Slashdot Mirror

Yep. here's a better link: http://scriptorum.imagicity.com/2009/01/03/on-privacy/

Privacy issues aside, I've never had any trouble with Flash.

I like your logic: Aside from a single tile, Columbia's last mission went flawlessly.

Seriously, though: you've underlined the single greatest problem in computer security today - what we don't see can hurt us. I've written about this at greater length elsewhere, but to put it simply, privacy is the battleground of our decade.

The struggle to come to terms with privacy will manifest itself in the legal, moral and ethical arenas, but it arises now because of technology and the cavalier approach that the vast majority of people take to it.

The ramifications of our ability to transmit, access and synthesise vast amounts of data using technology are consistently underestimated by people because of the simple fact that, as far as they're concerned, they are sitting in the relative privacy of their own room with nothing but the computer screen as an intermediary.

On the consumer side of things, this creates what Schneier calls a Market for Lemons in which the substance of the product becomes less valuable than its appearance. As long as we have the illusion of security, we don't worry about the lack of real protection.

On the institutional side, we see countless petty abuses of people's privacy. There is nothing stopping a low-level employee from watching this data simply out of prurient interest. In fact, this kind of abuse happens almost every time comprehensive surveillance is conducted. In a famous example, low-level staffers in the US National Security Agency would regularly listen in on romantic conversations between soldiers serving in Iraq and their wives at home. The practice became so common that some even created 'Greatest Hits' compilations of their favourites and shared them with other staffers.

They would never have done so had the people in question been in the room, but because the experience is intermediated by an impersonal computer screen, which can inflict no retribution on them, their worst instincts get the better of them.

When discussing software in the 21st Century, we cannot ever treat privacy as just one incidental aspect of a greater system. Privacy defines the system. Starting an argument by throwing it aside in the first subordinate clause gives little weight to any argument that follows.

Privacy issues aside, I've never had any trouble with Flash.

I like your logic: Aside from a single tile, Columbia's last mission went flawlessly.

Seriously, though: you've underlined the single greatest problem in computer security today - what we don't see can hurt us. I've written about this at greater length elsewhere, but to put it simply, privacy is the battleground of our decade.

The struggle to come to terms with privacy will manifest itself in the legal, moral and ethical arenas, but it arises now because of technology and the cavalier approach that the vast majority of people take to it.

The ramifications of our ability to transmit, access and synthesise vast amounts of data using technology are consistently underestimated by people because of the simple fact that, as far as they're concerned, they are sitting in the relative privacy of their own room with nothing but the computer screen as an intermediary.

On the consumer side of things, this creates what Schneier calls a Market for Lemons in which the substance of the product becomes less valuable than its appearance. As long as we have the illusion of security, we don't worry about the lack of real protection.

On the institutional side, we see countless petty abuses of people's privacy. There is nothing stopping a low-level employee from watching this data simply out of prurient interest. In fact, this kind of abuse happens almost every time comprehensive surveillance is conducted. In a famous example, low-level staffers in the US National Security Agency would regularly listen in on romantic conversations between soldiers serving in Iraq and their wives at home. The practice became so common that some even created 'Greatest Hits' compilations of their favourites and shared them with other staffers.

They would never have done so had the people in question been in the room, but because the experience is intermediated by an impersonal computer screen, which can inflict no retribution on them, their worst instincts get the better of them.

When discussing software in the 21st Century, we cannot ever treat privacy as just one incidental aspect of a greater system. Privacy defines the system. Starting an argument by throwing it aside in the first subordinate clause gives little weight to any argument that follows.

Pretty much business 201 there. If you're doing hardware repair then no, you probably can't start a company on your own that does just that. The margin is too small in most markets. However, if you choose a thing like security consulting the current margin is ridiculously huge enough to really get something viable going with one single person.

Good point. Another thing that matters a lot is where you are in terms of seniority, capability and expertise. There is no such thing, for example, as part-time programming. Except at the most menial level. But a really seasoned design/implementation consultant can usefully spend a few days helping a development team find the track, or get back on it.

