Security Speedbumps

Software, more than most other things that are designed, tends to be designed by trial and error. That’s because it’s so easy to build a design to test it. Other engineers have to actually construct a prototype to test, so their time is better spent working out in advance whether the design is good enough.

This principle is responsible for the relative shoddiness of software.

It has been observed that this approach doesn’t work for security purposes, as there you’re concerned not with how your design responds to specific, or even random, stimuli, but with whether some stimuli can be constructed that will cause a misbehaviour. This is the concept of Programming Satan’s Computer, coined by Ross Anderson.

But software isn’t the only thing designed by trial and error. Any system that can evolve over time will basically be constrained by the requirement that it must appear to work. That constraint will keep most errors out, but not security flaws, just as conventional software testing keeps out most errors, but not security flaws.

There’s an unrelated concept in security of the “speedbump”. A speedbump is something that discourages people from doing something the designer doesn’t want them to do, by forcing them to undertake some procedure which shows unambiguously that they are doing what they’re not supposed to – like breaking an easily-breakable lock, or something. It doesn’t actually stop them from being able to do it, but it stops them pretending – even to themselves – that they’re not really doing anything they’re not supposed to.

Putting these two concepts together, a real-world security process that is preventing something virtually nobody really wants to do, and is evolving over time, will tend to end up as a speedbump. If it becomes less than a speedbump, it will no longer appear to work, so that won’t happen. But because the speedbump deters casual attackers, and virtually all attackers are casual, it will appear to work.

The one kind of person who shows up this kind of security speedbump is the person who, usually under the influence of alcohol, is too oblivious to be deterred by the speedbump. Back in the 1991 Gulf War, a man I knew slightly walked into the Ministry of Defence in London, wandered round some corridors, went into a random office and asked in alcohol-slurred cockney “What is this Gulf War all about then?”. Similarly, via Schneier, this story of a drunk man climbing over the perimeter fence and boarding a plane at Raleigh-Durham International Airport.

The fence is supposed to stop people from being able to board aircraft without passing through the proper security channels. It appeared to work, but only because nobody wanted to do it badly enough to actually climb the fence. The fence is a speedbump: entirely effective, except against terrorists and eccentric drunks.

This speedbump phenomenon is not the same as “Security Theatre”. Security theatre is generally a new measure introduced for show, which, while possibly effective against a narrowly-defined threat, is easily bypassed and not effective against a broader, more realistic range of threats. These speedbumps are more likely to be long-standing security measures, which are assumed because of their long standing to be working effectively.

The complaint is that if a decision is made that security must be improved, searching out and rectifying security speedbumps is likely to be less visible and obvious than installing new, showy, security theatre, even though it could be much more productive.

Therefore we are dependent on the eccentric drunks finding our speedbumps.

HDTV and Freeview

boingboing suggests that HDTV will flop and looks admiringly at the UK’s Freeview system.

Cory Doctorow overstates the case slightly:

1. Freeview is “standard definition”, but it is standard definition PAL, which is higher definition than the US and Canada’s NTSC. On paper the difference isn’t that huge, but subjectively to me it’s a very significant one – NTSC looks as much worse than normal as HDTV is better. Thus there is likely to be a bigger push for HDTV in NTSC countries than PAL ones.

2. Freeview exists by accident, as the original infrastructure was built as a subscription service by ITV Digital, which then went bust. Left with the infrastructure and proof that people weren’t willing to pay subscriptions for it, converting it to a free service made sense.

3. Freeview’s terrestrial broadcast signals don’t have 100% coverage – some remote areas are not covered. By British standards, probably 20% of the US population live in remote areas – the UK is smaller than Oregon.

Significant update: Further to point 3, I recently tried to pick up Freeview myself, as an alternative to my subscription-based cable service. What I found is that Luton is basically not covered. Luton is a town of 200,000 people, 35 miles or 30 minutes from central London, and I can’t pick up a signal. Asking around, quite a few people have tried, and given up and got cable or satellite. If I spend the equivalent of two years’ cable subscription on installing an antenna on a tall pole on top of the house, there is a chance I might be able to get a decent signal — but only a chance; there are two hills directly between the town and the nearest transmitter 22 miles away.

Insignificant update 14 years later: changed underscores to hyphens in the boingboing URL because why would a tech blog preserve link validity?

Newcomb, Voting, and Moist Robots

Patri Friedman points out in a comment that, since “correlation is not causation”, using the correlation between my vote and those of others to estimate an amplified effect for my vote is bogus.

Oh yes, so it is.

