In Praise of Instability

In the current referendum, the Yes side’s posters tell us that by agreeing to this new European treaty we are ensuring stability. “Stability” is seen as an obviously “good thing”.

But is it? I would suggest that human society will not only always suffer intense periods of instability, but that such a bout of instability can actually be a good (and in fact unavoidable) thing.

Stability means the survival of the status quo. It means that real reform need not be undertaken. It ensures that the rich stay rich and the poor stay poor. But what if the status quo is not fit for purpose, what if our ruling class is so abjectly corrupt and incapable of self-reform that it really must be displaced by some kind of major upheaval.

In the higher education system that we are all so familiar with, the response to the current crises has largely been “business as usual”. Maybe this shows commendable sang-froid in the face of a crisis. Maybe it’s the band playing on with a stiff upper lip as the ship sinks. Demanding higher and higher fees to sustain a high-cost educational model in the context of an increasingly impoverished population seems unsustainable to me. Which is something that everyone will admit to, but no-one will act on.

Europe has certainly undergone some major bouts of instability in the past century, and indeed the whole point of the EU was to prevent such terrible events ever occurring again. But if the idea was perpetual stability, then it’s clearly misguided, in fact delusional.

But I would hope that we do have the capacity and wit to manage instability to an extent, to ease the pressure on the tectonic plates moving beneath us before we have a major disaster. Vigorous root and branch reform of all of our institutions is the only way forward.

Certainly thinking we can vote our way to a future of endless stability, is just plain foolish.

The Strategic Myth

(or why tactics matters and strategy is largely a waste of time)

Take Napoleon for example. A brilliant tactical mind, able to adapt quickly to changing circumstances, an intuitive opportunist if there ever was one. However for famous people its never enough to just have a good tactical instinct, they want to be seen as having had a grand overall vision – a strategy – all along. So they wouldn’t argue if their sycophantic supporters retrospectively fitted a strategy to a run of tactical successes. But Napoleon fully understood his own genius and its limitations. Famously when asked for what he wanted in a general, he didn’t blather on about them having grand strategic visions – he merely wanted them to be “lucky”. Which interprets as wanting them to be the kind of general that makes their own luck by making shrewd tactical judgments in difficult circumstances.

So my thesis is that there is really no such thing as a strategy. Clever people are making it up as they go along and if it succeeds, then after the event they will maintain that they had a strategy all along.

Take DCU (where I used to work!). Every 5 years of so we would go through the process of developing a strategic plan (and you would think that the Soviet experience of 5-year plans would have been enough to kill off this kind of thinking, but in fact the Universities are the last bastion of Stalinism). Nothing reads as irrelevant as a 5 year old strategy document. When strategies fail, as of course most often they will, they are simply forgotten and pushed under the carpet, and not talked about any more. DCU Centres of Excellence anyone? In fact most staff realise instinctively that strategic plans are just a waste of time, and don’t even bother to read them. It’s like a good bus service, if you miss this one it doesn’t really matter as there will be another one along shortly. But it’s the waste of time and energy that goes into this whole line of thinking that is so objectionable.

Irish Governments are classic slaves to the strategic myth. They are constantly developing plans, commissioning reports - and then shelving them. Which does of course give the impression of having a plan. In fact they are rather cluelessly thrashing around, trying to identify some other country’s strategy to slavishly follow, and missing any number of tactical opportunities in the process. Strategic thinking is a refuge for the intellectually limited. It’s also a great cover for can-kicking and the avoidance of decision making.

In the modern fast-moving world, strategy is even more irrelevant. The whole basis of the proposed strategy is likely to change overnight, rendering the strategy irrelevant, often before the ink is dry on it.

And go on, admit it – what we really admire is the good tactician, the person who can “take the ball on the hop” and do something innovative and clever with it. The person who sees an opportunity, rips up the strategy document, and just goes for it.

Moving an Eircom Pole

Sometimes when you get planning permission in Ireland for an extension to a house there is a requirement to move a utility pool (typically an ESB or Eircom Pole). Either to make way for the new extension or as a condition of the planning permission.

Now the cost of moving the pole falls to the house owner. So how much does it cost? This seems to be shrouded in mystery, and all queries get the response "it depends".

