Wednesday, December 23, 2015

Trump is right about "schlong"

The reason Trump is winning is because the attacks against him are unfair. The recent schlong-gate is a great example.

Yes, "schlong" means "penis", but is also means "rubber hose". Getting beaten by a rubber hose has long been a severe way of beating somebody. Getting "schlonged" has long meant getting a severe beating with absolutely no sexual connotation. Sure, you may never heard of this slang, because it's very regional, but it does exist. Fact checkers have gone back and found many uses of this word to mean just that [1] [2] [3] [4] [5], meaning "severe beating" in a non-sexual sense.

We regularly use words like hosed, shafted, stiffed, chapped, and boned to mean something similar. Sure, some of these derive from a base word for "penis", but are commonly used these days without any sexual or derogatory connotation. The only different about "schlonged" is that most Americans were unfamiliar with the idiom. Had Trump said "shafted" instead, this controversy would not have erupted.

But those who hate Trump, and who have only known "schlong" to mean something dirty and derogatory, are unwilling to let go of their hate. They are unwilling to believe that Trump's use of the word in relationship to Hillary is anything but sexist. No amount of citing people from that region saying "I use the word without particular sexual connotation" will ever convince them otherwise. They've never been to that region, never used "schlonged", but now they are experts on exactly what connotations that word has.

And that's why his populist demagoguery is winning. In recent years, every worker in America has been subjected to repeated rounds of sensitivity and political-correctness training, making them feel they are already guilty of racism and sexism before anything has occurred. They watch as either they, or their friends, get in trouble for transgressions just like this, innocent, yet unable to defend themselves. And women and non-whites are just as pissed off.

It's like my friend who calls himself a "cheap Chinaman", because he is Chinese and cheap, just like all his Chinese friends and neighbors. Off to HR he goes for re-education.

Or it's like another co-worker, who said "fair people should only breed with their own kind", to a black co-worker. She was talking about the Renaissance Fair, whose members ("fair people") are hopelessly nerdy and out-of-touch like herself. But that doesn't matter, of to HR she goes for re-education!

Or, it's like another friend, who grew up on an Indian reservation. His first schoolyard fight was because a kid called him "white", which was the worst possible insult. When his parents sent him up to his room without dinner as punishment, he overheard is parents say "should we tell him?", because in fact his mother was indeed mostly white. His identity is American Indian (of the Lumbee tribe), but he looks white enough, so when he challenges his new hire indoctrination about overcoming his white privilege, off to HR for re-education he goes!

None of these three examples are white-males. Everyone feels stifled by this political correctness overreach. When they see Trump confront his bullies boldly, not backing down, he becomes a hero.

Yes, in the end, Trump is a tad racist, and his populist demagoguery borders on fascism. But if he wins, it's not the racism of white-males that will have made it so. It will be the patently unfair hate and bigotry of the left-wing that will have made it so.

Update: Words sounding like "schlang" mean "hose" in a wide variety of European languages, such as шланг (shlang) in Russian, slang in Swedish and Dutch, slange in Danish, შლანგი (shlangi) in Georgian. European "ethnic" areas, like where Trump grew up, use the word to mean "hose". I'm mostly ethnically German. As far back as I can remember, "schlong" has always meant penis in the same way that "hose" has meant penis.

Update: The WaPo reference above is a perfect example of the left-wing bias the media aimed at Trump. It cites a previous non-sexual example of the term "schlonged", and then insists without citing any evidence that the term must have a sexual meaning.

Update: Suppressing regional and ethnic idioms because you've never heard of them is, of course, a form of bigotry and racism.

Friday, December 18, 2015

Where do bitcoins go when you die? (sci-fi)

A cyberpunk writer asks this, so I thought I'd answer it:

Note that it's asked in a legal framework, about "wills" and "heirs", but law isn't the concern. Instead, the question is:
What happens to the bitcoins if you don't pass on the wallet and password?
Presumably, your heirs will inherit your computer, and if they scan it, they'll find your bitcoin wallet. But the wallet is encrypted, and the password is usually not written down anywhere, but memorized by the owner. Without the password, they can do nothing with the wallet.

Now, they could "crack" the password. Half the population will choose easy-to-remember passwords, which means that anybody can crack them. Many, though, will choose complex passwords that essentially mean nobody can crack them.

As a science-fiction writer, you might make up a new technology for cracking passwords. For example, "quantum computers" are becoming scary real scary fast. But here's the thing: any technology that makes it easy to crack this password also makes it easy to crack all of bitcoin to begin with.

But let's go back a moment and look at how bitcoin precisely works. Sci-fi writers imagine future currency as something that exchanged between two devices, such as me holding up my phone to yours, and some data is exchanged. The "coins" are data that exist on one device, that then flow to another device.

This actually doesn't work, because of the "double spending" problem. Unlike real coins, data can be copied. Any data I have on a device that I give to you, I can also keep, and then spend a second time to give to somebody else.

The solution is a ledger. When my phone squirts coins to your phones, both our phones contact the bank and inform it of the transfer. The bank then debits my account and credits yours. And that's how your credit card works with the "chip and pin". It's actually a small computer on the credit card that verifies a transaction, and then your bank records that transaction in a ledger, debiting your account.

Bitcoin is simply that ledger, but without banks. It's a public ledger, known as the blockchain.

The point is that you don't have any bitcoins yourself. Instead, there is an entry in the public-ledger/blockchain that says you have bitcoins.

What's in a bitcoin wallet is not any bitcoins, but the secret crypto keys that control the associated entries in the public ledger. Only the person with the private key can add a transaction to the public-ledger/blockchain reassigning those bitcoins to somebody else. Such a private key looks something like:


Without this key, the associated entries in the blockchain become stale. There's no way to create new entries passing bitcoins to somebody else. If somebody dies without passing this key to somebody else, then the bitcoins essentially die with them.

In theory, somebody can memorize their private key, but in practice, nobody does. Instead, they put this into a file, and then encrypt the file with a password that's more easily memorized. For example, they might use as their password the first line of text from Neuromancer. It's long and hard to guess, but yet something that is either easily memorized, of if forgotten, easily recovered. In other words, the password (or passphrase in this case) to encrypt the file containing the private key might be:
The sky above the port was the color of television, tuned to a dead channel.
So now our deceased has to pass on both the wallet file and the password that will decrypt the wallet. Presumably, though, the deceased's heirs will find the computer and the wallet, so practically the only problem becomes cracking the password.

Cracking is an exponential problem. The trope in sci-fi is to wave aside this problem and "reroute the encryptions", and instantly decrypt such things, but in the real world, it's a lot harder. Passwords become exponentially harder to crack the longer they are.

