Fazal Majid's low-intensity blog

Sporadic pontification

Externalities again

I just wasted half an hour of my life on the phone with my credit card company’s fraud department, after someone attempted to buy expensive tickets from an airline in Panama. Most likely my card number was compromised by Target, although it could also be due to Adobe.

It is actually surprising such breaches do not occur on a daily basis: the parties who bear the costs of a compromise (the card holder, defrauded merchants, and the card issuers through the cost of running their fraud departments) are not the ones who would pay for the security measures that would prevent it, a textbook example of what economists call an externality. There are reputational costs to a business that suffers a major security breach, but breaches occur so often that consumers are becoming numb to them.

Many states have mandatory breach disclosure laws, following California’s example. It is time for legislatures to take the next step and impose statutory damages for data breaches, e.g. $100 per compromised credit card number, $1,000 per compromised Social Security number, and so on. In Target’s case, 40 million compromised credit cards multiplied by $100 would mean $4 billion in damages. That would make management take notice and stop paying mere lip service to security. It might also jump-start the long-overdue migration to EMV chip-and-PIN cards in the United States.

The real electromagnetic emissions danger

I live 1.2 km from Sutro Tower in San Francisco. At my wife’s request I tried to calculate the radius at which emissions from the Sutro Tower transmitters fall to the same power density as a cell phone held a meter away, with back-of-the-envelope calculations based on the inverse square law and Wikipedia’s table of radio powers.

I was shocked to find out the total power from the transmitters is about 8 megawatts, not in the kilowatt range I was expecting, and it once reached 29 MW. For comparison, France’s first-generation PWR nuclear reactors produce 900 MW each, and a typical cellular base station transmits 100 W to 500 W. Under the inverse square law, power density falls as 1/r², so the distance at which 8 MW gives the same density as 2 W at 1 m is 1 m × √(8,000,000 / 2) = 2,000 m. Using 2 W as the reference thus yields a “safe” radius of 2 km, which excludes many desirable San Francisco neighborhoods like Twin Peaks, Forest Hill or Noe Valley. This is a crude comparison, since it treats both sources as isotropic radiators and ignores antenna directivity, but it is the right order of magnitude.

[Map: Sutro Tower with a 2 km radius drawn around it]

I looked up the most recent Environmental Impact Report following the DTV transition; it cites an FCC maximum allowed power density of 0.2 mW/cm², and the levels measured in the Midtown Terrace neighborhood, immediately adjacent to Sutro Tower, reach 4% of that maximum.

On further investigation, this is not one of those situations where US standards are significantly laxer than Europe’s: France and the UK use the same limit, derived from the guidelines of the ICNIRP, an international NGO. Interestingly, according to the WHO the maximum allowed exposure in such environmental paragons as Russia and China is one hundredth of the US or European level, and those limits are just as science-based as the ICNIRP’s (remember that, for all its faults, the Soviet Union ranked very highly in maths and physics education and research, and in health care).

The ICNIRP/FCC limit of 0.2 mW/cm² is 2 W/m², which is what a 25 W isotropic emitter produces at a 1 meter radius (25 W spread over a sphere of 4π m²), or roughly twelve 2G GSM cell phones at their 2 W peak. Anyone who has heard the squeal of unshielded, unpowered speakers next to an actively transmitting GSM phone will be skeptical of the claim that this is a safe level. The methodology is based solely on the thermal effects of non-ionizing radiation, as if this were a mere microwave-oven shielding exercise, and assumes that cells are otherwise unaffected by electromagnetic fields or cumulative exposure. That seems unwarrantedly optimistic.

People worry about cancer risks associated with radio frequency emissions from cell phone towers and cell phones themselves, but the real risk comes from overlooked obsolete technologies like TV and FM radio.

What to do? A site survey by a Professional Engineer using calibrated equipment costs $1,500, something you would only do as part of a final inspection while buying a house. Most RF power meters sold on sites like Amazon, usually in the $300 range, are junk, with suggested applications like detecting paranormal activity and ghosts; presumably solid engineering and metrology are optional in that application domain. Professional test and measurement gear like an Agilent V3500A or a Wandel & Goltermann/Narda EMR-300 costs $2,000 and $6,000 respectively, so the DIY route is also expensive.

Update (2014-03-08):

My father worked on some projects in the Soviet Union in the Seventies. He told me their workplace safety standards were much more stringent than the ones in the West. Workers were not allowed to lift weights above 25kg, for instance.

Update (2014-08-01):

We moved to a house across from Parkside Square (in the lower left corner of the map), well beyond the 2km limit.

Fixing Mac software update NSURLErrorDomain error -1012

Software Update for system components on my home Mac Pro had not worked in a while, and I had to resort to manually downloading and applying updates. The updates just wouldn’t appear in the Mac App Store app, where they normally should.

After upgrading to Mavericks, I finally figured out why. Instead of silently ignoring the updates, Mavericks displays a not-so-helpful error message, “NSURLErrorDomain Error -1012” (that code is NSURLErrorUserCancelledAuthentication, which Foundation reports when the client side rejects the server’s credentials). On inspecting the App Store app’s network traffic, I noticed it connects to swdist.apple.com using TLS 1.2 and then aborts. It then hit me: in 2011, after Comodo was hacked, apparently by elements affiliated with the Iranian government, I had revoked the trust setting on their root certificates. The certificate for swdist.apple.com is signed by Comodo, so Software Update could no longer establish a secure connection to Apple, and that is why it was failing.

This is not the only time a Certificate Authority has been hacked. Dutch CA DigiNotar, which counted the Dutch government among its clients, suffered a breach, apparently also involving Iran. Microsoft, Mozilla, Google and Apple revoked DigiNotar’s root CA certificates, which quickly led to the company going out of business. I guess Comodo is larger (the EFF calls them “too big to fail”) and better politically connected (it helps when you have people like Phillip Hallam-Baker on the payroll), and managed to elude the punishment it richly deserved.

Apple should really step up its game and ditch a security provider that demonstrated incompetence at its alleged core competency, and I filed Radar bug report 15328323 urging them to do so. In the meantime, the workaround is to temporarily reinstate trust in the Comodo root CA (the trust setting on the root certificate in Keychain Access), run Software Update, and then distrust it again. Note that the client is behaving correctly: with the root untrusted it cannot build a chain for swdist.apple.com, and it refuses to proceed exactly as it would for a forged certificate.
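The failure mode above, reproduced locally as an added example that is not part of the original post and not Apple’s code: it builds a throwaway root CA and a leaf certificate with openssl (the names Example Root CA, Unrelated Root CA and swdist.example.invalid are hypothetical), shows the diagnostic step of reading the issuer off the certificate, and then runs chain validation against a trust store that lacks the signing root versus one that contains it. Nothing touches the system trust store and no network access is needed.

```shell
# Added example, not from the original post: an untrusted root makes chain
# validation fail exactly as a forged certificate would, and reinstating the
# root makes it pass again. Throwaway keys, hypothetical names, no network.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# mkca <common name> <basename>: self-signed throwaway root CA (1 day, 2048-bit RSA).
mkca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$1" -keyout "$2.key" -out "$2.pem" >/dev/null 2>&1
}
mkca "Example Root CA" ca        # the CA that actually signs the leaf
mkca "Unrelated Root CA" other   # a trust store that does not contain it

# Issue a leaf certificate for a hypothetical update host, signed by "ca".
openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=swdist.example.invalid" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 1 -sha256 -out leaf.pem >/dev/null 2>&1

# issuer_of <cert.pem>: print the issuer DN, i.e. which CA signed it.
# (The same check on a live host is: openssl s_client -connect host:443 | openssl x509 -noout -issuer)
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

# verify_against <trust-store.pem>: validate leaf.pem using only that trust
# store (default system locations disabled). Exit status 0 = chain accepted.
verify_against() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" leaf.pem >/dev/null 2>&1
}

issuer_of leaf.pem
if verify_against other.pem; then
  echo "unexpected: chain accepted although its root is not trusted"
else
  echo "root distrusted: chain rejected (what Software Update ran into)"
fi
if verify_against ca.pem; then
  echo "root trusted again: chain accepted"
fi
```

The distrusted-root case and the forged-certificate case are indistinguishable to the client, which is the point: a blanket distrust of a CA is a sound decision only if you also track which services you depend on still chain to it, or you get silent failures like the one in this post.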

Update (2015-10-29)

At some point in the last two years they switched from Comodo to Symantec (probably on 2014-04-13, when the current certificate was issued). Unfortunately, Symantec has its own problems.

Afsheen’s mindset list

Beloit College is famous for its Mindset List, which explains to teachers the radically different world view students have, because their assumptions and experience are different. One example from this year’s list: “GM means food that is Genetically Modified”.

I tried to imagine what the list will look like when my daughter starts university.

Some are no-brainers, as they have already occurred:

  • A phone call has always involved both video and sound
  • A computing device is always touch-enabled

For some others, I may have to go out on a limb:

  • Cars have always been self-driving

Update (2015-08-25):

  • House roofs have always been tiled with solar panels