November 8, 2009

Avoiding disaster when using svn switch

So I was going to be my usual negative self again this month, but I created something, so I'll share that instead. Your regularly scheduled cynicism will return next month.

The problem


So you're working away on a branch of your project in SVN, and you need to switch to a different branch. svn switch does exactly that, but there's a catch. Say your repository has a top level with a README and CLI scripts and whatnot. But you've been hacking away in the src/ folder because that's where all the real code is. And you carelessly type svn switch svn://myrepo/branches/other_branch while your working directory is src/. What you should have typed was svn switch svn://myrepo/branches/other_branch/src - notice the subtle but important difference there.

As soon as you hit Enter, you've screwed the pooch. Remember, SVN doesn't know about branches - it just thinks they're all folders. So what you've done is tell it to switch the working directory, src/, to the top level directory of some other branch. It's going to delete everything in your folder and start checking out the whole root directory into your working directory. It's going to make a mess, then yell at you about conflicts and slotting and mismatches and you're probably going to end up getting frustrated and running rm -r on the whole folder. If there's a graceful way to recover from this mistake, I have yet to find it. I've done this enough times that I usually realize my mistake as soon as the first message pops up, and I often mash Ctrl-C in hopes of preventing further damage, but honestly I think that makes it worse.

After making this mistake for about the fiftieth time yesterday, I finally decided it would be in my best interest to protect me from myself, and so I wrote a bash script. It checks the directory (relative to the root of the branch) that you're asking to switch to against your current directory and won't let you continue if it thinks you're about to screw something up.

This script assumes that your repository follows the standard SVN repo format - your code should be in trunk or branches/branchname. And it assumes you're going to run svn switch on your current working directory - I didn't write any support for more than one argument.

Installing


Because of the nature of SVN commands, we have to wrap svn and just pass arguments for the other commands through untouched. Shawn Parker gets credit for the original inspiration. You'll need to put the below code in a file and make it executable. Then edit your .bashrc to add the following line:
alias svn='/path/to/script.sh'



September 23, 2009

Worse than Nothing

Want to get phished? Don't worry, it won't hurt.

If you have an account with Vanguard, the investment firm, you can experience it for yourself right here (works on IE7, IE8, or FF3). If not, you can watch a quick screencast of me phishing myself. Note that this is clearly not the Vanguard site, and yet after I enter my username, I'm shown my personal image (mine's a canoe! what's yours?). I didn't answer any security questions, and yet that's my personal image that only my bank and I are supposed to know. And here it is on some scammer's site. That's the unique part of my attack, and the most dangerous.

By the way, that screen at the end is where the scammer has just obtained your password and is happily emptying your bank account (since I'm nice, I just display a hash and don't save it).

I don't mean to pick on Vanguard, I just happened to have an account with them. A similar attack should be quite possible on Bank of America, HSA Bank, or anyone else who uses the SiteKey system. SiteKey is a scheme banks came up with in response to the large and largely-intractable problem posed by phishing. It's sometimes labeled as a "multi-factor authentication" system, but I think that's incorrect - it's more of a "mutual authentication" system. The site proves that they are legitimate by showing you a picture that you selected when you sign up. Since no one else could know what picture you have set, this proves that the site is who you think it is. At least, that's the theory.

My attack is simple. The first page is just a static page that looks exactly like Vanguard's home page - standard phishing fare. When you submit the form with your username, I build a page with an iframe pointing to the Vanguard site, passing it the username. As long as you've logged in from this computer before, the Vanguard site happily shows your personal image. Then I create a form outside of the iframe with a password field and a submit button, and float those elements over the iframe. So while you're seeing the Vanguard site in the background, you're entering your password into a form I control, and the submit button you click submits to my page. And just like that, I have your password.

I have your password. I did this with a freakin' Bachelor of Arts degree. It took me about three hours of messing around to get the basics set up, and another few hours to spit and polish. It's a couple of dumb HTML pages with a few snippets of PHP, and a pinch of Javascript thrown in. There is nothing sophisticated here. I don't think this even qualifies as a "hack." I think you should be concerned. This attack has been possible as long as SiteKey has been in existence, and I see no reason why I would be the only person to think this up. In all likelihood, some smart phisher out there is already doing this.

