Guy: … so anyway, Geneviève is totally my sugar mama now. What can I say, I like my women like I like my wine: rich, French, and full-bodied.
Girl with German Accent: And here I thought you were going to say “white, German, and having dinner with a chauvinist asshole.”

Much love, Dinner Girl.

In the four weeks that the ask me anything post has been up, I’ve received two questions. My father wanted to know when I was going to call my mother, and my mother asked what a “blog” was. The third question arrived just as I began typing this post. My friend Katherine, she of the photography critique, writes:

Oooh, I have a good one: when are you going to update your damn blog?

You know, if you’re having writer’s block, I could contribute as a guest writer. Then again, the only articles I can think of right now are “How to make awesome cheese sticks,” “The optical properties of cyanobacteria”, or “How to attract pallid, underweight, socially maladjusted men.” I could write any of these articles with some level of expertise, but none of them go well with the computer security theme.

Maybe we should have some guest articles.

Okay, no, I received over three hundred questions, which is remarkable because I didn’t even know there were 300 people on the Internet. I’ll start sorting out the questions and answering the best ones in the coming weeks. To help you pass the time until then, I’m including above a gratuitous photograph from Boothbay Harbor in Maine, shot on July 4th. Which is an American national holiday celebrating Thomas Edison’s invention of fireworks in 1776.

That’s where I brilliantly field all questions I can answer, and make up incredibly convincing answers for any I can’t. (In the past, I’ve been asked about computer science, geophysics, abstract algebra, and British post-modern literary theory. Really.)

As an experiment, we’ll try to do the same right here. If you have a question for me, ask away in the comments. Ideally you would ask about things like systems security, programming, scalable systems and Python, but I’ll take humorous questions about education, technology, educational technology, math, British post-modern literary theory and just about any other subject. The questions you leave won’t show up below this post, but I’ll read them all and answer any interesting ones in a followup post. Bonus points for making me think, and don’t be shy. And please don’t ask why I’m so handsome — there’s just no accounting for good genes.

(Update, July 28th: questions are now closed.)

There are lots of problems with this setup. Notably:

• Since I didn’t ask for these releases, they’re unsolicited. Since they’re not addressed to me but mailed to a distribution list, they’re bulk messages. Since they’re transferred by e-mail, this makes them unsolicited bulk e-mail, which is the official name for spam. To say nothing of the fact that most of the e-mails include no obvious way to opt-out from future communiques.
• These are press releases, so they’re written to absolutely destroy my chances of gleaning any useful information whatsoever about the product being discussed. This is by design, as press releases focus on explaining what industry the product will revolutionize and how it will increase leveraged synergies for the manufacturer instead of, you know, telling me why the hell I should care about the product.
• Possessing no useful information about the product, and not having seen it since it hasn’t even been announced yet, what am I supposed to do with the “information”? Write or care about it, sight unseen, based on the press release?

So, new rules. I’m usually interested in both new software and hardware. If you want me to look at software you’ve built, send me a short technical description of why I should care, along with a link to a demo install if it’s a web app or a download link if it’s not. If you want me looking at hardware, send me the technical specs and tell me how, if you’ve managed to interest me, I can get my hands on a unit to play with — you can have it back in perfect condition when I’m done. In both cases, include the e-mail address of a technical contact, which is someone I can ask questions and expect intelligent technical answers. In neither case should you actually send me the press release itself.

Following these simple guidelines, dear PR people, will win you a reprieve from my spam filter despite the fact that you’re still sending me spam. Failure to follow them will, on the other hand, earn you a permanent date with said spam filter (he goes by “Bubba”) and cause me to report you to Spamhaus, your ISP for violating their terms of service, and inform the company you’re representing of your uncouth business practices.

Much love.

Anyway, if you’re in Vancouver, New York, Helsinki, Concepción (Chile) or Barcelona in the upcoming months — see the handy-dandy talk list — and want to grab a beer or commiserate about the world, the human condition, and the heart-breaking ennui of it all, send an e-mail. The boogeyman will oblige. First scare is free.

There are no new ideas here: encryption malware has been around for the better part of a decade, Adam Young and Moti Yung wrote a book about cryptovirology in 2004, and even Gpcode itself has been around since 2005, albeit with a far more primitive approach to encryption that the current incarnation.

