It seems that everywhere I look lately there’s news about a new “weakness” found in the RSA algorithm. This has been reported with headlines screaming about the “severe” weakness and how everything in the universe that is encrypted depends on RSA. For examples of those rather overheated stories look here and here.

Let’s have a moment of sanity please. The sky is not falling. The attack described depends on manipulating the power supply of the targeted system, making tiny changes in the voltage to generate bad output from the algorithm. It’s a very interesting attack technique but the actual risk of it happening in the real world is incredibly low. Anyone who can get close enough to manipulate the power to a unit can do lots of other much more interesting things to it.

In general, no one can get close enough to perform this kind of attack.  Locking the doors on the server rooms is a standard IT practice. You see, most criminals who get close enough to attach the equipment needed to play games with the power supply are much more likely to simply unplug it and steal the computer.  We guard against that sort of thing and, incidentally, against creative attacks on the power as well.

This is just one more example (in a nearly infinite list) of why the news should never be taken at face value. Read carefully. THINK. Apply salt liberally and move on to something less ridiculous.

The big tech story of the week is the one about Google making people mad with it’s new “Buzz” service. The most interesting aspect of this story is that everyone seems to have gotten it wrong.

Here’s the short version of the story: Google has some new social media application that makes all your email contacts into “friends” in the social networking sense and a lot of people objected to that, claiming that email contacts should be kept private, not advertised to the world as a friends list. This is stupid on so many levels – Google, their users, all the “analysts” – it’s hard to know where to start. So I’ll start at the beginning as far as I knew it.

The other morning, as I do most mornings, I brought up my gmail account and glanced to see if there was anything new. There was some kind of banner or thing about something called “Buzz.” I immediately thought “Hmm. Could this be a whack at Yahoo’s boring Buzz bookmarking service?” But no. I saw that my boss had already been there and made a comment. I also saw that to reply to his comment I had to create a “profile” that would make all of my email contacts into friends who I could then get Buzzy with, or some such thing.

I decided not to create the profile because I don’t use my gmail account for general email purposes. I have a yahoo account for that. My gmail account is mostly for poetry and other writing. I use it to communicate with the members of the Science Fiction Poetry Association, a lot of editors and a few close friends and family. It’s the kind of account – intentionally – receives the kind of joke emails that people forward all the time. In other words, while it’s a public address, I tend to use it for more private purposes.

Weirdly, Buzz shows that I have 6 followers, including 4 who do not have public profiles – which I also do not have. How do you follow someone who does not have a profile to follow? And if you don’t have a profile, how is it possible to follow someone else without a profile? What the hell is going on here?

Anyway, notice the one interesting bit here: The complaint the privacy advocates have is that this new Buzz thing is advertising information people want kept private and that Google should have given them more warning of that fact. Google did give warning – enough that I decided not to sign up for the thing (but it still tells me there’s new stuff for me to look at there, which I find truly annoying). But, apparently, a lot of people failed to notice the warning and are mad AT GOOGLE FOR THEIR OWN FAILURE TO READ.

Don’t take my word for it. Here are some links to stories about privacy concerns with Gmail Buzz:

• http://www.theregister.co.uk/2010/02/11/google_buzz_privacy/
• http://www.businessinsider.com/warning-google-buzz-has-a-huge-privacy-flaw-2010-2
• http://abh-news.com/google-buzz-privacy-issues-for-gmail-users-1126.html
• http://www.washingtonpost.com/wp-dyn/content/article/2010/02/12/AR2010021201490.html

Believe it or not, this was highly predictable. At a previous job I used to take help desk calls sometimes (It wasn’t exactly my job but it had to be done). One of the things I found amazing was how often someone would call up complaining about an error message when they tried to do something and then not know what the error message was. The conversation went something like this:

Idiot User: “Hi. I’m trying to use [name application here] and it doesn’t work.”
Me: “What do you mean it doesn’t work? Does it give you an error message?”
Idiot User: “Yeah. It does.”
Me: “What does the error message say?”
Idiot User: “I don’t know. I just clicked okay.”

Of course, it’s impossible to diagnosis a problem when the only symptom is that you clicked okay but that’s not important right now. What’s important is that it is perfectly and absolutely normal for people to look for that little “okay” button and click it WITHOUT READING ANYTHING ELSE. For Google’s Gmail Buzz and any other service anyone ever wants to create the implication of this long standing and widely known user behavior is that people will almost alays accept the defaults, even if it is not in their best interests to do so.

As Facebook has shown many times and Google has proved yet again, when people accept the defaults without even looking at them and later find out there was something about those defaults they didn’t like, THEY’LL BLAME YOU, NOT THEMSELVES. Therefore, as Facebook has had shoved in their faces over and over again, forcing users to opt in instead of allowing them to opt out, saves you a lot of bad publicity and hassle down the road.

Yes, the users messed up by not reading. Google’s even bigger mistake was expecting the users to read in the first place (btw: This is an easy mistake to make and despite having articulated the lesson here, I can not claim to be too smart to be immune from this same error. Funny, huh?)

But there’s more that Google did wrong on this one and to understand that, we need to spend a few words discussing social networking theory and practice. Most of the world was introduced to social networking by websites like MySpace, Facebook and Twitter. However, the theory of social networks is not new nor is it restricted to the Internet. The social sciences have long studied the way humans for associational networks and how information and influence travels along those networks.

Also, completely independent of social networking websites, there has long been interest in the way email can be used to learn about a person’s social network. Who do you receive the most emails from? Who do you send the most emails to? A lot can be learned about relationships by studying these things.

I was first exposed to these ideas years ago when I was testing a demo of software being sold to law enforcement as an aid to complex investigations. One of the things the software did was take phone records as input and produce a visual depiction of communication patterns. The idea was that this was how police could find out who was really running the gang they were investigating (though really it would only discover who was running the operations, rather than who was calling the shots but that’s another story). The application to email is obvious.

