<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>miriku.com &#187; programming</title>
	<atom:link href="http://miriku.com/wp/category/computer/programming/feed/" rel="self" type="application/rss+xml" />
	<link>http://miriku.com/wp</link>
	<description>a website</description>
	<lastBuildDate>Sat, 19 May 2012 03:08:22 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>methematics</title>
		<link>http://miriku.com/wp/2011/01/lacant/</link>
		<comments>http://miriku.com/wp/2011/01/lacant/#comments</comments>
		<pubDate>Thu, 20 Jan 2011 05:53:09 +0000</pubDate>
		<dc:creator>.e</dc:creator>
				<category><![CDATA[computer]]></category>
		<category><![CDATA[programming]]></category>

		<guid isPermaLink="false">http://miriku.com/wp/?p=895</guid>
		<description><![CDATA[reading some lacan. i bring you a quote: human life could be defined as a calculus where zero was irrational. This formula is just an image, a mathematical metaphor. When I say &#8220;irrational&#8221;, I&#8217;m referring not to some unfathomable emotional state but precisely to what is called an imaginary number. the zero is precisely an [...]]]></description>
			<content:encoded><![CDATA[<p>reading some lacan. i bring you a quote:</p>
<blockquote><p>
human life could be defined as a calculus where zero was irrational. This formula is just an image, a mathematical metaphor. When I say &#8220;irrational&#8221;, I&#8217;m referring not to some unfathomable emotional state but precisely to what is called an imaginary number.</p></blockquote>
<p>the zero is precisely an irrational imaginary number, eh? the &#8220;precisely&#8221; is what makes it great to me. he&#8217;s not just wrong, he&#8217;s wrong and smug about it.</p>
<p>reminds me of TAing freshmen computer science classes. you&#8217;d have people who never wrote  a program in their life thinking that since it was confusing to them, it must be confusing to everyone else, when in reality it becomes clear as english after about a year of reading and writing it. kids screwing up their sentences then laughing it off as &#8220;objects, methods, who can tell the difference?&#8221;. </p>
]]></content:encoded>
			<wfw:commentRss>http://miriku.com/wp/2011/01/lacant/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>diafungusa</title>
		<link>http://miriku.com/wp/2010/09/diafungusa/</link>
		<comments>http://miriku.com/wp/2010/09/diafungusa/#comments</comments>
		<pubDate>Thu, 23 Sep 2010 15:03:10 +0000</pubDate>
		<dc:creator>.e</dc:creator>
				<category><![CDATA[programming]]></category>

		<guid isPermaLink="false">http://miriku.com/wp/?p=669</guid>
		<description><![CDATA[there&#8217;s a project called diaspora that&#8217;s trying to write the open source facebook, except that&#8217;s going to completely respect privacy issues and shit unicorns. so the diaspora code got released just a bit ago and unsurprisingly it&#8217;s a security nightmare. if in the year 2010 you are trusting _GET passed item ids with no authorization [...]]]></description>
			<content:encoded><![CDATA[<p>there&#8217;s a project called diaspora that&#8217;s trying to write the open source facebook, except that&#8217;s going to completely respect privacy issues and shit unicorns. </p>
<p>so the diaspora code got released just a bit ago and unsurprisingly it&#8217;s a security nightmare. if in the year 2010 you are trusting _GET passed item ids with no authorization checking, you shouldn&#8217;t be writing anything that&#8217;s not a dream diary, much less trying to create the secure/privacy respecting facebook replacement. </p>
<p>hits up against that whole &#8220;just because you have good intentions, doesn&#8217;t mean that your actions are improving the world&#8221; thing. it&#8217;s surprisingly hard to realize your own limitations and what things you&#8217;re not capable of doing well. unfortunately with matters of security there is an objective test of your abilities, and diaspora is currently profoundly failing it. </p>
<p> &#8211; - </p>
<p>totally unrelatedly, i&#8217;ve been trying to run a minecraft server on a 12 year old laptop (hi nando) and oh man is it making some fascinating noises as the drive is thrashing every which way.</p>
<p> &#8211; -</p>
<p>surrealistic mood indicator:<br />
<img src="http://d.yimg.com/a/p/rids/20100919/i/r4044352437.jpg?x=400&#038;y=258&#038;q=85&#038;sig=42Rqd6_IHL97ub1s8kFZgA--"></p>