The latest instance gets the crypto mostly right: it creates a unique 128-bit RC4 (Arcfour) key on each machine and uses a random initialization vector for each file it targets. The IV is written to the beginning of the file, encrypted by the per-machine key, run through MD5, and the output constitutes the per-file key, used to encrypt each file with RC4. At the end, the main per-machine RC4 key is encrypted with a 1024-bit RSA public key which the malware carries within its payload. The malware author can then send a tailored, per-machine decryptor to folks who pay up.

If you keep backups, you can obviously treat this attack as a simple data loss scenario. And if you don’t have backups and badly need the files back, you have no option but to pay: when used correctly, cryptography works. In their encrypted form and without the RSA private key, the files are as good as garbage. Anti-virus companies have no technological defense against this, can’t make any, and are being appropriately forthcoming:

A security company on Friday asked for help cracking an encryption key central to an extortion scheme that demands money from users whose PCs have been infected by malware. … “Along with antivirus companies around the world, we’re faced with the task of cracking the RSA 1024-bit key,” said Aleks Gostev, a senior virus analyst [at Kaspersky Lab].

See? Completely reasonab… wait, what? Factor the key? Seriously?

Arjen Lenstra and Eric Verheul estimate that, in 2009, a machine that can factor a RSA-1024 key in a day would cost $250 million. With a massive cluster of regular computers, such a computation would take years. And it gets better: 2048-bit RSA keys are considered impractical to factor before the year 2030, while 3072-bit keys are likely to provide protection beyond then. Do you see where this is going?

Even if the present key is factored, it’ll take the malware author mere minutes to generate a stronger one, insert it into the malware payload, and send it on its merry way. And we won’t be able to factor that one.

In fact, focusing on the cryptography in the malware misses the point entirely. What the malware is exposing is the far simpler fact that our desktop security systems are fundamentally broken, as there is no reason that a piece of malware executing silently in the background should have access to a user’s files without interaction or approval. If file access was securely brokered, we wouldn’t have to care about the crypto.

We know how to build desktop systems that are both drastically more secure and more usable than the ones in use today. Prototypes like CapDesk and Polaris demonstrate this on mainstream systems, while my own Bitfrost does so on the OLPC laptops. You won’t see ransomware on the XO-1.

When it comes to Gpcode, factoring the RSA key is the dumbest possible course of action. I know it, the security community knows it, and Kaspersky Lab knows it. It’s a press gambit, and one that I found distasteful at first. But I’ve come around: it grabs headlines, and maybe a proliferation of headline-grabbing, panic-sowing, fear-inducing threats like cryptoviral ransomware is exactly what’s needed to overcome inertia from operating system vendors and finally move us towards a more secure desktop.

Much love, Kaspersky Lab. Let’s go factor some keys.

Now Ubuntu’s Kevin Cole points out a news item on the upcoming flick Get Smart:

[Steve] Carell plays Maxwell Smart, a newly assigned field agent for the super-secret agency CONTROL. He stars opposite Anne Hathaway as Agent 99 and Alan Arkin as the Chief in the reboot of the classic 1960s spy-spoof TV series.

“I try specifically not to laugh when someone else is doing their thing, because if you laugh and ruin someone else’s take, if someone’s doing something inspired or incredibly funny, it’s a gift, and to take that away by laughing and ruining it, that’s a cardinal sin in my mind,” Carell said. “But there are some times you just can’t help yourself. The scene in the movie, when Alan is trying to pronounce a name [in] the Cone of Silence sequence, … the scene probably took five times longer than it should have because … I couldn’t control myself. And so I took that gift from Alan Arkin.”

Arkin improvised some of the scene, in which he struggles to pronounce the name of an enemy agent, Krstić.

“That just killed me,” Carell said.

Look, it’s okay to use my name, but Hollywood and I have a deal: no biopics. My life as a super-secret enemy agent is off limits. Evidently director Peter Segal didn’t get the memo.

The henchmen have been dispatched.

I think people have tried to build a $100 laptop, and here is a $200 phone that can do all that over 3G.

Uh-huh.

It’s just like the “$100 laptop”! Except not rugged, with a tiny screen sans dedicated reading mode, without a reasonable prolonged-use input device, with a $100 fee for a software development certificate, without USB ports or a video camera, with a prohibition on interpreted software and a by-design inability to share software due to DRM, and requiring wi-fi access points or expensive 3G GSM infrastructure to communicate.

And, um, with a $200 retail price after massive subsidy by AT&T which attaches it to a mandatory two thousand dollar contract.

Good call, Ralph.

