What might government regulation of infosec look like?

“Terrible” is the most likely answer. But let’s assume we’re talking about regulation that is effective and sound (from both a technical and civil liberties perspective).

On Sunday’s episode of This Week in Tech, the panel discussed the possibility of government regulation of internet security. I’m not fully convinced that any regulation is necessary, but the case for some form of consumer protection grows with every breach. And I don’t think it likely that companies will self-regulate.

So as neither a policy nor technical security expert, what sort of plan would I draw up?

Good infosec regulation

Any workable laws or regulations would have to be defense-oriented. It may sound like victim-blaming, but I don’t see any other path. Companies must meet some minimum standard of protection or face non-trivial fines in the event of a breach. But if a breach occurs and the company met the standard, I would not punish them. Even the best organization is going to get compromised in some way at some point.

In an ideal scenario, the punishment would instead be on the bad actor. The international nature of the Internet makes that a near impossibility. And given that a company is acting with some degree of public trust, I don’t find it unjust to demand a certain level of security compliance.

In order to avoid a heavy administrative burden, I wouldn’t require external audits (at least not for companies below a certain size). It could be something as simple as “document the security plan and show that you’ve kept to it”. The plan would have some number of required elements (e.g. customer passwords aren’t stored in plaintext) and a further list of suggested elements maintained by an expert body. So long as your plan isn’t garishly incompetent and you stick to it, you’re in the clear from a government punishment perspective.

Of course, certain systems would still be subject to heavier burden. I wouldn’t do away with HIPAA or PCI in favor of this new model. But you can see how less-sensitive services would be nudged toward better consumer protection.

Bad infosec regulation

So what wouldn’t I include? I certainly would not require any encryption backdoor (I might even prohibit it) or prohibit users’ use of encryption. That’s an obvious choice in light of the civil liberty requirement.

I also would not include any specific technology or process in the law/regulation itself. The technology landscape is too dynamic and diverse for that to be effective. The best we can hope for is to set broader principles that need to be updated on the order of years.

The reality of regulation

I don’t see any meaningful regulation happening in the near future. For one, it’s a very difficult problem to solve from both a technical and a policy perspective. More importantly, it could be politically hot, and we all know how pleasant the current environment in Washington is.

At most, we may see a few laws, probably bad, that nibble around the edges. But as the digital age continues to change society as we’ve known it, the law must catch up somehow.

New to Fedora: wordgrinder

Do you ever wish you had a word processor that just processed words? Font selection? Pah! Styling? Just a tiny bit, please. Or maybe you read Scott Nesbitt’s article on Opensource.com and thought “I’d like to try this!” If this sounds like you, then it may interest you to know that WordGrinder is now available on Fedora 25, 26, and Rawhide.

View of WordGrinder in a terminal

WordGrinder

I should clarify that it’s only available on some architectures (x86_64, i686, aarch64, and armv7hl). WordGrinder depends on LuaJIT, which is only available on those platforms.

This is my first new Fedora package, and I have to say I’m kind of proud of myself. I tried to volunteer someone else for it, but he didn’t know how to build RPMs so I ended up volunteering myself. In the process, I had to patch the upstream release to build on Fedora, and then patch my patch to get it to build on Rawhide. In true Fedora fashion, I submitted my patch upstream and it was accepted. So not only did I make a new package available, but I also made an improvement to a project written in a language that I don’t know.

Yay open source!

How to reduce artificial boundaries in severe weather warnings

If you’ve been around here a while, you’ve seen me have opinions about the shapes of so-called “storm-based warnings”. Years ago, the National Weather Service changed the shape of tornado and severe thunderstorm warnings. Instead of issuing warnings based on the county, warnings are arbitrary polygons fitted to the threatened area. The idea is that by shaping warnings to the actual threat, the public gets a more accurate warning.

The reality is a little messier. Warnings are still frequently communicated to the public on a county basis. Worse, the warnings themselves are sometimes shaped to a county line. This is sometimes done to prevent a tiny sliver of a county from being included in a warning. Other times, it’s the result of a boundary between the responsibility areas of different NWS Forecast Offices.

Last week gave a great example close to home. The NWS office in Northern Indiana issued a tornado warning on the edge of their forecast area. Because the adjacent office didn’t issue a warning for that storm, the resulting shape was comically bad.

