Monday, February 20, 2006

Leon Wieseltier's negative review of Dennett's new book

Leon Wieseltier, literary editor of the New Republic, has written an strongly negative review of Daniel Dennett's new book, Breaking the Spell. Wieseltier maintains that religion is beyond the scope of scientific examination, and so takes issue with a key aspect of Dennett's project.

Wieseltier's review has been critiqued by Brian Leiter (at Leiter Reports, here), P.Z. Myers (at Pharyngula, here), Taner Edis (at the Secular Outpost, here), and Michael Bains (at Silly Humans, here). I disagree with Bains about the term "scientism," even though I am quite sympathetic to "naturalized epistemology" and giving science a major role in philosophical questions. There is clearly quite a lot of room for disagreement about the idea that science should be the primary mechanism of inquiry in all domains--most scientists regularly argue that science draws no moral or ethical conclusions, which means they leave that area to philosophy or (a mistake, in my opinion) religion.

There is a key passage of Wieseltier's review that I partly agree with:
It will be plain that Dennett's approach to religion is contrived to evade religion's substance. He thinks that an inquiry into belief is made superfluous by an inquiry into the belief in belief. This is a very revealing mistake. You cannot disprove a belief unless you disprove its content. If you believe that you can disprove it any other way, by describing its origins or by describing its consequences, then you do not believe in reason.
In general, the origin of a belief is irrelevant to its truth or falsity. However, if Dennett's mission is like Pascal Boyer's, to give an account of why people believe in religion in general, rather than to prove that religion is false, then this is not an objection to what Dennett is doing. Further, if the explanation produced is the best explanation around, then that is good reason to believe that explanation (over an explanation that says religion is divinely inspired).

The fact is that there are lots of different religious beliefs that people hold, and they contradict each other. We know from the outset that all religions cannot be true--in fact, the mere existence of the contradictions is sufficient to show that much of the content of most religions must be false. Why people continue to believe it is something that requires explanation.

If the best such explanation is a naturalistic one, and that explanation fits the evidence for all religious belief better than supernatural explanations, then that is good reason to favor the naturalistic explanation over the supernatural explanations.

Wieseltier seems to reject "inference to the best explanation" as a form of reason.

UPDATE: Dennett has responded with a letter to the New York Times, and Wieseltier responds immediately following.

Sunday, February 19, 2006

The moral cowardice of Dick Cheney

Talking Points Memo points out that Cheney sent out three surrogates to assign blame to the victim (who then apologized publicly to Cheney!), contrary to Mary Matalin's claim on "Meet the Press"--even though she was surrogate #3!

Controversial hacker publishes cover story in Skeptical Inquirer

The latest issue of the Skeptical Inquirer (March/April 2006) features an article titled "Hoaxers, Hackers, and Policymakers: How Junk Science Persuaded the FBI to Divert Terrorism Funding to Fight Hackers" by Carolyn Meinel. The descriptive text on the first page (between the article title, subtitle, and author's name) says "Hoaxers warned of an imminent and deadly electronic Pearl Harbor. Consequently, the FBI diverted resources and attention away from terrorism and toward fighting hackers. This may have contributed to the September 11, 2001, attacks. Use of critical inquiry and the scientific method could have avoided this misdirection."

While most of the article appears to me to be accurate and its conclusion about treating claims from self-proclaimed computer security experts with scrutiny is sound, the article itself contains unsubstantiated arguments (in particular the arguments of the title and subheading) and comes from a self-proclaimed hacking expert of questionable credibility.

Meinel's article is in three sections--an introductory section about the title, a section about specific claims made by two hackers, and a section on "critical analysis of e-terrorism." I find little to criticize in the latter two sections, except for its implication that Peter Neumann's testimony before Congress was unfounded (Neumann is a highly respected expert on computer risks, the editor of the RISKS Digest, and author of the book Computer-Related Risks, 1995, The ACM Press).

Meinel begins by describing Fred J. Villella bringing hackers "Dr. Mudge" (Pieter Zatko, though Meinel never mentions his name) and "Se7en" ("Christian Valor", who was indeed exposed as a chronic fabricator as Meinel claims in the second part of her article) to meetings of federal policymakers where they warned of "a looming electronic Pearl Harbor." The most notable such meeting was testimony before the Senate Governmental Affairs Committee on May 19, 1998, where the above-mentioned Neumann testimony took place, and where Mudge testified that he could make the Internet unusable with less than thirty minutes of effort.

