Doing the Numbers

The pandemic is global. Why isn’t the response?

When scarcity butts up against the public good, tears are guaranteed. This year—and for years to come, it seems—COVID-19 will provide ample opportunity to cry.

First, a word of congratulations to the cohorts of ideologues who spent decades grinding the United Nations down from a place to grapple with global crises to an underfunded, slothful, toothless show dog. Great job, gang. It’s not like we needed it.

What we have instead is a creative response to vaccination in a world where governments don’t want to cooperate, let alone play by the same rules. Gavi, the Vaccine Alliance was cobbled together by dozens of different stakeholders about 20 years ago to deal with something that we’ve always known is a problem: eradicating communicable disease in a world with wildly disparate levels of wealth and health.

The good news is that it was a relatively simple (albeit herculean) job to refocus GAVI on COVID-19 and to form COVAX, the global initiative designed to centralise vaccine acquisition, coordinate its delivery and reduce costs for everyone involved.

And it would be working well, if developed countries hadn’t jumped the queue. Sidelining their own contributions to COVAX, 16% of the world’s population has removed 70% of global vaccine production from control of the global consortium.

The already confusing and complex global supply chain has effectively been corralled by the moneyed nations who are intent on vaccinating themselves first.

That’s crazy, when you think about it.

It’s not crazy at first, though. I mean, it’s their vaccine. They can do what they like with it. And a lot of the money is theirs too, so ditto. And they were elected (or self-selected) to protect the interests of their own people. So… yeah. Ok.

Crying about basic injustice is a legitimate response. The fact that people are willing to shove others out of the way in order to secure a place on the first lifeboat out is lamentable, and not very cool. I seem to recall a bit of confusion about that in Titanic.

But let’s be honest. Fairness is a powerful argument, but not a compelling one.

The calculus that should be driving a coordinated global vaccination effort is the desire to see this thing ended decisively and quickly. A globally coordinated response isn’t just the right thing to do. It’s the best thing to do.

The longer the disease lingers in locales with poor health care services and large populations of people facing multiple concurrent health challenges, the more likely it is to mutate and re-emerge.

In short: If you shoot the first zombie, The Walking Dead never gets past the pilot. If you don’t, you… well, you get the show as premised.

A policy paper published a few days ago by The Lancet lays it all out. It recognises the near-miraculous speed with which the first vaccines have been produced, but warns that if production, pricing and allocation aren’t better coordinated, we could end up drowning in a rush to the lifeboats.

Scaling up production to meet global demand is a monumental challenge.14,  15 Before this pandemic, there were no existing networks of contract manufacturers for several of the leading vaccine candidates that feature novel technologies, including those relying on mRNA delivery platforms. Additionally, the volume of vaccines that is needed places pressure on global supply chains for inputs, such as glass vials, syringes, and stabilising agents.

The production of COVID-19 vaccines is limited by the highly concentrated state of global vaccine manufacturing capacity,16 and the relationships established between lead developers and contract manufacturers. A successful solution to the production bottleneck would probably require widespread technology transfer to enable the expansion of manufacturing capacity.

And yet, there’s no appreciable effort ongoing at the moment to move production into the public domain. Cooperative vaccine deals such as that negotiated by the Quad are good, but they’re just working around regional and strategic rivalries that the UN was specifically designed to circumvent.

Yes, millions will benefit from this, and that’s an unadulterated Good Thing. But it’s too small.

The Lancet makes it clear that self-interest is driving up prices for everyone, and contributing to supply shortages that virtually assure a more protracted fight against the vaccine for everyone. Looming over all of this is the spectre of COVID becoming a long-term affliction of the human species, slowing commerce and travel for decades to come, increasing distrust and instability, and punishing the poor.

Delays cost everyone. Eric Feigl-Ding is an epidemiologist with the Federation of American Scientists. He argues, “Delaying the vaccine is a terrible choice. If you were to choose, just take whatever is available because every day for 100,000 vaccinations that are delayed by just one day 15 people will die.”

