One newspaper article said the Raelian obsession with cloning was partly for a similar variation, which is to do a brain transplant into the clone's body. Yes, this means killing your clone's personality by chopping its brain out; the "keep it's brain blank" is unlikely to have any meaningful definition. But you don't have to worry about whether a copy will really be you.
As far as this is really what the Raelians believe, or just some reporter's interpretation, I don't know; finding out would mean reading their stuff, and there are more than enough kooks around.
It's still the right model, more or less, even though almost nobody's deployed it:-(
The big problem is getting buy-in from the people who run.com, which hasn't happened; I don't suppose there's any overlap between the people who run the various DNS registries and the people who run certification authorities, or that that would have anything to do with it, or that ICANN's many disfunctionalities are at all related? (Sigh.... Versign buying Network Solutions certainly didn't help, not that the business models in the registrar/registry world aren't confused enough.)
Maybe we will end up building some parallel structure that doesn't depend on the root servers or the COM/NET/ORG servers, or some of the other TLDs will start implementing it. I keep hearing various rumbles about Norway or Finland or Tonga, but one of the big registrars could also catalyze it if they wanted.
Razor2, and probably some of the other relatives of this, has a threshold voting system (so it takes more work to poison non-spam mailing list mail) and has a karma-like trust rating system to weed out poisoners. It turns out to be inherently hard to poison good email, except for mailing list mail, because normally it's only received by one or two people, so the spammer doesn't have access to checksums for good email messages, and the voting system makes it hard to whitelist messages that are really spam (though it'll certainly be tried:-)
The other aspect for poisoning is poisoning messages on legitimate mailing lists - other than individual kooks trying to harass lists or people they're obsessed about, which the karma system helps with, the obvious target will probably be anti-spam lists, e.g. the spammer will sign a lot of clones up for Spam-Killer-Tools@Example.net, and use random collections of them to cause random chaos or kill off discussions that are particularly productive. But even that is somewhat self-limiting, because it's the kind of creative and coordinated effort that requires a professional spammer, as opposed to the millions of wanabee spammers who bought the latest spamware kit thinking they'll get rich.
A self-signed cert for http://www.example.com/ doesn't tell you that they're the same Example Inc. that makes those really cool ExampleWidgets, so you may not want to give them your credit card number without some more verification. But it does mean that they're the same http://www.example.com/ that you accepted a cert from last week, and that your encrypted mail to postmaster@example.com is going to the address postmaster on the same system that controls the web site.
No, I'm not trying to be funny - while it's convenient to have your browsers come with certs for cert authorities that your browers' authors trust, the real certificate authority that a PKI tool should support is keys signed by you, the reader. (That's different from self-signed keys, which are signed by you, the keyholder, though you the reader at 127.0.0.1 will presumably have a self-signed key.) If the browser's certificate checker tools can't handle a hierarchy, where you get to sign the members of the hierarchy and what they can do, they're deficient. That's not exactly the same as "being able to add CAs to your browser", though it's pretty close; you may have different preferences for how deep different parts of the tree can be. For instance, there are some organizations you'll trust to sign certs for subdomains of their domain name, but not to sign other sites, while there are other organizations you'll trust to sign almost anything (e.g. Visa if you only use Visa credit cards on line), and others you'll trust for email addresses in their domains (e.g. you'll trust FreeEMail.Example.Com certs for sending encrypted mail to FreeEMail.Example.Com accounts, but you won't trust them to tell you that georgewbush@FreeEMail.Example.Com is owned by any particular George W. Bush that you might know from other channels.)
It's only an insurance policy if somebody is insuring something about it and has the resources to back up their claims. You have to read the small print to find out what the signer is certifying about the key and how they're backing their claims. They may be certifying that they checked N government documents, or that the recipient's credit card number worked once, or just that the name is unique, and they may be backing it up with anything from "Explicitly Nothing" to "we'll refund your certification fee" to "enough real money to cover damages from the first forgery", though the latter's pretty unlikely.
Sometimes a free or El Cheapo cert is enough; it gives you some calibration on risk levels. I've got a PGP key that I use to sign untrusted pseudonyms, with the policy that I'll only sign any specific name once.
If I pay a "small government fee", does that give me "small government"?
