Blog Archives

Asbestos underwear, fair information principles, and security

Tales from the Net co-author Deborah Pierce’s Into the Lion’s Den — a privacy advocate’s work is never done (on her tribe.net blog) talks about a panel she was just on at ERE Expo, “the nation’s leading recruiting conference.” She was there for a debate with the CEO of a company whose mission is “to map every business organization on the planet, contact by contact”:

The CEO started by asking how many in the audience had heard of Jigsaw or had used Jigsaw. About half of the people raised their hands. When my turn came, I asked how many people had heard of Fair Information Principles*. There were about a hundred people in the room and about three people raised their hands. With this crowd I wasn’t surprised.

privacy
Professional
Tales from the Net

Comments (3)

Strategy, security, and static analysis: what’s next for me

Fourteen years ago today was my last day at Digital Equipment Corporation before leaving to work on the technology that today became PREfix, and on the company I started with a few friends that became Intrinsa, so it seems especially appropriate to post about this today …

I’m delighted to announce that I’m starting a part-time strategy consulting gig working with San Francisco-based software engineering startup Coverity. My initial focus will be exploring possibilities in the security space, and I’ll be using techniques like community-driven strategy and design, asset-based thinking, and social network analysis. So it’s a very natural follow-up to each of my last three professional incarnations: static analysis architect, computer security researcher, and grassroots strategist.

Personal
Professional

Comments (2)

pwn2own: the stakes just got higher

Update, March 27: MacBook Air pwned and owned — in two minutes!

Update, March 28: Vista laptop pwned via an Adobe Flash vulnerability.

Update, April 16: Apple issues Safari patch.

Props to the winners — and to Ubuntu Linux, which emerged unpwned!

Professional
social sciences

Comments (12)

My new bio-in-progress, 2.0

It’s amusingly difficult for me to write professional biographies, especially for print publications. Not only do I have a hard time reducing my career to the paragraph you’re usually allowed, at some level it feels like it forces me to reify my identity. Nonetheless, it has to be done; right now, I’m on the hook for bios both for the Computers, Freedom, and Privacy program committee and an upcoming book chapter on computer science as a social science.

So here’s a stab at it … feedback, please!

Update, 3/27: revised substantially after great feedback. Original version in the comments. Thanks all!  Additional minor edits on 3/29.

Jon Pincus’ current professional projects include Tales from the Net (a book on social networks co-authored with Deborah Pierce), starting a strategy consulting practice, and blogging at Liminal States and elsewhere. Previous work includes leading the Ad Astra project as General Manager for Strategy Development in Microsoft’s Online Services Group; creating the static analysis tools PREfix and PREfast (now available in Visual Studio) at his startup Intrinsa and then at Microsoft Research; security planning with the Windows Security Push and XPSP2 task forces; and the National Academies/CSTB panel “Sufficient Evidence?” His primary research interests relate to recasting the field of computer science as a social science. In addition to the applications of this lens to security discussed here, other social science approaches embodied in Ad Astra and the earlier Project Fabulous include asset-based thinking, narratology, cognitive diversity, intersectionality, philosophy of technoscience, oppression theory, and hot pink beanbag chairs.

(Note: that’s the version for the computer security paper; the other one will have slight differences in the last sentence.)

Personal
Professional
social computing

Comments (5)

Indeed! The Economist on “computer science as a social science”

The Economist’s Technology Quarterly has an excellent article on Software bugtraps: software that makes software better. This is something of a follow-up to an article they did a few years ago; most people quoted think that the situation is improving, although of course, as Capers Jones points out, it depends on your metrics. And why the improvement?

According to … the chairman of the Standish Group, most of this improvement is the result of better project management, including the use of new tools and techniques that help programmers work together. Indeed, there are those who argue that computer science is really a social science. Jonathan Pincus, an expert on software reliability who recently left Microsoft Research* to become an independent consultant, has observed that “the key issues [in programming] relate to people and the way they communicate and organise themselves.”

Indeed, I have argued that — in keynote talks Analysis is necessary but not sufficient at ISSTA 2000 and Steering the pyramids at ICSM 2002, and then more explicitly in the “BillG thinkweek paper” Computer science is really a social science (draft) from early 2005 and my 2006 Data Devolution keynote with Sarah Blankinship applying this lens to computer security.

Professional
social computing
social sciences

Comments (17)

Community defense vs. trolls in the One Million Strong for Barack Facebook group

Like a lot of political sites these days, the Barack Obama Facebook page and One Million Strong for Barack group have been suffering from an infestation of trolls and hate speech. Obama supporters, like others, use Facebook to help with “get out the vote” work (for example posting links to information about polling places) and phonebanking — and to get their questions answered. Especially with the key Ohio and Texas votes on Tuesday, the trolling’s a lot worse than just a nuisance: it’s an example of the dirty tricks described in How to Rig an Election.

