Entertaining and informative reading, Ethan Zuckerman’s notes on his talk at ETech, “The Cute Cat Theory”.

A couple of excerpts to draw you in, but you should go read it for yourself.

Web 1.0 was invented to allow physicists to share research papers.

Web 2.0 was created to allow people to share pictures of cute cats.

and

Based on my Tripod experience, I’d offer the hypothesis that any sufficiently advanced read/write technology will get used for two purposes: pornography and activism. Porn is a weak test for the success of participatory media - it’s like tapping a mike and asking, “Is it on?” If you’re not getting porn in your system, it doesn’t work. Activism is a stronger test - if activists are using your tools, it’s a pretty good indication that your tools are useful and usable.

When I was working in the online dating space, I assumed the deluge of porn was a function of our being the intersection of people who were single/horny and willing to use their credit card to buy things online. Now I’ll have to re-think that assumption, something I probably should have done long ago based on the presence of porn comments in my spam filter.

I don’t recall any activism in the dating business, but maybe it just never made its way over to me since I was focused on security and fraud.

But I digress…

The real point of the talk is about activism, not porn, and more specifically about how activists effectively use social networking tools to align the interests of people who share pictures of cats, drawing in the cat sharers of the world (who far outnumber the activists) as collateral damage.

That’s not to say this approach is perfect–he explains how the Chinese government has engaged in a game of measure and countermeasure censorship, but in general, it provides an interesting example of how activist signal benefits from cute cat noise and the unintended conseqences of both.

Bob sent me the link to this Daring Fireball post about Copying the Wrong Thing

A common knock against 37signals’s products is that they work perfectly — if you happen to think exactly like Jason Fried. And so of course none of the knock-off products are very good, because they’re aping the 37signals style without Jason Fried’s direct input. (And by “Jason Fried” I mean “Jason Fried and everyone else at 37signals who helps design their products”.)

What’s worth copying isn’t the final product but the attitude. It really is the case that Basecamp is a project management tool that looks and works exactly how 37signals thinks a project management tool should look and work. It is very much unlike any project management software that came before it. They didn’t start with what customers wanted, or with what existing project management software looked like, or by trying to guess what some group of faceless others would want. They designed and built what they themselves wanted, under the assumption that there were some number of other people who would want the same thing.

It’s like the bar that opens to try and copy the cool bar, but only poseurs and cheezy guys go there and the owners can never figure out why their bar never has any hot chicks in it.

First, a talk from TED by Barry Schwartz titled, “The real crisis? We stopped being wise”

I couldn’t agree more with what he has to say. Two of my favorite lines:

“Rules and incentives may make things better in the short run, but they create a downward spiral that makes them worse in the long run” (08:46)

“Rules prevent disaster, but what they guarantee is mediocrity.” (10:25)

Like Wisdom, good Risk Management is about decisions. Security is about rules.

Then, for an example of some very non-wise thinking, let’s take a look at what is being written about DRM in Windows 7:

That Photoshop stopped functioning after we messed with one of its nag DLLs was not so much a surprise, but what was a surprise: Noting that Win7 allows programs like Photoshop to insert themselves stealthily into your firewall exception list. Further, that the OS allows large software vendors to penetrate your machine. Even further, that that permission is responsible for disabling of a program based on a modified DLL. And then finding that the OS even after reboot has locked you out of your own Local Settings folder; has denied you permission to move or delete the modified DLL; and refuses to allow the replacement of the Local Settings folder after it is unlocked with Unlocker to move it to the Desktop for examination (where it also denies you entry to your own folder). Setting permissions to ‘allow everyone’ was disabled!

Windows is attempting to provide “security”–but not for the owner of the system. Rather, they are installing powers that I’ll bet will be exploited far more to reduce the value and usefulness of the platform than to actually make things better for anyone but industries who are still trying to deny the obsolescence of their business models. But just think of the fun that the malware will have with its new-found powers.

Basically, the only person who’s getting shafted in this deal is the customer. If you’re a company, even a (decaying) natural monopoly like Microsoft, consistently shafting your customer in ways that they notice and care about is not good business.

