Episode One Hundred and Forty Five: Up To Code; Science Fictional Network Security; Notes on Infrastructure; Response; 2014 (5)

by danhon

0.0 Station Ident

30,000 feet again, this time on the way back to Portland from the family farm. It’s inexplicably hotter in Portland than it is in Farmland, Missouri. My son is amusing himself by running around and around in circles and saying “woah!” a lot, and I’m re-reading Constellation Games and wondering when, exactly, I’m going to write this damn book I’m supposed to be writing.

1.0 Up To Code

At some point, you’ve got to wonder where regulation is going to come in. From my Wikipedia-reckoning, if you don’t count Hammurabi, it took the Great Fire of London in 1666 to institute what’s regarded as a modern building code: ie, lots of buildings burnt down and lots of people died. And then (sorry, still Wiki-reckoning), you’ve got the London Building Act of 1844, that specified things like common thickness of walls and height of rooms and so on.

I mean, I guess if you’re counting from the Bronze Age – say, about five thousand years ago – then it only took around, say, about five thousand years for us to develop building codes. (It probably had something to do with critical systems and density of population, though).

So.

Regulations for the Development and Deployment of Connected Software, anyone? Obviously not a thing that’s a new concept by any means, but at this point in time of lack of standard, you’re kind of (to me at least) having a bit of a laugh. You’ve got stuff that people use every day and for some reason or another, governments haven’t stepped in and said: “look, if you’re going to go around deploying this stuff all over the place so people come to rely and depend on it at least you could standardise a bit.”

I suppose we have the lower-level standards, so you can say something like, oh, I want something POSIX-compliant and we need to be able to read and write UNICODE and your thing needs to support SNMP, but…

But these are describe-how-it-acts standards, and not necessarily safety-standards. I mean, you’ve got car safety standards, and I suppose we have the same in FDA standards for medical devices, but we don’t really have standards for “things that involve personal user data”.

A long, long time ago, when I used to be a lawyer, or when I was training to be one, one of the things I got interested in was the English and Welsh piece of legislation that ended up becoming the Data Protection Act 1998[1]. It’s a useful thing, and a tricky piece of legislation, because one of the things that it identified was the concept of personal information and sensitive personal information. In the UK at least part of the Act is administered and enforced by the Information Commissioner’s Office, and it’s here that at least one aspect of software standards might come into force. Part of this has to do with Maciej Ceglowski’s talk, The Internet With A Human Face[2], in particular his suggestions as to regulation.

I can already hear the refrain from the tech industry about this: part of what makes the tech industry unique is its ability to ship fast and ship often, and software is software, you know – it’s just going to have bugs in it. Well, shit. It doesn’t have to. And you can always be doing a better job. So whilst Ceglowski suggests things like Privacy Policies that are actually enforceable and that users are given the right of download, I’d also like to see some sort of best-practices or certification. In other words, if you’re required to build a Target supermarket in a way so that it doesn’t fall down and kill everyone inside it, perhaps you should also require Target to build its software infrastructure so that it doesn’t accidentally leak everyone’s credit card and magstripe data through an open HVAC port[2].

Look, this is a gravy train for everyone. Everyone gets to spend more time building software. Verisign gets to make more money at being, well, Verisign. We can look at things like PCI compliance.

But, just to pose as an open-ended question, what type of technological literacy is needed for at least security regulation from the government if they can also regulate building materials?

[1] The Data Protection Act 1998
[2] The Internet with a Human Face:
[3] Bloomberg Businessweek covers the Target hack

2.0 Science Fictional Network Security

(In which I attempt to do a low-fidelity impression of Charlie Stross, and fail miserably).

See, the problem with the TARDIS is that it’s a bit of a backdoor into, well, the Universe. I’m not even that big of a Doctor Who fan (I stopped watching partly through the current Moffat-era because although Moffat was outstanding on individual episodes – for example, when he introduced the Weeping Angels, his misogyny and lack of follow-through on long-term plotting is just a bit pants. But I digress), but when there’s a crucial episode of the current run that states that the TARDIS is used to reboot *the universe*, you’d want to make sure that it’s got a damn good security system. You know, maybe better than ctrl-alt-delete to gain access to the TARDIS computer. (Which, interestingly, TARDIS feels like it doesn’t really *have* a computer, because it’s kind of alive, because Billie Piper).

Anyway, here’s a list of alternate-universe things the Doctor should be worried about, because everyone knows it’s easier to social-engineer your way on to the TARDIS than conduct a side-channel attack (NB. I look forward to reading a forthcoming paper presented at Defcon entitled: “Using The Cosmic Microwave Background Radiation as a Side-Channel Attack To Circumvent the TARDIS Access Control Lists and Gain Privilege Escalation”).

* An alternate universe where China grooms millions of attractive, young and rebellious-but-still-pliant girls to gain the Doctor’s trust and then execute the Infinite Year Plan

* An alternate universe where the Doctor has to maintain a lock-step ten-minutes-into-the-future simulation of any companion to guard against any social engineering.

