Months ago, my beloved iPod nano lost its right ear. That is, the stereo plug became mono. Today, the left ear left the iPod.

I’m not one to take setbacks lightly when it comes to electronics, especially iPods, so I visited the wonderful repair site iFixit. After studying the repair guide for my 4th generation nano I decided this was something I could do myself.

Finding my smallest screwdriver proved to be tough, but minutes later, I discovered it at the bottom of one of my many junk drawers. Jumping in with both feet, I neatly disassembled my purple nano. I am a fan of the Apollo moon landing, and am always amazed at how delicate the spacecraft were. The iPod nano is mainly held together with tape. Some incredibly delicate ribbon cables are held in place with ZIF sockets smaller than a fingernail.

It was step 19 that did me in. I inched the logic board out when millimeters were clearly called for. The delicate ribbon cable for the wheel silently tore.

After realizing my folly, I continued on ahead. How could it get worse? Looking closely at the headphone jack revealed that a simple tweak with my tiniest screwdriver could potentially have saved me the entire disassembly! The connectors for the headphones are gold, thus easily reshaped (which is the root cause of the issue anyway). Sticking a screwdriver into the headphone jack and twisting clockwise should provide enough movement to solve my problem.

You live, you learn.

Update. After ruining my iPod nano, I inserted my headphones into my laptop to listen to some music. The headphone cable was what shorted out today, not the iPod! Incredibly disappointing.

There are a lot of really great ways to communicate securely over the ‘Net. The trouble is, they’re virtually all user-unfriendly.

Today I’d like to start a discussion on making browsing safer and friendlier for everyone. I call it the “Safer Browser” initiative. I’ll discuss a feature virtually all browsers currently implement, why it makes browsing safer, how browser vendors can make it friendlier to use, and how application developers could help us all out.

Part one: what browsers currently offer.

Nearly every web browser allows a user to connect a TLS certificate with their own profile. These client certificates can sign the requests being made from a user’s browser. This is a feature that I believe only enterprises may actually employ. It’s nontrivial to set up on a regular person’s computer. Large prime numbers get involved. Thus, few civilians really use client certificates. Since no customers present client certificates, site owners pretty much ignore them too. Hence, the chicken-and-egg problem is that few sites care to accept client certificates, so why should browsers bother to use them too?

Part two: how browsers need to change.

I propose that new installations of web browsers automatically generate a certificate for the customer as part of the installation process. Now that the world is essentially using multi-user computers, associating a user’s profile with their own TLS certificate can be more safely done than 10 years ago. If FireFox, IE, Chrome, Safari, and Opera begin generating client certificates for the purpose of identifying the current user, using the web will become much safer.

In order for the public to begin benefitting from stronger encryption, browsers must begin creating (and using) client certificates on behalf of the customer. By creating a certificate on behalf of the customer, a tipping point can be achieved. If we remain as we are now, with customers having to generate their own, or Heaven forfend, having to pay a fee every year to renew their identity with Verisign, things will never really change in the defaults of browsing safely.

So, browsers must start out creating a certificate for end users. Since the end user isn’t really a part of the transaction (other than maybe providing a password for the keychain), it may be a good idea to separate the generated certificate into a separate store from what is currently available.

Part three: how sites can make use of this.

Now that we’ve got browser vendors providing certificates for their users, let me describe how I see sites taking advantage of this.

Imagine a banking website. Whenever a user is prompted to log in, a check can be easily made to verify that a user has provided a client certificate. The log in procedure could then add some extra fields to the log in form to connect the certificate with the log in credentials the user is now providing. This would allow the user to bypass the next login if they’re using their own trusted browser.

Taking this further, a smart, security-conscious banking site could offer to deny any logins from browsers that are not offering the same certificate that the user is currently providing. This would immediately lock out bad guys (e.g. crackers) and good guys (e.g. Mint) alike. The upside is that we’ve now established a very strong bond of trust between the browser the customer is now using and the bank. I would recommend that sites offer the ability to connect multiple certificates to a customer’s account, and to develop handshaking procedures that require a previously-connected browser in the chain to vouch for a new addition. The result is that the username and password are less valuable in the event of a theft. If my credentials are stolen, I still get a bit of say-so in allowing some other browser to log in with them!

Summary

So, browsers now generate certificates inside a user’s profile, and try to send them to sites using HTTPS by default. Sites now can associate such certificates with a login to more strongly identify that particular user.

Now that this is happening, sites can reduce the amount of effort involved in requiring “security questions” that are easily spoofed via machines in the middle of the connection. In addition, passwords become a secondary token of identification, and sites that have them stolen are not as easily utilized.

I think the benefits to both customers and site owners are obvious (although the site owner does need to do some work on their part). Browser authors are also benefitted by locking-in the customer to using only their browser as part of their online experience (which some power-users like myself would probably cringe at), which should make the organizations that create those browsers happy too. I think this plan is feasible, so let’s go out and make browsing safer.

