June 19, 2011

On Hacking (or Why We Need Security Ratings)

Another website has been hacked. It seems almost routine now, with site after site getting demolished by hackers. The overwhelming public response to the catastrophe has been to ask, "can anything be made secure?" Security experts, naturally, are constantly attacking the companies in question for their dismal security practices, but what of the general public? They don't know what a hash is. They don't know what an SQL injection is. They have no reason to know these things and will never understand them. All they understand is that their company assured them they had good security, and then they were hacked, and somehow the good security wasn't actually good. So then they'll move to another company, and this time, they're told, this company really does have good security. But nope, it got hacked too, guess that good security wasn't actually good.

Can any security be good? A security expert knows why the companies were hacked and can answer that question - the average Joe probably won't be able to. This is the crux of the problem - What is good security? How can an average person figure out what good security is? Good security used to be MD5 hashing. Then it was MD5 hashing with a seed. Now MD5 is cryptographically insecure, so we're trying to move to SHA1, but even that might be crackable in the near future, so someone invented bcrypt, but now the bcrypt implementation has demonstrated some unnerving behavior, making its implementation unverified. Then there are SQL injection vulnerabilities and the long list of XSS attacks, along with cookiejacking made possible by unencrypted networks and Firesheep. Even now we are seeing weaknesses at the highest echelons of security - hacked RSA databases and even HTTPS certificates.

Answering our question of what good security is clearly isn't easy. Of course, what if we assume that all security is broken? We would have to outlaw all hacking and seriously punish the offenders because there is nothing that can be done to lock up the system. This approach, however, is inherently flawed. For one, it is closely related to the drug war waged by the U.S. authorities, which has been astoundingly ineffective at stopping the drug trade. Not because it can't shut down drug-rings (it's very good at doing that), but simply because the business is so profitable that for every player you kill in the game, another one crops up to take their place. Lulzsec serves as a harbinger of that scenario, where hacking is cheap, and even if you throw everyone involved in jail, someone else will replace them.

However, even this scenario is being optimistic. If security is near impossible, computers become useless. The real world would turn into Hollywood, where electronics are easily bypassed. The problem is that if computer security is easily bypassed, people will stop using it. Online transactions die. The paper trail comes back. People refuse to put their personal details in anything that could be digitized. Everything that has enabled the technological explosion of today would get stuck in a tug-of-war between security and convenience. If history is anything to go by, the public would rather give up the last bits of their privacy just so they could use all the conveniences of electronics without having to worry about hackers. Suddenly we live in 1964.

This scenario may seem implausible to you because it is. Computer security can be effective, it simply needs to be done properly, which is not impossible. It may be difficult, but so is starting a successful company, and that doesn't seem to stop any of the entrepreneurs. The problem we face is that the average customer has no way of discerning good security from bad security. If they could, market pressures would force companies to adopt the best security possible, or customers would take their data elsewhere. Security is crap because no one knows what security is other than the security experts.

We have building inspectors and elevator certifications and health inspectors... why not security inspectors? It doesn't need to be government mandated; considering the government's track record, it might be a lot better if a private company or group provided the service. But somehow, there needs to be a way to measure security in a verifiable manner. There are two ways I know of to do this (there may be others) - from the inside, and from the outside. An inside inspection is more reliable when done properly, but more likely to be corrupted and gamed. An outside inspection, however, doesn't rely on the consent of a company to plaster a security rating on them. The downside is that an outside inspection requires pummeling the company's product blindly, which will only catch the really stupid mistakes, and not the dangerous middle-ground between really bad security and really good security.

I'm not pretending I know how to solve this problem. I don't, but I do know that someone needs to figure this out. If we are going to make any headway with security, the general public needs a friendly, easy, intuitive way to check the security rating of a company, instead of relying on the company's insistence that it uses a "very sophisticated security system". Only then will market pressures push for the resurgence of proper security.

June 8, 2011

My Mom Had a Heart Attack

She is fine and will make a full recovery.

