There's a point here about heartbleed and security — I promise. Keep with me.
As I am wont to once the weather finally begins to coöperate, I've been trying a few new things out on the grill. When I'm in this exploratory phase, I love digging through the infinitely interesting BBQ blogs of the Internet - they're full of hard-won knowledge about fire and smoke, but often lack a certain level of technical polish.
Case in point, my reference blog for this week's experiment was a well-seasoned old blog, but they'd lost every single comment from years of discussions. Why? No technical glitch, but simply because they'd chosen a private company to manage their comments - and it went out of business, leaving them not only without a commenting tool, but without those years of educational clarifications and discussions.
Ownership and control matter. This is true when you're talking about your possessions, your house, your comments on a BBQ blog, and with your software. I've railed against app-ification before, but I want to make a slightly deeper point here. If you bought a house, but with the condition that any repair, no matter how minor, you had to contract the previous owner (and only them) to make at a cost of their choosing - would you feel you really owned or controlled that house? Would you buy a car where the hood was locked shut, accessible only to the specific dealership where you bought it?
These cases are very much the situation with the vast majority of software you run on your computer. From Microsoft Word to Apple's iTunes, and even more insidiously, OSX and Microsoft Windows themselves - are all locked away from you. You've been forced to pay hundreds of dollars for them with the purchase of any computer - but you have no control or real ownership over them.
The alternative is what's called "free" or "open source" software (people get into fierce debates on the terminology here, which I'm ignoring for the time being). All software starts with instructions that are more-or-less understandable by humans; commands like if (this thing) then (do this other thing). Generally speaking, this "language" is then turned into something that's closer the more basic tools that computers understand. Imagine a particularly skilled dog with a great memory - by stringing together enough fetches, play deads, stops, roll overs and so on, you could eventually come up with a sequence of commands that would have this dog go out and buy a beer for you at the corner store, and bring in back.
"Closed source" software only gives you the computer-understandable version, and it's surprisingly difficult to turn that back into a simple, human-understandable chunk of logic. "Open source" software, on the other hand, always provides you with the original, understandable language.
This means a lot of things - one, you can tweak it. If you don't like the beer that your dog fetched, you can find the human-speak parts of the commands where it's selected, and make sure your preference for hoppy beer is respected, and then turn it back into the commands your computer can do.
This ability to change how your own tools work itself has many additional benefits - you can share that change, and if it's useful enough, that change itself will be included in the next version of the "core" software that everyone uses.
And finally, Heartbleed
This openness also means anyone can look at the logic that is driving their tool. This means that when you start talking about trusting software, there's a heavy preference towards the software that you can look at the source code of, and even more preference towards software where a lot of people have been looking at this same code.
So, that failed with heartbleed. The team behind OpenSSL is tiny compared to their impact. Two out of every three secure servers in the world are running the software that this four-person team manages. And on New Years Eve 2011, one of their developers committed a very, very subtle piece of code that basically didn't make sure that all the doors were closed behind it, and no one else at the time (or anyone who'd taken a look the in two years and chance since) noticed.
So obviously the whole open source thing is broken, right? The bug is out in the open for anyone to figure out, but no one fixed it!
It's not quite so simple. Do you really think that a working piece of closed-source code gets a second glance by its development team? They're just as bound by priorities and shipping product releases as an open-source team, but their code gets locked away with not even the chance for a third party to find a bug and lend a hand — but it's no more secure than the open source tools from concentrated probing, and testing for flaws just like heartbleed.
So yes, heartbleed was bad, but it was also a reminder in how powerful the open source software world can be in finding and fixing a bug. Most of us woke up with some updates to install, and that was the end of it. What horrible, dark bugs are lurking, unfindable, in every piece of closed source software? The precise number is unknowable, but the prevalence of viruses and malware that affect deeply closed systems like Windows might be a strong hint.
