edspace

From time to time, I’ve had to explain what I studied in college. I usually threw out the generic, “I’m in computers,” since it’s a safe thing to say to people who don’t know what the field is really about. Very few actually do, including those who still call it their major. I’m here to clarify some of the misconceptions in the hopes it will help correct misguided viewpoints and assist those who are still deciding what to do.

Firstly, let’s go over what it is not. The aim of computer science is not to create a new breed of code monkey button pushers. Unfortunately, most who study this field turn out that way. Computer science is also not playing games all day. Writing games is not the same as playing games. Being good at one does not mean you’ll be good at the other. Computer science most definitely is not doing tech support. You don’t need to spend years at a university to rearrange icons by penis.

Now that’s out of the way, let’s talk about what the field actually consists of. The fundamental goal of computer science is solving problems. That’s why it’s called computer science. I must stress the “science” part because it is frequently overshadowed by the word “computer.” Computers are simply used as tools to solve problems, but without a well designed plan, they are useless.

Freshman are usually taught basics consisting of data structures and algorithms. These are commonly elementary, which lead many people, mostly electrical engineers, to believe that computer science is simply basic programming, since this is the only exposure to computer science they have had. Although these concepts start out basic (sorting algorithms and the like), they develop into harder problems (graph theory, P vs. NP, etc). Common interesting graph theory problems include shortest path algorithms and other similar solutions that are useful for network and telecommunications problems. Studying NP-complete problems is useful for determining what problems are even solvable through the use of computers in the first place (don’t anyone dare say Moore’s law will make the brute force approach practical for all problems).

A common source of befuddlement for freshman is the introduction to formal logic. I know that I thought my first year logic course was simply just a weed out class. That was far from the truth. Every semester, I was introduced to new uses for predicate calculus. You start out with learning how to define problems. Then, you can use the notation to define an algorithm. Finally, you must prove the correctness of your algorithm using the same language used to define the problem and the solution.

Let me explain it this way: Anyone can pick a hammer, nails, and some 2×4s and build a dog house. Does that make them an architect? Would you trust just anyone who could use a hammer to build a house? How about a sky scraper? Suspension bridge? I’d imagine you’d expect someone who does such things know about support structures and weight distribution as well as the tensile strength of all the building materials. The higher up you get, the less you are concerned with whether or not this person can use a hammer.

Likewise, a computer scientist can be thought of in much the same way. Much is the study of computer science is focused on the feasibility of solutions to a problem and the best approach to them. Programming is simply the manifestation of these ideas, but to truly appreciate the solution, you must look past the implementation and more at the design it represents.

Unfortunately, this isn’t necessarily true in the industry. Companies are predominantly driven by time to market. Most executives tend to think of software as something ethereal that can be conjured rather than needing to be produced. The problem is that there are those who will throw something simple together in an effort to build the illusion that software is quick to build. Software thus is poorly designed and must be quickly patched, leading to even more poor design choices, thus starting a vicious cycle.

Beyond industry, computer science also covers research topics related to everything from artificial intelligence to advanced wireless networking protocols. All of these use programming to test theories, but the focus, again, is on solving the problems.

Before entering into computer science, you must ask yourself what you want to do? Push code out? You don’t need go to school for that; you just need passion for the art, much like a carpenter with wood. If you want to design large scale projects, you must appreciate intricacies of software architecture. If you just want to work on interesting research topics not out for mass consumption yet, then staying in school for a long time is the way to go. That’s when you focuse on the “science” aspect.

I really like watching playoff baseball. As they say, you can’t script October. Though, as I watch the (poorly officiated) ALCS, I can’t help but think that baseball, fundamentally, is a silly child’s game.

Whenever, someone gets caught in a run-down, it really is just a guy running away from the ball. It’s like the ball carrier somehow has cooties, but when that guy throws the ball away, it’s okay to run back towards him. I can just imagine a 5 year old running around, yelling, “Ew, cooties! Get that away from me!” But if the runner tags a base, then he’s immune to cooties. Don’t you remember playing tag as a kid and always saying, “I’m touching base! You can’t tag me!” It’s the same thing, only with grown men.

I mention this while watching Napoli (the catcher) tagging out Posada and Cano. Both the Yankee base runners scramble to touch the same base, then realizing that only one runner can occupy the base, both struggle to go back and touch it. Napoli casually touches both of them with the ball. Of course, the umpire blew the call, signaling that only Posada was tagged out. Still, it was funny watching how silly Napoli looked running with a ball outstretched while Posada tried to run away from him.

Video at:
http://mlb.mlb.com/media/video.jsp?content_id=7080147

So I’ve been watching the Tour de France the past couple of weeks, and lately, something has blown up. According to all the flurry on Twitter, people are blaming Lance Armstrong for stealing the yellow jersey from George Hincapie, while Armstrong points the finger at Team Garmin.

