My bud Hans and I tonight tested out encrypted VoIP with ZRTP. I noticed a while back that Twinkle supports it and have wanted to test it out, but none of my desk phones support ZRTP.

It was fun. When the call terminated, Twinkle displayed a cute message about verifying the SAS (short authentication string). It was a 4-character string (hprj, if you're curious) that represented our encryption key. It's the way ZRTP verifies that a man-in-the-middle attack is not underway. There was a padlock icon which we both clicked to verify that the SAS was correct. I'm not sure what, if anything, happened because of that, except that we both verified that our SIP phones have not been tapped by the feds.

In the SDP, ZRTP is advertised with "a=zrtp". It's not a separate protocol per se. The actual codec was selected through the normal means (we used speex/16000). Looking at the RTP data, I see a whole bunch of "AES256", "SHA256" and "DH4096". Presumably that's part of the ZRTP negotiation. I didn't delve further. What I do see is that the packets still look like ordinary Speex RTP, but the payload has been encrypted so it would be meaningless to a passerby.
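To make the man-in-the-middle argument from above concrete, here is an added simulation (not Twinkle's or ZRTP's code): a toy Diffie-Hellman exchange with a 4-character SAS taken from a hash of the resulting secret, once with the two phones talking directly and once with an interceptor keying each leg separately. The tiny group, the hash-to-SAS step and the base32 alphabet are simplifications assumed for the demo, not ZRTP's actual key derivation.

```python
import hashlib
import random

# Toy Diffie-Hellman group. 2**127 - 1 is prime but far too small for real use;
# it is chosen only so the simulation runs instantly. ZRTP's real groups and its
# key derivation differ; this models just the MITM-detection argument.
P = 2**127 - 1
G = 5

# Alphabet assumed for rendering the SAS (ZRTP uses a base32 alphabet of this kind).
ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"

def keypair(rng):
    priv = rng.randrange(2, P - 1)
    return priv, pow(G, priv, P)

def shared_secret(priv, peer_pub):
    return pow(peer_pub, priv, P)

def sas(secret):
    """Render the first 20 bits of SHA-256(secret) as 4 base32 characters."""
    digest = hashlib.sha256(secret.to_bytes(16, "big")).digest()
    bits = int.from_bytes(digest[:3], "big") >> 4
    return "".join(ALPHABET[(bits >> shift) & 31] for shift in (15, 10, 5, 0))

def direct_call(rng):
    """Alice and Bob exchange public values directly; both derive one secret."""
    a_priv, a_pub = keypair(rng)
    b_priv, b_pub = keypair(rng)
    return sas(shared_secret(a_priv, b_pub)), sas(shared_secret(b_priv, a_pub))

def intercepted_call(rng):
    """Eve replaces each public value with her own and keys both legs herself."""
    a_priv, a_pub = keypair(rng)
    b_priv, b_pub = keypair(rng)
    e_priv, e_pub = keypair(rng)
    alice_sas = sas(shared_secret(a_priv, e_pub))   # Alice's real peer is Eve
    bob_sas = sas(shared_secret(b_priv, e_pub))     # and so is Bob's
    # The crypto alone cannot notice: Eve really does hold both session keys ...
    assert shared_secret(e_priv, a_pub) == shared_secret(a_priv, e_pub)
    assert shared_secret(e_priv, b_pub) == shared_secret(b_priv, e_pub)
    # ... but the two ends now hold different secrets, so the strings they read
    # out to each other will not match (except with probability 2**-20).
    return alice_sas, bob_sas

def run_demo(seed=None):
    """Return (direct-call SAS matched, intercepted-call SAS matched)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    a, b = direct_call(rng)
    c, d = intercepted_call(rng)
    return a == b, c == d

if __name__ == "__main__":
    print(run_demo())   # (True, False)
```

The seed parameter exists only to make a run reproducible; a real phone draws its private value from a secure random source.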

Based on this testing, I predict good things for ZRTP. It was quite painless to use as a caller. As long as it's enabled by default in the phone, there's really nothing else that a user has to do to use it. The SAS is short and you only have to verify it if you care. Phil Zimmermann says that you don't even have to verify the SAS every time. Just once in a while is good enough. And obviously anytime you're conducting private business (which is not the same thing as illegal business). The simple fact that ZRTP is used every time means that you can't tell whether a call is valuable or not just based on it being encrypted.

The one possible weakness of ZRTP is that it doesn't hide any of the signalling data, so a spy would be able to see who you were calling. That problem would be quite hard to solve. I'm not sure of the benefit either, as the cost to mask that information is much higher. You pretty much have to know all the routing information ahead of time. Even then, an eavesdropper could still see the two IP addresses involved, which will give away some amount of information. So for now, ZRTP is a good solution.


Deal or No Deal

Deal or No Deal is a fun show to watch for really only one reason, at least to me. It shows me why so many people waste so much money at casinos: because they never paid any attention in math class.

I'll skip the overview and just point you to the writeup on Wikipedia if you're not familiar.

The heart of my rant is this: when the contestant gets down to a few cases left, they start saying things like "33% chance that his case contains $1,000,000". But when you get down to the math of it, that just isn't so. I know that because I actually learned something in my statistics class in college. I took it twice, so I should hope so!

Here's the problem: when the contestant makes his initial pick from the unmarked cases, he has a 1/30 chance that it contains $1,000,000. That should be pretty obvious, right? What people don't understand is that those odds don't change during the course of the game. When there are just three cases left, the odds that the lucky contestant's case has $1,000,000 are still 1 in 30!

I find myself hoping that the contestant opens the big money and has to settle for $500. So in that way, I do have fun watching the show. Probably not the sort of thing the person playing the game would hope for, but what do I care? But do yourself a favor and read about the Monty Hall problem until you understand how it works. You might be surprised how often it will come in handy.

And if you ever get on Deal or No Deal and want to go for broke, that's fine. It might be fun for you. Just don't expect probability to be on your side. But when you win, do remember who tried to help you. :)

Leads Online

I ran across a site today named Leads Online. It's a tool for law enforcement to collaborate with pawn shops and the like. Essentially the pawn shop uploads all of its transactions at the end of the day, and then if a law enforcement agency is looking for some stolen stuff, they search through the database. Leads Online's pitch is that it's a convenient and easy service that helps the good guys catch the bad guys.

My first thought was substantially different. I don't really relish the thought of law enforcement having carte blanche access to business records, possibly without warrants. There's some good potential for abuse there. I recently read through all the Idaho Falls city ordinances (yes, it was actually interesting) and I'm aware that pawn shops are required to keep records of purchases for 2 weeks (IIRC), just in case a question of ownership arises. But there is not a requirement for them to proactively send those details to the police department. That seems to be a fair trade.

One immediate concern I have is that, being a private company, they are not subject to the laws that courts and police would be. They don't have to answer Freedom of Information Act requests. They aren't subject to public oversight. I don't think we should be outsourcing our key public infrastructure to private industry whose primary motivation is the almighty buck.

Even more than that, what really scares me isn't the intended uses but the ways the system could be expanded. There are all sorts of ways the database could be reused for marketing purposes, thus invading the privacy of sellers and buyers alike. There are pathetic privacy laws in the country, so it's hard to believe that anyone would have any recourse.

And what if law enforcement decided they wanted to browse through the database? The obvious abuse would be looking for religious material. Yeah, it seems pretty unlikely but the point isn't that we trust good people. I know a few law enforcement people and I would have no qualms with them using something like this. The point is that just as there are unscrupulous citizens, there are unscrupulous police. We need to make sure the system fails gracefully and I don't believe this one does.



I had the dubious honor the last couple days of breaking up an argument between a Linksys PAP2T and a Linksys WRT54G. You might think they would work well together, coming from the same family and all. Well not really.

The problem was caused by the WRT54G (version 5, btw), which refused to route SIP traffic back to the PAP2T. It was allowing HTTP and DNS traffic just fine, but it balked at SIP for some reason. The symptoms were that the PAP2T kept sending REGISTER requests that never answered a WWW-Authenticate challenge. For a long time I thought it was a setting on the PAP2T, but instead it was because the PAP2T never got the WWW-Authenticate challenge, so it obviously couldn't respond. A dead giveaway should have been that the PAP2T would send 5 REGISTER requests in a row. It must have figured there was network congestion or something, so it was retransmitting.

The solution was to upgrade the WRT54G from version 1.00.0 to 1.02.2. Some bug in the 1.00.0 firmware caused the issue and now it's resolved. I haven't looked at the release notes to see what it was, and frankly I probably won't. I've never really liked the version 5 WRT54Gs and this just helps solidify it.
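The distinction that took a while to see here, repeated identical REGISTERs with no challenge ever arriving versus a phone that gets the 401 and ignores it, is easy to check mechanically. Below is an added example (not Linksys code) that runs that diagnosis over constructed SIP traces; the host pbx.example.net, the Call-ID and user 2001 are made-up values, and the messages are trimmed to the headers the check needs.

```python
# Constructed SIP messages, trimmed to the headers the diagnosis needs.
def register(cseq, auth=False):
    hdrs = ["Call-ID: 7f3a@192.168.1.20", f"CSeq: {cseq} REGISTER"]
    if auth:
        hdrs.append('Authorization: Digest username="2001", '
                    'realm="pbx.example.net", response="0123abcd"')
    return "REGISTER sip:pbx.example.net SIP/2.0\r\n" + "\r\n".join(hdrs) + "\r\n"

def reply(status, cseq):
    msg = f"SIP/2.0 {status}\r\nCall-ID: 7f3a@192.168.1.20\r\nCSeq: {cseq} REGISTER\r\n"
    if status.startswith("401"):
        msg += 'WWW-Authenticate: Digest realm="pbx.example.net", nonce="9e1f"\r\n'
    return msg

# What the router bug looked like: five identical REGISTERs, nothing coming back.
ROUTER_DROPS_REPLIES = [("out", register(1))] * 5
# What a mis-set phone would look like: it gets the 401 but never answers it.
PHONE_IGNORES_CHALLENGE = [("out", register(1)), ("in", reply("401 Unauthorized", 1)),
                           ("out", register(2))]
# A healthy registration: challenge, answered challenge, 200 OK.
HEALTHY = [("out", register(1)), ("in", reply("401 Unauthorized", 1)),
           ("out", register(2, auth=True)), ("in", reply("200 OK", 2))]

def headers(msg):
    """Return (start line, {lower-cased header name: value})."""
    start, *rest = msg.split("\r\n")
    return start, {k.strip().lower(): v.strip() for k, v in
                   (line.split(":", 1) for line in rest if ":" in line)}

def diagnose(trace):
    """Classify one REGISTER attempt; returns (verdict, retransmission count)."""
    challenged, retransmits, last = False, 0, None
    for direction, msg in trace:
        start, hdr = headers(msg)
        if direction == "out" and start.startswith("REGISTER"):
            key = (hdr.get("call-id"), hdr.get("cseq"))
            if key == last:          # same Call-ID and CSeq: a retransmission
                retransmits += 1
            last = key
            if challenged and "authorization" not in hdr:
                return "CHALLENGE_IGNORED", retransmits   # phone-side problem
        elif direction == "in" and start.startswith("SIP/2.0 401"):
            challenged = True
        elif direction == "in" and start.startswith("SIP/2.0 200"):
            return "REGISTERED", retransmits
    if retransmits and not challenged:
        return "NO_CHALLENGE_RECEIVED", retransmits      # path-side problem
    return "INCONCLUSIVE", retransmits

if __name__ == "__main__":
    for name, trace in [("router", ROUTER_DROPS_REPLIES),
                        ("phone", PHONE_IGNORES_CHALLENGE), ("healthy", HEALTHY)]:
        print(name, diagnose(trace))
```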


Egg Nog

People seem to have strong feelings about egg nog, mostly negative. I wondered how much of that might be because of commercially available egg nog, since oftentimes home-made items will taste vastly different from something purchased at the store. Such is certainly true of chocolate chip cookies and bread, to name a couple. A lot of factors play into that, I suppose. I decided to whip up a batch and find out.

The recipe I followed was of course Alton Brown's, he being my go-to guy with recipes. Be warned that it calls for raw eggs which some people are sissies about. Not me, no sir.

Simply put, you make the nog in two steps. First is whipping up the yolks with sugar. Then toss in the cream, milk and nutmeg (I had to substitute cinnamon, as I discovered too late that I was out of nutmeg). In another bowl you whip up the whites to stiff peaks, then combine. I chose to whip the eggs by hand and let's just say I don't plan to do that again. Ouch.

The biggest difference from store-bought (and I'm going from memory on this) was the viscosity. Store-bought nog is pretty thick, kinda makes you feel 10 pounds heavier after drinking it. Alton Brown's was nothing like that. I started with 3 cups of liquid, plus eggs, and ended up with about 6 cups of egg nog. All the difference was air and I could definitely taste it.

I also liked that I could add my own flavoring. As I mentioned, I used cinnamon which was good. I also tried a bit with hazelnut syrup and that was nice too. I bet most of your coffee syrups would be yummy too.

Bottom line, this egg nog is a keeper.


Mark Cuban on P2P

Generally speaking I find most of what Mark Cuban has to say fairly good, but today I have to disagree. His latest rant against P2P, I think, starts off with faulty premises, so the conclusions don't hold.

As a consumer, I want my internet experience to be as fast as possible. The last thing I want slowing my internet service down are P2P freeloaders. That's right, P2P content distributors are nothing more than freeloaders. The only person/organization that benefits from P2P usage are those that are trying to distribute content and want to distribute it on someone else's bandwidth dime.

Have we conclusively shown that P2P slows down the Internet? I'd like to see the proof of that. It's apparent that what he's mainly complaining about here is the amount of upload traffic. If somebody downloaded the same content via non-P2P, aka the non-freeloading way, they would eat up the same amount of download. So the only difference is the extra upload with P2P. Is that really a problem though? I can tell you, my network has upload to spare. I would estimate that our upload traffic is about half of what the download is at.

Does anyone really think it's free? That all the bandwidth consumed with content being distributed by P2P isn't being paid for by someone? That bandwidth is being paid for by consumers.

When I buy a DS3, I get 45 Mbps of bandwidth in each direction. I have to have enough to support the download demands of my customers and I just get the upload to boot. It's just sitting there. So yeah, the consumer is paying for it, but there's no way to recover that cost. Even if every consumer stopped uploading, they would still pay the same amount. Why not put it to some good use?

And there is a good use. If that bandwidth isn't used by the P2P content distributors, they end up forking out additional money on their end for the extra bandwidth. They then have to pass the cost on to consumers. Why should consumers pay twice?

Consumers who pay for personal, not commercial applications. When consumers provide their bandwidth to assist commercial applications, they are subsidizing those commercial applications which if it isn't already, should be against an ISP's terms of service.

I'm a little surprised, honestly, to see Cuban talk about consumers as people who just eat and eat whatever the big media companies feel generous enough to feed them. What about the generation of the long tail? Consumer-created content and all that jazz? I realize that most of what's going on with P2P is unauthorized distribution of other people's copyrighted works, but baby, bathwater. You know the saying.

And finally, to round out my argument I will point out that blocking P2P isn't an easy task. P2P software designers have made it hard on purpose. That means ISPs have to shell out for big hardware to do the task. Who ends up eating those costs? I would have to redesign my network in order to even accommodate the devices, which would add even more.

I won't even get into the whole neutrality debate. That's a can of worms for another day.


On Food Recalls

Certainly you haven't missed the rash of food recalls. One that stands out in particular is that of the Topps Meat company, which recalled 21.7 million pounds of hamburger patties due to possible E. coli contamination. This eventually led to the company going bankrupt and closing its doors. I also remember the bagged spinach debacle from last year, because a local kid died from the illness and because I grew some mighty fine spinach in my garden last summer, so I didn't worry for a second that I would be at risk from eating the affected food.

Well just today, moments ago in fact, I discovered that the latest recall has hit my freezer. General Mills has recalled a number of frozen pizza products including the "10.7-ounce packages of 'Totino's The Original Crisp Crust Party Pizza, Combination Sausage & Pepperoni Pizza'". I purchased them some weeks back to feed to the kids and in fact the only reason they're still in my freezer rather than in my children's bodies is that the smell of them makes my wife vomit. Don't be surprised by that though. She's pregnant and everything makes her drive the porcelain bus.

Seeing all these food recalls has really got me to thinking about food policy in this country, specifically to the lack of a sane food policy. Look no farther than the farm bill which subsidizes food in the exact opposite proportion of that which the FDA recommends to us for better health. I have just a few questions which I would really like some answers to.

  1. What is the USDA actually doing, since they're clearly not protecting our food supply? You can see the little "Inspected" symbol on my box of pizza, but obviously they didn't check closely enough. I could cut them a little slack if they missed this E. coli outbreak because they were all busy playing Halo 3. I mean, c'mon. That's a fair excuse. But I suspect instead it's because the USDA is so filled with corporate goons from the very industry it's meant to police. They've got little incentive to do anything about all the problems.
  2. Why do people keep buying this crap? Literally. You do know where E. coli comes from, right? Perhaps I should explain why I bought "this crap" in the first place, especially since I really should know better. It's because of the aforementioned pregnancy, which has sent me scurrying around the supermarket trying to find something, anything, that we can eat without disgusting my wife. It's getting pretty tough. This was just one of the many things I would normally not buy.

    Consider also that this is the cheapest form of calories in the store. Dollar for dollar you can buy more calories in a frozen pizza than you can in say a carrot (props to my man Michael Pollan whose book I will review shortly). If you look at the waistline of Americans, those are typically calories we can do without. But profits are to be had, so companies go for it.

  3. Why are these pathogen outbreaks a nationwide epidemic? While food contamination is a mostly preventable problem, it's going to be impossible to completely obviate it. But let's go back to the spinach incident of last year. If the spinach I bought this year (mine all died the moment it sprouted) had been contaminated, I would know exactly who infected it: the wonderful folks at Shoemaker Farms in Blackfoot, ID who sold me a big bag of fresh spinach at the farmers market. He told me that when the news came out, he couldn't give his spinach away until he put up a sign saying that he grew it locally. What a crying shame, because they have some of the best produce I've ever had.

    Of late I've been trying to change to a more local diet. We now get our milk at the local dairy (and in fact, it's cheaper now since gas prices have skyrocketed). I spent more time at the farmers market this year than last. I intend to join the new food coop that is getting started up here in Idaho Falls, possibly tomorrow even. We've gotten into canning our own food, my favorite probably being the tomatoes (which we got from Shoemakers).

    It's impossible to change our track and revert out of this global economy that we've constructed, and I'm not sure that I would want to anyway. But just because something can be done, doesn't mean it should. We definitely need to import chocolate from Africa and South America. It just doesn't grow here, so that's our only option. But we shouldn't be bringing in New Zealand apples during the height of North American apple season. Give me a break! (And if you're buying apples in September, you've clearly got no friends.)

That's enough ranting for now. I hope dear reader that you will be spurred to some introspection. I am definitely not the model of perfection, as evidenced by the fact that I bought the contaminated pizza-like cardboard object in the first place. Slowly I'm getting better though. I find that I think a lot more about my food purchases and that's really what I hope to inspire in you. I think I'll send in the UPCs from my pizza boxes, just to send General Mills through the hassle, but I can tell you for certain I won't be redeeming any coupons for frozen pizzas.


Net Neutrality

Ed Felten has a wonderful blog entry on Net Neutrality, unsurprisingly. Also no shock is that he totally agrees with me. That's how we know he's a smart guy.

To sum up, net neutrality sounds like a good thing and I believe it is, but I fear that many are too quick to rush to legislate it. I mean, this is Congress we're talking about. That's who you want controlling your Internet? Seriously?

The far better solution is competition. The more players in the game, the better the service will be for the customer. There's no doubt about that in my mind. I think a much better use of tax dollars would be to build municipal fiber networks and allow one and all to offer services on it. I see a lot of benefits and few drawbacks to a model like that. Well, few drawbacks unless you're a mega-ISP who hates its customers. Which is a pretty good benefit too.


IIS Is Paranoid

Back in July I went to the Idaho Department of Transportation's website with the intent to renew my car registration. I was rather surprised that the connection was "reset by peer". OK, their site is having trouble. I'll just come back later, right? Next day, same thing. That's when I got suspicious. I played around for a while and discovered that by changing the browser identification string, I could get in. Well, that was good because I was rather uninterested in getting arrested for driving illegally.

Once things settled down, I wrote to their webmaster and complained. I was a little rude the first time, yammering on about tax dollars and discriminating. I knew that would get their panties in a wad, and it worked. They responded and asked for clarification. I provided them with quite detailed info (maybe too detailed) and offered to work with them to get it resolved. They never wrote back and I forgot about it.

Well flash forward to this evening when the same thing happened again, this time on Idaho Public Television's website. I knew it couldn't be a fluke that I'd get the same reaction with the same workaround. One difference is that I've been to Idaho PTV's website on this computer before, using this same browser, so they must have changed something on their end to cause it.

First I eliminated ColdFusion, which Idaho PTV is using but IDT isn't. Then I looked at the web servers: Idaho PTV is IIS 5.0 and IDT is IIS 6.0. Well, I had assumed they must be running IIS, because what other crackpot web server out there would do something so inane?

Finally I stumbled upon the perfect test: grab a capture of the headers that Firefox sent and make slight alterations until I figured out the exact character or combination of characters to break their site. And that is what I did. I saved the headers to a text file and piped them to netcat, that most useful of network tools. Here is the browser string as it appeared unaltered:

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20061201 Firefox/ (Ubuntu-feisty)

Starting from the end, I removed "(Ubuntu-feisty)" from the browser and tried it out. Voilà! That was the offending part. Lucky for me I got it on the first try.

I narrowed it down by process of elimination to the four characters "isty". They can appear anywhere in the User-Agent header and it will immediately cause IIS to send a TCP reset. Not even an HTTP error code, but a RST. I tried it in other headers and there was no problem (e.g. X-Linux-Distro: Ubuntu-feisty).

The only sense I could make out of this behavior is some sort of security setting in IIS. It's doing some sort of content analysis and determining that anybody who uses the letters "i", "s", "t" and "y" in the User-Agent header is a bad guy. With logic like that, you'd think the IIS team was working for the TSA. Hmm, a conspiracy maybe? Anyway, I remember when I was a lowly IIS admin that there was some security lockdown tool that Microsoft recommended. I wonder if that's what's doing it. Or maybe it's antivirus software. It's hard to say. I think I have a good lead with Idaho PTV since it just started happening. Surely they must remember the changes they've made to their production web server. I might just write to them and find out.

In the meantime, I smell some sort of nefarious hack here but I can't come up with anything good. Somehow you've got to be able to leverage this bug to bring doom upon unsuspecting IIS users. If you've got any ideas, please post them in the comments.


Air Travel

I had the dubious pleasure the other week of flying to Oregon to pick up my wife and drive her home. She was feeling pretty sick and just wasn't up to the drive. The trip was planned at the very last minute and while I'm glad to help out my wife of course, it was a fairly stressful adventure. It's a good thing the TSA was on the job to keep me from relaxing.

Understand that I haven't flown on a plane since 1999. So first I went to the TSA's website and read up on the rules for what I could have in my carry-on. They say to think of "3-1-1" to help you remember the rule. Apparently it means "take 3 things you want to have with you, put them in 1 box, leave them at home and take your 1 sorry self to the airport". I couldn't make heads or tails of the rules, so I didn't take any liquids or gels.

If you look closely at the boarding pass to the right, you'll see at the bottom it says "SSSS". That's code for "we think you're a terrorist". I think the facts that I booked the night before, that I was flying one way, that I didn't check any baggage, that I'm male, and that I'm not a frequent flier all contributed to that assessment.

What annoyed me most wasn't the fact that I had to go through these absurd security checks. If they were done randomly, I would feel a lot better about their use. But mostly it bugged me that I didn't find out about it until after I showed them my ID, a rule I think is totally ridiculous. As if the 9/11 hijackers didn't have valid IDs. As if the no-fly list is even a useful tool. At last count it had around 500,000 people. If there were that many terrorists in this country, we'd be finding bombs on every corner.

Then I hear that the next tool the TSA wants to deploy is forcing everyone to book 3 days in advance! It just defies logic. By their count, they'll inconvenience 7-10% of passengers. The only numbers I could find (I admit I stopped at the first hit) were that in 1997 500 million passengers flew in the US. They seriously think that 35-50 million people are now terrorists? It's mind boggling.

I understand that people want to do something about terrorists, but there's too much doing without thinking. Most of our politicians and bureaucrats are acting based on emotion, which is a poor way to function.