That’s in the USA. The numbers for Papua New Guinea don’t bear contemplating.

We can’t say we weren’t warned. We knew that if—or more honestly, when—COVID-19 broke out into the community in PNG, it would create a dire threat. One that nobody is equipped to cope with.

Today’s announcement of an urgent effort to guarantee enough vaccines for 20% of Papua New Guineans sound good. Better than the next-to-nothing they’ve got right now, anyway. But 20% of the population in the first year has been the COVAX goal from the start.

That number was based more on market factors than epidemiology. It’s saddening that it takes a crisis of these proportions to raise even the prospect of meeting it.

We now know that vaccines don’t just protect a person from the virus, they also reduce transmission rates vastly, so its possible effective herd immunity may be reached a little shy of the 60% number that’s been bandied about since the beginning of the pandemic.

But here’s the catch: That number only works within discrete populations. We are content to divide ourselves along national boundaries for the moment, so that’s how eradication is going to manifest. The virus will be reduced significantly at first, perhaps even to vanishingly small rates in Europe, North America and large swathes of Asia.

But it only stays eradicated as long as the barriers remain.

And in pockets of the Pacific, in sub-Saharan Africa, remoter parts of Asia and South America, the virus will cling to humanity like a leech, mutating, waiting.

This is Brasil today:

PNG is even less equipped to cope with a runaway virus than Brasil is. We’ve known these were the stakes for a year. It is likely already too late. To his credit, James Marape has been pragmatic about this from the start. Some would say fatalistic.

Some would say that fatalism is an appropriate response.

A million vaccines for PNG isn’t nearly enough. If we’re being fair, the same can be said of every number, for every nation, until the virus is eradicated.

But the way things are going right now, it’s not clear that global eradication going to happen. Because there is no actual global eradication effort. And the odds of success are being driven down right now by wealthy nations getting their own self-interest exactly backwards, because they think there’s a difference between national interest and global interest.

Where they see rivalries, the virus sees opportunities.

COVAX is being undercut by queue jumpers. According to the Lancet, it is facing a multi-billion dollar shortfall, and it’s being outbid by developed nations. It has no long-term funding, and is ill-equipped to build any formal frameworks and supply chains in a marketplace that isn’t just short of vaccines, but also needles, vials, gloves, masks, protective gear—in short, every single thing it needs.

The Lancet policy paper argues convincingly for a global approach to vaccination. But there’s a difference between convincing and compelling. What we need now is the latter. We need world leaders to realise that they’re not protecting themselves if they don’t protect us all.

This is a critical moment in human history, and thus far, we’ve reacted with historic rapidity. But there’s a good chance that we won’t succeed unless we put our differences aside and tackle this global challenge on a truly global scale.

HTTPS Everywhere – what is it good for?

There’s a growing chorus of voices in infosec these days, calling for the effective deprecation of unencrypted traffic over the web. The only useful purpose port 80 serves these days, they argue, is to redirect to port 443.

Their arguments tend to run along these lines:

  1. HTTPS is the right way to handle encryption on your website (and other services, too). That’s true. It’s a well-established, well-understood standard that has gone through some awkward moments, but has emerged from the process as a robust and easy-to-use security layer on your web server.
  2. HTTPS protects you from unethical ISPs/states/actors who like to inject your traffic with unwanted ads and other nasties. That’s somewhat true, but requires a little unpacking, because there are some notable edge cases:
    1. Many corporations install their own certificate authority on approved devices, and use their own certificates to intervene in communications between you and other secure sites. This allows them to sit in the middle of your communication with your bank, for example.
    2. Anyone who can get access to either of the end points can simply watch the unencrypted traffic on either end, rendering any security measures in the communications protocol moot.
    3. Setting up and breaking down a secure session is an extremely difficult process that is well-understood by a very few people. The theory is clear enough, but applying it in practice can get hairy. The 2016 WPAD exploit is a prime example. It was demonstrated that you could use a near-obsolete, insecure method of discovering your network’s proxy settings to eavesdrop on secure communications. (Of course, if you could manipulate that setting, you could pretty much do what you want to the browser anyway. The point here is that there are ways for people to eavesdrop on your secure communications and leave you none the wiser, with or without HTTPS.)
    4. Establishing the identity of remote sites is still a bit fraught. It’s better today than it was in the past, but an SSL cert on its own is insufficient in the absence of a broader, systematic web of trust. These things require international cooperation, protocols and standards. Not all parties want the same thing, and few indeed are focused only on what’s best for the end user’s privacy. HTTPS Everywhere doesn’t move the markers in this part of the debate.
    5. Cross-site tracking cookies are a much more pernicious and troubling way for unscrupulous commercial actors to inject themselves into your day to day web traffic.

