Saturday, August 18, 2012

Getting Hacked: Who's to Blame?

The details about Duncan are he's pocked with acne scars and his scalp is brown along the hairline every two weeks when he dyes his gray roots. His computer password is "password."
—"Lullaby", Chuck Palahniuk

Mat Honan of WIRED recently fell victim to a pretty nasty hacking incident and wrote about it: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

The details are pretty interesting (to me at least), but the gist of it is that attackers got his credit card numbers through Amazon and used the last 4 digits to impersonate Mr. Honan to Apple's phone support. Once they gained access to his Apple me.com email account, they used the password reset mechanism to get his Gmail, and from there his Twitter account. Finally, they deleted all of his data from his iPhone, iPad, and MacBook.

Reading all this, I got to wondering how other people would evaluate the situation. If someone hacked your accounts the same way, how would you assign blame between
  • the attackers
  • the service providers (Apple, Amazon, etc.)
  • yourself

Honan said he blamed himself for not taking better precautions, and even agreed not to press charges against his attackers in exchange for information about how the attack was carried out. I want to hear other people's assessments, but I can definitely see several angles on the situation.

Mat Honan is clearly a pretty tech savvy guy. He might have had some chance of understanding exactly what risks he was taking and how to protect himself, but very few people would. On the other hand, Amazon and Apple are there to provide a service, and there's a limit to how tightly they can secure customer accounts, especially when customers expect to be able to recover their accounts after forgetting their passwords.

Maybe it's just wrong-headed to expect these security systems to be impenetrable. After all, the physical locks on your doors aren't perfect either. Locks can be picked, or you might forget to lock them, or someone can knock in doors or windows. The thing that makes our physical security norms more-or-less work is that if someone does break in, in most cases they will take on some risk of getting caught.

The internet doesn't always work that way. People can strike anonymously on the internet. And since it's international, regulations are much weaker and more scarce. But it's at least worth considering a setup where technological protection ends exactly where legal protection begins, a setup that requires whoever is requesting password recovery to get enough skin in the game that they could be taken to court. Maybe the only way would be for them to request it in-person and be photographed, or maybe there's a more convenient option.

The thing that bothers me the most about the situation is that everywhere I look, people are still acting as if "secret personal information" is a good method of identification. You don't really have to be a genius to see the problem. My SSN, my mother's maiden name, my credit card numbers… I've given them out to hundreds of people to "prove my identity", people that I don't know personally and don't particularly trust, and each of those people can now impersonate me. The Honan article points out that even without involving Amazon, your pizza guy has everything he needs to get into your Apple account. I must have given the last 4 digits of my SSN to at least a dozen people at Comcast in the process of transferring my internet to a new address; the only one that really irked me was the last time, online, when they explicitly told me this was for "security purposes".

So anyway, that's my take on the situation. Now it's your turn. Comment away!

Monday, September 5, 2011

My Truck-free Move across the Country

"If you didn't have so much stuff, you wouldn't need a house. You could just walk around all the time. A house is just a pile of stuff with a cover on it." —George Carlin

I recently moved from Indianapolis, Indiana to the San Francisco Bay area for a new job with Meebo, and I decided to skip the moving truck, sell the car, and travel by airplane. That's the what, when, and where. Now for the why and how...

I was getting a relocation bonus, but I had a two-story house in Indiana and a lot of stuff in it, much of which wasn't going to fit in a small apartment in California, so I had some concerns about the logistics. Moving all of it would mean all the packing, driving or paying someone to drive a loaded truck through desert and mountains, and then probably storing most of it in an expensive storage unit in the Bay Area. And honestly, I didn't know what half of this stuff was anymore. So, my wife and I talked about it and decided to sell absolutely everything we could, give away everything we couldn't sell and didn't need, and dump everything we couldn't give away.

Phase 1: Sell, Give Away, Dump
I cannot possibly imagine how we would have done this without craigslist. We managed to sell a bed, dresser, two sets of tables and chairs, lots of shelves and cabinets, lots of baby gear, and a bunch of tools. And the best part is, these people hauled the stuff off themselves! We had a moving sale we also posted on craigslist, with limited success: people bought small furniture, unopened toiletries, dishes (some dirty ones from the dishwasher!), and a few other odds and ends. In the end, we got about $1000 out of it.

At this point we still didn't know if we would be driving and if we would need a trailer for the stuff we ended up taking.

