Weak Interface failure: Your Bank can make you a victim

Although I focus on the weak interface in computers and software, it also has a great effect on the “physical” world.  The life of the average person in the US is intertwined with computers.  If you doubt this, go to any hospital, bank, restaurant, etc. and you will find computers so integrated with the business that it could not operate without them.  Not understanding computers and modern technology is not just risky, it’s flat out DANGEROUS.

What does the headline “US bank loses unencrypted data on 4.5m people”  mean to you?    (http://www.theregister.co.uk/2008/06/02/ny_bank_lost_data_flap/)

If you are on the more techie side of things, hearing this about your bank would have you looking into your accounts and/or changing banks.  Unfortunately for those on the other side of the weak interface the headline might be harder to understand.  The term “unencrypted data” needs explaining.

For the sake of the less techie audience it’s like this: the bank wrote everything needed to empty your account on a computer, then lost that computer.  Someone out there can take all your money, open credit cards in your name and max them out, ruin your credit, and steal your identity.  Had the bank encrypted your data you might be safe, but they didn’t.  To make it even worse, they hid the fact that this happened until the government discovered it, so whoever has the data had 3 months to have fun without anyone being the wiser.

The bank could have protected the data, or the physical media it was on, or both, but it didn’t.  The days of a guy with a gun sticking up a bank are over; it’s MUCH easier electronically.  In this case the criminal may never be seen or caught.  Bank of America is going to court over someone who is suing them after being electronically robbed. (http://searchfinancialsecurity.techtarget.com/news/article/0,,sid185_gci1294358,00.html)

Knowledge is your best defense.  Knowledge will remove the weak interface for you.  In other words, learn about computers and software, PLEASE.  This is the equivalent of telling you to be aware of who’s around you in a bad neighborhood.  Pay attention to the environment you are in.  The internet is an amazing tool and place to work through, but there are also wolves out there.

You can find out if your bank or state has potentially lost your information by searching here:
-=      http://datalossdb.org/      =-

Let me know what you think.  I’m looking for comments to improve the blog, and motivate my lazy arse to write more often.

Thanks for reading.

Until next time.

January 4th, 2009, posted by anansi

Good News . . . Bad News

I was critical about DRM in a previous post.  Worse than failed DRM is the means of enforcing it.  This involved lawsuits and a lot of hurt feelings.  Well, now there’s good news and bad news:

The Good news:

The Recording Industry Association of America (RIAA) has decided to stop suing people.
If you don’t know, the RIAA are the ones who have dragged people into court for downloading music.  They don’t know what they are doing.  This is a classic weak interface issue.  The ones who are downloading know how to use the internet, but the group chasing them has no idea how to find them.  Instead of intelligently asking a person who knows how the internet and downloading work, they decided to sue anyone they thought they could find.

Suing everyone they could find included:
- a teenager
(src: http://www.1010wins.com/pages/193237.php?contentType=4&contentId=298727)
- an 83-year-old DEAD woman
(src: http://www.theregister.co.uk/2005/02/05/riaa_sues_the_dead/)
- even XM radio!
(src: http://yro.slashdot.org/article.pl?sid=06/05/17/0250238&from=rss)

There’s even the blog of a lawyer who specifically deals with the RIAA nonsense; I suggest you give it a read: http://recordingindustryvspeople.blogspot.com/

Even if you win a RIAA lawsuit, as almost everyone has, the time, money, and energy you put into it are irreplaceable.

So the idea that they are going to stop suing people is great.  After millions of dollars wasted and countless hours of the judicial system down the drain, they have stopped.  Yeah.

Why am I not more excited?  Well, because of…

The Bad News:

The Recording Industry Association of America (RIAA) has decided to conspire with internet service providers (ISPs).
Your ISP, the folks you pay for internet access, is going to police you.  I don’t know how this will play into privacy, but you should know that the RIAA has asked them to watch you.  Here’s why it is bad.  VERY BAD.

