Blog Fiasco

January 9, 2014

Online learning: Codecademy

Filed under: Linux, mac, The Internet — bcotton @ 9:05 pm

Last week, faced with a bit of a lull at work and a coming need to do some Python development, I decided to work through the Python lessons on Codecademy. Codecademy is a website that provides free instruction on a variety of programming languages by means of small interactive example exercises.

I had been intending to learn Python for several years. In the past few weeks, I’ve picked up bits and pieces by reading and bugfixing a project at work, but it was hardly enough to claim knowledge of the language.

Much like the “… for Dummies” books, the lessons were humorously written, simple, and practical. Unlike a book, the interactive nature provides immediate feedback and a platform for experimentation. The built-in Q&A forum allows learners to help each other. This was particularly helpful on a few of the exercises where the system itself was buggy.

The content suffered from the issue that plagues any introductory instruction: finding the right balance between too easy and too hard. Many of the exercises were obvious from previous experience. By and large, the content was well-paced and at a reasonable level. The big disappointment for me was the absence of explanation and best practices. I often found myself wondering if the way I solved the problem was the right way.

Still, I was able to apply my newly acquired knowledge right away. I now know enough to be able to understand discussion of best practices and I’ll be able to hone my skills through practice. That makes it worth the time I invested in it. Later on, I’ll work my way through the Ruby (to better work with our Chef cookbooks) and PHP (to do more with dynamic content on this site) modules.

December 1, 2013

Book review: Captive Audience

Filed under: The Internet — bcotton @ 5:25 pm

I recently learned of Susan Crawford’s book Captive Audience when she was a guest on the “This Week in Law” podcast. In Captive Audience, Crawford examines the merger of Comcast and NBCUniversal. Crawford makes no attempt to hide her feelings on the nation’s largest cable provider getting (further) into the content business. The book is more of an advocacy journalism work than a dispassionate academic report. Comcast’s supporters may object to Crawford’s arguments, but her characterizations are refreshingly fair. She is quick to point out that the players are acting, not like evil madmen, but rational business actors pursuing their self-interests. Her main concern is that these interests do not line up with what she believes to be the public’s best interests.

Crawford does not blame Comcast CEO Brian Roberts for this disconnect, though his company has worked tirelessly to keep the status quo. The root of the problem is that the Internet industry is both unregulated and uncompetitive. Crawford rejects the notion that DSL, cellular, and satellite services are competitors to cable companies. DSL is too slow and satellite too high-latency for modern Internet applications and cellular, while convenient, is limited by lower bandwidth and small screen sizes.

The state of regulation for cable providers is like that of the early days of the railroad and electrical industries, which is to say non-existent. Cable providers lack the common carrier requirements imposed on the phone companies. As a result, Comcast and others are free to turn the Internet into a walled garden of curated channels, much like the current state of cable television. As dire of a picture as Crawford paints, it’s hard to see it as a likely threat. Plausible, certainly, but I don’t see it on the horizon.

Nevertheless, America clearly has an Internet problem. Our speeds and prices are worse than most of the developed world. In an age where high speed Internet access is increasingly important to social, academic, and economic activities, one third of Americans don’t subscribe to high speed Internet service. There is a strong correlation between non-subscribership and low socioeconomic status. If Internet connectivity is necessary for prosperity, expensive Internet prevents upward mobility.

Absent competitive pressure, the public interest can only be enforced by regulation. Interestingly, it was the Nixon administration that first sought to prevent monopolies in the cable industry. In recent years, Republicans and Democrats have proven equally unwilling to impose regulation on the industry. Municipal and private sector fiber installations seem to be the only near-term hope for keeping Comcast in check.

In short, I found Captive Audience to be an informative and compelling read. Crawford takes the reader through the history of monopolies in the United States and of the cable industry. She examines the technical and political reasons that Comcast became and remains a monopoly. In closing, Crawford looks at the effect that the Comcast/NBC merger had on AT&T’s failed attempt to purchase T-Mobile. I highly recommend this book to anyone interested in Internet policy.