(h/t BoingBoing and BoingBoing))

I’m somehow surprised that I totally missed the announcement of a DLP partnership between Microsoft and EMC.

Bob had seen it, but his response was a yawn: “I saw it but the results from the work are a couple of years out so I ignored it. Maybe it will come sooner, but I do not trust that it will work beyond the MS world for years to come.”

The more I think about it, though, the more I see that all it does is provide yet another example of how hard it is to keep things under control in a large corporation. I’ll start with a quote from Rich Mogull’s generally excellent analysis,

One of the biggest obstacles to a successful DLP deployment can be a poor directory infrastructure. If you don’t know what users have what roles, it’s awfully hard to create content-based policies that are enforced based on users and roles.”

Let’s be honest. Most large corporations can’t even begin to do that. At best, we know which Business Unit most of our employees generally work with. Take me as a case-in-point. I work for the CSO, who in turn works for the CFO, but I do half my work with IT, half with the Business Units, and half with the Security Group (yes, that’s three halves. I’m bad about 60 hour weeks).

So even if we could do this in theory, the reality is that this is as much a political as a technical or management problem. For example, when sales and marketing can’t agree who should be allowed to show sensitive information to customers, things tend to either be designed to fail open or get killed before they happen at all.

So now we’re left with an exception process that either subverts the goal of the control (indicating controls in excess of actual risk tolerances) or a huge cost center to manage and provision those exceptions, in which case the cost of the control makes it a target for cutting until we’re left with the former problem.

Second, given how much of our information no longer even pretends to live on systems we control, it would have to integrate with third parties, all of whom would need to be compliant. I suspect that even Wal-mart, legendary for their iron grip on their partners and suppliers, would struggle with this one.

Those third parties would have to have both the ability and the willingness to implement their technology to match “our” specifications, which probably aren’t their other customers’ specifications, and it all spirals downhill from there.

I’ll be honest. We struggle to get third parties to implement basic network-level controls or follow patching regimens (which, come to think of it, can we often can’t do so ourselves). What chance do we have of getting them to adopt a significant systems integration project which will require them to “open the kimono” to us regarding their own internal business processes and organizational structures?

Finally, given that the IT infrastructure, despite all efforts at “standardization” (which is what an IT person says when they really mean “monoculture”) is still a fragmented mess of platforms, vendors, and versions.

So what we have is something that sounds great in theory, but in more of a Platonic Ideal of secure information flow than anything that realistically accurately describes the messy reality of how information is created, used and distributed across the modern corporate world.

And, despite claims to the contrary, my experiences dealing with The Business–the non-IT people who actually conceive, make and sell things–that’s at least partially by design.

That’s not to say that all hope is lost, nor that this isn’t valuable and useful technology. But it’s like anything other tool–it has a time and a place, and things may get broken if used otherwise.

Hiring the head of risk for a failed investment bank to assess bank soundness seems a bit through the looking glass, don’tcha think? Even if he’s the best thing to happen to risk management since the invention of gambling, this going to be a tough sell on the credibility front any way you slice it.

In a move that is sure to put to rest the notion that there are no second acts in American life, former Bear Stearns chief risk officer Michael Alix has landed a job in the office of the Federal Reserve charged with assessing the safety and soundness of domestic banking institutions.

We suppose that Alix at least has plenty of experience with unsound banking institutions. He was the chief risk officer of Bear Stearns from 2006 until 2008. So, basically, he was the guy on the mast charged with yelling “iceberg” just before the titantic introduced its bow to a floating hunk of ice. Prior to that he ran credit risk management for Bear from 1996 to 2006, Jon Keehner at Bloomberg points out. That worked out just great.

Sometimes words almost fail me.

In many respects, this is similar to the people who hire (hopefully) former computer criminals as if they somehow know more about protecting networks just because they have hands-on experience with how not to do it.

