Friday, September 19, 2014

Why I Am Not An Early Adopter

I'm a gadget person. I used to run out and buy the latest gadgets. Here are a few reasons why I don't do that any more.

  1. They're expensive. Makers of gadgets spend tens of millions of dollars (or yen, or deutsche marks, or euros) on designing, developing, implementing, and testing their latest toys. Investors want to see those toys turn a profit in a year or less. Easy math says that one million people buying a $600 iPhone on the first day should pretty much cover it. Not so fast. Most of that $600 goes to pay for marketing, advertising, distribution, and the cost of sales. Those big, bright Apple stores in shopping malls and other prime locations aren't cheap. My educated guess is that less than $50 of the iPhone's sale price is profit. That's not even as much profit margin as grocery stores make. Gadget makers that lose money on a new product release won't be around for very long.
  2. Bugs. Every new gadget has bugs. No exceptions. In some cases, it's something the manufacturers just can't help. Makers like Apple and Sony test their products for months. They test every scenario they can possibly come up with. Then they release the product and it still has bugs. That's because they can't reproduce the millions and millions of different situations that we humans will experience when we use their gadgets. They also can't test for long term conditions because then they would never release their products. Other makers, like Microsoft and Samsung, do limited testing and then throw the product over the wall. They are relying on you to find their bugs and complain about them. Then they will spend a month figuring out how to fix it, do some more limited testing, and throw the fix over the wall again. That's why Microsoft bug fixes tend to create more bugs. They don't do extensive regression testing.
  3. Limited new bells and whistles. Let's face it, we are becoming technically saturated. There just wasn't that big of a difference between the iPhone 4s and the iPhone 5s. People seem to have jumped right from the Samsung Galaxy S3 to the Samsung Galaxy S5, skipping the Galaxy S4. One reason for this is that gadget makers have to stay fresh in people's minds. Motorola was king of the 12-keys for a while with the Razr series. Along came Android and Motorola failed to respond with a smartphone. They still dominate the 12-key arena, but that is now a tiny part of the cell phone market. (Full disclosure: Motorola has a history of doing that.) Microsoft and Sony own the game console arena because Nintendo and Sega failed to keep up. (No, Wii can't survive on the strength of Mario Kart alone.) In some cases, Windows for example, the new shiny thing is that it doesn't suck as much as its predecessor.

I like early adopters. They help bring down the prices of gadgets more quickly than would happen otherwise. I like the fact that there are more and more early adopters. Seeing lines wrapped around the block at Apple stores with people waiting for days sometimes makes me happy. In 6 months, I'll grab an iPhone 6 for a fraction of what they are paying now, and it will be relatively bug-free.

Keep on adopting!

Saturday, September 6, 2014

You've Been Hacked!

In the great celebrity naked picture hack event of 2014, there were two sides to the reaction.

  1. It's their own fault for having naked pictures of themselves on their phones.
  2. It's not their fault. They should be able to put whatever they want on their phones.
They're both right. (Thanks for not equivocating, Steve!)

It is their fault for having naked pictures, or any other private data on their phones without adequately protecting them. That's like saying that it's not your fault that you left your front door open and thieves took off with your big screen TV. Technically, it's not your fault, but your stuff is still gone, and if you do it again, more of your stuff will get gone. Lament the downfall of modern civilization if you will, but lock up your shit.

The real problem is passwords. It is a model that was proven to be broken years and years ago. So here we are at, "it is and isn't the celebrities' fault." Unless you just got on the Internet yesterday (welcome!), you should know better than to use your aunt's birthday, the name of your pet, or "happy79" for your password. The mere fact that hackers got into their phones before they were old enough that no one wanted to see naked pictures of them means that they were using weak passwords. But, here's the thing: the fact that you can use a weak password at all is a problem with passwords themselves. The password model is an impediment to using strong passwords. In the heat of the moment, when you absolutely have to show your latest naked selfie to your boyfriend, you aren't going to remember the 16 character string of random letters, numbers, and symbols you used to create your iCloud password. And if you are using the best practice of never using the same password twice, you will have to dredge up which password you used on which account. Definite mood-killer.

So, what is the answer, Steve? You're doing a lot of bitching about passwords, but you're woefully short on solutions.

Mea culpa on the bitching part, not so much on the solutions part.

The solution is a system made up of known strong security measures, combined in such a way that your average naked selfie taker (or online banker/shopper) is going to use it because it is simple to use. It would have to be simpler to use than passwords, which sets the bar pretty low. The system is a combination of

  1. Zero knowledge proof authentication.
  2. Strong cryptographic signing.
  3. Public key cryptography.
Well, Steve, that doesn't sound simple at all. It's not technically simple, but it is simple for users. It works like this:

Sally gets online and wants to check her bank balance. She has previously set up a couple of things with her bank. A public key, which is just a set of random numbers that identifies her. Instead of her username being "SallyMae1983," it will be something like
lQO+BFPOiY0BCADyCJ1GtQ3oVeLFVOEwlqvNmvDGHc5SlBPWgA
"But wait, Steve, you said this would be simple." It is, actually, because Sally will never have to remember it. It will get created and stored on her computer and the browser, or whatever else she's using, will know where to get it and hand it to the bank. And good luck Mr. Black Hat Hacker with trying to guess that one.

The second thing she set up with her bank was a passphrase. I'm not being disingenuous here. A passphrase, unlike a password, can be anything you want it to be. It could be Hamlet's soliloquy, or the words to your favorite song. The longer the better, but since you don't have to remember it, it can be anything at all, even "happy79." The secret to all of this is that you never, ever send your passphrase to the bank after you set it up in the first place.

So, Sally gets on her browser and her browser knows how to present her key, and the bank uses that to know that it is Sally. Now, the bank sends some data, called salt, which is different every time Sally logs on, back to her browser and the bank and the browser go to work performing some complex cryptographic math on Sally's passphrase and the salt. When they are both done, they will exchange their answers, and if they both got the right answer, the bank will let Sally in, and Sally will know that it's actually the Bank, and not some phishing site. Sally never actually sent her passphrase, she just proved to the bank that she knew it, and the bank proved to her that it knew it as well. That's called zero knowledge proof.
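The login exchange described above, as an added example written for this post (not the author's own system): both sides hold a key derived from Sally's passphrase at setup, the bank sends a fresh challenge each login, and each side proves knowledge of the key with an HMAC, so the passphrase itself never crosses the wire. The class names, the role labels in the HMAC and the use of PBKDF2 and HMAC-SHA256 are this example's assumptions.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # assumed stretching cost for the one-time setup step


def derive_key(passphrase: str, enrol_salt: bytes) -> bytes:
    """Stretch the passphrase once, at setup, into a fixed-size secret key.
    Both Sally's browser and the bank store this key, not the passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), enrol_salt, KDF_ITERATIONS)


def proof(key: bytes, role: bytes, challenge: bytes) -> bytes:
    """HMAC over a role label and the fresh challenge. Binding the role means a
    proof produced by the bank cannot be reflected back as a client proof."""
    return hmac.new(key, role + b"|" + challenge, hashlib.sha256).digest()


class Bank:
    def __init__(self):
        self.accounts = {}   # public identifier -> derived key
        self.pending = {}    # public identifier -> outstanding challenge

    def enrol(self, identity: bytes, passphrase: str) -> bytes:
        enrol_salt = os.urandom(16)
        self.accounts[identity] = derive_key(passphrase, enrol_salt)
        return enrol_salt    # returned so the client can derive the same key locally

    def start_login(self, identity: bytes) -> bytes:
        if identity not in self.accounts:
            raise KeyError("unknown identity")
        challenge = os.urandom(32)   # different every login, so a captured answer is useless later
        self.pending[identity] = challenge
        return challenge

    def finish_login(self, identity: bytes, client_proof: bytes):
        challenge = self.pending.pop(identity, None)
        if challenge is None:
            return None      # no outstanding challenge (already used, or never issued)
        key = self.accounts[identity]
        expected = proof(key, b"client", challenge)
        if not hmac.compare_digest(expected, client_proof):
            return None      # wrong passphrase, or a replayed answer to an old challenge
        return proof(key, b"bank", challenge)   # now the bank proves itself to Sally


class Browser:
    def __init__(self, identity: bytes, passphrase: str, enrol_salt: bytes):
        self.identity = identity
        self.key = derive_key(passphrase, enrol_salt)   # kept on the device, as the post describes

    def login(self, bank: Bank) -> bool:
        challenge = bank.start_login(self.identity)
        bank_proof = bank.finish_login(self.identity, proof(self.key, b"client", challenge))
        if bank_proof is None:
            return False
        # Sally's side checks that the bank knows the key too; a phishing site fails here.
        return hmac.compare_digest(bank_proof, proof(self.key, b"bank", challenge))


def demo() -> tuple:
    """Returns (genuine login ok, impostor rejected, phishing bank rejected)."""
    identity = b"lQO+BFPOiY0BCADyCJ1GtQ3oVeLFVOEwlqvNmvDGHc5SlBPWgA"   # Sally's public identifier
    bank = Bank()
    enrol_salt = bank.enrol(identity, "happy79")          # weak passphrase, but never transmitted
    sally = Browser(identity, "happy79", enrol_salt)
    impostor = Browser(identity, "happy78", enrol_salt)   # knows the identifier, not the passphrase
    fake_bank = Bank()                                    # a site that never learned Sally's key
    fake_bank.enrol(identity, "guess")
    return sally.login(bank), impostor.login(bank), sally.login(fake_bank)
```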

The idea works even better on smartphones. The key and the passphrase can be stored in a very secure location on the device's SIM card. If you lose your phone, the SIM card can be remotely wiped. Paris Hilton's contact list would have never ended up on Reddit.

"So, Steve, when is the world going to get this technological marvel?"

I'm working on it. Stay tuned.

Monday, August 25, 2014

Hackers are jerks.

I wish the news media would stop romanticizing hackers. There are two kinds of hackers. The first variety are thieves, the second variety are juveniles of all ages with a roaring case of Asperger's, or as they are sometimes known, basement dwellers.

The news media labels certain hacker groups as "hacktivists," Anonymous being the most well-known. Anonymous is best known for breaking into Sony's PlayStation Network a couple of years ago and stealing millions of credit card numbers. They were romanticized as some kind of geeky David taking on the evil corporate Goliath, Sony. Stupid. They didn't steal from Sony, they stole from us. In that, they are no better than a common burglar. They are lesser known for taking down Freedom Hosting on Tor last year. Freedom Hosting was home to a huge amount of illegal pornography. Their aim appeared to be noble, but who made them the Internet police? Their motto is, "We do what we want because we can." Their avatar is the Guy Fawkes mask from the movie "V." Not noble. Just belligerent.

This past weekend a group calling themselves "Lizard Squad" launched a DDoS attack on the Sony PlayStation Network and Microsoft's Xbox Live. They also twittered a bomb threat against the President of Sony. This group is of the second variety. Their attack had no purpose other than to gain bragging rights. They didn't hurt Sony or Microsoft, and as far as anyone knows, they weren't able to steal anything. The only thing they did was annoy a bunch of gamers. So they were just a bunch of jerk-offs with too much time, and probably money, on their hands. An attack that size is more than you can do with a PC botnet. These guys had to have some serious server horsepower and big network pipes.

Hackers aren't cool. They aren't mysterious or exotic. They aren't even very tech-savvy. They know a few things about system weaknesses and how to exploit them. They have about a half-dozen hacks in their bag of tricks, and all they do is put them together in various ways. Think about it. Their number one tool is called a brute force attack, which consists of trying as many passwords as they can until they find someone who used their grandmother's birthday or the name of their cat. Not elegant. Not exotic. Just brain-dead thumping and taking advantage of something stupid someone else did.

Thursday, August 14, 2014

Makes Me Wonder

As I wander around in security and crypto land, I become more and more aware that even the people who know something about computer security and try to do things to enhance it are possibly living in a fool's paradise. (I can't think of that phrase without bringing to mind the old lady with the Yankee accent in the Swiffer commercial.)

Many (most?) people know about HTTPS. Even if they don't know it by name, they have been educated to some extent to look for it in their browser location bar, or to look for the helpful lock icon on Firefox and IE, or the key icon on Chrome. If you didn't know about it before, you do now, so no excuses. All of those things should be present when someone enters personal information, especially credit card information, online. I'm going to try not to fall too far into acronym land, but all of that kind of online security is based on SSL and its successor, TLS. They are techniques to encrypt everything that goes over the wire from your computer to the web server. Anyone eavesdropping on that wire would see nothing but gibberish. Well, maybe. There are something like a couple dozen vulnerabilities and exploits associated with SSL and TLS. Granted, your garden variety hacker isn't going to have the tools, and there are much easier ways to steal your credit card info. However, with computer capacity and capability expanding at a breakneck pace, it's not hard to imagine some neck-bearded basement dweller having the ability to exploit those vulnerabilities in the near future.

By the way, if you think you can safeguard your credit card information by avoiding online purchases, you are living in a fool's paradise. Your credit card is online, whether you want it to be or not. Like I said, there are much easier ways to steal your credit cards than to eavesdrop on your browser.

Sunday, August 3, 2014

Run a Darknet

More people should run darknets, even if they don't use them. The more darknet nodes that are running, the less unusual it is to see one, and the less interesting you are to those who spy on people just because they use one.

Ever since Silk Road and Freedom Hosting were taken down last year, Tor has been taking a beating. It can use the help. One group claims to be able to break it for less than $3,000. So far, no one has substantiated their claim. The more Tor routers that are running, the less likely that is. No one has made that claim about i2p, but it's probably only a matter of time. From a security perspective, i2p is a bit sturdier than Tor. It's a small network right now. An increase in routers would only harden it more.

The two major darknets, Tor and i2p, are easy to install and run. Using the Tor browser bundle is no more difficult than installing and running any other browser. It isn't as helpful as running a router, but every little bit helps. Even if you don't want to take a public stand on privacy, you can take a private one.

tl;dr

I've been thinking that my posts are too long and pedantic. I think it comes of not posting often enough. I wait weeks to post something and then it ends up being a brain dump.

I promise to do better.

Saturday, August 2, 2014

Brain To Paper

For those of you keeping score, I have been wandering around in the world of cryptography lately. It is a brain-melting endeavor. The people who come up with cryptographic methods have my deepest respect. That is, my deepest respect when it comes to thinking this stuff up. When it comes to their ability to tell the rest of the world what they thought up, well...

Some of them don't do a bad job considering what they are up against. Cryptography is hard. It's hard on purpose. Making it hard for the bad guys to figure out what you're doing is pretty much the purpose of cryptography. If it were just a matter of jumbling up all the letters and rearranging them, it would take the processor in your watch less than a second to decipher any message. Cryptography consists of complex algorithms applied to a wide variety of data.

One of the methods cryptographers use to publish their brain droppings is called a Request For Comments (RFC). This mechanism was set up by the Internet Engineering Task Force (IETF). It's as old as the Internet itself. The most basic protocols for getting information from one end of the net to the other are described in RFCs. It was envisioned as a mechanism for people to propose standard behavior on the Internet and get peer feedback. For the most part, it works. Almost all of the early RFCs have been revised based on incoming comments and questions to the originator(s) of the RFCs.

One of the things I recently did was to implement the CAST5 cipher. I won't go into the details of it, but it only took me a couple of evenings to code it, and another couple of evenings to test and debug it. The cipher is described in RFC-2144. While it is far from perfect, it is coherent enough to translate it from a mathematical function to a computer function. I am currently wading through RFC-2437, which describes the RSA encryption system. It is a heavy load, mathematically speaking, but following it isn't that hard. RSA is the basis for secure protocols like HTTPS, which is the way that Amazon (and others) keeps the bad guys from being able to see your credit card number when you are ordering your yoga mats and Cryptography for Dummies book.

This brings us to the RFC for OpenPGP. PGP, which stands for Pretty Good Privacy, is a very strong cryptography system (note the irony in "pretty good"). It gives the NSA fits. Imagine you wanted to let your Uncle Bob into your house when you're not home. You could leave the key under the mat, but then any old bad guy could come along and look under the mat. So, to prevent this, you hide the key in plain sight in such a way that it doesn't look like a key and no one who doesn't know how to look for it can see it. But, you need to let Uncle Bob know how to figure out where it is, so you send him a message in a secret language that only he knows how to read, telling him that the key is hanging on the third rhododendron bush from the left, 11-1/2 inches from the ground. The bad guy could technically find the key, but he wouldn't know where to start looking and he would have to get lucky to find it in any reasonable amount of time.

OpenPGP is described in RFC-4880. The number is burned into my brain. It is the godawfulest mess I've ever run across. Imagine your autistic nephew trying to write instructions on how to build a house. He could probably build the house, but it would be nearly impossible for him to tell you how he did it. Everything in OpenPGP happens in packets. One of the things that would be nice to know is how big the packets are. It starts off well enough, telling you that the first thing in the packet is a number telling you what kind of packet it is, and another number telling you how big the packet is. It goes straight to Hell in a handbasket from there. They use something called partial packet body lengths. Yes, that's right, a number that tells you that here is a number that represents how big the packet is, maybe. Well, it's at least this big, but it might be bigger. And there might be more packets hiding inside this one, but we can't tell you where they might be:
Each Partial Body Length header is followed by a portion of the packet body data.  The Partial Body Length header specifies this portion's length.  Another length header (one octet, two-octet, five-octet, or partial) follows that portion. The last length header in the packet MUST NOT be a Partial Body Length header.  Partial Body Length headers may only be used for the non-final parts of the packet. Note also that the last Body Length header can be a zero-length header.
Wut?
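What the quoted paragraph is actually saying, as an added example written for this post (not the author's code and not from any OpenPGP library): a reader for the RFC 4880 new-format packet header that follows the chain of Body Length headers, treating a partial header (first octet 224 to 254, length 1 << (octet & 0x1F)) as a promise of more data and a definite header as the end of the packet. The sample byte stream is constructed here.

```python
def read_length(buf: bytes, pos: int):
    """Decode one Body Length header at pos.
    Returns (length, position after the header, is_partial)."""
    first = buf[pos]
    if first < 192:                                      # one-octet length: 0..191
        return first, pos + 1, False
    if first < 224:                                      # two-octet length: 192..8383
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2, False
    if first == 255:                                     # five-octet length: 32-bit big-endian
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (first & 0x1F), pos + 1, True            # partial: 224..254, always a power of two


def encode_length(n: int) -> bytes:
    """Inverse of read_length for definite lengths; used only to build the sample."""
    if n < 192:
        return bytes([n])
    if n < 8384:
        n -= 192
        return bytes([(n >> 8) + 192, n & 0xFF])
    return b"\xff" + n.to_bytes(4, "big")


def read_packet(buf: bytes, pos: int = 0):
    """Parse one new-format packet starting at pos.
    Returns (tag, reassembled body, position of the next packet)."""
    hdr = buf[pos]
    if hdr & 0xC0 != 0xC0:                               # bit 7 always set, bit 6 set = new format
        raise ValueError("not a new-format packet header")
    tag = hdr & 0x3F
    pos += 1
    body = bytearray()
    while True:
        length, pos, partial = read_length(buf, pos)
        if pos + length > len(buf):
            raise ValueError("packet body runs past end of input")
        body += buf[pos:pos + length]
        pos += length
        if not partial:
            # A definite header ends the packet; the RFC lets this last piece be zero-length.
            return tag, bytes(body), pos
        # A partial header only says "at least this much": another header follows the chunk.


def parse_stream(buf: bytes):
    """Walk a whole stream of packets; returns a list of (tag, body length)."""
    pos, out = 0, []
    while pos < len(buf):
        tag, body, pos = read_packet(buf, pos)
        out.append((tag, len(body)))
    return out


def safe_parse(buf: bytes):
    """parse_stream, reporting a truncated or malformed stream as None instead of raising.
    A stream whose last header is partial (forbidden by the RFC) ends up here too."""
    try:
        return parse_stream(buf)
    except (ValueError, IndexError):
        return None


def build_sample() -> bytes:
    """Constructed stream: a tag 11 (literal data) packet split over two partial chunks
    and a final 3-octet piece, followed by a tag 1 packet with a two-octet length."""
    p1 = bytes([0xC0 | 11])
    p1 += bytes([224 + 5]) + b"A" * 32                   # partial header: 1 << 5 = 32 octets
    p1 += bytes([224 + 4]) + b"B" * 16                   # partial header: 1 << 4 = 16 octets
    p1 += encode_length(3) + b"end"                      # definite header closes the packet
    p2 = bytes([0xC0 | 1]) + encode_length(300) + b"C" * 300
    return p1 + p2
```

Running `parse_stream(build_sample())` yields one 51-octet tag 11 packet followed by a 300-octet tag 1 packet, which is the reassembly the RFC text describes without ever saying so plainly.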

In another part of the RFC, they made a decision to use a bastardized version of a cipher mode called Cipher Feedback (CFB). It turns out that this bastardized version ended up being a vulnerability that no one has fixed. But I don't know how anyone would be able to figure that out from the RFC. Worse yet, the RFC describes how this mode works for encryption but is silent on decryption. Isn't that helpful? I think the authors need to either back up and take another shot at it or hire a ghost writer.

Well, I've bitched about this enough to get it off of my chest. Thanks for listening.

Wednesday, July 9, 2014

Stupid Texas Tricks

Someone named Shelby Conklin is suing Tor. You can read the complaint here.

The lawsuit comes about because of a hidden site called Pinkmeth that lives on Tor. Pinkmeth offers its visitors what is known as revenge porn and blackmail porn. The revenge variety involves people (usually men) posting compromising pictures of their ex-whatevers. It's in retaliation for whatever slight they felt when the relationship broke up, real or imagined. The blackmail variety consists of people (usually girls) who are blackmailed into producing compromising pictures. Whatever they did that is subjecting them to this kind of blackmail must be pretty horrific since they will have to live with those pictures floating around the internet until the end of time.

Whatever. I think I'm getting jaded because the lengths that people go to to get their freak on have ceased to surprise me in the least. This sounds to me like the kind of thing a 15 year old boy or a hairy sociopathic basement-dweller would get their kicks from. Or maybe frat boys, who are generally a combination of both. But I digress...

Anyway, Ms. Conklin is suing Pinkmeth.com. Her lawyer claims jurisdiction because, according to their assertion, Pinkmeth does business in Texas. The basis for that claim is that people from Texas can see the website. The complaint complains that Pinkmeth is apparently hard to grab hold of because they operate offshore, and the only handle they have is some law firm in Michigan. Maybe they are an LLC and the law firm did their paperwork. Who knows. The important part to remember is that Ms. Conklin's lawyer is flailing around wildly, trying to hit something. That's where Tor comes in.

The Tor project is a non-profit corporation. It has a president and a physical address. It's easy for Ms. Conklin's lawyer to reach out and grab them. Her lawyer has alleged that there is a conspiracy between Tor and Pinkmeth to put embarrassing pictures of people on the internet. It calls Tor an unscrupulous internet service operator, and states that the collusion is evident because Pinkmeth's home page has links to the Tor project website. That's like saying that because Hamas put a link to Google on their website, Google must, therefore be in cahoots with Hamas.

What the drooling dipshits in Plano don't get is that the only thing the Tor project provides is software. There isn't some entity called Tor running a network. All of the people participating in Tor are running the network. Or maybe they do get it, but they are so desperate to grab some real live entity, they have cobbled together this convoluted argument.

The whole thing would be kind of funny if it wasn't also a bit scary. There is enough precedent-setting material in this to scare the bejesus out of all but the most hardcore hanging judge. The legal snarl it would cause would be a thing to behold. That being said, stranger things have happened. If Ms. Conklin gets away with suing a non-profit software group in Massachusetts over the operation of a network that they don't operate, what's next? Sue Google for facilitating minors finding their way to porn? Oh wait. That actually happened. Google settled to make it go away. Since the Tor project is a non-profit loose affiliation of software developers, I don't see any settlements happening.

Honestly, I don't see this going anywhere. The suit is seeking injunctive relief. Since they can't seem to get their hands on Pinkmeth, a court order isn't likely to impress them. I don't know what an injunction against Tor would look like. It would seek to stop them doing something that they aren't doing.

Stupid Texas Tricks.

Thursday, July 3, 2014

The Deep Web and the Darknet.

I love those two terms. They sound so mysterious and intriguing. What they represent is kind of mysterious and intriguing, so I guess in that respect, there is truth in advertising.

The deep web, simply put, consists of the parts of the Internet that Google can't reach. It's actually a little more complicated than that, but that's a pretty good summary. By various estimates, the deep web accounts for about 70 to 80 percent of the total content that is attached to the public Internet. All of the cat memes, all of the blogs with their brownie recipes, all of the commercial sites, including eBay and Amazon, and all of Facebook and its couple of billion users only account for 20 to 30 percent of what exists out there. Some places use the analogy of an iceberg. What, you say? There are places Google can't reach? Yes. Absolutely. Lots of places. Most places.

Next time you're wandering around on Amazon, consider how big it is, and it really is huge, and then remember that it is only a small fraction of what you could potentially reach if you knew how. It's not as ominous as it sounds, though. The vast majority of the deep web consists of information that is freely available if you know how to ask for it. Consider a trip to the Social Security website. Google can't just tap the Social Security website on the shoulder and say, "How about passing me all of Steve's data." As well, when you go to the Library of Congress website, its entire collection doesn't just open up in a panorama of information. You have to ask for something, and Google can't do that. It doesn't know what to ask for, and it can't just ask for everything. So, the deep web isn't quite as ominous as it sounds, it's mostly just innocuous information hiding behind a web form.

However, there is a sizable quantity of nefarious content on the deep web hiding behind a very thin veneer. There are hundreds of file hosting sites. These sites let you upload files and keep them in a more or less secure store. The legality of the content of the files is all over the map. Unless you have the passcode to recover it, for all intents and purposes it is invisible. There are also scores of anonymous message boards that don't link to anything external to them, so a web crawler can't find them. You have to know where to go to access the board. As with the file hosting services, the legality of the content is all over the map.

Where the real mystery lives is on the darknet. Darknets run on what is called a network overlay. That just means that they are another network inside the public Internet. The three main forms of darknet in use right now are Tor, Freenet, and i2p. The technical term for these darknets is mixnet. The idea is that they break up all of your messages into smaller parts and send them all over the place to get to the place you are sending them. When encryption is added to the mix, it becomes all but impossible to track where the messages are coming from, where they are going to, or what they contain, thus the name, darknet.

Most of what is on the darknet is illegal somewhere. Remember that certain types of raw information are illegal in authoritarian countries. Chinese netizens are not allowed to see anything that is critical of the Chinese government. Therefore, all of that kind of information that lives on the darknet is illegal in China. Information is always dangerous to repressive states. Therefore, they always outlaw it. Even in the United States.

The darknet is home to what are known as free marketplaces. The model for them was a hidden site on Tor called Silk Road. Silk Road is/was (in)famous on the darknets. Everything for sale on Silk Road was illegal in most places. The most common products you could buy were drugs, but Silk Road offered everything from military grade weapons, to credit card fraud software, to assassins (yep, you read that right). All transactions were in bitcoin, which is an untraceable online currency. The owner of Silk Road was arrested last year after the FBI hacked the site and figured out where it really was. He had $84 million worth of bitcoins in his wallet, $28 million of which belonged to him. As the site owner, he would hold transactions in escrow until they were complete and then take a commission. Estimates of the amount of money that passed through Silk Road are in the hundreds of millions of dollars. It's important to note that the FBI didn't crack the site by hacking the network, they only got there because the owner did something stupid with the site. In the end, though, busting Silk Road didn't actually accomplish much other than seizing a lot of money. Other free market sites have popped up all over Tor and i2p like so many daisies. There is even a Silk Road 2.0 that is rumored to be run by some of the original Silk Road's administrators.

Sites offering illegal porn dot the darknet landscape as well, though they are not well tolerated by their fellow darknet residents. They are continually being busted for making some of the same dumb mistakes that Silk Road did. In the past, some of their darknet neighbors have aided law enforcement in tracking them down. A fairly well known hacker group called Anonymous broke into the hosting server of one of the biggest child pornography web sites in the world. They posted the names of 1500 people who had visited the site and threatened Freedom Hosting, the hosting company, with continuous attacks until they completely cleared their servers of illegal porn. It is rumored that they passed hacking information along to law enforcement, and soon after the original Anonymous hack, the FBI busted the owners of the site. The darknet might be secretive, but it is not completely amoral and unethical.

With all of that, where the darknet shines and earns its legitimate spot as a positive force on the Internet is in hosting services for dissidents and journalists in authoritarian countries. As I mentioned before, China has information flow on the Internet locked down tight. The only way free information can flow there is over the darknet. However, don't expect to get on Tor or i2p and find a Chinese dissident website. Computer ownership in China is tightly regulated. Internet access even more so. It is my understanding that if you are caught running a darknet node on your computer there, you will be arrested and likely never seen or heard from again. You aren't going to jump on Tor and go to chinesedissident.com. Darknet locations consist of anonymous strings of apparently random numbers and letters. On i2p, your real address is a cryptographic key that is 387 characters long. Good luck typing that into your browser's location bar. On Tor, the key is much shorter, but it is not much easier to randomly find a site. Both darknets have directories where different people post the addresses to their sites. The directories are generally geared toward some special interest, including politics. However, you will still not find the deepest web sites of that type publicly available.

So if you are a Chinese dissident group, how do you find one another? Usually it is done by posting a Tor or i2p key in some innocuous public venue. There are thousands of abandoned and inactive discussion boards on the public Internet. If someone makes a post with an i2p key that looks like random gibberish, it is unlikely that anyone will bat an eye. I am using the Chinese as an example, but there are dissident political boards of all nationalities, including the United States, though the Chinese boards are the hardest to find. I have been on Tor for years and I've only ever seen a couple of Chinese boards. I've been on i2p for several months and haven't seen one yet. The political landscape on i2p seems to be dominated by Russians.

So, the deep net and the darknet are kind of exciting when you think about what's going on behind the scenes, the darknet more so than the deep web. It's easy to get on Tor and look around. Google the tor browser bundle. It's a version of Firefox that is all set up and ready for you to cruise the darknet. Freenet and i2p are a bit more difficult to master, especially Freenet. If you are technically adept, you can easily find out how to get there. If not, stick with the Tor browser bundle.

And have fun!

Friday, June 27, 2014

About email.

Email (which is shorthand for electronic mail) is broken. The current model can't be fixed. It needs to be tossed, and we need to start over.

Way back when email was first conceived in the 1960s, it only involved very small groups of people. Basing it on the paper mail model wasn't really a problem. When I got my first email address back in the 80s, there were probably only a few hundred thousand others with addresses. No one worried about spam in their email. There was a system called Usenet that was email's baby cousin. It was the earliest type of message board. There were groups dedicated to discussions of particular topics, and the name of the group described the topic. I used to read a Usenet group called comp.os.unix. It had discussions on the Unix operating system, and it was just as thrilling as it sounds. There were lively discussions, and since techies tend to get worked up over their particular favorite whatever, there were more than a few flame wars. In the late 80s, a little bit of spam started showing up in Usenet, but it was still unheard of in email. Even Usenet spam was pretty harmless. It was mostly people hyping their latest brilliant idea or trying to get people to post on other Usenet groups.

The problem began with AOL (America Online). In the 90s, they connected their walled garden to the internet and the flood gates opened. Not surprisingly, it was child pornography that gave birth to the first amateur spam. People used to put their email addresses on their Usenet posts so that discussions could be carried on offline, or people could contact one another for collaborations, or a number of other legitimate reasons. Suddenly, all over Usenet, even in groups like comp.os.unix, posts like this started showing up:

Where is the kiddie porn? Can you tell me?

Invariably, the poster would have an aol.com address. Remember that AOL was host to some of the biggest child porn rings in the world. Ever. The porn trollers would harvest email addresses from everyone who ever posted in the group. A short time later, posts like this started showing up:

WTF?! I just got 10 email messages from aol.com addresses asking me if I knew where to find the kiddie porn.

In response to all of the requests, purveyors of all kinds of porn started flooding newsgroups with links and addresses. Pretty soon, anyone who had used their real email address found their inbox bombarded with porn spam. Everyone had to stop using their real email addresses. By the way, Usenet is a wasteland now. Completely lost to porn and unsanctioned downloads. The social, technical, and religious discussion groups are nothing but spam buckets now.

And that's what's wrong with email. Anyone who has your email address can send you anything they want to. Not only that, but anyone who has your email address has the ability to track where your emails come from and where they are going to. And, if you aren't using a secure transport between your computer and the email server, anyone can see what your emails say. That brings us to the most villainous aspect of email, the email server. The server represents a trusted third party that you believe will have your best interests at heart and will protect your privacy. As we have discovered lately, that trust is largely unfounded. The government doesn't even need a very good reason to demand your emails from the owner of the server, and they are all too willing to give them up. Too many email servers are ridiculously easy to hack, giving access to your emails to whichever creepy-crawly happens to stumble upon them.

So, there are four aspects of email that have to be fixed:

1. Your email address needs to be private and only accessible to those who you allow to have it.
2. There can be no "trusted" third party involved in storing or delivering your emails.
3. Your emails need to be absolutely untraceable.
4. Your emails need to be encrypted, end to end, using strong cryptography.

There are providers who try to address these issues, but it's all just icing on the poop cake. They offer all sorts of spam filtering, but the problem is that they accepted the spam on your behalf, and even worse, sent it to you so it could fall into your very own spam bucket, which you have to scour every once in a while to make sure nothing you wanted accidentally fell in there. If, instead of accepting the mail in the first place, they bounced it, especially from known spammer origins, spam would fall off very quickly. But, they can't do that because they don't know what you want and don't want. That's because they have to honor the broken "trust" relationship with you. Google is going to offer end-to-end encryption for gmail. It's a step in the right direction, and it goes a long way toward allowing them to tell the government to take a hike when it comes calling, but the problem is that your email, at some point, resides on their server, and the server knows where it came from and where it is going to. That, in itself, is enough to tell a fourth party a lot about your emails. None of the provider solutions can address item 2 because it takes them out of the loop. And if they can't address item 2, then there is nothing they can do about item 3.

The good news is that there are several people working on solutions. I'll have more about that in future posts.

Saturday, June 21, 2014

On Security

Sorry for not posting for a while. I've been wandering around in techie-land for a bit.

I've always thought that online security is important. I've also always taken a decidedly lazy approach to it. I used eight character passwords that were dictionary names with a few letter-to-number transpositions. I didn't always pay attention to whether I was using a secure interface when I set up an email account. I didn't pay attention to whether or not the web pages I was looking at were secure.

It was the Edward Snowden incident that really started to wake me up. If you don't know, Edward Snowden is an ex-NSA counterintelligence specialist who leaked thousands of classified documents on the NSA's domestic spying programs. You can read about it here. It woke me up. I'm typing this fully aware that once Google crawls this page, an NSA droid somewhere has added my blog to a list of sites mentioning Snowden. This post isn't about what I think of what Snowden did. Maybe I'll address that later.

So, some reflections on online security...

Usernames and passwords are part of a completely broken security system. They date back to the early days of computing. We have made gigantic leaps forward in technology, but we're still using an antiquated system for you to prove to a computer that you are who you say you are. It was an OK system back then because A) people were more honest, and B) computers just weren't powerful enough to run a brute force attack to crack a password in a reasonable amount of time. These days, things are different. Passwords are cracked all of the time. There are better ways for you to prove your identity, and the really sad part is that they have been around for quite a while. The most prevalent method is to use a cryptographic key. It works like this. You create a secret key and a public key. Think of them like keys to a lock box that holds messages. Anyone can use your public key to put a message in the box, but only you can take them out using your secret key. In public key authentication (a techie term for using your public key to prove who you are), you give your public key to the internet entity you want to contact (your bank, your Amazon account, etc.). Then, when you contact the site, you present your key. The site looks to see if it has a record of your key, and if so, it sends you a message using it. You prove that you can read the message by using your secret key and telling the web site what it said. The keys are very long strings of random data. For all intents and purposes, they can't be cracked any time during the remaining lifespan of the universe. A similar way to prove who you are is with digital certificates. They work in a way similar to public keys, but they involve a trusted third party that certifies that you are who you say you are. Another way that has been around for quite a while, but never seemed to gain traction, is the zero knowledge proof (ZKP).
In the ZKP system, you have a secret that you share with the website, kind of like a password, but more complex. You never send the secret to the website after you initially share it. When you go to the site and log in, the website will ask your browser indirect questions that will prove that your browser knows the secret. Once the browser proves that it knows the secret, the website lets you in. Because no passwords are exchanged, they can't be phished or cracked. The questions that the website asks your browser are different every time, so no one can listen in and use the last set of questions that were asked.
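Here is what that "indirect questions" exchange looks like as code. This is an added example, not part of the original post: a Schnorr identification round, which is one concrete zero-knowledge proof of knowing a secret. The group parameters (P, Q, G) are constructed toy values so the arithmetic is readable; a real deployment would use a group of at least 2048 bits or an elliptic curve.

```python
import secrets

# Toy Schnorr parameters (constructed for illustration only).
P = 1019          # safe prime: P = 2*Q + 1
Q = 509           # prime order of the subgroup generated by G
G = 4             # 4 = 2^2 is a quadratic residue mod P, so it has order Q


def register(secret: int) -> int:
    """Enrolment: the client shares only y = G^x mod P with the site.
    The secret x itself is never sent, now or at any later login."""
    return pow(G, secret % Q, P)


def make_commitment() -> tuple:
    """Client picks a fresh random nonce r and sends t = G^r mod P."""
    r = secrets.randbelow(Q - 1) + 1          # r in [1, Q-1]
    return r, pow(G, r, P)


def make_challenge() -> int:
    """Site picks a fresh random 'question' c, a new one for every login."""
    return secrets.randbelow(Q - 1) + 1       # c in [1, Q-1], never 0


def make_response(secret: int, r: int, c: int) -> int:
    """Client answers with s = r + c*x mod Q. Because r is uniform and used
    once, s reveals nothing about x to an eavesdropper."""
    return (r + c * (secret % Q)) % Q


def verify(y: int, t: int, c: int, s: int) -> bool:
    """Site checks G^s == t * y^c (mod P). This holds exactly when the
    client knew x, since G^(r + c*x) = G^r * (G^x)^c."""
    if not (1 <= t < P) or not (0 <= s < Q):
        return False                          # reject malformed values
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def login(secret: int, y: int) -> tuple:
    """One interactive round; returns the verdict and the public transcript.
    Only t, c and s cross the wire; none of them is the secret."""
    r, t = make_commitment()
    c = make_challenge()
    s = make_response(secret, r, c)
    return verify(y, t, c, s), (t, c, s)


def replay(y: int, transcript: tuple) -> bool:
    """An eavesdropper who recorded (t, c, s) replays t and s against a
    fresh challenge. It can only work if the new challenge equals the old
    one, so the site's fresh question defeats the recording."""
    t, old_c, s = transcript
    new_c = make_challenge()
    if new_c == old_c:                        # force a different question
        new_c = old_c % (Q - 1) + 1
    return verify(y, t, new_c, s)
```

Running `login` twice with the same secret produces two different transcripts, and `login` with the wrong secret fails on every round because the challenge is never zero.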

A lot of people think that because they can't see their internet traffic, neither can anyone else. Once again, the whole internet system was invented (not by Al Gore) a long time ago. Even though it was initially built by the defense department, no serious thought was given to securing what traveled over the wires. The people who built it never imagined what it would become. Only in the last few years have people begun to take security of the lowest levels of the internet seriously. The Snowden incident has accelerated that. There will be more attention paid to things like encryption (hiding things in secret codes) and traffic analysis (snooping to find out who is talking to whom and how). That's a good thing. A lot more commercial websites will start to use secure interfaces. Does your browser say http, or does it say https? It matters. Secure transports use the cryptographic key system I described above to turn all of the information that goes over the internet into random gibberish that can only be decoded by the parties on either end of the traffic. No one can listen in on the conversation, including the NSA.

The email system is probably the most broken thing on the internet. It is based on a simple, but archaic system, regular mail (sometimes known as snail mail). You give someone your address, and then they can send you messages. Sadly, so can the evil bastards who generate junk mail. The email system has the same problem, and it adds additional problems to the mix. An email message can have browser links in it. If you click on the link, it will send your browser to some location on the internet. That location could have malware (viruses and other bad juju), and if you are using a defective browser (in other words, Internet Explorer), you run the risk of putting a virus on your computer without knowing it. Also, most email is not sent over a secure transport. With snail mail, it's not likely that someone is going to open up random letters and read them for nefarious purposes. With email, it happens all of the time. With snail mail, you would probably know if it happened. With email, you don't. I am very sure that at least half of the people who read this post have had an email intercepted for one reason or another. And finally, the most infuriating aspect of email is spam. With snail mail, you might get half a dozen or so junk letters in a week. With email, you can (and will) get hundreds per day. Spammers have no shame, and they use automation to flood inboxes everywhere with crap. Spammers know about security, though, and they can hide their tracks. Evil bastards. Once again, using things like public key encryption (like I described above), no one would be able to track or intercept your emails. Using keys, certificates, and another kind of cryptographic identity called digital signatures, no one can fool you into believing that they are someone else.

Security is important. Instant information can lead to instant destruction of your privacy. Think about it next time you log into a site using "SusieQ" as your username and "happy1" as your password.

Wednesday, April 16, 2014

Broken Internet

There are two things that are completely and irreconcilably broken on the Internet (besides the Internet itself, which I'll cover in another post). They are: user names and passwords, and email. They are broken because of the same principle - how you identify yourself on the Internet.

Some of you reading this got here from Facebook. You are you, for the most part, on Facebook. Your real name is there. Your pictures of your kids, spouses, and significant others are there. All of your heartfelt emotions, bipolar outbursts, rants, platitudes, and misquotes are there. You are as much of you as you are in any social setting. Maybe more, since you don't have to look anyone in the eye when you lie or say something stupid. However, you only got to be you on Facebook because you had a way to introduce yourself at Facebook's front door in order to get in. That way was a user name, which happens to be your email address for Facebook, which is doubly broken, and a password. Essentially, you say to Facebook, "This is me, and I can prove it." The problem with doing that with a user name and password is that if it really isn't you, but someone else can prove they are you, Facebook will let them in the door, and they can go about the business of pretending to be you. The same is true of any other place on the Internet that you have a presence, such as Twitter and Instagram, but especially banks and credit companies.

On a more personal scale, if you want to exchange communications one on one, without all of Facebook and the rest of the Internet eavesdropping, you use email. A lot of people have forgotten what email even means. It's an anachronism. It means electronic mail, as in the electronic equivalent of paper mail (yes, people still do that). Email was built on the paper mail model. It was done that way to give people a familiar sense of communication. With paper mail, you send a letter to a physical location. You identify the source of the letter by your own physical location. It was always assumed that you and the physical location were the same thing. If that was not the case, then the person on the other end could return the mail, throw it away, or read it. There was no guarantee that the proper participants in the exchange were related to the physical locations on either side. Some ways to help tie a location to a person were invented, like registered mail, certified mail, and in extreme cases, a courier. There were still all sorts of ways around those safeguards. In a world of 7 billion people, it was and still is a bad model. So, for this new age of nearly instant communications, the best we could do is model the new system on a broken old system. It was badly done. The system still relies on a belief that the right person is located on both sides of the conversation. Worse yet, all of the letters are sent in transparent envelopes. Anybody who can watch the letter go by can read it.

I've had email accounts and user names and passwords for as long as I can remember. I used to have one email address and one user name and password. Now I have six email addresses and a couple dozen user names and passwords. Why so many? I use different emails for different purposes - personal, professional, educational, and general. They give me a context for the mail I'm reading. I have a lot of user names and passwords because I don't want someone to be able to impersonate me everywhere, just by guessing one pair. I have to use a password keeper to remember all of them. I also use long passwords with random numbers, letters, and symbols that are almost impossible to memorize. A password keeper is a piece of software that records all of the information about your different online presences and the passwords that go with them. There is a single password to access them, but it never goes over the public Internet. I have to be sitting in front of my computer to use it. As if all of the user names and passwords aren't bad enough, if you forget your password, guess how your online partner lets you fix that? You guessed it, email! Brokenness layered on top of brokenness.

So, what is the solution, Steve? Are you just whining, or do you have a better idea? Why yes, yes I do.

How can you irrefutably identify yourself? How can you prove to someone, beyond a shadow of a doubt, that you are who you claim to be? The most obvious answer would be some kind of biometrics. Fingerprints. Retina scans. DNA. The technology of biometric authentication is progressing well, but it will be years before it is as ubiquitous as user names and passwords. Right now, we can create an electronic fingerprint that is at least as unique as your DNA, and much easier to identify accurately. This fingerprint is called a cryptographic key, specifically an RSA key. This key can be any number of bits (ones and zeroes) long. The longer the key, the more unique, and therefore, the more secure. We used to use 128 bit keys, but computing power has advanced to the point that even 256 bit keys are endangered. My current RSA key is 4096 bits long. It would take the entire computing power available on the planet crunching until well beyond the predicted end of the universe to break my key.

4096 bits is equal to 512 characters. You will say, "But Steve, I don't want to type in a 512 character password every time I want to log in." Of course not, and it's actually even more onerous than that, because there are actually two keys, a public key, and a private key. The public key is the one that you use to tell everyone that you are who you are, the private key is the one you keep secret, the one that really is you. One won't work without the other. And in the system, called public key authentication, you never type in your key, any time, anywhere. In the system I propose, you will use something called a soft token. When you open an account somewhere, say Facebook, you and Facebook exchange your public keys via your soft token (remember, your secret key never goes anywhere). That allows Facebook to send you a secret message that only you and Facebook can understand. You respond back with the right secret message, and Facebook lets you in. But, you never actually see any of these messages. They are happening on what is called the protocol layer. The protocol is how your computer and Facebook's computer figure out how to talk to each other. From then on, Facebook knows how to make sure that you are you by using your public key. In this system, nothing secret, like a password or a user name ever goes across the Internet. There is no way for anyone to steal your password because there is no password to steal.

Sounds like magic? It isn't. It's the system that is in use every day, millions of times, that lets millions of computers talk to each other securely. Why aren't Facebook, Twitter, and all the banks and credit card companies already using it? They will give you dozens of excuses, but the bottom line is that it will cost them money, and you aren't forcing them to spend it. One of the reasons you aren't forcing them is because you didn't know about it. Now you do. Another reason they will give is that it is complicated. It is complicated on the protocol level, but remember I said that you don't have to go there. That's what the soft token does. It is a small piece of software that runs on your computer that keeps track of your keys. It presents your public key when it is necessary, keeps your private key secret, and handles the initial messages that allow you to get connected to wherever you are going.

But, what about email? Under the covers, here is how email works. Your email account is on a server somewhere that is running a piece of software that understands how email works. There are dozens of these programs written by different people, but they all understand the email protocol so they can talk to one another. You are given an email address by your provider that identifies your account. Your account is more or less private (depending on the NSA or provider incompetence, YMMV). You access your account by, here it comes, giving it a user name and a password. Your email address consists of two parts, your user name and the address of the server that holds your account. Right away, you have given up half of your identity to anyone who cares to find it. Your address is like having a physical mailbox. Anyone who can find it can send you email. Back in the days when humanity was smaller and more benevolent, that was considered a good thing. Today, companies that sell things think that they can bombard you with advertising to beat you into submission, causing you to buy their stuff. In the paper world, it's called junk mail. In the electronic world, it's called spam. It's good to have an email address so you and your friends can exchange brownie recipes and agree to meet each other somewhere. It's bad to have an email address because sooner or later, spammers will find you. But, email has a more insidious attribute. You trust it. You think it's secure. You think that no one can steal from it, and no one will find things out about you that you don't want them to. Wrong. For the vast majority of people, it is the least secure form of communication there is.

So, what do we do? We have to be able to give each other our email addresses so we can exchange our brownie recipes. That's true, but we want a way to be able to let people know where we are in a way that even if some spammer finds out our address, they won't be able to spam us. Once again, we go back to your public and private keys. Remember that I said that your public key identifies you, but no one can use it unless you let them. They have to send you the right messages, once again at the protocol layer, before you'll even talk to them. Why not use your public key as your email address? Well, your public key identifies you, but it doesn't identify where you are. However, we can use our public and private keys to create another key that identifies where we are. It is another key that can only be used by the people that you explicitly give it to. Not only do we protect our identity from the spammers, it will be very, very difficult for them to find us, and even if they do, we won't talk to them. Our new secret address won't even accept mail from them. It gets dropped on the digital floor. To do all of this we use something called a mixnet. The concept and execution is extremely technical and complex, so I won't go into it here. There are two aspects of a mixnet that are important to us. First, everything is encrypted. Someone snooping on the network wouldn't see any useful information. It would all be gibberish. The two ends of the conversation have their public and private keys and there is no way for the snooper to figure it out. Second, your email account isn't on a server somewhere, where it could be broken into and your private business stolen. Your email account isn't anywhere but on your computer. In this mixnet, everyone is identified and located by their keys. The location keys don't identify a server, they identify you and your connection to the mixnet. 
When someone sends you an email, their email program waits patiently while it finds you using your key, and then sends the message to you. The message never sits on someone's server, waiting to be delivered. The communication is completely closed between both ends of the conversation.

Well, congratulations. If you got this far, it means you have a real interest in improving your online security. My ideas aren't likely to happen any time soon, especially the mixnet email idea. The ideas about using cryptographic keys are already being discussed. The debate is over the best way to make it simple for people to use. People won't use technology if it's not simple, even if it is in their best interest. There is a company that makes the RSA soft tokens. They're easy to set up and even easier to use. Much easier than a user name and password even. All that is left is to create the browser software that uses them and get online businesses to start using them. That last is no easy task. There are still websites out there that don't even do credit card transactions over secure connections. It's just a matter of creating the demand.

Wednesday, April 9, 2014

Bugs

I have been a huge proponent of open source software for years. I don't plan to change that outlook. However, I think it is time for the open source community to take some responsibility for policing itself. Or, more accurately, I think it's time for the big players in the community to step up and take responsibility for the free software from which they benefit.

On Monday, a security specialist at Google discovered a bug in the OpenSSL software library. OpenSSL is used all over the Internet. For example, it is used by the Apache web server, which accounts for 50% of all web sites on the public Internet. The bug allows an attacker to potentially gain access to a lot of very, very sensitive information. SSL stands for secure sockets layer. It is a piece of software that sits between your programs and your network connection. It uses a system called public key encryption to scramble what is being sent out over the public Internet so it can't be read by anyone who doesn't have the right keys. The most obvious place you will see it is with its use in the secure HTTP protocol, or HTTPS. Go to Google. Look in the location bar on your browser. You will see something like this:
https://www.google.com
The https means that anything you send to Google, and anything Google sends back to you, is encrypted. If some nefarious person (or the NSA, same thing, actually) hooks a device called a network sniffer up to the Internet, all they will see is a steady stream of gibberish. They can't see what porn you are looking for, and they can't steal your sister's secret chocolate chip cookie recipe that she sent you in gmail. You should always look for this, by the way, especially where your credit cards are concerned.

The OpenSSL bug can give up your usernames and passwords, your credit card information, and a lot of other even worse stuff (X.509 certificate keys and passphrases, long term server secret keys, EEK!).

The bug is the result of a bit of sloppy programming and a lack of rigorous testing. Both of those are the chinks in the armor of open source software. Open source software is different from proprietary software in that no one actually owns it. You don't have to pay anyone to use it. If you want to change it for your own use, you can. One of the important aspects of open source that has emerged is that of community testing and feedback. The people who use the software have a stake in making the software work right. They will fix bugs on their own or very quickly report them. If they are good open source citizens and they fix code on their own, they will donate the fixes back to the project. It has been demonstrated time and time again that the general quality of open source software is superior to that of proprietary software. Big companies code in secret, so they can hide big uglies for years and years. I shudder to think about what the Microsoft Windows code looks like. If the open source software you are working on is widely used, and the code you are writing is crap, you will hear about it very quickly.

Another important aspect of open source software is the speed that open source groups can respond to something like this bug. The OpenSSL group has already issued a patch to fix the problem. Red Hat has already issued a critical update. On the other hand, Oracle is not going to do anything about it until their regular update on April 15th. HP hasn't announced any intention to do anything about it. Oracle and HP are big companies. They're not built to turn on a dime when things like this happen. It could be argued that the big companies do more testing before releasing a fix, and that is true, as far as it goes. The big companies also have a lot more bureaucracy and other unproductive overhead built around testing and releasing software.

It should be noted at this point that the vast majority of open source groups, including OpenSSL, do not allow just anyone to write code for the product that they publicly release. So, this bug wasn't a case of some high school kid writing sloppy code that found its way into the finished product. OpenSSL has been around for a long time. The people who work on it are experienced developers. The hackers and amateurs were weeded out long ago.

Sadly, experienced developers are not immune to writing sloppy code. That was the case here. The OpenSSL group has not been forthcoming with exactly who did this. I applaud them for not throwing anybody under the bus. I think that first and foremost, the failure here was probably in peer review. The programmer either took on or was given a particular task to complete, coded it, did some basic testing and debugging, and added it to the mix. No one probably gave it a second look, or if they did, it was perfunctory. Granted, the bug is very subtle. I had to read through the explanations and code several times to get it. But, that leads to the second issue, which is testing. One of the fundamental requirements in software development is to do regression testing when you make a change. That means that you go back and make sure that everything that used to work still works after your change. I am convinced that this is what happened to OpenSSL. No regression testing.
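For readers who want to see why the bug was subtle: the OpenSSL defect this post refers to was, as publicly documented, a missing bounds check in the TLS heartbeat handler. A peer's heartbeat request carries a payload and a length field, and the reply echoed back as many bytes as the length field claimed without checking that the record actually contained that many. The Python below is an added model written for this post, not OpenSSL's code, and puts the unchecked handler beside the checked one; the record layout is the real one (1-byte type, 2-byte length, payload, 16 bytes of padding) but the "memory" and the secret bytes next to the record are constructed.

```python
import struct
from typing import Optional

# Heartbeat record layout: 1 byte type, 2 bytes payload length, payload, padding.
HEADER_LEN = 3
PADDING_LEN = 16


def build_request(payload: bytes, claimed_len: Optional[int] = None) -> bytes:
    """A well-formed request states its real payload length; a malformed one
    can state any value up to 65535 regardless of how many bytes follow."""
    n = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", 1, n) + payload + b"\x00" * PADDING_LEN


def respond_unchecked(memory: bytes, record_len: int) -> bytes:
    """Models the defect: the peer's length field is trusted, so that many
    bytes are copied from the payload start into the reply even when the
    record that arrived was shorter. The copy spills into whatever happens
    to sit after the record in memory (record_len is never consulted)."""
    _, claimed = struct.unpack("!BH", memory[:HEADER_LEN])
    return memory[HEADER_LEN:HEADER_LEN + claimed]


def respond_checked(memory: bytes, record_len: int) -> Optional[bytes]:
    """Models the fix: a reply is built only when header + claimed payload +
    padding fits inside the record that actually arrived; anything else is
    silently discarded. This is the regression case a test suite should cover."""
    if record_len < HEADER_LEN + PADDING_LEN:
        return None                                   # too short to even hold a header
    _, claimed = struct.unpack("!BH", memory[:HEADER_LEN])
    if HEADER_LEN + claimed + PADDING_LEN > record_len:
        return None                                   # length field lies about the record
    return memory[HEADER_LEN:HEADER_LEN + claimed]


def simulate(payload: bytes, claimed_len: Optional[int], neighbour: bytes):
    """Lay a request next to some other process memory (constructed) and run
    both handlers on it. Returns (unchecked reply, checked reply)."""
    record = build_request(payload, claimed_len)
    memory = record + neighbour
    return respond_unchecked(memory, len(record)), respond_checked(memory, len(record))
```

With a payload of five bytes and a claimed length of forty, the unchecked handler returns the payload, the padding, and then bytes that were never part of the request, while the checked handler returns nothing.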

A lot of big companies use open source software these days. There was a time when they wouldn't go near it for exactly this reason. However, open source software is free. At some point, the objections to it were answered and the economics of it tipped the balance. However, using it shouldn't be free. If companies are going to benefit from it, they need to step up to the plate and be good open source citizens themselves. Red Hat has adopted this stance. In cases where certain open source packages are fundamental to their business, they supply developers and testers. They pay people just to participate in open source development groups. Other companies that use open source should do the same. The fact that someone from Google discovered this indicates that they are involved. Other big companies like Facebook, Amazon, PayPal, eBay, and every single bank and credit card agency should be participating in testing and refining. Open source software should be free, but it shouldn't be invisible.

Friday, April 4, 2014

There Is No Now

A mathematical point has no dimensions. No width, no length, no depth. It's just an abstract concept. "Now" is a mathematical point. Not only does it have no physical dimensions, it has no temporal dimensions. It doesn't exist outside of an abstract idea. It is a singularity. The present is an artificial construct that we use to capture that dimensionless instant between past and future. We don't deal well with singularities. We need things to have a size that we can grasp. We want to be able to see that event or place or concrete point where future transforms into past. Even the phrase, at this instant, has no real meaning.

There is no one who can give you a precise definition of now. We define it by what it is not. It's not the past, and it's not the future. Even the euphemisms we use to describe it don't adequately hold it. Today. We think of it as now, but when we try to nail it down, we have to subdivide it, trying to slice it into ever smaller pieces to get closer to the magical point. Morning, afternoon. Hours, minutes, seconds, even parts of seconds. We measure events in infinitesimally small fragments. A billion nanoseconds in a second. A trillion picoseconds. We measure how long it takes for an electron to travel its own length. Even in that tiniest fragment we haven't captured that very instant that what will be becomes what was.

Even time itself is an invention we use to try to grasp what we cannot reach. A ruler held up against air. A ruler that can't measure now, no matter how small the divisions. And the more we poke and prod at time, the more it evades us, even to the point of blurring the line between cause and effect. Relativity and quantum physics tell us that our concept of time is more like a rubber band than a ruler. Now can be in two places at once. It's like finding out that your yardstick with its 36 markings, is actually 37 inches long.

Now is the very definition of a singularity. Go ahead and try to point at it. I dare you.

Thursday, March 27, 2014

Evolving to Entropy

From Wikipedia:

Evolution is the change in the inherited characteristics of biological populations over successive generations.

Note that there is no stated goal, nor is there any implication that the process is positive or negative. Now, I'm not trying to sell Wikipedia as the ultimate source of definitions, but this one is essentially the same as you will find from any other noted source.

Evolution must be good, right? I mean, we're the result of evolution, and we're pretty awesome, right? Right? Not really. Evolution just means change. We're the result of evolution through a long history of natural selection. In the minds of ordinary people, evolution equals progress. We think that it means that because social scientists tell us it does. The truth is, there is no evidence that the entire process is in any way benevolent toward us. There is no evidence that we are evolving toward something better; only that we are evolving toward something different.

Most evolution through natural selection favors those new characteristics that are the most successful given the enclosing environment. Human beings wreak havoc on natural selection because we have evolved the ability to change our environment. We put clothes on. We grow food. We live in houses. We have central heat and air conditioning. It was inevitable, if you think about it. Natural selection among species passive to their environments resulted in a lot of dead ends. Dodo birds and dinosaurs. It makes sense that the ability to change the environment to be less hostile would be a more successful characteristic.

Except now, we're busy creating an environment that is increasingly more hostile toward us. Technology and socialism, both the economic system as well as the societal trait, are making us stupid and lazy. We're making our world more dangerous, and we're not evolving in a direction that allows us to adapt to it. In the past, our evolution took many tens of thousands of years to make small changes. I offer that we have evolved many noticeable changes just over the last century or so. We're fat. We're soft and weak. We eat poison and survive for a while. We breathe poison and survive for a while. But, we're not evolving fast enough to keep up with how fast we are changing the environment. At the current rate of progress, we'll extinct ourselves in a century or so.

So what happened? How is it that the pinnacle of evolutionary natural selection has gone so wrong? The answer is entropy. Entropy is the process by which everything tends toward its lowest potential energy. Thermodynamic equilibrium. The end state of maximum entropy is a universe of inert atomic dust evenly dispersed across the void. If there is a ghost in the evolutionary machine, its goal is maximum entropy. The whole process is blindly oblivious to our existence. In actual fact, we aren't the pinnacle of natural selection because our potential energy is too high. We're one of those evolutionary side trips. We'll keep evolving toward maximum entropy.

If maximum entropy is the end state, how did we get as far as we did? We've actually been pretty successful. Our control over our environment let us avoid entropy for a long time. However, evolution into entropy is a difference engine, and we have made a pretty wide variance. The differences are catching up with us quickly.

If there is a pinnacle of natural selection here on planet Earth, it is likely the cockroach, or maybe the shark. Cockroaches are born, they eat, they breed, they die. They are the most entropic life form on the planet. There is no need for them to evolve toward anything until the entropy of the rest of the universe catches up with them.

Depressing? Not really. It's inevitability, and there is no reason to be depressed about the inevitable. Get on with what you were doing and don't worry about it. Seek maximum psychological entropy. Just evolve.

Wednesday, March 26, 2014

Of Knowledge and Memory

Knowledge and memory aren't the same thing. They are, however, built at the same time.

Dr. Marvin Minsky has a theory of memory called Knowledge Lines, or K-Lines. Dr. Minsky believes that our minds (not our brains) are constructed of multitudes of mental agents, each with a particular function. The function can be very simple, or it can be very complex, involving relationships with many other agents. In any given situation, some number of these agents work together and separately to create an idea or solve a problem. If the same, or similar, problem comes along again, we want the same agents to try to solve the problem in the same way. In order to accomplish that, the agents are wired together by K-Lines. The structure of the agents and their connecting K-Lines represents knowledge. Mental agents can be connected to many K-Lines. The simpler the task of the agent, the more K-Lines it is likely to be connected to. When a K-Line is "activated" for a problem that is similar, but not identical to the original situation, new K-Lines can be created or new agents can be connected to the existing K-Line. K-Lines can be connected to other K-Lines to form especially complex sorts of knowledge.

Memory isn't a passive collection of events. Memory isn't stored in our minds like books on a shelf. Our memories are based on our reactions to events and the knowledge we gain from them. Even when we are passive observers of events, our minds are forming ideas about what we witness and trying to solve what we do and don't understand about it. Later, when we try to solve the same problem or a similar problem, the K-Lines are activated and they put the mental agents in a particular state. It is the state of the agents that forms the memory. Our mind recreates the situation that resulted in the association of the agents. It is literally restoring our state of mind at the time of the situation. Memory is built by the agency that creates the K-Lines.

K-Lines and agents are built and activated by our sensory inputs and by other K-Lines and agents. We are born with a fundamental set of mental agents, and from the instant we gain consciousness, we start building more agents and K-Lines. For the first years of our lives, the mental agencies with their K-Lines are built at a furious rate. By trial and error, we process our sensory inputs, building knowledge and memory, and driving our coordination with the world around us. A baby has to work out how to pick up the toy by trial and error. She has to process the colors, shape, and weight of the toy to associate it with the desire to grasp it. She has to discover which parts of the toy are suitable for grasping it. She has to coordinate all of the muscles and tendons and bones in her hand to lift it. The best she can do at first is to simply touch the toy. As her efforts proceed, she will drop the toy and try again. In our view, she is clumsy and inept, but there is an amazing amount of work going on in her mind, just in the effort of reaching out and picking up the toy. Once she masters the task, she will do it over and over again, strengthening the newly built K-Lines and building new ones for the minute variations in the experience of picking up the toy.

If the K-Lines are there, and the agents are there, waiting to be activated, why don't we remember everything that happens to us during our entire lives? The answer is that the vast majority of our experiences, from instant to instant, are somewhat unique. Every instant of our existence is taken up with activating and deactivating mental states. Over time, certain K-Lines fall into disuse because the identical or near identical situation that created them doesn't occur. As they fall farther into disuse, their connections to agents become weaker and weaker. Sometimes two agents have similar functions. When there is conflict, the agent with the stronger connection to the K-Line will be activated. As any situation recedes over time, the exact state of the mental agents that form the memory of the situation becomes harder and harder to recreate. Sometimes, a situation that activates a similar set of K-Lines and agents will reactivate certain K-Lines that have been dormant in an effort to solve a problem or in the formation of an idea, and the long disused state will be reactivated. We've all said, "That reminds me of..." It is reasonable to assume that all of the K-Lines we have built and every agent we have created are still in our minds. It just takes a situation or event that is close enough to reactivate any state. We don't remember being in the womb because there is never another situation even close to it that occurs in our everyday lives, but in theory, we could, because the agents and K-Lines are still there.

Pleasant memories everyone!

Sunday, March 23, 2014

Third Rail, But Just For A Minute.

This post is about religion. You've been warned.

Leviticus 11:12 says, "Whatsoever hath no fins nor scales in the waters, that shall be an abomination to you." Some people, on both sides of the believer aisle, interpret this to mean that you could go to Hell for eating shrimp. Actually, the Jews don't believe in Hell and never did. Their closest concept of Hell is a kind of spiritual washing machine where sinners go to get their souls cleaned in preparation for the coming of the Messiah and the resurrection. The Torah, or the Law, is more intended as a set of rules for living your life, here and now. Violating them risks irritating God, which is a big no-no for Jews, as He might neglect to wake you up when the resurrection comes. Remember that concept of Hell. It's important later.

Leviticus 15, verses 19 through 33, contain an entire set of rules surrounding menstruation. Menstruating women were considered unclean. Obviously, sex was not allowed, but it went further: you weren't allowed to sit in a chair, or lie on a bed, which a menstruating woman had occupied. If you did, you were unclean until evening. It's not clear what is exactly meant by evening. Eight days after her period, a woman is supposed to bring two birds to the temple for the priest to sacrifice. Leviticus is full of weird shit like this.

So, how is it that Christians come to believe that we are bound and not bound, as we see fit, by Jewish law? Step deep into the Bible Belt, and you definitely won't find preachers sacrificing birds to cleanse a woman after her period. In a congregation of any size, the preacher would be sacrificing several birds a day, all month, every month. Christians do certainly believe that we are bound by what are called The Ten Commandments, but those are a very small part of the Law. It is filled with things like how to deal with someone who sells you sick livestock all the way to what you should do if you find out your wife wasn't a virgin when you married her. Christians tend to cherry-pick the Law, especially for things like its prohibitions on certain types of sexuality.

In breathtaking feats of twisted logic, Paul comes up with several reasons why Christians are no longer bound by the Law. The very early Christians were Messianic Jews. They tended to still try to keep the Law. As more and more Gentiles were converted, there was a problem with making them follow the Law. In Acts, Luke specifically mentions circumcision, saying that the uncircumcised cannot be saved. Paul then tries to solve the dispute by asking why the early Christians would test God by putting the burden of the Law on the Gentiles when their forebears couldn't keep it. (Testing God is one of those warning flags when you are reading Paul. You know something tricky is headed your way when you read it.) So, in other words, the Law is too hard, so let's not make the Gentiles live with it. Besides, your grandpop couldn't manage it anyway. Later, Paul says that being a Christian is hard, but stop whining about it. The Law is too hard, so let's not do that, but being Christian, which arguably entails at least some of the Law, is hard, and we need to suck it up. See what I mean about twisted logic? In his letter to the Galatians, Paul further explains that the Law was just a tutor for righteousness, and now that Jesus was here and we were saved by his death and God's grace, we don't need the tutor any more. At various times, Paul assures his readers that he will let them know how to be good Christians. Apparently he nominated himself tutor in place of the Law. In his first letter to Timothy, he goes on to say that the Law doesn't apply to the good guys, only to the bad guys, and that the righteous are welcome to beat the unrighteous over the head with it.

Ah hah! Official sanction for Christians to wield the Law as they see fit to beat heathens into submission, without actually having to live it themselves. At this point, it is worthwhile to mention that throughout the Gospels, one of the things that irritated Jesus most was hypocrisy. There is a whole chapter in Matthew devoted to it. I think the irony was probably lost on Paul.

You may have figured out by now that I'm not a fan of Paul. Aside from the arrogance of summarily assuming the mantle of arbiter of everything Christian, he is directly responsible for creating the twisted swamp that Christianity became. He was an angry, misogynistic, ascetic zealot. It's doubtful that Jesus saw him as a suitable successor. But, that's for another post if I decide to hazard the third rail again.

In Matthew 5, verses 17 through 20, Jesus says, "Think not that I am come to destroy the law, or the prophets: I am come not to destroy, but to fulfill. For verily I say unto you, until Heaven and Earth pass away, one jot or one tittle shall in no wise pass from the law, until all be fulfilled. Whosoever therefore shall break one of these least commandments, and shall teach men so, he shall be called the least in the kingdom of heaven: but whosoever shall do and teach them, the same shall be called great in the kingdom of heaven. For I say unto you, that except your righteousness shall exceed the righteousness of the scribes and Pharisees, ye shall in no case enter the kingdom of heaven." (Jesus really didn't like the scribes or the Pharisees). There's a lot going on there. Some Evangelicals will use the first two sentences to explain that Jesus did indeed fulfill the law and the prophets, so it's OK not to worry about them any more. A sterling example of cherry-picking. It's the third sentence that gets interesting, which is probably one of the reasons some Christians avoid it. First of all, it's unconditional. Whoever violates even the tiniest bit of the law is in deep yoghurt. But, and here's the interesting part, breaking the Law won't keep you out of heaven, you just have to go live on the South side of town. The fourth sentence really rounds the whole thing up. The scribes and Pharisees were lawyers. That chapter on hypocrisy in Matthew that I mentioned is full of what Jesus thought of them. So, part of what he's saying here is that if you are intent on enforcing the Law without actually holding yourself to it, no heaven for you. Oops. But even more to the point, if you try and fail to keep the Law, you're still better off than the lawyers who point at it and say, do as I say and not as I do.

So, what are we to do if we want to be Christians without passing up the shrimp cocktail or buying new furniture every month? Well, on one level, if all you're worried about is staying out of Hell, then relax, the worst thing that can happen is that you'll have to take a bath and live in the poorer section of Heaven (remember that Jewish concept of Hell and the stuff about being the least in the kingdom of heaven?). Sounds snarky, but it's hard to avoid. The totality of rules and regulations for being a literal Christian at all, let alone a good one, would make a lawyer weep. It is the big problem with being a Bible literalist. It can't be done by anyone with a sane, rational mind. The Bible isn't an instruction manual for how to be a Christian. It's full of extraneous material. What theological purpose is served by the "begats?" As beautiful as it is, how is the Song of Solomon relevant to Christianity? And, who knows what the deal is with the Apocalypse of John, a.k.a. "Revelations," other than that it could mean just about anything and the author had been reading waaay too much Daniel.

In John 13, Jesus says, "A new commandment I give unto you, that ye love one another; as I have loved you, that ye also love one another. By this all men shall know ye are my disciples, if ye have love one for another." That seems pretty clear-cut. In Matthew 22, he is asked what is the greatest commandment of the law, to which he responds that "Thou shalt love the Lord thy God with all thy heart, with all thy soul, and with all thy mind" is the greatest, but second "and like unto it, Thou shalt love thy neighbor as thyself." He said that upon those two commandments hung the Law and the prophets. If you can't keep those two, then the whole rest of the Law is meaningless. The first time (in my example, not chronologically) he said it was right before Judas turned him over to the Romans. The second time was in answer to a lawyer of the Pharisees who was trying to trick him into saying something blasphemous. In both cases, it seems that this was important for him to say. He didn't say it was important to avoid eating shrimp, or sitting on random chairs, or taking your neighbor to court over the sick oxen he sold you, or taking the proof that your new wife wasn't a virgin to the priests so they could decide whether she needed to be stoned to death. No. He said love God first, closely followed by loving one another. The Law is still in effect, and will be until stars burn out, but if nothing else, live up to those two commandments.

So, can we be good Christians when we don't adhere to "every jot or every tittle" of the Law? My opinion? Yes. To be Christian is to be Christ-like. He loved all of us, publicans and sinners too. He wanted us to love each other as he loved us. Loving one another is proof that we are his disciples. He wouldn't suffer the prostitute to be stoned, neither should we. "Judge not, that ye be not judged." It's not our job to interpret the Law especially when we can't live up to it ourselves. Don't point at the guy with the shrimp cocktail in front of him when you've got seafood sauce on your napkin. Got it? Motes and beams, right? Live the two great commandments, you must; live as much of the Law as you can. I refuse to believe that the man who taught love and forbearance would set us up to fail so spectacularly. And, by understanding the totality of what the Gospels have to say, I don't have to.

Saturday, March 15, 2014

In Dreams

Some think that dreams are a continuation of our internal dialog after we fall asleep, but presented in terms our conscious mind doesn't find obvious. They think there is some plot and narrative meaning to them. They believe that dreams are the way our minds work things out that they couldn't handle during waking hours. They believe that, in some cases, our minds are working out issues we didn't even know that we had. Freud said that dreams are the way that our subconscious, usually tightly reined in by our ego, blows off some steam. He said that glimpses of our primal urges would be so disturbing that some agent of our unconscious mind translates the urges into highly symbolic images. Decoding the symbolism allows one to glimpse the underside of consciousness. There is even a cottage industry built around regurgitating some of the symbolism that Freud described in his writing.

Others say that dreams are just random synapses firing, activating bits and pieces of your experiences in a haphazard way. They say that there isn't any special meaning to them. Often as not, they are jumbled elements of your everyday existence and the memory of past experiences. In fact, every fundamental element of a dream is based on some past experience. Your dreams may put together people and places that couldn't possibly have been together. Your grandmother scuba diving with your ex-boyfriend. It matches people of the wrong ages and times. Being a toddler while watching your younger sister drive you to the store. We may even create houses and landscapes that never existed, or at least never existed together. But, no matter how bizarre the plot and the characters are, every single basic element is something we have experienced at one time or another. Even people who claim to have fantastic dreams will tell you that the unicorns are just horses with a horn on their heads. There is no symbolic narrative. A cigar is just a cigar, and a tunnel is just a tunnel.

Either way, the fact that you can remember your dreams at all means that they are connected in some way to your conscious mind. However, the connection is usually tenuous. Most people forget the minute details of their dreams shortly after waking up. Many people can't remember even the gross (as in big, not as in yucky) details within minutes. Still more don't remember anything at all about the dream by mid-morning. I would bet real money that most of you reading this can't remember with clarity more than a dozen or so dreams you've had in your entire life. Of those, you likely don't remember the full story line, just the details that stuck with you. L. Strumpell, a contemporary of Freud, theorized that we don't remember the particulars of dreams because we don't learn from them. He theorized that we learn by association and repetition. Dreams are usually so random, and the plot lines so vague, that nothing sticks with us. That would seem to lend credence to the second theory I outlined above.

At one time, it was believed that dreams are connected to REM (Rapid Eye Movement) sleep. Most of us experience a period during sleep in which our eyeballs move back and forth very rapidly. Tying dreams to REM sleep raised an interesting paradox. REM sleep generally only lasts for a few seconds to a few minutes, while the subjective plot lines of dreams can go on for hours, or in some less common cases, days. Nowadays, it is believed that REM sleep and dreams are not connected. Sleep studies have shown that people experience vivid dreams without ever going into REM sleep.

Dreams are dreck that our mind drops on the ground as it starts up the dialog once again after sleep. They show us events that would certainly jar us if they happened during our waking hours. However, they don't give us glimpses into a hidden realm, other than what we glue together from available bits and pieces of experience. It certainly isn't useful to build the goals of our lives on the contents of our dreams. Artists and authors have based their work on their dreams, but many of the rest of us, talented as we may be, don't have dreams that are universally interesting enough to make a living by selling them.

For one, I just enjoy having a laugh at how utterly bizarre my dreams tend to be.

Tuesday, March 11, 2014

Mind vs. Brain

Brain is not mind, and mind is not brain. Just as the symphony isn't the orchestra, and the orchestra isn't the symphony.

Your brain is the most amazing feat of engineering humanity has ever encountered. It's made mostly of fatty cells called neurons. Neurons look sort of like tadpoles with lots of fingers. The fingers are called dendrites and the tail is called the axon. Dendrites and axons can connect neurons to other neurons. But, they don't touch one another. That is where the magic is. The neurons talk to each other using electrical pulses that jump across gaps called synapses. The electrical activity is caused by different chemicals that are released and withheld at the right times.

Scientists and philosophers have been looking for the mind for millennia. Mind and spirit have been related to one another countless times. René Descartes was the first to put forth the idea that mind and body are separate. Later, Sigmund Freud would divide mind into conscious and subconscious. Much more recently, it was believed that mind is contained in the electrical impulses that constantly fire across the trillions of synapses in the human brain. Yes. Trillions.

We've mapped the brain pretty well. That is, as far as cognition goes. We know which parts of the brain control sight, hearing, and motor functions like breathing and keeping our hearts beating. We even know which parts of the brain become more active during extreme emotional events. We know that you can scramble the frontal lobe and the patient can still walk and talk, but their emotions and motivation have been suppressed. Lately, we've discovered that certain chemicals in the brain cause behavior and mood disorders like depression, bipolar disorder, and schizophrenia. We discovered that certain other chemicals can control the creation and suppression of brain chemicals that cause the disorders. Lobotomies with chemicals and without that messy brain scrambling. But, none of that is mind.

With all of what we know, we think we're on the verge of discovering mind. According to people who have tried to discover mind scientifically, as opposed to philosophically, we're nowhere near it. Many of them say that the human mind is incapable of understanding the human mind. We may never understand the processes we use to think. We understand cognition quite well. We create all sorts of machines that mimic human cognition. We call it artificial intelligence, but that's a little arrogant. Cognition isn't mind. Cognition is incapable of learning by testimony. Cognition isn't self-aware. Cognition isn't innovative.

Your mind might actually be rattling around inside your head, but maybe not. Maybe it is something even more separate and apart from the body than we thought. After all, we thought epilepsy was caused by bad air at one time, didn't we?

Wednesday, March 5, 2014

The Individual

I've been reading Society of Mind by Marvin Minsky. It's about the mind and how it works from an artificial intelligence point of view. This quote struck me:

"...without the concept of an individual, we would have no sense of responsibility."

Dr. Minsky does that. He makes profound statements in an offhand sentence.

A little background. The context is a discussion of self and Self and how we perceive them. The lower case self being the general concept, and the upper case Self being our perception of it. Upper case Self manages our internal dialog and steers the ship. Lower case self differentiates us from the furniture. That leads to the individual, which differentiates us from the other selves and Selves.

The question that opened up to me when I read that was, why? Why does responsibility follow conceiving the individual? As I said above, individuality is a boundary between our selves and everything else. At the most basic level, we act to survive. We seek food and shelter. We act to preserve the species. We reproduce. But those things aren't really responsibility. They are instinct. You can't assign responsibility to instinct unless you want to split hairs and say that we have a sense of responsibility to act on our instincts. What Dr. Minsky seems to be saying is that there is some kind of causality between individual and responsibility. Instinct and individual don't have a causal relationship. Consider reproduction. That is a purely instinctual urge. There is no immediate benefit to the individual. The individual doesn't have any conscious sense of responsibility to the species.

To my mind, responsibility involves another Self. Think about aboriginal communities. They weren't formed for the purpose of abstract society. They were for survival. One guy with a spear trying to take down the woolly mammoth was suicide. Ten guys with spears was dinner and shelter. One guy had to sleep and risk being dinner for a saber toothed tiger. Ten guys could rotate keeping watch. Also, in an example of purely instinct driven behavior, the bigger the society, the deeper the gene pool. But, in these societies, each member had a responsibility to pull his/her weight or get the boot and become carnivore fodder. But, that doesn't exactly link the individual to responsibility.

An aboriginal community wasn't exactly socialist. The tribe was important, but not more important than the individual. It was a community of individuals who took responsibility for the tribe. Inevitably, there was eventually going to be a leader. Cats are individuals, too, but we know how hard it is to get them to work together. At some point the tribe progressed from simple survival to larger goals. Territory. Advancing from hunter-gatherers to agrarians. But, the tribal leader who built his position purely from the collection of power didn't stay leader for long, one way or the other. Leaders who built the tribe on the importance of the individuals as well as the tribe survived for a long time. American Indians built a society truly based on the consent of the governed. The tribe followed the chief as long as he acted in their best interest; when that wasn't true any more, they moved on. And there it is. Individuals responsible to themselves and to the tribe.

In socialist and communal systems, the individual gives up his sense of self for the good of the community. The basis of such systems is sacrifice, not responsibility. One of the most widely heard political sound bites is on the subject of personal responsibility. It preaches that personal responsibility will cure the ills of the current system, but it has it backward. The system has to be fixed to restore the individual and repair our sense of responsibility.

And, I think that's what Dr. Minsky meant by his offhand comment.