Monday, November 28, 2011

Do We Really Need Technology Patents? Part II

OK, I really didn't mean to return so soon to the subject of patents.  It's not really on my my list of the most pressing issues facing society.  But sometimes something grabs your attention, and just won't let go until you take an opportunity to vent.

When I previously questioned the basis of patents, it was based on their value to society.  Today, Id like to explore a different but related concept: Are they fair?

Of course, theres no simple answer to that.  Fair is a cultural concept, and different people have widely different definitions.  Most people would have trouble in providing a useful and consistent definition of fair, but instead fit into the Ill know it when I see it camp.  If enough people have a similar reaction, then thats a reasonable approximation of fair, and Ill go with that for now.

On 11/27/2011, the New York Times profiled an enterprising high school student named Katherine Bomkamp.  Inspired by visits with amputees at the Walter Reed Army Medical Center, she set about to build a prosthetic limb that would treat phantom pain.

Her idea, to treat the stump with heat (under the principle that the same treatment works on strained muscles) is brilliant in its simplicity.  This is not a new problem, and her solution does not involve new technology.  Its simply a new idea that somehow eluded generations of doctors and inventors.  Assuming the tests confirm its effectiveness, and the patent search confirms no pre-existing technologies, then I will heartily agree that her case is exactly the sort of situation that patents were designed for.  I would consider it criminal if a major medical device maker simply took her idea without compensating her.

A patent in this situation fits my definition of fair.

But now, imagine youre a talented electrical engineer named Elisha Gray.  You've spent an enormous amount of time and energy creating a revolutionary new device that is capable of sending the sound of somebodys voice over electrical wires.  The implications are staggering.

You triumphantly take your idea to the patent office, only to discover that the same idea was filed a matter of hours before yours.  Not being awarded a patent is frustrating.  But infinitely worse is that you are now legally prohibited from using your own invention without paying royalties to somebody else.  Ill leave the accusations of theft and conspiracy out of this for the moment.  People may differ, but I classify this as not fair.

If multiple people are inventing the exact same idea at the exact same time, then its not clear that its fair or beneficial to restrict one persons rights in favor of anothers.  It's simply an idea whose time has come, and it would be hard to argue that a third or fourth person wouldnt stumble onto the same idea in a fairly short period of time.  The question is, how frequently does this happen?  Aside from the invention of the telephone (and calculus), do we really have an avalanche of competing ideas all coming to light at the exact same moment in time?

I say yes, but dont take my word for it.  Instead, lets look at a recently passed, and heavily lobbied, law called the America Invents Act (passed on September 26, 2011).

One of the key provisions of this act is that it switches the U.S. patent system from a "first to invent" to a "first to file" system.  Many people have argued about which of these methodologies is more fair, but it certainly has the advantage of being simpler to manage.  Figuring out exactly when the process of invention occurred is an exercise in mind numbing frustration.  I'm personally not in the habit of keeping a full diary of every thought that crosses my brain as I shower each morning.  Trying to settle a dispute between multiple inventors, all of whom have spotty record keeping but huge financial incentives to win, is going to be arbitrary and capricious.  At least a filing at the patent office comes with a reasonably accurate timestamp.  Fair or not, at least it's closer to objective.

This was a very hot topic, and a lot of lobbying money was spent to get it passed.  The question is: would anybody have cared if most patents went uncontested?  Of course not.  The only reason why this becomes a hot button issue is that these types of collisions happen all the time.  We are living in a fast moving age, surrounded by ideas whose time has come.  Granting multi-year exclusivity to one person or organization because they were a day or two faster to file the patent application than somebody else with the exact same idea is not in the best interests of society.

And more than that, its just not fair.

Monday, November 21, 2011

Hackable Everything - Part II

Last week, I titled my blog post "Hackable Everything" and stated that everything is potentially hackable.  Some people asked me if perhaps I was being a bit melodramatic.  Just because there have been some recent news about security flaws, does that really mean that everything is vulnerable?

An interesting question.

First of all, let me point out that encryption algorithms today are actually very good.  There was a time when government agencies such as the NSA could apply massive computing power to break widely used encryption (typically 56 bit DES).  During the 1990s, as the Internet grew in popularity and interest in encryption became more widespread, the government tried to figure out how to keep their ability to decipher electronic communications.  The Clinton administration famously (or infamously) tried to mandate the use of the Clipper chip, which would provide encryption, but also provide backdoor access to government agencies.