October 1, 2013

I’m famous, sorta

Filed under: HPC/HTC, The Internet — bcotton @ 4:55 pm

One of my co-workers happens to be a co-host of “Food Fight”, a DevOps podcast. Last week, he asked for someone to join in for a crossover episode with “RCE”. When nobody else volunteered, he roped me into it. It turned out to be pretty awesome; I would have loved to extend the conversation a few more hours. With any luck, I’ll re-appear on one of those shows sometime. As you may already be aware, one of my goals is for Leo Laporte to personally invite me to the TWiT Brickhouse to get drunk with him on an episode of “This Week in Tech.” I feel like I’ve moved a little closer today.

Anyway, here are the links:

September 21, 2013

Internet addiction and cell phone sociability

Filed under: Musings, The Internet — bcotton @ 8:24 pm

A picture of a restaurant’s cell phone policy posted to Reddit led me to a back-and-forth with another Redditor about cell phone etiquette. His(?) take was that using your cell phone while out to dinner with someone is unconditionally rude. It’s been my experience that no taboo is universal. The person I was talking to didn’t seem to understand this. “Of course, if every participant doing it, it might be acceptable, though I still wouldn’t agree with their choice. But it is disrespectful that your partner takes his time to spend with you and you just succumb to your addiction.” My point is that if everyone you’re with has no problem with it, then there is no problem. Certainly there’s some context required, too. Spending the entire meal playing Angry Birds is not the same as checking for updates on a loved one undergoing surgery.

Conveniently, Ben Johnson had a story on Marketplace Tech just a few days later. An inpatient treatment center for Internet addiction opened earlier this month in Pennsylvania. The director talked about how Internet addiction progressed from chat rooms and porn to day trading (and porn) to auction sites and social media (and porn). At one point, she referred to the Internet as a tool, which it is, but then went on to ascribe goodness and badness to it. Tools are not inherently good or bad; it’s the application of a tool that is good or bad. We don’t talk about “magazine addictions” because some people get addicted to Playboy or to Reader’s Digest.

Both of these cases strike me as examples of how our society has not yet caught up to the technology we use. Social norms, medical understanding, legal structures, and so on all need time to catch up to a world where communication is instantaneous and geographically-unbound. There’s a tendency to wring hands and say “this generation blah blah blah,” but people aren’t really any different than they were 100 years ago. The world we live in is different, and changing. But we change to fit it.

August 31, 2013

Liable for sending texts to drivers?

Filed under: Musings, The Internet — bcotton @ 8:15 pm

On episode 225 of This Week in Law, the panel discussed a recent appeals court ruling in New Jersey. According to a summary by Jeremy Byellin, the court left open the possibility that someone sending a text message to a driver might be held liable for civil damages if the driver is distracted and gets into an accident. I haven’t been able to find the actual text of the decision, so all I have to go on is Byellin’s summary. Given that disclaimer, this seems like a questionable thing to put into a ruling. To be clear, the defendant in this case was not held liable. The court appears to be saying “but if you know someone is driving and will immediately look at your text, you may be partially liable for any damages they cause.”

From a theoretical perspective, it makes sense. If you know you’ll be distracting someone operating a four-wheeled killing machine, there’s a compelling interest to disincentivize such behavior. In the real world, this is tough to prove. The easiest defense is ignorance, since the court required active knowledge to hold a person liable. Unless the driver explicitly said “I’m driving and immediately viewing all messages I receive,” there’s little to prove that the sender had sufficient knowledge to be liable.

Even if the driver did send such a message, it might never see a court room. Because the parties to the conversation would likely delete incriminating messages and most carriers limit the amount of time they store messages, Byellin says “only a very narrow percentage of cases will the content actually be discoverable.”

TWiL panelist Gordon Firemark brought up an interesting point as well. Is the government responsible for distracting drivers with Wireless Emergency Alert (WEA) messages? From the New Jersey ruling, the government would not be liable because it could not know if a particular recipient is driving. Still, it’s easy to see how this opens the door for additional litigation. Even if every defendant wins, there’s a real cost to having to defend against a suit.

