Security – Page 35 – a sibilant intake of breath

Contributing to Project Honeypot

Spammers are one of the most annoying natural enemies of the blogging community. They waste the time of site administrators who must install anti-spam systems and dig through suspicious comments to pick out real ones. They waste the time of users who are forced to jump through hoops like site registration and CAPCHAs.

One way to help fight spam is to participate in Project Honeypot. If you run a website, they will give you a script to add somewhere. Then, you add links to the script that robots will follow, but not people. This allows the project to catalogue the IP addresses of robots, as well as track the general spam problem globally. People who run websites but don’t control the hosting (for instance, people with blogs on Blogger.com or WordPress.com) can add ‘QuickLinks’ which serve a similar function.

People running WordPress blogs can also use the http:BL WordPress Plugin to take advantage of Project Honeypot’s data and block spammers and harvesters of email addresses.

Setting up a honeypot only takes a couple of minutes, and gives the satisfaction of knowing you are helping to make the internet a slightly more civil place. In addition to running a honeypot and using the http:BL plugin, this site has a wiki protected with Bad Behaviour, a blog protected with Akismet, and spam defences built into .htaccess.

Obama’s speech in Cairo

President Obama’s speech on the United States and the Muslim world, delivered in Cairo, is worth watching:

It covers the history of Islam, the United States, and the Muslim world. It also covers Afghanistan, Iraq, the Israeli-Palestinian conflict, Iran, nuclear proliferation, democracy, religious freedom, the rights of women, and economic development. Many translations are available. Climate change was not directly mentioned, despite its considerable importance for both Muslims and Americans.

At the very least, the speech demonstrates the change in tone between this administration and the last one. Whether it is the start of something more meaningful, time will tell. Slate has some commentary: relatively positive and more negative.

Hashing with Wolfram Alpha

Separately, I have discussed both the Wolfram Alpha computational knowledge engine and the practice of hashing information. The fact that WA allows anyone to do so easily has relevance for things like making bets online, in situations where players want to conceal their guesses until everyone else has put theirs up.

Here is an example. Say you want to place bets on who will win the next Republican presidential primary. You don’t want those who post later to have the advantage of knowing what others have already posted, so you do the following:

Choose a hash algorithm (MD5 should be fine, but SHA is more secure)
Have each participant put their guess into WA. Say I think it will be Sarah Palin. I would enter: “SHA “I think the primary winner will be Sarah Palin, though I fear what she will do with the country” into Wolfram Alpha, and it would spit out something like “f7ca 4adf 11c7 5b56 f355 1635 5b50 2eca 5950 5349”
Note that the supplementary text, in addition to the name, is vital. Otherwise, it would be trivially easy for the other players to check the hashes for likely guesses and learn what people have chosen. Incorporating a salt into the hashing algorithm would be ideal, but WA doesn’t seem to have that capability.
Have each participant post the hash of their response, saving the exact text somewhere secure to them.
When the outcome is known, those who guessed correctly can confirm that fact, by providing text that hashes into their original post.

A somewhat roundabout and nerdy solution to a relatively unimportant problem, perhaps, but it illustrates some of the ways hashes can be used to prove what you said earlier, without having the content of your earlier message immediately accessible – a general ability with many applications.

One more fact about salts: they are the most straightforward way to foil attacks using rainbow tables.

Deep packet inspection in Canada

The Office of the Privacy Commissioner has created a new website. In addition to the commissioner’s blog, there is now a website devoted to deep packet inspection, announced here.

Deep packet inspection is quite a profound modification of how the internet works. All information passed across the web goes through a number of machines. In the classic version of this arrangement, they just forward the information to the next link without giving it any consideration. With packet inspection, the datastream can be monitored by those intermediate machines, including the ones at a user’s internet service provider (ISP) between their computer and the rest of the internet. Given that the computers of your ISP see all your traffic, having them implement deep packet inspection raises some especially serious questions. That is especially true given that they may be vulnerable to attack by malicious actors, and may be willing to cooperate with requests from governments, even if those requests are illegal.

The technology could have good uses, like stopping viruses and worms. It could also have many malicious ones. Companies could use it to block competition, by making the internet discriminate against their existing rivals and new startups. It could also be used for data mining, eavesdropping, and censorship. Personally, I would prefer an internet without it, and I am glad to see that it’s something Canada’s official privacy official has been devoting a fair bit of attention towards.

