" /> net.wars: June 2008 Archives

« May 2008 | Main | July 2008 »

June 27, 2008

Mistakes were made

This week we got the detail on what went wrong at Her Majesty's Revenue and Customs that led to the loss of those two CDs full of the personal details of 25 million British households last year with the release of the Poynter Review (PDF). We also got a hint of how and whether the future might be different with the publication yesterday of Data Handling: Proecures in Government (PDF), written by Sir Gus O'Donnell and commissioned by the Prime Minister after the HMRC loss. The most obvious message of both reports: government needs to secure data better.

The nicest thing the Poynter review said was that HMRC has already made changes in response to its criticisms. Otherwise, it was pretty much a surgical demonstration of "institutional deficiencies".

The chief points:

- Security was not HMRC's top priority.

- HMRC in fact had the technical ability to send only the selection of data that NAO actually needed, but the staff involved didn't know it.

- There was no designated single point of contact between HMRC and NAO.

- HMRC used insecure methods for data storage and transfer.

- The decision to send the CDs to the NAO was taken by junior staff without consulting senior managers - which under HMRC's own rules they should have done.

- The reason HMRC's junior staff did not consult managers was that they believed (wrongly) that NAO had absolute authority to access any and all information HMRC had.

- The HMRC staffer who dispatched the discs incorrectly believed the TNT Post service was secure and traceable, as required by HMRC policy. A different TNT service that met those requirements was in fact available.

- HMRC policies regarding information security and the release of data were not communicated sufficiently through the organization and were not sufficiently detailed.

- HMRC failed on accountability, governance, information security...you name it.

The real problem, though, isn't any single one of these things. If junior staff had consulted senior staff, it might not have mattered that they didn't know what the policies were. If HMRC used proper information security and secure methods for data storage (that is, encryption rather than simple password protection), they wouldn't have had access to send the discs. If they'd understood TNT's services correctly, the discs wouldn't have gotten lost - or at least been traceable if they had.

The real problem was the interlocking effect of all these factors. That, as Nassim Nicholas Taleb might say, was the black swan.

For those who haven't read Taleb's The Black Swan: The Impact of the Highly Improbable, the black swan stands for the event that is completely unpredictable - because, like black swans until one was spotted in Australia, no such thing has ever been seen - until it happens. Of course, data loss is pretty much a white swan; we've seen lots of data breaches. The black swan, really, is the perfectly secure system that is still sufficiently open for the people who need to use it.

That challenge is what O'Donnell's report on data handling is about and, as he notes, it's going to get harder rather than easier. He recommends a complete rearrangement of how departments manage information as well as improving the systems within individual departments. He also recommends greater openness about how the government secures data.

"No organisation can guarantee it will never lose data," he writes, "and the Government is no exception." O'Donnell goes on to consider how data should be protected and managed, not whether it should be collected or shared in the first place. That job is being left for yet another report in progress, due soon.

It's good to read that some good is coming out of the HMRC data loss: all departments are, according to the O'Donnell report, reviewing their data practices and beginning the process of cultural change. That can only be a good thing.

But the underlying problem is outside the scope of these reports, and it's this government's fondness for creating giant databases: the National Identity Register, ContactPoint, the DNA database, and so on. If the government really accepted the principle that it is impossible to guarantee complete data security, what would they do? Logically, they ought to start by cancelling the data behemoths on the understanding that it's a bad idea to base public policy on the idea that you can will a black swan into existence.

It would make more sense to create a design for government use of data that assumes there will be data breaches and attempts to limit the adverse consequences for the individuals whose data is lost. If my privacy is compromised alongside 50 million other people's and I am the victim of identity theft does it help me that the government department that lost the data knows which staff member to blame?

As Agatha Christie said long ago in one of her 80-plus books, "I know to err is human, but human error is nothing compared to what a computer can do if it tries." The man-machine combination is even worse. We should stop trying to breed black swans and instead devise systems that don't create so many white ones.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

June 20, 2008

Print rules

Here's the modern, efficient way to kill a club: dump the printed newsletter in favour of an electronic one.

