Blackhat 2015 Keynote
August 18, 2015 12:51 AM Subscribe
End of the Internet Dream? - by Jennifer Granick
This field should be in the lead in evolving a race, class, age, and religiously open society, but it hasn’t been. We could conscientiously try to do this better. We could, and in my opinion should, commit to cultivating talent in unconventional places.
Today, the physical design and the business models that fund the communications networks we use have changed in ways that facilitate rather than defeat censorship and control.
Today, the physical design and the business models that fund the communications networks we use have changed in ways that facilitate rather than defeat censorship and control.
The popularity of the net is to blame, surely.
Mum and grandma are on facebook and the whole worlds gone to pot because all these new netizen's don't think "how cool! a fiddly bit of tech, let me play with it" - they think "this is fiddly, but the ideas cool, so please give me a convenient way to do this" and so we are happily, madly, trading off our privacy for an easy sign up/log in as the balance in our population shifts from the few tinkers to the wide expanse of people who are able to switch a device on but then call their kids because ebay "isn't working".
I'm not saying this to put down the less tech-literate, but just as a way of thinking with more empathy about why our fellow man online is giving up freedoms we hold quite dear (they may in many cases, simply not see how much metadata, for example, could reveal about you) because the answer is probably going to be the same boring answer I give to questions like "how do we improve democracy?" - education.
Not easily achieved, sorry. No readily digested, tweetable slogans or hashtags. Just the hard slog of ensuring equal access to a progressive education system for all kids that includes a deep core of computer studies - hardware, software, creative tinkering and ethics classes.
That's the only solution I can come up with.
posted by Raunchy 60s Humour at 3:16 AM on August 18, 2015 [7 favorites]
Mum and grandma are on facebook and the whole worlds gone to pot because all these new netizen's don't think "how cool! a fiddly bit of tech, let me play with it" - they think "this is fiddly, but the ideas cool, so please give me a convenient way to do this" and so we are happily, madly, trading off our privacy for an easy sign up/log in as the balance in our population shifts from the few tinkers to the wide expanse of people who are able to switch a device on but then call their kids because ebay "isn't working".
I'm not saying this to put down the less tech-literate, but just as a way of thinking with more empathy about why our fellow man online is giving up freedoms we hold quite dear (they may in many cases, simply not see how much metadata, for example, could reveal about you) because the answer is probably going to be the same boring answer I give to questions like "how do we improve democracy?" - education.
Not easily achieved, sorry. No readily digested, tweetable slogans or hashtags. Just the hard slog of ensuring equal access to a progressive education system for all kids that includes a deep core of computer studies - hardware, software, creative tinkering and ethics classes.
That's the only solution I can come up with.
posted by Raunchy 60s Humour at 3:16 AM on August 18, 2015 [7 favorites]
equal access to a progressive education system for all kids that includes a deep core of computer studies - hardware, software, creative tinkering and ethics classes
Sounds great, but how is all that extra stuff supposed to fit into the curriculum? There are only so many hours in the school day.
Seems to me as if our obsessive drive toward convenience at all costs is inexorably painting us into a political corner that's going to be very costly to get out of, assuming we actually manage to do that.
The funnysad part is that I'm sure most of our new feudal overloads don't think they are being evil.
posted by flabdablet at 3:39 AM on August 18, 2015
Sounds great, but how is all that extra stuff supposed to fit into the curriculum? There are only so many hours in the school day.
Seems to me as if our obsessive drive toward convenience at all costs is inexorably painting us into a political corner that's going to be very costly to get out of, assuming we actually manage to do that.
The funnysad part is that I'm sure most of our new feudal overloads don't think they are being evil.
posted by flabdablet at 3:39 AM on August 18, 2015
flabdablet: gets back to that equality of access and public expenditure. Having the computers in the classroom, instead of in the library for one session a week, or not at all. For some kids, they're already in schools that are implementing this. Love seeing code academy coming up as a discussion point for my p&c, there's some lego robot thing another parent has mentioned - things that can be a part of existing learning areas.
The real problem is for students at schools that are not so well funded. Yes, if you only get one hour a week in the computer lab, you won't fit it all in. That's why it's important to advocate for funding and access issues to be resolved. I did say no easy fix.
But you're probably right with the raindrops not thinking they're the flood.
posted by Raunchy 60s Humour at 4:39 AM on August 18, 2015
The real problem is for students at schools that are not so well funded. Yes, if you only get one hour a week in the computer lab, you won't fit it all in. That's why it's important to advocate for funding and access issues to be resolved. I did say no easy fix.
But you're probably right with the raindrops not thinking they're the flood.
posted by Raunchy 60s Humour at 4:39 AM on August 18, 2015
The popularity of the net is to blame, surely.
Mum and grandma are on facebook and the whole worlds gone to pot because all these new netizen's don't think "how cool! a fiddly bit of tech, let me play with it" - they think "this is fiddly, but the ideas cool, so please give me a convenient way to do this" and so we are happily, madly, trading off our privacy for an easy sign up/log in as the balance in our population shifts from the few tinkers to the wide expanse of people who are able to switch a device on but then call their kids because ebay "isn't working".
Though who are the people who are doing the collecting of the private data? It's the people who believe(d) in this libertarian fantasy of the internet who've destroyed it.
posted by hoyland at 4:53 AM on August 18, 2015 [10 favorites]
Mum and grandma are on facebook and the whole worlds gone to pot because all these new netizen's don't think "how cool! a fiddly bit of tech, let me play with it" - they think "this is fiddly, but the ideas cool, so please give me a convenient way to do this" and so we are happily, madly, trading off our privacy for an easy sign up/log in as the balance in our population shifts from the few tinkers to the wide expanse of people who are able to switch a device on but then call their kids because ebay "isn't working".
Though who are the people who are doing the collecting of the private data? It's the people who believe(d) in this libertarian fantasy of the internet who've destroyed it.
posted by hoyland at 4:53 AM on August 18, 2015 [10 favorites]
I think the key point that Granick has missed all along is that the hacker ethic - valuing the freedom to tinker - is and always has been a minority ethic. Most people have never given two hoots about the way their stuff works, as long as it does. Sharpening knives or sewing up a split trouser seam remain dark mysteries to most people, let alone what to do with a malware-riddled PC or an uncooperative phone.
We have been a society of specialists for a very, very, very long time. Skills take time to build, and specialization is the natural evolutionary consequence of that simple fact.
The acquisition and wielding of overt political power is every bit as much a specialist skill as the ability to jailbreak a smartphone. The fact that we the people choose to outsource most of the wielding of such power is unsurprising.
Granick's talk, to me, is a reflection of the fact that the current technological priesthood has not yet come to terms with either its inevitable inherent status as a priesthood or the historical relationships that tend to form between priesthoods of all stripes and the wielders of State power.
Note well: I'm not saying that this state of affairs is a good thing. I am as keen on the democratization of technological power as anybody you'd find. It's just that I've had years and years of experience in fixing other people's computers and I get to see at first hand just how helpless most people are in the face of all this stuff. I can see no a priori reason to expect hackers organized in the shape of a Google to wield their indisputable power any more responsibly than politicians organized in the shape of a Congress or Parliament. That doesn't alter the fact that the tech priesthood does have a power advantage over the masses.
Having the computers in the classroom, instead of in the library for one session a week, or not at all. For some kids, they're already in schools that are implementing this.
I'm typing this on the back bench of a classroom in the school I netadmin.
This is an Australian primary school, which makes its student age range similar to a US K-6. We have 350 students, about 120 Windows workstations and about 100 tablets (some iOS, some Android). Over the ten years I've been working here, I could count the number of kids I've seen demonstrate any serious interest in learning how to seize control of any of these devices on the fingers of one hand. For most of them, as for most of the wider community, IT machinery is a means to an end rather than any kind of end in itself.
posted by flabdablet at 5:15 AM on August 18, 2015 [41 favorites]
We have been a society of specialists for a very, very, very long time. Skills take time to build, and specialization is the natural evolutionary consequence of that simple fact.
The acquisition and wielding of overt political power is every bit as much a specialist skill as the ability to jailbreak a smartphone. The fact that we the people choose to outsource most of the wielding of such power is unsurprising.
Granick's talk, to me, is a reflection of the fact that the current technological priesthood has not yet come to terms with either its inevitable inherent status as a priesthood or the historical relationships that tend to form between priesthoods of all stripes and the wielders of State power.
