May 15, 2008

Uncle Harold and Open Source

(Posted by mordaxus)

Uncle Harold (not his real name, not our real relationship, and I never even called him "Uncle") was a cool guy who always fixed his own cars. Most of my life, Uncle Harold has been complaining. It used to be you could actually fix a car. You could put things in, take them out, adjust them, tune them, and so on. As time has gone on, cars got electronics in them, then computers, and nowadays an auto mechanic is as much a computer tech with grease under his nails as a mechanic.

I never was much into mechanics as a kid. My father wasn't, either, and discouraged me from ever being a mechanic. If he were to read this, he'd deny discouraging me, but he did. All he did was point out that some bit of automotive fluff that caught my eye would literally be high-maintenance, and either you do that yourself or you pay someone else.

I eventually did buy a pre-1968 bit of automotive loveliness as part of a quarter-life (okay, third-life) adjustment. The 1968 date is important because that's when the US started requiring pollution controls, safety equipment, and so on that caused the transit of the gloria of Uncle Harold's mundi.

For a technologist, a pre-'68 car is utterly amazing because of the sublime lack of technology in it. It needs petrol to burn, water to cool, oil to lubricate, and enough electricity to drive the spark plugs. That's it.

The first time I tuned a pair of SU carbs, it was amazing fun. I could really understand Uncle Harold's irritation. The tenth time it was far less fun, partially because I'd gotten good at it. It was just a chore. I could really understand my father's point of view even better. Eventually, the antique bit of fluff got sold and I got a modern fun car that has computers that run everything from engine to brakes.

It's really sort of sad that I can't tune the carbs (which of course I don't have; it's all fuel-injected). It's even amusing, in a wtf sort of way, that if you pull the power from the car, the computers lose their state and have to re-tune the ignition system over the next few miles you drive. I mean, haven't these people heard of flash? How much space does it take to store ignition settings and radio presets? (Yes, Uncle Harold, a real radio stores its presets mechanically. Thanks.)

But it's really wonderful that I don't have to tune the carbs. There are reasons why those wonderful old systems were replaced. The new ones really are better. Uncle Harold thinks the world has gone to hell in a hand basket. I see the merit in what he says, but when it comes right down to it, I prefer my present hell to Uncle Harold's heaven.

The brilliant Ivan Krstić has recently written about the transit of his own personal gloria, the OLPC project. In part of his essay, he shows clearly how some open source people, in particular RMS, have become Uncle Harold, insisting that if you can't tune those metaphorical carbs, it's like forcing people to be crack addicts. (And this is paraphrasing, not misquoting RMS.)

Krstić also talks about the same Haroldisms. He says:

About eight months ago, when I caught myself fighting yet another battle with suspend/resume on my Linux-running laptop, I got so furious that I went to the nearest Apple store and bought a MacBook. After 12 years of almost exclusive use of free software, I switched to Mac OS X. And you know, shitty power management and many other hassles aren't Linux's fault. The fault lies with needlessly secretive vendors not releasing documentation that would make it possible for Linux to play well with their hardware. But until the day comes when hardware vendors and free software developers find themselves holding hands and spontaneously bursting into one giant orgiastic Kumbaya, that's the world we live in. So in the meantime, I switched to OS X and find it to be an overwhelmingly more enjoyable computing experience. I still have my free software UNIX shell, my free software programming language, my free software ports system, my free software editor, and I run a bunch of free software Linux virtual machines. The vast, near-total majority of computer users aren't programmers. Of the programmers, a vast, near-total majority don't dare in the Land o' Kernel tread. As one of the people who actually can hack my kernel to suit, I find that I don't miss the ability in the least. There, I said it. Hang me for treason.

My theory is that technical people, especially when younger, get a particular thrill out of dicking around with their software. Much like case modders, these folks see it as a badge of honor that they spent countless hours compiling and configuring their software to oblivion. Hey, I was there too. And the older I get, the more I want things to work out of the box. Ubuntu is getting better at delivering that experience for novice users. Serious power users seem to find that OS X is unrivaled at it.

