April 21, 2014

Heartbleed's Companions: There Will Be Consequences



The Heartbleed bug appears to be a contender for Greatest Internet Security Fuckup of all time, but it also fits in the category of Here We Go Again.

At this point discoveries of massive data breaches have become pretty much routine. A study cited by Farhad Manjoo in the New York Times reported that 814 million data records were exposed in 2013, and that was before Heartbleed was outed.

It’s not data breaches, per se, that concern me, however. Rather, I’d like to point out a couple of Heartbleed’s broader implications.

The first is that we miss Heartbleed’s most important lesson if we think it applies only to the question of Internet security.  The designers of all sorts of technologies regularly assure us, and themselves, that their machines and their systems are absolutely safe and secure. Just as regularly we discover they’re wrong. Recent examples include the Deepwater Horizon oil spill, the Fukushima meltdowns, the chemical leak that poisoned West Virginia’s Elk River and Michael Lewis’s revelations about how the stock market has been rigged by flash traders.


Deepwater Horizon

We are similarly assured that we need not fear the even greater risks posed by such developing technologies as nanotechnology and synthetic biology, both of which have the potential to unleash unexpected consequences of Biblical proportions. (See Bill Joy’s famous article in Wired, “Why the Future Doesn’t Need Us,” for details.)

Synthetic biology is especially relevant here because its advocates are consciously basing, at least in part, both their hopes for advancing the technology and their confidence in its safety on the open source computing model that gave us Heartbleed.

The thinking in both cases is that there’s safety in numbers. Open source advocates argue that more people looking at computer code makes it more likely that openings for hackers will be prevented or closed. Synthetic biologists argue that the more people who know how to manipulate strands of DNA, the more prepared we’ll be to respond to the accidental release of harmful organisms or a bioterrorist attack.


The Heartbleed bug doesn’t prove that the open source philosophy is false, but it does demonstrate that it’s not perfect. As Farhad Manjoo put it, Heartbleed showed that “the Internet is still in its youth, and vulnerable to all sorts of unseen dangers, including simple human error. Today’s digital systems are complex and penetrate every corner of our lives. It is impossible to lock them down.” 

Manjoo argues that the Internet is less likely to correct its lapses than other large-scale industries have been because of its ubiquity, its complexity and its interdependence, and also because the human beings getting rich off the web pay more attention to building the applications that will make them rich than they do to ensuring that those applications are safe. I agree with all those contentions except the claim that the Internet is different from other large-scale industries and the suggestion that industries become "locked down" as they mature.

Manjoo credits Upton Sinclair’s The Jungle and Ralph Nader’s Unsafe at Any Speed with helping alert the public and lawmakers to unsafe conditions in the “chaotic, unruly days” of the meatpacking and automobile industries, respectively. (Never mind that Nader’s book came out in 1965.) Those unsafe conditions have since been rectified, Manjoo says, by “a combination of regulation and industrywide cooperation.”

Mary Barra, CEO of General Motors, is sworn in to testify before the House Energy and Commerce subcommittee on Oversight and Investigation

Well, yes and no. Certainly there have been improvements, but Manjoo seems not to have noticed that executives of General Motors have spent a lot of time recently testifying before Congress, trying to explain why they failed to correct a flaw in their ignition systems that killed 13 people over the past decade. And if Manjoo thinks The Jungle solved the problems in the meatpacking industry, he hasn’t read Eric Schlosser’s Fast Food Nation.

The point — painfully obvious yet persistently ignored — is that breakdowns in large-scale technological systems are inevitable, and breakdowns produce consequences. The complexity, ubiquity and interdependence of those systems contribute to that inevitability, as do the oversights and mendacities of the human beings who design and run them (not to mention the oversights and mendacities of the human beings who use them). The scale of consequences will vary from insignificant to catastrophic, but there will be consequences.

This brings me to the second point I’d like to make about Heartbleed.



In the days after the bug was revealed, most of the blame was pinned on the open source engineers who failed to detect it before the updated software was released. This seems to be the sort of explanation intended to make us all feel better. If only proper procedures had been followed, everything would have been fine.

Again, though, the oversight that opened the Heartbleed door is hardly an isolated incident. You don’t have to be a volunteer working on open source software for free to miss a flaw that will cause problems. Plenty of paid professionals do, too. Indeed, the Heartbleed bug was overlooked for more than two years by any number of major companies and institutions using the OpenSSL software that carried it, among them Google, Amazon, Cisco, Facebook, Netflix, Yahoo, the Pentagon and the FBI.

