
An Open Reply to Zooko and Jon

Dear LeastAuthority and Silent Circle (aka Zooko and Jon),

I too know and like you both! I too admire your work, have tremendous confidence in your abilities, and it’s been amazing to watch your efforts, both sophisticated and useful, grow over time. I want to be customers of you both when I am less broke. Personally, I enjoy talking and hanging and hiking and all manner of things with you! (Zooko I really must go back to the mountains with you one day) That was a very sweet and erudite discussion of the problems of verifiability and technical trust and Open Source and Descartes and Godel. Seriously, I could totally have that talk with both of you while sipping nice port out of little crystal glasses.

But no one is going to attack the customers of either Silent Circle or Tahoe-LAFS by compelling you to deliver a malicious update. If they want to do it the hard way, they’re going to use an iTunes update or a Skype update or just attach a file called interesting-shit.jpg.exe to a forged email to your customers. If they want to or can attack your customers the easy way, your customers will end up under fluorescent lighting in an airless room surrounded by buzzcuts with toothy rictus smiles. Your customers will have the distinct sense that while they’d like to see your customer’s computer/phone or else, they’re cool with or else for a while if your customers want to play that way.

The first way is of course stealthier, which is the real reason they go after hosted services, because that’s a stealthy way of monitoring communications, and gets you a historical record. (Which is also why I’m all like “No encrypted email! Encrypted email baaaad!” all the time.)

But if they’re going to own the endpoint, there’s no point in interfering with your two companies who are loud and skittish and likely to pull a “Ladar”.

They could own the end point any number of ways with off-the-shelf shit, and go home early for the weekend. If they really want to do bulk collection they’ll just send a malicious update of Angry Birds.

Seriously, attacking a target through your apps would be stupid and likely to get out. So they’re not going to. They’re going to use the vast number of easy weaponized apps built on top of the thriving 0day market to scoop not only every bit your targeted customers send you, but everyone else too. And it’s great! They won’t ever get caught for this. I don’t even have to provide links and evidence for what I’m saying because we all, everyone who works vaguely in this field, already know this.* But this is not just your customer’s problem, it’s your problem, too.

This all brings me to my point in my normally circuitous way. And Jon, you made this point in part, but for me, not nearly hard enough. These debates on crypto and code verification are actively beginning to annoy me, because malware/phishing is fucking terrible and the real fucking problem and everyone is ignoring it. I don’t mean you in particular are annoying me, but in general this tendency is. I worry watching two people as respected as you do this continues to distract people from our terrible problem. It’s like watching a couple gentlemen have a lengthy and erudite discussion on the merits of the front door’s lock while the back of the building is actually on fire.

I really do appreciate discussions of verifiability on an intellectual level. If I wasn’t also that kind of dork I would never have made it through the majority of my life hanging out with you people. I can sit around with friends trying to figure out when the halting problem comes into play in game situations. I teach writing with Shannon’s information theory in mind. I understand the dopamine rush of a *solution*. But we don’t have that luxury anymore, because everything and everyone is getting owned like crazy.

The answers to the malware problem are probably not verification. They are probably many answers, messy answers, and not always provable or even always effective. I think that’s why we don’t like them, because they aren’t elegant. And because we like to imagine malware can’t happen to us. It happens to people who don’t know better and live far away, but are also much more likely than us to do the kind of work that gets targeted by hostile actors.

I don’t mean to over-focus on you, because you guys aren’t close to the worst on this. We need to fix the industry’s incredibly broken threat model, because malware is everyone’s problem. You’re trying to protect your users’ data, period. Not just when it’s in your little mathematical garden, but before it gets there and after it leaves, because otherwise your mathematical garden is irrelevant to the real world. This problem is, for our kind, much harder than proving Godel wrong, because it’s tractable but huge and it’s messy and it will never, ever, ever feel right.

If we don’t start focusing some of our attention on malware, crypto is going to be irrelevant in yet another way.

Regards,
Quinn

 

* People who are not the people this is addressed to who would never make this mistake anyway, don’t even talk to me about AV. I mean, don’t even.

Count

For many years when I walked into a room I instantly counted the women. It told me a lot about what to expect from that room. One day, having lost my best friend over racial politics out of my control, I began to count people of color. That too was for safety, for understanding how my views would be taken. That too told me a lot I needed to know about the room. But it also hinted to me about a whole realm of experience I wasn’t having.

