Friday, February 21, 2020

Bruce Schneier on Policy vs Technology

Bruce Schneier posted this IEEE Security & Privacy essay on his blog today.

Read the posturing in the comments and wonder about the ones that resonate with you.

Compare with the thrust of the article and the purpose and nature of law and politics.

Discuss among yourselves.

Friday, February 14, 2020

Complexifying Elections: Technological Wishful Thinking over Accountability and Demonstration

Via ACM TechNews, Computerworld’s Lucas Mearian reports MIT researchers say mobile voting app piloted in U.S. is rife with vulnerabilities

There is a fundamental tension between having secrecy of ballots and a desire for auditability and detection/prevention of fraudulent manipulation of the voting system.

The TL;DR: The most important question concerning electronic/internet technical mediation of a voting system is this: When the system is determined to have failed or been corrupted on election day, what fall-back is in place for swift and certain recovery?

The next question is, what provisions are there for detecting that such an incident is occurring or has occurred?

The Quandary

Insistence by researchers that paper ballots be the best choice has to do more with avoiding additional vulnerabilities and exploits that can be invisible, massive, difficult to audit, and not subject to the usual verification of chains of custody and handling between the means of submission (polling places and mail/drop systems) and current means of authenticating the registered voter and/or the unopened ballot.  Paper-ballot systems  limit the varieties of attack and their potential absence of detection.  Integrity of the system is grounded on human activity and the transparency of election administration. 

The paper ballot provides the best case of privacy, with the only connection being the handover of a ballot to a registered voter or the receipt of a sealed ballot before removal and introduction into processing.  The secrecy of the voter’s balloting is established at that point.

It is also the case that widespread fraud against voting systems has never been demonstrated, as much as it is feared by those who are contemptuous of voters not like themselves.  The small numbers of cases tend to be more pathetic than any serious rigging, such as the greater impact of voter suppression and distortion of choice through gerrymandering.

In some sense, those current manual-system provisions and safeguards do not go away.  Adding technological solutions is more complex and requires much more understanding, preparation, and dependence on specialized skills and appropriate conceptual models not possessed by polling place workers, those in election headquarters, and the management/administration, however well-intentioned. 

Advocates of technological fixes are on a death-spiral starting with the abandonment of paper ballots and continual fix and repair, adding complexification without addressing the importance of standard security requirements and especially risk management that applies to the delivery of invisible technology. 

A particular problem with citizen-facing voting technology is that it is not possible to have the normal cycles of learning and improvement.  It has to work the first time and every other time.  Furthermore, adversaries are not obligated to reveal their ability to penetrate and manipulate a system until it is too late. 

There is nothing new here in the difficulty of creating and deploying technical systems in which there are critical privacy and security requirements.  What is new is the impact on an area that is much more fragile in the face of disruption and breakdowns and the loss of trust inevitable breakdowns invite.  If the producers of technical components resist transparency for whatever reason, one must presume defects, not believe perfection with no evidence, only wishful thinking.

Thursday, February 13, 2020

What does “Winner” Mean?

As of today, there have been two Democratic Party Presidential Candidate Nomination events: the 2020 Iowa Caucus and the 2020 New Hampshire Primary. 

At this point, the Associated Press and other news media are distressed that they are “unable to declare a winner.”  Really?  What self-important ridiculousness.  

This is neither horse-race nor sporting event.  There is no such title and reward distinct from what is already determined: delegates pledged to different candidates going into the National Democratic Party Convention later this year.  Simple boring facts.

The candidates will, of course, step into the media-distorted view and proclaim their fortunes for their own purposes.  The behavior is akin to prize fighters claiming their advance to the title.  There are even metaphors such as “knocked out.”

We are seeing politics in the manner that politics is useful in a democratic society.  Noisy, disruptive, thrashing about, looking for consensus and if not consensus, determination of a way ahead in the face of uncertainty.

There are inside-baseball dramas of course, a feast brought about by failures of accountability and transparency, in the case of the Iowa Caucus operation. 

Although there has now been the equivalent of a public hanging, it remains unclear whether the lessons to be found in that process are being learned.  I’m thinking of the unfortunate introduction of technology and inadequate/absent risk management.

The processes behind the conduct and resolution of elections tend to be good enough until something “too close to call” arises.  Then reforms arise.  The injection of technology and technology fads offering technological cures to technological failures suggest that the lessons about human responsibilities, and our mutual fallibility, are not willingly recognized and learned.

Wednesday, February 12, 2020

nfoCentrale: Longing for Clear Voices

I have had several blogs.  Some of their dormant states are linked on the sidebar here.  My inattention to maintenance of consistent voices on particular themes has led to fracture and confusion (for myself at least) with respect to my Internet presences.

A feature I miss is having separate blogs focused on roughly-consistent themes.  There has been 10 years of neglect since I was flummoxed by breaking-for-me changes in how Blogger worked. Now there is fragmentation of voice to reconcile. 

What a mish-mash!

Some of this has to do with me being so easily distracted and pursuing new shiny things. “Squirrel!”  At the same time, there is also confirmation that the life-cycle of vendor (i.e., Microsoft) products and the continuing-use dependency of end-users are wildly different. 

So many blogs are dormant since 2010 because I failed to come up with appealing replacements.  Self-hosting of Movable Type on nfoCentrale.com and node.js development of hexo-based blogs didn’t pan out and they managed to have little deployment apart from experimentation on Spanner Wingnut. 

Here I am, having traveled full-circle, using Blogger and free blogspot.com hosting.  This restoration of Orcmid’s Lair (and continuation of Orcmid’s Live Hideout) is just one step. 

I remain wary and cautious, faced with tending this octopus’s garden of mine and achievement of some manageable consistency.

Monday, February 10, 2020

Teaching and Research: Front and Back of the Same Hand?

Amy Ko’s article “The false dichotomy of teaching and research” unveils great questions and a personal story.  That's amazing.

Forty years into my career and then retired, I began an M.Sc in IT (I'm ABD though so it is a University of Liverpool diploma for courses without the degree). My thinking was to qualify as an adjunct/lecturer at a place like the U of W. What scared me was teaching taking me away from the scholarly/research pursuits that retirement afforded me. I was and am also wary of academic culture.

Work on the M.Sc, conducted on-line with many discussion assignments, did teach me something unexpected. It confirmed I am a good student, much better than when I dropped out of college in my freshman year.

I had never taken any academic CS courses (though successfully challenged the major for my late-career BA).  The M.Sc courses taught me how much I already knew and understood having grown up in the field.

Before retirement, I once sat down with Terry Winograd (when I was located at PARC) and pondered going to graduate school at Stanford. When he asked why, I said it was because I wanted to do the work. Terry's remark was I was already situated to do that, and if I did not desire to be a professor, I didn't need the graduate school.

I recognize now, as an independent scholar, the value of colleagues and a community where our mutual intellectual juices are nurtured. I get more out of GitHub issues that question and challenge my efforts than almost anything else. I can also confirm seeing how graduate students interact and thrive among themselves. It would be great if there were forums for that, especially for adult learners.

Oh, and I have been a mentor/TA on Coursera MOOCs. How did I manage to forget that? The discussion and sometimes-collaboration opportunities on MOOCs are also rewarding.

Navigating the Rapids of the Long Tail down to the Sea

In 2004, the idea of the Long Tail was promoted in a Wired article by Chris Anderson.  The idea was catchy and the somewhat anecdotal evidence was appealing to many, including myself, blogging about it in 2005.

The Long Tail meme seems to have reached its use-by date.  Hannah McNamee writes, What Happened To The Long Tail (and LongTail.com)?

Although it is considered ironic that Chris Anderson’s own web site of that name has disappeared, I don’t think that defeats the long-tail idea.  Appealing to a power curve model may have been inappropriate, and assuming the long tail is a bigger market is perhaps a grave misunderstanding of how it works.  Yet the long tail does persist, and the ability to search the Internet supports its visibility.  That’s different than being a guide to undertaking eCommerce and making more money.  It is more like having an antiquarian bookstore and a deep social resource, a kind of living almanac, encyclopedia, and yellow pages at our fingertips.  

I am a serious Internet inhabitant, and the ability to connect internationally and temporally is something I am able to thrive with.  I am a long-tail persona among long-tail communities.  Operating without that is unimaginable.  The opportunity has only been available for the last 25 years, mostly in retirement, of my 62-year vocation and I cherish it.

On the downside, apparently spammers do succeed in achieving a long-tail economy, as do opportunistic security/privacy intruders.

Back Story

In addressing the Uncomfortable Truth that Links Are Not Forever, I remarked that I periodically receive emails about broken links in 15-year-old blog posts.  That happened once again regarding links in my 2005-04-02 post on The Long Tail Meme.  On examination of that page I also detected broken links, now repaired, to my own archives under a domain name I have since abandoned in favor of another.

In the latest case, I was offered a substitute for the link to a now-absent web site.  Unfortunately, that breaks the time sense of my 2005 post.  I have provided that link in this new post instead.

I remain heartened that my document-engineering of blogs has the files be on a server that I lease and back up to my private web-development machine, all under source-code control.  Those ancient-in-Internet-terms posts will remain accessible about as long as I do.  I have a virtual Windows XP running obsoleted software that preserves the document-engineering approach that I have sustained all this time and affords means to repair link rot.

I don’t have that capability with my current use of Blogger (or of GitHub).  What I do have, instead, is my own archive of Live Writer originals (for Blogger posts and reposts from other blogs) or Markdown files (in the case of GitHub published pages).  I can repost and make repairs, and I can move posts where Live Writer or Markdown remain workable. I am going through an adjustment period; my efforts have not settled down to some convergent consistency just yet.

Saturday, February 8, 2020

Suspicious Numerals in the Forest of Representations

In speaking of representational ambiguity as it arises in connection with the Miser Project, I realize that such ambiguities should not be surprising.   Representation ambiguities are plentiful in the daily lives of those reading this post.  They arise casually but suffer when incorporated in computer-processed data.

Here’s a value that is relevant in my world: 800-00-0271.  It has the form of a United States Social Security Number (SSN).  It might be one, if it’s established that it was so-assigned to someone by the US Social Security Administration, and if that is the intended usage.

Calling something a Social Security Number because it has the pattern of one is different than claiming it is the SSN of an identified person.  In working around computers, we need to be more careful in distinguishing what a data element might be intended to designate and the simple data form used absent any context.

So far, the “800” is not used in SSNs, and it is used where I see it on the assumption that will never change. 

Something that 800-00-0271 can be is a Student ID Number appearing on a transcript from Regents College of the University of the State of New York.  I attest that I am that student. 

US educational institutions have tended to rely on actual SSNs of students as identifiers for student records and other purposes.  In the State of New York, at the time I registered, the State requested SSNs but did not require them. It was considered illegal to compel SSN for that purpose at that time.  I declined and was provided with a unique identifier having the same form.  It has SSN form because the Student ID Numbers in their systems are mostly SSNs and have that format.  The “800” part is not found in any actual SSN (so far) and that ID number is safely comingled in the college’s records and databases indexed by their Student ID numbers, ones which are most-often also SSNs.
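The distinction between having SSN form and being an SSN can be made explicit in code. The following is an added example, not part of the original post: it checks the form, applies the structural exclusions published by the Social Security Administration (area 000, 666 and 900-999; group 00; serial 0000), and leaves the question of what the value designates to the record's field label. The field names and all sample values other than 800-00-0271 are constructed for illustration.

```python
import re

# ddd-dd-dddd: the *form* only; it says nothing about what the value designates.
SSN_FORM = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")

def ssn_form_check(value):
    """Return (has_form, reasons the value cannot be an issued SSN)."""
    m = SSN_FORM.match(value)
    if not m:
        return False, ["not in ddd-dd-dddd form"]
    area, group, serial = m.groups()
    reasons = []
    # Structural exclusions published by the SSA.
    if area in ("000", "666") or area >= "900":
        reasons.append("area %s is never assigned" % area)
    if group == "00":
        reasons.append("group 00 is never assigned")
    if serial == "0000":
        reasons.append("serial 0000 is never assigned")
    return True, reasons

def describe(field, value):
    """Say what may be claimed about value, given the field it was found in.

    `field` is the record's own label (hypothetical names: "ssn",
    "student_id"); it carries the context that the form cannot.
    """
    has_form, reasons = ssn_form_check(value)
    if not has_form:
        return "%s: not SSN-shaped" % field
    if reasons:
        return "%s: SSN-shaped, cannot be an issued SSN (%s)" % (
            field, "; ".join(reasons))
    if field == "ssn":
        return "ssn: SSN-shaped, plausibly issued; ownership unverified"
    return "%s: SSN-shaped, may or may not also be an SSN" % field

# Sample records: the first value is from the post, the rest are constructed.
SAMPLES = [
    ("student_id", "800-00-0271"),
    ("student_id", "123-45-6789"),
    ("ssn", "900-12-3456"),
    ("note", "8000-0-0271"),
]

if __name__ == "__main__":
    for field, value in SAMPLES:
        print(value, "->", describe(field, value))
```

A scanner that matches on the pattern alone would report every SSN-shaped Student ID as an SSN; keeping the form check separate from the field context avoids that false claim.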

Another case arose recently, with the date of February 2, 2020 being represented as 02-02-2020.  The question is, considering that as representative of a date, is the form mm-dd-yyyy or dd-mm-yyyy?  It can be either, and the form does not reveal the answer.  In this case, it doesn’t matter.  Both forms are satisfied and can be taken to refer to the same date (with agreement about the same calendar).  The differences are apparent when different dates are recorded in different international contexts.  Both forms have been used in the USA in the past.

It might be easier now to understand the International Standard preference for recording dates in form yyyy-mm-dd.  Although only about as well received in the USA as the metric system, this form does tend to be used in the internals of data systems.  If we mean that to be a date somewhere on the planet, the time zone becomes relevant and without it, the expanded form 2020-02-02T02:02 is still representationally ambiguous, assuming of course, that this is intended to represent a local-time date somewhere on the planet.  Then, what about Daylight Time?  In Australia?

[added 2020-02-09T11:03] The “T11:03” here resolves another representational ambiguity.  It is in 24-hour time.  So there need be no concern whether it is AM or PM (T23:03).

[added 2020-02-09T10:53] Although it took a few years too many for Microsoft Outlook to deal with local times and time zones, it now does so and I can record on my calendar a trip starting in one local time (departure) and ending in a different local time (arrival) on the same or different date.  I can also record times from two time zones along a day-calendar page.  I use a pair of UTC and whatever the local time zone I awoke in on a particular day.  The tricky part comes with Daylight switch-overs and the fact that the daylight time status of a date in the past is not retained.  Recurring items can get a little wonky.

[added 2020-02-09T19:10Z] (with the “Z” for Zulu signifying UTC) One case I hadn’t figured out how to manage in all of this is for timestamps on my public web sites.  I author pages on a local machine and file timestamps are in my local time, the way that has always been presented on the Windows file system.  When I FTP changed pages to the public site, they get a different time stamp.  So I can have my FTP utility check and only upload newer pages than those there, I have to specify a time-offset so FTP gets it right.  I fumble this far too often, and passing in and out of Daylight time messes me up even more.  I would love to just use UTC in this context and have not figured out how to accomplish it.  Hmmm.  Maybe if I fudge the clock on the local web-site development server?
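The date and timestamp ambiguities discussed in this post can be detected mechanically. The following is an added example, not part of the original post: it enumerates the readings of an nn-nn-yyyy string under both conventions and classifies an ISO 8601 timestamp by how much time-zone information it carries. The function names and the status strings are choices made for this example, and the sample values other than those quoted in the post are constructed.

```python
from datetime import date, datetime, timedelta

def date_readings(text):
    """Map each convention under which nn-nn-yyyy is a real date to that date."""
    first, second, year = (int(part) for part in text.split("-"))
    readings = {}
    for name, month, day in (("mm-dd-yyyy", first, second),
                             ("dd-mm-yyyy", second, first)):
        try:
            readings[name] = date(year, month, day)
        except ValueError:
            pass  # e.g. month 13: this convention cannot apply
    return readings

def date_status(text):
    """Summarise whether the form leaves the designated date in doubt."""
    readings = date_readings(text)
    distinct = set(readings.values())
    if not distinct:
        return "invalid"
    if len(readings) == 1:
        return "one reading"
    return "same date either way" if len(distinct) == 1 else "ambiguous"

def zone_status(stamp):
    """Classify an ISO 8601 timestamp by the zone information it carries."""
    if stamp.endswith("Z"):  # "Z" (Zulu) signifies UTC
        stamp = stamp[:-1] + "+00:00"
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        return "local time, zone unknown"
    if parsed.utcoffset() == timedelta(0):
        return "UTC"
    return "fixed offset from UTC"

if __name__ == "__main__":
    # 02-02-2020 is from the post; the other two dates are constructed.
    for text in ("02-02-2020", "03-04-2020", "13-04-2020"):
        print(text, "->", date_status(text), date_readings(text))
    # The first two timestamps are from the post; the third is constructed.
    for stamp in ("2020-02-02T02:02", "2020-02-09T19:10Z",
                  "2020-02-09T11:03-08:00"):
        print(stamp, "->", zone_status(stamp))
```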