“Given enough eyeballs, all bugs are shallow,” says open source software guru Eric S. Raymond.

The Heartbleed fiasco shows that the bug that lays you low can hide in plain sight, no matter how many people are looking. It also affirms Farhad Manjoo's point that Internet companies pay more attention to profits than they do to security.

All systems are fallible, and all systems are vulnerable. Anyone who says different is lying.

###








Note: This post originally stated that the Heartbleed bug was discovered by an engineer at Google. Other reports tell a different story, so I've eliminated the reference.



 
Image credits: Heartbleed tshirt: Martin Mulazzan. Eyeball: Thinkstock 

©Doug Hill, 2014


 

April 14, 2014

A Problem with Reason

"The feelings of our heart, the agitation of our passions, the vehemence of our affections, dissipate all the conclusions of reason."
David Hume








April 13, 2014

The Company They Keep


"On the whole, technical people come to share the perspective of those who wield power rather than those over whom the power is wielded, with managers rather than labor, with officers rather than soldiers. If for no other reason, this happens simply because technical people do their work almost exclusively with the former rather than with the latter, and come to share a world with them. But they have very little, if any contact with the others, about whom they typically remain woefully ignorant."
David F. Noble, Forces of Production







March 31, 2014

The Disease of the Age


“Originally intended to make simpler and easier the doing of necessary things, the introduction of machinery with its train of attendant evils has so complicated and befuddled our standards of living that we have less and less time for enjoyment and for growth, and nervous prostration is the disease of the age.”
Gustav Stickley








March 29, 2014

From Lascaux to Las Vegas: A Short History of Virtual Reality



So, Facebook is taking a major plunge into virtual reality, paying $2 billion to acquire Oculus VR, which makes a headset that itself is something of a virtual reality, given that ordinary consumers can’t yet buy one.

Mark Zuckerberg is clearly giddy about the virtual reality future. Announcing the deal on (where else?) Facebook, he asked readers to imagine the possibilities. You’ll be able to enjoy a courtside seat at a game, he said, or study in a classroom with students and teachers from around the world, or consult with a doctor “face to face,” simply by putting on a pair of goggles in your home. “People will build a model of a place far away and you’ll go see it,” he added in a conference call with reporters. “It’s like teleporting.”



Experts quoted by Nick Wingfield and Vindu Goel in the New York Times weren’t so sure. One said he couldn’t see any compelling applications for virtual reality beyond gaming. Another said that he’s heard virtual reality being hyped as the next big thing for more than twenty years, and there’s no reason to believe Facebook’s partnership with Oculus portends anything different.

In my view neither Zuckerberg’s excitement nor the experts’ skepticism seems entirely justified.

Zuckerberg presumably spends so much time looking at computer screens that he sees no significant difference between talking to a facsimile of a doctor through a virtual reality headset and talking to a flesh-and-blood doctor in person. He’s mistaken, of course, but the fact that the distinction blurs so seamlessly for him suggests why it’s probably a bad idea to bet against virtual reality being the wave of the future. 


Another reason for not making that bet is that virtual reality already has a solid track record, one that extends back as far as we do. Early practitioners include the tale spinners whose narratives ended up in Homer’s Odyssey and the artists whose haunting images of stags, bears and other beasts decorate the cave walls of Lascaux. 

It’s often said we tell stories to remind ourselves who we are, and to define who we are. The virtual realities of the sort Oculus is developing will be the latest manifestations of that basic human impulse, and not necessarily the most spectacular ones. 
 

It would be hard to beat the great cathedrals of Europe, for example, when it comes to teleporting one’s self to heavenly realms. Ralph Lauren has created some impressive virtual realities for more secular purposes. In the history of all-encompassing virtual environments, Disneyland was a landmark; Las Vegas may be the apotheosis. 

The best reason not to bet against the future of virtual reality is the difficulty we have confronting the reality we face in the mirror each morning. For millennia we've sought relief in various forms of ecstatic and narcotic experience. The reasons seem simple enough: Life is difficult, and death awaits. So it is that those seeking to create virtual realities have the deck stacked in their favor. We want to believe what they're selling.







This post is adapted from my book, Not So Fast: Thinking Twice About Technology.

