Insecurities

Sometimes, the world isn’t a very nice place.

When the Internet was invented, it was a space for collaboration. The technical challenge of connecting disparate computer systems in remote locations was daunting. The goal was to allow researchers at the various locations to work together, sharing data, analyses, and perspectives.

https://www.flickr.com/photos/michaelsarver/62771138The idea that some members of the community would try to exploit the system to gain access to information or resources that don’t belong to them was inconceivable. The researchers and engineers designing the protocols and tools that eventually became the Internet were focused on getting the system to work. They weren’t worried about security.

That oversight is a common thread for innovation. We often underestimate how new technologies will be misused. Einstein famously regretted his work on the atomic bomb. Kalashnikov was horrified that his rifle was used by so many to cause so much terror. Sometimes, we fail to consider the worst consequences of our best ideas. We’re so focused on making the impossible practical that we don’t spend much time considering whether impossible is such a bad thing.

The Internet has struggled with its underlying insecurity for decades. We have replacements for telnet and ftp that encrypt communications to keep anyone from eavesdropping on them. We have https to allow encrypted web traffic. We use WPA to protect wireless traffic. We can even encrypt email if we have to, but almost no one does. Security is still an afterthought. It’s bolted on to a product or protocol after it already works. Because it’s much simpler, the insecure versions are always more reliable and faster and more efficient and more convenient. We often prioritize these things ahead of security, and continue to use technologies that we know will get us into trouble eventually.

The tech industry didn’t learn from the development of the Internet. Operating systems, too, were designed for a single user who has total access to everything, as were phones and tablets. The idea that this computer might be connected to other computers, and that other software and users might exploit their access is often ignored. Even today, we run into a lot of software that won’t work without complete control over the entire computer and everything on it.

On the network side, system requirements for just about every software package we use require us to eliminate all aspects of security. They often require firewall and filtering exceptions that make our systems more vulnerable. When we point this out, we hit a brick wall. If we can’t prove that we’ve followed their requirements to the letter, they won’t help with any problems we may have.


When you’re developing software, if you design it to work first and then try to add in security later, it doesn’t work right. You end up in cycle where you try to make it more secure, but those efforts break some critical functionality. When you fix those bugs, you introduce more security problems. The result is a program that constantly needs updated, but that never really reaches a point where it’s both secure and reliable.

This process used to be hidden from most people through the beta testing process. Back in the ’90s, it was cool to get betas of new software. You could try out new software in exchange for providing feedback to the developers to help them fix bugs and get the product ready for the general public. I remember being excited about new beta versions of web browsers. It was an exciting time when you could get a glimpse of what’s next.

As we’ve moved along, though, it seems like ALL software is beta software now. Each update comes with that wonderful anticipation of the new problems we’re sure to have. The industry constantly tells us we have to keep all of our software updated, but every time we do, something breaks. That’s okay. There’s a new version next week to fix that major problem. And the update next month will fix the security vulnerabilities introduced by this fix.

We’re living in a world where software doesn’t have to work reliably or securely. It just has to be “good enough” for now. Ship new versions quickly and regularly, and don’t worry too much about it. Every time I start up my phone or my computer or my tablet or my Chromebook, I have a nice new collection of crappy software to install.

So what’s the solution? How do we move away from this endless cycle? I think it comes down to the license agreement. You know, those terms you agree to without reading every time software tries to install or update? In Google’s case, the relevant parts are sections 13 and 14 (some of which I’ve left out). They put it in all caps so you know it’s important:

13.3 IN PARTICULAR, GOOGLE, ITS SUBSIDIARIES AND AFFILIATES, AND ITS LICENSORS DO NOT REPRESENT OR WARRANT TO YOU THAT:
(A) YOUR USE OF THE SERVICES WILL MEET YOUR REQUIREMENTS,
(B) YOUR USE OF THE SERVICES WILL BE UNINTERRUPTED, TIMELY, SECURE OR FREE FROM ERROR,
(D) THAT DEFECTS IN THE OPERATION OR FUNCTIONALITY OF ANY SOFTWARE PROVIDED TO YOU AS PART OF THE SERVICES WILL BE CORRECTED.