And this is where Google really tripped up. They have wanted to get involved in the social networking arena for some time (check out orkut.com, for example) but have never found anything that caught fire. Then some genius found out about social science research into using email to examine people’s social networks and thought, “Hey! We’ve already got all their social network info! All we have to do is start using it!”

This completely overlooked an aspect of email that comes up very often when dealing with users (yes, back in my pseudo help desk days): The expectation of privacy. The upshot is that, no matter how many times you tell people that the company reserves the right to monitor their communications, and no matter how often you explain to them that nothing on the internet is truly private, people still think of their email as being private communications. They put their most personal stuff into email, things they wouldn’t want anyone else to know about.

It’s not all just forwarded jokes. It’s stuff that gets dragged into court in cases of sexual harassment, divorce, fraud, product tampering, negligence, even murder (In an unusual twist to that with immense privacy implications, see here). Everything people would ever talk about, and anyone they would ever talk to, can be discovered in their email, including their deepest and most humiliating secrets.

Even people who don’t have humiliating secrets to hide can be very touchy about their email. Even if they only use it for work, that doesn’t mean they want the boss reading it. The flip side to privacy is trust. When someone snoops into someone else’s email, or their contacts, or their desktop files, or whatever, the person whose stuff is being snooped feels distrusted. The response is generally anger.

Contrary to the popular formulation, privacy is important to nearly everyone, not just those who have something to hide. And by exposing people’s email contacts in one huge batch, Google ran head on into this deep need for privacy. They got anger in return. This is the real story. It’s not that Google failed to display their instructions in neon with all kinds of opt in notices to force people to think about what they were doing. It’s that by touching email AT ALL, Google made people worry about who they trusted and who trusted them. Consequently, Google lost trust from some of its users.

In this particular aspect, the users are not at fault. Google made the enormous mistake of thinking of email as a resource to be leveraged. Ironically, they tried to develop a social networking feature without giving enough thought to the social context.

The really funny part about this is that they needn’t have bothered. My second thought when I first saw that there was such a thing as Gmail Buzz, was, “I already have this stuff on Facebook. I don’t need yet another social network.”

UPDATE (same day): I found a link wayyyyy down at the bottom of my gmail page that said “turn off buzz.” So I did. That’s one annoyance out of the way!

UPDATE 2 (also the same day): How did I get all the way through this post without commenting that the backlash on this issue was like Google walked into a buzzsaw?

In a computer forensics class I’m currently taking, we studied a federal document that goes in to great detail about how to handle computer security incidents. Malicious code, intrusions, denial of service attacks, the whole gamut of computer/network events that can cause an organization trouble. The document, put out by the National Institute of Standards and Technology is called the Computer Security Incident Handling Guide (aka SP800-61) and it is some of the most useful, albeit hideously boring, reading available for IT professionals currently available.

However, useful and wonderful though it is, I have some problems with this publication. There is very little I can point to and say, “This is wrong.” It covers a lot of territory in an organized way. It gives good advice. Yet I find the total effect to be unsatisfying. Sure, any organization that implements all of the recommendations in this document will be well protected and very capable at responding to incidents when they happen. The trouble is that no organization on Earth is ever going to implement ALL of the recommendations. I don’t think there is enough trained manpower or enough time or money in the world to ever achieve the level of protection detailed (I could even say mind-numbingly detailed) herein.

There is discussion of plans, policies and procedures, guidelines and knowledge bases. The document includes checklists and tables, incident categories and even a marvelous equation for rating the severity of an event. It’s all very complete and very thorough and, as I said, all very sound and reasonable.

I just can’t imagine it can possibly work in practice.

Maybe it’s just me, but I think that when your computers have been compromised, the last thing you want is to run to a file cabinet (or open a password protected pdf, or pull out your cheat sheet) and look for the correct checklist or procedure (Wait! Do we want the procedure or the plan at this point? What’s the policy on that?) for figuring out what you have. Or are we in the containment phase now? I hope someone knows because the training budget on that was cut last year before all of our people could take the class. Come to think of it, they cut a bunch of our people, too.

Time and manpower are two of the real world influences that I think damage the implementation of this very idealized (if intense bureaucracy is your ideal) approach to incident handling. In the real world, incident reporting often comes down to, “Hey! The server is acting funny. Andy, what did you do?” (Real life example). And the responder (in this case a hypothetical server jockey/help desk/programmer/janitor named Andy) begins learning about incident handling AT THAT MOMENT.

Yes, this real world system is screwed up. If it could be implemented, SP800-61 would be an improvement over this ad hoc “OMG! What do I do?” system. If it could be partially implemented, it would be an improvement. That’s what got me started thinking. In even a well funded organization, implementation of these recommendations will take a concerted effort over a period of years. This increases the chances of overall failure (to about 99%) while still giving at least some benefit.

That’s what go me thinking. One of my problems with the whole system is the incredible emphasis on up front paperwork. Policies, plans and procedures certainly seem important but they take a lot of time to write and in the real world no one reads them. Or else one or two people read them when they first come out and then argue over what they said (or how they should be interpreted) when it’s time to follow them. This is one of the huge flaws in bureaucracy. In order for it to function, everyone has to be a lawyer. That’s not what you want when some hacker has broken into your systems and is stealing all your customer’s credit card numbers.

Yet, decisions have to be made at some point and planning them up front is important. Can we balance that with the real world?

Tax software offers some potential help for all sorts of paperwork problems, including this one. It would be helpful if there was a tool that could ask some simple questions (Is the file system encrypted? What are the most critical servers? How much monetary damage should there be before you call the lawyers?) and store them for retrieval at the right time. That would be interesting.

• Computer: “Are you experiencing a hacking incident now?”
• Me: “YES!!”
• Computer: “How many servers/workstations are compromised?”
• Me: “How the hell should I know? I just walked in the door and found 30,000 alerts from the Intrusion Detection System in my email!”
• Computer: “If you do not know, click here for guidance on how to run a scan on each system. Would you like to watch a video about liability issues?”
• Me: “NO! I want to kill the SOB!”
• Computer: “I’m afraid I can’t do that, Dave.”