Next, my wife's church group helped us get everything out of the attic, closets, and her office and haul it all downstairs. The next morning, we filled up half of our driveway with as much of the stuff as we could get out there, put up a "FREE" sign, and put up a posting on craigslist called "Everything is FREE!"

What followed was absolutely amazing. It was like watching the nature channel. People appeared from all over Indianapolis to take our stuff. Half of the driveway was covered and piled high with all kinds of crap, and within 2 hours it was completely gone! People were pulling up in vans and indiscriminately loading everything they could grab into them. I thought about trying to refer some of these people to some sort of hoarder support group.

During and after this process, we had been going through all of our stuff and throwing most of it in trash bags with reckless abandon. I can't even remember what all we threw away, but there was a lot of stuff from the back yard deck, opened containers of food from our refrigerator and pantry, and all manner of odds and ends throughout the house. A lot of stuff that would otherwise have been worth keeping to me suddenly became trash when I figured in the cost of transporting it to California.

Eventually, we were down to just the bare essentials. Inflatable mattress, clothes, laptop, important documents, disposable kitchenware, and a TV to occupy the kiddo while we packed. We also had some electronics and a lot of Mary Kay product in boxes that we knew we were going to be transporting somehow.

Phase 2: Preparations
Somewhere in the middle of pruning down our stuff, we scheduled a flight out to our destination to do some apartment hunting. My parents took care of the youngin while we took a 2 day trip. We lined up several candidates beforehand, and while we were there we visited 10-ish apartments over the course of said two days.

Our main criteria, besides price, were that we wanted to have a washer/dryer (or at least hookups) in the apartment, and we were hoping to find someplace with a reasonable commute to Meebo (possibly near public transportation options). We learned of padmapper partway through, which is awesome, awesome, awesome, and again I don't know how we would have made this work without our internet resources. We ended up liking the very last one we looked at, and we put a deposit down on it before we left. Incidentally, the move-in date was a few days sooner than we were anticipating, and that accelerated our move timeline a touch.

Back in Indy, we looked into our shipping options for our boxes of stuff and found that UPS and USPS were going to be more expensive than we were hoping for. But we discovered that Greyhound has very affordable shipping, with a few restrictions on box weight and the value of goods being shipped. We specially shipped my wife's $300+ blender with UPS, and with the insurance that cost us about $50 alone.

At this point we learned that the air conditioning in my car, which had been out for a while, was not easily fixable. There was no way we were going to be able to make the 34-hour drive potentially through desert terrain with a toddler and no air conditioning, and there was no telling whether the A/C was going to start working well after we paid to have the compressor replaced, so we did some more planning and settled on selling the car and flying out.

We got our one-way tickets flying Southwest and secured a rental car for the first week in California. Southwest currently allows two free checked bags per passenger, and since we had 3 passengers, we were able to take 6 big, heavy bags with us in addition to our 3 fully-loaded carry-on bags and personal items. We bought a scale and packed the bags carefully to be under the 50-lb weight limit, loading books into the smaller ones to maximize the weight vs. space. We initially planned to shoot for 4 checked bags so we wouldn't be bogged down getting to and from the airport, but that changed pretty quickly.

We contacted our real estate agent about selling our house, but at the current market price we'd be taking a significant loss on it, and there was no telling how long we'd have to wait for that to change. We found a property management service that takes care of finding renters, collecting rent, and other legal and business concerns for a small percentage of the rent, so we're going to try being landlords. We won't be able to write off the mortgage on our taxes anymore, and we'll have to pay for some repairs, but we'll see how all that goes.

Phase 3: Goodbyes
Meanwhile, there was going to be a lot in Indiana I would miss. I lived there for 4 years, made a lot of memories there, and it's where my parents and siblings live.

I worked at a very small company where I was going to be missed. In general, I try my darnedest to document my work so people can pick it up later, but there was still some wrapping up to do in the time I had left.

I was particularly disappointed about having to say goodbye to my fluffy kitty, Harvey. Every apartment we found in Cali required a $500 pet deposit and somewhere around $50/mo pet rent to keep a pet, and as tight as finances were going to be, there just didn't seem to be any way to make that work. Fortunately, my coworker was able to adopt him, so I feel better about his future well-being, but I'm still going to really miss him.

I also had a lot of farewell lunches and dinners with my company, my friends, and my family. They all helped us immensely in getting moved, and we really appreciated it!

Phase 4: The Move
When the day finally came to set out for California, we were really excited and nervous. We got up early in the morning, loaded all of our luggage into two cars (there was no way it was going to fit in just one!), and my parents drove us to the airport.