In both cases, however, one of the bigger deterrents for many would-be miscreants, whether of the white collar or other more traditional criminal activities is the future deterrent of being forever unwelcome in what would otherwise be a chosen career or passion. This is part of why it is not illegal or even gauche to discriminate against convicted criminals in employment matters. By overlooking this bias at higher levels, it erodes respect for it at lower levels, which in turn reduces its deterrent effects (which are already minimal due to discounting) further down the ladder.

It doesn’t matter how good Alix supposedly was at his job. When you’re the CRO of a bank that fails due to poor risk practices, you should be a pariah, plain and simple. At least Nick Leeson paid his debt to society, which is more than Michael Alix will ever be able to say.

Update: More good commentary from Mark Thoma at Economist’s View on this one:

It seems that as chairman of the Securities Industry Association’s risk management committee, Alix was also an important part of the effort to convince regulators that investment banks didn’t need to hold nearly as much capital as their commercial bank brethren. Here’s a letter he wrote to the Federal Reserve’s board of governors in August 2003…

This, we now know, didn’t work so well, either.

But my favorite thing I found in my rooting around was Alix’s June 2004 House testimony on the topic of Basel II. One of the reasons investment banks should be allowed to use more leverage, he said, was because of the protective qualities of mark-to-market accounting…

This, we now know, not only didn’t work so well, but is also, we’re told, causing a lot of the problems we’re having.

Look, I don’t envy the position the New York Fed is in. I have the luxury of not having to go out and hire people who 1) deeply understand the operations of finance firms, and 2) are willing to take a job in the public sector. At the same time, I’m guessing I’m not the only person a little squinty-eyed over this one. …

No, Mark, you’re not.

As we talk about the shifts in computing from the mainframe to the PC, or from the enterprise data center to the cloud the big question is Trust.

Do you trust your employees?
Do you trust the programmer?
Do you trust your ISP?
Do you trust the system in the cloud?
…..
Do you trust yourself?

Over the last several decades we have changed the way we use computers and our relationships with them have also changed. When we were using the mainframe computer the trust boundaries were a lot different. Punch cards in, Paper out. The boundaries there were pretty clean, oh yes there were disks and tapes, but no network and it was all behind the “firewall” of the viewing window into the computer room and the computer operator. First we added terminals and you could access the mainframe from outside that picture framed room! Next came the remote terminal with a MODEM or a direct wire and all of a sudden you did not have to be in the same building or the same country to access the mainframe. Yet it was still constrained by the lack of inter-networking and the amount of data that you could get into a single computer…. See where we are going here?

Fast forward to today. The keyboard controller on the computer I am typing this on is pretty close to the base model IBM 360 from 1964! We have Google with the biggest set of data centers in the world, well commercial world. Networks span the globe and millions of computers are connected together. You and your closest friends in your favorite country over the pond are a few networks hops away.

You trust the Firefox add-in Foxmarks to keep track of your book marks across multiple computers but do you trust them to keep sync your passwords?

Foxmarks does a nice job of syncing your bookmarks between computers and it will also sync your passwords by encrypting them locally and then syncing them. This changes the attack vector from however you manage your passwords to attacking the tool, attacking your key, and attacking you. The game has changed.

You “trust” your PC to protect the files on your computer, do you trust Google Docs with that same data?

While trusting your PC is dubious at best, moving your data to Google Docs again changes the risks. Is there more risk when your data is on Googles’ servers or on your PC? The risk profile changes, your data is safe in Google from the physical loss issues when it is stored on a single computer. But, that data is only protected by the password you set on Google.

You trust Amazon with your credit card do you trust them with your corporate applications and data?

We trust for different reasons some good and some bad. We trust Amazon with our credit card because they have a reputation of protecting your information and your credit card company protects you from some of the risks of misuse. With Amazon S3 storage or EC2 computing you are now moving your data to the Amazon cloud and you are moving the computing from your local computer to the Amazon computing center.

A am an advocate of moving your data off of local machines and out on to the “cloud”. I believe that computing in the cloud has great advantages. Protecting your data and managing the risks around the data is not something to be taken lightly. Trust is a part of the equation.

—-
The title of this post comes from the soundtrack album from the first Batman movie, the song is Trust by Prince..