Well, there may be some bugs to work out in this system. The basic idea, though, is to ditch some of the grunt work of generating paperwork that no one will read in favor of something that can answer people’s questions when they come up. This is a massive undertaking. As I type this, I’m thinking about starting a wiki or writing a survey program (or a combination of both) to start the ball rolling on this. The trouble is, like everyone else in the IT world, I doubt I have enough time to sustain the effort. I feel like I should take a stab at it though, simply to prove that I’m not just a complainer. Still, complaining is easier.

Anyway, the planning software idea only addresses part of the problem. Setting up the systems that SP800-61 quite reasonably recommends (IDS and centralized logging, for example) is to my mind much more important than doing the paperwork (Which is probably why I’m not in management). There are lots of those kinds of things that should be tackled too and they can’t be done all at once.

I’m thinking that in this instance an approach similar to agile development would be helpful. Pick a short period of time (say 2 weeks). Pick a task (getting anti-virus software on all the servers, or doing a penetration test of the web server, or centralizing the logging for X number of machines, whatever). do the task. Tell the software it’s done and move on. Yes, I’m (in my head) integrating actual practices into the incident response assistance tool (IRAT – note to self, come up with a better acronym). This way, during an event, the tool can provide guidance on responding, not just on paperwork.

• Me: “I have a report of suspicious activity on the web server”
• Computer: “You have few possible actions: Centralized logging is not enabled. File system integrity checking is not enabled. What have you been doing all this time, moron?”

Keeping the software up to date can be as much of a nuisance as filling out paperwork, of course. So the next step in this plan, (Besides teaching the computer better manners. I always have trouble with that part) is to set it up to allow people to enter data by voice. From their iPhone.

Then we just have to get management to pay for the phones and the voice software and the IRAT software. Maybe paperwork is the better way to go.

In The Moon is a Harsh Mistress, Robert Heinlein’s masterpiece about freedom, revolution and the humor of artificial intelligence, there’s a bit where the lunar colonists throw rocks at the Earth. Big rocks. Gravity makes them into incredibly destructive weapons. The people of Earth can’t do much about it because even getting to the moon is a huge effort. This is a military principle we’ll call the high ground effect, as in when you have the high ground, you have a huge advantage over the other guy. That’s why fighter planes attack from above, why artillery is placed on mountains and why countless battles have been fought over hills (Pork Chop Hill. Bunker hill. etc. etc)

Remember this effect. It will matter soon.

The big news this week is that that misbegotten ground hog has condemned us to another month and a half of global non-warming. Of slightly less import but possibly still newsworthy is that this budget cuts funding for NASA’s shuttle replacement program and for the planned return to the Moon (see here, here , here and here). One obvious point about this: In a budget with a deficit of $1.6+ trillion, the changes being made to NASA are not about the cost-benefit analysis. A budget with such an astronomical deficit is not one where there has been any effort to make the hard budgeting decisions. Just forget that idea. This leads to exactly one conclusion: The cuts to NASA and the narrowing of its mission is an ideological decision.

The ideology in question does not value human space exploration and is shutting the effort down (although it should be mentioned that some of the criticism leveled against some of the programs being canceled – Constellation for example – is entirely justified). Some particularly gullible people will point out the story about replacing NASA’s own launch capabilities with “commercial partnerships.”For the record, while this is a nice idea it has two flaws in my view: It doesn’t go far enough and it probably won’t work. NASA should be no more than a space port authority and maybe an insurance underwriter (since insurance is an essential part of any American activity today). Space should be the province of people, not merely governments. It is the job of humans to explore, to build lives, to start companies and set up homes. Governments don’t do that stuff and there’s no reason to expect them to.

Not to mention that NASA has essentially been on life support for decades. It was obvious even before the last Moon landing in 1972 that the US government in general and NASA in particular had become bored with the whole space program. Like any good bureaucracy, NASA hung on, trying to find ways to justify itself but it’s hard to get excited about billion dollar science projects when there is plenty of fine science going on in the world closer to home. Politicians in particular tend to focus on bread and butter issues (what goodies can I bring home to my district?). Justifying exploration to people of such petty vision is wasted effort. Even if one rare politician really gets it, not enough of the rest will to consistently get the votes to keep it going.

Unfortunately, though NASA has been legally obliged to cooperate with private companies for years, it has not been particularly good at doing so. Again, like the bureaucracy it is, NASA’s idea of cooperation is to design a 10,000 page application form and a committee (or twelve) to evaluate them (Note to the satire impaired: I might be exaggerating slightly to make a point). Few companies are willing or able to jump through all the required hoops. In any case, the future of space exploration is probably not in driving truck for NASA. More is needed.

Forty acres and a robot mule would be a nice start but never mind. At this point, we should turn our attention to the terrible flaw in both my preference for space exploration driven by people, rather than governments, and the new plan for NASA to not bother putting people into space on its own: Space is no longer the domain of one or two super powers. Dozens of countries now have space programs (see here). Most exist for the purpose of launching satellites. Quite a few have (using someone else’s launch facilities) sent astronauts to the International Space Station. Many have at least some military applications, even if they don’t advertise the fact.

This proliferation of space technology is important: Any country that has trained astronauts and launch facilities (such as India and China) and the intent to put humans into space can do so.

What this means is that the United States is giving up the high ground (Remember the high ground and the example of The Moon is a Harsh Mistress? I told you it would matter). Other countries are going to take it. This is guaranteed. A number of other countries are showing more interest in space exploration than the US is now. And there is nothing to stop them.

As ominous as that sounds (and I admit it’s intentional), I don’t believe that this is directly a risk to American national security. There is little evidence that any nation currently exploring the possibilities of space travel means to use space to harm the United States or any other country.  There has been some disturbing work to develop satellite killing technology (see here for example) but I’m not aware of direct threats to US material or people. That does not mean there is no risk of violence.

