Asheeshworld

Absurd Asheesh lunch: Friday April 20, MIT Media Lab, 1 PM

2012-04-20T12:24:30Z

I'm visiting the Boston area for a few hours (like literally less than 24), and so I thought I'd stop by the MIT Media Lab's 5th floor lounge and have lunch there with Deb, and anyone else who wants to join.

Bring lunch from home, or buy food at the lovely MIT trucks, or just come for the company.

It's quite easy to get to; take the Red Line to Kendall, then walk to the end of the street with the food trucks. If you need help finding me/it, call my cell phone!

P.S. I'm in town just while in transit to Troy, NY, to run an open source teaching workshop there.

Advocacy-free

2012-04-07T21:13:37Z

advocacy-free My writing used to be heavily philosophical, with lots of advocacy and questioning. I still consider the why of things much more meaningful than the how, but it's time to focus on the how rather than the why. I'm making this little writing place a "no trolling zone." I will try to avoid preaching, and the obvious corollary is that I will also avoid worrying about whether people agree or disagree. Instead, I will try to simply share little pieces of code as it comes to me. There is no advocacy on here. I frequent a few scuba diving forums. One annoying part of scuba culture is that it can be very polarizing. A bunch of people over here say there is only One True Way to dive, right down to using the exact same equipment as each other. Another bunch of people over there disregard the conventional wisdom and choose to dive solo, attracting criticism from young and old. The forums discovered a long time ago that running flame wars simply drove members away, so they have instituted "no trolling" zones within their boards, places where people can discuss the how of solo diving, or sidemounting, or DIR, without getting into a battle of whether such a thing is a good idea or not.

-- Reg Braithwaite.

Help a BSD developer bike across the US, and give hope to cancer communities

2012-02-18T22:31:33Z

'Cancer' is a cluster of diseases, a betrayal by the majesty and power of the development program that constructed and heals us.

Support Venkatesh's bike ride, and alleviate the toll of cancer.

My friend Venkatesh, pictured above, is going to bike four thousand miles, all the way across the continental US, from Baltimore to Portland. He's doing it to raise money for the Ulman Cancer Fund for Young Adults. I'm writing this because I want you to donate money to his cause. He's a DragonFly BSD developer, loves bikes, and your donation could make a big difference.

I first met Venkatesh through the Johns Hopkins computer club, an ACM chapter. I was the head of the club, and he had just started his career at Hopkins. He was looking for advice on running Brickwiki, the LEGO encyclopedia. Quickly, I became his friend; in that time, I've learned the following things about him.

He is friendly!
He believes in science; beyond just writing sharp code, he likes to ask questions.
He is melodramatically attracted to the power and complexity of biology. (The above quote about cancer are his words.)
He wants to do something to make cancer less of a killer.

In the years since I graduated from Hopkins, I've been impressed by Venkatesh's ongoing curiosity and contributions to open source projects like DragonFly. I'm honored to have this chance to help him bike across the country for a good cause.

Here is a quick word about the 4K for cancer effort:

Since 2002, groups of college students have undertaken a 70 day, 4000+ mile summer bike ride across the United States with the goal of offering hope, inspiration and support to cancer communities along the way.

This past summer was our 10th year of cycling across the country as 76 volunteers rode along three different routes: Baltimore to San Francisco, Baltimore to Portland, and Baltimore to Seattle. Our riders raised a combined $476,000 to support organizations and individuals in the fight against cancer.

His fundraising goal is $5,000. Anything from $5 to $500 is a donation to an organization that helps young adult cancer surviers and their families get access to information and support resources. Can you help?

Short key IDs are bad news (with OpenPGP and GNU Privacy Guard)

2011-12-26T22:21:15Z

Summary: It is important that we (the Debian community that relies on OpenPGP through GNU Privacy Guard) stop using short key IDs. There is no vulnerability in OpenPGP and GPG. However, using short key IDs (like 0x70096AD1) is fundementally insecure; it is easy to generate collisions for short key IDs. We should always use 64-bit (or longer) key IDs, like: 0x37E1C17570096AD1 or 0xEC4B033C70096AD1.

TL;DR: This now gives two results: gpg --recv-key 70096AD1

Some background, and my two keys

Years ago, I read dkg's instructions on migrating the Debian OpenPGP infrastructure. It told me that the time and effort I had spent getting my key into the strong set wasn't as useful as I thought it had been.