Otherwise, you've got a model that says you've got One True Name, usable for everything, and anybody who steals your wallet or hacks your PC (Microsoft and wu-ftpd and sshd would NEVER have bugs!) now 0wnz you. The Social Security Number, with one number that gets used for everything, is a terrible idea, and guarantees that it's easy to correlate any two databases from any groups that have either been forced to use your SSN as a tax number or found it convenient as a "unique" identifier. Besides, then Californians who can speak Spanish wouldn't be allowed to have web sites, just as one of our previous governors decided they shouldn't be allowed to drive. No thanks.
DNSSEC isn't widely deployed, but it's the right identity/authentication model for many of the reasons people want certs. Unlike the "Produce Lots of Official-Looking Documents" model of identity, which says that Example, Inc. is the real owner of a certificate, and lets Example use the cert to sign any web site they want, DNSSEC uses the "People Who Give You The Domain Name Sign You A Cert" model, which lets whoever owns the domain name example.com certify that you're connected to a web server at the real example.com or www.example.com.
In general, there's a lot of confusion about Public Key Infrastructures, partly because of the big gap in the middle of "1. Write Marketing Hype!! 2. ???? 3. ???? 6. PROFIT!!" chain, but mainly because there are different ways to answer questions about "Who's certifying whom or what to do what or be who or what?" which lead to different applications and solve (or fail to solve) different business problems. One major effort to address this systematically is the IETF SPKI Simple Public Key Infrastructure group, much of which is based on the work of Carl Ellison and Ron Rivest (RFC2692, Requirements, RFC2693, Theory.) It turns out that, while the "Some Authority Certifies that You have Documents with your True Name" model that's popularly used is often useful, it's often not the right model, and there are often more useful relationships, such as the DNSSEC authentication used for web sites and email.
If there are a small number of honeypots, yes, it's easy to stop them. But what if everybody had one, or at least everybody who didn't need a real smtp server? All those cable modems out there, which aren't allowed to run servers because of blazingly clueless policies by cable companies, could be running honeypots, especially teergruben, which run valid SMTP vvvv...eeee..rrr..yyyy...sssss...loooowwwww....lyy yyy and can keep spammers tied up for long times. They don't usually look like open relays; they usually look like end users. Cable modem companies could be heros by having people running the things. (And if spammers respond to this by not sending email to domains hosted on cable modems, that's a big win too....)
Dear Bob, I am sending you this message in order to have your advice...
If you're using Outlook Express instead of Full-Scale More Expensive Outlook, you're probably fetching the mail using POP3 or IMAP instead of the MS Exchange proprietary protocols. If so, there are filter programs that you can run on your own PC that proxy POP3 from a server, so you can tell your Outlook Express that your email server is 127.0.0.1:pop3, and the proxy fetches it from mail.example.com for you, which gives it a hook to hang filtering tools on. There are probably similar filters for IMAP by now.
Vipul's Razor, Cloudmark, etc. are collaborative filters that let humans mark messages as spam and share the spam ratings, so even Spam-Of-The-Future messages that evade filterbots are likely to get caught by humans. That means that if a roughly-identical message gets sent to N people, and sneaks by their spam filtersbots, the first few humans to read it send in ratings that let everybody else's filterbot kill it for them. They do some kind of hashing function to catch similar-but-not-identical messages, which is necessary because message headers will obviously be different for every recipient, but have useful information, and message bodies for different recipients may be identical, but often have some recipient-customization, like "Dear Bob" and "remove-2184242314231-Bob@spammer.com".
Vipul's Razor on Sourceforge is the canonical collaborative spam filter network. These things really do make a dent in spammers constructing not-very-spam-looking messages that sneak through filters, because to get around them, they need to send sufficiently different messages to each target, though the openness of the matching algorithm means they do have the tools to try it.
One of my ISPs's implementation of SpamAssassin seems to be using it as part of their rating heuristic.
Disposable addresses really help a lot, for the reasons you've mentioned, and they're easy to create if you've already got your own domain name. You give Somebody1 an address of Somebody1@yourdomain.com, and Somebody2 an address of Somebody2@yourdomain.com (or mangled or obfuscated versions of that), whitelist them, blacklist any that get abused, and do something appropriate to unknown addresses (probably blacklisting them, but possibly bouncegramming them.)
There are also tagged versions of Unix email clients around, which let you receive messages to yourname+tag@your-isp.net, letting you do the same with tags that you did with addresses in your own domain, but surprising numbers of humans and web-forms seem unable to use those addresses correctly. (They also don't work for me, because my email forwarder doesn't know how to translate myname+tag1@emailforwarder-domain.com into myrealname+tag@my-real-isp.com.)
