When an interrupt is important

So it’s cool that this “S.M.A.R.T” stuff tells the computer when the hard drive is failing. The next step in user interface is to take the message out of /Applications/Utilities/Disk Utility and into an interruptive UI, so that I don’t discover this problem when I happen to get an extra drive for backup.

I know Apple knows how to interrupt the user when it matters to them, because iTunes always gives me two chances to enter my password so it can auto-update things. Maybe they’re hoping I won’t notice this one and just figure I need a new machine:

Disk Utility

Toorcamp: Gender Issues, Cognitive Psychology and Hacking

So the announcement for Toorcamp is out, and it looks like an exciting few days.

A few talks already announced look very new school, including “How you can be an ally to us females” by Danielle Hulton and Leigh Honeywell, and “Cognitive Psychology for Hackers.”

It’s in the far northwester corner of the US, and you should check it out.

How to get my vote for the ACM Board

I’m concerned about issues of research being locked behind paywalls. The core of my reason is that research builds on other research, and wide availability helps science move forward. There’s also an issue that a great deal of science is funded by taxpayers, who are prevented from seeing their work. One of the organizations which locks science behind a paywall is the ACM. As it turns out, the ACM is having elections, and I’m a member, so I thought maybe I could usefully vote on this issue. So I went to the ACM website to see what’s being said on it. Here’s what I had to go through to find the answer:

  • Are the elections important enough to be listed on the home page? Apparently not.
  • Maybe it’s an issue of importance to the ACM Membership? Nah.
  • Maybe I can find something about it on ACM US? That’s actually the “public policy” arm.
  • So perhaps it’s a matter of who will be on Boards and Committess? No, that points to this page, which is highly informative.
  • Maybe it’s under MyACM? Nope
  • Ahhh! Finally, it’s under Membernet: here

And it turns out that there’s no one running for the board of the ACM who’s running on open access issues. That’s too bad.

So let me be very clear. I’m a one-issue voter for academic societies. I believe that open access to science is a key part of everything that these societies should be doing, and it’s the only part that involves change to the business, and thus controversey.

If you want my vote, run on an open access platform.

(If you’re not familiar with the arguments for open access, see The Open Access Pledge site, The Cost of Knowledge site, or this faculty memo from the library of a small college in Cambridge, Mass.)

[Update: Don’t miss the comment by Brighten Godfrey, who’s been reaching out to the candidates, and gathering their positions.]

Twitter Weekly Updates for 2012-04-22

Powered by Twitter Tools

Suck My Underground

Hey! Jam Jarr has a new album and its free today. They asked for a Facebook link, and since I can’t do that, I figured a blog was in the right spirit. So go check it out: Jam Jarr: Suck My Underground.

It’s free. Why not take a listen?

PS: When I say free, I mean free like free, not free like “please register” or free like “let our app pwn your Facebook account for a while.” It’s free to listen and free to download. And if you like it, you should check out some other music from African Dope Records, like the soundtrack to Lauren Beuke’s Zoo City.

Calyx and the Market for Privacy

So there’s a new startup in town, The Calyx Institute, which is raising money to create a privacy-protecting ISP and phone company. I think that’s cool, and have kicked in a little cash, and I wanted to offer up some perspective on the market for privacy, having tried to do this before.

From 1999 until 2002, I was Director of Technology and Most Evil Genius at Zero-Knowledge Systems, a Montreal-based startup devoted to delivering privacy-enhanced internet services. Zero-Knowledge raised approximately $71 million dollars to deliver internet privacy, and then had to pivot its business model (before pivoting was trendy). Because management pivoted and found value in what we had built, it didn’t deliver on the privacy dream, but the company did make good money for shareholders.

It’s my hope that Calyx can deliver more privacy to more people over a longer time, and make money for shareholders as it does so. To do that, they’ll need to move from the excitement accompanying their announcements to delivering products in the market. So let me turn to:

The market for privacy
There’s a lot of excitement. Nearly a thousand people have donated cash. They’ve put together a nice advisory board. That’s because people care about privacy. A lot of folks claim that there’s no market for privacy (pointing to things like Zero-Knowledge), but I believe that they’re wrong. There is a market, and it’s hard to tap into.

One of the key reasons it’s hard to tap into the market is because privacy means different things to different people. It means so many things that there’s a good book on “Understanding Privacy.” (My review.) So, does privacy mean the same thing to consumers as it will to Calyx? Resisting demands from 193 national intelligence services is great, but what about protecting me from advertisers? The disjointed things people mean by privacy make it challenging to ensure that you line up with people’s concerns.

