Tuesday, September 21, 2010

If I were rational, I'd vote GOP

I consider myself relatively rational.

I believe the GOP is the anti-civilization party. A vote for the GOP is a vote for the collapse of our technocentric science-dependent society.

I also believe the greatest threat to human survival is artificial sentience, and I think it will happen within 100 years. It might happen within the lifespan of my children.

Unless civilization collapses.

How rational am I?

Dentistry

What's the chance that our dentistry practices are optimal?

Think about it.

Many of the practices of 1980 medicine have been found ineffective or even misguided.

Remember estrogen therapy?  If you're a physician of a certain age, that question should make you shudder.

But we still brush and floss much as we did in 1980?

Do you really think we got it right the first time?

Or is it that we really don't do dental prevention research?

Imagine the cost if we've got it wrong.

Monday, September 20, 2010

Google's two factor authentication and why you need four OpenID accounts

My Google account was hacked two weeks ago, so today Google is deploying two factor authentication to (paid) Google Apps.

What, you think that's coincidental? You underestimate my power (cue mad laughter).

This is a good thing, but it won't prevent a keystroke logger from pinching your password if you use an insecure (e.g. XP) machine. On the other hand, maybe I'll switch to a trivial password and just rely on the more robust 2nd factor.

Which brings me to OpenID and OAuth. In my latest post-hack "what am I doing" post I warned against OpenID. The only thing worse than losing a critical password to keystroke logging is losing a critical OpenID password.

Since then I've been thinking about where we're going, and I think there's a place for OpenID/OAuth and two factor authentication. More specifically, there's a role for multiple OAuth (I'll drop the /OpenID for now) accounts - one for each of the five credential classes.

What's a credential class? Think in terms of how you'd feel about someone taking your credentials ...
I: You want it? Take it.
II: I'd rather you didn't.
III: Help!! Help!! 
IV: I'll fight you for it.
V: Kreegah bundolo! Kill!! 
We need a master account with Category V security. The One Ring account has two factor authentication and a robust reset procedure that might involve banks and other identity authentication services. It may be tied to a strong identity as well, but that's another post. You only enter these Category V credentials on a secure machine and an encrypted connection. The Master Account can be used to override and change the passwords on lesser accounts.

From the master account we have four other credentials (un/pw combinations), each with OpenID/OAuth services.

The Class IV credential service is what we use with Gmail and a range of high-end OpenID/OAuth services like banks. We enter these credentials only on a secure machine - but there's a degree of comfort from having a Class V account that can change passwords. On less secure machines maybe we use two factor authentication.

The Class III credentials are what we use anywhere that has credit card capabilities. Use these for Amazon and iTunes.

Class II credentials are for your spam only Yahoo email and the New York Times.

Class I credentials are for the Minneapolis Star Tribune.

In a world of widespread OAuth/OpenID type services and this type of master account we really need to know five passwords, and only three of them have to be decent passwords. We can manage that.
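As an added illustration (not from the original post, and not any real OpenID/OAuth provider's code), here is a small model of the five credential classes: which classes may be typed on which kind of machine, what one stolen username/password of a given class exposes, and how the Class V master account rotates a lesser class. The service-to-class assignments and the entry policy are assumptions read off the post.

```python
from dataclasses import dataclass, field

# Credential classes from the post, least to most sensitive (assumed labels).
CLASSES = {1: "You want it? Take it.", 2: "I'd rather you didn't.",
           3: "Help!! Help!!", 4: "I'll fight you for it.", 5: "Kreegah bundolo!"}


def may_enter(cls, secure_machine, encrypted, second_factor):
    """Assumed entry policy distilled from the post:
    class 5: secure machine AND encrypted connection, never elsewhere;
    class 4: secure machine, or a less secure machine only with a 2nd factor;
    class 3 and below: no restriction stated."""
    if cls == 5:
        return secure_machine and encrypted
    if cls == 4:
        return secure_machine or second_factor
    return True


@dataclass
class Vault:
    """One shared un/pw per class; services bind to a class, not a password."""
    services: dict = field(default_factory=dict)           # service -> class
    generation: dict = field(default_factory=lambda: {c: 0 for c in CLASSES})

    def bind(self, service, cls):
        self.services[service] = cls

    def exposed_by_theft(self, stolen_cls):
        """Services reachable with a single stolen credential of stolen_cls.
        Separation is the point: a Class II password typed on a keylogged
        machine does not reach Class III or above."""
        return sorted(s for s, c in self.services.items() if c == stolen_cls)

    def master_reset(self, cls):
        """Class V override: rotate the password of a lesser class and
        return its new generation number."""
        if cls == 5:
            raise ValueError("the master account is reset out of band, not here")
        self.generation[cls] += 1
        return self.generation[cls]


def build_example_vault():
    # Constructed sample bindings following the post's examples.
    v = Vault()
    for service, cls in [("Gmail", 4), ("Bank", 4), ("Amazon", 3), ("iTunes", 3),
                         ("Yahoo spam mail", 2), ("New York Times", 2),
                         ("Minneapolis Star Tribune", 1)]:
        v.bind(service, cls)
    return v


def keylogger_scenario():
    """A keylogged, unencrypted machine with no 2nd factor: policy refuses
    Class IV and V entry, so the worst a logger there can take is Class III,
    and the master account can then rotate that class."""
    v = build_example_vault()
    refused = [c for c in CLASSES if not may_enter(c, False, False, False)]
    worst = max(c for c in CLASSES if c not in refused)
    exposed = v.exposed_by_theft(worst)
    new_gen = v.master_reset(worst)
    return refused, exposed, new_gen


if __name__ == "__main__":
    print(keylogger_scenario())   # ([4, 5], ['Amazon', 'iTunes'], 1)
```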

This is where we will go.

We can do it now of course, by setting up five Google accounts. It will probably get a lot easier when Google Apps start providing full Google account services for each user, with optional two factor authentication.

In fact, this is so simple I'm surprised MyOpenID doesn't do it already.

Maybe in two weeks.

Bayes theorem - in a nutshell

xkcd: Conditional Risk. Beautiful. Should be the first graphic in any lecture on Bayesian statistics.

Sunday, September 19, 2010

Yes, you're living at the end time - emulating the 6502 chip

jwz - Visual Transistor-level Simulation of the 6502 - in Javascript. This team uses photographs of the 6502 chip to create a model of the circuits and their interactions, allowing the physical chip to be modeled ...
Visual 6502 FAQ
.... There are many excellent emulators available, but emulation is approximation. It can be extremely difficult to create an accurate emulator, because the typical approach to writing an emulator is to glean information from chip specification documents or more rarely from any chip schematics that happen to be available. This information is always incomplete and even the original chip logic schematics (also Verilog and VHDL code) can differ from what was actually built in silicon (see ECO). A disciplined emulator will capture and use traces of actual chip behavior, but it's near impossible to capture the billions of sequences of bits that a real chip gives rise to. Instead, we build a virtual chip by modeling and simulating the actual microscopic parts of a physical chip. We're interested in accurately preserving historic designs. It's archaeology for microchips.
While a multitude of people understand the instruction set for the 6502, almost no one, apart from the original designers, understands how the physical chip achieves this instruction set. The design is as elegant and sophisticated as any program written for the 6502. As digital archaeologists, we invite the current generation of hardware and software engineers to appreciate the work of the small number of designers who created the basis of everything we do today...

GV Mobile is back. What's next?

This pusillanimous Apple web site document justifies a reasonable amount of Apple hatred. It was written after Apple declared war on Google in July of 2009 ...
Apple Answers the FCC’s Questions 
Contrary to published reports, Apple has not rejected the Google Voice application, and continues to study it....
The following applications also fall into this category.

  • Name: GVDialer / GVDialer Lite... 
  • Name: VoiceCentral.. 
  • Name: GV Mobile / GV Mobile Free...
One of the most wretched things about this press release is that none of the complaints Apple had with Google's application (some legitimate) actually applied to GV Mobile and its competitors. Banning them, along with Google Apps like Latitude, was proof that Apple wasn't protecting the user experience, they were in a commerce war with Google.

Since then the FTC has been squeezing Apple, and GV Mobile is back (bit of a botched debut though). I wonder if they pointed out that while Apple might get away with blocking Google Voice, they had gone too far when they blocked GV Mobile. If that's true, I wonder if we'll see other Google related apps appear, like a Google Latitude client that actually works (sorry Latitudie).


PS. Yes, I know the formatting of this post is a mess. Google has outsourced their Blogger rich text editor to Microsoft Adobe. You have a better explanation? (I wrote Microsoft, but, really, this stuff they do well.)

Saturday, September 18, 2010

Muslim world - I'm sorry too

Nicholas Kristof apologizes for his fellow Americans ...
Nicholas Kristof - Message to Muslims - I’m Sorry - NYTimes.com

Many Americans have suggested that more moderate Muslims should stand up to extremists, speak out for tolerance, and apologize for sins committed by their brethren.

That’s reasonable advice, and as a moderate myself, I’m going to take it. (Throat clearing.) I hereby apologize to Muslims for the wave of bigotry and simple nuttiness that has lately been directed at you. The venom on the airwaves, equating Muslims with terrorists, should embarrass us more than you. Muslims are one of the last minorities in the United States that it is still possible to demean openly, and I apologize for the slurs.
I don't agree that moderate Muslims should apologize for their brethren's sin. Otherwise, I liked the essay.

Even though I don't believe in the cultural or tribal inheritance of sin, I'm personally ok with apologizing for American whackos. Sorry everyone, we have more than our share of frightened people living in a world they can't understand. We also have Newt Gingrich, but he's just a psychopath.

Monday, September 13, 2010

Technological regressions: two examples

Two examples of technological regressions.
  1. Typing. I'm filling out hockey forms. By printing with a pen. Once upon a time I might have typed them. I was a fast typist.
  2. Reliable phone calls. Switched circuit calling was inefficient, but the quality was excellent. Now we have layers of VOIP everywhere -- and it's nowhere near as good as switched circuit. When you add mobile delays to VOIP home phones to VOIP teleconferencing systems you get voice quality from 1940s long distance.
I'm sure there are others ...

RIP Bloglines. So is the feed next?

Bloglines is closing - at last.

It was a mercy killing. I started out with NetNewsWire on OS X, but Bloglines is what I remember -- starting in 2004. They were good then. When Reader first appeared in October 2005 Bloglines was clearly superior.

In 2006 Bloglines was acquired by Ask.com, and they rolled out a nice constrained search feature.

That was the high water mark. After the acquisition Bloglines was put in the freezer, but Reader kept getting better. I started playing with Reader in late 2006, but I was still a Bloglines guy in July 2007. I did note, however, that the feeds were updating erratically.

That was a bad sign, but not as bad a sign as the failure to develop a mobile version of Bloglines. My iPhone made me switch to Reader for good in August of 2008. By September of 2008 there was no comparison - Google Reader was clearly better.

In retrospect Bloglines died in July 2007 -- more than three years ago. I assume Ask.com kept it around while they looked for a buyer who'd sell it into the corporate marketplace. (I tried to persuade Ask.com that this was a good idea). Maybe Bloglines had some secret revenue somehow.

Even though Bloglines was well past its due date, the formal expiration has produced the usual comments about the death of the Feed Reader. I am sure none of those commentators actually used Bloglines in the past year or two.

Even if we disregard the uninformed, however, it is true that Onfolio (Win), Omea Pro, and Newsgator Inbox all expired alongside Bloglines. They were done in by the combination of Outlook 2007 (abysmal reader - like OS X Mail.app, but workflow is good) and Google Reader. On the other hand, iOS and Android have produced a new crop of very useful clients (albeit all Reader clients!) and OS X has Safari (fair) and NetNewsWire (still!).

Between Outlook 2007, Google Reader, and OS X/iOS/Android readers we're probably neutral to positive across the Feed Reader landscape over the past four years. What about use of feeds then? Google has some numbers ...
Official Google Reader Blog: A welcome and a look back 
... Since Reader's fifth anniversary is also approaching (though it feels like yesterday, Reader was launched on October 7, 2005), we thought it might be a good time to reflect on how Reader has grown over the past few years.... Here's a graph of Reader users over time (where 'user' is defined as someone who has used Reader at least once a week)...
And as we found out this past April, Reader users sure do like to read lots of items. Here's another graph, this time of the number of items read per day...
The graphs would be more interesting if the y axis were (cough) labeled, but there's pretty respectable growth -- albeit with a 2010 plateau that's only now turned upwards again.

As a consumer of feeds I can report the quality remains excellent. Some of my favorite writers have slowed down, but many of them do return over time.  I particularly appreciate the combination of direct feeds and shared items from the Readers I follow. The Notes/Comments muckup makes my teeth ache, but Reader remains one of Google's best products.

Readers aren't for everyone (though they should be), but for infovores they are red hot data joy. It's a big world, and the infovore community is big enough, and geek-powerful enough, that feeds and readers have years to go.

After all, Google is clearly a fan.

Sunday, September 12, 2010

After the hack: Why you REALLY shouldn't do personal business on a corporate machine

Corporations hate employees doing personal business on office machines.

I, of course, have never done this. I've certainly not checked my family calendar, or managed personal email, or browsed my Google Reader feeds on my corporate laptop, either at home or at the office.

Corporations hate this because employees should be working. Besides, it's an obvious security risk. Employees visiting off-color web sites are sure to bring viruses to work.

I agree. Sort of. Specifically I agree employees shouldn't use their Google credentials on corporate machines, and I agree there's a security risk -- for someone.

Mostly, though, the security risk is for the employee, not the corporation.

Let me explain why.

As best I can tell the average large publicly traded company admits to at least one major XP malware attack every 4-12 months. I expect the real number is twice that. That's a pretty high attack rate. A lot of this malware, like Lemir.VA, incorporates a keylogger function. This malware captures usernames and passwords and sends them on.

If you check your family calendar at work, that would include your Google credentials. Your robust password is now meaningless; you will be hacked like I was.

That's at work. How about at home? Well, in our OS X/iOS household we haven't had a malware attack for over five ten years. My home is far more secure than my workplace.

It's safe to access Google from home. It's not safe to access Google from my office.

So you shouldn't use the office computer for personal work after all. It's in a very bad neighborhood; you really don't want to take your Google credentials there.

Saturday, September 11, 2010

The Religion Poverty correlation - cause?

Religiosity and national wealth are inversely correlated.

This is not a new finding, though the linked graph is novel. The US is an obvious outlier. Iran used to be an outlier too -- more religious than expected. I can't find it on the chart, but I believe Iran is much poorer than it used to be, and perhaps less religious too.

The usual assumption is that as a nation becomes wealthy, and better educated, it becomes less religious. Of course it could be the other way around. It might be that religiosity makes a nation poorer.

That would explain Iran. And the US too, I suppose.

Most likely, however, both wealth and religiosity are more directly related to national education levels.

We're crazy now. We were crazier forty years ago.

Limbaugh. Beck. Palin. Bachman. Pawlenty. Mosque madness. Burning Qu'rans. Marketarianism. Denialism. Birther. Truther. American torture.

We're certifiable. It's not just 9/11 -- we elected Cheney and denied reason before that. It took 9/11 though, to really put us in asylum territory.

If you care about humanity, or your own family, it's a wee bit depressing. That's why I liked Graham Burnett's Orion article. It's ostensibly about dolphins, but it tells the story of a peculiar man in a peculiar time not so long ago...
A Mind in the Water | Orion Magazine

... who was Lilly? His early biography offers little hint of what would be his enduring obsession with the bottlenose. Taking a degree in physics from Caltech in 1938, Lilly headed off to study medicine at the University of Pennsylvania, joining the war effort as a researcher in avionics. An early photo shows him as a rakish young scientist, smoking a corncob pipe while tinkering with a device designed to monitor the blood pressure of American flyboys—a number of whom, in those days, were actually using surfacing cetaceans for strafing practice.

After the war, motivated in large part by contact with the pioneering brain surgeon Wilder Penfield, Lilly turned his hand to neuroscience, applying the era’s expanding array of solid-state electronic devices to the monitoring and mapping of the central nervous system. Eventually appointed to a research position at the National Institutes of Mental Health (NIMH), Lilly spent the better part of a decade conducting invasive cortical vivisection on a variety of animals, particularly macaques. In the spy-versus-spy world of the high Cold War, this kind of work had undeniably creepy dimensions. Manchurian Candidate anxieties about “forced indoctrination” and pharmacological manipulation of political loyalties peaked in the 1950s, and security establishment spooks (as well as a few actual thugs) hung around the edges of the laboratories where scientists were hammering electrodes into primate brains...
Caltech alumnus. Medical training in Pennsylvania. Went into the tech industry. That's way too close to my life.

There are other intersections. I loved dolphins as a child; I'm sure I read his 1960 Man and Dolphin -- or at least the derivative works. (I was born in 1959, but in those days books lasted a long time in public libraries.)

Lilly was genuinely crazy, but, as Burnett reveals, so was his time.

This may come as a surprise to some. My generation has been keeping the 1970s in the attic, pretending it never happened. We got rid of all the books and most of the movies (the early music we kept). We had lots of help -- everyone from that time has something to hide. The 1960s made a good distraction.

It's been forty years though. There are curious adults alive today with nothing to hide. They're going to start poking around the attic.

They'll find that the 1970s were seriously crazy. Yeah, America's nuts now, but, the good news is, we were at least as crazy then.

Thunder in the Cloud: Lessons from my hacked Google Account

It was just another week in the age of insecurity. Yet another low tech Windows-only trojan spread throughout American corporations, costing a day or so of economic output and probably acquiring a rich bounty of passwords. Twitter implemented a defective OAuth security framework. Oh, and my Google (Gmail) account was hacked.

The last of these was the most important.

Cough. Go ahead, laugh. Check back in three years and we'll talk. For now, trust me on this. There are some interesting implications.

First though, a quick review. Nothing obvious was done to my Cloud data by the hacker; I only know of the hack because of defenses Google put in place after they were hacked by China. Secondly, I used a robust and unique password on my primary Google account and I'm a Phishing/social engineering hard target. So, in order of descending probability, the security flaw was
  • Keystroke logging > Google false alarm (no hack) > iPhone app credential theft > WiFi intercepts >> Google was hacked > password/brute force attack.
I changed my password, but that doesn't deal with the real security problems (keystroke logging, WiFi intercepts, App credential theft). The other changes I'm making are more important.

That's the background. Why is this interesting? It's interesting because of what we can infer about motives, and the implications for the future of Cloud computing, iOS devices, and Apple.

Consider first the motives. The hackers owned my Google credentials for 24 hours, but they did nothing. They didn't change my passwords, they didn't send any email. The most likely explanation is that the next move was to identify and attack our mutual fund accounts by taking advantage of harvested data (58,000 emails, hundreds of Google Docs), accessible internet data, and the stupidity of mutual fund security systems.

We're not rich by American standards, but emptying our accounts would be a good return on investment for most organized criminal organizations.

Secondly if I can be hacked like this, anyone can. I am the canary in this coal mine, and I just keeled over.

Ok, maybe the impractically pure and young Cryptonomicon live-in-a-thumb-drive-VM-with-SSL geeks are relatively safe, but, practically speaking, everyone is vulnerable. Windows, OS X or Linux - it doesn't make a difference. (But the iPhone/"iTouch" and iPad do make a difference. More on that below.)

When history combines motive (huge revenue hits) with opportunity then "Houston, We have a Problem". Sometimes freaking out is not unwise. 2010 network security is a market failure. The business model of Cloud Computing is in deep trouble.

I think I know how this ends up. Somehow, some day, we will all have layers of identity and data protection, designed so that one layer can fall while others endure. Our most critical data may never be committed to the network, perhaps never on a digital device. If I were running Microsoft, Google or Apple I'd be spending millions on figuring out how to make this relatively seamless.

That part is fuzzy. What's clear is good news for Apple, though everyone else isn't far behind. Untrusted devices, untrusted software, and untrusted networks are all dead. That means shared devices are dead too. Corporations need to own their machines and trust systems, we need to own our machines and trust systems, and when we have both a corporate and a personal identity we need two machines.

Practically speaking, we all need iPhone/iTouch/iPad class devices with screened and validated software that we carry everywhere [1]. That means the equivalent of iOS and App Store, but software apps that provide Google access need to be highly screened. (Practically speaking, they need to come from Google or Apple.)

We need secure network access. For the moment, that means AT&T 3G rather than, say, Cafe WiFi (Witopia VPN is not quite ready for the mass market). Within the near term we need Apple to make VPN services a part of their MobileMe offering with seamless iOS integration. Apple currently provides remote MobileMe iPhone annihilation, we need the iPhone/iPod Touch FaceTime camera to start doing facial/iris biometrics.

Yes, Apple is oddly well positioned to provide all of these, though Google's ChromeOS may be close behind.

Funny coincidence isn't it? It's almost as though Apple thought this through a few years ago. I wonder what they're planning now to enforce trusted hardware. Oh, right, they bought the A4.

The page is turning on the remnants of 20th century computing. Welcome to the new world.

-- footnotes

[1] Really we need iPhone/iTouch class devices with optional external displays. Maybe in 2013.

See also:

Post-hack posts (past week):
Pre-hack posts

And some warnings of mine that were premature -- because Team Obama converted Great Depression II into the Great Recession.

Friday, September 10, 2010

P vs NP: terrific essay

I've read quite a few discussions about computational complexity and P=NP theorems, including several following a claim of a proof that, as expected, P!=NP.

So I have a basis for comparison when I say that Julie Rehmeyer has written the best ever short discussion of computational complexity. It's ostensibly about "crowdsourcing peer review", but you ignore all of that. It's really about explaining the basic problem with bold excursions into the deepest realms of modern mathematics.

So where did Ms. Rehmeyer come from? Her LinkedIn site tells us she's a Wellesley/MIT alumna, which would explain some of it. Surprisingly, she doesn't seem to have a personal blog. That is different. Most freelancers keep a blog even if they only point to recent publications.

Thursday, September 09, 2010

No of 1 trials: lipid variability

In Nov 2009 my Chol was 249, LDL 181. These are unhappy numbers, though risk calculators still gave me about 20th percentile male risks (lipids aren't everything). I resigned myself to statins in a year or so.

Ten months later my Chol was 189, LDL 125. Those are good numbers, they don't merit statins.

I didn't change much between those two tests. The main difference is I weigh about 15 lbs less now than in 2009 [1], but that just moved me from the high end to the low end of recommended weight for my height and build. My diet isn't dramatically different. 

I really wouldn't expect that modest weight reduction to make a large difference in lipid levels. If I'd thought the effect was this big I would have dropped the weight years ago.

Weird. It's just another anecdotal "n of 1" data point, but it reinforces my suspicion that we still don't understand the basics of human metabolism very well.

[1] Thanks to the radical "eat substantially less" diet. I'm a forager, it's relatively easy for me to both lose and gain weight.