Browser Privacy & Fingerprinting

Ivan Szekely writes in email:

A team of young researchers – my colleagues – at the Budapest University of Technology and Economics developed a cross-browser fingerprinting system in order to demonstrate the weaknesses of the most popular browsers. Taking Panopticlick’s idea as a starting point, they developed a new, browser-independent fingerprinting algorithm and started to build a system-fingerprint database for further analysis. The description of the method and the analysis of the fingerprints can be read at (the site is tri-lingual; if articles in another language appear on your screen, click on the English flag)

By now the team has developed a new version of the fingerprinting system and is working on an effective method to prevent fingerprinting. In order to fine-tune the defense against fingerprinting, my colleagues need your feedback. Please click on, make a few tests and share your comments and suggestions with the developers.

Please take a second to visit and help them and us understand browser fingerprinting.

And there may be many others but they haven’t been discovered

Three newly discovered elements were given names on Friday by the General Assembly of the International Union of Pure and Applied Physics at a meeting in London.

They are Darmstadtium, or Ds, which has 110 protons in its nucleus and was named after the town in which it was discovered; Roentgenium, or Rg, with 111 protons, named after the discoverer of X-rays Wilhelm Conrad Roentgen; and Copernicium, or Cn, which has 112 protons and is named after the Polish astronomer Copernicus, who disrupted the view that the Earth was the center of the universe.

Goodbye, Rinderpest, we’re probably better off without you

On Tuesday in a ceremony in Rome, the United Nations is officially declaring that for only the second time in history, a disease has been wiped off the face of the earth.

The disease is rinderpest.

Everyone has heard of smallpox. Very few have heard of the runner-up.

That’s because rinderpest is an epizootic, an animal disease. The name means “cattle plague” in German, and it is a relative of the measles virus that infects cloven-hoofed beasts, including cattle, buffaloes, large antelopes and deer, pigs and warthogs, even giraffes and wildebeests. The most virulent strains killed 95 percent of the herds they attacked.

But rinderpest is hardly irrelevant to humans. It has been blamed for speeding the fall of the Roman Empire, aiding the conquests of Genghis Khan and hindering those of Charlemagne, opening the way for the French and Russian Revolutions, and subjugating East Africa to colonization.

(“Rinderpest, Scourge of Cattle, Is Vanquished,” New York Times)

The full article is fascinating, and worth reading.

Copyrighted Science

In “Shaking Down Science,” Matt Blaze takes issue with academic copyright policies. This is something I’ve been meaning to write about since Elsevier, a “reputable scientific publisher,” was caught publishing a full line of fake journals.

Matt concludes:

So from now on, I’m adopting my own copyright policies. In a perfect world, I’d simply refuse to publish in IEEE or ACM venues, but that stance is complicated by my obligations to my student co-authors, who need a wide range of publishing options if they are to succeed in their budding careers. So instead, I will no longer serve as a program chair, program committee member, editorial board member, referee or reviewer for any conference or journal that does not make its papers freely available on the web or at least allow authors to do so themselves.

Please join me. If enough scholars refuse their services as volunteer organizers and reviewers, the quality and prestige of these closed publications will diminish and with it their coercive copyright power over the authors of new and innovative research. Or, better yet, they will adapt and once again promote, rather than inhibit, progress.

I already consider copyright as a factor when selecting a venue for my (sparse) academic work. However, there are always other factors involved in that choice, and I don’t expect them to go away. Like Matt, my world is not perfect, and in particular, I’m on the steering committee of the Privacy Enhancing Technologies Symposium, and we publish with Springer-Verlag. I regularly raise the copyright question with the board, which has decided to stay with Springer for now [and Springer does allow authors to post final papers].

There’s obviously a need for a business model for the folks who archive and make available the work, but when many webmail providers give away nearly infinite storage and support it with ads, $30 per 200K PDF is way too high for work that was most likely done on a government grant to improve public knowledge.