]]></content:encoded>
			<wfw:commentRss>http://miriku.com/wp/2010/09/diafungusa/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Exploiting Trust: Vulnerabilities in Social Media</title>
		<link>http://miriku.com/wp/2010/02/exploiting-trust-vulnerabilities-in-social-media/</link>
		<comments>http://miriku.com/wp/2010/02/exploiting-trust-vulnerabilities-in-social-media/#comments</comments>
		<pubDate>Sat, 13 Feb 2010 03:08:12 +0000</pubDate>
		<dc:creator>.e</dc:creator>
				<category><![CDATA[culture]]></category>
		<category><![CDATA[programming]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[attacks]]></category>
		<category><![CDATA[buzz]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://miriku.com/wp/?p=472</guid>
		<description><![CDATA[A list of attacks possible in our over-trusting social media sphere.]]></description>
			<content:encoded><![CDATA[<p>Right now social media, security wise, is exactly where the internet was in the mid 90s: we&#8217;re excited, we&#8217;re adding functionality, we&#8217;re connecting to everyone, and we&#8217;re assuming that everyone else is as excited and good willed as us. In other words, we&#8217;re trusting.</p>
<p>Much like early websites, built by enthusiasts (in all the negative connotations of this word), our current approach to distributing information about us has very little security precautions. This is partly because we don&#8217;t really understand the scope of our actions, partly because what we&#8217;re writing is free content for the social media sites: the more we write and the more people read it, the higher the value of their website.</p>
<p>This isn&#8217;t an attack on any specific protocol, site, or network, though I will discuss a few, but rather a general discussion of our attitude. I realize I&#8217;m writing this 1 day after the launch of Google Buzz, but all of these vulnerabilities existed previously as well; Google&#8217;s ubiquity and its attempt to centralize all of it just make them more obvious.</p>
<p>One great example of trust is the hash tag mechanism on Twitter. Companies are using hash tags to foster conversation about themselves without any thought about the lack of moderation in the medium. A corporation that would instantly file a cease and desist against a website that made claims in its name in official-looking type is more than happy to lend legitimacy to &#8220;its&#8221; hash tag by having reps post to it from their Twitter accounts. This creates a trusted space with absolutely no access control, as anyone can post using any hash tag.</p>
<p>If an attacker waits for this company name hash tag to achieve legitimacy and a crowd of followers, all she has to do is to push enough posts quickly enough to cause a (pardon) buzz and an instant bad press rumor is launched. There are plenty of forums that can (and off the top of my head 4chan, digg, and reddit have) push enough posts to create a trending rumor out of the blue, especially as the retweets from confused readers begin and take over the process. Since Twitter provides an API, this could also be done by a bored single person who created a few thousand accounts for himself with a CAPTCHA breaker and can write scripts. By endorsing these open hash tags, companies are basically giving the world at large the ability to speak in their voice.</p>
<p>Companies also have taken to displaying screens with their hash tags displayed as scrolling searches in their lobbies (or in one case in San Diego, on a large TV behind the bar). The lack of moderation means that anyone can post ads for their competitors, or simply embarrassing content in order to hurt the brand name. There is no way to stop this content from being posted to the hash tag, and short of closing the feed, no way to remove it. Some of the software goes as far as displaying images inline, ways to prank this are left as an exercise for the readers.</p>
<p>On the complete opposite side of this target space are personal social media attacks. A casual glance at facebook, twitter, and buzz feeds shows that we treat these websites like personal conversation tools, not billboards for all to see. Things that we&#8217;d never plaster over our house, like &#8220;I&#8217;ll be gone on vacation for 7 days so no one is home&#8221;, we&#8217;re more than happy to put online on a site that also has our address. We fight like mad against the invasive nature of omnipresent cameras while tweeting our exact location every 30 minutes in order to get Foursquare points, with absolutely no sensation of irony.</p>
