Tool Ideas

June 4th, 2009

So, I’ve written some Ruby classes that interact with a web application that provides web service-like functions. One of the “interesting” features it provides is authentication. Having created the Ruby API to authenticate users I now want to try to use timing attacks to enumerate valid usernames. Unfortunately, I have not been able to find anything that fills this role. There is Benchmark, but it is more focused on CPU-like measurements. I’d like a tool that is focused on measuring time between HTTP requests and responses and makes adjustments for any overhead associated with Ruby itself.
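The measurement the post asks for is also what a defender needs to check an authentication routine for exactly this leak, so here is an added Ruby example (not code from the post or from the web application it describes). It uses a constructed toy password store with a deliberately slow hash, a leaky `authenticate` that returns early when the user does not exist, a hardened version that always pays the hash cost and compares in constant time, and a harness that times calls with the monotonic clock and takes the median of repeated samples so Ruby's own jitter is averaged out. Every name and value in it is constructed for illustration.

```ruby
require 'openssl'
require 'securerandom'

# Constructed example: a deliberately slow password hash so the cost of
# "did we hash or not" is large compared to Ruby's own call overhead.
SLOW_ITERATIONS = 2_000
SALT = 'constructed-fixed-salt'

def slow_hash(password)
  digest = password.to_s
  SLOW_ITERATIONS.times { digest = OpenSSL::Digest::SHA256.digest(SALT + digest) }
  digest
end

# Hypothetical user table; 'alice' is the only valid account.
USERS = { 'alice' => slow_hash('correct horse') }.freeze

# Hash the hardened path compares against when the user is unknown, so an
# unknown username costs the same as a wrong password for a known one.
DUMMY_HASH = slow_hash(SecureRandom.hex(16)).freeze

# Compare two byte strings without short-circuiting on the first mismatch.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Leaky: an unknown user returns before any hashing, so the response is
# thousands of times faster than for a real user with a wrong password.
def authenticate_leaky(user, password)
  stored = USERS[user]
  return false unless stored
  stored == slow_hash(password)
end

# Hardened: always hash, always compare in constant time, decide afterwards.
def authenticate_hardened(user, password)
  stored = USERS.fetch(user, DUMMY_HASH)
  match = constant_time_equal?(stored, slow_hash(password))
  match && USERS.key?(user)
end

# Median wall-clock time in milliseconds of the block over `samples` runs,
# taken from the monotonic clock so wall-clock adjustments do not intrude.
def median_ms(samples: 25)
  times = Array.new(samples) do
    t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    yield
    (Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0) * 1000.0
  end
  times.sort[samples / 2]
end

# Ratio of the median time for a known user (wrong password) to the median
# time for an unknown user. Near 1.0 means no username leak via timing.
def leak_ratio(method)
  known   = median_ms { send(method, 'alice',  'wrong password') }
  unknown = median_ms { send(method, 'nobody', 'wrong password') }
  known / [unknown, 1e-6].max
end

if $PROGRAM_NAME == __FILE__
  puts "leaky    known/unknown median ratio: #{leak_ratio(:authenticate_leaky).round(1)}"
  puts "hardened known/unknown median ratio: #{leak_ratio(:authenticate_hardened).round(2)}"
end
```

Run it and the leaky version reports a ratio in the hundreds or thousands while the hardened version sits close to 1. Over a real network the same harness would wrap the HTTP call instead of a local method, and the median (rather than the mean) is what keeps a few slow requests from hiding the signal.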

Security

Adam’s Curse

May 20th, 2009

In my struggle to meet the demands of my now long forgotten, but now remembered, resolutions of the New Year I read Adam’s Curse by W.B. Yeats last night. Some of the stanzas I have faint memories of. If I can dare to do so I’d say that this poem summarizes nicely what I tell my children; doing things that are worthwhile takes serious time and effort. Yeats, I think, agrees. Poetry, beauty and love all take work. I should correct myself here. If you are successful, the recipient of your effort should scarcely notice the labor. This is one of the signs of its quality according to Yeats; the quality of seeming like “a moment’s thought”.

Sadly, and I get this sense near the end, we’ve lost the motivation to pursue this sort of quality. Or we invent new ways that short-circuit some of that time and effort. Maybe when we do this, we lose some of the personal benefits of this exertion?

We sat together at one summer’s end,
That beautiful mild woman, your close friend,
And you and I, and talked of poetry.
I said, “A line will take us hours maybe;
Yet if it does not seem a moment’s thought,
Our stitching and unstitching has been naught.
Better go down upon your marrow-bones
And scrub a kitchen pavement, or break stones
Like an old pauper, in all kinds of weather;
For to articulate sweet sounds together
Is to work harder than all these, and yet
Be thought an idler by the noisy set
Of bankers, schoolmasters, and clergymen
The martyrs call the world.”

And thereupon
That beautiful mild woman for whose sake
There’s many a one shall find out all heartache
On finding that her voice is sweet and low
Replied, “To be born woman is to know –
Although they do not talk of it at school –
That we must labour to be beautiful.”
I said, “It’s certain there is no fine thing
Since Adam’s fall but needs much labouring.
There have been lovers who thought love should be
So much compounded of high courtesy
That they would sigh and quote with learned looks
Precedents out of beautiful old books;
Yet now it seems an idle trade enough.”

We sat grown quiet at the name of love;
We saw the last embers of daylight die,
And in the trembling blue-green of the sky
A moon, worn as if it had been a shell
Washed by time’s waters as they rose and fell
About the stars and broke in days and years.
I had a thought for no one’s but your ears:
That you were beautiful, and that I strove
To love you in the old high way of love;
That it had all seemed happy, and yet we’d grown
As weary-hearted as that hollow moon.

Thoughts

Tool Ideas

May 19th, 2009

Since I don’t blog nearly enough, I figured I’d at least use this as a dumping ground for all the lame ideas I have for tools that would have made my life easier. The first tool, or the most recent tool that would have saved some time, is the ssl-cert-spoofer-helper. Can you see that I’m not very creative? In my experience, especially with the iPhone you not only need a trusted CA certificate on your iPhone, but a server certificate that looks *almost* like what the iPhone application is expecting. Specifically, the CN has to match the original. So, rather than go through the trouble of grabbing the “real” server certificate, examining it, and using openssl to generate my CA and fake certificate, I would like a tool that does it all for me. I started working on one in Ruby, but it isn’t terribly interesting OR fun….at all.

Security

Out With the New

April 30th, 2009

Wow, has it really been a month since my last post?  It certainly isn’t because I don’t have anything on my mind. It is a time/motivation thing. So, since I am writing now I must have something worthwhile to say? Maybe.

I’ve had several conversations over the past couple of years about religion. Yes, probably more than several. In particular though, these conversations centered around the most pure, earliest, oldest or the most correct form of a given religion. There is a continuing effort, it seems to me, by people of all religions to try to “get back to the roots” of their respective religions. It is as if they are saying that the current forms are somehow deficient. I find this fascinating.

Obviously, over time religions “evolve”. As people and cultures change, religious expression and understanding also undergo changes of their own. But, when people become unsatisfied by current religious forms, what are they trying to recover by going back in time?  I would venture a guess that there is some connection in their minds between time and accuracy. The older the religious practice, the more pure (read: correct) it must be. Naturally, if this is our position, one would look to the oldest practices to find solace in their religion. But doesn’t this make a fatal mistake? Doesn’t it elevate the people of the past into positions that they themselves would not lay claim to? Namely, that they alone understood what the correct religion looked like or that they were less likely to make errors of judgment? I don’t think the devout peoples in antiquity would touch that with a 10-foot pole.

This grows more acute when there are religious figures in the mix. Even if these religious figures are elevated to some perfection because of some innate power, does it follow that emulating their religious practices would lead one to the correct understanding and practices of a religion? Doesn’t this commit the same error? It removes the figures from their historical setting. If they are a part of history, then aren’t they also constrained in some ways by space and time? I think there is a sort of reverse chronological snobbery at play here. Anything “old” is good, anything “new” is bad. Or, maybe, “the older the better”.

Why were the ancient caretakers of religion any more or less human, imperfect or prone to error than us? I don’t think they were any of those things. I think it is more a modern phenomenon. Maybe it is a means to preserve and connect with a larger community. Maybe the current religious experiences are devoid of any real content, meaning or force. But is the answer to this that we revert back to 2500 year old practices? I don’t think so.

Theology, Thoughts

All, Ever and Doubt

March 14th, 2009

Contrary to my expectations, Lilith by George MacDonald is a tough slog. I’m not sure why. Maybe I was expecting something more like The Princess and the Goblin. It seems as though Lilith is really a message with a story as a background rather than a story with a message in the background. I’m sure it is just my lack of sophistication. Despite this, MacDonald manages to transmit quite a few profound ideas to the attentive reader.

“These words are too big for you and me: all is one of them, and ever is another,” said a voice near me which I knew.

George MacDonald, Lilith, p.93

Ahh, such sweet music to my epistemological senses, however distorted they may be. Yes, there is little context to go on here, but it does speak for itself doesn’t it? All and ever are rarely epistemologically admissible and yet easily used in our everyday speech. Who has such authority to lay claim to all and ever? Is it you and I?

“Doubt”, I said to myself, “may be a poor encouragement to do anything, but it is a bad reason for doing nothing.”

George MacDonald, Lilith, p.97

Classic. Do I need to elaborate?

Books, Thoughts

Security Frames

March 3rd, 2009

The classic CIA Triad (Confidentiality, Integrity and Availability) as it is affectionately called has been used for decades as a means to coarsely outline certain security/assurance expectations of a system. It has lasted this long because who can forget a TLA? Sadly, it is too general to be used effectively in most application security endeavors. There have been many who have attempted to elaborate on the triad to make it more useful. Microsoft’s Security Frame was a great effort. It identified the important and relevant categories that were hidden away within the triad. However, going from a TLA to a set of ten concepts or IAACSSCEA isn’t exactly easy to recall. Yes, I know, this should be documented as part of a defined process chock full of cheat sheets, tips and lists. Well, in an effort to align these concepts with my view of security functions and properties I created a set of six concepts that are derived from CIA, but that add more precision. You’ll probably recognize some of these labels. Yes, some of them made sense to retain from Microsoft’s Frame, others were useful labels gathered from the Common Criteria (oh no! not that!?). So, I managed to trim a few items by merging them with a more common category. Let’s see if an uninformed reader can make sense of these:

  1. Accountability and Event Reconstruction
  2. Data Protection
  3. Identity and Access Management
  4. Exception Management and Availability
  5. Management and Configuration
  6. Survivability

Identity and Access Management is perhaps the most intuitive category. It encompasses authentication, authorization and other concepts related to access control. Accountability is also fairly straightforward. What is your take on the others?

Security

Revelation and Truth

February 25th, 2009

So, I’m reading Without Roots, by Pera and Ratzinger and stumbled across a sentence I cannot help but respond to.

…dialogue cannot be an instrument for the discovery of truth, because Revelation plays that role. In other words, in Christianity truth is not a process, but a state, not a becoming but a being.

– Marcello Pera, Without Roots, p.28

Having never read anything by Pera in the past, I don’t have any real reference point to infer what he may be getting at. Reading this sentence as it stands however, I have to take issue. Even if we grant that Revelation is a valid source of knowledge, it does not follow that we, without the aid of our reason, can understand unequivocally, through whatever medium this revelatory knowledge is delivered, these truths. In other words, there will always be a human mind receiving data. If this is so, then we have all of the baggage that goes along with the human receiver. Time, place, language, culture, religion, all of this will undoubtedly influence the receiver’s interpretation of data. To presume that we are a blank slate capable of receiving data, delivered in most cases within a historical context, exactly as a divine authority intended it is quite amusing. From what I’ve read so far, I don’t think Pera intends this, but I can’t be sure. This objective truth that Pera refers to may be a state, but human minds still have to go through a process of apprehension. This process, as history has no doubt proven, is always a challenge to get right. Furthermore, how do we know when we have received the *truth* and not falsehood? Which measurements do we use? Here, we fall back again upon time, place, language and culture. We judge this truth based on our current criteria for truth. So, if Revelation is a valid source of knowledge, we have to answer in a very real way how we gain access to that knowledge when it is encased in anthropological dressing.

General, Philosophy, Theology

The Ineffable

February 9th, 2009

What smites us with unquenchable amazement is not that which we grasp and are able to convey but that which lies within our reach but beyond our grasp; not the quantitative aspect of nature but something qualitative; not what is beyond our range of time and space but the true meaning, source and end of being, in other words, the ineffable.

– Abraham Joshua Heschel, Man is Not Alone, p.4

Many times we experience things we do not fully understand and cannot begin to adequately articulate. It is as if something has grasped us as we struggle in search for meaning or something bigger than ourselves. Sometimes we are grasped even when we are not searching. Heschel comes very close, I think, to explaining this sort of experience. To those that are fortunate enough to share in such an encounter, Heschel’s words need little explanation. Nature’s mysteries sometimes draw us into this mystery of causes. Who or what is this mystery that we sometimes glimpse however dimly? What is it that we feel kinship with in those mundane and extraordinary of times? Is it imagination or wishful expectation or something much, much greater?

Books, Theology, Thoughts

A Psalm of Life

January 30th, 2009

After reading several Longfellow poems with topics ranging from children, life, death and faith I’m beginning to have a certain affinity for the fellow (pun intended). I don’t mind at all if his poems were written for the masses as some have claimed. When I read a poem, I am the only one responding to his words at that moment in time. There is nobody else the poet is speaking to other than me. Can it really be any other way?

My favorite stanza has got to be the sixth. I try to focus on what I can do in the present. Alas, my focus seldom turns into action. So many times we linger in the past or wander into the future that we forget about our responsibilities to act in the present moment. Longfellow clearly understands this challenge and our natural inclination to do nothing. After reading this poem I feel compelled or inspired to continue acting in the present, to make the most of the time that we have here and to get to a place where I can, just maybe, leave “footprints on the sands of time” for someone to benefit from.

Tell me not, in mournful numbers,
Life is but an empty dream!
For the soul is dead that slumbers,
And things are not what they seem.

Life is real! Life is earnest!
And the grave is not its goal;
Dust thou art, to dust returnest,
Was not spoken of the soul.

Not enjoyment, and not sorrow,
Is our destined end or way;
But to act, that each to-morrow
Find us farther than to-day.

Art is long, and Time is fleeting,
And our hearts, though stout and brave,
Still, like muffled drums, are beating
Funeral marches to the grave.

In the world’s broad field of battle,
In the bivouac of Life,
Be not like dumb, driven cattle!
Be a hero in the strife!

Trust no Future, howe’er pleasant!
Let the dead Past bury its dead!
Act,–act in the living Present!
Heart within, and God o’erhead!

Lives of great men all remind us
We can make our lives sublime,
And, departing, leave behind us
Footprints on the sands of time;–

Footprints, that perhaps another,
Sailing o’er life’s solemn main,
A forlorn and shipwrecked brother,
Seeing, shall take heart again.

Let us, then, be up and doing,
With a heart for any fate;
Still achieving, still pursuing,
Learn to labor and to wait.

– Henry Wadsworth Longfellow, A Psalm of Life

General, Thoughts

The Children’s Hour

January 21st, 2009

We have a fairly involved night-time ritual. First we read selections from Bennett’s Book of Virtues, then a Bible story or two from Egermeier’s Bible Story Book, then several pages from our current book (at this time it is MacDonald’s The Golden Key) and finally our Compline Office from Tickle’s The Divine Hours. Bennett’s compilation has all sorts of interesting stories and poems. The selection below is one my children enjoyed. Their enjoyment of this poem comes primarily from their ability to act it out when we put them to sleep!

Between the dark and the daylight,
When the night is beginning to lower,
Comes a pause in the day’s occupations,
That is known as the Children’s Hour.

I hear in the chamber above me
The patter of little feet,
The sound of a door that is opened,
And voices soft and sweet.

From my study I see in the lamplight,
Descending the broad hall stair,
Grave Alice, and laughing Allegra,
And Edith with golden hair.

A whisper, and then a silence:
Yet I know by their merry eyes
They are plotting and planning together
To take me by surprise.

A sudden rush from the stairway,
A sudden raid from the hall!
By three doors left unguarded
They enter my castle wall!

They climb up into my turret
O’er the arms and back of my chair;
If I try to escape, they surround me;
They seem to be everywhere.

They almost devour me with kisses,
Their arms about me entwine,
Till I think of the Bishop of Bingen
In his Mouse-Tower on the Rhine!

Do you think, O blue-eyed banditti,
Because you have scaled the wall,
Such an old mustache as I am
Is not a match for you all!

I have you fast in my fortress,
And will not let you depart,
But put you down into the dungeon
In the round-tower of my heart.

And there will I keep you forever,
Yes, forever and a day,
Till the walls shall crumble to ruin,
And moulder in dust away!

– Henry Wadsworth Longfellow, The Children’s Hour

Books