Tuesday, October 31, 2006

Disruptive change in military technology?

A few days ago I responded to Max Boot on military supremacy. He arrives at the right result for the wrong reason. Changes in military supremacy are almost without exception the result of economic forces rather than technology alone. If you don't have the economy you can't afford the technology either.

There is perhaps an exclusion to the rule and possibly even a combination of two current technological trends that may combine to create a blind spot for the US military machine. The politics of US military appropriations may be such that these create the equivalent of a 'disruptive change'.

The first trend is the use of unmanned weapons. Remote controlled drones are no longer limited to reconnaisance, armed with missiles they become a potent force.

Although the US is well positioned at the forefront of the development of robotic warriors it is much less well placed to deal with one of the consequences - automation and mass-mass production. The US is very good at producing relatively small numbers of exceptionally high technology military equipment. It is much less well suited to producing vast numbers of servicable arms. If the AK-47 Kalashnikov rifle had pushed the limits of manufacturing in 1949 it would not have been possible to built 100 million.

The politics of US military procurement ensure that when a contract is awarded for a weapon it will be awarded on the most favorable political terms. This generally means securing jobs in the districts of the politicians with the sharpest elbows and the most generous campaign contributors. Procurement rules intended to secure the lowest possible cost frequently end up inflating costs dramatically.

While there is little doubt that the US will be the first country to have a supersonic drone capable of intelligent independent action this may prove to be the wrong approach. It is likely that the more potent force will be to have a hundred thousand or a million slower, less intelligent, less powerful but expendable drones.

China has factories that can stamp out DVD players for $10 a time. When they start stamping out robot warriors by the million instead who will be the superpower then?

Max Boot on military supremacy

Max Boot muses on The Race for Military Dominance. As Eric Rescorla has pointed out he is mistaken in the examples he uses to assert that the key developments in computing came from individuals not working for the government. But this does not negate his main point that military supremacy tends to be an ephemeral condition.

The larger flaw in his argument appears to be his insistence on technology as the driving force rather than economics. The British Navy did not lose its dominance due to a failure to grasp the military importance of the Air Craft carrier. On the contrary the British Navy developed the concept as aggressively as any other world power. Britain lost its number one status in naval power because the British economy could not possibly continue to support it after the loss of the Empire which in the aftermath of World War II no amount of military force could possibly have prevented.

Choosing the Spanish Armarda as an example of a weak force defeating a strong one is strange to say the least. The Armada pretty much defeated itself the British Navy did little more than assist them. The Spanish invasion was based on a hopeless plan that depended on coordinating the action of two forces more closely that the communications technology of the day permitted.

The whole point of military supremacy is or at least ought to be not to have the need to put it to the test. It does not much matter if you are not the world superpower as long as everyone assumes that you are. Nor does possessing a greater strength than your opponents imagine help much in matters of defense.

A reasonable conclusion to draw from the US experience in Iraq is that it is no longer feasable for any nation to occupy another country with more than about five million inhabitants for any extended period of time. This is only a depressing conclusion if your military objective is not primarily defensive.

As to the grander thesis Boot advances; it is most unlikely that the US will remain the sole superpower but not because of technology or even economics but because of politics. In addition to smashing up the US military machines the neo-cons have unfortunately given other powers the incentive to compete. The economies of China and India will inevitably overtake the US economy in the very next couple of decades. The doctrine of pre-emptive war means that they must insist on being global powers.

The US government is certainly spending enough to expect to remain at the forefront of military technology but this may not guarantee success, an issue I will return to tommorow.

Push polling

John Dickerson finds Republican push polling efforts to be 'lame'

There have been many reports of push polling efforts so clumsy that one really does wonder who is behind them. If it is the GOP then they are really off their game. If the Democrats are using the polls to fire up their base they have suddenly found an extra helping of devious.

I don't think it at all likely that Democrats will turn out to be behind them but the very fact that the question can be asked shows how bad they are. The whole point of a push poll is to present partisan attacks as authoritative facts. Voters are unlikely to be fooled when they are asked about an opponents purported support for terrorists, pedophiles and rapists.

What seems to be going on here is that campaign finance reform is having an effect. Independent groups are not allowed to coordinate with the candidate's campaign. So when an independent smear operation goes off the rails there is no way to (legally) pull it back.

On the other hand Ken Blackwell, the bizzare Ohio candidate for Governor did accuse his opponent of supporting NAMBLA in person in a debate so maybe the push polls reflect the way that the GOP actually thinks about politics.

YouTube - The Chaser's War on Everything - Terrorism

Another Chasers episode that needs to be labelled 'don't try this at home'.

Monday, October 30, 2006

Slashdot | Venezuelan Interest In U.S. Voting Software

According to reports a Venezuelan company controls a leading provider of U.S. voting software [Slashdot]

While I very much doubt that electoral fraud is actually taking place this last news should surely cause concern. The idea that a corporation such as Diebold could hatch a plot to rig an election in their own country is not very credible. Corporations might have the technical capability to do such a thing but not the political will to act in concert without anyone reporting the activity to Law Enforcement.