I learned retroactively that this technique is called UI Redressing, more commonly referred to as Clickjacking. It's behind a number of attacks, of which perhaps the most publicly visible (although not the most dangerous) was the Twitter "Don't Click" infection. Even worse, since my attack requires no clicking on the actual hidden elements, even NoScript's vaunted ClearClick technology doesn't detect it (NoScript does offer an opt-in to disable iframe content, which sounds like it should stop the attack, but it didn't work for me).

SiteKey was weak to begin with. It's bad enough that a vast majority of site users don't notice if the image is missing. And a weaker man-in-the-middle attack that involved asking security questions was demonstrated 3 years ago[pdf]. But this is worse. A malicious site that shows you your own handpicked image will lull you into a false sense of security. Who would think twice about providing personal information when that mountain stream or étouffée or whatever you picked is staring you right in the face? The banks have worked hard to train users to look for that image, and that very training can be turned against them to make phishing attacks even more successful than before. SiteKey is not just useless - it's worse than nothing at all.

I have been in contact with RSA Security, the vendors of SiteKey, about this attack. To their credit, they were very professional about the whole thing. They treated the matter seriously (I was surprised to get a response at all), and did not try to bullshit or bully me. So they get points for understanding how to make the vulnerability reporting process a productive one. They told me they have notified their clients about the problem and suggested corrective action. I imagine this action will consist of frame-busting Javascript and a proprietary IE8 header. I can only speculate because as of this posting, neither Vanguard nor HSA Bank have done anything to prevent the attack, even though it has been two months since I reported it. These changes will help, but the headers are opt-in and only work on newer browsers, and the Javascript isn't necessarily immune to circumvention. Besides, recall what I said about my qualifications as a security researcher. If I came up with this in a few hours of spare time, don't try to tell me there aren't similar attacks that could be discovered by a motivated person - say, someone who makes a living managing a phishing operation.

There's another reason I think SiteKey is worse than nothing. It's not just users who get a false sense of security from it - banks are biting on these supposed panaceas instead of facing up to the very difficult problem of performing real security. It's all too easy for companies to set arcane password rules and shell out money for "solutions" like SiteKey, and convince themselves that they've tried hard enough. Wrong. SiteKey is like a Mickey Mouse band aid on the wrong knee. Maybe it gets the three year old to stop crying, but it's not actually doing any good.

Epilogue

I know, I know, I'm such a negative person. Always bringing other people down. Complaining about what exists without offering any suggestions of my own. What would I propose to guard against phishing? Huh, tough guy?

I have to be honest - I don't see a silver bullet. Phishing is a serious threat, and one that preys on our inescapably human failings - inattention, belief that our perceptions are accurate, and willingness to adapt our actions to what we are presented with. I don't see it going anywhere any time soon. However, I think the Firefox address bar is a great start:
Firefox address bar
If we have to train users to look for something, it should be this. Benefits:
  • It's client-side. No man-in-the-middle. No UI redressing. Short of a serious Firefox exploit or SSL vulnerability, there's no faking this part of the address bar.
  • It comes (I assume) from the SSL certificate, which is a pretty okay security measure, and one that any respectable site dealing with sensitive information already uses.
  • It's friendly and distinctive - it's big and green and it tells you the name of the company.
  • It's right next to the address bar, which encourages one to also check the URL. This is the original best security measure, and one that eBay and others have been advocating for years. I should point out that the pretty little Locationbar² plugin is helping here as well by highlighting the domain name so it stands out against the rest of the URL.
Still, this only works if you think to look. The danger of phishing is that you get caught at the end of a long day, or when you're in a hurry, or when fucking PayPal actually has deactivated your account three times in the past and you're so annoyed by the prospect of a fourth that you get careless and don't check.

I've got another suggestion, but this one is a lot further from reality. This is what I think could be, if we would spend less time on fake security and more time on real security.

Imagine, if you will, a world where PGP is commonplace. That's right, I'm evangelizing again. Imagine every email you receive is signed, and you have an extensive trust network. When you open an account at a new bank, the rep hands you a piece of paper with instructions on downloading the bank's public key and a fingerprint to verify it. Because PGP is so common, your email client actually throws up a big red warning saying "Hey! This signature is untrusted!" whenever you get email from someone whose key you haven't imported. Suddenly you have a proactive warning on every phishing email that comes through. Nobody is going to click through a message from their bank that is labeled as "untrusted." You could teach your grandparents that.

