
Here’s a bit of Monday morning fun: Slashdot reports that SQL.com was cracked via an SQL injection attack.  

SQL is a very prominent database query language used in thousands of installations around the globe.  An SQL injection occurs when an attacker bypasses the normal front-end to the database and finds a means of executing their own commands (typically by supplying input that the application pastes straight into a query), usually with the aim of either stealing information or of corrupting or changing the database in some fashion.

Cross-site scripting, also mentioned in the article, is a means by which such attacks can take place.  This is a slightly more complex vulnerability–essentially, it occurs when the client, rather than the server, is used to validate requests against the server.  If that is the case, then a sufficiently competent attacker can craft a malicious version of the script produced by the webpage in question and serve that to users (via the usual social engineering methods) in an attempt to gain login credentials, session credentials, or other information about how the resources are generally accessed.

Combining the two can lead to a theft of credentials usable for gaining access to the whole of the database for whatever purpose the attacker wishes–the “pwnage” that many attackers seek to gain.

The vulnerability in the SQL database was apparently, according to the articles linked above, discovered in January by some enterprising folks out of Romania.  Whether it was reported ahead of time is not known to this author at this time–the original resources are protected behind a policy setting at a Romanian exploit site, and the XSS (cross-site scripting) vulnerability has a publication date of April 1–though this could be January 4, and a dd/mm/yy rather than mm/dd/yy confusion.

The vulnerability in question appears to be something rather obvious: the actual attack is carried out by inserting a “script” HTML tag into the URL of the requested resource.

The countermeasures to prevent this sort of thing happening are twofold.  First, of course, never click on a URL without knowing what it is you’re clicking on.  Think before you click.  There is normally no reason to click on a link with an HTML tag embedded in it; such links are endemic in the exploitation of security flaws, but are rarely used by legitimate sites.

Secondly, if you are designing a site, assume that any input coming from the client side is unsafe and must be validated on the server–there’s no point putting the validation mechanism out where it could be changed.  JavaScript is inherently open-source because the source must be served to the client machine in order to run; as such, any vulnerabilities present in it will be found eventually.  There’s no way to ensure that input arriving at your servers was sent by the same JavaScript that was served from them originally; take this into account when designing your sites, and you will not be vulnerable to this kind of attack.
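As an added illustration (not code from this post or from the site it discusses), the two patterns above in Python: a lookup that pastes client input into the query text beside its parameterised form, and a page that reflects a URL parameter raw beside one that escapes it, with the validation done on the server as the post recommends.  The users table, the `q` parameter and the user-name rule are constructed assumptions for the example.

```python
import html
import re
import sqlite3
from urllib.parse import urlparse, parse_qs


def make_db():
    """Constructed sample data: a tiny in-memory users table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")])
    return conn


def lookup_vulnerable(conn, name):
    """The pattern the post describes: client input pasted straight into the query text,
    so any SQL the client supplies in `name` becomes part of the statement."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    """Parameterised query: the input is bound as a value and is never parsed as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Assumed server-side policy: user names are short and alphanumeric.  The check runs
# on the server, where the client cannot edit or bypass it.
NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def valid_name(name):
    return NAME_RE.fullmatch(name) is not None


def query_param(url, key="q"):
    """Extract one query-string parameter from a request URL (empty string if absent)."""
    return parse_qs(urlparse(url).query).get(key, [""])[0]


def render_vulnerable(url):
    """Reflects the parameter into the page verbatim: a <script> tag placed in the URL
    ends up in the served HTML, which is the reflected XSS the post refers to."""
    return "<p>Results for " + query_param(url) + "</p>"


def render_safe(url):
    """Same page, but the parameter is HTML-escaped so the browser shows it as text."""
    return "<p>Results for " + html.escape(query_param(url)) + "</p>"


def handle(conn, url):
    """Server-side request handling: reject input that fails the policy, then query
    with a bound parameter and escape anything echoed back to the client."""
    name = query_param(url)
    if not valid_name(name):
        return {"status": 400, "body": "<p>Invalid name</p>"}
    emails = ", ".join(html.escape(e) for e in lookup_safe(conn, name))
    return {"status": 200, "body": "<p>" + emails + "</p>"}


if __name__ == "__main__":
    db = make_db()
    hostile = "https://example.invalid/lookup?q=x%27%20OR%20%271%27%3D%271"
    print(lookup_vulnerable(db, query_param(hostile)))  # every row leaks
    print(lookup_safe(db, query_param(hostile)))        # []
    print(handle(db, hostile)["status"])                # 400
```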

Beer, in general, is one of the oldest beverages known to man.  Being the result of spoiled grain, originally, beers have been refined over the ages into various kinds depending on their characteristics–there are lagers and weissbiers on the light end; ales of various sorts in the middle; and then there are stouts.

A stout (there is some overlap with the porters, but given today’s date, Irish stouts are the obvious focus) is a dark, strong beer formed from roasted malts and barley, together with hops, water and yeast.  The term ‘stout’ may have originally applied merely to the strongest of a brewery’s offerings, but present-day brewers have more specific standards as to what does and does not constitute a stout.

One of the more widely successful stouts, Guinness, has the distinction of being pressurized not only with carbon dioxide (produced by the fermentation of the sugars in the malt and barley by the yeast–the yeasts consume sugar and release both alcohol and carbon dioxide as byproducts) but with nitrogen.  Together with the specific design of their taps and the type of glass typically recommended for use with the stout, this gives a very distinctive appearance to the product as prepared for use.

Additionally, Guinness is most famous for the phenomenon of the ‘sinking bubbles’–where the gas bubbles appear to defy expectations and sink to the bottom of the glass rather than rise like they ought.  As it turns out, this does happen in other beers; Guinness just happens to have the right combination of reduced visibility to block out the center column of rising bubbles driving the convection that carries the smaller ones down the outside and contrast in color between the froth and the beer itself to make these bubbles visible.

As an exercise, the reader may wish to carefully examine this phenomenon with a freshly-poured Guinness today.  In the interests of proper investigation, it is advised that a sufficient sample size be obtained for meaningful statistics to be extracted, and that the experiments take place in a safe, controlled environment.  Disposal of the samples after measurements are obtained are, of course, entirely up to the lab director’s discretion.

Heinlein once wrote:  

 A human being should be able to change a diaper, plan an invasion, butcher a hog, conn a ship, design a building, write a sonnet, balance accounts, build a wall, set a bone, comfort the dying, take orders, give orders, cooperate, act alone, solve equations, analyze a new problem, pitch manure, program a computer, cook a tasty meal, fight efficiently, die gallantly. Specialization is for insects.

This was during the 20th century, before the beginning of the so-called “Information Age.”  At that time, computers were in their infancy and the vast floods of information that would be generated as a result of widespread capacity to easily store and replay this information were still in the future.  The Library of Congress was only composed of printed matter–the archiving of movies and such had not yet begun–and what data storage technology there was could handle a few megabytes, at most.

Today, the Internet Archive, a project built to act as a record of how the Internet has grown and changed, has a capacity of just under 4 petabytes.  To put this in perspective, the sum total of a human’s experiences throughout their life may equal 1 petabyte.  

This is not to say that Heinlein’s ideal of a broad knowledge-base is no longer fulfillable, but that expectations may need to be revised in some fashion.  Consider, too, that the Internet Archive holds only a snippet of existing human knowledge–there’s little in there from scientific journals, for instance, or from other specialized documents.  Hundreds of times as much information remains locked away in various corporate archives–chip designs, calculations for auto efficiency, rocket and satellite schematics, and other proprietary secrets.  Governments, too, have a vast knowledgebase–intelligence, engineering of secret projects, valuable historical documents and footage of various sorts.

However, this same interconnection that has fostered an explosion of knowledge has also enabled a unique opportunity to both fulfil and reject Heinlein’s standards for human knowledge:  given the ability to ask for, and receive, reasonably-accurate information on a moment’s notice from a vast body of users–many of whom may very well be the specialists that Heinlein decries as insect-like–one can retain one’s own specialization without giving up the access to the body of knowledge that represents humanity.

There’s a joke about a chemist, a physicist, and an engineer who are all given a red rubber ball and asked to determine the elasticity.  The physicist performs a simple experiment with a meter-stick to determine a known drop height.  The chemist does an analysis of the rubber compound to determine energy storage.  The engineer pulls out his Pocket Ref and looks up the entry for “Ball, Rubber, Red.”

Three very different approaches–the first two depend on primary knowledge, while the third takes the sum of accumulated knowledge and accesses it when it’s needed.  This is similar in many ways to how information access works in this age of interconnection:  there are those who perform the actual measurements, and there are those who combine and manipulate those data.

Overspecialization is still crippling, though:  the old adage about hammers and problems still comes into effect if you’re so specialized as to forget that there are other tools–the method of statistical analysis that was published in a biological journal that amounted to a rough approximation of integrals comes to mind–and end up reinventing the wheel.  Even worse, if there is a lack of cooperative information available–for our academic society is often antagonistic rather than cooperative, with ‘publish or perish’ being the byword–the same ‘discovery’ may end up being made independently many times over, and the litigation over who stole what from whom further distracts and detracts from our progress as a species.

That’s not to say that our progress has been entirely hindered by antagonistic scholars, though; this self-same antagonism, this constant sniping at others’ work, is necessary: it provides the requisite evolutionary pressures for our body of knowledge to grow and change.  As phlogiston gave way to energies of combustion; as the luminiferous aether and the crystal spheres gave way to Kepler’s orbits and, then, to Einstein’s modifications, so too will today’s ideas be subject to future revision as hungry researchers and scientists look to make a name for themselves.

The key is, here as everywhere, to strike a balance:  to keep these researchers hungry enough to progress, but sated enough not to obstruct others’ access to their material.  Research needs to be shared to be useful; the only way an insect can be a man is if he can access the specializations of all the other insects well enough to do whatever needs to be done, and in the most efficient way possible.

Science, the cause of all manner of nearly miraculous developments amongst the peoples of this land and others.  Science, the engine that drives progress.  Science, responsible for all manner of improvements for the human condition, from penicillin to pacemakers, from automobiles to automatic rifles.  Science, one of the most necessary of pursuits for our continued survival as a species.

Science, about the most poorly-taught, misunderstood, poorly reported, and all around poorly understood disciplines in the United States today.

Granted, most scientific fields are extremely technical, so that even the basic vocabulary is difficult for those not trained specifically for that field to understand.  Granted, also, that one does not need to be trained in the disciplines of science to reap the benefits of the discoveries that are made by the scientists.  However, in this country, there are a number of less-than-useful behaviors connected with the public perception of the sciences (usually based on faulty understanding and training); the result is generally a losing proposition for both scientists and the public, as the scientists are unable to carry out their research due to excessive regulation or lack of funding, while the public is denied the improvements that could otherwise be made to their lives.

Science reporting, as it is practiced today, does not help this tendency.  It is immediately obvious to anyone conversant with a field on which an alleged science reporter has written an article that, in most cases, the reporter has little to no idea what they are reporting on–often to the point where the reporter will misrepresent the material that they are attempting to report.

This is one of the symptoms of a lack of proper science education, a situation that has far-reaching effects beyond the simple poor quality of reportage upon subjects of a scientific bent.

How shall this situation be rectified?

There is no quick and easy solution–for most things of worth, there never is.  Instead, a systemic and consistent effort by the scientifically conversant to encourage “good” science and discourage “bad” science (the scare quotes denoting the appalling imprecision of these terms) must be the basic foundation behind a constant and consistent push for a positive change.

Too often, in the vain hope of spreading a hunger for scientific knowledge, the “science fan” will push a “gee whiz” sense of wonderment over anything vaguely scientific-sounding, hoping to gain more “science fans” to marvel over the progress that science hath wrought–this is almost entirely useless.  The “science fan” in general tends to put enthusiasm before fact, and will accept even the most addle-pated pseudo-scientific claptrap as a valued addition to their store of knowledge and, even worse, pass this unfortunate miscarriage of knowledge on as a valued piece of truth–see “The Secret” for a rather extreme (and unfortunate) example of the result.

Instead, anyone who wishes to encourage scientific learning ought to first be very sure they fully understand the topic that they’re trying to encourage (yes, even learning the mathematics and formulae behind the nifty-keen pop-bottle rocket) and carefully teach others to approach science in a respectful and proper manner–to discourage the frivolous use of words like “theory” and “experiment”; to reject as unsound the “experiments” of popular science-esque television shows (e.g. the Mythbusters, who display very poor rigor by frequently having neither sufficient repetition of their experimental procedures nor sufficient controls to ensure valid results, amongst other sins); to pass along to others only that knowledge which they are reasonably sure is correct and they are reasonably sure they understand completely.

There are more than enough “science fans” in the world today.  What the world needs is more -scientists-.

A memetic hazard is a memetic structure that can reasonably be expected to cause some form of personal or societal harm.

“Homeopathy” is a description of one particular memetic complex containing a number of beliefs which, in the aggregate, have the potential to cause personal or societal harm to the host of these constructs or to those who depend upon the host for medical care.

The Homeopathy memetic complex is generally found paired with an “Alternative Medicine” construct as an adjunct belief; the “AltMedicine” beliefs are inherited by the “Homeopathy” complex and used as part of the basis for its acceptance by the host.

The Homeopathy complex has these core beliefs:

First, that Homeopathy is a valid method of curing or controlling medical conditions.

Second, that “Like cures Like”: some herb or other plant-derived (usually) product that when ingested or otherwise brought in contact with the body causes symptoms similar to those exhibited by the sufferer of an illness can be used to cure the sufferer of those symptoms.

Third, “Water Memory”: the compounds or mixtures described in “Like cures Like” can produce in water a “memory” of their effects, such that a small portion of this compound or mixture in water, diluted many thousands of parts of water to each part of “active” compound, can still have some effect even when the dilution is to such an extent that no portion of the original active ingredients is likely to remain within the dosage provided to the sufferer of the illness.

This complex can be considered a memetic hazard due to the likelihood of the host to resort to homeopathic remedies rather than seeking “conventional” medical help for any diseases or other conditions they may suffer; this can result in personal harm to the host (should they suffer from a nontrivial disease) or in harm to others (should the host be the authority in charge of another person’s, e.g. a child’s, medical care).

The “Homeopathy” complex would normally be trivial to remove from the host’s mind with basic proofs against its claims (that water “memory” is not long enough to account for any effects, that any alleged cures by Homeopathy can be shown to be the result of the placebo effect) except for the adjunct memetic structures inherited from the AltMedicine complex.

The relevant beliefs that protect the influence of this particular memetic complex from ordinary disproof procedures are generally those of “Distrust of Establishment,” “False Standard of Proof,” and “Perceived Optimal Cost/Benefit Ratio;” all of which are inherited from the generalized Alternative Medicine memetic complex.

Distrust of Establishment is a generalized tendency for those who adhere to this memetic complex to hold beliefs that “conventional medicine” or “the establishment” is either ineffective or actively harmful to the host’s well-being. The more severe implementations of this construct tend to be found in those hosts who hold other conspiracy theory constructs. This acts as an adjunct memetic construct that protects other beliefs from scrutiny or criticism labeled as “scientific” or “rational;” the perception of the host’s beliefs regarding the validity of “scientific” or “rational” inputs is diverted to a default disbelief and rejection state before any evaluation of such claims is made.

False Standard of Proof is an adjunct construct whereby a misstatement of the scientific method is held to be a requirement for belief in any new claims. This construct is common to many “Alternative Medicine” memetic complexes, and is found fairly widely in pseudoscientific memetic complexes in general. It is, in essence, a hijacking of the concept of the scientific method that produces pseudoscientific results, generally by (consciously or unconsciously) lending credence only to those facts that support a position rather than adopting a position in accordance with facts. It generally acts to protect any extant memetic structures through a perception that others’ claims “must be questioned.”

Perceived Optimal Cost/Benefit Ratio is one that particularly applies to homeopathy; it is based upon the perception of a very low risk of side effects from homeopathic preparations as opposed to those from “conventional” medicine (due mostly to the fact that homeopathic preparations are, frankly, almost entirely water, which very very few people have any reaction to) and that any benefit derived from homeopathy would thus be far and above better than any “conventional” drug.

Excising this construct from the host to alleviate the memetic hazard is a difficult task. To do so requires that the adjunct memetic structures–specifically, the False Standard of Proof and, especially if conspiracy-derived, the Distrust of Establishment memetic constructs–be dissolved, preferably in favor of a proper understanding of the scientific method. Distrust of Establishment does not need to be replaced with -trust- in established medical procedures; conventional understanding of the validity of medical expertise will generally follow from any period of introspection after the memetic complex of “Homeopathy” or “Alternative Medicine” being invalidated.

It is worth noting that belief in homeopathy is not necessarily an indication for a memetic hazard; the indication for a memetic hazard is belief in homeopathy to the exclusion of conventional medicine. Keep in mind that the standard of a memetic hazard is the potential for harm to the host of the memetic construct or to those for whom the host makes decisions.

The University of Zurich has developed a new and improved fabric for waterproofs, stating that their invention has the potential to remain dry even after two months’ submersion in water.

It seems that very small fibres of silicone actively repel water from settling on the fabric, and that this effect is strong enough to cause water to roll off the fabric more quickly even than it would off the back of a duck.

Stefan Seeger explained the means by which this novel fabric acts by comparing it to the mysterious art of the fakir and his bed of nails. The New Scientist has provided a photograph of the effect in action.

Another application of this novel fabric currently being discussed is for reduced-friction bathing costumes; the repelling of the water is hypothesized to be amenable to less friction while submersed, which may lead to faster times for those athletes wearing the costume.

An application more useful to most readers would be a self-cleaning fabric suitable for suits and coats; should a suit be manufactured that shrugged off dust as easily as this fabric shrugs off water, doubtless it would be warmly accepted by many busy business-people.