Friday, August 18, 2006

Bears and the convenience/security tradeoff

Bruce Schneier points out a problem at Yosemite National Park--how to make garbage cans that resist the ability of bears to get into them, yet are not so complicated that tourists can't figure out how to put their trash into them. Best quote, from a park ranger: "There is considerable overlap between the intelligence of the smartest bears and the dumbest tourists."

There are some great comments on the thread--e.g., Saxon:
How long before the bears start lurking near the cans, waiting for a human to open one so the bear can "mug" the human and get at the contents (rather like an ATM mugger)? Based on my experiences with the black bears in New England, this would not be beyond a bear's reasoning capacity.
and Mike Sherwood:
The party putting stuff into the trash is willing to spend about 10 seconds on the activity, whereas the party getting stuff out has no time limit. In order to cater to the lazy and stupid, someone has to do more work.

The configuration given doesn't work because it has the traditional open and closed configurations, while making the switch between those configurations needlessly complex. In this case, they need a receptacle that fails secure.

A mailbox-like solution seems pretty obvious and rational to me. A cylinder with a horizontal axis has to be rotated to a position where it is accessible only from the outside in order to put trash in, then it rolls back to the position where the contents drop into a storage bin. A simple lock on the bin would keep everyone but the trash collector out of the bin, but allow everyone to deposit their trash in a designated location.

However, the trash can design could have been someone's thesis paper to prove that bears are pretty smart and a lot of humans are dumber than paste.

Attacks on a plane

Ed Felten raises some very interesting points about the recent terrorist threat against planes and our response:

Just as interesting as the attackers’ plans is the government response of beefing up airport security. The immediate security changes made sense in the short run, on the theory that the situation was uncertain and the arrests might trigger immediate attacks by unarrested co-conspirators. But it seems likely that at least some of the new restrictions will continue indefinitely, even though they’re mostly just security theater.

Which suggests another reason the bad guys wanted to attack planes: perhaps it was because planes are so intensively secured; perhaps they wanted to send the message that nowhere is safe. Let’s assume, just for the sake of argument, that this speculation is right, and that visible security measures actually invite attacks. If this is right, then we’re playing a very unusual security game. Should we reduce airport security theater, on the theory that it may be making air travel riskier? Or should we beef it up even more, to draw attacks away from more vulnerable points? Fortunately (for me) I don’t have space here to suggest answers to these questions. (And don’t get me started on the flaws in our current airport screening system.)

The bad guys’ decision to attack planes tells us something interesting about them. And our decision to exhaustively defend planes tells us something interesting about ourselves.

Massachusetts State Police arrest man for linking website to arrest video

Paul Pechonis was arrested at his home for allegedly threatening the life of a police officer on his website. This was a police officer who allegedly threatened to hold a gun to the head of his son. That arrest was videotaped with the consent of all parties except the police, by a camera in Pechonis' home. The video was placed online by Mary Jean, who has been threatened with felony charges for posting it. A federal judge issued an injunction supporting Jean, which the Attorney General has appealed. Jean has the support of the ACLU of Massachusetts and the law firm of Choate, Hall & Stewart.

Jean is the webmaster of conte2006.com, a website critical of Worcester County district attorney John Conte, which is where the video is hosted.

You can also find the video on YouTube. Although the video has been described by some as showing an "invasive search" without a warrant, the officers say they are just checking the home to see if anyone else is present. They are not shown moving or opening anything on camera, and the search is very brief (just a few minutes)--I don't see any evidence of an "invasive search."

Now prosecutors have threatened Pechonis, issuing a cease and desist order for merely linking to the video of his arrest from his own website.

Good job, prosecutors--you've just ensured that there will be much more attention to this video and Pechonis' case.

(Hat tip to The Agitator.)

Is it worth shutting down botnet controllers?

Gadi Evron has now suggested, following Paul Vixie, that it's a waste of time to fight botnets by shutting down botnet controllers. Here's what I wrote to some colleagues when I read Vixie's statement that stomping out botnets is not only a waste of time, but counter-productive because it causes botherders to change their behavior and find new malicious techniques:
1. If you don't stomp them they are *still* going to develop new ways of doing things as a result of internal competition. It may happen more slowly, but it will still happen. There's no getting around an arms race. Even taking his analogy seriously, he wouldn't recommend that we stop using antibiotics.

2. Waiting on law enforcement to start effectively prosecuting will take a long time, and I don't think I'll be happy with what it will take for them to do it (I'm already unhappy with the new CALEA draft bill that's circulating). Criminal prosecution will likely never target more than a minority of offenders--mostly the high-profile cases.

3. Taking action raises their costs, which applies more broadly the same economic effect as prosecution does in a narrower and stronger manner. Again, if we take the antibiotic analogy seriously, a diversity of approaches is better than relying on a single approach.

4. Our experience seems to indicate a drop in botnet controller activity when we hit them consistently. If the bulk of miscreants follow the path of least resistance, putting up a fight will tend to push them to environs where people aren't putting up a fight.
Shutting down botnet controllers does have positive effects--and it's much quicker and more reliable than law enforcement prosecution. I think a diversity of defensive actions is important, and we need to continue developing more of them--as I said above, it is a continuing arms race.

Richard Bejtlich has also commented on this subject at his TaoSecurity blog, and there's some good discussion in the comments. David Bianco has offered a suggestion at the InfoSecPotpourri blog. Bianco's suggestion is to modify the botnet C&C traffic, which in order to be most effective would have to occur at either large consumer ISPs (where 99+% of the bots are located) or at a small number of high-volume, low-cost webhosting companies (where 75+% of the botnet controllers are located).

There are a number of approaches that are being developed, which I won't describe in any detail here, but I agree that new approaches need to go more strongly after the bots themselves rather than just the botnet controllers. Those approaches need to use Netflow, and they need to use DNS. We also need to provide incentives for consumers with old, unpatched, vulnerable systems to protect themselves and to be protected by their ISPs--that's where the biggest bang for the buck will occur.
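As an added illustration of the Netflow-plus-DNS approach sketched above (not code from this post or from any of the blogs it cites), the following scores individual bots rather than controllers, using constructed flow records and resolver log lines; the controller name and addresses are placeholders, and the controller's IP is deliberately changed partway through to show that a DNS-keyed correlation still follows the bots after the controller moves.

```python
"""Rank internal hosts that look like bots from flow records and DNS logs.

Constructed sample data only; nothing here comes from a real network.
"""
from collections import defaultdict

# Placeholder controller name; real lists would come from abuse reporting.
KNOWN_CNC_NAMES = {"cnc.example.invalid"}

# Constructed DNS resolver log: (timestamp, client, queried name, answer).
# The controller moves from 203.0.113.10 to 198.51.100.7 at t=400.
DNS_LOG = [
    (100, "10.0.0.5", "cnc.example.invalid", "203.0.113.10"),
    (101, "10.0.0.9", "cnc.example.invalid", "203.0.113.10"),
    (400, "10.0.0.5", "cnc.example.invalid", "198.51.100.7"),
    (402, "10.0.0.22", "www.example.com", "192.0.2.80"),
]

# Constructed Netflow-style records: (timestamp, src, dst, dst_port, bytes).
FLOWS = [
    (110, "10.0.0.5", "203.0.113.10", 6667, 300),
    (170, "10.0.0.5", "203.0.113.10", 6667, 310),
    (230, "10.0.0.5", "203.0.113.10", 6667, 290),
    (111, "10.0.0.9", "203.0.113.10", 6667, 280),
    (410, "10.0.0.5", "198.51.100.7", 6667, 305),  # follows the move
    (470, "10.0.0.5", "198.51.100.7", 6667, 295),
    (405, "10.0.0.22", "192.0.2.80", 80, 8000),    # ordinary web traffic
]


def controller_addresses(dns_log, cnc_names):
    """All addresses a known controller name has resolved to, old and new."""
    return {answer for _, _, name, answer in dns_log if name in cnc_names}


def dns_suspects(dns_log, cnc_names):
    """Hosts that looked up a controller name, whether or not they connected.
    Catches bots whose flows were filtered or never sampled."""
    return {client for _, client, name, _ in dns_log if name in cnc_names}


def rank_bots(flows, dns_log, cnc_names, min_flows=2):
    """Return {host: flow_count} for hosts that contacted any controller
    address at least min_flows times, keyed by the DNS-derived address set
    so the count survives the controller changing IP."""
    cnc_addrs = controller_addresses(dns_log, cnc_names)
    hits = defaultdict(int)
    for _, src, dst, _, _ in flows:
        if dst in cnc_addrs:
            hits[src] += 1
    return {host: n for host, n in hits.items() if n >= min_flows}
```

Run on the sample, `rank_bots` flags 10.0.0.5 with five controller contacts across both addresses, while `dns_suspects` also surfaces 10.0.0.9, which the flow threshold alone would miss.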

W. Virginia water bottle's explosive residue turns out to be makeup

Yesterday there were numerous news reports about a woman's water bottle testing positive, twice, for explosive residue and being identified as problematic by a bomb-sniffing dog. She was allegedly taken for questioning by the FBI. Today, there seems to be little followup about the fact that it was actually makeup that triggered false positives.

Thursday, August 17, 2006

Nick Carr's bogus criticism of the blogosphere

Nick Carr writes of the blogosphere:
What we tell ourselves about the blogosphere - that it's open and democratic and egalitarian, that it stands in contrast and in opposition to the controlled and controlling mass media - is an innocent fraud.
What's the fraud? Carr claims that the top-ranked blogs have established a hierarchy of control over the entire blogosphere:
The best way, by far, to get a link from an A List blogger is to provide a link to the A List blogger. As the blogosphere has become more rigidly hierarchical, not by design but as a natural consequence of hyperlinking patterns, filtering algorithms, aggregation engines, and subscription and syndication technologies, not to mention human nature, it has turned into a grand system of patronage operated - with the best of intentions, mind you - by a tiny, self-perpetuating elite.
But Carr is not only ignoring the facts of a comparison between the blogosphere and the mass media (the point of his initial comparison), he's ignoring mobility of rank and the specifics of the audiences of lower-ranked blogs. I've seen my blog get visits from all sorts of interesting places, by people I would not ordinarily be able to speak to.

John Koetsier at bizhack (who I've only come across because of this topic) says it very well when he points out the role of luck in getting a mass audience:

This is real life
This isn’t the movies. And this isn’t the crazy-stupid-brilliant flash-in-the-pan that you hear about from time to time, and wonder why you didn’t think of.

Anything worth doing is hard. Doing anything well is hard. It takes time. It takes effort. It takes talent. It takes skill.

But sorry, that’s not enough.

The L factor
Here’s the hardest part for any of us to accept: It takes luck.

We’d have it a lot easier if there was a clear-cut algorithm for success. Do X amount of work for Y number of days with Z degree of skill, and you’ll be successful.

Sorry. I wish it was true. But it’s not.

Some weird magic happens in the world.

  • Some wacked-out left-field idea like Snakes on a Plane just comes out of nowhere and hits a home run.
  • Some odd idea like getting people to write secrets on postcards and send them to you so you can post them on a website results in a top ten blog and a successful book.
  • Some 18-year-old kid creates a piece of software that others start contributing to that turns out to be really good and amazingly popular.
  • Some slightly-shady entrepreneurs take an old idea and a lousy site and sell it for over half a billion.
  • Some crazy geniuses create the best hardware/software combination the market has ever seen and spend decades struggling to get to 5% market share.
  • Some other crazy geniuses with duct-taped glasses buy a piece of junk software, land a distribution deal with a clueless giant, and become the most profitable company in the world.

He goes on to point out some numbers:

The reality is, the blogosphere is a big place. Lots happens. Conversations abound. Blogs proliferate. Attention is limited. Blogs shoot up, blogs tumble down. Enough churn occurs to make me believe that success is still possible.

But you are already more successful than you know. Think about it: there are now 52 million blogs. 52 million!

Let’s say your blog is ranked 39,756 (coincidentally, just like the one you’re reading right now.) How lucky are you?

Let’s break it down:

  • If you’re in the top 5 million, you’re 1 out of 10
  • If in the top 500,000, you’re 1 out of 100
  • In the top 50,000, you’re 1 out of 1000
  • just for fun, let’s continue …
  • Top 5000? 1 out of 10,000
  • Top 500? 1 out of 100,000
  • And top 50? 1 out of 1,000,000

See the point? Even being in the top 100,000 is an accomplishment! (Of course, for all of us who are serious about this blogging journey, it may not be enough. It may not satisfy.)

He's spot on.

Tim Lee at the Technological Liberation Front makes some of the same points, first about rankings and quality of who you get to interact with:

Seth gives the impression that he toils in obscurity, with maybe 20 or 30 people reading what he writes on a good day. Yet Alexa ranks Seth’s site #84,819 among all web sites, with a “reach” of 24 readers per million web users. In contrast, TLF is ranked #295,434, and we have a “reach” of 4 per million. Technorati tells a similar story: TLF is ranked #7076 among all blogs with inbound links from 294 sites. Seth’s blog is ranked #5443, with inbound links from 365 blogs.

Now, TLF obviously isn’t an “A List” blog. We’re probably not even a “B List” blog. But if our traffic stats are to be believed, about 1500 unique individuals visit our site (or at least download our content to their RSS aggregators) each day. Extrapolating, I think it’s safe to say that Seth gets at least a few hundred, and probably several thousand, daily readers. Even if we assume that many of those are people who never actually read the sites their aggregators download, it’s safe to say that Seth gets more than “a few dozen” daily readers.

Personally, I think TLF’s readership—even if it’s only a couple hundred people—is fantastic. I feel extraordinarily fortunate that I get to write about whatever strikes my fancy and have several hundred people read it and give me feedback. A decade ago, it would have been extraordinarily difficult to achieve that without getting a job as a full-time journalist.

...

The far more important motivation is that I enjoy discussing ideas. I think it’s fantastic that I sometimes get to interact with prominent tech policy experts like Ed Felten and Randy Picker. I love the fact that I can post half-baked policy arguments and get virtually instantaneous feedback from people who possess much deeper technical knowledge than me. And most fundamentally, I enjoy the process of writing itself, when it’s about a subject I’m currently interested in. I think the intellectual questions related to technology policy are fascinating, and I find writing to be a form of intellectual exploration: sometimes I’ll finish a post (or series of them) in a different place than I expected to be when I started.

And about mobility within the rankings:
Carr is equally wrong to portray the elites of the blogosphere as some kind of closed, self-perpetuating club. The blogosphere is only about 5 years old. Even if it were true that the same bloggers have dominated the elite ranks since the blogosphere’s inception, that wouldn’t prove very much—the elite newspapers have dominated the national debate for decades. But Carr’s caricature isn’t even accurate. As just one example, compare Instapundit, which ruled the blogospheric roost in 2002-04, to Daily Kos, a site that was obscure at the start of 2003, surpassed Instapundit in mid-2004, and today (according to Alexa) gets more than double the traffic. Sure doesn’t look like a closed elite to me.
So, good job to Carr for getting the attention of some new people through this topic--but perhaps he's done so with the strategy of saying something obviously false or outrageous designed to stir up the blogosphere and thereby increase his rank? It seems to be a relatively common and effective tactic--we could call it the Ann Coulter method. When pro-life blogger Pete wrote a post about an article in The Onion as though it were factual, he not only got hundreds of blog comments, links, and trackbacks, he got written about in a feature story on Salon.com!

41st Skeptic's Circle

The 41st Skeptic's Circle is now out at Interverbal, in the form of an Awards Night presentation.

Judge grants injunction against warrantless wiretapping

Although the ACLU's lawsuit against AT&T in Illinois was thrown out, a separate case in Michigan filed on January 17 of this year against the NSA for warrantless wiretapping without approval of the FISA Court has resulted in a ruling by U.S. District Judge Anna Diggs Taylor that the practice is unconstitutional and must stop immediately. This is not the final decision in the case, but the granting of an injunction for the plaintiff.

The Electronic Frontier Foundation's lawsuit against AT&T also continues.

Wednesday, August 16, 2006

Forbes' Best Places for Business

Phoenix cracked the top ten for the first time in Forbes magazine's best metropolitan areas for business (at #6); Arizona is down at #15 in the list of best states for business. Tucson ranks #77.

Phoenix scored high for colleges, cost of doing business, culture and leisure, job growth, and net migration; it scored poorly for cost of living, and crime rate, and was somewhere in the middle on educational attainment, cost of doing business, and income growth. Tucson scores better than Phoenix on educational attainment and income growth, but is worse on every other measure.

Arizona was ranked highly for labor costs (#7), economic climate (#1), and growth prospects (#13), poorly for regulatory environment (#36) and quality of life (#43), and in the middle for business costs (#24).

Arizona has four billionaires--John Sperling and his son Peter of the Apollo Group (and University of Phoenix and Kronos Group), Campbell Soup heir Bennett Dorrance, and Arturo Moreno of Outdoor Systems.

An interesting point in the summary is that the United States now has the highest corporate taxes of any OECD nation.

UPDATE (March 9, 2007): Forbes has updated its billionaire list for 2007, and there are no changes for Arizona--the same four Arizonans are billionaires, with none dropping off the list and no new ones showing up. Bennett Dorrance is at #432, Arturo Moreno, John Sperling, and Peter Sperling are all tied at #799. Last year the list was much smaller--Bennett Dorrance was at #153, John and Peter Sperling were tied at #297, and Arturo Moreno was at #354.

Skepticism about the UK liquid bomb plot

Former UK ambassador to Uzbekistan Craig Murray raises some questions about the UK liquid bomb plot. Bruce Schneier points to a similarly critical discussion by Perry Metzger on Dave Farber's interesting people list.