It's rare, but once in awhile a co-worker says something so sincerely, so honestly and so fundementally at odds with anything rational humans would call productive that it borders on a Zen Koan.
For example, a co-worker sent this today, very sincerely beleiving it would get us to buy into his expensive $50 million (as yet unfunded) project:
"This is one more reason for projects like Solution Integrator, which add value to the customer centric business model, and make the partner centric business model more attractive to enterprise customers."
LAS VEGAS – The annual Black Hat computer-security conference has become a forum for experts to disclose vulnerabilities in tech products, often rankling the products' makers. But few companies go to the lengths that Cisco Systems Inc. did this week to suppress information about a flaw in its software that directs Internet traffic. Cisco threatened legal action to stop the conference's organizers from allowing a 24-year-old researcher for a rival tech firm to discuss how he says hackers could seize control of Cisco's Internet routers, which dominate the market. Cisco also instructed workers to tear 20 pages outlining the presentation from the conference program and ordered 2,000 CDs containing the presentation destroyed. In the end, the researcher, Michael Lynn, went ahead with a presentation, describing flaws in Cisco's software that he said could allow hackers to take over corporate and government networks and the Internet, intercepting and misdirecting data communications. Mr. Lynn, wearing a white hat emblazoned with the word "Good," spoke after quitting his job at Internet Security Systems Inc. Wednesday. Mr. Lynn said he resigned because ISS executives had insisted he strike key portions of his presentation.
XXX: It's irresponsible! Like yelling fire in a movie theatre or [...] Mark: or "Jihad" in a crowded mosque...
A followup thought from the previous post (below).
This advice was given to me in grad school by my advisor and was one of the few things he said that actually turned out to be useful. Birthday 41 is next week and, to be frank, I didn't expect to live this long so my expectations of additional years is 0. I've been clinically dead twice and, after the last time, I've always tried to live with the expectation that if I need to get something done, I'd better do it sooner rather than later. Much sooner. It's a philosophy which really helps prioritize the important things and helps brush away the seemingly important but long term trivial (e.g. filling out forms at work vs. actually fixing people's security problems). It also encourages a higher level of risk taking than average, leading me to travel to around the world, quit jobs I don't like, ignore people who waste my time etc.
It's good advice and I highly recommend it. There is never a guarantee the sun will rise tomorrow.
There is also an interesting paradox here with religion, although I may be conflating personality with religious tenants. I'm an atheist and don't believe in an afterlife, so it would seem that my priority should be extending my lifespan at all costs. Instead I've opted for the "enjoy it while you can" model, which has led (immodestly said) to a richer more interesting life than the alternative. OTOH, many Christians I know, who are as certain of the afterlife as they are of the sunrise, tend to go to greater lengths to avoid some risks and are strong advocates of life extension/digital uploading etc. in order to keep living as long as possible. Given that Heaven is supposed to be.. well... heaven, I've never understood the mania to avoid death. I went to UMass with an astronomer/born-again who spent hours each day trying to eliminate any possibility of consuming food she might have been allergic to, biking 50 or 60 miles and in general going to great lengths to extend her human life as long as possible. And I never got a very convincing reason why. She didn't think she was going to Hell, that much was certain.
Dunno. I'm not saying one way is better than the other in general, I am saying I know what works for me.
Heir CutsThe Congressional Budget Office recently found that, contrary to what we've always believed, only a couple of dozen or so farmers would benefit from repeal of the estate tax -- dubbed the "death tax" because of its painful effects on the dead.
"It's interesting that people laugh when you say, 'My probation officer doesn't let me have candles or fire-related objects anymore' to a room full of financial services people." ... " but it's more interesting when you say it to a room full of developers and a third or so nod knowingly..."
"What makes Bush a conservative?" Savage asked when I got him on the phone the other day. "On the economy, Bush has got more governmental workers than anybody before him. He's ballooned the government." As regards the so-called "war on terror," Savage points out that you can't win a war when you're afraid even to name the enemy. "He's never mentioned Islamofascism," said Savage.
As for the rest of the radio talkers, "They may as well work for the Republican Party. There's nothing interesting if you can predict what a man's going to say by just going to the GOP Web site." He's certainly got that right. Listening to an endless rehash of Karl Rove's talking points, leavened by a few Teddy Kennedy- is-a-drunk jokes, is not very entertaining.
I read something recently which, while I can't verify, seems true, i.e. there is more diversity of opinion in the left side of the blogosphere than on the right in part becuase the right needs to follow the approved talking points to keep the sharade going. The left is free to throw stones at everything or (in exceptionally rare cases) actually propose new, innovataive ideas. Not that I've seen many of those from the left but, to be fair, I haven't seen them from the right either.
Schmidt commends Hackett for his service, but believes Hackett should "stand with the president" by "supporting the Iraqi war effort and our troops that are over there," her campaign manager Joe Braun said. (Through Braun, Schmidt declined to speak with Salon.)
