Death Of A Password

Time to bid farewell to an old, dear, and familiar friend, a seven-character one whose identity was inscribed, as if by magic, on my fingertips, which flew over the keyboard to bring it to life, time and time again. The time has come for me to lay it to rest, after years and years of yeoman service as a gatekeeper and sentry sans pareil. For years it guarded my electronic stores, my digital repositories of files and email messages. It made sure no interlopers trespassed on these vital treasures, perhaps to defile and destroy, or worse, to embarrass me by firing off missives to all and sundry in the world signed by me, and invoking the wrath of those offended and displeased upon my head. Its ‘design’ was simple, the artful placement of a special character between a pair of triplet letters that served to produce a colloquial term referring to a major rock band. (Sorry for being coy, but I have hopes of resurrecting this password at some point in the future when the madness about overly-secure passwords and yet utterly useless passwords has broken down.) Once devised, this password worked like magic; it was easy to remember, and I never forgot it, no matter how dire the circumstances.

Once my life became sufficiently complicated to require more than one computer account, as an increasing number of aspects of my life moved online, this password was pressed into double and later, triple and quadruple duty: email clients, utilities billing accounts, mortgage payments, online streaming sites, and all of the rest. I knew this was a security risk of sorts but I persisted; like many other computer users, I dreaded having to learn new, increasingly complicated passwords, and of course, I was just plain lazy. And yet, I was curiously protective of my password; I never shared it with anyone, not even a cohabiting girlfriend. My resistance broke down once I got married; my life was now even more intertwined with another person, our affairs messily tangled up; we often needed access to each other’s computer accounts. And so, it came to be: I shared my password with my wife. I wondered, as I wrote it down for her, whether she’d notice my little verbal trick, my little attempt to be clever. Much to my disappointment she did not; she was all business; all she wanted was a string of letters that would let her retrieve a piece of information that she needed.

The end, when it came, was prompted by a series of mishaps and by increasingly onerous security policies: my Twitter account was hacked and many new online accounts required new passwords whose requirements could not be met by my old password. With some reluctance, I began adopting a series of new passwords, slowly consolidating them into a pair of alphanumeric combinations. My older password still worked, but on increasingly fewer accounts. Finally, another security breach was the last straw; I had been caught, and found wanting; the time had come to move on. So I did. But not without the odd backward glance or two, back at an older and simpler time.

The Fragile Digital World Described By Zeynep Tufekci Invites Smashing

In “The Looming Digital Meltdown” (New York Times, January 7th), Zeynep Tufekci writes,

We have built the digital world too rapidly. It was constructed layer upon layer, and many of the early layers were never meant to guard so many valuable things: our personal correspondence, our finances, the very infrastructure of our lives. Design shortcuts and other techniques for optimization — in particular, sacrificing security for speed or memory space — may have made sense when computers played a relatively small role in our lives. But those early layers are now emerging as enormous liabilities. The vulnerabilities announced last week have been around for decades, perhaps lurking unnoticed by anyone or perhaps long exploited.

This digital world is intertwined with, works for, and is used by, an increasingly problematic social, economic, and political post-colonial and post-imperial world, one riven by political crisis and economic inequality, playing host to an increasingly desperate polity sustained and driven, all too often, by a rage and anger grounded in humiliation and shame. Within this world, all too many have had their noses rubbed in the dirt of their colonial and subjugated pasts, reminded again and again and again of how they are backward and poor and dispossessed and shameful, of how they need to play ‘catch up,’ to show that they are ‘modern’ and ‘advanced’ and ‘developed’ in all the right ways. The technology of the digital world has always been understood as the golden road to the future; it is what will make the journey to the land of the developed possible. Bridge the technological gap; all will be well. This digital world also brought with it the arms of the new age: the viruses, the trojan horses, the malwares, the new weapons promising to reduce the gaping disparity between the rich and the poor, between North and South, between East and West–when it comes to the size of their conventional and nuclear arsenals, a disparity that allows certain countries to bomb yet others with impunity, from close, or from afar. The ‘backward world,’ the ‘poor’, the ‘developing countries’ have understood that besides nuclear weapons, digital weapons can also keep them safe, by threatening to bring the digital worlds of their opponents to their knees–perhaps the malware that knocks out a reactor, or a city’s electric supply, or something else.