I work part-time to support my journalism habit (which barely gets me beer money) and my photography. The articles get me enough exposure that people know I'm not just a bullshit artist, and they call me in for all kinds of things, from setting a few servers to rights, to helping them dig their way out of a technological dead-end, to consulting on public telecoms policy.

It's nice work if you can get it, but it comes at a price. My life is much more uncertain now than it was. I live very simply, and can't afford to take on any kind of long-term commitments, because I'm never quite sure if the money's going to be there.

The only way I manage to do what I do is because I've been doing it since about 1992. I've been working on the Web for almost as long as it's existed, and I've invested a lot of unpaid time and effort establishing contacts and credentials. That said, I'm doing what I love. Part time.

Pretty much business 201 there. If you're doing hardware repair then no, you probably can't start a company on your own that does just that. The margin is too small in most markets. However, if you choose a thing like security consulting the current margin is ridiculously huge enough to really get something viable going with one single person.

Good point. Another thing that matters a lot is where you are in terms of seniority, capability and expertise. There is no such thing, for example, as part-time programming. Except at the most menial level. But a really seasoned design/implementation consultant can usefully spend a few days helping a development team find the track, or get back on it.

I work part-time to support my journalism habit (which barely gets me beer money) and my photography. The articles get me enough exposure that people know I'm not just a bullshit artist, and they call me in for all kinds of things, from setting a few servers to rights, to helping them dig their way out of a technological dead-end, to consulting on public telecoms policy.

It's nice work if you can get it, but it comes at a price. My life is much more uncertain now than it was. I live very simply, and can't afford to take on any kind of long-term commitments, because I'm never quite sure if the money's going to be there.

The only way I manage to do what I do is because I've been doing it since about 1992. I've been working on the Web for almost as long as it's existed, and I've invested a lot of unpaid time and effort establishing contacts and credentials. That said, I'm doing what I love. Part time.

One issue troubles me: In this and other projects, no-one has solved the problem of supplying internet connectivity in remote areas. I know that Google is launching a constellation of Ka band satellites - but they will be commercial. One idea that I saw was to use a WiFi server on either buses or motorcycles. Local servers pump email etc. to the mobile servers which then dump the data when they get to a hot-spot - and visa-versa. Sort of a sneakernet for the back woods.

You've effectively answered your own question. Yes, it's early days yet where rural Internet access in concerned, and as you imply, there is no silver bullet. Just as it was in the early days of Internet in the developed world, it's a matter of choosing what's technologically appropriate for each particular case.

In my neck of the woods (South Pacific) we're taking advantage of a happy accident to get very low-cost VSAT access throughout the region. In other countries that I've spoken and/or worked with, the plan is generally to start with VSAT, then attack the necessary policy issues that need to be addressed in order to create a national ICT policy.

It's slow going, but the work seems to be paying off. Here in Vanuatu, we're already piloting the XO with a local NGO, and the Ministry of Education has indicated their intent to run a pilot of their own. We're explicitly linking the provision of Internet to the XO roll-out for obvious reasons.

In all, the process of liberalising the local telecoms market has taken about a decade, and we're not done yet. It's unfortunate for us geeks who always want tomorrow's toys today, but slow and steady really is the only way to go if you want things to be sustainable.

To be fair he could be in a third world nation where that is actually the top teir plan. For example a 1mbps "unlimited" connection in Vanuatu goes for the princly sum of $585 USD per month.

The figure is accurate (I'm posting from a Telecom Vanuatu 1Mbps link right now), but let's not conflate bandwidth with transfer caps.

Telecom Vanuatu relies exclusively on satellite for Internet connectivity, so no matter what happens, their Internet fees are going to be high. In fairness, though, even though they charge frightening fees, there's not a huge amount of contention (I am usually able to fill the pipe when I need to) and they offer unlimited downloads on all their packages.