The classic story here is that of a knave who plays chess with a king. The king tells his opponent that he can have anything he wants within reason should he win. The knave chooses this as his prize: one grain of rice for the first square, two for the second, four grains of rice for the third square, and so on, doubling each time for all 64 squares on the chessboard. The king, thinking this to be a minor amount, agrees. When the knave wins, the king finds he cannot payoff the winnings -- because of exponential growth.

The first ten squares have the following number of rice grains:
1 2 4 8 16 32 64 128 256 512
This is 1024 grains of rice in total. Using 'k' to mean 'a thousand' (kilo-grains), the next 10 squares look like this:
1k 2k 4k 8k 16k 32k 64k 128k 256k 512k
This is about a million grains of rice. Using 'm' to mean 'a million' (mega-grains of rice), the next 10 squares look like this:
1m 2m 4m 8m 16m 32m 64m 128m 256k 512m
This is about a billion grains of rice. The next 10 squares becomes a trillion gains of rice, and we are only 40 out of 64 squares.

As the Wikipedia article discusses, filling the chessboard requires a heap of rice larger than Mt. Everest in rice, or a thousand years at the current rate of growing rice.

One ending of this story is that the knave gets the daughter in marriage and half the kingdom. In the other version of this story, the king beheads the knave for his impudence.

The same applies to password cracking. Short passwords are easily cracked. Because of exponential growth, long passwords becoming impossible to track, even at sci-fi levels of imagined technology. If such a magic technology existed, then it would defeat the underlying cryptography of the blockchain as well -- if you could crack the password encrypting the key, you could just crack the key. If you could do that, then you could steal everyone's bitcoins, not just the deceased's.

In the above example, the sci-fi writer in question imagines an artificial intelligence that, in order to make money, tracks down dead people and harvests all the bitcoins they haven't passed on. This can't be done by harvesting the blockchain -- it'd need the private keys.

One way that this might happen is that for the AI to own a company that recycles computers. Before recycling, it automatically scans them for such files. While it can't break the encryption normally, some large percentage of people choose weak passwords. Also, the AI might know some tricks that make it smarter at figuring out how people choose passwords. It still won't crack everything, but even cracking half the possible coins would lead to a good amount of income.

Or, let's tackle this problem from another angle, a legal angle. One of the hot topics these days is something known as "crypto backdoors". The police claim (erroneously in my opinion) that such unbreakable encryption prevents them from investigating some crimes, because even when they have a warrant to get computers, phones, and files, they can't possibly decrypt them. Thus, they claim, technology needs a "backdoor" that only the police can access with a warrant.

In it's simplest form, this is technically easy. Indeed, it's often a feature for corporations, so that they can get at the encrypted files and message when employees leave the firm, or more often, when stupid employees forget their password but need to have the IT department recover their data.

In a practical form, it's unreasonable, because it means outlawing any software that doesn't have a backdoor. Since crypto is just math, and software is something anybody can write, this means a drastic police-state measure. But, if you are a cyberpunk writer about future dystopias, well then, this would be perfectly reasonable.

Thus, in this case, the police, using their secret backdoor key, would be able to decrypt the wallet, and recover any secret key.

But then at the same time, the police could in theory impose this rule on the blockchain itself. Instead of simply trusting a single person's key, it can trust multiple keys, so that any of them can transfer bitcoins to somebody else. One of those keys could be a secret backdoor police held by the police, so they could step in and grab bitcoins any time they want.

This would, of course, largely defeat the purpose of the bitcoin blockchain, because now you had a central control. But things can go halfway. Bitcoin is transnational, so it really can't be controlled by even a dystopic government, which is why it's currently popular in places like Russia. However, a government can still force the citizens of their own country to backdoor their transactions with that county's public backdoor key (which matches a secret police key). Thus, the American police would be able to grab bitcoins from any law-abiding American to chose to sign their transactions with the FBI's key.

The point I'm making here is that if you are a sci-fi writer, while a naive approach to the topic might not have a good answer, something thinking and discussing it with a bunch of people might yield something fruitful.

Thursday, December 17, 2015

Force Awakens review: adequacity

The film is worth seeing. See it quickly before everyone tells you the spoilers. The two main characters, Rey and Fin, are rather awesome. There was enough cheering in the theater, at the appropriate points, that I think fans and non fans will like it. Director JarJar Abrams did not, as I feared, ruin the franchise (as he did previously with Star Trek).

On the other hand, there's so much to hate. The plot is a rip-off of the original Star Wars movie, so much so that the decision to "go in and blow it up" is a soul-killing perfunctory scene. Rather than being on the edge of your seat, you really just don't care, because you know how that part ends.

While JarJar Abrams thankfully cut down down on the lens flare, there's still to much that ruins every scene he applies it to. Critics keep hammering him on how much this sucks, but JarJar will never give up his favorite movie making technique.

The universe is flat and boring. In the original trilogy, things happen for a purpose. Everything that transpires is according to Palpatine's design. And even while we find his plans confusing, we still get the sense that there are plans. In this movie, the bad guys seem to act haphazardly, with no real plan. Deus Ex Machina is out in force, with JarJar Abrams conjuring things out of thin air to serve his purpose, even though if you think them through, they make no sense.

Many settings were similarly flat. Both JarJar Abrams and George Lucas create places that looked fantastically beautiful from afar. But JarJar often leaves it at that, whereas Lucas then goes onto explore his creations. We saw a lot of Naboo, Coruscant, Tatooine, Endor, Lando's Cloud City, and so on; they weren't just still pictures painted on a screen. In Force Awakens, we just touch down in a place and then leave again, without fully exploring it.

In other words, the latest episode doesn't have the soul or depth of Lucas's original. Lucas had a huge story, and let us peek at it with each movie. JarJar Abrams is small minded -- he's only interested in this movie, and doesn't care about the larger story. If we couldn't see it on the screen, JarJar put little thought into it. The difference is palpable.

But the characters of Rey and Fin save the movie. The actors are fantastically cast, especially Daisy Ridley's (Rey) quirkyness. Their yearning to grow is the same as Luke's that drove the original film, which is the part I identified with most as a child. It's what made me a Star Wars fan. It's beautifully portrayed at the start of the movie where each of the character reaches a point where they first say "no", and from that moment on start growing according to their own design, and not the design of those around them. And, each character finds that their own decisions actually make a difference. JJ Abrams deserves a lot of credit for how well this turned out. I don't care much about this new Star Wars -- except I want to know what these two characters do next.

