User Journal

Journal Journal: Star Trek meets Candyland 5


The other day my family was playing Candyland. Our daughter was getting into it so I started playing some classic Star Trek fight music.
The music ends just as she advances to GLORIOUS VICTORY!

YouTube video here

It's awesome, not that I'm biased... :)
Bug

Journal Journal: Slashdot link weirdness solved: rogue link tracker 5

In the last week or two links to external sites on Slashdot generally don't seem to work unless I click several times. This only appears to happen on Firefox... Chrome is unaffected. I haven't tried IE, Safari, or any other browser. Finally fed up with it, I decided to look through the javascript to see if there was anything funky going on. Looks like there's a script being included from leads.demandbase.com that defines some kind of click tracker. Here's a snippet:

    else if(a[i].className.match(/clicky_log_outbound/i)){clicky.add_event(a[i],"mousedown",clicky.outbound);}else{clicky.add_event(a[i],"mousedown",clicky.click);

So if you find you've oddly had to click a few times to RTFA, it's not your mouse button dying. Open up adblock and disable everything from leads.demandbase.com and it will be fixed. Links clicked once in Firefox will properly load as they used to. Thanks Slashdot for using an external company for tracking my click behavior. Though perhaps implementing this poorly is Taco's way of giving us a heads-up. Much like the "Idle" section, his overlords may have mandated the addition of this awesomeness to the site and by making it break it alerts us to what we need to block. In which case, a non-sarcastic thanks is due.

I also found this wonderful gem:

    function pageload_done( $, console, maybe ){
        pageload.after_readycode = (new Date).getTime();
        pageload.content_ready_time = pageload.content_ready - pageload.before_content;
        pageload.script_ready_time = pageload.after_readycode - pageload.content_ready;
        pageload.ready_time = pageload.after_readycode - pageload.before_content;
        // Only report 1% of cases.
        maybe || (Math.random()>0.01) || $.ajax({ data: {
            op: 'page_profile',
            pagemark: pageload.pagemark,
            dom: pageload.content_ready_time,
            js: pageload.script_ready_time
        } });
    }

Unless my javascript is really rusty, won't this report 99% of cases?

Anyway, pass this information on so everyone can RTFA without the hassle.

User Journal

Journal Journal: Why The Encryption Back Door Proposals are Bad (Technically) 2

Permission is hereby granted to distribute modified or unmodified copies of this content far and wide. I, the author, do request though do not require that the link to the New York Times story is preserved in any redistribution, however.

(Copyright (c) 2010, Chris Travers)

The New York Times has reported today that the Obama Administration is seeking legislation to require backdoors into encryption software that could be used for wiretapping. I believe this is deeply problematic for both technical and social reasons, but the technical reasons are probably the worst. Because this area is not well covered in the existing articles, I figure it's worth giving a quick primer here.

  Types of Encryption

The simplest form of encryption is what's called symmetric encryption. It comes in various forms, some simpler than others, but the basic process is conceptually simple. Two parties share a secret. One party takes the message and encodes that message with the shared secret, and the other party decodes it using that same shared secret. This encryption is reversible and the key is the same on both sides.

A trivial example might include what we think of as ROT-13 (used for obfuscation) where every letter is rotated 13 places forward. So "this is a sample message" becomes "guvf vf n fnzcyr zrffntr." Of course such a cypher is easily broken, but there are very good quality symmetric cyphers available, such as AES.

The real problem with symmetric cyphers is that they require that both sides know the same key before encrypted communication begins. If you are communicating with a lot of third parties, you would find you'd either have to publish the key (making sure everyone else could decrypt the same messages!) or find some way of getting the keys to the other parties in advance. This obviously renders this form of encryption useless for initiating secure communications with individuals one has never met.

To solve this problem, public key encryption was designed. Public key encryption uses two keys, called a public key and a private key. Knowledge of the public key is not sufficient to derive the private key through any sort of feasible process, and these keys are usually very long (AES may be 256 or even 512 bits long, but public/private key pairs are often 1024, 2048, or 4096 bits long per key), making brute force even harder (since the public key is expected to be publicly available).

The public key is then published and the private key is retained. A user can then look up a public key, encrypt a message with it, and only the holder of the private key can decrypt it. Similarly a private key holder can sign a cryptographic hash of a message and anyone with the public key can validate this "digital signature." (A cryptographic hash is another form of encryption which is one-way, and is used in document validation, tamper-proofing, and password checking.)

Public key encryption depends on the idea that ONLY the appropriate party has the private key. When you make a secure purchase on, say, Amazon.com, Amazon sends you their public key, and you and they use this to negotiate a symmetric cypher (probably using AES or RC4). In this way you know the key was properly exchanged and eavesdropping on this sale by criminals is not possible. When you enter your credit card data, it is not intercepted by criminals. Protection of the private key is very, very important to this process, but even knowing the private key does not enable you to eavesdrop on a conversation in process since that's done with a symmetric cypher.

SSL, PGP, IPSec Opportunistic Encryption, and related technologies all use asymmetric encryption, but the differences tend to be in how keys are published and who is vouching for them. SSL is designed so that you know who you are talking to because a third party (like Verisign) is vouching for the identity of the server.

Problems with Backdoors in Public Key Encryption

To effectively wiretap public-key-based communications, you have to have access to the private key, or you have to tap them post-decryption. Tapping post-decryption works fine in some contexts, such as what you are purchasing at Amazon.com. However, it does not properly work when trying to capture the content of encrypted emails, since these are usually encoded with the recipient's private key. Communications encrypted in this way are not generally vulnerable to interception in the middle. Moreover, communication itself could include encrypted files as attachments and such which could be handled entirely outside the flow of the program (I can encrypt a file and then attach it and my email program doesn't care if it is encrypted).

There isn't a real way to retrofit peer to peer communications programs to allow this sort of interception without compromising the core of how encryption works. A company may maintain their own certificate authority and use it to publish keys for internal company communications. A person taking a company laptop home may then use those certificates to encrypt emails. There is no way to intercept the content of these communications without requiring that the company keep copies of all private keys, thus compromising their own security. Similarly, if I email out an OpenPGP key or an OpenSSH key, these are not sufficient to wiretap the communications that would be encrypted using those keys. The only way out would be to require the makers of the software to include a facility sending the private key to some sort of escrow service which could then provide the key to law enforcement, but this compromises the basic integrity of the software, and any attempt on open source programs could be easily circumvented.

Consequently, this doesn't actually affect the sorts of technologies an organized crime ring is likely to use. Instead it makes each of us more vulnerable to government spying, and it makes key data, such as credit card data, far more accessible to criminals.

Such a law would thus benefit organized crime at the expense of the average consumer. It's an unbelievably bad idea no matter how you look at it.
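The escrow arrangement described in the encryption journal above, as an added example that is not part of the original journal entry: each message is encrypted with a random session key protected by the recipient's public key, and a mandated escrow database holds a copy of every private key. The key pairs are constructed toy RSA keys built from publicly known Mersenne primes, a SHA-256 keystream stands in for AES so only the standard library is needed, and all names (`escrow_db`, `alice`, `bob`) are hypothetical.

```python
import hashlib
import secrets

E = 65537  # common RSA public exponent


def make_keypair(p_exp, q_exp):
    """Toy RSA key pair from two Mersenne primes (2**k - 1).

    Constructed for the demo: these primes are public knowledge, so the
    resulting keys are NOT secure. Real keys use random secret primes.
    """
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return {"n": n, "e": E}, {"n": n, "d": d}


def _session_key(r, n):
    """Derive a 256-bit symmetric key from the RSA-protected random value r."""
    return hashlib.sha256(r.to_bytes((n.bit_length() + 7) // 8, "big")).digest()


def _keystream_xor(key, nonce, data):
    """Stand-in symmetric cipher: SHA-256 in counter mode, used instead of AES.

    XOR with the keystream is its own inverse, so this both encrypts and decrypts.
    """
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], pad))
    return bytes(out)


def encrypt_to(public, plaintext):
    """Hybrid encryption: only the matching private key can recover r."""
    r = secrets.randbelow(public["n"])
    nonce = secrets.token_bytes(16)
    return {
        "wrapped": pow(r, public["e"], public["n"]),
        "nonce": nonce,
        "body": _keystream_xor(_session_key(r, public["n"]), nonce, plaintext),
    }


def decrypt_with(private, message):
    """Recover r with a private key, re-derive the session key, decrypt."""
    r = pow(message["wrapped"], private["d"], private["n"])
    key = _session_key(r, private["n"])
    return _keystream_xor(key, message["nonce"], message["body"])


def escrow_demo():
    alice_pub, alice_priv = make_keypair(521, 607)
    bob_pub, bob_priv = make_keypair(607, 1279)

    # Mandated escrow: the software sends every private key to one database.
    escrow_db = {"alice": alice_priv, "bob": bob_priv}

    # Constructed sample traffic, each message encrypted to its recipient.
    traffic = [
        ("alice", encrypt_to(alice_pub, b"constructed sample: order for alice")),
        ("bob", encrypt_to(bob_pub, b"constructed sample: memo for bob")),
    ]

    # Anyone holding a copy of escrow_db reads every recipient's mail ...
    read_by_escrow_holder = [decrypt_with(escrow_db[to], m) for to, m in traffic]
    # ... while a different user's private key yields only garbage.
    read_with_wrong_key = decrypt_with(bob_priv, traffic[0][1])
    return read_by_escrow_holder, read_with_wrong_key


if __name__ == "__main__":
    recovered, wrong = escrow_demo()
    print("escrow holder recovers:", recovered)
    print("wrong key recovers plaintext:", wrong == recovered[0])
```

The escrow database is the single point of failure: its holder needs nothing else to read all stored or intercepted traffic for every escrowed user.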

User Journal

Journal Journal: "I could care less"

It's amazing how people try to rationalize away the phrase "I could care less", much in the same way that Star Wars apologists try to rationalize the use of parsecs when talking about the Kessel Run. Maybe there are black holes to navigate around, and minimizing the distance is the sign of a good pilot, or maybe this, or maybe that... or maybe George Lucas just made a mistake, you know?

So when it comes to people rationalizing away "I could care less" as being some nonchalant way of saying "yeah, I could but I'm not going to bother" I just don't buy it. It's a misquote of the perfectly unambiguous phrase "I couldn't care less". So when I stumbled across a rationalization of that, my mind wandered upon what I think is a pretty damned good analogy of why it doesn't make sense: I could eat more.

Republicans

Journal Journal: Critics of Tea Party Movement Miss the Big Picture 8

Many commentators seem to believe that the Tea Party represents a net minus for the GOP because of the split between them and the existing establishment. This criticism seems oddly familiar to me. Many people predicted that the drawn out fight between Hillary and Obama would be the death of the Democrats in 2008. As it turned out, that extended fight kept them in the news for months and built up the ground networks that helped Obama carry the day in states that would normally be out of reach for a Democrat. Take Indiana, where Obama carried the state by ~28k votes. Does that happen without the ground operation built for the primary and the name recognition/publicity gained from it? Impossible to say, but I think it's clear that the intra-party squabbling was a net positive for the Democrats in the end.

It seems likely to me that the Tea Party will have the same impact on the GOP. They may well prove to be a net minus in selected races (Delaware) but the enthusiasm they've generated and the new people they've brought into the political process will more than balance that out come November.

User Journal

Journal Journal: Here comes the tidal wave..... 1

Worked the NYS primary election today. We had higher turnout for this mid-term primary than I've ever seen -- more than we did for the Presidential Primary in 2008. I'm only one poll worker in a single district but I've never seen this kind of enthusiasm for a primary before. We had 44% turnout for our GOP voters and 30% for the Democrats.

Paladino looks to have crushed Rick Lazio. I called this race at 10pm -- Paladino ran up a much higher margin (93% in Erie and Niagara counties, all districts reporting) with his base than Lazio did with his (60-65% in Suffolk and Nassau counties, 60% of districts reporting). Paladino beat Lazio in some downstate counties (Dutchess and Orange) that should have been more familiar with Lazio. He looks to have edged him out with 50-55% of the vote in most other upstate counties, though we'll have to wait for tomorrow for the final numbers.

With this kind of turnout for a primary I'm betting that November is going to be huge. It wouldn't surprise me if we beat our numbers for 2008 -- we had a 60% turnout that year.

User Journal

Journal Journal: Misinformation Abounds regarding Vaccines and California Whooping Cough Epidemic 2

I have had a great laugh doing some research online (various sites) to try to figure out why this year's whooping cough epidemic is happening in California. It is amazing the amount of misinformation I have found. Pro-vaccine people are blaming it on anti-vaccine people (false, see below), and Anti-vaccine people are blaming it on the vaccine (also wrong). Some people are even blaming it on illegal immigration. As best as I can tell this is because the whooping cough vaccine is different from the vaccines of, say, Polio or Measles, and people try desperately hard to fit it into their agenda even when it doesn't fit. In my reading I have learned a lot about a type of vaccines I never really paid attention to. I figure it's time to set everyone straight.

The NPR article above is particularly laughable (really, NPR does enough good reporting they should know better) because they say whooping cough was once "wiped out." Not so, says the CDC.

Most vaccines against serious illnesses are called "live attenuated virus" vaccines. These include MMR and Polio, and basically the idea is you give the body a weak version of the virus so it develops an immune response against a stronger version. Usually with appropriate doses, these provide permanent immunity, but there are rare cases where the virus can revert, so it is possible to get full-blown measles from the MMR vaccine, though once again this is rare. These are the vaccines which produce herd immunity.

It turns out that whooping cough vaccine is a different kind of vaccine altogether and in fact individuals are not actually vaccinated against the bacteria that cause the disease at all. Instead, the vaccine is against a toxin that is excreted by the bacteria, and that toxin, called an exotoxin, is what causes respiratory damage. The theory is that this way if you get the illness, your body will have a head start at damage control (by attacking and neutralizing the exotoxin) and so you won't get very sick. So the vaccine is a dose of denatured bacterial exotoxins, called toxoids, that your body can develop antibodies to. Other toxoid vaccines include tetanus and diphtheria. While it is possible to be allergic to an acellular toxoid vaccine like this one, it is entirely impossible to get the disease from it because there are no live (or even dead) microbes in the vaccine itself. Whooping cough, or pertussis, vaccine is usually given with diphtheria and tetanus toxoid vaccines together either as a DTaP or a Tdap depending on age of the individual, but adult vaccinations are rare.

One interesting feature about toxoid vaccines is that they don't actually provide direct immunity against the disease at all because the targets of antibody production aren't on the envelope of the microbe. Instead they work by reducing the severity (and length) of the illness. In short, they don't keep you from getting sick. They just keep you from getting extremely sick. Consequently most people reading this could still get diphtheria this winter, or whooping cough, and could even spread it, but you probably wouldn't know you were carrying a serious illness. In short these vaccines provide absolutely no herd immunity at all, though they may provide some epidemiological benefits in terms of reducing the number of individuals infected by a single person (the downside of course is that it makes diagnosis and monitoring much harder--- we simply don't have any idea, for example, how many minor cases of whooping cough or diphtheria actually occur every year. We just know they don't get sick enough to be diagnosed).

Yet the news media and many "experts" still talk about herd immunity from this vaccine. Indeed while the CDC recommends adults be vaccinated, they state clearly that herd immunity is not a direct factor and that it's not a simple choice.

And while it is not believed that whooping cough has an asymptomatic carrier state, diphtheria is shown to have one, particularly in vaccinated adults. (One possibility worth considering is that asymptomatic means just that, so even mild symptoms, such as those resembling the common cold could be a symptomatic carrier state.)

So the picture that emerges is that whooping cough vaccine prevents death and long, tiring illnesses in children, but doesn't stop the bug from circulating. So it's probably a good thing for kids to have. However, whooping cough is also very much out of control and not just this year, as the CDC admits.

Furthermore I have come to realize that a few times in the last decade I've gotten this cough which lasts a few weeks and then mostly goes away, except for periodic, very heavy coughing, and with no symptoms in between. In these cases, sometimes I have been diagnosed with asthma but the inhalers don't seem to help much (so I go back to using an herbal remedy which seems to work very well, but it is rather non-standard). This lasts a few more months, and then goes away. My current thinking is that my son probably picked up whooping cough at school and I picked it up from him. Since he was vaccinated, he only seemed to have the common cold, but I got something a bit worse.

This specific vaccine isn't about herd immunity, but rather reducing the severity of a serious childhood illness. It doesn't contain microbes, live or otherwise, and while it may reduce the spread of the illness there isn't sufficient data to know the extent of this. This particular vaccine is almost certainly worth giving to most kids. However, there is no benefit that non-vaccinated individuals get from those who are vaccinated in this case.

Whooping cough cycles come and go every few years. This is no different. While hospitalizations may be preventable with the vaccine, its spread is probably not.

User Journal

Journal Journal: Thanks for the gift subscription! 6

I just received mail notification that a fellow user has bought me a gift subscription to slashdot. I'm already friends/fans with the person but his email address isn't visible so I can't thank the person off-/. (wimp, change your privacy settings and deal with the spam! :P )
 
Not sure what I did to deserve it, but I thank you!
 

User Journal

Journal Journal: Motorola Providing free TouchDown Licenses to DROID X Owners

Well, I got my Droid-X. Imagine my surprise when my $550 phone failed to properly communicate with my employer's Exchange server. Turns out the Droid-X has some software glitches relating to Exchange. Push e-mail will not work at all with Exchange 2003 and only works intermittently with 2007 and 2010. Polling e-mail may work but there are also issues with the notification system. Your phone might download messages off Exchange but fail to notify you about them until some time has passed.

Motorola is providing a free license for a third party app called TouchDown to anyone who writes in and complains about this issue. This app normally goes for $20. It is without a doubt the best mobile Exchange client that I've ever seen. It offers features above and beyond the stock Motorola application. I would encourage anybody who needs to use Exchange to get this application -- even if you aren't dealing with the push e-mail/notification bugs. It would be worth paying for, IMHO. Getting it for free because Motorola couldn't run their Exchange application past QA before launching the Droid-X is an added bonus.

User Journal

Journal Journal: Anyone out there with the Motorola Droid-X? 8

The only reason I haven't yet gotten a smartphone is because of Verizon's nickel and diming. I primarily want one for the usual smartphone functionality but I'd also like the ability to tether for some lightweight usage. Not looking to use tethering as a replacement for my home internet connection or even for web surfing. My desire is to be able to ssh and/or rdp into the office when I'm in the field. It seems kind of absurd that I should have to pay $30/mo extra for the ability to do something I could easily accomplish with a POTS line and modem. It's also absurd that Verizon expects you to pay more for the privilege of talking to an Exchange server. I guess the data packets from Exchange weigh more than the packets from a pop3 server or some such.

I've been told that the Exchange data requirement isn't actually enforced for non-Blackberry devices. Found a few posts on various forums where people claimed to successfully sync with Exchange on the $30 data plan. I've also been told that you can tether Android devices using third party applications such as PDAnet without paying Verizon's additional $30 fee. It's against their TOS but they won't find out about it unless you consume an "excessive" amount of bandwidth. Not real worried about doing that with the occasional ssh/rdp session. Can anyone confirm these two points? If they are indeed true then I'll probably be ordering the Droid-X soon.

User Journal

Journal Journal: George Will Has Really Soured on Afghanistan 20

New op-ed, titled McChrystal had to go. Will makes some pretty compelling arguments against our strategy in Afghanistan. Some highlights:

It may be said that McChrystal's defect is only a deficit of political acumen. Only? Again, the mission in Afghanistan is much more political than military. Counterinsurgency, as defined by McChrystal's successor, Gen. David Petraeus, and tepidly embraced by Barack Obama for a year or so, does not just involve nation-building, it is nation-building.

This does not require just political acumen; it requires the wisdom of Aristotle, the leadership skills of George Washington and the analytic sophistication of de Tocqueville. But, then, the grinding paradox of nation-building is this: No one with the aptitudes necessary for it would be rash or delusional enough to try it.

The McChrystal debacle comes as America's longest war is entering a surreal stage: The military is charged with a staggeringly complex task, the completion of which -- if completion can even be envisioned -- must involve many years. But when given the task, the military was told to begin bringing it to a close in a matter of 18 months.

It's a pity that we weren't smart enough to avoid this whole mess back in 2001. We ought to have used our own troops (along with the aerial mines that Bush and Rumsfeld refused to approve) at Tora Bora, captured or killed OBL, left the keys to the country by the door on our way out along with a note that said "If you host terrorist organizations again we'll come back and mess you up again." It should never have been our mission to try and spread our system of government or moral values to a region of the world that's effectively living in the Middle Ages.

BTW, I believe that the President handled the McChrystal mess effectively. He clearly had to go. I also think that Petraeus is the best man for the job though I'm in agreement with George Will's assessment of it as a fool's errand. Petraeus was successful in Iraq because the Iraqi people decided that bombing their country back into the Middle Ages was not an effective long term strategy. The Taliban leadership seems to desire such an outcome. It remains to be seen if the American people or our President have the stomach to stay there long enough to find out if the foot soldiers of the Taliban desire the same outcome.

User Journal

Journal Journal: More Guns Means Less Crime 28

Op-ed by John Stossel:

You know what the mainstream media think about guns and our freedom to carry them.

Pierre Thomas of ABC: "When someone gets angry or when they snap, they are going to be able to have access to weapons."

Chris Matthews of MSNBC: "I wonder if in a free society violence is always going to be a part of it if guns are available."

Keith Olbermann, who usually can't be topped for absurdity: "Organizations like the NRA ... are trying to increase deaths by gun in this country."

Of course he's right about the mainstream media. It is exceedingly rare to find someone on one of the major networks with a positive view of civilian firearms ownership. The ABC news show 20/20 went so far as to rig a scenario to demonstrate that concealed carry won't save you -- they pitted a trained firearms instructor against untrained individuals who had never handled a firearm before. They further rigged the test by telling the "attacker" in advance who had the concealed weapon out of a room of a dozen or more people. In spite of this stacked deck one of the simulated concealed carriers managed to "wound" him before "dying". Naturally ABC dismissed this result by claiming that the wound would not have been sufficient to stop a shooting rampage. I suppose the staff of 20/20 are also experts in terminal ballistics and the psychology of pain.

In Canada and Britain, both with tough gun-control laws, almost half of all burglaries occur when residents are home. But in the United States, where many households contain guns, only 13 percent of burglaries happen when someone's at home.

This is a statistic that's often overlooked but I think it's very relevant. I would regard home invasions as one of the biggest violations of the person, short of rape, kidnapping or murder. Thankfully they are relatively rare in the United States. I suppose the prospect of dying over that big screen TV is an effective deterrent for most criminals. It's my understanding that in the UK the self-defense laws won't permit you to defend your home if it is broken into while you are present. Of course even if the law permitted you to do so it would be rather difficult in a society that requires one to jump through bureaucratic hoops before being able to obtain a single shot rifle or shotgun.

I was somewhat surprised to see Canada included in that figure. I always thought they were a little bit more sensible than the Mother Country. I looked into obtaining a Canadian firearms license so I could legally transport my handgun through Canada when taking trips to Detroit (because really, who wants to go to Detroit unarmed?) and the process didn't seem particularly complicated or burdensome. Perhaps one of my Canadian friends could enlighten me as to Canadian laws regarding self-defense in the home? Are you allowed to defend your home against a home invasion?
