Philip Greenspun’s Christmas Present to Barack Obama

One of those offers one cannot refuse.

I would like to make an offer of a Christmas present: unlimited helicopter transportation for him and his family, at no cost to him or the U.S. taxpayer, through the end of his reign.

Background: the U.S. military has spent the last 10 years or so trying to buy some replacement helicopters for presidential transport. They settled on a huge $30 million Eurocopter with three screaming jet engines that put out a big welcome mat for a cheap heat-seeking missile, such as the Stingers that U.S. tax dollars purchased for the Taliban during the 1980s. By the time our military and Lockheed Martin added some anti-missile defenses and some U.S. manufacturing, the cost of each 14-passenger helicopter went up to about $400 million, far in excess of what airlines pay for the 853-passenger Airbus A-380. The program was shut down, in theory, but recently Congress authorized a $100 million gift to Lockheed Martin to keep the program alive (source). Does the U.S. really need to spend $15 billion on a handful of helicopters that will be used mostly for 10-minute hops? And should we buy helicopters that are so heavy that it will require several C-5 cargo planes to get them to foreign destinations (the president of the U.S. always travels with his own helicopters rather than borrowing local ones)?

Running the existing helicopter fleet is not cheap. There are literally 800 pilots, mechanics, and administrators, all paid federal salaries and pensions that are more than double their private-sector counterparts (source). Jet fuel is purchased in prodigious quantities.

I happen to own two nearly brand-new four-seat Robinson R44 helicopters. Powered by efficient Lycoming piston engines, these burn less fuel in a 130 mph cruise than each Eurocopter engine would burn at idle. Currently we use these for flight training at East Coast Aero Club, but in the interest of sparing the taxpayer from further ruin, I would be willing to move them down to Washington, D.C. I will also move myself down and one or two additional instructor-pilots from East Coast Aero Club. All of us have more than 1000 hours of helicopter experience. All are U.S. citizens and one of us is an Army veteran (given the recent tragedy in Texas involving a continuously promoted and decorated Army officer, it may be necessary to clarify that, to the best of our knowledge, he was not simultaneously serving in the U.S. Army and waging jihad on behalf of Al-Qaeda).

Footnote: Phil Greenspun founded ArsDigita and teaches web application programming at MIT. He writes an entertaining blog.

The Apple Catch 22

My son needed to book an appointment with a ‘genius’ at the local Apple Store to find out what’s wrong with his MacBook. So he went online to www.apple.com/uk/retail/ to book an appointment. The reservation system took him through the various steps and accepted a reservation for 09.20 tomorrow. But then the Apple system popped up an “Oops, there was an error” window. So we phoned the number listed for the store (01223 253600) to check that the reservation had actually been made and got the usual “For [this] press 1, for [that] press 2…” rigmarole. It then helpfully told us that Apple “regrets” that it is unable to discuss reservations on the phone. To do that we are advised to log into www.apple.com/uk/retail. Bah!

LATER: In the interests of fairness, I should report that (1) the system had registered the appointment, and (2) that the ‘genius’ was admirably efficient, courteous and helpful. The hard drive had scrambled itself and the machine was repaired under warranty within the hour.

STILL LATER: Kevin Cryan pointed me at this nice essay by Clive James on dealing with computer systems and automated call services.

How secure is the cloud?

Not as secure as the vendors might like to think — at least according to this useful and informative piece by David Talbot.

Computer security researchers had previously shown that when two programs are running simultaneously on the same operating system, an attacker can steal data by using an eavesdropping program to analyze the way those programs share memory space. They posited that the same kinds of attacks might also work in clouds when different virtual machines run on the same server.

In the immensity of a cloud setting, the possibility that a hacker could even find the intended prey on a specific server seemed remote. This year, however, three computer scientists at the University of California, San Diego, and one at MIT went ahead and did it. They hired some virtual machines to serve as targets and others to serve as attackers – and tried to get both groups hosted on the same servers at Amazon’s data centers. In the end, they succeeded in placing malicious virtual machines on the same servers as targets 40 percent of the time, all for a few dollars. While they didn’t actually steal data, the researchers said that such theft was theoretically possible. And they demonstrated how the very advantages of cloud computing – ease of access, affordability, centralization, and flexibility – could give rise to new kinds of insecurity. Amazon stressed that nobody has successfully attacked EC2 in this manner and that the company has now prevented that specific kind of assault (though, understandably, it wouldn’t specify how). But what Amazon hasn’t solved – what nobody has yet solved – is the security problem inherent in the size and structure of clouds.

Good article, worth reading in full. Also includes an interesting animation of how the exploit was carried out.

Computational science

From this morning’s Observer column.

One of the diseases studied was lung cancer. The research revealed 23,000 mutations that were exclusive to the diseased cells. Almost all were caused by the 60 or so chemicals in cigarette smoke that stick to DNA and deform it. “We can say that one mutation is fixed in the genome for every 15 cigarettes smoked,” said Peter Campbell, the scientist who led the lung cancer part of the study. “That is frightening because many people smoke a packet of 20 a day.”

Although these stories are reports about medical research, they are really about computing – in the sense that neither would have been possible without the application of serious computer power to masses of data. In that way they reflect a new – but so far unacknowledged – reality; that in many important fields leading-edge scientific research cannot be done without access to vast computational and data-handling facilities, with sophisticated software for analysing huge data-sets.

In many significant areas, advanced research is no longer done by individuals looking through microscopes or telescopes, but by computers enabling investigators to collate, visualise and analyse the torrents of data produced by arrays of instruments…

Googling for Sociopaths

I’m currently reading Ken Auletta’s forthcoming book about Google and was struck by something that Aaron Swartz has written about it.

Many books have been written about Google, even though we’re all pretty familiar with the company to begin with, but what makes Ken Auletta’s Googled interesting is that it’s a history of the company as told by the incumbent sociopaths. These are the people Auletta has spent his life covering: the media moguls who tried to acquire and conquer their own empires of content and delivery. And to them what’s most shocking and galling about Google’s incredibly rapid rise is that instead of being engineered by a fellow sociopath, it was largely done by normal, decent people plainly applying the forces of new technology.

If you’re wondering what a sociopath is, then think Rupert Murdoch or the RIAA. Aaron has accurately nailed the sociopathic mentality:

It’s almost impossible to imagine life without Googling for something, checking your Gmail, or watching videos on YouTube — but sociopaths aren’t used to doing things that create value for people. They’re just interested in conquering more and taking control. When Disney bought ABC for $19 billion, it didn’t improve most people’s lives in any real way, but it did let Michael Eisner regain control of the company he once ran.

So naturally the sociopaths are outraged that their control is being taken away. Newspapers, book publishers, television companies, ad agencies — their businesses are all failing, while Google’s is on the rise. The sociopaths may be outraged, but this is exactly what’s supposed to happen. Most people don’t have a vested interest in whether ABC does well or even continues to exist. What they want are good television shows at a reasonable price, and if they can get those from Apple and Google instead of their local cable company, then bully for Apple and Google.

The thing that’s hard for the sociopaths to get their head around is that this isn’t because one of their rivals has outsmarted them — it’s just the march of technology…

Lovely stuff. Worth reading in full.

UK snow

Ben Marsh has come up with a really neat use of Twitter. If it’s snowing in your area, tweet the first part of your postcode followed by a score out of 10 for density of snow. So the tweet “#uksnow CB3 0/10” indicates that it’s not currently snowing in my part of Cambridge.

Regularly-updated UK map here.

Lovely idea. It’ll probably be used by the railway companies to justify pre-emptive cancelling of trains, though.
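As an added example (not Ben Marsh’s code and not part of the original post), here is a small Python parser for the “#uksnow &lt;postcode prefix&gt; &lt;score&gt;/10” convention described above. It treats tweets as untrusted input, rejecting malformed reports and out-of-range scores, and takes the median per area so a single joke report cannot swing the map; the outward-postcode pattern and the median aggregation are my assumptions, not something the post specifies.

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed UK outward-postcode pattern (the post only says "the first part of your postcode").
OUTWARD = r"[A-Z]{1,2}[0-9][0-9A-Z]?"
PATTERN = re.compile(rf"#uksnow\s+(?P<outward>{OUTWARD})\s+(?P<score>\d{{1,2}})/10\b", re.IGNORECASE)

@dataclass(frozen=True)
class SnowReport:
    outward: str
    score: int

def parse_uksnow(tweet: str) -> Optional[SnowReport]:
    """Return the first well-formed '#uksnow <outward> <score>/10' report, else None.
    Tweets are untrusted: malformed reports and scores outside 0..10 are rejected."""
    m = PATTERN.search(tweet)
    if m is None:
        return None
    score = int(m.group("score"))
    if not 0 <= score <= 10:
        return None
    return SnowReport(outward=m.group("outward").upper(), score=score)

def aggregate(tweets: Iterable[str]) -> Dict[str, float]:
    """Median score per outward code, so one bogus or joke report cannot swing an area."""
    scores: Dict[str, List[int]] = defaultdict(list)
    for tweet in tweets:
        report = parse_uksnow(tweet)
        if report is not None:
            scores[report.outward].append(report.score)
    return {area: statistics.median(values) for area, values in scores.items()}

# Constructed sample tweets (not real data); the first one is the example from the post.
SAMPLE_TWEETS = [
    "#uksnow CB3 0/10",
    "Heavy stuff coming down #uksnow SW1A 8/10, trains cancelled already",
    "#UKSNOW cb3 4/10",
    "#uksnow CB3 3/10",
    "#uksnow CB3 11/10",  # score above 10: rejected
    "#uksnow 12345 5/10",  # not an outward postcode: rejected
    "Snowing here but not in the agreed format",
]

if __name__ == "__main__":
    for area, score in sorted(aggregate(SAMPLE_TWEETS).items()):
        print(f"{area}: {score}/10")
```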

Learning from scam victims

Frank Stajano and Paul Wilson have written an intriguing paper on learning from scams. The abstract reads:

The success of many attacks on computer systems can be traced back to the security engineers not understanding the psychology of the system users they meant to protect. We examine a variety of scams and “short cons” that were investigated, documented and recreated for the BBC TV programme The Real Hustle and we extract from them some general principles about the recurring behavioural patterns of victims that hustlers have learnt to exploit.

We argue that an understanding of these inherent “human factors” vulnerabilities, and the necessity to take them into account during design rather than naïvely shifting the blame onto the “gullible users”, is a fundamental paradigm shift for the security engineer which, if adopted, will lead to stronger and more resilient systems security.

They give a detailed description of each scam scenario they studied. They’re all fascinating and repellent in equal measure. For example:

Jess identifies a young and wealthy mark in a café and descends on him with her charms. Once the mark believes he’s making an impression on the pretty girl, Alex turns up, posing as a Bulgarian builder who knows Jess. He has a lottery ticket which has won a prize of £2,800 but he can’t cash it because the winner must show some ID and he, as an illegal alien, fears he will be deported if he shows his. So he asks Jess to cash it in for him: in fact, he’ll let her keep all the winnings if she just gives him £1,000 cash. Alex leaves temporarily and, while he is away, Jess phones the National Lottery helpline to check whether (or rather to prove to the mark that) it’s actually a winning ticket. It turns out that not only it is but, thanks to the “bonus number”, it has actually won not just a couple of thousand but over a hundred thousand pounds! And Alex doesn’t know! Poor Jess doesn’t have the thousand pounds cash that Alex wants in exchange for the winning ticket, but perhaps her new friend the mark is interested in a piece of the action? They’d pay Alex the thousand pounds he asked for and pocket the huge difference! Yes, the mark is quite willing to side with Jess in defrauding Alex. Jess and the mark each pay Alex one half of what he asked for and he gives them the winning ticket. Jess is happy for the mark to cash the ticket and give her her share of the money later because it’s actually a worthless fake that Paul made earlier on his inkjet printer after the winning numbers had been announced on TV.

Bruce Schneier (who provided the link to the paper) summarises the principles the authors extract from these scenarios in his monthly newsletter (which is itself required reading IMHO).

1. The distraction principle. While you are distracted by what retains your interest, hustlers can do anything to you and you won’t notice.

2. The social compliance principle. Society trains people not to question authority. Hustlers exploit this “suspension of suspiciousness” to make you do what they want.

3. The herd principle. Even suspicious marks will let their guard down when everyone next to them appears to share the same risks. Safety in numbers? Not if they’re all conspiring against you.

4. The dishonesty principle. Anything illegal you do will be used against you by the fraudster, making it harder for you to seek help once you realize you’ve been had.

5. The deception principle. Things and people are not what they seem. Hustlers know how to manipulate you to make you believe that they are.

6. The need and greed principle. Your needs and desires make you vulnerable. Once hustlers know what you really want, they can easily manipulate you.

Inexplicably, Bruce misses out the seventh ‘principle’:

7. The time principle. When you are under time pressure to make an important choice, you use a different decision strategy. Hustlers steer you towards a strategy involving less reasoning.

As it happens, I know (and admire) Frank Stajano. He’s smart and charming and — if I remember rightly — an expert in martial arts. But he keeps such odd company!