Much Ado about Technology

He Knows, You Know...

Donald Rumsfeld was the United States Secretary of Defense from 2001 to 2006 under President Bush. He is known for many things, but will always be remembered for his statement of an old truism, as quoted -

Copyright

© 2014, Christopher Ambler

It's been 25 years, I guess I can come clean

By now you're aware that there's yet another security bug, this time in "bash," a "shell" used on many servers. For the non-geeks, the gist of the issue is that a very common and absolutely necessary part of the operating system could, in some reasonable circumstances, allow a malicious user to run any code they want on a server to which they should not have access. This is, of course, a bad thing. The bug, now identified, has been fixed and system operators are rushing to patch their systems with newer versions that don't exhibit the flaw.

It's been over 25 years, so I think I can come clean. I knew of such a bug when I was in college that gave me 100% read access to any file on any system. I couldn't modify them, and this bug didn't let me execute arbitrary code, but if I noticed that you had a file in your home directory called "ChrisIsADoodyHead.txt," I could read it. Even if it was in a closed-off, locked-down directory. While I never had a need to, I could have looked at all of your code for the computer science class we shared and cheated on my homework. And I mean every file on the file system.

I could read all of your email.

After about a year, the bug was discovered, and I was actually beta testing a version of UNIX (SCO - remember SCO?) that had it and I reported it. It took about another year to move through production and be deployed. Remember, these were the days before automatic patching. Most installs were done from a stack of floppy disks and new versions came out yearly. Maybe quarterly, at best.

The point I'm making is twofold. First, these bugs are everywhere and will always be around. Don't be shocked when they're reported. They happen, they get fixed, and the next one comes along. You're going to get burned by them. And yes, evil douchebags are going to exploit them to, say, illegally download nude pictures of celebrities. There's no victim-blaming when I say that you should acknowledge this reality and do what you can to protect yourself.

And my second point, which is the takeaway here, and the reason I've "come clean" after 25 years to make the point: These bugs are in the wild and known right now. Please stop and think about that. Someone, somewhere, is almost surely reading or copying your stuff if it's online. These bugs don't live in obscurity until someone discovers them and immediately fixes them. Someone finds them and uses them for years until someone else discovers them in a more public way. Remember the speculation and then confirmation that the NSA was exploiting a bug for years before it was ever discovered in public? You don't need to take my word for this.

And please don't shoot the messenger.

Full disclosure: I never shared this bug with anyone else in college as far as I remember. I never found anything illegal, and only once found something that, if disclosed, could have caused problems (someone was cheating something seriously in a number of classes). I never said anything. I honestly can't remember ever seeing anything on anyone that was even remotely bad. Email, back then, also was only something shared among geeks, for the most part. There was pretty much no private social online usage. I mostly poked around administrative stuff. This being a time before digital photography, I never even saw any nude selfies :-) Some people may not believe this disclosure, and I'm okay with that.

The move to SSL

Some of you (okay, two of you) may have noticed that this blog is now 100% on SSL. If you try to get to any page here normally, you will find that you're redirected to the HTTPS version of the page.

No, this doesn't mean I'll be adding e-commerce any time soon (well, if the logo that my incredibly talented friend Shawn is working on for me is a hit, maybe I'll offer t-shirts :-)). What it means is that web sites being secure simply as a matter of course resonates with me. There's no compelling reason for this site to be SSL, but there's no reason not to.

And with Google's announcement that SSL sites will get more search engine love, there's a benefit. Google's plan is clear - offer some value for web site owners to go SSL and it will become more comfortable for everyone. Enacting social and technical change through positive reinforcement. I can get behind that.

Changing to HTTPS means a lot of the previous likes and shares won't track, but that's okay. With good change sometimes comes a little pain.

Ello? Ello? Anyone There?

As will happen once or twice a year, we have a new social site that many are prematurely calling the death of Facebook. And as happens even more rarely, it appears to be getting traction towards overcoming the network effect. For those unaware, the "network effect," simply put, states that nobody will use a thing until enough people are using a thing. To overcome this seemingly catch-22 circumstance, you need a degree of interest and virality in a short period of time. It doesn't matter how good something is, if it relies on a critical mass of users, you'll have most people standing around waiting to see if anyone else jumps first, and nobody jumps.

In the case of a very few sites, if you get enough people to jump at the same time, you overcome the initial barrier. Chemistry geeks can consider this the activation energy threshold. Physics geeks can consider this the coefficient of static friction.

LiveJournal did it. Heck, Facebook did it to MySpace.

And yes, there are "tricks" to help. Artificial scarcity, for example - you need an invite to join, and you can ask for one, but you'll have to wait. Never mind that once you're in, you get 10 invites. The laws of simple math will make it clear that getting an invite from a friend should be no problem at all if you're even remotely connected. And this makes total sense to the site's owners, as it biases new signups to people who are connected. Using an invite code also gives you an initial social graph connection (to the person who invited you), thus bootstrapping the graph of the site.

In short, Ello is doing everything right.

And it may or may not matter, because once you overcome the network effect barrier, you still need to keep the users. Just ask Google+. That said, Wil Wheaton is already there. Consider that the low-threshold gating function: his presence doesn't make the site, but his absence would be a statement.

So, for right now, Ello is clean, crisp, simple, and pretty much no better than a somewhat expanded Twitter feed. Friends/Noise has an appeal, but it's pretty basic. Many people want basic, but many more have come to rely on features that Facebook provides. Ello needs to find a way to provide these features, but in a non-cluttering way.

And, of course, the policy - transparency. You own your content. There's no curation and filtering happening. And, in an interesting (and dare I say refreshing) twist, everything is public. Anyone can follow anyone else, and all of your posts are public. It's wide open, and intended to be so from the start.

Some people have a problem with that. This morning, a friend of mine had a post on Ello, "Dear @person, please unfollow me, I only want friends here." Now perhaps @person will comply, but @person is under no mandate to do so. There's nothing my friend can do. Again, there are no private posts on your feed.

From last April: http://betabeat.com/2014/04/would-you-like-your-social-network-to-share-your-content-or-just-monetize-the-bejeesus-out-of-it/

The open question now is what Ello does with the current rush of early adopters. Will they roll out features that everyone wants and loves and maintain the elegant simplicity? Will they stick to their philosophical guns and will the fickle crowd agree? Will there be an initial rush, only to have the novelty wear off like Google+? Only time will tell. I'm keen to wait, watch, and see.

So I'm @dogberry over on Ello. Feel free to follow me.

It's time to nuke password security questions

I'll come right out and say it - password security questions are not only insecure, they're a blatant security hole. They're worse than not being there at all, and for any of a number of reasons.