I used to think that there was something wrong with me for thinking this. Then I started looking at the mail headers on mailing lists where I hang out, curious about what other folks I respect were using. It looks like most of the luminaries in the security community, one of the most hardcore technical communities on the planet, use OS X.

And lest you think this is some kind of Apple-paid rant, I'll mention Mitch Bradley. Have you read the story of Mel, the "real" programmer? Mitch is that guy, in 2008. Firmware superhacker, author of the IEEE Open Firmware standard, wrote the firmware that Sun shipped on its machines for a good couple of decades, and in general one of the few people I've ever had the pleasure of working with whose technical competence so inordinately exceeds mine that I feel I wouldn't even know how to start catching up. Mitch's primary laptop runs Windows.

I know exactly what he means. Once, long ago, I'd fire up my GosMacs session in the morning and close it down when I'd go home. I and my colleagues had so customized our editors (which we lived in) that we said that using someone else's emacs was like using someone else's toothbrush. It's just not done.

When the Story of Mel came out, one of my coding buddies read it and it really creeped her out. She sent out an email to all of us that said, "Oh, my God, that's my *DAD*!"

I once patched a running CVAX just to watch it fly. I admit that I did it because of the smart remark in Dungeon. And I've changed my unices so many times I don't know what I look like.

Like me, Ivan's stopped being Uncle Harold with computers. I like being able to get grungy, but I also hate having to. The last remnant of my Uncle Haroldism is my main server that's running FreeBSD. I am especially glad this week that I listened to Ben and didn't put Ubuntu on it. I'm even chafing at that system and asking myself why I don't just outsource the whole damned thing. I'd tell you, but then you'd see my tinfoil hat. (Oh, all right. If you run your own mail server, they can't NSL your sysadmin. I know what you're going to say. I've said it myself. Hush.)

Nonetheless, the Uncle Harolds of the world have a point. It's nice to be able to change your kernel. It's nice to be able to recompile everything. It's just a drag to have to. When Open Source realizes that, it will make great strides toward getting back people as non-technical as Ivan. And yeah, Ubuntu's getting close, I know that. I actually do love puttering around, but another prop has occupied my time.

Photo courtesy of Light Collector.

Posted by mordaxus on May 15, 2008 at 8:46 PM in Software, Usability.

March 18, 2008

Context, please!

(Posted by adam)
Chess masters will sometimes play chess against a dozen or more competitors at once, walking from board to board and making a move. The way they do this isn't to remember the games, but to look at the board, and make a decent (to a master) move each time. They look at the board, get all the information they need, and act. Remember that as context as you read the rest of this post.

So over the past few months, I've been noticing more and more people cutting the context out of their email, and replying in a way which can be read on a single screen. This is nice. Concise replies are often good. But where's the context? Why are you removing all the conversation which happened before? I get and send a lot of email. I send roughly 15-20 messages a day from my personal account, and probably 30-50 a day at work. How many I get is a little hard to count because of all the spam, but it's probably around the same into my inboxes.

The context of a conversation helps me remember what's being said, and why. (This, incidentally, is why top-posting is good for short conversations that stay short, and bad for long ones.)

For example, I'm trying to set up an appointment to talk to a former co-worker about some stuff. I haven't added him to my IM address book, and in his response agreeing on a time, he cut that information. Not only that, there was effort involved in cutting it. Maybe it's only 1 or 2 clicks, or 10-15 characters of typing to find the rest of the conversation, but that's still more work than having it all right there.

So please, think about context when you send email. Just like chess masters can see the board, let your co-respondent see what you're responding to.

If you do, you'll get more complete and useful responses faster. It's in your best interest. That's not just with me. Think about the usability of what you send to people--it pays off.

Posted by adam on March 18, 2008 at 11:40 AM in Usability.

December 6, 2007

Working on the Traveling Band

(Posted by mordaxus)

If you travel a lot, you're used to dealing with many network difficulties. For a while now, I've been traveling with an Airport Express, which has made life a lot easier. I set it up to use DHCP, plug it into the hotel Ethernet, and go. At the very least, it means I can work from the bed, rather than from a desk that is inevitably at the wrong height.