Is this a pipe dream? For now, yeah. But it's a good one - it's a world where email phishing is essentially solved.

Until then, keep checking your address bar.

Update (12/03/09): Looks like at some point in the past few months, Vanguard updated their site with some frame-busting Javascript, and now hides the pages if Javascript is disabled (bad news for accessibility, but arguably more secure). However, let me reiterate: the fact that they have stuck their finger in this leak doesn't mean there aren't other holes in the dike.

Another update: I sent this article to Jim Youll, the author of the original paper on SiteKey vulnerabilities. He emailed me back, and in his response was a remark that stuck with me: "they always say that the undisclosed back-end systems are the fail-safe for the front-end attacks. I don't think they're lying." At some point, it hit me: what if SiteKey is nothing more than security theater? Maybe they do know that it's useless. Maybe they don't expect it to stop anything. Maybe whatever fee they're shelling out isn't coming from the security budget, but from the marketing budget. If this is the case, I just hope the marketing spiel isn't working on the people who need to be doing the real security.

August 7, 2009

Making Chroma-Hash Less Leaky

Prologue

Recently, Jakob Nielsen yelled at everyone that password masking is a usability problem. When that man yells, people listen, and so were planted the seeds for some interesting experiments in providing password hints. The sexiest of these so far is Mattt Thompson's Chroma-Hash.

Some valid security concerns were raised over this widget. Mattt has solved several of these already with his recent improvements. I'd like to examine one of the remaining issues and suggest a solution. You can view my fork on Github for the source code.

The problem

The scenario goes something like this: a user takes and shares a screenshot or screencast of their login screen with password typed in. Someone malicious views this and can garner information about the hashed password from the color bars. From here, I'm going to assume that you understand the basics of how MD5 is a one-way function and why that's important.
Chroma-Hash password box
In the standard operating mode, Chroma-Hash is pulling number values right from the MD5 hash. We can get the colors with an eyedropper, and look - they match up (in reverse order) to the first part of the hash of the salted password.

$ echo -n "hooray12:7be82b35cb0199120eea35a4507c9acf" | md5sum
4ea16c514a6697bce642ee2250aa92f6 -

If we were using five color bars, we would have disclosed almost the whole hash.

People keep bringing up the fact that MD5 is not considered a secure hash function any more. These concerns are misplaced. MD5 is considered broken because it's too easy to find collisions - things that hash to the same MD5 sum. This is useful indeed if you are wanting to forge a digitally signed certificate or tamper with transferred data. But unless the authentication server is using the exact same salt and hash algorithm as Chroma-Hash, creating a collision with someone's color bar hash is useless - you'll be able to get the same colors, but you won't be able to log in.

The real concern here is this: we've allowed an attacker to move the computational load onto their own hardware. When you control the password oracle, it's easy to limit the rate at which login attempts may be made. This makes a brute force attack or even a dictionary attack infeasible. The attacker can't try passwords fast enough to have a reasonable chance of guessing the right one within years. But when an attacker has a hashed result of your password, they can run a dictionary attack as fast as their hardware allows, and a matching MD5 from a dictionary attack is likely to be the right password, because let's face it, people in general don't choose secure passwords.

An aside: at the leading edge of server-side security, the equivalent threat of a stolen database is dealt with by bcrypt, a hashing scheme that can be tuned to be computationally intensive. So maybe the password check takes a tenth of a second instead of a thousandth - it's no big deal in the course of regular business, but it will significantly slow down an attacker trying to test a lot of passwords against stolen hashes. This strikes me as impractical for our purposes, and not only because we would need to implement bcrypt in Javascript. Tune it too strong, and a user running on slow hardware could suffer a bad performance hit when trying to type in their password. Tune it too weak, and an attacker with a couple dedicated cores could crank through at a fair clip.

My solution

In this case, I say collisions are actually our friends. If we can limit the information available to an attacker, we can leave them with a very large set of possible matches that they can only check by attempting to log in to the server. The point here is to make them verify against the server, rather than doing it at their own pace.

This is where another convenient fact comes into play. In his blog entry, Mattt points out that over-the-shoulder attacks won't be effective against Chroma-Hash.
As a color expressed in Hex, there are 16,777,215 possible colors for each bar. Eye-balling it wouldn’t be enough to get an exact color value—the difference between #952A08 and #952A09 is nearly imperceptible...
Those millions of possible colors come from 24 bits used to represent each color, which in turn is 24 bits of our hash leaked for every color bar. If we don't leak the information in some of those bits, our attacker cannot be as precise about identifying matches. And since humans cannot really differentiate all those colors anyways, we're losing almost nothing by eliminating some of the possibilities.