Actually, I think there is a huge risk of violence in space, when astronauts from multiple countries that are not necessarily friendly to each other begin doing more up there than just running a few show orbits. When they establish bases on the Moon or in orbit, when they begin looking into economic uses (such as asteroid mining or zero-g manufacturing), this alone could spur interesting competition. Competition does not directly lead to violence, of course. Competition over scarce resources (such as the best orbits, or even the first discovery to win a big contract) certainly can. Even if, contrary to all history and common sense, the countries involved avoid the use of force, the possibilities for confrontation will escalate over time.

And, under current plans, the likelihood that the US will be in a position to act as a stabilizing force is tiny and diminishing. Maybe, just maybe, the government should do something more concrete than outsourcing what little space program remains. Just a thought.

Here are some more links that might give food for thought:

• Iran’s latest launch
• Succinct statement on NASA’s situation
• Increasing Chinese space presence
• Future space station plans

Tonight I watched the pilot of the Battlestar Galactica “prequel” (what language sadist invented that word?) Caprica. It seemed to start a little slow but eventually got going and had some interesting features. In no particular order, here are my thoughts (note: there are spoilers)

The terrorists are teenagers. Historically, it takes a little longer to become radicalized to the point of blowing yourself up. In the real world terrorists are more likely to be college age or older.  However, just as we’ve seen the average age of violent gang members decrease (and the sex of violent offenders widen to include a greater portion of females than used to be the case) in an advanced society where young people have access to sex and death clubs (albeit only as virtual reality) this is certainly possible. It is still different from reality at the current time.

The hedonistic virtual club shown a couple times in there, where bored teenagers (and presumably a lot of older people) went is not possible with current technology. In real life, clubs are not (to the best of my knowledge) this depraved. Close on the sex end maybe, but rarely if ever are there human sacrifices. But when technology makes this sort of thing possible, can anyone doubt they will come into existence? What kind of world will we have when teenager’s avatars lose their virginity before their physical selves do? This may not be more than a decade or two off.

Monotheists as terrorists. This could be taken by some as greatly insulting. Religious people who look for insults in popular media will certainly consider this to be one. I don’t think it’s meant that way, though, any more than the human sacrifice bit in the club was meant as an insult to polytheists. Really, this is almost required by the story this is supposed to precede. In BSG, the Cylons were monotheists (who, according to the series finale, may have had direct contact with their deity). They also annihilated billions of humans. The logic that one of the earliest cylons contained the personality of a teenage, psychopathic, monotheist, mass killer actually explains a lot. And really, is it even possible to have the same sort of terrorrism with polytheists?: “The many gods will drive out the One” just doesn’t sound quite as inspiring as what the kid actually shouted before blowing himself up. Maybe it’s just me?

Taurons approximate Sicilians (mafiosi). Or some other ethnic gang culture, taken to an extreme. Heavy handed but, again, it fits the story line. There were several references in BSG to the mixed legacy of Admiral Adama’s father. He was a brilliant lawyer but also a bad person (gee, who would ever have thought of that? A lawyer who’s not nice? Yeah. They’ll never see that coming.) Hey! Is that the future Admiral Adama at the game with his dad? He was kind of a snot, wasn’t he?

The sheer horror and also lure of having your kid recreated as an artificial life form is shown well both from the parent’s side and the ersatz kid’s.This was what had me thinking that, in some ways this show is much better science fiction than BSG was. I was surprised to enjoy it as much as I did. BSG made me mad at the lost opportunities or sheer stupidity even more often than it amazed me with its genius. I didn’t expect this much from Caprica. Interesting bit: “My baby! She couldn’t feel her heart!” My first thought was that they had made a robotic vampire but, no, it was actual drama. Close call there. (Warning to producers: This show could easily be reduced to self parody!)

But then there’s the silly theme. One of the characters (Adama?) made a comment about “the things that make you cry, make you feel. Those are the things that make you human.” This was always a big subtext in BSG. It was hard to avoid what with the Cylons being indistinguishable from humans and all. The truth is, though, that the human/machine duality question is too hackneyed for words. EVERY show, every book, every short story that deals with robots seems to feel obliged to consider “what makes us human.” If the people making Caprica think they’ve hit on a winning philosophical thing here, the show is doomed to have as hideously lame an ending as Galactica itself did. Please please please get beyond this and do something actually good!

Those are my initial impressions of the show. Because of the track record of BSG (and the lameness of  “BSG: The Plan” which should have just been part spliced into the series. Both would have made lots more sense that way) I had and have serious doubts as to whether Caprica is worth the effort. So far, though, they’ve managed to keep my interest.  There seems to be some serious exploration of the effect of technology on society. On the other hand, there’s an unfortunate tendency toward what Isaac Asimov called “The Frankenstein Complex.”

So I have concerns but I’m going to watch it again.

I learned an interesting lesson at my job today.

Our team recently gained a member who is trained in user experience stuff, actual testing and measuring it, not just eyeballing it like me. During a couple meetings lately, we’ve discussed the language used on the web site. We’ve changed the terminology a couple times during the course of development as we thought of new implications and also as we struggled to describe the technology in ways that people who are new to it can understand. When you’ve been working on a project for a couple years, learning how to talk about it to people who are brand new to it can be a challenge.

What do you mean you don’t understand what a child node is? It’s a node directly linked by a default or alternate path from a parent! (Note: Never end this type of sentence with words like “dummy,” “idiot,” “moron” or anything similar. For some reason it doesn’t go over well.) (See here for a partial explanation of child node)

One result of the changes in terminology is that the web site is inconsistent. Sometimes it uses one term, sometimes an older one that is no longer approved. This might be because we forgot to change it or it might be because someone was writing stuff and forgot that we had changed the term. An attentive reader might be thinking, “Ah! So you learned you should thoroughly edit everything when you make changes, maybe even have copy written by a professional who will be focused on the words and not think of them as a distraction from the real job of hacking code!” This would be wrong. Nice try though.

