From Tim Greene’s “Black Hat set to expose new attacks” (Network World: 27 July 2009):

Black Hat USA 2009, considered a premier venue for publicizing new exploits with an eye toward neutralizing them, is expected to draw thousands to hear presentations from academics, vendors and private crackers.

For instance, one talk will demonstrate that if attackers can plug into an electrical socket near a computer or draw a bead on it with a laser they can steal whatever is being typed in. How to execute this attack will be demonstrated by Andrea Barisani and Daniele Bianco, a pair of researchers for network security consultancy Inverse Path.

Attackers grab keyboard signals that are generated by hitting keys. Because the data wire within the keyboard cable is unshielded, the signals leak into the ground wire in the cable, and from there into the ground wire of the electrical system feeding the computer. Bit streams generated by the keyboards that indicate what keys have been struck create voltage fluctuations in the grounds, they say.

Attackers extend the ground of a nearby power socket and attach to it two probes separated by a resistor. The voltage difference and the fluctuations in that difference – the keyboard signals – are captured from both ends of the resistor and converted to letters.

This method would not work if the computer were unplugged from the wall, such as a laptop running on its battery. A second attack can prove effective in this case, Bianco’s and Barisani’s paper says.

Attackers point a cheap laser at a shiny part of a laptop or even an object on the table with the laptop. A receiver is aligned to capture the reflected light beam and the modulations that are caused by the vibrations resulting from striking the keys.

Analyzing the sequences of individual keys that are struck and the spacing between words, the attacker can figure out what message has been typed. Knowing what language is being typed is a big help, they say.

From Robert McMillan’s “Security certificate warnings don’t work, researchers say” (IDG News Service: 27 July 2009):

In a laboratory experiment, researchers found that between 55 percent and 100 percent of participants ignored certificate security warnings, depending on which browser they were using (different browsers use different language to warn their users).

…

The researchers first conducted an online survey of more than 400 Web surfers, to learn what they thought about certificate warnings. They then brought 100 people into a lab and studied how they surf the Web.

They found that people often had a mixed-up understanding of certificate warnings. For example, many thought they could ignore the messages when visiting a site they trust, but that they should be more wary at less-trustworthy sites.

…

In the Firefox 3 browser, Mozilla tried to use simpler language and better warnings for bad certificates. And the browser makes it harder to ignore a bad certificate warning. In the Carnegie Mellon lab, Firefox 3 users were the least likely to click through after being shown a warning.

The researchers experimented with several redesigned security warnings they’d written themselves, which appeared to be even more effective.…

Still, Sunshine believes that better warnings will help only so much. Instead of warnings, browsers should use systems that can analyze the error messages. “If those systems decide this is likely to be an attack, they should just block the user altogether,” he said.

photo credit: Oude School

From John Cloud’s “Why Girls Have BFFs and Boys Hang Out in Packs” (TIME: 17 July 2009):

For the better part of the past half-century, feminists, their opponents and armies of academics have debated the differences between men and women. Only in the past few years have scientists been able to use imaging technology to look inside men’s and women’s heads to investigate whether those stereotypical gender differences have roots in the brain. No concrete results have emerged from these studies yet, but now a new functional magnetic resonance imaging (fMRI) study of children offers at least one explanation for some common tween social behaviors: girls are hardwired to care about one-on-one relationships with their BFFs (best friends forever), while the brains of boys are more attuned to group dynamics and competition with other boys.

The study, conducted by researchers at the National Institute of Mental Health (NIMH) and Georgia State University, begins with a premise that every parent of a tween knows: as kids emerge into puberty, their focus changes dramatically. They care less about their families and more about their peers.

So what’s actually going on inside these young brains?

…

The results suggest that as girls progress from early puberty to late adolescence, certain regions of their brains become more active when they face a potential social interaction. Specifically, when an older girl anticipates meeting someone new — someone she believes will be interested in her — her nucleus accumbens (which is associated with reward and motivation), hypothalamus (associated with hormone secretion), hippocampus (associated with social learning) and insula (associated with subjective feelings) all become more active. By contrast, boys in the same situation show no such increase in activity in these areas. In fact, the activity in their insula actually declines.

Boys, it seems, aren’t as interested in one-on-one interactions as girls are. Previous research has shown that male adolescents instead become more focused on competition within larger groups (like between sports teams). Perhaps it’s evidence that evolution has programmed boys to compete within large groups, so they can learn to eliminate rivals for women — and that girls have been programmed to judge, one-on-one, who would be the most protective father for offspring.