No more broken hearts
Going forward, I obviously have a long wishlist of things I'd like to see - a public discussion on what trust in software really means, better tools on every platform to guarantee software packages are what they claim to be (Tor is doing amazing work here), a return to inter-operable standards, especially when we're talking security systems... But as a beginning point, simply better support structures for open code development would be nice. We have volunteers building the basic structures of the Internet - which is an absolutely amazing and good thing - but let's make sure they have the time and resources to do it.
Thank you for sharing your thoughts regarding the National Security Agency's surveillance program. Input from fellow Texans significantly informs my decision-making and empowers me to better represent the state. During my time in the Senate, I have consistently reiterated my support of programs that can detect impending threats to our homeland or diplomatic and military facilities abroad. It is imperative, however, that we strike an appropriate balance between remaining vigilant against terrorism and protecting the civil liberties guaranteed to the American people by the Constitution. Unfortunately, the government has eroded the American peoples' trust by the secrecy surrounding these surveillance programs. I will continue working with my Judiciary Committee colleagues and the entire Senate to review existing law and the actions of the Administration to ensure that we protect our Constitutional liberties. In doing so, I hope to guarantee true accountability in these programs so that we protect Americans from the threats of both terrorism and unwarranted government intrusion. Thank you for sharing your views with me. Please feel free to contact me in the future about any issue important to your family. It is an honor to serve you and the people of Texas. For Liberty, Senator Ted Cruz
I once rented a part of a house that had been, well, not fully cleaned out from the previous occupants. It was a house full of hackers that had been variously occupied by friends and friends-of-friends for almost a decade as they passed through Austin on their way from or to new lives, which is to say, it had, well, "character".
One of the odder things left behind by the previous inhabitants was a literal pile of Final Fantasy boxes, completely intact save for the all-important registration codes. A bit of digging uncovered a fascinating tale of cross-border, tax- and fee-free value transfer. The former occupant, let's call him "Bob" was engaged in a business proposition with a colleague based in South Korea, let's call her "Alice." Whatever version of the RPG Final Fantasy had just been released in the States (only). This had proved very difficult to pirate, causing a huge untapped demand in Korea. Koreans, however, had been happily hacking away at another RPG game which was only just now catching on Stateside. So, Bob would tear off and destroy these registration codes, emailing the codes themselves to Alice in Korea. Alice, in exchange, would provide Bob powerful and rare in-game items for the newly-popular game - these were of less value to the Korean market, as it was saturated with players and therefore items, but there was no arbitrage market into the States -- before Alice and Bob, at least. Bob could then sell these on online grey markets for such items, effectively creating a way for both Alice and Bob to profit (rather lucratively, from my understanding) from local markets, and transfer value across borders without incurring bank costs, wire fees, or, for that matter, taxes. This setup lasted for as long as both were able to extract value from the arbitrage process, but obviously wasn't able to scale or even easily re-adapt to new opportunities.
With the rise and increasing stability of bitcoin as an actual contender for a digital currency, the global market suddenly starts looking a lot more local.
ATF DOD WACO RUBY RIDGE OKC OKLAHOMA CITY MILITIA GUN HANDGUN MILGOV ASSAULT RIFLE TERRORISM BOMB DRUG KORESH PROMIS MOSSAD NASA MI5 ONI CID AK47 M16 C4 MALCOLM X REVOLUTION CHEROKEE HILLARY BILL CLINTON GORE GEORGE BUSH WACKENHUT TERRORIST.As an aside: maannnnnn, do you remember the 90s? Was that an unpleasant walk down memory lane or what? Anyhow, this amusing idea that this would work for more than a few minutes just doesn't seem to die, and someone's trying it with a new "security" tool called ScareMail that "takes keywords from an extensive US Department of Homeland Security list used to troll social media websites and utilizes them “to disrupt the NSA’s surveillance efforts by making NSA search results useless.” " While that's ... well, whatever. It's a nice thought, right? Probably not very useful overall. Anyhow, it gives me a small boost of civic pride to tweak my email settings and put the fourth amendment text back in to almost every email I send out. This requires an actual email client (Thunderbird works nicely), and some configuration hacking:
- Go to Edit → Preferences → Advanced → General → Config editor
- Right click, new, "string"
- For 'Enter the preference name' use "mail.identity.id1.header.header1"
- For the string, add "X-Fourth-Amendment: The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."
