Guns, Rocket Science and the Daily Show – Lessons in Vulnerability

(Note: leaving this post unpolished for the principle of it.)

I’ve felt myself contracting lately, pulling back inward and operating more out of the body of fear. That’s neither who I am nor who I want to be anymore and so I need to stop it – and in realizing this received three good messages about vulnerability and remaining open this morning.

I tuned into NASA’s livestream of the unmanned SpaceX launch ten seconds before the vehicle exploded. There were ten seconds of awe and appreciation and pride as the rocket hurtled skywards on my part and then, two minutes after liftoff, it was obscured by an odd cloud. A second later the camera showed debris separating catastrophically, lighting up here and there and falling to the ground. A failure, sure – but a failure in the midst of exploration and greatness. Something made possible by remaining open despite how it exposes plans to millions of variables, millions of fail-states. The pride returned – overwhelming pride in SpaceX for what they’ve worked to achieve and that they’re still working damned hard to do amazing things.

William Gibson began tweeting about guns this morning. In particular the physical agency that such an inexpensive device provides and how hard it is to convince someone to give that up. Immediately I reflected on my own experience as a gun-owner and someone who carried a concealed weapon (licensed) everywhere for years. Gibson was most assuredly right, especially about the perception of increased agency – something I dealt with myself after I stopped carrying and later sold my guns. As I considered it the loss of such a potent force multiplier in hypothetical situations weighed heavily. Once I actually stopped carrying it weighed even further. I found myself out in the world and much more vulnerable without the reassuring weight on my belt behind my right hip.

But the mindset that encourages me to contract is the same one that caused me to carry a gun, and without it I found myself much more open to the world, more vulnerable but also more engaging. Every outing was no longer a series of locations in need of threat assessment before all else. Physical agency perhaps lessened, but social agency and confidence grew.

The last lesson this morning (they all occurred within an hour of each other – this day, it pulled no punches) had me crying. A good friend linked Jon Stewart’s first post 9/11 Daily Show broadcast in which Stewart spoke with such grief and hope that it affected me physically. He presented the place he was at with heartfelt humanity and total vulnerability and it drove home the day’s point.

I’m no longer the type to pull back into myself and armor up. It didn’t serve me well in the past. What serves me more than anything now are sociability, credibility, openness and curiosity. I’m not great at the first three but I am damn sure trying harder.

Microsoft’s Nadella Picking Up the Magical Thread?

In a recent company-wide email, Microsoft CEO Satya Nadella used the word “magical” twice, perhaps trying to pick up the “magic” narrative I believe worked well for Steve Jobs:

Team,

I believe that we can do magical things when we come together with a shared mission, clear strategy, and a culture that brings out the best in us individually and collectively.

and closing with:

I really do believe that we can achieve magical things when we come together as one team and focus. I’m looking forward to what we can achieve together in FY16.

Satya

Worth noting the difference here: Nadella thinks Microsoft can do magical things together, whereas Jobs gave us things that can do magic. Microsoft may be trying to pick up that thread but their focus is off. They’re not quite there yet.

Security and Technology Briefs: Flash, Machine Learning, Navy Sticks With XP, More

Busy morning of writing and reading.

Brian Krebs on an emergency software patch for Adobe Flash – this is a must read.

Neat, short video from SethBling explaining how he taught an AI, or rather it taught itself, how to play a video game. (YouTube)

IT World: The US Navy’s warfare systems command just paid millions to stay on Windows XP. Sigh. I feel like when AI turns sentient the thing it will judge us for first is staying on Win XP and Server 2k3.

EFF’s “Who Has Your Back” chart on how companies protect your data (or don’t).

RubyGems exploit looks like it leaves a million-plus Ruby installs vulnerable.

NextGov reports that the OPM hack showed up at the National Archives.

*GREAT* Washington Post article on L0pht and the warnings they issued about the internet quite a while ago.

Good Reddit thread on a user’s concern about Bitcoin (I’ve got a piece in production about bitcoin at the moment but needed to sit on it a few days thanks to events that happened yesterday).