Back in 2001, Apple joined the fray of portable music device manufacturers with iPod. Of interest to some was a throwaway phrase mentioned about its engineering: “made with off-the-shelf parts.” That is to say, Apple used existing chips and hardware largely in creating its music player.

By designing iPod with pre-existing parts, Apple was offered a world of flexibility. If the device flopped, the company could recoup losses much quicker than if it had spent an extended amount of time putting its varying departments to work developing custom circuits, screens, etc. If the device proved successful, future revisions could include less off-the-shelf parts. Apple established a brand, getting their foot in the door. Over time, Apple switched from iPod components out gradually replacing them with their own, custom parts.

I am reminded of the software design principle of “Ya Ain’t Gonna Need It.” This principle basically says that one should not add functionality until it is required. In order to create a new product, Apple didn’t require all of the component design and maintenance headaches to start a project. Instead, YAGNI was in play, and Apple got their foot in the door.

When the time was right, the proper changes were made. By no longer using those same off-the-shelf parts, Apple could fine-tune and better control what it wanted, resulting in a more innovative player. The first iPod had a mechanical wheel, the next used a touch pad surface, the next a click-wheel, etc. However, without getting the brand started, Apple had no incentive to iterate its design. I think that is an important lesson.

In many ways, this has been the Apple m.o. for some time. The iMac and Mac mini have frequently been test beds for engineering smaller parts that would eventually end up in its notebook computer line. The MacBook Air paved the way for the Unibody Aluminum MacBook Pro. Across the internal lines within the company exist some powerful cross-cutting concerns. Apple is wise enough to keep its eyes open and to identify those cross-cutting concerns and embrace them.

This brings me to the iPad. Apple made a lot of news with this device. I found it interesting as it featured a processor designed by a recently acquired processor designer. If the pattern Apple has applied in the past continues, I wouldn’t be surprised if Apple believes the time is right to switch to a similar custom system on a chip for its next iPhone model.

By embracing the principle of YAGNI Apple has reaped the benefits of flexibility. As a software developer, I live in a wondrous age where I can lease a score of servers from Amazon’s EC2 system and try out an idea without purchasing a operations center full of computers. If the idea fails, very little harm was done. If the idea takes off, a future purchase of dedicated servers can be arranged. The beauty of it all is that one will already have proof that the idea is viable. The question I’m left with is this one: why haven’t I created something to prove the concepts I am talking about?

This is depressing. By upholding corporations rights as individuals, a new class of person is being created. No long will we think of the poor, middle class, and the rich; we’ll add three new classifiers on top: poor corporations, middle class corporations, and rich corporations.

Does this pave the way for other amendments to protect corporations? You betcha. Next we’ll be dealing with Blackwater Xe‘s right to bear arms.

Now that they’ve got the right to free speech, how long before corporations gain the right to vote? Does slavery apply to corporations (i.e. is it against the constitution to even own a corporation since it is an individual)?

Corporations have won over citizens in this country; it’s been happening behind closed doors for a long time now, the SCOTUS just decided to remove the need for formality.

Seriously though, if I could at all believe in an overarching, long-term strategy to weaken an enemy, this would be a doozy of one. (please note, I do not endorse any arguments about women being a “weaker gender” by the previous statement, I only imply that a potential enemy of the West could)

One of the reasons I voted for Obama was so that our nation would stop justifying torture (and hopefully to prosecute those sorry souls that sullied my country’s reputation by doing so). I have great hope in Eric Holder’s prerogatives regarding the latter.

I do have a major complaint though: none of my existing accessories can charge this darn thing!

This is my 3rd iPod; the first was a display model version of a second generation iPod followed by a iPod mini (my wife also has a first-gen. iPod nano). As you may expect, over time we’ve purchased some friends for our iPods: car chargers, speakers, docks, etc. Why oh why has Apple screwed up on their design so that none of these existing accessories can charge this thing? The same dock connector port is present but apparently it is too much work to solder in support for the two wires that charged older models. For an otherwise wonderful machine, this design is flawed.

I’ve got some issues with both what happened, how this has been reported, and what I expect the aftermath of this to be.

First off, the individual security contractor should lose his/her job over this immediately. That was egregious and should be punished. Digging into the details of what happened yielded that the contractor reconfigured Gnutella (the peer-to-peer software involved) to share more than the default folder, causing the plans to be shared online. That was beyond dumb given the classified information on that hard disk.

Secondly, whoever was in charge of security for the contractor’s company totally dropped the ball. Congress should request an audit of the security procedures for all of its defense and security contractors immediately, before the next loss of important documents occurs.

