Monday, April 30, 2018

Leaving Facebook

It’s time for me to #DeleteFacebook. I hadn’t been on the platform regularly in years. My main interaction with it was to deny that I was trying to reset my password, and then find out that people had left me Messenger or direct messages 3+ months ago. Now that what we thought was happening–overarching harvesting of data with limited controls on how it gets used–has been revealed in the Cambridge Analytica fiasco, I am simply done.

I stayed on, despite working for a competitor who had shelved several variants, some with their own set of privacy concerns, in deference to a *ahem* less popular social network. Both companies are so heavily entrenched in applying user data toward advertising dollars. It’s easy to point out the speck in their eye, and so I don’t enter into criticism of Facebook glibly, especially where it appears I’ve been drinking Google’s own Kool-Aid.

That said, it appears to me that Google and Facebook have different takes on the problem. Google takes privacy criticism and revamps its design and pre-launch evaluations to raise the bar on customers’ ability to understand and manage the data Google has and curates for them, including where it is handed to third parties in the hopes of an improved, customized experience. Meanwhile, Facebook, admittedly entirely from the outside, appears to fix the window dressing, only to have similar privacy concerns re-erupt later, with an ever larger affected populace as Facebook’s userbase increases1. I see no end to this, and literally cannot, as the history of abrogated promises cannot inform me.

I hope that I am wrong, and I know there must be dedicated individuals inside of Facebook working towards a better future for their customers and their data. I wish them the best, and can empathize with the difficulty of their plight, both technically and business-wise. Until then, I will be sticking to Twitter / Signal / Hangouts / E-mail until I find a better ecosystem.
----
1 Tufekci, Zeynep. "Why Zuckerberg’s 14-Year Apology Tour Hasn’t Fixed Facebook." Wired. April 6, 2018.

Tuesday, October 25, 2016

Systemic risk in leak-based electioneering

I recently interjected into the following Twitter conversation, wherein @thegrugq asked if media self-censorship in the face of state-sponsored election meddling was warranted. Mr. Greenwald's answer was a resounding, "No."
Mr. Greenwald went on to publish a related, thoughtful, long-form article in The Intercept. If you've not read that, start there and come back.

Let's presume that Mr. Greenwald's lemma #5 is satisfied, and that a particular leak of dubious legality has much material that is expressly in the public interest. Let's also assume that in a given election cycle, the various candidates have dirt to be uncovered that would also satisfy the bar of public interest. Then, given
  1. Election cycles have a limited duration.
  2. In any specific time period, the media as a whole has limited resources to investigate, vet, and publish.
  3. It costs less to validate leaked documents' authenticity than to uncover the same problem through direct investigation.
it follows that the most efficient media strategy, both in terms of cost and journalist-time, is to mine leaks and report on them before falling back on investigation.

Whereas Mr. Greenwald's commentary is a great decision criterion for publishing any one piece of revealed information, it does not address the concern of what to choose to follow up on among multiple leaks, or what to do when you have leaks about one candidate, and investigative journalism to do on the other. Obviously reporting on the things you know in the public interest is important, but if the media on the whole satisfy themselves at the feeding trough of the leak, then the media will be complicit in differential coverage of the candidates. This model relies on partisan or contrarian journalists leaving said feed trough because their interests aren't simply costs or efficiency.

I think in the long run, information can find its way out: leaks run out of new reportable data and people are forced to look elsewhere. But in the scope of a campaign, that long run may be well after election day, and leaks can serve as the smoke and mirrors distracting the electorate.

Furthermore, it follows that anyone wishing to influence the election is given incentive to, by any means possible, dump as much as they can get about their opponent and hope that as much dirt as possible passes the long-tail of each journalist exercising their own filter on what counts as public interest. I'm generally pro-transparency, but setting a high bounty on exfiltrating private data to help nudge elections toward having friendlier candidates in office seems like an inherent risk in this model of journalism.

Friday, May 08, 2015

Individual Personal Liability for Software Patent Infringement

To understand where my bias lies, let me first explain that I believe the patent system, as applied to software, is pretty fundamentally broken. I also don’t think that this idea will fix the underlying system, but merely change the way the symptoms are exposed.
Whereas the penalties for patent infringement, with enhanced damages for willful infringement1, give the incentive to companies to not search patents before implementing code to reduce risk of liability, and

Whereas the lack of such searches both causes software patents not to improve the state of software development, causing companies to reinvent the wheel repeatedly, and contributes to a state of having multiple overlapping patents on a range of questionably novel processes, many of which with fairly well known2 prior art, watering down the value of the patent registry even for customers that do research patents, both of which contribute to general inefficiency, and

Whereas software developers are generally shielded from any personal liability incurred by infringing a patent while employed by a company, and therefore make different risk/reward decisions with regards to patents, mostly reinforcing the incentive to not search patents,

Therefore, be it resolved that we add enhanced damages to infringement when a proper search of existing patents for relevant patents has not been done, and

Be it resolved that we remove enhanced damages for willful infringement, under the new presumption that, based on having a proper search for patents, all infringement is willful, and

Be it resolved that the software engineers writing the code that infringes be held, along with their employer, jointly and personally liable for the damages for lack of proper search and infringement.



The corporate policies at my current and previous jobs both inhibit me from searching for patents, specifically to avoid risk of extra damages incurred by the company in case a lawsuit ever happens. This makes for a useless system that just adds legal risk and overhead, and employs a bunch of lawyers, especially in the form of patent trolls.

The idea for the above came from learning that some states’ anti-discrimination laws allow personal liability for sexual harassment. My hope is that the combination of changing the application of damages to invert the current head-in-the-sand relationship most companies have towards patents and making individual engineers have some skin in the game, will drive a sea change of patent registry grooming in the form of EFF's patent busting. Maybe at the other end we'd end up having a smaller registry of things engineers can actually use.

1 35 U.S.C. § 284 para. 2 (1994)
2 Within the industry, if not necessarily the patent office.

Thursday, November 08, 2012

Anchor to the left

Aside from all the bewildered centrist and right media pundits claiming a need to "reach across the aisle" in this next presidential term, I assert that instead, we should reach for the stars and force the GOP to choose between playing obstructionist games (and thus, I hope, frustrate their home base) or compromise and let us make progress.1

As such, I submit for your consideration a number of ideas:
  • Amend the Constitution to remove the electoral college and thus make every vote count equally for the presidency. Make the voting day a national holiday. Require that voting mechanisms be inspectable/verifiable by members of the public.
  • End the drug war. Spend the current funding on FDA approval tracks, social service harm reduction, and nationwide, fully-funded (optional) preschool education.
  • Replace the mortgage tax deduction (via 7 year step-down sun-setting clause) with a per-capita housing/rent-assistance stipend.
  • Single-payer healthcare.
  • Fix the whistleblower protection act.
  • Replace the corporate income tax with a series of fees related to the size of the business, and the number of regulatory areas the business falls in (i.e., to offset the expense of employing regulators, enforcers, etc.) Or at least reduce the corporate income tax to the point where that's effectively what it's paying for.
  • Universal high-speed internet as a federally funded public utility. If it's not available locally (with high standards for fidelity and price to consumer), the fed gov't will install it as an alternative.
  • Protection for LGBTQIA. (Civil) marriage for all. Repeal DOMA, DADT, etc.
  • Establish new rules for non-nation-state-war conflict. Reestablish writ of habeas corpus. Remove disparity for military combatant (citizen or no). Require bilateral nation-state-level treaty to allow US to prosecute such conflict on foreign soil. Citizens must get public (non secret tribunal trial), even in absentia, before being assassinated, and any such effort must show that (1) the target poses additional future risk and (2) that a capture operation's risk exceeds that of assassination operation risk and target's additional future risk combined.
  • Establish a bipartisan congressional committee to oversee exec branch invocations of state secrets.
  • Remove the senate secret hold rule.
  • Go back to the old senate filibuster rules, requiring an actual senate member to stand and address the floor. At least it'll take away their time to devote to fundraising and other political causes, so it'd better be worth it to them and their base.
  • Treat capital gains as income for tax purposes. Reduce the income tax accordingly.
  • Institute redistricting rules that establish regular redistricting using a computationally fair model. (e.g., http://math.stanford.edu/~dankane/COMAP07.pdf)
Thanks to Planet Money, On The Media for several of these ideas. And I'm sure several filtered in from random sources via Boing Boing or Twitter.

1 I assert that is what the GOP does anyway, so this is just using the tools of the trade.


Tuesday, March 20, 2012

Pwnd1

Jack jumped up the last few rungs, and through the open window, swearing again. He knew how to be careful. And this time was cutting it a little too close.



Crossing the border was always a nightmare. He expected the lines, the waiting, the mind numbing slowness, the bland faces of the agents working to sort through the safe from the un-. He expected to be pulled out of line—it was inevitable—and subjected to extra scrutiny and harassment. Such was the price for having irritated a few too many folks with ties into National Security. The only really irritating thing about it, other than the delay, was the dirty looks he received from the other passengers, as it already being a foregone conclusion that the agents must be right: He must be an undesirable. He must be worth taking away. “Now, that is a reflection of what’s wrong with society,” he thought as he shuffled toward a nondescript booth and the two hours of flowchart-directed Q&A. The answers flowed simply, for honesty was easy when there wasn’t anything to divulge, or, at least anything that would give them access to the technical underpinnings to accessing his digital life.

Later, sweaty, a bit worn, and more than a little frustrated for the G-men stuck in their roles as perennial persecutors, Jack emerged, papers and baggage cleared, sans phone. It was usually about a fifty-fifty chance he’d get his phone back, and even if he did, it was almost not worth the expense of delinting. Except for the wait, tossing it into the vendo-recycle and getting a new one was nigh equivalent – you still had to do a hardware x-ray, and providing your own firmware was de rigueur even if it weren’t required for safety. As much as the G-men were excited to try and probe his phone for some security hole, there wasn’t anything on it except for a few pointers to honeypots, and those were only to ensure that some long term key wasn’t rooted from one of his other servers. He imagined the look on their faces if they did happen to hit one of those servers though; the keys did guard information, but it was usually some carefully prepared wikileaks-style content package, and if he and his server got it right, it was usually dirt on the fellow actually doing the old skool B&E. Scaling the escalators to the transit bay, he traded some of his BC2 to dollars and some of those dollars into transit passes. First destination: the mall.

The mall is a necessary device. As mundane and reductive as it is for most of its custom, Jack is a fine breed of mall dweller. How many other patrons use its X-ray stores, not for self-MRI or for fine-tuned diagnostics of one’s own health, but instead for the devices they have on them. Jack steps out of the mall-bound bus mid-stop and heads across from the Orange Julius to the vending machines, and picks out a Kazer 103a. His BC2 is diminished, but now he has the device that will serve him until the next border, or next time someone pins him down. Kazer is a good brand, and more importantly, an often purchased brand, and thus not worth the G-men bugging every version, especially out of Southcenter. His natural device has about twice the horsepower, and four times the memory, but that’s far from being the important limitation… this new device, as much as it has a lovely intro movie to explain each aspect of how one might use it, is, well, unclean. The 90s and early 00s showed most people that giftware was crapware, if not outright spyware, and the denizen of the 10s brought their firmware with them. Unfortunately, Jack was not so blessed. Being stripped of his machinarium by the gestapo-lice meant that he was vanilla boy, home schooled, bootstrappin’ for great justice. He acquired a mundane firmware at another station, and refried the device as he walked to the x-station. Feigning recent cataract surgery, he said, I want to know if they “implanted something”, and got himself scanned. Looking at his device in the scans, he could see no foul play: The 389 would have been readily visible if it was there, gleaming like a bulbous capacitor above the headphone port. More advanced stuff was necessarily larger, and would have stood out like a sore thumb.

Jack walked into the mall transit station. His device, having locked into local Wifi, 4.5G, and subter, had started to download his packages… the ones that will let him actually talk to any part of the world that wasn’t right in front of him. Boarding a Westlake-bound train, he pressed his left cheekbone against the glass as his device woke up and figured out that there's a whole new world of applications ready to download and run. The physical world blistered by, and by the time he emitted out of First Hill, his phone was now finally ready to use.

“Don’t even f’ing go there.” After he entered his shortcode and 2authconf, that admonition displayed on the frontispiece. “Well, that’s just f’ing grand. What the hell else am I supposed to do,” he murmured, purportedly to himself, but anyone within earshot got a load of his invective. “I’ve just been done over by the gendarme and need a freakin’ break.”

Under the covers, his transmission headed out, carried on a stream of data from one accepted host to another. The very protocol he invented, multicast SSL, carries an alternate form across at least two other streams and makes his connection not just “hard,” but “solid”… a term used by his former teammate when he was able to ensure a control signal even despite 80% signal cancellation and “no way to get in”. The 2authconf seeded the phone with several one-time-bufs, and was able to live on those for minutes while trying to get in touch with the one person who might have made his trip to the homeland worthwhile: The Prince.

The Prince was busy.

Instead, Jack lurked on channels, opening one to the “389,” cruel homage to those that might track them and hunt them down. The 389 chip was a signal processing unit that would copy signal to another track and transmit it. Straightforward (mostly), and harmless (mostly), modulo those silly folks who still thought their unmodulated signal would not be noticed by the powers that be.

Jack got off the train, and walked nary a half block away, to the T-bar, where he ordered a double-espresso and Jameson’s, and tried to make contact. In the meanwhile, he tried normal avenues — Facebook (still an old standby) and Twitter, simple but misused, venue. Both seemed stymied, until… pure signal.

One of the unadulterated joys of the watched, concerned, or paranoiac crowd is a SSL .95 signal. That doesn’t even make sense unless you’re talking about multicast, which probes all available connection points for channels through the murk. It’s easy enough if you have a sufficiently faithful line to source, where you’re faithful all 100%, unless you drop packets. Instead, it’s when you’re watched, marked, nigh surrendered that .95 is the a4some, when despite signals being hacked, subverted, closed, or snooped on, you were entirely sure that what you had to say would not end up on some poor NSA analyst’s desk. Ninety-five-point, is what you call it, and it works… until it doesn’t.

On his unadulterated, vanilla unit, it sang “free and clear!” repeatedly until it got shut off. It wasn’t even clear until afterwards that whomever had watched what was transpiring on his social network actions had modulated signal, closing connections on one side, and then the other, hoping to be on the right side of entropy, and learn the keys that were controlling the session. Sadly, this kind of attack, which Jack’s software would have been warned against, was muted by vanilla versions of the same software, which had no idea that anyone might want to subvert them.

The tick-tock of repeating channel switching transpired as the vanilla unit tried to ensure the connection. Key-exchange after key-exchange occurred, with the watchers gathering data on the nonces, looking for patterns in the supposed randomness. The Kazer line was known not to have randomness faults, plenty of entropy given it took into account touch lengths, distances, accelerometer readings and, if necessary, GPS slop. Yet still, given enough evidence, and a large enough MapReduce, the watchers could smoke an ordinary machine. It might take minutes or hours, days if you were careful and kept track of your exchanges.

To Jack, it looked like a craptastic connection, a regular occurrence while on the light rail, that finally stopped being so slow about the time that he reached Westlake. He tried one last time to reach The Prince before hitting the dead drop.

“When you need something done right, format it yourself,” is a motto held by many neteratti who have seen bad software ruin good devices. Jack failed again to contact his friend, but it was solace to be able to walk into the Nitelite, find the stored USB fixed drive secreted in one of the booths, and firmware replace the Kazer with Nutella 0.81b. Two slow gin fizzes masked the ghastly slowness of the update and the partial reconfiguration of the OS on the device after it compared package MD5 hashes and elected to sidestep the normal installation channel for some Important Updates.

The crowd was a normal before-10 crowd, waiting for someone to start them up, or some DJ to blaze the latest crazed mix of house dubstep into their willing ears. After dragging a decent BC2 paytip onto a fringe and snapping it off onto the table, Jack was ready to leave.

And yet.

When people are well funded, when they’re out for blood and you’re a means to an end, one doesn’t expect fair play. Four large men in trenchcoats entered the Nitelite and scanned for their target. Sometimes having a regularly vacillating hairstyle pays off, and Jack noticed his “admirers” first. Dropping a “shiiiii…,” Jack silently shouldered through the employee door, ducked between two waiters, and dashed outside to the alley. Tearing north and then eastward, he stepped up onto one of the brick walls and grabbed the fire escape, mounting it with impressive force. Breathing hard, he launched himself through the half-open window into Gemini’s pad, and breathed a sigh of relief as the hard noise of boots on pavement echoed below and the G-men ran by.

Sunday, March 11, 2012

Attribution burden for podcasts

Editor’s note: I am an avid listener and sponsor of On The Media, and acquaintance of the author of the Feminisnt blog, who uses the moniker Furry Girl when posting on that site.

On March 2nd, OTM producer Sarah Abdurrahman was featured in a segment on the On The Media podcast, talking with Bob Garfield about making Freedom of Information Act (FOIA) requests about herself. In that segment, she refers to her source idea, being “this blog post about this woman who” made FOIA requests about herself. She then goes on to quote several details out of this blog post verbatim, specifically, some of the entries in the FOIA results. Bob moves on to discussing Sarah’s own experience doing the same and never is the blog mentioned, nor the author of the blog post mentioned.

Sarah also produced her own blog post on the OTM site the same day, covering some of the same details as the segment. It, too, never mentions either the name of the blog, or the author, but does provide a link to the Feminisnt blog post from which she gathered her source idea.

This event, which, on a better day would have served the dual purpose of spreading the word about citizen access to government information, and more readership of a blog which helped initially promulgate that information, ended up turning sour.

The original Feminisnt blog post has, at the bottom, a little icon, Creative Commons License, and a comment that the text is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License. It requires, presuming you’re a non-commercial entity (OTM is a not-for-profit), that you provide attribution if you were to share the work (i.e., copy, distribute, or transmit). Whereas the OTM blog post has a link (and thus attribution), it doesn’t strictly, license-wise, need one—it is not copying, distributing or transmitting the original work, but merely providing a reference. On the other hand, the OTM segment copies/transmits select small portions of the work over the public radio airwaves and via the internet in podcast form.

The lack of attribution by the OTM show itself spawned a series of angry tweets and a blog rant and, so far, one response by OTM’s Senior Producer, Katya Rogers, which includes a denial: “neither our blog post nor our broadcast segment constitute copy, distribution or transmission of Furry Girl's original work.”

The OTM segment was clearly not a whole copy, but neither is it free of the work in question. From a legal perspective (and I am not a lawyer), it seems that both of the following are true: (1) OTM only borrowed a small amount, and (2) even if that were to be sufficient to show a prima facie case of copyright infringement, OTM could argue fair use.

That said, I argue that there’s been a bit of a departure from ethics on OTM’s part. In order to bolster their OTM segment, presumably due to the humor value and simultaneous big brother nature of the FBI commentary, they use another person’s produced information. This is information that they could not get for themselves: In the case of Furry Girl’s story, OTM FOIA requests would never return such data, it being a request that only Furry Girl could have fulfilled. In terms of Sarah’s own data, FOIA requests are notorious for how long they take to fulfill, so they could have waited until the FBI finally responded to put up the story, but they did not–they instead used information from the original blog post. I know that we don’t own the news we break, but in this case, there’s no available, more original direct source. The fact that OTM did this and didn’t bother to refer to the original source material in situ is what I take issue with. They could have produced the entire segment without any of the Feminisnt source material, and gotten most of the idea across and not incurred an ethical obligation.

It does not suffice that Bob gave a link to Sarah’s post and that Sarah’s post, in turn, gives attribution to Furry Girl. The OTM segment itself should have given attribution, and not just in the form of an “if you want to know more, here’s a link”.

If it had been a random guest on the show instead of Sarah, it would have been an issue I would have taken with that guest about their own standards of sourcing and attribution. Instead, the segment was produced entirely by the OTM staff, who raise the bar about journalism standards around the globe, and it seems that they, of all people, should know how to do better.

P.S., Whereas I think the OTM staff could have done better, the hyperbolic escalation by Furry Girl and the yield-no-ground nature of Ms. Rogers’ response seem to me to be largely wasted efforts on both sides. All Furry Girl wanted was attribution, and attribution would have been trivial to provide. Instead, we have a threatened legal battle and Google bombing, and who knows what future waste. Aren’t there more things wrong on the Internet to which we can now attend?