The Wayback Machine - https://web.archive.org/web/20101016161341/http://staringatemptypages.blogspot.com/

Saturday, October 16, 2010


Why do people carry a cell phone and a BlackBerry?

Back in the early days of BlackBerry devices, when they were basically enhanced pagers that could get your email, they didn’t function as phones. I used to carry a mobile phone and a BlackBerry, using the phone for voice calls and the BlackBerry for email.

But then they put a mobile phone — a good one — into the BlackBerry. My address book and calendar are synchronized with the BlackBerry, and it’s great to have everything on one device. I haven’t had a separate phone since then.

I can’t tell you, though, how often I see someone looking something up in his BlackBerry, and then pulling out his cell phone and calling someone on it. Why? What possible advantage is there to carrying both?

Friday, October 15, 2010


New meaning of “touch screen”

Interesting research from Nokia:

Nokia has developed a prototype of its N900 smartphone that lets you feel the texture of icons on the screen — a technology that would add a whole new dimension to touchscreen apps.

This week, Nokia researcher Piers Andrew showed how the technology could give each icon its own feel or add surface texture to photographs. The idea is to have everything on a touchscreen give tactile feedback, Andrew says.

The technology is based on an effect called electrovibration, in which touch receptors in the skin can be fooled into perceiving texture when you swipe a fingertip across an insulating layer above a metal surface carrying an alternating voltage. The higher the frequency of that alternating voltage, the smoother the texture feels.

[...]

The effect is thought to be due to the varying electrostatic attraction between the metal and the deeper, liquid-rich conducting layers of the skin — an effect which changes the perceived friction level.

To mimic this in a touchscreen phone, Nokia placed two thin layers above the LCD display: the first a transparent conductor, indium tin oxide, and the second a transparent insulator, hafnium oxide. When the user cradles the phone in one hand and touches the screen with the fingers of their other hand, they effectively create a closed circuit. If the indium tin oxide is excited at frequencies between 50 and 200 hertz, the finger above the touchscreen is attracted towards the screen with varying strength, generating the textured effect.

They acknowledge that it’s not ready for production yet, and that “this is not necessarily the most attractive sensation for some people.”

Still, it sounds very interesting.

Wednesday, October 13, 2010


On the right to DNA testing: Skinner v. Switzer

Our criminal justice system is sometimes arrogant.

We believe — at least, as the written code tells it — that our juries are infallible, or that their fallibility is an acceptable ill. And we must do so in order to keep the system working, to keep the problems contained. Most of the time, I agree with the acceptable ill attitude. But we often cling to that belief too doggedly, refusing to reconsider convictions when we should.

At no time is our responsibility to reconsider greater than when we decide to execute someone. Before we impose an irreversible sentence, we must take every opportunity we can to correct any possible mistake. We shouldn’t stand on process when someone’s life is at stake.

It would be wrong to refuse to hear a death-row appeal because the paperwork was filed a week late.

It would be wrong to refuse to consider new evidence that had surfaced after the jury made its decision.

And it would be wrong not to allow examination of evidence that existed but that had not been examined.

Yet that last is the concern of a case that the U.S. Supreme Court will hear tomorrow, the case of Hank Skinner (click through, then search for skinner):

The Texas state and federal courts — hearing Skinner’s habeas corpus pleas — refused to allow post-conviction testing of biological evidence, including blood, hair, fingernail clippings and vaginal swabs. The courts held that, under Texas law, a convict must prove, by a preponderance of the evidence, that he or she would not have been prosecuted or convicted had DNA testing been performed. To get DNA testing, a Texas inmate must also demonstrate that his failure to seek such testing at trial was not a strategic decision.

The law shifts the burden onto the defendant, who must show not just that doing the DNA testing would be reasonable, not just that the DNA testing might exonerate him, but that by a preponderance of the evidence, the state would have let him go without even going to trial if they’d done the tests then. And he has to do that just to get the testing done. Then to top that, he also has to explain away the procedural aspects of why this hadn’t been requested earlier.

Now, I’m as curious as the next guy, and I certainly want to ask why his defense team didn’t deal with this before. But I can’t imagine my decision on the testing hinging on that aspect. And I don’t want him to prove anything in order to get the biological evidence tested. The fact is that it’s available and it wasn’t tested, for whatever reasons, and, here: they’re going to kill Mr Skinner; they owe him an assurance that they did everything they could to be sure they’re right about that.

As if that weren’t enough, we have the heads of the justice departments of twenty-two states giving another crazy reason we should deny the request: they say that the states should get to decide this, and the federal government should keep out of it. If they’re short on money and personnel for testing, condemned prisoners will just have to accept their fates.

At least 22 states told the justices that granting Skinner DNA testing through a civil rights suit would undermine their individual statutes, which spell out when an inmate is entitled to it.

To allow this type of procedural legerdemain would both diminish the sovereign interests of the states and at the same time impose a significant burden on the states’ limited law enforcement resources, attorneys general from the 22 states wrote.

That sort of callousness seems enough of a reason, in itself, to demand that they take a step back and think. If it were your child standing accused, how would you want it to be handled? That couldn’t happen? Don’t count on that; sure, it could.

This should never have gotten to the Supreme Court, but now that it has, the court should require the testing. I’m not very confident that it will, though, with Justices Scalia, Thomas, Alito, and Roberts sure to vote against it. The outcome will likely rest on how Justice Kennedy votes, as I suspect this will be a five-to-four decision.

Haven’t there been enough people set free because DNA evidence showed that their convictions had been wrong? Can’t we see that this testing only makes sense from every just perspective? The only reason to refuse such a request is to stand with an arrogance that says, “We did everything according to the law, and it’s too bad for you.” If you think Mr Skinner is just a low-life who just isn’t worth keeping around, line up on that side.

But if you want to be more certain that the right man is being executed, do the tests.

Tuesday, October 12, 2010


Abusive, misleading paper-mail spam

I got something in the mail last week that I found interesting, in a sleazy way. The return address said United Airlines Awards Processing Center, and emblazoned on the envelope was this:

URGENT NOTICE:

Your Mileage Plus® Miles
are expiring. Use by
October 19, 2010.

Looks alarming, with urgent in bold, red letters, no? Well, but the return address used a P.O. box in Utah, and the postage payment area showed a pre-sort permit. Bulk mail.

Inside were the following:

  1. An envelope, pre-addressed to Processing Center (another bulk-mail flag), with the same Utah P.O. box number.
  2. A yellow sheet telling me that I can get faster service by making my redemption online. But not at united.com or mileageplus.com; the URL is at magsformiles.com, and includes a code that will let them track the specific mailing.
  3. A letter, repeating the URGENT NOTICE, and bearing a date of 24 September — two weeks before I received this.

The letter is, in fact, a solicitation for me to use my miles to buy magazine subscriptions, and does not come from the United Mileage Plus program, but from a vendor (Synapse Group, Inc, in Stamford, CT) that wants my purchase for absolutely no cash cost.

United has a policy that if you have no transactions on your account for 18 months, your miles expire. But as long as you have at least one transaction, however small, within 18 months, you keep your miles forever. This promotion is presented as a way to use small transactions (a few hundred miles) to buy magazine subscriptions, thus keeping tens of thousands of miles from expiring.

The sleazy part is that it’s meant to make me think that my miles will expire next week if I don’t do something quickly. And that’s not true at all: my miles won’t be expiring any time soon, and there’s no reason for me to worry about it (though I did check, just to be sure).

Scumbag business practices are everywhere, and the spam isn’t just online.

Now to go to United’s web page and see if there’s some new “we may share your address” bit that I haven’t (yet) opted out of.

Monday, October 11, 2010


Search engines and their responsibility

A French court has just decided a case that will likely have a great deal of effect on online search engines if the decision is upheld after appeals. A French man had been accused of crimes relating to the corruption of a minor, ultimately resulting in a suspended sentence. He found that Google search results snagged the news items about his case, putting them at the top of search results on his name:

Given extensive press coverage of the alleged crime at the time, querying the man’s name on the popular search engine returns web pages from news publications that suggested he was a rapist, among other non-favorable descriptions.

The man argues that the statements in the online articles still available today adversely characterize him, which puts him in a disadvantageous social position when meeting new people and applying for jobs, among other situations and opportunities.

The man previously contacted Google directly to remove the defamatory articles from its search index, but the company did not do so arguing its proprietary algorithms simply return web pages in its index related to the keywords searched, that is, there is no direct human manipulation of top search results.

The result from the court was this:

The French court sided with the plaintiff, agreeing that those representations were defamatory, and ruled Google could have mitigated costs to the plaintiff by removing the pages.

The ruling ordered Google to pay €100,000, and to reimburse €5,000 in litigation costs incurred by the plaintiff. The ruling also ordered the company to disassociate the man’s name from the defamatory characterizations in Google Suggest, which suggests popular phrases while a person enters search terms in the Google search-box prior to completing a search. Additionally, for every single day the defamatory information remains in the company’s search results, Google would be fined an additional €5,000.

This decision will be disastrous for search engines and other Internet services if it stands. Moreover, it’s just horribly wrong on the surface. It makes no sense to hold indexing services responsible for the information they index, unless it can clearly be shown that they preferentially indexed certain material with a goal of creating a biased view.

Research facilities have, long before the widespread availability of Internet search tools, helped people find news items and other public information that we might rather they didn’t point to, including false information and stories that have since been debunked. We’ve always considered it the responsibility of the researcher to winnow the data.

The difference now, of course, is that the researchers are friends, neighbours, potential romantic partners, and prospective employers... and the information is much more readily available than it ever was. It’s tempting to try to make the search engines let go of obsolete information and only find the current stuff.

The problems with that idea, though, are several. It’s essentially impossible to sort out in any automated way what’s appropriate and what’s not. Even if they prefer legitimate news outlets to other sources of information, and prefer newer articles to older ones, the amount of cross-linking, re-summarizing, and background information will still show searchers plenty of nasty stuff. And who decides what the legitimate news outlets are? The search engines shouldn’t be making those filtering decisions for us.

Any mechanism that isn’t entirely automated doesn’t scale. With the untold millions upon millions of web pages that Google and other search engines have to index every day, there would be no way to respond to individual requests — or demands backed by court mandates — to unlink or otherwise remove specific information.

If this should stand, I can see that Google might have to cease operations in France. If it should spread, it might easily deprive all of us of easy searching on the Internet. That would be a far greater disaster than having a guy in Paris have to explain away unflattering news stories about a false or exaggerated accusation.

Clearing one’s name has always been a difficult challenge, and it’s only been made harder — perhaps, ultimately, impossible — on the Internet. I have a great deal of sympathy for anyone who finds himself relentlessly pursued by his past, especially when that past contains errors that weren’t his.

But this can’t be an answer to that. It just comes with too much collateral damage.

Sunday, October 10, 2010


Beer and penitence

I was sitting at a sidewalk table the other day, having a beer. At the next table were three women in their forties, speaking with southern accents. Why is it that southern accents seem so often to mean Christian? As I sipped, I overheard fragments, here and there, of their conversation, and every fragment had something to do with God, praying, or being Christian.

Every day I get up, and I ask God to forgive me for anything I did yesterday.

My first thought on hearing that was to wonder what value there would be — to God or to a real person — in such a series of generic apologies. Whatever I might have done, I’m sorry. No, that doesn’t cut it. Be specific. Acknowledge what you did, and apologize specifically for it. And then don’t do it again.

That ties into this one, of course:

If you’re Christian, even if you make a mistake, every day’s new.

If you’re Jewish or Muslim or Buddhist... or, of course, and especially, atheist... you’re screwed. You make a mistake, and that’s it. Christian, though, well, just get up every morning and tell God you’re sorry, and everything resets.

On the other hand, the Jews, who just went through this process the other week on Yom Kippur, batch it all up for once a year. Spend a day fasting and gathering in prayer, asking generic forgiveness for all the bad things that you’ve all, collectively done over the past year. But feel guilty from day to day; it’s good for the soul.

Later in the conversation, as they talked about their children, one said this:

I pray that I won’t pass down to them all of my dysfunction.

But she is, of course: she’s undoubtedly teaching them her silly superstitions, and showing them how to be dysfunctional and yet start over every day.

10:10:10 10/10/10

Ten.

Just sayin’

Saturday, October 09, 2010


70

All we are saying
Is Give peace a chance.

 John Lennon

Holly holy

[Image: Barking Pumpkin Records logo]

The image to the right was the logo of Barking Pumpkin Records, a record label created by Frank Zappa in the early 1980s. The logo shows a pumpkin barking at a cat, and the cat exclaiming two Chinese syllables in response.

Let’s look at the Chinese characters here: 聖糞

A friend once asked a Chinese-speaking colleague what those two syllables mean, and the colleague hesitated, then responded, somewhat embarrassed, They mean... sacred... dung.

Or, in more idiomatic colloquial English: Holy shit!

The other day, I read a blog post (or perhaps it was a comment to a post), in which the writer typed “Holly shit!”, with two ls. After shaking my head and saying, “Moron,” I wondered whether the guy might have more company in Morontown than we’d like to think. And so I asked Google...

...and I saw almost 85,000 hits (along with a suggestion for the better way to spell it). 85,000 web references that think holy has two ls. Sample text: HOLLY SHIT!!!! The Hippie movement was created by CIA.

Checking further, I found almost 31,000 references to wholly shit (sample, Wholly Shit They Found A Nuke In Iraq). But take heart: I see only about 7,000 references to holey shit (sample, Holey shit the achievements are so easy to obtain.), so there are limits, after all.

Friday, October 08, 2010


What was that you said?

I’ve just had a trip to Washington, DC, for some meetings. I always like visiting DC, and get there at least once or twice a year. I don’t really consider it much in the way of travel, and I generally take Amtrak — not cheap, but no more expensive than flying, and much less hassle.

At the DC end, I also use the trains: the Metro system, their subway. It’s clean, it’s efficient, and it’s nice to use. It’s a bit more expensive than New York’s subway — New York still has a fixed fare, currently $2.25, to go anywhere in the system; DC uses a farecard system that charges your card based on how far you went, and during peak periods a trip downtown from the outskirts can cost $5 or more.

The train operators announce the stops as they go, making their announcements live each time, as the trains go back and forth. You might hear, for example, something like this:

Ness stah Huntuhn lass stahna yell-lie dorsopanna righ.

Elocutions such as that are intelligible only to locals (and I’m sort of a local, as a former resident, though I haven’t lived there for 22 years). Here’s the translation:

Next stop, Huntington, last stop on the Yellow Line. Doors opening on the right.

The thing is, the locals mostly don’t need the announcements, and the visitors have little hope of understanding them. And it’s not because the audio system is bad, but that when human operators have to repeat the same things over and over, they tend to get less than enthusiastic about enunciating it. Also, they may have accents that make it hard to understand them. And we won’t even mention how they tend to pronounce L’Enfant Plaza.

I’ve always wondered why they don’t get someone to record all the regular station announcements, and then just have them play at the appropriate times. The human operator can kick off the playback, or the system can even do that automatically, as happens in many other local transit systems. It seems that it would be clearer and easier for everyone, and would save the operators’ voices.

If the operators really wanted to talk to the passengers, they could certainly do, say, extemporaneous comedy in between the recorded announcements.

Thursday, October 07, 2010


Least common denominator

For another comment about something a recent speaker said, we look at the guy yesterday who made a reference to least common denominator, and included a graphic that showed the fraction 9 / 12, then displayed it as 3*3 / 4*3, and concluded with 3 / 4. There are two problems with the graphic.

One is that it’s gratuitous. It has nothing to do with the colloquial meaning of least common denominator, which doesn’t relate to fractions or mathematics at all. In English rhetoric, it refers to a common kernel that can serve or satisfy everyone involved. Alternatively, it can be used disparagingly to refer to someone or something from which every distinguishing and distinguished characteristic has been removed, leaving only a common bit that’s dull and useless.

Some presenters seem to like sticking graphics on every PowerPoint slide they show — sometimes several per slide — whether or not the graphics add anything to the understanding of the slides. Presenters who do that think the graphics make their presentations snazzier.

They don’t.

But the other problem with the graphic is from a mathematical point of view: it’s not illustrating the concept of least common denominator at all. It’s an illustration of greatest common factor. When we reduce a fraction, as in the graphic, we find the greatest common factor of the numerator (the top of the fraction) and the denominator (the bottom) — the largest number we can find that goes evenly into both numbers, that divides both numbers with a remainder of zero. When we cancel that greatest common factor out, what’s left is the fully reduced fraction.

We use the least common denominator to compare (or add or subtract) two or more fractions.

Which is greater?: 5 / 12 ... or ... 9 / 20 ?

To answer that using fractions, we need to convert them into fractions with a common denominator, and we customarily use the least common denominator — the smallest number that is a multiple of both denominators. In this case, 12 = 4 * 3, and 20 = 4 * 5, so the least common denominator would be 4 * 3 * 5 = 60. Multiply both the numerator and denominator by the same amount, and we get 5 / 12 = 25 / 60, and 9 / 20 = 27 / 60. And, so, because 25 is less than 27, 5 / 12 is less than 9 / 20. And the difference between the two is (27 - 25) / 60 = 2 / 60 = 1 / 30 (which we reduced by finding the greatest common factor of 2 and 60).
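As an added note, not part of the original post: the two notions the post keeps apart, greatest common factor and least common denominator, are tied together by one identity, which also gives a mechanical way to find the least common denominator without factoring by inspection. Carried through on the post’s own numbers:

```latex
\gcd(12,20) = 4, \qquad
\operatorname{lcm}(12,20) = \frac{12 \cdot 20}{\gcd(12,20)} = \frac{240}{4} = 60
```

```latex
\frac{5}{12} = \frac{5 \cdot 5}{60} = \frac{25}{60}, \qquad
\frac{9}{20} = \frac{9 \cdot 3}{60} = \frac{27}{60}, \qquad
\frac{9}{20} - \frac{5}{12} = \frac{27 - 25}{60} = \frac{2}{60}
  = \frac{2 / \gcd(2,60)}{60 / \gcd(2,60)} = \frac{1}{30}
```

So the greatest common factor is used twice: once (divided into the product of the denominators) to find the least common denominator, and once at the end to reduce the result.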

I have no quibble with the colloquial use of least common denominator as a language idiom, with a meaning that doesn’t relate to the mathematical one (though I do think the usage is trite). But when you bring mathematics into it, please get the maths right.

Wednesday, October 06, 2010


Implicit license

A speaker the other day said something curious, and he repeated it. Several times throughout his talk, he said that most of the information he was giving us is “available free of charge on our web site.” It’s curious, because his need to say it strays from the model we’ve developed of the worldwide web. That he said it — and not once, but several times — made him seem old fashioned, almost as though he’d told us to send a self-addressed stamped envelope to get a copy of his presentation.

The part that’s out of place is free of charge, because we assume that now. Of course it’s free of charge: it’s on your web site. The web is a place full of free information, and we take that as the default situation.

Not everything there is free, to be sure. Lots of journals put the papers they publish behind paywalls, and some magazines and newspapers demand subscriptions for ready access to their material. But we mention that when it shows up, because paying is now the exception. We assume information on the web is free unless we’re told otherwise.

On the other hand, at least some of us do expect that the information remains the property of those we got it from, unless they say otherwise. We wouldn’t use someone else’s words without attribution, or someone else’s research or design without permission. We might even expect to pay for the use, depending upon what it is we’re using, and for what purpose. And we have lots of discussions about fair use in the process.

But what, exactly, is our fair use of material that’s provided free?

It’s a difficult question, and one with no clear answer. The U.S. fair use doctrine isn’t well defined, and courts take it to mean different things in different situations and at different times. Even cases that are obvious might not be so, depending upon who’s making the judgment. Associated Press tried, to derision and laughter from many professional and amateur bloggers, to limit fair use of their material to fewer than five words. They later said that wasn’t what they’d meant, maybe.

Righthaven, on the other hand, decided not to make any definitions. They just made lawsuits:

In a strategic campaign that is attracting growing interest nationwide in legal and media circles, Righthaven — without warning — has sued at least 86 website owners in federal court in Las Vegas since March for copyright infringement.

[...]

But from the get-go, Righthaven hits copyright violators with lawsuits seeking $75,000 in damages and forfeiture of their website domain names.

Righthaven’s legal initiative has critics calling it a frivolous-lawsuit-and-shakedown campaign aimed not at gaining justice for Righthaven, but at putting money in its pockets — charges denied by Righthaven and its entrepreneurial CEO, Las Vegas attorney Steven Gibson.

[...]

Righthaven’s procedure has been to troll to find an infringement of an R-J copyright to a specific story. It then buys the copyright for that story from the R-J’s owner, Stephens Media LLC, and afterward sues the infringer.

Buying the copyright is an important step because it allows Righthaven to seek statutory damages. (Some of the defendants are arguing that Righthaven lacks standing to sue them because Righthaven didn’t own the copyrights at the time of the initial infringement.)

These are clearly predatory tactics: a good-faith approach, if one really thinks a non-commercial user such as a blogger has overstepped the fair-use line, would be to ask them to take down the offending material. Starting with a large lawsuit is clearly just a way to monetize things.

Now the Electronic Frontier Foundation is calling them on it, having filed a countersuit that claims copyright fraud:

The owner of the Las Vegas Review-Journal has for the first time been hit with a counterclaim over its online copyright infringement lawsuit campaign, with attorneys for the Electronic Frontier Foundation accusing the newspaper of entering a sham relationship with the Review-Journal’s copyright enforcement partner Righthaven LLC — and accusing Righthaven of copyright fraud.

[...]

The Electronic Frontier Foundation (EFF) says the lawsuit campaign threatens freedom of speech on the Internet as Righthaven generally sues without first asking that infringing material be removed from websites or be replaced with links as is the standard practice in the U.S. newspaper industry.

A couple of weeks ago, Groklaw published an interesting analysis of one of the cases, where a defendant got a default judgment set aside and will be allowed to plead his case. It’s particularly interesting because this particular defendant has a situation where an entire column from the newspaper was copied — something that clearly ought to go beyond fair use. Yet the judge, in setting aside the default judgment, ruled that the planned defense is sufficiently reasonable to be heard.

The reasonability of it rests on a few points:

  1. The article in question is informational, rather than creative or artistic.
  2. The use was non-commercial.
  3. The article was available for free from the newspaper’s web site, so financial loss to the newspaper could not be great (there might be loss of advertising revenue, resulting from fewer visits to the paper’s web site).
  4. The defense claims that the newspaper gave an implicit license to use the article, by posting it freely on their web site. The judge quotes John S. Sieman, from his paper Using the Implied License to Inject Common Sense into Digital Copyright:
    As the internet has developed into more of an opt-out system, the argument has been made that only the act of sharing information from websites that actively choose to be removed from participating in the system is generally recognized as unacceptable, despite the Copyright Act being an opt-in system.

It’s that last point that’s the most interesting one, and we should follow this case to see where it goes. The defendant has only won the right to argue his case, and he could still lose in the end.

Tuesday, October 05, 2010


What’s cooking?

Gourmet dinner menu last night, at a meeting. The theme was Re-imagining American Food.

MUNCHIES
LIQUID OLIVE
BAGELS & LOX
    R.H. COUTIER Ambonnay
Champagne, France N.V.
FLAVORS & TEXTURES
ORGANIZED CAESAR SALAD
OYSTER & UNI
    ABBAZIA DI NOVACELLA Kerner
Alto Adige, Italy 2009
SCALLOP
CIGALAS EN BRIOCHE
    JEAN-CLAUDE BACHELET
Les Macherelles Chassagne
Montrachet, France 2007
PHILLY CHEESESTEAK
VEAL CHEEK TZATZIKI
    ROBERT GROFFIER
Les Hauts Doix, Chambolle Musigny
France 2007
DESSERT
RUM CAKE    EL DORADO Rum 15 yr, Guyana
SWEET SURPRISES
SAFFRON GUMDROP
BACON AND CHOCOLATE

I don’t know what the liquid olive was, but it was a soft, squishy ball, olive coloured and tasting like an olive, served in a spoon.

The bagels & lox was a tiny, thin crêpe rolled into a cone filled with dill crème and salmon eggs, served in a small cup full of poppy and sesame seeds.

The organized Caesar salad was romaine, dressing, and shaved cheese rolled sushi-roll style in slices of jicama, served with a crêpe-like crouton with a quail-egg yolk nestled in it.

The scallop was pan-seared and served with a slice of roasted cauliflower and an aioli, and the cigalas en brioche was a piece of langustino in a coating of a flourless brioche, which amounted to an egg-white coating.

The Philly cheesesteak was a very small baguette filled with a tasty brie-like cheese, with slices of cured beef arranged on top.

The veal cheeks, we were told, were braised for 72 hours (um, that’s three days, isn’t it?).

The rum cake was relatively normal, and the bacon and chocolate was just what you might think: chocolate-covered bacon strips.

A very unusual and interesting meal.

Monday, October 04, 2010


A couple of things about Stuxnet

There’s a relatively newly discovered (within the last few months) computer worm called Stuxnet, which exploits several Windows vulnerabilities (some of which were patched some time ago) as it installs itself on people’s computers. It largely replicates through USB memory sticks, and not so much over the Internet (though it can replicate through storage devices shared over networks). And it’s something of an odd bird. Its main target isn’t (at least for now) the computers it’s compromised, and it’s not trying to enslave the computers to send spam, collect credit card numbers, or mount attacks on web sites.

It’s specifically designed to attack one particular industrial automation system by Siemens, and it’s made headlines because of how extensive and sophisticated it is. People suspect it’s the product of a government, aimed at industrial sabotage — very serious stuff.

The folks at F-Secure have a good Q&A blog post about it.

There are two aspects of Stuxnet that I want to talk about here. The first is one of the Windows vulnerabilities that it exploits: a vulnerability in .lnk files that kicks in simply by having an infected Windows shortcut show its icon:

This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Think about that. You plug in an infected USB stick, and you look at it with Windows Explorer. You don’t click on the icon, you don’t run anything, you don’t try to copy it to your disk... nothing. Simply by looking at the contents of the memory stick (or network drive, or CD, or whatever), as you look at its icon and say, “Hm, I wonder what that is. I’d better not click on it,” it’s already infecting your computer. And since most Windows users prior to Windows 7 ran with administrator rights, the worm could get access to anything on the system.

You need to make sure this security update is on your Windows systems.

The other aspect is interesting from a security point of view. From the F-Secure Q&A:

Q: Why is Stuxnet considered to be so complex?
A: It uses multiple vulnerabilities and drops its own driver to the system.

Q: How can it install its own driver? Shouldn’t drivers be signed for them to work in Windows?
A: Stuxnet driver was signed with a certificate stolen from Realtek Semiconductor Corp.

Q: Has the stolen certificate been revoked?
A: Yes. Verisign revoked it on 16th of July. A modified variant signed with a certificate stolen from JMicron Technology Corporation was found on 17th of July.

I’ve talked about digital signatures before, at some length. When the private keys are kept private, digital signatures that use current cryptographic suites are, indeed, secure. But...

...anyone who has the private key can create a spoofed signature, and if the private keys are compromised the whole system is compromised. When one gets a signing certificate, the file one receives has both the private and the public key in it. Typically, one installs it, then exports a version that contains only the certificate and its public key, and that exported certificate is made public. The original file, containing the private key, has to be kept close.

But it’s just a file, and anyone with access to it can give it to someone else. Shouldn’t, but can. If you can compromise an employee with the right level of access, you can snag the private key and make unauthorized “authorized” signatures.

In most cases, it’s far easier to find corruptible (or unsophisticated) people than it is to break the crypto. And if the stakes are high enough, finding corruptible people isn’t hard at all. The Stuxnet people may well have a host of other stolen certs in their pockets.
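
Here is that gap between the crypto and the people, made concrete. This is an added example, not code from F-Secure, Microsoft or anyone involved with the worm: it builds a constructed root CA and two constructed vendor certificates with Go’s standard crypto/x509 package, signs constructed “driver images” the way a loader would check them (SHA-256 with an RSA PKCS#1 v1.5 signature), and then replays the sequence from the Q&A. The thing to notice is that VerifyDriver has no way to tell the vendor’s own signature from one made with a copy of the vendor’s key; the mathematics is fine, and only the revocation entry, which also has to reach the machine doing the checking, changes the outcome. Names, serial numbers and image contents are all made up for the example, and the helpers panic on error, which is fine for a demonstration and not for real code.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Signer is a certificate together with its private key, which is what a
// vendor's signing-certificate file holds. Whoever has a copy can sign.
type Signer struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

func check(err error) { // panic on error: fine for a demo, not for real code
	if err != nil {
		panic(err)
	}
}

// issue generates a key and a code-signing certificate for it, signed by parent
// (self-signed root CA when parent is nil). Names and serials are constructed.
func issue(serial int64, name string, parent *Signer) *Signer {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent = &Signer{Cert: tmpl, Key: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, &key.PublicKey, parent.Key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &Signer{Cert: cert, Key: key}
}

// Sign makes an RSA PKCS#1 v1.5 signature over SHA-256(image).
func (s *Signer) Sign(image []byte) []byte {
	h := sha256.Sum256(image)
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.Key, crypto.SHA256, h[:])
	check(err)
	return sig
}

// VerifyDriver is the loader's side: not revoked, chains to a trusted root for
// code signing, signature verifies. It cannot tell the owner from a thief.
func VerifyDriver(image, sig []byte, cert *x509.Certificate, roots *x509.CertPool, revoked map[string]bool) error {
	if revoked[cert.SerialNumber.String()] {
		return errors.New("signing certificate has been revoked")
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	return cert.CheckSignature(x509.SHA256WithRSA, image, sig)
}

// Scenario replays the post: [the vendor's own driver, the worm's driver
// signed with the vendor's stolen key, the same after that certificate is
// revoked, the worm's driver signed with a second vendor's stolen key].
func Scenario() [4]bool {
	root := issue(1, "Example Root CA", nil)
	vendorA := issue(1001, "Vendor A", root)
	vendorB := issue(1002, "Vendor B", root)
	roots := x509.NewCertPool()
	roots.AddCert(root.Cert)
	revoked := map[string]bool{}
	genuine, worm := []byte("vendor A driver (constructed)"), []byte("worm driver (constructed)")
	var ok [4]bool
	ok[0] = VerifyDriver(genuine, vendorA.Sign(genuine), vendorA.Cert, roots, revoked) == nil
	sig := vendorA.Sign(worm) // the thief holds a copy of the file: same key, same call
	ok[1] = VerifyDriver(worm, sig, vendorA.Cert, roots, revoked) == nil
	revoked[vendorA.Cert.SerialNumber.String()] = true // the CA revokes the serial
	ok[2] = VerifyDriver(worm, sig, vendorA.Cert, roots, revoked) == nil
	ok[3] = VerifyDriver(worm, vendorB.Sign(worm), vendorB.Cert, roots, revoked) == nil
	return ok
}

func main() {
	fmt.Println(Scenario()) // [true true false true]
}
```

Run it and you get [true true false true]: the vendor’s driver passes, the worm’s driver signed with the stolen key passes just the same, it fails only once that serial is on the revocation list, and a second vendor’s stolen key passes again until it, too, is revoked. In a real loader the revocation list is a CRL or OCSP response that the machine has to fetch, which is why a revocation on the 16th does not protect a machine that has not seen it.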

Sunday, October 03, 2010

.

Quote of the week

From The Tenth Inning, we have Barry Bonds telling reporters that he didn’t care about being booed as he was close to breaking Hank Aaron’s career home-run record:

You gotta have a lot of talent to have 50,000 people shout that you suck.

He does have a point there. They booed him, but they came to see it anyway.

[Paraphrased, because I didn’t write it down soon enough to remember it exactly.]

Saturday, October 02, 2010

.

Who is talking about heart health?

On yesterday’s Brian Lehrer Show, a talk show on the local public radio station:

Joy Behar on Heart Health
Friday, October 01, 2010

Joy Behar, comedienne and co-host of The View, discusses heart health and the Mom’s Second Chance campaign.

That’s nice. But, here: a comedienne/host of a fluffy morning TV talk show... discusses heart health. Serious credentials, there, wot?

How ’bout we get, oh, I don’t know, maybe a cardiologist to come on and discuss heart health? Yes, that sounds better.

Friday, October 01, 2010

.

On compression and sound quality

Actor and filmmaker Adrian Grenier was on a local radio talk show the other day. As an addendum to the show, they posted a brief Q&A on the web, in which he says this:

Q: What are you listening to right now?

A: I just reunited with my record collection. Records sound better than MP3’s. I was just listening to Toots and the Maytals on vinyl.

Now, there’s certainly been a lot of debate about whether analogue sounds better than digital, when it comes to recorded music. When you hear live music, the vibrations reach your ears, your ears pick them up and send them to your brain through your nerves, and you hear exactly what someone sitting at that spot (and with your hearing capabilities) will hear. It’s perfect, in the sense that you can’t get more like really being there than... really being there.

Any recording provides a different experience, and whether that experience is better than the live one depends upon a lot of things, including where you were sitting and where the microphones were, how much extraneous stuff was heard by each (you and the microphones), and so on... along with the social experience and energy of being there to see it.

That said, there have always been those who say that digital recordings sound digital, changing the sound in unpleasant ways. Music is recorded on a CD, for example, by sampling the actual sound at frequent intervals (about 44,000 times a second), and by encoding the sampled sounds as numerical values (16-bit numbers, for CDs). The choice of the frequency of the sampling and the number of values (number of bits) used in the encoding affects the maximum quality of the sound.

I’m not going to get into the debate, here, and I’ll only note that since CDs have given way to other ways of listening, we’ve increased both the sampling rate and the number of bits per sample in some recordings. Whether or not CDs sound good, there’s better digital source material out there.

MP3 files, though, are not original source material: they’re compressed from the original, and their quality can vary greatly. Let’s look at why.

Broadly, there are two kinds of compression: lossless, and lossy. We use lossless compression in computer work all the time, such as when we make ZIP files. To do compression losslessly, we take advantage of redundancies, repetitions, and nearness that show up naturally in data, use alternative representations for common sequences, and that sort of thing. Any lossless compression algorithm works best on the kind of data it’s designed for, and doesn’t work well on certain other kinds.

Here, for instance, is a lossless algorithm I’m making up as I type this, designed for compressing English text: text consisting of letters, numbers, and a few punctuation marks and symbols:

In normal English text (US-ASCII), each character is represented by one byte. We know that the most common 11 letters in English are, in order, e, t, a, o, i, n, s, h, r, d, and l. So we’re going to represent each of those, plus the space character, with a half-byte instead of a full byte (shown here in binary, for clarity):

0000 = (space), 0001 = e, 0010 = t, 0011 = a, 0100 = o, 0101 = i,
0110 = n, 0111 = s, 1000 = h, 1001 = r, 1010 = d, 1011 = l

That leaves 15 lower-case letters, 26 upper-case letters, and 10 numerals to be represented, and we can introduce one-byte patterns with a half-byte of the form 11xx, unused above. We’ll reserve 1100 0000 for now, and assign the remaining one-byte patterns (11xx xxxx, where the x’s are not all zeroes) arbitrarily to those characters and to the 12 most common punctuation marks:

1100 0001 = b, 1100 0010 = c, 1100 0011 = f, 1100 0100 = g, ...,
1100 1111 = z, 1101 0000 = A, 1101 0001 = B, 1101 0010 = C, ...,
1110 1001 = Z, 1110 1010 = 0, 1110 1011 = 1, 1110 1100 = 2, ...,
1111 0011 = 9, 1111 0100 = (comma), 1111 0101 = (period), .....

Finally, we’ll represent anything else by using our reserved 1100 0000 as an escape, so that the byte immediately following it represents its normal US-ASCII value:

1100 0000 0010 0100 = (dollar), 1100 0000 0010 0101 = (percent),
1100 0000 0010 0110 = (ampersand), ....

Therefore, our system represents the space and the eleven most common letters in half the normal number of bits (4), and the remaining letters and numerals, along with twelve punctuation marks, in the normal number of bits (8)... but takes twice the number of bits (16) to represent anything else. It would be horrible for music files, which are made up of arbitrary binary data and which would get much bigger if put through this compression. But for plain English text, here’s an example, using hexadecimal notation to be more concise:

Original: This is a compressed string.

US-ASCII: 54 68 69 73 20 69 73 20 61 20 63 6F 6D 70 72 65 73 73 65 64 20 73 74 72 69 6E 67 2E

Our algorithm: E3 85 70 57 03 0C 24 C7 C8 91 77 1A 07 29 56 C4 F5

We’ve reduced the string from 28 bytes to 17, and it’s fully reversible (once we’ve dealt with padding needed when we end in the middle of a byte, but that’s easy enough and we don’t need to get into that here).
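
To check that the table really does produce that hex string, here is the scheme written out in Go, as an added example rather than anything from the original post. Two things the post leaves open are filled in as assumptions: which twelve punctuation marks follow the comma and the period, and the padding rule, which here pads an odd number of half-bytes with a 1100 nibble, something a decoder can tell apart from data because a 11xx prefix always needs a second half-byte.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Half-byte codes 0000..1011: the space and the eleven most common letters.
const nibbleChars = " etaoinshrdl"

// One-byte codes 0xC1..0xFF in the post's order: the other fifteen lower-case
// letters, the upper-case letters, the digits, then twelve punctuation marks.
// The post only names comma and period; the remaining ten are our choice.
const byteChars = "bcfgjkmpquvwxyz" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "0123456789" + ",.;:!?'\"-()/"

// escape is the reserved 1100 0000 pattern: the next two nibbles are a raw byte.
const escape = 0xC0

// Encode compresses text into packed half-bytes. An odd number of half-bytes
// is padded with 1100 (assumed here), which a decoder can recognise as
// padding because a 11xx prefix always needs a second half-byte.
func Encode(s string) []byte {
	var nib []byte
	for i := 0; i < len(s); i++ {
		c := s[i]
		if k := strings.IndexByte(nibbleChars, c); k >= 0 {
			nib = append(nib, byte(k))
		} else if k := strings.IndexByte(byteChars, c); k >= 0 {
			code := byte(0xC1 + k)
			nib = append(nib, code>>4, code&0xF)
		} else {
			nib = append(nib, escape>>4, escape&0xF, c>>4, c&0xF)
		}
	}
	if len(nib)%2 == 1 {
		nib = append(nib, 0xC)
	}
	out := make([]byte, len(nib)/2)
	for i := range out {
		out[i] = nib[2*i]<<4 | nib[2*i+1]
	}
	return out
}

// EncodeHex shows the packed bytes the way the post shows them.
func EncodeHex(s string) string { return hex.EncodeToString(Encode(s)) }

// Decode reverses Encode and reports corrupt input instead of guessing.
func Decode(data []byte) (string, error) {
	nib := make([]byte, 0, 2*len(data))
	for _, b := range data {
		nib = append(nib, b>>4, b&0xF)
	}
	var out []byte
	for i := 0; i < len(nib); {
		n := nib[i]
		if n < 0xC { // a half-byte code on its own
			out = append(out, nibbleChars[n])
			i++
			continue
		}
		if i+1 == len(nib) { // dangling 11xx prefix at the very end: padding
			break
		}
		code := n<<4 | nib[i+1]
		i += 2
		if code == escape {
			if i+2 > len(nib) {
				return "", errors.New("truncated escape sequence")
			}
			out = append(out, nib[i]<<4|nib[i+1])
			i += 2
		} else {
			out = append(out, byteChars[code-0xC1])
		}
	}
	return string(out), nil
}

func main() {
	msg := "This is a compressed string."
	packed := Encode(msg)
	back, err := Decode(packed)
	fmt.Printf("%d -> %d bytes: %X\nround trip ok: %v (%v)\n", len(msg), len(packed), packed, back == msg, err)
}
```

Feed it the sentence from the post and it produces the same 17 bytes, E3 85 70 57 03 0C 24 C7 C8 91 77 1A 07 29 56 C4 F5, and decodes them back to the original; anything outside the table (a dollar sign, say) costs four half-bytes through the escape, which is the “twice the bits” case described above.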

OK, that was fun to play with, but what about compressing music?

We can’t rely on common byte values for music, because the value of a given sample can be anything — silent, super-loud, or somewhere in between. But we can rely on the fact that in normal music, sounds don’t come in and go out instantaneously, and, therefore, adjacent samples are most likely to be relatively close to one another. If we optimize the algorithm for aspects like that, we can get fairly efficient compression. We can even get lossless compression to a point.

For example, suppose we’re using 32-bit samples, but we say that if we have a 32-bit sample and the next sample is within 15 bits of that one, we can instead use a 16-bit value that represents plus (first bit 0) or minus (first bit 1) from the reference sample. The next sample could similarly be coded as a delta from the second, and so on. We’d have to do some futzing around to signal that we’d gone back to a full 32-bit sample again, and we’d probably want to do that periodically, whether we need to or not, to set up resync points in case something goes wrong with the data streaming. But this is neither an ideal nor a complete mechanism... just the beginnings of an example.
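
Here is that delta scheme made concrete, again as an added example rather than the post’s own code. The one thing the sketch leaves open is how to signal a return to a full 32-bit sample; the assumption made here is to use the sign-magnitude pattern 1000 0000 0000 0000 (a minus sign with zero magnitude, which no real delta ever produces) as the marker, followed by the full sample. The sample values are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// fullMarker is the 16-bit sign-magnitude pattern "minus zero". A real delta
// never produces it, so it can announce that a full 32-bit sample follows.
const fullMarker = 0x8000

// EncodeDeltas packs 32-bit samples as 16-bit sign-magnitude deltas from the
// previous sample whenever the difference fits in 15 bits, and otherwise as
// the marker plus the full sample. A full sample is also forced every
// resyncEvery samples so a reader joining mid-stream can resynchronise.
func EncodeDeltas(samples []int32, resyncEvery int) []byte {
	if resyncEvery < 1 {
		resyncEvery = 1
	}
	var out []byte
	var prev int32
	for i, s := range samples {
		d := int64(s) - int64(prev)
		if i%resyncEvery == 0 || d > 0x7FFF || d < -0x7FFF {
			out = append(out, fullMarker>>8, fullMarker&0xFF)
			u := uint32(s)
			out = append(out, byte(u>>24), byte(u>>16), byte(u>>8), byte(u))
		} else {
			w := uint16(d)
			if d < 0 {
				w = 0x8000 | uint16(-d)
			}
			out = append(out, byte(w>>8), byte(w))
		}
		prev = s
	}
	return out
}

// DecodeDeltas reverses EncodeDeltas. Because the stream starts with a full
// sample and one recurs at every resync point, a corrupted delta only
// mis-reads samples until the next marker.
func DecodeDeltas(data []byte) ([]int32, error) {
	var out []int32
	var prev int32
	for i := 0; i < len(data); {
		if i+2 > len(data) {
			return out, errors.New("truncated delta")
		}
		w := uint16(data[i])<<8 | uint16(data[i+1])
		i += 2
		var s int32
		if w == fullMarker {
			if i+4 > len(data) {
				return out, errors.New("truncated full sample")
			}
			s = int32(uint32(data[i])<<24 | uint32(data[i+1])<<16 | uint32(data[i+2])<<8 | uint32(data[i+3]))
			i += 4
		} else {
			d := int64(w & 0x7FFF)
			if w&0x8000 != 0 {
				d = -d
			}
			s = int32(int64(prev) + d)
		}
		out = append(out, s)
		prev = s
	}
	return out, nil
}

// SameSamples reports whether two sample slices are identical.
func SameSamples(a, b []int32) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed "audio": a slow ramp with one sudden transient in the middle.
	samples := []int32{0, 120, 260, 390, 500, 1 << 28, 1<<28 + 90, 1<<28 + 150}
	packed := EncodeDeltas(samples, 64)
	back, err := DecodeDeltas(packed)
	fmt.Printf("%d samples: %d raw bytes -> %d packed, round trip %v (%v)\n",
		len(samples), 4*len(samples), len(packed), SameSamples(back, samples), err)
}
```

On the constructed ramp, the eight samples that take 32 bytes raw pack into 24: one full sample to start, one more forced by the transient, and two-byte deltas for everything else. Real audio has far more “everything else”, which is where the saving comes from; the resync interval is the usual trade-off between a little overhead and how much a reader loses after a dropped byte.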

But for the high levels of compression that we need to use to turn music or video into tolerably sized files, we need to go for lossy compression methods. That means that we can’t turn the compressed file back into the full version, because some information has been lost in the process. And information loss means quality loss — the compressed file is no longer a faithful copy of the original, and any playback is measurably different from the original.

But is it noticeably different from the original?

That, of course, depends upon how sensitive one is. Still, while the difference between CDs and vinyl records could be (and was) hotly debated, this one’s pretty straightforward: the difference is, in general, discernible on good equipment. There are a lot of compromises on the way from ten megabytes or more per minute to one megabyte or less per minute. That heavy compression is what makes it possible for us to put entire music collections in our pockets, so it’s worth it to many.

And when we’re putting the music in our pockets and listening to it with ear buds as we ride the subway and walk down noisy streets, we’re not noticing the digital and compression artifacts, the reduced frequency range, the lower sound quality. It’s entertaining us and keeping the world of chatty commuters and jackhammers and car horns away.

With docking stations, though, we’ve brought that model into our living rooms, and we’re often listening to MP3 files at home, through loudspeakers the size of a paperback book. Where we used to show off audiophile equipment stacked up on shelves and massive speakers that dominated the room and rattled the walls with great sound, we’re now boasting about how compact it all is.

It’s compact, though, at the cost of sound quality, and Adrian Grenier is going back to vinyl.