In short, despite all that I hate JarJar Abrams, the movie is still worth watching. As everyone else goes to see the movie, the spoilers will start leaking out. Any single spoiler isn't going to ruin the movie, but the more you hear, the less interesting the movie will become. You really need to go see it this week, before all that happens.

Wednesday, December 16, 2015

All app developers should learn from WhatsApp-v-Brazil incident and defend against it

So Brazil forced the ISPs to shutdown WhatsApp (a chat app) for 48 hours, causing more than a million of their customers to move to Telegram (another chat app). Apparently, this was to punish WhatsApp for not helping in a criminal investigation.

Well, this is similar to how ISPs block botnets. Botnets, the most common form of malware these days, have a command-channel back to the hacker that controls all the bots in the network. ISPs try to block the IP address and/or DNS name in order to block access to the botnet.

Botnets use two ways around this. One way is "fast-flux DNS", where something like "" changes its IP address every few minutes. This produces too many IP addresses for ISPs to block. WhatsApp can keep spinning up new cloud instances at places like Amazon Web Services or Rackspace faster than ISPs can play whack-a-mole.

But ISPs can also block the domain name itself, instead of the IP address. Therefore, an app can also choose to use a "domain generation algorithm" or "domain flux".  This generates a new domain name based on the current time, which changes several times per day. Names will be something like "", using a predictable, but "pseudo-random" algorithm. This would generate too many names for ISPs to block, assume the algorithm was public. However, in practice, in situations like this, the ISPs wouldn't know the algorithm, so therefore, wouldn't know the list of names they needed to block.

The cool thing is that companies like WhatsApp can deploy such measures in their software really easily. but not tell anybody. The first time a government like Brazil tried to punish them, the ISPs would mysteriously fail at blocking the app. It would take days of research for anybody to figure out why.

This highlights two important points.

The first is that "governments", not just "hackers", need to be part of your threat model when developing apps/services. The second is that evil "malware" or "viruses" is often indistinguishable from good software. That's what things like the Wassenaar Arms Control export restrictions are doomed to fail, because it's impossible for regulations to clarify the difference.

Note: Apparently the court order specified '', '', all subdomains, and IP addresses used by those domains.

No, you can't shut down parts of the Internet

In tonight's Republican debate, Donald Trump claimed we should shutdown parts of the Internet in order to disable ISIS. This would not work. I thought I'd create some quick notes why.

This post claims it would be easy, just forge a BGP announcement. Doing so would then redirect all Syrian traffic to the United States instead of Syria. This is too simplistic of a view.

Technically, the BGP attack described in the above post wouldn't even work. BGP announcements in the United States would only disrupt traffic to/from the United States. Traffic between Turkey and ISIS would remain unaffected. The Internet is based on trust -- abusing trust this way could only work temporarily, before everyone else would untrust the United States. Legally, this couldn't work, as the United States has no sufficient legal authority to cause such an action. Congress would have to pass a law, which it wouldn't do.

But "routing" is just a logical layer built on top of telecommunications links. Syria and Iraq own their respective IP address space. ISIS doesn't have any "ASN" of their own. (If you think otherwise, then simply tell us the ASN that ISIS uses). Instead, ISIS has to pay for telecommunications links to route traffic through other countries. This causes ISIS to share the IP address space of those countries. Since we are talking about client access to the Internet, these are probably going through NATs of some kind. Indeed, that's how a lot of cellphone access works in third world countries -- the IP address of your phone frequently does not match that of your country, but of the country of the company providing the cellphone service (which is often outsourced).

Any attempt to shut those down is going to have a huge collateral impact on other Internet users. You could take a scorched earth approach and disrupt everyone's traffic, but that's just going to increasingly isolate the United States while having little impact on ISIS. Satellite and other private radio links can be setup as fast as you bomb them.

In any event, a scorched earth approach to messing with IP routing is still harder than just cutting off their land-line links they already have. In other words, attacking ISIS at Layer 3 (routing) is foolish when attacking at Layer 1 (pysical links) is so much easier.

You could probably bomb fiber optic cables and satellite links as quickly as they got reestablished. But then, you could disable ISIS by doing the same thing with roads, bridges, oil wells, electrical power, and so on. Disabling critical infrastructure is considered a war crime, because it disproportionately affects the populace rather than the enemy. The same likely applies to Internet connections -- you'd do little but annoy ISIS while harming the population.

Indeed, cutting off the population from the Internet is what dictators do. It's what ISIS wants to do, but don't, because it would turn the populace against them. Our strategy shouldn't be to help ISIS.

Note that I've been focused on clients, because ISIS's servers they use to interact with the rest of the world are located outside of ISIS controlled areas. That's because Internet access is so slow and expensive, they use it for only client browsing, not for services. Trump tried to backoff his crazy proposal by insisting it was only in ISIS controlled areas, but that's not how the Internet works. ISIS equipment is world wide -- the only way to shut them down is a huge First Amendment violating censorship campaign.

Here's the deal. The Internet routes around censorship. Of the many options we have, censoring the Internet in ISIS controlled territories is neither something we can do or would want to do. Simply null routing AS numbers in BGP and bombing satellite uplinks would certainly not do it. Cutting the physical links is certainly possible, but even ISIS's neighbors, all of whom oppose ISIS, have not taken that step.

Update: In response to Weev's comment below, I thought I'd make a few points. The Pakistan goof did not disable all of YouTube, just areas with a shorter route to Pakistan than the United States, such as Europe. Also, while it's possible to create disruption, it's impossible to do so for a long period of time, as the Pakistan incident showed when after a bit everyone just ignored Pakistan. It hurt Pakistan more than YouTube. Lastly, ISIS has no ASN to null route. If you disagree with me, then name the ASN. Instead, the ASNs in ISIS controled areas are those from Syria, neighbors like Turkey and Iran, and possibly other countries like China. Trying to block them all would cause huge collateral damage.

Update: If you think you can wage war by spoofing BGP, then it means ISIS-friendly ISPs can retaliate by spoofing back. It's not a precedent you want to establish.

Thursday, December 10, 2015

Policy wonks aren't computer experts

This Politico story polls "cybersecurity experts" on a range of issues. But they weren't experts, they were mostly policy wonks and politicians. Almost none of them have ever configured a firewall, wrote some code, exploited SQL injection, analyzed a compromise, or in any other way have any technical expertise in cybersecurity. It's like polling a group of "medical experts", none of which has a degree in medicine, or having a "council of economic advisers", consisting of nobody with economics degrees, but instead representatives from labor unions and corporations.

As an expert, a real expert, I thought I'd answer the questions in the poll. After each question, I'll post my answer (yes/no), the percentage from the Politico poll of those agreeing with me, and then a discussion.