From Robert Darnton’s “Google & the Future of Books” (The New York Review of Books: 12 February 2009):

As the Enlightenment faded in the early nineteenth century, professionalization set in. You can follow the process by comparing the Encyclopédie of Diderot, which organized knowledge into an organic whole dominated by the faculty of reason, with its successor from the end of the eighteenth century, the Encyclopédie méthodique, which divided knowledge into fields that we can recognize today: chemistry, physics, history, mathematics, and the rest. In the nineteenth century, those fields turned into professions, certified by Ph.D.s and guarded by professional associations. They metamorphosed into departments of universities, and by the twentieth century they had left their mark on campuses…

Along the way, professional journals sprouted throughout the fields, subfields, and sub-subfields. The learned societies produced them, and the libraries bought them. This system worked well for about a hundred years. Then commercial publishers discovered that they could make a fortune by selling subscriptions to the journals. Once a university library subscribed, the students and professors came to expect an uninterrupted flow of issues. The price could be ratcheted up without causing cancellations, because the libraries paid for the subscriptions and the professors did not. Best of all, the professors provided free or nearly free labor. They wrote the articles, refereed submissions, and served on editorial boards, partly to spread knowledge in the Enlightenment fashion, but mainly to advance their own careers.

The result stands out on the acquisitions budget of every research library: the Journal of Comparative Neurology now costs $25,910 for a year’s subscription; Tetrahedron costs $17,969 (or $39,739, if bundled with related publications as a Tetrahedron package); the average price of a chemistry journal is $3,490; and the ripple effects have damaged intellectual life throughout the world of learning. Owing to the skyrocketing cost of serials, libraries that used to spend 50 percent of their acquisitions budget on monographs now spend 25 percent or less. University presses, which depend on sales to libraries, cannot cover their costs by publishing monographs. And young scholars who depend on publishing to advance their careers are now in danger of perishing.

…

The eighteenth-century Republic of Letters had been transformed into a professional Republic of Learning, and it is now open to amateurs—amateurs in the best sense of the word, lovers of learning among the general citizenry. Openness is operating everywhere, thanks to “open access” repositories of digitized articles available free of charge, the Open Content Alliance, the Open Knowledge Commons, OpenCourseWare, the Internet Archive, and openly amateur enterprises like Wikipedia. The democratization of knowledge now seems to be at our fingertips. We can make the Enlightenment ideal come to life in reality.

…

What provoked these jeremianic- utopian reflections? Google. Four years ago, Google began digitizing books from research libraries, providing full-text searching and making books in the public domain available on the Internet at no cost to the viewer. For example, it is now possible for anyone, anywhere to view and download a digital copy of the 1871 first edition of Middlemarch that is in the collection of the Bodleian Library at Oxford. Everyone profited, including Google, which collected revenue from some discreet advertising attached to the service, Google Book Search. Google also digitized an ever-increasing number of library books that were protected by copyright in order to provide search services that displayed small snippets of the text. In September and October 2005, a group of authors and publishers brought a class action suit against Google, alleging violation of copyright. Last October 28, after lengthy negotiations, the opposing parties announced agreement on a settlement, which is subject to approval by the US District Court for the Southern District of New York.[2]

The settlement creates an enterprise known as the Book Rights Registry to represent the interests of the copyright holders. Google will sell access to a gigantic data bank composed primarily of copyrighted, out-of-print books digitized from the research libraries. Colleges, universities, and other organizations will be able to subscribe by paying for an “institutional license” providing access to the data bank. A “public access license” will make this material available to public libraries, where Google will provide free viewing of the digitized books on one computer terminal. And individuals also will be able to access and print out digitized versions of the books by purchasing a “consumer license” from Google, which will cooperate with the registry for the distribution of all the revenue to copyright holders. Google will retain 37 percent, and the registry will distribute 63 percent among the rightsholders.

Meanwhile, Google will continue to make books in the public domain available for users to read, download, and print, free of charge. Of the seven million books that Google reportedly had digitized by November 2008, one million are works in the public domain; one million are in copyright and in print; and five million are in copyright but out of print. It is this last category that will furnish the bulk of the books to be made available through the institutional license.

Many of the in-copyright and in-print books will not be available in the data bank unless the copyright owners opt to include them. They will continue to be sold in the normal fashion as printed books and also could be marketed to individual customers as digitized copies, accessible through the consumer license for downloading and reading, perhaps eventually on e-book readers such as Amazon’s Kindle.