I felt deflated. I had put in quite a bit of effort over the years to strongly-connect my key to a variety of signatures, and I had helped people get their own keys into the strong set this way. If I migrated off my old key and revoked it, I'd be abandoning some people for whom I was their only link into the strong set. And what fun it was to first become part of the strong set! And all the eyebrows I raised when I told people I was going meet up with people I met on a website called Biglumber... I even made it my Facebook.com user ID. So if I had to generate a new key, I decided I had better really love the short key ID.

But at that point, I already felt pretty attached to the number 0x70096AD1. And I couldn't come up with anything better. So that settled it: no key upgrade until I had a new key whose ID is the same as my old key.

That dream has become a reality. Search for my old key ID, and you get two keys!

$ gpg --keyserver pgp.mit.edu --recv-key 0x70096AD1
gpg: requesting key 70096AD1 from hkp server pgp.mit.edu
gpg: key 70096AD1: public key "Asheesh Laroia <asheesh@asheesh.org>" imported
gpg: key 70096AD1: public key "Asheesh Laroia <asheesh@asheesh.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 2
gpg:               imported: 2  (RSA: 1)

I also saw it as an opportunity: I know that cryptography tools are tragically easy to mis-use. The use of 32-bit key IDs is fundamentally incorrect -- too little entropy. Maybe shocking people by creating two "identical" keys will help speed the transition away from this mis-use.

A neat stunt abusing --refresh-keys

Thanks to a GNU Privacy Guard bug, it is super easy to get my new key. Let's say that, like many people, you only have my old key on your workstation:

$ gpg --list-keys | grep 70096AD1
pub   1024D/70096AD1 2005-12-28

Just ask GPG to refresh:

$ gpg --keyserver pgp.mit.edu --refresh-keys
gpg: refreshing 1 key from hkp://pgp.mit.edu
gpg: requesting key 70096AD1 from hkp server pgp.mit.edu
gpg: key 70096AD1: public key "Asheesh Laroia <asheesh@asheesh.org>" imported
gpg: key 70096AD1: "Asheesh Laroia <asheesh@asheesh.org>" not changed
gpg: Total number processed: 2
gpg:               imported: 1  (RSA: 1)
gpg:              unchanged: 1
gpg: no ultimately trusted keys found

You can see that it set out to refresh just 1 key. It did that by querying the keyserver for the short ID. The keyserver provided two hits for that query. In the end, GPG refreshes one key and actually imports a new key into the keyring!

Now you have two:

$ gpg --list-keys | grep 70096AD1
pub   1024D/70096AD1 2005-12-28
pub   4096R/70096AD1 2011-03-11

There is a bug filed in GNU Privacy Guard about this. It has a patch attached. There is, at the moment, no plan for a new release.

A faster attack, but nothing truly new

My friend Venkatesh tells me there is an apocryphal old Perl script that could be used to generate key ID collisions. Here in the twenty-first century, l33t h4x0rz like Georgi Guninski are trying to create collisions.

In May 2010, "halfdog" posted a note to the full-disclosure list that generates PGP keys with chosen short key IDs. I haven't benchmarked or tested that tool, but I have used a different tool (private for now) that can generate collisions in a similar fashion. It takes about 3 hours to loop through all key IDs on a dinky little netbook.

You don't have to use any of these tools. You can just rent time on an elastic computing service or a botnet, or your own personal computer, and generate keys until you have a match.

I think that it's easy to under-estimate the seriousness of this problem: tools like the PGP Key Pathfinder should be updated to only accept 64-bit (or longer) key IDs if we want to trust their output.

My offer: I will make you a key

I've been spending some time wondering: What sort of exciting demonstration can I create to highlight that this is a real problem? Some ideas I've had:

Publish a private/public key pair whose key ID is the same as Phil Zimmerman's, original author of PGP
Publish a private/public key pair whose key ID is the same as Werner Koch's, maintainer of GNU Privacy Guard
Publish a set of public keys that mimic the entire PGP strong set, except where I control the private key of all these keys

The last one would be extremely amusing, and would be a hat-tip to some work discussed in Raph Levien's Google Tech Talk about Advogato.

For now, here is my offer: If you send me a request signed with a key in the strong set, I will create a 4096-bit RSA public/private key pair whose 32-bit key ID is one greater than yours. So if you are 0x517DD4E4 I will generate 0x517DD4E5.

I will post the keys here, along a note about who requested it, and instructions on how to import them into your keyring. (Note: I will politely decline to create a new key whose 32-bit key ID would create a collision; apologies if your key ID is just one away from someone else's.)