I’m not sure what the right balance will be for me, but I’d like to raise one issue which I don’t usually see raised. That is, what to do about citing to these journals? I sometimes do security research on my own, or with friends outside the academic establishment. As a non-academic, I don’t have easy access to ACM or IEEE papers. Sometimes, I’ll pick up copies at work, but that’s perhaps not an appropriate use of corporate resources. Other times, I’ll ask the authors or friends for copies. We need to understand what’s been done to avoid re-inventing the wheel.

If our goal is to ensure that scientific work paid for by the public is not handed over to someone who puts it behind a paywall, perhaps the next step is to apply pressure by only reviewing for open access journals and conferences? When I first thought about that, I recoiled from the idea. But the process of looking for previous and related work is a process which must be bounded. There are simply too many published papers out there for anyone to really be aware of all of them, and so everyone limits what they search. In fact, there are already computer security journals, including Phrack and Uninformed, which publish high quality work but are rarely cited by academics.

So I’m interested. Does being behind a paywall suffice as a reason to not cite work? If you answer, “no, it’s not sufficient,” how much time or money do you think you or I should reasonably spend investigating possibly related work?

Animals and Engineers

It’s been hard to miss the story on cat tongues (“For Cats, a Big Gulp With a Touch of the Tongue”):

Writing in the Thursday issue of Science, the four engineers report that the cat’s lapping method depends on its instinctive ability to calculate the balance between opposing gravitational and inertial forces.

…After calculating things like the Froude number and the aspect ratio, they were able to figure out how fast a cat should lap to get the greatest amount of water into its mouth. The cats, it turns out, were way ahead of them — they lap at just that speed…The engineers worked out a formula: the lapping frequency should be the weight of the cat species, raised to the power of minus one-sixth and multiplied by 4.6. They then made friends with a curator at Zoo New England, the nonprofit group that operates the Franklin Park Zoo in Boston and the Stone Zoo in Stoneham, Mass., who let them videotape his big cats. Lions, leopards, jaguars and ocelots turned out to lap at the speeds predicted by the engineers.

I was also listening to the Quirks and Quarks story on “Wet Dogs Rule,” in which the researchers used high-speed photography to figure out that dogs (and other animals) shake water out at a precisely optimal rate, balancing the energy invested against surface tension and the other factors that keep the water in their fur.

What’s surprising to me is the surprise that … “they lap at just that speed.” As anyone who’s ever read Darwin knows, any animal that expends extra energy on something, be it drying off or drinking water, will be disadvantaged compared to one that spends less energy for the same benefit. And over time, the animal that spends its energy more efficiently will have more energy to reproduce. To the extent that such strategies are influenced by genes, those genes that drive better strategies will spread. So I’m surprised that engineers are surprised that they can’t improve on millions of years of evolution.

Incidentally, congratulations to the CBC for being a news site that clearly links to the real academic work and researchers web sites.

Ambrose Bierce Punks Richard Feynman

Via Boing Boing, where Maggie Koerth-Baker gave a delightful pointer to this film of Feynman explaining for seven-and-a-half minutes why he can’t really explain why magnets repel each other. Or attract, either.

And trumping him in time and space, Bierce gave us this in 1906:

Something acted upon by magnetism.

Something acting upon a magnet.

The two definitions immediately foregoing are condensed from the works of one thousand eminent scientists, who have illuminated the subject with a great white light, to the inexpressible advancement of human knowledge.

Collective Smarts: Diversity Emerges

Researchers in the United States have found that putting individual geniuses together into a team doesn’t add up to one intelligent whole. Instead, they found, group intelligence is linked to social skills, taking turns, and the proportion of women in the group.
“We didn’t expect that the proportion of women would be a significant influence, but we found that it was,” Prof. Woolley, an organizational psychologist, said in an interview. “The effect was linear, meaning the more women, the better.”