Another issue is that privacy is rarely a thing sold in and of itself. Privacy is an aspect of some service, either by providing a privacy-protecting version of the service, or privacy protection against the service. A privacy-protecting ISP has to offer me ISP service equivalent to what I get today, or some bundle that makes sense for me. For example, I pay extra because Speakeasy didn’t demand my SSN, and had technically competent people answering the support phones. They’re less awesome since Megapath bought them, but they’re not Comcast, and they’re not running for most infuriating company in the country. Tor is an example of privacy protection against your ISP. You have to get the whole bundle right, which is likely going to be harder than getting the bundle right without privacy. Of course, sometimes it’s easier. By billing my credit card, Speakeasy doesn’t need to collect my SSN, doesn’t need to protect it, and doesn’t need to pay for a credit check. (They do have to pay a monthly cut to the credit card company, but Comcast probably also pays that for most of their customers.)

That said, consumers do care about privacy, and do spend money on it when they can understand the threat and defense. It requires entrepreneurs and hackers willing to experiment. and eventually someone’s going to make a boatload of money doing so.

For more in-depth comments on this, see my home page, especially the end of 2002 and the start of 2003.

With that, let me turn to some questions about…

What Calyx is doing
Let me start with two quotes, which is the sum of my knowledge:

This project’s goal is to raise funds for my nonprofit organization, Calyx Institute, which will launch a privacy-focused Internet Service Provider and mobile phone service using end-to-end encryption technology.


Through other partnerships, we are poised to offer Internet service in 70 markets in the US using wireless spectrum which we will bundle with end-to-end encrypted Virtual Private Network (VPN) technology in order to keep the customer’s data as private as possible. The next products on the roadmap include hosted email and cloud storage/sync systems that utilize public key cryptography so that only the user possesses the key required to decrypt their email or files. This means that the provider (Calyx) will not be able to read your email or files even if it wanted to. And if Calyx can’t read it, it can’t be targeted by unconstitutional surveillance tactics. (Both quotes from “The Calyx Institute fundraising page“)

So running a privacy-preserving ISP is great. And again, I want what I have to say to be heard in the context that I’ve given them money to help them get going.

My first questions are around the ISP part of the business. Is this an ISP in the form of “I can buy a DSL line from them?” (or otherwise, get internet service directly?) If it’s a partnership, how are we protected from the partner? Encryption is all well and good, but if I don’t have cover traffic, then my use or non-use of the service gives out information. Someone at the entry node (say the partner) who choses to collaborate with someone who can watch the exit node (say the NSA, or the FSB/KGB) can figure things out over time. This issue is fundamental to all low-latency internet-based privacy systems, including the Freedom Network that Zero-Knowledge operated, Tor, etc. The fix is approximately sufficient and continuous cover traffic that exceeds the bandwidth in use.

The second comment, which derives from that is “if Calyx can’t read it, it can’t be targeted by … surveillance tactics.” That is simply untrue. An observer which can see more can apply more clever analysis. I’m willing to forgive this as an aspirational statement today, but it’s important for privacy providers to ensure that they don’t over-promise.

My next question is why New York? Because the founder is there? The NYPD has done some bad things in the civil liberties camp, including for example surveillance of mosques without cause, kettling and rounding up protesters and bystanders without cause during the 2004 Republican Convention. Does New York have the most favorable laws in the US for this sort of thing?

When we get to the phone company idea, I’m in favor of the idea, but operating a nation-wide mobile phone service is expensive. If you don’t do so yourself, you can operate a “Mobile Virtual Network Operator.” But if Calyx does so, then the network operator from whom it leases bandwidth can see IMEI numbers and otherwise fingerprint phones. There are some interesting challenges here, and we need to know more to understand what Calyx can deliver.

In conclusion
There is a market for privacy, and there is a market for private internet services. Calyx has an opportunity to tap into such a market, but it’s tricky and complicated to do so successfully. There are a lot of hard questions to be addressed along the way. However, it’s important to remember that privacy is an important and cherished value for excellent reasons. Calyx is unlikely to be either perfect, or as bad as the main players in today’s market. So they deserve your support, your attention, and perhaps even your money. Why not go donate?

Twitter Weekly Updates for 2012-04-15

Powered by Twitter Tools

Fascinating Storyline around Instagram & Facebook

First, congratulations to the folks at Instagram, who built something that was so valuable to Facebook and managed to get a great exit.

Me, I suspect that Facebook did it so they can gradually sepia-tone all your photos, but that’s not important right now.

I was struck by the nature of this article by the fine folks at Petapixel: “Instaport Lets You Download All Your Instagram Photos as a Zip File.” The article starts “Unhappy with Facebook’s acquisition of Instagram and want to flee the photo sharing service?”


Fleeing Facebook is no longer something for the digerati and the privacy nuts. Now it’s presented as a reasonable response to Facebook acquiring Instagram.

That’s a good sign for the theory that all general purpose social networks eventually get overwhelmed with people you don’t care about, and perhaps a bad sign for those who bought Facebook stock at a $100 Billion valuation.