Even more so, I now travel with at least three devices that have WiFi -- my laptop, my phone, and my iPod. I travel about half the time with my SO, who also has a laptop and an iPod with a network. I said "at least" because I also have a Nokia slate, which is a specialized device (I lug it along when I don't want to lug a laptop, for example).

Also, for some reason the better the hotel you stay in, the more they charge you for Internet access. Sleep in a cheap hotel, and the network is free. Stay in an expensive one, and they charge you $10 to $15 a night. Stay in the UK, and you can face £18 a day for your net.

This is changing. Ramada and Radisson are doing a lot of free Internet. Fairmont gives free Internet to their President's Club members (no better reason to join, for me). However, this still means that you have to figure out how to share your one obscenely expensive net connection with the coalition of devices in your room.

However, another way that this is changing is that there's more and more wireless going into hotel rooms, and less wired. For us, wired is good, because you just plug a basestation into the net and you go. But with wireless, you need a basestation that listens on a wireless connection while re-broadcasting another.

For quite some time, I've been complaining that the appropriate router doesn't exist. A few weeks ago, however, a friend told me about the D-Link DWL-G730AP, which purports to do what I want. In my own research I also found the Linksys WTR54-GS. They appear on the surface to be mostly equivalent. The Linksys comes in a compact package that has an AC plug bundled into the unit. The D-Link has a separate transformer, but can also be powered from USB.

I ended up getting the Linksys. The deciding factor was that both units have manuals on the web, and the D-Link manual is a high-level installation guide that describes several possible configurations, but the one I want is missing. The Linksys has a detailed manual that tells how to set it up from its internal web server, do MAC address spoofing, port mapping and redirection, and so on. A manual that told how to set up what I want was the clincher. I bought it right before a trip to the UK, and wanted to avoid buying wireless access.

There are a couple of annoying things about the Linksys. It cannot be a client on a secured network, which meant that I didn't set it up before I left. It would have taken time I didn't have to pull the "security" off of my G network to experiment. (It's just WEP, hence the quotes around "security." I consider it a no-trespassing sign.) Once in a hotel, I have not yet figured out how to put a password on the network it broadcasts. Each of my attempts resulted in having to hard-reset the device. It has a nice, convenient hard-reset button. On the other hand, I've been busy and in various stages of sleep-deprived brain damage, so I don't know that it's their fault that I haven't figured it out. I settled for hiding the SSID. I don't actually care if someone mooches on my hotel wireless, if they leave enough bandwidth for me.

If the D-Link will work as a wireless-to-wireless router, it has an advantage over the Linksys in being USB-powered. That means you can easily plug it in to your laptop while using paid wireless, and rebroadcast for your phone or iPod or SO. I just don't know that you can. If someone has a definitive answer, place a comment below. If you're from D-Link and reading this, make a note that you lost a sale solely because your manual confused me.

Posted by mordaxus on December 6, 2007 at 2:12 AM in Air Travel, Economics, Usability.

November 15, 2007

How to Blog a Talk

(Posted by adam)
Blogging about your own presentations is tough. Some people post their slides, but slides are not essays, and often make little sense without the speaker.

I really like what Chris Hoff did in his blog post, "Security and Disruptive Innovation Part I: The Setup."


I did something similar after "Security Breaches Are Good for You: My Shmoocon talk." I posted a PDF of the slides. I think the PDF is less effective, because you can't skim it, search it, or excerpt it as easily as with Hoff's HTML version.

Nice work, Chris!

Posted by adam on November 15, 2007 at 2:15 AM in Usability, blogging, presentations.

October 23, 2007

Ceremony Design and Analysis

(Posted by adam)
Carl Ellison has been doing some really interesting work on what he calls Ceremonies:
The concept of ceremony is introduced as an extension of the concept of network protocol, with human nodes alongside computer nodes and with communication links that include UI, human-to-human communication and transfers of physical objects that carry data. What is out-of-band to a protocol is in-band to a ceremony, and therefore subject to design and analysis using variants of the same mature techniques used for the design and analysis of protocols. Ceremonies include all protocols, as well as all applications with a user interface, all workflow and all provisioning scenarios. A secure ceremony is secure against both normal attacks and social engineering. However, some secure protocols imply ceremonies that cannot be made secure.
He's talked about it in public a little before, and now has a paper available from the IACR eprint service, "Ceremony Design and Analysis."

