2016-12-27

Scentrics finds that security is hard

Two years ago I wrote about Scentrics and their "Key Man" security proposal. I wondered idly what had happened there so did some Googling. Turns out that I'm the top two hits for [scentrics key man] which is heart-warming for me but suggests that their world-beating security patent might have sunk like a stone...

I went to their website www.scentrics.com and noted that it didn't redirect to https. I tried https://www.scentrics.com and lo! Chrome's Red "Not secure" Warning of Death appears. Seems that Scentrics can't even secure their website, which is not a little ironic when their home page trumpets "Secure with Scentrics".

All the pages on the site - even "Overview and Vision" and "Careers" - are hidden behind a sign-on box, declaring the website "invitation only" and inviting you to contact "admin@scentrics.com" if you'd like access. You can view headers, but that's about it. You wonder why they would be so sensitive about exposing information like that.

The 2016 news included a nugget from the Daily Telegraph in June:

Scentrics is poised to seek new funding that would value the company at more than $1 billion as it prepares to rollout its infrastructure for the first time.
"Poised", huh? I like that. I read that as "not yet ready". I also like the uncritical write-up of the company's pitch:
Individual messages and documents sent over the internet can be unlocked without compromising the overall security of the network, according to Scentrics's pitch to operators and governments.
Remember that this essentially involved encrypting one copy of a message with the recipient's public key, and another with a government/agency public key, and storing the latter to give the agency access on demand. The government and security agencies involved might not think that this "compromises" the overall security of the network, but as a consumer of the network's function I can assure them that I'd feel very differently. And of course for this to be effective all network users would have to use a very small ecosystem of only approved apps / browsers which implemented this dual encryption, and maintained the central repository of government-friendly encrypted messages. I'm sure there's no risk of systematic system compromise there by insiders at all.

Companies House shows three officers plus a secretarial company including our old friend Guruparan "Paran" Chandrasekaran. Looks like Sir Francis Mackay, David Rapoport and Dr. Thaksin Shinawatra resigned since 2014, which is interesting because the latter gent used to be the Prime Minister of Thailand, and Scentrics trumpted his role in the Telegraph piece, but as of 1 month ago he's out of his company role.

According to their June 2015 accounts they have about GBP4.2M in net assets, looks like they had an infusion of about GBP4.5M during the year. Going from this to a $1bn valuation seems... optimistic.

Update: Looks like Scentrics are diving into Singapore with advertisements for Project Manager and Devops roles there. This seems to be part of the Singapore government's "Smart Nation" project for a unified network in Singapore:

  • A Smart Nation is one where people are empowered by technology to lead meaningful and fulfilled lives.
  • A Smart Nation harnesses the power of networks, data and info-comm technologies to improve living, create economic opportunity and build a closer community.
  • A Smart Nation is built not by Government, but by all of us - citizens, companies, agencies. This website chronicles some of our endeavours and future directions.
Cutting through the marketing speak, Singaporeans will be using a government-provided network for all services including personal and business communication. With Scentrics playing a role, the benevolent semi-dictatorship of Singapore will be able to snoop on all its citizens' internal communications at will.

Scentrics seems to be very comfortable enabling a government's surveillance on its citizens. I wonder how this is going to work out for them long-term given the distinctly libertarian tilt of most software engineers.

[Disclaimer: no share position in Scentrics. Financially I don't care if they live or die. Personally, I'd incline towards the latter.]

Don't blame the tech industry for its "lack of diversity"

Tekla S. Perry, who's experienced enough in the technology world to know better, wrote a provocative piece in IEEE Spectrum this week titled "Why Isn't the Tech Industry Doing Better on Diversity? It's Google's and Facebook's Fault". This sprang from a discussion at "Inclusion In Silicon Valley" where Leslie Miley, Slack's director of engineering, excoriated Bay Area tech companies for their alleged lack of inclusion:

You come to Silicon Valley and you don't see people that look like me in positions of power [Miley is black]. If that's not hostile, what is?
You don't see Chinese Americans or Indian Americans in positions of power in the Federal government, despite 8 years of a black president. If that's not hostile to Chinese and Indian Americans, what is?