Meinel argues that this testimony "may have contributed to an entrapment scheme" by the FBI against hacker "Chameleon" (Marc Maiffret, now "Chief Hacking Officer" of eEye Digital Security) as a way to show that "hackers were actually collaborating with enemies of the U.S." But she provides no evidence of a connection between the testimony and the action.

She falsely states that "books (Penenberg 2000; Mitnick 2005) hyped the raid [on Maiffret] to say that hackers were in league with al Qaeda." Neither of these two books says that. Adam Penenberg, in his book Spooked: Espionage in Corporate America (with Marc Barry, 2001, Perseus Books), writes that "Hackers are always on red alert for the FBI. In fact, when Maiffret was contacted over the Internet by the alleged terrorist Khalid Ibrahim, a member of Harkat-ul-Ansar, a militant Indian separatist group on the State Department's list of the thirty most dangerous terrorist organizations in the world, he assumed Ibrahim worked for the feds." Kevin Mitnick, in his book The Art of Intrusion (2005, Wiley, pp. 32-34), raises the possibility that Khalid Ibrahim was part of an FBI operation, but questions it on the ground that only Maiffret received any money from him. On the other hand, he points out that Maiffret told Wired News "he had not provided any government network maps" and wonders why, despite his confession to accepting money from an terrorist-connected individual (Mitnick writes "foreign terrorist"), no charges were ever filed. Then, he writes "Perhaps the check wasn't from Khalid after all, but from the FBI." (As an aside, Mitnick's book states that few know the true identity of "Chameleon," but Penenberg's book had already published his identity in 2000.) Perhaps Maiffret avoided prosecution by agreeing to work with the FBI, as other hackers have done (such as Justin Tanner Petersen, "Agent Steal," whose story is partly told in Jonathan Littman's The Watchman: The Twisted Life and Crimes of Serial Hacker Kevin Poulsen, 1997, Little, Brown).

The specific argument of the title and subheading--that the testimony of these hackers led to a diversion of funding that may have contributed to the success of the 9/11 terrorist attacks--is stated in a single paragraph in the second column of the first page of the article (p. 32). In that paragraph, Meinel states that cyberspace czar Richard Clarke's formation of the National Infrastructure Protection Center (NIPC) diverted funding increases "earmarked against terrorism to hire FBI agents for the hacker beat." This diversion of funds led to only $4.9 million spent by NIPC on counterterrorism, and it therefore lacked the resources to follow up on Phoenix FBI agent Ken Williams' warning about al Qaeda members training at U.S. flight schools.

This argument assumes that NIPC, rather than the FBI's counterterrorism unit, is the organization which should have followed up on Williams' memo. It also overlooks the role of the FBI's incredibly antiquated computer systems, which technophobe FBI Director Louis Freeh had refused to take steps to upgrade (with Congress withholding $60 million in funding for FBI's IT infrastructure between 1998 and 2000 because of its failure to produce a credible upgrade plan). Not until July 2000, when Freeh appointed Bob Dies to begin work on an overhaul, did Freeh address the issue. The result was that the FBI had 42 separate database systems that could not be searched simultaneously and many agents had computers that did not work or could not display images or connect to the Internet. Many agents used home computers in order to receive email photo images of suspects from local police departments. (See the "Missing Documents" chapter of Ronald Kessler's The Bureau: The Secret History of the FBI, 2002, St. Martin's Press. Similar observations are made in the "9/11" chapter of James Bovard's The Bush Betrayal, 2004, Palgrave Macmillan. Bovard cites (p. 27) a Los Angeles Times story that reports the FBI diverting $60 million in funds earmarked for IT upgrades in the year 2000 to be used for staffing and international offices. The fact that the dollar figure is the same in Bovard and Kessler may indicate that Bovard is misdescribing the same $60 million Kessler mentions.) By contrast, NIPC's entire budget (PDF) was under $20 million per year through 2000, and Bush requested a budget of $20.4 million for NIPC in 2001. (This is not to say that NIPC was effectively using what funds it had--it wasn't. But Meinel's complaint that only $4.9 million of NIPC's budget was spent on counterterrorism should be put in context--that was a quarter or more of its annual budget.)

