Culture of Secrecy

A culture of secrecy breeds power and the ability to act with impunity. Careerist elements within any government prefer secrecy because it allows them to forego the often tedious act of being accountable for even the smallest decision. It’s often justified as a Good Thing because the actors can circumvent bureaucratic red tape and work more efficiently. Ultimately, however, the end game is the same: A small elite minority within the permanent establishment begin to take privilege and influence for granted, and act independently of government policy.

This is not something unique to the US diplomatic corps. It happens in all organisations. And it is explicitly what freedom of information laws and regulations are designed to counteract. Absent this capability, it’s left to whistleblowers and WikiLeaks to serve in this role.

Viewed in this light, we have to conclude that the attacks on WikiLeaks are primarily driven not by the state, but by certain of its constituents who might lose the leverage that a culture of secrecy has given them. That’s why the counter-attack on WikiLeaks has been composed mostly of deft cuts at the service’s underpinnings rather than overt state action. A quiet word here and there, and anyone hosting material even related to WikiLeaks goes offline. A whisper in the ear of an ambitious (or susceptible) Swedish prosecutor and a nuisance case becomes an international manhunt.

Secrecy and a scarcity of information are crucial to the continuation of the cronyism about which so many Americans complain. It astounds me how many of these same people who rail at the unhealthy, shadowy bonds between corporations, lobbyists and the government are now scandalised that an organisation like WikiLeaks is struggling to diminish the power of these linkages.

The China Market

On Saturday, the Guardian revealed fears by US officials that China was using its privileged access to the Microsoft Windows source code in order to prepare and launch attacks against certain targets. This fear appears to be justified, in light of the tactics used in the highly publicised attacks that led to Google’s withdrawal from China. The attacks, we are told, were initiated by the Chinese Politburo when one of its senior members googled himself (naughty!) and found material that was critical of him.

I confess feeling a bit of smug satisfaction when I say I Told You So. Microsoft’s drive to secure the so-called China market at any cost demonstrates perfectly the complete imbalance in power that most businesses face when attempting to gain a foothold in China.

Back in 2007, when reviewing the purported victory, I wrote:

With trademark deftness, China has largely de-fanged one of the most effective and brutal corporate negotiating teams in the world. This is the corporation that managed to buy off the US government and avoid any real punishment following its conviction for abuse of monopoly powers. It’s the company that has consistently and rather successfully thumbed its nose at the European Union, the largest economic entity in the world today. It has controlled standards processes, locked in countless corporations and ruthlessly dominated the supply chain world-wide.

Yet Chinese negotiators got everything they asked for. Price reductions? They pay about 10% of what other governments do per seat. Control? They not only have access to the source code, they have the right to alter it to suit their purposes.

Think about what that means to the Chinese. In economic, political and strategic terms, they’ve negotiated unprecedented access to an invaluable resource, and they’ve done it in a way that costs them next to nothing. Truth be told, Microsoft got almost nothing out of this deal. China still uses Linux whenever and wherever it wants.

It still astounds me that anyone thinks that the so-called China Market is anything other than what the Chinese regime decides it is at any given moment.

Sure, there’s a lot to be said for the beneficial effects of market forces. I won’t dispute that. The one thing people tend to forget is that, if push comes to shove -and it has in the past- the Chinese are capable of enduring unimaginable suffering to achieve a strategic goal. (Well, capable of allowing their citizens to endure unimaginable suffering, at any rate.) That willingness gives them the capability to impose any number of arbitrary conditions onto the economic environment.

Western governments don’t think of themselves as the owners of their respective economies. The Chinese do.

So when the likes of Cisco, Yahoo! and Microsoft betray every iota of principle (and expose a callously cavalier attitude toward strategic security issues) in pursuit of economic gain in China, I can only caution them that things only look manageable now because they’re not happening to you.

Yet.

Open Source Diplomacy

[This column appeared in the Vanuatu Daily Post.]

Say what you like about wikileaks and their recent dump of over 250,000 US diplomatic cables, but there is probably not a single researcher in International Relations, History or Political Science without a tingle in their pants today. Never in modern history has so much information been made available in such a readily accessible format. This is, for researchers, a gift that will keep on giving for decades to come.

The thing that impressed me most from my brief perusal of the 200-odd documents released on the first day was not so much the content as the quality of the analysis. The cables were well-written and obviously well-researched. I suspect that there’s more than one junior foreign officer out there with a quiet smile on their face today, because finally the world will see just how good they are.

Yes, I’m ignoring completely the ethics and morality of the situation. That horse is out of the barn, and incidentally, what a barn it is….

These cables will provide more insight and understanding into American diplomacy than anything else ever has. Just as access to hitherto proprietary source code sometimes unearths dirty secrets of which even its author is ashamed, there is likely to be a lot of unpleasantness to be found in the cables.

I think the longer term result, however, will be that much of what’s good about the US diplomatic corps (and there’s a lot of that) will assist countless others to improve their own work. In fact I think it’s likely there might be more than one diplomat that might actually be relieved to see the unspeakable spoken aloud. This torrent of data just might break more logjams than it creates.

The rise of the Free Software movement in the 1990s increased access to the source code that runs our computers and caused fundamental changes in software development. Their echoes are still quite strong today. Code that was once hidden behind thick corporate walls was now being handed about in a vast open source bazaar. This discomfited many vendors who were dismayed to discover that their crown jewels could become valueless overnight as software became commoditised.

A lot of dirty laundry got aired in the process. Bug-reports, software update schedules, coding practices all became subjects of open discussion and, yes, dispute. Tolerance for second-rate code dwindled significantly. Emphasis began to fall more and more on results. As one acerbic commenter wrote: “A single line of running code trumps a thousand lines of argument.”

Companies who attempted to retain their secretive ways were simply bypassed and their flaws exposed for all to see. Sound familiar?

In the late 1990s, Microsoft identified Linux specifically and Free Software generally as the greatest strategic threat to their organisation. They were right. Microsoft’s stagnation is partly attributable to the advantage that FOSS has given several of its competitors. IBM, Apple and Google have all leveraged open source software to jump-start various endeavours that compete directly with Microsoft. Likewise, Microsoft’s need to increase the pace of development resulted directly in their death-march to Windows Vista.

Just as Microsoft was able to drive Netscape Communications out of the market by commoditising the web browser, others are commoditising vast swathes of the computing industry by leveraging FOSS.

The commoditisation of information proceeds apace, and although the stakes are perceived to be higher in this case, the effects will probably be similar in nature. A fractious dialectic is already emerging between those who truly believe in the benefits of information resources like those circulated to millions of US military and government staffers on SIPRNET, and those who seek to leverage proprietary knowledge for their country’s -and sometimes their own- gain.

All secrets are like kindling. Used at the right time, gossip can provide warmth, build allegiance and influence. Used rashly, well… you know where this is heading. In that sense, WikiLeaks may seem like a 10 year old boy with a stolen box of matches. But applied judiciously and with a sober sense of timing, the same principles of openness as a default stance and a predilection toward sharing that are at the heart of free software development (and the Internet itself) could usefully animate international diplomacy.

To be perfectly clear: I’m not suggesting that there is no need for secrecy whatsoever in diplomacy. I’m suggesting that, as we’ve discovered with programming processes, secrecy might prove to be less necessary -and effective- to security than it appears to be.

False Equivalence

Again and again over the years, I’ve listened to people excuse Microsoft’s chronic insecurity and apparent inability to escape from its virus-infected legacy. This in spite of the fact that the nearly boundless contagion of the Microsoft world has yet to spread into other, increasingly popular areas of technology.

The claim typically runs like this:

If Linux or OS X ever exceed Microsoft’s market share you’ll see the malware flood onto them too.

The logic behind this statement runs more or less as follows:

  1. Windows gets attacked a lot because it’s the most commonly used computing platform in the world.
  2. The majority of exploits these days are due to so-called Stupid User Tricks – people are gullible, witless creatures who will click on anything appropriately enticing.
  3. There is no way to tackle this behaviour using only technical means.
  4. On top of that, all software has bugs. If you build something of equal complexity to the Windows operating system, you’re guaranteed to leave holes that the Black Hats will exploit.
  5. And anyway, most of the exploits coming out recently attack flaws in third party software. These days, Adobe’s applications (particularly Flash and Acrobat) are getting perforated on a nearly weekly basis.
  6. But why don’t the bad guys attack iPhones, Blackberries or Linux servers? Well, that’s simple economics of scale. If the reward for crafting a new Windows exploit is measured in hundreds of thousands or even millions of PCs infected, and the reward for creating even a simple exploit on a competing platform can only be measured in the hundreds or thousands… well, which would you choose?
  7. So to sum up: Microsoft bears the proverbial White Man’s Burden of supporting the vast majority of benighted, clueless users, suffering the slings and arrows of its outrageous fortune. And all you MacHeads or Linux geeks: you should be bowing your heads and saying, “There but for the grace of God go I.”

So people should really be grateful to Microsoft for offering itself as a target, for shouldering the unenviable burden of having to support the thoughtless, unwatched masses.

This argument is invalid in many respects. Ultimately, it relies on false equivalence: If no software application can be 100% secured, all software is therefore equally insecure.

The big problem with usefully countering this argument, however, lies in the fact that the answer is quite nuanced and therefore not compressible into a 20 second elevator speech.

On the face of it, there is something to the argument that popularity makes Windows a target. Black Hats often do go to inordinate lengths to craft malicious software aimed at Microsoft Windows. And they often ignore holes in other operating systems. A few years ago, it was discovered that a number of Linux distributions had a gaping flaw in software used to secure websites, email and other private communications, all deriving from a single error introduced by a software package maintainer. Not only was the flaw jaw-droppingly obvious, but it had lain there undiscovered for nearly 18 months.

I commented at the time that:

[p]eople at every stage of the production process and everywhere else in the system trusted that the others were doing their job competently. This includes crackers and others with a vested interest in compromising the code. I should exclude from this list those who might have a reasonable motivation to exploit the vulnerability with stealth and to leave no traces. If, however, even they didn’t notice the danger presented by this tiny but fundamental change in the code base, well my point becomes stronger.

So yes, it must be granted that some software benefits from an occasionally unwarranted assumption of strength. But, the occasional WTF moment notwithstanding, this assumption doesn’t come from nowhere. Linux has earned itself a dominant position in the server market because it actually is more robust, less resource-intensive and yes, more secure than Windows server. (Why these successes haven’t translated into widespread success on desktop PCs is flamebait for another day….)

But point 2 states that, even if it did succeed on the desktop, Mac OS or Linux would still be vulnerable to the same Stupid User Tricks as Windows. But wait – at what point does a platform become a useful target for mass exploitation? 10 million? How about 41 million and rising? Are iPhone users more sophisticated than their Windows-using counterparts? Contrary to what the advertisements tell us, sadly no. Do they use them for the same purposes as Windows (like online cash transactions, email, etc.)? Sure ’nuff.

So why aren’t they being attacked and exploited? Well, when we mentioned the numbers game, we forgot to mention another basic aspect of economic theory: Risk. iPhones and iPads and various other devices from Apple exist in what’s known as a walled garden. Unless you deliberately ‘jail break’ your device, you’re largely reliant on Apple’s App Store, and you’re beholden as well to the telco that charges you for every byte you send. Not only is there a strong incentive for phone users to closely monitor their bandwidth use, Apple also insists on evaluating every single app that runs on its platform.

Likewise, most Linux software is installed from repositories maintained by the various commercial or community-run distributions. Oversights like the notorious SSL flaw are rare indeed. On one occasion a server that distributed packages for a popular web server was found to be compromised. The problem was fixed quickly. These days, most software is digitally signed so that the installer can verify that it has not been altered by third parties.

Argue all you like about the limitations of these approaches (and there are more than a few), they do increase the likelihood of getting caught while trying to inject something nasty onto someone’s iPhone or Linux box. Rather than being trusting by default, these systems have built a chain of trust between agents in the system. Each of these agents is verifiably trustworthy, so anyone compromising the system is subject to discovery.
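The signed-repository check described above, as an added shell example that is not part of the original post: the maintainer signs the package once, the installer verifies the detached signature before trusting the bytes, and a package altered after signing (as on a compromised mirror) is rejected. It assumes the openssl CLI is available and uses a constructed package file and a freshly generated key in place of a real distribution’s signing key.

```shell
#!/bin/sh
# Added example, not code from the blog: a minimal repository-style signing
# and verification flow using the openssl CLI. The repository maintainer
# signs the package once; every installer verifies the detached signature
# against the shipped public key before trusting the package bytes.
# Assumes openssl is on PATH. All files are constructed in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- Repository side (hypothetical maintainer) ---
# Signing keypair. The private key never leaves the maintainer; only
# repo.pub is distributed to installers (e.g. baked into the distro image).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/repo.key" 2>/dev/null
openssl pkey -in "$WORK/repo.key" -pubout -out "$WORK/repo.pub" 2>/dev/null

# Constructed stand-in for a package file (a .deb/.rpm in a real repo).
printf 'name=example\nversion=1.0\npayload=hello\n' > "$WORK/example.pkg"

# Detached signature over the package bytes: SHA-256 digest, RSA-signed.
openssl dgst -sha256 -sign "$WORK/repo.key" \
    -out "$WORK/example.pkg.sig" "$WORK/example.pkg"

# --- Installer side ---
# verify_package PUBKEY PACKAGE SIGNATURE: exit 0 only if the signature
# was made by the repository key over exactly these package bytes.
verify_package() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Genuine package straight from the maintainer: must verify.
check_genuine() {
    verify_package "$WORK/repo.pub" "$WORK/example.pkg" "$WORK/example.pkg.sig"
}

# Package altered on a compromised mirror after signing: the old signature
# no longer matches the bytes, so the installer must reject it.
check_tampered() {
    cp "$WORK/example.pkg" "$WORK/tampered.pkg"
    printf 'payload=altered\n' >> "$WORK/tampered.pkg"
    verify_package "$WORK/repo.pub" "$WORK/tampered.pkg" "$WORK/example.pkg.sig"
}

if check_genuine; then echo "genuine package: signature OK"; fi
if check_tampered; then
    echo "BUG: tampered package accepted"
else
    echo "tampered package: signature rejected"
fi
```

The same check is what lets an installer notice a modified package even when the download server itself is the thing that was compromised, provided the public key was obtained through a separate, trusted channel.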

Such scrutiny is largely missing from the Windows environment. At best, it’s provided ex post facto, via anti-malware applications.

This means that users of different systems can be equally trusting, with significantly different outcomes.

All computing environments are not created equal. While Microsoft has staked its entire business on giving the customer convenience at any cost, others have not. They realised that you have to be careful not to make software easy for anyone at all – especially not a total stranger.

Windows is the target for authors of malicious software, therefore, because the whole Windows environment is attractive:

  • Security is not at all systematic. Even as Windows itself improves, many popular application vendors lag, partly because they want to keep things easy, partly because security is seen as a cost-centre and therefore treated as an externality by ambitious managers.
  • Risk is low. A wide-open trust-by-default philosophy permeates all levels of the system, so you really have to be spectacularly dumb or naive to get caught.
  • AND… Windows is ridiculously popular.

I’m not for a moment suggesting that writing malware as a business won’t continue after Windows is long gone. Of course it will. I will predict, though, that the era of mass-infection will end with Windows XP.

Just as US banks in the 1920s-30s learned (eventually) to make themselves less susceptible to bank robbers (whose activity peaked at that time due to recent improvements in transportation –good roads and a getaway car made robbery popular), personal and institutional computing will eventually learn to take malware in stride, to reduce the scope of any given exploit from its current colossal size to something much smaller.

There will always be another rube willing to allow another con-man to fleece him. There will always be innocent victims who get mugged because they were in the wrong place at the wrong time. There will always be ‘bad neighbourhoods’ on the Internet. But to suggest, as some do, that this somehow excuses the appallingly poor security models, practices and culture that ensure Microsoft’s continued relegation to the security gutter… well, that’s just disingenuous.

To tar other OSes with the same brush is to suggest that one should not move to another bank because, once enough people move to it, it too will become the target of bank robbers. It’s wrong because:

1. Nobody is suggesting that everyone has to move all their money to one single bank;
2. The new bank might not be perfectly secure, but at least it doesn’t leave all the money in a pile in the middle of the floor.

This move to a more heterogeneous and inherently secure environment will happen in small increments, and the process will lurch along in fits and starts, but it is far more likely to happen than another single, monolithic operating environment taking over from Microsoft Windows – and I include future versions of Microsoft Windows in that grouping.

And that, my friend, is why I find the contention that ‘Linux and Mac OS will be just as bad when they get popular’ to be inane, misleading and, frankly, intellectually lazy.

Blogging for Dollars

Over at the Wired Epicenter blog, people are speculating that Next Monday’s big announcement from Facebook’s Mark Zuckerberg will be a webmail client, aimed directly at stealing Google’s technological thunder.

Reaction from commenters was universally negative. People complained about privacy concerns, made silly FailMail jokes and observed that Google would be pretty hard to beat in terms of simplicity, reliability and functionality.

But the comment that caught my eye was this:

“I’ll sign up at Failmail when Zuckerberg personally starts sending my PP around 40$ a month.”

Haha, very fu- Hang on a sec….

On reflection, that probably would work, wouldn’t it? Zuckerberg could do that, too. Well, not for everyone, certainly not all the time. But think about it: Knowing what we do about human nature, what’s to stop someone from creating a social networking site that operated using cash as a measure of social connectedness and success?

The mechanism would be simple enough. Members join for a nominal fee, not high enough to be painful, but enough so that someone would have to make a deliberate decision to join. More to the point, it would have to be enough that, for many, peer pressure would be necessary to drive them into the fold. Once there, an algorithm would identify the most connected, popular and useful members of the community and award them a share of the pot.

Call it a Social Credit Union.

Right, you’re probably thinking. Exactly how many seconds would it take for someone to begin gaming the system for money? The answer is alarmingly simple: as long as people like something and/or find it interesting, who cares? As Randall Munroe so aptly put it: “Mission. Fucking. Accomplished.”

Seriously, as long as the integrity of the metrics and the security of the cash flow are not compromised, it won’t really matter how someone connects with others, impresses and/or influences them. I’ll grant you, the potential for absurdity is very high, especially when one considers just how stupid people are willing to be for free.

Humanity may have some spectacular examples of its inanity, its shallowness and its capacity for self-deception. But they are, happily, in proportion to its ability to explore beauty, wit and learning. A social credit union would reward each without fear or favour.

The capitalists in the audience are no doubt asking why someone would pay -and continue to pay- for a service that a) they could get for free; and b) which rewards others but costs them? It’s been demonstrated time and again that people will actually deny themselves in order to spite others. Surely the service would last exactly long enough for it to be castigated as a cesspool of self-promoting poseurs, a pyramid preying on the socially naive?

Yeah, that could happen. In fact, it’s as likely an outcome as any other. I’d give odds that if you started a dozen of these, 8 of them would implode within months. But here’s the thing: with the right dynamic and the right ethos, it could succeed, and those who wish they could spend more time writing, researching arcana, making fanvids… doing all of those niche activities that add spice and, occasionally, actual art to our online existence – some of them, at least, could prosper.

The vast majority of people would never get more than a few pennies back, of course. Which leads the Adam Smith devotees in the audience to ask, ‘Who in their right mind would pay for something that they could otherwise get for free, and continue to pay even after it becomes clear that they will likely never be rewarded for their use of the service?’

The answer is dead simple. People pay to phone and text; they pay for Internet; they pay club memberships; they buy people beers; they spend vast amounts of money trying to buy social credit. As long as they receive a useful level of service (for some amalgam of collective and individual perception of what constitutes service), and as long as membership is less costly than being left out, they will pay.

This is not a new Athenian Agora we’d be building[*]. The most likely people to profit will be the very same people we hated in high school: Pretty, cool, witty and self-assured, funnier and sometimes -only sometimes- smarter and more interesting than the rest of us. Nonetheless, if you’re a creative person looking for a way to survive in the 1st Century of the Internet, this is probably your best hope.


[*] Well, actually, it is. Remember that the Agora was not only where Socrates sat with his students, but where the whores, petty thieves, shysters, con men and plain old merchants all hung out.

Steal This Book, But Buy Me a Beer

The Economist’s Babbage has written a sardonic critique of Amazon’s recently announced decision to allow its customers to lend e-books to one another:

AMAZON.COM says soon you will be allowed to lend out electronic books purchased from the Kindle Store. For a whole 14 days. Just once, ever, per title. If the publisher allows it. Not mentioned is the necessity to hop on one foot whilst reciting the Gettysburg Address in a falsetto. An oversight, I’m sure.

Enumerating the ways in which this current offer fails, he correctly notes that time is running out for publishers. Perhaps it’s already too late.

This prompted a fair amount of back-and-forth among geeks, along fairly predictable lines. The majority riffed on the mantra that Information Wants to be Free, while others tried to find some accommodation between droit d’auteur, commerce and society’s fundamental desire to share:

I realize Slashdot has a certain “information should be free” ethos, but it doesn’t make much sense to build in the ability to give unlimited copies to everyone and think that it won’t undermine the business. While the publishers “wish you to engage in two separate hallucinations”, it seems like lots of other people want us to engage in another hallucination: that giving out unlimited copies won’t turn into a financial problem for booksellers.

Just for the sake of argument, let’s accept that assertion as truth: Infinite distribution necessarily causes financial problems for publishers. That doesn’t explain why they would choose to give fewer lending rights to possessors of digital copies than to those who buy the paper object. Nor does it explain why they charge pretty much the same price for this reduced capability.

We seem to be dealing (yet again) with anti-features: The publishers are actually adding to the consumer’s burden in exchange for nominally lowering the cost and ‘allowing’ them the convenience of reading an electronic copy of a given book.

As the Economist rightly notes, this won’t stand. Anti-features (including DRM) only need to be removed once. Argue however much you like about the rights of the author. As a writer, I’m pretty damn sympathetic. But realistically, creators have to adjust to the world as it is. People will share things that delight them. They do so with photos, with posters, books, music, TV shows and movies… in short, with everything they can.

And there will always be someone willing to feed that desire.

Yes, it puts creators in a quandary. Yes, it threatens livelihoods and, potentially, might even prevent the next great opus. But to attempt to remodel the world to fit an outdated vision? That’s just insane. I don’t mean stupid -it actually requires a fair amount of imagination to get there- I mean insane, nuts, cuckoo. The idea is premised on the fact that all of society (save the poor, beleaguered author) is wrong, and must change. Even if the first clause is correct, the second does not follow. And even if we accept it logically, we still have no hope of effecting that change through technical means.

I suppose it is possible that we could change society. It’s happened before. But we will not do it with DRM and anti-features.

So what, then, is a creator to do? The best I can come up with right now is enough to make most established professional creators despair: Rely on the kindness of strangers.

Let’s face it; as Adrian Hon says, rampant sharing of books (and music, and TV shows, and movies, and photos, and… well, everything digital) is a fact of life. Some publishers will fail. Some (more) newspapers will die.

But surely there must be some way to extend the practice of gift culture[*] beyond the geek world? Surely there’s a way to turn social approbation into status and status into success?

It already happens in the celebrity world. People will go out of their way to provide goods and services for free -even to pay handsomely- solely because they want to appropriate someone’s popularity for their own purposes, be it more guests at a restaurant or more people buying their shirt. Interestingly, celebrity endorsement’s success is inversely proportional to its relationship to straight-up capitalist quid pro quo. We like both the celebrity and the product less when we know their relationship is strictly economic.

Let’s take a perverse example for a gedankenexperiment: Imagine if the Star Wars kid had not only received millions of views, but millions of pennies from people willing not only to laugh at him, but to show a little fellow-feeling as well? Ignore the mechanics for a moment; just imagine what society would be like if our online status were directly related to economic and social standing?

Follow that scenario far enough and one arrives at some fascinating places, not all of them pretty. Jealousy, gossip, pretension and slander become more influential. One has only to get a certain number of people to dislike someone to limit or even end their ability to profit.

Worse yet, if we make it possible for people to take their pennies back, we quickly approach the tyranny of the small town. Life would at times resemble a Hawthorne novel more than anything else.

But it might easily create a few Shakespeares (or more accurately, Lord Chamberlain’s Men) as well, with the populace more than willing to toss a penny[**] each their way and society figures vying to be seen supporting and associating with them.

The mechanisms by which this could be achieved are not hard to imagine. An iPhone or a Facebook app would suffice – if online commerce could ever be wrested from the banks and credit card companies.

The unpredictable part is the non-technical side. Making it not only Good but Desirable to be seen associating one’s wealth with popular figures of all stripes would require a quantum shift in online society. I’m sure if a poll were conducted, most people would agree with the idea of rewarding those who have delighted, entertained or enlightened us in some small way. But as every busker will tell you, there’s an immense gap between the idea and the practice.

I’m going to offer a prediction: Something like this will –must– happen. And sooner rather than later. I await the change with mixed apprehension and excitement.


[*] Eric Raymond may be a kook, but he’s right about this.

[**] According to my admittedly poor math, about 1/2000th of a prosperous merchant’s monthly income.

Cyber Wuh?

Seymour Hersh is a better, more generous man than I. He does a characteristically sober and thorough job of investigating purported threats to military and civilian communications networks in the latest edition of the New Yorker magazine. I might like him better if he had avoided using the words ‘Cyber’, ‘War’ and ‘Terror’ all in a single headline, but in fairness, sometimes you have to use the language to negate its power.

I would also have preferred it had he not given such prominence to Richard Clarke’s fear-mongering, indulging him with a lengthy quote describing a catastrophic cyber war scenario with nationwide power cuts and planes ‘literally falling out of the sky'[*]. It takes him several more paragraphs to debunk Clarke’s ramblings as self-promoting opportunism, and he does so with trademark aplomb – describing in some detail the economic interests at stake in this discussion and drawing a compelling portrait of the desire for control that motivates many of the characters in the world of online security.

A more cynical writer might jam a refutation up front in order not to leave impatient readers with the mistaken impression that he might somehow be endorsing these views. Hersh, it seems, trusts his readers to work through 6000 words of calm analysis; and, damn him, his trust in me at least is never misplaced.

Alas, he suffers fools far more gladly than I. His style is one which provides all involved with more than enough rope. I suspect that this equality of opportunity is what allows him to maintain access to extremely privileged sources in defense circles.

But what makes Seymour Hersh so valuable as a reporter on the military is his ability to cut through the fog of war-talk, to make clear distinctions between the actual threats and their portrayal in popular dialogue. In this particular case, he renders the world a service by drawing a clear line between electronic espionage (a commonplace activity in which the intrusions come more often from Western allies than from enemies) and actual Cyber War. He lines up a number of analysts who cogently and calmly dispel the latter as largely a fabrication used to drum up support (and budget) for increased military influence in civilian communications networks.

Most infuriatingly, he does so without down-playing the truly disturbing lack of protections against attack that characterise much of our modern communications infrastructure.

His dry-eyed depiction of NSA Director and newly-minted commander of the US military’s Cyber War command Gen. Keith Alexander is a truly magisterial piece of work. Without once voicing a word of criticism, he lays out a portrait of a man who wants, effectively, to dismantle the open, distributed (and yes, sometimes even anarchic) Internet and replace it with the digital equivalent of the Maginot Line.

There exists an innate tendency among all people with any influence to say, “Wait, this Internet thing is completely out of our control. We need to do something!” While the first sentence may be true, they neglect the simpler conclusion: If the network can’t be controlled from any single point, it can’t easily be destroyed by a single, targeted attack.

… Which is exactly what the Internet was invented to prevent.

I’ve argued in the past that the centralisation of network hardware is a liability not only to civil defense but to personal liberty. It’s gratifying to see someone else make the case so well. If you want to understand the current dynamic between an open Internet that enables unparalleled social forces and a network infrastructure that allows vastly increased levels of surveillance, censorship and control, you have to read Hersh on the matter. He’s not the last word in the discussion, but his contribution is indispensable.


[*] Clarke’s words, of course. It’s those literal falls you have to worry about. The figurative ones aren’t nearly as dangerous.

Cautionary Note

Every now and then, someone stumbles across my blog and asks me how they, too, can work in development. I try to be supportive, but usually find myself actively discouraging them, at least at first.

You’d better be strong, flexible, resourceful, good with languages and have more than the normal allotment of patience.

I’ve been stuck in cyclones, got malaria, dengue, been hospitalised from the after-effects of prolonged dehydration, had more parasites in more places than anyone really wants to know. I’ve been stung by things straight out of a Tim Burton movie. I’ve had death threats and constant, insanely unreasonable demands on my time and my pocketbook.

To put things into perspective: we had a 7.5 earthquake here a couple of weeks ago, and were laughing about it within the hour. Nature is tough and unforgiving here. You’d better be prepared.

You may think all this is exciting. It’s emphatically not. Put your Hollywood imagination away. It’s tedious, uncomfortable and often dangerous in small, boring, trivial ways.

I walked away from an affluent existence as one of the first few professional web developers to enter the field and survive now on a small fraction of what I used to earn (although I do live quite well by local standards – my new house has hot water!). That may sound romantic – I’ll admit it does to me – but the price is no security in my old age. I’m fool enough not to worry, but you may not be so inclined.

Development is a dirty, arduous grind, with few noteworthy victories. You have to measure success like a batting average. Just assume you’ll strike out more than you succeed. Most projects are unwinnable from the start, and you only go through with them because to do nothing would be worse.

On top of all of that, you’ll need to adjust to a culture so foreign to your experience that it will often leave you bemused or even shocked to the core. And you won’t have any safety net to rely on. There won’t be any police if you’re in a tight spot (unless they’re the ones who put you in it), and the fire truck – if it arrives at all – will come in time to water down the ashes.

You’ll see children crippled and even killed by trivially treatable conditions. You’ll see good people die and bad people prosper.

But once in a while, someone will smile at you like this, and it will all be worthwhile….

… It better be, anyway, because most of the time, that’s all the payment you get.

If, after all that, you’re still intent on coming, then read this and come on along.

You Are All Driving Pintos And I Want You To Stop

I have a bone to pick with you.

I’ve lived with this for a while now, but really, it’s getting intolerable. The vast majority of you are using the computer equivalent of a Ford Pinto. Poorly built, underpowered and yet inefficient, lacking both in style and substance. And unsafe at any speed.

You really need to ask why. Worse still, you’re not even driving it.

Back in 2007, Vint Cerf, one of the inventors of the Internet, stood up at the Davos Forum and announced that, out of about 600 million personal computers worldwide, about 150 million are remotely controlled by criminals. These ‘zombies’ or ‘bots’, as they’re commonly known, are formed into legions of compromised machines called ‘botnets’.

Let’s put this in perspective: If your own PC is not infected, then odds are very high that one of your next-door neighbours’ is. And since many enterprises keep strict security and controls on their corporate machines, the infections are concentrated among home PCs, so the odds that your home PC (and your neighbour’s) is a bot are higher still.

Next time you’re having a coffee and using the wifi service, take a look around. Count the number of non-Mac laptops. Divide by 4. That’s how many computers are trying to infect you on the very network you’re using to buy stuff. You wouldn’t jump into a hot tub with a bunch of strangers even at better odds than that. Why do it with your laptop?

The Pinto is notorious for actually blowing up if you bumped into it in a certain way. Botnets currently aren’t doing as much damage as that. They could, but they don’t. Simply put, their controllers would rather use them than lose them. They are quite happy to pollute the Internet with spam, viruses and other nasties, but they’d much rather steal your credit card number than your Internet access.

To switch analogies, it’s like some dark overlord deciding to postpone the zombie Apocalypse, using his legions to pick pockets and snatch purses instead.

Why am I so upset? Why should I care if most people cruise the Internet in the equivalent of a polluting, gas-guzzling, style-less lemon? Because you’re not only destroying my view, you’re damaging the road itself.

According to a recent report, 40% of the world’s spam is being generated by a single botnet. The botnet, named Rustock, comprises approximately 1.3 million individual PCs. This one botnet, in other words, has enlisted almost as many machines as there are people in the US military. Their combined output is about 46 billion spam messages a day.

46 billion-with-a-B spam messages. Every day. From one botnet alone.

Take a look at this graph. See those peaks and valleys? Notice how they match perfectly the pattern of people turning on their computers in the morning and off again later at night? See the lull over the weekend? This graph tracks spam activity over the course of a normal week on just one spam trap operated by some people who run an anti-spam operation.

They say:

The Y [vertical] axis is emails per second. “5.0k” means 5000 emails/second. For each 1000 emails/second this trap averages over a day, the total is another 86 million emails/day. For example, a 5000 emails/second average over a day represents 432 million emails per day.
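One way to put the trap operators’ arithmetic and the shape of that graph into code, as an added example that is not from the post or from the people who run the trap: it converts a per-second rate into a daily total the way they describe, then reads the day/night swing and the weekend dip out of hourly hit counts. The log lines and their `<ISO timestamp> hits=<n>` format are constructed for illustration; a real trap would log something else.

```python
from datetime import datetime, timedelta

SECONDS_PER_DAY = 86_400
DEFAULT_START = datetime(2010, 11, 1)   # a Monday; constructed week


def rate_to_daily(emails_per_second):
    """Average trap rate in emails/second -> emails/day, the conversion the
    trap operators quote (5000/s averaged over a day is 432 million)."""
    return emails_per_second * SECONDS_PER_DAY


def synth_trap_log(start=DEFAULT_START, days=7):
    """Constructed hourly spam-trap log (not real data): one line per hour,
    '<ISO timestamp> hits=<n>'.  The shape mimics infected home PCs: quiet
    overnight, busy 08:00-22:00, about half the volume at weekends."""
    lines = []
    for h in range(days * 24):
        t = start + timedelta(hours=h)
        hits = 1000 if 8 <= t.hour < 22 else 200
        if t.weekday() >= 5:            # Saturday / Sunday
            hits //= 2
        lines.append(f"{t.isoformat()} hits={hits}")
    return lines


def parse_line(line):
    """'2010-11-01T08:00:00 hits=1000' -> (datetime, 1000)."""
    ts, kv = line.split()
    return datetime.fromisoformat(ts), int(kv.split("=", 1)[1])


def diurnal_profile(lines):
    """Total hits per hour of day, summed over every day in the log."""
    profile = [0] * 24
    for line in lines:
        t, n = parse_line(line)
        profile[t.hour] += n
    return profile


def rhythm(lines):
    """Peak and trough hours, plus weekday/weekend ratio of mean daily volume.
    A strong day/night swing and a weekend dip are the signature of bots
    that only send while their owners have the PC switched on; an always-on
    server farm would show a flat line."""
    profile = diurnal_profile(lines)
    peak = max(range(24), key=profile.__getitem__)
    trough = min(range(24), key=profile.__getitem__)
    per_day = {}
    for line in lines:
        t, n = parse_line(line)
        per_day[t.date()] = per_day.get(t.date(), 0) + n
    weekday = [v for d, v in per_day.items() if d.weekday() < 5]
    weekend = [v for d, v in per_day.items() if d.weekday() >= 5]
    ratio = (sum(weekday) / len(weekday)) / (sum(weekend) / len(weekend))
    return {
        "peak_hour": peak,
        "trough_hour": trough,
        "peak_to_trough": profile[peak] / profile[trough],
        "weekday_to_weekend": ratio,
    }


if __name__ == "__main__":
    log = synth_trap_log()
    print(rhythm(log))
    print(rate_to_daily(5000))
```

On the constructed week this reports a peak at 08:00, a trough at midnight, a five-to-one day/night swing and twice the weekday volume of a weekend day: exactly the office-hours silhouette the post describes.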

Botnets are used for other nefarious purposes, but spam is the most noticeable. The Rustock botnet mentioned above sends mostly pharmaceutical spam, offering to sell dangerous, controlled substances, among other things.

But even if they were flooding the Net with messages of love and hope, botnets would still be a menace. Imagine if every time you drove on the freeway, 1 in 4 of your fellow commuters’ vehicles blew a gasket, slowed down to a fraction of the speed limit, started making an infernal noise and spewed smoke so thick that you had no choice but to slow to a crawl.

That’s what’s happening, but you can’t see it. The computer industry has responded to this threat by selling the moral equivalent of frosted windows. Email providers have become so good at hiding spam that only a tiny fraction of it ever appears in your mail box. So, I can hear you say, where’s the problem, then? Spam created; spam deleted. Problem solved.

Not quite. That spam chews up a tremendous amount of bandwidth and processor time. Bandwidth you pay for. Don’t imagine that your ISP is going to say, “Oh, that’s just spam, our beloved customer didn’t actually mean to send that message 14,000 times. Let’s not charge him for those megabytes.”

Billions of dollars are spent on software and hardware to treat the symptom without once addressing the cause. Your PC runs slower and costs more because of the antivirus that comes installed on it. And even that isn’t nearly adequate to protect you.

To be clear: The Pinto in this picture is the Windows XP operating system. I’m going to apply some precise technical terminology here, so pay close attention:

Windows XP Security Sucks The Hind Teat of a Scrofulous Cow.

Some argue that once there are as many Macs (or Linux machines, or iPads, or Android phones) on the market, they’ll be just as beset by malicious software as Windows. Theoretically, that’s possible. In the real world, however, the evidence so far points the other way.

In the realm of computer servers, Linux-based operating systems are taking a dominant position. Yet when it comes to the number of servers compromised by malicious software, they represent a vanishingly small fraction of the cases.

Despite the recent proliferation of Macs, Linux-based netbooks, tablets and smart phones, none has yet shown any significant signs of affliction. That’s not to say it won’t happen, but it hasn’t yet.

Do yourself a favour. Do us all a favour. Stop using Windows. Buy a Mac. Try Linux. Do something, anything, but stop polluting the view and the digital motorway with your second-rate death trap of a clunker.

Seriously: stop.

If you absolutely must use the Pinto OS, the least you could do is get the latest version. Windows 7, while still flawed in oh-so-many ways, is nonetheless a vast improvement over XP. And whichever you run, install the updates as they arrive; an unpatched machine is a Pinto whatever the badge on the bonnet says.

Do something, please. Anything is better than what you’re doing now.

Cheap Shots

Aspiring photographer? Trying to make an impression on an online world with your nascent mastery of a century-old craft? Allow a fellow neophyte to offer a few words of advice.

Not all photographers have the time, opportunity or, heck, the money to take those seriously WTF, how-did-you-DO-that, I-will-see-the-world-differently-because-of-this kind of shot. Sadly, such moments are relatively rare. You may yet have your chance to blow the world away with your incandescent, visionary imagery. But in the mean time, here is a quick primer to help you put your own special genius into perspective.

Shots We Have Already Seen

This may come as a shock, but others have taken photographs before you. Some of them were very talented. Among the shots we have already seen:

  • The water droplet
  • The water droplet on a blade of grass
  • The water droplet on a blade of grass with a distorted reflection of something visible deep inside. (Tragically for you, the visual metaphor of Worlds Within has indeed been considered once or twice before.)
  • The blade of grass, without the water droplet
  • The forced-perspective skyscraper
  • Two forced-perspective skyscrapers
  • Forced-perspective anything, actually
  • The reflection in the window
  • The distorted reflection in the rainy window
  • The staircase (It turns out there are several spiral staircases in the world. They have, alas, all been photographed before. Yes, even that one.)
  • The beggar
  • The self-conscious hipster made edgy and cool by rotating the camera 30 degrees
  • Someone blowing smoke in a dimly lit room (Did you know this happens sometimes in bars? What brave new world is this, indeed.)
  • Footprints (in anything, leading anywhere)
  • Sunset

Shots We Didn’t Want To See In The First Place*

  • Your pet
  • Your girlfriend
  • Your child
  • Your street
  • That old farmhouse
  • Grass
  • That tree (not even at sunset)

* Don’t get me wrong. I’m sure your family and friends would love to see a well-taken shot of any of the above, but unless your date is truly unique, your pet looks like this or you have the skill to capture your child in a moment like this, we’d all rather you didn’t foist them on us for comment. After all, we hardly know you.

Shots Which Had Better Be Really Fucking Good Before You Even Consider Showing Them To Others

See, we don’t mind seeing these. They’re kinda cool. But you might want to think twice before crowing about them. The examples above are just a small sample of the stuff found on one website in about one month.

Things Which Are Never Tasteful, No Matter What

  • Watermarks (Seriously, if someone can’t immediately identify your photos from their own inimitable style, then a watermark isn’t going to help you. And no, cursive text does not make it all right.)
  • Women in bad makeup
  • Women on the railway tracks (I mean, seriously: Dude, what?)
  • Actually, nude women sitting anywhere they wouldn’t normally sit, if you hadn’t paid them*
  • More than two shots of any one thing (Remember: Shake it more than twice and you’re playing with it.)
  • Shots of your camera (especially if you’re holding it.)
  • Models who have been painted all one colour
  • Saturation. It is the photographer’s ketchup. Use it accordingly.
  • The one-colour wash (Guys, seriously, that sepia tone was an artifact of the chemical process required to develop the film. It does not make your model look hotter.)
  • The single colour element of an otherwise monochrome shot. (Shit, even the banks don’t use this in their ads any more; that’s how cliché it’s become.)
  • Captions that say what’s in the model’s thoughts (This goes double when the model is your pet.)
  • Tragically, wedding shots. Don’t know why. They just never are. Ever.

* Okay, on rare occasions, nude women in strange postures are genuinely beautiful. But are they more beautiful than normal postures, really?

Shots We* Actually Do Like To See, Really (Provided You Possess Any Skill At All)

* By ‘we’, of course I mean ‘I’. Shyeah…

Shots That Will Be Popular*, Whether You Do Them Well Or Not

  • Young women
  • Two women touching or nearly touching
  • Children
  • Pets, especially cats
  • Baby animals
  • Children
  • Shiny, especially red and gold

* These are all things we’re wired to stare at, and which can get you far in terms of popularity, until you discover that this hasn’t necessarily made you a better photographer. Then again, they’ve made you popular, so who cares?