If you design network protocols, or think about the intersection of security and usability, this is very much worth reading.

Posted by adam on October 23, 2007 at 11:41 AM in Security, Usability.

September 22, 2007

Family Guy Does Usability

(Posted by adam)

A funny clip for Saturday. I can't figure out how to embed the video here, so click on the picture to be taken to Gizmodo.

Posted by adam on September 22, 2007 at 1:54 PM in Amusements, Star Wars, Usability.

June 30, 2007

Quote from Adam, while we were IM-ing

(Posted by mordaxus)

I think I just watched someone pick up a girl with an iPhone.

Photo courtesy of maliavale.

Posted by mordaxus on June 30, 2007 at 7:52 PM in Amusements, Usability.

April 13, 2007

Investment Opportunity of the Year

(Posted by mordaxus)

El Reg reports that Microsoft claims to be sticking to its timetable for shutting down XP.

No fewer than three people told me yesterday, "This means I have to buy that Mac Book Pro this year." They can't be alone. I have several co-workers running Vista on laptops, and even without the overhead of a VM, it's slow.

Thus, an investing opportunity presents itself -- buy a number of copies of XP this year, and then resell them at a profit. There are, of course, many risks in this strategy too obvious to name, but hey, money is risk.

If during the holiday shopping season, you see a run on copies of XP, take note.

Posted by mordaxus on April 13, 2007 at 2:29 PM in Economics, Microsoft, Usability.

March 1, 2007

More On Secure Banking

(Posted by adam)
Continuing our tradition of bringing you the news before it's fit to print, Chris covered "The Emperor's New Security Indicators" in "Why Johnny Can't Bank Safely."

Don't miss Andrew Patrick's "Commentary on Research on New Security Indicators," Alan Schiffman's "Not The Emperor's New Security Studies," or Alex's "Bad Studies, Bad!"

As an aside, Chris used the useful "paper" as his link text, rather than "The Emperor's New Security Indicators," which made it a real pain to search for the paper.

Posted by adam on March 1, 2007 at 10:43 AM in Usability, information security.

February 16, 2007

Advances in Conference Usability

(Posted by mordaxus)
A little bird reports that at the Usable Security Conference they handed out conference proceedings in PDF form on a flash drive. I'm told that the flash drive was cheaper than printing on paper. I hope this trend spreads, as I'm always lugging back paper from conferences along with the inevitable bag or t-shirt. Flash drives are easier to carry, and if I get too many of them, I can always put them together into a RAID drive. Those clever usability experts. What will they think of next?

Photo "Gersterbrot" courtesy of hannesstruss.

Posted by mordaxus on February 16, 2007 at 9:24 AM in Usability, conferences.

February 15, 2007

Let's Stop Cutesy Names for Attacks

(Posted by mordaxus)

Orwell said it best in "Politics and the English Language," and if you haven't read him recently, you should. Abuse of the language has adverse effects on thought, and it's true in security as well as politics. He gives some wretched examples and says of them:

Each of these passages has faults of its own, but, quite apart from avoidable ugliness, two qualities are common to all of them. The first is staleness of imagery; the other is lack of precision.
There are many examples of this in security terminology, but I'll give a few.
Pharming
This is the term that has set me off on the present rant. The person who just used it in a meeting I'm in said "pharming" and then screwed up his face when he perceived a blank look or three and said, "Well, pharming is a name for a number of attacks, which are all DNS spoofing attacks." I bit my tongue and did not say, "Then why didn't you say 'DNS attacks'?" and then sat down to this rant.

Pharming has both of the faults Orwell mentions. It's stale (being a back-formation from phishing) and imprecise. It's so imprecise that one can't imagine what it is just from the name. I could complain about phishing itself, but it is at least poetic and suggestive of the actual criminal activity, and that particular spelling appeared as early as 1996 in an AOL password-stealing scam. However, the word forgery was created for this very case.

Anything else that uses a ph instead of an f
When Jon Fishman started a band with his college chums, it was cute. It is merely cutesy now. Please stop, unless it adds so much precision that the staleness is overcome.
Social Engineering
It's a con job. One of its most notorious users at least had the grace to call it deception.
Pretexting
Deception. Impersonation. Fraud.