Probably ten years ago I suggested easing the ecnomics of producing the Skeptic by turning it into an electronic magazine. Several people disagreed with this idea. How right they were.

The theory is pretty obvious. Club saves money on paper, printing, and postage. Club member gets informed just the same.

The practice is less obvious. First of all, not everybody has email, and the ones who don't aren't going to buy computers and spend hours figuring out how to set up a Gmail account just to get the club newsletter. They will be effectively disenfranchised and will rely on friends among the membership to phone them if anything they should know about is going on.

Second of all, people use email in different ways. Some only read it at work. Now the club newsletter is on their work computer, but isn't available at home, where it might actually inspire the club member to join some activity or other. Some don't check it more than once every few days and don't respond when they do.

But third of all - and this can't be news to anyone - the whole point of email is that it's easily ignored. People join clubs because there's an activity they're interested in, but like everything else there's a core of obsessive active members and then a much, much larger group of discretionary members who need to be coaxed along to things. In theory the immediacy of email ought to galvanize those people into action, but the effect seems to be the reverse: they set the email newsletter aside "to read later" and forget all about it.

Though the club does save money - that part works. At least, until it starts losing members.

I'm not suggesting that clubs shouldn't use email. They should - for late-stage reminders, for last-minute changes, for calls for volunteers to help with a specific activity.

Before they do that, though, they should - as many seem not to - think through a standard format for those emails that make them quick and easy for recipients to parse. One of my clubs sends out a steady stream. None of them have meaningful subjects, and since they all come from the same person I can't easily search back later and find the one with the details I need. The messages are all formatted by different people (who send them on to the distribution point), and some think that GIANT FONTS filling the entire first screen with one word makes them look interesting. Others fill the first screen with words exhorting me to be inspired before getting around to tell me what the event is and when. This is a serious user interface error: if you are trying to get people to do something you need to make it as easy as possible for them to understand your request.

Scheduled distribution dates also seem to evaporate when the newsletter goes electronic. I don't quite understand why, although I suspect that outside pressures of printer deadlines, planned dates to go to the post office, and copy deadlines that gave time for layout are probably a lot of it. Printed newsletters provide regular confirmation that the club still exists as an entity; they provide, if you like, evidence that you still belong to it. I'm sure a steady stream of emails ought to do the same thing, but I'm not sure they carry the same weight as the newsletter magneted to the refrigerator.

I'm entirely prepared to be told that this is a generational thing, or maybe even a cultural thing (are things the same in the US? I can't tell). I'm sure today's kids, who are unaware that there ever was a time when there was no email, IM, or social networks, don't see the point of a printed newsletter they can't carry on their mobile phones. But even if that's true, most of today's clubs have a large phalanx of - let's say politely - "legacy" members who simply do not function that way. And I'm not convinced that it is true.

Some organizations do know this, most notably the Association for Computing Machinery, the leading membership organization for computer industry professionals. If any organization were most likely to adopt electronic publication you'd think it would be this group: they all had email in the 1980s. Instead, although the ACM has indeed begun issuing a digital edidtion of its highly respected and valuable Communications of the ACM, it has no plans to eliminate the print edition.

Why? Said ACM in an email announcing the digital edition, "Print continues to be a vital way for the ACM to reach its members and the computing industry at large." That ought to tell people something: when computer people themselves don't want to use computers in a particular way there's usually a good reason. (Note that the ACM also opposes electronic voting because they do not believe it can be made sufficiently secure.)

So: trust your local, native guides. Print is a proven technology. Abandoning it is false economy.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

June 13, 2008

Naked in plain sight

I couldn't have been more embarrassed than if the tall guy carrying a laptop had just told me I was wearing a wet T-shirt.