We figured out how to get to a better system, starting with having our new usability expert compile an approved dictionary for the web site and all the training materials. She’s not a technical person like the rest of us (mostly programmers. The boss is not a programmer, but he has a PhD in aeronautical engineering. He understands what a child node is) so she’s a good choice to repair some of the damage us tech geeks have done to the message.

No, that’s not the lesson either. It is VERY common for business development experts and all-wise columnists to explain that it is incredibly important for technical people to be able to “speak to non-technical business managers” or something like that. The conventional wisdom is that geeks only speak geek and if you can find one who can talk to regular people, you’ve struck gold. When I read this argument, I usually see Dilbert’s boss (in my head. I have not starting having such horrifying hallucinations yet) yelling, “Stop talking to me as if I have a brain! Use smaller words even if they don’t mean anything!”

Note to Scott Adams: I don’t remember if you’ve written the particular exchange just described or not. There was a time when, if I laughed at it, I would have been sad at the same time because it was so close to my real life job. Now that I work for a genuine rocket scientist (see above), would you consider having another boss who actually tops Dilbert’s big words with even bigger and more incomprehensible ones (while still technically accurate) until one of their heads explodes? Just a thought.

Where was I? Oh yes! Today’s lesson was not about the difficulty of finding technical people who can communicate with the non-technical. That problem will go away by itself when the day comes that the non-technical can drink a potion or take a shot and finally learn some minimal amount of real math (a minimal amount being about how much I know. Real math knowledge would be more like what my boss knows).

There was a real lesson that came out of the language discussion, though. It was that, as we discussed terms that users of our web site should not be exposed to (such as “node”) I realized that we could not simply banish those words from out vocabulary because we still needed them. “Node” has a meaning. The day one of my colleagues on the project first declared “everything is a node” it was a breakthrough that made several developments since possible. Even easy. “Everything is a unit abstracting all types of structural elements” or “everything is one of those web page type thingies and other stuff that we work with” would not have had the same value.

Sometimes we look at technical language as being like a secret handshake; it’s just something the in crowd uses to distinguish themselves from the rest of the world. When doctor’s say “myocardial infarction” or when computer science students say, “It’s not a hacker. Hacker is an honorable term for someone who likes to fix broken code in creative and efficient ways. The correct term for someone who invades networked systems is cracker” it seems more like melodrama than technical accuracy.

But there still needs to be technical accuracy somewhere, doesn’t it? We figured out today that it isn’t just us. We have plans to open up at least some portion of our code to outside developers. Part of the project is already out there as open source for anyone who wants to get work with it. That was the lesson, or at least part of it. After we have a complete dictionary for how to communicate our ideas to end users, we will probably need another one for when we’re communicating to other technical people. Those outside developers need to understand that everything is a node. (For some reason that phrase always reminds me of the song “Everything is Food” from the Popeye movie that starred Robin Williams in possibly his last really funny role. Maybe it’s just me.)

Our lesson today was something along the lines of how technical accuracy has to be preserved, even though it doesn’t help us communicate with end users. We also talked about creating a mapping of one set of terms to the other (a geek to English dictionary, more or less). A way to communicate with the people who aren’t inside without losing the information we need. It’s surprisingly hard. I’ve never heard of a project having that sort of translation layer before, though it seems obvious once you think of it.

But how many centuries have doctors been doing without anything like that either? If I knew some medical terminology, I’ll bet I could make some money selling a dictionary like that.

• Myocardial: heart thing.
• Infarction: ouchie.

Note: If you’re wondering what I do on my job that inspired this brilliant post, click the “trails” tab at the top of this page, or go to trailmeme.com. There’s some cool web tech here.

If there is meaning in life, then there must also be poetry. Whether you like it or not.

Some of us like it more than others. Many of us were brought up to think of poetry as an inaccessible creature, something belonging to smug self-involved intellectuals who dressed badly and had even poorer social skills than the average computer geek. (Completely unrelated question: Do computer security geeks – like me – count as being more or less geeky than regular computer geeks?)

High school has a way of making people think that way. It turns out that a large part of this may be the result of the way poetry is taught, rather than the poetry itself. It’s just a fact of life that many of us, particularly males (and, according to a survey I read once, political conservatives) are more likely to enjoy Rudyard Kipling than Elizabeth Barrett Browning. Yet English teachers are far more likely to use the second as examples of great poetry than the first. Such is life.

So we learn that poetry is for the elite. Those of us who don’t belong to the elite probably won’t understand the stuff anyway, so why bother?

That sort of disconnect from literary poetry was the subject of a terrific blog post I found the other day at the Poetry and Culture blog about Dashiell Hammett and poetry (here). Since I’m a poet (these days) and Hammett is one of my favorite authors, I had to read it. The post gave several examples of Hammett’s main character expressing less than positive feelings about not just written poetry but the entire idea that there is anything poetic in life.

Well, a hard boiled detective might find life’s poetry to be a bit rough around the edges, wouldn’t he?

By complete coincidence, I began experimenting recently with noir poetry – poetry from the point of view of a hard boiled detective in the midst of a murder investigation. I found this hard to write and so far impossible to sell, though it’s too soon to declare a verdict on that. A search of Google turned up a couple of instances of it in the past, though always referring to the movies, not the books or stories. Noir does not yet seem to be an established genre like science fiction poetry, or even cowboy poetry. Maybe it’s too narrow a field to be worth it. I’ve had fun trying so far.

Incidentally, I found the Poetry and Popular Culture blog because someone posted a link to a nice article there about science fiction poetry (here). When I discovered a few years ago that science fiction poetry was an established (albeit small) genre and that people might even pay me for it, my attitude towards all poetry changed, almost instantly. You mean there’s poetry even for someone like me? Why didn’t my English professors ever mention? I might have started writing the stuff decades earlier if those esteemed experts hadn’t worked so hard (admittedly unintentionally) to discourage me from liking poetry.