Note well: I'm not saying that this state of affairs is a good thing. I am as keen on the democratization of technological power as anybody you'd find. It's just that I've had years and years of experience in fixing other people's computers and I get to see at first hand just how helpless most people are in the face of all this stuff. I can see no a priori reason to expect hackers organized in the shape of a Google to wield their indisputable power any more responsibly than politicians organized in the shape of a Congress or Parliament. That doesn't alter the fact that the tech priesthood does have a power advantage over the masses.
Having the computers in the classroom, instead of in the library for one session a week, or not at all. For some kids, they're already in schools that are implementing this.
I'm typing this on the back bench of a classroom in the school I netadmin.
This is an Australian primary school, which makes its student age range similar to a US K-6. We have 350 students, about 120 Windows workstations and about 100 tablets (some iOS, some Android). Over the ten years I've been working here, I could count the number of kids I've seen demonstrate any serious interest in learning how to seize control of any of these devices on the fingers of one hand. For most of them, as for most of the wider community, IT machinery is a means to an end rather than any kind of end in itself.
posted by flabdablet at 5:15 AM on August 18, 2015 [41 favorites]
Here is what is, in effect if not by direct intent, Brewster Kahle's response to the question of what the next 20 years should look like:
But I think I share some of the same reservations that flabdablet has expressed. Facebook is easy. Most of the centralized social media services and stores are similarly easy to use (or at least, easy enough). A distributed web that, in effect, requires the average user to operate a BitTorrent client, Tor node, Bitcoin wallet, and PGP all at once just to get the daily headlines and maybe tip $0.05 to the sportswriter presents a hard user interface design problem. Even if you solve that problem, the vast majority of the folks running the software will remain in no position to verify that it hasn't be subverted for the purposes of governmental or corporate surveillance. (And, of course, a web that's easy to archive presents a problem if you want to make a transitory comment.)
Cynically, or despairingly, I wonder if the next 20 years just leads us to continuing the moral compromise (or betrayal) of the web: the technical priesthood is allowed to have all the privacy and decentralization they can write software for; the masses just get Internet TV™.
posted by metaquarry at 5:44 AM on August 18, 2015 [10 favorites]
Our new Web would be reliable because it would be hosted in many places, and multiple versions. Also, people could even make money, so there could be extra incentive to publish in the Distributed Web.As a technical thought experiment — and one that might even get implemented to some degree — I find this fascinating. As somebody who works on software for libraries, I also find a lot to like about a web that includes the ability to archive itself as a design point.
It would be more private because it would be more difficult to monitor who is reading a particular website. Using cryptography for the identity system makes it less related to personal identity, so there is an ability to walk away without being personally targeted.
And it could be as fun as it is malleable and extendable. With no central entities to regulate the evolution of the Distributed Web, the possibilities are much broader.
But I think I share some of the same reservations that flabdablet has expressed. Facebook is easy. Most of the centralized social media services and stores are similarly easy to use (or at least, easy enough). A distributed web that, in effect, requires the average user to operate a BitTorrent client, Tor node, Bitcoin wallet, and PGP all at once just to get the daily headlines and maybe tip $0.05 to the sportswriter presents a hard user interface design problem. Even if you solve that problem, the vast majority of the folks running the software will remain in no position to verify that it hasn't be subverted for the purposes of governmental or corporate surveillance. (And, of course, a web that's easy to archive presents a problem if you want to make a transitory comment.)
Cynically, or despairingly, I wonder if the next 20 years just leads us to continuing the moral compromise (or betrayal) of the web: the technical priesthood is allowed to have all the privacy and decentralization they can write software for; the masses just get Internet TV™.
posted by metaquarry at 5:44 AM on August 18, 2015 [10 favorites]
It is a sad state of affairs that one of my first thoughts was whether the keynote speaker would get harassed for her gender and even speaking out.
posted by jadepearl at 7:15 AM on August 18, 2015 [5 favorites]
posted by jadepearl at 7:15 AM on August 18, 2015 [5 favorites]
the Distributed Web
already exists. It's called FreeNet, and almost nobody uses it.
Hackers talking about information freedom, privacy and security are like Pentecostals talking about redemption. It's really, really difficult to make them understand just how little everybody else cares.
posted by flabdablet at 7:25 AM on August 18, 2015 [6 favorites]
already exists. It's called FreeNet, and almost nobody uses it.
Hackers talking about information freedom, privacy and security are like Pentecostals talking about redemption. It's really, really difficult to make them understand just how little everybody else cares.
posted by flabdablet at 7:25 AM on August 18, 2015 [6 favorites]
Two words: convenience factor.
posted by jenfullmoon at 7:28 AM on August 18, 2015
posted by jenfullmoon at 7:28 AM on August 18, 2015
Two more: herd instinct.
The main reason people put up with all the bullshit that Facebook inflicts on them, or Windows, or Microsoft Office, is that those are what everybody else uses.
posted by flabdablet at 7:30 AM on August 18, 2015 [5 favorites]
The main reason people put up with all the bullshit that Facebook inflicts on them, or Windows, or Microsoft Office, is that those are what everybody else uses.
posted by flabdablet at 7:30 AM on August 18, 2015 [5 favorites]
Also let it not be forgotten that herds and flocks and schools exist because they are secure. It's hard to conceive of a better place to hide hay than somewhere in a haystack.
posted by flabdablet at 7:32 AM on August 18, 2015 [2 favorites]
posted by flabdablet at 7:32 AM on August 18, 2015 [2 favorites]
The main reason people put up with all the bullshit that Facebook inflicts on them, or Windows, or Microsoft Office, is that those are what everybody else uses.
Thing is, those sources of consternation and frustration are created by the nerds and geeks bemoaning them. Sometimes, listening to groups like that talk about the state of the web hits me a lot like the tale of the kid who kills his parents and then begs the court for lenience because he's an orphan.
posted by Thorzdad at 7:41 AM on August 18, 2015 [2 favorites]
Thing is, those sources of consternation and frustration are created by the nerds and geeks bemoaning them. Sometimes, listening to groups like that talk about the state of the web hits me a lot like the tale of the kid who kills his parents and then begs the court for lenience because he's an orphan.
posted by Thorzdad at 7:41 AM on August 18, 2015 [2 favorites]
Yeah, the lack of self-awareness is pretty stark. There's this completely unshakeable belief that information not only wants to be free but ought to be free - unless of course it's my information. Then it apparently ought to be private, regardless of what it wants.
This is exactly the same brand of conceptual dissonance that gives rise to idiocy like DRM when it happens inside the head of marketers rather than hackers.
posted by flabdablet at 7:57 AM on August 18, 2015 [1 favorite]
This is exactly the same brand of conceptual dissonance that gives rise to idiocy like DRM when it happens inside the head of marketers rather than hackers.
posted by flabdablet at 7:57 AM on August 18, 2015 [1 favorite]
Using cryptography for the identity system makes it less related to personal identity, so there is an ability to walk away without being personally targeted.
The privilege inherent in this statement is just amazing. Has Kahle not been watching what has happened the past several years?
For most of them, as for most of the wider community, IT machinery is a means to an end rather than any kind of end in itself.
This is something that needs to get hammered into the head of techies the world over - ultimately, you're building tools for other people to do things with.
posted by NoxAeternum at 8:03 AM on August 18, 2015 [1 favorite]
The privilege inherent in this statement is just amazing. Has Kahle not been watching what has happened the past several years?
For most of them, as for most of the wider community, IT machinery is a means to an end rather than any kind of end in itself.
This is something that needs to get hammered into the head of techies the world over - ultimately, you're building tools for other people to do things with.
posted by NoxAeternum at 8:03 AM on August 18, 2015 [1 favorite]
The main reason people put up with all the bullshit that Facebook inflicts on them, or Windows, or Microsoft Office, is that those are what everybody else uses.
No, it's the convenience factor.
Nothing matters more than convenience. Nothing. Not freedom, not privacy, nothing.
People will always choose the more convenient option. You can either bitch and moan about this and build awesome things no one will ever use because of the difficulty, or you can acknowledge this universal truth and build better systems in ways people will actually want to try.
If your pitch is, "Yeah it's a pain in the ass to learn all this stuff, but once you do it's great!", you've already lost.
posted by Sangermaine at 8:05 AM on August 18, 2015 [9 favorites]
No, it's the convenience factor.
Nothing matters more than convenience. Nothing. Not freedom, not privacy, nothing.
