social sciences

Poisoning squirrels in the repository

Slashdot’s linked to a bunch of good stories on computer security recently. Squirrelmail repository poisoned has the catchiest title, and plus it’s about squirrels, so it goes first.

What happened was that an intruder got into the site where you download Squirrelmail, and introduced a very subtle change in the code that would open up “an arbitrary code execution risk” to somebody who knows about it (the intruder or anybody he/she told or sold the secret to), aka “pwning”; both are security speak for “doing whatever you want to on the system”.

YOW! Dreamhost, my ISP, provides a nice one-click install for Squirrelmail (“webmail for nuts!”) and I use it on a couple of my domains. Maybe somebody’s used this to hack in — and that’s why my colors keep intermittently changing from pink to blue! Hmm, well, probably not … although other than the unsatisfyingly generic “intermittent software bug” it’s the best explanation so far.

Imagine, though, that this was a political candidate’s blog; and that the hack gets exploited to delete a random 10% of mail from potential supporters and voters. This might not get noticed for a while … and if it went on long enough, it could easily lead to enough impact to swing a close election. Or suppose there’s a mass-mailing from the account to everybody in the district the day before the election: “This account has been hacked, can you really trust this bozo?” Hmm. Talk about your social engineering attacks.

It’s also another interesting example of the “security as a social science” theme — and more specifically, the process issues for web services that came up in How’d that get through QA? Something that’s really encouraging is that in both cases the software providers did exactly the right thing, including being transparent about what had happened — Squirrelmail’s blog shows how quickly they reacted, announcing immediately and getting the fix out within a day.


I love it when stuff like this happens!

Recently somebody who’s interviewing around Microsoft told me that they had brought up Ad Astra in an interview context as a way of demonstrating that they understood viral marketing: “Remember all those hot pink Mashup posters around campus? Well, here’s how we approached it; this was my role; this is what I learned.” And it worked out well!

It’s a great way of framing it, because even though we didn’t do a great job of marketing Ad Astra in general, Mashups were something we got a lot of people to notice and talk about. And best of all, it had measurable results: attendance at Mashups steadily increased by 50% monthly, using techniques like this, emailing, leafletting, … classic viral marketing.

For those of you who haven’t spent time on the Microsoft campus, there are posters everywhere, mostly in blue, brown and gold, occasionally in other colors — but never any pink. So these stood out. And we put up a lot of posters; in March, the guy who runs the internal postering service told me that we had already put up more posters than Windows or Office had in the previous 12 months. [I pointed out that they had better existing name recognition.] So (at least in the Redmond area) the odds that the person either heard about it, or knows somebody who has, are pretty reasonable.

Thinking about it afterwards, I realized that there are probably 50 to 100 people who were involved in various aspects of marketing Mashups. Most of them have no previous marketing background; all of them now have at least one anecdote that they can use to show their awareness and understanding of this kind of marketing. That’s kinda cool.

Yay us!


Did Blockbuster and Facebook violate the VPPA via Beacon?

James Grimmelmann has an excellent post over at the Laboratorium. His summary:

Another member of a professorial mailing list I’m on asked whether Facebook may have violated the Video Privacy Protection Act of 1988. Nicknamed the “Bork Bill” (a newspaper published his video rental records during his confirmation hearings), the VPPA protects your privacy in the videos you rent and buy. Well, guess what? One of Facebook’s Beacon partners was Blockbuster, so some of the items that wound up in people’s news feeds were the names of videos they’d bought. Oops.

I dug a bit into the legalities of the issue, and this is roughly what I came up with: Facebook and Blockbuster should hunker down and prepare for the lawsuits. Their recent move to allowing a global opt-out may cut them off from accruing further liability, but there’s probably an overhang of damages facing them from their past mistakes.

As usual with James, it’s a very detailed analysis; the discussion is also excellent.

Looking specifically at Blockbuster’s liability, there’s an interesting parallel to my as-yet-unanswered question in the thread about Beacon’s announcement of a global opt-out about whether Beacon caused advertisers to violate their privacy policies. In the web 2.0 world, the dependencies between software components mean that service providers (Facebook in this case) can put their customers (Blockbuster) at legal risk. As Google, Yahoo, Microsoft, Amazon, eBay, Facebook et al. compete, it will be a major advantage to whoever first seizes the high ground by providing services and platforms that are noticeably less risky. In addition to the classic considerations like security and ability to deliver on service level agreements (SLAs), this will increasingly include considerations like well-thought-out policies — and getting and listening to a broad range of perspectives, including from privacy advocates, before launching new services.