* An alternate universe where the Doctor picks up a plucky young drone as companion and has to make sure she stays in the network DMZ because he’s not sure if the NSA’s TAO team has ever, or will ever, have access to her

* Or, the inverse, where the Doctor attempts to pick up RMS as his Companion (against better judgment, I suppose, or because he got one of RMS’ business cards) but RMS elects not to enter the TARDIS because he can’t inspect its source code.

Network security is a tough nut to crack. I mean, there’s that episode of Star Trek: The Next Generation where the Romulans kidnap Geordi and brainwash him through his convenient VISOR interface[1], but they clearly don’t spend enough time (or enough episodes) worrying about side-channel attacks on Geordi because he can “see” a bunch of stuff. I mean, there’s that whole matter of always having to be on the lookout because there’s this massive voice network that you could just piggyback on with the Starfleet communicators. And, out of *everyone* you’d expect to have good network security, it turns out that Data and Picard can just send them to sleep by giving them the sleep command, or, even, that the Borg are susceptible to the Halting Problem. Of course, the alternative is a whole novel series based on Star Trek devops and the people who have to clear up the mess every time Geordi or Data or Wesley suggests a new feature and everyone else in Engineering goes *sigh* great now we have to roll back and do a new fork for this new feature those guys are doing and nnnggghhhh.

[1] Star Trek: The Next Generation / The Mind’s Eye

3.0 Notes On Infrastructure

Some kinds of infrastructure are easier to build than others. It was easier to build $5bn worth of satellite positioning technology due to the threat of the cold war, and to open it up for all as a “common good” as part of showing superiority and that the American way of doing things was just better. It’s hard (still!) to build $5bn worth of high-speed rail to get from DC to New York, or from San Francisco to LA, mainly because there’s thing like a) people who own land, b) airlines, c) car manufacturers and so on. Does this mean it’s easier to build invisible infrastructure than visible infrastructure? Hide that $5bn in a black budget somewhere, make it part of the military-industrial complex, and then spring a surprise “presidential directive” making it a common good, and then wait thirty-odd years for Moore’s law to miniaturise and make accessible your stupendous constellation of satellites and relativistic equations. Where can you build infrastructure where no-one’s looking? No one was looking when Google bought up all that dark fiber – remember when Google bought all that dark fiber? It feels like ages ago (it was in 2005[1], nearly ten years ago! Is Elon Musk building his super-charger network (aka sunlight farming and distribution) in plain sight? And then there’s infrastructure-hiding-as-capitalism, that I can’t remember how I found on this 2007 Supercolossal article[2] that includes the following mmnngh-inducing phrases: “China as USB External Hard Drive to the French” and “If in the event of a catastrophic episode, the part of France in question could be restored and life would go on as it was before”, a sort of French version of the Long Now foundation, aimed at being some sort of hot-spare of the French way of life.

[1] Google Wants Dark Fiber
[2] China, USB External Hard Drive to the French

4.0 Response

So, some of you took the bait on the whole RSS-is-dead provocation, and some of you noticed that I said *consumer* usage of RSS, which didn’t really solve the problem for enough people of “let me know when a thing is happening”, and RSS has potentially moved back into its role of “way to let computers know when a thing has happened” and “way to let a small subset of humans who are obsessed about following things know when a thing has happened”. Perhaps part of the deal is that RSS was never that big in the first place – especially now that we know how big consumer internet technologies *can* be – RSS certainly never had hundreds of millions of daily active users, I don’t think (and if you say it did, then I’m pretty sure you’re double-counting somewhere). Let’s just say that Google Reader probably didn’t have that great DAU/MAUs.

A lot of you miss text-based clients, and I suppose it’s just one of those things that the older amongst us are going to have to put up with. There’s probably an efficiency there (even though you can point to all the studies about pointing at things with pointers and, indeed, fingers) but perhaps one of the things that we’re remembering is simplicity and ease-of-access. Only so many commands, and all so many-keystrokes away, with a good dose of muscle memory. If you’re a reasonably good typist, then perhaps muscle memory and key-mapped interfaces are a great thing when you’ve got a good mental model of what it is you want to do, and what key it’s mapped to.

5.0 2014 (5)

A network of seven radio telescopes performing very-long-baseline interferometry and connected by a custom optical fiber newtork, is being set up in the UK to observe radio-loud galaxies, interstellar gas clouds, quasars and the formation of black holes. Police forces in the United States are able to acquire surplus military supplies for the cost of shipping and maintenance. Observation programmes routinely discover extra-solar planets, there are at least four active space-based observation programmes. Autonomous, self-driving cars commonly use a range-finding system that uses laser light to provide three hundred and sixty degrees of depth data at up to 15 frames a second. The LIDAR system costs over USD 60,000, marginally less than a luxury electric powered car. The internet relies on over 300 international submarine cables, providing over 100 terabits per second of bandwidth. Most cars don’t brake when you depress the brake pedal, a computer decides instead.

It’s 2014.

Apparently it’s Monday. I had no idea. Send me notes!

Best,

Dan