When asked to answer that charge, Hackett is blunt: "The only way I know how to support the troops is by going over there." He doesn't hesitate to criticize Schmidt's support of the war: "All the chicken hawks back here who said, 'Oh, Iraq is talking bad about us. They're going to threaten us' - look, if you really believe that, you leave your wife and three kids and go sign up for the Army or Marines and go over there and fight. Otherwise, shut your mouth." (Emphasis added.)
Schmidt is one of those republicans who is patriotic to the president, not the country. I like seeing one of them called on it. The Hackett/Schmidt election is Aug 2nd.
One of my pet peeves is reasoning by analogy. Don't get me wrong, it's often a useful pedagogical tool and has some place in science and argument. My problem is that people use it too freely and often grossly overextend analogies and come to strange conclusions.
For example, in Reason this week there is an mildly interesting article on creationism:
So what "speculations" do creationists wish to destroy? In his talk, "Fossils, the Flood and the Age of the Earth," Dr. Tas Walker, a former Australian mining engineer, takes a whack at old Earth geology. Walker says that Noah's Flood is needed to produce fossils. Why? The conventional explanation for how fossils form is that, say, a dinosaur dies, falls into a swamp or ocean, and sinks to the bottom; there the bones are covered by layers of silt and eventually turn into stone. Walker says that this scenario is very unlikely. He illustrates his point with the humble example of what happens to a dead fish in an aquarium. Dead fish don't sink; they are eaten by other aquarium denizens, leaving nothing to fossilize. As further evidence, Walker adds that nature documentaries showing the bottom of the oceans do not find it littered with the bodies of dead fish waiting to be fossilized. The only way to fossilize a dead fish in an aquarium is to dump a bunch of concrete on it before it's eaten. QED, Noah's Flood was the moral equivalent of dumping concrete on all the fossilized animals found in rocks today.
Since it doesn't happen in my fish tank, it must be impossible even if you have trillions of organisms over millions of years...
Adding to my list of "Things the Market tends to Screw-Up because people don't make rational choices".
Airport Delays Take airports like Atlanta, Washington-Dulles, and Newark, which are dominated by a single carrier. If the tragedy of the commons theory bore out, then these airports would be less tardy, because a dominant carrier has an incentive to take into account the delays that it causes by crowding the runways. That's why the solution that economists always offer for the tragedy of the commons is to give one entity an exclusive property right. Yet Atlanta, Dulles, and Newark are among the top 10 tardiest airports in the country. In a study of more than 65 million flights over 12 years, economists Christopher Mayer at Columbia Business School and Todd Sinai at Wharton business school recently found only a small correlation between the dominance of a single carrier at an airport and the length of flight delays.
Mayer and Sinai's study also identified the real culprit: the deliberate overscheduling of flights at peak periods by major airlines trying to increase the amount of connecting traffic at their hub airports. Major airlines like United, Delta, and American use a hub-and-spoke model as a way to offer consumers more flight choices and to save money by centralizing operations. Most of the traffic they send through a hub is on the way to somewhere else. (Low-cost carriers, on the other hand, typically carry passengers from one point to another without offering many connections.) Overscheduling at the hubs can't explain all delays—weather and maintenance problems also contribute. But nationally, about 75 percent of flights go in or out of hub airports, making overscheduling the most important factor.
Yea! KENNEDY SPACE CENTER, Florida (CNN) -- Discovery roared into the skies over Florida Tuesday morning as NASA returned to shuttle space flight for the first time since the 2003 Columbia disaster. Under a blue, nearly cloudless sky, the spacecraft lifted off at 10:39 a.m. ET, as scheduled. "Liftoff of space shuttle Discovery, beginning America's new journey to the moon, Mars and beyond," said George Diller, the voice of shuttle launch control. The launch followed days of troubleshooting to fix a faulty fuel sensor in its external tank that led to cancellation of a planned launch on July 13.
Wrote this in about an hour for one of our publications next month. Comments welcome. It's a first draft and I'm still thinking about what people should do about it other than not panicing.
How Broken is SHA-1 and What are the Implications for Banking Security? Mark Horvath, Microsoft Corporation
A recent paper by Xiaoyun Wang, Yiqun Lisa Yin, and Hongbo Yu, Finding Collisions in the Full SHA-1 (http://www.infosec.sdu.edu.cn/paper/sha1-crypto-auth-new-2-yao.pdf) has raised some questions about the strength of the SHA-1 hashing algorithm and it’s application in the commercial space, specifically in the areas of financial cryptography and online banking applications. In this discussion I’ll talk about three things, what is SHA-1, what does it mean to say it has been “broken” and what should the FS community do about this news?
