Author Archives: dleppik

Sleep and kids

I have an appointment at a sleep clinic in a few months. I strongly suspect I have sleep apnea, although I also strongly suspect that I can eliminate it by sleeping on my side. The problem is that side sleeping seems to be bad for my carpal tunnel syndrome. (Long story short: I’ve been in treatment for nearly a year and a half, physical therapy for four months, and I just had an MRI scan of my neck which ruled out a herniated disk as part of the problem. I’ve got muscle tension all up and down the areas where those nerves run from the brain to the hands, all of which contributes in some way.)

One reason I haven’t done anything about my sleep apnea suspicions is that there are so many things that affect a good night’s sleep. In particular, it was just this spring that the kids have stopped treating our bedroom as a late-night Grand Central Station. And there’s been some backtracking there.

Most nights Sylvia will come into our room, having just had a nightmare, and ask me to help her think of good dreams. I don’t like being roused from my bed, but in moderation this is one of the joys of parenthood.

We tend to get happier as we get older, and I believe that the main reason is that over time we learn to live with our bodies and our brains. We learn tricks to get around our nagging limitations and develop habits which suit our idiosyncrasies. I am particularly enjoying opportunities to teach these tricks to Sylvia. It’s not something I remember anyone ever doing for me (although I’m sure I just wasn’t aware of it) and it’s something that only I can offer her— and which only someone of my temperament will value. There is nothing more personal than dreams, and perhaps she will inherit my lucid, self-referential dreams in which I know I am dreaming but can only affect the dream within the bounds of dreamland rules. When I give her dream ideas, I am passing a bit of my imagination to her, and helping her to form habits that will let her use her imagination to improve her life.

I’m so proud of my other kids, too

I’m one of the teachers for the senior high class at church. This year, the whole curriculum is one long service project. They could have chosen to count whales in the Pacific. Or they could have spent spring break in Louisiana. Instead, they realized that what was needed most–and where they had the most to offer– is comprehensive sex education right here in Minnesota. That’s one of the things our denomination does best, and they’re organizing a day-long event on May 17th. They won’t be instructing it– but it wasn’t hard to find highly qualified instructors.

Is friendship commutative?

Recently I joined Facebook in order to coordinate a project with the high school kids at church. Facebook really isn’t designed for this sort of thing; Yahoo Groups might be more appropriate, except that communicating with teenagers is hard. They all have email, but most of them never check it. Some of them check Facebook several times a day. (Others refuse to sign up.)

Ever since then, I’ve been getting “friend” requests. For the most part, I’ve been pleasantly surprised with how many of these are people I know quite well. But I occasionally get one from someone I barely remember– but who might have good cause to remember me.

I went through the same thing with Friendster when it was popular. I’m a minor celebrity at Opus (and only at Opus), so after I got home from Opus one year, I got 50 friend requests. Mind you, I’m sure I had meaningful conversations with most of those people, but my brain is terrible with names and faces.

In everyday life, we assume that friendship is commutative. That is, if I am your friend then you must be mine. That’s absolutely not the case with social networks, where friendship is linked to one’s access another person’s information. A celebrity who wants people to know what he or she is doing needs to approve everyone as a friend.

Twitter has a more natural model. Signing up to follow one person’s tweets doesn’t imply that that person needs to follow yours. As does Slashdot, which lets you declare “fans” and “foes.”

Social networking sites need to forget friends and just have fans. The interface on Facebook wouldn’t need to change much. (Although the underlying data model would need to be significantly revamped.) When you sign up as someone’s fan, that person could be given the chance to deny you access. (In practice, that probably wouldn’t stop a committed stalker.) You’d also be given a chance to be that person’s fan.

In real life, friendship isn’t as commutative as people pretend it is. How close one really feels to another is often a guarded secret or an unspoken assumption. Doctors regularly feign familiarity with their regular patients, whom they see far too infrequently to remember. As do ministers and a host of other people in a variety of professions.

How to handle a debt collector

Sylvia got class photos at school a while ago. The photo company, rather than asking up front which pictures people wanted, printed a kitchen sink portfolio and sent it home with the kids. The parents were instructed to return any unwanted photos along with payment for the rest.

Jordan dutifully took a few photos out and returned the rest with her credit card information. In theory, that should have been the end of it. (Her credit card was just fine.)