Oh well. Let that be a lesson to me: There’s poetry out there for everybody, even people who don’t think much of poetry and who don’t like the stuff that wins awards. (not including the Science Fiction Poetry Association’s Rhysling award. I often like the winner of that one).

Meanwhile, I tried an experiment last week. I made a Google Wave and put a couple of stanzas from an unfinished fantasy poem in it. Wave is an interesting technology, part email, part instant messenger, part something that runs applications (but not really an operating system).  It is decidedly cutting edge on the web today. Like anything brand new, it has not yet found it’s place. It is still by invitation only (I think). A lot of people still haven’t heard of it and, even among those who have accounts, most people are unsure what to do with it.

I thought it would be interesting to find out if it would be useful for poetry collaborations. It seems like it should be but who knows? So I sent an email to a poetry mailing list inviting all members to collaborate with me on the poem I started in the wave. I told them that I would share the wave with anyone who had an account and some interest in collaborating. And anyone who wanted to collaborate but didn’t have a wave account, I would send them an invitation (note: Anyone reading this post is invited to take advantage of the same offer).

No takers, so far. This might mean that even science fiction poets are, in general, not very up on technology. It could also mean they’ve read my poetry and would rather not get involved. Wave sounds to me like a fine platform for exactly this kind of collaboration. But what do I know about poetry?

Two unrelated things clicked in my head today as actually being related on a theoretical level. Thing one I spent some time the other day looking over the websites of some potential vendors. I’ve done this sort of thing lots of times before. As per usual, I was unimpressed by the websites themselves (which may or may not say much about the company itself). Thing two: Someone cracked the algorithm for cell phone signal encryption (really a sort of hiding) to the internet. Both these things show the conflict between the old industrial era way of doing things (let’s call it web 0.5) and the newer Twitter-ified way of doing things (web X.0). It tells us a lot about the changing generations and the growing struggles of the information age.

After that slightly pompous lead in, it’s tempting to just stop but I’ll add some detail, starting with the cell phone encryption code, which is a pretty big deal news-wise. The biggest weakness of cell phone security – and it’s a very big weakness – is that, in order to work, cells broadcast their signal in all directions at once. It’s not like the old fashioned landline phones that send their signal down a wire. In order to intercept the signal of one of those old phones, you have to tap the physical wire. In order to intercept a broadcast signal, on the other hand, you just need to be within range with the right equipment.

For a couple decades now, most cell phones have attempted to evade broadcast interception by (somewhat) randomly changing frequency multiple times during every transmission. That way it’s very hard to intercept more than a single tiny portion of the signal, hopefully too tiny a portion to make sense out of the message. The flaw in this scheme is that for the message to be received, the other end (the cell tower) must be able to follow all the frequency hops and put the complete transmission back together. So both ends need to be synchronized. True randomness is impossible.

News came out the other day that Karsten Nohl, a researcher with the A5/1 security project, has developed a way to crack that frequency hopping protection and released it to the public (See here and here and especially here or just google “GSM crack” for a horde of other sources). The first question that came up was, “Is it ethical to make dangerous information public?” This is an old debate in security circles. On one side are the people who believe that it is always wrong to make life easier for hackers, that keeping systems and methods secret is an essential part of protection. On the other side (and the side I’m on) are those who say that secrecy gives mostly the illusion of protection and that learning from failures is an essential tool to building better systems.

But there’s another, more basic, way of looking at this conflict, which brings me to the other thing I mentioned, looking at the websites of vendors. What the vendors were for is unimportant. What is important is that I found all of the websites to be visually very nice, sometimes using state of the art technology, professionally designed and almost completely devoid of useful information. I’ve done these sorts of surveys numerous times both as part of my job and through the course of formal education and there is nothing unusual about these findings.

Companies tend to design their websites as very fancy advertising brochures. They have a link for investors. They have a link to logos or names of famous clients. They have a link to information about “our team” or some such. They may have a link to their blog, though it’s not much like a real blog because it contains almost exclusively corporate cheerleading and marketing approved advertising copy. They might have a link to a twitter stream but that’s just another promotion channel to them. What they don’t have is the kind of information customers really want and that was once envisioned as being available through means like Amazon customer reviews and ratings. There’s no way to find out anything about the products, services or company that is not directly approved as part of the “corporate message.”

Ten years ago none of this would have been a big issue. Companies were considered to be riding the wave of Internet innovation if they had a website at all. The marketing brochure approach to web communication was considered a professional and effective thing to do. This is no longer true on an Internet where Facebook and Twitter are generating more traffic than every other corporate website combined. But note my criticism above of the way that blogs and twitter feeds are usually implemented. Even when they do them, they don’t do them in a way that seems to me to give people what they want: Actual communication.

If you’re one of those people who says things like, “I don’t get Twitter. Who cares what you’re about to have for lunch?” You may have a future in corporate communications – if there is such a future to be had. Because what ties together the current state of corporate websites AND the hacking of 20 year old cell phone code AND the debate over disclosure vs secrecy is the thing that seems to me to separate a successful Internet presence today  from the methods and even personalities of the last century:

The old way emphasizes control. Control of the message. Control of presentation. Control of the program code and the way people interact with the product and the other people. The new way demands giving up a large measure of control in favor of more fluid and fluidly evolving communication.

I highlighted that point because I believe it is key to success on the Internet as it is developing and is something even very large companies need to understand and cope with over the coming years. Probably because of the presence of the Internet in their lives, younger people seem to be much more likely to take the less control is better side of most issues (we’re talking about technology and interacting with others and with companies, here, not about politics). This has profound implications for the future, both near term and long term.