The Globe and Mail, “If you want collective smarts…” In her interview with Quirks and Quarks, Woolley was careful to say that it wasn’t gender per se but social awareness that mattered, and that such awareness correlates strongly with gender.

6502 Visual Simulator

In 6502 visual simulator, Bunnie Huang writes:

It makes my head spin to think that the CPU from the first real computer I used, the Apple II, is now simulateable at the mask level as a browser plug-in. Nothing to install, and it’s Open-licensed. How far we have come…a little more than a decade ago, completing a project like this would have resulted in a couple PhDs being awarded, or regarded as trade secret by some big EDA vendor. This is just unreal…but very cool!

via Justin Mason

Quantum Crypto is Quantum Backdoored, But It’s Not a Problem

Nature reports that Quantum Cryptography has been completely broken in “Hackers blind quantum cryptographers.” Researcher Vadim Makarov of the Norwegian University of Science and Technology constructed an attack on a quantum cryptography system that “gave 100% knowledge of the key, with zero disturbance to the system,” as Makarov put it.

There have been other attacks on quantum cryptography, but this is the first in which there is no indication that the key has been stolen. In those attacks, the operator of the system would see the transmission error rate go up, but in Makarov’s attack, the operator sees nothing. In short, they are completely, utterly defeated. The attacker gets everything with impunity.

As usual, the quantum crypto crowd doesn’t see that a 100% loss of key with no inkling of the loss is a problem. Makarov himself said to Nature, “If you want state-of-the-art security, quantum cryptography is still the best place to go.”

Perhaps the kicker is this in Nature’s article:

Ribordy [CEO of ID Quantique] and Zavriyev [Director of R&D at MagiQ] stress that the open versions of their systems that are sold to university researchers are not the same as those sold for security purposes, which contain extra layers of protection. For instance, the fully commercial versions of IDQ’s system also use classical cryptographic techniques as a safety net, says Ribordy.

Huh? We can trust commercial versions of quantum crypto because it uses classical crypto as a safety net? That’s saying that the quantum coolness is really just icing over a VPN. Isn’t it? Am I missing something?

Now it’s time for a rant. Quantum cryptography is really, really cool technology, but the whole point of it is, well, security, and if the state of the art is that the system is breakable, then the art is in a sorry state. It’s a state of being a research toy, not a real security system.

The whole point of quantum crypto is that it isn’t even really crypto. It’s communications that can’t be eavesdropped on. It’s a magical tour-de-force of science and technology. But if it can be silently thwarted, it’s no good. If there is no way that it can be tested to be good, it’s no good. Moreover, the latter is more important than anything else.

For quantum crypto to be viable and trusted, we have to have some way of knowing that the boxes were designed and manufactured such that we can be confident there is no silent quantum backdoor in the box; without that, it has no value. You might as well just get a VPN router from the usual suspects and be done with it. If you’re really paranoid, just lay down some glass fiber and put it in a conduit.

Quantum information science as a discipline needs to start taking security seriously. It can’t just brush off a break of this magnitude, and remain credible. Come on, at least admit this is serious and has to be reflected in the manufacturing and testing. Come up with countermeasures, something.

Lady Ada books opening May 11

Ada’s Technical Books is Seattle’s only technical book store located in the Capitol Hill neighborhood of Seattle, Washington. Ada’s specifically carries new, used, & rare books on Computers, Electronics, Physics, Math, and Science as well as hand-picked inspirational and leisure reading, puzzles, brain teasers, and gadgets geared toward the technically minded customer.

From the store’s blog, “Grand Opening: June 11th”

I’ve been helping David and Danielle a little with book selection because they’re good folks and I love great bookstores. I encourage Seattle readers to stop by.

Today will be remembered along with the landing on the moon and the creation of the internet:

Researchers at the J. Craig Venter Institute (JCVI), a not-for-profit genomic research organization, published results today describing the successful construction of the first self-replicating, synthetic bacterial cell. The team synthesized the 1.08 million base pair chromosome of a modified Mycoplasma mycoides genome. The synthetic cell is called Mycoplasma mycoides JCVI-syn1.0 and is the proof of principle that genomes can be designed in the computer, chemically made in the laboratory and transplanted into a recipient cell to produce a new self-replicating cell controlled only by the synthetic genome.