The best way to do this is to redact the low-order bits, so that we keep the entire color range and lose only the fine distinctions between shades. You can think of this like counting in multiples. Instead of every number being an option, we round to the nearest even number, or multiple of 16, or whatever we like. The more we round, the more information we can withhold from an attacker.

Let's see it in action.
Chroma-Hash password box
In this version, rgbStepSize is 2. You can see that the color values are very close to the original, but each 2-character hex number is even (0x96 = 150, 0xbc = 188, 0xe6 = 230, and so on). And since we're rounding, the attacker cannot know if the original hash contained "96" or "97", "bc" or "bd", etc.
Chroma-Hash password box
In this one rgbStepSize is 16. Looking at the color values, you can see that the second character of each pair is 0. We've eliminated half of the bits leaked by Chroma-Hash, and the colors are still remarkably close to the exact values as far as the human eye is concerned. In fact, quick experimentation shows that we can go with a step size of 64 or so without affecting user experience too drastically.

Did it work?

Now, how much does this help us? I'm a little out of my depth here, so I can only provide some back-of-the-napkin estimates. The small version of Openwall's word lists, which consists of various words and word combinations, has about 300,000 entries. For a six-digit password consisting of lowercase letters and numbers, there are about 2 billion total possibilities. A 64 bit hash can have about 18 quintillion different values, so if a dictionary attack finds a match against all bits, it's almost certainly the true password.

Let's say we're showing three color bars with a step size of 64. This means that 6 of each 24 bits per color is leaked. So an attacker is working with 18 bits, a space of about 260,000. Assuming the distribution through this space is even (it should be), each possible combination of these 6 bits will match up with roughly 34 million possibilities in the six-digit password space. This is good, as the attacker cannot test 34 million passwords against the server in a reasonable amount of time. However, working with the small word list, we can expect an almost one-to-one correspondence, which is not good. If we were to drop to two color bars, we could expect 73 matches per colorset. If we were to use a step size of 128 instead of 64, we could bring it up to 585 matches per colorset. If we did both of these, 4,688 (but at some point, usability drops off).

Regaining perspective

By dead reckoning, I would guess that most passwords used in a reasonably computer-literate community are stronger than the small dictionary list, containing non-words, numbers and hopefully capital letters or even symbols. But humans do like phonetic constructions and show a strong aversion to random combinations of letters and symbols. And a not-inconsequential number of people are still using dangerously weak passwords, unaware of the dangers of computer security.

So, is it worth it? Assess the risks. A user must leak their password information through a screenshot or similarly exact reproduction. This must either be initiated by the user or social-engineered out of them - someone with direct access to the user's computer could just install a keylogger instead. Additionally, that user must have a weak password. An attacker must take the time to launch a dictionary attack against the gathered information, then test all resulting possibilities against the server until one works. Unlikely, but not implausible. Put this in context with the more mundane but oh-so-effective threats like phishing, email password reset, compromise from another site, and general password carelessness. And finally weigh your perceived threat against the usability benefits Chroma-Hash offers.

Is it worth it? That's up to you.

June 26, 2009

Movies I Hate: I, Robot and S.W.A.T

I have only one "Top Ten List" on Netflix, and it is titled Movies I Hate. The description reads, "Not just movies I strongly dislike. Movies I wouldn't piss on to put out a fire." Here are two more from that list. Enjoy.

S.W.A.T.

0.5 out of 5 stars

I'm actually not entirely sure I've seen this movie. It's hard to tell if I was somehow strapped down and forced to watch it, or if I just ate a bad chicken salad sandwich, went catatonic for a couple hours, and woke up to a preview showing on TV. I'm pretty sure the two experiences are comparable, right down to the taste of expired chicken left in my mouth by the end. All that I can come up with is vague recollections of explosions, shooting, and guns. I assume there were some protagonists and antagonists involved, but they were so forgettable the movie would likely have gone up in quality without them. Sometimes I worry that it's not normal to be missing such a large chunk of time from my memory like this. But mostly I just worry that I actually got tricked into watching this movie. Given the choice, I think I'd take food poisoning.


