Hard truths about software

The global outrage about Russia's invasion of Ukraine in February 2022 has also highlighted the extent to which modern society depends on software. More specifically, on software written by other people. Much of this software comes from open source projects or makes extensive use of open source libraries. This is true also for commercial software that might do so legally or (often, I suspect) surreptitiously by simply copying code from open source projects where these projects have licence conditions that do not allow use in proprietary software.

The Open Source Initiative reports that protestware has been included in many open source projects, some of it malicious – at least one case was uncovered where the code was introduced by one developer to delete all files on devices with IP addresses in Russia or in Belarus. An updated version simply displayed an antiwar message. This piece of code is used in another project and another (as detailed by Lyran Tal at snyk.io), eventually impacting Vue.js which is a commonly used JavaScript framework for building websites.

The complexity of modern software cannot be overstated. Everyone builds applications that rely on a multitude of libraries (even the simple computational models that I write in Python include many libraries about which I know very little and these models run only in a text terminal interface) and, indeed, on an operating system. This can be seen in the size of the executable files: the latest version of Microsoft Edge is a compressed download of over 100 MB. There is no way that a single person can have an overview of the entire source code of the browser and I doubt there is a team that would fit into a single room that does.

Furthermore, software is everywhere. Since computing power became cheap many decades ago, common electronic devices no longer contain custom control hardware but rather have a general purpose computer inside with specific software to handle the connected hardware components. This is true for everything from your car to your phone, via your dishwasher and your smart lightbulb.

With commercial software the user gets the ability to sue someone if things go wrong (depending on the exclusions in the agreement, and I suspect there are cases of "not my fault" on the record). However, the sad news is that it is not only a practical but also a theoretical impossibility to fully guarantee software behaviour.

In his 1951 doctoral dissertation, Henry Gordon Rice proved that no non-trivial semantic property (like, "it never hangs") of a computer program can be universally decided by another program. That is, given a specific property that software should satisfy (e.g. not contain a backdoor) and a program for checking it, that program will always fail to give the correct answer for some of the software to which it is applied. It is however possible to verify the behaviour of some software by a formal verification proof, for example the operating system CertiKOS. Formal verification requires somewhat complicated mathematical modelling but hardware companies such as Intel have been pioneers in using it.

In telecoms, the programming language Erlang was developed at Ericsson for high reliability in the 1980s and is in current use for much of the code of WhatsApp. Substantial work has been done on the formal verification of Erlang software. Advocates of Open RAN (Radio Access Network) technology and telecommunications operators will probably have to keep in mind the hard fact that software reliability for realtime systems (like cars or networks) is orders of magnitude more important than for the likes of the Candy Crush app. Mixing hardware and software from different vendors in a critical realtime application is likely to pose more challenges in terms of verifiable reliability than some think.

Termination Shock – a masked adventure

I have long been enjoying the novels of Neil Stephenson. This includes the sublime Cryptonomicon, The Diamond Age: or A Young Lady's Illustrated Primer (probably my favourite) and The Big U, his 1984 novel about academic life. This year, summer holiday featured his latest speculative fiction, Termination Shock – a delightful romp from Texas to Indonesian Papua with local colour amply provided by Comanche, Punjabi, Afrikaans, Papuan and royal Dutch extras. It is set a decade or two in the future with the planet in chaos through climate change and semi-permanent waves of the viral infection that beset it in 2020, which will not be named here in an attempt to confuse the censor bots.

The treatment of climate change is, I would say, fairly nuanced. The main plot involves various parties' attempts to arrest it by seeding the high atmosphere with sulphur compounds and their opponents' efforts to stall any interference. 

There is more than a smattering of Texas and Dutch (colonial) history, with an emphasis on mining. It was probably fairly brave of Stephenson to feature epidemic control measures such as masks, border closures and warning apps as constant features of a future world. I am not sure whether this is primarily pessimistic, prescient or simply sarcastic. However, the book was the first work of fiction that I read which strongly features the masking situation.

Termination Shock is not one of my favourite Stephenson novels but it is generally well researched and entertaining. There is a minor point in the plot that I find very puzzling though. The Maeslant barrier at Rotterdam is destroyed during a storm, causing flooding in half the Netherlands, and the characters speculate about whether it could have been a freak wave. However, if you go online now, you will find plenty of live video footage of the barrier. How could it be that in future these cameras simply do not exist? If you are a fan of Stephenson's style of speculative fiction (or of Texas) you should definitely read Termination Shock.