13.6 GOOGLE FURTHER EXPRESSLY DISCLAIMS ALL WARRANTIES AND CONDITIONS OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT.

Translation: I don’t know what you think this software is going to do, or if you’ve bought into all of our marketing hype, but no matter how low your expectations are, you should lower them more. 

14. LIMITATION OF LIABILITY

14.1 SUBJECT TO OVERALL PROVISION IN PARAGRAPH 13.1 ABOVE, YOU EXPRESSLY UNDERSTAND AND AGREE THAT GOOGLE, ITS SUBSIDIARIES AND AFFILIATES, AND ITS LICENSORS SHALL NOT BE LIABLE TO YOU FOR:

(A) ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL CONSEQUENTIAL OR EXEMPLARY DAMAGES WHICH MAY BE INCURRED BY YOU, HOWEVER CAUSED AND UNDER ANY THEORY OF LIABILITY.. THIS SHALL INCLUDE, BUT NOT BE LIMITED TO, ANY LOSS OF PROFIT (WHETHER INCURRED DIRECTLY OR INDIRECTLY), ANY LOSS OF GOODWILL OR BUSINESS REPUTATION, ANY LOSS OF DATA SUFFERED, COST OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR OTHER INTANGIBLE LOSS;

(B) ANY LOSS OR DAMAGE WHICH MAY BE INCURRED BY YOU, INCLUDING BUT NOT LIMITED TO LOSS OR DAMAGE AS A RESULT OF:

(I) ANY RELIANCE PLACED BY YOU ON THE COMPLETENESS, ACCURACY OR EXISTENCE OF ANY ADVERTISING, OR AS A RESULT OF ANY RELATIONSHIP OR TRANSACTION BETWEEN YOU AND ANY ADVERTISER OR SPONSOR WHOSE ADVERTISING APPEARS ON THE SERVICES;

(II) ANY CHANGES WHICH GOOGLE MAY MAKE TO THE SERVICES, OR FOR ANY PERMANENT OR TEMPORARY CESSATION IN THE PROVISION OF THE SERVICES (OR ANY FEATURES WITHIN THE SERVICES);

(III) THE DELETION OF, CORRUPTION OF, OR FAILURE TO STORE, ANY CONTENT AND OTHER COMMUNICATIONS DATA MAINTAINED OR TRANSMITTED BY OR THROUGH YOUR USE OF THE SERVICES;

14.2 THE LIMITATIONS ON GOOGLE’S LIABILITY TO YOU IN PARAGRAPH 14.1 ABOVE SHALL APPLY WHETHER OR NOT GOOGLE HAS BEEN ADVISED OF OR SHOULD HAVE BEEN AWARE OF THE POSSIBILITY OF ANY SUCH LOSSES ARISING.

Translation: whatever happens, it’s not our fault. Even if we do it on purpose.

The software companies have created conditions of use that eliminate any sense of accountability on their part. They won’t guarantee that their product will do anything, and they won’t be responsible for any damage created by it. Even if they willfully cause problems or data loss, lie to you about the product, and interfere with other technologies you’re using, they have no liability.

I keep waiting for the courts to throw these things out. End users are clicking through these agreements without reading them because they have no choice. They’re not making informed decisions to give away their rights. They’re not so excited to try out new software that they’re setting up test environment that have no important data or work to do. They’re just trying to get to the Internet, to check their email, to open a PDF file, and to get some work done. Where’s the stable, reliable software product that helps them do that?

Without any incentive to ship reliable, stable, secure code, we’re going to continue to be inundated with updates. Every time there’s a security breach or an internet outage or a loss of data, we’re going to blame the end user. “We told you not to trust our software.” “Why don’t you have a backup.” “What do you MEAN you’re still using that horrible old software from next month.” “Don’t you dare delay this update.”

So until something changes, we’ll keep installing updates, and then update the updates. And then reboot to find that there’s a bug fix for the update.

Photo credit: Michael Sarver on Flickr

 

 

Leading the Blind

I was talking to a colleague from a nearby school district the other day. She had just come from a training session on a new math program they’re going to be using. From what I understand, it’s mostly a test-prep kind of tool. It identifies gaps in students’ math skills and provides instruction on those skills to bring them up to par. She didn’t sound too enthusiastic about it.

