net.wars: May 2015 Archives


May 29, 2015

The weakest link

There's an interesting effort at a pair of Newcastle universities to design ways to get people to make better security choices. Some of this work is complex mathematical modeling, but some is psychology, inspired by the kind of thinking that has been popularized in the 2009 book Nudge, by Richard Thaler and Cass Sunstein. The Choice Architectures project is trying to create the evidence-based cybersecurity equivalent of making it easier to grab the vegetables than reach for the desserts in a school cafeteria.

There's a lot to like about this approach. It's only logical that people will make better decisions if the easiest choice is the secure choice. No one who doesn't have to encrypts email because it's a pain. At least partly for security reasons, my version of Firefox is loaded up with Adblock Plus, Ghostery, and NoScript, and the result is frequent reloads, and workarounds when some, even many, sites don't work without one or more features turned back on. No one normal chooses to live like this.

One of the techniques that interests project researcher Lynne Coventry is an approach familiar from health contexts to turn intentions into behavior: identify the behavior you want to change; identify the trigger situations; and figure out a consequence or substitute. Let's say the behaviour you want to change is choosing easily-cracked passwords. If you're asked for a password when you're in a hurry, you choose something familiar and quick just to get the task done. People don't experience enough personal damage to scare them off of this. But it's fixable: draw up a list of strong passwords in advance to choose from when you're pressed, or use a password generator.

At a workshop about a month ago, Coventry had a group think up security scenarios for such interventions. This is when it became clear to me that the real problem is not us, the users, the people who are constantly being told we are the weakest link. It's *them*, the people who design systems.

For example, one idea was how people take care of the keys to the most complex and expensive computer networks individuals own: that is, their cars. The latest thing in keyless entry systems involves avoiding the arduous labour of pushing a button on an electronic key; the mere presence of the key is sufficient to unlock the car. To be fair, the point of such systems is to eliminate many issues with keys: they get lost, stolen, copied, cloned, and forgotten. But, as so often, new technologies also introduce new risks. Your modern car thief brings a signal booster instead of a wire hanger. So we were mulling: is the solution to teach people to buy RFID wallets? If the desirable behavior is for people to change the administrative password for their wifi routers, do we scare them (evil hackers might pwn you) or get ISPs to reward them with extra bandwidth? Are we after consciousness-raising, carrots, sticks, or some combination of all three?

There are of course orthogonal solutions to these things, such as hard-wiring your machines or buying a bicycle. But the underlying common problem is that consumers often can't behave securely because of system design. When open wifi became a problem, manufacturers began supplying pre-configured boxes with complex passwords written on their sides. Nothing similar has yet (though it may) happened with the administrative passwords for those routers, which are still shipped with known default settings. These are just two examples among many of situations where we as consumers are being "educated" to pick up slack that more thoughtful design would have avoided entirely.

The broader question, of course, which other parts of the RISCS projects tackle, is what *are* the better decisions we should make? So much of modern security advice is folk knowledge, built up by long practice and habit but originally conceived for situations very different from the one we're in now. While looking up the wifi administrator router password issue, I yet again encountered the advice to change passwords every 30 days. Long-time Purdue security professor Gene Spafford noted in 2006 that this advice was conceived 30 years ago for mainframes based on a very specific threat model that had calculated how long it would take contemporary machines to crack them by brute force. What does this have to do with today's data breaches, rainbow tables, and phishing emails?

The appalling thing is that copyright is starting to surface as an impediment to some choices. You can work freely on a 50-year-old car, but not so much a modern one, as manufacturers use the Digital Millennium Copyright Act to block such activities - even farmers with large, expensive equipment. As a result, a number of states are considering Fair Repair laws - lest you think copyright is all about abstractions. On what Chris Preimesberger in eWeek dubs the Internet of Other People's Things, this is all going to be so, so much worse, in so many ways. At the moment, the smart decision is not to buy - or rent - "smart" things. In the near future, "smart" things with built-in flaws will be the path of least resistance. How do we make good decisions then?

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.


May 22, 2015

Home rule

I have always suspected that the main reason Britain didn't join the euro was the suggestion that the Queen's head might not be allowed on the banknotes. Obviously the situation is more complicated than that, but Britain's hold-out status seems to me emblematic of Britain's underlying uncertainty about being "European" - that is, foreign. Nonetheless, assuming reinstalled prime minister David Cameron now holds the expected 2017 referendum on Britain's EU membership, it's hard to see the country voting to leave or the Conservatives wanting it to: business would surely be wildly opposed.