Fastmail.fm has a nice intermediate version, using subdomains - tag@username.fastmail.fm is equivalent to username+tag@fastmail.fm, so you can give people human-readable tagged names and do all the same processing tricks. It's pretty limited use in their free service, but has much more flexible tools in their paid service.
The other approach that helps with filter-evaders is collaborative filter nets such as Vipul's Razor or Cloudmark. Some recipients will still get stuck reading the spam, but they'll mark it so most recipients can auto-trash it.
Enough people don't like spam that most big ISPs are offering some kind of spam-prevention service; the real question is when this will become the default. Many ISPs already reject mail from open relay sites, cutting down their spam load a good bit. While it may be a mistake to use an ISP that accepts and then deletes messages without the user's permission, lots of ISPs offer "we'll kill your spam for you" services, and many also offer "we'll mark spam for you" features that come with instructions for setting popular mail clients like Outlook, Netscape, and Eudora to filter the spam, and at least make it obvious in the Subject line so you can delete before reading.
Less controversial than ISPs trashing suspected spam is ISPs trashing virus email - that almost never gets false positives, and almost nobody minds (or at least, almost nobody minds if the virus part gets deleted, if it was an attached document on a real email message.) That won't stop Good Times Hoaxes, which are wetware problems rather than software problems, and it's a much more common feature for corporate email systems (because they're usually the suckers\\\\\\\customers for Certain Popular Email Systems and Certain Popular Word Processors which make it easy to auto-execute code.)
They didn't _ask_ anything, they ordered. They told him to take down the website - not just the logo, but anything using the term "PCI", and said if he wanted to go to a lot of work and expense to do them a favor by having his employer put the site back up, they might consider it. If the PCI-SIG (themselves) has asked him to do something about the logo, and maybe add some trademark notices, he probably would have been ok with that, but they were clearly not just talking about the logo, but the whole thing.
You do need to protect your trademarks if you want to keep them, but you're not required to do it using lawyers, cease+desist letters that go far beyond their legal justification, or nuclear cannon shells to do so. A polite request from them should have done the job, and if they wanted to say "our lawyers say we need to do these couple of things to protect our trademark use", that's much more reasonable. The common footnotes about "SomeFancyName is a [registered] trademark of Example, Inc." seem to be adequate trademark protection for the vast majority of products in the US. I haven't seen his original website, because he took the whole thing down when they harshed him out, but I expect the same applies here.
The use of the PCI-SIG trademark logo is something they might have needed to do something about to protect, but they should have asked him politely to make it obvious that his site was unofficial, if it wasn't already obvious enough, and either make the logo point to their web site or put appropriate words next to it, or even to take the logo off if it was used in a confusing way. I'm guessing that the logo was there to say "The official PCI-SIG site is at www.___.etc." or whatever. That's really about all.
I was wondering what kind of "intellectual property" the SCO folks had been claiming to have, and your explanation makes sense - thanks! The trademark "Unix" doesn't cover Linux. Much of the effort that went to building the non-AT&T-owned 4.xBSD operating system versions and the various GNU tools was to make sure that there was code that clearly wasn't derived from AT&T source, and therefore SCO wouldn't own that. The SetUID patent has almost certainly expired, and most of the fundamental ideas in Unix date from before widespread abuse of software or business method patents and were published in various journals even if the source code wasn't. There's very little else that was potentially patentable that doesn't impinge on prior art sufficiently for them to claim that either. There may be some device driver things that are proprietary, I suppose. But the use of a couple of SCO-compatibility libraries, including the actual code and not just general concepts, is the kind of thing that could still be copyright-protected.
Some of you may remember the "Mentally Contaminated" buttons somebody gave out at Usenix to people who'd dealt with the real code and therefore had to be careful about what they wrote to avoid contaminating BSD and freeware apps.
You missed the Internet boom and bust
on
Ask Kevin Mitnick
·
· Score: 2, Interesting
The whole internet boom-and-bust thing happened while you were Off Net, and the economy's worked it's way back down to about what it was before you got caught. What's it been like watching it from the outside? Do you have any perspectives that are different from what people experienced going through it?
Hi, Andrew! While there are real applications like postal workers for the things (where it may be worthwhile for a business to spend $5K on them), the price does seem sufficiently out of line compared to, say, a Vespa scooter or electric bike, for basic transportation, and the fact that it's pricy, too heavy to carry onto the bus or train, and doesn't require being in good physical shape to ride (unlike a skateboard or roller blades) means that it is more likely to be used by pasty-assed yuppies as opposed to punk teenagers.
