Shared posts

13 Nov 20:17

How To Use 23andMe Irresponsibly

by Scott Alexander

As you might remember, the FDA stomped on 23andMe for using too many irresponsible genetic tests that purported to tell you things about yourself and your health with limited support. They eventually worked out a deal where the FDA allowed 23andMe to continue to operate, but they couldn’t claim to be able to predict personal outcomes from your genes.

That means if we want to use 23andMe irresponsibly, we’ve got to do it ourselves. Luckily I recently figured out how to do this and it is exactly as much fun as you would think.

If you’ve got a 23andMe account, log in, go to your name and picture on the bar on the top, and click on the little inverted triangle to get the drop-down menu. Go to the “Browse Raw Data” option, which will give you the option to go to a gene or an SNP. Now all you have to do is find an SNP you’re interested in (an SNP will look like the letters “rs” followed by a string of numbers) plug it in, and interpret the results.

Your best bet here is SNPedia, a wiki collection of different SNPs. If you want to know, for example, something interesting about your risk of heart disease, you can search “heart disease” and get a list of the most relevant SNPs (in this case, rs2383206, rs10757278, rs2383207, and rs10757274). If you click on the first, you can find on the top right in little colored boxes that someone with (A;A) at this site has normal risk of heart disease, someone with (A;G) 1.4x increased risk, and someone with (G;G) 1.7x increased risk.

In this case my 23andMe results are pretty straightforward – it tells me I am (G;G), which is common enough in white people (see the little colored bars on the left of SNPedia; the CEU bar is Caucasian Europeans). Other times the results require an extra step. For example, SNPedia’s page on rs1801133 offers three choices – (C;C), (C;T), and (T;T), but 23andMe tells me that I have (A;A), which didn’t appear to be an option. The problem here is that 23andMe is giving me the minus strand – if you click to expand your result, it will tell you that (“dbSNP Orientation: minus”). When it gives you the minus strand, you have to manually reverse it to get the plus strand. Remember, A is the reverse of T, and C is the reverse of G. So my (A;A) is their (T;T), and I have 1.5x risk of various cancers.

This doesn’t necessarily bear any relationship to reality, because genetics studies often fail to replicate, and even when they’re right they might only apply to certain populations, and even when they apply to people usually people misinterpret what they mean. That’s part of why the FDA banned 23andMe from doing this, and part of why the word “irresponsible” is right in the title. Even if these SNPs survive the tests of time and replication, they will explain at most a few percent of the variance in complex traits, and any claims otherwise are exaggeration at best and pure hype at worst.

But with that fair warning, here are some of the genes I think are most fun to look up. I cannot disclaimer enough that this is for your own amusement only and unlikely to resemble reality in more than the most tenuous way and if I imply otherwise it is a silly joke.

Rs909525 is linked to the so-called “warrior gene” which I blogged about in the last links roundup. People with the normal four or five repeat version of this gene are less violent than people with the three-repeat version, and people with the two-repeat version are massively overrepresented among violent criminals. See for example this article. Although this SNP isn’t the warrior gene itself, it’s linked to it closely enough to be a good predictor. This is on the X chromosome, so men will only have one copy (I wonder how much of the increased propensity to violence in men this explains). It’s also one of the minus strand ones, so it’ll be the reverse of what SNPedia is telling you. If you’ve got T, you’re normal. If you’ve got C, you’re a “warrior”. I’ve got C, which gives a pretty good upper limit on how much you should trust these SNPs, since I’m about the least violent person you’ll ever meet. But who knows? Maybe I’m just waiting to snap. Post something dumb about race or gender in the open thread one more time, I dare you…

Rs53576 in the OXTR gene is related to the oxytocin receptor, which frequently gets good press as “the cuddle hormone” and “the trust hormone”. Unsurprisingly, the polymorphism is related to emotional warmth, gregariousness versus loneliness, and (intriguingly) ability to pick out conversations in noisy areas. 23andMe reads this one off the plus strand, so your results should directly correspond to SNPedia’s – (G;G) means more empathy and sociability and is present in 50% of the population, anything else means less. I’m (A;G), which I guess explains my generally hateful and misanthropic outlook on life, plus why I can never hear anyone in crowded bars.

Rs4680 is in the COMT gene, which codes for catechol-o-methyltransferase, an enzyme that degrades various chemicals including dopamine. Riffing on the more famous “warrior gene”, somebody with a terrible sense of humor named this one the “worrier gene”. One version seems to produce more anxiety but slightly better memory and attention; the other version seems to produce calm and resiliency but with a little bit worse memory and attention. (A;A) is smart and anxious, (G;G) is dumb and calm, (A;G) is in between. If you check the SNPedia page, you can also find ten zillion studies on which drugs you are slightly more likely to become addicted to. And here’s the 23andMe blog on this polymorphism.

Rs7632287, also in the oxytocin receptor, has been completely proportionally and without any hype declared by the media to be “the divorce gene”. To be fair, this is based on some pretty good Swedish studies finding that women with a certain allele were more likely to have reported “marital crisis with the threat of divorce” in the past year (p = 0.003, but the absolute numbers were only 11% of women with one allele vs. 16% of women with the other). This actually sort of checks out, since oxytocin is related to pair bonding. If I’m reading the article right (G;G) is lower divorce risk, (A;A) and (A;G) are higher – but this may only apply to women.

Rs11174811 is in the AVPR1A gene, part of a receptor for a chemical called vasopressin which is very similar to oxytocin. In case you expected men to get away without a divorce gene, this site has been associated with spousal satisfaction in men. Although the paper is extremely cryptic, I think (A;A) or (A;C) means higher spousal satisfaction than (C;C). But if I’m wrong, no problem – another study got the opposite results.

Rs25531 is on the serotonin transporter. Its Overhyped Media Name is “the orchid gene”, on the basis of a theory that children with one allele have higher variance – that is, if they have nice, happy childhoods with plenty of care and support they will bloom to become beautiful orchids, but if they have bad childhoods they will be completely screwed up. The other allele will do moderately well regardless. (T;T) is orchid, (C;C) is moderately fine no matter what. There are rumors going around that 23andMe screwed this one up and nearly everybody is listed as (C;C).

Rs1800955 is in DRD4, a dopamine receptor gene. Its overhyped media name is The Adventure Gene, and supposedly one allele means you’re much more attracted to novelty and adventure. And by “novelty and adventure”, they mean lots and lots of recreational drugs. This one has survived a meta-analytic review. (T;T) is normal, (C;C) is slightly more novelty seeking and prone to drug addiction.

Rs2760118, in a gene producing an obscure enzyme called succinate semialdehyde dehydrogenase, is a nice polymorphism to have. According to this article, it makes you smarter and can be associated with up to fifteen years longer life (warning: impressive result means almost certain failure to replicate). (C;C) or (C;T) means you’re smarter and can expect to live longer; (T;T) better start looking at coffins sooner rather than later.

Rs6311 is not going to let me blame the media for its particular form of hype. The official published scientific paper on it is called “The Secret Ingredient for Social Success of Young Males: A Functional Polymorphism in the 5HT2A Serotonin Receptor Gene”. Boys with (A;A) are less popular than those with (G;G), with (A;G) in between – the effect seems to be partly mediated by rule-breaking behavior, aggression, and number of female friends. Now it kind of looks to me like they’re just taking proxies for popularity here, but maybe that’s just what an (A;A) nerd like me would say. Anyway, at least I have some compensation – the popular (G;G) guys are 3.6x more likely to experience sexual side effects when taking SSRI antidepressants.

Rs6265, known as Val66Met to its friends, is part of the important depression-linked BDNF system. It’s a bit depressing itself, in that it is linked to an ability not to become depressed when subjected to “persistent social defeat”. The majority of whites have (G;G) – the minority with (A;A) or (A;G) are harder to depress, but more introverted and worse at motor skills.

rs41310927 is so cutting-edge it’s not even in SNPedia yet. But these people noticed that a certain version was heavily selected for in certain ethnic groups, especially Chinese, and tried to figure out what those ethnic groups had in common. The answer they came up with was “tonal languages”, so they tested to see if the gene improved ability to detect tones, and sure enough they claimed that in experiments people with a certain allele were better able to distinguish and understand them. Usual caveats apply, but if you want to believe, (G;G) is highest ability to differentiate tones, (A;A) is lowest ability to differentiate tones. (A;G) is in between. Sure enough, I’m (A;A). All you people who tried to teach me Chinese tonology, I FRICKIN’ TOLD YOU ALL OF THE WORDS YOU WERE TELLING ME SOUNDED ALIKE.

11 Nov 16:41

Impro and the Cultural Destruction of Creativity

by Sister Y

Suppose an eight-year-old writes a story about being chased down a mouse-hole by a monstrous spider. It'll be perceived as 'childish' and no one will worry. If he writes the same story when he's fourteen it may be taken as a sign of mental abnormality. Creating a story, or painting a picture, or making up a poem lay an adolescent wide open to criticism. He therefore has to fake everything so that he appears 'sensitive' or 'witty' or 'tough' or 'intelligent' according to the image he's trying to establish in the eyes of other people. If he believed he was a transmitter, rather than a creator, then we'd be able to see what his talents really were.

We have an idea that art is self-expression — which historically is weird. An artist used to be seen as a medium through which something else operated. He was a servant of the God. Maybe a mask-maker would have fasted and prayed for a week before he had a vision of the Mask he was to carve, because no one wanted to see his Mask, they wanted to see the God's. When Eskimos believed that each piece of bone only had one shape inside it, then the artist didn't have to 'think up' an idea. He had to wait until he knew what was in there — and this is crucial. When he'd finished carving his friends couldn't say 'I'm a bit worried about that Nanook at the third igloo', but only, 'He made a mess getting that out!' or 'There are some very odd bits of bone about these days.' These days of course the Eskimos get booklets giving illustrations of what will sell, but before we infected them, they were in contact with a source of inspiration that we are not. It's no wonder that our artists are aberrant characters. It's not surprising that great African sculptors end up carving coffee tables, or that the talent of our children dies the moment we expect them to become adult. Once we believe that art is self-expression, then the individual can be criticised not only for his skill or lack of skill, but simply for being what he is.

Schiller wrote of a 'watcher at the gates of the mind', who examines ideas too closely. He said that in the case of the creative mind 'the intellect has withdrawn its watcher from the gates, and the ideas rush in pell-mell, and only then does it review and inspect the multitude.' He said that uncreative people 'are ashamed of the momentary passing madness which is found in all real creators . . . regarded in isolation, an idea may be quite insignificant, and venturesome in the extreme, but it may acquire importance from an idea that follows it; perhaps in collation with other ideas which seem equally absurd, it may be capable of furnishing a very serviceable link.'

Keith Johnstone, Impro, pp. 78-79. One of the most important books that exists.

19 Sep 11:42

Looking at Our Civil War History with LiDAR

by Betsy Phillips

I honestly don't care if this makes me the biggest nerd in the state — I am totally stoked for 30 Days of Tennessee Archaeology. Every day they feature something else interesting and informative and I feel like I am learning a lot. Day 16's entry is on the use of LiDAR, a laser that can penetrate vegetation, to find otherwise hidden earthen features at Nashville's Civil War sites.

Zada Law has located what could be earthworks at both Fort Negley and Shy's Hill. The important thing, as I understand it, about LiDAR is that it doesn't harm or disrupt the thing being examined. So, you can find a strange feature in dense undergrowth now and protect it from inadvertent destruction while you wait to get funding to examine it. I also read that it can be useful in tracing old roads, the beds of which might not be visible anymore to the naked eye, but the LiDAR can still see them.

So, in this case, thanks to Law's work, we now know these features which we thought were completely lost aren't gone, but hidden in the landscape.

You can scroll through all the daily features here. There's a ton of interesting stuff about archaeology, from a TDOT archaeologist (and who even knew that was a job?) who discovered a lost city to information about Mound Bottom over in Cheatham County.

15 Sep 19:37

A School District Bought An 18-Ton MRAP Because The World Is Insane

medical su

15 Sep 13:45

How to Tell Whether You Are Being Oppressed

by strevdrrev

Imagine that you’re faced with a problem, and some other agent X is involved in, or at least adjacent to, that problem. You suspect that X is oppressing you. How can you be sure?

Consider the following criterion:

If reality were altered such that X did not exist, and never had existed, would I still have the same problem?

If your answer is “Yes, I would still have this problem,” then consider the possibility that X is not actually oppressing you, but simply failing to serve your goals.  Then ask yourself this:

Am I upset that X is not serving my goals?

If your answer is “Yes, I am upset that X is not serving my goals”, then consider the possibility that you are the oppressor.


15 Sep 13:30

Beauty is Fit

by birguslatro

[E]very design problem begins with an effort to achieve fitness between two entities: the form in question and its context. The form is the solution to the problem; the context defines the problem. In other words, when we speak of design, the real object of discussion is not the form alone, but the ensemble comprising the form and its context. Good fit is a desired property of this ensemble which relates to some particular division of the ensemble into form and context.

There is a wide variety of ensembles which we can talk about like this. The biological ensemble made up of a natural organism and its physical environment is the most familiar: in this case we are used to describing the fit between the two as well-adaptedness. But the same kind of objective aptness is to be found in many other situations. The ensemble consisting of a suit and tie is a familiar case in point; one tie goes well with a certain suit, another goes less well. Again, the ensemble may be a game of chess, where at a certain stage of the game some moves are more appropriate than others because they fit the context of the previous moves more aptly. The ensemble may be a musical composition — musical phrases have to fit their contexts too: think of the perfect rightness when Mozart puts just this phrase at a certain point in a sonata. If the ensemble is a truckdriver plus a traffic sign, the graphic design of the sign must fit the demands made on it by the driver’s eye. An object like a kettle has to fit the context of its use, and the technical context of its production cycle. In the pursuit of urbanism, the ensemble which confronts us is the city and its habits. Here the human background which defines the need for new buildings, and the physical environment provided by the available sites, make a context for the form of the city’s growth. In an extreme case of this kind, we may even speak of a culture itself as an ensemble in which the various fashions and artifacts which develop are slowly fitted to the rest.

Christopher Alexander, Notes on the Synthesis of Form, pp. 15-16, Citations removed.

The concept of beauty in diverse domains has a unifying, definitive feature: it reflects the detection of fit between parts of a system. Beauty presents to us as a mystical quale; this is because a beautiful form is a solution to many simultaneous complex problems. Beauty in nature, art, music, architecture, mathematics, and even human faces is a response to the detection of fit.

Consider botany. There is a major divergence in beauty between plants that must attract the attention of insects and other animals, and those that are pollinated by the wind (or by animals without requiring their attention, such as burrs that stick in passing animals’ fur). Plants that must attract attention of any species must fit themselves to the senses and nervous systems of these animals, for instance with bright colors and intense fragrances, and there is often a sort of leakage of beauty – nervous systems (such as those of humans) are often moved by the beauty of plants optimized to attract the attention of quite different species. Plants with no need to appeal to the nervous systems of organisms are generally dull in color and form with no appealing fragrance.

Intelligence may be represented as the discovery of fit. Fit with the nervous system of appreciating organisms is one type of “fit” that beauty encompasses. This is the beauty of a ripe fruit, a symmetrical young face, a shady spot by a creek. This is similar to the “awareness and response to the environment” type of intelligence. The other type of “fit” that beauty encompasses is the fit of a part within a system, viewed from outside that system; the detection and creation of formal fit within systems is the type of intelligence involved in the useful compression of complexity. Mathematical beauty is the extreme form of this latter type of fit – forms with no appeal to insect or ordinary mammal nervous systems, with only the most abstract form at all, are experienced as beautiful based on their fit within a complex system. Most human domains are at neither extreme, but balance both types of fit to achieve beauty; ignoring either type of fit leads to poor overall fit.

Finally, beauty reflects fit with respect to other forms in the environment (as filtered through the nervous systems of perceiving organisms). Forms are sometimes beautiful because they are novel, or because they are familiar; the contributions of novelty and familiarity to beauty mean that beauty of form changes depending on the contents of the present culture. Fashion and tradition are poles of this dynamic.

Nervous systems change through evolution, but they change very slowly compared to human culture. Forms with “timeless” beauty generally reflect fit with aspects of our system that do not change, such as our visual and auditory systems. Timeless beauty may also represent an elegant encoding of fit within an abstract system; though the text of Archimedes’ Method was lost for centuries, cultures having lost the tools to apprehend its meaning, the fit encoded within it remains beautiful.

Ephemeral beauty, on the other hand, reflects fit within an ephemeral system; novel beauty or traditional beauty may be rendered less beautiful by an influx of similar or novel forms, respectively. To experience the beauty of the forms of a lost culture, we must often come to understand the culture in depth. In Gödel, Escher, Bach (pp. 170-172 in PDF, pp. 162-164 of printed text), Douglas Hofstadter imagines that a record of Bach’s sonata in F Minor for violin and clavier is sent up in a satellite and intercepted by intelligent aliens. The aliens might well be able to locate the “compelling inner logic” of patterns-within-patterns of the Bach piece; it contains beauty in the sense of fit within its own self-enclosed system. However, what if the record contained instead John Cage’s “Imaginary Landscape no. 4” – chance music whose structure is chosen by stochastic processes? This “maximally surprising” music contains no patterns at all, and aliens without knowledge of the sociology of 20th century music would be unlikely to find any beauty in it. Maximally surprising music of this type is not beautiful, just as the beauty of a mathematical result is not reducible to its surprising nature. Rather, in both cases, the type of surprise that creates beauty is the (perhaps sudden) apprehension of usefully organized complexity within the system – the apprehension, that is, of fit (see also).

Cage’s music is an example of the tendency for high-status human domains to ignore fit with human nervous systems in favor of fit with increasingly rarified abstract cultural systems. Human nervous systems are limited. Representation of existing forms, and generating pleasure and poignancy in human minds, are often disdained as solved problems. Domains unhinged from the desires and particularities of human nervous systems and bodies become inhuman; human flourishing, certainly, is not a solved problem. However, human nervous systems themselves create and seek out “fit” of the more abstract sort; the domain of abstract systems is part of the natural human environment, and the forms that exist there interact with humans as symbiotes. Theorems and novels and money and cathedrals rely on humans for reproduction, like parasites, but offer many benefits to humans in exchange. Humans require an environment that fits their nervous systems, but part of the definition of “fit” in this case is the need for humans to feel that they are involved in something greater (and perhaps more abstract) than this “animal” kind of fit.

In summary, beauty is not a mystical, irreducible quale, but an ultimately computational feature of detected fit within systems. My fellow crab has suggested that the “difference in creativity that can be generated algorithmically and that which presently can’t is measurable only in ‘frequency of apparent meaning or significance,’ not in vividness, complexity, or novelty.” Fit generated computationally may be even more satisfying than fit generated by human minds alone – and may be even friendlier to human minds.

14 May 21:48

CNNMoney: Strategist predicts end of Bitcoin

Chris Wage

This is idiotic.

"But Bitcoin has been the victim of a different type of intervention -- from hackers. The currency itself is nearly impenetrable to hackers, but the digital wallets that house bitcoins have been infiltrated. One of the world's largest Bitcoin exchanges, Bitfloor, was shut down in April, after it was attacked.
"Bitcoin has lost a lot of credibility from the hacking and all this volatility," said Bremmer"

That's like saying that USD is going to fail miserably because people managed to rob banks.

14 May 14:25

The ‘unnamed feeling’ named ASMR

by tomstafford

Chris Wage

I listened to a few "whispering" videos on YouTube. Conclusion? These people are on crack.

Here’s my BBC Future column from last week. It’s about the so-called Autonomous Sensory Meridian Response, which didn’t have a name until 2010 and I’d never heard of until 2012. Now, I’m finding out that it is surprisingly common. The original is here.

It’s a tightening at the back of the throat, or a tingling around your scalp, a chill that comes over you when you pay close attention to something, such as a person whispering instructions. It’s called the autonomous sensory meridian response, and until 2010 it didn’t exist.

I first heard about the autonomous sensory meridian response (ASMR) from British journalist Rhodri Marsden. He had become mesmerised by intentionally boring videos he found on YouTube, things like people explaining how to fold towels, running hair dryers or role-playing interactions with dentists. Millions of people were watching the videos, reportedly for the pleasurable sensations they generated.

Rhodri asked my opinion as a psychologist. Could this be a real thing? “Sure,” I said. If people say they feel it, it has to be real – in some form or another. The question is what kind of real is it? Are all these people experiencing the same thing? Is it learnt, or something we are born with? How common is it? Those are the kind of questions we’d ask as psychologists. But perhaps the most interesting thing about the ASMR is what happened to it before psychologists put their minds to it.

Presumably the feeling has existed for all of human history. Each person discovered the experience, treasured it or ignored it, and kept the feeling to themselves. That there wasn’t a name for it until 2010 suggests that most people who had this feeling hadn’t talked about it. It’s amazing that it got this far without getting a name. In scientific terms, it didn’t exist.

But then, of course, along came the 21st Century and, like they say, even if you’re one in a million there’s thousands of you on the internet. Now there’s websites, discussion forums, even a Wikipedia page. And a name. In fact, many names – “Attention Induced Euphoria”, “braingasm”, or “the unnamed feeling” are all competing labels that haven’t caught on in the same way as ASMR.


This points to something curious about the way we create knowledge, illustrated by a wonderful story about the scientific history of meteorites. Rocks falling from the sky were considered myths in Europe for centuries, even though stories of their fiery trails across the sky, and actual rocks, were widely, if irregularly reported. The problem was that the kind of people who saw meteorites and subsequently collected them tended to be the kind of people who worked outdoors – that is, farmers and other country folk. You can imagine the scholarly minds of the Renaissance didn’t weigh too heavily on their testimonies. Then in 1794 a meteorite shower fell on the town of Siena in Italy. Not only was Siena a town, it was a town with a university. The testimony of the townsfolk, including well-to-do church ministers and tourists, was impossible to deny and the reports written up in scholarly publications. Siena played a crucial part in the process of myth becoming fact.

Where early science required authorities and written evidence to turn myth into fact, ASMR shows that something more democratic can achieve the same result. Discussion among ordinary people on the internet provided validation that the unnamed feeling was a shared one. Suddenly many individuals who might have thought of themselves as unusual were able to recognise that they were a single group, with a common experience.

There is a blind spot in psychology for individual differences. ASMR has some similarities with synaesthesia (the merging of the senses where colours can have tastes, for example, or sounds produce visual effects). Both are extremes of normal sensation, which exist for some individuals but not others. For many years synaesthesia was a scientific backwater, a condition viewed as unproductive to research, perhaps just the product of people’s imagination rather than a real sensory phenomenon. This changed when techniques were developed that precisely measured the effects of synaesthesia, demonstrating that it was far more than people’s imagination. Now it has its own research community, with conferences and papers in scientific journals.

Perhaps ASMR will go the same way. Some people are certainly pushing for research into it. As far as I know there are no systematic scientific studies on ASMR. Since I was quoted in that newspaper article, I’ve been contacted regularly by people interested in the condition and wanting to know about research into it. When people hear that their unnamed feeling has a name they are drawn to find out more, they want to know the reality of the feeling, and to connect with others who have it. Something common to all of us wants to validate our inner experience by having it recognised by other people, and in particular by the authority of science. I can’t help – almost all I know about ASMR is in this column you are reading now. For now all we have is a name, but that’s progress.

14 May 08:15

On cellular encryption

by Matthew Green

If you're interested in technology/privacy issues then you probably heard last week's big news out of the Boston Marathon case. It comes by way of former FBI agent Tim Clemente, who insists that our government routinely records all domestic phone calls.

Clemente's claim generated lots of healthy skepticism. This isn't because the project is technically infeasible (the numbers mostly add up), or because there's no precedent for warrantless wiretapping. To me the most convincing objection was simple: it'd be hard to keep secret.* Mostly for boring phone company reasons.

But this led to another interesting discussion. What if we forget local phone eavesdropping and focus on an 'easier' problem: tapping only cellular phone calls.

Cellular eavesdropping seems a lot more tractable, if only because mobile calls are conducted on a broadcast channel. That means you can wiretap with almost no carrier involvement. In fact there's circumstantial evidence that this is already happening -- just by different parties than you'd think. According to a new book by reporters Marc Ambinder and Dave Brown:

    The FBI has quietly removed from several Washington, D.C.–area cell phone towers, transmitters that fed all data to wire rooms at foreign embassies.

This raises a few questions: once you've tapped someone's cellular signals, what do you do with the data? Isn't it all encrypted? And how easy would it be for the US or some foreign government to lay their hands on the plaintext?

All of which serves as a wonderful excuse to noodle about the state of modern cellular encryption. Be warned that this is not going to be a short post! For those who don't like long articles, here's the TL;DR: cellular encryption is a whole lot worse than you think.

GSM

GSM is the granddaddy of all digital cellular protocols, and it remains one of the most popular protocols in the world. One thing that makes GSM special is its call encryption capability: the protocol is designed to encrypt all calls between the handset and the local tower.

Call encryption is facilitated by a long-term secret key (call it K) that's stored within the tamper-resistant SIM card in your GSM phone. Your carrier also has a copy of this key. When your GSM phone connects to a tower, the parties execute the following authentication and key agreement protocol:

Figure: GSM authentication and key agreement protocol (source). MS represents the 'mobile station' (phone) and HLR is the 'home location register', a central database. The MS and HLR combine a long-term secret Ki with a random nonce RAND to create the shared communication key Kc. A3 and A8 are typically implemented using the COMP128 function.

The interaction above serves two purposes: first, both the phone and carrier (HLR) derive a pair of values that will be used for authentication and key agreement. This includes a session key Kc as well as a short authentication token SRES that the phone will use to authenticate itself to the tower. Derivation is performed using two functions (A3 and A8) that accept the long-term secret K and a random nonce RAND.

There are a handful of well-known problems with the GSM security protocols. In no particular order, they are:
  1. Lack of tower authentication. GSM phones authenticate to the tower, but the tower doesn't authenticate back. This means that anyone can create a 'fake' tower that your phone will connect to. The major problem here is that in GSM, the tower gets to pick the encryption algorithm! That means your attacker can simply turn encryption off (by setting encryption 'algorithm' A5/0) and simply route the cleartext data itself.

    In theory your phone is supposed to alert you to this kind of attack, but the SIM chip contains a bit that can deactivate the warning. And (as researcher Chris Paget discovered) carriers often set this bit.
     
  2. Bad key derivation algorithms. The GSM ciphers were developed using the 'make stuff up and pray nobody sees it' school of cryptographic algorithm design. This is a bad approach, since it's incredibly hard to keep algorithms secret -- and when they do leak, they tend to break badly. This was the case for the original A3/A8 algorithms, which are both implemented using a single function called COMP128-1. Unfortunately COMP128 turns out to be seriously broken -- to the point where you can clone a user's SIM key in as few as 8 queries.
     
  3. Bad encryption algorithms. Fortunately it's easy to replace COMP128-1 by swapping out your SIM card. Unfortunately the situation is much worse for GSM's A5/1 call encryption cipher, which is embedded in the hardware of most handsets and tower equipment. A5/1 was leaked around the same time as COMP128 and rapidly succumbed to a series of increasingly powerful attacks. Today it's possible to conduct an efficient known-plaintext attack on A5/1 using a series of rainbow tables you can obtain from BitTorrent. The upshot is that most A5/1 calls can now be decrypted on a high-end PC.
     
  4. Terrible encryption algorithms. But it's actually worse than that. GSM phones support an 'export weakened' variant called A5/2, which is so weak you can break it in real time. The worst part is that A5/2 uses the same key as A5/1 -- which means an active attacker (see #1 above) can briefly activate the A5/2 mode, crack to recover the encryption key, then switch back to A5/1 with a known key. This is much faster than attacking A5/1 directly, and allows eavesdroppers to intercept incoming phone calls from a legitimate (A5/1 supporting) tower.  
Alleged 'Stingray' tracking device mounted on an SUV (source).
Another unfortunate aspect of the GSM protocol is that you don't need to attack the crypto to do useful things. For example, if all you want to do is determine which devices are in an area, you simply present yourself as a valid tower -- and see which phones connect to you (by sending their IMSI values). This is the approach taken by IMSI-catchers like Stingray.

Now the 'good news' here is that attacks (1), (2) and (4) require active involvement by the attacker. This means they have to be after you specifically and -- at least in principle -- they're detectable if you know what to look for. (You don't.) However, the weaknesses in A5/1 are a whole different kettle of fish. They permit decryption of even passively recorded A5/1 GSM calls (in real time, or after the fact) even to an attacker with modest resources.

3G/4G/LTE

A valid response to the points above is to note that GSM is nearly 30 years old. You probably wouldn't blame today's Ford execs for the crash performance of a 1982 Ford Escort, and similarly you shouldn't hold the GSM designers responsible for a 1980s protocol -- even if billions of people still rely on it.
Overview of the 3G AKA protocol. Look familiar? 

The great news is that modern phones often support the improved '3G' (e.g., UMTS) or LTE standards. These offer a bundle of improvements that substantially improve security over the original GSM. These can be summed up as follows:
  1. Mutual authentication. The 3G protocols use a new 'Authentication and Key Agreement' (AKA) protocol, which adds mutual authentication to the tower connection. To validate that the phone is speaking to a legitimate tower, the carrier now computes a MAC that the phone can verify before initiating a connection. This prevents many of the uglier protocol attacks that plagued GSM.
     
  2. Better authentication algorithms. The session keys and authentication tags are still computed using proprietary algorithms -- now called f1-f5, f5* -- but the algorithms are purportedly much stronger. Since their design is carrier-specific it's not easy to say exactly how they work. However this 3GPP recommendation indicates that they might be based on a block cipher like AES.
     
  3. Better encryption. Call encryption in 3G uses a proprietary block cipher called KASUMI. KASUMI is based on a Mitsubishi proposal called MISTY1, which was heavily customized to make it faster in cellular hardware.
The biggest source of concern for 3G/LTE is that you may not be using it. Most phones are programmed to gracefully 'fail over' to GSM when a 3G/4G connection seems unavailable. Active attackers exploit this feature to implement a rollback attack -- jamming 3G/4G connections, and thus re-activating all of the GSM attacks described above.

A more subtle concern is the weakness of the KASUMI cipher. Unfortunately KASUMI seems much weaker than the original MISTY1 algorithm -- so much weaker that in 2010 Dunkelman, Keller and Shamir were able to implement a related-key attack that recovered a full 128 bit call key in just under two hours!

Now before you panic, you should know that executing this attack requires a substantial amount of data, all of which must be encrypted under highly unrealistic attack conditions. Still, it's interesting to note that the same attack fails completely when applied to the original MISTY1 design.

Top: generation of keys (CK, IK) and authentication tags AUTN, XRES using the functions f1-f5. Bottom: one proposed implementation of those functions using a 128-bit block cipher Ek. This could be AES (source).
And yes, it looks complicated to me, too.
What if you already have the keys?
  
The encryption flaws above seem pretty significant, and they really are -- if you're a private eavesdropper or a foreign government. For US national security organizations they're probably beside the point. It seems unlikely that the NSA would have to 'break' any crypto at all.

This is because both the GSM and AKA protocols lack an important property known as forward secrecy. What this means is that if I can record an encrypted call, and later obtain the long-term key K for that phone, then I can still reliably decrypt the whole communication -- even months or years later. (Protocols such as Diffie-Hellman or ECMQV prevent this.) Worse, for cellular conversations I can do it even if I only have one half (the tower side) of the communication channel.
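To make the two protocol flows above concrete, here is a small model of GSM authentication next to 3G AKA. This is an added example written for this page, not code from the post or from any 3GPP specification: the real A3/A8 and f1-f5 are carrier-specific and secret, so a labelled HMAC-SHA256 stands in for each of them, and the class and function names (GsmPhone, UmtsPhone, gsm_run, aka_run, demo) are my own. What is faithful is the message flow and the checks each side performs: the GSM phone answers any RAND it is given, while the AKA phone refuses a challenge whose MAC was not produced with K or whose sequence number is stale. The same model also shows the forward-secrecy point made in this paragraph, since Kc is a pure function of Ki and a RAND that was sent in the clear.

```python
"""GSM challenge-response versus 3G AKA, as a protocol model (added example,
not code from the post).  The real A3/A8 and f1-f5 are carrier-specific
and secret; HMAC-SHA256 with a label stands in for each of them here, so
only the message flow and the checks each side performs are faithful.
"""
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, *data: bytes) -> bytes:
    """Keyed stand-in for the carrier's secret functions (assumption, not COMP128)."""
    return hmac.new(key, label + b"".join(data), hashlib.sha256).digest()


# ---- GSM: everything is derived from (Ki, RAND); the phone checks nothing ----
def gsm_a3(ki: bytes, rand: bytes) -> bytes:
    return prf(ki, b"A3", rand)[:4]          # 32-bit SRES


def gsm_a8(ki: bytes, rand: bytes) -> bytes:
    return prf(ki, b"A8", rand)[:8]          # 64-bit session key Kc


class GsmPhone:
    def __init__(self, ki: bytes):
        self.ki = ki

    def respond(self, rand: bytes):
        # No way to tell whether RAND came from the home network or from
        # a fake tower: the phone always answers and derives a Kc.
        return gsm_a3(self.ki, rand), gsm_a8(self.ki, rand)


def gsm_run(phone: GsmPhone, ki_at_hlr: bytes):
    """One GSM authentication as seen by the network side."""
    rand = os.urandom(16)
    sres, kc = phone.respond(rand)
    authenticated = hmac.compare_digest(sres, gsm_a3(ki_at_hlr, rand))
    return authenticated, rand, kc


# ---- 3G AKA: network sends AUTN = (SQN xor AK) || AMF || MAC, phone verifies ----
def f1(k, rand, sqn, amf): return prf(k, b"f1", rand, sqn, amf)[:8]   # MAC
def f2(k, rand): return prf(k, b"f2", rand)[:8]                        # RES / XRES
def f3(k, rand): return prf(k, b"f3", rand)[:16]                       # CK
def f4(k, rand): return prf(k, b"f4", rand)[:16]                       # IK
def f5(k, rand): return prf(k, b"f5", rand)[:6]                        # AK


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class UmtsPhone:
    def __init__(self, k: bytes):
        self.k = k
        self.highest_sqn = -1   # replay-protection state kept on the USIM

    def respond(self, rand: bytes, autn: bytes):
        sqn_xor_ak, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn = xor(sqn_xor_ak, f5(self.k, rand))
        # Mutual authentication: only a party holding K can produce this MAC.
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            return None
        n = int.from_bytes(sqn, "big")
        if n <= self.highest_sqn:       # stale challenge being replayed
            return None
        self.highest_sqn = n
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


def aka_challenge(k: bytes, sqn_int: int):
    """Home network builds the authentication vector (RAND, AUTN, XRES)."""
    rand = os.urandom(16)
    sqn = sqn_int.to_bytes(6, "big")
    amf = b"\x80\x00"
    autn = xor(sqn, f5(k, rand)) + amf + f1(k, rand, sqn, amf)
    return rand, autn, f2(k, rand)


def aka_run(phone: UmtsPhone, k_at_hlr: bytes, sqn_int: int) -> bool:
    rand, autn, xres = aka_challenge(k_at_hlr, sqn_int)
    result = phone.respond(rand, autn)
    return result is not None and hmac.compare_digest(result[0], xres)


def demo():
    ki = os.urandom(16)
    phone = GsmPhone(ki)
    gsm_ok, rand, kc = gsm_run(phone, ki)
    # A challenge from a party that does not know Ki is still answered.
    answered_unknown_party = phone.respond(os.urandom(16)) is not None
    # No forward secrecy: Ki plus the recorded RAND rebuilds Kc long afterwards.
    kc_recovered_later = gsm_a8(ki, rand) == kc

    k = os.urandom(16)
    umts = UmtsPhone(k)
    aka_ok = aka_run(umts, k, 1)                          # genuine network, fresh SQN
    aka_unknown_party = aka_run(umts, os.urandom(16), 2)  # wrong K: MAC check fails
    aka_replayed = aka_run(umts, k, 1)                    # same SQN again: rejected
    return gsm_ok, answered_unknown_party, kc_recovered_later, aka_ok, aka_unknown_party, aka_replayed
```

Calling demo() runs both flows once. Note that the AKA side is no better on forward secrecy: CK and IK are likewise functions of K and the RAND that crossed the air in the clear, which is exactly why the post says that whoever later obtains the long-term key can decrypt a recorded call from either protocol.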

Unfortunately I don't think you have to be a conspiracy theorist to suppose that the carriers' key databases are probably stored somewhere in Ft. Meade. Thus to the truly paranoid: stop talking on cellphones.

In conclusion

Sometimes conspiracy theories can be fun. Sometimes they're downright creepy.

For me this discussion veers towards the 'creepy'. Not so much because I think the NSA really is tapping all our cellphones (I suspect they just read our Facebook). Rather, the creepiness is in seeing just how vulnerable our privacy infrastructure is, even to people who are far less capable than the NSA.

As a result, your data isn't just available to nation states: it's also potentially available to that goofball neighbor who bought an IMSI-catcher off the Internet. Or to your business competitor. Or even to that one girl who finally got GnuRadio to compile.

We're rapidly approaching a technological crossroads, one where we need to decide if we're going to keep trusting others to protect our data -- or if we're going to take charge of it and treat carriers as the dumb and insecure pipes that they are. I suspect that we're well on our way towards this world -- and sadly, so does the FBI. It'll be interesting to see how things play out.

Notes:

The argument is that recording all local calls in real time is a bigger job than just splitting major trunks or re-routing a few specific targets. It would seem to require significant changes to the US phone infrastructure. This is particularly true at the local office, where you'd need to upgrade and provision thousands of devices to record all calls passing through them. Building this capability is possible, but would require a lot of effort -- not to mention the complicity of hundreds (or thousands) of collaborators at the local telcos. And that means a whole lot of people keeping a very big secret. People aren't so good at that.
11 May 07:43

Oreck founder: ‘We would revert to what we did successfully in the past’

by Geert De Lombaerde

When storied vacuum cleaner maker Oreck filed for bankruptcy on Monday, founder David Oreck was saddened. The 89-year-old vacuum cleaner magnate is hoping to get the company back in the family after selling it to venture capitalists in 2003.

On Thursday afternoon, Oreck spoke to the Post via phone and from his Mississippi farm.

 
NP: How did your family go about making the decision to try to buy back the company?

Oreck: I started the company 50 years ago and the company did remarkably well. We built our product in America which I feel keenly about... we were very successful. There are 10 million people that own an Oreck today.

Ten years ago at 80, I decided that I ought to sell the company... When you're 80, what do you look forward to? The answer is tomorrow. So, I'm 90. My god, what then? [laughs] I did sell the company to a venture capital group and they somehow decided that everything I did was wrong and that it should be done differently.

I'm certainly not very happy about it, but they have filed bankruptcy. It's not about the product. The product is better today than it has ever been. It's the management. It saddens me greatly to see them file [bankruptcy], frankly. The fact that it has my name on the company has a little to do with that.

NP: Was it an easy decision for you to pursue an acquisition?

Oreck: Yes and no... This outfit in New York bought us and loaded the company with debt and feathered their own nest, you might say, with the proceeds. It's just been one thing after another and it kind of makes me sick.

NP: How confident are you that this deal will get done?

Oreck: I'm not involved in any way in the negotiation. My son is. My understanding of it is that it's in the hands of the court. The court will decide whether the offer that we made is acceptable or not.

NP: If you get the company back, would you consider moving manufacturing overseas?

Oreck: If we prevail, production will remain in the United States and will not go to China. There are some things that are essential that you have to get elsewhere in the world [...] and there are many efficiencies if you make it in the U.S. The inventory turn is much greater, the transportation costs are less.

I'm a World War II veteran, frankly, and I feel very keenly that Americans have got to help Americans.

NP: If you're able to buy the company back, what changes would you make?

Oreck: The marketing policies that I used successfully, most of those things these new people opted to change... We would revert to what we did successfully in the past. If we prevail, we are going to do what we know works. Marketing has been my field for the past 70 years and I think I know a little bit about that.

11 May 07:26

How Much Impact Does a Tiny Extra Payment Have on Your Mortgage?

by Trent

Let’s look at a “typical” mortgage. Right now, the average American mortgage is $235,000, so let’s use that as our baseline. The Seattle Times reports that, right now, the average 30 year fixed mortgage rate is 3.42%.

So, let’s use those numbers. We’ll look at a 30 year fixed mortgage at 3.42% that borrows $235,000.

Under those conditions, a person will be paying $1,044.79 per month for the next 360 months. That’s assuming they make the minimum payments on that mortgage over the entire term. They end up paying a total of $141,123.93 in interest over the course of the loan.

Now, what if a person adds just $1 as an extra payment each month for the entire loan? Each month, they pay $1,045.79. What changes?

Well, the final payment drops to $419.19. By putting in just $1 extra each payment – a total of $359 – you save $626.60 on that last payment.

What if a person adds just $5 as an extra payment each month for the entire loan? Each month, the total payment is $1,049.79. What does that look like?

In that case, you don’t even need to make your last two payments, and the payment before that is only $25.20. Over the course of the loan, you pay in $1,785 extra, but you end up with $3,109.17 in payments you don’t have to make at the end of the loan.

What’s happening here is that every dollar you pay extra on your mortgage effectively “earns” interest at a rate equal to your mortgage interest rate for the rest of your mortgage.

So, if you pay $1 extra on that first payment, your dollar will earn a 3.42% return tax free over the next twenty nine years and twelve months. (You receive that return in the form of having the home paid off earlier than you otherwise would or if you sell the house before the mortgage is finished.)

Could you do better than that with your dollar? That’s a better return than your savings account will give you right now. It’s better than inflation right now, which is below 3% by most calculations. It’s probably not as good as the return you’d get in the stock market over that period, but the stock market also carries risk, and it has tax implications.

The question you really have to ask yourself is will you miss that extra dollar or that extra five dollars? What would you do with it that would really make an impact in your life?

If you don’t have a productive use for that money, it makes sense to simply add it to your mortgage payment. It earns a steady and safe return over the long haul.

It doesn’t take much to add up to a big difference as long as you keep doing that little thing regularly.
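The effect the post walks through can be checked by running the amortization schedule month by month. The following is an added example, not the post's own calculator: it uses the post's figures ($235,000, 3.42%, 360 months) and the standard level-payment formula, charges interest on the opening balance each month, and caps the final payment at whatever balance remains, which is where the saving shows up. The function names are mine.

```python
"""Amortization with an optional fixed extra payment (added example, not from
the post).  Figures are the post's: $235,000 at 3.42% over 360 months.
"""


def monthly_payment(principal: float, annual_rate: float, months: int) -> float:
    """Level-payment formula: P * r / (1 - (1 + r) ** -n), with r the monthly rate."""
    r = annual_rate / 12
    return principal * r / (1 - (1 + r) ** -months)


def amortize(principal: float, annual_rate: float, months: int, extra: float = 0.0):
    """Pay (scheduled + extra) every month until the balance reaches zero.

    Returns (months_paid, final_payment, total_paid, total_interest).  Interest is
    charged on the opening balance of each month; the last payment is capped at
    what is still owed, so an extra dollar each month shows up as a smaller (or
    skipped) final payment rather than as a change to the scheduled amount.
    """
    r = annual_rate / 12
    scheduled = monthly_payment(principal, annual_rate, months)
    balance = principal
    total_paid = 0.0
    months_paid = 0
    final = 0.0
    while balance > 1e-9 and months_paid < months:
        balance += balance * r                  # this month's interest
        payment = min(scheduled + extra, balance)
        balance -= payment
        total_paid += payment
        months_paid += 1
        final = payment
    return months_paid, round(final, 2), round(total_paid, 2), round(total_paid - principal, 2)


def compare(principal: float = 235_000, annual_rate: float = 0.0342, months: int = 360):
    """Baseline versus $1 and $5 extra per month, the three cases the post discusses."""
    return {extra: amortize(principal, annual_rate, months, extra) for extra in (0.0, 1.0, 5.0)}


if __name__ == "__main__":
    for extra, (n, final, paid, interest) in compare().items():
        print(f"extra ${extra:.0f}/mo: {n} payments, final ${final:,.2f}, interest ${interest:,.2f}")
```

The baseline row lands on the post's $1,044.79 scheduled payment; the $1 row still takes 360 payments but the last one shrinks to roughly $419, and the $5 row stops at payment 358, matching the post's description. Cent-level differences from the post's figures come from whether the scheduled payment is rounded before the schedule is run.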

The post How Much Impact Does a Tiny Extra Payment Have on Your Mortgage? appeared first on The Simple Dollar.

08 May 22:32

Violence Against Women Can Be Funny

by Hanna Rosin

Louis C.K. recently told Jon Stewart that, when it comes to making rape jokes, comedians and feminists are “natural enemies.” Why? “Because stereotypically speaking, feminists can’t take a joke” and “comedians can’t take criticism.”

08 May 07:15

National Institute of Mental Health abandoning the DSM

by vaughanbell
Chris Wage

whoa

In a potentially seismic move, the National Institute of Mental Health – the world’s biggest mental health research funder, has announced only two weeks before the launch of the DSM-5 diagnostic manual that it will be “re-orienting its research away from DSM categories”.

In the announcement, NIMH Director Thomas Insel says the DSM lacks validity and that “patients with mental disorders deserve better”.

This is something that will make very uncomfortable reading for the American Psychiatric Association as they trumpet what they claim is the ‘future of psychiatric diagnosis’ only two weeks before it hits the shelves.

As a result the NIMH will now be preferentially funding research that does not stick to DSM categories:

Going forward, we will be supporting research projects that look across current categories – or sub-divide current categories – to begin to develop a better system. What does this mean for applicants? Clinical trials might study all patients in a mood clinic rather than those meeting strict major depressive disorder criteria. Studies of biomarkers for “depression” might begin by looking across many disorders with anhedonia or emotional appraisal bias or psychomotor retardation to understand the circuitry underlying these symptoms. What does this mean for patients? We are committed to new and better treatments, but we feel this will only happen by developing a more precise diagnostic system.

As an alternative approach, Insel suggests the Research Domain Criteria (RDoC) project, which aims to uncover what it sees as the ‘component parts’ of psychological dysregulation by understanding difficulties in terms of cognitive, neural and genetic differences.

For example, difficulties with regulating the arousal system might be equally as involved in generating anxiety in PTSD as generating manic states in bipolar disorder.

Of course, this ‘component part’ approach is already a large part of mental health research but the RDoC project aims to combine this into a system that allows these to be mapped out and integrated.

It’s worth saying that this won’t be changing how psychiatrists treat their patients any time soon. DSM-style disorders will still be the order of the day, not least because a great deal of the evidence for the effectiveness of medication is based on giving people standard diagnoses.

It is also true to say that RDoC is currently little more than a plan at the moment – a bit like the Mars mission: you can see how it would be feasible but actually getting there seems a long way off. In fact, until now, the RDoC project has largely been considered to be an experimental project in thinking up alternative approaches.

The project was partly thought to be radical because it has many similarities to the approach taken by scientific critics of mainstream psychiatry who have argued for a symptom-based approach to understanding mental health difficulties that has often been rejected by the ‘diagnoses represent distinct diseases’ camp.

The NIMH has often been one of the most staunch supporters of the latter view, so the fact that it has put the RDoC front and centre is not only a slap in the face for the American Psychiatric Association and the DSM, it also heralds a massive change in how we might think of mental disorders in decades to come.
 

Link to NIMH announcement ‘Transforming Diagnosis’.


05 May 02:54

Joshua Cogan

by Geoffrey Hiller


Jewish Graveyard in Cochin, Kerala State, India 2011

Joshua Cogan (b. 1984, United States) is a photographer and anthropologist whose work focuses on documenting vanishing cultures, and those in transition.  He has also used technology and traditional storytelling for exploring social issues with photography and new media. In addition to his personal work on Diaspora Judaism in India, Ethiopia and Israel, Joshua has pioneered a number of innovative projects with ad agencies and NGO’s alike. He has won an Emmy in New Approaches to Storytelling for his collaboration with the Pulitzer Center on Crisis Reporting; Live Hope Love, a revelatory look at the silenced voices of HIV-positive Jamaicans enduring the stigmas of their society. His work has been published in the New Yorker, VQR, GQ, Washington Post, and the New York Times among others.

About the Photograph:

“Sometimes there is an experience that changes the whole story, and allows you to understand the purpose of the story you might be “trying” to tell. The picture is from Cochin, India in the state of Kerala. I had gone there to explore the community of Jews that had settled there as spice traders around the time of King Solomon. The members of the community had become quite small in number and I was struggling with how to tell the story of the remaining members and the impact the community had on the area. I began to look for remnants of material culture, and I found them. Abandoned Synagogues, grown over Mikvehs and old pieces of Judaica scattered about curio shops. It was at the Jewish Graveyard that I met four young men playing cards along the wall. They took an interest in me, and began to ask me questions about the project. I told them what I was up to and they assured me that they had something interesting to show me. It was Friday night, and I had been desperate to spend a sabbath with the Jewish Community, and spent most of the day asking them if there would be the required number of Jews for a service in the synagogue that night. Often it would require travelers and tourists to fulfill the needed ten, and it seemed to me that this was a very important part of the story.”

“I told the young men I would come with them, but only if there would be no service that night. I ran back to the shul and saw from the dim lights that indeed there would be no service. And so I wandered back to where the men were playing and they led me to a grave that was far outside the walls and inside one of the chawl villages. Once there I saw this grave; it had Hebrew script but had essentially been “Hindu-ized”, painted with bright colors, a stupa added to the top, and candle burnish and marigolds covered it. This was different than the way Jewish graves are generally treated and I immediately was fascinated by what I was observing. I asked my guides, but they could provide little context. It was then that these young men, of both Hindu and Muslim faith, came over to begin lighting candles. When I asked them why…they simply replied “Shabbat”. About a week later I took an Israeli friend to translate the writing on the grave for me. It was a holy man named Avram Motah, a Kabbalist from somewhere in the Middle East that had traveled to Cochin in the 16th century. It was revealed that he was considered such a pious man, that he has become a symbol to all faith communities of the island.”


23 Apr 01:23

Zerocoin: making Bitcoin anonymous

by Matthew Green
Chris Wage

Interesting article about a proposed extension to run alongside bitcoin to provide anonymous transactions.

This is what it's like to die of stupid.
Wow, what the heck is going on with Bitcoin?

When I started this post, the value of a single bitcoin had surged upwards of $250. It's corrected a bit since then (down $100 or so), but it's pretty clear that we live in a very different world than we did two weeks ago.

And I'm not sure I really like this world. It's a world where I have to listen to CNBC reporters try to understand Bitcoin. Ouch. I think we can all agree that we were better off before this happened.

The explosion of interest in Bitcoin is both wonderful and terrible. It's wonderful because Bitcoin is an amazing technical innovation -- the first decentralized electronic currency to actually make something of itself. It's terrible because Bitcoin has some technical rough edges that really need to be filed off before we start using it for anything.

The rough edge that particularly interests me is user privacy. Or rather, Bitcoin's troubling lack of it.

In this post I'm going to describe a new piece of research out of my lab at Johns Hopkins that provides one potential solution to this problem. This is joint work led by my hardworking students Ian Miers and Christina Garman, along with my colleague Avi Rubin. Our proposal is called Zerocoin, and we'll be presenting it at this year's IEEE S&P.

For those who just want the TL;DR, here it is:
Zerocoin is a new cryptographic extension to Bitcoin that (if adopted) would bring true cryptographic anonymity to Bitcoin. It works at the protocol level and doesn't require new trusted parties or services. With some engineering, it might (someday) turn Bitcoin into a completely untraceable, anonymous electronic currency.
In the rest of the post I'm going to explain Zerocoin, what it can do for Bitcoin, and how far away that 'someday' might be. This is going to be a long, wonky post, so I won't be offended if you stop here and take my word that it's all true.

For everyone else, strap in. I need to start with some background.

Bitcoin in 300 words

Before I get to Zerocoin I need to give the world's shortest explanation of how Bitcoin works. (See here for a slightly less terrible explanation.)

At its heart, Bitcoin is a transaction network with a distributed public ledger. Transactions are files that contain messages like "User X transfers 3 bitcoins to user Y" and "User Y transfers 2.5 of those bitcoins to user Z". Users aren't identified by name. Instead, their identities are public keys for a digital signature scheme.* This allows users to sign their transactions, and makes it very difficult to forge them.

Now none of this stuff is really new. What makes Bitcoin special is the way it maintains the transaction ledger. Rather than storing the whole thing on a single computer, the ledger -- called a block chain -- is massively replicated and updated by a swarm of mutually distrustful parties running in a peer-to-peer network.

To make this work, nodes pull transactions off of a peer-to-peer broadcast network, then compete for the opportunity to tack them on the end of the chain. To keep one party from dominating this process (and posting bad transactions), competition is enforced by making the parties solve hard mathematical problems called 'proofs of work'. The integrity of the block chain is enforced using hash chaining, which makes it very difficult to change history.

Now the block chain is fascinating, and if you're interested in the gory details you should by all means see here. This post mostly isn't going to get into it. For now all you need to know is that the block chain works like a global ledger. It's easy to add (valid) transactions at the end, but it's astonishingly difficult to tamper with the transactions that are already there.

So what's the problem?

The block chain is Bitcoin's greatest strength. Unfortunately from a privacy perspective, it's also the currency's greatest weakness.

This is because the block chain contains a record of every single Bitcoin transaction that's ever been conducted. Due to the way Bitcoin works, this information can't be limited to just a few trustworthy parties, since there are no trusted parties. This means all of your transactions are conducted in public.

Illustration of a Bitcoin block chain. Each transaction is tied to the one that precedes it. The transaction at far left is almost certainly a drug deal.
In a sense this makes Bitcoin less private than cash, and even worse than credit cards. If you choose to engage in sensitive transactions on Bitcoin, you should be aware that a record will be preserved for all eternity. Spend with care.

Now some will say this is unfair, since Bitcoin users are not identified by name -- the only identifier associated with your transactions is your public key. Moreover, you can make as many public keys as you'd like. In other words, Bitcoin offers privacy through pseudonymity, which some argue is almost as good as the real thing.

But don't get too comfortable. Already several academic works have succeeded in de-anonymizing Bitcoin transactions. And this work is just getting started. You see, there's an entire subfield of computer science that can roughly be described as 'pulling information out of things that look exactly like the Bitcoin transaction graph', and while these researchers haven't done much to Bitcoin yet -- that's only because they're still fighting over the grant money. We will see more.

If you're a Bitcoin user who values your privacy, this should worry you. The worst part is that right now your options are somewhat limited. Roughly speaking, they are:
  1. Just be careful. Generate lots of public keys and make sure your client software is extremely careful not to use them in ways that could tie one to another (e.g., getting 'change' from one key sent to another). This seems to be the major privacy thrust of the current Bitcoin development effort, and we're all waiting to see how it pans out.
  2. Use a laundry. For the more paranoid, there are services called 'laundries' that take in bitcoins from a whole bunch of users, mix them up and shuffle them back out. In theory this makes it hard to track your money. Unfortunately, laundries suffer from a few problems. First, they only work well if lots of people are using them, and today's laundries have relatively low volume. More importantly, you're entirely dependent on the honesty and goodwill of the laundry itself. A dishonest (or hacked) laundry can steal your coins, or even trace its inputs and outputs -- which could completely undermine your privacy.
  3. Use a Chaumian e-cash system. On the wonkier side, there have been attempts to implement real anonymous cryptographic e-Cash for Bitcoin. I've written about these systems before and while I think they're neat, the existing schemes (from Chaum on forward) have one critical flaw: they all rely on a central 'bank' to issue and redeem e-Cash tokens. The need for this bank has been a major stumbling block in getting these systems up and running, and it's almost unworkable for Bitcoin -- since trusted parties are antithetical to Bitcoin's decentralized nature.
In short, the current solutions aren't perfect. It would be awfully nice if we had something better. Something with the power of cryptographic e-Cash, but without the need to change Bitcoin's network model. And this is where Zerocoin comes in.

Zerocoin

Zerocoin is not intended as a replacement for Bitcoin. It's actually a separate anonymous currency that's designed to live side-by-side with Bitcoin on the same block chain. Zerocoins are fully exchangeable on a one-to-one basis with bitcoins, which means (in principle) you can use them with existing merchants.

Zerocoins themselves can be thought of literally as coins. They're issued in a fixed denomination (for example, 1 BTC), and any user can purchase a zerocoin in exchange for the correct quantity of bitcoin. This purchase is done by placing a special new 'Zerocoin Mint' transaction onto the block chain.

Once a Mint transaction has been accepted by the Bitcoin peers, the same user can later redeem her zerocoin back into bitcoins. She simply embeds a (preferably new) destination Bitcoin address into a 'Zerocoin Spend' transaction, then sends it into the network. If the transaction checks out, the Bitcoin peers will treat it just like a normal Bitcoin transfer -- meaning that she'll receive the full bitcoin value of the coin (minus transaction fees) at the destination address.

Now you're probably wondering what any of this has to do with privacy. To explain that, I need to give you one more piece of information:
Aside from educated guesswork, there's no way to link a Zerocoin Mint transaction to the Zerocoin Spend transaction that redeems it.
Redeeming a zerocoin gives you a completely different set of bitcoins than the ones you used to purchase it. In fact, you can think of Zerocoin like the world's biggest laundry -- one that can handle millions of users, has no trusted party, and can't be compromised. Once a user converts her bitcoins into zerocoins, it's very hard to determine where she took them back out. Her funds are mixed up with those of all the other users who also created zerocoins. And that's a pretty powerful guarantee.

Illustration of a Bitcoin/Zerocoin block chain. A user transforms bitcoins into a zerocoin, then (at some unspecified later point) 'Spends' it to redeem the bitcoins. The linkage between Mint and Spend (dotted line) cannot be determined from the block chain data.
The key to the whole process is to make it all work at the protocol level -- meaning, without adding new trusted parties. And doing that is the goal of Zerocoin.

How does it work?

Zerocoin uses a combination of digital commitments, one-way accumulators and zero-knowledge proofs, and some extensions to the existing Bitcoin protocol. It also shares some similarities to a previous work by Sander and Ta-Shma. For the details, you can see our paper. Here I'm going to try to give a very high-level intuition that avoids the muck.

The key idea in Zerocoin is that each coin commits to (read: encrypts) a random serial number. These coins are easy to create -- all you need to do is pick the serial number and run a fast commitment algorithm to wrap this up in a coin. The commitment works like encryption, in that the resulting coin completely hides the serial number. At the same time this coin 'binds' you to the number you've chosen. The serial number is secret, and it stays with you.

To 'Mint' the new coin you post it to the network along with a standard Bitcoin transaction containing enough (normal) bitcoins to 'pay for' it. The Mint transaction adds some new messages to the Bitcoin protocol, but fundamentally there's no magic here. The Bitcoin network will accept the transaction into the block chain as long as the input bitcoins check out.**

The Zerocoin 'Spend' transaction is a little bit more complicated. To redeem your zerocoin, you first create a new transaction that contains the coin's serial number (remember that you kept it secret after you made the coin). You also attach a zero-knowledge proof of the following two statements:
  1. You previously posted a valid zerocoin on the block chain.
  2. This particular zerocoin contained the serial number you put in your transaction.
The key to making this all work is that zero-knowledge proof. What you need to know about these is that anyone can verify such a proof, and she'll be absolutely convinced that you're telling the truth about these statements. At the same time, the proof reveals absolutely no other information (hence the 'zero' knowledge).

This means anyone who sees your Spend transaction will be convinced that you really did previously Mint a zerocoin, and that it contained the serial number you just revealed. They can then check the block chain to make sure that particular serial number has never been Spent before. At the same time, the zero-knowledge property ensures that they have absolutely no idea which zerocoin you're actually spending. The number of such coins could easily run into the millions.
All of this leads us to one final question: where do your bitcoins go after you Mint a zerocoin, and how do you get them back when you Spend? 

The simple answer is that they don't go anywhere at all. The bitcoins used in a 'Mint' transaction just sit there on the block chain. The Zerocoin protocol semantics require that nobody can access those coins again except by publishing a valid Zerocoin 'Spend'. When you publish a Spend, the protocol allows you to 'claim' any of the previously-committed bitcoins -- regardless of who posted them. In other words, you Mint with one set of bitcoins, and you leave with someone else's. 
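The Mint/Spend flow described above, as an added worked example (my code, not the Zerocoin paper's implementation). A coin is a Pedersen commitment to the serial; Spend reveals the serial and attaches a zero-knowledge proof that the spender knows the opening of some coin on the ledger committing to that serial, and the ledger rejects any serial it has seen before. Two assumptions differ from real Zerocoin: the membership proof is a Schnorr one-out-of-many OR-proof (Cramer/Damgård/Schoenmakers) standing in for the accumulator plus double-discrete-log proof, so it costs O(number of coins) instead of constant size; and the group is a 128-bit safe prime found at import time, which is a toy parameter and not secure. Names such as `Ledger`, `prove_spend` and `verify_spend` are mine.

```python
"""Toy Zerocoin-style Mint/Spend ledger. Added example, not Zerocoin's own code.
Coin = Pedersen commitment C = g^S * h^r (mod p) to secret serial S.
Spend reveals S plus an OR-proof of knowing r for *some* C_i with C_i = g^S h^r,
hiding i (stand-in for Zerocoin's accumulator proof).  Toy 128-bit group: NOT secure.
"""
import hashlib
import random
import secrets


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test (only ever called with large n here)."""
    if n < 2 or any(n % sp == 0 and n != sp for sp in (2, 3, 5, 7, 11, 13)):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=128, seed=2013):
    """Safe prime p = 2q+1; g, h generate the order-q subgroup, log_g(h) unknown."""
    rng = random.Random(seed)                              # deterministic toy parameters
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            break
    p = 2 * q + 1
    g = 4                                                  # 2^2: quadratic residue, order q
    h = pow(int.from_bytes(hashlib.sha256(b"zerocoin-demo-h").digest(), "big") % p, 2, p)
    return p, q, g, h


P, Q, G, H = make_group()


def _challenge(*ints):
    """Fiat-Shamir: hash the full transcript down to a challenge mod q."""
    return int.from_bytes(hashlib.sha256(b"".join(x.to_bytes(64, "big") for x in ints)).digest(), "big") % Q


def _stripped(coins, S):
    """Y_i = C_i * g^-S; the coin committing to S is the one with Y_i = h^r."""
    g_inv_S = pow(G, Q - S, P)
    return [(C * g_inv_S) % P for C in coins]


def prove_spend(coins, S, r):
    """Prover: one-out-of-many Schnorr proof of knowing r with Y_j = h^r, hiding j."""
    Y = _stripped(coins, S)
    j = coins.index((pow(G, S, P) * pow(H, r, P)) % P)    # position of our own coin
    n = len(coins)
    cs, zs, A = [0] * n, [0] * n, [0] * n
    for i in range(n):
        if i != j:                                         # simulate every other branch
            cs[i], zs[i] = secrets.randbelow(Q), secrets.randbelow(Q)
            A[i] = (pow(H, zs[i], P) * pow(Y[i], Q - cs[i], P)) % P
    w = secrets.randbelow(Q)
    A[j] = pow(H, w, P)                                    # honest Schnorr commitment
    c = _challenge(S, *Y, *A)
    cs[j] = (c - sum(cs)) % Q                              # forces sum of challenges to c
    zs[j] = (w + cs[j] * r) % Q
    return cs, zs


def verify_spend(coins, S, proof):
    """Verifier: anyone can run this, and it never learns which coin was spent."""
    cs, zs = proof
    n = len(coins)
    if n == 0 or len(cs) != n or len(zs) != n:
        return False
    Y = _stripped(coins, S)
    A = [(pow(H, zs[i], P) * pow(Y[i], Q - cs[i], P)) % P for i in range(n)]
    return sum(cs) % Q == _challenge(S, *Y, *A)


class Ledger:
    """The public block chain: minted commitments, revealed serials, locked bitcoins."""

    def __init__(self):
        self.coins, self.spent, self.locked_btc = [], set(), 0

    def mint(self):
        """Mint: lock one bitcoin, post C; the owner keeps (S, r) secret."""
        S, r = secrets.randbelow(Q), secrets.randbelow(Q)
        self.coins.append((pow(G, S, P) * pow(H, r, P)) % P)
        self.locked_btc += 1
        return S, r

    def spend(self, S, proof):
        """Spend: accepted iff the proof checks and S was never revealed before."""
        if S in self.spent or not verify_spend(self.coins, S, proof):
            return False                                   # forged proof or double spend
        self.spent.add(S)
        self.locked_btc -= 1                               # spender walks off with *some* locked coin
        return True
```

A replayed Spend carries a serial the ledger has already recorded, so it is rejected even though its proof still verifies; a proof with the serial or any response altered fails the Fiat-Shamir check. The proof itself is just two lists of numbers with no preferred index, which is why the verifier learns nothing about which coin was redeemed.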

When will Zerocoin be available?

For those looking to use Zerocoin tomorrow, I would advise patience. We've written a proof-of-concept implementation that extends the C++ bitcoind client to support Zerocoin, and we'll be releasing a cleaned up version of our code when we present the paper in May.

But before you get excited, I need to point out some pretty serious caveats.

First of all, Zerocoin is not cheap. Our current zero-knowledge proof averages around 40KB, and takes nearly two seconds to verify. By the standards of advanced crypto primitives this is fantastic. At the same time, it poses some pretty serious engineering challenges -- not least of which is: where do you store all these proofs?

This probably isn't the end of the world. For one thing, it seems likely that we'll be able to reduce the size and cost of verifying the proof, and we think that even the current proof could be made to work with some careful engineering. Still, Zerocoin as currently constructed is probably not going to go online anytime soon. But some version of Zerocoin might be ready in the near future.

Another problem with Zerocoin is the difficulty of incrementally deploying it. Supporting the new Mint and Spend functionality requires changes to every Bitcoin client. That's a big deal, and it's unlikely that the Bitcoin folks are going to accept a unilateral protocol change without some serious pushback. But even this isn't a dealbreaker: it should be possible to start Zerocoin off using some training wheels -- using a trusted central party to assist with the process, until enough Bitcoin clients trust it and are willing to support it natively.

In fact, one of the biggest barriers to adoption is human beings themselves. As complicated as Bitcoin is, you can explain the crypto even to non-experts. This makes people happy. Unfortunately Zerocoin is a different animal. It will take time to convince people that these new techniques are safe. We hope to be there when it happens.

In conclusion

I realize that this blog post has run slightly longer than usual. Thanks for sticking with me!

As regular readers of this blog know, I have a passion for anything that gets interesting crypto out into the world. Bitcoin is a great example of this. It would be wonderful if this gave us an opportunity to do even more interesting things. Perfectly untraceable e-Cash would definitely fit that bill.

But even if we don't get there, the fact that reputable computer science conferences are accepting papers about 'that crazy Bitcoin thing' tells you a lot about how much it's grown up. In the long run, this is good news for everyone.

Notes:

* There are a lot of simplifications in here. Identities are the hash of your public key. The block chain is really computed using a Merkle tree for efficiency reasons. The peer-to-peer network isn't quite a broadcast network. Did I mention you should read the paper?

** Note that for those who 'know' their Bitcoin, you can think of the Zerocoin as a piece of extra data that gets added to a Bitcoin transaction. The inputs are still standard bitcoins. There's just no output. Instead, the transaction contains the coin data.
09 Apr 16:32

Duel

Chris Wage

Does anyone see this? Where does it go?

Updrafter
08 Apr 18:58

Mixed news everyone: update, help search, report and pics.

Mixed news everyone!

1. First and the most important: thank you everybody for your donations. We now have enough to secure our servers for the next two months or so. You can donate using Flattr or using bitcoins: 1JMYDeTaJHvfL6stbvwNdbY8zVqWfEnucU.

2. We’ve received an incredible number of emails during the last three weeks. There’ve been several days when all three of us were busy mostly dealing with user requests. If you believe that The Old Reader is missing something (and it surely is), please go to our Uservoice page, browse the issues (most likely, someone has already created your suggestion), and vote for the ones you like. You can also see what’s already planned there. And please check our Status page or subscribe to our Twitter account — we keep these two updated on current issues.

We only have so much time during the day to spare on this project, and we would prefer to spend it making The Old Reader more reliable or implementing new features, not removing duplicate feature requests or explaining how to create a folder.

We are focused on making everything work for the vast number of users and feeds, for now this is our top priority.

(image by ProlificPen)

3. We could really use some help on the Ruby on Rails front. If you have experience engineering medium-size websites, and you’d like to become a part of our small team, please drop us a line at hello@theoldreader.com. If you have any other suggestions about how you can help us, feel free to email us as well. Or just spread the word; that’d be much appreciated.

We can’t pay you a huge pile of money, but we still have something interesting to offer.

4. Cool graphs, no?