None of these are arguments against the use of HTTPS. You should use it when you can. Just because the other guy’s going to win doesn’t mean you shouldn’t at least make him work for it. But these are considerations that have to be borne in mind when people start suggesting that a web with HTTPS everywhere is a safer, more private place for everyone.

  1. HTTPS is growing in use. Get on board! That’s an argumentum ad populum. It’s a useful observation—and a Good Thing—but not reason to move in and of itself.
  2. Plain old HTTP is insecure, and untrustworthy. The first part is true, and people should know it. Google Chrome’s recent decision to mark all plain text websites as insecure is a good move. But the question of trust is more a practical than a technical issue. In other words, you can communicate securely with an untrustworthy information source, and you can communicate insecurely with a trustworthy source. Trust between end points needs to be distinguished from trust in the communications medium. Technical experts who advocate for HTTPS everywhere sometimes confuse the two. Non-technical people often do. Which means we have to be extremely circumspect about what we promise when we talk about making things more secure for them.
  3. HTTPS is secure and will protect you from eavesdropping. Yes it is, and no it will not. Yes, the protocol is solid. It’s really easy to do right (which is incredibly important for security), and it works for the purpose intended. But it’s only one part of a much, much bigger picture. As Bruce Schneier is fond of saying, the bad guys only need to find one way to win. Most systems have more than one way in. Many systems allow state-sanctioned eavesdroppers in through the front door.
  4. Encrypting even normal traffic means that you’re protected from state surveillance across the board. If they can’t differentiate your traffic, it makes it harder for them to single out the things they object to. Sad to say, the real world doesn’t work that way.

If a state wants to watch what you’re accessing over the web, they will find a way. At very least, they will know the end points you’re connecting to. If they’ve singled you out for observation, you’re going to face issues even if you use TOR, VPNs and other tools. Between compromised devices, networks and information providers, your options are quite limited if people decide to watch you individually.

If you’re not being singled out, they probably don’t care what you’re looking at. They might care about individual sources, but in cases like that, they’ll just block the site sources.

But wait—what about someone who’s not yet been targeted, and doesn’t want to be? Good question. There’s a marginal case there, but again, using HTTPS Everywhere is probably not going to be the decisive factor. It sure isn’t in China.

There are very good reasons to support the spread of HTTPS. Anybody who tells you otherwise is just… wrong. You should use it when you’re doing anything that involves your personal information. That includes everything from chatting with friends about what movies are good to transferring millions into your superyacht fund.

But to conclude from this that ‘the only purpose for port 80 these days is to redirect to HTTPS’ is a bit naïve, sad to say. It assumes that there are technical solutions to social/political problems. That’s not necessarily true:

  1. We’d be vastly better off with regulatory/legislative intervention to stop ISPs and others from messing with your web traffic. The reason for this is that removing the mandate to inject gunk into your web traffic is a far more effective way of circumscribing what ISPs are allowed to do. Let’s call it (part of) Net Neutrality. With or without HTTPS, we still need this regulation. Politically, cynical ISPs can point to HTTPS Everywhere and use it as an argument against net neutrality regulation. It’s not entirely rational, but that’s not to say the argument would be ineffective.
  2. When changing collective behaviour, it’s often better to proscribe the behaviour rather than prescribe the technical cure. People will always seek ways to fulfil the letter of the law and still achieve their own selfish ends. So an emphasis on better law is generally more effective than emphasising better tech.
  3. State actors and other surveillance groups generally don’t care that you’re looking at public access websites. When they do care, they just block the site at the ISP level. Yes, there are edge cases where you can get in before they know it matters, but that’s true with and without HTTPS. Encryption does add a slight advantage when it comes to internet whack-a-mole, but it’s only slight. And it’s likely to be ephemeral.
  4. If someone really wants to track you, they will compromise your end points, not the network layer. This is what China does. They just sit people inside the offices of the main online services. Law enforcement and signals intelligence agencies do much the same thing. They’ll either compromise your devices, or they’ll compromise the other end-point, often with the assistance of the service provider. The FBI attempted this with TOR, with partial success.
  5. HTTPS is easy, yes, but easy is not the same as simple. Just because you’ve got your cert properly set up doesn’t mean you’re safe. Focusing on HTTPS to the exclusion of other considerations or overselling its benefits could create a false sense of security. It’s far easier to designate something ‘untrusted’ than it is to determine that the same thing is ‘trusted’. We need to be careful about what we’re selling when we say that HTTPS Everywhere makes us more secure.

Widespread use of HTTPS is a Good Thing, and should be encouraged. But mandating its use everywhere is of limited additional utility where your practical security is concerned.

In a nutshell, universal HTTPS alone is insufficient to change or curb malicious human behaviour; and the additional measures that are necessary don’t require HTTPS everywhere to succeed.

HTTPS everywhere would achieve only a marginal and possibly ephemeral gain. In practical terms, people who are most vulnerable to unwanted collective or individual surveillance by state actors gain very little from this.

But let’s keep perspective: Opposing HTTPS Everywhere is a foolish waste of time and effort. We should encourage its spread. What we should NOT do, though, is pretend that the end of port 80 is the end of our privacy concerns, or even a particularly notable win. It’s a marginal improvement at best.

My beef is with people who think this is a big win for privacy. It’s emphatically not.

The intelligence game

Some may express a lack of concern about evidence of intelligence agencies ‘hoovering up’ every single communication across the southwest Pacific. But that doesn’t mean it isn’t illegal and wrong. Comprehensive surveillance of the kind we are experiencing under the NSA’s regime of total information awareness is a threat to our freedom of conscience, expression and association. More the point, it’s just not how allies should act.

Samoan prime minister Tuilaepa Sailele recently offered a public reaction to the news that New Zealand’s Government Communications Security Bureau, or GCSB, had moved in 2009 from occasional, targeted electronic surveillance tactics to ‘full-take’ collection. Mr Sailele showed his trademark forthrightness in asserting that the proper term for spying was ‘diplomacy’ and that it happened all the time.

This is a mischaracterisation. To conflate the sometimes confidential and always delicate role of the diplomat with someone rooting through literally everything you send over a wire is misguided, and does a significant disservice to diplomats. It’s a little rich, too, when someone who has ‘nothing to hide’ also has no problem with the physical intimidation of the Samoan media.

Let’s be perfectly clear about one thing: There is a world of difference between the intelligence gathering that allies conduct between themselves—often cooperatively—and the kind of thing of which New Zealand stands accused. Read more “The intelligence game”

Poettering Uber Alles

The wisdom of Dear Leader Lennart Poettering:

The design of systemd as a suite of integrated tools that each have their individual purposes but when used together are more than just the sum of the parts, that’s pretty much at the core of UNIX philosophy.

I would say that he misunderstands the essence, the substance and possibly even the purpose of the UNIX philosophy… but I think he actually does understand. I think he’s simply being disingenuous, twisting the definition to meet his desires. It’s clear that this is a man who believes that he knows what’s good and what’s not.
Read more “Poettering Uber Alles”

Torrenting clichés live on for a reason

Freddie de Boer has a post up, decrying pro-torrenting ‘myths’ that need to die.

