McDonalds breakfasts can be fatal

Daily Mail journo Harriet Arkell has no doubt about what killed firefighter Alan Soards:

Firefighter drowned during training exercise at Olympic white water rafting venue moments after he ate a McDonald's breakfast meal
Reading the article, she attempts to justify the headline:
Witnesses said Mr Soards, who was also a lifeboat volunteer, looked out of breath and that his face had turned purple, and he was found face-down in the water at the end of the course.
He was pulled from the water and attempts were made to resuscitate him, but Mr Soards vomited his undigested McDonald’s breakfast while he was being given CPR.
Clearly, it must have been the McDonald's breakfast that killed him. There's no way that someone pounding his chest with nearly their full body weight would have caused anything at all in his stomach (Egg McMuffin, Weetabix or lettuce) to return up his oesophagus. It's not like vomiting is a well-known complication of CPR. Heck, the McDonald's breakfast probably caused him to have broken ribs after CPR.

I can't find Ms. Arkell's degree subject (she studied at Bristol University) but no doubt she specialised in human physiology in order to make this diagnosis. Publicity-seeking empathy-lacking cow that she is. I'd hope that Alan Soards's family would sue her, but I guess "maliciously self-serving ignorance" isn't legally actionable.

[Hat tip: the estimable Mark Wadsworth]

Queues in coffee shops

I'm encouraged by the length of the average queue in Starbucks and Costa - if you've got a steady stream of customers, nudging you towards your maximum coffee-drink-producing-capacity, you must be doing OK on your business plan.

However, this tweet from @GSElevator strikes a chord with me:

YES. They so need to have this. I'd be more willing to queue up at Starbucks if I knew that everyone in the line would turn up at the counter, spec their order in a compact and unambiguous fashion, have appropriate payment ready and waiting, and move swiftly to the collection area as soon as the transaction had concluded.

It's bad enough when the first person in the line orders eight different blended drinks, and you know how long that will occupy the barista making them until she can turn her attention to your americano. It's so, so much worse when the next person just wants a latte but spends several minutes havering about whether they want soy, what size they want, whether it's for here or to go, and then spends a while rummaging around in their purse for the payment. For heavens' sake, you spent nearly ten minutes in the queue waiting for your turn with a huge display of drinks, sizes and prices right in front of you. How in the world can you not be ready to order?

Obviously, anyone in the "shit together" queue who hesitates or havers during their order or payment will be brutally beaten by the people behind them and pushed to the back of the "shit apart" line.

Sorry for the rant; there are few things more irritable than an engineer kept away from their caffeine.

Sympathising with Rachel Jeantel

Watching the video of Trayvon Martin's girlfriend Rachel Jeantel on the witness stand at George Zimmerman's trial, my overwhelming emotion is sympathy. She's the prosecution's star witness and she was dreadful. Surely, George Zimmerman's defence attorneys can't have believed their luck. The prosecution opened with a witness who was illiterate, lied about any number of small things ("writing" a letter that it turns out she couldn't read, attending Trayvon's wake) and who tweeted a trail of destruction about drinking, getting high and driving under the influence before someone deleted the worst offending tweets just before her testimony.

Rachel has clearly been coached and steered by the prosecution team (and possibly hangers-on) on what to say, how to say it and how to present herself. This is part of the game of trials, and everyone does it. But she doesn't really understand what she's been brought into - the personal risk she's bearing with every falsehood she admits to. She's 19 years old, and boys and girls of that age do dumb things. Most of the time no-one's really looking at their acts apart from their mates, but now everyone in the USA has a laser focus on this case and Rachel looks untrustworthy, unreliable, lacking self control and generally everything that a court witness cannot afford to be.

My heart aches that a 19 year old woman can't read - or, presumably, write - cursive script. It's not surprising that Rachel was embarrassed about this, and lied about it. Unfortunately (for the prosecution) this blows a hole a mile wide in the case - reasonable doubt must be a slam-dunk at this point, unless something unexpected crops up in the forensics.

This case should never have been brought to trial. It wasn't headed for trial until political pressure (with cries of "racist killing!") forced the state to prosecute. Political influence on prosecution stops at the courtroom door, and this jury will find George Zimmerman not guilty of the murder of Trayvon Martin. It may even be that at the conclusion of the prosecution case the defence will successfully move for a dismissal, showing that the state has not proved its case; honestly, though, it would be a very brave judge to let that motion pass. In the mean time Zimmerman has been jailed, forced to spend huge sums on a legal defence, and in effect had his life ruined.

One article I read posed a very interesting (if unprovable) proposition that this case was never intended to succeed. Six months before the 2012 elections in the USA, it was a cause celebre demonstrating homicidal racism in modern America, a rallying point for Al Sharpton and co. The fact that Zimmerman was more Hispanic than white was glossed over, and US media organisations did their part in editing 911 tapes to make Zimmerman appear racist. The elections now over, the race-baiters don't particularly care what happens to Zimmerman; indeed, for them perhaps it's better that he's acquitted so that in 2016 they can rage about that acquittal and "Justice for Trayvon" as another rallying point.

If anyone is serious about improving the lot of black teenagers in the USA - and they damned well should be - they should start by exploring the deficits of the education system that left 19 year old Rachel Jeantel functionally illiterate.


Getting what you pay for in education

In the category of "consequences that anyone with a brain could have predicted", the Toronto District school board's decision to stop teachers being able to carry over their allowance of sick days from one year to the next (and cash them out for money on retirement) has worked out approximately as you'd expect:

New figures from the Toronto District School Board show a 22% spike in teachers reporting in sick last month compared to the previous year, and a 53% jump from three years ago.
Teachers get an allowance of 20 sick days a year - presumably if you take more then they will be unpaid - and up to now if they had any remaining at the end of the year they could add them on to next year's allowance. With no limit on carry-over, it was quite feasible to have 200 days of leave on retirement:
But some school boards — the Ontario government says 40% — also allowed teachers to cash the unused days out, up to 200 days, on retirement. The practice resulted in teachers leaving with a golden handshake worth up to half a year's pay.
What's more, I'm guessing that the days would be paid based on their final salary rather than the salary for the year in which they were allocated.

You'll note that in the old system if a teacher was feeling a bit under the weather they would be incentivised to struggle in to work (thereby infecting their pupils and colleagues); the sick day they avoided taking would be a future source of cash. Now, of course, if they are sick they'll stay at home. This is an improvement, except that there is a view among some teachers that if they have the allocation they might as well take it, as commentator marilynsouth remarks:

When I had 20 sick days and could bank them I hardly took any days off and only when I was really sick, as banking was an incentive. Now you take that away, give me 10 days with no banking, I'm taking all 10 days because there is no longer an incentive. I take them or lose them now, so I'm taking them, good luck trying to prove if I'm sick or not....
It's a tricky one to manage. On one hand teachers are exposed to tidal waves of germs as part of their job, you expect them to get sick (especially as they get older) and you shouldn't penalise them for it. On the other hand, setting out a fixed allocation of sick days doesn't seem to be optimal.

What does seem unarguable is that rolling over sick days and allowing them to be taken as cash only really benefits the moderately healthy teachers, and screws over students and less healthy teachers when the sick teacher struggles in to school to recuperate on the taxpayer's dime. While private sector practices vary, I don't know of any major firm that has taken this approach, and probably for a very good reason.

24 hours in A+E: the Guardian version

You couldn't really expect me to pass up the opportunity to blog on this, could you? Grauniad journo Denis Campbell spends a day at Bradford A+E:

"People have come with period pains, ingrowing toenails and wanting sets of false fingernails removed," said [head of Bradford A+E] Wilson. "I once even had a young woman arrive – by ambulance – asking for a pregnancy test when she could have just got one in Boots."
I'd like to invite the audience to imagine how this arose. You're a Generation Y member, moved out from your parents' house and living in a basement flat with no Significant Other in residence. On Friday morning your toe starts to hurt a little, and by Friday evening it's really quite painful. Obvious answer: go and see your GP. Surprise! There's little to no chance of seeing the GP until Monday morning (and even then it's random luck if you get a slot, if it's anything like my previous GP surgery). You have no idea what an NHS walk-in centre is. Easy choice: A+E.

It's all very well for Dr. Wilson to get exercised about the undoubted lack of stoicism of the modern public:

Three hundred and fifty million years of evolution means the human body has learned to deal pretty well with most ailments. Yet no one is willing to give things time to get better. They access emergency practitioners for advice when all they really need is two or three days, or a week, to get better
but the reality is that with the parlous state of the job market they often can't afford to take the time off. Even if they did, staying at home for several days to try to recuperate and hope their injury or illness gets better, who would look after them? And what of the people who aren't sure whether their rash and aversion to bright light is just another bug or potentially fatal meningitis? Who makes that call?

People coming to A+E with minor ailments is undoubtedly a serious issue, tying up very scarce resources. The simple way to deal with that is to make GPs more accessible, but the Labour government really screwed the pooch on that one:

The current situation "isn't sustainable", she warns. "We need changes, like GPs being available 24/7," she adds.
Yes, we do. GPs have settled into a very comfortable 5 day week with regular hours, and retained really high pay for this. There are many GPs who go above and beyond for their patients out of hours, but unfortunately way too many who are quite happy to take the cash and do the minimum. My personal experience is that about 50% of GPs earn their money (or deserve more), and 50% are massively overpaid for what they do.
Spencer is also keen to introduce some GPs into their A&E, to handle those with less serious illness.
Now this is a good idea, if they can make it work, get triaging right, and actually find a source of GPs who will do this work without demanding vast sums of cash for the privilege. I wish Sandy Spencer luck, she's going to need it.

That's not the sole problem that A+E faces - even once it has deflected the minor injuries, there are still way too many people who need to be admitted, and not enough beds:

"More patients are more medically complex. People are living longer and therefore older people present with a higher incidence of illness", explains Halstead. "There's now no age discrimination. Previously you'd have said: 'Oh he's 75, that's a good innings, there's nothing more we can do for him.' Whereas these days everybody is treated with whatever is available to relieve their condition, no matter what age they are."
And with a health system with finite resources, the tens of thousands of pounds needed to give an 85 year old an angioplasty rather than letting him or her die will be money that can't be spent e.g. employing more care assistants to ensure adequate coverage on a geriatric ward. Now that may be a trade off that we should be making - or it may not - but no-one seems to want to have that debate for some strange reason.

The NHS has to decide what it wants to do about A+E and how it's going to ration the treatment and budget available against the unbounded demands of the public. If you want healthcare to continue to be free at the point of demand, you're going to find it quite surprising how expensive it can be to supply it. There are hard choices to be made, and we do not ask the Government to make them perfectly; they must, however, make them.


Precision engineering by Honda

This is not a sponsored post

A buddy of mine over Stateside nearly departed the land of the living today. Heading down the freeway at a speed around the limit (65 mph) he moved to avoid a collision, got clipped on the rear, and drove at nearly full speed into the concrete Jersey barriers separating the eastbound from westbound traffic. Those barriers being notable for their inability to yield, his Acura was reduced substantially in length. What was notable, however, was that the trashing of the engine compartment and its subsequent intrusion into the driver space stopped almost exactly at his knees - they were a little sore, and he was disoriented from the various exploding airbags, but he was able to climb out of the vehicle and wait for the emergency services.

While wanting to berate the EMS crews who let him walk away from the wreck and get a ride home without doing the prophylactic collar-and-board that anyone with a PHTLS certification would have carried out, we should stop and marvel at the design and engineering that has successfully dissipated the massive energy in a 50mph+ near-frontal impact into every single bit of the car except the space occupied by people. When we consider the steady decline in traffic fatalities since 1990, it seems pointless to deny the role played by safety engineering and relentless study of the mechanics of road traffic accident injuries.

For those of you looking at a Honda-brand car for your next vehicle, they seem to know what they are doing with regards to safety.

Needless to say, he was wearing his seatbelt. Princess Di conspiracy theorists, take note.


Interviewers don't know jack

At least, that's the impression given by Google's HR head Laszlo Bock:

Years ago, we did a study to determine whether anyone at Google is particularly good at hiring. We looked at tens of thousands of interviews, and everyone who had done the interviews and what they scored the candidate, and how that person ultimately performed in their job. We found zero relationship. It’s a complete random mess, except for one guy who was highly predictive because he only interviewed people for a very specialized area, where he happened to be the world’s leading expert.
For anyone who's done any substantial amount of interviewing, this will ring a bell. Without data following up on how hired candidates actually perform in their jobs, the individual interviewer receives very little feedback on their interviewing. If you consistently have 4+ people interviewing the same candidate on closely-related topics you can compare their scores and identify interviewers who give diverging scores - but then you have no idea whether the outlying interviewer was correct or not. I sometimes wonder whether in these situations companies should hire a small fraction of candidates who score highly with the divergent interviewers but moderate-to-low with the rest. Of course, that's an expensive way of gathering stats.

Megan McArdle analyzes the interview and draws conclusions that I think are slightly off:

Resume and past work history are much better predictors of future performance [than brainteasers]. The problem is that in most fields, these are hard to ascertain unless you're pretty prominent.
I take a little more hope from Bock's analysis. I'd agree with McArdle (and Bock) about the relative uselessness of brainteasers. I would disagree to some extent with resume and work history as predictors. What resume and work history really give you as an interviewer is a baseline for what to expect of an interviewee's performance, and a pointer to the work-related questions to ask.

Example: the resume (CV) claims that the interviewee has experience building distributed systems, and has 8 years of Perl development. Immediately you, as hiring manager, know that one of your interviewers should throw a (company-standard) distributed systems development problem at them, and expect them to nail most of the high points. All interviewers should expect them to be able to write some Perl on demand and expect it to parse, use modern idioms, and employ efficient and suitable constructs. Falling short on any of these indicates that either the resume is "generous" with the facts or that the interviewee does not learn and increase their ability with experience as quickly as could be expected.

To make use of these facts, as Bock notes, you need to have standardised assessments of your candidates - a smallish bank of interview questions with a calibrated range of possible responses. This may well not be the world's best predictor of ability in a job, but at the very least it's a reliable way of screening out the under-performers and the outright resume fabricators.


Sow the wind of femininity, reap the whirlwind of violence

Annalisa Barbieri in the Guardian is properly concerned about the proliferation of abusive relationships and wonders what can be done to stop it:

We can teach our children about the correct way to deal with emotions such as anger and frustration, and that it's never OK to hit another person. Currently, where do our children learn about this? The top source is from soap operas, where the information may or may not be accurate. Only 13% had learned about it at school. The logical place would be in Personal, Social and Health Education (PSHE), but even in schools where PSHE is taught, (it is not compulsory although the sex education element is) domestic abuse is rarely covered.
PSHE is taught in the age group 10-16. Children (and I use the word advisedly) of that age do not in general have the emotional or social maturity to appreciate the implications of what they are being told. I can't see this making much of a difference to the problem, no matter how good the intentions.

If you want to know why modern young men are so prone to violence in relationships, look at the environment in which they grew up. The usual outlets of the violent impulses that arise naturally in young men (play wrestling with other boys, playing soldiers, physical playground games) have been systematically suppressed. Where else are these violent impulses - strengthening with age - going to be channelled? As Annalisa herself writes "it's never OK to hit another person" - but punching and grappling is what boys thrive on. What they need to learn, and indeed learn as they grow up, is the difference between a moderate punch to the arm or torso to score a metaphorical point, and a punch to the head aiming to cause injury or worse. Remove the opportunity to play fight, and you remove the place where they learn those lessons - where a playful punch grazes your buddy's nose, causes it to bleed profusely and generates remorse and moderate recriminations.

Rory Miller's Meditations on Violence made clear the distinction between playground violence, confrontations for territory / status, and then the third tier of violence intended to injure or kill. This third tier can be seen in UK cities when alcohol or aggression have young men throwing kicks at the heads of innocent victims. A kick at the head has only one purpose - to injure severely or kill. This is bottled-up violence finding an outlet that ruins the lives of people - the injured party, their family, and then the aggressor himself as he is sent down for a number of years.

Barbieri quotes Refuge's CEO Sandra Horley:

If the abuse is physical, she advises, "Never ignore that first push, that first shove."
She's right enough; that's the sign of a man (or woman) who has not learned control over their violent impulses and found an appropriate channel for them. If you're the inappropriate channel, pack your bags and leave. But if we want this to be a rare occurrence, we need to restore the time-honoured ways in which young men can relieve the pressure of their violent urges harmlessly. Feminising them is not helping.


Breaking veganism - the new hotness

Tomorrow I'm going to break my usual diet and have toast (unbuttered) with orange juice and coffee for breakfast, a nutburger with lettuce and pickles for lunch, and pasta with tomato sauce for dinner. This will officially qualify as a vegan diet, and so make me a vegan. I'll keep this up for three more days. The day after, I'm going down the diner and having brunch incorporating every animal on the menu. This will officially qualify me as an ex-vegan and thus eligible for the ex-vegan list:

Please do not post names that fall under the following categories:
  • Was never vegan
  • Pretended to be vegan
  • Was vegan for 3 days then sold out.
I would have thought that last point somewhat redundant given the "ex-" prerequisite, but hey what do I know?

Why do I care? Well, I would love to be listed on exvegans.com, a site dedicated to the persecution of those who have crossed from the (skinny, pale, underfed, too-much-time-on-their-hands) righteous to the animal-eating murdering blood-dripping-from-mouth unrighteous. Extracting a random entry from their hate list:

Jack Scuncio: Once upon a time Jack completely rejected all forms of animal product and was one with nature, now he has embraced the love of murder in such a wholehearted way that he now rejects the consumption of plants almost entirely. He wears leather (and fur!) whenever he can and consumes copious amounts of burnt carcasses, even partakes in gatherings some know as BBQ, but what I would like to call "Murderocalypses"
I hope that this entry was satire - or, indeed, added by Jack himself, but I fear it may just be in earnest. For something beyond satire, I offer you the ex-vegan take on Natalie Portman:
Vegan from 2009 to 2011. Stopped when she got pregnant, and had some ignorant concerns about the health of her unborn child. Her statement on the subject was very uninformed. Having kids isn't vegan anyway.
I'm not sure where you can start on that.

The twistedness of the contributors is captured perfectly in Why People Hate Vegans. When this site publishes contributions like:

The spirits of the billions murdered have risen to deliver: The Vegan Sellout List – an online directory of those who have regressed from moral consistency to moral depravity.
even the most considerate animal-loving pacifist feels a primeval urge to bludgeon the nearest tasty animal to death and eat it. "When an Irishman drives a pig, he ties a string to the pig's rear leg - the pig reacts by running forwards." Ironically, ex-vegans may be just that pig.


Fatal buttock enhancements

In the category of "unintended consequences of medical advances", I give you the Mississippi woman who has been charged in a second death related to giving buttocks-enhancing injections without being trained or licensed:

Garner had been on house arrest awaiting trial in a similar case in the 2012 death of an Atlanta woman.
If (and it's a big, huge "if") I were looking for someone to give me a cut-price buttock enhancement injection, I might just draw the line at someone who was already under house arrest - and, no doubt, featuring in the popular press - for homicide in a similar situation. Still, what do I know?

This is obviously unfortunate for her victims, seekers of cut-price buttock pertifying which led to a probably unanticipated early exit from this mortal coil. On the other hand, think of the headstone engraver who can engrave her epitaph.

It's not all upsides on the publicity front, however:

Records show Garner was in the Hinds County Detention Center on Monday. Her attorney, John Colette, was not immediately available.
I'll bet he wasn't. Assuming that Ms. Garner is rather strapped for cash and Mr. Colette is a state-appointed defender, he's not being paid anywhere near enough to try to defend Ms. Garner in the popular press, where his name will be permanently attached to the search "silicone buttocks death", which (for me) finds this case dominating the top 20.


Training is overrated

I've taught and lectured quite a bit here and there on various subjects in my time and so today's news that Labour intend to "sack" "untrained" teachers in free schools made my eyebrow twitch:

"It is shocking that this government is allowing unqualified teachers into the classroom," Twigg said. "High-quality teaching is the most important factor in improving education. We need to drive up the quality of teaching, not undermine it."
Just a quick question here, Stevie. Isn't the whole idea of school inspections and regular exams to ensure that objective observers outside the school can determine whether the school is failing to provide good quality teaching or to help its pupils attain the required level of performance? If this is the case, what does it matter whether a teacher is trained (by which they usually mean the 1-year Post-Graduate Certificate in Education, if not a full B.Ed) or not? How exactly has Mr. Twigg leapt from "unqualified" to "poor quality"?

I note in passing that Stephen Twigg doesn't seem to have much, if any, experience in teaching, so one wonders where this idea of eliminating "unqualified" teachers has come from. Perhaps the teaching unions, who don't like the idea of the free or independent schools where some of these teachers are found? Perhaps the lifer educrats in the Department for Education, who would prefer that all teachers be directly subjected to their influence? Perhaps those in the profession of educating educators are concerned about their waning influence and job security? I'd love to know.

Outside the formal education system I've met some fantastic teachers, in and out of the classroom. For sure, some of them had previous teaching qualifications before they branched out - but by no means all. The ability to connect with a class, to deeply understand your subject and be able to explain and convey it in an interesting way, are all a) learned over time and b) strongly rooted in personality and ability. I'm sure PGCE gives you useful insight into methods of education, but the most useful part of it is the practice teaching time - this lets students know whether or not they're really cut out for teaching.

I'd be a lot more impressed if Labour promised to fire bad teachers wherever they were found, whether trained or untrained, state or independent schools, union or non-union. But I think we all know how likely that is.


The law of unexpected consequences

Situation: the US government admits to keeping records of phone calls within the USA. The expected outrage and debate duly occur.

Problem: the defendant in a criminal case thinks that phone records can exonerate him, but the phone company (MetroPCS, who seem to be a bunch of clowns) have misplaced the records for the month in question.

Solution: just ask the NSA for their copy:

Accordingly, he is seeking the records from one resource that has stored every call from every citizen: the National Security Agency (NSA). After all, the Administration has admitted the existence of the storage and program. After that, Dore is arguing that it is just another government agency with material evidence. Indeed, the NSA wanted a complete record of all calls to store and it is now being called upon to hand over material evidence in its possession.
The article's author doesn't think much of the defendant's chances, but I'm not so sure. It's a matter of public record that the NSA has this data, and if MetroPCS would have been compelled to turn it over to the defendant then there's no obvious reason why NSA can't be so compelled, unless they can carry some form of "unduly burdensome" argument. This has the potential to be an extra-large-popcorn-bucket event.

The government - people disconnect

I have to admit, I would not have predicted this as a result of the Sandy Hook shootings:

The week after [the Sandy Hook massacre] set a new record for background checks. CBS Connecticut reported that permit applications in Newtown itself more than doubled in the three months following the killings.
This is intriguing. So of the population that's closest to a particularly egregious mass shooting, one of the responses seems to be that people feel that they needed a gun:
Newtown in recent years has issued about 130 gun permits annually. Police say the town received 79 permit applications in the three months since the Dec. 14 massacre, well over double the normal pace.
"A good percentage of people are making it clear they think their rights are going to be taken away," said Robert Berkins, records manager for Newtown police.
What I'd really like to know is what the national figures were for the increase in those 3 months, and whether Newtown's increase was in line with, above or below the national rate. I rather suspect (from some back-of-the-envelope math) that it was higher.

Generally it seems that whenever a major shooting-related event occurs, people who did not previously own guns rush to get a permit to own them in anticipation of future denial of this right. People who do currently own guns stock up on ammunition and spare weapons. All of which leads me to the inescapable conclusion that if a government really wants to reduce firearm ownership, they will loudly promise not to change anything in the country's current gun ownership rules. Since the US government has been all over gun owners in the aftermath of Sandy Hook, one can only conclude that they are in pursuit of votes rather than lower firearm ownership.


More crap about PRISM

My brain hurts from reading one of the most God-forsakenly awful pieces of allegedly technical writing about PRISM:

There's the issue of encryption, such as an SSL connection, which offers a HTTPS [secure web connection] secure pipe between the user's computer and the website providing the service. It's like a metal pipe that stretches end-to-end. The port that's opened up on your computer is encrypted and everything that flows through it is completely unreadable.
But if the NSA were intercepting traffic and decrypting it somehow on the edge connection between the application service provider — such as Facebook, Gmail, Amazon, for example — and the Tier 1 network, the application service provider would be unaware that this was happening.
Yes, and "if" my aunt had testicles she'd be my uncle. Author Zack Whittaker "writes for ZDNet, CNET and CBS News. He is based in New York City." There's a reason why he's writing about computer security and not actually doing it for a living.

Aware that Facebook, Google, Amazon use HTTPS as default, the author tries to overcome the obvious objections:

Although SSL-encrypted data is still unreadable at its current destination, the NSA likely has the capabilities to break this encryption later at its datacenter, presumably using vast computational resources. This would have to be done for each session, and likely only for targets of interest since the ability to do this would be extremely computationally expensive, as both public key and symmetric keys would have to be cracked.
Flipping heck. Does he have any idea how expensive a brute force attack against a 128 bit symmetric key is (assuming that you have some known plaintext so you can check it)? And you have to brute force each individual session, i.e. each HTTPS connection of each user, since the key is unique for each session. Even if you have a way to massively reduce the search space, e.g. by exploiting a weakness in the randomness of the key generation, you're still looking at something that is computationally infeasible unless you have a very small number of sessions you're targeting, e.g. you know the source internet addresses of your bad guys.

His lack of understanding is also apparent here:

Facebook and Google, for example, use 128-bit RSA encryption with TLS 1.1 connections for their Web servers. (Google is planning to move to a 2048-bit RSA key later this year.)
OK, let's talk slowly here. RSA (Rivest, Shamir, Adleman) is a way for two people talking over a connection that others can eavesdrop on (e.g. an Internet connection) to agree a mutual secret key that can then be used to encrypt the rest of the conversation. The algorithm is such that although the eavesdroppers can see the entire conversation, they can't deduce the secret key. Now that secret key is 128 bits (16 characters) in length. You can use it with a range of symmetric encryption algorithms - where user A encrypts the message with a secret key, and user B decrypts it with the same key - and a common one is RC4_128 although other algorithms are in use. So "128 bits" refers to the shared secret used to encrypt an HTTPS conversation, whereas "RSA" is the method by which that secret is agreed. RSA uses much bigger keys (1024 or 2048 bits long) in a public-key encryption scheme where each user makes enough of their key public to allow anyone else to encrypt a message for them, but keeps enough secret that only they can decrypt the message. If Whittaker can't get this right, I'm not optimistic about his understanding about the more technical details.
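To make that distinction concrete, here is an added example in Go's standard library (my code, not Whittaker's and not any real server's): a 2048-bit RSA key pair on the server side, a fresh random 128-bit session key per connection carried to the server under RSA (the RSA key-transport exchange of TLS before 1.3, simplified; real TLS derives its record keys from the transported secret rather than using it directly), and the conversation itself encrypted under that session key. AES-128-GCM stands in for the RC4_128 mentioned above, and the request string, function names and sizes are the example's own assumptions. It also makes the brute-force point from earlier on the page visible: a second session's key, drawn independently, opens nothing from the first.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewSession is the client's half of the (pre-TLS-1.3, simplified) RSA key-transport
// handshake: a fresh random 128-bit key, encrypted to the server's RSA public key.
func NewSession(serverPub *rsa.PublicKey) (key, wrapped []byte, err error) {
	key = make([]byte, 16) // 16 bytes = 128 bits: the "128-bit" part
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	return key, wrapped, err
}

// sessionCipher builds the bulk cipher; AES-128-GCM stands in for the RC4_128 of the text.
func sessionCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record (an HTTP request, say) under the session key, prefixing the nonce.
func Seal(key, plaintext []byte) ([]byte, error) {
	g, err := sessionCipher(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, g.Seal(nil, nonce, plaintext, nil)...), nil
}

// Open decrypts a record produced by Seal; it fails under any other key.
func Open(key, record []byte) ([]byte, error) {
	g, err := sessionCipher(key)
	if err != nil {
		return nil, err
	}
	if ns := g.NonceSize(); len(record) >= ns {
		return g.Open(nil, record[:ns], record[ns:], nil)
	}
	return nil, fmt.Errorf("record too short: %d bytes", len(record))
}

type Result struct {
	RSAKeyBits     int    // size of the long-lived public key
	SessionKeyBits int    // size of the per-session symmetric key
	CrossOpenFails bool   // a second session's key cannot read the first's traffic
	Decrypted      string // the request as the server reads it after unwrapping
}

// RunExchange runs two client sessions against one server RSA key pair.
func RunExchange() (*Result, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	key1, wrapped1, err1 := NewSession(&priv.PublicKey)
	key2, _, err2 := NewSession(&priv.PublicKey)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("handshake failed: %v / %v", err1, err2)
	}
	// Server side: only the holder of the RSA private key can unwrap the key.
	serverKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped1, nil)
	if err != nil {
		return nil, err
	}
	record, err := Seal(key1, []byte("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"))
	if err != nil {
		return nil, err
	}
	plain, err := Open(serverKey, record)
	if err != nil {
		return nil, err
	}
	_, crossErr := Open(key2, record) // wrong session key: must fail
	return &Result{
		RSAKeyBits:     priv.PublicKey.N.BitLen(),
		SessionKeyBits: len(key1) * 8,
		CrossOpenFails: crossErr != nil,
		Decrypted:      string(plain),
	}, nil
}

func main() {
	fmt.Println(RunExchange())
}
```

Running it prints a Result whose RSAKeyBits is 2048 and SessionKeyBits is 128: the two numbers Whittaker runs together belong to two different keys doing two different jobs, and an eavesdropper holding the wrapped blob has neither.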

Not forgetting:

Cracking the encrypted SSL sessions could also be achieved through compromised certificates from the issuing certificate authority, making decryption of vast amounts of sessions that much easier.
No. Just, no. Compromising a certificate authority (hard, but not impossible) means that you can "man in the middle" communications - intercept the messages from a user to Facebook by pretending to be Facebook, then in parallel relay his messages to Facebook pretending to be him. You're not "cracking" the SSL sessions except in a very, very loose sense; you're just disguising yourself as Facebook. But this doesn't work in many cases anyway, now that this risk is known and the major browsers know what the real Facebook/Google/Amazon certificates should look like before checking with the certificate authority. There are also improvements to the SSL protocol that make man-in-the-middle attacks much harder to carry out without detection. And again, you'd require massive computing resources to tackle this at any scale - it only works for very targeted snooping.

In summary: Zack Whittaker is talking through his lower digestive tract. If anything he writes about PRISM is correct, it's going to be by accident.

Political banking

If you want to steer a course for disaster, there are certain strategies which are better than others. "Never get involved in a land war in Asia" is a good one, as is "Never go against a Sicilian when death is on the line," and of course "when someone assures you that a high tension cable is powered down, tell them to touch it before you go near it." Along with those, I'd add never let politicians take charge of a bank:

The surprise announcement of Hester's departure [from Royal Bank of Scotland] came after the stock market had closed. It then emerged that Osborne met the bank's chairman, Sir Philip Hampton, last week to discuss the succession planning being undertaken by the bank, which is aiming for privatisation by the end of 2014.
A certain amount of reading between the lines suggests that it had become politically expedient for both the RBS board and the UK Treasury for Hester to leave, allowing him to carry off a certain amount of blame for RBS's failure to lend sufficiently to small businesses. Of course, this failure was because RBS, being a bank, likes leaving easy money in the form of high-interest loans to good prospects on the table.

Hester has had nearly five years at RBS, parachuted in with no real prospect of earning big bucks from the bank (due to ritual public outcry). As far as I can see, he's done a solid job navigating the bank back in the general direction of future profitability, albeit assisted by the BoE keeping interest rates at rock-bottom. But now he's thrown overboard by the board, no doubt because he's a political liability, to be replaced with someone else who's suitably unknown and politically inoffensive, in preparation for an eventual privatisation and claims of "getting taxpayer money back" (even if the taxpayer would be better off with a later and slower sale).

We trust the Government with getting "our money" back from the bank, but in reality the only interest the Government has is in seeming to get something done. If we want value for money from a bank in which we have a financial interest, letting its direction be controlled by politicians may not prove that fruitful.


Polly Toynbee and her posterior gaseous emissions

I do try to stay away from Polly Toynbee's CiF columns. I swear, they're so bad for my blood pressure. But her latest opus breaches the dikes of my self control:

Published this week, The Entrepreneurial State, by Professor Mariana Mazzucato of Sussex University, offers a forensic analysis of how the state is prime investor and creator of most great innovations.
Oh, this will be good. Mariana Mazzucato hasn't had a meaningful job outside academe in her entire life. So what does she say?
Not only the internet but its technologies sprang from vast state investment (such as GPS and touch screens, biotech and nanotech), where the state took the risk but others took the profit; Apple and Google rode on the back of state research;
My arse, Polly. Apple (and, let's be fair, Microsoft) took inspiration for their operating systems lock, stock and barrel from Xerox PARC. Last time I checked, Xerox was a privately owned company - that had the crown jewels of the desktop computing revolution and just gave them away, but hey. Google built on the success of search engines like Alta Vista, coming up with their PageRank algorithm independently while students at Stanford University, following an education at private schools. A claim that "the state" was involved in any significant degree in either Apple's or Google's success fails even the laugh test.

Perhaps Prof. Mazzucato should stick to economics, because even my economic blatherings have more accuracy than her ventures into matters technological. She asserts:

Thus, while entrepreneurial individuals like Steve Jobs are needed, their success is nearly impossible without their ability to ride the wave of State investments. And if Europe wants its own Googles, it needs more State action, not less.
Hmm, it seems that Europe has much more State action than the USA in general and Silicon Valley in particular. So why are all the Googles, Yahoos, Microsofts etc. popping up in Silicon Valley rather than Europe? Anyone? Bueller?


Facebook through a PRISM

There's a tremendous amount of hot air being talked about the alleged US Government access to personal data from the major internet companies via the supposed PRISM system. I'm not entirely sure who to believe, though I'm defaulting to "no-one"; there's no reason to trust any Government denials, nor any better reason to put faith in the technical understanding of journalists. So let's look at how PRISM might actually work from the limited point of view of snooping on Facebook.

The size of the problem

Facebook has somewhere around 1bn users, but they're not all active - indeed, they vary greatly in levels of activity. So let's say there are 250M distinct FB users per day, and they spend an average of 10 minutes per day on it with 2 activities (read a post or instant message, view a photo, update status, make or delete a friend) per minute. That's 5bn activities per day, or 60,000 per second, that you want to record. How do you find out what they are? Bear in mind that your key requirement is to be able to know who is talking to and associating with whom, and what they are saying.

Snooping at the ISP

The easiest place to start surveillance is at the user's domestic Internet Service Provider (ISP). This is where most USA-based people will connect to the Net. The user will have a public IP (internet address) which is the point where their traffic enters and exits the Net proper, and the ISP will - or should - normally know which of their users, physical locations and bank account ties to that IP. This knowledge will be looser for entities like public wi-fi networks, but they should still have physical location info e.g. the Starbucks on the corner of 5th and Maple.

Regular (HTTP) internet traffic consists of packets - consider them as postcards - with "from" and "to" Internet addresses, plus some text content. The packets are very small, so you have to be able to aggregate a lot of them in order to build up e.g. the entire contents of an email; however they have index numbers so you know what order they are supposed to be in. The "from" address will be the user's public IP, and for our purposes we know what "to" addresses belong to Facebook, so we can require the ISP to just capture those packets for our use. Assuming that we monitor all 250M people in this way, and that each "activity" is about 4KB in size (ignoring photos and voice chat) that's an average stream of 240MB/sec, nearly 2Gbits/sec that the Government has to collect from the various ISPs and process in real time. In practice you need to double that bandwidth because usage isn't flat throughout the day - there will be a definite diurnal cycle and you need to have capacity for the daily peak.
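As an added example (not from the original post), here is the aggregation step just described, in Go: postcards with "from" and "to" addresses and index numbers, filtered to a set of watched destination addresses and joined back into the byte stream they came from. It is the same logic an intrusion-detection sensor or a packet analyser's "follow stream" feature runs over a capture. The addresses (RFC 5737 documentation ranges) and payloads are constructed samples, and the part worth noticing is the gap check: a flow with a missing packet is flagged and cut off at the hole rather than silently spliced, because text joined across a missing packet is not evidence of anything.

```go
package main

import (
	"fmt"
	"sort"
)

// Packet is the "postcard" of the text: source and destination address, a
// sequence number (the byte offset of this payload within its stream) and a
// small slice of content. All values in this file are constructed samples.
type Packet struct {
	From, To string
	Seq      int
	Payload  []byte
}

// Reassemble keeps only packets addressed to a watched destination, groups
// them by (from, to) flow, orders each flow by sequence number and joins the
// payloads. A flow with a hole is reported in gaps and its stream stops at the
// hole, because text spliced across a missing packet cannot be trusted.
func Reassemble(pkts []Packet, watched map[string]bool) (streams map[string]string, gaps map[string]bool) {
	flows := map[string][]Packet{}
	for _, p := range pkts {
		if !watched[p.To] {
			continue // traffic to anywhere else is not collected at all
		}
		k := p.From + "->" + p.To
		flows[k] = append(flows[k], p)
	}
	streams, gaps = map[string]string{}, map[string]bool{}
	for k, flow := range flows {
		sort.Slice(flow, func(i, j int) bool { return flow[i].Seq < flow[j].Seq })
		var out []byte
		for _, p := range flow {
			if p.Seq < len(out) {
				continue // retransmission of bytes already in hand (partial overlaps ignored)
			}
			if p.Seq > len(out) {
				gaps[k] = true // the packet carrying bytes len(out)..p.Seq-1 never arrived
				break
			}
			out = append(out, p.Payload...)
		}
		streams[k] = string(out)
	}
	return streams, gaps
}

// SamplePackets is a constructed capture: one request delivered out of order,
// one request with a packet missing, and one to a destination we do not watch.
func SamplePackets() []Packet {
	const alice, bob, site, other = "203.0.113.7", "203.0.113.9", "198.51.100.1", "198.51.100.2"
	return []Packet{
		{alice, site, 26, []byte("Host: www.example.com\r\n\r\n")},
		{bob, site, 0, []byte("GET /photo.jpg")},
		{alice, site, 0, []byte("GET /index.h")},
		{alice, other, 0, []byte("GET /news HTTP/1.1\r\n")},
		{bob, site, 30, []byte("Host: www.example.com\r\n\r\n")}, // bytes 14..29 are missing
		{alice, site, 12, []byte("tml HTTP/1.1\r\n")},
	}
}

func main() {
	streams, gaps := Reassemble(SamplePackets(), map[string]bool{"198.51.100.1": true})
	for k, s := range streams {
		fmt.Printf("%s gap=%v %q\n", k, gaps[k], s)
	}
}
```

With the watched set containing only 198.51.100.1, the first flow comes back as the complete request, the second stops at "GET /photo.jpg" with its gap flag set, and the packet to 198.51.100.2 is never stored at all.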

This is a substantial processing challenge but it's not impossible - the Government just has to write its own mini-Facebook back-end that records user activity, without the need to handle photos and videos, and allows them to associate Facebook IDs with real people IDs. Then they can run their own queries over that data store. They'll be writing nearly 20TB/day to that store, so they'll need quite a few hard drives (more when you consider redundancy) but hey, it's the government, they've got the spare $ somewhere.

Of course, someone has to actually pay for the hardware and bandwidth to filter, store and forward the traffic from the ISPs - more government cash - and someone's going to have to monitor and maintain it. This has to happen in nearly all USA ISPs, without any word of it getting out. I'm sure this is completely realistic.

Problem! We're primarily interested in "bloody foreigners", and not just the ones based in the USA. If two people outside the USA are communicating, even if it's via a USA-based Facebook data center, we won't even know it's happening. How can we improve this situation?

Snooping at Facebook's edge

Here we take advantage of the fact that even foreign users end up talking to a FB data center, and many of them are in the USA. (Presumably whatever we work out here could also be done by friendly governments like Eire or the UK for data centers abroad.) Instead of monitoring at the USA users' ingress points, you look at where they egress into Facebook's network. This gives you many fewer places to monitor, though obviously much more traffic per spot, so you need fewer instances of hardware but of a much higher grade. You also have fewer places for news of the additional hardware installation and operation to leak from.

The IP packets still have source addresses so you know where they came into the Internet (more or less). You'll need additional collection of data from US ISPs tying IPs to locations and people, where feasible, and you won't have this quality of source information, but you can probably manage.

So far we've seen that just for Facebook you're looking at quite a substantial volume of traffic, and we've ignored all photos and videos, but you can probably infer quite a lot from this data and it doesn't seem to be an insurmountable volume. So far PRISM seems to be not technically infeasible. But there's a wrinkle...


So far we've been blithely assuming that we can read the plain text of what the user is sending to and receiving from Facebook - the URLs, the posted text - without any problems. Indeed, HTTP - the system by which web browsers communicate with web servers - makes it easy to read this information. An HTTP conversation happens in plain text and looks something like this:

From the browser: asking for the page "index.html" on host "www.example.com":
GET /index.html HTTP/1.1
Host: www.example.com
From the server:
HTTP/1.1 200 OK
Date: Mon, 30 Feb 2012 20:31:00 GMT
Server: Apache/ (Unix) (Red-Hat/Linux)
Last-Modified: Sun, 29 Feb 2012 01:10:25 GMT
Etag: "2e70e-7d6-5f1c883b"
Content-Type: text/html; charset=UTF-8
Content-Length: 100
Connection: close

  <title>An Example Page</title>
  Hello World
The first block is the information about the server and what it's returning, the second block is the HTML page itself.

If you've got access to the stream of data between a user and a website, you can very easily work out what they're doing. You could even change the data, e.g. modifying every instance of the word "Guardian" to "Grauniad" in the stream back to the user, so that the user browsing the eponymous website gets very confused.

Luckily, some clever chaps were aware of this vulnerability of HTTP and came up with a modification: HTTP Secure (HTTPS). This is widely used, and is the default for new Facebook users. The difference it makes for our purposes is that all an external observer can see in plain text is a conversation between the browser and the Facebook server negotiating a "shared secret" - a string that both of them know but that no other observer can know. Once this is agreed, they encrypt the rest of their conversation using that shared secret. The observer can't see what URLs are being requested, or what data is returned. All they know is that a given IP address is communicating with Facebook, and that (judging by the encryption negotiation) they're using Internet Explorer 9. That's not a lot of use to an eavesdropper.

There are a number of approaches to compromising HTTPS sessions, but they're generally rather CPU intensive, target specific web applications, and are progressively being prevented by upgrades to the secure protocols. Here's a little light reading of some examples for the curious. Generally, the only approach that really scales is a man-in-the-middle attack. This is where an eavesdropper intercepts the user's packets to Facebook and pretends to be Facebook itself; in turn, the eavesdropper connects to Facebook pretending to be the user and relays the user's requests and Facebook's responses.

The way that HTTPS/SSL defeats this is via Certificate Authorities: a small number of trusted firms across the world who provide the data that lets your browser verify, when you connect to a server claiming to be Facebook, that the electronic signature you receive back from that server really does belong to Facebook. The ins and outs of how this works are complex, but the net effect is that it's really rather hard for even a Government to pretend to be Facebook, and requires a substantial compromise of either Facebook's secret SSL keys (so it can sign the connection just like Facebook does) or a certificate authority (so it can claim that its fake signature really is Facebook's). Even these approaches are not foolproof, and have to be cracked for each company and updated whenever each company changes its signature. Unfortunately for the snooper, this can be detected by browsers; for instance, modern browsers know what the real certificates should be for major websites and can warn you if someone is trying to impersonate Facebook even if a compromised certificate authority claims that they're kosher.

There's also the not insignificant issue that such an interception approach has to be at least as reliable as the servers the user connects to, and must not introduce any detectable latency into the connection despite having to relay all the traffic both ways and filter out the text it's interested in.

The killer, though, is that you have to inspect all traffic to Facebook. Unlike plain text traffic, where you can easily see that packets pertain to photos or videos and ignore them, you can't tell this for HTTPS until you've intercepted the conversation and started to man-in-the-middle the connection. You've got to continue relaying the photos or video data, even though you're not interested in it, because if you drop the connection the browser will notice and so will the user. This massively magnifies the problem - you need as much processing capacity as Facebook itself has at its front ends.

Insider access

Google, Facebook et al have strenuously and specifically denied giving PRISM-like access to user data. Let's take them at their word. Assuming they're not co-operating, how would you get the access you'd like to user data without them knowing?

The most effective approach, as noted above, is to have an insider compromise their SSL secret keys. That lets you man-in-the-middle all HTTPS traffic. Unfortunately you have a very small set of insiders who have that access - and, by definition, those insiders will be as trustworthy and hard-to-compromise as possible.

The talk swanning around about "free access to data on Facebook's servers" is rubbish. There is no way any substantial routine access to user data is going unnoticed. Facebook will be monitoring read traffic, bandwidth usage, CPU and memory load for all its critical servers. If there's unexplained traffic in any volume, it's going to show up in dozens of monitoring consoles scattered all over the firm. So many people would have to be in on the snooping that word of it would inevitably leak.


It's just about feasible for a government to snoop on the plain-text non-photo non-video traffic for Facebook, and the best place to do it is probably where traffic exits the Internet going to Facebook's network. You're looking at a very serious amount of hardware to snoop and store the information, but it's tractable with the budget available from a major government. When it comes to routine snooping on encrypted (HTTPS) traffic though, forget it. It would require a major systematic compromise of closely-held secret keys, a very high performance software infrastructure operating at very high reliability, and - the killer - would have to be able to deal with as much traffic as the Facebook front ends themselves do. By extension, the same is true for Google, Yahoo, Microsoft etc. The Government is going to require inconveniently large amounts of hardware placed inconveniently close to the major Facebook, Google and Microsoft data centers.

I should add that the alleged $20M/year cost of PRISM would cover the capital costs of about 15,000 servers written off over 3 years (say, $4000 per server since you have to cover associated network, power and cooling infrastructure). That's really not a lot. If you have 5 TB of storage per server, that's 75,000 TB over 3 years; the above requirements just for Facebook basics would be about 21,000 TB over that time, and you'd have to at least double that for redundancy. This doesn't even approach all the other personnel and software development costs.

Conclusion: the scope of PRISM has almost certainly been massively exaggerated. Journalists have been taken for a ride.


Emma Sinclair needs to extract her head before she suffocates

Ex-investment banker and "serial entrepreneur" Emma Sinclair writes indignantly in the Telegraph on the sexism perpetuated by the GS Elevator advice for summer interns:

I was an investment banker post university so I know what sort of stereotypes to expect and at times, they are funny.
Tip 8 says "As it relates to fellow interns, make no mistake about it - it's war: Let's be clear. It's impossible to compete with female interns. And it's not cool. So don't bother trying."
Tip 8 is actually true. Women are so painfully under-represented in front desk roles in banking that HR have decided that a) banks will hire female interns disproportionately in order to try to redress the numbers and b) said interns are essentially untouchable in peer assessments. They'll always end up out-scoring all but the top-end male interns, simply because no sane associate, VP or MD wants to be on record giving a female intern a bad score. The only exception is if the female intern in question does a Lucy Gao.

Ironically, this has precisely the opposite effect of that ostensibly desired by HR. Everyone rolls their eyes when a female intern turns up at their desk, precisely because they know that the principal factor in her hiring was her lack of Y chromosomes. I invite you to consider how demeaning this is for the subset of female interns who are as able, if not more able, than their male counterparts. Incidentally, if you want to know why successful women in banking are some of the worst chauvinists, this is a major factor.

Emma is also not keen on Tip 12:

Ask the secretary for the travel schedules of the senior members of your group for the week ahead. She's dumb enough to think you are being proactive. But now you know when you can sleep in, hit the gym, or beat the traffic.
Emma takes umbrage, noting that her secretary was male. But Emma, darling, secretaries are almost universally female. They're a lot more organised than many bankers, but they're not generally as Machiavellian or plotting. A position as a secretary in an investment bank is well paid but generally not fulfilling since you have to deal with the obnoxious alpha++ personalities in detail and take the flak if anything goes wrong with their meetings or travel. The only real upside is the chance of meeting a hot MD or PMD who's not a total asshole and getting hitched. This is not a strategy with a high payoff rate for blokes.

I wonder why Emma didn't touch on Tip 9?

Don't be too good to do the coffee runs. It shows confidence. Just don't fuck it up. If you can't be trusted with coffee, how can you sell bonds or manage risk.
Yes, Emma, all interns do coffee runs, irrespective of gender. How egalitarian - why didn't you mention it? Did it undermine your narrative?

I'd love to know the details of Emma Sinclair's investment banking career. I suspect she flamed out in short order, and the fact that she could recognise Lloyd Blankfein's face indicates it may well have been at Goldman Sachs itself. It's fine to blame this on a sexist environment, and investment banking is still pretty sexist, but don't blame GS Elevator for giving interns advice that actually reflects the workplace.


Free speech - we've heard of it

Clucking bell. A couple of Gwent Community Support Officers could do with some sensitivity training:

Matthew Taylor, 35, the owner of Taylor's clothes store on Emlyn Walk in the city, printed up and displayed the T-shirt with the slogan: "Obey our laws, respect our beliefs or get out of our country" after Drummer Lee Rigby, 25, was killed in near [sic] Woolwich barracks in London last week.
Following a complaint from a member of the public (I'm really curious about who this was, but I'd probably bet a fiver that they were white and an avid reader of The Guardian) the CSOs dropped by to advise Mr. Taylor that someone had found the shirt design offensive. At this point Mr. Taylor advised the CSOs in turn of his right of freedom of expression, pointed out the lack of targeting at any ethnic, racial or religious group, and the CSOs accepted his argument and departed peacefully.

Kidding! Mr. Taylor ended up removing the shirt from display:

A spokeswoman for Gwent police confirmed: "We did have a call from a member of the public. We visited the shop and asked him to remove it (the T-shirt) as it could be seen to be inciting racial hatred."
Holy little green apples. Was the spokeswoman fighting to keep a straight face when she said this? Racial hatred against whom? Indonesians? Scots? Gloucestersharians? Inuits? Criminals? If this had been the CSOs being a little over-zealous then I could almost understand this, but Gwent Heddlau backing up the action makes me despair for humankind. I can't help but feel that the late lamented Inspector Gadget was spot on here - this is what you get, and the mindset of people you end up hiring, when you create lots of comfortable REMF diversity-related jobs.

As a thought experiment, what if the shirt had said the same thing but in Welsh? What if it said "Obey our laws, stop claiming illegitimate expenses or get out of our Parliament"? Perhaps, to gather better data, Mr. Taylor should produce sample shirts with a range of variations on the theme, sit back and watch to see which ones the police make him remove. Better yet, his MP should back him up, tell him to reinstate the line at his convenience, and tell Gwent police and the local busybodies to take a running jump.

Someone who wasn't paying much attention in his "Life in the UK" test was Newport city councillor, Majid Rahman:

I believe in freedom of speech and defend his rights to say what he wants, but once it starts offending people then it's a police matter and it's up to them whether they think it's broken any laws.
Wow. Well, I'm offended by people claiming that Marmite tastes delicious. We should definitely refer the matter to the police for further consideration. I didn't realise that offending people was ipso facto grounds for a criminal complaint...


Illegal car sales

Thank goodness for the American legislature protecting the consumer from evil predations of private firms. North Carolina has taken a great step forward by aiming to make it illegal to buy cars online:

In North Carolina, a bill in the works would make it illegal to sell a car online. Can you imagine that? The black clad ninjas may be headed Tesla's way – not for ripping off taxpayers by forcing them to subsidize the making of economically untenable electric cars – but for how they are sold.
You can configure your Tesla online, submit your order online, and get your car delivered to your door. No salesman involved. No need to go to a dealership. No-one trying to stick his hand into your wallet, haze you about the car buying process, trick you into bad extended financing or warranty deals. How will the car salesweasels make a profitable living from you? The National Automobile Dealers Association (NADA) has been strenuously lobbying to protect its members' livelihoods. Of course, this means that anyone in North Carolina (or Texas, or Virginia) is going to have to jump through hoops to buy a Tesla, assuming they have the $60K-$90K necessary in the first place.

Eric Peters is quite clear on the future of car buying that Tesla portends:

Imagine how neat it would be if you could go online and shop for your next new car – your next new Chevy, Honda or whatever kind of car. Pick only the options you want, on an a la carte basis – not "bundled packages" heavily marked up. The price for the car – and each option – is right there, clearly stated. No bullshit. No deliberately obfuscatory paperwork. No haggling. No hassles.
And no middlemen.
The Internet is famously great at removing the middleman from transactions. Understandably, the middlemen aren't keen on this, but it's not the job of the legislature to protect the middlemen. Not unless they want to join the car salesmen, real estate agents and HMO administrators in being hanged from the nearest lamp post.

A Greek on Greeks

I was privileged to sit beside a rather interesting Greek lady on a flight the other day. Well into her 80s, she was flying back to the homeland to spend a few weeks with her family. Her sons had seen her to the airport, but she was otherwise making the multi-segment journey alone. She was a very self-possessed and chatty lady, and the otherwise tedious flight simply flew by as we talked. She made an excellent sales pitch to me for spending a vacation in the islands where she would be staying.

We got talking, and the topic of conversation turned to Greece itself. She had left the country several decades ago to live and work abroad, and had prospered there. She was in no doubt about why Greece was in its current state. "They just don't pay taxes," she explained. "There's no respect for the law." She personally knew of several people in her small Greek home town who went to the town hall each month to claim their state disability benefit for blindness, then happily drove back home. She was quite happy to pay taxes in her adopted country, and benefit from the relatively ordered society that those taxes funded, but was appalled at the mentality of consumption without contribution back in Greece.

While "anecdote" is famously distinct from "data" (except in the case of short stories about Brent Spiner) it seems that even the Greeks don't feel that the structure of current Greek society is particularly sustainable.