Jonathan Walther wrote to
ask me an interesting question about the area of a Möbius strip.
I've been having a debate with a friend about how to calculate the area
of a moebius strip, where the moebius strip is constructed by taking a
1" by 10" area, twisting it, and joining the ends.
I have been maintaining that the area remains the same; that is, 10
square inches. My friend insists it is 20 square inches.
After discussion with my friend it became apparent that our different
calculations came from our having different concepts of "area". He used
a strip of paper to "illustrate" the moebius strip, and I feel this gave
him erroneous intuition in this case.
My observation was that if you did make the strip from paper, you
would need 20 sq. in. of paint in order to paint the whole thing.
If you used 10 sq. in. of paint, you would have 10 sq. in. of
surface unpainted.
However, Jonathan argues that this is a misinterpretation if the
Möbius strip is seen as having zero thickness, because then
points on one "side" are actually identical with the corresponding
points on the "other side". He suggests that, on a zero-thickness
strip, you can go only 10" before you return to your starting point.
(On a strip made of paper with non-zero thickness, you must go
20" before returning to your starting point.)
Does anybody have a view to clarify this? It does just seem like a
question of how to define surface area, but maybe there is a
particular definition of "surface area" or "Möbius strip"
which is somehow preferable.
(Normally you deal with areas in a plane, and the definition is easier.
Is there something handy from multivariate calculus here?)

Five people came from Microsoft
to meet with us on Tuesday about Palladium. It was very interesting.
"Sealed storage" is a very technically clever idea. Some of the
subtleties hit me only after the meeting. Basically, you have a
hardware co-processor within a machine which contains some unique
secret symmetric key (not known to anybody other than the co-processor).
Call this s. Also assume that the co-processor is able to take a
hash h of whatever kernel k is running on the ordinary CPU. (In
Palladium this is actually something called a "nub" -- in their
marketing materials a "Trusted Operating Root" or "TOR" -- but we
can pretend it's the OS kernel instead.)
The co-processor provides two functions, c=SEAL(p) and
p=UNSEAL(c). Within the co-processor, SEAL is implemented
approximately as aes_encrypt(s+h, p), and UNSEAL approximately
as aes_decrypt(s+h, c). (I am simplifying and eliding many
details; the real implementation is more complex and provides
several additional features.)
The interesting consequence of this is that any program
running on the system can call into the coprocessor and
ask the coprocessor to encrypt or decrypt arbitrary data.
(Actually, usually just a symmetric key for data, not the data
itself, but we'll pretend it's the data.) The coprocessor
by its very nature can successfully decrypt whatever
it has previously encrypted, but only if the encryption
was performed on the same machine while the same kernel k
was running! If the decryption is attempted on a different
PC (which has a different secret key s), or even on the same PC
while running a different or modified operating system, the
decryption routine will fail to decrypt the data. Thus, a
program is able to say "encrypt this so that it can only be
decrypted by a process running on the current machine under
the currently-running operating system kernel". And the
program can have confidence that the encryption occurs in an
unobservable way and that the resulting encrypted data can
be safely stored in an untrusted medium, because it will never
be possible to decrypt it except upon request of software
running in an identical environment.
I feel that I'm not quite doing justice to this clever technique,
partly because I'm omitting some details, and partly because I
haven't actually described the rest of the environment (how the
coprocessor fits into the rest of the system, how and when
the hash of the kernel is taken, how the coprocessor knows that
the hash of the kernel is accurate, etc.).
But one interesting consequence of this idea is that you can
actually have software which can be open source and runs on an
ordinary PC and yet can store information locally on a hard
drive in a way that the PC's owner (or somebody who steals the
hard drive) can't use or transfer the information except
according to a policy specified within the software. This can
be the case even though the owner of the PC is able to examine
and modify the software, and even to reboot the machine in
single-user mode, and run debuggers and emulators and so on.
There is no security-through-obscurity necessary, although
there are still certain physical security assumptions
involved (the user can't arbitrarily read or modify the contents
of the coprocessor or certain other parts of the PC's hardware).
Think about this: if you move the file (and, if you like, the
entire software operating environment!) to another PC, the
application can no longer decrypt the file. If you modify the
operating system (which you are able to do), the application
can no longer decrypt the file. If you run a different operating
system (which you are able to do), the application can no
longer decrypt the file. If you modify the application (which
you are able to do), the application can no longer decrypt
the file. This is a technically impressive capability! After
the meeting, I kept realizing more and more interesting features
of this design.
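
The SEAL/UNSEAL behaviour described above, modelled in Python as an added example (not Palladium's code or API). The `Coprocessor` class and `try_unseal` are hypothetical names, and HMAC-SHA256 in counter mode with an integrity tag stands in for AES so the sketch runs on the standard library alone; it models only the machine secret s and the kernel hash h, not the application.

```python
import hashlib
import hmac
import os


class Coprocessor:
    """Illustrative model only: secret s stays inside; h is the measured kernel hash."""

    def __init__(self, s: bytes):
        self._s = s
        self._h = b""

    def measure(self, kernel_image: bytes) -> None:
        # Stand-in for the hardware hashing whatever kernel k was booted.
        self._h = hashlib.sha256(kernel_image).digest()

    def _keys(self):
        # The sealing key depends on both s and h (the "s+h" of the text).
        root = hmac.new(self._s, self._h, hashlib.sha256).digest()
        return (hmac.new(root, b"enc", hashlib.sha256).digest(),
                hmac.new(root, b"mac", hashlib.sha256).digest())

    @staticmethod
    def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
        # HMAC-SHA256 in counter mode as the keystream (AES stand-in).
        stream = b""
        for ctr in range((len(data) + 31) // 32):
            block = nonce + ctr.to_bytes(8, "big")
            stream += hmac.new(key, block, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(data, stream))

    def seal(self, p: bytes) -> bytes:
        enc, mac = self._keys()
        nonce = os.urandom(16)
        body = self._xor_stream(enc, nonce, p)
        return nonce + body + hmac.new(mac, nonce + body, hashlib.sha256).digest()

    def unseal(self, c: bytes) -> bytes:
        enc, mac = self._keys()
        nonce, body, tag = c[:16], c[16:-32], c[-32:]
        expected = hmac.new(mac, nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("unseal refused: different machine or kernel")
        return self._xor_stream(enc, nonce, body)


def try_unseal(cp: Coprocessor, c: bytes):
    """Return the plaintext, or None when this environment cannot unseal c."""
    try:
        return cp.unseal(c)
    except ValueError:
        return None
```
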
Sealed storage is one part of Palladium, although not the whole
thing. It is one of the pieces which provide what we referred to
as "epistemology" for software running on a trusted system. How
can the software tell that it isn't running in a virtual machine, an
emulator, a debugger, a system call tracer, a deceptive system-call
tracer, a virtualized OS kernel, etc.?
It's been suggested that it's a good thing when software can't tell,
because end-users thereby acquire more control, or reverse-engineering
for interoperability and competition is possible, or we can preserve
computing history, or preserve human culture. If software can tell,
maybe we can't do these things, because someone can try to make the
software enforce a policy against running under emulation.
Descartes was one of the early epistemologists to worry about
whether his sensory experience (what software calls input and
output) is real or merely emulated, although that concern goes
back to the very beginnings of philosophy and speculative
thought.
Plato's cave is one more ancient instance of this anxiety -- and
in some sense so is Chuang Tzu's "butterfly dream". Plato and
Descartes, wholly unlike Chuang Tzu, specifically imagine a conspiracy
on the part of a malignant intelligence. Shall we say that
Western philosophy is more paranoid than Eastern, that the Western
philosopher is always prepared to believe in the Adversary? In
Chuang Tzu, the deception is simply a result of a dream, and no
moral evil or ill will. But in Plato the victims of the deception
are actually "en tautêi ek paidôn ontas en desmois kai
ta skelê kai tous auchenas". Ouch! (Who would be so cruel
as to chain people in a cave beneath the earth and shackle them
since childhood, "ek paidôn"?) In Descartes we start
off with ordinary and harmless dreams:
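Praeclare sane, tanquam non sim homo qui soleam
noctu dormire, & eadem omnia in somnis pati, vel etiam
interdum minus verisimilia, quam quae isti vigilantes.
Quam frequenter vero usitata ista, me hic esse, toga
vestiri, foco assidere, quies nocturna persuadet,
cum tamen positis vestibus iaceo inter strata!
Age ergo somniemus, nec particularia ista
vera sint, nos oculos aperire, caput movere, manus
extendere, nec forte etiam nos habere tales
manus, nec tales totum corpus [...]
(A fine thing indeed, as though I were not a man who is accustomed
to sleep at night and to undergo in dreams all the same things, or
sometimes even less plausible ones, as those [madmen] do while awake.
How often, in truth, does the night's rest persuade me of these
familiar things, that I am here, dressed in a gown, sitting by the
fire, when in fact I am lying undressed between the sheets!
Come then, let us suppose that we are dreaming, and that these
particulars are not true, that we open our eyes, move our head,
stretch out our hands, nor perhaps even that we have such
hands, or such a whole body [...])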
But eventually, just a few paragraphs later, we come to possess
an infinitely powerful and intelligent adversary whose only
goal in life is to deceive us in the service of some terrible evil:
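genium aliquem malignum, eundemque summe potentem & callidum,
omnem suam industriam in eo posuisse, ut me falleret
(!)
(that some malicious spirit, at once supremely powerful and cunning,
has put all his effort into deceiving me)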
If you walked into a psychiatrist's office talking about the
genius malignus, summe potens et callidus, qui posuit omnem suam
industriam in eo, ut me falleret, wouldn't
you be diagnosed with paranoid schizophrenia, at least as long
as your psychiatrist understood Latin?
But it's a reasonable fear for an epistemologist, or for a computer
program. In the computer security world, there is an Adversary,
there is a Devil, summe potens et callidus...
Cory suggested that trusted computing initiatives (and their
technical features like sealed storage) occupy in security software's
epistemology the same position God and God's perfection occupied in
Descartes's epistemology.
Ut autem etiam illa tollatur, quamprimum occurret
occasio, examinare debeo an sit Deus, &, si sit,
an possit esse deceptor; hac enim re ignorata,
non videor de ulla alia plane certus esse unquam
posse.
(But so that this [problem] might also be removed, I should,
as soon as possible, examine whether there be a God, and, if
there be, whether he might be a deceiver; for, being ignorant
of this thing, I cannot appear to be able ever to be entirely certain
about anything else.)
It doesn't take Descartes very long:
In primis enim agnosco fieri non posse ut ille me
unquam fallat; in omni enim fallacia vel deceptione
aliquid imperfectionis reperitur [...] nec proinde
in Deum cadit.
(For in the beginning I perceive that it is impossible
that he should ever deceive me; for in every deceit or
deception there appears some sort of imperfection
[...] and [this] does not thereby fall to God.)
Cory says God's part here in the software's epistemology is things
like sealed storage, and the counterpart of God's perfection is
Microsoft's trustworthiness.
It was nice of the Microsoft folks to come down and talk with us;
I really enjoyed it, and I learned a lot about Palladium, not that
I have a clear assessment of whether Palladium is good or bad. We
met with them for about four hours, and I spent much of the rest of
the day digesting and talking to other people about those four hours.
And certainly there's a lot of sophistication there.

My foot continues to feel better. I think it's going to be back to
normal soon; today I was able to walk on it. I tried to scan the
x-rays with a regular scanner, but it didn't come out well. (I would
have posted a picture of the bones in my foot here if I'd been able
to.)
It's amazing how great things feel when you regain them again after
a long absence. Eating after fasting (or being unable to eat),
eating bread after observing Passover, recovering from an illness --
everything is sweeter and more beautiful by contrast with its
absence, and everything can be taken away, even things we couldn't
imagine we could ever lose. "E quindi uscimmo a riveder le stelle."

Sterling:
Here's a good one: how the hell do you write a thriller novel in a
world that has cellphones? I happen to be writing a
thriller novel right now: in fact, I'm here researching
it, not that you'd ever guess. I'm not really here to
pontificate at you. I'm here to soak up your grand ideas
for use in fiction, because I need them even worse than
you do.
It's amazing how little technical room is left for
the customary cliches of a thriller novel, in this, our
modern, digitized, networked society. No more car chases
-- because I just use my cellphone and I call the cops in
the next town. No more gunfights in deserted warehouses
-- I just use my cellphone and I call the cops. No more
trailing the spy to his sinister lair -- I just use my
cellphone and I call up the cop's video monitors.
I was thinking about this after reading The Holy Sinner.
Much of the romance in writing set in earlier times comes from the
incredibly long journeys. One character goes on a pilgrimage.
Others go on quests. Typically, journeys take weeks and months.
Who nowadays in the industrialized world would take longer than a
weekend to get somewhere? My longest-ever trip was across the
continent by train: three nights and four days. Ordinarily, it
takes just a few hours. The folks who came to visit from Redmond
yesterday were no doubt back home in time for dinner.
Even using an automobile and stopping to sleep, you can cross this
continent in a week.
The only exception to the rapid-travel rule I can think of is
Wolfgang's walking trip. She walked to Oregon, and it took an
amount of time she could notice, and it was romantic or
educational or at least experiential as something she
noticed and lived and something which happened to her. But
walking to Oregon in a novel doesn't make sense for most of the
population. (Sure, not everybody has enough money to afford
plane tickets. But most people who can't afford plane tickets
also don't have months of spare time to walk to other states.)
The smaller world and the transportation-as-product industries do
eradicate entire plot elements connected with travel. You don't
have to find a good horse and a good map because there is a
company whose business model is getting you from one airport to
another for $200 with no intervention (but some identification)
on your part.
Travel is more anonymous in older stories because things are more
decentralized. When a person comes from another country, you
don't know anything about that person. (You don't have state-issued
ID, and you don't have credit bureaus, and you don't Google.) In
The Holy Sinner, Gregorius shows up and says he's a
knight, and other people ask him to prove he's a knight, so he
proves he's a knight by riding a horse and by fighting. He doesn't
have a "knight certificate", and he doesn't have any personal
or professional connections. (OK, he turns out to be the
illegitimate child of the ruler of that country, but nobody knows
that for several chapters more...)
Today, it's difficult to get from one place to another without
revealing (even possibly proving) your identity.
Amitai Etzioni thinks this is good.
But the Sterling-relevant thing here is not whether it's good or
bad but whether it affects writing literature, and I guess it
does, because travel and communications just don't seem to work
the way they used to, and that interferes with standard devices of
mystery and suspense.
Bruce Sterling also said something particularly funny in that
speech:
Ladies and gentlemen, yes, I know that THE MATRIX is
a sci-fi movie. In my game, you get the good stuff where
you find it, okay? I don't have to name-check sci-fi
movies up here. I could have stolen you something nice
and exciting from the many bright and accomplished people
at Microsoft Research and Development. I pay attention
to them, too. I know they're into stuff like a Sensory
Pocket PC that detects touch, tilt and motion; and
Chinese text-to-speech software that probably detects
Chinese piracy in real-time. So I tried that. I Googled
it. I surfed over to the Microsoft Research "Archived
Headlines", but since they are a modern computer company
instead of a big-budget science fiction movie, this is
what I got off their web page:
[Microsoft][SQL Server Driver] Invalid object name
'features'.
Drivers error '80040e37'