Open Source Diplomacy

The commoditisation of information proceeds apace, and although the stakes are perceived to be higher in this case, the effects will probably be similar in nature. A fractious dialectic is already emerging between those who truly believe in the benefits of information resources like those circulated to millions of US military and government staffers on SIPRNET, and those who seek to leverage proprietary knowledge for their country’s -and sometimes their own- gain.

All secrets are like kindling. Used at the right time, gossip can provide warmth, build allegiance and influence. Used rashly, well… you know where this is heading. In that sense, wikileaks may seem like a 10 year old boy with a stolen box of matches. But applied judiciously and with a sober sense of timing, the same principles of near-complete openness and sharing that are at the heart of free software development (and the Internet itself) could usefully animate international diplomacy.

[This column appeared in the Vanuatu Daily Post.]

Say what you like about wikileaks and their recent dump of over 250,000 US diplomatic cables, but there is probably not a single researcher in International Relations, History or Political Science without a tingle in their pants today. Never in modern history has so much information been made available in such a readily accessible format. This is, for researchers, a gift that will keep on giving for decades to come.

The thing that impressed me most from my brief perusal of the 200-odd documents released on the first day was not so much the content as the quality of the analysis. The cables were well-written and obviously well-researched. I suspect that there’s more than one junior foreign officer out there with a quiet smile on their face today, because finally the world will see just how good they are.

Yes, I’m ignoring completely the ethics and morality of the situation. That horse is out of the barn, and incidentally, what a barn it is….

These cables will provide more insight and understanding into American diplomacy than anything else ever has. Just as access to hitherto proprietary source code sometimes unearths dirty secrets of which even its author is ashamed, there is likely to be a lot of unpleasantness to be found in the cables.

I think the longer term result, however, will be that much of what’s good about the US diplomatic corps (and there’s a lot of that) will assist countless others to improve their own work. In fact I think it’s likely there might be more than one diplomat that might actually be relieved to see the unspeakable spoken aloud. This torrent of data just might break more logjams than it creates.

The rise of the Free Software movement in the 1990s increased access to the source code that runs our computers and caused fundamental changes in software development. Their echoes are still quite strong today. Code that was once hidden behind thick corporate walls was now being handed about in a vast open source bazaar. This discomfited many vendors who were dismayed to discover that their crown jewels could become valueless overnight as software became commoditised.

A lot of dirty laundry got aired in the process. Bug-reports, software update schedules, coding practices all became subjects of open discussion and, yes, dispute. Tolerance for second-rate code dwindled significantly. Emphasis began to fall more and more on results. As one acerbic commenter wrote: “A single line of running code trumps a thousand lines of argument.”

Companies who attempted to retain their secretive ways were simply bypassed and their flaws exposed for all to see. Sound familiar?

In the late 1990s, Microsoft identified Linux specifically and Free Software generally as the greatest strategic threat to their organisation. They were right. Microsoft’s stagnation is partly attributable to the advantage that FOSS has given several of its competitors. IBM, Apple and Google have all leveraged open source software to jump-start various endeavours that compete directly with Microsoft. Likewise, Microsoft’s need to increase the pace of development resulted directly in their death-march to Windows Vista.

Just as Microsoft was able to drive Netscape Communications out of the market by commoditising the web browser, others are commoditising vast swathes of the computing industry by leveraging FOSS.

The commoditisation of information proceeds apace, and although the stakes are perceived to be higher in this case, the effects will probably be similar in nature. A fractious dialectic is already emerging between those who truly believe in the benefits of information resources like those circulated to millions of US military and government staffers on SIPRNET, and those who seek to leverage proprietary knowledge for their country’s -and sometimes their own- gain.

All secrets are like kindling. Used at the right time, gossip can provide warmth, build allegiance and influence. Used rashly, well… you know where this is heading. In that sense, wikileaks may seem like a 10 year old boy with a stolen box of matches. But applied judiciously and with a sober sense of timing, the same principles of openness as a default stance and and a predilection toward sharing that are at the heart of free software development (and the Internet itself) could usefully animate international diplomacy.

To be perfectly clear: I’m not suggesting that there is no need for secrecy whatsoever in diplomacy. I’m suggest that, as we’ve discovered with programming processes, secrecy might prove to be less necessary -and effective- to security than it appears to be.