People will always choose the more convenient option. You can either bitch and moan about this and build awesome things no one will ever use because of the difficulty, or you can acknowledge this universal truth and build better systems in ways people will actually want to try.
If your pitch is, "Yeah it's a pain in the ass to learn all this stuff, but once you do it's great!", you've already lost.
posted by Sangermaine at 8:05 AM on August 18, 2015 [9 favorites]
Hackers talking about information freedom, privacy and security are like Pentecostals talking about redemption. It's really, really difficult to make them understand just how little everybody else cares.
Of course, few people have any fundamental interest in the mechanics of how their data can be kept confidential. Also, few are particularly concerned about Big Government or Big Corporatocracy as concrete, immediate threats — in the case of teenagers, their parents are of much more concern [PDF link].
But the statement that non-techies don't care about privacy goes too far: most web users do care about their privacy online. However, it doesn't manifest as a desire to keep all their use of the Internet anonymous and confidential; rather, most people want to be able to retain control over the bits of information they particularly care about.
They just would prefer not to swallow a horse pill of complicated security software to achieve that aim.
posted by metaquarry at 8:18 AM on August 18, 2015 [1 favorite]
Of course, few people have any fundamental interest in the mechanics of how their data can be kept confidential. Also, few are particularly concerned about Big Government or Big Corporatocracy as concrete, immediate threats — in the case of teenagers, their parents are of much more concern [PDF link].
But the statement that non-techies don't care about privacy goes too far: most web users do care about their privacy online. However, it doesn't manifest as a desire to keep all their use of the Internet anonymous and confidential; rather, most people want to be able to retain control over the bits of information they particularly care about.
They just would prefer not to swallow a horse pill of complicated security software to achieve that aim.
posted by metaquarry at 8:18 AM on August 18, 2015 [1 favorite]
I don't think it'd be hard to push back, if we wanted to. But sadly the majority of people don't want to. That corporate action in response to pressure works both ways. Amazon delisting Confederate flags is a corporate action many approved of, so they got cheers. At the same time, most people don't care enough to stop PayPal from refusing payments for Wikileaks, so they don't get many boos. We're not, as people, taking consistent stands. We're saying, "it's okay to break these rules if I agree" and forgetting there's a lot of things which are important to us but which we are in the minority on.
posted by corb at 8:26 AM on August 18, 2015 [1 favorite]
posted by corb at 8:26 AM on August 18, 2015 [1 favorite]
Nothing matters more than convenience. Nothing. Not freedom, not privacy, nothing.
Not stable employment, not good public services, not rational energy policy or climate change... in 2015, convenience does indeed trump all. And I think that's a problem, because the more convenience we have, the dumber and lazier and more helpless and discombobulated we become when the systems that provide it break down - as they always do, eventually.
It was not always like this. Convenience was much further down the priority scale when I was a child, and I'm only 53.
On the other hand I am 53, and for some years I've been amusing myself by noticing all the little ways in which I'm turning into my Dad. Perhaps a growing perception of the rest of the world as a pack of gurning spoonfed idiots is just par for the course for a technical priest approaching retirement age.
posted by flabdablet at 8:26 AM on August 18, 2015 [5 favorites]
Not stable employment, not good public services, not rational energy policy or climate change... in 2015, convenience does indeed trump all. And I think that's a problem, because the more convenience we have, the dumber and lazier and more helpless and discombobulated we become when the systems that provide it break down - as they always do, eventually.
It was not always like this. Convenience was much further down the priority scale when I was a child, and I'm only 53.
On the other hand I am 53, and for some years I've been amusing myself by noticing all the little ways in which I'm turning into my Dad. Perhaps a growing perception of the rest of the world as a pack of gurning spoonfed idiots is just par for the course for a technical priest approaching retirement age.
posted by flabdablet at 8:26 AM on August 18, 2015 [5 favorites]
In most implementations, security and convenience are opposites.
"Click here to see the dancing bologna. Click cancel to remain secure."
posted by rmd1023 at 8:30 AM on August 18, 2015 [1 favorite]
"Click here to see the dancing bologna. Click cancel to remain secure."
posted by rmd1023 at 8:30 AM on August 18, 2015 [1 favorite]
But that seems to be in large part due to the attitude of developers of security mechanisms. They seem to put usabiltiy and convenience way, way down the list of priorities.
A lot of programmers seem to have the attitude that if they make something that does something awesome, they're done. People will just naturally flock to it no matter how shitty the interface or how difficult it actually is to use in one's day-to-day life.
Or people are so deeply motivated by Privacy and Freedom that no other concerns like usability matter.
Or they'll take the stance that the measures being difficult to use isn't a problem, if you're too dumb to use them it's your fault.
Well guess what? With those kinds of attitudes, people just won't use your brilliant, beautiful systems.
posted by Sangermaine at 8:35 AM on August 18, 2015 [6 favorites]
A lot of programmers seem to have the attitude that if they make something that does something awesome, they're done. People will just naturally flock to it no matter how shitty the interface or how difficult it actually is to use in one's day-to-day life.
Or people are so deeply motivated by Privacy and Freedom that no other concerns like usability matter.
Or they'll take the stance that the measures being difficult to use isn't a problem, if you're too dumb to use them it's your fault.
Well guess what? With those kinds of attitudes, people just won't use your brilliant, beautiful systems.
posted by Sangermaine at 8:35 AM on August 18, 2015 [6 favorites]
There's this completely unshakeable belief that information not only wants to be free but ought to be free - unless of course it's my information. Then it apparently ought to be private, regardless of what it wants.
This is also a popular strategy in my workplace, where the various parties try to capitalize on the information they possess, to the detriment of the organization and their fellow employees. It's especially pointless when it's done simply out of habit.
posted by sneebler at 8:38 AM on August 18, 2015
This is also a popular strategy in my workplace, where the various parties try to capitalize on the information they possess, to the detriment of the organization and their fellow employees. It's especially pointless when it's done simply out of habit.
posted by sneebler at 8:38 AM on August 18, 2015
This perspective is an excellent match with Eben Moglen's talks on how our information systems have insecurity and non-privacy baked in. I'll now be linking to both where I used to link to one.
posted by tapesonthefloor at 8:41 AM on August 18, 2015
posted by tapesonthefloor at 8:41 AM on August 18, 2015
They just would prefer not to swallow a horse pill of complicated security software to achieve that aim.
None of my own computers run any complicated security software. But they do run a minority operating system that didn't come pre-installed on them.
"Click here to see the dancing bologna. Click cancel to remain secure."
This Way to the Egress...
Just this afternoon I spent two hours cleaning up a staff member's laptop.
She's doing an ICT training module as part of her teaching degree, and one of her assessment requirements was to make a video and upload it to YouTube. She had no video editing software on her computer, so her ICT trainer offered to install Windows Movie Maker for her. To which she agreed, and handed over her laptop.
So this afternoon she tells me that she can't use her computer any more because of all the crap that keeps popping up as soon as she logs on, and I take a look. Windows Movie Maker was not actually installed. But something called the Windows Movie Maker Package (signed by some bogus media company, not by Microsoft) had been, which turned out to be the foistware dropper collection from Hell: she had done no software installation of her own since the trainer installed "Windows Movie Maker", but the Control Panel showed sixteen different fake PC optimizers and fake backup "solutions" and fake "driver maintainers" and fake coupon offer toolbars and assorted other shite installed on four separate days since.
And that's where we are today. Not even the fucking priesthood can be arsed exercising a modicum of care any more.
posted by flabdablet at 8:43 AM on August 18, 2015 [2 favorites]
None of my own computers run any complicated security software. But they do run a minority operating system that didn't come pre-installed on them.
"Click here to see the dancing bologna. Click cancel to remain secure."
This Way to the Egress...
Just this afternoon I spent two hours cleaning up a staff member's laptop.
She's doing an ICT training module as part of her teaching degree, and one of her assessment requirements was to make a video and upload it to YouTube. She had no video editing software on her computer, so her ICT trainer offered to install Windows Movie Maker for her. To which she agreed, and handed over her laptop.
So this afternoon she tells me that she can't use her computer any more because of all the crap that keeps popping up as soon as she logs on, and I take a look. Windows Movie Maker was not actually installed. But something called the Windows Movie Maker Package (signed by some bogus media company, not by Microsoft) had been, which turned out to be the foistware dropper collection from Hell: she had done no software installation of her own since the trainer installed "Windows Movie Maker", but the Control Panel showed sixteen different fake PC optimizers and fake backup "solutions" and fake "driver maintainers" and fake coupon offer toolbars and assorted other shite installed on four separate days since.