Now, a little bit of background for those unfamiliar with what’s going on this year. George Hincapie (Team Columbia) used to be teammates with over half the riders of Team Astana (Lance Armstrong, Alberto Contador, et al) along with Astana’s manager, Johan Bruyneel. Contador and Armstrong sat in second and third place respectively, just seconds behind overall leader Rinaldo Nocentini. Hincapie was over five minutes behind the leader.

In today’s stage 14 ride, Hincapie broke out and gained around a 6 minute lead (along with 11 other riders) ahead of the peloton. This would have given him the overall lead with time to spare. However, Team Astana kept up the tempo, never letting that lead slide to higher than 9 minutes. Then, towards the end of the race, Nocentini’s team, Team AG2R, finally sensed the urgency and decided to pick up the pace with around 50km to go. However, all the AG2R riders were too tired to keep it up, and they looked like the they would surely lose the yellow jersey. Astana dropped back, unwilling to help them try to catch the breakaway.

Out of nowhere, Team Garmin sends up a few riders to bring the pace back up and try to close the gap on Hincapie. They manage to bring the time in closer, allowing AG2R to sit back a little and just ride in the middle of the peloton.

The ironic part came when the pack reached the finish line. Team Columbia also has a stake at the green jersey (sprint points). They had to try to get there sprinter, Mark Cavendish, in place to get in ahead of all the other sprinters in the pack, but they had to do it in a way that wouldn’t jeopardize Hincapie’s time for the yellow jersey. Columbia’s sprinters kept looking around, wondering if it was too soon to charge. However, with the pressure building from the other riders, they had no choice but to go. Cavendish crossed a bit too soon, bringing in the group with a time that allowed Nocentini to hold the yellow jersey with five seconds ahead of Hincapie.

Hincapie is obviously very upset, seeing his chance for the yellow jersey slip away by just seconds. He immediately blames Astana for not allowing that gap to grow. Astana blames Garmin for closing that gap enough to allow AG2R to stay in the lead. However, you still can’t ignore that Columbia crossed the finish line first (even though Cavendish did get disqualified for interfering with another rider across the line).

It’s no secret that Garmin (an American team) has a running rivalry with Team Columbia (another American team). That could be why they volunteered to ride in the front when AG2R looked tired. People have dismissed that move, despite the fact that the team had no chance to pick up any sort of victory on this stage. But alright, they’re a rival team, so they can do stuff like that, right?

Instead, many people are outraged at Team Astana for keeping the gap at 8 minutes and not letting explode to something like 15. The demand on the team is that since most of the team members used to ride with Hincapie and are good friends with him, they should let him win. Instead of giving chase, they should have sat in the back of the field and let AG2R pedal themselves dizzy until they had nothing left. By doing so, they’ve betrayed a friend in the eyes of many. This “malicious intent” is strongly denied by Bruyneel and Armstrong, who claimed he wanted Hincapie up there with 2 minutes to spare.

You can blame whoever you want, since everyone is a spectator who just want to see his or her idol cross the line ahead. But keep this in mind: Bruyneel has a job to try to keep, and he has two riders that are seconds from the lead time. Team Columbia, regardless of who is on the team, is a rival team that has to be chased. It’s hard to explain away why your team, regarded as the strongest in the Tour, forfeited a 6 second gap from the leader and watched it turn into minutes. I believe that he had to keep it close, and if everything went according to his plan, Hincapie would have been first, with the two Astana riders within a minute behind. If Bruyneel really wanted to steal the yellow jersey away from his former team member, Hincapie would be back behind the leader by much more than 5 seconds.

This is only the second time I’ve ever made it to a place in Middle America (and that’s not a densely populated metropolitan area). It’s a great place to go when you want to get away from the hustle and the bustle of urban life.

Among other things, Cincinnati has great views of the natural environment around it. Outdoor parks and trails line the streets. Even downtown, there are public parks with grass and benches to relax during a lunch break. For those of you who really need to work, but would like to enjoy the outdoors, the city has sponsored free public wireless Internet! The city promotes a strong outdoor active lifestyle, which I find very inviting.

Cincinnati also has a very popular art scene. The Cincinnati Art Museum features local artists, whom capture the beauty of the city and the area around it. Admission (and coat check) is free to the public. The Cincinnati Symphony Orchestra is an absolute delight to listen to. The orchestra, led by Paavo Jarvi, plays at a very well-preserved historic hall. Afterwards, I got to meet Paavo at a private reception. It’s nice to be able to have someone that well-respected that accessible to you.

Of course, what visit to Cincinnati would be complete without a visit to the Great American Ballpark, the home of the Cincinnati Reds. Unfortunately, it was the off season at the time, so I just spent my time at the Reds Hall of Fame (really just a small museum out by the ballpark). It was a great place to view memorabilia from players past, such as Johnny Bench, Pete Rose, and Tony Perez. I also had the whole place to myself, so I ended up running around the place, spending a lot of my time trying to pitch a strike in a replica bullpen, complete with mound and speed camera.