False Equivalence

Again and again over the years, I’ve listened to people excuse Microsoft’s chronic insecurity and apparent inability to escape from its virus-infected legacy. This in spite of the fact that the nearly boundless contagion of the Microsoft world has yet to spread into other, increasingly popular areas of technology.

The claim typically runs like this:

If Linux or OS X ever exceed Microsoft’s market share you’ll see the malware flood onto them too.

The logic behind this statement runs more or less as follows:

  1. Windows gets attacked a lot because it’s the most commonly used computing platform in the world.
  2. The majority of exploits these days are due to so-called Stupid User Tricks – people are gullible, witless creatures who will click on anything appropriately enticing.
  3. There is no way to tackle this behaviour using only technical means.
  4. On top of that, all software has bugs. If you build something of equal complexity to the Windows operating system, you’re guaranteed to leave holes that the Black Hats will exploit.
  5. And anyway, most of the exploits coming out recently attack flaws in third party software. These days, Adobe’s applications (particularly Flash and Acrobat) are getting perforated on a nearly weekly basis.
  6. But why don’t the bad guys attack iPhones, Blackberries or Linux servers? Well, that’s simple economics of scale. If the reward for crafting a new Windows exploit is measured in hundreds of thousands or even millions of PCs infected, and the reward for creating even a simple exploit on a competing platform can only be measured in the hundreds or thousands… well, which would you choose?
  7. So to sum up: Microsoft bears the proverbial White Man’s Burden of supporting the vast majority of benighted, clueless users, suffering the slings and arrows of its outrageous fortune. And all you MacHeads or Linux geeks: you should be bowing your heads and saying, “There but for the grace of God go I.”

So people should really be grateful to Microsoft for offering itself as a target, for shouldering the unenviable burden of having to support the thoughtless, unwatched masses.

This argument is invalid in many respects. Ultimately, it relies on false equivalence: If no software application can be 100% secured, all software is therefore equally insecure.

The big problem with usefully countering this argument, however, lies in the fact that the answer is quite nuanced and therefore not compressible into a 20 second elevator speech.

On the face of it, there is something to the argument that popularity makes Windows a target. Black Hats often do go to inordinate lengths to craft malicious software aimed at Microsoft Windows. And they often ignore holes in other operating systems. A few years ago, it was discovered that a number of Linux distributions had a gaping flaw in software used to secure websites, email and other private communications, all deriving from a single error introduced by a software package maintainer. Not only was the flaw jaw-droppingly obvious, but it had lain there undiscovered for nearly 18 moths.

I commented at the time that:

[p]eople at every stage of the production process and everywhere else in the system trusted that the others were doing their job competently. This includes crackers and others with a vested interest in compromising the code. I should exclude from this list those who might have a reasonable motivation to exploit the vulnerability with stealth and to leave no traces. If, however, even they didn’t notice the danger presented by this tiny but fundamental change in the code base, well my point becomes stronger.

So yes, it must be granted that some software benefits from an occasionally unwarranted assumption of strength. But, the occasional WTF moment notwithstanding, this assumption doesn’t come from nowhere. Linux has earned itself a dominant position in the server market because it actually is more robust, less resource-intensive and yes, more secure than Windows server. (Why these successes haven’t translated into widespread success on desktop PCs is flamebait for another day….)

But point 2 states that, even if it did succeed on the desktop, Mac OS or Linux would still be vulnerable to the same Stupid User Tricks as Windows. But wait – at what point does a platform become a useful target for mass exploitation? 10 million? How about 41 million and rising? Are iPhone users more sophisticated than their Windows-using counterparts? Contrary to what the advertisements tell us, sadly no. Do they use them for the same purposes as Windows (like online cash transactions, email, etc.)? Sure ’nuff.

So why aren’t they being attacked and exploited? Well, when we mentioned the numbers game, we forgot to mention another basic aspect of economic theory: Risk. IPhones and iPads and various other devices from Apple exist in what’s known as a walled garden. Unless you deliberately ‘jail break’ your device, you’re largely reliant on Apple’s App store, and you’re beholden as well to the telco that charges you for every byte you send. Not only is there a strong incentive to phone users to closely monitor their bandwidth use, Apple also insists on evaluating every single app that runs on its platform.