The neighborhood where I grew up in LA gentrified unbelievably hard through my childhood. The odd Mormon Filipino family whose son was my BFF for a while eventually sold the shack they lived in, which was badly enough constructed that despite Legrande’s father’s efforts to patch his walls, you could still hear the ocean wind from inside his room. When they moved it was torn down, and the garden (like most of them would be) was filled in with expensive house, in the Socal Hollywood style of all stucco and reaching up past your neighbors for views. The houses got torn down one by one. The neighbor to the right, across the street, eventually my best friend’s, and all replaced with opulent houses. But opulent not so much to be seen as to keep the residents from prying eyes — the way you signaled you were important in Los Angeles. As this happened across my neighborhood I stopped knowing my neighbors. The class divide had moved next door. Still, children don’t get this, and when they escaped from grown-up eyes they flocked together. I made a few friends at moments. Going back to their houses, I first heard the phrase “We don’t discuss money.” My mom discussed money, my dad, far away in northern California hardly discussed anything else.

How could you not discuss money? It was like a family that announced they didn’t allow the mention of food. Or hope. It was exactly like a family that didn’t mention food or hope.

I visited Oklahoma once as a teenager to see my paternal grandparents. They lived outside Tulsa in a place you could mistake for rural with a bad littering problem if you’ve never seen desperate poverty, American style. Out there the poor whites told me “We’re colorblind. We don’t even see color.” But there were no people of color to be seen in the area. The closest lived on the Res, and I learned many years later that when my father was a child, he was one of the only whites that snuck across to visit the kids at the BIA schools. He never told me what he saw there, but when I was young he would get very drunk sometimes at night and tell me we should all get back on the fucking boats and go back to Europe. I didn’t know what Europe was.

For a time I decided I couldn’t see color. But then I couldn’t see what happened to people of color. To not see their color, I realized, was to not see its absence, and its absence was everywhere I wanted to be, in every room I aspired to get into. I had made their pain and struggle invisible to me. I argued that this position was not racist, but anti-race altogether. And besides, many of my best friends hadn’t been white. How could I be racist?

In 2010 I went to a prestigious invite only conference in the tech world. I was, at this point, widely welcome in those rooms I’d dreamed of going in. I counted. My heart soared — it really felt like we’d turned a corner. It wasn’t just that there were more women. There were, but also they were talking. It was like pushing on a giant stone for all my life, then one day feeling it finally shift underneath my fingers.

On Saturday night I was sexually assaulted. Specifically, I was groped. I hit my aggressor in the chin and knocked him back. Despite having probably 100lbs on me, he stumbled drunkenly and barely kept his footing. “Touch me again and I’ll break your nose,” I told him. He laughed lightly, still finding his feet, and said “I like this one!” I looked at him, to catch his eye, and replied calmly, matter-of-factly “No. If you touch me again, I will break your nose.” He laughed again, but wandered away from me, looking to grope easier prey.

This is how I’d felt all my life, like my job was to not be easy prey. But this was a professional field, not the fucking Serengeti. I walked a little later with the conference organizer, a woman older than me, and of much stature in tech. I told her I was so happy to finally see women in my field. “But,” I said, “I think these incidents will be more common for a while. These guys don’t know how to behave around women.” To myself, I added bitterly, or other human beings at all.

In part, the tech community had allowed in women, but in part it had also only failed to keep them out.

It was always the ones that said they didn’t see gender or color who did the most damage. “They’re just words,” they would say, “Why do you let them hurt you?” And with that, my pain was made as invisible as me. “They’re just words.” Indeed, just the verbal incantations of power, like law and code and everything else that made the world. I decided to leave tech for words.

But now I’m all shouty. Now people are angry at me because I have a stage, and they can’t make me invisible and ignore me, because the truth is you can’t ignore words, and I have the words. So now they really hate me. The others, the majority, sit uncomfortably with the conflict. No one is quite sure what to do, they want things to be abstractly better, but they don’t want anyone to be loudly upset, either. One side is considerably louder than all the others.

This is what I ask: when you walk into a room, count. Count the women. Count the people of color. Count by race. Look for who isn’t there. Look for class signs: the crooked teeth of childhoods without braces, worn-out shoes, someone else who is counting. Look for the queers, the older people, the overweight. Note them, see them, see yourself looking, see yourself reacting.

This is how we begin.

How to Criticize Women in Technology

For the background to this post, here is Chris’ first post, Ryan’s quite complex and important response, and Chris’ second post.

Before all this was a Twitter exchange. Chris tweeted saying there was a special place in hell for me three days before his post. I ended up calling him a dick, for being a dick to Nick Bilton, after which he wrote the now infamous post that kicked all this off. I hope in vain that this post may close the conversation.

The internets have been abuzz with the talk of whether Chris Soghoian’s attack post on me (and other journalists) was, among other things, sexist. After a litany of faults, put downs, and misunderstandings, this one question has emerged above all others. So let me address whether Soghoian was sexist towards me.

Of course he was.

But perhaps not the way the vast majority of people think of sexism. I have no idea if Soghoian has a problem with women, per se. But I have a problem with perpetuating an environment so hostile to women that most leave and the ones that remain often describe their own careers as “traumatic.” This is what Soghoian has done, and this is sexism in its most pernicious form.

