Welcome to the Scientific American podcast for the seven days starting February 22nd. This week on the podcast, I'll talk to Scientific American senior writer Wayt Gibbs about computer security. Physicist Mark Shegelski gives us the cold hard facts about one of the cooler events at the Winter Olympics and frequent SciAm contributor JR Minkel reports on what he found at the largest general science conference of the year. Plus we'll test your knowledge of some recent science in the news.
First up, Scientific American senior writer Wayt Gibbs just got back from San Jose, California, in the heart of Silicon Valley, where he attended one of the biggest computer security meetings of the year, called the RSA Conference 2006. To get the lowdown on hi-tech security, I called Wayt at his home in Pittsburgh.
Steve: Hi, Wayt. How are you today?
Gibbs: Hi, I'm fine, thanks.
Steve: And you just got back from this conference. Tell us about it. What were some of the highlights?
Gibbs: This disturbing trend that many, many experts at this conference pointed out is that what used to be a kind of gentleman's game of the hackers looking for recognition or fame or infamy has turned into serious crime, and that's in fact of the malware or malformed software that's seen these days. Something like 99 percent of it is thought to be crimeware. Most of these are viruses and so-called Trojan horse program[s] that aim at co-opting a computer system and adding it to what they call a botnet. That is, they make it [a] sort of a robot system out of it that can be remote controlled by some malfeasant.
Steve: And what's the bottom line on this? How much money is being stolen this way?
Gibbs: Losses due to security breaches are now estimated at nearly 70 billion dollars a year—that's almost 200 million dollars a day. These estimates of course are very tricky to make because many, many computer crimes are not reported to the authorities. So this may be actually a very gross underestimate of the amount of computer crime going on. But the more alarming thing is the trend. The amount of dollar loss due to computer crimes seems to be growing at nearly three times the rate of investments in software and services to prevent computer crimes. So the bad guys are really outrunning the good guys.
Steve: What are the actual kinds of crimes that we're talking about?
Gibbs: A big one these days is extortion. I mentioned botnets earlier, where systems are taken over by hostile software and then they are used as launching pads for spam for so-called denial-of-service attacks, where they prevent some Web sites from operating. They take down the company's network.
Steve: So this is like an old-fashioned protection racket, where they don't actually do any damage unless you don't pay up.
Gibbs: Yes and from the Mafia's perspective, it's much superior to the old-fashioned racket, because it can be executed worldwide and because it doesn't require actual violence to enforce those who don't comply with your extortion request. Therefore the punishments, if you should be caught in it, are much less.
Steve: You don't have to break anybody's legs, you just press a few keystrokes and take down a whole industry.
Gibbs: In many countries, it's possible to operate these extortion rings with almost complete anonymity and almost complete protection from criminal prosecution by the law.
Gibbs: These botnets are huge. There was an arrest last month of three so-called bot herders who maintained one of these botnets, and they had more than 1.5 million machines under their control, unbeknownst, largely, to the owners of these machines.
Steve: All around the world…
Gibbs: They operated an extortion ring for months and they would just approach companies, tell them, "You will pay us x amount of dollars or we will destroy (laughs) your computer network"—and the alarming thing is that they operated for months overseas with no one reporting them to the authorities. When they struck a US firm, that company did report them to the FBI, and within hours, the FBI had taken them down.
Steve: All right! So that's the good news. In this case, at any rate, that if the authorities are notified, they apparently can do something about it relatively quickly.
Gibbs: Yes and no. In the case of extortion, they often can trace it to its source. Whether they can actually get an arrest and an extradition is another matter—it depends greatly on where the attack took place and what the laws are in that country. A lot of the criminals seen to be behind these attacks are part of the Russian mafia. And they operate in countries where it's very difficult to get the authorities to actually arrest the perpetrators and to recover any monies that have been taken. Another major source of crime on the Internet are [is] phishing attacks. These are fake Web sites that are set up to look like banking sites or pharmaceutical sites or other places where people might enter sensitive information. And they trick people via spam—or these days even by messages to cell phones—to go to these fake Web sites, enter their secure information and then, lo and behold, all the money is transferred out of the account, or the secure information is used to commit crimes.
Steve: Incredible. It's absolute[ly] frightening and…
Gibbs: I'll tell you what frightens me. Phishing people are starting to become aware that they should never click on a link in an e-mail to go to a Web site where they would be entering password information. People are starting to learn to avoid this. But there is a much more insidious form of attack now taking place called pharming. Again, like phishing, this is spelled with a p-h at the beginning. The idea behind pharming is you actually poison the trust-based system of translation from network addresses such as wellsfargo.com to IP addresses such as 192.168.yadda yadda. By poisoning these servers and creating directories that are false, they can actually redirect legitimate traffic from the bank sites, say, to some site set up by, say the Russian mafia.
