Mercury Rising 鳯女

Politics, life, and other things that matter

Heard on the public airwaves

Posted by Charles II on June 23, 2009

DemocracyNow hit the trifecta: charter schools, deep packet inspection (wiretapping), and a detailed analysis of a number of cases of innocent men held at Guantanamo.

On Charter Schools, Stanford University has come up with a new report called The Credo Report (interesting choice of names) which looked at 16 states. They found charter schools very slightly underperforming traditional schools, which is bad news for the movement, since it is promising improvements. Arne Duncan is trying to spin this by saying, well, yes, if we got rid of all the bad charter schools, they would be better than public schools. Of course, if we properly funded and did oversight on bad public schools, they’d be better than charters. Anyway:

this study reveals in unmistakable terms that, in the aggregate, charter students are not faring as well as their TPS counterparts. Further, tremendous variation in academic quality among charters is the norm, not the exception. The problem of quality is the most pressing issue that charter schools and their supporters face.

but with a surprising twist:

two subgroups fare better in charters than in the traditional system:
students in poverty and ELL students.

Bob Peterson of Rethinking Schools gave a powerful rebuttal, demolishing EdSec Arne Duncan’s record and pointing out that charter schools, contrary to the assertions of the Credo Report, cherry pick by dumping students with behavior problems. In Illinois, 15% of traditional classrooms are special needs children, while only 10% of charters are.

Deep Packet Inspection means searching mail/phone/FAX/etc. for keywords (but “words” could include, for example, the ISP, the type of program used to generate the transmission, or the time of day) and referring them to a police agency. Siemens and Nokia set up a centralized system for Iran’s government, which is how they have managed to all but shut down communications. China uses a decentralized system. The US has the capability and it’s legal, according to Josh Silver of FreePress.Net.

I know for a fact that deep packet inspection is used by at least one ISP, which used it for a time to block transmitting things like the link to the Cornell University site on the Constitution! The potential for abuse in a society so completely dependent on electronic communication is enormous.

The segment on the innocence of many Guantanamo detainees added some important detail to what we know. Andy Worthington delivered such a solid exposition that I’m adding him to the links. The case of Abdul Rahim, who was tortured by Al Qaeda and held in a Taliban jail, only to be seized and transferred to Guantanamo was particularly moving. The Syrian government is unlikely to accept him, so as the final (or so we hope) indignity, he will become a stateless person, forever separated from his family.

8 Responses to “Heard on the public airwaves”

  1. Stormcrow said

    “Deep Packet Inspection” is a far broader class of actions than the definition you’re giving here.

    Think of a “packet” as a series of envelopes, one inside the other, with the actual message content inside the innermost one.

    “Deep packet inspection” involves parsing through that innermost message content.

    Most Internet packets are just 1500 bytes long, (maximum size is 65535 bytes) and have headers (think of these as the sum total of all the envelopes) which vary from 54 bytes to perhaps 70. So the ratio of content to header is about 30/1. Or higher, with “jumbo” packets whose size pushes that 65535 byte maximum.

    Conventional firewalls inspect the header data only, not the content. That’s why you can get by with putting a firewall with an incredibly archaic 266 Mhz CPU between your home network and your 20 megabit/second cable modem line.

    Try using a system with a CPU like this as a malware proxy and it’ll be crawling on its hands and knees trying to deal with only 1/10 of that bandwidth. I’m not guessing; I’ve seen this tried.

    The problem is that a malware or spam payload will be in the message content itself, not in the addressing and routing information of the packet header. Your processing overhead just jumped to 20 to 20 times what it’d be if you merely restricted your inspection to the header information only.

    From a legal and civil rights standpoint, deep packet inspection is a two-edged sword. You can use it to filter spam and malware, or to censor or otherwise sanction politics you don’t like.

    From a network engineering standpoint, it’s a power hog, an immense black hole down which you must pour CPU resources in order to achieve your design goal. Whatever that design goal may be.

    There has long been grassroots pressure to filter malware and spam at the network perimeter. Particularly spam, since the volume of spam has grown so large these days that without some sort of filtering, email becomes essentially unusable. Here’s an experiment you can try if I haven’t convinced you: look at the “spam” folder of your email account. Boggles the mind.

    Assuming your ISP bows to this pressure (which nearly all have done by now), and installs powerful enough hardware, the ability to filter spam and malware also confers the ability to breach user privacy on a level not previously practical.

    Bottom line? If you can filter for “v1agra” or the latest malware exploit “shellcode”, you can also filter for anything else your management chooses to filter for.

