Showing posts with label Privacy. Show all posts

Tuesday, May 26, 2015

Anti-tracking May Lower Temperatures, and It May Not Matter

Commentary::Reliability
Audience::All
UUID: c078319b-b156-404f-a48b-1e639dd734b6

Earlier today, in the midst of an ongoing project, I noticed that

  1. The temperature of a single physical CPU was running at 104° F; about 10° hotter than expected.
  2. There were a large number of Firefox tabs open (40-odd), as is typical when abnormally high temps are seen.

My first reaction was my normal knee-jerk: this is totally FUBAR. The extent of Web tracking creeps me the hell out, and long experience with hardware has exposed me repeatedly to the notion that increased temperatures lead to decreased service life.

Knee-jerk reactions seldom lead to any good outcome.

Step one was to take a quick shot at verifying the problem. Since Firefox 35, we have been able to set privacy.trackingprotection.enabled=true in about:config. I had done that the day before (before the problem was noticed), but had not restarted Firefox. This time I bookmarked all pages, restarted Firefox, and reloaded all tabs. Temps returned to normal. Though based on a single datum, I may be able to assign a provisional cause. Go, me! Possible progress! I did some ancillary things, such as noting before-and-after memory usage (in case the kernel scheduler was part of the problem), etc.
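The before/after comparison above is the kind of thing worth scripting so that the next "single datum" is at least recorded the same way. The following is an added example, not code from the post: it assumes the temperatures are read from lm-sensors' `sensors` output (the post does not say how they were read), uses constructed readings for the baseline, the many-tabs run, and the run after enabling the pref and restarting, and reports rises in °F, the unit the post uses.

```python
import re
from typing import Dict, List, Tuple

# Matches per-core lines in the output of lm-sensors' `sensors` command, e.g.
#   Core 0:        +40.0°C  (high = +80.0°C, crit = +100.0°C)
# That tool and its line format are an assumption of this example.
_SENSOR_LINE = re.compile(
    r"^(?P<name>(?:Core|Package id) \d+):\s+(?P<temp>[+-]?\d+(?:\.\d+)?)°C"
)

# Constructed readings (not real measurements): the baseline, the run with
# 40-odd tabs open, and the run after setting
# privacy.trackingprotection.enabled=true and restarting Firefox.
BASELINE = """\
coretemp-isa-0000
Package id 0:  +35.0°C  (high = +80.0°C, crit = +100.0°C)
Core 0:        +34.0°C  (high = +80.0°C, crit = +100.0°C)
Core 1:        +33.0°C  (high = +80.0°C, crit = +100.0°C)
"""
MANY_TABS = """\
coretemp-isa-0000
Package id 0:  +41.0°C  (high = +80.0°C, crit = +100.0°C)
Core 0:        +40.0°C  (high = +80.0°C, crit = +100.0°C)
Core 1:        +33.5°C  (high = +80.0°C, crit = +100.0°C)
"""
AFTER_RESTART = """\
coretemp-isa-0000
Package id 0:  +35.5°C  (high = +80.0°C, crit = +100.0°C)
Core 0:        +34.5°C  (high = +80.0°C, crit = +100.0°C)
Core 1:        +33.0°C  (high = +80.0°C, crit = +100.0°C)
"""


def parse_sensors(text: str) -> Dict[str, float]:
    """Return {sensor name: temperature in °C} for each core/package line."""
    temps: Dict[str, float] = {}
    for line in text.splitlines():
        m = _SENSOR_LINE.match(line.strip())
        if m:
            temps[m.group("name")] = float(m.group("temp"))
    return temps


def c_to_f(celsius: float) -> float:
    """Convert to °F, the unit the post reports (104°F is 40°C)."""
    return celsius * 9.0 / 5.0 + 32.0


def hot_sensors(before: Dict[str, float], after: Dict[str, float],
                threshold_f: float = 5.0) -> List[Tuple[str, float]]:
    """Sensors present in both runs whose rise is at least threshold_f °F.

    A sensor missing from either run is skipped rather than treated as zero,
    so a changed sensor layout cannot masquerade as "temps returned to normal".
    """
    rises: List[Tuple[str, float]] = []
    for name in sorted(before):
        if name in after:
            delta = c_to_f(after[name]) - c_to_f(before[name])
            if delta >= threshold_f:
                rises.append((name, round(delta, 1)))
    return rises


if __name__ == "__main__":
    base = parse_sensors(BASELINE)
    print("with many tabs:", hot_sensors(base, parse_sensors(MANY_TABS)))
    print("after restart: ", hot_sensors(base, parse_sensors(AFTER_RESTART)))
```

With the constructed readings, the many-tabs run flags Core 0 and the package sensor at roughly +10.8°F over baseline, and the post-restart run flags nothing. One run each way is still a single datum; the point of keeping the parsed numbers is that repeating the experiment costs nothing.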

None of that really mattered, though. In the greater scheme of things, it seems likely to be irrelevant. At the very least, a lot more open research is needed.

Temperature

First off, the widely-taught inverse correlation between temperature and lifetime may be entirely bogus over large domains, and seems highly likely to be far more nuanced than is often taught.

Perhaps it matters in, say, applications related to RF power systems, such as radars and electronic countermeasures, but I haven't worked in those fields in years. Though messing up fire-control radars was tons-o-fun. I care a lot more about, to use an overly-generic term, IT.

HPC centers, the hyper-scale service providers, and large enterprises, all care about bills due to power. Supply costs, conversion efficiency, what is devoted to heat dissipation, thermal effects on the longevity of vast fleets of servers, etc.

Google does not provide open-source code at anything like the rate that it consumes it, but it does publish landmark papers, which is at least partial compensation. Failure Trends in a Large Disk Drive Population (2007) was such a paper: within the range it observed, higher temperatures did not shorten drive life, and if anything the coolest drives failed more often.
Temperature Management in Data Centers: Why Some (Might) Like It Hot (SIGMETRICS 2012, University of Toronto) extended that analysis to DRAM and whole-node failures, set some boundary conditions, etc.

In the same year (2012) No Evidence of Correlation: Field Failures and Traditional Reliability Engineering was published, but I have not digested that yet. It's corporate, and I've only recently discovered it. I'm interested in the intersection of security and traditional reliability engineering (reliability underpins availability, the 'A' in the CIA security triad, after all), so you might want to read it as well.

Obviously, this is nothing like a comprehensive literature search. But I really doubt that simplistic schemes purporting to draw an obvious inverse correlation have any merit.

Tracking

Without taking extraordinary measures, anyone using the Web is going to be tracked. Usually very effectively, because tracking was baked into the Web, from protocols to economics, from the start.

Unfortunately, this post has gone on for too long: not in terms of what should be covered, but in terms of what I have time to cover. It's 1915 hours, there are still Things To Do, and it is already going to be a late night.

Some things are going to be left for a possible future post. I tend to want to leave this sort of thing to more consumer-oriented security sites, where 'Don't Run Adobe Flash' might possibly help someone. An obvious problem is that many of the consumer sites do not cover tracking issues, and some of those that do are either biased or intentionally misleading. That sucks, but it isn't as if I am going to write a definitive post, complete with an economic history, this evening.

Tuesday, December 16, 2014

Why Do Security Sites Penalize Tor Users?

If you are a regular user of Tor, you are already on an NSA watch list. That came out back in July. OTOH, being on an NSA watch list is not a very exclusive club: all you have to do to qualify is read Linux Journal. That came out in July as well.

Tor development, IIRC, was originally funded by the US Navy, and received additional funding from the State Department. It was useful for dissidents living under repressive governments. You can probably fact-check me on the About Tor page, with no additional penalty, because the NSA is likely already targeting the most likely readers of this blog. Systems or network admin? Check. Encrypted mail user? Check. Ad nauseam.

Is startpage.com on the side of light?

Startpage.com bills itself as "the world's most private search engine", and is the default search engine of the Tor Browser. But if you use Tor, you will periodically be presented with a CAPTCHA. On the page, you will see the following text.
As part of StartPage's ongoing mission to provide the best experience for our users, we occasionally need to confirm that you are a legitimate user. Completing the CAPTCHA below helps us reduce abuse and improve the quality of our services.
Thank you,
The StartPage Team
But I have never seen this using plain Firefox, upon which the Tor Browser is based.

What about that symbol of rebellion and hackerdom, BlackHat?

I am not a fan, for reasons that seem good to me. But no security worker can ignore the storied history of this conference. For those with short memories, BlackHat 2009 was when Moxie Marlinspike, Dan Kaminsky and Mike Zusman, in separate presentations, managed to collectively beat SSL/TLS to death.

Yet Tor users will see something that is probably a bit familiar.
One more step
Please complete the security check to access www.blackhat.com
aaaaand... Another CAPTCHA.
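The usual way a site ends up treating Tor users this way is to compare the client address against the Tor Project's published list of exit addresses, and to serve the CAPTCHA to anyone on it. The following is an added example of that check, not from this post and not a claim about how StartPage or BlackHat actually decide; the list layout is assumed from the bulk exit list the Tor Project serves at check.torproject.org/exit-addresses, and the fingerprints and addresses are constructed.

```python
import ipaddress
from typing import Dict, List, Set

# Constructed sample (made-up fingerprints and documentation-range addresses)
# in the layout of the Tor Project's bulk exit list: one "ExitNode" header per
# relay, followed by metadata lines and one or more "ExitAddress" lines.
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2014-12-16 09:00:00
LastStatus 2014-12-16 10:00:00
ExitAddress 198.51.100.10 2014-12-16 10:05:00
ExitAddress 198.51.100.11 2014-12-16 10:05:00
ExitNode 0000000000000000000000000000000000000002
Published 2014-12-16 09:30:00
LastStatus 2014-12-16 10:00:00
ExitAddress 203.0.113.7 2014-12-16 10:06:00
"""


def parse_exit_list(text: str) -> Dict[str, List[str]]:
    """Map each relay fingerprint to the exit addresses listed under it.

    Lines that are not ExitNode/ExitAddress (Published, LastStatus, blanks)
    are skipped; an ExitAddress before any ExitNode header is ignored rather
    than attributed to a bogus relay.
    """
    exits: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode" and len(parts) == 2:
            current = parts[1]
            exits.setdefault(current, [])
        elif parts[0] == "ExitAddress" and current is not None and len(parts) >= 2:
            exits[current].append(parts[1])
    return exits


def exit_addresses(exits: Dict[str, List[str]]) -> Set[str]:
    """Flatten the per-relay map into the set of addresses a site would block."""
    return {ip for ips in exits.values() for ip in ips}


def classify_client(client_ip: str, tor_exits: Set[str]) -> str:
    """Return the treatment a site applying this policy gives the client.

    The address is parsed first so that garbage (or a hostile header value
    the site copied blindly) raises ValueError instead of silently passing.
    """
    ip = ipaddress.ip_address(client_ip)
    return "captcha" if str(ip) in tor_exits else "normal"


if __name__ == "__main__":
    known_exits = exit_addresses(parse_exit_list(SAMPLE_EXIT_LIST))
    for client in ("198.51.100.10", "192.0.2.1"):
        print(client, "->", classify_client(client, known_exits))
```

Two caveats a site operator should keep in mind: the list describes exit relays as of its timestamps and goes stale quickly, so it has to be refreshed and matched on the address actually seen at the edge, not on a client-supplied header; and a hit says only that the connection came through Tor, which is exactly the property a security-minded site is supposedly there to support.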

The Worst Thing is Teh Stoopid.

CAPTCHA is far past any sort of relevance. Mechanical Turk CAPTCHA-solving services were available years ago. Neither faster timeouts nor more obfuscated puzzles have fixed the problem. At this point, I can only characterize them as both increasingly annoying and increasingly useless.

Google, whatever you may think of them from a privacy standpoint, recognizes this, and has introduced the new "No CAPTCHA" reCAPTCHA. Though the entire approach is fundamentally flawed, this is at least a temporary and partial fix. Now, if only sites that choose to market themselves as either secure Internet tools or security-focused would just suck a bit less, I am sure we would all appreciate it very much.
Saturday, August 10, 2013

Privacy Advocacy Turns Out to Be Common

It is fairly common for security people to also be privacy advocates--it's security on a personal scale. So the NSA/Snowden thing is something I follow. And, while I don't really want this blog to become focused on something so politicized, some additional commentary is in order.

Here is a graphic I found particularly striking.


I am not a fan of Anonymous. The Guy Fawkes masks work, and they have been known to do what seemed like useful cult control. A large amount of media attention was a foregone conclusion, as was a commensurate amount of attention from law enforcement.

I can't approve of their methods, or admire their approach to operational security. If you are going to declare <Operation Whatever>, which often enough consists of a DDoS attack, don't use a tool like LOIC, which reveals the IP address of everyone you talked into the gig. Duh. Law enforcement did its thing, and anons are being busted left and right. This will continue, and it is unfortunate that so many people were, in the end, victimized by Anonymous.

Idealism always carries a high cost, and it is usually disproportionately borne by the young and not yet cynical, so this is not a surprise.

It is a pretty sad state of affairs, as usual. Law enforcement is supposed to do its thing. That's what we pay them for. If we, as a society, find the idea of the futures of our children being ruined abhorrent, what needs to happen is fairly obvious. The law, and government accountability under the law, has to change.

It turns out that there are economic incentives to fix this. So even we cynics have some cause for hope. I'll either update this post, or point to new post(s) with updates. I'd prefer to just update this post.