I don’t know (nor am significantly concerned) what Soghoian was thinking when he attacked me. He has stated he doesn’t hate women journalists. But there’s more than intention to sexism, whether my gender fueled those intentions or not. Sexism isn’t merely the stance: the sexist mind, where one denigrates women deliberately in thought and word. It is also the performing of sexism, which requires very little consciousness and does the majority of damage. When someone like Soghoian chooses a target for a political attack, he chooses for maximum impact, and hopefully little harm to him. The fact that women are less supported in tech makes us easier targets. And we are — given any arbitrary level of accomplishment, attacking women is safer than attacking men. When Soghoian patronizes us, he reinforces this relative weakness. In short, he performs sexism. He can be assured of the support of overt sexists, which he received in his post’s comments, and that others will be loath to weigh in.

The performance of sexism and racism is almost always all upside for the performer. It’s generally too subtle to be criticized, guarantees a constituency no matter how odious you may find that constituency, and melds in seamlessly into an environment of sexism like one more violin in the string section — ultimately strengthening an anti-woman culture. And this is exactly what Soghoian did by adopting a patronizing and disrespectful tone during his take down on me.

In this specific case, after leading with the technical inadequacy of journalists, Soghoian ran into a problem with me. I am not, as one would get the impression from how Soghoian structured his attack, a technical illiterate. I didn’t get a quote explaining the biggest flaw in Cryptocat from any of Soghoian’s favorite men, which he criticized me for, because I didn’t need to. I can explain that a hosted Javascript application is vulnerable to a deep structural attack better than any of them — I explain things for a living. Each time you go to the site and re-download Cryptocat, the only assurance you’re getting the right code is SSL, the encryption layer of web communication which is signaled to users by the lock icon in their browser. But SSL is broken, and relying on it is a design flaw for Cryptocat. The fact is, I covered the flaws. I agreed with Soghoian and others about what the worst problems were, and not only restated that the software was experimental, but that the author himself wouldn’t bet his life on it. That statement, more than any mention of HTTPS stripping or man-in-the-middle, was there to tell real people with real problems that they shouldn’t bet their lives either.

Soghoian practices talking down with the skill of an artist. Robbed of actual technical insufficiency on my part, he could only imply it, and switched to criticizing my writing. He said I placed the technical details too low in the article, implying that my readers wouldn’t read that far.

I am a long form, literary non-fiction writer who specializes in technical subjects. I write whole articles, I write them with my whole heart, and I work damn hard to keep my reader engaged. It does hurt to have Soghoian cleverly talking down to me on a technical level when I may very well know more than him. To go on to subtly insult my ability as a writer is not only contemptible, but an unqualified attack.

I have to spend time unwinding these assumptions about my skills every day I interact with the community I cover. I have explained that I am no one’s girlfriend more times than I can count. I have to tell people to stop dumbing down when I enter a conversation. In the 19 years that I have socialized with, worked in, lived with, and eventually came to write about the tech community, I have come to terms with disrespect and patronizing towards women that is simply breathtaking. The attitude is how this is performed. Sexism isn’t merely present, it is the water we swim in.

This doesn’t mean that it’s impossible to criticize women in technology without being sexist. But it is a bit harder. The tool you have to give up when criticizing women who have been talked down to all their lives, if you want to avoid performing and therefore reinforcing sexism, is talking down to them. For a man in tech, speaking down to a woman in public is a fundamentally different act than speaking down to another man. (Bringing up appearance, dating, or sex, while not applicable in this case, is equally problematic.)

And before anyone says that’s not fair, I’ll point out there’s a lot of not fair here to go around. If you want someone to blame for that, don’t start with either the men who have stepped forward to call bullshit when they see it or the women who stand up for themselves in an environment that can often feel like a lion’s den. If you want someone to blame for the fact that you can’t patronize women without performing and reinforcing sexism, blame the rich history of sexism that created the situation we find ourselves in now.

Context matters. If you have two men working for you, and one is white, and the other a person of color, it means something different if you call the latter “boy”. What might sound affectionate to the former is likely to sound like hundreds of years of oppression to many people of color. So just don’t ever do that. We learn these things.

If you want to deliver a cogent, non-sexist criticism to a woman in a non-traditional field that doesn’t reinforce nasty cultural norms, (which we need as much as the next person) you have to take the rhetorical tool of patronizing them out of the tool kit. Speak respectfully and recognize their achievements in public. It’s not too much to ask.

If, as has been suggested to me by several people, this is the only tone Soghoian has, we might consider that this as a personality flaw would run deeper than mere sexism. A person who is unable to adjust to circumstances or speak with a compassionate and deliberate argument is not a good person to be. I prefer to think that this isn’t who Soghoian is, but rather that, soaking in an environment of sexism, he performed it unknowingly.