I, Robot

0.5 out of 5 stars

Well, here it is. The stinkiest stinker. The crappiest crapfest. The travesty of all travesties. If movies were animals, this would be the tapeworm. How not to make a successful movie: First, take the work of a greatly respected science fiction author. Next, spew vomit all over it. Now, feed that mess to your dog and hire some two-bit hack to make up a script that is, in fact, a disgrace not only to Isaac Asimov's collection of short stories, but to all writers everywhere. Finally, to add insult to injury, plaster blatant product placement everywhere, just to make clear exactly how little you respect the moviegoers who have made the unfortunate mistake of wandering into your film. And there you have it! I, Robot. If there is a convincing argument for why humanity will not survive another millenium, this is it. And that's not because we will design killer robots that will turn on us, it's because a society that actually condones sewage like this is in moral decline. Heck, the robots would be doing us a favor. Look for an exciting matchup sometime later this year, as I, Robot's right to the title of "worst movie ever" is challenged by a newcomer, I Am Legend, also starring who else but Will Smith.

May 26, 2009

Radio Sucks

Radio programming is just that!
-- Saul Williams, "Penny for a Thought"
Radio sucks! The same fucking songs over and over again! All the weak ones, all that disposable crap that isn't gonna matter in 3 months, it's just shit!
-- Matt Pinfield, Significant Other hidden track
Turn on the radio, nah, fuck it, turn it off!
-- Rage Against the Machine, "Vietnow"

When I posted my analysis of The Current's playlist a while back, I mused about how it might stack up against a station run by the mainstream corporate borg that is ClearChannel. The problem is that no other stations make their full playlists publicly available, so I had no data to work from. Most of them offer the 10 most recent songs played, and that's it.

I dropped the idea for a while, but when I got myself a cheapo hosting plan, suddenly I had an always-on box that could, say, run a cron every ten minutes, perhaps a cron that scraped some radio sites for their recent songs. And even better, since every ClearChannel subsidiary uses the same template, I only had to build one scraper and I could collect data on half the music stations in the Twin Cities. Score! A little later, I discovered Yes.com, a cool service that even provides an API, and worked out a way to scrape the other major stations in Minneapolis.

The code is available here. The data you see below is the averages for the period of 3/22/09-5/22/09. If you'd like more discussion of my analysis techniques, check out my original post. Don't worry, this post will not contain any sad kitten pictures. Without further ado, the results:
Unique Song Ratio
I went into this expecting KDWB (Today's Best Music) to suck, and they did not disappoint. They come out swinging with an absolutely abysmal level of uniqueness per week - which only gets worse when we measure over a month. However, they're facing some heavy competition from KS95 (Variety...80's, 90's and Today!). Those people seem to be rather confused about what constitutes "variety." Apparently the 80s, 90s, and today just didn't have that much to offer.

Most of the other stations muddle along between 0.2 and 0.3 - not as bad as they could be, but if you've spent any significant amount of time listening to Cities 97, you'll know that's still bad enough to drive a person to murder.

There are a couple notable standouts at the week level - KQRS and Love 105 (the latest owners of what was once Rev105's signal) do respectably. And Jack FM, who brags constantly that they are Playing what we want!, actually beats the Current for uniqueness at the week level. All these stations suffer significantly in the month-long measurements. To me, it looks like these stations have fairly large playlists, but simply rotate the same playlist over and over again. This isn't entirely a bad trait, especially for KQRS (Minnesota's Classic Rock), who doesn't have a growing field to work with.

Still, this demonstrates to me the importance of not only playing good songs, but playing different songs. Sure, it's fun to sing along with "Dirty Deeds" once and a while. But we've been singing along with it for decades now. And yeah, it's quirky when JackFM plays The Bangles right after Linkin Park, but it's a quirkyness that's manufactured by CBS Radio and shipped out to countless identically-named stations nationwide, and I don't think I'm the only one who starts to notice the cracks in the veneer after a while. So, hooray for The Current! Hooray for quirkyness that's actually just Mary Lucia being wacky and saying whatever goes through her head. Yes, Mary, I was listening that one day when you suggested that Mark Wheat take up cocaine.
Highest Playcount
Interesting. You'll notice The Current is definitely not ahead in this race. Jack FM, KQRS, and Love 105 again all put up very impressive numbers, and KOOL 108 isn't bad either. It makes a fair amount of sense - these are the stations that are drawing from several decades of music and shying away from new releases. So they're not under pressure to spin the latest single that some manufactured star just released. Good for them.

