Can Science Improvise?

My friend Raquell Holmes is doing some really interesting work at using improv to unlock creativity. There’s some really interesting ties between the use of games and the use of improv to get people to approach problems in a new light, and I’m bummed that I won’t be able to make this event:

Monday Dec 17th – 7:15 to 9:15pm
835 Market Street, Rm. 619, Downtown San Francisco State University Campus

Register at http://www.acteva.com//booking.cfm?bevaid=234451
In advance- $15 At the Door- $20

What happens when you combine the playfulness of improvisation with
the rigor of science? The Life Performance Coaching Center which
leads people from all walks of life in a performance-based approach to
human development is pleased to host Dr. Raquell M. Holmes founder of
improvscience. Holmes has been bringing the discoveries in human
development and performance to researchers and educators in many areas
of science including biology and computing sciences.

In this exploration for scientists and those interested in creativity
and development, participants are introduced to what the
improvisational arts bring to science. Learning to build with the
contributions of others and see opportunities for improvisational
conversation helps us to take risks and discover new ways of seeing
each other and our work.

Come and play as we break down the social barriers that can inhibit
creativity, exploration and discovery.

Helen Abel, LCSW, has worked with people to develop their lives for
over 30 years as a social worker, therapist and coach. She is on the
staff of the Life Performance Coaching Center where she leads the
popular Playground series {link if available} where people learn how
to use their capacity to create, perform and play. As a life coach she
helps people access these same skills to develop creative and new
kinds of conversations with their friends, family and colleagues.

Dr. Raquell Holmes is Director of Outreach, Recruitment and Retention
at the Center for Cell Analysis and Modeling at University of
Connecticut Health Center. She helps biologists to incorporate
computing and computational resources into their teaching and
research. Community building and improvisational theater are explicit
components of the majority of her National Science Foundation funded
projects. She founded improvscience to provide scientists with
opportunities to develop skills in leadership, collaboration and
innovation. Since its inception improvscience has worked with over a
thousand professionals in Science, Technology, Engineering and
Mathematics education and research.

Two Models of Career Planning

There’s a fascinating interview with Mark Templeton of Citrix in the New York Times. It closes with the question of advice he gives to business students:

There are two strategies for your life and career. One is paint-by-numbers and the other is connect-the-dots. I think most people remember their aunt who brought them a gift for their birthday or whatever and it was a paint-by-number set or a connect-the-dots book.

So with the paint-by-number set, you know ahead of time what it’s going to look like. Then, by contrast, with a connect-the-dots puzzle, you can only guess at what it might look like by the time you finish. And what you notice about that process is the further along you get, the more clear it becomes. It might be a beach ball, or a seal in a Sea World park or something. The speed at which you connect dots gets faster as the picture starts coming into view.

You probably get the parallel. This isn’t about what’s right and what’s wrong. This is about getting it right for you. Parents often want you to paint by numbers. They want it so badly because they have a perception that it’s lower risk, and that’s the encouragement they’re going to give you. They’re going to push you down this road, and faculty members will, too, because they want you to deliver on what they taught you. It doesn’t make it wrong; it’s just that there’s a bias in the system. You have to decide for yourself. The earlier you actually get it right for yourself, the faster and the better that picture is going to look.

And the more time you spend on paint by numbers when you’re a connect-the-dots person, and vice versa, the harder it’s going to be. (Mark Templeton, quoted in “Paint by Numbers or Connect the Dots“)

When I got started in information security, there were a lot fewer jobs. They were less categorized. There might have been degrees in information security, but there certainly were not “Centers of Excellence” churning out graduates. (It turns out “degree” is one of those terms, like “hotel” or “mesothelioma” that’s so heavily SEO’d that it’s a pain to search that history.) Because there was no “paint by numbers” path, people entered the field from a wide variety of backgrounds. Everyone was connecting the dots as we went.

Anyway, I like the analogy, and think it explains why a lot of career advice fails to help its intended recipients.

This is what science is for

In “The Quest for French Fry Supremacy 2: Blanching Armageddon,” Dave Arnold of the French Culinary Institute writes:

Blanching fries does a lot for you – such as:

  • killing the enzymes that make the potatoes turn purpley-brown. Blanching is always necessary if the potatoes will be air-dried before frying.
  • gelatinizing the starch. During frying, pre-cooked fries form a crust faster than raw ones, and they can be cooked at higher oil temperatures than raw fries – which is easier for workflow.
  • pre-salting the interior of the fries. We blanched two batches of fries, one in boiling 3% salt water, one in boiling plain water. The plain-water fries tasted like crap next to the salt-water ones. All subsequent tests fries were blanched in a 3% salt solution.
french-fry-science.jpg

It’s easy to think of science as just being good for building computers and the internet, extending average lifespans, giving us goretex, nylon and vulcanized rubber. Some people may worry that it’s in the weeds when worrying about string theory. But science is an approach to problems. The testing of ideas to see how well they work, rather than loving the idea.

