year four

January 24th, 2009

This is the fourth anniversary of the weblog. If you look a couple of posts down you’ll see one about “year three”, meaning that I have not written much in the interim. Maybe my life’s boring, or maybe I lost the drive to share. Maybe I’m too busy, or not busy enough.

It’s the time of the PhD when people ask me what I plan to do next (as if the PhD is in the bag, which it isn’t). I say that I don’t know. This is the truth, not an attempt to weasel out of a lengthy discussion. The world is in the gutter, and who knows what will it look like in six months. Regarding my own short term future, I suppose that the best answer I can give is that I’ll go where the best opportunity is. (OK, I am weaseling here, because I’m not defining what kind of opportunity I’m after… I’ll leave it for some other time, though those who know me can probably guess ;)

As per tradition, I provide you with a picture of myself to cheer everyone up. This time I’m squinting and smirking at the Tatra mountains in Zakopane, Poland.

saar drimer at the Tatra mountains Poland

All the best to us all.

Tesco stories

December 28th, 2008

Today at Tesco I was walking towards a woman carrying bottles of wine between her arms, close to the chest. A few steps between us, one bottle slipped over her arm. I remember this in slow motion… I look at the bottle falling, then her face, she cringes. Then I go back to the bottle and it bounces once, then hits the linoleum again and shatters in a surprisingly small footprint. While I am observing this, I take a couple steps back so nothing hits me. We both look at each other, and the people around us, turn, and vanish into an aisle.

I went and got my own bottle of wine, and then at the till the oddest thing happened. I got carded.

Till (old) man: Can’t let you buy the wine without ID*.
Me: Wow. I’m 33.
Lady (packing) in front of me: You should take it as a compliment.
Me (to till man): Thanks. But I don’t carry ID**. I’m 33, really.
Till man: OK, you’ve got white hair, so I’ll let you have it <wink>.
Me (to myself): Now you’ve ruined it.

* Legal drinking/purchase of alcohol in the UK is 18!

** This will change soon. As a foreigner in this country I’m being used as a test subject for their new and pointless ID card effort. That’s another story, though, so I’ll leave it for now.

do you have to make it a disco?

December 10th, 2008

I break a near year-long silence for a rant. The restaurant was dimly-lit; a bit too dark, but manageable. Then, a group of about fifty thousand people came in to occupy the reserved table next to us; shoved a baby stroller next to me; prevented the waitress from accessing our table; and, finally, commenced to light up the place with their camera flashes.

The first ten flashes — each multiplied by plenty of mirrors it seemed — were tolerable. I was paying attention though, all ten were repeats because the picture just did not come out perfect enough. They were over doing it with the next ten I thought. So I asked one of the guys if they could stop it with the flashes… “b-b-but we’re having a party”… and I said “but you also need to be considerate to other people”.

Obviously, I wasn’t popular with that crowd but I don’t care… people who do not respect other people’s space should be told to tone it down when they overdo it.

year three

January 20th, 2008

“Side Channels” is three years old! It has been an interesting year, albeit with little blogging. One of the highlights of the past year was my four week trip to Brazil in April. Good food, weather, people. I visited Rio de Janeiro (Ilha Grande, Rio), Pernambuco (Recife, Ilha de Itamaracá, Porto de Galinhas), and Rio Grande do Sul (Porto Alegre, and the great town of Vacaria).

In Recife there is a very long beach stretch along a neighborhood called Boa Viagem. It is a popular destination, but used to be more so until the early 1990s, when ecosystem disruption due to development drove sharks to the Boa Viagem beaches. Shark attacks on humans have since become much more frequent. I found this sign interesting, as one rarely sees this kind of language on signs, and it was unexpected there in Brazil’s Northeast. Note that the Portuguese portion doesn’t evoke statistics and simply says “Danger: area susceptible to shark attacks.” (Presumably because it is common knowledge over there and the risks are well known.)

Bathers in this area are at greater than average risk of shark attack

don’t tase me, bro

December 3rd, 2007

In 1992, when I was 17, I traveled with my father to the US for a few weeks. We had a family friend living in Houston, whom we wanted to visit. He was away and due back a day or so after we arrived, so he gave my father the alarm access code so we could let ourselves in. We arrived at the house late at night, something went wrong with entering the code, and the alarm went off. Almost instinctively my dad rushed me to the car and we drove off to check into a motel for the night. My dad explained that we were likely to end up in jail if the police got to the house, regardless of our explanation. Back then I thought it was a bit extreme; surely we could reason our way out of it, like we would be able to back in Israel. Looking back at it, it was probably a reasonable choice given the circumstances.