Dark Sun

The whole technical and chilling history of atomic weapons is reviewed in Richard Rhodes’ Dark Sun: The Making of the Hydrogen Bomb. Released in 1995, it is based substantially on documents that became available after the end of the Cold War, documenting the development of nuclear and thermonuclear bombs in the United States and Soviet Union, as well as delving into issues of international politics, espionage, and delivery systems.

Most people are likely to find some aspects of the book tedious, while others are fascinating. For instance, I noted all the descriptions of design details of nuclear and thermonuclear issues with interest, but found a lot of the minute descriptions of espionage activities tedious (especially descriptions of nearly every meeting between the atomic spies and their contacts). That said, the book will certainly offer good rewards to anyone with an interest in some aspect of nuclear weapons or the Cold War.

The last few pages really ought to be read by everyone. They document the shocking behaviour of Curtis LeMay and the Strategic Air Command (SAC) in the period prior to the Cuban Missile Crisis, as well as during it. At the time, LeMay and some of his commanders could use nuclear weapons without presidential authority; they were also obsessed with striking first, and generally convinced that war with Russia was inevitable. Perhaps the most shocking actions detailed are LeMay’s strategy of flying nuclear-capable bombers over targets like Vladivostok, in the Soviet Union. They were running drills and taking photos, but it looked to the Russians exactly like an atomic attack. I don’t think Rhodes is wrong to suggest that, had the Soviets done something similar in America, the SAC would have launched an all-out attack against them. Rhodes marshals compelling evidence that LeMay did, at times, seek to provoke a nuclear war through initiatives like these flights and the provocative American ballistic missile test undertaken during the Cuban Missile Crisis.

The book’s closing also laments the enormous amounts of sacrifice made to build up these massive, threatening stocks of weapons. The Oak Ridge and Hanford complexes, producing fissile materials, used more energy than the Tennessee Valley Authority, Hoover, Grand Coulee, and Bonneville dams could produce together. One year of expanding the facilities required 11% of US nickel production and 34% of the output of stainless steel. All told, Rhodes estimates that the arms race cost America over $4 trillion, which could have otherwise been put to productive uses. On the Soviet side, the story is far more appalling: with thousands of slaves being terrorized and irradiated in the drive to match the American weapons complex. The irony is that, while generals and arms manufacturers clamoured for ever-more warheads, politicians on both sides of the Iron Curtain had already come to understand that the weapons could never be used. Indeed, Rhodes’ account provides a nice counter-argument to the view that all politicians are short-sighted and lacking in wisdom.

All told, Rhodes’ account is an excellent one: historically rigorous, but alive to the human issues raised inevitably by the subject matter. It’s a book that is deeply relevant in a world where US-Russian tensions are growing, weapons are proliferating, and a terrifying number of bombs are still deployed on 15-minute hair-trigger alerts.

Building fission bombs

As recommended by a fellow attendee at the unofficial summer ‘grill thrill’ barbecues, I am currently reading Richard Rhodes’ Dark Sun: The Making of the Hydrogen Bomb. While the book can be detailed to the point of exhaustion sometimes, it does contain a lot of interesting information, on everything from atomic bomb design to the differences in governmental structure and operation in the United States and Soviet Union.

One thing the book has definitely done is diminish my concerns about terrorists building nuclear weapons. Even the ‘simple’ gun-type configuration uranium bomb is a lot more complicated that many of the diagrams and descriptions I have seen would make you believe. A plutonium implosion device is far more complex still. Getting from a sufficient quantity of fissile material to a working bomb is an extremely complex undertaking, requiring a lot of equipment and expertise. It also requires a lot of exotic materials and manufacturing processes. It is certainly easier now than it was for the Russians in 1949 (largely because more information is available), but the degree may not be as great as most people think. Because of espionnage, the Russians actually had the plans for the American bombs while they were building their own. Even under intense pressure from Stalin and Beria and with considerable resources (including access to industrial facilities and thousands of forced labourers), it took the Soviets four years to copy them. That makes it seem unlikely that terrorists without significant support from a state, access to industrial facilities, and high degrees of technical knowledge could emulate them.

Another interesting topic covered in the book is the hasty abandonment of Los Alamos at the end of the war. It would make interesting reading for those who saw the advent of atomic weapons as an immediate sea change in warfare. As it happened, there was apparently a long period after the war where no usable weapons were assembled and available, and the teams of people who would be required to make them so were dispersed around the United States, doing other things. The first bombs definitely weren’t designed with simplicity or shelf-life as a top priority. As a consequence, most of the deterrent effect of the bombs in the immediate post-war period was based around faulty information.

I will write a full review of the book when I have finished it.

[Update: 12 April 2010] My full review was online quite a while ago: Dark Sun: The Making of the Hydrogen Bomb.