Of cryptocurrency and chinchillas

The US Securities and Exchange Commission (SEC) has alleged that the operators of Ripple (a distributed ledger based payment network) has been making an illegal unregistered securities offering through its sale of XRP, a cryptocurrency which is associated with some of Ripple Labs' established payments business. As described by Roslyn Layton on Forbes, the charge poses questions regarding fair process and regulatory overreach. Jurisprudence on securities offerings rely heavily on the case SEC v. Howey Co., 328 U.S. 293 (1946) involving an orange grove development to which I simply refer as Howey.

There are two easy outs from the purview of the SEC: an investment that is mainly for consumption (e.g. a house in a sectional title development in which one intends to live), or a currency – even if there is a clear expectation of profit on the part of the investor. Even the government has to admit that people generally do not buy things in the expectation of making a loss! Extensive litigation around what constitutes a security has taken place and, confusingly, various circuits of the US federal courts have taken slightly different views on this. The three parts of the Howey test on which they agree are that their must be an investment of money, an expectation of profit and that this must be solely through the efforts of a promoter or third party.

Maria, the Chinchilla.
Photographed by her proud
owner in June 2005

The fourth part of the Howey test involves common enterprise which means that there might be pooling of the resources contributed by purchasers of the contract or token being offered and a link between the putative investor's returns and the efforts of the promoter. The link is clear in the case of shares or, as the court determined, possibly chinchillas as in Miller v. Cent. Chinchilla Group, Inc. (8th Cir. 1974) which determined that offering chinchillas for breeding with a guaranteed buy-back of $100 per pair did indeed constitute a securities offering.

It seems clear that the operations of Ripple Labs are funded to a large extent through sales of XRP but on the other hand, XRP has been traded and used as an ordinary cryptocurrency on exchanges for many years. Its fluctuation in value has also been correlated to a significant extent (around 0,3) with that of Bitcoin. To me, this suggests that any expectation of profit from ownership is significantly related to the general view on crypto and definitely not solely to the efforts of Ripple Lab.

It is not at all clear whether the SEC's case against Ripple will fail and, certainly, certain token offerings definitely have the character of a securities offering. However, I can also see the possibility of a Ripple test emerging from this which covers instruments which 

• have some aspect of a currency (by behaving similarly to Bitcoin),
• are weak on commonality of enterprise (since there is no explicit claim, in the case of XRP, on the profits of the enterprise that arise from anything other than the promoters' possibly continued holding of some XRP themselves) and
• where profit is clearly not (therefore) solely from the efforts of the promoter or third party.

It would be a shame if great innovators like Ripple Labs were shackled by the fear of SEC prosecution through an overly zealous interpretation of the Howey test.

WhatsApp support lines and bots

 WhatsApp support lines and bots only work if your bot or mechanical Turk (human) can respond practically immediately. I have been entangled for about a week with my internet service provider who proudly announced that they no longer use e-mail (it is supposedly very 1990s) for customer support.

Now, is is great that you no longer have to call a telephonic support line (especially if you are hearing impaired!) but as the image above shows, a human (or named bot) responded yesterday after six hours at which time I was having a haircut and unable to respond to it. It then went away and I am back where I was, suspecting only that Melissa (the virus) has taken an easy job on the WebAfrica support line.

Privaatheid tydens afsondering

Dis coronavirus-afsondering en almal kan sien hoe deurmekaar jou huis is. Terwyl ons links en regs deelneem aan video-konferensies en registreer vir aanlynkursusse, hou gerus in gedagte dat iemand moet geld maak uit al dié gratis dienste. Almal se gunsteling blyk Zoom te wees en ek stem saam dat die gebruikerservaring besonder goed is. Ongelukkig, soos elders, geld die beginsel dat indien jy nie betaal nie, is jý die produk. Ek het onlangs opgelet dat die skakel om 'n webinaar in my dagboek te plaas, behels het dat ek blykbaar vir Zoom toegang gee tot my gehele Google-dagboek. Dit was maklik genoeg om te omseil maar laat my nogal ongemaklik voel. Verder het Zoom 'n geskiedenis van privaatheid- en sekuriteitskwessies. Dink maar aan die volgende.

• The Zoom conferencing app has a vulnerability that allows someone to remotely take over the computer's camera. https://www.schneier.com/blog/archives/2019/07/zoom_vulnerabil.html (Blykbaar opgelos, maar dit is onlangs.)
• What Zoom’s current privacy policy says is worse than “You don’t have any privacy here.” It says, “We expose your virtual necks to data vampires who can do what they will with it.” https://blogs.harvard.edu/doc/2020/03/27/zoom/

Ek sou aanhou om Zoom te gebruik maar neem aan die vlak van privaatheid is soos in 'n gesprek in 'n koffiewinkel.