In the two weeks since the election we've been hearing a lot about "British values" (which may not include remaining a member of the EU) and how they should be legally reinforced: by squelching extremism and bringing back the "snooper's charter" Communications Data Bill. The Guardian's sarcastic take and New Statesman's more somber discussion do a fine job of outlining the gap between what Cameron and May mean and what everyone else means.

On Monday, ORG's London meetup group featured Gregory Asmolov, an Israeli LSE PhD student researching ICT-enabled crowds in crisis situations. The question he sought to answer: how did Russia's democratic internet collapse? In 1994, when Runet was created, the early adopters were, as elsewhere, scientists, geeks, media, and creative people generally. Between 2000 and 2010, he said, LiveJournal became the "major public sphere online". In 2010, when the Berkman Center began surveying the Russian blogosphere, it looked very different from the traditional Russian media: it was a genuine alternative space for sharing ideas and was much more critical. It was also a space for public mobilization: when wildfires broke out around Moscow in 2010, tools and a crowdsourcing platform helped coordinate activities and compensated for the lack of response from traditional institutions. The government seemed friendly to these developments.

Change began in March 2012 with the election of Vladimir Putin, when the internet's bottom-up protests around that election were notably more successful than the top-down government attempts to mobilize crowd support for Putin. In the years since, a number of significant changes have occurred:

- The government has imposed control over large internet companies such as the Yandex search engine. Some company leaders had to leave: the head of VKontakte, Russia's equivalent of Facebook, was pressured to shut down opposition groups and rather than abandon his commitment to freedom of speech he sold his stake.

- The government began discussing implementing a "kill switch".

- State institutions built a greater presence online.

- A new legal regulatory environment began to take shape, with new proposals almost every day. Eighty-seven such initiatives were approved by the Russian parliament in 2014 alone.

- The Russian Association of Internet Users, set up in 2013, cites 2,591 cases of limitations of Internet freedoms.

These regulations focus on four areas, run by four different government departments: extremism or anything that challenges political stability; anything suicide-related; drugs and drug-related issues; child protection. The latter category enables censoring anything LGBT-related and promotes "family values". All four categories are flexible enough to encompass pretty much anything the government would like to close. On top of that, individual regions can introduce their own laws, and it is these that generate most of the "really ridiculous" stories about the way the law has been imposed.

Asmolov believes the key factor is general public support: "The majority of the population supports any type of internet regulation." A few weeks ago, when there was a new set of wildfires, "There was almost no mobilization. There is fear now."

Given the expectations surrounding next week's Queen's speech - a revival of the Communications Data Bill and new extremism legislation - in the discussion that followed, some wondered about the potential for the same kind of change to happen in the UK given today's widespread blocking. The general feeling was optimistic: there is still public debate, considerable support for freedom of speech, and the culture and traditions are quite different. Let's hope they stay that way.

No such issues were raised at yesterday's Internet Policy Forum, run by Britain's domain name registry, Nominet. At this event, you would never have guessed that big issues surrounding the internet in Britain include censorship and surveillance. The panel on privacy talked mainly about corporate use of personal data; the speakers on digital citizenship focused on the use of digital media in the recent election, the Government Digital Service's efforts to remake British government IT, and Speaker John Bercow's report on digital democracy.

The most interesting takeaway came from Andy Williamson, the 2011 founder of Democrati.se, who named the big winners and losers in the last election. Not the politics, the technology. On the social media so much followed by the mainstream media, as recent research has also shown, people were mostly talking to other people in their bubbles. The big winner for getting elected: traditional canvassing, doorstep meetings, and face-to-face interactions. The other big winner: gov.uk, which registered 450,000 people on the last day of eligibility, people who previously would have had to present themselves in person or be disenfranchised. There's a British value.


May 15, 2015

Theoretical maximum

Probably most of us have had a moment when the electronic device we're working on burps and says, Nope, full, can't eat another byte. This week, the Royal Society held a scientific meeting to debate whether this might happen to our communications networks.