And that's where we are today. Not even the fucking priesthood can be arsed exercising a modicum of care any more.
posted by flabdablet at 8:43 AM on August 18, 2015 [2 favorites]
the attitude of developers of security mechanisms. They seem to put usability and convenience way, way down the list of priorities
This is essentially because security is hard. That's just how security is.
The reason that nobody has ever come up with Magic Security that Just Works is because the very idea of such a thing is conceptually incoherent. Security is about defending something you care about against an ever-expanding set of attacks from people you distrust and their automated agents, and this requires you to (a) understand what it is you're trying to defend and (b) learn enough about likely avenues of attack to have at least some grasp of the countermeasures your chosen security mechanisms are designed to implement.
If your securable information's attack surface were as simple as a hinged front door, security software would be as simple as a keylock. It isn't, so it can't be.
There has always been and will always be a tradeoff between security and convenience. The more sophisticated the attacks, the less convenient it will be to employ appropriate countermeasures. It's the nature of the beast.
Acknowledging this simple truth is, of course, completely incompatible with the belief that convenience properly ought to trump all, which brings us right back to the point I made earlier about the pursuit of convenience at all costs painting us into a corner we'll probably regret ending up in.
posted by flabdablet at 9:07 AM on August 18, 2015 [2 favorites]
This is essentially because security is hard. That's just how security is.
The reason that nobody has ever come up with Magic Security that Just Works is because the very idea of such a thing is conceptually incoherent. Security is about defending something you care about against an ever-expanding set of attacks from people you distrust and their automated agents, and this requires you to (a) understand what it is you're trying to defend and (b) learn enough about likely avenues of attack to have at least some grasp of the countermeasures your chosen security mechanisms are designed to implement.
If your securable information's attack surface were as simple as a hinged front door, security software would be as simple as a keylock. It isn't, so it can't be.
There has always been and will always be a tradeoff between security and convenience. The more sophisticated the attacks, the less convenient it will be to employ appropriate countermeasures. It's the nature of the beast.
Acknowledging this simple truth is, of course, completely incompatible with the belief that convenience properly ought to trump all, which brings us right back to the point I made earlier about the pursuit of convenience at all costs painting us into a corner we'll probably regret ending up in.
posted by flabdablet at 9:07 AM on August 18, 2015 [2 favorites]
ultimately, you're building tools for other people to do things with.
And "doing things with" = "making more money for those creators of the tools", in the end. At least, that's how Silicon Valley sees it. And I think that's part of the problem. They see it as tools - tools for making money.
That said - this is something I frequently think about. From my late 90s Wired Technotopian Fetishism, to my post-Facebook (I would consider MySpace to be the "pre-School" to my jaded Facebook Net Teenagehood, the seeds of such discontent lay in that place, but it was still Web 1.0 in all the gloriously bad ways...)
There is a question of ease of use vs mass use, vs difficult to use vs secure. Do we want a popular internet where all are welcome or only the elite who can figure out how to work the tech?
What happens when we find that the masses we believed could be enlightened if only they had access to world culture end up disproving our thesis?
What happens when Youtube Comments Happen? Eternal September, really.
Personally I do like the idea of a decentralized social network (it's something I've posed, even in the Green, as far back as at least 2009, if not earlier... I recall my first desire for this probably in 2007 when Livejournal started going stupid with the breast feeding icon issue, and that's when I thought the only way to resolve the issue was to give control to the end user).
I figured there'd be a way for P2P access with trust given between users on a one to one basis and your friend networks grow from that. Access controls to types of content (i.e. friends filters that LJ had long before the usurpers had such things.)
I realized that, like most of my insane ideas, creating something like that is absolutely difficult and presents very hard problems.
I don't know the answer. A decade ago I was blindly foolish towards a non-walled garden of p2p internet. Now that I've seen what FB hath wrought... And perhaps it was inevitable.
I just get sad that so many hackers/makers these days are focused on things that ... I dunno... they don't seem focused on the hard problems, necessarily. I mean, bitcoin was interesting was was bittorrent. But, well... bitcoin got taken up by a bunch of eager beavers on the hype train. And is there anything that won't? What is Capitalism's role in all this? How much of this is "human nature"? What about anonymity vs security? There are so many questions and we don't have the answers, because, really - we're watching this all unfold for the first time.
Unfold, more like watching a car wreck in slow motion, and nobody's doing anything, but continuing to push the pedal to the metal.
I wish we would take a step back and maybe say "fuck you Silicon Valley Vultures" but everyone wants to get rich and we brought up a nation of douchebrogrammers and now we're living with the consequences of that.
I'm part of the problem, because I'm not working towards a solution.
posted by symbioid at 9:14 AM on August 18, 2015 [4 favorites]
And "doing things with" = "making more money for those creators of the tools", in the end. At least, that's how Silicon Valley sees it. And I think that's part of the problem. They see it as tools - tools for making money.
That said - this is something I frequently think about. From my late 90s Wired Technotopian Fetishism, to my post-Facebook (I would consider MySpace to be the "pre-School" to my jaded Facebook Net Teenagehood, the seeds of such discontent lay in that place, but it was still Web 1.0 in all the gloriously bad ways...)
There is a question of ease of use vs mass use, vs difficult to use vs secure. Do we want a popular internet where all are welcome or only the elite who can figure out how to work the tech?
What happens when we find that the masses we believed could be enlightened if only they had access to world culture end up disproving our thesis?
What happens when Youtube Comments Happen? Eternal September, really.
Personally I do like the idea of a decentralized social network (it's something I've posed, even in the Green, as far back as at least 2009, if not earlier... I recall my first desire for this probably in 2007 when Livejournal started going stupid with the breast feeding icon issue, and that's when I thought the only way to resolve the issue was to give control to the end user).
I figured there'd be a way for P2P access with trust given between users on a one to one basis and your friend networks grow from that. Access controls to types of content (i.e. friends filters that LJ had long before the usurpers had such things.)
I realized that, like most of my insane ideas, creating something like that is absolutely difficult and presents very hard problems.
I don't know the answer. A decade ago I was blindly foolish towards a non-walled garden of p2p internet. Now that I've seen what FB hath wrought... And perhaps it was inevitable.
I just get sad that so many hackers/makers these days are focused on things that ... I dunno... they don't seem focused on the hard problems, necessarily. I mean, bitcoin was interesting was was bittorrent. But, well... bitcoin got taken up by a bunch of eager beavers on the hype train. And is there anything that won't? What is Capitalism's role in all this? How much of this is "human nature"? What about anonymity vs security? There are so many questions and we don't have the answers, because, really - we're watching this all unfold for the first time.
Unfold, more like watching a car wreck in slow motion, and nobody's doing anything, but continuing to push the pedal to the metal.
I wish we would take a step back and maybe say "fuck you Silicon Valley Vultures" but everyone wants to get rich and we brought up a nation of douchebrogrammers and now we're living with the consequences of that.
I'm part of the problem, because I'm not working towards a solution.
posted by symbioid at 9:14 AM on August 18, 2015 [4 favorites]
the attitude of developers of security mechanisms. They seem to put usability and convenience way, way down the list of prioritiesVery strong security is hard. Perfect security is hard or impossible. But that doesn't mean vastly improved security can't be paired with convenience and usability. To some extent, this has been happening for years. I'm not an expert but if you browse the security threads here you can find some well-informed (albeit limited) optimism. When you are starting from a place of very bad security, not all improvements are going to be very hard. There's going to be some low-hanging fruit.
This is essentially because security is hard. That's just how security is.
The reason that nobody has ever come up with Magic Security that Just Works is because the very idea of such a thing is conceptually incoherent. Security is about defending something you care about against an ever-expanding set of attacks from people you distrust and their automated agents, and this requires you to (a) understand what it is you're trying to defend and (b) learn enough about likely avenues of attack to have at least some grasp of the countermeasures your chosen security mechanisms are designed to implement.
Anyway, a lot of our security problems are not driven by user preferences but by top-down design, because advertisers and governments and employers don't really want us to have security. It's not quite right to lay all of this at the feet of user ignorance.
posted by grobstein at 9:33 AM on August 18, 2015 [3 favorites]
This is essentially because security is hard. That's just how security is.