“The new plan circumvents the law, and puts the power directly into RIAA’s hands, which means that more innocent people than ever will get harassed by the RIAA.”
(src: http://techgossip.net/2008/12/riaas-new-piracy-plan-cuts-off-people-without-a-fair-trial/)

In the near future the internet you pay for will be watched for what “looks like” illegal activity.
Knowing how computers work, I suspect some of the speed you pay for will go towards watching you.  As for me, if I pay for it I should own it.  If you cut my speed to watch me, you had better charge a lot less.
And who knows what they will flag as suspicious?  What about getting large emails from friends who send pictures? (This happens often.)  Or what about large files I send myself from my job?  The very subjective standard of “suspicious activity” is a slippery slope towards controlling what you are allowed to see and do online.

Think about all this and let me know what you think.

Till next time….

January 4th, 2009, posted by anansi

Behind the times

Technology moves lightning fast these days.  Experts are becoming more knowledgeable faster than ever before, which leads to new technology becoming available faster.  The problem is that some institutions we rely on are unable to cope with the new speeds.  This is especially worrisome because criminals are abusing the weak interface.

It is relatively easy to defeat a security CCTV with commercially available parts (no, I am not going to tell you how to do it, so no links).  The RFID chip in everything from bank cards to passports has been beaten
(http://www.schneier.com/blog/archives/2006/08/hackers_clone_r.html),
and the list goes on.  Neither the law nor law enforcement is able to cope, no matter how sure they are, because they fail to employ or listen to the experts.  In the case of RFID, even before there was RFID in passports, experts said it could be hacked
(http://money.cnn.com/2006/07/13/pf/rfid_passports/index.htm?cnn=yes)
and now an expert has hacked it in 2 weeks.  Please, please, please listen when experts talk.  They actually know something.  Even wiretapping can be defeated easily with off-the-shelf parts.  This was posted in a major engineering publication, including examples and experimental results, but law enforcement has not yet deployed a solution.
(http://www.crypto.com/papers/wiretapping/)

I really can’t say it enough: when a subject matter expert tells you that technology has advanced to a point of concern, please listen.  Talk to them and do what needs to be done.

Until next time.

December 2nd, 2008, posted by anansi

“What do you do again?”

One complication of being in an industry that is not well understood is explaining to those outside the industry what you do. Meeting new people gets a little complicated when you hear the simple ‘get-to-know-you’ question,
“So what do you do?”
I don’t like to say, “I work in computers.”  That answer covers everything from ‘designing national networks that millions rely on’ to ‘working IT at a small store’.  Vastly different ends of the spectrum.

I have a friend, ‘Smiles’, who works in the search engine optimization business (think ‘Google’ if you don’t know). When she starts to explain her specific job, eyes glaze over as anyone who needs the explanation gets lost fast.
Another friend, ‘Beck’, is a programmer and he just tells his family he’s like a cable repairman.  Not even close to what he does, but it is a platitude that lets him avoid trying to explain writing software to people who don’t even understand what a computer is.

The best way I’ve found to explain my job is through analogy, and I encourage anyone in the industry to create some that work for them.  For example, when I was working on guidance systems I merely said,
“I help the machine understand what it sees.  Like explaining road signs to a new driver.”
Not my favorite analogy, but it allows for a very general idea of my job without having to explain the history of computers to someone.  Here’s the problem with this solution.  Since you don’t get very detailed with the analogy, it can give the illusion that your job is easy.  People tend to forget that it takes years of experience and a lot of knowledge to be able to write even “simple” programs on the computer.  Please, if you hear anyone in the computer industry describe their job in simple terms or via an analogy, do not assume that the job is ACTUALLY simple.

The best advice I can give, if you’d like to understand the computer industry better: go to your local library and ask for some intro books to read.  Then sit down and read them.  Then sit at a computer and use that knowledge a little.