After reading the settlement and letting its terms sink in—no easy task, as it runs to 134 pages and 15 appendices of legalese—one is likely to be dumbfounded: here is a proposal that could result in the world’s largest library. It would, to be sure, be a digital library, but it could dwarf the Library of Congress and all the national libraries of Europe. Moreover, in pursuing the terms of the settlement with the authors and publishers, Google could also become the world’s largest book business—not a chain of stores but an electronic supply service that could out-Amazon Amazon.

An enterprise on such a scale is bound to elicit reactions of the two kinds that I have been discussing: on the one hand, utopian enthusiasm; on the other, jeremiads about the danger of concentrating power to control access to information.

…

Google is not a guild, and it did not set out to create a monopoly. On the contrary, it has pursued a laudable goal: promoting access to information. But the class action character of the settlement makes Google invulnerable to competition. Most book authors and publishers who own US copyrights are automatically covered by the settlement. They can opt out of it; but whatever they do, no new digitizing enterprise can get off the ground without winning their assent one by one, a practical impossibility, or without becoming mired down in another class action suit. If approved by the court—a process that could take as much as two years—the settlement will give Google control over the digitizing of virtually all books covered by copyright in the United States.

…

Google alone has the wealth to digitize on a massive scale. And having settled with the authors and publishers, it can exploit its financial power from within a protective legal barrier; for the class action suit covers the entire class of authors and publishers. No new entrepreneurs will be able to digitize books within that fenced-off territory, even if they could afford it, because they would have to fight the copyright battles all over again. If the settlement is upheld by the court, only Google will be protected from copyright liability.

Google’s record suggests that it will not abuse its double-barreled fiscal-legal power. But what will happen if its current leaders sell the company or retire? The public will discover the answer from the prices that the future Google charges, especially the price of the institutional subscription licenses. The settlement leaves Google free to negotiate deals with each of its clients, although it announces two guiding principles: “(1) the realization of revenue at market rates for each Book and license on behalf of the Rightsholders and (2) the realization of broad access to the Books by the public, including institutions of higher education.”

What will happen if Google favors profitability over access? Nothing, if I read the terms of the settlement correctly. Only the registry, acting for the copyright holders, has the power to force a change in the subscription prices charged by Google, and there is no reason to expect the registry to object if the prices are too high. Google may choose to be generous in it pricing, and I have reason to hope it may do so; but it could also employ a strategy comparable to the one that proved to be so effective in pushing up the price of scholarly journals: first, entice subscribers with low initial rates, and then, once they are hooked, ratchet up the rates as high as the traffic will bear.

From Timothy Noah’s “Why No More 9/11s?: An interactive inquiry about why America hasn’t been attacked again” (Slate: 5 March 2009):

… I spent the Obama transition asking various terrorism experts why the dire predictions of a 9/11 sequel proved untrue and reviewing the literature on this question. The answers boiled down to eight prevailing theories whose implications range from fairly reassuring to deeply worrying.

…

I. The Terrorists-Are-Dumb Theory

…

“Acts of terrorism almost never appear to accomplish anything politically significant,” prominent game theorist Thomas C. Schelling observed nearly two decades ago. Max Abrahms, a pre-doctoral fellow at Stanford’s Center for International Security and Cooperation, reaffirmed that conclusion in a 2006 paper for International Security titled, “Why Terrorism Does Not Work.” Abrahms researched 28 groups designated “foreign terrorist organizations” by the U.S. State Department since 2001, identifying among them a total of 42 objectives. The groups achieved those objectives only 7 percent of the time, Abrahms concluded, and the key variable for success was whether they targeted civilians. Groups that attacked civilian targets more often than military ones “systematically failed to achieve their policy objectives.”

In a 2008 follow-up essay, “What Terrorists Really Want,” Abrahms explained that terrorist groups are typically incapable of maintaining a consistent set of strategic goals, much less achieving them. Then why do they become terrorists? To “develop strong affective ties with fellow terrorists.” It’s fraternal bonds they want, not territory, nor influence, nor even, in most cases, to affirm religious beliefs. If a terrorist group’s demands tend to sound improvised, that’s because they are improvised; what really matters to its members—even its leaders—is that they are a band of brothers. Marc Sageman, a forensic psychiatrist and former Central Intelligence Agency case officer in Afghanistan, collected the biographies of 400 terrorists who’d targeted the United States. He found that fully 88 percent became terrorists not because they wanted to change the world but because they had “friendship/family bonds to the jihad.” Among the 400, Sageman found only four who had “any hint of a [psychological] disorder,” a lower incidence than in the general population. Think the Elks, only more lethal. Cut off from al-Qaida’s top leadership, they are plenty dangerous, but not nearly as task-oriented as we imagine them to be.