The reason that nobody has ever come up with Magic Security that Just Works is because the very idea of such a thing is conceptually incoherent.
flabdablet
This is true, but I think that this is often used an excuse by developers and researchers for not even trying to improve usability. If you want people to widely implement better security measures, you'll need to work to make them as simple as possible, simple enough for grandma to get and use.
If there is some hard technical or other limitation that absolutely prevents something from being simpler or more convenient, fine, but in reality I think developers just say "security is hard" and don't even look into ways to make things easier for normal people.
You'll never get perfect universal security, but you can probably achieve much better widespread security if it were easier for people to implement. Because there's no alternative. The fantasy is that people will come to their senses and learn to deal with less convenient methods for better security.
The reality is that people will just not use those security methods, and be unsecure.
posted by Sangermaine at 9:35 AM on August 18, 2015
The reason that nobody has ever come up with Magic Security that Just Works is because the very idea of such a thing is conceptually incoherent.
flabdablet
This is true, but I think that this is often used an excuse by developers and researchers for not even trying to improve usability. If you want people to widely implement better security measures, you'll need to work to make them as simple as possible, simple enough for grandma to get and use.
If there is some hard technical or other limitation that absolutely prevents something from being simpler or more convenient, fine, but in reality I think developers just say "security is hard" and don't even look into ways to make things easier for normal people.
You'll never get perfect universal security, but you can probably achieve much better widespread security if it were easier for people to implement. Because there's no alternative. The fantasy is that people will come to their senses and learn to deal with less convenient methods for better security.
The reality is that people will just not use those security methods, and be unsecure.
posted by Sangermaine at 9:35 AM on August 18, 2015
This is true, but I think that this is often used an excuse by developers and researchers for not even trying to improve usability.
Do you have any evidence for this? I work in the community of security developers and researchers, and I've found this not to be the case. Like any other industry, there are tools for power users and there are tools for folks who want to be power users some day, but I've literally never heard of anyone using the fact that the security domain is challenging as a means of shirking their responsibility to release usable tools.
posted by tonycpsu at 9:38 AM on August 18, 2015
Do you have any evidence for this? I work in the community of security developers and researchers, and I've found this not to be the case. Like any other industry, there are tools for power users and there are tools for folks who want to be power users some day, but I've literally never heard of anyone using the fact that the security domain is challenging as a means of shirking their responsibility to release usable tools.
posted by tonycpsu at 9:38 AM on August 18, 2015
tonycpsu,
This is just the sense I get. For example, think of things people often suggest for security and anonymity. Someone above suggested BitTorrent clients, Tor, Bitcoin wallets, and PGP. Maybe you have other things in mind.
Now are any of these things, realistically, things that would be widely adopted by the general population? A population that isn't really very tech savvy, that any IT help person will tell you struggles with extremely basic things like email, web browsing, or even word processors? As said before, are these something grandma could or would use?
Because if not, there will continue to be massive security problems, because most people aren't "power users and...folks who want to be power users some day". Most people are users who don't care at all about how or why technology works, and have zero interest in learning or trying anything new.
I'm not saying people are stupid, just that they don't care. Many people get a computer and just want a tool that does a few things, and have no interest in anything else. How do you protect those people, or help them protect themselves.
posted by Sangermaine at 9:47 AM on August 18, 2015 [1 favorite]
This is just the sense I get. For example, think of things people often suggest for security and anonymity. Someone above suggested BitTorrent clients, Tor, Bitcoin wallets, and PGP. Maybe you have other things in mind.
Now are any of these things, realistically, things that would be widely adopted by the general population? A population that isn't really very tech savvy, that any IT help person will tell you struggles with extremely basic things like email, web browsing, or even word processors? As said before, are these something grandma could or would use?
Because if not, there will continue to be massive security problems, because most people aren't "power users and...folks who want to be power users some day". Most people are users who don't care at all about how or why technology works, and have zero interest in learning or trying anything new.
I'm not saying people are stupid, just that they don't care. Many people get a computer and just want a tool that does a few things, and have no interest in anything else. How do you protect those people, or help them protect themselves.
posted by Sangermaine at 9:47 AM on August 18, 2015 [1 favorite]
Here's a real life example: KeePass.
KeePass is wonderful. It does one job, and does it well: it secures a list of websites and the credentials you use to log into those. The list is kept in an encrypted file that belongs to you, which you can store wherever you like and back up as you see fit. I keep all my digital identities in it.
When I demonstrate it for people, they watch me using it and go "wow, that's cool". And then I spend twenty minutes running through the basics, showing them where to look for the less-basics, and giving them enough supervised hands-on practice to get them comfortable. And they agree that it is an easy thing to use, and that it clearly will render every single online account they ever use effectively hackproof.
And then nineteen out of twenty go right back to using Tigers99 as their password for everything because that's what they've always done, and launching KeePass is one extra step and they don't want to do that.
I can't even persuade my wife to use it.
Little ms. flabdablet (ten years old) does, but only because I've never showed her any other way to log on to her email account.
posted by flabdablet at 9:55 AM on August 18, 2015 [8 favorites]
KeePass is wonderful. It does one job, and does it well: it secures a list of websites and the credentials you use to log into those. The list is kept in an encrypted file that belongs to you, which you can store wherever you like and back up as you see fit. I keep all my digital identities in it.
When I demonstrate it for people, they watch me using it and go "wow, that's cool". And then I spend twenty minutes running through the basics, showing them where to look for the less-basics, and giving them enough supervised hands-on practice to get them comfortable. And they agree that it is an easy thing to use, and that it clearly will render every single online account they ever use effectively hackproof.
And then nineteen out of twenty go right back to using Tigers99 as their password for everything because that's what they've always done, and launching KeePass is one extra step and they don't want to do that.
I can't even persuade my wife to use it.
Little ms. flabdablet (ten years old) does, but only because I've never showed her any other way to log on to her email account.
posted by flabdablet at 9:55 AM on August 18, 2015 [8 favorites]
Personally I do like the idea of a decentralized social network (it's something I've posed, even in the Green, as far back as at least 2009, if not earlier... I recall my first desire for this probably in 2007 when Livejournal started going stupid with the breast feeding icon issue, and that's when I thought the only way to resolve the issue was to give control to the end user).
I figured there'd be a way for P2P access with trust given between users on a one to one basis and your friend networks grow from that. Access controls to types of content (i.e. friends filters that LJ had long before the usurpers had such things.)
Heartbeat may hold some promise, providing you and all your friends are Apple users.
posted by acb at 10:03 AM on August 18, 2015
I figured there'd be a way for P2P access with trust given between users on a one to one basis and your friend networks grow from that. Access controls to types of content (i.e. friends filters that LJ had long before the usurpers had such things.)
Heartbeat may hold some promise, providing you and all your friends are Apple users.
posted by acb at 10:03 AM on August 18, 2015
This is just the sense I get. For example, think of things people often suggest for security and anonymity. Someone above suggested BitTorrent clients, Tor, Bitcoin wallets, and PGP. Maybe you have other things in mind.
You're casting a pretty wide net here by including things like Tor and Bitcoin wallets in the category of security tools that novices would need to use. As you say in your last paragraph, most people just want to do a few things, and I don't think anonymous communication or use of cryptocurrency rank highly on that list, no matter how much coverage they get on techie news sites.
I agree that people don't want to try anything new, but as flabdablet alludes to, they're going to have to if they really want security instead of just paying lip service to it. Two-factor auth with hard tokens suffers from many of the same complexity problems that have doomed things like PGP and X.509 authentication -- in the end, someone has to distribute the credentials, maintain them, renew them, etc. and nobody so far has found the sweet spot between one central authority doing that (Big Brother!) and a thousand islands of authorities doing it (too complex!). It's not quite zero-sum -- we can find incremental ways to make these technologies easier -- but in the end, users do still have to do their part.
posted by tonycpsu at 10:07 AM on August 18, 2015
You're casting a pretty wide net here by including things like Tor and Bitcoin wallets in the category of security tools that novices would need to use. As you say in your last paragraph, most people just want to do a few things, and I don't think anonymous communication or use of cryptocurrency rank highly on that list, no matter how much coverage they get on techie news sites.