That’s all for now folks!
Take care.

November 19th, 2008, posted by anansi

Invisible Abuse (important post)

I’ve previously stated that the ‘war’ is on between those with knowledge and those without.  Some are using the weak interface for abuse.

The abused (you) may not even know they are being abused.  At least when a presentation or demo tricks someone into believing lies, you can see who is lying to you.  In this case, dear reader, it’s possible that what you see on the screen was interfered with and you’ll have no clue about it!

Your ISP may already be doing this to you without your knowledge.  I could explain, but someone has explained it better than I could.  He has written to a company that makes the tools of abuse; you should really check it out here: http://www.ka9q.net/perfidy.html

Keep your ear to the ground and check out your ISP.

October 18th, 2008, posted by anansi

DRM = “Follow the rules get screwed in the end”

I’m back now.  Sorry for the hiatus, but I just had my first child!  (Tuesday 10/7, at 6:03p, 9lb 4oz)  Anyway, on to the blog…

I have tried very hard to avoid too much talk about DRM (digital rights management).  For those who don’t know, DRM is used by companies to prevent sharing/distributing their software without paying them for the right.  This has caused problems for users, both legitimate and illegal.

Now, I’ve worked both computer security and physical security, as well as a mix of both.  The core of the problem in both cases is that you need to make it very hard or impossible for the ‘bad guys’ to get in while making it easy for the good guys to get in.  So it comes down to telling the good and bad apart.  Unfortunately I have not seen a single DRM solution that tries to do the basic task of knowing the difference between a legal user and an illegal one.  Instead EVERYONE gets treated like they are one of the ‘bad guys’.

Now, I’m all for someone trying to protect their work, but when you treat customers like the enemy it makes no sense for business.  Unfortunately this is in essence a weak interface problem.  The people/companies don’t understand how things online work.  This is not like placing a small circuit inside a physical product so the alarm sounds when you leave the store without paying.  They REMOVE the circuit when you pay, and it does not make the product difficult to use or affect you in any way once you leave the store.  Software DRM, on the other hand, stays with the product, slows down your computer, and may even collect private information about you.

In fact, retailers are starting to resist the idea of DRM.  The UK’s largest retailer of online music has said that 3 out of 4 (75%!) customer issues are about DRM causing computer problems.  (http://arstechnica.com/news.ars/post/20070318-75-percent-customer-problems-caused-by-drm.html)

In essence DRM is about treating everyone like a criminal.  In fact it punishes the ‘good guys’ and not the bad.  If you have any knowledge at all as a ‘bad guy’, you know how to remove the DRM or find illegal sources, so only the good guys are punished.

Apple’s iTunes store has DRM and it has caused all sorts of problems.  The DRM violates the customer’s rights and there are lawsuits about it (http://p2pnet.net/story/9003).  In short, it’s as if you buy a TV and the store has the right to enter your house and turn it off if they want to, and you have no power to stop them.

This article is self explanatory: “Wal*Mart shutting down DRM server, nuking your music collection — only people who pay for music risk losing it to DRM shenanigans” (http://boingboing.net/2008/09/26/walmart-shutting-dow.html)

As I said, only the good guys end up being punished, making it in everyone’s best interest to steal/share music.  DRM = “Follow the rules, get screwed in the end”.

Dear reader, if you have any influence at all, anywhere, tell them to talk to me.  This can be done the right way to keep the ‘bad guys’ out but not hurt the good guys.  The problem comes down to the fact that a company asks for software to prevent file sharing but does not consider differentiating one person from the next.  What is really needed is new DRM that takes not only the retailer’s interests into account but also the customer’s, before every former customer does what is in their best interest and becomes a ‘criminal’.

I’ve said it before, ask the experts.  Find a person or group who understands security, business, software, and the customers then get them to give you what you need.

Take care and Good Luck.