Should the government mandate minimum cybersecurity requirements for private-sector firms?

No (39%). This question is biased because they asked policy wonks, most of which will answer "yes" to any question "should government mandate". It's also biases because if you ask anybody involved in X if we need more X, they'll say "yes", regardless of the subject you are talking about.

But the best answer is "no", for three reasons.

Firstly, we experts don't know what "minimum requirements" should be. The most common attacks on the Internet are SQL injection, phishing, and password reuse. We experts don't know how to solve these problems. Even if everyone followed minimum requirements, it wouldn't make a difference in hacking.

Secondly, "requirements" have a huge cost. The government already has a mandate for minimum requirements for government products, called "Common Criteria". It costs millions of dollars to get a product certified and make no difference in cybersecurity.

Finally, it would kill innovation. The industry is in a headlong rush to "IoT", the "Internet of Things", where every device in your home, including hair driers and Barbie dolls, are Internet enabled. I'll be at the forefront pointing out the laughable security in these devices, and how they easily allow hackers into your home. But to force innovation to halt for the next decade while they addressed cybersecurity instead would be a travesty. A better model is for them to ship crap first, for us in the industry to laugh and mock them for their obvious bugs, and for them to fix it later.

Should companies provide a "back door" for law enforcement to gain access to a program or computer?

No (85%). This one is a no brainer. Even the most pro-law-enforcement among us recognize the problems with this one.

If passed, would the cybersecurity legislation under negotiation result in the appreciable reduction in cyber breaches of U.S. firms?

No (74%). This one surprised me, since most of the responses are from Washington D.C. policy wonks. But then the truth of CISA is that nobody cares whether it actually works -- they want it firstly so that they appear to be addressing the problem, and secondly as a platform to stick amendments onto.

If passed, would the cybersecurity legislation under negotiation present a significant loss of privacy for Americans?

Yes (35%). Sadly, I'm in the minority. The reason is that policy wonks believe that the intention of CISA isn't to invade privacy, so they'll answer "no". However, privacy invasion is an unintended consequence of information sharing, which is why privacy advocates answer "yes".

Do you expect a major cyberattack against U.S. critical infrastructure to occur within the ...

Century (0%). The only choices they gave were Next year (9%), Net five years (48%), and Next decade (43%). They are all morons. It's roughly the same answer "experts" have been giving for the last 15 years, which has shown that they've been consistently wrong.

Hacking into a power company and causing a blackout is deceptively easy. A lot of these people are privy to "pen test" reports showing how hackers easily broke into a power grid and put their virtual fingers on the proverbial button to turn off the power.

But just because it's possible doesn't mean that people will do it. It's equally possible for Al Qaeda, the North Koreans, or the French to send sleeper agents into the United States to create explosives from off-the-shelf ingredients, and then bomb key power distribution points to cause mass blackouts throughout the country. Attacking the grid with cyber is easy, but attacking it "kinetically" is still even easier. I've done pentests of the power grid. If you hired me to cause mass blackouts, I'd predominantly use explosives.

The biggest issue, though, is that the United States critical infrastructure is incredibly diverse, involving 10,000 different companies. Small, temporary blackouts are easy, but a "major" blackout affecting a large part of the grid is impractical, at least, unless you spent many years on the problem.

Eventually something might happen. But what we'll see is a range of minor attacks against critical infrastructure long before we see a major attack. Those minor attacks haven't happened yet, and until they do, we shouldn't get worried about it.

Does working for the U.S. government now mean accepting that your personal information will be accessed by foreign governments?

Yes (77%), but really, it's always been this way. Throughout the cold war, the biggest thing spies did was figure out everyone working for foreign intelligence agencies. It's always been known that if you get clearance, you get put on a list that our adversaries (Russia, China, the French) would know about, meaning that even casually traveling to those countries as a tourist might get your hotel room bugged.

The OPM breach changes none of this. I suspect the OPM breach was by much lower level hackers, and they are finding it hard selling the information because all the potential buyers already have it.

Should the U.S. government pardon Edward Snowden?

No (91%), but not for the reasons you think.

I'm on the side who thinks Snowden is a hero. However, breaking your word should have consequences. I'd like to think given the same situation as Snowden, I'd've leaked that Verizon court order, but I would have stayed to face the consequences and go to jail.

Anybody in government who has taken solemn oaths (especially the military) is likely to agree with me, regardless of what they think about mass surveillance.

Is cybersecurity over-hyped as a problem?

Yes (19%), of course it is. It's obvious the Internet is secure enough, or people wouldn't be putting everything on the Internet. No matter the costs of hacking/insecurity, they are less than the benefits of the Internet.

For example, credit card fraud is the biggest cybersecurity problem today, but is so small that we get "cash back" from credit cards, because the amount of fraud is still less than the fees they charge designed to compensate for fraud.

Of course, this question has the same biases I mentioned above. If you ask anybody involved in X if the public needs more awareness of X, they'll almost always say "yes".

Has the U.S. military been too hesitant to conduct offensive cyber operations?

No (77%). The other 23% say "yes" because they've seen situations where we could've, but didn't.

But "no" is the right answer. By itself, the mass global cyber surveillance uncovered by Snowden is evidence that we are the most aggressive actor in cyberspace. But beyond surveillance, we have a very active program of cyber-offensive.

Will we reach an agreement on international rules of the road in cyberspace?

Blerg (0%). That's sort of a nonsense question. Will we reach agreements? Yes. That's the sort of thing politicians do. Will they have any meaning? any teeth? Will countries abide by them? Probably not.

We've already one instance, the Wassenaar agreement controlling "cyber weapons", and it's turning out horribly, not what anybody expected.

Are U.S. government officials too hesitant to publicly attribute cyberattacks to other countries?

No (39%). The reason policy wonks answer "yes" is that they can point to examples where the government was hesitant, such as that DDoS attack against GitHub that was clearly by the Chinese government.

But at the same time, we can point to many opposite cases where the government is too eager to attribute attacks to other countries, such as the Sony hack attributed to North Korea.

It's hard to say which happens more often, but in my experience, attacks that are legitimate from "other countries" aren't actually directed by those countries. Government foster an environment that makes attacking the U.S. easy, but don't actually direct the attacks.

It's like the terrorist attacks in Paris and San Bernadino. ISIS claims credit, but it's unclear how much was directed and supported by ISIS, and how much the attacks were planned by locals in ISIS's name. In much the same way, there are lots of cyberattacks from China and Russia against the United States, but I'm not sure how much they are directed by their respective governments.

Is the no-commercial cyberspying agreement between President Barack Obama and chinese President Xi Jinping likely to lead to a reduction in economic hacking by China?