P.S. The prize for best sarcastic retort goes to Ian Jackson. He said, "I should go and create a lot of keys with your key ID. I'll set the real name to 'Not Asheesh Laroia' so everyone is totally clear about what is going on."

Learning baritone again (for the Russian Nonsemble)

2011-12-26T06:46:17Z

In fifth and sixth grade, I used to play the baritone horn. A few weekends ago, I played a show with the Russian Nonsemble. Look for me in a blue shirt and tie:

When I joined the Brighton public school system in fifth grade, other students had been playing musical instruments for a year. I tried a few different options, and I settled on the baritone. Maybe I really liked the sound, or how buzzing works with a mouthpiece and combines with the entire horn. Maybe I was suggestible and accepted something that the band needed.

I learned the instrument on bass clef, which was its own oddity. It was a little confusing to use bass clef in band and treble clef in chorus, but I managed. (Maybe this exercise taught me something about the concept of equivalence.)

There is something relaxing about playing the baritone: I am not keeping the melody. The tone quality I send out is not, at least in a fifth grade band, make or break the performance. One downside is that, with the highly repetitious lines, it can be easy to get lost.

Early in the sixth grade, our band director asked for volunteers to learn the French horn. Steve Marler picked it up for the musical challenge. I picked it up because I was willing to fill an institutional need.

It was a lot of fun to play French horn. Well, it was a challenge, at least. Every single group performance setting I had for the French horn -- from sixth grade through high school, through the Johns Hopkins concert band -- there was someone sitting next to me who was a full notch better at me. It was disheartening, to be honest.

I stopped playing horn somewhere in college. For a while I played mellophone in the Johns Hopkins pep band, but that wound down eventually.

About a year ago, my friend Irina invited me to be part of a band, for which she lent me a baritone.

Halfway through the concert you see above, I began to do more than just read the music. I listened to the sound of the band and looked at my bandmates, making bom-pom sounds on the horn while bobbing up and down with the rhythm of the song we were playing.

Thanks to Jess Schumann for taking the picture!

Computer fraud and abuse by Universal Music Group

2011-12-17T22:48:32Z

It seems that Universal Music Group willfully misrepresented its copyright interest and probably violated its service contract with YouTube. By my understanding of the Computer Fraud and Abuse Act, UMG likely took actions that exceed authorized access, subjecting it to criminal prosecution. (I am just a computer enthusiast and not a lawyer, so I welcome corrections from others.)

The emerging details, reported by Wired.com's Threat Level blog, are as follows:

YouTube said Friday that Universal Music abused the video-sharing site’s piracy filters when it employed them to take down a controversial video of celebrities and pop superstars singing and praising the notorious file-sharing service Megaupload.

In particular, Google created a system for antipiracy that is being abused by UMG:

“Our partners do not have the right to take down videos from YT unless they own the rights to them or they are live performances controlled through exclusive agreements with their artists, which is why we reinstated it,” Google-owned YouTube said.

I look forward to a speedy criminal prosecution of the employees or board of Universal Music Group. If that is not feasible, perhaps the organization itself should be put behind bars.

Even if Megaupload.com fails in its own lawsuit against UMG, I eagerly await the criminal prosecution of UMG as in another case where Federal prosecutors had to get involved.

Twisted high scores

2011-12-12T07:44:56Z

Living in the Boston area, I've had the chance to spend time with the lovely maintainers of the Twisted project.

Twisted is an event-driven network programming framework in Python. It's also a community of people for whom software is never good enough -- and they're right.

I visited the Twisted November sprint at the Smarterer.com office a few weeks ago and reviewed a ticket. So now I am on the Twisted high scores list for November!

It was one of the most rewarding short periods of time I've ever spent contributing to an open source project. I took someone's contribution and turned it into a patch, and also gave some feedback. This counted as reviewing a ticket, for which I was immediately and strongly socially rewarded: J.P. (exarkun) turned to me and say, "Thanks for contributing to Twisted. An IRC bot pinged me with a note saying my ticket review was complete. And now I appear in the high scores list for November!

Vertical

2011-12-05T07:04:41Z

After the November Python Project Night, Noah and I unlocked our bicycles.

The OOT Killer

2011-11-28T06:33:41Z

Commitments require care, and recently I have been suffering from the delusion that making more commitments will make me more able to achieve them.

When overcommit reaches a certain point, the OOT (out of time) killer comes and reaps time from whatever it finds, often with disappointing consequences.

(See also: OOM Killer.)