SHA-1 is one of dozens of algorithms called hashing functions, mathematical operations which take an arbitrary sized text (any where from 1 to 2^64 bits) and reduce it down to a specifically sized, nearly unique signature. In the case of SHA-1, that’s 160 bits. The algorithm is written in such a way that’s it’s very sensitive to any changes in the input text and changing so much as a single character will produce a completely different result. So, I could feed in any document, say a mortgage application, and I would get 160 bits that would be unique to the information in that document. This provides a record or signature that I could use to verify the information later. Anytime I ran the algorithm on the document or an exact copy, I would get the same signature. On the other hand, if I changed a few characters in it (say from owing $200,000 to $000,200) and re-ran SHA-1, I would get a completely different signature. This, combined with a little public key cryptography, allows us to create digital signatures so that electronic documents can be verified at anytime to make sure that they have not changed.
I said that the signature was “nearly unique”. That’s because the algorithm takes arbitrary sized documents and reduces them to the same sized 160 bit signature. There is a chance that another document could hash to the same set of output bits, which is called a collision. Because of the nature of the algorithm, the two texts would likely look very different, one looking like a mortgage, the other looking very much like garbage. In a space 2^64 documents, very few of them look like normal or plain text with words, sentences etc. Most of look like the results of monkeys hitting random keys at typewriters. The exact probability of a collision depends very much on the details of the algorithm, which is where the problem comes in. Up until now it was believed that it would take 2^80 operations to get a collision in what is called a brute-force search, i.e. trying every possible input text to get a match.
Imagine you had a cluster of 1000 computers dedicated to the task, each one capable of trying 1,000,000 tests per second. (this is the approximate computing power of a large settlement network like SWIFT or DTCC). It would take 12,089,258,196,114,629.1747 seconds to “break” the algorithm, or 38,500,822 years, 3 months 11days, 1 hour and 25 minutes (give or take a minute). That’s a while. And that’s for one document! I’m sure over the course of 38 million years Moore’s law would help, or you could add more computers to the cluster, but generally it’s considered “secure” in that no one outside the NSA would waste that many resources on changing a mortgage.
The point of the Wang, Yin and Yu paper is that the probability isn’t 280 it’s more like 2^69, or 2^11 ( 2048 ) times more likely. This means it would take only 5,902,958,103,571.5961 seconds or 187992 or so years. Worse, but still a very long time. And this is assuming hardware and programming skills outside the access of governments or worldwide finance institutions.
The real concern here is not the drop of 2048 in ease of breaking the algorithm, it’s that the algorithm has been shown to have a weakness. It’s not impossible that the algorithm, with further study, might have additional problems, thus dropping the security still further.
It’s important to remember that this is a mathematical algorithm and it is not specific to any given vendor’s implementation of it on their software. Everyone using SHA-1, whether it be on Linux, Windows, VAX, Unix, FORTRAN, COBOL or even coded into the firmware of hardened cryptographic devices like Cylink, RSA, nCypher, SPYRUS or those used by NSA is, if they implemented it correctly, effected by this result. Hence this is a community problem, which needs to be solved through the normal security and cryptographic standards processes.
So what is an FSI Security professional to do? At this stage, the important thing is to avoid panic and recognize the problem for what it is, i.e. the normal cryptographic vetting process. As of this writing there has not been any demonstrated, successful attack on any text hashed using SHA-1 (although you might want to watch for one in the next 100,000 years or so). Good security policy would suggest the following actions:
Inventory where you are currently using the SHA-1 hashing algorithm in your digital signatures.
Other hashing algorithms exist, some much stronger than SHA-1, so start considering what it would take for your organization to switch in the future.
Work with your software vendors and see what they suggest.
Keep informed of the latest developments on security algorithms and see how SHA-1 and other tools develop.
Again, let me repeat, there is no cause for any kind of panic or mass exodus from SHA-1, but it is something to keep in mind over the next few years when upgrading your security systems.
XXX: "Hey, they shot the guy responsible for the London bombings!" Mark:"Really? How did they know it was him?" XXX: "They had his picture and he ran when they tried to stop him. Must be him." Mark:"One doesn't know that. Besides I didn't think the Brits carried guns" XXX: "Some do. And they aren't afraid to use them. He would have gotten death anyway if he'd been convicted. This saves time." Mark: "If they got the right guy..." XXX:"Must be him, he ran!"
Obviously, it was the wrong guy. This was one conversation which neatly wrapped up my views of our efforts on terrorism and on extra-constitutionalism. XXX is a brit ex-pat I work with.
I'm an unrepentant atheist with a background in science, math and technology. By education, an astronomer, by training, a cryptographer, by profession, a technology specialist. While people tend to peg me as "left" I don't really know what they mean. I'm for small government, low taxes and I believe that the right to swing my fist ends before your face. I distrust anything the government says no matter what party is in power, although I must admit to having worked for the government (ours and others).