II. The Near-Enemy Theory

…

Jihadis speak of the “near enemy” (apostate regimes in and around the Middle East) and the “far enemy” (the United States and the West generally). The man credited with coining these terms, Mohammed Abd al-Salam Faraj, did so largely to emphasize that it was much more important to attack the near enemy, a principle he upheld by organizing the 1981 assassination of Egyptian President Anwar Sadat. (The Egyptian government affirmed the same principle in executing Faraj.) In 1993, a militant Egyptian group called al-Gama’a al-Islamiyya (”the Islamic Group”), which had extensive ties to al-Qaida, broke with the “near enemy” strategy and bombed the World Trade Center. In 1996, al-Qaida followed suit and formally turned its attention to the far enemy. But according to Fawaz A. Gerges, an international affairs professor at Sarah Lawrence and author of The Far Enemy: Why Jihad Went Global, other jihadist groups around the world never really bought into this shift in priorities. Even al-Gama’a al-Islamiyya had by late 1999 declared a cease-fire, a move that outraged its incarcerated spiritual leader, Omar Abdel-Rahman (”the blind sheikh”) and caused the group to splinter. With the 9/11 attacks, Bin Laden hoped to rally jihadis outside al-Qaida’s orbit to join the battle against the far enemy. Instead, he scared them off.

III. The Melting-Pot Theory

In the absence of other evidence, we must conclude that inside the United States, homegrown, al-Qaida-inspired terrorist conspiracy-mongering seldom advances very far.

That record stands in stark contrast to that of the United Kingdom, which since 9/11 has incubated several very serious terrorism plots inspired or directed by al-Qaida. … Even when it isn’t linked directly to terrorism, Muslim radicalism seems more prevalent—and certainly more visible—inside the United Kingdom, and in Western Europe generally, than it is inside the United States.

Why the difference? Economics may be one reason. American Muslims are better-educated and wealthier than the average American. In Europe, they are poorer and less well-educated than the rest of the population—in Germany, only about 10 percent of the Turkish population attends college. The United States has assimilated Muslims into its society more successfully than Western Europe—and over a longer period. Arabs began migrating to the United States in great numbers during the second half of the 19th century. Western Europe’s Arab migration didn’t start until after World War II, when many arrived as guest workers. In Germany and France, a great many Muslims live in housing projects segregated from the rest of the population. In the United States, Muslims are dispersed more widely. An exception would be Detroit, which has a large Muslim community but not an impoverished one.

…

The relative dearth of Islamist radicalism in the United States is at least as much a function of American demographics as it is of American exceptionalism. Muslims simply loom smaller in the U.S. population than they do in the populations of many Western European countries. Muslims account for roughly 3 percent of the population in the United Kingdom, 4 percent in Germany, and 9 percent in France. In the United States, they’re closer to 1 percent and are spread over a much larger geographic area. As both immigrants and descendants of immigrants, Muslims are far outnumbered in the United States by Latinos. It’s quite different in Western Europe. Muslims represent the largest single immigrant group in France, Germany, Belgium, the Netherlands (where they constitute a majority of all immigrants), and the United Kingdom (where they constitute a plurality of all immigrants).

Somewhere between one-quarter to one-half of U.S. Muslims are African-American. Historically, American-born black Muslims have felt little kinship with Arab and foreign-born Muslims, and while al-Qaida has sought to recruit black Muslims, “there’s no sign” they’ve met with any success, according to Laurence. … Among foreign-born Muslims in the United States, nearly one-quarter are Shiite—many of them refugees from the 1979 Iranian revolution—and therefore harbor little sympathy for al-Qaida’s Sunni following. Europe’s Muslim population, by contrast, is overwhelmingly Sunni, hailing typically in France from Algeria and Morocco; in Germany from Turkey; and in the United Kingdom from Pakistan and the subcontinent.

…

All right, then. American Muslims are disinclined to commit acts of terror inside the United States. Why don’t American non-Muslims pick up the slack?

