Flight safety

Emerson driving the boat

Those who were amused by Tyler’s discussion of airline safety in the excellent film Fight Club may enjoy a leader article (what the Brits call an editorial) from this week’s Economist. It purports to be an accurate version of the spiel you get every time you board an aircraft. It confirms what I have already heard, read, and believed and I am pretty sure they did their homework. It is also fairly funny:

Your life-jacket can be found under your seat, but please do not remove it now. In fact, do not bother to look for it at all. In the event of a landing on water, an unprecedented miracle will have occurred, because in the history of aviation the number of wide-bodied aircraft that have made successful landings on water is zero. This aircraft is equipped with inflatable slides that detach to form life rafts, not that it makes any difference. Please remove high-heeled shoes before using the slides. We might as well add that space helmets and anti-gravity belts should also be removed, since even to mention the use of the slides as rafts is to enter the realm of science fiction.

Please switch off all mobile phones, since they can interfere with the aircraft’s navigation systems. At least, that’s what you’ve always been told. The real reason to switch them off is because they interfere with mobile networks on the ground, but somehow that doesn’t sound quite so good.

The bit about water landings is, of course, especially dire. Just think about what would happen when a huge jetliner landed on water. It would either stall before hitting the water and fall more or less straight downward, or plow forward into the water at a rate above stall speed, in which case those huge jet engines would rapidly cause the plane to slow. Passengers would be thrown forward with enormous violence. Far better to have seats facing backwards like in military transport planes, but who wants to pay $1000 for a ticket and then be reminded that you may end your flight as part of a mile-long trail of debris or a cloud of polluted seawater?

All that said, flying is still definitely the safest way to travel long distances, and considerably less risky than failing to exercise and maintain a healthy diet, in terms of the risk of getting killed.

PS. Please note that these pictures have nothing to do with the posts in which they are embedded. They are just nice portraits from CF2 that I wanted to include in the blog. The very best photos will appear on Photo.net once I get my lovely Mac back.

Building utopias or avoiding disasters

Neal Lantela in a lifejacket

In the car, on the way back from Tristan’s cabin, a discussion arose about the problem of racism. As usual, I rapidly found myself unable to comprehend the terminology of philosophical devotees. I have never seen abstract theorizing as a particularly good way of effecting positive change in the world, or even identifying means by which to do so. Regardless, an interesting possibility arose from the conversation. At first, consideration was being given – by some – to mechanisms through which revolution could be used to generate a kind of ideal society. Personally, I found many of the characteristics of the postulated society despicable, but that is less interesting than the very phenomenon of trying to create utopias through the application of human reasoning and abilities. This is a vice to which those farthest from the political mainstream have always been particularly vulnerable: hoping to roll over the whole elephant of society so that their ideas end up on top.

From what I know of history and political philosophy, those who try to build utopias always fail: either for themselves or for those who are meant to live in their perfect society. Perhaps the big lesson of history is that people should focus on avoiding disaster, rather than perfecting the styles of interaction between people. Of course, that leaves the issue of deciding what constitutes a disaster. Was the internment of Japanese Canadians during the Second World War a moral disaster? What about the execution of an innocent person? What about the supposed decline of traditional family values?

The answer, perhaps, is a kind of pragmatic reverse utilitarianism which seeks to reduce violence in society to the minimum possible level, in lieu of trying to maximize utility. Utility or happiness is, after all, a fairly woolly concept and one open to flying accusations that there are ‘higher’ or ‘lower’ forms of happiness for reasons founded in morals or aesthetics. Violence, by comparison, is pretty clear cut. No doubt the idea is rife with problems – both logical and pragmatic – but it is something that seems worthy of consideration.

PS. Please note that these pictures have nothing to do with the posts in which they are embedded. They are just nice portraits from CF2 that I wanted to include in the blog. The very best photos will appear on Photo.net once I get my lovely Mac back.

Dangerous Afghan skies

I was talking with Edwina today about the possibility that the British Hawker-Siddeley Nimrod MR2 reconnaissance aircraft that crashed in Afghanistan recently was shot down by a FIM-92 Stinger missile, as Taliban representatives claimed. Fourteen British airmen were killed in the crash: the largest single day loss of British military personnel since the Falklands War. Given the ongoing presence of the Canadian Forces in Afghanistan and the famous provision of about 500 of these surface-to-air missiles to the Mujaheddin by the CIA during the Soviet invasion of Afghanistan, it is a question with contemporary relevance for Canadians.

In production since 1981 by the Raytheon Corporation (which also makes the washers and dryers used in residences at the University of British Columbia), the Stinger missile has a range of about 4800 metres and a maximum altitude of about 3800 metres – well below the cruising altitude of commercial aircraft. The Stinger seeks targets using an infrared homing system and is propelled using a two-stage chemical rocket. The homing system is thus vulnerable to flares used as decoy heat signatures, as well as to the reduction of an aircraft’s thermal profile through mechanisms like the internally mounted turbofan engines on vehicles like the B-2 Spirit Bomber, not that the Canadian Forces will or should get any of those.

Most of the reporting on the crash says that it was the result of a technical fault. This is the position that has been taken officially by NATO and the RAF, while the Taliban has claimed that it shot the plane down. There were Taliban fighters in the area, as evidenced by the rapidity with which the British Special Air Service (SAS) commandos were dispatched to destroy any secret electronic equipment that survived the malfunction and subsequent crash. Of course, it would be especially embarrassing to have a £100 million plane shot down and fourteen British soldiers killed by a $26,000 missile that was given to your enemies by the country with whom the Blair government is so loyally and controversially allied. As with the earlier discussion on conspiracy theories, we are left with little means for analyzing the official reports aside from our own intuition about which sources are trustworthy and which explanations are credible.

Whether the crash was an accident (as seems most plausible) or the result of enemy action, the dangers of continued military operations in Afghanistan are demonstrated. Even with complete air superiority, powerful allies, and all the other advantages of being in a superpower coalition, Canadian, British, and American soldiers will continue to die in Afghanistan until such a time as we decide to leave that country to the government and warlords who effectively control it today.

On conspiracy theories

Kasbar, Cowley Road, Oxford

Partly prompted by a Penn and Teller episode, and partly by a post written by my friend Tristan, I have been thinking about conspiracy theories today. On what basis can we as individuals accept or refute them? Let’s take some examples that Penn and Teller raise: the reality of the moon landings, the nature of the JFK assassination, and the nature of the September 11th attacks. It should be noted that this is the worst episode of theirs I have ever seen. It relies largely upon arguments based on emotion, backed by the testimony of people to whom Penn and Teller accord expert status, rather than a logical or empirical demonstration of why these theories should be considered false.

Normally, our understanding of such phenomena is mediated through experts. When someone credible makes a statement about the nature of what took place, it provides some evidence for believing it. Penn and Teller amply demonstrate that there are lots of crazy and disreputable people who believe that the moon landing was faked, some strange conspiracy led to the death of JFK, and CIA controlled drones and explosives were used to carry out the September 11th attacks. That said, it hardly disproves those things. Plenty of certifiably insane people believe that the universe is expanding, that humans and viruses have a common biological ancestor, and that any whole number can be generated by adding powers of two (365 = 2^8 + 2^6 + 2^5 + 2^3 + 2^2 + 2^0). That doesn’t make any of those things false.

We really have three mechanisms to work with:

  1. Empirical evidence
  2. Logical reasoning
  3. Heuristic methods

As individuals confronted with questions like those above, we almost always use the third. While those with a powerful telescope and the right coordinates could pick out all the junk we left on the moon, most people lack the means. Likewise, those with a rifle, a melon, and some time can learn the physics behind why Kennedy moved the way he did when he was shot, despite Oliver Stone’s theories to the contrary. Finally, someone with some steel beams, jet fuel, and mathematical and engineering knowledge can model the collapse of the twin towers as induced by heat related weakening of steel to their heart’s content. Normally, however, we must rely upon experts to make these kinds of judgements for us, whether on the basis of sound technique or not.

Logical reasoning is great, but when applied strictly cannot get us very far. Most of what people call ‘logic’ is actually probabilistic reasoning. Strict logic can tell us about things that are necessary and things that are impossible. If every senior member of the American administration is controlled by an alien slug entity, and all alien slug entities compel their hosts to sing “Irish Eyes are Smiling” once a day, we can logically conclude that all members of the American administration sing “Irish Eyes are Smiling” every day. Likewise, if all bats are bugs, all non-bugs must be non-bats. Entirely logically valid, but not too useful.

A heuristic reasoning device says something along the lines of: “In the forty years or so since the moon landing, nobody has brought forward credible evidence that they were faked. As such, it is likely that they were not.” Occam’s razor works on the same kind of principle. This is often the best kind of analysis we can manage as individuals, and it is exactly this that makes conspiracy theories so difficult to dislodge. Once you adopt a different logic of probability, for instance one where certain people will stop at nothing to keep the truth hidden, your probabilistic reasoning gets thrown out of whack.

How, then, should we deal with competing testimony from ‘experts’ of various sorts, and with the fallout of our imperfect ability to access and understand the world as individuals? If there was a pat and easy answer to this question, it would be enormously valuable. Alas, there is not, and we are left to try and reach judgments on the basis of our own, imperfect, capabilities.

PS. For the record, I believe that the moon was almost certainly walked upon by humans, that Oswald quite probably shot John F. Kennedy on his own initiative, and that the airplanes listed in the 9/11 report as having crashed where they did actually did so. My reasons for believing these things are almost entirely heuristic.

Policy proportionality

Amnesty International display at Blackwell's

I know it’s a theme I have raised many times, but it remains puzzling to me: why are democratic societies so uniquely incapable of accepting the costs associated with terrorism? If you try to circumscribe any kind of dangerous activity, from smoking to extreme sports, you will find plenty of people ready to wave the banner of liberty and claim that the deaths and injuries are worth the costs of the freedom.

If you add up the casualties of all the terrorist attacks worldwide since the end of the Cold War, you arrive at a number that is a small fraction of the number of deaths from alcohol poisoning, from AIDS, from obesity related illness, or from automobile accidents. Heart disease killed 696,947 Americans in 2002, while cancer killed 557,271. About 400,000 died from tobacco usage, while alcohol killed 100,000. And yet there is no call to reorganize society to deal with these horrific threats. We make that choice not because societal re-organization could not eliminate these problems, but because the costs of doing so (or trying to do so) exceed those we are collectively willing to bear to achieve these ends.

In response to a failed two-man terrorist plot in Germany, The Economist claimed that Germany is “immune no more” and that terrorism is sure to “leap up the list” of people’s concerns. Even if the attack had succeeded, it would still be only a blip in the passing into and out of life of the mass of people who we describe as Germany. The same is true of every terrorist plot in history. Yet they have, by contrast, generated shifts in law and power out of all proportion to their lethality or the amount of harm they cause.

Just as terrorists are adept at exploiting the physical infrastructure of modernity to generate and amplify their attacks – coordinating attacks on aircraft over the internet – they exploit the psychology of modernity to generate an emotional impact out of all proportion to the harm caused. The sane response, it seems, is to accept the hundreds or thousands of deaths as a cost we may have to pay in order to continue to live in a free society – just as we accept the deaths from automobile accidents or fatty foods. The point isn’t that we cannot or shouldn’t take precautions (whether we are discussing terrorism or car crashes), but that we should consider them sensibly and in keeping with the actual seriousness and scope of both the threats that exist, and the entities that we may choose to create or empower to deal with them.

Major vulnerability of mechanical locks

Open pin and tumbler lock, from Wikimedia

To those who retain faith in mechanical pin and tumbler locks, a bit of information on the bump key as a means of picking them may unsettle you. It’s a hot topic on many of the news aggregation sites online at the moment (Metafilter and Engadget 1 and 2, for instance), but those who don’t frequent such sites may find it helpful to know. Perhaps the biggest issue is that this technique does not produce signs of forced entry, which may cause problems when making insurance claims.

This Dutch television segment shows how absurdly easy it is to open even quite expensive locks using a key cut in a particular way, an object to whack it with, and no skill whatsoever. Definitely enough to make a person fearful for their laptop, music equipment, etc. That is especially true in an area that has as high a burglary rate as North Oxford. Just last night, Emily saw someone trying to get into her flat. Thankfully, the front door of our flat uses horizontally-oriented “dimple” keys (Mul-T-Lock brand), that are somewhat less vulnerable to this attack (see the last PDF linked at the bottom of this post). Even so, our internal doors, as well as basically all the ones in Wadham College, use the pin and tumbler design vulnerable to bumping. Here is another video on how to make and use a bump-key. Apparently, anyone with a file, a reasonably steady hand, and a bit of time can make their own.

The alternatives generally advanced to get around such vulnerabilities are other sorts of mechanical locks, electronic access control systems, or systems that use both mechanical and electronic elements (a system used increasingly often in cars). While they do have problems of their own, electronic access control systems do have many appealing features. In particular, if one were to use low-cost RFID tags or simple swipe-cards with a pre-set code as an authentication token, it would be easy to maintain a database of allowed and disallowed keys. If you lost your keys, you could disable that one and issue yourself a new one. Likewise, temporary keys could be issued to people, and restrictions could be placed upon the hours at which certain keys could be used. Features like these are what make keycard based systems so appealing, as well as common in commercial settings.

The first downside of such conversion is cost: replacing locks is expensive. Secondly, such systems are open to other kinds of attacks that people may not understand as easily. Thirdly, if an electronic lock fails in a profound way (no longer responds to authentication tokens), you have little choice but to break down the door or saw through the frame and bolt. Once again, the nature of security as a perpetual trade-off is demonstrated.

More detailed information (PDF) on key bumping is available from Security.org. Also, from The Open Organization of Lockpickers (TOOOL) (PDF).

On risk and decision making

In a complex world, understanding risk and responding to it properly is an essential human skill. Every kind of important decision involves it: from making choices about where to get electrical power to deciding whether to walk home through a dark city or let your children use the internet.

The manipulation of risk-related thinking is an increasingly obvious trend, with two major facets. The first is manipulation of the data upon which people base their decisions. The media, for instance, grossly exaggerates many risks. Rare phenomena, by definition, are news. Things that happen all the time (car crashes, domestic abuse) are not. As such, we worry about serial killers and terrorist attacks, when there is a vanishingly small chance either will ever harm us. Even worse, some campaigns actively deceive so as to try and achieve political ends; one particularly harmful example is education systems that misrepresent the effectiveness of contraceptives in hopes of encouraging teenagers to refrain from sex. Such campaigns are both unacceptably patronizing and quite obviously harmful. Another obvious example is the cultivation and exploitation of fear, on the part of governments, as a mechanism for securing increased power and freedom from oversight and criticism.

Such campaigns blend into the second trend: a denial that risk-related decisions must be made at the level of individuals. A natural trend of those in charge is to strip people of their ability to choose, for any of a number of reasons. There are times at which it is reasonable to force people to take certain precautions. Requiring people to have car insurance is a good example. Such cases, however, must be evaluated through public legal and political scrutiny, and justified on the basis of arguments that are critiqued and data that are legitimate and verified.

The intelligent solution is to teach good risk-related thinking. That means learning how to identify the agendas of those providing information. It means having tools to make reasonable assessments of logical arguments, as well as supporting data. That means not keeping people ignorant or keeping essential information secret. And it means teaching a perspective of individual empowerment, where the reality of trade-offs between different risks is acknowledged. Alas, it seems unlikely that such an approach is likely to be widely adopted.

More security, less freedom

While we can all be very glad this alleged plot was foiled, the new rules on carry-on baggage are going to make travelling long distances by plane truly hellish. Without more information, it is impossible to evaluate how justified they are, but they certainly appear to be quite onerous. No water; no books, magazines, or newspapers; no portable electronics of any kind. Of course, either the restrictions or all duty-free shopping will eventually have to go.

It also seems that all EasyJet flights out of all London airports are cancelled. With my EasyJet flight to Dublin in six days, I wonder what is going to happen. They seem to be offering refunds on tickets. Maybe I should take it, then pay the cancellation fee from the hostel.

Such is the power of terrorism: even when we win, we lose.

[Update: 6:52pm] Both of my current roommates have had to re-schedule flights over this: one to Austria and one to Barcelona. It seems likely that another friend’s trip to Madrid will not be happening, and that yet another friend’s flight to Canada tomorrow will be boring and uncomfortable.

[Update: 11 August] Flights from London to Dublin are back on schedule, according to EasyJet. My friend also made it to Madrid today, after all.

Something to try over the weekend: cryptography by hand

For about three and a half hours tonight, I awaited essays from next month’s tutorial students in the MCR. Having exhausted what scraps of newspaper were available, I fell back to reading a copy of Dan Brown’s Da Vinci Code, abandoned by some departed grad student.

Two hundred and sixty pages in, and unlikely to proceed enormously further, I note somewhat pedantically that there have been no codes presented. At best, there have been a series of riddles. The book would be interesting for its historical asides, if I could consider them credible.

Rather than go on about that, I thought I would write an incredibly brief primer on how to actually encrypt a message:

Crypto by hand

In the next few paragraphs, I will show you how to use a simple cryptographic device called a transposition cipher. If you really want to learn it, follow along with a pen and paper. As ciphers go, it is very weak – but it is easy to understand and learn. For starters, we need a secret message. The following is hardly secret, but it will do for a demonstration:

“DAN BROWN IS A DUBIOUS HISTORIAN”

Next, we need an encryption key. For this type of cipher, we need two or more English words that do not use any letter more than once. It is quicker if they have the same number of letters, but I will use two with different numbers of letters to demonstrate the process:

“DUBLIN PINT”

Write the first word of the key onto a piece of paper, with a bit of space between each letter and plenty of space below:

“D U B L I N”

Now, add numbers above the letters, corresponding to their order in the alphabet:

“2 6 1 4 3 5
D U B L I N”

Now, add your message (hereafter called the plaintext) in a block under. If necessary, fill out the box with garble or the alphabet in order:

“2 6 1 4 3 5
D U B L I N
D A N B R O
W N I S A D
U B I O U S
H I S T O R
I A N A B C”

Note how each letter of the first keyword now has a column of text underneath it. Starting with the first column in the alphabetical ordering (B, in this case) copy out the column, starting at the top, as a string of text. Make sure you understand what is happening here before you go on. The first column, read downwards is:

NIISN

Now, add to that string the other columns, read from top to bottom, in alphabetical order. You can leave spaces to make it easier to check:

NIISN DWUHI RAUOB BSOTA ODSRC ANBIA

Clearly, each column section should have the same number of letters in it. Make sure you’ve got the transcription right before going on. Note that the string above is the same letters as are in the original message, just jumbled. As such, this system isn’t smart to use for very short messages. People will realize fairly quickly that “MKLLINAIL” could mean “KILL MILAN.”

Moving right along…

Take the string you generated a moment ago, and put it into a block just like the one you made with the first keyword, except with the second keyword. This time, if you need letters to fill out the rectangle, make sure to use the alphabet in order. You will need to remove the excess letters when working backwards to decrypt, so you may as well make it easier.

“3 1 2 4
P I N T
N I I S
N D W U
H I R A
U O B B
S O T A
O D S R
C A N B
I A A B”

Now we have the message even more jumbled. The final encryption step is simply to copy each column in that grid out, from top to bottom, in alphabetical order according to the second keyword:

IDIOODAA IWRBTSNA NNHUSOCI SUABARBB

Note: the shorter the key, the longer each column will be. The above string is your encrypted text (called ciphertext). This final version is a jumble of the letters in the original message. Remove the spaces to make it harder to work out how long the last keyword is. If you like, you can put that string through a grid with another word. Each time you do that, you make the message somewhat harder to crack, though it obviously takes longer to either encode or decode.

To pass on the message, you need to give someone both the ciphertext and the key. This should be done by separate means, because anyone who has both can work out what kind of cipher you used and break your code. The mechanisms of key exchange and key security are critical parts of designing cryptographic systems – the weakest components of which are rarely the algorithms used to encrypt and decrypt.

To decode it, just make grids based on your keywords and fill them in by reversing the transcription process described above. I am not going to go through it step by step, because it is exactly the same, only backwards.
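The whole procedure above, both directions, as an added Python example that is not part of the original post (and not the blog's own tool mentioned later): each pass pads the block with the alphabet in order, reads columns in the alphabetical order of the keyword, and decryption strips the padding using the original message length, which the ciphertext alone does not reveal. The sample message and keys are the post's own.

```python
"""Double columnar transposition, exactly as the post walks through it.

Keywords must not repeat a letter; columns are read out top to bottom in
the alphabetical order of the keyword's letters.  Incomplete rows are
filled with the alphabet in order (A, B, C, ...), as the post does.
"""
import math
import string


def _column_order(keyword: str) -> list:
    """Column indices in the order they are read out.

    For DUBLIN this is [2, 0, 4, 3, 5, 1]: B first, then D, I, L, N, U,
    matching the numbers the post writes above the letters.
    """
    if len(set(keyword)) != len(keyword):
        raise ValueError(f"keyword {keyword!r} repeats a letter")
    return sorted(range(len(keyword)), key=lambda i: keyword[i])


def _letters_only(text: str) -> str:
    """Drop spaces and punctuation, as the post does when filling the grid."""
    return "".join(ch for ch in text.upper() if ch.isalpha())


def _padded_length(n: int, width: int) -> int:
    return math.ceil(n / width) * width


def transpose_once(text: str, keyword: str) -> str:
    """One pass: write text row by row under the keyword, read columns out."""
    keyword = keyword.upper()
    width = len(keyword)
    pad = string.ascii_uppercase[: _padded_length(len(text), width) - len(text)]
    block = text + pad
    rows = [block[i:i + width] for i in range(0, len(block), width)]
    return "".join(row[col] for col in _column_order(keyword) for row in rows)


def untranspose_once(cipher: str, keyword: str) -> str:
    """Reverse one pass; the cipher length must be a multiple of the keyword length."""
    keyword = keyword.upper()
    width = len(keyword)
    if len(cipher) % width:
        raise ValueError("ciphertext length is not a multiple of the keyword length")
    height = len(cipher) // width
    columns = [""] * width
    for pos, col in enumerate(_column_order(keyword)):
        columns[col] = cipher[pos * height:(pos + 1) * height]
    return "".join(columns[c][r] for r in range(height) for c in range(width))


def encrypt(plaintext: str, keywords: list) -> str:
    text = _letters_only(plaintext)
    for kw in keywords:
        text = transpose_once(text, kw)
    return text


def decrypt(ciphertext: str, keywords: list, plaintext_len: int) -> str:
    """plaintext_len tells us how much padding to strip after each layer."""
    lengths = [plaintext_len]                 # block sizes in encryption order
    for kw in keywords:
        lengths.append(_padded_length(lengths[-1], len(kw)))
    text = _letters_only(ciphertext)
    if len(text) != lengths[-1]:
        raise ValueError("ciphertext length does not match the keys and plaintext length")
    for kw, keep in zip(reversed(keywords), reversed(lengths[:-1])):
        text = untranspose_once(text, kw)[:keep]
    return text


def grouped(text: str, size: int) -> str:
    """Space out the string one column at a time, as the post displays it."""
    return " ".join(text[i:i + size] for i in range(0, len(text), size))


if __name__ == "__main__":
    MESSAGE = "DAN BROWN IS A DUBIOUS HISTORIAN"   # the post's sample message
    KEYS = ["DUBLIN", "PINT"]                      # the post's sample key
    inner = transpose_once(_letters_only(MESSAGE), KEYS[0])
    print(grouped(inner, 5))                       # NIISN DWUHI RAUOB BSOTA ODSRC ANBIA
    ciphertext = encrypt(MESSAGE, KEYS)
    print(grouped(ciphertext, 8))                  # IDIOODAA IWRBTSNA NNHUSOCI SUABARBB
    print(decrypt(ciphertext, KEYS, len(_letters_only(MESSAGE))))
```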

If anyone finds out about the credibility of Mr. Brown’s historical credentials, it won’t be my fault.

One word of warning: this system will not keep your secrets secure from the CIA, Mossad, or even Audrey Tautou. This cipher is more about teaching the basics of cryptography. If you want something enormously more durable that can still be done by hand, have a look at the Vigenère cipher.

PS. It is rumored that this very blog may contain a tool that automates one form of Vigenère encryption and decryption. Not that it is linked in the sidebar or anything…

[Update: 27 July] Those who think they have learned the above cipher can try decrypting the following message:

BNTAFREEHOOI-LTOSIRISOTWD-FTNWAOEYSOXT-ERASEAAAKGVE

The segment breaks should make it a bit easier. The key is:

SCOTLAND HIKE

Good luck, and please don’t post the plaintext as a comment. Let others who want to figure it out do so.

On password security

I was talking with Kelly today about passwords, and how they are a fundamentally weak form of security. Supposedly, we are all meant to have different passwords for every site, so that one database being compromised by an external hacker or malicious insider won’t lead to our email and other sites being at risk. Also, we are supposed to use long and complex passwords with case-changes, numbers, punctuation, etc. (Think ‘e4!Xy59NoI2’) Together, these two requirements far exceed the capability of most human beings.

The real solution is to back up passwords with something else, so that they don’t need to be so strong. This is called two-factor authentication, and it could include something like a smart card that people carry and slot into computers along with a password so as to authenticate themselves. This is already used in cars. Inside the key of newer cars is a little chip with a radio antenna. When you try to use the key to start the car, a radio message is broadcast by the car. The chip detects it, does a bit of thinking to generate a response that authenticates the key, and re-broadcasts it. Using both the physical profile of the key and the radio challenge-response authentication system, attacks based on picking locks or freezing and cracking the cylinder inside them can be circumvented. The system obviously isn’t impossible to foil, but it is substantially more difficult in relation to the additional cost.

In the computer context, such two-factor authentication could take other forms: for instance, a little card that listens to a series of tones from an external source (over the phone, or from a computer), passes them through an algorithm and emits a series of tones in response to authenticate. This is just doing with audio what a smart card does with electricity. Ideally, the second factor would be like a credit card, in that you could have it cancelled and re-issued in the event that it is lost or stolen, immediately disabling the missing unit.
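The challenge-response exchange described in the two paragraphs above, as an added Python example that is not from the post and does not describe any real car immobiliser or token: the car sends a fresh random challenge, the key's chip answers with a keyed hash of it, and the car checks the answer against the secrets of the keys it has paired. HMAC-SHA256 stands in for whatever the chip really computes (an assumption), and the example also shows the two properties the post cares about: a response overheard once is worthless against the next challenge, and a lost key can be cancelled by dropping it from the car's table.

```python
"""Challenge-response between a car and its key, as sketched in the post.

Constructed illustration: the shared secret and key id are made up, and
HMAC-SHA256 is assumed in place of the chip's actual function.
"""
import hashlib
import hmac
import secrets


class KeyFob:
    """The chip inside the key: holds a secret and answers challenges."""

    def __init__(self, key_id: str, secret: bytes):
        self.key_id = key_id
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Car:
    """Remembers the secrets of paired keys and issues single-use challenges.

    Removing a key from the table is the 'cancel and re-issue' property the
    post wants from a second factor.
    """

    def __init__(self):
        self._paired = {}        # key_id -> shared secret
        self._pending = None     # the challenge currently awaiting an answer

    def pair(self, fob: KeyFob) -> None:
        self._paired[fob.key_id] = fob._secret

    def revoke(self, key_id: str) -> None:
        self._paired.pop(key_id, None)

    def issue_challenge(self) -> bytes:
        # Fresh randomness every time, so no earlier answer can be reused.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def verify(self, key_id: str, response: bytes) -> bool:
        challenge, self._pending = self._pending, None   # one answer per challenge
        secret = self._paired.get(key_id)
        if challenge is None or secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time compare


def start_with_key(car: Car, fob: KeyFob) -> bool:
    """The honest exchange: car asks, key answers, car checks."""
    return car.verify(fob.key_id, fob.respond(car.issue_challenge()))


def replayed_response_accepted(car: Car, fob: KeyFob) -> bool:
    """Would an answer overheard in one session open the car in the next?"""
    recorded = fob.respond(car.issue_challenge())
    car.verify(fob.key_id, recorded)          # the genuine session succeeds
    car.issue_challenge()                     # next session, new challenge
    return car.verify(fob.key_id, recorded)   # the stale answer is rejected


def demo() -> tuple:
    """Returns (honest start, replayed start, start after the key is revoked)."""
    car = Car()
    fob = KeyFob("fob-1", b"constructed demo secret, not a real key")  # made up
    car.pair(fob)
    honest = start_with_key(car, fob)
    replay = replayed_response_accepted(car, fob)
    car.revoke("fob-1")                       # key reported lost
    after_revoke = start_with_key(car, fob)
    return honest, replay, after_revoke


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```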

Until such a system emerges, it seems sensible to have tiers of passwords. I have two really weak passwords for things that I sometimes share with close friends. Then, I have a password for low-risk sites where there is no real harm that can come from my account being compromised. Then, I have a cascade of ever-stronger passwords. Something like LiveJournal has a pretty strong password, because it would be a pain if somebody took it over. The general vulnerabilities of passwords are:

  1. Someone could guess it (either manually or with a brute force attack)
  2. Someone could watch you type it in
  3. Someone could install a hardware or software keystroke logger on a machine where you enter it
  4. Someone could break into a database that contains it, then try using it on other sites you use
  5. Someone could extract it from a program on your computer that stores them in an insecure way (like Windows screen-saver passwords, which can be learned using a simple program)

Most of these require physical access to a machine that you use. I would guess that the most common of these is number four. Given that most people use the same password for everything, some underhanded employee at your ISP or webmail provider could probably grab it pretty easily, as well as information on other sites you use. (Hashing algorithms are one way this risk can be mitigated, on the server side, but that’s a discussion for another day).

At the top level, there are things that demand a really strong password: for instance, webmaster control accounts or anything connected to money. For these, I use random alphanumeric strings of the maximum permitted length, never re-using one and changing them every month or so.

Obviously, I cannot remember these for several banks and websites. As such, I write them down and guard them. I am much better at guarding little bits of paper than at remembering random strings of data. I regularly carry around little bits of paper worth tens of Pounds, and little bits of plastic worth thousands of Pounds, if only until disabled. Indeed, I have been guarding bits of paper for well over a decade.