March 28, 2024

Archives for September 2008

Preparing for a natural disaster

As Tinker readers may know, I live in Houston, Texas, and we’ve got Hurricane Ike bearing down on us.  Twenty-four hours ago, I was busy with everything else and hadn’t even stopped to think about it.  Earlier this week, the forecasts had Ike going far south of here.  That all changed and now it appears likely that Ike will hit the Texas coast not to far away.  The eye of the storm is probably not going anywhere near us, but we’ll be on the “dirty” side of the storm, and that means lots of rain and possible power outages.

Yesterday, I went to the supermarket and stocked up on assorted non-perishable goods, waters, batteries, and all that.  The lines were entirely reasonable.  The supermarket was clearly more prepared than I was, bringing in several shipping palettes of bottled water.  (Today, I’d bet the supermarket is crazier, but I’m not heading there to find out.)

My house is 51 feet above sea level and is outside the statutory flood plain.  At least in theory, I don’t have to worry much about flooding.  The most likely concern would be wind-driven rain getting through the not-terribly-well-sealed front door or some of the “French doors” that our builder overused on the house.  (“French doors”, which I doubt have much to do with France, are double doors, hinged on the side, and meeting in the middle where they latch to one another.)  My plan is to run a seam of duct tape around around the outside of the doors and windows on the first floor.  We’ll get in and out via the garage (which we tend to do, anyway).  I’m not going to try climbing up a ladder to the second story, since those “casement” windows seem to be more solid.

To evacuate or not to evacuate?  That’s the question.  When Hurricane Rita came through three years ago, we spent a thoroughly unpleasant 17 hours driving from Houston to Dallas (normally a four hour drive), where my parents live.  This time, our plan is to ride out the storm and then evaluate what we’re doing next.  Assuming the house is intact and we have power, we’ll be fine.  If we lose power and it appears unlikely to come back any time soon, or if our house is thrashed, then we’ll worry about evacuating.

Of course, I have to worry about more than just my family.  I also have to worry about my research group, the students in my classes, and so forth.  My security class meets this afternoon.  We’ll be talking about disasters.  (I tried to get some people from our university’s IT department to come talk about their disaster preparation, but unsurprisingly they’re busy preparing.  I’ll try to get some of them after it’s all over.)

For our research group, I’ve got a paper in the works for NDSS ’09, whose submission deadline is basically the same as when the hurricane is due.  The chair was nice enough to give us an extension, so now we just have to work out how we can keep doing the writing, even if there’s no power around.  (Felten has graciously offered to host our subversion server.  Luckily, the experimental work is all done, so it’s just a matter of getting it written up properly.)

Who knew disaster preparation could be so much fun?

A curious phone scam

My phone at work rings.  The caller ID has a weird number (“50622961841” – yes, it’s got an extra digit in it).  I answer.  It’s a recording telling me I can get lower rates on my card (what card?) if I just hit one to connect me to a representative.  Umm, okay.  “1”.  Recorded voiced: “Just a moment.”  Human voice: “Hello, card center.”

At this point, I was mostly thinking that this was unsolicited spam, not a phishing attack.  Either way, I knew I had a limited time to ask questions before they’d hang up. “Who is this?  What company is this?”  They hung up.  Damn! I should have played along a little further.  I imagine they would have asked for my credit card number.  I could have then made something up to see how far the interaction would go.  Oh well.

Clearly, this was a variant on a credit card phishing attack, except instead of an email from a Nigerian dictator, it was a phone call.  I’m sure the caller ID is total garbage, although that, along with the demon-dialer, says that the scammer has some non-trivial infrastructure in place to make it happen.

So, the next time one of you receives an unsolicited call offering to get you lower rates on your card, please do play along and feed them random numbers when they ask for data.  At the very least, there’s some entertainment value.  If you’re lucky, you might be able to learn something that would be useful to mount a criminal investigation.  Maybe half-way through you could suddenly have an important meeting to get to and see if you can get them to give you a callback phone number.

Update: reader “anon” points to an article from The Register that discusses this in more detail.

It can be rational to sell your private information cheaply, even if you value privacy

One of the standard claims about privacy is that people say they value their privacy but behave as if they don’t value it. The standard example involves people trading away private information for something of relatively little value. This argument is often put forth to rebut the notion that privacy is an important policy value. Alternatively, it is posed as a “what could they be thinking” puzzle.

I used to be impressed by this argument, but lately I have come to doubt its power. Let me explain why.

Suppose you offer to buy a piece of information about me, such as my location at this moment. I’ll accept the offer if the payment you offer me is more than the harm I would experience due to disclosing the information. What matters here is the marginal harm, defined as amount of privacy-goodness I would have if I withheld the information, minus the amount I would have if I disclosed it.

The key word here is marginal. If I assume that my life would be utterly private, unless I gave this one piece of information to you, then I might require a high price from you. But if I assume that I have very little privacy to start with, then selling this one piece of information to you makes little difference, and I might as well sell it cheaply. Indeed, the more I assume that my privacy is lost no matter what I do, the lower a price I’ll demand from you. In the limit, where I expect you can get the information for free elsewhere even if I withhold if from you, I’ll be willing to sell you the information for a penny.

Viewed this way, the price I charge you tells you at least as much about how well I think my privacy is protected, as it does about how badly I want to keep my location private. So the answer to “what could they be thinking” is “they could be thinking they have no privacy in the first place”.