No (60%). At most, it'll stop the direct attacks from the Chinese Army, but hacking is rife in Chinese society, so I'm not sure how much that will stop. On the other hand, information about who in society is hacking percolates up the food chain, so it's possible that the central government could crack down on those hackers if it wants. I imagine a situation where there's this hacker who has been living in a mansion for a decade, selling secret's he's hacked with collusion from Chinese officials, to be surprised by the secret police showing up one day and arresting him.

Wednesday, December 09, 2015

Some notes on fast grep

This thread on the FreeBSD mailing discusses why GNU grep (that you get on Linux) is faster than the grep on FreeBSD. I thought I'd write up some notes on this.

I come from the world of "network intrusion detection", where we search network traffic for patterns indicating hacker activity. In many cases, this means solving the same problem of grep with complex regexes, but doing so very fast, at 10gbps on desktop-class hardware (quad-core Core i7). We in the intrusion-detection world have seen every possible variation of the problem. Concepts like "Boyer-Moore" and "Aho-Corasick" may seem new to you, but they are old-hat to us.


Your first problem is getting the raw data from the filesystem into memory. As the thread suggests, one way of doing this is "memory-mapping" the file. Another option would be "asynchronous I/O". When done right, either solution gets you "zero-copy" performance. On modern Intel CPUs, the disk controller will DMA the block directly into the CPU's L3 cache. Network cards work the same way, which is why getting 10-gbps from the network card is trivial, even on slow desktop systems.


Your next problem is stop with the line parsing, idiots. All these command-line tools first parse to the end-of-line, either explicitly (such as memchr()) or implicitly (such as reading input with fgets()). This double-parses the data -- and even memchr() is likely slower than the regex algorithm, unless you are using the new AVX "TEXT" instructions that can process 16 bytes per clock cycle.

I mention this because all the command-line tools, from grep to awk to wc, suffer from this problem. Consider wc, "word count", as bottom limit for a simple command-line, text-processing utility. What can be simpler than counting the number of words in an input file? In fact, it's needlessly complex and slow, such as double-parsing end-of-lines,. It therefore represents a sort of upper limit on parsing speed. You can almost always parse text files faster than wc can. Benchmark your text parser, and if it fails to be faster than wc, then go back and fix it.

I've created a DNS server that must parse the 8 gigabyte ".com" zone file. It does so several times faster than wc, even though the parsing (and building an in-memory database) is a much harder task. This demonstrates the problem that parsing end-of-line causes in code.

NFAs and DFAs

regex gets converted into a finite-automata, either an NFA (nondeterministic finite-automata), or DFA (deterministic finite-automata).

An NFA uses low amount of memory, but a lot more CPU power. Some complicated regexes will cause unbounded CPU to be used. It's actually a vulnerability in systems that allow users to submit regexes -- they can submit some that cause the CPU to go into a nearly infinite loop.

A DFA uses a tiny amount of CPU power, but a corresponding large amount of memory. Some complicated regexes cause the amount of memory to explode -- though they are typically different expressions than those which cases NFA problems. Again, this is a security problem, as hackers can submit regexes that consume all memory.

The perfect regex system combines DFA and NFA. The DFA portion is for those things that encode well in a DFA with low memory, plus the first parts of those patterns that'll eventually match using NFA. It'll be very fast in the normal case, while also be memory efficient. Also, it should be able to avoid hostile patterns that cause memory or CPU to explode.

DFA speed

A DFA is essentially just a big table, with a state variable pointing to the current row. Each new byte of data then looks up in the current row to find the next row to point the state at.

The speed of DFA is about 9 instructions per byte input, regardless of the size of the table. Since Intel CPUs can easily execute 3 instructions per clock cycle, that's roughly 3 clocks per byte of input.

However, the limit is not the number of instructions executed, but the speed of the L1 cache. Each new byte of input requires reading a new table row from memory. In random input, these rows will be in L1 cache. Modern x86 processors require 4 clock cycles to read the L1 cache. Thus, each byte of input costs 4 clock cycles.

Consider Intel's latest "Skylake" Core i7 CPU that runs a quad-core at 4.0 GHz. That translates to a DFA running at 1 gigabyte per second, or 8 gbps. On four cores, that's essentially a theoretical speed of 32 gbps. That's why modern desktop CPUs are easily fast enough for something like a 10-gbps network intrusion detection system.

Note that much the same logic applies to low-end ARM CPUs, such as those found in cellphones and microservers like the Raspberry Pi.


The original grep thread, however, started with the Boyer-Moore algorithm. Consider if you are searching for the pattern "xxxxxxxxxx". This means that instead of looking at each byte of input, you can skip forward every 10 characters and test for an 'x'. If there's no 'x', then you know that the pattern can't fit within the previous 10 bytes, and you can just skip forward again. But, if there is an 'x', then you have to stop and search backwards for the start of the string, then test for a full match.

More complicated patterns like "abracadabra" means skipping forward, then testing to see if the character is one of "abcdr". Testing for multiple words at a the same time works the same way. Each skip is for the shortest word, and the characters tested are a combination of all the words.

Thus, for a 10 character pattern, Boyer-Moore is essentially 10x faster than a regex DFA. On the other hand, the system quickly breaks down when there are lots of patterns or any short patterns. As soon as a 3 byte pattern is entered into the mix, or there are enough characters that they start matching on random input, then the entire system becomes much slower than a DFA.


The perfect grep would therefore look like the following:

  • got data into memory with zero-copy (either memory-map or async)
  • didn't parse newlines first
  • used mixed DFA and NFA for regex
  • used Boyer-Moore instead for simple patterns

Monday, December 07, 2015

Joking aside: Trump is Unreasonable

Orin Kerr writes an excellent post repudiating Donald Trump. As a right-of-center troll, sometimes it looks like I support Trump. I don't -- I repudiate everything about Trump.

I often defend Trump, but only because I defend fairness. Sometimes people attack Trump for identical policies supported by their own favorite politicians. Sometimes they take Trump's bad policies and make them even worse by creating "strawman" versions of them. Because I believe in fairness, I'll defend even Trump from unfair attacks.

But Trump is an evil politician. Trump is "fascism-lite". You'll quickly cite Godwin's Law, but fascism is indeed the proper comparison. He's nationalistic, racist, populist, and promotes the idea of a "strongman" -- all the distinctive hallmarks of Nazism and Italian Fascism.