In our case the planning permission conditions required the movement of two poles, one ESB one Eircom. Double trouble. The Eircom pole had nothing to do with the extension, it is far away from the house out on the road. Nevertheless its movement was part of the planning permission, for valid road safety reasons. In other words moving it anyway was a good idea, and this was the planners opportunity to get it moved at our expense by making its movement a condition of the planning permission.

(BTW Cavan County council demand €8K up front for themselves, and also insisted on a completely unnecessary upgrade to our perfectly functioning septic tank. Overall it turns out we would need to stump up about €20K before we paid anything towards the extension itself).

Anyway, getting back to the Eircom pole. The total movement was by 2 metres, We ourselves are not served from this particular pole.

I emailed Eircom and asked for a ballpark figure. They ignored that and told me that first I would have to pay up-front €340.50 for a survey. The cost of the survey would be deducted from the overall cost if we decided to go ahead. Some googling around indicated that the cost would be expensive, with prices fluctuating wildly. On the assumption that only an aggrieved minority post their experiences on the Internet, I guessed it would come in at around €2K.

So I paid my €340.50, and waited. A couple of months later this arrived.

So now you know. The attached invoice indicated that the Labour cost came to an astonishing €3162.50. Note the bit where it says that the final cost may increase (to God Knows What) and that we may have to pay more.

I guess if I wait long enough a passing truck will eventually demolish the damn pole. There have been a few near misses already.



DIY University Rankings - Take 2

Time for an update on the Scott I-Index of Universities/Major ITs in Ireland, as originally described here

http://begrudger.blogspot.com/2012/01/diy-university-ranking.html

1. UCD – 58 (+1)
2. DCU – 56 (-1)
3. TCD – 55 (+1)
4. UCG – 52 (-1)
5. UCC – 36 (+1)
6. QUB – 34 (-1)
7. Maynooth  – 21
8. Limerick – 19 (+2)
9. DIT – 18 (-1)
10. Ulster– 14 (-1)
11. Waterford IT – 14

Change in position in brackets. Not much movement really. Getting a bit bunched at the top, but Euro-for taxpayer Euro, DCU still the best. Even with me gone!

Of PINs and Passwords

When it comes to securing things that are important to us, sometimes we are asked to provide a Password and sometimes a PIN. The latter are clearly to be preferred, as they are only 4 digits long and easy to remember. Most of us re-use the one PIN for everything. I don’t know about you, but I have two different ones I use in different contexts.

Passwords are a curse. On the Internet we seem to need more and more of them, and not only that, there is now an insistence that a password should have a minimal length of 8 characters and some of the characters should be Capitals and some should be numerals. Again I have no idea what others do, but I have three passwords I recycle in various forms. If one of them was previously “mongoose” I now would use “Mong00se” to get past the security fascists. But of course such passwords are much harder to remember.

A common solution is to download a free “Safe” onto your computer and store all of your passwords in that, with the Safe itself protected by a single hyper-secure password. For example, see

http://passwordsafe.sourceforge.net/

But of course this is literally putting all of your eggs in one basket. Another nice idea is OpenID. See http://openid.net/. Here the one set of credentials (for example your Gmail or Facebook login) get you into a multitude of sites.

But why does a PIN work in one context, but a password is required in another? It depends on the kind of problem you are trying to set an attacker who is out to get you.

Now a PIN or a password has a certain amount of “entropy”, or unguessability. A PIN has exactly 4 decimal digits worth of unguessibility.  In the worst case it would take an attacker 10,000 guesses to find your PIN. A password on the other hand would be expected to have at least 16 decimal digits worth of unguessability, so it should  take an attacker up to 10,000,000,000,000,000 guesses to crack it. These attacks are sometimes called brute force, or dictionary attacks. The attacker simply works though a list of all possible PINs or all possible passwords. The counter-measure is to make the dictionary simply too big to be attacked in this way. For a PIN it is, roughly speaking, sufficient that a dictionary attack should be hard for a human. For a password, a dictionary attack should be impossible even for a fast computer.

