The uncertainty principle has always seemed perfectly reasonable to me

May 2, 2013 1 comment

There’s an interesting article over at the New Scientist: Sorry Einstein, the universe needs quantum uncertainty. (It’s not new. I can remember being there, but I can’t remember how I got there.) The apology to Einstein is because he was never quite happy with uncertainty since God doesn’t play dice (but as soon as anyone mentions God, you can kiss goodbye to logic and start thinking about mystical unreality).

Now Stephanie Wehner and Esther Hänggi at the National University of Singapore’s Centre for Quantum Technology have taken a new tack, recasting the uncertainty principle in the language of information theory.

The upshot is that without uncertainty, a particle defies the second law – it effectively becomes a perpetual motion machine; ergo, the universe requires uncertainty to maintain this false sense of reality we call existence. If everything was in perpetual and perpetually increasing motion and commotion, we would be living in Pandaemonium. Don’t answer that.

Forgive the ramblings of a non-scientist, but where is the problem with uncertainty? Matter is simply a physical manifestation of energy. The smallest possible particle of matter is the manifestation of a very small amount of energy. The very small amount of energy in that very small particle is sufficient to display position or motion; but not both simultaneously. In order to display both, the matter would need to comprise more energy than the energy it takes to comprise the matter. Never mind defiance of the second law of thermodynamics, this is a simple absurdity.

It’s just like when you find granddad – or me, for that matter – standing gormlessly at the larder door. He, or I, just about have enough energy to get there, but not enough energy to simultaneously know why we got there. That’s the uncertainty principle in practice; and it’s perfectly understandable.

Categories: All

The idiom in some Nigerian scams is slightly wanting

May 2, 2013 Leave a comment

Sometimes Nigerian scammers just don’t quite get the idiom right. A headline screaming at me, Treat as Urgent For Christ Sake probably wasn’t meant to convey the attitude it does.

Mrs Marie Smith actually wants to give me a lot of money, because we can “become good friends in the Lord” and do good deeds together.

It is sad, though. She’s childless, 57 and only has two months to live; so probably can’t have any children of her own now. Her math is no better than her idiom.

So, Mrs marie_smith38 at AOL, you’ll need a better story than this, for chrissake!

Categories: All, Security Issues

LivingSocial got hacked; 50 million passwords stolen, but it still hasn’t learnt all the right lessons

April 30, 2013 Leave a comment

We learnt over the weekend that LivingSocial got hacked, and 50 million passwords were compromised (I reported on the story for Infosecurity Magazine here: 50 million LivingSocial passwords stolen). We know that the passwords were salted and hashed with SHA1. And we know that LivingSocial thinks that’s enough, because talking about the hack it said, “The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords – technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.”

It is, of course, far from enough. SHA1 hashed passwords will take only a few seconds to crack using standard rainbow tables. Salted SHA1 hashed passwords will take a little longer, but not much. The only ‘correct’ thing LivingSocial has done has been a forced password reset for its users, and a subsequent shift to the more secure bcrypt hashing algorithm. But frankly that’s too late for any users that have had their passwords stolen if they’re re-used on other accounts (statistically highly probable).

LivingSocial has so far given no details on who perpetrated the hack, with what, or when. That last is important since all of the users’ other accounts using the same password have been vulnerable since the moment the hackers exfiltrated the data. Nor do we know if the hackers gained access to any salting scripts on the server – which would largely nullify any benefit from the salt process.

I don’t have a LivingSocial account, so I’m OK. But I decided to sign up after the hack. The sign-up page wanted an email address. I gave it ‘yougottabejoking’. It also wanted a password. I entered ‘12345678’. It accepted both, and gave me an account – this account:

My LivingSocial Account – no prizes for guessing the password…

Had I done this before the hack, said hackers would now be in possession of both my email address and my password – a password that even salted and hashed would not take long to crack. If I used the same password elsewhere – as many users do – then all of those other accounts would also be cracked.

My point is this. Salting and hashing is pretty useless if the password is weak. Salting and hashing (especially with bcrypt) is very good if the password is strong. So rather than allowing me to enter a 12345678, LivingSocial should be imposing a strong password policy that forces all users to use a strong password.
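To make the point concrete, here is an added example (my own illustration, not LivingSocial’s code and not from the original post). It stores a password under the scheme LivingSocial described (one SHA1 pass over salt plus password) and under a deliberately slow key-derivation function, then runs a defender-side audit: how many guesses from a short common-password list does it take to recover ‘12345678’, salt and all? It assumes a constructed ten-word list and a fixed salt, and uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt so it runs with no third-party package. The sign-up policy check at the end is the part that would actually have helped.

```python
import hashlib
import hmac
import os
import time

# Constructed sample list standing in for the "most common passwords" lists
# that are tried first against any leaked database; real lists are far larger.
COMMON_PASSWORDS = ["password", "123456", "12345678", "qwerty", "letmein",
                    "abc123", "111111", "iloveyou", "admin", "welcome"]


def salted_sha1(password: str, salt: bytes) -> bytes:
    """The scheme LivingSocial described: a single SHA1 pass over salt + password."""
    return hashlib.sha1(salt + password.encode()).digest()


def slow_kdf(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stand-in for bcrypt (assumption: PBKDF2-HMAC-SHA256 from the standard
    library, chosen so this example has no third-party dependency). What matters
    here is the cost of every single guess, not the specific algorithm."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def audit_against_wordlist(stored_hash: bytes, salt: bytes, hasher, wordlist):
    """Defender-side audit: does a stored hash fall to a short common-password list?
    Returns (recovered_password_or_None, guesses_made). The salt is assumed known,
    which is the normal situation once the database has been exfiltrated."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(hasher(candidate, salt), stored_hash):
            return candidate, guesses
    return None, len(wordlist)


def password_policy_ok(password: str, min_length: int = 12) -> bool:
    """Minimal policy a sign-up form could enforce: minimum length, not on the
    common-password list, and at least three of four character classes."""
    if len(password) < min_length:
        return False
    if password.lower() in COMMON_PASSWORDS:
        return False
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes) >= 3


def per_guess_seconds(hasher, salt: bytes, rounds: int = 10) -> float:
    """Average wall-clock cost of one guess under a hasher; used only to show
    how much a slow KDF multiplies the attacker's work per candidate."""
    start = time.perf_counter()
    for _ in range(rounds):
        hasher("12345678", salt)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    salt = os.urandom(16)  # a random per-user salt, as LivingSocial said it used
    weak, strong = "12345678", "Tr0ub4dor&3-correct"

    for name, hasher in (("salted SHA1", salted_sha1), ("slow KDF", slow_kdf)):
        found, guesses = audit_against_wordlist(hasher(weak, salt), salt, hasher, COMMON_PASSWORDS)
        print(f"{name}: '{weak}' recovered as {found!r} after {guesses} guesses, "
              f"{per_guess_seconds(hasher, salt) * 1e6:.0f} us per guess")

    found, guesses = audit_against_wordlist(salted_sha1(strong, salt), salt, salted_sha1, COMMON_PASSWORDS)
    print(f"salted SHA1: '{strong}' recovered as {found!r} after {guesses} guesses")
    print("policy accepts", repr(weak), "->", password_policy_ok(weak))
    print("policy accepts", repr(strong), "->", password_policy_ok(strong))
```

Run it and the weak password falls on the third guess under both hashers; the salt is no obstacle once it is in the same stolen table, and the slow KDF only makes each of those three guesses cost more. A strong password, by contrast, survives the list entirely under even the fast hash, which is why the policy check at sign-up does more for the user than any hashing choice.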

Categories: All, Security Issues

Business Vs privacy

April 29, 2013 Leave a comment

The matter-of-fact way in which big companies seem to think they own and have a right to private and personal information about us is worrying. The following paragraph is lifted verbatim from a Juniper Research blog today:

The next step is to combine this with, say, healthcare data achieved through large-scale remote patient monitoring, to achieve a more accurate picture of the individual through knowledge of that individual’s peers. It may not be an exaggeration to say that we may be on the edge of a new era where individual circumstances are routinely informed through precise data analysis of a data “cloud”.
The DNA of Big Data

If you think, don’t worry, the new EU General Data Protection Regulation (GDPR) will keep our privacy safe, think again. On Friday Ross Anderson attended a GDPR lobbying meeting in London. He has thoughtfully published his notes in the Cambridge University Light Blue Touchpaper blog:

There were about 100 people present, of which only 5 were from civil society. Most were corporate lobbyists: good-looking, articulate and impressive, but pushing some jaw-dropping agendas. For example the lovely lady from the Association of British Insurers found it painful that the regulation might ban profiling that was unfair or discriminatory.
How Privacy is Lost

It’s worth reading in full – but I’m afraid it doesn’t get any better. And when you add the more direct lobbying of companies like Google and Facebook, I think we can confidently predict that the GDPR that emerges at the end – if it survives at all – is going to be vastly weaker than the one that started out last year.

Categories: All, Security Issues

Mitigating hostility when the terrorist threat increases

April 28, 2013 Leave a comment

I came across this news announcement. It’s an occupational hazard for journos. But this one caught my eye. It was about a new product – or more specifically, a ‘hostile vehicle mitigation product’.

I immediately thought of the press release I got from Europol on Thursday, where the latest statistics:

Hostile Vehicle Mitigation product?
source: EU Terrorism Situation and Trend Report

…show how the total number of terrorist attacks and related arrests in the EU significantly increased in 2012, in contrast to previous years. This and other findings in the report describe a threat from terrorism that remains strong and varied in Europe.

This new hostile vehicle mitigation product is probably related, I conjectured – some new unmanned remote-controlled robot able to locate under-chassis bombs, remove and defuse them; or perhaps the latest drone able to locate, track and take out suspicious vehicles with a single targeted strike.

No. It’s a bollard. A hostile vehicle mitigation product is a strategically placed bollard.

Clearly I need to upgrade my automatic overhype detection, filtration, isolation and elimination system – the delete button.

EU Terrorism Situation and Trend Report

Categories: All, Politics

If you’re British, and you think you live in a democracy, I need to disabuse you

April 23, 2013 Leave a comment

Consider the Communications Bill. That’s the bill that will supposedly allow the intelligence agencies to catch serious criminals and terrorists. But the only people it won’t catch are serious criminals and terrorists. And the only thing it will do is allow the government to know who you are talking to and where you go on the internet at all times and as you do it – at a huge cost to the public purse. (Incidental #1: The public purse is not government money. It is your money. The government doesn’t have any money. It is therefore taking your money to pay for a system to spy on you.)

Obnoxious as this is, it is not in itself undemocratic. You can argue that in a democracy, the electorate votes for a government and gives it the authority to make decisions without further reference to the electorate. (Incidental #2. I believe that this is a misinterpretation of democracy developed and promoted by governments. I believe that in a democracy, the government is always subservient to the will of the people.)

But what is quite incredible is the experience of Conservative MP Dominic Raab. As a member of parliament he is being asked by the government to vote in favour of this bill. A fundamental part of the spying process will be the filter. ISPs are going to be asked to keep complete records of our communications and browsing. That will be a national database of everything, albeit spread across the different ISPs. Technically, not a problem – it’s a national database from a government that promised to ‘roll back the database state.’ The filter is the mechanism by which the agencies can get to what they want – that is, it is effectively a private government search engine for our emails.

Quite reasonably, Raab wanted to know more about what he was being asked – no, told – to vote for on our behalf. All he wants to know is the advice given to the Home Office to justify the filter. The Home Office said no. So with true Yorkshire grit (he can kiss goodbye to any government preferment in the future) he issued a freedom of information request. But again the Home Office said “no, national security issues, don’t you know old boy.”

So he referred it to the Information Commissioner. The Information Commissioner has requested more information from the Home Office so that he can make a ruling on whether the refusal of the FoI request is justified. The Home Office has just over 20 working days from now to respond or face potential legal action for what amounts to contempt.

My bet is that the Home Office will respond, but we won’t know how, because the Information Commissioner will agree that it is in national security interests to withhold the information. His only alternative is to side with the people, upset the government and kiss goodbye to his knighthood – just like Raab. I will be delighted and will beg his forgiveness for besmirching his noble position if he sides with the people. I doubt that I will have to.

But step back and think about this. The Home Office is demanding that our elected representatives simply do what they’re told with no understanding or knowledge of what exactly they’re doing. That, I fear, is democracy in 21st Century Britain: we elect people to do what the government wants, which is what big business and secret services want. What the electorate wants is irrelevant.

Categories: All, Politics, Security Issues

91% of people trust business, but 97% don’t

April 23, 2013 Leave a comment

Statistics – don’t you just love ‘em?

“91% of people trust business to keep data safe despite rise in breaches” is the headline announcement from Varonis today.

“Only 3% say that their data is very secure with social networks and 11% say the same about online retailers,” concluded the Economist Intelligence Unit earlier this month.

Now I’m no mathematician, but this adds up to just one thing for me: don’t believe anything anyone tells you – and that includes me. Make up your own mind because everyone else has an agenda that may not be in your best interests.

Hint: always err on the side of distrust; you may be pleasantly surprised, but you won’t be disappointed, and you’ll almost certainly be right.

Categories: All, Security Issues