Presentation @ Wellcome Trust Centre for Gene Regulation & Expression, Dundee University

On Monday 14th January, I gave a short invited talk to members of the Open Microscopy Environment project based in the Swedlow Lab located in the Wellcome Trust Centre for Gene Regulation & Expression at the University of Dundee. There were a number of focii to this talk:

• overall research interests, starting broadly with AI, then focussing rapidly to argumentative dialogue systems,
• the broad classes of problems that I am interested in,
• a (very) brief, software focussed overview of projects I have been involved in sketching the thread of research from my early work on multi-agent dialogue systems through formalisation of dialogue protocols in my early post-doc research, and finishing with my most recent applied work in online argumentation, pedagogical dialogue, and web-scale argumentation technologies.

Presentation Slides:

Download now or preview on posterous

dundee2011.pdf (5836 KB)

Fundamentals Concepts in Computer Science: Computability

There is a nice brief introduction to computability over at Good Math, Bad Math. My research has increasingly moved in the direction of this area of formal computer science over the last couple of years as I have developed the Dialogue Game Description Language, a domain specific language underpinned by a formal grammar expressed in EBNF and used to describe inter-agent communication protocols.

From my perspective, if you are interested in finding out more about what Dijkstra meant when he stated that "computer science is no more about computers than astronomy is about telescopes" then this article is a good place to start. Computer science is the study of the theoretical foundations of information and computation as well as the more practically oriented implementation and application aspects. It is these theoretical foundations that computability is concerned with. More specifically computability is a sub-branch of the theory of computation an area of computer science that addresses questions like "what problems can we solve using a computing device?" and "if we can solve this problem on a computer, how efficiently can we do so?".

Introducing Filibustery

Whilst not directly argumentation in the sense that I am usually interested in, the Filibuster is a political debate technique that has a long history going back at least as far as the Roman empire. The Filibuster is a type of gamesmanship that (mis-)uses the rules of debate found in the parliamentary procedures of a range of countries to enable a proposal to be delayed or obstructed. This happens because the procedures allocate a given amount of time for discussion and voting. If the time runs out before voting is complete then the proposal is effectively blocked.

Over at Filibustery, the Filibuster is getting some attention with a series of videos exploring filibustery. The first episode has been posted and we are promised that the second will be posted in the lab fairly soon.

Analysing the Tactics Used in Debates

There are a series of interesting posts over at Jean Goodwin's blog that looks at the process of debate and the tactics used therein, using the debate between Marc Morano and Mark Maslin as an exemplar.

The tactics discussed are:

1. Civility - How do the speakers interact? Do they interact directly with each other or via the interviewer (in this case). Do the speakers maintain the appearance of civility all the way through? How do they address each other? Does this change during the debate? How do the speakers characterise each other? Are the speakers having fun? Are they irritated? Are the speakers engaging each other or are they dismissive?
2. Hedging & Asserting - Hedging is using words or phrases to limit the amount of imposition on the other party. Whilst debate is, by its nature, about disgreement, hedging backs away from open disagreement by using phrases like "I think" or "I believe" out of a desire to avoid a confrontation. Asserting sets up a confrontational position and hedging generally weakens such a position.
3. What's the issue? - What are the speaker's arguing about? Why are they arguing about this issue? Have they been influenced or coerced into the debate? Has the motivating issue changed from the original issue? Did one of the speaker's manage to shift the issue from the originating issue to something else that is easier to win?
4. Bringing the arguments home - Assess the arguments made during the debate. Have the speakers managed to persuasively link their supporting data to their conclusions? Are all the steps in the argument explicit or are there gaps? Are these gaps because there is no evidence? or are they rhetorical? or both?    
5. The adverse witness - Do both speakers quote the same data or sources? Are these used to draw different conclusions? Do the speakers try to use their opponents quoted data or sources against them?
6. The appeal to authority, by the numbers - Sometimes we have to trust what the experts say? Are we being asked to look at the evidence and draw our own conclusions or are we being asked to trust the experts who have already done this for us. Goodwin makes an interesting point about the role of appeals to authority in the modern world:
   

   Appropriate appeals to authority were taken off the list of fallacies long ago. For good reason: we couldn’t survive without others’ expertise. We’re everywhere dependent on knowledges divided up into disciplines far more minutely than the work in Adam Smith’s old pin factory. In some cases our very lives may hang on the specialized knowledge that went into the design of a car’s floor mat or a factory’s system for washing spinach–although we’re only likely to remember it when the design goes bad.