Is this a sight-seeing destination? Not so much. However, if you have the itch to be outside, definitely make this a place to hit up.

Pictures from this wandering.

My photostream.

I went to Chicago last winter to see some snow. Though, I did have some problems getting there, as the airports were closing that day. I ended up stuck in the middle of a layover for a few hours before finally making it there. There was a lot of snow to be seen, and now I can say that I’ve braved a Chicago winter.

It was my first time seeing a lake frozen over, trapping boats and ships parked at Navy Pier. Ice floats broke off and made their way down the river. Gardens and parks are blanketed with white powder, which records telltale signs of wanderers past. Skaters skated in Millennium Park in the falling snow. Winter time in the city is fun to explore.

The biggest attraction to Chicago is the architecture that lines the city. Since the great fire, the city has rebuilt itself in a manner that allows for such great buildings to be constructed (and with decent traffic flow, unlike some cities not on a grid system). The Chicago Architecture Foundation offers guided tours and insight into these magnificent buildings.

One complaint I do have about skyscrapers in general and the architectural landscape of Chicago specifically is the phallic imagery that plagues the skyline. In particular, the Aon Center shoots out from the ground unapologetically, straight up into the air. The architect, Edward Durell Stone, had a quote where he emphasizes that a skyscraper should continue straight up in the air, with no hint of any downward tendencies. Of course, this tower is only the third tallest building, behind the Sears Tower and the newly build Trump Hotel and Tower, which beats the Aon Center out by a few hundred feet, thus perpetuating the mentality of, “mine is bigger.”

One of the highlights of the trip, though, was visiting the Chicago Institute of Art. The gallery holds a vast collection of works, including canvas paintings from all periods to a good sized photography gallery. The most impressive collection had to be the Thorne Miniature Rooms, featuring miniature interiors of homes from the late 13th century to the early 20th century. Though for the best individual work, my happiest moment was seeing Nighthawks, my favorite painting, in person with my own eyes.

I still need to see Chicago again some other time when the snow and the ice are gone. But that’s for another time.

More pictures from this photoset

My photostream

Recently, I’ve had the “pleasure” of dealing with a few cryptography libraries. Due to the nature of cryptography itself, it sometimes becomes difficult to properly build an secured application that conforms to the strict requirements that most algorithms prescribe. Any variation in ciphertext generation could lead to an insecure cryptosystem.

Cryptographic Basics

Before I discuss the libraries themselves, I’ll run you through a crash course on cryptography. When encrypting a string of text or a binary file, you use a block cipher such as 3DES or AES to encrypt a single block of text. To encrypt an entire message, you use a mode of operation that prescribes how to repeat the block cipher computation. Examples of modes of operation include Electronic Code Book (ECB), where each block is independently encrypted, and Cipher Block Chaining (CBC), where each block is combined with the previous block before being encrypted. More information on these and other techniques can be found here.

Python

The Python cryptography library, pyCrypto, is a great framework that’s easy to use, but there are some details about it that causes me agony and long hours of pondering. It seems to be difficult to use with anything other than a simple block cipher using ECB mode. Any other mode of encryption that relies on randomization will cause some headaches when trying to piece a scheme together.

Most encryption modes rely on using randomized initialization vectors to hide any information about the plaintext. Modes such as CBC and CFB will XOR plaintext or keys with these IVs to make the encryption process non-deterministic, which protects it against chosen plaintext attacks. This is a bit of what it looks like.

from Crypto.Cipher import AES
obj = AES.new('abcdefghijklmnop', AES.MODE_CBC, '1234567890123456')
obj.encode("Hello, World!!!!")
ciph = obj.encrypt("Hello, World!!!!")


In the call to AES.new(), the key is the first parameter, and the IV is the last parameter. Seems really easy, but the problem is how do you generate the IV randomly? Using a fixed IV is really no better than using ECB mode. Instead, randomly generate a string to use as the IV.

Now, the thing to remember is that you should not use the Python random module. It says so on the documentation. The reason is that it uses the Mersenne Twister, which is a completely deterministic function. If an attacker can determine what time a message will be encrypted, then it’s possible to craft a message to be encrypted that can feasibly break the cryptosystem. Instead, use the os.urandom() function, which reads from /dev/random.

One of the more flexible modes of operation, Counter mode (CTR), is difficult to implement. PyCrypto only provides the framework with which you can harness the block cipher and encryption mode. However, you are expected to provide a function that will generate an incrementing counter value each time it is called. Seems easy enough, right? Well, if you read the notes for it, you’ll realize that your function must meet a strict set of requirements, primarily that the counter values can never repeat across the entire lifetime of the key. Not just this instance of the cryptosystem, but across *all* runs. Ever. Or else encryption is insecure. For everything. If you think about it, the logistics are a bit daunting.