Crime fighting with DNA ‘family searches’

Over at Slate, there is an interesting and somewhat frightening article about the use of DNA in law enforcement in the United States. As in the UK, the US is now collecting DNA from many people who have been arrested, and retaining the samples even from those never charged or convicted. The next step along this path of DNA surveillance seems to be ‘family searches.’ Here, police look for near matches between crime scene DNA and people in their database. When they find a near match, they investigate that person’s family members.

This is worrisome for many reasons. As the article explains, “courts could well be troubled by the open-ended idea that once you’re arrested and cleared, the state can subject you and future generations of your family members to permanent genetic surveillance.” It is quite shocking really. These days, people are getting arrested for such trivialities as taking photos of major landmarks. The idea that this would then subject their entire family to future police DNA surveillance seems deeply illiberal. The article also makes the point that the DNA kept on file may be re-examined later to test for other traits: for instance, if genes that predispose people to committing rape or murder are discovered. Finally, the article mentions some of the major racial implications of the policy: given the high rates of arrest and incarceration in the African American community, members of that ethnic group are unusually likely to be subject to police surveillance via family searches.

Maintaining a functioning justice system in an era of rapidly changing technologies is a huge challenge. Arguably, search and surveillance are the most worrisome new issues. The automation of both means that huge databases can be maintained tracking emails, cell phone locations, DNA, and much else besides. These databases will inevitably be accidentally leaked and intentionally abused. Just another reason why governments are far more dangerous than terrorists.

Given the popularity of being ‘tough on crime,’ it is easy to see why many people favour a system that sacrifices privacy in exchange to a higher chance of catching criminals. There are certainly arguments on both sides. DNA can help to free the wrongfully convicted, as well as increase the conviction rate for crimes like rape, when the justice system generally does a rotten job of catching perpetrators. Arguably, the fairest system would be to put everyone’s DNA on file. At least that way people would be receiving equal treatment. Of course, that requires putting even more trust and power in the hands of governments and security services that have too often abused it in the past.

Legalizing drugs

In a recent leader and briefing, The Economist has reiterated its support for worldwide drug legalization. They argue that, while legalization will certainly bring problems of its own, it is better than another century of failed attempts at prohibition. All told, the case is a very strong one. Legalization could bring with it government control: tax revenues, funds to treat addicts, quality control of products, and public information. Legalization would bring the problem into the open, as well as allow the billions of dollars spent on anti-drug policing and prisons to be put to better uses. In their leader, the magazine makes the surprising suggestion that the participation of legitimate drug companies in the development and improvement of recreational drugs could make them safer.

Legalization could also undercut organized crime, the body that probably benefits most from the current arrangement. That, in turn, would cut down on the crime associated with an illegal trade. Legalization would also suspend the situation in which governments criminalize large segments of their own population. The point is made that Barack Obama could easily have ended up in prison for his youthful experiments with cocaine. Certainly, prison sentences for drug use have the capacity to ruin what would otherwise be excellent lives by stigmatizing those who receive them and exposing them to one of the most intolerable social environments that exist within secure states.

An interesting rebuttal is offered to the idea that looser drug laws turn more people into drug users and addicts. Comparisons of otherwise similar states (harsh Sweden and laxer Norway, for instance) suggest that laws have little impact on the level of drug-taking in society. Under a legal regime, there would also be an opportunity to dispel misinformation about drugs. Certainly, the arguments that politicians have sometimes made about the ‘extreme’ danger of marijuana undermine their credibility when talking about substances that are genuinely far more dangerous.

In short, drug legalization does seem to offer the prospect of weakening the connections between many different harmful phenomenon: from the way in which poppy eradication is undermining peacemaking efforts in Afghanistan to the way in which the poor are more likely to go to jail for drug offences than their richer fellow citizens. While it would be asking too much for governments to take the plunge and legalize everything instantly, it may not be too much to hope for gradual progress in that direction, with a growing emphasis on harm prevention and a more evidence-based approach to policing, lawmaking, and judicial decisions.

Threats from war and climate change

Some threats to society strike people as so severe they justify employing large numbers of people, at taxpayer expense, to mitigate them. Chief among these is probably the danger that foreigners will try to kill us. Largely to combat this, Canadians pay for 65,251 active military personnel and 24,300 reservists. We also contribute a bit more than 1% of our gross domestic product.

At best, the operation of these institutions will leave us as well off as we are now. The money spent on bombs and military vehicles is primarily expended so as to minimize the risks associated with being attacked (though domestic industry and humanitarian concern are also factors).