- If you have multiple mail accounts, you'll have to do this for each one, using id2, id3, etc. and header2, header3, etc.
- Restart thunderbird, make sure you didn't break anything. For more details, peek at http://kb.mozillazine.org/Custom_headers
Quick quiz. Which of these should not be protected as free speech?
[ ] A gun (you know, the kind you can hold and shoot)
[ ] Plans for a nuclear weapon
[ ] Political statements (lots and lots of them)
[ ] Detailed instructions on how to communicate privately
[ ] Detailed instructions on how to make an archival, digital copy of a DVD
The answer is either none or all of the above - we are in a world where free speech (in the form of computer code) can create real world objects and actions that are themselves regulated or outright illegal. But if the action is illegal, is the code that causes it also illegal? If so, the line gets very blurry very quickly. If not, we still have some fascinating problems to deal with, like printable guns. Regardless, we need to educate policy makers to understand this digital frontier and be prepared to defend free speech when this gets unpleasant. Spoiler: It's already unpleasant. Our world is defined by code, where programmed actions have very real, tangible effects.
Code of Protest
Civil disobedience can take some weird forms. While today masked digital vigilantes of Anonymous act as a curious type of Internet immune system; reacting against gross infringements of cyber liberty, their methods are not as new as you might think. In the late 90s, the Electronic Disturbance Theater (http://en.wikipedia.org/wiki/Electronic_Disturbance_Theater) was supporting the Zapatistas by flooding Mexican government sites with a rudimentary DDoS (Distributed Denial of Service) attack, which brings a webserver down by overloading it. This concept is at the heart of LOIC, Anonymous's "Low Orbit Ion Cannon" (http://en.wikipedia.org/wiki/Low_Orbit_Ion_Cannon). EDT's version, "Floodnet," had the nice touch of requesting webpages with names like "human rights" from the government sites, resulting in errors clogging up the server reading something like "404 - human rights not found." Asking for a webpage is pretty clearly something akin to shouting at a rally, or a "cyber sit-in" (http://angelingo.usc.edu/index.php/politics/cyber-sit-ins-grassroots-to-gigabytes/) - get enough people to do it, and it causes some level of annoyance - but it's still an act of speech.
Free speech and a dead-end for copy controls
Fortunately, CSS was not particularly well crafted, and was quickly and thoroughly broken with a chunk of code nicknamed decss by a Norwegian teenager nicknamed "DVD Jon". This caused a slight bit of controversy. DVD Jon was accused of theft in Norway, and users in the States were threatened with fines and jailtime for re-distributing it under the DMCA law.
In a predictable story arc, the next chapter of this story is of course the Internet digerati of the day getting royally teed off and causing a ruckus. The source code of decss was immediately turned into graphic art, secretly embedded in photos, turned into poems, and even a song (http://www.youtube.com/watch?v=GekuuNqAiQg) - a gallery of creative works using or containing the decss code remains online: http://www.cs.cmu.edu/~dst/DeCSS/Gallery/ . DVD Jon won his case (http://news.bbc.co.uk/2/hi/technology/3341211.stm) and we all celebrated the somewhat obvious win for free speech and consumer power.
Private speech and munitions export controls
We can rewind even further back to the early 90s, when Phillip Zimmerman published the entire source code of his powerful encryption tool, PGP, in a book (of the paper, box-shaped physical object type). Now, encryption this powerful was classified (until 1996) as a "munition" and subject to export controls with the types of penalties you might expect for selling military equipment on the black market. Had PGP been released as a program, it would obviously fall into this categorization. As text in a book, however, it appeared to be protected as free speech. The stupidity of the distinction of course also spurred many to make t-shirts and code snippets of this "illegal" code. Eventually, a series of court cases (Bernstein v. United States, Junger v. Daley) establishing that source code, indeed, counts as free speech.