<p>Google Buzz, which by default appends map information if posting by phone, makes this even more obvious. A chatty person involved in a back and forth might leave a complete trail of where they were at near constant intervals in their day. While I grant that this lack of privacy is not catastrophic in and of itself, a criminal with a smart phone and access to the &#8220;local buzzes&#8221; feature would be able to have up to the minute reports of who is where, who just went to the atm, who is bringing home a new expensive TV (and where exactly are they plugging it in), and with a trip to the airport, a constant feed of people excited to be going away for a few days.</p>
<p>The last in particular highlights that we have not reached the point that caused the tip towards security on the net: automation of attacks enough to let every Joe the Script Kiddy do harm. Currently an attacker would have to go to the airport, set up a laptop, pull buzzes of people leaving or arriving, compare it to their previous buzzes and figure out their home address. However, all of the above can be converted into a simple application which performs all these steps in a few seconds, something which we&#8217;ll playfully call iBurglar. Once it&#8217;s an easy to use app, available for download, we might start to see action from the social media websites.</p>
<p>We also do not realize how permanent the things we write on these websites are and how trivial searching them has become. A search on social sites for phrases related to drug use (try 420) shows people more than happy to discuss illegal actions in criminally implicating ways. And this time, unlike phone or txt messages, we can&#8217;t even begin to claim an expectation of privacy; we are literally posting it for everyone to see. There was recently a news story about a bail-hopper who was caught because cops recognized the resort in the background of his new Facebook profile photo. This didn&#8217;t even require a warrant; it was a public photo.</p>
<p>It&#8217;s easy to dismiss examples like that, and all the previous ones, as the fault of the users, but users assume privacy and assume good intention. Currently the social media is a giant space completely open to attack, and our current open-by-default approach is not sustainable. It is the responsibility of social media designers to create mediums that steer users into safe behaviors and quite literally to protect them from themselves, while at the same time balancing the needs of their shareholders and advertisers. It&#8217;s an interesting future, no doubt.</p>
]]></content:encoded>
			<wfw:commentRss>http://miriku.com/wp/2010/02/exploiting-trust-vulnerabilities-in-social-media/feed/</wfw:commentRss>
		<slash:comments>9</slash:comments>
		</item>
		<item>
		<title>defending the unthinkable</title>
		<link>http://miriku.com/wp/2010/02/defending-the-unthinkable/</link>
		<comments>http://miriku.com/wp/2010/02/defending-the-unthinkable/#comments</comments>
		<pubDate>Tue, 09 Feb 2010 20:56:28 +0000</pubDate>
		<dc:creator>.e</dc:creator>
				<category><![CDATA[computer]]></category>
		<category><![CDATA[geek]]></category>
		<category><![CDATA[programming]]></category>
		<category><![CDATA[college]]></category>
		<category><![CDATA[computers]]></category>
		<category><![CDATA[dijkstra]]></category>
		<category><![CDATA[thinking]]></category>

		<guid isPermaLink="false">http://miriku.com/wp/?p=468</guid>
		<description><![CDATA[the "thinking computer" is just a language illusion. it's not real and it will never be real.]]></description>
			<content:encoded><![CDATA[<p>i went to college with the intent to major in computer science and design a computer that thinks. pretty ambitious, but computer power was and is flying up and after all, kurzweil says it&#8217;ll happen in 2030 or whatever is his hypothesis now, so it would be in my lifetime. as perfect time as there could be for it.</p>
<p>along the ways i ran into a single quote from the 70s that completely stopped me.</p>
