A syllabus for a history of Internet social and privacy issues

Paulina Borsook, Freedom to Tinker: Neophilia and Human Nature. After a well written illustration about how concern about Internet behavior and regulation is more “nothing new under the sun,” Borsook offers a bibliography that would make a fantastic syllabus for a college course on the roots of Internet culture, policy, and journalism.

Near miss

A Wikipedia page I was largely responsible for has been spared the axe, and I feel like a successful defense lawyer. 

Wikipedia is an encyclopedia that’s free for anyone to edit, that aspires to surpass other encyclopedias in quality. To meet both goals it has evolved a series of rules, a few arbitrary but most well thought out and endlessly debated, that determine what stays in and what goes. Rules like “Wikipedia is not a directory” and “Wikipedia is not for promotion” are self explanatory; “Wikipedia is not a memorial” may take more careful reading. (I find this page a helpful summary.)

So when Wikipedia editors get in an argument about whether something belongs, it is through a formal process called AfD, for “Articles for Deletion.” And the discussion often goes down the various principles listed above, frequently referred to by initials rather than by name. 

That the ensuing debate is called Wikilawyering is unsurprising, as is the fact that that term itself can refer to misuse of rules to obey the letter of the Wikipedia policy while violating its intent. 

But in the end, your article is likely to prevail if you have taken steps to ensure you write about notable things, cite your facts, and avoid original research and puffery. It’s a great educational process, in that way. 

“We clearly missed the mobile phone”

Slashdot: Satya Nadella: “We clearly missed the mobile phone.” What is so frustrating to those of us whose fortunes were tied to Microsoft’s (I was an intern in 2001 and an employee from 2002 to 2004) is that it wasn’t for lack of trying.

There was constantly something going on in mobile, often with senior leadership taking the reins. But too often it was trying to push a version of the Windows user experience into a handheld format.

The lesson? Don’t let your product portfolio strategy overrule user experience, or users will overrule you.

Vote early (not often)

Early voting sign in Andover, Massachusetts (AP)
Early voting sign in Andover, Massachusetts (AP)

I just did early voting for the first time this morning. It was easier than I expected.

My town offers one early voting location, in Cary Memorial Hall. I found a parking space in front (reserved for early voters) and entered the lobby, where there were about twelve other voters reading signs and standing in line to check in. About eight more were already inside voting.

I was given a ballot and an envelope that the poll worker marked with my precinct number. I voted, then signed the envelope and wrote my address on the outside, sealing my ballot inside. I turned in my ballot to a sealed box; because the ballot was sealed, there was no scantron and no counter, so I can’t tell you which voter number I was.

From a security perspective, the voting process seems no more or less secure than regular voting. It’s possible that someone could give a poll worker someone else’s name and street address, thus blocking their attempt to vote (just as they could on Election Day). It’s also possible that someone could register under their own name and then write someone else’s information on the early voting envelope and thus invalidate both ballots. But I think both outcomes are unlikely to be practiced at scale.

Massachusetts passed legislation in 2014 requiring that early voting be offered, and this is the first presidential election in which the law goes into effect. I’m hopeful that it will spark higher turnout. I’m wearing my “I Voted” sticker with the same goal.

The day after the election?

The New Yorker: Donald Trump and the Day After the Election. This is the thing I find most horrifying about the coming election: the prospect that in his ensuing tantrum, Trump will cement what a big part of the electorate already fears, that democracy is broken. When in fact, the most probable outcome is that democracy will be proven to work.

Leonard Cohen, as usual, is way ahead of us:

Everybody knows that the dice are loaded
Everybody rolls with their fingers crossed
Everybody knows that the war is over
Everybody knows the good guys lost
Everybody knows the fight was fixed
The poor stay poor, the rich get rich
That’s how it goes
Everybody knows

But also:

It’s coming to America first
The cradle of the best and of the worst
It’s here they got the range
And the machinery for change
And it’s here they got the spiritual thirst
It’s here the family’s broken
And it’s here the lonely say
That the heart has got to open
In a fundamental way
Democracy is coming to the USA

Friday Random 5: Dry the Rain

An odd grab bag of stuff for an odd grab-bag of a day. But as the morning fog and rain burns off before the afternoon clouds roll in (feels a little like Seattle!), it’s a good day to strap the headphones on for a little Random 5.

Radiohead, “4 Minute Warning”: A song from the “Disk 2” companion to In Rainbows, it’s like a lot of the songs on that masterwork: pretty and conventional on the surface, shot full of existential dread underneath.

Nick Drake, “Know”: Speaking of existential dread, this bare guitar-and-voice track from Pink Moon carries the same emotional payload as Drake’s devastating “Black Eyed Dog,” without the comforting John Fahey-inspired solo guitar work. The repeated guitar figure comes across as accusatory and mocking as the narrator sings “You know that I love you/You know I don’t care/You know that I see you/You know I’m not there.” Is the narrator accusing? Stalking? Dead? A great track for Halloween.

PJ Harvey, “Hanging on the Wire”: Another pretty song of despair, this one from the battlefield. The technique is offputting for me, which may be why I never cottoned much to this album.

Nada Surf, “Here Goes Something”: Lovely, optimistic track from an album I’ve slept on a bit. Lucky isn’t as unabashedly brilliant as Let Go or The Weight is a Gift but there’s some really good stuff on it.

The Chieftains & Kevin Conneff: “The Green Fields of America”: No, I know. But come back. This isn’t the typical Chieftains track, heavy with tin flute and bonhomie (though I like a lot of those tracks too). This is a solo song by Kevin Conneff about the Irish immigrant experience, and it’s totally devastating. Must listen.