Today, if we were caught, in addition to being arrested we would surely be additionally tased for bad measure. The near-daily news of people being tased for no good reason reminded me of my story above. Some taser cases and videos can be found on top hits from reddit on the topic; Andrew Meyer coined the “don’t tase me, bro” catch phrase while being tased after making a bit of a fuss asking John Kerry some questions; here’s the comic. Some people die after being tased, though the marketing says that the tool is supposed to be non-lethal. But when you give people a “non-lethal” alternative to verbally or physically dealing with other people, it is a natural outcome that it turns from an alternative into a norm. This is the situation today, with cops tasing without much thought, and it seems as though the chances of being tased are largely random, mostly depending on how the cop feels at the moment. With the general sense of paranoia and the justification that anything is permissible in the name of security and anti-terrorism, all you have to do is act out of the ordinary, like being slow to hand a cop your proof of insurance; Schneier calls this “The War on the Unexpected”.

This arbitrary taser treatment given by trigger-happy cops is scary, and certainly does not contribute to the general feeling of security it was meant to promote. The long term effect is the continuous erosion of trust in police and the “system” — not that it is in any good shape currently — which will be difficult to recover from even if tighter controls are placed on taser use. When this happens, the unintended consequence would be that police lose the “touch” of actually dealing with people, and even worse, they would use their lethal weapons (guns) more casually than before. I wouldn’t be surprised to hear in the near future of a case where a cop claims that he/she reached for the taser, but instead shot the poor speeder in the chest with a lethal bullet.

how to carry luggage with a bike

September 15th, 2007

Recently, I needed to carry a small suitcase with my bike. I always have some bungee cords attached to my bike for when I do grocery shopping. So instead of walking with the suitcase in one hand and the bike in the other, I did the following:

carry luggage with bike

You’ll need the suitcase’s wheels to be robust, so I would expect that this only works with quality brands; I went quite fast with mine without a problem. Another issue to be aware of is that the cords should be a bit loose so that the rigid handle poles don’t break; this also helps while turning.

ever tried buying NEW unwashed and untorn jeans?

August 16th, 2007

I guess I am un-cool, trying to purchase a pair of jeans that are NOT “pre-washed”, “pre-patterned”, and “pre-torn” (George Carlin comes to mind with all this excessive use of pre-whatever).

I have just returned from a 10 day trip to Boston, where I attended a conference and presented a paper (which won “Best Student Paper”!). One of the items on my shopping list was a new pair of jeans, as my previous ones are torn, patterned, and washed from real-life events. I wasn’t prepared for how difficult this would be.

Essentially, most jeans today come “pre-cooled”, which means that they have patterns on them that emulate heavy use and have torn bits which are “pre-patched”. When I confront “sales associates” with this issue they are a bit dazzled but soon realize that indeed, I am in a bit of a “situation”, as none of the jeans they have on offer answer to my unique requirements: jeans that look new! (Some “associates” said that this was the first time they had ever thought of this.)

I finally found a pair at Macy’s; it was not exactly the cut I was looking for, but I figured that if I want new jeans that look new, my options are incredibly limited.

good news first

July 30th, 2007

Good news: some nice days in Cambridge.


saar drimer on the way to grantchester

Bad news: I’m balding.

Limits to Knowledge: Malthus, Club of Rome, and Peak Oil

July 18th, 2007

(By guest blogger Philip)

