Wiki Titles Singable to TMNT Themesong

Someone has set up a bot on Twitter that does nothing but tweet out Wikipedia titles that could be sung to the Teenage Mutant Ninja Turtles theme song.

Intellectual Laziness of the Right and Left

This year there were two epic screwups in fact checking in books published by authors on the left and right.

On the left, Naomi Wolf published her book Outrages: Sex, Censorship and the Criminalization of Love which, among other things discussed dozens of executions of homosexual men in Great Britain during the Victorian era. It turned out, however, that notations that Wolf concluded were evidence of an execution having been carried out were actually cases of a judge recommending the pardoning of a death sentence.

On the right, Doug Wead’s Inside Trump’s White House caused a stir by claiming that the Obama White House subjected intelligence officials to “nonstop PC [political correctness] meetings.” It turned out, sadly for Wead, that “PC” in this context refers not to “political correctness” but rather to meetings of the National Security Council Principals Committee. The officials that Wead interviewed were essentially complaining that under the Obama administration they had to vet their decisions with this committee, whereas the Trump administration let them more freely make decisions lower down the chain of command.

Everyone’s worried about deep fakes and false statements spread through social media, but what does that matter if authors and publishers can’t even be bothered to make certain they are accurately understanding and explaining key parts of their books?

In my opinion the issue isn’t so much deep fakes and social media–lies widely dispersed by the media have been with us since the birth of the newspaper–but the sort of credulity and confirmation bias that people like Wead and Wolf fall victim to (and those who support them…Wolf, for example, has repeated nonsensical claim after nonsensical claim her entire career and yet has no problem finding a publisher, an audience, and an alarming degree of respectability in some circles).

In Defense of Iterating Passwords

Most of the time Graham Cluley gives good advice regarding computer security (his Smashing Security podcast is both entertaining and informative), but I think he is wrong about workers who simply iterate their passwords when asked to change them on an arbitrary schedule.

Cluley writes,

So it’s important to ensure that all your passwords are unique, as well as being impossible to guess and hard to crack.

But that doesn’t mean it’s good enough just to make a minor change to your passwords.

A survey of 200 people conducted by security outfit HYPR has some alarming findings.

For instance, not only did 72% of users admit that they reused the same passwords in their personal life, but also 49% admitted that when forced to update their passwords in the workplace they reused the same one with a minor change.

Furthermore, many users were clearly relying upon their puny human memory to remember passwords (42% in the office, 35% in their personal lives) rather than something more reliable. This, no doubt, feeds users’ tendency to choose weak, easy-to-crack passwords as well as reusing old passwords or making minor changes to existing ones.

There are a number of things wrong with this analysis.

First, while it is almost always better to rely on password managers rather than memory to keep track of passwords, there are some situations where this is not feasible.

For example, the company I work for assigns me a single sign on username and password that I use not only to log in to company resources, but that I also have to use to unlock my company-provisioned laptop.

I need to be able to have a password that I can memorize in that case. I would argue that pulling out, say, a mobile phone, accessing my password manager, and then using that to type my password into my laptop is far less secure than memorizing it. I need to enter this password routinely throughout the day at meetings and in public places.

Second, as long as the memorized password is strong, there is little to no security implication for simply iterating the password when required to do so on an arbitrary schedule.

As Cluley himself notes later in the article, “I don’t believe it’s a good idea to force users to change their passwords unless there’s a cause for concern.”

So let’s say I have a secure passphrase along the lines of XKCD’s famous “correcthorsebatterystaple.” I have that memorized, and I only use it for my corporate SSO account. As Cluley points out, there’s no good reason to ask me to change that password every 3 months.

But, alas, that is what is going to happen. As long as I know this is just a routine password change request, there is no good reason to believe that “correcthorsebatterystapleone” is any less secure than “correcthorsebatterystaple.”

I could see someone saying, “Yes, that may be true, but if users get into the habit of simply iterating their passwords, they will also do that then when we need them to change passwords because of a potential breach or other issue.”

And this would, in fact, be very bad. But that’s a problem created entirely by this practice of enforcing arbitrary password change schedules. If your security team is the proverbial boy who cried “change your password” over and over where there wasn’t a genuine threat, don’t be surprised when they don’t respond appropriately to the real thing.

80% of Android Apps Use TLS to Encrypt Traffic

Back in 2018, Google announced that beginning with Android 9, it would prevent apps from using unencrypted connections by default. As of December 2019, Google notes that 80 percent of all apps in the Google Play store use TLS, and that rises to 90 percent of all apps targeting Android 9 and higher.

Android 7 (API level 24) introduced the Network Security Configuration in 2016, allowing app developers to configure the network security policy for their app through a declarative configuration file. To ensure apps are safe, apps targeting Android 9 (API level 28) or higher automatically have a policy set by default that prevents unencrypted traffic for every domain.

Today, we’re happy to announce that 80% of Android apps are encrypting traffic by default. The percentage is even greater for apps targeting Android 9 and higher, with 90% of them encrypting traffic by default.

Since November 1 2019, all app (updates as well as all new apps on Google Play) must target at least Android 9. As a result, we expect these numbers to continue improving. Network traffic from these apps is secure by default and any use of unencrypted connections is the result of an explicit choice by the developer.

That last sentence is a bit concerning. If app developers want to explicitly make their apps communicate through unencrypted connections, that’s fine, but as far as I can tell there is no way that consumers are made aware of this.

Just as modern browsers warn me that the website I’m visiting doesn’t use encryption, Google should inform users when they are using apps that do so as well. I’d be happy with a notification on the Google Play store page for such apps that “This app sends network traffic over unencrypted channels” or something like that.

(Yes, users could set up a packet analysis tool to look at the data their phone is sending, but they shouldn’t have to do so).

Paper: There Is No Artificial General Intelligence

Jobst Landgrebe and Barry Smith argue there is no such thing as artificial general intelligence.

The goal of creating Artificial General Intelligence (AGI) — or in other words of creating Turing machines (modern computers) that can behave in a way that mimics human intelligence — has occupied AI researchers ever since the idea of AI was first proposed. One common theme in these discussions is the thesis that the ability of a machine to conduct convincing dialogues with human beings can serve as at least a sufficient criterion of AGI. We argue that this very ability should be accepted also as a necessary condition of AGI, and we provide a description of the nature of human dialogue in particular and of human language in general against this background. We then argue that it is for mathematical reasons impossible to program a machine in such a way that it could master human dialogue behaviour in its full generality. This is (1) because there are no traditional explicitly designed mathematical models that could be used as a starting point for creating such programs; and (2) because even the sorts of automated models generated by using machine learning, which have been used successfully in areas such as machine translation, cannot be extended to cope with human dialogue. If this is so, then we can conclude that a Turing machine also cannot possess AGI, because it fails to fulfil a necessary condition thereof. At the same time, however, we acknowledge the potential of Turing machines to master dialogue behaviour in highly restricted contexts, where what is called “narrow” AI can still be of considerable utility.