Proceedings began with sunny optimism, when Andrew Lord, head of BT's optical core and access research, said he sees no problem. A few minutes later, Chih-Lin I, China Mobile's chief scientist of wireless technologies, begged to differ: with 800 million subscribers, China Mobile's costs keep rising while its revenues stay flat, a situation she called "unsustainable". Later, she specified: the "OTTs" (over-the-top "BAT" services - search engine Baidu, retailer Alibaba, and entertainment service Tencent). Tencent also has 800 million users, but nothing like the same costs. Echoing the complaints we hear from Verizon or AT&T, with some exasperation she asked how we allowed internet users to believe everything should be free. Well: like water, consumers flow to lowest-cost and payment is uphill.

Lord's optimism isn't encouraging. South Korea is already talking about 10Gbps internet service. According to Akamai's State of the Internet report, the UK averages 10.9Mbps, less than half South Korea's current average. Cue pictures of a country lane, which a couple of speakers duly posted.

Still, Lord asked a valid question: "How much is enough?" He divided the thinking into three groups. Moore's Law: traffic has grown like this for decades, so it always will. Conservatives: growth will have to end sometime, and video has long been known as the most bandwidth-hungry application; besides, the eye-to-brain data rate is fixed at 10Mbps. Provide and they will consume: we don't know what the next killer apps are, but we never have; keep providing bandwidth and allow innovation, because besides video there's gaming, cloud, machine-to-machine, smart cities, and virtual reality, all still developing.

I recall that somewhere around 1999 Peter Dawe, founder of the early UK ISP Pipex, told me video might kill the internet. Obviously, it hasn't - yet. But it's likely that video may become a small part of the problem: the amount a single individual can consume in a day is finite, even when you add in bandwidth-sapping moves to 4K and 8K. Video has established (efficient) alternatives, like broadcast. The joker in the pack is the largely hidden traffic none of the speakers mentioned: billions of authentication requests, the data shipped around by third-party trackers, and, as Jon Crowcroft pointed out, the 98% of email that's spam. It's another of those Yes, Minister irregular verbs: I say rip-off, you say waste, he says valuable economic activity. Throw in trillions of sensors communicating like mad to create a system whose complexity Crowcroft estimates will be 1,000 times that of today's internet, and while yes, each sensor's data is invisible noise in a minute of YouTube, machines don't sleep. What will the data loads be from projects like Ken Goldberg's cloud robotics and remote medical surgery? Let's call that video-plus because probably multiple streams where zero latency and constant connection is crucial (talk about your "killer apps"). "Provide it and they will consume" might be entirely wrong, we don't know. But we do know that if you *don't* provide it, they *can't* consume it.

And so: what emerged over two days was prospective trouble in all directions.

The basic problem is physics. Classic information theory, developed by Claude Shannon, holds that every channel has a maximum capacity above which error-free transmission is impossible. Once a channel is saturated, either you accept unpredictable errors, or you increase the channel capacity, or you spread the traffic across more channels. There's an array of ideas for increasing fiber capacity, which René-Jean Essiambre outlined: go parallel (like processors have), change design to multicore or hollow core, develop higher-capacity materials. Polina Bayvel noted, however, that it is not about individual links but about maximizing the capacity of the network overall. Jacob Aron, at New Scientist, has a nice write-up of the research presented. Engineers, meanwhile, are looking for things they can build, such as more efficient caching, so data is closer to where it's being consumed.

"What is the rare element in this?" someone asked midway. "As far as I can see no resource is rare." He tallied it up: labor, silicon, capital... Well, OK, the world does have lots of sand. Ditto labor. But capital? China Mobile's graph comparing flat revenues to escalating costs and dubious payback seemed to make the case pretty clearly. What's expensive is not fiber, but digging up the road and pulling it: a business model crunch.

The scariest prospective crunches came from Crowcroft, who noted that the internet was designed as an experimental platform. "Unfortunately, it got successful." Among the pieces he singled out: TCP ("not really fit for purpose"), the routing system (BGP "doesn't scale or converge" and "no one's working on a replacement"), poor safety and security models, few considerations of the consequences of failures... He suggested that engineers should be thinking of unreliability as a goal at every layer, allowing multiple opportunities to correct faults. "Engineer for an unreliable world" sounds like a sensible motto to me.

Ah, yes: sense. There's another crunch. It already has a T-shirt.


May 9, 2015

Mad technology

SPOILER WARNING: Here be dragons for anyone who has not watched Mad Men through Season 7, episode 12.

