The Children’s Hour

January 21st, 2009

We have a fairly involved night-time ritual. First we read selections from Bennett’s Book of Virtues, then a Bible story or two from Egermeier’s Bible Story Book, then several pages from our current book (at this time it is MacDonald’s The Golden Key) and finally our Compline Office from Tickle’s The Divine Hours. Bennett’s compilation has all sorts of interesting stories and poems. The selection below is one my children enjoyed. Their enjoyment of this poem comes primarily from their ability to act it out when we put them to sleep!

BETWEEN the dark and the daylight,
When the night is beginning to lower,
Comes a pause in the day’s occupations,
That is known as the Children’s Hour.

I hear in the chamber above me
The patter of little feet,
The sound of a door that is opened,
And voices soft and sweet.

From my study I see in the lamplight,
Descending the broad hall stair,
Grave Alice, and laughing Allegra,
And Edith with golden hair.

A whisper, and then a silence:
Yet I know by their merry eyes
They are plotting and planning together
To take me by surprise.

A sudden rush from the stairway,
A sudden raid from the hall!
By three doors left unguarded
They enter my castle wall!

They climb up into my turret
O’er the arms and back of my chair;
If I try to escape, they surround me;
They seem to be everywhere.

They almost devour me with kisses,
Their arms about me entwine,
Till I think of the Bishop of Bingen
In his Mouse-Tower on the Rhine!

Do you think, O blue-eyed banditti,
Because you have scaled the wall,
Such an old mustache as I am
Is not a match for you all!

I have you fast in my fortress,
And will not let you depart,
But put you down into the dungeon
In the round-tower of my heart.

And there will I keep you forever,
Yes, forever and a day,
Till the walls shall crumble to ruin,
And moulder in dust away!

– Henry Wadsworth Longfellow, The Children’s Hour

Books

The Fool

January 6th, 2009

But indeed the business of the universe is to make such a fool of you that you will know yourself for one, and so begin to be wise!

– George MacDonald, Lilith 1895

I love the Platonic ring to this. Socrates in the Apology makes a similar statement about how little we really know and how we let ourselves believe otherwise.

Well, although I do not suppose that either of us knows anything really beautiful and good, I am better off than he is – for he knows nothing, and thinks that he knows. I neither know nor think that I know.

– Plato, Apology

In MacDonald’s novel, as a twist of irony, the statement comes from the mouth of a talking raven! The exchange leading up to the quotation above is fantastic. It reminds me of how we sometimes do not want to go through the trouble of learning things for ourselves or doing the work required to acquire some skill. Here’s the rest if you’re interested.

“Could you not teach me to know a prayer-flower when I see it?” I said.

“I could not. But if I could, what better would you be? You would not know it of yourself and itself! Why know the name of a thing when the thing itself you do not know? Whose work is it but your own to open your eyes?”

– George MacDonald, Lilith 1895

Part of the fun is the journey itself. I know, it seems trite these days, but that doesn’t make it any less true.

Books, Thoughts

A Garden by the Sea

January 6th, 2009

Here is Monday’s poem.

I know a little garden-close,
Set thick with lily and red rose,
Where I would wander if I might
From dewy morn to dewy night,
And have one with me wandering.

And though within it no birds sing,
And though no pillared house is there,
And though the apple-boughs are bare
Of fruit and blossom, would to God
Her feet upon the green grass trod,
And I beheld them as before.

There comes a murmur from the shore,
And in the close two fair-streams are,
Drawn from the purple hills afar,
Drawn down unto the restless sea:
Dark hills whose heath-bloom feeds no bee,
Dark shore no ship has ever seen,
Tormented by the billows green
Whose murmur comes unceasingly
Unto the place for which I cry.

For which I cry both day and night,
For which I let slip all delight,
Whereby I grow both deaf and blind,
Careless to win, unskilled to find,
And quick to lose what all men seek.

Yet tottering as I am and weak,
Still have I left a little breath
To seek within the jaws of death
An entrance to that happy place,
To seek the unforgotten face,
Once seen, once kissed, once reft from me
Anigh the murmuring of the sea.

– William Morris, A Garden by the Sea

Is this another poem about death? Is the garden by the sea a grave site or the sacred spot shared by two lovers? I’ve gone through this poem only a dozen times, but there is certainly a musical, almost mysterious rhythm to it. I use the word mysterious because I can think of no better word to describe how it reads.

Books

The Tide

January 3rd, 2009

Here is a poem that I’ve been contemplating for the past several days.

The tide rises, the tide falls,
The twilight darkens, the curlew calls;
Along the sea-sands damp and brown
The traveller hastens toward the town,
And the tide rises, the tide falls.

Darkness settles on roofs and walls,
But the sea, the sea in the darkness calls;
The little waves, with their soft, white hands,
Efface the footprints in the sands,
And the tide rises, the tide falls.

The morning breaks; the steeds in their stalls
Stamp and neigh, as the hostler calls;
The day returns, but nevermore
Returns the traveller to the shore,
And the tide rises, the tide falls.

– Henry Wadsworth Longfellow, The Tide Rises, The Tide Falls

After several readings I’m beginning to think this poem has something to say about Death. I have a few reasons for this conclusion. The coming morning, instead of arousing traditional feelings of life, hope and renewal, brings into focus the termination of a journey. The traveler will never return to the shore. I think this reversal, using the morning to speak of some loss instead of renewal, is very powerful. The tide and its cyclical and almost timeless nature contrasts well with the fate of the traveler. The tide continues in perpetuity, but the traveler cannot. The traveler is finite and limited. The footprints emphasize this fact. The memory, life and activities of the traveler fade quickly away, but the tide repeats its playful and deliberate act.

I’m not sure if my conclusion is accurate, but it does seem reasonable. Of course, more examination is necessary. Why, for example, do the waves have soft, white hands? Where are there steeds and a hostler? I imagine that as these questions are answered my conclusion may seem more or less accurate. What do you think? Am I “right”? Better still, what does it mean to be right?

–UPDATE: I found an audio link to The Tide Rises, The Tide Falls on archive.org. Enjoy!

Books, General, Thoughts

2009 Reading List

January 2nd, 2009

I will occasionally pull a book off the shelf that isn’t on the following list, but my aim is to get through all of these books (and hopefully more) in 2009. I tried to stick to the Lewis Rule that “after reading a new book, never to allow yourself another new one till you have read an old one in between. If that is too much for you, you should read one old one to every three new ones.” I think I did okay. I have an even split between old and new. Although, technically the Allan Bloom collection is “old” since it starts from Chaucer, but I’ll count it in the new.

“Old” Books

  • Augustine – Confessions
  • Athanasius – On the Incarnation
  • Plato – Theaetetus, Republic
  • George MacDonald – Lilith
  • Malory – Le Morte Darthur
  • Cervantes – Don Quixote
  • Francis Bacon – The New Organon
  • Aristotle – Nicomachean Ethics

“New” Books

Books

Induction in Security?

September 22nd, 2008

Today I had an interesting discussion with a colleague who will remain nameless. The subject was one of my favorites: attacks and countermeasures. One of the methods that we employ to evaluate new, existing or emerging technologies is to run it through the attack tree gauntlet. When the gauntlet is run we are left with a variety of attacks that range from the real to the completely theoretical. Following this and other bits to be discussed later we try to discover countermeasures for each of the attacks. The countermeasures range from factoring out the exposures to adding compensators to reduce the as yet unquantified risk.

Here is where the fun started. I am of the opinion that there has to be some method for quantifying the effectiveness of the countermeasures. In other words, if I deploy one of the discovered countermeasures how much does it really help? We have a bad habit of listing countermeasures and taking the all-or-nothing approach. I happen to think we can use an informal qualitative method of communicating effectiveness. What does such a method look like? Well, a rough percentage works for me. Some complain that it is too “gut-check” oriented. They’d be right. However, I’d have to argue that the very method for discovering countermeasures themselves is a gut-check. “Say it ain’t so!”, you claim. Sorry, it is.

If we can’t say a thing about how effective a countermeasure is then how can we claim it can do anything at all? The fact is that we use intuition, reflection or what some would call our experience to make a universal claim. Induction anyone? If we can use experience to discover the countermeasures themselves then why can’t we also use the same set of collective experiences to estimate the effectiveness? (Induction again...)

“Yes, but what numbers are you going to use?”, you may ask. You can use any range, scheme, etc. that works for you. I use percentage in increments of 10. I like this because it is easy to reason with it. “80 times out of 100 AV is effective against non-0day malware delivered via E-mail.”, seems to work for me. Is it too detailed? I don’t think so. I think a broader range is better for the types of estimates we’re dealing with. If we use high, medium or low we run the risk of grossly over/under estimating. The bottom line is that we have to provide information to make informed decisions. We don’t get this right very often. By exposing our assumptions and methods we can move away from the “black magic” of the security practice. Being fearful that our methods are not “scientific” is a lame excuse for not trying in my opinion.
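To make the “how much does it really help?” question concrete, here is an added example (my own code, not from the post) that runs a small attack tree through the kind of gauntlet described above and attaches countermeasures with effectiveness estimated in increments of 10 percent. The tree, the baseline likelihoods and the countermeasure figures are constructed sample values, not data from the post; the composition rules (independent countermeasures on one step stop attempts multiplicatively, an AND node needs every child step, an OR node needs any one) are assumptions I made so that the estimates can be combined. The payoff is a ranking of countermeasures by how much each one lowers the residual likelihood at the root, which is exactly the information an all-or-nothing list of countermeasures fails to give.

```python
from dataclasses import dataclass, field
from math import prod
from typing import FrozenSet, List, Union

STEP = 10  # the post's convention: effectiveness as a percentage in increments of 10


@dataclass
class Countermeasure:
    name: str
    effectiveness_pct: int  # share of attempts it stops, 0..100 in steps of STEP

    def __post_init__(self) -> None:
        # Enforce the estimation scheme so nobody quietly slips in "73%".
        if not 0 <= self.effectiveness_pct <= 100 or self.effectiveness_pct % STEP:
            raise ValueError(f"{self.name}: effectiveness must be 0..100 in steps of {STEP}")


@dataclass
class Leaf:
    """One attack step from the gauntlet, with its estimated success likelihood."""
    name: str
    baseline: float  # estimated chance the step succeeds with no countermeasure in place
    countermeasures: List[Countermeasure] = field(default_factory=list)

    def residual(self, exclude: FrozenSet[str] = frozenset()) -> float:
        # Assumption: independent countermeasures stop attempts multiplicatively.
        p = self.baseline
        for cm in self.countermeasures:
            if cm.name not in exclude:
                p *= 1 - cm.effectiveness_pct / 100
        return p


@dataclass
class Gate:
    name: str
    kind: str  # "AND": every child step must succeed; "OR": any one child suffices
    children: List["Node"]

    def residual(self, exclude: FrozenSet[str] = frozenset()) -> float:
        ps = [c.residual(exclude) for c in self.children]
        if self.kind == "AND":
            return prod(ps)
        if self.kind == "OR":
            return 1 - prod(1 - p for p in ps)
        raise ValueError(f"{self.name}: unknown gate kind {self.kind!r}")


Node = Union[Leaf, Gate]


def countermeasure_names(node: Node) -> List[str]:
    if isinstance(node, Leaf):
        return [cm.name for cm in node.countermeasures]
    return [n for child in node.children for n in countermeasure_names(child)]


def countermeasure_benefit(tree: Node, cm_name: str) -> float:
    """Absolute drop in the root's residual likelihood that one countermeasure buys."""
    return tree.residual(frozenset({cm_name})) - tree.residual()


def rank_countermeasures(tree: Node) -> List[tuple]:
    """(name, benefit) pairs, most valuable first."""
    names = sorted(set(countermeasure_names(tree)))
    return sorted(((n, countermeasure_benefit(tree, n)) for n in names),
                  key=lambda pair: pair[1], reverse=True)


def build_sample_tree() -> Gate:
    # Constructed sample tree; every number here is an illustrative gut-check estimate.
    av = Countermeasure("endpoint AV", 80)          # the post's "80 times out of 100"
    mail_filter = Countermeasure("mail filtering", 60)
    training = Countermeasure("awareness training", 30)
    patching = Countermeasure("browser patching", 70)
    phishing = Gate("malicious attachment runs", "AND", [
        Leaf("attachment reaches inbox", 0.9, [av, mail_filter]),
        Leaf("user opens attachment", 0.5, [training]),
    ])
    return Gate("malware executes on workstation", "OR", [
        phishing,
        Leaf("drive-by download", 0.3, [patching]),
    ])


if __name__ == "__main__":
    tree = build_sample_tree()
    print(f"residual likelihood at root: {tree.residual():.3f}")
    for name, benefit in rank_countermeasures(tree):
        print(f"  {name:<20} lowers root likelihood by {benefit:.3f}")
```

Running it shows the reasoning the post is asking for: with the sample numbers the tree's residual likelihood at the root is about 0.11, and removing browser patching raises it far more than removing awareness training does, so the ranking says where the next dollar should go. Changing any estimate by one 10 percent step and re-running is a cheap way to see how sensitive the conclusion is to the gut-check.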

Security

Requirements – The Security Kitchen Sink

August 28th, 2008

Over the past several weeks I have had the pleasure of reading through a large stack of academic papers (that I could retrieve without cost) on security requirements. As I suspected going into this task there were as many opinions on the proper way to elicit, describe, generate and document such things as there are tastes in chocolate. That said, there were some gems that I found scattered throughout. It may be that I consider them gems because they happen to agree with my thinking on the subject, but I digress. Why did I go to all of the trouble? In my almost insane quest for continually improving the state and practice of security I knew that there had to be a better way of “doing requirements” and introducing this part of security into a lifecycle (however broken it might be). I’ve seen bizarre checklists, a ream of non-functional requirements appended to a project with almost no budget or critical regions of functionality and unintelligible policy-laden statements trying to masquerade as requirements for engineers and designers. It is a mess. It gets worse. Most of the time requirements of the security variety, in whatever form they appear, may be all that a project team ever sees prior to construction of their widgets. Not only is there an interpretative barrier at times, but the fact that we’ve left requirements at the door without venturing further into the various stages of a life cycle guarantees that things will break.

It really doesn’t end after requirements. Well, it may if your requirements look anything like what I’ve discussed above. After requirements someone has to come along and take that information and turn it into some form of design. It seems to me that security requirements are for the most part existential statements about security *functions*. That’s where some security folks go wrong. We think that requirements are really just a synonym for policies and procedures. Sorry, they’re not. They should be something closer to prescribed functions of a system or constraints on functions dictated by business requirements. A simple example is authorization. We can make some general statements about the existence of an authorization component. Something should be there to grant the appropriate entitlements to a user. This makes sense, right? What sometimes happens though is that we load all sorts of other implementation or design requirements into the cart. When we do this we run into all sorts of problems like traceability, complexity and adoption. Should statements about least privilege, compartmentalization or filesystem access control lists be included in requirements? I don’t think so. Those statements are either design principles and constraints or implementation details. Maybe if we can think about security expectations more broadly we will realize that those expectations can be articulated in a more contextually useful manner. Here is a very coarse taxonomy of what I’m talking about.

  • Goals
  • Non-Functional Requirements (Security Functions, Attack Resistant Qualities)
  • Design Constraints/Principles
  • Implementation Guidance

Each one of these categories depends in some part on its predecessor. You can see the process here. We’re moving from the general to the specific. What security people typically do is something like this:

  • Requirements = Policies, Standards, Attack Language, Security Functions, Design Statements

It is a wonder that any of this makes its way into a final product. There could be information in that bundle of joy for developers, architects, requirements engineers, business analysts and others. To make things work we have to do a better job of understanding who consumes our documented expectations. We can’t use the kitchen sink of requirements if we really want our applications to be “secure”.

Security, Thoughts

Writ and Liberty

June 13th, 2008

After hearing of the Supreme Court’s decision regarding detainees’ rights at Guantanamo Naval Station I decided it was time to read their opinion. No, I have not read the entire 125-page document. I just finished reading the eight-page syllabus. For those that are living under a rock, the detainees at Guantanamo Bay have been held there without the entitlement of the Writ. This basically means that they have not been given the opportunity to question the legality of their imprisonment. As a result, many of the detainees are held there indefinitely. Now, this is a gross oversimplification. There are many other factors at play such as the location of the detention center, its status as a territory, the citizenship of the detainees and their status as “enemy combatants”. Based on these and other factors the court ruled that the detainees’ rights to the Writ cannot be suspended. I have to say at first, because of the “at war” considerations, I thought this was a bad decision. After reading, some reflection and a few interesting conversations I now think this was a good decision. It is, of course, not without difficulties, but the decision heads in the appropriate direction.

One of the main themes touched on in the Syllabus is the Writ’s ability to ensure individual liberty. If the conditions by which the Writ may be suspended are broadened our liberties will have been significantly curtailed.

That the Framers considered the writ a vital instrument for the protection of individual liberty is evident from the care taken in the Suspension Clause to specify the limited grounds for its suspension: The writ may be suspended only when public safety requires it in times of rebellion or invasion.

The problem is that the Guantanamo scenario is unique. Some argue that because Guantanamo isn’t a United States territory that the Constitution has little influence or power. The Court does agree that this uniqueness presents challenges for effectively resolving the dilemma.

None of the cases the parties cite reveal whether a common-law court would have granted, or refused to hear for lack of jurisdiction, a habeas petition by a prisoner deemed an enemy combatant, under a standard like the Defense Department’s in these cases, and when held in a territory, like Guantanamo, over which the Government has total military and civil control.

The Court, thankfully, does not agree that the location of the detention center determines where and when the Constitution applies. We cannot simply claim that because Cuba is sovereign over Guantanamo that we must obviate the entitlements to the Writ.

but it does not accept the Government’s premise that de jure sovereignty is the touchstone of habeas jurisdiction.

Furthermore, to draw a clear line in the sand, it is not the place of the Executive or Legislative branches to determine where the law should be applied.

The Constitution grants Congress and the President the power to acquire, dispose of, and govern territory, not the power to decide when and where its terms apply. To hold that the political branches may switch the Constitution on or off at will would lead to a regime in which they, not this Court, say “what the law is.”

The Court, through the Syllabus, understands that there are other considerations when extending the entitlements to the Writ to detainees. “Due process” in this context takes time. It may be the case that the government and/or military have very good reasons for detaining individuals. At the end of the day, at some reasonable point in time and in this context they must be allowed to understand why they are being held.

This holding should not be read to imply that a habeas court should intervene the moment an enemy combatant steps foot in a territory where the writ runs.

I think the Court understands the complexity of the situation. This isn’t a straightforward case of a citizen being withheld certain rights. This isn’t a straightforward case of detention on U.S. soil. There are aspects of terrorism, intelligence information and “aliens” that are intertwined in this case. We have to protect the country from foreign hostilities, but it cannot come at the expense of the liberty of citizens or, worse still, at the expense of our country’s heritage of preserving liberty through due process.

In considering both the procedural and substantive standards used to impose detention to prevent acts of terrorism, the courts must accord proper deference to the political branches. However, security subsists, too, in fidelity to freedom’s first principles, chief among them being freedom from arbitrary and unlawful restraint and the personal liberty that is secured by adherence to the separation of powers.

General, Thoughts

Code Coverage and Design Flaws

May 27th, 2008

Whether you perform “threat modeling”, conduct “design reviews” or engage in “risk assessments” for the purpose of identifying and hopefully correcting flaws in an application’s design there is always a lingering question of completeness and accuracy. I’ll try not to derail the conversation and talk about what you do with the flaws (i.e., how you rate them, prioritize them and a method for correction) you’ve found even though I really want to.

So, what about completeness and accuracy? Many organizations now go about performing some sort of activity prior to the construction of their widgets. Most probably think they’re doing a decent job. But how do we know? Is it the volume of flaws that are discovered? This is more like a warning light on an automobile than a measurement of the completeness of the efforts. I know, our buddies Saltzer and Schroeder have spoken about proving a negative requirement and I agree with them. I tend to think that these notions of completeness and accuracy are rolled up into a more well-known concept of code coverage. No, it’s not perfect, but it does a decent job here. Of course there is no “code” to cover in the sort of pre-construction activities we perform. We deal with the raw materials that will eventually materialize into code. We don’t have the luxury of measuring the scope of our activities based on properties of the code (the number of lines, critical regions, etc). So how do we measure coverage? Do we rely upon methodological adherence? That seems dangerous. What about the quality of the design artifacts? Do they have use cases? The sort of inspection that we can perform seems to be proportional to the amount of time one has taken to articulate the design. But that only makes it more probable that we will be more complete and accurate. We can’t use that to measure our coverage either.

There are two aspects that contribute to quality code coverage: identification of security code paths (I know there is no code yet) and depth of analysis. The first is the process whereby all untrusted points of input and output in the design are discovered and validated. In my world very few points are trusted, but there are levels of trust. The next is depth of analysis. It is not enough to go through a series of binary questions like “do you authenticate this communication channel” even if there is a well-defined policy governing authentication requirements. It isn’t just the coarse-grained patterns we’re speaking of here. It is the *design* of those patterns that must be evaluated. This is, I think, where many security efforts go awry. They boil down analysis and expertise into questions and answers. Questions do not achieve the depth of analysis criteria for code coverage. Without a doubt if a design doesn’t answer yes to these fundamental questions you’re at a hard stop, but for those that can answer yes you must go deeper.

So, are you confused? “Code coverage” in pre-construction security efforts must consider the methods to identify (and validate) inputs and outputs and the degree of analysis performed upon that data. How do we do this? I don’t know. What we can do is use these two categories (there may be more) as control points for the consistency and/or reliability of our data. For example, if we’ve simply reviewed available documents to discover the project’s design elements there is probably a greater margin for errors and omissions. It follows then that our code coverage will not be as complete as it could have been. Yes, I know, it is only probabilistic. But that may be the best we can do. I’ll leave it up to everyone else (all two of you) to consider whether what I’m saying is valid. Good luck.

Security

Debates Are Good For Something

May 5th, 2008

I had a very interesting discussion with my carpool buddy about those atheism versus theism debates that are all the rage these days. He had some very astute observations despite his self-proclaimed lack of knowledge (he’s agnostic and I’m kidding). He noticed how the various camps typically claim that their side was the victor. See, debates aren’t exactly like the UFC. There isn’t a tap-out, a referee stoppage or a decision in the end. Instead, it is just a bunch of fans cheering for their fighter. What’s worse is that it is unlikely that one side would switch to the other as a result of such a brawl, but it is still entertaining and a great fuel source for conversation.

We discussed how atheistic arguments are sometimes made up of refutations of theistic arguments. Now, there is nothing wrong with this. If you can demonstrate that premises are incorrect or invalid you have successfully torpedoed the conclusion. What we observed is that in some cases this method (the refutation of theistic arguments) is successful. If they are successful (I think they are in some cases) then the argument for god is refuted. I agree with this. However, and I know this is obvious here, by refuting a positive proposition we have in no way confirmed its negative. In other words, refuting an argument for the existence of god does not get us to the truth claim that there is no god. I know, “the burden of proof is on you to prove god”. I agree. But if I cannot conjure up proof or my proofs are refuted, we simply slide into agnosticism. I can’t jump over the chasm into atheism without some logical help (I need some arguments). At the heart of it atheistic propositions, just like their theistic counterparts, are knowledge claims.

This of course led to all sorts of discussions regarding the problem of knowledge (a favorite of mine). Rarely, if ever, do I get the opportunity to talk about something that I think is fun and yet painful. So, I was sort of like the abominable snow man in this Looney Tunes spoof. We talked about deduction and induction and the challenges of a priori knowledge. We talked about what meta-justification is. We even ventured off into the notions of “proof”. It seems that many today view scientific knowledge and proof in the same way and forget that even within science there are a priori assumptions at play; never mind the fun that ensues when we talk about sense data and what that data represents. Needless to say debates are a great way to pass the time of a long commute!

Philosophy, Theology, Thoughts