Wednesday, April 23, 2014

What’s the liberal equivalent of climate denial?

Ezra Klein follows up the discussion his first post on Vox started, What’s the liberal equivalent of climate denial?.

"Does politics make Republicans dumber than Democrats? Paul Krugman thinks so. "Can anyone point to a liberal equivalent of conservative denial of climate change, or the 'unskewing' mania late in the 2012 campaign, or the frantic efforts to deny that Obamacare is in fact covering a lot of previously uninsured Americans?" he asks. Jonathan Chait mostly agrees. "In American politics," he writes, "reliance on empiricism is an ideology" — and, to be more specific, that ideology is liberalism."

"No one can personally investigate the vast array of issues facing the country. In terms of getting the right answers, the most important decision people make is choosing whom to trust. In politics, that typically means choosing a party, or at least a political coalition. If one party is systematically better at assessing the evidence than the other, that's a huge deal."

He doesn't answer the question, he just asks it again.

10 historical software bugs with extreme consequences

Stumbled across this article from 2009, 10 historical software bugs with extreme consequences.

Tuesday, April 22, 2014

Movie Review: The Case Against 8

The Case Against 8 is playing this weekend as part of IFFBoston. Conveniently it had a screening tonight at Harvard Law School, so I got to extend IFF by a day and avoid a conflict or two in scheduling.

The movie tells the story of the legal battle to overturn California's Proposition 8, which was passed in 2008 and defined marriage as between one man and one woman. The battle to overturn it started with someone having lunch with Rob Reiner (really) who mentioned that a brother-in-law of someone (his? his wife's?) knew lawyer Ted Olson and that he might be interested in the case. Olson was a non-obvious choice, being one of the most prominent conservative lawyers in the country, a founding member of The Federalist Society and infamously the winner of Bush v. Gore. More surprisingly, he teamed up with his Bush v. Gore opponent David Boies to take the case.

It started with them searching for plaintiffs. They found two couples, one gay and one lesbian, living in California who wanted to marry, to represent. They were picked to be perfect plaintiffs: nothing wrong in the background, good families, etc. The movie follows as they prepare for and argue the case before the US District Court and then the appeal of the ruling to the US Supreme Court.

If you follow the news at all you know what happens. They win. (I really don't think that's a spoiler.) So the question is how the movie decides to tell the story. It turns out they knew this was going to be an important case for history and decided to film it from the beginning. They were a little hampered by the decision of the court not to allow the District Court trial to be broadcast (though it was apparently filmed and the film is now under seal for no great reason). So it's a legal story but it's also an emotional one, so they follow the plaintiffs as they prepare for the trial, and are nervous the night before, and happy at winning and then getting married immediately after the Supreme Court decision.

Now I'm probably in the minority in this, but I wish there was more law in this film and less personal drama. I'm already on the plaintiffs' side and don't need to be convinced that "they're just like ordinary people" or that "letting them marry won't hurt anyone else" or that they've experienced discrimination in their lives. At 109 minutes this isn't a short movie; there are lots of scenes of lawyers typing and looking seriously at big stacks of paper and milling in and out of offices and cars, all set to deliberately paced, serious-sounding music. The legal stuff is covered, but there are two parts that sounded fascinating and are just mentioned.

It seems David Boies is a genius cross-examiner. At one point in the film Olson says that Perry Mason moments only happen on television or when Boies is cross-examining, and one happened in this trial. The defense called several witnesses but they weren't that impressive. Their last was David Blankenhorn, a vocal advocate against same-sex marriage but not an actual expert in much. Boies apparently asked him a series of questions, and Blankenhorn gave a series of answers, and by the end he was saying that the plaintiffs should be allowed to marry. The film interviews him and he says he'd answer them the same today. He's since come out in support of gay marriage. I wish the movie covered this more; in some cases they read briefly from the transcript, but not much if any from this.

The other was Olson's closing statement. Boies says it's the best argument he's ever heard in a court, but we don't get to hear any of it. Now both of these happened at the District Court; after this we follow them to the Supreme Court, which ends up deciding the case on standing. That is a technicality about whether the plaintiffs of that case can show harm that happened to them, giving them the basis to sue. The court decided in an unusual 5-4 grouping: Roberts, Scalia, Ginsburg, Breyer, and Kagan for, and Kennedy, Thomas, Alito, and Sotomayor against. The film doesn't cover that at all and doesn't address the issue that this wouldn't change any minds on the merits of the case the way the District Court ruling details might.

The movie is good. I'm sure most people will be very moved by the personal journey of the two couples. At 109 minutes I think there's a fair amount of filler (and random scenes with Rob Reiner in the background), and I wish there was a little more in it that would actually convince someone that this is a real civil rights issue and is about treating people equally and fairly. The film had the opportunity (David Blankenhorn was convinced, and he is interviewed in the film) but didn't dive into it. As I read about the case on Wikipedia I see there's a play called 8 that might be more to my liking.

Apple - Environmental Responsibility

I guess Apple is going all out for Earth Day. Their site has a section Apple - Environmental Responsibility that describes all their efforts to make products that are better for the environment. It's also very beautifully designed.

Also, Steven Levy has an article in Wired, Apple Aims to Shrink Its Carbon Footprint With New Data Centers. He toured an Apple data center with Apple VP of Environmental Initiatives (and former head of the EPA) Lisa Jackson. It's powered 100% by renewable energy sources.

Heartbleed as Metaphor

Dan Geer writes in Lawfare Heartbleed as Metaphor and people should read it.

Only monocultures enable Internet-scale failure; all other failures are merely local tragedies. For policymakers, the only aspect of monoculture that matters is that monocultures are the sine qua non of mass exploitation. In the language of statistics, this is “common mode failure,” and it is caused by underappreciated mutual dependence. Here is the National Institute of Standards and Technology (NIST):

A common-mode failure results from a single fault (or fault set). Computer systems are vulnerable to common-mode resource failures if they rely on a single source of power, cooling, or I/O. A more insidious source of common-mode failures is a design fault that causes redundant copies of the same software process to fail under identical conditions.

That last part — that “[a] more insidious source of common-mode failures is a design fault that causes redundant copies of the same software process to fail under identical conditions” — is exactly what monoculture invites and exactly what can be masked by complexity. Why? Because complexity ensures hidden levels of mutual dependence. In an Internet crowded with important parts of daily life, the chance of common mode failure is no idle worry — it is the sum of all worries.

Autism and the Agitator

Frank Bruni has a nice op-ed rant against Autism and the Agitator Jenny McCarthy (and the people that gave her a platform).

20 MRI Scans of Fruits and Vegetables

20 MRI Scans of Fruits and Vegetables.

Navigate News With The Upshot

The New York Times has started their own data journalism site. Navigate News With The Upshot

"One of our highest priorities will be unearthing data sets — and analyzing existing ones — in ways that illuminate and explain the news. Our first day of material, both political and economic, should give you a sense of what we hope to do with data. As with our written articles, we aspire to present our data in the clearest, most engaging way possible. A graphic can often accomplish that goal better than prose. Luckily, we work alongside The Times’s graphics department, some of the most talented data-visualization specialists in the country. It’s no accident that the same people who created the interactive dialect quiz, the deficit puzzle and the rent-vs-buy calculator will be working on The Upshot.

Perhaps most important, we want The Upshot to feel like a collaboration between journalists and readers. We will often publish the details behind our reporting — such as the data for our inequality project or the computer code for our Senate forecasting model — and we hope that readers will find angles we did not. We also want to get story assignments from you: Tell us what data you think deserves exploration. Tell us which parts of the news you do not understand as well as you’d like."

Their first big story, Who Will Win The Senate?. "According to our statistical election-forecasting machine, it’s a tossup. The Democrats have about a 51% chance of retaining a majority." Lots of very pretty graphs.

Monday, April 21, 2014

2014 Hugo Award Nominees

io9 is Announcing the 2014 Hugo Award Nominees. "The nominees for the 2014 Hugo Awards have been announced! This year's nominating ballot saw a record-shattering 1,923 valid nominations. The winners will be announced on Sunday, August 17, during the Hugo Awards Ceremony at Loncon 3."

Saturday, April 19, 2014

Everything you need to know about economics in 297 words

Ezra Klein writes This graduation speech teaches you everything you need to know about economics in 297 words. "In 2011, Thomas Sargent won the Nobel prize in economics. But in 2007, he gave a graduation speech to Berkeley undergraduates that still stands as one of the greatest, shortest introductions to economics — and to life."

This is why Valve’s business model is so totally brilliant

Ars reveals Steam’s most popular games. "Right now, I can tell you that about 37 percent of the roughly 781 million games registered to various Steam accounts haven’t even been loaded a single time. I can tell you that Steam users have put an aggregate of about 3.8 billion hours into Dota 2. I can tell you that Steam users tend to put nearly 600 percent more time into the multiplayer mode on Modern Warfare 2 than the single player mode." Lots of graphs, assumptions and caveats as they look at which games are popular by copies bought, players and hours played. They issued this update, Steam Gauge: Addressing your questions and concerns.

I saw this via Brian Fung's article, This is why Valve’s business model is so totally brilliant. "Valve is one of the most successful game companies on the planet. It helped usher in the idea of digital distribution. The company's version of an online app store, Steam, is known for selling games made by third parties, such as Skyrim and Call of Duty. But Steam's real value lies in the way it gives independent publishers equal footing against big corporate game makers."

Towards the end he linked to this interview from 2011 which I found really fascinating, How Valve experiments with the economics of video games.

What Does Sound Look Like?

There Really Are So Many More Twins Now

Alexis C. Madrigal writes in The Atlantic, There Really Are So Many More Twins Now.

"From about 1915, when the statistical record begins, until 1980, about one in every 50 babies born was a twin, a rate of 2 percent. Then, the rate began to increase: by 1995, it was 2.5 percent. The rate surpassed 3 percent in 2001 and hit 3.3 percent in 2010. Now, one out of every 30 babies born is a twin."

"Older women tend to have more twins than younger women—and older women are having more of the nation's babies. The researchers found this demographic phenomenon accounted for one-third of the increase. They attributed the rest of it to the increase in infertility treatments, specifically in-vitro fertilization and 'ovulation stimulation medications.'"

How Americans Die

Bloomberg's How Americans Die is a really interesting graphic. By that I mean it's (1) very pretty, (2) very well laid out and (3) really interesting in how it uses several graphs, each with text, to slowly make a point about a complex subject.

Nevertheless, I'm not sure what that point is. It shifts between charts of mortality and number of deaths but doesn't always seem to take into account changes in population size (particularly when it concentrates on specific age ranges). But wow, it includes this fact: "about a third of all deaths are people 85 and older". That's way higher than I would have expected.

How to Convince People Of Non-Obvious Things

Breast cancer screening is a serious subject that a lot of people have profound personal experiences with. It's also true that Bayes' theorem is often counterintuitive.

This article in the NEJM, Abolishing Mammography Screening Programs? A View from the Swiss Medical Board, makes the case for less mammogram screening. It includes this great graphic:


A Car on Mars

The HiRISE orbiter took a picture of Curiosity Ready to Drill for Gold at the Kimberley. Click the photo below for a bigger image showing its tracks in the sand (seen from orbit!).


Mission-critical satellite communications wide open to malicious hacking

Ars reports Mission-critical satellite communications wide open to malicious hacking.

"Mission-critical satellite communications relied on by Western militaries and international aeronautics and maritime systems are susceptible to interception, tampering, or blocking by attackers who exploit easy-to-find backdoors, software bugs, and similar high-risk vulnerabilities, a researcher warned Thursday."

"Santamarta said that every single one of the terminals he audited contained one or more weaknesses that hackers could exploit to gain remote access. When he completed his review in December, he worked with the CERT Coordination Center to alert each manufacturer to the security holes he discovered and suggested improvements to close them. To date, Santamarta said, the only company to respond was Iridium. To his knowledge, the remainder have not yet addressed the weaknesses. He called on the manufacturers to immediately remove all publicly accessible copies of device firmware from their websites to prevent malicious hackers from reverse engineering the code and uncovering the same vulnerabilities he did."

British Pathé releases 85,000 films on YouTube

British Pathé releases 85,000 films on YouTube | The British Pathé Archive Blog. "Newsreel archive British Pathé has uploaded its entire collection of 85,000 historic films, in high resolution, to its YouTube channel. This unprecedented release of vintage news reports and cinemagazines is part of a drive to make the archive more accessible to viewers all over the world."

Friday, April 18, 2014

HeartBleed in the Wild

SucuriBlog reports on HeartBleed in the Wild.

"After 10 days of massive coverage, we expected to see every server out there patched against it. To confirm our expectations, we scanned every web site listed in the Alexa top 1 million rank. Yes, we scanned the top web sites in the world to see how many were still infected.

The results were interesting:

  • Top 1,000 sites: 0 sites vulnerable (all of them patched)
  • Top 10,000 sites: 53 sites vulnerable (only 0.53% vulnerable)
  • Top 100,000 sites: 1595 sites vulnerable (1.5% still vulnerable)
  • Top 1,000,000 sites: 20320 sites vulnerable (2% still vulnerable)

We were glad to see that the top 1,000 sites in the world were all properly patched, and that just 0.53% of the top 10k still had issues. However, as we went to less popular (and smaller) sites, the number of unpatched servers grew to 2%. That is not surprising, but we expected better."

Seems pretty good to me.

Tuesday, April 15, 2014

Scenes of Spring

In Focus shows Scenes of Spring "Temperatures in the northern hemisphere are finally warming, flowers are blooming, and the sunshine beckons us outside once again. On a nice spring day like today, I thought I'd share some recent colorful images of the season from Germany, Japan, Scotland, the United States, and more. [28 photos]"


2014 Pulitzer Prize Winners

Here are the 2014 Pulitzer Prize Winners. Obviously the big ones are the coverage of the Snowden leak and the Boston Marathon Bombings by the Boston Globe. Check out the others too.

Monday, April 14, 2014

Scale Model WWII Craft Takes Flight with Fuel From the Sea Concept

The US Navy announced Scale Model WWII Craft Takes Flight with Fuel From the Sea Concept.

Navy researchers at the U.S. Naval Research Laboratory (NRL), Materials Science and Technology Division, demonstrated proof-of-concept of novel NRL technologies developed for the recovery of carbon dioxide (CO2) and hydrogen (H2) from seawater and conversion to a liquid hydrocarbon fuel.

Fueled by a liquid hydrocarbon - a component of NRL's novel gas-to-liquid (GTL) process that uses CO2 and H2 as feedstock - the research team demonstrated sustained flight of a radio-controlled (RC) P-51 replica of the legendary Red Tail Squadron, powered by an off-the-shelf (OTS) and unmodified two-stroke internal combustion engine.

Using an innovative and proprietary NRL electrolytic cation exchange module (E-CEM), both dissolved and bound CO2 are removed from seawater at 92 percent efficiency by re-equilibrating carbonate and bicarbonate to CO2 and simultaneously producing H2. The gases are then converted to liquid hydrocarbons by a metal catalyst in a reactor system.

I'm not sure what the climate effects, if any, of this are, but it's pretty amazing.

Sunday, April 13, 2014

'The Simpsons' Launches On FXX With Longest Continuous Marathon Ever

'The Simpsons' Launches On FXX With Longest Continuous Marathon Ever. "This summer, the FXX network will launch 'The Simpsons' in style with a 12 day marathon, showing all 552 episodes consecutively. The marathon will start August 21st and continue through Labor Day. 'It will be the longest continuous marathon in the history of television.'"

No I will not watch it all. Thankfully it's in the summer and not during winter hibernation.

Saturday, April 12, 2014

Heartbleed

TLS and its predecessor SSL are the protocols used to encrypt Internet traffic and verify the identity of servers. It's the "S" in "HTTPS" and it's what makes the little padlock appear next to the URL in your browser. OpenSSL is an open source package that implements them and is widely used (because it's free and security programming is hard). There are other implementations that are widely used too.

Last week a bug in OpenSSL was announced. It's known as the Heartbleed bug. It's in a new feature of TLS known as a heartbeat. Since setting up a secure connection is an involved process, if one is going to be reused, it's better to keep it open. Once a connection is set up, a client sends a ping to a server and asks for a response to know it's still alive and to know to keep the connection open.

The heartbeat request includes a string of text for the server to return so the client knows it's a current response. It's kind of like kidnapping victims posing in photos with today's newspaper. Dealing with strings can be tricky with computers, so the request includes the number of characters in the string. The bug is that the server doesn't verify the stated length against the actual string length. An attacker can send a malformed request and get random memory from the server. This memory can have anything in it. xkcd explains the bug really well:

So how bad is this? It's pretty bad but maybe not for you. It's in code that runs on servers, so unless you run a web server, there isn't any software for you to upgrade.
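As an added example (not from this post or from OpenSSL), here is the missing length check described above in miniature: a C model of a heartbeat handler before and after the fix, run against a constructed 64-byte "server memory" where a made-up secret sits right after the received record. The record layout follows the TLS heartbeat extension (type, two-byte length, payload, padding); the function names, arena layout and SECRET value are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

/* Heartbeat record layout (RFC 6520): 1-byte type, 2-byte big-endian
 * payload_length, the payload, then at least 16 bytes of padding. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define ARENA_SIZE   64

/* Constructed stand-in for whatever happens to sit in server memory
 * right after the received record (not real data). */
static const char SECRET[] = "session-cookie=abc";

/* Lay out a request in `arena` whose header claims `claimed_len` payload
 * bytes while only `actual_len` were really sent, then place SECRET just
 * past the record. Returns the record length the TLS layer would report. */
static size_t build_arena(uint8_t *arena, uint16_t claimed_len, size_t actual_len)
{
    size_t rec_len = 3 + actual_len + HB_PADDING;
    memset(arena, 0, ARENA_SIZE);
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memset(arena + 3, 'A', actual_len);     /* padding bytes stay zero */
    memcpy(arena + rec_len, SECRET, sizeof SECRET);
    return rec_len;
}

/* Pre-fix behaviour: trusts the length field and copies that many bytes,
 * so a short record echoes back bytes from beyond its end. */
static size_t hb_respond_unchecked(const uint8_t *rec, uint8_t *out)
{
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);  /* never compared to rec_len */
    return 3 + payload_len;
}

/* Post-fix behaviour: header, claimed payload and minimum padding must all
 * fit inside the record actually received. Returns 0 to drop the request. */
static size_t hb_respond_checked(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;                           /* too short to even hold a header */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len)
        return 0;                           /* claimed length exceeds the record */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return 3 + payload_len;
}

/* Honest request: 4 bytes claimed, 4 bytes sent. The checked server answers
 * with a 7-byte response (3-byte header + payload). */
static size_t demo_checked_honest(void)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena, 4, 4);
    return hb_respond_checked(arena, rec_len, out);
}

/* Malformed request: 40 bytes claimed, 4 bytes sent. The checked server drops it. */
static size_t demo_checked_malformed(void)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena, 40, 4);
    return hb_respond_checked(arena, rec_len, out);
}

/* Same malformed request against the unchecked server: returns 1 if the
 * constructed SECRET shows up inside the 43-byte response. */
static int demo_unchecked_leaks(void)
{
    uint8_t arena[ARENA_SIZE], out[ARENA_SIZE];
    size_t rec_len = build_arena(arena, 40, 4);
    size_t n = hb_respond_unchecked(arena, out);
    /* SECRET starts at arena[rec_len]; response byte i mirrors arena[i] for i >= 3. */
    return n == 43 && memcmp(out + rec_len, SECRET, sizeof SECRET) == 0;
}
```

The one-line comparison in `hb_respond_checked` is the whole difference: with it, a request that claims more payload than the record carries is discarded instead of answered.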

It's also a little difficult for an attacker to exploit. An attacker can send a malformed message whenever they want, but each time they'll get back random stuff in the server's memory and they'll have to figure out what that is. It's not like they hacked in and stole the password file and can then work at cracking passwords. I've seen differing reports about what information is potentially in the vulnerable portions of a server's memory, but the latest I've seen is that it can be a lot of sensitive stuff, virtually anything.

To be on the safe side, vulnerable sites are telling their users to change their passwords, but I think there are some issues with that blanket statement.

First, it's hard to know if web sites you use have been susceptible. The Heartbleed Hit List: The Passwords You Need to Change Right Now is a list of popular sites and whether they're affected. It turns out a lot of sites I use weren't affected, like Apple, Amazon, Twitter, LinkedIn, and most banks. Google was affected but says you don't need to change your password, but it's probably a good idea. I use Google's two-factor authentication so I'm not particularly concerned (I haven't lost my phone).

Another report says that about 37,400 of the top million sites are still affected as of April 9th. To put some of that in perspective Ars said, "The top domain vulnerable to the Heartbleed bug is Kaskus, an Indonesian social media site" which I've never heard of (the web is big, and not just in English speaking countries). Of course the reason a site is not affected could be good or bad. Maybe they don't use OpenSSL, maybe they're just using an old version (opening them up to other bugs which isn't a pleasant thought). Here's a list of the top 10,000 sites as of April 8th and their vulnerability, lots of popular sites are (were) vulnerable.

Also it doesn't help to change your password until you know the site is fixed. You can check specific sites yourself with this tool. Just enter the site name and it will tell you if it's okay or not.

The Heartbleed bug was introduced into code on Dec 31, 2011 and released in OpenSSL 1.0.1 on March 14, 2012. So sites might have been affected for as long as two years. Or less, it depends when they upgraded to version 1.0.1. My sense is that if information was compromised two years ago, you probably would have seen some effect by now. If you haven't, then you're probably ok. Of course now that the bug is public, if a site hasn't been fixed in the last week it's more likely that someone is using this attack. But if you haven't logged in it's unlikely your information is in the server's memory to be retrieved.

Here's another problem and it's one reason the tech community has been so upset about Heartbleed. It turns out that Heartbleed can allow an attacker to steal a server's private key. The way a user has a password, a server has a private key. As much of a pain as it is for users to change all their passwords, for a server to change its one password it must get it signed by a certificate authority. It turns out that just four companies verify the certificates of 90% of the Internet. They're very busy right now and getting a highly secure certificate involves real world verification that the server is who it says it is (kinda like getting a bank loan and verifying all the details of your employment) and can be expensive.

With a compromised private key, some evil site could impersonate a real site, which means instead of telling the real site information like your password and shipping address, you could be telling a thief that information. Unfortunately there's no easy way to know if a site you use has updated its certificate since Heartbleed. Your browser can show you the certificate (in Safari you click on the padlock icon), but mine just shows the certificate's expiration date, not the issue date. And remember, more secure certificates take longer to get. You might make some guesses: looking now at Facebook's certificate I see it expires in exactly 1 year, so I'm guessing they just got a new one that's good for a year.

Unfortunately it gets even worse. It turns out some networking devices like VPN and switch products are vulnerable to the bug. Juniper and Cisco have issued advisories. I don't really understand the extent of this news. I know that to fix some of these devices people need to buy new hardware. I don't know if network hardware between you and a destination server could be affected and expose your information and if you could tell (though I'm guessing not).

So here's what I'm doing.

  • I checked my commonly used sites on the list and found I'm not too exposed. If you are, you should proceed more quickly.
  • I'll wait a little bit (another week or so) and then change all my passwords following the advice I wrote two years ago in Web Passwords. I'm not sure it's needed but it's good password hygiene to change them every once in a while, and it's been two years for me.
  • I'm not opening new accounts on unfamiliar (or small) web sites in the near future. Certainly not without checking their Heartbleed exposure with this tool.
  • I'm not logging into sites I have accounts at until I check their vulnerability. If I haven't logged in in a year, my info isn't in the server's memory to be stolen.
  • I'll go through this list and enable two-factor authentication on as many accounts as I can. I already do it for Google and Apple and it works great and isn't a big annoyance at all.
  • Make sure your browsers are set up to verify certificates. On a Mac that means open Keychain Access and go to its preferences and make the third tab look like this: [screenshot]

A couple of articles I've found interesting...

This seems a pretty level headed description of what it means for the average person on the Internet. Heartbleed and passwords: don’t panic.

This stackexchange posting offers a few views of what to do, Should I change all my passwords due to heartbleed.

This incident makes the case that we need to change how we fund (or currently don't fund) projects providing critical infrastructure of the Internet. How Heartbleed Broke the Internet — And Why It Can Happen Again.

While Man who introduced serious 'Heartbleed' security flaw denies he inserted it deliberately, Bloomberg reports NSA Said to Exploit Heartbleed Bug for Intelligence for Years. "The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said." I note the "two people" appear to be anonymous. However, the NSA denies it knew about Heartbleed, Statement on Bloomberg News story that NSA knew...

I'm guessing the bug was a pure accident and that the NSA probably knew about it before last week.

Here's a slightly fluffy piece, Behind the Scenes: The Crazy 72 Hours Leading Up to the Heartbleed Discovery, and a nice first hand account of an affected web service, When servers bleed.

And for fun, Why The Security Bug Heartbleed Has A Catchy Logo.

Newly Released Color Films Show The Utter Devastation Wrought By WW2

io9 shows Newly Released Color Films Show The Utter Devastation Wrought By WW2. "The Hoover Institution has just released five reels of recently restored color films taken by lieutenant colonel William P. Miller from 1943 to 1945. They provide a rare and disturbingly real glimpse into the era, including shots of the battle-scarred cities at the center of the conflict."