Jach's personal blog

(Largely containing a mind-dump to myselves: past, present, and future)
Current favorite quote: "Supposedly smart people are weirdly ignorant of Bayes' Rule." William B Vogt, 2010

What if we used Scrypt with one-minute work factor for SSNs?

I've only lived about 24 years on this planet, and already I feel like my SSN has probably been compromised somewhere due to the leaky information channels I've had to transmit it, database hacks (published and unpublished) of big companies (government or non-government), a couple mistakes on my part, and maybe some other reasons. It'd be nice if this weren't so; just about every story I hear of people who do get an attacker is unpleasant. I don't want it to happen to me.

Would Scrypt be a panacea? No. But it would surely be better than what we have now. We could make it so that there's only a single point of failure, instead of multiple ones, for easily identifying the link between a person's name and their SSN, by having that unhashed association exist within one government agency and nowhere else. (Make it illegal to store SSNs unhashed.)

If my SSN is required, the party requiring it can give me a publicly known salt (for instance, their company name) and request I send them my full legal name and the result of scrypt(SSN, genSalt(work_factor) + salt + interactionNumber), where work_factor is chosen so that generating the hash takes, say, one minute on the latest AMD GPU. For an average person's CPU, this could take quite a bit longer. interactionNumber is just an integer representing how many times the company has had to request the SSN. Say they're a loan company: you want a loan, you give an SSN hash (and probably a hash with a credit agency's salt+interactionNumber too, so the loan company can look up your credit score). If you want a new loan, or an extended loan, you give a new SSN hash with a new interactionNumber.
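The scheme above, sketched as an added example that is not code from the original post. It assumes Python's hashlib.scrypt, a salt built from the party name and interaction number in fixed-width fields, a small demo cost DEMO_N instead of the one-minute work factor, and constructed names (ExampleLoanCo, SAMPLE_SSN); the last function works out how long a full search of the nine-digit SSN space takes at a given cost per hash.

```python
import hashlib
import hmac

# Demo cost so this runs in milliseconds; the post's one-minute target
# would need a much larger n (and a larger maxmem). Assumed values.
DEMO_N, R, P = 2**12, 8, 1
SAMPLE_SSN = "000-00-0001"  # constructed; area 000 is never issued


def build_salt(party: str, interaction: int) -> bytes:
    # Fixed-width fields so ("acme", 12) and ("acme1", 2) cannot produce
    # the same salt, as naive string concatenation would.
    name = party.encode("utf-8")
    return len(name).to_bytes(2, "big") + name + interaction.to_bytes(8, "big")


def ssn_token(ssn: str, party: str, interaction: int, n: int = DEMO_N) -> str:
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("SSN must be nine digits")
    out = hashlib.scrypt(digits.encode(), salt=build_salt(party, interaction),
                         n=n, r=R, p=P, maxmem=64 * 1024 * 1024, dklen=32)
    return out.hex()


def agency_verify(ssn_on_file: str, party: str, interaction: int,
                  token: str, n: int = DEMO_N) -> bool:
    # Only the one agency holding the unhashed SSN can recompute the token.
    expected = ssn_token(ssn_on_file, party, interaction, n)
    return hmac.compare_digest(expected, token)


def exhaustive_search_years(seconds_per_hash: float, workers: int = 1) -> float:
    # Nine decimal digits give at most 10**9 candidates, however slow each
    # hash is, so the work factor sets this bound and nothing else does.
    return 10**9 * seconds_per_hash / workers / (365 * 24 * 3600)


if __name__ == "__main__":
    t1 = ssn_token(SAMPLE_SSN, "ExampleLoanCo", 1)
    t2 = ssn_token(SAMPLE_SSN, "ExampleLoanCo", 2)
    print(t1, t2, agency_verify(SAMPLE_SSN, "ExampleLoanCo", 1, t1))
    print(round(exhaustive_search_years(60)), "years at 60 s/hash, one worker")
```

Because the salt is public, the work factor is the only barrier between a leaked token and the SSN behind it; the estimate divides directly by the number of parallel workers.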

Random birthday gifts

It's difficult to shop for others when you don't really know what they want. Especially if they are financially stable enough that, in all likelihood, they already have whatever they want in the $20-or-less range.

My method: I grab a random word from my computer dictionary with cat /usr/share/dict/words | shuf -n 1, enter it into Amazon's search bar, and see if anything I think the other person might be kind of interested in shows up. If not, I try more words. This has led to some good finds, and the recipients did enjoy them. It seems unlikely I or they would have found them otherwise.

I'm thinking of making a simple Clojure application that makes this process easier (since sometimes I'll have to go through a lot of random words). I spent some time today looking at doing native UIs in Clojure; alas, it looks like there's no really awesome solution yet. (My feelings about Seesaw are a little cold...) I've thought about having a web app instead, since holy crap the box model and the image tag are a godsend to UI development, but then I can't use PhantomJS. We'll see if I maintain interest in this or not.

Understanding opposing frameworks

I was reading about the ideological Turing test, and Krugman's remark about not being able to explain what a Keynesian economic argument is struck me as interesting. Personally I don't have too much respect for Krugman -- he has made what I think are really stupid statements (especially on bitcoin) in the past.

I admit I don't really get what a "Keynesian economic argument" should look like; my econ knowledge and opinions are acquired in my spare time. I admit I don't know the underlying framework of the theory that generates various statements. All I know is that when I encounter certain statements, the framework I'm reasoning from disagrees with them. For some cases (like some things Objectivists say) I do understand the underlying framework, because I used to be there, but I reexamined the foundations and found them lacking, so I moved on. For unfamiliar cases, the fact of disagreement may give me pause to consider reevaluating my foundations again, or if I'm particularly interested to evaluate the other person's foundations (if they even have any).

Should I spend more time understanding an opponent's framework? I'm not so sure I should. Imagine someone comes to me and proclaims 2+2=5. Well, reasoning under PA (and ZFC et al.) I know that's false. I'm very confident in PA answering this sort of question correctly, so I'm not very inclined to double-check the axioms and arithmetic functions. I'm also not too inclined to understand what sort of madness led the other person to proclaim such a wrong fact, even if their madness is a coherent logical system (e.g. PA with one additional axiom that special-cases 2+2 to be 5, but 1+3 is still 4 and so on).