We got to the airport, got all of our luggage out and up to the check-in desk, and…oops! Either the luggage scale wasn't that accurate, or a few last-minute items got packed that were heavier than we expected, because one bag was 58 lbs, and another was 53. The guy behind the counter waited patiently and helped us check our progress on the scale while we swapped out the contents of our luggage. All of our bags ended up being 50.5 lbs or so, but he let us check them anyway. (We gave him a nice tip!)

We bought a portable DVD player for the kiddo anticipating a difficult flight. She had a meltdown at the end of the first flight and was rolling around on the airport floor screaming during most of the layover, but she did pretty well on the rest of the trip.

We finally arrived around noon (yay, 3-hour time change!), and my wife picked up the rental car while I caught a taxi van to the apartment with the kiddo and all our luggage. She had been up since 4am or so, and while we were riding to the apartment, I heard her stop singing to herself for 2 seconds, looked over, and she was out cold. I tried to wake her up, but within those few seconds she was hibernating like a ground squirrel. After we got to the apartment, I let her sleep in her stroller in the shade while I carried the luggage up to the doorstep.

Phase 5: Moving In

There was plenty to do settling into our new life in California. We got to work unpacking our clothes, and the stuff from our boxes once those arrived. We made several trips to IKEA and bought a delivery-truck-load of furniture there, and almost a week later, we're still working on getting it all put together.

The car situation was difficult because we didn't have any established credit in the area. We had hoped to get a very cheap car somewhere and have a good percentage of the cost as a down payment, but the interest rates were still going to be just insane. We've gotten a rental car for an extra two weeks, and we've got plans to put the relocation bonus straight into the car instead of paying down the moving debt immediately. We'll see how that works out.

Thoughts
I had a few motivations for doing this kind of move. I've always thought it sounded like an interesting idea, and I wanted to finally try it firsthand. A lot of people I've talked to in the meantime have told me they wished they had sold everything instead of putting it on a moving truck. The smaller living space was also a factor. I was hoping to condense some stuff down, say replace two so-so couches with one good one, and get some more space-efficient stuff (our new couch and bed have storage built-in).

It certainly hasn't been a pain-free experience, but I keep reminding myself that moving is always painful, and I'm pretty sure we made the right choice in how we executed this move. Hopefully that won't change in a few months, when we have the car situation and the Indiana house rental situation sorted out better.

Sunday, June 19, 2011

Hunches

About thirty years ago there was much talk that geologists ought only to observe and not theorise; and I well remember some one saying that at this rate a man might as well go into a gravel-pit and count the pebbles and describe the colours. How odd it is that anyone should not see that all observation must be for or against some view if it is to be of any service! —Charles Darwin

Imagine you're contacted by the FBI and asked to help solve a difficult murder case. You have full access to the evidence they've collected so far. What approach would you take in trying to structure your investigation, locate a suspect, and build your case?

If you're anything like me, you'll begin by going over all the facts you have so far and freely imagining scenarios that would be consistent with all the available evidence. As your brain is busily generating scenarios, going through all the permutations of different possibilities, you'll begin ruling out all the scenarios that are patently ridiculous and prioritizing the rest by likelihood, maybe without even being consciously aware of it. Otherwise, you would be swamped in a heap of every possible scenario your mind could concoct.

Many people seem to believe that hunches are unscientific, and that science is hostile to or incompatible with hunches. Nothing could be further from the truth! A scientist's finished work, a published paper, should be as free as possible of hunches and speculation, but the scientific process would be starved and impotent without hunches to feed it.

Creativity plays a much bigger role than generating an array of hypotheses to test. It's imbued into every step of the process: it takes nothing short of genius to design a scientific study that properly controls for every possible way the evidence could be tainted. It takes an active imagination to visualize all the ways your swarm of preconceptions could sneak into the data and morph it into an unintentional deception (maybe even a profitable one). A scientist is like a werewolf waiting for the moon to transform it, trying to outsmart itself and keep the inner beast chained through the night. It takes cunning, not just a dry, emotionless commitment to scientific rigor, to be a good scientist. You might say science is an art, not a science.

