Archive for the ‘Computers and Internet’ Category

Some days, I wonder if I am in the right line of business.

I’ve believed in capitalism for my entire life and that free markets are the best way to run an economy, but lately I’ve wondered how that fits into what I do at work. I think this because of my observations about the state of the world, and what I know from behavioral psychology.

Even though I still think free markets are great, I think it’s pretty obvious that there are inefficiencies everywhere. There are plenty of poor people still around (although their standard of living is rising), but study after study shows that while capitalism is great for creating wealth, most of it goes to a small group of people. The middle class, at least in the United States, isn’t sharing in much of these wealth gains. If free markets are so good at distributing wealth, why is so much of it concentrated in 1/10 of 1% of the population?

This makes me think that my faith in free markets is stronger than it should be; they’re great, but not as great as I thought, especially for a majority of the population.

How this fits into work is what I see as the Tragedy of the Commons. This is a 19th-century concept: when a shared resource gets depleted, everyone loses. It’s in everyone’s best interest to behave in a sustainable way, yet simultaneously also in everyone’s best interest not to behave in a sustainable way.

For example, suppose there is a lake and there are 25 fishermen, and each is allowed to catch only 1000 fish per year. This is to ensure that the fish stocks don’t get depleted. So long as everyone plays along, it’s great. But, suppose one fisherman – let’s call him Frank – decides “Well, instead of my catch of 1000 per year, what if I catch 1100? It’s only about 1 extra fish every three days and no one will notice.”

And nobody does notice.

However, Frank gets to sell 100 extra fish and make just a bit more money. A little later, Joe notices Frank is catching 100 extra fish and nobody is complaining. So Joe says “Well, if Frank is catching 100 extra fish, why can’t I?” and so he, too, catches 100 extra fish. And he, too, reaps the benefits.

But soon, everyone notices that some people are catching extra fish, and soon everyone decides to catch the 100 extra. And everyone gets a little extra money.

However, one thing does eventually catch up with everyone – because everyone is now catching 100 extra fish – 1100 per year – the lake becomes depleted. In a few years’ time, nobody is catching any fish. Nobody reaps any benefits because now the lake is empty. People’s short-term desires trumped their long-term interests.

And this is common in behavioral psychology; it’s a very human trait.

I see this at work. I have friends and co-workers who come from eastern bloc nations that lived under communism, and central planning ruined their nations. And now, after moving to the US, they have a pro-capitalist view because the opposite was a complete disaster.

I used to agree with them.

Except that I think that this point of view is pervasive at the company I work for, and it ignores the Tragedy of the Commons. Acting in your own interests to maximize short-term gain causes long-term pain.

In email filtering, there are ways to run a business and I always have to fight to get others to do the right thing because it’s the right thing to do. Just as in industry, businesses can pollute the lake because it’s cheaper for them to dispose of refuse into the local lake than to transport it safely elsewhere (or treat the waste so it is neutral), email filtering systems can pollute the Internet. There are Internet rules that say “Don’t do this” and “Don’t do that” because it “pollutes” the Internet.

Yet I find it is common for others to think that because we work for a large company, anything that maximizes short-term profit is okay as long as nobody complains. But I think we shouldn’t be maximizing short-term profit at the expense of depleting a resource; we should keep the Internet clean and do the right thing because it’s the right thing to do, even if it takes a little longer or is a more complicated design.

I once said “What you’re saying is that it’s okay to pollute the lake so long as the Environmental Protection Agency doesn’t shut you down” and the response was “Yes.”

I understand that I am in business, and a business must make money, and this business pays me, and that customers pay us, but something about that now rubs me the wrong way.

I see a change in the Millennial generation. Mark Zuckerberg, who at 30 years old is part of that generation, has said that Facebook’s business exists to serve its social mission, not the other way around. Younger people are all about Fair Trade which costs more but is more socially equitable.

I realize that big business can exploit this feel-good-ism, but even on Shark Tank, the investors are almost all about making money because capitalism is the force that does the most good in the world, and charity is something you do voluntarily.

I agree that capitalism and free markets do a lot of good, but I also think that they don’t do as much good as their die-hard proponents think they do. I think that humans think about things in the short term and are hard-wired to not look out for their own long-term best interests. So, the profit motive wins even at the expense of doing the right thing, since doing the right thing causes short-term discomfort, but not doing the right thing is rewarded with money.

I like making money. But I don’t like making money if I think the lake is being depleted. I don’t think we should be polluting the lake just because the EPA doesn’t notice, I think we shouldn’t be polluting the lake because it’s the right thing to do.

Even as I type this, I find myself getting wound up with a mix of conflicting emotions. Am I in the right business? I like doing what I do professionally, and I know my company gives a lot to charity. Without their business generating profits, they wouldn’t do it at all.

But I find myself identifying more with the Millennial generation than the profit-first goals of American business.

And I feel conflicted.

This weekend, I went shopping at random stores around the city where I live. For you see, the wife purchased a book of coupons and we decided to use some of them. We flipped through the book looking for ones we might like and found a few for stores we had never been to, nor would ever go to had we not purchased the coupon book.

We went down to a specialty coffee store and browsed around. We found a couple of coffees we might like to try. Good thing we had a discount because they cost roughly double what we normally buy at Trader Joe’s.

When we went to pay, the staff hadn’t seen the coupons before and had to look them up. After confirming it was okay to use their own coupons, they informed us we needed to supply an email address.

Normally, both my wife and I decline to provide an email address at any retailer. I don’t want your email notices, I just want the merchandise I am currently trying to acquire. But, this retailer informed us that “we needed to supply an email address in order to use the coupon.” The wife begrudgingly handed it over.

Why should I have to do that? Why do I need to give out an email address at all?

I just got an email from Home Depot today telling me my email address was leaked during their most recent hack this past September. Doing the math in my head, this means that I can expect more spam and probably a bunch of customized phishing attempts (i.e., some phisher impersonating Home Depot telling me that I have to take a particular action in response to the breach) going forward.

And this irks me about giving up my email address. Not only do I not want to give it out because I don’t want to sign up for advertisements from the retailer, I don’t entirely trust them to keep it secure, either. I feel like handing it over is akin to opening my front door and hoping flies and other insects stay outdoors.

I didn’t think fast enough at the time, but next time I have to hand over an email address maybe I should do one of the following:

  1. Claim I don’t have an email address

  2. Give a fake email address at a domain that doesn’t resolve

  3. Give an email address to a known spam trap

  4. Give an email address that says “do_not_email_me_I_am_only_giving_this_because_I_have_to@example.com”

This probably wouldn’t solve any problems or change anyone’s behavior, but it would certainly make me feel better.

A few days ago, I posted my notes on Keith Alexander’s talk at MIRcon about the NSA. Today, here’s a blog post about the opposite point of view.

Yesterday, I came across an interview with William Binney, a former NSA analyst who resigned from the agency in 2001. He is a whistleblower who, unlike Edward Snowden, did go through the proper escalation channels when he felt that he had found things the agency was doing that were against the US constitution.

The interview is on Dan Carlin’s Common Sense podcast. I listen to Carlin’s Hardcore History podcast and it is very good, but I just discovered his Common Sense podcast. You can listen to the interview here:

If you’re opposed to what the NSA is doing in terms of data collection, you will no doubt agree with Binney and his views he discussed in the interview. He is very much against what the NSA is doing.

If you’re not opposed to what the NSA is doing, you will probably disagree with what Binney says.

Finally, if you’re a fence-sitter, you probably won’t hear that much to sway your position beyond what you have already heard in the media, news outlets, and other blogs.

Last week, I attended MIRcon, Mandiant’s conference on Advanced Persistent Threats. One of the keynote addresses was given by Keith Alexander, the former head of the NSA. I enjoyed his talk; it was a good one.

What Others Are Saying

Here is Kelly Jackson Higgins’ take on his talk, from an article on DarkReading. Everything in the article is accurate:

* Former NSA Director reflects on Snowden Leaks
http://www.darkreading.com/analytics/threat-intelligence/former-nsa-director-reflects-on-snowden-leaks/d/d-id/1316466

Higgins’ main talking point is that Alexander and the NSA were trying to bring to the public’s attention the fact that, although the United States is under constant attack from advanced persistent threats, the Snowden leaks ended up overshadowing any of the good work that the NSA was doing. The NSA is a professional organization and third-party auditing showed that what they did:

  1. Was authorized by Congress
  2. Was within the law
  3. Was 100% audited
  4. Even though they were audited afterwards, no violations ever came up that were not already self-reported
  5. The NSA is highly professional

That’s all I have to say about that, go ahead and check out the article.

My Impression of Others’ Impressions of the NSA

While I was in Washington, D.C., I noticed that there was more of a “pro-America” feel, that is (and I am badly paraphrasing) a “we understand that the NSA had to do what they did” perspective compared to where I live. Whereas on the left coast, Microsoft’s own top lawyer identified the American government as an advanced persistent threat [1], and you can read other technical blogs that are very critical of the US government’s actions (Google, Yahoo and Apple are all moving to encrypt their data in response to this), I didn’t find any of that anti-government sentiment at MIRcon.

I see this as either the attendees at MIRcon genuinely understand that what the NSA did is more nuanced, and a position of “The government should not collect any data” is too narrow a viewpoint; OR, representatives from these companies work with government and therefore their perspective is skewed; OR, I didn’t sample enough people to get a broader perspective.

In any case, that’s what I experienced.

My raw notes of Keith Alexander’s Keynote

I don’t have time to type this up into a more nuanced blog post, but here are my raw notes from the session.

—————

2014.10.07 – Keynote Keith Alexander

  • Keith Alexander – cyber security people are underpaid (he’s a funny guy)
  • CyberCommand was created based upon intrusion into DoD in 2008 (later believed to be the Russians), wake up call
    • Now Target, eBay, Home Depot, JPM; attributed to eastern Europe/Russia
    • Did you know 2014 (website, talks about rapid change in technology)
      • Top 10 in-demand jobs in 2013 did not exist in 2004. Half of college newbs’ tech knowledge will be out of date by the time they get to junior year. People are being trained for jobs that don’t exist today.
      • Talked about how using Watson, they can get cancer treatments figured out in 9 minutes rather than 30 days (important because that 30-days results in cancers metastasizing)
      • Within a decade, some diseases will be solved thanks to advances in technology
    • We created the Internet, we can secure it.
      • But what we have created, today, isn’t secure.

  • Pre-2007, Internet was used as a way of going out and exploiting (everyone was doing it)
    • Then in 2007 changed from exploitation to disruption (Estonia attacks), had to disconnect from Internet
    • Aug 2008 Georgia was hit with cyberattacks (coincided with attacks by Russia govt ground offensive), DDOS attacks
    • Tells of issue on DOD networks one Friday afternoon in 2008, some people found 1500 pieces of malware on classified network
      • Built a system to mitigate the problem at network speed.
      • NSA built the system in 22 hours (!!!)
    • In 2011, NSA took a look at DOD networks, 15,000 in all, discovered they have an indefensible architecture (opened up that bag… of fertilizer… can we give this back to the DOD? Nope.)
      • Created Cyber Command as a result. Our defense must be as good as their offense

  • Fast forward, actions in 2012 were timed to problems in the middle east
    • August: Attack on Saudi Aramco (DDOS coupled with a virus – destroyed data on 30k systems)
    • Over 350 DDOS attacks on Wall Street in the intervening one year. 2013: attacks on South Korea
    • Goes from stealing data to using the networks as an element of national power.
    • People attack cyberspace because that’s where the money and IP and secrets are

  • Cyber command
    • Joint taskforce to defend the DOD networks but when it came over decided to defend everything within the nation

      1. Need a defensible architecture – Too difficult to draw a picture of network without any situational awareness

      2. Training – Need to train at a classified threat, offense and defense need to be the same

      3. Command and control – How do we work together with govt and industry? There’s more industry by orders of magnitude, and exploitation surface is hundreds of time larger. Nothing prevents industry from working with govt for a common cause

      4. Cyber legislation – Didn’t really discuss this

      5. Signature based AV systems good for certain things but not for where we want to go. Need to have real time consumable threat intelligence; detect mitigate report at network speed; within and among networks. These are not technical challenges, it is culture and competitiveness. Just think if we were to work together. It will take several companies and a consortium to figure it out.

  • Q&A’s – Are we in a cyber war? When did it start? –> No, not yet but because of his definition
    • 22 cryptologists were killed in Iraq and Afghanistan (doing some cyber stuff to change intelligence collection)
    • Someone asked a question – what does the NSA collect on me? Metadata goes into the business data FISA program
    • Gave an example (2009) of stopping an Al Qaeda operative in the Pakistan area who was talking to someone in the Colorado area (by email; gave the phone number in the email to the FBI). The FBI can take that and get the phone number from the phone and email provider. Talked about bouncing around from Colorado to New York and North Carolina, who were also in contact with other known terrorists outside (?) the US.
  • Q&A’s (Did Angela Merkel have anything interesting to say?)
    • If you talk to known high risk contacts, there is a good chance you will be flagged. But otherwise you are probably not going to be looked at. These programs help connect the dots. Everything in the program is audited 100%. Not one person was found doing anything wrong that hadn’t already been reported before.
    • ACLU did a review of the NSA (Jeff Stone), found NSA helped to thwart plots, operates a high degree of integrity and deep commitment to the rule of law
    • People who touch special data have to go through 400 hours of training (more than pilots)

Those are all of my notes.

[1] “Like many others, we are especially alarmed by recent allegations in the press of a broader and concerted effort by some governments to circumvent online security measures – and in our view, legal processes and protections – in order to surreptitiously collect private customer data.

If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications. Indeed, government snooping potentially now constitutes an “advanced persistent threat,” alongside sophisticated malware and cyber attacks.”

Brad Smith on the Official Microsoft blog
http://blogs.microsoft.com/blog/2013/12/04/protecting-customer-data-from-government-snooping/

8 months ago, I wrote a blog post about how I am more concerned about being hacked by malicious spammers than I am about being spied upon by the NSA. In the year since Snowden, my views haven’t changed much. I understand that it’s a concern but I am more-or-less ambivalent about it [1].

I understand that there is a very vocal segment that protests this invasion of privacy vehemently, but I just can’t get worked up about it.

Why am I so different from this vocal segment? And why does this vocal segment care so much?

The Principle of Scarcity

To answer this, I recently read the book “Influence: The Psychology of Persuasion” by Robert Cialdini. In it, psychologist Robert Cialdini describes six underlying principles of how to persuade people – principles that have proven themselves over and over again. These are not self-help theories but instead theories that have been tested by science.

One of the topics of the book is the Principle of Scarcity. People view potential losses as more impactful than potential gains. This is universally true: we are more concerned about losing something than we are about winning.

Here’s proof. What would you rather have?

  1. Option 1 – A 10% chance of winning $1 million, or
  2. Option 2 – A 100% chance of winning $90,000

If you’re like most people, you probably go with Option 2. However, if you do the math on the expected payout, you multiply the chance of winning by the amount you would win to get the expected winnings. Option 1 has an expected winning of $100,000 (10% x $1,000,000) while Option 2 is $90,000, less than Option 1.

But most of us want to go with the sure thing of Option 2 even though it is less because it is too psychologically painful for us to “lose” the sure thing of $90,000 compared to the mere possibility of $1 million, even if you know the probabilities.

Even if you personally, reading this right now, say to yourself “Well, I know the math. I would certainly go with Option 1,” you still have to fight your natural instincts to do this because it feels wrong and you don’t like doing it. Thus, while you may understand the math in this case, be very sure you won’t understand the math in every case, nor in every real-world circumstance that deals with the Principle of Scarcity.

The Increasing Value of Time

Another example is the phrase “If it weren’t for the last minute, nothing would ever get done.” This is our tendency to put things off until there is very little time left and then scramble to complete them. This is known as “hyperbolic discounting.” What is happening is that we, as humans, are not good at anticipating the future, but as a deadline draws nearer and nearer – and time-to-complete becomes correspondingly more scarce – the thing we are putting off becomes more urgent as the remaining time becomes much more valuable.

Scarcity increases the value of something.

As opportunities become more scarce, we desire more freedom, and we hate losing the freedoms we already had.

This goes one step further – it is not just scarcity that makes something more desirable; a drop from abundance to scarcity is much more powerful than constant scarcity.

For example, when governments ban books, it is then that people want to read them. And to add to the intensity, if the drop in abundance is because others want the scarce resource, this increases the desirability.

How it Works in Humans

Researchers have tested this – they had volunteers come in and answer some questions and then leave, but on the way out there was a plate of cookies. When there were plenty of cookies, people rated the cookies’ taste as fine. But when there were only a couple of cookies and plenty of crumbs (indicating that there had been a lot of them previously but others had depleted the stock), people rated them even more highly.

This principle of scarcity is hard-wired into our brains.

So what does this have to do with NSA spying?

Here’s what I think – the scarce resource that we thought we had was privacy. Privacy is valuable and we believed that nobody was looking over our shoulder. Who wants the government spying on them? Nobody, that’s who.

However, when the NSA scandal broke, suddenly this resource/freedom we thought we had was virtually non-existent. And we hate losing freedoms we had before. The fact that it was previously abundant due to encryption, and is scarce now (due to government circumventing it) made it that much worse.

And making it even worse is that government wants our privacy! Thus, someone else is stealing something that was ours and that’s what makes it scarce!

And I think that’s why people are so upset – because of the Principle of Scarcity and how we’re hard wired to react to it.

The Roots of the Desire for Privacy

Okay, so maybe we’re hard-wired to react to scarcity. And maybe we’re a little upset because we lost our freedom of privacy.

But why should we even care about privacy at all?

I think it’s because we don’t like being watched. There’s a myth that says that public speaking is our number one fear. Studies are conflicted about this, but it is one of the things that people are afraid of and it ranks very highly, higher than things we should be more afraid of like disease, car accidents, or violence.

So why are we even afraid of public speaking to begin with?

I think it’s hard wired into our brains because we don’t like to be watched. For you see, for hundreds of thousands of years, even millions of years, our ancestors wandered around on the African savannah, looking for game but also just trying to survive. Our ancestors had to work in groups and we would sometimes stalk our game for days or even weeks at a time.

However, humans are not particularly good fighters against any other animal without our tools or the groups of people we hunt with (i.e., working together). While we would hunt other animals, other animals would hunt us. And when they hunted us, they would secretly stare at us first, sizing us up before pouncing.

Eventually, we developed biases in us to dislike being watched because it meant that if we were, we could soon become the prey and would fail to pass on our genetic material. Natural selection favored genes that selected for being aware of being watched and taking steps to correct for it.

We don’t like to be watched without our permission because we have genes that have selected for this personality trait.

Your Brain is not a Lawyer

We sometimes think of ourselves as rational creatures. We have a model of ourselves where our brains are basically like Prosecuting Attorneys and Judges. The prosecuting attorney presents the evidence, the judge weighs it, and then issues a decision. In this way, we are mostly logical creatures; sure, we sometimes make mistakes but for the most part we act in our own best interest.

This was the view before the 1960’s and the rise of modern psychology, and the 1990’s before the rise of behavioral psychology. Not only do we now know that we make cognitive errors all the time but that we are predictably irrational.

Your brain is not an attorney/judge combination that weighs the evidence and makes a careful decision. That happens occasionally but it is not the norm. Instead, you have a limbic system which is the system that reacts and drives your emotions, and a neo-cortex which is the thinking and reasoning part of your brain. And these two are always working together, and sometimes they are conflicting.

We like to think that the logical side wins out over the “emotional” one (the limbic system is far more complex than what I described). What happens in reality is that most of the time, our limbic system has an emotional response to a stimulus (a physical feeling, or a sound, or an idea) and then our neo-cortex brain works to rationalize why we feel the way we feel.

If you ask a person why they took the $90,000 sure thing instead of the $100,000 expected payout (10% chance of $1 million), they may say something like “I can use the $90,000 today and the chances of getting $1 million aren’t worth the risk of losing it.” And that’s close to reality; our limbic brains tell us “Don’t lose the sure thing!” and then our neo-cortexes get on with the work of making up a reason why we are doing the irrational thing.

Putting it All Together

This is why I think (some) people hate the NSA spying scandal so much. We have justified it as they are over-collecting data and it could lead to abuse. While I think that’s possible, I think the disliking of it is because we don’t like being secretly watched by someone. Not being watched by someone is called “privacy” and we hate losing the freedoms we had (or thought we had), and that includes privacy. While we have reasons for disliking it, we come up with these after the fact; we don’t weigh the pros and cons and come to a decision. Instead, we come to a decision and then weigh the pros and cons.[3]

That’s why I think some people are so vocal about NSA spying.

So what about people who don’t seem to react so strongly? I will get to that in a future post.

[1] 10 weeks ago, I had braces put onto my teeth. I’ve never had them done before, that is, I didn’t have them as a kid [2]. Let me tell you, I experienced way more angst up to and during that procedure than I ever had thinking about how the NSA might be spying on me.

[2] I’ve needed this procedure for at least a decade. I finally broke down and consented to wearing them for two years.

[3] Yes, this is oversimplified. As it turns out, there are good reasons for being against government over-collection of data just as there are good reasons for there to be a government that runs society.

I have discovered podcasts.

“What?” you ask. “How could you not know about them?”

Let me clarify. I’ve known about podcasts for years but I never listened to them. Why would I? And when? I’m too busy at work, and in the evening I usually watch video.

But I discovered a great time to listen to them – when I’m walking to work. For you see, it takes me between 25 and 30 minutes to walk to work each day which means I have around 50-60 minutes of just walking. It turns out that is the perfect time to listen to a podcast.

What I did was subscribe and download a bunch of them to my phone. I plug in a pair of headphones and on the way in, I listen to an episode and on the way home I listen to the rest of the episode. It really passes the time.

I also used it when I went hiking this past weekend. It also helps to break up the fatigue of moving uphill.

Man, why did I never think of this before?

You can call me cynical but the latest digital revolution – putting your life in the cloud where you interact with it using devices – seems overrated to me.

You know what I mean; if you’re a member of the tech industry, the latest major trend is cloud computing. This is where all of your data is stored in various companies’ cloud computing databases and you interact with it through devices like tablets, smart phones and PCs (laptops/desktops, not necessarily Microsoft OS’es). I am exaggerating, but the hype surrounding it makes it sound like this is going to be the greatest thing in the history of the computer! Get ready for it! It’s going to be amazing!

I’m not going into a lot of detail here, but you’re smart readers. You know what I mean. I’m saving time to get to my real point.

All this talk about life in the cloud… I have real doubts that in real life it will live up to its greatness.

Why do I say this?

Last week, my wife and I visited her family in Taiwan. She lives here in the US and speaks English but speaks Taiwanese with her parents who can also speak English. They speak English with me, but Taiwanese with each other. Last fall, they retired and moved back to Taiwan where it is cheaper (outside of Taipei where the housing costs are worse than most of the US).

I’ve tried learning a little Taiwanese but it is very difficult. I was also learning Mandarin for a few weeks before I left (also difficult). The problem is:

  1. Unless you spend a lot of time in the country where it is the native language, you will never pick it up well enough to converse.

    They say that for English speakers, Chinese, Japanese and Korean are the hardest languages to learn and it could take around two years.

  2. There are not a lot of resources to learn it.

    This is important: Taiwanese != Mandarin. They are not the same language and they are not mutually intelligible. Even though Mandarin is the official language of Taiwan, most of the population also speaks Taiwanese. There are a lot of resources (books, learning apps on my tablets, translation sites) available for Mandarin, but not for Taiwanese. The population of Taiwanese speakers is perhaps 20 million which is why there isn’t that much.

  3. Mainland China’s writing system is Simplified Chinese which is what I was learning (I was also trying to learn Mandarin). By contrast, Taiwan uses Traditional Chinese.

    In the 1950’s, mainland China converted Traditional Chinese to Simplified Chinese in order to make it easier for the population to learn. However, Taiwan did not. While some characters are the same, many are different. Thus much of the time I spent learning Simplified Chinese did not help that much in Taiwan.

My wife, in-laws and other members of her extended family were nice enough to speak English to me, but with each other they spoke Taiwanese.

They say that communication is 7% verbal and 93% non-verbal (part body language and part tone-of-voice). Well, let me tell you, that’s completely false. I am good at observing body language and when my relatives were talking to each other I absolutely did not understand 93% of what was going on.

Perhaps if you are observing others this quote is true, but once you are part of the conversation and seated at the table, that 7% verbal communication is the most important part by far! I could follow basically nothing of what was being said. Sure, I can tell the emotions of what’s going on – sometimes funny, sometimes concern, sometimes curiosity. But that’s a far cry from taking part in a conversation. I know that most of the chatting is about regular family things – who’s working where, who’s neglecting what, who’s being irresponsible (you know, gossip – the thing we all do yet all say we revile), but I was not a part of what was being discussed. I could only sit and watch.

Out on the streets, I could tell what things were:

  • I could tell what food stores were
  • I could tell the street signs
  • I understood the food vendors

But in terms of advertisements and exact messages, I could read almost nothing. The Chinese characters I already knew rarely showed up, except for water, 水 (that sign was everywhere and I never figured out why); fish, 魚; beef, 牛; meat, 肉; man, 男; woman, 女; and good, 好. But this amounted to 1% of all the characters I saw. Imagine reading this blog post and understanding only 1% of all the words.


And therein lies my disconnect.

I expected to be able to understand very little conversation or read very little. Yet I had this vague hope in my mind that technology would help me. Why did I think this? Because somehow I had the idea that life in the cloud changed everything! Why would I think that? It’s not a conscious decision, it’s something I had to have picked up somewhere and it must be from advertising and the reinforced message of having lived and worked in tech for 10 years.

Yet technology was basically useless.

For one thing, my phone’s data plan works in the United States only. If I try to use data overseas, I get charged a ridiculous amount. Can I afford it? Yes. Will I pay for it? NO!

For you see, even though it’s not logical, I am psychologically averse to going through the trouble of getting additional communication devices (phones) for something I use so infrequently (going overseas). I know there are ways around this, but there are deep seated cognitive “defects” in my brain for loss-aversion that prevent me from doing it or trying to work around it.

It seems that technology’s “Life in the cloud is great” belief assumes you have Internet connectivity everywhere. Well, I don’t. And if you don’t, then what?

Secondly, even if you have a translation app like I did on my phone that works offline, it isn't very good for east-Asian languages. The translator app on my phone has Norwegian, Russian, Swedish, Dutch, Portuguese, Spanish, French, Italian, German and Simplified Chinese available for download. As I explained above, Simplified Chinese != Traditional Chinese. I tried using it anyway and the result was worthless. There wasn't a single instance of me pointing my phone at a line of text and having it translate something intelligible back to me. It was all a bunch of gobbledygook.

Every. Single. Time.


There was a time when I thought that the major languages like the ones that are available for offline download were the most important ones. I still think that, but the smaller languages are also still very important for two reasons:

  1. Communication – not everybody can speak the major languages.

  2. Cultural preservation – I don’t think it’s a good thing to be losing smaller languages. Cultures are important, language is one of those things that preserves it and losing them loses a cultural identity. I don’t think that people moving to the main languages of a couple dozen worldwide is a good thing.

Basically, if I want to learn a foreign language and culture, then I need to learn the language and culture. I can take a class, buy some books, learn on the web, buy software like Rosetta Stone, download some apps, and converse with native speakers. There’s really no way around it (short of having a translator). In other words, I need to do this the old fashioned way.

But here’s the point – I don’t need my life in the cloud for that. Sure, the cloud helps. I downloaded a bunch of apps onto my iPad from the Cloud. There are ways to use Skype to help practice with native speakers. I can browse Amazon book reviews to see which ones are the best ones for learning languages.

But all of that stuff existed before the “life in the cloud revolution” took place. And now that it’s being sold as the next big thing, I didn’t find that it helped me in my real life for something new. This causes me a lot of cognitive dissonance and personal conflict because I work in an industry that is trying to get everyone to move to the Cloud, and I am paid to sell that vision.

I guess that's the disconnect I'm having a hard time articulating. It's true that I'm probably doing some things wrong. Sometimes I feel like I'm too dumb to use technology the most efficient way possible.

I wonder if anyone else feels the same way?

Read Full Post »

This will be another long post.

A couple of weeks ago, you may have read that the Syrian Electronic Army hacked into Forbes and posted a bunch of usernames and passwords. What you may not know is that Forbes has been fairly transparent in describing how it happened and how they plan to mitigate going forward. This is contained in a series of articles they posted on their website.

To make a long story short – they were phished.


From: How the Syrian Electronic Army Hacked Us: A Detailed Timeline of Events, all highlights are mine:

Early Thursday morning, a Forbes senior executive was woken up by a call from her assistant, saying that she’d be working from home due to a forecast predicting the snowiest day of the year. When she ended the call, the executive saw on her Blackberry that she had just received a bluntly worded email that seemed to have been sent by a reporter at Vice Media, asking her to comment on a Reuters story linked in the message.

Any other time, she says she would have waited to read the linked story later at the Forbes office. But with the sale of the 96-year-old media company pending, she was on the alert for news. Groggily stepping out of bed, she grabbed her iPad, opened the email in her Forbes webmail page through a shortcut on the device’s homepage and tapped the emailed link.

In her half-asleep state, she was prompted for her webmail credentials and entered them, thinking her access to the page had timed out. When the link led to a broken url on Reuters’ website, she got dressed and began her snowy commute from Brooklyn to Manhattan without a second thought. “It was so insidious,” she says. “I didn’t know I had been hacked for another two hours.”

In fact, the phishing email had set in motion a two-day cat-and-mouse game with Syrian Electronic Army (SEA) hackers who would deface the Forbes website and backend publishing platform, attempt to post market-moving news, steal a million registered users’ credentials, and briefly offer them for sale before leaking the data online.

This is an effective strategy and it was part of a two-pronged attack. Someone from Forbes got an email that is somewhat related to what they do, and they may have even received a link like this:

Hey, what do you think about this? Is it true?
http://www.article-to-some-important-news-site.com/article/cgi?=randomstuff

If you hover your mouse over the link (if reading this on a laptop or desktop) you will see that the displayed http link is not the same as where the link actually takes you: the visible text is one URL, but the underlying href points somewhere else.

The linked page asks the user to enter their credentials. Being prompted to enter your credentials at work is so common that many people don’t think twice about it. This person was doing their job and so far everything more-or-less fits with their general work flow. It’s not exactly congruent, but close enough.
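The displayed-text-versus-href mismatch described above is something a mail gateway or a mail client can check mechanically. The following Python script is an added example written for this post (it is not Forbes' tooling or anything from the original article): it parses the anchors in an HTML message body and flags any link whose visible text looks like a URL on one site while the href actually points to a different site. The sample message, the hostnames in it and the `registrable()` heuristic are all constructed for illustration.

```python
"""Flag HTML e-mail links whose visible text names a different site than the href.

Added example: a phishing heuristic for the "displayed link != real link" trick.
Only the standard library is used, so this runs offline.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message modelled on the lure in the post: the first link shows
# a news-site URL as its text but really goes to a credential-harvesting page.
SAMPLE_EMAIL = """<p>Hey, what do you think about this? Is it true?</p>
<p><a href="http://login-update.example.net/owa/auth.php?r=7">http://www.reuters.com/article/idUS0123</a></p>
<p><a href="http://www.reuters.com/article/idUS0123">http://www.reuters.com/article/idUS0123</a></p>
<p><a href="http://login-update.example.net/owa">click here</a></p>"""


def host_of(url):
    """Lowercase hostname of a URL, or None when the URL has no usable host."""
    try:
        return (urlparse(url.strip()).hostname or "").lower() or None
    except ValueError:
        return None


def registrable(host):
    """Crude site identity: the last two labels (www.reuters.com -> reuters.com).

    Assumption: good enough to tell one organisation's host from another's in an
    example; a real filter would use the public suffix list (co.uk etc.).
    """
    return ".".join(host.split(".")[-2:])


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return (href, text, reason) for each anchor whose visible text is a URL on one
    site but whose href goes to another. Anchors with non-URL text ("click here")
    make no claim about their destination and are left to other checks."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown_url = URL_RE.search(text)
        if not shown_url:
            continue
        shown, real = host_of(shown_url.group(0)), host_of(href)
        if shown is None or real is None:
            continue
        if registrable(shown) != registrable(real):
            findings.append((href, text, f"text claims {shown}, href goes to {real}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: {text} -> {href} ({reason})")
```

Run against the constructed message, only the first anchor is reported; the honest self-linking Reuters URL and the "click here" link pass. The check is deliberately narrow: it catches the specific deception in this lure, where the text itself is a URL, and would still need to sit alongside sender authentication and reputation checks to be useful in a real gateway.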

Once inside, the hackers used another effective tactic – they moved laterally. They sent phishing messages from the compromised account to other users in an attempt to gain access to important data. The spam filter had already missed the first message even though it came from the outside; it certainly wasn't going to catch messages sent from the inside, because most environments assume that the inside is secure. People inherently know that it isn't, but it's close enough.

Until it isn’t.

In a follow-up article, Forbes' Kashmir Hill spoke with someone close to the attackers about why they targeted Forbes. According to this representative, who was not involved in the attacks but is close to those who were:

He says that Forbes editorial content on Syria made it a target, pointing to recent articles about a hacker who claimed to find porn on Syrian secret police’s computers and an article decrying the SEA’s hack of the Marines’ website. “This is pure propaganda,” he said. “This is a message, we will not tolerate lies.”

In other words, this was an episode of hacktivism and resembles the 2007 DDoS attacks on the government of Estonia by Russian youth angered by the Estonian government relocating a Soviet World War II memorial.

I want to make three points about this incident:

  1. This was a well-executed social engineering attack.


    When I say “well-executed”, what I mean is that all the pieces of the puzzle were done with minimal suspicion.

    – The web page where the user entered their credentials looked like a valid login page
    – The phishing email didn’t contain suspicious language (i.e., grammatically correct)
    – The phishing email was relevant to the target
    – The landing page was hosted on a compromised server
    – The phishing email was sent from a compromised server that had not previously sent high volumes of abusive content

    In other words, a great deal of care was taken by the attacker to disguise their tracks, and it would be difficult for the average consumer of email to detect this without a high level of vigilance (i.e., working in the security industry, receiving lots of education, etc.)

  2. People in the security industry are very smug about being less susceptible to scams than others, but shouldn't be


    This is the point that prompted me to write this post. Forbes is not the first company to have something like this happen to them. People are targeted all the time. Yet there are people in the security industry – people I have personally talked to – who say that the people who clicked the link and entered their credentials are “idiots.” When I challenged them on this point, they dug in their heels and reiterated “Nope, they’re idiots.”

    The idea is that only an “idiot” would fall for something so obvious and do something so careless like entering their credentials on a web page that looks like their regular corporate login page.

    This strongly irritates me because the average consumer is not overly security aware but they do have a basic awareness. People know about bad passwords and poor security habits; they just don't always act on what they know. In the Forbes case, the user was aware but made a poor judgment. The problem is that the average consumer does not have computer security awareness drilled into them over and over again to internalize these behaviors.

    What irritates me is this: we in the security industry complain about consumers' poor security habits even though they have had little education in it, but what does it say about us when we ourselves have poor health habits despite an abundance of education? For example:

    * We all know too much sugar is bad for us. It makes us gain weight and is bad for our teeth. This is reinforced almost every day. How many of us eat too much sugar? And junk food in general?

    * We all know that an inactive lifestyle is very bad for us. Yet how many take steps to ensure we get our 10,000 walking steps per day? Or try to alleviate sitting for 6-8 hours per day like the typical office worker?

    * We all know that staring at computer screens is bad for our posture, our muscles, and our eyes. Yet we do it anyway in spite of health advice that tells us not to.

    * We all know that we consume too much energy in the first world. Yet how many of us make sacrifices to reduce our energy consumption without prompting from anyone?

    In other words, the average consumer makes mistakes in a very narrow set of circumstances. Yet the same people who call consumers “idiots” for making a bad choice in spite of their lack of knowledge make bad choices every single day in their own lives in spite of an abundance of knowledge.

    And that bothers me because it is a double-standard and we should know better.

  3. Criticizing others for falling for scams makes a Fundamental Attribution Error – not accounting for the situation

    From Wikipedia:

    ”The fundamental attribution error is people’s tendency to place an undue emphasis on internal characteristics to explain someone else’s behavior in a given situation, rather than considering external factors.

    For example, consider a situation where Alice, a driver, is about to pass through an intersection. Her light turns green and she begins to accelerate, but another car drives through the red light and crosses in front of her. The fundamental attribution error may lead her to think that the driver of the other car was an unskilled or reckless driver. This will be an error if the other driver had a good reason for running the light, such as rushing a patient to the hospital. If this is the case and Alice had been driving the other car, she would have understood that the situation called for speed at the cost of safety, but when seeing it from the outside she was inclined to believe that the behavior of the other driver reflected their fundamental nature (having poor driving skills or a reckless attitude).”


    Thus, from my point #1, this was a well-executed phishing attack. Saying other people are “idiots” fails to consider the circumstances in which this person clicked the link:

    – She was an editor who is asked to comment on articles like this regularly
    – She got an article and was asked to comment
    – She has to log in to pages regularly
    – She doesn’t normally see spam in her inbox
    – She is used to obvious spam like “Get your free Viagra” or something similar

    Security professionals have what I call an “empathy gap” where they are unable to see the situation from the average user’s perspective. It is obvious to us but it is not obvious to others.

    However, in my own life, there are many things that are not obvious to me:

    – I don’t know exactly how my furnace heater works (I paid a professional $800 to fix it this morning)
    – I don’t know exactly how the plumbing in my house works
    – I don’t understand the medical billing system or what many of the words mean when a doctor explains to me what is wrong with me
    – I don’t fully understand exactly how all the parts of my car work together

    When I look at myself, I am an expert in almost nothing in life. Because of this, I need to empathize with the average computer user, who has as little expertise in my field as I have in almost everything else. Were they really careless? Or am I misjudging them due to cognitive bias?

 

Anyhow, those are my thoughts on consumers getting hacked. I’m not picking on Forbes because it could happen to anyone. According to some sources, it has happened to every organization in the Fortune 500.

Read Full Post »

This is going to be a long post.

How I spent my weekend

This weekend I took a quick glance at the World Economic Forum's Global Risks for 2014 report. The WEF is a Swiss nonprofit foundation that describes itself as an international organization dedicated to improving the state of the world by engaging business, political, academic and other leaders in society to shape global, regional and industry agendas (I pulled that description off of their Wikipedia entry). They bring together 2500 leaders and convene to compile a report of threats as well as how to combat them. The 2014 meeting, held in late January, had the theme "The Reshaping of the World: Consequences for Society, Politics and Business."

They face criticism; anti-globalization activists claim that capitalism and globalization increase poverty and destroy the environment (they are right in some ways, not wrong in others).

Anyhow, I was reading the report about the leading risks the world faces, and they divide them up into five categories:

  • Economic risks
  • Environmental risks
  • Geopolitical risks
  • Societal risks
  • Technological risks (purple in the chart below)

Within each category there are 6-8 specific problems except for technology where there are only 3. If you want more details I’d encourage you to read the report yourself (linked above).

What I want to focus on is how they rate the risks, as per the diagram below:

[figure: WEF Global Risks 2014 chart, impact (vertical) vs. likelihood (horizontal), with technological risks in purple]

The impact – how bad something would be if it happened – is plotted on the vertical axis and the likelihood – the probability of it occurring – is plotted on the horizontal axis. The worse an event is, the further up it sits; the more likely it is, the further right. The risks to worry about most are in the upper right.

Looking at these, the acquisition (and presumably use) of weapons of mass destruction would cause a lot of damage but the odds of it occurring are small. On the other hand, mismanaged urban development is not nearly the impact of WMD’s but is much more likely to happen.

I looked at this chart and I created another category – Expected Impact. To do that, I multiplied the Impact by the Likelihood to come up with a third category that estimates how bad something is in objective(ish) numbers. The chart above doesn't have the numeric values, only the plotted points, so I estimated their relative values by eyeballing them.

The Results

Of the 31 threats, Technology is responsible for 3 of them. Cyber attacks rate #7 and Data Fraud/Theft rate #8. The rest of the top 10:

  1. Extreme weather events
  2. Climate change
  3. Income disparity
  4. Unemployment and underemployment
  5. Water crises
  6. Fiscal crises
  7. Cyber attacks
  8. Data fraud/theft
  9. Biodiversity loss and ecosystem collapse
  10. Natural catastrophes

As someone who works in computer security fighting spam (among other things), it gives me a sense of pride to know that the World Economic Forum ranks the problem my industry works on among the top 10 most important things facing humanity.

By that, I mean that cyberattacks (#7) are a serious issue, and working to enhance things like email authentication (e.g., DKIM and DMARC) strengthens the Internet and makes it more difficult for attackers to take it down. Reducing spam increases trust on the web, and creating products that make software secure lowers the risk of a cyber attack. I play a small role in this; many others reading this do as well, and we should take pride in it.

I won’t go into the full details about what the WEF means by this category, but the WEF defines cyber risks as crime, hacktivists, espionage and war. The worst case has been called “Cybergeddon” where the Internet would no longer be divided between attackers and defenders but between predators and prey. Because this would cause a loss of trust between people, they would rely upon the Internet less and less. The most transformative technology since the Gutenberg press would regress, to the loss of humanity.

It is a question of trust.

How this affects me

Part of my job is to create a more secure Internet; it’s what I do. My responsibilities at work are to help drive authentication in email. It’s my small part of the world and one thing where my abilities are useful in real life.

This is important to me. A few years ago, the wife and I looked into doing some sort of charitable work. After researching Doctors Without Borders, Engineers Without Borders, and a few other organizations, I realized that I have no useful skills in the developing world. I know nothing about medicine, I can’t build radios, and any physical strength I have is easily matched by anyone else (i.e., I provide no special benefit) and surpassed by people younger and stronger than me (plus, I have bad hips).


Large companies like Google and Facebook have made it their mission to help connect the developing world by providing them with Internet access. However, Microsoft founder and philanthropist Bill Gates has scoffed at this and said basic things like access to clean water, immunization against diseases and reduction in child mortality is far more important.

“I certainly love the IT thing,” Gates said in the interview. “But when we want to improve lives, you’ve got to deal with more basic things like child survival, child nutrition.”

He said that making it a "priority" for the whole world to be connected to the Internet was, "a joke."

“Take this malaria vaccine, [this] weird thing that I’m thinking of. Hmm, which is more important, connectivity or malaria vaccine? If you think connectivity is the key thing, that’s great. I don’t.”

Source: Vator.TV

Those are some tough words but he’s probably right.

As I have gotten older, I feel like I have become more cynical. I have started to become more aware of the wealth gap that exists today, and this is highlighted in the #3 risk above – income disparity.

I feel weird sometimes being in an industry that pays me as well as it does and wonder if I’m doing the right thing. Am I making the world a better place? Should I be doing something different?

Last week, the Seattle Seahawks won the Super Bowl and everyone around me was cheering. I was happy for them, too. The Seahawks were clearly the best team in the NFL this year.


I have watched football for nearly 25 years. But here’s the thing – as the press was writing glowing reviews about how the Seahawks worked hard to become champions, and how the owner of the Seahawks turned the franchise around and talked about him in glowing terms, and how so many fans were cheering, the following thought crossed my mind:

Middle class people who spent a lot of their income to watch the game are cheering for a bunch of millionaires and billionaires who will each be getting bonuses for one day’s work, the total of which is more than most of those cheerers make in a year.

I know that everyone on the team worked hard to get there and deserve the money they are paid, but it seemed weird to me that we would all cheer on the success of people who make more money than anyone else in the stands. It’s like “Hooray! You have more than I do! And now I congratulate you on getting even more!”

For the first time in my life, this puzzled me.

And this comes back to the top 10 list above. There isn't much I can do to fight climate change (outside of reducing my energy use, but let's face it – those of us in the developed world are responsible for most of this) and extreme weather events. I can give to charitable organizations to help reduce income disparity. But am I really making the world better?

I tell myself that at least I am making it not worse.

But with this report, with cyber attacks at #7, I can finally say that I am doing something worthwhile. This does not mean that I am correct in this belief. Instead, it means I can tell myself I am doing something worthwhile and that relieves my cognitive dissonance.

Perhaps I am helping the bottom line of the betterment of humanity after all.

That’s what I keep telling myself.

Read Full Post »

Don’t spammers know they are irritating the rest of us?

Lately, I have been thinking a little bit on why spammers spam. I have never conducted a large study of this, all of my research about their own explanations comes from my memory of articles I have read and videos I have seen of convicted spammers. They usually have a few explanations:

  • I did it for the money
  • I wasn’t annoying people
  • What I was (am) doing wasn’t illegal
  • You can always hit delete

I can understand the first motivation. It’s the middle two I want to examine. Many spammers think that they are providing a valuable service and that what they are doing isn’t that big a deal. Or, they minimize the irritation that they cause because the pursuit of money is more important.

Do spammers genuinely believe this? Or are they putting on an act? And if they do believe it, how can they possibly not know how annoying they are? And how much damage they are causing to the rest of the Internet? How can they possibly exist in the bubble that they do?

What can we learn from psychology?

I have a theory. I am going to try to explain it using psychology. This is only my theory, I am not trained in the psychological arts. Still, it’s my blog and I can write what I want.

One of the books I read this past summer was Steven Pinker’s The Better Angels of our Nature.


In the book, Pinker looks at historical trends regarding violence amongst humans (it has declined), why it has declined, explanations about why it occurs in the first place, and finally strategies for reducing it in the future.

The sample size of spammers amongst the human population is small, but all of us humans are prone to the same sorts of errors and biases. One of these is the Moralization Gap. Here’s an excerpt from Pinker’s book:


When psychologists are confronted with a timeless mystery, they run an experiment. They asked people to describe one incident in which someone angered them, and one incident in which they angered someone. The order of the two questions was randomly flipped from one participant to the next, and they were separated by a busywork task so that the participants would not answer them in quick succession. Most people get angry at least once a week and nearly everyone gets angry at least once a month, so there was no shortage of material. Both perpetrators and victims recounted plenty of lies, broken promises, violated rules and obligations, betrayed secrets, unfair acts, and conflicts over money.

But that was all the perpetrators and victims agreed on. The psychologists pored over the narratives and coded features such as the time span of the events, the culpability of each side, the perpetrators’ motive and the aftermath of the harm. If one were to weave a composite narrative out of their tallies, they might look something like this:

The Perpetrator’s Narrative:

The story begins with the harmful act. At the time I had good reasons for doing it. Perhaps I was responding to an immediate provocation. Or I was just reacting to the situation in a way that any reasonable person would. I had a perfect right to do what I did, and it's unfair to blame me for it. The harm was minor, and easily repaired, and I apologized. It's time to get over it, put it behind us, let bygones be bygones.

The Victim’s narrative:

The story begins long before the harmful act, which was just the latest incident in a long history of mistreatment. The perpetrator's actions were incoherent, senseless, incomprehensible. Either that or he was an abnormal sadist, motivated only by a desire to see me suffer, though I was completely innocent. The harm he did is grievous and irreparable, with effects that will last forever. None of us should ever forget it.

 


The psychologists next ran a follow-up in which they had people come in and read a fictional account of a college student helping another with some coursework. The first student reneges on his promise and the second receives a poor grade, has to change their major and switches to another university. The psychologists had the volunteers retell the story – some from the perspective of the first student (perpetrator), some from the second student (victim) and some from a third party (neutral) viewpoint. Both the victims and the perpetrators distorted the story to the same extent but in opposite ways, either omitting details or embellishing points to make their own characters look more reasonable and the other one to look less so. And this was for a fictional story!

The Self Serving Bias

This set of events wherein we minimize the gravity of our own infractions, and emphasize the damage of infractions committed by others is called the Moralization Gap. It is part of a broader phenomenon known as the Self-Serving Bias. This is when we interpret events in ways that are favorable to ourselves, but do not extend the same courtesy to others. From Wikipedia:

A self-serving bias is any cognitive or perceptual process that is distorted by the need to maintain and enhance self esteem. When individuals reject the validity of negative feedback, focus on their strengths and achievements but overlook their faults and failures, or take more responsibility for their group’s work than they give to other members, they are protecting the ego from threat and injury. These cognitive and perceptual tendencies perpetuate illusions and error, but they also serve the self’s need for esteem.

This is also called the Lake Wobegon Effect, after a fictional town where all the children are above average; the classic illustration is driving, where most people rate themselves as above-average drivers. When surveyors told everyone who said they were above average that everyone else had said the same thing, they stuck to their guns, insisting that they were above average. When the surveyors explained that it wasn't possible for everyone to be above average and that people inflate their own abilities, the respondents remained firmly committed to their own positions – everyone else was inflating their abilities, but they themselves were perfectly capable of assessing their own superior driving ability.


The reason why we do this is because it's an evolutionary adaptation, a survival technique. It persists in humans because it was useful in getting us to where we are today. We are quick to see why everyone else is a hypocrite because it helps cut others down to size. Back when we were hunters on the African savannah for hundreds of thousands of years, social status was crucial (it still is). People higher up the social ladder had better reproductive odds, and the ones that were higher up survived to pass on their genes. If you could fake a higher status, so much the better!

Of course, if someone else was faking it, displaying a status (and therefore odds of attracting a mate and reproducing) higher than your own, it was in your best interest to point out that they were hypocrites and not of a higher social standing than you. Better to push them down and pass on your genes than let them go on faking it while you pass into oblivion.

By contrast, faking it yourself was in your best interest. If you could convince others that you were the best, the top of the ladder, then your odds of reproductive success and passing on your genes would increase. And even better: rather than merely faking it, if you genuinely believed you really were better than anyone else, you would convince others even more effectively. You wouldn't have the tell-tale signs of deception like fidgeting, sweating, or needing to keep your lies straight. Thus, it's in your own best evolutionary interest to believe in your own greatness regardless of whether or not it is true, and to point out the hypocrisy of others to prevent them from getting ahead.

And that’s why the Self-Serving Bias exists. We exonerate ourselves while not granting the same leeway to others.

And this brings us back to spammers. The reason they don’t see why they are so annoying is because of this Moralization Gap. They are minimizing the damage of the infractions they are committing and the Self-Serving Bias prevents them from seeing it.

The Perpetrator’s Narrative:

What we are doing isn’t such a big deal: We have good reasons for doing it, we are making money and being a productive member of society. The damage is minor (only a few email messages) and easily repaired (hit delete). Just get over it and let bygones be bygones.

That’s why I think spammers don’t know (or don’t care) why they are so annoying – at one point they got into it and now they rationalize it with a feature of the brain that worked well in our evolutionary history but is now being used for the wrong reason.

That’s my theory.


Unfortunately, there is a twist

But there's one problem: self-deception has its limits, and it's difficult to show that it exists in all cases. To test this, psychologists asked a group of volunteers to help them evaluate a study where half of the people would get a pleasant and easy task (looking at photographs for ten minutes) while the others would get a boring and difficult one (solving math problems for 45 minutes). They then allowed the participants to pick which task they wanted to do and give the other task to a paired-off participant.

Most participants selected the easy task for themselves and gave the difficult task to the other participant (who was actually one of the researchers). When given a questionnaire afterwards, most of the participants said that their choice was fair. However, when describing these actions to another group of participants, most of them said it wasn’t fair at all.

Up to this point, this is all consistent with the self-serving bias.

The researchers probed deeper. Did the “selfish” participants really, deep down, think their choice was fair? Did their unconscious minds know of their own hypocrisy?

They tested this by tying up the participants’ conscious minds: some of them had to keep seven digits in memory while they filled out the questionnaire indicating whether or not their choices were fair. The truth came out: the participants judged themselves as harshly as they judged other participants. The reality was there all along; it just took some coaxing to bring it out. Be careful though: in the absence of ridicule, argument or time, the default state is for people to misjudge the harmful acts they have committed.

So, perhaps there is hope for spammers after all. Deep down, perhaps they do know that what they are doing is irritating (and illegal) but it is repressed in their unconscious minds.

Perhaps the final justification for why they spam is a Freudian slip – “You can always just hit delete.” Is this a tacit confession that the “service” they provide is not a service that everyone wants? Maybe. Spammers do use antispam filters to keep their mailboxes clean, they themselves do not want to be annoyed so they are aware to some extent what they are doing.

If only there were some way to make them memorize seven digits the next time they send out a spam campaign.

Read Full Post »

I have been fighting spam for 9 1/2 years. Sometimes I wonder what I am going to do after it, and how long I should even spend fighting spam. I’ve always said that I would stay until I had nothing left to accomplish. With any luck I could put myself out of a job.

That still hasn’t happened.

Lately I have been reading a little bit about what makes people happy. I’ve seen talks on TED about how to motivate people. As it turns out, for people who are in jobs that are highly creative and require critical thinking, extrinsic motivation like more money doesn’t work. That is, saying they’ll pay me more if I work harder is not a good motivator. It works for jobs like assembly line work, where what you do is measurable, but not for me, where the link between what I do and the end result is unclear.

image

When it comes to happiness, the wife and I saw a video recently where there are five things that contribute to it:

  1. Having new experiences

  2. Being part of a cause more important than yourself

  3. Having a wide social circle (family, friends) you get together with regularly

  4. Plus two more things I can’t remember

When I first started as a spam analyst back in 2004, I wasn’t making much money. However, I was pretty happy because I felt I was contributing to an important mission – fighting spam and I hated spam. I still hate spam. Sometimes when new people from other divisions join the team, others introduce me by saying no one else in the world hates spam more than I do.

Thus, even though I wasn’t getting paid very much, I enjoyed it. I was driven to be good at it and I wrote lots of blog posts in my spare time because it was fun.

You can see that this corresponds to #2; whether or not I was right or just being ideological, I saw the fight against spam as a mission more important than myself. I was making the world a better place.

(It doesn’t matter whether or not I actually was making the world a better place, it only matters that I thought I was).

image

Several years have passed since then, and a couple of years back I was thinking about leaving the team and moving internally. I am probably rewriting history, but I remember having conversations with other co-workers who were less ideologically devoted to stopping spam and more concerned with company profitability, even though the ideas they were presenting were wrong (in my opinion, of course).

I had a conversation with a co-worker that went something like this:

“Stopping spam is not important. Money is. It doesn’t matter whether or not the idea is good. Even if it’s bad, it’s about money. Money is what matters. It is all about money.”

That’s an exaggeration but not much of one. I was driven by being a good internet citizen and not polluting the Internet and my co-worker was telling me that this was a secondary concern.

Now, I am well aware that the goal of a business is to make money. Businesses are not charity. If it’s not making money, then I am out of a job. I understand that.

But the flip side is that the goal of making money (wherein I receive a very small fraction of the profits) is not a cause that is bigger than myself (#2). Whereas humans need that for happiness, money does not meet that requirement. It is an extrinsic motivator, not an intrinsic motivator. As I explained in my last post, money does make you more happy but there are diminishing returns.

image

This is the paradox of me fighting spam – as soon as I see that my goals and efforts are “merely” contributing to the company’s bottom line and making money, the business will be more successful and more profitable, but this will decrease my motivation. Once spam is solved, what do I do next?

I get paid very well at Microsoft. It’s allowed me to not have to worry about money, my health care is mostly paid for and I get to travel (e.g., Ireland, San Francisco, Vienna and Prague). But what keeps me going is the belief that I am making the world a better place and it’s not just about the money.

So what would I do once my job is done?

I think I’d still stay in the security space. I sometimes think about moving to the Digital Crimes Unit. I think it’d be fun to help co-ordinate botnet investigations with the company and with others in industry as well as law enforcement. I think it’d be fun to bring together multiple sources of fraudulent Internet activity. All in the noble pursuit of making the world a better place. I think that is what I would want to do next.

But not yet. My work fighting spam is not yet done.

Read Full Post »

For nearly all of my time at Microsoft, where I work as a Program Manager, I have had no desire to manage people. I have been able to get away with this for years because I have only been there for 8 1/2 years and they usually want more senior people to manage others. I don’t know how long I can get away with this because there’s a motto – Either move up or move out. I don’t know how long I can last as an individual contributor, rather than having to go into management (of people).

So why don’t I want to be a manager of people?

#1 – The technology interests me too much

I like learning about technology. As an individual contributor, I can do a deep dive into how something works and implementing it. I like to be an expert about technical things.

I interviewed for a manager position one time and I thought it would be 30% management and 70% technical. It turns out that expectations were 30% technical and 70% management, the exact opposite ratio.

This would mean that I wouldn’t get as much time to do what I really enjoy – learning the technical aspect. I couldn’t become an expert on it, learning it for myself.

That is a big deterrent.

#2 – The money isn’t a big draw for the additional burdens

It’s true that as a manager my pay would go up. I also think that good managers are probably more important than good technical people and that’s why they are paid more.

But it isn’t that inviting.

I’ve read about a study in the United States about whether or not money really does buy happiness. The result: Yes, it does. But only up to a point.

You see, if you are poor, that makes you miserable. Being sick, or hungry, or cold (because the heat is too low) makes you unhappy. Having money for shelter and physical needs adds to your happiness by meeting your basic needs.

Once you have enough money to live in relative comfort and you have the ability to do nice things occasionally, such as go out to eat or see a movie or a play, that’s the extent of happiness money can buy. Afterwards, it doesn’t make much difference. So yes, money can make you happy, but there is a cut-off level.

In the USA, that level is about $75,000/year. In some parts it’s a bit more (e.g., New York and San Francisco) and in other parts it’s a bit less (e.g., Oklahoma and Kansas). But by and large, $75,000 is the amount to shoot for.

If I were a people manager, I wouldn’t get to do the things I like (learning technical stuff) and instead I would have the headaches of managing people. Sure, I’d get paid more but according to the above, the additional money would make no difference to me. Instead, work would be more stressful but the extra money wouldn’t make me any happier.

Instead, why not do something I like to do? I’m already at the optimal pay scale. I think I am happier where I currently am than I would be if I made a change.

* * * * * * * * * * * *

That’s why I don’t have any intention of going into management.

Read Full Post »

A couple of weeks ago, I read a blog post on the Wall Street Journal where they were commenting on comments made by Brad Smith, Microsoft’s top legal counsel. His comments were in response to latest revelations that the NSA sometimes sniffs network traffic between data centers:

Microsoft’s top lawyer compared the National Security Agency to elite hackers, and said the technology giant will encrypt customer information traveling between its data centers, according to a company blog post published Wednesday night.

That makes Microsoft the latest Internet company – following Google, Facebook and Yahoo – to say it is encrypting internal traffic in response to NSA snooping efforts. The agency sometimes siphons off customer information traveling on rented fiber optics cables between U.S. company data centers, former U.S. officials have said.

Brad Smith, Microsoft’s general counsel, said the NSA is circumventing the legal process if those assertions are accurate. Smith, of course, does not mention the NSA by name, but clearly alludes to them.

“If true, these efforts threaten to seriously undermine confidence in the security and privacy of online communications,” Smith said in the blog post. “Indeed, government snooping potentially now constitutes an ‘advanced persistent threat,’ alongside sophisticated malware and cyberattacks.”

In other words, Microsoft is not okay with unauthorized government collection of user data.

image

But a more interesting article is one in Wired entitled Clash of the Titans! Inside Microsoft’s Battle to Foil the NSA. The title sounds like a spy novel, and in it Wired talks with Microsoft Technical Fellow Mark Russinovich who is one of the lead architects in Azure.

I have never met Russinovich but I have heard his name and seen it in various articles and possibly on email threads. But the part I want to get to is Russinovich’s opinion on whether or not Microsoft collaborates with the US government on creating back doors into its systems:

Amid the Snowden revelations, many pundits have also wondered whether the Microsoft brain trust — the people who run the company — have actively worked with the NSA to provide access to data. More than a decade ago, privacy geeks questioned Microsoft’s relationship with the agency when a researcher discovered a variable called “_NSAKEY” buried in the Windows operating system. More recently, Snowden’s leaked documents reportedly show that Microsoft cooperated with the FBI to make sure the government — including the NSA — could access Outlook.com e-mail.

But Russinovich says the NSAKEY controversy was a red-herring, and he believes that Microsoft would only be hurting itself if it cozied up to the NSA. “I can’t say for sure that that hasn’t happened, but I will say that I’m really skeptical that it could. The risk to the business is monumental,” he says. “Without trust, there is no cloud. You’re asking customers to give you their data to manage, and if they don’t trust you, there’s no way they’re going to give it to you. You can screw up trust really easily. You can screw it up just by showing incompetence. But if you show intentional undermining of trust, your business is done.”

The way I interpret these comments is that Microsoft never knowingly puts in back doors into its software and gives them to any government. To say that he can’t say for sure means that there may be some secret program he is not aware of but it would be localized to a very small group of people and it would be difficult to keep secret given the amount of scrutiny code receives internally.

That’s my view, too, but I’m just a ham-and-egger here within the company. I’m not that far up the chain.

image

But this is not what I want to focus on, either. Instead, I want to look at a psychological phenomenon known as The Backfire Effect.

Many of us here are familiar with Confirmation Bias. This is when we, as people, look for things we agree with and ignore things we don’t agree with. For example, if you’re a staunch Republican you probably watch Fox News and read right-wing blogs. If you’re a die-hard, left-wing liberal you probably watch Rachel Maddow and read The Huffington Post.

Confirmation Bias has been studied many times and confirmed multiple times over and it’s not just politics. It is psychologically painful to be on one side of an issue and read or listen to the opposing side. Try it yourself sometime – if you’re a political left-winger, watch Fox News’ editorials for 20 minutes without changing the channel. If you’re a political right-winger, watch Rachel Maddow for 20 minutes and not tune out. You will struggle to reach the end of that 20 minutes. It will feel like such a relief when you flip back to what you already agree with.

The Backfire Effect is related to Confirmation Bias. It occurs when you are given material that contradicts what you currently believe: you discard it, and it then ends up actually reinforcing what you previously believed. It doesn’t change your beliefs; it makes you more secure in what you thought previously.

From You Are Not So Smart:

In 2006, Brendan Nyhan and Jason Reifler at The University of Michigan and Georgia State University created fake newspaper articles about polarizing political issues. The articles were written in a way which would confirm a widespread misconception about certain ideas in American politics. As soon as a person read a fake article, researchers then handed over a true article which corrected the first. For instance, one article suggested the United States found weapons of mass destruction in Iraq. The next said the U.S. never found them, which was the truth. Those opposed to the war or who had strong liberal leanings tended to disagree with the original article and accept the second.

Those who supported the war and leaned more toward the conservative camp tended to agree with the first article and strongly disagree with the second. These reactions shouldn’t surprise you. What should give you pause though is how conservatives felt about the correction. After reading that there were no WMDs, they reported being even more certain than before there actually were WMDs and their original beliefs were correct.

They repeated the experiment with other wedge issues like stem cell research and tax reform, and once again, they found corrections tended to increase the strength of the participants’ misconceptions if those corrections contradicted their ideologies. People on opposing sides of the political spectrum read the same articles and then the same corrections, and when new evidence was interpreted as threatening to their beliefs, they doubled down. The corrections backfired.

Once something is added to your collection of beliefs, you protect it from harm. You do it instinctively and unconsciously when confronted with attitude-inconsistent information. Just as confirmation bias shields you when you actively seek information, the backfire effect defends you when the information seeks you, when it blindsides you.


When you read a negative comment, when someone dumps on what you love, when your beliefs are challenged, you pore over the data, picking it apart, searching for weakness. The cognitive dissonance locks up the gears of your mind until you deal with it. In the process you form more neural connections, build new memories and put out effort – once you finally move on, your original convictions are stronger than ever.

image

Via XKCD.

If you’re reading this, I hope you don’t feel too smug. I do this all the time. And so do you.

And that brings me back to the article in Wired. The gist of the article is this:

  • Microsoft was surprised by the scope of data collection by the US government
  • Microsoft is planning to encrypt all of its data
  • Microsoft does not insert any back doors into its software

Let’s now head to the comments of the article. An example of the Backfire Effect would be this: “Microsoft says they don’t insert back doors. Well, the fact that they deny it proves that they do it! Why else would they deny it!”

Do we see any examples like this in the comments? Yes, we do!

“Smokescreen. Microsoft regularly hands over encryption keys to governments such as India, Pakistan, UAE, China (and others), so they can monitor Skype and other programs.

As usual, follow the money. This is nothing more than a sophisticated PR campaign by the mega-corps”

And this:

yeah right, after MS being the first one to hop on the NSA bandwagon we now have to believe that they are fighting them, lipstick on the pig. I don’t believe anything from a company whose business model was always about monopolizing and using their customers at any cost.

And this:

what’s in it for Microsoft? you ask
GOVERNMENT CONTRACTS MONEY$$$$$$


And this:

Microsoft? The same company that altered Skype so that all calls go through a server that they control instead of directly between the two callers so it would be easy for the government to spy on them?

Yeah, this sounds like a puff piece of PR crap.


And this:

This M$ fluff piece is up there with 60 Minutes. Sad and tired, Wired.

Example after example of people discarding what the article said and re-iterating what they previously believed. This is a textbook example of the Backfire Effect. And here’s the thing – the more informed a person is about something, the more biased they are towards their own beliefs.

That’s part of the problem of an Internet-connected world with social media and news articles. Aren’t we supposed to live in an information utopia where we can learn everything, where right beliefs are only a few clicks away?

Yes, we do live there. But, our brains are not wired that way. For you see, millions of years of evolution have programmed us to protect our beliefs and shield our sense of selves from conflicting evidence. Rather than using the Internet to correct ourselves, we use it to reinforce what we believe. We quickly run to the sources that make our brains feel good and we express it online despite what anyone else says. From You Are Not So Smart:

When our bathroom scale delivers bad news, we hop off and then on again, just to make sure we didn’t misread the display or put too much pressure on one foot. [tzink – I do this] When our scale delivers good news, we smile and head for the shower. By uncritically accepting evidence when it pleases us, and insisting on more when it doesn’t, we subtly tip the scales in our favor.

– Psychologist Dan Gilbert in The New York Times

That is not to say Microsoft does or does not put in back doors (I don’t know but like Russinovich, I doubt it).

But I do know this – I will interpret the evidence in a way that I already agree with. And so will you.


image

Read Full Post »

This is going to be a long post.

I have been following this NSA spy-story for several months now ever since Edward Snowden started revealing back in the summer that the US government was spying on everyone.

At the time, I wasn’t sure how I felt about it. Based upon what I was reading from security experts (and I am oversimplifying the discussion… sorry about that), I was supposed to (a) care a lot, and (b) be outraged.

When it comes to government accountability, I am not the most informed person. I do try to keep up with technology, policy and governance but I only have so much mental bandwidth. After work, I like to relax and rather than reading discussion forums and important articles, I frequently watch Netflix (I just made my way through Orange is the New Black, in case you are wondering). Sometimes I like to read books on my Kindle (I just finished You are now Less Dumb), or just doodle around on my iPad. I have read some stuff on spy-gate, but I don’t know all the nuances of the arguments for it on both sides.

Thus, when it comes to a complicated topic like NSA spying, I end up relying upon my gut instinct. This is a poor way to make decisions. But, in my defense, everyone uses gut instincts to make decisions most of the time. We humans are subject to dozens and dozens of biases. Most of the time, we make snap decisions intuitively and then make up logic to rationalize why we think this way.

This is not how we think we make decisions but it is how we do it most of the time. And sometimes it works; back when the United States was talking about taking military action against Syria, I was strongly against it. I am not blasé about all things.

image 

When I hear people in my local social circles – the ones outside of security and even a few inside of it – talk about the NSA, most of them are a little surprised by the scope of it but don’t really give it much thought. Many joke about it.

Many references to it in pop culture are equally dismissive. The South Park episode Let Go, Let Gov parodies people who actually do care. Eric Cartman is outraged at the NSA spying scandal, so he infiltrates the NSA and exposes all of their hacking. Yet immediately afterwards, he is shocked by the amount of nonchalance everyone around him has. Indeed, he starts crying to his mother because he exposed everything they were doing, yet no one cared. He tries to push the NSA into violating his constitutional rights, but they dismiss him as “fat and uninteresting.”

I’m tempted to take this thinking as most people don’t care about NSA spying but this would make me guilty of the availability bias – the belief that since my immediate social circles think a certain way, that everyone thinks this way. Maybe only those around me don’t give it much thought. Or maybe people who matter think this is a big deal (i.e., people on Intelligence committees).

Yet the other day on All Things D, an article entitled People are More Freaked Out by Hacking than Tracking shows the following:

  • 75% of people surveyed were worried about hackers stealing their personal information. As if to underscore this, Target admitted it leaked 40 million credit and debit cards over the 2013 Thanksgiving weekend and now these are for sale on the black market.
  • 54% of people are worried about their browsing history being tracked by advertisers.
  • Only 15% reported the top threat is government accessing people’s information.

image

After reading the article, I ran through my own mental processes – the things which I worry about online the most are those three things, in that exact order. I’m just like everyone else.

I check my credit card statements looking for possible fraud and I get angry when my credit card is leaked and I have to change it. I keep my anti-virus up-to-date and I have started using more unique passwords.

I delete my cookies regularly, clean my cache and sometimes use private browsing. I have adjusted the privacy settings on some websites I visit and I sometimes read privacy policies (parts of them, anyway).

As you can see, the two things that I think matter the most to me I have taken action to lower my risk.

By contrast, ever since the NSA story broke, I have changed nothing about my habits. Not one thing. Furthermore, I don’t worry about the NSA spying on me because in the back of my mind, my gut instinct says “You’re too boring for the NSA to care about.” I don’t worry about them stealing my credit card information, searching my browser history or tracking my online behavior. Maybe I should be worried, but I’m not.

So how come I’m not?

Like I said, this is a gut instinct (in Daniel Kahneman’s book Thinking Fast and Slow, this is called System 1 thinking; for a full explanation, read the Wikipedia summary). The threat from hackers is clear to me: they might steal my identity and I can see the fall out – they could steal money from my financial accounts, or they could degrade my credit, or they could infect my computer with malware. These are all real and tangible and I can see a direct link between hackers and bad things that come as a result of being hacked.

Privacy is a little tougher but I can still see the issue – online retailers, browsers, and large corporations are tracking everything I do and sending data back to a central processing unit and then sending me something based upon what I do. This “something” is usually advertising. I’m not quite sure how I feel about that targeted advertising since I use the Internet to do things I enjoy, and now that’s being used “against” me by private corporations for their own profit. A bit more blurry, this one.

But when it comes to NSA tracking, I have a very hard time seeing the fallout and that’s the problem. The cost is hard to see.

image

Defenders of the NSA spying program say that if you’re not doing anything wrong, you have nothing to worry about. My System 2 thinking – the part of my brain that is logical, reasonable and analytical – knows that this is true on some level, but it also knows that we are entitled to privacy rights. Yet it also doesn’t fully understand the arguments. My System 1, on the other hand, happily accepts this argument:

“The NSA is looking for criminals and terrorists. Since I am not one, I have nothing to fear and there’s way too much data they are collecting for this to be a problem since I can hide in my own obscurity. This is different than companies tracking me and selling my information or targeting me with ads. They are browsing my legal, normal behavior looking for patterns, whereas the NSA is looking for people with malicious intent; they are looking for illegal behavior.”

And you know what? It’s probably true. The NSA isn’t targeting ordinary Americans.

My System 2 has to fight to overcome this belief. This is difficult because System 1 is nearly automatic, and System 2 is lazy (this is true in all humans, even you). It frequently just goes along with what System 1 says. Did you ever wonder why sometimes you are tired after a long day of thinking? Because System 2 drains a lot of your physical energy.

Last week, General Keith Alexander appeared on the TV show 60 Minutes to defend the NSA program, and The Guardian posted a rebuttal. They have the best summary I have seen about why the NSA program is wrong:

Very few people think the NSA is staffed by mustache-twirling villains who view the law as an obstacle to be overcome. The real concern is two-fold.

First, even if NSA doesn’t mean to break the law, the way its data dragnets work in practice incline toward over collection. During a damage-control conference call in August, an anonymous US intelligence official told reporters that the technical problem bothering Bates in 2011 persists today. The NSA even conceded to Walton in 2009 that “from a technical standpoint, there was no single person who had a complete understanding” of the technical “architecture” of NSA’s phone data collection.

They haven’t succeeded yet in convincing me why this is a problem, not enough to override my System 1.

Second, there is a fundamental discrepancy in power between the Fisa court and the NSA. The court’s judges have lamented that they possess an inability to independently determine how the NSA’s programs work, and if they’re in compliance with the limits the judges secretly impose. That leaves them at the mercy of NSA, the director of national intelligence, and the Justice Department to self-report violations. When the facts of the collection and the querying are sufficiently divergent from what the court understands – something the court only learns about when it is told – that can become a matter of law.

In other words, it can be simultaneously true that NSA doesn’t intend to break the law and that NSA’s significant technical capabilities break the law anyway. Malice isn’t the real issue. Overbroad tools are.

And therein lies the problem; in the United States, the government is built on a system of checks-and-balances. It seems like the government sometimes can never get anything done, but that’s because it’s supposed to be hard to get things done. With the NSA system, the courts say they can do X but there’s no way to make sure that’s all they are doing. We have to trust them to do what they say they are doing.

image

So you see, intellectually, I understand the issue (or rather, I understand what The Guardian is saying the problem is; you readers might have other issues like the government should straight up not be reading your email, ever). But even though I understand it, I still have trouble really caring about it.

In order to do this, I have to make it more emotional. Here’s the way I do it – the whole situation reminds me of an episode of The Simpsons, back when the show was funny. A cat burglar has plagued the city of Springfield so Homer forms a vigilante group and sets out to stop crimes. While he does succeed in stopping some crimes, he ends up causing others. For example, while underage drinking is down, sack beating with doorknobs is up. Homer’s task force is popular with the people because he has taken the law into his own hands, but the trouble is the city now has unabridged power without the checks and balances.

Homer is basking in his glory when Lisa asks him a question: “Dad, don’t you see? If you’re the police, who will police the police?”

Homer shrugs and flippantly responds “I don’t know. Coast Guard?”

image


It’s a very funny moment and it is the only argument I can think of that makes me think that the problem is not so much that I personally have nothing to hide so who cares, but rather, that an entity with unconstrained power has the ability to spiral out of control. This is not a linear relationship the way malware and hacking are. The reason I don’t care as much is because it requires my System 2, and System 2 doesn’t like to work.

I think that’s how I feel about the NSA scandal. To those of you who think I’m too flippant, sorry about that.

But it’s better than not caring at all.

Read Full Post »

I’ve been aware of password managers for years but I never used one – I was skeptical. While I understand their benefits, I always thought they would be too inconvenient to use.

I’m going to assume that you’re aware of what these things are – little pieces of software that keep track of all the passwords you use to login to various websites, and the only way to get at them is to enter in your one master password. So, instead of memorizing a ton of random passwords (which no one does), you only need to remember one. The password manager can even generate passwords for you if you want, and then you just need to reset your password on whatever website you log into with the one that was randomly generated.
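To make the mechanics in that paragraph concrete, here is a toy vault written as an added illustration; it is not code from this post or from any real password manager. It shows the three pieces a manager is built from: the single master password is stretched into keys with PBKDF2, every stored entry is encrypted and integrity-checked under those keys, and new site passwords come from a cryptographically secure random generator. To stay standard-library only, the cipher is an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag; a real product would use AES-GCM or ChaCha20-Poly1305 instead. All names (Vault, store, fetch, reopen) and the sample site and credentials are made up for the example.

```python
"""Toy password vault: one master password unlocks every stored secret.

Added example, not from the post or any real product. Standard library only;
the HMAC-based stream cipher stands in for an AEAD such as AES-GCM.
"""
import hashlib
import hmac
import json
import os
import secrets
import string

PBKDF2_ITERATIONS = 200_000          # slows down offline guessing of the master password
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def derive_keys(master_password, salt):
    """Stretch the master password with PBKDF2-HMAC-SHA256 and split the
    64-byte output into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key, nonce, length):
    """HMAC(key, nonce || counter) blocks concatenated: a PRF in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_entry(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag over nonce and ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_entry(enc_key, mac_key, blob):
    """Verify the tag in constant time before touching the ciphertext; a wrong
    master password produces wrong keys and therefore a tag mismatch."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or corrupted vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def generate_password(length=20, alphabet=ALPHABET):
    """Random site password from the OS CSPRNG (secrets), never from random.random."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


class Vault:
    """In-memory vault keyed by site name; only the master password opens it."""

    def __init__(self, master_password, salt=None):
        self.salt = salt or os.urandom(16)   # stored with the vault, not secret
        self.enc_key, self.mac_key = derive_keys(master_password, self.salt)
        self.entries = {}                    # site -> encrypted blob

    def store(self, site, username, password):
        record = json.dumps({"username": username, "password": password}).encode()
        self.entries[site] = encrypt_entry(self.enc_key, self.mac_key, record)

    def fetch(self, site):
        return json.loads(decrypt_entry(self.enc_key, self.mac_key, self.entries[site]))

    def reopen(self, master_password):
        """Simulate unlocking the saved vault again, with a possibly wrong master password."""
        other = Vault(master_password, self.salt)
        other.entries = self.entries
        return other


if __name__ == "__main__":
    vault = Vault("correct horse battery staple")      # constructed sample master password
    site_pw = generate_password()
    vault.store("example.com", "tzink", site_pw)         # constructed sample entry
    print(vault.fetch("example.com")["password"] == site_pw)   # True
    try:
        vault.reopen("wrong password").fetch("example.com")
    except ValueError as err:
        print(err)                                      # wrong master password or corrupted vault
```

The point to notice is that the vault never stores the master password at all; it only keeps the salt, and the MAC check is what tells a wrong master password apart from a right one. That is also why resetting a site password to a generated one costs nothing in memorability: the only secret left in your head is the master password.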

I broke down this past week and decided to stop relying upon my brain to do my password management and instead use software. I did this for two reasons:

  1. For security

    I have quasi-uniqueness for many of my passwords, but I do reuse some of them for web sites I don’t care about that much.

  2. Because my $WORK is making me

    At work, I have to log in to a bunch of different environments and it’s pretty much impossible to keep track of them. Furthermore, they rolled out a change this past month where you can’t pick your own password to log in to these environments (excluding my PC logon); they generate them for you. Either I write them down or I use a password manager. The password manager won.

We had a security presentation a few weeks ago and the one thing I remember is that the recommended piece of software to use internally at the company is called… well, I’m not sure if I am supposed to advertise it so I will refer to it as ComboPass. I hope that doesn’t actually exist, I don’t look things up while I am blog-writing. This is a 3rd party tool and the reason the company recommends it is because it integrates with certain other tools we use like Windows Phone (I can’t recall if this is the real reason but I’m on a roll and can’t be bothered to stop typing).

First impressions

Anyhow, I downloaded the tool, installed it, and… nothing happened. Did it work properly? I started digging through the help guides and figured out that a little icon shows up in my Windows SysTray.

Oh. Right.

I double-clicked the icon and created a new master password to unlock it. Now what? I looked at the screen and I couldn’t figure out what to do. This may seem obvious to all of you but I didn’t know what my next steps were. Weren’t these things supposed to be easy to use? In my mind, I envisioned that every website I used could easily integrate with this stuff.

Eventually, I figured out that I had to right-click and add a new entry. I guess that makes sense, looking at it in retrospect.

Well, first things first. The main reason I have resisted using a password manager is this – won’t I have to sync this across all my devices?

I have a Windows 8 PC, a Windows 7 PC, a Windows Phone, an Android tablet (which I got for free), an iPad 3, and an older iPad which I also got for free. My wife also has a Mac. I don’t use all of these devices at the same rate. But I do use them all once in a while. Was I going to have to install ComboPass on every single one of these?

I decided to start small. To begin with, I decided to save only my work environment passwords on my primary Windows 8 machine, but I made the mistake of saving the password file to the local hard drive. I generated some new passwords and stored them in ComboPass.

Now how do I use them?

Oh, I have to copy/paste them when I want to login. But first I have to unlock ComboPass every time using that new master password I generated for it and I don’t have it memorized yet.

Ugh. What an inconvenience. But at least those crazy work passwords are stored so I don’t have to remember them anymore.

Syncing to another device

Okay, well, since I have two main PCs – Windows 8 and Windows 7 – I figured I better get ComboPass set up on Windows 7. I downloaded and installed it and then pointed it at a password file on SkyDrive Pro (Microsoft’s enterprise cloud storage solution). I copied my Windows 8 password file from the hard drive on that PC onto SkyDrive Pro where my Windows 7 machine could pick it up. So, now they’re synced!

That was not going to end well, as we’ll see later.

Aside: I got my Windows 8 PC back in May and I do most of my work on it, but I retain my old Windows 7 PC for a couple of reasons:

  1. I like the hardware better. The keyboard “clicks” better, and the mouse trackpad is more responsive.

  2. I can’t figure out how to get certain connectivity to the corp network working in Windows 8 the way it works for me in Windows 7. This is clearly user error. But this user’s workaround is to use Windows 7 instead of calling the IT department to fix it.

My website logins

Next up – my website logins. I am not thrilled about the possibility of having to copy/paste my password from ComboPass into Amazon, Mint, Netflix, my banks, etc. every time I want to log in to them (I don’t save them in my browser; I retype them each time I log in). So, I decided to experiment with a website I don’t care about as much – FutureAdvisor. This is a website that analyzes your stock portfolio and makes recommendations on the best way to balance it. Pretty cool, if I could get it to work. I reset my password for it and stored it in ComboPass.

At this point, I only have a few things stored in ComboPass. But then I realized something – my Windows 7 device pulls the password file from SkyDrive Pro, but my Windows 8 device pulls it from the local hard drive. That shouldn’t be; I copied it from the hard drive to SkyDrive Pro.

That was a mistake.

For you see, I wasn’t keeping things in sync (I know, it’s my fault): I overwrote the password file and locked myself out of FutureAdvisor along with a couple of other websites.

Ugh!

And I can’t reset my password because FutureAdvisor’s password reset currently doesn’t work. Every time I click the “reset my password” link, which sends me an email, it tells me the link has expired. It is physically impossible to click it any faster than I am doing.

I know it’s always possible to lock yourself out of your own accounts even using conventional password management. But this only happened because of me using a password manager and trying to sync it between only two devices.

My impressions so far

So far, my initial reactions are mixed. While I like the ability to not have to remember my passwords:

  1. Remembering the new master password is inconvenient. I had to write it down and physically carry it with me on a piece of paper.

  2. Copy/pasting from the password manager is inconvenient. I liked being able to log on to Amazon by typing in my username and password (I had it memorized and it is unique). It is now an extra step. Or at least it would be if I hooked it up to Amazon. I thought these things were supposed to auto-fill web logins? Right?

  3. Even though I know that locking myself out of FutureAdvisor was my fault, and it’s their fault the password reset doesn’t work, it feeds my paranoia that using a password manager adds too much complexity. I don’t mind adding accounts that I only access on two devices that sync with Skydrive Pro. But am I going to have to type in those super-long passwords on each of my Windows Phone, iPad 3, old iPad and Android?

    So for now, I still memorize the passwords on websites that are important which I may log onto on multiple devices (which defeats the purpose of a password manager).

  4. What happens if I ever cannot connect to SkyDrive Pro (e.g., I ever leave the company I work for)? Then I can’t log onto anything! I’d have to go and reset the password on every service and then update it on every device.

    I prize convenience, and this adds a lot of risk.

I am probably whining about a lot of things that have already been solved. I readily admit that I have not climbed the learning curve that exists for changes in anything. While I find the password management useful in some cases, I’m not ready to make the full leap.

Yesterday, while reading a book on my Kindle app (on my PC), I got an email from American Express with the subject line “Fraud Protection Alert.”

“Fraud protection?” I said (out loud, to no one in particular, except for possibly my cat who did not respond).

Yes, fraud protection. The email message had the last 5 digits of my account number, so I knew it was probably my card, and then it had the name of a merchant – Shell Canada – and a charge of $20.00 Cdn funds.

I racked my brain. Did anyone I know have my credit card in Canada at the moment? No, they don’t. I looked at the contact information and gave Amex a call where I subsequently reversed the charges, got the card cancelled and got a new one.

I don’t know how this card could have been breached. It is my corporate credit card, and I use it very rarely – only to travel on business. It stays with me at all times. How did some scammer steal it and use it?

I started making a paper trail in my head. Since nobody had physical access to my card, I could only assume that it was a breach – some hacker broke in to a business I had used and leaked all the credit card data, probably pasting it online somewhere. Some other scammer (or possibly the same one) used that leak to buy gasoline.

Working my way backwards, my theory is that the probable source of the leak is proportional to how recently I used the card. That is, if the last time I used the card was May 1, then that is the most likely source of the leak. If the second last time I used the card was April 28, then that is the second most likely source.

Now, you may not agree with this theory; however, because I use this card so rarely and the time span between major transactions is weeks (or months), it’s a good place to start for my usage pattern.

Using this as a starting point, I started thinking about what I’ve purchased in the past two months:

  1. Airline tickets
  2. Booked a hotel

Well, that doesn’t help much. Either the airline leaked it, or the hotel leaked it. If I were to guess, I’d guess the hotel leaked it since they are tempting targets for identity thieves because of their clientele (business travelers) and hotels don’t always have the same safeguards that banks do (airlines are under more scrutiny).

I called up my credit card company and canceled the card. They sent me a new one and it arrived today. Upon checking my account, I discovered that said thief charged three different purchases at a gas station in Calgary.

I am no closer to figuring out where this leak may have happened.

* * * * * * * * * * * * *

Fast forward to today, and I got a letter from my bank. I opened it up and inside is a new debit card. For you see, while they were doing routine fraud detection, they discovered some fraudulent activity on my card and sent me a new one.

What in the world?

First my credit card, now my debit card?

As disconcerting as this is to lose two cards in a week, it also potentially helps narrow down the target. Where did I use my debit card and credit card in the same place?

I went to my credit card website and made a list of all purchases from the start of the year. I figured that a likely suspect was this past February while I was at the MAAWG conference in San Francisco. That’s when I would use my corporate credit card.

Next, I checked my debit card purchases during that same time frame, looking to see if there were any vendors that were in common.

There was: the Buckhorn Grill in San Francisco. One day I went there because I was there on business, but I stayed an extra day in San Francisco and paid for it myself.

Two cards in one place.

Both cards leaked this week.

This could be a coincidence, but I don’t think so. I think that’s where the data leak occurred. I don’t remember much about the transaction, but either the card information wasn’t encoded and someone wrote down the number, or they had a breach.

I guess I’m not going back there again.

My theory about the “recency” effect was right, but I didn’t go back far enough. I had to go back 3 months in time rather than a few weeks.

While I don’t like getting my data exposed, it does make me feel better to engage in this detective work and figure out a likely place of origin.
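The detective work above, as an added example that is not the post’s own code: it ranks the merchants on one card by recency (the first theory) and then ranks merchants by how many of the compromised cards were used there, with recency only breaking ties (the second pass that found the common vendor). The card names, merchants and dates are constructed sample statements modelled on the post, not real data.

```python
"""Common-point-of-purchase analysis for a handful of compromised cards.

Added example, not the author's code. All merchants and dates below are
constructed sample data modelled on the post, not real statements.
"""
from collections import defaultdict
from datetime import date

# Constructed sample statements: card -> list of (transaction date, merchant).
TRANSACTIONS = {
    "corporate_credit": [
        (date(2013, 2, 18), "Airline tickets"),
        (date(2013, 2, 18), "Hotel, San Francisco"),
        (date(2013, 2, 20), "Buckhorn Grill, San Francisco"),
        (date(2013, 4, 28), "Airline tickets"),
        (date(2013, 5, 1), "Hotel booking"),
    ],
    "personal_debit": [
        (date(2013, 1, 9), "Supermarket"),
        (date(2013, 2, 21), "Buckhorn Grill, San Francisco"),
        (date(2013, 3, 14), "Supermarket"),
        (date(2013, 4, 30), "Gas station"),
        (date(2013, 5, 6), "Supermarket"),
    ],
}
# Constructed: the day each card's issuer flagged the fraud.
FRAUD_FLAGGED = {
    "corporate_credit": date(2013, 5, 10),
    "personal_debit": date(2013, 5, 14),
}


def recency_weight(txn_date, flagged, half_life_days=30):
    """Weight that halves every half_life_days before the fraud was flagged.

    This encodes the post's first theory: the most recent merchant is the
    most likely leak, older ones progressively less so.
    """
    age = (flagged - txn_date).days
    if age < 0:
        return 0.0  # a purchase made after the flag cannot be the source
    return 0.5 ** (age / half_life_days)


def rank_by_recency(card):
    """Single-card view: merchants ordered by their best recency weight."""
    best = defaultdict(float)
    for txn_date, merchant in TRANSACTIONS[card]:
        w = recency_weight(txn_date, FRAUD_FLAGGED[card])
        best[merchant] = max(best[merchant], w)
    return sorted(best.items(), key=lambda kv: kv[1], reverse=True)


def rank_common_points(cards):
    """Multi-card view: a merchant seen on more of the compromised cards
    ranks first; recency only breaks ties within the same card count."""
    seen_on = defaultdict(dict)  # merchant -> {card: best recency weight}
    for card in cards:
        for txn_date, merchant in TRANSACTIONS[card]:
            w = recency_weight(txn_date, FRAUD_FLAGGED[card])
            seen_on[merchant][card] = max(seen_on[merchant].get(card, 0.0), w)
    ranked = [(m, len(per_card), round(sum(per_card.values()), 3))
              for m, per_card in seen_on.items()]
    ranked.sort(key=lambda row: (row[1], row[2]), reverse=True)
    return ranked


if __name__ == "__main__":
    print("Most recent merchants on the credit card alone:")
    for merchant, w in rank_by_recency("corporate_credit")[:3]:
        print(f"  {w:.2f}  {merchant}")
    print("Merchants ranked across both compromised cards:")
    for merchant, n_cards, score in rank_common_points(list(TRANSACTIONS)):
        print(f"  cards={n_cards} score={score:.3f}  {merchant}")
```

On this data the single-card ranking points at the most recent hotel booking, while the cross-card ranking surfaces the one merchant both cards share, which is exactly the difference between the two passes in the post.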

A few weeks ago, I created a Kickstarter campaign to help fund the $25,000 required to develop the app for the iPad.

The campaign is not yet over, but I’m pretty sure it’s dead.

There are only a few days left and I have raised a grand total of $35. I posted on Facebook and Twitter and people told me it was a cool idea, but I never gained any traction in raising money.

I went to Google and created an AdWords campaign. That’s where you register a bunch of words used in Google searches and drive traffic to your website if people click on your advertisement.

I set a budget of $5.00 per day. In total, I’ve spent around $50 and registered 200 clicks but it only resulted in $25. That means I have to spend twice what I can raise in capital.

That’s too expensive.

At this point, I think that the app is dead. However, I plan to reincarnate it as a web page and figure out how to make it profitable. But it will be a few more weeks before I get anything off the ground.

[Image: proposed Go Somewhere icon]

I haven’t written that much so far in 2013. But I haven’t been idle.

No, instead I have been working on another project – launching a project on Kickstarter!

And my app is going to be awesome! I’m combining great writing, visual aesthetics along with a solid user experience (intuitive, easy to use and never crashes). Trust me, you’ll all like it.

You see, I’ve been able to travel a fair amount in my time, especially over the past few years. I also like to write; I always have. When I was in junior high and high school, I was good at math and science but my highest grades were in Language Arts. When I go back and read some of my old journals, I am impressed by what I wrote way back then.

I decided to combine my two hobbies into an app for iOS and call it Go Somewhere. I wanted my app to have a tactile experience. Not just a website but an app where I can control how the user interacts with it.

It’s kind of like a travel book except I find that travel books have too much information. I just skim it. And they also aren’t personalized enough whereas I like to write in editorial style (the way I do on this blog).

I checked out a couple of apps in the Apple store last year and downloaded them. My favorite is National Geographic’s 50 Places of a Lifetime. I liked the way it went through and talked about all the places in the world and what was neat about them. However, I thought I could do it better:

  1. I could build a better way to navigate through the various places.
  2. The descriptions were good, but not “deep” enough. I wanted to go a bit deeper in each place. For example, for Peru, I wanted to write 6-8 things about Machu Picchu instead of National Geographic’s short blurb.
  3. I also wanted to write about interesting socio-cultural facts such as conditions that led to the downfall of the Incas. Education + Entertainment.
  4. I wanted my writing style to be funnier (you know, like the knee-slapper that is this blog).

I found a couple of other apps like Amazing Earth and Beautiful Planet. The pictures in them are good but the descriptions are too short.

The above icon represents the spirit of Go Somewhere: a silhouette looking out into the background. Where do I (that is, you) want to go next?

The below is the splash screen when you open the app:

[Image: splash screen]

You can navigate through the app with a bunch of countries and places using a map:

[Image: map navigation]

I’m not going to go through the full set of features because you can read about it at the Kickstarter link for Go Somewhere.

I’ve designed most of the app and written or edited all of the little blurbs (so far over 400, with two more places to go before launch, and two more to come by the end of the year). However, I outsourced the development and I didn’t get the quality I needed so I’ve decided to start over.

I’ve gotten some other quotes and they are expensive. I can’t keep putting more money into this without a good understanding of whether or not I’ll see a return (my wife wouldn’t stand for it). So to that end, I’m getting funding on Kickstarter!

Or trying to, anyhow.

I figure this represents a good proxy for whether or not there’d be any demand. If I can raise funds to develop a polished app, then I figure there’s a good chance that this will “sell” (that is, be downloaded. The app is free with some free content and you can purchase to unlock additional content for a low, low price).

[Image: looking out, New Zealand]

So check out Go Somewhere on Kickstarter! And if you feel like it, kick in a little bit of money.

If you clicked that link, you’ve been tricked by me spoofing Microsoft.com. Evil Terry has struck!

Fanboyism.

You all reading this know what I mean – it’s when people have such a devotion to a certain product that they will defend, to the death, their preferred device or product and attack, to the death, their non-preferred anti-product. Mac vs. PC. iOS vs. Android. PS3 vs. Xbox. Just go to any article about any device on the Internet and you will see lots of comments that reflect this phenomenon.

Why does it exist?

I recently purchased the book You Are Not So Smart by David McRaney. In the book, he looks at all of the various behavioral biases that we humans have. As it turns out, we all have tons of them. The fact that we can get anything done is a miracle. We all like to think that we are logical, rational actors most of the time and act irrationally only occasionally. It’s actually the other way around.

The reason why fanboys exist with such blind devotion is because of something called Choice Supportive Bias. This occurs when we make a decision to invest a significant amount of time, energy, money or a combination thereof into a product. In order to justify to ourselves that such a purchase was worth it, we make up reasons why it was a good idea.

From the You Are Not So Smart blog post: Fanboyism and Brand Loyalty:

… if the product is unnecessary, like an iPad, there is a great chance the customer will become a fanboy because they had to choose to spend a big chunk of money on it. It’s the choosing one thing over another which leads to narratives about why you did it.

If you have to rationalize why you bought a luxury item, you will probably find ways to see how it fits in with your self-image.

Apple advertising, for instance, doesn’t mention how good their computers are. Instead, they give you examples of the sort of people who purchase those computers. The idea is to encourage you to say, “Yeah, I’m not some stuffy, conservative nerd. I have taste and talent and took art classes in college.”

Are Apple computers better than Microsoft-based computers? Is one better than the other when looked at empirically, based on data and analysis and testing and objective comparisons?

It doesn’t matter.

Those considerations come after a person has begun to see themselves as the sort of person who would own one. If you see yourself as the kind of person who owns Apple computers, or who drives hybrids, or who smokes Camels, you’ve been branded.

Once a person is branded, they will defend their brand by finding flaws in the alternative choice and pointing out benefits in their own.

This type of irrational behavior doesn’t occur when you have to buy something where it doesn’t matter where you get it. Nobody cares where they buy their brand of gasoline – Shell, Exxon or 76. Nobody cares where they get their box of Kleenex. You don’t care that much which super market you go to.

I think this explains why people throw so much hate at Microsoft but not at Apple or Google. For years, Microsoft’s OS was the only game in town and you had to buy it. It was a successful model for the company, but you didn’t develop any sort of brand loyalty.

By contrast, devices that are optional like phones or tablets do develop loyalty because of Choice Supportive Bias. This is when you look at all the various options and finally settle on one. After you decide, you look back and rationalize your actions by believing the TV you bought was the best one. If it didn’t matter which TV you could have bought, it wouldn’t matter. But personal devices do because you have options.

As the blog post puts it:

To combat post-decisional dissonance, the feeling you have committed to one option when the other option may have been better, you make yourself feel justified in what you selected to lower the anxiety brought on by questioning yourself.

All of this forms a giant neurological cluster of associations, emotions, details of self-image and biases around the things you own. This is why all over the Internet there are people in word fights over video games and sports teams, cell phones and TV shows.

Many people in my generation grew up with only Microsoft OSes to choose from and didn’t develop the loyalty. But the people coming up after me who are younger and have many options – Google, Amazon, Facebook, Apple, and Microsoft – won’t have those same sorts of biases. Microsoft will be another option, and if they have to sink a lot of money into it, they’ll develop blind loyalty for their devices. But if only one product or company from that list were dominant, it wouldn’t develop brand loyalty either.

So all you lovers-and-haters out there:

  1. Our decisions about why we like the things we do are irrational.
  2. Why do we defend these things so fervently? Unless you own shares in the company you love so dearly, your loyalty increases their bottom line, not yours.

After I read this book, I realized “Man, maybe I shouldn’t care so much about the things I like, and shouldn’t pay much attention to the things others like, either.”

Because we are not so smart.