I can’t properly attribute this, since my wife sent it to me as an email, but I still wanted to share:

Last night my sister and I were sitting in the den and I said to her, ‘I never want to live in a vegetative state, dependent on some machine and fluids from a bottle to keep me alive. That would be no quality of life at all, if that ever happens, just pull the plug.’ So she got up, unplugged the computer, and threw out my wine.

She’s such a bitch.

Happy Friday, everyone!

When I read stories like this, I really begin to wonder if my country has gone irrevocably off the rails:

A few months earlier in the same airport, a tech engineer returning from a business trip to London objected when a federal agent asked him to type his password into his laptop computer. “This laptop doesn’t belong to me,” he remembers protesting. “It belongs to my company.” Eventually, he agreed to log on and stood by as the officer copied the Web sites he had visited, said the engineer, a U.S. citizen who spoke on the condition of anonymity for fear of calling attention to himself.

I guess that the Fourth Amendment is the latest member of the Bill of Rights to be put explicitly out-of-scope at airports.

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

This boggles my mind…

…election officials shook their heads in disbelief as investigators confirmed 20 ballots in the 49th Ward’s 42nd precinct were cast with inkless pens.

Apparently, the poll workers at 1723 W. Greenleaf Ave. told incredulous voters that the touch-screen stylus was actually an invisible-ink pen to fill out paper ballots, city elections spokesman James Allen said.

“You spend months trying to prepare for every contingency,” Allen said. “Trying to anticipate every possible way people might be confused . . . Then this? Incredible.”

Even the ballot scanner knew better, he said, rejecting all 20 ballots. Each time, the judges overrode the scanner and recorded the vote as blank. By 3 p.m., only five of the 20 voters had been contacted to return to recast their votes.

Amy Carlton, 38, of Rogers Park said that all the judges at the polling place insisted they had been trained in the use of the pens.

“I’ve voted before,” Carlton said. “I was thinking ‘This is crazy.’ But when someone in authority insists, what are you supposed to do?”

Lots of things are disturbing to me about this. The pens are black ink pens that you use to color in the gap in a series of arrows pointing to the candidate you want to vote for. This system has been in place here in Chicago for some time.

First, that someone would be clueless enough to make this sort of mistake. Second, that the officail would stand by their mistake, even as the machine was confirming what their eyes already knew. Third, that people were willing to accept what they clearly knew to be bad data, confirmed by the technology, because an authority figure insisted.

Sure, it’s just stupid on the surface, but it’s also an opportunity for some low level election fraud. People need to have at least a baseline level of knowledge of the system and its procedures, both the judges and the voters. Whatever happened to the concept of an “informed electorate?”

And, yes, the system is simple enough that my cats could vote with it. In fact, seeing as how this is Chicago (”vote early, vote often!), come November they might.

It’s Super Tuesday, so if that applies to you be sure to read up the the races in your primary, then get out and vote today.*

I got to my polling place about 10 minutes after the polls opened at 6am and they had not yet cleared out the initial backlog of early morning voters. It’s a combined polling place for three precincts and there were lines of 3-10 people at each precinct with six booths per precinct. I was ballot #10 in my precinct, and I would estimate that mine was the slowest of the three. By the time I left, the lines were even longer.

Beyond the heavy turnout, I fortunately have nothing to report. We use optical scan ballots in Cook County, which I’ve always found extremely easy to read and use, especially compared to punch cards.

I’ve always wished that I’d gotten to vote once on the old mechanical switch voting machines with the big red lever which closed the curtain, leaving the voter inside with banks of switches like the Wizard of Oz. I know they were vulnerable to all sorts of interesting retail-level vote fraud, but those banks of giant aquamarine machines lined up in my elementary school somehow got burned into my brain. The idea that I would one day get to go in there and flip switches and pull that red lever was one of my greatest aspirations as a child, and that was before I really even understood why it mattered.

And one final reason to get out there today*…if you don’t vote, you don’t get to complain later.

* Offer valid only in participating states and territories of the United States of America.

Voting machine image shamelessly stolen from Bits from Bill