But hunches alone will be just as worthless: pure emotion-laden preconceptions. The true value of hunches is when you give them enough slack to guide the scientific process, but not enough to compromise it. Intuitions are quick and powerful tricks the brain has developed to come to reasonably good answers. The scientific method is a system to check those reasonably good guesses and flesh them out in such a way that you (and others) can check your brain's work. I like how Robert Pirsig describes it:
When I think of formal scientific method, an image sometimes comes to mind of an enormous juggernaut, a huge bulldozer…slow, tedious, lumbering, laborious, but invincible.
Put hunches and scientific controls together, and you have a recipe for optimal problem solving, steadily ratcheting your way from existing knowledge to new knowledge.

Sunday, March 27, 2011

A God in the Shadows

"For rain that's falling halfway down the sky
I apologize"—"I apologize", Splender

I've never understood why, if God exists, he would leave so many people so much room for doubt about his mere existence. I've heard people say, "What do you mean? I see God working in my life every day!" and, "If you're not looking for miracles, you won't notice them." That may be true, but I don't understand why God would purposefully stay aloof, from everybody or just from me.

God supposedly healed plenty of lepers and cripples and blind people, but he seems to be shy about anything as dramatic as healing an amputee. I guarantee you that would get nonbelievers' attention, even if they're just predisposed to doubt.

People might say that God doesn't want to make it too easy because having faith is so important, and people wouldn't depend on faith if they had clear evidence. But that sounds a lot better when you're talking about a yes-or-no question, whether God exists, than about what sort of God exists and how to do what he wants. If you have blind faith, but it's faith in the wrong god, that's a double shame. And I just can't see how God would be doing us a service by giving us just enough evidence that we still have the "freedom" to reasonably conclude he doesn't exist.

And if it's a personal God, why would he pass up the chance to have a relationship with so many people? It's not just major miracles I'm thinking about. How is a relationship more meaningful if you talk in barely audible whispers?

For me, it's not really compelling anymore to go hunting for prophecies that might have been fulfilled, or otherwise chasing after God, since any sort of God I would be inclined to worship would have already contacted me directly, or at the very least would do so sometime in the near future. There is no other evidence or line of reasoning any person can show me that would lead me to reconsider. If you want me to believe in God, you'll have to take it up with him.

Sunday, January 30, 2011

The Lottery and Advertising

I'm totally outraged at the way state lotteries are managed, specifically the massive advertising campaigns they run. There's an excellent article from the Washington Monthly about it that basically explains what I'm so angry about. I'd really encourage you to read the whole article, but I'll summarize the main points I got from it:
  • lottery programs are hugely successful marketing machines that rake in billions of dollars nationwide, and it's illegal for free-market businesses to compete directly with them
  • the marketing campaigns are misleading, intentionally exploit vulnerable people in moments of weakness, and don't even comply with the FTC's truth-in-advertising standards
  • it's by-and-large the poor that end up pouring their money into the lottery machine
  • lottery campaigns claim that the money goes toward education, or some noble cause ("right back into your pocket", according to the Indiana lottery), but this is just an "accounting trick": According to David Gale,
    "What happens is, the legislature budgets this much for education. They see the lottery will contribute this much. So they take the money they would have spent on education and put it to other uses."
It might sound like I'm going back on some of my libertarian principles here, but it's a confluence of things that bother me: we're talking about a government business that outlaws competition, gets its money from the poor, and goads them on with beautiful fictions about all the good their wasted money is doing.

Let me clarify a few things I'm not claiming:
"The lottery is evil because it steals money from people."
People voluntarily participate in the lottery, albeit under false pretenses and coercive tactics.
"The lottery is a tax on the stupid. People who play it don't understand probabilities and don't realize that they're throwing their money away."
The big product people pay for when they gamble is not the money they hope to win, but the excitement that comes with a chance of winning big. If they have the money and desire to gamble responsibly, it's not something that they need to be "saved from".

But advocates of lottery programs claim that they are only providing a constructive outlet for people to do what they would be doing anyway. They claim that if our state doesn't provide a lottery, people will go across state borders and pay into other states what they should be paying into their own. That might justify the mere existence of the lottery, but it just sounds ridiculous in light of the oppressive radio, TV, and billboard advertising campaigns they launch. If the advertising isn't netting customers, stop doing it! If it is, stop doing it! You can't claim that gambling is an unfortunate vice that you're just making the best of while you're spending public money to promote it!

I've come to the conclusion that if I'm concerned about the gap between the rich and the poor, and want to support some government policy to do something about it, the most effective option would be to hamstring lottery advertising. If the lottery is a hidden tax, it's an obscenely regressive one. Furthermore, I will flatly ignore anyone's crusade for wealth redistribution or an even more progressive tax structure if it doesn't make a priority of hamstringing lottery advertising.