Which you need, PIN or password, depends on the context in which it is used, and how much it costs to make a guess. In short a PIN is used in a context where it is only exposed to “on-line “attacks, and a password is needed if it should be exposed to an “off-line” attack. A PIN can typically be used in the context where an attacker is forced to go on-line to some entity outside of his/her control in order to test a guess.  And that entity can make it costly to make a guess, and can punish a wrong guess. The classic example would be if an attacker were to steal your ATM card. If they don’t know the PIN the only way to test a guess is by trying the card in an ATM machine. And after a few wrong guesses the attacker will be rumbled, and no further guesses allowed. So in practise it would be difficult to even make 100 guesses, never mind 10,000.

But if you are storing data in the cloud, it needs to be encrypted. And encrypted data is only really safe if it is protected by a key created from a suitably “high entropy” password.  An attacker who gains access to the encrypted data (which must be assumed to be possible– otherwise why is it encrypted?) can, at their leisure, program a computer to try a multitude of guesses for the key at computer speeds and leave that program running overnight. Now a computer can attempt one hell of a lot of guesses in 24 hours! Hence the need to hide our needle in a haystack of at least 10,000,000,000,000,000 needles.

The problem here is that computers are getting faster and faster, and can search bigger and bigger dictionaries. And search algorithms can be perfectly parallelized, so 100 computers can complete the search 100 times faster. Which explains the recent insistence on more and more elaborate, and hence less and less easily memorisable, passwords. And the elephant in the room is the fact that 10,000,000,000,000,000 is actually not nearly enough, it really should be 10,000,000,000,000,000,000,000,000 which is reckoned to be the bare minimum for reasonable levels of security against a sophisticated and powerful attacker with massive parallel computing resources at his/her disposal. And to make matters worse the patterns that appear in memorisable text can be exploited to reduce this search space still further. So unless you are using a password like iUy78t^&aB1@ you really can’t be feeling 100% secure.

Conclusion: Wherever possible a PIN is obviously preferred to a password. Systems should clearly be designed so that an attacker must always be forced to go on-line to test a guess.

On a serious note, I would suggest that the whole Internet/Cloud Computing project is at risk until and unless this problem can be solved!

Stupid Old Pencils

As Bertie Ahern famously described our manual method of voting in Ireland.

It turned out our manual method was far superior to a proposed e-voting system. This came to mind again last week as I saw students in some pain from the effort of three hours of non-stop handwriting. Clearly exam time is the only time that prolonged handwriting is required anymore.

e-voting and e-learning would, at first glance, appear to have little in common.

At first glance both appear to be “easy” activities to revolutionise using technology. Computers can count (extremely quickly and accurately), hence e-voting should be simple - no need for hundreds of people manually counting votes. Modern methods of communications mean that the very best educational material can be widely disseminated with ease via the internet - no need for the classroom!

And that's what they have in common - in fact they are not easy problems to solve at all! On the face of it technology should be very relevant to these processes but in fact its very frustrating to get it to work effectively. E-voting involves all sorts of subtleties around security, and preventing things like vote buying, and coercion, not to mention the integrity of the poll and trust in the result. With e-learning the problems are mostly around accreditation. In both cases it proves very hard to come up an alternative to our “stupid old pencils” for voting, and old fashioned in-class lecturing and the handwritten exam for measuring learning.

Consider for a moment the problem of setting and marking an exam over the internet. It doesn't take long to see what the problems are. How do you prevent collusion and cheating? How do you know who is actually doing the exam? How can you prevent candidates communicating?

Getting the worlds best teachers to record lectures which anyone can access is the easy part! But the economies of scale which should therefore arise are pretty pointless if each student still needs to be individually tutored, assessed and examined.

We still vote by making a mark on a piece of paper. We still mark exam papers by red-penning hand-written scripts. Both activities are in fact stubbornly resistant to technology.

So are we to conclude that there are activities for which technology in just naturally inappropriate?
No. These problems are probably not insuperable. Cryptographers have already come up with very cunning techniques to support e-voting, even internet voting. For example see
http://eprint.iacr.org/2011/568

Perhaps in time some-one with come up with a high-tech solution for e-learning/e-accreditation. But we are not there yet.