52772616_52335e7c83_z

“It’s your fault we’re doing this,” she accused.

“Why is it my fault?”

“Our school does everything your school does. Your district uses this program, and one of our administrators has a child that goes to school there. She heard about it from her kid. Since your test scores are always so great, our school decided to adopt the program here, too.”

That didn’t sound right. This is a math initiative. I work down the hall from our math instructional coach. I see her several times a day. She’s never mentioned it. I texted her and asked about it.

“It’s a terrible web site that supposedly teaches math. We piloted it a couple years ago with some students over the summer. I’m not a fan. We’re not using it anywhere.”

As it turns out, the kid was part of the pilot, but mom didn’t realize that we had been trying out a solution that we ultimately decided was a bad idea. She inferred our endorsement, and adopted the program in her school.

Sometimes checking to see what others are doing can be perilous if you don’t ask the right questions. Sure, we want to be collaborators. And of course, others have great ideas. We can’t always assume we’re the smartest people in the room. We want to adopt the best practices of other schools who are facing similar challenges to ours. We want to learn from the wisdom of others. But I think we often follow others when we’re unsure of our own path. We don’t know what we want or which direction to take or how to approach a problem. So we try to replicate others’ success by copying what they do.

If I’m in a meeting where school leaders can’t agree on a course of action, someone invariably suggests a survey. Let’s see what other schools are doing. Let’s ask the teachers what they want. We need to get some input from our parents and stakeholders.

That feedback is important. We need to have a finger on the pulse of our constituents. We have to know what’s important to them, what challenges they’re facing, and what they want from their schools. But if we ask them what they want, they’ll tell us they want exactly what they have, but better, faster, and cheaper.

That’s not innovative.

It’s much more difficult to look at the goals and challenges, examine the available resources, and design a plan to meet the need. We have to ask a lot of questions, challenge assumptions, and predict how our needs are going to change. That takes a long time. And, often, we end up needing things that don’t exist yet. So we have to settle. Or we have to invent.

That’s why it is taking us more than two years to replace aging classroom computers. It’s not that we don’t have the money. It’s not that we don’t need new computers. The problem is that instruction is changing at the classroom level in fundamental ways. We’re doing less whole group instruction. We’re differentiating and individualizing instruction on a regular basis. Our students are collaborating and sharing and presenting. Our teachers and students and principals and parents are in the middle of this metamorphosis. They’re not really sure what their needs will be in three years or five years or seven years.

So we’ll take our time. We’ll figure it out. We’ll play with a lot of different approaches and see what works best. We’ll weigh tradeoffs and price compare and figure out which things are most important. We will get feedback from our stakeholders, and that feedback will influence (but not dictate) our decisions. Then, we’ll come up with an awesome approach.

And then other schools will copy it.

Photo credit: Ian Harding on Flickr.

 

Facts and Feelings

We are living in an age when information is no longer scarce. The Internet gave everyone access to the information. It was sold to us as an information superhighway. Think of all of the wonderful resources you have right at your fingertips with this fantastic, revolutionary technology. Then, interactive web tools came along and made it really easy for anyone to post content online. We moved away from broadcast media, where a single entity informs the masses, to a system where everyone has a voice. It’s a democracy of information. Finally, mobile technologies became practical, so those tools are now available to us wherever we are.

Information is free, in both senses of the word. Questions no longer go unanswered, opinions no longer go unshared. It’s truly a wonderful and amazing time to be living.

flat-earth-1054350_960_720But there’s also a problem. We are overwhelmed by content. When I was in school, we used to struggle to find enough information to write cohesive research papers. Now, finding enough information is as easy as a Google search. We have to be able to filter that information to find the most relevant content, evaluate the accuracy and reliability of the content we’re finding from disparate sources, and build on that knowledge to spark new ideas and new solutions to complex problems.