Java

Security in Java is implemented using the Java Cryptography Extension (JCE), using the javax.crypto and java.Security libraries. As with any other Java library, you have to do a lot of typing in order to make use of any cryptosystem.

The first difference you will notice between the Python and Java libraries is that PyCrypto defines access to block ciphers via wrapper classes, while JCE requires the API user to pass in encryption modes and ciphers via string in the constructor. Although this allows for greater flexibility, the immediate design flaw is that the application must check for the NoSuchAlgorithmException and NoSuchPaddingException compile time exceptions upon construction of the cryptosystem.

What’s nice about the JCE is that it does all the busy work normally required in PyCrypto for you. You don’t have to generate your own random values or implement any other randomization function. You simply specify what mode and padding scheme you want, and it will generate both the ciphertext and initialization parameters and return them to you. However, the shortcoming in this approach is that you do not have fine tuned control over how your data is encrypted. If a specific cryptosystem is not supported by the library, then you simply cannot use it. An example of a serious lacking is that you cannot use AES in anything other than ECB mode. If you try to specify CBC mode, it will actually generate the ciphertext for you, but when you try to retrieve the IV value, it won’t tell you what it is.

Another hassle of using this library is that it falls under strict U.S. export restriction policy. In order to use any of the longer keys for the AES cipher, you must have permission (from whom, I do not know) to use it. You also have to do more exception handling in case your app is run on a platform with a reduced set of cryptosystems. For this reason, PyCrypto only accepts code submissions from non-U.S. nationals, though a good portion still falls under the same restrictions as JCE.

Summary

PyCrypto will allow you to do anything you want, provided you meet it halfway. JCE is a breeze to use if you’re willing to work within its small capability confines, but won’t let you go outside of its limitations. I have yet to try other libraries for other languages, but I hope to find one someday that’s simply a dream to use. Though with the nature of cryptography, I doubt that this is likely.

I traveled a bit in the past few months, but I haven’t been able to get all the pictures online. I have a few weeks of downtime, so I’ll attempt my best at going through a city per post of my travels along with photographic visual aids.

I’d like to start a “What I Learned in School” series of posts discussing topics I picked up in graduate school in the hopes that some people could glean some information without spending the money nor the 60 hours a week of stress. The predicament, however, is that I don’t know if I could write it for any particular audience. On the one hand, most people don’t want to hear about the differences between existential forgery and selective forgery for cryptographic hash functions. On the other hand, people who would be interested in that topic already know all the proofs and don’t care to see anymore. I’m still looking through the past year’s worth of content for stuff that would be interesting yet useful.

That, combined with the fact that the last few weeks of the semester has been compressed in terms of assignment makes it very hard to try to look at school work when I don’t have to.

No, not the kinky fetish material…. I’m talking about the typesetting program.

Don’t get me wrong: I don’t hate LaTeX. It’s awesome that I can write professional looking documents that didn’t look like I banged something out on Microsoft Word. But to me, it’s such a beating to do all my homework assignments with it and try to remember all the symbols.

I’ll admit that I cheat, though. I use LyX as a front-end GUI since I *really* don’t want to remember all the tags. Though, there are sometimes that I’ll need to use something that’s not on a button on screen or a key on my keyboard. Thankfully, I can use this guide:

http://www.artofproblemsolving.com/LaTeX/AoPS_L_GuideSym.php

It has handy little things like how to express set unions (\cup) and accent marks.

Now, if there was only some sort of software that could do my Crypto homework for me….

So late last year, Adobe released an early Christmas gift by releasing an alpha version of the 64-bit Flash Player plugin. What did that mean? You no longer had to run 32-bit browsers on your 64-bit Linux install or try nspluginwrapper for your 64-bit browser that ultimately failed out if you had too many windows open.

I’m posting this now because it took me this long to figure out what I was doing wrong and why it wouldn’t work. I had copied the libflashplayer.so file into one directory and then symlinked it into another, very much the same way Ubuntu does with the flashplugin-nonfree package. That’s a mistake. My system would crash every time it loaded an FLV.

It turns out if you (on Ubuntu 8.10) just do a straight copy into the /usr/lib/mozilla/plugins directory, it won’t crash. You can also copy it into the /usr/lib/firefox/plugins directory for good measure, but it didn’t do very much for me.

Some perks of having this:

• Sites like Hulu took a long time to load, and now that no longer is the case.
• When I have multiple pages with Flash (say, watching a lot of YouTube), sometimes, some pages would gray out the embedded Flash objects, and sometimes the Flash video wouldn’t even load; now, no problems.
• I no longer have to run a 32-bit browser in my dchroot jail to view certain pages.

I’ll talk about my chroot jail some other time.