The marriage of a nihilistic anger with the technical nous of the digital weapon maker and the security vulnerabilities of the digital world is a recipe for disaster. This world, this glittering world, its riches all dressed up and packaged and placed out of reach, invites resentful assault. The digital world, its basket in which it has placed all its eggs, invites smashing; and a nihilistic hacker might just be the person to do it. An arsenal of drones and cruise missiles and ICBMs will not be of much defense against the insidious Trojan Horse, artfully placed to do the most damage to a digital installation. Self-serving security experts, all hungering for the highly-paid consulting gig, have long talked up this threat; but their greed does not make the threat any less real.

Ken Englehart’s Exceedingly Lame Argument Against Net Neutrality

Over at the New York Times, Ken Englehart, “a lawyer specializing in communications law, is a senior adviser for StrategyCorp, an adjunct professor at Osgoode Hall Law School and a senior fellow at the C. D. Howe Institute” offers us an astonishing argument suggesting we not worry about the FCC’s move to repeal Net Neutrality. It roughly consists of saying “Don’t worry, corporations will do right by you.” Englehart accepts that the concerns raised by opponents of the FCC–“getting rid of neutrality regulation will lead to a “two-tier” internet: Internet service providers will start charging fees to websites and apps, and slow down or block the sites that don’t pay up…users will have unfettered access to only part of the internet, with the rest either inaccessible or slow”–have some merit, for he makes note of abuses by ISPs that confirm just those fears. But he just does not think we need worry that ISPs will abuse their new powers:

[T]hese are rare examples, for a reason: The public blowback was fierce, scaring other providers from following suit. Second, blocking competitors to protect your own services is anticompetitive conduct that might well be stopped by antitrust laws without any need for network neutrality regulations.

How reassuring. “Public blowback” seems unlikely to have any effect on the behavior of folks who run quasi-monopolies. Moreover, the idea that we should trust our ISPs to not indulge in behavior that “might well be stopped by antitrust laws” also sounds unlikely to assuage any concerns pertaining to the abuse of ISP powers. It gets better, of course:

Net-neutrality defenders also worry that some service providers could slow down high-data peer-to-peer traffic, like BitTorrent. And again, it has happened, most notably in 2007, when Comcast throttled some peer-to-peer file sharing.

But it’s still good:

So why am I not worried? I worked for a telecommunications company for 25 years, and whatever one may think about corporate control over the internet, I know that it simply is not in service providers’ interests to throttle access to what consumers want to see. Neutral broadband access is a cash cow; why would they kill it?

Because service providers will make all the money they need by providing faster services to premium customers and not give a damn about the plebes?

But don’t worry:

[T]here’s still competition: Some markets may have just one cable provider, but phone companies offer increasingly comparable internet access — so if the cable provider slowed down or blocked some sites, the phone company could soak up the affected customers simply by promising not to do so.

Or they could collude, with both charging high prices because they know customers have nowhere to go?

Is this the best defenders of the FCC can do? The old ‘market pressures will make corporations behave’ pony trick? Englehart’s cleverest trick, I will admit, is the aside that “the current net neutrality rule was put in place by the Obama administration.” That’s a good dog-whistle to blow. Anything done by the Obama administration is worth repealing by anyone connected with this administration. And their cronies, like Englehart.

Contra Cathy O’Neil, The ‘Ivory Tower’ Does Not ‘Ignore Tech’

In ‘Ivory Tower Cannot Keep On Ignoring Tech,’ Cathy O’Neil writes:

We need academia to step up to fill in the gaps in our collective understanding about the new role of technology in shaping our lives. We need robust research on hiring algorithms that seem to filter out people with mental health disorders…we need research to ensure that the same mistakes aren’t made again and again. It’s absolutely within the abilities of academic research to study such examples and to push against the most obvious statistical, ethical or constitutional failures and dedicate serious intellectual energy to finding solutions. And whereas professional technologists working at private companies are not in a position to critique their own work, academics theoretically enjoy much more freedom of inquiry.

