MD2: hash-collision scare of the day

Overshadowed by the far more serious X509 parsing vulnerabilities disclosed at BlackHat, one of the problems noted by Dan Kaminsky et al. was the existence of an MD2-signed root certificate.

On the surface it looks bad. If an MD2 preimage attack is possible, an enterprising attacker could forge other certificates chaining up to this one, and “transfer” the signature from the root to the bogus certificate, compliments of the MD2 collision. Root certificates are notoriously difficult to update– Verisign cannot afford (for business reasons, even if it is the “right thing” for the Internet) to risk revoking all certificates chaining up to the root. Re-publishing the root signed with a better hash function is a noop: the existing signature will not be invalidated. The only option is to not trust any certificate signed with MD2 except for the roots.

But looked at from another perspective, the MD2 problem is a tempest in a teapot. Luckily no CA is using MD2 to issue new certificates. (At least as far as anyone can determine– CA incompetence is generally unbounded.) This is important because the MD5 forgery from last December depended on a bone-headed CA continuing to use MD5 to sign new certificate requests. That means a second preimage attack is necessary; simple birthday attacks will not work. Finding a second message that hashes to a given one is a much harder problem than finding two meaningful, but partially unconstrained messages that collide.

Eager to join in the fray against PKI, the researchers point to a recent result, An improved preimage attack on MD2, to argue that such a possibility is indeed around the corner. It turns out the feasibility of this attack and the 0wnership of MD2 was slightly exaggerated, to paraphrase Mark Twain. The paper in fact does quote 2**73 applications of the MD2 hash function as the amount of time required to find a second pre-image. This is an order of magnitude above what any previous brute-force attack has succeeded in breaking, but Moore’s law can fix that. What the paraphrase seems to have neglected is a far more severe resource constraint, stated bluntly in the original paper and mysteriously neglected in the Kaminsky et al. summary: the attack also requires 2**73 bytes of space. Outside the NSA nobody likely has this type of storage lying around. None of the existing distributed cryptographic attacks have come anywhere near this limit– in fact most of them made virtually no demands on space from participants. To put this in context, if one hundred million people were participating, each would have to dedicate more than a thousand terabytes of disk space. Not happening. This does not even take into account the communication and network overhead now required between the different users each holding one fragment of this massive table as they need to query other fragments.
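To make the collision-versus-second-preimage distinction above concrete, here is an added example (not from the original post) that measures both searches against a constructed toy hash: MD5 truncated to a handful of bits stands in for MD2, since the gap between roughly 2**(n/2) work for a birthday collision and 2**n work for a fixed target does not depend on which hash is truncated.

```python
import hashlib

# Constructed toy model: a real hash truncated to a small number of bits,
# so that both searches finish in seconds. MD2 itself is not in hashlib;
# the argument does not depend on which hash function is truncated.
DEFAULT_BITS = 20


def toy_hash(msg: bytes, bits: int = DEFAULT_BITS) -> int:
    """Return the top `bits` bits of MD5(msg) as an integer."""
    digest = hashlib.md5(msg).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)


def candidate(i: int) -> bytes:
    """Deterministic candidate message number i (8-byte big-endian counter)."""
    return i.to_bytes(8, "big")


def find_collision(bits: int = DEFAULT_BITS):
    """Birthday search: two distinct messages with the same toy hash.

    Returns (m1, m2, tries). Expected work is on the order of 2**(bits/2)
    hash evaluations, and it needs a table of every hash seen so far,
    which is the time/space trade-off the post is talking about.
    """
    seen = {}
    i = 0
    while True:
        m = candidate(i)
        i += 1
        h = toy_hash(m, bits)
        if h in seen:
            return seen[h], m, i
        seen[h] = m


def find_second_preimage(target_msg: bytes, bits: int = DEFAULT_BITS):
    """Second-preimage search: a different message hashing to toy_hash(target_msg).

    Returns (m, tries). Expected work is on the order of 2**bits evaluations
    because the target value is fixed in advance (the signed root), so the
    birthday shortcut is unavailable.
    """
    target = toy_hash(target_msg, bits)
    i = 0
    while True:
        m = candidate(i)
        i += 1
        if m != target_msg and toy_hash(m, bits) == target:
            return m, i


def effort_summary(bits: int = DEFAULT_BITS) -> dict:
    """Run both searches and report measured tries next to the textbook estimates."""
    _, _, collision_tries = find_collision(bits)
    _, preimage_tries = find_second_preimage(b"a fixed certificate body", bits)
    return {
        "bits": bits,
        "collision_tries": collision_tries,
        "collision_expected": 2 ** (bits // 2),
        "second_preimage_tries": preimage_tries,
        "second_preimage_expected": 2 ** bits,
    }


if __name__ == "__main__":
    print(effort_summary())
```

Raising DEFAULT_BITS by one roughly doubles the second-preimage run time while barely moving the collision search, which is the same asymmetry that makes the 2**73 figure, and its matching storage demand, the binding constraint.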

CP


New York Times badly confused on identity management

Goodbye Passwords is that rare misstep from the otherwise consistently solid Digital Domain section in the Sunday NYT: confused, misinformed and way off base. Among the several muddled arguments, four of them stand out:

1. Equating OpenID to passwords.

“OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else’s Web site.”

Minor factual error: actually the password is not being typed into a random website. It is supposed to be provided only to the website where the identity was originally created, not the website where it is being used. But the general difficulty of determining whether one is indeed starting at the authentic site instead of a fraudulent replica– especially when the user has been sent there by the “someone else’s Web site” in question– leads to the standard critique of OpenID as increasing phishing risks.

Major factual error: OpenID is a federation standard, not a new user authentication approach. It does not mandate passwords or any other scheme for verifying identity. The OpenID 2.0 specification is loud and clear on this point:

“Methods of identifying authorized end users and obtaining approval to return an OpenID Authentication assertion are beyond the scope of this specification.”

That means the identity provider can choose to use good old-fashioned passwords, smart-cards, biometrics or experimental approaches such as reading tea-leaves to authenticate the user; OpenID is silent on this. In fact one of the more hyped extensions to the protocol, added at the urging of MSFT which has been desperately trying to promote CardSpace, is a way of signaling to websites that the user authenticated with credentials resistant to phishing– Infocards in the original vision that carved out this niche case, but also more generally strong authentication mechanisms such as PKI-capable smart-cards.

2. Narrow definition of single sign-on:

OpenID promotes “Single Sign-On”: with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials.

In the most general sense, single sign-on refers to one identity being valid for accessing multiple systems. This is in contrast to the current state of affairs on the web: most websites have their own notions of user identities, requiring users to create a new account. Each account is valid at exactly one website and not recognized anywhere else. Single sign-on (“federation” using the fashionable term) is about merging these disconnected islands of identity such that the scope of an identity can extend beyond that one site.

A quick peek at the Wikipedia entry would have hinted that SSO is not tied to passwords. So it comes as a surprise that a Microsoft architect is quoted as criticizing SSO. Cardspace is an instance of single sign-on: the vision calls for one identity held by the user’s machine to be usable for logging into any number of websites. Inside the enterprise, Active Directory is single sign-on because it allows the same credentials to be used for accessing everything from logging into a workstation with the three-finger salute to accessing email or HR systems.

3. Misconception that “information card” is a generic term-of-art as it relates to identity management. Information card, or infocard to use the original name for the technology before it was rebranded into CardSpace, is a particular proposal that defines specific formats and protocols for identity management. Writing about “the information cards” makes about as much sense as writing about “the Facebooks” and “the Googles.” Each is a specific incarnation of a general concept: a social networking site, a search engine and an identity management protocol.

4. No hint of the history of strong authentication or alternatives. A reader may walk away from this article with the impression no realistic alternatives to passwords existed until Cardspace magically burst on the scene. Basic fact checking would have unearthed some not entirely obscure facts: there is a concept of digital certificates dating back to the 1970s, leveraging the same brew of “hard to break cryptography” whose virtues are extolled in the article. Since the late 1990s, digital certificates have been standardized by X509, a stable, widely implemented and supported format. It would be a small jump from there to realize that the SSL protocol universally used for securing communications online has provisions for users to verify their identity with digital certificates and that many large organizations, including the United States Department of Defense, have been depending on this capability for years.

This is not to say that there are not good points in the article. OpenID is a major distraction and duplication of effort precisely because it is a mediocre reinvention of the wheel, ignoring all the investments made towards deploying PKI on the web compliments of SSL and muddying the waters one more time just when there was a fighting chance that the industry might converge on a standard (SAML, far from perfect as it may be) as the underlying format for identity assertions. But it is a non-sequitur to argue that OpenID is doomed because of its dependence on passwords and inherent problems with single sign-on.

cemp


From 0wning DNS to 0wning SSL (2/2)

But SSL does have an Achilles heel: its trust model is anchored on the digital certificate used by the web server. The only proof that the website you are communicating with is Bank of America (as opposed to an impostor in Estonia) is the fact that they have a digital certificate issued by Verisign claiming that this website indeed is www.bankofamerica.com.

The fragility of this model has been pointed out before. Verisign is not the only recognized certification authority; out of the box Windows ships with close to 100 CAs, all of them equivalent for trust purposes. Any one of them incorrectly issuing the Bank of America certificate to somebody else is enough to ruin any guarantees provided by the cryptography– it does no good to secure your traffic, when the person at the end of that encrypted channel is the bad guy. (Perhaps the biggest CA goof was Verisign issuing a Microsoft code-signing certificate to impostors in 2001. The implications were much worse than for SSL certificates, but revocation has addressed the fall-out for the most part.) While MITM attacks against SSL due to incompetent CA practices have always been possible, the challenge of playing that messenger in between so far made this a low-likelihood attack vector. Owning DNS changes that.

More importantly– and this is Kaminsky’s main point regarding SSL– the certification process itself uses DNS. According to this version of the story, when the proud new owner of the domain www.acme.net wants a digital certificate, the CA consults DNS records to verify ownership. They might even ask the user to insert some DNS records or add a particular page to the website, as additional proof. All of these checks are trivially subverted if DNS is corrupt because all of them will be routed to servers controlled by the attacker. This means that while the existing Bank Of America certificate is safe and sound, the enterprising criminal will:

  1. Choose a moderately incompetent CA
  2. Subvert DNS to confuse name resolution for that CA
  3. Pass the domain ownership checks made by the CA
  4. Obtain a new valid certificate in the name of Bank of America
  5. Subvert DNS resolution for an ISP
  6. MITM all of the users at that ISP by using the perfectly valid certificate from step #4

That, at least, is the picture painted in the presentation. The critical details are the certification steps used– not just by Verisign, Geotrust and other major CAs but every single one of the dozens of certification authorities recognized by IE and Firefox. Extended validation does not help for two reasons: on the usability front, users pay no attention to all the fancy eye-candy browsers waste on displaying EV status, as demonstrated nicely by The emperor’s new security indicators. On the implementation level, the browser grants exactly the same privilege to regular certificates; embedded content for example can still be subverted using a vanilla cert while keeping the main page over EV.

If this attack does indeed work– and it is impossible to determine without consulting the certification practices for CAs– it shows a circularity in the security model. SSL/TLS are designed to survive exactly the type of mayhem created by DNS hijacking. It does not matter whether traffic is routed to the right website or the wrong one. When the protocol is implemented correctly and the certificate checks out, the user is supposed to be guaranteed that they are dealing with the legitimate website. (That is not much of a guarantee: if the certificate has errors, the protocol will detect it, but until recently web browsers used to respond by displaying a cryptic warning that users simply ignored. Even when the certificate is validated correctly, that only proves the identity is what is stated in the URL– which may not be at all the same one that is in the user’s mental picture, to the delight of phishing syndicates everywhere.) Weak certification practices destroy even this glimmer of hope by placing critical faith in DNS to bootstrap a protocol that was purportedly designed to survive complete breakdown of all naming and routing infrastructure.

cemp


From owning DNS to owning SSL (1/2)

Dan Kaminsky walked away with the Pwnie award for most overhyped bug and, being a good sport, appeared in person with a brief acceptance speech. The BlackHat presentation did turn into an over-crowded spectacle as expected, but there was nothing new to report. (Even though a section of the deck was prefaced with “Here is something that did not leak…”) The cat had been out of the bag, compliments of earlier speculation by Halvar Flake and a miscue by the folks at Matasano. And that’s just the public disclosure: the presentation itself credited several people who identified the same vulnerability within days independently but decided to remain quiet, in keeping with the unusual request.

More interesting was the second piece of the talk: the question of “why”, why it is worth subverting DNS and what can be accomplished. Decidedly more speculative in nature, in this section Kaminsky argued that SSL, most software updates and online identity management services are vulnerable. If these claims hold for real-world implementations, not simply the marginal ones written by careless developers, it would be more remarkable than the original discovery.

SSL and in general PKI were designed to be resilient against an untrusted network. The design of the protocols assumes the transport is completely unreliable. The metaphor this blogger uses to describe it in security orientation classes is two people, say Alice and Bob, trying to communicate but restricted to exchanging post-it notes carried by a shady messenger. In this model it is clear the messenger may fail to deliver the note, and the two sides never manage to communicate. No surprise there. But more interestingly, our shady messenger can erase part of the message, add forged language, for that matter replace the entire note by a new one fabricated out of thin air, change the order in which notes are delivered, even replay one person’s note back to him/her as if it originated from the other side. This bizarre threat model is intended to capture the man-in-the-middle (MITM) attack in the abstract, where a malicious adversary is capable of reading and modifying any message sent between two people.

Communication protocols including SSL/TLS are designed to be secure in this model, in the sense that the nefarious messenger cannot read a private message intended for Alice, nor convince Alice that Bob sent a message he did not in fact originate. The SSL/TLS protocol itself has lived up to this claim so far– there are no known, practical cryptographic attacks against the protocol itself (as opposed to specific implementations, which can have coding issues that are not intrinsic in the protocol). The closest call was the Bleichenbacher attack against RSA padding, first published in 1998 and later refined.

[continued]

cemp


Standardizing on a standards body

Greetings to the Open Web Foundation. OWF is a new organization for promoting community-driven specifications:

“The Open Web Foundation is an attempt to create a home for community-driven specifications. Following the open source model similar to the Apache Software Foundation, the foundation is aimed at building a lightweight framework to help communities deal with the legal requirements necessary to create successful and widely adopted specification.”

The next statement goes on to state that one of the objectives is to avoid creating a separate foundation for each new technology. Of course the natural reaction to that will be: “In that case, why are you creating yet another self-appointed standard organization? What is wrong with IETF or W3C?” To recap:

  • W3C is the World Wide Web Consortium. It maintains core standards related to the web: HTML, CSS, XML, XSL, XPath, SOAP– for the most part, anything involving angle brackets falls under the jurisdiction of the W3C. Most of these are commonly recognized, widely supported data formats or data manipulation frameworks. (By contrast W3C forays into protocol design such as PICS, P3P and SOAP have met with mixed results.) The consortium charters working groups and issues official, versioned specifications.
  • IETF is the Internet Engineering Task Force. IETF does not officially endorse standards. Its documents go by the more modest name RFC or “request for comments,” suggesting ideas in flux, perennially under editorial review, always open to improvement and changes. Yet many of the core protocols and specifications underlying the Internet can be attributed to an RFC. Email addresses? That would be RFC822. The HTTP protocol shuttling web pages around? RFC 2616. The official TLS protocol that gives us the peace-of-mind and security of the lock-icon on those pages? RFC 2246.

Ben Laurie seeks to preempt that question, also raised in the discussion group. The jury is out on the characterization of W3C as a pay-to-play cartel, but the article does highlight a basic problem with IETF: being too inclusive. A former colleague at MSFT described the requirements for participation in IETF as “a keyboard and Internet connection.” (We can also add: “… and an unshakeable conviction in the infallibility of your ideas.”) This model probably worked well when the workings of arcane protocols were of interest to the academic community only, and everyone that cared to participate started out on the same page, sharing common interests. Today the Internet is too large, the range of stake-holders too diverse and too much commercial success hinges on the outcome of the standardization process to continue with that naive assumption of unified purpose.

That same colleague provided this insightful comment on the IETF process: It is a great forum to capture the dominant paradigm on paper and enshrine it as the Internet standard when consensus exists around one. It is not a very good forum for creating consensus in the first place, when everyone shows up at the table with different ideas and irreconcilable objectives. These words were uttered in the aftermath of the Sender ID meltdown where the working group rejected an anti-spam proposal from Microsoft.

OWF raises anew the question of who gets the privilege of a seat at the table once the IETF model (anyone is welcome or “no fool left behind”) is declared dysfunctional, because there is too much randomization. Intuitively those writing software to implement the standard emerge as obvious candidates. But are some implementors more equal than others? Surely not every crackpot with a copy of networking for dummies is entitled to derail the standards process. What about individuals who are recognized subject matter experts but not currently developing software in this space? Moving away from the core, how about companies whose products will be indirectly impacted? Do ISPs get a say in the development of a P2P filesharing protocol, considering it is their infrastructure about to get hammered? Does a firewall vendor get to express an opinion on anti-spam technology because they want to inspect traffic at the edge? Do other participants have the right to declare that they are not interested in supporting that scenario, shutting them out of a particular market segment? Even more controversially, what about companies whose business model is at risk from the existence of the technology? (Advertising networks, critically dependent on third-party cookies for their existence, were participants in the working group tasked with developing the privacy standard P3P that Internet Explorer uses to manage cookies.)

Assuming that OWF gains any traction, at least one benefit will be forcing some soul searching inside IETF and W3C.

cemp


Customer lock-in and US mobile market

A dated story from The Unofficial Apple Weblog hints at the sad state of competition in the US wireless market. As the release date for the second-generation iPhone draws near, news stories pointed out that AT&T and Apple are trying harder to lock down the phones. The widespread use of jailbreaking on first generation phones caused AT&T to miss out on significant revenue as customers bought the devices without any intention of signing up for the corresponding wireless service. This time around buyers are forced encouraged to surrender the money upfront: phones are pre-bricked according to CNet and must be activated in the store, along with a minimum 2 year commitment to a wireless contract. (AT&T to Apple customers: “submit to our authority!”) Expect delays as the purchase itself got complicated by doing credit checks and all the other ceremonies that go with signing up for service plans.

It is still possible to purchase the device itself, but at a steep premium. This is standard in the US market where phones are subsidized by the wireless service contract, and sold below cost. There are early-termination fees in case the user decides to part ways with the carrier before they generated enough revenue to offset the cost of the subsidy. But there is still a gap in the logic as TUAW points out in the article Doing the wacky AT&T math: it is still more economical to sign up for the contract and then break it after one month instead of purchasing the unlocked device.

On that note, Jonathan Zittrain was at Google NYC yesterday to talk about his recently published book “The Future of the Internet and how to stop it.” One of the highlights from the presentation involved a picture of Steve Jobs on stage discussing the application approval process for iPhone, describing the criteria used to decide when code is unworthy of running on the sacred device. Alongside the usual suspects “malicious” and “bandwidth hog” was one that captured Apple’s attitude towards open platforms: “unforeseen.”

cemp


Charter and Project Canoe: one step forward, two steps back

Charter Communications announced that it was canceling a controversial plan to sell advertisers information about the web usage patterns of customers. The plan had sparked backlash from privacy advocates, soon spreading to regulatory agencies, culminating in the Connecticut Attorney General formally asking Charter to throw in the towel. As CNN/Money reports the market barely shrugged, sending the stock down a mere 3.5%, leaving it trading well above its 52-week low. All of that effort for nothing? Once the dust settles, Charter may be remembered for successfully generating free PR (but not necessarily of the desirable variety) and positioning itself as an ISP ready to make aggressive, ill-advised moves in the name of monetizing existing subscribers with complete disregard for privacy.

With the ink on that story barely drying, another news item from Reuters reports on privacy concerns about US cable providers teaming up to mine the TV viewership data from their subscribers. Objective: stop the advertising revenue from shifting over to the web. Individual targeting is the main differentiating factor for advertisement on the web, whether this is done by profiling users over time or derived from point-in-time context, such as a search query. By contrast mass media suffers from its “broadcast” nature where many people by definition will see the same content. The ability to tailor the message to the audience is very crude by comparison, despite heavy investments to improve that over the years. For example today a newspaper can target a particular zipcode– it is possible to get the New York Times to print a full page ad but only for certain zipcodes in Manhattan. Impressive as that sounds for an old school newspaper, this is primitive compared to the level of customization on the web.

There are two pieces to the puzzle: the first one is being able to understand the audience better and the second one is being able to deliver unique, personalized content for each subscriber. Digital cable in principle already solves the second problem. Unlike analog systems where all channels are delivered to the user at all times and a “tuner” picks out the particular one, with digital cable the subscriber’s set-top unit requests a particular channel from the provider. That also allows solving the first problem: getting to know the subscriber. DVRs were the first devices with visibility into everything a user is watching and the ability to call home with this information. TiVo unwittingly created the first privacy scare over DVR tracking by commenting on the 2004 Super Bowl. Cable providers have long been able to derive similar conclusions. (The DVR does have an advantage in that it can report on multiple views, including the number of times a recorded program is watched and when. But then again many DVRs today are bundled with cable packages and cobranded by the provider so it is not clear who is calling the shots on the device logic.)

With both pieces in place, what remains is creating the platform. Enter Project Canoe. Backing this new initiative are Time Warner, Comcast, Cox, Cablevision — and Charter. From a privacy perspective there is good reason for concern. The extent of data mining is unclear. A key question is whether it will be limited to TV content. Several of these companies are both cable providers and broadband Internet providers. Charter crossed the line once before backing down. The current attitude is summed up in this quote:

“The cable industry is betting that full disclosure to subscribers about the information being collected, the ability for them to opt out, and the attraction of more relevant ads would help overcome potential misgivings.”

The problem is few people read the disclosures and even fewer understand the extent of data collection and its implications to make an informed decision on whether this practice is consistent with the person’s personal values on privacy. Even for users who decide to take issue, some fraction will be deterred by the difficulty of the opt-out process. Quoting an analyst about the initiative the article concludes:

“It’s all but certain that the cable operators will have to set a third-party clearing house for information to safeguard privacy concerns,” Moffett said.

The article does not speculate on which independent entity would be stepping up to the plate for that role. In general the idea of trusted third-parties safeguarding information is very attractive in principle, but so far there have been no takers. Even the organizations trying to offer a much simpler service, third-party verification of privacy practices, have been dogged by skepticism about their effectiveness.

cemp


Charging by the gigabyte and end of the free bandwidth lunch

This Sunday an article in the NYT takes up the question of bandwidth pricing, joining earlier speculation on this blog about the twilight of flat fee subscription models. The article with the self-explanatory title “To curb Internet traffic, access providers are beginning to charge by the gigabyte” cites an experiment Time Warner is running in Beaumont where customers can choose between 5GB, 20GB or 40GB capped monthly plans. In case you have never heard of Beaumont: the article states that it is a city in Texas with around 100K population– exactly the type of place to run such an experiment without attracting a lot of attention or generating resentment from a cosmopolitan audience spoiled on the comforts of streaming YouTube videos all day long. It is a good, balanced piece aside from the author’s confusion between BitTorrent the protocol versus BitTorrent the company when recounting the Comcast debacle.

These magic 5/20/40GB numbers also raise the question of exactly what the average bandwidth usage is. There seem to be few academic papers in this area. One Time-Warner executive quoted in the article says:

“Average customers are way below the caps… These caps give them years’ worth of growth before they’d ever pay any surcharges.”

The only figure cited in the article is that 95% of customers use under 40GB of traffic each month. (It is not clear if this is downstream, upstream or combined.) Chances are Time-Warner has sliced and diced the bandwidth usage data very carefully before choosing these numbers and associated prices that range from $30 to $50, and the $1 per GB overage fees for exceeding the caps. One problem is there is no single average Internet user, as the author of the NYT piece argues very convincingly. The novice checking email and movie times could be happy with the 5GB cap but an addict streaming videos or watching TV shows on Hulu.com is likely to run over even the more generous limits. One Netflix download is a couple of GB. Watching a handful of movies every month may not break the bank in this model but at the surcharge rates of $1/GB, suddenly a movie ticket or rental from the local store is competitive with what used to be “free, unlimited” instant viewing. More importantly there is a network version of Parkinson’s law which states that content expands to saturate the bandwidth available. As the capacity of networks increases, more bandwidth-hungry applications are introduced.

So far it is an experiment but if this model goes mainstream, it would threaten the revenue stream for media companies. Netflix and Hulu are dependent on consumers being able to stream their content. Until now subscribers did not have to dutifully count their bytes the way cell-phone users count their minutes. An iTunes download is not competing for scarce bandwidth quotas with a high-definition movie from XBox Live Marketplace. Even if the bandwidth is not capped but throttled in the interest of fairness, it will create a mindset of scarcity and zero-sum choices between different options. On the bright side, broadband users may become more discerning and not forward that inane lolcatz video around one more time.

The alternative is for the content providers to compensate the ISPs. In this model Netflix would pay Comcast directly and those downloads would not count towards the monthly quota. In effect this is a type of revenue sharing or extortion depending on which side of the deal one is focusing on. It also creates a troubling situation for network neutrality. When some content is “free” and other content requires payment in scarce bandwidth allocation, speakers that are not able to pay ISPs to absorb access costs are in effect disadvantaged. Critics might contend the same situation applies today, in that companies with large data centers and fat egress pipes are better able to push their content to an audience. Yet those correspond to capital investments in the endpoints, fully under control of the speaker. An ISP metering bandwidth is situated between the content provider’s data center and the target audience, able to manipulate economic incentives for accessing that content regardless of how state-of-the-art the data center originating the content may have been. This is a case where artificially created bandwidth scarcity may have the effect of picking winners and losers between business models, as well as content providers.

cemp


“Unauthorized charger” and other device restrictions

One of the common complaints about electronic gadgets is that nearly each one requires a different power adapter. The diversity cannot be explained by the difference in power consumption; a laptop that burns 90W could just as easily be powered by an adapter that is rated to 100W. The price would at best increase very slightly with maximum rating, and this difference would likely be compensated for by the economies of scale from standardizing on a small number of models. Yet manufacturers continue to insist on not standardizing their adapters in the hopes of generating additional revenue.

Mobile phones are an interesting case. As smart-phones proliferate they require both power and data connectivity. The other end of the data connection is likely going to be USB. A sufficiently arrogant company could insist on their own Firewire (or is that IEEE1394?) technology in left field as the original iPods were but most consumer electronics have settled on USB2.0 fortunately. Speaking of the iPod it was one of the first that combined data and power into a single cable. Mobile phones are following suit now.

So it is something of a surprise to see the Razr V3m display “unauthorized charger” when connected to a MacBook Pro. It is not a smart-phone so there is hardly any data to synchronize, but USB is still good as a power source. There is no good reason for the phone to reject it. If this is by design and not just flakiness on the part of the handset, it is yet another pointless attempt to go against the current of interoperability in order to lock consumers into a single brand of peripherals.

cemp


Suburban sprawl in numbers

A Sierra Club handout from the unimpressive NYC Green Festival shows a country that is sprawling in very uneven ways. On the one hand there are boom-towns exemplified by Charlotte: its population increased 63% between 1970 and 1990. That by itself is not out of line with the ~2% average population growth the US itself has experienced during the same time. But Charlotte’s “urbanized area” (a misnomer since this largely describes the expansion of suburbs) expanded by 129%. Kansas City showed a modest 16% increase in population but over triple that growth in area at 55%. Even Chicago, which maintained its population more or less unchanged, expanded by a quarter. Then there is Pittsburgh, which managed to expand 30% in spite of a drop of 9% in population.

On the other side is Seattle with an almost perfectly balanced 41% population growth over 42% sprawl increase. (It’s a safe assumption that the miserable climate has deterred more people from moving to the Pacific Northwest.) A few cities even became more “dense” during these two decades: Las Vegas population grew threefold but its land area only doubled. Salt Lake City shows the same pattern.

These are the exceptions. The US Department of Housing report cited claims that nationwide urban areas expand at about twice the rate of population growth. This is the great suburban flight all over again. (Strangely a survey for the Pew Center found sprawl tied with crime as the top local concern for most Americans– the same ones checking out of urban centers because of intractable problems such as crime.) Sierra Club attributes the problem to misguided government subsidies that encourage development at the fringe while robbing the urban cores of resources necessary for education, as well as haphazard planning at the state level. Cue in the usual refrain about investing in public transportation, a mixed-use approach which blends residential areas with commercial ones, and not encroaching on wildlife habitat for building the next subdivision. The New Urbanists have been beating this drum for a while without much success. If anything the housing bubble has aggravated the problem of the Suburban Nation by making it more attractive to purchase property in what appeared to be the next up-and-coming regions such as Phoenix, Arizona. The report concludes with a somber reflection on the connection of sprawl to population but no viable solution aside from the same platitudes.

cemp