This is the last year I can drift into obsession with the latest episodes of the TV series Mad Men that has given me so many new perspectives on my own childhood: two more episodes will close out its eight-year run. Myriad blogs cover the show, its costume design, and its decor. The show repays close study: in these last few episodes series creator Matthew Weiner is paying off meticulously set-up details from years past. Technology is the one area where Weiner has taken some temporal license: the IBM Selectrics on the February 1960 secretarial desks in the pilot (Season 1, episode 1, "Smoke Gets in Your Eyes") weren't introduced until 1961. The office manager, Joan Holloway, later Harris (Christina Hendricks), tells first-day-on-the-job Peggy Olson (Elisabeth Moss) not to be scared of "all this technology". Joan also introduces Peggy to a new technology of greater personal and social significance: the birth control pill, which in real life arrived a couple of months later. The typewriter never gives her any trouble, but the pill...was inadequately documented (S1e13, "The Wheel").

The technology Weiner foregrounds is aviation. Personally, it offers both dreams (S1e08, "The Hobo Code"), and disaster (S2e02, "Flight 1"). In business, the show's ad men measure achievement by signing an airline and a car. They fight for Honda (S4e05, "The Chrysanthemum and the Sword"), Jaguar (S5e11, "The Other Woman"), and Chevy (S6e06, "For Immediate Release"). They are forced to resign the small, regional carrier Mohawk (bought by Allegheny in 1972, swallowed by US Airways in 1979) to try for American (a rare survivor). One of the show's most memorable fictional-real moments is, of course, the moon landing (S7e07, "Waterloo"). If they only knew.

Because: as it has turned out, the 1960s were the last decade in which people still measured progress in terms of transport. We landed on the moon, and stalled.

A second strand of technological development changes the tools advertisers have available. The art department moves from illustrations to photography, as Sal (Bryan Batt) laments (S3e04, "The Arrangements"). Cameras evolve: the Polaroid arrives to show Don an unwelcome instant truth (S1e04, "The Hobo Code"), and super-slow motion lets Peggy offer a bean ballet (S5e01, "A Little Kiss"), an ad I personally would have loved to see but that Heinz resisted. Black and white television and radio give way to color - a simple win for a Sunkist orange (S6e11, "Favors").

In her 2008 book The Age of Unreason, Susan Jacoby argues that the highly visible 1960s counter-culture overshadowed the forming Christian right. Similarly, here aviation and media overshadow the technology that has meant progress ever since: computers. The characters notice more than we do.

At the show's 1960 opening, the Sterling Cooper agency has a secretary per executive, a huge, central pool of typists, and a small room for three switchboard operators who patch through phone calls with cables and plugs and, one says, "ice our wrists". Male lead Don Draper (Jon Hamm) is king: he can disappear without notice or explanation, insult and fire clients, and break every rule of reasonable behavior because his rare creative imagination enables everything else.

New phone systems and intercoms soon see off the switchboard operators. The Xerox 914 copier arrives (S2e01, "For Those Who Think Young") to disperse the typing pool. Teleconferencing links the New York and California offices. By 1970, an IBM 360 displaces the creatives from their lounge (S7e04, "The Monolith").

The arc of today's world begins to clarify when the principals arrive at McCann-Erickson, the show's Hell. "McCann is mission control," the weaselly, data-loving Harry Crane (Rich Sommer) gloats to Roger Sterling (John Slattery). "Statisticians, programmers...ten men and five women just handling data!" These include Bill Phillips (Eric Ninnenger), whose research approach commentators Tom and Lorenzo sum up:

Don's very best pitches were about finding universal experiences in products; about appealing to people's broader emotions and desires - for love, acceptance, family, romance. Bill Phillips' approach was to describe a very specific customer and claim that this was the exact person they should be targeting in their approach. It's micro-marketing, not advertising. It limits people to a series of tics and behaviors rather than appealing to their better natures.

This is, as noted here two weeks ago, a recurring theme. You could say it as Apple versus Google: Apple hires great, intuitive designers and lets them work; Google tests 43 shades of blue - perhaps no coincidence that the Mad Men episode pondering the different ways individuals see the world is titled "The Color Blue" (S3e10). The consequences for the quants winning are profound: Don Draper needed no one else's inner thoughts; the data-ravenous Harrys of this world are increasingly privacy-invasive.

In the show's 1970, the characters are settling back into new stability. Pete Campbell (Vincent Kartheiser) sums it up while meditating on his brief, giddy flirtation with changing his life in California: "Now it sort of feels like a dream. But at the time it felt so real" (S7e08, "Severance"). Corporate America is swallowing the counter-culture and spitting out anyone who can't assimilate. As they do not know, twenty years in their future the internet will revive these same battles.