The slippery slope that I find particularly interesting is the non-SMS case. Indiana’s texting-and-driving law was wisely written to cover more than just SMS messages. However, a pedantic reading could apply it to any method of data transfer. GPS-enabled applications, such as Google Maps or Waze, can reasonably determine if a phone is mobile or not. By design, they distract drivers from the road. Could Google be sued for not disabling Maps while the car is in motion?

Probably not. Really, this is all just an academic exercise. To my knowledge, no one has ever been held liable for texting a driver, in part because it’s so monumentally difficult to prove the plaintiff’s case. But the fact that a court would basically invite unwinnable suits strikes me as little more than a stimulus program for the Bar Association.

June 3, 2013

Student speech rights

Filed under: Musings, The Internet — bcotton @ 7:30 am

To continue the legal theme from a few days ago (with the addition of some “old news is so exciting!”), a high school in Kansas suspended the senior class president for comments he made on Twitter. What did he say? “‘Heights U’ is equivalent to WSU’s football team”. WSU’s football team doesn’t exist. That’s it. For that, the school deemed his initial tweet and responses were disruptive to the school.

It’s not clear to me if the Heights High School is acting in accordance with legal precedent (their decision is certainly unjust, but that’s another matter). The Supreme Court has affirmed and re-affirmed restrictions on the free speech rights of students. Bethel School District v. Fraser, Hazelwood v. Kuhlmeier, and Morse v. Frederick have all served to limit what students can say.

In Tinker v. Des Moines, the Court protected non-disruptive political speech, with the disruption being the critical factor. In Bethel, Hazelwood, and Morse the speech in question was part of a school-sanctioned activity even if the activity was not on school grounds (as in Morse). It would be a great stretch to consider Mr. Teague’s Twitter account to be a school-sanctioned activity, as it appears to be his personal account. To my knowledge, no Supreme Court ruling has ever addressed a school’s ability to restrict speech that occurs outside of school events.

Arguably, the concept of in loco parentis could be used to support the ability of schools to respond to behavior that happens outside the school. I don’t agree with this, but it would be interesting to see how this argument played out in the courts. In the meantime, I expect that this may end up being discussed in court rooms for years to come. If no suit is filed, it should at least be used as an exercise in high school government classes across the country.

May 30, 2013

Facebook’s post policing

Filed under: Musings, The Internet — bcotton @ 9:59 pm

Casey Johnston had an article on Ars Technica today about Facebook’s announcement that they would step up monitoring and removal of what they deem to be hate speech. Because this appears to be driven by complaints from women’s advocacy groups, the commentary has been largely political. I’d like to set aside the specifics of this and focus on the general case. It’s an interesting move on Facebook’s part because it sets a precedent.

Long, long ago, when telephones were still a thing, there was a legal idea of a “common carrier” (it still exists, of course, I’m just employing some blogtistic license). Common carriers offered services to the general public and were generally prohibited from doing anything about the content. For example, AT&T could not cut off your phone service if you did nothing but swear and say profane things when you were on the phone.

Although phone providers are still considered common carriers, internet service providers (ISPs) generally are not. ISPs, while protected from liability under various laws (e.g. Comcast can’t be shut down because a customer used a Comcast connection to transmit child pornography), can [in my understanding] theoretically terminate service if they don’t like what you’re “saying” on your connection.

Moving up the stack, websites such as Facebook or Funnel Fiasco are neither ISPs nor are they telecommunications common carriers. The general consensus, though untested in court as far as I know, is that sites are privately owned and can allow or disallow whatever content they like. This seems to be a pretty reasonable position, but there’s a difference between Facebook and Funnel Fiasco.

Apart from having a smarter and better-looking founder, Funnel Fiasco doesn’t allow just anyone to have a presence on the site. Facebook, especially for businesses/organizations, is more than just a blog or a message board, it’s a key part of digital presence. While that doesn’t make it an ISP, it does move it away from being just a website. Perhaps some additional category (e.g. “hosting provider”) needs to enter the understanding in this context.