You’re probably still with me at this point. If you’re working in higher education, you have an anecdote to insert here about kids these days thinking that “Google” and “Research” are synonyms. Many in K-12 are thinking I’m rehashing old ideas, because we’ve been doing all of these things for years and talking about 21st Century Skills since the 21st century started. If we’re sitting in a room having this conversation, this is the point at which someone will disparagingly refer to Wikipedia. After all, anyone can change it. How reliable can that be? Once we’ve made that turn, we’re off on a track that leads to me ranting about how Wikipedia is actually a pretty reliable source because of their insistence on citations and their transparency about where the information comes from. My challenge to Wikipedia haters is to change a basic fact on the site to be wrong, and see how long that lasts before someone fixes it.

But that’s not where we’re going today. I want to talk about something more important than whether your ninth grade English teacher will let you cite Wikipedia as a source.

What if you want to mislead people? Everyone on the Internet has a megaphone. Everyone can be a content creator. Everyone can be a publisher. Let’s say I want to convince people of something crazy. Maybe I want people to think that the Earth is flat. How would I do that?

I could start by referencing the ancient Greeks, who believed the Earth to be flat until the Pythagoras came along to cause trouble. I could also refer to ancient Indians (prior to the year 300), American aboriginal traditions, or China up until the 17th century. These were smart people, philosophers and scientists, and they wrote about the world being flat all the time.

I could reference 19th century literature by the likes of Washington Irving, whose romanticized history of Christopher Columbus includes the idea that 15th century Europeans thought he would fall off the edge of the Earth.  Or, I could write about the work of Samuel Rowbotham, whose “scientific” work in Zetetic Astronomy proved the Earth is flat in 1849. Moving to the modern age, I can reference the Flat Earth Society, which has been advocating for a flat Earth model since the days of Sputnik. Finally, I can top it off with 21st century author Thomas Friedman, by taking his best-selling book’s metaphor completely out of context.

Maybe I’ve convinced you. Maybe I haven’t. Now it’s time to fire up the social media machine. I start tweeting about the Earth being flat. I post conspiracy theories on Facebook, and make catchy memes about it. People tell me I’m crazy. They start arguing in the comments. They bait the troll. I shoot back. Now, I start focusing on the buzz. People are talking about whether the Earth is flat. Look at all these conversations on the Internet about the flat Earth. Why is big media assuming that the Earth is round? Where’s our equal time? Where’s our fair and balanced?

At this point, it’s time to discredit our own strategy. Anyone can put anything on the Internet. You can’t trust what you read online. We’ve been burned so many times by misleading and biased content that we’re quick to agree with the cynical view that everyone has an agenda. Everyone is against us. Those fact checkers who say the Earth is round? They have an agenda. They’re out to get us. The impartial media? They’re not so impartial after all. They only tell one side of the story. This so-called science that proves the Earth is round? Well, we all know what they say about statistics. You can make the numbers say anything you want.

Now, this is the part that’s new. It’s time to change the story. Many people believe the world is flat. Lots of people are talking about the flat Earth. The news reports the facts. The politicians cite the facts. The fact-checkers check the facts. But the facts have changed. Did you catch the subtle shift? People are talking. That is a fact. People believe. That is a fact. This politician said. That is a fact. The Earth is flat. It doesn’t matter if that’s a fact. It’s just the object of the talking and believing and feeling. So you can say things like “Lots of people think the world is flat” and “Flat Earth proponents feel like they’re underrepresented in media.” Both of those statements are true. But that doesn’t mean they’re going to fall of the edge of the planet.

Distinguishing between fact and opinion is a lot harder than it used to be. We have to teach our children (and our parents, and our peers) to recognize those triggers of “feel”, “believe”, and “think”. Opinions are valuable. Beliefs matter. They shape our view of the world, and our actions in it. But people can be wrong. If one wrong person convinces 99 others, then we have 100 wrong people. The fact that there are 100 of them doesn’t make them less wrong, even if they feel like they’re not being heard. It’s a lot easier now for a few people to use “feelings” to mislead others. Part of being an informed digital citizen is recognizing when that’s being done to us.

 


Post script: Did you notice that almost all of those links about the flat Earth go to the SAME Wikipedia article? The links may make the text look more reliable, but cited sources are only as good as the person checking them.

Photo credit: JooJoo41 on Pixabay.