The other night, a debt collector called. They claimed to own the debt. They didn’t know much about it, not even Jordan’s address. So they said they could not send her a bill.

And they wanted her to pay not only the amount owed (which seemed excessive) plus an $8 handling fee for paying over the phone. Jordan asked for an address. The caller provided one with an incomplete zip code, then hunted around for a different address.

Neither Jordan nor I knew how to handle a call from a debt collector. For the record, the law you need to know about is the Fair Debt Collection Practices Act. In short, if you get a call from someone claiming to be a debt collector, you should:

  1. Not reveal too much information about yourself or any potential debt. In particular, don’t say anything that would confirm or deny any debts. Keep in mind, the caller could be anyone. Plus, they will use any information against you. If it’s a scammer or identity thief, any random information makes it easier to impersonate you.
  2. Request that all communications be in writing. Don’t tell them your address (see above). If you really owe them money, they should have or be willing to find your address.
  3. Tell them to send you a description of the debt in writing.
  4. If they balk, you may politely remind them that failure to comply results in a $1000 fine.
  5. And, of course, do not accept any “convenience charge.”
  6. When you get the statement, which they are required to send within five days no matter what, it shoud say that you have 30 days to pay or contest it. If you don’t respond in time, that is not evidence of debt, but it will complicate matters if you really do owe them.

The relevant section here is on page 5 of the FDCPA.

Why there’s so little malware for the Mac

Recently, Mac expert John Gruber has been asking why there is effectively no malware [malicious software] for the Mac. So far, the theories people have offered don’t match what I see as the reason.

In a nutshell, it’s because malware is no longer a hobby. It’s big business, with all that entails: economies of scale, industry consolidation, and standardization. All of which make it cheaper to target Windows and abandon the Mac.

There are lots of ways you can make money from controlling someone else’s computer. You can steal information (bank account numbers and passwords), or you can do things you wouldn’t want traced back to you, such as sending spam.

It turns out that if you want to get information, it’s often easier to ask people than to search their computers. Just send out email that looks like it came from the bank, using some scary pretense to urge them to log onto the bank website through a phony link provided in the email. This is known as a phishing attack. (Banks make this easier by regularly sending email that looks less legitimate than the phishing attacks.)

Much of what criminals want to do with random people’s computers involves sending spam. And the rest is similar enough that for the sake of argument, I’ll just focus on spam.

Back in 1997, there were plenty of unprotected mail-forwarding computers (“open relays”) so you needed only a little technical skill to send all the untraceable email you wanted. By 2000, the open relays had been closed, but security was still lax enough that you could hire someone to break into enough computers to send your spam. If you (or the person you hired) were a Windows expert, you’d break into a Windows computer. Otherwise you might target Mac or Unix machines.

We’ve come a long way, security-wise. These days, all the really dumb mistakes have been fixed. As a result, you can’t just hire a smart kid off the street and start spamming. You have to hire someone who’s got some specialized skills.

But why pay $80,000 to hire an unscrupulous professional, when you can rent all the compromised computers you want at a reasonable price? That’s the value proposition of a botnet. The best and the brightest criminal minds write malware (such as the Storm worm) to take over millions of computers. Then they resell computer time at a price that maximizes their profits: low enough to attract as many customers as possible, but as high as those customers are willing to pay.

The costs of running a botnet are something like:

  • The cost of developing the software to recruit computers, which is an ongoing expense as exploited computers get cleaned off or retired, and as security holes get closed.
  • The incremental cost of adding one more computer to the network. Practically zilch.
  • The cost of developing and maintaining the software used to access the botnet.
  • General business expenses: sales, marketing, etc. For a business this big, organized crime is probably involved.

Like so many software businesses, there are virtually no incremental costs. A virus that is good enough to spread to 100 computers will likely spread to 10,000 computers. And if you have enough of the compromised computer market, you can hire a whole team of people to keep you one step ahead of the security experts.

The economics favor taking over more computers than you need and using each one as little as possible, since people aren’t likely to fix their computers if the malware never becomes a nuisance.

So let’s say you have a big botnet, and you want to make it bigger. Which is the cheapest way to grow it by 5%? (A) Have your existing staff (plus maybe a few new hires) make your existing malware 5% more effective, or (B) hire some Mac or Linux experts, and capture a comparable portion of those computers?