This paper examines the impact of having access to a home computer on child and adolescent outcomes. To avoid the bias due to non-random access to home computers, we exploit a unique government program which provided vouchers towards the purchase of a personal computer for low-income children enrolled in Romanian public schools. Since the fixed number of vouchers were allocated based on a simple ranking of family income, this program affords a stark regression discontinuity which allows comparisons across students very similar in family income and other respects, but who experienced markedly different access to a computer at home. In 2007, we conducted a household survey of children who participated in the program in 2005. Using these data, we show that children who received a voucher were 50 percent more likely to own a computer.

Next, we show that receipt of a voucher had a large impact on time spent in front of the computer and decreased the amount of time spent watching TV and doing homework. Children in household that won a voucher also report having lower school grades and lower educational aspirations. There is also suggestive evidence that winning a voucher is associated with negative behavior outcomes. Nevertheless, we find that having a stay- at-home mom and the presence of rules regarding computer use do mitigate some of the negative effects of winning a computer voucher, indicating that parental monitoring and supervision may be important mediating factors. …

Both columns 1 and 2 of Panel A indicate a negative effect of winning a voucher on GPA as reported by parents and the children themselves. The effect is statistically significant for the child reports, at 0.36 grade points or about one third of a standard deviation.The decrease in GPA based on parental reports is smaller and not statistically significant at conventional levels. Similarly, parents in households who won a voucher are 13 percentage points less likely to report that their child intends to attend college. … Interestingly, winning a voucher does not increase the intention to major in computer science in college. …

Children in households who received a voucher show a large reduction in their school behavior grade during the 2005-2006 school-year. This result is large and statistically significant … To summarize, the evidence on GPA, college plans and the school behavior grade presented in Table 5 suggests that, if anything, computer ownership has a negative impact on child academic and behavioral outcomes. …

However, despite the efforts of the Romanian Ministry of Education to encourage the use of these computers for educational purposes through the provision of educational lessons, relatively few children have educational software installed on their computer, and fewer still report using the educational software on a regular basis. Instead, our analysis brings out the important role of parents in shaping the impact of home computer use on child and adolescent outcomes. We find that in families where mothers stay at home and where parents have rules regarding computer use, the negative effects of winning a voucher are greatly reduced. Thus, our findings suggest caution regarding the broader impact of home computers on child outcomes. They also raise questions about the usefulness of recent large-scale efforts to increase computer access for disadvantaged children around the world without paying sufficient attention to how parental oversight affects a child’s computer use.

Fascinating. I find it particularly interesting that, despite educational software from the Ministry being available to the parents in the voucher program at no cost, few appear to want it or install it, and few children report using what educational software was provided. Internet access was relatively unavailable for voucher households, however, and I wonder how much that colors the study’s results.

So what went wrong?

I think there was one key error with the choice of hardware, while the software missed the point entirely.

Choosing hardware
No one knows exactly what an education-centric computing device should look like, or even what the “education-centric” moniker actually means. Over time, people have gotten better at reasoning about it out loud, though. What, then, are the defining physical (non-software) qualities of an education-centric computer?

Ownership — it has to be something the kids can own, because communal computer classrooms only tend to work where there are classrooms and teachers to run them, and few enough kids not to compete for computer time. But in the neediest parts of the world, such settings are in the minority, and it’s all the other settings that need help the most.

Portability — the kids should be able to carry the device around as much as they want, at the very least because in many cases, the device will be substituting for books. (It’d be crazy if it didn’t: at OLPC, we found a classroom in an African capital that had three books for 90 children. This isn’t rare, or even particularly uncommon.) More fundamentally, if the device is to encourage “always-on learning” by becoming a brain extension that the kids can turn to whenever they become interested or curious about something, they need to be able to have it with them a substantial amount of time. That means desktops and other clunky, heavy, and immobile solutions are out of the picture.

Proper human interaction — the device should allow rich, prolonged user interaction. It needs to have a sensible input device, for instance, which rules out most cell phones — just imagine typing a history paper on a phone keyboard. And you need a reasonable viewport. Even the iPhone’s display, the reigning champion of mobile phone screens, is hardly one you want to use as your sole window into reading, writing, and browsing the web. So no, “give them cell phones” isn’t going to fly. Anything with a screen below a 6-7 inch diagonal is suspect.

