“Americans stream to Canada for flu shots”

With a US shortage caused by contaminated vaccine and flu season approaching, business has been brisk at Canadian clinics and doctors’ offices along the border from British Columbia to as far east as New Brunswick.

A Canadian Internet pharmacy is working with a half-dozen physicians in Montreal to offer weekend flu-shot tours to New Yorkers. The price is $75 for a medical exam and inoculation. Lodging and meals, which can be arranged by a travel agency working with the pharmacy, are extra.

It’s a sad day when the United States has to rely on the entrepreneurial spirit of Canadians to fix a regulated market dysfunction.

(From Boston.com, Business brisk as Americans stream to Canada for flu shots.)

Piscitello on Bugtraq

My frustration level with bug-traq increases in direct proportion to the frequency at which wannabes report vulnerabilities on software that has limited consumption and little business on a business network. I finally contacted some of the wannabes. I probed each for more specifics than the original bug disclosure:

I think that Dave has a valid point here, but not all interesting security bugs are on corporate networks. A no-credential overflow in the new Doom, for example, would create tens of thousands of new zombie machines, and is broadly relevant. (Not to mention the number of work machines used for blowing off steam after hours. In violation of policy of course.)

I’m curious: If we want these bug hunters to be more useful to us, how can we encourage them to find better bugs?

[Update: More in response to Pete Lindstrom’s comments in a Nov 13 post.]

The Curve of Binding Energy

This is the story of Ted Taylor, one of the cleverest of the very clever men who designed nuclear bombs. He designed the largest bomb ever set off by the US, and the smallest. He once used a nuclear bomb to light a cigarette. And in the early 1970s, he was very concerned that terrorists could build a nuclear bomb.

He talked about this topic to anyone who would listen, and one of the people who listened was John McPhee. McPhee is one of the best wordsmiths out there. When he wrote for the New Yorker, it was always good, and frequently awe-inspiring.

The Curve of Binding Energy, available at fine bookstores everywhere, challenged the idea that building a nuclear device would take another Manhattan Project. Fortunately, to date, Taylor has been shown to be pessimistic, but you would be too, if you knew what he knew.

Sixth Circuit Reverses Lexmark

One of the worst bits of law to come out of the Clinton years was the “Digital Millennium Copyright Act” (DMCA). The law made it a crime to break any copy protection scheme, even if the data it was protecting was subject to some form of fair use. The law had lots of nasty chilling effects on research, but Lexmark also claimed that it prevented other companies from making toner cartridges that would work in Lexmark printers.

They won the first round, only to be roundly smacked down in the second. (Three good links at Copyfight.)

As Cory says: Neener, neener, neener. That’s about the right maturity level for responding to Lexmark’s insistence that it could use copyright to control the physical world.

Some explosives links

But the real issue is that the explosives can be used against civilians and soldiers in Iraq and around the world. Consider that only five grams of RDX, for example, is enough to kill a person when used in an anti-personnel land mine. When 1,000 pounds of explosives were set off by a suicide bomber in Baghdad last January, 24 people were killed. The Irish Republican Army used about 900 pounds of explosives to set off 22 bombs that killed nine and injured 130 people seriously on “Bloody Sunday” in 1972. (From RatcliffeBlog)

In contrast, Eric Rescorla claims that:

Your industry standard M18 Claymore (with a killing range of 50-100m) contains a pound and a half of C-4. A garden variety Improvised Explosive Device (enough to take out a HumVee) looks to be substantially less than a pound.

That is a three-order-of-magnitude difference in how ugly this theft is. So I was going to go and do some research, and shed light. But it’s late, and I’ve found some lovely ratholes to scurry around in.

  • Lawrence Livermore’s use of big computers to model small amounts of HMX explosive.
  • HMX and RDX are crystalline, but usually embedded in plastics for use.
  • These compounds get sold in a variety of ways.
  • HMX explodes scary fast (9160m/s) vs TNT (6940m/s) or ANFO (4560m/s). Search on “velocity” since that’s a text document.

My guess is that more of it will be used in very small chunks to make small, effective IEDs, rather than built into car bombs. The math of explosive destruction is somewhat complicated, but however much increase in destructive power comes from using pure HMX or RDX vs ANFO has to be weighed against the possibility that the bomb will go off in the wrong place, and you’ve used up 1000 IEDs’ worth of explosives.

But then, maybe the analysis changes when you’re swimming in 350 tons of it. I suppose there are real questions of who stole it, whether they consider it a long-term or short-term resource, and how much they will smuggle out of Iraq.

(Jon Lebowsky pointed to RatcliffeBlog, leading me on a merry chase.)

Mistakes, Incompetence, and Coverup Beyond Fevered Imaginings

Michael Froomkin has a long post on the 350 tons of stolen high explosives, which I’m excerpting at length:

If all that matters is our safety and security, then today’s news makes it clear beyond peradventure that the Bush administration is horribly dangerous to our national security.

Josh Marshall’s blog today runs an extensive quote from the Nelson Report regarding a staggering disaster which occurred in the early days of the US occupation of Iraq: someone stole 350 tons of RDX and HDX, highly specialized explosives. These materials are so powerful that only a few pounds suffices for a roadside bomb; do the math (2000 lbs to the ton) and that means the ‘insurgents’ in Iraq have got enough bomb power to carry them on basically forever.

But that’s not the really bad news.


Marginal Revolution: Democracy: Theory and Practice

Steven Landsburg makes a very entertaining point about democracy:

…It is worth observing that if you really believe in democracy, and if the election is close, then it doesn’t much matter who wins. The theory of democracy (stripped down to bare essentials, and omitting all sorts of caveats that I could list but won’t) is that the guy who gets more votes is the better guy. Surely, then, it follows that the guy who gets only slightly more votes is only the slightly better guy. And if one guy’s only slightly better than the other, then a miscount is no great tragedy.

… Surely there’s not much difference between a world where Bush gets 3 more votes than Kerry and a world where Kerry gets 3 more votes than Bush. If Bush is the rightful president in one of those worlds, he’s got to be darn close to rightful in the other.

So the natural follow-on question is: how close does it need to be before this logic breaks?

The process that’s followed is what gives the results legitimacy. Really, the vote counters could declare whatever they want, and most of us wouldn’t be the wiser. Most of us don’t check the vote counts, trusting that the candidates send observers to keep cheaters in check. And we’re willing to accept that whoever we’re told won, did, and give them great power.

The numbers aren’t the point: the President doesn’t get extra (legal) powers if he wins a crushing victory rather than by one vote. But either victory, if clear, gives the candidate the legal and societal support to be the President. So a known miscount is a tragedy because it reduces our acceptance, and the legitimacy, of whoever is in office.

(Via Marginal Revolution: Democracy: Theory and Practice.)

The Security/Security Tradeoff

People trying to infringe our privacy often claim that they’re making a tradeoff between security and privacy. Sometimes they’re even right. But I think today, we’re trading security for “security,” giving up real protection for an illusion.

For example, the TSA is spending lots of money to build and connect databases all about travelers. Some reports on CAPPS II have suggested that airlines would collect passenger names, home addresses, dates of birth and social security numbers, and hand them over to the TSA.

With your name, address, date of birth and social security number, I can get credit cards in your name. I can take out loans in your name. It’s scary. And if the TSA has its way, your data will be in the databases of every airline you fly.

There’s a long article in yesterday’s New York Times on identity theft. It says that almost 10 million cases were reported to the FTC in the last 12 months.

Pushing for identity cards everywhere, social security numbers everywhere, and no liability for those who collect the data, is going to make the problem worse.

So here we have a tradeoff between the very real threat of terrorism, and the very real threat of identity theft. I’m not claiming that the damage done by id theft is worse than being killed. But the security theater that TSA is engaging in won’t prevent terrorist attacks. It will put millions of Americans at greater risk of having their identities stolen and credit ruined.

I wonder what this means?

I’m trying to submit my comments on Secure Flight.

When I try to upload my file to http://dmses.dot.gov/submit/ProcessES.cfm, I’m told:

An error occured while attempting to upload your comment
[Microsoft][ODBC driver for Oracle][Oracle]ORA-01401: inserted value too large for column

I’ve submitted a request for help via the provided link.
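The error above is worth a closer look from a defender’s side: the site echoed the raw ODBC/Oracle error (driver name, database vendor, ORA code) to the browser instead of checking the input first and showing a neutral message. The following is an added illustration, not code from the DOT site or from this post; the column width, the exception class and the logging target are assumptions, and the failing INSERT is simulated.

```python
import logging
import re

# Constructed stand-in for the exception a database driver raises; the text
# mirrors what the site displayed ("ORA-01401: inserted value too large ...").
class DatabaseError(Exception):
    pass

COMMENT_COLUMN_MAX_BYTES = 4000  # assumed column width; Oracle limits are in bytes
log = logging.getLogger("comment-upload")


def store_comment(comment: str) -> None:
    """Simulated INSERT: fails the way the real site did on oversized input."""
    if len(comment.encode("utf-8")) > COMMENT_COLUMN_MAX_BYTES:
        raise DatabaseError("[Microsoft][ODBC driver for Oracle][Oracle]"
                            "ORA-01401: inserted value too large for column")


def submit_comment(comment: str, store=store_comment) -> dict:
    """Validate before inserting, and never echo backend error text to the user."""
    # Check bytes, not characters: a multibyte comment can pass a len() check
    # and still overflow a byte-sized column.
    if len(comment.encode("utf-8")) > COMMENT_COLUMN_MAX_BYTES:
        return {"ok": False,
                "message": f"Comment exceeds {COMMENT_COLUMN_MAX_BYTES} bytes; "
                           "please shorten it or attach it as a file."}
    try:
        store(comment)
    except DatabaseError as exc:
        # Full detail goes to the server log for operators, not to the browser.
        log.error("comment insert failed: %s", exc)
        return {"ok": False,
                "message": "An error occurred while saving your comment. "
                           "Please try again later."}
    return {"ok": True, "message": "Comment received."}


def leaks_backend_detail(message: str) -> bool:
    """True if a user-facing message carries driver or database fingerprints."""
    return re.search(r"ORA-\d{5}|ODBC|\[Oracle\]", message) is not None
```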

TSA Wastes More of Your Money

WASHINGTON — The Transportation Security Administration was lax in overseeing a $1.2 billion contract to install and maintain explosives-detection machines at U.S. airports, resulting in excess profit of about $49 million for Boeing Co., a Department of Homeland Security review found.

(From a Wall St Journal article, October 19th. Sorry, subscriber-only link.)

Nielsen on Security

Jacob Nielsen has a very good analysis of security, followed by a not-so-great set of suggestions.

He is spot on in saying that 1) it doesn’t work, 2) it puts the burden in the wrong place, and 3) this has nasty side effects. (I’d reverse 1 & 2, as the economics predict #1, but that’s a nit.)

His suggestions include:

  • Polish security features’ usability: This is a very valuable suggestion. We could, for example, try to ensure that questions are always asked in a form like “Allow others to share my printers?” rather than “Prevent others from sharing my printers (Yes/No)?” The latter form is hard to parse, and requires a double negative for the ‘secure’ position.
  • Automate all updates: I think he gets this wrong. Automated updates break things, and adding places where the computer ‘just stopped working’ is not helpful.
  • Turn on all security settings by default: He correctly points out that this requires making it easy to make exceptions.

He doesn’t mention a great feature that the Mac has, which is that to install software for all users, you need to either be in the admin group or type your password. This would break a lot of malware installs by drawing attention to the installation activity. A bit of sandboxing around the browser would go a long way.

(Via Cory @ BoingBoing.)