The group’s admins are doing a great job of trying to keep things under control, and Facebook is apparently working on tools to help them. There are only a few admins, though, so in the short term, it seemed like a good time for a “community defense” effort. Building on Classy Williams’ earlier idea of a troll registry, I started up a thread, and sent out mail to a “secret” group of about 60 people who were concerned about the trolling. Here’s a greatly expanded version of what I said, with some background for non-Facebookers.

Originally posted March 3

Most recent update May 6

political
social computing
Tales from the Net

Comments (9)

Computers, Freedom, and Privacy 2008: call for proposals is up!

From the CFP2008 web page:

This election year will be the first to address US technology policy in the information age as part of our national debate. Candidates have put forth positions about technology policy and have recognized that it has its own set of economic, political, and social concerns. In the areas of privacy, intellectual property, cybersecurity, telecommunications, and freedom of speech, an increasing number of issues once confined to experts now penetrate public conversation. Our decisions about technology policy are being made at a time when the architectures of our information and communication technologies are still being built. Debate about these issues needs to be better-informed in order for us to make policy choices in the public interest.

This year, the 18th annual Computers, Freedom, and Privacy conference will focus on what constitutes technology policy. CFP: Technology Policy ’08 is an opportunity to help shape public debate on those issues being made into laws and regulations and those technological infrastructures being developed. The direction of our technology policy impacts the choices we make about our national defense, our civil liberties during wartime, the future of American education, our national healthcare systems, and many other realms of policy discussed more prominently on the election trail. Policies ranging from data mining and wiretapping, to file-sharing and open access, and e-voting to electronic medical records will be addressed by expert panels of technologists, policymakers, business leaders, and advocates.

Updates:

CFP2008 is being held in New Haven, Connecticut, on May 20-23. Back in 2000 Elizabeth Weise called it “the most important computer conference you’ve never heard of”; I think of CFP as the most important conference — and network of people and organizations — focused on civil rights (and increasingly, human rights in general) in an electronic society. Lorrie Faith Cranor’s Ten Years of Computers, Freedom and Privacy gives the early history, where hackers, lawyers, law enforcement, and government representatives fought out “crypto wars” and internet censorship battles (ending with a defiant “we’ll be back” from the Clinton administration as the Clipper Chip went to its well-deserved fate).

The technology policy focus is extremely timely. The upcoming election will feature significant differences between the parties and candidates on issues like net neutrality, warrantless surveillance, immunity for corporations who may have collaborated with illegal government wiretapping programs, Real ID, the McCain bill to censor social networks, and privacy — now on the national agenda thanks to MoveOn’s stance against Facebook’s Beacon.

Over the last several years, CFP has steadily broadened its horizons to take a more global view and pay increasing attention to perspectives that are getting overlooked: digital divide issues, normalization of surveillance and censorship by governments and corporations, hacktivism, the special challenges of communities like the Mohawk Nation (spread over multiple jurisdictions), high school students in a panel organized by danah boyd in Seattle in 2005. After a few (in my humble opinion) rather bland and corporate years, things have taken a more activist turn: a 2003 New York walking tour by the Surveillance Camera Players, a 2005 demo by the ACLU that led to the US State Department changing policy on encryption and passports (props to State Department official Frank Moss for being there and taking the message back), Patrick Ball accepting his EFF Pioneer Award by satellite from Sri Lanka, where he was working with the truth and reconciliation commission. Last year in Quebec, during the height of the Stop Real ID Now! grassroots activist campaign, a half-dozen coalition members ranging from libertarians to labor activists were there (as well as some people from DHS and elsewhere who strongly disagreed with us but were still willing to have very honest discussions), and Bruce Schneier gave a keynote on the Psychology of Security for people on both sides of the debate.

The call for presentations, tutorials, and workshops asks for proposals on panels, tutorials, speaker suggestions, and birds of a feather sessions through the CFP: Technology Policy ’08 submission page. The deadline for panels, tutorials, and speakers is March 17, 2008, and the birds-of-a-feather deadline is April 21. The list of suggested topics is really broad (I’ll include it in a comment) and so, as always, there are likely to be a lot more high-quality submissions than can easily fit; the program committee often merges sessions and suggests changes to help squeeze more in. The submission process can seem a bit intimidating (this is an ACM conference and so it has some academic overtones) but the guidelines are helpful and have links to some examples.

So if there’s a topic you’d like to see covered, one or more speakers you think would be good, a presentation you’d like to give, a panel you’d like to organize, or a tutorial you’d like to attend (or provide), please think about submitting it. If you’re not sure whether it makes sense, feel free to give it a trial run in a comment here or just send me some mail.

