Thursday, April 17, 2008

The Effects of Religion on the Scientific Method

Very interesting. I recently found the following two quotes, when reading two different books, one day apart from each other --

= = = = =

From: Consilience (1998) by E.O. Wilson, page 31 --

"Reductionism, given its unbroken string of successes during the next three centuries, may seem today the obvious best way to have constructed knowledge about the physical world, but it was not so easy to grasp at the dawn of science. Chinese scholars never achieved it. They possessed the same intellectual ability as Western scientists, as evidenced by the fact that, even though far more isolated, they acquired scientific information as rapidly as did the Arabs, who had all of Greek knowledge as a launching ramp. Between the first and thirteenth centuries they led Europe by a wide margin. But according to Joseph Needham, the principal Western chronicler of Chinese scientific endeavors, their focus stayed on holistic properties and on the harmonious, hierarchical relationships of entities, from stars down to mountains and flowers and sand. In this view the entities of Nature are inseparable and perpetually changing, not discrete and constant as perceived by Enlightenment thinkers. As a result the Chinese never hit upon the entry point of abstraction and break-apart analytic research attained by European science in the seventeenth century." [italics supplied]

= = = = =

From: The Black Swan (2007) by N.N. Taleb, page 47 --

"The third major thinker who dealt with the problem [of induction] was the eleventh century Arabic-language skeptic Al-Ghazali, known in Latin as Algazel. His name for a class of dogmatic scholars was ghabi, literally 'the imbeciles' ... Algazel wrote ... a diatribe called Tahafut al falasifa, which I translate as 'The Incompetence of Philosophy.' It was directed at the school called falasifah ... the direct heirs of the classical philosophy of [Plato's] Academy, [who] had managed to reconcile it with Islam through rational argument.

"Algazel's attack on 'scientific' knowledge started a debate with Averroes, the medieval philosopher who ended up having the most profound influence of any medieval thinker (on Christians and Jews, though not on Moslems). The debate between Algazel and Averroes was finally, but sadly, won by both. In its aftermath, many Arab religious thinkers integrated and exaggerated Algazel's skepticism of the scientific method, preferring to leave causal considerations to God (in fact it was a stretch of his idea). The West embraced Averroes's rationalism, built on Aristotle's, which survived through Aquinas and the Jewish philosophers who called themselves Averroan for a long time. Many thinkers blame the Arabs' later abandonment of the scientific method on Algazel's huge influence. He ended up fueling Sufi mysticism, in which the worshiper attempts to enter into communion with God, severing all connections with earthly matters." [italics supplied]

= = = = =

So there you have it. Belief that the world is an inseparable (nondual) whole that is constantly changing, wherein there are no true causes besides the will of God alone, was fatal to many early scientific endeavors. This may commend Christianity, whose belief in a God who "rules over you" may have other flaws, but in Western Europe facilitated the search for consistent determinable laws that order the world.

Saturday, April 12, 2008

Notes from RSA 2008 Trade Show

Frank Sudia, FW Sudia Consulting, 4-12-08

I spent about 4+ hours walking the RSA show exhibits, which seemed more uniformly high quality than usual. Almost all booths met high visual standards, and most offerings seemed relevant. The following are my take-away perceptions and things that I found interesting. This is just an unscientific sampling, for the benefit of anyone who was unable to attend, and I did not heavily validate all these assessments.

Appliances. Many Asian-looking vendors (over half a dozen) now offer metal boxes in all form factors. They will load your software, apply your logo, pack, ship to, and bill your client. This struck me as a great example of the magic of the marketplace. Many clients prefer the appliance delivery model, which eliminates the install step, and many vendors prefer it because it may make their product harder to clone, and/or pad top-line revenue. The devices can obviously include custom security processors, etc. Some of the smaller boxes looked very cute.