7. Scientific Consensus - How do consensus claims work? Goodwin refers to one of her own projects which investigates this question. An interesting aspect is depicted called "rising above" which can turn the audience if they perceive that you are being condescending or arrogant. This is of course a risk if you are presenting yourself as the expert or amongst the experts as it could lead your opponent, or the audience, to perceive that you believe them to somehow be beneath you or not sufficiently educated to understand for themselves.

8. Repeating oneself all over again (Argument Craftsmanship) - Is the speaker taking a general idea, that has been expressed many times before, and adapting it to the current situation? Has the idea been formulated and refined in such a way as to provide a logically strong position, but no stronger? In this case, Goodwin suggests the use of topoi in the form of small but forceful chunks of domain knowledge that you can organise and assert as required to support your position or attack your opponents position.    

9. Take advantage of your opponents' commitments - Do the speakers each build their case based on the commitments incurred by their opponent? This approach was introduced in the adverse witness post where it was noted that in order to debate where there are numerous constrictions, e.g. issue complexity, limited audience knowledge, limited debate time, using shared concessions is a good way to make progress. Essentially, one of the most basic and powerful tactics for winning a debate is being able to take the things that your opponent has said and turn them around, use them against your opponent.

All in all a good analysis of the debate from a rhetorical perspective. Analysing those aspects of the debate that can be separated from the specific things that were said and the specific effect that they had on speakers and audience, and can be more generally identified as tactics for winning the debate.

Of Message Integrity & Suitcases

The Lifehacker post "Open a Locked Suitcase without Leaving a Trace" linked to this video showing how to tamper with locked suitcases. A suitcase zip can easily be forced apart using a pen so that items can be inspected, added or removed. The insidious part of this hack though is that zippers are self-healing, by moving the locked-together zippers backwards and forwards along the zipper path, the zip can be re-closed leaving the suitcase appearing as though it has never been tampered with. This is a failure mode of luggage security that most people will not consider. Yes, we assume that a suitcase offers little security but we also, as a rule, assume that we would notice if our suitcase had been tampered with. We expect that either the lock will have been visibly tampered with or that the case will have been cut or damaged in some obvious way. We don't generally expect that we can close and lock our suitcases and that they are then quickly and trivially manipulated.

To give us our due, I think that most of us do not see suitcases as being particularly secure and would not place anything valuable into them unless forced to do so, so the risk of losing irreplaceable items is generally quite low. We also kind of expect that our suitcases will be inspected nowadays, at the very least using a non-invasive scan such as X-rays if not being opened up and pawed through. The big risk for most of us, especially if travelling to somewhere like Turkey or Thailand, is that something might be introduced into our suitcase which could make our trip through customs worse than usual.

Generally we see having a lock on our suitcase as a check on the integrity of the suitcase but now we cannot be certain that our suitcase hasn't had something inserted into it without opening and going through it. This scenario not only gives a real world illustration of a physical man-in-the-middle attack but also illustrates an important element of security engineering, namely integrity. Schneier's definition of integrity [Applied Cryptography, second edition, (1996), pp. 2] is as follows:

Integrity It should be possible for a receiver of a message to verify that it has not be modified in transit;    an intruder should not be able to substitute a false message for a legitimate one.

If we consider the suitcase as our "message", one of the receivers of our message is the owner of the suitcase who wants to get it back containing only what it contained when it was checked as baggage, nothing more and nothing less. The owner desires that the message has integrity and ostensibly relies on the locks as a means of verifying that integrity. In a more general communication-oriented sense, integrity comes alongside two other elements, authentication and non-repudiation, defined thus (ibid.]:

Authentication It should be possible for the sender of a message to ascertain its origin; an intruder should not be able to masquerade as someone else.

