Aug. 9th, 2012

jack: (Default)
Akrasia

Is there a difference between "what I do" and "what I want to do"?

In fact, it looks a bit like a paradox. There's a very real way where what someone acts on is a better meaning for "what they want" than what they SAY they want. But also, we're all familiar with wanting to break a habit, and yet apparently being unable to do so.

There is a Greek word, "Akrasia" (http://en.wikipedia.org/wiki/Akrasia) meaning "to act against your own best interests", where "best interests" is a bit subjective but we get the general idea. The concept has been adopted by many rationalist devotees/self-improvers (http://lesswrong.com/lw/h7/selfdeception_hypocrisy_or_akrasia/).

The idea is, there IS a difference between what we want immediately, and what we want longer term. It may be unfair to call long-term wants what we "really" want, and there's still a difference between "what we want" and "what would be most likely to make us happy if we got it", but they can be as valid wants as immediate wants are.

For instance, someone who really wants a cigarette, but really wants to give up smoking, may be in the position of choosing between immediate and longer-term wants.

When we talk about someone having will-power, or someone being logical, what we really mean is someone who can weigh their immediate and long-term wants objectively, without automatically following emotions/instincts. (When we talk about someone who is OVER logical, we often mean someone who discounts their immediate pleasure too much.)

Is that an apt description of the difference?

Morality

Is there a difference between "a moral action" and "an action I want someone to do", without an objective standard of morality? I know people are prone to see a difference even when it isn't there, which makes me suspicious of anything I might suggest, but it's sensible to think about any proposals and not dismiss them out of hand. It may not be something other than what I want, but might it be a different type of what I want?

If we have a distinction between "wants for now-me" and "wants for future-me" I wonder if we could draw a similar distinction between "wants for me" and "wants for everyone else".

That is, is there a recognisable difference between "what I would enjoy" and "what I would like because it would make someone I like happy" and "what I feel I should do because someone would do it for me" and "what I should do for someone else because it's the right thing, even if no-one else thinks so", even if you can only infer what's going on in someone else's head?

I think there is, that people recognise a difference between "what they should do" and "what they'd like to do", and what they DO do is governed at a particular moment by where they currently fall on a scale between thinking "of course I'll do what I should do" and thinking "I'm overdue for something just for me". However, I'm not sure if I can actually test that or if it's just speculation.

With little indiscretions, I think people do see a difference between "I know it's against the law, but I think it's ok" and "I know I shouldn't do this if I had infinite amounts of time and money to fix every world problem however small, but in the real world, there's no realistic way to avoid doing X". And I'm inclined to think that even people who do bigger bad things are probably thinking in the same way: "well, yeah, ideally I wouldn't've killed him/her, but you know, what can you do?" And morality for a person is something like "those things they think they would do in a magically perfect world where they could", somehow combined with what they prioritise when they put it into practice. But I don't know if that point of view is actually valid for other people or not.
jack: (Default)
One of many potential links: http://www.mattcutts.com/blog/google-two-step-authentication/

Yesterday I turned on google two-factor authentication. (Stop using gmail is still on the TODO list! :))

I'd been leery of fancy new security measures, but recently it reached the tipping point where the risks of turning it on seemed smaller than the risks of putting it off.

In fact, my email and my bank are probably the things most vital, because most online accounts get tied to my primary email. It's a toss-up which is more secure: the bank will probably care more about a breach (if they can't just blame me), but know a lot less about security and avoiding social engineering than google.

I'm not sure how the parts interact, but I think how it works is:

* When you log in via a web browser, you need a password AND a verification code sent to your mobile (or android app).
* The verification code is good for 30 days, during which time you need a password to log in (?), but not another verification code. (Only enable this for computers you use regularly.)
* After that you need to reauthenticate.
* But signing in to a new computer needs a verification code.
* If you lose your mobile, you can still log in to a "trusted" computer within the 30 days and choose a new mobile or turn off two-factor authentication
* If you lose your mobile AND your computer (or if you want to check your email abroad without any of your usual devices), you can print off a set of ten one-time backup verification codes, which function exactly like the mobile (except they're printed in advance instead of sent to you when you need them).
* I _think_ the backup verification codes still need your password, so you're still safer than using a password only.
* But if you have "trusted" computers AND backup verification codes AND a backup mobile or landline specified, you're unlikely to lock yourself out.

Do you know, is all that correct?

For things like gmail on an android device you can generate a one-time per-device "password" which isn't really a password, but lets that device access your account, but (I think?) NOT reset your password or two-factor authentication stuff. And if you log into your account you can "untrust" computers or disable the per-app logins for android devices, apps, etc.

It seems the reason this is better is that if someone steals a device, they can access your account, but you can lock them out and they can't lock you out.

This _doesn't_ defend against trojans, or telling someone your password, but I think it's still better: I'm not a great judge of security, but it seems pretty well thought out and fairly reliable.

Attack vectors

I think the failures I'm protecting myself against are:

* A friend I trust rifles through my stuff or looks over my shoulder to see my password
* A hacker finds out my password somehow

I don't think I can defend myself against both of those simultaneously, nor a friend sufficiently dedicated to install spyware on my computer, but it's better to be somewhat protected against the most-likely case of hacker or an impulsive friend separately.

Recommendations

Find someone who knows more than me and do what they say.

Avoid using gmail at all (although the risks of using gmail are different to the ones discussed above).

But FWIW, I think about this as, you may not be able to protect against the worst possible combination of events, but it's a start that you can still log in to your email and no-one else can if you suffer any ONE of the most likely things:

* You lose your computer
* You lose your phone
* Someone sees your password
* Someone keylogs your login, but isn't set up for a full man-in-the-middle attack
* Someone goes through your wallet and finds your backup recovery codes

I still need to check that backup recovery codes still need your password.

I think you're still screwed if someone steals your "trusted" computer (assuming your password is stored in your browser but they can brute-force the browser's encryption), but avoiding that is significantly more hassle.
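
The "any ONE of the most likely things" list above, and the stolen trusted computer caveat, can be checked mechanically. The Python sketch below is an added example, not part of the original post or anything Google publishes; it assumes the login rule as the post describes it (password plus one of phone code, trusted computer or backup code, with backup codes still needing the password), and every name in it is a hypothetical label.

```python
from itertools import combinations

# Added illustration; factor and event names are hypothetical labels for the post's list.
SECOND_FACTORS = {"phone", "trusted_computer", "backup_codes"}
OWNER = {"password"} | SECOND_FACTORS

# event -> (factors the owner loses, factors someone else gains)
EVENTS = {
    "lose computer": ({"trusted_computer"}, {"trusted_computer"}),
    "lose phone": ({"phone"}, {"phone"}),
    "password seen": (set(), {"password"}),
    # Keylogger without man-in-the-middle: the captured code is already spent.
    "login keylogged": (set(), {"password"}),
    "backup codes found": (set(), {"backup_codes"}),
}


def can_log_in(held):
    """Assumed rule: password AND any one second factor (trusted computer
    counted only inside its 30-day window; backup codes need the password)."""
    return "password" in held and bool(held & SECOND_FACTORS)


def outcome(events, password_saved_in_browser=False):
    """Return (owner_can_log_in, someone_else_can_log_in) after the events."""
    owner, other = set(OWNER), set()
    for name in events:
        lost, gained = EVENTS[name]
        owner -= lost
        other |= gained
    # The post's caveat: a stolen trusted computer may also yield the password.
    if password_saved_in_browser and "trusted_computer" in other:
        other.add("password")
    return can_log_in(owner), can_log_in(other)


def single_event_table():
    return {name: outcome([name]) for name in EVENTS}


def breaking_pairs():
    """Pairs of events after which someone else can log in."""
    return [pair for pair in combinations(EVENTS, 2) if outcome(pair)[1]]


if __name__ == "__main__":
    for name, (owner_ok, other_ok) in single_event_table().items():
        print(f"{name:20} owner={owner_ok} other={other_ok}")
    for pair in breaking_pairs():
        print("breaks:", " + ".join(pair))
```

Under these assumptions every single event leaves the owner in and everyone else out, while every breaking pair combines a leaked password with one lost or copied second factor.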