If it seems like CFP means a lot to me, it does: I’ve been going there for over 10 years; my SO Deborah Pierce has been going even longer and chaired it in 2005. I’ve volunteered, asked questions, been on a panel, run a couple of BoFs, and taken photos of Deborah during the various sessions she’s appeared in or moderated, and this year I’m excited to be on the Program Committee. There are lots of friends and long-term acquaintances we only get to see in person at CFP — and every year we meet a lot of new people. This year, with the two of us working together on Tales from the Net, and Computers, Freedom and Privacy 2008’s ambitious goal of “shaping public debate” on technology policy in an election year, I’m particularly looking forward to it!

jon

political
privacy
Professional
social computing
social sciences

Comments (8)

Cult of the Dead Cow releases ‘Goolag’ beta

Hacktivists Cult of the Dead Cow (cDc) have released a Windows-only beta of Goolag, a rich client for the Google Hacking techniques pioneered by hacker J0hnny I Hack Stuff.

Basically, Goolag makes it easy to use Google to search out security vulnerabilities related to your web site — or, presumably, others. From cDc’s blog:

SECURITY ADVISORY: The following program may screw a large Internet search engine and make the Web a safer place.

Professional

Comments (5)

Facebook: censoring political speech

Facebook status: Jon is routing around censorship

Update on February 22: How to respond when Facebook censors your political speech is up on Tales from the Net and Wired’s How-to Wiki and links back to comments in this thread. Alas, the Facebook Barack Obama discussion board was deleted on February 20, so many of the links here go off to oblivion.

If you are doing political activism on Facebook and you’re getting warned as a spammer — or if your account has been disabled for engaging in political speech — please leave a comment here or on the Wired Wiki page. Thanks!

February 19: another account was deactivated with less than one hour notice. I’m getting flagged by Facebook’s automated filters for posting info about how to find polling locations. (Okay, I posted it twice, an hour apart. Still.) It’s not pretty. More soon.

political
Professional
social computing
social sciences
Tales from the Net

Comments (60)

Privacy and civil liberties: showdown time on the “Protect” America Act

Update on February 12: Final votes were today. Barack Obama voted against telecom immunity — as did Harry Reid and 29 other Democrats. John McCain along with every single Republican Senator, Joe Lieberman, and 19 Democrats voted for. More here.

Update on Super Tuesday: Ari Melber’s Nation article gives the current snapshot; read the thread for more.

Russ Feingold’s video on YouTube sums it up perfectly:

political
Professional
social sciences

Comments (14)

What’s up with me

The two months since I left Microsoft have been low-key recharge-and-relax time: catching up on sleep, visiting my mom, reconnecting with friends, doing some writing (blogging, poetry, the fictional The anomaly and the goddesses), and hanging out with Deborah. It’s been great. My friends consistently tell me how relaxed I look and sound (my Facebook status messages apparently give the same impression), and that’s exactly how I feel.

Personal
Professional
social sciences
Tales from the Net

Comments (4)

Poisoning squirrels in the repository

Slashdot’s linked to a bunch of good stories on computer security recently. Squirrelmail repository poisoned has the catchiest title, and plus it’s about squirrels, so it goes first.

What happened was that an intruder got into the site where you download Squirrelmail and introduced a very subtle change in the code. Anybody who knew about it (the intruder, or anybody he/she told or sold the secret to) could then exploit it for “arbitrary code execution,” aka “pwning” — both of which are security speak for “doing whatever you want to on the system.”

YOW! Dreamhost, my ISP, provides a nice one-click install for Squirrelmail (“webmail for nuts!”) and I use it on a couple of my domains. Maybe somebody’s used this to hack in — and that’s why my colors keep intermittently changing from pink to blue! Hmm, well, probably not … although other than the unsatisfyingly generic “intermittent software bug” it’s the best explanation so far.

Imagine, though, that this was a political candidate’s blog; and that the hack gets exploited to delete a random 10% of mail from potential supporters and voters. This might not get noticed for a while … and if it went on long enough, it could easily lead to enough impact to swing a close election. Or suppose there’s a mass-mailing from the account to everybody in the district the day before the election: “This account has been hacked, can you really trust this bozo?” Hmm. Talk about your social engineering attacks.

It’s also another interesting example of the “security as a social science” theme — and more specifically, the process issues for web services that came up in How’d that get through QA? Something that’s really encouraging here is that in both cases the software providers did exactly the right thing, including being transparent about what had happened — Squirrelmail’s blog shows how quickly they reacted, announcing immediately and getting the fix out within a day.

political
Professional
social computing
social sciences

Comments Off on Poisoning squirrels in the repository