These IT failings and the other failures reported in the 9/11 Commission Report and elsewhere strike me as more plausible reasons for the U.S. government's failure to avert the 9/11 attacks than trying to pin it on the hackers who testified before Congress in 1998 about the dangers of cyber attacks. Ironically, in October 2001 an article arguing that the Code Red worm demonstrates that there really are significant risks of Internet-based attacks on U.S. infrastructure ("They would be far worse than not being able to make bids on eBay--potentially affecting product manufacturing and deliveries, bank transactions, telephony and more. Should it occur five years from now, the results could be a lot more severe.") appeared in Scientific American. The author of this article, "Code Red for the Web," was Carolyn Meinel.

It's more surprising to me that Skeptical Inquirer published an article by Carolyn Meinel at all. Meinel's author description printed in SI states:
Carolyn Meinel is a consultant and science writer. She has assisted the Defense Advanced Research Projects Agency (DARPA) with its Intrusion Detection Evaluation Program and its Cyberadversary Workshop, and consults for Systems Advisory Group Enterprises, Inc. (www.sage-inc.com), the Institute for Advanced Technology (www.iat.utexas.edu/), and the Santa Fe Institute (www.santafe.edu/). She may be reached at [email address omitted to prevent spam].
Not mentioned are Meinel's books, web pages, and hacker conference appearances to teach hacking skills or her two articles in Scientific American ("How Hackers Break In... and How They Are Caught" in October 1998 and "Code Red for the Web" in October 2001). The existence of the latter two publications no doubt lends her credibility (and may have helped persuade SI to publish this latest article), but the content of some of her hacker training works and parts of the October 1998 Scientific American article serve to diminish it. The October 2001 article seems pretty accurate to me, and was selected for publication in Matt Ridley's Best American Science Writing 2002 volume. That article, as already observed, does point out the possibility of an "electronic Pearl Harbor," so Meinel avoids self-criticism as being a contributor to 9/11 failures under her own argument only by the month-post-9/11 publication date.

Meinel has long been a controversial character in hacker circles, as can be seen by Googling her name on the web and Usenet (you can search the latter with Google Groups). She also has a degree of infamy from her former marriage to Scientology critic Keith Henson. Henson, who was successfully prosecuted for "interfering with a religion" (Scientology--in part due to an online joke he posted about using a "Cruise missile") and fled to Canada, started the L5 Society with Meinel in 1975. In their divorce proceedings, Meinel apparently made charges of child molestation against Henson which were published by Scientology front group "Religious Freedom Watch" as a way to "dead agent" Henson. Meinel, while supportive of Henson, didn't actually retract the charges, though I took her comments to suggest they were bogus. (UPDATE July 18, 2008: Henson's daughter Val has recently gone public and argues that the charges are true.)

Meinel had a long-running feud with hacker "jericho" (Brian Martin), who runs attrition.org. Martin, as it happens, was once the roommate of phony hacker "Christian Valor" ("Se7en"), but was also one of the people who exposed his fabrications. In addition to exposing other bogus security experts, his site contains a large collection of criticisms of Meinel, her behavior, and her work. Given the personal nature of many of the criticisms it is difficult to know what, if any, to take seriously, except for those which specifically address her accuracy and knowledge of hacking and network security, such as the critique of her 1998 Scientific American article, "How Hackers Break In...", by Fyodor (author of the widely used security port scanning tool, nmap). That article, which may be partly based on a hacker break-in at Meinel's ISP, Rt66 Internet (in which case "Dogberry" may be John Mocho of Rt66), contains a number of questionable statements. For example, the scenario describes the firewall of "refrigerus.com" responding to a port scan by launching an attack in response, as though this is a good form of security, and the description of the attack itself suggests that either the description is inaccurate or the attack itself is incredibly naive. The author description on "How Hackers Break In..." stated that Meinel has an "upcoming book, War in Cyberspace" that "examines Internet warfare." As of today, there appears to be no such book.

In 1998, a hacking group that called itself "Hacking for Girliez" or HFG defaced a number of websites, including that of the New York Times. Brian Martin believes he was on the list of suspects. A number of HFG defacements made reference to Meinel (which I interpret to mean that HFG had a grudge against her rather than that she was involved), and she was herself questioned by the FBI and asked to take a polygraph, which she wisely declined (given the lack of empirical support for the validity of the polygraph).