Using cutesy terms is jargon at its worst. It creates a group of insiders and outsiders, where the insiders can wrap their minds around the problem and the outsiders can't. We need to have security understood by non-experts. We need less jargon, not more.

This lack of clarity hurts people. The State of California recently defeated a proposed anti-pretexting law because the MPAA argued that there were legitimate uses for it. It's harder to defend impersonation and fraud when it is called impersonation and fraud. Cutesiness is euphemism.

Don't be a cutesy monkey. Use precise language. Use powerful language. Don't let the bad guys get away with defending the indefensible, as Orwell put it, with euphemism. While you're at it, read or re-read Orwell's essay.

Photo "Emily and me kiss kiss da cutesy monkey" courtesy of Nanikas.

Posted by mordaxus on February 15, 2007 at 4:19 PM in Security, Usability.

February 5, 2007

Why Johnny Can't Bank Safely

(Posted by cwalsh)

Stuart E. Schechter, Rachna Dhamija, Andy Ozment, and Ian Fischer have written a paper which examines the behavior of persons doing on-line banking under various experimentally-manipulated conditions.

The paper is getting some attention, for example in the New York Times and at Slashdot.

What Schechter et al. find is that despite increasingly alarming indicators that something may be amiss, subjects frequently provided their passwords to an on-line banking site with which they were at least somewhat familiar. Absence of indicators that SSL is used, and absence of an image-based site authenticity indicator (such as SiteKey, although the authors do not mention which bank was involved in the study) are almost entirely ignored by subjects. Only a relatively dire IE7-style warning page seems to dissuade the subjects, and even then over a third logged in even when their real credentials, at their real bank, were involved.

The press is focusing on the Sitekey angle. The hook seems to be this: even when this highly-touted anti-phishing feature is absent (and a suspicious text box left in its place), people merrily supply their passwords. Therefore, Sitekey doesn't help.

Another aspect of this study is worthy of note. One of the experimental treatments was whether subjects used their own account credentials, or whether -- as instructed by the researchers -- they played the role of a fictitious person using credentials supplied by the researchers (with and without a lecture about security). Unshockingly enough, people behaved "more securely" (my words, not the study's) when their real bank accounts were on the line.

So, even if we know that people act more securely when they have some skin in the game, how do we explain it when they nonetheless do seemingly dumb things?

This is where I want to see some follow-up work. If the Sitekey-style images aren't there, and if people have been warned to look for them, what were they thinking when they just clicked on by? Why were they thinking that? Why weren't they thinking precisely what they had been told to think -- namely that this could be an attempt at fraud? When a blatant message was presented, the equivalent of a blinking neon sign, it helped, but why did a third of people disregard it? Did they read it? Was it "pop-up fatigue" at work? Do people not care about SSL indicators because they've seen one too many "secure login" pages that collect creds via HTTP-based forms and simply POST them via SSL? Is it that all this web security stuff is indistinguishable from magic (hard to believe of the young Harvard-area types that were the subjects of this study, but hey, maybe they were visiting from Somerville or Boston)?

These are important questions, and more and more is riding on them.

I haven't seen any figures on losses due to phishing that I can remember offhand, but I strongly suspect that they are on the rise. Moreover, as operating systems and web browsers become more secure, it's increasingly important for businesses like banks to understand the human side of these technologies because that's where fraudsters will take aim. What people think when they interact with computers, the mental models they use, how they react to cues presented to them by applications and web sites, and how all of these mix with things they already know (or believe) about sites ("It must be reliable -- it's FooBarCoLand National Bank") are things that will increase in importance.

I'm eager to learn more.

(Credit where credit's due: 0, 1)

Posted by cwalsh on February 5, 2007 at 10:46 PM in Usability, presentations.

February 1, 2007

Ridiculing the Ridiculous

(Posted by mordaxus)
That's what "ridiculous" means, worthy of ridicule. If you're fond of etymologies, it comes from the Latin word ridiculus, which means "laughable."