The situation changes significantly when the proposition is to rig the election in a different country and changes entirely when the operation is being run by a government. The idea that a US company might have helped to rig the Nicaraguan elections during the Sandinista period is not at all far fetched. Given a reasonable chance of success the CIA would certainly have run such an opporation if the opportunity existed.

It is not at all farfetched to imagine that Chavez would attempt to rig a US election, any such attempt would be made through a front company and look very much like the current situation.

There are two ways to go about a remedy. The first is to try to regulate who is allowed to manufacture election machines for use in the US so that foreign ownership is prevented. In addition to being futile and expensive this would further fuel suspicions that there was a domestic attempt at ballot rigging.

By far the best solution would be to adopt a technology that is not as hopelessly insecure. In the UK we use a thing called a ballot paper and a pencil...

Friday, October 27, 2006

The Great Risk Management Debate

Arthur at Emergent Chaos joins in the argument Mark Rothman and Alex Hutton have been having on Risk Management.

As often happens trying to follow arguments on the blogosphere trying to work out who is arguing what is a bit like trying to find a bug in a large piece of code by looking at just the diff files.

I agree that Risk Management is a management task and needs to be separated from the task of managing devices. What I object to though is the assumption that management of a device is necessarily the task of a person.

Already the principle of Managed Security Services (MSS) is established as the way to run network security in medium to large sized enterprises. The risk manager sets the policy by considering the various business risks concerning the network. The policy is then enforced at the device level by the MSS team using a combination of manual and automated techniques.

The risk manager is thus interacting with their network at a much higher level of abstraction than Cheswick and Bellovin were working at two decades ago when they were chasing Berfd.

Another way to look at it is that Risk Management is not the same as Threat Control. Threat control is an objective process: we have a list of threats that are to be excluded, we apply controls to eliminate those threats (as far as is practicable). We can outsource Threat Control because it is objective.

Risk Management requires us to decide which threats are to be controlled and which are to be allowed. This is inevitably a subjective process because it involves the estimation of three sets of unknowable quantities, the value of the assets to be protected, the probability of loss, the cost of applying controls.

I don't see Alex, Mark or Arthur actually disagreeing on the principles here, I think that the reason they are engaged in their semantics debate is that they have one term and two distinct meanings.

Wednesday, October 25, 2006

Quebec turns against electronic voting

A report by the Chief Electoral Officer of Qu├ębec slams the electronic voting systems used in the Municipal Elections of November 2005 (via slashdot).

Concern over voting systems tends to be highest amongst those who have lost an election. Concern over electronic voting in the US has to date been almost exclusively the concern of Democrats. The opinion polls suggest that this is likely to change next month.

One of the main problems with the schemes is that the designers apparently fail to understand that the purpose of an election is to permit the peaceful transfer of power by convincing the losers that they have lost.

The principle concerns are auditability and transparency of the election. Except in a police state secrecy is a very low priority. It is very difficult to bribe or intimidate sufficiently large numbers of voters to swing an election without the activity attracting attention.

Despite the vast sums held on election gadgetry the US electoral system is spectacularly ad-hoc and ramshackle. There is no consistency from county to county let alone state to state. In statewide elections different voting machines with different failure rates are often used in different parts of the state. This should be utterly unacceptable and prohibited by federal law.

In the UK we do things differently. We use a paper and a pencil. The voter places a mark next to the name of the candidate they are voting for. After the close of polls the votes are counted by bank tellers. The process is understood by all the participants including voters, polling clerks and tellers. The standards for scruitineering are well established by a century of case law.

The UK system only appears to be more labour intensive because the time taken to count the votes is a clearly identifiable cost. The labour costs in the US system are largely hidden. The polling clerks must be trained in the use of the machines, the machines must be tested before and after each election.

If elections were held every week the cost benefits of electronic voting would be clear. When elections are held twice a year in alternate years it is impossible to recoup the startup costs.

Monday, October 23, 2006

Patents again

IBM is suing Amazon over some patents it owns [AP]

What caught my eye was this line: "IBM is the world's leading patent holder, spending $6 billion a year in research and development and earning about $1 billion a year in royalties."

In other words even IBM with the worlds largest patent portfolio makes only a modest sum from each patent and does not recover its R&D costs from patent licensing alone.

Sunday, October 22, 2006

More from the Chasers

Hmm, what do you think happens when a person tries to film a bridge or a nuclear power station? Does it matter how they dress?

Cow makeovers stop taxi crime, for a while

A taxi driver from Chile has his taxis decked out in a black and white cow motif. The idea being that the cabs are so garish and distinctive nobody will want to steal them. The scheme appears to be working, but like most schemes of this kind there is a catch, if everyone was to copy this strategy interior decor in synthetic cow hide would no longer be unusual and the deterrence value would be lost. [Video BBC News]

This is the reason why 'it works for me' does not mean that a scheme is going to be generally applicable as a plan to foil phishing or spam or other Internet crime issue of the day.