The Current, of course, is still a long, long way from the real offenders here. KS95 again manages to compress three decades of music into playing one song almost 50 times per week. And B96 pulls out a surprise win over KDWB here, playing the top song for a given week roughly 85 times in that week. I just threw up a little in my mouth.

Radio sucks, people. It sucks, sucks, sucks. Some stations suck more than others, but I can't lionize anyone here. The best we can ask for in playlist variety, it seems, is mediocrity. Listen to WLTE, who's completely unremarkable in every degree. Or, listen to Rage. Turn it off. There is no guerilla radio. The war was lost to the strains of Howie Day's simpering falsetto.

Epilogue

I've got one last graph for you all because, well, I still have an agenda. Here's the uniqueness graph again, but with one new data point: values from The Current for the same two-month period in 2006 as opposed to 2009.
Unique Song Ratio Redux
This is what I had hoped to see in the earlier charts. It's completely dwarfing the other stations. The scale is all off. It's not even worth debating how one conglomerate scores compared to the others, because The Current is embarrassing all of them. That's what it looks like when one station is single-handedly saving radio. That's where I want us to be.

March 22, 2009

Enacting my own Terms of Service

I currently have a couple web crawlers running that periodically request content from a couple websites and store it in databases. It struck me as strange that these websites deigned to stipulate certain "Terms of Service" (ToS) over my use of their content and believed that these terms formed a contractual agreement, even though there had been no negotiation over these terms, and I had never signaled my assent (I haven't clicked any little "I agree" buttons on any of these sites). So I decided to bring the art of negotiation back into the formation of these previously one-sided agreements.

So, when one of my spiders makes a request, it adds a name/value pair to the query string of the URL, like so:

http://server.contentprovider.com/requested/1234567?tos=http://static.iangreenleaf.com/TermsOfService.md
This parameter directs the content provider to my own Terms of Service for the transaction. My terms start out by making clear how a content provide may accept or decline them:

By serving the content I requested, you are agreeing to all the terms and conditions set forth in this document, without reservation. If you do not wish to agree to these terms, do not serve your content in response to this request.

They go on to detail how I may use the content I am requesting. My favorite part is this:
By serving the requested content, you agree to hereby waive any and all restrictions on use of your service that you may stipulate in your own Terms of Service, Terms of Use, or other legal document...
So if the content provider responds to my request, they have agreed to my ToS and waived any terms that they may subsequently try to stipulate on my use of their content.

Now, you might think this is stupid or absurd. You might even think that this is totally unenforceable, seeing as how all I have done is provide access to the terms I am stipulating and take continued participation as consent. And I would tend to agree with you.

However, I claim that if my terms are unenforceable, so are those stipulated by the content provider. How is my request any different than providing a tiny link to the Terms of Service way down at the bottom of the page?

Example of Terms of Service link

I have as much right to place limitations on the transaction as they do. My limitations just happen to nullify all of their limitations. They're welcome to stop serving me content if they don't want to accept my terms.

Think I'm wrong? Tell me why.

March 20, 2009

Rsync and retrying until we get it right

Ok, this isn't all that special, but I scoured the first two or three pages of Google results and didn't come up with anything that solved my problem. So here it is, Internet - may the next person be luckier than me and not have to read any man pages.

Rsync is a cool utility, especially when I'm trying to plonk my 10Gb backup onto Dreamhost's flaky backup server. But I wish I could make it retry when things go south. There are various threads on doing this, but it would seem it's not built into rsync itself.

The obvious solution is to check the return value, and if rsync returns anything but success, run it again. Here was my first try:

while [ $? -ne 0 ]; do rsync -avz --progress --partial -e "ssh -i /home/youngian/my_ssh_key" /mnt/storage/duplicity_backups backupuser@backup.dreamhost.com:.; done
The problem with this is that if you want to halt the program, Ctrl-C only stops the current rsync process, and the loop helpfully starts another one immediately. Even worse, my connection kept breaking so hard that rsync would quit with the same "unkown" error code on connection problems as it did on a SIGINT, so I couldn't have my loop differentiate and break when needed. Here is my final script:



On a side note, duplicity is pretty neat. I only wish it would support resuming of interrupted backup sessions so that I didn't have to do this in two steps. My current backup workflow is

PASSPHRASE="backup" duplicity --encrypt-key 77XABAX7 /home/youngian --exclude "**/.VirtualBox" --exclude "**/.kde" --exclude /home/youngian/tmp/ --exclude /home/youngian/backup/ file:///mnt/storage/duplicity_backups/ --volsize 100

...and then the above rsync script.

