Just came across this cartoon, by no means new, but wonderful, depicting a scientist’s view of the world, courtesy of the Abstruse Goose:

Yes, I can confirm it myself: this is exactly how I see the world. And then some.

While much of the media is busy debating how the United States already “lost” a cyberwar with North Korea, or how it should respond decisively (I agree), a few began to discuss the possible liability of SONY itself in the hack.

The latest news is that the hackers stole a system administrator’s credentials; armed with these credentials, they were able to roam SONY’s corporate network freely and over the course of several months, they stole over 10 terabytes (!) of data.

Say what? Root password? Months? Terabytes?

OK, I am going to go out on a limb here. I know nothing about SONY’s IT security, the people who work there, their training or responsibilities. And of course it wouldn’t be the first time for the media to get even basic facts wrong.

Still, the magnitude of the hack is evident. It had to take a considerable amount of time to steal all that data and do all that damage.

Which could not have possibly happened if SONY’s IT security folks actually knew what they were doing.

Not that I am surprised. SONY is not alone in this regard; everywhere I turn, corporations, government departments, you name it, I see the same thing. Security, all too often, is about harassing or hindering legitimate users. No, you cannot have an EXE attachment in your e-mail! No, you cannot install that shrink-wrapped software on your workstation! No, we cannot let you open TCP port 12345 on that experimental server!

Users are pesky creatures and most of them actually find ways to get their work done. Yes, their work. This is not about evil corporate overlords not letting you update your Facebook status or watch funny cat videos on YouTube. This is about being able to accomplish tasks that you are paid to do.

Unfortunately, when it comes to IT security, a flawed mentality is all too prevalent. Even on Wikipedia. Look at this diagram, for instance, illustrating the notion of defense in depth:

This, I would argue, is a very narrow-minded view of IT security in general, and the concept of in-depth defense in particular. To me, defense in depth means a lot more than merely deploying technologies to protect data through its life cycle. Here are a few concepts:

1. Partnership with users: Legitimate users are not the enemy! Your job is to help them accomplish their tasks safely, not to become Mordac the Preventer from the Dilbert comic strip. Users can be educated, but they can also be part of your security team, for instance by alerting you when something is not working quite the way it was expected.
2. Detection plans and strategies: Recognize that, especially if your organization is prominently exposed, the question is not if but when. You will get security breaches. How do you detect them? What are the redundant technologies and methods (including organization and education) that you use to make sure that an intrusion is detected as early as possible, before too much harm is done?
3. Mitigation and recovery: Suppose you detect an intrusion. What do you do? Perhaps it’s a good idea to place a “don’t panic” sticker on the cover page of your mitigation and recovery plan. That’s because one of the worst things you can do in these cases is a knee-jerk panic response shutting down entire corporate systems. (Such a knee-jerk reaction is also ripe for exploitation. For instance, a hacker might compromise the open Wi-Fi of the coffee shop across the street from your headquarters before hacking into your corporate network, intentionally in such a way that it would be discovered, counting on the knee-jerk response that would drive employees in droves across the street to get their e-mails and get urgent work done.)
4. Compartmentalization. I don’t care if you are the most trusted system administrator on the planet. It does not mean that you need to have access to every hard drive, every database or every account on the corporate network. The tools (encrypted databases, disk-level encryption, granulated access control lists) are all there: use them. Make sure that even if Kim Jong-un’s minions steal your root password, they still wouldn’t be able to read data from the corporate mail server or download confidential files from corporate systems.
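The detection idea in points 2 and 4 above, as an added example that is not part of the original post: given per-account daily flow summaries, flag a sudden egress spike, flag sustained egress against an absolute budget (a baseline-relative rule alone stops firing once weeks of bulk transfer have become the account's "normal"), and flag one account touching many internal hosts in a day. The log format, account names, hosts, volumes and thresholds are all constructed for illustration.

```python
"""Spotting a slow, weeks-long bulk exfiltration in constructed flow records."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

MB = 1_000_000
GB = 1_000_000_000


def build_sample_flows(days=40):
    """Constructed records: (day, account, src_host, dst, bytes_out).

    Two ordinary users keep a flat profile. The admin account looks normal
    for ten days, then pushes ~60 GB a day to one external address from
    eight different internal hosts: modest per day, terabytes over weeks.
    """
    start = date(2014, 9, 1)
    flows = []
    for i in range(days):
        day = start + timedelta(days=i)
        flows.append((day, "alice", "ws-alice", "ext:cloud-mail", 180 * MB + (i % 3) * 10 * MB))
        flows.append((day, "bob", "ws-bob", "ext:cloud-mail", 220 * MB + (i % 5) * 10 * MB))
        if i < 10:
            flows.append((day, "svc-admin", "jump01", "ext:patch-mirror", 300 * MB))
        else:
            for n in range(8):  # 8 x 7.5 GB = 60 GB per day to a constructed address
                flows.append((day, "svc-admin", f"fileserver{n:02d}", "ext:203.0.113.10", 7500 * MB))
    return flows


def is_external(dst):
    return dst.startswith("ext:")


def daily_profile(flows):
    """Per (account, day): bytes sent to external destinations, and internal hosts used."""
    egress = defaultdict(int)
    hosts = defaultdict(set)
    for day, account, src, dst, nbytes in flows:
        hosts[(account, day)].add(src)
        if is_external(dst):
            egress[(account, day)] += nbytes
    return egress, hosts


def detect(flows, baseline_days=7, spike_factor=5.0, window_days=30,
           window_budget=1000 * GB, host_limit=5):
    """Return sorted findings (day, account, kind).

    spike:     today's egress > spike_factor x median of the previous
               baseline_days days (only once a full history exists)
    sustained: egress over the trailing window_days > window_budget, an
               absolute ceiling that does not drift with the attacker
    roaming:   account active on more than host_limit internal hosts
    """
    egress, hosts = daily_profile(flows)
    accounts = {a for a, _ in hosts}
    days = sorted({d for _, d in hosts})
    findings = []
    for account in accounts:
        for idx, day in enumerate(days):
            today = egress.get((account, day), 0)
            history = [egress.get((account, d), 0) for d in days[max(0, idx - baseline_days):idx]]
            if len(history) == baseline_days and today > spike_factor * median(history):
                findings.append((day, account, "spike"))
            window = [egress.get((account, d), 0) for d in days[max(0, idx - window_days + 1):idx + 1]]
            if sum(window) > window_budget:
                findings.append((day, account, "sustained"))
            if len(hosts.get((account, day), ())) > host_limit:
                findings.append((day, account, "roaming"))
    return sorted(findings)


def summarize(findings):
    """Per (account, kind): first flagged day (ISO) and number of days flagged."""
    out = {}
    for day, account, kind in findings:  # findings arrive sorted by day
        first, count = out.get((account, kind), (day.isoformat(), 0))
        out[(account, kind)] = (first, count + 1)
    return out


if __name__ == "__main__":
    for (account, kind), (first, count) in sorted(summarize(detect(build_sample_flows())).items()):
        print(f"{account:10s} {kind:10s} first={first} days={count}")
```

In the constructed data the spike rule fires for only four days before the 60 GB days dominate the baseline, while the budget and roaming rules keep firing for the rest of the period.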

SONY’s IT department probably failed on all these counts. OK, I am not sure about #1, as I never worked at SONY, but why would they be any different from other corporate environments? As to #2, the failure is obvious: it must have taken weeks if not months for the hackers to extract the reported 10 terabytes. They very obviously failed on #3, and if the media reports about a system administrator’s credentials are true, #4 as well.

Just to be clear, I am not trying to blame the victim here. When your attackers have the resources of a nation state at their disposal, it is a grave threat. But this is why IT security folks get the big bucks. I can easily see how, equipped with the resources of a nation state, the attackers were able to deploy zero day exploits and other, perhaps previously unknown techniques that would have defeated technological barriers. (Except that maybe they didn’t… the reports say that they stole user credentials and, I am guessing, there is a good chance that they used social engineering, not advanced technology.) But it’s one thing to be the victim of a successful attack, it’s another thing not being able to detect it, mitigate it, or recover from it. This is where IT security folks should shine, not harassing users about EXE attachments or with asinine password expiration policies.

If you thought that the scary news from yesterday was the mass murder of 145 people at a Pakistani school, think again. Tragic as that event was, it has zero effect on your security or well-being unless you happen to live in northern Pakistan.

But what happened in Russia yesterday may threaten the security of us all. The Russian central bank’s decision to hike rates by a whopping 6.5% overnight is a sign that the Russian economy is in deep trouble. Worse yet, it is unlikely that Putin will change course, since his popularity is based mainly on his newfound nationalism, not his economic performance.

Which raises the possibility that Putin will lash out and do something stupid. Not just in the Ukraine but, perhaps in a fatal miscalculation, in the Baltic region. If he has any reason to think that NATO would not respond to Russian aggression in places like Estonia, we are all in deep trouble, because I cannot see how NATO would not respond… and that, of course, is a nightmare scenario.

Meanwhile, Obama made the bombshell announcement of restoring diplomatic ties with Cuba. Long, long, long overdue. (To those who think this amounts to appeasing a communist regime, all I can say is, look how well the policy of isolation worked in the last 50+ years.) I also wonder what the Kremlin’s masters think about this. Cuba was one reliable ally in America’s backdoor that they could always count on… what is going to happen now?

We seem to be living in interesting times.

Recently, I had to fill out some security-related forms with the Canadian government. To do so, I had to log on to a government Web site and create an account using a preassigned, unmemorizable user ID.

While I was doing that, I had to set up a password. It seems that the designers of the government Web site are familiar with XKCD, because their password policy (which also includes frequent password expiration and rules to prevent the reuse of old passwords) seemed like an exact copy of the policy ridiculed here:

Once I managed to get past this hurdle, I had to complete some forms that were downloadable as PDFs. Except that the forms (blank forms!) were in the form of encrypted PDFs, which made it impossible for me to load them with my old copy of Acrobat 6.0 for editing. The encryption was trivial to break (print to PostScript, remove encryption block using an editor, convert back to PDF) but it was there just as an annoyance.

If they invited me to audit their security policy (of course they wouldn’t), I’d ask them the following questions:

1. What is the rationale of your password expiration/password strength policy, ignoring best advice from actual security experts who know the meaning of terms like “entropy”? What are the data supporting Draconian rules that, effectively, force infrequent users to change their passwords every time they log on to your system?
2. What is the rationale behind your policy to encrypt PDF files unnecessarily? Exactly what threat is this supposed to address, and what is the anticipated outcome of employing this security measure?
3. Now that you have successfully alienated your users, what are your plans for detection, analysis, mitigation and recovery in case a real attack occurs? Would you even know when it happens?

I suspect that the real answer to the last question is a no. Security theater is not about protecting systems or preventing attacks; it’s about protecting incompetent hind parts from criticism.

The news tonight is that SONY has pulled The Interview from theaters, with no plans to release the movie at this time either through theaters or digitally.

This is wrong on so many levels.

Most importantly, because that grown up crybaby, that Eric Cartman from the land of dictators, should not have his way. Simply put, Kim Jong-un is not just a murderous jackass like his pa and his grandpa, he is also a vain little bully with a bloated ego who is throwing a hissy fit because someone dared to joke at his expense.

Dear little Kim Jong-un… grow up already. Right now, even South Park’s characters seem wise and mature in comparison.

I don’t usually like the idea of accessorizing kittycats, but Rufus is such an elegant creature, a bow tie seemed like an absolute necessity.

The cat who photobombed the shot in the background is our oldest kitty, Kifli.

And, since someone will inevitably ask for it, here is a picture of Rufus in the infrared (sans bow tie, this time):

Today, I became a proud owner of a new smartphone attachment: a thermal camera.

I long wanted to have a thermal camera, but the prices were frivolously high. One of the cheapest cameras from FLIR, for instance, the TG165, costs five hundred dollars and has a measly 80 x 60 pixel sensor resolution. FLIR has a smartphone thermal camera attachment that’s cheaper, but its resolution is also low, and it only works with the iPhone.

In contrast, the Seek Thermal camera attachment costs only two hundred bucks and has a 206 x 156 pixel sensor, which is quite decent, insofar as thermal sensors go. And it works with Android phones, notably my Samsung S3. Better yet, much to my delight I found out that the device is actually manufactured in the United States.

So I knew immediately what I wanted for Christmas. Okay, it arrived a little early, but that’s okay. It is a lovely little device, nicely packaged, looks very well manufactured, with a protective jewel case for safe storage when not in use.

And this is what I look like in the infrared:

Lovely mugshot, isn’t it.

Now let me get this straight. You are a teenage thug who thinks it’s okay to use your bulk and strength to commit strongarm robbery. You take this a step too far when you encounter and threaten a cop who, in fear of his life, uses his firearm and kills you. And then you become… a national hero? A symbol of racial oppression in America?

I am not blind to the fact that racism remains prevalent in the USA. I know very well that a lot of the criticism of President Obama boils down to the simple fact that he is one uppity negro, an unforgivable crime in the eyes of too many. I understand all too well that despite exceptional success stories like that of Mr. Obama, the United States has a long way to go when it comes to eliminating racial prejudice. And I followed the news about the inept brutality of the police in Ferguson, including the arbitrary detention and arrest of reporters, a prominent Canadian journalist among them.

But Michael Brown was no saint. He was not a victim of racism. Nor was he a “gentle giant”. He was a thug who lived by, and died by the use of force. I am not saying that shoplifting, or even strongarm robbery, deserve the death penalty, but when you threaten an armed police officer, don’t be surprised if he reaches for his gun (as he has every right to do.)

And yes, Mr. Brown threatened the police officer. The grand jury found that it is so, and the physical evidence supports that conclusion. We may never know exactly what happened, but Mr. Brown’s DNA was found inside the police car and on the officer’s weapon, and unless you believe the cockamamie tale that the officer went berserk and decided to pull his much bigger opponent into the car through the car window, there is only one plausible way this could have happened: the way officer Wilson described it.

Unfortunately it was clear from the beginning that only one outcome would quiet the unruly masses: an indictment followed by a swift conviction. But I don’t believe in lynch mobs. As Barack Obama himself said, America is a land of the rule of law.

And just to be clear: I am not Michael Brown. I am not a thug, a petty criminal. I do not use my physical strength to rob convenience stores. And this has nothing to do with skin color. Nor do I believe that rioting, looting, and setting fire to businesses is the right answer to racial injustice.

Here is what my wife is like this morning:

That is because this is the view from our window this morning:

Oh well. Better than global warming, I suppose.

Kim Lane Scheppele is a professor of sociology and international affairs at Princeton University. She is also an expert on constitutional law in Hungary. Her writings have frequently appeared in publications such as The New York Times.

A few days ago, Dr. Scheppele gave a video interview to an English-language Hungarian newspaper, the Budapest Beacon. In the interview, she explains how, in her opinion, Hungary can no longer be considered a constitutional democracy: how the system of checks and balances has been gutted, and how a constitution that more closely resembles the country’s 1949 Stalinist constitution than the supposedly “communist” 1989 constitution it was intended to replace was enacted unilaterally by a ruling party enjoying a two-thirds parliamentary supermajority.

Dr. Scheppele is not some liberal hack. She is an internationally renowned scholar. Her opinions are not arbitrary. Unfortunately, I do not expect to see meaningful change to happen anytime soon in the country of my birth, and I don’t think anything Dr. Scheppele says can alter this sad fact.

Judging by the enthusiastic reaction I just saw moments ago on CBC Newsworld, the lander Philae, part of the Rosetta mission to the comet 67P/Churyumov-Gerasimenko, has landed successfully.

This is big. This is the first time a man-made device landed on a comet. It is called “primary exploration”.

It is also big for the European Space Agency. Rosetta is a major deep space mission: the spacecraft spent ten years traveling to this comet.

All in all, wonderful news.

Today is Remembrance Day in Canada.

Unlike the Remembrance Days of recent years, today is perfect. The Sun is shining, the temperature is going to hit double digits. It is a sparkling, beautiful, almost unnaturally splendid late autumn day.

The combination of exceptional weather and the recent death of Cpl. Cirillo, gunned down last month while guarding the very memorial where Remembrance Day ceremonies will take place, will bring exceptional crowds.

But today is not a day of celebration. It is a day to remember.

To remember the War to End All Wars, which began exactly 100 years ago. Far from ending all wars, it claimed nearly 40 million lives, and redrew the maps of Europe, laying the groundwork for another, even more devastating war less than a quarter century later. To remember all the dead: not just Canadians, not just Allied soldiers, indeed, not only just soldiers but also civilians who suffered and died in even greater numbers.

To remember, for instance, my wife’s great-grandfather, who served in the Austro-Hungarian army at one of the bloodiest fronts of the Great War, along the Isonzo river in present-day Slovenia. His little notebook [in Hungarian] detailing, often in verse, his horrendous experience in the trenches, was found among the papers left behind by my wife’s father when he died.

To remember my great uncle Béla, who taught me to play chess when I was little and who was the first among elder family members who awakened my interest in science and mathematics. Uncle Béla served in both world wars and (if I remember family lore correctly) even spent some time as a POW. A memento, a stringless balalaika, hung on the wall of their tiny, bathroom-less working-class flat in central Budapest, where he lived with his wife, aunt Flóra, until his death.

To remember my grandfather on my mother’s side, whom I never met, as he passed away a year before I was born. He spent some horrendous months as an army engineer near the Don river; he only escaped the devastating defeat of the Second Hungarian Army (and thus, likely death or long-term captivity in Stalin’s gulag) because he was allowed to return to Budapest after contracting pneumonia. Nonetheless, what he went through there probably contributed to his declining health and the massive stroke or brain hemorrhage that struck him just a few years later and left him severely disabled for the last 15 years of his life. He was several years younger than I am at present when his life effectively came to an end.

His wife, my grandmother, was responsible for keeping a family of six (including a newborn baby and two preschoolers, one of them my Mom) alive and fed through the siege of Budapest, when the family spent an entire winter in a basement bomb shelter, even as she herself was coping with illness that nearly took her life.

As I am writing down these thoughts, I am listening to the musical Johnny Johnson, by Kurt Weill. Weill, well-known for his Threepenny Opera, is one of my favorite 20th century composers. He escaped Germany when the Nazis came to power in 1933, to live the rest of his all too short life (he was only 50 when he died) in the United States. It was here that he composed Johnny Johnson, an astonishing anti-war musical. One of my favorite songs has a German and an American priest preaching in canon on the battlefront to their respective troops: one in German, one in English, but preaching the exact same words. But perhaps the most heart-rending scene is at the very end: the protagonist, Johnny Johnson, is now a toymaker selling his “toys for nice little girls and boys” on the street. Unfortunately, nobody is buying: they are more interested in the speech of a politician just a block away, calling for another war.

The title of Johnny Johnson was inspired by the fact that the name appeared on United States casualty rolls more often than any other.

Earlier today, someone I know shared a video on Facebook. The video is just a text slide show, retelling a story that, according to snopes.com, has been around for almost a century.

Condensed version: an atheist university professor keeps ridiculing religion year after year in his class, “demonstrating” that God does not exist by dropping a piece of chalk, which shatters into pieces as God fails to intervene. When finally, just as a young man stands up to him, the demonstration fails (the chalk slips from the professor’s fingers and does not break), the humiliated professor flees the classroom, leaving the young man sharing his faith in Jesus with his fellow students for the next half hour. The video version then laments people’s lack of faith and how everyone wants to go to heaven but so few are willing to do what it takes.

I felt compelled to reply to the post of my Facebook friend. I told him that as a committed atheist, I would call the professor of this story a much bigger fool than he thought his religious students were. He basically turned his atheism into a matter of faith… a religion, in other words, with himself the firebrand preacher.

The chalk story reminds me of the joke about a deeply religious person who is caught in a flood. When rescuers come to his door, he refuses the help. “God will help me”, he says. When later he has to climb to the top floor of his house to escape the waters and rescuers in a boat arrive at the window, he once again rejects their assistance. Finally, when a helicopter tries to rescue him from his rooftop, he again says no. Needless to say, he dies and finds himself in heaven before God. He asks, “God, I feared you, loved you, prayed to you all my life, why didn’t you help me in my deepest need?” God answers, “I sent you rescuers on foot, I sent you a boat, I even sent you a bleeping helicopter, what more do you want?”

The moral of the story is not that God does parlor tricks, as in the chalk story. (That just kind of ruined it for me, to be honest. Is the Christian God really just a stage magician?)

The moral of the story is that if there had been true believers in that classroom, and I mean true believers, not just timid, half-committed people practicing a form of Pascal’s Wager in the vain hope for a better chance in the afterlife, one of them would have stood up and caught the chalk long ago. And then, perhaps even the half-hour sermon would not have been necessary afterwards to convince others of the purity and depth of his faith.

And yes, I am a committed atheist. It does not stop me from respecting, even defending other people’s right to their faith, though I have no use for it. And no, everyone does not want to go to heaven. I have no need for an imaginary kindergarten afterlife. I just want to make the most of this one life here on Earth, as a decent (I hope) human being. Which includes not ridiculing others for their faith, even if I myself find the subject of that faith somewhat ridiculous.

Once again my country of birth, Hungary, made it to the cover of both the North American and Asian editions of The New York Times.

And not for a good reason.

The article laments that, 25 years after the collapse of the Berlin Wall, Hungary, which was back then at the forefront of the transition from communism to democracy, is now turning away from Western values. That the prime minister, the same Mr. Orban who once played a leading role in that transition, now rejects Western values and preaches “illiberal democracy”, citing countries like Russia or Turkey as worthy examples.

Such criticisms are routinely rejected by supporters of Mr. Orban as “misguided”, a product of a Western media that “only listens to liberal critics”. And this plays well with an audience that is accustomed to the notion of national victimhood. Hungary is seen by many Hungarians as a victim throughout history. The country was a victim of the Paris-Versailles peace treaties. A victim of Germany and national socialism. A victim of communism. And now, a victim of Brussels’ new “colonialism”.

Even the national anthem is all about victimhood: “Fate, who for so long did’st frown / Bring him happy times and ways / Atoning sorrow hath weighed down / Sins of past and future days.”

Maybe one day the focus in Hungary will shift from victimhood to responsibility, to being accountable for one’s actions. Maybe that day, Hungary will no longer be easy prey to populist demagogues like Mr. Orban.

But I am not holding my breath.

Many popular science books and articles mention that the Standard Model of particle physics, the model that unifies three of the fundamental forces and describes all matter in the form of quarks and leptons, has about 18 free parameters that are not predicted by the theory.

Very few popular accounts actually tell you what these parameters are.

So here they are, in no particular order:

1. The so-called fine structure constant, $$\alpha$$, which (depending on your point of view) defines either the coupling strength of electromagnetism or the magnitude of the electron charge;
2. The Weinberg angle or weak mixing angle $$\theta_W$$ that determines the relationship between the coupling constant of electromagnetism and that of the weak interaction;
3. The coupling constant $$g_3$$ of the strong interaction;
4. The electroweak symmetry breaking energy scale (or the Higgs potential vacuum expectation value, v.e.v.) $$v$$;
5. The Higgs potential coupling constant $$\lambda$$ or alternatively, the Higgs mass $$m_H$$;
6. The three mixing angles $$\theta_{12}$$, $$\theta_{23}$$ and $$\theta_{13}$$ and the CP-violating phase $$\delta_{13}$$ of the Cabibbo-Kobayashi-Maskawa (CKM) matrix, which determines how quarks of various flavor can mix when they interact;
7. Nine Yukawa coupling constants that determine the masses of the nine charged fermions (six quarks, three charged leptons).

OK, so that’s the famous 18 parameters so far. It is interesting to note that 15 out of the 18 (the 9 Yukawa fermion mass terms, the Higgs mass, the Higgs potential v.e.v., and the four CKM values) are related to the Higgs boson. In other words, most of our ignorance in the Standard Model is related to the Higgs.

Beyond the 18 parameters, however, there are a few more. First, $$\Theta_3$$, which would characterize the CP symmetry violation of the strong interaction. Experimentally, $$\Theta_3$$ is determined to be very small, its value consistent with zero. But why is $$\Theta_3$$ so small? One possible explanation involves a new hypothetical particle, the axion, which in turn would introduce a new parameter, the mass scale $$f_a$$ into the theory.

Finally, the canonical form of the Standard Model includes massless neutrinos. We know that neutrinos must have mass, and also that they oscillate (turn into one another), which means that their mass eigenstates do not coincide with their eigenstates with respect to the weak interaction. Thus, another mixing matrix must be involved, which is called the Pontecorvo-Maki-Nakagawa-Sakata (PMNS) matrix. So we end up with three neutrino masses $$m_1$$, $$m_2$$ and $$m_3$$, and the three angles $$\theta_{12}$$, $$\theta_{23}$$ and $$\theta_{13}$$ (not to be confused with the CKM angles above) plus the CP-violating phase $$\delta_{\rm CP}$$ of the PMNS matrix.

So this is potentially as many as 26 parameters in the Standard Model that need to be determined by experiment. This is quite a long way away from the “holy grail” of theoretical physics, a theory that combines all four interactions, all the particle content, and which preferably has no free parameters whatsoever. Nonetheless the theory, and the level of our understanding of Nature’s fundamental building blocks that it represents, is a remarkable intellectual achievement of our era.

The once famous Hungarian language broadcasts of Radio Free Europe ceased more than two decades ago, shortly after the end of communism in my country of birth.

Now, however, Radio Free Europe joined the growing choir of voices concerned about the policies of Hungary’s current government, and the country’s slide away from the values of Western-style liberal democracy.

This article, which will no doubt be dismissed by supporters of the ruling FIDESZ party as misguided and uninformed, misled by “liberal propaganda”, provides a nice summary of the events that unfolded in the country in recent years. It is also accompanied by a video report, which details the rising popularity of the ultra-right in Hungary and the dangers that it represents.

I just feel compelled to repeat the famous quotation by the Spanish-American poet, writer and philosopher George Santayana: “Those who do not remember the past are condemned to repeat it.”

Spacecraft sometimes catch a glimpse of the Sun as it reflects off a sea or an ocean. Here is an example:

Except that this example was not captured by an Earth-orbiting spacecraft. The sea here is not a terrestrial ocean. It is a hydrocarbon sea of Saturn’s largest moon, Titan.

Just to clarify, the reflection of the Sun is in the upper left of the image, where the outline of the sea is also clearly visible. The redder, arrow-shaped object closer to the center is a cloud formation.

The parkways of the Gatineau Park are now closed and the autumn colors are nearly gone. Still, my wife and I enjoyed a pleasant walk today in the outskirts of the park, after a fine lunch at Le Buffet des Continents.

Autumn remains my favorite season. My only complaint is that it ends too soon, and it is often followed by a nasty winter.

This afternoon, I felt compelled to take a walk to downtown Ottawa. Our home is within walking distance of Parliament Hill and the National War Memorial, where a deranged shooter killed a ceremonial guard, Corporal Nathan Cirillo.

It was a beautiful autumn day and the walk was very enjoyable. On my way downtown, I dropped by my favorite computer store (Canada Computers, on Rideau Street) to purchase some needed cables. Then I continued.

There was quite a crowd at the War Memorial, and it was full of flowers. Flowers, flowers and more flowers. Also, many Canadian flags.

And it so happened that I was very lucky: I caught the changing of the guard ceremony. I even managed to record it on video.

Near the end of the clip, a police officer (armed with what appeared to be a fully automatic weapon) crosses in front of my phone camera. He apologized for doing so (I can be heard muttering, “no problem,” on the video). After I was done recording, I stepped over to the policeman and had a brief conversation with him. I mentioned to him that it is an unfortunate necessity that he has to be part of the picture. He understood immediately what I meant. I also thanked him for his service.

I then carried on, right up to Parliament Hill. As a free citizen of a free country, I entered the grounds without encountering any guards, obstacles, metal detectors or other obscenities. It occurred to me that this is the first time I walked on Parliament Hill in 41 years.

The flag on top of the Peace Tower is still at half mast.

I also managed to take a panoramic photo of sorts of the view from the Hill:

Ottawa is still a beautiful city. And, having just returned from the Middle East, it was good to reassure myself that it remains a free city of a free people.

On my way back from sunny Abu Dhabi to autumn Ottawa. My wife asked me to bring some warm weather. I’ll try…

When you fly over trouble spots, the flight path can get interesting.

Our flight carefully avoided Iraqi, Syrian and Ukrainian airspace. We also spent as little time in Iranian skies as possible.

Soon, we’ll be flying over Hungary. Maybe I should try to wave to my Mom, in case she sees me…