Scoundrels, like Trump, make it appear that opposition is unreasonable, that they are somehow sabotaging progress, and that all it takes is a strongman with the "will" to overcome them. But the truth is that in politics, reasonable people disagree. I'll vigorously defend my politics and call yours wrong, but at the end of the day, we can go out and have a beer together without hating each other. Trump-style politicians, on the other hand, do everything in their power to delegitimatize or dehumanize their opponents, stoking the fires of hate.

If only we had a strong leader, one able to overcome the illegitimate opposition, then progress can be made. That was the fundamental argument of Mussolini's "Fascist" party, and later Hitler's. It's a morally bankrupt position, as Benito and Adolf shows us. Gridlock often happens in a Democracy. For all that you don't get what you want, because of political gridlock, the more democratic a society, and the more "political" everything is, the more prosperity they enjoy.

Trump's racism is almost childlike in its simplicity, But even here, there's an undercurrent of fascism. Trump describes the Mexicans and Chinese as "clever" people who take advantage of us. Despite his protestations that he likes the Mexicans and Chinese, this comes uncomfortably close to Nazism. Hitler killed Gypsies and Slavs in huge numbers, but the particular hatred he had for Jews was that they were a "clever" people taking advantage of Aryans.

While we reject Trump, we still need to take his positions seriously. What do you call somebody who is stupid, uneducated, crazy, and bigoted? The answer is "voter". Trump knows this, and appeals to these people are just fed up being called stupid, crazy, and bigoted. No, that doesn't mean we enact racist policies that Trump proposes. But it does mean that we take voters seriously, explaining yet again why bigotry matters, rather than simply shrugging them off.

Anyway, this post is trying to just make it clear that I don't support Trump in any way. All the remaining Democrat/Republican candidates in the race are reasonable people that would make adequate presidents, except for Trump. Sure, they all have their downsides, but they are all about average for politicians. The only one that's exceptional and unreasonable is Trump.

Friday, December 04, 2015

Tesla is copying Apple's business model

One of the interesting things about Tesla is that the company is trying to copy Apple's business model. As a Silicon Valley entrepreneur myself, and an owner of a Tesla car, I thought I'd write up what that means.

There are two basic business models in the world. The first is cheap, low-quality, high-volume products. You don't make much profit per unit, but you sell of a ton of them. The second is expensive, high-quality (luxury), low-volume products. You don't sell many units, but you make a lot of profit per unit.

It's really hard to split the difference, selling high-volume, high-quality products. If you spend 1% more on quality, your customers can't tell the difference (without more research on their part), so you'll lose 10% of your customers who won't accept the higher price. Or, you are selling to the luxury market, lowering price to sell more units means lowering quality standards, destroying your brand.

Rarely, though, companies can split the difference. A prime example is Costco. While the average person who shops at Walmart (low-quality, high-volume store) earns less than $20,000 per year, the average income of a Costco customer is over $90,000 per year. Costco sells high-quality products to these customers, but it does so at high-volume, keeping the prices low.

Apple is another company that succeeds at this, selling higher quality products at enormous volumes, at mainstream prices.

It's at this point that those who don't like Apple laugh at me for calling it "quality" products. They are wrong. While many aspects of quality are subjective, leading some to dislike Apple, other aspects are objective.

Most luxury products are really only subjectively quality products. Take Ferrari cars, for example. Sure, they go fast, but they also spend a lot of time in the shop. Likewise, a lot of high-fashion falls apart if you wash it. The biggest lie in luxury is Whole Foods, which often sells crap products like bottled tap water for high prices.

At the same time, some quality measurements are objective. That's how Costco works. For every product category, their buyers apply rigorous quality tests before selling something under their "Kirkland" brand, whether it's soap, cola, vodka, luggage, or shoes.

Likewise, Apple is objectively a quality product. Take an Apple power supply, remove any branding, and give it to an engineer to compare against other power supplies. The engineer will tell you that the Apple product is better designed and uses higher quality components.

But being higher quality doesn't work if customers don't know it. That's why every other company has crappy power supplies, because it's not a value that companies can communicate to their customers. The customers don't care.

That's where branding comes in. The business models of Costco and Apple are precarious. As soon as customers fail to recognize their better quality, they'll leave these companies for cheaper products. That makes these companies focus obsessively on maintaining both subjective and objective quality. This communicates the brand of quality even when customers can't judge for themselves.

Look at the Apple power supply, on the outside. It screams "APPPLE". It's not (just) the logo that does this. It's the fact that the power supply has the same white plastic, curved edged design of the first iPods and MacBooks. Subjectively, every bit of the power supply feels different than the standard industrial bricks sourced from random vendors. Even if it's not actual quality, subjectively it feels different, and hence (if you like Apple) better.

The problem with all this "quality" is that it gets expensive. It can easily double the price. Customers impressed with Apple's quality wouldn't be willing to pay for it. Sure, they'll pay 30% more, because it's a status symbol and "cool", but they won't pay double. Therefore, Apple has to tackle the cost issue.

They do this with "NRE" or "up-front" payments. The reason quality components are expensive is because they are produced in low volume, the same business model duality described above. Apple has to push its business model down through the supply chain. That means going to vendor, giving them a bunch of money (Non-Recurring Engineering) to design a higher quality part, then capital so they can build a factory to produce that part in volume. In exchange, Apple then gets to buy that part at a low price.

Apple is so good at this that they can produce a high-quality iPhone at the same cost as low-quality competitors. This produces huge profits per iPhone. Even though Apple sells less than 20% of all mobile phones, it earns most of the industry's profits. Nobody can compete with them. Another vendor wishing to enter the market doesn't have enough capital to create the same deals Apple gets, so can't produce a quality phone as cheaply, and thus must sell in lower volumes for lower profits. And even then, they still can't compete because such a low volume product can't generate enough profits for the engineering required. And, there is certainly no money left over to create the luxury branding needed to support the marketing.

Thus, not only is Apple's model unique, nobody else can replicate it. At least, not in any market where Apple competes.


Now let's talk about Tesla. Their endgame is to be like Apple, but for cars. That means selling a high-margin product, but at volume competing against other lower-priced competitors.

That car will probably be the Model 3, a $35k car that sells against a Chevy Volt, Nissan Leaf, and BMW i3.

To get there, Tesla needs to first create a brand, namely "it's what the cool people drive". Branding isn't your name, logo, motto, or anything conscious. Branding is about unconconscious emotions. People move from Android to iPhones (and rarely the other direction) simply because of the emotional feeling that it's why the cool kids own. It's like buying a kid an XBox for Christmas, which objectively meets the kid's needs better any other console, but having the kid cry because all the cool kids at school have PlayStations. Tesla is trying to create a brand that'll cause kids to cry if you don't buy them one when they turn 18.