February 26, 2009

Pascal and Global Warming

"Global warming?" I hear you ask. "Why bother? The scientific community has already delivered a verdict." Well, yeah. But big names like George Will are still churning out the occasional piece on how global warming doesn't exist, and while they generally get slammed in certain online circles, the big names aren't losing their jobs. This suggests that a significant portion of the population still likes hearing about how the sea ice is totally not melting at all.

And there is one facet to the global-warming-doesn't-exist camp that I acknowledge as having some merit. This is the argument that we humans don't know shit. Despite all our jetpacks and holograms, there are still a lot of things we don't understand, and how the climate works is by and large one of those things. Meteorology is hard, and you don't have to go farther than the local news to see how poorly we have mastered it. So yeah, the planet's been a bit uncomfortably warm lately, and we're kinda thinking maybe it has something to do with us, but we don't know that. We can't prove it. We can't even prove that cigarettes cause cancer, so of course we can't prove that our dirty habits are causing the North Pole to become the world's biggest EZ-Bake oven.

Take one step more moderate, and you can claim that we don't know what course global warming will take. This is hard to argue against because, well, we don't. Maybe things will level off again and we'll only lose Florida. Maybe the Great Filter will turn out to be something totally unrelated that wipes the floor with us long before we get too warm. Maybe Xenu just bumped into the thermostat dial on his way to the office and is gonna straighten things out as soon as he gets home.

What I'd like to do is advance an argument that doesn't demand wholesale acceptance of global warming. Leave facts and statistics out of it, since there's not much we truly know on the subject. All I ask is that you acknowledge that global warming, in the human-created worldwide-catastrophe sense, is a possibility. The "we don't know" argument works both ways, so it's certainly conceivable that the pinkos are right and we're on the first SUV to Sweatyville, right?

This is where Pascal comes into play. You've probably come across his triangle at some point or another. But never fear, we're not doing math today. Pascal was a well-rounded dude, so besides being a skilled mathematician, he was a bit of a famous philosopher too. He's best known for a theological argument that has since become known as Pascal's Wager. To make short work of it (the hardcore philosophers out there are already wincing), Pascal reasoned as follows:
We don't really know if God exists. But if he does, the stakes are high (eternal life, Hell, all that jazz). And if he doesn't, the believers aren't any worse off than the non-believers - we all cease to exist in the same way. So it's a good gamble to be pious regardless of any proof of God's existence.

I'm not so sure that Pascal's claims of no cost were true - I would argue that the effort of regular church attendance is a cost, not to mention possible financial losses from behaving like a pious Christian rather than an opportunistic capitalist. And since Pascal probably wasn't happy with an entirely risk-return based belief - "I accept Jesus into my heart because it makes good economic sense" might not cut it with St. Peter - you'll be needing to convince yourself that you truly believe, which sounds like a lot of emotion work to me (bam! sociology blindside!). But the reasoning still stands with a non-zero cost - a little bit of piety during one's lifetime doesn't seem like such a sacrifice when compared to an eternity in Hell.

Scott Adams (yes, the author of Dilbert) has taken the wager and run with it in some interesting directions, including the conclusion that we should become peace-loving Muslims. Of course, I have yet to convert (as does Adams), so maybe it's not as convincing as all that, but it's at least a good read. For me, the interesting next step of Adams' musing is this: Can we apply Pascal's argument to other avenues? I don't see why not.

Pascal's argument is dealing with theoretically infinite values, but I am convinced that humans cannot actually conceive of the infinite (that really is a topic for another day). My position is that our conception of infinite is the same as our conception of really, really big. I like Adams' framing of the argument in mathematical terms, because I don't think we have to actually hit infinity for the probability to tilt in our favor. Think about the math that considers what happens when a value is infinite, like limits or Big O. It's all couched in terms of "as x approaches infinity" because all we need is for x to get big enough that the numbers behave in a predictable way. We can't actually model infinity in math, but once we see a definite trend, that last step is easy to infer. This isn't math we're doing here (trust me), but I argue that we can approach it the same way. If a reward is large enough, and the costs small enough, we can apply Pascal's wager to it.