Steve: How are we going to defend against all this?
Gibbs: This is at root a social problem. As Kim Cameron, the chief architect for identity at Microsoft put it, "We need to think of humans as devices and these devices are fundamentally poor cryptographic devices that shift," so the humans are definitely the weak link in any security system, because they can be corrupted, they can be tricked, they can make mistakes. We can't get humans out of the system because the system serves humans. So what's the solution? More education is part of it. Part of it is changing the level of trust that we use when we operate computer systems.
Steve: All right. Just be more careful in your personal use of computers.
Gibbs: Yeah. It seems clear that we need to raise people's level of suspicion, and the computer companies and the operating system companies, too, can do a lot to provide more clues that we can use and that we need to determine how suspicious we should be at anything that we see on our screen.
Steve: We're the weak link in the whole cyberworld apparently.
Gibbs: There's one other point that I want to mention. It's not just that computer security experts are seeing a dramatic increase in the number of online attacks, although that is impressive—one Boeing representative at the conference said that from 2002 she had seen an 11,000 percent increase in malware blocked at their corporate gateway—but more alarming is the increasing number of directed attacks. These are, instead of a virus or Trojan that's just sent on the Internet to go wherever it will go and to find its own way, these are attacks that are directed at a specific person, at a specific company—sometimes it is a specific machine. And Boeing has reported attacks of this kind that were attempts coming from China to steal specific engineering data on the Net.
Steve: So they identify an individual who may be working on something in a particular company and can target that individual's computer.
Gibbs: That's right. And these attacks are much harder to defend against because they do not spread widely. They generally do not get picked up by the detection network that feeds the antivirus, antispyware program, so their signatures are never entered into the database that is used to screen incoming software or incoming connections for possible malware, so they tend to fly their ware under the radar of the security software we have installed today.
Steve: That's scary stuff, Wayt, but thanks.
Gibbs: You're welcome.
Steve: For more on what Wayt found out at the RSA Conference 2006, check out the Scientific American blog at blog.sciam.com that's blog.s-c-i-a-m.com.
Now it’s time to play TOTALL.......Y BOGUS. Here are four science stories, three are true. See if you can deduce, induce, intuit, reason, [or] just plain guess which one is TOTALL.......Y BOGUS.
Story number 1: Obesity may be contagious. No, not because your brother passes the french fries, because he passes on a virus that increases fat deposits.
Story number 2: A study found that people who are better at tongue twisters, you know, like "a box of biscuits, a box of mixed biscuits in a biscuit mixer," had much higher rates of gum disease than average.
Story number 3: While defending warrantless wiretaps, U.S. Attorney General Alberto Gonzales claimed that George Washington engaged in electronic surveillance.
And story number 4: The kind of earwax you have may be related to how you smell.
We'll be back with the answer. But first it's been called "chess on ice"—not hockey, that's foosball on ice—and most Americans only get a glimpse of this chess on ice every four years during the Olympics. We're talking about curling, the sport that looks like frozen shuffleboard. One member of the team slides this 44-pound granite rock down the ice while two teammates with brooms feverishly sweep the ice in front of the sliding rock. The goal is to get your team's big, heavy rocks closer to the bull's-eye than the other team's big, heavy rocks. Anyway, I was wondering where [what] all this sweeping was about and found a real scientist who studies curling. He is Mark Shegelski, a physicist at the University of Northern British Columbia, who usually researches odd quantum mechanical phenomena like quantum tunneling. But he used to do some curling and sometimes publishes on the physics of curling with fellow U.N.B.C. physicist Erik Jensen. I called Shegelski at his office in Prince George, British Columbia.
Steve: Professor Shegelski, thanks for being with us today.
Shegelski: Well, it's a pleasure. Thanks for contacting me.
Steve: The reason I got in touch was, I was watching curling during the Olympics and you see these people furiously sweeping the ice in front of this big, heavy granite rock as it's going down the ice, and what are those sweepers actually accomplishing from a physics point of view?
Shegelski: Well, there is [are] several things. The most important one is that by sweeping in front of the ice, you are reducing the friction between the rock and the ice. With the reduced friction, the rock still slows down, but it doesn't slow down as quickly. You know, if you turn over a curling rock and look at it, you'll see that it is not the case of a circle in contact with the rock. It's a thin ring. The ice itself is also not flat, it's pebbled. It has little hills and valleys, so that the actual area of contact is quite small, and therefore, there is a large pressure of the rock on the ice. In sweeping in front of the ice, you're bringing the temperature of the ice up and that reduces the friction. But you're also creating a thin dome of a quasi-liquid type of material. This is something that is not fully agreed upon by everybody, but you know, the work that we've done strongly supports the idea that the key thing going on is the friction that is due to this thin liquid film.
Steve: How many scholarly papers on curling have you published?