They failed.  Today, we routinely use encryption algorithms and keys which are beyond the capability of any known computer or collection of computers to break.

How sure are we of this?  Couldnt the NSA have some massive computer buried in a government bunker that blows away our estimates?

To grossly oversimplify things, let's note that for a well-designed, properly implemented encryption algorithm, the difficulty in breaking it is a function of the key size.  DES, once the most commonly used algorithm, used a 56 bit key.  Over time, computers grew in power to be able to defeat this using a brute force attack - that is, trying every possible combination until they found the key by pure luck.

How do you make a 56 bit key twice as hard to crack?  Double the key length to 112?  Nope.  You just have to add one bit to make it a 57 bit key.

As key sizes grow, the numbers grow so fast as to make your head spin.

An 8 bit key has 256 possibilities.  A child could crack this in minutes using pen and paper.
A 16 bit key has 65536 possibilities.  A pretty big number, but you can probably visualize it if you try.
A 32 bit key has 4.3 Billion possibilities.  This is roughly the number of seconds in 136 years.
A 64 bit key has 18.4 Quintillion possibilities.  This is roughly 468 million times greater than Warren Buffets fortune.
A 128 bit key has 340 Undecillion possibilities.  This is roughly 340 trillion times greater than the estimated number of stars in the Universe.

128 bits is pretty much the minimum key length used in symmetric encryption these days.  In 2008, 56 bit DES was demonstrated to be crackable within a day.  Assuming we could get this down to a second, cracking a 128 bit key would still take 149 trillion years.  Im comfortable that the NSA doesnt have a computer 149 trillion times more powerful than the state of the art, which could crack this in a year.  Bump the key size up to 256 or 512 bits just for fun, and you cant even come up with metaphors to express the difficulty.  You can knock this down significantly by extrapolating Moore's law will continue developing more and more powerful hardware over the next several decades, but assuming you're not trying to keep data secure for a century, you're good.

So why then do I say that anything can be hacked?

First of all, note the requirement that algorithms be well designed and properly implemented.  The problem is, you never know whether this is the case, except in hindsight.  WEP was once considered to be unbreakable wireless security.  Then it was noticed that the very powerful algorithms it uses were implemented in a sloppy fashion, making it easy to step right around them.  Today, a script kiddy with minimal technical knowledge can download free programs to break WEP using a standard laptop.

OK, thats a challenge, but with care and lots of testing, you can implement a pretty solid encryption algorithm with a high degree of confidence.  We have a number of algorithms and products that have been closely scrutinized by thousands of people.  Theyre probably pretty good.

The second challenge, however, is more difficult to solve.  All security is built upon trusting something.  (Ask yourself how secure an encrypted transaction with Bernie Madoff would have been.)  Anything you have to trust is a potentially vulnerable point in your security infrastructure.

For example, most security on the Internet depends on "Certificates", which enable a person to unambiguously assert their identity, encrypt their data, and make sure any messages they send can be tied accurately back to themselves.  Certificates are the foundation upon which most everything else is based.  Having your certificate be compromised is like opening the back door to the castle - it simply doesn't matter how thick your walls are, or how deep your moat is, if people can enter freely.  Recently, a number of Certificate Authorities have been hacked, including Diginotar and KPN.  Once the Certificate Authority is breached, some Certificates (perhaps all) issued by that Authority are no longer secure.

Here's the scary part: check your browser, and see how many Certificate Authorities it considers to be "trusted".  The answer is close to 600.

600 companies, any of which might have a weak password, or a poorly implemented algorithm, or a single open port on a server, or a pissed-off employee who didn't get the raise they really thought they deserved.  Every one of which your browser is trusting 100% to keep you secure.  Do you have the detailed technical and organizational knowledge to know if this trust is justified?  Have you even heard of Izenpe S.A. (which I just found in my Certificate list in Firefox)?  Diginotar didn't tell anybody about their breach for many months.  Would you know if others have already been breached?

Are you feeling safe now?