About 3 weeks ago, on Thursday, May 19th, at approximately 6 PM, my mom went into ventricular fibrillation and collapsed while walking on a nearby trail. She was found by two walkers who called 911 and initiated CPR. After almost a half hour of CPR and 3 defibrillator attempts, she was stabilized and taken to the nearby hospital. She had no identification, so we didn't know about it until after 2 hours of failed searching, at which point my dad called the local hospital.

As I was taken to see her while in critical condition, we didn't know if she was going to survive, or if she did, if she would have serious brain damage. A lot of things went through my mind on that car ride, but the one that was the most striking was when I realized that my inability to achieve what I had been trying to do for so long could potentially mean the last thing my mom was mentally capable of processing would be a son who had simply tried to accomplish something. Who had tried very hard, but hadn't actually managed to do anything of significance. My life was simply a lot of determination, a lot of talk, a lot of failures, and no results. I was still in college, I still didn't have a company, I didn't even have a job, and I still hadn't brought any of my more spectacular ideas to fruition. I was almost 21 years old, my mom had almost died from a heart attack, and I hadn't actually done anything.

The next day my dad called "just about everyone" to tell them what was going on, which indirectly resulted in me being reunited with one of my old friends. Due to my mom's condition in the ICU, she had little to no short term memory, and so every day when I went to visit her I would tell her that my best friend from forever ago had visited, and every day (once the breathing tube was removed), she would react with surprise. She was very confused and kept asking about why she was in the hospital. It turns out this was a pretty good question.

They did a CT scan of her chest to see if she had any blockages or other potential threats to her heart, and discovered that her arteries were entirely devoid of plaque buildup, and she appeared to be in almost perfect health, aside from the fact that her heart suddenly stopped working for what appeared to be no reason at all. The only connection we could find was that a similar event happened to my grandfather (her father) at almost the same age. While he also passed out, his episode was caused by atrial fibrillation. She has since had a miniature pacemaker of sorts installed that will automatically deliver a defibrillator shock if the event ever occurs again, but it raises questions about whether the condition is hereditary.

If this is some kind of strange genetic disorder, it carries the lovely news that even if I'm in perfect health in 30 years, my heart could get a random bad signal from my brain for absolutely no reason at all and I could keel over and die if no one happens to notice me pass out. Luckily I don't have to worry about that until I have kids in elementary school.

Thankfully my mom is back home and, aside from some minor lingering medications and precautions, has fully recovered. Unfortunately, I still haven't done anything.

June 3, 2011

The GPL Sucks

When I release an open-source program, I want to guarantee something very simple. The program and its source code can be distributed and used by anyone for any purpose, and all modifications to the program must be released as open-source under these same terms. I want to guarantee that the program and any improvements made on it are available to anyone, proprietary or not, forever.

This is impossible.

Why? Because the GPL specifically states that any code used in a GPL project must be under a GPL license. The GPL is written in such a way so that your code must somehow be able to be converted into GPL-licensed code if it is to be used in a GPL project. This doesn't really seem to be a problem, at first, until you start thinking about what it means for code that is designed to be used by ANYONE, including commercial ventures. Let's say I write a program under the BSD license. Some guy can run along, fix a bunch of bugs for me, but release those bugfixes under the GPL, preventing me from using any of them in my program unless I'm under the GPL. This even happens if you release under the LGPL, because LGPL code can be converted to GPL and, whoops, you can't get it back!

This is just as bad as a company taking my code, fixing some bugs, and making those bugfixes proprietary. Both sides of the fence are excluding the other side of the fence, and explicitly prevent me from trying to straddle both sides. The Free Software Foundation is making it impossible to be neutral. Either you're with them, or you are against them. This is stupid.

This might be good for free software, but not for open-source software. The GPL destroys the entire point of open-source software - contributions from outside sources provide substantial improvements. The GPL's viral nature dissuades people from using it because it acts to the exclusion of everything else. A company has zero motivation to help improve GPL'd software because they can't benefit from their improvements. On the other hand, if open-source software was open-source for the purpose of being open-source instead of for free speech, we'd have companies who could legally use open-source software and consequently improve on it, and be required to release these improvements to the open-source community, to the benefit of everyone.

