Review: Liars and Outliers by Bruce Schneier

tl;dr An enormously important book about understanding and optimizing security in the 21st century.

On the Internet, nobody knows you’re a dog. I don’t know Bruce Schneier, and he certainly doesn’t know me. Even so, when he announced a heavily discounted signed edition of Liars and Outliers he was effectively testing the main hypothesis of the book: That in any society it is reasonable to uphold a non-zero level of trust even in complete strangers:

  • Schneier trusted 100 (or at least enough to make a net gain) random strangers to reciprocate the offer by writing and publishing a review of the book.
  • 100 random people trusted him to sign copies of the book and send them to the correct addresses upon receipt of the money.
  • All 101 of us trusted essentially the rest of the human race not to interfere in the transaction, even when interference could mean easy money with virtually no chance of retribution.

Schneier goes on to explain, with his famous lucidity and reference to much contemporary research, why this trust is essential to all human interchange, how trustworthiness is highly dependent on the situation and not just the person, how a society with 100% conformity is not just a terrible goal but literally impossible, the human and artificial pressures to cooperate or not, how more severe punishments are often ineffective or even counter-effective, and how social and technological evolution is too fast for democracy to stabilize the overall level of trust.

[At this point I wanted to double-check the scribbled-down criticisms below, but the book is 3,000 km away with a nephew. Please take the following with a grain of salt. And now that I’ve lowered your expectations, let’s continue!]

In some very few places I found the wording misleading. For example, the iTunes store doesn’t allow you to buy music, merely to license it for your personal use. As far as I understand from what very little I’ve read of this, when iTunes shuts down, there are many jurisdictions where you would not be allowed to download songs which are audibly indistinguishable from what you had paid for.

The graphs are generally informative, but sometimes confusing. For example (pages 72-73):

  • Traits/Tendencies and natural defenses are both in the social pressures box, while the text says neither is a social pressure.
  • There’s an incentives line and a separate box.
  • Why are some of the lines double? If they’re strong, a thick line would be clearer.

One note is terrifying: On average, 7% of terrorists’ policy objectives are achieved? What method could conceivably be considered more effective than 7% for a (usually) tiny group of what are often foreigners? Compare it to normal bureaucratic channels, where usually only billionaire citizens or corporations have the slightest chance to change policy within a reasonable time.

Conclusion: I wish this had been compulsory reading at high school. With entertaining anecdotes, scary implications of human nature, and scientifically grounded careful optimism it’s the most dangerous book everyone should read.

Social contract – Fulfilled!

Stuxnet motives

Which motives could there be for the Stuxnet virus’ behavior? This is more of a list to remember, in case more evidence of the behavior surfaces later. Note that there’s no mention of which motives I think are likely – I don’t know enough about Stuxnet or the people behind it for that.

Direct motives (possible perpetrators):

  • Plain sabotage. They simply don’t like the Iranian leadership (US, Israel, Iranian political group), the idea of an Iranian nuclear plant or nuclear enrichment program (US, Israel, environmentalist group), that particular plant (local interest group), or the nuclear plant administrative or technological leadership (disgruntled workers).
  • Creating a new Chernobyl (doomsday sects).

Indirect motives:

  • Demonstrate the possibility of disabling a nuclear plant (black/grey hats, environmentalist group).
  • Increase tension between Iran and its political opponents (Iran, US, Israel).
  • Demonstrate skill, to get hired by a government agency (highly gifted person or small group).
  • Discredit Siemens software (competitor companies like Realtek).
  • Scare people / governments into supporting more strict Internet legislation (US, UK, Iran).
  • Scare governments into investing more in “cyberwar” agencies.
  • Harvesting of secret information (US, Israel, any nation that wants nukes).
  • Other misdirection: The obvious political motive could be a cover for what is happening in Indonesia or elsewhere.

EIF replies

In response to Glyn Moody’s Open Source and Open Standards under Threat in Europe, here are the open replies to the key people (I’ll post as they are sent).

Joaquín Almunia:

Dear sir,

I have just read some disconcerting news and opinions regarding the EIF process (“Open Source and Open Standards under Threat in Europe” by Glyn Moody), and I hope you have the time to include the opinions of a software developer in your deliberations.

