Thursday, July 26, 2012

Theory vs Practice

A recent article led me on a thread of discovery to a "battle" between Noam Chomsky (whom I admire for his activism) and Peter Norvig (whom I've had as a teacher in an AI class). I'm ready to weigh in on the experimentalist side (Norvig) because of this quote from an article in MIT's Technology Review.

Chomsky derided researchers in machine learning who use purely statistical methods to produce behavior that mimics something in the world, but who don't try to understand the meaning of that behavior. Chomsky compared such researchers to scientists who might study the dance made by a bee returning to the hive, and who could produce a statistically based simulation of such a dance without attempting to understand why the bee behaved that way. "That's a notion of [scientific] success that's very novel. I don't know of anything like it in the history of science," said Chomsky.
Technology Review.

My take on this is to do a simple substitution of terms and see how this view works out:

Chomsky derided researchers in machine learning who use purely statistical methods to produce behavior that mimics something in the world, but who don't try to understand the meaning of that behavior. Chomsky compared such researchers to scientists who might study the motion made by an electron in a magnetic field, and who could produce a statistically based simulation of such a motion without attempting to understand why the electron behaved that way. "That's a notion of [scientific] success that's very novel. I don't know of anything like it in the history of science," said Chomsky. -- Substitutions Mike Warot

I think that it's very useful to know how to model something, even if you don't know the exact reasons why. Science is the process of building increasingly accurate models (theories) of the world that fit all available evidence. If evidence is found that doesn't fit the model, and can't be explained by errors, new models must be sought. This is why we praise both Isaac Newton and Albert Einstein: they both improved our models of the universe.

Tuesday, July 17, 2012

Secure programming - good intentions

I recently read a good article about security practices in applications and software as a service. The author lays out some very good rules to help keep users' information secure in today's threat environment. However, it strikes me as a strong reminder of the vast amount of effort we're wasting by trusting application programs at all.

We should never completely trust any programs, services, or drivers outside of the very kernel of an operating system. We shouldn't have to. The millions of lines of code that are required to do even a basic database with a web front end are bound to have bugs that can lead to unintended and unwelcome side effects. The effects can range from subtle to disastrous, depending on what cascade of events happens.

The application programmer has no tools to prevent his program from exceeding its scope at a given task. Current operating system design holds that the user is the proper level of granularity for deciding what access a given task is to be allowed. All of the responsibility is then thrust upon programmers to keep things safe as a result. The programmer and/or install package is then responsible for setting all of the permissions on all of the objects (files, pipes, registry entries, ports, etc.) in the end system to be appropriate for the given tasks.

This is an impossible task, given that there can be literally millions of such permissions to set, and it only takes one mistake to let things pass through. 

It doesn't have to be this way.

Capability based security is an approach that uses the principle of least access to enforce security in a much more appropriate manner. The millions of choices about what to deny are replaced with a much shorter list of what things to allow. This list is per process, not per user. It tells which files, folders, and ports are allowed, and in which mode (read only, write only, append only, full, etc.).

This is a much more natural way to handle risk, as you simply decide what side-effects you are going to allow a given process to have, and the operating system enforces your decision. You don't have to trust your code, nor does the user. If something goes wrong, the maximum extent of damage is already known. You don't have to worry about the entire system shattering.

Isn't it time we stop spending so much effort on making our programs safe, when it could be better spent building better programs?  Help support efforts which will deliver operating systems with capability based security, such as Genode, which provides a choice of 8 microkernels, capability based security, and runs native Linux applications.

Thanks for your time and attention.

Tuesday, June 19, 2012

When will IT stop blaming the user?

I'm a system administrator in my day job. Long ago I realized it was foolish to blame users when it wasn't their fault. It is easy to fall into a trap, an IT version of Stockholm Syndrome, in which we grow accustomed to the insane inconsistent behavior of our systems, and expect everyone else to do the same.

This article in Dark Reading is a typical example of blaming the user instead of solving the problem. Here's the lead paragraph:
On a chaotic workday, a top executive scans hastily through dozens of emails that have arrived in the last 10 minutes. There is one from an IT staffer whose name he doesn't know – he doesn’t know most of the people in IT – and it states that he needs to do a password reset or he will lose access to his applications. Without thinking, he clicks on the link provided in the email -- and malware is introduced to the entire corporate network. (Emphasis mine)

The basic setup is good, where some empathy is displayed, showing understanding of the pressures we all face from IT systems, especially the users. Then the article goes off the rails, assuming the user didn't think about it before opening the link, and blaming the user for all the subsequent damage to the network from the introduced malware.

While this may make the author and sympathetic readers feel good, sharing "trench stories" about the enemy (the user)... it does nothing to solve the actual problem. In fact, this type of article makes things worse by draining away emotional energy that could have been directed towards solutions.

The outer layer of the real problem here is a complete lack of security once something is inside the corporate firewall. The inner root issue is the complexity of modern software, and the need to trust millions of lines of code any time the user makes a choice. The user can't examine those millions of lines of code; in fact, nobody could evaluate them as a system and make them secure.

We use systems which contain millions of lines of code, fragile systems which offer no real security. Blaming the user for exposing this fact through accident isn't healthy. We need to adopt systems which reduce the amount of trust we place in code, ideally reducing it to zero.

Capability based security offers a step in that direction. The Genode project is active, and hopes to be at the "eating our own dog food" stage by the end of 2012. They offer capability based security, a choice of 8 different microkernels, and the ability to run standard Linux programs as processes. This means that you could then set up a system where the user could run things in a sandbox by default, and have systems which aren't fragile, and don't shatter at the drop of any hat.

Instead of blaming users for our broken glass houses, let's go get some better building materials.

Tuesday, May 29, 2012

A future letter to Eben Moglen - draft 001

I watched a talk by Eben Moglen, and was quite moved by it. I felt the need to warn him about the next curveball about to be thrown his way (at least as I see it).

This is draft 001... and needs a lot more work before I send it to him directly.

Hello Mr Moglen,

Thank you for your work on behalf of all of us, re: PGP, and your well thought out 1st draft about innovation under austerity.

In your talk about innovation, you describe a conversation in 1995 with Jamie Gorelick and Stewart Baker, where he throws out this spoiler at you after your victory on PGP:

"but nobody here cares about anonymity, do they?"

Which led to 20 years of fighting about anonymity, which you say isn't going so well.

I hope to convince you that there is another spoiler waiting out there, and to give you some advance warning about it, so you are able to help head it off proactively.

I believe the next excuse to be used to curtail freedom will be security. Specifically, the inability of the user-centric, default-permissive environment of Linux, Windows, etc. to be secure. It is this weakness in security which will be used as an excuse to assert the need to manage all hardware which can be made to do general purpose computation.

There is a big cultural assumption amongst the Slashdot crowd that Linux is somehow much more secure than Windows. Nothing could be further from the truth. They both share the same flawed assumptions, albeit with significant differences in implementation. The assumption is that the user is the correct line for determining security decisions. It is not.

In the past, it was a quite sane demarcation line, because students generally ran the code they wrote, and you were worried about their behavior. In an age where nobody writes their own compilers and tool chains, we all have to trust code we didn't write.

Because we don't write the code, and because it can't be perfect, you can't predict its results. You should have a way to run it without having to trust it. There is no (easy) way to do this under Windows, or Linux, or anything else out there besides some research OSs like EROS.

Virus scanners try to maintain a list of known bad programs. This doesn't work.

Linux fanboys will have you believe that the users are stupid, and if you lock things down, they won't be able to screw up the system. The user is blamed here... this is a false conclusion as well.

It is my belief that we need to push, as hard as possible, for the adoption of a security design which allows NOTHING by default, and limits running code to a list of positively stated capabilities, maintained in a per-process list. This framework can still support the access control lists, user names, etc. we all need to feel comfortable, and to manage users, when appropriate. But this framework makes possible a new form of expression, which isn't even possible for the user to do if they don't have the tools provided.

If a user can run a program without having to trust it, they are free to experiment on it much the same way as we were free to try things out when DOS fit on a floppy disk, and you could write-protect it. You can directly limit the side-effects of any given instance of running code to the list of things you give it, and rest easy.

We need to make this world possible... sooner rather than later.

Thank you for your time and attention.

Friday, May 25, 2012

Seagate NAS - Not ready for prime time.

We purchased a 2TB Seagate Black Armor NAS for some things at work. It turns out to have some big issues.

2TB - advertising vs reality.
The device has 2 internal hard drives, each about 1 Terabyte in size. The default configuration as shipped is to mirror the drives (RAID 1), which means that you actually get a 1 TB storage device. If you span the disks (spread your data across both of them), you can get 2 Terabytes, but you geometrically increase the failure rate when doing so. You're better off with a single 2 TB drive, which is NOT this device.

Global access - broken
In order to be able to access your files "from anywhere" you have to set up an account on the Seagate Global Access site.
The site took my username and password, and apparently remembers it, but won't let me log in.
It's the middle of a business day, and the support people are apparently out to lunch. (Returning at 1PM?)

This is not the type of 24x7 bulletproof option that we expected from the Seagate brand. We'll probably be returning this item.

Monday, May 07, 2012

Hardware Hacking - The Anderson Storm Door

My friend Steve had a problem with his storm door, the wind got hold of it, and the screws holding the top 2 hinges got stripped out.

Stripped holes - not enough thickness to really hold things properly.

When we were discussing projects we wanted to get done at PumpingStationOne, this was top of mind for Steve, as he had only recently installed the door, and wanted to fix it before the bottom hinges also became detached, possibly destroying the door. The main problem we figured was that the metal is just too thin to hold something via a thread, or sheet metal screw.

We then made these blocks out of 1/2 inch square 6061-T6 aluminum alloy. They are sized to match the existing holes, and threaded at standard 6-32 size. These provide adequate grip for machine screws, and sufficient size to spread out the load, avoiding more tearing of metal.

Steve shows off our well built fix.

Once we had the door off and on its side, we made the holes wide enough to easily fit the bolts to our backstop, using a tapered reamer.

Next we had to figure out how to get these into the proper position. We ended up using a piece of threaded rod as a stick to maneuver the backstops into place.

The key to placement is to have the backstop ride on top of the stick into position, then use a flashlight and a longer bolt to pull it up into place. You want some easy to break tape in place at this point, which is why we used cheap "magic" tape.

Once you've got the backstop to its desired left-right position, shine a light down one hole and look through the other hole, rotating the stick to get it lined up. You should then be able to use the long bolt to get a few turns into the backstop block, and pull it up into position. Insert and tighten the bolt into the other hole, then remove the long one and repeat with the other bolt.

We did the top and bottom hinges first, then the sets closer to the middle. Here's a shot of a completed hinge which should hold forever.

We hope this helps someone else in a similar situation. Thanks for your time and attention.

Saturday, April 07, 2012

Prementia - a new medical term

I'd like to propose a new word...

Prementia - from Latin... pre (meaning before) and ment (root mens - the mind)... this would be when someone falsely assumes they are of sound mind before it actually comes to pass.

Prementia commonly occurs in subjects ranging from 3 to 30 years old, depending on the specific subject area and level of inexperience.

Treatment options - exposure to large amounts of experience has been shown to help mitigate the symptoms of prementia.

1. While somewhat inefficient, direct experience has been shown to be effective in almost all cases of prementia. Employment and living on one's own accelerate the effectiveness of this course of treatment.

2. Carefully administered doses of distilled experience with someone who is fully sound of mind and well versed in this manner of treatment have been found to be very helpful. In fact, in most states, this form of treatment has been subsidized regardless of insurance status.

3. Some patients are very resistant to treatment. In these cases, isolation for an extended period of time can be beneficial, if not to the patient, to those around them.

Contraindications - If prementia is suspected, be careful disclosing this status to the patient, as they may become agitated and insist that "I know how to do that already" or "I'm an expert". Sometimes it is best to ignore claims of competence, and switch the subject.

Thursday, April 05, 2012

If you can't even express a correct answer, you'll always be wrong.

In response to an ongoing thread on /. about computer security... I wrote this:

What we have here, is a failure to communicate...
It's not the user.
Nor is it the internet
Nor is it the administrator
Nor is it the OS vendors
It's a very deep paradigm/vocabulary issue
The problem IS lack of security.... quick... how can You, in YOUR CHOICE OF ENVIRONMENT tell your OS that you want a program to enforce this set of rules on a program you want to test:
  • read access to itself, and its install directory
  • read access to all of the system libraries
  • read-write access to a single folder
  • access to a specific set of windows in the gui (if any)
  • and nothing else?
If you can even begin to fulfill this list of un-restrictions, you're probably approaching it in terms of a locked down user account, which is exactly the problem. This list of un-restrictions is otherwise known as a capabilities list, and should be assigned on the basis of the needs of the moment, not some static definition.
If you can't even express the correct answer, you'll never get it right.
While people remain unable to even express ideas in terms of capabilities, it won't happen, and we'll be vulnerable... I suspect it's going to take about 12 more years.
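To make the per-process allow-list concrete (the "much shorter list of what things to allow" from the Secure Programming post above, and the five-item list in this comment), here is a toy model written for this page. It is not Genode's code or any real kernel's: a manifest names the files, directories and ports a process may touch and in which mode, every request not positively covered is refused, and paths are canonicalized first so a ".." in a request cannot escape the one folder it was granted. The manifest, the paths and the sample requests are all constructed.

```python
"""Toy per-process capability list: deny by default, allow only what is listed.

Added example for this page, not Genode or any real kernel's code.  A process
manifest names the files, directories and ports it may touch and in which
mode; any request that no capability positively covers is refused.
"""
import posixpath
from dataclasses import dataclass

# The modes the post names: read only, write only, append only, full.
MODES = {
    "ro": {"read"},
    "wo": {"write"},
    "ao": {"append"},
    "full": {"read", "write", "append"},
}


def _norm(path):
    # Canonicalize before comparing, so "/home/user/scratch/../.ssh/key" is
    # judged as "/home/user/.ssh/key" and not as something under the scratch folder.
    if not path.startswith("/"):
        raise ValueError(f"expected an absolute path, got {path!r}")
    return posixpath.normpath(path)


@dataclass(frozen=True)
class Capability:
    kind: str    # "file", "dir" or "port"
    mode: str    # key of MODES
    target: str  # absolute path, or a port number as a string

    def covers(self, kind, target, op):
        """True if this single capability grants operation `op` on `target`."""
        if op not in MODES[self.mode]:
            return False
        if kind == "port" or self.kind == "port":
            return kind == self.kind and target == self.target
        path, root = _norm(target), _norm(self.target)
        if self.kind == "file":
            return path == root
        # "dir": the directory itself and everything below it
        return path == root or path.startswith(root.rstrip("/") + "/")


def parse_manifest(text):
    """Parse lines of the form '<kind> <mode> <target>'; '#' starts a comment."""
    caps = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("file", "dir", "port") or parts[1] not in MODES:
            raise ValueError(f"manifest line {lineno} is malformed: {raw!r}")
        caps.append(Capability(*parts))
    return caps


def check(caps, kind, target, op):
    """Deny by default: allow only if some capability positively covers the request."""
    return any(c.covers(kind, target, op) for c in caps)


# Constructed manifest matching the comment's list; the program and paths are made up.
MANIFEST = """
file ro   /opt/testapp/testapp    # read access to itself
dir  ro   /opt/testapp            # ... and its install directory
dir  ro   /usr/lib                # read access to the system libraries
dir  full /home/user/scratch      # read-write access to a single folder
# no ports, no other files: nothing else
"""


def demo():
    """Evaluate a set of constructed requests against the manifest; returns {request: allowed}."""
    caps = parse_manifest(MANIFEST)
    requests = [
        ("file", "/opt/testapp/testapp", "read"),
        ("file", "/usr/lib/libc.so.6", "read"),
        ("file", "/home/user/scratch/out.txt", "write"),
        ("file", "/home/user/.ssh/id_rsa", "read"),
        ("file", "/opt/testapp/testapp", "write"),
        ("file", "/home/user/scratch/../.ssh/id_rsa", "read"),
        ("port", "443", "read"),
    ]
    return {(k, t, op): check(caps, k, t, op) for k, t, op in requests}


if __name__ == "__main__":
    for (kind, target, op), allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DENY':5} {op:6} {kind:4} {target}")
```

Note the contrast with a locked-down user account: nothing in the manifest says what the process is forbidden, only what it is granted, so the unlisted ssh key and the write to the program's own binary are refused without anyone having had to think of them in advance.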

Sunday, March 11, 2012

Machine shop 001 - Day 2

I've managed to determine a few things...

  • A 5" cross feed vise has mounting holes about 6" apart.
  • An 8" drill has a table with slots 4.5" apart
  • The adjustable table has a 3/4" bolt, which actually measures about 0.73"
  • The vise cannot be put on top of the adjustable table, otherwise there is -1" of clearance!
  • The cross vise is going to take a lot of tweaking before it starts being useful
  • I'm going to have to improvise a mount involving large pieces of lumber.
Lots of work, a kludge of a setup, barely able to cut through a zinc slug, but it did it. I actually milled something today. ;-)

Saturday, March 10, 2012

Machine shop 001 - remedial edition

I want to build a metal shaper... from scratch.

It will be small, made from the stuff I can get locally, and kinda wimpy as a result. No castings, no 50 pound bull gear with a slot, yoke, etc...

I'm going to drive a pair of 7/8" screws with a gear reduced drive... this will provide the necessary force to drive a cutting tool in a planing motion through a piece of steel or aluminum.  (I did an excel sheet to get the numbers right... I was surprised at how little actual cross section there is in a planing operation... which makes it feasible to do it this way).

I got some tools in motion today. I have managed to mount a 6"x6" 1/4" aluminum plate to one side of a 6" Lazy Susan. I drilled and tapped holes at 10-24 to allow hex cap screws to hold it in place. Now I just need to trim the screws so they don't protrude out the other side of the plate. 8)

Next up will be figuring out some arrangement whereby a 4" vise can be bolted to the plate via its mounting slots, so that I can align the center of the work piece with the center of rotation.

Once that is done, I should be able to use this to cut a few gears out of aluminum plate. I want to make a pair of 2" radius gears (one for each screw), and a 1/2" radius gear to be driven by the electric screwdriver.

5 inch-pounds of torque from the screwdriver should result in about 314 pounds of thrust at the business end of the screws. 8)

My backup plan is to make worm gears if there turns out to be insufficient torque available.

Thursday, February 02, 2012

So now I get free censorship along with my blogging tools?

So now it appears that Google (who provides the tools and hosts this blog) not only gets ad revenue from my work in trade, but will also provide free censorship services to government. Such a deal!

Now, at this point, remember the situation we are all in.

None of our computers are secure because the operating systems have no provisions to support Capability Based Security. (Which would work, but would require massive amounts of new code for everything)

Because our computers aren't secure, they can get used to provide infrastructure for others as part of botnets, spamming us, spreading viruses, running spy software, rootkits, and all sorts of things for everyone but us.

Only true peers on the internet can host their own stuff, but most of us have internet access, not actual peerage.

Thus we are forced to choose who will host our stuff, and who will let us access the stuff of others via the internet.

For 99%+ of us, sharing photos with friends and family now always involves uploading them to some multi-national corporation, where they get put into a massive database, and the faces of people in them are compared against other databases.

For 99%+ of us, everything we send out across the internet is not encrypted, and is automatically scanned for threats to the powers that be.

Most people aren't aware of the layers of surveillance built into things since the 1960s, the secret rooms where all internet and phone traffic is diverted for the convenience of the NSA and others.

Most people don't know what the difference between money and currency is, viewing real money as an amusing relic.

We're all cattle in farms called countries... get used to it.

Wednesday, January 18, 2012

iCloud - Apple copies Microsoft

Steve Jobs liked claiming that Microsoft merely copied what Apple did... it turns out that Apple has copied Microsoft this time.

Microsoft Exchange is one of the best database servers you'll ever use. You can make offline changes on multiple devices, and it will handle things automatically. It just works.

iCloud is what happens when Apple decides to copy Microsoft Exchange, and possibly Sharepoint.

iCloud is NOT something that lets you see your calendar everywhere (unless it's the iCloud calendar).
iCloud does NOT sync your settings across devices
iCloud does NOTHING to help you deal with an Exchange account you want to see on all your iDevices.

$218 down the drain....