May 1, 2015

Hung voters

Contrary to popular belief, the imminent election is not the US Presidential one but the UK's general exercise on May 7 - next Thursday as I write this. A week hence, the United Kingdom of Great Britain and Northern Ireland could be watching a government in formation by a coalition of Labour and the Scottish National Party. Or the Conservatives and everyone else (so much messier). The first of those intrigues. What if, instead of voting for independence, the Scots were simply to slowly take over in Westminster? The SNP leader, Nicola Sturgeon, seems to have the highest approval rating of any party leader ("she was like a breath of fresh air," a friend said this week, referring to the April 16 BBC debate), and why shouldn't SNP start fielding candidates south of the border? They'll need a different platform, of course: less Scottish independence, more..."these people in Westminster have done to you what they did to us; fight with us against a common enemy".

Around my area, things haven't changed much since the 2010 polls. Five parties have fielded MP candidates: Conservative (incumbent, with polls predicting a much bigger majority this time); LibDem (the previous incumbents, back to the constituency's creation in 1997, and the only opponent with any chance); Labour; Green; UKIP. Nationwide, the LibDems have cratered since 2010 (the latest Guardian poll projects 27 seats, down from 57). So my choice is between someone whose party's policies I despise and someone who will have no influence whatsoever in Westminster. This is not satisfying, somehow. And it is a common conundrum.

Through the efforts of Democracy Club (which I recounted recently at TechPresident), I found a hustings this week where all five candidates appeared for questioning. The place was packed; this constituency's turnout in 2010 was 76.9%.

Notably, the questions asked largely covered topics that feature frequently in media coverage: Heathrow expansion (a huge local issue); whether to cancel HST2; balancing the budget; welfare cuts; Britain's EU membership; lots of tax issues - "non-domiciles", mansions, assets. Questions usually have to be pre-approved by the organizers; at an earlier such event, a friend had no luck getting intellectual property questions onto the list.

There was a fair amount of entertainment value, much of it supplied by the - it has to be said, lame - UKIP candidate, who frequently found herself saying, "You may not agree with me..." Among the things we might not agree with her about: that staying in the EU means the young can't find affordable homes, and risks damaging the NHS. Her addendum to the (perfectly sensible) policy of saving £4 billion by scrapping HST2 was classic: "We have a pretty good Underground at the moment". A near-universal gasp at that: HST2 heads north from London to Birmingham, later beyond. Does she think it's on the Northern line? (Later, I realized she probably had HST2 confused with the in-progress east-west London link, Crossrail, but that doesn't make her look any more competent.)

It's all good fun, but in a couple of weeks real people are going to be grappling with the effects of real policies. The Open Rights Group, pointing out that this is the first general election since the Snowden revelations began, has a page suggesting ways to provoke candidates into discussing government surveillance, and find out both what they've said themselves and what their parties' policies are. ORG also has a page summarizing the party manifestos. Traditionally, the LibDems have been the most sensible of the parties on digital issues; now they compete with the Greens. The big Green advantage: they oppose TTIP, the little treaty that could bring down democracy.

Other manifesto summary pages to consult: the Drum analyzes press freedom; the Guardian considers technology; the Huffington Post also looks at digital rights.

Looking over my wish list from the 2010 election, I see that we did get a number of the items listed: the ID card was scrapped, along with the national database and ContactPoint; libel got reformed (except, as this week's Private Eye points out, in Northern Ireland); we moved from large IT projects to small ones, and the Government Digital Service continues to push IT across government in that direction (so if they're going to fail, they fail quickly and cheaply instead of slowly and expensively). On the other hand, the battle to keep medical data confidential continues; Snowden's revelations still have not led to any serious public debate about government surveillance; the 2010-2015 government complained repeatedly about EU court judgments that defended our human rights against it; and much economic pain has been dumped on the already vulnerable. Many of the worst spy-on-us policies originated under Labour; the LibDems that we hoped would offer some protection against the worst Conservative policies will be castrated; and there's not actually a lot of hope from SNP, since their policies in Scotland have included privacy-invasive plans for an identity database and benefits cards.

It feels to me like everyone wants a change as much as the US did in 2008, but none is available, or at least none that will be on the ballot paper. What is a voter to do?