I was just reading F.A. Hayek’s speech upon receiving the Nobel Prize for Economics in 1974 and he mentioned a book called Limits to Growth as a current (to 1974) mistake in the application of seemingly scientific method to complex economic phenomena. It led me to read about this book on Wikipedia and then, via Google, to a paper by Matthew R. Simmons called Club of Rome Revisited in which he attempts to rehabilitate the Club of Rome (widely panned in the years since) by showing how misguided its critics were and how correct its predictions were. I started to be more interested when I then browsed to Matthew Simmons’ site and found that he is a big proponent of Peak Oil. In fact he wrote a book I had heard plenty of but whose author’s name never stuck: Twilight in the Desert: The Coming Saudi Oil Shock and the World Economy. It is referenced a lot by a certain type of paranoiac on the market bear boards I frequent (don’t ask what that says about me).
It was crazy to read an intelligent man, Matthew Simmons, summarizing the gloom and doom predictions for the future and saying “jeez! they were right! look how good their math was!” When in fact, whether or not their predictions were right, what Hayek so eloquently debunked was their math. It was a bullet-proof debunking. They tried to apply simple math to complex social phenomena to get any sort of prediction. Can’t be done. Wait, I am wrong. It can and is done all the time. It can’t be done accurately or with any hope of scientific validity. Read Hayek’s paper if you want an eloquent explanation of why. What amazes me is that this man, Simmons, is not ignorant of Malthus. In the intro to his paper he strenuously distanced himself from the blindspots and errors of Malthus. He then did his best to channel Malthus. I’d say if his Peak Oil scam doesn’t work out he should set up a scam as a medium because I’d have been willing to believe he was communicating directly with the long-dead British doomsayer.
I suppose it is mean to call it a scam since he is a victim of the scam before he is a perpetrator. Malthus is already serving an eternal sentence in the Halls of Shame for popularizing it. But just because the Club of Rome used an early supercomputer to distance themselves from the bad math doesn’t make their results any less shamefully unscientific and inaccurate. And just because Simmons noted that their predictions of the world population in 2000 were pretty accurate doesn’t get him off the hook for failing to note that everything else they predicted was way off. But more importantly, the accuracy of their predictions does not in any way validate the methods used to generate them! If an accurate prediction is based on flawed analysis, is the prediction still correct? Only in the most useless sense, or to your balance with your bookie. The limit of what is knowable regarding the state of mind of the (accurately predicted) billions of individual actors in the world prevents math from being a tool to accurately predict the future of the world. As a phenomenon of organized complexity (see complex systems in Wikipedia) it is immune to this treatment. The complexity of human genius has allowed us to make a mockery of Malthus’ predictions of doom and exhaustion (though not his population numbers) and further to laugh at the well-intentioned but blinded-by-misapplied-science Club of Rome, and now I suspect that Peak Oil is the third act in Malthus’ original play “Oh My God We’re DOOMED! or How I Misapplied Science to Scare the Children.” It continues to embarrass the Keynesian central banks of the world and force senseless doublespeak from politicians and economists as they explain why their policies fail, their predictions are useless, and the unintended consequences of their actions dominate the intended ones. It just isn’t that kind of science. In closing, I hate you John Maynard Keynes =) =p

well, gee, thanks!

July 9th, 2007

studentuniverse.com sells cheap airline tickets for students. They also have a neat little bonus they give for free to every student who signs up!

For your protections we will not spam you

That’s like me demanding a medal for my good social conduct because I don’t go around randomly punching people in the face.

Well, thank you very much studentuniverse.com for protecting me from yourself and for practicing restraint with regard to your right to spam me and sell my information! It is also much appreciated that you are using my private information only for the purpose I am providing it for. (Link to the page imaged above.)

hamas has a sense of humor

June 16th, 2007

Hamas has taken over Gaza and the Rafiah border control station between it and Egypt, and took the time to stage one for comic relief (or not):

Hamas mocks TSA
(Reuters, source)

president shimon

June 14th, 2007

Yesterday, 84 year-old Shimon Peres was elected as the 9th president of Israel. He well deserves it (and so does Israel!), unlike his rapist predecessor, Moshe Katsav, a worthless imbecile who brought Israel only shame. Peres lost many of his political duels during his 65-year career as a politician, but he always kept on going, despite appearing pitiful; people commonly called him a “perpetual loser”. What’s better though, a person with an overly developed sense of pride, or someone who doesn’t give up fighting for what he believes?

Peres was always undervalued in Israel because intellect is not exactly seen as a pre-requisite for politicians there (and in many other places). Yossi Verter tells a joke about Peres:

So Shimon Peres comes out of a visit with the King of Thailand, according to the joke, and he goes to the local market and buys some elegant fabric. He takes it to a Thai tailor and asks him to make him a suit from it. The tailor looks at the fabric and says to him: I’m sorry - It’s only enough for a pair of pants, if that.

The next day he flies to London. He takes the fabric from Thailand to a top tailor. It’s enough for a sleeve at most, the tailor tells him.

That evening he’s in Paris and goes to see another tailor. Maybe I’ll be able to sew you a sock, the tailor says. Disappointed, Peres returns to Israel. On his way to party headquarters, he stops by his usual tailor on Lilienblum Street. Can you do something with this fabric, Peres asks. I’ll make you two suits, says the tailor. And an extra pair of pants.

Stupefied, Peres asks: How is it that abroad the fabric is hardly enough for anything while here you can sew me half a wardrobe out of it? That’s easy, replies the tailor, laughing. Abroad, you’re a giant.