The third point is even more difficult to come to terms with: data leaks.  No matter how secure the transmission is, it doesn't matter if somebody can read your data before it's encrypted at the end points.  Who cares if you use 1024 bit encryption if there's a keystroke logger installed on your machine which captures everything you do before it can be encrypted?
Or maybe they don't even need a keystroke logger.  Try sitting in a room where somebody else is typing.  Close your eyes, and listen to the sound of their keystrokes.  Do you notice how they don't all sound quite the same?  (If you're not convinced, ask them to touch type for a few minutes, then hit the same key over and over again with one finger.)  Depending on the location in the keyboard, each key strike has a slightly different pitch and timbre.  Researchers at Georgia Tech recently demonstrated how the accelerometer in an iPhone 4 could determine what was being typed on a nearby keyboard with 80% accuracy.  This was considered a much more interesting demonstration than simply using the microphone, because the accelerometer is much less secure you usually get notified when the microphone is turned on.  How is  encryption going to save you from that?

Now granted, this iPhone exploit is not easily replicable - they needed the phone to be perfectly positioned, on the right type of table, and all sorts of other controllable factors.  But technology always gets better, and more pervasive.  How long before an iPhone can do the same type of detection from 10 feet away?  How long before somebody figures out how to do it using a laser microphone against your window from 300 feet away?  How long before the current proliferation of cameras and microphones in consumer, industrial and municipal devices means that you're always within range of some camera, somewhere?

When any one of them can potentially be hacked, how will you ever know that anything you say or type won't be monitored?

This all sounds like the stuff of spy movies.  You're probably thinking, "Sure, this could happen in theory.  But who's going to take the time and effort to go after me?"  That's probably true.  Until technology makes it so simple to do that your neighbor's kids can buy the necessary gear for less than $10.  Counterfeiting money was once the exclusive domain of organized crime.  Then we had a new generation of printers and copiers which could churn out perfect copies of dollar bills.  You'll notice our currency has gone through some significant redesigns in the last twenty years, adding many new security measures.  This wasn't to stop organized crime.  This was to stop the average consumer for whom temptation had become just a little too hard to resist.

This is the point where I'm supposed to editorialize, and point out that only with immediate action right now can we avoid calamity.  But I don't have any answers on this one.  If you do, I'd be interested to hear about it.  But first, find a venture capitalist and start a company to implement it, because security concerns are going to be one of the hottest topics of the twenty first century.

Monday, November 14, 2011

Hackable Everything - Part I

The internet was created on a dream.

What if computers could talk to each other?

It's easy to lose sight of what a revolutionary dream that once was.  There was a time when most computers were not sold with modems or network connections of any sort.  You transferred files by putting them on floppy disks.  If you were especially tech savvy, you hooked two PCs together through their parallel ports and were able to transfer files directly from one to the other.  It seemed like magic at the time.

Then Al Gore invented the internet, and suddenly computers all over the world could talk to each other.  This happened so suddenly that nobody knew what to do with it.  You think I'm kidding, but I'm not.  The first corporate websites in the 90s looked like they should be hanging on the walls of a third grade art class.  Take a look at some of these if you don't believe me.

Then we upgraded everybody to broadband, and figured out what to use the Internet for: just about anything you could do on a computer.  You could browse.  You could shop.  You could communicate.

Anything you could do on a computer.

What if we could connect to the internet without a computer?

Between shrinking chip sizes and mobile protocols such as wi-fi and bluetooth, this dream was barely formulated before it came to life.  Email on your cell phone?  Check.  Emergency service and navigation in your car?  No problem.  Bluetooth connectivity for your insulin pump?  Why not?

Maybe we should have tried a little harder to answer that last question.

Because the inventors were not the only ones dreaming.

What if any device with a network connection could be hacked?

Finding unintentional uses for computers is a past-time as old as computers itself.  One of the first demonstrations ever of a personal computer was done on a machine lacking a monitor and printer.  Lacking a formal method of output, the programmer timed the cycles of the CPU just right to cause the radio interference generated to play some simple songs from the static of a nearby radio.  Computers weren't designed to leak radio signals.  It was simply possible, and a really clever person figured out how to exploit it.

The world is chock full of really clever people.  Not all of them have good intentions.

The problem is, we still don't really understand our connected, online devices, any more than we really understood the internet back in the 90s.  We still expect them to act like old fashioned devices, just better.  Hacking an insulin pump?  Whoever heard of such a ridiculous notion?  When security researcher Jerome Radcliffe demonstrated that he could issue unauthorized commands to his insulin pump over bluetooth, the manufacturer, Medtronic, just laughed.  They issued a dismissive statement saying: "...there has never been a single reported incident of wireless tampering outside of controlled laboratory experiments in more than 30 years of use."  Because we haven't seen this before, it couldn't happen now.  Go away, and trust us.

