December 27, 2023 10:38:40 JST

  [Victor Miller noted this item:
https://spectrum.ieee.org/quantum-computing-skeptics
  Rod replied to a separate posting from Dave Farber.  PGN[

Just a few comments on the overall thrust rather than detailed comments, so
rather than top-posting I just deleted the content. You may both post this
to your lists if like.

As a confirmed optimist but realist who has now invested twenty years in
this field, by and large I endorse this. We are moving from analog through
digital to quantum information; in my opinion, quantum represents a fully
fundamental change in processing methods, but we still have a long ways to
go to realize the full impact.

For the most part, unlike many "hit pieces" on quantum, they have talked to
the right people. Le Cun is a known skeptic, and Meta is probably the most
important tech company in the world that is deliberately *NOT* doing
quantum. I don't really know how much he does or doesn't know about quantum,
but his opinion carries weight and I don't think he is simply knee-jerk
opposed. Troyer and Aaronson are both well known and respected researchers
(though Aaronson may be getting a little over-exposed in the media these
days; he's eminently quotable and is the field's most prominent blogger, so
he is the go-to guy for many media, it seems). (Please, PLEASE do not listen
to Michio Kaku on quantum; his explanations of how these things work are far
too garbled to be useful, regardless of what you think about the gauzier
musings about quantum computing and the Universe.)

My own favorite of Troyer's papers is this:
https://www.science.org/doi/abs/10.1126/science.1252319
https://arxiv.org/abs/1401.2910
talking about how to quantify a true quantum speedup.

Oskar Painter is also a professor at a little school called Caltech, which
the article didn't mention. (It's hard to overstate Tech's influence in
quantum. A list of prominent people would take a half a page, with Preskill,
Kitaev, Shor, Bacon, Raussendorf, Wehner, Kimble, Northup, Vuckovic,
Gottesman, Leung, Mabuchi, Brun, Hsin-Yuang Huang, Furusawa, Lloyd, etc. as
undergrads, grads, postdocs and faculty. And me, let's not forget me. Oh,
and some guy named Feynman, who gets a share of the credit for originating
the idea in the first place.)

Anyway, back to the topic...

This year saw huge advances toward effective error correction. The month of
December alone produced several juicy papers. One that is getting a lot of
attention is https://www.nature.com/articles/s41586-023-06927-3 which shows
logical operations using quantum error detection (not really quite
correction yet) on a large number of individual neutral atoms in a trapped
array. Personally, I have to issue a mea culpa here, because in the
mid-2010s I didn't see a path to solid control of neutral systems that
allowed for the individual control and programmability necessary. the
QuEra-Harvard-MIT team has done amazing work.

I could type for an hour about interesting results from this year, but I
don't have time this morning.

Everybody agrees that NISQ (noisy, intermediate-scale quantum) won't
scale. The biggest question on the table is whether NISQ becomes useful
before it stops scaling. I think right now a slim majority people are on the
side of "no", though personally I think the jury is still out.

So, the hardware is progressing; software tools, including compilers,
debuggers, etc. still have a long ways to go.

And it's fair to say that the breadth of applications has not advanced as
much as I might have hoped two decades ago, but our depth of understanding
of what is and isn't possible has continued to grow. I'm optimistic that
when we put these machines in the hands of the next generation of Knuths,
Lamports and Torvaldses, that amazing things will happen.

And we are going to have to continue to rethink education for the
#QuantumNative generation; quantum algorithms require a very different way
of thinking. (And yes, unlike some people, I think the interdisciplinary
skills such students will learn will stand them in good stead throughout
their careers, whether they actually focus on quantum or not.) Assuming
quantum succeeds, we are going to need a LOT of programmers, and not all of
them need to understand the low-level physics of the devices, just as most
software engineers today have a moderate-to-completely-nonexistent
understanding of semiconductor physics.

https://www.theguardian.com/science/2023/dec/16/physicist-bob-coecke-its-easier-to-convince-kids-than-adults-about-quantum-mechanics?CMP=Share_iOSApp_Other

Damn. All too common crypto use case. In spite of years-long ongoing
publicity and warnings.

https://fcpdnews.wordpress.com/2023/12/28/fcpd-combats-crypto-related-scams-how-to-avoid-falling-victim-to-fraud/

No details were released, but it seems that the hackers had targeted a
central payment system.

Full story at:
https://www.timesofisrael.com/israel-linked-group-claims-cyberattack-that-shuts-down-70-of-irans-gas-stations/

I have a short blog post that may be of interest to some of you:
https://www.lawfaremedia.org/article/write-the-laws-for-the-world-in-which-we-live-not-the-one-we-imagine.