<blockquote><p>&#8220;The question of whether a computer can think is no more interesting than the question of whether a submarine can swim&#8221; &#8211; Edsger Dijkstra</p></blockquote>
<p>in one sentence it summarized for me that &#8220;thinking computer&#8221; is just a language illusion. it&#8217;s not real and it will never be real.</p>
<p>a computer will never think in the same way a submarine will never swim. swimming is what living things do, a submarine instead &#8216;propels itself through water&#8217;. a computer will never &#8216;think&#8217;, it will &#8216;perform computations in order to arrive at conclusions&#8217;. which, guess what, they already do and have been for ages.</p>
<p>the machine that people would agree is a &#8220;thinking computer&#8221; would be one that can feature a display of a pleasant cartoonish face that, when computing, would furrow its brow and make &#8220;hmm&#8221; noises. while an interesting task and a cognitive/behavioral challenge, it&#8217;s not a computer science problem.</p>
<p>the better goal i learned in compilers: we should be working to precisely define problem spaces where computers can help with decision making, and then writing better and more robust expert systems (by whatever buzzword they&#8217;re going by nowadays) that can read data about the situation, and suggest or perform actions in response. not as glamorous as &#8216;thinking&#8217;, but infinitely more useful.</p>
]]></content:encoded>
			<wfw:commentRss>http://miriku.com/wp/2010/02/defending-the-unthinkable/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>the maliciousness of crowds</title>
		<link>http://miriku.com/wp/2009/11/the-maliciousness-of-crowds/</link>
		<comments>http://miriku.com/wp/2009/11/the-maliciousness-of-crowds/#comments</comments>
		<pubDate>Thu, 26 Nov 2009 03:25:30 +0000</pubDate>
		<dc:creator>.e</dc:creator>
				<category><![CDATA[culture]]></category>
		<category><![CDATA[programming]]></category>
		<category><![CDATA[crowds]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://miriku.com/wp/?p=428</guid>
		<description><![CDATA[if there is one thing that programmers can almost uniformly be accused of is coding for the best case: wanting to write programs designed around all things behaving correctly every time. one random facet of this is the assumption that crowds and their voting can be trusted to behave in a productive way. let&#8217;s say [...]]]></description>
			<content:encoded><![CDATA[<p>if there is one thing that programmers can almost uniformly be accused of is coding for the best case: wanting to write programs designed around all things behaving correctly every time.</p>
<p>one random facet of this is the assumption that crowds and their voting can be trusted to behave in a productive way. let&#8217;s say you have a website where people vote on who is the best poster / reviewer / uploader / whatever, and rewards them in some way. simple to implement, simple to test, and you&#8217;re done, right?</p>
<p>well, never underestimate the willingness of crowds to behave maliciously. getting 1000 people to do a prank on a system like that is trivial, and it&#8217;s even easier to get one person with a bunch of zombie machines all over the planet.</p>
<p>attacks like this are really common: websites raid amazon review / recommendation pages for fun, 4chan obliterated a &#8220;person of the year&#8221; TIME poll, and twitter &#8220;trending topics&#8221; seem to be raids more often than not.</p>
<p>the last one in particular strikes me as funny. businesses are now using personal hash tags to let people talk about them using hashtags, and in some cases display the results real time in the lobby or on their page. i&#8217;m astounded at this. all it takes is one message board post asking everyone to twitpic porn to the hashtag and voila, instant PR disaster.</p>
<p>always program for the worst case, not the best case. unless you have some method to block them, assume that at any point in time there are thousands of bored suburban teenagers who would love to abuse any ranking system you have for laughs.</p>
]]></content:encoded>
			<wfw:commentRss>http://miriku.com/wp/2009/11/the-maliciousness-of-crowds/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>work pair of dimes</title>
		<link>http://miriku.com/wp/2009/10/work-pair-of-dimes/</link>
		<comments>http://miriku.com/wp/2009/10/work-pair-of-dimes/#comments</comments>