©Doug Hill, 2014

March 20, 2014

SXSW As Metaphor: More than a marketing opportunity

Austin's own Mysterious H performing at SXSW in 2010

A week ago I posted an essay on the absorption of the SXSW Music festival by commercial forces. Even as I was writing the piece, I was aware that, by focusing my comments on the schedule of official and sponsored events, I was ignoring the fact that those events hardly constituted everything that was going on at SXSW.

To the contrary, while the official and sponsored events may have been the festival’s most prominent attractions, they were not its most important ones.

What mattered most, I was sure, unfolded on the backstreets. That's where hundreds of little-known or unknown musicians played out-of-the-way bars and coffee houses, paying little or no attention to the branding crap that was being discussed and displayed in the high-profile venues.

Most of those musicians, no doubt, dream of becoming rich and famous. They imagine headlining, in future festivals, the sorts of stages where the likes of Lady Gaga, Jay Z and Coldplay held forth this year. At the same time I don’t doubt that many of them also sing (as Texas’s own Townes Van Zandt once put it) for the sake of the song.

No limos, no roadies, no publicist

My assumptions in this regard were confirmed by Randall Roberts of the Los Angeles Times. Disgusted by Lady Gaga’s unctuous keynote address (in which she had the nerve to claim that “without these companies coming together to help us, we won't have any more artists in Austin”), Roberts headed off in search of “more darkened clubs and more dissonant vibes.” He found them.

“Go ahead and toast those who prevailed at SXSW by getting signed, licensed or folded into a future marketing plan,” Roberts wrote, “but the losers in this vicious cycle earned more respect.” 

New York Times music critic Jon Pareles made many of the same points, expressing dismay at the commercialism on the main stages (the headline on his piece read “Big Money Upends a Festival: South by Southwest Festival Starts to Feel Corporate”) before noting edgier things more worthy of attention in the clubs.

“Somewhere within the big, loud, heavily branded party that thronged the streets of downtown Austin,” he wrote, “…there was still the core of what SXSW has done since 1987: provide exposure for striving musicians, many of them independent.”

Outer Minds performing at SXSW last week.

In my earlier essay I cited Jacques Ellul’s contention that rebellion in the technological society is readily co-opted by the forces of technique for their own purposes. Chief among those purposes, in addition to creating lucrative marketing opportunities, is the safety valve rebellion provides the frustrated masses, allowing them to harmlessly blow off steam without posing any real threat to the continued operation of the machine.

While I think there’s great truth in that argument, I also think it demonstrates one of the more striking examples of Ellul’s occasional tendency to overstate his case. Creative ambition doesn’t necessarily exclude genuine love for the music, or genuine conviction. Well expressed, those feelings can, in turn, provide those who hear them with genuine, meaningful inspiration.

Yes, nearly everything these days gets corporatized, but not everything. The machine is powerful, but not yet all powerful. A good song, or dance, or poem, or play, or painting, or story, can replenish a little of that reservoir of human spirit that technique so relentlessly sucks dry. That’s no small gift, and one we need to make sure isn't drowned out by the marketing people with the loud megaphones. 


©Doug Hill, 2014



Credits: Mysterious H and walking musician photos by Jay Janner, Austin American-Statesman.  Outer Minds photo by Josh Hanner, New York Times.






A Different Take on the Automation/Jobs Debate


Recently I participated in an online discussion on the issue of automation and jobs, featured on O'Reilly Media's Radar blog.

The discussion turned into a debate when a lawyer/scholar named James Bessen weighed in to argue that there's every reason to believe that in the long run technology will increase rather than reduce employment, as he and many others believe it historically has.

I'm not so sure that will be the case, although I acknowledge that predicting the future with any accuracy is an uncertain enterprise, to say the least.

One of the main points I made during the exchange with Bessen was that the potential for automation to create or eliminate jobs is not the only concern we need to be thinking about. Just as important is the quality of jobs that automation bequeaths.

While it's true that technological advance has often created jobs, often as not those jobs have consisted of repetitious tasks that numb the mind and kill the soul. Workers may earn a living, but their jobs can hardly be described as fulfilling. They essentially become machines who tend the machines.

I laughed this morning to see that the Onion had posted an article that makes essentially the same point, satirically. Its headline:

"Chinese Factory Workers Fear They May Never Be Replaced With Machines."