Tuesday, May 31, 2022

On How to be an Ally to Women in Tech

Over my professional career as a computer scientist, I have observed exactly what this April 2022 article discusses about my field. The gender gap is a problem, and it's not getting better. The problem is so bad that the National Science Foundation (NSF) is pushing efforts that address it, and universities are trying to create programs that encourage female enrollments.

So, drawing from my over 55 years as a female in our society and over 30 years working in this profession, I’ll share some thoughts about this and other relevant articles and about my experiences in the field.

“The Bureau of Labor Statistics (BLS) projects computer science research jobs will grow 19% by 2026. Yet, women only earn 18% of computer science bachelor's degrees in the United States. Despite the high job demand, computer science remains a male-dominated field in the United States.”

Only 18% of computer science degrees are earned by women in the USA.

“Starting when computer technology first emerged during World War II and continuing into the 1960s, women made up most of the computing workforce. By 1970, however, women only accounted for 13.6% of bachelor's in computer science graduates. In 1984 that number rose to 37%, but it has since declined to 18% -- around the same time personal computers started showing up in homes.“

I remember being a computer science undergraduate in 1984-86. At that time, somewhere between 25-30% of the students at my school were women. A minority for sure, but enough that you weren’t “the only one”. I recall thinking that this was the perfect time to get into this relatively young field, on the ground floor, to make this field one where women were just as common as were men, unlike so many other technical fields. But enrollments have gone in the opposite direction. To make matters worse, women are more likely to leave the computer science degree program than are men. And, more women are likely to leave the field after career entry than are men. 

Sadly, “Only 20% of computer science professionals are women.” And oh by the way, that’s ALL professionals, including UI (which takes creative design talents) and managers. I’m in an even smaller niche: cyber security research. It is not uncommon for me to be the ONLY woman in a conference room of 50 men.  There is often no line for the women’s room at tech conferences, but the men are lined up out the door.  We women make uncomfortable jokes amongst ourselves about this phenomenon.

Only 20% of computer science professionals are women.

Now, for those who think this is just computer science, this article asserts that in 2022, only 26.7% of tech jobs are held by women. This NSF-funded March 2022 study shows that women make up the majority in social sciences but puts numbers at 16% for engineering and 26% for computer and mathematical sciences. Let that sink in.

Fixing this requires understanding and accepting what is truly happening.

I hope that every reader is asking, “How can I help?” And if you are, THANK YOU! To figure out what we can do, we first have to understand what is really going on in the industry and in society in general.

The above cited articles make some really good points about these questions. In all honesty, it’s complicated. There’s no one thing you can point your finger to and say, “That’s it!” That’s why this is so hard. I will share some of the lessons that I have drawn from my experience as a student of the public schools and of a computer science university program and as a career woman, working in a male-dominated field. These are also informed from talking with other women in the field. This list is not comprehensive.

We need to promote the love of technical subjects.

  1. We adults need to stop telling kids that “math is hard”. When we say that, we are telling kids before they even try that they can’t do it and should hate math. This is really for both genders, but it gets pushed on females for sure. At least I had a dad who drilled into me that “can’t do this” is not in my dictionary and that I could be anything I wanted to be. I love my dad. Have I mentioned that?  Sadly, other girls don't get that kind of encouragement.

Stereotypical biases start early and affect career choices.

  2. There is an inherent bias in the toys that are marketed towards the genders; these toys reinforce stereotypes. I blame Mattel. Well not just Mattel. But consider that it’s only in recent years that they started making “scientist” Barbies and Barbies with different body shapes. Before this shift, playing with Barbies was about going shopping, getting your hair styled, fashion, and working as a flight attendant. Not that there's anything wrong with these things. But girls can be so much more if they so choose. We need to open minds to and support all the choices. Not to mention that we see how well the exaggerated Barbie figures have helped girls over the years. Now we have an entire industry built around eating disorders. Thanks. Not.

Women need to be encouraged to speak up.

  3. It can be intimidating to be the only female in the room. Often when that happens, the woman will sit in silence and not participate in the conversation. It shouldn’t be that way, but our society has made it that way. I was the only female child in my family, so I’m used to rough housing with the boys and standing up for myself. But other girls didn’t have that same experience. And when you do speak up in any kind of assertive or authoritative manner as part of your job, you are called “controlling” or a *itch. Guys, you wouldn’t say stuff like this if the person were another guy. Stop it. This is nothing more than stereotyped bias. And women are worse than men about doing this to other women. Really?

Women need female role models.

  4. There’s been a lack of female role models in technical fields (see #3). This is really important. People want to be in places where they see other people like themselves. This is just how humans are wired. And this is really a self-fulfilling prophecy. If there are few women in these fields, how do we grow mentors to recruit more females? This is why organizations such as the Women’s Society of Cyberjutsu have popped up. They find female mentors and connect them with young girls who are interested in computer security.

Sexual harassment in the workplace is a real problem in tech.

  5. We need to fully digest that sexual harassment in the workplace is a problem. “More than 50% of women in tech report gender inequality, discrimination, or sexual harassment in male-dominated environments.” This fits with my experience. The hacker (and gamer) communities are overrun with testosterone driven guys who act like 13 year olds and treat women as sexual objects, rather than intellectual peers. Think Beavis and Butt-head or Wayne’s World. I'm not saying that all men in these groups act like this but a lot do. So let me be clear: NO PROFESSIONAL WOMAN wants to be in an environment where this garbage is going on. None. It’s so bad that groups like the Women’s Society of Cyberjutsu and Girls Who Code (among others) have had to create safe places for girls and women who want to learn about and become proficient at computer science and cybersecurity. It shouldn’t be this way. We have a partially-gender segregated community. Women should feel welcome and included in all parts of the field.

Societal hyper-sexualization of females is a contributing factor to sexual harassment in the workplace.

  6. The hyper-sexualization of females in our society is real and is one of the contributing factors to sexual violence and harassment. You can’t watch advertisements without seeing it. Nor can you watch much on Netflix (and others) without gratuitous sex (that adds absolutely NOTHING to the story). And it’s not just hinted at. We’re talking full on nudity and sex acts, and that affects the way people think. The sexualization of women is even pervasive in superheroes. And it is all leaking into the office. Folks, we can’t have it both ways. Continuing on the thought from #5, there are four top conferences in cybersecurity research. There is one that I haven’t supported in years. Why? Because the last time I went, a male researcher included in his presentation a screenshot of a cover from (I think) Vanity Fair that showed a woman only partially dressed and in a very compromising position. At a professional conference. A place where women are supposed to feel like equals. Really? I guess he didn't get the memo. This is a prime example of our hyper-sexual culture leaking into the work place. A number of women got up and walked out, including me. It was so bad that the conference issued an apology and said that they would be reviewing slides before they were presented in the future. I don’t know if they are actually doing that. I could give other examples of the sexual harassment I’ve had to endure in my career, but frankly, those are too embarrassing to talk about. So. You want to help women in the workplace? We need to stop making everything about sex. Really. Making innocuous things about sex only feeds this problem. We women need safe work environments, where we don’t have to worry about what the men we work with are thinking -- a place where we are treated with the dignity and respect that we deserve and where we can excel through excellence of work contribution.

Women need safe work environments that are free of sexual innuendos, undertones, and outright harassment.

These are just some of the thoughts I’ve had about this subject for a very long time. This just keeps coming up. Over and over again. I figured it was about time to write it down. 

As for me? I chose this field. I do not regret it. The career path has been most fulfilling for a logical brained person like myself (I’m reading that left/right brain isn’t really a thing). But. I really don’t appreciate a lot of the garbage I’ve had to tolerate to stay IN this field. I’m not alone in this. I have female co-workers, and we all have this fight. I do want to be clear that the vast majority of my male co-workers are great and don’t engage in the cited abhorrent behavior (5&6). But it’s here, and this is not where we need to be. We have a long way to go, and it’s going to take a village to get there. 

Women need true allies in this fight.  Will you be our ally?

Tuesday, February 23, 2016

When World(view)s Collide

Several have asked my opinion on the matter of the FBI vs. Apple, in which a court has ordered Apple, Inc. to assist the FBI in obtaining access to a locked iPhone, belonging to the San Bernardino shooter. This is not a black & white matter: it is highly complex and pits public safety against both the privacy (and potentially safety) of individuals and the rights of stockholders. It is a matter in which all citizens should be concerned. It has quite a few implications that present serious questions that should be debated openly, rather than being addressed by litigation and/or legislation, crafted by people who do not understand the technical implications of such.

Full disclosure: I am a cyber security professional and have worked in the field since the mid 1990’s. Our focus is to protect, not to break. My first assignment in the field was rewriting portions of an operating system to make it more secure -- to prevent breakage. Prior to that, I developed software for IBM. I now support the Department of Homeland Security’s cyber security research and development (R&D) division. My DHS customer has a program focused on producing forensic analysis tools to assist law enforcement in the recovery and analysis of compute devices involved in criminal investigations. This includes iPhones and Android-based smart phones. My customer also has a program focused on protecting citizen privacy, along with numerous programs focused on preventing breakages. Given that bad guys also use compute devices to aid their criminal activities, I firmly believe we need all of the above. I do not believe that any one is more or less important than the others: we shouldn’t tie the hands of law enforcement, but at the same time, we shouldn’t compromise privacy and safety.

While many of my colleagues are pondering the Apple case, there is no consensus opinion on the matter. I have personally waited to weigh in as I wanted to let more of the facts present themselves prior to coming to any firm conclusion. There are many opinions flying around on the Internet, but these opinions are not facts, and often such are formed by considering only a small fraction of the facts and are emotionally driven. There are also a lot of conspiracy theories out there regarding the FBI’s intent.

Here’s some background so that you can understand exactly what is going on here and the purpose behind the FBI request. The new Apple iOS (device operating system) is designed to prevent successful password guessing attacks. The device data is encrypted using the user’s password/pin code. When a user unlocks his device, the data is decrypted, and he can use his data. However, if the password/pin code on these devices is entered incorrectly 5-6 times, the device locks up completely, and there is no possible way to recover the device data at that point. This is by design to protect users when their devices are lost or stolen. Prior to this design, thieves could simply keep guessing 4 digit pin codes until they unlocked the device and then gained access to all of a person’s accounts (social media, email, and potentially very sensitive things such as banking accounts.) I ran into this myself with my iPad, where I accidentally entered an old password too many times. Had I backed up my device to the Apple iCloud, I wouldn’t have had to reinstall from scratch -- I could have simply wiped the device and had it restore from my iCloud account. I do not, however, trust my data in the cloud (for good reason), so that meant I had to reinstall (I have since discovered that I can back up directly to my local iTunes, which I can store on an encrypted drive). While I was really annoyed at having to reinstall, this move by Apple is definitely in the best interest of their customers. Unfortunately, there’s a downside to this security design: it not only locks out criminals, it also locks out law enforcement. Enter the FBI.

For those who care to read, here is the actual court order. The court order doesn’t just insist that Apple aid the FBI in accessing the data (which it was already doing): it prescribes a specific technical solution to the problem. In summary, the technical direction imposed on Apple by the court is that Apple is to provide a solution that the FBI can load on the phone under or around the iOS operating system that will enable the FBI to do a brute force password/pin attack on the phone without causing it to brick (permanently stop working). The key language is this: "The [software image file] will load and run from Random Access Memory ("RAM") and will not modify the iOS on the actual phone, the user data partition or system partition on the device's flash memory."

Some key points and questions to consider:

1) What Apple is being asked to do is dangerously close to a nation-state level attack: this is something that a Chinese or Russian cyber soldier might do. It is disconcerting that the FBI is asking Apple to do this for numerous reasons, the least of which is the implication that our government does not possess such a capability. Our enemies most likely do. 

2) Who should bear the responsibility (and cost) for law enforcement’s capabilities, or lack thereof? Should companies be required to undermine their own technology? E.g., a lock company engineers a new door lock that cannot be picked. Should that lock company be required to create a means whereby law enforcement can subvert the lock and gain access to a physical building?

3) The FBI argues that since technology changes rapidly, what they are asking for will have limited life value. They claim that it is nearly a one-time-use capability. It is true that Apple will continue to develop new technology, and they may well be able to engineer a new phone that is not susceptible to the malicious firmware they are being forced to create. However, given that cellular providers have moved away from renew-every-two plans that subsidize phone costs and that the public is now seeing the full cost of these devices, it is more likely that end users will hold onto devices longer than two years. Until Apple produces a new, non-vulnerable phone and customers upgrade, people will continue to be vulnerable to password cracking attacks on these phones. Are we willing to put a large class of people at risk of attack in order to potentially gain information that will save other lives? Whose lives and property are more valuable?

4) Developing technology costs money, and someone has to pay for it. Apple invested a significant amount of money and time into designing a new, secure phone to protect its customer base. What they are being asked to do will devalue that investment, which affects both Apple and its shareholders. What incentive will companies have to make such investments in the future, if courts will simply compel them to undermine the technology resulting from such investments? This precedent could have far reaching implications for secure solutions in the long term.

5) By forcing Apple to undermine the security of this phone, every customer who bought will have to upgrade if they want to get a new phone that isn’t susceptible to the attack. Upgrading is not free. That means that every Apple customer who bought a like phone will suffer financial loss, simply because one person committed a crime using it. And, there is no guarantee that a newly engineered phone won’t subsequently be used in a crime and Apple again be required by court order to subvert the security of the new phone. Is this something we are willing to accept?

6) Sometimes when people need something, they ask for a specific means to get what they need rather than just what they need. Is the specific means requested by the FBI in the court order the ONLY way to gain access to the data? If not, what are the alternate means and which of those pose the least long term risk to iPhone users and to Apple’s shareholders? In other words, is there a different way of getting the FBI what they need without jeopardizing the safety and security of a large segment of the population?

All that said, public safety is of vital importance, and the FBI is tasked with providing just that. There may well be critical information on the subject phone that could save countless lives. Or, there may not be. We won’t know until law enforcement gains access to the phone’s data. So the question we need to ask ourselves is whether or not gaining the information is worth the cost of all the potential impacts, and if we do not proceed with forcing Apple to do what is asked and a lot of people die as a result, are we willing to accept that?

As a society, we need to decide when it is acceptable to compromise the privacy (and potentially safety) of individuals in the name of public safety. We need open debate on this topic. On the surface, this may seem like a no-brainer: we should always err on the side of public safety. But it’s not that simple in cases where the solution may in fact put the public at greater safety risk than the risk one is trying to address in the first place. And herein lies the core of the problem in the current situation.

-- a.k.a. geek girl

Tuesday, November 4, 2014

On How to Get Your Tongue Unstuck


ed·i·to·ri·al·ize, verb: to inject personal interpretations or opinions into an otherwise factual account.

It is quite difficult for a human who has strong opinions to write a news article devoid of editorial comments stemming from his personal biases. These comments often creep into articles in the form of descriptive adjectives that convey matters of judgment, although they can be found in other descriptive words. Good editors are supposed to find and expunge such from articles prior to print, but sadly, good editors seem to be non-existent at present.

So, why is editorializing in news articles bad? Because the writer is telling the reader not what happened, but rather what to think about what happened. This leads to “group think” and biases readers. In the case of an ongoing murder trial, for example, this practice can result in the accused receiving an unfair trial by his peers and being wrongly convicted.

Editorializing is extremely prevalent in political reports because almost all writers have very strong convictions about their politics. This is very dangerous because it gives an enormous amount of power to the news media in swaying public opinion and shaping the political landscape. I suppose we are just fortunate that we have both conservative and liberal news outlets to balance each other out. *sigh* It is also my opinion that biased news reports are in a large way responsible for polarizing the public.

I have noted that while many people accuse the media of being biased, these same people seem to think that only the media that opposes their own views is biased. The truth is this: editorializing is found in both conservative and liberal news outlets. One of the valuable exercises we did in my high school journalism class was to take the two town papers, one liberal and one conservative, and compare news reports from each about the same event. It was eye-opening to find that the articles seemed to be about two entirely different events. Then we had to correct each without editorializing.

Just to prove that the bias exists on both sides, here are two examples from around the 2012 elections.

From the Washington Times, a conservative newspaper.

Obama to break recent precedent, will stump during RNC
August 23, 2012

In discussing President Obama’s decision to campaign during the GOP convention, the writer stated: “By going on the road, Mr. Obama is bucking protocol. Incumbents usually stay home while the opposing party plots their defeat.”

The verb “bucking” means “to resist or oppose obstinately; object strongly to.” “Obstinate” is a matter of judgment and casts a negative light on the President’s decision to campaign during this time. Therefore, the word “bucking” is inappropriate and unnecessary in this news report.

What the reporter should have said was something like:

“By campaigning on the road during the GOP convention, Mr. Obama is going against the long-standing tradition of staying home during the opposing party’s convention.”

From the Washington Post, a liberal newspaper.

Mitt Romney says plan will achieve North American energy independence by 2020
August 23, 2012

The writer began his article with: “Mitt Romney morphed into a traveling salesman here Thursday as he gave his best pitch for an energy plan that’s big on loosening environmental regulations and expanding domestic oil drilling and coal production.”

First, while I appreciate the amusing phrase, “morphed into a traveling salesman”, it belongs in a creative writing exercise, not a news article. Sorry, news articles are not about being creative. They are about reporting facts. Second, “traveling salesman” has a bad connotation in our society. Most people don’t like solicitors and some get outright hostile toward them (myself included, if it’s on the phone). To draw a parallel between Mr. Romney’s campaigning and a “traveling salesman” is to cast a negative light on what he is doing. Next, “best pitch”. “Best” is a superlative, implying that Mr. Romney cannot do any better. Determining if something is “best” is a judgment call. Judgment calls have no place in news reports. The “traveling salesman” parallel and the use of the superlative “best” are inappropriate and unnecessary in this news report.

What the reporter should have said was something like: 

“Mitt Romney campaigned in Hobbs, New Mexico, on Thursday, highlighting his energy plan, which features less environmental regulations and more domestic drilling and coal production.”

And so, my challenge to all my friends is this: if you are conservative, read a news article from a conservative news outlet and look at the descriptive words used. Pull out your dictionary and look at the connotation associated with the words. Is the connotation something that falls in the category of “judgment call”? If so, it’s editorializing and biased. And for my liberal friends, do the same thing only looking at news articles from liberal outlets. In my own experience, I have found it easy to spot editorial comments in news articles with which I disagree, but difficult to spot in those with which I agree. Why is this? Because we often think our own opinion is fact. It is not. While it is hard to see bias in statements with which we agree, it is not impossible. But you do have to train yourself to look for it. And once you do, you can begin to get your tongue unstuck from the extreme political poles.

I Triple Dog Dare You ;)

Addendum, 3/19/2015:
This issue applies equally (and possibly more so) to cable news stations and shows. A 2013 report from the Pew Research Center on The State of the News Media 2013 found that Fox News injects opinion into 55% of its material. CNN was similarly found to inject opinion 45% of the time. MSNBC? A whopping 85% of the time. For the purposes of this study, a story was considered to be commentary/opinion if at least 25% of the time, it included opinionated statements. 

Both Business Insider and Forbes reported on this study.  As the writer in Forbes said, "If you’re like most cable news viewers, you probably think the channel you favor has a monopoly on the facts and the other ones are nothing more than a bunch of ranting. In fact, which cable network is the most opinionated is not a matter of opinion."  Viewer beware.

Monday, October 27, 2014

Everything you ever needed to know about gluten, in a nutshell

Sadly, there are a lot of misconceptions out there about gluten and gluten free diets. It seems we need a bit of education here. In a nutshell, everything you ever needed to know about gluten:

  1. Gluten is a protein found in wheat, barley and rye. 
  2. Gluten sensitivity is not the same thing as wheat allergy.
  3. Most people can safely eat gluten. 
  4. Contrary to popular belief, eating gluten free is a completely healthy way of eating. No one suffers from a gluten free diet (other than mentally craving Cinnabons.) This includes people who can safely eat it. This is according to the Mayo Clinic.
  5. Consuming gluten (and even using gluten products on the skin) is a VERY real issue for some people. 
  6. People with Celiac disease cannot safely eat gluten. According to the Mayo Clinic, about 1 in 100 people have Celiac disease (many of whom are undiagnosed). For these people, gluten is very dangerous. If a Celiac continues to eat gluten, it can lead to lymphoma and/or colon cancer. The only treatment for Celiac disease is complete avoidance of any gluten. Even microscopic amounts can make a Celiac very ill. Cross contamination in kitchens is a very serious issue for these people, and many cannot eat out for this reason.
  7. There are people who do not have Celiac disease but do have varying levels of sensitivity to gluten and should avoid gluten in their diets. These people are said to have Non-Celiac Gluten Sensitivity (NCGS). Their symptoms range widely and are not limited to gastrointestinal issues; in many cases, gastrointestinal symptoms do not present at all. The amounts of gluten their systems can tolerate also range widely. Avoidance of gluten has been clinically shown to improve their symptoms.
  8. There are recent medical studies linking gluten to many common health issues such as thyroid disease, ADHD, and autism. These studies are not conclusive and additional studies are needed. Anecdotal evidence does seem to indicate a connection in many cases, and some doctors are proceeding to prescribe gluten free diets for these people since there is no harm in a gluten free diet. 
  9. People do not lose weight by avoiding gluten in their diets. People lose weight by cutting out empty processed carbs and replacing with healthy whole foods. Simply substituting gluten-filled junk with gluten-free junk is not the answer.  Oh, and eating fewer calories and exercising helps...
  10. Products labeled as "gluten free" in supermarkets are not always 100% free of gluten. The FDA has set a gluten limit of less than 20 parts per million (ppm) for foods that carry the label “gluten-free,” “no gluten,” “free of gluten,” or “without gluten.”  Just another reason for Celiacs and gluten sensitive people to avoid processed foods.
For those who think avoidance of gluten is just a silly fad, please take the time to read these articles by the Mayo Clinic: 

Discussions of medical studies and advances in Celiac Disease:

And finally, when considering medical studies, it is really important to look at the sample size and statistical power used in the study. Here is a talk on this subject, which explains the proper use of statistics in experiments in order to get meaningful results.

Thursday, August 14, 2014

On Going for the Gold: Issues with Mobile App Permissions

Or To Mobile Facebook or Not To Mobile Facebook: That is the Question

Recently, Facebook began forcing its smartphone app users to install an additional Messenger app in order to use its messaging service. This move has, yet again, put Facebook in the spotlight of public anger. Some were initially angry that they were being forced to install a bloated app that uses excessive space, battery, and data. But as Android users began installing the app, they were shown the required permissions for the app and became alarmed. The app requires permissions such as reading and sending SMS text messages, reading and modifying contacts, and knowing when the phone is in use, what number you are connected to, being able to dial numbers -- all without your approval -- and a whole host of other permissions as well. 

Facebook finally responded, explaining why Messenger needs some of these permissions. All required permissions were not explained, however. 

Is the Sky Really Falling?

Some big newspapers such as USA Today began circulating "myths" of the Facebook Messenger app, downplaying the seriousness of Facebook's excessive permission grabbing on consumer smartphones. Even Snopes joined in an effort to placate the public. They rightly point out that the Messenger app does not require any additional permissions beyond the base Facebook app.

The conclusion that some are reaching as a result of media downplaying is that since the Facebook app requires excessive permissions, then the Messenger app is okay to require excessive permissions.  Is this a valid conclusion? Let's examine the actual permissions that the Facebook app requires to run on Android smartphones.

Above are the three screens from an Android smartphone for the permissions required by the Facebook app. That's a lot of permissions. 

Does Facebook really need to read your phone call log? Does it really need to read the content of your SMS text messages? You do remember the old text messaging that people did on phones before smartphones existed, right? Does Facebook need to read or modify the calendar on your device? Does it need to send email to people on your Google calendar invites without your knowledge? Does it need to change your Wi-Fi connection? Does it need to read or add accounts to your phone? Does it need to see what other apps are running? Really???? 

I'm sure that Mark Zuckerberg would argue that Facebook indeed does need all these permissions, and certainly if one's goal is to make Facebook be the center of your life and the interface through which you do all communications, then absolutely, Facebook needs all of those permissions. But do YOU want Facebook to have that level of access and control over your life?
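The questions above can be asked of any Android app by auditing the permissions its manifest requests and checking which of them the vendor has actually explained. The following is an added example, not code from this post or from Facebook: it assumes the app's manifest has already been decoded to text XML, and the sample manifest, the package name and the EXPLAINED set are constructed for illustration.

```python
"""Audit the permissions an Android app requests (added example)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Attribute name of android:name once the XML namespace is expanded.
NAME_ATTR = "{http://schemas.android.com/apk/res/android}name"
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Android permission names for the capabilities questioned in the post,
# grouped by the kind of personal data or device control they expose.
SENSITIVE = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.READ_CONTACTS": "Contacts",
    "android.permission.WRITE_CONTACTS": "Contacts",
    "android.permission.READ_CALL_LOG": "Phone",
    "android.permission.READ_PHONE_STATE": "Phone",
    "android.permission.CALL_PHONE": "Phone",
    "android.permission.READ_CALENDAR": "Calendar",
    "android.permission.WRITE_CALENDAR": "Calendar",
    "android.permission.GET_ACCOUNTS": "Accounts",
    "android.permission.CHANGE_WIFI_STATE": "Network",
    "android.permission.GET_TASKS": "Running apps",
}

# Constructed sample manifest; this is NOT the real Facebook manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.socialapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Social App"/>
</manifest>
""".strip()

# Constructed: permissions for which the hypothetical vendor published a reason.
EXPLAINED = {
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.CALL_PHONE",
}


def requested_permissions(manifest_xml):
    """Return the unique permission names a manifest requests, in order."""
    # The standard-library parser is fine for manifests you trust; for
    # manifests from unknown APKs, a hardened parser such as defusedxml
    # is the safer choice.
    root = ET.fromstring(manifest_xml)
    seen, names = set(), []
    for elem in root:
        if elem.tag in PERMISSION_TAGS:
            name = elem.get(NAME_ATTR)
            if name and name not in seen:
                seen.add(name)
                names.append(name)
    return names


def audit(manifest_xml, explained):
    """Group sensitive permissions by category and list the unexplained ones.

    Returns (grouped, unexplained): grouped maps a category such as "SMS" to
    the sensitive permissions requested in it; unexplained lists the sensitive
    permissions that are absent from the `explained` set.
    """
    grouped = defaultdict(list)
    unexplained = []
    for perm in requested_permissions(manifest_xml):
        category = SENSITIVE.get(perm)
        if category is None:
            continue  # not in the table above (e.g. INTERNET); not flagged
        grouped[category].append(perm)
        if perm not in explained:
            unexplained.append(perm)
    return dict(grouped), unexplained


if __name__ == "__main__":
    grouped, unexplained = audit(SAMPLE_MANIFEST, EXPLAINED)
    for category, perms in sorted(grouped.items()):
        print(f"{category}: {', '.join(p.rsplit('.', 1)[1] for p in perms)}")
    print(f"{len(unexplained)} sensitive permissions have no stated reason:")
    for perm in unexplained:
        print("  " + perm)
```
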

Three reasons not to use the Facebook or Messenger Apps on your smartphone

1. Facebook's business is to sell advertising. YOU are the product. 

Currently, Facebook collects and uses anything and everything you post, like, comment on or share through their private messaging service to improve their targeted marketing. They really cannot be faulted for this: Users do not pay to use Facebook services, and Facebook has to make a profit. As long as users are aware of what Facebook is doing, they can simply choose to not share certain aspects of their lives via Facebook. So you choose to tell your best friend the exciting news about your pregnancy, that you haven't even shared with your parents, using SMS text messages rather than via the FBig-brother channel. End of story. Right?

Well, not so fast... 

Smartphones are quickly becoming the central integration point for all communications and services for an individual. People make dinner reservations, buy movie tickets, plan their travel, arrange for a tow truck, do their banking, manage their health care, control their alarm systems, control their appliances and lights... you name it, they do it -- all from their smartphones. Indeed, the days of the "land line" phone are limited. As cell phone plans now have unlimited toll free calling, many people are opting to rid themselves of the additional cost of home phones, which seldom ring for anything other than a phone solicitor. For these people, smartphone contacts include their entire set of friends, family, doctors, and those with whom they conduct business. And smartphones retain active logins to pretty much all these services plus email and social media. Smartphones are a gold mine.

In fact, smartphones are such a gold mine that police have been searching them when they stop people for simple traffic violations. Because of the privacy issues associated with smartphones, the Supreme Court recently ruled that police may not search a person's smartphone without a court-issued warrant.

When you install a smartphone app (which is actual code) on your phone, and it requires permissions, such as those the Facebook app requires, that app has access to, well, the gold. So essentially you are giving the app access to that which the Supreme Court has ruled that law enforcement cannot get without a court order.

So ask yourself, do you really want to give Facebook access to your gold? You might say, "They wouldn't misuse their privilege", which leads me to my next point.

2. Facebook cannot be trusted to act ethically. 

Facebook recently was found to have collaborated with Cornell University to conduct a social experiment on its users without their knowledge or express consent. They published results of the study entitled "Experimental evidence of massive-scale emotional contagion through social networks" in the Proceedings of the National Academy of Sciences. The nature of the experiment is one which, for research conducted by any reputable research organization, requires approval by an Institutional Review Board (IRB). Such approval was neither sought nor received.

The Department of Homeland Security's Science and Technology Cyber Security Division funded and published the 2012 Menlo Report, which discusses ethics in conducting these kinds of online experiments. In section C.2.1, the report states,

"Informed consent is a process during which the researcher accurately describes the project and its risks to subjects and they accept the risks and agree to participate or decline. Subjects must be free to withdraw from research participation without negative consequences."

Indeed, the irony that Facebook's home is in Menlo Park is astounding.

So how was this justified? Facebook claimed that in order to have an account with them, users had to agree to their usage policy, and that the policy authorized the experiment. They specifically cited the following part of their policy.

“[I]n addition to helping people see and find things that you do and share, we may use the information we receive about you…for internal operations, including troubleshooting, data analysis, testing, research and service improvement.”

In essence, Facebook claims that every single user agreed to be a lab rat simply by creating an account with them, an act which required acceptance of their usage policy. This recent revelation has raised all kinds of questions about the ethics of the Facebook company.  

Why is this relevant to mobile app permissions? If Facebook interpreted their usage policy to include coverage of social experiments without the user's knowledge or consent, then how can they be trusted to not interpret the installation of the Facebook app as covering the mining of information from user phones? After all, when you installed that app, you agreed to give it the permissions it requested.

But... why in the world would they want access to all your "gold"? Remember: YOU are the product. What better way to have the world's best marketing engine than to be able to use personal data mined from user smartphones to refine one's advertising targeting engine? One day you're calling Joe's Deck Repair on your phone, and the next thing you know, ads for Joe's competitors are popping up in your news feed. Oh, and remember that pregnancy secret that you shared with your best friend via SMS text? Pampers and Similac have your number...

3. Widely used software attracts hackers. 

Maybe you don't care if Facebook spams you with ads based on information they mine from your phone, outside the actual Facebook service. Or... even if Facebook could be trusted to act ethically, the same trust simply cannot be extended to hackers. 

Pay special attention here. This is IMPORTANT. The permissions that the Facebook app requires are the exact permissions that hackers want on your phone. By installing a widely used app that has so much privilege on your phone, you have made yourself a big, fat target. Once an attacker gets control of the app, he has the same privilege as the app on your phone.

"But I'm a nobody. No hacker would come after me." Oh really? Have you heard of identity theft? The Infosec Institute published an article about cyber crime against the financial industry, which included a discussion about malware placed on bank customer smartphones via an app in the Google Play store. Be very careful about what you install.

Should I really be concerned about Messenger then?

Back to the question I first asked: Is it a valid conclusion that since the Facebook app requires excessive permissions, then the Messenger app is okay to require excessive permissions and that I should not be concerned? Absolutely, unequivocally no. The truth is, you should be concerned about both.

You also need to consider that other social media apps require some pretty outrageous permissions too. This is not a "Facebook Only" problem. Are you willing to grant gold access to these app providers? 

So what do I do now?

Should I get off Facebook and/or social media entirely? That's up to you. I'm not, but I will not use any social media smartphone apps. Using Facebook on a PC or laptop does have risk, but it's a very different kind of risk than that posed by excessive app permissions. Every person must evaluate and decide the level of risk he or she is willing to take. 

Ask yourself if you really need to be plugged in to social media 24x7. For those who really feel the need to use Facebook, Twitter, or other social media on their smartphones, here is an alternate way of doing it that grants less privilege to the service and hence supports fewer features.

ATTENTION Android Users: Did you know that you really don't need special apps to use social media on your smartphone? That's right. There is a way to do social media on your phone without installing a bunch of battery draining, privacy violating apps. Enter Google Chrome. Simply point the browser on your phone to the social media site of your choice and log in. Next, create a bookmark to the site. Finally, add the bookmark to your home screen using the "Add to homescreen" option within Chrome. The bookmark will show up as an icon that you can move around just like any other icon. Simply tap the icon to be taken to the social media site.

This method works for really any social media that works via a web browser on your PC. I've tested it with Facebook, Twitter, and Google+, and each works seamlessly. The main capability you lose is being automatically notified of posts or messages. That's a small price to pay that will actually save battery and data usage on your phone. If you really want to be notified, Facebook can be configured to send email notices when posts are made or messages sent. Personally, I don't need to be THAT plugged in. 

BEFORE DOING THIS, you should review the permissions that Chrome requires and make sure you are comfortable with those permissions. Chrome also requires camera and microphone access, but at least it doesn't access your phone, contacts, calendar and email. The above described access method likely works with other browsers as well, and you may find a browser that is even more restricted than Chrome.


Organizations that downplay the seriousness of this matter are doing the public a gross disservice by giving the impression that app permission grabbing is nothing to be concerned about. Further, they are missing a real opportunity to educate the public. Their behavior is, quite frankly, irresponsible.

The whole approach to granting all permissions on a promise to use them minimally flies in the face of cyber security best practices, which dictate role-based separation and least privilege operation. To help with that, Google needs to change the Android app permission model to allow even more fine grained permissions. Developers need to allow users to pick and choose which app features they want to use, based on permissions each feature requires, and Android needs to enforce the subset of permissions required. Facebook has the opportunity to lead the way by separating the Messenger capability completely out of the Facebook app and reducing the privileges required for each to just the subset needed for each app's purpose. Will they? We can only hope. We need leaders in the high tech industry who are committed to public safety over the almighty dollar.

Finally, we should thank Facebook for bringing this matter of app permissions to light, as they aren't the only ones doing this. When installing apps on your smartphone, don't just click through the permissions. Look at each and ask yourself if you really want to give your gold to that app.
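
The per-feature permission model proposed above can be sketched in a few lines. This is an added example, not code from Facebook, Android, or this blog: the manifest is constructed for a hypothetical app, and the feature-to-permission map and function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Constructed manifest for a hypothetical app (not any real app's manifest).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.socialapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.WRITE_CALENDAR"/>
  <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
</manifest>"""

# Hypothetical map of user-visible features to the permissions each one needs.
FEATURES = {
    "news_feed": {P + "INTERNET"},
    "photo_upload": {P + "INTERNET", P + "CAMERA"},
    "voice_message": {P + "INTERNET", P + "RECORD_AUDIO"},
    "find_friends": {P + "INTERNET", P + "READ_CONTACTS"},
    "sms_login_code": {P + "READ_SMS"},
    "event_sync": {P + "READ_CALENDAR", P + "WRITE_CALENDAR"},
}


def declared_permissions(manifest_xml):
    """Return the permission names listed in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def least_privilege_plan(manifest_xml, chosen_features):
    """Split declared permissions by whether the chosen features need them."""
    unknown = sorted(set(chosen_features) - set(FEATURES))
    if unknown:
        raise ValueError(f"unknown feature(s): {unknown}")
    declared = declared_permissions(manifest_xml)
    needed = set().union(*(FEATURES[f] for f in chosen_features))
    justified = set().union(*FEATURES.values())
    return {
        "grant": sorted(needed & declared),          # enforce only this subset
        "undeclared": sorted(needed - declared),     # feature cannot work as shipped
        "withhold": sorted(declared - needed),       # requested, but not for these features
        "unexplained": sorted(declared - justified), # no documented feature needs it
    }


if __name__ == "__main__":
    plan = least_privilege_plan(SAMPLE_MANIFEST, ["news_feed", "photo_upload"])
    for bucket, perms in plan.items():
        print(f"{bucket}: {len(perms)}")
        for perm in perms:
            print("   ", perm)
```

The "unexplained" bucket is the interesting one for a reviewer: it lists every permission the app asks for that no documented feature accounts for.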

Friday, June 14, 2013

Tilting at Windmills

Our society is ill. A simple scan of the local news and listening in on police scanners reveals a not so insignificant amount of daily crime. Burglaries, thefts, fraud, extortion, stabbings, beatings, rape, murders. These things abound, and yet we don't know why and how to stop it.

Let's consider the recent Boston bombing by the Tsarnaev brothers. These brothers made and used pressure cooker bombs to kill people. That was illegal. They killed an MIT police officer. That was illegal. They robbed a 7-11. That was illegal. They engaged in a shoot out with police. That was illegal. They were in possession of unregistered guns. That was illegal. They car-jacked a Mercedes SUV. That was illegal. They fled from police, resisting arrest. That was illegal. They broke many laws. Why did our laws not stop them?

I posit the following answer: laws cannot stop evil people from committing crimes against society. A person of free will who chooses what he will or won't do can always choose to do something that violates existing law. Always. Think about a society of people with no ability to make choices. Such would be the equivalent of a robotic society. Just consider a lesser offense: when was the last time you didn't exceed the speed limit to pass a slow poke on the road? You used your judgment and justified (to yourself) that exceeding the speed limit was acceptable, even though the law makes no such exception. That is illegal.

Someone has asked: why even have laws, if criminals won't abide by them anyway? Laws define what is acceptable and unacceptable in a society, and thereby define what is crime. Without law, there is no crime and hence, no criminals. While laws cannot stop crimes, they do give us the means by which we punish those who refuse to behave in society. Society's hope is that these people will learn over time to behave in an acceptable way, much like a child whose parent disciplines him in hopes of teaching him "good manners". Many (or perhaps most) of these miscreants will not. Such must be dealt with by society in order to maintain civility.

In the wake of tragic events perpetrated by evil people, the reaction is always to pass more laws. After all, we must do something to prevent such from happening again. Yet evil people simply will not obey the laws they do not want to obey. Somehow we ignore this fact and have created in our minds an imaginary adversary who can be constrained by an invisible legal force field. If laws cannot stop evil people from committing crimes against society, then the creation of new laws to stop crimes does nothing more than create a false sense of security. In trying to constrain this imaginary evil doer with more law, are we not tilting at windmills?

Sunday, September 11, 2011

Shattered Illusions

A tribute to those who fell on September 11, 2001

We hang suspended in the moment as we realize we are under attack.

7:58 a.m. - United Airlines Flight 175 departs Boston for Los Angeles, carrying 56 passengers, two pilots, and seven flight attendants. The Boeing 767 is hijacked after takeoff and diverted to New York.

7:59 a.m. - American Airlines Flight 11 departs Boston for Los Angeles, carrying 81 passengers, two pilots, and nine flight attendants. This Boeing 767 is also hijacked and diverted to New York.

8:01 a.m. - United Airlines Flight 93, a Boeing 757 carrying 38 passengers, two pilots, and five flight attendants, leaves Newark, N.J., for San Francisco. It is hijacked after takeoff.

8:10 a.m. - American Airlines Flight 77 departs Washington's Dulles International Airport for Los Angeles, carrying 58 passengers, two pilots, and four flight attendants. The Boeing 757 is hijacked after takeoff.

8:37 a.m. – NORAD is notified that Flight 11 has been hijacked.

8:46 a.m. - American Flight 11 from Boston crashes into the North Tower at the World Trade Center.

8:53 a.m. – Two F-15’s are scrambled from Otis Air National Guard Base in Massachusetts.

9:03 a.m. - United Flight 175 from Boston crashes into the South Tower at the World Trade Center.

- U.S. Federal Aviation Administration shuts down all New York area airports.

9:21 a.m. - Bridges and tunnels leading into New York City are closed.

9:25 a.m. - All domestic flights are grounded by U.S. Federal Aviation Administration.

9:30 a.m. – More fighter jets are scrambled from Langley Air Force Base in Virginia.

9:45 a.m. - American Flight 77 crashes into The Pentagon.

10:05 a.m. - The South Tower at the World Trade Center collapses.

10:05 a.m. - The White House is evacuated.

10:10 a.m. - A large section of one side of The Pentagon collapses.

10:10 a.m. - United Flight 93 crashes in a wooded area in Pennsylvania, after passengers confront hijackers.

10:20 a.m. – Orders are issued to shoot down any commercial aircraft positively identified as being hijacked.

10:28 a.m. - The North Tower at the World Trade Center collapses.

Never Forget. Copyright 2015 Laura S. Tinnel. www.ImagesByLauraLynn.com

The September morning’s crystal clear blue skies are accompanied by comfortable temperatures telling me that summer’s heat is finally gone. College football season has officially begun, and autumn scenes are now beginning to dance in my head. My sons, ages 6 and 8, are finally back in school: another sign of summer’s passing. My baby is experiencing his sixth day as a 1st grader, and even though he still believes in Santa Claus, he is starting to turn into a little man.

While my sons are busy searching backpacks for lost homework and learning to raise their hands rather than blurting out answers, I am at home working. Oddly, so is my husband: the first anomaly of my day. I sit in my usual spot, typing and nuzzling my mug of freshly brewed coffee, the aroma swirling lazily around my head.

My co-workers are busy in the office churning out computer code while I am beginning my day. I am researching the computer systems used on board U.S. Navy carriers and submarines and at U.S. Air Force bases. This knowledge will soon be shaped and formed into a grand challenge problem for a DARPA-funded research program in strategic cyber defense. I am surprised at the breadth of information readily available on the Internet: names and skills of ship personnel, capabilities and software systems (including version numbers), general locations, etc… It is a true gold mine for anyone plotting evil deeds. I sit contemplating who the adversary might be and what he would do and how.

An instant message interrupts my thoughts: “Turn on the news”. Dutifully, I leave my computer and go to the family room, where I turn on the television. I see a passenger jet sticking out of the north tower of the World Trade Center in New York City. Black smoke billows out. “Joel!” He comes bounding up the stairs from his basement man-cave. We stand speculating on the possible causes of such an accident when a second plane strikes the south tower. The realization that this is no accident strikes us like a head-on collision. We hang suspended in the moment as we realize we are under attack.

Passenger airliners as missiles. Who could have thought it? Whoever “they” are, they are using our own technology, our own system, and our very freedoms against us. It is a masterful plan, hinging on the element of surprise. Incredulously, I begin wondering how many other planes are in the air. Twenty-two minutes pass and a call comes to ground all planes followed by a report that fighter jets have been scrambled. A thick cloud of horror descends upon me at the thought of having to shoot down our own private citizens in our own planes.

And then it gets very close to home: a plane slams into the Pentagon, which is at best 30 miles from our house as the crow flies. Fear and panic grip me. What is the next target? Should we get our sons from school and head west to the mountains? Our sense of safety and security is ripped from us, like the young child whose older sibling spitefully tells him that Santa Claus is a fairy tale.

Life changes. We are afraid to go anywhere large groups are gathered: no malls, no theaters, no ballparks, no museums… We build up a supply of non-perishable food items, acquire a shortwave radio, and keep lots of cash on hand. We keep packed bags in the car trunk in the event emergency evacuation becomes necessary, and we do not let our gas tanks get more than half empty. We know communications will be nearly impossible when another attack comes, so we plan a route and rendezvous point, just in case we are not in the same place when it happens.

Society changes. Airports no longer allow non-passengers beyond security check points. Real silverware cannot be found inside the check points or on airplanes. Previously unclassified, open research becomes restricted from foreign national access. And as for that very detailed information I found on the Internet, it all disappears. But worse, the policies and practices for government viewing of private information change.

Benjamin Franklin is quoted as saying, “They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.” Our society is now faced with a critical conundrum: how can we remain open and free and at the same time protect ourselves from those who wish to exterminate us from the face of the earth?

We now realize that, in a free society, security is an illusion. Much like Neo’s awakening in The Matrix, the 9/11 terrorists did not take away our security; rather, they shattered the illusion. That is one illusion I would have preferred to keep.