Saturday, April 19, 2014

Everything you need to know about economics in 297 words

Ezra Klein writes This graduation speech teaches you everything you need to know about economics in 297 words. "In 2011, Thomas Sargent won the Nobel prize in economics. But in 2007, he gave a graduation speech to Berkeley undergraduates that still stands as one of the greatest, shortest introductions to economics — and to life."

This is why Valve’s business model is so totally brilliant

Ars reveals Steam’s most popular games. "Right now, I can tell you that about 37 percent of the roughly 781 million games registered to various Steam accounts haven’t even been loaded a single time. I can tell you that Steam users have put an aggregate of about 3.8 billion hours into Dota 2. I can tell you that Steam users tend to put nearly 600 percent more time into the multiplayer mode on Modern Warfare 2 than the single player mode." Lots of graphs, assumptions and caveats as they look at which games are popular by copies bought, players and hours played. They issued this update, Steam Gauge: Addressing your questions and concerns.

I saw this via Brian Fung's article, This is why Valve’s business model is so totally brilliant. "Valve is one of the most successful game companies on the planet. It helped usher in the idea of digital distribution. The company's version of an online app store, Steam, is known for selling games made by third parties, such as Skyrim and Call of Duty. But Steam's real value lies in the way it gives independent publishers equal footing against big corporate game makers."

Towards the end he linked to this interview from 2011 which I found really fascinating, How Valve experiments with the economics of video games

What Does Sound Look Like?

There Really Are So Many More Twins Now

Alexis C. Madrigal writes in The Atlantic There Really Are So Many More Twins Now

"From about 1915, when the statistical record begins, until 1980, about one in every 50 babies born was a twin, a rate of 2 percent.  Then, the rate began to increase: by 1995, it was 2.5 percent. The rate surpassed 3 percent in 2001 and hit 3.3 percent in 2010. Now, one out of every 30 babies born is a twin."

"Older women tend to have more twins than younger women—and older women are having more of the nation's babies. The researchers found this demographic phenomenon accounted for one-third of the increase. They attributed the rest of it to the increase in infertility treatments, specifically in-vitro fertilization and "ovulation stimulation medications." "

How Americans Die

Bloomberg's How Americans Die is a really interesting graphic. By that I mean it's (1) very pretty, (2) very well laid out and (3) really interesting in how it uses several graphs each with text to slowly make a point about a complex subject.

Nevertheless, I'm not sure what that point is. It shifts between charts of mortality and number of deaths but doesn't always seem to take into account changes in population size (particularly when it concentrates on specific age ranges). But wow, it includes this fact "about a third of all deaths are people 85 and older". That's way higher than I would have expected.

How to Convince People Of Non-Obvious Things

Breast cancer screening is a serious subject that a lot of people have profound personal experiences with. It's also true that Bayes' theorem is often counterintuitive.

This article in the NEJM, Abolishing Mammography Screening Programs? A View from the Swiss Medical Board, makes the case for less mammogram screening. It includes a great graphic.

A Car on Mars

The HiRISE orbiter took a picture of Curiosity Ready to Drill for Gold at the Kimberley. The bigger image shows its tracks in the sand (seen from orbit!).

Mission-critical satellite communications wide open to malicious hacking

Ars reports Mission-critical satellite communications wide open to malicious hacking.

"Mission-critical satellite communications relied on by Western militaries and international aeronautics and maritime systems are susceptible to interception, tampering, or blocking by attackers who exploit easy-to-find backdoors, software bugs, and similar high-risk vulnerabilities, a researcher warned Thursday."

"Santamarta said that every single one of the terminals he audited contained one or more weaknesses that hackers could exploit to gain remote access. When he completed his review in December, he worked with the CERT Coordination Center to alert each manufacturer to the security holes he discovered and suggested improvements to close them. To date, Santamarta said, the only company to respond was Iridium. To his knowledge, the remainder have not yet addressed the weaknesses. He called on the manufacturers to immediately remove all publicly accessible copies of device firmware from their websites to prevent malicious hackers from reverse engineering the code and uncovering the same vulnerabilities he did."

British Pathé releases 85,000 films on YouTube

British Pathé releases 85,000 films on YouTube | The British Pathé Archive Blog "Newsreel archive British Pathé has uploaded its entire collection of 85,000 historic films, in high resolution, to its YouTube channel. This unprecedented release of vintage news reports and cinemagazines is part of a drive to make the archive more accessible to viewers all over the world."

Friday, April 18, 2014

HeartBleed in the Wild

SucuriBlog reports on HeartBleed in the Wild

"After 10 days of massive coverage, we expected to see every server out there patched against it. To confirm our expectations, we scanned every web site listed in the Alexa top 1 million rank. Yes, we scanned the top web sites in the world to see how many were still infected.

The results were interesting:

  • Top 1,000 sites: 0 sites vulnerable (all of them patched)
  • Top 10,000 sites: 53 sites vulnerable (only 0.53% vulnerable)
  • Top 100,000 sites: 1595 sites vulnerable (1.5% still vulnerable)
  • Top 1,000,000 sites: 20320 sites vulnerable (2% still vulnerable)

We were glad to see that the top 1,000 sites in the world were all properly patched, and that just 0.53% of the top 10k still had issues. However, as we went to less popular (and smaller) sites, the number of unpatched servers grew to 2%. That is not surprising, but we expected better."

Seems pretty good to me.

Tuesday, April 15, 2014

Scenes of Spring

In Focus shows Scenes of Spring "Temperatures in the northern hemisphere are finally warming, flowers are blooming, and the sunshine beckons us outside once again. On a nice spring day like today, I thought I'd share some recent colorful images of the season from Germany, Japan, Scotland, the United States, and more. [28 photos]"


2014 Pulitzer Prize Winners

Here are the 2014 Pulitzer Prize Winners. Obviously the big ones are the coverage of the Snowden leak and the Boston Marathon Bombings by the Boston Globe. Check out the others too.

Monday, April 14, 2014

Scale Model WWII Craft Takes Flight with Fuel From the Sea Concept

The US Navy announced Scale Model WWII Craft Takes Flight with Fuel From the Sea Concept

Navy researchers at the U.S. Naval Research Laboratory (NRL), Materials Science and Technology Division, demonstrated proof-of-concept of novel NRL technologies developed for the recovery of carbon dioxide (CO2) and hydrogen (H2) from seawater and conversion to a liquid hydrocarbon fuel.

Fueled by a liquid hydrocarbon - a component of NRL's novel gas-to-liquid (GTL) process that uses CO2 and H2 as feedstock - the research team demonstrated sustained flight of a radio-controlled (RC) P-51 replica of the legendary Red Tail Squadron, powered by an off-the-shelf (OTS) and unmodified two-stroke internal combustion engine.

Using an innovative and proprietary NRL electrolytic cation exchange module (E-CEM), both dissolved and bound CO2 are removed from seawater at 92 percent efficiency by re-equilibrating carbonate and bicarbonate to CO2 and simultaneously producing H2. The gases are then converted to liquid hydrocarbons by a metal catalyst in a reactor system.

I'm not sure what the climate effects, if any, of this are but it's pretty amazing.

Sunday, April 13, 2014

'The Simpsons' Launches On FXX With Longest Continuous Marathon Ever

'The Simpsons' Launches On FXX With Longest Continuous Marathon Ever "This summer, the FXX network will launch 'The Simpsons' in style with a 12 day marathon, showing all 552 episodes consecutively. The marathon will start August 21st and continue through Labor Day. 'It will be the longest continuous marathon in the history of television.'"

No I will not watch it all. Thankfully it's in the summer and not during winter hibernation.

Saturday, April 12, 2014

Heartbleed

TLS and its predecessor SSL are the protocols used to encrypt Internet traffic and verify the identity of servers. It's the "S" in "HTTPS" and it's what makes the little padlock appear next to the URL in your browser. OpenSSL is an open source package that implements them and is widely used (because it's free and security programming is hard). There are other implementations that are widely used too.

Last week a bug in OpenSSL was announced. It's known as the Heartbleed bug. It's in a new feature of TLS known as a heartbeat. Since setting up a secure connection is an involved process, it's better to keep one open if it's going to be reused. Once a connection is set up, a client periodically sends a ping to the server and asks for a response, both to know the server is still alive and to signal that the connection should stay open.

The heartbeat request includes a string of text for the server to return so the client knows it's a current response. It's kind of like kidnapping victims posing in photos with today's newspaper. Dealing with strings can be tricky for computers, so the request also includes the number of characters in the string. The bug is that the server doesn't verify the stated length against the actual length of the string it received. An attacker can send a malformed request that states a length far larger than the string it carries and get back whatever happened to be in the server's memory after that string. This memory can have anything in it. xkcd explains the bug really well.
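The missing length check described above, as an added example that is not OpenSSL's code: a cut-down heartbeat handler with a switch between the pre-fix logic (trust the stated length) and the bounds check the patch added, run against a constructed record that claims 64 payload bytes but carries 2. The record layout (type byte, two-byte length, payload, padding) follows RFC 6520; the "server memory" array and the secret sitting next to the record are constructed sample data.

```c
#include <stdint.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: a heartbeat carries at least 16 bytes of padding */

/* Builds the heartbeat response for a received record (rec, rec_len bytes
 * actually received) into out. Returns the number of payload bytes echoed,
 * or -1 when the request is discarded. check=0 reproduces the pre-fix logic
 * that trusted the stated length; check=1 adds the bounds check from the fix. */
static int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_len, int check)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];   /* length the sender claims */

    /* The fix: header + claimed payload + minimum padding must fit inside the
     * record that really arrived; a request that fails this is silently dropped. */
    if (check && 1 + 2 + payload + HB_PADDING > rec_len)
        return -1;
    if (1 + 2 + payload + HB_PADDING > out_len)
        return -1;                                     /* response buffer too small */

    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    /* Without the check this copies `payload` bytes from the request payload
     * onward, running past the end of the record into whatever happens to sit
     * next to it in memory. That over-read is the Heartbleed leak. */
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)payload;
}

/* Constructed "server memory": a 21-byte request whose header claims `claimed`
 * payload bytes but carries 2, followed by data from some other connection.
 * Keeping everything in one array keeps the over-read well-defined C for the demo. */
#define REQ_LEN (1 + 2 + 2 + HB_PADDING)
static const char SECRET[] = "password=hunter2";     /* constructed sample value */

static size_t build_memory(uint8_t *mem, size_t mem_len, uint16_t claimed)
{
    memset(mem, 0, mem_len);
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    mem[3] = 'h'; mem[4] = 'i';                        /* the real 2-byte payload */
    memcpy(mem + REQ_LEN, SECRET, sizeof SECRET - 1);  /* neighbouring data */
    return REQ_LEN;                                    /* bytes really received */
}

/* 1 if the unpatched logic echoes the neighbouring secret back to the sender. */
int leaks_without_check(void)
{
    uint8_t mem[128], out[128];
    size_t n = build_memory(mem, sizeof mem, 64);
    int echoed = heartbeat_respond(mem, n, out, sizeof out, 0);
    /* mem[REQ_LEN..] lands at out[REQ_LEN..]: both sides skip a 3-byte header */
    return echoed == 64 && memcmp(out + REQ_LEN, SECRET, sizeof SECRET - 1) == 0;
}

/* 1 if the patched logic discards the same malformed request. */
int rejected_with_check(void)
{
    uint8_t mem[128], out[128];
    size_t n = build_memory(mem, sizeof mem, 64);
    return heartbeat_respond(mem, n, out, sizeof out, 1) == -1;
}

/* 1 if a well-formed request (claimed length matches) is still answered. */
int valid_request_answered(void)
{
    uint8_t mem[128], out[128];
    size_t n = build_memory(mem, sizeof mem, 2);
    int echoed = heartbeat_respond(mem, n, out, sizeof out, 1);
    return echoed == 2 && out[3] == 'h' && out[4] == 'i';
}
```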

So how bad is this? It's pretty bad but maybe not for you. It's in code that runs on servers, so unless you run a web server, there isn't any software for you to upgrade.

It's also a little difficult for an attacker to exploit. An attacker can send a malformed message whenever they want, but each time they'll get back random stuff in the server's memory and they'll have to figure out what that is. It's not like they hacked in and stole the password file and can then work at cracking passwords. I've seen differing reports about what information is potentially in the vulnerable portions of a server's memory, but the latest I've seen is that it can be a lot of sensitive stuff, virtually anything.

To be on the safe side, vulnerable sites are telling their users to change their passwords, but I think there are some issues with that blanket statement.

First, it's hard to know if web sites you use have been susceptible. The Heartbleed Hit List: The Passwords You Need to Change Right Now is a list of popular sites and whether they're affected. It turns out a lot of sites I use weren't affected, like Apple, Amazon, Twitter, LinkedIn, and most banks. Google was affected but says you don't need to change your password, but it's probably a good idea. I use Google's two-factor authentication so I'm not particularly concerned (I haven't lost my phone).

Another report says that about 37,400 of the top million sites are still affected as of April 9th. To put some of that in perspective Ars said, "The top domain vulnerable to the Heartbleed bug is Kaskus, an Indonesian social media site" which I've never heard of (the web is big, and not just in English speaking countries). Of course the reason a site is not affected could be good or bad. Maybe they don't use OpenSSL, maybe they're just using an old version (opening them up to other bugs, which isn't a pleasant thought). Here's a list of the top 10,000 sites as of April 8th and their vulnerability; lots of popular sites are (were) vulnerable.

Also it doesn't help to change your password until you know the site is fixed. You can check specific sites yourself with this tool. Just enter the site name and it will tell you if it's okay or not.

The Heartbleed bug was introduced into code on Dec 31, 2011 and released in OpenSSL 1.0.1 on March 14, 2012. So sites might have been affected for as long as two years. Or less, it depends when they upgraded to version 1.0.1. My sense is that if information was compromised two years ago, you probably would have seen some effect by now. If you haven't, then you're probably ok. Of course now that the bug is public, if a site hasn't been fixed in the last week it's more likely that someone is using this attack. But if you haven't logged in it's unlikely your information is in the server's memory to be retrieved.

Here's another problem and it's one reason the tech community has been so upset about Heartbleed. It turns out that Heartbleed can allow an attacker to steal a server's private key. Just as a user has a password, a server has a private key. As much of a pain as it is for users to change all their passwords, for a server to change its one password it must get the new key signed by a certificate authority. It turns out that just four companies verify the certificates of 90% of the Internet. They're very busy right now, and getting a highly secure certificate involves real world verification that the server is who it says it is (kinda like getting a bank loan and verifying all the details of your employment) and can be expensive.

With a compromised private key, some evil site could impersonate a real site, which means instead of telling the real site information like your password and shipping address, you could be telling a thief that information. Unfortunately there's no easy way to know if a site you use has updated its certificate since Heartbleed. Your browser can show you the certificate (in Safari you click on the padlock icon) but mine just shows the certificate's expiration date, not the issue date. And remember, more secure certificates take longer to get. You might make some guesses: looking now at Facebook's certificate I see it expires in exactly 1 year, so I'm guessing they just got a new one that's good for a year.

Unfortunately it gets even worse. It turns out some networking devices like VPN and switch products are vulnerable to the bug. Juniper and Cisco have issued advisories. I don't really understand the extent of this news. I know that to fix some of these devices people need to buy new hardware. I don't know if network hardware between you and a destination server could be affected and expose your information and if you could tell (though I'm guessing not).

So here's what I'm doing.

  • I checked my commonly used sites on the list and found I'm not too exposed. If you are, you should proceed more quickly.
  • I'll wait a little bit (another week or so) and then change all my passwords following the advice I wrote two years ago in Web Passwords. I'm not sure it's needed but it's good password hygiene to change them every once in a while, and it's been two years for me.
  • I'm not opening new accounts on unfamiliar (or small) web sites in the near future. Certainly not without checking their Heartbleed exposure with this tool.
  • I'm not logging into sites I have accounts at until I check their vulnerability. If I haven't logged in in a year, my info isn't in the server's memory to be stolen.
  • I'll go through this list and enable two-factor authentication on as many accounts as I can. I already do it for Google and Apple and it works great and isn't a big annoyance at all.
  • Make sure your browsers are set up to verify certificates. On a Mac that means opening Keychain Access, going to its preferences and enabling certificate verification on the third tab.

A couple of articles I've found interesting...

This seems a pretty level headed description of what it means for the average person on the Internet. Heartbleed and passwords: don’t panic.

This stackexchange posting offers a few views of what to do, Should I change all my passwords due to heartbleed.

This incident makes the case that we need to change how we fund (or currently don't fund) projects providing critical infrastructure of the Internet. How Heartbleed Broke the Internet — And Why It Can Happen Again.

While Man who introduced serious 'Heartbleed' security flaw denies he inserted it deliberately, Bloomberg reports NSA Said to Exploit Heartbleed Bug for Intelligence for Years. "The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said." I note the "two people" appear to be anonymous. However, the NSA denies it knew about Heartbleed, Statement on Bloomberg News story that NSA knew...

I'm guessing the bug was a pure accident and that the NSA probably knew about it before last week.

Here's a slightly fluffy piece, Behind the Scenes: The Crazy 72 Hours Leading Up to the Heartbleed Discovery and a nice first hand account of an affected web service, When servers bleed

And for fun, Why The Security Bug Heartbleed Has A Catchy Logo

Newly Released Color Films Show The Utter Devastation Wrought By WW2

io9 shows Newly Released Color Films Show The Utter Devastation Wrought By WW2 "The Hoover Institution has just release five reels of recently restored color films taken by lieutenant colonel William P. Miller from 1943 to 1945. They provide a rare and disturbingly real glimpse into the era, including shots of the battle-scarred cities at the center of the conflict."

Friday, April 11, 2014

Senate Report on CIA Torture Leaked

McClatchy got a leaked copy of the Senate Torture Report, CIA’s use of harsh interrogation went beyond legal authority, Senate report says.

Spencer Ackerman covers the politics of it, CIA and White House under pressure after Senate torture report leaks.

If this were a West Wing episode, the White House would already be taking the lead on this.

The SEC's just been caught colluding with the banks it's supposed to regulate

Matthew Yglesias wrote in Vox, The SEC's just been caught colluding with the banks it's supposed to regulate

"Reuters finance blogger Felix Salmon had a post earlier this week headlined 'Yes, the SEC was colluding with banks on CDO prosecutions.' This ought to be huge news. The Securities and Exchange Commission is one of the main agencies that's supposed to be regulating Wall Street. But they've been essentially caught red handed working together with Goldman Sachs to make it look like Goldman was paying a huge fine when really they're paying a small one. Sadly, though, the story probably won't get much attention from the general public because the CDO prosecution issue is a little obscure and it hasn't really been in the news for years."

"What is now looking clearer and clearer is that the settlements were not as advertised. The banks paid money — in Goldman Sachs' case $550 million — not to settle one CDO suit, but to settle all the CDO suits. So rather than Goldman paying $550 million for wrongdoing around the Abacus CDO and then facing 10 more charges related to 10 other suspicious CDOs, it was paying a price of $55 million per CDO to settle all 11 cases. Except the SEC didn't want to look like it was letting the banks get away with a slap on the wrist, so it worked out an arrangement whereby both sides would publicly act as if only one case had been settled while agreeing under the table that all claims were now resolved."

Sparkly Mints May Help Explain Puzzling “Earthquake Lights”

Sparkly Mints May Help Explain Puzzling “Earthquake Lights”.

In a recent study by scientists at Rutgers University, researchers found that clumps of granular particles can spontaneously generate electrical voltages just before they break apart into smaller clumps. They first demonstrated the effect by grinding up Tylenol into a fine powder and putting the grains in a slowly spinning cylinder. As the powder stuck to the sides, clumped, and spun, it would reach a certain height and then break up in a mini-avalanche back down to the bottom of the cylinder. Each time it did, it briefly generated 100 volts. That voltage spike sometimes happened as many as five seconds before the actual avalanche occurred. They then showed something even stranger: that the effect worked with a huge range of insulating materials, from plastic disks to glass beads to baking flour. This, they argue, could be what’s causing the lights that people see just before earthquakes.

The authors of the paper acknowledge that this is a very strange effect. “If you take a Tupperware container filled with flour and tip the container, when the flour shifts, voltages of around 100 volts inexplicably appear,” lead researcher Troy Shinbrot told Charles Choi at Our Amazing Planet. “Except for the fact that we cannot get these voltages to go away, I would call this ‘crackpot physics,’ and even as it is, I wish I could hedge my bets, but the voltages are very repeatable, and we have so far failed to account for a spurious influence that might cause them.”

What Do the Koch Brothers Want?

Senator Bernie Sanders of Vermont posted What Do the Koch Brothers Want?. "In 1980, David Koch ran as the Libertarian Party’s vice-presidential candidate in 1980." He's posted the 1980 Libertarian Party platform, which is quite the read. In short they want to abolish:

  • Federal campaign finance laws
  • Medicare, Medicaid and all regulations of medical insurance
  • Social Security
  • Welfare and all "aid to the poor programs"
  • all income taxes (personal and corporate)
  • minimum wage laws
  • all public schools and compulsory education laws
  • all taxes on private schools
  • the FEC, EPA, DoE, DoT, FAA, FDA, CPSC, USPS
  • public roads, highways, inland waterways

Sanders says "And because of the disastrous Citizens United Supreme Court decision, they now have the power to spend an unlimited amount of money to buy the House of Representatives, the Senate, and the next President of the United States."

Now John Roberts would say, that's fine, they can want these things and they can make their case to the public as much as they want and in elections people can decide for themselves if they want these things too. But I wonder, if money equals speech and they have $80 billion speech-bucks, who's going to speak up against them? Who can?

Thursday, April 10, 2014

The DATA Act just passed the Senate. Here’s why that matters.

The Switch reports The DATA Act just passed the Senate. Here’s why that matters.

"'The DATA Act takes a structured data model that has delivered unprecedented accountability in stimulus expenditures and applies it across all domains of federal spending,' says Data Transparency Coalition Executive Director Hudson Hollister, who drafted the initial version of the DATA Act in 2011. 'The DATA Act will turn federal spending information into open spending data – a valuable new public resource that strengthens democratic accountability and spurs innovation.'"

"The final language also requires everything the federal government spends at the appropriations account level to be published on USASpending.gov, with the exception of classified material and information that wouldn't be revealed in response to a Freedom of Information Request. One amendment, added earlier Thursday, gives the Department of Defense the option to request extensions on its implementation of the bill's requirements."

2012 Saw More Babies Named Khaleesi Than Betsy or Nadine

Vox reports Before Game of Thrones, no one named babies "Khaleesi." In 2012, it beat the name "Betsy."

"According to data from the Social Security Administration, there were 21 newborns in 2012 named 'Daenerys,' which was never used enough in previous years to show up in official counts (for privacy reasons, the SSA only releases numbers for names used five or more times in a given year).

But wee baby Daeneryses were dramatically outnumbered by newborns named 'Khaleesi' — the title Targaryen earned when she married Dothraki leader (or 'Khal') Drogo. 146 'Khaleesi's were born in 2012, making it more popular as a full name than 'Betsy' or 'Nadine':"

LHC makes clear identification of a weird particle made of four quarks

Ars Technica reports LHC makes clear identification of a weird particle made of four quarks "With that much data, physicists were able to determine the composition of the Z(4430)-: it consists of a charm quark, a charm anti-quark, a down quark, and an up antiquark. The '4430' part of the name indicates its mass: 4,430 million electron-volts, which is a little more than four times the mass of a proton (938 million electron volts). The combination of quarks gives the Z(4430)- a negative electric charge, hence the '-' in the label. The particle is highly unstable, so none of them are expected to be seen in nature."

Smithsonian Magazine's 2013 Photo Contest

Smithsonian Magazine's 2013 Photo Contest - In Focus - The Atlantic "The editors of Smithsonian magazine have just announced the 60 finalists in their 11th annual photo contest. They've kindly allowed me to share several of these images here, including some great shots from each of the competition's six categories: The Natural World, Travel, People, Americana, Altered Images and Mobile, a new category this year. Be sure to visit the contest page at Smithsonian.com to see all the finalists, and vote in the Reader's Choice Awards as well. [16 photos]"

I don't know how people will pick, they're all amazing in different ways.


Wednesday, April 09, 2014

Beth Israel to use Google Glass throughout emergency room

The Boston Globe writes Beth Israel to use Google Glass throughout emergency room

"A patient with bleeding in the brain told Horng he was allergic to certain blood pressure drugs — which the doctor needed to slow the hemorrhage — but didn’t know which ones. Horng had little time to leaf through the man’s medical files or search for records on a computer, but with Google Glass, he didn’t have to. Instead he quickly called up the patient’s information on the device’s tiny screen and saved his life with the correct medication."

"Beth Israel has begun posting QR codes on the doorways to patients’ rooms. Each code is unique to that patient, linked to his records that are stored on the hospital’s electronic database. Before entering the room, the Beth Israel doctor can scan the QR code with his Glass, and the patient’s information is promptly displayed on the screen."

Sounds pretty cool if it can in fact display enough info to be useful and can be used while having a natural conversation with the patient or while performing treatments. The article says they've practiced both for a few months and are perfecting them.