A match for infrastructure and external conditions — the device needs to be compatible with infrastructure realities, which vary wildly with locale. Much of the least developed world struggles with obtaining clean water daily. Those places won’t be helped by computer rollouts at this stage. But one level up, many countries that generally have enough food and clean water still don’t have a ubiquitous electrical grid, and they certainly don’t have wireless access points hanging from every tree. An ideal device for the developing world would suck little power, allow networking without infrastructure in remote locations, and could manage the scorching heat and fine sand grains of Libya, the bone-freezing cold of Mongolia, and the incessant rain and humidity of Peru’s jungles. Extra points if it’s also rugged to survive (un)intentional abuse by children.

Romania’s choice
If these are our criteria, Romania’s effective choice of home-owned, primarily desktop computers for the voucher scheme fails to meet an important one: desktop computers are not portable. This means that computers become segmented both physically and temporally. They can only be used in a particular place, for particular hours in the day. Children can’t take them to school, they can’t benefit from teachers incorporating computers into the curriculum as I’ve seen happen in rural Peru, and without internet connectivity, they can’t work (or play!) with other children when using their machine. Perhaps most importantly, children can’t turn to a non-portable computer every time they get a curious itch — curiosity being the instigator of a tremendous amount of learning at an early age.

Not even the nerdiest of children I know want to willingly carve out “learning time” in their day. But they do get curious constantly, and unless they’re in a position to get answers immediately from an authority figure, most of the time the point of interest will be unanswered and forgotten. Laptops, especially when preloaded with knowledge bases, can change the picture entirely, and I think this was Romania’s key hardware miss. (I should note that the program didn’t mandate desktops, but the economic realities appear to have forced most voucher winners to use their vouchers for purchasing desktop machines.)

The software issue might be more telling. The Ministry provided voucher winners with “530 multimedia educational lessons”, which they hoped would encourage educational use of the machines. In other words, they assumed that children will come home after a full day at school, do their regular homework, and then, by themselves, of their own accord, and with no tangible benefit or reward, do more schoolwork.

Does that sound like many children you know?

Though the study’s point about parental oversight is very well taken, here’s what I continue to think: learning with computers should be always-on. Kids should come to treat them as surrogate brains that are very likely to have answers when kids have questions. They should have interfaces that are collaborative and allow for learning that’s shared, open and involves peers. Where an established schooling system exists, the collaborative aspects of the computer should be used as much as possible in teaching, which is a tall order, and in letting children work on problems together, which isn’t.

This is the promise of Walter’s Sugar Labs, and it’s a good one. The Malamud/Pop-Eleches study is an entirely unsurprising reminder that, as the New York Times found anecdotally, merely throwing computers at children — even if they’re laptops — just won’t do.

Being of that gentle generation that never witnessed the greatness of print news, I grew up with no innate reverence for the broadsheet. My generation did not see the Times, in clear invitation of great ire from the Nixon administration, publish the Pentagon Papers in ‘71. We had no Bob Woodward and Carl Bernstein to inspire in us a faith in print journalism which did not lie, did not distort, and did not cower in fear of repercussions from the powerful.

But we were there when Patricia Smith resigned from the Boston Globe in ‘98 after fabricating people in her ASNE award-winning columns, and when Stephen Glass lied in The New Republic the same year, Jay Forman in Slate in ‘01, and Christopher Newton in the Associated Press in ‘02. We were there for the Gropegate mess in the LA Times in ‘03, and when Reuters ran fraudulent photographs in 2006.

We were there for Jayson Blair’s shameful resignation from the Times for plagiarism and fabrication in ‘03. We were there when a month later, both the paper’s managing and executive editors resigned for their part in the matter, amidst what an internal committee discovered was “a series of management and operation breakdowns” and “a stunning lack of communication within the newsroom.”

Cable news did no better. Living in my home Croatia during the ‘91 war, I watched in disbelief as CNN — the purported beacon of on-air objectivity — ran segment after segment about the war that omitted key facts and distorted yet others, many at the hands of Christiane Amanpour who later faced various allegations of editorial bias. More recently, there was the ABC News election memo screwup in ‘04 and the incredible mess that CBS went through with Rathergate the same year.