How To Put Corporations in Jail and Prison (draft)

2011-11-10T17:20:38Z

In the U.S., some crimes carry jail or prison terms for the persons who commit them. Some of the persons who commit these crimes are so-called "natural persons" -- people like you and me. Some of them are corporations. This brief essay explains how and why to apply prison sentences to these artificial persons.

I am not a lawyer. I do live in a country with laws, and I worry that these "artificial persons" can skirt the law by being structured to avoid jail time. So I propose this draft, and I am interested in feedback.

1. A brief summary of jail and prison

First, let us review life for natural persons when they are convicted of a crime with a prison term. Prisoners may find themselves in a minimum-security institution, where they are given some small degree of autonomy, limited (but non-zero) access to communication systems like postal mail, telephones, and in-person visits, and are put to work. Persons who commit violent crimes and constitute a risk to other inmates may be incarcerated in a medium- or high-security facility; in these, inmates are carefully tracked and intensive barriers and check-points prevent too-great movement.

It can be disruptive for a person to find himself or herself behind bars, but it is a disruption that the legal system is willing to make so that the public can enjoy a law-abiding society.

Life in prisons is still life: inmates may always eat, drink water, think to themselves, and (as far as I know) make written notes to themselves. Many famous activists have spent time in jail or prison and gone on to continue their careers. Prisoners in low-security facilities may enjoy lots of communication with other persons, so long as it does not require the use of communication technology.

Persons spending time in prison may continue to own property outside of the prison. Their ability to use it while incarcerated is minimal to nonexistent, but they may have bank accounts, investments, or other financial instruments that appreciate in value.

2. How the structure of corporations makes law enforcement harder

Now that we have a concept of what prison is like, let us carefully consider what it means to be a corporation. Corporations are legal constructions, created to achieve a specific end. They have a primary place of business where individual natural persons meet to do work to help the corporation achieve those ends. Most corporations are created for the private profit of their founders.

The corporation is, fundamentally, a legally-approved veil over the collective activity of individual persons. This corporate veil limits the financial liability for its Directors; if the corporation owes rent on its property, for example, the Directors are not responsible personally for this debt. Virtually all actions of corporations are about the transfer of money. The existence of this structure is widely-considered a good, efficient thing.

Some actions of a corporation go beyond the transfer of money; some actions are criminal. At the moment, individual natural persons who commit crimes as part of their duties to the corporation may find themselves in court and possibly in jail. This can flow all the way up the chain to the Directors.

But if an employee is asked by her manager to commit a crime for the private inurement of the corporation, she is the one most at-risk for criminal proceedings. If a corporation profits from check fraud, the fines may be smaller than the profits earned.

The incentives are mis-aligned: if an investor calculates that the financial punishment for breaking the law will not hurt the corporation, he might urge the corporation to flout the law. The result might be dramatically increased profits with a side-effect of an employee or a Director in jail.

There is an elegant solution to this problem: when an agent for the corporation commits a crime with a jail term, the corporation should spend some time incarcerated as well. This brings us to the final part: the mechanics of applying jail and prison terms to corporations.

3. How to put companies behind bars

Rather than painstakingly identify the employees most responsible for lawbreaking within a corporation, it may be simpler to put the corporation behind bars. Practically speaking, this means moving the primary place of business of the corporation to a jail or prison.

In this regime, when a company is in jail, the employees must go to the jail and subject themselves to the standard restrictions of the jail as they go about their business. If the company has committed a violent offense (perhaps the calculated murder of citizens who live near its place of toxic waste dumping), then while employees are contributing their time to the corporation, they would be subject to highly-secured perimeter fences and close supervision.

Just like a natural person, the corporation can continue its life while in prison. It may have limited access to communication technology, but (depending on the security level of the facility) employees will be able to take notes on paper, send checks in the mail, plan the corporation's future actions, and possibly attend meetings with each other. If this is not enough to maintain the corporation's activities, it should have considered that before committing criminal acts.

One downside to this system is that as corporations are increasingly convicted of crimes, their employees could fill up our already-stretched prison capacity. This, and other practical problems, are easy to address if you consider the spirit of this proposal. The restrictions of prison life could be applied by sending jail wardens to corporate headquarters, where employees are scrutinized and restricted under the same rules as they would be in prison. The warden can be responsible for ensuring limits on communication technology use are enforced.

It can be disruptive for a corporation to find itself behind bars, but it is a disruption that the legal system should be willing to make so that the public can enjoy a law-abiding society.