Thursday, October 19, 2006

Move showing dangers of Trojan Horse



[via Emergent Chaos]

Wednesday, October 18, 2006

Your tax dollars at work

This video shows British mercenaries in Iraq shooting at the local population for sport.

The video was posted to a site www.aegisiraq.co.uk purporting to be run by employees of the company. The company has denied responsibility and the domain name now points to the Aegis corporate Web site.

Saturday, October 07, 2006

Micro-Economics is to Macro-Economics as Quantum Physics is to ...

A recurring trope in politics is explaining the national economy as if it was a household budget. Magaret Thatcher was particularly good at this, her hustings schtick was to give presentations on the economy in gorcery stores.

Some (but not all) of the points Thatcher raised were valid. Deficit spending was one of the causes of the inflation of the 1970s and inflation was one of the causes of the recession.

But the comparisons can be misleading. National deficits have bad effects, household deficits have bad effects but the causes and effects are very different. There are even (rare) situations when a national economy should be spending more than it takes in. The inflation of the 1970s was caused by the money supply being too loose. The depression of the 1930s was caused by the money supply being too tight.

Economics works rather differently at the large and the small scale. This is very much like Quantum mechanics and Newtonian physics. In aggregate particles behave according to familiar laws. But something very different is happening at the level of the individual particles. As Feynman remarked, if you don't find Quantum mechanics wierd then you don't understand it. Particles are not particles at all, rather they are a random wave sort of affair with infinite extent that only interacts with other particles as discrete events.

The main difference between physics and economics is that in physics we are familiar with the problem in aggregate and must struggle to deduce the individual case, in economics the reverse is true.

In the 1930s Keynes invented the modern science of economics by applying the engineering science of control theory. While a large part of modern economics is complete bunk (not least their insufferable habit of turning simplifying assumptions into immutable laws) they do seem to have a better understanding of how the small scale effects lead to the large scale results. Collaboration across that divide could be mutually beneficial.

Tuesday, October 03, 2006

Firefox exploit hoax...

The widely reported 'zero day attack' on Firefox has been reported as a hoax (WaPost)

I am not at all suprised, people who report bugs to the media rather than to the software providers are suspect in my opinion. The days of 'full disclosure' should be behind us. It is not necessary to tell the bad guys how to exploit a vulnerability to get it fixed. Limited disclosure where the vulnerability is disclosed to major customers of the vendor is just as effective in putting pressure on the vendor to issue a patch but avoids making it easy for a hacker to turn the vulnerability into an exploit.

Some people are already reading into the debunking of this particular attack confirmation of their prejudice that open source code is automatically safe. Unfortunately the mere fact of publishing 4 Mb of source code does little to make it safe. Only expert review improves the security of code and that is rather harder to achieve.

The relative resilience of Mozilla owes rather less to being open source than it does to the software architecture. In particular the use of safety checked string handling routines rather than the notoriously buggy and buffer-overun prone UNIX string handling routines. C# and Java represent a further step forward, managed code makes it even easier to avoid buffer overuns.

But even the most resilient code will do little to eliminate the biggest security problem in the system - the user. We still need to solve the problem of designing security interfaces people can use.

Patchguard

Symantec and McAfee have been griping about patchguard again. But all patchguard does is to protect the kernel against modification, anti-virus products are still supported and there is an entire filtering infrastructure provided that allows anti-virus to work without hooking the kernel. Robert McLaws does an excellent job of separating fact and fiction here.

I don't run AV on my personal machines. I find that the machines become markedly less stable and considerably slower with the AV installed. The major reason for that is that the AV programmers are hooking the kernel to implement their systems. The people doing this don't have the kernel sources, they only have a limited understanding of the kernel architecture.

McLaws points out that there is a fully documented filtering API in Vista and that the Microsoft products run on top of the filtering API. Not only is this more efficient, it is less likely to lead to system problems as unknown third party code interacts with the kernel.

It appears that the real reason that McAfee and Symantec are complaining here is that Microsoft has made it too easy for competitors to implement AV in Vista. Meanwhile they will be forced to rewrite their AV engine to work on the new platform which will cost them money.

There is a history here that the McAfee and Symantec management should remember. Long ago in the distant past there were two companies that were king of the word processor and spreadsheet software markets. The reason that Lotus and WordPerfect lost their market clout was their failure to support the new Windows platform when it was released. Instead management sat twiddling their thumbs waiting to see whether OS/2 or Windows would be the eventual winner.

IBM and Microsoft both spent considerable time and effort trying to persuade Lotus, WordPerfect to support their platform and both were rebuffed. One of the (many) reasons that Microsoft won was that they were able to provide a decent Word processor for Windows by porting the product they had previously written for Macintosh.

McAfee and Symantec are in a very similar position. They have a cash cow that dumps a huge amount of cash into their corporate coffers each year. Doing the job right on Vista would cost a tiny fraction of that revenue.