It would be easy to say that my recollections are naturally biased towards recent events, that journalism always had its share of bad apples, and that it’s just business as usual. After all, lots of people remember at least the Washington Post’s Janet Cooke in 1980 and Walter Duranty in the Times some fifty years before then. But it’s also true that the rise of attention-deficit culture and the dizzying speedup of the news cycle greatly agitated the industry, increasing both the frequency and gravity of journalistic transgressions. And while there’s always a tendency to romanticize the days of old, to remember the Bernsteins and the Woodwards with a rosy nostalgia that’s half merited and half flight of fancy, it’s just as true that these folks are a vanishing kind. Where is my generation’s Bob Woodward? Where is our Walter Cronkite?

It is a sad reflection on the state of affairs when the most iconic newsman of my day is Jon Stewart, whose fake-but-not-really news show on a comedy television network was found in an Indiana University study to be just as substantive in its news coverage as mainstream news networks. “You’re on CNN,” Stewart charged during a visit to the political TV show Crossfire, “[and] the show that leads into me is puppets making crank phone calls.” Stewart attacked the hosts for being “partisan hacks” who are “doing theater, when [they] should be doing debate.” Mere months later, CNN’s chief executive decided to cancel the long-running show, citing agreement with Stewart’s sentiments.

So it’s 2008, and it’s getting increasingly hard to find a decent news source. No, I genuinely don’t care about what or whom celebrities are doing this week, or the seemingly endless stream of oddball “look at these strange people” personal interest stories littering the mainstream media. Where’s a man to find some great writing and whip-smart coverage of what’s going on in my country and the world?

I did a lot of exploration to answer the question for myself. As a result, a number of years ago I pared down my news intake to four basic sources: National Public Radio, the Financial Times, The Economist, and The New Yorker. None are without fault, but all are among the few remaining bastions of world-class journalism. And particularly dear to my heart, all four know from time to time not to take themselves too seriously.

I’ll spare you a dystopian prophecy of the death of print. Instead, I’ll share a few paragraphs from the last Financial Times Weekend magazine that, in between great articles on thorium-fuel nuclear generators and the CDO-inspired global credit crunch, gave me a good chuckle while I flew from Boston to München yesterday.

Writes Sue Norris, in “Winning smiles”:

The Times reported that the professor found that the British used the classic Duchenne [smile], “producing a more sincere, hard-to-fake smile”, “restrained, but dignified”. Americans, said the paper, tended to use the “far-less expressive ‘Pan-Am’ smile, named after the defunct airline’s gesture of welcome.”

Enter The New York Times Magazine, fighting. Keltner, it reported, found that Americans “simply draw the corners of our lips up, showing our upper teeth. Think Julia Roberts or the gracefully aged Robert Redford.” It noted how the English smile “can be mistaken for a suppressed grimace or a request to wipe that stupid smile off your face.”

Was this a fair fight? Not at all. The Americans cheated. They said that the eminent professor’s experiment had failed to control for bad British teeth.

Gerrit Wiesmann in “Can we get an M to go?”:

Because as un-American as [McDonald's new burger, "the M"] might want to be, the centralised mass-production it requires relies on the same processes that have been bringing us Big Macs for 40 years. In fact, you could argue that the M is only pretending to be European — a subterfuge that [McDonald's European Food Studio head Chris Young] and team happily worked on for two-and-a-half years. The M might be the product of barbarian taste, but it is less the symbol of an empire’s malaise than capitalism’s power to reinvent itself. Tired of the mass-produced? We’ll mass-produce the hand-made. Young, I should point out, is American.

John Griffiths in “Road test: The BMW X6″:

The exchange of stares — between those whose potential for future relationship could at most be confined to barbecuer and barbecuee — stretched from seconds to perhaps half a minute. Then, making a startling, explosive and echoing personal contribution to global warming, this hirsute chieftain of the ungulate race turned its rear on me and shambled away. As an expression of that much-vaunted disdain of the Highlander for the Sassenach, it had a bizarre eloquence all its own. …

Skye is also a dog walkers’ paradise. But be warned … if you really are hell-bent on buying one of these [BMW X6] beasts, you must do one of two things: teach Rover to use crampons and climbing ropes. Or swap him for a kangaroo.”

Lucy Pinney in “Try this: Aerial assault course”:

“Failure to follow the safety rules could lead to a serious — even fatal — injury.” As my 13-year-old-son, Nat, and I listened, I began to wish we hadn’t decided to “Go Ape!” after all. An aerial assault-course built into the tops of pine trees in Haldon Forest Park, Devon, Go Ape! opened in March. The course began with a safety talk and practice session so long and comprehensive that Nat attached his climbing karabinas to his nipples to break the tedium.

Mayhaps print isn’t doomed just yet.