Actually, they do. In April 1995 Timothy McVeigh and Terry Nichols bombed a federal building in Oklahoma City, killing 168 people and injuring 500 more. In April 1996, Ted Kaczynski, the “Unabomber,” was arrested for killing three people and wounding 22 others. In July 1996, a former Army explosives expert named Eric Rudolph set off a bomb at the Olympics in Atlanta, killing one person and injuring 11; later, he set off bombs at two abortion clinics and a nightclub frequented by gay men and women, killing a security guard* and injuring 12 others. In September and October 2001, somebody sent anthrax spores to media outlets and government offices, killing five people. The FBI believes it was an Army scientist named Bruce Ivins who killed himself as the investigation closed in on him. These are just the incidents everybody’s heard of. The point is that domestic terrorism inside the United States is fairly routine. The FBI counted 24 terror incidents inside the United States between 2002 and 2005; all but one were committed by American citizens.

…

IV. The Burden-Of-Success Theory

…

In fact, the likelihood of nuclear terrorism isn’t that great. Mueller points out that Russian “suitcase bombs,” which figure prominently in discussions about “loose nukes,” were all built before 1991 and ceased being operable after three years. Enriched uranium is extremely difficult to acquire; over the past decade, Mueller argues, there were only 10 known thefts. The material stolen weighed a combined 16 pounds, which was nowhere near the amount needed to build a bomb. Once the uranium is acquired, building the weapon is simple in theory (anti-nuclear activist Howard Morland published a famous 1979 article about this in the Progressive) but quite difficult in practice, which is why entire countries have had to work decades to acquire the bomb, only sometimes meeting with success. (Plutonium, another fissile material, is sufficiently dangerous and difficult to transport that nonproliferation experts seldom discuss it.)

…

V. The Flypaper Theory

The 9/11 attacks led to a U.S. invasion of Afghanistan, whose Taliban regime was sheltering al-Qaida. That made sense. Then it led to a U.S. invasion of Iraq. That made no sense. The Bush administration claimed that Iraq’s Saddam Hussein had close ties to al-Qaida. This was based on:

a) allegations made by an American Enterprise Institute scholar named Laurie Mylroie, later discredited;

b) an al-Qaida captive’s confession under threat of torture to Egyptian authorities, later retracted;

c) a false report from Czech intelligence about a Prague meeting between the lead 9/11 hijacker, Mohamed Atta, and an Iraqi intelligence agent;

d) Defense Secretary Donald Rumsfeld’s zany complaint at a Sept. 12, 2001, White House meeting that “there aren’t any good targets in Afghanistan, and there are lots of good targets in Iraq”;

and

e) certain Oedipal preoccupations of President George W. Bush.

…

VI. The He-Kept-Us-Safe Theory

…

A White House fact sheet specifies six terror plots “prevented in the United States” on Bush’s watch:

• an attempt to bomb fuel tanks at JFK airport,
• a plot to blow up airliners bound for the East Coast,
• a plan to destroy the tallest skyscraper in Los Angeles,
• a plot by six al-Qaida-inspired individuals to kill soldiers at Fort Dix Army Base in New Jersey,
• a plan to attack a Chicago-area shopping mall using grenades,
• a plot to attack the Sears Tower in Chicago.

The Bush administration deserves at least some credit in each of these instances, but a few qualifications are in order. The most serious terror plot listed was the scheme to blow up airliners headed for the East Coast. That conspiracy, halted in its advanced stages, is why you aren’t allowed to carry liquids and gels onto a plane. As noted in “The Melting-Pot Theory,” it originated in the United Kingdom, which took the lead in the investigation. (The undercover agent who infiltrated the terror group was British.) We also learned in “The Melting-Pot Theory” that the plan to bring down the Sears Tower was termed by the Federal Bureau of Investigation’s deputy director “more aspirational than operational” and that the prosecution ended in a mistrial.

The JFK plot was unrelated to al-Qaida and so technically infeasible that the New York Times, the airport’s hometown newspaper, buried the story on Page A37. The attack on the Library Tower in Los Angeles was planned in October 2001 by 9/11’s architect, Khalid Sheikh Mohammed, who recruited volunteers from South Asia to fly a commercial jetliner into the building. But Michael Scheuer, a veteran al-Qaida expert who was working at the Central Intelligence Agency in 2002, when the arrests were made, told the Voice of America that he never heard about them, and a U.S. government official told the Los Angeles Times that the plot never approached the operational stage. Moreover, as the story of United Flight 93 demonstrated, the tactic of flying passenger planes into buildings—which depended on passengers not conceiving of that possibility—didn’t remain viable even through the morning of 9/11 (”Let’s roll”).