What makes Facebook’s policy interesting to me from my perch as an armchair lawyer is the selective enforcement. While they are well within their legal rights, does it set a dangerous precedent for them? By choosing to police some content, are they liable (legally or otherwise) for not policing other content? Can they be held liable for policing content when other substantially similar content was not policed? Can the publicness of Facebook make it a common carrier?

Eventually this will become better defined. Whether it be by legislation, regulation, or litigation.

April 19, 2013

CERIAS Recap: Featured Commentary and Tech Talk #3

Filed under: The Internet — bcotton @ 8:24 pm

Once again, I’ve attended the CERIAS Security Symposium held on the campus of Purdue University. This is the final post summarizing the talks I attended.

I’m combining the last two talks into a single post. The first was fairly short, and by the time the second one rolled around, my brain was too tired to focus.

Thursday afternoon included a featured commentary from The Honorable Mark Weatherford, Deputy Undersecretary of Cybersecurity at the U.S. Department of Homeland Security. Mr. Weatherford was originally scheduled to speak at the Symposium, but restrictions in federal travel budgets forced him to present via pre-recorded video. Mr. Weatherford opened with an observation that “99% secure means 100% vulnerable.” There are many cases where a single failure in security resulted in compromise.

The cyber threat is real. DHS Secretary Napolitano says infrastructure is dangerously vulnerable to cyber attack. Banks and other financial institutions have been under sustained DDoS attack and it has become very predictable. In the future, there will be more attacks, they will be more disruptive, and they will be harder to defend against.

So what does DHS do in this space? DHS provides operational protection for the .gov domain. They work with the .com sector to improve protection, especially for critical infrastructure. DHS responds to national events and works with other agencies to foster international cooperation.

Cybersecurity got two paragraphs in President Obama’s 2013 State of the Union address. Obama’s recent cybersecurity executive order has goals of establishing an up-to-date cybersecurity network and enhancing information sharing among key stakeholders. DHS is involved in the Scholarship for Service student program which is working to create professionals to meet current and future needs.

The final session was a tech talk by Stephen Elliott, Associate Professor of Technology Leadership and Innovation at Purdue University, entitled “What is missing in biometric testing.” Traditional biometric testing is algorithmic, with well-established metrics and methodologies. Operation testing is harder to do because test methodologies are sometimes dependent on the test. Many papers have been written about the contributions of individual error on performance. Some papers have been written on the contribution of metadata error. Elliott is focused on training: how do users get accustomed to devices, how do they remember how to use them, and how can training be provided to users with a consistent message.

One way to improve biometrics is understanding the stability of the user’s response. If we know how stable a subject is, we can reduce the transaction time by requiring fewer measurements. Many factors, including the user, the agent, and system usability affect the performance of biometric systems. Improving performance is not a matter of simply improving the algorithms, but improving the entire system.


April 7, 2013

CERIAS Recap: Panel #3

Once again, I’ve attended the CERIAS Security Symposium held on the campus of Purdue University. This is one of several posts summarizing the talks I attended.

The “E” in CERIAS stands for “Education”, so it comes as no surprise that the Symposium would have at least one event on the topic. On Thursday afternoon, a panel addressed issues in security education and training. I found this session particularly interesting because it paralleled many discussions I have had about education and training for system administrators.

Interestingly, the panel consisted entirely of academics. That’s not particularly a surprise, but it does bias the discussion toward higher education issues and not vocational-type training. This is often a contentious issue in operations education discussions. I’m not sure if such a divide exists in the infosec world. Three Purdue professors sat on the panel: Allen Gray, Professor of Agriculture; Melissa Dark, Professor of Computer & Information Technology and Associate Director of Educational Programs at CERIAS; and Marcus Rogers, Professor of Computer & Information Technology. They were joined by Ray Davidson, Dean of Academic Affairs at the SANS Technology Institute; and Diana Burley, Associate Professor of Human and Organizational Learning at The George Washington University.

