New supervisor

10 October 06

This guy will be my supervisor for my MSc, just as I was hoping. He’s done a lot of very cool work on quantum information processing. What’s more, his Erdős number is three.

This should be an interesting year!

Road traffic simulation

25 September 06

This weekend we’ve done a lot of driving, which got me thinking about the emergent properties of traffic. Here’s a nice paper about simulating road traffic as cellular automata. The chap says he can simulate Germany’s whole Autobahn network in real time.

paaac release

21 August 06

It’s almost the end of my contract here, so I’ve tidied up my Perl access control stuff for the boss to look through. It’s all commented and there’s even a readme!

A sanguine blessing?

16 August 06

As Catholics will know, the Latin for a blessing is “benediction” – obviously meaning “to speak well of”. The Greek word “eulogein” has the same sense, while the Hebrew connotes bending at the knee as in worship. These images are easy for us to connect with our sense of “blessing”, but our “native” European word “bless” has rather darker roots.

When Christianity was introduced to pagan peoples in Europe, lots of subtle concessions to the old ways were made in order to ease the transition – the dates of many major Christian holidays, for example. Translations of the Bible into pagan tongues also needed a careful touch – too many foreign words and concepts would have overwhelmed the new (and often not very willing!) converts. So when the Roman concept of a blessing was translated into Germanic, they used the pagan word “blothisojan” – meaning to sprinkle with blood! This, of course, was what the pagans used to do to their altars by way of “blessing” them, so the translators found it the most apposite word to use. One has to wonder how long it took for the word to shake off its pagan connotations.

Major paaac update

16 August 06

I’ve done a lot of re-working of my Perl access control code. Now it’s much less clunky – all the important stuff is in one CGI file and one setuid wrapper script (plus the libs of course). Not a static HTML file in sight!

I’ve deliberately resisted using (or even reading much about) web programming frameworks and the like; I use CGI.pm of course – I’m not a masochist – but I’ve tried to do all the cool stateful HTTP stuff myself. I was tempted to do it with lots of continuations, but as it is I just managed to squeeze in some first-class functions:

use strict;
use warnings;

# Fork, run the privileged core with the arguments, and hand its one-line
# reply to the continuation $kont (a code ref) instead of returning it.
sub do_stuff {
	my $kont = shift;
	my @args = @_;

	# open(..., "-|") forks; the child's STDOUT becomes the parent's pipe.
	# The value returned is the child's pid (0 in the child), not an fd.
	my $pid = open(my $fh, "-|");
	die "Can't open pipe: $!" unless defined($pid);
	if($pid == 0) {
		# Child: become the setuid core. If exec fails we must die here,
		# or the child would carry on running the CGI's own code.
		exec "./suid_core.pl", @args or die "Can't exec suid_core.pl: $!";
	}else{
		# Parent: read the reply, close the pipe (which reaps the child),
		# then call the continuation with it.
		my $reply = <$fh>;
		close($fh);
		$kont->($reply);
	}
}

Slick, eh?

My access control code uses a couple of files to store authentication information – passwords in one and cookies in another. In order to access them from a CGI script they need to be accessible to www-data (or whoever I’m suexec’ing the script as). This means, of course, that a serious enough flaw in the CGI (or someone else’s CGI!) would give an attacker full access to all those files.

To get around this problem, I’ve written a set-uid root script which sits in between the (untrusted) CGI and the (secure ;-) auth backend. All the important files are owned by root so this SUID wrapper is the only way to do anything useful.

It all looks nice, but I’m scared. In theory it’s even more secure because the goodies are protected even if the web server gets hacked, but I can’t help thinking that somewhere I’m opening a huge hole straight to root…
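What the privileged side of that boundary has to do, as an added example in the spirit of the post’s suid_core.pl. It is not the author’s paaac code, and the path /etc/paaac/passwd, the user:salt:sha256hex file format and the command name are assumptions. Linux ignores the setuid bit on #! scripts, so a core like this gets its privilege from suidperl or from a small setuid C launcher; the example assumes that has been arranged and concentrates on the part that decides whether there is a hole straight to root: it runs under taint mode, scrubs the environment, admits only a named command with a fixed number of pattern-checked arguments, and never lets the caller choose a file name.

```perl
#!/usr/bin/perl -T
# Hypothetical privileged core in the spirit of the post's suid_core.pl.
# Added example, not the author's paaac code; the file name, the
# "user:salt:sha256hex" password-file format and the command names are
# assumptions. It is meant to be started with raised privilege by a setuid
# launcher and to answer one request per invocation with one line on STDOUT.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use File::Temp qw(tempfile);

# 1. Trust nothing inherited from the CGI. Taint mode (-T) refuses to run
#    anything external until PATH is fixed and these variables are gone.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV PERL5LIB PERL5OPT PERLLIB)};
$ENV{PATH} = '/usr/bin:/bin';

# Root-owned file the CGI cannot read (assumed path). It is deliberately a
# constant rather than an argument, so the caller can never redirect us.
our $PASSWD_FILE = '/etc/paaac/passwd';

# 2. Every argument must match a strict pattern; the capture is what
#    untaints it. Rejecting here keeps junk away from file names, regexes
#    and (if we ever had one) a shell.
my %ARG_PATTERN = (
    user     => qr/\A([a-z_][a-z0-9_-]{0,31})\z/,
    password => qr/\A([\x20-\x7e]{1,128})\z/,     # printable ASCII
);

sub untaint {
    my ($kind, $value) = @_;
    defined $value && $value =~ $ARG_PATTERN{$kind}
        or die "bad $kind argument\n";
    return $1;
}

# 3. The operations the CGI may request, by name, with the kinds of
#    arguments each expects. Nothing outside this table is reachable.
sub check_password {
    my ($file, $user, $password) = @_;
    open(my $fh, '<', $file) or die "cannot open $file: $!\n";
    while (my $line = <$fh>) {
        chomp $line;
        my ($u, $salt, $hash) = split /:/, $line, 3;
        next unless defined $hash && $u eq $user;
        return sha256_hex("$salt:$password") eq $hash ? 'OK' : 'DENIED';
    }
    return 'DENIED';    # unknown user is indistinguishable from a bad password
}

my %COMMANDS = (
    check => { args => [qw(user password)], run => \&check_password },
);

# Validate, then run: the only path from argv to a privileged operation.
sub dispatch {
    my ($file, $cmd, @args) = @_;
    my $spec = (defined $cmd && $COMMANDS{$cmd})
        or return 'ERROR unknown command';
    return 'ERROR wrong argument count' unless @args == @{ $spec->{args} };
    my @clean = eval { map { untaint($spec->{args}[$_], $args[$_]) } 0 .. $#args };
    if ($@) { chomp(my $err = $@); return "ERROR $err" }
    return $spec->{run}->($file, @clean);
}

# Started with arguments: answer the request in @ARGV and exit. Started
# without any: a constructed demo against a throw-away password file, so
# it can be tried unprivileged.
if (!caller) {
    if (@ARGV) {
        print dispatch($PASSWD_FILE, @ARGV), "\n";
        exit 0;
    }
    my ($fh, $tmp) = tempfile(UNLINK => 1);
    my $salt = 'a1b2c3d4';
    print $fh join(':', 'alice', $salt, sha256_hex("$salt:hunter2!")), "\n";
    close $fh;
    for my $req (['check', 'alice', 'hunter2!'],      # OK
                 ['check', 'alice', 'wrong'],         # DENIED
                 ['check', '../../etc/shadow', 'x'],  # ERROR bad user argument
                 ['rm',    'alice'],                  # ERROR unknown command
                 ['check', 'alice']) {                # ERROR wrong argument count
        printf "%-40s -> %s\n", join(' ', @$req), dispatch($tmp, @$req);
    }
}
```

Run the demo with perl -T suid_core_example.pl (the -T on the #! line makes a plain perl invocation refuse to start). Two caveats worth carrying over to a real deployment: the post’s do_stuff hands the arguments to exec, so a password passed that way sits in the core’s argv and is visible to every local user through ps (a bidirectional pipe such as IPC::Open2 would keep it off the process table); and salted SHA-256 is used only to keep the example dependency-free, since a real password file wants a deliberately slow hash.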

A stupid mistake

11 August 06

A few days ago I had an idea to make my Perl auth code more secure. Rather than sending the password en clair and hashing it when it gets to the server, I wrote some JavaScript to hash it client-side and send the hash to the server, then changed a line of code server-side to forget about hashing the incoming password. It took me about thirty seconds to realize why it was stupid after changing that one line, but not before spending about an hour implementing the rest. D’oh!

My physics teacher told me that one of his tutors had had a large sign up in his room saying simply “THINK”. The more mistakes like this I make, the more profound that sign seems!
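The reason that one line is a mistake, shown as an added example that is not the author’s code: once the server stores whatever the client sends and compares against it directly, the stored hash is itself a valid credential, so anyone who reads the password file can log in without ever learning a password. The user name, salt and password are constructed for the demo, and SHA-256 stands in for whatever hash the original code used. The third caller shows the limit of the fix too: hashing on the client does nothing against someone who sniffs the wire, because the hash replays just as a password would.

```perl
#!/usr/bin/perl
# Added example, not the author's code: what the "one line" change does.
# Hashing on the client and storing what arrives unchanged means the
# password file now holds valid login credentials. User name, salt and
# password below are constructed for the demo.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

my $password    = 'hunter2!';                # what Alice types
my $client_hash = sha256_hex($password);     # what the new JavaScript sends

# Scheme 1, the post's change: the server no longer hashes; it stores the
# incoming value and later compares against it directly.
my %store_naive = ( alice => $client_hash );

sub login_naive {
    my ($user, $wire) = @_;
    return 0 unless exists $store_naive{$user};
    return $store_naive{$user} eq $wire ? 1 : 0;
}

# Scheme 2: the server still hashes whatever it receives, with a per-user
# salt, before storing or comparing. Stored value and wire value differ.
my %store_fixed = ( alice => { salt => 'a1b2c3d4' } );
$store_fixed{alice}{hash} = sha256_hex("$store_fixed{alice}{salt}:$client_hash");

sub login_fixed {
    my ($user, $wire) = @_;
    my $rec = $store_fixed{$user} or return 0;
    return sha256_hex("$rec->{salt}:$wire") eq $rec->{hash} ? 1 : 0;
}

# Three callers: the real user, someone who copied the password file, and
# someone who sniffed the wire. Each row is [who, naive verdict, fixed verdict].
sub compare_schemes {
    return (
        [ 'real user',    login_naive('alice', $client_hash),
                          login_fixed('alice', $client_hash) ],
        [ 'stolen file',  login_naive('alice', $store_naive{alice}),
                          login_fixed('alice', $store_fixed{alice}{hash}) ],
        [ 'sniffed wire', login_naive('alice', $client_hash),
                          login_fixed('alice', $client_hash) ],
    );
}

printf "%-14s naive: %-8s fixed: %s\n",
    $_->[0], ($_->[1] ? 'accepted' : 'rejected'), ($_->[2] ? 'accepted' : 'rejected')
    for compare_schemes();
```

The "stolen file" row is the point of the post: the naive scheme accepts the stored value as a login, the fixed one does not. The "sniffed wire" row is the same in both, which is why the client-side hash never bought anything in the first place; only transport protection (or a challenge-response exchange) stops replay of what crosses the network.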

Wine and water again

9 August 06

The answer to this problem is fairly easy to work out: the two glasses end up with wine/water in the ratio T:t and t:T. However, I can’t (yet!) work out what happens after n iterations of this process. It seems intuitively obvious that it would tend asymptotically to 50:50 but I can’t prove it. Am I being stupid?

(T, by the way, is the size of the glass; t is the size of a teaspoon.)
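The n-iteration question, worked as an added derivation that is not part of the original post, using the post’s T for the glass and t for the teaspoon. Let \(x_n\) be the fraction of wine in glass A after \(n\) rounds. Both glasses hold volume \(T\) at the end of every round and the total amount of wine is \(T\), so B’s wine fraction is \(1 - x_n\).

One round moves \(t\,x_n\) of wine from A to B, after which B holds \(T + t\) of liquid containing \(T(1 - x_n) + t\,x_n\) of wine, so the teaspoon carried back to A contains \(t\,\frac{T(1 - x_n) + t\,x_n}{T + t}\) of wine. Hence

\[
T\,x_{n+1} = T\,x_n - t\,x_n + \frac{t\,\bigl(T(1 - x_n) + t\,x_n\bigr)}{T + t}
           = \frac{T(T - t)}{T + t}\,x_n + \frac{tT}{T + t},
\]

that is,

\[
x_{n+1} = r\,x_n + \frac{t}{T + t}, \qquad r = \frac{T - t}{T + t}.
\]

With \(x_0 = 0\) this gives \(x_1 = t/(T + t)\), i.e. wine:water in A of \(t : T\), which is the one-round answer above. Setting \(x_{n+1} = x_n\) gives the fixed point \(x^{*} = \tfrac12\), and subtracting it from both sides turns the recurrence into \(x_{n+1} - \tfrac12 = r\,(x_n - \tfrac12)\), so

\[
x_n = \tfrac12\,(1 - r^{n}), \qquad 0 \le r < 1 \text{ whenever } 0 < t \le T.
\]

So the intuition is right: every round shrinks the deviation from 50:50 by the fixed factor \(r\), and both glasses tend to a half-and-half mixture geometrically (exactly 50:50 only in the limit, unless the teaspoon is the whole glass).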

http://en.wikipedia.org/wiki/St._Petersburg_paradox

The St. Petersburg game involves tossing a coin until it comes up tails; the pot starts at two pounds and doubles with every head, so if the first tail comes on the n-th toss the gambler wins 2^n pounds. That outcome has probability 1/2^n, so each possible outcome contributes exactly one pound to the expectation, and the overall expectation is infinite.

This paradox demonstrates the weakness of applying naive probability theory to real life. Various people have tried to escape it by invoking the limited bankroll of whoever’s paying out the winnings or the boredom threshold of the gambler or some such, but none really seems convincing. The best approach I’ve seen uses marginal utility – a reasonable man would be happy to pay four pounds for a 50% chance of a tenner, but probably not to pay four thousand pounds for a 50% chance of ten grand. This doesn’t fit with ‘decision theory’ which says that both those games are equally good.

I’m reminded of the Trinity Mathematician’s toast: “To pure mathematics; may it never be of any use to anyone!”

Take two glasses, A and B. A is initially full of water and B of wine. Remove a teaspoon of water from A and put it in B, then take a teaspoon of the mixture in B and put it in A. In what proportions are the water and wine now mixed in A and B?