Notes on quotes

Somebody pointed out to me in email that my repeating the characterization of me as “airing dirty laundry” looks like an example of something that politicians (and persuasive communicators in general) are warned against: publicizing the attacks against you. It’s a good point, especially since attempts to combat or defuse the attacks often reinforce them — think of Tricky Nixon saying “I am not a crook”.

On the other hand, it’s often very important to talk about the language your critics and opponents [or others for that matter] use; and there’s usually no way to do that without repeating their language.  In a situation like this, I try to explicitly use quotes, to highlight that “airing dirty laundry” is a phrase that has some meta-level significance.  Links to a web page with a definition or discussion of the term are also useful — bear in mind, though, that they call further visual attention to the phrase.

This does require awareness of the convention from readers, and making the effort to apply it. Most people are pretty familiar with the idea of visibly quoting something to be able to discuss it when talking — you often see people making stylized quotation marks with their fingers to show this. While folks may not have seen it in online discourse, it’s a straightforward extension — and one that people who are used to thinking about abstraction already understand. And while there’s always a risk that people reading quickly will misunderstand, noticing this convention becomes second nature, so I think given the target audiences of this blog it’s a reasonable tradeoff.

Or so it seems to me at this stage. My position may well evolve … I’m curious what others have to say.

jon, “asking for feedback”


Bullies and moderation in online discussions

A kerfuffle that recently went on in one of the online communities I hang out in is a nice illustration of some of the complex interaction between moderator privilege in discussion forums, power vectors and bullying.

Briefly, a poster engaged in a bunch of techniques such as using loaded and admittedly-pejorative terms in a theoretically-neutral discussion, lashing out at critics while claiming victim status, ignoring constructive suggestions, and trotting out the hoary “I’m privileged” chestnut of disclaiming responsibility while attempting to put the burden of making up for his ignorance on others (“I’m looking for some specific suggestions here” aka “I don’t think my mistakes are important enough to feel like doing the work myself”). While I don’t see the guy as a bully in general, this is classic bullying behavior.

What made this case particularly interesting is that the moderator took the bully’s side. As moderator, he could edit the discussions after the fact to rewrite history — and he did. For example, he deleted a post as “an off-topic flame” (later reposting it on his private friends-only blog). He deleted a thread of mine and then posted his response (quoting my original words, but now in a way that marginalizes them) in a thread he had started. And so on.

(The really funny thing is that my thread that he deleted specifically called him out for abusing his moderator privilege by deleting threads. I tell ya … you can’t make this stuff up.)

Those who have spent a lot of time online will recognize the dynamic. In this particular case the forum’s very new, and so it’s not a big deal: at some point soon, the moderator will either realize that if he wants people to work together he’ll have to stop bullying and start listening and learning … or everybody will get bored and drift away. Regardless of what happens here, the bully will either change his ways, leave the community, or become another “self-exile”, feeling excluded from the power structure and unable to understand why.

Still, it gives a very interesting and unusually clean snapshot into the kinds of power vectors that moderation — or other control over the discourse — inherently introduces.

Thoughts, similar experiences, discussions of how this plays out in other discussion media (wikis, email lists), etc.?

jon


Insults, “mate retention behavior”, and gender violence

Continuing the theme for the day, I was looking at a couple of abstracts from Christian Jarrett’s excellent BPS Research Digest:

  • Why do some men insult their partners? concludes “men who habitually insult their wives or girlfriends do so, somewhat paradoxically, as part of a broader strategy to prevent them from leaving for someone else – what evolutionary psychologists call ‘mate retention’”
  • Does your boyfriend let you out of his sight? suggests that “certain male behaviours tended to be associated with the use of violence against women.” The ones they discussed in the summary are pretty much what you’d expect: “men who were violent toward their partners also tended to use emotional manipulation (e.g. threatening to hurt themselves if their partner left them), to monopolise their partner’s time (e.g. not letting her go out without them), and/or to punish their partner’s infidelity (e.g. by becoming angry when she flirted with anyone else).” By contrast, ‘mate retention behaviors’ such as telling your partner “I love you” and spending lots of money on her* are associated with a lack of violence.