In 2001, Meinel's techbroker.com website was compromised and a piece of software placed on it. A message was sent to the Vuln-Dev mailing list under Meinel's name (apparently a forgery), claiming that the software was an exploit for a vulnerability in the wu-ftpd FTP server; but in actuality it was malware which would attempt to delete files.

Given the lack of support for the title claims in this article and the lack of Meinel's expertise in computer security, I don't think Skeptical Inquirer should have published it, at least in the form it appeared.

Meinel, it should be clear, is not an advocate of illegal hacking--she seems to be fairly emphatic about not breaking into machines unless you own them or have permission to do so. But at the same time, she seems to give a wink and a nod to those who are going to break into the machines of others and has been billed as a "walking script kiddie factory." She also seems to advocate offensive measures as a mode of defense (as described in her 1998 Scientific American article), which is not responsible computer security advocacy.

UPDATE (March 4, 2006): Today I obtained a copy of Gerald Posner's book Why America Slept (2004, Random House), which is cited by Meinel at the end of her paragraph claiming that NIPC budget diversion to cyber warfare was the cause of 9/11 failures. The concluding sentence of that paragraph reads: "Therefore, the FBI lacked the resources to follow up on an agent's warning of al Qaeda members at U.S. flight schools (Posner 2003)."

The relevant section of Posner's book is pp. 169-173. It in no way supports what Meinel has written--Posner makes no reference to NIPC in his entire book, and he enumerates several failures on the part of the FBI with respect to Ken Williams' memo--the lack of communication with the CIA, the failure of middle management of the FBI to recognize the significance of the memo, and lack of resources within the FBI: "The FBI considered the Phoenix idea [to check out the thousands of students at the flight schools] too costly and time consuming, and a few even expressed concerns that such a probe might be criticized in Congress as racial profiling."

The main thesis of Meinel's article is not supported by the facts, and she has misrepresented at least three of the sources she cites--Gerald Posner's book, Kevin Mitnick's book, and Adam Penenberg and Marc Barry's book. That's sloppy work that doesn't deserve publication.

UPDATE (February 19, 2007): I thought I had already added a link to the April 2006 discussion of Meinel's article by Jeff Nathan at the Arbor Networks blog, but I hadn't. This remedies that oversight. There's a good exchange between Nathan and Meinel in the comments.

Also, Skeptical Inquirer published my letter to the editor regarding Meinel in the July/August 2006 issue (p. 62) along with a response from Meinel.

UPDATE (August 8, 2010): James Bamford's most recent book, The Shadow Factory: The Ultra-Secret NSA from 9/11 to the Eavesdropping on America (2008) contains more detail about intelligence screwups that, had they been prevented, might have averted all or part of the attacks of 9/11--but NIPC's budget had nothing to do with it.

Saturday, February 18, 2006

The Security Catalyst podcast

I recommend Michael Santarcangelo's "Security Catalyst" podcasts, which can be subscribed to at no charge via iTunes or Yahoo Podcasts. He's got additional information and links related to the shows at the Security Catalyst website.

Michael, who I met a few years back through a consulting engagement that was a "death-march project," is a sharp, witty, and well-spoken advocate of and educator for good computer security.

Carrier and Wanchick debate: Argument from Mind-Brain Dysteleology

I've posted a commentary on the exchange between Richard Carrier and Tom Wanchick about this particular argument from Carrier. The post is at the Secular Outpost.

Friday, February 17, 2006

Underground London

Some very interesting photos of old subway lines, former stables, and other semi-abandoned tunnels underneath London. (At BLDGBLOG.)

UPDATE (May 21, 2007): Nick Catford's Subterranea Britannica is the place to go for photos and information about underground sites in Britain.

Coyote Carnival #1

The first Coyote Carnival, a collection of posts from Arizona blogs, may be found here.

Database error causes unbalanced budget

Bruce Schneier reports on how a house in Valparaiso, Indiana was incorrectly valued at $400 million due to a single-keystroke error by an "outside user" of Porter County's appraisal records. This incorrect valuation led to an expectation of $8 million in property taxes due from that homeowner, which led to a erroneous increase of budgets and even distribution of funds. Now the Porter County Treasurer has had to ask 18 governmental units to return funds--the city of Valparaiso and Valparaiso Community School Corp. have been asked to return $2.7 million, which will leave the school system with a $200,000 budget shortfall.

