Information Technology Research Update
by Diomidis Spinellis
Department of Management Science and Technology
Athens University of Economics and Business (AUEB)
http://www.dmst.aueb.gr/dds/

Volume 2 Issue 6
December 3rd, 2002

A free periodic newsletter providing summaries, analyses, insights, and commentaries on information technology research brought to you by the Information Systems Technology laboratory http://istlab.dmst.aueb.gr

In this issue:
- Machine Intelligence and the Turing Test
- MIT's DSpace
- Embedded Lightweight Software
- Swarm Intelligence
- The Economist on Digital Security
- ACM: Special Interest Group on Electronic Commerce

Machine Intelligence and the Turing Test
----------------------------------------
Alan Mathison Turing, the British mathematician, philosopher, and logician - also known for his participation in the code-breaking effort against the German Enigma encryption machine - proposed in 1950 that if a computer could successfully mimic a human during an informal exchange of text messages, then the computer might be considered intelligent. In a recent article in the IBM Systems Journal 41(3)-524, (09/02), I. Brackenbury and Y. Ravin employ the Turing Test as a means of identifying artificial intelligence (AI) technologies that should have a pivotal role in creating more intuitive machine-human interactions. The technologies identified are:
- natural language understanding for processing the input;
- machine reasoning to obtain answers that are relevant within the context set by earlier exchanges;
- knowledge representation technology to represent the knowledge of human activities as well as the rational, objective knowledge about ourselves and our society;
- knowledge acquisition to automate the task of capturing the above knowledge;
- dialog management for representing the dynamics of dialog and identity;
- emotion to recognize and use affective information in a variety of forms.

The authors end their paper noting that other emerging areas that study machines based on models of brain behaviour, although relatively immature and more speculative in nature than the technologies based on linguistic models, may also allow us to make new, significant, and perhaps revolutionary progress in AI.

MIT's DSpace
------------
DSpace is a joint MIT/Hewlett-Packard project to archive virtually all the intellectual material produced by MIT scholars and researchers in a "digital library." The goal of the archive is to relieve conventional libraries of the burden of storing content in formats--Dictabelt recordings, floppy disks, newsprint, etc.--that take up space and are subject to physical degeneration over time. The project was launched with a $1.8 million grant from HP. England's Cambridge University, Columbia University, and six other universities are expected to adopt DSpace by September 2003. A project is also underway to link DSpace with a similar system based in California universities and at Ohio State. Thus far, more than 2 TB of data has been stored in DSpace. The archive, which is based on open source software and features a Google-like search engine, is expected to cost MIT about $250,000 a year to maintain and operate. According to the MIT computer science and electrical engineering professor Hal Abelson, DSpace will become an essential medium for recording each year's course material and course Web sites.

Embedded Lightweight Software
-----------------------------
We all know the traditional database management systems and web application servers. They are large complex systems, developed by teams of hundreds, consisting of megabyte-large packages, running on powerful hardware, and requiring installation, regular maintenance, and tuning by suitably trained competent system administrators. No one in their right mind would use such a system for implementing a mobile phone's contact list browsing.

Your editor recently experimented with a number of open-source embeddable software libraries for database management and web page serving. Small, easy-to-use, light, and fast, they cannot run amazon.com, but can be easily integrated into your programs to provide a database or a web front-end.

HSQLDB is a Java-based SQL database engine. You can embed it into your Java application to interact with the database it creates using the standard JDBC interface. It can run as a stand-alone server, or it can be part of your application. If you program in C, Perl, or Tcl/Tk, SQLite provides similar functionality. Both database engines are fast (SQLite can be four times faster than PostgreSQL) and provide a simple database manager front-end.

If you want to jazz up your old C/C++ or even Fortran application with a shiny new web interface, then the SWILL embedded web server library could be the answer. SWILL, written by Sotiria Lampoudi and David Beazley at the University of Chicago, will convert your application into a web server by simply adding three new lines of code and linking against the library. All you then need to do is to associate web pages with specific functions that deliver the corresponding results.

All the above cases demonstrate that often small is beautiful. All libraries allow you to quickly experiment and prototype using SQL commands and a Web interface. When your application's needs outgrow the capabilities of these engines you can then upgrade to the big boys' offerings.