Non-Repudiation A sender should not be able to falsely deny later that he sent a message.

Because in this case the sender and receiver are, in one sense, the same person, the owner of the suitcase, then authentication and non-repudiation have little bearing on the circumstances because the lack of integrity is sufficient to consider the system broken. Under these circumstances it is enough to state that the luggage owner can be authenticated as being the person that they identify themselves as, and they have not, and perhaps cannot because of other checks and balances, repudiate their ownership of the luggage, the big gaping hole in the system is that the integrity of the luggage cannot be verified.

So how can we verify the integrity of our luggage? Simple methods like securing the locks so that they cannot be moved would stop this attack. Some suitcases have a built in mechanism or tie down point to allow this. I am sure that other mechanisms could be created but perhaps the integrity of checked luggage within a major airport cannot be verified cheaply, easily, or reliably. Perhaps ulitmately we have to openly accept this and not hold a person at their destination responsible for the contents of their luggage. Notwithstanding different laws on importation and prohibited items, we could ensure that the checks done at the originating airport are sufficient that they provide the owner with a defense should anything be introduced once the luggage is out of their supervision.

Creating secure protocols is hard

This Wired article gives a nice demonstration of Schneier's law which says that anybody can create a security system that they themselves cannot break. This particular security system is for scratch-lottery cards which the makers say are secure because they have been independently vetted by outside experts. But just because your experts can't break the system doesn't mean that nobody can, and if somebody breaks it then you can guarantee that the "bad guys" are going to be exploiting it even if the man on the street doesn't.

The weakness in this system stems from the need to control payouts. The lottery company can't just randomly allocate numbers to tickets and hope that they haven't produced too many winners. They have to carefully allocate winners in the right proportions to ensure not only that they don't bankrupt themselves but also that they make a healthy profit along the way.

The tickets are clearly mass-produced, which means there must be some computer program that lays down the numbers. Of course, it would be really nice if the computer could just spit out random digits. But that’s not possible, since the lottery corporation needs to control the number of winning tickets. The game can’t be truly random. Instead, it has to generate the illusion of randomness while actually being carefully determined

The nice thing about the breaks discussed in the linked article are that they achieved through inspection of the ticket only. The information given on the face of the ticket is enough to confirm whether or not the ticket is a winner or not.

The trick itself is ridiculously simple. (Srivastava would later teach it to his 8-year-old daughter.) Each ticket contained eight tic-tac-toe boards, and each space on those boards—72 in all—contained an exposed number from 1 to 39. As a result, some of these numbers were repeated multiple times. Perhaps the number 17 was repeated three times, and the number 38 was repeated twice. And a few numbers appeared only once on the entire card. Srivastava’s startling insight was that he could separate the winning tickets from the losing tickets by looking at the number of times each of the digits occurred on the tic-tac-toe boards. In other words, he didn’t look at the ticket as a sequence of 72 random digits. Instead, he categorized each number according to its frequency, counting how many times a given number showed up on a given ticket. “The numbers themselves couldn’t have been more meaningless,” he says. “But whether or not they were repeated told me nearly everything I needed to know.” Srivastava was looking for singletons, numbers that appear only a single time on the visible tic-tac-toe boards. He realized that the singletons were almost always repeated under the latex coating. If three singletons appeared in a row on one of the eight boards, that ticket was probably a winner.

What is most telling in this story is the reaction from the Ontario Lottery and Gaming Corporation; pull then game then claim that there was a design flaw, that it was a limited flaw that only affected this one game, carry on as normal. Meanwhile, other games had flaws and those who knew about them were able to exploit them as the office of the Ombudsman recognised:

..at least $100 million in prizes had been paid out to so-called “insiders” (i.e., lottery ticket retailers and staff of the Ontario Lottery and Gaming Corporation, or OLG) – some of it to “fraudsters.       

