Wednesday, November 30

Feed Your Head

I've just read John Markoff's What the Dormouse Said: How the Sixties Counterculture Shaped the Personal Computer Industry, which begins with Doug Engelbart getting into place at SRI, looks in on the creation of the Stanford AI Lab and Xerox PARC, and ends after the first few meetings of the Homebrew Computer Club. Some people I know (Dennis and Jim, for instance) figure prominently in the book. I always knew they were famous, I just didn't know what for.

Buy the book for the titillating details -- sex and drugs, yes, but also how much the first Alto cost.

Friday, October 14

OK baby, we can skip the saran wrap!

Our friends at EducatedGuesswork are discussing the news that the FDA is considering approval of an at-home AIDS test. At issue is whether people can handle the truth without counseling, false positive rate, and such-like.

All that misses the point. The unmet need that a fast "oral fluid" HIV antibody test satisfies is screening prospective sex partners. Here, handsome -- let me take your glass to the kitchen to freshen up your drink.

Believe me, *I* can handle the truth that maybe *you've* got AIDS. The question is: do social conservatives, who think AIDS has its good points (such as discouraging promiscuity), run the FDA?

Monday, September 5

You can quote me on this

You respond to disasters with the administration
you have, not the one you wish you had.

I thought I'd put that out there for anybody who wants to pick it up.

Friday, July 15

Weasels considered harmful

A message from Lorrie Cranor notes that the EFF is asking for aid in the hunt for Privacy Weasels, viz., websites that make empty privacy promises. They give examples such as:
Weasel language: "Although we take appropriate measures
to safeguard against unauthorized disclosures of
information, we cannot assure you that personally
identifiable information that we collect will never be
disclosed in a manner that is inconsistent with this
Privacy Notice."

Translation: "You can't sue us if we violate our own
policy."

Wednesday, July 13

One-liners for the digital age

I'm about halfway through a wonderful book: The Inmates are Running the Asylum, by Alan Cooper. As an aside, the author's primary claim to fame is the invention of something truly horrible long ago. But I think he's sorry now.

The book does a good job of explaining why most industrial products are becoming increasingly unusable.

The simple reason is that it is cheap to add a microprocessor to anything. Once the manufacturer does this they: 1) can add new features at zero marginal cost, and 2) put software engineers (and their feature mentality) in the critical path of product design. The book's issue is usability, my issue is security, and I'm quite certain we're on the slippery slope to downloading code into our kitchen appliances. I really have wanted to blog about the security aspect of this problem for some time [economist: apparently not]; the post would be called "Someday, your alarm clock will try to kill you".

Cooper has the first chapter of his book ask, successively:

  • What do you get when you cross a computer with an Airplane?
  • What do you get when you cross a computer with a Camera?
  • What do you get when you cross a computer with an Alarm Clock?
  • What do you get when you cross a computer with a Car?
  • What do you get when you cross a computer with a Bank?
The answer in each case is: a computer.

Friday, July 8

More from SOUPS

Excellent paper on phishing from Dhamija and Tygar of UCB, The Battle Against Phishing: Dynamic Security Skins. Doug Tygar, you may know, was co-author of the security+HCI paper Why Johnny Can't Encrypt. They describe the problem of phishing, make a systematic analysis of the technical challenges, survey current phishing countermeasures, and describe countermeasures of their own.

Their proposed countermeasure attempts to address the lack of a trusted interaction path between users and servers for either data entry or security notices (such as the classic padlock). This is because of what they call the general purpose graphics property: on existing computer systems, anything a legitimate website can arrange to appear on the user's screen, a phishing site can put on the screen — or at least similar-looking enough that users won't notice.

A quick summary of how their system works:

  1. They use Tom Wu's Secure Remote Password protocol to allow low-entropy (bad) user-selected passwords as a mutual authenticator for user and server. This is a verifier-based protocol where passwords aren't given to the server.
  2. Users choose an image to be used as a backdrop to a password entry window. Only the user's machine has this, so attackers can't guess it.
  3. A visual hash of the verifier is used by the server to decorate data entry pages (i.e., as background), so that the website has a user-specific look.
...of course this stuff is still vulnerable to man-in-the-middle, but that's not the phishing problem.
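As an added illustration that is not code from the Dhamija/Tygar paper or from this post: a toy SRP-6a exchange in Python, showing the server holding only a verifier while both sides still reach the same session secret, followed by a stand-in for the visual hash. Assumptions: the modulus 2**127 - 1 is a toy choice rather than a standard SRP group, the bit-grid pattern stands in for the paper's images, and the pattern is derived from the session secret that only a party who completed SRP can compute.

```python
# Toy SRP-6a exchange plus a stand-in "visual hash" (added example).
import hashlib
import secrets

# ASSUMPTION: demonstration modulus only. 2**127 - 1 is prime but is not a
# standard SRP group; real deployments use the RFC 5054 groups.
N = 2**127 - 1
g = 3

def H(*parts):
    """Hash the text form of each part and return it as an integer."""
    data = ":".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

k = H(N, g)  # SRP-6a multiplier parameter

def register(identity, password):
    """Enrolment: the server stores (salt, verifier), never the password."""
    salt = secrets.randbits(64)
    x = H(salt, identity, password)
    return salt, pow(g, x, N)

def run_srp(identity, attempt, salt, verifier):
    """One login attempt. Returns the shared session key when both proofs
    check, None when either side rejects the other."""
    a = 1 + secrets.randbelow(N - 2)
    b = 1 + secrets.randbelow(N - 2)
    A = pow(g, a, N)                               # client -> server: I, A
    B = (k * verifier + pow(g, b, N)) % N          # server -> client: salt, B
    u = H(A, B)                                    # scrambling parameter
    # Client: recompute x from the typed password and derive S from it.
    x = H(salt, identity, attempt)
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K_client = H(S_client)
    M1 = H(A, B, K_client)                         # client -> server: M1
    # Server: derive S from the stored verifier alone, then check M1.
    S_server = pow(A * pow(verifier, u, N) % N, b, N)
    K_server = H(S_server)
    if M1 != H(A, B, K_server):
        return None                                # wrong password rejected
    M2 = H(A, M1, K_server)                        # server -> client: M2
    if M2 != H(A, M1, K_client):
        return None                                # server did not know v
    return K_client

def skin_pattern(session_key, size=6):
    """Stand-in visual hash (ASSUMPTION: the paper uses generated images):
    a size x size grid computed from the session key. A phishing site that
    never completed SRP has no key and so cannot render the same grid."""
    bits = format(H("skin", session_key), "0256b")
    return "\n".join(
        bits[r * size:(r + 1) * size].replace("0", ".").replace("1", "#")
        for r in range(size))
```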

And as a counter to sophisticates who despair that users can't be trained to distinguish indicators (e.g., the padlock) in the browser chrome from indicators in the page, they show a Citicorp page where a teeny padlock is on the page next to the password entry box to show that although the page isn't protected, the form will be sent via an SSL-protected HTTP POST!

Thursday, July 7

Live from SOUPS 2005

Blogging from SOUPS 2005 at CMU and cross-posting to The Now Economy.

Ches just gave the keynote talk, titled My Dad's Computer, Microsoft, and the Future of Internet Security, which, like all good talks, has been evolving for some time. Money quotes:

  • "Dad, your computer is blowing blue smoke all over the Internet!"
  • "These virus-building tools have GUIs, *nice* GUIs."
  • On 0wn3rs: "They try not to be too disruptive. They've got uses for your computer. It's called time-sharing. They install patches for you to keep (other) attackers out, they work very hard to get bugs out of their software."
  • "You have to get out of the game. Or, as the Karate Kid's Mr. Miyagi says: 'Best block is not to be there.'"

Ches quoted spot prices for botnet cycles — 3 cents per week on the low end for spam forwarding, $40 each for machines on targeted networks. Also interesting, the Phatbot command list.

Ping and others are blogging the conference at Usable Security.

Wednesday, May 4

We're number 17! We're number 17!

I threatened I would recycle email if I had to...

I received a long message from an idealistic young friend of my nephew whose family fled Iran after the revolution. He had read an article that claimed that American students placed seventeenth in some ranking of international educational achievement and wondered:

If America no longer has the most talented students, how does it hope to keep its edge in the computer world, or is this the same as what happened in the past like the textile industry?

As is my wont, I told him not to worry about his original concern, that there were more worrisome things to think about:

That's a pretty good question, and I don't think I have a good answer. It's certainly possible that America won't hold its edge in the computer world, for this and perhaps other reasons.

The textile industry is not a good example though, since textiles are the most primitive industrial product. If you lead in textiles, by definition your country is poor (has a very low wage rate).

The right way to think about competitiveness, as a nation or for a smaller organization, is as a complicated ecosystem, with lots of complex interacting mechanisms. One of the important ingredients, no doubt, is the quality (and quantity) of the active "elite" labor force. By elite I mean the managers and inventors, not the ones on the production line. The quality of the non-elite labor force is an important factor as well, but that discussion is for another day.

The quality of the elite labor force might seem to be primarily a function of the educational system, requiring well-prepared young students, an expert older generation as teachers, the proper organization to select, recruit and train the students, and an infrastructure of patient employers to give new graduates appropriate early experience. But that's not the only way to get your elite workforce!

In 1930 the United States had none of these advantages in the sciences (e.g., nuclear physics). It was a backwater where gifted students had to leave the country (for England or Germany) to get a good education. By 1940 (the beginning of WWII) the US was the undisputed leader in almost every major scientific field. How did that happen? Simple: the best scientists created by the remarkable scientific establishments of Central Europe (which had taken 100 years to create), fled their countries and came to the US as refugees.

It's true that by an accident of history, the US subsequently created a wonderful educational system for the scientific elites of the world. We took those grand old men (those Central European refugees), after the war, and used our money to build a great scientific establishment around them, which was eventually inherited by the successors they trained. America's leaders created this establishment, somewhat absentmindedly, because it occurred to someone that it was one more tool to fight global communism. But this system trained as many foreigners (I'm speaking of advanced degrees), quite deliberately, as it did natives.

My point is that the US competitive advantage was never really that it had the best students. It usually didn't. Its competitive advantage was this: if you were a certain type of person, the US was a better place to live your life. Not that the food was better or the people were nicer, or the cities were prettier. But if you wanted to be left alone or be given a chance (or a second chance), America was the place to be.

Our students can sit and watch TV all day if in the end all the ambitious and restless people of the world come here. They have done so for 350 years. The question is: will they stop coming?

This could be the basis for a pretty good Simpsons episode, don't you think? I mean, start with Bart and Homer being their lazy good-for-nothing selves; cut to desperate immigrants climbing over razor wire and crawling through miles of cruel desert; subsequently living in squalor and working in humiliating and grindingly hard jobs in order to put their children through school. One child becomes a doctor who treats Homer's donut overdose and Bart's videogame repetitive stress disorder. Homer and Bart make cruel fun of the doctor's accent, laugh heartily.

Don't like that? I've got a million others.

Happy belated birthday, recondite!

Recondite was eleven months old yesterday, and I didn't even post. I'll post today, even if I have to recycle random scraps of email.

Sunday, April 3

For Free (Ode to Open Source)

I don't know why I'm so tempted to write stuff like this. Apologies to Joni Mitchell.
I slept last night in Los Altos Hills
I went shopping today for Treos
The GIFs brightly beamed on my hand-held's screen
While I checked in upon my Keoghs
I was sitting in a quiet corner
Sniffing at my latte steam
In the Starbucks he sat
And coded like that
On his own laptop for free

Now me I hack for options
And that fancy in-house lunch
I've got a new M5
And a company masseuse
To work-out my shoulder's hunch
I hack if you have the money
Or if you're a top VC
But that unkempt guy
Didn't sell, didn't buy
He was coding real good for free

Nobody stopped to watch him
Though he coded clean and tight
They knew he would never make
Stuff for their PC
So they ignored his download site
I meant to go over and sell him some tools
Maybe make him my licensee
I watched, feeling foolish
As my venti got coolish
He was coding real good for free

(Don't) Hear the music

Long drive today, the traffic made terrible by the spring rains and the end of spring break. Stopped into Starbucks to get caffeine, and surprised myself by buying a Joni Mitchell CD; her so young and winsome on the cover. How did I forget how much I liked her lyrics? It made me think of my commuter marriage:

Oh you are in my blood like holy wine
And you taste so bitter but you taste so sweet
Oh I could drink a case of you
I could drink a case of you darling
Still I'd be on my feet
I'd still be on my feet

And it made me think of the life I've just given away for an interesting job:

I was a free man in Paris
I felt unfettered and alive
There was nobody calling me up for favors
And no one's future to decide
You know I'd go back there tomorrow
But for the work I've taken on
Stoking the star maker machinery
Behind the popular song

On second thought, I probably should have listened to George Thorogood & The Destroyers — better to be bad to the bone than maudlin.

Thursday, March 10

VC-funded Startups (a song written by me)

OK, I haven't posted in a while. OK, for a month. But I've been busy. Came out of retirement to a job (and maybe to a PhD program). More on those topics later, maybe.

On the job I've been meeting with all sorts of entrepreneurial types; people who have started companies, people who want to start companies, people who want to know people who want to start companies. [They're the luckiest people in the world.] When I'm with the old hands we reminisce about the startups, good and bad, that we've been in. Talking about the bad ones makes for way better war stories.

All this talk about bad companies reminded me that I've had a song working its way out of my subconscious for many years now. To be sung to the tune of Tom Lehrer's National Brotherhood Week:
Oh, developers hate the testers
And the testers hate developers
To hate all your coworkers
Is a standard management tool

But in a VC-funded startup
VC-funded startup
PhDs and MBAs
Don't cross each other up
It's fun to use the guys
Who do stuff you despise
As long as you are sure you got more stock

Oh, the ops guys hate the apps guys
And the apps guys hate the ops guys
The new CEO hates the wise guy
Who happens to be the founder

But in a VC-funded startup
VC-funded startup
Everyone can get along if
We don't f**k it up
Who cares which products won't
As long investors don't
Howjya think the tall blond made his mint

Oh, the customers hate the sales force
And the sales force hates the customers
And the management hates the chairman
And everybody hates marketing

But in a VC-funded startup
VC-funded startup
Get big or go home, that the way
No prize for runner-up
Why should you get along,
With people who are wrong?
Who cares your stupid job is getting old --
You only have to wait until we're sold!

Tuesday, February 8

They have a word for it

Recondite readers will find it useful to know that Department of Homeland Security renders to German as Ministeriums für Heimatsicherheit.

Sounds so much better.

Wednesday, February 2

Let's play, "What's the real problem?"

In the spirit of Harper's Index, here are some numbers for you.
  1. Projected federal debt over next ten years: $5.8 trillion.
  2. Social security program surplus, same period: $2.6 trillion.
  3. ANWR estimated reserves: 10.4B barrels.
  4. ANWR reserves into US consumption at current rates: 17 months.
  5. Annual US healthcare spending: $1.6 trillion.
  6. Total costs of malpractice cases: $24 billion (or, 0.024 trillion, if you prefer).
It's not that the administration is on the wrong side of every issue, it's that they pick the wrong issues in order to obscure our country's real priorities. Don't let them get away with it!

One death a tragedy, millions a statistic

I swore I wasn't going to watch the SOTU. Really, I turned on the TV by accident, preparing to cue up a DVD (Yimou Zhang's Hero, if you must know). I had tuned in during one of those applause lines for someone being singled out in the gallery. I saw a close-up on what were probably the parents of some dead soldier, and then a cut to our fearless leader...beginning to tear up.

Gee, as a balance to this cheap sentimentality, maybe the broadcast could have had a crawl at the bottom of the screen pointing out that given the 1440 US troop deaths in Iraq as of today, there are thousands more parents just like these two — only they won't fit in the gallery.

Friday, January 21

Vincit qui patitur

A little patience, and we shall see the reign of witches pass over, their spells dissolve, and the people, recovering their true sight, restore their government to its true principles. It is true that in the meantime we are suffering deeply in spirit, and incurring the horrors of a war and long oppressions of enormous public debt...If the game runs sometime against us at home we must have patience till luck turns, and then we shall have an opportunity of winning back the principles we have lost, for this is a game where principles are at stake.
— Thomas Jefferson, 1798 (quoted by Paul Glastris)

Thursday, January 20

Five or better

My Erdös number, that is. It took some thinking and use of the Erdös Number Project Data Files.

Rivest (E=2) → Lampson → Deutsch → me.

That's not so great, actually. Got to co-author a paper with Odlyzko, get me a three.

Update (1/30/05): Phylis notes she can now determine that her Erdös number is six.

Sunday, January 16

They just don't get it

The Washington Post (registration required) ran their exclusive interview with Bush today. I guess reporters Fletcher and VandeHei were so excited to be on Air Force One that they didn't have a chance to think about what Bush actually said.

In their analysis article the reporters say:

And he said he has no plans to cut benefits for the approximately 40 percent of Social Security recipients who collect monthly disability and survivor payments as he prepares his plan for partial privatization.

But in the interview transcript, after he makes a "no plans to cut" remark, Bush says:

Frankly, our discussions in terms of reform have not centered on the survivor/disability aspect of Social Security. We're talking about the retirement system of Social Security.

That puts a different spin on "no plans" to cut survivor/disability benefits, doesn't it? These people just don't think those benefits (which are 40% of the program) are worth discussing much. I don't know about you, but this implies to me that in the end, they're very likely to get cut.

Addressing a problem of their own devising

By all means, if you are foolish enough to use Windows XP (like me), install Microsoft AntiSpyware. It sucks less.

Thursday, January 13

Oh, so that's why it's got bugs!

Charles Simonyi, writing in Edge, likens programming to encryption. Encryption without benefit of automation, because programming is largely done manually.

The plaintext in this case is the notional specification (of a problem and how it is to be solved). The encryption process transforms this specification into the chunks of gibberish we call programs.

This nicely highlights the difficulty of changing software when the problem (or solution) specification changes — since we've invested so much manual labor "encrypting" the specification, we invariably choose to edit the ciphertext.