The library has been incapacitated since October, and the effects have
spread beyond researchers and book lovers.

https://www.newyorker.com/news/letter-from-the-uk/the-disturbing-impact-of-the-cyberattack-at-the-british-library

Data for nearly 36 million Comcast customers leaked to hackers
https://arstechnica.com/security/2023/12/hack-of-unpatched-comcast-servers-results-in-stolen-personal-data-including-passwords/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

Considerable scholarly attention has been paid to understanding belief in
online misinformation, with a particular focus on social networks.  However,
the dominant role of search engines in the information environment remains
underexplored, even though the use of online search to evaluate the veracity
of information is a central component of media literacy interventions.
Although conventional wisdom suggests that searching online when evaluating
misinformation would reduce belief in it, there is little empirical evidence
to evaluate this claim. Here, across five experiments, we present consistent
evidence that online search to evaluate the truthfulness of false news
articles actually increases the probability of believing them.

https://www.nature.com/articles/s41586-023-06883-y

  [See the full article for the footnotes not available here.  PGN]

A positive look back at this year's tech developments, from one journalist's
viewpoint.  Perhaps a refreshing change from the usual RISKS negativity.

  [I.e., our positive focus on reducing risks!  But we are always looking
  for items that minimize the risks.  Thanks, Steve.  Happy New Year with
  fewer risks.  PGN].

https://www.nytimes.com/2023/12/25/technology/the-2023-good-tech-awards.html

You do not need either one specifically. A software development company
should have a version control system (VCS). DVCS (distributed) is very
popular with developers as they are less likely to complain about slow
transfers, or merge problems. The slow transfer problem is specific to
Subversion's storage and transfer model, which operates at the document
level. Git operates on a mixed model of objects and archives. Mercurial uses
a similar DVC model. Developers don't complain about merges in git because
they tend to make that the problem for the person processing pull
requests. Subversion and Team Foundation are CVCS (centralized).  Subversion
distributed merge conflicts to the developers, and they don't like You
cannot commit a merge conflict in Subversion. I have not personally worked
with Team Foundation, but it is my understanding you cannot commit merge
conflicts in that system either.

Merge conflicts arise from multiple developers working on the same
document/object at the same time. If you have merge conflicts on a regular
basis, your developers are working on a crappy codebase. Moving to DVCS
won't fix that.

Git was developed by the hardest working man in IT to deal with a project
that was intentionally designed to be mostly monolithic as it was the
source for a kernel, which is monolithic.

Are you developing a monolithic kernel? No? Then you do not need git nor
DVCS. You need to fix your codebase.

Are you developing open-source software? No? Then you do not need git nor
DVCS.

Are you developing software which has a GRC mandate to be tracked? Yes?
Then you need CVCS. Unless you take a lot of extra time to ensure that your
git is setup for signed commits and that your developers are using signing
by whoever the developer said their email address was at the time.

Subversion only operates in two modes, anonymous and authenticated. If you
set authentication up, every commit is authenticated. Developers cannot
attempt a commit without authentication.

Are you working on a codebase which needs additional restrictions on
branches or specific files? DVCS pushes the whole codebase to everyone. If
you can see the project, you can see everything in it. And the file that
was deleted because it had a raw key in it? Hope you pruned your history,
otherwise, it's still there.

What do you mean you moved to git to stop having to deal with
administrative issues with the Subversion repository? Git still needs
things like historical pruning, backups, dead branch deletion. You can kick
the can down the road a bit longer with git because its model is smaller on
disk, but those 200 dead branches are going to prevent any new developers
from being able to onboard rapidly.

If you are using Subversion, the historical-key-file problem still exists,
if the developer can see the file, they can roll the history back on it.
However, as Subversion requires each revision checkout to be a separate
request, your inside threat is going to leave some very blatant log
activity.

What do you mean that Bitbucket Cloud doesn't provide access logs for
repos? How does your security team review potential internal threats or
access control misconfigurations? GitHub Cloud does. Maybe if you were
running your VCS internally you could use the server logs? Also if your VCS
was internal, those access logs would be a little smaller as the whole
world couldn't attempt bulk logins. Oh, your access log doesn't have
attempts. Only successes. Cool. How do you know if someone is prodding your
publicly-accessible private repo more or less than usual?

You're not that concerned because you're using VCS to host your
documentation? Why? Are you going to merge your old documents and your new
documents? Oh, so you didn't have to setup a CMS (content management system).

I am also fond of using the electrician's hammer.

Does that screw look like a nail to you,

  [Cliff, In defense of Subversion and github, you may have overstated your
  case a bit.  Both take a bit of learning to cover certaub corner cases,
  and they do have benefits in highly distributed team efforts.  PGN]

Thieves are stealing Apple iPhones, passcodes and thousands of dollars from
their victims' bank accounts.

WSJ's Joanna Stern sat down with a convicted thief in a high-security prison
to find how”and how you can protect yourself.

https://www.youtube.com/watch?v=gi96HKr2vo8

  [High-security has (at least) TWO meanings here.  I wonder if Joanna
  came out with her phone intact.  PGN]

The government that Frances Sharples served for more than four decades
considers the money to be income, compounding her pain

Frances Sharples walked through the glass doors of her credit union, ready
to make the worst decision of her life.