DIY University Ranking

Rank your own!

Worried about the methodology (and agenda) of existing university ranking organisations?

Consider this institutional citation count. Note that a variant of this proposed measure is also used, and heavily weighted, by those other ranking organisations. Indeed it is probably the biggest, and least subjective component in the mix. It is based on the number of citations to research papers written by staff members.

Its easy – go to this Web page
http://scholar.google.com/citations?hl=en&view_op=search_authors&mauthors

(I know you get an error message) and input the name of a university in the box at the top and click on “Search Authors”. Then, starting from the top count down (1,2,3..n) through the staff until your count n is greater than the citation count for the next staff member. Lets call this the institutional or i-index. For example type “Dublin Institute of Technology” without the quotes, click on Search Authors, count down through the list, not forgetting to click Next to move to the next page. You get a score of 13. Not bad! (Note all these counts were observed on January 10^th, and are liable to change in the meantime)

Now let’s try and calibrate the method using some world famous universities. In major ranking exercises Harvard and Stanford often comes out ranked number 1 or 2, and Oxford typically 4 or 5. According to the proposed method Harvard scores 233, Stanford scores 159 and Oxford 126. Looks about right.

For Irish Universities (and some prominent ITs) the ranking is (drum roll please!)

1. DCU – 40
2. UCD – 38
3. UCG – 34
4. TCD – 26
5. QUB – 26
6. UCC – 22
7. Maynooth – 15
8. DIT – 13
9. Ulster– 11
10. Limerick- 11
11. Waterford IT – 5

Not quite what you expected? Well you can hardly complain that Google’s algorithms have an axe to grind when it comes to Irish Universities…

Lots of interesting observations can be made. Obviously DCU comes out on top – so no surprise there . Drilling down a little deeper, and from a purely parochial point of view, observe that Computing is still far and away the dominant research school within DCU.

Colleagues from other universities (and departments!) might complain that their staff have not “signed up” with Google Scholar. My response is – if you choose to hide your light under a bushel, who is to blame? You or the bushel?

But of course I accept that as more academics sign up with Google Scholar, the more accurate the measure will become. I have observed that academic applicants for jobs now often attach their Google Scholar citation profile, so its use is rapidly becoming more widespread. Certainly if I am to interview an academic for a research post, it’s the first place I look, and I know that internationally colleagues are doing the same.

Lets fall in Love

Everyone is doing it (with apologies to Cole Porter)

Irish kids are doing it..

http://coderdojo.com/

Regular guys are doing it..

http://codeyear.com/

Girls are doing it…

http://girldevelopit.com/

The Mayor of New York is doing it...

http://www.bbc.co.uk/news/technology-16440126

They are all coding! Also known as Computer Programming.

It would be great to be able to say that Irish Schools were doing it (by and large they aren’t ). But the pressure for coding to become part of the secondary curriculum is building up all over the developed world, and hopefully we will not be too far behind.

Of course I am old enough to have seen all this before. For me coding is still a hobby that I love.

The early 80’s was the era of the coding hobbyist magazine, with titles like Personal Computer World (PCW), Practical Computing (UK) and Dr. Dobbs Journal (US). PCW closed in 2009 having long morphed into a rather dull trade magazine, Practical Computing closed in the 1990’s, and even Dr. Dobbs disappeared as a print magazine, but lingered on as a Website. However interestingly in March last year Dr. Dobbs commenced a resurrected PDF version of the magazine. In fact it would seem like the perfect time for some entrepreneurial type to launch a new hobbyist magazine to ride the current wave of popularity.

In the 80’s inexpensive home computers first became available, and since they didn’t do much of anything unless you programmed them yourself, learning to program was an absolute requirement. I still recall my pleasure in having an article accepted for publication in Practical Computing, featuring a program to solve alphametic puzzles.

Then in the late 1990s personal computers became things you played games on rather than programmed yourself, and the hobbyist scene died away. But now its back with a vengeance, and our discipline will certainly benefit from the renewed surge in interest. Exposure to coding at a young age brings huge benefits to all.

So maybe its time to fall in love with coding all over again.

And the bottom line is - coding is a skill that gets you a well paid job.