Filed under Tech by TruePath | 0 comments
So I was just reading this interesting post about the Storm worm and it got me wondering a bit about cryptography, since the best suggestion people had for tracking down such a worm was to track down computers the worm uses as command and control servers and turn them into honeypots to generate lists of infected machines and maybe track the thing back to its source.
Now a clever worm designer could put in some countermeasures like making sure that commands arrive at infected machines along many paths making it tough to figure out what is ‘upstream’ from the recipient. However, by timing the arrival of these messages you could probably defeat most simple schemes of this kind so I got to wondering if it was possible to create a really robust solution to this sort of problem.
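The timing argument above, worked through as an added example (not part of the original post): a defender who knows the relay topology and records first-arrival times at a few honeypots can rank candidate origins by how consistent the implied send time is. The graph, latencies, honeypot placement and the 10 ms nominal hop delay are all constructed assumptions.

```python
import heapq
from collections import deque

# Constructed overlay: undirected links with one-way latency in ms.
LINKS = {("A", "B"): 10, ("A", "C"): 11, ("B", "D"): 9, ("C", "D"): 10,
         ("D", "E"): 12, ("E", "F"): 10, ("E", "G"): 9, ("F", "H"): 11,
         ("G", "H"): 10}
NOMINAL_HOP_MS = 10                    # defender's guess at typical per-hop delay
HONEYPOTS = ["A", "C", "F", "G", "H"]  # nodes where arrival times are logged

def neighbours(links):
    adj = {}
    for (u, v), ms in links.items():
        adj.setdefault(u, {})[v] = ms
        adj.setdefault(v, {})[u] = ms
    return adj

def flood(adj, origin, sent_at):
    """First-arrival time at every node when each node relays to all neighbours."""
    seen, queue = {}, [(sent_at, origin)]
    while queue:
        t, node = heapq.heappop(queue)
        if node in seen:
            continue                   # a copy already arrived on a faster path
        seen[node] = t
        for nxt, ms in adj[node].items():
            if nxt not in seen:
                heapq.heappush(queue, (t + ms, nxt))
    return seen

def hops_from(adj, start):
    dist, todo = {start: 0}, deque([start])
    while todo:
        node = todo.popleft()
        for nxt in adj[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                todo.append(nxt)
    return dist

def rank_origins(adj, observed, hop_ms=NOMINAL_HOP_MS):
    """Sort candidates by spread of implied send times (small = consistent)."""
    ranking = []
    for cand in adj:
        hops = hops_from(adj, cand)
        implied = [t - hop_ms * hops[m] for m, t in observed.items()]
        ranking.append((max(implied) - min(implied), cand,
                        sum(implied) / len(implied)))
    return sorted(ranking)

def demo():
    adj = neighbours(LINKS)
    arrivals = flood(adj, "D", sent_at=100)   # ground truth hidden from the ranker
    observed = {m: arrivals[m] for m in HONEYPOTS}
    return rank_origins(adj, observed)

if __name__ == "__main__":
    for spread, node, t0 in demo():
        print(f"{node}: spread={spread} ms, implied send time={t0:.1f}")
```

Even though every honeypot receives the message over several paths, only the true origin yields implied send times that agree to within link jitter; every other candidate is off by tens of milliseconds.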
Now there is some pretty interesting work on public key steganography. That is, systems that let someone embed information in some apparently random noise using a public key so that just detecting the presence of an encoded message is computationally infeasible without the private key. For instance if you needed to pass secret messages to an agent working for another country’s embassy you might embed his instructions into random information that accompanies routine communications between the embassies (say the low order bits of timestamps on emails) and without his private key his superiors won’t be able to detect that any extra message even existed. However, this isn’t really what you want to run a botnet. It might help avoid detection of control messages through network monitoring but if security researchers find an infected machine they can extract any private keys it contains and figure out what network connections contain secret instructions to the machine.
What would be ideal here is something like reverse public key steganography. That is, a system that works as follows. Imagine you have n channels, C1..Cn, each carrying symbols randomly distributed with distribution D1..Dn and that k << n of these channels are controlled by colluding agents who know some private key S. What we want is the property that anyone who knows public key P can apply some operation Decode(C1..Cn, P) to (with very high probability) recover a message that the k agents colluded to send but that it is computationally infeasible for anyone without knowledge of S to determine which channels are being modified by the colluding agents. In other words anyone (knowing P) can figure out what message is being sent but no one can figure out who is sending it.
I kinda suspect that some system like this must have been devised already and I just don’t know how to search for it. In either case not only would it allow for the creation of a nearly perfect botnet control system (you embed control messages in the random information that accompanies DNS requests or TCP connections) but it would also have some interesting applications for P2P systems and anonymous hosting. Basically it would be useful for any situation where you want to let individuals announce things without revealing their identity. Of course it would be even better if k could be reduced to one or if the system would allow some m<
Anyway if anyone knows if such systems are possible I’m curious. It also raises the interesting question about how one would deal with botnets built by really savvy individuals like governments. If something like this works it could be almost impossible to even identify the infected computers or track down the creators using technology (normal police work like following the money would still work).
Filed under Tech by TruePath | 0 comments
Looks like I was right. Steve Jobs is following my advice (I’m sure he reads my blog :-) ) and giving all us early iPhone customers a $100 gift certificate. I very much doubt that they planned to drop the price and then give back some of the money to the early adopters as well as eliminate the 4GB version.
Filed under Tech by TruePath | 0 comments
So Apple today announced that they were phasing out the 4GB iPhone and dropping the price of the 8GB iPhone by 200 dollars. Now a fair number of people are pretty pissed off at having paid substantially more for buying an early version. Now obviously I would like it if Apple gave me some money or store credits as a result of their price drop but I’m not pissed off.
I would feel a bit different if I thought Apple had planned this move. I wouldn’t mind Apple charging a scarcity fee during initial distribution or even merely setting a price floor and letting the actual price float according to demand but given the way they did the sales there was the strong implication that the price was not an early adopter surcharge. However, I don’t think Apple had any such intention for several reasons.
- The iPhone product launch was a huge risk for Apple. If it hadn’t generated enough buzz they would eat a very large cost. I’m not sure the extra margins would be enough to make up for the risk. Though on the other hand some things are more desirable when more expensive (Rolex).
- Dropping the price like this is very risky for future product launches. Next time Steve Jobs announces a fancy new product many people may choose to wait to see if the price drops and that could mean the whole thing flops.
Still on their own these aren’t that compelling. Certainly a plausible story one can tell is that Apple initially planned to release the iPhone at the start of the summer and a pre-Christmas price drop was always planned but the late release forced a compacted schedule. Now the part about the delay is likely true as Apple pulled developers off Leopard to work on the iPhone but I don’t think (though I could be wrong) that the rest of the story is true. After all why wouldn’t they push the price reduction back closer to the Christmas shopping season? However, what really convinces me this wasn’t planned is the following.
- Apple eliminated the 4GB iPhone from their lineup. If this was planned from the beginning why would they pay all the fixed costs to set up a separate manufacturing line and distribution channels?
I think a much more plausible story goes like this. Apple had no idea how successful the iPhone was going to be. Sure they had some bullish predictions but it was quite possible that the iPhone would undersell other smart phones or that people wouldn’t think it was worth even $400. Apple priced the iPhone so that they wouldn’t be losing money even if it turned out to be only a minor success but retail electronics is all about economies of scale so once they realized they had a hit on their hands they had to decide whether to keep raking in massive profit margins on the iPhone or try to increase sales with a lower price and introduce the iPod touch. After all if they undercut the iPhone with the iPod touch that wouldn’t be any good (and might not be allowed by their AT&T contract). Still my confidence in this conclusion isn’t super high. I wouldn’t put $200 on it :-)
Now I think it is very much in Apple’s interest to give people who bought the iPhone at $600 some kind of rebate. They could give them something like credits on iTunes or more nefariously credits for Apple software, e.g., a free copy of iLife or a dotmac account. It wouldn’t be too hard for them to give customers something that cost Apple virtually zero but would deter the perception that buying an Apple product right after launch is a bad move. A perception that Steve Jobs particularly needs to avoid. But while I think failing to do that would be a bad move on their part I still think my phone is worth the money I spent so it seems silly to get all worked up about it.
Filed under Tech by TruePath | 2 comments
A couple times recently I’ve noticed that my iPhone battery was unexpectedly drained; surprising given that normal usage hadn’t yet reduced me even to half power. I was pretty worried that something was wrong with my new phone for a short while but after struggling with Google I discovered Apple’s inconspicuous warning that leaving your iPhone plugged into a sleeping computer can drain the batteries. iTunes 7.3 adds the ‘feature’ of silently refusing to enter sleep mode with a connected iPhone but this doesn’t help if you plug in your phone while the lid is closed. What I couldn’t find mentioned anywhere is the fact that the power brick will drain the battery as well if left unplugged. I figured I’d post a warning just so no one gets worried that their expensive new phone is (seriously) broken.
Personally I think this bug is a bit more annoying than the battery drain caused by a sleeping laptop. I didn’t have any particular reason to plug my phone into a closed laptop so it won’t be any difficulty to avoid doing so in the future. However, it’s quite common for people to unplug electronic devices to free up an outlet and those people might not always be me. I kinda doubt that this issue can be solved by a firmware update but hopefully Apple can replace the power bricks with something that works around this problem. At the very least they should warn people about connecting an iPhone to an unplugged power brick.
I still love my iPhone and think it’s the most amazing handheld gadget I’ve ever seen but that’s no reason not to acknowledge its flaws. I really dislike the emotional fans who resist even the slightest suggestion that their favorite product isn’t perfect and I’m not going to become one no matter how cool the iPhone may be.
Filed under Social Issues, Race and Gender, Tech by TruePath | 1 comment
Every once in a while I see an article about women in IT linked from Slashdot or on another site I browse. Now if such articles described real discrimination or genuine unfair practices they would be an important contribution toward gender equity. However, this article like most of those I run across describes the difficulty many women in CS/IT have with work life balance or the pressure they feel at being one of only a few women. Now I don’t know how much genuine discrimination persists in a field like IT but presenting what appears to be perfectly fair treatment as if it was gender discrimination trivializes any discrimination that might be occurring and makes sure that people see anti-discrimination efforts as pure political correctness.
Filed under Tech by TruePath | 3 comments
Has anyone else noticed that whenever the iPhone comes up in an internet forum (e.g. Slashdot) or in the media there is always someone who feels the need to rag on it and say it’s nothing special? I don’t mean the people who legitimately prefer having a physical keyboard or simply don’t like the design. I mean the people like the one in this Slashdot story who say things like:
After seeing the iPhone introduction, I was totally confused by how much excitement it generated in the US. It offered no features I could see beyond my Casio W41CA’s capabilities. I had a lot of apprehension towards the idea of a virtual keypad and the bare screen looked like a scratch magnet. Looks aren’t enough. Finally, the price is ridiculous. The device is an order of magnitude more expensive than my now year-old Keitai even with a two-year contract. After returning to the US from Japan, I’ve come to realize the horrible truth behind iPhone’s buzz. Over the year I was gone, US phones haven’t really done anything.
Amazingly this guy manages to rag on defects he hasn’t even seen. Now the iPhone only has a bit higher screen resolution than the phone he mentions but having 8 gigs to store movies and music seems like a big advantage over the W41CA’s 70 megabytes of memory. The iPhone’s interface and consistent UI is genuinely new (to the consumer) and warrants a big buzz while phones like the W41CA look and behave just like any other phone. You don’t have to like the iPhone but it just doesn’t make sense to pretend you don’t see it’s a big deal.
Apparently some people feel attacked by the introduction of popular new technology. Fifteen years ago you could certainly find people saying the same things about how their typewriters were just as good as a computer and I bet today you can hear people pretending that HDTV isn’t any better. But I still don’t understand it. Back when I thought I would keep my Treo and avoid the hefty iPhone price tag I was still planning to write this post and didn’t have any problem admitting that the iPhone would be nifty to own if I could afford it. So what is it that makes people feel the need to hate on new technology they don’t have?
Filed under Morality, Tech, Privacy and Anonymity by TruePath | 2 comments
In an entertaining turn of events four Brandeis alums have pitched in and created a searchable interface to Madam Palfrey’s phone records. If you want to try a number for yourself head on over to dcphonelist.com and once you are bored of that the story in the Hill about the project is worth a read. Apparently one lobbyist has already been outed through the site but given the difficulty. In case you aren’t familiar with the DC madam case so far I give a brief summary after the break.
Now some people seem to think that reporting on or distributing this information is immoral as the sex lives of politicians should remain private and others find this an unpalatable invasion of privacy. Presumably this is the reason that ABC refused to identify any of Palfrey’s non-politician clients. But this is mind bogglingly hypocritical. I mean jesus christ the men on this list are faced with potentially losing their job or being divorced. Ms. Palfrey is facing prison time. It’s insane to think that prostitution is bad enough to throw Palfrey in jail for it but not bad enough to cause some guys to be embarrassed. Unless the guys calling are on the record as supporting the legalization of prostitution I have no sympathy for their plight.
Every day the government takes away people’s freedom for no other reason than prudish moral disapproval. It is the people who don’t really believe prostitution (or drug use) is that bad (such as the johns) but stay silent out of ambition or fear of censure who are really guilty here not Madam Palfrey. None of us would defend the person who let an innocent man go to jail rather than reveal he was having an affair and tacitly supporting the criminalization of prostitution is even worse. You don’t even need to admit you have been to a prostitute to argue for its legalization. Just like homosexuals working for gay bashing senators these clients deserve to be punished for their hypocrisy if anyone does and more importantly we ought to discourage this sort of hypocritical behavior.
If we really knew the names of everyone who used drugs or visited prostitutes they would become legal within the week. I’m hopeful the loss of obscurity (aka privacy) that everyone complains about will bring us to a point where this sort of hypocritical moralizing is no longer possible.
Filed under Economics, Tech, The Internet by TruePath | 8 comments
I recently ran across an article on Slashdot discussing the payments that Hotmail accepts from businesses to have their email whitelisted and (indirectly) links to editorials praising and denouncing the 2006 deal AOL and Yahoo struck with Goodmail that allows businesses to pay a 1/4 cent fee per email to guarantee their email makes it past spam and volume filters. Now I’ve been vaguely aware of calls to combat spam with micropayments for some time but this prompted me to actually take a look at some of the more carefully designed proposals for email micropayments. These schemes actually manage to answer many of the common worries about email micropayments (if really implemented). However, while I’m generally a big fan of clever economic/incentive based solutions to social problems, it seems to me that micropayments for email are a fundamentally flawed non-solution to the problem of email spam. In fact it’s far from clear if they would reduce the total amount of junk mail at all and even if they did the trouble they cause and risks they pose outweigh any benefits.
Filed under Law, Miscellaneous, Tech, The Internet by TruePath | 2 comments
So the big financial story of the day is the revelation that John Mackey, the CEO of Whole Foods posted anonymously on the Yahoo finance site. Unsurprisingly he tended to say good things about his company (and his haircut) while dissing his competition (Wild Oats which Whole Foods is now trying to purchase). In short he behaved like every other fanboi on the internet, he just liked his own company rather than the one that made his computer CPU. But because he is the company CEO everyone is getting really worked up about this. Frankly I don’t see what the big deal is.
Filed under Tech, The Internet by TruePath | 0 comments
So I’m listening to the Gonzales hearing and some senator has sidetracked the discussion onto the subject of internet gambling. He, with Gonzales’s agreement, asserted that it is vital to outlaw internet gambling because they function as unregulated banks and are thus perfect vehicles for money laundering, terrorist financing and tax evasion.
Now perhaps he just meant that given we outlaw internet banking it is important to shut down easy financial transactions with the companies. This seems to be a reasonable position. However, it’s an insoluble problem of our own creation. There are simply too many otherwise law-abiding US citizens who are engaging and will continue to engage in internet gambling and there will always be offshore bank accounts and other means for them to do so. This flow of relatively innocuous money will disguise any genuinely criminal money being laundered or tax being evaded.
Of course we could easily eliminate the problem entirely by simply legalizing internet gambling for properly licensed companies. This would bring all those cash flows into a regulated system as well as allowing us to institute protections against problem gamblers, e.g., laws that require internet gambling entities to stop people from playing after they’ve lost too much money in a given time period or receive some sort of notification that this person is a problem gambler. Also it would bring us in line with the WTO guidelines.
But no, that would be far too rational for the US to ever do.