TNW reporting that music app Tidal just fired their second CEO in two months. Not looking good for them.

A Different Kind of Techno-Fetishism

I’ve said, again and again, that Steve Jobs’ constant reiteration that the iPad was “magical” was deliberate and done with specific intent. And we listened. We knew it was good technology because it had the language of magic in it. We made it do things by pointing at it. The screen was full of sigils. It was a 21st Century spellbook, and, brilliantly, we didn’t have to charge it up by murdering a chicken or wanking on it. – Warren Ellis

Thinking about CUNNING PLANS again. Specifically the points at which Ellis affirms the magical nature of our devices, usually along with references to Steve Jobs’ iPad fetish.

Fetish in the old sense, mind you. Not Jobs having a bit too keen an eye for flashy hardware but the old post-colonial anthropology term for a craft created by the natives and believed by them to have supernatural powers. Sticks bound by sinew, supposed crude representations of ever-present entities or embodiments of power.

Auguste Comte, French philosopher and one of the founders of sociology, portrayed fetishism as the most primitive of religions, from which religions “naturally” evolved to polytheism and then monotheism. Hegel proposed fetishes as a reification of abstract thought that Africans were “largely incapable of” (what utter bullshit). Predictably, fetishes were lost penises to Freud. Even more predictably, no one stopped to actually ask the people making them much at all.

Jobs, Ellis and some others stumbled upon and picked up the thread we’ve lost or ignored or suppressed for centuries. Far from primitivism, physical fetishes represent an advanced relationship with nature, a more involved role in existence. What ethnobotanist and madman Terence McKenna called “partnering with deity in the co-creation of reality.”

In adopting mobile devices as fetishes we’ve begun to evolve back into that co-creating mindset. What better replacement for a local embodiment of a global presence than a platform that instantly connects me with friends in Japan or news from Russia? (Also thinking about the lightning-fast adoption of mobile finance in Africa as well as Michael Saylor’s Mobile Wave). The device is transcended by its own platform and yet I interact with it, talk to it and through it in order to try and shape life in the way I’d like. I draw sigils with my finger in invisible electromagnetic ink thanks to electroconductivity.

Comte condemned ‘fetishism’ as primitive thanks to, of course, unbridled racism but also a complete disconnection from interaction. We had lost the idea of helping make the Real and were relegated to observation and limited social negotiation.

A world without magic and ghosts is a world where we believe we can put the last ten thousand years in a box and consider it a done deal, just as scientists a hundred and twenty years ago considered science a completed enterprise aside from the nagging mystery of the luminiferous aether. – Warren Ellis

My phone brings me messages from Brazil. Shows me minutes-old solar flares and new planets in the ether. Encourages me to reply, engage, make and remake on scales that to Comte would’ve been deific (a bold statement considering Comte felt he had discovered the science to end all sciences).

The whole point was underscored this week when I went to change the passcodes on my mobile devices (which I do regularly). Creating new passcodes for my near-fetishes always carries a special quality to it. I feel as if I’m reinscribing the magic runes on my spellwear. Renewing the arcane protection of crucial ritual gear that allows me to participate in the co-creation of the now.

Which isn’t to say it’s all wonderfully holy – invariably I terrify myself by momentarily forgetting new passcodes. For a moment I’m cut off from that role and thanks to auto-deletion schemes also close to wiping my tools, reducing them to crude shiny bricks. Every time. Which only serves to reiterate the magic nature of all this stuff. The magic nature of us.

Embrace it. In pursuit of replicating the condition of magic, we are attempting to create our own new spirit world. We build magic doors that open upon the speaking of magic words, and we want our mystic artifacts to whisper to each other across the aether, and we use magic mirrors to enact remote viewing across the limb of the planet, and we arrange for Plato’s daemons to mutter at our shoulders. – Warren Ellis

Security and Technology Briefs: Romanian Hackers, Bitcoin, NSA vs. AV, Hackback

Interesting if somewhat odd short documentary produced by Norton antivirus on Romania’s plethora of hackers. (YouTube)

The Wall Street Journal’s Paul Vigna and Michael Casey talking about bitcoin at Google. (YouTube)

Expert J.M. Berger’s definition of terrorism – worth reflecting on at the moment.

