Sunday, April 26, 2009

you know; you can't go home

Now here's something. Remember British Gulf International? The first, founding mob in the Viktor Bout story. Still, as late as last year, by far the biggest source of dubious aircraft movements through the UAE, almost all going to markets in the War on Trrr. The data speaks for itself; between the Viktorfeed going live and Friday, November 7, 2008, they sent off 1,093 flights from Dubai and Sharjah and none of them were going anywhere even vaguely normal. When I reanalysed the flights with no destination, it was even worse.

A problem with the Viktorfeed is that it's hard to keep it in mind; it dumps a hundred or so movements into my RSS reader daily, even with improvements to the filtering process. So I'm late to spot that BGIA is gone. Something like this was overdue, after the official Antonov-12 ban; we monitored 150 outbounds and practically no inbound in a very short space of time, but the system kept turning. And BGIA kept going.

We were speculating about where the scene might move to. Where is the Hoxton to the UAE's Camden? Rather, the UAE was already that. Before that there was Ostend and South Africa. Ajay reckoned Conakry or Asmara were top options. However, the Vitebsk Popular News had already given us a clue.
The crew S9-SAO was pilot of Vitebsk from the same regiment, which Bout.
http://news.vitebsk.cc/2008/11/15/v-irake-pogib-vitebskiy-letchik/

That might be the 339th. Now, the last ever BGIA flight from the UAE seems to have occurred on the 27th of February, at 2339Z, heading for Kandahar with the callsign BGI1522. Since then, nothing. Nada. But where did they go? The answer seems to be "home"; in particular, Mogilev in Belarus. Here's a photo; apparently, the sleepy airfield among the birches is suddenly full of An-12s since the UAE ban was announced.

More, when I get a moment to mung some SQL; I have a vague impression that most of the BGIA movements are now under Phoenix/AVE's new 2E callsign, but I need to run the numbers.

those dangerous four words: "I've had an idea"

My heart sank when I saw these words: Firefox user interface guru. And yes, he's had an idea. A suggestion: rather than a fancy new UI, how about having a crack at stability? FF 3, and the later FF 2s, were and are crashy, hangy, and inconsistent. It regularly (daily) gets its knickers in a twist and either fails to blit the screen, hangs, reads from the keyboard buffer extremely slowly, or just crashes without error messages, warnings, logs or anything else. And the "Save and Quit" function doesn't work, which is probably connected with the fact that most crashes at least let you restore the tabs, but some lose even that.

If they want a new idea, what about having a crack at whatever is to Firefox as Firefox was to Mozilla, a lightweight, fast, rugged cut-down version of the bloated original? They could keep only the rendering engine and things like SSL, and make everything else an extension. Personally, I'd use Konqueror if it had equivalents for the various extensions I use. Anyway, Mozilla thinks Firefox is an operating system. And the thing about operating systems is that stability, security, and affordances for applications are the first and indeed only things that matter. Fancy user interfaces can be applied later.

cool

RepRap made circuits.

HOWTO be a Cyberwar Expert

F-Secure Labs' blog points to Cyberwar is Bullshit. I say yes! And I point you to Evgeny Morozov's cracking 10-step guide to cyberwar fearmongering. Follow his simple plan and you'll be able to spread arrant drivel to the underbriefed with the best of them. I especially like:
2. Begin the story in Estonia, with a reference to its 2007 attacks; make sure to play up the “E-stonia” tune and how the entire country was under online siege for a month (never mention that rioting in the Estonian streets was much more devastating and that the actual online siege lasted for twenty minutes at best). Setting the story in Estonia would also help to play up the Soviet threat that never really left the country. Blame NATO's impotence, praise Skype's genius, quote non-existent local Web entrepreneurs who lost all their savings in the 2007 cyber-attacks.
See here.

5. Find and quote industry experts with the biggest possible conflicts of interest – preferably those who make their living thanks to the public paranoia about cybersecurity. Make sure you give them enough space to quote their latest anti-virus solutions and consulting services. Since nobody important would talk to you on the record anyway, nobody expects your quotes to add any value to the article. Remember: it's all about the metaphors. Ideally, find "unbiased" experts who have never been to Estonia or Georgia, don't know the language, have gathered no data of their own, but who think that cyberwar is going to destroy us all (unless their firm is selected to help us save us from the evil hackers).

Again with the vendors.

Never mention any connectivity statistics for the countries you are writing about: you don't want readers to start doubting that someone might be interested in launching a cyberwar on countries that couldn't care less about the Internet.

Beijing: the world's most hacked city.

The big prize is alluding to a secretive summer camp on cyberwarfare, where hackers from Russia, China, Iran, and Israel get together to share tricks.

The Dr. Evil theory, a significant net contributor to global stupidity.

Update: Try the simple plan on this story.

Chalabi: a place in history

Interesting to see Ahmed Chalabi admit essentially everything I suspected of him back in 2004. This must surely count in the top ten intelligence triumphs of history, along with ULTRA, VENONA, the Rote Kapelle and the Normandy deception plan.

Jordan Barab

I'm late to the party with this; but this is fantastic. Jordan Barab of Confined Space, the workplace health & safety blog, is now going to be the US government minister in charge of just that. He was one of the very first people ever to link to this blog back in 2003; he was one of the people I wrote to on election night 2004.

Sunday, April 12, 2009

powerpoint tank watch

I don't know what the cancellation of FCS, the US Army's whizzy all-things-to-all-men, fancy wheeled vehicles, robots, computers etc supergig, will mean for the UK's FRES, which is a scaled-down version of a very similar vision - lighter, highly mobile wheeled armoured vehicles, heavily networked, using fancy sensors and precision indirect fire rather than heavy armour plate, heavier tracks, and big turret guns.

We've sort-of chosen the underlying vehicle, but unfortunately we down-selected (as they say) the one that fit in a C-130 as required in the RFP, so it might fit in an A400M, but it doesn't look like those are ever likely to fly. If you recall, the MOD managed to spend £192 million without one actual vehicle resulting, whereas during Lord Drayson's tenure as MinDP they managed to buy hundreds of actual Viking, Mastiff, and MWMIK vehicles for less money than those powerpoint presentations cost.

Part of the problem was that BAE bought up the company which was meant to be the independent advisor, and then their main competitor in the US too. This last bit worries me, as I suspect US contracts funded a lot of work on FRES. You ask the French.

the science of drivel

The impact of terrorism; new research demonstrates that people who survive terrorist attacks think more highly of themselves. Terrorism causes arrogance.

Meanwhile, I enjoyed this Bartholomew's Notes post, in which a self-made terrorism expert who is currently doing the Nazi-memorabilia circuit with his Barack Obama-is-a-foreigner act turns out to have been a pusher of 1990s Satanic-cult drivel to audiences of policemen. I've long thought that there should be a science of drivel; bullshitology, perhaps.

One of its primary research concerns would have to be the way in which the same people, ideas, and networks reappear in different contexts. The DDT-tobacco-climate change lobbyist career-path is the Rosetta stone of this study, and the neo-conservative movement is getting close. But it really is fascinating to see that the same guy pushed three successive baseless or semi-baseless panics in succession.

artefact = ideology, again

Speaking of industrial innovation, which we sort of were, Sadly, No finds Mark Steyn being even stupider than I thought possible. He is arguing with every appearance of seriousness that a) General Motors should invest in bigger cars and b) that otherwise family sizes in the US will shrink and TEH NIGRAS!!! Seriously; he's got a classically 1920s-racist Kakogenik theory monocausally based on automotive styling. J.G. Ballard would be delighted, even if Harley Earl originated the three box saloon rather than the Humvee.

I, however, feel forced to point out that those awful Europeans invented the first MPV, the Renault Espace in 1984 and it's been in mass production ever since. Unlike the US "minivan", those aren't frame-rail construction, V8 powered truck derived gas guzzlers either.

Not that I am surprised by Steyn's idiocy, of course; it's just rare that the proof of it is actually rolling off French production lines and driving around the M25.

the Harrowell option

A lot of other countries that are small economies compared to the USA or China, industrialised, and heavily dependent on foreign trade have a government policy of keeping a substantial local ownership stake in important businesses or important technologies. This may or may not be held by the State. Examples of such so-called "core investor strategies": Austria, France.

If the post-Thatcher game of running a permanent and large current account deficit reintermediated through a huge financial sector, which is then expected to export financial services derived from this task, really is over, should the UK be doing something similar, and what would be your strategy for making such decisions? I recall Dominique Strauss-Kahn (I think) saying that he couldn't understand why the British had let the DNA sequencer activities of Amersham International, at the time the market leader, be sold to the US; I've also read somewhere that the French general staff consider sovereignty to be a function of R&D spending.

I reckon that if we start disbursing cash to industry (and the European Investment Bank loan to Jaguar-Land Rover shows that's happened), we ought to take equity stakes in the companies in question, so as to build up a base of interesting technologies. Yes, this makes me an unreconstructed social democrat; I think that's a feature.

But even if you object to capital being allocated by the State, you can hardly suggest that it shouldn't be allocated at all. And, as I said back in October, with no financial sector there's only one game in town. And further, what else are we going to do? So that's the Harrowell option.

I think it's fair to say that Foxtons won't be on anybody's list. I have a plan for them as well. A tower of redundant fake-graffitied fake-Minis, in Trafalgar Square, toppled by a screaming mob beating them with their shoes. The Harrowell option remains open!

definition

CCTV Camera: a device that detects police misconduct and informs its operator by turning the screen black.

the local rag

Ironic to think of it now, but before the police were filmed beating the shit out of Ian Tomlinson and assorted members of the public, there was some sort of media push on against "citizen journalists", the Internet, Google, etc, and in favour of Good Old Local Newspapers. Well, there must be some explanation for every Lloyds-rated columnist taking up the theme at once. Surely the producer of Wire doesn't have quite that degree of journalistic influence?

That statement now seems to have become inoperative, as they say. I thought this article of Stephen Moss's was one of the least objectionable and most contentful of the genre, even if he does seem to blame bloggers for "lost relatives" at one point.

A couple of points. To start with, it's worth trying at least to distinguish individual phenomena from general ones. Essentially, the newspapers (mostly US ones) that have bitten the dust did so for one simple reason; too much leverage.

It's arguable that we've lived through an era which can be most simply characterised as the Leverage Jihad; anything that could be levered-up with more debt was leveraged, and then quite frequently again, and sometimes again, to the greater profit of the owners of the sliver of actual equity capital involved and the greater risk of society in general, notably through the banks who were lending the vast amounts of Other People's Money required. Leverage always has two effects; increased return on capital, and increased operational gearing. Any hit to cashflow can kill; any hit to valuation can wipe out the owners and leave the bank sitting on a huge paper loss as well. This is actually far less unique in financial history than I make it sound; J. K. Galbraith remarked that in every era some men discover leverage and decide that they possess financial genius.

So we shouldn't assume there was something terribly wrong with newspapers, when in fact it may have been the model of ownership and mode of financing that is the problem, just as it was for property, banking, and retail. Note that literally every failure Moss discusses decided to save money by doing less reporting; they did this in order to help service the debts their owners took out to become levered-up newspaper tycoons. That in turn should suggest some options about how to fix shaky papers. It's worth remembering that the current model of a newspaper grew up in a world where the expensive bit was production; now it's turning into one where the assets walk out of the door.

Another one is that the spread of big city papers into places that weren't usually served by them was a consequence of the property binge, and hence of the Leverage Jihad. Everywhere with a railway line that could, on the best possible day, with the most charitable assumptions, get you to London in 90 minutes developed a building or ten like this one near the station. Again, this is self-limiting.

(If you think that's grim, check out the details.)

But what I would like to know is what, precisely, was achieved by shooting down the BBC's plans for a major expansion of local news? A source who was familiar with it claims the newspapers' lobby didn't like it because it was so good. At the most, this seems to have delayed the crisis by a couple of months; with so many papers stretched to the bone by leverage and puffed up with temporary property-boom ad money, the crunch had to come sooner or later. So now, we face the prospect of neither newspapers, nor BBC Local.

it is now absolutely certain that the national ID card will be compromised

Self-satirising ID card madness. So they've actually got as far as issuing some significant contracts. We'll begin by noting that one of them has gone to CSC, last seen introducing the joy of Cerner software to the NHS National Programme for IT. But much more to the point, what is this talk about using the Chip-and-PIN infrastructure?

This is an insanely stupid idea, and is probably explained by the fact that someone has realised that there are no biometric readers, nobody wants them, there are no plans for how to deploy them, and the totality of Government thinking on the subject can be summed up as "private sector ponies!"

We already know that the system, although more secure than the old one, is quite fallible and has been successfully attacked. We further know that there are even merchant terminals in circulation with unauthorised GSM radios in them that send messages to numbers in Pakistan. It is also true that the UK version of EMV doesn't provide two-factor authentication because the PIN is stored on the card. This means that someone preparing a fake card who could steal bank card PINs could also steal National ID ones and make the card work in a reader.

The importance of this cannot be overstated. The primary mechanism of authentication is not the one the makers say is the primary one, it's the one that gets used the most. There are currently several million EMV terminals; there are zero biometric ones. Further, the biometric technologies involved have high failure rates; EMV has well over 99 per cent uptime and even higher exactitude. Therefore it will be used and the biometrics won't, so a rational attacker won't worry about the biometrics unless they really have to.

In fact, because of the false positive issue, the biometrics will be gainsaid by the EMV. Think about it. As a checker, you will with mathematical certainty encounter regular false positives. (You'll also encounter false negatives, but you won't know about them.) However, you will only very rarely encounter a real positive. Therefore, if a biometric check doesn't match, you will believe it to be a false alarm, and you will very probably ask the person presenting it to enter their PIN.
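To put numbers on that argument, here is an added illustration (mine, not the post's) of the base-rate arithmetic a checker faces at the terminal; the false reject rate, false accept rate and fraud share are constructed assumptions rather than measured figures. The last function shows what a PIN fallback does to a card cloner's odds once the PIN is known, the case the post raises above.

```python
"""Why the checker falls back to the PIN: base-rate arithmetic for a biometric
mismatch at a card terminal. Added illustration of the post's argument; the error
rates and the impostor share are constructed assumptions, not measured figures."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BiometricCheck:
    prior_impostor: float  # share of presentations that are actually fraudulent
    frr: float             # false reject rate: genuine holder fails the biometric
    far: float             # false accept rate: impostor passes the biometric

    def p_mismatch(self) -> float:
        """How often the checker sees a non-match at all, from either cause."""
        genuine = 1.0 - self.prior_impostor
        return genuine * self.frr + self.prior_impostor * (1.0 - self.far)

    def p_impostor_given_mismatch(self) -> float:
        """Bayes: of the non-matches the checker actually sees, the impostor share."""
        return self.prior_impostor * (1.0 - self.far) / self.p_mismatch()

    def p_false_alarm_given_mismatch(self) -> float:
        """The checker's lived experience: nearly every mismatch is an honest holder."""
        return 1.0 - self.p_impostor_given_mismatch()

    def mismatches_per(self, presentations: int) -> tuple[float, float]:
        """Expected (false alarms, real impostors) among the mismatches seen."""
        total = presentations * self.p_mismatch()
        real = total * self.p_impostor_given_mismatch()
        return total - real, real


def breakeven_prior(frr: float, far: float) -> float:
    """Fraud share above which a mismatch is more likely real than a false alarm:
    solve prior * (1 - far) == (1 - prior) * frr for prior."""
    return frr / (frr + 1.0 - far)


def p_impostor_succeeds(far: float, pin_fallback: bool, p_pin_known: float) -> float:
    """Chance an impostor with a cloned card gets through. Without fallback only the
    FAR helps them; with a PIN fallback a non-match is simply retried with the PIN,
    so a stolen PIN (p_pin_known=1.0) makes the biometric irrelevant."""
    if not pin_fallback:
        return far
    return far + (1.0 - far) * p_pin_known


def demo() -> dict:
    """Constructed figures: 1 presentation in 10,000 fraudulent, FRR 2%, FAR 0.1%."""
    check = BiometricCheck(prior_impostor=1e-4, frr=0.02, far=1e-3)
    false_alarms, real = check.mismatches_per(100_000)
    return {
        "false_alarm_share": check.p_false_alarm_given_mismatch(),
        "mismatches_per_100k": (round(false_alarms), round(real)),
        "breakeven_prior": breakeven_prior(0.02, 1e-3),
        "no_fallback": p_impostor_succeeds(1e-3, False, 1.0),
        "fallback_pin_stolen": p_impostor_succeeds(1e-3, True, 1.0),
        # three guesses at a four-digit PIN before lockout
        "fallback_pin_guessed": p_impostor_succeeds(1e-3, True, 3 / 10_000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With those figures a checker sees roughly two hundred false alarms for every real impostor, so treating a mismatch as "try the PIN" is the locally sensible habit the post predicts.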

Also, the government seems to have abandoned the idea of doing direct biometric-to-database checks and instead wants to authenticate a biometric held on the card to the user, like looking at the photograph on a passport. This means that it is much easier to fool anyway, because the card can be altered to match the user. But adding an additional "check" which is in fact easier to fake means that this is more likely to work.

A fundamental problem with EMV is that there is no out-of-band verification of the transactions. You have to trust the card reader, and there is no obvious way of verifying it. Personally, I always turn it over and look under it because all the hardware attacks I've read about involve drilling a hole through the back, but if the remote management interface has been left with the password set to "password" this won't help me at all.

Various efforts to improve this exist; there are systems that send an encrypted message to an application on your mobile phone to get your authorisation, so that if someone else is trying to spend your money, you'll get unsolicited authorisation requests, and if a card reader is actually a fake you *won't* get an authorisation request and your bank won't pay.

But this doesn't exist in the UK, so the government is suggesting integrating what it thinks is the gold standard of identification into a significantly weaker security system; it's in the nature of security that the weakest link determines the strength of the whole.

Now here's the self-satirising bit. As before with the old bank card system, the banks have been trying to pretend that EMV is infallible and that anyone who loses money is a fraud. The test case that will probably end this madness is coming right up, at the same time as the government wants to use the system for ID cards!

Friday, April 10, 2009

The Conservative Party in six links

I note that no-one has yet anonymously accused Ian Tomlinson of an indictable offence in a national newspaper. Are our standards in truly shameful, underhand, repellent duplicity slipping?

However, a lot of Tories who were OUTRAGED about Sir Ian Blair's term as Commissioner of the Metropolitan Police seem to be...how can I put this? frit about criticising the police now that The Chief is essentially a Tory appointee.

In fact, they seem desperate to defend Sir Paul Stephenson come what may. Observe:
Ian Tomlinson says: April 8, 2009 at 10:32 am. I fought the law and the law won
Post title: Guess What Happened Next. Stay classy, Paul.

I suspect that informing a group of people that someone has died at the hands of the police is an effective field diagnostic test of psychological authoritarianism. But even so, it's more than telling to look at some of those links and see the degree of fake concern about Jean Charles de Menezes that gets switched off like a tap with the change of partisan allegiance, to be replaced by a horrible victim-bashing rhetoric full of class-symbols (Millwall! Too many kids! Booze!).

HOWNOTTO be caught as a student terrorist

The thing that pisses me off about Al-Qa'ida is that they insist on egging the government on. That said, I can't think of anything more ridiculous than Phil Woolas wanting to have reports of any foreign student who misses ten lectures. I can't think of many things more ridiculous and contemptible than Phil Woolas anyway, but this drowns the fish.

I should point out that he was on Radio 4 earlier today claiming that "biometric visas" were our first line of defence, because the visas were checked against a watchlist. He didn't say, mark, that the biometrics were; after all, if they haven't caught the guy yet, they don't have his dabs.

Let's think about it sensibly. I doubt there is a single student in the world who hasn't accumulated 10 hours of non-attendance during their course of study; even if you reset the limit after every academic year, there will still be an absurd number of false positives. There are 330,000 foreign students in the UK. How many might miss 10 hours of classes in a given year? For some courses, you'd only need a couple of days off sick. An outbreak of freshers' flu at the right schools could stage a denial-of-service attack on the whole gig. How many reports are they prepared to follow up, to what degree of thoroughness?

Further, and I know this is a pathetic argument long since raped by history, the idea of a university implies a commitment to intellectual freedom and a certain respect for the fact that the students are adults who attend of their free will.

But even if you forget everything else, as a security measure this is quite incredibly cretinous. The threat it is designed to mitigate is that terrorists will pose as students in order to infiltrate the country, or rather that they will actually become students in order to do so. Of course, they may also do this to prepare an attack on some other country. Anyway. If you have registered at a university in order to pose as a student, it's obviously part of your cover story that you go to lectures. Depending on what you are planning, you might even be hoping to get access to things you need for the attack - information, a good chemical or biological lab, perhaps time on a supercomputer - in which case you've got to go to the lab or the library regularly as well.

This is a security measure which is designed to miss anyone who matches the attack profile it's designed to detect. Further, the more serious, disciplined, and well-organised the attacker, and the more technical and demanding the subject they choose to study - in short, the more dangerous - they are, the less likely it is to detect them. It even provides them with an explicit target number of classes they must not miss. It is quite brilliant in a negative way.

It is especially hilarious that several ministers in the government spent much of their student years plotting, or imagining that they plotted, how to bring about the world revolution. Presumably, they did this between lectures. Or perhaps they didn't, and in fact they are basing their policy on their own experience; which would explain how little they seem to have learned.

Sunday, April 05, 2009

a remarkable number of Soviet celebrities

A little news from the rialto. We're seeing more and more movements using the name "Sky Cabs", with either Phoenix Aviation/AVE's call sign PHW or else 2E. Interestingly, the company of this identity was shut down in Colombo after a horrible accident back in 2000. The matching ICAO code was SCB; we've not seen that one. The original Sky Cabs' small fleet of Antonov-12s went to Silk Way, Santa Cruz Imperial, that Rosetta stone of Viktor Bout companies, or the fire dump.

We're also seeing something called Euro Atlantic, and Asia Wings; Asia Wings' ICAO code, AWA, is the call sign of "Atlantic Airlines" of the Gambia, before it was shut down and banned from the European Union. The only known aircraft from Atlantic is An-12 serial number 347109, known at ATI (Aerocom/Jet Line) as ER-ADG and currently S9-KHF at Transliz.

I don't have any interesting information about Airfreight Aviation, the Russian UAE firm involved in this case, except to say that a truly remarkable number of Russian celebrities are employed in the aviation business there, seeing as their contact is given as Oleg Borisov. A common name, sure, but it's truly remarkable if you look at all the others.

onwards and upwards

Telling. 29 (Commando) Light Regiment RA haul a 105mm gun by hand up a rock pinnacle in Afghanistan, to a feature called Roshan Tower. Yes, Roshan as in the mobile phone operator.

We can offer you 900MHz GSM service, and some things that go with it, but far from all of them, or we can offer you live artillery rounds; either one remains on offer for a strictly limited period of time, which has yet to be determined. On request, terms and conditions are as much a mystery to us and everyone else as they are to you.

Saturday, April 04, 2009

idiots round the world stand hand in hand...

Now I want you all to go and read this outstanding article on the Daily Telegraph's real role in world journalism.

Essentially, it's become a crucial link in the global bullshit cycle. Like the water, nitrogen, and carbon cycles, bullshit circulates around the planet; some actors are bullshit sources and others sinks. The Telegraph's role is to receive bullshit from the Republican/wingnut welfare world, which is rather like the depression in Chad whose windblown dust fertilises the Amazon in this model, and print it when other media won't because it's too bullshitty.

Once it's published in London, however, other media can quote it without taking responsibility for it, therefore recirculating surplus bullshit from the UK back into the (shudder) mainstream media. Hey presto, arrant drivel has been converted into serious news. Come to think of it, perhaps I should drop the ecological metaphor; it's much more like the process of securitising, repackaging, and marketing crappy mortgages.

Originally made in the boom markets of the US, places like Florida (a rich bullshit source if ever there was one) these documents were sold to major banks in London, who categorised them by their likelihood of default and prepared them for resale. To sell, however, they had to all have a top credit rating, which was achieved by assuming that the risk of default on each was independent of the other, and then stuffing in more collateral until the expected value after the average default rate was equal to the face value. The resulting loan sausage, 30% "meat" and the rest rusks, phosphates, and water, was then sold....right back to the banks who bought it in the first place, as it turned out.

Similarly, the Telegraph takes on dodgy news stories, chops them up with some of its reputation, an anonymous source, and a dose of sensationalism, and sells the resulting collateralised drivel obligation (CDO) back to US investors at a profit. Eventually, however, the value of news-style product sourced from people like Michael Ledeen crashed, leaving major US newspapers holding gigantic portfolios of worthless drivel, which eroded their reserves of credibility to the point at which many have gone out of business.

It is widely presumed that the Federal Government will feel obliged to support newspapers deemed systemic, like the New York Times...but one hopes they don't try buying and rediscounting old scare stories in an effort to resume normal reporting. After all, this was tried in 2002-2003 with catastrophic results.

free our data, I suppose

Following on from the last post, we're unlikely to have funding to dose every school kid in Britain with radioactive markers and fMRI-scan them a term later to see how their neurons are getting on any time soon, even if you could get that past the ethics committee and the Nuclear Dread. So unless someone comes up with a field-expedient diagnostic test, we'll need some other way of assessing the problem. Which means that this annoyed me.

So some firm decided to try analysing the primary school SAT results better. They broke down the UK into much smaller units than Local Education Authorities or even schools - neighbourhoods of 300 people on average. They then classified them into 24 groups based on demographic and socio-economic indicators, looked at the average results for each group, and arrived at an expected score for each school based on the distribution of those groups in the school's intake. They then compared the actual results to see which schools were really doing better or worse.

And they got quite a lot of criticism for not using a database of pupils that...wait for it...the government won't let them use. This is a pity. Ever since Pierre Bourdieu, we've been well aware that there is much more to class than money. With all that data, we could do a lot of interesting things; we could, for example, use principal components analysis to establish objectively defined groups and see how well schools are doing that way. We could benchmark them against the Flynn effect, and I suspect quite a lot of schools would turn out just to be tracking the gradual uplift overall. But if we can't see the data we can't do anything.

insane in the membrane, insane in the brain!

Is neurogenesis perhaps the most interesting scientific discovery of the times? I rather think it is. The government minister's version: until quite recently, we thought that once you passed a certain early age, that was it for your supply of neurons, and you would only lose them. Paradoxically, that wasn't incompatible with learning, as ones you use more are preferentially conserved, and a sort of evolutionary process might therefore be at work. I remember being taught this at school in the early 1990s.

The City of Bradford Metropolitan Council can probably be forgiven this; the theory that adult brains do not regenerate was only decisively falsified in 1989. We now know that new brain cells are created throughout life at a surprisingly high rate, and in fact your brain is constantly being replaced. It's a top field of research, and new discoveries are frequent. For example, we know that neurogenesis is somehow associated with the olfactory system (new neurons crawl along blood vessels to the olfactory bulb, then move on to their new roles elsewhere in the brain, a bit like geeks flocking into the one interesting session at the conference), that its regulation is involved in depression and Alzheimer's disease, both of which seem to involve abnormally low levels of it, and that various external factors influence it.

Learning new things, socialising, taking physical exercise, and falling in love (or lust) all increase the rate at which new neurons are produced. More medically, neurons are produced from stem cells, which opens up the possibility of acting directly on the process. We don't know yet what the consequences of overdoing it would be; science fiction is, however, working on it.

Lab monkeys demonstrate unusually, indeed pathologically, low levels of neurogenesis, which is believed to be caused by a sterile and boring environment; in fact, Elizabeth Gould, the discoverer of neurogenesis, had to redesign the lab in order to verify that this was so.

Fascinatingly, childhood poverty reduces neurogenesis, and it does this by increasing levels of chronic stress. Transient stress seems to regulate neurogenesis up - hardly surprising, given that this is how we often learn - but permanent insecurity makes you stupid, depressed, and vulnerable to dementia.

At the moment, the government is terribly keen on "happiness" and especially on administering cognitive-behavioural therapy to the poor. Unfortunately, the hard scientific facts seem to suggest that they would be much better advised to concentrate on a sort of Attleean agenda of economic security and broadening culture, of whatever kind. Over the last 30 or so years, we've had a rash of economists (mostly) claiming to offer tough, quantitative answers to society's questions, in opposition to a Left that deals in vague generalities or rabble-rousing. But the answers from science - real science, with radiation and monkeys and scalpels - are diametrically opposed to the ones from half-science.

Economics, in academia, is coping reasonably well with its own scientific revolution, the onslaught of Tversky and Kahneman; its policy-advising function is largely a failure, hopelessly trapped by a dead weight of hacks and ideologues. But there is now a second wave of intellectual disruption heading for it from the life sciences. I was discussing the cognitive-bias revolution on a mailing list recently, and there was talk about what a new school of thought aiming to incorporate the new insights should call itself. It's not a trivial issue; the Friedmanites' triumph had much to do with their marketing, "Free to Choose", "rational expectations", "economic rationalism" in Australia. My suggestion was "realistic economics". Nobody wants to be on the side of unrealism, after all, which is what pre-Kahneman economics offers.

contacts, again

Minor triumph. Hacker News dropped 2,095 hits on this post yesterday, which just shows you what a bit of well-directed whining can achieve; the fleeting attention of one million social-network Skinner-box pigeons. But yes. Anyway, Reggie makes a very good point in comments - why can't I subscribe to somebody's contact details and have them updated automatically? Amen! (He'll like that, according to his blog he's some sort of missionary.)

This shouldn't be difficult; you need only specify a URI for updates as a field in the vCard, and have the client application check it (on start-up; every so often; whatever), or perhaps we could use XMPP, which would permit changes to be pushed out in real time. In fact, if the client was at all sensibly specified, then on finding a URI without any contact information it would fill in the fields from the data source the URI points to, so you could just hand round cards with www.example.com/firstnamelastname on.

Of course you might want to restrict subscriptions to your contacts, or provide both public and private versions, and certainly be able to revoke access to them; OAuth or similar is fine. I'm surprised nobody's done this yet. There are closed solutions, but it would be a pity to lock up all the data in a monopoly. In fact, perhaps the best way to deploy it would be to extend OpenID, associating a contact record with an identity URL and only divulging it with user permission. However, it would be nice to aggregate the information so that clients could register lists of contacts, and get a batch response ("No changes in your contacts" or a multi-vCard file of updates), especially as one of the affordances of such a system would be easy synchronisation between devices. In fact, it would obviate synchronisation as we currently know and hate it. (There's another desperately awful application.)
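The subscription model described above, worked through as an added example (not code from this post, and not any existing product): a publisher serves a contact's current vCard to holders of a token it can revoke, answers a batch check with "no change" when nothing moved, and a client card can begin life as nothing but a URI and get filled in on the first refresh. The X-UPDATE-URI idea, the bearer-token scheme and the Publisher/Subscriptions classes are assumptions made here; the post leaves the transport (HTTP polling or XMPP push) and the authorisation protocol (OAuth or similar) open.

```python
# Added example, not code from the post: a pull-based model of "subscribe
# to someone's contact details". The publisher, the bearer-token scheme
# and the status codes are assumptions for this example; the post leaves
# the transport (HTTP polling or XMPP push) and the authorisation protocol
# (OAuth or similar) open.

class Publisher:
    """The data source behind an update URI. Each record carries a version
    tag so a batch check can be answered with 'no change', and access is
    per token so it can be revoked without changing the public URI."""
    def __init__(self):
        self.records = {}   # uri -> (etag, vcard_text)
        self.tokens = {}    # token -> uri the token may read

    def publish(self, uri, vcard_text, version):
        self.records[uri] = (str(version), vcard_text)

    def grant(self, uri, token):
        self.tokens[token] = uri

    def revoke(self, token):
        self.tokens.pop(token, None)

    def fetch(self, uri, token, known_etag=None):
        """Return (status, etag, body), much like a conditional HTTP GET."""
        if self.tokens.get(token) != uri:
            return 403, None, None            # unknown or revoked token
        if uri not in self.records:
            return 404, None, None
        etag, body = self.records[uri]
        if etag == known_etag:
            return 304, etag, None            # "no changes in your contacts"
        return 200, etag, body

class Subscriptions:
    """Client side: a card may start as nothing but an update URI and a
    token; the details are filled in on the first successful refresh."""
    def __init__(self):
        self.cards = {}     # uri -> {"token", "etag", "vcard"}

    def add(self, uri, token):
        self.cards[uri] = {"token": token, "etag": None, "vcard": None}

    def refresh(self, publisher):
        """Batch refresh of every subscription; returns a summary rather
        than a per-card dialog. A denied card keeps its stale copy."""
        summary = {"updated": [], "unchanged": [], "failed": []}
        for uri, card in self.cards.items():
            status, etag, body = publisher.fetch(uri, card["token"], card["etag"])
            if status == 200:
                card["etag"], card["vcard"] = etag, body
                summary["updated"].append(uri)
            elif status == 304:
                summary["unchanged"].append(uri)
            else:
                summary["failed"].append(uri)
        return summary

# Constructed sample data (no real person; the URL serves nothing).
ALICE_URI = "https://www.example.com/alicesmith"
ALICE_V1 = "BEGIN:VCARD\nVERSION:3.0\nFN:Alice Smith\nEMAIL:alice@example.com\nEND:VCARD\n"
ALICE_V2 = "BEGIN:VCARD\nVERSION:3.0\nFN:Alice Smith\nEMAIL:alice@new.example\nEND:VCARD\n"

def walkthrough():
    """Grant, first fill-in, no-change check, publisher update, revocation."""
    pub, subs = Publisher(), Subscriptions()
    pub.publish(ALICE_URI, ALICE_V1, version=1)
    pub.grant(ALICE_URI, "token-for-bob")
    subs.add(ALICE_URI, "token-for-bob")          # a card with only a URI on it
    steps = [subs.refresh(pub)]                   # fills in the details (200)
    steps.append(subs.refresh(pub))               # nothing changed (304)
    pub.publish(ALICE_URI, ALICE_V2, version=2)
    steps.append(subs.refresh(pub))               # picks up the new address
    pub.revoke("token-for-bob")
    steps.append(subs.refresh(pub))               # denied; stale copy kept
    return steps, subs.cards[ALICE_URI]["vcard"]

if __name__ == "__main__":
    for step in walkthrough()[0]:
        print(step)
```

The revocation step is the part worth keeping in mind when designing the real thing: the URI is public and printed on cards, so access has to hang off the token, not the address, and a client that is refused must not silently drop the last copy it had.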

By the way, if you've just landed from HN, you might want to check out ORGANISE, my project for a Stafford Beer-inspired organising tool, and the specification v0.5, to say nothing of the Viktor Bout RSS feed and map.

Friday, April 03, 2009

command-line rapidshare upload

If you want to upload something to rapidshare.com, quickly, and you only have command-line access, what do you do? This script was promising, but failed on line 30: the regular expression it uses to pull the upload server out of the reply didn't match, so re.search() returned None and the .group() call on that empty (NoneType) object blew up.

I replaced this code:

    import re
    import socket

    def upload(self):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect(("rapidshare.com", 80))

        sock.send('GET /cgi-bin/rsapi.cgi?sub=nextuploadserver_v1 HTTP/1.0\r\n\r\n')
        # re.search() returns None when the pattern does not match, and
        # .group() on None is the AttributeError that killed the script
        uploadserver = re.search('\r\n\r\n(\d+)', sock.recv(1000000000))
        uploadserver = uploadserver.group().lstrip()
        sock.close()

with this:

    import socket

    def upload(self):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect(("rapidshare.com", 80))

        # send() returns the number of bytes written to the socket
        uls = sock.send('GET /cgi-bin/rsapi.cgi?sub=nextuploadserver_v1 HTTP/1.0\r\n\r\n')
        uploadserver = str(uls)
        sock.close()

and it worked.

Update: Get it here.
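The failure above is a general one, so here is an added example (mine, not the linked script's code) of reading a raw HTTP/1.0 reply the robust way: read until the server closes the connection instead of trusting one recv() call, split status line, headers and body explicitly, and return None on a non-matching body rather than calling .group() on it. The sample responses are constructed; the rapidshare API path is the one from the post and the service no longer answers it, so the live wrapper is illustrative only.

```python
# Added example, not the script the post links to: read a complete HTTP/1.0
# response and extract a numeric body defensively, so a reply that does not
# match raises a clear error or returns None instead of crashing on None.
import re
import socket

def recv_all(sock, bufsize=4096):
    """Read until the peer closes the connection (HTTP/1.0 semantics).
    A single recv(1000000000) only returns what the first segment held."""
    chunks = []
    while True:
        chunk = sock.recv(bufsize)
        if not chunk:
            break
        chunks.append(chunk)
    return b"".join(chunks)

def split_http_response(raw):
    """Split raw response bytes into (status_code, headers, body).
    Raises ValueError if the header block is not terminated or the
    status line is malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response: no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_parts = lines[0].split(" ", 2)
    if len(status_parts) < 2 or not status_parts[1].isdigit():
        raise ValueError("malformed status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_parts[1]), headers, body

def parse_upload_server(raw):
    """Return the integer in the body, or None when there is none.
    The original pattern '\r\n\r\n(\d+)' needed the digits to follow the
    blank line immediately; a leading newline or an error page made
    re.search() return None, and .group() on None raised."""
    status, _headers, body = split_http_response(raw)
    if status != 200:
        return None
    match = re.search(rb"^\s*(\d+)\s*$", body)
    return int(match.group(1)) if match else None

def fetch_upload_server(host="rapidshare.com", port=80, timeout=10):
    """Live wrapper, kept for completeness; the API this post used is gone."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET /cgi-bin/rsapi.cgi?sub=nextuploadserver_v1 HTTP/1.0\r\n"
                     b"Host: " + host.encode() + b"\r\n\r\n")
        raw = recv_all(sock)
    return parse_upload_server(raw)

# Constructed sample responses (not captured from the real service).
GOOD_RESPONSE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                 b"\n531\n")
ERROR_RESPONSE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                  b"ERROR: no upload server available\n")
BROKEN_RESPONSE = b"HTTP/1.0 503 Service Unavailable\r\n"

if __name__ == "__main__":
    print(parse_upload_server(GOOD_RESPONSE))   # 531
    print(parse_upload_server(ERROR_RESPONSE))  # None
```

Note that the GOOD_RESPONSE body starts with a bare newline: that is exactly the shape the original regex could not match, and the reason the script died on line 30 rather than at the upload itself.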

music

So people wanted to know what my rational method for assessing obscure bands turned up. Here goes with the tracklisting, and brief reflections on each.

2020Soundsystem - Shiver

Remember Robert Miles, "Children"? Sure ya do. Similar mood, vaguely krautrock underpinnings. But slightly average. Are we sure about this project?


Bloodgroup - Chuck

Ah, this is more like. Icelandic electronic fuzz, with inescapable dancemaking qualities. And the intro sounds like a news broadcast, with bassline synths; a similar idea to a public service announcement with guitars. Slightly too fast, as well. Considered FUN.


Ceci Bastida - Cuando Vueltas a Caer

Bright, Spanish, vaguely funky, rather good. Six words!


DJ Chicken George - Overthrowed!

DJ Shadow-ish, atmospheric, soulful horns, big urban spaces. But very "if you liked Shadow (or St Germain) you'll like this"


FOUND - Some Fracas of a Sissy

Silly title, silly song. Sample-collage, wilfully eccentric, great if you like that sort of thing. Big atmospherics, again. Skating along the rail that separates fantastic and annoying.


Hypernova - Somewhere Far Away

Dark indie-dance, slightly too fast, depressing political lyrics. Another band with a serious echo habit. "Panic on the edge, thinking about tomorrow, I close my eyes and realise that all my life I was being lied to by the ones I so adored!" If that isn't the zeitgeist I don't know what is.


J-Boogie - Revolution

Wonky horns, quiet rappers, girl rappers, demanding revolution, probably coming to a cafe full of wankers near you. Which is a pity, because this is good.


Japanther - Um But Your Smile Is Totally Ruling Me Right Now

Title problem. Try to ignore it - this is an overcoming bias project after all. Noisy, cheerful lofi punk, bounce, yell about vandalising Clear Channel-owned advertisements.


Josh Martinez - Responsibility

Portentous loverman R&B, which people who like that will like a lot. What is it with echo effects? Another that sounds like it was recorded in a giant Korean shipyard drydock at dead of night. But there's certainly some cross-prior appeal here. "My tolerance for low intelligence is almost all gone!" Well, that's bang on the money at least.


Kamikaze Queens - Voluptuous Panic

Oscillates between brilliant and dire. It's very much a 1 or a 5. Weimar nostalgia kitsch is a cliche, but the sudden punk eruption is fun. Probably works better live under the right conditions. But at time of writing it's annoying me. Next!


Le Le - Breakfast

Well used sample, good tension, can't save it from being routine misogynist rapper bollocks.


Los Pirata - La Telepatia

Described as Brazilian surf-pop. Does what it says on the tin. Pleasantly silly.


Kap Bambino - Red Sign

French electronic punk, as the Prodigy would put it. Loud. Fast. Messy. Singer sounds probably incredible live, but there's always a chance they're a couple of geeks who can only hit it surrounded by laptops. Music for demonstrations.


Lady Dottie and the Diamonds - I Ain't Mad At Ya

Oh really? Big. Crashing. Drums. Too fast, again. Combination of too fast, drums, and Hammond fills, however, is a cocktail that fits me well.


Meliss FX - Love Is Your Attention

A DJ tool. Designed for purpose, shiny, drop-forged, chrome-vanadium steel, likely to give you a bad head if someone uses it on you.


Polly Mackey and the Pleasure Principle - Seriously

Heavyish indie rockers with big Welsh voice and a touch of intensity. Darker Catatonia. From Wrexham, perhaps more conventional than they think. Like Daniel Davies.


Popular Damage - Everybody got young in 2001

Bad title. Germans pretending to be from South London for some bizarre reason. Reminds me of Republica, if you remember them; electronic backing more interesting, but the German Lily Allen stylings are like being stuck in a bag of cats. Probably coming to a taxpayer-funded youth TV project. Or a shoe shop.


Skavengah - El Ritmo de la Vida

Frantic optimistic ska pop eruption. "Let's go back a little time ago when the pace of life was a little more slow" is perhaps the most inappropriate lyric ever, as this is like eating coffee by the spoonful.


Skibunny - Up Down

Slickish electronic dramatics, but doesn't get away from standard jingle jangle indie band (that listens to the La's too much) structure down in the mix. I can see this one on Match of the Day. A well deserved break from all the speed, though.


Sky Larkin - Fossil, I

Turbulent indie band from Yorkshire, with that northern band up-on-the-hillside howling wind and grey skies thing - like the Verve, or the Manics (if you count Wales as the North). Vocals considered suitable, good dynamics as well. Keeps cranking up the tension.


Thao With The Get Down Stay Down - Bag Of Hammers

Typical American whimsical indie, works very hard at being eccentric but terribly, terribly neat. Puts the star in Starbucks. Mannered. Needs to see the band name doctor, as well.


The Ettes - No Home

Fuzzy, dark punkpop. Driving around dark urban corners to feel like you're doing something. Likely to be too fashionable for any useful purpose in short order.


The Kominas - Sharia Law In The USA!

Paranoia! Cold War nuclear attack warnings and propaganda films! Made me grin. Just imagine how, say, Michelle Malkin would hate this.


The Krayolas and the West Side Horns - Twelve Heads in a Bag

Mariachi horns...and narco beheadings...da da dum...how many bands remind you of John Robb's Global Guerrillas? Even if things have moved on, there's no John Nagl Rockers yet, so this will have to do.


The Pepperpots - Lucky Girl

Instant sunshine. The British armed forces use the phrase as a nickname for a nuclear weapon. And this is the bomb. 2-tone glee, at a reasonably sensible pace, with good horns; sounds like a sunny day in Victoria Park with French people. If this gets on the radio they're going to play it until the CIA start using it for interrogations, so listen to it while you still can without vomiting.


The Twelves - Works For Me

Nicely paced dance track; "I want to be in your pictures from last night". A relief from some of the others here, which are more like "I want to be in your CCTV database".


NASA featuring a whole long list of folk starting with MIA - Whatchadoin? (Villains Remix)

This is the only one I actually knew. Another dance tool, shining in the rack, clean, bright, and lightly oiled. Smells of hit.


Wave Machines - I Go I Go I Go

80s-influenced, danceable band...could enjoy this, even if it's vaguely Prefab Sprout at some points.


Wild Beasts - Brave Bulging Buoyant Clairvoyant

Falsetto Yorkshire testifyin' white soulman. Tension and contrast. The Associates are an influence here. Cracking.


Wine and Revolution - Eager to Sail

Whatever other qualities they may have, the entire music of this song is...how can I put this...plagiarised from a 1980s British songwriter who I can't fucking remember right now. Elvis Costello? No doubt someone will tell me.


Woodhands - Dancer

Turn the crazy back up. This is a great slab of noise, with hips, and someone being repeatedly interrupted by a crude yelling voice shouting "YOU A VERY GOOD DANCER! WHAT IS YOUR NAME? WHAT IS YOUR NAME?" like the crown prince of Brunei on a bad night. Yes.

You can download the lot in a monster ZIP archive from rapidshare, here. Update: New, stabler link!

polite computers

Thinking about contacts, and also reading this, it struck me that if there is anything in computing that needs a manifesto it's Polite Software.

As in: it behaves helpfully towards others, by exporting and importing data in standard formats correctly (and if there is a common incorrect way of doing something, it should provide the option of doing it that way - like KDE does with "Microsoft-style" groupware notifications), it doesn't get in the way (so if it's doing something, it doesn't interrupt you doing something else by grabbing the UI thread, and it segregates any process involving an external process so it doesn't hang on a network connection), it never loses other people's work, it doesn't make you repeat yourself (so if you have to go back one step, all the values you entered are preserved, which most Web applications fail to do), it tells the truth (error messages are descriptive and don't say you did something that you didn't, and logs are kept and are easily available).

contacts considered crappy

Why is contact management implemented so poorly in every software package I've ever encountered? It's almost as bad as the all-time worst application, voicemail. Outlook, Gmail, KDE Kontact, MS Entourage, Mozilla Thunderbird; they've all been carefully pessimised to incorporate every possible pain in the arse. For a start, file formats and vendor lock-in. There is a perfectly good, easy to parse, free standard accepted the world over: the vCard.

But still, so often, it doesn't bloody work. Most Microsoft products will only import them one at a time from individual files, which is useless if you have any number of contacts. I recently finished digitising and re-checking a huge pile of business cards accumulated from my journo days, and I finished up with 348 contacts classified as "business". Now, Kontact will happily export them as a vCard file of version 2.1 or 3.0; but Nokia devices will only read the first contact.

And the killer detail? They store the contacts files as a multi-contact vCard! But this is an implementation detail. I have never seen any contacts app that doesn't have a horribly ugly user interface, that doesn't organise your contacts in hierarchical directories - because people are always part of zero or one groups, right? - and that doesn't imagine that friends are alphabetical.

Social network sites are no solution. I hate them with a passion. They are closed-minded data sinks, whose business model is either "spam the buggers with ads" or "sell the company and all the data to someone who will spam the buggers with ads". And I have yet to see one that doesn't have most of the antifeatures I just described. And I want one copy of the data to be on my local machine, thank you.

Now, I think part of the problem is that all the applications I named are either e-mail clients or they incorporate an e-mail client. Perhaps we ought to disassociate the ideas of "contacts" and "e-mail"? Perhaps a contacts app should handle all the possible means of communicating with the contacts?

And too many of them confuse the task of searching through the contacts with displaying the details of each one. Search is good, but why is there no visual interface for contacts? Can't we display them in a way that lets you see relationships between them? This relates to the organisation issue; I don't want to select categories, I'd rather give a list of tags, or perhaps have both groups and tagging, or maybe tags and related names, and let the groups emerge.

That implies that the backend will have to be a database, rather than a flat file or a directory of vCards. SQLite would do perfectly well (Apple uses it for your messages in Mail.app). I'm aware that KDE is working on a common database backend (Akonadi) for these things, but at the moment it's a waste of space, and the related project Nepomuk has the dread word "semantic" in it (i.e. a lot of stuff which we're not really able to define in a meaningful fashion let alone implement).

The UI? I like the idea of plotting the contacts by their similarity or difference, maybe on a half sphere centred on the user, so their relationships become apparent. In KDE you could make this a .part for Kontact, so you could flip between the detail view and the graphical overview.
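To make the backend argument concrete, here is an added example (mine, not code from this post, Kontact, Akonadi or Nepomuk): a parser that reads every card out of a multi-contact vCard file rather than stopping after the first, and a SQLite store in which tags are a many-to-many join table, so a person can carry zero, one or several of them and "groups" are just queries. The schema, the UID handling and the sample cards are constructed for this example.

```python
# Added example, not code from the post or from Kontact/Akonadi/Nepomuk: a
# parser for multi-contact vCard files and a small SQLite backend that
# organises people by tags (many-to-many) rather than one directory each.
# The schema and the sample cards are constructed for this example.
import sqlite3

def parse_vcards(text):
    """Return one {PROP: [values]} dict per BEGIN:VCARD..END:VCARD block,
    so a file with 348 contacts yields 348 dicts, not just the first.
    Folded lines (continuations starting with space or tab) are joined;
    property parameters such as TEL;TYPE=cell are dropped from the key."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]        # RFC 2425 line unfolding
        elif raw.strip():
            lines.append(raw)
    cards, card = [], None
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("bad vCard line: %r" % line)
        prop = name.split(";", 1)[0].upper()
        if prop == "BEGIN" and value.upper() == "VCARD":
            card = {}
        elif prop == "END" and value.upper() == "VCARD":
            if card is None:
                raise ValueError("END:VCARD without BEGIN")
            cards.append(card)
            card = None
        elif card is not None:
            card.setdefault(prop, []).append(value)
    if card is not None:
        raise ValueError("unterminated vCard")
    return cards

class ContactStore:
    """Tags live in a join table, so a person can carry zero, one or many
    of them and 'groups' are just tag queries; SQLite needs no server."""
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.executescript(
            "CREATE TABLE IF NOT EXISTS contact(uid TEXT PRIMARY KEY, fn TEXT, email TEXT);"
            "CREATE TABLE IF NOT EXISTS contact_tag(uid TEXT REFERENCES contact(uid),"
            " tag TEXT, PRIMARY KEY(uid, tag));")

    def import_vcards(self, text, tags=()):
        """Load every card in the file; cards without a UID are skipped
        rather than having an identity invented for them."""
        loaded = 0
        for card in parse_vcards(text):
            uid = card.get("UID", [None])[0]
            if uid is None:
                continue
            self.db.execute("INSERT OR REPLACE INTO contact VALUES (?,?,?)",
                            (uid, card.get("FN", [""])[0], card.get("EMAIL", [""])[0]))
            for t in tags:
                self.tag(uid, t)
            loaded += 1
        self.db.commit()
        return loaded

    def tag(self, uid, name):
        self.db.execute("INSERT OR IGNORE INTO contact_tag VALUES (?,?)", (uid, name))

    def with_tag(self, name):
        rows = self.db.execute("SELECT c.fn FROM contact c JOIN contact_tag t ON t.uid=c.uid"
                               " WHERE t.tag=? ORDER BY c.fn", (name,))
        return [r[0] for r in rows]

    def tags_of(self, uid):
        rows = self.db.execute("SELECT tag FROM contact_tag WHERE uid=? ORDER BY tag", (uid,))
        return [r[0] for r in rows]

# Constructed two-card export, with one folded NOTE line, as Kontact might write it.
SAMPLE_VCF = """\
BEGIN:VCARD
VERSION:3.0
UID:alice-1
FN:Alice Example
EMAIL;TYPE=INTERNET:alice@example.com
END:VCARD
BEGIN:VCARD
VERSION:3.0
UID:bob-2
FN:Bob Example
NOTE:a note long enough to have been folded
  onto a second line by the exporter
END:VCARD
"""

if __name__ == "__main__":
    store = ContactStore()
    print(store.import_vcards(SAMPLE_VCF, tags=("business",)))   # 2, not 1
    store.tag("alice-1", "friend")
    print(store.with_tag("business"), store.tags_of("alice-1"))
```

The parser refuses to invent a UID for a card that lacks one, which is the right default for an import that will later be synchronised: a guessed identity is how duplicates and merged strangers appear on the next round trip.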

Afghanistan the Doonesbury way

Doonesbury, 2nd April 2009

There is more truth about Afghanistan, counter-insurgency, insurgents and empires in this cartoon than in the vast pile of thinktank and military-academic reports on my local hard disk.

(Today's is pretty good, too.)

Wednesday, April 01, 2009

spybreak!

Here are two news stories whose contrast should tell you a lot, via Charlie Stross. Spy chiefs fear Chinese cyber attack:
INTELLIGENCE chiefs have warned that China may have gained the capability to shut down Britain by crippling its telecoms and utilities.

They have told ministers of their fears that equipment installed by Huawei, the Chinese telecoms giant, in BT’s new communications network could be used to halt critical services such as power, food and water supplies.
And here's F-Secure's take on the big story that supposedly-Chinese hackers created a botnet of compromised Windows machines in Tibetan and Chinese-dissident organisations that let them remotely activate and monitor webcams and microphones.

The first thing is that the Times story is a classic of the discourse of "cyberwar". Threats are by definition from state actors, Dr Evil is behind everything, and the solution turns out to be indistinguishable from giving lots of money to favoured military-industrial vendors. And there is no sign of any engineers anywhere near the story - just that very British product, the intelligence-administrative complex, telling itself stories.

But surely there is a risk from Teh Huawei? Well. First of all, what are we trying to protect? "Security" isn't an answer. There are, as far as I can see, essentially three things an attacker could do in the BT core network - crash the whole thing (denial of service), spy on somebody's traffic, or spoof a network entity, to pose as one in order to misroute traffic for some sinister aim. The horrors described in the article are presumably thought to be possible consequences of a massive denial of service attack.

How would they go about attacking it? Well, the whole point here is that they can attack from the public Internet. (If they can attack from within BT, it doesn't matter whose routers we buy...) Physical layer attacks are much less dangerous because you would need to do much more work for every unit of trouble caused - you'd need to physically tap wires and find ways of backhauling the traffic you tapped.

So we're concerned about a breach of Internet security, which implies that the crucial element in our defence will be to prevent malicious traffic getting access to the system's administrative features. For our purposes, a secret backdoor is essentially the same as an administrator interface.

Well, that's good news - this would be absolutely no different if the equipment came from Cisco Systems, Alcatel, Marconi as was, Nokia, ZTE, Motorola, NEC or anyone else, and the security solutions involved are applicable across them all, being essentially good internetworking practice. And 21CN's architecture actually makes an attack from the IP layer rather difficult. It's probably worth opening the Wikipedia page in another tab to follow this bit.

21CN is made up of four kinds of node: Multi-Service Access Nodes (MSANs), which replace the old local exchanges, terminate the copper wires from your house, and switch different kinds of traffic into appropriate pipes (steam voice gets converted to VoIP at this point as well); metro-nodes, which are the gateway routers to the core network; core nodes, which are really big MPLS routers; and iNodes, which are voice softswitches and which will control calls, video sessions etc. Huawei's bit is the MSAN, plus some of the optical splitters, repeaters and such.

Importantly, the MSAN isn't an Internet entity; it is a Layer 2 Ethernet device, which talks to the metronode it's connected to. In 21CN, both other ISPs and BT Retail are sold wholesale service in the form of Ethernet links, and the MSAN is responsible for putting the traffic into the right link, but the metronode is the first element to actually route Internet packets. Therefore, even if the Chinese were to secretly control all the MSANs, they would have to create a new Wholesale Broadband Connect Ethernet pipe from each one in order to get the traffic out to the Internet. And to control it, they would have to first of all get in, then break out of the encapsulation to access the MSAN itself.

And most of the IP layer equipment, including the big routers that link the whole thing to the Internet, is made by Alcatel, Cisco, or Juniper Networks; in fact, 21CN has a fair amount of diversity, which is usually good from a security standpoint. So I would suggest that this is a classic movie plot threat. Like most of them, of course, it taps deep political assumptions and vested interests; there is no evidence of Huawei's equipment being secretly controllable by the Chinese intelligence service whatsoever, but there are a lot of rightwing congressmen who just know it, and they receive contributions of funds from competing vendors with unstartling regularity.

And more to the point, what is the evidence that Huawei is any more likely to be spying on its customers than the alternatives? If the equipment came from Cisco Systems, as some of it does, shouldn't we worry that the Americans have secretly fiddled with it? If from Alcatel, as some of it does, what about the French? (Don't laugh, they're building a Total Info Awareness clone.) The Swedish government wants to run absolutely all Internet traffic on its territory through the facilities of the FRA, its national signals-intelligence agency, so obviously Ericsson (and Juniper, which is an Ericsson division) can be ruled right out.

However, we don't have a single documented case of any of these things happening. In fact, the best documented telco core-network hack, the Vodafone Greece case, involved an Ericsson AXE10 switch and specifically the lawful-interception system, which is really a nonsecret backdoor into the switch for the cops and spooks to listen in. (And the iNodes in 21CN? They're AXE10s.) So it's quite possible that the security bureaucrats might be the cause of the security threat.

After all, they have Windows PCs in their offices. And they get hacked. By the Chinese. And they *do* have back-door access. Now, no-one knows who was behind the Vodafone Greece case, but we do know who is behind the vast majority of real information security breaches: non-state actors. But for some reason, there is a strange kind of cognitive bias against accepting the reality and agency of non-state actors. Just as a certain kind of government official cannot believe that guerrillas or terrorists can exist without the Dr Evil figure (Iran! Syria! Cuba! Canada!), they can't believe that their computers might get hacked by hackers. I've had to come back to this again and again and again.

The problem is, of course, that it involves believing that the little people have agency, intelligence, and skill. Here's some evidence from F-Secure; the malware used in the Tibetan spying operation is maintained by a group of hackers and is openly on sale (and some people say it's Swedish - didn't I tell you we can't trust those terrible Vikings?). Accepting that is an important political act, and it is absolutely necessary, both for effective security and in general to move beyond fear.

(Update: China Mobile isn't worried and trusts the French. And there is a metal band called Beyond Fear, which is almost as cool as Bruce Schneier.)