There is essentially no distinct field of academic study that takes seriously the responsibility of understanding and critiquing the role of technology — and specifically, the algorithms that are responsible for so many decisions — in our lives. That’s not surprising. Which academic department is going to give up a valuable tenure line to devote to this, given how much academic departments fight over resources already?

O’Neil’s piece is an unfortunate continuation of a trend to continue to castigate academia for its lack of social responsibility, all the while ignoring the work academics do in precisely those domains where their absence is supposedly felt.

In her Op-Ed, O’Neil ignores science and technology studies, a field of study that “takes seriously the responsibility of understanding and critiquing the role of technology,” and many of whose members are engaged in precisely the kind of studies she thinks should be undertaken at this moment in the history of technology. Moreover, there are fields of academic studies such as philosophy of science, philosophy of technology, and the sociology of knowledge, all of which take very seriously the task of examining and critiquing the conceptual foundations of science and technology; such inquiries are not elucidatory, they are very often critical and skeptical. Such disciplines then, produce work that makes both descriptive and prescriptive claims about the practice of science, and the social, political, and ethical values that underwrite what may seem like purely ‘technical’ decisions pertaining to design and implementation. The humanities are not alone in this regard; most computer science departments now require a class in ‘Computer Ethics’ as part of the requirements for their major (indeed, I designed one such class here at Brooklyn College, and taught it for a few semesters). And of course, legal academics have, in recent years, started to pay attention to these fields and incorporated them in their writings on ‘algorithmic decision making,’ ‘algorithmic control’ and so on. (The work of Frank Pasquale and Danielle Citron is notable in this regard.) If O’Neil is interested, she could dig deeper into the philosophical canon and read works by critical theorists like Herbert Marcuse and Max Horkheimer who mounted rigorous critiques of scientism, reductionism, and positivism in their works. Lastly, O’Neil could read my co-authored work Decoding Liberation: The Promise of Free and Open Source Software, a central claim of which is that transparency, not opacity, should be the guiding principle for software design and deployment. I’d be happy to send her a copy if she so desires.

The Distinct Relief Of Being (Partially) ‘Off-Line’

I’ve been off blogging for a while, and for good reason: I’d been traveling and did not bother to try to stay online during my travels. Interestingly enough, had I bothered to exert myself ever so slightly in this regard, I could have maintained a minimal presence online here at this blog by posting a quick photo or two–you know, the ones that let you know what you are missing out on, or perhaps even a couple of sentences on my various journeys–which might even have risen above the usual ‘oh my god, my mind is blown’ reactions to spectacular landscapes; network connectivity has improved, and we are ever more accessible even as we venture forth into the ‘outdoors’; after all, doesn’t it seem obligatory for travelers to remote ends of the earth to keep us informed on every weekly, daily, hourly increment in their progress?  (Some five years ago, I’d enforced a similar hiatus on this blog; then, staying offline was easier as my cellphone signal-finding rarely found purchase on my road-trip through the American West.)

But indolence and even more importantly, relief at the cessation of the burden of staying ‘online’ and ‘updated’ and ‘current’ and ‘visible’ kicked in all too soon; and my hand drifted from the wheel, content to let this blog’s count of days without a new post rack up ever so steadily, and for my social media ‘updates’ to become ever more sporadic: I posted no links on Facebook, and only occasionally dispensed some largesse to my ‘friends’ in the form of a ‘like’ or a ‘love,’ my tweeting came to a grinding halt. Like many others who have made note of the experience of going ‘off-line’ in some shape or form, I experienced relief of a very peculiar and particular kind. I continued to check email obsessively; I sent text messages to my family and video chatted with my wife and daughter when we were separated from each other. Nothing quite brought home the simultaneous remoteness and connectedness of my location in northwest Iceland like being able to chat in crystal clear video from a location eight arc-minutes south of the Arctic Circle with my chirpy daughter back in Brooklyn. This connectedness helps keep us safe, of course; while hiking alone in Colorado, I was able to inform my local friends of my arrivals at summits,  my time of commencing return, and then my arrival back at the trailhead; for that measure of anxiety reduction, I’m truly grateful.