ConfigureSoft. I sat through a short talk (by Dave Shackleford) explaining their audit compliance product. They've hired a full-time staff (which Dave heads) to monitor major info-sec policies (GLB, PCI, HIPAA, etc.) and continuously update their policy database, which is mapped to an inventory of your systems, allowing you to immediately assess which machines need what remediation to bring them into compliance with which policies, and possibly take corrective action at the touch of a button (when the change is amenable to that). Attractiveness would depend on pricing and maintenance costs, and software escrow might be desirable, in case you got highly dependent and they went out of business or an acquirer dropped support. Still, it seemed to deliver on its promise that you could pass an unscheduled audit.

GraniteKey. Small company with a kiosk in someone else's booth. I saw a brief demo of a risk assessment tool, offered as an online browser-based service, which allows you to build complex dependency trees, which the system will then reason about, to see whether your mitigations actually mitigate your risks. Works for problems other than security, as there was an example of leaking seals on food containers. I asked for a more in-depth demo (they are SF based). I liked it because a) you could potentially build very detailed dependencies, b) the system-generated reasoning may help catch human errors, c) many sets of eyes could review your analysis, d) analyses could be cloned and improved over time in a standard format, and e) the resulting printout would nicely document your assumptions, for when others came back later to second guess you. I could imagine a site license with multiple departments standardizing on it and sharing templates. (NOTE: I have not tested this yet.)

PKWare. How could they justify a full-size RSA booth? After Phil Katz died in 1997 his mother ran the Milwaukee-based co for a while, then his wife sold out to private investors. The investors included former corporate and banking IT execs, who transformed it into a rising competitor to PGP, with 20 developers on staff. Now there are mainframe versions of PKZip. They've added AES-256, X.509, secondary recovery passwords, USB stick encryption, and more, to target major accounts. This worked, as Citigroup has deployed SecureZip on 320,000 desktops. Now they're moving to automate customer service and shift back down market to the SME level. Their advantages are ease of use, universal user recognition, and X.509 based key management -- as long as PGP is not already deeply entrenched at a given client. I agreed with the rep that this was a potential B-School case study.

==> For a limited time you can download a free, fully-licensed, individual copy of SecureZip at after giving up your e-mail. (Use MS-IE, not Firefox.)

PGP is now offering command line versions that run on mainframes and other platforms for automating batch operations.

Chilled RAM Attacks. At least 3-4 booths had huge photo renderings of big-horned sheep in polar ice conditions. (Good grief!) Apparently vendors were eager to profess that they were on top of this newly publicized vulnerability.

GemAlto / Microsoft. Two years ago GemPlus merged with another firm to form GemAlto, which now has 60% of the worldwide smart card market. I didn't see any big changes in their cards, but their rep touted Microsoft's new Identity Lifecycle Framework (ILF). The ILF is not free and runs (maybe) $14K extra, but will "turn on" and leverage the smart card features of the rest of Microsoft's software suite (Office, Outlook, etc.), e.g., for securing SOA under the .NET Framework. Evidently this is of great interest to GemAlto, since it can drive enterprise smart card deployments.

NetGear is now offering a large selection of (what I assume are) reasonably priced firewalls, secure gateways, and other boxes.

Red Hat is now offering an X.509 certificate system, and an audit policy framework.

Elsevier will soon commence publication of the International Journal of Critical Infrastructure Protection. (IJCIP). This will no doubt cost real money, but is certainly needed.

Target department stores had a booth solely to recruit security engineers to come and work for them in Minneapolis.

NapaTech offers a family of boards that can sniff all the packets off a network, with protocol filtering, traffic analysis, etc. Prices run from $1,500 to $9,000 for the more high-performance sniffer (ahem, traffic analysis) boards. This reminded me of a case study of a large health care provider that logs their entire network, so if they notice a problem, such as inappropriate actions by a user, they can replay past traffic to look for related prior incidents.

Verdasys, Dan Geer's company, is taking their enterprise desktop security product down market with a B2C solution, where one initial deployment has (I think) 3 million clients. Dan may have acquired something resembling rock star status. I could not attend any of his book signing sessions, but when I mentioned that I knew Dan, the floor rep asked me to put in a good word for him, suggesting to me that he has developed a near-cult level of respect.