Web links:
HSQLDB: http://hsqldb.sourceforge.net
SQLite: http://www.hwaci.com/sw/sqlite
SWILL: http://systems.cs.uchicago.edu/swill

Swarm Intelligence
------------------
A recent article in the Communications of the ACM (P. Tarasewich and P. R. McMullen, "Swarm Intelligence" 45(8):62-67) describes how using mechanisms that insects employ to work together can offer unique possibilities for problem solving.

Collective activities of insects are often self-organising: a complex group behaviour emerges from the interactions of individuals who exhibit simple behaviours by themselves. Typical examples include ants building a nest, and bees searching for food.

French scientist Eric Bonabeau and his colleagues devised "ant algorithms" based on their study of social insects. In their book, "Swarm Intelligence," (Oxford University Press, 1999) they argued that the social organization of ants could be applied to businesses to make them more efficient. Swarm intelligence algorithms simulate the movements and interactions of an organization's employees, products, and clients, a technique known as "agent-based modelling."

Consultancies are now pushing these algorithms in a variety of applications. French gas company Air Liquide, with the help of Santa Fe's Biosgroup, employed swarm intelligence algorithms to improve its supply chain: by programming trucks to find and outline the shortest delivery routes so that subsequent trucks can retrace them - much like foraging ants leave pheromone trails - Air Liquide was able to save time and manpower in the organization of its delivery schedules. Meanwhile, Bonabeau's Icosystem company is employed by the U.S. Office of Naval Research to simulate the operation of unmanned aerial vehicles in an effort to improve communications and pave the way for smarter vehicle designs. Icosystem is also working to speed up Eli Lilly's drug delivery time by up to 80 percent by building a model of the firm's clinical development processes.

The Economist on Digital Security
---------------------------------
(excerpted by V. Skoularidou)

The October 26th 2002 issue of the Economist magazine contained a very interesting survey of digital security. The article consisted of seven sections covering different but important aspects of computer security.

The first introductory section, entitled "Securing the cloud", argues that computer security has now become an important issue for consumers, companies, and governments around the world, for two basic reasons: a) the 11/09/02 terrorist attack in America and b) a cultural shift which is underway. The growing emphasis on security over the past year or two has been driven by a combination of factors, like: a) regulation, b) high-profile security breaches, and c) a shortage of senior security specialists. It is also argued that vendors like to present security as a technological problem that can be easily fixed with more technology (e.g. Oracle's campaign about its "unbreakable" RDBMS). But this is only one of the three misconceptions about digital security:

1. Improving security means implementing appropriate policies and managing risks, not just buying clever h/w and s/w. Security relies heavily on the human factor. Technology is necessary but not sufficient.
2. Security cannot simply be left to the specialists of the systems department. Senior management also plays a very important role.
3. Even senior managers who are aware of the problem worry about the wrong things and ignore the nature of the threat. Security is not just protection from viruses and malicious hackers. There is also the problem of internal security, disgruntled ex-employees, network links to supposedly trustworthy customers and suppliers, theft of laptops, handheld devices and wireless links.

Since technology is merely part of the answer for digital security, the survey starts from this, and the second section, entitled "Tools of the trade", shows how a box of technological tricks can improve (but not guarantee) security. This section argues that for most security specialists, viruses and malicious hackers are everything that comprises computer security. Viruses are presented along with antivirus software as the first line of defense.

The section then describes how malicious hackers act and presents firewalls, intrusion detection systems, encryption and cryptographic authentication as important techniques for confronting the problem. Apart from the advantages, it also describes the limitations of these techniques. It then goes one step further and identifies "badly written software" as the main cause of poor security. It describes Microsoft's new strategy on "trustworthy computing" and its new procedures for writing secure code, and also identifies the problem of "time-to-market" pressure on software systems, which leaves security as an afterthought for a lot of software vendors. The section concludes by identifying the importance of the human factor and the fact that security is like a chain and the weakest link is usually a human.