If the Supes hadn't been snobby enough to ban the things on bike lanes, it would have been interesting to see how they'd have competed with the bike-messenger business - higher up-front cost, easier to carry more kinds of cargoes, and probably a lower level of aggression compared to biking through SF's traffic, because the basic fight-or-flight stress mechanisms that work well for city biking don't really apply.
Disney World owns a bunch of them, mainly used for supervisors to zip around Epcot checking on things and delivering things. It's the obvious market for them - I mean, if *you* lived in an Experimental! Prototype! Community! Of ToMORRow!, and you weren't going far enough to take the Flying Car and but farther than you can actually go on a Rocket Belt, this would be just the right kind of Jetsons-looking transportation to take. It really did work well there; the park has huge wide sidewalks instead of streets, so there's enough room to zip around without squashing pedestrians. However, that's not the same case as sidewalks in the real world.
SF shouldn't have banned the things on bike lanes, though; they'd be just fine there, and no more suicidal than biking in SF's traffic and hills is anyway. Also, as a vertical-standing passenger, you're probably more able to look around for cars and for pedestrians than the average bicyclist, who's at a different angle and probably can't stop as fast or turn as tightly.
San Francisco has lots of bike lanes. The Supes banned Segways on them too. It's mostly snobbery, but apparently the Segway people were trying to get approval to run the things on sidewalks, which is much more dangerous to pedestrians, and it backfired on them.
There's no reason to involve the police powers of the city to ban the things - people driving in the dark in dark clothes with no helmet won't be in the gene pool for all that long. There are occasionally bikers that stupid, of either the motorized or non-motorized flavors.
Banning them on the sidewalks is consistent with banning bikes and other high-speed devices (though you'd be surprised how fast some of the electric wheelchairs can go...) There may be some exceptional uses, such as the Post Office and other delivery services, where sidewalk access may be justifiable, but generally not.
However, that's no excuse for banning them in bike lanes, which San Francisco has lots of. It's pure snobbery, as near as I can tell, though probably triggered by Segway's attempt to pre-emptively get states and city councils everywhere to approve driving the things on sidewalks. A segway cranks up to about 12mph, which is a medium speed for a bike on flat ground; YMMV on hills (which SF has lots of), and the acceleration patterns are probably a bit different, and there's no macho factor, unlike cranking your bike from 0-30 in 2 seconds by pointing it downhill on Mason Street.
Don't get me wrong, I liked APL, and its model of "You shoot all the bullets at all the feet, then select the feet that belong to you" was really nice for doing time-series analysis. But it is somewhat nice to have language designers who at least stick to an ASCII keyboard to find weird symbols from:-)
As far as this is really what the Raelians believe, or just some reporter's interpretation, I don't know; finding out would mean reading their stuff, and there are more than enough kooks around.
The big problem is getting buy-in from the people who run .com, which hasn't happened; I don't suppose there's any overlap between the people who run the various DNS registries and the people who run certification authorities, or that that would have anything to do with it, or that ICANN's many disfunctionalities are at all related? (Sigh.... Versign buying Network Solutions certainly didn't help, not that the business models in the registrar/registry world aren't confused enough.)
Maybe we will end up building some parallel structure that doesn't depend on the root servers or the COM/NET/ORG servers, or some of the other TLDs will start implementing it. I keep hearing various rumbles about Norway or Finland or Tonga, but one of the big registrars could also catalyze it if they wanted.
The other aspect for poisoning is poisoning messages on legitimate mailing lists - other than individual kooks trying to harass lists or people they're obsessed about, which the karma system helps with, the obvious target will probably be anti-spam lists, e.g. the spammer will sign a lot of clones up for Spam-Killer-Tools@Example.net, and use random collections of them to cause random chaos or kill off discussions that are particularly productive. But even that is somewhat self-limiting, because it's the kind of creative and coordinated effort that requires a professional spammer, as opposed to the millions of wanabee spammers who bought the latest spamware kit thinking they'll get rich.
A self-signed cert for http://www.example.com/ doesn't tell you that they're the same Example Inc. that makes those really cool ExampleWidgets, so you may not want to give them your credit card number without some more verification. But it does mean that they're the same http://www.example.com/ that you accepted a cert from last week, and that your encrypted mail to postmaster@example.com is going to the address postmaster on the same system that controls the web site.