Sunday, January 2, 2011

A Guided Tour of Hacking

"Colonel," I said in a serious tone, "let me tell you something about these locks: When the door to the safe or the top drawer of the filing cabinet is left open, it's very easy for someone to get the combination."
...
The colonel had sent a note around to everyone in the plant which said, "During his last visit, was Mr. Feynman at any time in your office, near your office, or walking through your office?" ... The ones who said yes got another note: "Please change the combination of your safe."

That was his solution: I was the danger. So they all had to change their combinations on account of me. ... Of course, their filing cabinets were still left open while they were working! —Surely You're Joking, Mr. Feynman, Richard P. Feynman & Ralph Leighton

I've known since I was 5 that I wanted to be a software developer, but for most of my life I thought that hackers were a different breed that somehow was just born knowing how to break into computers. I've flipped through several books about hacking, and they all looked very dull, and none of them really seemed to answer my burning questions; I figured that there must be some "second tier" to it where it really got interesting.

As I've gotten older and nerdier, I've discovered that hackers draw on experience as much as raw skill, just like safe crackers who develop their skills and intuitions practicing on their own safes and door locks. I would have no idea where to start breaking into a system if I didn't have day-to-day experience using secure systems (like password-protected computers).

I should mention at this point that hackers are typically pretty nice people, that the term "hacking" was used for writing software before it was used for unauthorized cyber-activity, that the preferred term for what I'm discussing here is "cracking" instead of "hacking", and that most hackers are just trying to make the general public aware of security holes before malicious people figure out how to exploit them. People who write nasty viruses and distribute malicious software are usually a quite different type of person, and many of them don't even understand the intimate details of the art of hacking. They're often referred to as "script kiddies".

I will also mention that I think sections of the book Surely You're Joking, Mr. Feynman make an excellent companion to all this information, and it's one of my favorite books to boot.


There are a lot of misconceptions floating around about what hackers do and how, and I think a lot of people I know would be interested in some of the details if those details could be explained properly. I'm going to enumerate some of the different methods hackers use, grouped by my own cleverly-conceived system of categories. It's something of an epic, but feel free to skip around.

Stealing the Key
A fairly obvious method of breaking into a house is getting a hold of the key. Usually with computers, the key in question is a password. Sometimes hacking is as simple as trying every password until one works, which is known as a "brute-force attack". Almost always the hacker will write a simple program to automatically try one password after another.

People can protect against this attack by using a long password, but often there's some trick so a hacker doesn't have to try every password. I was surprised to learn how quick it is for a hacker to try every word in the dictionary (a "dictionary attack") if you happen to pick a real word as your password. (Another such trick is the Trucha Bug on the Wii). Many login systems will also prevent you from trying too many passwords or trying passwords too quickly one-after-the-other, which helps security a lot.

But even the best password in the world won't help you if you don't keep it a secret. Tricking someone into sharing their password with you is called "social engineering", and it's easier than you might think. If you have a favorite password you use when you register for a new account online, you're pretty vulnerable to being hacked (in comic form: "Password Reuse").

Back Doors
Sometimes a hacker doesn't even need the key itself to get in. For instance, they can trick you into "leaving the door unlocked" for them by distributing game software that surreptitiously opens up your computer for them to get in while you're playing it.

You have a similar problem any time you have software checking your password: How do you know that whoever wrote the software didn't put a secret "master key" in that would give them access to your computer? How do you know the password you set is the only one that will work? Ken Thompson created a mind-blowingly elegant example of this in 1984 that covered its tracks 3 layers deep, known as the Thompson trust hack.

One other security weakness happens when "randomness" isn't random. Magicians can do some amazing card tricks based on a gimmick called a "card force", where they fool someone into "randomly" choosing one particular card from a stack. Any place where supposed randomness enters into a security system is an opportunity for an exploit. Random password generators are vulnerable, and there was a bug in an early Netscape browser with the same problem.

Picking the Lock
With some exploits, the attacker doesn't need to know anything about the key. There are systems that send the password off to another computer to ask if it's valid. All you need to do to trick a system like that is figure out how to say, "yes, whatever key you sent was valid", and pose as the validating computer. I've seen that technique used to unlock full versions of games/software. (This is almost the same thing as a "Man-in-the-Middle" attack, except in that case the attacker normally fakes communication in both directions.)

A similar hack is to break open the code of an existing program and modify it in-place so that the part that's supposed to check your password never does its job. In both of those cases, you put in a dummy password to get the ball rolling.