I have been working in private companies and the European Organization for Nuclear Research (CERN) since my graduation in 2004. I am also an active web user and contributor. This activity has taught me a few important business lessons:
1. Open source software and data based on open standards* are much more robust in the face of change than the alternative. Software is evolving fast, but if the proprietary software provider is unwilling or unavailable to make new software work with old data, the only options left are a costly and difficult re-implementation, a costly and difficult (often impossible because of data complexity) migration to other software, or outright abandonment.
2. Closed source means re-inventing the wheel over and over. Software business should be about creating additional value on top of what already exists, not about costly reiterations of what already exists.
3. With the availability of cheap Internet connectivity, storage and computing power comes the opportunity for individuals and communities to make millions of incremental improvements to software every day. These updates are available to anyone else, making for an enormous amount of work provided for free for anyone to build upon or profit from.

* I.e., software / standards which are available for free for anyone to view, modify and re-publish, optionally with additional restrictions or permissions such as the opportunity to change permissions on derivative works or the need for source attribution.

This text, and other appeals, will be available shortly at l0b0.wordpress.com/2010/03/29/eif-replies/

Just received a reply. The gist:

Recently, “draft versions” of the revised EIF have apparently been published on the Internet and we understand that you refer to these draft versions. You should note that the Commission cannot comment on such draft versions as they do not reflect a formal Commission position. But let me assure you that the guiding principles for the revision of the EIF include technological neutrality and adaptability, openness and reusability, as specified in the legal base of the Programme “Interoperability Solutions for European Public Administrations” (ISA), in the context of which the revision is being carried out.

Ever wanted to register your protest against the baggage check insanities at the airport? You know, the one where blunt, sharp, wet and flammable things are taken away from every passenger, for ridiculous reasons*? Unless you’re a high-ranking U.S. politician, there’s not much you can do to influence it directly, and using other transport is out of the question for most people.

What any passenger can do is to frustrate the system as much as possible. You can fill a little water in a used bottle, bring it along in your hand luggage, and dump it at the security check. The bigger the better, for making the garbage bags fill up and showing your sympathy with other passengers. You can also bring a bottle smaller than the limit (WTF is up with that anyway? You can bring several deciliters in total, and I don’t suppose a lot of explosives are needed to blow up a plane), go through the check, and then suggest sending it separately. Korean Air did that for me free of charge. Just make sure you’re nice about it – It’s not the airport employees’ fault.

Let’s protest in a visible way.

* For those who want to rant about how it can prevent terrorist attacks, consider this:

  • There are so many possible attack vectors, you couldn’t possibly prevent all of them. If you disallowed hand luggage, stripped every passenger down and shackled them spread-eagle on the plane, a passenger could still have explosives or pathogens in his or her body.
  • The arrangement obviously steals time. A little math will show you that if the extra procedure takes 1 minute per passenger (a very conservative estimate) then this stupidity steals 5232 years of passengers’ lives annually (according to a 2006 estimate)!

Is the U.S. evil?

The reputation of the U.S. has been taking a beating for decades now, and even more so since a lying adulterer gave up his office to a lying warmonger. Let’s see if a few search engines can give us an idea of what people think…

Google gives 254 million results for good and 40.9 million results for evil, that is 86% good.

All right, but that just counts the number of pages. How about del.icio.us, pages that people actually read? 2294 results for good and 515 results for evil, that is 82% good.

Interesting stuff. But in all fairness, Reddit deals a whole lot more with news, and should give a better zeitgeist than all the del.icio.us bookmarks thrown together. Counting only stories of the last month with a score over 1 (that is, at least two persons must have voted for the story) gives 2 results for good and 8 for evil, that is 20% good. Ow!

But check out those links! That’s not proper news… Unfortunately, the Digg search gave no results whatsoever in the “World & business” category for these searches, even when searching a whole year, and no useful results in the other categories.

Anyway, it’s a bit futile to get a semantically correct view. Reference.com’s thesaurus entry for the adjective “evil” lists “good” among five other antonyms, for a total of six. “Good” has a total of 19 antonyms (“Evil” is only listed in the noun definition). So how about we test with “evil” against all the other antonyms, “moral”, “righteous”, “sinless”, “upright”, and “virtuous”?

“Evil” versus “moral”, “righteous”, “sinless”, “upright”, and “virtuous” in search engines

Site | Not evil | Evil | % Not evil
Google | 39,600,000 | 40,900,000 | 49%
del.icio.us | 242 | 515 | 32%
Reddit | 7 | 8 | 47%

In plain words, web pages, and bookmarked ones in particular, look a whole lot worse when looking for the “moral” antonyms of “evil”, while news stories look a whole lot better. Who’da thunk? Of course, this method doesn’t take into account spam and other #$@%. In any case, this seems to be a rubbish method for gauging public opinion.

No, I don’t have a life right now. Thank you, and good night!