To target a Mac or Linux computer, you need to know some sophisticated details about how those operating systems work. And it’s a moving target: as exploits become known, they get fixed. You can’t just hire run-of-the-mill programmers. Plus you’ll need to rewrite your payload (the software used to access the botnet.) And the more software you have on target machines, the more information you’re providing to your adversaries. So you’d end up nearly doubling your development staff and end up with a software platform that’s harder to maintain and leaves you more exposed. It’s hard to imagine a scenario where that makes sense.

And that’s assuming that you even want to grow the botnet. Once you have enough computers to satisfy the demand, being more clever just gives your adversaries more bugs to fix–and more incentive to fix them.

Mr. Gruber asks what the situation would be like if the PC market were more evenly divided between Mac OS, Windows, and Linux. So long as there are enough PCs to satisfy the demand for zombies, there is no reason for the entrenched players to branch out into Windows or Linux. And the cost to develop a competing botnet would be big: software development, sales and marketing, law enforcement evasion, kneecap protection, etc. One could imagine a world where Windows computers are in the minority, but common enough to satisfy all of the demand. Indeed, it may be the case that a large percentage of the zombies today are running Windows 98.

In short, the notion that Macs should get 5% of the malware because they have 5% of the market is based on the notion that there are lots of independent malware writers. If there are a small number of big players, and Macs aren’t strictly needed, then it makes sense for there to be no malware to speak of for the Mac.

.

As a postscript, I’d like to mention that this discussion is just about malware. I mentioned phishing before, and that’s just one example of a cross-platform attack: persuasive ploys are just as effective against Mac users as Windows users. And computers have become hardened to the point that the Storm worm, responsible for the world’s largest (known) botnet, requires human intervention to spread.

Focusing too much on the OS misses the point: the weakest link in computer security is no longer the computer. We can debate whether the Mac’s “are you sure you want to install this?” warnings are better than Windows’ but at the end of the day, a sufficiently motivated user is going to bypass any security feature.

Carbon insurance

I don’t know if this is a great idea or a terrible idea, so I’ll just throw it out.

One of the problems with proprosed carbon cap-and-trade systems is the uncertainty of the real value of carbon credits. A carbon credit is where you buy, for example, solar panels for a factory in Bangalore to offset the carbon dioxide from your coal-fired power plant in Belgum. The overall goal is to reduce the greenhouse gasses entering the atmosphere, and it doesn’t matter where the reduction actually occurs.

There are a lot of moving parts to a carbon credit market, but the primary issue is this: we’re pulling ancient carbon out of the ground in the form of fossil fuels, then burning them to produce carbon dioxide. In a geological instant, we’re burning the remains which have collected over billions of years. We need to either stop burning ancient stuff, or start burying as much as we burn.

Unfortunately, we don’t have accounting rules that work in geological time. What a carbon market really needs to do is to guarantee that either a particular chunk of carbon is going to stay out of the atmosphere permanently. Or at least for the next fifty years.

What we have instead is a variety of dubious claims and half-claims based on expected results of the things that can be accounted for. So, for example, you can get carbon credits for planting trees, but there is no disencentive for burning existing old-growth rainforests. Thus you can get paid to burn down one forest and replace it with another. The system is full of these sorts of paradoxes.

There is one industry which is used to working on long time scales to manage risks and protect valuable resources. The insurance industry. So perhaps when a power company buys a carbon credit, it should also buy carbon insurance for that credit. If the credit turns out to be of questionable merit, or unforseen circumstances ruin its value (e.g. a forest fire), the insurance company buys another credit to replace the old one.

All of which brings up the question: what is renewable energy worth? If you replace a coal-fired power plant with solar or wind energy, there’s no guarantee that the coal won’t just get sold to someone else. In fact, supply-and-demand dictates that coal will just get cheaper until it’s no longer profitable to pull it out of the ground– with little or no impact on the actual amount of coal usage. (I have no idea whether that represents the actual dynamics of the coal industry, which is probably dominated by long-term contracts and razor-thin margins.)