Breaking Down the Door
Some attacks work by blasting a system with such strange data that it doesn't know up from down anymore, and gives up protecting itself. Even though the data is strange, it has to be carefully crafted, and it usually takes insider information about how the system works to create the data properly.

For instance, several web browsers and image viewer programs will get confused if an image file claims to be one size but has too many pixels of data. And if you're very clever about it, you can inject a program into an image, or similar data, so that the computer gets tricked into running that part of the data as a program. This is usually called "smashing the stack", and is unfortunately what it takes to run software on your own Wii (see the Twilight Hack) or iPhone (see iOS jailbreaking) that isn't approved by Nintendo or Apple, respectively.

For another neat example of the same type of exploit, check out the ACS:Law data leak.

These attacks only work if there is some flaw in the way a program is written, so the best way to protect against them is to use modern software written with modern tools.

Burning Down the House
Sometimes an attacker doesn't actually care about controlling a system, but just wants to make it unusable for everyone else. A denial-of-service attack does just that, by bombing a website, say, with hundreds of hits per second, so that it can't keep up and can't function normally for regular users. This works best if it's a distributed denial-of-service, or DDoS, where lots of computers are involved in flooding the system. For a notable example, check out the Low Orbit Ion Cannon, a system used to coordinate DDoS attacks.

Often a good firewall can prevent these attacks by quickly figuring out which hits are legitimate and blocking out all the malicious hits, but if it takes more work to determine which hits are malicious than just to serve them normally, the only solution is to buy more powerful servers.

A system can also be made unusable by destroying data in a database. Many websites are poorly written and essentially hand the keyboard over to users when they ask for data from a user. Like the techniques mentioned in the previous section, someone can cleverly craft the data sent to a website so it starts interpreting part of the data as commands. There's a great demonstration in comic form here (the details are technical, but I think you'll get the gist of it).

Squatting
One final class of exploit is less catastrophic and more of a nuisance. A hacker uses your computer to do work for it in the background without your knowledge, usually along with hundreds or thousands of other computers.

When you get those incomprehensible junk emails about Viagra, those are usually sent from unsuspecting Windows computers that are way behind on their Windows Updates. Malicious (usually Russian) hackers release worms that ruthlessly copy themselves from computer to computer, and create a massive "botnet" of infected computers. Then they direct the botnet to send out junk email to one randomly generated email address after another, and the computers work together to inflict their plague of spam on every conceivable email address.

Another possible exploit of this sort is something called "parasitic computing". Unlike worms and botnets, parasitic computing wouldn't involve installing anything on your computer. Instead it would hijack the normal proper functioning of your computer to help do calculations for another computer. The reason I say "possible exploit" is that nobody has devised any way to make productive use of parasitic computing. Every example devised so far would require more work to facilitate than it would take to just run the calculations.

Wednesday, November 3, 2010

The Ontological Argument in One Easy Step

"Oh dear," says God, "I hadn't thought of that," and promptly disappears in a puff of logic.The Hitchhiker's Guide to the Galaxy

I was watching an interview with Colin McGinn where he said that he thought the ontological argument is interesting because nobody's ever managed to pinpoint exactly what's wrong with it even though it's wholly unconvincing to everybody who hears it. There are lots of ways to show it's absurd (e.g. Guanilo's Island), but none are concise and direct enough to seem like the problem with it.

Well, a line of reasoning recently occurred to me that I'd like to put forth as the problem with the ontological argument. The normal version goes something like this:
  1. God is defined as the most perfect being conceivable.
  2. If he didn't exist, he would be less perfect than a being who did exist.
  3. Therefore, God exists.
I think there's a two-part gimmick in the argument, and that I can simplify it down without losing any of the meaning:
  1. God is defined as a being who exists.
  2. Therefore God exists.

The trick is in confusing the levels, and losing the difference between a definition and reality. If you dream that you woke up, it doesn't mean you're awake. By the same token, a being that's defined to exist doesn't necessarily exist (nor a being that's defined as "a being defined to exist"). The part about "what it means to be perfect" just acts as misdirection from the meat of the argument enough to block your common sense.

There's no contradiction whatsoever within the definition, nothing wrong with it even, but every definition is a hypothetical of sorts, just a label to tell me what you mean when you use the word.

I did happen to notice that Kant looks to have proposed almost the same counterargument, but his version seems wordier and was one of four bullet points in his argument. I wonder if Colin McGinn is familiar with Kant's refutation...