
Sunday, August 28, 2016

Trumpism: a transition function to the world of mass disability.

We know the shape of the socioeconomic future for the bottom 40% in the post-globalization, post-AI mass disability world.

But how do we get there? How does a culture transition from memes of independence and southern Christian-capitalist marketarianism to a world where government deeply biases the economy towards low-education employment?

There needs to be a transition function. A transform that is applied to a culture. With the anthropology perspective I’ve long sought, Arlie Hochschild makes the case that Trump is, among other things, a transition function that erases Tea Party Marketarianism and embraces the heresy of government support (albeit for the “deserving”).

In a complex adaptive system we get the transition function we need rather than the one we want. No guarantee we survive it though.


Friday, May 30, 2014

Don't lose the birthdate for your Fakebook account

Yahoo! has been an excellent spam-mail service. I use my Yahoo email whenever I want to avoid spam — such as when I have to deal with Ticketmaster.

I have a “spam” Facebook account too — I use it for sites that trade services for the right to access my Facebook timeline, friends, etc. My Fakebook account has no friends and no information, nothing except a birthdate that turns off the most obnoxious Facebook ads (70+). I’m happy to give it out.

Alas, I forgot the birthdate I made up. So when I tried to use my Fakebook account from a new machine I couldn’t answer Facebook’s authentication test — even though I knew the password. My account was locked out.

Fortunately it worked from home, and I’ve since added my Fakebook birthdate to my password database.

Now you know — when you create a Fakebook account, don’t forget the birthdate.

Saturday, November 16, 2013

Managing the Facebook Problem

Facebook Reasserts Posts Can Be Used to Advertise. So if I click "Like" on a new offering by Encyclopedia Britannica, my Facebook friends (friends of friends of friends?) will see that in their ad stream and EB will be charged a click fee.

Since my Facebook friends and family members are into sex dolls and bondage they'll be terribly offended by my boring tastes and stop sending me party invitations.

It's the same story with Google+ of course, but G+ isn't a Problem. That's because by the time G+ came out we all knew the rules of the game. My 2011 TrueName G+ account lasted about two weeks; I use G+ services today through my John Gordon and corporate/professional identities.

The Facebook Problem is that I started using it when I was young and stupid - and I still value it. It's been a good way to keep our distant family members connected, and keep connections to old friends. Facebook Pages have worked well for the kids sports teams and especially for following notifications from local non-profits, selected businesses, and government.  

So... a bit of a conundrum. Were I to start using Facebook today I'd use a 3rd synthetic identity, bringing the total [3] to four (each of these has its own Chrome Profile - which works better on Windows than OS X):

  • Public geek: John Gordon. (Once we'd have said "intellectual", but geek is less pretentious and certainly accurate in my case.) I switched my blogs from my TrueName to John Gordon in June 2005.
  • Corporate-Net/Professional: Today that's LinkedIn and a G+ account at this time.
  • TrueName: This is John Gordon F.... Once it led to a web site, an Amazon account and a Google Profile. Most of those are gone.
  • FriendsAndFamily: Something like John Lanan -- where the last name might be somewhat unique but not too unique.

So can I do with Facebook what I did with my net identity in 2005 [1]?
 
Maybe -- for the moment anyway. Facebook allows one username change and a "limited number" of name changes -- though the new name is supposed to be a RealName and was designed for American marriage/divorce practices. Pseudonym use is a violation of Facebook's TOS. (Remember the 2010 Google Buzz and 2011 G+ TrueName wars? Charles Stross's rant is still a classic, he's still not on G+ [2])
 
I may do the Facebook name change - at least as a stopgap measure. I already have a separate locked down pseudonymous Facebook account with zero followers, I'll migrate to that account for subscribing to Page activities and managing Pages. I'll remove my image and identifying information from Facebook, and switch the phone to a GoogleVoice/Hangout number associated with one of my many non-TrueName Google identities. My oldest child has a Facebook account, but I think the younger two will go elsewhere.
 
I rather doubt Facebook will miss me, but I will miss the good things Facebook brought me.
 
- fn - 

[1] My TrueName is fairly unusual, but happily there's now an actor with the same name. He's almost as handsome as I am, and his images have swamped mine. It didn't take long for Google to more or less forget about me, the dominant hit with my TrueName is my public LinkedIn profile. 

[2] Charlie has a popular Twitter account and might worry about where Twitter is going, but as a professional writer he can't separate his professional and personal identities as easily as I can. I think he's always considered his Twitter identity to be both a professional and public intellectual identity.

[3] I'm simplifying. My iPhone's user-resettable advertising identifier is an effective identity, and iCloud/AppleID is a non-public identity related to a set of services not including email.


Update: As part of my migration I made a Facebook profile picture which no doubt violates TOS.

JF FB Page

Here's the latest iteration -- my first ever use of Acorn.app (and not quite kosher because it's a section of an Apple owned desktop image, but I'm iterating...)

FacebookJF

 

Sunday, March 03, 2013

What Evernote reminded me about my Cloud services - and my 2013 security policies

Evernote was hacked, and they mandated a global password reset.

It's not surprising Evernote was hacked. As Schneier wrote a few days ago about waterhole and precision phishing ...

Schneier on Security: Phishing Has Gotten Very Good

... Against a sufficiently skilled, funded, and motivated adversary, no network is secure. Period. Attack is much easier than defense, and the reason we've been doing so well for so long is that most attackers are content to attack the most insecure networks and leave the rest alone.

... If the attacker wants you specifically ...  relative security is irrelevant. What matters is whether or not your security is better than the attackers' skill. And so often it's not.

Schneier quotes former NSA Information Assurance Director Brian Snow: "... your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents".

It's likely some of Evernote's 50 million customers are of interest to major opponents, so it's not surprising their defenses were inadequate [1].

I don't make much use of Evernote, but I did a password reset anyway. Which is when I discovered ...

  • I was still using my non-robust 'evaluation period' password with Evernote. [2]
  • I was using said weak pw with test data that included photographs of the children's passports and my old PalmOS notes
  • I never purged my Evernote account when I decided not to use them (I went with Simplenote/Notational Velocity instead.)

Wow, by my standards that's quite a fail. When Cue.app failed a recent evaluation, I deleted my test data immediately. In the case of Evernote I may yet sign with them, so after I reset my password to something robust I merely deleted my old data [3].
 
All of which has led me to update my now laughably quaint 2010 lessons learned and security risks summary. Here's my current list. It's far from perfect; I'd like to say I avoid all services that use 'security questions' and high-risk reset procedures, but then I'd use nothing.

  1. If data is in the Cloud, and you do not personally hold the only encryption keys, it is 2/3 public. Treat it that way.
  2. Clean up your services. If you aren't using a Cloud service delete the account or your data.
  3. Obviously, don't reuse important credentials, use a password manager (ex: 1Password [4])
  4. Use Google two factor for your most critical Google credentials, even though it has a longstanding egregiously stupid security hole and it's still a PITA to use.
  5. Use iOS for mobile and OS X Mountain Lion for desktop.
  6. On OS X desktop do not use Oracle Java plugin or runtime, Flash or Acrobat.
  7. On OS X desktop run as a non-admin user and enter your admin password with caution.
  8. Buy OS X software through the App Store unless you have exceptional trust in the vendor.
  9. Don't use OAUTH or OpenID on sites you really care about. For one thing, a password change doesn't repudiate OAUTH credentials on most sites. For another, it introduces too much complexity and side-effects and it's too hard to remember which OAUTH provider goes with which OAUTH service.
  10. Do not rely on encryption solutions that auto-open on login. (ex: iOS screen trivial bypass bug). I use encrypted disk images with no keychain pw storage on OS X desktop for my most critical data and I use 1Password on my iOS devices in addition to a (currently hackable) screen lock code.
  11. If something is really, really, secret, don't put it on a computer and especially don't put it on a networked computer. (I don't personally have anything that secret.) 
  12. Whether you're on the Net or on your own machine, remember Gordon's Five Levels of Information Affection [5] and manage accordingly:

Yeah, civilians can't do this stuff. I tell normal folk to use iOS and iCloud and treat everything they have as Public data. If they want something to be secret, don't put it on a computer.
 
 - fn -

[1] Among which antiviral software is worse than a snowball in Hell. At least the snowball will be transiently drinkable.

[2] An easy to remember and easy to break pw that I use for things I don't care about.

[3] The web UI doesn't support 'delete all notes', but if you create an empty notebook you can delete all non-empty notebooks, and associated notes, one at a time. Then empty trash. Of course the data will likely exist in Evernote backups for some time, possibly to be pillaged post-bankruptcy. Tags are not deleted.

[4] Note, however, the unanticipated consequences of strong security in cases of death, disability or disappearance

[5] aka Five tiers of data love, from Google's two factor authentication and why you need four OpenID accounts.

I: You want it? Take it.
II: I'd rather you didn't.
III: Help!! Help!!
IV: I'll fight you for it.
V: Kreegah bundolo! Kill!!


Saturday, February 16, 2013

Preparing for the inevitable - Google Docs for the "Not available" letter

Yes, it happens. We die. Short of death, we can be lost in the wilderness, imprisoned by whackos, captured by space aliens, comatose, or gone.

This has always been inconvenient for those left behind, but in the digital age it's particularly inconvenient. We don't use biometric authentication yet, but user names, passwords and the locations of things are bad enough. (Imagine when we do biometrics...).

So how does one communicate this key information 'from the other side'? What method is most likely to work? Where should the information be stored and how should it be shared?

After playing around with a few options I've settled on a basic Google Doc that is shared with my wife [2], my brother, our executor, and several relatives and friends. We all use Google, and I assume access to a shared document will survive my demise. As a document of course it's simple to print a paper or PDF version that can go with our will. The paper version will include the URL of the shared Google Doc and directions on how to access it -- the paper version is a backup. This isn't a legally binding document but it's advisory so it's good to know the "source of truth" and it's handy to be able to see all prior versions and edits over time.

As a shared document it's somewhat private, but potentially public. It won't hold any truly confidential information.

Since it's a Google Doc there will be a synchronized copy on my Google Drive; a copy whose name, at least, is Spotlight indexed. The information is fairly robust -- anything that would take out all copies of the documents for all users would probably make my estate irrelevant.

Lastly, but not leastly [1], it's easy for me to edit. So I can put together an outline and gradually fill in the bits as I think of them. Odds are I'll get thirty years to work on it.

But you never know.

Here's the current outline, I'm sure it will expand.

  • Metadata: Title, author, last revised.
  • About: Describes use, includes URL on Google.[3]
  • Passwords and Combinations: Where my 1Password archive is and how to get to it -- including the location of a backup copy of the global password (paper). Where I keep the simple household combinations.
  • Backups: Where my backups are (office and home) in case of need.
  • Money: Where the money is. This is most important if both Emily and I are taken out by an errant meteoroid.
  • Domains: I own about a dozen domain names. Some are worth money, some provide access to digital content the kids might want.
  • Photo archive: How to get the family pictures.
  • Media archive: Probably not a top priority, but no reason the tunes should go.
  • Kateva: Dogs don't get into wills, but executors look for advice on canine provisions. I suppose I'll say something about the gerbil too.
  • What goes to which kid: This is the dangerous part. Who gets the Family domain? Who gets the wedding ring? (Ok, the last one is easy, we have only 1 daughter.) It is something I need to do though.
  • Dispensing of "John Gordon" (not my TrueName) - including the blogs.

[1] That really should be a word.

[2] Once it's set up I'll make her 'owner' and I'll keep edit privileges. Helps with survivorship. She can do the same for me of course.

[3] Almost impossible to type. Since the data isn't super-secure I used Google's URL shortening service to create something one could read off a paper version and type in a browser.


Update:

As I worked on this my outline grew. I also realized, with mild horror, that if the server were lost or destroyed my estate would need the passwords to my encrypted offsite backups. "Best" security practices are hell on an Estate. For example -- Google two factor. What if my phone is gone too?!

Friday, September 14, 2012

The Cosmo story, the facade of online security, and the US Postal Service.

Mat Honan, who is making a career out of being hacked, has a solid profile of a juvenile delinquent hacker [1] - "Derek", alias Cosmo (Cosmo, the Hacker 'God' Who Fell to Earth, via Schneier).

"Derek" is a troubled kid, but, in addition to hurting a lot of people, he's also done us a favor. He's become the latest in a series of people exposing the facade of online security.

Unsurprisingly AOL is the worst -- until recently you could reset someone's account just by knowing their address. Apple, Amazon, Netflix and just about everyone else aren't much better. Only Google makes a good try at it, and they just plugged a big hole.

This won't surprise anyone who knows the history of credit card hacks (example). The reasons are fairly easy to understand:

  1. If your iCloud account is hacked, Apple loses approximately nothing.
  2. Good processes and security are expensive. You have to train staff. To prevent one hack you probably have to irreversibly piss off somewhere between 10 and 1000 customers. Each of these customers will rage to at least five friends.
  3. Less than 1 person in a zillion can manage password security, and that person's family will be completely screwed when they run off or die [2].

What we have here is a market failure. Market failures are one reason we have governments.

Governments, particularly post offices, have managed identities for a long time. Passports for example, are managed by Post and Passport Offices. There are laws and procedures in place.

Digital identity management in most nations will eventually be handled by some cooperative mixture of government and business within a regulatory framework. We'll use multi-factor authentication, and we will have "break the glass" functionality available through government when access is lost (for a fee).

Preposterous? No. Six years ago these kinds of proposals generated snort-milk-out-the-nose laughter. I don't hear the laughter any more. It will take a decade, just because these things always stagger on for longer than I can imagine, but it will eventually happen.


[1] Steve Jobs was the most famous member of this cohort.
[2] Number of people who have both a highly secure password system and a method to pass information to spouse in event of death or disability? Does your spouse have your list of ten Google two-factor bypass codes? What if s/he dies in the car crash with you? Does your estate have them?

Monday, August 06, 2012

Net security is completely broken

Mat Honan was thoroughly hacked, including having his iCloud-linked computers obliterated [1], because our net security infrastructure is completely broken.

Here's just one bit of the hack ...

How Apple and Amazon Security Flaws Led to My Epic Hacking | Gadget Lab | Wired.com

... It turns out, a billing address and the last four digits of a credit card number are the only two pieces of information anyone needs to get into your iCloud account. Once supplied, Apple will issue a temporary password, and that password grants access to iCloud...

... First you call Amazon and tell them you are the account holder, and want to add a credit card number to the account. All you need is the name on the account, an associated e-mail address, and the billing address. Amazon then allows you to input a new credit card. (Wired used a bogus credit card number from a website that generates fake card numbers [1] that conform with the industry’s published self-check algorithm.) Then you hang up.

Next you call back, and tell Amazon that you’ve lost access to your account. Upon providing a name, billing address, and the new credit card number you gave the company on the prior call, Amazon will allow you to add a new e-mail address to the account. From here, you go to the Amazon website, and send a password reset to the new e-mail account. This allows you to see all the credit cards on file for the account — not the complete numbers, just the last four digits. But, as we know, Apple only needs those last four digits. We asked Amazon to comment on its security policy, but didn’t have anything to share by press time....

That sound you hear is the hollow laughter of Bruce Schneier, who used to write about the madness of 'secret questions' before the sheer stupidity of it all wore him down.

It's all broke guys.

Once upon a time civilians [2] used the same password everywhere. Smart civilians made it a bit harder to guess, like "Joseph45206". They knew their passwords.

They were hacked of course. So companies began insisting on more robust passwords. Civilians stopped remembering their passwords. So they took to requesting password resets whenever their browsers forgot a password. Except email addresses fade away, so resets often failed. Then sites started asking 'secret questions' to do resets, but nobody remembers the answer they gave to their #$! secret question [3]. So now Apple support basically hands over credentials to nice sounding voices.

This system can't be fixed.

Phone based two-factor might help, but I've been using Google's two-factor since day 1 and it's still a royal pain in the ass. It's strictly for geeks. Not to mention what happens when you lose your phone.

We need to give Schneier a few drinks and get him to talk about this again. Failing that:

  1. Backup for Darwin's sake.
  2. Don't enable remote wipe of Mac OS X hardware. Just encrypt it.
  3. Use Google two-factor (two-step verification) if you are a geek and can stomach it.
  4. Fear the Cloud. Keep the data you value most close to you.
  5. Don't use iCloud.
  6. Don't trust Apple to get anything right that involves the Internet and/or Identity. [4]

Not being Schneier my advice isn't worth much, but fwiw I suspect the "solution" is:

  1. Get rid of the secret security question.
  2. Strictly limit password resets. If someone lost last access, charge them $50 to go to bank, post office or notary to establish their identity.
  3. Incorporate biometrics (thumb print and speech probably).

[1] Of course he didn't have backups. Don't beat him up about that, he's busy flogging himself.
[2] As opposed to geeks with 15 yo FileMaker password databases stored on encrypted disk images. 
[3] Unless they've added a $!%!%$! secret question field to the #$!#$ FileMaker encrypted disk image database and the answer to the secret question is something like: "4hgoghi4ohh4tt".
[4] Apple needs to pay their executives less and their geeks more. 

Saturday, March 10, 2012

iCloud, iOS, and identity: The end of app sharing

I don't think we'll actually get to DRM RetinaLock (retinal enhancements enforce video DRM), but we are pretty much at the "Palladium" future I'd written about 8 years ago.

That's what I concluded after migrating a friend's iTunes and iOS content, and navigating the chaotic intersection of Digital Rights Management (FairPlay), identity management, ownership identity, and Cloud vs. multi-device iTunes vs. multi-user OS X. Not to mention the MobileMe vs. iCloud migration.

Really, has anyone figured this out? I mean, I think I'm pretty good at this stuff, but we're talking combinatorial explosion here. Different rules for email, calendar, music, video, apps, across multiple identities and platforms -- with no way to merge or reconcile multiple identities...

Apple IDs and iCloud

... Enter the Apple ID you want to use for iCloud in Apple menu > System Preferences > iCloud. Enter the Apple ID you want to use for store purchases (including iTunes in the Cloud and iTunes Match) in iTunes > iTunes Store... [1]

... You cannot merge two or more Apple IDs into a single one...

... You can switch the Apple ID you use for store purchases at any time. However, you can only change the account you use for any iTunes in the Cloud features once every 90 days...

and (emphases mine)

iTunes Store: Associating a device or computer to your Apple ID

... Your Apple ID can have up to 10 devices and computers (combined) associated with it. Each computer must also be authorized using the same Apple ID. Once a device or computer is associated with your Apple ID, you cannot associate that device or computer with another Apple ID for 90 days...

... : Removing a device from your Apple ID does not override the 90 day timer. The timer must complete 90 days from the day the device was associated before it can be associated to another Apple ID....

Only a post-singular AI could truly visualize all the options here.

It's fairly clear, however, where Apple wants us to go.

Today my family's five devices sync to one iTunes instance. Each device has the same AppleID for store purchases, but different MobileMe identities. The family can share movies, apps, music and so on. [2] Mail and Calendars for each device go to the Cloud.

The future is quite different. There will be no more iTunes, no more shared media libraries, no more shared app libraries. Each iOS device will be associated with a single identity for both purchasing and iCloud services. (Though a child's identity may be associated with a parent's credit card, or purchases will be iTunes credit only.) OS X will become only a way to access Cloud media, and that access will be tied to identity as well.

My sympathy for piracy grows.

- fn -

[1] In reality, when I reviewed my friend's devices, it was not possible to set a different Apple ID for iCloud.
[2] Heaven knows what the licensing says we can do. Only some older music is DRMd.


Update:

More on the peculiar 90 day limit here. It seems to pertain to 'downloading past purchases' or iTunes Match. It applies to the entire computer rather than a user account. What a friggin' mess.

Update 2: More thoughts as I replay this post

  • I wonder if the 90 day limit will eventually be a standard for transferring ownership of digital purchases. I can't find any information on how that duration was established.
  • I suspect in a few years there will be a lot of digital material in the family repository that only I will be able to use. Ownership transfer would be "nice". Hacking FairPlay is more likely (eventually 2012 FairPlay should be pretty hackable).
  • With Apple's new regime there are significant advantages to combining Apple hardware with Google and Amazon products. After all, they can't fit into Apple's model. In the new world we can't share our iBooks, but everyone can share Kindle books. A shared Apple identity may prevent use of iCloud, but it won't prevent use of gCloud.
  • Curiously, this may mean the return of family night at the movies! Instead of sharing across multiple devices, we'll be back to sharing on a single device with a large screen.

Saturday, February 04, 2012

Google and Facebook: how Chrome supports life with a dully evil corporation

Just three years ago Facebook's Gordon's Evil Score was 12, and Google was a mere 6. Today, 3 months after Google's day of infamy, I'd give Google 10, Facebook 8, and Apple a 6. (Philip Morris gets 15. Evil is relative.)

These days Facebook is less evil than Google 2.0, probably because Facebook has been on pre-IPO best behavior. Post-IPO I expect 'em to hang with Google in the gray zone of generic AT&T-style corporate badness. After all, both companies package and sell us.

So why is Facebook's badness boring, and Google's badness Bad?

It's because we always knew Facebook was evil. I never gave FB anything I couldn't walk away from. If Facebook went away tomorrow, I'd be slightly sad.

Google though, Google once made me smarter. Our family uses Google Apps. My shared images are in Google's web albums. A lot of my external memory is Google dependent (so losing Google Reader shares felt like a mini-lobotomy). Google search, born in the day of the ad-infested Portal, was beautiful.

Google though, Google was going to make free the world's knowledge.

Google though, Google wants to build a sentient AI. Do we want our first sentient AI born of our bad parents?

That's why Google's Page-driven race to the Darkseid matters a lot more than Facebook's perennial villainy. We loved Google, we trusted Google, we married Google and made Data together -- and we were chumps. (Some of us are still in denial.)

What now? Well, Google hasn't turned into Philip Morris -- and it probably never will. They've just become as evil as most publicly traded corporations -- and a lot of us work for those. Besides, we can't completely divorce. Think of the Data. [1]

So I'm still living with Google. Yeah, I did try Bing. Have you ever used Bing? Go and give it a try. I'll wait here for a while. Right. Even EvilGoogle is better than Bing.

I'm living with Google, but I'm keeping my distance. Coincidentally (?) Chrome recently made this much easier.

Chrome now supports client-side identity management. On my Mac the Preferences:Personal Stuff menu has a "Users" section. A "User" is simply a separate identity, where an "identity" is a set of cookies, credentials, bookmarks, cache and so on. Optionally, a "User" on Chrome can be associated with a Google account, and Chrome/Google credentials and bookmarks sync between those accounts. These don't have to be Google+ accounts [2]. If you link a Chrome User to a non-Google+ account, you're basically using GoogleMinus. That's what I do.

In Chrome I currently switch between 5 Users as needed, each with a paired Google account. One user is my original TrueName "113" Google account. I deleted that account's G+ Profile, so this "User" gives me something of an old-style GoogleMinus experience. This account owns my Google Docs, my Email, my Calendar, and way too many Google properties to remember (including the remnants of Google Reader social.)

I use my G+ John Gordon identity with Blogger [3] and Google Reader (I moved GR subscriptions over to this account). I have yet another identity associated with my corporate work, another with our family domain, and then 1-2 more to make it easy to switch between the kids' Google accounts [4].

Google Chrome has made it easier to live with Google 2.0, but it's an uneasy relationship. Evil Facebook is fine -- because I don't care. Evil Google is not a good long term relationship. I'm seeing other services now, services like Pinboard.in and the shared items I post there. It will take decades, but I'm hoping true alternatives to Google will emerge. Alternatives that charge real money for their services. That's how I'll know they're worth being with.

[1] It's no coincidence that when Google turned evil, the Data Liberation team fell silent.
[2] For now, though in future that might be impossible to avoid.
[3] Google's blogs can have multiple contributors, so I just made John Gordon an admin on blogs that started with John F. as admin. Early on Google forbade pseudonyms in G+ accounts; now they only require that pseudonyms "appear" to be well formed, generic names not associated with celebrities or historic figures.
[4] All through our family domain. They don't know the passwords.


Tuesday, January 31, 2012

Peak Oil 2005?

FuturePundit: 2005 Seen As Oil Supply Tipping Point:

Commentary in Nature: Can economy bear what oil prices have in store?

Stop wrangling over global warming and instead reduce fossil-fuel use for the sake of the global economy.

That's the message from two scientists, one from the University of Washington and one from the University of Oxford in the United Kingdom, who say in the current issue of the journal Nature (Jan. 26) that the economic pain of a flattening oil supply will trump the environment as a reason to curb the use of fossil fuels.

"Given our fossil-fuel dependent economies, this is more urgent and has a shorter time frame than global climate change," says James W. Murray, UW professor of oceanography, who wrote the Nature commentary with David King, director of Oxford's Smith School of Enterprise and the Environment.

The "tipping point" for oil supply appears to have occurred around 2005, says Murray, who compared world crude oil production with world prices going back to 1998. Before 2005, supply of regular crude oil was elastic and increased in response to price increases. Since then, production appears to have hit a wall at 75 million barrels per day in spite of price increases of 15 percent each year...

In 2007 I thought we'd started a long rise in gasoline prices, but today's gas pump price in MN is pretty much the same as in May 2007. (US consumption is, I believe, lower than it was in 2007.) We're still years away from $7/gallon gas in the US.

Even then I didn't imagine we'd hit a production wall in 2005; when I've written about "peak oil" I've meant simply that increasing demand will outstrip increasing supply of light 'sweet' crude.

Murray and King's prediction is far more severe than anything I've considered.

Friday, December 02, 2011

The AI Age: Siri and Me

Memory is just a story we believe.

I remember that when I was on a city bus, and so perhaps 8 years old, a friend showed me a "library card". I was amazed, but I knew that libraries were made for me.

When I saw the web ... No, not the web. It was Gopher. I read the minutes of a town meeting in New Zealand. I knew it was made for me. Alta Vista - same thing.

Siri too. It's slow, but I'm good with adjusting my pace and dialect. We've been in the post-AI world for over a decade, but Siri is the mind with a name.

A simple mind, to be sure. Even so, Kurzweil isn't as funny as he used to be; maybe Siri's children will be here before 2100 after all.

In the meantime, we get squeezed...

Artificial intelligence: Difference Engine: Luddite legacy | The Economist

... if the Luddite Fallacy (as it has become known in development economics) were true, we would all be out of work by now—as a result of the compounding effects of productivity. While technological progress may cause workers with out-dated skills to become redundant, the past two centuries have shown that the idea that increasing productivity leads axiomatically to widespread unemployment is nonsense...

[there is]... the disturbing thought that, sluggish business cycles aside, America's current employment woes stem from a precipitous and permanent change caused by not too little technological progress, but too much. The evidence is irrefutable that computerised automation, networks and artificial intelligence (AI)—including machine-learning, language-translation, and speech- and pattern-recognition software—are beginning to render many jobs simply obsolete....

... The argument against the Luddite Fallacy rests on two assumptions: one is that machines are tools used by workers to increase their productivity; the other is that the majority of workers are capable of becoming machine operators. What happens when these assumptions cease to apply—when machines are smart enough to become workers? In other words, when capital becomes labour. At that point, the Luddite Fallacy looks rather less fallacious.

This is what Jeremy Rifkin, a social critic, was driving at in his book, “The End of Work”, published in 1995. Though not the first to do so, Mr Rifkin argued prophetically that society was entering a new phase—one in which fewer and fewer workers would be needed to produce all the goods and services consumed. “In the years ahead,” he wrote, “more sophisticated software technologies are going to bring civilisation ever closer to a near-workerless world.”

...In 2009, Martin Ford, a software entrepreneur from Silicon Valley, noted in “The Lights in the Tunnel” that new occupations created by technology—web coders, mobile-phone salesmen, wind-turbine technicians and so on—represent a tiny fraction of employment... In his analysis, Mr Ford noted how technology and innovation improve productivity exponentially, while human consumption increases in a more linear fashion.... Mr Ford has identified over 50m jobs in America—nearly 40% of all employment—which, to a greater or lesser extent, could be performed by a piece of software running on a computer...

In their recent book, “Race Against the Machine”, Erik Brynjolfsson and Andrew McAfee from the Massachusetts Institute of Technology agree with Mr Ford's analysis—namely, that the jobs lost since the Great Recession are unlikely to return. They agree, too, that the brunt of the shake-out will be borne by middle-income knowledge workers, including those in the retail, legal and information industries...

Even in the near term, the US Labor Department predicts that the 17% of US workers in "office and administrative support" will be replaced by automation.

It's not only the winners of the 1st world birth lottery that are threatened.

 China's Foxconn (Taiwan based) employs about 1 million people. Many of them will be replaced by robots.

It's disruptive, but given time we could adjust. Today's AIs aren't tweaking the permeability of free space; there are still a few things we do better than they. We also have complementary cognitive biases; a neurotypical human with an AI in the pocket will do things few unaided humans can do. Perhaps even a 2045 AI will keep human pets for their unexpected insights. Either way, it's a job.

Perhaps more interestingly, a cognitively disabled human with a personal AI may be able to take on work that is now impossible.

Economically, of course, the productivity/consumption circuit has to close. AIs don't (yet) buy info-porn. If .1% of humans get 80% of revenue, then they'll be taxed at 90% marginal rates and the 99.9% will do subsidized labor. That's what we do for special needs adults now, and we're all special needs eventually.

So, given time, we can adjust. Problem is, we won't get time. We will need to adjust even as our world transforms exponentially. It could be tricky.

Sunday, November 06, 2011

The sharing challenge: access, topic and identity. Why G+ fails.

Setting aside the act of mass datacide that moved Google up my corporate evil scale, G+ suffers from a fundamental Circle problem. It may be an attempt to work around Facebook patents rather than a misguided design, but either way it doesn't work.

G+ provides these tools for publication and subscription:

  • A single identity. (In this case, identity is equivalent to a maximal set of Identity-Circles + Public)
  • Circle: both Access Control and Topic definition and Subscription-filter option
  • Person level blocks

These aren't sufficient. They put far too much of a burden on the publisher to create and maintain a multitude of Circles that pre-coordinate Access Control and Topic definition [1]. The pre-coordination work fails due to combinatorial explosion [2].

A full set of controls looks like this.

  • Multiple identity: where identity is a set of access controls and topic definitions.
  • Access controls: who can see what.
  • Topic definitions: what are the topics, so subscribers who can see a stream can choose what they follow within that stream
  • Person blocks: hide all comments from a person

A full set of controls seems more complex, but the workload largely falls on the Publisher, not the consumer -- and the combinatorial explosion problem is resolved. Subscribers choose which topic to follow. Unfollowing all topics is equivalent to blocking a person's posts but not their comments.

Google Reader Social had no access controls (that I remember), but it did allow multiple identities (an identity is equivalent to a subset of topics). The topic controls were very weak (subscribe to tags - almost never used), but the UI made it very easy to pick items of interest from a large stream. The G+ UI makes the combinatorial problem much more significant.

Google has promised pseudonym support. That will be roughly equivalent to a subset operation on Circles. Boolean operations on Circles would also somewhat alleviate the publisher combinatorial problem.

Alleviate, but not eliminate. Sooner or later, G+ will need to separate access control from topic definition.

(I'm grateful to a G+ comment from Peter C that helped me think this through.)

[1] Note to the 3 people on earth who'd probably appreciate this: this is identical to the pre- and post-coordination problems that bedevil anyone who works with concept-based knowledge representation ontologies, including clinical terminologies/vocabularies like SNOMED and (yech) ICD-10-CM and ICD-10-PCS.
[2] A Sept 2011 WSJ post on "injury by falling turtle" in ICD-10-CM causes of injury illustrates this also. See #1.

Saturday, October 08, 2011

Anonymous

Google is trying to enforce full transparency in their large corner of the web. I think they're making a terrible mistake.

I can see why they do it though. Most large sites can't handle the spam attacks routed through anonymous posting.

Gordon's Notes, though, we're not so big. Most of the comments I get are anonymous (excepting Martin and MaysonicWrites). Many of them are excellent. Fortunately Google's AI is now pretty good at killing the spam attacks, so I can easily manage the low volumes I get. [1].

Anonymity is something a *cough* specialty blog like GN can support.

[1] Sure would help if Google gave me an RSS feed of comment counts though - so I know there are new ones to inspect. As it is, comments go immediately to recent posts and I get a notice by email, but older post comments can sit around until I notice and authorize them.

Wednesday, August 31, 2011

Google's identity failure: recreating the joy of Buzz

Google + requires us to use our "true name". In my case John F, not "John Gordon" or any of my other aliases.

Charlie Stross has a good rant on why this is a bad idea. He finishes with a set of solid recommendations (emphases mine) ...

Google is wrong about the root cause of online trolling and other forms of sociopathic behaviour. It's nothing to do with anonymity. Rather, it's to do with the evanescence of online identity. People who have long term online identities (regardless of whether they're pseudonymous or not) tend to protect their reputations. Trolls, in contrast, use throw-away identities because it's not a real identity to them: it's a sock puppet they wave in the face of their victim to torment them. Forcing people to use their real name online won't magically induce civility: the trolls don't care. Identity, to them, is something that exists in the room with the big blue ceiling, away from the keyboard. Stuff in the glowing screen is imaginary and of no consequence.

If Google want to do it right, they're going to have to ditch their naming policy completely and redo from scratch.

To get it right, they need to acknowledge that not everyone has a name of the form John Smith or Jane Doe; that not everyone uses the same character set or same number of names. They might be able to get away with insisting on a name that appears on a piece of government-issued ID; but then they need to acknowledge that people have legitimate reasons for using one or more pseudonyms, allow users to register pseudonyms associated with that name, attach pseudonyms to different (or even overlapping) circles of friends, and give the user a "keep my real name secret" check-button. Then and only then they'll begin to develop a system that has some hope of working.

I can't improve on Charlie's rant. He's one of many, but he says it well.

Unfortunately, this isn't the first time Google got it wrong. They made the exact same mistake with the Buzz Profile. I wrote about that over a year ago ...

Gordon's Notes: The Buzz profile problem: I am Legion (feb 2010)

I am father, brother, in-law, son, and spouse. I am coach. I am volunteer. I am citizen and activist. I am a physician. I am an (adjunct) professor. I am an oddity in a large, conservative, publicly traded corporation. In the corporation I am a team member, known to some customers, occasionally publicly facing, known in various ways and various places. I have other roles and have had many more over time.

I am Legion. So are most middle-aged persons.

Only one person knows all the roles and all of the stories that are not excruciatingly boring (hi Emily).

That’s the problem with Google Buzz, and why my Google Profile doesn’t include my pseudonymous (John Gordon) blog postings or my Google Shared items.

Buzz is tightly linked to my Google Profile, and my Profile is trivially discoverable. I don’t want corporate HR or a customer or business partner to instantly know that I’m a commie pinko Obamafanboy with a dysfunctional Steve Jobs relationship.

I have LinkedIn as my bland corporate face, and, despite Facebook’s innate evilness, a FB profile for friends and family. Inside the corporation I’ve a blog that serves as a limited persona.

We all have many roles, identities, avatars, personae, limited liability personae, characters, facets and so on. The problem with Buzz today is that it’s tied to the Google Profile, and that profile is the closest thing to my unified public face. It crosses boundaries. So it can only hold the limited information channels that are available to all.

Google hasn't learned enough from the disastrous failure of Buzz. They're repeating old mistakes, and seeing old results. Already G+ activity seems to be falling, and losing people like Stross isn't helping.

This can be fixed. Like Charlie says - give us a hard identity that the police can track if need be. Tie it to credit cards. Heck, for a fee "validate it" so we can better protect ourselves against identity theft. Then give us as many pseudonyms as we want, and give us tools to manage them while keeping our TrueName to ourselves.

Thursday, July 07, 2011

G+ impressions mine

With the help of a few friends, I somehow slipped through this narrow window into Google Plus (my G+ profile, which has lost its vanity URL for the moment) ...

Google+ For Businesses Coming Later This Year -- InformationWeek

... Google+, the company's recently introduced set of social communication services, briefly opened to new participants last night, between about 7pm PDT and 9:40pm PDT. Google engineering director David Besbris, in a Google+ post, said that the Google+ field trial is going well and that Google is seeking to double the undisclosed size of the field trial...

It's good. After Wave and Buzz failed, and Google Reader Share succeeded but got no love, G+ works. So far Streams is a smarter, better version of Facebook personal Pages (no corporate/org/group equivalents, however). I don't think it's more complex than Facebook; FB at best is only transiently comprehensible. As soon as I figure it out, the rules change.

FB's constant attempts to hack their own customers have pissed off so many users, including my wife, that G+ has a pretty good chance to compete. At the very least, it should own the Android demographic. Whether iG+ gets the iPhone crowd or not depends on the shaky state of the Apple-Google detente. At the very least, G+ strengthens Apple's hand with both FB and Twitter.

Some quick impressions of my own ...

  • I'm looking forward to the day when Google moves Google Reader Shares/Notes into the Streams framework, closes Buzz, and makes Streams/Sparks the "comment" framework for Google Blogs. Until then G+ will be fun to play with; after that I'll be spending a lot of time with it.
  • Safari is showing page errors with G+. Unsurprisingly Chrome works best.
  • It will be interesting to see how I manage the John Gordon/John F identity clash in G+. I think I should be able to make it work.
  • Google Data Liberation has its own home on my post G+ Accounts page. It includes all Picasa web albums, my profile, my stream, my Buzz data and all circles and contacts. Very impressive.
  • Profile settings says I can control which circles see parts of my Profile, but that's not working for me yet.
  • The Privacy page is excellent.
  • My Google Profile vanity URL now redirects to a G+ Profile with my old 1138 .... Google ID showing.

Of the coverage I've read, I like these best ...

Monday, July 04, 2011

Life with Google Two Step Verification - Sign-in Failed with Places.app

Places.app is one of Google's newer iPhone "social" apps. This is what you see if you try to sign in with a Google 2-step verification (two factor) account:

Sigh. It's been 3 months now since I implemented Google's "2-step verification" (technically, "two-channel" verification), and while I still rely on it the process has been painful.

I've had to create so many "app-specific" passwords that I've taken to reusing them. They're not app-specific at all in truth, so now I have about 20-30 "extra" passwords for my one Google account.

Google started out reasonably well on this "beta" effort, but they haven't progressed. Now, with their focus on Google Plus, I'm afraid they're stuck.

At this point, 2-step verification is only for the hardiest of geeks.

Saturday, January 01, 2011

Why the United States Postal Service should manage our primary digital identity

For a non-expert, I do a fair bit of ruminating about the relationships between identities, credentials, and avatars/facets. Today a bug related to Google's (covert) Identity Integration initiatives, a recent flurry of stories on the endtimes of password based security, and the earth's orbit have got me chewing again.

I'll deal with the earth's orbit by making my solitary 2011 tech prediction. 2011 will be the year of two factor authentication and the gradual realization that management of digital identities is too important to be left to Google, Amazon and especially Citicorp, Facebook, and AT&T/Verizon.

So if we can't rely on Google (or Facebook) or Citicorp to manage our digital identity, including claim resolution and identity control, who can we rely on? What are the other alternatives, assuming that almost none of us will run an identity service out of our homes?

Obviously, government is an option. The (US) Federal government, for example, makes a robust claim on my identity. That claim, however, is so robust I would prefer to separate my obligatory IRS identities from all other identity related services. In any event direct US government identity management is a political non-starter. The right wing will start ranting about beastly numbers and rationalists will fret about the day Bush/Cheney II takes power.

That leaves business entities with strong governmental relationships, extensive regulation, and a pre-existing legal framework support that could be extended to support identity management.

An entity like, for example, the United States Postal Service (USPS).

You laugh. Ok, but consider the advantages:

  1. The USPS has been in the business of managing confidential transactions for centuries.
  2. There are post offices in every community that could support the person-present aspects of identity claims.
  3. It's a regulated quasi-governmental agency that already exists.
  4. The USPS manages passports
  5. Much of the legal framework used to manage mail and address information could be extended to manage digital identities.
  6. The USPS is dying and is desperate for a new mission.

I admit, it sounds crazy.

Except ... I'm far from the first person to think of this. It was proposed by (cough, choke, gag) Michael Chertoff ...

... former Department of Homeland Security Secretary Michael Chertoff ... mused that the USPS was ideally situated to take part in the evolution of the government’s role in validating identity. He points out that the Post office is already the primary issuer of passports – an extremely important piece of personal identity. In the speech he expands on that model as follows: “one of the things I hope to see is, as the Post Office re-engineers itself over the next, you know, few years, they increasingly look at whether they can be in the business of servicing identity management. They can – because every town has a post office.”....  DHS: Remarks by Homeland Security Secretary Michael Chertoff at University of Southern California National Center for Risk and Economic Analysis of Terrorism Events

I can't believe I find myself agreeing with Chertoff, but there you go. What a way to start 2011.

[1] Incidentally, now that my kateva.org Google Apps users have Blogger privileges, and since Blogger is supposedly an OpenID provider, I'm thinking of implementing this using Blogger/Google Apps/Kateva.org

Update 1/8/11: A few days after I wrote this news emerged of a federal identity and certificate management initiative. Maybe I'm psychic.

Tuesday, December 14, 2010

Gawker was hacked yesterday. Today LinkedIn?

Yesterday we learned Gawker was hacked. I got this message today ...

We have recently disabled your account for security reasons. To reset your password, follow these quick steps:
....
The LinkedIn Team

My LinkedIn password was not the same as the disposable Gawker password. It wasn't an ultra secure 64 character random string, but it was a 5th percentile good quality password, one of my class III credentials. It wouldn't fall to a standard attack.

So was LinkedIn hacked? Is this a false alarm? Are they being extra cautious after the Gawker hack?

There's another possibility. Since my Gmail account was hacked I don't enter my Google credentials on untrusted machines. Practically speaking, that means only OS X machines I control. Since that day I divide my credentials into five classes.

  • I: You want it? Take it.
  • II: I'd rather you didn't.
  • III: Help!! Help!!
  • IV: I'll fight you for it.
  • V: Kreegah bundolo! Kill!!

Category IV and V credentials are only used on trusted machines. Category I is used everywhere. Category II and III I'll use on my work machine -- an XP box with corporate class antiviral software. In other words, a vulnerable machine.

The fourth possibility is that one of my Category III credentials has fallen to a keystroke logger on my corporate laptop.

Yech.

I've reset my LinkedIn password (and reviewed the list of reset emails), and, on reflection, I've moved those credentials into "Class IV". So I won't use those credentials on an untrusted machine.

What's next?

Update 12/14/10: LinkedIn wasn't hacked, unless you consider that they've hacked themselves. They'd matched every email address posted by the Gawker hackers, and reset the passwords associated with them. They explain that today (emphases mine) ...

We recently sent you a message stating that your LinkedIn password had been disabled for security reasons. (Note: If you have more than one email registered with us, you will receive more than one password reset message. You only need to act on one of them.)

This was in response to a security breach on a different site, Gawker.com, where a number of usernames and passwords were exposed. We want to make sure those leaked emails and passwords were not being used to attack any LinkedIn members.

There is no indication that your LinkedIn account has been affected, but since it shares an email with the compromised Gawker accounts, we decided to ensure its safety by asking you to reset its password ...

They would have done better to explain that yesterday. What a screw up.
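The breach response described in this update, as an added example (not LinkedIn's code): it matches a leaked address list from another site against local accounts, forces one reset per account even when several of its addresses matched, and states the reason in the first notice. The `Account` and `ResetNotice` types, `plan_resets`, and the example.com addresses are all constructed for illustration.

```python
"""Added example: defensive cross-check of a third-party leak against local accounts."""
from dataclasses import dataclass


def normalize_email(addr: str) -> str:
    """Trim and case-fold so ' Bob@Example.COM' matches 'bob@example.com'."""
    return addr.strip().casefold()


@dataclass
class Account:
    account_id: int
    emails: list          # every address registered to this account
    primary: str          # where the notice is sent
    must_reset: bool = False


@dataclass
class ResetNotice:
    account_id: int
    to: str
    matched: list         # which registered addresses appeared in the leak
    body: str


def plan_resets(accounts, leaked_emails, breach_source):
    """Flag accounts whose addresses appear in the leak; one notice per account."""
    leaked = {normalize_email(e) for e in leaked_emails if e.strip()}
    notices = []
    for acct in accounts:
        matched = sorted({normalize_email(e) for e in acct.emails} & leaked)
        if not matched:
            continue
        acct.must_reset = True
        body = (
            "We have required a password reset on your account.\n"
            f"Reason: {', '.join(matched)} appeared in credentials exposed in a "
            f"breach of {breach_source}, which is a different site.\n"
            "We have no indication that this account was accessed. "
            "This is the only notice for this account; reset once."
        )
        notices.append(ResetNotice(acct.account_id, acct.primary, matched, body))
    return notices


if __name__ == "__main__":
    # Constructed sample data, not taken from any real leak.
    accounts = [
        Account(1, ["Alice@Example.com", "alice.alt@example.org"], "alice@example.com"),
        Account(2, ["bob@example.net"], "bob@example.net"),
    ]
    leak = [" ALICE@example.com", "alice.alt@example.org", "nobody@example.com"]
    for notice in plan_resets(accounts, leak, "Gawker.com"):
        print(f"To: {notice.to}\n{notice.body}\n")
```

Sending the reason with the reset, and deduplicating by account rather than by address, addresses both complaints raised in this post.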

Monday, December 13, 2010

The Gawker hack - and two factor authentication

I got my email from Gawker today

... the user name and password associated with your comment account were released on the internet...

Gawker was hacked - big time. Forbes has the gory details ...

The Real Lessons Of Gawker’s Security Mess - The Firewall - the world of security - Forbes

... Despite this, they do not really seem to be acknowledging the scale of what happened. They still try to put some blame back on users, suggesting that if they had a weak password they might be compromised. Well, that really does not make much of a difference when you expose the entire database table and have way too much faith in the 34 year old encryption algorithm reported to be used to safeguard the data...

Briefly, I take security far more seriously than Team Gawker. They were a big fat soft target.

I don't remember creating a Gawker account - I probably created it on io9 originally. I'm sure I used my throwaway password (still far more robust than most). I have retired that password, but it will now be a part of a future dictionary attack. I need to check that Emily doesn't use it any more either.

In the wake of these events there are typically calls to "use strong passwords". Except, of course, if the server side password store encryption is hacked then even the world's best password is useless. And, of course, there are keystroke loggers out there.

This is what I do now, but, really, we need two factor authentication urgently.

I did go through Gawker's password reset procedure, which seems to have given me a new username and password. There's no way currently to get to their accounts page so I'll just leave it as it is.

Update 12/14/10: This Lifehacker (Gawker) article on lessons learned from a hacked google account is quite ironic now. They didn't learn any lessons.

There've been two good commentaries today ...

Sunday, December 05, 2010

If Google acquires Groupon they're absolutely insane

There's a rumor that Google is going to acquire Groupon for a zillion dollars.

I signed up to see what it was about. Naturally I used my mail.yahoo.com junk email address - a disposable digital identity. (If it ever annoys me too much, I will destroy it and create a new Yahoo persona.)

Groupon is a service that sends you spam. You can't opt out of the spam. Oh, and you can never leave. There's no obvious way to delete a Groupon account.

If Google buys Groupon then I will begin disentangling my data from Google. It will be an incontrovertible sign that they've gone off the rails.