Blog Ipsa Loquitur

Robert Graham of Errata Security on cracking iPhone PIN codes:

All the data (on the internal flash drive) is encrypted with a random AES key that nobody, not even the NSA, can crack. This random AES key is stored on the crypto-chip. Thus, if your phone is stolen, the robbers cannot steal the data from it – as long as your phone is locked properly. To unlock your phone, you type in a 4 digit passcode. This passcode gets sent to the crypto-chip, which verifies the code, then gives you the AES key needed to decrypt the flash drive. This is all invisible, of course, but that’s what’s going on underneath the scenes. Since the NSA can’t crack the AES key on the flash drive, they must instead get it from the crypto-chip.

Thus, unlocking the phone means guessing your 4 digit PIN. This seems easy. After all, it’s only 4 digits. However, offline cracking is impossible. The only way to unlock the phone is to send guesses to the crypto-chip (a form of online cracking). This can be done over the USB port, so they (the NSA) don’t need to sit there trying to type every possible combination – they can simply write a little script to send commands over USB.

To make this more difficult, the crypto-chip will slow things down. After 6 failed guesses, the iPhone temporarily disables itself for 1 minute. Thus, it’ll take the NSA a week (6.9 days), trying all 10,000 combinations, once per minute.

I really enjoy the Errata guys’ walkthroughs of these kinds of topics. This one is a little scarier than most, as the tools that the NSA and law enforcement use are readily available to the sufficiently motivated.

Published on under Scimitar Golems Have 10 Hit Dice

The number one cause of bankruptcy in America is medical bills. It’s been this way for a while, although that may be changing slowly. Frankly, it’s a little ridiculous when the rest of the developed world has solved the problem. Progress is progress, though.

Here’s a really great example of how medical bills get to be so bad for so many Americans. Researchers at Johns Hopkins have named the fifty hospitals in America where uninsured folks pay ten times the list price for services.

Now, sure, you’re allowed to make a profit. That’s all well and good; but a 90% markup is something out of the Apple playbook. It’s one thing to mark up a luxury cell phone for people who insist on buying one. It’s another thing to mark up the treatment of an inflamed appendix for people who couldn’t afford insurance.

From the article:

“They are price-gouging because they can,” said Gerard Anderson, a professor at Johns Hopkins Bloomberg School of Public Health, co-author of the study in Health Affairs. “They are marking up the prices because no one is telling them they can’t.”

He added: “These are the hospitals that have the highest markup of all 5,000 hospitals in the United States. This means, when it costs the hospital $100, they are going to charge you, on average, $1,000.”

Okay, that sounds bad. But come on. Everyone knows insurance is a good thing. With Obamacare, you actually pay extra in taxes if you don’t have insurance. So really, isn’t it just the corner-cutters who get screwed by this practice?

Well, no.

The researchers said other consumers who could face those high charges are patients whose hospitals are not in their insurance company’s preferred network of providers, patients using workers’ compensation and those covered by automobile insurance policies.

Carepoint Health-Bayonne Medical Center in Bayonne, N.J., for example, also charges rates 12.6 times the actual cost of patient care. […] By comparison, the researchers said, a typical U.S. hospital charges 3.4 times the cost of patient care.

As usual, the article gets a quote from hospital spokespersons, who say that yes, they have “set” prices for each procedure, but nobody actually pays the listed price. Insurance companies negotiate bulk discounts for their customers, and the uninsured get to bargain down to less-obscene prices. This isn’t price gouging, it’s just imaginary price gouging.

Look. In law school, we were taught how to bill our friends and family for legal work. Always make up a crazy hourly rate, put that on the invoice, but then discount it down to your actual rate that you can actually bill your friends with a straight face. It’s a little dishonest to make up a fake price and a fake discount to arrive at a “bargain” price you wanted to charge to begin with.

But, you know. Lawyers. Sociopathy is kind of expected.

In our case, the deception was to avoid putting strain on social relationships by haggling over the price of legal services. It’s a passive-aggressive power play to your friends and family.

In this case, the deception seems to be… to frighten the unwell and uninsured (and the out-of-network and the underinsured etc.) into submission, by showing them an imaginary price they can’t afford next to a smaller price that will probably be the reason they’re bankrupt.

Published on under The News

Another day, another bleeding heart hippie in New York City pretending that Stopping and Frisking youths doesn’t prevent crime. Get real, man! It’s scientific fact. It’s us versus them, and cops need to be forced to stop and frisk hundreds of thousands of kids a year or we’ll slip into an age of lawlessness the likes of which you can’t imagine.

Let’s hear what the hippie of the week has to say:

“Let’s get over this issue of stop-question-and-frisk, how impactful it is, or isn’t,” Bratton said in a press conference at NYPD headquarters this morning. He pointed to 2011 as proof. That year, the city recorded 685,000 stop-and-frisks, the most ever. And, Bratton said, “In that year, rapes, robberies, assaults, burglaries, grand larcenies were all up—the year that we did the most stop-questions-and-frisks.”

Last year, Bratton said, police officers conducted approximately 48,000 stops, and “murders, rapes, robberies, assaults, burglaries, grand larcenies, were all down. So, the year we had the highest number of stop-question-and-frisks, which so many are clamoring to go back to, we actually had more crime and less of a reduction. Last year, when we had the lowest number of stop-question-and-frisks, we had much less crime.”

All right, this Bratton guy clearly has his head in the clouds. Who is he? Where does he get off making up nonsense like this? Why, I ought to-

New York Police Department commissioner Bill Bratton, responding to a call from some police union leaders to conduct more stop-and-frisks amid an uptick in violent incidents…

Oh. Well, then.

