Wednesday, July 13

One-liners for the digital age

I'm about halfway through a wonderful book: The Inmates are Running the Asylum, by Alan Cooper. As an aside, the author's primary claim to fame is the invention of something truly horrible long ago. But I think he's sorry now.

The book does a good job of explaining why most industrial products are becoming increasingly unusable.

The simple reason is that it is cheap to add a microprocessor to anything. Once a manufacturer does this, it 1) can add new features at zero marginal cost, and 2) puts software engineers (and their feature mentality) in the critical path of product design. The book's issue is usability; my issue is security, and I'm quite certain we're on the slippery slope to downloading code into our kitchen appliances. I really have wanted to blog about the security aspect of this problem for some time [economist: apparently not]; the post would be called "Someday, your alarm clock will try to kill you".

Cooper has the first chapter of his book ask, successively:

  • What do you get when you cross a computer with an Airplane?
  • What do you get when you cross a computer with a Camera?
  • What do you get when you cross a computer with an Alarm Clock?
  • What do you get when you cross a computer with a Car?
  • What do you get when you cross a computer with a Bank?

The answer in each case is: a computer.

Friday, July 8

More from SOUPS

Excellent paper on phishing from Dhamija and Tygar of UCB, The Battle Against Phishing: Dynamic Security Skins. Doug Tygar, you may know, was co-author of the security+HCI paper Why Johnny Can't Encrypt. They describe the problem of phishing, make a systematic analysis of the technical challenges, survey current phishing countermeasures, and describe countermeasures of their own.

Their proposed countermeasure attempts to address the lack of a trusted interaction path between users and servers for either data entry or security notices (such as the classic padlock). This is because of what they call the general purpose graphics property: on existing computer systems, anything a legitimate website can arrange to appear on the user's screen, a phishing site can put on the screen — or at least similar-looking enough that users won't notice.

A quick summary of how their system works:

  1. They use Tom Wu's Secure Remote Password protocol to allow low-entropy (bad) user-selected passwords as mutual authenticator for user and server. This is a verifier-based protocol where passwords aren't given to the server.
  2. Users choose an image to be used as a backdrop to a password entry window. Only the user's machine has this, so attackers can't guess it.
  3. A visual hash of the verifier is used by the server to decorate data entry pages (i.e., as a background), so that the website has a user-specific look.

...of course this stuff is still vulnerable to man-in-the-middle, but that's not the phishing problem.
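To make the "verifier-based" part of step 1 and the "visual hash of the verifier" in step 3 concrete, here is a simplified SRP-6a-style exchange I wrote for this post; it is not the paper's code, it is not wire-compatible with RFC 5054 implementations, and `skin_seed` is my own stand-in for however the paper actually renders its skins. The only thing the server ever stores is `(salt, v)`, yet both sides end up with the same session key, and the server can derive a stable, user-specific seed from `v` without ever seeing the password.

```python
import hashlib
import secrets

# 1024-bit SRP group from RFC 5054 (generator 2).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g, NLEN = 2, 128

def H(*parts):
    """SHA-256 over the parts; ints are big-endian padded to the size of N."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(NLEN, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def private_x(user, password, salt):
    """Client-side secret; only its exponentiated form (v) reaches the server."""
    return H(salt, hashlib.sha256(f"{user}:{password}".encode()).digest())

def make_verifier(user, password, salt=None):
    """Enrolment: the server stores (salt, v), never the password itself."""
    salt = salt or secrets.token_bytes(16)
    return salt, pow(g, private_x(user, password, salt), N)

def client_start():
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)                      # A = g^a

def server_start(v):
    b = secrets.randbelow(N - 2) + 1
    return b, (k * v + pow(g, b, N)) % N        # B = kv + g^b

def client_key(a, A, B, salt, user, password):
    if B % N == 0: raise ValueError("bad server ephemeral")  # required abort
    x, u = private_x(user, password, salt), H(A, B)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # = g^(b(a+ux))
    return H(S)

def server_key(b, A, B, v):
    if A % N == 0: raise ValueError("bad client ephemeral")  # required abort
    return H(pow(A * pow(v, H(A, B), N), b, N))             # same g^(b(a+ux))

def skin_seed(v):
    """Deterministic 'visual hash' seed the server derives from the verifier."""
    return hashlib.sha256(b"skin" + v.to_bytes(NLEN, "big")).hexdigest()[:16]
```

A wrong password makes the client's key differ from the server's, and the server learns nothing about the password from a failed attempt beyond the fact that it failed.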

And as a counter to sophisticates who despair that users can't be trained to distinguish indicators (e.g., the padlock) in the browser chrome from indicators in the page, they show a Citicorp page where a teeny padlock sits on the page next to the password entry box to show that although the page itself isn't protected, the form will be sent via an SSL-protected HTTP POST!

Thursday, July 7

Live from SOUPS 2005

Blogging from SOUPS 2005 at CMU and cross-posting to The Now Economy.

Ches just gave the keynote talk titled My Dad's Computer, Microsoft, and the Future of Internet Security, which, like all good talks, has been evolving for some time. Money quotes:

  • "Dad, your computer is blowing blue smoke all over the Internet!"
  • "These virus-building tools have GUIs, *nice* GUIs."
  • On 0wn3rs: "They try not to be too disruptive. They've got uses for your computer. It's called time-sharing. They install patches for you to keep (other) attackers out, they work very hard to get bugs out of their software."
  • "You have to get out of the game. Or, as the Karate Kid's Mr. Miyagi says: 'Best block is not to be there.'"

Ches quoted spot prices for botnet cycles — 3 cents per week on the low end for spam forwarding, $40 each for machines on targeted networks. Also interesting, the Phatbot command list.

Ping and others are blogging the conference at Usable Security.

Wednesday, May 4

We're number 17! We're number 17!

I threatened I would recycle email if I had to...

I received a long message from an idealistic young friend of my nephew whose family fled Iran after the revolution. He had read an article that claimed that American students placed seventeenth in some ranking of international educational achievement and wondered:

If America no longer has the most talented students, how does it hope to keep its edge in the computer world, or is this the same as what happened in the past like the textile industry?

As is my wont, I told him not to worry about his original concern, that there were more worrisome things to think about:

That's a pretty good question, and I don't think I have a good answer. It's certainly possible that America won't hold its edge in the computer world, for this and perhaps other reasons.

The textile industry is not a good example though, since textiles are the most primitive industrial product. If you lead in textiles, by definition your country is poor (has a very low wage rate).

The right way to think about competitiveness, as a nation or for a smaller organization, is as a complicated ecosystem, with lots of complex interacting mechanisms. One of the important ingredients, no doubt, is the quality (and quantity) of the active "elite" labor force. By elite I mean the managers and inventors, not the ones on the production line. The quality of the non-elite labor force is an important factor as well, but that discussion is for another day.

The quality of the elite labor force might seem to be primarily a function of the educational system, requiring well-prepared young students, an expert older generation as teachers, the proper organization to select, recruit and train the students, and an infrastructure of patient employers to give new graduates appropriate early experience. But that's not the only way to get your elite workforce!

In 1930 the United States had none of these advantages in the sciences (e.g., nuclear physics). It was a backwater where gifted students had to leave the country (for England or Germany) to get a good education. By 1940 (the beginning of WWII) the US was the undisputed leader in almost every major scientific field. How did that happen? Simple: the best scientists created by the remarkable scientific establishments of Central Europe (which had taken 100 years to create), fled their countries and came to the US as refugees.

It's true that by an accident of history, the US subsequently created a wonderful educational system for the scientific elites of the world. We took those grand old men (those Central European refugees) after the war and used our money to build a great scientific establishment around them, which was eventually inherited by the successors they trained. America's leaders created this establishment, somewhat absentmindedly, because it occurred to someone that it was one more tool to fight global communism. But this system trained as many foreigners (I'm speaking of advanced degrees), quite deliberately, as it did natives.

My point is that the US competitive advantage was never really that it had the best students. It usually didn't. Its competitive advantage was this: if you were a certain type of person, the US was a better place to live your life. Not that the food was better or the people were nicer, or the cities were prettier. But if you wanted to be left alone or be given a chance (or a second chance), America was the place to be.

Our students can sit and watch TV all day if in the end all the ambitious and restless people of the world come here. They have done so for 350 years. The question is: will they stop coming?

This could be the basis for a pretty good Simpsons episode, don't you think? I mean, start with Bart and Homer being their lazy good-for-nothing selves; cut to desperate immigrants climbing over razor wire and crawling through miles of cruel desert; subsequently living in squalor and working in humiliating and grindingly hard jobs in order to put their children through school. One child becomes a doctor who treats Homer's donut overdose and Bart's videogame repetitive stress disorder. Homer and Bart make cruel fun of the doctor's accent, laugh heartily.

Don't like that? I've got a million others.

Happy belated birthday, recondite!

Recondite was eleven months old yesterday, and I didn't even post. I'll post today, even if I have to recycle random scraps of email.