18 03 02 00 03 01 40 00

Muniment #003

The Bleeding Hearts Issue

Welcome to the third edition of Muniment. We're cooking with gas, now! In this missive we'll be talking about Heartbleed, the latest internet security disaster, a kickstarter about stories, value exchange based protocols, and voice control.

So, on to the newsletter...

The Heart Bleeds


Most of you have probably heard about Heartbleed by now; it's been the talk of the Internet since it hit last Monday. The long and short of it is that a very popular piece of software that handles the secure part of HTTPS connections (that little lock icon when you check out on Amazon) has had a bug in it for the last two years that let anyone who knew the secret handshake dump chunks of the web server's memory. This XKCD comic demonstrates it pretty well. The bug leaves no trace, so unless you're recording all the traffic to your web servers, which no one does, you don't even know you've been hit. Ergo, an attacker can use it over and over to grab random bits of whatever the server was working on. Things like passwords (when you try to log in, that stuff is in memory), secure server keys (since the server needs them to answer your request), and every other confidential piece of data you can think of.
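To make the "secret handshake" concrete, here is an added example (not from the newsletter or from OpenSSL) that parses a TLS heartbeat record and applies the check the fix added: the payload length a request claims must be backed by bytes actually on the wire. It is fed the eight probe bytes shown at the top of this issue and a constructed well-formed request.

```python
import struct

# TLS content type for heartbeat records (RFC 6520) and the minimum padding
# RFC 6520 requires after the payload.
TLS_HEARTBEAT = 0x18
HB_MIN_PADDING = 16

def check_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS heartbeat record and say whether the payload length it
    claims is actually covered by the bytes on the wire.  Unpatched OpenSSL
    trusted the claimed length and echoed that many bytes of its own memory;
    the fix, mirrored here, drops any request that claims more than it sent."""
    if len(record) < 5:
        raise ValueError("too short for a TLS record header")
    ctype, major, minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HEARTBEAT:
        raise ValueError("not a heartbeat record (content type 0x%02x)" % ctype)
    body = record[5:5 + rec_len]
    result = {"version": (major, minor), "on_wire": len(body), "valid": False}
    if len(body) < 3:
        result["reason"] = "heartbeat body shorter than type + length fields"
        return result
    hb_type, claimed = struct.unpack("!BH", body[:3])
    result.update(hb_type=hb_type, claimed=claimed)
    # What a well-formed request must carry: 1 type byte, 2 length bytes,
    # the payload itself and at least 16 bytes of padding.
    needed = 1 + 2 + claimed + HB_MIN_PADDING
    if needed > len(body):
        result["reason"] = ("claims %d payload bytes but only %d on the wire "
                            "(Heartbleed pattern)" % (claimed, len(body)))
        return result
    result["valid"] = True
    result["reason"] = ""
    return result

# Sample inputs: the probe shown at the top of this issue, and a constructed
# well-formed request (4-byte payload "ping" plus 16 bytes of padding).
HEARTBLEED_PROBE = bytes.fromhex("18 03 02 00 03 01 40 00")
LEGIT_HEARTBEAT = bytes.fromhex("18 03 02 00 17") + b"\x01\x00\x04ping" + b"\x00" * 16

if __name__ == "__main__":
    for name, rec in (("probe", HEARTBLEED_PROBE), ("legit", LEGIT_HEARTBEAT)):
        r = check_heartbeat_record(rec)
        print(name, "VALID" if r["valid"] else "DROP", r["reason"])
```

The probe claims 16384 payload bytes while carrying three, which is exactly the mismatch an unpatched server would answer with a 16 KB slice of its memory; the same comparison is what network sensors use to flag these requests.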

Sample exploits were in the wild almost immediately, which meant that anyone who could read a readme.txt file could find their favorite internet target (say, Yahoo! mail) and start poking the servers for random bits of data. The thing that should terrify you, beyond the obvious implications that your passwords may be sitting on some random stranger's hard drive, is that this bug will never be completely fixed. There are at least hundreds of thousands of machines out there that are essentially orphans, with no active maintenance, and every burned-on-CD version of a Linux distribution for the last two years has this bug in it.

Everyone in the internet security world has been waiting for an apocalyptic event, a black swan that breaks the entire internet for everyone in a dead simple way and makes us really take security seriously. This was it. Internet security guru Bruce Schneier said that, "On a scale of 1 to 10, it's an 11." In the 90s we talked about the Internet responding to inclement situations and routing around them, so it'll be really interesting to see how the Internet as one big thing routes around this. LastPass, a secure password storage program, is already checking sites for vulnerability to Heartbleed. It isn't that much of a stretch to think that this is the beginning of actively defensive browsing software, where your browser will start to warn you if it finds potential security issues in the sites you visit. Treating browsers as active security toolkits is kind of a new thing; it'll be interesting to see where that goes. Your browser's job has always really been to protect the user, but it hasn't been developed that way. It really needs to be a watchdog, checking what you put into it, where you go and who you talk to in an intelligent way.
 

Storium Time!


Last week one of the guys I follow on twitter posted a link to a Kickstarter called Storium. I love stories, and I've been thinking a lot about software that tells stories, so I had to go take a peek.

People have told stories since we've had language to communicate them with. Not long after we started telling stories, someone had the idea to take turns. I start the story, you tell the next part, our buddy Gorg tells the third part, and then it comes back to me. It's a story, but it's unpredictable because none of us control it. Fast forward a few thousand years, and we started using tools to enhance our group storytelling. Bob had trouble with pacing and Alice just told the same Star Trek plot over and over, so we decided that we needed a structure. Rule books, cards, computers. People acted them out. One of these storytelling tools is Fiasco, a collaborative storytelling game where a few friends can tell a story in the vein of a Coen brothers movie like Raising Arizona or Burn After Reading. I wrote up a story some friends and I created last year in "Bad Beans".

Fiasco molds the storytelling process by placing each player/storyteller in the shoes of a character. Then the players pick elements from a list of thematically appropriate objects, locations, and relationships in a semi-randomized way to create a setting for the story. Each of the tale tellers takes a turn setting up or resolving a scene, and thus the story is told. Fiasco's a great system for this, but it requires a whole bunch of dice and two or three hours where everyone's in the same place.

Back in 2005 I worked on a project called Synanim. Synanim is designed to be a consensus tool. The goal of a Synanim session is to get a lot of people together online, let them write out their thoughts in a managed workflow, and then use social algorithms to merge the text of the many down to one authoritative statement.

Storium takes the web workflow component of Synanim (and many other systems) and merges it with a character-based storytelling framework like Fiasco to create a collaborative storytelling game. Genre writers have created settings (called worlds), and the system has some simple game mechanics to keep players on track. The system already works; backing the Kickstarter gets you access. I've rounded up a few willing testers and I'll be starting a game in a few days. If any of the settings look interesting to you, and you'd like to try it out, let me know. People who've tried it really seem to love it.

Related to Storium, I think there's an opportunity here to build similar tools for drawing stories out of families. I'm still really interested in tools that enable people to document their lives and the lives of their loved ones, and I think you could learn a lot from the experience design and gamification of Storium as you think about that.
 

The Fifth Protocol


The internet is made of layers (not tubes, as you may have previously been told). There's the link layer, like Ethernet or WiFi. There's the Internet layer (or Protocol), which is how traffic knows where to go. There's the transport layer, which is how the information is bundled up and prioritized, and then the Application layer, where this text you're reading right now lives.

When the Internet was a small, academic and amateur thing, this worked really well, but these days the Internet is business and critical communications and home to malicious actors of all shapes and flags. What the Internet doesn't have at its core is any concept of the exchange of value in a transaction. If you want to send me email, the ethos of the Internet is that your server connects to my server, your server gives it the email, and it ends up in my mailbox. No reciprocal exchange, just a free flow of data. In that environment it's really easy to deluge servers with traffic, or spam.

One of the early proposed solutions for email spam, and something you've probably used recently when you tried to sign up for a web site or submit a form, is the proof of work. You know this kind of system as CAPTCHA, those 'enter the numbers/letters you see' forms that prove you're a person, but they can also be mathematical equations that your browser has to solve before you can submit a comment. In these systems they're requiring the expenditure of verifiable effort in order to complete the transaction. We know you mean it because you're willing to do the work. Proof of work never caught on in email, because it wasn't baked into the protocol.

In order for things to be pervasive, they need to be in the core protocols. Naval Ravikant posted a really interesting article about the possibilities of using Bitcoin's blockchain for it, and having systems transfer tiny amounts of computable cryptocurrency between them when they interacted. We've talked about micropayments for content for a long time (pay me $.02 to read my awesome blog post!), and this would be the same thing, but at a lower level. Naval called it The Fifth Protocol, and it's a great read. Thanks to Matt Mullenweg for pointing me at it.

This stuff starts to feel very science-fictiony once you consider that all your Internet of Things devices could trade their own cryptocurrency as a base part of their communications spec. Once you have currency you get debt, and then you're deep in the world of Hannu Rajaniemi's The Quantum Thief and Charles Stross's Neptune's Brood.
 

Voice Command... Voice Command...


In the realm of interesting projects to tinker with, some enterprising folks have built a really slick-looking voice control API called Jasper on top of the Raspberry Pi. Jasper can do things like tell you the weather, check your email, and more, all from an always-on microphone. I'm thinking I may take one of my non-functional Mac Classics and build an always-on Jarvis-style companion for my office. If you had an ethereal robo-butler in your house, what would you ask it about?
 

Wrap Up & Shout Outs


The SpaceX launch that the Kramer Satellite is going up on was postponed till today, Monday, April 14th. You can watch the launch live at 4:58:44 p.m. EDT!

Matt Sanders mentioned to me that the folks he works with over at Librato had a post about ChatOps, too, so you should check that out.

Former Polycot and now MIT Media Lab tinkerer David Nunez had a big hand in EDI, the Baxter-based magician's assistant who debuted at TED2014. I try not to pretend that I'm outrageously jealous of David. When he started working on Drupal stuff with us he said his dream was to build dancing robots, and while EDI doesn't dance, David's getting pretty damn close.

See you next time!

- Jeff Kramer
Copyright © 2014 Jeff Kramer, All rights reserved.