Life

[image: Life.jpg]

Today will be remembered along with the landing on the moon and the creation of the internet:

Researchers at the J. Craig Venter Institute (JCVI), a not-for-profit genomic research organization, published results today describing the successful construction of the first self-replicating, synthetic bacterial cell. The team synthesized the 1.08 million base pair chromosome of a modified Mycoplasma mycoides genome. The synthetic cell is called Mycoplasma mycoides JCVI-syn1.0 and is the proof of principle that genomes can be designed in the computer, chemically made in the laboratory and transplanted into a recipient cell to produce a new self-replicating cell controlled only by the synthetic genome.

Press release, or read more in Science or the Economist. (Whose image I borrowed.)

We’ll always have Facebook…

Facebook, Here’s Looking at You Kid

The last week and a bit has been bad for Facebook. It’s hard to recall what it was that triggered the avalanche of stories. Maybe it was the flower diagram we mentioned. Maybe it was the New York Times interactive graphic of just how complex it is to set privacy settings on Facebook:

[image: facebook-privacy.jpg]

Maybe it was Zuckerberg calling people who trust him “dumb fucks,” or the irony of him telling a journalist that “Having two identities for yourself is an example of a lack of integrity.” Or maybe it was the irony that telling people you believe in privacy while calling them dumb fucks is, really, a better example of a lack of integrity than having two identities.

Maybe it was the Facebook search (try ‘my dui’), or Facebook: The privatization of our Privates and Life in the Company Town. Maybe it was getting on CNN that helped propel it.

It all generated some great discussion like danah boyd’s Facebook and “radical transparency” (a rant). It also generated some not so great ideas like “Poisoning The Well – A Response To Privacy Concerns… ” and “How to protect your privacy from Facebook.” These are differently wrong, and I’ll address them one at a time. First, poisoning the well. I’m a big fan of poisoning the wells of mandatory data collectors. But the goal of Facebook is to connect and share. If you have to poison the data you’re trying to share with your friends, the service is fundamentally broken. Similarly, if you’re so scared of their implicit data collection that you use a different web browser to visit their site, and you only post information you’re willing to see made public, you might as well use more appropriate and specialized sites like Flickr, LinkedIn, Okcupid, Twitter or XBox Live. (I think that covers all the main ways people use Facebook.)

But Facebook’s problems aren’t unique. We’ve heard them before, with sites like Friendster, MySpace, Tribe and Orkut. All followed the same curve of rise, pollution and fall that Facebook is going to follow. It’s inevitable and inherent in the attempt to create a centralized technical implementation of all the myriad ways in which human beings communicate.

Play it Sam…once more, for old time’s sake

I think there are at least four key traps for every single-operator, all-purpose social network.

  1. Friend requests The first big problem is that as everyone you’ve ever had a beer with, along with that kid who beat you up in 3rd grade sends you a friend request, the joy of ‘having lots of friends’ is replaced with the burden of managing lots of ‘friends.’ And as the network grows, so does the burden. Do you really know what that pyronut from college chemistry is up to? Do you want to have to judge the meaning of a conversation in light of today’s paranoia? This leads us to the next problem:
  2. Metaphors Facebook uses two metaphors for relationships: friend and network. Both are now disconnected from their normal English meanings. An f-friend is not the same as a real friend. You might invite a bunch of friends over for drinks. Would you send the same invite to your f-friends list? Similarly, if I were to join Facebook today, I could join a Microsoft network, because I work there (although I’m not speaking for them here). Now, in the time that Facebook has been open to the world, lots of people have gained and lost Microsoft email addresses. Some have been full time employees. Some have been contractors of various types. Some have been fired. Is there a process for managing that? Maybe, we have a large HR department, but I have no idea. One key point is that membership in an f-network is not the same as membership in a real network. The meaning of the words evolves through practice and use. But there’s another issue with metaphors as made concrete through the technical decisions of Facebook programmers: there aren’t enough. I think that there’s also now “fans” available as an official metaphor, but what about salesguy-you-met-at-a-conference-who-won’t-stop-bugging-you? The technical options don’t match the nuance with which social beings handle these sorts of questions, and even if they do, telling a computer all that is too much of a bother. (See the chart above for an attempt to make it do something related.)
  3. Privacy means many things Privacy means different things to different people. Even the same person at different times wants very different things, and the cost of figuring out what they will want in some unforeseen future is too high. So privacy issues will keep acting as a thorn in the side for social network systems, and worse for centralized ones.
  4. Different goals Customers & the business have different desires from the system. Customers want fast, free, comprehensive, private, and easy to use. They don’t want to worry about losing their jobs or not getting one. They don’t want to worry about stalkers. They don’t want their sweetie to look over their shoulder and see an ad for diamond rings after talking to their friends about engagement. But hiring managers want to see that embarrassing thing you just said. (Hello, revenue model, although Facebook has not, as far as I know, tapped this one yet.) Stalkers are heavy users who you can show ads to. Advertisers want to show those diamond ring ads. Another example of this is the demand to use your real name. Facebook’s demand that you use your real name is in contrast to 4 of the 5 alternatives up there. Nicknames, pseudonyms, handles, tags are all common all over the web, because, in fact, separating our identities is a normal activity. This is an idea that I talk about frequently. But it’s easier to monetize you if Facebook has your real name.

So I’m shocked, shocked to discover that Facebook is screwed up. A lot of other shocked people are donating to Diaspora ($172,000 has been pledged against their $10,000 goal. There’s interesting game theory about commitment, delivery on those pledges, and whether they should just raise a professional round of VC, but this post is already long.) There’s also Appleseed: A Privacy-Centric Facebook Slayer With Working Code.

Now, before I close, I do want to say that I see some of this as self-inflicted, but the underlying arc doesn’t rely on Zuckerberg. It’s not about the folks who work for Zuckerberg, who, for all I know are the smartest, nicest, best looking folks anywhere. It’s about the fundamental model of centralized, all-purpose social networks being broken.

To sum it all up, I’m gonna hand the microphone to Rick:

If you don’t get off that site, you’ll regret it. Maybe not today, maybe not tomorrow, but soon and for the rest of your life. Last night we said a great many things. You said I was to do the thinking for both of us. Well, I’ve done a lot of it since then, and it all adds up to one thing: you’re getting off that Facebook. Now, you’ve got to listen to me! You have any idea what you’d have to look forward to if you stayed here? Nine chances out of ten, we’d both wind up with our privacy in ruins. Isn’t that true, Louie?

Capt. Renault: I’m afraid that Major Zuckerberg will insist.

This is what science is for

In “The Quest for French Fry Supremacy 2: Blanching Armageddon,” Dave Arnold of the French Culinary Institute writes:

Blanching fries does a lot for you – such as:

  • killing the enzymes that make the potatoes turn purpley-brown. Blanching is always necessary if the potatoes will be air-dried before frying.
  • gelatinizing the starch. During frying, pre-cooked fries form a crust faster than raw ones, and they can be cooked at higher oil temperatures than raw fries – which is easier for workflow.
  • pre-salting the interior of the fries. We blanched two batches of fries, one in boiling 3% salt water, one in boiling plain water. The plain-water fries tasted like crap next to the salt-water ones. All subsequent test fries were blanched in a 3% salt solution.

[image: french-fry-science.jpg]

It’s easy to think of science as just being good for building computers and the internet, extending average lifespans, giving us Gore-Tex, nylon and vulcanized rubber. Some people may worry that it’s in the weeds when worrying about string theory. But science is an approach to problems: the testing of ideas to see how well they work, rather than loving the idea.

Dave Arnold, Harold McGee and others are driving the intersection of science and cooking. And while they’re likely to skewer quite a few cows along the way, the results are worth it.

Where’s the Checks and Balances, Mr. Cameron?

[Update: See Barry’s comments, I seem to misunderstand the proposal.]
The New York Times headlines “Britain’s New Leaders Aim to Set Parliament Term at 5 Years.” Unlike the US, where the executive is elected separately from the legislature, the UK’s executive is the Prime Minister, selected by and from Parliament.

As I understand things, the primary check on the Prime Minister is that if their choices are sufficiently unpopular, their party defects and votes against them, leading to a new election. This threat of government collapse is a major check on the power of Parliament, as evidenced by how both Cameron and Clegg are repeating that “this government will last 5 years.”

So if Parliament will last 5 years, what are the checks on its power?

[Edit: Steps on scrapping ID cards and ContactPoint are very positive, but to my mind, those are symptoms of the already barely-checked power of the Prime Minister.]

Malware reports? (A bleg)

I’m doing some work that involves seeing what people are saying about the state of malware in 2010. Search terms like “malware report” get a lot of results, but they don’t always help me find things like the Symantec ISTR, the McAfee threats report or the Microsoft SIR.

To date, I’ve found reports from Cisco, IBM/ISS, Kaspersky, McAfee, Microsoft, Sophos and Symantec. Are there others that cover malware? (I’m leaving off Verizon since it doesn’t cover what I need for this particular project.) Recent things like the Nocebo paper here are also interesting.

If you know of other reports that will help me gain insight into the state of the world, please leave a comment.

Welcome to the club!

As EC readers may know, I’ve been sort of a collector of breach notices, and an enthusiastic supporter of the Open Security Foundation’s DataLossDB project. Recently, I had an opportunity to further support DataLossDB, by making an additional contribution to their Primary Sources archive – a resource I find particularly valuable.

Unfortunately, that contribution was a breach notification letter [pdf] addressed to me! Since I now have some skin in the game, I figured I’d use the opportunity to take a close look at this incident and see what can be learned from it.

Who sent the letter, and how do I reach them?

Let’s start with the letter itself. While it identifies the data owner (“EHP”, an emergency room practice I had patronized), it provides no return address, and the letter is unsigned. Unsurprisingly given this opacity, the envelope return address is a post office box. While a toll-free number is provided, this is a requirement of many state breach laws, and repeated calls to the number resulted in my being placed in an ACD queue, rather than being routed to a human being. So far, it looks to me like they’re trying to ensure that all communication regarding this issue is either squelched by the magic of painful on-hold music, or diverted into a call center. In particular, there seems to be no enthusiasm for written correspondence.

What was exposed, and how?

Now let’s consider the nature of the exposed data. According to the notification letter, a hard drive was stolen from a 3rd party service provider (Millennium Medical Management Resources). That hard drive contained “unencrypted copies of records with health and financial information about [me]”. Furthermore, the service provider

…believes the hard drive contained personally identifiable information about EHP patients, including name, address, phone number, date of birth, and Social Security Number and, in some cases, other information such as diagnosis and/or diagnosis code, types of procedure and/or procedure code, medical record number, account number, driver’s license number, and health insurance information.

Surprisingly, the letter does not say that “the exposure appears to be the work of criminals interested in the hardware” or other such language often used to suggest that crooks don’t go after data. This even though the police report notes that the “suite [was] in disarray”. Kudos to EHP for this. And kudos to the Westmont, IL PD for handling my FOIA request same day. I understand they received literally hundreds of requests for this report. Anyone who handles a dramatic, unexpected increase in work so cheerfully deserves praise.

As to what was stolen, the notification letter — seemingly drafted by an attorney — states what the service provider believes, not what the service provider knows. This suggests there is some question as to what precisely was on the unencrypted drive. Clearly, though, health and financial information are involved, suggesting that this breach is subject to HITECH and HIPAA provisions, as well as to myriad state breach laws. Reading on, this is further reinforced, when EHP says they “…will report this security breach to the Office of Civil Rights of the U.S. Department of Health and Human Services.” Such a report is required by HITECH when more than 499 persons have been affected by a breach, which establishes a lower bound for the likely number of affected individuals in this incident. (In the few days I have been composing this blog post, the report has appeared on HHS’s web site. 180,111 folks impacted by this one. Ouch. Why not put this in the letter to me, if it will be one mouse-click away anyhow?)

How long did notification take?

HITECH requires that notification occur within sixty days of the discovery of the breach. This breach was discovered March 1st. The letter is dated April 30. I wonder if the delay would have been longer, were it legally permissible?

How will future incidents be prevented?

According to the letter, the service provider has

…implemented new and improved technical, physical, and administrative security measures to prevent future thefts and security breaches, including encryption of electronic personally identifiable information stored on portable storage devices. Millennium will also take additional steps to further secure patient information.

Meanwhile,

EHP is carefully monitoring these security measures to ensure that they meet regulatory requirements and appropriately secure information about its patients.

With a letter such as this, which undoubtedly was closely crafted by people who pay attention to word choice, it seems fair to read it as attentively as it was written. An admittedly cynical interpretation is that this “careful monitoring” is a new thing for EHP. After all, they didn’t say they would “continue to carefully monitor” or would “more carefully monitor”. As to what “technical, physical, and administrative” measures Millennium might be adding, who knows? It’s hard enough to audit one’s own service provider. Knowing what somebody else’s is doing is harder still.

So what can I do?

The letter concludes with sections which roughly follow the guidelines provided by various sample breach notification letters. This is impressive. After reading many notification letters, I’ve come to expect some soft-pedaling of the risk of identity theft. This one does not do that. Again, kudos.

Closing Thoughts

So this has been a long blog post about one incident and one letter, and not exactly a man bites dog situation either. Apologies. I think two things are interesting about this particular letter:

  1. For matters that pertain to breaches generally rather than to this one specifically, it was straightforward, clear, and reasonably complete. The advice about what to do, how to interact with credit bureaus, when to notify law enforcement, etc., was all sound, with little or no “spin”.
  2. With respect to the details of this specific incident, the letter was more circumspect, with — to my eyes — more parsing of words.

Unsurprising, perhaps, but (I have not done a content analysis to verify this) I wonder how typical the openness would have been three or four years ago. Perhaps, if California’s SB 1166 is signed by the Governor (rather than vetoed, as was a previous version), this greater transparency will extend to incident-specific details as well. I don’t see the harm in it. I’ve already filled in the blanks with what I think really happened to my information. There isn’t too much EHP could say that would make me feel much different about their vendor management program, or about the degree of care Millennium evinced here, so they should just say it.

Word!

We show that malicious TeX, BibTeX, and METAPOST files can lead to arbitrary code execution, viral infection, denial of service, and data exfiltration, through the file I/O capabilities exposed by TeX’s Turing-complete macro language. This calls into doubt the conventional wisdom view that text-only data formats that do not access the network are likely safe. We build a TeX virus that spreads between documents on the MiKTeX distribution on Windows XP; we demonstrate data exfiltration attacks on Web-based LaTeX previewer services.

“Are Text-Only Data Formats Safe? Or, Use This LaTeX Class File to Pwn Your Computer,” by Stephen Checkoway, Hovav Shacham, and Eric Rescorla, in Proceedings of LEET 2010. USENIX, Apr. 2010.

As they say “Amusingly, some advocacy documents list ‘no macro viruses’ as an advantage tex has over Word.” Which sorta runs me out of jokes.
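The attacks in the paper ride on the file I/O a document gets through \openout, \openin and \write18, and on how tightly the TeX distribution fences that in. The script below is an added example, not code from the paper or from this post. It audits the three kpathsea variables that TeX Live’s texmf.cnf uses for this (openout_any, openin_any, shell_escape, plus the shell_escape_commands allow list) against two constructed texmf.cnf fragments embedded in the script (LOOSE_CNF and TEXLIVE_CNF, the latter modeled on TeX Live’s shipped defaults with an abbreviated allow list); the function names are mine. On a live system the same values come from `kpsewhich -var-value=openout_any` and friends. MiKTeX, which the paper’s virus targeted, configures this differently and is not modeled here. The caveat the script spells out: even the paranoid setting only confines writes to the current directory tree, which is enough for one document to tamper with others sitting beside it.

```shell
#!/bin/sh
# Added example, not from Checkoway/Shacham/Rescorla or from this post:
# audit the kpathsea (TeX Live) settings that decide what a TeX run may
# read, write and execute. On a live install the values come from
#   kpsewhich -var-value=openout_any   (likewise openin_any, shell_escape,
#                                       shell_escape_commands)
# Here two constructed texmf.cnf fragments stand in for that output.

# Effective value of variable $1 in texmf.cnf-style text read on stdin.
# Later assignments override earlier ones, as in kpathsea; '%' starts a
# comment. Prints an empty line when the variable is never assigned.
cnf_value() {
    awk -v v="$1" '
        /^[ \t]*%/ { next }                 # whole-line comment
        { sub(/%.*/, "") }                  # trailing comment
        $0 ~ ("^[ \t]*" v "[ \t]*=") {
            sub("^[ \t]*" v "[ \t]*=[ \t]*", "")
            sub(/[ \t]+$/, "")
            val = $0
        }
        END { print val }'
}

# Report on the I/O knobs in the config text $1. Returns 0 only when no
# knob lets a document write arbitrary paths or run arbitrary commands.
# openout_any / openin_any: a = any path, r = no dotfiles, p = paranoid
# (no parent directories, absolute paths only under $TEXMFOUTPUT).
# shell_escape: f = off, t = unrestricted \write18, p = only the commands
# listed in shell_escape_commands. An unset knob is reported as a finding
# rather than assumed safe (this script's own conservative choice).
tex_io_policy() {
    cnf=$1
    bad=0
    out_any=$(printf '%s\n' "$cnf" | cnf_value openout_any)
    in_any=$(printf '%s\n' "$cnf" | cnf_value openin_any)
    shesc=$(printf '%s\n' "$cnf" | cnf_value shell_escape)

    case "$out_any" in
        p) printf 'openout_any=p   writes confined to the current directory tree\n' ;;
        r) printf 'openout_any=r   WARN: only dotfiles blocked; ../ and absolute paths allowed\n'; bad=1 ;;
        *) printf 'openout_any=%s  WARN: \\openout may write any path\n' "${out_any:-unset}"; bad=1 ;;
    esac
    case "$in_any" in
        p|r) printf 'openin_any=%s    reads restricted\n' "$in_any" ;;
        *)   printf 'openin_any=%s    note: any readable file can be \\input and exfiltrated\n' "${in_any:-unset}" ;;
    esac
    case "$shesc" in
        f) printf 'shell_escape=f  \\write18 disabled\n' ;;
        p) cmds=$(printf '%s\n' "$cnf" | cnf_value shell_escape_commands)
           printf 'shell_escape=p  restricted to: %s\n' "${cmds:-<none listed>}" ;;
        *) printf 'shell_escape=%s WARN: \\write18 runs arbitrary commands\n' "${shesc:-unset}"; bad=1 ;;
    esac
    return $bad
}

# Constructed configuration fragments (not copied from any installation).
LOOSE_CNF='
% everything opened up, as a careless edit might leave it
openout_any = p    % overridden by the next line: later assignments win
openout_any = a
openin_any  = a
shell_escape = t
'
# Modeled on the values TeX Live ships (allow list abbreviated).
TEXLIVE_CNF='
openout_any = p
openin_any = a
shell_escape = p
shell_escape_commands = bibtex,bibtex8,kpsewhich,makeindex,repstopdf
'

report() {
    printf '== %s ==\n' "$1"
    if tex_io_policy "$2"; then
        printf 'verdict: restricted (files beside the document are still writable)\n'
    else
        printf 'verdict: PERMISSIVE, a malicious document gets file I/O or a shell\n'
    fi
}
report LOOSE_CNF "$LOOSE_CNF"
report TEXLIVE_CNF "$TEXLIVE_CNF"
```

Run it against a real installation by replacing the constructed fragments with the output of `kpsewhich -var-value` for each knob; the same three-way classification applies. Note that a "restricted" verdict is about the distribution's defaults only: a web-based previewer that compiles untrusted documents still needs to run TeX in a throwaway directory with nothing else in it, since paranoid mode does not stop writes to the working tree.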