A tornado warning (red) shaped by the boundary (blue) between the IWX and IND forecast areas.

To be clear: I don’t blame the forecasters here. It was a judgment call to issue or not issue a warning. The real problem is that the artificial boundary does the public a disservice. Most of the general public probably does not know which NWS office serves them. Bureaucratic boundaries here only add confusion.

One solution is for the offices to coordinate when issuing warnings near the edge of their area. That doesn’t hold up well in the short time frame of severe weather, especially if an office is understaffed or over-weathered. Coordination takes time and minutes matter in these situations.

My solution is simpler: allow (and encourage) offices to extend warnings beyond their area. Pick a time frame (30 minutes seems reasonable) and allow the warning to extend as far into another office’s area as it needs to in order to contain the threat at that time. Once the threat is entirely into the new area, allow that office to update the warning as they see fit.

This allows offices to draw warnings based on the actual threat. It buys some time for additional coordination if needed, or at least gives a cleaner end to the warning. It does mean that some local officials will need to have a relationship with two NWS offices, but if they’re on the edge they should be doing that anyway.

The downside is that it increases the effort in verifying warnings because you can no longer assume which office issued the warning. And it could lead to some territorial issues between offices. But the status quo provides easier bureaucracy by putting the burden on the public. That’s not right.

Sidebar: what about issuing warnings at the national level?

Another solution would be for a national center to issue warnings. This is already the case for severe weather watches, after all. While it would solve the responsibility area problems, it would also reduce the overall quality of warnings. Local offices develop relationships with local officials, spotters, etc. These relationships help them evaluate incoming storm reports, tailor warnings to local conditions and events, etc. While a national-level warning operation would clearly provide some benefit, warning response is ultimately a very personal action that benefits from putting the warning issuance as close to the public as possible.

Conference talks: “how” versus “why”

Recently in the #public_speaking channel on Freenode, we were discussing two types of conference talks: the “how” talks and the “why” talks. SomeKittens said:

too many talks are “how” when I really want to hear “why”

I couldn’t agree more. I struggle with “how” talks at conferences because conferences are a fire hose of information and it can be hard to take it all in, never mind retain it. By the time I get back to real life and am ready to implement this new thing I’ve learned, I have forgotten so much. If I’m lucky, I can watch the recorded version a few months later. But then why did I go to the session in the first place?

“How” talks are also often meaningless without the context of “why”. What good is knowing how to frobble the bobulator if I don’t know why a bobulator needs to be frobbled in the first place?

“How” talks are often very specific. A certain person in a certain organization accomplished a certain task in a certain way. How much of that is applicable to another person in another organization? Even if they want to accomplish the exact same task, the conditions aren’t the same.

“Why” talks tend to be more about identifying and presenting principles that can be broadly applied. As genehack pointed out, they tend to be stories. Stories make for much more engaging talks.

If you were to think about a talk mapped to written form, consider a “how” talk like a blog post. It might give a bit of introductory context (and if not, it’s a bad post) but then it gets straight into the matter at hand. There’s a well-defined flow and set of steps. It’s very amenable to copy/paste-ing.

A “why” talk is more like a book or maybe a magazine. You’re not going to copy and paste from it. You may put it down partway through, mull it over, and then pick it back up later. The aim is less about accomplishing a particular task and more about developing a mental framework.

When you’re developing a conference presentation, come up with whatever you want. But at least consider making it a “why” talk.

Twitter’s public roadmap: I’ll believe it when I see it

Full disclosure: I own a small number of shares in Twitter.

Trello is a very important tool in my workflow, so I read their blog for tips and news. I started reading a recent post by Leah Rider and everything was fine until I saw this:

As one of the most dialed-in companies to the pulse of the people, Twitter…

I’m sorry, what? Twitter is notoriously bad at knowing what people want, be they users (an edit button and less harassment), developers (the ability to develop apps), or investors (I’d settle for breaking even at this point). Twitter may be where the pulse of the people is expressed, but that doesn’t mean the company has a clue.

The post goes on to say

Through a simple public Trello board, Twitter is redefining their relationship with the developer community and setting a precedent for other platforms.

If Twitter wants to define a relationship with the developer community, they could start by having one. The only reason I maintain a Twitter client is because Twitter drove away the original developer. Twitter’s rise was due in part to the ecosystem of great (and not-so-great) third-party applications. Twitter was a platform that people could build off of.