No, I'm not trying to be funny - while it's convenient to have your browsers come with certs for cert authorities that your browers' authors trust, the real certificate authority that a PKI tool should support is keys signed by you, the reader. (That's different from self-signed keys, which are signed by you, the keyholder, though you the reader at 127.0.0.1 will presumably have a self-signed key.) If the browser's certificate checker tools can't handle a hierarchy, where you get to sign the members of the hierarchy and what they can do, they're deficient. That's not exactly the same as "being able to add CAs to your browser", though it's pretty close; you may have different preferences for how deep different parts of the tree can be. For instance, there are some organizations you'll trust to sign certs for subdomains of their domain name, but not to sign other sites, while there are other organizations you'll trust to sign almost anything (e.g. Visa if you only use Visa credit cards on line), and others you'll trust for email addresses in their domains (e.g. you'll trust FreeEMail.Example.Com certs for sending encrypted mail to FreeEMail.Example.Com accounts, but you won't trust them to tell you that georgewbush@FreeEMail.Example.Com is owned by any particular George W. Bush that you might know from other channels.)
Sometimes a free or El Cheapo cert is enough; it gives you some calibration on risk levels. I've got a PGP key that I use to sign untrusted pseudonyms, with the policy that I'll only sign any specific name once.
Otherwise, you've got a model that says you've got One True Name, usable for everything, and anybody who steals your wallet or hacks your PC (Microsoft and wu-ftpd and sshd would NEVER have bugs!) now 0wnz you. The Social Security Number, with one number that gets used for everything, is a terrible idea, and guarantees that it's easy to correlate any two databases from any groups that have either been forced to use your SSN as a tax number or found it convenient as a "unique" identifier. Besides, then Californians who can speak Spanish wouldn't be allowed to have web sites, just as one of our previous governors decided they shouldn't be allowed to drive. No thanks.
In general, there's a lot of confusion about Public Key Infrastructures, partly because of the big gap in the middle of "1. Write Marketing Hype!! 2. ???? 3. ???? 6. PROFIT!!" chain, but mainly because there are different ways to answer questions about "Who's certifying whom or what to do what or be who or what?" which lead to different applications and solve (or fail to solve) different business problems. One major effort to address this systematically is the IETF SPKI Simple Public Key Infrastructure group, much of which is based on the work of Carl Ellison and Ron Rivest (RFC2692, Requirements, RFC2693, Theory.) It turns out that, while the "Some Authority Certifies that You have Documents with your True Name" model that's popularly used is often useful, it's often not the right model, and there are often more useful relationships, such as the DNSSEC authentication used for web sites and email.
If there are a small number of honeypots, yes, it's easy to stop them. But what if everybody had one, or at least everybody who didn't need a real smtp server? All those cable modems out there, which aren't allowed to run servers because of blazingly clueless policies by cable companies, could be running honeypots, especially teergruben,y yyy
which run valid SMTP vvvv...eeee..rrr..yyyy...sssss...loooowwwww....ly
and can keep spammers tied up for long times. They don't usually look like open relays; they usually look like end users. Cable modem companies could be heros by having people running the things. (And if spammers respond to this by not sending email to domains hosted on cable modems, that's a big win too....)
If you're using Outlook Express instead of Full-Scale More Expensive Outlook, you're probably fetching the mail using POP3 or IMAP instead of the MS Exchange proprietary protocols. If so, there are filter programs that you can run on your own PC that proxy POP3 from a server, so you can tell your Outlook Express that your email server is 127.0.0.1:pop3, and the proxy fetches it from mail.example.com for you, which gives it a hook to hang filtering tools on. There are probably similar filters for IMAP by now.
Vipul's Razor, Cloudmark, etc. are collaborative filters that let humans mark messages as spam and share the spam ratings, so even Spam-Of-The-Future messages that evade filterbots are likely to get caught by humans. That means that if a roughly-identical message gets sent to N people, and sneaks by their spam filtersbots, the first few humans to read it send in ratings that let everybody else's filterbot kill it for them. They do some kind of hashing function to catch similar-but-not-identical messages, which is necessary because message headers will obviously be different for every recipient, but have useful information, and message bodies for different recipients may be identical, but often have some recipient-customization, like "Dear Bob" and "remove-2184242314231-Bob@spammer.com".
One of my ISPs's implementation of SpamAssassin seems to be using it as part of their rating heuristic.
