November 25, 2004

Updating the RSS feeds

A correspondent suggests that people who read this blog via RSS may not have noticed
that it's moved. So, here you go. The new EG site is http://www.educatedguesswork.org

Posted by ekr at 03:06 PM | Comments (0) | TrackBack

November 12, 2004

EG Mark 2

After a bunch of hacking, I've managed to get a partially operative version of EG at http://www.educatedguesswork.org/wordpress. It's not totally working yet, but good enough to complain about. I'll be fixing some of the problems and transitioning the site over the next week or so. If the site gives you problems, post a comment or let me know via e-mail.

Posted by ekr at 07:49 PM | Comments (0) | TrackBack

November 11, 2004

Notes on NSA's elliptic curve licensing agreement

John Stasak from NSA gave a talk at IETF on their ECC licenses from Certicom, for which they paid around $25 million.

  • Current US Govt cryptographic equipment inventory is 1.3 million
  • Average equipment lifetime is 30 years.
  • Next generation US Govt cryptography will use ECC.
  • Licensed patents are curves over GF(p) where p is a prime greater than 2^255. This is rather larger than the EC public keys in common use, which are closer to 2^160. Pretty much all the interesting algorithms (point compression, ECDSA, MQV, etc.) are covered.
  • The license applies to products which are either FIPS 140-2 or used for National Security or State/Federal/Local Mission Critical applications. Note, these products may not be exportable.
  • NSA is currently planning to license the patents for free. They currently don't plan to allow sublicenses but the license from Certicom allows them to.
  • If you get your product approved for these purposes and you actually sell it for these purposes your license also covers any other sales of the product, so as long as you can get your product used in these applications you get a free pass.
  • It's not clear what the status of toolkits is. NSA wants to control the quality of the software that uses these licenses, so they are reluctant to just let you get e.g., OpenSSL certified for a single national security use and then have it transfer rights to all OpenSSL-using applications. The audience/ADs pressed on this sort of sublicensing being very desirable.

Slides here. List of patents covered is here.

UPDATE: Re-explained the terms. According to Russ Housley, FIPS 140-2 evaluation alone is enough. So, even if your software has no national security applications, you can still take advantage of this. This is a big deal.

Posted by ekr at 01:47 PM | Comments (0) | TrackBack

BOF report: EasyCert

Summary: Strangely, demand for products is a lot higher when owning them is mandatory.

Background: end-users don't have certificates. People think this is bad. Is there some way to make this easier? That's the point of this BoF.

First talk is by Jeff Schiller, about the MIT cert infrastructure. The way this works is that they have their own CA and the certs are to a first order only used for browser client auth. They skirt the enrollment issue by using the Kerberos account to authenticate the cert request.

Second talk is by Bob Stahl from Johnson & Johnson. They've got a big corporate PKI. The important point is that it's unbelievably complicated to use this thing, but people do it anyway.

Third presentation from Sandy Roddy from DoD. They have a PKI too, which people in the military are required to use.

The take home point of these talks seems to me to be that it's a lot easier to get PKI working if the potential users have absolutely no choice but to use it. In all three cases, it seems to be basically impossible to do anything at all in the environment without a certificate, and in the military, it appears that you're basically ordered to get one.

The central fact of the failure of PKI deployment is the lack of voluntary user uptake in distributed non command and control organizations. No doubt it's interesting to hear about how to make it easier for such large command and control organizations to deploy PKI, but that doesn't really move the ball forward in terms of getting global deployment. As long as having a third-party certificate doesn't actually buy you anything, it's hard to see the activation energy barrier getting low enough for people to want them.

In that context, this session was largely like hearing a series of talks about technology for laminating ID cards. Obviously, it's a lot better when cards are laminated and perhaps it's possible that some kinds of plastic are better than others, and that's no doubt a topic of great interest to lamination wonks, but it's not like the world is full of people saying "I'd love to have an ID card if only I could figure out how to laminate it."

Posted by ekr at 12:48 PM | Comments (0) | TrackBack

November 10, 2004

IETFers on drugs

Heard at this week's IETF:

Jon Peterson:

I used to get really baked and sit around eating these.

(While eating Tastykakes).

Anonymous:

My mom buys her pot from a friend of mine.

Pete Resnick:

I was interviewing for a clearance and the interviewer asks me:

Have you ever been convicted of a felony?

No.

Could you pass a drug test?

[I think about my answer]

If you had time to study?

Yes, I think I could

In answer to e-mailed questions, names used by consent.

Posted by ekr at 06:14 AM | Comments (0) | TrackBack

How the Internet really works

I spent a while talking to Bill Woodcock from Packet Clearing House last night and he pointed me to this presentation which describes his banana theory of Internet economics: "Banana farms are where bananas are made. Internet exchanges is where bits are made..."

Posted by ekr at 04:10 AM | Comments (0) | TrackBack

November 09, 2004

Report on Better Than Nothing Security BOF

Report from the IETF Better Than Nothing Security BOF.

The background here is the TCP RST vulnerabilities published earlier this year. The obvious defense against those vulnerabilities is to use IPsec but people obviously aren't using that.

The rationale for this WG comes from an observation and two claims:

  1. The pool of off-path attackers is larger than the pool of on-path attackers.
  2. IKE keying is very annoying due to the requirement to have certified keys.
  3. Full ESP/AH is too computationally expensive for wide-scale usage.

What is being proposed is two things:

  1. Relax the constraint in IKE for using full certificates, presumably using leap of faith.
  2. Reduce the coverage of AH so that it only covers part of the packet, thus improving performance.

There was a lot of support for (1) but mixed support for (2). In particular, there's skepticism about whether the perf problem addressed by (2) is real. A number of people seemed to want to not undertake (2) at all, unless they had data. The discussion there was very contentious. Michael Richardson called it a "premature optimization".

A hum was strongly in favor of (1) and strongly against (2).

My take:
It's worth doing (1), which is very easy. It's not really even a technical change. You just legalize a common practice of using self-signed certs. Joe seems to want to write an extended policy document about how to handle self-signed certs, but seeing as IKE certificate handling is kind of witchcraft anyway, maybe this should just go into pki4ipsec.

I don't buy the performance argument and would want to see some real data supporting the claim that it is a problem, before we embark on this path. Michael Richardson made an interesting argument on this point: It's true that IPsec processing is very slow but the problem is the need to decide what kind of processing to apply to the packet--which is often done via very inefficient algorithms--rather than the actual crypto. I don't know if this is correct or not.

Posted by ekr at 05:36 PM | Comments (0) | TrackBack

What's wrong with NoDoz?

I'm currently at the DC IETF. Formal meetings start at 9 AM and run through 10 PM. If you're on the IAB/IESG, things get going at 8 and run through 10. Informal meetings start earlier and end later. The combination of long hours and jet lag means that an extraordinary amount of caffeine is consumed.

As is the American norm, almost all this caffeine is consumed in the form of coffee or soda. This can actually be a problem because the coffee in the hotel is apparently subpar--not to mention the expense of purchasing your fourth latte of the day. And yet as far as I can tell, not one of these people has seriously considered replacing their beverage with caffeine pills, which are cheaper and more convenient. A few people I mentioned this to said they liked the taste of coffee, but the general sense seemed to be that taking it explicitly in pill form would be crossing some line between consuming food and taking drugs, as if you're only a few all-nighters away from being a full-on speed freak. I guess "Just Say No" worked after all.

Posted by ekr at 05:17 AM | Comments (0) | TrackBack

November 08, 2004

Digital joy?

Check out Microsoft's new Digital Joy. I can't see anything on the inside cause it's Flash-only and I'm not Flash enabled here, but if you just look inside, you can find the evil Dr. Zaius from Planet of the Apes experiencing Digital Joy.

Posted by ekr at 06:49 AM | Comments (0) | TrackBack

November 05, 2004

Not exactly a heartwarming moment

I recently caught a West Wing episode that got me thinking. The basic plot is that the White House is trying to pass a Family Wellness Act. Senator Stackhouse stages a filibuster to try to force them to put in a $47 million provision for autism research. He's been up at the podium for hours and is clearly fading fast. Everyone's annoyed until a staffer works out that the Senator's grandchild is autistic, at which point everyone's attitude changes. The West Wing staff arranges for some other Senators to spell him, effectively scuttling its own bill, with the implication that they'll revisit it later with the autism provision. Heartwarming, right?

Well, not really. Let's get rid of the autism angle and just look at the form of the transaction. Say the White House is trying to pass an energy bill and a Senator mounts a filibuster to force the White House to add a $47 million program for research into geothermal power. It's discovered that one of his grandchildren owns a geothermal power company. Heartwarming? Not really. The word that comes to mind is corrupt.

The situation isn't any different in the autism case. The Senator is using his political position to force a policy change that benefits one of his relatives--a change that wouldn't be made without him using his influence. Why should personal motives be acceptable in one case and not the other?

Posted by ekr at 10:07 PM | Comments (0) | TrackBack

November 04, 2004

Not a good day to be a spammer

So, two people in Virginia have been convicted of spamming. One of them has been sentenced to 9 years in prison. The big question here is what effect this will have on the big spam picture. Obviously, being thrown into prison for 9 years isn't fun, but it's only a big deterrent if there's a reasonable probability of being caught and prosecuted and that depends on the spam demographics, which I don't understand that well. It's certainly known that a lot of spam comes from compromised servers and/or from outside the US, but that actually doesn't matter if the people contracting for the spam are in the US and therefore prosecutable. I don't have a good sense of the fraction of spam to which that applies and so it's hard to assess the impact of this development.

Posted by ekr at 09:52 PM | Comments (0) | TrackBack

Comments disabled

I've had to disable the comments system, due to some serious comments spam problems. My ISP says that I had like 60 running comments processes. Ouch! I'll probably be moving the blog to some other server and quite possibly changing my blog software. Readers who have comments or suggestions should email me at ekr@rtfm.com.

Posted by ekr at 11:22 AM | Comments (0) | TrackBack

November 03, 2004

A quick guide on moving to Canada

OK, so George Bush looks to have won the election. I'm already hearing people say they don't want to live in the US any more. The obvious choice here is Canada.

Everyone already knows about Canada. It's that big cold thing just North of Minnesota States. But if you were watching those handy red/blue maps on TV last night you would have noticed that Canada isn't a State! It's actually its own country, or Dominion or whatever. Anyway, it's a popular destination for people fleeing the US since the 1960s. Actually, since 1776 if you want to get picky.

Less than 95% or so of Canada is a frozen wasteland. The rest (the section within 200 miles or so of the American border) is perfectly nice if a bit chilly. It's actually quite a bit like the US, but there are a few small differences:

  • Nationalized health care.
  • Bilingual signs.
  • The metric system.
  • The national sport is hockey.

Once you get those four things down it's pretty easy to adjust. It also turns out to be pretty easy to get in. Canada has three major ways for you to immigrate:

Skilled workers
The easiest one for most readers of this site is to qualify as a skilled worker. Now, you might think that you're not a skilled worker but it pretty much turns out that if you can find your ass with both hands you qualify. The list of skilled workers includes Comedians, Grain Elevator Operators and Legislators. You also need to demonstrate that you have enough money to support your family (or that you have a job), but the minimum amount of money for a family of 4 is $17,727 Canadian, so we're not exactly talking Donald Trump here.

Canadian Immigration provides a helpful test to assess whether you pass as a skilled worker. The current passing score is 67. If you have a college degree, speak English proficiently, are between 21-49 and have four years of experience, you've got 69 points and you're good to go. Welcome to Canuckistan.

Business Immigrants
Option two is to immigrate as a business immigrant. There are actually three choices here. The easiest is to be an "Investor". If you have business experience (2 years worth of experience as a principal in a modest-sized business) an $800,000 CDN net worth and you make a $400,000 CDN investment in a Canadian business, they just let you in. This is a funny kind of investment because it's actually a 5-year zero-interest loan, which you're allowed to finance, so you're effectively giving Canada the interest. At today's interest rates of <<5%, we're talking something on the order of $50-80,000 CDN. What a deal.

Choice two is to be an "Entrepreneur". Again, you need some business experience, a net worth of $300,000 CDN, and promise to create a business that will hire at least one Canadian. Of course, given how little you have to pay people in Canada, you can just hire a Canuck to follow you around and kiss your ass all day, so this basically amounts to paying a tax of about $20k CDN a year. Also a pretty good deal.

Choice 3 is to be a "Self-Employed Individual". Basically, this means you're a world class artist or athlete, or are willing to become a Canadian farmer. Welcome to Alberta. Hope you like wheat.

Provincial Nomination
The final option is a provincial nomination. This is basically a provincial version of the above-mentioned process, where you get to move to specific provinces which may have specific requirements. I haven't gone through all of them, and some of the provinces (BC and Alberta, at least) are quite nice. However, based on the rest of the list, I kind of suspect that your best chance is to get in as a moose-skinner in Manitoba or an igloo safety inspector in Northern Saskatchewan.

Posted by ekr at 08:45 PM | Comments (4) | TrackBack

November 02, 2004

Another update from the street

Now things have swung the other way:

  • Tradesports's Kerry contract is at 13.5 (out of 100)
  • IEM's Kerry contract is at .056 (out of 1)
  • Betfair has the odds on Kerry at about 8/1.

Swings like this make it pretty difficult to use markets of this type for prediction. At best, you can use them to aggregate the poll information, but it's not even clear how well that works.

Posted by ekr at 09:21 PM | Comments (1) | TrackBack

Update from the street?

Looks like the street thinks Kerry is going to win:

  • Tradesports's Kerry contract is at 67 (out of 100)
  • IEM's Kerry contract is at .629 (out of 1)
  • Betfair has the odds on Kerry at about 7/10.

Credit to Robin Hanson for pointing out the big swing.

Posted by ekr at 06:06 PM | Comments (0) | TrackBack

It's good to be tall

It's been known for years that tall people make more money than short people (about 2% per inch of height), even when you control for other observable quality factors. However, it's not entirely clear why. The natural response is to think that it's the market at work and ask why tall people are more attractive to employers than short people. A new study in JPE suggests that this is the wrong question.

Nicola Persico, Andrew Postlewaite, and Dan Silverman analyzed longitudinal surveys from the US and the UK and discovered something interesting: it's not your current height that matters but rather your height when you are a teenager (age 16). Indeed, when you control for teenage height, adult height doesn't matter. Interestingly, height at younger ages doesn't matter at all.

What appears to be going on is that being tall in adolescence provides some lasting benefit, perhaps by improving your confidence, teamwork, or simply your connections (networking). One piece of the result that bears this out is that when you control for participation in teen social activities, the height effect mostly vanishes. The obvious interpretation (though not the only one) is that being tall makes these activities more attractive--or you more attractive to them--and that you learn (unobserved) skills there that pay off later in life. This explanation is especially plausible in the case of sports, where being big generally does pay off and it's clear that people forge long-lived connections there.

Upon hearing about the height effect, it's tempting for parents to consider an intervention. The authors calculate that if you expect your child to earn more than $105,500, then HGH treatment would potentially be a good investment (ignoring the general equilibrium effects, of course).

Posted by ekr at 07:11 AM | Comments (2) | TrackBack

November 01, 2004

Oracle raises the price on PeopleSoft

Oracle has just announced an increase in its offer price for PeopleSoft to $24 from $21. At this point, it kind of looks like the PeopleSoft stock price is dominated by the status of the Oracle deal:

  • PeopleSoft's stock has been on a pretty much continuous runup from early September (when it was at $18ish) ever since the government's attempt to block the deal failed.
  • PeopleSoft's stock price as of Friday's close was $20.77, just under Oracle's previous offer of $21.
  • PeopleSoft's price rose to $23.19 in morning trading after Oracle's new offer was announced.

If PeopleSoft's board rejects the offer, it's reasonable to suspect that the stock price is not going to respond favorably.

Posted by ekr at 11:32 AM | Comments (0) | TrackBack

Unbiased voting machine errors

Some of the errors in voting machines appear to be unbiased in the sense that which way the error goes depends on the exact layout of the ballot, the user's behavior, etc. That doesn't mean, however, that the effect of those errors isn't biased. Consider the following simple model:

  • A% of voters attempt to vote for candidate Alice.
  • B% of voters attempt to vote for candidate Bob.
  • The machines have an e% error rate. By this I mean that e% of the time they register a vote for the other candidate.

In this situation, the recorded votes will be:

Alice: A(1-e) + Be
Bob: B(1-e) + Ae

Now, clearly if e=0 we get a correct count, but as e increases this tends to drive the result towards the center. For instance, if support for Alice is 40% and Bob is 60%, if e=.1 [1], then the actual recorded votes will be:

Alice: 42%
Bob: 58%

In other words, unbiased errors benefit the losing candidate. Of course, unless the error rate gets ridiculously high (>50%) it can't turn a loser into a winner locally, but that doesn't mean that it doesn't make a difference, because the presidential electoral votes are decided on a winner-take-all state-by-state basis. So, what happens if Bob holds a slight statewide lead but the pro-Alice precincts have perfect machines but the pro-Bob precincts have inaccurate machines? This obviously benefits Alice and could potentially shift the outcome to Alice. And the distribution of voting machines is definitely not unbiased.
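The model above, applied precinct by precinct, as an added example (not code from the original post). The two-region state, its vote shares and all function names are constructed for illustration; the 10% error rate is the figure from the post's footnote.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Precinct:
    name: str
    voters: int
    alice_share: float  # A: fraction of voters who try to vote for Alice
    error_rate: float   # e: fraction of votes registered for the other candidate


def recorded_shares(a, b, e):
    """The post's model: Alice = A(1-e) + Be, Bob = B(1-e) + Ae."""
    if not 0.0 <= e <= 1.0:
        raise ValueError("error rate must be between 0 and 1")
    return a * (1 - e) + b * e, b * (1 - e) + a * e


def tally(precincts, override_error=None):
    """Expected (alice, bob) vote totals; override_error forces one e everywhere."""
    alice = bob = 0.0
    for p in precincts:
        e = p.error_rate if override_error is None else override_error
        ra, rb = recorded_shares(p.alice_share, 1.0 - p.alice_share, e)
        alice += ra * p.voters
        bob += rb * p.voters
    return alice, bob


def winner(totals):
    alice, bob = totals
    if abs(alice - bob) < 1e-9:
        return "tie"
    return "Alice" if alice > bob else "Bob"


def flip_threshold(precincts, noisy_name):
    """Error rate in one pro-Bob precinct (others perfect) that erases Bob's lead.

    Errors in a precinct with Alice share a move n*e*(1-2a) votes from Bob to
    Alice on net, so the statewide margin shrinks by twice that amount.
    """
    alice, bob = tally(precincts, override_error=0.0)
    p = next(x for x in precincts if x.name == noisy_name)
    swing_per_unit_e = 2 * p.voters * (1 - 2 * p.alice_share)
    return (bob - alice) / swing_per_unit_e


# Constructed two-region state: Bob leads 51% to 49% among intended votes.
STATE = [
    Precinct("pro-Alice", 100_000, 0.60, 0.0),  # perfect machines
    Precinct("pro-Bob", 100_000, 0.38, 0.1),    # 10% error rate, per the footnote
]

if __name__ == "__main__":
    for label, totals in [
        ("intended", tally(STATE, override_error=0.0)),
        ("uniform e=.1", tally(STATE, override_error=0.1)),
        ("errors only in pro-Bob", tally(STATE)),
    ]:
        print(f"{label:24s} Alice={totals[0]:9.0f} Bob={totals[1]:9.0f} -> {winner(totals)}")
    print(f"flip threshold in pro-Bob: e > {flip_threshold(STATE, 'pro-Bob'):.4f}")
```

With the same error rate everywhere Bob still wins; with errors confined to the pro-Bob region the recorded result goes to Alice.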

A related issue is that although the machine may make unbiased errors in the sense that it doesn't prefer Alice or Bob, that doesn't mean that there can't be a statewide bias in the way the machine works. Consider the touchscreen errors noted by Ed Felten. If you subscribe to the "errant finger" theory, then it's quite likely that people preferentially place their errant thumb at the top or bottom of the monitor. Because the registered press is shifted towards the second press, this tends to move the votes up or down on the screen. Whichever candidate's checkbox is more in that direction gets a small edge.

Of course, this kind of effect exists even in human-only voting systems in that people aren't unbiased in the way they select from a list, so it's probably an advantage to be first or last or whatever. As I understand it, in the CA recall election they had a complicated scheme to randomize the ballots on a per-District basis to nullify this effect. I don't know if that happens for generic presidential ballots.

[1] This sounds ridiculously high but the estimates for error rates are in the 2-8% range, so 10% isn't actually crazy.

Posted by ekr at 07:48 AM | Comments (2) | TrackBack