But of course, free software is about freedom of speech, and so we come to the unfortunate conclusion that, should free software continue its misguided crusade, the ideal open-source project will be fundamentally incompatible with free software, and so free software and open-source software will inevitably diverge into two parties with mutually exclusive goals.

And to think that all I want to do is guarantee that everyone can use my code and benefit from all improvements made to it. But I guess people don't care about that, they only care about whatever cause they might be fighting for, instead of mutual co-operation for the benefit of humanity. Since, apparently, I'm against free software, because I want to share my code with everyone, instead of only people who agree with me.

Great. Is this really what Free Software stands for? Is this what you want it to stand for? If it is, I'm afraid I simply can't support something that forbids compromise. Progress requires compromise. This is unacceptable.

EDIT: It is truly amazing how many ways people manage to misinterpret or flat out not read my blog post. This is not the GPL, the LGPL does not work, I am not championing any BSD-related licenses, and my comment about companies was directed at proprietary software. Of course Red Hat makes a profit off the GPL, its business model is compatible with it.

Perhaps I will try again at some later date with a blog post that spends less time actually explaining what I'm talking about and more time preventing people from latching on to completely irrelevant points.

The Logical Basis of Ethics

In modern times society has come to understand that some moral standards are unfair - Most people agree that racism is unfair and should not be tolerated. What is interesting is that almost any given ethical system will be considered unfair only if it is logically inconsistent. That is, an ethical system is fair precisely because it is logically consistent with itself. While racism is commonly considered unfair because thinking another human being is inferior to oneself based on some arbitrary physical attribute makes no sense, the entire concept of a superior race being allowed to make another race suffer is logically inconsistent. This, in turn, leads us to the problem of animal rights.

It is generally accepted that humans are superior to animals, at least for the sake of moral consideration. This is usually rationalized by a number of logical reasons, such as sentience, or simply that any creature has a right to favor its own species over another. While this is a common aspect of several environmental ethical structures, it isn't necessary. It is a known fact that some people respond well to vegetarian diets, while others suffer from serious nutrient deficiencies. This is because humans are omnivores; we do not eat vegetables OR meat, we eat vegetables AND meat. We usually require both to remain healthy, although some individuals can successfully short-circuit this. However, it only justifies killing the animal for the purposes of a food source, not for torturing, poaching or other activities that are, coincidentally, illegal. We are therefore obligated to make an animal's death as painless as possible - something PETA has repeatedly brought up in its war against factory farming.

Factory farming itself is obviously immoral as it involves inflicting substantial amounts of suffering on animals that are then slaughtered. One can say it's immoral for all the reasons PETA loves, usually involving graphic pictures of mistreatment, but we are more interested in the fundamental aspects of an ethical system. Specifically, a logically consistent ethical system can be constructed using only two postulates: Living things can suffer, and living things don't want to die. More accurately, the ethical system only applies to things that can suffer and things that have a survival instinct. From these postulates, we can formulate two simple theorems: One should not cause unnecessary harm, and one shouldn't kill unless necessary. From this, it is obvious that PETA is, surprisingly, correct - Factory farming is inescapably immoral. Unfortunately, things are never that simple.

The problem with factory farming is that almost the entire meat industry relies on it, all across the world. If it was made illegal, it would simply be done illegally, or the entire world meat industry would collapse and things would really, really suck. This kind of suffering is unnecessary, but it would be more accurate to come up with a new theorem: One should minimize the amount of suffering. This is why factory farming still exists and why we ignore what is clearly an immoral situation - there is no current alternative. PETA, in a brief flash of sanity, recognized this and has since been pushing for better treatment of the animals in the factories; but even this has problems. While there is obviously widespread animal mistreatment, there is also widespread rape, murder, extortion, bribery, theft, bullying, racism, sexism, anything-ism, homophobia, poaching, global warming, lying, hate crimes, harassment, trolling, abuse, etc. etc. etc. There is literally so much stuff going wrong that fixing factory farming simply isn't a priority right now, and so we end up in a case where an obviously immoral act must be tolerated for the sake of practicality. At some point in the future when we have presumably reached a more utopian society, we will be able to make fixing this a realistic priority. Clearly, the simple fact that something is immoral does not paint a black and white picture. Life is always a shade of gray.