The Fort Dix plot was inspired by, but not directed by, al-Qaida. The five Muslim conspirators from New Jersey, convicted on conspiracy charges in December, watched jihadi videos. They were then foolish enough not only to make one of their own but to bring the tape to Circuit City for transfer to DVD. A teenage clerk tipped off the FBI, which infiltrated the group, sold them automatic weapons, and busted them. The attempted grenade attack on the CherryVale Mall in suburban Chicago was similarly inspired but not directed by al-Qaida. In this instance, the conspirators numbered only two, one of whom was an FBI informant. The other guy was arrested when an undercover FBI agent accepted his offer to trade two stereo speakers for four grenades and a gun. He is now serving a life sentence.

…

VIII. The Time-Space Theory

The RAND Corp. is headquartered in a blindingly white temple of reason a few blocks from the Pacific Ocean in Santa Monica, Calif. It was here—or rather, next door, in the boxy international-style offices it inhabited for half a century before moving four years ago into a new $100 million structure—that America’s Cold War nuclear strategy of “mutual assured destruction” was dreamed up. Also, the Internet. Created by the Air Force in 1948, the nonprofit RAND would “invent a whole new language in [its] quest for rationality,” Slate’s Fred Kaplan wrote in his 1983 book The Wizards of Armageddon.

RAND is the cradle of rational-choice theory, a rigorously utilitarian mode of thought with applications to virtually every field of social science. Under rational-choice theory, belief systems, historical circumstances, cultural influences, and other nonrational filigree must be removed from consideration in calculating the dynamics of human behavior. There exists only the rational and orderly pursuit of self-interest. It is the religion that governs RAND. …

Lakdawalla and RAND economist Claude Berrebi are co-authors of “How Does Terrorism Risk Vary Across Space and Time?” a 2007 paper.

…

One goal inherent in the 9/11 attacks was to do harm to the United States. In “The Terrorists-Are-Dumb Theory” and “The Melting-Pot Theory,” we reviewed the considerable harm that the furious U.S. response to 9/11 caused al-Qaida. But that response harmed the United States, too. Nearly 5,000 U.S. troops have died in Iraq and Afghanistan, and more than 15,000 have come home wounded. More than 90,000 Iraqi civilians have been killed and perhaps as many as 10,000 Afghan civilians; in Afghanistan, where fighting has intensified, more than 2,000 civilians died just in the past year. “In Muslim nations, the wars in Afghanistan and particularly Iraq have driven negative ratings [of the United States] nearly off the charts,” the Pew Global Attitudes Project reported in December. Gallup polls conducted between 2006 and 2008 found approval ratings for the U.S. government at 15 percent in the Middle East, 23 percent in Europe, and 34 percent in Asia. To be sure, civilian casualties have harmed al-Qaida’s standing, too, as I noted in “The Terrorists-Are-Dumb Theory.” But to whatever extent al-Qaida hoped to reduce the United States’ standing in the world, and especially in the Middle East: Mission accomplished.

…

Rational-choice theory is most at home with economics, and here the costs are more straightforward. In March 2008, the Nobel Prize-winning economist Joseph Stiglitz, and Linda Bilmes of Harvard’s Kennedy School of Government, put the Iraq war’s cost at $3 trillion. In October 2008, the Congressional Research Service calculated, more conservatively, an additional $107 billion for the Afghanistan war and another $28 billion for enhanced homeland security since 9/11. According to CRS, for every soldier the United States deploys in Iraq or Afghanistan, the taxpayer spends $390,000. Let me put that another way. Sending a single soldier to Iraq or Afghanistan costs the United States nearly as much as the estimated $500,000 it cost al-Qaida to conduct the entire 9/11 operation. Not a bad return on Bin Laden’s investment, Berrebi says. President Bush left office with a budget deficit of nearly $500 billion, and that’s before most of the deficit spending that most economists think will be required to avoid another Great Depression even begins.

From Adam St. Patrick’s “Chop Chop Square: Inside Saudi Arabia’s brutal justice system” (The Walrus: May 2009):

This is Saudi Arabia, one of the last places on earth where capital punishment is a public spectacle. Decapitation awaits murderers, but the death penalty also applies to many other crimes, such as armed robbery, rape, adultery, drug use and trafficking, and renouncing Islam. There’s a woman on death row now for witchcraft, and the charge is based partly on a man’s accusation that her spell made him impotent. Saudi Arabia executed some 1,750 convicts between 1985 and 2008, yet reliable information about the practice is scarce. In Riyadh, beheadings happen at 9 a.m. any given day of the week, and there is no advance notice. There is also no written penal code, so questions of illegality depend on the on-the-spot interpretations of police and judges.

