Friday Squid Blogging: Sharp-Eared Enope Squid

Beautiful photo of a three-inch-long squid.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Read my blog posting guidelines here.

Posted on February 15, 2019 at 4:24 PM • 76 Comments

Comments

Clive Robinson • February 15, 2019 5:11 PM

It would appear we are getting much closer to Quantum Repeaters without which Quantum Key Distribution thus Quantum Communications is a bit of a niche toy,

https://spectrum.ieee.org/tech-talk/telecom/internet/quantum-repeater-trial-ignites-hopes-for-longdistance-quantum-cryptography-and-computation

However... this only sort of solves one of the problems of QKD; the real biggie is "switching", which is a bit of an issue at the best of times with fiber optics. It might also account for why the Chinese went for using a "free space" system based around a line of sight satellite for their system.

Oh and a book that might be of interest to some people,

https://spectrum.ieee.org/geek-life/reviews/when-good-engineers-write-bad-software

Sherman Jerrold • February 15, 2019 5:15 PM

I looked at the photo of that squid. It is quite ethereal. I also found the thumbnail of the manta rays on the left of the page fascinating. I've always felt they were one of the most graceful sea creatures and the fact that they (like many cetaceans) grow so large feeding on such tiny bits of food is rather amazing. In regard to security in the natural world, I always wondered how they survived being so docile and apparently un-armed/defenseless in an ocean of predators. (I sometimes feel rather defenseless and vulnerable in the ever growing Internet sea of predators).

Clive Robinson • February 15, 2019 6:02 PM

@ Nick P and the usual suspects,

Back in the 1980s Amdahl tried to increase computing power by putting everything on a single silicon wafer. The problem was the defects per square area. Amdahl's idea not just crashed and burned, it "cratered" because of the defect issue.

Well some have taken a fresh look at the problem, and have decided using a large wafer as a PCB replacement where tested chips are welded into place is a way to get around the defect issue,

https://spectrum.ieee.org/tech-talk/semiconductors/processors/whats-better-than-40-gpubased-servers-a-server-with-40-gpus

I guess the next issue is not just "power conversion" but that ultimate and absolutely unavoidable form of pollution "non-coherent thermal energy" or what the rest of us call "heat". A back of a napkin calculation --with the usual fudges-- suggests modern "heat pipe" technology may not be up to it.

Clive Robinson • February 15, 2019 6:28 PM

@ Sherman Jerrold,

manta rays ... I always wondered how they survived being so docile and apparently un-armed/defenseless in an ocean of predators.

Unlike most rays the manta (cloak) rays do not have the defensive spines which are quite capable of killing humans and other large predators.

The manta actually has few "natural" predators: killer whales and large sharks. Proportionately the manta has a much larger brain than other rays and sharks, which might make up for their lack of defenses.

Unfortunately though "Asian medicine" regards certain small parts of mantas as having special properties, and their large physical size (~7m & 1.34ton) means they are often caught up in nets as "bycatch", so mankind is their worst predator.

I also like the other rays who even in captivity appear to have more curiosity than cats and in their own way can be quite playful.

Wael • February 15, 2019 7:36 PM

@Clive Robinson, @Nick P, all,

The problem was the defects per square area. Amdahl's idea not just crashed and burned, it "cratered" because of the defect issue.

Heat dissipation is a factor as well. Clever usage of "crash and burn".

Rach El • February 15, 2019 9:52 PM

Mr Clive Robinson

I hope you write as long a post as you feel the urge to. The only people entitled to respond negatively are Mr Schneier and Anonymous Moderator. Anyone finding your posts too long can abort reading or scroll over them. The rest of us will enjoy and benefit. And, unlike you or me, your posts will last forever.

JG4

looks like I'm taking it into the weeds again
Food security also relevant in times of scarcity.
http://nourishingtraditions.com/

'Nourishing Traditions' by Sally Fallon. Her work is an extension of the research into indigenous diets by Weston A Price and she heads his foundation. Mr Price found no exclusively vegetarian society, and also fermented foods featured in every single one.
The aforementioned text singles out organ meats as offering essential and outstanding nutrition, and it discusses each in great detail including many recipes. Organic organ meat only recommended. Note, those on subsistence incomes are still able to source a good many organic organ meats for the most minimal price indeed.
I am not an advocate of eating animals but I'm able to hold conflicting beliefs simultaneously. It's an excellent book


Rach El • February 15, 2019 9:58 PM

JG4

thanks for the occasional shout-out. RE: treating PTSD with electricity. You basically said everything I might have responded with. EMDR (eye movement desensitisation and reprocessing) has proven highly effective. 'Brain Scanning' is the version I've found the most comprehensive. Influencing the optic nerve allows access to all cerebral tissue potentially allowing intra communication and integration not previously possible in the fragmentation derived from PTSD - which we now know is an entirely, exclusively physiological condition

Wael
sad to hear of your investments getting forked up. May prosperity rain upon you in every way, golden and otherwise

Wael • February 15, 2019 10:26 PM

@Rach El,

sad to hear of your investments...

Thank you. Don't be sad. I'm not. Doesn't bother me a bit :)

Clive Robinson • February 16, 2019 6:54 AM

@ Rach El,

Mr Price found no exclusively vegetarian society, and also fermented foods featured in every single one.

As a scientist --not nutritionalist what ever they may be-- will tell you there are three basic types of food we eat, protein, fat, carbohydrate. Only the first two are essential to sustained living. However there are a group of other chemicals we need that we get with our food which we call vitamins and minerals. At one time or another we had the ability to make most of our vitamins and other "essential nutrients" but over tens of thousands of years we have lost the ability thus are now reliant on other creatures to do the work our bodies and their biomes can no longer do.

One of the reasons we have fermented foods in our diet is we would become quite ill (share cropper disease) without them, thus that black sticky mess that kids just love to play with but not eat (marmite) adds a number of nutrients we most definitely need. Likewise we know of "scurvy" and the need for vitamin C which is preserved in fermented/pickled products. The list is quite long...

But,

The aforementioned text singles out organ meats as offering essential and outstanding nutrition,

The organs are known as "offal", "lights", "sweetmeats" or "sweetbreads". Medieval history teaches us a few lessons about them...

Rabbit meat is insufficient to keep you alive, you need the rabbit to be "fat" as well as eat the internal organs otherwise whilst "Mr floppsy" will survive the winter on very lean nutrition you however will not survive by killing him and eating his carcass... Also whilst breeding rabbits is not too difficult they are in the main bad tempered individuals and you can fully expect to be bitten and scratched a lot. However they are a lot more "energy efficient" than chickens but not quite as good as goats and rats both of which appear capable of not just surviving but thriving on what looks like cardboard to most of us... My least favourite small holding livestock is pigs, they have their uses but...

One use for pigs used to be to "clear land" basically pen them in and they will not just eat all the vegetable matter they will turn the soil over for roots etc. This makes them quite inefficient as plant to meat conversion, but I ask myself who can live without a bacon sandwich ;-)

A more efficient way to clear land these days is with straw and potatoes... Trample or roll existing vegetation flat, cover with straw water well roll flat again add a new layer of straw and put in seed potatoes. The potatoes will require minimum effort to lift and being one of the "whole foods" you can survive on them alone through winter (just learn how to make a "potato clamp" to keep them at their best). One to two years of this straw and potato treatment is usually enough such that all the other plants have given up and you can then plant beans or other pulses the following year to fix nitrogen into the soil for cabbages and the like the following year. Then a steady crop rotation thereafter.

Oh and with a little care another plant will grow in straw which many quite like and that's the "Strawberry" with those, apples and preserving jars you can certainly improve not just the flavour of what we now call puddings but main course dishes as well.

The hard survival items to make are not fermented preserved products or air dried / smoked charcuterie, but salt and sugar. Learning how to make those and nitrates (middens) and potash (to make caustics) to make the likes of soap etc are hard and do require knowledge. There is a good reason that the money we get paid is known as a "salary"... Whilst we can live without sugar, salt (sodium for nerve function) especially real sea salt for the iodine (thyroid) we most definitely need. It amuses me when I see "preppers" go on about various food stuffs but salt gets left off the list... Oh learning how to grow mustard, pepper, capsicums and chillies along with bay, rosemary lavender and lemons will also make life oh so much more pleasant.

Oh and also look into "Chinese earth bank glass houses" especially when combined with compost heaps, there are people up in the outer edges of the arctic circle using them to grow "spring vegetable" type food for large parts of the year.

The trick as always is let nature do as much of the work for you as possible. For instance I've seen an experimental "sewage digester" which is essentially a series of long tubes through a compost heap that produce enough methane not just to cook with but also help heat a home... The resulting digested output is quite safe to add as a "plant feed".

Oh and boundary fencing, for stock keeping and the like. It's not that difficult to turn hazel or similar coppicing plants into living fences, which is one heck of a sight easier than dry stone walling which is an art I never really did get a good grip on.

These are all hard won knowledge that we appear to have nearly lost over the past century. Which is a shame, as it makes us beholden to others for our survival, in a way that is sacrificial as can be seen by the way we are becoming a "rent seeking" society which is just another form of slave culture but with less security...

Faustus • February 16, 2019 8:23 AM

@Clive

Thanks for the link to the "Why Good Engineers Write Bad Code". It promises to give specific examples of bad practices, so I ordered it. When you are a programmer of the heroic school, one idea can go a long way.

I found it interesting that the IEEE article is identical to the book description on Amazon. Somebody is saving money.

And this author bio

Adam Barr worked as a programmer and manager at Microsoft for more than twenty years. He is the author of Find the Bug and Proudly Serving My Corporate Masters.

especially the proudly serving part, warns me not to set my hopes too high.

It is true that computer programs have bugs much more frequently than buildings fall down. But, on the other hand, I have never been severely affected by a software bug.

Computer Science is taught as a science. I would have thought that IT and MIS degrees would focus more on the mechanics of running a large project. In the large consulting company I worked for, people were trained in what was called "The Methodology", a system that was supposed to help projects to succeed.

Working on large projects I found that the reasons for failure were usually management related: scope creep, unclear requirements, and internal politics.

I think the new crop of languages, like golang, that are failure resistant, are brilliant, with principles such as:
- No warnings, all warnings are errors
- Pointer arithmetic made unnecessary
- Safe format strings
- Automatic index checking
- Automatic cleaning of output to ensure, for example, that javascript code is not masquerading as regular text.
- No unused variables
- Extensive type checking requiring explicit conversion

If a golang program compiles, it is very likely to be correct.

Once I get into the book, I'll post any interesting tidbits.

Denton Scratch • February 16, 2019 11:06 AM

@Faustus:

"If a golang program compiles, it is very likely to be correct."

Seriously? Suppose the intent of the programmer is incorrect? Suppose the programmer has an inadequate understanding of the problem domain?

I do not think that the majority of incorrect programs are incorrect because of syntax mistakes, typos and fencepost errors (and Go does not prevent fencepost errors). Most of them are incorrect because the programmer has addressed the wrong problem; or because she has reasoned incorrectly about the solution; or because, even with a correct understanding of the problem AND a clear solution, the implementation is faulty because e.g. it is infeasibly inefficient.

There are languages that help programmers avoid errors; but languages that make it "very likely" that a program is correct are a fantasy.
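The exchange in the two comments above, as an added example that is not part of either comment: a small Go program showing two of the listed safety features doing their job (contextual output escaping in `html/template`, and the automatic index check) next to a fencepost error that compiles and runs cleanly. All function names and the sample input are constructed for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	texttemplate "text/template"
)

// One template source, parsed by both engines below.
const page = `<p>Hello, {{.}}</p>`

// RenderText renders with text/template, which copies data through verbatim.
func RenderText(name string) (string, error) {
	t, err := texttemplate.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	err = t.Execute(&out, name)
	return out.String(), err
}

// RenderHTML renders with html/template, which escapes data for the
// context it lands in (here: the text of an HTML element).
func RenderHTML(name string) (string, error) {
	t, err := htmltemplate.New("page").Parse(page)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	err = t.Execute(&out, name)
	return out.String(), err
}

// ReadAt shows the automatic index check: an out-of-range index panics
// at run time instead of reading adjacent memory. The panic is turned
// into an ordinary error here so the caller can handle it.
func ReadAt(buf []byte, i int) (b byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("index check: %v", r)
		}
	}()
	return buf[i], nil
}

// SumFirst is meant to add the first n values. The "<=" is a fencepost
// error: it adds n+1 values. For n < len(xs) every index is in range,
// so neither the compiler nor the run-time check objects.
func SumFirst(xs []int, n int) int {
	total := 0
	for i := 0; i <= n; i++ {
		total += xs[i]
	}
	return total
}

func main() {
	payload := `<script>alert(1)</script>` // constructed sample input

	raw, _ := RenderText(payload)
	safe, _ := RenderHTML(payload)
	fmt.Println("text/template:", raw)
	fmt.Println("html/template:", safe)

	_, err := ReadAt([]byte("abc"), 3)
	fmt.Println("ReadAt(buf, 3):", err)

	got := SumFirst([]int{10, 20, 30, 40}, 2)
	fmt.Println("SumFirst(xs, 2):", got, "(intended: 30)")
}
```

The escaping only applies when the page is built with `html/template`; the same source parsed by `text/template` emits the markup unchanged, and only a test that states the intended sum catches the off-by-one.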

wumpus • February 16, 2019 1:13 PM

@Clive Robinson (on Waferscale GPUs).

Note that the "increase power consumption 140 fold" appears to be across 40 GPUs (the "20 fold" power increase must have worked that way), so you get a 3.5 fold increase *per GPU*. The other assumption is that you could take existing code written for a single GPU and run it as such on this waferscale GPU. For (traditional, expensive) HPC environments this seems to be hardly necessary.

Note that it isn't clear if a heatsink could handle a "40 fold" increase (zero per GPU increase), as while the heat/area wouldn't change, moving the heat away from the wafer could be problematic (if total heat & power isn't an issue, I'd try Peltier coolers. You wind up using a lot more power, produce a lot more heat, but presumably the heat delta makes the heat pipes more efficient. Just understand the power bill will be considerable (perhaps only run when the wind is high enough for wind power)).

I also didn't follow how they moved from discrete GPUs to waferscale: it looks like they tested all the GPUs and then stitched together the working ones. I'd expect them to stitch them all, and disconnect the failed ones (normal chip manufacture techniques: cover it all and scrape off what you don't want). I guess they don't want to risk what the data lines might connect to on the failed ones.

What I saw was what you would expect to get using waferscale techniques: certainly never a "drop in replacement", but probably much better than trying to connect things across a room with optical cable.

albert • February 16, 2019 1:24 PM

@Rach El,
"..I'm feeling very confused about the wall idea..."

Not to worry, it's just political theater. One should expect no more from a TV reality show star.
..

Denton Scratch, @Faustus,
I recall the systemd function example given in these pages some time ago. It was, to me, unbelievable.

As long as programmers continue to wallow in complexity, these problems will continue. In the good old days, security wasn't a serious issue, but now it can be a matter of life and death.

Perhaps we need a code generator that takes as input the system designer's wishes, and builds the code from that.

. .. . .. --- ....

VinnyG • February 16, 2019 3:11 PM

@Faustus re: managing a large project - You might want to try to track down a book published in the late 70s by Deloitte & Touche entitled "Managing the Systems Development Process." Much of it is no doubt dated because it was written before the advent of cheap and widely available microprocessors but I suspect that a lot of the concepts remain valid. I haven't looked at my copy in years, sadly, my first employer as a developer seemed to take pride in violating every precept of sane development...

Denton Scratch • February 16, 2019 3:16 PM

Hey, @albert, that doesn't work.

You have described a telepathic code generator - one that can divine the programmer's intentions. Unless you believe in magic, that doesn't work; somehow or other, the programmer has to express her intentions to the code-generator.

Invariably that involves some kind of language. You can't just 'wish' a program into existence; even if your wish is coherent, you still have to translate it from a mental state into the kind of thing that could be input to a code-generator.

Programming is hard. Programming cannot be automated.

Faustus • February 16, 2019 4:33 PM

@ Denton

Not actually having used a language doesn't slow your opinions down, does it!?! Or have you used golang?

Have you heard of something called lint? It was used to look for potential errors in C programs. Tools like that go a long way towards catching common mistakes. Especially in a language like C that basically does its best to compile whatever code you give it, correct or not. (At least it used to. It's been tightened up a bit since my salad days of C programming.)

But I haven't run a survey, so really what I should have said is: If one of MY programs compiles correctly in golang, it is very likely to be correct. I have over 40 years of programming experience - I worked for a major bank when I was 16 - and I'm sure my experience has something to do with this effect. Most of my errors are typos or accidentally using the wrong variable names, things that are secondary and that I am not focusing on and that an extended compile checker will find for me when the language doesn't allow fudging types and doesn't allow unused variables. If an error sneaks through, the safe formatting, avoidance of pointer arithmetic and automatic data cleaning in golang help avoid a security exposure.

As far as being able to write programs automatically, that is what my AI system does, and quite effectively. Once it has a working program it simplifies and optimizes it. It doesn't use telepathy. It uses examples (Input Data -> Output Data) or a solution scoring function to test whether its solution is heading in the right direction. (An example of a scoring function is total trip length for the Traveling Salesman Problem.) It evolves programs that better and better match the examples or score better and better with the scoring function. The code has mutable and non-mutable variables, functions and subroutines, and as many data types as you need.

And the nice thing is that it doesn't need to be a literal program. The "program" could express rules or concepts and their relationships, anything whose accuracy can be evaluated.

After so many millennia of people saying things are not possible, and so many millennia of them being wrong, saying things are impossible still hasn't lost its allure. The stater of impossibility gets to feel smart and no work is required. You can be sure he/she will be scarce or suffering a memory problem when he/she is proven wrong.

To me, a statement of impossibility without an impossibility proof is simply a failure of imagination.

roberts robot double • February 16, 2019 5:46 PM

@ Faustus & Albert

Systems that can be specified as (Input -> Output) are trivial enough to be automated or hunted for by some kind of genetic algorithm or somesuch AI-ish search.

The quest for perfection is most important and, not incidentally, most difficult in the space:

((Input -> Output) => Changes in Context)

or

(Input -> (Output + Changes in Context))

if you prefer.

It is the contextual changes that are the bugaboo and I've been SMHing for years at all the pure functional guys with their monads and monoids and whatnot who end up creating systems that work solely upon immutable systems. One of my first internet rants was about an article that mentioned immutability as a feasible path to perfection. Pshaw.

Why pshaw? Well, let's look at all the mutable parts of a computer:

  • file system objects
  • registers
  • static program memory
  • stack
  • heap memory
  • device registers
  • os configuration settings
  • db data
  • web pages
  • even our beloved programs due to SDLC ;-)

What I'm saying is that immutability is a nicely convenient but very tiny subset of realworld computing contexts, so basing any kind of dev strategy on immutable models will *NEVER* result in realworld applicable models. If one tries to then shoehorn an immutability model's flow into a mutable execution environment, the inefficiencies will be absurd. [Faustus, I'm assuming your (Input -> Output) fundamental execution unit is immutable in nature; please correct me if I'm wrong.]

Creating a system model where perfection can be generated (you're on the right track, Albert) requires a model that is tightly coupled to its execution environment, but where the abstractions used to specify the system (hopefully guaranteeing correctness) constrain the wild potential set of changes down to just the specific flavors needed to process the input data into both output data and the appropriate changes in context.

In a broader sense, incorrectness and insecurity (which is really just a kind of incorrectness) are the result of insufficiently and/or incorrectly constraining the processing of the input into output and changes in context. As such, you are correct that no language itself will *EVER* facilitate correct programs, but an environment that helps generate properly constrained software according to ever-more-sophisticated abstractions most certainly can be developed to incrementally reduce the spaces where error can creep in. The ultimate failure of language design to address correctness lies in the simple fact that what is really being generated are machine code instructions (even if they're the direct mapping of interpreted language semantics) that operate within very specific contexts (execution environment, os environment, et cetera).

Of course, I'm *NOT* saying that different languages don't have better models for more naturally producing correct code. No. Obviously, C# was a great step up from C in its relative lack of pitfalls (and F# is nothing less than fantastic). I've not been keeping up with Go and its contemporaries except to read a bit about them to see what problems they're attacking, but my conclusion is that while they certainly appear to have implemented some niceties, they haven't changed my fundamental view: the problem lies not in language design, but in constraining the universe of viable programs that are not correct down into the one that is correct, and that must be done one level removed from the language itself. It's just that the language one chooses will be more or less amenable to doing so.

Clive Robinson • February 16, 2019 6:45 PM

@ Faustus,

With regards political infighting, MFC springs all too readily to mind as a major cause of issues.

Because Microsoft so badly documented the interface, especially many suspected to retain a "competitive advantage". Few actually used the "official interface"; they went in at a lower level.

Such knowledge was often "hard won" by reverse engineering Microsoft's own applications to find the hooks. So much so that some guarded it jealously as a way of maintaining a "God like" status and a salary to match. Thus became resentful if not outright antagonistic to those going the more official way, who would insist the secret ways were removed from production code...

From much bitter experience I can say that many programmers only write ~40% of the code they should do. That is the code that carries out the intended program logic with "clean input", "no error handling" and "no exception handling" was the norm, hence Blue Screen of Deaths all over the place.

Often the programmer would commit a basic design sin: they would move input validation as far to the left as possible, well before the program logic. Thus any small changes in acceptable input would need changes in at least two places and often involved major changes to the input validation code. The reason being as the input validation moved to the left it would in effect get "compressed" where commonality and similarity would become "efficient" by removal and other tricks. Which built in fragility, thus with a change in program logic the change to one part would in effect affect several parts of the program logic.

Also when rarely "error handling" was little more than "give up and die", "malicious error handling" was not on a programmer's radar, and never any "malicious exception handling"...

Too many programmers think "left to right" and seldom ever write code that can "pass back" from right to left when an error is encountered or an exception happens. Both of which must be correctly dealt with in "fault tolerant systems" that are frequently needed in high availability systems.

As one RT systems engineer once rather drolly pointed out at a conference "You don't want your brakes to fail because one tire has gone from 60psi to 15psi in less than a second and the steering's become jumpy"[1]. All systems and the software that runs on them should be able to not just hand errors back to earlier stages, they should also be able to deal with issues such as networks and hard drives becoming unavailable without losing data / records.

Even today few programmers appear to want to deal with input errors in what is a sound future proof way, even though their code is supposedly "reusable". As for exceptions let's just say it would be nice to see programmers even acknowledging that not just do they exist there are things you can do to ensure continuity when they do occasionally happen.

[1] Signs indicative of a front wheel blow out, which still kills a fair number of people each year.

Faustus • February 16, 2019 8:08 PM

@ Clive

Maybe I am being defensive, but I don't think programmers are to blame. It's management. How important is a non-evident bug or vulnerability to management versus some other more obvious issue? Not very. They want you done and on to the next thing.

Faustus • February 16, 2019 8:25 PM

@ roberts

It's not trivial at all; it's a general problem solver. It can handle functional and non-functional programming. As a general solver it is agnostic to the distinction. States are not a problem. The secret sauce is in avoiding bloat and exponential limitations.

I am going to release more information May 6 on a website with demos. Some of the secret sauce will be proprietary. But I am interested in any challenge problems you'd like to suggest. Something specific that you think is "non-trivial" would be great.

Sherman Jerrold • February 16, 2019 8:32 PM

Dear Clive Robinson and @ Rach El,

Ah, fried liver, hash brown potatoes, Vegemite on toast and pickled beets for all!

But, on a Serious note, Mr. Robinson, I do very much admire and appreciate your encyclopedic knowledge and posting contributions.

Regarding 'pass back'. I'm not a coder, but had a friend that would always incorporate what he called 'recursive error handling'. I was never able to fully grasp his explanation.
But, that made me aware of such techniques. So, in a couple of javascripts that I wrote (o.k. maybe I am a scriptkiddie) I included profuse descriptive error messaging for when an incorrect user input halted the script. And, in a number of cases the testing user was able to correct the input and send the order.

@Faustus, Years ago listening to some Fortran programmers that updated themselves to original 'C', I heard of 'lint'. In my primitive way, my script debugging was accomplished by friends who would be test users. And, we would watch the process for crashes and halts. Back in the 70's many used the term 'abend' - 'ABnormal End'. Thanks for your posts, I'll be paying attention to yours and others' insights into 'AI' in hopes of gaining enlightenment in that area.

Wesley Parish • February 17, 2019 5:03 AM

@Rach El

Interesting article on the Trump Border Wall by the Cato Institute. Thanks for giving the url for it.
https://www.cato.org/publications/commentary/why-wall-wont-work

I laughed through most of it - it said much of what I had independently concluded was the case, and I was writing as a satirist.

I still think Donald Trump should build his wall on stilts one hundred to a thousand feet above the ground. Nobody's going to climb over a wall that's raised on stilts, are they? That's just so obvious that I'm surprised Trump hasn't seen it. Alternatively he could build the Trump Border Wall underground - say dig a trench and bury it one hundred feet below the surface - that way people won't go underneath it.

Meanwhile the cattle on both sides of the Canadian-Mexican Militarized Border Zone are sinking deeper into depression because of the vast number of voices they hear in that self-same Militarized Border Zone whining plaintively that well-known song, "Please Fence Me In".

Denton Scratch • February 17, 2019 5:49 AM

@Faustus

"Not actually having used a language doesn't slow your opinions down, does it!?! Or have you used golang?"

I have used a programming language called "Go". As far as I am aware, "golang" is the name of a (the?) leading Go compiler. Apparently, having used a language doesn't help you remember its name (yeah, don't patronize me, bro, and I won't patronize you).

You completely failed to address my point, that if the programmer's intentions are muddled, then it doesn't matter whether the language they are using prevents syntax errors or whatever.

Your claims about AI-driven software development are intriguing; I will certainly be impressed if you can show that AI can produce software without anyone directing the process using their insight into the problem domain and their clear intention as to what the resulting program should do.

I think you might do well to focus more on building that website, and less on puffing your inventions in the comment streams of blogs.


Denton Scratch • February 17, 2019 6:08 AM

@Faustus

"Have you heard of something called lint?"

Dude, be serious.

Have you heard of something called COBOL? One wrote this language using a pencil and a stack of coding forms. The completed forms were then sent to a punch operator (through internal post), who would transform them into a deck of punched cards; the cards were then submitted to a multi-pass compiler (the one I mainly used had seven passes).

A missing full-stop at the end of one statement would cause the entire program to fail to compile - usually with extremely obscure error messages. Starting a statement in any column other than column seven would also result in failure. On a compile failure, the programmer would receive a stack of green-striped listing paper (again, through internal post) containing a program listing and an error report. COBOL provided complete protection against minor syntax errors and typos. No 'lint' was needed. In the event of a successful compile, you'd get your finished program back either as a deck of cards or as a reel of punched tape (internal post again).

COBOL is not now considered the epitome of sophistication in programming languages, for good reason: it was a truly horrible language to use. Protection against syntax errors and typos is not a very stretching challenge for a language to meet.

bttb • February 17, 2019 8:29 AM

From https://www.emptywheel.net/2019/02/15/dan-coats-still-refusing-to-provide-the-evidence-that-russia-didnt-affect-the-election/ :

"Dan Coats [ Director of National Intelligence (DNI) ] Still Refusing to Provide the Evidence that Russia Didn’t Affect the [ 2018 ] Election


Last month, I [ emptywheel ] noted a troubling exchange between Martin Heinrich, Dan Coats, and Richard Burr in the Global Threats Hearing.

[...]

DOJ missed its 45 day plus 45 day deadline of reporting whether any election tampering had had an effect. But just by one day. The day after their deadline, the Big Dick Toilet Salesman Matt Whitaker [Acting Attorney General at that time] and serial liar Kirstjen Nielsen [ Secretary of Homeland Security ] gave Trump a report claiming that any tampering had not had any impact on the election.

[...]

Then, today [15 February 2019], CyberComm boasted that they had helped deter Russia during the midterms.

[...]

But ODNI [ Office of DNI ] is still not providing SSCI [ Senate Select Committee on Intelligence ] — the people who are supposed to see such evidence — proof. Heinrich wrote Dan Coats a letter, signed by every member of SSCI

[...]

They’re clearly hiding something. The question is whether it’s that Trump didn’t try to prevent tampering, or that some of the efforts — included the known effort to hack Claire McCaskill [ former Senator who lost in Missouri ] — actually did have an effect."


Clive Robinson February 17, 2019 10:26 AM

@ bttb,

    Dan Coats Still Refusing to Provide the Evidence that Russia Didn’t Affect the [ 2018 ] Election

Common sense says that there is a spectrum of activities that might or might not have been aimed at the rather dull 2018 US mid term elections. Thus three answers are possible,

1, No evidence.
2, Indeterminate evidence.
3, Definite evidence.

But 1&2 are in most cases likely to be very broad and arguably evidence will be missed. Or misinterpreted, which affects all three. So I suspect no definitive report will get issued on that alone.

Whatever answer the Director of National Intelligence gives it will not be popular with politicians or the MSM or others in Government who have already staked claims in various ways for political reasons thus have put themselves in positions they really should not have.

That however is all before the tricky part of attribution, which even if there is evidence of tampering has the issue of by "whom". Which as the US IC was caught with "false flag tools" we should assume other nations have, thus the water is at best muddy if not thoroughly polluted. If the US blabbers on about its latest cyber-existential-threat nation, and a nation wanted to take a pop at the US and let's be honest there's a long queue out there including their supposed allies, what better nation to fake it as than the latest US advertised cyber-existential-threat nation.

But again this is really a side show, when we start looking at say Venezuela...

As once used to be said "People who live in glass houses should not throw stones"...

Unmasked Underflow February 17, 2019 10:39 AM

ARM introduced a new extension called Secure EL2

https://community.arm.com/processors/b/blog/posts/introducing-2017s-extensions-to-the-arm-architecture

I can't decide if this is a good or bad thing. It is effectively support for 3rd party secure-hypervisor so that a compromised hypervisor can't snoop on a secure OS.

However, is this not also a tool for a state actor to snoop on a common user without detection? Common user and even private market types are not exactly equipped to handle a huge infrastructure such as a secure hypervisor.

So is this a good thing, or will this instead equip state level spying on all cell phones?

Faustus February 17, 2019 10:54 AM

@Denton

Come on, Denton. Don't be grumpy.

You really refuse to consider things that don't match your preconceptions, don't you?

I, and others, use "golang" to avoid the ambiguity of the word "go". A search on the word "go" is pretty hopeless.

It is a pretty trivial statement that you cannot write correct programs without a clear intention. I didn't think it required comment. Of course I agree. No, I obviously don't expect a compiler to fix that.

Since you have taught programming I understand that you have been exposed to a lot of this "programming by guessing". I've seen it in new graduates. It's pretty disturbing. But it is not what I am talking about. If you don't have a well defined intention then you really don't have a basis for evaluating the correctness of a program either.

My system writes programs with the proviso that they can be tested against some expression of the user's intention. Test cases work well. Otherwise, how would the system know what was being asked of it? (It is not telepathic technology. Maybe Release 2!) But nobody has to explain the reasoning behind the test cases. The system figures that out.

I talk about my system for several reasons:

- To encourage people to talk about what they actually do. It's simple to criticize things. So far Thoth & Clive & myself are the only people who I remember showing signs of actively programming. (I am sorry if I missed other people. I'd love it if you raised your hands now.) There have to be more people who actually create systems. Why are people focusing on knocking down the work of others rather than putting forth their own?

- People's criticisms help me anticipate the kinds of questions I need to answer on my website. They also jog my thinking. This group has helped me refine my approach, often in conversations that don't seem to be about ai at all. And this group puts forth tons of great links. As I have said before, I think it is the best social media around. I don't do any other.

- And I seek collaborators at many levels.

They could simply be people who challenge the system to do something. Roberts says what my system does is "trivial". So I asked him to define a problem that he considers non-trivial. If people disappear when they are asked to give clear examples that is all the rebuttal I need to make. And if roberts comes through, it may very well be a cool idea I hadn't thought of. So it's a win-win for me.

And there may very well be people around who actually merit an invitation for active collaboration. Obviously a lot of people missed out on the bitcoin moment. Maybe they don't want to miss this one. Maybe the idea of AI excites them. Crazy, huh?

- I am trying to develop a new model for business that isn't based on venture capital and IPOs. One that never sells your data, and only works towards socially helpful or neutral goals. One that provides good jobs where they are hard to find. In other words, rather than trying to make somebody else fulfill my social goals, I am trying to directly realize them. I think we would all be better off if we looked to ourselves for solutions rather than trying to find people to hang our problems on.


Alyer Babtu February 17, 2019 11:29 AM

@Faustus

Re correctness

A clear, defined intention is not enough. The program design has to match the problem being addressed. Perhaps that is what @Denton Scratch meant in some of his comments.

Never tiring of plugging that most esteemed treatment of what programming really is, Michael Jackson’s “Principles of Program Design”, I offer this quote

“Getting a Program to Work Versus Getting it Right

The beginning of wisdom for a programmer is to recognize the difference between getting his program to work and getting it right. A program which does not work is undoubtedly wrong; but a program which does work is not necessarily right. It may still be wrong because it is hard to understand; or because it is hard to maintain as the problem requirements change; or because its structure is different from the structure of the problem; or because we cannot be sure that it does indeed work.”

The aim of Jackson’s writing is to provide, as the title states, the principles by which one can find the matching design for any problem. This is an analysis of the nature of the problem and precedes any “coding” or expression in a programming language.

(It is delightful to note that Jackson’s examples are given in a kind of COBOL, itself a proof that he must be right, if his methods can survive that language. :)

C. A. R. Hoare appears to have had a favorable estimation of Jackson’s approach. Some are found here:

http://people.csail.mit.edu/dnj/talks/mjtribute09/hoare-jsp.pdf

herman February 17, 2019 12:20 PM

Walls keep out simple people. It works as a high pass filter and keeps out lots of people who would be a drain on society. Smart people don't need to climb over a wall, they can follow the regular immigration process. In between these two groups are the crooks - they are at least slowed down a bit.

Faustus February 17, 2019 1:14 PM

@ Alyer Babtu

Perhaps that is what he meant. I have made clear what I mean.

If somebody can nominate a precisely defined problem that you think doesn't fit in my model I'll see what I can do with it.

Jackson's approach is attempting to have problems solved in a certain way. Which makes perfect sense in the average commercial setting where consistency reduces work and increases accuracy. (In the case of Jackson, as long as you are doing batch processing on a mainframe 20 years ago.)

But have you read the papers? Holy moly, what a way to make the simple complex. I wouldn't want to live in the JSP world, which only handles a boring subset of problems in any case. And it was a long time ago...

I think AI has been slowed down by academics who need to simplify things to make them amenable to analysis. I'm a real world heuristics kind of person.

What interests me more are the ways that problems can be solved contrary to our usual frameworks using approaches that nobody has discovered yet.

Faustus February 17, 2019 1:38 PM

@ Sherman

"Thanks for your posts, I'll be paying attention to yours and others insights into 'AI' in hopes of gaining enlightenment in that area."

Thanks for the encouragement!

patron February 17, 2019 2:52 PM

What would you do for a loved one setting up their first cell phone account? Person is not computer savvy.

Threat model- unknown.

Ease of use, bill payments (automatic renewal), etc. important

Use a new email?

Use the loved one's landline phone # on the application?

The person will be using their cell phone mainly near their residence.

Get an alias named credit card, from an existing credit card, à la Julia Angwin, and use that name and email address.

'Angwin did ask her credit card company to issue her a new card on her existing account with a different name: Ida Tarbell, the turn-of-the-century investigative journalist. She’s been using it for a year and no one’s caught the historical reference.


"The cell phone was the hardest challenge for me because basically, it’s transmitting all the time – it has to be in order to do its job." Angwin explains, "I decided to turn off WiFi, because it’s very easy for companies to notice the WiFi signal on your phone and track you." She has another phone that’s in Ida Tarbell’s name, which she uses for more sensitive calls. "Although obviously now that I’ve told the world, I’m going to have to get a new phone." She also uses a special case called a Faraday Cage that is supposed to block a cell phone’s signal.


Protecting your data can be expensive. Angwin says that she spent almost $2,000 on her project. But there are some free resources out there, including the ad-blocking technology that she used and the search engine DuckDuckGo.


Julia Angwin's book is called Dragnet Nation: A Quest for Privacy, Security, and Freedom in a World of Relentless Surveillance.



https://www.wnyc.org/feeds/people/julia-angwin

Plan to BYOD, unlocked, iOS

Consumer Cellular, Ting, Verizon, Credo Mobile, TracFone, other?

Use Verizon (not selling location data as much, perhaps)?

Get added to a family member's plan?

Any other ideas?

References:

https://blog.filippo.io/securing-a-travel-iphone/

https://ssd.eff.org/en/module/how-use-signal-ios

https://ssd.eff.org/en/module/how-use-whatsapp-ios

https://ssd.eff.org/
https://ssd.eff.org/en/taxonomy/term/362/
https://ssd.eff.org/en/module-categories/tool-guides
https://sec.eff.org/

Rach El February 17, 2019 4:19 PM

Faustus

Thank you for articulating your vision
You request challenge, and hinky thinking.
Although, so far (and, no doubt, necessarily) your overview has been far too broad for me to ascertain your scope in practical terms.

Here is a question. Can your tool deal with cognitive bias aka prejudice as it manifests socially and demographically.

Which in the overarching realm of security is a critical flaw whichever level or strata it manifests in. Macro, micro, Turtles all the way..
Macbeth didn't expect his enemies to be hiding AS a forest, because he loaded the prophecy with his own interpretation.
Whether it's the gilets jaunes or Nick P black hat attacking an ergonomic keyboard because it's a user's blind spot (See Wael's link) it's all prejudice, baby

actually I'd like to see AI justify its reason to exist. And have AI demonstrate that the solution for an ill is 'more and better' technology
Part of my reaction to blockchain is I have trouble seeing beyond its rationale of 'progress, because' (not, not digging a rabbit hole there for you)

I can't really justify this as on topic but I am reminded
there is a scene in the film Terminator 2 of 1991 that has forever riled me. They seek out the inventor of Skynet to convince him to shut it down before it wages war on humanity. Turns out to be a well off black man. Even before he is shown, the inventor of Skynet is set up as the worst villain the world has ever seen.
Gasp, and he's also rich and comfortable from his work! Some serious social programming going for audiences there.

JG4 February 17, 2019 4:45 PM


@Rach El

I hadn't seen the scientist character in that light, but your point is well taken. To his credit, as soon as the implications of his work were made clear, he gave the last full measure of devotion in an attempt to contain/limit the problem.

I like seeing people of all races solving problems. It couldn't have been lost on the audiences for T2 that the majority of technicians, scientists and engineers building technology for the peasant extermination programs (human extinction programs?) are Caucasian, as am I. It would have been about thirty-three years ago that I realized that I was working to solve a problem in the lab with a guy from the Middle East, a guy from India and a guy from China. At the time, I realized that was a somewhat unusual situation and that it was a privilege to meet them and work with them. I'm happy to know some black scientists and engineers who live comfortably from their work. Many of them have deep reservations about the peasant extermination programs.

https://www.nakedcapitalism.com/2019/02/links-2-17-19.html
...

Researchers Create ‘Rat Cyborgs’ That People Control With Their Minds Discover. What could go wrong?

Payback for Bezos Has No Limit Bloomberg. Good clean fun.

Google’s Waymo risks repeating Silicon Valley’s most famous blunder Ars Technica. Important and interesting, but the promise of robot cars wasn’t driverless golfcarts running fixed routes in Florida retirement communities, now was it?
...

IBM’s fast-talking AI machine just lost to a human champion in a live debate CNN

[this is a clever publicity ploy]

Researchers, scared by their own work, hold back “deepfakes for text” AI
...

Police State Watch

Houston police officer in drug raid had previous allegations against him Houston Chronicle. No kidding.

Imperial Collapse Watch

What Did Elliott Abrams Have to Do With the El Mozote Massacre? The Atlantic

Army leadership calls for “disruptive thinkers” to step forward so they can be more easily liquidated DuffelBlog
...

Alyer Babtu February 17, 2019 4:47 PM

@Faustus

... have problems solved in a certain way ... the average commercial setting ...

Jackson rather is giving something like a scientific account (i.e. explanation through causes) of what is involved in any programming effort, which account applies in any setting whatsoever. The relationship to programming is analogous to the mathematics underlying numerical algorithms.

@Rach El

... the inventor of Skynet is set up as the worst villain the world has ever seen ...

It hit me more that the film was saying that Skynet was the worst invention the world had ever seen, which well meaning ingenious people had striven for without an appreciation of unintended consequences. Not off-topic, we are in basically that grinding crisis today.

Impossibly Stupid February 17, 2019 4:54 PM

@Faustus

My system writes programs with the proviso that they can be tested against some expression of the user's intention. Test cases work well. Otherwise, how would the system know what was being asked of it?

By expressing the only thing of value that would be a breakthrough: intelligence. Otherwise, all you'll be offering up is the same sort of "automatic programming" nonsense that went nowhere after the first AI bubble burst.

(It is not telepathic technology. Maybe Release 2!) But nobody has to explain the reasoning behind the test cases. The system figures that out.

Based on my experience working with the "reasoning" of some people regarding the software and solutions that they want, it would require telepathy to figure out what they're really asking for. A big part of the intelligence that humans bring to problem solving is detecting meta-errors in the intentions of those posing the problem.

If people disappear when they are asked to give clear examples that is all the rebuttal I need to make.

I didn't see you eager to adopt my "humor" test, which was quite serious. If you'd like something more pointed, I'd ask how your system will deal with the Turing Test, or what new insights it will offer into the Halting Problem. If you "disappear" for those sorts of classic computing conundrums, it makes it hard to expect you've got a breakthrough on your hands.

Or maybe let's try this approach. Since this is a security blog, let's see you direct your system at fundamental security questions. Will it be able to figure out the difference between truly random numbers and pseudo-random ones? Will it be able to decrypt messages that use even simple ciphers? Can you progressively take it from, say, learning ROT13 to more complex Caesar ciphers and demonstrate a process of learning that is increasingly sophisticated?

If you don't even have a theory of intelligence to offer up that takes those sorts of baby steps, there's no reason to believe that you've implemented anything special. I say that as someone who has a long history in AI myself, with enough failures under my belt to recognize what is and isn't on the path to genuine machine intelligence.

Rach El February 17, 2019 5:42 PM

thank you everyone

Wesley Parish

admire your lucid absurdity. What about creating a story of present day world where Steve Jobs, and therefore his distortion-aberrations upon the physical reality sphere, never existed. ( Apparently he had a 'reality torture field' )


Thoth February 17, 2019 6:35 PM

@Unmasked Underflow, Clive Robinson

You can find the usual discussions between @Clive Robinson and me regarding In/Secure Enclaves via searching for our usual posts. Trying to keep the post shorter otherwise there will be people who will complain about long posts.

This is not a new "ARM feature" as it is dated 2017 and I have been looking around and recent STM32 chipsets that are "open and friendly" and well-liked by "open HW/SW" projects (if you really believe in "open") come with these additional In/Secure Enclave extensions. The access is mostly abstract and who knows what's the firmware underneath as those are proprietary extensions.

Most of these In/Secure Enclaves actually present not just a good hideout for chip level malware (i.e. recent Intel SGX enclave malware report) but also the immense complexity by adding more useless trash features that bloats the chip really badly.

Wesley Parish February 18, 2019 4:09 AM

@Rach El

Thanks. I'd need to do a lot of research on Steve Jobs, though - I know next to nothing about him.

@herman, I presume your remarks were aimed in my general direction: you need to upgrade your information. The Great Wall of China did wonders in keeping out the Mongol Empire, didn't it? Hadrian's Wall in the north of what is now England had forts every five miles or so: it worked while it was manned by Roman troops. When they were all called back during one of the periods of civil war over which general became emperor during the collapse of the Roman Empire, and the defense of the province of Britannia was left in the hands of the foederati (non-Roman warriors under contract to support the otherwise overextended Roman Army: Saxons, Jutes, Angles and Friesians in the case of the province of Britannia.), it stopped being a defense.

And for what it's worth, if the example of New Zealand, Australia and Indonesia is anything to go by, most foreign crooks and criminals together with their illegal drugs and the like come in through sea ports and airports. I have no doubt in North America (even in the Militarized Border Zone on the Canadian-Mexican border) the situation is the same. So if said MBZ President Donald Trump were serious that walls were the answer, he'd be building walls around sea ports and airports. The fact that he isn't, merely means he's intent on bilking you out of your hard-earned money. (I would be interested to know whether or not the situation is the same in the case of Switzerland, which has no maritime borders and land borders all around. And Outer Mongolia, and Uganda, and Chad, and Swaziland, and Nepal, and Afghanistan, and Tadjikistan, and Bolivia ... )

The Mullah Nasrudin was sitting in his favourite coffee shop one day, when a scholar he barely knew came in with some friends and sat at his table. The scholar opened with the statement, "There are no questions that cannot be answered!"
The Mullah Nasrudin begged to differ: "Last Thursday I was asked a question I could not answer."
"Oh, let's hear it then, and I will do my best to answer it for you."
"Someone asked me, "what do you think you are doing, climbing into my house at night?""

Denton Scratch February 18, 2019 5:03 AM

@Faustus

"But nobody has to explain the reasoning behind the test cases. The system figures that out."

That's not how it works. Test cases are constructed by a developer/designer who knows where the weak points in a system-design are. They aren't just a bunch of random examples, that some AI is supposed to use as the basis for divining a system definition. Test cases are specifically designed to prove that a design doesn't fail when confronted by a particular, challenging case. The test-cases and the design work as a complementary pair. If the design is derived directly from the test-cases, that all falls apart.

I'm glad to see you falling back from your earlier claims, which appeared to suggest you thought that an intelligent, human programmer was not needed, if an AI programmer was present. I've seen this suggested elsewhere in recent days, in an article on careers in IT - specifically that automation was going to make software developers redundant. I thought that smelled strongly of bullshit. I'm not going to say the same about your claims, mainly because you haven't actually made any yet. I'm patient - I'll wait for the website.

But apparently you can sense that I smell BS in your claims; well, I'm no poker player, I'm quite easy to read. Strong claims based on unpublished research make me suspicious, to say the least.

As I have said, I look forward to visiting your website, and having my suspicions neutralized.

"You really refuse to consider things that don't match your preconceptions, don't you?"

You really do go out of your way to be rude and offensive, don't you?

You've read three or four posts by me on the subject of AI; I reckon I may have posted here about 20 times in total. You don't have much to go on in claiming to know anything about my preconceptions, other than that I own a book on the AI that was published in 1995.

I hope your AI invention doesn't jump to conclusions as quickly as you do.

roberts robot double February 18, 2019 5:13 AM

@Faustus et al

Here is an example I will present as a generalized problem:

Write a function that takes three inputs: a list of strings, a string to search for and a string that replaces each substring occurrence thereof. After replacing all substring occurrences in the list of strings, return both the number of lines where one or more replacements occurred and the total number of replacements overall.

Now, as a longtime programmer, my analysis of this problem starts with "What is the context this function will execute within?"

As a master C programmer, am I to deal with a list of heap allocated strings? Well, that's a finicky problem, because then the relative sizes of the search and replace strings need be considered, because if the replace string is zero length, it is effectively a delete operation. If it is simply equal to or smaller than the replace string, then no reallocation will be needed, but then each line will be overallocated (if actually shorter), and then the potentially greater demands of the system must be taken into consideration (i.e. is this an embedded device where each byte is precious?).

The considerations for a C programming environment being so finicky are a big part of why our operating systems are so insecure. Even coding it correctly is only the beginning of the road if optimization must be done, not to mention the fact that there is a serious possibility that if the replacement string is larger than the search string a heap allocation may fail at some point. What to do then? Ahhh, such a rabbit hole.

Of course, if your list of strings is to be passed as the contents of a text file then you get issues of encoding, line endings, and file naming. A different context and a vastly different set of problems and requisite design.

Being well-versed in database programming, from Informix 3 and 4 to Microsoft Access and SQL Server to Oracle and finally DB/2, writing such a "function" to perform this in a database is an entirely different set of considerations, failure modes, inefficiencies and whatnot.

Then, if, instead of straight C, one uses the .NET runtime in, say, C#, one gets auto-allocation via a garbage-collected runtime, but then you have the possibility of banging into a garbage-collection cycle in the middle of processing or even banging into a 2GB data structure hard ceiling. Once again, what are the operational requirements of the system?

Perhaps piping a file through a grep, sed or awk invocation will suffice? Perl would most certainly work as well and helped me earn a year's worth of living expenses and three months in a very beautiful European city (thanks Mr. Wall!).

It struck me this morning that your AI-based program generator is directly related to your belief that we human beings can someday unload our governance to an AI and that your desired path to efficiency for humanity is the guiding principle of your programming system. On a pure level, it is a noble goal for you have a noble heart that seeks to end the misery we human beings inflict upon each other with apparently ever-worsening degree.

And, yet, in the interest of the blunt honesty all good engineers must possess, I have to tell you that that goal is neither realistic nor desirable, either on the societal level or the level of data flow programming.

The primary problem with perfectly opaque black boxes is that one never knows that they work unless they know how they work, and that they *must* be designed by human beings, directly and openly. Yes, neural networks and AIs can function very well as simple signal processors but they are only ever going to be tools that push bits, as all digital information processors are, by their very nature. They will never be able to take the bigger picture into consideration and we are all witnessing the disastrous results that occur when human beings like those in FB and Microsoft don't take the bigger picture into consideration. They have both chosen to adhere to the MBAs' dictate that more money means success and as such they have not only not made the world a better place, but have made the world a worse place.

No AI will ever be able to consider compassion in its calculations. Unlike 'War Games' no AI will ever learn that "The best way to play is to not play at all". No, no information tool will ever make that grand leap, just as we human beings can never make such a leap to truly comprehend our Unfathomable Creator. We are in a very real sense just tools of our Creator capable of exploring this magnificent creation and the tiny bit of It that we can comprehend when we stretch ourselves to the furthest points of our ability.

In being endowed with such intelligence, abstract thinking and detailed planning we must be very careful of the tools we create. We must design them carefully and with as much thought as to their precise use and potential misuse as we can, not to mention the methods they use to do their work (and now strip-mining is no longer acceptable). We are, as a technological world society, moving in the precisely opposite and wrong direction and the technology we have created is mostly serving for-profit corporations and power-hungry governments, both of whom worship at the satanic altar of the MBA, where personnel have become human resources and compassion is anathema.

The openness of the Open Source movement is a glimmer of light into a future where cooperation is the rule, not the exception, but the problem with OSS is that the for-profit corporations' inherent competitive greed has impelled them to use the good will of the legions of good-hearted contributors without the slightest compunction to give back (unless it serves their profit motive, that is). This is because they only take. Note that a great part of their evil is their being opaque black boxes themselves, with their NDAs, legal lies, and their privileged directors drawn from the good ol' boy networks of the world.

Our society will never succeed with an opaque government and neither can a non-trivial information processing system succeed without knowing exactly how and why it makes its decisions to transform (Input -> Output).

I hope you succeed in helping make the world a better place, my dear friend. As a lifelong elite programmer, I know how to design, build and test software that does not fail. We're never going to have tools to help us perform this literally most difficult kind of toolmaking without a thorough understanding of either how our metatools do their work or how the information processing tools they produce do theirs.
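The C case roberts robot double describes above (heap-allocated strings, a replacement that may be empty or longer than the search string, an allocation that may fail), as an added example that is not part of any comment. The names `replace_in_list`, `replace_stats` and `dup_str`, the sample lines, and the choices to reject an empty search string and to leave the list untouched on any failure are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct replace_stats {
    size_t lines_changed; /* lines with at least one replacement */
    size_t total;         /* replacements across all lines */
};

/* Return a new heap string with every non-overlapping match replaced, or
 * NULL on size overflow or allocation failure. nlen must be non-zero. */
static char *replace_one(const char *s, const char *search, size_t nlen,
                         const char *repl, size_t rlen, size_t *hits_out)
{
    size_t hits = 0;
    for (const char *p = strstr(s, search); p; p = strstr(p + nlen, search))
        hits++;
    size_t kept = strlen(s) - hits * nlen; /* bytes outside any match */
    if (rlen != 0 && hits > (SIZE_MAX - kept - 1) / rlen)
        return NULL;                       /* kept + hits*rlen + 1 would wrap */
    char *out = malloc(kept + hits * rlen + 1);
    if (out == NULL)
        return NULL;
    char *w = out;
    const char *r = s, *p;
    while ((p = strstr(r, search)) != NULL) {
        size_t gap = (size_t)(p - r);
        memcpy(w, r, gap);                 /* text before the match */
        memcpy(w + gap, repl, rlen);       /* rlen == 0 acts as a delete */
        w += gap + rlen;
        r = p + nlen;
    }
    strcpy(w, r);                          /* tail and terminating NUL */
    *hits_out = hits;
    return out;
}

/* Replace in lines[0..n-1], each a malloc'd NUL-terminated string.
 * Returns 0 on success; -1 on bad arguments, an empty search string, size
 * overflow or allocation failure, leaving the list and *st untouched. */
int replace_in_list(char **lines, size_t n, const char *search,
                    const char *repl, struct replace_stats *st)
{
    if (!lines || !search || !repl || !st || search[0] == '\0')
        return -1;                 /* an empty pattern would match everywhere */
    size_t nlen = strlen(search), rlen = strlen(repl);
    char **fresh = calloc(n ? n : 1, sizeof *fresh); /* staged new strings */
    if (fresh == NULL)
        return -1;
    struct replace_stats tmp = {0, 0};
    size_t i;
    for (i = 0; i < n; i++) {
        size_t hits = 0;
        if (lines[i] == NULL)
            goto fail;
        if (strstr(lines[i], search) == NULL)
            continue;              /* no match: keep the original buffer */
        fresh[i] = replace_one(lines[i], search, nlen, repl, rlen, &hits);
        if (fresh[i] == NULL)
            goto fail;
        tmp.lines_changed++;
        tmp.total += hits;
    }
    for (i = 0; i < n; i++)        /* commit only after every line succeeded */
        if (fresh[i] != NULL) {
            free(lines[i]);
            lines[i] = fresh[i];
        }
    free(fresh);
    *st = tmp;
    return 0;
fail:
    while (i > 0)
        free(fresh[--i]);          /* discard staged strings, keep originals */
    free(fresh);
    return -1;
}

/* malloc'd copy of s, or NULL if memory runs out (helper for the demo). */
static char *dup_str(const char *s)
{
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}

int main(void)
{
    /* Constructed sample lines, not taken from the thread. */
    char *lines[3] = { dup_str("cat concat cat"), dup_str("dog"),
                       dup_str("catcat") };
    struct replace_stats st = {0, 0};
    if (replace_in_list(lines, 3, "cat", "bird", &st) == 0)
        printf("%s|%s|%s lines=%zu total=%zu\n", lines[0], lines[1], lines[2],
               st.lines_changed, st.total);
    for (size_t i = 0; i < 3; i++)
        free(lines[i]);
    return 0;
}
```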

bttb February 18, 2019 7:16 AM

From https://www.emptywheel.net/2019/02/17/malwaretechs-judge-seems-more-sympathetic-on-the-intent-of-prosecution-than-the-law/ :

"MalwareTech’s Judge Seems More Sympathetic to Hutchins about the Intent of Prosecution than the Law


JP Stadtmueller, the judge who will preside over MalwareTech (Marcus Hutchins’) case, last week denied his pretrial motions to get his post-arrest interview and all the charges of his indictment thrown out. The order starts this way:

'On March 30, 2018, Hutchins filed a motion to suppress the statement that he made to Federal Bureau of Investigation (“FBI”) agents immediately following his arrest, as well as any evidence the government may have obtained as a result. (Docket #55)'

We are almost 11 months into the pre-trial process and we’re virtually the same place we started. Just two things have happened in that time: the FBI Agents who arrested Hutchins had badly damaged their credibility, and Stadtmueller has given a read of how he views the case.


Stadtmueller scolds the already discredited FBI Agents for violating Federal Rule of Criminal Procedure

As to the first issue, in ruling against Hutchins on his Miranda claim..."

Faustus February 18, 2019 8:28 AM

@ Rach El

Cognitive bias is an interesting question. I'd say my system models cognitive bias rather than avoids it. Our brains are wired to try to simplify information. My system works similarly. In cognitive biases the information is oversimplified or generalizations are made with insufficient information.

If I fail to provide rich enough data my system often simplifies the processing in a way that won't work when the data set is enlarged. For example, when I trained a system with lists that were 10 to 25 integers long, one of the resulting programs didn't work with lists of length less than 7. (Many others worked fine.)

That program wasn't biased against shorter lists, it just never saw them and didn't take them into account. But it is an analogous situation to the facial recognition system in the news that didn't work well with African faces. And the way that humans are less able to distinguish faces of unfamiliar races.

I believe that bias stems from insufficient data, not pernicious algorithms.

@ Denton

You have been consistently negative towards what I say, but you want to be treated with kid gloves. Life doesn't work like that.

@ Alyer Babtu

I looked into JSP some more and found some interesting examples. It's ok. I've worked with similar schemes for structured design in consulting. I was a big CASE guy in the 90s. What I found was that having to use a separate detailed design language and then rewriting the detailed design as code created two points of update, and time demands ensured that the design would become out of sync with the code. The solution was to generate the code from the design (via CASE), but these tools were never as flexible as the programmer or client wanted.

You like the idea of JSP, but I doubt if you or anybody else uses it extensively any more in a non-school environment. Am I wrong?


Faustus February 18, 2019 8:45 AM

@ Rach El

To be clear, when I said "I believe that bias stems from insufficient data, not pernicious algorithms", I was talking about AI. In humans, there are genetic and social learning components to bias.

Faustus February 18, 2019 9:06 AM

@ roberts

I am at heart a mathematician. I am interested in the algorithms more than the implementation. I will add the suggested string problem to my queue of demo problems. That is the kind of program my system writes.

As far as the details of a particular language go: My system does all of its work in abstract syntax trees. A particular language comes into play only in the output generation phase.

Problems of heap allocation and the like could be modeled as separate problems. Or I could work with the really low level ops that C provides, and solve the whole problem, but I am not that inspired to reinvent every wheel. In general I focus on generating languages like golang and clojure that have general solutions to lower level problems.

roberts robot double February 18, 2019 10:11 AM

@Faustus

Cool, I'm glad I could add to your compendium. It sounds like you really are developing something grounded in reality with your system targeting specific language design environments (and their specific runtime environs as a result).

My primary question is simply whether or not your generated code will be comprehensible by humans? Of course, technically, *all* source code is comprehensible if the reader is given enough time, but my question is whether generating understandable code is a part of your design criteria.

Regardless, I wish you all success.

roberts February 18, 2019 11:16 AM

@ roberts

Thanks for your best wishes!

Comprehensibility is a mixed bag. I am thrilled when my system finds novel algorithms, but they can sometimes look like the results of a "shortest apl program" contest if not the same contest in Brainf*ck!

I have various output formats. Code that is incomprehensible in one can be clearer in others.

A longer term plan is to score a few hundred sample output programs for clarity and then feed them back into my system to evolve a metric that captures what humans consider clarity. Then I would incorporate this metric into the scoring function that evaluates each program.

I do something like this now in that I score programs with fewer tokens as marginally better than programs with more, so my solutions go through a process that generally decreases their token count by a half to two-thirds. A simplification and simplification/mutation system is always running, the first being simplification that doesn't change results and the second being simplification that may change results in some cases. The second isn't a problem in that programs are always reevaluated after simplification.

Faustus February 18, 2019 12:01 PM

@ Impossibly

I do not believe in blacklisting people solely for having opinions that disturb me, but I also am busy and I am finished with word games.

As far as your challenges go: Take distinguishing random from pseudorandom and consider the definition of pseudorandom:

"In theoretical computer science, a distribution is pseudorandom against a class of adversaries if no adversary from the class can distinguish it from the uniform distribution with significant advantage." https://en.wikipedia.org/wiki/Pseudorandomness

In other words, you are asking my system to do something that is impossible by definition. That's not what my system does.

I might reframe the challenge as "Given a sequence of numbers, find the rule that determines how it is generated". That is a problem that my system can attack.

As far as breaking ciphers that are not semantically secure, that leak information about the plaintext, that is something that can be addressed if there is a way to recognize correctly decoded plaintext (it is in English, for example). Basically a lot of examples of possible plaintexts (not the actual plaintexts, just plaintexts of the same type) would be used to let the system tell how it's progressing. Nobody can break encrypted random data where a correct decryption can't be recognized.


roberts robot double February 18, 2019 12:27 PM

@Faustus

Seeing as how your data structure is an AST, perhaps you can pattern match the output trees with a set of known structures that you build up over time. Maybe something like, "this looks like a loop that counts over an array" or somesuch. I imagine it would require a different flavor of knowledgebase than the one that builds your inputs and would, therefore, require experienced programmers just as your input set needs curating by yourself. Being a logically distinct processing step would also allow it to evolve by itself with updates being able to be applied retroactively to previously generated solutions to update their "translation".

Denton Scratch February 18, 2019 3:53 PM

@Faustus:

OK, that'll have to do for me. I'm not OK with you countering my reasoned positions with insults; I have not insulted you, as far as I am aware. I'm not here for a scrap, and until about a week ago I thought you were a person who shared my views.

Anyway, I am detaching myself from this discussion with you, as of now. Let's see your website, and the details of your invention (you are claiming it's patentable, which implies it really is an invention). Maybe you'll be interested in re-opening a channel after you've published.

Alyer Babtu February 18, 2019 5:47 PM

@Faustus

I doubt if you

I use Jackson’s design analysis+synthesis approach as outlined in his Principles book whenever I program, which until recently was most of the time. I find it invaluable in bringing to light what the problem context really is asking to be coded. It leads generally to a habit of inquiring into the real nature of the problem. Once that is obtained the coding is always straightforward.

All the best with your project!

Faustus February 18, 2019 6:03 PM

@ Alyer Babtu

That is wild! I thought UML and such won out the design sweepstakes. Do you use the Jackson code generator? If not, do you do all the detail in JSP and then code it afterward or do you stop design at a less detailed level?

A lot of the 90s were structured methodologies for me, in large projects. In the end I didn't find them that helpful, though I was a true believer for a while.

How does Jackson play with agile? Does it work well with SQL? My understanding is that it makes program design parallel the data structure. Also that it is for batch processing. Can you design web functionality with it?

Alyer Babtu February 18, 2019 8:34 PM

@Faustus

I don’t use any automated assists, just work things out on paper, like doing an argument in mathematics, then code from that. Also, the principles apply to any situation, batch, interactive, databases, etc. The programming problem itself determines the structure i.e. point of view on the data and the design uses that. It is not necessarily the “obvious” structure the data might seem to carry.

Not wanting to risk fatiguing the blog unduly, I’ll finish with this.

Impossibly Stupid February 19, 2019 12:17 PM

@Faustus

In other words, you are asking my system to do something that is impossible by definition.

Not impossible. I'm simply asking what level of "adversary" your system would represent when it comes to the problem of figuring out what is and isn't random noise. I would hope you understand how important that kind of analysis is when it comes to applying intelligence of any kind.

I might reframe the challenge as "Given a sequence of numbers, find the rule that determines how it is generated". That is a problem that my system can attack.

That is a similar but different problem. I would encourage you to follow through with that class of problems, though, because there are a wide variety of them, and it will be very telling about your system to demonstrate how it learns as you give it sequences generated by increasingly complex formulas.

Nobody can break encrypted random data where a correct decryption can't be recognized.

There's the rub: it is the underlying intelligence that enables that recognition. A simple substitution cipher is literally child's play. Current language translation software essentially works on the same principle, but it's not AI because there is no thinking about the meta process of what is being done. The child will understand what makes ROT-13 interesting/useful. Your system will not only need to solve the initial problem you give it, but demonstrate that it can effectively use what it learned as it is given more advanced ciphers to attack/recognize.
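An added example, not part of any comment above and not Faustus's system: it illustrates the point debated in the last two comments, that a weak cipher such as ROT-13 falls only when a correct decryption can be recognized. The frequency table, the `THRESHOLD` value, the function names and both samples are assumptions made for the illustration.

```python
import random
import string
from collections import Counter

# Approximate relative frequencies of a..z in English text.
ENGLISH = dict(zip(string.ascii_lowercase, [
    .08167, .01492, .02782, .04253, .12702, .02228, .02015, .06094, .06966,
    .00153, .00772, .04025, .02406, .06749, .07507, .01929, .00095, .05987,
    .06327, .09056, .02758, .00978, .02360, .00150, .01974, .00074]))
THRESHOLD = 1.0  # assumed cut-off for "looks like English" (chi-squared per letter)

# Constructed samples: two sentences from this thread, and 2000 random letters.
ENGLISH_SAMPLE = ("In other words, you are asking my system to do something "
                  "that is impossible by definition. Nobody can break encrypted "
                  "random data where a correct decryption can't be recognized.")
RANDOM_SAMPLE = "".join(random.Random(2019).choices(string.ascii_lowercase, k=2000))


def shift_letters(text, k):
    """Caesar-shift ASCII letters by k places; ROT-13 is k=13."""
    out = []
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("a") if ch.islower() else ord("A")
            ch = chr((ord(ch) - base + k) % 26 + base)
        out.append(ch)
    return "".join(out)


def english_score(text):
    """Chi-squared distance from English letter frequencies, per letter.
    Lower means more English-like."""
    letters = [c for c in text.lower() if c in ENGLISH]
    n = len(letters)
    if n == 0:
        return float("inf")
    counts = Counter(letters)
    return sum((counts[c] - n * f) ** 2 / (n * f) for c, f in ENGLISH.items()) / n


def crack(ciphertext):
    """Try all 26 shifts; return (key, candidate, score, recognized)."""
    score, key = min((english_score(shift_letters(ciphertext, -k)), k)
                     for k in range(26))
    return key, shift_letters(ciphertext, -key), score, score < THRESHOLD


if __name__ == "__main__":
    for name, sample in (("english", ENGLISH_SAMPLE), ("random", RANDOM_SAMPLE)):
        key, _, score, ok = crack(shift_letters(sample, 13))
        print(f"{name}: best key={key} score={score:.2f} recognized={ok}")
```

With the English sample the search recovers the shift and the text; with random letters under the same cipher every candidate scores equally badly, so the "best" key carries no information.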

Faustus February 19, 2019 5:45 PM

@ Alyer Babtu

What one misses not being in school anymore! Your link leads to a fascinating book. It has a totally different perspective on proofs from my usual one, it is full of useful proof steps, and it is a limpid survey of so many areas of mathematics. Thanks for passing it along.

Of course, what I want my system to do is to intuit solutions from scratch. This book contrasts nicely with that mindset.

David Walsh February 19, 2019 11:47 PM

A brief news article about attribution by 'cyber defence' in Australia and how they tell it's a state actor. This is in the wake of supposed attacks on parliament house in Australia and both major parties - which was immediately suspected as being of China (of course).
They acknowledge that Australia does not have the skills to contend in a 'cyber war' scenario.

https://www.abc.net.au/news/2019-02-20/cyber-activists-or-state-actor-attack-how-experts-tell/10825466

Wesley Parish February 20, 2019 4:05 AM

@usual suspects

completely off the Wall, which while being Security Theatre, is not only bad security, it's also bad theatre - no one would pay five cents to see such a ghastly performance in any theatre house, and no respectable theatre house would survive putting on such a show full of whiny self-pitying characters such as Trump and Spence ... even Punch and Judy has a villainous villain!!!

As I say, getting back to the topic of security news:

Germany tells America to verpissen off over Huawei 5G cyber-Sicherheitsbedenken
https://www.theregister.co.uk/2019/02/19/germany_huawei_5g_security/

Although the German government meeting ultimately decided to take a diplomatic approach – neither rejecting nor approving Huawei – a clear indication that they are skeptical of American security claims came when German Data Protection Commissioner Ulrich Kelber pointedly noted in an interview with Handelsblatt that "the US itself once made sure that backdoor doors were built into Cisco hardware."
One thing I learnt at school was telling the truth meant you didn't have to remember everything.
The irony of course is that fears of undetectable state-sponsored spying across a network are credible only because the United States government managed to achieve exactly that through its National Security Agency (NSA).
An International Health Warning follows: Shooting oneself in the foot while said foot is firmly within one's mouth - even if one's tongue is equally firmly in one's cheek - can be fatal, particularly if you are using a shotgun or a Rocket Propelled Grenade.

And as proof there are sane people on the MBZ side:

Tomgram: Michael Klare, A Long War of Attrition
http://www.tomdispatch.com/post/176528/tomgram%3A_michael_klare%2C_a_long_war_of_attrition/

Certainly, given what’s publicly known about Chinese cybertheft activities, it’s reasonable for American officials to apply pressure on Beijing to curb the practice. However, the Trump administration’s drive to blunt that country’s technological progress is also aimed at perfectly legitimate activities. For example, the White House seeks to ban Beijing's government subsidies for progress on artificial intelligence at the same time that the Department of Defense is pouring billions of dollars into AI research at home. The administration is also acting to block the Chinese acquisition of U.S. technology firms and of exports of advanced components and know-how.
Living in a small agricultural nation I have observed New Zealand - and Australian - frustrations over the decades over the MBZ's insistence that everybody else except them reduce tariffs on agricultural goods. See above on International Health Warning. And people with working long-term historical memory may well remember the Soviet Union, as part of glasnost, loaning an institution in the MBZ their most advanced computer, and then when time came to return it, it ran afoul of MBZ export regulations - it was too advanced to be "exported" back to the Soviet Union.

1&1~=Umm February 22, 2019 1:29 AM

@ALL:

Privacy and 'Something to hide' argument and why Privacy is a 'human right',

https://kevq.uk/privacy-vs-i-have-nothing-to-hide/

Also getting rid of Android,

https://kevq.uk/why-im-ditching-android/

As a part of 'de-googling' an online life,

https://kevq.uk/category/de-googling

Worth reading even if you are not in the UK... which in this century so far has been the most surveillance intensive/person country in the world. Yes even more so by a long way than the USA, but China looks set to overtake before the middle of this year depending on who is making the claims and about which technology. It is getting increasingly difficult to tell not just because of 'secrecy' around state level hidden 'surveillance' on communications, but also on who decides what is 'private' and what is 'public' and why. Giving rise to questions such as, are privately owned and operated surveillance equipment systems, used on the public in spaces they freely use, and where the authorities have access to the output of such systems, really 'private or public' surveillance? Because the easy way to hide 'public' is to 'out source it' to a private company and call it 'private' even though it is paid for directly or indirectly through taxation or privatised revenue raising systems from the public.

For instance in the UK mass transport such as buses operated by private companies for public usage have CCTV cameras that have been used to raise revenue by traffic offense fines by private companies. Who make very large profits from them but are rarely subject if ever to independent legal or civil oversight.

More on UK surveillance,

https://bigbrotherwatch.org.uk/2018/01/the-surveillance-state-in-2018/

1&1~=Umm February 22, 2019 6:14 AM

@Bruce Schneier:

Let's see, Chinese New Year Full Moon just gone, and new picture down below...

What happened to the other hat?

1&1~=Umm February 22, 2019 6:28 AM

@ALL:

It would appear journalists are not being very investigating in these days of "click bait".

Unsurprisingly recruitment companies want to get "free advertising" and some increased level of "Brand Recognition" thus more candidates to push at more potential employers.

Nothing really surprising, quite a few companies do "infomercial" type advertising through journalists and has been going on for more than twenty years or so, especially in glossy mags.

But what about false or misleading research that plays to gender stereotyping issues?

Well yes it would appear that is exactly what some but not all recruitment companies are up to,

https://www.vox.com/2019/2/20/18232762/gender-diversity-tech-bad-research-recruiting-new-york-times

I would like to check the "methods and sources" as well but it appears that one has ceased trading under the name it used when publishing its headline-grabbing story, and for neither story can the methods be found...

The journalist does mention a third story, which produces different results, with the method used apparently available for review.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.