Right after 9/11, I decided to show my patriotism and devotion to freedom by getting on airplanes. I got great cheap trips all over the world. Sadly, this means that my answer to "what did you do during The War On Terrorism, Daddy?" would have to be that I lounged on beaches and stayed in swanky Mayfair hotels. However, during the first of my trips (to Hawaii), we were gripped not only in airplane-and-bomb fever, but white powder fever, too. A couple of times a day some hotel had the hazmat crew from the fire department visiting.

A genuine overreaction that happened at about that time was that somewhere someone had called in suspicious white powder and found that it was a crushed Altoid. Despite the fact that snorting a crushed Altoid would sure make your eyes water, this was a newsworthy gaffe. I took to referring to all such false alarms as "someone stepping on an Altoid." I made the point to say with a wry grin to the obviously bored and irked fire department guys, "What, did someone step on an Altoid again?" and got some laughs. I even heard people start to pick up my line.

This week, we have something else happen that is ridiculous. Bruce Schneier has a good overview of the events. My summary: Cartoon Network puts up magnetic signs with blinking LEDs advertising some cartoon in ten cities, including Boston. The accompanying photo is of one of these in Cambridge. After two to three weeks, people in Boston notice them and think, "Oh, my God! Blinking lights, wires! It must be (cue organ) terrorists!" They shut down half the city. They postured, they arrested the perps.

This brouhaha is worthy of ridicule for two reasons. First, they were embarrassingly wrong. Second, they were two weeks late! Comparing Boston's Finest to the Keystone Kops is a grave insult to the memory and bravery of those immortal boys in blue.

I have a new word for the vocabulary of Thomas Menino, Deval Patrick, Ed Markey, and others. That word is, "oops." It's an easy one, devoid of 'r's. You can say it. We'll forgive you. Really. I speak for the President of the United States when I say that admitting you were wrong will improve your popularity. It will have brightened up an otherwise depressing week.

For the rest of us, after they say, "oops," we can forget the exact details (as I have forgotten the exact details of the Altoid) and simply refer to future incidents as "finding a cartoon sign."

My army of loyal fact-checkers has come up blank, so I may be misremembering and am likely misquoting, but I remember Asimov having Hari Seldon say, "There is no tower so high, nor throne so mighty that it cannot be rocked by laughter." If I'm wrong, then maybe I said it. If you know who did, tell me, and I'll post an update here.

Nonetheless, it's time for us all to stop being terrorized, it's time for us to ridicule the ridiculous.

Posted by mordaxus on February 1, 2007 at 6:41 PM in Terrorism, Usability.

Dave Molnar, Call Matt Blaze

(Posted by adam)
Dave Molnar has some good comments on 'Stolen ID Search.' He writes, starting with a quote from "ben:"
"I can’t believe you are advocating typing your ssn or credit card into a mystery box."

That's "ben", commenting at TechCrunch on Stolen ID Search, a service from Trusted ID that will tell you if your social security number has shown up online. Thanks to 27B Stroke 6 for the story.

The idea is that you visit www.stolenidsearch.com, then type your social security number (SSN) or credit card number into the box, and the web site tells you if the number is on their list of "IDs we've seen in the wild being traded by evil persons." If it is, they then helpfully offer you the opportunity to put a freeze on your credit report and purchase other services. The first problem that comes to mind, though, is that typing your SSN into the box gives them your SSN. Now you need to trust that they won't turn around and sell it to those same evil persons. Maybe you can, maybe you can't, but it'd be much better if you didn't need to trust them at all.

Well, this sounds like the scenario for the cryptographic primitive of Private Information Retrieval (PIR). In PIR, a client wants to query a database in such a way that the database learns nothing about the query.... As they say, helger, call your office.

So Dave, why would I trust a PIR implementation to help me here? Have you seen Matt Blaze's excellent "James Randi Owes me a million dollars?" In that article, Matt talks about the value of 'strong cryptography' versus believability to a non-expert audience.

Posted by adam on February 1, 2007 at 12:15 PM in Usability, breach analysis.

January 25, 2007

There are three types of authentication

(Posted by mordaxus)
They are:
  1. Something you've lost,
  2. Something you've forgotten, and
  3. Something you used to be.