… The Saudi interpretation of the Koran discourages all forms of evidence other than confessions and eyewitness accounts in capital trials, on the theory that doing otherwise would leave too much discretion to the judge. But at any time until the sword strikes, a victim’s family can pardon the condemned — usually for a cash settlement of at least two million riyals ($690,000 or so) from the convict or his family.

…

Many who live to recount their experience in the Saudi justice system report that police promised freedom in exchange for a confession — or tortured them to get one.

In Riyadh, beheadings take place in a downtown public square equipped with a drain the size of a pizza box in its centre. Expatriates call it Chop Chop Square. … The job is a coveted one, often passed from father to son. In a Lebanese TV clip now on YouTube, a Saudi executioner shows off his swords and describes his approach: “If the heart is compassionate, the hand fails.”

From David Becker’s “Hitachi Develops RFID Powder” (Wired: 15 February 2007):

[Hitachi] recently showed a prototype of an RFID chip measuring a .05 millimeters square and 5 microns thick, about the size of a grain of sand. They expect to have ‘em on the market in two or three years.

The chips are packed with 128 bits of static memory, enough to hold a 38-digit ID number.

The size make the new chips ideal for embedding in paper, where they could verify the legitimacy of currency or event tickets. Implantation under the skin would be trivial…

photo credit: sleepymyf

2005

From Brian Krebs’ “Leaving Las Vegas: So Long DefCon and Blackhat” (The Washington Post: 1 August 2005):

DefCon 13 also was notable for being the location where two new world records were set — both involved shooting certain electronic signals unprecedented distances. Los Angeles-based Flexilis set the world record for transmitting data to and from a “passive” radio frequency identification (RFID) card — covering a distance of more than 69 feet. (Active RFID — the kind being integrated into foreign passports, for example — differs from passive RFID in that it emits its own magnetic signal and can only be detected from a much shorter distance.)

…

The second record set this year at DefCon was pulled off by some teens from Cincinnati, who broke the world record they set last year by building a device capable of maintaining an unamplified, 11-megabit 802.11b wireless Internet connection over a distance of 125 miles (the network actually spanned from Utah into Nevada).

From Andrew Brandt’s “Black Hat, Lynn Settle with Cisco, ISS” (PC World: 29 July 2005):

Security researcher Kevin Mahaffey makes a final adjustment to a series of radio antennas; Mahaffey used the directional antennas in a demonstration during his presentation, “Long Range RFID and its Security Implications.” Mahaffey and two of his colleagues demonstrated how he could increase the “read range” of radio frequency identification (RF) tags from the typical four to six inches to approximately 50 feet. Mahaffey said the tags could be read at a longer distance, but he wanted to perform the demonstration in the room where he gave the presentation, and that was the greatest distance within the room that he could demonstrate. RFID tags such as the one Mahaffey tested will begin to appear in U.S. passports later this year or next year.

2006

From Joris Evers and Declan McCullagh’s “Researchers: E-passports pose security risk” (CNET: 5 August 2006):

At a pair of security conferences here, researchers demonstrated that passports equipped with radio frequency identification (RFID) tags can be cloned with a laptop equipped with a $200 RFID reader and a similarly inexpensive smart card writer. In addition, they suggested that RFID tags embedded in travel documents could identify U.S. passports from a distance, possibly letting terrorists use them as a trigger for explosives.

At the Black Hat conference, Lukas Grunwald, a researcher with DN-Systems in Hildesheim, Germany, demonstrated that he could copy data stored in an RFID tag from his passport and write the data to a smart card equipped with an RFID chip.

From Kim Zetter’s “Hackers Clone E-Passports” (Wired: 3 August 2006):

In a demonstration for Wired News, Grunwald placed his passport on top of an official passport-inspection RFID reader used for border control. He obtained the reader by ordering it from the maker — Walluf, Germany-based ACG Identification Technologies — but says someone could easily make their own for about $200 just by adding an antenna to a standard RFID reader.

He then launched a program that border patrol stations use to read the passports — called Golden Reader Tool and made by secunet Security Networks — and within four seconds, the data from the passport chip appeared on screen in the Golden Reader template.