So true.

how to operate a fragmentation grenade

June 6th, 2007

I remembered a story from my undergraduate days… one of those things you recall and can’t imagine doing again. I took a mandatory “technical writing” class in my junior year. I absolutely hated the professor (Tara M.), who seemed to hate anyone of my gender and was not afraid to show it through preferential treatment. The first words out of her mouth on the first day of class were “I am god, and you will do as I say.” “Yeah, that’s going to go well,” I remember thinking.

Towards the end of the term we had to give a 5 minute presentation on any topic we chose. This is peace-lovin’, hippie, lovey-dovey Santa Cruz, remember. I decided to give a presentation on types of hand grenades, how to throw them, and what to do if a fragmentation kind comes flying your way. I’m sure she (and possibly others) didn’t like me any better after that, but I was satisfied ;) I got a ‘B’ for the class and some respect from gamers. But I think that I learned the most from writing a three page formal complaint to the head of the department about her skills as a teacher. I’m not sure if that had anything to do with her leaving UCSC a couple of years later; google doesn’t show her teaching elsewhere. I suppose that “god” retired from teaching.

Some of the readers of this weblog can vouch for the accuracy of this story (some proof-read my letter ;) Now I am going to see if I still have it and the presentation somewhere.

respect for Bruce

May 21st, 2007

Willis.

For me, he just stepped out of the festering Hollywood swamp by saying something intelligent about his own, and fellow actors’, intelligence and cerebral capacity.

BRUCE WILLIS is fed up with listening to outspoken actors - and believes their opinion shouldn’t mean “jack shit” to the general public. The Die Hard star understands some of his colleagues want to do good for various causes, but wishes others would keep their thoughts to themselves. He says, “I don’t think my opinion means jack shit, because I’m an actor. “Why do actors think their opinions mean more because you act? You just caught a break as an actor. There are hundreds - thousands - of actors who are just as good as I am, and probably better. “Have you heard anything useful come out of an actor’s mouth lately?” He adds, “Although I liked George Clooney’s documentary on Darfur.”

(emphasis mine)

I should add that acting is not exactly a prerequisite for, or the strong side of, the “actors” Willis is talking about; you just have to be good looking and know who to sleep with, and when… which, I suppose, requires some talent, I’ll give them that.

Damn it, I love starting my day with a good rant! ;)

rambo

May 19th, 2007

Last night I happened to watch Rambo: First Blood. Of course, this is not the first time I’ve seen it, but it has been a while. The cruelty these vets suffered from the population upon their return always struck a chord with me. For the record, Rambo I is a good movie; it has what we would call today “moderate violence” and a decent message and dialog (unlike its successors). I dare say that even the acting was good. These were the times where they (Hollywood) had to produce a good script because they couldn’t distract the audience with visual effects like they do today.

Anyway, I remembered that as a child and young teenager, I was convinced that the Vietnam War was invented by the movie industry as a ruse to produce war movies. I think I had the notion of this “fake” war because I only heard about it in the movies. Then I grew up and found out the sad truth. In Israel, they didn’t teach us about these wars; we had plenty of our own.

first patent issued, finally

May 16th, 2007

The first patent I submitted while I was at Xilinx was finally awarded. It was frustrating to wait nearly four years for the system to process it, though. The patent system is kind of broken and bad patents do manage to go through, but this one was actually useful. We’ll see how long the other five I have in the pipeline take to be approved ;)

“Method of measuring the performance of a transceiver in a programmable logic device” (USPTO, PDF)

“what a piece of Acrobat!”

April 29th, 2007

Adobe does not like people using their product names as verbs, specifically, “photoshopping” is not allowed.

Trademarks are not verbs.
CORRECT: The image was enhanced using Adobe® Photoshop® software.
INCORRECT: The image was photoshopped.

(emphasis not mine)

Over the years I’ve grown to hate the bloated, often-crashing, slow going, Acrobat Reader. When my system (or browser) is slow, or not responding, the first thing I try is to kill the Acrobat process. That usually does the trick. It’s a poor product, to say the least.

So it occurred to me that as a response to their prohibition of the verbing of their product names, I’ll start using “Acrobat” in all sorts of new ways, like so:

“This product is a piece of Acrobat®!”
“I just Acrobatted myself. Acrobat®!”
“This plum tastes like Acrobat®.”
“He’s got Acrobats® for brains.”
“Get out of here, you Acrobatting® piece of Acrobat®”
“I Acrobat® you not!”

Got some more?