And Dave Arnold, along with Harold McGee and others, and driving the intersection of science and cooking. And while they’re likely to skewer quite a few cows along the way, the results are worth it.

Women In Security

Today is Ada Lovelace Day, an international day of blogging to celebrate the achievements of women in technology and science.

For Lady Ada Day, I wanted to call out the inspiring work of Aleecia McDonald. In a privacy world full of platonic talk of the value of notice and consent, Aleecia did something very simple: she figured out how long it would take for consumers to do what the Direct Marketing Association recommends: read privacy policies.

She then multiplied that by an estimate of how much it would cost, and demonstrated pretty conclusively what we all intuitively knew: the current scheme is a massive wealth transfer because of transaction costs. (I’m interpreting her results here; I believe she would be more conservative in the interpretation.)

Her work also prefigures Cormac Herley‘s recent work “So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users.”

So Aleecia McDonald is my choice for a woman in science and technology who’s inspiring me to think about the economics of security and privacy in new ways.

PS: I have an another choice over at The New School blog. Hey, two blogs, two choices.

How to Make Your Dating Site Attractive

bookio.jpg

There’s a huge profusion of dating sites out there. From those focused on casual encounters to christian marriage, there’s a site for that.

So from a product management and privacy perspectives I found this article very thought provoking:

Bookioo does not give men any way to learn about or contact the female members of the site. Men can join for free, if they have been invited—and if a current Bookioo member can vouch for their information. They can then post a profile for the perusal of the female—and paying—members of the site. It’s those paying women, however, who get to call the shots.

As interesting as the approach is, what’s more interesting is how they came to it. They focused on a set of female customers, and asked what is it that they worry about, and what do they want? Co-founder David Olmos:

We think that women don’t feel comfortable with the current dating sites. The latter are too masculine: they were designed by men and they fundamentally address men’s needs. We know that many women prefer a different approach: they’re eager to socialize, to meet new people, and we propose to do that through activities. It may lead them to find a partner, of course, but they may as well enjoy an afternoon in a museum with a new girl friend whom they met Bookioo! So we propose to socialize through activities, common hobbies and common tastes.

As you can see, we actually want to revamp the “dating” concept, taking the perspective of women. The key issue for us is to make sure that women enjoy the level of privacy they wish and that the males’ profiles are fully validated. (“Bookioo: dating and social networking site gives women full control.”)

It’s also a very different approach to “creep management,” which we’ve covered in past posts like “Emerging dating paranoia,” “Dating and Background Checks in the UK” or “Dating & Background Checks in China

Pay for your own dog food

At Microsoft, there’s a very long history of ‘eating your own dogfood’ or using the latest and greatest daily builds. Although today, people seem to use the term “self-host,” which seems evidence that they don’t do either.

Eating your own dogfood gives you a decent idea of when it starts to taste ok, which is to say, ready for customers to see in some preview form.

Apropos of which, there’s a really interesting post at the Inkling blog, “Pay for your own dog food:”

Using your own product comes with a ton of benefits, because you become your own customer. The quality of your product likely increases because you can’t ignore it’s problems. They aren’t just your customers problems. They are your problems.

We’ve gotten in the habit of actually taking out our own credit card and using it on our own account sign up page. Yes, it’s a bit silly when the credit card processing takes some money off the top. But it makes the feeling very real that you are paying for this, and now it’s an expense just like it’s going to be an expense for your clients.

Non Commercial

If you haven’t listened to Larry Lessig’s 23C3 talk, it’s worthwhile to listen to the argument he makes. As I was listening to it, I was struck by the term non-commercial, and, having given it some thought, think that we need a better word to describe the goals Creative Commons is pursuing.

The term non-commercial reminded me deeply of the invention of non-secret encryption by James Ellis, Clifford Cocks, and Malcolm Williamson at the British GCHQ. Despite having invented what the world now calls public key encryption, the idea languished under both classification and a failure to make the critical jump from ‘non-secret’ to ‘public.’ Even when something isn’t a secret, you might not want to shout it from the rooftops, unless you’re Whit Diffie. In which case you might think that it would be great to have a phone book full of keys. Whit probably wouldn’t have thought of that with ‘non-secret’ keys, but he certainly did think of a directory of public keys.

Defining your movement by what you are not isn’t the best way to rally people to the cause. No one claims to be on either the anti-life or anti-choice side of the abortion debate. Beyond that, I’m going to say that non-commercial as a descriptor may be essential in the legal licenses associated with the Creative Commons licenses. Non-commercial may even be almost the right word but, as Mark Twain pointed out, the difference between the almost right word and the right word is really a large matter–it’s the difference between the lightning bug and the lightning.