I agree that people don't want to try anything new, but as flabdablet alludes to, they're going to have to if they really want security instead of just paying lip service to it. Two-factor auth with hard tokens suffers from many of the same complexity problems that have doomed things like PGP and X.509 authentication -- in the end, someone has to distribute the credentials, maintain them, renew them, etc. and nobody so far has found the sweet spot between one central authority doing that (Big Brother!) and a thousand islands of authorities doing it (too complex!). It's not quite zero-sum -- we can find incremental ways to make these technologies easier -- but in the end, users do still have to do their part.
posted by tonycpsu at 10:07 AM on August 18, 2015
Heartbeat may hold some promise
Except that it appears to rely on centralized servers for making connections between users, which kind of defeats the purpose; there will be an absolute goldmine of social graph metadata on that server.
posted by flabdablet at 10:14 AM on August 18, 2015 [4 favorites]
Except that it appears to rely on centralized servers for making connections between users, which kind of defeats the purpose; there will be an absolute goldmine of social graph metadata on that server.
posted by flabdablet at 10:14 AM on August 18, 2015 [4 favorites]
How do you protect those people, or help them protect themselves.
If you're a high priest from the Church of Redmond, you do it by seizing as much control over their computers as you can get away with. If you're me, you install Debian for them and then take their phone calls.
posted by flabdablet at 10:19 AM on August 18, 2015
If you're a high priest from the Church of Redmond, you do it by seizing as much control over their computers as you can get away with. If you're me, you install Debian for them and then take their phone calls.
posted by flabdablet at 10:19 AM on August 18, 2015
You're casting a pretty wide net here by including things like Tor and Bitcoin wallets in the category of security tools that novices would need to use. As you say in your last paragraph, most people just want to do a few things, and I don't think anonymous communication or use of cryptocurrency rank highly on that list.
Indeed, I had mentioned PGP, Tor, Bitcoin, and so forth — and was aiming for the implication that they're not exactly the friendliest of tools to use for the general user. However, ordinary users operating that combination of functions (possibly embodied in a single browser?) is effectively what Kahle is calling for in his Distributed Web proposal I linked to above.
posted by metaquarry at 10:28 AM on August 18, 2015
Indeed, I had mentioned PGP, Tor, Bitcoin, and so forth — and was aiming for the implication that they're not exactly the friendliest of tools to use for the general user. However, ordinary users operating that combination of functions (possibly embodied in a single browser?) is effectively what Kahle is calling for in his Distributed Web proposal I linked to above.
posted by metaquarry at 10:28 AM on August 18, 2015
You won’t necessarily know anything about the decisions that affect your rights, like whether you get a loan, a job, or if a car runs over you. Things will get decided by data-crunching computer algorithms and no human will really be able to understand why.
Twenty years from now? Has she seen the ACLU thing on pre-crime from last week?
The Government's 'Predictive Judgments' Land Innocent Travelers on the No Fly List Without Meaningful Redress
posted by bukvich at 10:59 AM on August 18, 2015 [1 favorite]
Twenty years from now? Has she seen the ACLU thing on pre-crime from last week?
The Government's 'Predictive Judgments' Land Innocent Travelers on the No Fly List Without Meaningful Redress
posted by bukvich at 10:59 AM on August 18, 2015 [1 favorite]
most people just want to do a few things, and I don't think anonymous communication or use of cryptocurrency rank highly on that list, no matter how much coverage they get on techie news sites.
Yes, but. People DO want to communicate, and people DO want to engage in commerce. So what if we lived in a world where communication was secure by default, and in which currency were anonymous by default (like it was 70 years ago).
If you were to ask people "if it wasn't more difficult, would you like your communications to be secure," I'd bet 98%+ people would say yes. If you were to ask people "If it wasn't more difficult to use, would you like your financial transactions to be anonymous, like cash," you'd get similar responses.
And this isn't impossible, by any means. What if textsecure was the default messaging app?
This may be tricky (politically, certainly), but not impossible.
People do actually want privacy, security, but they don't want to be privacy and security experts to achieve this.
What if the only locks that your hardware store that you could buy were Abloy locks? Well fuck, then everything would be nearly secure (from lockpicking) by default. This isn't a pipe dream (go visit Sweden, and go look at the physical locks they have everywhere - it's crazy; funny thing is they don't actually seem to have a lot of property crime, they just are secure by default).
But there are harder problems (and these aren't easy problems to solve, but they are solvable). Are citizens around the world willing to demand from their government that they allow security? Are people willing to put up with jihadist propaganda (is that shit so compelling that we are terrified of it? is everyone one youtube video away from swearing loyalty to ISIS?). Are we willing to have abhorrent speech as a price for free speech?
Is the convenience of our phone suggesting that we might want to buy some condoms at the store worth the inherent creepiness of countless agents on the net knowing our sexual habits? I'm happy she pointed the finger at ourselves, and the security community in general, because we've all failed on so many levels.
Security usability may be a challenge, but it's not the overriding force helping create our cyberpunk dystopia. We are.
posted by el io at 11:24 AM on August 18, 2015 [3 favorites]
Yes, but. People DO want to communicate, and people DO want to engage in commerce. So what if we lived in a world where communication was secure by default, and in which currency were anonymous by default (like it was 70 years ago).
If you were to ask people "if it wasn't more difficult, would you like your communications to be secure," I'd bet 98%+ people would say yes. If you were to ask people "If it wasn't more difficult to use, would you like your financial transactions to be anonymous, like cash," you'd get similar responses.
And this isn't impossible, by any means. What if textsecure was the default messaging app?
This may be tricky (politically, certainly), but not impossible.
People do actually want privacy, security, but they don't want to be privacy and security experts to achieve this.
What if the only locks that your hardware store that you could buy were Abloy locks? Well fuck, then everything would be nearly secure (from lockpicking) by default. This isn't a pipe dream (go visit Sweden, and go look at the physical locks they have everywhere - it's crazy; funny thing is they don't actually seem to have a lot of property crime, they just are secure by default).
But there are harder problems (and these aren't easy problems to solve, but they are solvable). Are citizens around the world willing to demand from their government that they allow security? Are people willing to put up with jihadist propaganda (is that shit so compelling that we are terrified of it? is everyone one youtube video away from swearing loyalty to ISIS?). Are we willing to have abhorrent speech as a price for free speech?
Is the convenience of our phone suggesting that we might want to buy some condoms at the store worth the inherent creepiness of countless agents on the net knowing our sexual habits? I'm happy she pointed the finger at ourselves, and the security community in general, because we've all failed on so many levels.
Security usability may be a challenge, but it's not the overriding force helping create our cyberpunk dystopia. We are.
posted by el io at 11:24 AM on August 18, 2015 [3 favorites]
what if we lived in a world where communication was secure by default
Then we'd be living in a fictional universe, because in the real world that can't happen.
If you're talking about a world where communication was end-to-end encrypted by default, sure. We can have that. But encryption cannot guarantee security without severe inconvenience, because key distribution is a thing. And if you push key distribution toward the convenience side of the convenience/security tradeoff, as SSL/TLS attempts to do, you end up in the mess we're in now with thousands of root certificate authorities that we're all de-facto forced to trust completely blindly, regardless of how little we know about how any of them actually work internally.
If you're using SSL/TLS inside a workplace, there is a very high chance that most of the SSL certificates you're currently trusting are in fact spoofed. Many, many workplaces are now outsourcing their web security (again, in the name of convenience) to Security-As-A-Service providers like Zscaler, whose operation requires installation of an extra root certificate in users' devices for the specific purpose of running undetectable man-in-the-middle attacks against "secure" traffic, decrypting it on-the-fly for filtering and inspection purposes.
I'd bet 98%+ people would say yes
I'd bet the same thing. And then I'd bet with equal confidence that about 80% of the people who said yes would then go right back to doing whatever they're used to, leaving your wonderful innovative secure-by-default systems to wither on the vine.
IT security is not fundamentally a technical problem. It's a people problem that scales incredibly badly. Always has been, always will be.
posted by flabdablet at 11:45 AM on August 18, 2015 [1 favorite]
Then we'd be living in a fictional universe, because in the real world that can't happen.
If you're talking about a world where communication was end-to-end encrypted by default, sure. We can have that. But encryption cannot guarantee security without severe inconvenience, because key distribution is a thing. And if you push key distribution toward the convenience side of the convenience/security tradeoff, as SSL/TLS attempts to do, you end up in the mess we're in now with thousands of root certificate authorities that we're all de-facto forced to trust completely blindly, regardless of how little we know about how any of them actually work internally.
