Programming Languages Mentoring Workshop: a POPL Workshop

If you're interested in programming languages, and especially if you might want to make a career in programming languages research, you may wish to attend PLMW - the POPL programming languages mentoring workshop.

We've got a whole bunch of great speakers, who will be talking about cool research, and about how to make it in the research community. If you're a student, we've also got funding for you to attend - so come to Rome and find out what it's all about!

Election Geekery

I've been offline for a bit while I panic about thesis stuff - but an election's happening here in the UK, so I thought I'd take a moment to link to a couple of handy tools:

Vote For Policies

Who should you vote for?

Both of these sites anonymise the policies of our major parties, to allow you to see how well your tribal instincts match up with your policy beliefs. If you're interested then it's worth using both tools, since they present the data in different ways - which may affect your results.

I think the whole concept of these things is fascinating. Firstly, it's worth noting that if a party were to promise "magic" - for example simultaneous tax cuts and spending increases - then they'd do well in these systems. By anonymising the policies, we remove some of our ability to judge how sincere and/or practical the promises are.

Also, I was a little surprised at how mind-numbingly dull the process of wading through all those policies is. I mean, I expected it to be dull, but I found wading through all the options at the Vote For Policies site really quite hard. I may have been almost random in my choices by the time I got to the end. I think this is interesting, because I know that I'm well educated and very well placed to read and understand that kind of policy statement. It seems that voting rationally is hard. This leads me to wonder what we actually expect from our democratic system. Do we want the majority of the population to vote tribally (as I suspect I do)?

Are there any students of politics or anthropology out there who can give me some hint as to what it might all be about? :)

Facebook worm.

I just got hit by a facebook app worm :)

For those of you that aren't on facebook - here are some key things about it. Facebook sends you a "notification" when something interesting happens - like someone "liking" a photo of you, or commenting on something you did or said. Facebook also has a system of third party "apps", that can also send notifications and generally do anything that you can do, in your name. Usually these apps are things like "Farmville" and so on - silly little games that make use of the social network. They're very popular - but I tend to ignore them.

Today, I got a facebook notification that said "$FRIENDSNAME likes your photo". Only, you know, with a real friend's name...

This is normal - I have some photos on facebook, and it's not unusual for my friends to like them. The usual procedure on being notified that someone likes your photo is to click on the hyperlink "your photo" to see which photo it was that they liked. I did that, and was asked if I wanted to give the "Like" app permission to access my profile.

Well, facebook used to have a bunch of built in functions that they later abstracted out into apps - I remember the transition. One of those functions was what is now the "photos" app. And they've just upgraded the whole UI again, so it seemed plausible that "like" had previously been a builtin, and had now been abstracted into an app that I needed to give permission to. Stupid, but plausible.

As it turned out, the app "Like" wasn't written by facebook at all - it was a third party app. The hyperlink in the notification wasn't a hyperlink to a photo, but to the app install page. Giving permission on that page allowed the app to install and run, whereupon it spammed 27 of my friends with identical notifications "Totherme likes your photo", and then redirected my browser to some commercial webpage. (Does anyone know if 27 is some kind of limit placed on the number of notifications an app can send out simultaneously? To prevent spam, perhaps?)

Of course, I immediately backtracked to facebook, and posted a status update warning others not to give permissions to the Like app. And then I went and removed its permissions from the app in my settings. I also reviewed the app in question, giving it the minimum possible score and the review "It's a worm". There may be other apps doing essentially the same thing - I've seen friends post about "my_virtual_a" among other things, but it seems that the folk that were notified from my account have seen the same notification I saw - the "Like" app.

In the meantime, it may have harvested some of my personal data. There's nothing of real value in there, because I always suspected that facebook might be a bit insecure. I suppose I might get some more spam to one or two of my email addresses now. On the other hand, I believe that some people store some kind of payment information in there, for buying silly valentines and things. So, the problem's potentially a bit more serious than just a new vector for some annoying spam.

So, what's the security hole? Is it my fault for giving permission to the app? Or is it to do with the software? Or with the whole concept of social networks generally? You could partially plug it by having the permissions page prominently say who wrote the app - I like to think that I personally would be less likely to give perms to an app that was obviously not written by facebook. But not everyone would get that. Maybe the problem is partially that I expect facebook to be just a bit crap - it didn't surprise me that I had to grant perms to something I already used. Maybe the problem is that the app name "like" was free for a third party to use? But would you like to come up with the list of banned app-names? Maybe apps should have less freedom in the notifications they can send out? "$FRIENDSNAME likes your photo" looks the same whether it's FB or some third party sending the notification. And the URL is a hashed and pretty anonymous facebook-redirect rather than an obvious photo URL - so my usual safe-browsing habits don't help at all there. Maybe the mechanism for sending notifications should always involve a dialog box popping up which makes clear what's being sent, and who to? That'd make doing normal things on facebook quite a bit more clunky - people might well just get in the habit of clicking "yes" to every single one, leaving us back where we are now.

I think it's a fun set of questions anyhow. Any of you lot got any interesting thoughts?

ETA: Or perhaps we really just want to remove consequential things like money from facebook, and live with an insecure system that worms occasionally navigate? I mean, people still hang around in forums where rickrolling and other annoyances are rife - it's just less annoying to those users than the alternatives. What do you think? Are you willing to live with the occasional facebook worm if it means you can have a social network that looks like the one we're all familiar with (without any of the more irritating security measures I'm suggesting here) ? How annoying or damaging do the worms have to get before you'd rather avoid facebook altogether?

Random 11pm thought: Privacy through insecurity.

If you haven't considered the potential for (and potential dangers of) total lack of privacy in the information age, go watch this before reading the rest of this post.

I've met a whole bunch of cool new people in the last year, and I keep "in touch" with many of them primarily using facebook. You know how this story goes - you go to a conference or take a short course of gardening classes or something ; you meet new folk ; you spend a lot of time with them for a few weeks ; then you go your separate ways and communicate for a year or two only through the medium of broadcast "status updates" that can be read by anyone you've ever met.

One of the folk I met last year has been getting increasingly facebook-eccentric. They've been posting increasingly embarrassing and personal status updates, starting their own fan club, joining the support groups for controversial political parties, and most recently, writing long essays defending their strange and cultish religious views. Of course, none of that stuff was actually my new friend - all they're really guilty of is forgetting to log out of facebook after using a public terminal. Repeatedly.

So now, any time I see anything embarrassing on my new friend's facebook page, I'll just assume that they've left themselves logged in again, and someone's having a laugh at their expense. I don't know what's actually going on - I haven't seen or spoken to them in months. I'll just assume that anything "normal" is the truth, and anything out of the ordinary is a practical joke. And so will anyone else who knows them. If they run for the presidency of the US in 20 years time, and some journalist finds something juicy in the old digital records, the spin doctors will be able to laugh it all off. That wasn't our candidate - that was a well documented series of attacks by notorious hackers of the time.

Of course, this is just a special case of lowering the signal-to-noise ratio on the net - which you can do any number of ways. It's fairly well known that companies will post fake product reviews if they can get away with it. Perhaps we could all open large numbers of facebook accounts, and use each of them to communicate with 1/n of our friends. Perhaps spin doctors should spend their time inventing implausible stories about their candidates, and filling the net with them, so the real stories get lost in the mess. Perhaps they already do. I'm sure none of this is a new idea, but it tickled me that forgetting to log out, or having an easy to guess password might offer my friend more privacy in the long run, not less.

Also: I decided to try using the plural in this note - if anyone has an opinion on that vs GNPs or any other way of writing what I wanted to write, then feel free to comment.

Random 6am Thought

If the economy is like an ecosystem; then perhaps pushing your company into an aggressive monopoly is kinda like being such a dominant species that you can wipe out other species with impunity, and significantly alter the planetary ecosystem. Good medium term strategy, potentially quite bad long term strategy.

This train of thought began with a vague memory of this old reg snippet.

Temporary email addresses

ISPs are now keeping records of everyone you email (if you live in the EU)

Not the contents of the mail yet - so perhaps it's not quite time to break out the PGP ubiquitously (and it's not a lot of use if you only use it for suspicious things, so it's pretty well got to be all or nothing). But what if you wanted to make your email flist just a little bit harder to automatically snoop and mine?

Well, it seems to me that the answer is in randomly generated throwaway webmail accounts. Swap contact details with a person (using the same system) for the first time - this involves picking and registering a new webmail address.

Each time you email them (or they, you), pick a new randomly generated address for both of you, and include the username and password of their new throwaway address in the email.1

With a bit of standard markup for including the new throwaway address and password in the email, this should be relatively easy to automate... Though it might involve typing a couple of CAPTCHAs when you send a mail.
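As an added illustration (not part of the original post, and not tied to any real webmail provider), here is a Python sketch of the handoff automation described above: the sender appends a marker line carrying the next throwaway address and password, and the recipient's client parses it back out. It also folds in the footnote's idea of changing the marker every message, by shipping the next message's marker word along with the credentials. The marker format, the `example.net` domain and the token lengths are all assumptions of this sketch; account registration and any CAPTCHA step are left out.

```python
"""Rolling throwaway-address handoff (added sketch, hypothetical format).

Each outgoing message ends with a line introduced by the marker word the
recipient is currently expecting.  That line carries the next account's
address and password, plus the marker word that will introduce the hop in
the message after that, so the syntax itself changes every time.
"""
import re
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_lowercase + string.digits
DOMAIN = "example.net"  # assumption: stand-in for whatever webmail host is in use


def random_token(n: int) -> str:
    """Cryptographically random lowercase/digit string of length n."""
    return "".join(secrets.choice(ALPHABET) for _ in range(n))


def new_hop() -> dict:
    """Fresh credentials for the next account and the marker for the message after."""
    return {
        "address": f"{random_token(12)}@{DOMAIN}",
        "password": secrets.token_urlsafe(16),
        "next_marker": random_token(8),
    }


def embed_hop(body: str, marker: str, hop: dict) -> str:
    """Append the handoff line to an outgoing body under the marker the
    recipient already expects."""
    line = f"{marker} {hop['address']} {hop['password']} {hop['next_marker']}"
    return body.rstrip("\n") + "\n\n" + line + "\n"


def extract_hop(body: str, marker: str) -> Optional[dict]:
    """Recover the handoff from an incoming body, or None if the expected
    marker is absent (wrong marker, or a message sent outside the scheme)."""
    pattern = re.compile(
        rf"^{re.escape(marker)} (\S+@\S+) (\S+) ([a-z0-9]+)$", re.MULTILINE
    )
    m = pattern.search(body)
    if m is None:
        return None
    return {"address": m.group(1), "password": m.group(2), "next_marker": m.group(3)}


def round_trip(body: str, marker: str) -> bool:
    """Sender embeds a freshly generated hop; recipient parses it back.
    True when both sides end up with identical credentials."""
    hop = new_hop()
    return extract_hop(embed_hop(body, marker, hop), marker) == hop


if __name__ == "__main__":
    first_marker = random_token(8)  # agreed out of band when contacts are swapped
    hop = new_hop()
    mail = embed_hop("Hi - as agreed, next address below.", first_marker, hop)
    print(mail)
    print(extract_hop(mail, first_marker))
```

Note what this does and does not buy you: the handoff rides in the message body, so it only blurs the who-emailed-whom record the post is worried about. Anyone who can read the content gets the next account's password in the clear, and a provider that logs bodies as well as headers sees the whole chain.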

Anyone fancy starting on a mutt or sup plugin? Some kind of uber-greasemonkey script might do something cool too.... Bonus points if you can make it work nicely with your threading engine of choice ;)

1 Of course, if only suspicious people use it, and if the syntax for describing a new address is easy to mine for, then we're back where we started. So we may have to present a new randomly generated presentation syntax in each email too. But that's doable :) Especially if you do it in the middle of a markov chain generated signature, where it won't get on anyone's nerves.

Functional Reactive (web) Programming

I just saw a talk by Shriram Krishnamurthi.

He showed us something live - essentially the thing I'm doing in this sub-one-minute video.

From some of the questions asked afterwards, I gather that the concept may not be a new one, but I don't care - I'd not seen it before, and the idea blew me away.

In the video, I show the scheme setup. The good folks at Brown have also seen fit to furnish us with a web programming setup which works on all the main browsers right now.

False Positives and Security.

Bruce Schneier continues to document the increasingly ridiculous war on the unexpected:

Offshore oil rig evacuated after someone dreamed of a bomb.

Sheridan College under lock-down because someone notices a tripod.

Man arrested for possession of an MP3 player.

While reading, I found myself thinking about the fire service. I remember being taught in school how prank 112/999/911 calls cost lives. While all the fire engines are out entertaining the prank caller, a real fire elsewhere may be killing people.

One of the characteristics of those real fires though, is that they're almost certainly not consciously trying to kill people. Except in extremely rare cases of premeditated arson, the probability of a real fire is independent of the probability of a prank call. That's not going to be the case with terrorists though - unlike accidental fires, terrorists actually want to hurt and frighten people. They're quite capable of calling the police to one place, and doing bad things in another. So surely our safeguards against false-positive terror alerts should be significantly stronger than our safeguards against false-positive fire alerts?

The War on the Unexpected: Not just annoying - downright dangerous.

Stop. Moshertime.

Run the following script in the same directory as a copy of "Killing in the name of" by Rage Against The Machine.


Whenever the music's playing, everyone has to mosh. That's the Rule.

Other track/activity pair suggestions are welcome. Particularly if they happen to work nicely with the existing timestamps ;)