The Airport years

I installed a new Airport Extreme (6th generation) on our home network yesterday. We haven’t run Cat5 through our whole house the way we did in Arlington, so our primary FiOS WiFi router has to live in the basement right next to the FiOS network box, and its signal is unacceptable in about a third of the first floor and almost all of the second.

We had been limping along with an Airport Express in the upstairs bedroom as a second network, but it didn’t really have enough signal strength to solve the problem. I experimented with substituting in our old Airport Extreme (dating from around 2007), but it had weird range problems, with range and signal strength dropping unexpectedly. So we decided to bite the bullet and get a new router.

Man, am I glad we did. The range and speed from the new router are incredible; I even get WiFi out at the kids’ bus stop now. And things that used to give the old network fits, like running the microwave, are no longer an issue.

I was talking about it with Lisa last night and we realized that we bought our first AirPort router before most of the planet had WiFi. We had the original “flying saucer” model back in the fall of 2000—so long ago, the base station had a dial-up modem in it. We’ve come a long way.

What is free?

My company, Veracode, published our most recent State of Software Security Report yesterday (disclaimer: I’m one of the authors). The report mines data from hundreds of thousands of application scans to paint a picture of the risk profile of software.

This year we included data on risk from open source components. The idea is that it’s common, especially in Java development but also in Javascript, Python, PHP and other languages, to use libraries and frameworks that were developed by the open source community for certain foundational parts of the application’s functionality. Why write a new object persistence layer (to pick one example) when you could simply use a free off-the-shelf one and focus on writing the actual behavior of the application?

Turns out there’s one major issue with this approach: all software, even open source software, is buggy, and some of those bugs are vulnerabilities: they can be exploited to compromise the confidentiality or integrity of the data the application accesses, or impair the availability of the application itself. And widely shared components create a big target of opportunity for attackers, who can focus on finding vulnerabilities in the shared components for a payoff of attacking hundreds or thousands of applications.

The open source community generally stays on top of fixing these vulnerabilities as they’re discovered. Look at any popular Java framework like Struts or Spring—you’ll see dozens or hundreds of point releases fixing all sorts of defects, including security vulnerabilities. So what’s the problem?

The problem is that developers don’t upgrade to newer versions of the components they use. From the developer’s perspective, there’s almost zero benefit, and a high downside, to a component upgrade: it takes time out from developing features that the business has asked for, and there’s a non-zero risk that upgrading the component will break functionality in the application. From their perspective, the possibility of a hack via the component is remote, so the upgrades don’t get done.

This attitude makes sense in the short term, but in the long term is fatal for security. Because vulnerabilities do get found in older components. The best description I’ve heard of this phenomenon comes from Josh Corman (who says he heard it from someone at Microsoft): “Software doesn’t age like wine, it ages like milk.” As developers widely adopt components, the attack surface for newly discovered vulnerabilities in those components becomes broad indeed.

It’s not open source’s fault, but I do think it reflects a misunderstanding of the cost/benefit analysis for using open source. Yes, open source is free of commercial licensing fees, but it is not free of downstream maintenance costs. It’s as if someone gave you a car. Just because it’s free doesn’t mean you don’t have to periodically change the oil.

Likewise, developers who adopt open source components should set expectations with the business that they’ll need to reserve some of their development time for basic maintenance, like component upgrades. Doing so proactively helps improve predictability—and avoid the likelihood of having to do an emergency update that disrupts the roadmap.

Hacking away

It was an incredibly busy last couple of days, to the point where I couldn’t even think at some points. The older I get the more I learn things about my cognitive style. Things like: there’s a point beyond which I can’t multitask any more, where adding additional things to the “to do” list simply adds anxiety. Where the startup time for thinking about any additional item is more than the time allotted to work on any small item.

I don’t know when my multitasking muscles got so flabby.

It’s Veracode‘s Hackathon, meaning Thursday and Friday (and Monday) we all are encouraged to work on something outside our normal work responsibilities, whether for fun or for something that moves the company forward or both. There have been patents and product features that have come out of these hackathons, as well as … more explosive experiments.

But this afternoon is the best part of it, when I get to bring my kids to the office to work on their own hacks. When my daughter was six she made LED throwies; there have also been programming classes and giant fort construction events. I hear tell there might be an egg drop this afternoon. Can’t wait.

“Uncontrollable innovation”

New York Times: Why Samsung Abandoned Its Galaxy Note 7 Flagship Phone. Like John Gruber, I am curious about the closing quote, from Park Chul-Wan, the former director of the Center for Advanced Batteries at the Korea Electronics Technology Institute:

“The Note 7 had more features and was more complex than any other phone manufactured. In a race to surpass iPhone, Samsung seems to have packed it with so much innovation it became uncontrollable.”

Uncontrollable innovation? That’s an interesting claim.

I think the thing that’s forgotten here, as in so much of the smartphone feature war, is that features aren’t useful if they can’t be used, or safely manufactured, or if they don’t meet a customer need.

It doesn’t sound to me like the problem was out of control innovation. It sounds to me like the problem was an engineering culture that created a product that was untestable, and a management culture that made it impossible to react rapidly to new developments in the marketplace.

Hacking the legal system for reputation repair?

Eugene Volokh and Paul Alan Levy, Washington Post: Dozens of suspicious court cases, with missing defendants, aim at getting web pages taken down or deindexed. Brilliantly slimy hack of the legal system and search engine infrastructure. Google won’t take down search results without a court order? Sue an imaginary defendant with a similar name, get him to settle, and use the settlement to get the pages taken down.