“no” is a perfectly acceptable answer

March 19th, 2007

Lately, I am increasingly annoyed with people assuming that a lack of an answer means a “no” when they are invited to do something. Well, it doesn’t! A lack of an answer means (surprise!) a lack of an answer. I’d much rather hear a “no, I won’t come to your lousy party even if you served the last drink on earth” than a silent cop-out. At least then I know where I stand.

People are embarrassed/shy/uncomfortable saying “no” in general, for some odd reason. Delaying a “no”, or not giving it at all, hoping that everything will just magically go away — like kids closing their eyes assuming no one can see them anymore — is disrespectful of the other person’s time and effort. Yes, I believe that saying “no” is a sign of respect second only to a “yes”, of course (unless it is a “courtesy invite”, but that’s another matter), while a non-answer is, you guessed it, insulting.

I don’t require a reason. I don’t care. Why do people feel obliged to give an (often made-up and unimaginative) excuse to weasel out of something they don’t want to do? I long for the day when I can comfortably say “Nah, don’t feel like it” (those who know me already know that I often do it anyway, but it is socially unacceptable and considered impolite, especially around relative strangers, and I end up looking like a weirdo).

So, for those of you who interact with me… say “no” without the excuse and I promise to never-ever-ever-ever be insulted or ask why. But for goodness sake, do it quickly.

journalism honesty

February 24th, 2007

The Times is a pretty popular newspaper here (I always have to ask the locals, since there are so many). A couple of weeks ago, subsequent to our Chip & PIN relay attack, I got a call from a journalist regarding the use of Chip & PIN cards in petrol (gas!) stations (there has been a surge of fraud lately, particularly in these shops). This is the resulting article, with my quote below:

Saar Drimer, a security expert and researcher at Cambridge University, also said he had stopped using his cards at petrol stations. “The more we look into the ways that you could be defrauded, the more worrying it becomes. Cash is always better to use because there is no record and you’re not giving away any of your secrets,” he said.

After talking to the guy I learned that he first called Steven, who refused to spoon feed him the quote that he was after. Namely, “I recommend people not use Chip & PIN cards at petrol stations.” Then, he called me, the media novice. I told him many things, among them that I don’t own a car and therefore, I don’t use petrol stations. He then massaged the questions such that I gave him the above (general) quote, which he wrapped in an untrue preamble. Ah, well, I should have known.

One of the things I told him was that I wouldn’t use those stand-alone ATMs because they are easier to manipulate (attachments or complete fakes, etc.); a point he wanted me to elaborate on. However, that may have put him in a bind, because his point was that people should use cash in stations, but where would they get it? From the station’s ATM…

Anyway, next time a journalist type calls I’ll cut the bullshit and ask him what exact quote he is after and see if I am comfortable saying it. Someone suggested that next time I should write it down for him so there are no mistakes, and that’s what press releases are for. Lesson learnt ;)

“I’ve got a customer”

February 10th, 2007

A few weeks ago Steven J. Murdoch and I released a video of a Chip & PIN terminal playing Tetris (YouTube version). Back then, I alluded to the fact that this was just a small part of something grander. We were working on an experiment that showed a particular vulnerability Chip & PIN is prone to. This is important because banks now maintain that if the PIN was used, then the customers must prove they were not negligent, which is impossible (given that they do not have access to the evidence and have no way to show that no one has been looking over their shoulder, for example). Therefore, since there is at least one way of defrauding customers who clearly have not been negligent with their PIN, such customers should be reimbursed.

saar drimer, steven murdoch on watchdog bbc1

Anyway, there is a somewhat technical article on ZDNet, with more info here, and Steven dissecting an insulting response from the Financial Ombudsman Service to a customer who seeks to know on what grounds he has been refused a refund.

What was missing from the media hype over this is what is included in the academic paper. In it, not only do we describe the attack in detail, including background, we also describe and implement a defense against it called “distance bounding”, which is the main contribution.

In addition, we spilled the beans on prime-time TV here on the island’s BBC1, in a program called “Watchdog”, which is a popular and long-running consumer-watch program. This was quite an experience and I learned a lot from it. We spent about 11 hours with the crew, with the outcome of about 2 minutes of us appearing and a not-so-clear representation of the attack. Sigh. Before all this, I thought TV was evil; let’s just say I have not changed my mind.

I cannot post the video publicly (it would probably infringe on someone’s rights) but if you’d like to see yours truly say the line in the heading of this post on TV, email me at <first name><last name>@gmail.com.

UPDATE: Someone has posted the segment on YouTube, here. If you want a better quality version, email me.