    We can pass as many laws against misuse as we like. Assuming, of course, that Obama will sign them or even support them. Which I doubt.

    But when our government, or anybody elses’ government, comes knocking on the door with a political laundry list in hand, it’s going to be much easier for an ISP’s senior management to comply than not.

    I think the only real solution to this is an embrace, by the general public, of strong encryption. For absolutely everything that goes across an unsecured line, from CC data to gossip about your cats.

    I don’t think that’s going to happen anytime soon. I can hope I’m wrong, but I really don’t think I am. Not about this one.

  2. Charles II said

    I think I’ve characterized it correctly, Stormcrow, though not as eloquently as you. Based on a Wired article, I did a post on the topic some years ago.

    I didn’t realize that ISPs were using it routinely on the body of messages… my ISP misses half the spam, so they’re giving me no privacy in exchange for virtually no protection… but I certainly knew that they were using material in the body of the message to block me from sending information that might help people understand the law that supposedly governs this country. There is a slight difference between the ISP invading privacy and the government doing so, though the difference between corporations and government is ever-thinner.

    I’ve not used encryption because of the simple reality that it guarantees that someone will be reading your mail and spending your tax money to do so. Encryption does, I suppose, limit who gets to read your mail to people who can afford supercomputers. Only if large numbers of people went to encryption would it inconvenience the snoopers.

    No, we need to change the way our country works. For too many years, it has been on a war footing. We need to declare peace.

    • Stormcrow said

      I disagree. I read your definition to imply a negative moral value for deep packet inspection, from the git-go.

      The first point I was trying to make was that deep packet inspection is no more immoral, or moral, in and of itself than dynamite is.

      You can use dynamite to clear away rock for a roadbed or remove stumps or dig out mines or pits or topple a ruined building. You can also use it to blow other humans to bits.

      The second point is that the technology to make deep packet inspection practical is relatively new. 10 years ago, we wouldn’t be talking about this technology in the present or past tenses.

      There’s something else you wrote I must also take issue with.

      I’ve not used encryption because of the simple reality that it guarantees that someone will be reading your mail and spending your tax money to do so. Encryption does, I suppose, limit who gets to read your mail to people who can afford supercomputers.

      No. That’s simply wrong. It’s popular mythology, and it’s just simply wrong.

      Many, many, many people believe the myth that the government can always break any cipher it chooses to, by throwing enough computing horsepower at it. That does not make it true, anymore than the myth that the Roman Empire fell because of “moral decay”.

      If the encryption is done by someone who knows what the hell they’re doing (and it isn’t rocket science at this level), then the person who wants to read the plaintext either has to obtain the key by trickery or coercion, or else get used to being ignorant.

      Yeah, it’s really as simple as choosing the right algorithm and a key with enough “entropy” to render both brute-force attack and informed guesswork useless. Really. Having the cash to line up supercomputers the way a used car dealer lines up autos isn’t going to buy you much except bragging rights anymore.

      This stopped being true more than 30 years ago, if it ever was. You don’t have to take my word for it. I can hand you more reference on cryptography than you can easily digest even if I exclude the ones that do deep dives into the math.

      But the basic principle that drives the development of modern strong crypto is more than a century old! It’s also the reason why you should never accept that a secret algorithm is secure. Think “Skipjack” here. This is called Kerckhoffs’ Principle. Bruce Scheier writes about it here. Or just look up the Wikipedia page.

      The bottom line is that every algorithm in widespread use today is public, and has been subjected to publicized attack by serious professionals for years. This is designed to be brutally Darwinian and it is just that.

      Almost all new cryptographic algorithms fall by the wayside very soon after they are first published, because somebody, or several somebodys, finds a flaw.

      What we use are the survivors.

  3. […] Charter Schools and other forms of School “Choice”: Huh, it seems that charter schools aren’t doing quite as well as public schools. Oh, and look how complicated a school choice program can be. I know that locally, we have 5 magnet […]

  4. Stormcrow said

    Here’s an example of what I talked about when I said that trustworthy algorithms are trustworthy precisely because they are (i) public, and thus are (ii) subjected to a prolonged process of progressive and published attacks by professionals.

    I stress the word “published” because if the attacks aren’t published, they cannot build upon one another.

    Bruce Schneier’s latest blog post, Another New AES Attack, shows this process at work on an established algorithm.

    Supercomputers can only consolidate those attacks which cryptanalysts have already pioneered.

Sorry, the comment form is closed at this time.

%d bloggers like this: