On the Assimilation Process

Three years and three days ago I announced that “I’m Joining Microsoft.” While I was interviewing, my final interviewer asked me “how long do you plan to stay?” I told him that I’d make a three year commitment, but I really didn’t know. We both knew that a lot of senior industry people have trouble finding a way to be effective in Microsoft’s culture.

So I wanted to pipe up and say I’m having a heck of a lot of fun, and have found places and ways to be effective. I’m getting to develop and share things like our SDL Threat Modeling Tool, and I get to be very transparent about the drivers and decisions that shape it. I’ve got some even cooler stuff in the pipeline, which I’m hoping will be public in the next year or so. My management (which has shifted a little) is supportive of me having two external blogs.

It’s been a heck of a ride so far. Dennis Fisher asked a great question to close this Hearsay Podcast, which is what surprised me the most? I was a little surprised by the question, but I’m going to stand by my answer, which is the intensity and openness of internal debate, and how it helps shape the perception that we’re all reading from the same script. It’s because we’ve seen the debate play out, with really well-informed participants, and remember which points were effective.

I can’t wait to see what happens in the next three years.

Emergent Traffic Chaos

Paul Kedrosky has an amazing video:

As described in the New Scientist:

Researchers from several Japanese universities managed the feat by putting 22 vehicles on a 230-metre single-lane circuit (see video).

They asked drivers to cruise steadily at 30 kilometres per hour, and at first the traffic moved freely. But small fluctuations soon appeared in distances between cars, breaking down the free flow, until finally a cluster of several vehicles was forced to stop completely for a moment.

The Cost of Anything is the Foregone Alternative

The New York Times reports:

At least six men suspected or convicted of crimes that threaten national security retained their federal aviation licenses, despite antiterrorism laws written after the attacks of Sept. 11, 2001, that required license revocation. Among them was a Libyan sentenced to 27 years in prison by a Scottish court for the 1988 bombing of Pan Am 103 over Lockerbie.

It’s long been a truism of economics that the cost of anything is the foregone alternative. In this case, a huge amount of our air travel security spending goes into ensuring that you can’t fly if your name and ID don’t quite match (looking at you, Jim), rather than preventing convicted terrorists from getting aviation licenses.

The emergent chaos of fingerprinting at airports

HONG KONG (Reuters) – A Singapore cancer patient was held for four hours by immigration officials in the United States when they could not detect his fingerprints — which had apparently disappeared because of a drug he was taking.

The incident, highlighted in the Annals of Oncology, was reported by the patient’s doctor, Tan Eng Huat, who advised cancer patients taking this drug to carry a doctor’s letter when traveling to the United States. (“Cancer patient held at airport for missing fingerprint“, Reuters, May 27 2009)

Reuters classifies this as “oddlyEnoughNews,” but in fact it’s not odd at all that over time, additional layers of “no” will expose conditions unimagined by their designers. Chaos will emerge. In a free society, that chaos is an accepted part of life. We stop only that which is explicitly denied, not that which the designer didn’t anticipate. In information security, we often default to deny, because we know our imaginations are limited. But the role of security in society used to be carefully limited, for precisely these reasons.


(Via Slashdot)

UnClear where the data will go

So Clear’s Verified Line Jumper service has shut down. Aviation Week has a blog post, “
Clear Shuts Down Registered Traveler Lanes
.”

Clear collected a lot of data:

The information that TSA
requires us to request is full legal name, other names used, Social Security number (optional), citizenship, Alien Registration
Number (if applicable), current home address, primary and secondary telephone numbers, current email address, date of birth,
place of birth, gender and height. TSA also lists as optional, but helpful, the following personal information: home addresses,
driver’s license number and employer’s name and address…digital photo and digital images of all of your fingerprints and your irises…your credit card.

This raises a very serious problem with a company like Clear/Verified Identity Pass, Inc. The in-depth, validated customer data is likely to count amongst such a company’s most valuable assets. Their privacy policies make no mention of what would happen to it in the event that the company goes bust.


Does anyone know where Clear was incorporated? Maybe I’ll bid at the bankruptcy auction.

[Update: Tamzen points out that there’s an update on their site, promising that Clear will abide by the “Transportation Security Administration’s Security, Privacy and Compliance Standards” and “take appropriate steps to delete the information.” Google thinks that those standards might refer to “Transportation Security Administration’s Security, Privacy and Compliance Standards.” Me, I wonder why they say “take appropriate steps” rather than just promising to delete it. Back in the day, Brill’s Content might have taken them to task for that.]

Iran Links

Ron Paul supporter inadvertently gets iPhones banned from U.S. aircraft

Via CNN:

Steve Bierfeldt says the Transportation Security Administration pulled him aside for extra questioning in March. He was carrying a pocket edition of the U.S. Constitution and an iPhone capable of making audio recordings. And he used them.
On a recording a TSA agent can be heard berating Bierfeldt. One sample: “You want to play smartass, and I’m not going to play your f**king game.”
Bierfeldt is director of development for the Campaign for Liberty, an outgrowth of the Ron Paul presidential campaign.
[…]
Unbeknownst to the TSA agents, Bierfieldt had activated the record application on his phone and slipped it into his pocket. It captured the entire conversation.
An excerpt:
Officer: Why do you have this money? That’s the question, that’s the major question.
Bierfeldt: Yes, sir, and I’m asking whether I’m legally required to answer that question.
Officer: Answer that question first, why do you have this money.
Bierfeldt: Am I legally required to answer that question?
Officer: So you refuse to answer that question?
Bierfeldt: No, sir, I am not refusing.
Officer: Well, you’re not answering.
Bierfeldt: I’m simply asking my rights under the law.
[…]
The officers can be heard saying they will involve the Federal Bureau of Investigation and the Drug Enforcement Administration, and appear to threaten arrest, saying they are going to transport Bierfeldt to the local police station, in handcuffs if necessary.
[…]
Near the end of the recording an additional officer enters the situation and realizes the origins of the money.
Officer: So these are campaign contributions for Ron Paul?
Bierfeldt: Yes, sir.
Officer: You’re free to go.

Suffering for Art

barrel-monster.jpg

Joseph Carnevale, 21, was nabbed Wednesday after a Raleigh Police Department investigation determined that he was responsible for the work (seen below) constructed May 31 on a roadway adjacent to North Carolina State University. Carnevale, pictured in the mug shot at right, was charged with misdemeanor larceny for allegedly building his orange monster from materials pilfered from a construction site. According to an arrest warrant, Carnevale “destroyed three road blocking barrels by cutting and screwing them together to form a statue.”

Via The Smoking Gun.

Posted in art

Privacy Enhancing Technologies 2009

The organizers of the 9th Privacy Enhancing Technologies Symposium invite you to participate in PETS 2009, to be held at the University of Washington, Seattle, WA, USA, on Aug 5-7, 2009.

PETS features leading research in a broad array of topics, with sessions
on network privacy, database privacy, anonymous communication, privacy
policies, and privacy offline. (The PETS 2009 program is here.)

Like last year, we also present the HotPETs workshop, which showcases hot new research in the field.

We will also be presenting the Award for Outstanding Research in Privacy
Enhancing Technologies to researchers who have made an outstanding
contribution to the theory, design, implementation, or deployment of
privacy enhancing technology.

Important dates:

Stipends deadline: July 2
Hotel group rate deadline: July 5
Earlybird registration deadline: July 9
Symposium: August 5-7

Venue and registration information, as well as the program, can be found
at the PETS 2009 website.

We hope to see you in Seattle!

– The PETS 2009 organizers

Chaos in Iran

iran2009elections.jpgMillions of people in Iran are in the streets, protesting a stolen election. Nate Silver, who did a great job on US election statistics has this:

However, given the absolutely bizarre figures that have been given for several provinces, given qualitative knowledge – for example, that Mahdi Karroubi earned almost negligible vote totals in his native Lorestan and neighboring Khuzestan, which he won in 2005 with 55.5% and 36.7% respectively – there is room for a much closer look.

Nate is a big fan of data, and posted the official election results.

What’s most interesting to me is the role of power and chaos in the midst of this. The first use of power, Ahmadinejad’s theft of the election, was a classical use of power by the leviathan to exert control. The responses of the world’s hyper-power is deeply constrained by history. In 1953, the CIA overthrew the elected Prime Minister, Mohammed Mossadeq, a fact well known to Iranians. If the US acts improperly or throws power around, it will de-legitimitize whatever result comes. The sheer extent of power that the US has makes it hard to use without looking like a bully.

In the meantime, in the chaotic world of everyone a publisher, opposition is forming, organizing, and changing the face of Iran. It’s hard to know how it will all turn out.

Twitter is being used to cover the election and protests and the rate of posts is staggering. It’s worth a few minutes just to see the pace of use of the #iranelection tag. (Compare the pace to whatever happens to be in second place by looking at how many seconds of posts are between the first and last on the page.) Iranians on Twitter during the june clashes. A moving Flickr slideshow is here. There’s also a tremendous amount TehranLive.org. In the more traditional media, Andrew Sullivan is doing as good a job as the New York Times capturing the English language end of it. Both add some context and history, as does Wikipedia’s Iran presidential elections 2009 article. Neither capture the sheer energy and pace of on the ground reporting.

Photo: TehranLive.org

Publius Outed

The pseudonymous blogger, Publius, has been outed. Ed Whelan of the National Review outed him in what appears to be nothing more than a fit of pique at a third blogger, Ed Volokh, and Publius commented on Volokh’s criticism of Whelen, so Whelen lashed out at Publius. Or so it seems from the nosebleed bleachers I sit in.

I suppose Publius isn’t completely blameless, but the only thing I’d criticize him for is his taste in names. “John J” would have been cuter, and heck why not just use “Jim Madison”?

However, the particulars aren’t really important. What’s important is the issues of pseudonymity, and so on. So I will move on to those.

Let’s get something straight from the start: pseudonymity and anonymity are not the same thing. I feel like it shouldn’t need constant repeating, but hey, if law professors can’t get it right, how can we expect other people to get it right? A pseudonym is an identity. It is an identity that is earned, because you don’t get to use any of your previous reputation. You’re starting from zero, especially when blogging.

There are many reasons people use a pseudonym. Publius did it because he’s a reasonably young law professor and has heard that there can be tenure issues for controversial blogging.

Maybe. If what you write isn’t very good, there’s a low cost to it, personally. But if what you write is good, then ironically, being known to be a pseudonym is better than the pseudonym itself. Mark Twain, Voltaire, and are better known than their so-called real names. Think of all the great actors and musicians who are known far better by their stage names.

This is why outing a pseudonym is a two-edged sword. It will likely irk the person using a pseudonym, but it’s less likely to hurt them, especially if they’re reasonably good. John Blevins is probably not going to have tenure problems, especially now that Whelan outed him. Ironically, he’s probably better off for having been outed than not and part of that is who outed him.

Well-known personages who are irked by pseudonymous writers may think they’re being attacked by some anonymous little nobody who is hiding, but no, they’re being attacked by an identity that’s just not easily tied to some SSN. The power relationship is such that the better-known person is unlikely to look good. Whelan certainly hasn’t come out on top on this one. While pseudonymity is somewhat controversial, it cuts across political lines and some of the most thoughtful criticism of Whelan comes from his admirers. And in the future, everyone in the law biz who remembers Publius will think better of Blevins. We human beings do that; that’s why the old movie star’s dictum about publicity is, “spell my name right.”

In other cases, the pseudonym still wins. Dan Lyons wasn’t hurt by being outed as Fake Steve Jobs. Joe Klein wasn’t hurt by being shown to be Anonymous. Juan Non-Volokh was probably helped by being outed, too, and Prof. Brian Leiter, who outed him, probably suffered in his reputation.

This is perhaps, I think the most important point, as it’s simply practical. If a pseudonym ticks you off, you’re better off letting them stew in their own juices. The better known a pseudonym is, the better it is for the author to be known as the pseudonym.

There are exceptions to this, of course. If Publius were a politically conservative professor blogging out his inner liberal, there’d be a hypocrisy issue that would hurt him, but it doesn’t make it any more right. Thoughtful people who out hypocrites usually talk about the outing being necessary despite it being questionable.

Nonetheless, an important lesson to this is that as Feedie said, outing a nym is “a matter of basic decency” and “unworthy of someone with [his] impeccable professional credentials”.

Pirate Party Victory in Sweden

“Together, we have today changed the landscape of European politics. No matter how this night ends, we have changed it,” Falkvinge said. “This feels wonderful. The citizens have understood it’s time to make a difference. The older politicians have taken apart young peoples’ lifestyle, bit by bit. We do not accept that the authorities’ mass-surveillance,” he added.

Funny thing about what happens when the majority of the population participates in an illegal activity: eventually it’s not illegal anymore.

So writes John Quarterman in “Pirate Party Legitimized by Winning EU Parliament Seat.”

As an author who’d love to make enough money to live off my writing, I’m somewhat saddened by the idea that people’s creative work is easily copied. I wonder a lot about the business models of the future, and what winner-takes-all and the rise of prosumer enthusiasts means to the middle of the production curve. That is, people who aren’t Steven King or J.K Rowling or ever going to get a book on the Times bestseller list. Will there be thousands of people able to earn a living writing book-length articles without a patron?

But I’m heartened to see the abuse of power result in a backlash. I can’t help looking forward to the first copyright hearings in the new EU parliament.