		<pubDate>Fri, 02 Oct 2009 06:09:55 +0000</pubDate>
		<dc:creator>.e</dc:creator>
				<category><![CDATA[music]]></category>
		<category><![CDATA[programming]]></category>
		<category><![CDATA[development]]></category>
		<category><![CDATA[email]]></category>
		<category><![CDATA[scrum]]></category>
		<category><![CDATA[xp]]></category>

		<guid isPermaLink="false">http://miriku.com/wp/?p=358</guid>
		<description><![CDATA[paradigms for work are often just "this is a set of rules that worked for me, a random person". don't be afraid to modify them as you see fit]]></description>
			<content:encoded><![CDATA[<p>never forget that all the work paradigms that you&#8217;ve ever been taught or forced into (in case of programming, things like extreme programming or scrum) aren&#8217;t some sort of mathematically proven theorems or empirically checked models. they&#8217;re simply one guy&#8217;s idea of how a group should work, that happened to work in his group.</p>
<p>if you find yourself constantly striving to match a paradigm, back up. maybe you&#8217;re not really meant to work that way. do you have something that works for you?</p>
<p>keep in mind though, some people really might not have a method that works, in which case anything that involves structure might be beneficial.</p>
<p>one random example from my own life: my email. i spent a stupid amount of time attempting to stay on top of sorting email because i was told at one point that organized email is important. i tried tags, rulesets in the hundreds, smart folders, all at the same time, and the results were dismal. best part? i never used it. i never once said to myself &#8220;oh, i need this communication from the prime minister of ukraine, let me look under &#8220;prime ministers&#8221;, tagged &#8220;ukraine&#8221; &#8220;. no, i&#8217;d just go to the search bar, click &#8220;From&#8221; and type <a href="mailto:ytymoshenko@gmail.com">ytymoshenko@gmail.com</a>. ta-da.</p>
<p>new solution? 4 inboxes (i have 4 mail aggregating accounts), total of 2 regular folders marked &#8220;important&#8221; and &#8220;not&#8221;, and 1 smart folder. the rule for the smart folder is:<br />
- if the email is unread, or the email is in folder important, show it.</p>
<p>the only folder i look at is the smart folder. all unread emails are in there and disappear after they&#8217;re read (technically, they disappear after i close the window, which i do as soon as i&#8217;m done looking at mail), unless they&#8217;re something relevant in which case i drag them to the &#8220;important&#8221; folder. once they&#8217;re solved/answered, they&#8217;re dropped in &#8220;not&#8221;. every blue moon i drag all emails from the inboxes to the &#8220;not&#8221; bin, just in case things go bad if the inbox gets too large.</p>
<p>that&#8217;s really all i need from email, it works with my actual work flow, and actually uses that CPU power this machine has. i imagine this would work even better with gmail, but at work we have lolexchange so eh.</p>
<p>different example of this: i have a bizarre music writing method. i work in these bursts where i write and record for about 5 hours straight, in which time i like to be alone with no one listening, then when done, i leave it alone for a week while sending it to half the people on my IM list to ask for opinions on what they think of it and where it should go</p>
<p>somehow the conversation process is what lets me mentally decide where it needs to go. it&#8217;s silly, but songs which i don&#8217;t talk about end up piling up as minute long fragments that never went anywhere. songs i do, end up growing into actual songs. well, not immediately. they go through a bunch of cycles of this. some more than others.</p>
<p>(btw, apologies if you happen to be on the &#8220;hey can you tell me if this works? what do you think of the cut up trumpet loop?&#8221; list and are annoyed by it. just let me know, i won&#8217;t be offended)</p>
<p>in any case, yes, don&#8217;t get obsessed with following footsteps of others, just set a similar goal to what they had and find what manner of movement works best for you. but don&#8217;t use that as an excuse to be lazy either.</p>
]]></content:encoded>
			<wfw:commentRss>http://miriku.com/wp/2009/10/work-pair-of-dimes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