Here is a sad tale of a man who has a failure on (3), realizes he's done (2), and his solution to the problem. It's a classic tale of how more is often less when it comes to security. Lest you think it, I am not making fun of his solution to the problem.

The sad part is that he thinks the problem is dependence on technology, when in fact it is the inappropriate use of technology, and the "ooo, shiny" technolust making you think that something is a good idea when it isn't. Other cases include electronic voting machines, RFID passports, airport fast-track systems, and so on.

photo courtesy of split-ends.

Posted by mordaxus on January 25, 2007 at 8:36 PM in Usability, personal security.

November 29, 2006

More on Godin and Tufte

(Posted by adam)
There's another good article on Juice Analytics, "Godin, Tufte, and Types of Infographics:" (hey, guys, where are the author names? Author names only show in RSS, not the web page?)
Tufte frustrates on a number of levels. He is enormously influential in business. Businesses send people to his seminars and they come back energized with the essential truthfulness of his message. Yet weeks later those principles are abandoned by the lack of practicality of his message. No one in business is going to design a graph in Adobe Illustrator as he can. They use Excel. Seldom can we spend days or weeks refining and testing a graph. The work must be done and then we move on.
So I totally agree with this, and ask, why aren't we asking more of Excel? Why can't we get graphics of Tuftian quality from it? As I've said, I'm really fond of the ribbon design, and if enough customers were asking for great, well-defined improvements in graphical excellence, I suspect Excel would ship them. (A personal example: I'd like to be able to lock a set of graphs to the same scales for the axes, so I can create small multiples more easily. I have some graphs today that slice one data set differently, and I have to work hard to make the scales the same.)

It would be really interesting to see if the community of excellence around Excel could come up with ideas.

(In another post, Zach points to Re-Visions of Minard.)

Posted by adam on November 29, 2006 at 11:39 AM in Usability, presentations.

November 28, 2006

The Two Minute Rule for Email and Slides?

(Posted by adam)
So I've been discomfited by the thoughts expressed by Tom Ptacek and the Juice Analytics guys over what presentations are for, and a post over at Eric Mack's blog, "A New Two Minute Rule for Email." The thing that annoys me is the implicit assumption that all issues should be broken down into two minute chunks. That we're all dumb enough to require summaries like "It's a slam dunk, Mr. President." I find myself slipping into this belief, annoyed that the authors of "A Report on the Surveillance Society" prepared for the UK Information Commissioner didn't make it shorter. It's already easy to read, but it's 102 friggin' pages. Who wants to read 102 pages? You're probably already onto the next blog post.

If you're not, it may be because you recognize that there are arguments that take longer. There are also arguments that don't take so long, and I think I've made mine.

PS: I don't think that Juice or Tom would ever argue for a hard-and-fast rule of this sort, but guidelines with subtlety become rules that people get tied up about.

Posted by adam on November 28, 2006 at 11:10 AM in Usability.

November 17, 2006

Tufte, Godin, Juice Analytics

(Posted by adam)
Juice Analytics comments on "Godin’s take on Tufte:"
(Godin) I think this is one of the worst graphs ever made.

He’s very happy because it shows five different pieces of information on three axes and if you study it for 15 minutes it really is worth 1000 words.

I don’t think that is what graphs are for. I think you are trying to make a point in two seconds for people who are too lazy to read the forty words underneath.

I think Seth has it just right. Personally, I can hardly resist a well-constructed infographic, but I have an unnatural interest in data. For the many business users, better to construct information displays that are simple and to the point.
So, Seth's points are good. They're made in this video presentation at GEL 2006 (Google video, worth watching).

I'm really irritated by Juice's words. It is never better to construct information displays that are simple and to the point, absent an understanding of why you're constructing a display. If your point is "Napoleon lost a lot of lives attacking Russia" maybe a bar graph would do. Sometimes complex reasoning requires complex data. The question is not "Should your graphics be simple and to the point," but rather "do my graphics help present the data and help people reason about it?"

To put it another way, start from the user story, use case, or scenario, and construct your information presentations to help that story along. Then, and only then, should you make it as simple and to the point as possible, but no simpler.

Posted by adam on November 17, 2006 at 12:39 PM in Usability, presentations.