Checklists and Information Security

I’ve never been a fan of checklists. Too often, checklists replace thinking and consideration. In the book, Andrew and I wrote:

CardSystems had the required security certification, but its security was compromised, so where did things goo wrong? Frameworks such as PCI are built around checklists. Checklists compress complex issues into a list of simple questions. Someone using a checklist might therefore think he had done the right thing, when in fact he had not addressed the problems in depth…Conventional wisdom presented in short checklists makes security look easy.

So it took a while and a lot of recommendations for me to get around to reading “The Checklist Manifesto” by Atul Gawande. And I’ll admit, I enjoyed it. It’s a very well-written, fast-paced little book that’s garnered a lot of fans for very good reasons.

What’s more, much as it pains me to say it, I think that security can learn a lot from the Checklist Manifesto. One objection that I’ve had is that security is simply too complex. But so is the human body. From the Manifesto:

[It] is far from obvious that something as simple as a checklist could be of substantial help. We may admit that errors and oversights occur–even devastating ones. But we believe our jobs are too complicated to reduce to a checklist. Sick people, for instance, are phenomenally more various than airplanes. A study of forty-one thousand trauma patients in the state of Pennsylvania–just trauma patients–found that they had 1,224 different injury-related diagnoses in 32,261 unique combinations. That’s like having 32,261 kinds of airplane to land. Mapping out the proper steps for every case is not possible, and physicians have been skeptical that a piece of paper with a bunch of little boxes would improve matters.

The Manifesto also addresses the point we wrote above, that “someone using a checklist might think he’d done the right thing”:

Plus, people are individual in ways that rockets are not–they are complex. No two pneumonia patients are identical. Even with the same bacteria, the same cough and shortness of breath, the same low oxygen levels, the same antibiotic, one patient might get better and the other might not. A doctor must be prepared for unpredictable turns that checklists seem completely unsuited to address. Medicine contains the entire range of problems–the simple, the complicated, and the complex–and there are often times when a clinician has to just do what needs to be done. Forget the paperwork. Take care of the patient.

So it’s important to understand that checklists don’t replace professional judgement, they supplement it and help people remember complex steps under stress.

So while I think security can learn a lot from The Checklist Manifesto, the lessons may not be what you expect. Quoting the book that inspired this blog again:

A checklist implies that there is an authoritative list of the “right” things to do, even if no evidence of that simplicity exists. This in turn contributes to the notion that information security is a more mature discipline than it really is.

For example, turning back to the Manifesto:

Surgery has, essentially, four big killers wherever it is done in the world: infection, bleeding, unsafe anesthesia, and what can only be called the unexpected. For the first three, science and experience have given us some straightforward and valuable preventive measures we think we consistently follow but don’t.

I think what we need, before we get to checklists, is more data to understand what the equivalents of infection, bleeding and unsafe anesthesia are. Note that those categories didn’t spring out of someone’s mind, thinking things through from first principles. They came from data. And those data show that some risks are bigger than others:

But compared with the big global killers in surgery, such as infection, bleeding, and unsafe anesthesia, fire is exceedingly rare. Of the tens of millions of operations per year in the United States, it appears only about a hundred involve a surgical fire and vanishingly few of those a fatality. By comparison, some 300,000 operations result in a surgical site infection, and more than eight thousand deaths are associated with these infections. We have done far better at preventing fires than infections. [So fire risks are generally excluded from surgical checklists.]

Security has no way to exclude insiders the fire risk. We throw everything into lists like PCI. The group who updates PCI is not provided in depth incident reports about the failures that occurred over the last year or over the life of the failure. When security fails, rather than asking, ‘did the checklist work’, the PCI council declares that they’ve violated the 11th commandment, and are thus not compliant. And so we dan’t improve the checklists. (Compare and contrast: don’t miss the long section of the Manifesto on how Boeing tests and re-tests their checklists.)

One last quote before I close. Gawande surveys many fields, including how large buildings are built and delivered. He talks to a project manager putting up a huge new hospital building:

Joe Salvia had earlier told me that the major advance in the science of construction over the last few decades has been the perfection of tracking and communication.

Nothing for us security thought leaders to learn. But before I tell you to move along, I’d like to offer up an alpha-quality DO-CHECK checklist for improving security after an incident:

  1. Have you addressed the breach and gotten the attackers out?
  2. Have you notified your customers, shareholders, regulators and other stakeholders?
  3. Did you prepare an after-incident report?
  4. Did you use Veris, the taxonomy in Microsoft’s SIR v11 or some other way to clarify ambiguous terms?
  5. Have you released the report so others can learn?

I believe that if we all start using such a checklist, we’ll set up a feedback loop, and empower our future selves to make better, and more useful checklists to help us make things more secure.