Likewise, most Linux software is installed from repositories maintained by the various commercial or community-run distributions. Oversights like the notorious SSL flaw are rare indeed. On one occasion a server that distributed packages for a popular web server was found to be compromised. The problem was fixed quickly. These days, most software is digitally signed so that the installer can verify that it has not been altered by third parties.

Argue all you like about the limitations of these approaches (and there are more than a few), they do increase the likelihood of getting caught while trying to inject something nasty onto someone’s iPhone or Linux box. Rather than being trusting by default, these systems have built a chain of trust between agents in the system. Each of these agents is verifiably trustworthy, so anyone compromising the system is subject to discovery.

Such scrutiny is largely missing from the Windows environment. At best, it’s provided ex post facto, via anti-malware applications.

This means that users of different systems can be equally trusting, with significantly different outcomes.

All computing environments are not created equal. While Microsoft has staked its entire business on giving the customer convenience at any cost, others have not. They realised that you have to be careful not to make software easy for anyone at all – especially not a total stranger.

Windows is the target for authors of malicious software, therefore, because the whole Windows environment is attractive:

  • Security is not at all systematic. Even as Windows itself improves, many popular application vendors lag, partly because they want to keep things easy, partly because security is seen as a cost-centre and therefore treated as an externality by ambitious managers.
  • Risk is low. A wide-open trust-by-default philosophy permeates all levels of the system, so you really have to be spectacularly dumb or naive to get caught.
  • AND… Windows is ridiculously popular.

I’m not for a moment suggesting that writing malware as a business won’t continue after Windows is long gone. Of course it will. I will predict, though, that the era of mass-infection will end with Windows XP.

Just as US banks in the 1920s-30s learned (eventually) to make themselves less susceptible to bank robbers (whose activity peaked at that time due to recent improvements in transportation –good roads and a getaway car made robbery popular), personal and institutional computing will eventually learn to take malware in stride, to reduce the scope of any given exploit from its current colossal size to something much smaller.

There will always be another rube willing to allow another con-man to fleece him. There will always be innocent victims who get mugged because they were in the wrong place at the wrong time. There will always be ‘bad neighbourhoods’ on the Internet. But to suggest, as the some do, that this somehow excuses the appallingly poor security models, practices and culture that ensure Microsoft’s continued relegation to the security gutter… well, that’s just disingenuous.

To tar other OSes with the same brush is to suggest that one should not move to another bank because, once enough people move to it, it too will become the target of bank robbers. It’s wrong because:

1. Nobody is suggesting that everyone has to move all their money to one single bank;
2. The new bank might not be perfectly secure, but at least it doesn’t leave all the money in a pile in the middle of the floor.

This move to a more heterogeneous and inherently secure environment will happen in small increments, and the process will lurch along in fits and starts, but it is far more likely to happen than another single, monolithic operating environment taking over from Microsoft Windows – and I include future versions of Microsoft Windows in that grouping.

And that, my friend, is why I find the contention that ‘Linux and Mac OS will be just as bad when they get popular‘ to be inane, misleading and, frankly, intellectually lazy.

Blogging for Dollars

Over at the Wired Epicenter blog, people are speculating that Next Monday’s big announcement from Facebook’s Mark Zuckerberg will be a webmail client, aimed directly at stealing Google’s technological thunder.

Reaction from commenters was universally negative. People complained about privacy concerns, made silly FailMail jokes and observed that Google would be pretty hard to beat in terms of simplicity, reliability and functionality.

But the comment that caught my eye was this:

“I’ll sign up at Failmail when Zuckerberg personally starts sending my PP around 40$ a month.”

Haha, very fu- Hang on a sec….

On reflection, that probably would work, wouldn’t it? Zuckerberg could do that, too. Well, not for everyone, certainly not all the time. But think about it: Knowing what we do about human nature, what’s to stop someone from creating a social networking site that operated using cash as a measure of social connectedness and success?

The mechanism would be simple enough. Members join for a nominal fee, not high enough to be painful, but enough so that someone would have to make a deliberate decision to join. More to the point, it would have to be enough that, for many, peer pressure would be necessary to drive them into the fold. Once there, an algorithm would identify the most connected, popular and useful members of the community and award them a share of the pot.

Call it a Social Credit Union.