That’s no longer the case. Many features are not available via the API. Polls and GIF searches are two that come right to mind. It takes more than a public Trello board to have a community. And the Trello board isn’t even impressive. It is publicly visible, but not editable. What’s worse, the last update was almost a month ago. The last activity before that was over two months ago.

So if Twitter is ready to develop a robust third-party app ecosystem again, that’s great. It can only benefit the platform. But you’ll forgive me if I wait to see some evidence before I believe it.

Do you have an expectation of privacy from the Geek Squad?

In May, a federal judge excluded evidence from a child pornography case because the search warrant was based on impermissible evidence. Setting aside the abhorrent nature of the alleged crime, I think this was the right decision. While the accused did surrender his laptop to Best Buy’s Geek Squad technicians, that doesn’t give the techs carte blanche to search for incriminating material.

It’s not as if the images were in a folder called “Here’s my kiddie porn!” on the accused’s desktop. They were apparently deleted files recovered from the unallocated part of the disk drive. Now it’s entirely possible that they were the accused’s files that he had deleted. It’s also possible that they were from a browser cache after clicking on a risky link. Or that they were from the previous owner of the hard drive (if there was one). As the judge noted, there’s no clear possession.

Furthermore, because the Geek Squad technicians were acting as agents of the government, the standards are a little higher. The fact that the FBI, when applying for the search warrant that led to the discovery of more illegal material at the accused’s house, omitted key facts did not help.

On This Week in Law (episode 387), one of the panelists (I believe it was Matt Curtis) said reasonable people can disagree, but he doesn’t think there’s a reasonable expectation of privacy when you give your property to a third party. I agree, but it all comes down to the definition of “reasonable”. Unless specifically requested, I don’t see that a reasonable person would assume technicians would search inaccessible parts of the hard drive. After all, he sent in the laptop for repair because it wasn’t working, not to recover data.

The digital era changes the framework for how we consider privacy, both culturally and legally. Nevertheless, the Fourth Amendment provides a key safeguard to the liberty we hold dear. It should be difficult to prosecute someone for a crime, even when that crime is despicable. Particularly when the crime is despicable.

Other writing in June 2017

Where have I been writing when I haven’t been writing here?

Opensource.com

Curated articles

Cycle Computing

Silicon Valley has no empathy

That’s not quite fair. The tech industry has no empathy, regardless of geography. And it’s not fair to say “no empathy”, but so many social issues around technology stem from a lack of empathy. I’m no half-Betazoid Starfleet counselor, but in my view there are two kinds of empathy: proactive and reactive.

Reactive empathy is, for example, feeling sad when someone’s cat dies. It’s putting yourself in the shoes of someone who has experienced a Thing. Most functional humans (and yes, I’m including the tech sector here) have at least some amount of reactive empathy. Some more than others, of course, but it’s there.

Proactive empathy is harder. That’s imagining how someone else is going to experience a Thing. It requires more imagination. Even when you know you have to do it, it’s a hard skill to practice.

I touched on this a little bit in a post a few weeks ago, but there I framed it as a lack of ethics. I’m not convinced that’s fully the case. More often, issues are probably more correctly attributed to a lack of empathy. You know why you can’t add alt-text to GIFs in tweets? Because Silicon Valley has no empathy.

I was thinking about this again last week as I drove down to Indianapolis. I had to pass through the remnants of Tropical Storm Cindy, which meant some very heavy downpours. Like a good citizen, I tried to report issues on Waze so that other drivers would have some warning. As it turns out, “tropical deluge” is not a weather option in Waze. Want to know how I can tell it was developed in the Valley?

It’s so easy to say “it works for me!” and then move on to the next thing. But that’s why it’s so important to bring in people who aren’t like you to help develop your product. Watch how others experience it and you’ll probably find all sorts of things you never considered.

Mario Marathon 2017

That’s right! Your favorite video game charity marathon is back again! By the time this post goes live, I’ll probably be getting ready to drive down to Indianapolis and play my part. Not playing the games, of course, but reading tweets and generally interacting with the audience. I really like that part.

So, my ones of readers, I strongly encourage you to go to MarioMarathon.com, tune in, and donate if you can. As always, the money goes directly to Child’s Play Charity which provides books, toys, and video games for children in children’s hospitals around the world.

This year features a new location, and some great surprises. You won’t want to miss it.