It means, I believe, that attempts to maintain complete control over the corporate message or even over source code of products are, over time, going to become harder to do (there will be leaks and hacks) and more repugnant to the public. As the older generations (ie: mine) grow old, retire, die, the people who will become the prime consumers and decision makers, will have lived most of their lives under the assumption that the old levels of control are both impossible and undesirable. Sure, as they age, they will want more control. But they will be aiming at a lower bar than previous generations. Someone who grew up with twitter will never have the same view of communications (corporate or otherwise) as people who used to buy newspapers printed on physical paper.

I mentioned newspapers for a reason. I believe the failure to understand the loss of control is one of the central problems the newspaper industry has right now. I don’t know the answer yet but, hopefully, I’ve framed the problem in a way that will help people work on that.

If I had a bigger brain, how many more languages would I be able to say, “The check is in the mail” in? Wouldn’t it be nice to be smart enough to answer the important questions (some of them may even be more important than that one)?

The nature of people with big brains has been a favorite science fiction theme for many years. I’ve seen it done in an old episode of Outer Limits and a much newer episode of Farscape, for example. In an excerpt from their book Big Brain, published online in Discover magazine’s December offerings (here) Gary Lynch and Richard Granger come up with some interesting thoughts on this question. I’ll say up front, this was interesting enough reading that I bought the book and really hope it’s not completely obsolete by the time I have a chance to read it (Do you think there might be a flaw in my reading strategy?).

According to a blurb about the book on Discover’s website (here) Lynch is a psychiatrist and Granger a cognitive scientist, which seems to mean they are doing a little more than speculating about the subject. The hook they use to get into it is the skulls of a pre-human species of hominid called Boskop (named for the place the skulls were found). Measurements of the skulls indicate that the brains of the Boskop people were roughly 25% larger than those of modern humans. From this, Lynch and Granger calculate an average IQ for Boskop of 150 which is 50% higher than the human average. But according to the excerpt they’re gone, now. Boskop became extinct maybe 10,000 years ago. We did not.

Were Boskop not as smart as the brain size calculation seems to indicate? Or was intelligence not an important thing 10,000 years ago? Hmmm. 10,000 years ago. Isn’t that about the time the last ice age ended? Maybe their brains overheated as the temperature went up. No, that sounds a little far fetched

Anyway, there are serious flaws in calculating intelligence based on brain size alone. The biggest one is that brain size is only one parameter in intelligence. Whales have bigger brains than humans but are not necessarily smarter. The convolutions in the cerebral cortex make a big difference. Roughly speaking, the more complicated the folding of the cortex, the smarter a species will be. This is why humans are (mostly) smarter than whales. [For a decent discussion of brain size see this article at HowStuffWorks.com]

Nutrition is an important factor in brain development, too and this may have a direct bearing on the discussion of the intelligence of prehistoric peoples. For children to develop to their best potential they need the right kind of nutrition continuously at the right time of their lives. Irregular meals or irregular protein (or sickness or injury or failure of stimulation or who knows what else) in the first two years of (human) life can cripple brain development. After that time, it can never make up the ground it lost early on.

Agriculture and animal husbandry helped humans to improve nutrition and improve brain development. If Boskop people did not adopt those things (and, during an ice age, it might have been harder, or at least different than it became later), they probably did not live up to their potential, despite their brain size. Evidence of their nutritional habits is almost non-existent now. Still, significantly bigger brains would probably correlate to a longer childhood and a longer period of time needed for the brain to develop internal connections. This also increases the window of time when a famine or plague could cause irreparable damage to child mental development. Not to mention more time to develop “issues.” Imagine being a teenager for twice as long! Any creature like that could maybe be excused for having a high rate of suicide, or of teenagericide.

Lynch and Granger raise some interesting possibilities for what beings with Boskop-sized brains might have been capable of if they did live up to their mental potential. For example, their brains probably would have stored much more sensory detail for memories than humans normally do. For them, every memory would include all the sounds, smells and feelings of the original experience. The visual details would be sharp and clear, whereas ours tend to be vague and even mutable. Human brains tend to conjure up only partial memories, and fill in the blanks with imaginary details. This is one reason why two eye witnesses to the same event can have wildly different stories (see here for interesting background on how fluid eye witness testimony can be).

Would super-detailed memories be an advantage in trying to survive in an uncivilized world? On one hand, lessons learned from experience would be more accurate when the memory of the experience was more accurate. Lynch and Granger point out that this does not apply just to individual memories but to whole sequences and hierarchies of memory. That is, connections between disparate things learned are more complex, allowing more to be learned in a shorter time. On the other hand, accurate memories would also be likely to be intense memories – and those can be intensely distracting. Maybe, though, that’s one of the reasons memory is so hazy. Maybe it works best when it’s just a guide and not a complete roadmap.

The uses to which a great brain are put make a difference, too. If these hypothetically smarter people never invented scientific method or mathematics or representative government, their view of everything would have been vastly different from ours. And there would have been a tremendous impact on their adaptation to the world – and to competing species such as Cro Magnon and Neanderthals. Even a truly brilliant race of poets, musicians or bartenders may not have been able to survive as a distinct race in that world.

There is a strong argument that the Boskop people, in fact, were not a distinct race, that the whole idea is a result of sloppy science and poorly defined categories (see here for a good rundown). That explains the seeming conundrum of a smarter species than ours that somehow failed to survive even though we did. They did not die out because they never really existed. The bones ascribed to them belonged to exceptional members of other species. This should not detract from the useful discussion of the implications of a bigger and correspondingly more complex brain than ours. It is worth wondering how a more complicated brain is really different from the ordinary ones we are used to? What
is the role of intelligence in history and human development? How is it tied to culture? What is the point of diminishing returns?