October 17th, 2008, posted by anansi

The movie isn’t real (part 1)

I’ve mentioned demos and presentations before, but now I’m going to focus on them a bit more, as I recently had a few colleagues view this blog and they contributed their analogies and stories.  A younger, more naive version of myself once asked while preparing for a demo,

“Why are we working so hard on PowerPoint slides and pictures when the code is what matters?”

The answer was that no matter how good the actual code was, it was boring and would likely get the project killed.  One older engineer shared with me this quote: ‘A good plan with a bad presentation is doomed immediately, a bad plan with a good presentation is doomed EVENTUALLY…’ (source unknown).  I have since seen that played out over and over again.  The group with the best demo/presentation often wins, NOT the one with the best product.  Another person chimed in that since the only thing most users ever see is the graphical user interface, to them that IS the software, kinda like seeing the steering wheel of a car and thinking that IS the car: the engine, the brakes, everything!  As a guy on the ‘mechanic’ side, building the rest of the software, it was a revelation that that’s the perspective of the user and most of the decision makers.  It let me understand why people are fooled by demos and pretty pictures.

It’s like the movies, or even a good magic trick, the only difference being that in those situations you know it’s not real.  Think about what would happen if you convinced someone that the movie ‘Hackers’ was really a documentary.  Completely false impressions and ideas would be conveyed.  In the software world this is what happens at demonstrations/presentations.  Some honest people will give you a documentary of the software while others will give you a movie, but both will tell you it’s real.

The solution and my advice:
Assume you are being lied to, and get a software developer on your payroll with no stake in the project to let you know if you are seeing a real system or a clever trick.

Until next time.

September 3rd, 2008, posted by anansi

Why doesn’t this diploma work? It’s broken.

I’m back.  Sorry for the break in service, but I decided it was time to get sick, so I did.  Feeling better, and now it’s back to reporting about the Weak Interface!
(I’ll give you several posts this weekend to make it up to you.)

I like it when anyone contributes their own experiences.  A valued reader at http://www.anthonydamasco.com (check him out!) sent this.  Read and enjoy; my comments are in ‘[]’ and after.

—————

.. there are a lot of things that are messed up about our industry [which is why this blog exists].  I’ll start with telling you about tech schools that rush you through a course and then give you a certification that means nothing in the real world.

Alright, so I went to school about 5 years ago for website development.  I pretty much knew HTML and stuff because I had made a lot of websites on my own.  So I paid 15k for this 9 month course, and they told me that I would be earning college credits so that if I wanted to go to college later I could earn a degree using them.

To keep it short, the staff sucked, I constantly corrected the instructors, the courses were straight out of the Adobe guide books, and I learned absolutely nothing useful.  Oh, and no college credits (they told me my last month there).  I graduated from school and went on a few job interviews for web design, and I was pretty much laughed at when I told them where I went to school.  So I had to load trucks for UPS at night and do free web projects during the day to build a portfolio good enough to compete with people that had 4 years of school + a portfolio that they had built the entire time they went to school [We all need to be more like him; he wanted something and did what he had to do to get it.  Can you tell I’m a fan?].

Schools like Lincoln Tech, Chubb Institute, and Cittone Institute totally screwed everyone that I went to school with.  Even to this day I see fresh-out-of-tech-school web developers working at restaurants and producing really crappy work that they were told was acceptable.

One of the biggest problems with the schools is that they are always 4 years behind.  I talked to this guy who just graduated a month ago from the Chubb Institute, and he didn’t even know what “Web 2.0” meant, or SEO, not even AJAX, or that there is an ActionScript 3.0 [if you don’t know these terms you shouldn’t be in the industry].

—————

Sadly this story rings too true.  Countless hopefuls have burned money on useless schools.  The truth is, in any industry, performance matters more than credentials.  The normal idea is that you look at credentials and can infer how the person will perform.  Unfortunately, since these schools do not necessarily have to meet the academic standards that a university does, and since no matter how inept the graduates are more will still sign up, there is no real motivation to deliver value.  If you talk a big game in commercials, media, etc., enough people will mistake it for a real school and give you money.