This is behaviour seen time and again in other so-called secure systems. For example, with so-called phantom withdrawals and flaws in Chip & Pin, and other supposedly secure systems, where, at least publically, the onus has been on the victim to prove that they are not at fault.

Another interesting aspect is that the payout statistics from the plundered games demonstrate that there is a break because the people exploiting the break don't buy tickets that they know will only pay out the face value of the ticket, i.e. there is no point buying a two dollar ticket that only pays back two dollars as that is wasting your own time. Therefore plundered games are going to have a higher than expected proportion of higher value payouts.

While there were far too few $2 break-even winners redeemed, there were far too many $4, $6, $10, and $20 winners. In fact, the majority of scratch games with baited hooks in Washington and Virginia displayed this same irregularity. It’s as if people had a knack for buying only tickets that paid out more than they cost.

The final thought that I have is that although the numbers on many of these tickets are the hook to get the player to buy them there is no reason why they couldn't also be covered with latex so that the tickets couldn't be pre-inspected for winners. There would be more to scratch off, but I have a suspicion that that is part of the game for many scratch card devotees. Perhaps these games haven't been fixed for two reasons, firstly, security protocols are hard to get right, and secondly, perhaps given the organised crime/money laundering angle, a large enough group of people have a vested interest in being able to pick a winner?

Sukey take it off again

Until the police and government deploy a proper cure for kettling we will have to make do with defences. It requires a lot of police to seal an area, especially given the size of crowds that we have seen at recent protests. This means that there are a limited number of locations where kettles can be imposed. In an area as geographically complicated as a major city the best defence against the kettle is avoiding it in the first place and there is now an app for that. Whilst there are questions about whether a technological solution is appropriate, in the short term Sukey is going to help protestors know which way direction to head in to avoid the kettles.

The objectives laid out in the Sukey executive summary are as follows:

To keep peaceful protesters informed with live protest information that will assist them in avoiding injury, in keeping clear of trouble spots and in avoiding unnecessary detention. The application suite gives maximum information to those participating in a demonstration so that they can make informed decisions, as well as to those following externally who may be concerned about friends and family. It should make full use of the crowd in gathering information which is then analysed and handed back to the crowd.

From the security perspective it looks as though the developers have at least sought advice and thought about defending both themselves and the crowds supplying data. Without details though and a thorough code review it is hard to be certain. Whilst generally the advice has been that open systems can be more secure, the developers of Sukey are taking a hybrid approach. Source code will be released after each protest at which point the current codebase can be worked on by third parties and the developers will fork and work on the next version. This will maintain the longer term openness of the project whilst attempting to minimise the equivalent of a zero-day exploit that could be used by the police during a protest.

So, given that any protestors who are kettled are likely to be identified anyway, what are the defenses against Sukey? I can't imagine that the police will be shutting down mobile phone networks during protests or jamming wifi for that matter. One potential weaknesses is in the source of input data. Amongst the crowds providing data will doubtless be police acting as saboteurs or provocateurs so input data could be spoofed. Perhaps there will be a sufficient density of non police sourced data that police-originated spoofing will be lost in the genuine data. An alternative weakness may lie in the reliance on web services and non-distributed nature of the system. If there is a single, or sufficiently critical, point of failure then the police could target that on protest day. My last, and admittedly most far-fetched initial thought is of infiltration, if the police are able to take control of the system on protest day, rather than just breaking or shutting it down, then they could direct protestors towards kettles rather than away. Which would be bad.

To be honest I think it is sad that protestors have to come up with a solution like this to defend themselves against those whose sworn duty is to protect them and maintain safety. That said it is a really cool piece of code and an exemplar of what smart-phones (iPhone), crowd-sourcing (the protestors and interested by standers), and mash-ups (swiftly, Google Maps) can achieve.