With this corollary, the next section, entitled "The weakest link", is introduced. Here, the main issue is the fact that hackers tend to exploit human vulnerabilities. As Bruce Schneier said, "Amateurs hack systems, professionals hack people". The survey describes the example of Kevin Mitnick, the famous hacker who usually tried social engineering attacks (and who is also the author of the recent book "The Art of Deception", where he describes all the details of his attacks). It also identifies the importance of choosing good passwords and the importance of education. It again emphasizes the management-based rather than the technology-based approach to security and identifies biometric systems as an example of how expensive, glamorous security technology can be easily undermined by poor procedures. This is the fourth section, entitled "Biometric fact and fiction".

Here the biometrics technology is described in brief and the problems of this technology are identified: a) the insecurity of the technology, shown by failures in a number of the examples described, and b) the fact that its effectiveness can be easily undermined by failures of process or policy. Here the example is taken from the science fiction movie "Minority Report", where Tom Cruise plays a policeman accused of a crime who goes on the run. In the movie's futuristic setting, eye scanners are used to ensure that only legitimate users can access computer systems. Mr. Cruise's character has eye transplants to conceal his identity, but also keeps his old eyeballs so that he can continue logging on to the police computer network. After being on the run, he is still able to get into the police computer network, because someone has neglected to revoke his access privileges.

The survey continues by emphasizing the need for proper security policies and the fact that management and security interact. It mentions Ross Anderson's approach on security and workflow and describes his ideas for applying ideas from economic theory to computer security. It then deals with the issue of lack of liability for software flaws and supports Bruce Schneier's approach that product liability lawsuits against software companies whose products are insecure would almost certainly discourage software makers from cutting corners on security.

The next section, entitled "When the door is always open", deals with the issues of wireless networks that are inherently insecure, rogue access points, and handheld computers that are often used to store sensitive information and can bypass antivirus software and firewalls, since they are carried by the employees and connected without notice to the company's internal network.

This section concludes that companies should consider their networks not like mediaeval castles, where the main issue was to keep the enemy out, but like airports where people pass from one area to the other presenting credentials (tickets, passports, etc.). This inclusive model boils down to proper identity management mechanisms.

The sixth section is entitled "Putting it all together" and deals with the issue that security spending is a matter of balancing risks and benefits. It argues that total computer security is impossible and that the right thing to focus on is risk management. It describes in brief the steps of risk analysis/assessment, presents the case of outsourcing security via "managed security monitoring" and also talks about cyber-insurance.

The last section, entitled "The mouse that might roar", deals with the issue of cyber-terrorism and the fact that critical infrastructures should be secured against digital attacks. Last year's attack in America is taken as an example.

The survey concludes by arguing that the enthusiasm for technological solutions for security can go far, but in two particular areas, security technology could end up doing more harm than good:

1. Some measures introduced in the name of security may have the side-effect of needlessly infringing civil liberties, e.g. face scanning systems at the airports which can be used for purposes other than spotting terrorists. Similarly, new legislation allows far more widespread wire-tapping and interception of Internet communications (e.g. Carnivore).
2. In the world of business, technology introduced to improve security often seems to have the side-effect of reinforcing the market dominance of the firm pushing it. As Ross Anderson claims, "vendors build in things that they claim are security mechanisms but are actually there for anti-competitive reasons.
The classic example is with Microsoft's Palladium technology for fencing off security areas inside a computer, which might enable Microsoft to gain control of the standard for the delivery of digital music and movies."

Corollary: Security depends on balancing cost and risk, through the appropriate use of technology and policy. The tricky part is defining what "appropriate" means in a particular context. It will always be a balancing act. Too little can be dangerous and costly - but so can too much.

ACM: Special Interest Group on Electronic Commerce
--------------------------------------------------
The Association for Computing Machinery has launched SIGecom, a special interest group on electronic commerce. The scope of the SIGecom specialty is to encourage research and advanced applications relating to electronic commerce and the sharing of new ideas and experience. Attention will be paid to foundational issues and to demonstrated applications. Stuart I. Feldman, Director, IBM Institute for Advanced Commerce, and Director, Networked Computing Software Research (and, two decades earlier, creator of the Unix make tool) is its contact person. The SIG hosts the ACM Conference on Electronic Commerce, and the SIGecom Exchanges, the official newsletter for SIGecom. New articles are being solicited. More details in .