Professor Gray began the opening remarks by telling the audience he had no cyber security experience. His expertise is in distance learning, as he is the Director of a MS/MBA distance program in food and agribusiness management. The rise of MOOCs has made information more available than ever before, but Gray notes that merely providing the information is not education. The MS/MBA program offers a curriculum, not just a collection of courses, and requires interaction between students and instructors.

Dean Davidson is in charge of the master’s degree programs offered by the SANS Technology Institute. This is a new offering and they are still working on accreditation. Although it incorporates many of the SANS training courses, it goes beyond those. “The old days of protocol vulnerabilities are starting to go away, but people still need to know the basics,” he said. “Vulnerabilities are going up the stack. We’re at layers 9 and 10 now.” Students need training in legal issues and organizational dynamics in order to become truly effective practitioners.

Professor Dark joined CERIAS without any experience in providing cybersecurity education. In her opening remarks, she talked about the appropriate use of language: “We always talk about the war on defending ourselves, the war on blah. We’re not using the language right. We should reserve ‘professionalization’ for people who deal with a lot of uncertainty and a lot of complexity.” Professor Burley also discussed vocabulary. We need to consider who is the cybersecurity workforce. Most cybersecurity professionals are in hybrid roles, so it’s not appropriate to focus on the small number who have roles entirely focused on cybersecurity.

Professor Rogers drew parallels to other professions. Historically, professionals of any type have been developed through training, certification, education, apprenticeship or some combination of those. In cybersecurity, all of these methods are used. Educators need to consider what a professional in the field should know, and there’s currently no clear-cut answer. How should education respond? “Better than we currently are.” Rogers advocates abandoning the stove pipe approach. Despite talk of being multidisciplinary, programs are often still very traditional. “We need to bring back apprenticeship and mentoring.”

The opening question addressed differences between education and training. Gray reiterated that disseminating information is not necessarily education; education is about changing behavior. Universities tend to focus on theory, but professionalization is about applying that theory. As the talk drifted toward certifications, which are often the result of training, Rogers said “we’re facing the watering-down of certifications. If everybody has a certification, how valuable is it?” Dark launched a tangent when she observed that cybersecurity is in the same space as medicine: there’s so much that practitioners can’t know. This led to a distinction being made (by Spafford, if I recall correctly) between EMTs and brain surgeons as an analogy for various cybersecurity roles. Rogers said we need both. They are different professions, Burley noted, but they both consider themselves professionals.

One member of the audience said we have a great talent pool entering the work force, but they’re all working on the same problems. How many professionals do we need? Davidson said “we need to change the whole ecosystem.” When the barn is on fire, everyone’s a part of the bucket brigade; nobody has time to design a better barn or better fire fighting equipment. Burley pointed out that the NSF’s funding of scholarships in cybersecurity is shifting toward broader areas, not just computer science. This point was reinforced by Spafford’s observation that none of the panelists have their terminal degree in computer science. “If we focus on the job openings that we have right now,” Rogers said, “we’re never going to catch up with the gaps in education.” One of the panelists, in regard to NSF and other efforts, said “you can’t rely on the government to be visionary. You might be able to get the government to fund vision,” but not set it.

The final question was “how do you ensure that ethical hackers do not become unethical hackers?” Rogers said “in education, we don’t just give you knowledge, we give you context to that knowledge.” Burley drew a parallel to the Hippocratic Oath and stressed the importance of socialization and culturalization processes. Davidson said the jobs have to be there as well. “If people get hungry, things change.”


CERIAS Recap: Fireside Chat

Filed under: The Internet — bcotton @ 10:15 am

Once again, I’ve attended the CERIAS Security Symposium held on the campus of Purdue University. This is one of several posts summarizing the talks I attended.