Leslie Miley is a mendacious asshole. There are many legitimate points to make about the disproportionately small number of black software engineers, and the horrendous educational and societal failings behind that - and let's be clear, prejudice against academically successful black engineers is a real thing from both the black and white communities - but Leslie's point is not one of those. He is jumping from "X is not happening" (observation) to "X must be being blocked by Y" (assumption). You'd think that a competent engineer would be better acquainted with logical reasoning. But looking at Miley's LinkedIn profile he's only spent a series of 2-3 year stints at a list of major tech companies (Google, Apple, Twitter) in engineering management roles; since you spend 3-6 months coming up to speed with a job like that, and assume you draw down effort in the 3 months looking for a replacement job before you leave, his actual engineering experience doesn't seem that great, and you wonder why he kept leaving each firm before his stock options started to vest in quantity... (This is of course the "play the man, not the ball" approach to argument, which is intellectually facile but no less well founded that Miley's approach to argument.)

I've said this before but let's say it again. The main reason that people of Afro-Caribbean descent are under-represented in the software engineering industry is because the dominant education requirement for that industry is a bachelor's degree in a numerical subject (STEM), and such people are correspondingly under-represented in that qualification bucket. Such under-representation is a major issue that needs fixing, but it's happening way before the Silicon Valley and other engineering companies get involved. There's a secondary issue that engineering companies in general should get better at finding bright numerate non-STEM-degree holders who will do well in software engineering with a small investment of training, but that's another blog post entirely - and in any case, Silicon Valley big firms do spend time and money looking in that general area.

It's not just Miley who's making dumb remarks at this diversity love-fest, of course:

The lack of diversity stems from hidden and systemic bias, believes Monique Woodard, a partner in 500 startups. "If you turned off the imported talent, would you look to Oakland and Atlanta? I'm not sure people would," she said.
This is bollocks on stilts, but not just for the reasons you think. Oakland is stuffed full of Bay Area tech workers, especially junior engineers. They live there because it is relatively cheap compared to San Francisco, Palo Alto, San Jose, Milpitas etc. Tech companies recruit people from Oakland all the gosh-darn time. What Monique Woodard means is that she doesn't believe that tech companies will go looking for the black talent in Oakland and Atlanta. Why isn't she saying this explicitly? You be the judge.

"Changing the practices that perpetuate the overwhelmingly white and male character of the Silicon Valley workforce are not going to be easy"
Male: yep. White: nope. In Silicon Valley, Caucasians are actually under-represented per the general population; Chinese and Indians are significantly overrepresented. In my experience, people who openly identify as gay or transgender are also markedly over-represented. By many reasonable measures, Silicon Valley is one of the most diverse environments there is - there is a huge population of people whose national original is not the USA, and they aren't just Indians and Chinese: there are substantial Russian, Korean, Polish, Filipino, Vietnamese and other nationalities.

What Ms. Woodard is actually saying is: "there aren't enough engineers with dark skin - excluding Indians - in Silicon Valley." Well, Ms. Woodard, why is that? Is there a peculiar conspiracy in hiring where the recruiters and hiring deciders are wide open to all sorts of people except those who are of Afro-Caribbean extraction? Is that what you are saying, or is it such a ridiculous notion that you have to resort to camouflaging it behind the umbrella of "diversity"?

Behind Miley's comments, at least, there's a nugget of good sense. The competition for engineers in Silicon Valley and its environs, and to some extent other places like Seattle (Microsoft/Amazon) and New York (Big Finance) is intense. If big firms want to find a cheaper source of good engineers then they should look at other major cities, such as Atlanta, Dallas, Austin. This is something of a risk though: you need to start a new engineering office, which means recruiting many tens of new engineers in addition to migrating some of your existing senior engineers down there to help build and train the teams, reinforce company culture and keep strong communication with the root offices. Up until now, this has been more of a risk than just upping the game in recruiting from the Bay: I suspect soon the numbers will cross a threshold that makes new engineering offices sufficiently financially attractive to be worth a try.

Bringing in new engineers from Republican states such as Texas and Georgia is also excellent for increasing diversity in the heavily Democratic (and worse, Californian) engineering cohorts of Silicon Valley. Yet, why is it that I suspect that Miley, Woodard et al don't regard that kind of diversity as desirable?