[The mate retention inventory (.doc file) makes interesting reading … too bad there’s nothing in the digest summary about the associations of “56. Wore my partner’s clothes in front of others”. I’d really like to check out the full paper … alas, at $29.00 for the online copy, it can wait until I get to a library. But I digress.]

Of course, whether or not it’s linked to physical violence, as a mate retention behavior, insulting the other person clearly has the goal and effect of tearing down their self-esteem. So do quite a few others on the list, such as ‘17. Told other men terrible things about my partner so that they wouldn’t like her’ and the first batch of the ones listed above. By contrast, things like ‘58. Complimented my partner on her appearance’ and the second batch (“I love you/will spend money on you”) show appreciation and are more likely to be done in a way that builds self-esteem. My guess would be that there would be a general correlation between self-esteem-destroying mechanisms and violence … it’d be interesting to see the data. I wonder if the authors would make an anonymized version of their data available?

Anyhow. Two thought-provoking pieces of research, and an interesting synergy. Other thoughts welcome.

jon

* although presumably these results largely generalize in a gender- and orientation-independent way!


Fascinating on so many levels

An anonymous commenter on Mini patronizingly critiqued me for “airing dirty laundry” about Microsoft on a public forum, under the guise of a “helpful” warning to me that “my new employer” might have second thoughts about me because I’d presumably “do it to them as well”. (See the thread for the full language and context — it’s near the end.)

Especially in context, it’s one of those comments that’s fascinating on so many levels, and representative of certain kinds of thinking that it’s well worth analyzing. Where to start?

First of all, it’s kind of bizarre and very amusing to critique me for “airing dirty laundry” in a thread that starts with Mini’s saying “What does it take to be disappeared from Microsoft? We can only guess one day Stuart Scott was walking outside of his building when a black Escalade with VI0L8R plates pulled up, Ken DiPetrio swung open a door and said, ‘Get in.'” So no matter what the poster thinks of my argument, he’s shooting himself* in the foot by framing his critiques in this way. In an environment where people value transparency, “airing dirty laundry” is something that’s generally seen as a good thing. Putting me completely aside, showing his lack of understanding while unnecessarily dissing and devaluing whistleblowers and all the people who *do* see appropriate airing of dirty laundry as potentially in the company’s best interests (like Mini and his/her/their fans) isn’t a good way of starting an argument.

For his goal of criticizing my behavior, rather than using the vague and loaded term “dirty laundry” it would have been better for him to be more concrete about what he thought I had done that was against Microsoft’s interests. Making blustering and sneering implications like he did is easier but usually counter-productive, leaving him with a hard time responding when he’s challenged — for example, if he attempts to advance a more concrete argument now he risks looking defensive.

Lots more to cover, including the reason potential future employers at Microsoft and elsewhere would be likely to see this discussion as a positive rather than counting against me (quick summary: it embodies positive transparency and empowers employees by helping them understand existing processes), why the “let me explain” framing similarly backfires, the hegemonic effects of devaluing personal experience, and of course gender issues.

To be continued,

jon

* Or, potentially, if the poster’s a she, shooting herself in the foot. Since the communication style here has several patterns that are much more common among males, I’ll use male pronouns for simplicity; so whenever you see “he” in relation to the poster, please mentally translate to “the poster, whatever gender he and/or she might be” or something like that.


Judge suggests trans exclusion from ENDA may impact Title VII protection

Ann Rostow’s excellent Bay Times article gives details and context. After transwoman Diane Schroer was denied a job at Congressional Research Service when she told them she would be reporting at work as a female,

Schroer sued in federal court under the aforementioned Title VII, alleging that her job was revoked due to impermissible sex discrimination. The government asked U.S. District Court Judge James Robertson to dismiss the suit, based on the fact that Title VII doesn’t ban discrimination based on transgenderism. Judge Robertson declined, pointing out that Price Waterhouse [the 1989 Supreme Court precedent] might apply, and also wondering in a court memo whether Title VII’s ban on “sex” discrimination might be interpreted to ban discrimination against transgendered people based simply on the plain language of the statute….

The bottom line is good news for Schroer. Robertson ruled that her suit could proceed based on the possibility that she could prevail under Price Waterhouse and its ban on gender stereotyping. But Robertson then rejected the idea that Title VII might outlaw trans bias on its face. Why? Because of the trans-less ENDA that recently passed the House of Representatives.