A few years ago, they were offering only metred bandwidth, and prices were horrendous. In one or two egregious cases, careless or ignorant customers managed to ring up monthly fees in the USD 10,000 range.

We in the Vanuatu IT Users Society (no link - that site is on a TVL 1 Mbps link as well!) went to TVL and said, 'Charge as much as you feel you must, but make it unlimited.' Since that time, Internet use has increased by about two orders of magnitude. (Of course, that's not much, starting from close to zero.)

Vanuatu may be hobbled in many ways where IT is concerned, but we've learned to do a lot with what we've got. I've been writing for almost two years now about IT developments here. Read more here, if you like.

Now that you mention OpenBSD, I recall an email from Theo de Raadt (2007-06-27 17:08:16 - source):

As I said before, hiding in this list are 20-30 bugs that cannot be worked around by operating systems, and will be potentially exploitable. I would bet a lot of money that at least 2-3 of them are.

People have been aware that microprocessor bugs are potentially quite dangerous for some time now. Here's a write-up of Adi Shamir's report to RISKS about using processing bugs to steal private encryption keys.

Others have already replied about Apple's intrinsically superior security based on its BSD roots and more sensible user permissions. There's no need to go into that agaiin.

But there's an additional by-product that good design gets you: If people believe that cracking your system is harder, they won't be as inclined to try.

Case in point: All Debian-based SSL encryption was fundamentally broken for over a year, and yet (as far as we know) it didn't occur to sysadmins and developers to actually test the security of their certs etc. More interestingly, it doesn't seem to have occurred to crackers to even probe Debian's SSL implementation for vulnerabilities.

I wrote a quick run-down on this phenomenon (with a few caveats) on my website. In hindsight, it's nothing short of astounding that nobody caught this error. Considering that the payoff for a computer criminal would be potentially huge, I can only attribute the failure to comprehensively exploit the vulnerability to a folk-wisdom phenomenon, which is that if your software is generally considered safer, rightly or wrongly, people will tend to treat it as if it were, and leave it alone.

The converse, of course, is that if your software (e.g. Windows) is generally considered insecure, people will go to great lengths to exploit it. When you look at the cleverness of some of the hacks used to infiltrate a Windows system and compare the level of knowledge and skill required to simply brute-forcing Debian's broken SSL, you'll see what I mean.

Hopefully we'll see more companies designing different products for different economic realities, instead of just dumping 5-year old designs here once they get "cheap enough for the third world".

In my little corner of the Developing World, this is exactly what's happening. The local telecoms monopoly has just been ended, and the newest entrant has offered up a cash bond to deliver mobile telephony services to 85% of the population in a country with incredibly difficult geographical features.

Obviously, they wouldn't do so if they weren't convinced that they can make money in these marginal areas. In order to do so, they need to tailor their products to local needs.

I write a weekly IT column in one of our national newspapers. Here's what I had to say about SMS as a computing platform. And here's one where I make the case for focusing on mobile communications technology.

In confess that it took me a long time to stop being a bit of an Internet bigot, refusing to see the potential applications of mobile phone technology. I've since changed my ways.

Hopefully we'll see more companies designing different products for different economic realities, instead of just dumping 5-year old designs here once they get "cheap enough for the third world".

In my little corner of the Developing World, this is exactly what's happening. The local telecoms monopoly has just been ended, and the newest entrant has offered up a cash bond to deliver mobile telephony services to 85% of the population in a country with incredibly difficult geographical features.

Obviously, they wouldn't do so if they weren't convinced that they can make money in these marginal areas. In order to do so, they need to tailor their products to local needs.

I write a weekly IT column in one of our national newspapers. Here's what I had to say about SMS as a computing platform. And here's one where I make the case for focusing on mobile communications technology.

In confess that it took me a long time to stop being a bit of an Internet bigot, refusing to see the potential applications of mobile phone technology. I've since changed my ways.

Here is my essay on privacy; see if reading it doesn't nail the issue for you in very short order.

