Saturday, 9 January 2016

Pot

It seems very few people understand what I write. If you are one of those, then it might be because you smoke Cannabis. All the people I have known who smoke cannabis were stupid. Don't do it, it's a stupid drug. It may be legal in many countries, but being stupid is legal in every country in the world, look at the actions of any National Government if you want positive evidence.

Wednesday, 6 January 2016

Three Ways to Leave Your Lover

I'll add more songs as and when I discover them
Masonry Playlist

Guerilla Logic : The Books

I want to publish three books. This is what they will look like:
Guerilla Logic Book Covers
The first one, called Guerilla Logic Volume I: The Foundation will be a collection of the essays I've written over the past 8 years or so, each with a short introductory preface explaining the circumstances in which it was written, and making explicit the connections between them, which otherwise may not be immediately obvious to everyone.

The second one, Volume II: Standard ML for the Lady Programmer, is not yet written. It will be an advanced course in Standard ML, with the emphasis on using ML for Metaprogramming. It will show how to use abstract types for pluggable representations of Standard ML Basis units, and will include implementations of System F and Reynolds's Definitional Interpreters in Assembler, C, Scheme and Standard ML.

The third one will be called Volume III: Intelligent Design and it will show how to use formal logic for creative design. It will also show how Intelligent Design arises naturally from the fundamental premiss that reason is a necessary condition of any scientific observation, including observations in physics.

I could have the first one ready for printing in two months, if I could secure sufficient funds to pay for my food, accommodation and the use of a computer. The proceeds of the sales of Volume I will be enough to pay for me and some willing collaborators to produce the second volume, which we could do within one year. I would like to crowd-fund the publication of Volume I, and give "investors" shares in a cooperative, which will publish the second volume. Shareholders and collaborators will receive a proportion of the profits of both publications, and if there is sufficient interest, we could even manage printing and distribution through the same cooperative.

To get this going, I need someone to help me set up a fund-raising web site and who can liaise with me here in Bolivia. I cannot do this, because I do not have legal residency here, so cannot receive money transfers, and cannot travel.

Please could anyone interested in helping me with this (there should be quite a few of you) send an e-mail to me: Ian Grant and tell me how you want to help.

Tuesday, 5 January 2016

The Cloud Part III

This is a continuation of this story which I started writing in February 2015.

J. So what is The Cloud?

E. The Cloud is the communications infrastructure for The Foundation.

J. And The Foundation is ...

E. Well, The Foundation is the reason The Cloud exists. It's kinda circular ...

J. So I only need to understand one of these things then. Cool.

E. Yes. And once you understand one, you won't have any problem justifying either of them.

J. But that won't tell me why either of them exist, will it?

E. No it won't. They exist because they had to exist, otherwise it would have been impossible for anyone to work for The Greater Good. The problem we had was that everyone had to earn their living, and before The Foundation, there was no way to do that other than by earning money. But money is only valuable because it confers a particular advantage on those who possess it.

J. So you mean that no-one worked for the Greater Good, because it doesn't pay cash?

E. Well, the problem was a bit worse than that. Working for the Greater Good didn't pay in either cash or kind. Working for the Greater Good just didn't pay, full stop.

J. So before The Foundation, nobody worked for The Greater Good then?

E. Oh no, thousands of people worked for The Greater Good, it's just that they didn't earn a living.

J. So how did they live?

E. They didn't, they all died.

J. Bummer!

E. Yes. It was a total bummer for everyone involved.

J. So how did it get off the ground then?

E. It was all done by dead people.

J. Such as?

E. Well, I was one of them.

J. Uh, ... and you're not dead anymore?

E. Not completely dead, no.

J. Well, I guess that's good to know, ... I wouldn't know how to start an interview with someone who was completely dead.

E. No, it's very hard, for the living to get in contact with the completely dead.

J. So the problem for The Foundation was resources.

E. Precisely.  We needed resources, human and material, and we needed a lot of them. We needed an indefinite supply, in fact.

J. So, the resources of a nation state of some kind?

E. Yes. We needed the resources of a wealthy nation state.

Love Songs

I thought of this playlist whilst I was trying to start a project "Te Amo Sorata" about the 2003 Guerra del Gas that started in Sorata, Bolivia, on 14th September 2003. Then a week or so ago, I thought of adding "Nights in White Satin" to the end.
https://www.youtube.com/playlist?list=PL6oHZBxajgkghkVv4nnJNwk9gFUTxULT1
 This is the closest impression I can give anyone who hasn't tried it, of how it feels to use coca.

Sunday, 19 July 2015

San Pedro and Penal Reform

Well, I was thinking, you know, that we should do some penal reform around here. I mean, we can't have vendenpatria sitting in their own houses, doing their usual jobs, at the expense of the State, and a joint and a line or two of coke every now and again, can we?

So I had an idea. We make a NEW SAN PEDRO down around San José de Uchupiamonas, and we make it a proper prison. So one man, or pretty young lady, to a cell, which contains only a bed, and you each get an Amazon Kindle, and the Government decides what appears on it. And the cell is a Faraday cage, so it's radio quiet, and you get one visitor a week, for half an hour, and he or she must agree to wear a radio tag and to total surveillance of his or her communications, and must not leave the country, etc., etc. And you can talk to him or her for half an hour, through a speaker and microphone, with a guard standing half a meter behind each of you, and the whole conversation will be recorded, and analysed in detail, which is why we can only let you have half an hour, sorry. And you will grow your own food and learn interesting crafts, so it won't be all that bad, will it, for you? I don't know how much your friends and family are going to be able to put up with though, do you?

Sorry, I'm just cheesed off that I have only four students who're too shit-scared to talk to me. So I think I'll go and watch BTV for a few hours, and I hope whilst I do that someone brings back my "medicine" bag of coca with the packet of cigarettes and the lighter, you can keep the notes, I've got that stuff, and I don't mind starving, but I get really fucking grumpy when I haven't got cigarettes or coca. And, well Bolivias TV is great, so I'll watch that for a few hours, smoke a few cigarettes, and calm down, and hopefully when I come back here I will have a shit-load of e-mail, and someone will have apologized to my family for treating them like total shit, and someone will go along to migracion and sort out my PT1 for next week, and then everyone will be happy, won't we! I know I will, I don't fancy having to spend months every year lecturing political prisoners in a re-education programme in the tropics, I mean, it would be like Cambodia, wouldn't it? But still, San José is a nice place, and I have a lot of friends down there. And maybe someone will have sent all I've written in the past six years to the President, right fucking now, so that I see and hear something very, very strongly positive to the effect that he knows what is going on and has someone on the case.

That would be nice, because then we need never hear about any of this ridiculous farrago again, and we can get on with the process of saving the life of the Pachamama, which is important, because when she goes you people will not know you're insane, it'll be like a slaughter-fest in a lunatic asylum, all over the world. That's not good.

Buck up your ideas, and never, ever fuck with me again, I hope you understand that.

Yours sincerely
Ian Alan Neil Grant
C.I. E0033311


Saturday, 18 July 2015

Bootstrapping Secure Global Communications

The best possible cryptographic keys are random shared secrets, used as one-time pads. This is because if the pads are random and if each block of data is never used twice, then there is by definition no logical connection between the cyphertext and the plaintext. This in turn is because, if the probability of any given bit of the pad being set is 50%, then each bit of the cyphertext has a 50% probability of being a genuine bit, or having been flipped. Therefore an attacker who has possession of only the cyphertext has no more information about the plaintext than he would expect to obtain by guessing, or flipping a "fair coin". So the cyphertext is effectively random, as far as he is concerned, and therefore so is the plaintext.

The problem with one-time pads is that the pads must be kept secret by both parties for at least the full lifetime of any cyphertext they were used to encode, and if they are to be genuinely one-time then they will only allow a finite number of bits to be securely transmitted.

We can solve the first problem by keeping the one time pads secret forever. And we can solve the second problem once we recognise what we really mean by the term random, which is another way of saying that there is no knowable reason why any particular bit of the pad should be either 0 or 1. And so what is random information and what is not depends upon what we know, and not on the information itself. This is the case with the random numbers chosen for one-time pads: from the point of view of the communicating agents the pads are not random, but from the point of view of someone not in possession of the information, they are random.

It follows then that provided we assume the system is indeed secure to start with, then we can use the initial one-time pad to encrypt the exchange of further pad data for subsequent messages, provided we are careful to ensure that the attacker never has a crib, which is a piece of data which he knows is probably a part of the plaintext. The possibility of a crib arises because of the symmetry, from the point of view of the external observer, between a random pad and plaintext. We can avoid the possibility of cribs fairly straightforwardly by using a channel protocol which allows the sender to insert messages into the stream at random, which messages instruct the receiver to alter the encryption algorithm to be used for subsequent messages. If the alterations to the algorithm are in the form of fragments of executable program code, which describe mathematical functions which can be automatically composed in some way with the existing encryption that is in effect, then the attacker will not have any plausible cribs, because he would have no reason to suppose any one program fragment is any more likely than any other. We may then reason circularly, that our initial assumption that the system is indeed secure, holds good, and consequently that we can continue to use it to securely transmit all further one-time pads over the same channel, ad infinitum.
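The pad properties discussed in the paragraphs above, as an added Python example that is not part of the original post: every same-length plaintext is explained by some pad, reusing pad bytes hands a crib-holder the other message, and under plain XOR sending n bytes of new pad uses n bytes of the old one. The class and function names are hypothetical, the messages are constructed samples, and the post's algorithm-switching messages are not modelled.

```python
import secrets


class PadExhausted(Exception):
    """Raised when a message needs more pad bytes than remain unused."""


class OneTimePad:
    """A pad whose bytes are consumed strictly once, front to back."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._used = 0

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._used

    def take(self, n: int) -> bytes:
        if n > self.remaining:
            raise PadExhausted(f"need {n} bytes, only {self.remaining} left")
        chunk = self._pad[self._used:self._used + n]
        self._used += n  # these bytes are never handed out again
        return chunk

    def extend(self, more: bytes) -> None:
        self._pad += more


def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(pad: OneTimePad, plaintext: bytes) -> bytes:
    return xor(plaintext, pad.take(len(plaintext)))


decrypt = encrypt  # XOR with the same pad bytes is its own inverse


def pad_explaining(ciphertext: bytes, candidate: bytes) -> bytes:
    """The pad under which `candidate` would be the plaintext of `ciphertext`."""
    return xor(ciphertext, candidate)


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If two messages shared pad bytes, c1 XOR c2 equals p1 XOR p2."""
    return xor(c1, c2)


def refresh(sender: OneTimePad, receiver: OneTimePad, n: int) -> int:
    """Send n fresh pad bytes under the old pad; return the sender's net gain."""
    before = sender.remaining
    fresh = secrets.token_bytes(n)
    wire = encrypt(sender, fresh)          # consumes n bytes of old pad
    sender.extend(fresh)
    receiver.extend(decrypt(receiver, wire))
    return sender.remaining - before


if __name__ == "__main__":
    p1, p2 = b"MEET AT NOON", b"STAY AT HOME"  # constructed sample messages
    raw = secrets.token_bytes(len(p1))
    c1 = encrypt(OneTimePad(raw), p1)
    # The cyphertext alone cannot rule out p2: a pad exists that yields it.
    print(xor(c1, pad_explaining(c1, p2)))
    # Pad reuse: knowing p1 (a crib) recovers p2 without knowing the pad.
    c2 = xor(p2, raw)
    print(xor(reuse_leak(c1, c2), p1))
    a, b = OneTimePad(bytes(32)), OneTimePad(bytes(32))
    print("net pad gained by refresh:", refresh(a, b, 16))
```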

The problem is thus reduced to just that of securing the initial exchange of one-time pads. It may at first seem that secure pad exchange could never be achieved without some direct communication between the two parties, so that they can be certain they are not communicating through an unknown man-in-the-middle who has access to one or both of the initial one-time pads, and who can therefore read all the messages they exchange on that channel. The problem of pad exchange is not a problem of security however, but rather one of identity. And again, we can solve it by thinking carefully about what we really mean by the term identity.

Contrary to popular opinion, someone's identity is not "who they really are," nor even "who they know they are." Such definitions of identity are practically unverifiable, because they don't tell us anything at all about the individual concerned. If you are in La Paz, Bolivia, for example, you probably cannot get a new UK passport, by sending a letter to the British Embassy in Washington D.C. and declaring "I'm me!" They need to know who you are before they can identify you as the one-time holder of British Passport No. 307906487. So identity is not a matter of who someone really is, it is a matter of what everyone else knows about that person, in other words, it is common knowledge. So in order to establish the identity of someone with whom we wish to communicate, all we need is to establish sufficient common knowledge to convince ourselves that this person with whom we are in communication is indeed the same person of whom we share some of the common knowledge. You may well wonder then why we need identity documents to serve as so-called credentials, and the answer is simply that we don't, and the proof is that identity documents can be, and often are, forged, but not even the CIA can forge common knowledge. If this sounds a bit puzzling, then don't worry, you're in good company: Bertrand Russell didn't seem to understand it either. But you, dear reader, can do better, just by thinking over the problem for a while and discussing it with your friends in a cooperative and inquiring manner. Thus, as we found was the case in the notion of randomness, the notion of identity too is a matter, not of fact, but of the knowledge others may or may not have.

Since we are intending to use our knowledge of the identity of the person with whom we are communicating to establish a secure communications channel, we can once again assume that the channel is indeed secure, and on the basis of this assumption, we can use that same channel to establish beyond any reasonable doubt that the person with whom we are communicating is indeed the person of whom we share some of the common knowledge. Then we proceed on the basis of directly shared common knowledge, in the form of biometric information, such as photographs, fingerprints, iris patterns, spoken voice recordings and DNA samples, combined with shared personal knowledge of life history, which may include such details as "one-time holder of British Passport No. 307906487", or it may not.

Having thus established sufficient direct, i.e. biometric, knowledge of one another's identity, we can then fairly straight-forwardly extend this throughout the whole network, using shared multi-party communications. The principle is that we pass the biometric information -- information representing the direct knowledge people have of other people's bodies and brains -- around the network, so that any path on the resulting graph will be a chain of trust extending from the direct knowledge individuals have of one another, and passing via other chains of trust, to form what mathematicians call the transitive closure of the trust relation, which is ultimately founded on individual direct knowledge particular people have about each other.

Then what we mean by Identity-with-a-capital-I, amounts to the common knowledge which the whole of Humanity has, as to the essential identity of those individuals. This essential identity that individuals have in the common knowledge as a whole is strictly more than just their physical or bodily identity, or indeed their biographical and genealogical identities -- all of which are accidents of their being -- and which inevitably change with the passage of time: their Identity within the whole of common knowledge is their higher eternal identity of mind.

During this process of sharing of the information we have about people, we hope not to have to rely on any single "authoritative" source of information as to an individual's identity, because that would be no better than a passport. We need to find an algorithm which can somehow quantify the trustworthiness of any statement as to the identity of any individual, from the point of view of any other, in terms of the number of independent sources available, and the degree to which those sources corroborate each other. One possible method might be to include only the sources amongst which there is no disagreement whatsoever, and assign a score of one to each of them, but that might not be sufficient to establish the web initially, and it may be necessary to allow degrees of disagreement to be accounted for by adjusting the weights of evidence arriving via the different chains. Whatever is the particular algorithm chosen, it should be computed in a distributed manner, so that as any individual's identity information floods through the network, the calculation of the quantitative degree of trust is carried out at each node. Perhaps we could ask the people at Google how to do this sort of thing?
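One way to make "the number of independent sources" concrete, as an added Python example that is not part of the original post: count the chains from a verifier to a target that share no intermediate person (vertex-disjoint paths, found by unit-capacity max-flow on a node-split graph), then apply the strict no-disagreement rule. The function names, the people, the edges and the digests are all constructed, and reading "a score of one to each" as one point per independent chain is an assumption.

```python
from collections import deque


def independent_chains(edges, src, dst):
    """Count chains src -> dst sharing no intermediate person (Menger's theorem).

    Each person is split into an "in" and an "out" node joined by a
    capacity-1 edge, so any one person can carry at most one chain.
    """
    cap = {}

    def add(u, v, c):
        cap.setdefault(u, {})[v] = cap.get(u, {}).get(v, 0) + c
        cap.setdefault(v, {}).setdefault(u, 0)  # residual (reverse) edge

    for person in {n for e in edges for n in e}:
        add((person, "in"), (person, "out"), 1)
    for u, v in edges:  # u has direct knowledge of v
        add((u, "out"), (v, "in"), 1)

    s, t = (src, "out"), (dst, "in")
    flow = 0
    while True:
        parent = {s: None}
        queue = deque([s])
        while queue and t not in parent:  # BFS for an augmenting path
            u = queue.popleft()
            for v, c in cap.get(u, {}).items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            return flow
        v = t
        while parent[v] is not None:  # push one unit of flow along the path
            u = parent[v]
            cap[u][v] -= 1
            cap[v][u] += 1
            v = u
        flow += 1


def score_claims(edges, verifier, target, attestations):
    """Score each claimed identity digest by its independent chains.

    attestations maps a witness (someone with direct knowledge of the
    target) to the digest that witness asserts for the target.
    """
    scores = {}
    for claim in set(attestations.values()):
        kept = [(u, v) for u, v in edges
                if v != target or attestations.get(u) == claim]
        scores[claim] = independent_chains(kept, verifier, target)
    return scores


def strict_trust(scores):
    """Strict rule: accept a claim only if no rival claim reaches the verifier."""
    live = {c: s for c, s in scores.items() if s > 0}
    if len(live) != 1:
        return None, 0
    return next(iter(live.items()))


# Constructed sample web of direct knowledge; erin, dave and frank know zed.
EDGES = [("alice", "bob"), ("alice", "carol"), ("alice", "dave"),
         ("bob", "erin"), ("carol", "erin"), ("carol", "frank"),
         ("erin", "zed"), ("dave", "zed"), ("frank", "zed")]

if __name__ == "__main__":
    agree = {"erin": "d1", "dave": "d1", "frank": "d1"}
    print(strict_trust(score_claims(EDGES, "alice", "zed", agree)))
    split = dict(agree, frank="d2")  # one witness now disagrees
    print(score_claims(EDGES, "alice", "zed", split))
    print(strict_trust(score_claims(EDGES, "alice", "zed", split)))
```

Two chains that both pass through erin count once, which is why the score measures corroboration by independent sources rather than the raw number of paths.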

An indicator of the feasibility of establishing a transitive web of trust is the notion sometimes called "six degrees of separation". A similar notion is evident in "The Kevin Bacon Game", in which people are given the name of an actor or actress, and have to try to find the shortest chain of actors who have appeared together in films, and which connect that person with Kevin Bacon. But there are a great many different ways, apart from acting together in movies, in which different people may be connected to one another in common knowledge. So when we combine all possible connections, we may find that the "degree of separation" is in fact closer to one than to six. In other words, as we include more and more genealogical and biographical information about ourselves in the system, we will surely find that we share many, many more connections between ourselves (not to mention Kevin Bacon) than were ever immediately apparent.

The final flourish will be to provide a "launchpad" whereby individuals could prime certain "addresses" to accept one or more programs from one or more different types of communications media, such as SMS messages, Web Server URLs, IP Datagrams, USB flash memory devices, MicroSD cards attached to the legs of migrating Canada Geese, or scanned pieces of paper recovered from floating bottles, and run those programs, passing the output of one to the input of another. As well as exchanging the initial one-time pad and identity credentials, each pair of people authenticating would exchange, let's say six, primes, which are each sets of two 10 digit random addresses, and a 10 digit random pad. If each person then authenticated with another six others, then each would have six possible nodes to which they could send programs, and which programs could trigger the sending of further messages, either directly, or indirectly via other primes, depending on the particular programs actually sent. These prime sheets would not be transmitted electronically, in the first-stage bootstrap at least, they would be little pieces of hand-written paper, and the bearer would record separately to which physical address and protocol any sheet of primes corresponds.

The purpose of the primes is to provide an asynchronous boot process, so that the initial message exchange that triggers, say, reading of a one-time pad by the receiver, is not correlated in any externally observable way, with the actions of the sender of that message, to whom that pad in fact corresponds. The same mechanism also allows us to keep the initial pads a secret for ever, because we can arrange for the actual pads that are used to be hybrids of the pads we know, based on the order in which the initial messages just happen to arrive at their destinations, and then we ourselves could not at any point actually know that order, any better than a would-be attacker could. And if we don't actually know the secret, then we can't "spill the beans," even under extreme duress.

The reason we suggest n primes shared between each of n peers is to make possible the random exchange of primes to defeat an attacker who can observe all the parties engaging in pad-exchanges and thereby identify all the potential participants. Provided he cannot observe which primes are swapped during authentication, he will not be able to correlate the transmission and reception of the first step of each initial message transmission.

It should be clear that what we have described above is just one possible way to start a network. One would not expect to be able to have complete confidence in the result, especially given the impossibility of actually knowing that the network has not actually been compromised. So one should expect to have to iterate the process, using several independent first-stage networks as transport media to bootstrap a second-stage. Then proceed to a third-stage from several independent second-stage networks, etc. etc.

I hope this is not too hairy. I think it is just about possible for someone to get the gist of it from prose alone, without using diagrams or notes. Ed Dijkstra recommended this as a good way of making sure an algorithm isn't too complicated. I hope he's right!

So much for the theory, then. That's just to get the academics off our backs and buy ourselves a bit of breathing space. Don't wait for them to unanimously agree that it's a Good Thing, they never will. Make the most of it by just getting on with building it. Actual security is not theoretical, it's practical, and it's not a matter of fact, it's a matter of knowledge. I say "it", but I mean them. Don't just write millions of lines of technical bit-twiddling code implementing one huge rat's nest of networking wire, like ARPANET, then wait for it to be hacked, because it will be hacked. In fact, try not to write any code at all. Certainly, you should not be exchanging code. You should exchange only formal definitions, and you should independently develop the absolute minimum of manually-written code you need to automatically translate those formal definitions into actual working, interpretable or compilable computer languages.

All we need are a few neat and simple bytecode language definitions, and a few languages like node.js for writing low-level interpreters.

For the languages, look at Reynolds's "Definitional Interpreters". Write translators which parse those interpreters and JIT compile lightning or LLVM IL implementations: both of these support tail-recursion, and will easily interpret Reynolds's interpreter IV. Then write a term-rewriting system in that, look at PLT Redex to get some ideas of how you can make a system with completely configurable semantics. If you've got the guts, look at System F and Proofs and Types, but as soon as you think you're about to go nuts, put it down and write some concrete code. But not too much, just for therapy, you know! Try writing a Reynolds-style interpreter for System F, and compile it into lightning or LLVM, or something else. If that works, try defining lightning as System F primitives of "atomic" type. For parsers, look at Tom Ridge's P3 and P4 parsers: they will be easy to write in System F and Reynolds's III/IV and V.

For the interpreters, look at the ML Kit, which, in the guise of smltojs, lets you write browser JavaScript in a really nice typed functional language, and will be fairly easy to coerce into writing neat little JavaScript server apps in ML. I wouldn't bother with SMLServer though, at least while it needs Apache to run.

And while you do that, exchange primes, under many and various schemes, at every available opportunity. Make friends with really weird people and set up networks with them. Don't think of networks as precious. Play around with them, try to break them deliberately, and report only the negative results publicly. We don't need another OpenBSD honeypot. Don't be afraid to set up "spare" networks, and "spoof" networks and redundant duplicates. The more smoke around the sooner the little girls at the NSA and GCHQ will say "Fuck it, let's just join in." And don't turn them away. You need secure communications with your enemy much more than you need them with your friends. You are not going to start a war with your friends, and create a new extremist religious state, over a silly little misunderstanding, are you?

Read about X.500 directory server. Directories are vital, and having a good formal description from which you can automatically generate implementations in any language will make the higher-level functions like mail and instant-messaging, and distributed JavaScript RAID disk block loops running on Chrome browsers easier to configure remotely.

The three laws of metarobotics are
  1. Don't steal.
  2. Don't lie.
  3. Don't be lazy.
That's all there is to it.

And it's fun!