Down in the comments, he writes,

Many of you are dramatically underestimating the kind of resources that are necessary to make great artwork. Sgt Pepper could not have been made by dedicated amateurs. Even today, high-quality recording costs are far higher than people realize. Lawrence of Arabia could not be made by some kids with a GoPro and a dream. Nobody laboring alone in his bedroom could code Half-Life 2.

But Counter Strike absolutely WAS coded by a bunch of volunteers as a result of their own enthusiasm. Likewise Team Fortress.

Oh – and the Linux kernel, which drives most of the web today. And BSD Unix – the framework on which Mac OS X is built.

And pretty much all of deviantart.com. And a majority of the stuff on 500px.com. And a great deal of good writing.

Lawrence of Arabia could not be made by some kids with a GoPro, but that does nothing to diminish what a couple of kids with a GoPro can do. And Sergeant Pepper – oh, this is silly and childish. Freddie, your proposition is that Great Art is not possible without significant resources being brought to bear. The real proposition is that some kinds of creative endeavour (the majority of which are decidedly not great) are not possible without significant resources. Read more “Torrenting clichés live on for a reason”

Snowdrift? Toboggan hill!

Paul Chiusano, in the course of reinventing the world, writes:

One of my personal pet causes is developing a better alternative to HTML/CSS. This is a case where the metaphorical snowdrift is R&D on new platforms (which could at least initially compile to HTML/CSS).

The problem with the ‘snowdrift’ here, to abuse the metaphor, has nothing to do with IP law, and nothing to do with lack of innovation. It has everything to do with the size of the drift. You don’t have any choice but to wait for someone else to come along to help shovel. But the author is trying to say, If everyone doesn’t shovel, nobody gets out. And that’s not always true.

A quick reminder: When HTML first came out, the very first thing virtually every proprietary software vendor of note did was create their own, better alternative. Web design tools were so common, it became difficult to market oneself as someone who actually knew how to create HTML by hand. And each of those tools used proprietary extensions and/or unique behaviour in an attempt to provide a ‘better alternative’ to consumers – and of course to corner the market on web development, and therefore on the web itself.
Read more “Snowdrift? Toboggan hill!”

The ‘Digital Divide’ is a chasm

The ITU, bless their binary souls, just released the 2014 Measuring the Information Society report. The headline is – or should be – that something is very wrong on the internet, and we need to fix it.

The ITU, bless their binary souls, just released the 2014 Measuring the Information Society report. The headline is – or should be – that something is very wrong on the internet, and we need to fix it.

I used to scoff at the phrase ‘digital divide’, which was used to soft-peddle the glaring technological inequalities between rich and poor nations. I still don’t like it, but for different reasons. I used to think that the technological gap between the developed and developing was evanescent, a transient blip which would rapidly disappear as wireless broadband technologies proved viable in even the most marginal markets.

Not so. At least, not so far. The 2014 ITU report shows a widening gap between rich and poor, in spite of the fact that growth in the global digital economy is driven entirely by the developing world.

Let’s look at who’s got access to broadband on their mobile:

 

 

The disparity between the richest and the poorest countries is glaring, and unlikely to right itself. The developed world and the Least Developed Countries are on completely different trajectories. Even the developing countries are showing a rate of increase that would require radical change even to come close to the level of ubiquity seen in Europe and North America. Read more “The ‘Digital Divide’ is a chasm”

Systemd and The Unix Way

What follows is not for the benefit of systemd supporters. I write it because somewhere out there on the wilds of the internet, there might still be some youngster with a clue who needs to get this….

