May 31, 2013

Die Passwords! Die!

In one form or another -- verbal, written, typed, semaphored, grunted, and more -- passwords broadly defined have been part of our cultures pretty much since the dawn of humans at least. Whether an 18 character mixed-case password replete with unusual symbols, or the limb-twisting motions of a secret handshake, we've always needed means for authentication and identity verification, and we've long used the concept of a communicable "secret" of some kind to fill this need.

As we plow our way ever deeper into the 21st century, it is notable that most of our Internet and other computer-based systems still depend on the basic password motif for access control. And despite sometimes herculean efforts to keep password-based environments viable, it's all too clear that we're rapidly reaching the end of the road for this venerable mechanism.

That this was eventually inevitable has long been clear, but recent events seem to be piling up and pointing at a more rapid degeneration of password security than many observers had anticipated, and this is taking us quickly into the most complex realms of identity and privacy.

Advances in mathematical techniques, parallel processing, and particularly in the computational power available to password crackers (now often using very high speed graphics processing units to do the number crunching) are undermining long held assumptions about the safety of passwords of any given length or complexity, and rendering even hashed password files increasingly vulnerable to successful attacks. If a single configuration error allows such files to fall into the wrong hands, even the use of more advanced password hashing algorithms is no guarantee of protection against the march of computational power and techniques that may decimate them in the future.

What seems like an almost daily series of high profile password breaches has triggered something of a stampede to finally implement multiple-factor authentication systems of various kinds, which are usually a notch below even more secure systems that use a new password for every login attempt (that is, OTP - One-Time Password systems, which usually depend on a hardware device or smartphone app to generate disposable passwords).

As you'd imagine, the ultimate security of what we might call these "enhanced password" environments depends greatly on the quality of their implementations and maintenance. A well designed multiple factor system can do a lot of good, but a poorly built and vulnerable one can give users a false sense of security that is actually even more dangerous than a basic password system alone.
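An added example, not part of the original post: a minimal time-based OTP generator (the RFC 4226 / RFC 6238 construction that such hardware devices and smartphone apps commonly use) paired with a verifier that shows the implementation details that separate a sound deployment from a weak one: constant-time comparison, a bounded clock-drift window, rejection of a code that has already been used, and a failure limit. The class name, parameters and lockout policy are assumptions chosen for illustration; the secret is the published RFC test key, not a real credential.

```python
import hashlib
import hmac
import struct

# RFC 4226 appendix test key (public test vector, not a real secret).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of time steps since the epoch."""
    return hotp(secret, int(now) // step, digits)


class TotpVerifier:
    """Server-side check for one user's codes (hypothetical class for this example)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 drift_steps: int = 1, max_failures: int = 5):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift_steps = drift_steps      # tolerate +/- this many steps of clock skew
        self.max_failures = max_failures    # guessing budget before lockout
        self.last_used_counter = -1         # highest time step already accepted
        self.failures = 0

    def verify(self, submitted: str, now: float) -> bool:
        # A six-digit code has only a million values; without a failure
        # limit it can simply be guessed. A real system would also need a
        # reset or time-based unlock path, omitted here.
        if self.failures >= self.max_failures:
            return False

        current = int(now) // self.step
        matched = None
        for counter in range(current - self.drift_steps,
                             current + self.drift_steps + 1):
            if counter < 0:
                continue
            expected = hotp(self.secret, counter, self.digits)
            # Constant-time comparison; check every candidate, do not exit early.
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                matched = counter

        # "One-time" only holds if the server remembers what it accepted:
        # a code observed in transit must not work a second time.
        if matched is None or matched <= self.last_used_counter:
            self.failures += 1
            return False

        self.last_used_counter = matched
        self.failures = 0
        return True


def demo() -> dict:
    """Run the verifier over a constructed sequence of login attempts."""
    verifier = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, now=59)             # time step 1
    first = verifier.verify(code, now=59)            # accepted
    replay = verifier.verify(code, now=61)           # same code again: rejected
    fresh = verifier.verify(totp(RFC_TEST_SECRET, now=61), now=61)  # next step: accepted

    locked = TotpVerifier(RFC_TEST_SECRET, max_failures=3)
    for _ in range(3):
        locked.verify("000000", now=59)              # wrong guesses use up the budget
    after_lockout = locked.verify(code, now=59)      # even the right code is refused
    return {"code": code, "first": first, "replay": replay,
            "fresh": fresh, "after_lockout": after_lockout}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Removing either the `last_used_counter` check or the failure limit leaves a verifier that still appears to work in normal use, which is the false sense of security described above.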

Given all this, it's understandable that attention has now turned toward more advanced methodologies that -- we hope -- will be less vulnerable than any typical password-based regimes.

There are numerous issues. Ideally, you don't want folks routinely using passwords at all in the conventional sense. Even relatively strong passwords become especially problematic when they're used on multiple systems -- a very common practice. The old adage of the weakest link in the chain holds true here as well. And the less said about weak passwords the better (such as "12345" -- the kind of password, as noted in Mel Brooks' film "Spaceballs" -- that "an idiot would have on his luggage") -- or worse.

So, much focus now is on "federated" authentication systems, such as OAuth and others.

At first glance, the concept appears simple enough. Rather than logging in separately to every site, you authenticate to a single site that then (with your permission) shares your credentials via "tokens" that represent your desired and permitted access levels. Those other sites never learn your password per se, they only see your tokens, which can be revoked on demand. For example, if you use Google+, you can choose to use your Google+ credentials to access various other cooperating sites. An expanding variety of other similar environments are also in various stages of availability.

This is a significant advance. But if you're still using simple passwords for access to a federated authentication system, many of the same old vulnerabilities may still be in play. Someone gaining illicit access to your federated identity may then have access to all associated systems. This strongly suggests that when using federated login environments you should always use the strongest currently available practical protections -- like multiple-factor authentication.

All that being said, it's clear that the foreseeable future of authentication will appropriately depend heavily on federated environments of one form or another, so a strong focus there is utterly reasonable.

Given that the point of access to a federated authentication system is so crucial, much work is in progress to eliminate passwords entirely at this level, or to at least associate them with additional physical means of verification.

An obvious approach to this is biometrics -- fingerprints, iris scans, and an array of other bodily metrics. However, since biometric identifiers are so associated with law enforcement, cannot be transferred to another individual in cases of emergency, and are unable to be changed if compromised, the biometric approach alone may not be widely acceptable for mass adoption outside of specialized, relatively high-security environments.

Wearable devices may represent a much more acceptable compromise for many more persons. They could be transferred to another individual when necessary (and stolen as well, but means to render them impotent in that circumstance are fairly straightforward).

A plethora of possibilities exist in this realm -- electronically enabled watches, bracelets, rings, temporary tattoos, even swallowable pills -- to name but a few. Sound like science-fiction? Nope, all of these already exist or are in active development.

Naturally, such methods are useless unless the specific hardware capabilities to receive their authentication signals are also present, when and where you need them, so these devices probably will not be in particularly widespread use for the very short term at least. But it's certainly possible to visualize them being sold along with a receiver unit that could be plugged into existing equipment. As always, price will be a crucial factor in adoption rates.

Yet while the wearable side of the authentication equation has the coolness factor, the truth is that it's behind the scenes where the really tough challenges and the most seriously important related policy and engineering questions reside.

No matter the chosen methods of authentication -- typed, worn, or swallowed -- one of the most challenging areas is how to appropriately design, deploy, and operate the underlying systems. It is incumbent on us to create powerful federated authentication environments in ways that give users trustworthy control over how their identity credentials are managed and shared, what capabilities they wish to provide in specific environments, how these factors interact with complex privacy parameters, and a whole host of associated questions, including how to provide for pseudonymous and anonymous activities where appropriate.

Not only do we need to understand the basic topology of these questions and develop policies that represent reasonable answers, we must actually build and deploy such systems in secure and reliable ways, often at enormous scale by historical standards. It's a fascinating area, and there is a tremendous amount of thinking and work ongoing toward these goals -- but in many ways we're only just at the beginning. Interesting times.

One thing is pretty much certain, however. Passwords as we've traditionally known them are on the way out. They are doomed. The sooner we're rid of them, the better off we're all going to be.

Especially if your password is "12345" ...


Posted by Lauren at 11:45 AM | Permalink
Twitter: @laurenweinstein
Google+: Lauren Weinstein

May 24, 2013

USA Intellectual Property Theft Commission Recommends Malware!

Oh boy. The "Commission on the Theft of American Intellectual Property" has released its long awaited report, and it's 90 or so pages of doom, gloom, and the bizarre -- including one section that had me almost literally doing a "spit-take" onto my screens while sipping my morning coffee.

I'm not going to try to critique the entire report here and now. As you'd expect, it presents a dire scenario of intellectual property theft run amok, and while offering only a few words of lip service to the grossly flawed measurement methodologies that vastly overstate dollar losses in various sectors, the report instead suggests that those exaggerations are actually understatements -- that the problem is far, far worse than we ever imagined. Oh, the horror. The horror.

But we expected this sort of skew to massively hyperbolize the underlying actual problems of IP theft.

What you may not have expected, however, is that the authors of this report appear to have been smoking "funny cigarettes" during its drafting. OK, we don't know this for a fact, but it's otherwise difficult to wrap your mind around this specific proposal in the "cyber" section of the report:

"Additionally, software can be written that will allow only authorized users to open files containing valuable information. If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user's computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account. Such measures do not violate existing laws on the use of the Internet, yet they serve to blunt attacks and stabilize a cyber incident to provide both time and evidence for law enforcement to become involved."

Booooing! Say what? Is this the parody section of the report? Something from "The Onion" or perhaps a "Saturday Night Live" skit?

I'm afraid they're serious. And what they're proposing is no less than the legitimizing of a form of malware that has attacked vast numbers of Internet users, costing them immense lost time, money, and grief.

You may have been unlucky enough to see this for yourself. It comes in various forms, but generally it claims to be a law enforcement warning (often saying it's from the FBI). It accuses you of having some kind of "illicit" material (usually a copyright violation and/or porn) on your system, and demands that you contact an address for "more information" -- or even that you make immediate payment of a "fine" to release your computer. Your webcam may even be surreptitiously used to include your photo to further confuse and upset you.

Of course, this is all a scam. If you go to that address, you'll likely download more malware, or be directed to provide credit card or bank account info to pay for your "violation" of law. Even if you pay, you have no assurance that this malware will go away. Even if it does seem to release you, it may hang around in the background sucking up your private information, bank account access data, and who knows what else.

Consumers attacked by this class of malware have spent enormous sums to get it actually cleaned out, and very many have been directly defrauded by it as well. And of course, these systems can't be used for anything else while the malware is actively threatening you.

So now we have the IP Commission suggesting that firms be allowed to use basically this same technique -- pop up on someone's computer because you *believe* they've stolen something from you, terrify them with law enforcement threats, and lock them out of their (possibly crucial) data and applications as well.

What the hell are these guys thinking? Outside of the enormous collateral damage this sort of "permitted malware" regime could do to innocents -- how would the average user be able to tell the difference between this class of malware and the fraudulent variety that is currently a scourge across the Net?

What's more, how can it possibly be justified to lock users out of their systems on this sort of unilateral basis? How much "theft" -- even when it actually occurred -- is enough to justify locking someone out of their private applications and data, some of which may be absolutely necessary to their daily lives?

I could get into a lot of technical details about this, but we can just cut to the chase for now: the whole concept is utterly insane, and frankly calls into question the competency of the commission in general.

With our own commissions coming up with idiotic, dangerous nonsense like this, we may have more to worry about from their kind of thinking than from the "cyber-crooks" themselves.

And that's really, seriously, scary.


Posted by Lauren at 10:50 AM | Permalink

May 23, 2013

For Shame: The Internet Cruelty Machine Torments GIF Inventor

I've never been quite sure what it is about the Net that tends to bring out, amplify, and exacerbate the cruel, infantile, and snarky side of so many people, including persons who really, seriously should know better.

Perhaps they get caught up in the moment like a rioting crowd, and the degrees of separation from "real life" -- allowing the easy spouting of bile that most of them would never do in person -- are also in play.

But none of this is any excuse for acting like a jerk.

Case in point, the rampant, mean-spirited attacks now being widely deployed against Steve Wilhite, who created the omnipresent "GIF" graphics format in 1987 while at CompuServe. Still widely used for conventional photos even in the face of more recent formats, it is the backbone of repeating animated image displays, from funny cats to serious diagrams.

A couple of days ago Steve -- who suffered a stroke in 2000 and now primarily communicates using email over the Net itself -- accepted a well-deserved lifetime achievement "Webby" award.

In the course of subsequent discussion, he noted his long-standing belief that GIF -- a term we must remember he invented -- should be pronounced with a soft G rather than a hard G -- not the first time this issue has arisen by any means.

Immediately, the Web pounced in ridicule, with satirical articles, obscene comments, and even a video that its producer claims is in fun but just comes off crude and cruel -- like pulling wings off insects.

As it happens, I've always pronounced GIF with a hard G -- not Steve's pronunciation. I always figured that since the G stood for Graphics, the hard G made the most sense. And I'm not going to change that now.

But for the love of the Net and basic human decency, can't we give the man an award -- someone who provided us with a tool that has become part and parcel of the Web -- without tormenting him afterwards like children during recess torturing another kid about the pronunciation of his name?

As the creator of GIF, Steve Wilhite outranks us all when it comes to what he feels is the "official" pronunciation. But you and I can still pronounce GIF any way we choose, and we can do so without behaving like asses.

Consider growing up just a little bit, people, please.


Posted by Lauren at 12:58 PM | Permalink

May 20, 2013

Yahoo's Big Tumble Into Big Porn, Big Sleaze, and Perhaps, Big Trouble

By now you've likely heard that Tumblr is selling itself to Yahoo for just over a billion bucks in cash. Oh wait, excuse me, that's Tumblr. -- officially, there's a period after Tumblr, a flourish added to the current vogue of purpsly drpping leters frm yor nme.

Yahoo wants to be "cool" again -- young, hip, bad, fresh, sick, tight -- or whatever your favorite current euphemism for youth monetization might be.

In furtherance of this worthy end, Yahoo will be providing Tumblr's (insert the periods yourself if you must) 26-year-old, high school dropout founder with a payday of something on the order of a quarter of a billion dollars -- and each Tumblr employee something like a paltry six meg each.

To which I say -- more power to them! Man, if you can get it, take it! While it appears that P.T. Barnum never actually uttered the phrase usually attributed to him -- concerning the birth rate of suckers -- it's true nonetheless.

In the last couple of days, I've realized that a surprising number of folks have either never heard of Tumblr, or purport to know virtually nothing about its content and user policies. The old echo chamber strikes again -- it's easy for us to forget that not everyone spends their days thinking about the Net.

The fact is that Tumblr brings to Yahoo a rather fascinating dilemma. It would be unfair to call Tumblr a sleaze site per se -- because they do host a wide variety of utterly un-sleazy materials posted by their freewheeling users on a virtually endless series of "microblogs."

But, truth be told, Tumblr is also an almost bottomless pit of seamy, gross, and in some cases borderline illicit postings of all sorts.

The topic range in these particular categories is both broad and deep, and of the sort to make your creepy Uncle Ernie both pant and vomit with joy.

We're not talking here simply about happy adult pornography, but bestiality, self-mutilation, racism, anorexia fan sites, near c-porn, and so, so much more.

Certainly it's true that other major sites are not necessarily entirely devoid of such goodies. But the Tumblr terms of use have tended to either implicitly or explicitly condone -- and so attract -- this sort of content.

Which brings us back to Yahoo.

I'm a first amendment, free speech guy, and so my concern in this context is not with that Tumblr content itself -- however disgusting I personally find much of it to be. Like I say all the time, censorship on the Internet doesn't work and just makes things worse -- don't even try it.

But seeming corporate hypocrisy related to a billion dollar acquisition really bugs me.

Yahoo is claiming that it's going to be "hands off" Tumblr -- that (at least for now) Tumblr will operate separately with no changes to their usage terms.

"Tumblr and Yahoo will be independent," said Yahoo today -- on the same day they moved (with considerable fanfare) the Yahoo official blog to a address. Hmm.

But sooner or later, Yahoo is going to want to monetize the Tumblr throngs, and therein awaits the advertising trap.

Pretty much the worst thing that could happen to most major advertisers is to have their products pitched in conjunction with serious sleaze, especially in this age of flash boycotts.

What to do? Well, obviously Yahoo will be pushing for Tumblr users to be rigorous about accurately labeling their sites -- e.g. as "Not Safe For Pretty Much Anyone" -- but just like right now, many users will ignore this, and likely others will begin purposely mislabeling as a form of protest against Yahoo's takeover.

Algorithms can try to ferret out some of this automatically -- "Running Procedure sicko_seek-pns49300A.3" -- but a lot will still slip through, so to speak.

All told, it's almost impossible to visualize anything beyond a relatively near-term future where the existing full content range on Tumblr will be tolerable to Yahoo.

My guess is that Yahoo will be subtly working to drive out those "troublesome" aspects of the Tumblr user base over time -- one way or another -- ideally before the first big public blowup in the "Yahoo era" over Tumblr content.

This won't happen overnight. It's in Yahoo's interests right now to try to make Tumblr users of all stripes feel that they're wanted, valued, and cherished. Welcome to the joyful embrace of Yahoo!

But if I were a Tumblr user with content that was, shall we say, considerably divergent from the mainstream, I'd be starting to look around right now for a different place to host my stuff, and some new URLs to forward over to good ol' Uncle Ernie.


Posted by Lauren at 05:09 PM | Permalink

May 19, 2013

Attack of the Google Snarkers

I hadn't planned on writing anything about this, but watching the continuing stream of obnoxious snarking -- both in blogs and some mainstream media -- following Larry Page's appearance at the end of Wednesday's "Google I/O" keynote, my irritation level has risen to the point where some comment seems apropos.

Let's get the disclaimer out of the way. I've never met Larry. I am currently consulting to Google. Everything I say here represents my thoughts only, and any blame for them should be attributed to me alone. OK, let's move on.

Regular readers know that I am not a fan of snark in general. In fact, snarky comments are one of the easiest ways to get bounced from my Google+ threads. As far as I'm concerned, they're almost always cheap shots aimed at minimizing real issues, to try to get a quick "gee, ain't I clever" laugh. Some folks love that stuff. That's their choice, of course. Personally, I feel they usually detract from serious and useful discussion.

I dare say I wasn't the only one surprised when Larry walked on stage Wednesday. There was no obvious reason why he had to do that, not to mention his extended Q&A with the audience.

In the wake of this, we've seen pundits and writers attempting to characterize his remarks in a variety of snarky ways. I'm not going to provide those venues with link juice here.

And in fact, that kind of snarking is painfully representative of the kinds of attitudes that have driven our political system into toxic paralysis, making it so difficult for so many creative people to ponder the big questions, to consider the tough "what ifs?," without being mercilessly attacked by the champions of the status quo.

My interpretation of Larry's remarks is that he wasn't revealing a specific business plan, he was exploring a *philosophy* bigger than the limitations and constraints that encumber us today -- not just at the nexus of government vs. technology but in many other ways as well.

It is *incredibly* important that such thinking be encouraged, not attacked or ridiculed.

To ponder what could be achieved with different legal constraints than exist today is both valid and valuable, because we don't live in a static world at all -- much as some people would prefer as little change as possible.

Well within the lifetimes of many of you reading this, it was *illicit* to plug your own equipment -- even the simplest of phones -- into a telephone line. This seems inconceivable today, but imagine if nobody back then had pondered the question of what might be accomplished if we could legally hook our own data and other devices to the telephone network. Very likely, the Internet as we know it today might not exist at all.

Google is large and influential, and there are many venues for reasoned discussion about Google-related issues.

But snarking -- especially aimed at an individual like Larry who voluntarily chose to share some personal and philosophical thoughts very much worth pondering -- yes, especially the snarking we've heard over the last few days, is counterproductive, disgraceful, and -- to the detriment of us all -- very much calculated to discourage honest consideration of our complex and mutable futures.

The purveyors of such poison should not only be shunned, but should be utterly ashamed of themselves.


Posted by Lauren at 08:56 AM | Permalink

May 11, 2013

May 09, 2013

A 3D-Printed Gun Meets the Streisand Effect

Regular readers here and in other venues will know by now that I am a very strong supporter of gun control legislation (now more popularly called "gun safety" regulation for political correctness). Not only that, I consider the NRA and its minions inside and outside of government to be directly responsible for millions of innocent deaths at the bidding of their gun merchant supporters. And that's just for starters.

But even I can recognize bogosity when I see it.

By now you've probably heard about the downloadable plans for printing a plastic gun on a (currently fairly expensive, but cheaper they will continue to become) 3D printer.

After the simple gun was determined to essentially function as designed, the plans were posted to the Web a couple of days ago.

Today comes word that, reportedly, the U.S. State Department has asked the plans' distributor to remove them from the Net, while legal issues are being explored.

The parties involved have apparently complied.

But over 100K copies of those plans had already been downloaded.

You know where this is going.

The very act of attempting to bottle up this data has drawn far more attention to the plans themselves than would otherwise likely have been the case -- a textbook definition of the so-called "Streisand Effect" in action, a phenomenon we've discussed here many times in the past.

And of course, the plans themselves are still trivially available.

I found them -- intact and complete -- on a mirror site within 30 seconds, using an obvious three word search query, just a few minutes ago.

Outside of the just plain uselessness of trying to block such information after it has already been published -- how many times must this truism be repeated? -- there are a couple of other obvious ironies in play.

One is that just as attempts to censor the Net will almost always be ultimately futile (but still potentially very damaging to individuals or organizations caught up in those attempts), trying to control 3D printing is almost certainly going to be equally (if not even more) futile in the long run.

And the other irony? Who the hell needs to print a gun when the NRA and its ilk have made it trivial for pretty much anyone, including the mentally ill, people on the no-fly terrorism watch list, and basically anyone else not carting around pressure-cooker bombs (and maybe them too), to easily and legally purchase cheap, powerful, much more effective weapons with a nod and a wink at any gun show -- no background checks usually required!

So all around, from every angle, this whole story only serves to demonstrate the depth of society's confusion regarding the Internet, 3D printing, and guns.

To paraphrase the inestimable "Firesign Theatre" -- I'm afraid we may all be bozos on this bus.


Posted by Lauren at 05:40 PM | Permalink

Obama and Others: When "Transparency" Becomes a Wolf in Sheep's Clothing

When you're basically a techie who thinks a lot about policy -- as I am -- there's a natural tendency to approach issues specifically and individually, like bugs to be stamped out of complex program code.

Frankly, it's also easier to write that way, to focus on individual issues rather than broader, often conflicting concepts -- that can be far more difficult to paint into an intelligible portrait of words.

But the old platitudes and idioms like "not seeing the forest for the trees" or "connecting the dots" exist for a reason. Sometimes you do need to take the "long view" -- both in space and time -- to really understand what's going on, and how we're likely to be impacted.

I was reminded of this today, as I noted all the excitement around the Net over the Obama administration's announcement of a "government open data" initiative, to help make previously unavailable or hard to access data broadly available to the public to "Enhance Government Efficiency and Fuel Economic Growth" -- as the White House press release puts it.

This is certainly a welcome development in government transparency, well deserving of praise. The excitement is understandable.

And yet ...

Over the last few days there have been other reminders relating to this administration -- paralleling distressing events in Europe and elsewhere -- that remind us how "transparency" can be a nightmarish technological trap as well, depending upon how "transparency" is defined, and who is defining it.

For it's the same Obama administration pushing for "open government data" that is also pushing for a vast expansion of FBI access to our telecommunications and other personal data.

The reported scope of this thrust is both deep and wide. Demands that Internet services provide "real-time" wiretapping facilities -- ironic for an administration pushing cybersecurity, given that such mechanisms actually weaken security by providing new avenues for black hat hacking.

And this is the same administration that is actively fighting to maintain the intolerable legal structure under which warrantless access to our centrally stored email and other data has become such a travesty, threatening consumer confidence in the very cloud-based services that are a crucial aspect of our modern Internet environment.

It appears that President Obama doesn't only ostensibly want government to be transparent to us, but also that everything we write or say on the phone or Internet should be "transparent" to government as well.

That's a rather Faustian sort of bargain that I suspect most of us didn't know we were signing up for, so to speak.

To be sure, this isn't a mindset restricted to Obama, or one political party, or even the USA.

Over in Europe (and elsewhere) a similar "wolf in sheep's clothing" hypocrisy has also taken hold in governments, in dimensions ranging from censorship to surveillance.

In the EU, demands for massive law enforcement inspired, government-mandated consumer data retention regimes have become common, at the same time that dangerous, Orwellian concepts like "the right to be forgotten" and micromanaged censorship of search results are frequently promoted by regulators and other officials.

Meanwhile, we see a fetishistic focus on harmless Web cookies and anonymous ad personalization systems that have hurt nobody, while government demands for politically expedient censorship (doomed to ultimate failure, but still intensely harassing and treacherous) continue to intensify.

Some of these specific hypocrisies are also beginning to show up here in the U.S. as well.

It is almost a given that governments -- going back to the dawn of human civilization -- will rarely be able to resist the urge to try to entice us with shiny baubles with one hand, while eviscerating our liberties with the other.

You don't even need to invoke concepts like "evil" to understand this. More often than not, these leaders genuinely feel that they're doing this for our own good, to protect all the "little people" who just don't understand what we really need.

Given that this is pretty much the historical status quo, you may feel comfortable with this state of affairs, or at least resigned to it.

That would be an unfortunate attitude in the extreme, for all of us.

Because the Internet, with its inherent ability to allow us to communicate directly and instantly between individuals, countries, and cultures in a manner never before imagined, does provide us with enormously powerful tools and capabilities unavailable to citizenries of the past.

This is why, not at all coincidentally, so many governments around the globe are trying so very hard to control the Net, to shape it to their own image -- a task fortunately made very difficult by the Internet's fundamental design philosophy.

But that technological genius will be of comparatively little use to us if we don't avail ourselves of it, and especially if we don't "connect the dots" and "see the forest for the trees" in terms of the issues where the Internet's communications power can be brought productively to bear, especially when governmental hypocrisies are involved.

Governments will keep trying to entice us with their baubles, but the Internet is the very foundation of our rights and freedoms for the future -- most especially for the "little people" like us.


Posted by Lauren at 10:41 AM | Permalink

May 08, 2013

Search Like a Spook! - NSA's Guide to Web Research!

Search Like a Spook! - NSA's Guide to Web Research! Just declassified! Not a joke! How to "hack" search engines like a government agent!

Seriously, this 600+ page PDF, which NSA just released under a FOIA request, is 100% legit. I downloaded it myself from NSA, and am providing this local copy as a public service. It's over 40MB, so please be patient.



Posted by Lauren at 01:17 PM | Permalink

May 06, 2013

Adobe Gives the Little Guys the Finger

You may have heard by now that Adobe, long-time manufacturer of Photoshop and related software products, has finally brought out the big hammer, and smashed it down firmly on the heads of individuals and small businesses.

What? You haven't heard this?

Perhaps you heard that Adobe is switching to an "Internet always required, subscription only" model for their "Creative Suite" products. If you've seen those articles today, you probably saw business writers waxing poetic over what a wonderful move this is by (and for) Adobe. These same authors are generally implying that it's a great deal for users, too.

And it is -- if you're willing to let Adobe weld a ring and chain to your nose (and wallet).

The clue to this seeming paradox is revealed if you look at the reader comments on most of these articles, which (at least so far) seem to be overwhelmingly negative.

How could this be? After all, these have always been premium software products, why should anyone get bent out of shape by their move to a subscription model and requiring the Net for use?

The devil, as always, is in the details.

There are some applications that naturally benefit greatly from a move to "the cloud" in various contexts, especially when staying up to the minute with security fixes is involved.

Email and document collaboration are two obvious examples, with Microsoft trying to play catch-up with Google in this context.

And even then, pricing matters -- a lot.

Basic Google services are free. The business version of Google Apps is $5/user/month (a bit less on an annual basis).

But Adobe is aiming for much bigger bucks -- their pricing schedule shows monthly fees up to an order of magnitude higher than that $5, or even much more.

Now, obviously Photoshop has a very different feature set than Google Docs.

And Adobe's prices have always been of the premium variety, even as increasingly powerful Open Source tools (like GIMP, for example) have become very widely available.

For larger businesses for whom cost isn't much of an object, it's (as the old saying goes) six of one or half a dozen of the other whether they're on a subscription model with Adobe or not. They're likely pretty much locked-in anyway for logistical and workflow reasons if nothing else.

But if you're like an awful lot of people and smaller businesses I know, you've justified the premium price of Adobe Creative software products on the basis that you simply didn't need to upgrade them all that often for the features you need.

Perhaps you skipped every other upgrade cycle, or upgraded even less frequently, and have been quite happy anyway.

Well, Adobe isn't happy with you. They want you to be upgraded at all times at those premium prices, no ifs, ands, or buts. And not only are you forced to pay premium prices, if you ever stop paying, you're left with ... nothing. You don't even have an older version that suited you just fine to run any more. Poof!

Adobe claims their pricing offers an "inexpensive" way into their Creative world (hey, even pay without an annual commitment if you're willing to hand over a lot more cash -- not a small increment, mind you).

But this is the oldest game in the book, evolved to a fine art by generations of used car salesmen. Hook in the suckers by concentrating only on the monthly fee, and by all means don't let them think about how those will be adding up over the months and years.

Again, we're not talking $5 a month here. We're talking much higher amounts.

It seems obvious that part of Adobe's plan (in addition to the added anti-piracy, forced connectivity aspects) is to cull the herd of those "unproductive ingrates" -- the customers who simply refused to upgrade every cycle to get the latest fancy doodads that they didn't require or use. And in the process, Adobe wants to sucker in folks who don't bother calculating the cumulative costs on those monthly charges, even though most of these users would likely do just fine with some of the great Open Source alternatives (if they even know about them, which they probably don't).

I've actually been a long-time supporter of Adobe products like Photoshop and Premiere. But yes -- I'll admit it -- I'm one of those "bottom-feeders" by Adobe's definition, who somehow has managed to be satisfied with older versions of their products without frequently funneling more cash in Adobe's direction.

I'm also a big supporter of cloud-based services -- they can bring great benefits in an array of contexts -- where they're appropriate, make sense, and above all are appropriately priced.

But as we see with Adobe, it's also possible to use this model and an aggressive pricing structure to fleece the sheep, and frankly, I believe that is what Adobe is doing here as far as individuals and many small businesses are concerned.

Of course, this is only my opinion. Perhaps you disagree with me totally regarding Adobe's new philosophy.

In that case, you might wish to wander over to the many articles about Adobe's changes that are filling up with negative comments from upset Adobe users.

I'm sure that Adobe would appreciate your posted thoughts in support of their brave new world.


Posted by Lauren at 08:56 PM | Permalink

May 04, 2013

Dealing with Claims That the Government is Recording All Phone Calls

You may have heard buzzing by now that the talking heads of cable news are all aflutter over comments (on CNN) by a "former FBI counterterrorism agent" implying that the federal government is recording all domestic telephone calls, and needs merely to go digging into that archive to find "conversations of interest" related to the Boston bombings.

OK, let's talk about this for a moment (no pun intended). Many years ago, I publicly discussed the data requirements for "recording all telephone calls" and postulated that it was becoming technically feasible. This is not, however, the same as saying it is actually being done. There are several considerations.

First, I take anything said by "former FBI counterterrorism" operatives with more than a grain of salt. This whole sector -- like the intelligence community in general -- is rife with layers of purposeful misdirection and obfuscation. Never take anything you hear from these spooks at face value. Never.

It is now fairly well known that NSA, et al. have for decades taken the view that "merely" recording traffic is different from actually examining it -- but this has been almost entirely in the scope of international communications, and I know of no legal predicate under which NSA (or FBI, or another government entity) could collect *domestic* communications legally *en masse* as described. Of course, laws can be broken.

But the biggest reason I am doubtful of these claims is that I find it difficult to believe that surreptitious data collection of phone calls on that scale is possible without a very noticeable dribble of very explicit leaks. Somehow the same people who feel that the government is incompetent at most things believe that the government could keep all that data bottled up, with all those enticing phone calls (whether related to national security or just phone sex), without leaks.

I'm not talking here about one guy with claims about a secret telco cabinet.

There'd be so many people at various levels who would have to be involved in such a massive operation as a vacuum cleaner recording of domestic calls, that it's almost inconceivable there wouldn't be leaks not only about specifics of the program but of actual calls. The amount of money that would be offered by the gossip sites alone would be astronomical.

There's another problem too. You can't explicitly *use* any of the data from such a program without risking its exposure and an enormous blowback against everyone involved. Even if you only use the data to try to track other leads, you risk massive unraveling if anybody slips up on something of this scope.

Now, obviously, I could be wrong in my speculation. I have no inside knowledge to impart. Perhaps somewhere inside the Beltway there are guys sitting at giant screens in hidden basements reading this right now and chuckling at my naivete.

Or perhaps, we're indeed being suckered by claims of capabilities that do not actually exist.

We shall see in the fullness of time.


Posted by Lauren at 01:25 PM | Permalink

May 02, 2013

Expel and Arrest the Best Students: The USA's Road to Ruin

By now you've probably heard the story of 16-year-old Kiera Wilmot in (you almost could guess this) the once great but now poster child for government mediocrity state of Florida.

When she mixed a couple of chemicals together as an experiment on school grounds, she created a micro-explosion -- really just a loud poof -- that didn't hurt anybody or damage anything. The same sort of experiment that thousands of creative youngsters have performed for generations, back in the days when chemistry sets still had actual chemicals in them, and creativity itself wasn't considered to be a crime.

Should she have been doing this without explicit permission and supervision? Probably not. A reasonable punishment might have been a safety lecture, or at the far end a couple of days of after school detention.

But this is Florida. Her high school called out the goon squad, had her arrested, hauled away in handcuffs, and charged with a felony (to be tried as an adult) -- possession/discharge of a weapon on school grounds and discharging a destructive device. In other words, the lunatic State of Florida is hell bent on destroying her life.

Did I mention that Kiera is also black? Good ol' Florida. If there's one thing you can depend on from the "Sunshine State," it's that when it comes to health care, the justice system, education, and pretty much everything else, they'll do everything in the most punitive, unthinking, unethical, and morally corrupt manner possible.

Just to be clear, I'm not saying that everyone in Florida fits these deplorable categories. But the people of Florida get the kind of government they vote for, and can't complain if they're judged by the results, just like everywhere else.

And I'll even cut Florida a break. They're not alone in their idiotic, asinine behavior when it comes to education and dealing with kids.

Across the country, we've been treated to a late night horror movie sequence of young children -- some barely able to walk by themselves -- being tasered, handcuffed, arrested, interrogated, expelled, and worse for all manner of harmless behaviors -- with school district officials usually hiding like cowards behind so-called "zero tolerance" rules that help to make the USA educational system a laughingstock of the world.

When we have little children being accosted by authorities for biting their cookies into the shape of a gun, you know the lunatics are running the asylum.

I haven't heard reports of American children being waterboarded by school officials yet, but given the actions of officials to date -- most of whom probably shouldn't be let anywhere near children at all -- we'd be unwise to totally discount the possibility of such behavior. (You think I'm exaggerating? You've heard the one about the strip searches of kids to try to find a few missing dollars? When you have that kind of perverted antisocial mentality running schools, I'd submit that pretty much anything could happen.)

Now admittedly, there are some things that the American educational system is good at. For example, there's increasing evidence that we're just stellar at driving children to the edge of mental and physical illness (and increasingly, beyond the edge) with standardized tests that often cover material that was never taught, and that put such pressures on the system that kids are vomiting and teachers are rigging results to try to get by. Great work, if your goal is making sure that our country's competitive decline in the global community becomes the most permanent and prominent aspect of our history going forward.

But everything is relative, and we can pull the camera back even farther, and see how the failings of our schools represent the broader failings of a corrupt and toxic political process, with many prominent politicians sounding like they themselves never made it past third grade. But ask them to quote the bible, and they'll bend your ear with their explanations of what God wants for us all.

Small wonder then that we see increasing political attacks on science research and funding, and attempts to replace peer review with bible thumping.

Sometimes it's not easy to see the forest for the trees.

But when it comes to the utter insanity that has increasingly become part and parcel of our educational and political systems, the "connect the dots" cause and effect is staring us in the face, directly from the mirror.

This is our fault. It is perhaps the ultimate realization of Pogo's "We have met the enemy and he is us."

We have permitted this nonsense, this anti-intellectual horror to metastasize throughout our society, even as we push into the Internet age where science, reason, and education will be critical, crucial, indispensable to our personal and collective futures.

It is unacceptable for the small and perverse minds who would declare an inquisitive teenager a felon, or a cookie-wielding child a menace, to be anointed with such power to literally destroy our civilization -- piece by piece, child by child.

For it is in education and our children that the entirety of our legacy ultimately rests. It is not at all an exaggeration to suggest that if we don't change course from toxic stupidity, we are ultimately and deservedly doomed.

Changing the course of a gigantic ship headed toward a waterfall of destruction cannot be accomplished instantly.

But we can at the very least begin by introducing a modicum of common sense back into school policies that currently seem to have been based on prison procedures, and to stop using handcuffs, jail cells, and electric prods as our most visible and powerful educational tools.

The choices, as always, remain very much our own.


Posted by Lauren at 02:58 PM | Permalink