Everyone knows that sexism runs rife in tech. Yet no particular instance of it can be spoken about without recrimination towards the speaker. This is not the way to make things better. Instead, Soghoian should publicly apologize to me, and then we all should forgive him his outburst. I doubt that this will happen, but it would help the community if it did.

Why I won’t be buying an iPad, and why it doesn’t matter as much as you think it does.

There’s all sorts of interesting arguments about the inherent politics of the iPad out there, like Cory’s and Aaron’s, or maybe most interestingly, Dale’s. But none of that has to do with why I won’t be buying an iPad. I didn’t get as far as those thoughtful concerns. I simply don’t have the money.

Rich people looove to hug the iPad

I’m known among my friends for generally having less money than they do, for living hand to mouth, and for having thoughtful critiques of the American Poverty Trap, but from the inside. (In some future post I’ll try to explain why there is no point in me (& many others) trying to save or work my way out of the Trap, but that’s for another time.)

I have a laptop, and a car. But like many poor people, my big ticket items are old and I need them to survive. The poor make their durable goods really durable. People are resourceful, and the poor have ways of getting what they need that generally trade time for money. It falls down sometimes, and we can’t get what we need, but in general it’s amazing what someone will eventually lay their hands on with enough time, thought and determination. Increasingly I am seeing a lot of homeless people with older laptops, some of the straight up street people, huddled near public outlets and presumably open wifi. It’s exciting, because it opens up worlds of knowledge and communication that were always closed to the poor. The net is becoming simply a part of everything, to the point where taking a break and moving back into early 90s technological life seems to have the feel of going on an Arctic adventure. Did bears try to eat Aaron in his month off? Mysteriously, he never says.

I live a really rich intellectual life and get to do lots of things most poor people don’t, and I appreciate that it’s because almost none of my social group are poor. But sometimes my social group kind of goes crazy and forgets that while they have a lot of power, my class is a whole lot bigger than theirs. And none of them will be buying iPads.

A few of them do have iPhones, because phones are one of those durable goods we need to survive and that’s most of their meager disposable income. A few probably have iPod touches that they got as gifts, hand-me-downs, or because that was their one nice thing they wanted. But the iPad does absolutely nothing vital, and nothing a cheaper piece of electronics doesn’t already do well enough to get by. I’m pretty sure Apple knows this, and couldn’t care less. Poor people do buy iPods, sometimes even new, but they’ve never bought anything else Apple has ever made. And that’s fine. I’ve never felt the urge to get me some Tiffany, and they’ve never felt the need to try to get my money. Similarly, Apple’s just not a brand very open to the poor. But why does this mean anything to the political arguments? Because other vendors out there do want to take our money. We don’t have much, but there’s a lot of us, and unlike the other classes, we’re getting a lot bigger.

These vendors squeak by on razor thin margins, especially in electronics, and their value adds are generally rip-offs of features from more expensive products. We don’t have any walled gardens in our world, because there’s no margin in controlling things for poor people. When the iPad becomes old news and is massively ripped off, no one is going to wall in anything.

Curate my content? Hell, you're not even going to be here next week.

This is important, so I’m going to say it again: There will always be people trying to get the disposable income of poor people, and there will never be a margin in maintaining a walled garden for us. You might reply to this by saying ‘Sidekick’ and I’ll point out that was a lesson in there being no margin in it. Just because something doesn’t work doesn’t mean people don’t try it occasionally. This is also the failing of the Zittrain argument. Even in his worst case scenario, it really is just you rich people that get locked up for your own safety. We will still be free, and living in dangerous lands[1]. Just like in the real world, our neighborhoods online will be built from crap materials, mildly dangerous, old, and interesting[2].

Which means that it will always be true for you as well. Like fashion, technology is primed for occasional revolutions that come from below and are recycled from the top. Those will impact many parts of society- and even change the walls the rich[3] build around themselves as well. As the internet devolves knowledge to something we can get, you’ll decide something else is required for accreditation into your class. Oh wait, you already did that. You’ll do it harder the more knowledge we get. But I’m so excited about seeing everyone get your used netbooks. I think the halcyon days are ahead for the life of the mind among the poor, and we’ll do it with the same freedom we’ve done everything, the freedom of the forgotten.

Don’t worry about freedom going away because of the iPad, just becoming the kind of neighborhood you wouldn’t visit.

  1. For most poor people, the idea that the net is dangerous is pretty laughable. We actually do live in dangerous places, and mostly the police don’t really protect us so much as protect you from us.
  2. Also, the iPad seriously looks like thief bait. We’re not idiots, we know what our drunk uncles are going to do with it if we come home with one.
  3. Rich includes the middle classes. You all look the same to me.