That almost disposes of the question. But my thought experiment about identical robots all voting the same way is still valid, I believe. And while I and some other voter I pick out are not robots and not identical, we are phenomena in a physical universe with some strong mechanical resemblances.

Like Newcomb’s paradox, it comes down to the nature of human choice. The traditional view is that each person is an independent entity that can make uncaused choices at any point in time.

That traditional view is implicit in the question, “what difference does it make whether I vote or not?”. The assumption is that, in imagination at least, we can hold the whole world constant and consider it with or without me voting.

As I have implied by talking about robots, the traditional view is not true. My mind is part of the world, and you cannot “hold the world constant” without holding my decision also.

One response to the problem is to say that the whole question is invalid, humans do not make choices, they are “moist robots” (as Scott Adams would say) following their predetermined programs.

But the question clearly is valid. We maybe cannot hold the world constant in every last detail while varying my decision, but surely we can come close enough for the question still to make sense. We will just have to assume some small changes to the world to be consistent with my decision being changed.

Now if we vary, for instance, how much of an idiot the candidate is, we will get an answer to my question very much greater than one. But that’s silly. Whatever the question really means (because I’ve demonstrated it’s not quite as unambiguous as it looks), it doesn’t mean that. Facts we have observed must be held constant.

It would be a more sensible interpretation of the question to, for instance, hold the universe outside my skin constant, while varying the inside as far as necessary to be physically consistent with different votes.

If we do that, then the answer we will come up with is that my vote makes exactly one vote of difference – the whole argument I made in the first place is wrong.

But varying my brain is not straightforward, even in principle, because it breaks continuity over time. In order to be imagining a physically possible universe that nonetheless is consistent with the history we have observed, I might have to vary unobserved facts that extend beyond my brain and body. Those facts may even extend into other voters’ brains and bodies, possibly giving me the >1 answer I wanted. This is what was nagging at me in the first place: the notion that “my mind” is not quite something that can have a neat boundary drawn around it, that it is some kind of extended phenotype. In the identical robots example, there is only really one mind, that is duplicated or distributed in space, which is why one decision produces many votes. As Dennett says in Freedom Evolves, “if you make yourself very large, you can internalize anything”. In order to internalize the decision to vote, that is, to be able to describe it as something I have done, might I need to make myself large enough that I overlap with others?

That is a coherent possibility, but it seems much more likely that to create the hypothetical implied by the original question, we could vary my vote without varying past observed facts by merely varying quantum randomness in my brain between now and when I vote, or, failing that, that varying unobserved facts in my brain back to my birth would be sufficient. In either case, 1 is a reasonable answer to the question “How many votes of difference does my decision to vote make?”.

Summary

The question is: How many more votes will my candidate get if I vote for him than if I don’t?

The question is too vague to give an absolutely rigorous answer – changing my vote requires, in order that physics be consistent, that other things (by implication, things that are too small for us to have observed) are changed also. Depending on which other things are changed, the answer possibly could vary.

However, there is a large probability that the most straightforward possible answer to the question is, one vote, meaning that unnoticeable changes inside my body are enough to change my vote without being inconsistent with the observed past.

I’m slightly disappointed (I liked the idea of getting free extra votes), but, on the other hand, the answer is the one that is consistent with “free will”, so if you’re insecure about whether you have free will, the answer is good news for you.

And I’m pretty sure I’m close to having a good answer to Newcomb’s paradox, which is the same kind of question. It’s an attempt to turn the question of free will into a motivated question. Asking about things like free will in the abstract tends to degenerate into arguing what the words mean, and unless there’s some reason to care, then one meaning is as good as another. Taking both boxes is an assertion that you have independent free will, and that you are not just a cog in a machine, but at the same time it’s a choice that matters and could cost you money if you’re wrong.

Job Losses

This is something that always irritates me:

Minister to fight for Alcoa jobs

Talks to save 298 jobs at the Alcoa aluminium plant in Swansea are under way following an announcement that the plant is to close in March.

298 jobs in 4 months’ time.

According to national STaTiSTiCS (sic) (and sick), 56,000 extra people entered employment over the last quarter.

Therefore, about 1000 new jobs were created per working day.

Also, that’s net of job losses. I don’t have a source for how many job losses there were per day over the quarter – all I can say is that there were a thousand more jobs created than were lost, per day on average.