There are also tagged versions of Unix email clients around, which let you receive messages to yourname+tag@your-isp.net, letting you do the same with tags that you did with addresses in your own domain, but surprising numbers of humans and web-forms seem unable to use those addresses correctly. (They also don't work for me, because my email forwarder doesn't know how to translate myname+tag1@emailforwarder-domain.com into myrealname+tag@my-real-isp.com.)
Fastmail.fm has a nice intermediate version, using subdomains - tag@username.fastmail.fm is equivalent to username+tag@fastmail.fm, so you can give people human-readable tagged names and do all the same processing tricks. It's pretty limited use in their free service, but has much more flexible tools in their paid service.
The other approach that helps with filter-evaders is collaborative filter nets such as Vipul's Razor or Cloudmark. Some recipients will still get stuck reading the spam, but they'll mark it so most recipients can auto-trash it.
Less controversial than ISPs trashing suspected spam is ISPs trashing virus email - that almost never gets false positives, and almost nobody minds (or at least, almost nobody minds if the virus part gets deleted, if it was an attached document on a real email message.) That won't stop Good Times Hoaxes, which are wetware problems rather than software problems, and it's a much more common feature for corporate email systems (because they're usually the suckers\\\\\\\customers for Certain Popular Email Systems and Certain Popular Word Processors which make it easy to auto-execute code.)
They didn't _ask_ anything, they ordered.
They told him to take down the website - not just the logo, but anything using the term "PCI", and said if he wanted to go to a lot of work and expense to do them a favor by having his employer put the site back up, they might consider it. If the PCI-SIG (themselves) has asked him to do something about the logo, and maybe add some trademark notices, he probably would have been ok with that, but they were clearly not just talking about the logo, but the whole thing.
The use of the PCI-SIG trademark logo is something they might have needed to do something about to protect, but they should have asked him politely to make it obvious that his site was unofficial, if it wasn't already obvious enough, and either make the logo point to their web site or put appropriate words next to it, or even to take the logo off if it was used in a confusing way. I'm guessing that the logo was there to say "The official PCI-SIG site is at www.___.etc." or whatever. That's really about all.
Some of you may remember the "Mentally Contaminated" buttons somebody gave out at Usenix to people who'd dealt with the real code and therefore had to be careful about what they wrote to avoid contaminating BSD and freeware apps.
The whole internet boom-and-bust thing happened while you were Off Net, and the economy's worked it's way back down to about what it was before you got caught.
What's it been like watching it from the outside? Do you have any perspectives that are different from what people experienced going through it?
If the Supes hadn't been snobby enough to ban the things on bike lanes, it would have been interesting to see how they'd have competed with the bike-messenger business - higher up-front cost, easier to carry more kinds of cargoes, and probably a lower level of aggression compared to biking through SF's traffic, because the basic fight-or-flight stress mechanisms that work well for city biking don't really apply.
SF shouldn't have banned the things on bike lanes, though; they'd be just fine there, and no more suicidal than biking in SF's traffic and hills is anyway. Also, as a vertical-standing passenger, you're probably more able to look around for cars and for pedestrians than the average bicyclist, who's at a different angle and probably can't stop as fast or turn as tightly.
San Francisco has lots of bike lanes. The Supes banned Segways on them too. It's mostly snobbery, but apparently the Segway people were trying to get approval to run the things on sidewalks, which is much more dangerous to pedestrians, and it backfired on them.
There's no reason to involve the police powers of the city to ban the things - people driving in the dark in dark clothes with no helmet won't be in the gene pool for all that long. There are occasionally bikers that stupid, of either the motorized or non-motorized flavors.
However, that's no excuse for banning them in bike lanes, which San Francisco has lots of. It's pure snobbery, as near as I can tell, though probably triggered by Segway's attempt to pre-emptively get states and city councils everywhere to approve driving the things on sidewalks. A segway cranks up to about 12mph, which is a medium speed for a bike on flat ground; YMMV on hills (which SF has lots of), and the acceleration patterns are probably a bit different, and there's no macho factor, unlike cranking your bike from 0-30 in 2 seconds by pointing it downhill on Mason Street.
Don't get me wrong, I liked APL, and its model of "You shoot all the bullets at all the feet, then select the feet that belong to you" was really nice for doing time-series analysis. But it is somewhat nice to have language designers who at least stick to an ASCII keyboard to find weird symbols from :-)