Sunday, September 12, 2010

After the hack: Why you REALLY shouldn't do personal business on a corporate machine

Corporations hate employees doing personal business on office machines.

I, of course, have never done this. I've certainly not checked my family calendar, or managed personal email, or browsed my Google Reader feeds on my corporate laptop, either at home or at the office.

Corporations hate this because employees should be working. Besides, it's an obvious security risk. Employees visiting off-color web sites are sure to bring viruses to work.

I agree. Sort of. Specifically I agree employees shouldn't use their Google credentials on corporate machines, and I agree there's a security risk -- for someone.

Mostly, though, the security risk is for the employee, not the corporation.

Let me explain why.

As best I can tell the average large publicly traded company admits to at least one major XP malware attack every 4-12 months. I expect the real number is twice that. That's a pretty high attack rate. A lot of this malware, like Lemir.VA, incorporates a keylogger function. This malware captures usernames and passwords and sends them on.

If you check your family calendar at work, that would include your Google credentials. Your robust password is now meaningless; you will be hacked like I was.

That's at work. How about at home? Well, in our OS X/iOS household we haven't had a malware attack for over five ten years. My home is far more secure than my workplace.

It's safe to access Google from home. It's not safe to access Google from my office.

So you shouldn't use the office computer for personal work after all. It's in a very bad neighborhood, you really don't want to take your Google credentials there.

Saturday, September 11, 2010

The Religion Poverty correlation - cause?

Religiosity and national wealth are inversely correlated.

This is not a new finding, though the linked graph is novel. The US is an obvious outlier. Iran used to be an outlier too -- more religious than expected. I can't find it on the chart, but I believe Iran is much poorer than it used to be, and perhaps less religious too.

The usual assumption is that as a nation becomes wealthy, and better educated, it becomes less religious. Of course it could be the other way around. It might be that religiosity makes a nation poorer.

That would explain Iran. And the US too, I suppose.

Most likely, however, both wealth and religiosity are more directly related to national education levels.

We're crazy now. We were crazier forty years ago.

Limbaugh. Beck. Palin. Bachmann. Pawlenty. Mosque madness. Burning Qu'rans. Marketarianism. Denialism. Birther. Truther. American torture.

We're certifiable. It's not just 9/11 -- we elected Cheney and denied reason before that. It took 9/11 though, to really put us in asylum territory.

If you care about humanity, or your own family, it's a wee bit depressing. That's why I liked Graham Burnett's Orion article. It's ostensibly about dolphins, but it tells the story of a peculiar man in a peculiar time not so long ago...
A Mind in the Water | Orion Magazine

... who was Lilly? His early biography offers little hint of what would be his enduring obsession with the bottlenose. Taking a degree in physics from Caltech in 1938, Lilly headed off to study medicine at the University of Pennsylvania, joining the war effort as a researcher in avionics. An early photo shows him as a rakish young scientist, smoking a corncob pipe while tinkering with a device designed to monitor the blood pressure of American flyboys—a number of whom, in those days, were actually using surfacing cetaceans for strafing practice.

After the war, motivated in large part by contact with the pioneering brain surgeon Wilder Penfield, Lilly turned his hand to neuroscience, applying the era’s expanding array of solid-state electronic devices to the monitoring and mapping of the central nervous system. Eventually appointed to a research position at the National Institutes of Mental Health (NIMH), Lilly spent the better part of a decade conducting invasive cortical vivisection on a variety of animals, particularly macaques. In the spy-versus-spy world of the high Cold War, this kind of work had undeniably creepy dimensions. Manchurian Candidate anxieties about “forced indoctrination” and pharmacological manipulation of political loyalties peaked in the 1950s, and security establishment spooks (as well as a few actual thugs) hung around the edges of the laboratories where scientists were hammering electrodes into primate brains...
Caltech alumni. Medical training in Pennsylvania. Went into the tech industry. That's way too close to my life.

There are other intersections. I loved dolphins as a child; I'm sure I read his 1960 Man and Dolphin -- or at least the derivative works. (I was born in 1959, but in those days books lasted a long time in public libraries.)

Lilly was genuinely crazy, but, as Burnett reveals, so was his time.

This may come as a surprise to some. My generation has been keeping the 1970s in the attic, pretending it never happened. We got rid of all the books and most of the movies (the early music we kept). We had lots of help -- everyone from that time has something to hide. The 1960s made a good distraction.

It's been forty years though. There are curious adults alive today with nothing to hide. They're going to start poking around the attic.

They'll find that the 1970s were seriously crazy. Yeah, America's nuts now, but, the good news is, we were at least as crazy then.

Thunder in the Cloud: Lessons from my hacked Google Account

It was just another week in the age of insecurity. Yet another low tech Windows-only trojan spread throughout American corporations, costing a day or so of economic output and probably acquiring a rich bounty of passwords. Twitter implemented a defective OAuth security framework. Oh, and my Google (Gmail) account was hacked.

The last of these was the most important.

Cough. Go head, laugh. Check back in three years and we'll talk. For now, trust me on this. There are some interesting implications.

First though, a quick review. Nothing obvious was done to my Cloud data by the hacker, I only know of the hack because of defenses Google put in place after they were hacked by China. Secondly I used a robust and unique password on my primary Google account and I'm a Phishing/social engineering hard target. So, in order of descending probability the security flaw was
  • Keystroke logging > Google false alarm (no hack) > iPhone app credential theft > WiFi intercepts >> Google was hacked > password/brute force attack.
I changed my password, but that doesn't deal with the real security problems (keystroke logging, WiFi intercepts, App credential theft). The other changes I'm making are more important.
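The post says the intrusion was noticed only because Google's own account defenses flagged it, not because anything was visibly changed. As an added example, not code from this post or from Google, here is the shape of that kind of check: a login audit that builds a baseline of where and how an account is normally used, then flags later successful sessions that come from an unfamiliar country/client combination, an unfamiliar source network, or that would require impossible travel since the previous session. The record layout, the /24 grouping, the two-hour travel window, the TEST-NET addresses and the placeholder country code "ZZ" are all assumptions made for the example.

```python
"""Login-anomaly audit over a constructed access log (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_network


@dataclass(frozen=True)
class Login:
    when: datetime
    ip: str
    country: str   # two-letter code; "ZZ" below is a placeholder, not a real country
    client: str    # e.g. "web", "mobile-app", "imap"
    success: bool


def prefix24(ip: str) -> str:
    """Collapse an IPv4 address to its /24 so small DHCP changes don't look new."""
    return str(ip_network(f"{ip}/24", strict=False))


def build_baseline(history):
    """Known (country, client) pairs and /24 prefixes from past successful logins."""
    ok = [l for l in history if l.success]
    pairs = {(l.country, l.client) for l in ok}
    prefixes = {prefix24(l.ip) for l in ok}
    return pairs, prefixes


def audit(history, recent, travel_window=timedelta(hours=2)):
    """Return [(login, [reasons])] for successful recent logins outside the baseline.

    Failed attempts are skipped here; a real system would also count them.
    """
    pairs, prefixes = build_baseline(history)
    findings = []
    previous_ok = None
    for login in sorted(recent, key=lambda l: l.when):
        if not login.success:
            continue
        reasons = []
        if (login.country, login.client) not in pairs:
            reasons.append("unfamiliar country/client")
        if prefix24(login.ip) not in prefixes:
            reasons.append("unfamiliar source prefix")
        # Two successful sessions from different countries inside the window
        # cannot both be the account holder travelling.
        if (previous_ok is not None
                and previous_ok.country != login.country
                and login.when - previous_ok.when <= travel_window):
            reasons.append("impossible travel")
        if reasons:
            findings.append((login, reasons))
        previous_ok = login
    return findings


# Constructed sample data: a month of ordinary use, then a quiet unfamiliar session.
HISTORY = [
    Login(datetime(2010, 8, 2, 9, 0), "203.0.113.10", "US", "web", True),
    Login(datetime(2010, 8, 5, 19, 30), "203.0.113.10", "US", "mobile-app", True),
    Login(datetime(2010, 8, 14, 8, 15), "192.0.2.44", "US", "web", True),   # office
    Login(datetime(2010, 8, 20, 21, 0), "203.0.113.11", "US", "imap", True),
]
RECENT = [
    Login(datetime(2010, 9, 2, 22, 0), "203.0.113.10", "US", "web", True),
    Login(datetime(2010, 9, 3, 1, 10), "203.0.113.10", "US", "mobile-app", True),
    Login(datetime(2010, 9, 3, 2, 40), "198.51.100.7", "ZZ", "imap", True),  # intruder
    Login(datetime(2010, 9, 3, 14, 0), "192.0.2.44", "US", "web", True),
]


def audit_sample():
    """Run the audit over the constructed data."""
    return audit(HISTORY, RECENT)


if __name__ == "__main__":
    for login, reasons in audit_sample():
        print(login.when.isoformat(), login.ip, login.country, login.client, reasons)
```

The point the example makes is the one the post makes: an intruder who changes nothing and sends nothing still leaves a trace in the access pattern, and that is what an account provider can alert on even when the password itself was stolen intact.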

That's the background. Why is this interesting? It's interesting because of what we can infer about motives, and the implications for the future of Cloud computing, iOS devices, and Apple.

Consider first the motives. The hackers owned my Google credentials for 24 hours, but they did nothing. They didn't change my passwords, they didn't send any email. The most likely explanation is that the next move was to identify and attack our mutual fund accounts by taking advantage of harvested data (58,000 emails, hundreds of Google Docs), accessible internet data, and the stupidity of mutual fund security systems.

We're not rich by American standards, but emptying our accounts would be a good return on investment for most organized criminal organizations.

Secondly if I can be hacked like this, anyone can. I am the canary in this coal mine, and I just keeled over.

Ok, maybe the impractically pure and young Cryptonomicon live-in-a-thumb-drive-VM-with-SSL geeks are relatively safe, but, practically speaking, everyone is vulnerable. Windows, OS X or Linux - it doesn't make a difference. (But the iPhone/"iTouch" and iPad do make a difference. More on that below.)

When history combines motive (huge revenue hits) with opportunity then "Houston, We have a Problem". Sometimes freaking out is not unwise. 2010 network security is a market failure. The business model of Cloud Computing is in deep trouble.

I think I know how this ends up. Somehow, some day, we will all have layers of identity and data protection, designed so that one layer can fall while others endure. Our most critical data may never be committed to the network, perhaps never on a digital device. If I were running Microsoft, Google or Apple I'd be spending millions on figuring out how to make this relatively seamless.

That part is fuzzy. What's clear is good news for Apple, though everyone else isn't far behind. Untrusted devices, untrusted software, and untrusted networks are all dead. That means shared devices are dead too. Corporations need to own their machines and trust systems, we need to own our machines and trust systems, and when we have both a corporate and a personal identity we need two machines.

Practically speaking, we all need iPhone/iTouch/iPad class devices with screened and validated software that we carry everywhere [1]. That means the equivalent of iOS and App Store, but software apps that provide Google access need to be highly screened. Practically speaking, they need to come from Google or Apple.

We need secure network access. For the moment, that means AT&T 3G rather than, say, Cafe WiFi (Witopia VPN is not quite ready for the mass market). Within the near term we need Apple to make VPN services a part of their MobileMe offering with seamless iOS integration. Apple currently provides remote MobileMe iPhone annihilation, we need the iPhone/iPod Touch FaceTime camera to start doing facial/iris biometrics.

Yes, Apple is oddly well positioned to provide all of these, though Google's ChromeOS may be close behind.

Funny coincidence isn't it? It's almost as though Apple thought this through a few years ago. I wonder what they're planning now to enforce trusted hardware. Oh, right, they bought the A4.

The page is turning on the remnants of 20th century computing. Welcome to the new world.

-- footnotes

[1] Really we need iPhone/iTouch class devices with optional external displays. Maybe in 2013.

See also:

Post-hack posts (past week):
Pre-hack posts

And some warnings of mine that were premature -- because Team Obama converted Great Depression II into the Great Recession.

Friday, September 10, 2010

P vs NP: terrific essay

I've read quite a few discussions about computational complexity and P=NP theorems, including several following a claim of a proof that, as expected P!=NP.

So I have a basis for comparison when I say that Julie Rehmeyer has written the best ever short discussion of computational complexity. It's ostensibly about "crowdsourcing peer review", but you ignore all of that. It's really about explaining the basic problem with bold excursions into the deepest realms of modern mathematics.

So where did Ms. Rehmeyer come from? Her LinkedIn site tells us she's a Wellesley/MIT alumn, which would explain some of it. Surprisingly, she doesn't seem to have a personal blog. That is different. Most freelancers keep a blog even if they only point to recent publications.

Thursday, September 09, 2010

N of 1 trials: lipid variability

In Nov 2009 my Chol was 249, LDL 181. These are unhappy numbers, though risk calculators still gave me about 20th percentile male risks (lipids aren't everything). I resigned myself to statins in a year or so.

Ten months later my Chol was 189, LDL 125. Those are good numbers, they don't merit statins.

I didn't change much between those two tests. The main difference is I weigh about 15 lbs less now than in 2009 [1], but that just moved me from the high end to the low end of recommended weight for my height and build. My diet isn't dramatically different. 

I really wouldn't expect that modest weight reduction to make a large difference in lipid levels. If I'd thought the effect was this big I would have dropped the weight years ago.

Weird. It's just another anecdotal "n of 1" data point, but it reinforces my suspicion that we still don't understand the basics of human metabolism very well.

[1] Thanks to the radical "eat substantially less" diet. I'm a forager, it's relatively easy for me to both lose and gain weight.

Another MSP house blows up

This is the 2nd or 3rd time in the past year a Minneapolis St Paul house has blown up, presumably due to a gas explosion, while sewer line construction work was being done ...

House explodes in Richfield; no one injured | StarTribune.com
... The 3:50 p.m. explosion in the 7600 block of 11th Av. S. leveled the house, set its ruins on fire and sent flames up the sides of two adjacent homes .... The homeowner was away, and his two daughters were in school, according to Richfield Fire Chief Brad Sveum. He confirmed that the family's dog was missing...
We don't know this one was a gas explosion. In similar recent episodes the culprit has been a methodology of constructing gas and sewer lines that led to occasional intersection. When sewer line work is done the gas line is punctured. It's assumed there are many unknown intersections out there, just waiting for sewer line work to expose them. I assume some of these are caught prior to explosion.

It does remind me how crude our world is, that we still pipe astoundingly explosive gas into our homes to create heat. By now we were all supposed to have fusion reactors in the basement (those explosions would be even more impressive).

I wish voters would show more interest in exploding houses, and less interest in Glenn Beck.

Update: To everyone's surprise, the dog turned up. Fur singed all about, but otherwise pretty well.

The Transparent Society - 1920 edition

I've mentioned David Brin's prescient 1999 book, The Transparent Society, a few times. In today's panopticon it's a premature cliche, but he deserves credit for working through so many of its implications.

Credit is also due a work I learned of through a throwaway comment of Melvyn Bragg in a 1999 (30 min!) program on Utopias (Anthony Grayling, John Carey). Lord Bragg mentioned a 1921 novel by Yevgeny Zamyatin called "We". The novel is described in an Amazon review by Leonard Fleisig ...
... WE takes place in the twenty-sixth century where a totalitarian regime has created an extremely regimented society where individual expression simply does not exist. All remnants of individuality have been stripped from its inhabitants including their names. Their names have been replaced with an alpha-numeric system. People are not coupled. Rather, each individual is assigned three friends with whom they can have intimate relations on a rigid schedule established by the state. Those scheduled assignations are the only times the shades in a citizen's glass houses can be closed. Apart from those hourly intervals everyone's life is monitored by the state. As in Orwell's 1984, language has been turned on its head. Freedom means unhappiness and conformity and the submission of individual will to the state means happiness...
Yes, rather like Huxley or Clockwork Orange or 1984. Orwell was a fan but Huxley denied having read We

We certainly belongs in a "panopticon" reading list. Glass houses are the ultimate transparent society.

Archives of In Our Time: Smolin, Gribbin and Greene

Every physics hobbyist should be familiar with the names of Smolin, Gribbin and Greene. All are literate physicists who've written excellent books and essays on tough topics, while still doing exciting research. If you're in this club, you'll love these superb In Our Time programs from the archives.
I'm a fan of Gribbin and Greene in particular. I tagged several Gribbin posts back when I was catching up with modern interpretations of Quantum Mechanics - before we started doing entanglement experiments with grossly macroscopic entities. Greene wrote the best modern physics book of the past decade (the non-string bits are the best), I'm way late to give it a review.

These gentleman turn out to be verbal gymnasts as well as physicists and writers. Really, it's not fair - but at least they share.

Torture is now an American state secret

This does not surprise me. We are a very sick nation ...
"State Secrets" Trump Justice Again | Mother Jones
... the Ninth Circuit Court of Appeals ruled that the so-called "state secrets" privilege protects the government and its contractors from a lawsuit brought by five men who say they were kidnapped, flown to foreign countries, and tortured on the behalf of the American government. Even the ACLU, which supported the men in their suit, acknowledged that the decision "all but shuts the door on accountability for the illegal program."
The 6-5 ruling (PDF) in the case, Mohamed et al. v. Jeppesen Dataplan, rests on the "state secrets" privilege. In the years after September 11, the controversial doctrine has basically acted as a "get out of court free" card for the Bush and Obama administrations in cases related to torture and domestic spying ... the Obama administration, which continued the Bush administration policy of intervening in the case on Jeppesen's behalf, was still able to get a dismissal by saying the magic words "state secrets." ...
... This is a sad day not only for the torture victims whose attempt to seek justice has been extinguished, but for all Americans who care about the rule of law and our nation's reputation in the world. To date, not a single victim of the Bush administration's torture program has had his day in court. If today's decision is allowed to stand, the United States will have closed its courtroom doors to torture victims while providing complete immunity to their torturers. The torture architects and their enablers may have escaped the judgment of this court, but they will not escape the judgment of history.
This is very much in the tradition of states that sanction torture.

Mimicry - more than we imagined

The more we look around, the more mimicry we see ...
Basics - Surviving by Disguising - Nature’s Game of Charades - Natalie Angier - NYTimes.com
...  scientists recently discovered that in some ant species, the queen is a consummate percussionist, equipped with a tiny, uniquely ridged organ for stridulating out royal fanfares that help keep her workers in line. Who knew that the queen was such a squeezebox? Her freeloaders sure did. The scientists also discovered parasitic butterfly larvae in the colony that use their abdominal muscles or other body parts to precisely imitate the queen's stridulations, an act of musical piracy that induces worker ants to flutter and fuss and regurgitate food right into the parasites' mouths...
Dogs mimic humans to communicate with them. I mimic my dog to play with her. Humans mimic one another to facilitate communication, each participant in a conversation adapts to find a common ground. A way for very diverse minds to get along.

Monday, September 06, 2010

The disposable brain - lessons from our elastic axons

The human brain is misplaced. It ought to be inside our pelvic-abdominal cavity, where humans carry babies. Instead it's stuck at the top of a tall biped, fully exposed to all traumas.

Intelligent design, my ass.

Thanks to its bad neighborhood the poor brain is being constantly banged about. Every so often it gets plastered against its membranous sac, typically when a head meets a rapidly moving object such as a sidewalk or a baseball bat. This is not good for something with "the consistency of custard". Evolution has struggled to adjust (emphases mine) ...
The Brain: What Happens to a Linebacker's Neurons? | Carl Zimmer | DISCOVER
... axons are remarkably elastic. They can stretch out slowly to twice their ordinary length and then pull back again without any harm. Axons are stretchy due in part to their flexible internal skeleton. ... When an axon stretches, these microtubules can slide past one another. If the movement is gradual, the microtubules will immediately slide back into place after the stretching stops, with no harm done.
If Smith delivers a quick, sharp puff of air, however, something else entirely happens. Instead of recoiling smoothly, the axon develops kinks. Over the next 40 minutes, the axon gradually returns to its regular shape, but after an hour a series of swellings appears. Each swelling may be up to 50 times as wide as the normal diameter of the axon. Eventually the axon falls apart.
These kinks form, Smith believes, when microtubules are stretched so rapidly that they snap ... Normally, enzymes inside neurons are constantly taking apart microtubules and building new ones with the recycled parts. But now the enzymes attack the broken ends of the microtubules, causing the internal structure of the axon to dissolve...
... Smith’s findings could shed light on a common but puzzling brain trauma known as diffuse axonal injury. This happens when people experience sudden accelerations to the brain—from a bomb’s shock waves, for example, or from whiplash in a car crash ... When pathologists perform autopsies on people with diffuse axonal injury, they see severed axons with swollen tips, just like what Smith sees in his experiments.
Smith’s research also suggests that even mild shocks to the brain can cause serious harm. ... A moderate stretch to an axon, Smith recently found, causes the sodium channels to malfunction. In order to keep the current flowing, the traumatized axons start to build more channels.
Smith suspects that such a mended axon may be able to go on working, but only in a very frail state. Another stretch—even a moderate one—can cause the axon to go haywire ... The axon dies like a shorted-out circuit.
... Preliminary brain studies show that axons are still vulnerable even months after an initial stretch...
Just in case you're not depressed enough yet, wherever you read "axons" substitute the phrase "young axons". Any wagers on how well older axons stretch? Also note that "even months after" doesn't mean they're not vulnerable "years after".

It's interesting, after reading this article, to search PubMed with the phrase "microtubule amyloid axonal injury".  A 2006 paper looked at animal model transient accumulation of neurotoxic amyloid precursor protein after injury. Amyloid protein has, of course, long been associated with Alzheimer's dementia. Head injury is also strongly associated with dementia risk; head injury avoidance is about the only "intervention" known to reduce the risk of Alzheimer's disease. (Don't make too much of this injury/amyloid connection though, researchers have been banging on it since the 1990s. It's not straightforward.)

Short of radical genetic engineering, or spending our lives watching TV with thickly padded carpets, what can we do about our fragile brains? Sure, football is dead. Yes, soccer will lose the header. Sure we can change the rules of hockey. Yes, horseback riding is almost as crazy as riding donorcycles. But, really, have you watched any TV lately? There are worse things than dementia.

Today's helmets are not the answer. Current bicycle helmet designs, for example, don't materially change the rate of anterior impact deceleration. Their primary benefit is to facilitate head gliding and reduce abrasions; they aren't designed to reduce the deceleration injuries that matter -- without severing our wimpy cervical spines. (On road bikes effectiveness is further diminished by paradoxical automobile driver behavior.)

We need to revise our sports (so long NFL), but we also need much better helmets. Air bags anyone?

How to use Amazon reviews

I wrote a negative Amazon review of Apple's battery charger (2/6 batteries were defective). As expected "0 of 2 people found the following review helpful".

This is very common with certain items, such as Apple products, Microsoft products, Christian conservative books, and other products that have "fans". It also happens with lawn mowers and dehumidifiers [1], but in those cases the negative feedback comes from manufacturer employees and retailers.

The "helpful" metric on Amazon reviews is not only worthless, it's harmful. It points people away from important reviews. It's also used to create reviewer rankings, so those are also worse than worthless. (By using these metrics Amazon is setting itself up for emergent fraud.)

There's another weakness of Amazon reviews -- name changes. Just as Google's Ballmer Schmidt tells teens they'll need to rename themselves as adults, so too do vendors change model numbers to dodge bad reputations.

There are workarounds for both problems. Here's how to use Amazon reviews:
  • Always read the negative reviews, even on a 4.5 star product. The two star reviews are usually the best, some of the 1 star reviews are nonsensical.
  • Remember statistics, a 50 review product will usually have meaningful negative reviews.
  • Look at other models by the vendor to defeat name change strategies. Amazon keeps older model information around for a while, so you can usually find the previous model number. Vendors don't change their behaviors as quickly as they change their model numbers.
  • When looking across a product category, sort the category by sales, not by average rating. The rating averages are not discriminating and are unreliable.
  • Give more weight to True Name (authenticated) reviewers. If a review seems unusual, look at other reviews by the same person.
- footnotes

[1] Based on my experiences with appliance purchases over the past few years, I think Sears or even Best Buy are better options than Amazon -- because it is practical to use the warranty.

Why not Depo-Provera dart wild horse mares?

Horses are tougher than they look. Millions used to live in awful conditions before the internal combustion engine filled the world's glue factories. Now, in the absence of wolves and mountain lions they're overflowing their bounded western world and the private lands that stockpile the overflow.

Modern Americans are more sentimental than they were 100 years ago, so we're unwilling to shoot them all. Were I a horse I'd rather be shot than starve or be eaten alive by wolves, but nobody asks the horses.

So why can't we hire cowboys to shoot mares with Depo-Provera in late May? It's cheap stuff, it's used with horses, and it's designed for deposition. Shoot a capsule of it into the mare's buttocks around mating time.

It's been done for lions.

Sunday, September 05, 2010

After the Google Hack: Life in the transparent society

My Google Account (Gmail and more) was hacked on 9/3/10, a day before I wrote about the risks of online backup.

I had a 99th percentile password. It had six letters, four numbers, no words or meaningful sequences. It wouldn't be in a dictionary. On the other hand, like Schneier and other security gurus, I didn't change it often. I also had it stored locally on multiple desktop and iPhone apps. As far as I know it wasn't stored on any reasonably current web app.

If my password had been a bike lock, it would have been one of those high end models. Enough to secure a mid-range bike on the principle that better bikes with cheaper locks were easy to find.

That wasn't enough. For some reason a pro thief [2] decided to pinch my mid-range bike. They didn't do any damage, they didn't seem to send spam [1]. They seem to have unlocked my bike, peeked around, and locked it again.

Why would a pro bother? Trust me, I lead an intensely narrowcast life. It's interesting to only a few people, and boring to everyone else.

On the other hand, it wasn't always so. "I coulda been a contendah." I knew people who have had interesting lives, I still correspond with some. If a pro was interested in me, it was most likely because of someone like that. My visitor was probably looking for correspondence. Once they found it, or confirmed my dullness, they wouldn't have further interest in me.

Fortunately even that correspondence is quite dull.

I've changed my password. The new one is 99.9th percentile. Doesn't matter, I doubt I'm much more secure.

This isn't a complete surprise. Passwords died as a high end security measure about ten years ago. What's more surprising, except in retrospect, is that you don't have to really do anything or be anybody to get some high end attention. You only have to be within 1-2 degrees of separation of someone interesting. Security and "interest" are "social"; even a dull person like me can inherit the security risk of an interesting acquaintance or correspondent.

Welcome to the transparent society. If you put something in the Cloud, you should assume it's public. Draw your own conclusions about the corporate Cloud business model and online backup, and remember your Gmail is public.

footnotes --

[1] Of course they could erase the sent email queue, but I haven't gotten any bounce backs. Anyway, there are much easier ways to send spam.
[2] Russian pro, Chinese government equivalent, etc. Why pro? Because the hacker didn't change my password after they hacked the account, they didn't trash anything obvious, they didn't send out spam, and the access was by an abandoned domain. I'm not vulnerable to keystroke logger hacks except at my place of employment and wifi intercepts are relatively infrequent. Still, it's all probabilities.