September 30, 2003

MPAA closes one source of leaks

One of the little known facts about file sharing of movies is that a major source of pirated movies is leaks from insiders. So, it's interesting to see that the MPAA will be forbidding the sending out of "screener copies" of movies for Oscar voters. [*]
Posted by ekr at 09:46 PM | Comments (15) | TrackBack

Asthma and antibiotics

Now, here's something interesting. Children who are given antibiotics in infancy are significantly more likely to develop asthma: [*]
Overall, children given antibiotics in their first half-year were 2.6 times more likely to develop allergic asthma, the team told a meeting of the European Respiratory Society on Tuesday. With broad-spectrum antibiotics, which kill a wide range of bacteria, the risk was far higher: children were 8.9 times more likely to suffer from asthma.

The New Scientist article doesn't have a link to the primary source, but just based on the summary, this looks like solid work. And the New Scientist reporter does a good job of bringing out the primary objection: that it's infections which cause asthma and that children who get infections naturally get antibiotics more often. These two explanations are obviously tough to disentangle.

Posted by ekr at 09:14 AM | Comments (14) | TrackBack

September 29, 2003

What kind of system is United using?

I did a lot of flying in July. One of those trips was to Vienna on some assortment of United partner airlines:

  • San Francisco to Frankfurt on Lufthansa
  • Frankfurt to Vienna on Austrian
  • Vienna to Toronto on Austrian
  • Toronto to San Francisco on Air Canada

Foolishly, I failed to give them my frequent flyer number, so I had to send them copies of my ticket stubs in order to get credit.

I just checked my United Mileage Plus status and somehow they've managed to credit me with the Frankfurt to Vienna flight but no others. Now, I understand that they have to check with the partner airline, so I can understand that not all the credits come at the same time, but the Vienna to Toronto flight was also on Austrian, so why didn't I get credit for that as well?

I guess one possibility is that "International" flights are handled differently from "domestic" and inside EU is domestic. Whatever it is, it's strange.

Posted by ekr at 08:41 PM | Comments (47) | TrackBack

Surprise, PATRIOT powers used for general law enforcement

Kevin Dick pointed me to this article in the Times about how the Justice department is using the new powers it was granted under the PATRIOT act for general crime fighting purposes. Unsurprisingly, there's a lot of complaining about it, including a bunch of "that's not what we had in mind" from Patrick Leahy:
Senator Patrick J. Leahy of Vermont, the ranking Democrat on the Judiciary Committee, said members of Congress expected some of the new powers granted to law enforcement to be used for nonterrorism investigations. But he said the Justice Department's secrecy and lack of cooperation in putting the legislation into effect made him question whether "the government is taking shortcuts around the criminal laws" by invoking intelligence powers -- with differing standards of evidence -- to conduct surveillance operations and demand access to records.

"We did not intend for the government to shed the traditional tools of criminal investigation, such as grand jury subpoenas governed by well-established precedent and wiretaps strictly monitored" by federal judges, he said.

This strikes me as fairly disingenuous. I didn't know that Justice was doing this but I can't say I'm surprised. What else would you expect?

Look, prosecutors basically have an incentive to prosecute people by whatever means necessary. They don't have much of an incentive to hold back out of some concern for the balance between civil liberties and law enforcement. If Joe Prosecutor is in a position where he can either let some probable scumbag walk or use the expanded PATRIOT powers against him, why would he ever not do that? If Leahy wants that not to happen, then he should have made sure that the law forbade it, not counted on prosecutorial discretion.

Posted by ekr at 08:27 PM | Comments (56) | TrackBack

I guess it's back to wearing long sleeves and hats

So, some researchers in the UK have discovered [*] that sunscreens don't do as good a job of blocking UVA (the kind of UV light thought to cause melanoma) as UVB (the kind of UV which causes most sunburn). Typical SPF 30 sunscreens (which block about 97% of UVB) only block about 50% of UVA.

This is fairly bad news for athletes, who spend a lot of time out in the sun and can't practically wear long sleeves. Traditionally, I've worn a lot of sunscreen, which has done a pretty good job of protecting me from burns, but I guess hasn't done that good a job of protecting me from skin cancer. Decoupling sunburn from cancer risk actually makes things worse in some sense, since it means you no longer have a visible marker for when you're at risk.

Posted by ekr at 10:27 AM | Comments (15) | TrackBack

September 28, 2003

iPod + Beetle

Check it out [*]. Apple and VW have joined up. Now when you buy a Beetle, you get an iPod with it. These do seem like two cultures that have a lot in common. Check out the commercial.
Posted by ekr at 10:32 PM | Comments (13) | TrackBack

Tergat breaks marathon WR

Paul Tergat just broke the marathon WR by 43 seconds, bringing it below 2:05 for the first time [*]. The race sounds like it was really interesting. Sammy Korir was supposed to pace Tergat but ended up going for the win himself, finishing only 1s behind Tergat.
Posted by ekr at 12:15 PM | Comments (11) | TrackBack

September 27, 2003

Statistics

Chris Bertram points out that doctors don't seem to be able to handle the kind of statistics you need to estimate risk. [*] This could be one reason why doctors would mistrust evidence-based medicine--they don't understand it.
Posted by ekr at 09:36 PM | Comments (13) | TrackBack

September 26, 2003

What good is evidence-based medicine if you ignore the evidence?

Kevin Dick pointed me to a pretty disturbing article in today's Wall Street Journal. Go here and look for "Failing to Reap Benefits of Great Research". There's a lot of good work going on in evidence-based medicine--studies designed to determine which treatments really work and which do not--but that research is often not getting translated into actual physician practice. A large part of the problem seems to be resistance by doctors to changing their behavior based on this kind of research.

Some of this resistance is natural. If you've been doing things a certain way for a long time and they seem to work, it's hard to just abandon those procedures based on studies of other people's patients. People have a terrible time accepting statistical results that contradict the evidence of their experience. It's particularly difficult when some treatment seems like it ought to work but the data says that it doesn't, as in the case of arthroscopic surgery for osteoarthritis. [*]. However, the case described below falls more under the category of turf defense.

One infamous case, though, makes you wonder how many doctors even believe in science-based care. In the mid-1990s, a federal group now known as the Agency for Healthcare Research and Quality issued a clinical guideline for lower back pain, concluding that surgery (spinal fusion) usually does no good. Orthopedic surgeons did the modern equivalent of grabbing pitchforks and storming the castle: They lobbied congressmen to punish the agency and crippled for years the very idea of evidence-based medicine.

Makes you wonder indeed.

Posted by ekr at 02:06 PM | Comments (66) | TrackBack

More caveman DRM

I was surfing the Web [*] and accidentally hit the right-click button only to be greeted with a dialog that read "Copyright protected ER Headquarters". A little sniffing around revealed that the page had been equipped with a little Javascript program that activated on right click, thus stopping you from cutting and pasting the contents--at least using the right mouse button.

This has to be one of the most useless pieces of DRM I've ever seen. It's laughably easy to circumvent. First, you can use the "Save Page" menu option to just save the entire file. Second, you can cut and paste using a menu bar pick or a hot key. Third, Mozilla Firebird on UNIX doesn't even respect the override anyway. Finally, if you really wanted to steal all the content on the site you'd just use a mass copying tool, not a browser. If you're going to do something this useless, why bother with anything at all?

Posted by ekr at 12:28 PM | Comments (42) | TrackBack

Segway recall

Segway is recalling their scooters. [*]. Apparently, when the batteries get low riders can fall off [*].
Under certain operating conditions, particularly when the batteries are near the end of charge, some Segway HTs may not deliver enough power, allowing the rider to fall. This can happen if the rider speeds up abruptly, encounters an obstacle, or continues to ride after receiving a low-battery alert.

As far as I can figure it, here's what's going on: Segways are basically unstable. They depend on being actively stabilized under control of the onboard computer. If there's not enough power, the software doesn't handle it properly and you can fall off. Segway is delivering a new software release to fix the problem.

Computerized control systems are quickly replacing simple mechanical systems in all sorts of applications. This allows the designers to do all sorts of things that they couldn't do otherwise. In your car alone, computer control has enabled cool features like antilock braking, traction control, and electronic fuel injection. The problem, of course, is that all this software is complex and as we all know, software has bugs. The trick is designing that software so that when it fails, it fails in such a way that it's not dangerous. Looks like Segway isn't quite there yet.

Posted by ekr at 11:10 AM | Comments (10) | TrackBack

September 25, 2003

I've forgotten all my calculus

It's amazing how utterly you can lose stuff when you don't use it. I once knew calculus--as in really knew it. Unfortunately, that was 15 years ago and I've pretty much forgotten how to do anything but the simplest polynomial integration. Worse yet, I took calc in high school and in my HS we didn't buy our textbooks. Accordingly, unlike the classes I took in college, I don't even have an old book to refer to.

The good news is that technology has advanced quite a bit and so it's a lot less important to know how to integrate by hand. Most of the time you can just use R to numerically integrate whatever function you're interested in. If you need symbolic integration, there's always Maxima.

Posted by ekr at 08:15 PM | Comments (17) | TrackBack

Why do we put up with OPEC?

Ok, so OPEC has cut production and prices are going up again. [*]. Why is it again that the United States allows OPEC countries to collude to control oil prices? If OPEC were a bunch of American companies rather than a bunch of third world countries, Justice would be all over them for antitrust violations.

You want to see something amazing? Look at their rationale for their behavior:

All eleven Members are developing countries, whose economies rely on oil export revenues. One of OPEC's primary missions is to achieve stable oil prices, which are fair and reasonable for oil producers and consumers.

Hmm... The members of OPEC are Algeria, Indonesia, Iran, Iraq, Kuwait, Libya, Nigeria, Qatar, Saudi Arabia, United Arab Emirates and Venezuela.

This is only true if we really stretch the definition of "developing". Qatar and the UAE have per capita GDPs higher than Spain! Saudi Arabia's per capita GDP is about half that of Spain and higher than that of Russia! Now, it's true that a few of these countries (Algeria, Nigeria, Iraq) really are a mess, but most of the OPEC countries are raking in money hand over fist. If they're still "developing", it's because they've wasted the money rather than using it to develop. Why exactly should I feel obligated to pay higher gas prices so they can waste more of it?

UPDATE:
Michael Kinsley has a pretty negative piece about Iraq rejoining OPEC.

Posted by ekr at 08:04 AM | Comments (50) | TrackBack

September 24, 2003

Provigil for everyone

Kevin Dick pointed me to the news that the FDA is considering broadening the indications for Provigil. [*]. Provigil is a drug originally developed for narcolepsy, but it turns out to dramatically decrease symptoms of sleepiness even in normal people. However, unlike caffeine or amphetamines, it's not really a stimulant and doesn't make you jittery. It just keeps you alert.

I've taken Provigil a few times and it certainly does seem to dramatically improve alertness. It's not perfect. I still got somewhat tired, but it seemed to be a lot better than nothing or just caffeine. I do kind of worry about the long term effects of sleep deprivation. Sure, I didn't feel sleepy, but that doesn't mean that the rest of my body didn't need sleep. Still, it sure is nice to be able to put it off a little bit when you have something to do.

Posted by ekr at 03:51 PM | Comments (14) | TrackBack

September 23, 2003

HP indemnifies Linux users

Here we go. HP has said that they will indemnify [*] Linux users from being sued by SCO. Anyone want to bet that IBM will be following suit shortly?
Posted by ekr at 10:11 PM | Comments (26) | TrackBack

95% Confidence Interval

If there's nothing special about the 95% confidence interval, why is it so ubiquitous? My guess is that it's the result of the coincidence of two factors:
  • If your data is normally distributed, then 95% of the measurements will fall within 1.96 standard deviations of the mean. Obviously, 2 standard deviations is a special number and 1.96 is close enough to 2 standard deviations that 95% feels special too.
  • A 95% confidence interval means that you're wrong 1 time out of 20, which is about the kind of error rate people are willing to live with.

These two factors make 95% very psychologically compelling. The other commonly used confidence interval, 99%, has a similar argument going for it: it's one error out of 100.

Posted by ekr at 04:18 PM | Comments (11) | TrackBack

Confidence and line drawing

One classic case where essentially arbitrary lines have to be drawn is the confidence interval. Say your job is to estimate some quantity. For convenience, let's say that we're interested in estimating the number of voters who will vote for Arnold Schwarzenegger. As I discussed previously [*] our measurements always have some error associated with them.

It's customary in science to quote what's called a 95% confidence interval. Say we measure Arnold's support at 40% and the 95% confidence interval is 37-43%. This means that if we repeated the measurement 100 times, we would expect that 95 of those times the result would be between 37% and 43% and the rest of the measurements would be larger or smaller. However, there's nothing really special about 95%. One could just as well quote a 90% confidence interval or a 99% confidence interval. As with voting machine error rates, you have to draw the line somewhere and 95% is where it's customary to draw it. There are fields where much tighter confidence bounds (99% or 99.9%) are common as well.

Posted by ekr at 04:01 PM | Comments (10) | TrackBack

Drawing the line

I caught some of the oral argument in the 9th Circuit's en banc hearing of the California Recall case yesterday. One thing that struck me was how Judge Kozinski kept pressing Charles Diamond to say how high the error rate had to be before he would admit that there was a problem. Here's Slate's summary [*]:
And Kozinski, who dominates the argument today the way Scalia tends to do in the high court, similarly razzes Charles Diamond, who represents Ted Costa, the man who initiated the recall ballot initiative. Pressing Diamond on what kind of government-tampering with voting would represent an equal protection violation, he asks what would happen if Los Angeles County officials just decided to count every other vote. Later he asks what happens if they toss nine out of every 10 ballots, quipping, "I feel like Abraham here." High Holy Day humor that's lost on much of the crowd.

I'm not a lawyer, but it sure looked to me like everyone in the room understood that--like in many negotiations--being the first guy to name a number was a bad idea. You can just imagine the conversation:

Diamond: 5% error rate
Kozinski: Really? So what about 4.9%? Is that OK? How do you distinguish those two?
Diamond: Uh...

Despite the seeming effectiveness of this line of argument, I don't think it holds water. The fact is that there's a continuum between "perfect" and "worthless" and there's really nothing special about any point along the continuum other than the end points. Nevertheless, there has to be some standard for how bad error rates are before we say "that's too much". Wherever we draw the line is arbitrary, but that doesn't change the fact that the line has to be drawn. Pretending that it doesn't is just a rhetorical trick.

Posted by ekr at 03:33 PM | Comments (12) | TrackBack

September 22, 2003

Didn't I tell you not to reinvent SSL?

Peter Gutmann has a nice post to the cryptography mailing list where he analyzes a number of Linux VPN packages and finds amateurish cryptographic errors. This won't come as much of a surprise to anyone who has ever looked at home-grown protocols. Such protocols nearly always contain simple mistakes. It's hard to get things right. If you can possibly reuse something preexisting (typically SSL or SSH), then you should.

Peter quite properly nails the excuse that such people almost always have for reinventing the wheel:

For all of these VPN apps, the authors state that they were motivated to create them as a reaction to the perceived complexity of protocols like SSL, SSH, and IPsec. The means of reducing the complexity was to strip out all those nasty security features that made the protocols complex (and secure). Now if you're Bruce Schneier or Niels Ferguson, you're allowed to reinvent SSL ("Practical Cryptography", John Wiley & Sons, 2003). Unfortunately the people who created these programs are no Bruce or Niels. The results are predictable.

In my experience, most of the complexity is in certificate handling. You can safely punt that (if you know what you're doing). After that, you have to be really careful what you cut because you're likely to cut something important. This isn't to say that SSL is perfect--it's not. It's just that the amount of complexity reduction you can achieve (after removing certs) while retaining security is actually quite small.

UPDATE: If you dare, scroll to the bottom of the link above for Peter's rather graphic suggestion for the appropriate punishment for people who try to reinvent SSL/SSH.

Posted by ekr at 04:21 PM | Comments (46) | TrackBack

A missing intellectual property right

If you have a TiVo you've probably noticed that it doesn't have a commercial skipping feature. This is technically possible, in fact the ReplayTV used to do it. However, following their court case, ReplayTV is apparently taking it out. [*].

Now, I don't know whether commercial skipping is copyright infringement [*], as Richard Posner has argued [*], but I do think there's a high probability that an effort to get it declared fair use--either by court decision or legislative action--would eventually prevail. There are lots of big players in the digital video recorder business and this would obviously be an attractive feature to customers, so why hasn't this been done?

One potential answer is that there is a missing intellectual property right here. Being the only company who has commercial skip is indeed a competitive advantage, but it's not one that's protectable. Say that TiVo puts commercial skip in their product and fights the court case and eventually wins. Well, nothing stops ReplayTV (or Microsoft or whoever) from turning around and putting the feature in their product and then the advantage is gone. So, none of the companies has any incentive to be the test case and we get the usual free rider situation.

Maybe we need a new kind of patent for this litigious age: the first company to establish the right to do something gets a temporary monopoly.

Posted by ekr at 02:43 PM | Comments (21) | TrackBack

September 21, 2003

Should RU-486 have been approved?

Medpundit argues that RU-486 should not have been approved on safety grounds. [*]:
But, in the case of mifepristone, it isn't at all clear that the benefits exceed the risks. There's already a safer alternative to the drug. It's called surgical abortion (complication rate less than one percent in the first trimester compared to 4 to 8% for mifepristone).

Imagine if there was a drug that could treat gallstones, but 4-8% of users required surgery to treat its complications, which include death. Is there any doubt that the FDA would deny it approval? They would correctly point out that gallbladder surgery is a safer alternative. But then, there is no National Right to Life Without Gallstones to pressure the FDA for approval.

Huh?

According to Medpundit, 4-8% of the people who take RU-486 will have to experience surgical abortion, whereas 100% of people who choose to have a surgical abortion will have to have one. And Medpundit says that makes RU-486 worse. I'm having a lot of trouble following this cost/benefit analysis.

Now, it could be that her argument is that the cumulative death rate for RU-486 is higher as well, but that's not what the numbers she's quoting demonstrate.

Posted by ekr at 08:46 AM | Comments (69) | TrackBack

September 20, 2003

Recommendation: Wil McCarthy's "The Collapsium" and "The Wellstone"

I recently finished reading Wil McCarthy's The Collapsium and The Wellstone. They're the first two books of a really interesting hard science fiction series.

Like Robert Forward, McCarthy is really interested in the implications of hypertechnology. Unlike Forward, McCarthy actually can write. McCarthy introduces a whole bunch of technological concepts, including:

  • Matter transmission/duplication by scanning and reassembly ("faxing")--including teleportation of humans.
  • Immortality (by correction during faxing)
  • "Semi-safe" black holes
  • Programmable matter that changes shape and chemical composition.

"The Collapsium" is pretty much a straight adventure story exploring the implications of the technology. The Wellstone is more an exploration of what it's like to be young in a world where you know your parents are never going to grow old and get out of the way--where all the respected positions in society are already filled.

McCarthy claims that this hypertechnology is technically possible and provides an appendix describing how semi-safe black holes and programmable matter might conceivably work. I don't understand the physics well enough to assess the semi-safe black holes, but the programmable matter doesn't sound totally insane. It certainly would be incredibly cool if it worked.

Posted by ekr at 07:38 PM | Comments (12) | TrackBack

September 19, 2003

Cheap beer means more drinking

Some researchers in Boston are reporting [*] that alcohol consumption is elastic.
The cheaper the beer and the larger the volume available, the more students reported drinking. When retail outlets sold discounted beer, the average number of drinks students consumed rose. The same was true when stores sold 24-pack, 36-pack, kegs and party balls, a form of mini-keg holding 2.5 cases.

Mark Kleiman [*], call your office [*].

Posted by ekr at 09:26 AM | Comments (18) | TrackBack

Mercury or viruses or what?

The funny thing about the vaccine-autism hypothesis is that it wasn't initially about mercury. The initial fuss about vaccines and autism was started by a British doctor named Andrew Wakefield [*], and it wasn't about vaccines in general but about a particular vaccine called MMR (Measles-Mumps-Rubella). Moreover, Wakefield's argument didn't have anything to do with mercury but was rather that the live measles virus in MMR was causing autism. Like the claim about mercury, this wasn't entirely crazy, but doesn't seem to be true either. [*].

Now, here's the point at which something fascinating happens, and I wish I knew exactly when it did, because instead of people concluding that vaccination was ok, the fear of live virus and MMR transferred itself to thimerosal and vaccines as a group, despite the fact that the only real connection between the two hypotheses is that they link vaccines and autism.

I'm speculating now, but here's what I think happened: humans are incredibly bad at accepting that some things are just coincidence. Since there appeared to be a temporal link between vaccines and autism, they figured there must also be a causal link. Since it wasn't the virus, they looked for another culprit and mercury is what stuck out.

The problem, of course, is that this isn't good science. There are any number of conceivable ways in which vaccination--or just about anything else in an infant's life--could cause autism. If there was a really clear epidemiological connection between the two, then it would be worth doing research to figure out what the biological cause actually was. As it is, though, the epidemiological link is, at best, inconclusive, so there's no particular reason to single out vaccines for study--unless, of course, you're mainly interested in finding someone to blame.

Posted by ekr at 09:08 AM | Comments (46) | TrackBack

What's it going to take to kill the vaccine-autism hypothesis?

Last week's Science magazine has an article about two epidemiological studies on the relationship between autism and vaccine administration. [*]. The relationship? There doesn't seem to be any.

For those of you who mercifully haven't been paying attention, vaccines used to contain a mercury-based preservative called thimerosal. Mercury is a known neurotoxin in high doses and so it has been suggested that the mercury load was a cause of autism. However, in recent years countries have started to phase out thimerosal without finding any reduction in autism.

[Figure: autism rates versus thimerosal phase-out, from Science]

Naturally, the proponents of a vaccine-autism link have a bunch of criticisms [*] of this Danish work. Some of these criticisms are valid and some are kind of silly. A lot of the criticisms are of the precise methods the researchers used to aggregate their data. I'm somewhat concerned by that but it would require a lot of investigation to know how seriously to take these arguments. When you're working from public records rather than gathering your own data, things are almost always pretty messy.

What's important to remember here, however, is that the evidence being presented by the Danish researchers is vastly more convincing than that presented by their opponents, which is to say effectively none. A read of Bernard et al's paper [*] reveals that the anti-vaccine argument is incredibly weak. Basically, it consists of the following four points:

  • Mercury is a known neurotoxin and in some respects autism looks like mercury poisoning.
  • The amount of thimerosal being delivered to children in vaccines exceeds the "safe" level.
  • Autism comes on at about the same time as the vaccine load is high.
  • Autism rates have been going up over the past 50 years or so, as has the number of vaccines children get.

However, what the authors don't mention is:

  • Mercury poisoning pretty much generally screws up your brain in a variety of ways, and so pretty much any symptoms of autism would be consistent with some form of mercury poisoning.
  • The instantaneous mercury loads are very high (because you get a single shot) but it's not known how that compares to what's considered safe as a cumulative load. Also, thimerosal is a different form of mercury from that for which the safety levels were derived and the exact form of mercury matters quite a bit.
  • 12-18 months is also when children do a lot of neurological development, so you'd expect autism to start showing up here no matter what.
  • The rise in autism also coincides with the rise in the stock market, but we're not blaming Richard Grasso.

The bottom line is that it wasn't insane to think that autism was related to mercury, and it's probably not insane to remove mercury from vaccines--which has pretty much already happened in the US. However, the actual evidence for a connection is at best suggestive. Moreover, despite a couple years of research it hasn't gotten any stronger. On the contrary, the studies that have been done, though not perfect, point in the other direction. While we certainly haven't proved beyond all doubt that autism isn't caused by vaccines, there's really no good reason to think that it is, either.

Posted by ekr at 08:38 AM | Comments (28) | TrackBack

September 18, 2003

Prilosec OTC

I didn't see any news announcements, but it looks like Prilosec has finally gone over the counter (shipping September 29th) [*]. It's cheap, too. $19.99 for a month's supply. This is less than a quarter the price of even the generic prescription version. I wonder how long it will be before there's an even cheaper generic OTC.
Posted by ekr at 07:00 PM | Comments (61) | TrackBack

What was that PGP key again?

So, I thought I'd install the new version of OpenSSH, 3.7.1, to fix the aforementioned buffer overflow. [*]. Naturally, I want to verify the PGP signature to make sure that the distribution hasn't been tampered with. No problem, I've got GPG. Unfortunately, I don't know the guy who signed the distribution, and his key isn't signed by anyone I know.

This is the problem with PGP, of course. It's incredibly flexible but actually building a chain of trust to someone you personally trust can be incredibly complicated. Effectively you need to do a recursive tree search. There may be some way to get GPG to do this automatically, but if there is I don't know it. And even if there is, chasing down all the links could be arbitrarily computationally expensive. In the worst case you could have to traverse the entire database of keys in order to find out that you couldn't build a chain.
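The "recursive tree search" the post describes is a shortest-path search over the signature graph: starting from the key you personally trust, follow "signed by" edges outward until you reach the key that signed the distribution, or run out of keys. Below is an added illustration, not part of the original post and not GnuPG's code: a breadth-first search over a constructed toy keyring of seven hypothetical keys (no real key IDs), with a hop limit in the spirit of GnuPG's --max-cert-depth. It also reports how many keys were examined, which is what makes the worst case (an unreachable key) cost a walk over the whole reachable keyring.

```c
#include <stdio.h>

/* Constructed toy keyring; the names and signatures are hypothetical. Index 0
 * is "me", the one key whose owner I trust directly. */
#define NKEYS 7
static const char *names[NKEYS] = {
    "me", "alice", "bob", "carol", "dave", "release-signer", "loner"
};

/* signed_by[i][j] == 1 means key j has signed key i. "loner" has no
 * signatures at all, so no chain to it can exist. */
static const int signed_by[NKEYS][NKEYS] = {
    /*         me al bo ca da rs lo */
    /* me  */ { 0, 0, 0, 0, 0, 0, 0 },
    /* al  */ { 1, 0, 0, 0, 0, 0, 0 },
    /* bo  */ { 1, 0, 0, 0, 0, 0, 0 },
    /* ca  */ { 0, 1, 0, 0, 0, 0, 0 },
    /* da  */ { 0, 0, 1, 1, 0, 0, 0 },
    /* rs  */ { 0, 0, 0, 0, 1, 0, 0 },
    /* lo  */ { 0, 0, 0, 0, 0, 0, 0 },
};

/* Breadth-first search from key 0. An edge j -> i exists when j signed i:
 * once I can trust j's signatures, j vouches for i. Returns the number of
 * signatures in the shortest chain to target, or -1 if there is none within
 * max_hops. If keys_visited is non-NULL it receives the number of keys the
 * search had to examine. Each key is enqueued at most once, so cycles of
 * mutual signatures cannot loop the search. */
int chain_length(int target, int max_hops, int *keys_visited) {
    int depth[NKEYS];
    int queue[NKEYS], head = 0, tail = 0, visited = 0;

    for (int i = 0; i < NKEYS; i++)
        depth[i] = -1;          /* -1: not yet reached */
    depth[0] = 0;
    queue[tail++] = 0;

    while (head < tail) {
        int j = queue[head++];
        visited++;
        if (j == target) {
            if (keys_visited) *keys_visited = visited;
            return depth[j];
        }
        if (depth[j] >= max_hops)
            continue;           /* chain would exceed the configured depth */
        for (int i = 0; i < NKEYS; i++) {
            if (signed_by[i][j] && depth[i] < 0) {
                depth[i] = depth[j] + 1;
                queue[tail++] = i;
            }
        }
    }
    if (keys_visited) *keys_visited = visited;
    return -1;                  /* exhausted the reachable keyring */
}

int main(void) {
    const int targets[] = { 5, 6 };
    for (int t = 0; t < 2; t++) {
        int examined = 0;
        int hops = chain_length(targets[t], 10, &examined);
        if (hops < 0)
            printf("%s: no chain found after examining %d keys\n",
                   names[targets[t]], examined);
        else
            printf("%s: chain of %d signatures, %d keys examined\n",
                   names[targets[t]], hops, examined);
    }
    return 0;
}
```

For the toy keyring the release signer is three signatures away (me to bob to dave to release-signer), found after examining six keys; "loner" is reported unreachable only after the same six keys have all been examined, which is the post's worst case in miniature. Lowering the hop limit to 2 makes the release signer unreachable as well, which is exactly the trade-off a depth limit buys: bounded search cost in exchange for rejecting longer chains.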

Posted by ekr at 11:39 AM | Comments (26) | TrackBack

Oldsters to the rescue

Yesterday's Slate has an interesting article about conflict between public pension funds and VCs. Basically, what's going on here is that the VCs want to keep detailed information about their financials secret and the pension funds are insisting they be made public. I imagine that eventually the pension funds will win--they're the ones with the money.
Posted by ekr at 09:54 AM | Comments (10) | TrackBack

September 17, 2003

"I'm not going to quit"

I see that Richard Grasso has resigned [*] from the chairmanship of the NYSE. Now, I have no idea whether Grasso was jumped or was pushed, but I see that only yesterday, he was saying that he would not resign [*]. Does this kind of ritual denial have any informational content whatsoever? I'm having trouble thinking of any public figure who resigned after public pressure who didn't initially claim that he would not.
Posted by ekr at 08:44 PM | Comments (12) | TrackBack

September 16, 2003

Oh, no, not again

Well, apparently OpenSSH 3.7 (just released today) also has a buffer management problem [*]. Excuse me while I go hide under my bed.
Posted by ekr at 09:48 PM | Comments (12) | TrackBack

What's wrong with OpenSSH

For the cognoscenti, here's a pointer [*] to the patch for this OpenSSH problem, as represented in FreeBSD's source tree. Here's the broken code.
/* Increase the size of the buffer and retry. */
buffer->alloc += len + 32768;
if (buffer->alloc > 0xa00000)
        fatal("buffer_append_space: alloc %u not supported",
            buffer->alloc);

The problem appears to be that buffer->alloc is updated before the size check, so by the time fatal() runs it already claims more memory than was ever allocated. fatal() does a bunch of cleanup stuff, and if any of that uses the value of buffer->alloc, it is working from a size that no longer reflects the buffer's real allocation.
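To make the failure mode concrete, here is an added example (not OpenSSH's code, and not the author's) that reproduces the pattern in a self-contained C program. It assumes, as the post does, that the cleanup run from fatal() trusts buffer->alloc; that cleanup is modelled here as a routine that would zero alloc bytes before freeing. The capacity field and the BUFFER_MAX_LEN name are constructed for the example: capacity records what was really allocated so the program can report the overrun instead of performing it. The fixed version computes the new size in a local and commits it to the struct only after the check and the reallocation succeed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFFER_MAX_LEN 0xa00000   /* the 10 MB cap in the quoted OpenSSH check */

/* Stand-in for OpenSSH's Buffer. 'capacity' is not in the real struct; it is
 * instrumentation recording what malloc/realloc actually handed out, so the
 * cleanup routine can report an overrun instead of committing one. */
typedef struct {
    unsigned char *buf;
    size_t alloc;      /* what the code believes is allocated */
    size_t capacity;   /* what really is allocated (instrumentation only) */
} Buffer;

static void buffer_init(Buffer *b, size_t initial)
{
    b->buf = malloc(initial);
    if (b->buf == NULL) { perror("malloc"); exit(1); }
    b->alloc = b->capacity = initial;
}

/* Models a buffer_free()-style cleanup run from fatal(): zero 'alloc' bytes,
 * then free. Assumption for this example: the cleanup trusts b->alloc.
 * Returns how many bytes a real memset(b->buf, 0, b->alloc) would write past
 * the allocation (0 means the cleanup is safe). Only the real extent is zeroed. */
size_t cleanup_overrun(Buffer *b)
{
    size_t overrun = b->alloc > b->capacity ? b->alloc - b->capacity : 0;
    memset(b->buf, 0, b->alloc - overrun);
    free(b->buf);
    b->buf = NULL;
    return overrun;
}

/* The pattern from the quoted snippet: alloc is bumped first, then checked.
 * On the error path the struct now claims more memory than exists.
 * Returns -1 where the original calls fatal(). */
int grow_vulnerable(Buffer *b, size_t len)
{
    unsigned char *p;
    b->alloc += len + 32768;
    if (b->alloc > BUFFER_MAX_LEN)
        return -1;   /* fatal("buffer_append_space: alloc %u not supported", ...) */
    p = realloc(b->buf, b->alloc);
    if (p == NULL)
        return -1;
    b->buf = p;
    b->capacity = b->alloc;
    return 0;
}

/* The fix: compute the new size in a local, reject it before touching the
 * struct, and update alloc only after realloc has succeeded. */
int grow_fixed(Buffer *b, size_t len)
{
    unsigned char *p;
    size_t newlen = b->alloc + len + 32768;
    if (newlen > BUFFER_MAX_LEN)
        return -1;
    p = realloc(b->buf, newlen);
    if (p == NULL)
        return -1;
    b->buf = p;
    b->alloc = b->capacity = newlen;
    return 0;
}

/* Ask a 4 KB buffer for a 10 MB append, take the error path, then run the
 * cleanup. Returns the number of bytes the cleanup would overrun by. */
size_t demo_overrun(int use_fixed)
{
    Buffer b;
    buffer_init(&b, 4096);
    if (use_fixed)
        grow_fixed(&b, BUFFER_MAX_LEN);
    else
        grow_vulnerable(&b, BUFFER_MAX_LEN);
    return cleanup_overrun(&b);
}

int main(void)
{
    printf("vulnerable: cleanup would overrun by %zu bytes\n", demo_overrun(0));
    printf("fixed:      cleanup would overrun by %zu bytes\n", demo_overrun(1));
    return 0;
}
```

The vulnerable path leaves alloc at 4096 + 0xa00000 + 32768 while the buffer is still 4096 bytes, so a cleanup that zeroes alloc bytes runs more than 10 MB past the allocation; the fixed path leaves alloc untouched and the cleanup is exact.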

Posted by ekr at 09:32 AM | Comments (10) | TrackBack

Oh, this is good

So, there's another remotely exploitable hole in OpenSSH. [*] Details are slowly trickling out into the public community. Most of the advisories don't seem to have been released yet and we're already starting to see rumors of exploits. I've disconnected SSH until an update is available. Apparently there are copies of the new OpenSSH 3.7 release that fixes this out there, but everything is so jammed up with people trying to figure out what's up that it's hard to make forward progress.

UPDATE:
OpenSSH 3.7 was just released, as well as a patch for the problem.

UPDATE:
My sources tell me that this bug has actually been circulating for a while in the underground community. Doh!

Posted by ekr at 09:28 AM | Comments (12) | TrackBack

September 15, 2003

Doing the math on voting error rates

The UPI article on the California recall election case [*] quotes Mark Rosenbaum of the ACLU saying:
"The other side has to answer the question, 'How can you hold an election when you know going in that because of the unacceptability of the machine, poor people and people of color are going to have a half or third of a chance of having their votes counted as white or more affluent individuals,'" Rosenbaum demanded to know. "That's a principle that every court ... has subscribed to."

If the information in the article is correct, this isn't an accurate characterization. It's true that the error rate of punch cards is roughly twice that of other voting systems, but even that error rate is only 3%, against 1.0 to 1.5% for the replacements. Put the other way around, 97% of punch-card votes get counted versus about 98.5% of the others, and 0.97/0.985 is about 0.98. So the accurate characterization would be that "poor people and people of color are going to have a 98% chance of having their votes counted relative to white or more affluent individuals". Doesn't sound quite as serious that way, does it?

Posted by ekr at 10:14 PM | Comments (13) | TrackBack

Did punch-cards suddenly get worse?

Ok, so the 9th Circuit Court of Appeals just delayed the recall election. [*] I haven't had a chance to read the decision, but apparently the issue is that some California counties use less accurate punch card voting.
The ACLU, a lead plaintiff in the case, contended that the six counties still switching over to electronic voting were among the most populated in the state and were home to a large number of minority voters. The lawsuit argued that going ahead with the Oct. 7 election would risk the votes of an estimated 40,000 voters based on an error rate of 3 percent for punch-card ballots; the new electronic devices have an error rate of 1.0 percent to 1.5 percent.

Ok, so punch-card ballots suck. But aren't they the same sucky punch-card ballots that we've been using for years? It's not like we suddenly discovered this stuff. How have things changed that we now can't hold an election using them?

Posted by ekr at 10:04 PM | Comments (46) | TrackBack

September 14, 2003

The marginal value of Britney Spears

As I've argued before, while Britney Spears is obviously very popular, there are likely to be lots of other people who are very nearly as good. [*] If Britney were hit by a bus tomorrow, it wouldn't be that hard for her label to produce another star. To the extent that that's true in general, then the vast majority of the value add in the production of an album is provided by the label--presumably in the form of marketing of various kinds. In that case, not only would one expect that the record companies would extract almost all the surplus[*], but it's quite arguable that that's the fair outcome.
Posted by ekr at 10:01 PM | Comments (15) | TrackBack

What is it that will make Sun rise again?

Sun Microsystems has placed a number of billboards on 101 that read "Show the world what you showed me in your office in December, and Sun will rise again." The quote is by Rich Karlgaard from Forbes. [*] So, what is this brilliant product that Karlgaard is talking about and is going to save the company? It turns out to be the Sun Ray, Sun's insane thin client.

I don't know whether to laugh or cry.

Posted by ekr at 04:18 PM | Comments (12) | TrackBack

How much should musicians make?

Tyler Cowen points to Steve Albini's rant about how musicians get screwed by the label. It's sufficiently illuminating that you should probably read it yourself, but the executive summary is that the band ends up paying all their production expenses--though the label fronts them their expenses in the form of an advance. At the end of the day, they're lucky to make back the expenses.

Now, what's interesting here is that the technical book publication process is totally different. When you write a book, the publisher pays all the production expenses--sometimes they'll even buy you the word processing software you need--and you start making royalties with the first copy sold. As a consequence, despite the fact that SSL and TLS sold a lot less than the 250,000 copies in Albini's example, I actually came out substantially in the black on the project.

Why the difference? Finding decent authors for books, especially technical books, is quite difficult, and the publishers believe that having a good author matters for having sales. Most of the people capable of writing your book have other things they want to do. [0] By contrast, there are any number of young bands falling all over themselves to sign with a major label. No doubt many of them are just as talented as the current crop of signed artists. Some of them would probably record for free just to get the fame and fortune. Why would you expect the labels to ever pay more than the market price?

Incidentally, book royalty rates are generally regarded as pretty meager. As far as I can tell, most people who write technical books do it for the fame, not the royalties. Perhaps that's why musicians do it as well.

Posted by ekr at 03:12 PM | Comments (11) | TrackBack

September 13, 2003

An accidental AIDS vaccine?

Is it really possible that vaccinating people against smallpox could protect them from AIDS? [*] If you'd asked me a week ago I would have said it was unlikely, but a team at GMU is reporting that it does. Their explanation for why this might work doesn't sound entirely implausible:
A study published in 1999 showed that a relative of smallpox, called the myxoma poxvirus, uses the same cellular doorway -- the CCR5 receptor -- to infect a cell as AIDS does.

And studies have noted that people with certain mutations in CCR5 are resistant to HIV infection.

I'm not enough of a virologist to know if this makes sense or not. As I understand it, vaccines work by sensitizing the body to particular antigens on the viral coat. If HIV and vaccinia use the same cellular receptor they must have one protein on their coat that's sort of similar (the one that docks with that receptor). It would be pretty lucky if the smallpox vaccine triggered an antibody that matched that common antigen.

Posted by ekr at 10:08 PM | Comments (54) | TrackBack

Anti-Spam Authentication + Spam Viruses = Mess

I've been doing some more thinking about the use of sender authentication to stop spam. [*] I said previously that I didn't think it would work, but there's actually a problem I didn't mention. Say you've got one of these systems in place. The basic elements are:
  1. All senders must authenticate.
  2. Senders caught sending spam get blacklisted somehow.

Now, consider what happens when you introduce a SoBig-style spam virus into the mix. Remember that SoBig takes over the machines of legitimate users, so it's going to be able to send mail as them. Following rule 2, we add all those users to the blacklist. Now Joe CEO, who's not a spammer but just the owner of a badly maintained machine, can no longer send email. Considering the number of people infected with SoBig, there are going to be a lot of these "innocent" victims on the blacklist. Now, you could imagine some procedure for removing them from the blacklist, but you'd presumably want to at least make sure they weren't infected first. How happy do you think Joe CEO is going to be to be told he can't send mail for 4 hours--or 4 days--while he waits for the admin to disinfect his machine and get him off the blacklist? It's hard for me to see a system like this surviving the first such mass infection.

Posted by ekr at 09:59 PM | Comments (60) | TrackBack

GWB and the board of Carlyle

Brad De Long quotes [*] Suzan Mazur about how George Bush got his position on Carlyle Group's Board:
Carlyle Group Director David Rubenstein: ...But when we were putting the board together, somebody [Fred Malek] came to me and said, look there is a guy who would like to be on the board. He's kind of down on his luck a bit. Needs a job. Needs a board position. Needs some board positions. Could you put him on the board? Pay him a salary and he'll be a good board member and be a loyal vote for the management and so forth.

I said well we're not usually in that business. But okay, let me meet the guy. I met the guy. I said I don't think he adds that much value. We'll put him on the board because - you know - we'll do a favor for this guy; he's done a favor for us.

Now, De Long's point is that Bush got a job he clearly wasn't competent for on the basis of his connections. I don't like that much, but what really annoys me is that part of the pitch was that Bush would be a "loyal vote for the management". The board's loyalty shouldn't be to management but to the stockholders; it's the board's job to oversee the management! How is it that so many people in business can't remember this?

Posted by ekr at 04:41 PM | Comments (12) | TrackBack

September 12, 2003

Programming language inventor or serial killer

Programmers should check out the Programming Language Inventor or Serial Killer quiz. I got 7 out of 10. Mostly I was guessing, but I definitely recognized one of them as John Backus, inventor of FORTRAN. Unfortunately, for me, it actually turned out to be serial killer Ed Gein.

[Photos: John Backus; Ed Gein]

As you can see, it was a mistake anyone could have made.

Posted by ekr at 06:02 PM | Comments (52) | TrackBack

September 11, 2003

Recreational ultrasound

In a nice example of medical technology going mainstream, companies are offering to give you a DVD recording of a 3-D ultrasound of your fetus, complete with soundtrack. [*] Officially, of course, these services aren't being advertised as a medical service, just a memento, but of course people are using them as a sort of secondary medical service:
Some doctors say, however, that the 3-D images have another value -- reassuring nervous parents that their child is all right.

Though Angie's second, two-dimensional ultrasound showed no problems, the Kruses said they weren't 100 percent sure things would be all right until they visited Sneak Peek.

"I could see she had a good chin and her hands were not clenched. It was for peace of mind," Barry Kruse said.

I know, it seems silly, but I can see the appeal here of being able to double check, especially if you know there's some better technique than the one that's been used on you. Moreover, it sure sounds like--unlike hospitals--the private services are making some attempt to actually give the customer what they want:

But the private services are selling more than just a better image of the fetus. Unlike with most hospital-provided ultrasounds, private businesses hold sessions in comfortable offices with dimmed lighting and soothing music playing. Extended family members are invited to view exams. Angie Kruse's mother, Julie Erhart, was by her side. And while diagnostic exams usually last about 30 minutes, private sessions can be twice as

Though this does make me wonder why hospitals don't do some of the same things to make women comfortable. Is it too expensive or that it somehow feels new agey and unscientific?

Anyway, there's no one in this story who comes out smelling that great. There's a lot of tut-tutting from the medical professionals about how it "shouldn't be used as a substitute for seeing a doctor" and it might hurt the fetus, despite the fact that ob/gyns use ultrasound like it's going out of style and there have never been any reports of ultrasound hurting a fetus. On the other hand, the people offering these services appear to be painfully naive about how medical risk works:

"We had heard that there may be some risk with additional ultrasounds -- to use them as necessary," said Barry Kruse, a business consultant. "But we had a friend who had complications during her pregnancy who had 10 ultrasounds with her child, and the child is fine."

In this particular case, it seems quite likely that the procedure is harmless and that the naysaying by doctors is just the usual reflex behavior, but some day there might be some other procedure that wasn't quite as harmless, and it would be nice to get some sense that the kind of people who would offer it had a better idea of how to determine what was safe.

Posted by ekr at 08:22 AM | Comments (13) | TrackBack

September 10, 2003

In the paper of record

Someone just pointed me to this New York Times article on worms. If you turn to page 2, there's a paragraph about my study on fixes in response to disclosed vulnerabilities in OpenSSL. I wasn't contacted for this article, so I'm as surprised as anyone that I get mentioned--pleased, but surprised.
Posted by ekr at 08:07 AM | Comments (51) | TrackBack

Mark Kleiman on the MDMA study

Mark Kleiman has added his more informed take on this issue. [*]
Yet it appears that the researchers failed to investigate the causes of those deaths. Moreover, they went on to draw inferences about the effects of MDMA on humans from the observed damage to the brains of the remaining animals. That didn't seem to trouble the reviewers for Science or the administrators at the National Institute on Drug Abuse who trumpeted the findings as evidence of the dangers of MDMA. (Science is published by the AAAS, whose president, Alan Leshner, was the Director of NIDA when the grant in question was awarded; he made MDMA his particular crusade.)

It is hard to escape the thought that many of the people involved were less cautious than they might have been because the results seemed to support their already strongly-held beliefs.

I hadn't realized (though I should have) that there were such strong incentives to get any particular result in this case--as opposed to the usual scientific incentives to get the most surprising and interesting result. Given that, this kind of work probably needs to be examined carefully.

Posted by ekr at 08:03 AM | Comments (11) | TrackBack

September 09, 2003

Why is there another hole in my street?

When last we checked in, Palo Alto had just completely resurfaced my street. Well, the Palo Alto construction gnomes are back and there's a big hole in the asphalt. Apparently they're "installing water blowoff valves"--or rather trying to. The construction gnome I just talked to tells me that they're having trouble finding the pipe. Here's my question: why didn't they install the valves before they repaved the street?

Update:
Did I mention that this water construction project seems to involve turning off my water?

Posted by ekr at 11:50 AM | Comments (11) | TrackBack

Airline boarding color codes?!?!?!

Let me see if I have this right. We're going to forbid 1% of the population of the US from flying?!?! [*]
According to the Washington Post, passengers will be assigned one of three codes, based in part on their travel plans, traveling companions and the date the ticket was purchased. Sources say those coded "green" will easily pass through security checkpoints. Others will be coded "yellow" and face additional screening. An estimated 1 to 2 percent who get "red" coding will be barred from boarding and face police questioning. They may be arrested.

Now, there are more or less two possibilities here:

  1. These will be people who have done something else and the government is just using the airline checkpoint as a convenient place to screen for known offenders.
  2. 1-2% of travelers are going to be denied boarding and questioned by police because some risk profiling system flags them.

I'm not sure which of these alternatives I find more disturbing.

Posted by ekr at 07:51 AM | Comments (49) | TrackBack

What Warren Zevon really died of

I very much liked Zevon's music and even though I knew it was coming, I was sorry to hear that he had died. Coincidentally, I'd just ordered a copy of The Wind. Like everyone else, I'd heard he died of lung cancer and figured that it was all those years of smoking. But Colby Cosh is really on the case here. It turns out that Zevon didn't die of lung cancer but rather mesothelioma--which is asbestos related, not smoking related. [*]

Posted by ekr at 07:28 AM | Comments (3) | TrackBack

Uniform non-unisex bathrooms

Ever been to a restaurant that has two single-occupant bathrooms, one labelled "Men" and one labelled "Women"? Ever found that the bathroom for your gender was full and with a slightly guilty feeling popped into the one for the other gender--and noticed that it was exactly the same?

But if they're the same, what's the advantage of labelling them for individual genders? There's certainly a real disadvantage: increased average wait time. Let's assume for convenience that men and women use the bathroom equally frequently and that it takes them equal amounts of time to use the facilities. Consider what happens when two people arrive simultaneously. There's a 50% chance that they'll be the same gender and therefore one will have to wait. If the bathrooms weren't gender segregated then there would be no waiting in this case.

In real life the segregated arrangement is harder on women than men, since women generally take longer in the bathroom than men. Nevertheless, except in situations where there really aren't enough bathrooms anyway, it's probably a net loss for both sexes, since men end up waiting at times when the women's bathroom is empty.

Does anyone have any idea why places--especially restaurants--do this? It's not universal, but it is quite common.

Posted by ekr at 07:19 AM | Comments (51) | TrackBack

September 08, 2003

Crank not that bad for you either

If you read my previous article on the great MDMA/crank mixup, you're probably thinking "I better stay away from methamphetamine". The truth is that even methamphetamine isn't as insanely toxic as you might have guessed either. Actually, it's available by prescription as Desoxyn, and occasionally used for ADD treatment (though other stimulants such as Adderall and Ritalin are more common.)

My guess would be that the reason that Ricaurte et al. observed so much toxicity in their experiment is that they were giving the monkeys some enormous dose of methamphetamine. Typical doses of MDMA are on the order of 150mg for a human. Typical doses of methamphetamine are on the order of 5mg. The supplier, RTI, doesn't have their catalog but if the concentration of the methamphetamine solution was anything close to that of the MDMA solution then those poor squirrel monkeys would have been getting a pretty heavy load of methamphetamine.

Posted by ekr at 08:11 PM | Comments (56) | TrackBack

The great MDMA/crank mixup

Last year, there was a paper in Science reporting that MDMA (Ecstasy, X, etc.) damaged the dopamine system in primates, thus potentially leading to Parkinson's disease. It turns out that there was a mixup with the labels and they were actually giving the animals methamphetamine (known on the street as "crank"). [*]

There's one thing that is a little confusing about all this, though. They gave five monkeys the drug, and one died and another started to have serious Parkinson's-type problems right away. Now, clearly MDMA doesn't have this kind of immediate impact on humans. The authors make a stab at answering this question in the original paper:

In light of the present findings, and given the fact that MDMA use is widespread and increasing, one might ask why more cases of MDMA-induced Parkinsonism (33) have not been reported. There are multiple potential explanations, but only two will be mentioned. First, Parkinsonism does not generally become clinically apparent until more than 70 to 80% of brain dopamine has been depleted. Therefore, substantial MDMA-induced dopaminergic neurotoxicity could occur yet remain occult until unmasked by other processes (such as drug-induced interference with dopaminergic neurotransmission or decline in brain dopamine with advancing age). Second, until now, the potential for MDMA to damage brain dopamine neurons in primates has not been appreciated and, therefore, MDMA neurotoxicity has not been considered in the differential diagnosis of Parkinsonism in young adults. It is possible that some of the more recent cases of suspected young-onset Parkinson's disease might be related to MDMA exposure but that this link has not been recognized.

Still, you'd think that if MDMA were this toxic, we'd be seeing a lot more reports of death by MDMA. The fact that we don't was always kind of suspicious. To tell you the truth, I feel for these guys. It's great to get some really surprising result and think "I've got this fantastic paper" but at least for me, that elation also comes with a nagging voice in the back of my head that says "maybe it's all wrong and you've made some obvious mistake". I've never had that voice be right yet, but I'm always worried that if I don't listen to it, it will be.

Posted by ekr at 07:52 PM | Comments (51) | TrackBack

Don't import your drugs from Nebraska

Tech Central Station is carrying an article by Conrad F. Meier that argues that buying drugs via the Internet isn't safe. What's confusing here is that Meier seems to think that this is an argument against reimportation of drugs from Canada:
The Food and Drug Administration (FDA) warns re-imported drugs raise serious safety concerns since they could be counterfeit, contaminated, expired, or mislabeled. They won't vouch for the quality of re-imported foreign drugs or those sold over the Internet since there is no way to tell the origin of the drugs, their quality, their effectiveness, or if they endanger our health.

He then goes on to list a bunch of examples of counterfeit drugs being sold in various locales, such as Turkey, Haiti, and Lebanon. This list would be a lot more convincing if it didn't also include Kansas City, Florida, and Nebraska. Moreover--at least as Meier describes it--none of the scams seem to have relied on the Internet at all.

As far as I know, there's no reason to believe that buying drugs over the Internet from any reputable provider is any less safe than buying them from your local drug store. Frankly, I trust Amazon.com more than I trust my local Longs Drugs. Similarly, I don't know of any evidence that drugs reimported from Canada are any less safe than those originally sold in the US. If Mr. Meier knows of any such evidence, he should raise it. If not, he should stop spreading FUD.

Posted by ekr at 06:26 PM | Comments (12) | TrackBack