Now consider climate change: probably the greatest threat facing humanity in the foreseeable future. I can’t tell you exactly how many taxpayer-funded agents are working on the problem, but it is certainly a very small fraction of the armed forces total. Should that number not be increased, so as to bring the allocation of resources more closely in line with the suite of threats we face? The case becomes even stronger when you recognize that climate change workers (say, people performing free building retrofits) have all the advantages of soldiers, plus additional benefits. Climate change mitigation is a humanitarian activity – the faster we bring emissions down to a sustainable level, the less suffering will occur in future generations worldwide due to the effects of climate change. Climate change mitigation and adaptation can have domestic economic benefits: not only do efficient buildings have lower year-on-year costs for heating, cooling, and lighting but they may also make those who live and work in them happier and more productive.

The idea of employing, say, 10% as many people to fight climate change as to fight foreigners is not entirely unproblematic. Providing free retrofits might undercut the businesses that perform such operations for profit now. That being said, I am sure careful policy design could minimize such problems. The biggest hurdle to overcome is the psychological block between facing the threat of climate change and employing people to combat it. Actually, rather than a block it might be more accurately referred to as the absence of a connection, between where our likely societal problems lie and where our societal resources are being directed.

Admittedly, you could achieve many of the same outcomes through market liberal climate strategies, such as carbon taxes and cap-and-trade schemes. The potential advantage of doing it through government labour is that the market liberal policies are hard to implement: firms often oppose them tooth-and-nail and convince voters that they will cause economic harm to them personally. Given the strength of entrenched interests, it would take remarkable political will to deploy the kind of market mechanism that would produce the required change at an acceptable pace.

Some outstanding questions jump to mind. Would a public climate change service be sensible or useful? What would such a service do? How could unfair competition with the private sector be addressed? Is there a politically feasible way to achieve the same outcomes with fewer problems or lower costs? All of these seem worth debating.

Note also that if you extend the 10% logic to the United States and China, you are talking about huge numbers of mitigation workers. The American armed forces comprise about 1.5 million people, with that many again in reserves. The US spends more than 4% of GDP on them. China has 2.25 million active personnel and 800,000 reservists. They spend about 1.7% of their GDP on them.

Monbiot now conditionally supporting nuclear

In his book Heat, George Monbiot rejects nuclear fission as a low-carbon source of electricity: arguing that it is unacceptably dangerous, and that we could make do without it. In a recent column on his website, he makes it clear that he has joined the ranks of those willing to reluctantly consider nuclear, on the simple grounds that he is so deeply concerned about climate change.

He does, however, have some conditions:

Its total emissions – from mine to dump – are taken into account
We know exactly how and where the waste is to be buried
We know how much this will cost and who will pay
There is a legal guarantee that no civil nuclear materials will be diverted for military purposes.

The first of these is important, but a fairly low hurdle. If there wasn’t good evidence that the life cycle emissions of nuclear are low (though they are not zero), it wouldn’t be getting the kind of attention it has been. The second matter is mostly a matter of not-in-my-backyard (NIMBY) syndrome. Nobody wants a nuclear waste dump in their area, though everyone knows that a safe dump will basically resemble: a deep and well-sealed hole in some very geologically stable rock. The fourth requirement may be a reasonable bar for states with pre-existing nuclear weapons capability, but it is a bit much to expect from states that lack that capacity and face threatening neighbours. In all likelihood, more civilian nuclear power will mean more states with nuclear weapons, a few decades out.

The third issue is the most uncertain: the cost of nuclear power. Regrettably, no government out there actually has the spine to make polluters pay the true cost of their carbon dioxide emissions. Likewise, no government seems to be willing to forego the political opportunities involved in subsidizing technologies like nuclear fission and carbon capture and storage. In all probability, more nuclear will result in taxpayers and electricity consumers subsidizing the mistakes of governments and energy utilities. It may also produce a clunky, dangerous, and expensive infrastructure that was slower to come online and less effective than focusing on conservation, efficiency, and renewables would have been. All that being said, the inevitable costs may be justified as a precaution. If it does become brilliantly clear to the public that climate change requires urgent action – to the extent that people are willing to accept the rapid decommissioning of coal plants – having nuclear as an option might be an important way to facilitate the route forward. Given the risks of climate change, its low-carbon status may also be worth the inevitable accidents and contamination.

I admit that this is an issue where my thoughts remain divided. That being said, barring some big unforeseen change, I think we can definitely expect to see Canada’s nuclear reactors replaced with new ones, during the next few decades, at the very least. The post later today will provide some further thinking on the issue.