Free speech and real munitions
Code is speech, code is reality.
In linguistics, you have the concept of "Illocutionary Acts" - acts which are embodied in language. There aren't many - no matter how I say that I'm going to go for an after-work run, the act of running can only be done by my whole body. Oaths are the best example of these acts - speaking the oath is making the oath, and that combination of idea and action is a powerful sentiment.
And every line of code can be just as powerful.
The earlier attempts all were centralized startups, each proposing a competing faux-currency to ease online (providing simplicity and improving trust) transactions and slowly build a virtual currency of sorts. Their business plans generally involved taking margins from the transactions or cost differentials. The early Internet currency attempts ran into regulatory problems (most countries frown upon private companies setting up alternate currencies, it turns out), and had to evolve their offerings to avoid getting shut out. Bitcoin provides something different. Instead of a currency that has evolved from being backed by precious metals into fiat currencies, Bitcoin is backed by cryptographic algorithms, and has no company--or even an identifiable person--behind it. This shared system provides an amazing openness for a currency: Every transaction is part of a public, collaborative log. However, the people behind those transactions are known only by their account numbers, in a world where you can create as many accounts as you like.Read the full article at Fast Co.Exist
That being said, the TV comes with, as most new TVs seem to, an app store. And it sucks. By gods, the offerings are horrible, the interface is via the clunkiest of all possible remotes, reminiscent more of an 80s-era cellular phone than a 21st century Internet-enabled TV control device. Once you manage to navigate into the app store, there are but a scant few useful apps and a smattering of crappy games and info apps. Don't get me wrong - I'm excited about new form factors of devices, and computational power showing up in more devices - but give me a device that I can use and that is multifunctional at its heart. It may have a nice skin and intended purpose, but technology changes rapidly, and I don't want to churn through hardware devices at the speed of change in software. Part of this is that companies must accept failure -- or at least change -- as a possibility. Your framework, support, upgrades and management of a walled garden app store may be fantastic, but what if you ditch your entire business unit? (HP, I'm looking at you). Apple has provided a solid model of the benefits of the app path, but few companies can match Apple in their abilities to keep up with the store - and even then, it suffers from being a disneyfied (http://phandroid.com/2010/03/16/iphone-is-a-sterile-disney-fied-walled-garden-surrounded-by-sharp-toothed-lawyers/), tightly controlled and kid-friendly store. The Android market is certainly a bit more wild and wooley, but that creates a new foothold for innovation. This disneyfication is unavoidable for any centralized store, since that centralization focuses responsibility on to the ones who make decisions about what goes in to the store and what stays out - which ends up being increasingly restrictive and eventually anti-competitive. As Dave Winer points out at Scripting News, this is a classic cycle in technology over control (http://scripting.com/stories/2011/12/31/theUninternet.html). This trope affects the continuum between being able to compile your own software to being able to download whatever software you like all the way to only having access to pre-approved app-store apps, but its influence also is seen in web services and consumer electronics. There's a value to the app store model, as there's a value to Disneyland. You know everything is tailored, tweaked, padded and sanitized. If something goes wrong, it won't be your problem -- but the cost for this level of safety is freedom. Your iPhone works great, but just try to swap out its SIM card for an affordable local provider in another country, or, really, do anything that Apple hasn't approved of, despite if it would be useful or not to you. It's not called jailbreaking for nothing.
I have a critical flaw - not being able to say no to helping out worthwhile projects get their technological house in order.
