Category Archives: Ranting

Doddmania

I made my first presidential campaign contribution of the cycle, and I never would have expected it when this thing started up. As any reader of HLWT knows, I’m greatly upset about the erosion of constitutional rights, and lately, particularly by the failure of Obama or Clinton, who are in the Senate, to do anything, or take a leadership position on any of that, or Iraq, or anything… so obviously, Dodd’s “restore the Constitution” platform’s appealing, but I didn’t care enough.

Anyway, I watched this latest bill with dismay, unable to understand why you’d want to give blanket immunity to people who violated (at least) the privacy of their customers, and almost certainly their civil rights. That no one did anything to stop it made me wonder why I even cared about this stuff.

And today, Dodd threw a big wrench into the process, and at the very least, he’s prepared to pay a price for his opposition to this horrible legislation… and I realized that I need to support that. So I did.

Dodd 08.

Credit cards, rainbow attacks, and why it only takes one bad implementation

A ramble.

All credit card numbers have to pass a certain check (mod-10) in order to be valid. I just wrote a little checker to make sure of this, but 10% of all randomly generated 16-digit numbers will pass a mod-10 check (funny how that works out, huh). I’ll probably find out I messed up.

Okay, so there are 16 digits in a credit card, 10 possibilities per, so 10^16 possible numbers. But if only 10% are valid, and you can know that in advance, a list of all possible, valid credit card numbers would contain 10^15. That’s a petabyte of storage, and would cost you a fair (but not astronomical) amount of money to put together. Back when I started working on credit cards and fraud stuff, it was essentially impractical for someone operating on their own to pull that off.

The actual number, though, isn’t even 10^15. It’s much, much smaller, because the first digit or two are card identifiers, and then the next four digits identify the issuing bank and whatnot. So the first six digits aren’t actually random at all, and that dramatically constrains the number space you’re working with. It’s a whole ANSI standard and everything.

So it’s actually…. 4*some limited number I could work out if I had enough time*10^10. Now we’re getting down to something you can pretty easily stash.

Anyway, there are two things I’m going to gloss over: encryption and hashing. With encryption, you use a key to take a piece of text and turn it into something you can bring back using the same key. With hashing, you put a chunk of whatever through a mathematical function and out the back end comes some crazy number. You can’t derive the original from that number, even knowing the function. (Standard caveats apply.)

This is used for all kinds of cool stuff, like signatures for files. If I publish a document along with its hash, you can verify it, and as long as I use a decent method, it’s essentially impossible for someone else to modify that document and get the same hash number to come out the end.

But let’s say you get a list of hashed passwords. You know that all passwords are eight letters long, lowercase. You can generate all 26^8 possibilities, run that same mathematical function on them, and then compare the results to what you have. Tada! You have everyone’s password.

Which is a great argument for long, complicated passwords (I’ve ranted about that before, though) — you should make your password as complicated as you can at every place that requires one.

I know you won’t. It’s okay.

Ah, so anyway, here’s the thing — what if, for whatever reason, someone uses your credit card number for verification purposes? And they store… a hash to do the compare with?

Unless they’re doing something called salting (and the attacker doesn’t figure that out), you’re toast. Same attack: the guy with the huge list of valid numbers can go through and say “for each of these potentially valid numbers, run them through a function and go see if there are any matches in this list I’ve got here.”

Whirr…. running that hash function on 10^15 (or whatever the actual number turns out to be) takes a while, but not as long as you might think, and then… tada! All the credit card numbers.
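The two halves of this ramble (the mod-10 check shrinking the number space, and an unsalted hash of a small-space value being no better than plaintext) fit in one small script. This is an added example, not code from the post; it uses a constructed 12-digit prefix (`DEMO_PREFIX`) so that only four digits are free and the whole "valid" space is 1,000 numbers, and it uses SHA-256 as the stand-in for "some hash function". The keyed and salted variants at the end are the two standard fixes; which one fits depends on whether you need to look records up by card number.

```python
import hashlib
import hmac
import os
import random
from typing import Dict, Iterator, List, Optional

# Constructed prefix for the demonstration: first 12 digits fixed, 4 free.
# Real issuer prefixes are assigned by a standard; this one is made up.
DEMO_PREFIX = "400000123456"


def luhn_valid(digits: str) -> bool:
    """True when the digit string passes the mod-10 (Luhn) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def fraction_passing(samples: int = 5000, seed: int = 1) -> float:
    """Share of random 16-digit strings that pass Luhn. Converges on 0.1:
    for any first 15 digits exactly one check digit makes the sum work."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        if luhn_valid("".join(rng.choice("0123456789") for _ in range(16))):
            hits += 1
    return hits / samples


def valid_numbers(prefix: str, length: int = 16) -> Iterator[str]:
    """Every Luhn-valid `length`-digit number starting with `prefix`.
    With f free digits there are exactly 10**(f-1) of them."""
    free = length - len(prefix)
    for n in range(10 ** free):
        cand = prefix + str(n).zfill(free)
        if luhn_valid(cand):
            yield cand


# --- the weak storage choice: a bare hash of the card number ---------------

def unsalted_fingerprint(card: str) -> str:
    return hashlib.sha256(card.encode()).hexdigest()


def precompute_table(prefix: str) -> Dict[str, str]:
    """The post's 'huge list', shrunk to the demo prefix: hash every valid
    number once; afterwards any stored unsalted hash is a dictionary lookup."""
    return {unsalted_fingerprint(c): c for c in valid_numbers(prefix)}


def recover(table: Dict[str, str], fingerprints: List[str]) -> List[Optional[str]]:
    return [table.get(fp) for fp in fingerprints]


# --- two ways to keep the comparison but kill the precomputation ----------

def keyed_fingerprint(card: str, key: bytes) -> str:
    """HMAC under a secret key held outside the database. Still deterministic,
    so lookup-by-card works, but no table can be built without the key."""
    return hmac.new(key, card.encode(), hashlib.sha256).hexdigest()


def salted_fingerprint(card: str, salt: Optional[bytes] = None) -> tuple:
    """Per-record random salt. Defeats a shared table, but the salt must be
    known before hashing, so this suits verification, not lookup-by-number."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha256(salt + card.encode()).hexdigest()
    return salt.hex(), digest


def salted_matches(card: str, salt_hex: str, digest: str) -> bool:
    _, recomputed = salted_fingerprint(card, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, digest)


def demo() -> dict:
    """Unsalted hashes fall to the table; keyed ones do not."""
    table = precompute_table(DEMO_PREFIX)
    cards = list(valid_numbers(DEMO_PREFIX))[:3]
    key = os.urandom(32)            # constructed secret for the demo
    return {
        "space_size": len(table),
        "unsalted_recovered": recover(table, [unsalted_fingerprint(c) for c in cards]),
        "keyed_recovered": recover(table, [keyed_fingerprint(c, key) for c in cards]),
    }
```

`fraction_passing()` lands near 0.10 for the reason the post hints at: the check digit is fully determined by the other fifteen, so one candidate in ten passes, and `valid_numbers()` with f free digits yields exactly 10^(f-1) numbers. The keyed variant is the "clever" option for a system that still has to look accounts up by card number; its entire security rests on the key never sitting next to the hashes.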

And after you’ve got those, it’s open season.

Now, this is still a pretty tough attack to make, and it’s almost certain that if an attacker can get that far, there will be more lucrative means of getting card numbers. And it’s also true that an attacker sophisticated enough to make this attack is almost certainly going to have many, many more lucrative targets that aren’t as secure.

But I kept thinking about this today: how many companies can look up your payment or account history based on your credit card number? Either they’re storing the number unencrypted to do lookups, they’re doing something clever, or… they’re using hashes. And if they’re using hashes, it might be clever, or pretty much as good as plaintext.

If you’re a customer of the companies I’ve worked at, you will be happy to know that they’ve all been clever.

If you’ve worked at a large company, where all kinds of ridiculous and bizarre decisions get made, decisions that are indefensible almost at once, how unlikely does it seem that there’s someone out there doing this?

The “international” grocery store

(where “international” seems to mean “mostly Korean and Japanese”).

When I was without a car there for a while, I had to get some ingredients for my mom’s birthday dinner, so I hiked down to the market a couple blocks away (it’s about a 10-minute walk) to buy my stuff. It was initially disorienting, because it’s not laid out in standard grocery store form, and doesn’t have nearly the same stuff: the meat selection, for instance, is wildly, wildly different from your local Kroger-owned store.

But that’s not what I’m ranting about. I was shocked at how cheap everything I needed was. I understand the pricing’s going to be different, but on items you can also buy at QFC or Safeway, the difference for the very same item was astonishing.

For instance: I found an item that sells at my normal grocery store for $3.59 for $.99. That’s not a joke. It wasn’t on sale or anything. No matter how you figure it, it means that the nationally supplied grocery chain’s profit on that item was at least $2.60 — and I’ve paid that $3.59 before. That’s crazy! Noodles! Fish sauce! The list went on and on, and the only thing I saw that was comparably priced was bean sprouts.

This is likely not news to anyone, and I’ve bored you already. But it’s the why that fascinates me.

I thought of a couple ways to look at this, but it keeps derailing.

Say that the normal grocery store knows that people who shop there have no idea how much to pay for fish sauce, so they do some market testing and find that if they put it out at $5, they sell to their normal client base and lose the people willing to go to the international market, for a total profit of $tons.

But then why doesn’t the international market sell it for, say, $4 instead of $1? Why hasn’t that price gap collapsed? Is there a different market force operating between this market and the other international ones?

Even if you figure that the international market is pricing at, say, cost + markup, it’s hard to believe that they haven’t walked up the street to where the other two grocery stores are to take a look at their pricing.

I feel compelled to go take some economics classes.

Usability memo to application development types

To all developers, everywhere:

Unless the message you’re displaying is “you’re in incredible danger” there is no excuse, ever, to steal focus from my current application. I don’t care if you’re updating virus definitions, or if you want to check for software updates. It’s less important than me actually working. If I’m writing full-tilt and something pops up, I:
– almost certainly key input to that dialogue that does something unintentionally
– lose ~10-15 words of whatever I was writing
– lose my concentration
which leads to
– losing my shit

I, no joke, uninstall programs that can’t be quiet. If your objective was to be noticed, you succeeded, and now I don’t use your app at all. Congratulations.

Windows should – easily – allow me to disable that operation entirely. There’s no reason a user shouldn’t be able to control whether they’re interrupted by messages like that.

Worker Bee recommendation

There’s a Bay Area band called Worker Bee (myspace page here) that I totally, totally recommend. They’ve got a 5-song record out called “Divorce Your Legs” which you pretty much can’t find anywhere, but they’re ridiculously good. The best way I figured out to describe them is “If you like Explosions in the Sky, they’re like all the things you like about them”. Roger Waters once wrote an essay in Newsweek that recommended the best way to rebel against the Boomers was to find music that was complicated, subtle, and built on itself until it burned a hole in your head, and unfortunately, we didn’t have Mogwai and Explosions in the Sky and all those other great bands then, but I waited, and I love them, and that’s Worker Bee.

I don’t even know how to encourage people to check them out, except to look at their MySpace page, which has two songs you can listen to, or check them out if you can get to one of their shows. They’re not even on eMusic (!). I would bet you can find their CD on all the finer P2P networks, too, though obviously, I don’t want to encourage that. I wish I could point people to an online purchase option. I’m sure I’ll be pimping their album if it ever comes out.

Top Twenty-Five Non-English films

I was reading this fine Jim Emerson post on Scanners about Edward Copeland’s cool project to vote on the best non-English films (post, the 122 nominees who made it, link to the final ballot).

So, in the spirit of things, I worked up a list, but it went way over. When I cut it down to one film per director, I had twenty, and that seemed a reasonable list. (I cut a bunch of other Woo/Kieslowski/Miyazaki films). My tastes run to the enjoyable craziness of a Kung Fu Hustle over the Seventh Sign, which is clearly a sign that I’m a dork.

In rough order of awesomeness:

Red, Kieslowski
Seven Samurai, Kurosawa
Kiki’s Delivery Service, Miyazaki
Drunken Master 2, Chia-Liang Liu
The Killer, Woo
Crouching Tiger, Hidden Dragon, Lee
Battle of Algiers, Pontecorvo
Run Lola Run, Tykwer
La Femme Nikita, Besson
Fucking Amal (or “Show Me Love”), Moodysson
Kung Fu Hustle, Chow
Das Boot, Petersen
Man on the Train, Laconte
Running Out of Time, Zahn
Raise the Red Lantern, Zhang
Metropolis, Lang
The 400 Blows, Truffaut
Intacto, Fresnadillo
Battleship Potemkin, Eisenstein
Battle Royale, Fukasaki

Yes, Battle Royale’s on there.

(Red is, btw, the best movie I’ve ever seen in my life.)

Top Four Bands of All Time

As Rated by Space Taken After Ripping from My CD Library*

1. Sonic Youth (906 MB)
2. Mogwai (800 MB)
3. They Might Be Giants (591 MB)
4. Modest Mouse (554 MB)

It’s interesting to think about — I think much of the ranking is how well they compress. I am, as you might guess, extremely particular about how I rip my CDs. It’s all high-bitrate-ceiling VBR, and it looks like Sonic Youth/Mogwai are chock-full of information that requires a lot of information to convey, as well as having long songs.

iPhone collaborators

(spurred by seeing these things all over the place in San Jose)

I don’t understand why Apple made the iPhone deal with AT&T, since AT&T is – and I’m just going to say this – the company rightly most notorious for giving the worst people in the federal government an extra-legal spinal tap into our communications systems as part of a project so massively unconstitutional and, almost certainly, abused, that lawsuits by the ACLU and EFF can’t even penetrate the protective layers of paranoia that protect it from disclosure.

I don’t understand how good people, especially good techies who are aware of the EFF’s existence and know the massive implications of this whole thing, would let this happen — that the massed distaste of Apple’s employees wouldn’t have managed to derail it. I’ve worked at places where managerial “let’s spam people!” projects are ruthlessly undermined by people with integrity, and I thought more of individual action.

Maybe they were afraid. It’s a statement on our times that that could even be a valid explanation… but there it is.

Which brings me to the other thing: the success of the iPhone is a massive error of forgiveness:
If you utterly screw us over, we as techies will forgive you if the object swung before us is shiny enough.

Just pondering this makes my stomach do flips, and I start to feel like I want to throw up.

I’m a nerd that spent years in cellular, and I love what Apple’s doing. I’m fascinated seeing someone finally put together a phone interface that doesn’t suck, that melds different functionality in a way that at last makes sense. But I won’t buy an iPhone.

AT&T won’t see another dollar in my life unless it’s drawn involuntarily from me. But I’m obviously not in good company. How many people have contributed to EFF and bought an iPhone? How can the early adopters, the people who are most eager to see the future, see the beauty in the gadget and not the ugliness inherent in their purchase? How can people camp out, looking forward to a product that won’t happen, and not see what happens when privacy comes only at the discretion of the least ethical credentialed federal agent? How can you spend money to be guaranteed that your every communication through that device is being monitored?

I don’t understand.