Archive for September 2007

Pure Mathematics is not Science   8 comments

This post was inspired by a recent discussion about “mathematics vs cryptography” over on Bruce’s blog, which I found particularly interesting given the discussions going on regarding the nature of scientific theories in my current graduate school class.

There is a fundamental difference between an axiomatic system (like, say, Geometry) and a Science. In an axiomatic system, you have a number of set definitions and a number of statements that are *given to be true* (these are the axioms). The practitioner then formulates a theorem, and proves the theorem to be true using the tool of logic, on the foundation of the axioms. If one of the logical consequences of the theorem contradicts one of your axioms, then the theorem is not true.

Compare this to Science, where instead you have a theory, which you attempt to prove or disprove by running experiments, gathering data, and analyzing the data in the context of what is considered to be the body of knowledge in your particular field. Science is the iterative process of trying to explain observable data using propositions that enable you to expand your capabilities to predict the outcomes of future events.

Mathematics is a *constructive* process – you are attempting to build a logically consistent system. In a real sense, it doesn’t matter at all if your system has any current practical use (the example I gave on Bruce’s blog is that there are no currently known applications for N-space topology). Of course, people will probably be more interested in your theory if you can show it has some real world application, but if your system is consistent, that’s all that is really required.

Science is a *de-constructive* process -> you are attempting to *derive* a logically consistent system given a bunch of experimental data and a bunch of additional theories that are supported in turn by experimental data.

This is one of the fundamental disconnects between a large percentage of non-scientists and people who practice science for a living; people who don’t understand how science actually works think that science is axiomatic; something is either true, or it is not true. Science isn’t like that, kids. As my high school AP Physics instructor said in class one day, “If you’re looking for Truth, go take a Philosophy class”.

Misunderstanding this is where the oft-repeated statement, “[Some particular scientific theory] is JUST A THEORY, you can’t PROVE that it’s true!” comes from. In an axiomatic sense, this is correct, but in a scientific sense it is totally irrelevant, because Science is not an axiomatic system. I can’t PROVE that the Theory of Gravity is true in an axiomatic sense. I can, however, prove that the theory of gravity is useful and therefore ought to be accepted as part of our default understanding of the universe (well, to be precise, I have no desire to do this, but you can read plenty of Newtonian mechanics and physics and if you don’t get it, you’re just not a scientist).

Someday, someone will come along that has a better Theory of Gravity (Einstein did this – ed note), one which explains some things that the original Theory of Gravity did not explain. If those are useful things (they are), and there is no evidence that contradicts the newer Theory of Gravity, then scientists will adopt the newer, improved Theory of Gravity. Yay! This is how Science advances.

[Edited to add 08-22-2008] – another version of this post over at Cosmic Variance, with a follow up here.  Both are good reading.

Posted September 28, 2007 by padraic2112 in noise

Silly Surveys   3 comments

Ann did this on her blog. And I’m occasionally a sucker for these silly things. Her post is here.

In a drunken state I ask you….
What is the most important thing your mother taught you?: To love things beyond their merits
Have you ever voted for yourself in an election?: If nominated, I will not run, if elected, I will not serve. I might seize power unconditionally, though.
What is the first memory you have and how old were you?: About 3, I think. I remember a secret door in the closet of my bedroom that led to the playroom.
What has continually inspired you throughout your life?: The universe is a pretty fantastical place
What is the biggest lesson you have learned so far in life?: As a parent, the love you have for your children has the ability to completely wonk prior priorities
What one thing do you wish to instill the most in your children?: Remember that external validation is largely hollow
What one aspect of your personality do you actively work on to change?: I actively work on all of it. It changes. The two things are related, and not.
What is your favorite mythical creature?: Here be Dragons
Who taught you how to drive?: Nobody, can’t you tell?
Name two historic events that happened in your life.: The Wall Came Down. Challenger Exploded on Takeoff.
If you were invisible for one day, what would you do?: Hang out in the Oval Office with a tape recorder
What is the furthest from home you have ever been?: Australia
Pick a random friend. What do you admire most about them?: Self-honesty
What music are you listening to lately?: old Rush
Give me a quote from a favorite movie of yours.: “Others? When you say ‘Others’, do you mean ‘OTHERS’??? MORE THAN ONE ‘OTHERS’?!?!?!?!”

Posted September 27, 2007 by padraic2112 in noise

Quis custodiet ipsos custodes?   Leave a comment

Information Week reports “Federal Agent Indicted For Using Homeland Security Database To Stalk Girlfriend”.  From the article:

Benjamin Robinson, 40, of Oakland, Calif., was indicted by a federal grand jury in San Jose Wednesday in connection with allegations that he accessed a government database known as the Treasury Enforcement Communications System (TECS) at least 163 times to track a woman’s travel patterns. He is being charged with making a false statement to a government agency, and unlawfully obtaining information from a protected computer. Robinson faces a maximum of 10 years in prison and a fine of $500,000.

Unfortunately, the audit controls on all these DHS computer databases are probably laughably poor, since information management and access policies are difficult to create, especially when there is too much implicit trust in an organization.  I suspect this is not an isolated incident, and it is probably very difficult to catch this sort of behavior.
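The kind of audit check that would have surfaced this pattern, as an added example that is not from the article or from any real TECS/DHS system: it walks constructed audit-log lines and flags a single user repeatedly pulling one subject's record, plus lookups outside an assumed working window. The log format, field names and thresholds are all assumptions for the example.

```python
"""Flag repeated lookups of one subject's record by a single user in a database audit log."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines (assumed format): timestamp, user id, action, subject record id.
SAMPLE_LOG = """\
2007-09-01T08:12:03 agent_a QUERY subj_1042
2007-09-01T08:15:41 agent_a QUERY subj_7781
2007-09-02T09:02:10 agent_a QUERY subj_1042
2007-09-03T18:44:09 agent_a QUERY subj_1042
2007-09-04T22:10:55 agent_a QUERY subj_1042
2007-09-04T10:00:00 agent_b QUERY subj_1042
2007-09-05T11:31:27 agent_a QUERY subj_1042
"""

# Assumed policy: more than this many lookups of one record by one user gets a human review.
REPEAT_THRESHOLD = 4


def parse_log(text):
    """Yield (timestamp, user, subject) for each QUERY line in the audit text."""
    for line in text.splitlines():
        ts, user, action, subject = line.split()
        if action == "QUERY":
            yield datetime.fromisoformat(ts), user, subject


def repeated_lookups(text, threshold=REPEAT_THRESHOLD):
    """Return {(user, subject): count} for user/subject pairs above the threshold.

    Counting per (user, subject) rather than per user alone is what separates
    one person fixating on one record from an agent who is simply busy.
    """
    counts = defaultdict(int)
    for _ts, user, subject in parse_log(text):
        counts[(user, subject)] += 1
    return {pair: n for pair, n in counts.items() if n > threshold}


def after_hours_lookups(text, start_hour=7, end_hour=19):
    """Return (user, subject, timestamp) for lookups outside the assumed working window."""
    return [(user, subject, ts.isoformat())
            for ts, user, subject in parse_log(text)
            if not start_hour <= ts.hour < end_hour]


if __name__ == "__main__":
    print(repeated_lookups(SAMPLE_LOG))    # {('agent_a', 'subj_1042'): 5}
    print(after_hours_lookups(SAMPLE_LOG))  # one 22:10 lookup by agent_a
```

Both signals are cheap to compute from logs most databases can already emit; the hard part the post points at is having someone actually review what they flag.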

Posted September 24, 2007 by padraic2112 in management, security, social

Password Storage   4 comments

Jeff Atwood recently wrote a post to warn his coding brethren that they’re probably doing really bad things with users’ passwords. Reading the comment thread for that blog post convinced me that he’s 100% correct, they are. One commenter, Mats Helander, wrote a very good post about why storing passwords in plaintext ought to be illegal, from which I’m stealing this quote:

In my opinion, this is one of the very rare cases where I think the law should get involved, protecting the developer from having to compromise my security in order to keep his job. The developer should be able to say “No boss, that would be against the law”.

Why should it be illegal?

Because of the simple fact that users reuse their passwords between systems. And that, in combination with an increasingly online life, means that online impersonation is going to become a very serious concern.

… which is one of the points I was arguing in this thread.

If you are assigning an authentication pair (i.e., username/password) to a user, you have an obligation to protect that digital identity, both in your own database *and* in transit.
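What "protecting it in your own database" looks like in practice, as an added example that is not code from this post, from Jeff Atwood's post or from Mats Helander's: instead of the plaintext the thread complains about, store only a per-user salted, iterated PBKDF2 hash and verify with a constant-time compare. The record format and iteration count are assumptions for the example; only the Python standard library is used.

```python
"""Salted, iterated password hashing in place of plaintext storage."""
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for the example; tune the iteration count upward for production hardware.
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Return the record to persist: algorithm, iterations, salt and derived key.

    The password itself is never stored. A fresh random salt per user means two
    users who reused the same password (the thread's core worry) get different records,
    and a leaked table cannot be attacked with one precomputed lookup for everyone.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    hash_name = algo.split("_", 1)[1]
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    # Constructed sample: two accounts that reused one password still get distinct records.
    rec_a = store_hashed("correct horse")
    rec_b = store_hashed("correct horse")
    print(rec_a != rec_b, verify("correct horse", rec_a), verify("wrong", rec_a))  # True True False
```

Storing the iteration count inside the record lets you raise it later and re-hash each user on their next successful login without a flag day.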

Posted September 19, 2007 by padraic2112 in security, software, web sites

All Your Updates Are Belong to Us   Leave a comment

This story has some pretty scary implications given the trusted insider problem.

From the InformationWeek post:

Windows Update does not automatically update itself if automatic updates are turned off, according to Microsoft’s Clinton. However, Windows Secrets reports that it found the updates downloaded and installed even under those circumstances. Even Microsoft’s own reports appear to be inconsistent: Windows program manager Nick White writes on his blog that “self-updating is done regardless of whether the user has enabled automatic checking, download and/or installation of updates.”

I can verify that these updates are installed automatically, and silently, if you have automatic updates enabled.

Aside from the obvious ethical implications here, this is a potentially heart-stopping nightmare of a back door.

Posted September 19, 2007 by padraic2112 in OS, security, software, tech, Windows

Intelligent Access Seminar   Leave a comment

I attended this seminar on Tuesday, and found parts of it very interesting.  If you’re in New York or Toronto, they’re coming soon to a venue near you.  Full day attendance is worth 5 credits towards your CISSP (if you have one), so if you’re a bit short on credits to keep you current, here’s a quick fiver.

It’s a vendor-sponsored event, but until the “technology in action” part (the last half-hour of the day), when an IBM representative came out (and gave a largely unimpressive talk about IBM services), the sessions were almost entirely vendor-neutral and spurred some interesting conversation.  I was very impressed with David Sherry’s talk about his IM (Identity Management) project at Citizen’s Bank.  He talked not only about the practical benefits of the project, but also discussed lessons learned, project management issues, and how he dealt with various groups politically.  If you’re planning an identity management project, you could do a lot worse than to talk to David.

Additionally, Mark Diodati of the Burton Group gave one excellent talk (about the strong auth marketplace) and one pretty good talk (regarding identity management).  Without getting into overwhelming technical detail, he discussed some interesting strong authentication products in the context of well-matched deployments.  I’ll give Mark a lot of credit here, his second talk (Digging into Stronger Authentication) was after lunch and he kept the crowd engaged, which isn’t easy when you have a room full of full bellies.  It was also immensely practical.

Posted September 19, 2007 by padraic2112 in management, security, tech

On the Bookshelf: The Craft of Research   Leave a comment

I finished the first book for IS 360 last week; there are some blog posts about it on the class community blog.

I thought this was an excellent book for an introduction to research, and I should add “mandatory reading of this book” to the post about blogging etiquette as part of #4.

Frankly, it bothers me that logic and rhetoric are no longer part of the high school curriculum. The level of public discourse regarding research, theory, and proof in this country is horrid, and is unlikely to get better as long as it is considered acceptable to consider yourself “informed” on a topic if you’ve read a few op-ed pieces and listen to talk radio.

“The Craft of Research”, or some book like it, should be mandatory reading for college undergraduates by the time they hit their sophomore year at the least.

Posted September 17, 2007 by padraic2112 in books, msis

IS 360   Leave a comment

New class begins next Monday night -> IS 360: Principles of Information Science Research Methods.  Bibliography for the class is being added to my CiteULike page.

Yes, there is an unnecessarily verbose formal title for the class, but I have to admit I’m looking forward to this one.  Research methodology is something that is generally overlooked in the U.S. educational system; even a great number of graduate programs don’t teach people how to do research, especially scientific research.  As a non-practicing mathematician and a fan of formal logical systems, I’m looking forward to reading the books, not to mention the couple of dozen research articles we’re going to critique as part of the class.

It was nice taking the second half of the summer off, but I’m getting geared back up for gray matter training.   Graduate school is much more rewarding when you’ve been in the workforce for a while.

Posted September 4, 2007 by padraic2112 in msis, newsflash

Bit Commitment and Collisions   Leave a comment

Matt Blaze wrote a blog post at the beginning of the year that does a most excellent job of detailing to the non-cryptogeek some of the difficulties inherent in one of the fundamental problems in security: establishing trust.

Two particularly well turned phrases from the post:

“It can be very difficult to convince even an expert in the field that a proposed protocol is secure and fair. I’m not aware of any such protocol that’s also easily understandable to a non-specialist. Arcane complexity is a regrettably common feature in modern cryptography.”

“The first requirement for a democratic election is that voters understand and have confidence in the outcome. The crypto-based voting systems proposed thus far by and large fail this test from the start. Voting, like psychic debunking, is first and last a human-scale problem.”

The longer you work in this field of IT, the more you ought to realize the truth: most of the problems you are tasked with trying to solve are not technology problems.  The technology problems you solve are symptoms, not root causes.  In the end, all IT projects are people projects.

Posted September 4, 2007 by padraic2112 in management, security, social, tech