The Intercept on NSA and GCHQ targeting anti-virus products. While I don’t necessarily dig the Intercept’s politics all the time their technical analysis is often razor sharp, as it is here.

The Norse Security blog Dark Matters posted an interesting take on ‘hackback doctrine’ or the idea that if you’ve been hacked you should, as a private individual or corporation, have the right to hack back to stop the attack and retrieve your data.

Review: CUNNING PLANS by Warren Ellis

Just finished CUNNING PLANS by Warren Ellis, the $0.99 ebook collection of several talks he’s given recently. Ellis is a comics and prose writer as well as a much-sought public commentator at this point, especially on matters of technology and culture. He’s of the storyteller vintage old enough to be labeled ‘olde’ and viewed out of the corner of one’s eye at all times to avoid losing sight or looking directly at him. The talks interweave the long and weird history of Britain with how we all approach technology today and often end up a call to action for listeners to go beyond anything he’s done. An avatar of the mechanism Terence McKenna used to talk about, of the universe seeking to transcend itself.

A few highlights for me:

A world without magic and ghosts is a world where we believe we can put the last ten thousand years in a box and consider it a done deal, just as scientists a hundred and twenty years ago considered science a completed enterprise aside from the nagging mystery of the luminiferous aether.

And:

Now imagine a world where space travel to other worlds is an antique curiosity. Imagine reading the words “vintage space.” Can you even consider being part of a culture that could go to space and then stopped? If the future is dead, then today we must summon it and learn how to see it properly.

Security and Technology Briefs: Spamtraps, OPM, Apple Password Flaw, more

Farsight Security’s Senior Program Manager Kelly Molloy has so far published a three-part series on creating “spamtrap” email addresses that has proved fascinating: Part 1: Demystifying Spamtraps, Part 2: Keeping It Confidential, Part 3: Creating and Seeding.

Ars Technica provided a great, damning article on the sad state of affairs at the Office of Personnel Management that led to it being hacked. Twenty-year-old COBOL-coded apps running on Oracle frameworks and IT outsourcing to a systems administrator in China who was given root access. Unreal.

9-to-5 Mac among others published about a major security flaw in iOS and OS X which Apple sat on for six months that exposed two different password applications (Apple’s Keychain and 1Password) to exploits. Here’s Brian Krebs on the iOS/OS X vulnerability as well as one affecting Samsung devices.

Lots of talk on an FBI investigation into the St. Louis Cardinals “hacking” the Houston Astros; it appears they just used a password list from a previous employee at this point, leading Motherboard to criticize the terminology employed by the NYT and others.

The Sunday Times put out an article this weekend suggesting that Russia had decrypted all of the Snowden documents and Britain subsequently had to burn quite a bit of its foreign intelligence structure. The story seemed pretty weak at the outset and was made all the weaker by this interview with the author on CNN who seems to literally know nothing about his own story.

The Hill reports that the head of the US Marshals is resigning rather than dealing with increased scrutiny about their surveillance techniques, which is a bit of a tell.

Norse had several posts of note this week: the US Navy’s bold announcement (now retracted) seeking zero-day exploit contractors, an uptick in CryptoWall infections and some numbers showing a 1400% return on investment in malware.

Panel from last year with writer Warren Ellis, technologist Ben Hammersley and journalist and political analyst Edie Lush talking about whether IT has changed how we think at the Institute of Art and Ideas. (YouTube)

Sanguine IT: Donating Blood and Information Security Incentives

Busy thinking about this rather fantastic bit of ingenuity from Sweden:

People who donate initially receive a ‘thank you’ text when they give blood, but they get another message when their blood makes it into somebody else’s veins.

Swedish blood donors receive a text message when their blood is actually used. That’s a masterful way to leverage a handful of different cognitive mechanisms to incentivize donation. We’re primed for donation anyway, I would hope; doing a bit of civic good for people in dire circumstances. But the donation is so removed from the utility that it’s hard to achieve buy-in. That is, it’s hard to get people to own and engage with the process, to feel invested in the institution and manifestation, rather than just doing it for the principle.

