Saturday, 19 January 2008

Buddha's Finger

This fruit is a Buddha's Hand Citron. Here we can ask: is it giving an opinion?

Are we free or is it all a deterministic illusion?

The issue of whether we are accountable for our own behaviour, or whether (and when) we are held firm in the clutch of biological factors and influences beyond our control, is one that has dogged both science and philosophy for millennia. Today this captivating subject is the province of behavioural biology and cognitive psychology, disciplines that investigate the exchanges that occur within the mind, brain, body and environment. Simply put, it entails the search for the factors in our brains that combine to make up our individual outlook.

Over two thousand years ago, Socrates taught us to "know thyself". Today, neither behavioural biology nor cognitive psychology has mitigated the complexities surrounding our understanding of human behaviour. The debate over free will rages within psychology, theology and philosophy. Defined by Sartre (1939) as our ability to choose and behave as we wish without our choices being determined by outside sources, free will is a concept that has been pondered by figures such as Richard Hanley, Robert Kane, B. F. Skinner, William Lycan and Noam Chomsky, among others.

Discussing B. F. Skinner and Robert Kane requires first introducing the concept of determinism. Determinism is the idea that all events are caused, occurring only as effects of the causes before them. Determinism presupposes that a prior event will necessarily or inevitably result in the consequent occurrence. In strong determinism, this leaves only one potential consequence for every subsequent occurrence, a conception closely linked to the theological notion of predestination. At its most extreme, the thought is that God has decided our destinies, leaving nothing to be done to alter the predetermined and indomitable conclusion of events. This can seem to lead to fatalism: if our destinies are already decided, we seem to lack the free will to control our future (Huxley, 1931).

Indeterminism, conversely, argues that events are not necessarily caused by a past occurrence. This idea proposes the opposite argument to determinism concerning the cause of human action, yet it can be said to reach the equivalent conclusion regarding free will. An arbitrary action that is not a consequence of control is thus not considered an act of free will (Kane, 1996). The result is that neither indeterminism nor determinism is akin to free will. In Skinner's view, "Individuals seek to explain behaviour by looking inward" (Skinner, 1971).

Skinner (1955) argues that free will does not exist. To Skinner, choice and behaviour are a consequence of outside influence derived from the environment, not of free will. In Skinner's world, societal control is unavoidable. Similar to Aldous Huxley's "Brave New World" (1939), "We are all controlled by the world in which we live, and part of that world has been and will be constructed by men" (Skinner, 1956). The paradox in Skinner's thinking is the realisation that free will is an illusion where "we cannot make wise decisions if we continue to pretend that human behaviour is not controlled".

Kane (1996) posed the question of free will differently by distinguishing between "surface freedoms" and free will. Being conditioned, "We would be free to act or choose as we will, but would not have the ultimate say about what it is that we will" (Kane, 1996). He admits that, although an incomplete explanation, "parenting and society, genetic make-up and upbringing have an influence on what we become and what we are". Influences in our lives add factors that do not fix our behaviour; rather, he argues, they persuade it. In this way, an individual cannot shirk all responsibility for one's actions and behaviour. Kane's paradox is that "undetermined events in the brain or body it seems would inhibit or interfere with our freedom, occurring spontaneously and not under our control", leaving behaviour both undetermined and within the individual's control. Kane's paradox may be more succinctly stated as: free will requires control. He attempts to alleviate some of the difficulties invoked by this paradox by proposing that the decision to conduct ourselves in a desired manner is contingent on an indeterminate process of resolutions. In selecting a desired behaviour we create determinate realities for ourselves as "one set of competing reasons or motives prevail over the others".

Skinner stated that "We cannot use good sense in human affairs unless someone engages in the design and construction of environmental conditions which affect the behaviour of men", believing that as individuals each of us ought to direct ourselves instead of existing under the control of another. Kane, in comparison, would dispute this, proposing that even when behaviour is conditioned or controlled, we retain something of ourselves for which we are obliged to take personal responsibility. As Skinner's determinism requires actions to be caused by external events, we could not have free will, leaving us in an illusion and removing responsibility for our actions.

Lycan (1987) addressed free will using the philosophical argument that an artificial intelligence can be regarded as human when "freedom of choice is acting in (roughly) for one's action to proceed out of one's own desires, deliberation, will and intention, rather than being compelled or coerced by external forces..." Proposing a solution in functionalism, Lycan considers behaviour to be derived from external influences, differing from Skinner in stating that they are not the result of external forces. In this point of view, "what matters to mentality is not the stuff of which one is made, but the complex way in which that stuff is organized" (Lycan, 1987). In this, human behaviour derives from psychological states that are functionally defined instead of being derived from a material composition. That is, behaviour is initiated through internal processes and not external factors.

Chomsky (1980, p. 39) changed many of the ways in which we perceive both learning and behaviour. In stating that "Innate factors permit the organism to transcend experience, reaching a high level of complexity that does not reflect the limited and degenerate environment", free will and hence the mind are developed through a process of continual learning and reassessment, where we can "usefully think of the language faculty, the number faculty, and others, as 'mental organs'". Oakhill (1988, p. 178) likewise regards "cognitive development as a continuous process".

"Darwinian algorithms" (Gigerenzer, 1995) suggest the notion of a "modular mind" derived through complexity. Fodor (1985, pp. 3-4; Fodor & Pylyshyn, 1988) expanded on this idea, taking the theories of Chomsky to propose a limited modularity where "hard-wired" genetic instructions are divided into discrete sub-systems or modules. Fodor (1985) defines these modules as "an informationally encapsulated computational system … innately specified … and characteristically associated with specific neuroanatomical mechanisms". These modules afford a perceptual input system that allows us to interact with the external world. Each of these modules is inherently domain-specific, involuntary and neurologically distinct. They are also, to an extent, determined genetically.

In this approach, it could be argued that we start with a predetermined set of physiological features that develop through a combination of both external factors beyond our control and a series of choices. Rene Dubos (1998, p. 8) takes this idea and encourages us to consider our actions and not to allow ourselves to behave "independent of natural forces …" lest we "become a robot", as "the humanness of life depends above all on the quality of man's relationships".

We have seen already that Skinner would have us believe that all behaviour is a consequence of external forces and events. The problem with such a radically empiricist stance is that there are too many ways to topple what is in effect a house of cards. Chomsky (1959, pp. 26-58) rejected the entire notion of Behaviourism in his review of Skinner's "Verbal Behavior" (1957). This paper changed the notions of deterministic thought and definitively put to rest the concept of behaviour being solely a result of external forces. It further set out the beginning of a new age in cognitive science.

Skinner sought a scientific taxonomy that could be definitively defined. In rejecting the use of terms such as "hunger" in the formulation of his methods, he attempted to define a quantitative methodology to describe mental states and conditions based on their external influences. Thus, rather than stating that an animal is hungry, Skinner would advocate quantitatively stating the level of deprivation; for instance, the animal was deprived of food for 30 hours. This, he believed, would allow for an accurate empirical analysis of the condition, in what was stated to be a more scientific classification than saying the animal was made hungry. While there is some truth in the need for more accurate data, Chomsky (1959) established how Skinner's language of "stimulus control merely add to the general mystification".

Pinker (1994), whilst accepting Chomsky's current principles-and-parameters approach, rejects Chomsky's scepticism. Pinker (1994) advocates that language ought to be considered an evolutionary adaptation, in a similar way to the eye, in that the chief components of each are intended to provide essential functions (Marr, 1982). Chomsky (1959) proposed a "language organ", with language supposed to be a discrete module in the brain. Pinker (1994, p. 112) notes "the mystery of how children's grammar explodes into adultlike complexity in so short a time", leading to the question of whether "grammar genes really exist or is the whole idea just loopy?" (Pinker, 1994, p. 332). The rapid acquisition of syntax in childhood is only achievable due to a set of "super-rules" "hard-wired" into the brain. The result is that the developing mind will associate the precise values to the parameters determining an individual's local language structure through a process of listening to the dialogue of their parents (Pinker, 1994, p. 22).

Language defines who we are. In Chomsky's perspective the "paradox of language acquisition" comes from the fact that "In a given linguistic community, children with very different grammar arrive at comparable grammars" (1983). So whilst "each child has a different experience, each child is confronted by different data – but in the end the experience is essentially the same. As a consequence, we have to suppose that all children share the same internal constraints which characterize narrowly the grammar they are going to construct". In this dilemma also lies the issue of free will. If we are defined, as Chomsky would have it, through language, then our actions and behaviours are also a function of language, making free will a paradox as well, in that an initial "starting condition" sets the initial state, which is then influenced both by our internalised choices and by the external environment. Like the development of language, both the internalised framework or modules and the interaction with external influences lead to our choices.

Consequently, it is not a determined pattern that leads to human psychology, nor pure freedom of choice, but a series of complex interactions derived from both genetics and our environment: nature and nurture. The question of whether behaviour is deterministic or a consequence of free will cannot be answered simply. It would appear that the best answer is both. In this, we are determined and react in accordance with a predefined set of instructions that provide for our perceptions and consequently skew our reality. On the other hand, external forces are interpreted through interactions with social groups, and the consequential effect is necessarily complex. Coupled with internal reflection, we manage to derive some sway over our cognition through choice even when moulded by genetics.

Bibliography
Chomsky, N. (1959). A review of Skinner's Verbal Behavior. Language, 35, 26-58.
Chomsky, N. (1968). Language and Mind. New York: Harcourt, Brace and World.
Chomsky, N. (1980). Rules and Representations. New York: Columbia University Press.
Chomsky, N. (1983). Interview with Noam Chomsky. OMNI, November 1983.
Dubos, R. J. (1998). So Human an Animal: How We Are Shaped by Surroundings and Events. Amazon co.
Fodor, J. D. (1985). Deterministic Parsing and Subjacency. Language and Cognitive Processes, 1(1), 3-42.
Fodor, J. & Pylyshyn, Z. W. (1988). Connectionism and Cognitive Architecture: A Critical Analysis. Cognition, 28, 3-71.
Huxley, A. (1931). Brave New World. Penguin Press.
Kane, R. (1996). The Significance of Free Will. Malden, MA: Blackwell.
Larkin, M. (2002). Professional Studies in Psychology: Course Notes. School of Psychology, University of Birmingham.
Lycan, W. (1987). Consciousness. The MIT Press.
Marr, D. (1982). Vision. San Francisco: W. H. Freeman.
Pinker, S. (1994). The Language Instinct. New York: William Morrow and Co.
Sartre, J.-P. (1939). Esquisse d'une théorie des émotions (Outline of a Theory of the Emotions). Free Press.
Skinner, B. F. (1953). Science and Human Behaviour. New York: The Macmillan Co.
Skinner, B. F. (1956). Freedom and the control of man. American Scholar, 1955-56, 25, 47-65.
Skinner, B. F. (1957). Verbal Behavior. New York: Appleton-Century-Crofts.

Thursday, 17 January 2008

Why do companies fail their PCI-DSS Audits

As an auditor for many years, the top failing I have noted with companies that process or store credit cards is a lack of adequate controls on the database. Next would come backups and storage. I have yet to see a company that has maintained adequate backups with encryption or has a process of compensating controls.

Encryption is generally inadequate or non-existent on both the network and the database. SSH is simple; there is no excuse to use telnet over the Internet!

Encryption is a key component of the "defence-in-depth" principle that the PCI DSS attempts to enforce. Even if other protection mechanisms or controls fail and an attacker accesses data, the data will be indecipherable if it is encrypted. Unfortunately, many companies stockpile credit card data on mainframes, databases and other legacy systems that are not, and were never, designed to support encryption. For these companies, encrypting stored data (data at rest) is a key hurdle in PCI compliance.

A compensating control is to obfuscate cardholder data without encryption. The PCI Data Security Standard allows obfuscation (making the credit card data unreadable) as a compensating control for not using encryption. One-way hashing, truncation and other approaches may all be used.
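The two obfuscation approaches named above, truncation and one-way hashing, as a worked example. This is added illustration code, not code from the post or from the PCI DSS; the sample PANs are publicly known test numbers (constructed input, not real cards), and the choice of a keyed hash (HMAC-SHA-256) with a key held outside the database is this example's own assumption about what "one-way hashing" should look like in practice.

```python
import hashlib
import hmac
import secrets

# Constructed sample PANs: publicly known test card numbers, not real cards.
SAMPLE_PANS = ["4111111111111111", "5500000000000004", "4012888888881881"]


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the first six and last four digits; the rest are discarded.

    Truncation is irreversible: the middle digits are never stored anywhere.
    """
    if not luhn_valid(pan) or not 13 <= len(pan) <= 19:
        raise ValueError("not a well-formed PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """One-way keyed hash (HMAC-SHA-256) of the full PAN.

    Assumption of this example: the hash is keyed because a PAN has little
    entropy (a 16-digit number with a known issuer prefix), so an unkeyed
    digest could be matched against a list of candidate numbers. The key
    must live outside the database that holds the hashes.
    """
    if not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def protect_record(pan: str, key: bytes) -> dict:
    """What the application keeps instead of the raw PAN."""
    return {
        "display": truncate_pan(pan),   # enough for receipts and support calls
        "lookup": hash_pan(pan, key),   # enough to match repeat transactions
    }


if __name__ == "__main__":
    # Placeholder key generated at runtime; a real deployment fetches it from
    # a key-management system and never stores it beside the hashes.
    demo_key = secrets.token_bytes(32)
    for pan in SAMPLE_PANS:
        print(protect_record(pan, demo_key))
```

The truncated form and the hashed form are kept for different purposes (display versus matching), and neither alone lets the full PAN be reconstructed; the Luhn check at the boundary stops malformed data entering either path.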

Wednesday, 16 January 2008

Stored Procedures and SQL injection

When the database server supports them, use stored procedures for performing access on the application's behalf. This will not eliminate SQL injection attacks, but it will reduce them.

It is feasible to write a stored procedure that constructs a query dynamically. This will not provide any protection against SQL injection. Correctly binding data input, through prepare/execute or direct SQL statements using bound variables, is the only way to obtain this defence.

Encapsulating the restrictions for a definite action (including query, update, delete and other calls) into an atomic stored procedure allows it to be documented and hardened. Doing this on a standalone basis lets you apply the agreed business rules to the database in a manner that can be trusted. The difficulty comes where a stored procedure calls another process or procedure; this adds complexity.

Using an atomic procedure makes the individual stored procedure larger, but does not prevent reusing code. When implementing atomic stored procedures for an operation, you make them more robust and simplify maintenance.

Remember: SQL injection is still possible if the dynamic SQL inside the stored procedure is not handled correctly.
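The point of the post, that encapsulation alone does nothing and only bound parameters do, shown with a runnable example. This is added code, not from the post or from the HP article it links; SQLite has no stored procedures, so each "procedure" here is a Python function that wraps exactly one database action, and the merchant table, the region allow-list and the hostile input are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample schema standing in for a card-processing database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE merchants (id INTEGER PRIMARY KEY, name TEXT, region TEXT)")
    conn.executemany(
        "INSERT INTO merchants (name, region) VALUES (?, ?)",
        [("Acme", "AU"), ("Globex", "NZ"), ("Initech", "AU")],
    )
    conn.commit()
    return conn


def merchants_in_region_dynamic(conn: sqlite3.Connection, region: str) -> list:
    """VULNERABLE: the query text is assembled from the caller's input.

    This is the dynamic-SQL stored procedure of the post: wrapping the
    concatenation in a procedure changes nothing, the input is still parsed
    as part of the SQL statement.
    """
    sql = "SELECT name FROM merchants WHERE region = '" + region + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def merchants_in_region_bound(conn: sqlite3.Connection, region: str) -> list:
    """HARDENED: the statement is fixed and the value is bound as a parameter.

    The driver passes the input as data; it cannot alter the statement's
    structure, whatever characters it contains.
    """
    sql = "SELECT name FROM merchants WHERE region = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (region,))]


# Constructed business rule: the only regions the application serves.
ALLOWED_REGIONS = frozenset({"AU", "NZ"})


def merchants_in_region(conn: sqlite3.Connection, region: str) -> list:
    """The 'atomic procedure' entry point: one documented action, one rule set.

    Checking the agreed business rule (known regions only) before the bound
    query gives a second, independent layer of defence.
    """
    if region not in ALLOWED_REGIONS:
        raise ValueError("unknown region: %r" % region)
    return merchants_in_region_bound(conn, region)


# Constructed hostile input: closes the string literal and adds a tautology.
HOSTILE_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("dynamic, normal :", merchants_in_region_dynamic(db, "AU"))
    print("dynamic, hostile:", merchants_in_region_dynamic(db, HOSTILE_INPUT))
    print("bound,   hostile:", merchants_in_region_bound(db, HOSTILE_INPUT))
    print("checked, normal :", merchants_in_region(db, "NZ"))
```

Run against the same data, the dynamic version returns every row for the hostile input while the bound version returns none, because the bound query is looking for a region literally named `' OR '1'='1`. The allow-list in the wrapper is the "agreed business rules" of the post made concrete: it rejects anything that is not a region before the database is asked at all.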

See the following site for more, or just google it:
http://h71028.www7.hp.com/ERC/cache/571032-0-0-0-121.html&ERL=true

Tuesday, 15 January 2008

Critical Readings... A must for all

I recommend that anybody involved with IT Security or Critical Infrastructure read a paper by Michael J. Assante:

Infrastructure Protection in the Ancient World
What the Romans can tell us about their Aqueducts – What we may apply to our modern infrastructures


This is available online from:
http://www.inl.gov/nationalsecurity/energysecurity/d/infrastructure_protection_in_the_ancient_world.pdf

The Abstract
This paper provides lessons learned from ancient Roman attempts to protect the aqueduct, which was considered one of their most critical infrastructures. It also offers an analogy to modern day efforts in securing our own critical infrastructures, particularly the Nation’s electric power grid.

Monday, 14 January 2008

Systems Review

Many people seem to make the over-simplification that all code can be written correctly and tested completely: that, no matter how long and complex the code, there is a way of determining its error rate. This is a fallacy.

The majority of libraries used in development (excluding open source, e.g. Linux) are compiled object code. In expecting that code be verified, are we expecting the world to stop using all code unless it has the source? That all source be checked? I fail to see how this could be completed; hence the issues with GCC a number of years back.

Dijkstra developed the "correct by construction" method. He also did extensive work on the mathematical proof of algorithms. References to these works are attached below.

Kurt Gödel, Alan Turing and Alonzo Church (GTC) did work which resulted in "Computability Theory". They discovered that certain basic problems cannot be solved by computers. Cohen, Hollingworth and Dijkstra all developed this theory further.

Now I get to error determination. GTC demonstrated in computational theory that it is not possible to create a machine that can determine whether an arbitrary mathematical statement is true or false. All code and programming is a mathematical statement or algorithm. The determination of the code's function is a mathematical proof (see Cohen and Dijkstra).

As it is not possible for either an automaton or a Turing machine to determine the correctness of a program in general, it is not possible to determine the effects of code in general, and only the simplest of automata are determinable.

Dijkstra started work on formal verification in the 1970s. Formal verification was the prevailing opinion at the time: that one should first write a program and then provide a mathematical proof of correctness.

"On the Cruelty of Really Teaching Computing Science" (Dijkstra, 1988) saw Dijkstra trying to push computable correctness. This missed the need for engineers to compromise, on the one hand with the physical world and on the other with cost control.

This is the issue. To move ahead and develop code that people want, we cannot complete mathematical software verifications. No machine (at least none yet known) can verify code in general. The term "machine" here refers to the computer science idea of a machine, not a physical item.

To state that all code should be verified would be great for me. I am a mathematician. Computers cannot verify code (see the theory of computation). This would make my mathematical skills in greater demand and help next time I go for a raise. (See Dijkstra, Turing et al. and all the other people who created the foundations of computer science.)

The use of finite state machines, labelled transition systems, Petri nets, timed automata, hybrid automata, process algebra, formal semantics of programming languages such as operational semantics, denotational semantics, Hoare logic, or any other existing method of computational verification just adds to the complexity.
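What "only the simplest of automata are determinable" means in practice, as an added example that is not from the post: a login-lockout state machine (constructed for this illustration) checked exhaustively by explicit-state reachability. The automaton, the safety property and the deliberately defective variant are all assumptions of this example. The check terminates and is conclusive precisely because the state space is finite; the same exhaustive procedure has no counterpart for programs in general, which is the post's point.

```python
from collections import deque

# Constructed example: a login-lockout automaton. State is the tuple
# (failed_attempts, locked, authenticated); the alphabet is three events.
MAX_FAILURES = 3
EVENTS = ("fail", "success", "reset")
INITIAL = (0, False, False)


def step(state, event):
    """Intended transition relation: a locked account accepts only 'reset'."""
    failures, locked, authenticated = state
    if event == "reset":
        return INITIAL
    if locked:
        return (failures, True, False)
    if event == "fail":
        failures += 1
        return (failures, failures >= MAX_FAILURES, False)
    if event == "success":
        return (0, False, True)
    raise ValueError(event)


def step_missing_lock_check(state, event):
    """Defective variant (constructed): 'success' is honoured even when locked."""
    failures, locked, authenticated = state
    if event == "success":
        return (failures, locked, True)
    return step(state, event)


def safety(state):
    """Property to verify: never authenticated while locked; counter bounded."""
    failures, locked, authenticated = state
    return not (locked and authenticated) and failures <= MAX_FAILURES


def check(initial, transition, events, prop):
    """Explicit-state reachability: BFS every reachable state and test prop.

    Returns (holds, states_visited, counterexample_trace). The search is
    exhaustive and terminates only because the state set is finite.
    """
    parent = {initial: None}          # state -> (predecessor, event) or None
    queue = deque([initial])
    while queue:
        state = queue.popleft()
        if not prop(state):
            trace = []
            while parent[state] is not None:
                state, event = parent[state]
                trace.append(event)
            return False, len(parent), trace[::-1]
        for event in events:
            nxt = transition(state, event)
            if nxt not in parent:
                parent[nxt] = (state, event)
                queue.append(nxt)
    return True, len(parent), []


if __name__ == "__main__":
    print(check(INITIAL, step, EVENTS, safety))
    print(check(INITIAL, step_missing_lock_check, EVENTS, safety))
```

For the intended automaton the check visits five states and reports that the property holds; for the defective variant it returns the shortest event sequence that violates it, three failures followed by a success. That trace is the kind of evidence a finite model yields and a general program cannot be made to yield.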

I recommend reading Dijkstra's paper "On the Cruelty of Really Teaching Computing Science". In it, Dijkstra argues for formal verification against software engineering. Yet we still trust in software security...

References

Cohen, Fred, “Protection Testing”, http://www.sdmagazine.com/documents/s=818/sdm9809c/, September 1998

Cohen, Fred, 1997, “Managing Network Security, Penetration Testing?”, Available from http://all.net/journal/netsec/1997-08.html

Cohen, Fred, 1996, “National Info-Sec Technical Baseline, Intrusion Detection and Response” Lawrence Livermore National Laboratory, Sandia National Laboratories December, 1996

Cohen, Fred, 1992, “Operating System Protection, Through Program Evolution” research for ASP, PO Box 81270, Pittsburgh, PA 15217, USA

Dijkstra, Edsger W. (1976). A Discipline of Programming. Englewood Cliffs, NJ: Prentice Hall

Hollingworth, D., S. Glaseman and M. Hopwood, "Security Test and Evaluation Tools: an Approach to Operating System Security Analysis," P-5298, The Rand Corporation, Santa Monica, CA., September 1974.

Sunday, 13 January 2008

And back in the Burbs

It is definitely summer and the fruit and vegetables are starting to ripen. I do not eat anywhere near as much fruit and vege as my physician tells me to, but when it is fresh it is easier.
The Babaco (like a paw-paw or papaya, but a hybrid) gives prolific amounts of fruit that ripen all spring and summer. It has a slightly lime flavour and makes a good addition to a fresh fruit drink.

The pumpkins are green but starting to swell. In this one small garden (which had paths once, I think; that's right, under the vege) we get all we need for the year and enough to give away as well.
Salad greens are also not an issue. I like a good range, so there are the normal Cos and other lettuces as well as solsice, various Chinese and Japanese greens and a variety of mustard brassicas; these add a little bite or spice to the salad.
Peas and beans are going strong. I have a Roman bean in this year. The beans are supposed to grow to a metre or longer; well, let us see. Snow peas directly from the vine are a great snack.
The flowers are marigolds. They reduce pests and stop me having to spray anywhere near as much as I otherwise would. With these, a little white oil and pyrethrum are enough most of the time.
Finally, the elderberry. They are still in bloom while there are ripe berries. I can see a good sauce.

Weekend Work

Good use of a bad thing.
Or... positive in the unwanted.
We have (like many farms) many rocks we do not want. They make slashing grass difficult and damage blades. Being on a hilly property, they find their way to the surface given time.
The answer is to make use of them. The pond is full of tadpoles, so this has made adding the second coat of sealant difficult and we had to keep topping it up (lucky we are on tank water or we would have an issue). Strange how you get more water when you collect your own. We get to waste water at the farm: watering plants, filling the pond, just leaving taps running. You would think it the opposite.
So we have extended the garden around the home and added a kitchen herb garden, adding both decorative plants and the majority of the herbs I need in the kitchen. There is also the coffee tree. Extremely necessary. We have also added an arch with wisteria to grow over it, and at the base is a water bowl. The kangaroos eat a good deal of the herbs, but they also aid in reducing the mowing around the homestead.