Part of that is their rebranding of "internal combustion engines", or "ICE", as uncool. It's weird talking to Tesla owners and their disdain for ICE, as if they all went to the same cult. It's like some shameful cooties that other car makers have that they'll never be able to get rid of. Even though BMW produces an all-electric i3, they still can't shake their ICE heritage.

And indeed, it is a hard heritage to move beyond, as this story describes. Existing car companies sell through dealers, which make their profits by servicing cars, which electric cars need less of. Thus, the sales people steer customers toward gasoline cars, or try to trick them into paying for a "service" plan that includes free oil changes -- something electric cars don't need. It's like watching Microsoft flail around with its tragicly un-cool "Zune" against the iPod. Objectively, it was just as good or better. Subjectively, they failed in branding against Apple in every possible way marketing people can fail.

Ultimately, what Tesla is trying to do with the current model (Model S) is to create a "cool" factor that it can later apply to the later mainstream model (Model 3). It'll take them time to ramp up production and support network, so the number of cars they can build is limited anyway. Therefore, they make the coolest car possible for under $100,000.

And they succeeded. The Model S is better than every other sedan on the market, and also better than most all sports cars. It's better in every single metric but one (long distance driving). The huge battery means it drives three times further than any other electric car. Because of the huge battery, it can generate faster acceleration than any car costing less than $1 million. Because of the huge battery sitting at the bottom of the car, lowering the center of gravity, it's handling is better than any other car not specifically tuned for the track. It's not just this, but a long list of other cool features, like the central control unit, the aluminum body, the self-driving features, and so on.

In short, the Model S is iconic, like Apple. It's the mostly highly rated car in car enthusiast magazines ever.

The mainstream Model 3 won't be as iconic, because it'll be cheaper. But yet, the brand will be established. For example, the high-end Model S is nearly all aluminum, but the cheaper Model 3 will be mostly steel. But yet, marketing will still focus on the few remaining light-weight parts, extolling their virtues, even though in practice they are little different than competitors. The competitors won't be able to get into a fight over whose car is lightest, because then Tesla will always fight back with the Model S. Apple has been doing this for years with things like processor speed -- objectively, it's no faster, but subjectively, they convince the faithful it's somehow better.

In much the same way that Apple became the biggest consumer of flash memory, and used it's capital to guarantee it paid the lowest price in the industry, Tesla is doing the same with batteries. The Model S has three times the battery per car as any other electric vehicle, and sells more electric cars than anyone else. Thus, it drives the battery market.

That's why they are spending so much capital on the "Gigafactory" to produce batteries, currently partnering with Panasonic. Just like Apple has to spend capital to get low-cost parts and flash memory, Tesla has to spend capital to guarantee cheap batteries. That means when the mainstream Model 3 starts competing against the Volt, Leaf, and i3, it'll have larger batteries for a cheaper cost than its competitors.

It's weird watching business models like this unfold. Existing car companies aren't willing to bet that much capital in an unproven market. Tesla's investors, on the other hand, are betting everything to create that market. Thus, Tesla can do things that entrenched companies cannot. Assuming Tesla continues to be competent, and that the electric car market grows, then they should command the lion's share of it -- just like Apple.

Recently, industry veteran Bob Lutz wrote an op-ed claiming Tesla was doomed because it didn't have a dealer network like at traditional car company. It's just like reading the op-eds from Nokia, Microsoft, and Blackberry when Apple released the iPhone. Lutz might be partly right that Tesla needs dealers to provide capital to for inventory management, but he's otherwise profoundly wrong. Tesla breaks dealership model even if it didn't want to, such as different way electrics need servicing. Dealerships are corrupt quasi-monopolies, and nobody likes dealing with them. Sure, Tesla may lose some sales because customers can't drive a car instantly off the lot, but they'll also gain customers fed up with corrupt businesses. Putting showrooms in shopping malls instead is just one more way that Tesla easily makes itself distinctly different from its internal combustion competitors.

With all the good ways Tesla is executing on Apple's business model, it's also making a lot of mistakes. There are lots of small design flaws in the Model S, and some clearly lacking areas. For example, the voice command system is decade old crap. Tesla desperately needs to license a better one from Apple (Siri), Microsoft (Cortana), or Google (Ok Google).

What these flaws show is that Tesla doesn't have Musk's full attention. He's off dreaming about hyperloops, solar panels, and SpaceX. Tesla doesn't have somebody like a Steve Jobs, or even a Jonathan Ive, who obsesses over every small detail to make everything perfect. This flaw can be fatal. The Tesla Model S driving experience is so awesome is makes us look past the small flaws, but there's no excuse for those flaws to exist. If they persist, they'll kill the Model 3. Imagine test driving a Nissan Leaf with Apple Siri embedded, where you can ask about last night's game scores, and then step into a Model 3 which can't even dial a phone properly. Car innovation is continuing beyond the electric model and self-driving features -- Tesla needs to be up near the front on all of them.


When Apple released the iPhone during the recession, I bought a bunch of Apple stock -- enough to buy my Tesla Model S from the gains. Just by looking at the product, business model, and the market, it should've been obvious to anybody that Apple had changed everything.

Electrics aren't quite the same game changer -- they are still cars. The challenges of charging them, and the inability of pure electrics to drive long distances, mean that they won't take over the market. In a decade, though, even without government subsidies, they'll command a good 30% of the market. Even if Tesla isn't one of the top car companies, there's a good chance it'll be one of the most profitable -- if it can continue to execute on this model. High margins means that even if it's not selling the most cars, it could be earning the most profits in the industry.

Their stock is already high, and Musk doesn't seem to be executing as well as Jobs, so I'm not interested in buying their stock. But really, the Model S is an awesome car to drive.

Wednesday, December 02, 2015

Why "Force Awakens" will suck

JJ Abram’s movie “Super 8” is an underrated masterpiece. It leads me to believe that he actually “gets it”. But then, everything else JJ has done convinces me he really doesn’t. He destroyed Star Trek, and I’m convinced he’ll do the same to Star Wars. I thought I’d list the things he almost certainly gets wrong in the “Star Wars: Force Awakens” movie.

The movie hangs on spoilers

The original Star Wars was known for the way that people repeatedly saw it in theatres. There were no spoilers. Sure, they blow up the Death Star, but knowing this ahead of time detracts not a whit from the movie. In Episode I, most of us know that Palpatine is the Emperor. Knowing this spoiler doesn’t detract from the movie, but adds to it. Sure, the original series had the “Luke I am your father” spoiler, but knowing that ahead of time detracts nothing from the movies.

But JJ loves the big reveal. It’s like Lost, where season after season we didn’t know what was going on. Worse yet, it’s like his second Star Trek movie, where we weren’t supposed to know it was really Khan. It makes watching the movie a second time a chore.