Re: Guns don’t kill people, people kill people

This humungous over-simplification of a complex problem (entropy vs. optimism) seems to crop up whenever there is talk about banning something which has both practical and malicious uses. The latest example is the discussion about a stupid, frightening, or just weird proposal to criminalize “mak[ing] network monitoring tools publicly available […]”.

I really have no idea how such issues can keep being used as examples for why guns are not “inherently bad”. I also can’t understand why non-lethal means of self protection seem to be ignored as viable alternatives. The founding fathers really messed up when they didn’t foresee more humane and efficient means of protection than guns. Using a stun gun or other non-lethal self defence methods / tools, you

  • avoid being tried for involuntary manslaughter, or worse
  • avoid basically any fatal or permanent injuries in case of accident
  • What, you need another reason?!

I’d love to keep going for a couple hundred paragraphs, if only to get this steam out, but I think my point has been made.

Oh, and if you’re looking for a way to sneak in “If guns are illegal, only criminals will have guns”: The only thing that matters if both of you have weapons of any kind, is who gets hit first. You are not Bruce Willis, and the “bad guy” is not a fucking terminator! So leave out the heavy artillery, and learn to use a stun gun (if you really need one) quickly.

Sex & violence on the ‘net

Context: Slashdot recently featured an article entitled “Internet Porn More Addictive Than Crack, Senate Told”. As is usual on Slashdot, the most interesting part of the article is the comments from the readers, often extending to tens of pages of political, religious, and technical debate. Sure, most people seem to be left-leaning nerds, but everyone gets to say their piece. Back to the article, it touches the highly controversial theme of how “computerized” sex and violence influence people of all ages, and whether and how it should be controlled. I started on a new comment at Slashdot, but realized that it had slid into being quite off-topic, so instead I’ll post it here. Comments are welcome, but please note:

  • Be nice, even if you disagree.
  • Please don’t quote out of context.
  • If you can, back up any straight-out medical claims with links to articles published in acknowledged journals.

Now for the contents…

Sex is good. Violence is bad. Anything combined with violence is bad, even sex. It’s that easy. For the picky, I probably should mention that I am of course thinking about the kind of violence that happens without the consent of the person in question. Piercing, tattooing, S&M, legal boxing, and the like are therefore not included.

Now we get to the really difficult question: What are the effects of exposing people to sexual and/or violent material?

Speaking for my (obviously statistically freaky) self, see the two following paragraphs.

I’ve played tons of blood’n’gore FPSes, watched loads of heavily violent movies, and frequently listen to music promoting violent actions (relevant favorites include Grand Theft Auto, Silent Assassin, Fight Club, Army of Darkness, Marilyn Manson, and Clawfinger). Even so, I’ve never been in a fight with another physical human being. In fact, I abhor violence of any kind, and won’t even serve military service since I can avoid it.

Before switching to a non-sucky browser, I’ve seen my share of pop-ups with actions I wouldn’t like to perform, but what the hey, whatever gets you going (so long as it doesn’t hurt anyone, physically or mentally, directly or indirectly).

I believe that Internet porn has two very different sides to it: The bad, in which people are forced or coaxed into performing actions against their will, or pictures believed to be private are submitted to public pages. The good, which I believe most of us know, and is used by people for inspiration, entertainment, outlet, discussion, getting serious information, etc.

A perhaps more controversial point: Children are going to get exposed to both sex and violence while growing up. This is something you can’t avoid without a complete bereaving of their freedom, something which would probably be much more harmful. So tell them what they are seeing and hearing. Explain that performing an act of violence is bad, that sex is good but age limited, and what they should do if they ever get into contact with a child molester. I don’t believe it is necessary to put a lot of fear into the discussion, children are usually defenseless against an adult in any case. More important is to stress which situations they should avoid, and that they must tell their parents about any such episodes. E.g., Internet chats with strangers in which meetings are requested, grown-ups undressing or touching the children when alone with them, and others. It’s a complicated subject, so try to make it easy to understand. Another important point: IIRC, most child molesters are family members or close friends of the family, and even teenagers below the legal age have been found to be rapists. Still, be very careful to get the facts right before discussing the matter outside the four walls of the home, as even a rumor is enough to throw a person’s life into hell and worse.

Then again, this is probably something any parent has already thought about.

And last, a request for anyone providing news to the public: Don’t use the phrase “sex offender”! If someone has had sex with another person without his/her consent, it’s the act of constraining that person’s freedom and harming the person that is the point, not the sexual part of it. It’s called rape, not sex. Euphemisms won’t make the act any less hideous, and only serve to introduce ambiguity. You wouldn’t call a thief a “house offender”, or a murderer a “knife offender”.