Grunwald then prepared a sample blank passport page embedded with an RFID tag by placing it on the reader — which can also act as a writer — and burning in the ICAO layout, so that the basic structure of the chip matched that of an official passport.

As the final step, he used a program that he and a partner designed two years ago, called RFDump, to program the new chip with the copied information.

The result was a blank document that looks, to electronic passport readers, like the original passport.

Although he can clone the tag, Grunwald says it’s not possible, as far as he can tell, to change data on the chip, such as the name or birth date, without being detected. That’s because the passport uses cryptographic hashes to authenticate the data.

…

Grunwald’s technique requires a counterfeiter to have physical possession of the original passport for a time. A forger could not surreptitiously clone a passport in a traveler’s pocket or purse because of a built-in privacy feature called Basic Access Control that requires officials to unlock a passport’s RFID chip before reading it. The chip can only be unlocked with a unique key derived from the machine-readable data printed on the passport’s page.

To produce a clone, Grunwald has to program his copycat chip to answer to the key printed on the new passport. Alternatively, he can program the clone to dispense with Basic Access Control, which is an optional feature in the specification.

…

As planned, U.S. e-passports will contain a web of metal fiber embedded in the front cover of the documents to shield them from unauthorized readers. Though Basic Access Control would keep the chip from yielding useful information to attackers, it would still announce its presence to anyone with the right equipment. The government added the shielding after privacy activists expressed worries that a terrorist could simply point a reader at a crowd and identify foreign travelers.

In theory, with metal fibers in the front cover, nobody can sniff out the presence of an e-passport that’s closed. But [Kevin Mahaffey and John Hering of Flexilis] demonstrated in their video how even if a passport opens only half an inch — such as it might if placed in a purse or backpack — it can reveal itself to a reader at least two feet away.

…

In addition to cloning passport chips, Grunwald has been able to clone RFID ticket cards used by students at universities to buy cafeteria meals and add money to the balance on the cards.

He and his partners were also able to crash RFID-enabled alarm systems designed to sound when an intruder breaks a window or door to gain entry. Such systems require workers to pass an RFID card over a reader to turn the system on and off. Grunwald found that by manipulating data on the RFID chip he could crash the system, opening the way for a thief to break into the building through a window or door.

And they were able to clone and manipulate RFID tags used in hotel room key cards and corporate access cards and create a master key card to open every room in a hotel, office or other facility. He was able, for example, to clone Mifare, the most commonly used key-access system, designed by Philips Electronics. To create a master key he simply needed two or three key cards for different rooms to determine the structure of the cards. Of the 10 different types of RFID systems he examined that were being used in hotels, none used encryption.

Many of the card systems that did use encryption failed to change the default key that manufacturers program into the access card system before shipping, or they used sample keys that the manufacturer includes in instructions sent with the cards. Grunwald and his partners created a dictionary database of all the sample keys they found in such literature (much of which they found accidentally published on purchasers’ websites) to conduct what’s known as a dictionary attack. When attacking a new access card system, their RFDump program would search the list until it found the key that unlocked a card’s encryption.

“I was really surprised we were able to open about 75 percent of all the cards we collected,” he says.

2009

From Thomas Ricker’s “Video: Hacker war drives San Francisco cloning RFID passports” (Engadget: 2 February 2009):

Using a $250 Motorola RFID reader and antenna connected to his laptop, Chris recently drove around San Francisco reading RFID tags from passports, driver licenses, and other identity documents. In just 20 minutes, he found and cloned the passports of two very unaware US citizens.

Luxury goods are needlessly expensive. By needlessly, I mean that the price is not related to performance. The price is related to scarcity, brand and storytelling. Luxury goods are organized waste. …

That doesn’t mean they are senseless expenditures. Sending a signal is valuable if that signal is important to you.

Premium goods, on the other hand, are expensive variants of commodity goods. Pay more, get more. … They’re happy to pay more because they believe they get more.

…

Plenty of brands are in trouble right now because they’re not sure which one they represent.

Michael Chabon, in an elegiac essay in the new edition of the New York Review of Books, rues the loss of the “Wilderness of Childhood” – the unparented, unfenced, only partially mapped territory that was once the scene of youth.

…

Huck Finn, now fully under the thumb of Miss Watson and the Widow Douglas, spends his unscheduled time wandering the fabricated landscapes of World of Warcraft, seeking adventure.