I suspect that renewable energy is not as valuable as demand for renewable energy. If there’s money to be made, research and development gets done until you get to the point where renewables really are cheaper than fossil fuels. Which, if it works, makes them far more valuable than a carbon market.

New anti-spam measures

I’ve implemented a new system for avoiding comment spam. When you submit a comment, you must answer a simple question that anyone who speaks English fluently will be able to answer, and anyone who isn’t fluent should be able to google. The question never changes.

I’m relying on security through obscurity, that is, I’m assuming that no spammer will try to outwit it. Security by obscurity is usually derided by security professionals since it’s useless against a dedicated attacker. If I were Google or FaceBook, this would be an issue. But as long as there are thousands of less secure blogs, it’s not worth a spammer’s time to spend a minute or two to add a custom rule for my site.

For now, comments still need to be approved before they show up. If I don’t get any new comment spam in a while, I’ll change that rule.

In case you’re wondering, it took me about an hour to write the WordPress plug-in. That included reading the documentation, then looking at a few published plug-ins (one of which probably doesn’t really work) because the documentation is incomplete or misleading. I was inspired by this blog post. (The author uses a fixed image for his CAPTCHA. Based on his experience, I figured I could make one that’s accesible to the blind.)

Visiting the Apple store

My new laptop has a sticky mouse button, so I went to the Apple Store at Ridgedale for repairs. A few thoughts:

  • The window display is a pair of mock iPhones made of of HDTVs on their side, which gives the impression of an impossibly high resolution display. If only real iPhones had that many pixels. Then again, it makes me wonder how they came up with the demo; the easy thing to do if you’re an Apple developer is to use a development version of the OS which supports that resolution. Then again, the marketing department might not be able to do that. But this is Apple, so you never know; The Steve might have personally commissioned the demo.
  • Tech support is at the so-called Genius Bar, with a young, hip employee who looks different from the other employees because his T-shirt says “genius” on it.
  • They had a 2-hour wait to get to the Genius Bar, but you can’t tell, because you sign up online. This was on a random Tuesday at a small Apple Store in a modest suburban mall.
  • It didn’t pay to show up a few minutes early for my appointment.
  • It does pay to wait in “standby,” especially if you have a quick question. Two people without reservations managed to squeeze in front of me, even though they were running late.
  • To verify that my mouse clicks smoothly, they needed a username and password, which is printed on your reciept and stored in their database. Fortunately, they were willing to take my guest account, even though the reciept says “admin.”

Taking back corporate America

There was a time when companies were owned by people, and they existed not just to make money but to represent the values of their owners. Today, companies are still owned by people, but with so much indirection that they end up being faceless profit-making machines.

Most corporations are owned largely by mutual funds, which in turn are owned by most Americans as part of their retirement funds. Although these individuals have strong opinions about corporate America, this indirection causes these opinions to be summarized as “make as much money as possible.” Especially with index funds, which are managed essentially by an algorithm, there is no mechanism to get the real opinions of the shareholders to the corporations.

If you own stocks individually, on the other hand, you can get the attention of corporate management through shareholder proposals which are voted on at the company’s annual meeting. (By and large, they are non-binding. But electing a board of directors is binding, so the Board ignores these proposals at their peril.)

If you can’t attend the annual meeting in person, you send in a proxy vote. That is, an absentee ballot. It is called a proxy vote, because the ballot is given to a person, a proxy for you, who is instructed to vote with your shares according to your preferences. (I’m not sure that it actually works this way in this age of computer tallies, but that’s the theory.)

Here’s my idea: everyone who buys a mutual fund should be allowed to designate a proxy. Since the fund may include hundreds or thousands of companies, it would be unwieldy to actually fill out all those ballots for your proxy (much less read about what you’re voting for and try to understand all the issues.) However, if you tend to agree with Warren Buffett, or your union, or GreenPeace, or Bill O’Reilly, and if they agreed to vote your shares for lots of companies, it would be better that they get the vote than the mutual fund manager.

More specifically, people or organizations could register as designated proxy voters and list the companies they plan to vote for. You could then supply your mutual fund with the list of designated proxy voters. This is the sort of thing which was unweildy before computers, but should be easy these days.

The reason the proxy voters should be registered is both to make it easy for computers to track which votes go where, and so that the regulators and companies would know in advance if, for example, the ACLU has enough votes to stage a coup.