If you're using SSL/TLS inside a workplace, there is a very high chance that most of the SSL certificates you're currently trusting are in fact spoofed. Many, many workplaces are now outsourcing their web security (again, in the name of convenience) to Security-As-A-Service providers like Zscaler, whose operation requires installation of an extra root certificate in users' devices for the specific purpose of running undetectable man-in-the-middle attacks against "secure" traffic, decrypting it on-the-fly for filtering and inspection purposes.
I'd bet 98%+ people would say yes
I'd bet the same thing. And then I'd bet with equal confidence that about 80% of the people who said yes would then go right back to doing whatever they're used to, leaving your wonderful innovative secure-by-default systems to wither on the vine.
IT security is not fundamentally a technical problem. It's a people problem that scales incredibly badly. Always has been, always will be.
posted by flabdablet at 11:45 AM on August 18, 2015 [1 favorite]
Security usability may be a challenge, but it's not the overriding force helping create our cyberpunk dystopia. We are.
Absolutely agreed. And the way we're doing that is by embracing the infantile pursuit of convenience at all costs. The ability to delay gratification used to be the measure of a well-adapted adult. Now it's simply unfashionable.
posted by flabdablet at 11:51 AM on August 18, 2015 [1 favorite]
Absolutely agreed. And the way we're doing that is by embracing the infantile pursuit of convenience at all costs. The ability to delay gratification used to be the measure of a well-adapted adult. Now it's simply unfashionable.
posted by flabdablet at 11:51 AM on August 18, 2015 [1 favorite]
Was that back when you had to walk uphill 30 miles both ways in the snow to get anything done?
I'm not sure pining for a past that never existed helps. People have always valued convenience, it's why people have consistently been inventing things to make their lives more convenient. You're older than me but I seriously doubt people in the 60s and 70s when you were growing up were all self-denying paragons of discipline any more than they were in the 80s and 90s when I was growing up.
People like convenience. They avoid the difficult. This isn't a new thing. We have to operate in the world we live in, not the world we wish we lived in.
posted by Sangermaine at 1:04 PM on August 18, 2015 [4 favorites]
I'm not sure pining for a past that never existed helps. People have always valued convenience, it's why people have consistently been inventing things to make their lives more convenient. You're older than me but I seriously doubt people in the 60s and 70s when you were growing up were all self-denying paragons of discipline any more than they were in the 80s and 90s when I was growing up.
People like convenience. They avoid the difficult. This isn't a new thing. We have to operate in the world we live in, not the world we wish we lived in.
posted by Sangermaine at 1:04 PM on August 18, 2015 [4 favorites]
You're casting a pretty wide net here by including things like Tor and Bitcoin wallets in the category of security tools that novices would need to use. As you say in your last paragraph, most people just want to do a few things, and I don't think anonymous communication or use of cryptocurrency rank highly on that list, no matter how much coverage they get on techie news sites.
Ironically Tor is the easiest to set up and use (except for having to know specific .onion URLs for hidden services) of all the tools mentioned. It does have an inconvenience factor because it's slow, though.
posted by atoxyl at 1:09 PM on August 18, 2015
Ironically Tor is the easiest to set up and use (except for having to know specific .onion URLs for hidden services) of all the tools mentioned. It does have an inconvenience factor because it's slow, though.
posted by atoxyl at 1:09 PM on August 18, 2015
Except that (Heartbeat) appears to rely on centralized servers for making connections between users, which kind of defeats the purpose; there will be an absolute goldmine of social graph metadata on that server.
I'm under the impression that there can be any number of servers, which can federate. Is this not the case?
posted by acb at 2:29 PM on August 18, 2015
I'm under the impression that there can be any number of servers, which can federate. Is this not the case?
posted by acb at 2:29 PM on August 18, 2015
Was that back when you had to walk uphill 30 miles both ways in the snow to get anything done?
No. That was back when milk got delivered in glass bottles that you were expected to wash and leave out for re-use, and shops closed at noon on Saturday and didn't open at all on Sunday which meant that most people actually got their weekends free, and walking or cycling to school unsupervised instead of being driven there in an SUV was normal, and government agencies were in charge of post, telecommunications, public transport, electricity and water supply and ran all of those things more competently, efficiently and sustainably than they're run today.
There was much less waste. Conspicuous consumption was generally held to be crass and idiotic rather than something to be celebrated and aspired to. And personal privacy was a matter of common sense and decency rather than a thing requiring a tangled web of law and regulation to preserve.
I did not grow up in a golden age. There were lots of things wrong with the sixties and seventies: compared to today, it was a horrible time to be black, female or homosexual. But there were also lots of things handled much better then than we do today, and I remain completely convinced that the drift of convenience from a nice-to-have to a must-have-at-all-costs has played a big part in the loss of those.
It was a better time to be intellectual. It was a better time to be employed. It was far more likely, having got employed, that you'd stay that way.
Labour-saving devices are a good thing when they're saving unpaid labour: domestic washing machines and vacuum cleaners are an unalloyed good. But once the labour we're saving is the minimal amount required to get up out of a sofa and walk to the light switch, we're so far into diminishing returns it's not funny.
The eighties really was when it all changed. It was in the eighties that we started being customers rather than members, clients, patients or patrons. The idea of public service became toxic and contemptible and everything, all the way down into the fundamental ways we view interpersonal relationships, turned commercial, transactional, quid-pro-quo. So it's very easy for me to understand how people who were children of the eighties and subsequent decades have come to view those of at least my age as hopeless onion-on-belt romantics wearing rose-coloured glasses of nostalgia.
But I'm 53, not 80. I'm not senile. I'm not stupid. I'm at least as cynical and hard-bitten as you are. And there was an upside - a large upside - to a society where commerce was not something that people thought should happen 24x7x365, the media fear machine was much less capable, intrusive advertising was far less ubiquitous, and the default ideological assumption was not that public service is always and everywhere less "efficient" than private enterprise.
I don't expect you to understand what that upside could feel like. But it was real.
posted by flabdablet at 10:19 PM on August 18, 2015 [4 favorites]
No. That was back when milk got delivered in glass bottles that you were expected to wash and leave out for re-use, and shops closed at noon on Saturday and didn't open at all on Sunday which meant that most people actually got their weekends free, and walking or cycling to school unsupervised instead of being driven there in an SUV was normal, and government agencies were in charge of post, telecommunications, public transport, electricity and water supply and ran all of those things more competently, efficiently and sustainably than they're run today.
There was much less waste. Conspicuous consumption was generally held to be crass and idiotic rather than something to be celebrated and aspired to. And personal privacy was a matter of common sense and decency rather than a thing requiring a tangled web of law and regulation to preserve.
I did not grow up in a golden age. There were lots of things wrong with the sixties and seventies: compared to today, it was a horrible time to be black, female or homosexual. But there were also lots of things handled much better then than we do today, and I remain completely convinced that the drift of convenience from a nice-to-have to a must-have-at-all-costs has played a big part in the loss of those.
It was a better time to be intellectual. It was a better time to be employed. It was far more likely, having got employed, that you'd stay that way.
Labour-saving devices are a good thing when they're saving unpaid labour: domestic washing machines and vacuum cleaners are an unalloyed good. But once the labour we're saving is the minimal amount required to get up out of a sofa and walk to the light switch, we're so far into diminishing returns it's not funny.
The eighties really was when it all changed. It was in the eighties that we started being customers rather than members, clients, patients or patrons. The idea of public service became toxic and contemptible and everything, all the way down into the fundamental ways we view interpersonal relationships, turned commercial, transactional, quid-pro-quo. So it's very easy for me to understand how people who were children of the eighties and subsequent decades have come to view those of at least my age as hopeless onion-on-belt romantics wearing rose-coloured glasses of nostalgia.
But I'm 53, not 80. I'm not senile. I'm not stupid. I'm at least as cynical and hard-bitten as you are. And there was an upside - a large upside - to a society where commerce was not something that people thought should happen 24x7x365, the media fear machine was much less capable, intrusive advertising was far less ubiquitous, and the default ideological assumption was not that public service is always and everywhere less "efficient" than private enterprise.
I don't expect you to understand what that upside could feel like. But it was real.
posted by flabdablet at 10:19 PM on August 18, 2015 [4 favorites]
Was that back when you had to walk uphill 30 miles both ways in the snow to get anything done?
No, but I'd wager that it was back when it took more than a played-out cliche and some boiler-plate this is the future, old man-type sneering to adequately refute somebody's argument on the internet.