There I was, sitting in the Queen's club international press room. And there was he, the only other possessor of a red laptop in the entire building, showing me a screen full of a hotel reservation from a couple of months back, in full detail. With my name and address on it.

"If I can see it," he said in that maddening you-must-be-an-idiot IT security guy way, "so can everyone else."


I took that laptop to Defcon!

(And nothing bad happened. That I know of. Yet.)

Despite the many Guardian readers who are convinced that I am technically incompetent because I've written pieces in which it seemed more entertaining to pretend to be so for dramatic effect, I am not an idiot. I'm not even technically incompetent, or not completely so. I am just, like most people, busy, and, like most people, the problem most of the time is to get my computers to work, not to stop them from working. And I fall into that shadowland of people who know just enough to want to run their computers their way but not enough to understand all the ramifications of what they're doing.

So, for example: file shares (not file-sharing, a different kettle of worms entirely). What you are meant to do, because you are an ignorant and brain-challenged consumer, is drop any files you need to share on the network into the Shared Documents folder. While it's no more secure than any other folder (and its name is eminently guessable by outside experts), the fact that you have to knowingly put files in it means that very little of your system is exposed.

I, of course, am far too grand (and perverse) to put up with Microsoft telling me how to organize my system, so of course I don't do things that way. Instead, I share specific directories using a structure I devised myself that is the same on all my machines. That's where I fouled up, of course. That laptop runs XP, and in XP, as I suppose I am the last to notice, the default settings have what's known as "simple file-sharing" turned on, so that if you share a directory it's basically open to all comers. XP warns you you're doing something risky; what it doesn't do is tell you in a simple way how to reduce the risk.

Yes, I tried to read the help files. They're impenetrable. Help files, like most of the rest of computing, separate into two types: either they're written for the completely naïve user, or they're written for the professional system administrator. Despite the fact that people like me are a growing class of users, we have to learn this stuff behind the bicycle shed from people randomly selected via Google.

This is what it should have said. Do one of the following two things: either set permissions so that only those users who have passwords on your system can access this directory or stick a $ sign at the end of the directory name to make it hidden. If you do the latter, you will have to map the directory as a network drive on all the machines that want to use it. I note that they seem to have improved things in Vista, which I will no doubt start using sometime around 21012). I know Apple probably does this better and Linux is secured out the wazoo, but that's not the point: the point is that it's incredibly easy for moderately knowledgeable users to leave their systems with gaping wide open holes. What I would have liked them to do is offer me the option to view how my system looks to someone connecting from outside with no authentication. I feel sure this could be done.

The problem for Microsoft on this kind of thing is the same problem that afflicts everyone trying to do IT security: everything you do to make the system more secure makes it harder for users to make things work. In the case of the file shares, as long as your computer is at home sitting behind the kind of firewalled router the big ISPs supply, it's more important to grant access to other household members than it is to worry about outsiders. It's when you take that laptop out of the house...and the really awkward thing is that there isn't any really easy way to test for open shares within your own network if, like many people, you tend to use the same login ID and password on all your machines for simplicity's sake. Do friends let friends drive open shares?

The security guys (really, the wi-fi suppliers and tech support), who were only looking around the network for open shares because they were bored, had a good laugh, especially when I told them who I write for (latest addition to the list: Infosecurity magazine!). And they obligingly produced some statistics. Out of the 60 to 100 journalists in the building using the wireless, three had open shares. One, they said, was way more embarrassing than mine, though they declined to elaborate. I think they were just being nice.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).

June 6, 2008

The Digital Revolution turns 15

"CIX will change your life," someone said to me in 1991 when I got a commission to review a bunch of online systems and got my first modem. At the time, I was spending most or all of every day sitting alone in my house putting words in a row for money.

The Net, Louis Rossetto predicted in 1993, when he founded Wired, would change everybody's lives. He compared it to a Bengali typhoon. And that was modest compared to others of the day, who compared it favorably to the discovery of fire.