So in seeking the right word, it may help to think about what we mean by non-commercial? We mean almost every word we say to our families, children, or lovers. We mean pillow talk, explaining to kids why the sky is blue, and that I would prefer not to live as a vegitable. We mean our scientific papers, our poems and our fair use of the song Happy Birthday. We mean blogging (others may see their blogs as commercial), asking a stranger directions, talking to our elected representatives, water cooler chatter, graffiti, and even all the unneeded words we say to a cashier in a checkout line.

It’s honest speech. It’s human speech. Let’s not demean it by asserting that commercial speech is the norm.

Identity is Mashed Up

I posted last month about Bob Blakely’s podcast with Phil Windley.

Now (by which I really mean last month, wow I’m running behind!) Bob posts that the “Relationship Paper Now Freely Available,” and I’m embarrassed to say I stole Bob’s opening sentence.

Now that I’ve actually read the paper, I’d like to remix the ideas with some web 2.0 Zero Knowledge Infomediation craziness and having thus altered it, send it back out, its identity changed.


One of the core ideas in the paper is that of intermediaries who will represent for you. These intermediaries, who Bob says have a ‘custodial relationship with your data,’ rather than a transactional one, will know lots about you, and gossip as you let them. It’s like letters of introduction or recommendation–you select who you think can represent you well, and if they have a relationship with the person you want to talk to, then things are great.

This is a useful model because a business can perform due diligence on a few of these infomediaries, rather than on each customer. I’m using the phrase infomediary, which some of you may remember from the book Net Worth. The idea was you’d have someone representing you to the net, who would help you get good deals. It was a very consumer-centric idea in some ways, advertising-centric in others.

The difference with the 1990s infomediary concept is that Bob has a great angle on why a business would want to engage with the infomediary, rather than engage in surveillance itself.

It’s a compelling vision, but I’m not sure I buy it as a complete view of identity. As a citizen, I don’t want to work with a single identity provider. The lock in risk seems very high.


But worse, I don’t have one identity. My identity is created through a set of relationships: with family and friends, with employers, but also with colleagues who I’ve never worked with directly (like Mordaxus and Chris) and with former co-workers who aren’t exactly friends. For example, I had a great three hour lunch and walk around Rock Ridge with a fellow who I’d worked with at Zero-Knowledge, and seen maybe once since. I feel a little like Comic Book Guy, caught in a new situation, and forced to say “There’s no emoticon for what I’m feeling!”

Some of our business relationships lead to personal ones, of friendship or romance. The bright lines which once existed are gone. A business which tries to help us with all of these may end up creepy like Facebook. One which only sees one aspect of our lives may well get and give a one dimensional view of us.

I’m thinking of two folks reading this. One is saying “what’s the point?” Another is identifying this as “Adam brain spew.” Which is another way of saying that this is all over the place.

And perhaps, in a world in which we present different selves at different times, that is exactly my response to Bob.

Joseph Ratzinger and Information Security

Joseph Ratzinger (a/k/a Benedict XVI) made some comments recently made some comments that got some press. In particular, as Reuters reports: “Pope in Africa reaffirms ‘no condoms’ against AIDS.” Quoting the story, “The Church teaches that fidelity within heterosexual marriage, chastity and abstinence are the best ways to stop AIDS.”

Many of you are likely outraged. Saying, “sure, if only people would do that, then we wouldn’t need condoms. But people don’t behave that way.”

I’d like to explain what this has to do with information security. Some of you may be saying “sure, but we’re not that bad.”

In information security, we often keep saying the same thing over and over again, because we know it’s right. We tell people to never write down their passwords, to always validate their input, and to run IDS systems. Deep in our hearts, we know they don’t, and yet we keep saying those things. We tell them they “have to” fix all the security problems all the time.

It’s my hope that we in information security will be less religious than the Pope, but there’s plenty of evidence that, like him, we offer advice that makes people shake their heads in disgust.


Wherever you work, whatever you do, it’s worth asking yourself: am I being dogmatic in what I’m asking of people?

Me, I’m being dogmatic about asking you all to keep it civil in the comments.

Public Perception of Security

So the US Consulate in Jerusalem sold a file cabinet full of secret documents. What I found interesting about the story is the perception of the finder:

Hundreds of files — with social security numbers, bank account numbers and other sensitive U.S. government information — were found in a filing cabinet purchased from the U.S. consulate in Jerusalem through a local auction.

“We couldn’t believe what we found,” said Paula, who purchased the cabinets and asked that her last name not be published. “We thought of calling the American consulate right away, and then we thought, you know they’ll just hide it and say, ‘Oh, we made a mistake.’” (“U.S. Consulate Mistakenly sells secret files in Jerusalem,” Fox News)

Transparency is a powerful idea. There’s little risk in disclosing this incident, except to the career of the person who sold the cabinet. Security professionals on both side know that these things happen. If we talked about the incidents we could assess their frequency and see if there are cost effective ways to prevent these things. I expect that there are, but no one wants to add a layer of bureaucracy for a threat that they can’t really assess. There are too many threats and too many ways to address them.