I can’t say it enough: ask professionals.
Universities work with industry to prep students with what they need for the industry.  These schools don’t need to work with industry cuz they know how to “sell” the idea of a degree without actually producing anything.
Be careful.  Be skeptical.  Ask the pros.

Until next time.

August 14th, 2008, posted by anansi

“It’s possible I saw it on TV…”


The Star Trek problem.  Just hearing that means frustration is in my future.  It’s a term that gets kicked around in some tech circles.  On more than a few occasions a client requests that software do something impossible.  When you ask where they saw a system do what they want and they reply that they heard about it on TV, it scares me.

Dear reader, when in a position like this my first impulse is to cut the client off and have nothing to do with that particular project.  Before you even begin negotiations or dialogue about the project, you know the position of the client is outside the bounds of logic or physics.  TV is typically not a tool for education but for entertainment.  When you entertain it’s OK to ‘bend’ the truth for the sake of the story, but it’s bad when someone takes that for reality.  It’s hard to tell a client educated by science fiction that no, we do not have fully interactive AI, or a holodeck for training, or phasers, or almost any of the advanced technology you’ve seen in Star Trek.  Believe me, I wish we did; I’d be the first in line for it.  The problem is compounded by movies and other media, where they can fake it because in-depth computer knowledge is still in the hands of a relative few.  They don’t do it with well-known things, such as having 4 outs in a baseball game.  Google “movie physics” and you’ll see how movies ‘bend’ the truth.  My favorite article on the issue is http://www.cracked.com/article_15229_5-things-hollywood-thinks-computers-can-do.html

On some level I understand that technology develops so fast these days that it seems there’s a new techno miracle every day.  But there are actual limits that must be acknowledged.  When a client is unable to see these boundaries, no matter how much you tell them otherwise, then they are dealing in the realm of fiction.  This means there’s no hope of having a good working relationship.

Anything you do in the real world will fall short of their fantasies.

If you get anything from the Star Trek problem, it would be: know what’s possible before you make plans for what you want to be built for you.  At the very least the client should know that a professional probably knows what’s possible better than they do.

July 30th, 2008, posted by anansi

Not so simple


Most programmers have had the experience of a client, be it their manager or a paying customer, asking for a change outside of what was originally designed before system development started.  Of course it is often thought of as a “simple” change.  It usually starts at a demonstration or meeting with a phrase like,

    “Can’t you make it do this thing I just thought of?”

This is like asking a builder to add another bedroom after the walls are framed out.  Not always simple and in no way cheap.  Sometimes it is and sometimes not.

From my own experience I’ve seen both.  At a demo for a large project, the lead of the largest team was presenting as he knew the system best.  At various points in the demo he was asked to add or change a feature.  He deferred all the requests to the lead of the area concerned.  The problem was that not all changes are created equal.  The situation arises where the guy next to you has been asked to move a button and he says

    “No problem”

but you get asked to ADD a button that will mean new modules and algorithms must be written to perform some feat, which may mean an additional 40 hours of work.  When you say that it will require a week’s effort, you look like you’re dragging your feet.  I was not asked to change any of my software, but I saw this happen to one friend of mine.  The request came from a supervisor who insisted it shouldn’t take that long.  This is the Weak Interface in action.  The knowledgeable programmer has been asked for something and responded with his honest assessment, while the supervisor, who has never been a programmer, makes assumptions that he thinks should override the opinion of a professional.

You can imagine how it ended, but if you need closure let’s just say it was not resolved without casualties.

My advice for supervisors: listen to the guy you hired to do the job.  If you don’t trust him, why is he on your payroll?

My advice for programmers: hope you never get into this situation, or get on a new project with supervisors who know enough to trust your opinion.

July 14th, 2008, posted by anansi