In science fiction stories, smart aliens either view humans as primitives almost unworthy of notice, or become god-like yet pacifistic teachers, depending on who is doing the writing. Imagining more detail about how a bigger brain works and sounds more interesting. At least, it seems to me to be much more interesting to study people who were at least potentially smarter than us, than people who were, comparatively speaking, kind of dumb. Right?

update 1/4/2010: John Hawks, who wrote the post debunking Boskop as a species (see above) has added another post explaining how bad the anthropology is in the book Big Brain. The new post is here. I’ve started reading the book and while it uses the fictional Boskops as a way of explaining concepts about intelligence, the book is not about Boskop. It’s about the brain and the nature and qualities of intelligence with specific reference to how intelligence can be modeled (top-down style artificial intelligence). I’m not far enough into it yet to judge whether the rest of the science is as poorly researched as the anthropology. I thought about leaving a comment on Mr Hawks’s blog to tell him what I’ve just typed here,  but couldn’t find a link or form for submitting comments. His loss.

My boss and I have an ongoing disagreement that sometimes flares up (loudly), about who was the better detective: Hercule Poirot, or Sherlock Holmes? The boss takes the point of view that Holmes relied on “parlor tricks” while Poirot used pure intelligence to reason out the solutions.

I contend (very reasonably and with only enough shrillness in my voice to convince people to listen) that this shows a lack of understanding of Holmes’s true skills as a detective. The famous parlor tricks – where he figured out people’s life stories by observing tiny clues he noticed in a glance at them – are NOT how he solved cases at all. Unlike the indolent Poirot who seemed to get most of his information by eavesdropping, Holmes investigated cases. He used disguises to infiltrate locations and spy on suspects. He had a network of informants (The Baker Street Irregulars). He studied shipping and train schedules and knew the map of London intimately, in order to understand the movements of people and things related to his cases. He did experiments in order to improve his understanding of potential evidence. He worked at the business of investigating.

To be honest, it’s been decades since I absorbed the complete Sherlock Holmes novels and stories and I never did get into the Poirot stuff because I find Agatha Christie’s writing style to be dull. Really really really dull. Maybe it’s a British thing. Odd, really, since my mother has everything Christie ever wrote. Most of what I know about the brilliant Belgian detective I got from watching the series with David Suchet on TV. I enjoyed them and often found the solutions to be quite clever. But to compare Poirot’s skill at thinking to the monomaniacal investigative prowess of the great Sherlock Holmes is silly.

This argument and a related thought about a currently popular TV series came to mind yesterday when I saw a new movie inexplicably titled “Sherlock Holmes.” The movie was very entertaining, with humor, explosions, suspense and period (like) costumes and settings related to Victorian England. It even had characters with names confusingly like some of the ones in the Holmes stories. This is confusing because anyone expecting (possibly fooled by the title) a Sherlock Holmes story will not find it. Maybe this movie should have been named “Greg House, Consulting Detective, but in a Past Life.”

Ever seen House?

It’s a funny show about a more or less psychopathic doctor who is miles smarter than everyone else around him but who is so dishonest, manipulative, childish and insulting that almost no one can stand him. I’ve believed for years that the character House was probably inspired by Dr. Joseph Bell, who was, according to Sir Arthur Conan Doyle, the inspiration for Sherlock Holmes.

Like Holmes and House, Dr. Bell was uncommonly good at noticing seemingly small details about people and figuring out from them huge amounts about their lives, personalities, circumstances. This skill is what my boss referred to (not necessarily unfairly) as a parlor trick. It amazes people and often annoys them or even frightens them. The kind of person who can practice this sort of skill must be very confident to the point of arrogance and willing to be disliked for discovering things that people may have (mistakenly) considered private. A big mouth seems to be part of the package too.

The similarities between these different characters is significant because the relationship between Holmes and Dr. Watson in yesterday’s movie reminded me of the relationship between Dr. House and his best (possibly only) friend Dr. Wilson. In particular, Holmes’s clumsy attempts to meddle in Watson’s romance with Mary had much of the petty selfishness and childish humor of House, with none of the stuffiness or personal obliviousness that Holmes showed in Conan Doyle’s stories. Wilson and House often play pranks on each other and it is normal for Wilson to lie about his relationships for fear his friend will sabotage them.

Why would anyone re-write the Holmes-Watson relationship to make it less Victorian and more like House-Wilson’s adversarial version of friendship? There are three possible explanations:

1. Didn’t know any better. Just too ignorant of the Holmes stories to know what would work and what didn’t. This would certainly explain much about the movie, not just about Watson punching Holmes in the nose, or Holmes intentionally offending Mary.
2. Thought it would be funnier. No arguing with that. There was very little humor in the Holmes stories and Watson was one of the most unfunny characters ever written. The movie had a small amount of humor.
3. Not a good enough writer to get it right. The simplicity of the “mystery” in the movie and the reliance on explosions and stunts (like Holmes jumping out a high window and diving into the water) would tend to bear this explanation out.

Two of our three possible explanations boil down to incompetence. Doesn’t sound good when you look at it that way, does it? Most of the reviews I’ve seen went with that explanation, too. To be fair, whenever trying to work with well known material like Holmes, there will always be people like me to nitpick over historical accuracy (so to speak). Remember the debacle of the so-called “Bram Stoker’s Dracula?” It turned out to have very little resemblance to the Stoker version of the story. The use of the name was, to be kind, a miscalculation.

By contrast, House is a show that is (or was, in the first couple seasons) inspired by Holmes in a way, while being unique in its execution. It’s a bit of a mystery why the movie Sherlock Holmes was named for Sherlock Holmes when so little of Holmes made it into the story. Sometimes it seems that the culture of Hollywood is determined to avoid creativity at all costs.

So we have two lessons we can learn from this little farce:

1. Be observant. It won’t make you liked but it will make you seem very smart. You could maybe even be a great doctor or great detective if you can learn not just to observe but to reason about what you observe.
2. At least try to be creative! Change the names, for God’s sake! How hard would it have been to make the main character a brilliant detective who’s NOT Sherlock Holmes? Then instead of annoying fans, you could be lauded for doing something different.

Never mind. Who wants that anyway?