My bet is this: we won’t be watching Force Awakens multiple times, unlike the original sextology.

It’s just one episode in an epic saga

As everyone knows, Lucas created a huge, epic story, and then told only one episode in the original movie. This requires two disciplines. The first is that you create that epic story, and think through all the various threads. The second, and harder discipline, is that you don’t tell the epic story. Instead, let the audience imagine what that might be. Luke killed womprats with his T16, but we never actually learned what a womprat or T16 looked like.

I doubt that JJ has created the epic story that Lucas did, but more importantly, I don’t think he has the discipline to restrict which parts he tells. JJ loves movie masturbation, showing us everything that’s in his head, not guiding our imaginations as Lucas did. The only time he hides things is behind excessive lens flar


Many believe the good vs. evil in the original movie was black and white, literally, with Darth Vader wearing black and Luke Skywalker wearing white. In fact, it was more nuanced than that. Luke is excited by the Rebellion, but not because he really shares their aims, but because it’s interesting. In fact, Luke wants to attend the Imperial Academy in order to become a pilot, leaving it ambiguous which side he’d fight for. Han Solo is both an evil smuggler (who shoots first, damnit!) and has a change of heart that saves the day at the end.

In most movies, “evil” is simplistic, we never learn its motivations, other than evil is just what the bad guys do. In Lucas’s Star Wars, “evil” is complex, whether it’s Grand Moff Tarking squabbling with his advisors, or Palpatine’s struggle to become emperor.

Indeed, the entire point of the series is that we aren’t sure which side we are rooting for. The Jedi council has become hopelessly corrupt, and pretty much deserved what it got. In the first movies, we are rooting for the side of the Republic against those evil separatists – only to find the Republic becoming the Empire that we root against in the later movies.

JJ may have nuance. Apparently, one of the heroes is a former storm trooper. But I’m hoping for more. I want Luke wielding the Dark Side. Instead of remnants of the empire being the bad guys, I want the victorious Rebellion of the first movies to have become tyrannical overlords. I want good vs. evil to not be determined by which side you happen to be on (us vs. them), but your core principles that are inviolate. Action should be driven by the fact that your side changes its principle to suit its desires, which makes them become out-of-step with your own fixed principles.

It’s not an action movie

Sure, Star Wars has lots of light saber duels, but ultimately, it’s not an action flic, but a thinking flic. The tension is that action is always on the periphery, ready to break out, even when nothing special is happening. It’s like when they go to Mos Eisly to get passage off planet, calmly getting a drink at a bar and negotiating with a smuggler. Action is ready to break out at any moment, especially with storm troopers breathing down your neck, so there is constant tension -- but the action that does happen is brief.

Or, in the prequels, there is a lot of time spent debating crap in the senate, even while action continues to happen on Naboo. We don't see the action to know that it's happening.

But JJ doesn’t do “thinking” well. That’s how he ruined Star Trek, removing all the deep thoughts by Gene Roddenberry about the future, and converting the franchise into a cheap gimmicky sci-fi action flic fully of explosions.

You see that in the trailers. The original Episode I trailer, while promising action, also promised deep thinking pauses. The Force Awakens trailers promise little but action.

OMG the Tropes

A trope is like a cliche, something that movies overuse (see A master filmmaker like Lucas knows that he audience is familiar with common tropes, so he only has to hint at a trope in order to use it. Joss Whedon is a another master at using tropes well in TV/film.

It's like when Luke arrives in Leia's cell "I'm here to rescue you". Yes, that's a boring "guy rescues girl" trope, but then everything after that point happens nothing like the trope, with Leia taking control and rescuing the hapless party from themselves.

Everything in Star Wars is a trope. You are supposed to draw the lines back to Kurosawa or WW II movies. And you are supposed to appreciate how Lucas didn't simply copy them, but morphed those tropes into a wholly original and new film.

JJ, on the other hand, is like most filmmakers who simply repeats the trope, adding nothing to it. Watching his Star Trek movies was painful, as he reused trope after trope. It's like he decided James T. Kirk was a rebel, then consulted for all the stupid rebel tropes he could stick in the movie.

It's a franchise, damnit

Lucas famously got rich off the first Star Wars not from the movie itself, but from the merchandising. The movie is only one part of a larger franchise. It's the franchise that's the money maker, not any particular movie.

TV shows get it. Some shows are bad, but exist not to be watched by themselves, but to service the larger story arc. That's why some of the original Star Trek movies were flops -- but yet were essential to the overall franchise. Sure, the first movie with Vger was high concept art that didn't work well with audiences, but at the same time, was essential to establishing Star Trek among fans.

My fear is that JJ Abrams wants this movie to be a big hit, sacrificing everything else in the franchise. That's what he did to the Star Trek movies, creating sci fi action flics that did nothing to service the larger Star Trek universe, exploiting the fan base rather than servicing the fan base.


The Force Awakens looks like a good movie. We all want to see the Millenium Falcon soar again, so it looks exactly like what we want. But at the same time, we want more than cheap thrills, we want substance. JJ Abrams' past work shows that he can sometimes deliver substance, but he fails to do so in the bulk of his work. I fear that he's going to destroy the Star Wars universe, to become known as Jar Jar Abrams for the rest of eternity.

Tuesday, December 01, 2015

NSA needs more EFF hoodies

A few months ago, many stories covered "", a group that bought billboards outside NSA buildings encouraging moderates to leave intelligence organizations. This is a stupidbad idea.

For one thing, it's already happening inside the intelligence community. Before Snowden, EFF hoodies were tolerated. From what I hear, they aren't anymore. Anybody who says anything nice about the EFF or Snowden quickly finds their promotion prospects reduced. And if you aren't being promoted, you are on track to be pushed out, to make room for new young blood.

The exit of moderates is radicalizing the intelligence community. More and more, those who stay want more surveillance.

In my own experience, the intelligence community is full of pro-EFF moderates. More than anybody, those inside the community can see the potential for abuse. For all that mass surveillance is unacceptable, the reality is that it's not really being abused. These people stop abuses. The NSA really is just focused on catching evil terrorists, not on tracking political activists in America. All this power is in the hands of people who use the power as intended.

A mass exodus of moderates, though, will change this, creating a more secretive and more abusive organization. The NSA is nowhere near how "Enemy of the State" imagines, but could easily become that bad when all the moderates leave.

Instead of encouraging moderates to leave, we should be encouraging them to stay. Not just stay, we should be encouraging them to speak out. We should have an organization supplying free EFF hoodies to everyone in intelligence.