What follows is not for the benefit of systemd supporters. I write it because somewhere out there In the wilds of the internet, there might still be some youngster with a clue who needs to get this:

Systemd, OOP and a number of other technologies have been touted by people who have a curious mixture of cleverness and a lack of imagination or experience (something altogether too common in the world of software development). They claim that because they have solved a problem, they are therefore entitled to use the same approach to Solve All Problems Ever. So instead of exercising a little humility and moving their work ahead in a way that’s accepting of other approaches, they charge in full speed, damn the torpedoes and devil take the hindmost.

It happened with Microsoft and ActiveX. It happened with Object Oriented Programming languages – most notably with Java: there was a time when it was hard to find work programming in anything else. It happened, to a smaller degree, with design patterns. You can find numerous other examples if you search for them.

It’s happening again today with systemd. Read more “Systemd and The Unix Way”

There’s no app for that

Putting responsibility for our children in the hands of governments and corporations is just wrong

Putting responsibility for our children in the hands of governments and corporations is just wrong

In recent years, the International Telecommunications Union (ITU) has been drumming up support for surveillance and censorship. They do it under the guise of creating measures to protect children and stop what they call cyber-crime. But what they advocate is nothing short of a toolkit fit for a police state.

I’d love to be able to say that I’m overstating the case. I’d love to find out that the technologies and legal levers that are being proffered by the ITU and various other agencies were never used for anything other than good. I’d also love a pony.

I’ve written before about the fractious relationship between the ITU and the technical organisations that actually do run the internet. I’ve written about how Pacific island governments and societies can come to terms with surveillance and censorship. I’ve even talked about this push by the ITU, extending across the developing world, to drum up support for its vision of the internet as a fenced and orderly place. More to the point, I’ve already written about where it leads.

But just last week, at a conference discussing the protection of critical IT infrastructure, I watched a presenter describing the creation of a computer incident response team (in ITU jargon, a CIRT) based on a model adopted by some of the least free countries in the world. This was presented without apology or explanation. Read more “There’s no app for that”

Web tricks are not for kids any more

Javascript is not a toy any more. Finally, after two decades of stumbling around blindly, wreaking more chaos and mayhem than a shirtless, drunken Australian on a JetStar weekend in Bali, web development has finally matured.

Screen Shot 2014-06-23 at 12.01.22 PMI started writing web apps in 1994. Using CGI.pm in Perl was pretty much state of the art – and the art wasn’t very pretty. ColdFusion appeared shortly thereafter, but only supported basic control structures – no functions or even subroutines at the start. Then came ASP and a disastrous mishmash of security holes, ActiveX objects being called from the only thing worse than PHP for tag soup with spaghetti code for filler. PHP, for our sins, went from being a ‘hey, kids, look – I made a web page!’ app to an actual application platform.

.. and the list goes on.

I’ve lived through the browser standards wars, I’ve seen such sins committed in the name of the Web that I would wake up screaming, ‘Why, Tim Berners Lee?!? WHY???!!’ I’ve lived through <BLINK>, Flash, animated GIFs, <MARQUEE>… and other monstrosities whose names Shall Not Be Spoken.

I’ve used JavaScript since it was a toy.

But this, my child, is the key: It’s not a toy any more. Finally, after two decades of stumbling around blindly, wreaking more chaos and mayhem than a shirtless, drunken Australian on a JetStar weekend in Bali, web development has finally matured. A bit. It’s learned that being cool doesn’t earn you nearly as many friends as being useful. It’s learned that a guy’s gotta eat, fer Chrissakes, and sleep from time to time. It’s learned that popsicle-stick bridges may be neat, but won’t carry the load that a boring old concrete one will.

But, as the scripture says, ‘then I put away my childish things.’ Oh, it’s true that just because we’ve grown up doesn’t mean we’ve learned every lesson ever. It’s true that we Web Developers still get seduced by Teh Shiney. But all in all, we’ve grown; we’ve lost our innocence and our hair. But we sleep at night. And we parallelise. And we scale. We’re grown-ups now. With grown-up tools.

So put down your PHP child. Accept that JavaScript is a language. REST in your Bower and accept that some change is for the better.