Equations or Arabic, It’s All the Same.

Twitter’s abuzz with the story of an Ivy League economics prof being delayed on an airplane, because a fellow passenger spied him writing some partial differential equations. Not knowing what he was writing, she feared he might be a terrorist, and alerted the authorities. The authorities interviewed the guy, found him not guilty, and sent the plane on its way after over two hours of delay.

The press reaction is rightly outraged at the degree of stupidity and ignorance on display here — both on the side of the accuser, and on the side of the flight crew and authorities.

But amazingly, little bits of bias seem to be sneaking into otherwise well-meaning reporting.

Case in point, USA Today: Professor’s airplane math leads to flight delay, says the headline. No, no, no. It’s not the professor’s math that leads to the delay, but a bigot’s stupidity and fear of the unknown, combined with authorities who, out of an abundance of caution, deem the “foreign” guilty until proven innocent. Instead, the headline blames the professor and his equations. Yes, that headline might have been meant to be ironic — but it’s just too close for comfort.

The Washington Post certainly has the better headline writer: Ivy League economist ethnically profiled, interrogated for doing math on American Airlines flight. But then, deep in the (overall well-written) article, this gem:

That Something she’d seen had been her seatmate’s cryptic notes, scrawled in a script she didn’t recognize. Maybe it was code, or some foreign lettering, possibly the details of a plot to destroy the dozens of innocent lives aboard American Airlines Flight 3950. She may have felt it her duty to alert the authorities just to be safe. The curly-haired man was, the agent informed him politely, suspected of terrorism.

The curly-haired man laughed.

He laughed because those scribbles weren’t Arabic, or another foreign language, or even some special secret terrorist code. They were math.

Yes, math. A differential equation, to be exact.

[…]

His nosy neighbor had spied him trying to work out some properties of the model of price-setting he was about to present. Perhaps she couldn’t differentiate between differential equations and Arabic.

The author is obviously as aghast as anybody at the stupidity of what was going on; she goes on to paint the patent absurdity of the situation by finding various ways to quickly exonerate the professor in question — maybe Google him and find out who he is, how he won a prize, how he is beyond reproach. But notice how, little by little, that other concept sneaks in here? How writing maths (which really, any educated American ought to be able to recognize and accept) is somehow just a little bit different than writing Arabic? How, just maybe, the suspicion of terrorism is maybe deemed a tiny bit more justified if it were “Arabic, or another foreign language”? How, based on having written something, he’s now in need of being exonerated? How, maybe, somebody accused of doing maths on the plane without a public profile and without tenure track might take longer to be exonerated? How the story about “the paranoids are taking over, it was mathematics, not Arabic, for god’s sake” leaves that other sour taste behind?

Let’s talk about what really happened here. Somebody sat on a plane. He wrote, by all accounts quietly and peacefully. The person next to him was illiterate — or at least illiterate in the script or language he wrote. That was enough for the authorities to hold up the plane for over two hours. By itself, and whether he wrote in Russian, Greek, Arabic, Chinese, Korean, Japanese, Partial Differential Equations, abstract algebra, abstract nonsense, or even Perl or legalese, that’s an unequivocally absurd story of paranoia and bigotry. It shouldn’t matter which of those foreign or otherwise incomprehensible languages we’re discussing. The illiterate’s accusation that he was writing incomprehensibly, and therefore a terrorist, shouldn’t have passed the laughing test in the first place. The professor should never have even needed to explain or exonerate himself in the face of some authority.

To bring it to the point: The scandal here isn’t about mathematics. The scandal is that it took two hours to exonerate somebody from a suspicion of terrorism, a suspicion that was not just groundless, but based solely on the fact that they were literate, and their accuser was not.

Witch trials, anyone?

 

Home tech: B&W airplay speakers suck at wifi.

I’ve had a Bowers & Wilkins A7 each in the kitchen and the bedroom for a while. They’re fine speakers, and the MacBook does a decent job streaming to them, synchronously.

The problem: Every once in a while, the wifi seems to go haywire while streaming music, leading to the odd violent break of a couple seconds — not what you want in the middle of, say, Beethoven’s string quartet #15. Also, the speakers seemed to lose the hang of connecting to the wireless network every once in a blue moon, to the tune of having to be power cycled or even factory reset.

Turns out my reasonably modern access point is apparently to blame: Bowers & Wilkins speakers don’t play nicely with networks that aren’t just 802.11g.

Setting up an ancient access point to build a secondary wifi network that’s just for the speakers seems to have solved all those problems, though — and I can finally enjoy the music without awkward interruptions.

 

UA58: SFO to FRA in 42h

The travel experience this Christmas season has been something else: Instead of the quick direct flight that would get me into Germany on Tuesday morning, a comedy of delays and mishaps that finally got me there Wednesday afternoon. One crew, two planes, three and a half push-backs, and a crowd of passengers who were increasingly getting to know each other and the crew.

The drama started with a 30min delay “due to catering”: Half of the carts for Economy class had gone missing, and even United wouldn’t launch on a 10h flight without food for the poor folks traveling in steerage. The half hour turned into two; the food was finally delivered. Pushback!

Just a little mechanical issue, should be fixed soon, back to the gate. The mechanical problem gets fixed, “we’re about to close that door”. Alas, that’s an opportunity for some passenger to deplane. Here comes the extra hour to remove the checked baggage. The baggage door is closed, where’s the gate staff? More time flies by. Finally: Pushback!

Cheers and applause. The plane taxis, we think we’re off — alas, the flight deck crew times out, on the runway. Off to park in some corner of the taxiway. An hour later, we’re back at the gate. “They explicitly don’t know whether they’ll re-crew the plane, or whether they’re cancelling”, I text. Doors aren’t opening yet, passengers pile up in the aisle, they just want to get off the damn plane. “They’re trying to make a decision in Chicago, it’ll be 10-15min”, the pilot announces. The United app notifies me that we’ll depart at 8:19pm, or some such — then, minutes later, the flight is cancelled “due to crew rest.” Brief confusion, people deplane, queue up in the departure hall. I learn I’m going to be rebooked (along with luggage, fingers crossed) if I just go home, so that’s what I do, to an unexpected night’s sleep in my own bed. People who need accommodation are less lucky — Twitter and the rumors the next day tell stories about four or six hours more in the queue, about unrest in the departure hall, screaming fits by ground staff and passengers, and calls for airport security.

Next day, we’re back. For some reason, they didn’t push all buttons on our reservations the night before, so many of us need to check in at the airport. A check-in agent tells people to go to the Lufthansa desk for “the 3pm to Frankfurt”, there is no United 3pm. “You’re wrong. There’s a special 3pm today because we didn’t fly yesterday”, I yell from far behind. “Ooops, sorry.”

Same passengers, same plane, same crew, different flight number. There’s camaraderie: How are you doing, where did they put you up, what hotels were the parties in; the Hyatt turned off the water at 10pm; people in the lounge are boozing a little more than usual. On board, it’s “hello again” to the cabin staff — we’re all relieved that it’s finally a go. Double helpings of pre-departure champagne in business class, it’s party time and group photos on the upper deck. “We are cleared for departure.” The pilot jokes around, loud cheers. Push—

Oh wait, 30min delay due to operational reasons, says the app: Somehow, they’re only now starting to pull out the luggage that belongs to passengers who cancelled their trips or got rebooked elsewhere. “They’re telling us it’s going to take until 3:30. Having been here for 35 years, I can assure you that’s not true. It’s going to be closer to 4pm or so”, announces the pilot. Laughter — he’s good at pulling the passengers into “we’re all in this together” mode. A couple minutes later, he comes on again, more serious voice: They’ve discovered a hole in the fuselage, below the nose. The plane is not airworthy, and this can’t be repaired here and now. Crew is timing out at 6:20pm. A new aircraft and potentially new (additional?) crew will be brought in, please wait.

Back to the lounge for a coffee. I guest in the passenger ahead of me who for some reason (lack of status?) can’t get in at first, and really needs help rebooking his connecting flight to Rome. Also, why is the stub on my paper boarding pass gone? What is going on? The lounge staff (both at the door and at the reservations desk) haven’t yet heard a word, and the reservation desk lady is grumpy. While I sure hope that plane will depart, I’ve lost faith, and book a fall-back itinerary that gets me out of SFO on Virgin the next morning, and to Germany out of another US hub. I can (and later will) cancel without fee within 24h.

At the end of the day, I decide I won’t try to pull out my luggage or have UA rebook me on one of the other evening flights: Too little time to get the luggage off, over-taxed staff, and it actually looks like the new plane is materializing. Rumors there’s a new crew, so I needn’t worry about this one going illegal at 6:20pm. As I head out of the lounge, I run across the family that just wants to cancel their trip, since they were going to some remote corner in Norway that has a twice-weekly connection — which they missed.

Back on the plane, the crew’s tone has gone a little more serious: Apparently, some passengers are taking out their anger on the crew. Captain’s speaking, “I know you’re feeling frustrated and out of control. We feel the same way. This is a very senior crew, this is ruining our Christmas. If you want to vent your anger, go to page 14 of the hemisphere magazine for the guy to direct it to. Here’s his email address.” Applause from the passengers. Finally: Pushback.

We taxi, wheels up at 6:30pm to loud cheers on the plane — we were supposed to be in the air a whopping 30 hours earlier.

The trip was a study in what works and what doesn’t work at United. Unfortunately, the latter appears systemic and cultural, and the former (while some of it was outstanding) spotty and individual.

The crew — unmitigated excellence, both on the flight deck and in the cabin. The captain’s mix of humor and empathy, the way he set himself and the crew apart from the airline (“I don’t believe them”), the way he went out of his way to be transparent, the way he redirected anger at entities off the plane — all that was a textbook example of a difficult negotiation done well. The cabin crew (they must have been as exasperated as the passengers were) managed to stay calm and friendly in the middle of the turmoil, and provided a basis for that negotiation.

The overall United operation — unmitigated disaster. Overtaxed and understaffed on the ground, the constantly changing departure times and promises communicated exactly one thing to the passengers: That they couldn’t believe a word that the airline was sending on official channels. Communication seemed to be as much of a mess internally as externally, or even worse: The check-in agents who weren’t told there’s another flight full of angry passengers, the lounge lady who had no clue what’s going on, the “we’re cleared for departure” when they haven’t even unloaded the excess luggage yet, the fact that Chicago was trying to make decisions about re-crewing more than an hour after the crew had expired.

Striking, too, the hole in the nose of the plane that mysteriously materialized overnight, and went “unnoticed” until we were ready to depart. It probably wasn’t the result of a rabid squirrel attack.

Would I hesitate to fly with this crew again? No.

Do I get the feeling that this airline runs an overall operation that knows how to build safety and reliability in depth, around planning, operational excellence, open communication, and a functioning culture of any kind? Hell, no.

“Hope is not a strategy” holds, in particular in as safety-critical an environment as air travel. Unfortunately, hope is all United in-flight staff and passengers alike appear to be left with.

Doubting the Turing Test

On the phone with a US financial institution. I appeared to be talking with an agent whose natural language comprehension suggested a human being. Then this.

“To verify your identity, could you please give me your address?” — “…, San Francisco 941..” — “Sorry, I have to ask you what state that is.”

Review: David Eggers, The Circle

David Eggers’ “The Circle” comes with some praise. In it, he tries to discuss trade-offs around privacy, transparency, anonymity and autonomy.

Unfortunately, he chose to cast that attempt into the mold of a novel: Leaving assorted logic lapses aside, Eggers’ narrative style is tedious. The characters are too one-dimensional to ever elucidate the tensions around privacy and accountability; character arcs at best linear and predictable, at worst non-existent; Mae’s mostly-superficial thought processes get pages upon pages. And the shark fable is as subtle as a sledgehammer. 

Because the narrative fails, Eggers resorts to pontificating: There’s Bailey’s speech, there’s the ex boy-friend’s letter, there’s the crowd-sourced drone attack gone wrong. And Kalden (who could be an interesting character) arrives in Damascus without us ever learning about the road there.

The worst waste of time since Dan Brown.

The need to explain a newspaper.

Saturday is errand day. I was grabbing a quick lunch at a bagel place in Santa Clara, reading today’s paper, of which I still get the dead tree version each day. A boy walks up to my table, perhaps five years old, curiously tugs at the paper, and asks what it is.

Evidently, he hasn’t ever seen a printed newspaper before.

Strange future we live in, said the old man.

#IETF88: On the costs of pervasive surveillance.

Last week’s IETF meeting in Vancouver was remarkable: I do not recall another IETF meeting over the past decade that was as dominated by a single topic, as this one was by “pervasive passive attacks”: assorted governments’ seemingly successful transformation of the Internet from a globally shared civilian infrastructure into a surveillance tool directed not merely at other governments (we seem to be accepting that game, in all its silliness), but at all of us. A transformation that puts the value of the network (economic and otherwise) at risk, and that runs against the self-interest and core values of open societies.

The engineering community won’t be able to take back the network. That remains a task for the political and societal debate. But the engineering community will be able to change the cost balance of surveillance in very significant ways.

The key realization behind much of what was discussed in Vancouver, then, is about the relative cost of pervasive, passive surveillance, and of the defenses against such attacks.

In the traditional analysis, the technical ability to execute a passive attack often (not always) translates into the technical ability to execute an active one. Conversely, once you have the mechanisms in place to defend against active attacks, dealing with a passive attacker becomes pretty simple. As a result, the security community has spent much focus on mechanisms (like TLS) that defend against both. The key management requirements for defenses against active or passive attacks are rather different, however: An anonymous Diffie-Hellman key exchange (or some other similar key exchange mechanism) is enough to defend against passive attacks, and can yield perfect forward secrecy without depending on much additional infrastructure. Yet, establishing that you’re talking to the right party requires sophisticated key management and authentication infrastructures; enter PKI.

In terms of cost: Passive attacks are cheap, mostly undetectable, and seemingly low-risk. They can therefore be executed at scale. Active attacks — where communication isn’t just listened to, but actively manipulated — face a higher risk of exposure, and a much higher risk of collateral damage when executed. Defenses against passive attacks can be deployed incrementally, with very lightweight coordination between the parties. The defenses against active attacks that we have focused on in the past are comparably hard to deploy and actually use — arguably, we have failed to deploy them at Internet scale. We have ended up in a situation in which passive attacks remain possible, while we’re waiting for the defenses against active attacks to catch on in the market.

That wait is now over: It looks like the engineering community has (finally!) decided that defending against passive attacks right now is worthwhile, and this is the time to develop and deploy those defenses.

 

A hitchhiker’s guide to the HTML5 + EME maze

W3C’s work on HTML5 and the Encrypted Media Extensions specification keeps drawing criticism and controversy. I spent today attending Amelia Andersdotter’s event at the European Parliament in Brussels about HTML5 and DRM, as an interested individual member of the W3C community who doesn’t speak for anyone but myself.

The topic is fraught with controversy: The W3C Director found “Content Protection” to be in scope for the HTML Working Group; the deliverable that the group is working on under this heading is EME. The specification itself defines a reasonably simple JavaScript API that permits a Web application to hand key material to a Content Decryption Module (the actual DRM black box). The general API leaves the nature of the key material unspecified; in the general case, that’s likely to be key material that is by itself encrypted, and not accessible to the browser. The EME spec defines one very simple CDM, Clear Key, which assumes that key material is accessible to the Web application and the browser (therefore, to the user); this is the sort of not-really-DRM that will later on permit the HTML WG to demonstrate interoperability of the API without having to dive into proprietary CDMs.
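To show what "key material accessible to the Web application" means for Clear Key, here is an added example (not part of the original post) that handles the two JSON messages of the Clear Key format as the EME specification defines it: the license request listing key IDs, and the JWK Set license that the page hands back to the CDM. The function names, the key table and the sample key are constructed for the illustration.

```python
import base64
import json


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding the Clear Key messages use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def clearkey_license(request_json: str, key_table: dict) -> str:
    """Answer a Clear Key license request with a JWK Set holding the raw keys."""
    request = json.loads(request_json)
    keys = []
    for kid_text in request["kids"]:
        kid = b64url_decode(kid_text)
        if kid not in key_table:
            raise KeyError(f"no key for key ID {kid.hex()}")
        key = key_table[kid]
        if len(key) != 16:
            raise ValueError("Clear Key content keys are 128-bit AES keys")
        # "oct" marks a plain symmetric key: nothing here is wrapped or encrypted.
        keys.append({"kty": "oct", "kid": kid_text, "k": b64url(key)})
    return json.dumps({"keys": keys, "type": request.get("type", "temporary")})


def keys_readable_by_page(license_json: str) -> dict:
    """What any script (or user) holding the license can read back out of it."""
    return {
        b64url_decode(entry["kid"]): b64url_decode(entry["k"])
        for entry in json.loads(license_json)["keys"]
    }


if __name__ == "__main__":
    # Constructed sample values, not real content keys.
    kid, key = bytes(range(16)), bytes(range(16, 32))
    request = json.dumps({"kids": [b64url(kid)], "type": "temporary"})
    license_json = clearkey_license(request, {kid: key})
    print(license_json)
    print(keys_readable_by_page(license_json)[kid].hex())
```

With a proprietary CDM the same API call carries an opaque blob that only the CDM can open; with Clear Key the content key sits in the license in the clear, which is why it suits interoperability testing and not content protection.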

As far as it’s discernable today, EME has significant implementer interest; the motivation there is, of course, to use it as an interface to connect proprietary DRM systems with the Web. As with any controversy, there are plenty of confusing points to go around.

On fundamentals, some argue that content protection is, basically, the same thing as password protection for content that you buy, or a paywall, or perhaps encryption of confidential material online. That’s a false equivalence: The commercial drivers for standardization of EME are existing DRM systems — the proprietary CDMs that I mentioned above. The attacker against whom content is protected is the user (and the browser code, which could be under the user’s control); the attack is use of content in a way that isn’t explicitly authorized by the rights holder.

The DRM systems used in this context cannot be implemented in Open Source, they are typically patent encumbered, and they arguably are corrosive to the notion of putting general-purpose, modifiable computing into users’ hands. And while it is conceivable to build a watermarking-based system on top of EME, that would sound like a pretty awkward approach, and it isn’t why implementers are interested in EME.

All of that, however, doesn’t mean that EME (the interface) can’t be implemented in open source: EME, together with the ClearKey CDM that’s part of the specification, should be implementable in Open Source software, without royalty, just fine. It just doesn’t provide the protection that rights holders are after; the real deployment of EME is as an interface toward proprietary CDMs that are implemented in closed source software, and partially in hardware.

Some proponents of EME try to make it palatable by pointing out that, just maybe, it could help users protect the privacy of their personal information online — we heard that argument today. That doesn’t sound like it’s very plausible: EME is a pass-through API for browser implementation, tightly coupled to inline media elements in HTML. The basic model is actually very simple. Now, it is true that some in the privacy community have looked at policy enforcement using trusted computing mechanisms. But it doesn’t look like EME specifically, or the CDMs it interfaces with, are even in the same ballpark. I respectfully suggest that we just drop that part of the conversation and focus on the actual reasons for deploying EME.

Another argument that is frequently made is that, because EME is made part of a core Web technology (HTML5), “browsers do not have a choice.” That isn’t exactly true, either: EME is a separate spec from HTML5. The two documents can go to W3C Recommendation (or not) independently of each other. Just because somebody says they implement HTML5, that doesn’t mean they have to implement EME. That debate, however, is ultimately a debate about words, not about substance: The deployment driver is the desire to provide playback of DRMed video content, not the exact nature of the API spec, and how it is split across different documents.

The real focus of the discussion, then, ought to be on the merits (or not) of what EME actually is: A carefully scoped interoperability layer on top of existing, proprietary DRM systems, to enable the designers of Web applications (think youtube, think netflix) to pass key material to these CDMs in a way that’s interoperable across multiple browsers. That abstraction layer doesn’t “do” DRM; it can probably be implemented in open source software without royalty; but it isn’t very useful unless we end up in a world with a few widely implemented CDMs that ship with browsers across different platforms, and for which “protected” content on the Web is encoded.

Some of the questions to ask in this context: If EME is successfully standardized by W3C and broadly deployed by browsers — is that, by itself, an improvement over a future in which either of these (standardization, deployment) doesn’t happen? What would other plausible futures for EME or, more generally, for DRMed content sold today even look like? By what criteria would we evaluate those? What’s the impact of these futures on large content providers, small content providers, browser vendors, and innovation for the network?

How does that reasoning change if we assume either of EME being the end of DRM integration into the web platform, or EME being the beginning of DRM integration into the web platform? And which of these is more likely?

What is the weight that we might assign to “goodies” that could come with EME? For example, open APIs further down in the stack (between CDM and browser), or additional transparency into the DRM that gets deployed on the Web? And what is the weight that we might assign to side effects of DRM deployment through EME — such as, perhaps, additional privacy concerns, and serious accessibility issues?

Finally, what does this entire discussion say about the governance model that we collectively want to apply to Web standards — how do we collectively reconcile between W3C as a member-driven organization, its accountability to the broader public, and its stewardship role for the Web?

Technologists and the values of the surveillance state.

Along with yesterday’s revelations, Bruce Schneier writes in the Guardian:

Again, the politics of this is a bigger task than the engineering, but the engineering is critical. We need to demand that real technologists be involved in any key government decision making on these issues. We’ve had enough of lawyers and politicians not fully understanding technology; we need technologists at the table when we build tech policy.

What Schneier is getting at is, of course, important: Policy-makers need to understand the technology they’re messing around with, and they need to understand the impact of their decisions. Technologists might be able to help them understand those points.

But that is too short-sighted: If anything, we’re seeing over and over again that the NSA, and plenty of policy-makers, understand the possibilities of a global network perfectly well — and have learned to wield their resources to turn it into a global instrument of surveillance. With an estimated three billion users of the global Internet (four billion to go, though), the surveillance debate has long transcended the world of just us technologists. And with an estimated three billion users of the global Internet, the notion that technologists can simply “take back the network” tastes of techno-idealism and techno-elitism — however much, as somebody working on Internet and Web technology, I might like that idea.

The conflict that we’re living through now is more fundamental. It is about the vision we have of a networked society.

In the vision that many of us have been working towards (and that is, in various ways, at the intellectual roots of the Internet), we get the benefits of increasingly seamless communication and collaboration, we get exposure to other views, we have the knowledge and tools available that make us more creative and more productive, that bring us closer to other human beings, and improve our understanding of each other. In this vision, the network turns our society into a better one. In this vision, we can have trust in the network. In this vision, we can use the network to communicate with our loved ones. In this vision, we can trust the network with our private life and personal secrets. Geopolitically, this Internet is a network that (as a very smart man once put it) serves as a powerful projection of Western values and a civil society across the world. This is for everyone.

We are learning this summer that the network that we have actually built has become a Trojan horse, inspired by a dark and dystopian view of humanity: The dangerous species homo sapiens cannot be trusted with fast, private, perhaps anonymous communication at scale. Communication (a fundamental piece of what makes us human!) needs to be domesticated, for feral communication (and humanity) bears uncontrollable risks.

We are learning this summer that the hidden domestication of communications technology hasn’t just taken the form of attacks on crypto systems or endpoints or network hardware (all of which we would expect): Instead, what we see is an assertion of the primacy of surveillance in the design, deployment, and operation of Internet technologies at global scale, at the expense of the security and privacy of their civilian users.

The crossroads that policy-makers are at is less about understanding technology: It is about understanding that the design of technology is never simply value-neutral. It is about choosing the values that we embed into the technology we build and deploy.

Are these still the values of an open society? Or are they the values of the oppressive surveillance state?

Keep running

One of my favorite runs in the world is the loop along the Charles River between Boston and Cambridge — connecting MIT, Harvard, BU, and Back Bay, if you run the long version. That’s but a few blocks away from where yesterday’s attack happened.

I’ve never run the Boston Marathon. During the day, I was joking with a friend there about who was how far from qualifying. I didn’t quite say “there’s a challenge to compete on, let’s run it next year”, mostly because I didn’t think I’d be in shape to make that challenge — I’ve never actually run a marathon, and the few half marathons I’ve done were well above 2h. No way I’d qualify.

A few hours later, the news hit Twitter.

We quickly established that some MIT-based colleagues who had been helping with the communication infrastructure around the run were taken care of. A former colleague who used to run the marathon wasn’t in town this year. That was good news. And then, the fog of terror: Was a fire at the JFK library related? (didn’t seem so) Had more bombs been found, or not (none found)? Had the cell phone networks been shut down? (probably not, also: probably a bad idea) Classical media didn’t do much better than the social media rumor mill. Some news sites were down, given all the traffic.

On the day after, the news is full of security taking over, and full of reactions and worries around the world. How can we make sports events secure?

And there is that urge to say something, anything, when one really doesn’t have anything to say — for example, this blog post.

Bruce Schneier has it right: keep calm and carry on. We mustn’t let fear take over public spaces, or our thinking.

Here’s hoping that, next year, the Boston Marathon will be even harder to get into, because more people will want to run it.