Then McAfee reproduced the hack.  And improved it, so it could work from 300 feet away.  And demonstrated how easy it would be to request the pump to deliver a lethal dose of insulin.  Medtronic isn't laughing anymore.

On November 14th, the New York Times published an article discussing Google's top secret research labs, where researchers are figuring out, among other things, how to put just about anything on the internet.  Garden planters.  Coffee pots.  Refrigerators.

What happens if Google succeeds?  Could a clever hacker figure out how to shut your freezer off for a few days while you were away from home, then turn it back on, causing you to unknowingly eat spoiled and possibly lethal food?  How about turning on your furnace full blast in the middle of an August heat wave?  And God help us if they ever figure out how to hack one of Google's driverless cars.

We live in a brave new world.  Everything is going online.  Everything is potentially hackable.  Unimaginable opportunity.  Unimaginable risk.

Anybody who claims to know how this will play out is selling something.

Monday, November 7, 2011

Technology Dreaming

Dreaming about technology can be extremely seductive, because it can make the impossible suddenly very possible.  I'm not even talking about the big dreams like healing the sick, or feeding the hungry.  I'm talking about the very mundane details of how to run a business, which are anything but mundane if it happens to be your business.

Imagine if we could deliver a package anywhere in the world overnight.
Imagine if customers could withdraw money from the bank without needing a teller.
Imagine if we could order inventory just in time and massively shrink our warehouse.

The trouble with dreaming about technology is we forget that it is not always possible to achieve the impossible.  History is littered with failed ideas that seemed just within our reach.

Imagine if we could achieve a paperless office.
Imagine if we could predict the stock market.
Imagine if we could automatically deliver baggage in the Denver International Airport.

Netflix is a great example of a company that was swept up by the promises and perils of technology dreaming.  It started with a brilliant idea.

Imagine if we could rent videos without video stores.

This is a killer concept.  I've never reviewed the financial statements of Blockbuster (remember them?), but I'm pretty confident that if I had, I would have found the vast majority of their capital was tied up in real estate.  Other than a couple big warehouses and data centers, Netflix has no real estate.

Netflix combined this killer idea with superb execution, and became a juggernaut in an insanely short period of time.  David Pogue raved about their service even after he'd given up his membership.  They attracted global attention when they offered a ten million dollar bounty for an algorithm to improve their video recommendations, saving themselves many times that in R&D costs.  It was almost a perfect business.  They had almost no need for capital, except for their inventory of DVD disks.

Those pesky, irritating disks.

Imagine if we could get rid of the disks.

It's such a fine line between stupid and clever.

But let's get things straight.  Starting a movie streaming business to give your customers better and faster options is clever.  Positioning yourself for a future when disks may go out of fashion is clever.

Jettisoning a popular business because you like the idea of streamlining your operations, without regard to how you're enraging your customers, is stupid.

Many customers registered their displeasure, and cancelled their subscriptions.  Many investors registered their displeasure, and sold their stock, wiping out roughly $8 Billion in market capitalization. (It has since regained a bit of ground, but nothing close to what it lost.) The fact is that technology isn't yet ready for totally disk free viewing for everybody.  Movie studios aren't yet willing to license all their content for streaming.  Broadband connectivity can be flaky.  And even when it's reliable, many people are still on DSL, which provides image quality about equivalent to a VHS - not as good as DVD, and a long shot from Blu-Ray.  And sometimes you're not completely done when the movie is over, and want to see some of the specials, which are not yet available on streaming.

It's interesting to ask why Netflix is still in the doghouse.  They've cancelled their unpopular plan to spin off the DVD business.  And their prices are still competitive to where they were before the streaming business ever existed, and Netflix was still wildly popular.  The problem is that customers also dream.  They dream about a company that treats them right, and puts their interests over short term profits.  For a while, Netflix seemed to be that company.  Then the dream was shattered.  It will take a long time to rebuild that dream.

So go ahead and dream about technology.  Dream up the next killer idea that will transfer your business.   Transcend the impossible.

Just try not to cross that fine line that separates stupid and clever.