And in case you’re wondering: At this moment, I’m sitting in my office at Princeton.

Come Join Us Next Spring

It’s been an exciting summer here at the Center for Information Technology Policy. On Friday, we’ll be moving into a brand new building. We’ll be roughly doubling our level of campus activity—lectures, symposia and other events—from last year. You’ll also see some changes to our online activities, including a new, expanded Freedom to Tinker that will be hosted by the Center and will feature an expanded roster of contributors.

One of our key goals is to recruit visiting scholars who can enrich, and benefit from, our community. We’ve already lined up several visitors for the coming year, and will welcome them soon. But we also have space for several more. With the generous support of Princeton’s Woodrow Wilson School and School of Engineering and Applied Sciences, we are able to offer limited support for visitors to join us on a semester basis in spring 2009. The announcement, available here, reads as follows:

CITP Seeks Visiting Faculty, Fellows or Postdocs for Spring 2009 Semester

The Center for Information Technology Policy (CITP) at Princeton University is seeking visiting faculty, fellows, or postdocs for the Spring 2009 semester.

About CITP

Digital technologies and public life are constantly reshaping each other—from net neutrality and broadband adoption, to copyright and file sharing, to electronic voting and beyond.

Realizing digital technology’s promise requires a constant sharing of ideas, competencies and norms among the technical, social, economic and political domains.

The Center for Information Technology Policy is Princeton University’s effort to meet this challenge. Its new home, opening in September 2008, is a state of the art facility designed from the ground up for openness and collaboration. Located at the intellectual and physical crossroads of Princeton’s engineering and social science communities, the Center’s research, teaching and public programs are building the intellectual and human capital that our technological future demands.

To see what this mission can mean in practice, take a look at our website, at http://citp.princeton.edu.

One-Term Visiting Positions in Spring 2009

The Center has secured limited resources from a range of sources to support visitors this coming spring. Visitors will conduct research, engage in public programs, and may teach a seminar during their appointment. They’ll play an important role at a pivotal time in the development of this new center. Visitors will be appointed to a visiting faculty or visiting fellow position, or a postdoctoral role, depending on qualifications.

We are happy to hear from anyone who works at the intersection of digital technology and public life. In addition to our existing strengths in computer science and sociology, we are particularly interested in identifying engineers, economists, lawyers, civil servants and policy analysts whose research interests are complementary to our existing activities. Levels of support and official status will depend on the background and circumstances of each appointee. Terms of appointment will be from February 1 until either July 1 or September 1 of 2009.

If you are interested, please email a letter of interest, stating background, intended research, and salary requirements, to David Robinson, Associate Director of the Center, at . Please include a copy of your CV.

Deadline: October 15, 2008.

Beyond this particular recruiting effort, there are other ways to get involved—interested students can apply for graduate study in the 2009-2010 school year, and we continue to seek out suitable candidates for externally-funded fellowships. More information about those options is here.

Cheap CAPTCHA Solving Changes the Security Game

ZDNet’s “Zero Day” blog has an interesting post on the gray-market economy in solving CAPTCHAs.

CAPTCHAs are those online tests that ask you to type in a sequence of characters from a hard-to-read image. By doing this, you prove that you’re a real person and not an automated bot – the assumption being that bots cannot decipher the CAPTCHA images reliably. The goal of CAPTCHAs is to raise the price of access to a resource, by requiring a small quantum of human attention, in the hope that legitimate human users will be willing to expend a little attention but spammers, password guessers, and other unwanted users will not.

It’s no surprise, then, that a gray market in CAPTCHA-solving has developed, and that that market uses technology to deliver CAPTCHAs efficiently to low-wage workers who solve many CAPTCHAs per hour. It’s no surprise, either, that there is vigorous competition between CAPTCHA-solving firms in India and elsewhere. The going rate, for high-volume buyers, seems to be about $0.002 per CAPTCHA solved.

I would happily pay that rate to have somebody else solve the CAPTCHAs I encounter. I see two or three CAPTCHAs a week, so this would cost me about twenty-five cents a year. I assume most of you, and most people in the developed world, would happily pay that much to never see CAPTCHAs. There’s an obvious business opportunity here, to provide a browser plugin that recognizes CAPTCHAs and outsources them to low-wage solvers – if some entrepreneur can overcome transaction costs and any legal issues.

Of course, the fact that CAPTCHAs can be solved for a small fee, and even that most users are willing to pay that fee, does not make CAPTCHAs useless. They still do raise the cost of spamming and other undesired behavior. The key question is whether imposing a $0.002 fee on certain kinds of accesses deters enough bad behavior. That’s an empirical question that is answerable in principle. We might not have the data to answer it in practice, at least not yet.

Another interesting question is whether it’s good public policy to try to stop CAPTCHA-solving services. It’s not clear whether governments can actually hinder CAPTCHA-solving services enough to raise the price (or risk) of using them. But even assuming that governments can raise the price of CAPTCHA-solving, the price increase will deter some bad behavior but will also prevent some beneficial transactions such as outsourcing by legitimate customers. Whether the bad behavior deterred outweighs the good behavior deterred is another empirical question we probably can’t answer yet.

On the first question – the impact of cheap CAPTCHA-solving – we’re starting a real-world experiment, like it or not.