Press release, or read more in Science or the Economist. (Whose image I borrowed.)

This is what science is for

In “The Quest for French Fry Supremacy 2: Blanching Armageddon,” Dave Arnold of the French Culinary Institute writes:

Blanching fries does a lot for you – such as:

  • killing the enzymes that make the potatoes turn purpley-brown. Blanching is always necessary if the potatoes will be air-dried before frying.
  • gelatinizing the starch. During frying, pre-cooked fries form a crust faster than raw ones, and they can be cooked at higher oil temperatures than raw fries – which is easier for workflow.
  • pre-salting the interior of the fries. We blanched two batches of fries, one in boiling 3% salt water, one in boiling plain water. The plain-water fries tasted like crap next to the salt-water ones. All subsequent test fries were blanched in a 3% salt solution.

It’s easy to think of science as just being good for building computers and the internet, extending average lifespans, giving us goretex, nylon and vulcanized rubber. Some people may worry that it’s in the weeds when worrying about string theory. But science is an approach to problems: the testing of ideas to see how well they work, rather than falling in love with the idea.

And Dave Arnold, along with Harold McGee and others, is driving the intersection of science and cooking. And while they’re likely to skewer quite a few cows along the way, the results are worth it.

It’s Hard to Nudge

There’s a notion that government can ‘nudge’ people to do the right thing. Big examples include letting people opt-out of organ donorship, rather than opting in (rates of organ donorship go from 10-20% to 80-90%, which is pretty clearly a better thing than putting those organs in the ground or crematoria). Another classic example was participation in 401k retirement accounts, but somehow after the market meltdown, that’s getting less press.

A smaller example: when people were told they were using more power than others, their power consumption declined. Awesomeness, right? Conservation is the easiest, freest power you can get. Remember that a 150 watt lightbulb consumes twice as much power as your laptop. And most of that goes to waste heat, but I digress. Let’s go back to that nudge study, described in this Slate article:

In a study evaluating the program’s effectiveness, Opower researchers compared power use before and after the HERs began arriving, and further compared this change with a group of control households that never received the reports. On average, the HER households reduced their consumption in the months that followed by a little less than 2 percent. Not bad, but probably not enough to save the planet.

and also:

One problem with this approach is that we all define “better” differently, as a new study emphasizes. UCLA economists Dora Costa and Matthew Kahn analyzed the impact of an energy-conservation program in California that informed households about how their energy use compared with that of their neighbors. While the program succeeded in encouraging Democrats and environmentalists to lower their consumption, Republicans had the opposite reaction. When told of their relative thrift, they started cranking up the thermostat and leaving the lights on more often. … One explanation is that many conservatives don’t believe that burning energy harms the planet, so when they learn that they’re better than average, they become less vigilant about turning the lights off. That is, they’re simply moving closer to what they now know is the norm.

People are complex. It’s hard to know what matters to people, and it’s hard to know what additional information will do to a market. As Hayek pointed out, this is why central planning fails. The planners can’t know all.

And when we start nudging people, lots more chaos will emerge. Planners don’t become better by giving people opt-outs from their planning. And while nudging is better than authoritarianism, it’s still worse than a government which does only what it needs to do.

In the case of energy consumption, a market is emerging to help people see what drives their energy consumption and environmental impact. Better to let a thousand startups bloom, and let the creativity of engineers and those who care deeply help people drive down their electricity use. Everyone else will pay for their long-burning lights, and if electricity is fairly priced, then that’s their choice.

The paper is at “Energy Conservation ‘Nudges’ and Environmentalist Ideology: Evidence from a Randomized Residential Electricity Field Experiment,” National Bureau of Economic Research.