She had a script from the man promising to save the retirement account she
built over decades as a science adviser to the U.S. government, including in
the White House.

He told her to transfer more than $600,000 ” and to keep her cellphone on so
he could listen to her. If anyone asked whether she was put up to it, she
was to reply: “No, absolutely not,” according to her hand-scrawled notes. No
one did. She handed the clerk the routing number, walked back to her dented
2005 Honda and returned home.

“Now I'm good,” she told herself. “Now, I'm safe.”  [...]

Billings started small, saying Sharples first needed to protect the $25,000
in her savings account at Commerce Federal. Williams would keep her on the
line from 7 a.m. until bedtime ” claiming to be removing malicious software
from her computer but mostly lingering silently ” for more than two weeks.

Finally, a document appeared on her screen with a list of account names and
numbers. Print it out, Billings told her. Drive to your credit union.

She did.

According to the script he gave her, if asked, she should say she was moving
the money to her investment account, something she does frequently.  [...]

At that point, a precaution set up to backstop bad customer decisions kicked
in. After Sharples asked TIAA ” which managed the retirement account ” to
transfer her money, a senior fraud investigator with the company called to
question her decision.

“Is someone else telling you to do this?” he asked.

“No, it’s my idea,” she said, following the script. “I’ve decided I want to
invest in a different way.” [...]

As she prepared her taxes online, Sharples was sickened by what she saw on
her Form 1040, which showed the fraud raising her taxes by hundreds of
thousands of dollars. She was then drawn through an excruciating education
in the nation's sprawling tax code.

https://www.washingtonpost.com/dc-md-va/2023/12/14/cyber-crime-scams-irs-taxes/

Ahmed's first target was the undisclosed crypto exchange on the Solana
blockchain. He manipulated a smart contract to introduce false pricing data,
which led to the generation of approximately $9 million in inflated
fees. After withdrawing these funds, Ahmed brazenly offered to return the
stolen amount, minus $1.5 million, on the condition that the exchange would
not involve law enforcement. This attack closely resembles the breach that
impacted the Crema Finance decentralized finance platform in July 2022.

Following this initial hack, Ahmed turned his attention to Nirvana
Finance. He exploited a loophole in the DeFi protocol's smart contract,
taking a flash loan of ANA cryptocurrency tokens at a low price and selling
them back at a higher rate. This maneuver netted him around $3.6
million. Despite being offered a $300,000 bounty to return the stolen
assets, Ahmed refused, demanding $1.4 million and ultimately leading to the
shutdown of Nirvana Finance after no agreement was reached.

https://readwrite.com/ex-amazon-security-engineer-admits-to-stealing-over-12m-in-crypto/

If those are smart contracts, what would dumb ones be?

The bleeping computer article misses the distinction between TFA (two-factor
authentication) and TSA (two-step authentication), TFA being far more secure
than TSA.

With TFA, one must possess a physical crypto token (like an RSA SecureID
token) plus a password, the factors being something one possesses (token)
and something one knows (password).  The computer is not providing
authentication.

With the TSA, no physical token is used, it's something one knows (a
password) provided to a computer, and it is done in two steps.  If malware
has managed to sufficiently infect the computer, the malware can perform
both steps.

In the story of unsolicited OTP codes, the malware had not gained sufficient
control and was thwarted.  But the whole drama would not have happened if
true TFA had been implemented.

Amazon certainly knows the difference, which is why they call what they do
TSA, not TFA.

Is capitalism an efficient economic system?  It depends on what you want to
optimise for: if the purpose of your economic system is to transfer wealth
from everyone else to a handful of billionaires, then capitalism is already
very efficient and becoming ever more efficient.  If the purpose is the long
term thriving of the human race, then capitalism is a terrible system: the
thing you are optimisimg for (called "profit") is actually a form of
friction and *loss* to the system as stores of value (money) get extracted
from the economic cycle and stashed away unproductively.  Whole industries,
such as advertising and banking, are purely destructive of value.

A better economic system would eliminate the concept of "profit" as
something extracted by shareholders and board members.  Activities that are
most efficient when nationalised, such as fire service, police, army, energy
distribution, transport, and of course, the health service, should never be
allowed to fall into private hands or should be taken out of private hands.
Each of these activities gets a budget to do a certain thing and should be
laser focused on doing that thing.  The post office delivers letters and
parcels, the railway network runs railways, the health service keeps the
population healthy, the universities generate knowledge and so on. This
leads to a lot of difficult discussions about how much each service needs in
order to ensure human thriving without a negative impact on other
services. But the current approach where everything is reduced to profit is
once again, optimising for the wrong thing.

For private industry, small family businesses and small to medium
cooperatives will ensure that any "profit" is recycled back into the
economy.

In conclusion: The reason that poverty and homelessness exist is not because
capitalism is not working properly, but because that is the way it works.poappp