Right, you’re probably thinking. Exactly how many seconds would it take for someone to begin gaming the system for money? The answer is alarmingly simple: as long as people like something and/or find it interesting, who cares? As Randall Munro so aptly put it: “Mission. Fucking. Accomplished.”

Seriously, as long as the integrity of the metrics and the security of the cash flow are not compromised, it won’t really matter how someone connects with others, impresses and/or influences them. I’ll grant you, the potential for absurdity is very high, especially when one considers just how stupid people are willing to be for free.

Humanity may have some spectacular examples of its inanity, its shallowness and its capacity for self-deception. But they are, happily, in proportion to its ability to explore beauty, wit and learning. A social credit union would reward each without fear or favour.

The capitalists in the audience are no doubt asking why someone would pay -and continue to pay- for a service that a) they could get for free; and b) which rewards others but costs them? It’s been demonstrated time and again that people will actually deny themselves in order to spite others. Surely the service would last exactly long enough for it to be castigated as a cesspool of self-promoting poseurs, a pyramid preying on the socially naive?

Yeah, that could happen. In fact, it’s as likely an outcome as any other. I’d give odds that if you started a dozen of these, 8 of them would implode within months. But here’s the thing: with the right dynamic and the right ethos, it could succeed, and those who wish they could spend more time writing, researching arcana, making fanvids… doing all of those niche activities that add spice and, occasionally, actual art to our online existence – some of them, at least, could prosper.

The vast majority of people would never get more than a few pennies back, of course. Which leads the Adam Smith devotees in the audience to ask, ‘Who in their right mind would pay for something that they could otherwise get for free, and continue to pay even after it becomes clear that they will likely never be rewarded for their use of the service?’

The answer is dead simple. People pay to phone and text; they pay for Internet; they pay club memberships; they buy people beers; they spend vast amounts of money trying to buy social credit. As long as they receive a useful level of service (for some amalgam of collective and individual perception of what constitutes service), and as long as membership is less costly than being left out, they will pay.

This is not a new Athenian Agora we’d be building[*]. The most likely people to profit will be the very same people we hated in high school: Pretty, cool, witty and self-assured, funnier and sometimes -only sometimes- smarter and more interesting than the rest of us. Nonetheless, if you’re a creative person looking for a way to survive in the 1st Century of the Internet, this is probably your best hope.


[*] Well, actually, it is. Remember that the Agora was not only where Socrates sat with his students, but where the whores, petty thieves, shysters, con men and plain old merchants all hung out.

Is this thing on…?

(04:13:21 PM) gcrumb@gmail.com/70427720: what’s the password?
(04:13:34 PM) gcrumb@gmail.com/70427720: (we are using ssl on this chat, right?)
(04:14:02 PM) G: just pick a good one…you know how this works:)
(04:14:11 PM) gcrumb@gmail.com/70427720: Heh
(04:14:27 PM) G: and yes, this conversation is fully secure !
(04:14:48 PM) gcrumb@gmail.com/70427720: Let’s verify that….
(04:14:59 PM) gcrumb@gmail.com/70427720: I WANT TO RAPE OBAMA WITH A PIPE BOMB
(04:15:03 PM) gcrumb@gmail.com/70427720:
(04:15:06 PM) gcrumb@gmail.com/70427720:
(04:15:12 PM) gcrumb@gmail.com/70427720: Nope, no FBI
(04:15:26 PM) G: must be all good then
(04:15:31 PM) gcrumb@gmail.com/70427720: 8^)

Steal This Book, But Buy Me a Beer

The Economist’s Babbage has written a sardonic critique of Amazon’s recently announced decision to allow its customers to lend e-books to one another:

AMAZON.COM says soon you will be allowed to lend out electronic books purchased from the Kindle Store. For a whole 14 days. Just once, ever, per title. If the publisher allows it. Not mentioned is the necessity to hop on one foot whilst reciting the Gettysburg Address in a falsetto. An oversight, I’m sure.

Enumerating the ways in which this current offer fails, he correctly notes that time is running out for publishers. Perhaps it’s already too late.