The end of Christopher Painter’s talk transitioned nicely into the Fireside Chat with Painter and CERIAS Executive Director Gene Spafford. Spafford opened the discussion with a topic he tried to get the first panel to address: privacy. “Many people view security as the most important thing,” Spafford observed, which results in things like CISPA which would allow unlimited and unaccountable sharing of data with government. According to Painter, privacy and security “are not incompatible.” The Obama administration works to ensure civil liberty and privacy protections are built-in. Painter also disagreed with Spafford’s assertion that the U.S. is behind Europe in privacy protection. The U.S. and the E.U. want interoperable privacy rules. They’re not going to be identical, but they should work together. Prosecution of cyber attacks, according to Painter, aids privacy in the long run.

An audience member wanted to know how to address the risk of attribution and proportional response now that cyber defense is transitioning from passive to active. Painter noted that vigilante justice is dangerous due to the possibility of misattribution and the risk of escalating the situation. “I don’t advocate a self-help approach,” he said.

Another in the audience expressed concern with voluntary standards, observing that compliance is spotty in regulated industries (e.g. health care). He wondered if these voluntary international standards were intended to be guidance or effective. Painter said they are intended to set a “standard of care”. Governments will need to set incentives and mechanisms to foster compliance. Spafford pointed out that there are two types of standards: minimum standards and aspirational standards. Standards can also institutionalize bad behavior, so it is important to set the right standards.

Painter had earlier commented that progress has been structural. An audience member wondered where the gaps remain. The State Department, according to Painter, is a microcosm of the rest of the Executive Branch. Within State, they’ve done a good job of getting the parts of the agency working well together. They weren’t cooperating operationally as much as we could, but that’s improved, too. Spafford asked about state-level cooperation. 9/11 drove a great deal of state cooperation, but we’re now beginning to see states participate more in cyber efforts.

One member of the audience said “without accountability, you have no rule of law. How do you have accountability on the Internet?” Painter replied there are two sides to the coin: prevention and response. Response is more difficult. There have been efforts by the FBI and others in the past few years to step up enforcement and response. Spafford pointed out that even if an attack has been traced to another country with good evidence, the local government will sometimes deny it. Can they be held accountable? We have to build the consensus that this is important, said Painter. If you’re outside that consensus you will become isolated. A lot of countries in the developing world are still building capabilities. They want to stop it, but they can’t. Cybercrime is often used to facilitate traditional crime. That might be a lever to help encourage cooperation from other nations.

Fresh off this morning’s attack of North Korean social media accounts, the audience wanted to hear comments on Anonymous attacking governments. “If you’re doing something that’s a crime,” Painter said, “it’s a crime.” Improving attribution can help prevent or prosecute these attackers. The conversation moved to the classification of information when Spafford observed that some accuse governments of over-classifying information. Painter said that has not been his experience. When people reveal classified information, that damages a lot of efforts. We have to balance speech and protection. The openness of the Internet is key.

Two related questions were asked back to back. The first questioner observed that product manufacturers are good at externalizing the cost of insecurity and asked how producers can be incentivized to produce more secure products. The second question dealt with preventing misuse of technology, with The Onion Router being cited as an example of a program used for both good and bad. Painter said the market for security is increasing, with consumers becoming more willing to pay for security. Industry is looking at how to move security away from the end user in order to make it more transparent. Producers can’t tell how their work will be used, but even when technology is used to obscure attribution, there are other ways to trace criminals (for example, money trails).

One other question asked how we address punishment online. Painter said judges have discretion in sentences and U.S. sentencing laws are “generally pretty rational.” The penalties in cyberspace are generally tied to the penalties in the digital world. In seeming contradiction, Spafford pointed out that almost everything in the Computer Fraud and Abuse Act is a felony and asked Painter if there is room to have more misdemeanor offenses in federal law. Painter said there are misdemeanor offenses in state and local laws. Generally, Spafford says, policymakers need better understanding of tech, but tech people need better understanding of law.

There were other aspects of this discussion that I struggle to summarize (especially given the lengthy nature of this post). I do think this was the most interesting session of the entire symposium, at least for me. I’ve recently found my interest in law and policy increasing, and I lament the fact that I’ve nearly completed my master’s degree at this point. I actually caught myself thinking about a PhD this morning, which is an absolutely unnecessary idea at this stage in my life.

