March 2006

Global secrets are poor security

From Bruce Schneier’s “The Keys to the Sydney Subway”:

Global secrets are generally considered poor security. The problems are twofold. One, you cannot apply any granularity to the security system; someone either knows the secret or does not. And two, global secrets are brittle. They fail badly; if the secret gets out, then the bad guys have a pretty powerful secret.

This is the situation right now in Sydney, where someone stole the master key that gives access to every train in the metropolitan area, and also starts them. …

Another problem with global secrets is that it’s expensive to recover from a security failure. …

A final problem with global secrets is that it’s simply too easy to lose control of them.


Four principles of modernity

From “Relativity, Uncertainty, Incompleteness and Undecidability”:

In this article four fundamental principles are presented: relativity, uncertainty, incompleteness and undecidability. They were studied by, respectively, Albert Einstein, Werner Heisenberg, Kurt Gödel and Alan Turing. …

Relativity says that there is no privileged, “objective” viewpoint for certain observations. … Now, if things move relative to each other, then obviously their positions at a given time are also measured relative to each other. …

Werner Heisenberg showed that if we built a machine to tell us with high precision where an electron is, this machine could not also tell us the speed of the electron. If we want to measure its speed without altering it we can use a different light but then we wouldn’t know where it is. At atomic scale, no instrument can tell us at the same time exactly where a particle is and exactly at what speed it is moving. …

If this system is complete, then anything that is true is provable. Similarly, anything false is provably false. Kurt Gödel got the intuition that traditional mathematical logic was not complete, and devoted several years to try to find one thing, a single thing that was inside the mathematics but outside the reach of logic. … Gödel’s incompleteness means that the classical mathematical logic deductive system, and actually any logical system consistent and expressive enough, is not complete, has “holes” full of expressions that are not logically true nor false. …

Turing’s halting problem is one of the problems that fall into the category of undecidable problems. It says that it is not possible to write a program to decide if another program is correctly written, in the sense that it will never hang. This creates a limit to the verification of all programs, as all the attempts at building actual computers, usable in practice and different from Turing machines, have been proved to be equivalent in power and limitations to the basic Turing machine.


Funes the Memorious, for real

From “New form of superior memory syndrome found”:

Scientists at the University of California-Irvine have identified the first known case of a new, superior memory syndrome.

Researchers Elizabeth Parker, Larry Cahill and James McGaugh spent more than five years studying the case of “AJ,” a 40-year-old woman with incredibly strong memories of her personal past.

Given a date, AJ can recall with astonishing accuracy what she was doing on that date and what day of the week it was. Because her case is the first of its kind, the researchers have proposed a name for her syndrome — hyperthymestic syndrome — based on the Greek word thymesis for “remembering” and hyper, meaning “more than normal.” …

“What makes this young woman so remarkable is that she uses no mnemonic devices to help her remember things,” said McGaugh.


The incompetent don’t know it

From “Unskilled and Unaware of It”:

It seems that the reason for this phenomenon is obvious: The more incompetent someone is in a particular area, the less qualified that person is to assess anyone’s skill in that space, including their own. When one fails to recognize that he or she has performed poorly, the individual is left assuming that they have performed well. As a result, the incompetent will tend to grossly overestimate their skills and abilities. A few years ago, two men from the Department of Psychology at Cornell University made an effort to determine just how profoundly one misoverestimates one’s own skills in relation to one’s actual abilities. They made four predictions, and executed four studies.

Justin Kruger and David Dunning made the following predictions before beginning their investigation:

  • Incompetent individuals, compared with their more competent peers, will dramatically overestimate their ability and performance relative to objective criteria.
  • Incompetent individuals will suffer from deficient metacognitive skills, in that they will be less able than their more competent peers to recognize competence when they see it–be it their own or anyone else’s.
  • Incompetent individuals will be less able than their more competent peers to gain insight into their true level of performance by means of social comparison information. In particular, because of their difficulty recognizing competence in others, incompetent individuals will be unable to use information about the choices and performances of others to form more accurate impressions of their own ability.
  • The incompetent can gain insight about their shortcomings, but this comes (paradoxically) by making them more competent, thus providing them the metacognitive skills necessary to be able to realize that they have performed poorly.

… In short, the study showed that the researchers’ predictions were spot-on. …

Also interestingly, the top performers tended to underestimate their own performance compared to their peers. The researchers found that those participants fell prey to the false-consensus effect, a phenomenon where one assumes that one’s peers are performing at least as well as oneself when given no evidence to the contrary.


How to really practice to get better

From “How to be an expert”:

Maybe the “naturally talented artist” was simply the one who practiced a hell of a lot more. Or rather, a hell of a lot more deliberately. Dr. K. Anders Ericsson, professor of psychology at Florida State University, has spent most of his 20+ year career on the study of geniuses, prodigies, and superior performers. In the book The New Brain (it was on my coffee table) Richard Restak quotes Ericsson as concluding:

“For the superior performer the goal isn’t just repeating the same thing again and again but achieving higher levels of control over every aspect of their performance. That’s why they don’t find practice boring. Each practice session they are working on doing something better than they did the last time.”

So it’s not just how long they practice, it’s how they practice. Basically, it comes down to something like this:

Most of us want to practice the things we’re already good at, and avoid the things we suck at. We stay average or intermediate amateurs forever.

Yet the research says that if we were willing to put in more hours, and to use those hours to practice the things that aren’t so fun, we could become good. Great. Potentially brilliant. We need, as Restak refers to it, “a rage to master.” That dedication to mastery drives the potential expert to focus on the most subtle aspects of performance, and to never be satisfied. There is always more to improve on, and they’re willing to work on the less fun stuff.


3500 forgotten cans

From “Mental Health Association of Portland”:

Over 3,500 copper canisters like these hold the cremated remains of patients of the Oregon State Hospital that went unclaimed by their families and friends. They sit on shelves in an abandoned building on the grounds of the Oregon State Hospital. They symbolize the loneliness, isolation, shame and despair too many patients of the hospital experienced.

Our members are helping find a final resting place for the remains. We have helped families find their lost relatives. We’re pressing the hospital and the state to create a suitable memorial. We’ve demanded former, current and future patients be advised and consulted about the creation of a memorial, its site, design and any ceremony.


From The New York Times’ “Long-Forgotten Reminders Of the Mentally Ill in Oregon”:

Next to the old mortuary, where the dead were once washed and prepared for burial or cremation, is a locked room without a name.

Inside the room, in a dim and dusty corner of one of many abandoned buildings on the decaying campus of the Oregon State Hospital here, are 3,489 copper urns, the shiny metal dull and smeared with corrosion, the canisters turning green.

The urns hold the ashes of mental patients who died here from the late 1880’s to the mid-1970’s. The remains were unclaimed by families who had long abandoned their sick relatives, when they were alive and after they were dead.

The urns have engraved serial numbers pressed into the tops of the cans. The lowest number on the urns still stored in the room is 01, the highest 5,118. Over the decades, about 1,600 families have reclaimed urns containing their relatives’ ashes, but those left are lined up meticulously on wood shelves. Short strips of masking tape with storage information are affixed to each shelf: “Vault #2, Shelf #36, plus four unmarked urns,” one piece of tattered tape says.

Most of the labels that once displayed the full names of the dead patients have been washed off by water damage or peeled away by time. Still, a few frayed labels are legible: among the urns stored on one shelf are a Bess, a Ben and an Andrew.


A 4000 year old ship in the desert

From “World’s oldest ship timbers found in Egyptian desert”:

The oldest remains of seafaring ships in the world have been found in caves at the edge of the Egyptian desert along with cargo boxes that suggest ancient Egyptians sailed nearly 1,000 miles on rough waters to get treasures from a place they called God’s Land, or Punt.

Florida State University anthropology professor Cheryl Ward has determined that wooden planks found in the manmade caves are about 4,000 years old – making them the world’s most ancient ship timbers. Shipworms that had tunneled into the planks indicated the ships had weathered a long voyage of a few months, likely to the fabled southern Red Sea trading center of Punt, a place referenced in hieroglyphics on empty cargo boxes found in the caves, Ward said.


Interesting way to acquire someone’s signature

From Simson Garfinkel’s “Absolute Identification”, chapter 3 of Database Nation:

Already, the United Parcel Service, the nation’s largest package delivery service, is also the nation’s leader in biometric piracy. For most packages, UPS requires that a signature be written to serve as proof of delivery. In 1987, UPS started scanning the pen-and-ink signatures recorded for each package delivery. These images were stored in a database and faxed to any person who called UPS’s 800 number and asked for a ‘proof of delivery’ receipt. In 1990, UPS improved its piracy technology by equipping its drivers with portable electronic computers called DIADs (Delivery Information Acquisition Devices). Each computer has a built-in bar code reader and a signature pad. When a delivery is made, the UPS driver scans the bar code on each package and then has the person receiving the delivery sign for the package. The bar code number and the handwritten signature are recorded inside the DIAD, and ultimately uploaded to the company’s databanks.

The push to make signatures available in electronic form came from UPS customers, Pat Steffen, a spokesperson for UPS, told me when I called the company to complain about the practices. Signatures are considered proof of delivery. Digitizing that proof allows UPS to manipulate it like any other digital data. The faxed proof-of-delivery certificates are sent automatically from UPS computers, she explained. It’s also possible for UPS customers to download tracking software and view the signatures directly on their personal computers.

Ironically, by making a person’s written signature widely available, UPS is helping to dilute the written signature’s very value. Once the signature is digitized, it’s easy to manipulate it further with a computer–for example, you can paste it at the bottom of a contract. UPS’s system is particularly vulnerable: any package can be tracked as long as you know the package’s airbill, and UPS issues its preprinted airbills in sequential order–for example, ‘0930 8164 904,’ ‘0930 8164 913,’ and ‘0930 8164 922.’ An attacker can easily learn a company’s UPS airbill, use that airbill to obtain a comprehensive list of every delivery recipient–and then make a copy of every recipient’s signature.

UPS understands the vulnerability, but it can’t address the problem very well. A note on the company’s web site says:

UPS authorizes you to use UPS tracking systems solely to track shipments tendered by or for you to UPS for delivery and for no other purpose. Any other use of UPS tracking systems and information is strictly prohibited.

But, realistically speaking, UPS can do little to prevent this kind of attack. ‘If someone wants to go out of their way to get package numbers, it can be done. If someone wants to go out of their way to do anything, I suppose that’s possible. It is not an easy thing to do,’ said Steffen. Guessing would be harder, of course, if UPS used longer airbill numbers and didn’t issue them in a predictable sequence.
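As an added illustration (constructed here, not Garfinkel's text or UPS's actual system), the Python below contrasts the two weaknesses the passage names: identifiers issued in a predictable sequence (the page's examples advance by 9, which the sequential issuer mirrors) versus identifiers drawn from a large random space, and a lookup that accepts the bare number versus one that also checks the shipper's account. The account names and the stride of 9 are assumptions.

```python
import secrets
import string

# Constructed example: identifier issuance policies and record lookup.
ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols


class SequentialIssuer:
    """Issues 11-digit identifiers in order, like the '0930 8164 904',
    '...913', '...922' series quoted above (stride of 9 is assumed)."""

    def __init__(self, start=9308164904, step=9):
        self.next_value = start
        self.step = step

    def issue(self):
        value = self.next_value
        self.next_value += self.step
        return f"{value:011d}"

    def space_size(self):
        return 10 ** 11


class RandomIssuer:
    """Issues identifiers chosen uniformly from a large space, so one valid
    identifier reveals nothing about its neighbours."""

    def __init__(self, length=20):
        self.length = length

    def issue(self):
        return "".join(secrets.choice(ALPHABET) for _ in range(self.length))

    def space_size(self):
        return len(ALPHABET) ** self.length


def expected_blind_guesses(issued, space_size):
    """Average random probes needed before one lands on a live identifier."""
    return space_size / issued


def constant_stride(identifiers):
    """Audit helper: returns the stride when consecutive numeric identifiers
    advance by a fixed amount (a sign of predictable issuance), else None."""
    try:
        values = [int(i) for i in identifiers]
    except ValueError:
        return None  # non-numeric identifiers cannot form an arithmetic run
    strides = {b - a for a, b in zip(values, values[1:])}
    return strides.pop() if len(strides) == 1 else None


class TrackingService:
    """Record store keyed by identifier. lookup_by_number is the weak design
    described in the text: possession of the number is the only credential.
    lookup_for_account also requires the caller to be the shipper."""

    def __init__(self):
        self._records = {}

    def record_delivery(self, identifier, shipper, recipient):
        self._records[identifier] = {
            "shipper": shipper,
            "recipient": recipient,
            "signature": f"<signature image of {recipient}>",  # constructed
        }

    def lookup_by_number(self, identifier):
        return self._records.get(identifier)

    def lookup_for_account(self, identifier, caller):
        record = self._records.get(identifier)
        if record is None or record["shipper"] != caller:
            return None  # same answer for unknown id and wrong owner
        return record
```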


Pi to unfathomable places

From “Man recites pi from memory to 83,431 places”:

A Japanese psychiatric counselor has recited pi to 83,431 decimal places from memory, breaking his own personal best of 54,000 digits and setting an unofficial world record, a media report said Saturday.

Akira Haraguchi, 59, had begun his attempt to recall the value of pi – a mathematical value that has an infinite number of decimal places – at a public hall in Chiba city, east of Tokyo, on Friday morning and appeared to give up by noon after only reaching 16,000 decimal places, the Tokyo Shimbun said on its Web site.

But a determined Haraguchi started anew and had broken his old record on Friday evening, about 11 hours after first sitting down to his task, the paper said. …

Pi, usually given as an abbreviated 3.14, is the ratio of the circumference to the diameter of a circle. The number has fascinated and confounded mathematicians for centuries.

Aided by a supercomputer, a University of Tokyo mathematician set the world record for figuring out pi to 1.24 trillion decimal places in 2002.


An interesting way to look at DRM

From “The Big DRM Mistake?”:

Fundamentally, DRM is about persistent access control – it is a term for a set of technologies that allow for data to be protected beyond the file system of the original machine. Thus, for example, the read/write/execute access control on most *nix file systems will not only be applicable to the original machine but to all machines.

Stated in these terms, I agree with the aims of DRM. However, it is the ways in which large media and software businesses have mis-applied DRM that have ruined the associations most users have with the technology.


What is a socio-technical system?

From “Why a Socio-Technical System?”:

You have divined by now that a socio-technical system is a mixture of people and technology. It is, in fact, a much more complex mixture. Below, we outline many of the items that may be found in an STS. In the notes, we will make the case that many of the individual items of a socio-technical system are difficult to distinguish from each other because of their close inter-relationships.

Socio-technical systems include:

Hardware. Mainframes, workstations, peripherals, connecting networks. This is the classic meaning of technology. It is hard to imagine a socio-technical system without some hardware component (though we welcome suggestions). In our above examples, the hardware is the microcomputers and their connecting wires, hubs, routers, etc.

Software. Operating systems, utilities, application programs, specialized code. It is getting increasingly hard to tell the difference between software and hardware, but we expect that software is likely to be an integral part of any socio-technical system. Software (and by implication, hardware too) often incorporates social rules and organizational procedures as part of its design (e.g. optimize these parameters, ask for these data, store the data in these formats, etc.). Thus, software can serve as a stand-in for some of the factors listed below, and the incorporation of social rules into the technology can make these rules harder to see and harder to change. In the examples above, much of the software is likely to change from the emergency room to the elementary school. The software that does not change (e.g. the operating system) may have been designed more with one socio-technical system in mind (e.g. Unix was designed with an academic socio-technical system in mind). The re-use of this software in a different socio-technical system may cause problems of mismatch.

Physical surroundings. Buildings also influence and embody social rules, and their design can affect the ways that a technology is used. The manager’s office that is protected by a secretary’s office is one example; the large office suite with no walls is another. The physical environment of the military supplier and the elementary school are likely to be quite different, and some security issues may be handled by this physical environment rather than by the technology. Moving a technology that assumes one physical environment into a different environment may cause mismatch problems.

People. Individuals, groups, roles (support, training, management, line personnel, engineer, etc.), agencies. Note that we list here not just people (e.g. Mr. Jones) but roles (Mr. Jones, head of quality assurance), groups (Management staff in Quality Assurance) and agencies (The Department of Defense). In addition to his role as head of quality assurance, Mr. Jones may also have other roles (e.g. a teacher, a professional electrical engineer, etc.). The person in charge of the microcomputers in our example above may have very different roles in the different socio-technical systems, and these different roles will bring with them different responsibilities and ethical issues. Software and hardware designed assuming the kind of support one would find in a university environment may not match well with an elementary school or emergency room environment.

Procedures. Both official and actual, management models, reporting relationships, documentation requirements, data flow, rules & norms. Procedures describe the way things are done in an organization (or at least the official line regarding how they ought to be done). Both the official rules and their actual implementation are important in understanding a socio-technical system. In addition, there are norms about how things are done that allow organizations to work. These norms may not be specified (indeed, it might be counter-productive to specify them). But those who understand them know how to, for instance, make complaints, get a questionable part passed, and find answers to technical questions. Procedures are prime candidates to be encoded in software design.

Laws and regulations. These also are procedures like those above, but they carry special societal sanctions if the violators are caught. They might be laws regarding the protection of privacy, or regulations about the testing of chips in military use. These societal laws and regulations might be in conflict with internal procedures and rules. For instance, some companies have implicit expectations that employees will share (and probably copy) commercial software. Obviously these illegal expectations cannot be made explicit, but they can be made known.

Data and data structures. What data are collected, how they are archived, to whom they are made available, and the formats in which they are stored are all decisions that go into the design of a socio-technical system. Data archiving in an emergency room will be quite different from that in an insurance company, and will be subject to different ethical issues too.


DRM Workaround #18: HP printer cartridges

From “Cartridge Expiration Date Workarounds”:

In light of the lawsuit against Hewlett-Packard over the expiration date of their cartridges, two ways to fix the problem:

1) Remove and reinsert the battery of the printer’s memory chip

2) Preemptive: Change the parameters of the printer driver

Search for hp*.ini … In it there is a parameter something like pencheck. It is set to 0100. … Set it to 0000 in the file and save the file and REBOOT.


More distribution channels = more viewers

From “NBC: iPod Boosts Prime Time”:

NBC’s “The Office” delivered a 5.1, its highest ratings ever, last Thursday among adults 18 to 49, a bump the network credits in large part to the show’s popularity as an iPod download. …

Such a connection between podcast success and broadcast ratings success is particularly significant because the NBC data is among the first available evidence of what network executives have been gambling on when striking their new media deals: that the new video platforms are additive because they provide more entry points into a show for consumers. …

NBC is confident that the iPod exposure contributed to the rise. …

The iTunes offering is bringing new audiences to the show that would not otherwise have watched, said Frederick Huntsberry, president of NBCU Television Distribution. “Consumers have choices, and we are not reaching all consumers with one technology,” he said.

iTunes is one way to bring fresh eyeballs to the network, he said, in particular the younger demo that uses video iPods. …

Yet ABC has also seen a ratings increase for its iTunes shows. To date since their debut on iTunes in October, both “Lost” and “Desperate Housewives” are up versus the same period last year. …

That growth and the knowledge that iTunes distribution possibly grew and certainly did not cannibalize ratings gave the ABC Disney Television Group the confidence to add another round of iTunes programs last week …


Did plague cause the Little Ice Age?

From BBC News’ “Europe’s chill linked to disease”:

Europe’s “Little Ice Age” may have been triggered by the 14th Century Black Death plague, according to a new study.

Pollen and leaf data support the idea that millions of trees sprang up on abandoned farmland, soaking up carbon dioxide from the atmosphere.

This would have had the effect of cooling the climate, a team from Utrecht University, Netherlands, says.

The Little Ice Age was a period of some 300 years when Europe experienced a dip in average temperatures. …

“Between AD 1200 to 1300, we see a decrease in stomata and a sharp rise in atmospheric carbon dioxide, due to deforestation we think,” says Dr van Hoof, whose findings are published in the journal Palaeogeography, Palaeoclimatology, Palaeoecology.

But after AD 1350, the team found the pattern reversed, suggesting that atmospheric carbon dioxide fell, perhaps due to reforestation following the plague.

The researchers think that this drop in carbon dioxide levels could help to explain a cooling in the climate over the following centuries.


Better technical security increases personal risks

From The New York Times’ “They Stole $92 Million, but Now What?”:

Just one week ago, Colin Dixon, the manager of a depot where bank notes are stored, was driving home on a quiet Tuesday evening when what he thought was a police car with flashing blue lights pulled him over.

It was the beginning, as it turned out, of Britain’s biggest ever cash caper. Seven days later, a staggering $92 million — around twice the previous record in a country that seems to specialize in mind-boggling robberies — seems simply to have disappeared.

The men who ordered Mr. Dixon, 51, to pull over were not police officers but hoodlums who bundled him into their Volvo and handcuffed him. According to police accounts, he was told that his wife, Lynn, 45, and son Craig, 8, would be shot if he did not cooperate.

Less than two hours later, more bogus police officers called at Mr. Dixon’s home in Herne Bay and told his wife that he had been in an accident. She and her son believed their story and walked into captivity. The family was reunited at a farmhouse, then driven to the depot at Tonbridge, in the county of Kent southeast of London, according to police accounts. Then their ordeal really began. …

The haul was enormous even by the standards of a land that likes to express its criminal landmarks through thefts of industrial proportions — more than twice the $45 million taken in a caper at Northern Bank in Belfast, Northern Ireland, in December 2004, at that time the biggest cash robbery on record. The Irish Republican Army was blamed for that robbery.

But one similarity between the robberies has raised worrisome questions about the way money is protected.

In both cases, employees and families were taken hostage, forcing managers to help the thieves. And so the most vulnerable point in guarding the cash has become the people who know the codes and procedures to bypass sophisticated security systems.

Such tactics “are part and parcel of the shift towards the technologized management of money,” said Tim Newburn, a professor of criminology at the London School of Economics.

According to the BBC, such abductions are known as tiger kidnappings, because the victims are stalked before they are seized. “Tiger kidnapping requires a detailed knowledge of staff — their journeys, their responsibilities and their families — which often comes with the help of a current or former employee.”

In other words, an inside job.