I kinda miss it.
posted by hap_hazard at 1:23 AM on August 19, 2015
No, but I'd wager that it was back when it took more than a played-out cliche and some boiler-plate this is the future, old man-type sneering to adequately refute somebody's argument on the internet.
I kinda miss it.
posted by hap_hazard at 1:23 AM on August 19, 2015
Hard call to make, given that the internet wasn't a thing.
I do seem to recall that the BBSes I used to frequent in the 300bps modem era needed rather less moderation to keep them civil than seems to be the prevailing norm today. To the extent that this was true, I expect that most of it can be accounted for by the fact that the majority of users on those BBSes already knew each other IRL first.
posted by flabdablet at 2:19 AM on August 19, 2015
I do seem to recall that the BBSes I used to frequent in the 300bps modem era needed rather less moderation to keep them civil than seems to be the prevailing norm today. To the extent that this was true, I expect that most of it can be accounted for by the fact that the majority of users on those BBSes already knew each other IRL first.
posted by flabdablet at 2:19 AM on August 19, 2015
No. That was back when milk got delivered in glass bottles that you were expected to wash and leave out for re-use, and shops closed at noon on Saturday and didn't open at all on Sunday which meant that most people actually got their weekends free, and walking or cycling to school unsupervised instead of being driven there in an SUV was normal,
BTW, for this part of your list to work, it required the unpaid work of women. Who do you think washed the bottles and was home to keep an eye on neighborhood kids walking to and from school, as well as develop the social network to make that level of trust possible? Shops are open on the weekend, because that's when two incomes families generally have time to shop, they didn't used to need to be open on the weekends because women were home to do the shopping during the week.
Which I think speaks to the large point that you're missing in your quest to deny instant gratification: Time is finite. My Father-in-law wants an easy to-use Facebook because he doesn't have time to learn a hard one, as well as do the other things he shares pictures of. My kids' teachers want easy (less secure) e-mails because they don't have time to fiddle with a more secure version, neither do the parents, and nobody wants a kid to miss some assignment\cool activity because of a glitch in the technology.
posted by Gygesringtone at 6:13 AM on August 19, 2015 [7 favorites]
BTW, for this part of your list to work, it required the unpaid work of women. Who do you think washed the bottles and was home to keep an eye on neighborhood kids walking to and from school, as well as develop the social network to make that level of trust possible? Shops are open on the weekend, because that's when two incomes families generally have time to shop, they didn't used to need to be open on the weekends because women were home to do the shopping during the week.
Which I think speaks to the large point that you're missing in your quest to deny instant gratification: Time is finite. My Father-in-law wants an easy to-use Facebook because he doesn't have time to learn a hard one, as well as do the other things he shares pictures of. My kids' teachers want easy (less secure) e-mails because they don't have time to fiddle with a more secure version, neither do the parents, and nobody wants a kid to miss some assignment\cool activity because of a glitch in the technology.
posted by Gygesringtone at 6:13 AM on August 19, 2015 [7 favorites]
Granick's talk, to me, is a reflection of the fact that the current technological priesthood has not yet come to terms with either its inevitable inherent status as a priesthood or the historical relationships that tend to form between priesthoods of all stripes and the wielders of State power.
the idea of a cognitive priesthood/elite is really interesting to me, first from the perspective of ernest gellner on how institutions of production, coercion and cognition (plough, sword and book) have evolved to shape society:
The eighties really was when it all changed.
the other intriguing aspect of a cognitive priesthood, and perhaps more pertinent to this discussion, is its current incarnation of economists as a financial priesthood as wall street gained ascendancy in the eighties to the dominance of central banks now in regulating financial and economic affairs. BUT, i would argue, the current technological priesthood (silicon valley) is now challenging the financial priesthood (wall street) in terms of influence. software/mobile is 'eating the world', interest rates are stuck at the zero lower bound (in part due to technological unemployment/deflation) and economists are taking classes in machine learning as finance tries to coopt technology; they're starting to merge... that is, if money can be abstracted into digits, who controls the digits?
also btw...
-China announces it is scoring its citizens using big data
-When One App Rules Them All: The Case of WeChat and Mobile in China
-With High-Profile Help, Obama Plots Life After Presidency:* "The dinner in the private upstairs dining room of the White House went so late that Reid Hoffman, the LinkedIn billionaire, finally suggested around midnight that President Obama might like to go to bed... He then lingered with his wife, Michelle, and their 13 guests — among them the novelist Toni Morrison, the hedge fund manager Marc Lasry and the Silicon Valley venture capitalist John Doerr — well past 2 a.m. Mr. Obama 'seemed incredibly relaxed', said another guest, the writer Malcolm Gladwell. He recalled how the group, which also included the actress Eva Longoria and Vinod Khosla, a founder of Sun Microsystems, tossed out ideas about what Mr. Obama should do after he leaves the White House."
posted by kliuless at 3:03 PM on August 19, 2015 [5 favorites]
the idea of a cognitive priesthood/elite is really interesting to me, first from the perspective of ernest gellner on how institutions of production, coercion and cognition (plough, sword and book) have evolved to shape society:
The late social anthropologist and philosopher Ernest Gellner had a really profound analysis of the political aspects of scientific rationality (see e.g. Plough, Sword and Book, or most centrally Legitimation of Belief; or the exegesis by Michael Lessnoff), where he pointed out that one of the effects of rationalism and empiricism was to "locate the well of truth outside the walls of the city", i.e., to create a source of epistemic authority which was not under social control, and which could be appealed to by those currently lacking in power. (He was, of course, fully aware of all the ways in which this is only an imperfect approximation.) This tends directly to undermine traditional sources of epistemic authority, which are overwhelmingly self-justifying and circular — authoritarian in a stricter sense.like gellner expounds a lot about the 'joint domination of priests and kings' when examining the role of the catholic clergy in medieval europe and then you can read stephenson's baroque cycle or whatever about the royal society, the scientific revolution and enlightenment humanism in 'locating the wells of truth outside the city walls' and its impact on helping bring about the industrial revolution... and the ideologies of control -- nationalism, capitalism, socialism -- that followed.
The eighties really was when it all changed.
the other intriguing aspect of a cognitive priesthood, and perhaps more pertinent to this discussion, is its current incarnation of economists as a financial priesthood as wall street gained ascendancy in the eighties to the dominance of central banks now in regulating financial and economic affairs. BUT, i would argue, the current technological priesthood (silicon valley) is now challenging the financial priesthood (wall street) in terms of influence. software/mobile is 'eating the world', interest rates are stuck at the zero lower bound (in part due to technological unemployment/deflation) and economists are taking classes in machine learning as finance tries to coopt technology; they're starting to merge... that is, if money can be abstracted into digits, who controls the digits?
also btw...
-China announces it is scoring its citizens using big data
-When One App Rules Them All: The Case of WeChat and Mobile in China
-With High-Profile Help, Obama Plots Life After Presidency:* "The dinner in the private upstairs dining room of the White House went so late that Reid Hoffman, the LinkedIn billionaire, finally suggested around midnight that President Obama might like to go to bed... He then lingered with his wife, Michelle, and their 13 guests — among them the novelist Toni Morrison, the hedge fund manager Marc Lasry and the Silicon Valley venture capitalist John Doerr — well past 2 a.m. Mr. Obama 'seemed incredibly relaxed', said another guest, the writer Malcolm Gladwell. He recalled how the group, which also included the actress Eva Longoria and Vinod Khosla, a founder of Sun Microsystems, tossed out ideas about what Mr. Obama should do after he leaves the White House."
posted by kliuless at 3:03 PM on August 19, 2015 [5 favorites]
« Older Bay Gold: the brand appropriate to a junior... | A love letter to the Internet of old Newer »
This thread has been archived and is closed to new comments
Great essay/speech, but I didn't feel like the 'call to arms' was strong. Certainly the staff and leadership from Twitter/Facebook/Google isn't going to work hard to make the web more decentralized (as she seems to advocate). Even the users in the audience (including herself) aren't likely going to start going back to blogs.
While she acknowledges that everyone (herself included) is to blame for the trends that are occurring, a solution doesn't seem to be evident.
On the other hand, perhaps I shouldn't expect a nice package of neat solutions in a keynote, but instead a solid explanation of where we are, how we got there, and where we will head to if we don't do something about it. She did a very good job at that.
posted by el io at 2:24 AM on August 18, 2015 [3 favorites]