Now, I’m back, desk-bound again. Incomplete syllabi await completion; draft book manuscripts call me over to inspect their discombobulated state; unanswered email stacks rise ominously; textbook order reminders frown at me.  It will take some time for me to plow my way out from under this pile; writing on this blog will help reduce the inevitable anxiety that will accompany me on these salvage operations. (Fortunately, I have not returned overweight and out-of-shape; thanks to my choice of activities on my travels, those twin post-journey curses have not been part of my fate this summer.)

On to the rest of the summer and then, the fall.

Proprietary Software And Our Hackable Elections

Bloomberg reports that:

Russia’s cyberattack on the U.S. electoral system before Donald Trump’s election was far more widespread than has been publicly revealed, including incursions into voter databases and software systems in almost twice as many states as previously reported. In Illinois, investigators found evidence that cyber intruders tried to delete or alter voter data. The hackers accessed software designed to be used by poll workers on Election Day, and in at least one state accessed a campaign finance database….the Russian hackers hit systems in a total of 39 states

In Decoding Liberation: The Promise of Free and Open Source Software, Scott Dexter and I wrote:

Oversight of elections, considered by many to be the cornerstone of modern representational democracies, is a governmental function; election commissions are responsible for generating ballots; designing, implementing, and maintaining the voting infrastructure; coordinating the voting process; and generally insuring the integrity and transparency of the election. But modern voting technology, specifically that of the computerized electronic voting machine that utilizes closed software, is not inherently in accord with these norms. In elections supported by these machines, a great mystery takes place. A citizen walks into the booth and “casts a vote.” Later, the machine announces the results. The magical transformation from a sequence of votes to an electoral decision is a process obscure to all but the manufacturers of the software. The technical efficiency of the electronic voting process becomes part of a package that includes opacity and the partial relinquishing of citizens’ autonomy.

This “opacity” has always meant that the software used to, quite literally, keep our democracy running has its quality and operational reliability vetted, not by the people, or their chosen representatives, but only by the vendor selling the code to the government. There is no possibility of say, a fleet of ‘white-hat’ hackers–concerned citizens–putting the voting software through its paces, checking for security vulnerabilities and points of failure. The kinds that hostile ‘black-hat’ hackers, working for a foreign entity like, say, Russia, could exploit. These concerns are not new.

Dexter and I continue:

The plethora of problems attributed to the closed nature of electronic voting machines in the 2004 U.S. presidential election illustrates the ramifications of tolerating such an opaque process. For example, 30 percent of the total votes were cast on machines that lacked ballot-based audit trails, making accurate recounts impossible….these machines are vulnerable to security hacks, as they rely in part on obscurity….Analyses of code very similar to that found in these machines reported that the voting system should not be used in elections as it failed to meet even the most minimal of security standards.

There is a fundamental political problem here:

The opaqueness of these machines’ design is a secret compact between governments and manufacturers of electronic voting machines, who alone are privy to the details of the voting process.

The solution, unsurprisingly, is one that calls for greater transparency; the use of free and open source software–which can be copied, modified, shared, distributed by anyone–emerges as an essential requirement for electronic voting machines.

The voting process and its infrastructure should be a public enterprise, run by a non-partisan Electoral Commission with its operational procedures and functioning transparent to the citizenry. Citizens’ forums demand open code in electoral technology…that vendors “provide election officials with access to their source code.” Access to this source code provides the polity an explanation of how voting results are reached, just as publicly available transcripts of congressional sessions illustrate governmental decision-making. The use of FOSS would ensure that, at minimum, technology is held to the same standards of openness.

So long as our voting machines run secret, proprietary software, our electoral process remains hackable–not just by Russian hackers but also by anyone that wishes to subvert the process to help realize their own political ends.