Shegelski: (laughs) More than I would like to admit. I don't actually remember how many I've published, but the one that's the most important in my opinion is the most recent paper that Doctor Erik Jensen and I elaborated on and published in the Canadian Journal of Physics in November 2004.
Steve: And that's "The Motion of Curling Rocks: Experimental Investigation and Semi-phenomenological Description."
Steve: So one of the big deals is that the rock, if I understand this correctly, the rock doesn't move in the direction that you would expect it to move. It's breaking in a way that you would expect not to happen based on the direction that the rock is spinning.
Steve: So if it's spinning, let's say the rock is spinning clockwise, you'd expect it on dry ground, if you had something spinning clockwise on dry ground it would break to the left.
Shegelski: Yeah! You take a drinking glass and you turn the drinking glass over and rotate it clockwise and push it so it's sliding away from you. This glass will curl to the left as it goes away from you and that's exactly the opposite to what a curling rock does.
Steve: Okay, so what's going on? Do we know?
Shegelski: We investigated that rather thoroughly, and one of the main things about this was that there'll be more melting of the thin liquid film at the front than at the back, and this thin film is very very thin to use. You can't observe it directly, but having more melting at the front of the rock than its back makes the friction at the front of the curling rock less than it is at the back, and so you can understand this by looking at the drinking glass and the curling rock. Let's take them both to be rotating clockwise and let's look first at the drinking glass, and as it lies on a countertop, the front of the drinking glass has a sideways motion to the right.
Shegelski: And therefore the friction at the front will be to the left.
Steve: Right. I mean correct, to the left.
Steve: Got it. The motion is to the right as it's turning clockwise, so the friction that it's encountering is going to the left.
Shegelski: Correct. The drinking glass has a tendency to shift forward. It doesn't actually lift off. The back doesn't actually lift off unless the friction is very high, but it has a tendency to push harder. It does push harder on the tabletop at the front than in the back, and therefore, the tabletop pushes harder back on the drinking glass up front as compared to the back. Now, being that the friction at the front is greater, as it has this stronger force from the friction at the back.
Steve: So that component is pushing it to the left as it moves forward.
Shegelski: That's right. At the front of the drinking glass, the sideways motion is to the right, the friction is to the left, and it's greater than what goes on at the back. At the back, the clockwise rotation, the sideways motion [is] to the left and the friction is to the right, so the friction at the back is to the right, friction at the front is to the left, but the friction at the front is stronger than it is at the back.
Steve: Got it.
Shegelski: And that's what curling, the rotating drinking glass, curls to the left.
Steve: Right! But in your rock situation on the ice, because of what you just explained about the thin film up front, you have the opposite frictional situation.
Shegelski: Exactly. This is rolled to reverse. The friction at the front of the curling rock is less than it is at the back, and so therefore, the sideways component of the friction force at the back is to the right, and therefore, the curling rock curls to the right.
Steve: Very interesting. Doctor Shegelski, thank you very much.
Shegelski: Thank you.
Steve: If you are looking for more info or images that help to make this stuff clear, they are out there on the Web. Now the urls for those Web sites are pretty ugly, so just Google the professor's name, Shegelski, and you'll find them. That's Shegelski: s-h-e-g-e-l-s-k-i.
Now it’s time to find out which story was TOTALL.......Y BOGUS. Let us review the four stories, three of which are real.
Story number 1: A virus may contribute to obesity.
Story number 2: People good at tongue twisters get more gum disease.
Story number 3: The attorney general said that George Washington engaged in electronic surveillance.
And story number 4: Your earwax type and your body odor may be linked.
I'll give you a second to think about those. Time is up.
The link between viruses and obesity is true. In animal studies, a couple of adenoviruses have been implicated in increasing fat levels. You should still eat right, get exercise and wash your hands to try to keep from being infected.
The story about the attorney general and George Washington, well, here's what he said.
Gonzales: President Washington, President Lincoln, President Wilson, President Roosevelt, have all authorized electronic surveillance.
Steve: Now he didn't explain how George Washington did electronic surveillance, but I have a good authority that it involved trained eels, trained eels.
The one about earwax and body odor is true. There are basically two kinds of earwax—known as wet and dry—and researchers studying earwax genetics say that people with the wet kind generally have more unpleasant armpit odor than people with the dry kind. There is a correlation there.
Which means that the story about tongue twisters and gum disease is TOTALL.......Y BOGUS. Nevertheless, Theophilus Thistle was a successful thistle sifter.
Next up, frequent Scientific American Magazine contributor JR Minkel. He just returned from the biggest general science conference of the year, the annual meeting of the American Association for the Advancement of Science, usually just called the AAAS. To find out what JR found out, I called him at his home in Brooklyn, New York.
Steve: Hi, JR. How are you?