Today, I spend most or all of every day sitting alone in my house putting words in a row for money.

But yes: my profession is under threat, on the one hand from shrinkage of the revenues necessary to support newspapers and magazines - which is indeed partly fuelled by competition from the Internet - and on the other hand from megacorporate publishers who routinely demand ownership of the copyrights freelances used to resell for additional income - a practice that the Internet was likely to largely kill off anyway. Few have ever gotten rich from journalism, but freelance rates haven't budged in years; staff journalists get very modest raises and for those they are required to work more hours a week and produce more words.

That embarrassingly solipsistic view aside, more broadly, we're seeing the Internet begin to reshape the entertainment, telecommunications, retail, and software industries. We're seeing it provide new ways for people to organize politically and challenge the control of information. And we're seeing it and natural laziness kill off our history: writers and students alike rely on online resources at the expense of offline archives.

Wired was, of course, founded to chronicle the grandly capitalized Digital Revolution, and this month, 15 years on, Rossetto looked back to assess the magazine's successes and failures.

Rossetto listed three failures and three successes. The three failures: history has not ended; Old Media are not dead (yet); and governments and politics still thrive. The three successful predictions: the long boom; the One Machine, a man/machine planetary consciousness; that technology would change the way we relate to each other and cause us to reinvent social institutions.

I had expected to see the long boom in the list of failures, and not just because it was so widely laughed at when it was published. Rossetto is fair to say that the original 1997 feature was not invalidated by the 2000 stock market bust. It wasn't about that (although one couldn't resist snickering about it as the NASDAQ tanked). Instead, what the piece predicted was a global economic boom covering the period 1980 to 2020.

Wrote Peter Schwartz and Peter Leyden, "We are riding the early waves of a 25-year run of a greatly expanding economy that will do much to solve seemingly intractable problems like poverty and to ease tensions throughout the world. And we'll do it without blowing the lid off the environment."

Rossetto, assessing it now, says, " There's a lot of noise in the media about how the world is going to hell. Remember, the truth is out there, and it's not necessarily what the politicians, priests, or pundits are telling you."

I think: 1) the time to assess the accuracy of an article outlining the future to 2020 is probably around 2050; 2) the writers themselves called it a scenario that might guide people through traumatic upheavals to a genuinely better world rather than a prediction; 3) that nonetheless, it's clear that the US economy, which they saw as leading the way has suffered badly in the 2000s with the spiralling deficit and rising consumer debt; 4) that media alarm about the environment, consumer debt, government deficits, and poverty is hardly a conspiracy to tell us lies; and 5) that they signally underestimated the extent to which existing institutions would adapt to cyberspace (the underlying flaw in Rossetto's assumption that governments would be disbanding by now).

For example, while timing technologies is about as futile as timing the stock market, it's worth noting that they expected electronic cash to gain acceptance in 1998 and to be the key technology to enable electronic commerce, which they guessed would hit $10 billion by 2000. Last year it was close to $200 billion. Writing around the same time, I predicted (here) that ecommerce would plateau at about 10 percent of retail; I assumed this was wrong, but it seems that it hasn't even reached 4 perecent yet, though it's obvious that, particularly in the copyright industries, the influence of online commerce is punching well above its statistical weight.

No one ever writes modestly about the future. What sells - and gets people talking - are extravagant predictions, whether optimistic or pessimistic. Fifteen years is a tiny portion even of human history, itself a blip on the planet. Tom Standage, writing in his 1998 book The Victorian Internet, noted that the telegraph was a far more radically profound change for the society of its day than the Internet is for ours. A century from now, the Internet may be just as obsolete. Rossetto, like the rest of us, will have to wait until he's dead to find out if his ideas have lasting value.

Wendy M. Grossman's Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, at her personal blog, or by email to netwars@skeptic.demon.co.uk (but please turn off HTML).