Seriously, though, Stop and Frisk is unrelated to the amount of crime in New York City, and it’s refreshing and A Good Thing that the police commissioner says things like this. What’s more interesting to me is police union leaders calling for more Stops and Frisks to combat crime. (Which they pretend is rising, but is still falling at roughly the same rate it has been for decades.) I’m not sure how public and contentious that disagreement is going to get.

Published on under You've Got Time

Advertising Age is the home of this eyebrow-raising story of what viruses are doing these days:

…the bad guys have grown far more sophisticated. Malware was once primarily used for banking fraud, but two-factor authentication (for example, when a bank asks you for a code from your cellphone before you can sign in on a new computer, or asks whether you really meant to send money to Uruguay) severely reduced its profitability. Then, the hackers moved to credit-card fraud, but the security on that front is now so good that you can buy thousands of active credit-card records for a few dollars, because they’re essentially worthless. Next up was Bitcoin mining, where hacked machines were used to unearth the crypto currency.

But that too became less profitable, leaving ad fraud as the most lucrative endeavor a cybercriminal can undertake today. “We’re at a point now where malware is being used principally for ad fraud,” Mr. de Jager said. Scary words for an advertising industry only starting to grasp the problem.

A few things here.

Firstly, I didn’t realize I could buy thousands of credit card numbers for “a few dollars.” I’ve been guarding mine like some kind of moron from the 20th century. Secondly, even the criminals running botnets can’t make money on Bitcoin. That seems odd.

Thirdly, there’s actually an economy of hackers who’ve decided that the best way to make money is to infect computers, open invisible web browser windows, and get paid to surreptitiously click ads on sites.

Published on under Eyeballs For Hire

Aaron Carroll, writing for the New York Times’s Upshot Blog, on some interesting aspects of medical malpractice. Studies and surveys have shown for decades that there are certain specific things some doctors do which get them sued for malpractice. Carroll runs through the literature and, in a departure for “old media,” actually links to the studies in question. Basically, doctors get sued for malpractice when they don’t spend enough time talking to their patients, not when they practice medicine poorly.

This isn’t new, we all learned that in law school, and I think we also learned that legal malpractice lawsuits happen the same way. Talk to your clients, make them feel like you’re listening to them, and you’ll do okay. No kidding, right?

Here’s the great part:

Physicians and patients don’t communicate well even about malpractice. A study published in 1989 surveyed patients who sued physicians as well as physicians who had or had not been sued. Almost all (97 percent) of the patients reported negligence as the reason for their malpractice action. Fewer, about half, of non-sued physicians thought negligence was the cause of malpractice suits in general.

Only 10 percent of sued physicians, however, thought negligence was the reason for claims against them. While only a fifth of patients reported financial compensation as their motive for suing, more than 80 percent of all physicians thought this was the reason patients filed suits.

Virtually every patient who files a malpractice suit thinks they’ve been neglected. Doctors who haven’t been sued think malpractice suits are caused by doctors’ negligence half the time. But 90% of the physicians who have been sued come up with some reason besides their own negligence. They think that medical malpractice suits are a shameless cash grab.

The fact that there’s some cognitive dissonance at play here isn’t surprising. It’s the depths to which this misunderstanding goes: we’re approaching questions of epistemological possibilities here. Is it possible for physicians and plaintiffs to understand one another? And, like, what if what I see when I’m looking at the color orange isn’t what you see at all, man? Whoa.

Actually, the one thing that most everyone agrees on, whether they be plaintiff or defendant, is that communication is key to preventing these kinds of problems in the first place. Which is why, in one recent study about people visiting emergency rooms for relatively harmless chest pains:

The median estimate of whether a patient might die at home of a heart attack was 80 percent in patients and 10 percent in physicians.


Published on under We Can't Have Nice Things

Hey, so, uh, this thing happened in McKinney, Texas. It’s pretty ugly. Really, really pretty ugly.

Ugly things like this don’t have to involve guns. One of my friends pointed me to this story in New York Magazine from a few years back. People can be pretty awful to one another:

Jenny Tsai, a student who was elected president of her class at the equally competitive New York public school Hunter College High School, remembers frequently hearing that “the school was becoming too Asian, that they would be the downfall of our school.” A couple of years ago, she revisited this issue in her senior thesis at Harvard, where she interviewed graduates of elite public schools and found that the white students regarded the Asian students with wariness. (She quotes a music teacher at Stuyvesant describing the dominance of Asians: “They were mediocre kids, but they got in because they were coached.”)

Real nice, guys.

I think the short version is “we’re all striving for these accomplishments, but when people who aren’t white achieve them, it’s a bad thing.” Got it.

Ah, but there’s more from the New York Magazine piece:

In 2005, The Wall Street Journal reported on “white flight” from a high school in Cupertino, California, that began soon after the children of Asian software engineers had made the place so brutally competitive that a B average could place you in the bottom third of the class.

See? Look! Downfall of the school, just like the racists warned us would happen! It’s a damn shame.

Here’s the worst part:

Colleges have a way of correcting for this imbalance: The Princeton sociologist Thomas Espenshade has calculated that an Asian applicant must, in practice, score 140 points higher on the SAT than a comparable white applicant to have the same chance of admission. This is obviously unfair to the many qualified Asian individuals who are punished for the success of others with similar faces. Upper-middle-class white kids, after all, have their own elite private schools, and their own private tutors, far more expensive than the cram schools, to help them game the education system.

I mean, this whole thing is pretty awful, but the real tragedy here is obviously that I didn’t get into Harvard even with a 140-point White Dude Bonus.

Published on under Educated Guesses