Thirdly, why wasn’t encryption used at the file level? If something is a secret, treat it like one. If the software in use doesn’t offer encryption, our government should have a policy that mandates the boycott of said software for the purpose of secret documents. In other words, if AutoCAD doesn’t have an encryption option, AutoCAD should never be used for a sensitive project. This one is a no-brainer! What if that person’s laptop was stolen? The security breach is the same. Encryption at the file level helps here. I also think that government (and affiliate) laptops should only use encrypted filesystems as well in the case of physical theft, but that would not have helped here.

Fourthly, the news coverage of this is essentially blaming file-sharing for the breach. The breach was caused by either a lack of understanding of what a tool does, or a purposeful ignoring of what a tool does. If I shoot a nail gun into my hand, I have only myself to blame for the nail. Either I did not understand the purpose of the nail gun, I did not understand the risks involved with using a nail gun, or else I chose to ignore those risks. This was a people problem that should have been avoided.

Finally, the aftermath of this will likely involve some ridiculous agency sifting through p2p traffic looking for state secrets. Just like using child pornography as a reason to filter regular net traffic, state secrets will be used as a red herring to make the federal government sift through p2p traffic. I smell the stink of Big Copyright at work. Congress, take note: preventing future slippage of secrets does not involve sifting traffic, it involves mandating encryption and having workable security policies. It will be a huge waste of taxpayer dollars if p2p traffic becomes the target of government snoops.

The gist of the book is Hawkins’s theory that the function of the neo-cortex is to form predictive models of the world based on past experience, communicated to it as inputs through the senses. He points out that each sense is processed similarly to one another even though they seem to be radically different to the untrained eye. An example Hawkins uses that caught my attention was of the transition between typing, speaking, and hand-writing. Hawkins points out that to communicate the Gettysburg Address one need not consciously learn it for a new medium. Our brain learns the famous speech by hearing it or reading it and our brain can rehash it by totally different means. The example is rather simple but amazing nonetheless.

The neo-cortex is called the neo-cortex because it is the “new” brain when compared to a lesser species that did not evolve it. Our “lower” brain is also called the reptilian brain, since that’s the sort of brain we have in common with Gojira and his friends (not Mothra of course, that’s another blog post). What I found fascinating about the descriptions of the neo-cortex was its uncanny ability to discern and absorb information. Watching a baby in a new room gives one a sense of this. As the baby girl looks around you can visualize all of the identification and cataloging that is going on inside her head. The cortex functions by translating any possible input into what it already knows. If the cortex does not have a pre-existing model to translate to, it files the new input away as a potential model.

Areas of the cortex work on bits of input to determine if they are suitable towards the purpose of that particular identifying bit. An oversimplified example would be a tiny part of the brain that looked as some input (say, something that was translated from the optic nerve and further broken down into vague shapes) and determine if the input contained an eye. If the input did contain an eye, further processing could then take place and our brain would communicate back and forth to tell the optic nerve to expect a nose in this general direction.

According to Hawkins this is how we work. Given this, Hawkins expects electronic brains to be feasible in ways that traditional artificial intelligence will never be. Some day Google may actually fully understand what the following question means: “is a dandelion more yellow than a canary?” Based on a lot of input (and correctly labeling such input) software should be able to learn about qualities in the way humans do. Whether or not this is a good thing and will actually be truly useful is to be seen (hopefully in my lifetime).

I think that one could easily create a sociopath computer just by taking advantage of how it learns. I joked with my wife one time about purposefully teaching the incorrect words for various colors to the children of some friends of ours. “What color is the grass? That’s right, it’s pink.” Giving a learning machine similar false positives could really screw up its view of the world. I wonder if such a thing could cause a machine to feel hate, or would emotion truly be more complex than a brain mechanism (i.e. necessarily involving hormones).

Based on my listen I also wonder about whether or not organized society is simply an evolutionary step. If our neo-cortex is all about taking in input, cataloging it, and making predictions based upon that stored knowledge, perhaps society rose about as a way to distribute such knowledge? What would the implication be if we determined that the entire function of families, cities, and nations was simply to propagate knowledge? If this would be the truth, in what direction are we evolving?

One final thought I wanted to share from this book was one on DNA and species-memory. Hawkins describes a scenario that explains the course of evolution by way of DNA being the most primitive form of brain: certain aspects necessary for survival are encoded into our DNA and this is how further generations know certain things. I don’t really know if I buy into this (I’d love to see more evidence and experiments for it) but the notion is intriguing. If this is true, the notion of clones becomes interesting to me, if nothing else but for the purpose of seeing how different they become over time. Not in a Multiplicity way of course but over generations of “self-duplication.” Would clones evolve over generations? Perhaps a series of clones would become impotent based on the new way of propagating genes? Okay, now I’m beginning to sound like some cheap sci-fi.

All in all, this work has been wonderful to listen to. Though it’s taken me weeks to get through, “On Intelligence” is a book I’d recommend to anyone interested in a journey of abstraction.