2016-12-18

neveragain.tech virtue signalling

In the past couple of days I've seen all manner of prompts to add my name to the petition at neveragain.tech, solemnly swearing to:

  1. refuse to participate in the creation of databases of identifying information for the United States government to target individuals based on race, religion, or national origin.
  2. advocate within our organizations:
    • to minimize the collection and retention of data that would facilitate ethnic or religious targeting.
    • to scale back existing datasets with unnecessary racial, ethnic, and national origin data.
    • to responsibly destroy high-risk datasets and backups.
    • to implement security and privacy best practices, in particular, for end-to-end encryption to be the default wherever possible. to demand appropriate legal process should the government request that we turn over user data collected by our organization, even in small amounts.
  3. if I discover misuse of data that I consider illegal or unethical in my organizations:
    • I will work with our colleagues and leaders to correct it.
    • If we cannot stop these practices, we will exercise our rights and responsibilities to speak out publicly and engage in responsible whistleblowing without endangering users.
    • If we have the authority to do so, we will use all available legal defenses to stop these practices.
    • If we do not have such authority, and our organizations force us to engage in such misuse, we will resign from our positions rather than comply.
  4. raise awareness and ask critical questions about the responsible and fair use of data and algorithms beyond my organization and our industry.

The more perceptive readers will be surprised at how closely this declaration follows the election of Donald Trump as President of the USA, and wonder why - following the past 8 years of progressive weaponization of the Federal government - the tech industry has suddenly decided that unlimited government power is A Bad Thing to be strenuously resisted.

OK, maybe it's not much of a mystery.

Seriously though, one has to wonder why so many tecchies - who are, on average, very intelligent and somewhat resistant to regular bullshit - are signing this petition. The classic excuse comes from the role of IBM's equipment in the Holocaust, used by the Nazis to process the data around selection and slaughter of Jews in Europe. IBM itself acknowledges its role:

It has been known for decades that the Nazis used Hollerith equipment and that IBM's German subsidiary during the 1930s -- Deutsche Hollerith Maschinen GmbH (Dehomag) -- supplied Hollerith equipment. As with hundreds of foreign-owned companies that did business in Germany at that time, Dehomag came under the control of Nazi authorities prior to and during World War II. It is also widely known that Thomas J. Watson, Sr., received and subsequently repudiated and returned a medal presented to him by the German government for his role in global economic relations.
It's a bit unfair to single out IBM here. The premise is that equipment from an IBM-owned subsidiary was instrumental to the Nazis being able to kill Jews more efficiently. Nowadays, how would we feel if Syria's Bashar Assad used an Excel spreadsheet or two to organise slaughter of non-Alawite citizens? I'm fairly sure that Microsoft's Excel developers couldn't realistically be held accountable for this. Even if a Microsoft sales rep sold a 1000-seat Excel license to the Syrian regime, it would be a bit of a stretch to blame them for any resulting massacre. After all, the regime could always use OpenOffice for a free-as-in-beer-and-freedom solution to programmatic pogrom.

As you might expect from a Silicon Valley initiative, this is primarily intended as strenuous virtue-signalling. "Look at me, how right-thinking I am and how willing to prevent persecution of minorities!" Really though, it will have zero effect. The US Government does not contract out to random Silicon Valley firms for immigration and related database work. They have their own information systems for this, developed at horrific expense and timescales by the Beltway Bandit consulting firms and government IT workers. The US Citizenship and Immigration Services department isn't going to ask Twitter or a San Francisco start-up to develop a new immigrant tracking system - even though I suspect they'd get one with 10% of the downtime and 20% of the cost of the one that the Bandits will develop for them.

The most plausible concern of the signatories is the existing social graph and personally identifiable information in systems like Facebook and Twitter. Religion and national origin isn't stored systematically, and visa status isn't stored at all, but from analysis of posts and relationship activities I can imagine that you could fairly reliably infer areas of the relationship graph that are likely to be e.g. Guatemalan in origin and using Latin American Spanish as their primary language, working in low-wage industries, and physically located in Southern California (checking in from IPs known to be in LA and its environment). If you wanted to identify a pool of likely illegal immigrants, that would be a good place to start. Since Facebook already has this data, and sells access to parts of their information to advertisers, I wonder what these signatories are going to do about it?

$20 says "not a damn thing." They like their jobs and status too much. They won't find other companies as accepting of their social activism and public posturing. They won't take on new jobs targeting minorities, but then no-one sane is going to ask them to take on that kind of work because the D.C. consulting firms want the money instead and have lobbyists ensuring that they'll get it.