Nicely put. But let's play duelling essays. This is a layman's introduction to understanding the nature of online privacy, written for my weekly Communications column in the Vanuatu Independent newspaper.

To summarise: You're dead right on your definition of privacy. Most everyone is at least innately aware of this. While technology has transformed our ability to access information, nothing about the nature of privacy has changed. Unfortunately, that doesn't resolve the problem that people often can't visualise the public and private sphere where computer data is concerned.

Put most simply, I would certainly take exception to someone reading my private email without permission, but I'd have to know they were doing it first. It's not even enough to know that 'Goverment X is reading everyone's email.' People need to see that Person X has read their email in order to trigger that sense of impropriety that is natural to us if the snooper is in the same room.

The Internet empowers the observer precisely because the observed almost certainly won't know they're being watched. This apppeals to a part of human nature that exists in all of us: If we could get away with it, we would invade others' privacy all the time.

Gossip, rumour-mongering and prurient spying are innate human instincts - and precisely why the social conventions on privacy arose. Social awareness and taboos need to be adjusted to the fact that the snoopy ones are no longer in the same room with us.

If a kid has no real concept of value anyway, what on earth would motivate him to be more careful than with anything else they are used to playing with?

I don't want to be seen to be defending your snarky reply, but it's relevant to note that the issue of caring for the XO laptop is a real one.

It is not, however, because of children's inability to see the value of such a device. I work in development, and I've tested the XO. I've also written about it a fair bit. The big challenge for children using this device will be the lack of ready infrastructure in the village.

When you have to walk several miles to school in the rain with nothing more than a banana or a taro leaf to cover you, the XO is vulnerable. When you have to wade across one or more small rivers on your way to school, the XO is vulnerable. When you live in a house with dirt floors, the XO is vulnerable. When you have to contend with the fact that your many siblings might well want to share the laptop, the XO is vulnerable.

BUT... I've tested a late prototype and seen for myself that, whatever its faults, there is nothing else available that even begins to approach the XO for robust construction. Try to imagine any other computing device surviving what I've described above. The XO laptop is the best available technology today, and that's why we'll shortly be deploying our first pilot project.

This is a case where a problem is being solved by law vice technical means. Consumers should vote with their money. If ISP#1 is throttling, then stop subscribing. No other ISPs in the area? Get satellite access.

That approach, while very commendable and principled, isn't enough.

I've written elsewhere about why this is the case, but in a nutshell it comes down to this: Net Neutrality is a basic precondition to an end-to-end network like the Internet.

Think of it as a law. It is, actually, if you read that in the sense that Net Neutrality is axiomatic when we talk about the Internet as designed. If this law is not adhered to, the Internet as we know it ceases to exist. Therefore, given that government's role is to enforce the law, there is a place for it in enforcing Net Neutrality.

None of this takes anything away from your argument for consumer activism, of course. But neither alternative is exclusive of the other, and there's a clear need for both.

Poor silly mortal. Have you forgotten the International Date Line? April Fools is already here!

Stories emerging from the other side of the planet:

A NEW Google program powered by artificial intelligence allows internet users to search web pages 24 hours before they're created, the company said today.

Yahoo! Confirms MS Merger, Name Change

Indeed. Just because people don't see it doesn't mean it's not happening.

Do a quick Google for 'ICT4D' - Information and Communications Technologies for Development. You'll be surprised how much work is being done by organisations big and small, and by individuals, too.

I work almost exclusively with FOSS in Vanuatu. Small linux servers running on ancient hardware was the only way we could conceivably have brought small organisations and NGOs online when I arrived some years ago.

The server OS we use is SME Server. I worked for the company that created this software starting back in 2000. I went to work for them specifically because of this software's suitability for use in the developing world. After I left these guys, I worked for 3 years as a volunteer using the same software (and a lot of other FOSS as well) to help people communicate electronically, often for the first time.

FOSS is critical to development work. I've written extensively about ICT and Development. This essay explains in layman's terms why FOSS is often the right tool for the job.