I've left a trail of wikis, content management system-run sites, and creative cabling across three continents. One such effort was in the pre-iPhone world of the early 2000s with a creative social enterprise that empowered artisans to realize the full market value of their goods (often undercut by middlemen taking advantage of innumeracy, a need for liquidity, or both). These goods are then shipped to the US to sell. The NGO takes a small cut for its operations and the shipping cost, and everyone benefits. Beyond dealing with the unpredictability of the Nicaraguan electrical system, they were efficient in their offline practices, but saw the need for inventory tracking. That seemingly basic task is both a key to empowering online sales and other scaling activities, but is no short order. The system must be able to know what items were stored in what locations in the US and in Nicaragua, and meet the needs for a geographically disperse set of volunteers to sell those items at events. It also has to have a simple and largely foolproof way of adding inventory from the Nica office that can absorb a backlog of work if the power or Internet connection is off.
No problem - totally doable. For the US side, we work with a Salesforce Foundation volunteer to create an online, cloud-based inventory system where the volunteers can log transactions live on the site using a re-purposed cue:cat barcode scanner -- the cue:cat itself being a dotcom-era QR code wannabe, best summed up by Jeff Salkowski of the Chigao Tribune as "You have to wonder about a business plan based on the notion that people want to interact with a soda can." and by Wired’s Leander Kahney as "a cheapo bar-code scanner that looks like a marital aid."
On the Nica side, the staff can add the inventory on a spreadsheet and batch upload it into SalesForce whenever they have power. This gives them an offline backup, and lets work continue (on a laptop) even if power cuts out. The Excel sheet automatically creates a code that can be barcode-ified for matching by the volunteer sales staff without painstaking scribbling of notes.
We’re in this to save and improve lives, not make a profit. If a plan fails, it’s lives lives - not just bank accounts -- that are not enriched.
Perfect, right? With so much time spent on the “challenging” part of the equation in Nica, not enough thought went into the sales side - often outside, at craft markets, sometimes in the rain. Not happy environments for laptops, rarely enough electricity or battery power to last the day, and never any wifi to actually connect to the Internet to track sales in realtime.
Times have changed, and the plan, like the cue:cat itself, may have a new life in our 3G-saturated world with QR Codes and Square point-of-sale gadgets replacing the bulky laptop, but at the time, it was simply a failure.
What do you do when your project just falls flat? Moving on and hiding it is the wrong answer. The right answer is that you get up in front of a crowd of your peers, donors, and investors (past and potentially future) and spill the beans. In the startup world, some amount of failure is expected, and even welcomed. Learning from failure is, after all, the best education out there. But in the do-gooder space of non-profits and international development organizations, failure is not an option.
The challenge is that we’re in this industry if you will to save and improve lives, not make a profit. If a plan fails, it’s lives lives - not just bank accounts -- that are not enriched.
There are obviously failures in development, as evidenced by the mere fact that we’re five to six decades in to concerted global efforts, and still working on it. More ICT4D projects fail than ever scale beyond the pilot stage. The World Bank bravely released its internal study revealing that while most of its projects succeed overall, in the ICT4D category of projects, only achieve their intended outcomes 30% of the time. Some of those may be wildly successful in unanticipated ways, others just complete flops.
Katrin Verclas has done the community a huge favor in creating and open-sourcing the concept of the FailFaire.
The Failfaire celebrates and de-stigmatizes failure by loosening lips with some alcohol and then throwing people on staqe for a tightly scheduled 5 minute moment of candor. Thanks to the open-source philosophy, these have spread to internal organizational events as well as a few public failfaires, most recently one hosted by Inveneo’s Wayan Vota in DC at the World Bank itself, and another coming up this December in NYC hosted by MobileActive.
The risks of failure in development work are clearly weightier than Q3 profits,which makes the relaxed, raucousness of a failfaire that much more important. For a community that has no normal mechanism for learning across the various implementers, the only way we can advance the whole cause is through these commiserations over good goals, good people, and solid technology completely failing - and learning from them.
This was best encapsulated after the event. One presenter discussed his media-darling pedal-powered phone booth for remote villages, which was a complete failure. Another Failfaire-er approached him afterwards to commiserate on similar problems - their own popular bike-powered computer system actually took almost seven people pedaling to reliably power the system. While bikes garner tons of often-misguided warm feelings and media popularity, they aren’t necessarily silver bullets -- a lesson for the road.