Semantic Werks

Perhaps all of my thoughts are minor …

Git: I’ve been experimenting briefly with Git, a distributed version control system written by Linus Torvalds to manage the vast codebase that is Linux. There’s a great tutorial site here, which I’ve been following. For a recent paper, I moved all of the source files (Latex, bibtex, images, etc) into a git repository. The master is running off my school machine, which is accessible via the Interweb. Then I have a local repository on my laptop.

At first, it’s a little confusing — the whole idea is that there is no real need to synchronize with the master. Instead, you ‘commit’ to your local repository. If necessary, you then ‘push’ to the master (where others can sync your changes). None of my collaborators used Git, so it wasn’t that important, and fortunately we didn’t need to revert to older versions. Still, the idea is a cool one — the Git model is one of smaller, incremental commits (i.e., one file at a time) — to make patches and merges smaller (and that almost always means simpler).  It’s a good idea, but to me it still seems like we need to rely on a good process model — i.e., commit often, only commit working code — rather than just use better tools. Even a swell tool like Git is of little use if the commits are monolithic and infrequent.

On the subject of collaborating on papers, it amazes me that in this day and age there is still no good tool for distributed collaboration. I’m sure there are many expensive ones, but I don’t see why it needs to be expensive. Surely we could have a tool that did the basic review/merge process simply? I’ve found MS Word to be the best tool to date (although for some reason the version control and change tracking functions are separated). And, of course, it costs money and only works on 2 of my 3 operating systems. Adobe is horrendous: half of the time the comments are locked and can’t be copied, it’s not the master copy of the text anyway (we generate them with pdflatex), and the interface for viewing them is horrible.

Interac email transfers: You can transfer money within Canada using Interac, at any of the big five banks. You give your email address, the recipient’s email, the amount, and a security question. They get the email, and if the security question is correctly answered, they go to their online banking site and it gets deposited directly. It costs the sender $1.50, and comes with some interesting security questions. First, obviously you need to get the recipient’s email correct. Second, there’s a possibility that the site you visit after the email is received could be compromised. I’m trying to think of how it could go wrong. Say I send the email to a friend, and his email is unencrypted (i.e., my bank sends bob@email.com a plain-text email). So essentially, we have to assume anyone can get the URL of the specific transaction web page. So now this bad guy, Alice, can get to the page with the question I’ve chosen. It all comes down to a sort of bastardized one-time pad approach: I need to select a question and answer that the two of us, Bob and Neil, know, but that can’t be readily discovered by Alice (i.e., the hunt for the answer wouldn’t be worth the small amount the transfer contained). I should continue to assume that Bob’s email is easy to access (either by hacking into the account or sniffing it as it comes by). So the challenge/response should be something not in emails, that we both know about, that we both agree on the spelling for … it starts to get harder to find a suitable challenge. It probably works best between old friends or family, where you both know that in 1988 you visited Mexico, or that your Dad’s second wife was addicted to .. cocaine, etc. Not good: year of birth, current employer, etc.

What’s funny (as in “d’oh”, not “haha”) is that banks routinely ask me these silly questions over the phone. “What’s your address? What’s your mother’s maiden name? What is the year of your birth?”  I would think these are essentially useless at preventing ID theft — they’re all components of the stolen ID!

At any rate, it’s handy, but it seems like a solution that would have been better off by using public key infrastructure — if I signed the transfer with Bob’s public key, only Bob (well, whoever had his private key) could get it. Unfortunately, few people have keys like this — but couldn’t they be issued by the banks pretty easily? After all, you already store a password/passphrase to log in to your bank account.