But a text message when the blood gets used is a tiny and wonderful behavioral nudge, crafted by recognizing you not just for doing good but by notifying you of the tangible good once it came to fruition. Receiving recognition close in time to the good you actually did reinforces it in memory – it’s the same principle that tells us that punishing kids needs to be done around the time of the transgression rather than at some arbitrary moment (except in this case we’re obviously talking positive reinforcement instead). The synchronous nature of the notification with the dopaminergic reward feelings in your brain cements the positive nature of giving blood and, I would guess, easily and drastically raises returning donor rates. And it encourages buy-in not just to blood donation but to a system that recognizes you like that. It provides a certain amount of commitment to and faith in an organization and its digital systems.

Of course the blood donation is cognitively reinforced in another way: the system also feeds into the slot machine-esque dopaminergic nudge that we’re thoroughly primed for already, the text message notification. That goes off and our brains light up.

The entire experience incentivizes people to donate blood on a number of levels: neurochemically, cognitively and institutionally.

The federal government proclaims security principles often and loudly (though not always, as their emphasis on weakening encryption systems shows). But the feds don’t incentivize stakeholders in the bureaucratic or IT systems and without that buy-in you get things like the OPM hack. Looking at the structure and operations of government agencies and IT issues you find a series of disincentives that leave principal parties avoiding any kind of buy-in.

-Government IT security is offered irregular, initiative-based funding for anything more than the obscenely bare minimum. So it’s not funded as a necessary principle, and the irregularity of it means stakeholders will wait for the next initiative rather than use their own precious funds.

-Plausible deniability means stakeholders are disincentivized to hire highly competent, motivated security personnel, so they’re not confronted by the scope of security problems and forced to fix them with their own departmental budget.

-Seeming lack of consequences for government compromises versus, say, the private sector (in which not just IT heads but often CEOs are washed out with the post-breach bathwater).

-Buy-in is about as far from likely as possible with stakeholders on multiple levels. Disenfranchisement runs rampant, and especially in IT situations the constant slapping on of band-aid solutions rather than systemic reform and rehabilitation means that it’s no longer about safeguarding the institution you’re part of but just holding a job.

The question becomes – how do you incentivize system administrators and higher-level stakeholders to do their fucking jobs? The answer could be that you turn it into an incentivized civic duty. Which is damn hard with the burnouts and the disenfranchised, and it’s damn hard in an environment that caters to the lowest bidder and motivating contractors to do the most mediocre job possible.

The whole situation is further complicated by the government’s hardening stance on security research. Financing bug bounties and encouraging independent security researchers is crucial. The more eyes on the system that know they’ll be appreciated and compensated for finding and disclosing holes, the more secure the system. It’s not hard to imagine a genuinely productive partnership between the public sector and private security experts, but that’s impossible in the current climate. Mostly thanks to the government.

Achieving institutional buy-in for government technologist positions will be damn hard to accomplish as well as hideously expensive. But compared to the prospect of our entire federal background investigation and SF-86 application system getting lifted, it’s peanuts.

Security and Technology Briefs: St. Louis Fed, Blood and Texts, Another Mobile Study

Brian Krebs on a DNS breach at the St. Louis Fed.

Robert Lenne shares on Twitter one of the coolest things I’ve seen in a while – if you donate blood in Sweden, the county council will text you when it’s used.

Motherboard explaining a remarkably low-tech attack trying to steal the bitcoins of Agora Marketplace users through spam messages.

Ars Technica on the (well-known but necessary to repeat) fact that even VPNs don’t keep you well-secured if you insist on using open wifi networks. Also Ars on how the OPM hack just got much worse.

Bruce Schneier with an excellent essay on Reassessing Airport Security and a bit on Duqu 2.0, the newest state-sponsored cyber attack.

Technology Review relays How Mobile Phone Data Reveals The True Toll Of Mass Layoffs:

These people made fewer calls, called a smaller percentage of their original network of contacts and traveled shorter distances.