) | TrackBack

Hemp and drug testing

Mark Kleiman observes that one reason to ban any hemp-containing food is that they might provide an excuse for testing positive for cannabis:
But there's another issue here. Since the products contain traces of THC, having eaten them would serve as a convenient excuse for testing positive for cannabis in a drug test. Apparently that's not a real issue at a technical level; you just couldn't eat enough to actually trigger a positive result. But it's still one more issue that drug testers would have to contend with; even if the excuse doesn't work, lots of people might be persuaded that it would work, and thus think they could drug-test-proof themselves by just laying in a supply of hemp energy bars.

This is an interesting argument, but I think it takes us into dangerous territory. Imagine there was some otherwise legal--and non drug-containing--food that as a side effect produced a false positive on drug tests. Would the DEA be allowed to ban it on the grounds of protecting testing? This example isn't as silly as it sounds, since drug tests often measure not the drug itself but rather metabolites (though I believe the THC test actually measures THC) and sometimes more than one chemical produces the same metabolites. If we think that the DEA shouldn't ban such foods, why should they be allowed to ban THC-containing foods which clearly have no direct drug-related purpose? (By allowed, I mean not constitutionally, since clearly Congress does this kind of thing all the time, but rather, is it part of their writ as DEA.)

Posted by ekr at 06:38 AM | Comments (22) | TrackBack

July 02, 2003

A lot harder than it looks

I always thought I could tell Chinese, Japanese, and Koreans apart, but apparently not. I just took the test at http://www.alllooksame.com/ and only got 8 out of 18. Not significantly better than chance. You can't argue with the data. I guess they do all look the same to me.
Posted by ekr at 02:55 PM | Comments (39) | TrackBack

Measuring intimacy levels?

It's a slow news day so that means that it's time for some not so good piece of research to get beat up on. Check out this article in Reuters health.
In their study, Novak, along with Adelphi psychologist Dr. Janice Steil and fellow doctoral student Allison Newman, conducted anonymous online surveys with 50 young, well-educated couples engaged to be married.

The researchers had both partners in the relationship fill out the survey in a separate, confidential fashion. Participants answered standard psychological questionnaires rating perceived and expected levels of intimacy in the relationship.

The result? Across almost all categories of intimacy, "women reported their current relationships as more intimate than men," the authors report.

How, exactly, do we calibrate one person's "intimacy scale" against another's? If my intimacy level is 15 quatloos and yours is 6 frobnozzles do I think we're more or less intimate than you do? Who knows? As far as I know there's not a good way to answer this question even in principle. Certainly philosophers have struggled with the related but probably easier question of interpersonal utility comparison with relatively little success.

Posted by ekr at 07:24 AM | Comments (87) | TrackBack

July 01, 2003

Waiting time at In and Out

Just got back from a late night burger at In and Out burger. Funny thing about In & Out: the time from entry into the line to burger acquisition seems to generally be faster at rush hour than at off hours, even though the line is generally longer at rush hour. It's not clear exactly why this is, but I've got some guesses:
  • At rush hour they need a lot of employees to keep ahead of the game. This means that they're able to finely calibrate exactly how many people they need and respond to rushes quickly. At off hours, there are fewer employees and so if they get a backlog it can take a long time to clear.
  • At rush hour, there are a number of other food options. On the other hand, at off-peak hours, people may be more desperate.
  • Employees work harder at 6:00 than 11:00.
  • The wait times are actually the same but I'm just in more of a hurry at 11:00 than 6:00.

Or maybe it's none of these. Any EG readers ever work graveyard shift at a fast food place?

Posted by ekr at 11:40 PM | Comments (57) | TrackBack

Medical treatment summaries: a modest proposal

Every time I get my car worked on, they give me a nice little printout describing what was done and why. Something like this:
Left front door squeaking. Lubricated

Changed oil/filter. 10W30

Yet, when I go to see the doctor, they generally do whatever treatment they do and send me home. Now, surely it's more important for me to know what my doctor did and what I need to do for followup care than it is for me to know what weight of oil they used in my car. Given that this information has to go in my medical records anyway, is there some reason that I shouldn't get a copy to take home with me?

Posted by ekr at 01:48 PM | Comments (20) | TrackBack

Drafting enforcement and triathlon

In his article about Ironman, Steve over at PM Style writes:
The age groupers fail to do it with style. The age groupers run pace lines, dangerously block other competitors from passing, ride on the wrong side of the road, and have their non-competing spouses clog up the run course to provide outside assistance (whether it is pacing or the passing of food). Don't get me wrong -- both age groupers and pros are guilty of breaking the rules, but it really was disheartening to listen to the age groupers whine about getting caught or that having rules sucks. Worst of all, some of the competitors argued that racing by the rules puts one in a significant disadvantage in comparison to other competitors.

Unfortunately, I think I have to agree with the people who complain that racing according to the rules puts one at a disadvantage to other competitors. But only if the competitor's goal is to be the best in the age division or win a Kona slot.

As it happens, I was just thinking about this the other day. In my view, the drafting rules are unenforceable. (Full disclosure: I've received a drafting penalty once. I claim I was passing.)

Here's the problem: The drafting rules require that you be 7 meters back from other cyclists. That means that the absolute maximum density of cyclists is 228/mile. That sounds like a lot, but consider that nearly all of the decent age group swimmers will come out of the water between 50 and 70 minutes. This means that at the start of the cycling portion of the race, the density is something like 50 cyclists/minute. At a pace of 20 mph, that's 150 cyclists/mile. At densities like this, drafting is essentially inevitable.

To make the situation worse, USAT's drafting rules require one to fall back once passed. Consider what happens when you're passed by the head of a column of people 1/4 mile long spaced out at 7 m intervals. You now have to fall back behind all those people, which really kills your time and noone noone wants to do it. Even then, the time you spend being passed looks a lot like some kind of drafting if the official isn't paying close attention.

The consensus among pretty much all the competitive triathletes I know is that the drafting rules are a joke. Reports of being busted when one wasn't drafting (at least in the athlete's opinion) are quite common. Reports of people blatantly drafting and not being caught are nearly universal.

I do like the idea of drafting rules. I don't want to be in a real bicycle race with lots of drafting and team tactics. However, I think the USAT needs to take a hard look at what's practical to enforce. Very likely this means reducing the size of the races so that the density is lower. Quite possibly it means some sort of stagger start instead of mass starts. A good first step would be to actually measure (like with transponders) the amount of drafting that goes on. Then at least we'd have enough data to work from.

Posted by ekr at 01:07 PM | Comments (60) | TrackBack

Finishing an Ironman

Steve over at PM Style is back from finished officiating Ironman Couer D'Alene and has been doing some posting. I disagree with some of his comments:
After watching the race from end-to-end, I was pretty convinced that it is very possible for me to finish an Ironman in 17 hours on just about any random day of the year. While it is clearly a significant mental and physical effort for the average American to complete, if you are a triathlete and you manage your inputs and outputs then it is very possible to finish.

It sure looks a lot easier when you're watching it from a motorcycle. There's an enormous difference between being able to do a short course race and being able to do an Ironman. You can get by on short course if you never train more than 20 miles on the bike and 5 on the run. If you try to do this and then go out on the Ironman course you're likely to be just completely fried by the time you hit mile 15 of the run. You have to train distance to do distance.

I do agree, however, that anyone who is in reasonable shape can train up to the point where they could do an Ironman. Even then, though, it's not a slam dunk. I've seen fit people who just wanted to do the distance drop out because of hydration or other problems. I've also seen people bust their humps training and still only pull out 14 1/2 hrs.

Posted by ekr at 12:39 PM | Comments (55) | TrackBack