This, of course, brings us back to racism. Racism is commonly discarded as an invalid belief because you can't assume that you are better than someone else just because their skin color is different. What this ignores is the more fundamental question - what if you are better than someone else? Most moral systems try to do away with this by invoking the standard equality statement, "All men are created equal". This, unfortunately, does not really solve any problems. Is Albert Einstein on the same level as a hobo on the street? For the sake of the general public, the answer is usually yes, because considering everyone as an equal simplifies an ethical system greatly. Unfortunately, it stops working with things like animal rights. However, our previous two postulates can be brought to bear on this situation, because we know that one should not cause unnecessary suffering. Just because you are somehow superior to someone else does not give you a right to do anything to them. The only reason we are allowed to herd cattle for slaughter is because we require sustenance. Consequently the fundamental idea of racism is totally flawed - even if, by some insane, misguided logic, black people were on the same level as animals, it doesn't actually justify jack shit. Slavery would still be immoral. Discrimination would still be immoral. All of this stuff is still immoral. Racism is not only wrong between human beings, it's wrong for anything. Being better than something else does not let you torture it.

Our modern day equivalent to racism is same-sex marriage. There is still a large percentage of the population that maintains that homosexuality is immoral. This is logically inconsistent, and surprisingly a lot of arguments used against homosexuality can actually be proven to be logically inconsistent, and therefore unfair. Many people state that homosexuality is unnatural and therefore bad. The common response to this is that homosexuality is present in nature and therefore not unnatural, but this ignores the more fundamental assumption that something unnatural is bad. This assumption can be proven false using proof by contradiction: Someone has a heart attack. A defibrillator is used to restart their heart and they go on to lead a happy, fulfilling life. The defibrillator is obviously very unnatural, but it prevented loss of life. Preventing loss of life is inherently moral because all beings that this moral system applies to have a desire to live. Consequently something unnatural cannot be inherently bad.

But what if same-sex marriage is against your religion? This line of thinking doesn't work for several reasons. For one, someone can simply invent a religion where your existence, and only your existence, is against the religion and therefore you must be killed. More fundamentally, however, you can't force your religious convictions on someone else, unless someone is using your religion to deliberately harass you, which is a problem of harassment, not religion. Consequently if someone needs to draw Muhammad to make a political point, you have to let them do this even if it's insulting to your religion because they aren't deliberately trying to make you suffer, and so if you oppose them you are instead forcing your own religious opinions on them, which simply does not make any sense, because anyone can have a religion that does anything they want. You must have a better reason than "it's against my religion", like "that is a deliberate attempt to aggravate me". Ironically, this same line of thinking is why someone is allowed to not say the pledge of allegiance if it's against their religion. It isn't because it's against their religion, it's because they simply chose to not say the pledge, and not saying the pledge doesn't cause harm to anything, and therefore cannot be forbidden for any ethical reason.

This idea of something not causing harm to anything else is the basis for a famous ancient moral system, "If you harm none, do what you will". This has to be inferred from our two ethical postulates, because all our postulates state is that one should not cause harm or kill things. However, it is the very fact that these are the only postulates that leads us to this new inference - you can't use the ethical system to prevent someone from doing something if that something doesn't harm anything. You can try to justify it using some other system, but the ethical system will not allow you to make a valid logical argument against an action if that action doesn't cause unnecessary harm.

The fact that ethics are inherently based on logical consistency suggests that a sort of Ethical Calculus should, in fact, be possible. While one constructs the basis of an ethical system on moral absolutes, (do not kill or cause suffering), this foundation is given a qualifier, "unless necessary". The complex interactions that arise from minimizing suffering are what form the complex relative moral systems that govern our higher-order ethical considerations. Like economics, moral relativism exists because the absence of suffering is a scarce resource. This relativism, however, is formed from a logical basis, and so can be represented by an abstract logical system and analyzed as such. Perhaps a system of Ethical Math will one day allow us to quickly decipher the best ethical course of action, or failing that, what exactly makes a given ethical situation so complex.

Besides, if ethics are logical, and computers can evaluate logical statements, what is stopping us from making ethical AI?