Telephone Captcha

Something called during dinner yesterday.  I hung up almost immediately, but commented to the family that it is getting harder to quickly identify recorded calls.

My 16 year old Andrew remarked that I should ask for the answer to 1 plus 1.

He’s invented telephone captchas!  When you get a call and you can’t quite tell if it is a person, ask them a math question.  If you don’t get an immediate correct answer, hang up.

There’s a subset of robo callers with a recording that pauses in almost human places, and makes small talk about your expected answers.  I find this trend alarming and suspect it takes in lonely seniors pretty well.

Personally, I’ve gotten to where I don’t bother talking any more: if there is any sort of a pause after my hello, or anything recorded or that I can’t interrupt, I just hang up.  As they get better though, I’m going to use telephone captchas.


Meltdown and Spectre

The technically inclined can read the papers at Meltdown and Spectre but I will try for a less technical explanation.

Processor chips are supposed to be able to run multiple programs at once, while keeping the data of each program secret from the others. There is a special privileged program, called the operating system kernel, that coordinates all the activity. The kernel is necessarily allowed to read the data of any user program.

This isolation between the data of different programs, and between the secret data of the kernel and that of all user programs, is done by something called virtual memory. VM gives each program the illusion of a private memory space while in fact all the programs are using bits of the underlying real memory in a way coordinated by the kernel.

A user program simply does not have any way to ask for the contents of arbitrary real memory (and thus be able to read the secrets of other programs). The memory of other programs is not present at all in the virtual memory of the attacker.

The relation between the user programs and the OS is a little different. For convenience, the kernel usually has the entire physical memory “mapped” in its own virtual address space, and the kernel’s virtual space is also present in the virtual space of every user program. This is not supposed to be a problem because the kernel part of the memory is marked “kernel use only” and that restriction is enforced by the hardware. If a user program tries to read kernel memory, the hardware says “nope!”.

All this is just background.

Meltdown is a way for user programs to read kernel virtual memory, even though they are not supposed to be able to do it.

Spectre is a way for user programs to read the virtual memory of other user programs, even though they are not supposed to be able to do it.

Virtual memory is only one of the ways in which processors present a view that is different from the underlying reality. Another is the so called “architecture”. Most PCs have an architecture called x86, due to Intel. AMD also makes chips with an x86 architecture. The architecture is the stuff that is visible to a program: instructions, registers, memory, and so forth. The general outline of a computer architecture is that of a central processing unit, containing registers and instructions, which talks to a memory unit, containing data. Neither of those things is true any more, and hasn’t been for 30 years.

Memory isn’t simply memory anymore! If you’ve looked inside a PC, you’ve seen those flat rulers with chips on them plugged in edgewise to the motherboard. Those are main memory. That part is true. The problem is that they are way too slow. It can take 60 to 100 nanoseconds to get data from main memory. In that time, the CPU can execute maybe 200–300 instructions. Something had to be done. Inside the CPU chip, there are smaller faster memories called cache. They automatically hold the most recently accessed and most frequently accessed data from memory. This works because programs tend to access the same stuff over and over and also to access nearby stuff.

CPUs aren’t just CPUs anymore! Executing a single instruction involves a 5–10 step process: fetching the instruction, decoding what it means, fetching the data it needs, maybe doing some complicated arithmetic, and storing the answer back where it goes. If CPUs did these things one at a time, they would be too slow, so the operations of many instructions are overlapped in a pipeline of work. It turns out that this is not nearly enough speedup, so many modern CPUs execute instructions “out of order”. They look ahead at instructions that are coming up and do as many as they can, even though earlier instructions have not finished. In order to avoid vast confusion, instructions are only allowed to finish in order, with “later” results being held in temporary storage until earlier instructions finish, even though all the work for the later instructions has already been done. Modern CPUs also engage in “speculative execution”, which means they actually guess at what instructions will need to be executed sometime in the future and do them right away. Things like this happen due to IF THEN ELSE instructions in the program that could cause different instructions to execute. The CPU doesn’t really know which way the IF THEN ELSE (called a branch) will go, so it makes a very well educated guess.

Out of order and speculative execution are especially interesting due to those long memory delays. The CPU can be thinking about and running instructions several hundred instructions ahead of the “commit point”.

None of this violates the architectural rules. The program doesn’t see the results of instructions that were never supposed to execute, and can’t read memory it is not entitled to see…. Well it turns out it can.

The trick of Meltdown allows a program to read kernel virtual memory even though that is forbidden. The Meltdown program, by some modest bluffing, tricks the CPU into speculatively executing a read from kernel memory and then using the result to choose which data to read from user memory.

The results of these reads are never reported to the user program, and in fact by the time the program logic gets to that point, the CPU knows the read would never have been executed anyway, so it doesn’t even produce the exception that would normally happen when a user program breaks the rules and tries to read kernel memory.

But… in the underlying physical machine, the microarchitecture, the reads from memory did happen, and that data was read into the caches we talked about earlier.

The user program can then measure how long it takes to read each location in the user memory and figure out that one of them is a lot faster than the others.  That one is the one that was already brought into cache by the read that was never supposed to happen.

In short, the CPU speculatively executes a forbidden instruction, and leaves faint echoes in the timing of reading different memory locations, and those echoes permit the Meltdown attack to read, pretty quickly and reliably, secret data from the OS kernel.

Spectre is even more subtle.  In Spectre, a user program can affect the behavior of a different user program by tricking the processor into speculatively executing a read whose address is under control of the attacker. The program being attacked would never do this normally, and doesn’t even find out about it, because all the speculative work is thrown away. However, in the underlying hardware, the read did happen and leaves some of those faint echoes in the form of detectably different timing of events that the attacker can measure.

Spectre can work in at least two environments but the important case affects web browsers.  Web browsers run programs downloaded from web sites that are written in a language called Javascript.  These programs are known to be suspect, since really, one shouldn’t trust anything found on the internet.  Javascript programs are run in a very constrained “sandbox” that they are not supposed to be able to get out of, nor are they supposed to be able to access data outside the sandbox.  Spectre allows a Javascript program to read data outside the sandbox and potentially read passwords or other secret data stored elsewhere in the web browser.

None of this is new, unfortunately!  Processor chips have had the features that enable Meltdown and Spectre for over 20 years, and they went unnoticed.  Fortunately, Meltdown is relatively easy to fix in software, at some cost in performance, by patching the operating system.  If kernel memory is not mapped into user space, even with protections, then the user program cannot learn anything.  Spectre is harder to fix and at present seems to require patching every program individually that you wish to protect.  And this is the good news!

This business of computers leaking information by subtle changes in timing that can be caused by and measured by an attacker is a kind of thing called a “Side Channel Attack” in the security business.  Unfortunately, there is no general way to protect against side channel attacks.  All that anyone knows how to do is to limit the rate at which the attacker can steal data.  That’s good if you are trying to prevent the theft of something big, like a digital movie, but it doesn’t really help if you are trying to prevent the theft of something small, like a password.

Already in the month or so since Meltdown and Spectre came to light we have additional problems, such as “Meltdown Plus” that exploits a completely different microarchitectural mechanism.

It may be that the only thing to do is to have multiple small CPUs that are really quite independent, so you never, never run untrusted software on the main processor, but only in a private little machine that shares nothing.
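The operating-system fix described above, keeping kernel memory out of the user page tables, is what Linux calls PTI, and since kernel 4.15 Linux reports its Meltdown and Spectre mitigation status in sysfs. The script below is an added example, not part of the original post: the sysfs path and the status strings ("Not affected", "Vulnerable", "Mitigation: ...") are the kernel's own, while the function names and the sample report lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: read the Linux kernel's own report of whether the Meltdown and
# Spectre mitigations are in place. Linux 4.15 and later expose one file per
# issue under the directory below; each holds one line such as "Not affected",
# "Vulnerable" or "Mitigation: PTI" (PTI = the kernel/user page-table split).
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE -> prints one of: safe | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo safe ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_issue NAME LINE -> prints a one-line summary; returns 1 when the kernel
# reports the issue as still exploitable, so a deployment script can gate on it.
report_issue() {
    class=$(classify_status "$2")
    printf '%-14s %-10s %s\n' "$1" "$class" "$2"
    [ "$class" != vulnerable ]
}

# check_host -> walks the sysfs directory; the exit status is the number of issues
# reported as Vulnerable (or 1 if the kernel predates the interface).
check_host() {
    bad=0
    if [ ! -d "$VULN_DIR" ]; then
        echo "$VULN_DIR missing: kernel older than 4.15 or not Linux" >&2
        return 1
    fi
    for f in "$VULN_DIR"/*; do
        status=$(cat "$f" 2>/dev/null || echo unreadable)
        report_issue "$(basename "$f")" "$status" || bad=$((bad + 1))
    done
    return "$bad"
}

# demo -> constructed sample lines in the kernel's format, so the classification
# can be seen without depending on the machine this runs on; returns the count of
# lines classified as vulnerable (exactly one in this sample).
demo() {
    bad=0
    report_issue meltdown   "Mitigation: PTI"                    || bad=$((bad + 1))
    report_issue spectre_v1 "Vulnerable"                         || bad=$((bad + 1))
    report_issue spectre_v2 "Mitigation: Full generic retpoline" || bad=$((bad + 1))
    report_issue l1tf       "Not affected"                       || bad=$((bad + 1))
    return "$bad"
}

# Run directly: show the constructed sample, then this machine's actual status.
demo || echo "sample: $? issue(s) reported Vulnerable"
check_host || echo "host: $? issue(s) reported Vulnerable (or interface missing)"
```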

Dr. Anita Kurmann

On August 7, 2015, Anita Kurmann was cycling on Massachusetts Avenue in Boston and was killed by a truck making a turn onto Beacon Street.

This week Boston Police cleared the driver of wrongdoing.

https://www.bostonglobe.com/metro/2018/01/23/bicycle-group-says-tractor-trailer-driver-was-responsible-fatal-back-bay-bike-crash/uew2Cau2d3hcqvpC5JyqkL/story.html

The thing is, that if Dr. Kurmann did nothing wrong, and the driver did nothing wrong, then the rules of the road are not adequate.

It seems to me very reasonable to ask for sets of rules for bicyclists and drivers, such that if both parties follow the rules, then no one is killed.  Boston Police may be correct and the driver was not at fault, but if they are then the rules are wrong.  Where is the effort to fix the rules?  Where are the BPD recommendations for drivers and cyclists and the city?

Maybe it’s as simple as not driving 40′ tractor trailers on city streets without flagmen and escorts.

In view of the power imbalance between motor vehicles and bicycles, in my view, if a motor vehicle hits a cyclist while the cyclist is in a legal spot, then the driver of the motor vehicle is at fault.  This is similar to the rules about rear end collisions.  If you smash into the back of a car, you are at fault.  Either you weren’t paying attention or you were tailgating to start with. Full stop.

I’m a little sensitive to these issues because I used to commute 36 miles a day into Cambridge and I’ve had my share of idiot drivers.

Swatting

On December 29, 2017 Andrew Finch was killed by police. He was an unarmed innocent man who made the mistake of answering his front door when Wichita police surrounded his house.

Much has been made of the culpability of Tyler Bariss, who made a false police report that led to the event, and I agree with it. Bariss is essentially guilty of murder and has to be held to account.

However, the officer who killed Finch is also guilty.  He was too frightened, or too incompetent, to do his job without killing an innocent man.  So far, the Wichita police have disclaimed any responsibility and are trying to blame everything on Bariss and Finch himself. The officer has not been named, probably because his feelings would be hurt by being in the newspaper.

According to the Washington Post (https://www.washingtonpost.com/graphics/national/police-shootings-2017/), police killed around 1000 civilians in 2017.  68 of them were unarmed. No one keeps any statistics on swatting incidents.

At the same time crime is at its lowest point in decades, the police are more militarized than ever.

Police face almost no accountability for violations of civil rights and under current law are almost impossible to sue for damages.

It seems fairly clear that changes are needed.

  • Swatting needs to be a serious crime in all 50 states
  • The “Reasonably scared cop” rule of Graham v Connor must be changed so that officers are held accountable
  • Qualified Immunity must be changed, so that Police, departments, and towns can be sued when people are harmed by their actions.

I don’t care if an individual policeman can’t be sued due to qualified immunity, they can’t afford to pay damages anyway.  Departments and towns however can, and it may be that repeated large settlements in court may be the only way to keep cities and towns from giving guns to the sort of officers who kill the people they are supposed to protect.

It also wouldn’t hurt for congress to actually do their job and write laws that correct bad judicial results like Graham and qualified immunity.


Congress and Sexual Harassment

I’ve sent the following to my representative and senators.  They are all democrats so who knows how much good it will do.

I am outraged to learn about the secret fund, paid for by taxpayers, that is used to settle sexual harassment claims against members of congress.

I would like you to publicly commit to ending this practice. It is shameful.

Further, I would like legislation that makes a non-disclosure agreement that is part of a sexual harassment settlement non-enforceable with regard to illegal conduct revealed to law enforcement.

I think it should be clear to everyone how evil it is for congress to settle claims against members, and make us foot the bill.  Congress has a habit of exempting itself from laws and the practice should stop everywhere, but it should certainly not extend to free settlements.  (And don’t get me started about tax returns.  Members should be required to do their own taxes and every one should be audited every year.)

Regarding non-disclosure agreements, frankly I don’t know what to do about these quiet settlements.  It may be the only recourse people have, given the typical reluctance of law enforcement to pursue predators, but if those attacked are successfully silenced, then the powerful and entitled predators are free to attack others.


The Estate Tax

At present, the federal estate tax maxes out at 40% of the amount of an estate over 10 million dollars.  Almost no one pays it, because of the large exemption.

The best argument I’ve heard against the estate tax is that if the bulk of the estate is something that is not liquid, like a farm or a business, there may be no way to raise the money to pay the tax without selling the family farm or the family business.

For those with more liquid assets like stocks and bonds and a dozen houses, well, the estate tax isn’t that big a deal.  Here’s why.

Estates change hands about every 25 years, which arguably is the length of a generation.

The long term average appreciation in the stock market is around 7%.  In 25 years, a stock market investment might grow by 5x.  If you start with 20 million, in 25 years you will have about 100 million.

With the estate tax, your notional 20 million drops to only 16 million, because 10 million is exempted and you pay 40% of the rest.

After 25 years, that 16 million would only increase to 86 million.

In this case, the estate tax cost the equivalent of about 4 years of growth.

Even if the exemption were zero, the estate tax would represent about 8 years of growth every 25 years.  The fortune just keeps growing.

Of course this analysis is true only if you just leave the money in the market.  Historically, fortunes last about three generations before being diluted and generally squandered.  However, once you get into serious money, it is kind of hard to spend enough to keep the rest from growing to infinity.

If the policy objective of the estate tax is to prevent self sustaining multigenerational fortunes, it doesn’t accomplish its purpose.  However it does kill those family farms and family businesses.  What might be done?

Idea 1: Make the estate tax payable over a generation, rather than as a lump sum.  In effect, this is a wealth tax, rather than an estate tax.  If my figuring is right, the 40% estate tax applied every 25 years is very close to a 1.3% wealth tax applied annually.  This has the same effect on cash estates, but might be manageable for those family farms and businesses. Like the estate tax, this would apply only to wealth over 10 million.

Idea 2: Bump the tax rate on income for the 1% to raise the same amount of money.  Evidently, the estate tax raises about 20 billion per year. In 2014, an income of 465,000 put you in the 1% and the average income of the 1 percenters was 1.2 million, and there were about a million 1% households – that is 1.2 trillion in income, and the income tax surcharge to replace the estate tax would be . . . 1.6%

These two ideas are not that far apart.  On the whole a 1.6% income tax surcharge is easier, because income is reported, and wealth is (a) not reported and (b) often consists of unrealized gains.

All this leaves unresolved the question about the policy goal.  Is the estate tax or a possible replacement just a way to pay for government? Or is it really intended to reduce income or wealth inequality?  If the latter, we need a much larger discussion about how to accomplish the goal, because the estate tax doesn’t do it.  Repealing the estate tax will surely make inequality worse, but keeping it only slows down increases in inequality, and not by that much.


Credit Freezes

It is possible to place a “credit freeze” on one’s account at the credit reporting companies.  The major ones are TransUnion, Equifax, and Experian.

A freeze prevents other companies from doing credit checks on you, which generally prevents them from opening accounts in your name.  This is important because the way that identity thieves monetize their theft is to open credit and bank accounts in your name, that you don’t even know about.

At present, credit freezes are governed by individual state laws that range all over the map.  In Massachusetts, a victim of identity theft with a police report can get a credit freeze for free, but everyone else must pay $5 to each agency to place a freeze and another $5 to lift it, even temporarily, to apply for credit.

In view of the recent Equifax breach which revealed the private information of millions of Americans, it is clear that the credit reporting industry itself cannot be trusted to keep personal information secure.

I propose that credit freezes and credit monitoring be made free for everyone.  I would go further and suggest that a credit freeze should be the default state, but I suspect that would just destroy the whole industry (is that a bad thing?)

Since companies cannot keep private information secure, the alternative seems to be to devalue the information.  Credit freezes help do that.

This will require state by state or federal legislation.  I have just contacted my state representative and senator here in Massachusetts, as well as my representative in congress and both senators, requesting that they sponsor and support such legislation.

I recommend that you do the same.

Here’s what I sent Representative Clark:

I am Lawrence Stewart, of XXX.

In view of the recent Equifax breach which revealed the private information of millions of Americans, including 3 million Massachusetts residents, it is clear that the credit reporting industry cannot be trusted to keep personal information secure.

At present, the best defense against identity theft is a credit freeze, which prevents companies from doing credit checks without your permission.  This stops identity thieves from opening accounts in your name.

Credit freezes are governed by a conflicting mess of state laws.  Generally someone who has been a victim of identity theft can request a freeze for free, but the rest of us have to pay for the privilege of protecting our credit to the very companies that caused the problem through their negligence.

I urge you to introduce or support legislation to make credit freezes free for everyone. It is the best way to hold industry accountable for their actions and the best way to protect the citizens from identity theft.

Chuck Thacker

Chuck Thacker died yesterday, and the world is poorer for it.

Chuck won both the Draper prize and the Turing award. He’s been described as “an engineer’s engineer”, epitomizing Antoine de Saint-Exupery’s remark that “Perfection is achieved not when there is nothing more to add, but when there is nothing left to take away.” He established a track record of simple, beautiful, and economical designs that is exceedingly rare.

Over the last day I’ve been struggling with how to explain Chuck to non hardware engineers.  He could achieve amazing results with fewer components than anyone else and yet after the fact, mere mortals could understand what he had done.  But he also understood the physics and technologies very well, and knew just where to apply the unusual part or custom design to make the entire project coalesce into a coherent whole. If you are a software developer, think of Chuck as someone like Niklaus Wirth who invented Pascal. If you are an aviation buff, think of Chuck as someone like Kelly Johnson who designed the SR-71. Chuck really was at that level.

I had the privilege to work directly with Chuck on three different computer system designs.  I was a coauthor on several papers with Chuck and coinventor on a networking patent, so I suppose my Thacker number is 1.

I first met Chuck Thacker when I was a summer intern at Xerox PARC in 1977.  We both joined Digital Equipment’s Systems Research Center, working for Bob Taylor, in 1984.  At SRC, Chuck led the design for the Firefly multiprocessor workstation.  I wrote the console software for the 68010 version, and designed the single and dual microvax CPU modules. I wanted to add sound I/O to the Firefly and Chuck helped me figure out how to do it by adding only three chips to the design for the display controller.

Later at SRC Chuck launched the idea of the “Nameless Thing” which was to be a liquid immersion cooled computer built around an ECL gate array running at 200 MHz.  I worked on the first level caches, to be built out of 1.2 nanosecond Gallium Arsenide static rams.   We had to rewrite the CAD tools to get sensible board layouts that could run at those speeds.

NT was never built because it was overtaken by the Digital Semiconductor Group’s design of the first Alpha processor. Chuck led a team of Digital Research folks to build development systems for the Alpha chip.  The effort was credited with advancing Alpha’s time to market by about a year. At the time, Digital had a standard design for multiprocessor systems based on the “BI” bus.  The specification ran to over 300 pages.  Chuck was incredulous, and worked out a design for the Alpha Development Unit multiprocessor bus that was 19 pages long.  The Alpha EV-3 and EV-4 chips were very unusual in that they could be configured for either TTL signaling on the pins, or ECL signaling.  The ADU became an unrepentant ECL design.  Strict adherence to ECL transmission line signaling and a complete disregard for power consumption allowed for exceedingly fast yet low noise signaling.  Chuck designed the bus and the memory system.  If I remember correctly, he commissioned Gigabit Logic to build custom address line drivers so that the memory would meet timing.  Dave Conroy designed the CPU module, and I designed the I/O module.  I recall that SRC built the chassis and ordered cables for the 400 amps of -4.5 volts from a local welding shop.  They asked “what kind of welder needs 18 inch cables?”

I learned a tremendous amount from Chuck’s economy of design and from his ability to make hardware vs software tradeoffs to achieve simplicity.  I also learned that it was completely allowed to rewrite all the software tools to make them do what you want.

Chuck was a “flat rock engineer”, in his own words.  The reaction of such a person to a new project is to first rub two rocks together to make a flat working surface. He was a lifelong opponent of complexity, not only in hardware, but in software as well, remarking that unnecessarily complicated software was apt to collapse in a rubble of bits – a phrase I adopted as the title of this blog.

Chuck Thacker was unique, and I deeply mourn his passing.  Evidently he didn’t wish a memorial service, but I think the duty falls on all of us to edge our designs a little closer to simple, elegant, straightforward, and beautiful.


Bob Taylor

Robert W. Taylor died yesterday.  While working at ARPA, he funded the work that led to the Internet.  He managed the legendary Xerox PARC Computer Science Lab, where the Alto and the Ethernet were created. He won the National Academy of Engineering’s Draper Prize. You can read about these things more elsewhere.

Bob Taylor hired me, with my new PhD, into CSL.  Later, he hired me again, at the Digital Equipment Systems Research Center.  I learned not everything I know, but quite a lot of it, on his watch. Bob had the special genius of assembling groups of people who could invent the future.

At Xerox, the weekly group meetings were called Dealer, as in Dealer’s choice.  The speaker set the rules.  The culture was for the audience to do their level best to challenge the ideas.  Bob talked about civility, and about the necessity of “turning type one disagreements into type two disagreements”.  A type two disagreement is where each party understands and can explain the position of the other.

I was first exposed to CSL as a research intern while a graduate student. On either side of my office were Dave Gifford and Eric Schmidt. When I graduated, I turned down a couple of faculty appointments to stay at CSL. There was no place else that had the same concentration of talent and the freedom to build new things.  Both of those factors were the work of Taylor.  He felt his job was building the group and building the culture, then defending it from outside influence.

In 1984, corporate finally got the best of him and Taylor left to start the Systems Research Center at Digital Equipment.  I was number 24 to quit and follow him.  Against all odds, Taylor repeated his success and built another outstanding research group at Digital.  Occasionally, some dispute or other would arise, and folks would go complain to Bob.  He had a plaque on his wall “Men more frequently need to be reminded than informed.”  Bob would gently remind us of the rules of disagreement.

It’s not well known, but Taylor was from Texas and a little bit of the Lone Star State followed him around.  One time, Dave Conroy and I had succeeded in getting a telephone audio interface running on our lab-built Firefly multiprocessor workstations, and mentioned it on our way out to lunch.  When we got back, we found Taylor had dialled in and left us a 30 second recording.  Dave and I knew this had to be preserved, but the test program we had had no code to save the recording!  Eventually, we sent a kill signal to create a core dump file and fished the recording out of the debris.  Here’s Bob Taylor:


Carmen Ortiz to step down

Carmen Ortiz, the US Attorney in Massachusetts, is leaving.  I am glad she is leaving, but she should never have been appointed or confirmed.  She should have been fired in January 2013, after she and her henchman Steven Heymann caused the death of Internet activist Aaron Swartz through extreme over-prosecution of a “crime” that was at most civil disobedience.

Here’s what I wrote at the time:

http://larry.stewart.org/2013/01/13/aaron-swartz/

Here’s what the Guardian had to say:

https://www.theguardian.com/commentisfree/2013/jan/16/ortiz-heymann-swartz-accountability-abuse

Ms Ortiz now says (quoted in the Boston Globe here:  https://www.bostonglobe.com/metro/2016/12/21/attorney-carmen-ortiz-announces-resignation/fV7IJmesqOU8SEYd1pylEO/story.html )

“I feel tremendous sorrow for what his family has gone through,” Ortiz said Wednesday.

“I regret I wasn’t able to identify that situation early on and we didn’t have that opportunity to have that go on a different path because a young man at the end of the day did lose his life.”

I am hopeful that Ms Ortiz will never be in a position again to cause the death of another shining star, or indeed anyone.  As US Attorney, she was much more interested in personal power and headlines than justice.  US Attorneys have little oversight and no accountability and many of them are not up to the job.  Carmen Ortiz was one. For myself, I will not forgive or forget her actions.

She will be moving on, but Aaron Swartz is still dead.