Sure, if you're already being a pedant about it, I'm bet you could trot out some claims about the types of logic involved. But frankly, if you're using phrases like "epistemic probability," I think you're already missing the point. Pascal's argument is just numbers. Adams gets this, and it's what helps him hit some interesting points without sounding like a pretentious windbag. The strength of the argument lies in pointing out some very big numbers and some not-so-big numbers, and from there any bookie could tell you which horse to bet on.

So, the argument:

If global warming exists, preventing it earns us the reward of continued existence. Worst case scenario: if the Earth keeps warming up, it's going to stop supporting human life sooner or later. We're remarkably fragile creatures, and our technological prowess will only get us so far, especially when we will have to cope with not only climate change but all the wars, famines, and tempests that spring up as a result. We'll probably snap and bomb each other into oblivion long before the last corn crop fails, but the end result is the same - we cease to exist, Darwin declares us the weakest link and sends us home. The water bears trundle along happily, and the universe quickly forgets about us.

What are the costs of preventing global warming?
  • We might have to start driving cars that get more than 8mpg. Yes, I know you love your Expedition.
  • We should probably insulate our houses our houses and use fluorescent bulbs. Quickly recouping your investment in monthly utility savings is a big sacrifice, I'm aware.
  • We'll have to research and improve alternative sources of energy. People, we're going to need to do this eventually, because the oil is going to run out, warming or not. I don't see why getting a head start on this is such a bad idea.
The costs come down to this: we'll have to spend some money now. There are some more factors that mitigate this further, especially for Western society - we'll be creating local jobs, we'll be reducing our dependence on other nations, and so on. I'm not qualified to judge the strengths of all these arguments, nor do I feel the need to. I'm satisfied that the costs of reasonable action on this front are not ridiculous or unachievable. We don't have to sacrifice any sons or clean the Augean stables, so I think this is doable.

So in one corner, we have a significant but manageable financial investment. In the other corner, we have the possibility of extinction of the species. Even if this possibility is somewhat remote by your reckoning, it's there, and it's a near-infinite value. Balanced against the low cost, this is a wise investment by the Pascal/Adams metric.

Even if you don't think global warming exists, you should still buy a hybrid. Or, y'know, bike to work.

January 11, 2009

Movies I Hate: War of the Worlds & Gone in 60 Seconds

Hooray, filler! I only have one "Top Ten List" on Netflix, and it is titled Movies I Hate. Here are two of the members of that list. Enjoy.

War of the Worlds

0.5 out of 5 stars

Never before have I sat in a movie theater and actually wished that a scene would turn out to all just be a dream. But as I sat through the transcendentally bad denouement of this movie, I realized that if Tom Cruise woke up, and it was just a dream, and he was really dying of pneumonia, I would forgive everything this movie had put me through. I would forgive the fact that our so-called protagonist is a lousy father and totally unsympathetic character. I would forgive the fact that tanks and helicopters can't take down a Strider, but apparently Tom Cruise with a couple grenades can. I would forgive the fact that each time Dakota Fanning screamed, I involuntarily squirted a little bit of urine into my pants from the horror.

It was not to be, and unless I blacked out momentarily from the sheer idiocy, the scene was not, in fact, a dream. If I end up an alcoholic five years from now, this movie is at least a little bit to blame.


Gone In 60 Seconds

0.5 out of 5 stars

What is the one reason we tolerate all the horrible plots, awful dialogue, and wooden acting in movies revolving around cars? Why, it's because we get to watch cars run into each other! So if you're going to make one of these movies, which element should you NOT remove? I'm no expert, but I would go with 'cars running into each other.'

To this day I am at a loss for why anyone thought it was a good idea to give this movie a plot stipulating that none of the sexy cars the characters drive can be smashed to smithereens. That was all it had going for it. Instead all we get to see is some police cars hitting scenery, and everyone one of those is followed immediately with a shot of the bumbling policeman appearing from the wreckage unscathed. Because, y'know, if someone got hurt, Nick Cage might be morally responsible (gasp), and how could we root for a washed-up felon then?

This movie also subjected me to the worst scene involving dirty talk and car parts I have ever witnessed. Really just one of the worst scenes of any type. It's been about five years, and I'm still angry.