Do We Really Care?

In September of 2001 the band P.O.D. released their song "Youth of the Nation" which begins with the lyrics:

Last day of the rest of my life
I wish I would've known
'Cause I would've kissed my mama goodbye

I didn't tell her that I loved her and how much I care
Or thank my pops for all the talks
And all the wisdom he shared

Unaware, I just did what I always do
Everyday, the same routine
Before I skate off to school

But who knew that this day wasn't like the rest
Instead of taking a test
I took two to the chest

Call me blind, but I didn't see it coming
Everybody was running
But I couldn't hear nothing

Except gun blasts, it happened so fast
I didn't really know this kid
He wasn't part of the class

Maybe this kid was reaching out for love
Or maybe for a moment
He forgot who he was
Or maybe this kid just wanted to be hugged

Towards the end of the song is this stanza:

Who's to blame for the lives that tragedies claim
No matter what you say
It don't take away the pain

When this song came out I was in high school.  I could still remember the reaction to Columbine which occurred when I was in middle school.  How could I have envisioned then that 16 years later we, as a nation, would have paid lip service over hundreds of bodies of adults and children about "never again" and then done precisely nothing to actually change the course of our society?

Honestly, I'm getting tired of trying to be nuanced about which gun owners are responsible and which aren't, it's about people not guns, it's a mental-health issue, did the Founding Fathers intend for an armed population as a hedge against tyranny, blah, blah, blah, blah.  The endless blathering only seems to amount to yet another dead child, yet another dead mother, yet another dead father.

What we're doing now, which is nothing, is not making the situation any better.

People who want to have continued access to firearms as part of their lifestyle need to stop hiding behind rhetoric and start proposing and implementing solutions.  I'm getting tired of holding a nuanced view on the matter while more people senselessly die.  I imagine there are more like me who, as time goes on, think that a "repeal and replace" of the 2nd Amendment might be the only way anything actually changes.

Research available options, pick a potential solution, plan and fund an implementation, study the outcome.  It really isn't that hard.

Do we really care?

The answer seems to be, "No."

Undermining the Credibility of an Investigation - A Game-Theoretic Analysis

Let's suppose you were the subject of a serious criminal investigation.  Further suppose you were also a prominent and influential public figure.  You know a priori whether there's anything damning that the investigation may find.  Should you choose to use your influence to affect the credibility of the investigation?  Should you bolster the credibility or undermine it?  Let's take a game-theoretic approach.

Like almost all game theory analyses we'll construct a payoff matrix to guide our analysis.  I suggest one axis capture the eventual outcome of the investigation: evidence of wrongdoing found (guilty) vs. no evidence of wrongdoing found (innocent).  The other axis will capture the subject's three possible actions regarding using their influence: bolster credibility (bolster), do nothing (null), undermine credibility (undermine).

Payoff matrix for subject using influence to affect credibility of investigation - Empty

|          | Bolster | Null | Undermine |
|----------|---------|------|-----------|
| Innocent |         |      |           |
| Guilty   |         |      |           |

We now need to consider each possibility in the matrix and assign a relative payoff.  The payoff value represents the utility of the scenario to the subject, that is, how much does the subject benefit based on the scenario represented by each cell.

I don't think it's particularly controversial to argue that any "Innocent" outcome will be good for the subject.  Better if the credibility has been bolstered, but slightly worse if the credibility is undermined.

Payoff matrix for subject using influence to affect credibility of investigation - Partial

|          | Bolster | Null | Undermine |
|----------|---------|------|-----------|
| Innocent | 20      | 10   | 7         |
| Guilty   |         |      |           |

Again, it shouldn't be controversial to assume that a "Guilty" outcome will be bad for the subject.  Worse if the credibility is bolstered, but slightly better if the credibility is undermined.

Payoff matrix for subject using influence to affect credibility of investigation - Complete

|          | Bolster | Null | Undermine |
|----------|---------|------|-----------|
| Innocent | 20      | 10   | 7         |
| Guilty   | -20     | -10  | -7        |

At a global view, it seems like the only reason to actively undermine the credibility of the investigation is if you believe the outcome will be "Guilty" as it will increase your utility.  That should be concerning to anyone paying attention to current U.S. politics.

I think there is one potential argument for modifying the "Undermine" payoffs.  If the undermining is an attack on the biases and motivations of the investigation, the supporters of the subject may see an "Innocent/Undermine" outcome as better than "Innocent/Null" because "even the biased investigation couldn't find anything."  A similar argument could be made about the "Guilty/Undermine" payoff.  The increased nuance becomes important if you think that the subject's actions are more directly tuned to either the supporters or opposers.

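Payoff matrix for subject using influence to affect credibility of investigation - Supporters/Opposers

|          | Bolster | Null | Undermine (Supporters) | Undermine (Opposers) |
|----------|---------|------|------------------------|----------------------|
| Innocent | 20      | 10   | 14                     | 0                    |
| Guilty   | -20     | -10  | 0                      | -14                  |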

These supporter/opposer payoffs are probably up for much debate, but I think this is probably a good ballpark.

With an "Innocent/Undermine" outcome, opposers will use the attacks on the credibility of the investigation against the subject.  But, supporters will see it as stronger evidence of innocence ("even the biased investigation couldn't find anything").

With a "Guilty/Undermine" outcome, supporters will see it as "proof" that the investigation was biased and not valid.  Opposers will see it as an attempt to evade justice.

What's interesting is if the subject cares only about supporters then the only better possible outcome than undermining the investigation is to bolster an investigation that finds the subject innocent.  If the subject, knowing a priori the truth of their actions, believes that the likelihood of the investigation concluding "Innocence" is almost zero and cares most about their supporters' response then undermining the investigation becomes overwhelmingly the best action to take.
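The reasoning above can be carried through numerically. The following is an added example, not part of the original post, and it goes beyond the text: it treats the subject's belief that the investigation will conclude "Innocent" as a probability p and blends the supporter and opposer payoffs with a weight w, both of which are assumptions introduced here.

```python
from fractions import Fraction

# (innocent payoff, guilty payoff) per action, copied from the post's tables.
BASE = {"bolster": (20, -20), "null": (10, -10)}
COMPLETE = {**BASE, "undermine": (7, -7)}
UNDERMINE_SUPPORTERS = (14, 0)
UNDERMINE_OPPOSERS = (0, -14)


def audience_table(w):
    """Payoff table when a fraction w of the subject's concern is supporters.

    w is an assumption of this example; the post only discusses the extremes.
    """
    blend = tuple(w * s + (1 - w) * o
                  for s, o in zip(UNDERMINE_SUPPORTERS, UNDERMINE_OPPOSERS))
    return {**BASE, "undermine": blend}


def expected_utility(payoff, p):
    """Expected payoff when the subject believes P(innocent finding) = p."""
    innocent, guilty = payoff
    return p * innocent + (1 - p) * guilty


def best_action(table, p):
    """Action with the highest expected utility at belief p."""
    return max(table, key=lambda action: expected_utility(table[action], p))


def break_even(table, a, b):
    """Belief p at which actions a and b have equal expected utility."""
    (ia, ga), (ib, gb) = table[a], table[b]
    return Fraction(gb - ga) / ((ia - ga) - (ib - gb))


if __name__ == "__main__":
    supporters_only = audience_table(1)
    print(break_even(supporters_only, "bolster", "undermine"))  # 10/13
    for p in (Fraction(1, 10), Fraction(1, 2), Fraction(9, 10)):
        print(p, best_action(COMPLETE, p), best_action(supporters_only, p))
```

With the supporters-only payoffs, undermining beats bolstering until the subject is more than 10/13 (about 77%) confident of an "Innocent" finding; with the opposers-only payoffs, undermining is never the best action.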

Does the President care so little about those who oppose him that he's willing to take another hit from them in the event that the Mueller investigation finds nothing?  Or is he expecting the investigation to find evidence of wrong-doing and he's laying the groundwork to salvage the only group possible?  Or is my analysis completely wrong?

Stop the Escalation of Stupidity

New reports over the weekend discussed that the U.S. Air Force is making preparations to return the global strike force of nuclear-weapon bombers to a 24-hour alert deployment schedule (which hasn't been done since 1991).  This follows weeks of inane bluster from the U.S. President about raining down "fire and fury like the world has never seen" upon North Korea.

Can we please stop with this escalation of stupidity already?

Even a cursory analysis of the situation between North Korea and the United States reveals that North Korea literally has nothing to gain by launching a first strike of nuclear weapons against the United States.  Not only would doing so guarantee their own annihilation, no other country in the world would feel particularly bad about it happening--and many would help carry it out.

For a country in North Korea's position, nuclear weapons can only serve as an insurance policy to encourage other countries (namely, the U.S.) to leave them alone.  If we briefly look at all the nations that have been invaded or bombed by the U.S. in the last 50 years (a disturbingly large number), you'll notice a pretty clear trend that we haven't touched any nation with a nuclear arsenal.  North Korea developing a nuclear arsenal, especially one that can threaten mainland U.S. cities, is an eminently rational move.

I am not remotely concerned about a first-strike nuclear attack from North Korea.

Unfortunately, I am concerned the U.S. President will create a situation where he feels compelled to do something stupid in order to save face.  Or will create a situation where North Korea feels like they are being existentially threatened and decides to take a few million people with them as punishment.

Acting irrationally and unpredictably can be a rational strategy.  North Korea has a good reason for appearing to be irrational and unpredictable because it can keep countries like the U.S. from engaging in overly threatening actions (like say, flying a squadron of nuclear-armed B-52s toward North Korea).  Such an aggressive act could be misinterpreted as an attack and a seemingly irrational and unpredictable leader in North Korea may order a retaliation rather than waiting to see where the planes are going.

Acting irrationally and unpredictably as the leader of a country like the United States is foolish.  You have nothing to gain.  Instead, you stand to lose credibility on the international stage.  Allies will become reluctant to support your cause if they believe your big mouth is what got you there in the first place.  No one feels particularly bad when the bully is waving his finger in someone's face, yelling, screaming, and threatening and the victim decides to punch them in the nose first.

I have no idea whether Trump really is a petulant child with a short temper and over-inflated sense of self-importance or not.  But acting like it is not making our country or the world a better place to live in.

Who's waging war against HTTPS?

In April 2016, Let's Encrypt went live.  Let's Encrypt is a group making it significantly easier to encrypt web traffic.  Some entity seems to have begun waging a war of public opinion against them.

Before Let's Encrypt existed, the convenient way to secure web traffic was to pay a company, which would then provide you with a "certificate" for your website.  Servers and browsers use these certificates to create a secure communication path between them.  This secure path (denoted by URLs starting with "https://" rather than "http://") prevents entities between your computer and the website from seeing or altering the data being sent to and from the website.

Because of the cost and inconvenience many websites used unsecured connections.  However, places like banks, shopping, and healthcare providers have pretty much always used secure connections.  It took a few years but eventually social media websites began using secure connections by default as well.

Before Let's Encrypt, millions of websites only had their content available via unsecured communications.  For many people, like myself, running websites without any goal of making money from them, the expense and hassle of certificates wasn't worth it.  Now, my websites are all available through secured connections, for free, thanks to Let's Encrypt.  (To be clear, many websites still haven't taken advantage of this service yet, but they at least have the option now.)

But, if banks and such use secure connections anyway, why do we care about Let's Encrypt?  Should I care if "someone" can see that I'm reading this blog post?

Maybe.

On March 28 Congress voted to repeal FCC regulations that prevented your Internet Service Provider (ISP) from spying on your web traffic and using that information to their financial benefit.  The regulations also prevented ISPs from altering your web traffic for similar purposes (e.g., injecting ads into a webpage when you view it).

Maybe you don't care if Comcast, or AT&T, or Verizon knows you like to knit and shop at JoAnn's Fabrics.  But maybe you'd be concerned if they started selling information to other companies about you visiting cancer treatment websites, or rape support groups, or divorce attorneys, or any number of kinds of sensitive information.

Using encrypted connections doesn't solve this problem entirely, but it makes the information available to your ISP a lot less useful.  For example, your ISP would still be able to tell you're looking at Amazon.com, but they wouldn't be able to tell if you're looking at knitting needles or books about infertility treatments.

Regardless of your stance, someone seems to be working hard to turn public opinion against Let's Encrypt and again make it harder to encrypt web traffic.  Articles like this one: "14,766 Let's Encrypt SSL Certificates Issued to PayPal Phishing Sites" have been showing up all over the Internet recently, all making similar claims that it is Let's Encrypt's fault that people are falling for fake PayPal scam websites.

I don't think it's actually PayPal behind these articles, because this problem is nothing new, but the concerted, direct attack on Let's Encrypt is new.

Let's Encrypt does not verify the identity of the person requesting a certificate.  Other certificate providers will do that for steep fees ($300+ per year), and these "verified" certificates are significantly different from the "non-verified" certificates issued by Let's Encrypt.  Instead, Let's Encrypt verifies that you control the website for which you're requesting a certificate, which is slightly different.

The argument made by these articles is that now someone can get _a_ certificate for "paypall.com" and people will think that the green lock icon on their browser means they're connected to "paypal.com" instead.  Which it doesn't and never has.  The "verified" certificates show up differently in your browser.  For example, on this blog you'll see something like this:

With a "verified" certificate you'll instead see something like this:

This indicates that the company issuing the certificate verified that the company requesting the certificate is "PayPal, Inc." and the certificate is for "paypal.com".

The articles want you to believe Let's Encrypt is somehow at fault if people end up at "paypall.com" with a green lock and think it's "paypal.com".  Let's Encrypt isn't providing "verified" certificates or trying to solve that problem.  The problem they're trying to solve is that too much web traffic is unencrypted by default because certificates were expensive and inconvenient.
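What tells "paypall.com" apart from "paypal.com" is a check on the hostname itself, not the lock icon.  The sketch below is an added example, not from the original post: it flags hostnames whose registrable domain is within a small edit distance of a protected one.  The protected list, the sample hostnames, the distance threshold and the two-label domain simplification are all assumptions made for illustration.

```python
PROTECTED = ["paypal.com"]  # the domain named in the post

# Constructed sample hostnames; only paypall.com appears in the post.
SAMPLE_HOSTS = ["www.paypal.com", "paypall.com", "PayPal.com.", "knitting.example"]


def edit_distance(a, b):
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of the hostname, lower-cased, trailing dot removed.

    Assumption for brevity: production code should consult the Public Suffix
    List, since suffixes such as co.uk have more than one label.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host, protected=PROTECTED, max_distance=2):
    """Return (verdict, nearest protected domain, edit distance)."""
    domain = registrable_domain(host)
    nearest = min(protected, key=lambda p: edit_distance(domain, p))
    distance = edit_distance(domain, nearest)
    if distance == 0:
        return ("genuine", nearest, 0)
    if distance <= max_distance:
        return ("lookalike", nearest, distance)
    return ("unrelated", nearest, distance)


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(host, classify(host))
```

A "genuine" verdict here only means the name matches; the browser's certificate validation is still what ties the connection to that name.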

Someone with a vested interest in being able to read and/or modify your web traffic has been working really hard to get these articles out and make it look like some kind of "public safety" issue.

I have no idea who that entity may be, but it's making me really annoyed.  Let's Encrypt is a good thing for anyone that thinks that their Internet communications should be private by default.

Update 3/31: Engadget just ran one of the attack pieces too: "When the 'S' in HTTPS also stands for shady".  Which is the most mainstream source running these articles that I've seen thus far.

To be completely clear, when a URL starts with HTTPS it only means that your connection is encrypted between your computer and the website--it has never meant anything about who is running the website or whether the website operator is trustworthy.

Line in the Sand

In February 2016 Donald Trump emphatically told the world, "I'd bring back waterboarding and I'd bring back a hell of a lot worse than waterboarding."

I've previously stated how unacceptable the use of torture is by our country.

So here's my line in the sand:

I am a software developer supporting the mission of counter-proliferation of weapons of mass destruction.  I am a member of the Intelligence Community.  If Trump reinstates the use of torture by American personnel I will resign from my job in the Intelligence Community in protest.

If we come to such a point, I may keep working at the Lab, but I will not work on intelligence projects and have my efforts in any way used in support of such despicable behavior.

Waterboarding is torture.  Anything "a hell of a lot worse than waterboarding" is torture.  I will not spend my time and energy on projects that imply that such treatment of prisoners is acceptable.

We should be better than that.

I am better than that.

What do you stand for?  What is your line in the sand?