And a government minister is spending effort on trying to do something about 298 of them. On current trends 70,000 new net jobs will be created between now and the time these 298 are laid off – is there nothing that could be done that might make that 70,500, swamping the effect of this one event? Some regulation that could be removed that might have that

Quote of the day

I am passionate about this! cried Tessa Jowell as she gave evidence on the London Olympics to MPs yesterday. And I thought, oh no, give me politicians who are not passionate; give me politicians who can add up.

Alice Miles in The Times

Clear thinking on IP

Patri Friedman precisely expresses my own views on intellectual property. I am not confident enough to come out entirely against IP, but I am doubtful of the benefits of having it at all.

The strongest – but not the only – argument against it, as I’ve said previously, is the cost of enforcing it. Friedman quotes Paul Phillip saying “Enforcing IP law in the 21st century will require government intrusion on a level we can barely imagine”.

I can see no argument against drastically reducing the term of copyright (here in the UK a bill is being proposed to increase the term), and no argument in favour of increasing the scope of IP law into areas such as film plots and fashion styles.

Like Patri Friedman, I have to accept that “you aren’t going to see a few people whip together Lord Of The Rings for fun anytime this century”. However, the feature film is one possibility among a huge range of possible styles of entertainment, and many of them, unlike feature films, can be produced incrementally. It doesn’t immediately occur to you that, faced with producing something on the scale of LOTR without copyright to give you return on your investment, you have the whole world of previously-produced films to use as raw materials. It is difficult to produce a feature film incrementally because you need to use the same actors all the way through, but animated films, for instance, do not present that same difficulty. It is clear we would lose some things without copyright, but it is not at all obvious what we might gain in return. In the cases of the proposed regimes for fashion or stories, however, we can say with confidence that nothing those industries have produced in the past could possibly have been created had the proposed regimes been in force at the time. Every film without significant exception has been derived from earlier stories, and every piece of clothing is derived from earlier garments.

Therefore, I suspect (but cannot prove) that the space of entertainment products that could be made without copyright but not with it, is much larger and more valuable than the space we are familiar with, of products that can be made with copyright but probably not without it.

Matthew Taylor

Tony Blair’s outgoing policy chief has said he fears the internet could be fuelling a “crisis” in the relationship between politicians and voters.

What is the big breakthrough, in terms of politics, on the web in the last few years? It’s basically blogs which are, generally speaking, hostile and, generally speaking, basically see their job as every day exposing how venal, stupid, mendacious politicians are.

He challenged the online community to provide more opportunities for “people to try to understand the real trade-offs that politicians face and the real dilemmas that citizens face”.

In one sense, he’s right: the big problems in politics are not about politicians, they are about competing and incompatible demands.

What prevents these difficult problems being even seriously addressed, however, is the venality, stupidity and mendaciousness of politicians.

It’s not the public who are ignoring the real issues, it is the politicians.

If we were to get politicians who were not venal, stupid and mendacious, the real difficult problems would not go away, but at least they could be faced.

The Freedom Bill

The Liberal Democrats are hardly really a party – they have no coherent political position, and no core of policies that their members and supporters share, but I think this initiative has not received the positive response it deserves:

Nick Clegg and the Liberal Democrats are proposing a Freedom Bill to sweep away unnecessary laws.

They list a “top 10”, including ID cards, restrictions on protests, control orders, indefinite DNA retention of innocent suspects, and so on.

They also ask for suggestions from the public.

BBC story

My voting paradox has a name

I learn from Chris Dillow that the question I asked about voting – “Is the fact that others’ votes are correlated with mine something I need to take into account when estimating the effect of my vote?” – is in fact a long-standing question with a name: Newcomb’s Paradox.

The questions are not quite identical – Newcomb postulates an entity called “the Predictor”, whereas I am working from the observed fact that opinion polls more or less work.

The question may come down to why Fred Bloggs’ vote is correlated with mine. I used a thought experiment in which Fred and I are identical robots being fed identical inputs, and our votes are correlated 100%. In that case, the correlation is due to the fact that the two votes are determined by the same inputs.

On the subject of free will, I take the view that what matters is whether my decisions are all determined by the world outside myself – and I think it’s pretty obvious that they usually aren’t, and that therefore I am free.

The fact that my actions are determined by the state of the world including myself is both trivial and uninteresting.

The bit that is interesting is “what am I”. The relevant answer is that I am a phenomenon of matter – that what I refer to above as the world outside myself must necessarily not include my brain and body. The reason this subject has caused confusion historically is that there was an assumption that my body was external to my self.

(There is much more to the answer than that, but that is the part that is relevant to questions of determinism and freedom).

Scott Adams is interesting on this, though he doesn’t yet get the point. I suspect he eventually will.