Friday, May 27, 2005

Security costs money; it's cheaper for banks to pay the crooks.

PBS | I, Cringely. May 26, 2005 - Phish or Phisher?

Cringely tackles phishing scams, and he's sufficiently impolitic to point out why credit card companies and banks don't fuss about this fraud:
Another problem is that a large group of phishing victims -- banks and credit card companies -- don't want to publicize their losses, which might lead to a loss of business as customers start to worry about being victimized. But it goes even further, because the financial institutions are only on the hook for reported thefts. So by not making a big deal of it, maybe you won't notice that extra $30 charge and won't demand that your credit card company cover the loss. Being upfront about phishing could easily double corporate losses because of it by forcing these outfits to actually assume the risk that they say they'll assume.

So nobody talks about it, and the costs of phishing are generally hidden in the average eight percent that credit card companies figure they'll lose through theft, bankruptcies, etc. In a business with interest charges often going above 20 percent, phishing is tolerable...
This has been true forever. When credit cards started being used outside of brick-and-mortar settings, fraud and identity theft exploded -- but the costs of fraud are still much less than the costs of preventing fraud. Especially if the victims don't notice their losses.

It's no different with checks. Check fraud is a very common crime, but in general the banks and police don't bother to bring these cases to court. It's just not worth the hassle -- for them.

Of course we bear the costs, but that's another story. Happily there are plausible solutions:

... Thinking there must be a better solution I contacted Max Levchin, who used to chase phishers for a living as co-founder and CTO of PayPal, a company he left a few months after it was bought by eBay back in 2002.

"The way to nail phishing," says Max, "is for the companies being impersonated to offer cash bounties -- to the first person to report the incident, the first person to call the free host and take down the site, the first person who figures out the identity of the perp. This would mean admitting that the matter is much more serious than most people realize, but that's going to have to happen, sooner than later, if columns like yours continue to give coverage to the matter. On the other hand, it's peanuts, financially, for the companies involved. There is the adverse selection problem -- why not set up phishing sites, report them, and collect the bounties? -- but it's easy to mitigate this by making the pay-outs contingent on all kinds of personal information from the good samaritan, and making the bounties really significant financially only when criminal charges are brought against the perpetrators. In fact, about a year ago, I was thinking of starting a site that would be an independent agency, holding the bounty money in escrow, ensuring the actual payments, and providing the war-room-style up-to-the-second information about what the latest phishing scams were. In the end, I decided this was a project not too different from my PayPal work, and I could do more fun things with my personal time, but still think the idea is sound."

Race as a collection of genes that travel together

The New York Times > Opinion > Op-Ed Contributor: A Family Tree in Every Gene

The thesis of the article is that genes tend to travel together and that it's possible to assign a human being to a geographically isolated population in which that gene set was very common. That assignment group can be called a "race" (actually, from the article, it might even be a "tribe" or "extended family"), and this theory is a statistical (rather than cultural) model of "race".

This makes sense to me. I've been skeptical of passionate statements that "race does not exist" -- they reminded me of the earnest statements that "intelligence is not genetically determined". Well intentioned, but unpersuasive.
The New York Times
March 14, 2005
A Family Tree in Every Gene
By ARMAND MARIE LEROI

Armand Marie Leroi, an evolutionary developmental biologist at Imperial College in London, is the author of "Mutants: On Genetic Variety and the Human Body."

... The dominance of the social construct theory [jf: of race, vs. the genetic theory] can be traced to a 1972 article by Dr. Richard Lewontin, a Harvard geneticist, who wrote that most human genetic variation can be found within any given "race." If one looked at genes rather than faces, he claimed, the difference between an African and a European would be scarcely greater than the difference between any two Europeans. A few years later he wrote that the continued popularity of race as an idea was an "indication of the power of socioeconomically based ideology over the supposed objectivity of knowledge." Most scientists are thoughtful, liberal-minded and socially aware people. It was just what they wanted to hear.

Three decades later, it seems that Dr. Lewontin's facts were correct, and have been abundantly confirmed by ever better techniques of detecting genetic variety. His reasoning, however, was wrong. His error was an elementary one, but such was the appeal of his argument that it was only a couple of years ago that a Cambridge University statistician, A. W. F. Edwards, put his finger on it.

The error is easily illustrated. If one were asked to judge the ancestry of 100 New Yorkers, one could look at the color of their skin. That would do much to single out the Europeans, but little to distinguish the Senegalese from the Solomon Islanders. The same is true for any other feature of our bodies. The shapes of our eyes, noses and skulls; the color of our eyes and our hair; the heaviness, height and hairiness of our bodies are all, individually, poor guides to ancestry.

But this is not true when the features are taken together. Certain skin colors tend to go with certain kinds of eyes, noses, skulls and bodies. When we glance at a stranger's face we use those associations to infer what continent, or even what country, he or his ancestors came from - and we usually get it right. To put it more abstractly, human physical variation is correlated; and correlations contain information.

Genetic variants that aren't written on our faces, but that can be detected only in the genome, show similar correlations. It is these correlations that Dr. Lewontin seems to have ignored. In essence, he looked at one gene at a time and failed to see races. But if many - a few hundred - variable genes are considered simultaneously, then it is very easy to do so. Indeed, a 2002 study by scientists at the University of Southern California and Stanford showed that if a sample of people from around the world are sorted by computer into five groups on the basis of genetic similarity, the groups that emerge are native to Europe, East Asia, Africa, America and Australasia - more or less the major races of traditional anthropology...

...Yet there is nothing very fundamental about the concept of the major continental races; they're just the easiest way to divide things up. Study enough genes in enough people and one could sort the world's population into 10, 100, perhaps 1,000 groups, each located somewhere on the map. This has not yet been done with any precision, but it will be. Soon it may be possible to identify your ancestors not merely as African or European, but Ibo or Yoruba, perhaps even Celt or Castilian, or all of the above.

... The billion or so of the world's people of largely European descent have a set of genetic variants in common that are collectively rare in everyone else; they are a race. At a smaller scale, three million Basques do as well; so they are a race as well. Race is merely a shorthand that enables us to speak sensibly, though with no great precision, about genetic rather than cultural or political differences...
A statistical model of "race" implies a (pardon the language) sort of n-dimensional "bell curve". Imagine a 'gene-space' consisting of (say) 100 or so marker gene values. If we treat this as a 100-dimensional space, then an individual human appears as a point in it. If we add a dimension for frequency, we may "see" (humans aren't good at visualizing 100 dimensions -- pending our upgrades) "mountains" in the space. Those are "races". Most of us are somewhere on the flank of a mountain, but there ought to be (how can one resist the word) "pure" folk at the peaks.
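The argument in the quoted op-ed (each feature on its own is a poor guide, but correlated features taken together carry information) can be shown with a small simulation. The following is an added example, not code from the Times piece or from this post: it constructs two hypothetical populations, "A" and "B", with 100 synthetic markers whose allele frequencies differ only slightly, then computes Lewontin's within-group share of variance, the accuracy of classifying on one marker at a time, and the accuracy of classifying on all markers at once. The population sizes, frequency ranges and the shift parameter are all constructed; no real genetic data is involved.

```python
import random

N_MARKERS = 100      # constructed: number of synthetic marker genes
N_PER_GROUP = 200    # constructed: individuals sampled per population
SHIFT = 0.15         # constructed: per-marker allele-frequency difference between A and B


def make_populations(n_markers=N_MARKERS, n_per_group=N_PER_GROUP, shift=SHIFT, seed=7):
    """Sample genotypes (0, 1 or 2 copies of an allele per marker) for two
    hypothetical populations whose allele frequencies differ only slightly."""
    rng = random.Random(seed)
    freq_a = [rng.uniform(0.3, 0.7) for _ in range(n_markers)]
    freq_b = [min(0.95, max(0.05, p + rng.choice((-shift, shift)))) for p in freq_a]

    def sample(freqs):
        return [sum(rng.random() < p for _ in range(2)) for p in freqs]

    group_a = [sample(freq_a) for _ in range(n_per_group)]
    group_b = [sample(freq_b) for _ in range(n_per_group)]
    return group_a, group_b


def variance(values):
    mean = sum(values) / len(values)
    return sum((v - mean) ** 2 for v in values) / len(values)


def within_group_share(group_a, group_b):
    """Lewontin's statistic: the fraction of each marker's variance that lies
    within the two groups rather than between them, averaged over markers."""
    shares = []
    for j in range(len(group_a[0])):
        col_a = [x[j] for x in group_a]
        col_b = [x[j] for x in group_b]
        total = variance(col_a + col_b)
        within = (variance(col_a) + variance(col_b)) / 2   # equal group sizes
        shares.append(within / total if total else 1.0)
    return sum(shares) / len(shares)


def centroid(rows):
    return [sum(r[j] for r in rows) / len(rows) for j in range(len(rows[0]))]


def nearest_centroid_accuracy(train_a, train_b, test_a, test_b, markers):
    """Assign each test individual to the nearer training centroid, measured
    over the given marker indices only. Returns the fraction assigned correctly."""
    ca, cb = centroid(train_a), centroid(train_b)

    def predict(x):
        da = sum((x[j] - ca[j]) ** 2 for j in markers)
        db = sum((x[j] - cb[j]) ** 2 for j in markers)
        return "A" if da <= db else "B"

    correct = sum(predict(x) == "A" for x in test_a) + sum(predict(x) == "B" for x in test_b)
    return correct / (len(test_a) + len(test_b))


def run_demo():
    """Fit centroids on half of each group, test on the other half."""
    group_a, group_b = make_populations()
    half = len(group_a) // 2
    train_a, test_a = group_a[:half], group_a[half:]
    train_b, test_b = group_b[:half], group_b[half:]
    single = [nearest_centroid_accuracy(train_a, train_b, test_a, test_b, [j])
              for j in range(N_MARKERS)]
    return {
        "within_group_share": within_group_share(group_a, group_b),
        "mean_single_marker_accuracy": sum(single) / len(single),
        "all_markers_accuracy": nearest_centroid_accuracy(
            train_a, train_b, test_a, test_b, range(N_MARKERS)),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value:.3f}")
```

With these settings roughly 95 percent of the variance at any one marker lies within the groups (Lewontin's observation holds), a single marker classifies only a little better than a coin toss, and the 100 markers together classify nearly every individual correctly: the "mountains" are visible only when the dimensions are taken jointly.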

Yahoo Search drops the big one: non-commercial search

Yahoo! Mindset

Ooookkkaaaay. This is actually interesting. Yahoo's new "Mindset" search allows you to weight search results based on how "commercial" they are. I tested this by searching on a product with the slider set to "non-commercial". Instead of Google's 50 pages of ads I got a very useful review in the 3rd hit.

Of all the search experiments I've seen in the past year this one has impressed me the most. In the search wars, filtering out 'commercial' sites is a dramatic and risky move.

Thursday, May 26, 2005

Stanford Center for Clinical Informatics: Seminar series

2004-05 Seminars - Stanford Center for Clinical Informatics (SCCI) - Stanford University School of Medicine

This is a remarkable resource for medical computing/health informatics folks. Admittedly it's a small audience, but the collection of resources and speakers is remarkable. Kudos to Stanford for putting it online.

Wednesday, May 25, 2005

Our first interstellar probe - leaving the solar system

NASA - Voyager Enters Solar System's Final Frontier

Heading for the stars.
"The consensus of the team now is that Voyager 1, at 8.7 billion miles from the Sun, has at last entered the heliosheath, the region beyond the termination shock," said Dr. John Richardson from MIT, Principal Investigator of the Voyager plasma science investigation.

Why did Palm Fail? A Slashdot thread.

PalmOne to become Palm Again; PalmSource & Linux

I wrote this comment in a very interesting Slashdot discussion. Lately Slashdot discussions have been quite boring; but this one has good comments (other than mine of course!). This comment from a Palm developer is particularly interesting.
When I teach about data interfaces in healthcare systems, and the complexity of integration, I compare Palm's original representation of a 'contact' (address book entry) with Outlook/Exchange server's contact representation. The complexity (non-computable complexity in some areas) of synchronizing between these two was a huge problem for Palm. I'm not sure when they figured out how much trouble they were in, but once Microsoft took over the enterprise with Exchange server Palm's fate was pretty much sealed.

In later versions of the OS they tried to better match Outlook's data models, but they botched the software layer that provided some backwards compatibility (arguably they should have given up on the backwards compatibility, they ended up with the worst of two options).

Linux on the Palm is not as important, really, as matching the Exchange server data model.

More broadly, synchronization is a problem that's been grossly underestimated in many quarters. It often requires a fuzzy non-deterministic reconciliation of semantic models; the same challenge that Berners-Lee addresses in the context of the semantic web. This issue is a major part (along with some perverse economics) of why healthcare IT projects are so difficult.

I hope Palm now understands these issues; I fear that much of their intellectual capital may have moved on...
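To make the data-model mismatch in the comment above concrete, here is an added example; it is not the commenter's code and not Palm's or Microsoft's actual sync logic. It uses a simplified, constructed version of the two contact models: five labelled phone slots on the Palm side, a short list of fixed named fields on the Outlook side (the real Outlook contact has many more), and a hand-written mapping table. The mapping choices, including where Palm's "Main" label lands, are this example's own assumptions. A round trip shows which values are silently lost or relabelled in each direction.

```python
from dataclasses import dataclass, field

# Constructed approximation of the Palm address book: five phone slots, each
# carrying one label from a small fixed set (Work, Home, Fax, Other, E-mail,
# Main, Pager, Mobile); the same label may appear in more than one slot.
PALM_SLOTS = 5

# Constructed subset of Outlook's fixed, named contact fields.
OUTLOOK_FIELDS = ["Business", "Business2", "Home", "Home2", "Mobile",
                  "BusinessFax", "Pager", "Other", "Email1"]

# Assumed mapping: the Outlook fields a Palm label may claim, tried in order.
LABEL_TO_FIELDS = {
    "Work": ["Business", "Business2"],
    "Home": ["Home", "Home2"],
    "Mobile": ["Mobile"],
    "Fax": ["BusinessFax"],
    "Pager": ["Pager"],
    "Other": ["Other"],
    "E-mail": ["Email1"],
    "Main": ["Business", "Business2"],   # Outlook has no "Main"; demoted to a business line
}
FIELD_TO_LABEL = {"Business": "Work", "Business2": "Work", "Home": "Home", "Home2": "Home",
                  "Mobile": "Mobile", "BusinessFax": "Fax", "Pager": "Pager",
                  "Other": "Other", "Email1": "E-mail"}


@dataclass
class PalmContact:
    name: str
    phones: list            # up to PALM_SLOTS (label, value) pairs


@dataclass
class OutlookContact:
    name: str
    fields: dict = field(default_factory=dict)   # field name -> value
    notes: str = ""


def palm_to_outlook(contact):
    """Map Palm slots onto Outlook fields. Values with no free field are
    returned as overflow and parked in free-text notes, where a reverse
    mapping cannot recover them as structured data."""
    out = OutlookContact(name=contact.name)
    overflow = []
    for label, value in contact.phones:
        for name in LABEL_TO_FIELDS.get(label, []):
            if name not in out.fields:
                out.fields[name] = value
                break
        else:
            overflow.append((label, value))
    out.notes = "; ".join(f"{l}: {v}" for l, v in overflow)
    return out, overflow


def outlook_to_palm(contact, max_slots=PALM_SLOTS):
    """Map Outlook fields back into Palm slots in field order; anything past
    the last slot is dropped and reported."""
    phones, dropped = [], []
    for name in OUTLOOK_FIELDS:
        if name in contact.fields:
            if len(phones) < max_slots:
                phones.append((FIELD_TO_LABEL[name], contact.fields[name]))
            else:
                dropped.append((name, contact.fields[name]))
    return PalmContact(name=contact.name, phones=phones), dropped


def round_trip_loss(contact):
    """Palm -> Outlook -> Palm; return the original (label, value) pairs that
    come back changed or missing."""
    outlook, _ = palm_to_outlook(contact)
    back, _ = outlook_to_palm(outlook)
    survived = set(back.phones)
    return [pair for pair in contact.phones if pair not in survived]


def sample_palm_contact():
    # Constructed sample: two "Work" numbers plus a "Main" line, all legal on the Palm.
    return PalmContact("Ada Example", [("Work", "555-0100"), ("Main", "555-0101"),
                                       ("Work", "555-0102"), ("Mobile", "555-0103"),
                                       ("Fax", "555-0104")])


if __name__ == "__main__":
    print("lost or relabelled after one round trip:", round_trip_loss(sample_palm_contact()))
```

The sample loses one value outright (the third "Work" number has nowhere to go) and silently relabels another ("Main" comes back as "Work"), while a fully populated Outlook record loses four of nine fields going the other way. Neither direction can be made lossless by a better table; the two schemas simply do not express the same things, which is the "non-computable" part of the problem.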

The immense power of denial: one handed professional ball players

...But I Went Out and Achieved Anyway! | MetaFilter

One hand. No arm. No leg. Lots of denial. Never underestimate the power of denial.

Action Squad: Minneapolis Urban Adventurers

Action Squad: Minneapolis Urban Adventurers

This was featured on metafilter, but they didn't mention this is a Minneapolis street gang! I may have met some of these guys. Reminds me of exploring steam tunnels at college -- but in those days Caltech allowed undergrads to have keys to many buildings, so it wasn't even trespassing (though it wasn't approved either).

My personal experience with urban adventures was limited to rooftop camping in the ancient days when I had far more time than money.

The treadmill desk -- coming soon to an office near you

New Weight-Loss Focus: The Lean and the Restless - New York Times

A researcher studying idiosyncratic non-exercise activity and weight loss installs a treadmill desk:
... At meetings, he stands instead of sitting. Talking on the telephone, he paces around. In his office he has a treadmill in place of a desk. He got it last year when he saw the data from the study comparing lean people and obese ones.

'My computer is stationed over the treadmill,' he said. 'I work at 0.7 miles an hour.'

A stand-up desk might seem simpler, but he prefers the treadmill.

'Standing still is quite difficult,' he said. 'You have a natural tendency to want to move your legs. Zero point seven is the key. You don't get sweaty, you can't jiggle too much. It's about one step a second. It's very comfortable. Most people seem to like it around 0.7.'
I've seen a few people in our office sitting on a large ball while working -- keeping stable would certainly burn calories. This takes things to the next step. I'd read that he'd done this, but I hadn't seen the speed setting -- 1 step a second seems quite pleasant.

All of us can practice standing at meetings. Lose weight and get the meeting done faster.

I wonder how long it will take to turn the "treadmill desk" into a commercial product. When that happens perhaps employers would consider paying for them through employee FlexPlan coverage.

The UK approach to patient privacy with electronic health records

Britain toughens patient privacy

We're unlikely to get such strong protections; historically US law does very little to protect privacy. It's nice to know someone's doing it however. In practice using the full power of these restrictions would be unwise for almost any patient, but it's easier to loosen such rules than to tighten them later. Emphases mine.
The United Kingdom's Health Department published tough new rules to guarantee that patients in England can control access to their electronic health care records in a system under development by the National Health Service.

The NHS National Programme for Information Technology kicked off a 10-year, $10 billion project in late 2003 to develop a nationwide e-health record (EHR) system for 50 million patients and 30,000 doctors in England. It would not cover Scotland, Wales or Northern Ireland.

The NHS Care Record Guarantee, published May 23, will allow patients to prevent information in their records from being shared, Health Ministry officials said. But the quality of care could deteriorate if patients block information sharing.

The health record guarantee also states that:

* Patients will be able to obtain a list of everyone who looks at their records.

* NHS will not share information outside the agency, particularly with other government agencies.

* Records will only be shared with health care providers or social service or education organizations with patient permission.

* NHS will take disciplinary action against anyone who accesses health records without permission or a good reason.

The new NHS electronic Care Records Service "has enormous potential benefits for patients," said Lord Warner, UK health minister. The system allows medical staff throughout England to have instant access to patient histories, including allergies, current medications and recent treatment.

Warner said the department developed the new privacy rules to address any patients' concerns about the confidentiality of their records.

The Care Guarantee clearly establishes the rights of patients to control who has access to their information, Warner said. "These rules will be backed up with tough security measures to prevent unauthorized access to records, ensuring everyone can have confidence in the new system," he said.
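The four bullet points in the quoted article describe an access-control and audit policy. As an added example (a constructed sketch of my own, not the NHS Care Records Service or any code from it), here is a small Python model that enforces them: a patient-controlled sharing list and a block-all flag, a rule that nothing is shared outside the health service, a log of every access attempt whatever its outcome, the list of readers a patient can request, and the set of attempts that would go to disciplinary review. The organisation categories, the list of acceptable purposes, and the sample names and timestamps are all constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed organisation categories and purposes for the model.
INSIDE_NHS = "nhs"
EXTERNAL_CARE = {"provider", "social_services", "education"}   # need patient permission
GOOD_REASONS = {"direct care", "emergency care"}               # constructed list of acceptable purposes


@dataclass
class AccessEvent:
    when: str
    who: str
    org: str
    org_kind: str
    purpose: str
    granted: bool
    reason: str


@dataclass
class CareRecord:
    patient_id: str
    content: str
    permitted_orgs: set = field(default_factory=set)   # sharing the patient has allowed
    sharing_blocked: bool = False                      # patient has blocked all sharing
    audit: list = field(default_factory=list)          # every attempt, granted or not


def request_access(record, who, org, org_kind, purpose, when=None):
    """Decide an access request under the guarantee's rules, log the attempt
    regardless of outcome, and return (granted, content or None)."""
    when = when or datetime.now(timezone.utc).isoformat()
    purpose = purpose.strip()
    if purpose not in GOOD_REASONS:
        granted, reason = False, "no acceptable purpose stated"
    elif org_kind == INSIDE_NHS:
        granted, reason = True, "care inside the health service"
    elif org_kind in EXTERNAL_CARE:
        if record.sharing_blocked:
            granted, reason = False, "patient has blocked sharing"
        elif org in record.permitted_orgs:
            granted, reason = True, "patient permission on file"
        else:
            granted, reason = False, "no patient permission"
    else:
        # Other government agencies and anyone else outside the health service.
        granted, reason = False, "not shared outside the health service"
    record.audit.append(AccessEvent(when, who, org, org_kind, purpose, granted, reason))
    return granted, (record.content if granted else None)


def who_looked(record):
    """The list a patient may request: everyone who actually read the record."""
    return [(e.when, e.who, e.org, e.purpose) for e in record.audit if e.granted]


def for_disciplinary_review(record):
    """Attempts made without permission or an acceptable reason."""
    return [e for e in record.audit if not e.granted]


def demo():
    # Constructed patient, organisations and timestamps.
    rec = CareRecord("P-0001", "penicillin allergy; metformin 500mg",
                     permitted_orgs={"Riverside Social Services"})
    request_access(rec, "Dr Okafor", "Riverside Hospital", INSIDE_NHS, "direct care", "2005-05-24T09:00Z")
    request_access(rec, "J. Clerk", "Riverside Hospital", INSIDE_NHS, "", "2005-05-24T09:05Z")
    request_access(rec, "Case worker", "Riverside Social Services", "social_services", "direct care", "2005-05-24T10:00Z")
    request_access(rec, "Analyst", "Benefits Agency", "government", "direct care", "2005-05-24T11:00Z")
    rec.sharing_blocked = True   # the patient exercises the right to stop sharing
    request_access(rec, "Case worker", "Riverside Social Services", "social_services", "direct care", "2005-05-25T10:00Z")
    return who_looked(rec), for_disciplinary_review(rec)


if __name__ == "__main__":
    readers, review = demo()
    print("readers the patient would see:", [r[1] for r in readers])
    print("attempts for review:", [(e.who, e.reason) for e in review])
```

Two design points matter more than the rules themselves: the log entry is written before the decision is returned, so a denied attempt is just as visible to the patient's "who looked" list and to the review queue as a granted one, and an outside agency is refused even with a clinically good purpose, which is the "not shared outside the agency" guarantee. The blocked case shows the trade-off the article notes: once `sharing_blocked` is set, the social-services worker who previously had permission is refused too.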

National Provider (physician, pharmacist, etc) Identifier assignment system - Not quite ready yet!

National Plan & Provider Enumeration System - Home Page

As of May 23rd physicians and other healthcare "providers" are supposed to start obtaining their unique ID numbers that are the basis for many future healthcare transactions. I figured I'd give it a try.

It didn't work. I entered my UPIN number around step 5 or so and the server crashed (I had also noticed that in the state drop-down list MN was in an odd location, not quite alpha-sorted):
Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, you@your.address and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
Hmm. A few teething problems! Another bad sign was the initial login. They use the "secret question" method for password recovery, the approach favored by 99/100 crackers and identity thieves.

Tuesday, May 24, 2005

Evangelical America

False Prophets
Surely there is no subject on which more words are currently being said with less real meaning than that of the intersection of religion and politics in America. And that is why you ought to read a recent New Republic piece by the indispensable Alan Wolfe, who cuts through the fog like a search-light.

In the format of a review of Jim Wallis' much-discussed God's Politics, along with a collection of case studies of religio-political cooperative ventures, Wolfe pens a long, eloquent and often angry essay about the growing willingness of evangelical Christian leaders to reject the liberal principles of tolerance, pluralism and church-state separation that made the growth of their own tradition possible in the first place...

....
As you may know, in the Judeo-Christian tradition one who takes a prophetic stance believes the moral and spiritual conditions of a society have become so depraved that the faithful are obliged to step outside the normal bounds of civility and respect for authority and call down the righteous wrath of God. Taking a prophetic stance is by definition exceptional; occasionally essential, but always spiritually as well as politically dangerous. And that is why true prophets are so greatly honored, and false prophets are so feared and despised...
Two interesting and thoughtful discussions -- both Wolfe's article and the above commentary. Wolfe doesn't mention the history of Catholicism as a state religion, but from what he does write I gather he'd agree with me.

Google Earth vs MSN Earth - the next battle in mass market earth imaging

So now it's Google vs. Microsoft to own the earth: MSN Virtual Earth To Take On Google Earth.

To be fair to Microsoft, they've had TerraServer around for ages. They just didn't use it very well. Now they know how.

And where is Amazon's business photo project? I couldn't find any St. Paul business with a neighborhood image.

Monday, May 23, 2005

The Economist's Millennium edition is now available online (five years later)

Reporting on a thousand years

It only took them a few years, but the Economist has put their justly famed 'Millennium Issue' online. I came across it by accident; on review it's even better than I remembered. Well worth a quick browse for fans of history and economics. This was one of my all-time favorite articles.

Identity theft: almost hopeless

Data at Bank of America, Wachovia, others compromised - May. 23, 2005
Account information on the customers was illegally sold by bank employees to a man identified as Orazio Lembo, whom police said was doing business by illegally posing as a collection agency.

When police in Hackensack, N.J., first announced arrests in the case on April 28, they estimated that more than 500,000 people were affected. That number was raised to 676,000 Friday. Because some people have more than one account, Hackensack Police Chief Charles "Ken" Zisa says the number of accounts breached may top 1 million.

"As this gets going, these numbers are going to go up and up," Hackensack Detective Capt. Frank Lomia told CNN earlier Monday, adding that more arrests may be coming in the case.
One of the most interesting thefts of this kind involved a legal purchase of such information through a legal "front" bank. This is crude by comparison.

It does emphasize, however, how hopeless the situation is. It is not coincidental that fingerprint scanners are being integrated into some supermarket checkouts.

If they were smart, the feds would hire Bruce Schneier to devise a solution.