Minkel: I'm pretty good. Hi, Steve.
Steve: So you just got back from the AAAS Conference in Saint Louis. What in your opinion were some of the more interesting stories that you ran into there?
Minkel: Yeah. There were a few stories that I like. One of the topics being addressed was the changing nature of mathematical proof. Keith Devlin from Stanford University, who has written lot of popular books on mathematics, spoke about that. Though the idea there is that in the past, say, 50 years, there have been a few major examples of mathematical proofs that are so, you know, horribly long and complicated, possibly needing a computer to run, that mathematicians can't actually say with certainty that the proof is proved. The four-color theorem was originally checked by—it involved the checking through a number of different cases by computer, and at the same time, it came out, it was somewhat controversial whether that actually constituted a proof because you had to, you know, accept that the computer was doing this. But no single mathematician or may be even a group of them could check all the lines of the code, all these cases the computer was checking.
Steve: And the four-color theorem is the one about that you only need four colors to do any kind of math.
Steve: No two countries with the same color would be next to each other, with only four colors being enough.
Minkel: Right! And so there were [a] couple of other examples. The Kepler conjecture, which has to do with what's the least wasteful way to pack spheres. The intuition of that is the way that a grocer would do it, by, you know, the way [a] grocer would arrange oranges or grapefruit is the best way to do it, the way that makes the most use of the space. But actually proving that was terribly complicated and required this long, computerated proof that came out a few years ago. And it was submitted to, I think, the Annals of Mathematics, and they reviewed it, came back and said, "Well, we, you know, we're 99 percent sure that this is true, but we can't check every line of the computer code, so that’s the best we can do," and the paper was, I believe, published with a little note saying something to that effect.
Steve: And the packing problem is really advantageous to manufacturing, for example, because they would love to know if there is a way to get more spherical objects in the same size box.
Minkel: Yeah! You know, you could fit more golf balls into a box. That, you know, I would love to know.
Steve: How do we know that something is absolutely proven in a mathematical sense? What do we really know about the nature of mathematical proof?
Minkel: So what it means is it's believed that we have to take [a] mathematician's word for it. We have to take the word of the people who know the problem best. So that one point is that basically, there might be a few sort of high-profile example[s] of cases in which we cannot say with ironclad certainty that this is true, but that just makes mathematics sort of like, more like, other sciences.
Steve: So the old proverb about "trust but verify" in mathematics has become just trust?
Minkel: Well, in some cases, yes.
Steve: What else do you have from the meeting?
Minkel: There is a, you know, a cute symposium on how insects fly. I think the highlight from that was a neuroscientist at Caltech, who, so he pointed out at this point, we, you know, mathematicians have given a, say, a rough but good understanding of the basic forces that a wing creates when it is flapping, and the question now is how to use that knowledge to figure out how a fly, for example, you know, flies around, find[s] things, navigates in the environment based on the fundamental way that it's going to work; how does it control the wings. Though he is trying to reverse engineer the fruit fly, as he says, and that he started out with putting sensors on insect wings, and has now moved to what he calls the GUFM, the grand unified fly model, which is a simulation of a flapping, navigating fly.
Steve: What is the researcher's name?
Minkel: His name is Michael Dickinson.
Steve: And what does he hope to accomplish by getting a better understanding of insect flight?
Minkel: I mean there is one sort of obvious application, which is, you know, the government would like to have really small robots that can fly around then, and then spy on, you know, whoever. So there is an application to little flying vehicles, but it's also just sort of an interesting problem.
Steve: Anything else that turned up interesting at the conference?
Minkel: Yeah. There was another cool one. Human evolution is always sort of popular at these meetings, and there was another cute talk about the possibility that eating more fish and shellfish fuels the growth of our brain. And that fish provide high-quality, long-chain polyunsaturated fatty acids, which are very useful in the developing brain.
Steve: These are the omega-3s that you always hear about?
Minkel: Yeah, and the idea is that after some climatic changes, the environment became wetter and we had more access driven to getting more fish and that'll be, you know, having more of those omega-3s presumably, you know, or either drove the growth of our brain, or gave us the fuel with which we have bigger brains.
Steve: So fish really is brain food.
Steve: Interesting stuff. Thanks very much, JR.
Minkel: Sure. Thanks, Steve.
Steve: For more info on the AAAS meeting, go to www.aaas.org.
Well! that's it for this edition of the Scientific American podcast. Our e-mail address is firstname.lastname@example.org. Remember, SciAm in this case has nothing to do with Thailand. SciAm is short for Scientific American, so the e-mail address is email@example.com. And also remember that science news is updated daily on the Scientific American Web site, www.sciam.com – www.s-c-i-a-m.com. I am Steve Mirsky. Thanks for clicking on us.
Web sites mentioned on this episode include www.aaas.org