HTTPS & Facebook

Although it hasn't yet reached my account, Facebook have announced that they will soon be enabling HTTPS for all communications with the site and not just when you send your password. This is a bit of a privacy win and should enable us to better protect our personal data. Given that most of the data that we share on Facebook is private, in the sense that we share it with our friends and not the world at large, and because Facebook is one of those online venues where people organise themselves and the lack of HTTPS has lead to some unfortunate security lapses. For example, with the collusion of an ISP, the Tunisian government were able to disrupt protests by inserting malicious Javascript into users pages after authentication and subsequently deleting accounts and censoring critical pages. Even if you are not planning protests that might overthrow a government, the idea that a third party can interfere with your private communications should give us sufficient pause to want to make use of this facility. This is especially true if you are logging in from public terminals or over wifi.

Over the last few months there have been a number of reminders of how easy such session hijacking is to achieve. FireSheep, a FireFox extension, showed us how easy it was to hijack a FaceBook session, whereas idiocy.py demonstrated how, in 129 lines of code, you can automatically highjack somebody elses Twitter account and post your own tweets as them.

Which brings me almost round full circle to say that HTTPS Everywhere is a FireFox extension that I have been using for a few months to make FireFox default to HTTPS when available. This is a tool that just works and is a necessary step along the path to the secure by default future internet.

Serious Games & Energy Efficiency at the Interactive Institute

The Interactive Institute has a range of energy consumption interfaces, devices and services designed to feedback to folk about the amount of energy that they are consuming and possibly also to influence their behaviour with respect to their energy consumption. These include:

• The Energy Coach - a service to help you take better control of energy usage
• The Energy AWARE Clock - a feedback device that visualises the spikes of energy usage in your household on a clockface.
•  The Energy Plant - an LCD that visualises household electricty consumptions as a growing plant

Many of the ideas in isolation are not entirely novel although they do have a shiny factor that isn't to be found in similar offerings elsewhere. For example, OPower have a similar system that they describe as their smart grid front-end. This is designed to influence customer behaviour through a combination of feedback via a hardware peripheral, good usage analytics and visualisation, and social influence, e.g. see how much energy you are consuming compared with the aggregated consumption of your neighbours.

One of the interesting things that the Interactive Institute is doing is combining serious games with energy consumption monitors. The important thing I find with this approach is having a game that is worth playing in the first place. Once you have done that I can imagine a game in which data from the sensors in your, and possibly your neighbours houses, affect the game world. Increased energy consumption might negatively affect the variety or amount of game items available. Other things, such as running a higher consumption device at a peak usage time might affect how exciting or dangerous the game world is.

A Glass of Water

I have posted before about gamification and the use of persuasiva techniques to improve the efficiency of drivers. For example, the ford dashboard and use of simple lights and meters to encourage drivers to accelerate smoothly without aggression. Here is another take on the same idea that doesn't require buying a new car just an iPhone. The glass of water app displays a glass of water and the aim is to not spill any of the water as you drive. I am assuming that the app is correlated to the movement of the iPhone so that if you drive smoothly then you won't spill the water, and hence will improve your driving efficiency.

This seems like a great way to improve fuel consumption. Link it to an online leaderboard, possibly with prizes for the best drivers, or best improvement, and you can make a broader multiplayer game out of it. Link the leaderboard to each individual drivers social network and you might actually begin to get real improvements in average drivers fuel consumption. Of course there is also a corresponding race-to-the-bottom game that could conceivably develop as well and the rules should take this into account. If the GPS could also be used to log journeys then, suitably anonymised, it would be interesting to visualise whether there are particular roads, areas, or times that lead to increased fuel-consumption or bad driving. I also wonder how much penetration would require before we could use a system like this to monito traffic flow. Whilst many autonomous-traffic management systems rely on transponders attached to individual cars or cameras watching all vehicles, perhaps there is a lower bound to the number of vehicles we track that can still give meaningful statistics about traffic conditions?

I do wonder about how traffic police in the UK would see this though. In one sense it is only an add-on version of what could be built into the car dashboard, and is not that different to a tom-tom, especially if there were an audible cue that could be used so that the driver wasn't watching their glass rather than the road. That said, an iPhone has a screen and could be used to display video and hence should not be within the drivers line-of-sight as far as I am aware.

Now we just need an android version, and cheap mass produced widget that sits on your dashboard and does the same thing for the non-smart phoners amongst us.