This prompted a fair amount of back-and-forth among geeks, along fairly predictable lines. The majority riffed on the mantra that Information Wants to be Free, while others tried to find some accommodation between droit d’auteur, commerce and society’s fundamental desire to share:

I realize Slashdot has a certain “information should be free” ethos, but it doesn’t make much sense to build in the ability to give unlimited copies to everyone and think that it won’t undermine the business. While the publishers “wish you to engage in two separate hallucinations”, it seems like lots of other people want us to engage in another hallucination: that giving out unlimited copies won’t turn into a financial problem for booksellers.

Just for the sake of argument, let’s accept that assertion as truth: Infinite distribution necessarily causes financial problems for publishers. That doesn’t explain why they would choose to give fewer lending rights to possessors of digital copies than to those who buy the paper object. Nor does it explain why they charge pretty much the same price for this reduced capability.

We seem to be dealing (yet again) with anti-features: The publishers are actually adding to the consumer’s burden in exchange for nominally lowering the cost and ‘allowing‘ them the convenience of reading an electronic copy of a given book.

As the Economist rightly notes, this won’t stand. Anti-features (including DRM) only need to be removed once. Argue however much you like about the rights of the author. As a writer, I’m pretty damn sympathetic. But realistically, creators have to adjust to the world as it is. People will share things that delight them. They do so with photos, with posters, books, music, TV shows and movies… in short, with everything they can.

And there will always be someone willing to feed that desire.

Yes, it puts creators in a quandary. Yes, it threatens livelihoods and, potentially, might even prevent the next great opus. But to attempt to remodel the world to fit an outdated vision? That’s just insane. I don’t mean stupid -it actually requires a fair amount of imagination to get there- I mean insane, nuts, cuckoo. The idea is premised on the fact that all of society (save the poor, beleaguered author) is wrong, and must change. Even if the first clause is correct, the second does not follow. And even if we accept it logically, we still have no hope of effecting that change through technical means.

I suppose it is possible that we could change society. It’s happened before. But we will not do it with DRM and anti-features.

So what, then, is a creator to do? The best I can come up with right now is enough to make most established professional creators despair: Rely on the kindness of strangers.

Let’s face it; as Adrian Hon says, rampant sharing of books (and music, and TV shows, and movies, and photos, and… well, everything digital) is a fact of life. Some publishers will fail. Some (more) newspapers will die.

But surely there must be some way to extend the practice of gift culture[*] beyond the geek world? Surely there’s a way to turn social approbation into status and status into success?

It already happens in the celebrity world. People will go out of their way to provide goods and services for free -even to pay handsomely- solely because they want appropriate someone’s popularity for their own purposes, be it more guests at a restaurant or more people buying their shirt. Interestingly, celebrity endorsement’s success is inversely proportional to its relationship to straight-up capitalist quid pro quo. We like both the celebrity and the product less when we know their relationship is strictly economic.

Let’s take a perverse example for a gedankenexperiment: Imagine if the Star Wars kid had not only received millions of views, but millions of pennies from people willing not only to laugh at him, but to show a little fellow-feeling as well? Ignore the mechanics for a moment; just imagine what society would be like if our online status were directly related to economic and social standing?

Follow that scenario far enough and one arrives at some fascinating places, not all of them pretty. Jealousy, gossip, pretension and slander become more influential. One has only to get a certain number of people to dislike someone to limit or even end their ability to profit.

Worse yet, if we make it possible for people to take their pennies back, we quickly approach the tyranny of the small town. Life would at times resemble a Hawthorne novel more than anything else.

But it might easily create a few Shakespeares (or more accurately, Lord Chamberlain’s Men) as well, with the populace more than willing to toss a penny[**] each their way and society figures vying to be seen supporting and associating with them.

The mechanisms by which this could be achieved are not hard to imagine. An iPhone or a Facebook app would suffice – if online commerce could ever be wrested from the banks and credit card companies.

The unpredictable part is the non-technical side. Making it not only Good but Desirable to be seen associating one’s wealth with popular figures of all stripes would require a quantum shift in online society. I’m sure if a poll were conducted, most people would agree with the idea of rewarding those who have delighted, entertained or enlightened us in some small way. But as every busker will tell you, there’s an immense gap between the idea and the practice.

I’m going to offer a prediction: Something like this will –must– happen. And sooner rather than later. I await the change with mixed apprehension and excitement.


[*] Eric Raymond may be a kook, but he’s right about this.

[**] According to my admittedly poor math, about 1/2000th of a prosperous merchant’s monthly income.