“At the time of my 2006 opinion,” wrote Robinson, referring to his initial memo on the case, “there was no relevant legislative history as to Title VII’s relationship to discrimination on the basis of sexual identity. That is no longer the case. In recent months, a bill that would have banned employment discrimination on the basis of both sexual orientation and gender identity was introduced in the House of Representatives. An alternate bill that prohibited discrimination only on the basis of sexual orientation was also introduced. The House ultimately passed the version that banned discrimination only on the basis of sexual orientation.

“…Even in an age when legislative history has been dramatically devalued as a tool for statutory interpretation,” Robertson went on, “one proceeds with caution when even one house of Congress has deliberated on a problem and, mirabile dictu, negotiated a compromise solution.”

Ouch. So much for the argument against trans inclusion on the grounds that transfolk are already protected. Thanks, Barney Frank (and thanks, HRC) for a ‘compromise solution’ that compromises existing protections.

jon


I’ve got fans! Kind of.

In a comment in the Power vectors thread, Vanita said:

You were useless (I met with you several times at Microsoft) and it looks like you still are. I am glad to hear you are gone – it made no sense for Microsoft to pay you a hefty salary given the “work” you were doing. All this high level bullshit…

I let the comment through because it’s a great illustration of the kinds of attitude and environment that’s disappointingly common at Microsoft these days, unwilling to take the time to understand new ideas and so threatened by anything “high level” that might actually lead to a change in the system, that the response is to hide behind the cloak of anonymity to spread around virulent negative abuse in completely inappropriate situations.  Yeah, that’ll help.

Imagine working in an environment where this kind of behavior is widely tolerated.  When I was at Microsoft, I got reactions similar to this from maybe 5-10% of the people, and so on large mailing lists or with the 200+ people who attended a mashup the odds were extremely high that somebody would jump in with some garbage like this — with superficially more polite phrasing if their names were associated with it, but still the same mix of knee-jerk uncomprehending rejection and personal attack.

And bear in mind the impact this has not just on the person receiving the abuse (me), but all those witnessing it.  No wonder so many people at Microsoft are unhappy and frustrated.


So it’s not just me …

In an interesting study recently published in the Journal of Applied Psychology and summarized in the British Psychological Society’s Research Digest:

Male and female employees who said they had witnessed either the sexual harassment of female staff, or uncivil, rude or condescending behaviour towards them, tended to report lower psychological well-being and job satisfaction. In turn, lower psychological well-being was associated with greater burn out and increased thoughts about quitting.

….

Crucially, while these negative effects were not large, they were associated purely with observing the mistreatment of others, not with being a victim of mistreatment oneself – the researchers took account of that (for participants of both sexes) in their statistical analysis.

It’s especially interesting to see “uncivil behavior” called out. There have been several times in the last few years where for one reason or another I’ve spent a chunk of time in environments where this kind of behavior towards women is normalized, and it certainly does have those effects on me — and many others I talk to.

One of the clearest examples was at Microsoft with the Litebulb distribution list (DL), where the attack-based and disrespectful norms of discourse combine with the 99% male participation and lack of understanding of “soft” (i.e., feminine-identified) disciplines such as marketing, communication theory, and diversity to create an environment that’s extremely hostile to women. Since it was (and probably still is) the largest innovation-focused DL at Microsoft, and filled with intelligent and analytical people, it was a key potential channel for culture change — and a fertile recruiting ground for my Ad Astra work — so from time to time I participated; and I could really notice the difference in my state of mind just being surrounded by that attitude. Quite a few people, of all genders, who had stopped participating there told me that they felt noticeably less irritable at work as a result; and with several colleagues, I could see real differences in their behaviors more generally that appeared to correlate with how much time they were spending on the DL. Of course this is all anecdotal, but very consistent with the results from this study — and elsewhere. As Bob Sutton points out:

This research is so important because — consistent with prior research on bullying — it provides further evidence that allowing assholes to run rampant in an organization doesn’t just hurt the victims, it hurts everyone.

While the study specifically looked at gender issues, this dynamic is likely to generalize to a large extent to other diversity- or power-based dimensions. It’s also interesting to think about how this might apply to other contexts, such as social networks — so for example the Kathy Sierra episode, and more generally the lack of civility of large factions of both the progressive and neocon blogospheres.

I’m a big believer in the importance of civil discourse for many reasons; looks like I just added another to my list.