The number of errors here is huge--first of all, an external user shouldn't have access to change budget data at all, let alone by a typo which caused the user to invoke "an assessment program written in 1995" which "is no longer in use, and technology officials did not know it could be accessed." Second, there should have been checks on the data to identify anomalies like a house suddenly jumping in value to $400 million. Third, there should have been checks on the accuracy of budget numbers before the disbursement of funds. And I'm sure I'm only scratching the surface--it sounds like they've got some serious IT infrastructure issues.

Thursday, February 16, 2006

RIAA: Burning CDs to MP3s is not fair use

Every three years, the U.S. Copyright Office accepts comments on the Digital Millennium Copyright Act (DMCA) for additional rule-making and exemptions. The Electronic Frontier Foundation (EFF) has given up on participating in the process, which they consider too broken to be worthwhile--consumer interests are simply not taken into consideration.

The RIAA's most recent filing (PDF) in this process shows that they've reversed their position since testifying before the Supreme Court last November in the MGM v. Grokster case, when attorney Don Verrilli stated (PDF, p. 12):
The record companies, my clients, have said, for some time now, and it's been on their website for some time now, that it's perfectly lawful to take a CD that you've purchased, upload it onto your computer, put it onto your iPod.
The RIAA's position in the new filing (PDF, p. 22 footnote 46) is:
Nor does the fact that permission to make a copy in particular circumstances is often or even "routinely" granted, [...] necessarily establish that the copying is a fair use when the copyright owner withholds that authorization. In this regard, the statement attributed to counsel for copyright owners in the Grokster case is simply a statement about authorization, not about fair use.
That is, they are claiming that they've given permission for such use, and have the right to take it away at any time, because it is not a matter of fair use. The filing points out that this is the 2003 position of the Register of Copyrights, who is quoted (p.22):
proponents have not established that space-shifting or platform-shifting is a noninfringing use.
On the same page (22), the filing states:
Similarly, creating a back-up copy of a music CD is not a non-infringing use....
(Somewhat less information may be found at the EFF's blog entry which pointed me to this filing, Deep Links.)

Tuesday, February 14, 2006

Geddes on net neutrality

Martin Geddes has a nice commentary on the vagueness of "net neutrality" and its implications (I previously commented on the subject here). He divides net neutrality advocates into bottoms, middles, and tops (based on layers, not giving vs. receiving). "Bottomistas" want neutrality on offered underlying protocols and aren't happy just getting IPv4 (or just IPv6), and at the extreme would want a choice between ATM, Ethernet, their own Layer 2 protocol. The "middlemen" distinguish "raw IP" (which backbones carry, or perhaps which ISPs use internally) from "retail IP" (what the end user customer gets), and endorse neutrality on the latter. The "top" are comfortable with the kind of filtering done by many retail ISPs (e.g., port 25 filtering), but oppose filtering directed at particular service providers or applications.

Geddes argues that the Internet isn't really a thing, but a set of agreements between different entities that are each doing their own thing with their own property--and that "Internet Governance" itself doesn't make much sense outside of IP address allocation and routing.

He raises a host of interesting questions, like:
Is neutrality a wholesale or a retail problem? What if the access infrastructure owner offers “neutral” IP connectivity, but no retail provider chooses to pass that on directly to the public without layering on some filtering and price discrimination?
and
Oh, and what’s so special about the Internet? Do other IP-based networks need neutrality principles? Do any networks? Should more network industries be forced to forego “winner takes all” rewards? Google looks awfully dominant at adverts, doesn’t it… I wonder if that ad network needs a bit of “neutrality”?
These are the sorts of issues that need to be considered in formulating any kind of "net neutrality" that can actually be put into a statute or regulatory framework, and it doesn't seem likely to me that it will be easy to come up with one that has broad appeal and doesn't trample on private contract and property rights. I think Geddes may be right when he says neutrality is "an output, not an input."

His post is well worth reading, as is the commentary from Brett Watson.

UPDATE: Geddes has more at Telepocalypse.